Re: [RadiusNT] access list

jmercer ( (no email) )
Wed, 12 May 1999 08:45:25 -0500

Yes, it is very possible. Just set up the attributes you want for e-mail
only in RadATConfigs, like so:
RadATConfigID AccountType RadAttributeID Data Value RadVendorID RadVendorType RadCheck
1 EMail 6 2 2
2 EMail 7 1 1
3 EMail 11 mailonly 0
Then add an access list in your Cisco called mailonly or whatever you put
in above. The Cisco does the filtering, so make sure the access list does
exactly what you want. When a designated user logs in with the AccountType
EMail, this access list will be applied to him or her.
We use this for an access list:
ip access-list extended mailonly
 permit tcp any eq smtp x.x.x.0
 permit tcp any eq domain x.x.x.0
 permit udp any eq domain x.x.x.0
 permit icmp any x.x.x.0 echo-reply
 permit tcp any eq ident x.x.x.0
 permit tcp any eq pop3 x.x.x.0
where x.x.x. is our class C.
Hope this helps.

*********** REPLY SEPARATOR ***********

>Dear Sir,
>I would like to know if we can create a group of users that can access
>only some TCP ports only or some internet services only such as e-mail
>only using the RadiusNT and the Cisco 2511 NAS.
>Thank you for your help.

Jerry Mercer
Internet -
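
Added example, not part of the original message and not RadiusNT or Cisco code: since the router does the filtering, this small first-match evaluator checks what a list shaped like the one above lets through to a dial-in user. Assumptions: 192.0.2.0 with wildcard 0.0.0.255 stands in for the post's x.x.x.0, and the parser only handles this one entry shape.

```python
import ipaddress

# Constructed stand-in for the posted list: 192.0.2.0 0.0.0.255 replaces
# "x.x.x.0" (documentation prefix and wildcard mask are assumptions).
ACL = """\
permit tcp any eq smtp 192.0.2.0 0.0.0.255
permit tcp any eq domain 192.0.2.0 0.0.0.255
permit udp any eq domain 192.0.2.0 0.0.0.255
permit icmp any 192.0.2.0 0.0.0.255 echo-reply
permit tcp any eq ident 192.0.2.0 0.0.0.255
permit tcp any eq pop3 192.0.2.0 0.0.0.255
"""
PORTS = {"smtp": 25, "domain": 53, "pop3": 110, "ident": 113}

def parse(acl):
    """Parse entries of the form: action proto any [eq port] net wildcard [icmp-type]."""
    rules = []
    for line in acl.splitlines():
        t = line.split()
        if not t:
            continue
        action, proto, src = t[0], t[1], t[2]
        assert src == "any", "only 'any' sources are handled in this sketch"
        i, sport = 3, None
        if t[i] == "eq":                      # source-port match (server side)
            sport, i = PORTS[t[i + 1]], i + 2
        net, wild = ipaddress.IPv4Address(t[i]), ipaddress.IPv4Address(t[i + 1])
        icmp = t[i + 2] if len(t) > i + 2 else None
        rules.append((action, proto, sport, int(net), int(wild), icmp))
    return rules

def decide(rules, proto, sport, dst, icmp=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    d = int(ipaddress.IPv4Address(dst))
    for action, r_proto, r_sport, net, wild, r_icmp in rules:
        if r_proto != proto:
            continue
        if r_sport is not None and r_sport != sport:
            continue
        if (d | wild) != (net | wild):        # wildcard bits are "don't care"
            continue
        if r_icmp is not None and r_icmp != icmp:
            continue
        return action
    return "deny"

RULES = parse(ACL)
```

The entries match only on the server-side source port and the destination subnet, so the evaluator makes it easy to confirm that anything not listed, such as web traffic, falls through to the implicit deny.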