We are trying to setup a filter to work with Radius/Ldap to allow for a group that has email as the only service!
This is what we have put together as of now... we have tried it and it does not work!!! :( I have opened 2 tac
cases with Cisco. Cisco claims that the only possible way to do this is to have TACACS and a separate dial
pool! That would be wasteful of on ips! There has to be a way!! Any suggestions???
# Default Dial-Up PPP EMAIL ONLY User System Profile
DEFAULT Auth-Type = System, NAS-Port-Type = Async, Group = email,
- Service-Type = Framed-User,
- Framed-Protocol = PPP,
- Framed-IP-Address = 255.255.255.254,
- Framed-IP-Netmask = 255.255.255.255,
- cisco-avpair = "lcp:interface-config=ip policy route-map email",
- Filter-Id = "email.sec",
- Port-Limit = 1,
- Idle-Timeout = 1200,
- Session-Timeout = 28800,
- Class = email
- Framed-Protocol = PPP,
ip policy route-map email
route-map email permit 10
match ip address 103
access-list 103 permit tcp any any eq 25
access-list 103 permit udp any any eq 53
access-list 103 permit tcp any any eq 110
access-list 103 permit tcp any any eq 113
access-list 103 deny any any
On PM3
1 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 25
2 permit 0.0.0.0/0 206.40.79.2/32 udp dst eq 53
3 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 80
4 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 110
5 permit 0.0.0.0/0 206.40.79.2/32 tcp src eq 113
6 permit 0.0.0.0/0 206.40.79.2/32 tcp dst eq 443
7 permit 0.0.0.0/0 206.40.79.2/32 icmp
add filter email.sec
set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 25 dst eq 25 estab
set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53 dst eq 53 estab
set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 110 dst eq 110 estab
set filter email.sec 1 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 113 dst eq 113 estab
set filter email.sec 1 deny 0.0.0.0/0 0.0.0.0/0 tcp
set filter email.sec 1 deny 0.0.0.0/0 0.0.0.0/0 udp
Let me know what you think!
Thanks,
Emily Whitworth
