Hi
The simplest way would be to define a dial-based NAR to deny access to the VPN device inside each of the T+ groups. Users would still authenticate, but be denied access due to the filter.
Since its a dial (aka CLID/DNIS) filter it would not prevent the same users doing a T+ login (via telnet) to the VPN device itself.
Would be nice to say "Group XYZ doesnt support RADIUS"
Darran