Service-Logon

Jay Kuhne (jkuhne) jkuhne at cisco.com
Fri Oct 15 12:04:40 CEST 2010


Hi Alan and all,

This is just a follow-up, here is the config which works for
Service-Logon with Cisco AVP.

The "A" vs "N" in front of the service name determines whether the
service is applied at bring-up (AutoLogon) or applied via COA afterwards.

tester1@asr_domain1 Cleartext-Password := "hello1"
    Service-Type += Framed-User,
    Framed-Protocol += PPP,
    Cisco-Account-Info += "ASERVICE_USR1",
    Cisco-Account-Info += "NSERVICE_USR1_NET",
    Framed-IPv6-Prefix += "0015:0000:0000:0000:0000:0000:0000:0000/64",
    Fall-Through = no

SERVICE_USR1 Cleartext-Password := "cisco"
    Service-Type += Outbound-User,
    cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
    cisco-avpair += "ipv6:inacl#2=permit tcp  1::1/64  any eq 50001",
    cisco-avpair += "ipv6:inacl#3=permit tcp any 2001:0DB8:bb00:1::/64 eq 23",
    cisco-avpair += "ipv6:inacl#4=permit ipv6 any 2003:1:2::0/48",
    cisco-avpair += "ipv6:inacl#5=permit udp any eq 546 any eq 547",
    cisco-avpair += "ipv6:outacl#1=permit ipv6 any 15::0/64",
    cisco-avpair += "ipv6:outacl#2=permit tcp  any 1::1/64 eq 50001",
    cisco-avpair += "ipv6:outacl#3=permit tcp 2001:0DB8:bb00:1::/64 any eq 23",
    cisco-avpair += "ipv6:outacl#4=permit ipv6 2003:1:2::0/48 any",
    cisco-avpair += "ipv6:outacl#5=permit udp any eq 546 any eq 547"

SERVICE_USR1_NET Cleartext-Password := "cisco"
    Service-Type += Outbound-User,
    cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
    cisco-avpair += "ipv6:inacl#2=permit tcp  1::1/64  any eq 50002"



COA service activation is simply the following with Radclient:

User-Name += "tester@asr_domain1"
Service-Type += Outbound-User
Acct-Session-Id="000003F5"
cisco-avpair += "subscriber:command=deactivate-service"
cisco-avpair += "subscriber:service-name=SERVICE_USR1_NET"

Cheers,
Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Thanks for the reply.  Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"

  See the NAS documentation for how the NAS behaves.

> Any other thoughts on what I might be doing incorrectly?

  No idea.  The only goal in RADIUS is to get the "right" contents to
the NAS.  We document how to put things in the packet.  The NAS
documents what it needs in the packet.

  Alan DeKok.
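
An added example, not part of the original thread or of FreeRADIUS: a small audit script that reads users-file entries like the ones posted above, splits each subscriber's Cisco-Account-Info services by the "A"/"N" prefix, and reports service names that have no profile entry. The sample text is constructed from the post, SERVICE_MISSING is a made-up name, and the parser is a simplification (one item per line, no commas inside values).

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax, trimmed from the post.
# SERVICE_MISSING is a hypothetical name with no profile entry.
USERS = '''\
tester1@asr_domain1 Cleartext-Password := "hello1"
    Cisco-Account-Info += "ASERVICE_USR1",
    Cisco-Account-Info += "NSERVICE_USR1_NET",
    Cisco-Account-Info += "NSERVICE_MISSING",
    Fall-Through = no

SERVICE_USR1 Cleartext-Password := "cisco"
    Service-Type += Outbound-User,
    cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any"

SERVICE_USR1_NET Cleartext-Password := "cisco"
    Service-Type += Outbound-User,
    cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any"
'''

# One indented reply item per line: Attribute op value[,]
ITEM = re.compile(r'^\s+([\w-]+)\s*[:+]?=\s*"?([^",]*)"?,?\s*$')

def parse_users(text):
    """Return {entry_name: [(attribute, value), ...]} for reply items."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts an entry
            current = entries.setdefault(line.split()[0], [])
        elif current is not None and (m := ITEM.match(line)):
            current.append((m.group(1), m.group(2)))
    return entries

def audit_services(entries):
    """Split each subscriber's Cisco-Account-Info services by A/N prefix."""
    report = {}
    for name, items in entries.items():
        svc = [v for a, v in items if a.lower() == "cisco-account-info"]
        auto = [v[1:] for v in svc if v.startswith("A")]   # applied at bring-up
        coa = [v[1:] for v in svc if v.startswith("N")]    # applied later via CoA
        if auto or coa:
            report[name] = {"auto": auto, "coa": coa,
                            "undefined": [s for s in auto + coa if s not in entries]}
    return report

if __name__ == "__main__":
    print(audit_services(parse_users(USERS)))
```
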