Cisco aaa authorization network

Stefan Winter stefan.winter at
Wed Feb 15 10:56:09 CET 2006


while migrating a NAS (Cisco AS5300) from TACACS+ to RADIUS I stumbled over 
some peculiarities of the equipment.
When configuring with
aaa authentication network default group radius
aaa authorization network default group radius

and having a user logging in with PPP, it seems that the NAS expects some of 
the Cisco-AVPairs, but I don't exactly know what to send him. Since I send 
the wrong things, I'm in the situation that authentication succeeds 
(Access-Accept), but subsequent authorization fails. I know this is slightly 
off-topic for the list, sorry, but I'm really at the end of my knowledge 
here, maybe someone has a clue.
The old TACACS+ config was

group = DialupUser {
        maxsess = 2
        service = ppp protocol = ip {}
        service = ppp protocol = multilink {}

which I thought I could convert into the following entry in the users file

        Framed-Protocol := PPP,
        Cisco-AVPair += "ppp:protocol=ip",
        Cisco-AVPair += "ppp:protocol=multilink"

but either that was not sufficient and I need more Cisco-AVPairs or it's plain 
wrong (the attributes get sent alright, it's just not what the NAS likes). 
Instead of "ppp:" I also tried "lcp:" "ipcp:" and "network:". None of this 
impresses the AS5300, and turning on debugging didn't reveal what he would 
expect instead.
Can someone help out?


Stefan Winter 


Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at     Tel.:     +352 424409-1                Fax:      +352 422473

More information about the Freeradius-Users mailing list