Cisco aaa authorization network
Stefan Winter
stefan.winter at restena.lu
Wed Feb 15 10:56:09 CET 2006
Hello,
while migrating a NAS (Cisco AS5300) from TACACS+ to RADIUS I stumbled over
some peculiarities of the equipment.
When configuring with
    aaa authentication network default group radius
    aaa authorization network default group radius
and having a user logging in with PPP, it seems that the NAS expects some of
the Cisco-AVPairs, but I don't exactly know what to send it. Since I send
the wrong things, I'm in the situation that authentication succeeds
(Access-Accept), but subsequent authorization fails. I know this is slightly
off-topic for the list, sorry, but I'm really at the end of my knowledge
here; maybe someone has a clue.
The old TACACS+ config was
    group = DialupUser {
        maxsess = 2
        service = ppp protocol = ip {}
        service = ppp protocol = multilink {}
    }
which I thought I could convert into the following entry in the users file
    DEFAULT NAS-IP-Address == 158.64.2.6
        Framed-Protocol := PPP,
        Cisco-AVPair += "ppp:protocol=ip",
        Cisco-AVPair += "ppp:protocol=multilink"
but either that was not sufficient and I need more Cisco-AVPairs or it's plain
wrong (the attributes get sent all right, it's just not what the NAS likes).
Instead of "ppp:" I also tried "lcp:", "ipcp:" and "network:". None of this
impresses the AS5300, and turning on debugging didn't reveal what it would
expect instead.
Can someone help out?
Greetings,
Stefan Winter
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473