NAS not accepting the Access-Accept?

Matt Ashfield mda at
Tue Apr 24 13:34:31 CEST 2007

Ok thanks! I am definitely seeing the NAS request Administrative-User in the
Access-Request packet. I guess I wsen't returning it! Thanks for your help.


-----Original Message-----
From: Alan DeKok [mailto:aland at] 
Sent: April 24, 2007 3:21 AM
To: mda at; FreeRadius users mailing list
Subject: Re: NAS not accepting the Access-Accept?

Matt Ashfield wrote:
> HI,
> I have a network switch that I'm trying to configure to allow Console port
> authentication via RADIUS.
> In the documentation of the switch it says:
> "To provide each user with appropriate levels of access to the switch, set
> the following username attributes on your RADIUS server:
> - R/W access -- Set the Service-Type field value to Administrative
> - Read-Only -- set the Service-Type field value to NAS-Prompt"
> So, in my users file, I have defined a user:
> "testuser"  NAS-IP-Address == "", Cleartext-Password :=
> "testing", Service-Type =="Administrative-User"

  Which matches if there's a request for administrative user.  You also
have to acknowledge that request in the response, otherwise the NAS will
not let the administrator in:

"testuser"  NAS-IP-Address == "", Cleartext-Password :=
 "testing", Service-Type =="Administrative-User"
	Service-Type := "Administrative-User"

> However, when I run a packet capture, I see that no Radius attributes are
> being passed back to the NAS device. Shouldn't I be seeing the
> Administrative-User attribute?

  If you don't tell the server to send it back, no.

  Alan DeKok.
--       - The web site of the book - The blog

More information about the Freeradius-Users mailing list