Service-Logon

Jay Kuhne (jkuhne) jkuhne at cisco.com
Sat Oct 9 13:08:53 CEST 2010


Hi Alan,

Thanks for the reply. Does it need to be configured on the NAS, or does
the NAS accept that RADIUS is telling it "this is the policy to use"?

For Cisco ASR1K IOS-XE NAS,  I understand the following command is
needed to tell NAS to accept RADIUS policy vs. looking local.

"aaa authorization subscriber-service default group RADIUS_GROUP"

Any other thoughts on what I might be doing incorrectly?

At the moment I execute the following with "coa" being the filename for
contents below:
ssh -x -l root erbu-freerad-10 /usr/local/bin/radclient -x -t 20 -n 30 -c 1 -p 30 -f /usr/local/etc/raddb/coa 5.28.6.10:1700 coa cisco

Acct-Session-Id="000003EE"
Service-Type += Outbound-User
cisco-avpair="subscriber:command=activate-service"
cisco-avpair="subscriber:service-name=ACL_NAMED_ POLICY"
cisco-avpair="ip:inacl=IN_ACL_NAMED_v6_2"

Thanks again,
Jay

# NAS Config:
aaa new-model
!
!
aaa group server radius RADIUS_GROUP
 server-private 5.28.21.99 non-standard key cisco
 ip vrf forwarding Mgmt-intf
!
aaa authentication login default none
aaa authentication ppp default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP 
aaa authorization subscriber-service default group RADIUS_GROUP 
!
!
!
!
aaa server radius dynamic-author
 client 5.28.21.99 vrf Mgmt-intf
 server-key cisco
 auth-type any
!

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 2:52 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Do I need to define the service that I am referencing "v4_POLICY"
> elsewhere in freeradius?

  No.  You're sending that to the NAS.  The NAS interprets it.

  Alan DeKok.
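Added example, not part of the original thread and not FreeRADIUS or Cisco code: how a CoA-Request like the one radclient sends above is encoded and authenticated under RFC 5176, using attributes and the shared secret shown in the message. The function names and the packet identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43      # RFC 5176 packet code
ACCT_SESSION_ID = 44  # RFC 2866
SERVICE_TYPE = 6      # RFC 2865; value 5 is Outbound-User
VENDOR_SPECIFIC = 26  # RFC 2865
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1      # vendor type of Cisco-AVPair


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(ident, attrs, secret):
    """Build a CoA-Request; the authenticator is MD5 over the packet
    with 16 zero octets in the authenticator field, then the secret."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def authenticator_ok(packet, secret):
    """Recompute the Request Authenticator the way a receiver does."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])


# Attributes from the post's "coa" file (service-name pair omitted);
# identifier 1 is a constructed value.
ATTRS = (attr(ACCT_SESSION_ID, b"000003EE")
         + attr(SERVICE_TYPE, struct.pack("!I", 5))
         + cisco_avpair("subscriber:command=activate-service")
         + cisco_avpair("ip:inacl=IN_ACL_NAMED_v6_2"))
PACKET = build_coa_request(1, ATTRS, b"cisco")
```

A mismatch between the secret on the radclient command line and the NAS's `server-key` makes this check fail regardless of the attributes.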