Service-Logon
Jay Kuhne (jkuhne)
jkuhne at cisco.com
Sat Oct 9 13:08:53 CEST 2010
Hi Alan,
Thanks for the reply. Does it need to be configured on the NAS or the
NAS accepts Radius is telling it "this is the policy to use"
For Cisco ASR1K IOS-XE NAS, I understand the following command is
needed to tell NAS to accept RADIUS policy vs. looking local.
"aaa authorization subscriber-service default group RADIUS_GROUP"
Any other thoughts on what I might be doing incorrectly?
At the moment I execute the following with "coa" being the filename for
contents below:
ssh -x -l root erbu-freerad-10 /usr/local/bin/radclient -x -t 20 -n 30
-c 1 -p 30 -f /usr/local/etc/raddb/coa 5.28.6.10:1700 coa cisco
Acct-Session-Id="000003EE"
Service-Type += Outbound-User
cisco-avpair="subscriber:command=activate-service"
cisco-avpair="subscriber:service-name=ACL_NAMED_ POLICY"
cisco-avpair="ip:inacl=IN_ACL_NAMED_v6_2"
Thanks again,
Jay
# NAS Config:
aaa new-model
!
!
aaa group server radius RADIUS_GROUP
server-private 5.28.21.99 non-standard key cisco
ip vrf forwarding Mgmt-intf
!
aaa authentication login default none
aaa authentication ppp default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa authorization subscriber-service default group RADIUS_GROUP
!
!
!
!
aaa server radius dynamic-author
client 5.28.21.99 vrf Mgmt-intf
server-key cisco
auth-type any
!
-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 2:52 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon
Jay Kuhne (jkuhne) wrote:
> Do I need to define the service that I am referencing "v4_POLICY"
elsewhere in freeradius?
No. You're sending that to the NAS. The NAS interprets it.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list