Service-Logon

Jay Kuhne (jkuhne) jkuhne at cisco.com
Mon Oct 11 17:19:53 CEST 2010


One step closer by reverse-engineering a TAC example... but still not
quite working


# "users" file - initial bring up
jkuhne1@asr_5_61 Cleartext-Password := "hello1"
    Service-Type += Framed-User,
    Framed-Protocol += PPP,
    Cisco-Account-Info += "NAMED_ACL_SERVICE",
    Framed-IPv6-Prefix += "0015:0000:0000:0000:0000:0000:0000:0000/64",
    cisco-avpair += "ipv6:inacl#1=permit ipv6  15::0/64 any",
    cisco-avpair += "ipv6:inacl#2=permit tcp  1::1/64  any eq 50001",
    Fall-Through = no

DEFAULT    Prefix == "NAMED_ACL_SERVICE"
           Service-Type += Outbound-User,
           cisco-avpair += "ipv6:inacl=IN_ACL_NAMED_v6_2"



#Able to see it on NAS
asr05#sh aaa service-profiles
<etc...>
1000> Service Name: asr_5_61
1001> Service Name: NAMED_ACL_SERVICE

# attempting COA
User-Name += "jkuhne1@asr_5_61"
Acct-Session-Id="000003EE"
cisco-avpair += "subscriber:command=activate-service"
cisco-avpair += "subscriber:service-name=NAMED_ACL_SERVICE"

# Radius Debug:
Oct 11 14:11:37.838: COA: 5.28.21.99 request queued
Oct 11 14:11:37.838: RADIUS:  authenticator 43 98 88 99 AE 20 8E CA - DE 91 37 88 E8 74 93 D8
Oct 11 14:11:37.838: RADIUS:  User-Name           [1]   18  "jkuhne1@asr_5_61"
Oct 11 14:11:37.838: RADIUS:  Acct-Session-Id     [44]  10  "000003EE"
Oct 11 14:11:37.838: RADIUS:  Vendor, Cisco       [26]  43
Oct 11 14:11:37.838: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=activate-service"
Oct 11 14:11:37.838: RADIUS:  Vendor, Cisco       [26]  49
Oct 11 14:11:37.838: RADIUS:   Cisco AVpair       [1]   43  "subscriber:service-name=NAMED_ACL_SERVICE"
Oct 11 14:11:37.838: COA: Message Authenticator missing or failed decode

I can do COA successfully for tagged or named ACLs defined directly, so
overall I feel it is a syntax issue.

Any suggestions appreciated.
Jay
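Added example (not from the original post, and not FreeRADIUS or Cisco code): the last debug line above says the NAS rejected the CoA-Request because Message-Authenticator (attribute 80) was missing or undecodable, which is a different failure from a wrong service name. The script below encodes exactly the four attributes from the request above as raw RADIUS bytes (the encoded lengths come out as the 18, 43/37 and 49/43 the ASR debug printed), signs the packet as RFC 5176 section 3 and FreeRADIUS's own signing order do it (HMAC-MD5 Message-Authenticator over the packet with the Authenticator field and the attribute value zeroed, then the Request Authenticator as MD5 over the packet plus the secret), and checks it the way a NAS would. The shared secret, packet identifier and the "@" in the user name (the list archive renders it as " at ") are assumptions.

```python
"""Build and verify a RADIUS CoA-Request carrying Message-Authenticator.

Added example; not code from the original post, FreeRADIUS or Cisco.
The shared secret and identifier are made-up values for the demo.
"""
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43           # RFC 5176
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579, HMAC-MD5 over the packet
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                 # vendor type of "cisco-avpair"

SECRET = b"testing123"           # assumed shared secret (constructed)


def attr(atype, value):
    """Encode one RADIUS TLV: Type(1) Length(1, incl. header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific(26) wrapping Vendor-Id 9 and a cisco-avpair string."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_coa_request(secret, identifier, attributes, with_message_authenticator=True):
    """Return a signed CoA-Request; optionally leave Message-Authenticator out."""
    body = b"".join(attributes)
    if with_message_authenticator:
        body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder value
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(body))
    pkt = bytearray(header + bytes(16) + body)                 # Authenticator = zeros
    if with_message_authenticator:
        # HMAC-MD5 keyed with the secret over the packet while both the
        # Authenticator field and the Message-Authenticator value are zero.
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # RFC 5176 s.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


def parse_attributes(pkt):
    """Yield (type, value, offset) for every attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen], pos))
        pos += alen
    return attrs


def verify_coa_request(pkt, secret):
    """Judge the request the way a NAS does; returns (ok, reason)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "bad length"
    if pkt[0] != CODE_COA_REQUEST:
        return False, "not a CoA-Request"
    zeroed = bytearray(pkt)
    zeroed[4:20] = bytes(16)
    expected = hashlib.md5(bytes(zeroed) + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False, "Request Authenticator mismatch (wrong shared secret?)"
    found = [(v, off) for t, v, off in parse_attributes(pkt) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return False, "Message Authenticator missing"
    value, off = found[0]
    if len(value) != 16:
        return False, "Message Authenticator failed decode"
    zeroed[off + 2:off + 18] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return False, "Message Authenticator mismatch"
    return True, "ok"


def jays_request(secret=SECRET, identifier=1, with_message_authenticator=True):
    """The four attributes from the debug output, encoded and signed."""
    attrs = [
        attr(ATTR_USER_NAME, b"jkuhne1@asr_5_61"),               # [1] 18
        attr(ATTR_ACCT_SESSION_ID, b"000003EE"),                 # [44] 10
        cisco_avpair("subscriber:command=activate-service"),     # [26] 43 / [1] 37
        cisco_avpair("subscriber:service-name=NAMED_ACL_SERVICE"),  # [26] 49 / [1] 43
    ]
    return build_coa_request(secret, identifier, attrs, with_message_authenticator)


if __name__ == "__main__":
    print(verify_coa_request(jays_request(), SECRET))
    print(verify_coa_request(jays_request(with_message_authenticator=False), SECRET))
```

With radclient the equivalent is to put `Message-Authenticator = 0x00` in the request file alongside the other attributes; radclient replaces the placeholder with the computed HMAC before sending.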

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco.com at lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Thanks for the reply.  Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"

  See the NAS documentation for how the NAS behaves.

> Any other thoughts on what I might be doing incorrectly?

  No idea.  The only goal in RADIUS is to get the "right" contents to
the NAS.  We document how to put things in the packet.  The NAS
documents what it needs in the packet.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html