Hi Alan,

Thanks for the reply. Does it need to be configured on the NAS, or does the NAS accept that RADIUS is telling it "this is the policy to use"?

For Cisco ASR1K IOS-XE NAS, I understand the following command is needed to tell the NAS to accept RADIUS policy vs. looking local: "aaa authorization subscriber-service default group RADIUS_GROUP"

Any other thoughts on what I might be doing incorrectly? At the moment I execute the following, with "coa" being the filename for the contents below:

    ssh -x -l root erbu-freerad-10 /usr/local/bin/radclient -x -t 20 -n 30 -c 1 -p 30 -f /usr/local/etc/raddb/coa 5.28.6.10:1700 coa cisco

    Acct-Session-Id="000003EE"
    Service-Type += Outbound-User
    cisco-avpair="subscriber:command=activate-service"
    cisco-avpair="subscriber:service-name=ACL_NAMED_ POLICY"
    cisco-avpair="ip:inacl=IN_ACL_NAMED_v6_2"

Thanks again,
Jay

# NAS Config:

    aaa new-model
    !
    !
    aaa group server radius RADIUS_GROUP
     server-private 5.28.21.99 non-standard key cisco
     ip vrf forwarding Mgmt-intf
    !
    aaa authentication login default none
    aaa authentication ppp default group RADIUS_GROUP
    aaa authorization network default group RADIUS_GROUP
    aaa authorization subscriber-service default group RADIUS_GROUP
    !
    !
    !
    !
    aaa server radius dynamic-author
     client 5.28.21.99 vrf Mgmt-intf server-key cisco
     auth-type any
    !

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 2:52 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Do I need to define the service that I am referencing "v4_POLICY" elsewhere in freeradius?

  No. You're sending that to the NAS. The NAS interprets it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
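Added example, not part of the original thread: a sketch of how an RFC 5176 CoA-Request carrying the attributes from the "coa" file above is encoded, and how the receiver recomputes the Request Authenticator from the shared secret (the `server-key` on the NAS side). The function names are hypothetical; the attribute values and the secret are the ones shown in the message, and the packet identifier 1 is an assumption.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43       # RFC 5176 packet code
SERVICE_TYPE = 6       # RFC 2865
VENDOR_SPECIFIC = 26   # RFC 2865
ACCT_SESSION_ID = 44   # RFC 2866
CISCO_VENDOR_ID = 9    # Cisco enterprise number
CISCO_AVPAIR = 1       # vendor sub-type used for cisco-avpair


def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-avpair string in a Vendor-Specific attribute."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Authenticator = MD5(code, id, length, 16 zero bytes, attributes, secret)."""
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_coa(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator the way the receiving side does."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


def sample_packet() -> bytes:
    # Values copied from the "coa" file in the message above.
    attrs = (
        attr(ACCT_SESSION_ID, b"000003EE")
        + attr(SERVICE_TYPE, struct.pack("!I", 5))  # 5 = Outbound-User
        + cisco_avpair("subscriber:command=activate-service")
        + cisco_avpair("ip:inacl=IN_ACL_NAMED_v6_2")
    )
    return build_coa(1, attrs, b"cisco")
```

A request built with a secret that differs from the receiver's key, or altered after it was built, fails `verify_coa`.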

