Hi Alan and all,
This is just a follow-up; here is the config which works for
Service-Logon with Cisco AVP.
The "A" vs "N" in front of the service name determines whether the service
is applied at bring-up (AutoLogon) or applied via COA afterwards.
test...@asr_domain1 Cleartext-Password := "hello1"
        Service-Type += Framed-User,
        Framed-Protocol += PPP,
        Cisco-Account-Info += "ASERVICE_USR1",
        Cisco-Account-Info += "NSERVICE_USR1_NET",
        Framed-IPv6-Prefix += "0015:0000:0000:0000:0000:0000:0000:0000/64",
        Fall-Through = no

SERVICE_USR1 Cleartext-Password := "cisco"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50001",
        cisco-avpair += "ipv6:inacl#3=permit tcp any 2001:0DB8:bb00:1::/64 eq 23",
        cisco-avpair += "ipv6:inacl#4=permit ipv6 any 2003:1:2::0/48",
        cisco-avpair += "ipv6:inacl#5=permit udp any eq 546 any eq 547",
        cisco-avpair += "ipv6:outacl#1=permit ipv6 any 15::0/64",
        cisco-avpair += "ipv6:outacl#2=permit tcp any 1::1/64 eq 50001",
        cisco-avpair += "ipv6:outacl#3=permit tcp 2001:0DB8:bb00:1::/64 any eq 23",
        cisco-avpair += "ipv6:outacl#4=permit ipv6 2003:1:2::0/48 any",
        cisco-avpair += "ipv6:outacl#5=permit udp any eq 546 any eq 547"

SERVICE_USR1_NET Cleartext-Password := "cisco"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50002"
COA service activation is simply the following with Radclient:

        User-Name += "tes...@asr_domain1"
        Service-Type += Outbound-User
        Acct-Session-Id = "000003F5"
        cisco-avpair += "subscriber:command=deactivate-service"
        cisco-avpair += "subscriber:service-name=SERVICE_USR1_NET"

Cheers,
Jay
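
The "A"/"N" prefix rule in the message above, as an added example that is not part of the original post or of FreeRADIUS: a Python check that reads users-file entries, separates auto-logon services from those applied via COA, and flags a Cisco-Account-Info service with no matching profile entry. The sample entries, all names in them, and the helpers `parse_users` and `check_services` are constructed for illustration.

```python
import re

# Constructed sample in users-file syntax, modelled on the config above; names are placeholders.
SAMPLE = '''\
sub1@example Cleartext-Password := "hello1"
    Service-Type += Framed-User,
    Cisco-Account-Info += "ASVC_BASE",
    Cisco-Account-Info += "NSVC_NET",
    Cisco-Account-Info += "NSVC_TYPO",
    Fall-Through = no

SVC_BASE Cleartext-Password := "cisco"
    Service-Type += Outbound-User,
    cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any"

SVC_NET Cleartext-Password := "cisco"
    Service-Type += Outbound-User,
    cisco-avpair += "ipv6:inacl#1=permit tcp 1::1/64 any eq 50002"
'''

ITEM = re.compile(r'([\w-]+)\s*(?:\+=|:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')

def parse_users(text):
    """Return {entry name: [(attribute, value), ...]} for the reply items."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():        # unindented line opens a new entry
            current = line.split()[0]
            entries[current] = []
        elif current and (m := ITEM.match(line.strip())):
            entries[current].append((m[1].lower(), m[2] if m[2] is not None else m[3]))
    return entries

def check_services(entries):
    """Split Cisco-Account-Info services by prefix and list missing profiles."""
    auto, via_coa, problems = [], [], []
    for name, items in entries.items():
        for attr, value in items:
            if attr != 'cisco-account-info' or value[:1] not in ('A', 'N'):
                continue                 # only the A/N codes from the message
            prefix, service = value[0], value[1:]
            (auto if prefix == 'A' else via_coa).append(service)
            if service not in entries:   # no entry of that name in this file
                problems.append(f'{name}: no profile for service {service}')
    return auto, via_coa, problems

if __name__ == '__main__':
    print(check_services(parse_users(SAMPLE)))
```
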
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon
Jay Kuhne (jkuhne) wrote:
> Thanks for the reply. Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"
See the NAS documentation for how the NAS behaves.
> Any other thoughts on what I might be doing incorrectly?
No idea. The only goal in RADIUS is to get the "right" contents to
the NAS. We document how to put things in the packet. The NAS
documents what it needs in the packet.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html