One step closer by reverse-engineering a TAC example... but still not quite working
# "users" file - initial bring up
jkuh...@asr_5_61 Cleartext-Password := "hello1"
        Service-Type += Framed-User,
        Framed-Protocol += PPP,
        Cisco-Account-Info += "NAMED_ACL_SERVICE",
        Framed-IPv6-Prefix += "0015:0000:0000:0000:0000:0000:0000:0000/64",
        cisco-avpair += "ipv6:inacl#1=permit ipv6 15::0/64 any",
        cisco-avpair += "ipv6:inacl#2=permit tcp 1::1/64 any eq 50001",
        Fall-Through = no

DEFAULT Prefix == "NAMED_ACL_SERVICE"
        Service-Type += Outbound-User,
        cisco-avpair += "ipv6:inacl=IN_ACL_NAMED_v6_2"

#Able to see it on NAS
asr05#sh aaa service-profiles
<etc...>
1000> Service Name: asr_5_61
1001> Service Name: NAMED_ACL_SERVICE

# attempting COA
User-Name += "jkuh...@asr_5_61"
Acct-Session-Id="000003EE"
cisco-avpair += "subscriber:command=activate-service"
cisco-avpair += "subscriber:service-name=NAMED_ACL_SERVICE"

# Radius Debug:
Oct 11 14:11:37.838: COA: 5.28.21.99 request queued
Oct 11 14:11:37.838: RADIUS: authenticator 43 98 88 99 AE 20 8E CA - DE 91 37 88 E8 74 93 D8
Oct 11 14:11:37.838: RADIUS: User-Name [1] 18 "jkuh...@asr_5_61"
Oct 11 14:11:37.838: RADIUS: Acct-Session-Id [44] 10 "000003EE"
Oct 11 14:11:37.838: RADIUS: Vendor, Cisco [26] 43
Oct 11 14:11:37.838: RADIUS: Cisco AVpair [1] 37 "subscriber:command=activate-service"
Oct 11 14:11:37.838: RADIUS: Vendor, Cisco [26] 49
Oct 11 14:11:37.838: RADIUS: Cisco AVpair [1] 43 "subscriber:service-name=NAMED_ACL_SERVICE"
Oct 11 14:11:37.838: COA: Message Authenticator missing or failed decode

I can do COA successfully for tagged or named ACLs defined directly, so overall feel it is a syntax issue.

Any suggestions appreciated.

Jay

-----Original Message-----
From: freeradius-users-bounces+jkuhne=cisco....@lists.freeradius.org [mailto:freeradius-users-bounces+jkuhne=cisco....@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Saturday, October 09, 2010 7:51 AM
To: FreeRadius users mailing list
Subject: Re: Service-Logon

Jay Kuhne (jkuhne) wrote:
> Thanks for the reply. Does it need to be configured on the NAS or the
> NAS accepts Radius is telling it "this is the policy to use"

See the NAS documentation for how the NAS behaves.

> Any other thoughts on what I might be doing incorrectly?

No idea. The only goal in RADIUS is to get the "right" contents to the NAS. We document how to put things in the packet. The NAS documents what it needs in the packet.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
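
The debug output in the message above ends with "COA: Message Authenticator missing or failed decode". As an added example (not part of the original thread, and not FreeRADIUS or Cisco code), the Python below encodes the CoA attributes from the post, adds a Message-Authenticator computed as RFC 5176 specifies for a CoA-Request, and classifies a packet as missing, invalid or ok. The shared secret and packet identifier are constructed values.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43               # RADIUS code for CoA-Request (RFC 5176)
MESSAGE_AUTHENTICATOR = 80     # attribute type (RFC 3579)
VENDOR_SPECIFIC, CISCO, CISCO_AVPAIR = 26, 9, 1
ZERO16 = b"\x00" * 16

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text):
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + vsa)

def build_coa_request(ident, attrs, secret):
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, ZERO16)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    # HMAC-MD5 over the packet with the Request Authenticator and the
    # Message-Authenticator value both taken as sixteen zero octets.
    mac = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Request Authenticator = MD5(code + id + length + 16 zeros + attrs + secret)
    req_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + req_auth + body

def check_message_authenticator(packet, secret):
    """Return 'missing', 'invalid' or 'ok' for a CoA-Request packet."""
    pos, zeroed, received = 20, bytearray(packet), None
    zeroed[4:20] = ZERO16
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return "invalid"                      # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = ZERO16
        pos += a_len
    if received is None:
        return "missing"
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "invalid"

# Constructed sample: attributes as listed in the post; secret and id are made up.
SECRET = b"constructed-secret"
ATTRS = [attr(1, b"jkuh...@asr_5_61"), attr(44, b"000003EE"),
         cisco_avpair("subscriber:command=activate-service"),
         cisco_avpair("subscriber:service-name=NAMED_ACL_SERVICE")]
PACKET = build_coa_request(1, ATTRS, SECRET)
```

The encoded attribute lengths (18, 10, 43, 49) match the lengths shown in the NAS debug, so the same checker can be pointed at the bytes of a captured CoA-Request together with the secret configured on the NAS.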