Hugh Irvine wrote:
> Ciscos are very picky about the attributes they receive in an Access-Accept -
> They *require* that the Service-Type in the reply match the Service-Type in the
> request. In the debug output we can see that the Service-Type = Framed-User
> arrives in the Access-Request, but the reply does not include the same
> Service-Type = Framed-User.
> 
> It is not obvious in your configuration file where the reply attributes are
> coming from, but you will have to add the Service-Type to make the Cisco happy.
> 

Cisco's AAA implementation is a generic layer on top of RADIUS or TACACS+
as sub-layers, but with concepts inspired by TACACS+, where Authentication
and Authorization are clearly separated. The difference between
Authentication and Authorization is not so obvious in RADIUS, and
sometimes it creates some confusion when working with Cisco routers.

Cisco routers are also very happy with Cisco financial results. :)

Félix
______________________________________________________________________
DATAGRAMA SERVICIOS GLOBALES IP
C/ Acer 30                                       Pho: +34 93 223 00 98
08038 Barcelona ( SPAIN )                        Fax: +34 93 223 12 66
mailto:[EMAIL PROTECTED]               http://www.datagrama.net
______________________________________________________________________

Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
