Hello, this topic may be somewhat OT, but I assume that some of you are familiar with Cisco's SSG feature and maybe could help me and answer some key questions. We are preparing a network configuration whose core is based on FreeRADIUS (1.0) and a Cisco 2651 router (IOS 12.3(8)). Our main functionality is to serve prepaid services.
I configured the router to support sending service authorization requests (quota requests) to a different RADIUS server. Because we don't want to put too much business logic into FreeRADIUS, we are preparing to develop our own RADIUS functionality for the billing server (receiving service authorization requests and sending back answers with the quota that is allowed for the requested user and requested service). I think this is a good idea - if not, please correct me.

As I found in the SSG logging information, SSG first sends an authentication request to authenticate the user with its IP as username, and the globally configured password, to our RADIUS server (FreeRADIUS 1.0). FreeRADIUS responds with Access-Accept and some VSA attributes that define which services the user should be subscribed to. At the beginning SSG has no service definition, so it downloads it from our FreeRADIUS. The service profile contains the "Z" value in the Service-Info VSA, which means that it should be authorized for the requesting user.

In the next step, SSG tries to authorize the service for this user. This request is sent to another host (for now it is dumb and no process is listening on the socket, so I'm prepared for no response to be sent :-) but I'm only looking at the debug information). One thing is not clear in the packet that SSG sends to this host. It contains the name of the service, the accounting session id, and a few other attributes, but no User-Name attribute. It isn't necessary to have this User-Name because we can compute it from the accounting session id, but this is strange to me. If it is normal, please correct me.

This is some of my SSG configuration:

! AAA prepaid group definition
aaa group server radius group-prepaid
 server 172.16.0.2 auth-port 1812 acct-port 1813
aaa authorization network ssg_sg_prepaid_author_internal group noc-prepaid
! turning on group-prepaid for SSG prepaid
ssg aaa group prepaid group-prepaid
! RADIUS definition
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server host 172.16.0.2 auth-port 1812 acct-port 1813 key mysecret
radius-server vsa send accounting
radius-server vsa send authentication
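As an added example (not from the original post, nor Cisco's or FreeRADIUS's code), here is a small Python decoder for the kind of service authorization request described above: it unpacks RFC 2865 attributes and Cisco (vendor 9) VSAs from a datagram and reports whether User-Name is present, which is the first thing a home-grown billing server should check. The attribute numbers are the standard ones; the Acct-Session-Id and Cisco-Service-Info values in the sample packet are constructed placeholders, not SSG's real encoding.

```python
import struct

VENDOR_CISCO = 9            # IANA enterprise number carried in Cisco VSAs
ATTR_NAMES = {1: "User-Name", 26: "Vendor-Specific", 44: "Acct-Session-Id"}
CISCO_SUB_NAMES = {1: "Cisco-AVPair", 250: "Cisco-Account-Info",
                   251: "Cisco-Service-Info", 253: "Cisco-Control-Info"}

def parse_radius(packet: bytes) -> dict:
    """Decode the header and attribute list of an RFC 2865 packet; Cisco VSAs are
    unpacked into their type/length/value sub-attributes. Raises ValueError on
    malformed input instead of trusting the on-wire length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            sub = value[4:]                       # Cisco sub-attributes: type, length, value
            while len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    raise ValueError("malformed Cisco VSA")
                attrs.append((CISCO_SUB_NAMES.get(stype, "Cisco-%d" % stype), sub[2:slen]))
                sub = sub[slen:]
        else:
            attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def summarize_request(packet: bytes) -> dict:
    """The checks a billing server would make first on an SSG authorization request."""
    p = parse_radius(packet)
    names = [n for n, _ in p["attrs"]]
    get = lambda n: next((v.decode(errors="replace") for k, v in p["attrs"] if k == n), None)
    return {"is_access_request": p["code"] == 1, "has_user_name": "User-Name" in names,
            "session_id": get("Acct-Session-Id"), "service_info": get("Cisco-Service-Info")}

def build_packet(code, ident, authenticator, attrs):
    """Encode a packet from (type, value) pairs; used here only to build the sample."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def cisco_vsa(subtype, text):
    v = text.encode()
    return struct.pack("!I", VENDOR_CISCO) + bytes([subtype, len(v) + 2]) + v

# Constructed sample: an Access-Request with Acct-Session-Id (attribute 44, which the posted
# config includes in Access-Requests) and a Cisco-Service-Info VSA, but no User-Name.
SAMPLE_REQUEST = build_packet(1, 7, bytes(16), [(44, b"00000001"),
                                                 (26, cisco_vsa(251, "constructed-service"))])
```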