[c-nsp] Rate limiting via radius

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu May 4 11:43:27 EDT 2006 

do you have network authorization enabled? 

If you send "lcp:interface-config=rate-limit output access-group 101
64000 1 6000 32000 conform-action transmit exceed-action drop", you need
to define acl 101 on your router locally.

"debug radius authentication", "debug aaa authorization" and "debug aaa
per-user" should give you some hints on what is going on. 

	oli

Paul Stewart <> wrote on Thursday, May 04, 2006 5:37 PM:

> Thanks for the reply...
> 
> The Radius server is sending it to the best of our knowledge but it's
> not showing up at all on the router.  Weird though, the test account
> slows down to a crawl but when I do a "show interface vi233
> rate-limit" it doesn't show anything....
> 
> I have restarted etc. and it loads the users file no problem and
> doesn't complain about any issues...
> 
> Thanks,
> 
> Paul
> 
> 
> -----Original Message-----
> From: Kristofer Sigurdsson [mailto:kristosig at gmail.com]
> Sent: Thursday, May 04, 2006 11:03 AM
> To: Paul Stewart
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Rate limiting via radius
> 
> We're using FreeRADIUS and have no problems at all (not rate limiting,
> but using other interface commands).
> 
> If you have more AV-Pair attributes, you might have to use "+=" add
> new ones.
> 
> What exactly is not working?  Is the RADIUS server delivering it
> correctly and the router not using it, or do you have problems getting
> the RADIUS server to deliver?  Do you have a sample output from the
> RADIUS server?
> 
> -Kristo
> 
> 2006/5/4, Paul Stewart <pstewart at nexicomgroup.net>:
>> Thanks... We've had problems getting this to work but will continue
>> investigating.. 
>> 
>> Does anyone have a complete sample of this in a working radius config
>> file?  We're using Cistron if that matters...
>> 
>> Paul Stewart
>> IP Routing/Switching
>> Nexicom Inc.
>> http://www.nexicom.net/
>> 
>> -----Original Message-----
>> From: Kristofer Sigurdsson [mailto:kristosig at gmail.com]
>> Sent: Thursday, May 04, 2006 10:48 AM
>> To: Paul Stewart
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Rate limiting via radius
>> 
>> Maybe you could use RADIUS AV-pairs to put in rate limiting commands
>> on the virtual access interfaces?
>> 
>> Like so:
>> 
>> cisco-avpair = lcp:interface-config#1=rate-limit input [...]
>> 
>> 2006/5/4, Paul Stewart <pstewart at nexicomgroup.net>:
>>> Can anyone tell me what attributes I can use to do rate-limiting on
>>> our 7206VXR that's terminating DSL users both via PPPOE and
>>> PPPoVPDN? 
>> 
>>> Our 7206VXR has a number of l2tp tunnels coming in from our telco
>>> provider and also direct OC-3 termination from our own DSLAMS.
>>> 
>>> We need a way to limit on a per customer basis using Radius....
>>> 
>>> Thanks in advance,
>>> 
>>> Paul Stewart
>>> IP Routing/Switching
>>> Nexicom Inc.
>>> http://www.nexicom.net/
>>> 
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> 
>> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list