[c-nsp] Rate limiting via radius
Paul Stewart
pstewart at nexicomgroup.net
Thu May 4 11:57:29 EDT 2006
I ran a debug on the router for radius and I get this:
May 4 11:50:12: RADIUS(00A7FEBF): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/211, len 178
May 4 11:50:12: RADIUS: authenticator 30 E3 95 B0 E4 A3 8C DB - 67 67 5E F8 1D 54 7E 68
May 4 11:50:12: RADIUS: Vendor, Cisco [26] 41
May 4 11:50:12: RADIUS: Cisco AVpair [1] 35 "client-mac-address=0012.3f09.6417"
May 4 11:50:12: RADIUS: Framed-Protocol [7] 6 PPP [1]
May 4 11:50:12: RADIUS: User-Name [1] 15 "xxxxxxxxxxxxxxx"
May 4 11:50:12: RADIUS: User-Password [2] 18 *
May 4 11:50:12: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
May 4 11:50:12: RADIUS: NAS-Port [5] 6 33554447
May 4 11:50:12: RADIUS: NAS-Port-Id [87] 10 "0/0/2/15"
May 4 11:50:12: RADIUS: Service-Type [6] 6 Framed [2]
May 4 11:50:12: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
May 4 11:50:12: RADIUS: Acct-Session-Id [44] 19 "0/0/2/15_014ECBD2"
May 4 11:50:12: RADIUS: Nas-Identifier [32] 25 "acs1-con-mb.nexicom.net"
May 4 11:50:12: RADIUS: Received from id 1645/211 216.168.xxx.xxx:1812, Access-Accept, len 247
May 4 11:50:12: RADIUS: authenticator 2C F0 71 D9 E2 FE AD 08 - 7F 6E F7 68 2B 9B A4 9A
May 4 11:50:12: RADIUS: Service-Type [6] 6 Framed [2]
May 4 11:50:12: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
May 4 11:50:12: RADIUS: Vendor, Cisco [26] 107
May 4 11:50:12: RADIUS: Cisco AVpair [1] 101 "lcp:interface-config#1=rate-limit input 256000 7500 7500 conform-action transmit exceed-action drop"
May 4 11:50:12: RADIUS: Vendor, Cisco [26] 108
May 4 11:50:12: RADIUS: Cisco AVpair [1] 102 "lcp:interface-config#2=rate-limit output 512000 7500 7500 conform-action transmit exceed-action drop"
May 4 11:50:12: RADIUS(00A7FEBF): Received from id 1645/211
May 4 11:50:12: RADIUS/ENCODE(00A7D4DC):Orig. component type = VPDN
May 4 11:50:12: RADIUS(00A7D4DC): Config NAS IP: 216.168.xxx.xxx
May 4 11:50:12: RADIUS(00A7D4DC): Config NAS IP: 216.168.xxx.xxx
May 4 11:50:12: RADIUS: Received from id 1646/175 216.168.xxx.xxx:1813, Accounting-response, len 20
It looks like radius is sending the information forward....
How do I check specifically the "network authorization" is enabled? I
believe it is, but want to clarify its function and command
structure.... As I do have:
aaa authorization network Nexicom group Nexicom
In the configuration??
Thanks :)
Paul
-----Original Message-----
From: Oliver Boehmer (oboehmer) [mailto:oboehmer at cisco.com]
Sent: Thursday, May 04, 2006 11:43 AM
To: Paul Stewart; Kristofer Sigurdsson
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate limiting via radius
do you have network authorization enabled?
If you send "lcp:interface-config=rate-limit output access-group 101
64000 1 6000 32000 conform-action transmit exceed-action drop", you need
to define acl 101 on your router locally.
"debug radius authentication", "debug aaa authorization" and "debug aaa
per-user" should give you some hints on what is going on.
oli
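An added example, not part of the original posts: a small Python check that rejoins mail-wrapped "debug radius" lines, pulls the lcp:interface-config commands out of the Access-Accept, and lists any ACL numbers they reference, since those ACLs must be defined locally on the router. The sample log is constructed (192.0.2.10 is a placeholder address), and the names unwrap, accepted_interface_config and referenced_acls are hypothetical.

```python
import re

# Constructed sample modelled on the debug output in this thread.
SAMPLE = '''\
May 4 11:50:12: RADIUS: Received from id 1645/211 192.0.2.10:1812,
Access-Accept, len 247
May 4 11:50:12: RADIUS: Vendor, Cisco [26] 107
May 4 11:50:12: RADIUS: Cisco AVpair [1] 101
"lcp:interface-config#1=rate-limit input 256000 7500 7500 conform-action
transmit exceed-action drop"
May 4 11:50:12: RADIUS: Vendor, Cisco [26] 108
May 4 11:50:12: RADIUS: Cisco AVpair [1] 102
"lcp:interface-config#2=rate-limit output access-group 101 64000 1 6000
32000 conform-action transmit exceed-action drop"
May 4 11:50:12: RADIUS: Received from id 1646/175 192.0.2.10:1813,
Accounting-response, len 20
'''

STAMP = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d: ')
AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"lcp:interface-config(?:#\d+)?=(.*)"')

def unwrap(text):
    """Rejoin wrapped lines: a new record always starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return records

def accepted_interface_config(text):
    """Return interface-config commands carried inside Access-Accept packets."""
    in_accept, cmds = False, []
    for rec in unwrap(text):
        if 'Received from id' in rec or 'Send Access-Request' in rec:
            in_accept = 'Access-Accept' in rec  # packet boundary seen
        m = AVPAIR.search(rec)
        if in_accept and m:
            cmds.append(m.group(1))
    return cmds

def referenced_acls(cmds):
    """ACL numbers named by 'access-group N' in the pushed commands."""
    return sorted({int(n) for c in cmds for n in re.findall(r'access-group (\d+)', c)})

if __name__ == "__main__":
    cmds = accepted_interface_config(SAMPLE)
    print(cmds, "needs local ACLs:", referenced_acls(cmds))
```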