ACS5 - Returning multiple Framed-Route RADIUS attributes

Paul Masterton · ‎01-25-2013

Hello All,

I've got a load of internal users in my ACS boxes. I've added Framed-Route as a variable in the Internal User dictionary and use it as a dynamic variable in my Authorzation Profiles as a RADIUS attribute. Now, a couple of users need two Framed-Routes, what's the right way to accomodate this?

I know I can return multiple Framed-Route attributes in the profile, but only one or two users need multiple Framed-Routes. I could add an optional "Framed-Route2" to the dictionary and give the Authorzation Profile a second Framed-Route attribute, but then for all the other users ACS will be returning two Framed-Route attributes, one of which will be empty (and uneccasry) and I'm not sure how upstream devices will interpret this?

Is there a better way to do this? Or will ACS not send the attribute if the value is empty? Any ideas?

Cheers all!

jrabinow · ‎01-26-2013

Will answer in brief assuming you have the basic configuration in place

Defined a second user attribute called Framed-Route-2. Give a default value that won't in fact be a real IP address that is used; say 0.0.0.0

Prepare two authorization profiles; one with one framed route from the first user attribute; the second with 2 framed route attributes: using both the first and second user attribute

In authoirzation policy have a rule like

if "user attribute 2" is not equal to defaultl value (0.0.0.0) then use authorization profile with two frame attributes

else use the one with a single framed attribute

Paul Masterton · ‎01-27-2013

That's a great answer, much more elegant than where my mind was going!

Two quick questions...

Does that mean ACS returns both attributes if defined in the profile, even if one has an empty value?
Any reason to use "0.0.0.0" as a default over just blank ("") as Framed-Route is a string value? (It just seems cleaner to leave it empty than put a fake value in if not used... I think)

Thanks again!