
Prefer OSPF route over per-user static route (Injected via Radius)



Have a client's site with Eth (Primary) + DSL (Redundant) tails terminating in a VRF (same PE). We are running OSPF over the Eth service, with the CE advertising LAN subnets, and the DSL service is injecting the same LAN subnets on auth via Radius. Our issue is that the Radius-injected routes are being preferred over the OSPF routes:


Preferred via DSL:

U [1/0] via   <-- When DSL service is connected

Disconnect DSL and Eth (OSPF route) is preferred:

O E2 [110/1] via, 00:00:02, Port-channel1.91 <-- DSL has been disconnected.

Tried manipulating OSPF advertisements from the CE (default-metric 1), but obviously the per-user static is 1/0, so it is still preferred.

Is there a way to add weight to the avpair Radius reply? Tried the following, but it fails to connect:

route=" 254"

Hoping there is some way to make the DSL routes less attractive than the OSPF routes.

Thanks in advance.


Giuseppe Larosa

Hello John,

Most specific routes are used first regardless of administrative distance settings. If possible, you should try to inject via Radius less specific routes than those learned by OSPF. This should fix your problem.

Hope to help


Thanks Giuseppe - do you know if it is possible to inject a less specific route via Radius with the av-pair reply attribute?


Sorted it out - the following works like a charm.

cisco-avpair = "ip:route= 254 name test"

Peter Paluch

Hi John,

Are you suggesting that you have simply extended the avpair content to the form of a usual ip route command including the administrative distance and even the route name - and it got accepted? That is fabulous - you're a genius! I've browsed over the Cisco website and tried to google out any usable information but every page staunchly maintained that the syntax of the route# avpair is rather terse. This is not even in the official Cisco documentation.

I am glad you got it running and thanks for letting all of us know the solution!

Best regards,


Hi Peter,

Yes, Cisco docs are a little light on this subject, so I tried a few variations, and the avpair above was accepted... the "framed-route" reply attribute is very restrictive.

LNS is 7200, with Radiator radius server.

FYI, radius logs, after successful auth and with routes etc.

Code:       Access-Accept
Identifier: 152
Authentic:  y<12><31><180><31>~<192><160><9><14><197><17><13>9YS
        Framed-IP-Address =
        cisco-avpair = "lcp:interface-config=ip vrf forwarding REGENTS \nip unnumbered Loopback35"
        cisco-avpair = "ip:route= 254 name REGENTS_LAN"
        cisco-avpair = "ip:route= 254 name REGENTS_LAN"
        cisco-avpair = "ip:route= 254 name REGENTS_LAN"
        cisco-avpair = "ip:route= 254 name REGENTS_MNGMT"
        Framed-Protocol = PPP
        Framed-IP-Netmask =
        Framed-Routing = None
        Framed-MTU = 1500     
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User

Hello John,

Very good job.

As Peter has noted, you have been very kind to provide feedback on this.

with less specific route I meant for example to advertise a instead of so that when OSPF comes back its most specific route is used.

But your solution is better because it can work in any case; my suggestion can be used if the address plan allows for use of these less specific summary routes (no overlapping with another remote site).

I had used a similar setup for ISDN backup access to MPLS VPN involving a Radius server but without L2TP (direct access).

Hope to help
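
The two fixes discussed in this thread, modelled as an added example that is not part of any post: for the same prefix the lowest administrative distance is installed, while forwarding always follows the longest matching prefix. The prefixes and host address are constructed documentation values; the distances 1, 110 and 254 are the ones quoted in the thread.

```python
import ipaddress

OSPF_AD = 110  # distance shown for the "O E2 [110/1]" route in the thread

def build_rib(candidates):
    """Per prefix, install the candidate with the lowest (distance, metric)."""
    rib = {}
    for source, prefix, distance, metric in candidates:
        net = ipaddress.ip_network(prefix)
        best = rib.get(net)
        if best is None or (distance, metric) < (best[1], best[2]):
            rib[net] = (source, distance, metric)
    return rib

def lookup(rib, destination):
    """Forwarding lookup: the longest matching prefix wins, whatever its distance."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    return rib[net][0], str(net)

# Constructed addressing (RFC 5737 documentation range), not from the thread.
LAN = "192.0.2.0/25"      # subnet the CE advertises via OSPF
SUMMARY = "192.0.2.0/24"  # less specific route injected on the DSL session
HOST = "192.0.2.10"       # a host on the customer LAN

def scenario(dsl_routes, eth_up=True):
    """Return (source, prefix) used to reach HOST for the given DSL routes."""
    candidates = list(dsl_routes)
    if eth_up:
        candidates.append(("ospf", LAN, OSPF_AD, 1))
    return lookup(build_rib(candidates), HOST)

def results():
    return {
        "original [1/0]": scenario([("per-user", LAN, 1, 0)]),
        "distance 254": scenario([("per-user", LAN, 254, 0)]),
        "distance 254, Eth down": scenario([("per-user", LAN, 254, 0)], eth_up=False),
        "summary route": scenario([("per-user", SUMMARY, 1, 0)]),
        "summary route, Eth down": scenario([("per-user", SUMMARY, 1, 0)], eth_up=False),
    }

if __name__ == "__main__":
    for name, chosen in results().items():
        print(f"{name:26} -> {chosen}")
```
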


Hi,

I have the same issue of per-user static routes from AAA,

but I want to deny this from the router. What command should I put on the router so as to prevent the per-user route from being installed into the routing table?

I mean I want to still allow it from Radius but I want to deny it from the router?


Hi John,

Thanks for this valuable info, but I have a concern and need your help with it.

You mentioned that you can add a static route as below:

cisco-avpair = "ip:route= 254 name test"

But what about adding a static route under a VRF? Would it be something like below:

cisco-avpair = "ip:route= 254 vrf TEST name test"

Thanks again and waiting for your reply.