Notifying RADIUS of AAA Failure

If a user passes RADIUS authentication, but fails AAA authentication, the RADIUS server may still allocate an address for the user from its internal address pool. To indicate to the RADIUS server to free the address, you can set up the router to send an Acct-Stop message if a user fails AAA.

aaa accounting acct-stop on-aaa-failure

• Use to cause the router to send an Acct-Stop message if a user fails AAA, but RADIUS grants access.
• Example

  host1:vr17(config)#aaa accounting acct-stop on-aaa-failure disable

• Use the no version to return to the default value, enabled.
• See aaa accounting acct-stop on-aaa-failure

aaa accounting acct-stop on-access-deny

• Use to cause the router to issue an Acct-Stop message if RADIUS denies access.
• Example

  host1:vr17(config)#aaa accounting acct-stop on-access-deny enable

• Use the no version to return to the default value, disabled.
• See aaa accounting acct-stop on-access-deny

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.