Notifying RADIUS of AAA Failure

If a user passes RADIUS authentication, but fails AAA authentication, the RADIUS server may still allocate an address for the user from its internal address pool. To indicate to the RADIUS server to free the address, you can set up the router to send an Acct-Stop message if a user fails AAA.

aaa accounting acct-stop on-aaa-failure

Use to cause the router to send an Acct-Stop message if a user fails AAA, but RADIUS grants access.
Example
host1:vr17(config)#aaa accounting acct-stop on-aaa-failure disable
Use the no version to return to the default value, enabled.
See aaa accounting acct-stop on-aaa-failure

aaa accounting acct-stop on-access-deny

Use to cause the router to issue an Acct-Stop message if RADIUS denies access.
Example
host1:vr17(config)#aaa accounting acct-stop on-access-deny enable
Use the no version to return to the default value, disabled.
See aaa accounting acct-stop on-access-deny