Prefer OSPF route over per-user static route(Injected via Radius)

Unanswered Question
Jan 19th, 2010
User Badges:


Have a clients site with Eth(PRimary)+DSL(Redundant) tails terminating in vrf(Same PE), We are running ospf over Eth service, with CE advertising LAN Subnets, and DSL service is injecting same LAN subnets on auth via Radius - Our issue is that the Radius injected routes are being preferred over the OSPF routes:


Preferred via DSL:

U [1/0] via   <-- When DSL service is connected

Disconnect DSL and Eth (OSPF route) is preferred:

O E2 [110/1] via, 00:00:02, Port-channel1.91 <-- DSL has been disconnected.

Tried manipulating ospf advertisements from ce (default-metric 1), but obviously per-user static is 1/0, so still prefered

Is there a way to add weight to avpair radius reply - Tried the following, but it fails to connect

route=" 254"

Hoping there is some way to make the DSL routes less attractive than the OSPF routes.

Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Giuseppe Larosa Wed, 01/20/2010 - 06:39
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello John,

most specific routes are used first regardless of Administrative distance settings. If possible you should try to inject via Radius less specific routes then those learned by  OSPF. This should fix your problem.

Hope to help


johnelliot6 Wed, 01/20/2010 - 14:06
User Badges:

Thank Giuseppe - Do you know if it is possible to inject less specific route via radius with av-pair reply attribute?

johnelliot6 Wed, 01/20/2010 - 14:27
User Badges:


Sorted it out -The following works like a charm.

cisco-avpair = "ip:route= 254 name test"

Peter Paluch Wed, 01/20/2010 - 15:43
User Badges:
  • Cisco Employee,

Hi John,

Are you suggesting that you have simply extended the avpair content to the form of an usual ip route command including the administrative distance and even the route name - and it got accepted? That is fabulous - you're a genius! I've browsed over the Cisco website and tried to google out any usable information but every page staunchly maintained that the syntax of the route# avpair is rather terse. This is not even in the official Cisco documentation

I am glad you got it running and thanks for having all of us know the solution!

Best regards,


johnelliot6 Wed, 01/20/2010 - 15:58
User Badges:

Hi Peter,

Yes, Cisco doc's are a little light on this subject, so tried a few variations, and the avpair above was accepted....the "framed-route" reply attribute is very restrictive.

LNS is 7200, with Radiator radius server.

FYI, radius logs, after successful auth and with routes etc.

Code:       Access-Accept
Identifier: 152
Authentic:  y<12><31><180><31>~<192><160><9><14><197><17><13>9YS
        Framed-IP-Address =
        cisco-avpair = "lcp:interface-config=ip vrf forwarding REGENTS \nip unnumbered Loopback35"
        cisco-avpair = "ip:route= 254 name REGENTS_LAN"
        cisco-avpair = "ip:route= 254 name REGENTS_LAN"
        cisco-avpair = "ip:route= 254 name REGENTS_LAN"
        cisco-avpair = "ip:route= 254 name REGENTS_MNGMT"
        Framed-Protocol = PPP
        Framed-IP-Netmask =
        Framed-Routing = None
        Framed-MTU = 1500     
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User

Giuseppe Larosa Thu, 01/21/2010 - 00:29
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello John,

very good job.

as Peter has noted you have been very kind to provide a feedback on this.

with less specific route I meant for example to advertise a instead of so that when OSPF comes back its most specific route is used.

But your solution is better because can work in any case, my  suggestion can be used if address plan allows for use of these less specific summary route (no overlapping with another remote site)

I had used a similar setup for ISDN backup access to MPLS VPN involving a radius server but without L2TP (direct access)

Hope to help


Ahmed M Alzaeem Tue, 11/06/2012 - 01:21
User Badges:

hi ,

i have the same issue of Per-user static routes from AAA ,

but i want to deny this issue from router , what command to put it on router so as to prevent the per-user route from being installed into routing table ??

i mean i want to still allow it from radius but i want to deny it from router ?


networksplanning Thu, 01/31/2013 - 01:04
User Badges:

Hi Lohn,

thanks for this valuable info, but please I have a concern and need your help for that ,

you mentioned that you can add static route as below :

cisco-avpair = "ip:route= 254 name test"

but what about adding static route under a vrf is it would be something like below :

cisco-avpair = "ip:route= 254 vrf TEST name test"

thanks again and waiting your repy


This Discussion

Related Content