RADIUS Attributes Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
RADIUS Attributes Overview and RADIUS IETF Attributes
Last Updated: October 1, 2012
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which are stored on the RADIUS program. This chapter lists the RADIUS attributes that are supported.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
RADIUS Attributes Overview
IETF Attributes Versus VSAs
RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. All clients and servers that exchange AAA information using IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.
RADIUS vendor-specific attributes (VSAs) are derived from a vendor-specific IETF attribute (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes; that is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26. The newly created attribute is accepted if the user accepts attribute 26.
For more information on VSAs, refer to the chapter "RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values."
RADIUS Packet Format
The data between a RADIUS server and a RADIUS client is exchanged in RADIUS packets. The data fields are transmitted from left to right.
The figure below shows the fields within a RADIUS packet.
Each RADIUS packet contains the following information:
RADIUS Packet Types
The following list defines the various types of RADIUS packet types that contain attribute information:
Access-Request--Sent from a client to a RADIUS server. The packet contains information that allows the RADIUS server to determine whether to allow access to a specific network access server (NAS), which will allow access to the user. A user performing authentication must submit an Access-Request packet. After the Access-Request packet is received, the RADIUS server must forward a reply.
Access-Accept--After a RADIUS server receives an Access-Request packet, it must send an Access-Accept packet if all attribute values in the Access-Request packet are acceptable. Access-Accept packets provide the configuration information necessary for the client to provide service to the user.
Access-Reject--After a RADIUS server receives an Access-Request packet, it must send an Access-Reject packet if any of the attribute values are not acceptable.
Access-Challenge--After the RADIUS server receives an Access-Accept packet, it can send the client an Access-Challenge packet, which requires a response. If the client does not know how to respond or if the packets are invalid, the RADIUS server discards the packets. If the client responds to the packet, a new Access-Request packet must be sent with the original Access-Request packet.
Accounting-Request--Sent from a client to a RADIUS accounting server, which provides accounting information. If the RADIUS server successfully records the Accounting-Request packet, it must submit an Accounting-Response packet.
Accounting-Response--Sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully.
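The packet layout and exchange described above, worked through in an added Python example that is not from the Cisco guide: the header is Code(1), Identifier(1), Length(2) and a 16-byte Authenticator as laid out in RFC 2865, attributes follow as Type/Length/Value, a VSA is carried behind attribute 26, and a client checks the Response Authenticator of a reply before acting on it. The Code numbers and the MD5 construction of the Response Authenticator come from RFC 2865/2866, not from this page.

```python
import hashlib
import hmac
import struct
# Packet Code values (RFC 2865/2866) for the packet types listed above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as Type(1) Length(1) Value; Length counts its 2-byte header."""
    if any(len(v) > 253 for _, v in attrs):
        raise ValueError("attribute value too long for a one-byte Length")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def vsa(vendor_id, vendor_type, value):
    """Wrap a vendor attribute behind IETF attribute 26: Vendor-Id(4), then Vendor-Type/Length/Value."""
    return (26, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)

def build_packet(code, identifier, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16); the attributes follow."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def response_authenticator(code, identifier, request_auth, attr_bytes, secret):
    """RFC 2865 s3: MD5 over the reply header, the request's Authenticator, the attributes and the shared secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def parse_packet(raw):
    """Return (code_name, identifier, authenticator, attrs); a VSA is returned as (26, vendor_id, vtype, value)."""
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):       # bytes beyond Length are padding; a short packet is invalid
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute")
        t, l = raw[pos], raw[pos + 1]
        v = raw[pos + 2:pos + l]
        if t == 26 and len(v) >= 6:
            vid, vt, vl = struct.unpack("!IBB", v[:6])
            attrs.append((26, vid, vt, v[6:4 + vl]))
        else:
            attrs.append((t, v))
        pos += l
    return CODES.get(code, code), identifier, raw[4:20], attrs

def verify_reply(reply, request_auth, secret):
    """Client-side check: discard any reply whose Response Authenticator does not match."""
    code, identifier, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])
```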
Understanding the types of files used by RADIUS is important for communicating AAA information from a client to a server. Each file defines a level of authentication or authorization for the user. The dictionary file defines which attributes the user's NAS can implement, the clients file defines which users are allowed to make requests to the RADIUS server, and the users file defines which user requests the RADIUS server will authenticate based on security and configuration data.
A dictionary file provides a list of attributes that are dependent on which attributes your NAS supports. However, you can add your own set of attributes to your dictionary for custom solutions. It defines attribute values, so you can interpret attribute output such as parsing requests. A dictionary file contains the following information:
When the data type for a particular attribute is an integer, you can optionally expand the integer to equate to some string. The following sample dictionary includes an integer-based attribute and its corresponding values.
# dictionary sample of integer entry
#
ATTRIBUTE Service-Type 6 integer
VALUE Service-Type Login 1
VALUE Service-Type Framed 2
VALUE Service-Type Callback-Login 3
VALUE Service-Type Callback-Framed 4
VALUE Service-Type Outbound 5
VALUE Service-Type Administrative 6
VALUE Service-Type NAS-Prompt 7
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Callback-NAS-Prompt 9
VALUE Service-Type Call-Check 10
VALUE Service-Type Callback-Administrative 11
A clients file contains a list of RADIUS clients that are allowed to send authentication and accounting requests to the RADIUS server. To receive authentication, the name and authentication key that the client sends to the server must be an exact match with the data contained in the clients file.
The following is an example of a clients file. The key, as shown in this example, must be the same as the key configured with the radius-server key SomeSecret command.
#Client Name         Key
#----------------    ---------------
10.1.2.3:256         test
nas01                bananas
nas02                MoNkEys
nas07.foo.com        SomeSecret
A RADIUS users file contains an entry for each user that the RADIUS server will authenticate; each entry, which is also known as a user profile, establishes an attribute the user can access.
The first line in any user profile is always a "user access" line; that is, the server must check the attributes on the first line before it can grant access to the user. The first line contains the name of the user, which can be up to 252 characters, followed by authentication information such as the password of the user.
Additional lines, which are associated with the user access line, indicate the attribute reply that is sent to the requesting client or server. The attributes sent in the reply must be defined in the dictionary file. When looking at a user file, note that the data to the left of the equal (=) character is an attribute defined in the dictionary file, and the data to the right of the equal character is the configuration data.
The following is an example of a RADIUS user profile (Merit Daemon format). In this example, the user name is company.com, the password is user1, and the user can access five tunnel attributes.
# This user profile includes RADIUS tunneling attributes
company.com Password="user1" Service-Type=Outbound
    Tunnel-Type = :1:L2TP
    Tunnel-Medium-Type = :1:IP
    Tunnel-Server-Endpoint = :1:10.0.0.1
    Tunnel-Password = :1:"welcome"
    Tunnel-Assignment-ID = :1:"nas"
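An added Python example, not from the Cisco guide, that reads a dictionary and a Merit-format user profile of the shapes shown above: integer VALUE names such as Outbound are resolved to their numbers, the :1: tag prefix on the tunnel attributes is separated out, and a reply attribute that is not defined in the dictionary is rejected. The Service-Type entries are cut down from the sample above; the tunnel attribute numbers (64, 65, 67, 69, 82) and the L2TP and IP values are taken from RFC 2868, which this page does not list.

```python
import re

# Constructed dictionary: the Service-Type sample above (cut down) plus the RFC 2868 tunnel attributes.
DICTIONARY = """ATTRIBUTE Service-Type 6 integer
VALUE Service-Type Outbound 5
ATTRIBUTE Tunnel-Type 64 integer
VALUE Tunnel-Type L2TP 3
ATTRIBUTE Tunnel-Medium-Type 65 integer
VALUE Tunnel-Medium-Type IP 1
ATTRIBUTE Tunnel-Server-Endpoint 67 string
ATTRIBUTE Tunnel-Password 69 string
ATTRIBUTE Tunnel-Assignment-ID 82 string"""
# Constructed Merit-format profile: the user access line, then indented reply attributes.
USERS = """company.com Password="user1" Service-Type=Outbound
    Tunnel-Type = :1:L2TP
    Tunnel-Medium-Type = :1:IP
    Tunnel-Server-Endpoint = :1:10.0.0.1
    Tunnel-Password = :1:"welcome"
    Tunnel-Assignment-ID = :1:"nas"
"""

def parse_dictionary(text):
    """Map attribute name -> {"type": number, "datatype": str, "values": {value_name: int}}."""
    attrs = {}
    for fields in (line.split() for line in text.splitlines()):
        if fields and fields[0] == "ATTRIBUTE":
            attrs[fields[1]] = {"type": int(fields[2]), "datatype": fields[3], "values": {}}
        elif fields and fields[0] == "VALUE":
            attrs[fields[1]]["values"][fields[2]] = int(fields[3])
    return attrs

def parse_users(text, dictionary):
    """Map user -> (check_items, [(attr_number, tag, value)]); reply values resolve via the dictionary."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                       # user access line: name, then check items
            name, _, check = line.partition(" ")
            current = users[name] = (dict(item.replace('"', "").split("=", 1) for item in check.split()), [])
            continue
        attr, _, raw = (p.strip() for p in line.partition("="))
        if attr not in dictionary:                      # reply attributes must be defined in the dictionary
            raise ValueError(f"{attr} is not defined in the dictionary")
        m = re.match(r":(\d+):(.*)", raw)               # RFC 2868 tag prefix such as :1:L2TP
        tag, raw = (int(m.group(1)), m.group(2)) if m else (None, raw)
        entry = dictionary[attr]
        value = entry["values"][raw] if entry["datatype"] == "integer" else raw.strip('"')
        current[1].append((entry["type"], tag, value))
    return users
```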
RADIUS IETF Attributes
Supported RADIUS IETF Attributes
Table 1 lists Cisco-supported IETF RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.
Refer to Table 2 for a description of each listed attribute.
1 This RADIUS attribute complies with the following two draft IETF documents: RFC 2868 RADIUS Attributes for Tunnel Protocol Support and RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support.
2 This RADIUS attribute complies with RFC 2865 and RFC 2868.
Comprehensive List of RADIUS Attribute Descriptions
The table below lists and describes IETF RADIUS attributes. In cases where the attribute has a security server-specific format, the format is specified.
3 This RADIUS attribute complies with the following two IETF documents: RFC 2868, RADIUS Attributes for Tunnel Protocol Support, and RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support.
Feature Information for RADIUS Attributes Overview and RADIUS IETF Attributes
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.