The Attribute Screening for Access Requests feature allows you to configure your network access server (NAS) to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Attribute Screening for Access Requests" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
•Prerequisites for Attribute Screening for Access Requests
•Restrictions for Attribute Screening for Access Requests
•Information About Attribute Screening for Access Requests
•How to Configure Attribute Screening for Access Requests
•Configuration Examples for Attribute Filtering for Access Requests
•Feature Information for Attribute Screening for Access Requests
Prerequisites for Attribute Screening for Access Requests
•You must be familiar with configuring attribute lists.
Restrictions for Attribute Screening for Access Requests
•Attributes 1 (User-Name), 2 (User-Password), and 3 (CHAP-Password) cannot be filtered.
Information About Attribute Screening for Access Requests
•Configuring a NAS to Filter Attributes in Outbound Access Requests
Configuring a NAS to Filter Attributes in Outbound Access Requests
The Attribute Screening for Access Requests feature allows you to configure your NAS to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization. The filters can be configured on the NAS, or they can be downloaded as vendor-specific attributes (VSAs) from the authentication, authorization, and accounting (AAA) server.
The following are some examples of the downloadable VSAs:
Cisco:Cisco-Avpair="ppp-authen-type=chap"
Cisco:Cisco-Avpair="ppp-authen-list=group 1"
Cisco:Cisco-Avpair="ppp-author-list=group 1"
Cisco:Cisco-Avpair="vpdn:tunnel-id=B53"
Cisco:Cisco-Avpair="vpdn:ip-addresses=10.0.58.35"
Note You must know which attributes you intend to filter. Filtering certain key attributes causes authentication to fail; for example, attribute 60 (CHAP-Challenge) should not be filtered.
How to Configure Attribute Screening for Access Requests
•Configuring Attribute Screening for Access Requests
•Configuring a Router to Support Downloadable Filters
•Monitoring and Maintaining Attribute Filtering for Access Requests
Configuring Attribute Screening for Access Requests
1. enable
2. configure terminal
3. radius-server attribute list listname
4. attribute value1 [value2 [value3...]]
5. aaa group server radius group-name
6. authorization [request | reply] [accept | reject] listname
or
accounting [request | reply] [accept | reject] listname
Use the request keyword to filter the Access Requests that the NAS sends to the servers in the group. With accept, only the attributes named in listname are sent; with reject, every attribute except those named in listname is sent.
Configuring a Router to Support Downloadable Filters
To configure your router to support downloadable filters, perform the following steps.
1. enable
2. configure terminal
3. aaa authorization template
4. aaa authorization network default group radius
5. radius-server attribute list list-name
6. attribute value1 [value2 [value3...]]
If attribute filtering is not working, ensure that the attribute list is properly defined.
Monitoring and Maintaining Attribute Filtering for Access Requests
To monitor and maintain attribute filtering, you can use the debug radius command.
1. enable
2. debug radius
Configuration Examples for Attribute Filtering for Access Requests
•Attribute Filtering for Access Requests: Example
•Attribute Filtering User Profile: Example
•debug radius Command: Example
Attribute Filtering for Access Requests: Example
The following example shows that attributes 30 and 31 (Called-Station-Id and Calling-Station-Id), which are defined in the list all-attr, will be rejected in all outbound Access Request messages sent to the server group ras:
aaa group server radius ras
server 172.19.192.238 auth-port 1745 acct-port 1746
authorization request reject all-attr
!
.
.
.
radius-server attribute list all-attr
attribute 30-31
!
.
.
.
Attribute Filtering User Profile: Example
The following is a sample user profile after attribute filtering has been configured for Access Requests:
cisco.com Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Cisco:Cisco-Avpair = :1:"rad-serv=172.19.192.87 key rad123",
Cisco:Cisco-Avpair = :1:"rad-serv-filter=authorization request reject range1",
Cisco:Cisco-Avpair = :1:"rad-serv-filter=accounting request reject range1",
Cisco:Cisco-Avpair = "ppp-authen-type=chap"
Cisco:Cisco-Avpair = "ppp-authen-list=group 1",
Cisco:Cisco-Avpair = "ppp-author-list=group 1",
Cisco:Cisco-Avpair = "ppp-acct-list=start-stop group 1",
Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53",
Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35",
Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"
user2@cisco.com
Service-Type = Outbound,
Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53",
Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35",
Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"
When a session for user2@cisco.com comes up at the Layer 2 Tunneling Protocol (L2TP) Network Server (LNS), as shown above, a RADIUS request is sent to the server for the cisco.com profile because the aaa authorization template command has been configured. If authentication succeeds, the server returns an Access Accept message along with the VSAs configured in the cisco.com profile. If filters are configured as part of that profile, they are parsed and applied to the RADIUS requests for user2@cisco.com.
In the above profile example, filter range1 has been applied to the authorization and accounting requests.
debug radius Command: Example
If the attribute you are trying to filter is rejected, you will see a debug radius output statement similar to the following:
RADIUS: attribute 31 rejected
If you try to filter an attribute that cannot be filtered, you will see an output statement similar to the following:
RADIUS: attribute 1 cannot be rejected
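The following Python model is an added example, not part of this document or of Cisco's software. It ties together the configuration procedure above (an attribute list plus an authorization or accounting request accept or reject filter), the downloadable rad-serv-filter VSAs in the user profile, the restriction that attributes 1, 2 and 3 cannot be filtered, and the two debug radius lines. It generalizes slightly beyond the page: the list parser handles ranges and single values, and accept lists are modelled as well as reject lists. The contents of the list range1 (30-31), the sample Access-Request attribute values, and the behaviour of an accept list toward attributes 1-3 are assumptions; attribute numbers follow RFC 2865.

```python
"""Model of the attribute screening described on this page (added example, not Cisco code).

It covers, as the page states them:
  * an attribute list:  radius-server attribute list <name> / attribute 30-31 ...
  * a request filter:   authorization|accounting request accept|reject <listname>,
    configured locally or downloaded as a Cisco-Avpair "rad-serv-filter=..." VSA
  * the restriction that attributes 1, 2 and 3 are never filtered
  * log lines shaped like the quoted "debug radius" output
Attribute numbers follow RFC 2865; the sample request and list contents are constructed.
"""
import re
from dataclasses import dataclass

UNFILTERABLE = {1, 2, 3}   # User-Name, User-Password, CHAP-Password: NAS refuses to drop these
CHAP_CHALLENGE = 60        # page: filtering attribute 60 causes authentication failure
FILTER_RE = re.compile(
    r"^(authorization|accounting)\s+(request|reply)\s+(accept|reject)\s+(\S+)$")


def parse_attribute_list(spec: str) -> set[int]:
    """Expand the values of an 'attribute' command: '30-31 61' -> {30, 31, 61}."""
    nums: set[int] = set()
    for tok in re.split(r"[\s,]+", spec.strip()):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", tok)
        if not m:
            raise ValueError(f"bad attribute token {tok!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 255:
            raise ValueError(f"range {tok!r} is reversed or outside 1-255")
        nums.update(range(lo, hi + 1))
    return nums


@dataclass(frozen=True)
class Filter:
    service: str    # "authorization" or "accounting"
    direction: str  # "request" (outbound, this page) or "reply"
    action: str     # "accept": send only listed attributes; "reject": drop listed ones
    listname: str


def parse_filter(text: str) -> Filter:
    """Accept the CLI form 'authorization request reject range1' or the downloadable
    VSA form 'rad-serv-filter=authorization request reject range1'."""
    key, sep, value = text.partition("=")
    if sep and key.strip() != "rad-serv-filter":
        raise ValueError(f"not a rad-serv-filter VSA: {text!r}")
    m = FILTER_RE.match((value if sep else text).strip())
    if not m:
        raise ValueError(f"unparseable filter: {text!r}")
    return Filter(*m.groups())


def screen(attrs: dict[int, object], flt: Filter,
           lists: dict[str, set[int]]) -> tuple[dict[int, object], list[str]]:
    """Apply one request filter to an outbound Access-Request's attributes.

    Returns (attributes actually sent, debug-style lines). Assumption not stated on
    the page: an 'accept' list cannot drop attributes 1-3 either.
    """
    if flt.direction != "request":
        return dict(attrs), []           # reply filtering is outside this page
    listed = lists[flt.listname]         # KeyError: list referenced but never defined
    sent: dict[int, object] = {}
    log: list[str] = []
    for num, value in attrs.items():
        drop = (num in listed) if flt.action == "reject" else (num not in listed)
        if drop and num in UNFILTERABLE:
            log.append(f"RADIUS: attribute {num} cannot be rejected")
            drop = False
        if drop:
            log.append(f"RADIUS: attribute {num} rejected")
        else:
            sent[num] = value
    return sent, log


def lint(flt: Filter, lists: dict[str, set[int]]) -> list[str]:
    """Pre-deployment check for the two failure modes the page warns about."""
    listed = lists.get(flt.listname)
    if listed is None:
        return [f"list {flt.listname!r} is not defined"]
    if flt.action == "reject":
        drops_60 = CHAP_CHALLENGE in listed
    else:
        drops_60 = CHAP_CHALLENGE not in listed
    if flt.direction == "request" and drops_60:
        return ["filter drops attribute 60 (CHAP-Challenge); CHAP authentication will fail"]
    return []


def apply_profile(profile: list[str], attrs: dict[int, object],
                  lists: dict[str, set[int]], service: str) -> tuple[dict[int, object], list[str]]:
    """Apply every rad-serv-filter VSA in a downloaded profile that targets `service` requests;
    other Cisco-Avpairs (ppp-authen-type=..., vpdn:...) are not filters and are skipped."""
    log: list[str] = []
    for avp in profile:
        if avp.startswith("rad-serv-filter="):
            flt = parse_filter(avp)
            if flt.service == service:
                attrs, lines = screen(attrs, flt, lists)
                log += lines
    return attrs, log


# Constructed sample: the filter VSAs from the cisco.com profile on this page. The page
# does not show the contents of list range1; 30-31 (Called/Calling-Station-Id) is assumed.
PROFILE = ["rad-serv-filter=authorization request reject range1",
           "rad-serv-filter=accounting request reject range1",
           "ppp-authen-type=chap", "vpdn:tunnel-id=B53"]
LISTS = {"range1": parse_attribute_list("30-31")}
# Constructed CHAP Access-Request for user2@cisco.com; values are placeholders.
REQUEST = {1: "user2@cisco.com", 3: b"\x01" + b"\x00" * 16, 4: "10.0.58.35", 6: 2, 7: 1,
           30: "5550100", 31: "5550123", 60: b"\x00" * 16, 61: 5}

if __name__ == "__main__":
    sent, log = apply_profile(PROFILE, REQUEST, LISTS, "authorization")
    print("attributes sent:", sorted(sent))
    print("\n".join(log))
```

Running the module applies the two downloaded filters to the constructed request: attributes 30 and 31 are removed and logged as rejected, while attribute 60 survives. Running lint before deploying a filter reports the two problems the page's troubleshooting text and Note describe: a list that was never defined, and a filter that would remove CHAP-Challenge.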
Related Documents
•Cisco IOS commands
•Configuring RADIUS: "Configuring RADIUS" feature module
•Security commands
Standards
None.
MIBs
None. To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
None.
Feature Information for Attribute Screening for Access Requests
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.