Cisco IOS Software Releases 12.3 Special and Early Deployments

Attribute Screening for Access Requests

Attribute Screening for Access Requests


First Published: 12.3(3)B
Last Updated: February 28, 2006

The Attribute Screening for Access Requests feature allows you to configure your network access server (NAS) to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization.

History for the Attribute Screening for Access Requests Feature

Release       Modification
12.3(3)B      This feature was introduced.
12.3(7)T      This feature was integrated into Cisco IOS Release 12.3(7)T.
12.2(28)SB    This feature was integrated into Cisco IOS Release 12.2(28)SB.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Attribute Screening for Access Requests

Restrictions for Attribute Screening for Access Requests

Information About Attribute Screening for Access Requests

How to Configure Attribute Screening for Access Requests

Configuration Examples for Attribute Filtering for Access Requests

Additional References

Command Reference

Prerequisites for Attribute Screening for Access Requests

You must be familiar with configuring attribute lists.

Restrictions for Attribute Screening for Access Requests

Attributes 1 (User-Name), 2 (User-Password), and 3 (CHAP-Password) cannot be filtered.

Information About Attribute Screening for Access Requests

To configure the Attribute Screening for Access Requests feature, you should understand the following concept:

Configuring an NAS to Filter Attributes in Outbound Access Requests

Configuring an NAS to Filter Attributes in Outbound Access Requests

The Attribute Screening for Access Requests feature allows you to configure your NAS to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization. The filters can be configured on the NAS, or they can be downloaded via downloadable vendor-specific attributes (VSAs) from the authentication, authorization, and accounting (AAA) server.

The following are some examples of the downloadable VSAs:

Cisco:Cisco-Avpair="ppp-authen-type=chap"
Cisco:Cisco-Avpair="ppp-authen-list=group 1"
Cisco:Cisco-Avpair="ppp-author-list=group 1"
Cisco:Cisco-Avpair="vpdn:tunnel-id=B53"
Cisco:Cisco-Avpair="vpdn:ip-addresses=10.0.58.35"

Note You must be aware of which attributes you want to filter. Filtering certain key attributes can result in authentication failure (for example, attribute 60, CHAP-Challenge, should not be filtered).


How to Configure Attribute Screening for Access Requests

This section contains the following procedures:

Configuring Attribute Screening for Access Requests

Configuring a Router to Support Downloadable Filters

Monitoring and Maintaining Attribute Filtering for Access Requests

Configuring Attribute Screening for Access Requests

To configure attribute screening for Access Requests, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. radius-server attribute list listname

4. attribute value1 [value2 [value3...]]

5. aaa group server radius group-name

6. authorization [request | reply] [accept | reject] listname

or

accounting [request | reply] [accept | reject] listname

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

radius-server attribute list listname

Example:

Router (config)# radius-server attribute list attrlist

Defines an attribute list.

Step 4 

attribute value1 [value2 [value3...]]

Example:

Router (config)# attribute 6-10, 12

Adds attributes to an accept or reject list.

Step 5 

aaa group server radius group-name

Example:

Router (config)# aaa group server radius rad1

Applies the attribute list to the AAA server group and enters server-group configuration mode.

Step 6 

authorization [request | reply] [accept | reject] listname


or

accounting [request | reply] [accept | reject] listname

Example:

Router (config-sg-radius)# authorization request accept attrlist


or

Example:

Router (config-sg-radius)# accounting request accept attrlist

Filters attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization.

The request keyword defines filters for outgoing authorization Access Requests.

The reply keyword defines filters for incoming authorization Accept and Reject packets and for outgoing accounting requests.

Configuring a Router to Support Downloadable Filters

To configure your router to support downloadable filters, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa authorization template

4. aaa authorization network default group radius

5. radius-server attribute list list-name

6. attribute value1 [value2 [value3...]]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

aaa authorization template

Example:

Router (config)# aaa authorization template

Enables usage of a local or remote customer template on the basis of Virtual Private Network (VPN) routing and forwarding (VRF).

Step 4 

aaa authorization network default group radius

Example:

Router (config)# aaa authorization network default group radius

Sets parameters that restrict user access to a network.

Step 5 

radius-server attribute list list-name

Example:

Router (config)# radius-server attribute list attlist

Defines an accept or reject list name.

Step 6 

attribute value1 [value2 [value3...]]

Example:

Router (config)# attribute 10-14, 24

Adds attributes to an accept or reject list.

Troubleshooting Tips

If attribute filtering is not working, ensure that the attribute list is properly defined.

Monitoring and Maintaining Attribute Filtering for Access Requests

To monitor and maintain attribute filtering, you can use the debug radius command.

SUMMARY STEPS

1. enable

2. debug radius

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug radius

Example:

Router# debug radius

Displays information associated with RADIUS, including filtering information.

Configuration Examples for Attribute Filtering for Access Requests

This section provides the following configuration examples:

Attribute Filtering for Access Requests: Example

Attribute Filtering User Profile: Example

debug radius Command: Example

Attribute Filtering for Access Requests: Example

The following example shows that attributes 30-31, which are defined in the "all-attr" list, are rejected in all outbound Access Request messages:

aaa group server radius ras
 server 172.19.192.238 auth-port 1745 acct-port 1746
 authorization request reject all-attr
!
.
.
.
radius-server attribute list all-attr
 attribute 30-31
!
.
.
.

Attribute Filtering User Profile: Example

The following is a sample user profile after attribute filtering has been configured for Access Requests:

cisco.com Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Cisco:Cisco-Avpair = :1:"rad-serv=172.19.192.87 key rad123",
Cisco:Cisco-Avpair = :1:"rad-serv-filter=authorization request reject range1",
Cisco:Cisco-Avpair = :1:"rad-serv-filter=accounting request reject range1",
Cisco:Cisco-Avpair = "ppp-authen-type=chap"
Cisco:Cisco-Avpair = "ppp-authen-list=group 1",
Cisco:Cisco-Avpair = "ppp-author-list=group 1",
Cisco:Cisco-Avpair = "ppp-acct-list=start-stop group 1",
Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53",
Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35",
Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"


user2@cisco.com
Service-Type = Outbound,
Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53",
Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35",
Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"

When a session for user2@cisco.com comes up at the Layer 2 Tunneling Protocol (L2TP) network server (LNS), as shown above, a RADIUS request is sent to the server for cisco.com because the aaa authorization template command has been configured. If authentication is successful, the server sends an Access Accept message along with the VSAs that are configured as part of the cisco.com profile. If filters are configured as part of the cisco.com profile, these filters are parsed and applied to the RADIUS requests for user2@cisco.com.

In the above profile example, filter range1 has been applied to both the authorization and the accounting requests.

debug radius Command: Example

If the attribute you are trying to filter is rejected, you will see a debug radius output statement similar to the following:

RADIUS: attribute 31 rejected

If you try to filter an attribute that cannot be filtered, you will see an output statement similar to the following:

RADIUS: attribute 1 cannot be rejected

Additional References

The following sections provide references related to Attribute Filtering for Access Requests.

Related Documents

Related Topic / Document Title

Authentication, authorization, and accounting (AAA):
    "Authentication, Authorization, and Accounting (AAA)" section of the Cisco IOS Security Configuration Guide, Release 12.4

Configuring RADIUS:
    "Configuring RADIUS" chapter of the Cisco IOS Security Configuration Guide, Release 12.4

Security commands:
    Cisco IOS Security Command Reference, Release 12.4T

RADIUS attribute lists:
    RADIUS Attribute Screening, Release 12.2(13)T


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

None


Technical Assistance

Description
Link

The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


Command Reference

This section documents one modified command only.

authorization (server-group)

authorization (server-group)

To filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization, use the authorization command in server-group configuration mode. To remove the filter on the authorization request or reply, use the no form of the command.

authorization [request | reply] [accept | reject] list-name

no authorization [request | reply] [accept | reject] list-name

Syntax Description

request

(Optional) Defines filters for outgoing authorization Access Requests.

reply

(Optional) Defines filters for incoming authorization Accept or Reject packets and for outgoing accounting requests.

accept

(Optional) Indicates that the required attributes and the attributes specified in the list-name argument will be accepted. All other attributes will be rejected.

reject

(Optional) Indicates that the attributes specified in the list-name argument will be rejected. All other attributes will be accepted.

list-name

Defines the given name for the accept or reject list.


Command Default

If specific attributes are not accepted or rejected, all attributes will be accepted.
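The following is an added example, not Cisco code: a small Python model of the accept and reject list semantics defined above (and of the restriction that attributes 1, 2, and 3 cannot be filtered), applied to a constructed outbound Access-Request. The attribute set, the debug line formats, and the check_reject_list helper are assumptions made for this example.

```python
# Added example (not Cisco code): models accept/reject list screening of one
# outbound Access-Request as described on this page. Attribute numbers are the
# standard RADIUS types (RFC 2865); the request below is constructed sample data.

UNFILTERABLE = {1, 2, 3}   # User-Name, User-Password, CHAP-Password: never screened
AUTH_CRITICAL = {60}       # CHAP-Challenge: the page warns against filtering it

# Constructed sample Access-Request: {attribute number: value}
SAMPLE_REQUEST = {
    1: "user2@cisco.com",      # User-Name
    2: b"<encrypted-password>",  # User-Password (placeholder)
    4: "172.19.192.238",      # NAS-IP-Address
    5: 1,                     # NAS-Port
    6: 2,                     # Service-Type = Framed
    7: 1,                     # Framed-Protocol = PPP
    30: "5551212",            # Called-Station-Id
    31: "5551234",            # Calling-Station-Id
    61: 2,                    # NAS-Port-Type
}

def parse_attribute_list(spec):
    """Parse an 'attribute' line such as '6-10, 12' into a set of attribute numbers."""
    numbers = set()
    for token in spec.replace(",", " ").split():
        lo, _, hi = token.partition("-")
        start = int(lo)
        end = int(hi) if hi else start
        if not 1 <= start <= end <= 255:
            raise ValueError(f"invalid attribute range: {token!r}")
        numbers.update(range(start, end + 1))
    return numbers

def check_reject_list(list_numbers):
    """Return listed attributes whose removal the page says breaks authentication."""
    return sorted(list_numbers & AUTH_CRITICAL)

def screen_request(attrs, list_numbers, mode):
    """Apply an accept or reject list to an outbound Access-Request.

    Returns (attributes actually sent, debug lines in 'debug radius' style).
    accept: keep required attributes plus the listed ones; reject: drop the listed ones.
    """
    if mode not in ("accept", "reject"):
        raise ValueError("mode must be 'accept' or 'reject'")
    kept, debug = {}, []
    for number, value in attrs.items():
        drop = (number not in list_numbers) if mode == "accept" else (number in list_numbers)
        if drop and number in UNFILTERABLE:      # restriction: cannot be filtered
            debug.append(f"RADIUS: attribute {number} cannot be rejected")
            drop = False
        if drop:
            debug.append(f"RADIUS: attribute {number} rejected")
        else:
            kept[number] = value
    return kept, debug
```

Running screen_request(SAMPLE_REQUEST, parse_attribute_list("30-31"), "reject") reproduces the page's "authorization request reject all-attr" example, while check_reject_list flags a list that would strip CHAP-Challenge before the configuration is applied.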

Command Modes

Server-group configuration

Command History

Release       Modification
12.2(1)DX     This command was introduced.
12.2(2)DD     This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B      This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T      This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T     Platform support was added for the Cisco 7401ASR.
12.3(3)B      The request and reply keywords were added.
12.3(7)T      The request and reply keywords were integrated into Cisco IOS Release 12.3(7)T.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes.

Only one filter may be used for RADIUS authorization per server group.


Note The list-name must be the same as the list-name defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add attributes to an accept or reject list.


Examples

The following example shows how to configure the accept list "min-author" for attributes received in an Access-Accept packet from the RADIUS server:

aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 10.1.1.1
 authorization accept min-author
!
radius-server host 10.1.1.1 key mykey1
radius-server attribute list min-author
 attribute 6-7

The following example shows that the attributes in the "all-attr" list will be rejected in all outbound authorization Access Request messages:

aaa group server radius ras
 server 192.168.192.238 auth-port 1745 acct-port 1746
 authorization request reject all-attr

Related Commands

Command
Description

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict network access to the user.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

accounting (server-group configuration)

Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.

attribute (server-group configuration)

Adds attributes to an accept or reject list.

radius-server attribute list

Defines an accept or reject list name.