RADIUS Attribute 104


First Published: March 1, 2004
Last Updated: February 28, 2006

The RADIUS Attribute 104 feature allows you to specify private routes (attribute 104) in your RADIUS authorization profile. The private routes affect only packets that are received on an individual interface. The routes are stored apart from the global routing table and are not injected into any routing protocols for redistribution.

History for the RADIUS Attribute 104 Feature

Release
Modification

12.3(7)T

This feature was introduced.

12.3(14)T

This feature was integrated into Cisco IOS release 12.3(14)T.

12.2(28)SB

This feature was integrated into Cisco IOS Release 12.2(28)SB.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for RADIUS Attribute 104

Restrictions for RADIUS Attribute 104

Information About RADIUS Attribute 104

How to Apply RADIUS Attribute 104

Configuration Examples for RADIUS Attribute 104

Additional References

Command Reference

Prerequisites for RADIUS Attribute 104

You must be using a Cisco RADIUS server.

You should be familiar with configuring RADIUS.

You should be familiar with policy-based routing (PBR) and private routes.

You should be familiar with configuring access control lists (ACLs).

Before using the RADIUS Attribute 104 feature, you must configure RADIUS AAA authorization and RADIUS route download.

The following memory bytes are required:

One route map—50 bytes.

One match-set clause—600 bytes.

One extended ACL—366 bytes.

For N attribute 104 entries, the memory requirement is (600 + 366) * N + 50 bytes, which is approximately 1000 * N bytes per user.

Restrictions for RADIUS Attribute 104

If you already have PBR locally (statically) configured under the interface, and you specify attribute 104, the locally configured PBR will be disabled.

If a pseudo next-hop address is involved, there must be a route available in the routing table for the next-hop address. If a route is not available, the packet will not be policy routed.

Policy routing does not order the match-set clauses and relies on the first match, so you should specify the attributes in the order in which you want them to be matched.

Metric numbers cannot be used in the attribute.

Information About RADIUS Attribute 104

Before using the RADIUS Attribute 104 feature, you should understand the following concepts:

Policy-Based Routing: Background

Attribute 104 and the Policy-Based Route Map

Policy-Based Routing: Background

PBR provides a mechanism for forwarding, or routing, data packets on the basis of defined policies. The policies are not wholly dependent on the destination address but rather on other factors, such as type of service, source address, precedence, port numbers, or protocol type.

Policy-based routing is applied to incoming packets. All packets that are received on an interface that has policy-based routing enabled are considered for policy-based routing. The router passes the packets through enhanced packet filters called route maps. On the basis of the criteria that are defined in the route maps, the packets are forwarded to the appropriate next hop.

Each entry in a route map statement contains a combination of match clauses and set clauses or commands. The match clauses define the criteria that a packet must meet for the entry's policy to apply (that is, which set of filters the packet must match). The set clauses specify how a packet that meets those criteria is to be routed.

Attribute 104 and the Policy-Based Route Map

This section discusses the attribute 104 feature and how it works with policy-based route maps.

RADIUS Attribute 104 Overview

Using the RADIUS Attribute 104 feature, you can specify private routes in your RADIUS authorization profile. The private routes you specify will affect only packets that are received on an individual interface. The routes are stored apart from the global routing table and are not injected into any routing protocols for redistribution.

Permit Route Map

Route map statements can be marked as "permit" or "deny." If the statement is marked "permit," the set clause is applied to the packets that match the match criteria. For attribute 104, when you are configuring the route map, you need to mark the route map as "permit," as follows. (To configure a route map, see the chapter "Configuring Policy-Based Routing" in the Cisco IOS Quality of Service Solutions Configuration Guide.)

route-map map-tag permit sequence-number

Default Private Route

The policy routing process proceeds through the route map until a match is found. If no match is found in the route map, the global routing table is consulted. If you have specified a default route in your user profile, any further routes beyond the default route are effectively ignored.

Route Map Order

You need to specify route maps on the server in the order that you want them to be applied.

How to Apply RADIUS Attribute 104

This section contains the following procedures:

Applying RADIUS Attribute 104 to Your User Profile

Verifying Route Maps

Troubleshooting the RADIUS Profile

Applying RADIUS Attribute 104 to Your User Profile

You can apply RADIUS attribute 104 to your user profile by adding the following to the RADIUS server database.

SUMMARY STEPS

1. Apply RADIUS attribute 104 to your user profile.

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

Apply RADIUS attribute 104 to your user profile.

Ascend-Private-Route="dest_addr/netmask next_hop"

In this attribute, "dest_addr/netmask" is the destination network address and mask, and "next_hop" is the address of the next-hop router.

Examples

The following is a sample user profile that creates three private routes that are associated with the caller:

username Password="ascend"; User-Service=Framed-User

   Framed-Protocol=PPP,
   Framed-Address=10.1.1.1,
   Framed-Netmask=255.0.0.0,
   Ascend-Private-Route="172.16.1.1/16 10.10.10.1",
   Ascend-Private-Route="192.168.1.1/32 10.10.10.2",
   Ascend-Private-Route="10.20.0.0/1 10.10.10.3",
   Ascend-Private-Route="10.0.0.0/0 10.10.10.4"

Using the above profile, the private routing table for the connection contains the following routes, including a default route:

Destination/Mask     Gateway
172.16.1.1/16        10.10.10.1
192.168.1.1/32       10.10.10.2
10.20.20.20/1        10.10.10.3
10.0.0.0/0           10.10.10.4
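As an added example that is not part of the Cisco document, the following Python script reads the Ascend-Private-Route attributes of a profile in order, resolves a destination with the first-match behaviour described in "Route Map Order" and "Default Private Route", and flags routes that an earlier entry (such as a default route) shadows. The profile text is constructed to mirror the sample above.

```python
# Added example, not Cisco's code. Models the per-user private routing table
# that a profile's Ascend-Private-Route (attribute 104) entries create: routes
# are consulted in profile order (first match, not longest prefix), so routes
# listed after a default (/0) route are never reached.
import ipaddress
import re

ATTR_RE = re.compile(r'Ascend-Private-Route\s*=\s*"([^"]*)"')

def parse_private_route(value):
    """Parse 'dest_addr/netmask next_hop' into (network, next_hop).
    Extra tokens (e.g. a metric) are rejected: the document says metric
    numbers cannot be used in the attribute."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'dest/netmask next_hop', got {value!r}")
    dest, next_hop = parts
    # strict=False: a host address with a shorter mask (172.16.1.1/16) is
    # accepted and normalised to its network, as in the document's example.
    return ipaddress.ip_network(dest, strict=False), ipaddress.ip_address(next_hop)

def build_private_table(profile_text):
    """Return the private routes in the order they appear in the profile."""
    return [parse_private_route(v) for v in ATTR_RE.findall(profile_text)]

def first_match(table, destination):
    """Policy routing takes the first matching clause, not the most specific.
    Returns the next hop, or None to fall back to the global routing table."""
    dst = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if dst in network:
            return str(next_hop)
    return None

def shadowed_routes(table):
    """Routes that can never match because an earlier entry already covers
    them; a default route shadows every route listed after it."""
    return [str(net) for i, (net, _) in enumerate(table)
            if any(net.subnet_of(earlier) for earlier, _ in table[:i])]

def check_profile(profile_text):
    """Problems to flag before loading the profile on the RADIUS server."""
    problems = []
    for value in ATTR_RE.findall(profile_text):
        try:
            parse_private_route(value)
        except ValueError as exc:
            problems.append(f"unparseable attribute 104: {exc}")
    if not problems:
        for net in shadowed_routes(build_private_table(profile_text)):
            problems.append(f"route {net} is shadowed by an earlier entry")
    return problems

# Constructed sample profile, modelled on the document's example user.
SAMPLE_PROFILE = '''
   Framed-Address=10.1.1.1,
   Ascend-Private-Route="172.16.1.1/16 10.10.10.1",
   Ascend-Private-Route="192.168.1.1/32 10.10.10.2",
   Ascend-Private-Route="10.0.0.0/0 10.10.10.4",
   Ascend-Private-Route="10.20.0.0/16 10.10.10.3"
'''

if __name__ == "__main__":
    for network, next_hop in build_private_table(SAMPLE_PROFILE):
        print(f"{str(network):<18} {next_hop}")
    print("problems:", check_profile(SAMPLE_PROFILE))
```

In the constructed profile the /16 route placed after the default route is reported as shadowed, which is the ordering mistake the restrictions above warn about.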

Verifying Route Maps

You can use the following show commands to verify the route maps that have been configured.

SUMMARY STEPS

1. enable

2. show ip policy

3. show route-map [map-name | dynamic [dynamic-map-name | application [application-name]] | all]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip policy

Example:

Router# show ip policy

Displays the route map that is used for policy routing.

Step 3 

show route-map [map-name | dynamic [dynamic-map-name | application [application-name]] | all]

Example:

Router# show route-map

Displays all route maps that are configured or only the one that is specified.
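As an added example that is not part of the Cisco document, this Python script parses show ip policy and show route-map dynamic output of the form shown in the Command Reference section and reports, for each interface with a dynamic route map, whether the map is listed, the next hops it sets and the packets it has matched, and whether the declared number of active dynamic route maps agrees with the maps actually listed. The sample output is constructed to mirror the document's displays.

```python
# Added example, not Cisco's code; sample output constructed from the
# document's show ip policy and show route-map dynamic displays.
import re

SHOW_IP_POLICY = """\
Interface      Route map
local          equal
Ethernet0/2    equal
Ethernet0/3    AAA-02/06/04-14:01:26.619-1-AppSpec (Dynamic)
"""
SHOW_ROUTE_MAP_DYNAMIC = """\
route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 0, identifier 1137954548
  Match clauses:
    ip address (access-lists): PBR#1 PBR#2
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 2, identifier 1124436704
  Match clauses:
    ip address (access-lists): PBR#5 PBR#6
    length 10 100
  Set clauses:
    ip next-hop 172.16.1.1
    ip gateway 172.16.1.1
  Policy routing matches: 12 packets, 960 bytes
Current active dynamic routemaps = 1
"""
HEADER_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
COUNT_RE = re.compile(r"^Current active dynamic routemaps = (\d+)")

def parse_ip_policy(text):
    """Map interface name -> (route-map name, applied dynamically?)."""
    policy = {}
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) >= 2:
            policy[parts[0]] = (parts[1], "(Dynamic)" in line)
    return policy

def parse_route_maps(text):
    """Return (entries, declared active count); each entry records the map
    name, sequence, next hop set (None if no set clause) and packets matched."""
    entries, declared = [], None
    for line in text.splitlines():
        s = line.strip()
        head, count = HEADER_RE.match(s), COUNT_RE.match(s)
        if head:
            entries.append({"name": head.group(1), "sequence": int(head.group(3)),
                            "next_hop": None, "packets": 0})
        elif count:
            declared = int(count.group(1))
        elif entries:
            if s.startswith("ip next-hop "):
                entries[-1]["next_hop"] = s.split()[-1]
            elif s.startswith("Policy routing matches:"):
                entries[-1]["packets"] = int(s.split()[3])
    return entries, declared

def dynamic_policy_report(policy_text, route_map_text):
    """Per interface with a dynamic map: presence in show route-map, next hops
    set and packets matched; plus whether the declared count matches."""
    entries, declared = parse_route_maps(route_map_text)
    report = {}
    for iface, (name, dynamic) in parse_ip_policy(policy_text).items():
        if dynamic:
            mine = [e for e in entries if e["name"] == name]
            report[iface] = {"route_map": name, "present": bool(mine),
                "next_hops": sorted({e["next_hop"] for e in mine if e["next_hop"]}),
                "packets": sum(e["packets"] for e in mine)}
    report["count_consistent"] = declared == len({e["name"] for e in entries})
    return report
```

A dynamic map that is referenced on an interface but absent from the show route-map dynamic output is reported with "present" set to False, which is the first thing to check when a profile's private routes appear not to take effect.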

Troubleshooting the RADIUS Profile

If your private route configuration is not working properly, you may want to reread the section "Policy-Based Routing: Background." This section may help you determine what is happening to the packets. In addition, the following debug commands can be used to troubleshoot your RADIUS profile.

SUMMARY STEPS

1. enable

2. debug radius

3. debug aaa per-user

4. debug ip policy

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug radius

Example:

Router# debug radius

Displays information associated with RADIUS.

Step 3 

debug aaa per-user

Example:

Router# debug aaa per-user

Displays the attributes that are applied to each user as the user authenticates.

Step 4 

debug ip policy

Example:

Router# debug ip policy

Displays IP routing packet activity.

Configuration Examples for RADIUS Attribute 104

This section includes the following configuration example:

Route-Map Configuration in Which Attribute 104 Has Been Applied: Example

Route-Map Configuration in Which Attribute 104 Has Been Applied: Example

The following output is a typical route-map configuration to which attribute 104 has been applied:

Router# show route-map dynamic

route-map AAA-01/08/04-14:13:59.542-1-AppSpec, permit, sequence 0, identifier 1639994476
  Match clauses:
    ip address (access-lists): PBR#1 PBR#2 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-01/08/04-14:13:59.542-1-AppSpec, permit, sequence 1, identifier 1640264784
  Match clauses:
    ip address (access-lists): PBR#3 PBR#4 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-01/08/04-14:13:59.542-1-AppSpec, permit, sequence 2, identifier 1645563704
  Match clauses:
    ip address (access-lists): PBR#5 PBR#6 
    length 10 100
  Set clauses:
    ip next-hop 10.1.1.1
    ip gateway 10.1.1.1
  Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 1

Additional References

The following sections provide references related to RADIUS Attribute 104.

Related Documents

Related Topic
Document Title

Configuring RADIUS

"Configuring RADIUS" chapter in the "Security Server Protocols" section of the Cisco IOS Security Configuration Guide, Release 12.4

Configuring policy-based routing

"Configuring Policy-Based Routing" chapter in the "Classification" section of the Cisco IOS Quality of Service Configuration Guide, Release 12.4

Configuring access control lists

The "Access Control Lists: Overview and Guidelines" chapter of the "Traffic Filtering and Firewalls" section of the Cisco IOS Security Configuration Guide, Release 12.4

IP Access List Entry Sequence Numbering, Release 12.3(2)T

Configuring RADIUS AAA authorization and RADIUS route download

"RADIUS Route Download" chapter in the Cisco IOS Security Configuration Guide, Release 12.2(8)T

Security commands

Cisco IOS Security Command Reference, Release 12.4

Quality of Service (QoS) commands (for policy-based routing commands)

Cisco IOS Quality of Service Solutions Command Reference, Release 12.3 T


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

None


Technical Assistance

Description
Link

The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


Command Reference

This section includes the following modified commands:

show ip policy

show route-map

show ip policy

To display the route map used for policy routing, use the show ip policy command in user EXEC or privileged EXEC mode.

show ip policy

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC
Privileged EXEC

Command History

Release
Modification

11.1

This command was introduced.

12.3(7)T

The display output was modified to include a label for dynamic route maps.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Examples

The following is sample output from the show ip policy command:

Router# show ip policy

Interface      Route map
local          equal
Ethernet0/2    equal
Ethernet0/3    AAA-02/06/04-14:01:26.619-1-AppSpec (Dynamic)

The following is sample output from the show route-map command, which relates to the preceding sample display:

Router# show route-map

route-map equal, permit, sequence 10
  Match clauses:
    length 150 200
  Set clauses:
    ip next-hop 10.10.11.254
  Policy routing matches: 0 packets, 0 bytes
route-map equal, permit, sequence 20
  Match clauses:
    ip address (access-lists): 101 
  Set clauses:
    ip next-hop 10.10.11.14
  Policy routing matches: 144 packets, 15190 bytes

Table 1 describes the significant fields shown in the display.

Table 1 show ip policy Field Descriptions 

Field
Description

route-map equal

The name of the route map is equal.

permit

The route map contains permit statements.

sequence

Sequence number of the route map, which determines in what order it is processed among other route maps.

Match clauses

Clauses in the route map that must be matched to satisfy the permit or deny action.

Set clauses

Set clauses that will be put into place if the match clauses are met.

Policy routing matches packets

Number of packets that meet the match clauses.

bytes

Number of bytes in the packets that meet the match clauses.


Related Commands

Command
Description

match ip address

Distributes any routes that have a destination network number address that is permitted by a standard or extended access list, and performs policy routing on packets.

match length

Bases policy routing on the Level 3 length of a packet.

route-map (IP)

Defines the conditions for redistributing routes from one routing protocol into another, or enables policy routing.

set default interface

Indicates where to output packets that pass a match clause of a route map for policy routing and have no explicit route to the destination.

set interface

Indicates where to output packets that pass a match clause of route map for policy routing.

set ip default next-hop verify-availability

Indicates where to output packets that pass a match clause of a route map for policy routing and for which the Cisco IOS software has no explicit route to a destination.

set ip next-hop

Indicates where to output packets that pass a match clause of a route map for policy routing.


show route-map

To display static and dynamic route maps, use the show route-map command in privileged EXEC mode.

show route-map [map-name | dynamic [dynamic-map-name | application [application-name]] | all] [detailed]

Syntax Description

map-name

(Optional) Name of a specific route map.

dynamic

(Optional) Displays dynamic route map information.

dynamic-map-name

(Optional) Name of a specific dynamic route map.

application

(Optional) Displays dynamic route maps based on applications.

application-name

(Optional) Name of a specific application.

all

(Optional) Displays all static and dynamic route maps.

detailed

(Optional) Displays the details of the access control lists (ACLs) that have been used in the match clauses for dynamic route maps.


Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.0(22)S

This command was integrated into Cisco IOS Release 12.0(22)S, and support for continue clauses was integrated into the command output.

12.2(15)T

An additional counter for collecting policy routing statistics was integrated into Cisco IOS Release 12.2(15)T.

12.3(2)T

Support for continue clauses was integrated into Cisco IOS Release 12.3(2)T.

12.2(18)S

This command was integrated into Cisco IOS Release 12.2(18)S.

12.3(7)T

The dynamic, application, and all keywords were added.

12.0(28)S

Support for the recursive next-hop clause was added.

12.3(14)T

Support for the recursive next-hop clause was integrated into Cisco IOS Release 12.3(14)T. Support for the map display extension functionality was added. The detailed keyword was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.


Usage Guidelines

For Cisco IOS Release 12.3(14)T and later 12.4 and 12.4T releases, you can display the ACL-specific information that pertains to the route map in the same display without having to execute a show route-map command to display each ACL that is associated with the route map.

Examples

The show route-map command displays the configured route maps and their match, set, and continue clauses. The output varies depending on which keywords are included with the command and which software image is running on your router.

show route-map Command with No Keywords Specified Example

The following is sample output from the show route-map command:

Router# show route-map

route-map ROUTE-MAP-NAME, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1 
    metric 10 
  Continue: sequence 40
  Set clauses:
    as-path prepend 10
  Policy routing matches: 0 packets, 0 bytes
route-map ROUTE-MAP-NAME, permit, sequence 20
  Match clauses:
    ip address (access-lists): 2 
    metric 20 
  Set clauses:
    as-path prepend 10 10
  Policy routing matches: 0 packets, 0 bytes
route-map ROUTE-MAP-NAME, permit, sequence 30
  Match clauses:
  Continue: to next entry 40
  Set clauses:
    as-path prepend 10 10 10
  Policy routing matches: 0 packets, 0 bytes
route-map ROUTE-MAP-NAME, deny, sequence 40
  Match clauses:
    community (community-list filter): 20:2 
  Set clauses:
    local-preference 100
  Policy routing matches: 0 packets, 0 bytes
route-map LOCAL-POLICY-MAP, permit, sequence 10
  Match clauses:
  Set clauses:
    community 655370
  Policy routing matches: 0 packets, 0 bytes

The following example shows Multiprotocol Label Switching (MPLS)-related route map information:

Router# show route-map

route-map OUT, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    mpls label
  Policy routing matches: 0 packets, 0 bytes
route-map IN, permit, sequence 10
  Match clauses:
    ip address (access-lists): 2
    mpls label
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Table 2 describes the significant fields shown in the display.

Table 2 show route-map Field Descriptions 

Field
Description

route-map ROUTE-MAP-NAME

Name of the route map.

permit

Indicates that the route is redistributed as controlled by the set actions.

sequence

Number that indicates the position a new route map is to have in the list of route maps already configured with the same name.

Match clauses:
  tag

Match criteria—conditions under which redistribution is allowed for the current route map.

Continue:

Continue clause—shows the configuration of a continue clause and the route-map entry sequence number that the continue clause will go to.

Set clauses:
  metric

Set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met.

Policy routing matches:

Number of packets and bytes that have been filtered by policy routing.


show route-map Command with Dynamic Route Map Specified Example

The following is sample output from the show route-map command when entered with the dynamic keyword:

Router# show route-map dynamic

route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 0, identifier 1137954548
  Match clauses:
    ip address (access-lists): PBR#1 PBR#2 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 1, identifier 1137956424
  Match clauses:
    ip address (access-lists): PBR#3 PBR#4 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:01:26.619-1-AppSpec, permit, sequence 2, identifier 1124436704
  Match clauses:
    ip address (access-lists): PBR#5 PBR#6 
    length 10 100
  Set clauses:
    ip next-hop 172.16.1.1
    ip gateway 172.16.1.1
  Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 1

The following is sample output from the show route-map command when entered with the dynamic and application keywords:

Router# show route-map dynamic application

Application - AAA
  Number of active routemaps = 1

When you specify an application name, only dynamic routes for that application are shown. The following is sample output from the show route-map command when entered with the dynamic and application keywords and the AAA application name:

Router# show route-map dynamic application AAA

AAA
  Number of active rmaps = 2
AAA-02/06/04-14:01:26.619-1-AppSpec
AAA-02/06/04-14:34:09.735-2-AppSpec

Router# show route-map dynamic AAA-02/06/04-14:34:09.735-2-AppSpec

route-map AAA-02/06/04-14:34:09.735-2-AppSpec, permit, sequence 0, identifier 1128046100
  Match clauses:
    ip address (access-lists): PBR#7 PBR#8 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:34:09.735-2-AppSpec, permit, sequence 1, identifier 1141277624
  Match clauses:
    ip address (access-lists): PBR#9 PBR#10 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map AAA-02/06/04-14:34:09.735-2-AppSpec, permit, sequence 2, identifier 1141279420
  Match clauses:
    ip address (access-lists): PBR#11 PBR#12 
    length 10 100
  Set clauses:
    ip next-hop 172.16.1.12
    ip gateway 172.16.1.12
  Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 2

show route-map Command with Detailed ACL Information for Route Maps Specified Example

The following is sample output from the show route-map command with the dynamic and detailed keywords entered:

Router# show route-map dynamic detailed

route-map AAA-01/20/04-22:03:10.799-1-AppSpec, permit, sequence 1, identifier 29675368
  Match clauses:
    ip address (access-lists):
      Extended IP access list PBR#3
        1 permit icmp 10.0.16.12 10.204.167.240 10.1.1.0 10.0.0.255 syn dscp af12 log-input fragments
      Extended IP access list PBR#4
        1 permit icmp 10.0.16.12 10.204.167.240 10.1.1.0 10.0.0.255 syn dscp af12 log-input fragments
  Set clauses:
    ip next-hop 172.16.1.14
    ip gateway 172.16.1.14
  Policy routing matches: 0 packets, 0 bytes

Related Commands

Command
Description

redistribute (IP)

Redistributes routes from one routing domain into another routing domain.

route-map (IP)

Defines the conditions for redistributing routes from one routing protocol into another, or enables policy routing.