
Extended NAS-Port-Type and NAS-Port Support


First Published: August 2, 2004
Last Updated: October 2, 2009

The Extended NAS-Port-Type and NAS-Port Support feature allows you to identify what service type is taking place on specific ports with non-RADIUS RFC supported types. You have the flexibility to use your own coding mechanism to track users or to track shared resources, such as Ethernet or ATM interfaces, as you identify traffic based on the service type.

RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile. NAS-Port-Type (RADIUS IETF attribute 61) indicates the type of physical port the network access server (NAS) is using to authenticate the user. NAS-Port-ID (RADIUS IETF attribute 87) contains a text string that identifies the NAS port that is authenticating the user.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Extended NAS-Port-Type and NAS-Port Support" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Extended NAS-Port-Type and NAS-Port Support

Information About Extended NAS-Port-Type and NAS-Port Support

How to Configure Extended NAS-Port-Type and NAS-Port Support

Configuration Examples for Extended NAS-Port-Type and NAS-Port Support

Additional References

Feature Information for Extended NAS-Port-Type and NAS-Port Support

Prerequisites for Extended NAS-Port-Type and NAS-Port Support

The router/Cisco device must be:

Running a Cisco IOS image that contains the AAA component.

Set up to use RADIUS, with AAA enabled.

Information About Extended NAS-Port-Type and NAS-Port Support

To use the Extended NAS-Port-Type and NAS-Port Support feature, you should understand the following concepts:

Extended NAS-Port-Type (RADIUS Attribute 61)

NAS-Port (RADIUS Attribute 5)

NAS-Port-ID (RADIUS Attribute 87)

Extended NAS-Port-Type (RADIUS Attribute 61)

Prior to the attribute 61 extension, attribute 61 allowed you to identify virtual or Ethernet resources only. Now, by enabling the extended attribute 61 you can also do the following:

Track specific service port information for broadband environments.

Identify the following service port type sessions with a corresponding RADIUS value: PPP over ATM (PPPoA), PPP over Ethernet (PPPoE) over Ethernet (PPPoEoE), PPPoE over ATM (PPPoEoA), PPPoE over VLAN (PPPoEoVLAN), and PPPoE over Q-in-Q (PPPoEoQinQ). This allows you to identify physical NAS port types based on service types.

Benefits of Using the Extended NAS-Port-Type Attribute

The benefits of using the extended attribute 61 are as follows:

Establishing your own coding scheme to track users on specific physical ports. For example, service providers may want to track customers using shared resources such as Ethernet or ATM interfaces that have virtual LANs (VLANs), stacked VLAN (Q-in-Q), or virtual circuits (VCs) connected to certain customers.

Allowing additional granularity for subinterfaces such as VLAN, Q-in-Q, VC, or VC ranges by overriding the attribute 61 value to be sent on any session that resides on the port. For example, this capability provides an extra level of detail for service providers in managing their end users and allows for further detail of different customer usage.

The value for the extended 61 attribute can be any number you choose. In particular, customizing your own value is useful when you need to distinguish between NAS port types based on the type of end client using a port. For example, if you want to track mobile clients behind a specific private virtual connection (PVC), you can define your own attribute 61 value for mobile clients.

The non-RFC compliant broadband service port types with their corresponding values that can be set with the extended attribute 61 are shown in Table 1.

Table 1 Service Port Types and Corresponding RADIUS Values

Service Port Type         RADIUS Value
Wireless - IEEE 802.16    27
PPPoA                     30
PPPoEoA                   31
PPPoEoE                   32
PPPoEoVLAN                33
PPPoEoQinQ                34


NAS-Port (RADIUS Attribute 5)

NAS-Port (RADIUS attribute 5) indicates the physical NAS port number that is authenticating the user. A logical port can be represented by the virtual path identifier (VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for an Ethernet interface.

Each platform and service may have different port information that is relevant to its environment; therefore, there is no single way to populate this attribute. There are four service-specific nonconfigurable formats (a, b, c, and d) and one configurable format (e) that can be tailored to customer and platform needs.

Format e previously allowed customization of only one global format for all call types on a device, which was limiting for devices that contained multiple services. With the extended attribute 5 support, it is possible to configure a custom format e string for any service type based on the value of attribute 61. When building the RADIUS access or accounting request, the encoding routine applies the specific format e string defined for the session's attribute 61 value.


Note Setting a specific format e string for the value of attribute 61 overrides the default global format e string.


Relationship Between NAS-Port-Type (RADIUS Attribute 61) and NAS-Port (RADIUS Attribute 5)

The radius-server attribute nas-port format command supports the custom format e string with the type nas-port-type keyword and option. The type keyword allows you to specify format strings to represent physical port types for any of the extended NAS-Port-Type values.

The relationship between the extended attribute 61 and extended attribute 5 support is that the format e string chosen by the encoding routine will depend on the value of attribute 61 for the session. If you use the extended attribute 61 values (values 30-34) and want to further customize the NAS port type, configure a different format string.

For example, you can specify the string "SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC" for type 30 (all PPPoA ports), and you can also specify the string "SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV" for type 33 (all PPPoEoVLAN ports). In this case, you can track VPI/VCI-specific information for a PPPoA user and VLAN-specific information for a PPPoEoVLAN user.


Note If you enable the extended attribute 61, format e with either type 5 (Virtual) or type 15 (Ethernet) will not function, because these types require an additional value to be set (the extended attribute 61 values 30-34).


NAS-Port-ID (RADIUS Attribute 87)

The NAS-Port-ID (RADIUS attribute 87) contains the character text string identifier of the NAS port that is authenticating the user. This text string typically matches the interface description found under the CLI configuration. This attribute is sent by default under IETF attribute 87; it was previously sent under the Cisco vendor-specific attribute (VSA) Cisco-NAS-Port.

How to Configure Extended NAS-Port-Type and NAS-Port Support

This section contains the following procedures that allow you to configure the extended NAS-Port-Type attribute and NAS-Port attributes:

Configuring Extended NAS-Port-Type Attribute and NAS-Port Attribute Support

Overriding Global NAS-Port-Type Configuration

Configuring Extended NAS-Port-Type Attribute and NAS-Port Attribute Support

Use the following task to configure extended NAS-Port-Type attribute and NAS-Port attribute support.

SUMMARY STEPS

1. enable

2. configure terminal

3. radius-server attribute 61 extended

4. radius-server attribute nas-port format format [string]

5. radius-server attribute nas-port format format [string] [type nas-port-type]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

radius-server attribute 61 extended

Example:

Router(config)# radius-server attribute 61 extended

Enables extended, non-RFC compliant RADIUS attribute 61 (NAS Port Type, a number) values. These values are sent in an access-request as a number that indicates the type of physical port on the NAS that is authenticating the user.

Identifies the following broadband service port types:

IEEE 802.16

PPPoA

PPPoEoA

PPPoEoE

PPPoEoVLAN

PPPoEoQinQ

Sends the appropriate value to the AAA record.

The value "Virtual" refers to a connection to the NAS through a transport protocol, instead of through a physical port. For example, if a user telnets into a NAS, the value "Virtual" would be reflected as the NAS value.

There is no specific NAS value for IP sessions. For IP sessions, the NAS value is either one of the underlying transport technology values described in Table 1 or "Virtual".

Step 4 

radius-server attribute nas-port format format [string]

Example:

Router(config)# radius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU

Configures a global attribute 61 session format string that is used as the default session format.

This command does not customize a specific service port type value.

The format argument indicates the specific NAS port format.

The string argument represents all of a specific port type. The characters supported for format e are shown in the radius-server attribute nas-port format command page.

Note If the global format is not set, format a is used by default.

Note You must explicitly define the usage of the 32-bit attribute 5 to use format e. The usage is defined with a given parser character for each NAS port field of interest for a given bit field.

Step 5 

radius-server attribute nas-port format format [string] [type nas-port-type]

Example:

Router(config)# radius-server attribute nas-port format e SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC type 30

Configures a specific service port type for extended attribute 61 support and

This command does customize a specific service port type value.

The format argument indicates the specific NAS port format.

The string argument represents all of a specific port type. The characters supported for format e are shown in the radius-server attribute nas-port format command page.

The type keyword allows you to specify different format strings to represent different physical port types.

The nas-port-type argument can be set to one of the extended attribute 61 values.

Note You must explicitly define the usage of the 32-bit attribute 5 to use format e. The usage is defined with a given parser character for each NAS port field of interest for a given bit field.

Overriding Global NAS-Port-Type Configuration

You can override attribute 61 configured globally on the router at an interface or subinterface level.

Use the following task to override all global options on how the extended attribute 61 is sent to any subinterface such as Ethernet, VLAN, Q-in-Q, VC, or VC ranges.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface atm interface-number [subinterface-number {mpls | multipoint | point-to-point}]

4. pvc [name] vpi/vci [ces | ilmi | qsaal | smds | l2transport]

5. radius attribute nas-port-type port-number

6. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface atm interface-number [subinterface-number {mpls|multipoint|point-to-point}]

Example:

Router(config)# interface atm 5/0/0.1

Enters ATM subinterface mode.

Step 4 

pvc [name] vpi/vci [ces|ilmi|qsaal|smds|l2transport]

Example:

Router(config-subif)# pvc 1/33

Enters PVC subinterface mode.

Step 5 

radius attribute nas-port-type port-number

Example:

Router(config-if-atm-vc)# radius attribute nas-port-type 7

Sets a specific extended attribute 61 value for an interface or subinterface. Select a value for a port type to override the NAS-Port type configured globally.

The range for the port-number is 0-2147483647.

The value argument must be assigned a number 1-40 to set a customized extended NAS port type and configure a specific service port type.

If you choose a number outside of this range, the default global NAS port format e string is used to configure the NAS port value that is sent for the session.

You can set a specific service port type with the radius-server attribute nas-port format command. This setting overrides a global NAS port type session format.

Step 6 

end

Example:

Router(config-if-atm-vc)# end

Ends the configuration session and returns to privileged EXEC mode.

Configuration Examples for Extended NAS-Port-Type and NAS-Port Support

This section provides the following extended NAS-Port-Type and NAS-Port Support configuration examples:

Configuring Global Support for Extended NAS-Port-Type Attribute: Example

Configuring a Customized Format e String and Port Type: Example

Displaying Command Output From a Configured RADIUS Command: Example

Configuring Global Support for Extended NAS-Port-Type Attribute: Example

The following example shows how to configure global support for extended NAS-Port-Type ports and how to specify two separate format e strings globally for two different types of ports:

Type 30 (which is PPPoA)

Type 33 (which is PPPoEoVLAN)

Router# configure terminal
Router(config)# radius-server attribute 61 extended
Router(config)# radius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU
Router(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30
Router(config)# radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33

Configuring a Customized Format e String and Port Type: Example

The following example shows how to customize a format e string and port type for an ATM interface and then how to override the global value set for extended attribute 61 by applying the customer customized NAS port type value of 36 on the ATM interface:

Router# configure terminal
Router(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 36
Router(config)# interface atm 5/0/0.1
Router(config-subif)# pvc 1/33
Router(config-if-atm-vc)# radius attribute nas-port-type 36

Displaying Command Output From a Configured RADIUS Command: Example

The following example displays command output from a configured RADIUS command, where you have enabled extended attribute 61. You can use the delimiting characters to display only the relevant parts of the configuration.

Router# show running-config | include radius

aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server attribute 61 extended
radius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30
radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 31
radius-server attribute nas-port format e SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV type 32
radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33
radius-server attribute nas-port format e SSSSAPPPQQQQQQQQQQQQVVVVVVVVVVVV type 34
radius-server host 10.76.86.91 auth-port 1645 acct-port 1646
radius-server key rad123
.
.
.

The following example displays command output for a configured RADIUS command, where you have globally specified the format e string for all PPPoA ports (type 30):

Router# show running-config | include radius

aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server attribute nas-port format e SSSSSSSSAAAAAAAAPPPPPPPPIIIIIIII
radius-server attribute nas-port format e SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC type 30
radius-server host 10.76.86.91 auth-port 1645 acct-port 1646
radius-server key rad123
.
.
.
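
The following Python is an added example, not Cisco code: it shows how a RADIUS-side consumer of access or accounting records could decode a received NAS-Port (attribute 5) value by selecting the format e string that matches the session's NAS-Port-Type (attribute 61) and falling back to the global string otherwise. It assumes the leftmost character of a format e string corresponds to the most significant bit of the 32-bit value, returns fields keyed by format character (the meaning of each character is in the command reference, not on this page), and uses constructed NAS-Port values and hypothetical function names.

```python
import re

# Constructed input: nas-port format lines as they appear in the first
# "show running-config | include radius" output above. The strings are written
# with repeat counts so the width of each field is visible.
SAMPLE_CONFIG = "\n".join([
    "radius-server attribute 61 extended",
    "radius-server attribute nas-port format e SSSSAPPP" + "U" * 24,
    "radius-server attribute nas-port format e SSSSAPPP" + "I" * 8 + "C" * 16 + " type 30",
    "radius-server attribute nas-port format e SSSSAPPP" + "Q" * 12 + "V" * 12 + " type 34",
])

FORMAT_LINE = re.compile(
    r"^radius-server attribute nas-port format e (\S+)(?: type (\d+))?$"
)


def load_formats(config_text):
    """Return (global_format, {nas_port_type: format}) from running-config lines."""
    global_fmt, per_type = None, {}
    for line in config_text.splitlines():
        match = FORMAT_LINE.match(line.strip())
        if not match:
            continue
        fmt, port_type = match.group(1), match.group(2)
        if len(fmt) != 32:
            raise ValueError(f"format e string must describe 32 bits: {fmt!r}")
        if port_type is None:
            global_fmt = fmt
        else:
            per_type[int(port_type)] = fmt
    return global_fmt, per_type


def split_fields(fmt, nas_port):
    """Split a 32-bit NAS-Port into one integer per format character.

    Assumption: character 0 of the string is bit 31 of the value.
    """
    if not 0 <= nas_port < 2**32:
        raise ValueError("NAS-Port must fit in 32 bits")
    fields = {}
    for index, char in enumerate(fmt):
        bit = (nas_port >> (31 - index)) & 1
        fields[char] = (fields.get(char, 0) << 1) | bit
    return fields


def decode_nas_port(config_text, nas_port_type, nas_port):
    """Decode with the type-specific string, else the global format e string."""
    global_fmt, per_type = load_formats(config_text)
    fmt = per_type.get(nas_port_type, global_fmt)
    if fmt is None:
        raise LookupError("no format e string configured for this session type")
    return split_fields(fmt, nas_port)


if __name__ == "__main__":
    # Constructed records: (NAS-Port-Type, NAS-Port) pairs.
    for port_type, value in [(30, 0x50010021), (34, 0x210640C8), (15, 0x50000007)]:
        print(port_type, hex(value), decode_nas_port(SAMPLE_CONFIG, port_type, value))
```
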

Additional References

The following sections provide references related to extended NAS-Port-Type and NAS-Port support.

Related Documents

Related Topic                Document Title
Cisco 10000 Series Router    Cisco 10000 Series Broadband Aggregation and Leased-Line Configuration Guide, Release 12.3XI
RADIUS Attributes            RADIUS Attributes


Standards

None

MIBs

None. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

None


Feature Information for Extended NAS-Port-Type and NAS-Port Support

Table 2 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 2 Feature Information for Extended NAS-Port-Type and NAS-Port Support

Feature Name: Extended NAS-Port-Type and NAS-Port Support

Releases: 12.3(7)XI1, 12.2(28)SB, 12.2(33)SRC, 15.0(1)M

Feature Information: The Extended NAS-Port-Type and NAS-Port Support feature allows you to identify what service type is taking place on specific ports with non-RADIUS RFC supported types.

This feature was introduced to support the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI1.

The following commands were introduced or modified: radius attribute nas-port-type, radius-server attribute 61 extended, radius-server attribute nas-port format.


