Downloads |
Table Of Contents
Ascend Binary Attribute Support
Trace Output Before Conversion
RADIUS Attributes
This appendix lists the RFC 2865 RADIUS attributes with their names and values.
RADIUS attributes carry the specific authentication, authorization information, and configuration details for requests and replies. For more information, see RFC 2865.
RADIUS Dictionary Attributes
Table C-1 lists the standard RADIUS Dictionary attributes.
Ascend Binary Attribute Support
This section provides information about support for the Ascend binary attribute.
Overview
Cisco Access Registrar 1.6 supports Ascend-Data-Filter (Ascend attribute 242) with IP filter and generic filter type. Please refer to Ascend document for details of the data syntax. The value for Ascend-Data-Filter is in binary format. This creates some inconvenience for administrators to configuring values for this attribute.
Cisco Access Registrar 1.6 (and above) introduces an implementation-specific attribute 225 (Text-Ascend-Data-Filter). This attribute enables you to define the equivalent Ascend-Data-Filter in text format. AR converts the values of this attribute into binary format and saves them into Ascend-Data-Filter attributes. AR maintains the same order for the multiple values in Text-Ascend-Data-Filter and Ascend-Data-Filter.
The conversion occurs before any Access-Accept packet leaves AR. So the scripts inside AR only deal with Text-Ascend-Data-Filter in place of Ascend-Data-Filter during the whole process. After conversion, the Text-Ascend-Data-Filter is removed, and Ascend-Data-Filter is passed on.
For packets with Ascend-Data-Filter attributes that pass through AR, such as in proxy mode, the original Ascend-Data-Filter is untouched. If any Text-Ascend-Data-Filter attributes are added while processing packets inside AR, they are converted to Ascend-Data-Filter and appended to the original Ascend-Data-Filters right before the packet leaves the server.
Examples
Assume you want to add the following filters to a profile and pass the profile as part of the Access-Accept to the client.
Ascend-Data-Filter = ip out forward tcp dstip 10.1.1.3/16
Ascend-Data-Filter = ip out drop
Ascend-Data-Filter = generic in drop 0 ffff 0080
Ascend-Data-Filter = generic in drop 0 ffff != 0080 more
Ascend-Data-Filter = generic in drop 16 ff aa
Note
Refer to Ascend reference for the filter syntax.
Configuring a Local Profile
To configure on local profile:
[ //localhost/Radius/Profiles/default-PPP-users/Attributes ]
Ascend-Idle-Limit = 1800
Framed-Compression = "VJ TCP/IP header compression"
Framed-MTU = 1500
Framed-Protocol = PPP
Framed-Routing = None
Service-Type = Framed
Text-Ascend-Data-Filter = "ip out forward tcp dstip 10.1.1.3/16"
Text-Ascend-Data-Filter = "ip out drop"
Text-Ascend-Data-Filter = "generic in drop 0 ffff 0080"
Text-Ascend-Data-Filter = "generic in drop 0 ffff != 0080 more"
Text-Ascend-Data-Filter = "generic in drop 16 ff aa"Configuring an LDAP Profile
To configure for LDAP profile, do the following:
[ //localhost/Radius/RemoteServers/test/LDAPToRadiusMappings ]
ldap-attribute-that-contains-ascend-data-filter-in-text = Text-Ascend-Data-FilterTrace Output Before Conversion
06/17/2000 18:12:35: P29: Trace of Access-Accept packet
06/17/2000 18:12:35: P29: identifier = 1
06/17/2000 18:12:35: P29: length = 60
06/17/2000 18:12:35: P29: reqauth = 4f:93:b4:1c:0d:21:cd:4a:88:4d:e0:00:c6:12:dc:3d
06/17/2000 18:12:35: P29: Service-Type = Framed
06/17/2000 18:12:35: P29: Framed-Protocol = PPP
06/17/2000 18:12:35: P29: Framed-IP-Address = 192.168.0.0
06/17/2000 18:12:35: P29: Framed-IP-Netmask = 255.255.255.0
06/17/2000 18:12:35: P29: Framed-Routing = None
06/17/2000 18:12:35: P29: Framed-MTU = 1500
06/17/2000 18:12:35: P29: Framed-Compression = VJ TCP/IP header compression
06/17/2000 18:12:35: P29: Ascend-Idle-Limit = 1800
06/17/2000 18:12:35: P29: Text-Ascend-Data-Filter = ip out forward tcp dstip 10.1.1.3/16
06/17/2000 18:12:35: P29: Text-Ascend-Data-Filter = ip out drop
06/17/2000 18:12:35: P29: Text-Ascend-Data-Filter = generic in drop 0 ffff 0080
06/17/2000 18:12:35: P29: Text-Ascend-Data-Filter = generic in drop 0 ffff != 0080 more
06/17/2000 18:12:35: P29: Text-Ascend-Data-Filter = generic in drop 16 ffaaTrace Output After Conversion
06/17/2000 18:12:35: P29: Trace of Access-Accept packet
06/17/2000 18:12:35: P29: identifier = 1
06/17/2000 18:12:35: P29: length = 60
06/17/2000 18:12:35: P29: reqauth = 4f:93:b4:1c:0d:21:cd:4a:88:4d:e0:00:c6:12:dc:3d
06/17/2000 18:12:35: P29: Service-Type = Framed
06/17/2000 18:12:35: P29: Framed-Protocol = PPP
06/17/2000 18:12:35: P29: Framed-IP-Address = 192.168.0.0
06/17/2000 18:12:35: P29: Framed-IP-Netmask = 255.255.255.0
06/17/2000 18:12:35: P29: Framed-Routing = None
06/17/2000 18:12:35: P29: Framed-MTU = 1500
06/17/2000 18:12:35: P29: Framed-Compression = VJ TCP/IP header compression
06/17/2000 18:12:35: P29: Ascend-Idle-Limit = 1800
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 01:01:00:00:00:00:00:00:0a:01:
01:03:00:10:06:00:00:00:00:00:00:00:00:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 01:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 00:00:01:00:00:00:00:02:00:00:
ff:ff:00:00:00:00:00:80:00:00:00:00:00:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 00:00:01:00:00:00:00:02:00:01:
ff:ff:00:00:00:00:00:80:00:00:00:00:01:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 00:00:01:00:00:10:00:01:00:00:
ff:00:00:00:00:00:aa:00:00:00:00:00:00:00
