Downloads |
Table of Contents
RADIUS Attribute ScreeningFeature Overview
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Configuration Examples
Accounting Reject Example
Authorization Reject and Accounting Accept Example
Rejecting Required Attributes Example
accounting (server-group configuration)
authorization (server-group configuration)
attribute
radius-server attribute list
Glossary
RADIUS Attribute Screening
Feature History
This feature module describes the RADIUS Attribute Screening feature. It includes the following sections:
Feature Overview
The RADIUS Attribute Screening feature allows users to configure a list of "accept" or "reject" RADIUS attributes on the network access server (NAS) for purposes such as authorization or accounting.
If a NAS accepts and processes all RADIUS attributes received in an Access-Accept packet, unwanted attributes may be processed, creating a problem for wholesale providers who do not control their customers' authentication, authorization, and accounting (AAA) servers. For example, there may be attributes that specify services to which the customer has not subscribed, or there may be attributes that may degrade service for other wholesale dial users. The ability to configure the NAS to restrict the use of specific attributes has therefore become a requirement for many users.
The RADIUS Attribute Screening feature should be implemented in one of the following ways:
Benefits
The RADIUS Attribute Screening feature provides the following benefits:
Accept or Reject Lists
Users can configure an accept or reject list consisting of a selection of attributes on the NAS for a specific purpose so unwanted attributes are not accepted and processed.
Restricting Accept Lists to Relevant Accounting Attributes
Users might wish to configure an accept list that includes only relevant accounting attributes, thereby reducing unnecessary traffic and allowing users to customize their accounting data.
Restrictions
NAS Requirements
To enable this feature, your NAS should be configured for authorization with RADIUS groups.
Accept or Reject Lists Limitations
The two filters used to configure accept or reject lists are mutually exclusive; therefore, a user can configure only one access list or one reject list for each purpose, per server group.
Vendor-Specific Attributes
This feature does not support vendor-specific attribute (VSA) screening; however, a user can specify attribute 26 (Vendor-Specific) in an accept or reject list, which will accept or reject all VSAs.
Required Attributes Screening Recommendation
It is recommended that users do not reject the following required attributes:
If an attribute is required, the rejection will be refused, and the attribute will be allowed to pass through.
 |
Note The user will not receive an error at the point of configuring a reject list for required attributes because the list does not specify a purpose—authorization or accounting. The server will determine whether an attribute is required when it is known what the attribute is to be used for. |
- Cisco IOS Security Command Reference , Release 12.2
- Cisco IOS Security Configuration Guide , Release 12.2
Supported Platforms
The following platforms support the RADIUS Attribute Screening feature:
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register .
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
Supported Standards, MIBs, and RFCs
Standards
MIBs
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Before configuring a RADIUS accept or reject list, you must enable AAA.
For more information, refer to the AAA chapters in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuration Tasks
See the following section for configuration tasks for the RADIUS Attribute Screening feature. Each task in the list is identified as either optional or required.
- Configuring RADIUS Attribute Screening (required)
- Verifying RADIUS Attribute Screening (optional)
Configuring RADIUS Attribute Screening
To configure a RADIUS attribute accept or reject list for authorization or accounting, use the following commands beginning in global configuration mode:
Verifying RADIUS Attribute Screening
To verify an accept or reject list, use one of the following commands in privileged EXEC mode:
Configuration Examples
This section provides the following configuration examples:
Authorization Accept Example
The following example shows how to configure an accept list for attribute 6 (Service-Type) and attribute 7 (Framed-Protocol); all other attributes (including VSAs) are rejected for RADIUS authorization.
Accounting Reject Example
The following example shows how to configure a reject list for attribute 66 (Tunnel-Client-Endpoint) and attribute 67 (Tunnel-Server-Endpoint); all other attributes (including VSAs) are accepted for RADIUS accounting.
Authorization Reject and Accounting Accept Example
The following example shows how to configure a reject list for RADIUS authorization and configure an accept list for RADIUS accounting. Although you cannot configure more than one accept or reject list per server group for authorization or accounting, you can configure one list for authorization and one list for accounting per server group.
Rejecting Required Attributes Example
The following example shows debug output for the debug aaa accounting command. In this example, required attributes 44, 40, and 41 have been added to the reject list:
Command Reference
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
accounting (server-group configuration)
To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode.
- accounting [accept | reject] listname
Syntax Description
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Command History
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data.
Only one filter may be used for RADIUS accounting per server group.
|
Note The listname must be the same as the listname defined in the radius-server attribute list command which is used with the attribute command to add to an accept or reject list. |
Examples
The following example shows how to specify accept list "usage-only" for RADIUS accounting:
Related Commands
authorization (server-group configuration)
To specify an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server, use the authorization command in server-group configuration mode.
- authorization [accept | reject] listname
Syntax Description
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Command History
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes.
Only one filter may be used for RADIUS authorization per server group.
|
Note The listname must be the same as the listname defined in the radius-server attribute list command, which is used with the attribute command to add to an accept or reject list. |
Examples
The following example shows how to configure accept list "min-author" in an Access-Accept packet from the RADIUS server:
Related Commands
attribute
To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command.
- attribute value1 [value2 [value3]...]
- no attribute value1 [value2 [value3]...]
Syntax Description
|
Specifies which attributes to include in an accept or reject list. The value can be a single integer, such as 7, or a range of numbers, such as 56-59. At least one attribute value must be specified. |
Defaults
If this command is not enabled, all attributes are sent to the network access server (NAS).
Command Modes
Command History
Usage Guidelines
Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the network access server (NAS) from receiving and processing unwanted attributes for authorization or accounting.
The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:
- For authorization:
- For accounting:
-
- 4 (NAS-IP-Address)
- 40 (Acct-Status-Type)
- 41 (Acct-Delay-Time)
- 44 (Acct-Session-ID)
Note The user will not receive an error at the point of configuring a reject list for required attributes because the list does not specify a purpose—authorization or accounting. The server will determine whether an attribute is required when it is known what the attribute is to be used for.
Examples
The following example shows how to add attributes 12, 217, 6-10, 13, 64-69, and 218 to the list name "standard":
Related Commands A
radius-server attribute list
To define an accept or reject list name, use the radius-server attribute list command in global configuration mode.
- radius-server attribute list listname
Syntax Description
Defaults
No default behavior or values.
Command Modes
Command History
Usage Guidelines
A user can configure an accept or reject list with a selection of attributes on the network access server (NAS) for authentication or accounting so unwanted attributes are not accepted and processed. The radius-server attribute list command allows users to specify a name for an accept or reject list. This command is used in conjunction with the attribute command, which adds attributes to an accept or reject list.
|
Note The listname must be the same as the listname defined in the accounting or authorization configuration command. |
Examples
The following example shows how to configure the reject list "bad-author" for RADIUS authorization and accept list "usage-only" for RADIUS accounting:
|
Note Although you cannot configure more than one access or reject list per server group for authorization or accounting, you can configure one list for authorization and one list for accounting per server group. |
Related Commands
Glossary
AAA—Authentication, authorization, and accounting. Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
attribute—RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known; thus all clients and servers who exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.
NAS—Network access server. A Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the Public Switched Telephone Network).
RADIUS—Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
VSA—Vendor-specific attribute. VSAs are derived from one IETF attribute—vendor-specific (attribute 26). Attribute 26 allows a vendor to create and implement an additional 255 attributes. That is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26; essentially, Vendor-Specific ="protocol:attribute=value".