- Securing User Services Overview
- Autosecure
-
-
-
- Configuring RADIUS
- AAA Dead-Server Detection
- ACL Default Direction
- Attribute Screening for Access Requests
- Enable Multilink PPP via RADIUS for Preauthentication User
- Enhanced Test Command
- Framed-Route in RADIUS Accounting
- Offload Server Accounting Enhancement
- Per VRF AAA
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Attribute Screening
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Route Download
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Tunnel Authentication via RADIUS on Tunnel Terminator
-
-
-
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor Specific Attributes
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
- RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
- RADIUS Attribute 82: Tunnel Assignment ID
- RADIUS Attribute 104
- RADIUS Progress Codes
- RADIUS Timeout Set During Pre-Authentication
- RADIUS Tunnel Attribute Extensions
- V.92 Reporting Using RADIUS Attribute v.92-info
-
- Cisco IOS Login Enhancements (Login Block)
- Cisco IOS Resilient Configuration
- Image Verification
- IP Source Tracker
- Role-Based CLI Access
- Finding Feature Information
- Contents
- Prerequisites for Attribute Screening for Access Requests
- Restrictions for Attribute Screening for Access Requests
- Information About Attribute Screening for Access Requests
- How to Configure Attribute Screening for Access Requests
- Configuration Examples for Attribute Filtering for
Access Requests - Additional References
- Feature Information for Attribute Screening for Access Requests
Attribute Screening for Access Requests
The Attribute Screening for Access Requests feature allows you to configure your network access server (NAS) to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Attribute Screening for Access Requests" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Prerequisites for Attribute Screening for Access Requests
•Restrictions for Attribute Screening for Access Requests
•Information About Attribute Screening for Access Requests
•How to Configure Attribute Screening for Access Requests
•Configuration Examples for Attribute Filtering for Access Requests
•Feature Information for Attribute Screening for Access Requests
Prerequisites for Attribute Screening for Access Requests
•You must be familiar with configuring attribute lists.
Restrictions for Attribute Screening for Access Requests
•Attributes 1 (Username), 2 (User-Password), and 3 (Chap-Password) cannot be filtered.
Information About Attribute Screening for Access Requests
To configure the Attribute Screening for Access Requests feature, you should understand the following concept:
•Configuring an NAS to Filter Attributes in Outbound Access Requests
Configuring an NAS to Filter Attributes in Outbound Access Requests
The Attribute Screening for Access Requests feature allows you to configure your NAS to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization. The filters can be configured on the NAS, or they can be downloaded via downloadable vendor-specific attributes (VSAs) from the authentication, authorization, and accounting (AAA) server.
The following are some examples of the downloadable VSAs:
Cisco:Cisco-Avpair="ppp-authen-type=chap"
Cisco:Cisco-Avpair="ppp-authen-list=group 1"
Cisco:Cisco-Avpair="ppp-author-list=group 1"
Cisco:Cisco-Avpair="vpdn:tunnel-id=B53"
Cisco:Cisco-Avpair="vpdn:ip-addresses=10.0.58.35"
Note You must be aware of which attributes you want to filter. Filtering certain key attributes can result in authentication failure (for example, attribute 60 should not be filtered).
How to Configure Attribute Screening for Access Requests
This section contains the following procedures:
•Configuring Attribute Screening for Access Requests
•Configuring a Router to Support Downloadable Filters
•Monitoring and Maintaining Attribute Filtering for Access Requests
Configuring Attribute Screening for Access Requests
To configure the attribute screening for access requests, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute list listname
4. attribute value1 [value2 [value3...]]
5. aaa group server radius group-name
6. authorization [request | reply] [accept | reject] listname
or
accounting [request | reply] [accept | reject] listname
DETAILED STEPS
Configuring a Router to Support Downloadable Filters
Perform this task to configure your router to support downloadable filters.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization template
4. aaa authorization network default group radius
5. radius-server attribute list list-name
6. attribute value1 [value2 [value3...]]
DETAILED STEPS
Troubleshooting Tips
If attribute filtering is not working, ensure that the attribute list is properly defined.
Monitoring and Maintaining Attribute Filtering for Access Requests
To monitor and maintain attribute filtering, you can use the debug radius command.
SUMMARY STEPS
1. enable
2. debug radius
DETAILED STEPS
Configuration Examples for Attribute Filtering for
Access Requests
This section provides the following configuration examples:
•Attribute Filtering for Access Requests: Example
•Attribute Filtering User Profile: Example
•debug radius Command: Example
Attribute Filtering for Access Requests: Example
The following example shows that the attributes 30-31 that are defined in "all-attr" will be rejected in all outbound Access Request messages:
aaa group server radius ras
server 172.19.192.238 auth-port 1745 acct-port 1746
authorization request reject all-attr
!
.
.
.
radius-server attribute list all-attr
attribute 30-31
!
.
.
.
Attribute Filtering User Profile: Example
The following is a sample user profile after attribute filtering has been configured for Access Requests:
cisco.com Password = "cisco"
Service-Type = Framed,
Framed-Protocol = PPP,
Cisco:Cisco-Avpair = :1:"rad-serv=172.19.192.87 key rad123",
Cisco:Cisco-Avpair = :1:"rad-serv-filter=authorization request reject range1",
Cisco:Cisco-Avpair = :1:"rad-serv-filter=accounting request reject range1",
Cisco:Cisco-Avpair = "ppp-authen-type=chap"
Cisco:Cisco-Avpair = "ppp-authen-list=group 1",
Cisco:Cisco-Avpair = "ppp-author-list=group 1",
Cisco:Cisco-Avpair = "ppp-acct-list=start-stop group 1",
Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53",
Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35",
Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"
user2@cisco.com
Service-Type = Outbound,
Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53",
Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35",
Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"
When a session for user2@cisco.com "comes up" at the Layer 2 Tunneling Protocol (L2TP) Network Server (LNS)—as is shown above—because the aaa authorization template command has been configured, a RADIUS request is sent to the server for Cisco.com. The server then sends an Access Accept message if authentication is successful, along with the VSAs that are configured as part of the Cisco.com profile. If filters are configured as part of the Cisco.com profile, these filters will be parsed and applied to the RADIUS requests for user2@cisco.com.
In the above profile example, filter range1 has been applied to the authorization and accounting requests.
debug radius Command: Example
If the attribute you are trying to filter is rejected, you will see an debug radius output statement similar to the following:
RADIUS: attribute 31 rejected
If you try to filter an attribute that cannot be filtered, you will see an output statement similar to the following:
RADIUS: attribute 1 cannot be rejected
Additional References
The following sections provide references related to Attribute Filtering for Access Requests.
Related Documents
|
|
---|---|
Configuring RADIUS |
"Configuring RADIUS" feature document. |
Security commands |
|
RADIUS attribute lists |
"RADIUS Attribute Screening" feature document. |
Standards
|
|
---|---|
None |
— |
MIBs
|
|
---|---|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
None |
— |
Technical Assistance
Feature Information for Attribute Screening for Access Requests
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2003-2009 Cisco Systems, Inc. All rights reserved.