Setting up RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized authentication for users attempting to gain management access to a network. It serves as a backend user database, like the local database and TACACS+, and provides authentication and accounting services:
- Authentication—The process of verifying users when they attempt to log into the controller. Users must enter a valid username and password for the controller to authenticate them against the RADIUS server. If multiple databases are configured, you can specify the sequence in which the backend databases are tried.
Note
The management password for the RADIUS server or Cisco controller that is set for local authentication is limited to 127 characters in length.
Note
Clients using Microsoft Windows 10 with the default (zero-touch configuration) supplicant fail to connect to the controller when there is no CA certificate with which to validate the server certificate. The supplicant does not pop up a window to accept the server certificate; it silently rejects the 802.1X authentication. Therefore, we recommend that you do either of the following:
  - Install on the AAA server a server certificate issued by a third-party CA that the Microsoft Windows 10 clients already trust.
  - Use another supplicant, such as Cisco AnyConnect, which pops up a window asking whether to trust the server certificate. If you accept the certificate, the client is authenticated.
- Accounting—The process of recording user actions and changes. Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.
RADIUS uses User Datagram Protocol (UDP) as its transport. The server maintains the user database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is not encrypted: the shared secret configured on both devices is used only to obfuscate the User-Password attribute (an MD5-based construction defined in the protocol) and to compute the authenticator with which the controller verifies that a reply came from a holder of the secret. Every other attribute, including the username, crosses the network in cleartext, so the secret should be long and random, and the controller-to-server path should be protected (for example with the IPSec option described later in this section) wherever it crosses an untrusted network.
You can configure multiple RADIUS accounting and authentication servers. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.
When a management user is authenticated using a RADIUS server, only the PAP protocol is used. For web authentication users, PAP, MSCHAPv2 and MD5 security mechanisms are supported.
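The exchange described above, as an added example that is not part of the original guide or of the controller's own code: a Python model of one PAP management login, with the controller building the Access-Request and the server answering. It shows what the shared secret actually protects. The User-Password attribute is hidden by the RFC 2865 MD5 construction, every other attribute (including User-Name) is readable on the wire, and the Response Authenticator is what stops a host without the secret from forging an Access-Accept. The secret, username, password, NAS address and NAS identifier are constructed values; the attribute numbers and Service-Type values are the RFC 2865 ones.

```python
import hashlib
import os
import struct

# Constructed test values for this example (not taken from the page).
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"netadmin"
PASSWORD = b"correct horse battery"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT = 6, 7  # RFC 2865 values


def attr(code: int, value: bytes) -> bytes:
    """One attribute: Type, Length (counting this 2-byte header), Value."""
    return struct.pack("!BB", code, 2 + len(value)) + value


def parse_attrs(blob: bytes) -> list:
    out, i = [], 0
    while i < len(blob):
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        out.append((code, blob[i + 2:i + length]))
        i += length
    return out


def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This keys the obfuscation on the shared secret; nothing else in the packet is hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password; the server runs this before checking the credential."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes) -> tuple:
    """Controller (NAS) side: a PAP management login. Returns (packet, Request Authenticator)."""
    request_auth = os.urandom(16)  # must be unpredictable and unique per request
    attrs = (
        attr(USER_NAME, USERNAME)
        + attr(USER_PASSWORD, hide_password(PASSWORD, request_auth, secret))
        + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))              # constructed NAS address
        + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
        + attr(NAS_IDENTIFIER, b"wlc-example")                       # constructed identifier
        + attr(NAS_PORT_TYPE, struct.pack("!I", 5))                 # 5 = Virtual
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it, and sign the reply with the
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME)
    ok = (code == ACCESS_REQUEST and user in users
          and reveal_password(attrs[USER_PASSWORD], request_auth, secret) == users[user])
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)) if ok else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + request_auth + reply_attrs + secret).digest() + reply_attrs


def client_verify(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Controller side: a reply whose Response Authenticator does not verify is dropped,
    so a host without the shared secret cannot forge an Access-Accept."""
    header, got, attrs = response[:4], response[4:20], response[20:]
    return got == hashlib.md5(header + request_auth + attrs + secret).digest()


def cleartext_view(request: bytes) -> dict:
    """What a passive observer on the path sees: every attribute except User-Password."""
    return {code: value for code, value in parse_attrs(request[20:]) if code != USER_PASSWORD}


def login(secret_on_server: bytes = SHARED_SECRET) -> tuple:
    """One exchange; returns (reply verified by the controller, reply code)."""
    request, request_auth = build_access_request(ident=7, secret=SHARED_SECRET)
    response = server_respond(request, secret_on_server, {USERNAME: PASSWORD})
    return client_verify(response, request_auth, SHARED_SECRET), response[0]
```

`login()` returns `(True, 2)` when both sides hold the same secret. With a mismatched secret on the server the password does not recover, the server answers Access-Reject, and the controller also fails to verify that reply: both symptoms together are what a shared-secret mismatch looks like in practice.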
RADIUS Server Support
- You can configure up to 32 RADIUS authentication servers and up to 32 RADIUS accounting servers.
- If multiple RADIUS servers are configured for redundancy, the user database must be identical on all the servers for the backup to work properly.
- One Time Passwords (OTPs) are supported on the controller using RADIUS. In this configuration, the controller acts as a transparent passthrough device: it forwards all client requests to the RADIUS server without inspecting the client behavior. When using OTP, the client must establish a single connection to the controller to function properly. The controller currently has no intelligence or checks to correct a client that tries to establish multiple connections.
- To create a read-only controller user on the RADIUS server, set the Service-Type attribute to NAS Prompt, not Callback NAS Prompt. With Callback NAS Prompt the user authentication fails, whereas NAS Prompt gives the user read-only access to the controller. The Callback Administrative service type gives the user lobby ambassador privileges on the controller.
- If RADIUS servers are mapped per WLAN, the controller does not use RADIUS servers from the global list on that WLAN.
- To configure the RADIUS server:
  - Using Access Control Server (ACS)—See the latest Cisco Secure Access Control System guide at https://www.cisco.com/c/en/us/support/security/secure-access-control-system/products-user-guide-list.html.
  - Using Identity Services Engine (ISE)—See the Configuring External RADIUS Servers section in the Cisco Identity Services Engine Administrator Guide at https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-installation-and-configuration-guides-list.html.
Primary and Fallback RADIUS Servers
The primary RADIUS server (the server with the lowest server index) is assumed to be the most preferable server for the controller. If the primary server becomes unresponsive, the controller switches to the next active backup server (the server with the next lowest server index). The controller continues to use this backup server, unless you configure the controller to fall back to the primary RADIUS server when it recovers and becomes responsive or to a more preferable server from the available backup servers.
Note
Functionality change introduced in Release 8.5.140.0:
- When RADIUS aggressive failover for the controller is disabled: a packet is retried six times unless there is a termination from the client. The RADIUS server (both AUTH and ACCT) is marked unreachable after three timeout events (18 consecutive retries), which can come from multiple clients (previously, they had to come from exactly three clients).
- When RADIUS aggressive failover for the controller is enabled: a packet is retried six times unless there is a termination from the client. The RADIUS server (both AUTH and ACCT) is marked unreachable after one timeout event (6 consecutive retries), which can come from multiple clients (previously, from exactly one client).
Because the 18 (or 6) consecutive retries counted per RADIUS server (both AUTH and ACCT) can be spread across multiple clients, it is not guaranteed that each packet is retried six times.
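A model of the counting rule in this note, added here as an illustration and not taken from the controller software. It assumes the reading the note gives: the counter of consecutive unanswered retries belongs to the server and is fed by every client's retries, any response resets it, and the packet that pushes the counter to the limit is the last one retried. `silent_server()` runs four clients in turn against a server that never answers.

```python
RETRIES_PER_PACKET = 6


class RadiusServerHealth:
    """Controller-side dead-server detection as described in the note (model only).
    The counter of consecutive unanswered retries is per server, not per client."""

    def __init__(self, aggressive_failover: bool):
        # Disabled: 3 timeout events x 6 retries = 18; enabled: 1 x 6 = 6.
        self.limit = RETRIES_PER_PACKET * (1 if aggressive_failover else 3)
        self.consecutive_retries = 0
        self.reachable = True

    def on_response(self) -> None:
        """Any reply from the server clears the shared counter."""
        self.consecutive_retries = 0
        self.reachable = True

    def send_unanswered(self, client: str) -> dict:
        """One packet for `client` to a server that never answers. Each retry adds to the
        shared counter; once the limit is reached the server is marked unreachable and the
        packet stops being retried, even if it has had fewer than six attempts."""
        retries = 0
        while self.reachable and retries < RETRIES_PER_PACKET:
            retries += 1
            self.consecutive_retries += 1
            if self.consecutive_retries >= self.limit:
                self.reachable = False  # the controller fails over to the next server index
        return {"client": client, "retries": retries, "reachable": self.reachable}


def silent_server(aggressive_failover: bool, clients=("c1", "c2", "c3", "c4")) -> list:
    """Four clients authenticate in turn against a server that has gone silent."""
    server = RadiusServerHealth(aggressive_failover)
    return [server.send_unanswered(c) for c in clients]
```

With aggressive failover disabled the first three clients each get six retries and the fourth gets none, because the server is already marked unreachable; with it enabled only the first client's packet is retried at all.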
RADIUS DNS
You can use a fully qualified domain name (FQDN), which lets you change the server's IP address when needed, for example for load-balancing updates. A DNS submenu is added to the Security > AAA > RADIUS menu, from which you can have the controller obtain the RADIUS server IP address from DNS. The DNS query is disabled by default. Because the controller then sends AAA traffic to whichever address the DNS answer returns, protect the resolver path it uses: a spoofed answer can redirect requests to a host of the attacker's choosing, and although that host cannot produce a reply that verifies without the shared secret, every redirected request still exposes the username in cleartext.
Restrictions on Configuring RADIUS
- You can configure the session timeout value for the RADIUS server up to 65535 seconds. The controller does not support a session timeout value for the RADIUS server higher than 65535 seconds.
- If the session timeout value configured on the RADIUS server is set beyond 24 days, the RADIUS session timeout value does not override the session timeout value configured locally on the WLAN.
- A network address translation (NAT) scenario with IPSec enabled on the traffic between the controller and the RADIUS server is not supported.
Configuring RADIUS Authentication (GUI)
Procedure
Step 1
Choose . This page lists any RADIUS servers that have already been configured.
Step 2
From the Auth Called Station ID Type drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available:
Step 3
Enable RADIUS-to-controller key transport using AES key wrap protection by checking the Use AES Key Wrap check box. The default value is unchecked. This feature is required for FIPS customers.
Step 4
From the MAC Delimiter drop-down list, choose the option that is sent to the RADIUS server in the Access-Request message. The following options are available:
Step 5
Click Apply. Perform one of the following:
Step 6
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured RADIUS servers providing the same service.
Step 7
If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text box.
Step 8
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key to be used between the controller and the RADIUS server. The default value is ASCII.
Step 9
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication between the controller and the server. The same secret must be configured on the RADIUS server. Use a long, random value: it is the only key material protecting the User-Password attribute and the packet authenticators.
Step 10
If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which makes the shared secret between the controller and the RADIUS server more secure, follow these steps:
Step 11
(Optional) Check the Apply Cisco ISE Default settings check box. Enabling Cisco ISE Default settings changes the following parameters: the Layer 2 security is either WPA+WPA2 with 802.1X or None with MAC filtering. You can change these default settings if required.
Step 12
If you are adding a new server, enter the RADIUS server's UDP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 1812 for authentication.
Step 13
From the Server Status drop-down list, choose Enabled to enable this RADIUS server or Disabled to disable it. The default value is Enabled.
Step 14
If you are configuring a new RADIUS authentication server, from the Support for CoA drop-down list, choose Enabled to enable change of authorization (CoA), an extension to the RADIUS protocol that allows dynamic changes to a user session, or Disabled to disable this feature. The default is Disabled. Support for CoA covers Disconnect and CoA messages: Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
Step 15
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds. Check the Key Wrap check box.
Step 16
Check the Network User check box to enable network user authentication, or uncheck it to disable this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS authentication server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.
Step 17
If you are configuring a RADIUS authentication server, check the Management check box to enable management authentication, or uncheck it to disable this feature. The default value is checked. If you enable this feature, this entry is considered the RADIUS authentication server for management users, and authentication requests go to the RADIUS server.
Step 18
Enter the Management Retransmit Timeout value, which denotes the network login retransmission timeout for the server.
Step 19
If you want to use a tunnel gateway as AAA proxy, check the Tunnel Proxy check box. The gateway can function as a proxy RADIUS server as well as a tunnel gateway.
Step 20
Check the PAC Provisioning check box to enable PAC provisioning for RADIUS authentication, or uncheck it to disable this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS authentication server that provisions PACs for users.
Step 21
Check the IPSec check box to enable IPSec protection of the traffic to this server, or uncheck it to disable this feature. The default value is unchecked.
Step 22
From the IPSec Profile Name drop-down list, choose the IPSec profile. You can create an IPSec profile by navigating to . For more information, see the "IPSec Profile" section in the "Controller Security" chapter.
Step 23
Click Apply.
Step 24
Click Save Configuration.
Step 25
Repeat the previous steps if you want to configure any additional services on the same server or any additional RADIUS servers.
Configuring RADIUS Accounting Servers (GUI)
Procedure
Step 1
Choose . This page lists any RADIUS servers that have already been configured.
Step 2
From the Acct Called Station ID Type drop-down list, choose the option that is sent to the RADIUS server in the Accounting-Request message. The following options are available:
Step 3
From the MAC Delimiter drop-down list, choose the option that is sent to the RADIUS server in the Accounting-Request message. The following options are available:
Step 4
Click Apply. Perform one of the following:
Step 5
If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured RADIUS servers providing the same service.
Step 6
If you are adding a new server, enter the IP address of the RADIUS server in the Server IP Address text box.
Step 7
From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key to be used between the controller and the RADIUS server. The default value is ASCII.
Step 8
In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for accounting between the controller and the server. The same secret must be configured on the RADIUS server.
Step 9
If you are adding a new server, enter the RADIUS server's UDP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 1813 for accounting.
Step 10
From the Server Status drop-down list, choose Enabled to enable this RADIUS server or Disabled to disable it. The default value is Enabled.
Step 11
In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 12
Check the Network User check box to enable network user accounting, or uncheck it to disable this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS accounting server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.
Step 13
Check the Management check box to enable management accounting, or uncheck it to disable this feature. The default value is checked. If you enable this feature, this entry is considered the RADIUS accounting server for management users, and accounting requests go to the RADIUS server.
Step 14
If you want to use a tunnel gateway as AAA proxy, check the Tunnel Proxy check box. The gateway can function as a proxy RADIUS server as well as a tunnel gateway.
Step 15
Check the PAC Provisioning check box to enable PAC provisioning for RADIUS accounting, or uncheck it to disable this feature. The default value is unchecked. If you enable this feature, this entry is considered the RADIUS accounting server that provisions PACs for users.
Step 16
Check the IPSec check box to enable IPSec protection of the traffic to this server, or uncheck it to disable this feature. The default value is unchecked.
Step 17
From the IPSec Profile Name drop-down list, choose the IPSec profile. You can create an IPSec profile by navigating to . For more information, see the "IPSec Profile" section in the "Controller Security" chapter.
Step 18
Click Apply.
Step 19
Click Save Configuration.
Step 20
Repeat the previous steps if you want to configure any additional services on the same server or any additional RADIUS servers.
Configuring RADIUS (CLI)
Procedure
RADIUS Authentication Attributes Sent by the Controller
The following tables identify the RADIUS authentication attributes sent between the controller and the RADIUS server in Access-Request and Access-Accept packets.
Attributes sent by the controller in Access-Request packets:
Attribute ID | Description
---|---
1 | User-Name
2 | User-Password
3 | CHAP-Password
4 | NAS-IP-Address
5 | NAS-Port
6 | Service-Type
12 | Framed-MTU
30 | Called-Station-ID (MAC address)
31 | Calling-Station-ID (MAC address)
32 | NAS-Identifier
33 | Proxy-State
60 | CHAP-Challenge
61 | NAS-Port-Type
79 | EAP-Message
Cisco vendor-specific attributes honored in Access-Accept packets:
Attribute ID | Description
---|---
1 | Cisco-LEAP-Session-Key
2 | Cisco-Keywrap-Msg-Auth-Code
3 | Cisco-Keywrap-Nonce
4 | Cisco-Keywrap-Key
5 | Cisco-URL-Redirect
6 | Cisco-URL-Redirect-ACL
Note
These Cisco-specific attributes are not supported: Auth-Algo-Type and SSID.
Standard attributes honored in Access-Accept packets:
Attribute ID | Description
---|---
6 | Service-Type. To specify read-only or read-write access to controllers through RADIUS authentication, set the Service-Type attribute (6) on the RADIUS server to NAS Prompt (value 7) for read-only access or to Administrative (value 6) for read-write privileges. Callback Administrative (value 11) gives lobby ambassador privileges; Callback NAS Prompt causes the authentication to fail (see RADIUS Server Support above).
8 | Framed-IP-Address
25 | Class
26 | Vendor-Specific
27 | Session-Timeout
29 | Termination-Action
40 | Acct-Status-Type
64 | Tunnel-Type
79 | EAP-Message
81 | Tunnel-Private-Group-ID
Note
Message authentication (the Message-Authenticator attribute, 80) is not supported, so the integrity of a reply rests on the Response Authenticator (an MD5 hash over the packet and the shared secret) alone.
Microsoft vendor-specific attributes honored in Access-Accept packets:
Attribute ID | Description
---|---
11 | MS-CHAP-Challenge
16 | MS-MPPE-Send-Key
17 | MS-MPPE-Receive-Key
25 | MS-MSCHAP2-Response
26 | MS-MSCHAP2-Success
Airespace vendor-specific attributes (Vendor-Id 14179) honored in Access-Accept packets; each is described in the sections that follow:
Attribute ID | Description
---|---
1 | VAP-ID
2 | QoS-Level
3 | DSCP
4 | 8021P-Type
5 | VLAN-Interface-Name
6 | ACL-Name
7 | Data-Bandwidth-Average-Contract
8 | Real-Time-Bandwidth-Average-Contract
9 | Data-Bandwidth-Burst-Contract
10 | Real-Time-Bandwidth-Burst-Contract
11 | Guest-Role-Name
13 | Data-Bandwidth-Average-Contract-US
14 | Real-Time-Bandwidth-Average-Contract-US
15 | Data-Bandwidth-Burst-Contract-US
16 | Real-Time-Bandwidth-Burst-Contract-US
Authentication Attributes Honored in Access-Accept Packets (Airespace)
This section lists the RADIUS authentication Airespace attributes currently supported on the controller.
VAP ID
This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access-Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. The WLAN ID is sent by the controller in all instances of authentication except IPsec. In the case of web authentication, if the controller receives a WLAN-ID attribute in the authentication response from the AAA server and it does not match the ID of the WLAN, the authentication is rejected. 802.1X and MAC filtering authentications are rejected in the same way. This rejection, based on the response from the AAA server, is due to the SSID Cisco AVPair support. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| WLAN ID (VALUE) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 1
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – ID of the WLAN to which the client should belong.
QoS-Level
This attribute indicates the QoS level to be applied to the mobile client's traffic within the switching fabric, as well as over the air. This example shows a summary of the QoS-Level Attribute format. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| QoS Level |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 2
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – 4-octet integer, one of:
  - 0 – Silver (Best Effort)
  - 1 – Gold (Video)
  - 2 – Platinum (Voice)
  - 3 – Bronze (Background)
Differentiated Services Code Point (DSCP)
DSCP is a packet header code that can be used to provide differentiated services based on the QoS levels. This attribute defines the DSCP value to be applied to a client. When present in a RADIUS Access Accept, the DSCP value overrides the DSCP value specified in the WLAN profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DSCP (VALUE) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 3
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – DSCP value to be applied for the client.
802.1p Tag Type
802.1p VLAN tag received from the client, defining the access priority. This tag maps to the QoS Level for client-to-network packets. This attribute defines the 802.1p priority to be applied to the client. When present in a RADIUS Access Accept, the 802.1p value overrides the default specified in the WLAN profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 802.1p (VALUE) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 4
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – 802.1p priority to be applied to the client.
VLAN Interface Name
This attribute indicates the VLAN interface a client is to be associated to. A summary of the Interface-Name Attribute format is shown below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Interface Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 8 plus the length of the string (the Length field is one octet, so the string is at most 247 octets)
- Vendor-Id – 14179
- Vendor type – 5
- Vendor length – 2 plus the length of the string (as defined in RFC 2865)
- Value – A string containing the name of the interface to which the client is to be assigned.
Note
This attribute only works when MAC filtering is enabled or if 802.1X or WPA is used as the security policy.
ACL-Name
This attribute indicates the ACL name to be applied to the client. A summary of the ACL-Name Attribute format is shown below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ACL Name...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 8 plus the length of the string
- Vendor-Id – 14179
- Vendor type – 6
- Vendor length – 2 plus the length of the string (as defined in RFC 2865)
- Value – A string containing the name of the ACL to use for the client.
Data Bandwidth Average Contract
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied for a client for non-realtime traffic such as TCP. This value is specific for downstream direction from wired to wireless. When present in a RADIUS Access Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data Bandwidth Average Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 7
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Real Time Bandwidth Average Contract
This attribute is a rate limiting value. It indicates the Real Time Bandwidth Average Contract that will be applied to a client for realtime traffic such as UDP. This value applies to the downstream direction, from wired to wireless. When present in a RADIUS Access Accept, the Real Time Bandwidth Average Contract value overrides the Average Real-Time Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Real Time Bandwidth Average Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 8
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Data Bandwidth Burst Contract
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to downstream direction from wired to wireless. When present in a RADIUS Access Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data Bandwidth Burst Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 9
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Real Time Bandwidth Burst Contract
This attribute is a rate limiting value. It indicates the Real Time Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value applies to the downstream direction, from wired to wireless. When present in a RADIUS Access Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
Note
To push Average Data Rate and Burst Data Rate as AAA override parameters from a AAA server, both Average Data Rate and Burst Data Rate must be sent from ISE.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Real Time Bandwidth Burst Contract...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 10
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Guest Role Name
This attribute provides the bandwidth contract values to be applied for an authenticating user. When present in a RADIUS Access Accept, the bandwidth contract values defined for the Guest Role overrides the bandwidth contract values (based on QOS value) specified for the WLAN. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| GuestRoleName ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 8 plus the length of the Guest Role Name string
- Vendor-Id – 14179
- Vendor type – 11
- Vendor length – 2 plus the length of the Guest Role Name string (as defined in RFC 2865)
- Value – A string of alphanumeric characters
Data Bandwidth Average Contract Upstream
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to upstream direction from wireless to wired. When present in a RADIUS Access Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data Bandwidth Average Contract Upstream...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 13
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Real Time Bandwidth Average Contract Upstream
This attribute is a rate limiting value. It indicates the Real Time Bandwidth Average Contract that will be applied to a client for realtime traffic such as UDP. This value applies to the upstream direction, from wireless to wired. When present in a RADIUS Access Accept, the Real Time Bandwidth Average Contract value overrides the Average Real-Time Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Real Time Bandwidth Average Contract Upstream...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 14
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Data Bandwidth Burst Contract Upstream
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to upstream direction from wireless to wired. When present in a RADIUS Access Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data Bandwidth Burst Contract Upstream...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 15
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
Real Time Bandwidth Burst Contract Upstream
This attribute is a rate limiting value. It indicates the Real Time Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value applies to the upstream direction, from wireless to wired. When present in a RADIUS Access Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont.) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Real Time Bandwidth Burst Contract Upstream...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
- Type – 26 for Vendor-Specific
- Length – 12 (Type, Length, Vendor-Id, Vendor type, Vendor length, and the 4-octet value)
- Vendor-Id – 14179
- Vendor type – 16
- Vendor length – 6 (Vendor type, Vendor length, and the 4-octet value, as defined in RFC 2865)
- Value – A value in kbps
RADIUS Accounting Attributes
This table identifies the RADIUS accounting attributes for accounting requests sent from a controller to the RADIUS server.
Attribute ID | Description
---|---
1 | User-Name
4 | NAS-IP-Address
5 | NAS-Port
8 | Framed-IP-Address
25 | Class
30 | Called-Station-ID (MAC address)
31 | Calling-Station-ID (MAC address)
32 | NAS-Identifier
40 | Accounting-Status-Type
41 | Accounting-Delay-Time (Stop and interim messages only)
42 | Accounting-Input-Octets (Stop and interim messages only)
43 | Accounting-Output-Octets (Stop and interim messages only)
44 | Accounting-Session-ID
45 | Accounting-Authentic
46 | Accounting-Session-Time (Stop and interim messages only)
47 | Accounting-Input-Packets (Stop and interim messages only)
48 | Accounting-Output-Packets (Stop and interim messages only)
49 | Accounting-Terminate-Cause (Stop messages only)
52 | Accounting-Input-Gigawords (high-order 32 bits of the input octet count)
53 | Accounting-Output-Gigawords (high-order 32 bits of the output octet count)
55 | Event-Timestamp
64 | Tunnel-Type
65 | Tunnel-Medium-Type
81 | Tunnel-Private-Group-ID
97 | Framed-IPv6-Prefix
168 | Framed-IPv6-Address
This table lists the different values for the Accounting-Status-Type attribute (40).
Value | Description
---|---
1 | Start
2 | Stop
3 | Interim-Update
7 | Accounting-On
8 | Accounting-Off
9-14 | Reserved for Tunneling Accounting
15 | Reserved for Failed
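An added example, not from the guide, that consumes Accounting-Request records the way a log pipeline would: it flattens the attributes in the table above into an event, combines Acct-Input/Output-Octets with the Gigawords attributes into 64-bit counters so long sessions do not wrap, flags attributes the table marks as Stop/Interim-only when they turn up in a Start, and correlates Start, Interim-Update and Stop by Acct-Session-Id so a Stop with no Start stands out. The sample records (attribute lists without the RADIUS header) and the session ID format are constructed for the example.

```python
import struct

USER_NAME, CALLING_STATION_ID = 1, 31
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 41, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 44, 46, 47, 48
ACCT_TERMINATE_CAUSE, ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 49, 52, 53
START, STOP, INTERIM_UPDATE, ACCOUNTING_ON, ACCOUNTING_OFF = 1, 2, 3, 7, 8
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}
# From the table above: counters appear only in Stop and Interim-Update, the cause only in Stop.
STOP_OR_INTERIM_ONLY = {41, 42, 43, 46, 47, 48, 52, 53}
STOP_ONLY = {49}


def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, 2 + len(value)) + value


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def parse_attrs(blob: bytes) -> dict:
    out, i = {}, 0
    while i < len(blob):
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        out[code] = blob[i + 2:i + length]
        i += length
    return out


def counter64(attrs: dict, low: int, high: int) -> int:
    """Combine a 32-bit octet counter with its Gigawords attribute (the high 32 bits)."""
    lo = struct.unpack("!I", attrs.get(low, b"\0\0\0\0"))[0]
    hi = struct.unpack("!I", attrs.get(high, b"\0\0\0\0"))[0]
    return (hi << 32) | lo


def normalize(record: bytes) -> dict:
    """Flatten one Accounting-Request attribute list into an event dict for a log pipeline."""
    a = parse_attrs(record)
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    ev = {
        "status": STATUS_NAMES.get(status, f"unknown({status})"),
        "user": a.get(USER_NAME, b"").decode(errors="replace"),
        "session_id": a.get(ACCT_SESSION_ID, b"").decode(errors="replace"),
        "client_mac": a.get(CALLING_STATION_ID, b"").decode(errors="replace"),
        "warnings": [],
    }
    allowed = set(a) - STOP_OR_INTERIM_ONLY - STOP_ONLY  # Start, Accounting-On/Off
    if status == STOP:
        allowed = set(a)
    elif status == INTERIM_UPDATE:
        allowed = set(a) - STOP_ONLY
    misplaced = sorted(set(a) - allowed)
    if misplaced:
        ev["warnings"].append(f"{ev['status']} carries attributes {misplaced} not expected in this record type")
    if status in (STOP, INTERIM_UPDATE):
        ev["input_octets"] = counter64(a, ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS)
        ev["output_octets"] = counter64(a, ACCT_OUTPUT_OCTETS, ACCT_OUTPUT_GIGAWORDS)
        ev["session_time"] = struct.unpack("!I", a.get(ACCT_SESSION_TIME, b"\0\0\0\0"))[0]
    if status == STOP and ACCT_TERMINATE_CAUSE in a:
        ev["terminate_cause"] = struct.unpack("!I", a[ACCT_TERMINATE_CAUSE])[0]
    return ev


class SessionTracker:
    """Correlate records by Acct-Session-Id so gaps in the audit trail stand out:
    a Stop or Interim for a session that never started, or a second Start for a live one."""

    def __init__(self):
        self.open = {}  # session id -> user

    def feed(self, ev: dict) -> dict:
        sid, status = ev["session_id"], ev["status"]
        if status == "Start":
            if sid in self.open:
                ev["warnings"].append("duplicate Start for an open session")
            self.open[sid] = ev["user"]
        elif status in ("Stop", "Interim-Update"):
            if sid not in self.open:
                ev["warnings"].append(f"{status} for a session with no Start")
            elif self.open[sid] != ev["user"]:
                ev["warnings"].append("User-Name changed within the session")
            if status == "Stop":
                self.open.pop(sid, None)
        elif status == "Accounting-On":  # the NAS restarted; its old sessions are gone
            self.open.clear()
        return ev


# Constructed sample records (attribute lists only, no RADIUS header); not a real capture.
SESSION = b"5f3a0001/00:11:22:33:44:55/7"
COMMON = attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, SESSION) + attr(CALLING_STATION_ID, b"00-11-22-33-44-55")
SAMPLE_RECORDS = [
    COMMON + attr(ACCT_STATUS_TYPE, u32(START)),
    COMMON + attr(ACCT_STATUS_TYPE, u32(INTERIM_UPDATE)) + attr(ACCT_INPUT_OCTETS, u32(1000))
    + attr(ACCT_OUTPUT_OCTETS, u32(5000)) + attr(ACCT_SESSION_TIME, u32(600)),
    COMMON + attr(ACCT_STATUS_TYPE, u32(STOP)) + attr(ACCT_INPUT_OCTETS, u32(10))
    + attr(ACCT_INPUT_GIGAWORDS, u32(1)) + attr(ACCT_OUTPUT_OCTETS, u32(7000))
    + attr(ACCT_SESSION_TIME, u32(3600)) + attr(ACCT_TERMINATE_CAUSE, u32(1)),
    attr(USER_NAME, b"mallory") + attr(ACCT_SESSION_ID, b"deadbeef")
    + attr(ACCT_STATUS_TYPE, u32(STOP)) + attr(ACCT_SESSION_TIME, u32(5)),
]


def process(records=SAMPLE_RECORDS) -> list:
    tracker = SessionTracker()
    return [tracker.feed(normalize(r)) for r in records]
```

The third sample record carries Acct-Input-Gigawords 1 with Acct-Input-Octets 10, which `normalize()` reports as 4294967306 octets; the fourth is a Stop for a session the tracker never saw start, the pattern to alert on when accounting is the audit trail for management access.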