Configuring RFC 5580 Location Attributes

RFC 5580 location attributes

An RFC 5580 location attribute is a RADIUS protocol attribute that

  • conveys location related information for authentication and accounting exchanges,

  • supports both user and NAS locations using Civic profiles and Geo profiles, and

  • enables services such as location-aware authorization, billing, and enhanced user privacy.

Feature history for RFC 5580 location attributes

This table lists the release and related information for this feature.

This feature is available in all subsequent releases unless stated otherwise.

Table 1. Feature history for RFC 5580 location attributes

Release: Cisco IOS XE 17.9.1

Feature: Support for RFC 5580 location attributes in the controller

Feature information: This feature uses RFC 5580 location attributes to convey location related information for authentication and accounting exchanges.

The controller supports these RFC 5580-related attributes:

  • Location-Information

  • Location-Data CIVIC Profile: Country

  • Location-Data CIVIC Profile: CAtype 1 (state)

  • Location-Data CIVIC Profile: CAtype 3 (city)

  • Location-Data CIVIC Profile: CAtype 23 (venue name)

  • Location-Data CIVIC Profile: CAtype 24 (zip code)

  • Location-Data GEO Profile (longitude, latitude, and altitude)

  • Operator Name

Various operators use RFC 5580 location attributes in wireless networks deployed in public places such as shopping malls, airports, hotels, and coffee shops.

To enable location-aware authorization, billing, or services, the network may require the user location.

You must protect the location information against unauthorized access and distribution.

  • User location specifies a user-specific location, typically configured at the access point.

  • NAS location refers to the common host location for all users connected to a specific network access server, configurable in AAA (Authentication, Authorization, and Accounting).

Each location can have two profiles: a Civic profile and a Geo profile.

  • Civic Profile describes a location using civic attributes such as country, state, city, area, and postal code.

  • Geo Profile describes a location using geographic attributes such as latitude, longitude, and altitude.

Location Attributes and Profiles

If a user has both user location and NAS location, you can configure each location using Civic profiles and Geo profiles.

You can configure these locations:

  • Civic user location

  • Civic NAS location

  • Geo user location

  • Geo NAS location

Each piece of location information, for example the civic user location, is sent using these attributes:

  • Location-Information

  • Location-Data

The controller supports these RFC 5580-related attributes:

  • Location-Information

  • Location-Data CIVIC Profile: Country

  • Location-Data CIVIC Profile: CAtype 1 (state)

  • Location-Data CIVIC Profile: CAtype 3 (city)

  • Location-Data CIVIC Profile: CAtype 23 (venue name)

  • Location-Data CIVIC Profile: CAtype 24 (zip code)

  • Location-Data GEO Profile (longitude, latitude, and altitude)

  • Operator Name

You can configure four locations and one operator name for each user.

The Out-of-Band Agreement delivery method (Flow one) mentioned in RFC 5580 is supported for transferring location information if the feature is enabled and location information is configured.
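The Location-Information and Location-Data pair described above, decoded for the civic profile, as an added example that is not Cisco's code. The field layout follows RFC 5580 and RFC 4776; the sample bytes are constructed from the TEST1 values in this page's verification output, the mapping of the profile's name to CAtype 23 is an assumption, and all function names are illustrative.

```python
import struct

# Civic CAtypes this page lists for the controller (numbering from RFC 4776).
CATYPES = {1: "state", 3: "city", 23: "venue name", 24: "zip code"}
PROFILES = {0: "civic", 1: "geo"}   # Location-Information Code field
ENTITIES = {0: "user", 1: "NAS"}    # Location-Information Entity field

def parse_location_information(value: bytes) -> dict:
    """Index(2) Code(1) Entity(1) Sighting-Time(8) Time-to-Live(8) Method(var)."""
    if len(value) < 20:
        raise ValueError("Location-Information shorter than its fixed fields")
    index, code, entity = struct.unpack("!HBB", value[:4])
    return {"index": index,
            "profile": PROFILES.get(code, f"unknown({code})"),
            "entity": ENTITIES.get(entity, f"unknown({entity})"),
            "method": value[20:].decode("utf-8", "replace")}

def parse_civic_location_data(value: bytes) -> dict:
    """Index(2) Country(2), then CAtype(1) CAlength(1) CAvalue elements."""
    if len(value) < 4:
        raise ValueError("Location-Data too short for Index and country code")
    out = {"index": struct.unpack("!H", value[:2])[0],
           "country": value[2:4].decode("ascii", "replace"), "elements": {}}
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated civic element header")
        catype, calen = value[pos], value[pos + 1]
        end = pos + 2 + calen
        if end > len(value):  # never trust CAlength past the attribute end
            raise ValueError(f"CAtype {catype} overruns the attribute")
        name = CATYPES.get(catype, f"CAtype {catype}")
        out["elements"][name] = value[pos + 2:end].decode("utf-8", "replace")
        pos = end
    return out

def describe_civic(info_value: bytes, data_value: bytes) -> dict:
    """Join one Location-Data to the Location-Information sharing its Index."""
    info = parse_location_information(info_value)
    data = parse_civic_location_data(data_value)
    if info["index"] != data["index"] or info["profile"] != "civic":
        raise ValueError("Location-Data does not match a civic Location-Information")
    return {"entity": info["entity"], "country": data["country"], **data["elements"]}

def element(catype: int, text: str) -> bytes:
    raw = text.encode("utf-8")
    return bytes([catype, len(raw)]) + raw

# Constructed sample: civic user location, Index 1, values from profile TEST1.
SAMPLE_INFO = struct.pack("!HBBQQ", 1, 0, 0, 0, 0) + b"Manual"
SAMPLE_DATA = (struct.pack("!H", 1) + b"CH" + element(1, "Vaud") +
               element(3, "Morges") + element(24, "1110") + element(23, "home"))
```

The Entity field is what distinguishes a user location from a NAS location on the wire, so the decoded result shows which of the two is actually leaving the controller.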

Location-capable attribute

A location-capable attribute is a Remote Authentication Dial-In User Service (RADIUS) attribute that

  • signals to a RADIUS server that a device is capable of providing location information,

  • is included in network access authentication or authorization requests for wireless clients, and

  • enables support for location-based services as specified in RFC 5580.

Additional reference information

Cisco IOS XE 17.11.1 supports the location-capable attribute defined by RFC 5580. You can enable this attribute by using the following command: radius-server attribute wireless location delivery out-of-band include-location-capable

According to RFC 5580, the attribute is typically sent in Flow two, which refers to location delivery based on the Initial Request. This configuration also enables sending the attribute in Flow one, which refers to an out-of-band agreement.

The location-capable attribute appears in RADIUS requests for wireless clients. The server may use this data to provide or restrict network access based on device location capability.

Restriction for configuring RFC 5580 location attributes

This feature is supported only for 802.11ax users.

Configure location delivery based on out-of-band agreement (CLI)

Configure RFC 5580 out-of-band location delivery on network devices through CLI.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure RFC 5580 Out-of-Band location support.

Example:

Device(config)# radius-server attribute wireless location delivery out-of-band

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The device is configured to support out-of-band location delivery as per RFC 5580.

Configure the location-capable attribute (CLI)

Enable and include the location-capable attribute in RADIUS access requests for wireless location delivery features according to RFC 5580.

Before you begin

Use the radius-server attribute wireless location delivery out-of-band command to enable the feature globally.

You can use the radius-server attribute wireless location delivery out-of-band include-location-capable command to include the location-capable attribute along with other location attributes.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure RFC 5580 out-of-band location attributes along with enabling the location-capable attribute to be part of the access request.

Example:

Device(config)# radius-server attribute wireless location delivery out-of-band include-location-capable

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The device includes the location-capable attribute in RADIUS access requests, enabling the server to support advanced wireless location tracking and services.

Creating Location Attributes

Configure a civic profile (CLI)

Configure civic profiles to specify user location information for Remote Authentication Dial-In User Service (RADIUS) requests and network services.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the civic profile for the user location.

Example:

Device(config)# location civic-location identifier civic_identifier

Here, civic_identifier refers to the civic location identifier string. The identifier can be up to 215 characters long. You can allocate up to 250 bytes for civic address attributes. Of these, Cisco reserves 50 bytes for internal information, leaving 200 bytes available for user-configured civic location information.

Note

 

You can configure these types of civic attributes and add them to RADIUS requests:

  • Country,

  • City,

  • State,

  • ZIP code, and

  • Name

Step 3

Set the country ID.

Example:

Device(config-civic)# country country_ID

Note

 

Only two-letter ISO 3166 country codes are accepted.

Step 4

Set the city name.

Example:

Device(config-civic)# city city_name

Step 5

Set the state name.

Example:

Device(config-civic)# state state_name

Step 6

Set the ZIP code.

Example:

Device(config-civic)# postal-code postal_code

Step 7

Set the residence name.

Example:

Device(config-civic)# name residence_name

Step 8

Return to privileged EXEC mode.

Example:

Device(config-civic)# end

The civic profile is configured, and the device now uses the specified location details in RADIUS requests.

Configure a geo profile (CLI)

Set precise geographic information—identifier, latitude, longitude, altitude, and resolution—for the user’s location on your device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a geo profile for the user location.

Example:

Device(config)# location geo-location identifier geo_identifier

Here, geo_identifier refers to the geographic location identifier string. It can contain up to 215 characters.

Step 3

Set latitude information.

Example:

Device(config-geo)# latitude latitude_in_degrees [resolution resolution_value]

Optional parameters appear in square brackets.

If you do not specify a resolution, the system uses a default value of 10 meters (32.8 feet).

Step 4

Set longitude information.

Example:

Device(config-geo)# longitude longitude_in_degrees [resolution resolution_value]

Optional parameters appear in square brackets.

If you do not specify a resolution, the system uses a default value of 10 meters (32.8 feet).

Step 5

Configure altitude for the geographic location.

Example:

Device(config-geo)# altitude altitude_value {feet [resolution resolution_value] | floor | meters [resolution resolution_value]}

Example:

Device(config-geo)# altitude 10 meters resolution 10

Optional parameters appear in square brackets.

  • altitude_value : refers to the altitude, in feet, floors, or meters.

  • resolution_value : refers to the resolution, in feet or meters.

    Note

     

    Altitude and altitude resolution values must use the same unit.

Step 6

Specify a resolution for both latitude and longitude.

Example:

Device(config-geo)# resolution resolution_value

Step 7

Return to privileged EXEC mode.

Example:

Device(config-geo)# end

The geo profile is now configured on your device. It is associated with the identifier, latitude, longitude, altitude, and resolution you specified.

Configure an operator name (CLI)

Establish a unique operator-name identifier for your device user or Network Access Server (NAS) location so you can reference it for administrative or tracking purposes.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure an operator name for the user's location.

Example:

Device(config)# location operator identifier identifier_name

In this context, identifier_name supports strings with a maximum length of 215 characters (215 bytes).

Step 3

Configure the operator name for the location.

Example:

Device(config-operator)# name operator-name

In this context, operator-name supports strings with a maximum length of 248 characters (248 bytes).

Step 4

Configure the namespace for the location where the operator name applies.

Example:

Device(config-operator)# namespace-id {E212 | ICC | REALM | TADIG}

You can use these namespace options.

  • E212 refers to the Mobile Country Code (MCC) and Mobile Network Code (MNC).

  • ICC refers to the International Telecommunication Union Carrier Codes (ICC).

  • REALM refers to any registered domain name.

  • TADIG refers to the Transferred Account Data Interchange Group (TADIG) code.

Note

 
  • If you have not configured any namespace, REALM is used as the default.

  • You can associate the operator name with both NAS-Location and USER-Location. If you configure an operator name at both locations, the operator name you configure in USER-Location takes precedence.

Step 5

Return to privileged EXEC mode.

Example:

Device(config-operator)# end

The operator name is now configured for the location you specified. The device uses this operator name to identify the appropriate context.

Associate a location attribute with a user location (CLI)

Assign location metadata to user-defined locations for APs for improved location-based services.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a location name for an AP.

Example:

Device(config)# ap location name location_name

Step 3

Add the AP to the location.

Example:

Device(config-ap-location)# ap-eth-mac AP_Ethernet_MAC

Here, AP_Ethernet_MAC refers to the AP Ethernet MAC address.

Step 4

Associate the civic location attribute with the user location.

Example:

Device(config-ap-location)# location civic-location-id identifier_name

Step 5

Associate the geographic location attribute with the user location.

Example:

Device(config-ap-location)# location geo-location-id identifier_name

Step 6

Associate the operator location attribute with the user location.

Example:

Device(config-ap-location)# location operator-id identifier_name

Step 7

Return to privileged EXEC mode.

Example:

Device(config-ap-location)# end

The selected AP has its civic, geographic, and operator attributes associated with the specified user location.

Associate the NAS location with location attributes (CLI)

Apply location attributes to a NAS device for wireless location tracking and compliance.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Associate the civic location attribute with the NAS location.

Example:

Device(config)# radius-server attribute wireless location civic-location-id identifier_name

Here, identifier_name supports strings up to 215 characters in length.

Step 3

Associate the geographic location attribute with the NAS location.

Example:

Device(config)# radius-server attribute wireless location geo-location-id identifier_name

Here, identifier_name supports strings up to 215 characters in length. Enter a valid or existing identifier name.

Step 4

Associate the operator location attribute with the NAS location.

Example:

Device(config)# radius-server attribute wireless location operator-id identifier_name

Step 5

Return to privileged EXEC mode.

Example:

Device(config)# end

The specified location attributes are now associated with the NAS location.

Verify RFC 5580 location attribute configuration

To verify the location attributes associated with a given location, use this command:

Device# show ap location details AAA_location
Location Name......................: AAA_location
Location description...............:
Policy tag.........................: default-policy-tag
Site tag...........................: default-site-tag
RF tag.............................: default-rf-tag
AAA Location Status ...............: Enabled
Civic Location Identifier : NAS_C_1
Geo Location Identifier   : NAS_G_1
Operator Name Identifier  : NAS_O_1

Configured list of APs
38ed.18ca.5a20

To verify the Cisco AP location, use this command:

Device# show ap name AP38ED.18CA.5A20 config general
Cisco AP Name   : AP38ED.18CA.5A20
=================================================

Cisco AP Identifier                             : 38ed.18cb.cf00
Country Code                                    : Multiple Countries :
Regulatory Domain Allowed by Country            : 802.11bg:   802.11a:   802.11 6GHz:
AP Country Code                                 : US  -
AP Regulatory Domain
  802.11bg                                      : -A
  802.11a                                       : -A
MAC Address                                     : 38ed.18ca.5a20
IP Address Configuration                        : Static IP assigned
IP Address                                      : 192.0.2.254
IP Netmask                                      : 255.255.255.0
Gateway IP Address                              : 9.4.172.1
Fallback IP Address Being Used                  : 
Domain                                          :
Name Server                                     :
CAPWAP Path MTU                                 : 1485
Capwap Active Window Size                       : 1
Telnet State                                    : Disabled
CPU Type                                        :  ARMv7 Processor rev 0 (v7l)
Memory Type                                     : DDR3
Memory Size                                     : 995328 KB
SSH State                                       : Disabled
Cisco AP Location                               : AAA_location
-
-
-

To verify the location attributes associated with a given MAC address, use this command:

Device# show wireless client mac 0080.5222.545c detail

Client MAC Address : 0080.5222.545c
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address :
AP MAC Address : 38ed.18cb.cf00
AP Name: AP38ED.18CA.5A20
AP slot : 1
Client State : Associated
Policy Profile : default-policy-profile
Flex Profile : N/A
…
Civic Location Identifier : NAS_C_1
Geo Location Identifier   : NAS_G_1
Operator Name Identifier  : NAS_O_1

Note


You will be able to view this output only if the RFC 5580 feature is enabled.


To verify the Civic location details, use this command:

Device# show location civic-location identifier TEST1
Civic location information
--------------------------
Identifier              : TEST1
Name                    : home
City                    : Morges
State                   : Vaud
Postal code             : 1110
Country                 : CH

To verify the Geo location details, use this command:

Device# show location geo-location identifier TEST4
Geo location information
------------------------
Identifier  : TEST4
Latitude    : 46.5112700           
Longitude   : 6.4985400            
Altitude    : 380 meters           Resolution : 10
Resolution  : 100 

To verify the Operator location details, use this command:

Device# show location operator-location identifier myoperator
Operator location information
------------------------
Operator Identifier     : myoperator
Operator Name           : myoperator
Operator Namespace      : REALM
------------------------
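
The show commands above report the controller's configuration. To confirm what a RADIUS request actually carries, the following added example (not Cisco's code) walks the attributes of an Access-Request and reports which RFC 5580 attributes are present, the Operator-Name namespace, and the Location-Capable bits. Attribute numbers and encodings follow RFC 5580; the packets are constructed samples, the capability bits a controller really sets are not stated on this page, and the function names are illustrative.

```python
import struct

RFC5580 = {126: "Operator-Name", 127: "Location-Information",
           128: "Location-Data", 131: "Location-Capable"}
NAMESPACES = {"0": "TADIG", "1": "REALM", "2": "E212", "3": "ICC"}
CAPABLE = {1: "CIVIC_LOCATION", 2: "GEO_LOCATION",
           4: "USERS_LOCATION", 8: "NAS_LOCATION"}

def walk_attributes(packet: bytes):
    """Yield (type, value) for every attribute after the 20-octet header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS Length field disagrees with the capture")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def audit_location_attributes(packet: bytes) -> dict:
    """Report which RFC 5580 attributes a request carries and decode two."""
    report = {"present": [], "operator": None, "capable": None}
    for atype, value in walk_attributes(packet):
        name = RFC5580.get(atype)
        if name is None:
            continue
        if name not in report["present"]:
            report["present"].append(name)
        if atype == 126 and value:      # first octet is the Namespace ID
            ns = chr(value[0])
            report["operator"] = (NAMESPACES.get(ns, f"unknown({ns})"),
                                  value[1:].decode("utf-8", "replace"))
        elif atype == 131 and len(value) == 4:   # 32-bit capability bitmap
            bits = struct.unpack("!I", value)[0]
            report["capable"] = [n for b, n in CAPABLE.items() if bits & b]
    return report

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_sample(include_capable: bool) -> bytes:
    """Constructed Access-Request (code 1); not captured from a controller."""
    attrs = attr(1, b"guest") + attr(126, b"1myoperator")
    if include_capable:
        attrs += attr(131, struct.pack("!I", 1 | 2 | 4 | 8))
    return struct.pack("!BBH16s", 1, 7, 20 + len(attrs), bytes(16)) + attrs
```

Running the audit on a request captured before and after adding include-location-capable shows whether the attribute is now being sent.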