RADIUS Call Station Identifier

Feature history for RADIUS call station identifier

This table provides release and related information for the feature explained in this module.

This feature is also available in all releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1. Feature history for RADIUS call station identifier

Release

Feature Information

Cisco IOS XE Bengaluru 17.4.1

The RADIUS called station identifier configuration is enhanced to include more attributes. The newly added options for authentication and accounting are:

  • policy-tag-name

  • flex-profile-name

  • ap-macaddress-ssid-flexprofilename

  • ap-macaddress-ssid-policytagname

  • ap-macaddress-ssid-sitetagname

  • ap-ethmac-ssid-flexprofilename

  • ap-ethmac-ssid-policytagname

  • ap-ethmac-ssid-sitetagname

For more information on the attributes listed above, see the commands:

RADIUS call station identifier

The RADIUS call station identifier (seen as Called-Station-Id in RADIUS protocol messages) is an attribute that allows a Network Access Server (NAS) to include information in the RADIUS Access-Request packet. The attribute identifies the network endpoint (or called station) that a client is trying to access.

Use cases

  • In dial-up scenarios, the attribute can contain the phone number dialed by the user. The NAS captures this attribute in the Access-Request packet using Dialed Number Identification (DNIS) or similar technology.

  • In IEEE 802.1X authenticators (wired or wireless network access), the attribute can contain the MAC address of the bridge or AP, formatted as ASCII text.

Role in RADIUS authorization

  • The RADIUS server can use this attribute to define which MAC addresses or network segments (or called stations) a client is allowed to connect to.

  • The RADIUS server can use the attribute to restrict or allow access based on where or to what network resource the client is connecting. However, this is possible only in configurations supporting preauthentication, where a client tries to authenticate before fully connecting.

In summary, the Called-Station-Id attribute helps the NAS indicate to the RADIUS server which specific endpoint or resource the client is requesting. This allows the server to enforce connection policies based on that information.


Note


The Called-Station-Id attribute is applicable only for Access-Request, and not for Access-Accept or CoA-Request.


Configure a RADIUS call station identifier

Set a custom call station identifier (Called-Station-Id) for RADIUS authentication and accounting messages sent from the device.

Use this task to specify a policy tag name or identifier in RADIUS messages for better tracking or policy assignment.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a call station identifier sent in the RADIUS authentication messages.

Example:

Device(config)# radius-server attribute wireless authentication call-station-id policy-tag-name

Step 3

Configure a call station identifier sent in the RADIUS accounting messages.

Example:

Device(config)# radius-server attribute wireless accounting call-station-id policy-tag-name

The specified policy tag name is now included as the Called-Station-Id in all RADIUS authentication and accounting messages.
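
The server-side use described under "Role in RADIUS authorization", as an added Python example that is not Cisco's code: it reads Called-Station-Id (attribute type 30, RFC 2865) from an Access-Request and permits the request only if the policy tag name sent by the Step 2 configuration is on an allow-list. The tag names and sample packets are constructed, and the check assumes the packet's shared-secret validation is done elsewhere.

```python
import struct

ACCESS_REQUEST = 1          # RADIUS packet code (RFC 2865)
CALLED_STATION_ID = 30      # RADIUS attribute type (RFC 2865)

def build_packet(code, attrs, ident=1):
    """Build a RADIUS packet for the constructed samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def called_station_id(packet):
    """Return Called-Station-Id from an Access-Request, else None.

    Raises ValueError on a truncated header or malformed attribute lengths.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    if code != ACCESS_REQUEST:   # per the note: not Access-Accept or CoA-Request
        return None
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == CALLED_STATION_ID:
            return packet[pos + 2:pos + a_len].decode("ascii", errors="replace")
        pos += a_len
    return None

def authorize(packet, allowed_tags):
    """Fail closed: permit only when the policy tag is allow-listed."""
    try:
        tag = called_station_id(packet)
    except ValueError:
        return False
    return tag is not None and tag in allowed_tags

ALLOWED = {"corp-policy-tag"}   # hypothetical policy tag names
SAMPLE_OK = build_packet(ACCESS_REQUEST, [(1, b"alice"), (30, b"corp-policy-tag")])
SAMPLE_BAD = build_packet(ACCESS_REQUEST, [(1, b"alice"), (30, b"guest-policy-tag")])

if __name__ == "__main__":
    print(authorize(SAMPLE_OK, ALLOWED), authorize(SAMPLE_BAD, ALLOWED))
```

A request that carries no Called-Station-Id, or whose attribute lengths do not parse, is rejected rather than passed through.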