Nas-port (radius attribute 5), Nas-port-id (radius attribute 87) – Cisco 10000 User Manual

Page 348


Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 16 Configuring RADIUS Features

Extended NAS-Port-Type and NAS-Port Support

NAS-Port (RADIUS Attribute 5)

The NAS-Port (RADIUS attribute 5) is a 32-bit value that uniquely represents the physical or logical port
the user is attempting to authenticate on. A logical port can be represented by the virtual path identifier
(VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for
an Ethernet interface.

Because each platform and service may have different port information that is relevant to its
environment, there is no single way to populate this attribute. Currently Cisco has 4 hard-wired
formats (a-d), which are service specific, and 1 configurable format (e), which can be tailored to customer
and platform-specific needs.

Previously, format e allowed customizing only 1 global format for all call types on a device, which
limited its usefulness on devices that contained multiple services. With the extended NAS-port support,
you can now configure a custom format e string for any and all service types based on the value of the
NAS-Port-Type (RADIUS attribute 61). That is, when building the RADIUS Access or Accounting
request, the encoding routine will pick the specific format e string defined for the session's
NAS-Port-Type value and use that first instead of using the default global format e string.

The only relationship between NAS-Port-Type extensions and NAS-Port extension is that the format e
string chosen by the encoding routine will depend on the value of the NAS-Port-Type for the session.
Therefore, if you use the extended NAS-Port-Type values (values 30-34), you should also configure
format e to use them. If you do not use the extended NAS-Port-Type support, then you should use the
old values, specifically value 5 for Virtual and value 15 for Ethernet service port types. Configuring back
to these port types also allows the user to revert to previous behavior for certain interfaces.

The radius-server attribute nas-port format e command was enhanced to support the custom format
e string with the [type nas-port-type] keyword and option. The type option allows you to specify
different format strings to represent different physical types of ports on the Cisco 10000 for any of the
extended NAS-Port-Type values. For example, you can specify the string
"SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC" for type 30 (all PPPoA ports), yet you can also specify
the string "SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV" for type 33 (all PPPoEoVLAN ports).
In this case, the service provider can track VPI/VCI-specific information for a PPPoA user and
VLAN-specific information for a PPPoEoVLAN user.
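The following is an added example, not code from the Cisco guide: a decoder that an accounting or log-analysis pipeline could use to turn a received NAS-Port value back into port fields, choosing the format e string by NAS-Port-Type as described above. The letter meanings (S slot, A adapter, P port, I VPI, C VCI, V VLAN ID), the global default string and the sample value are assumptions, since this page does not define them.

```python
# Added example: decode a 32-bit NAS-Port (RADIUS attribute 5) with the
# format e string selected by NAS-Port-Type (RADIUS attribute 61).

# Per-type format e strings quoted on this page.
FORMATS_BY_TYPE = {
    30: "SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC",  # PPPoA
    33: "SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV",  # PPPoEoVLAN
}
# Assumption: the device's global format e string (constructed for this example).
GLOBAL_FORMAT = "SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC"
# Assumption: letter meanings; this page does not define them.
FIELD_NAMES = {"S": "slot", "A": "adapter", "P": "port",
               "I": "vpi", "C": "vci", "V": "vlan"}


def select_format(nas_port_type):
    """Use the type-specific string first, else the global default."""
    return FORMATS_BY_TYPE.get(nas_port_type, GLOBAL_FORMAT)


def decode_nas_port(value, nas_port_type):
    """Split a NAS-Port value into named fields, most significant bit first."""
    fmt = select_format(nas_port_type)
    if len(fmt) != 32:
        raise ValueError(f"format e string must cover 32 bits, got {len(fmt)}")
    if not 0 <= value < 2 ** 32:
        raise ValueError("NAS-Port must fit in 32 bits")
    fields = {}
    for i, letter in enumerate(fmt):
        bit = (value >> (31 - i)) & 1
        name = FIELD_NAMES.get(letter, letter)
        # Each letter contributes one bit to its field, in string order.
        fields[name] = (fields.get(name, 0) << 1) | bit
    return fields


if __name__ == "__main__":
    sample = 0x20101064  # constructed sample value, not from a real device
    # The same 32 bits mean different things under different format strings,
    # so the NAS-Port-Type from the same request must drive the decoding.
    print("type 30:", decode_nas_port(sample, 30))
    print("type 33:", decode_nas_port(sample, 33))
```

Decoding a value with the string for the wrong NAS-Port-Type still produces plausible-looking numbers, so keep attributes 5 and 61 from the same request together when attributing a session to a port.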

NAS-Port-ID (RADIUS Attribute 87)

The NAS-Port-ID (RADIUS attribute 87) contains the character text string identifier of the NAS port
that is authenticating the user. This text string typically matches the interface description found under
the CLI configuration. This attribute was previously available under the Cisco Vendor Specific Attribute
(VSA) "cisco-nas-port", but it is now sent by default under the IETF attribute 87 as per customer
demand.

Prerequisites for Extended NAS-Port-Type and NAS-Port Attributes Support

Authentication, Authorization, and Accounting (AAA) must be enabled and already set up to use
RADIUS.
