RADIUS attributes – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual


Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

Chapter 14

Configuring RADIUS and TACACS+ Servers

Configuring the Access Point to Use Vendor-specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the access point and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.

The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format:

protocol : attribute sep value *

Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair activates Cisco's multiple named IP address pools feature during IP authorization (during PPP's IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

The following example shows how to provide a user logging in from an access point with immediate access to privileged EXEC commands:

cisco-avpair= "shell:priv-lvl=15"
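The following is an added worked example, not code from the manual or from Rockwell Automation or Cisco. It parses the protocol:attribute sep value string format described above (distinguishing the mandatory = separator from the optional * separator) and wraps such a string in a RADIUS attribute 26 with Cisco's vendor ID 9 and vendor type 1, using the Vendor-Specific attribute layout from RFC 2865 (Type, Length, 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, String). The decoder refuses attributes from other vendor IDs rather than guessing at their dictionary. Function names and the sample strings are the example's own; the two avpair strings are the ones shown on this page.

```python
import struct

CISCO_VENDOR_ID = 9      # Cisco's vendor ID, as stated on the page
CISCO_AVPAIR_TYPE = 1    # vendor type 1 = cisco-avpair, as stated on the page
VENDOR_SPECIFIC = 26     # RADIUS attribute 26, Vendor-Specific


def parse_avpair(text):
    """Split 'protocol:attribute=value' or 'protocol:attribute*value'.

    '=' marks a mandatory attribute and '*' an optional one. The first
    '=' or '*' after the protocol prefix is the separator, so values that
    themselves contain '=' are preserved intact.
    """
    protocol, _, rest = text.partition(":")
    if not rest:
        raise ValueError("missing ':' after protocol in %r" % text)
    idx = min((i for i in (rest.find("="), rest.find("*")) if i != -1),
              default=-1)
    if idx == -1:
        raise ValueError("missing '=' or '*' separator in %r" % text)
    return {
        "protocol": protocol,
        "attribute": rest[:idx],
        "value": rest[idx + 1:],
        "mandatory": rest[idx] == "=",
    }


def encode_cisco_avpair(text):
    """Wrap a cisco-avpair string in one RADIUS Vendor-Specific attribute.

    Layout (RFC 2865 section 5.26, with Cisco's sub-attribute form):
      Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type=1 | Vendor-Length | String
    """
    parse_avpair(text)  # reject malformed strings before they go on the wire
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("avpair too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(raw):
    """Return the parsed cisco-avpairs carried in one attribute-26 blob.

    Length fields are checked before use, and a VSA from another vendor
    is rejected because its sub-attributes need that vendor's dictionary.
    """
    if len(raw) < 8:
        raise ValueError("truncated Vendor-Specific attribute")
    atype, alen, vendor = struct.unpack("!BBI", raw[:6])
    if atype != VENDOR_SPECIFIC or alen != len(raw):
        raise ValueError("not a well-formed attribute 26")
    if vendor != CISCO_VENDOR_ID:
        raise ValueError("vendor %d is not Cisco (9)" % vendor)
    pairs = []
    pos = 6
    while pos < alen:
        vtype, vlen = raw[pos], raw[pos + 1]
        if vlen < 3 or pos + vlen > alen:
            raise ValueError("bad vendor-length at offset %d" % pos)
        if vtype == CISCO_AVPAIR_TYPE:
            pairs.append(parse_avpair(raw[pos + 2:pos + vlen].decode("ascii")))
        pos += vlen
    return pairs


if __name__ == "__main__":
    # Constructed sample: the two avpair strings shown on this manual page.
    for s in ("ip:addr-pool=first", "shell:priv-lvl=15"):
        blob = encode_cisco_avpair(s)
        print(s, "->", blob.hex(), "->", decode_vsa(blob))
```

A reviewer auditing a RADIUS server's reply can run captured attribute-26 bytes through decode_vsa to see exactly which protocol and privilege level the access point will be told to apply; the mandatory flag matters because a mandatory pair the device cannot honour causes the authorization to fail rather than being ignored.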

Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, refer to RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."

Beginning in privileged EXEC mode, follow these steps to configure the access point to recognize and use VSAs:

1. Enter global configuration mode.

configure terminal

2. Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.

(Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.

(Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes.
