Cisco 15327 User Manual


19-19

Ethernet Card Software Feature and Configuration Guide, R7.2

Chapter 19 Configuring Security for the ML-Series Card

Configuring RADIUS

cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”

Beginning in privileged EXEC mode, follow these steps to configure the ML-Series card to recognize
and use VSAs:

For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the
“RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2.

Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the ML-Series card and the RADIUS server, some vendors have extended the
RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary
RADIUS attributes.

As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
ML-Series card. You specify the RADIUS host and secret text string by using the radius-server global
configuration commands.

Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server
host and a shared secret text string:

Steps to configure the ML-Series card to recognize and use VSAs:

Step 1
  Command:  Router# configure terminal
  Purpose:  Enter global configuration mode.

Step 2
  Command:  Router(config)# radius-server vsa send [accounting | authentication]
  Purpose:  Enable the ML-Series card to recognize and use VSAs as defined by
            RADIUS IETF attribute 26.
            (Optional) Use the accounting keyword to limit the set of recognized
            vendor-specific attributes to only accounting attributes.
            (Optional) Use the authentication keyword to limit the set of
            recognized vendor-specific attributes to only authentication attributes.
            If you enter this command without keywords, both accounting and
            authentication vendor-specific attributes are used.
            The AAA server includes the authorization level in the VSA response
            message for the ML-Series card.

Step 3
  Command:  Router(config)# end
  Purpose:  Return to privileged EXEC mode.

Step 4
  Command:  Router# show running-config
  Purpose:  Verify your settings.

Step 5
  Command:  Router# copy running-config startup-config
  Purpose:  (Optional) Save your entries in the configuration file.

Steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

Step 1
  Command:  Router# configure terminal
  Purpose:  Enter global configuration mode.

Step 2
  Command:  Router(config)# radius-server host {hostname | ip-address} non-standard
  Purpose:  Specify the IP address or hostname of the remote RADIUS server host
            and identify that it is using a vendor-proprietary implementation
            of RADIUS.
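The two procedures above turn on two things the guide only names: VSAs carried in RADIUS attribute 26, and a shared secret that the card and server use to authenticate each other's packets. The following Python is an added example, not code from the guide or from Cisco IOS. It wraps a cisco-avpair string (the `ip:outacl#2=...` value shown at the top of this page) in the attribute 26 layout defined in RFC 2138 (unchanged in its successor RFC 2865), decodes it back, and builds and verifies the Response Authenticator of an Access-Accept with the shared secret, which is what lets the card reject a forged or tampered server reply. The Cisco enterprise number 9 and the cisco-avpair vendor type 1 are the published values; the shared secret, the Request Authenticator bytes and the `shell:priv-lvl=15` avpair used in the demo are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

VSA_TYPE = 26            # RADIUS Vendor-Specific attribute (RFC 2138/2865, 5.26)
CISCO_VENDOR_ID = 9      # IANA enterprise number assigned to Cisco
CISCO_AVPAIR_TYPE = 1    # vendor type of the cisco-avpair attribute
ACCESS_ACCEPT = 2        # RADIUS packet code for Access-Accept

# The avpair shown on this page of the guide.
PAGE_AVPAIR = "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in an attribute 26 TLV.

    Wire layout: Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String.
    Both length octets count themselves, so the outer one is 6 + 2 + len(string).
    """
    value = avpair.encode("ascii")
    vendor_len = 2 + len(value)
    attr_len = 6 + vendor_len
    if attr_len > 255:
        raise ValueError("cisco-avpair too long for a single attribute")
    return (bytes([VSA_TYPE, attr_len]) + struct.pack("!I", CISCO_VENDOR_ID)
            + bytes([CISCO_AVPAIR_TYPE, vendor_len]) + value)


def decode_vsas(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every cisco-avpair string.

    Attributes from other vendors and non-VSA attributes are skipped; an
    inconsistent length field raises rather than being silently accepted.
    """
    found = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length does not fit the packet")
        body = attrs[pos + 2:pos + alen]
        if atype == VSA_TYPE and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if (vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE
                    and vlen == len(body) - 4):
                found.append(body[6:6 + vlen - 2].decode("ascii"))
        pos += alen
    return found


def parse_avpair(avpair: str) -> tuple:
    """Split 'protocol:attribute=value' into its three parts."""
    proto, sep, rest = avpair.partition(":")
    if not sep or "=" not in rest:
        raise ValueError("cisco-avpair must look like protocol:attribute=value")
    attr, _, value = rest.partition("=")
    return proto, attr, value


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(identifier: int, request_auth: bytes,
                        avpairs: list, secret: bytes) -> bytes:
    """Assemble the Access-Accept a server would send back carrying the given VSAs."""
    attrs = b"".join(encode_cisco_avpair(a) for a in avpairs)
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client-side check: recompute the authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed sample, not a real secret
    request_auth = os.urandom(16)               # what the client put in its Access-Request
    pkt = build_access_accept(1, request_auth, [PAGE_AVPAIR, "shell:priv-lvl=15"], secret)
    print("authentic:", verify_response(pkt, request_auth, secret))
    for ap in decode_vsas(pkt[20:]):
        print(parse_avpair(ap))
```

The decoder deliberately refuses attributes whose length fields disagree with the bytes actually present; a lenient parser here is the classic source of RADIUS client crashes. Note that `verify_response` returns False both for a wrong secret and for a single flipped byte in the attribute list, which is exactly why the shared secret configured in Step 2 of the second table must match on both ends and be kept private.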
