- Read Me First
- Attribute Screening for Access Requests
- Enhanced Test Command
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Timeout Set During Pre-Authentication
- Tunnel Authentication via RADIUS on Tunnel Terminator
- ACL Default Direction
- RADIUS Progress Codes
- Offload Server Accounting Enhancement
- Finding Feature Information
- Prerequisites for Attribute Screening for Access Requests
- Restrictions for Attribute Screening for Access Requests
- Information About Attribute Screening for Access Requests
- How to Configure Attribute Screening for Access Requests
- Configuration Examples for Attribute Filtering for Access Requests
- Additional References
- Feature Information for Attribute Screening for Access Requests
Attribute Screening for Access Requests
The Attribute Screening for Access Requests feature allows you to configure your network access server (NAS) to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization.
- Finding Feature Information
- Prerequisites for Attribute Screening for Access Requests
- Restrictions for Attribute Screening for Access Requests
- Information About Attribute Screening for Access Requests
- How to Configure Attribute Screening for Access Requests
- Configuration Examples for Attribute Filtering for Access Requests
- Additional References
- Feature Information for Attribute Screening for Access Requests
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Attribute Screening for Access Requests
You must be familiar with configuring attribute lists.
Restrictions for Attribute Screening for Access Requests
Attributes 1 (Username), 2 (User-Password), and 3 (Chap-Password) cannot be filtered.
Information About Attribute Screening for Access Requests
Configuring an NAS to Filter Attributes in Outbound Access Requests
The Attribute Screening for Access Requests feature allows you to configure your NAS to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization. The filters can be configured on the NAS, or they can be downloaded via downloadable vendor-specific attributes (VSAs) from the authentication, authorization, and accounting (AAA) server.
The following are some examples of the downloadable VSAs:
Cisco:Cisco-Avpair=“ppp-authen-type=chap” Cisco:Cisco-Avpair=“ppp-authen-list=group 1” Cisco:Cisco-Avpair=“ppp-author-list=group 1” Cisco:Cisco-Avpair=“vpdn:tunnel-id=B53” Cisco:Cisco-Avpair=“vpdn:ip-addresses=10.0.58.35”
Note | You must be aware of which attributes you want to filter. Filtering certain key attributes can result in authentication failure (for example, attribute 60 should not be filtered). |
How to Configure Attribute Screening for Access Requests
- Configuring Attribute Screening for Access Requests
- Configuring a Router to Support Downloadable Filters
- Monitoring and Maintaining Attribute Filtering for Access Requests
Configuring Attribute Screening for Access Requests
or
accounting [request | reply] [accept | reject] listname
- authorization [request | reply][accept | reject] listname
- accounting [request | reply] [accept | reject] listname
1.
enable
2.
configure
terminal
3.
radius-server
attribute
list
listname
4.
attribute
value1
[value2[value3 ...]]
5.
aaa
group
server
radius
group-name
6.
Do one of the following:
DETAILED STEPS
Configuring a Router to Support Downloadable Filters
To configure your router to support downloadable filters, perform the following steps.
1.
enable
2.
configure
terminal
3.
aaa
authorization
template
4.
aaa
authorization
network
default
group
radius
5.
radius-server
attribute
list
list-name
6.
attribute
value1
[value2 [value3...]]
DETAILED STEPS
Troubleshooting Tips
If attribute filtering is not working, ensure that the attribute list is properly defined.
Monitoring and Maintaining Attribute Filtering for Access Requests
To monitor and maintain attribute filtering, you can use the debug radiuscommand.
1.
enable
2.
debug
radius
DETAILED STEPS
Command or Action | Purpose |
---|
Configuration Examples for Attribute Filtering for Access Requests
- Attribute Filtering for Access Requests Example
- Attribute Filtering User Profile Example
- debug radius Command Example
Attribute Filtering for Access Requests Example
The following example shows that the attributes 30-31 that are defined in “all-attr” will be rejected in all outbound Access Request messages:
aaa group server radius ras server 172.19.192.238 auth-port 1745 acct-port 1746 authorization request reject all-attr ! . . . radius-server attribute list all-attr attribute 30-31 ! . . .
Attribute Filtering User Profile Example
The following is a sample user profile after attribute filtering has been configured for Access Requests:
cisco.com Password = "cisco" Service-Type = Framed, Framed-Protocol = PPP, Cisco:Cisco-Avpair = :1:"rad-serv=172.19.192.87 key rad123", Cisco:Cisco-Avpair = :1:"rad-serv-filter=authorization request reject range1", Cisco:Cisco-Avpair = :1:"rad-serv-filter=accounting request reject range1", Cisco:Cisco-Avpair = "ppp-authen-type=chap" Cisco:Cisco-Avpair = "ppp-authen-list=group 1", Cisco:Cisco-Avpair = "ppp-author-list=group 1", Cisco:Cisco-Avpair = "ppp-acct-list=start-stop group 1", Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53", Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp", Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35", Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco" user2@cisco.com Service-Type = Outbound, Cisco:Cisco-Avpair = "vpdn:tunnel-id=B53", Cisco:Cisco-Avpair = "vpdn:tunnel-type=l2tp", Cisco:Cisco-Avpair = "vpdn:ip-addresses=10.0.58.35", Cisco:Cisco-Avpair = "vpdn:l2tp-tunnel-password=cisco"
When a session for user2@cisco.com “comes up” at the Layer 2 Tunneling Protocol (L2TP) Network Server (LNS)--as is shown above--because the aaa authorization template command has been configured, a RADIUS request is sent to the server for Cisco.com. The server then sends an Access Accept message if authentication is successful, along with the VSAs that are configured as part of the Cisco.com profile. If filters are configured as part of the Cisco.com profile, these filters will be parsed and applied to the RADIUS requests for user2@cisco.com.
In the above profile example, filter range1 has been applied to the authorization and accounting requests.
debug radius Command Example
If the attribute you are trying to filter is rejected, you will see an debug radius output statement similar to the following:
RADIUS: attribute 31 rejected
If you try to filter an attribute that cannot be filtered, you will see an output statement similar to the following:
RADIUS: attribute 1 cannot be rejected
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Configuring RADIUS |
Configuring RADIUS feature module. |
Security commands |
Cisco IOS Security Command Reference |
Standards
Standards |
Title |
---|---|
None. |
-- |
MIBs
MIBs |
MIBs Link |
---|---|
None |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFCs |
Title |
---|---|
None |
-- |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Attribute Screening for Access Requests
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Attribute Screening for Access Requests |
Cisco IOS XE Release 2.1 Cisco IOS XE Release 3.3S |
This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. The Attribute Screening for Access Requests feature allows a network access server (NAS) to be configured to filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization. The following commands were introduced or modified by this feature: authorization (server-group). |