RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level

The RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level feature allows configurations to be customized for different RADIUS server groups. This flexibility allows customized network access server- (NAS-) port formats to be used instead of global formats.

Prerequisites for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level

  • You must be running a Cisco IOS image that contains the authentication, authorization, and accounting (AAA) component.

Information About RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level

RADIUS Attribute 5 Format Customization

Prior to Cisco IOS Release 12.3(14)T, Cisco IOS software allowed RADIUS attributes that were sent in access requests or accounting requests to be customized on a global basis. You could customize how each configurable attribute should function when communicating with a RADIUS server. Since the implementation of server groups, global attribute configurations were not flexible enough to address the different customizations that were required to support the various RADIUS servers with which a router might be interacting. For example, if you configured the global radius-server attribute nas-port format command option, every service on the router that interacted with a RADIUS server was used in the same way.

Effective with Cisco IOS Release 12.3(14)T, you can configure your router to support override flexibility for per-server groups. You can configure services to use specific named methods for different service types on a RADIUS server. The service types can be set to use their own respective service groups. This flexibility allows customized NAS-port formats to be used instead of the global formats.

How to Configure RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level

Configuring the RADIUS Attribute 5 Format on a Per-Server Group Level

To configure your router to support the RADIUS Attribute 5 format on a per-server group level, perform the following steps.


Note

To use this per-server group capability, you must actively use a named method list within your services. You can configure one client to use a specific named method while other clients use the default format.

Before you begin

Before performing these steps, you should first configure method lists for AAA as is applicable for your situation.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa group server radius group-name
  4. server ip-address [auth-port port-number ] [acct-port port-number ]
  5. attribute nas-port format format-type [string ]

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

aaa group server radius group-name

Example:


Router (config)# aaa group server radius radius1

Groups different RADIUS server hosts into distinct lists and distinct methods and enters server-group configuration mode.

Step 4

server ip-address [auth-port port-number ] [acct-port port-number ]

Example:


Router (server-group)# server 172.101.159.172 auth-port 1645 acct-port 1646

Configures the IP address of the RADIUS server for the group server.

Step 5

attribute nas-port format format-type [string ]

Example:


Router (server-group)# attribute nas-port format d

Configures a service to use specific named methods for different service types.

  • The service types can be set to use their own respective server groups.

Monitoring and Maintaining RADIUS Attribute 5 Format on a Per-Server Group Level

To monitor and maintain RADIUS Attribute 5 Format on a Per-Server Group Level, perform the following steps (the debug commands may be used separately):

SUMMARY STEPS

  1. enable
  2. debug aaa sg-server selection
  3. debug radius

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

debug aaa sg-server selection

Example:


Router# debug aaa sg-server selection

Displays information about why the RADIUS and TACACS+ server group system in a router is choosing a particular server.

Step 3

debug radius

Example:


Router# debug radius

Displays information showing that a server group has been selected for a particular request.

Configuration Examples for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level

RADIUS Attribute 5 Format Specified on a Per-Server Level Example

The following configuration example shows a leased-line PPP client that has chosen to send no RADIUS Attribute 5 while the default is to use format F:\tips-migration 


interface Serial2/0
 no ip address
 encapsulation ppp
 ppp accounting SerialAccounting
 ppp authentication pap
aaa accounting network default start-stop group radius
aaa accounting network SerialAccounting start-stop group group1
aaa group server radius group1
 server 10.101.159.172 auth-port 1645 acct-port 1646
 attribute nas-port none
radius-server host 10.101.159.172 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d

Additional References

The following sections provide references related to RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values.

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Security commands

Cisco IOS Security Command Reference

Security Features

Cisco IOS XE Security Configuration Guide: Securing User Services , Release 2

Security Server Protocols

Security Server Protocols section of the Cisco IOS XE Security Configuration Guide: Securing User Services , Release 2

RADIUS Configuration

Configuring RADIUS feature module.

Standards

Standard

Title

Internet Engineering Task Force (IETF) Internet Draft: Network Access Servers Requirements

Network Access Servers Requirements: Extended RADIUS Practices

MIBs

MIB

MIBs Link

None.

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

RFC 2865

Remote Authentication Dial In User Service (RADIUS)

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level

Feature Name

Releases

Feature Information

RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level

Cisco IOS XE Release 3.9S

The RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level feature allows configurations to be customized for different RADIUS server groups. This flexibility allows customized network access server- (NAS-) port formats to be used instead of global formats.

The following commands were introduced or modifieF:\tips-migration attribute nas-port format .