The Cisco 6510 Service Selection Gateway (Cisco 6510) uses vendor-specific Remote Access Dial-In User Service (RADIUS) attributes. If using the Cisco 6510 with User Control Point (UCP), specify settings that allow processing of the Cisco 6510 attributes while configuring the CiscoSecure Access Control Server (ACS) component. If using another authentication, authorization, and accounting (AAA) server, you must customize that server's database code to handle processing of the Cisco 6510 vendor-specific attributes.
Table D-1 lists vendor-specific attributes used by the Cisco 6510. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (Cisco SSD) can send requests to the Cisco 6510 to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.
AttrID | VendorID | SubAttrID | SubAttrName | SubAttrDataType |
---|---|---|---|---|
26 | 9 | 1 | Cisco-AVpair | String |
26 | 9 | 250 | Account-Info | String |
26 | 9 | 251 | Service-Info | String |
26 | 9 | 252 | Command-Code | Binary |
26 | 9 | 253 | Control-Info | String |
The following sections describe the format of each subattribute.
The Cisco-AVpair attributes are used to build a Virtual Private Dial-Up Network (VPDN) tunnel.
The following illustrates the format for Cisco-AVpair attributes in a RADIUS packet:
+-+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+-+...+
a = 26 (RADIUS attribute for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 1 (subattribute ID for Cisco-AVpair)
e = len (length of the vendor-specific subattribute)
f = code (Cisco-AVpair code for attribute)
g = value (additional information required by code)
This attribute specifies the IP addresses of the home gateway that receives the Layer 2 Forwarding (L2F) connection.
Cisco-AVpair = "vpdn:ip-addresses=ip_address1[,ip_address2...,ip_addressX]"
When more than one home gateway is configured, the Cisco 6510 load balances (round-robin) connections between the home gateways.
Parameter | Description |
---|---|
ip_address1 | First IP address of the home gateway. |
ip_address2...ip_addressX | Additional IP addresses of the home gateway, separated by commas. |
Cisco-AVpair="vpdn:ip-addresses=135.69.255.198"
Cisco's implementation of VPDN requires that the network access server (NAS) authenticates with the home gateway and the home gateway authenticates with the NAS. This attribute specifies the Challenge-Handshake Authentication Protocol (CHAP) secret the home gateway uses to authenticate with the Cisco 6510 when negotiating an L2F tunnel.
Cisco-AVpair = "vpdn:gw-password=gateway_pwd"
Parameter | Description |
---|---|
gateway_pwd | CHAP secret the home gateway uses to authenticate the L2F tunnel between the Cisco 6510 and the home gateway. |
Cisco-AVpair="vpdn:gw-password=hello"
Cisco's implementation of VPDN requires that the NAS authenticates with the home gateway and the home gateway authenticates with the NAS. This attribute specifies the CHAP secret the Cisco 6510 uses to authenticate with the home gateway when negotiating an L2F tunnel.
Cisco-AVpair = "vpdn:nas-password=nas_pwd"
Parameter | Description |
---|---|
nas_pwd | CHAP secret the NAS (the Cisco 6510) uses to authenticate the L2F tunnel between the Cisco 6510 and the home gateway. |
Cisco-AVpair="vpdn:nas-password=greetings"
The Cisco 6510 appears as a NAS to the service provider's home gateway. For the Cisco 6510 to be authenticated, the tunnel name must match a NAS name on the home gateway's VPDN incoming statement.
This attribute specifies the name of the tunnel that must match the home gateway's VPDN incoming statement.
Cisco-AVpair = "vpdn:tunnel-id=tunnel_name"
Parameter | Description |
---|---|
tunnel_name | Name of the tunnel. |
Cisco-AVpair="vpdn:tunnel-id=ibm_marketing"
The Account-Info attributes are used in user profiles and service group profiles.
User profiles define individual users and indicate the username and password, whether or not the user is granted the transparent passthrough service, and the services and groups to which the user is subscribed.
Service group profiles contain a list of services and service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the name of the service, the password, the service type (outbound), a list of services, and a list of service groups.
The following illustrates the format for Account-Info attributes in a RADIUS packet:
+-+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+-+...+
a = 26 (RADIUS attribute for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 250 (subattribute ID for Account-Info)
e = len (length of the vendor-specific subattribute)
f = code (account-info code for attribute)
g = value (additional information required by code)
In a profile for a freeware RADIUS server, an Account-Info attribute is written as, for example, Account-Info = "DD". In a profile for UCP or CiscoSecure ACS, the same attribute is written with its vendor ID and subattribute ID: 9,250 = "DD".
This attribute is used in a user profile and determines whether the user's packets not destined for a tunnel are forwarded (usually to the Internet).
Account-Info = "Dvalue"
Parameter | Description |
---|---|
value | D---Disables access to the default service. E---Enables access to the default service. |
Account-Info = "DD"
In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.
Account-Info = "Nname"
Parameter | Description |
---|---|
name | Name of the service profile. |
Account-Info = "NHewlett Packard Intranet Access"
In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.
Account-Info = "Gname"
Parameter | Description |
---|---|
name | Name of the group. |
Account-Info = "GServiceGroup1"
This attribute automatically logs the user on to a service when the user accesses the Cisco SSD.
Account-Info = "Aservicename[;username;password]"
Parameter | Description |
---|---|
servicename | Name of the service. |
username | Username used to access the service (optional). |
password | Password used to access the service (optional). |
Account-Info = "Agamers.net;jdoe;secret"
This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the service profile name is used.
Account-Info = "Idescription"
Parameter | Description |
---|---|
description | Description of the service group. |
Account-Info = "IHewlett Packard Intranet Access"
The Service-Info attributes are used to define a service profile. A service profile includes the name of the service, the service type (passthrough or tunnel), the service access mode (sequential or concurrent), the DNS server IP address, and the networks that exist in the service domain.
The following illustrates the format for Service-Info attributes in a RADIUS packet:
+-+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+-+...+
a = 26 (RADIUS attribute for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 251 (subattribute ID for Service-Info)
e = len (length of the vendor-specific subattribute)
f = code (service-info code for attribute)
g = value (additional information required by code)
This attribute defines the name of the service.
Service-Info = "Nname"
Parameter | Description |
---|---|
name | Name of the service profile or of a service that belongs to a service group. |
Service-Info = "Nhp.com"
This attribute indicates whether the service is accessed through a tunnel or passed through (usually to the Internet).
Service-Info = "Ttype"
Parameter | Description |
---|---|
type | P---Passthrough. Indicates the user's packets are passed through (usually to the Internet). T---Tunnel. Indicates the user's packets are forwarded through an L2F tunnel. |
Service-Info = "TP"
This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential).
Service-Info = "Mmode"
Parameter | Description |
---|---|
mode | S---Sequential mode. C---Concurrent mode. |
Service-Info = "MS"
This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the Cisco 6510 can either send DNS requests to the primary DNS server until its performance diminishes or it fails (failover), or load balance the requests between the two servers. For more information, see the "Configuring DNS Fault Tolerance Settings" section.
Service-Info = "Dip_address_1[;ip_address_2]"
Parameter | Description |
---|---|
ip_address_1 | IP address of the primary DNS server. |
ip_address_2 | IP address of the secondary DNS server (optional). |
Service-Info = "D198.46.9.2;198.46.9.3"
This attribute specifies networks that exist for a tunneled service beyond the home gateway.
Service-Info = "Rip_address;mask"
Parameter | Description |
---|---|
ip_address | IP address of the network. |
mask | Subnet mask. |
Use the Service Route attribute to specify networks that exist for a service.
When forwarding an IP packet, the Cisco 6510 searches a connection list that consists of services that are available to the user, ordered from smallest to largest in terms of network size (see the "Filter" section). To determine the service search order, the Cisco 6510 uses the following guidelines:
Service-Info = "R171.99.73.128;255.255.255.192"
This attribute specifies whether the Cisco 6510 uses the CHAP or PAP protocol to authenticate users for a tunneled service.
Service-Info = "Aauthen-type"
Parameter | Description |
---|---|
authen-type | C---CHAP authentication. P---PAP authentication. |
Service-Info = "AC"
This attribute specifies the next hop key for this service. Each Cisco 6510 uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see the "Next Hop Gateway Table Entry" section.
Service-Info = "Gkey"
Parameter | Description |
---|---|
key | Name of the next hop. This name must be unique for each service. |
Service-Info = "Ghp"
This attribute specifies the domain names that get DNS resolution from the DNS server(s) specified in the DNS Server Address attribute.
Service-Info = "Oname1[;name2]...[;nameX]"
Parameter | Description |
---|---|
name1 | Domain name that gets DNS resolution from this server. |
name2...nameX | Additional domain name(s) that get DNS resolution from this server. |
Use the DNS Resolution attribute to specify domain names that get DNS resolution from this DNS server.
When forwarding a DNS packet, the Cisco 6510 searches a connection list that consists of services available to the user, ordered from smallest to largest in terms of network size (see the "Filter" section). To determine the DNS search order, the Cisco 6510 uses the following guidelines:
Service-Info = "Ocisco.com;cisco-sales.com"
This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway. This attribute is only used in Accounting Records and should not be configured in a service profile.
Service-Info = "Uusername"
Parameter | Description |
---|---|
username | The name provided by the user to authenticate with the home gateway. |
Service-Info = "Ujoe@cisco.com"
The Control-Info attributes are used to define parameters that can be used in user profiles, service profiles, and pseudo-service profiles. This includes configuring the Next Hop Gateway table and defining filters that can be applied to user profiles, service profiles, and the Transparent Passthrough feature.
The following illustrates the format for Control-Info attributes in a RADIUS packet:
+-+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+-+...+
a = 26 (RADIUS attribute for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 253 (subattribute ID for Control-Info)
e = len (length of the vendor-specific subattribute)
f = code (control-info code for attribute)
g = value (additional information required by code)
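The Cisco-AVpair, Account-Info, Service-Info and Control-Info layouts shown above share one wire format. The following added Python example (not part of the original documentation) encodes and decodes that format with explicit checks on both length bytes, and splits the single-character code (f) from its value (g); the attribute values it uses are constructed from the examples on this page.

```python
import struct

VSA_TYPE = 26           # a: RADIUS Vendor-Specific attribute type
CISCO_VENDOR_ID = 9     # c: vendor ID shared by every Cisco 6510 subattribute
SUBATTR_NAMES = {1: "Cisco-AVpair", 250: "Account-Info", 251: "Service-Info",
                 252: "Command-Code", 253: "Control-Info"}

def encode_cisco_vsa(subattr_id, value):
    """Build one attribute 26 carrying a single Cisco subattribute:
    a=26 | b=len | c=vendor 9 (4 bytes) | d=subattr ID | e=len | f,g=value.
    Both length bytes (b and e) count their own header, per RFC 2865 section 5.26."""
    sub = struct.pack("!BB", subattr_id, 2 + len(value)) + value
    total = 6 + len(sub)
    if total > 255:
        raise ValueError("value too long for a single vendor-specific attribute")
    return struct.pack("!BBI", VSA_TYPE, total, CISCO_VENDOR_ID) + sub

def decode_cisco_vsas(attrs):
    """Return [(subattr_id, value_bytes), ...] for every Cisco subattribute in a
    RADIUS attribute list; every length byte is checked before it is used."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VSA_TYPE or len(body) < 4:
            continue                      # not a VSA, or too short to hold a vendor ID
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue                      # another vendor's VSA
        j = 4
        while j + 2 <= len(body):
            sid, slen = body[j], body[j + 1]
            if slen < 2 or j + slen > len(body):
                raise ValueError("bad subattribute length %d" % slen)
            found.append((sid, body[j + 2:j + slen]))
            j += slen
        if j != len(body):
            raise ValueError("trailing byte after last subattribute")
    if i != len(attrs):
        raise ValueError("trailing byte after last attribute")
    return found

def split_code(subattr_id, value):
    """Split a code-prefixed value into (f, g). Cisco-AVpair (ID 1) carries a
    whole key=value string instead of a code byte, so it is returned unsplit."""
    text = value.decode("ascii")
    if subattr_id == 1 or not text:
        return None, text
    return text[0], text[1:]

if __name__ == "__main__":
    # Constructed reply body: Session-Timeout (27) followed by two Account-Info VSAs.
    reply = struct.pack("!BBI", 27, 6, 21600)
    reply += encode_cisco_vsa(250, b"GServiceGroup1") + encode_cisco_vsa(250, b"DD")
    for sid, val in decode_cisco_vsas(reply):
        print(SUBATTR_NAMES[sid], split_code(sid, val))
```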
This attribute can be used to block or allow access to IP addresses and ports in user profiles, service profiles, and the transparent passthrough profile TPTProfile.
Control-Info = "Fsrc_ip[:src_port_list];src_mask;dst_ip[:dst_port_list];dst_mask;flag;filter-ID"
Parameter | Description |
---|---|
src_ip | Source IP address. |
src_port_list | List of source ports, separated by commas. For example, 0-3,21-34,60. If you do not enter this parameter, ports 0 through 65535 are assumed. |
src_mask | Source subnet mask. |
dst_ip | Destination IP address. |
dst_port_list | List of destination ports, separated by commas. For example, 0-3,21-34,60. If you do not enter this parameter, ports 0 through 65535 are assumed. |
dst_mask | Destination subnet mask. |
flag | P---Permit. D---Deny. |
filter-ID | Number between 0 and 65535 used to set the order of the filter in the list. |
Use this attribute to block or allow access to IP addresses and ports in user profiles, service profiles, and the transparent passthrough profile TPTFilterProfile.
The filter list is processed from beginning to end until an explicit IP/mask match is found. If an IP/mask combination is found and there is a port match, the flag specified for the filter is applied.
To create a filter for transparent passthrough, create a service profile called TPTProfile and start adding filters.
For information on enabling or disabling the transparent passthrough feature, see the "Configuring Transparent Passthrough" section. For information on the transparent passthrough pseudo-service profile, see the "TPTFilterProfile Pseudo-Service Profile" section.
Control-Info = "F172.16.0.0;255.255.255.0;192.168.100.0:20,21;255.255.0.0;P;1"
Because multiple Cisco 6510s might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each Cisco 6510 to determine the IP address of the next hop, each Cisco 6510 downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see the "Service Next Hop Gateway" section.
Control-Info = "Gkey;ip_address"
Parameter | Description |
---|---|
key | The key specified in the Service Next Hop Gateway attribute of the service profile. |
ip_address | IP address of the next hop for this service. |
Use this attribute to create a next hop gateway table for the selected Cisco 6510.
To define the IP address of the next hop for each service, the Cisco 6510 downloads a special service profile that associates the next hop gateway key for each service with an IP address.
To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each Cisco 6510.
For information on downloading this profile to the Cisco 6510, see the "nhgtable download" section.
Control-Info = "GSSG_1;171.99.73.128"
Current RADIUS standards only support counting up to 32 bits of information with the Acct-Output-Octets attribute. Technologies such as ADSL have much higher throughput, so a 32-bit counter can wrap within a session.
In order for the accounting server to keep track of and bill for this usage, the Cisco 6510 uses the Octets Output attribute.
The Octets Output attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for outbound data.
Control-Info = "Orollover;value"
Parameter | Description |
---|---|
rollover | Number of times the 32-bit integer rolled over to 0. |
value | Value in the 32-bit integer when the stop record was generated and the service or user was logged out. |
Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:
rollover * 4294967296 + value
Control-Info = "O2;153"
Current RADIUS standards only support counting up to 32 bits of information with the Acct-Input-Octets attribute. Technologies such as ADSL have much higher throughput, so a 32-bit counter can wrap within a session.
In order for the accounting server to keep track of and bill for this usage, the Cisco 6510 uses the Octets Input attribute.
The Octets Input attribute keeps track of how many times the 32-bit integer rolled over and the value of the integer when it overflowed for inbound data.
Control-Info = "Irollover;value"
Parameter | Description |
---|---|
rollover | Number of times the 32-bit integer rolled over to 0. |
value | Value in the 32-bit integer when the stop record was generated and the service or user was logged out. |
Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:
rollover * 4294967296 + value
Control-Info = "I3;151"
This section provides samples of user profiles and service profiles used with the Cisco 6510.
The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:
bert Password = "ernie"
Session-Timeout = 21600,
Account-Info = "GServiceGroup1",
Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T",
Account-Info = "Ngamers.net;The Gamer's Network;P",
Account-Info = "DD"
The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:
user = bert {
  radius = 6510-SSG-v1.0 {
    check_items = {
      2 = "ernie"
    }
    reply_attributes = {
      27 = 21600
      9,250 = "GServiceGroup1"
      9,250 = "Nhp.com;Hewlett Packard Intranet Access;T"
      9,250 = "Ngamers.net;The Gamer's Network;P"
      9,250 = "DD"
    }
  }
}
The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:
ServiceGroup1 Password = "cisco"
Account-Info = "Nhp.com",
Account-Info = "Ngamers.net",
Account-Info = "GServiceGroup3",
Account-Info = "GServiceGroup4",
Account-Info = "IStandard User Services"
The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:
user = ServiceGroup1 {
  radius = 6510-SSG-v1.0 {
    check_items = {
      2 = "cisco"
      6 = 5
    }
    reply_attributes = {
      9,250 = "Nhp.com"
      9,250 = "Ngamers.net"
      9,250 = "GServiceGroup3"
      9,250 = "GServiceGroup4"
      9,250 = "IStandard User Services"
    }
  }
}
The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:
hp.com Password = "cisco"
Cisco-AVpair = "vpdn:nas-password=hello",
Cisco-AVpair = "vpdn:gw-password=hi_there",
Cisco-AVpair = "vpdn:ip-addresses=135.69.255.198",
Cisco-AVpair = "vpdn:tunnel-id=cisco_eng",
Idle-Timeout = 1800,
Service-Info = "R171.99.73.128;255.255.255.192",
Service-Info = "R171.99.2.0;255.255.255.192",
Service-Info = "R171.99.13.0;255.255.255.0",
Service-Info = "Ghp",
Service-Info = "D171.99.2.81",
Service-Info = "MC",
Service-Info = "TT",
Service-Info = "IHewlett Packard Intranet Access"
The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:
user = hp.com {
  radius = 6510-SSG-v1.0 {
    check_items = {
      2 = "cisco"
    }
    reply_attributes = {
      28 = 1800
      9,1 = "vpdn:nas-password=hello"
      9,1 = "vpdn:gw-password=hi_there"
      9,1 = "vpdn:ip-addresses=135.69.255.198"
      9,1 = "vpdn:tunnel-id=cisco_eng"
      9,251 = "R171.99.73.128;255.255.255.192"
      9,251 = "R171.99.2.0;255.255.255.192"
      9,251 = "R171.99.13.0;255.255.255.0"
      9,251 = "Ghp"
      9,251 = "D171.99.2.81"
      9,251 = "MC"
      9,251 = "TT"
      9,251 = "IHewlett Packard Intranet Access"
    }
  }
}
The following is an example of the Transparent Passthrough Filter Profile (TPTFilterProfile) pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:
ssg-filter Password = "cisco", Service-Type = Outbound
Control-Info = "F172.17.0.0;255.255.0.0;20.0.0.0:80;255.0.0.0;D;1",
Control-Info = "F172.21.9.0;255.255.255.0;20.0.0.0:80;255.0.0.0;D;2",
Control-Info = "F0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;P;9999"
The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:
user = ssg-filter {
  radius = 6510-SSG-v1.1 {
    check_items = {
      2 = "cisco"
      6 = 5
    }
    reply_attributes = {
      9,253 = "F172.17.0.0;255.255.0.0;20.0.0.0:80;255.0.0.0;D;1"
      9,253 = "F172.21.9.0;255.255.255.0;20.0.0.0:80;255.0.0.0;D;2"
      9,253 = "F0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;P;9999"
    }
  }
}