This chapter describes Remote Access Dial-In User Service (RADIUS) attributes that can be used in Cisco 6510 Service Selection Gateway (Cisco 6510) user profiles, service profiles, and specialized pseudo-service profiles.
For detailed information on the syntax of these attributes, see "Cisco 6510 Vendor-Specific RADIUS Attributes."
RADIUS user profiles contain the password, list of subscribed services, and whether the user has access to the transparent passthrough service.
This section specifies standard RADIUS attributes that can be used in Cisco 6510 user profiles.
Attribute | Usage |
---|---|
Password | Specifies the user's password (check attribute). |
NAS-IP-Address | IP address of the NAS (check attribute). |
Service-Type | Specifies the level of service the user is requesting (check attribute). |
Session-Timeout | Specifies, in seconds, the maximum length of the user's session (reply attribute). |
Idle-Timeout | Specifies, in seconds, the maximum time a connection can remain idle (reply attribute). |

NAS = network access server.
This section specifies vendor-specific attributes that can be used in Cisco 6510 user profiles.
Attribute | Usage |
---|---|
Default User Passthrough | Specifies whether the user's packets not destined for a service are forwarded (usually to the Internet). |
Service Name | Subscribes the user to a service. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service to which the user is subscribed. |
Service Group | Subscribes the user to a service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service group to which the user is subscribed. |
Auto Service | Automatically logs a user onto a service when the user accesses the Cisco SSD. |
Filter | Blocks or allows access to IP addresses and ports. There can be multiple instances of this attribute within a single user profile. |

SSD = Service Selection Dashboard.
Service group profiles contain a list of services and service groups and can be used to create directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the name of the service, the password, the service type (outbound), a list of services, and a list of service groups.
This section specifies vendor-specific attributes that can be used in Cisco 6510 service group profiles.
Attribute | Usage |
---|---|
Service Name | Lists services that belong to the service group. There can be multiple instances of this attribute within a single user profile. Use one attribute for each service. |
Service Group | Lists the service groups that belong to this service group. When configured, the service group and service name attributes can define an organized directory structure for accessing services. There can be multiple instances of this attribute within a service group profile. Use one attribute for each service group that belongs to this service group. |
Group Description | Provides a description of the service group. |
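As an added illustration that is not part of the original chapter, the following Python model expands a user profile's Service Name and Service Group attributes into the full set of subscribed services by walking nested service group profiles. The profile contents are constructed, and the handling of a group that refers back to itself is an assumption; the chapter does not say how the Cisco 6510 treats such a loop.

```python
from typing import Dict, List, Set, Tuple

Profile = List[Tuple[str, str]]  # (attribute, value) pairs; attributes may repeat

# Constructed sample profiles (not from the chapter). The password is a placeholder.
USER_PROFILES: Dict[str, Profile] = {
    "alice": [
        ("Password", "<placeholder>"),
        ("Service Name", "corp-mail"),
        ("Service Group", "engineering"),
    ],
}
SERVICE_GROUP_PROFILES: Dict[str, Profile] = {
    "engineering": [
        ("Group Description", "Engineering services"),
        ("Service Name", "code-repo"),
        ("Service Group", "shared-tools"),
    ],
    "shared-tools": [
        ("Service Name", "wiki"),
        ("Service Name", "code-repo"),      # same service reachable via two groups
        ("Service Group", "engineering"),   # loop back; assumed to be ignored
    ],
}

def values(profile: Profile, attribute: str) -> List[str]:
    """Return every value of a repeatable attribute, in profile order."""
    return [v for a, v in profile if a == attribute]

def expand_group(group: str, groups: Dict[str, Profile], seen: Set[str]) -> Set[str]:
    """Collect the services of a group and, recursively, of its nested groups."""
    if group in seen:
        return set()  # assumption: a cycle contributes nothing further
    seen.add(group)
    profile = groups.get(group, [])  # unknown group: no services
    services = set(values(profile, "Service Name"))
    for sub in values(profile, "Service Group"):
        services |= expand_group(sub, groups, seen)
    return services

def subscribed_services(user: str) -> Set[str]:
    """Direct Service Name entries plus everything inside each Service Group."""
    profile = USER_PROFILES[user]
    services = set(values(profile, "Service Name"))
    for group in values(profile, "Service Group"):
        services |= expand_group(group, SERVICE_GROUP_PROFILES, set())
    return services

if __name__ == "__main__":
    print(sorted(subscribed_services("alice")))  # ['code-repo', 'corp-mail', 'wiki']
```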
Service profiles include the name of the service, the service type (passthrough or tunnel), VPDN information (if applicable), the service access mode (sequential or concurrent), the DNS server IP address, and networks that exist in the service domain.
This section specifies Cisco AVPair attributes that appear within service profiles.
Attribute | Usage |
---|---|
VPDN IP Addresses | Specifies IP addresses of the home gateway to receive the L2F connection. |
VPDN Gateway Password | Specifies the CHAP secret the home gateway uses to authenticate with the Cisco 6510 when negotiating an L2F tunnel. |
VPDN NAS Password | Specifies the CHAP secret the Cisco 6510 uses to authenticate with the home gateway when negotiating an L2F tunnel. |
VPDN Tunnel ID | Specifies the name of the tunnel that must match the home gateway's VPDN incoming statement. |

L2F = Layer 2 Forwarding. CHAP = Challenge-Handshake Authentication Protocol. VPDN = Virtual Private Dial-Up Network.
This section specifies standard RADIUS attributes that can be used in Cisco 6510 user profiles.
Attribute | Usage |
---|---|
Password | Specifies the password (check attribute). |
Service-Type | Specifies the level of service (check attribute). |
Session-Timeout | Specifies, in seconds, the maximum length of the session (reply attribute). |
Idle-Timeout | Specifies, in seconds, the maximum time a service connection can remain idle (reply attribute). |
This section specifies attributes that appear within service profiles.
Attribute | Usage |
---|---|
Service Type | Indicates whether the service is accessed through a tunnel or passed through (usually to the Internet). |
Service Mode | Specifies whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential). |
DNS Server Address | Specifies the primary and secondary DNS servers for this service. |
Service Route | Specifies networks that exist for the service. There can be multiple instances of this attribute within a single user profile. |
Service Authentication Type | Specifies whether the Cisco 6510 uses the CHAP or PAP protocol to authenticate users for a tunneled service. |
Next Hop Gateway | Specifies the next hop key for this service. Each Cisco 6510 uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see the "Next Hop Gateway Pseudo-Service Profile" section. |
Domain Name | Specifies domain names that get DNS resolution from the DNS server(s) specified in DNS Server Address. |
Filter | Blocks or allows access to IP addresses and ports. |
Service Description | Provides a description of the service that is displayed to the user. |
This section describes pseudo-service profiles. Pseudo-service profiles are used to define variable-length tables or lists of information. There are currently two types of pseudo-service profiles: TPTFilterProfile and Next Hop Gateway. The following sections describe each.
Transparent passthrough is designed to allow unauthenticated traffic (users or network devices that have not logged in to the Cisco 6510 through the Cisco SSD) to pass through the Cisco 6510 (usually to the Internet).
Attribute | Usage |
---|---|
Filter | Blocks or allows access to IP addresses and ports. |
The TPTFilterProfile pseudo-service profile allows or denies access to IP addresses and ports accessed through the transparent passthrough feature.
To define what traffic can pass through, the Cisco 6510 downloads the TPTFilterProfile pseudo-service profile. This profile contains a list of filter items. Each item contains an IP address or range of IP addresses, a list of port numbers, and specifies whether traffic is allowed or denied.
To create a filter for transparent passthrough, create a service profile called TPTFilterProfile. After you have created the service profile, use the Filter attribute to define what can and cannot be accessed.
For more information, see the "Configuring Transparent Passthrough" section.
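The following Python model is added here and is not taken from the chapter. It evaluates a list of TPTFilterProfile-style filter items, each with a single address or inclusive address range, a port list, and an allow or deny action, against sample unauthenticated flows. The sample items are constructed, and first-match ordering plus a default deny for traffic no item covers are assumptions, since the chapter does not state how the Cisco 6510 orders its filter items or what it does with unmatched traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class FilterItem:
    """One filter item: an inclusive address range (first == last for a single
    host), the destination ports it covers (empty = any port), and a verdict."""
    first: str
    last: str
    ports: Tuple[int, ...]
    action: str  # "allow" or "deny"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        lo = ipaddress.ip_address(self.first)
        hi = ipaddress.ip_address(self.last)
        ip = ipaddress.ip_address(dst_ip)
        in_range = lo <= ip <= hi
        port_ok = not self.ports or dst_port in self.ports
        return in_range and port_ok

# Constructed sample profile (not from the chapter): deny everything to one
# management host, allow web to its surrounding range, allow DNS to one resolver.
TPT_FILTER_PROFILE: List[FilterItem] = [
    FilterItem("192.0.2.10", "192.0.2.10", (), "deny"),
    FilterItem("192.0.2.0", "192.0.2.255", (80, 443), "allow"),
    FilterItem("198.51.100.53", "198.51.100.53", (53,), "allow"),
]

def passthrough_verdict(items: List[FilterItem], dst_ip: str, dst_port: int) -> str:
    """Return the action of the first matching item. Unmatched traffic is
    denied (assumption: the chapter does not define a default)."""
    for item in items:
        if item.matches(dst_ip, dst_port):
            return item.action
    return "deny"

if __name__ == "__main__":
    for ip, port in [("192.0.2.20", 443), ("192.0.2.10", 443), ("203.0.113.5", 80)]:
        print(ip, port, passthrough_verdict(TPT_FILTER_PROFILE, ip, port))
```

Because the host-specific deny item precedes the range allow item, the order of the list decides the verdict for 192.0.2.10; reordering the two items would silently open web access to that host.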
Because multiple Cisco 6510s might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. So that each Cisco 6510 can determine the IP address of the next hop, it downloads its own next hop gateway table that associates keys with IP addresses.
Attribute | Usage |
---|---|
Next Hop Gateway Entry | Associates next hop gateway keys with IP addresses. |
To create a next hop gateway table, create a service profile and give it any name. Use the Next Hop Gateway Entry attribute to associate service keys with their IP addresses. When you have finished, repeat this for each Cisco 6510.
For information on downloading this profile to the Cisco 6510, see the "nhgtable download" section.