The Cisco 6510 Service Selection Gateway uses vendor-specific Remote Access Dial-In User Service (RADIUS) attributes. If you use the Cisco 6510 with Cisco User Control Point (UCP), you specify settings that allow processing of the Cisco 6510 attributes while configuring the CiscoSecure Access Control Server (ACS) component. If you use another authentication, authorization, and accounting (AAA) server, you must customize that server's database code to handle processing of the Cisco 6510 vendor-specific attributes.
The following table lists the vendor-specific attributes used by the Cisco 6510. By sending an Access-Request packet carrying these vendor-specific attributes, the Dashboard client can ask the Cisco 6510 to log an account on or off and to connect or disconnect services. The vendor ID for all of the Cisco-specific attributes is 9.
AttrID | VendorID | SubAttrID | SubAttrName | SubAttrDataType |
---|---|---|---|---|
26 | 9 | 1 | Cisco-AVpair | String |
26 | 9 | 250 | Account-Info | String |
26 | 9 | 251 | Service-Info | String |
26 | 9 | 252 | Command-Code | Binary |
The following sections describe the format of each sub-attribute.
The Cisco-AVpair attributes are used to build a Virtual Private Dial-Up Network (VPDN) tunnel.
The following illustrates the format for Cisco-AVpair attributes:
```
+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute type for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 1 (sub-attribute ID for Cisco-AVpair)
e = len (length of the vendor-specific sub-attribute)
f = code (Cisco-AVpair code for attribute)
g = value (additional information required by code)
```
This attribute specifies the IP address of the home gateway that receives the Layer 2 Forwarding (L2F) connection.

Syntax: Cisco-AVpair = "vpdn:ip-addresses={gateway_ip}"

Parameter | Description
---|---
gateway_ip | IP address of the home gateway.

Example: Cisco-AVpair = "vpdn:ip-addresses=135.69.255.198"

This attribute specifies the password of the home gateway that receives the L2F connection.

Syntax: Cisco-AVpair = "vpdn:gw-password={gateway_pwd}"

Parameter | Description
---|---
gateway_pwd | Password of the home gateway.

Example: Cisco-AVpair = "vpdn:gw-password=hello"
The Account-Info attributes are used in user profiles. User profiles indicate whether or not the user is granted the default service, the services to which the user is subscribed, and how often Dashboard tests the connection to the Cisco 6510.
The following illustrates the format for Account-Info attributes:
```
+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute type for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 250 (sub-attribute ID for Account-Info)
e = len (length of the vendor-specific sub-attribute)
f = code (account-info code for attribute)
g = value (additional information required by code)
```
The same Account-Info value written in the two profile syntaxes used in this document, the freeware RADIUS format and the UCP/CiscoSecure ACS format:

Account-Info = "DD"
9,250 = "DD"

This attribute determines whether the user's packets that are not destined for a tunnel are forwarded (usually to the Internet).

Syntax: Account-Info = "D{value}"

Parameter | Description
---|---
value | D--Disables access to the default service. E--Enables access to the default service.

Example: Account-Info = "DD"

This attribute subscribes the user to the specified service.

Syntax: Account-Info = "N{name;description;flag}"

Parameter | Description
---|---
name | Name of the service profile.
description | Description of the service.
flag | I--Internet. The user's packets are forwarded straight through the Cisco 6510. T--Tunnel. The user's packets are forwarded through an L2F tunnel.

Example: Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T"

This attribute defines how frequently the Dashboard tests the connection to the Cisco 6510.

Syntax: Account-Info = "P{seconds}"

Parameter | Description
---|---
seconds | How often, in seconds, the Dashboard tests the connection to the Cisco 6510.

Example: Account-Info = "P60"
The Service-Info attributes are used to define the profile of a service. This includes the name of the service, the service type (Internet or tunnel), the service access mode (sequential or concurrent), the DNS server IP address, and the networks that exist on the service.
The following illustrates the format for Service-Info attributes:
```
+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute type for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 251 (sub-attribute ID for Service-Info)
e = len (length of the vendor-specific sub-attribute)
f = code (service-info code for attribute)
g = value (additional information required by code)
```
This attribute sets whether the Cisco 6510 uses CHAP or PAP to authenticate users on the service.

Syntax: Service-Info = "A{authen-type}"

Parameter | Description
---|---
authen-type | C--CHAP authentication. P--PAP authentication.

Example: Service-Info = "AC"

This attribute includes a name and description of the service in accounting records; it is not required in service profiles.

Syntax: Service-Info = "N{name;description}"

Parameter | Description
---|---
name | Name of the service profile.
description | Description of the service.

Example: Service-Info = "Nhp.com;Hewlett Packard Intranet Access"

This attribute indicates whether the service is an Internet or tunnel connection.

Syntax: Service-Info = "T{type}"

Parameter | Description
---|---
type | I--Internet. The user's packets are forwarded straight through the Cisco 6510. T--Tunnel. The user's packets are forwarded through an L2F tunnel.

Example: Service-Info = "TI"

This attribute defines whether the user can log on to this service while simultaneously connected to other services (concurrent) or cannot access any other service while using this service (sequential).

Syntax: Service-Info = "M{mode}"

Parameter | Description
---|---
mode | S--Sequential mode. C--Concurrent mode.

Example: Service-Info = "MS"

This attribute indicates the username that the Dashboard user provided to log on to the service and to authenticate with the home gateway. It is used only in accounting records.

Syntax: Service-Info = "U{username}"

Parameter | Description
---|---
username | The name provided by the user, which was used to authenticate with the home gateway.

Example: Service-Info = "Ujoe@cisco.com"

This attribute specifies the DNS server for this service. Multiple attributes may be specified to indicate a primary DNS server, a secondary DNS server, and so on.

Syntax: Service-Info = "D{ip_address}"

Parameter | Description
---|---
ip_address | IP address of the DNS server.

Example: Service-Info = "D198.46.9.2"

This attribute specifies networks that exist for a service beyond the home gateway.

Syntax: Service-Info = "F{ip_address;mask;flag}"

Parameter | Description
---|---
ip_address | IP address.
mask | Subnet mask.
flag | A--Allows access to the specified IP address(es). B--Denies access to the specified IP address(es).

Example: Service-Info = "F171.99.73.128;255.255.255.192;A"
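As an added example (not Cisco's code and not part of the original page), the following Python parses and validates the Account-Info value strings defined earlier and the Service-Info value strings defined in this section, and reads profile lines written in the freeware RADIUS syntax used on this page. The function names, the dict layouts, the decision to reject an F network whose address has host bits set under its mask, and the sample profile lines (copied from the hp.com service profile shown later on this page) are this example's own choices.

```python
"""Parsers for the Account-Info (sub-attribute 250) and Service-Info (sub-attribute 251)
value strings. Added example; not Cisco's code. Names and dict layouts are this example's own."""
import ipaddress


def _fields(body: str, n: int, code: str) -> list:
    """Split a ';'-separated body and insist on exactly n fields."""
    parts = body.split(";")
    if len(parts) != n:
        raise ValueError(f"{code}: expected {n} ';'-separated fields, got {len(parts)}")
    return parts


def _choice(body: str, allowed: str, code: str) -> str:
    """Accept a single-letter value drawn from the allowed set."""
    if len(body) != 1 or body not in allowed:
        raise ValueError(f"{code}: value must be one of {'/'.join(allowed)}, got {body!r}")
    return body


def parse_account_info(value: str) -> dict:
    """Decode one Account-Info string: D{value}, N{name;description;flag} or P{seconds}."""
    if not value:
        raise ValueError("empty Account-Info value")
    code, body = value[0], value[1:]
    if code == "D":
        return {"code": "D", "default_service": _choice(body, "DE", code) == "E"}
    if code == "N":
        name, desc, flag = _fields(body, 3, code)
        return {"code": "N", "service": name, "description": desc,
                "tunnel": _choice(flag, "IT", code) == "T"}
    if code == "P":
        if not body.isdigit() or int(body) == 0:
            raise ValueError("P: seconds must be a positive integer")
        return {"code": "P", "poll_seconds": int(body)}
    raise ValueError(f"unknown Account-Info code {code!r}")


def parse_service_info(value: str) -> dict:
    """Decode one Service-Info string: an A, N, T, M, U, D or F code followed by its value."""
    if not value:
        raise ValueError("empty Service-Info value")
    code, body = value[0], value[1:]
    if code == "A":
        return {"code": "A", "auth": {"C": "CHAP", "P": "PAP"}[_choice(body, "CP", code)]}
    if code == "N":
        name, desc = _fields(body, 2, code)
        return {"code": "N", "service": name, "description": desc}
    if code == "T":
        return {"code": "T", "tunnel": _choice(body, "IT", code) == "T"}
    if code == "M":
        return {"code": "M", "concurrent": _choice(body, "SC", code) == "C"}
    if code == "U":
        if not body:
            raise ValueError("U: username missing")
        return {"code": "U", "username": body}
    if code == "D":
        # IPv4Address() rejects anything that is not a well-formed dotted quad.
        return {"code": "D", "dns": ipaddress.IPv4Address(body)}
    if code == "F":
        ip, mask, flag = _fields(body, 3, code)
        # Strict parsing (this example's choice): an address with host bits set under the
        # given mask is rejected rather than silently widened to the containing network.
        net = ipaddress.IPv4Network(f"{ip}/{mask}")
        return {"code": "F", "network": net, "allow": _choice(flag, "AB", code) == "A"}
    raise ValueError(f"unknown Service-Info code {code!r}")


def is_valid_service_info(value: str) -> bool:
    """True if parse_service_info accepts the string (ipaddress errors are ValueErrors too)."""
    try:
        parse_service_info(value)
        return True
    except ValueError:
        return False


PARSERS = {"Account-Info": parse_account_info, "Service-Info": parse_service_info}


def parse_profile_lines(lines) -> list:
    """Parse profile lines in the freeware RADIUS syntax used on this page. Returns
    (attribute, parsed) pairs; attributes without a parser here keep their raw value."""
    out = []
    for raw in lines:
        line = raw.strip().rstrip(",")
        if not line or "=" not in line:
            continue
        lhs, _, rhs = line.partition("=")       # split at the first '=' only
        attr = lhs.split()[-1]                   # drop the username prefix of the first line
        rhs = rhs.strip()
        value = rhs[1:-1] if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"' else rhs
        parser = PARSERS.get(attr)
        out.append((attr, parser(value) if parser else value))
    return out


# Constructed sample: the hp.com service profile from this page, trimmed.
SAMPLE_SERVICE_PROFILE = [
    'hp.com Password = "cisco"',
    'Cisco-AVpair = "vpdn:gw-password=hello",',
    'Cisco-AVpair = "vpdn:ip-addresses=135.69.255.198",',
    'Service-Info = "F171.99.73.128;255.255.255.192;A",',
    'Service-Info = "F171.99.13.21;255.255.255.255;B",',
    'Service-Info = "D171.99.2.81",',
    'Service-Info = "MC",',
    'Service-Info = "TT"',
]

if __name__ == "__main__":
    for attr, parsed in parse_profile_lines(SAMPLE_SERVICE_PROFILE):
        print(attr, parsed)
```

Strict network parsing matters on an AAA server because a Service-Info F entry controls what the subscriber may reach beyond the home gateway: an entry such as "F171.99.13.21;255.255.255.0;A" is ambiguous (a host address under a /24 mask) and is better refused when the profile is loaded than interpreted one way by the server and another way by the gateway.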
The Command-Code attributes are used for communication between the Dashboard and the Cisco 6510. The following parameters are for reference only and are not used in user or service profiles.
The following illustrates the format for Command-Code attributes:
```
+-+-+-+-+-+-+-+-+-+-+-+...+
|a|b|   c   |d|e|f|  g  ...
+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute type for vendor specific)
b = len (length of the RADIUS vendor-specific attribute)
c = 9 (Cisco vendor ID)
d = 252 (sub-attribute ID for Command-Code)
e = len (length of the vendor-specific sub-attribute)
f = code (command-code for attribute, in binary format)
g = value (additional information required by code, in ASCII format)
```
This attribute is used by the Dashboard to log on a user.

Syntax: Command-Code = "\001{name}"

Parameter | Description
---|---
name | Account name.

Example: Command-Code = "\001USER1"

This attribute is used by the Dashboard to log off a user.

Syntax: Command-Code = "\002{name}"

Parameter | Description
---|---
name | Account name.

Example: Command-Code = "\002USER1"

This attribute is used by the Dashboard to test the connection to the Cisco 6510. It takes no parameter.

Syntax: Command-Code = "\004"

Example: Command-Code = "\004"

This attribute is used by the Dashboard to request that the Cisco 6510 log the user on to a service.

Syntax: Command-Code = "\013{s_name}"

Parameter | Description
---|---
s_name | Service name.

Example: Command-Code = "\013cisco.com"

This attribute is used by the Dashboard to request that the Cisco 6510 log the user off of a service.

Syntax: Command-Code = "\014{s_name}"

Parameter | Description
---|---
s_name | Service name.

Example: Command-Code = "\014cisco.com"

This attribute is used by the Dashboard to communicate the DNS search order for the service to the Cisco 6510.

Syntax: Command-Code = "\016{s_order}"

Parameter | Description
---|---
s_order | The DNS server search order, separated by semicolons (;).

Example: Command-Code = "\016cisco.com;microsoft.com;hp.com"

This attribute is used by the Cisco 6510 to communicate messages to the Dashboard client.

Syntax: Command-Code = "\017{message}"

Parameter | Description
---|---
message | Message communicated from the Cisco 6510.

Example: Command-Code = "\017Your session has timed out"
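As an added example (not Cisco's code and not part of the original page), the following Python builds and decodes the vendor-specific envelope shown in the four format diagrams above (fields a through e are identical for Cisco-AVpair, Account-Info, Service-Info and Command-Code; only the sub-attribute ID differs) and handles the Command-Code payloads listed in this section. The function names are this example's own, as is the reading of the \NNN escapes on this page as octal (the C convention), so \013 is byte 11; the logon attribute list built at the end is constructed for illustration. Every length field is checked against the bytes actually present, which is the check a RADIUS server or proxy must make before trusting a sub-attribute's value.

```python
"""RADIUS Vendor-Specific (attribute 26) encoder/decoder for the Cisco (vendor 9) sub-attributes
on this page, plus Command-Code (252) payload handling. Added example; not Cisco's code."""
import struct

RADIUS_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
SUBATTR_ID = {"Cisco-AVpair": 1, "Account-Info": 250, "Service-Info": 251, "Command-Code": 252}
SUBATTR_NAME = {v: k for k, v in SUBATTR_ID.items()}
# Fields a..e of the diagrams: type(1) len(1) vendor(4) sub-id(1) sub-len(1) = 8 bytes
_HDR = struct.Struct("!BBIBB")


def encode_cisco_vsa(sub_id: int, value: bytes) -> bytes:
    """Wrap a sub-attribute value in the attribute-26 / vendor-9 envelope."""
    if sub_id not in SUBATTR_NAME:
        raise ValueError(f"unknown Cisco sub-attribute {sub_id}")
    sub_len = 2 + len(value)
    attr_len = 6 + sub_len
    if attr_len > 255:                      # the length field is a single byte
        raise ValueError("value too long for a single RADIUS attribute")
    return _HDR.pack(RADIUS_VENDOR_SPECIFIC, attr_len, VENDOR_CISCO, sub_id, sub_len) + value


def decode_cisco_vsa(attr: bytes) -> tuple:
    """Decode one complete attribute, checking every length field against the bytes present."""
    if len(attr) < _HDR.size:
        raise ValueError("attribute shorter than the VSA header")
    typ, attr_len, vendor, sub_id, sub_len = _HDR.unpack_from(attr)
    if typ != RADIUS_VENDOR_SPECIFIC or vendor != VENDOR_CISCO:
        raise ValueError("not a Cisco vendor-specific attribute")
    if attr_len != len(attr):
        raise ValueError("attribute length field does not match the data")
    if sub_len != attr_len - 6:
        raise ValueError("sub-attribute length must exactly fill the attribute")
    return SUBATTR_NAME.get(sub_id, sub_id), attr[_HDR.size:]


def iter_attributes(buf: bytes):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header), yielding
    (type, attribute_bytes) and refusing any length that runs past the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("trailing byte without a length field")
        typ, length = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError(f"attribute type {typ} has bad length {length}")
        yield typ, buf[off:off + length]
        off += length


# Command-Code payload: the first byte is the binary command, the rest is ASCII.
# Assumption: the \NNN escapes on this page are octal (C convention), so \013 is 11.
COMMANDS = {1: "logon", 2: "logoff", 4: "test-connection", 11: "service-logon",
            12: "service-logoff", 14: "dns-search-order", 15: "message"}
_NO_ARGUMENT = {4}


def encode_command_code(command: str, argument: str = "") -> bytes:
    """Build a Command-Code value from a command name and its ASCII argument."""
    code = {v: k for k, v in COMMANDS.items()}[command]   # KeyError on an unknown name
    if (code in _NO_ARGUMENT) != (argument == ""):
        raise ValueError(f"{command}: argument {'not allowed' if code in _NO_ARGUMENT else 'required'}")
    return bytes([code]) + argument.encode("ascii")


def decode_command_code(payload: bytes) -> dict:
    """Split a Command-Code value into its command name and argument."""
    if not payload:
        raise ValueError("empty Command-Code value")
    code, arg = payload[0], payload[1:].decode("ascii")   # non-ASCII raises a ValueError
    if code not in COMMANDS:
        raise ValueError(f"unknown command code {code}")
    if (code in _NO_ARGUMENT) != (arg == ""):
        raise ValueError(f"command {code}: unexpected or missing argument")
    if code == 14:
        return {"command": COMMANDS[code], "argument": arg.split(";")}
    return {"command": COMMANDS[code], "argument": arg}


def build_logon_attributes(username: str) -> bytes:
    """Constructed example: User-Name (attribute 1) followed by the Dashboard logon Command-Code."""
    user_name = bytes([1, 2 + len(username)]) + username.encode("ascii")
    payload = encode_command_code("logon", username)
    return user_name + encode_cisco_vsa(SUBATTR_ID["Command-Code"], payload)


def parse_attributes(buf: bytes) -> list:
    """Decode an attribute list, expanding Cisco VSAs and Command-Code payloads."""
    out = []
    for typ, attr in iter_attributes(buf):
        if typ != RADIUS_VENDOR_SPECIFIC:
            out.append((typ, attr[2:]))
            continue
        name, value = decode_cisco_vsa(attr)
        out.append((name, decode_command_code(value) if name == "Command-Code" else value))
    return out


def is_well_formed(buf: bytes) -> bool:
    """True if parse_attributes accepts the buffer without a length or format error."""
    try:
        parse_attributes(buf)
        return True
    except ValueError:
        return False
```

The decoder insists that the inner sub-attribute length exactly fills the outer attribute and that the outer length matches the bytes handed to it; a server that instead trusts either length field can be made to read past the attribute or to skip part of it, so a RADIUS implementation processing these sub-attributes should reject the packet on any mismatch rather than repair it.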
This section provides samples of user profiles and service profiles used with the Cisco 6510.
The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:
```
bert Password = "ernie"
Session-Timeout = 3600,
Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T",
Account-Info = "Ngamers.net;The Gamer's Network;I",
Account-Info = "P60",
Account-Info = "DD"
```
The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:
```
user = bert {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "ernie"
        }
        reply_attributes = {
            27 = 3600
            9,250 = "Nhp.com;Hewlett Packard Intranet Access;T"
            9,250 = "Ngamers.net;The Gamer's Network;I"
            9,250 = "P60"
            9,250 = "DD"
        }
    }
}
```
The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:
```
hp.com Password = "cisco"
Cisco-AVpair = "vpdn:gw-password=hello",
Cisco-AVpair = "vpdn:ip-addresses=135.69.255.198",
Service-Info = "F171.99.73.128;255.255.255.192;A",
Service-Info = "F171.99.2.0;255.255.255.192;A",
Service-Info = "F171.99.13.0;255.255.255.0;A",
Service-Info = "F171.99.13.21;255.255.255.255;B",
Service-Info = "D171.99.2.81",
Service-Info = "MC",
Service-Info = "TT"
```
The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:
```
user = hp.com {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "cisco"
        }
        reply_attributes = {
            9,1 = "vpdn:gw-password=hello"
            9,1 = "vpdn:ip-addresses=135.69.255.198"
            9,251 = "F171.99.73.128;255.255.255.192;A"
            9,251 = "F171.99.2.0;255.255.255.192;A"
            9,251 = "F171.99.13.0;255.255.255.0;A"
            9,251 = "F171.99.13.21;255.255.255.255;B"
            9,251 = "D171.99.2.81"
            9,251 = "MC"
            9,251 = "TT"
        }
    }
}
```