This appendix describes the configuration steps required to include a RADIUS server in a Cisco Subscriber Edge Services Manager (SESM) deployment. This appendix includes the following topics:

Configuring SSG to Communicate with the RADIUS Server

You must configure SSG to communicate with the RADIUS server. To do so, use the radius-server host Cisco IOS command on the SSG host. Different ports are used for handling authentication and accounting packets. For example:

radius-server host 10.3.3.2 auth-port 1812 acct-port 1813 key cisco

To use different RADIUS servers for authentication and accounting, use two commands as follows:

radius-server host 10.3.3.2 auth-port 1812 acct-port 0 key cisco
radius-server host 10.3.3.3 auth-port 0 acct-port 1813 key cisco

Configuring RADIUS Clients

The RADIUS protocol is based on a client server model. The RADIUS server is the server. Multiple dial-in Network Access Server (NAS) devices are the clients. Before communication can occur, each client must be configured on the server.

An SESM deployment requires that you configure the following NAS clients on the RADIUS server:

The SSG host—This is the Cisco device on which SSG is running, such as the Cisco 7200, Cisco 7400, or a node route processor (NRP) on the Cisco 56. The RADIUS server must recognize each SSG host as a client.

The SESM web portal—This is the NWSP application, or your customized SESM web application. SESM web portals query the RADIUS server directly for service information. The RADIUS server must recognize the SESM web portal as a client.

Table D-1 summarizes the information that might be required to define a NAS client on the RADIUS server. See your RADIUS server vendor documentation for more specific requirements, syntax, and procedures.

Table D-1: NAS Client Configuration

Property	Description
Name or IP Address	Identifies the client. Use either IP address or host name.
Shared Secret	Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message. A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for MD5 encryption of the profile password.
Type	For SSG—Cisco:NAS For SESM—RAD_RFC+ACCT_RFC

Property

Description

Name or IP Address

Identifies the client. Use either IP address or host name.

Shared Secret

Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message.

A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for MD5 encryption of the profile password.

Type

For SSG—Cisco:NAS

For SESM—RAD_RFC+ACCT_RFC

The following sample entries show a Merit RADIUS format defining SESM web portals and an SSG host as RADIUS clients. The examples use the value cisco as the shared secret on all of the clients.

#Entries for SESM-Server clients 
10.3.3.2       cisco     type=RAD_RFC+ACCT_RFC
10.3.3.101     cisco 		    type=RAD_RFC+ACCT_RFC
10.3.3.102     cisco     type=RAD_RFC+ACCT_RFC
 
#Entries for SSG host
192.168.1.6     cisco     type=Cisco:NAS

Adding Cisco SSG Vendor-Specific Attributes to the Attribute Dictionary

An attribute dictionary defines attributes to the RADIUS server. The attribute dictionary contains:

Standard RADIUS attributes as defined by RFC 2138.

Vendor-specific attributes (VSAs) that extend the standard attributes. VSAs add new capabilities, supported by specific vendors, to the RADIUS server. The value of a VSA can be one or more subattributes whose meanings depend on the vendor's definition.

An SESM deployment requires that you add Cisco VSAs to your RADIUS attribute dictionary. See your RADIUS server vendor's documentation for instructions and syntax. The Cisco Access Registrar ships with all of the Cisco SESM VSAs preconfigured.

Table D-2 shows the Cisco VSAs required in an SESM deployment that uses a RADIUS server, which includes:

SESM running in RADIUS mode. In this deployment, the RADIUS server supports authorization, authentication, and accounting features.
SESM running in LDAP mode and using SSG accounting features. In this deployment, the RADIUS server supports accounting features.
SESM running in LDAP mode and using the RDP server in proxy mode. In this deployment, the RADIUS server supports authentication features.

Table D-2: Cisco SSG VSAs

RADIUS Attribute	Vendor ID	Subattribute	Name	Type
26	9	1	Cisco-Avpair	String
26	9	250	Account-Info	String
26	9	251	Service-Info	String
26	9	253	Control-Info	String

Configuring Service Profiles

Service profiles define the services that subscribers can select from an SESM web portal.

In an SESM deployment, you must configure a service profile for each service that will be accessible through the SESM web portal.

Table D-3 briefly describes the attributes in a RADIUS service profile. Use the following references for more information.

If you are using the Cisco Access Registrar, see the "Configuring Cisco Access Registrar for SESM Deployments" section for service profile examples and syntax. Otherwise, see your RADIUS server vendor documentation for the syntax of a service profile
For sample SESM service profiles, see the demo.txt file located in the NWSP config directory (for example, nwsp/config/demo.txt). This file is installed whether or not you choose the demo option. It shows service and subscriber profiles in Merit RADIUS format.
The SSG documentation describes service profile attributes and provides examples of their use. See the "Related Documentation" section for a link to online SSG documentation.

Table D-3: Attributes in Service Profiles

Attribute	Description
Service profile name	An identifying name for a service profile. Each profile name must be unique. Service profile names are used in the subscriber profiles to indicate that a subscriber is subscribed to the service.
Password	Must match the service password that was configured on the SSG host and in SESM. On the SSG host, configure a service password using the following Cisco IOS command: `ssg service password password` In SESM, configure the service password in the following line from the AAA MBean in the nwsp.xml file: `<Set name="servicePassword">servicecisco</Set>`
Service-Type	Standard RADIUS attribute number 6. The value must be "outbound."
Session-Timeout	Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this service (the service object on SSG) can remain active in a session at any one time. When the time expires, SSG deletes the service object, which disconnects the subscriber from the service. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal. Note The NWSP application does not relay this state change to the subscriber. If Session-Timeout is not set, there is no limit on how long the subscriber can use the service. In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.
Idle-Timeout	Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a service connection can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.
Service-Info	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 251. Valid values for Service-Info attributes are: AauthenType—Specifies whether SSG uses the CHAP or PAP protocol to authenticate users for proxy services. Idescription—Service description. Optional. Describes the service. Ttype—Type of service. Optional. Valid values for type are: P—Passthrough. This is the default. T—Tunnel X—Proxy. Indicates that the SSG performs proxy service. Mmode—Service mode. Optional. Valid values for mode are: S—Sequential mode. Prevents the subscriber from accessing any other services while connected to this service. C—Concurrent mode. This is the default. Allows the subscriber to simultaneously log onto this service while connected to other services. Rip_address;mask—Service route (destination). Required. Specifies the network or the host where the service resides. Multiple instances of this attribute can exist within a single service profile, to specify multiple service destinations. An Internet service is typically specified as `"R0.0.0.0;0.0.0.0"`. Dip_address_1[;ip_address_2]—DNS Server Address. Optional. Specifies the IP addresses for the primary and secondary DNS servers to use for the domains that are defined using the O option. Oname1[name2]...[;nameX]—D omain names. Optional. SRadiusServerAddress;authPort;acctPort;secret—Remote server information. Required when type of service (T) is Proxy (X); not applicable for other service types. Specifies the remote RADIUS server that will perform authentication, authorization, and accounting for this service. Gkey—Service next hop gateway. Specifies the next hop key for this service. Each SSG uses its own next hop gateway table that associates this key with a valid IP address. See the "Configuring Next Hop Gateway Profiles" section for information about creating a next hop gateway table. Uurl or Hurl—These attributes specify the URL that is displayed in the HTTP address field when the service opens. If the SESM web portal is designed to use HTML frames, then these options also specify whether the service is displayed in a new browser window or in a frame in the current (SESM) window, as follows: Uurl—URL for a service displayed in its own browser window. Hurl—URL for a service displayed in a frame in the SESM portal window. Note In a frameless application, both U and H cause a new browser window to open for the service. The NWSP application is a frameless application. Bsize—The PPP maximum transmission unit (MTU) for SSG as a LAC. By default, the PPP MTU size is1500 bytes.
Service-Info (continued)	X—Indicates that the RADIUS authentication and accounting requests use the full user name (for example, user@service). Vstring—Service-defined cookie. Optional. Specifies any information that you wish to include in RADIUS authentication and accounting requests. SSG does not parse or interpret string. You must configure the proxy RADIUS server to interpret this attribute. SSG supports only one service-defined cookie per service profile. Use this attribute to add fields to accounting records.
Cisco-AVpair	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a service profile are: "ip:inacl[#number]={standardACL \| extendedACL}"—Upstream access control list (ACL). Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the subscriber. "ip:outacl[#number]={standardACL \| extendedACL}"—Downstream ACL. Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the subscriber. number—Identifies the access list. If a profile includes multiple inacl or outacl attributes, the attributes are downloaded and executed according to the order implied by number. standardACL—A Cisco IOS standard ACL. extendedACL—A Cisco IOS extended ACL. Note A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL. "vpdn:ip-addresses=address1[<delimiter>address2][<delimiter>address3]..."—Virtual private dial-up network (VPDN) IP address. Specifies the IP addresses of the home gateways (LNSs) to receive the L2TP connections. address—IP address of the home gateway. <delimiter>—A comma (,) or a space ( ) indicates that the SSG selects load sharing among IP addresses. A slash (/) indicates that the SSG considers IP addresses on the left side of the slash a higher priority than those on the right side of the slash. "vpdn:tunnel-id=name"—VPDN tunnel ID. Specifies the name of the tunnel that must match the tunnel ID specified in the LNS VPDN group. "vpdn:tunnel-password=secret"—L2TP tunnel password. Specifies the secret (password) used for L2TP tunnel authentication. "vpdn:12tp-hello-interval=interval"—L2TP hello interval. Specifies the number of seconds for the hello keepalive interval.

Example Service Profiles

The service configuration examples in this section use a Merit RADIUS format.

Example Service Profile for Passthrough Service

internet Password = "servicecisco", Service-Type = Outbound

Service-Info = "IInternet",
Service-Info = "R153.153.153.0;255.255.255.0",
Service-Info = "MC",
Service-Info = "TP"

Example Service Profile for Proxy Service

corporate Password = "servicecisco", Service-Type = Outbound

Service-Info = "ICorporate Intranet (proxy)",
Service-Info = "R154.154.154.0;255.255.255.0",
Service-Info = "S10.3.3.101;1812;1813;cisco",
Service-Info = "MC",
Service-Info = "TX"

Example Service Profile Using Timeout Values

iptv Password = "servicecisco", Service-Type = Outbound

Service-Info = "IIP/TV",
Service-Info = "R160.160.160.0;255.255.255.0",
Service-Info = "MC",
Service-Info = "TP"
Idle-Timeout = 60,
Session-Timeout = 60

Configuring Service Group Profiles

Service group profiles contain a list of services. Table D-4 briefly describes the attributes in a RADIUS subscriber profile.

Table D-4: Attributes in Service Group Profiles

Attribute	Description
Password
Service-Type	Standard RADIUS attribute number 6. The level of service. Must be outbound.
Account-Info	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are: "Idescription"—Describes the service group. If this field is omitted, the service group profile name is used. "GName"—Service group name. "Nname"—Lists the services that belong to the group. "TE"—Indicates that this is a mutually exclusive service group.

Attribute

Description

Password

Service-Type

Standard RADIUS attribute number 6. The level of service. Must be outbound.

Account-Info

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are:

"Idescription"—Describes the service group. If this field is omitted, the service group profile name is used.
"GName"—Service group name.
"Nname"—Lists the services that belong to the group.
"TE"—Indicates that this is a mutually exclusive service group.

Example Service Group Profiles

The service group configuration examples in this section use a Merit RADIUS format.

Example Service Group Profile

SvcGroup1 Password = "servicecisco", Service-Type = Outbound

Account-Info = "Nvidconf",
Account-Info = "Ndistlearn",
Account-Info = "Ncorporate",
Account-Info = "Nbanking"

Example Service Group Profile for a Mutex Group

MutexGrp1 Password = "groupcisco", Service-Type = Outbound

Account-Info = "IBandwidth-QoS",
Account-Info = "Nbw-gold",
Account-Info = "Nbw-silver",
Account-Info = "Nbw-bronze",
Account-Info = "TE"

Configuring Subscriber Profiles

Subscriber profiles define SESM logon names and passwords, access control lists associated with each logon, and subscribed services for each logon.

In an SESM RADIUS mode deployment, you must define a subscriber profile for each subscriber that will sign onto an SESM portal from a web browser.

Table D-5 briefly describes the attributes in a RADIUS subscriber profile. Use the following references for more information:

If you are using the Cisco Access Registrar, see the "Configuring Cisco Access Registrar for SESM Deployments" section for subscriber profile examples and syntax. Otherwise, see your RADIUS server vendor documentation for the syntax of a subscriber profile
For sample SESM subscriber profiles, see the demo.txt file located in the NWSP config directory (for example, nwsp/config/demo.txt). This file is installed whether or not you choose the demo option. It shows service and subscriber profiles in Merit RADIUS format.
The SSG documentation describes subscriber profile attributes and provides examples of their use. See the "Related Documentation" section for a link to online SSG documentation.

Table D-5: Attributes in Subscriber Profiles

Attribute	Description
User-Name	Standard RADIUS attribute number 1. The subscriber name used for authentication.
User-Password	Standard RADIUS attribute number 2. The subscriber password used for authentication.
Called-Station_Id	Standard RADIUS attribute number 30. The access point name (APN), which can optionally be used for authentication.
Calling-Station_Id	Standard RADIUS attribute number 31. The MSISDN, which can optionally be used for authentication.
NAS-Identifier	Standard RADIUS attribute number 32. The NAS identifier, which can optionally be used for authentication.
Session-Timeout	Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this subscriber session (the host object on SSG) can remain active at any one time. When the time expires, SSG deletes the host object, which ends the session. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal. Note The NWSP application does not relay this state change to the subscriber. If Session-Timeout is not set, there is no limit on how long the session lasts. In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.
Idle-Timeout	Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a subscriber session can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.
Account-Info	Note In SSG Release 12.2.4(B) or later, if a point-to-point protocol (PPP) subscriber profile does not include any VSAs, the SSG does not create a host object for the subscriber and therefore, the SSG does not apply any control over the subscriber's access. The fact that the PPP link is established and the SSG is not applying any control means that the subscriber has unrestricted access to any downstream connections defined in the subscriber's profile or by the Cisco IOS configuration on the SSG host device. If it is important to avoid this situation, make sure that all PPP clients are subscribed to at least one service or define any other Cisco SSG VSA in the profile, such as a Uurl or Hurl attribute. A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are: "NserviceName"—Service name. Subscribes the subscriber to the specified service and includes the service in the service list obtained by the SESM web portal. The serviceProfileName must be defined in a service profile. There can be multiple instances of this attribute within a subscriber profile. "GserviceGroupProfileName"—Service group. Creates a folder for the service group on the subscriber's SESM web portal. The serviceGroupProfileName must be defined in a service group profile. There can be multiple instances of this attribute within a subscriber profile.
Account-Info (continued)	"AautoConnectServiceName"—Automatic connection. Subscribes the subscriber to the specified service and indicates that the subscriber should be automatically connected to this service after successful logon. Note The service list displayed by SESM does not include A entries. It only shows N entries. To display an auto connect service on the SESM service list, include both an A and an N entry for the service in the profile. See the "Example Subscriber Profile for Auto Services" section for an example. "Uurl or Hurl"—These attributes specify the URL for the user's preferred Internet home page. If the SESM web portal is designed to use HTML frames, then these options also specify whether the home page is displayed in a new browser window or in a frame in the current (SESM) window, as follows: Uurl—URL for the home page displayed in its own browser window. Hurl—URL for the home page displayed in a frame in the SESM browser window. Note In a frameless application, both U and H cause a new browser window to open for the home page. The NWSP application is a frameless application. "RIgroup;duration[;service]"—Overrides the TCP redirect configuration on the SSG for initial logon redirections. The group is the captive portal group to use for initial logon redirections for this subscriber. The group must be configured on the SSG with TCP redirect commands. The duration is the duration of the captivation (in seconds). If you specify the optional service field, initial logon redirection occurs only when the subscriber requests connection to the named service. "RAgroup;duration;frequency[;service]"—Overrides the TCP redirect configuration on the SSG for advertisement redirections. The group is the captive portal group to use for advertisement redirections for this subscriber. The group must be configured on the SSG with TCP redirect commands. The duration is the duration of the captivation (in seconds). The frequency is the approximate interval between redirections (in seconds). If you specify the optional service field, redirection occurs only when the subscriber requests connection to the named service.
Account-Info (continued)	"RS"—The subscriber has SMTP forwarding capability.
Cisco-AVpair	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a subscriber profile are: "ip:inacl[#number]={standardACL \| extendedACL}"—Upstream access control list (ACL). Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the subscriber. "ip:outacl[#number]={standardACL \| extendedACL}"—Downstream ACL. Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the subscriber. number—Identifies the access list. If a profile includes multiple inacl or outacl attributes, the attributes are downloaded and executed according to the order implied by number. standardACL—A Cisco IOS standard ACL. extendedACL—A Cisco IOS extended ACL. Note A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL.
Cisco-AVpair

Example Subscriber Profiles

The subscriber profile example in this section is in a Merit RADIUS format.

Example Subscriber Profile for Auto Services

user1 Password = "cisco"

Service-Type = Framed-User,
Account-Info = "Ainternet",      (hidden on the subscriber's web page)
Account-Info = "Ninternet"       (makes it visible)

Note The first Account-Info line specifies automatic connection to the service. If you do not include the second line, the auto connection service does not appear on the SESM web portal. To display the service on the SESM web portal, you must include both entries as shown in the example.

Configuring Next Hop Gateway Profiles

Next Hop Gateway profiles associate next hop gateway keys with IP addresses. Because multiple SSGs might access services from different networks, service profiles can specify next hop keys. (See the service-info G attribute in Table D-3.) If this is the case, you must configure a next hop gateway pseudo-service profile to resolve the keys to valid IP addresses.

An example next hop gateway pseudo-service profile follows:

ssg-next-hop Password = "xssg-key"

Control-Info = "Gl2tp-net7;192.168.1.101",
Control-Info = "Gl2tp-net40;192.168.1.102",
Control-Info = "Gweb-key;192.168.1.101",
Control-Info = "Gproxy-radius-key;192.168.1.101",
Control-Info = "Gxint-24;192.168.1.101"

Configuring the RADIUS Accounting Feature

If you configure a RADIUS accounting port, SSG generates accounting records and forwards them to the RADIUS server. To configure a RADIUS server for accounting only, you must perform the following configuration steps.

Configure the NAS clients as described in the "Configuring RADIUS Clients" section.
Add the Cisco VSAs to the RADIUS server attribute dictionary, as described in the "Adding Cisco SSG Vendor-Specific Attributes to the Attribute Dictionary" section.
Configure an accounting port, as described in the "Configuring SSG to Communicate with the RADIUS Server" section.

Note You do not need to provide service and subscriber profiles if you are using the RADIUS server solely for accounting purposes.

The subscriber actions that cause SSG to generate a RADIUS accounting record are:

Subscriber logs in
Subscriber logs off
Subscriber accesses a service
Subscriber terminates a service

Use the following references for more information:

SSG documentation—Describes the attributes contained in the accounting records
RADIUS server vendor documentation—Describes RADIUS accounting capabilities

Configuring Cisco Access Registrar for SESM Deployments

This section describes how to configure the Cisco Access Registrar (Cisco AR) for an SESM deployment. The section includes profile examples in Cisco AR format.

Configuring the RADIUS Ports

By default, Cisco Access Registrar listens on ports 1645 and 1646 for any type of RADIUS request. You can configure Cisco Access Registrar to listen on ports 1812 and 1813 instead by entering the following commands:

add /Radius/Advanced/Ports/1812
add /Radius/Advanced/Ports/1813

These commands cause Cisco Access Registrar to listen on the explicitly defined ports, 1812 and 1813, for all types of RADIUS requests. It no longer listens on the default ports.

Cisco SSG VSAs in Cisco Access Registrar Dictionary

Cisco Access Registrar is installed with the following Cisco VSAs already defined in its attribute dictionary:

Cisco-AVPair
Cisco-SSG-Account-Info
Cisco-SSG-Service-Info
Cisco-SSG-Command-Code
Cisco-SSG-Control-Info

Configuring NAS Clients in Cisco Access Registrar

Use the following commands to configure the NAS clients required by an SESM deployment:

add /Radius/Clients/SESM1 "" 10.3.3.2 cisco
add /Radius/Clients/SESM2 "" 10.3.3.101 cisco
add /Radius/Clients/SESM1 "" 10.3.3.102 cisco

Configuring Attribute Profiles in Cisco Access Registrar

This section shows commands for creating sample profiles in Cisco Access Registrar format.

Internet Service Profile

add /Radius/Profiles/internet-profile
set /Radius/Profiles/internet-profile/Attributes/Cisco-SSG-Service-Info IInternet

R153.153.153.0;255.255.255.0 MC TP

Corporate Service Profile

add /Radius/Profiles/corporate-profile
set /Radius/Profiles/corporate-profile/Attributes/Cisco-SSG-Service-Info "ICorporate

Intranet(proxy)" R154.154.154.0;255.255.255.0 S10.3.3.101;1812;1813;cisco MC TX

IPTV Profile

add /Radius/Profiles/iptv-profile
set /Radius/Profiles/iptv-profile/Attributes/Cisco-SSG-Service-Info IIP/TV

R160.160.160.0;255.255.255.0 MC TP

set /Radius/Profiles/iptv-profile/Attributes/Idle-Timeout 60
set /Radius/Profiles/iptv-profile/Attributes/Session-Timeout 60

Standard Subscriber Profile

add /Radius/Profiles/std-user-profile
set /Radius/Profiles/std-user-profile/Attributes/Service-Type Framed
set /Radius/Profiles/std-user-profile/Attributes/Cisco-SSG-Account-Info Ainternet

Ninternet

Pseudo-service Profile

add /Radius/Profiles/pseudo-service-profile
set /Radius/Profiles/pseudo-service-profile/Attributes/Cisco-SSG-Control-Info

Gl2tp-net7;192.168.1.101 Gl2tp-net40;192.168.1.102 Gweb-key;192.168.1.101 Gproxy-radius-key;192.168.1.101 Gxint-24;192.168.1.101

Configuring Cisco Access Registrar Userlists and Authentication and Authorization Services

This section describes how to configure userlists and authentication and authorization services on Cisco Access Registrar.

Configuring Userlist for SESM Services

The following commands configure userlists containing SESM services and corresponding attribute profiles.

add /Radius/Userlists/SESMservices
add /Radius/Userlists/SESMservices/internet "" servicecisco TRUE "" internet-profile
add /Radius/Userlists/SESMservices/corporate "" servicecisco TRUE "" corporate-profile
add /Radius/Userlists/SESMservices/iptv "" servicecisco TRUE "" iptv-profile

Configuring Userlist for SESM Users

The following commands configure userlists containing SESM users and corresponding attribute profiles.

add /Radius/Userlists/SESMusers
add /Radius/Userlists/SESMusers/user1 "" cisco TRUE "" std-user-profile
add /Radius/Userlists/SESMusers/ssg-next-hop "" xssg-key TRUE "" pseudo-service-profile

Configuring AA Services

The following commands configure Cisco Access Register AA services. The first command configures services for the SESM services userlist. The second command configures services for SESM users userlist.

add /Radius/Services/Outbound "" local "" "" RejectAll "" SESMservices
add /Radius/Services/SESMdefault "" local "" "" RejectAll "" SESMusers

Checking the Service-Type Attribute

The following commands configure Cisco Access Registrar to check the Service-Type attribute in the request. If Service-Type is set to Outbound, then the Outbound AA service is used; otherwise, the SESM default AA service is used.

set /Radius/DefaultAuthenticationService ${q|Service-Type}{SESMdefault}
set /Radius/DefaultAuthorizationService ${q|Service-Type}{SESMdefault}

Configuring Accounting on Cisco Access Registrar

To configure accounting services, use the following commands:

add /Radius/Services/SESMaccounting "" file
set /Radius/DefaultAccountingService SESMaccounting

Saving the Configuration and Reloading the Server

To save the configuration and reload the Cisco Access Registrar server, use the following commands:

save
reload

Table of Contents