This appendix describes the configuration steps required to include a RADIUS server in a Cisco Subscriber Edge Services Manager (SESM) deployment. This appendix includes the following topics:
radius-server host 10.3.3.2 auth-port 1812 acct-port 1813 key cisco
To use different RADIUS servers for authentication and accounting, use two commands as follows:
radius-server host 10.3.3.2 auth-port 1812 acct-port 0 key cisco
radius-server host 10.3.3.3 auth-port 0 acct-port 1813 key cisco
The RADIUS protocol is based on a client-server model. The RADIUS server is the server. Multiple dial-in Network Access Server (NAS) devices are the clients. Before communication can occur, each client must be configured on the server.
An SESM deployment requires that you configure the following NAS clients on the RADIUS server:
Table C-1 summarizes the information that might be required to define a NAS client on the RADIUS server. See your RADIUS server vendor documentation for more specific requirements, syntax, and procedures.
Property | Description |
---|---|
Name or IP Address | Identifies the client. Use either IP address or host name. |
Shared secret | Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message. A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for MD5 encryption of the profile password. |
Type | For SSG: Cisco:NAS. For SESM: RAD_RFC+ACCT_RFC |
The following sample entries show a Merit RADIUS format defining SESM web portals and an SSG host as RADIUS clients. The examples use the value cisco as the shared secret on all of the clients.
#Entries for SESM-Server clients
10.3.3.2 cisco type=RAD_RFC+ACCT_RFC
10.3.3.101 cisco type=RAD_RFC+ACCT_RFC
10.3.3.102 cisco type=RAD_RFC+ACCT_RFC
#Entries for SSG host
192.168.1.6 cisco type=Cisco:NAS
SESM applications, including RDP, CDAT, and the portal applications, internally predefine the standard RADIUS attributes and the Cisco SSG VSAs. You can use these predefined attributes in RADIUS and LDAP profiles whether or not they are defined in an attribute dictionary. See the "SESM Predefined Attributes" section for predefined attribute names.
Table C-2 lists the standard RADIUS attribute names that are predefined in SESM applications. Table C-3 shows the Cisco SSG VSAs that are predefined in SESM applications.
RADIUS Attribute Names (1) | | |
---|---|---|
USER_NAME | SESSION_TIMEOUT | ACCT_LINK_COUNT |
USER_PASSWORD | IDLE_TIMEOUT | ACCT_INPUT_GIGAWORDS |
CHAP_PASSWORD | TERMINATION_ACTION | ACCT_OUTPUT_GIGAWORDS |
NAS_IP_ADDRESS | CALLED_STATION_ID | EVENT_TIMESTAMP |
NAS_PORT | CALLING_STATION_ID | CHAP_CHALLENGE |
SERVICE_TYPE | NAS_IDENTIFIER | NAS_PORT_TYPE |
FRAMED_PROTOCOL | PROXY_STATE | PORT_LIMIT |
FRAMED_IP_ADDRESS | LOGIN_LAT_SERVICE | LOGIN_LAT_PORT |
FRAMED_IP_NETMASK | LOGIN_LAT_NODE | ARAP_PASSWORD |
FRAMED_ROUTING | LOGIN_LAT_GROUP | ARAP_FEATURES |
FILTER_ID | FRAMED_APPLETALK_LINK | ARAP_ZONE_ACCESS |
FRAMED_MTU | FRAMED_APPLETALK_NETWORK | ARAP_SECURITY |
FRAMED_COMPRESSION | FRAMED_APPLETALK_ZONE | ARAP_SECURITY_DATA |
LOGIN_IP_HOST | ACCT_STATUS_TYPE | PASSWORD_RETRY |
LOGIN_SERVICE | ACCT_DELAY_TIME | PROMPT |
LOGIN_TCP_PORT | ACCT_INPUT_OCTETS | CONNECT_INFO |
REPLY_MESSAGE | ACCT_OUTPUT_OCTETS | CONFIGURATION_TOKEN |
CALLBACK_NUMBER | ACCT_SESSION_ID | EAP_MESSAGE |
CALLBACK_ID | ACCT_AUTHENTIC | MESSAGE_AUTHENTICATOR |
FRAMED_ROUTE | ACCT_SESSION_TIME | ARAP_CHALLENGE_RESPONSE |
FRAMED_IPX_NETWORK | ACCT_INPUT_PACKET | ACCT_INTERIM_INTERVAL |
STATE | ACCT_OUTPUT_PACKETS | NAS_PORT_ID |
CLASS | ACCT_TERMINATE_CAUSE | FRAMED_POOL |
VENDOR | ACCT_MULTI_SESSION_ID | |
(1) A hyphen (-) can replace the underbar (_) in RADIUS attribute names. The attribute names are not case-sensitive.
RADIUS Attribute | Vendor ID | Subattribute | Name (1) | Type |
---|---|---|---|---|
26 | 9 | 1 | Cisco-Av | String |
26 | 9 | 250 | Account-Info | String |
26 | 9 | 251 | Service-Info | String |
26 | 9 | 252 | Command-Code | BINARY |
26 | 9 | 253 | Control-Info | String |
(1) The hyphen (-) and underbar (_) are interchangeable in RADIUS attribute names. The attribute names are not case-sensitive.
Dynamic attributes are defined as new subattributes under the standard RADIUS vendor-specific attribute number 26.
Valid formats are:
Note: If you omit attributeName, the parentheses surrounding the attribute definition are optional, but recommended.
Where:
Note: To use the attribute by name in a different profile, the user whose profile contains the attribute definition must log onto the portal before any user whose profile contains only the new attribute name without the definition.
An example follows:
Other valid syntax is:
name([[type=]26],[vendorId=]vendorId,[vendorType=]vendorType,[dataType=]dataType)
In a Merit file, define a new attribute and assign a value in the following format:
[attributeName](attributeDefinition) = "attributeValue"
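A parser for the Merit-file dynamic attribute syntax just described, added here as an illustration and not part of the SESM distribution. It accepts positional, keyed (type=, vendorId=, vendorType=, dataType=) or mixed definition fields, defaults the RADIUS attribute type to 26, and rejects lines that give an attribute name without parentheses, as the note above requires. The attribute name Cisco-SSG-Custom and subattribute 254 used in the test are constructed, not real SSG VSAs.

```python
import re

# One Merit-file line in the dynamic attribute syntax described above:
#   [attributeName](attributeDefinition) = "attributeValue"
# with attributeDefinition being
#   [[type=]26],[vendorId=]vendorId,[vendorType=]vendorType,[dataType=]dataType
# The parentheses may be left out only when attributeName is omitted.
LINE = re.compile(
    r'^\s*(?P<name>[A-Za-z][\w-]*(?=\s*(?:\(|=\s*")))?\s*'
    r'(?:\((?P<paren>[^()]*)\)|(?P<bare>[\w=]+(?:\s*,\s*[\w=]+)+))?'
    r'\s*=\s*"(?P<value>[^"]*)"\s*$'
)
FIELDS = ("type", "vendorId", "vendorType", "dataType")

def parse_definition(definition):
    """Accept positional, keyed, or mixed fields; a missing type defaults to 26."""
    parts = [p.strip() for p in definition.split(",")]
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 fields, got {len(parts)}: {definition!r}")
    slots = FIELDS if len(parts) == 4 else FIELDS[1:]
    out = {}
    for slot, part in zip(slots, parts):
        key, keyed, val = part.partition("=")
        if keyed and key.strip().lower() != slot.lower():
            raise ValueError(f"field {key.strip()!r} out of order, expected {slot}")
        out[slot] = (val if keyed else key).strip()
    out.setdefault("type", "26")
    if out["type"] != "26":
        raise ValueError("dynamic attributes must be subattributes of RADIUS attribute 26")
    out["type"] = 26
    for num in ("vendorId", "vendorType"):
        if not out[num].isdigit():
            raise ValueError(f"{num} must be numeric: {out[num]!r}")
        out[num] = int(out[num])
    if not 1 <= out["vendorType"] <= 255:
        raise ValueError("vendorType must be 1..255")
    return out

def parse_line(line):
    """Return {'name', 'definition', 'value'}; 'definition' is None when the line
    only references an attribute defined earlier or predefined by SESM."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"not a Merit attribute line: {line!r}")
    name, definition = m.group("name"), m.group("paren") or m.group("bare")
    if name is None and definition is None:
        raise ValueError("line has neither an attribute name nor a definition")
    return {"name": name, "value": m.group("value"),
            "definition": parse_definition(definition) if definition else None}
```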
In CDAT, define a new attribute and assign a value in the Local RADIUS attributes field as follows:
For example:
Table C-4 briefly describes the attributes in a RADIUS service profile. Use the following references for more information.
Attribute | Description |
---|---|
Service profile name | An identifying name for a service profile. Each profile name must be unique. Service profile names are used in the subscriber profiles to indicate that a subscriber is subscribed to the service. |
Password | Must match the service password on the RADIUS server. SESM obtains the service password directly from the RADIUS server. In SESM, configure this password in the servicePassword attribute in the AAA MBean. |
Service-Type | Standard RADIUS attribute number 6. The value must be "outbound." |
Session-Timeout | Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this service (the service object on SSG) can remain active in a session at any one time. When the time expires, SSG deletes the service object, which disconnects the subscriber from the service. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal. Note: The NWSP application does not relay this state change to the subscriber. If Session-Timeout is not set, there is no limit on how long the subscriber can use the service. In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem. |
Idle-Timeout | Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a service connection can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute. |
Service-Info | A vendor-specific attribute (attribute number 26), vendor 9, subattribute 251. Valid values for Service-Info attributes are: Note: In a frameless application, both U and H cause a new browser window to open for the service. The NWSP application is a frameless application. |
Cisco-AVpair | A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a service profile are: Note: A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL. |
The service configuration examples in this section use a Merit RADIUS format.
internet Password = "servicecisco", Service-Type = Outbound
Service-Info = "IInternet",
Service-Info = "R153.153.153.0;255.255.255.0",
Service-Info = "MC",
Service-Info = "TP"
corporate Password = "servicecisco", Service-Type = Outbound
Service-Info = "ICorporate Intranet (proxy)",
Service-Info = "R154.154.154.0;255.255.255.0",
Service-Info = "S10.3.3.101;1812;1813;cisco",
Service-Info = "MC",
Service-Info = "TX"
iptv Password = "servicecisco", Service-Type = Outbound
Service-Info = "IIP/TV",
Service-Info = "R160.160.160.0;255.255.255.0",
Service-Info = "MC",
Service-Info = "TP"
Idle-Timeout = 60,
Session-Timeout = 60
Service group profiles contain a list of services. Table C-5 briefly describes the attributes in a RADIUS service group profile.
Attribute | Description |
---|---|
Password | The password required to obtain the profile. |
Service-Type | Standard RADIUS attribute number 6. The level of service. Must be outbound. |
Account-Info | A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are: |
The service group configuration examples in this section use a Merit RADIUS format.
SvcGroup1 Password = "servicecisco", Service-Type = Outbound
Account-Info = "Nvidconf",
Account-Info = "Ndistlearn",
Account-Info = "Ncorporate",
Account-Info = "Nbanking"
MutexGrp1 Password = "groupcisco", Service-Type = Outbound
Account-Info = "IBandwidth-QoS",
Account-Info = "Nbw-gold",
Account-Info = "Nbw-silver",
Account-Info = "Nbw-bronze",
Account-Info = "TE"
In an SESM RADIUS mode deployment, you must define a subscriber profile for each subscriber that will sign onto an SESM portal from a web browser.
Table C-6 briefly describes the attributes in a RADIUS subscriber profile. Use the following references for more information:
Attribute | Description |
---|---|
User-Name | Standard RADIUS attribute number 1. The subscriber name used for authentication. |
User-Password | Standard RADIUS attribute number 2. The subscriber password used for authentication. |
Called-Station-Id | Standard RADIUS attribute number 30. The access point name (APN), which can optionally be used for authentication. |
Calling-Station-Id | Standard RADIUS attribute number 31. The MSISDN, which can optionally be used for authentication. |
NAS-Identifier | Standard RADIUS attribute number 32. The NAS identifier, which can optionally be used for authentication. |
Session-Timeout | Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this subscriber session (the edge session on SSG) can remain active at any one time. When the time expires, SSG ends the session. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal. Note: The NWSP application does not relay this state change to the subscriber. If Session-Timeout is not set, there is no limit on how long the session lasts. In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem. |
Idle-Timeout | Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a subscriber session can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute. |
Account-Info | A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are: Note: The service list displayed by SESM does not include A entries. It only shows N entries. To display an auto connect service on the SESM service list, include both an A and an N entry for the service in the profile. See the "Example Subscriber Profile for Auto Services" section for an example. Note: In a frameless application, both U and H cause a new browser window to open for the home page. The NWSP application is a frameless application. Note: The $ in a subattribute code indicates that the subattribute is used only by SESM, and not by SSG or other Cisco network devices. Note: Deployers might see $ subcodes in access accept messages from SSG that are not documented below. SSG uses $ subcodes to identify information about the subscriber that it passes along for SESM use, such as MAC address, VPI/VCI, MSISDN number, and other connection information. Those codes are not documented in this guide because they are not used in subscriber profiles. For example: "$AAgivenName;S;James" and "$AAhobbies;V;{sports;news;travel}" |
Cisco-AVpair | A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a subscriber profile are: Note: A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL. |
The subscriber profile examples in this section are in a Merit RADIUS format.
user1 Password = "cisco"
Service-Type = Framed-User,
Account-Info = "Ainternet", (hidden on the subscriber's web page)
Account-Info = "Ninternet" (makes it visible)
golduser Password = "cisco"
Service-Type = Framed-User,
Account-Info = "$UGgold",
Account-Info = "Ainternet_gold",
Account-Info = "Ninternet_gold",
Account-Info = "Ncorporate",
Account-Info = "Ngames",
Account-Info = "Ndiscount_shopping",
Account-Info = "Hhttp://www.spiderbait.com",
Account-Info = "$PESelf Manage",
Account-Info = "$PESubaccount Manage",
Account-Info = "$PEService Subscription",
Account-Info = "$SAbanking",
Account-Info = "$GAnewsgroup",
Account-Info = "$AAinitials;V;{A}",
Account-Info = "$AAgender;S;female",
Account-Info = "$AAsurname;S;Goodbody",
Account-Info = "$AAtitle;S;Miss",
Account-Info = "$AAgivenName;S;Felicity",
Account-Info = "$AAhobbies;V;{science;news;travel}"
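A parser and consistency check for the Merit-format profiles shown in this section and in the service profile examples earlier, added here as an illustration and not part of the SESM distribution. It applies rules the tables state (service profiles must carry Service-Type = Outbound; an A entry needs a matching N entry to be listed; next hop G keys must resolve in the ssg-next-hop profile) and reports where a Service-Info S entry stores a RADIUS shared secret in cleartext, which is worth knowing when deciding who may read the profile store. The sample is constructed from this page's examples with a deliberately faulty profile ("broken") added.

```python
import re
from collections import defaultdict

# Constructed Merit-format sample: trimmed copies of the internet, corporate and
# user1 profiles above, plus a faulty "broken" service and a next hop profile.
SAMPLE = """\
internet Password = "servicecisco", Service-Type = Outbound
Service-Info = "IInternet",
Service-Info = "R153.153.153.0;255.255.255.0"
corporate Password = "servicecisco", Service-Type = Outbound
Service-Info = "ICorporate Intranet (proxy)",
Service-Info = "S10.3.3.101;1812;1813;cisco"
broken Password = "servicecisco"
Service-Info = "Gxint-24"
user1 Password = "cisco"
Service-Type = Framed-User,
Account-Info = "Ainternet",
Account-Info = "Nbroken"
ssg-next-hop Password = "xssg-key"
Control-Info = "Gweb-key;192.168.1.101"
"""
# A profile starts where the first token is a name and the second an attribute.
START = re.compile(r"^([\w$.-]+)\s+(?=[A-Za-z][\w-]*\s*=)")
PAIR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("[^"]*"|[^,\s]+)')

def parse_merit(text):
    # Returns {profile name: {attribute: [values in file order]}}.
    profiles, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := START.match(line):
            current = profiles.setdefault(m.group(1), defaultdict(list))
            line = line[m.end():]
        if current is None:
            raise ValueError(f"attribute line before any profile: {line!r}")
        for attr, value in PAIR.findall(line):
            current[attr].append(value.strip('"'))
    return profiles

def validate(profiles):
    # Checks drawn from Tables C-4 and C-6 and the next hop gateway section.
    findings = []
    next_hop = profiles.get("ssg-next-hop", {}).get("Control-Info", [])
    keys = {v[1:].split(";")[0] for v in next_hop if v[:1] == "G"}
    for name, attrs in profiles.items():
        service_info = attrs.get("Service-Info", [])
        if service_info and attrs.get("Service-Type") != ["Outbound"]:
            findings.append(f"{name}: service profile must set Service-Type = Outbound")
        for v in service_info:
            if v[:1] == "S":  # S<ip>;<auth>;<acct>;<secret> carries a shared secret in clear
                findings.append(f"{name}: RADIUS shared secret stored in Service-Info for {v[1:].split(';')[0]}")
            elif v[:1] == "G" and v[1:] not in keys:
                findings.append(f"{name}: next hop key {v[1:]!r} is not resolved by ssg-next-hop")
        account_info = attrs.get("Account-Info", [])
        auto = {v[1:] for v in account_info if v[:1] == "A"}
        listed = {v[1:] for v in account_info if v[:1] == "N"}
        for svc in sorted(auto - listed):
            findings.append(f"{name}: auto-connect service {svc!r} has no N entry, so SESM will not list it")
    return findings
```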
See the aaa.properties file in the nwsp/config directory for more examples.
Next Hop Gateway profiles associate next hop gateway keys with IP addresses. Because multiple SSGs might access services from different networks, service profiles can specify next hop keys. (See the service-info G attribute in Table C-4.) If this is the case, you must configure a next hop gateway pseudo-service profile to resolve the keys to valid IP addresses.
An example next hop gateway pseudo-service profile follows:
ssg-next-hop Password = "xssg-key"
Control-Info = "Gl2tp-net7;192.168.1.101",
Control-Info = "Gl2tp-net40;192.168.1.102",
Control-Info = "Gweb-key;192.168.1.101",
Control-Info = "Gproxy-radius-key;192.168.1.101",
Control-Info = "Gxint-24;192.168.1.101"
Note: You do not need to provide service and subscriber profiles if you are using the RADIUS server solely for accounting purposes.
The subscriber actions that cause SSG to generate a RADIUS accounting record are:
Use the following references for more information:
By default, Cisco Access Registrar listens on ports 1645 and 1646 for any type of RADIUS request. You can configure Cisco Access Registrar to listen on ports 1812 and 1813 instead by entering the following commands:
add /Radius/Advanced/Ports/1812
add /Radius/Advanced/Ports/1813
These commands cause Cisco Access Registrar to listen on the explicitly defined ports, 1812 and 1813, for all types of RADIUS requests. It no longer listens on the default ports.
Cisco Access Registrar is installed with the following Cisco VSAs already defined in its attribute dictionary:
Use the following commands to configure the NAS clients required by an SESM deployment:
add /Radius/Clients/SESM1 "" 10.3.3.2 cisco
add /Radius/Clients/SESM2 "" 10.3.3.101 cisco
add /Radius/Clients/SESM3 "" 10.3.3.102 cisco
This section shows commands for creating sample profiles in Cisco Access Registrar format.
add /Radius/Profiles/internet-profile
set /Radius/Profiles/internet-profile/Attributes/Cisco-SSG-Service-Info IInternet R153.153.153.0;255.255.255.0 MC TP
add /Radius/Profiles/corporate-profile
set /Radius/Profiles/corporate-profile/Attributes/Cisco-SSG-Service-Info "ICorporate Intranet(proxy)" R154.154.154.0;255.255.255.0 S10.3.3.101;1812;1813;cisco MC TX
add /Radius/Profiles/iptv-profile
set /Radius/Profiles/iptv-profile/Attributes/Cisco-SSG-Service-Info IIP/TV R160.160.160.0;255.255.255.0 MC TP
set /Radius/Profiles/iptv-profile/Attributes/Idle-Timeout 60
set /Radius/Profiles/iptv-profile/Attributes/Session-Timeout 60
add /Radius/Profiles/std-user-profile
set /Radius/Profiles/std-user-profile/Attributes/Service-Type Framed
set /Radius/Profiles/std-user-profile/Attributes/Cisco-SSG-Account-Info Ainternet Ninternet
add /Radius/Profiles/pseudo-service-profile
set /Radius/Profiles/pseudo-service-profile/Attributes/Cisco-SSG-Control-Info Gl2tp-net7;192.168.1.101 Gl2tp-net40;192.168.1.102 Gweb-key;192.168.1.101 Gproxy-radius-key;192.168.1.101 Gxint-24;192.168.1.101
This section describes how to configure userlists and authentication and authorization services on Cisco Access Registrar.
The following commands configure userlists containing SESM services and corresponding attribute profiles.
add /Radius/Userlists/SESMservices
add /Radius/Userlists/SESMservices/internet "" servicecisco TRUE "" internet-profile
add /Radius/Userlists/SESMservices/corporate "" servicecisco TRUE "" corporate-profile
add /Radius/Userlists/SESMservices/iptv "" servicecisco TRUE "" iptv-profile
The following commands configure userlists containing SESM users and corresponding attribute profiles.
add /Radius/Userlists/SESMusers
add /Radius/Userlists/SESMusers/user1 "" cisco TRUE "" std-user-profile
add /Radius/Userlists/SESMusers/ssg-next-hop "" xssg-key TRUE "" pseudo-service-profile
The following commands configure Cisco Access Registrar AA services. The first command configures services for the SESM services userlist. The second command configures services for the SESM users userlist.
add /Radius/Services/Outbound "" local "" "" RejectAll "" SESMservices
add /Radius/Services/SESMdefault "" local "" "" RejectAll "" SESMusers
The following commands configure Cisco Access Registrar to check the Service-Type attribute in the request. If Service-Type is set to Outbound, then the Outbound AA service is used; otherwise, the SESM default AA service is used.
set /Radius/DefaultAuthenticationService ${q|Service-Type}{SESMdefault}
set /Radius/DefaultAuthorizationService ${q|Service-Type}{SESMdefault}
To configure accounting services, use the following commands:
add /Radius/Services/SESMaccounting "" file
set /Radius/DefaultAccountingService SESMaccounting
To save the configuration and reload the Cisco Access Registrar server, use the following commands:
save
reload
Posted: Fri Oct 18 10:03:45 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.