Support User Manuals

Cisco Systems 10000 Network Router User Manual

Open as PDF

of 624

16-2

Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 16 Configuring RADIUS Features

RADIUS Attribute Screening

• Configuration Tasks for RADIUS Attribute Screening, page 16-3

• Configuration Examples for RADIUS Attribute Screening, page 16-3

Feature History for RADIUS Attribute Screening

Restrictions for RADIUS Attribute Screening

The following restrictions apply to the RADIUS Attribute Screening feature:

• Network Access Server (NAS) Requirement

To enable the RADIUS Attribute Screening feature, you should configure the Cisco 10000 router,

acting as the NAS, for authorization with RADIUS groups.

• Accept or Reject Lists Limitations

The two filters used to configure accept or reject lists are mutually exclusive; therefore, you can

configure only one accept list or one reject list for each purpose and for each server group.

• Vendor-Specific Attributes

The RADIUS Attribute Screening feature does not support vendor-specific attribute (VSA)

screening. However, you can specify attribute 26 (Vendor-Specific) in an accept or reject list, which

will accept or reject all VSAs.

• Required Attributes

Required attributes in a reject list are allowed to pass through. Do not reject the following required

attributes:

–

Authorization—6 (Service-Type) and 7 (Framed-Protocol)

–

Accounting—4 (NAS-IP-Address), 40 (Acct-Status-Type), 41 (Acct-Delay-Time), and44

(Acct-Session-ID)

Note When you configure a reject list with required attributes, an error message does not appear because the

list does not specify a purpose (authorization or accounting). The server determines if an attribute is

required when the attribute’s purpose is known.

Prerequisites for RADIUS Attribute Screening

Before you configure a RADIUS accept or reject list, enable AAA using the aaa new-model command

in global configuration mode. For more information, see the Cisco IOS Command Summary, Volume

2

of 3, Release 12.2.

Cisco IOS Release Description Required PRE

12.2(16)BX3 This feature was introduced on the Cisco 10000 series

router.

PRE2

12.3(7)XI6 This feature was integrated into Cisco IOS Release 12.3(7)

XI6.

PRE2

12.2(28)SB This feature was integrated into Cisco IOS Release

12.2(28)SB.

PRE2

previous next