RADIUS setup (Cisco)

Updated: January 31,

The challenge collects additional data from the user.

Table 1.

Note: This is the only call type available for channel-associated signaling (CAS).

Table 2. Modem Management String

  Command            Argument
  min-speed          to , any
  max-speed          to , any
  modulation         K56Flex, v22bis, v32bis, v34, v90, any
  error-correction   lapm, mnp4
  compression        mnp5, v42bis

When the modem management string is received from the RADIUS server in the form of a VSA, the information is passed to the Cisco software and applied on a per-call basis.

Note: Before you can perform subsequent authentication, you must set up a regular user profile in addition to a preauthentication profile.

RADIUS Profile for Subsequent Authentication Types

If you specified subsequent authentication in the preauthentication profile, you must also specify the authentication types to be used for subsequent authentication.

Table 3.

Note: You should use this VSA only if subsequent authentication is required, because it specifies the authentication type for subsequent authentication.

Note: Do not configure the ppp authentication command with the radius command.

Note: If subsequent authentication is required, the authorization attributes in the preauthentication profile are not applied.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 5: address ipv4 ip-address
Example: Device(config-radius-server)# address ipv4

Configuring a Device to Expand Network Access Server Port Information

Sometimes PPP or login authentication occurs on an interface that is different from the interface on which the call itself comes in.

Note: The radius-server attribute nas-port format command replaces the radius-server extended-portnames command and the radius-server attribute nas-port extended command.

Step 3: radius-server configure-nas
Example: Device(config)# radius-server configure-nas
(Optional) Tells the Cisco device or access server to query the RADIUS server for the static routes and IP pool definitions used throughout its domain.

Note: Because the radius-server configure-nas command is used when the Cisco device starts up, it does not take effect until you issue a copy system:running-config nvram:startup-config command.

Step 4: radius-server attribute nas-port format
Example: Device(config)# radius-server attribute nas-port format
Expands the size of the NAS-Port attribute from 16 to 32 bits to display extended interface information.

Step 4: aaa route download time
Example: Device(config)# aaa route download
Enables the download static route feature and sets the amount of time, in minutes, between downloads.

Step 6: interface dialer number
Example: Device(config)# interface dialer 1
Defines a dialer rotary group and enters interface configuration mode.

Step 7: dialer aaa
Example: Device(config-if)# dialer aaa
Allows a dialer to access the AAA server for dialing information.

Step 8: dialer aaa suffix suffix password password
Example: Device(config-if)# dialer aaa suffix samp password password12
Allows a dialer to access the AAA server for dialing information and specifies a suffix and a nondefault password for authentication.

Step 5: exit
Example: Device# exit
Exits the device session.

This command enables AAA. The next set of commands configures multiple host entries for the same IP address.

Figure 1. Topology for Configuration Examples

! Enable AAA globally.
! Enable VPDN.
! Define VPDN group number 1.
! Enable global AAA security services.
! Create virtual-template 1 and assign all values for virtual access interfaces.
! Borrow the IP address from the loopback interface.

! Disable multicast fast switching.
! Create vpdn-group number 1.
! Accept all dial-in L2TP tunnels from virtual-template 1 from remote peer DJ.

Table 4.

Table fragments (call types and modem arguments): Unrestricted digital, restricted digital. Speech, 3. This is the only call type available for channel-associated signaling (CAS). Anything with the V. K56Flex, v22bis, v32bis, v34, v90, any.

In the case of two-way authentication, the calling networking device must authenticate the NAS. Instead, the username and password can be included in the Access-Accept messages for preauthentication. Do not configure the ppp authentication command with the radius command. To set up PAP, do not configure the ppp pap sent-name password command on the interface.

If only preauthentication is configured, subsequent authentication is bypassed. Note that because the username and password are not available, authorization is also bypassed.

However, you can include authorization attributes in the preauthentication profile to apply per-user attributes and avoid having to return subsequently to RADIUS for authorization. To initiate the authorization process, you must also configure the aaa authorization network command on the NAS. You can configure authorization attributes in the preauthentication profile with one exception: the service-type attribute (attribute 6). The service-type attribute must be converted to a VSA in the preauthentication profile.

This VSA has this syntax:

If subsequent authentication is required, the authorization attributes in the preauthentication profile are not applied.

The AAA accounting feature enables you to track the services users are accessing and the amount of network resources they are consuming.

The order in which the hosts are entered is the order in which they are attempted.

Use the ip tcp synwait-time command to set the number of seconds that the NAS waits before trying to connect to the next host on the list; the default is 30 seconds.

To control whether user responses to Access-Challenge packets are echoed to the screen, you can configure the Prompt attribute in the user profile on the RADIUS server.

This attribute is included only in Access-Challenge packets. To allow user responses to echo, set the attribute to Echo. If the Prompt attribute is not included in the user profile, responses are echoed by default.

This attribute overrides the behavior of the radius-server challenge-noecho command configured on the access server. For example, if the access server is configured to suppress echoing, but the individual user profile allows echoing, the user responses are echoed.

The IETF standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute. Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are not suitable for general use.

Note that any AV pair can be made optional:

The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:

To have the Cisco device or access server query the RADIUS server for static routes and IP pool definitions when the device starts up, use the radius-server configure-nas command. Because the radius-server configure-nas command is performed when the Cisco device starts up, it does not take effect until you enter a copy system:running-config nvram:startup-config command.

Vendor-proprietary attributes are not supported unless you use the radius-server host non-standard command.

Sometimes PPP or login authentication occurs on an interface that is different from the interface on which the call itself comes in. For example, in a V.

The upper 16 bits of the NAS-Port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.

This procedure is required.

Configures the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.

Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device will accept CoA and disconnect requests.

(Optional) Configures the switch to ignore a CoA request to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change.

(Optional) Configures the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down.

Shutting down the port results in termination of the session. For detailed information about the fields in these displays, see the command reference for this release.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:

This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad between the switch and the server:

Finding Feature Information

Your software release may not support all the features documented in this module.

To use the Change-of-Authorization (CoA) interface, a session must already exist on the switch. CoA can be used to identify a session and enforce a disconnect request. The update affects only the specified session.

This is to help ensure that the RADIUS server remains accessible in case one of the connected stack members is removed from the switch stack.

- Switch-to-switch or router-to-router situations.
- Networks using a variety of services.
- Turnkey network security environments in which applications support the RADIUS protocol, such as in an access environment that uses a smart card access control system.
- Networks in which the user must only access a single service.

The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources such as time, packets, bytes, and so forth used during the session.

An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.

Figure 1.

REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access is denied.

Change-of-Authorization Requests

Change of Authorization (CoA) requests, as described in RFC , are used in a push model to allow for session identification, host reauthentication, and session termination. This table shows the IETF attributes that are supported for this feature. This table shows the possible values for the Error-Cause attribute.

Session Reauthentication

The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture joins the network and is associated with a restricted access authorization profile, such as a guest VLAN.

Session Reauthentication in a Switch Stack

When a switch stack receives a session reauthentication message:

- It checkpoints the need for a reauthentication before returning an acknowledgment (ACK).
- It initiates reauthentication for the appropriate session.

If authentication completes with either success or failure, the signal that triggered the reauthentication is removed from the stack member. If the stack master fails before authentication completes, reauthentication is initiated after stack master switch-over based on the original command which is subsequently removed.

If the stack master fails before sending an ACK, the new stack master treats the re-transmitted command as a new command.

Session Termination

There are three types of CoA requests that can trigger session termination.

Note: A Disconnect-Request failure following command re-sending could be the result of either a successful session termination before change-over (if the Disconnect-ACK was not sent) or a session termination by other means (for example, a link failure) that occurred after the original command was issued and before the standby switch became active.

Stacking Guidelines for CoA-Request Bounce-Port

Because the bounce-port command is targeted at a session, not a port, if the session is not found, the command cannot be executed.

When the Auth Manager command handler on the stack master receives a valid bounce-port command, it checkpoints the following information before returning a CoA-ACK message:

- the need for a port-bounce
- the port-id found in the local session context

The switch initiates a port-bounce (disables the port for 10 seconds, then re-enables it).

Stacking Guidelines for CoA-Request Disable-Port

Because the disable-port command is targeted at a session, not a port, if the session is not found, the command cannot be executed. When the Auth Manager command handler on the stack master receives a valid disable-port command, it verifies this information before returning a CoA-ACK message:

- the need for a port-disable
- the port-id found in the local session context

The switch attempts to disable the port.

Before You Begin

If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch, the per-server timer, retransmission, and key value commands override the global timer, retransmission, and key value commands.

Defining AAA Server Groups

You use the server group server configuration command to associate a particular server with a defined group server.

Example: Switch(config)# radius-server host

AAA Server Groups

Error-Cause attribute values:

- Residual Session Context Removed
- Unsupported Attribute
- Missing Attribute
- NAS Identification Mismatch
