Cisco IOS Software Release 12.2(1)DX
RADIUS Attribute Screening
Feature Overview
Benefits
The RADIUS Attribute Screening feature provides the following benefits:
• Users can configure an accept or reject list consisting of a selection of attributes on the NAS for a specific purpose so unwanted attributes are not accepted and processed.
• Users may wish to configure an accept list that includes only relevant accounting attributes, thereby reducing unnecessary traffic and allowing users to customize their accounting data.
Restrictions
NAS Requirements
To enable this feature, your NAS should be configured for authorization with RADIUS groups.
Accept or Reject Lists Limitations
The two filters used to configure accept or reject lists are mutually exclusive; therefore, a user can configure only one accept list or one reject list for each purpose, per server group.
Vendor-Specific Attributes
This feature does not support vendor-specific attribute (VSA) screening; however, a user can specify attribute 26 (Vendor-Specific) in an accept or reject list, which will accept or reject all VSAs.
Required Attributes Screening Recommendation
It is recommended that users do not reject the following required attributes:
• For authorization:
  – 6 (Service-Type)
  – 7 (Framed-Protocol)
• For accounting:
  – 4 (NAS-IP-Address)
  – 40 (Acct-Status-Type)
  – 41 (Acct-Delay-Time)
  – 44 (Acct-Session-ID)
If an attribute is required, the rejection will be refused, and the attribute will be allowed to pass through.
Note
The user will not receive an error at the point of configuring a reject list for required attributes because the list does not specify a purpose—authorization or accounting. The server will determine whether an attribute is required when it is known what the attribute is to be used for.
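A small Python model of the screening rules described above (an added example, not Cisco IOS code): one list per purpose per server group, attribute 26 standing for every VSA, and required attributes passing through even when a list would reject them. The class and method names are hypothetical, and treating a required attribute omitted from an accept list the same way as one named in a reject list is an assumption of the model.

```python
from dataclasses import dataclass

# Required attributes per purpose (see "Required Attributes Screening
# Recommendation" above).
REQUIRED = {
    "authorization": {6, 7},        # Service-Type, Framed-Protocol
    "accounting": {4, 40, 41, 44},  # NAS-IP-Address, Acct-Status-Type, ...
}

@dataclass
class ScreeningList:
    mode: str        # "accept" or "reject"
    attributes: set  # RADIUS attribute numbers named in the list

class ServerGroup:
    """One RADIUS server group: at most one screening list per purpose."""
    def __init__(self):
        self.lists = {}  # purpose -> ScreeningList

    def configure(self, purpose, mode, attributes):
        if purpose not in REQUIRED:
            raise ValueError(f"unknown purpose {purpose!r}")
        if mode not in ("accept", "reject"):
            raise ValueError(f"unknown list mode {mode!r}")
        # Accept and reject filters are mutually exclusive per purpose.
        if purpose in self.lists:
            raise ValueError(f"{purpose} already has a {self.lists[purpose].mode} list")
        self.lists[purpose] = ScreeningList(mode, set(attributes))

    def screen(self, purpose, attrs):
        # Return the (number, value) pairs that survive screening. VSAs are
        # passed as (26, value): per-VSA screening is not supported, so a list
        # naming 26 covers every VSA at once.
        screening = self.lists.get(purpose)
        if screening is None:
            return list(attrs)  # no list configured: nothing is filtered
        kept = []
        for number, value in attrs:
            listed = number in screening.attributes
            allowed = listed if screening.mode == "accept" else not listed
            # A required attribute cannot be rejected: the rejection is refused
            # and the attribute passes through. Applying this to omission from
            # an accept list as well is an assumption of this model.
            if not allowed and number in REQUIRED[purpose]:
                allowed = True
            if allowed:
                kept.append((number, value))
        return kept
```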
Related Documents
• Cisco IOS Security Command Reference, Release 12.2
• Cisco IOS Security Configuration Guide, Release 12.2