Cisco IOS Software Release 12.2(1)DX

RADIUS Attribute Screening
Feature Overview
Benefits
The RADIUS Attribute Screening feature provides the following benefits:
Users can configure an accept or reject list consisting of a selection of attributes on the NAS for a 
specific purpose so unwanted attributes are not accepted and processed.
Users may wish to configure an accept list that includes only relevant accounting attributes, thereby 
reducing unnecessary traffic and allowing users to customize their accounting data.
Restrictions
NAS Requirements
To enable this feature, your NAS should be configured for authorization with RADIUS groups.
Accept or Reject Lists Limitations
The two filters used to configure accept or reject lists are mutually exclusive; therefore, a user can 
configure only one accept list or one reject list for each purpose, per server group.
Vendor-Specific Attributes
This feature does not support vendor-specific attribute (VSA) screening; however, a user can specify 
attribute 26 (Vendor-Specific) in an accept or reject list, which will accept or reject all VSAs.
Required Attributes Screening Recommendation
It is recommended that users do not reject the following required attributes:
For authorization:
6 (Service-Type) 
7 (Framed-Protocol) 
For accounting:
4 (NAS-IP-Address)
40 (Acct-Status-Type)
41 (Acct-Delay-Time)
44 (Acct-Session-ID)
If an attribute is required, the rejection will be refused, and the attribute will be allowed to pass through.
Note
The user will not receive an error at the point of configuring a reject list for required attributes 
because the list does not specify a purpose—authorization or accounting. The server will determine 
whether an attribute is required when it is known what the attribute is to be used for.
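The following Python sketch is an added illustration, not Cisco IOS code or part of the original document. It models the rules stated above: one accept or reject list per purpose, attribute 26 covering all VSAs, and refusal of a rejection when the attribute is required for that purpose. The function name, the sample packet and the treatment of accept lists are assumptions.

```python
# Model of the screening rules described in this section (not Cisco's implementation).
REQUIRED = {
    "authorization": {6, 7},        # Service-Type, Framed-Protocol
    "accounting": {4, 40, 41, 44},  # NAS-IP-Address, Acct-Status-Type,
                                    # Acct-Delay-Time, Acct-Session-ID
}


def screen(attributes, mode, attr_list, purpose):
    """Apply one list to one packet; return (passed, dropped, refused).

    attributes: (type, value) pairs in packet order
    mode:       "accept" or "reject" (mutually exclusive per purpose)
    attr_list:  set of attribute type numbers; 26 matches every VSA
    purpose:    "authorization" or "accounting", known only at use time
    """
    if mode not in ("accept", "reject"):
        raise ValueError("a filter is either an accept list or a reject list")
    required = REQUIRED[purpose]
    passed, dropped, refused = [], [], set()
    for attr_type, value in attributes:
        listed = attr_type in attr_list
        if mode == "reject" and listed and attr_type in required:
            # Rejection of a required attribute is refused: it passes through.
            refused.add(attr_type)
            passed.append((attr_type, value))
        elif (mode == "accept") == listed:
            passed.append((attr_type, value))
        else:
            # Assumption: the page describes pass-through only for reject
            # lists, so an accept list is applied literally here.
            dropped.append((attr_type, value))
    return passed, dropped, refused


# Constructed sample packet (values are illustrative only).
SAMPLE = [(1, "alice"), (4, "192.0.2.1"), (6, 2),
          (26, b"vsa-a"), (26, b"vsa-b"), (40, 1)]

if __name__ == "__main__":
    # The same reject list behaves differently depending on the purpose.
    for purpose in ("accounting", "authorization"):
        passed, dropped, refused = screen(SAMPLE, "reject", {4, 6, 26}, purpose)
        print(purpose, "passed:", [t for t, _ in passed],
              "dropped:", [t for t, _ in dropped],
              "refused rejections:", sorted(refused))
```

Running the same reject list under both purposes shows why no error appears at configuration time: which listed attributes are actually dropped depends on the purpose the list is later attached to.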
Related Documents
Cisco IOS Security Command Reference, Release 12.2
Cisco IOS Security Configuration Guide, Release 12.2