Cisco AS5800 Operations, Administration, Maintenance, and Provisioning Guide
DOC-7810814=
Chapter 4 Administration
Access Service Security
For example, the following AV pair activates Cisco's multiple named IP address pools feature
during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example causes a NAS Prompt user to have immediate access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own vendor-IDs, options, and associated VSAs. For more information about
vendor-IDs and VSAs, refer to the RADIUS specification RFC 2138, Remote Authentication Dial-In
User Service (RADIUS), described in How Does RADIUS Work?, available online at
http://www.cisco.com/warp/public/707/32.html
To configure the NAS to recognize and use VSAs, perform the following task in global configuration
mode:
Enable the Cisco AS5800 to recognize and use VSAs as defined by RADIUS IETF attribute 26.
radius-server vsa send [accounting | authentication]
For a complete list of RADIUS attributes or more information about vendor-specific Attribute 26, refer
to the RADIUS Attributes appendix.
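Added example, not part of the Cisco guide: how the two AV pairs above are carried on the wire inside IETF attribute 26, and a check that flags a shell:priv-lvl=15 grant when reviewing what a RADIUS server returns. It assumes Cisco's vendor-ID 9, vendor-type 1 (cisco-avpair) and the "=" (mandatory) / "*" (optional) separators, which this section does not state; the function names and the sample attribute list are constructed for illustration.

```python
import re
import struct

VENDOR_SPECIFIC = 26   # IETF attribute 26 (Vendor-Specific)
CISCO_VENDOR_ID = 9    # assumption: Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # assumption: Cisco vendor-type 1, "cisco-avpair"
AVPAIR_RE = re.compile(r"^([^:=*]+):([^=*]+)([=*])(.*)$")  # "=" mandatory, "*" optional

def encode_cisco_avpair(avpair):
    """Wrap one 'protocol:attribute=value' string in an attribute 26 TLV."""
    data = avpair.encode("ascii")
    sub = bytes([CISCO_AVPAIR, 2 + len(data)]) + data
    total = 2 + 4 + len(sub)          # type + length + vendor-id + sub-attribute
    if total > 255:
        raise ValueError("AV pair too long for a single attribute")
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", CISCO_VENDOR_ID) + sub

def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list; return (protocol, attribute, sep, value) tuples."""
    pairs, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue                  # not a VSA, or too short to hold one
        vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
            continue                  # another vendor's VSA: ignore it
        if vlen < 2 or 4 + vlen > len(body):
            raise ValueError("bad vendor-length in Cisco VSA")
        m = AVPAIR_RE.match(body[6:4 + vlen].decode("ascii"))
        if m is None:
            raise ValueError("not in protocol:attribute=value form")
        pairs.append(m.groups())
    return pairs

def grants_priv15(pairs):
    """True if any pair is shell:priv-lvl=15 (immediate full EXEC access)."""
    return any(p[0] == "shell" and p[1] == "priv-lvl" and p[3] == "15" for p in pairs)

# Constructed sample: User-Name "alice" (type 1) followed by the page's two AV pairs.
SAMPLE = (bytes([1, 7]) + b"alice"
          + encode_cisco_avpair("ip:addr-pool=first")
          + encode_cisco_avpair("shell:priv-lvl=15"))

if __name__ == "__main__":
    print(decode_cisco_avpairs(SAMPLE), grants_priv15(decode_cisco_avpairs(SAMPLE)))
```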
Configure Router for Vendor-Proprietary RADIUS Server Communication
Although the IETF draft standard for RADIUS specifies a method for communicating vendor-specific
information between the Cisco AS5800 and the RADIUS server, some vendors have extended
the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary
RADIUS attributes.
To configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host
running the RADIUS server daemon and the secret text string it shares with the Cisco device. You
specify the RADIUS host and secret text string by using the radius-server commands. To identify that
the RADIUS server is using a vendor-proprietary implementation of RADIUS, use the radius-server host
non-standard command.
Vendor-proprietary attributes will not be supported unless you use the radius-server host non-standard
command.
To specify a vendor-proprietary RADIUS server host and a shared secret text string, perform the
following tasks in global configuration mode.
Specify the IP address or host name of the remote RADIUS server host and identify that it is using a
vendor-proprietary implementation of RADIUS.
radius-server host {hostname | ip-address} non-standard
Specify the shared secret text string used between the router and the vendor-proprietary RADIUS server.
The router and the RADIUS server use this text string to encrypt passwords and exchange responses.
radius-server key string