
424 Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 14 Configuring RADIUS and TACACS+ Servers
Configuring the Access Point to Use Vendor-specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method
for communicating vendor-specific information between the access point and the
RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-
specific attributes (VSAs) allow vendors to support their own extended attributes
not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option by
using the format recommended in the specification. Cisco's vendor ID is 9, and
the supported option has vendor type 1, named cisco-avpair. The value is a
string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of
authorization. Attribute and value are an appropriate AV pair defined in the
Cisco TACACS+ specification, and sep is = for mandatory attributes and the
asterisk (*) for optional attributes. This lets the full set of features available
for TACACS+ authorization also be used with RADIUS.
For example, the following AV pair activates Cisco's multiple named IP address
pools feature during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from an access
point with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs.
For more information about vendor IDs and VSAs, refer to RFC 2138, "Remote
Authentication Dial-In User Service (RADIUS)."
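The attribute 26 layout described above (vendor ID 9, vendor type 1, a cisco-avpair string of the form protocol:attribute sep value), worked through as an added example that is not part of the manual or of Cisco's or Rockwell's own code. It parses the AV-pair string and tells mandatory (=) from optional (*) attributes, wraps the string in the raw Vendor-Specific attribute bytes using the byte layout from RFC 2865 (the successor of the RFC 2138 the manual cites), decodes it back with length checks, and lists the pairs in a profile that hand out privilege level 15, which is the entry an administrator reviewing a RADIUS user profile should look for. The function names and the sample profile are the example's own.

```python
import struct

# Constants taken from the page: IETF attribute 26, Cisco vendor ID 9, vendor type 1
RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1


def parse_avpair(value: str) -> dict:
    """Split a cisco-avpair string 'protocol:attribute<sep>value' into its parts.

    sep is '=' for a mandatory attribute and '*' for an optional one.
    Raises ValueError on anything that does not match the documented format.
    """
    protocol, colon, rest = value.partition(":")
    protocol = protocol.strip()
    if not colon or not protocol:
        raise ValueError(f"missing protocol prefix: {value!r}")
    # The separator is the first '=' or '*' after the protocol prefix.
    positions = [i for i in (rest.find("="), rest.find("*")) if i != -1]
    if not positions:
        raise ValueError(f"missing '=' or '*' separator: {value!r}")
    idx = min(positions)
    attribute = rest[:idx].strip()
    if not attribute:
        raise ValueError(f"empty attribute name: {value!r}")
    return {
        "protocol": protocol,
        "attribute": attribute,
        "mandatory": rest[idx] == "=",
        "value": rest[idx + 1:].strip(),
    }


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap a cisco-avpair string in a RADIUS Vendor-Specific (26) attribute.

    Layout (RFC 2865 section 5.26): Type, Length, Vendor-Id (4 octets),
    then the vendor's own Vendor-Type, Vendor-Length and data.
    """
    payload = avpair.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    length = 2 + len(body)
    if length > 255:
        # The RADIUS Length field is one octet; refuse rather than truncate.
        raise ValueError("cisco-avpair too long for one attribute")
    return struct.pack("!BB", RADIUS_VSA_TYPE, length) + body


def decode_vsa(raw: bytes) -> tuple:
    """Return (vendor_id, vendor_type, value) from one attribute-26 byte string.

    Both length fields are checked against the real buffer before slicing, so a
    malformed attribute is rejected instead of being silently mis-parsed.
    """
    if len(raw) < 8 or raw[0] != RADIUS_VSA_TYPE or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    vendor_type, vendor_len = raw[6], raw[7]
    if vendor_len != len(raw) - 6:
        raise ValueError("vendor length does not match attribute length")
    value = raw[8:8 + vendor_len - 2].decode("ascii")
    return vendor_id, vendor_type, value


def privileged_grants(avpairs: list) -> list:
    """Return the cisco-avpair strings in a profile that grant privilege level 15
    (full privileged EXEC), whether sent as mandatory or optional."""
    found = []
    for pair in avpairs:
        p = parse_avpair(pair)
        if p["protocol"] == "shell" and p["attribute"] == "priv-lvl":
            if p["value"].isdigit() and int(p["value"]) >= 15:
                found.append(pair)
    return found


if __name__ == "__main__":
    # Constructed sample profile: the two pairs from the manual plus an optional level-1 pair.
    profile = ["ip:addr-pool=first", "shell:priv-lvl=15", "shell:priv-lvl*1"]
    for pair in profile:
        print(parse_avpair(pair), encode_cisco_avpair(pair).hex())
    print("full-privilege grants:", privileged_grants(profile))
```

The encoder and decoder only cover the single cisco-avpair option the manual describes; a real RADIUS packet carries many attributes back to back, and the same Length check applies to each of them before its bytes are trusted.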
Beginning in privileged EXEC mode, follow these steps to configure the access
point to recognize and use VSAs:
1. Enter global configuration mode.
configure terminal
2. Enable the access point to recognize and use VSAs as defined by RADIUS
IETF attribute 26.
(Optional) Use the accounting keyword to limit the set of recognized
vendor-specific attributes to only accounting attributes.
(Optional) Use the authentication keyword to limit the set of
recognized vendor-specific attributes to only authentication attributes.