Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5
78-18133-01
Chapter 15 Configuring Security for the ML-Series Card
RADIUS Stand Alone Mode
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
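The following is an added example, not taken from the Cisco guide: a Python sketch for auditing what a RADIUS server is about to push. It splits a cisco-avpair string such as the one above into its protocol, attribute, separator and value fields, then expands the IOS wildcard mask of an ACL value into the network it actually matches. The function names are hypothetical; the only assumption about the format is Cisco's documented protocol:attribute=value layout, where "=" marks a mandatory attribute and "*" an optional one.

```python
import ipaddress
import re

# Cisco AV-pair layout: protocol:attribute<sep>value, where "=" marks a
# mandatory attribute and "*" an optional one.
AVPAIR_RE = re.compile(
    r'^(?P<proto>[^:=*]+):(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$')

def parse_avpair(text):
    """Split the string carried in a cisco-avpair VSA into its fields."""
    m = AVPAIR_RE.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"not a protocol:attribute=value pair: {text!r}")
    fields = m.groupdict()
    fields["mandatory"] = fields.pop("sep") == "="
    return fields

def wildcard_to_network(addr, wildcard):
    """Return the network matched by an IOS address/wildcard pair.

    Only contiguous wildcards (such as 0.0.255.255) map to a single prefix;
    anything else is rejected rather than guessed at.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard has the form 2**n - 1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    prefix_len = 32 - wc.bit_length()
    return ipaddress.IPv4Network((base, prefix_len))

def acl_source_network(acl_text):
    """Source network of a 'permit|deny ip <addr> <wildcard> ...' entry."""
    tokens = acl_text.split()
    if len(tokens) < 5 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACL entry: {acl_text!r}")
    return wildcard_to_network(tokens[2], tokens[3])

if __name__ == "__main__":
    # The AV pair from the guide's example above.
    pair = parse_avpair('ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any')
    print(pair)
    print("source addresses matched:", acl_source_network(pair["value"]))
```

For the guide's example the matched source is 10.10.0.0/16: the wildcard mask, not the host-looking address 10.10.10.10, decides how much traffic the per-user ACL denies.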
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Beginning in privileged EXEC mode, follow these steps to configure the ML-Series card to recognize
and use VSAs:

Step 1  Command: Router# configure terminal
        Purpose: Enter global configuration mode.
Step 2  Command: Router(config)# radius-server vsa send [accounting | authentication]
        Purpose: Enable the ML-Series card to recognize and use VSAs as defined by
        RADIUS IETF attribute 26.
        (Optional) Use the accounting keyword to limit the set of recognized
        vendor-specific attributes to only accounting attributes.
        (Optional) Use the authentication keyword to limit the set of
        recognized vendor-specific attributes to only authentication attributes.
        If you enter this command without keywords, both accounting and
        authentication vendor-specific attributes are used.
        The AAA server includes the authorization level in the VSA response
        message for the ML-Series card.
Step 3  Command: Router(config)# end
        Purpose: Return to privileged EXEC mode.
Step 4  Command: Router# show running-config
        Purpose: Verify your settings.
Step 5  Command: Router# copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the
“RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the ML-Series card and the RADIUS server, some vendors have extended the
RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary
RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
ML-Series card. You specify the RADIUS host and secret text string by using the radius-server global
configuration commands.