RADIUS Authentication, Authorization, and Accounting

Commands Authorization

6. Right-click and then select New > key. Add the vendor ID number that you determined in step 4 (100 in the example).

7. Restart all Cisco services.

8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field, choose RADIUS(HP) as the type of security control protocol.

9. Select Submit + Restart to effect the change. The HP RADIUS VSA attributes will then appear in the Cisco ACS configuration screens, for example, “Interface Configuration”, “Group Setup”, and “User Setup”.

To enable the processing of the HP-Command-String VSA for RADIUS accounting:

1. Select System Configuration.

2. Select Logging.

3. Select CSV RADIUS Accounting. In the Select Columns to Log section, add the HP-Command-String attribute to the Logged Attributes list.

4. Select Submit.

5. Select Network Configuration. In the AAA Clients section, select an entry in the AAA Client Hostname column. You will go to the AAA Client Setup screen.

6. Check the box for Log Update/Watchdog Packets from this AAA Client.

7. Click Submit + Restart. You should be able to see the HP-Command-String attribute in the RADIUS accounting reports.

You can enter the commands you wish to allow or deny using the special characters of standard regular expressions (c, ., \, [list], [^list], *, ^, $). Commands must be between 1 and 249 characters in length.
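The following Python code is an added example, not part of this manual or of any HP or Cisco tool: it checks candidate command expressions against the 1-249 character limit and reports which sample commands an allow or deny list would let through before the list is entered on the RADIUS server. It assumes that Python's re module stands in for the switch's matcher and that an expression matches anywhere in the command; the function names and sample commands are constructed.

```python
import re

MIN_LEN, MAX_LEN = 1, 249  # length limits stated in the text above


def check_expression(expr):
    """Return a list of problems found in one command expression."""
    problems = []
    if not MIN_LEN <= len(expr) <= MAX_LEN:
        problems.append("length %d outside %d-%d" % (len(expr), MIN_LEN, MAX_LEN))
    try:
        re.compile(expr)
    except re.error as exc:
        problems.append("does not compile: %s" % exc)
    return problems


def is_authorized(command, expressions, mode):
    """Decide whether a command would be allowed.

    mode is "allow" (only listed commands run) or "deny" (listed commands
    are blocked). Assumption: an expression matches if it is found anywhere
    in the command, so unanchored expressions match more than intended.
    """
    if mode not in ("allow", "deny"):
        raise ValueError("mode must be 'allow' or 'deny'")
    listed = any(re.search(e, command) for e in expressions)
    return listed if mode == "allow" else not listed


def review(expressions, mode, sample_commands):
    """Validate every expression, then report the decision per sample command."""
    errors = {e: p for e in expressions for p in [check_expression(e)] if p}
    if errors:
        return {"errors": errors, "decisions": {}}
    decisions = {c: is_authorized(c, expressions, mode) for c in sample_commands}
    return {"errors": {}, "decisions": decisions}


# Constructed sample data, not taken from the manual.
ALLOW_LIST = ["^show ", "^ping [0-9.]*$"]
SAMPLES = ["show running-config", "ping 10.0.0.1", "configure", "no show "]

if __name__ == "__main__":
    result = review(ALLOW_LIST, "allow", SAMPLES)
    for cmd, ok in result["decisions"].items():
        print("%-22s %s" % (cmd, "allowed" if ok else "denied"))
```

Under the matching assumption above, dropping the leading ^ from the first expression would also let "no show " through, which is why the sample list anchors each entry.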

Example Configuration Using FreeRADIUS

1. Create a dictionary file (for example, dictionary.hp) containing HP VSA definitions. An example file is:
