000024223 - How to enter Cisco Vendor-Specific attributes in a user's RADIUS profile

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000024223
Applies To: Cisco Router
RSA ACE/Server RADIUS
RSA Authentication Manager 6.1
Issue: How to enter Cisco Vendor-Specific attributes in a user's RADIUS profile
How to pass RADIUS Attribute Value (A/V) pair information in an RSA profile
Resolution

If you need to pass back group/profile information from RSA RADIUS to a RADIUS client (Cisco ACS, etc.) so that it can assign authorization/access rights based on that group/profile information, do the following.

From Authentication Manager Host mode you need to:

 1. Create a RADIUS profile with Radius - Add Profile. Use all capitals.

 2. Go to Radius - Manage Radius to get into the Funk SB Radius interface.

 3. Add the same profile in the Funk SB Radius interface (you can only use capital letters), then [add] a Return List Attribute 'Class' with a string value of the group name, such as Administrators or Powerusers. The Class attribute is #25.

For example, with a Cisco ASA 5500, if you had a group policy name of BigGuns which you wanted applied to Administrators, you would add a Class attribute with a string of ou=BigGuns. For Cisco router privilege level, see below.

 4. Back at the Auth Manager Host mode, edit the user and assign one of the profiles you just created (Administrators or whatever).

 5. When that user authenticates, Auth Manager will return the group name. This can be seen in the display of NTRadPing.exe. The RADIUS client can use this profile information to assign group access rights to the authenticated user.

There is also a Funk Steel Belted Radius Class attribute that is sent by default:

Class=SBR2CL\0xbc\0xb1\0xf90x95\0xe4\0xec\0xcd\0xa8\

This Funk SB Radius Class attribute may interfere with the group/profile information. By default, Funk Steel Belted Radius sends its own Class attribute to the NAS device whenever the profile contains the attribute Class. Turn it off as follows.


To correct this issue, locate the vendor.ini file in the /rsa/radius/ directory for UNIX or in the C:\Program Files\RSA Security\RSA Radius\Service\ directory for Microsoft Windows. Edit the vendor.ini file and locate the entries for the NAS vendor that corresponds to your RADIUS profile. In this example, we will look at the lines for standard RADIUS:

    vendor-product       = - Standard Radius -
    dictionary           = Radius
    ignore-ports         = no
    help-id              = 2000

Change it to read as follows:

    vendor-product       = - Standard Radius -
    dictionary           = Radius
    ignore-ports         = no
    help-id              = 2000
    send-class-attribute = no

Then restart RADIUS for this change to take effect.


A Cisco Vendor-Specific attribute always begins with Vendor-ID 9 (cisco) and Vendor-Type 1 (cisco-avpair). (This applies only up to version 6.0, not 6.1. In 6.1 you would select CISCO-IOS as the Make/Model of the RADIUS client and then, in the profile, select Cisco-AVPAIR and fill it in with the values below.)
The remainder of the entry is a string value enclosed in double quotes. Possible options include:
"shell:acl="
"shell:timeout="
"shell:idletime="
"shell:autocmd="
"shell:noescape="
"shell:nohangup="
"shell:priv-lvl="
"shell:callback-dialstring="
"shell:nocallback-verify="
"shell:callback-line="
"shell:callback-rotary="
"lcp:interface-config="
"ip:inacl="
"ip:outacl="
"ip:addr="
"ip:addr-pool="
"ip:routing="
"ip:route="
"ip:rte-fltr-in="
"ip:rte-fltr-out="
"ip:pool-def="
"ip:pool-timeout="
"ipx:outacl="
"ipx:route="
"ipx:rte-fltr-in="
"ipx:rte-fltr-out="
"ipx:sap="
"ipx:sap-fltr-in="
"ipx:sap-fltr-out="
"arap:zonelist="
"arap:timeout="
"arap:acl="
"arap:callback-dialstring="
"arap:nocallback-verify="
"arap:callback-line="
"arap:callback-rotary="
"slip:addr="
"slip:addr-pool="
"slip:routing="
"slip:route="
"slip:callback-dialstring="
"slip:nocallback-verify="
"slip:callback-line="
"slip:callback-rotary="
"vpdn:tunnel-id="
"vpdn:nas-password="
"vpdn:gw-password="
"vpdn:ip-addresses="
"vpdn:source-ip="
"vpdn:tunnel-type="
"vpdn:l2tp-tunnel-password="
The "=" would be followed by an appropriate string or numeric value. If the attribute is optional, replace the "=" with "*".
For example:
Edit the user's profile and add the attribute referred to as "Vendor-Specific".
Enter the following text in the field:
9 1 "shell:priv-lvl=15"
The above command gives a login user (i.e., telnet user) full access privilege to EXEC commands on the router.
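As an added illustration that is not part of the RSA article, the Python below encodes the 9 1 "shell:priv-lvl=15" entry and the ou=BigGuns Class string as RFC 2865 attributes, decodes an Access-Accept attribute list back, and flags the Steel Belted Radius SBR2CL Class value described above. The wire framing follows RFC 2865; the attribute numbers, the vendor ID and the SBR2CL prefix are taken from the article.

```python
import struct

# RADIUS attribute type numbers (RFC 2865) and the Cisco VSA identifiers named in the article.
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
SBR_CLASS_PREFIX = b"SBR2CL"   # Steel Belted Radius default Class value, as shown in the article


def cisco_avpair(avpair: str) -> bytes:
    """Encode '9 1 "<avpair>"' as one RADIUS Vendor-Specific attribute (type 26)."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data   # vendor type, vendor length
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def class_attr(value: bytes) -> bytes:
    """Encode a Class (type 25) attribute, e.g. the ou=BigGuns group string."""
    return struct.pack("!BB", ATTR_CLASS, len(value) + 2) + value


def split_avpair(avpair: str):
    """Split 'name=value' / 'name*value' into (name, value, mandatory): '=' mandatory, '*' optional."""
    seps = [avpair.find(c) for c in "=*" if c in avpair]
    if not seps:
        raise ValueError("AV pair has no '=' or '*' separator")
    idx = min(seps)                                          # first separator wins
    return avpair[:idx], avpair[idx + 1:], avpair[idx] == "="


def parse_attrs(blob: bytes) -> dict:
    """Walk an Access-Accept attribute list: collect Cisco AV pairs and Class values,
    and flag the Steel Belted default Class that the article says can interfere."""
    out = {"avpairs": [], "classes": [], "sbr_class_present": False}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        atype, alen = blob[i], blob[i + 1]
        val = blob[i + 2:i + alen]
        if atype == ATTR_CLASS:
            out["classes"].append(val)
            out["sbr_class_present"] |= val.startswith(SBR_CLASS_PREFIX)
        elif atype == ATTR_VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            j = 4
            while j < len(val):                              # one or more vendor sub-attributes
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("malformed Cisco VSA length")
                if vtype == CISCO_AVPAIR:
                    out["avpairs"].append(val[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return out
```

If parse_attrs reports sbr_class_present for a profile that should return only your own Class string, the send-class-attribute = no change above has not taken effect.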
Legacy Article ID: 6.0.990284.2703749