000021921 - How to configure multiple values for the same vendor-specific attribute in RSA ACE/Server RADIUS

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3


Article Number: 000021921
Applies To: Vendor-Specific Attribute (VSA)
RSA ACE/Server 5.2
RSA ACE/Server RADIUS
Issue: How to configure multiple values for the same vendor-specific attribute in RSA ACE/Server RADIUS
Defining RADIUS Access Lists in RSA ACE/Server
Use the RADIUS Server Vendor-Specific Attributes
How to apply Access Lists to Dial Interfaces with a RADIUS server
Resolution: NOTE: Using multiple vendor-specific attributes is not possible until you upgrade to RSA ACE/Server 5.1.2 or a later version.

If you are trying to implement complex access control lists from the ACE/Server as per the example below:

Service-Type = Framed
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Cisco:Avpair="ip:route#1=9.9.9.9 255.255.255.255 11.11.11.12"
Cisco:Avpair="ip:route#2=15.15.15.15 255.255.255.255 12.12.12.13"
Cisco:Avpair="ip:route#3=15.15.15.16 255.255.255.255 12.12.12.13"
Cisco:Avpair="ip:inacl#1=permit icmp 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255"
Cisco:Avpair="ip:inacl#2=permit tcp 1.1.1.0 0.0.0.255 15.15.15.0 0.0.0.255"

Detailed instructions for configuring the Access Control Lists can be obtained at the following Cisco URL:
How to apply Access Lists to Dial Interfaces with a RADIUS Server
(this RSA SecurCare Online solution was written using values taken directly from the example located at the above Cisco URL)

In the ACE/Server Database Administration Tool:
Select Profile > Edit Profile or Add Profile > choose or enter the profile name > OK.
Select the attribute Service-Type, arrow down to Framed and press Enter, then press Tab and Enter on OK.
Select the attribute Framed-Protocol, arrow down to PPP and press Enter, then press Tab and Enter on OK.
Select the attribute Framed-IP-Address, select an input format (Dotted, Hexadecimal or Decimal), then press Tab.
Enter the desired address in the Value: field, press Tab, then press Enter on OK.
Select the attribute Vendor-Specific, leave the default Value Type: String Value, press Tab, and type the following string literally in the Value field:
9 1 "ip:route#1=9.9.9.9 255.255.255.255 11.11.11.12"
Press Tab and Enter on OK.
Select Add Attribute and continue adding the remaining Vendor-Specific attributes in the same way.

The resulting Attributes will look as follows in the Administration Tool:

Attribute            Value
___________________________________________________________________________________________
Service-Type         Framed
Framed-Protocol      PPP
Framed-IP-Address    255.255.255.254
Vendor Specific      9 1 "ip:route#1=9.9.9.9 255.255.255.255 11.11.11.12"
Vendor Specific      9 1 "ip:route#2=15.15.15.15 255.255.255.255 12.12.12.13"
Vendor Specific      9 1 "ip:route#3=15.15.15.16 255.255.255.255 12.12.12.13"
Vendor Specific      9 1 "ip:inacl#1=permit icmp 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255"
Vendor Specific      9 1 "ip:inacl#2=permit tcp 1.1.1.0 0.0.0.255 15.15.15.0 0.0.0.255"

The format for entering information in the Vendor-Specific value field is:
(vendor-id-number) (attribute-number) "value"

For example, to implement an access control list on Cisco, this might read as follows:
9 1 "ip:inacl=100"

9 is the vendor code for Cisco, 1 is the attribute number for Cisco:AVpair, and the value is contained in quotes.

LIMITATIONS: ACE/Server 5.0 allows up to 253 characters in the field, per RFC 2865.
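The value-field syntax described above corresponds to the RFC 2865 Vendor-Specific attribute (type 26) that the RADIUS server sends on the wire: a 4-octet Vendor-Id followed by a vendor type, a vendor length and the quoted string. The following Python is an added example, not RSA's code: it parses an ACE/Server-style field, encodes it as that attribute with the RFC 2865 length check, and decodes it back; the function names are assumptions.

```python
import re
import struct

# ACE/Server Vendor-Specific value-field syntax from the article:
#   (vendor-id-number) (attribute-number) "value"
_ACE_VSA_RE = re.compile(r'^\s*(\d+)\s+(\d+)\s+"(.*)"\s*$')
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type "Vendor-Specific"
MAX_ATTR_OCTETS = 255  # RFC 2865: the one-octet Length covers Type, Length and data

def parse_ace_vsa(field):
    """Split an ACE/Server value field into (vendor_id, vendor_type, value)."""
    m = _ACE_VSA_RE.match(field)
    if not m:
        raise ValueError('expected: <vendor-id> <attribute-number> "value"')
    vendor_id, vendor_type, value = int(m.group(1)), int(m.group(2)), m.group(3)
    # Vendor-Id is four octets with the high octet zero; vendor type is one octet.
    if not 0 < vendor_id < 2 ** 24 or not 0 < vendor_type < 256:
        raise ValueError("vendor-id must fit in 24 bits, attribute-number in one octet")
    return vendor_id, vendor_type, value

def encode_vsa(field):
    """Encode one ACE/Server field as RFC 2865 Vendor-Specific attribute bytes."""
    vendor_id, vendor_type, value = parse_ace_vsa(field)
    data = value.encode("ascii")
    # Sub-attribute: vendor type, vendor length (includes these two octets), data.
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    length = 2 + len(body)  # Type + Length + Vendor-Id + sub-attribute
    if length > MAX_ATTR_OCTETS:
        raise ValueError(f"attribute is {length} octets; RFC 2865 caps it at {MAX_ATTR_OCTETS}")
    return struct.pack("!BB", VENDOR_SPECIFIC, length) + body

def decode_vsa(attr):
    """Inverse of encode_vsa for an attribute carrying a single sub-attribute."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor length disagrees with attribute length")
    return vendor_id, vendor_type, attr[8:].decode("ascii")

def fits_on_wire(field):
    """True when the ACE/Server field encodes within the RFC 2865 attribute limit."""
    try:
        encode_vsa(field)
        return True
    except ValueError:
        return False
```

Running `fits_on_wire` over every Vendor Specific row of a profile before committing it is a quick way to catch the "too many characters" condition referenced below.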

NOTE: If you have upgraded from ACE/Server 4.1 or earlier, you will be unable to use multiple Vendor-Specific attributes in a profile until you run the 1modattr utility. This utility is available from the Downloads section of SecurCare Online.

Please see the solution "Radius Server sends Vendor Specific Attribute string with too many characters" for more information.

To find the Vendor-Specific Attribute Vendor-Id Code for the manufacturer of a specific RADIUS client device, download the complete list of Private Enterprise Numbers from the Information Sciences Institute FTP Site.
Legacy Article ID: a10015
