RADIUS Attribute 8 (Framed-IP-Address) in Request

Posted 2007-12-18 23:14

Feature Overview
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of usernames and addresses. Using the mapping information, service applications can begin preparing user login information to have available upon successful user authentication.
How It Works
When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP address of the dial-in host is not communicated to the RADIUS server until after successful user authentication. Communicating the device IP address to the server in the RADIUS access request allows other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information, such as the username, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:

  • If the user profile on the RADIUS server already includes attribute 8, the RADIUS server can override the IP address sent by the NAS with the IP address defined as attribute 8 in the user profile. The address defined in the user profile is returned to the NAS.
  • If the user profile does not include attribute 8, the RADIUS server can accept attribute 8 from the NAS, and the same address is returned to the NAS.

The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured), and stop packets will also include the same IP address provided in attribute 8.
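The request/accept exchange described above, written out as an added Python example (it is not part of the original Cisco text and is not any RADIUS implementation's code). A toy NAS encodes an Access-Request carrying attributes 1, 4 and 8 in the RFC 2138 wire layout, a toy server applies the two options from the text (a user profile that already holds attribute 8 overrides the hint; a profile without it echoes the hint back) and signs the Access-Accept with the Response Authenticator, and the NAS recomputes that authenticator before binding the returned address to the session. The user names, profiles, NAS address and pool entries are constructed sample values; the shared secret reuses the key from the configuration example on this page.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Packet codes and attribute types from RFC 2138, the RFC this page cites.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1          # attribute 1
NAS_IP_ADDRESS = 4     # attribute 4
FRAMED_IP_ADDRESS = 8  # attribute 8, the hint this feature adds to the request


def encode_avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value(n)."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, ipaddress.IPv4Address):
        value = value.packed
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: raw value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        avps[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], avps


def nas_access_request(username, pool, identifier=1):
    """NAS side: allocate from the local pool and send that address as the attribute 8 hint."""
    hinted = ipaddress.IPv4Address(pool.pop(0))
    request_authenticator = os.urandom(16)  # random Request Authenticator per RFC 2138
    body = (encode_avp(USER_NAME, username)
            + encode_avp(NAS_IP_ADDRESS, ipaddress.IPv4Address("172.16.71.146"))  # constructed NAS address
            + encode_avp(FRAMED_IP_ADDRESS, hinted))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_authenticator + body, hinted


def server_access_accept(request, user_profiles, secret):
    """Server side: prefer the profile's attribute 8, otherwise echo the NAS hint, then sign the reply."""
    code, identifier, request_authenticator, avps = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    username = avps[USER_NAME].decode()
    hint = ipaddress.IPv4Address(avps[FRAMED_IP_ADDRESS]) if FRAMED_IP_ADDRESS in avps else None
    profile_address = user_profiles.get(username, {}).get(FRAMED_IP_ADDRESS)
    chosen = profile_address if profile_address is not None else hint
    body = encode_avp(FRAMED_IP_ADDRESS, chosen) if chosen is not None else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2138 section 3.
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def nas_verify_reply(reply, request_authenticator, secret):
    """NAS side: recompute the Response Authenticator; a reply that fails this check must be discarded."""
    _, _, response_authenticator, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, response_authenticator)


def demo():
    """Run both cases from the text: a profile with attribute 8 (override) and one without (accept)."""
    secret = b"radhost"  # the shared key from the configuration example on this page
    pool = ["192.168.200.225", "192.168.200.226"]  # two addresses from the page's async1-pool range
    profiles = {
        "alice": {FRAMED_IP_ADDRESS: ipaddress.IPv4Address("10.0.0.50")},  # profile defines attribute 8
        "bob": {},                                                       # profile has no attribute 8
    }
    outcome = {}
    for user in profiles:
        request, hinted = nas_access_request(user, pool)
        reply = server_access_accept(request, profiles, secret)
        if not nas_verify_reply(reply, request[4:20], secret):
            raise ValueError("Response Authenticator mismatch; reply discarded")
        _, _, _, avps = parse_packet(reply)
        assigned = ipaddress.IPv4Address(avps[FRAMED_IP_ADDRESS])
        outcome[user] = (str(hinted), str(assigned))  # (address the NAS hinted, address the NAS will use)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the attribute 8 value in the request is only a hint: what the NAS keeps for the session, and what later appears in the accounting packets, is the value in the Access-Accept, so the NAS binds that value only after the Response Authenticator check passes.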
Benefits
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible to run applications on the RADIUS server that build mapping tables of users and IP addresses. The server can then use the mapping table information in other applications, such as preparing customized user login pages in advance of a successful user authentication with the RADIUS server.
Related Documents

  • "Configuring Authentication" and "Configuring RADIUS" chapters, Cisco IOS Security Configuration Guide, Release 12.1
  • RFC 2138, Remote Authentication Dial In User Service (RADIUS)

Supported Platforms

  • Cisco AS5200
  • Cisco AS5300
  • Cisco AS5800
  • Cisco AS5400 universal gateway
  • Cisco 6400

Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of MIBs supported by platform and Cisco IOS release and to download MIB modules, go to the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
Sending RADIUS attribute 8 in the RADIUS access requests assumes that the login host has been configured to request its IP address from the NAS server. It also assumes that the login host has been configured to accept an IP address from the NAS.
The NAS must be configured with a pool of network addresses on the interface supporting the login hosts.
Configuration Tasks
See the following section for the configuration task for the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature:
Configuring RADIUS Attribute 8 in Access Requests (required)
Configuring RADIUS Attribute 8 in Access Requests
To send RADIUS attribute 8 in the access request, use the following global configuration command:
Command:  Router(config)# radius-server attribute 8 include-in-access-req
Purpose:  Sends RADIUS attribute 8 in access-request packets.
Verifying RADIUS Attribute 8 in Access Requests
To verify that RADIUS attribute 8 is being sent in access requests, use the following privileged EXEC commands. Attribute 8 should be present in all PPP access requests.
Command:  Router# more system:running-config
Purpose:  Displays the contents of the current running configuration file. (Note that the more system:running-config command has replaced the show running-config command.)

Command:  Router# debug radius
Purpose:  Displays information associated with RADIUS. The output of this command shows whether attribute 8 is being sent in access requests.
Configuration Examples
The following example shows a NAS configuration that sends the IP address of the dial-in host to the RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication, authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and applied at interface Async1.
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
ip address-pool local
!
interface Async1
peer default ip address pool async1-pool
!
ip local pool async1-pool 192.168.200.225 192.168.200.229
!
radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server key radhost
Command Reference
This section documents the new command that configures the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
radius-server attribute 8 include-in-access-req
To send the IP address of a user to the RADIUS server in the access request, use the radius-server attribute 8 include-in-access-req global configuration command. To disable sending of the user IP address to the RADIUS server during authentication, use the no form of this command.
radius-server attribute 8 include-in-access-req
no radius-server attribute 8 include-in-access-req
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled.
Command Modes
Global configuration mode
Command History
Release      Modification
12.1(3)AA    This command was introduced.
12.1(5)T     This command was integrated into the T train.
In FreeRADIUS the attribute is defined as follows:
ATTRIBUTE Framed-IP-Address 8 ipaddr
Users: LR
Hints: -R
Huntgroups: LR
Additivity: Replace
Proxy propagated: No
This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.
The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user's IP.
When used on the right-hand side (RHS) of an entry, the value of this attribute can optionally be followed by a plus sign. This usage means that the value of NAS-Port-Id must be added to this IP address before replying. For example,

        Framed-IP-Address = 10.10.0.1+
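The two sentinel values and the trailing plus sign described above, as an added Python example (not FreeRADIUS's own code). It parses an RHS such as 10.10.0.1+, adds the NAS port number to the address as a 32-bit integer so the carry runs across octet boundaries, rejects results that overflow or land on a sentinel, and shows how a NAS would act on each kind of returned value. Treating NAS-Port-Id as a plain integer port number is an assumption of this example; the pool entry used for the NAS-selects case is a constructed sample value.

```python
import ipaddress

# Sentinel values for attribute 8 as described in the dictionary text above.
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")  # 0xFFFFFFFF: let the user pick an address
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")   # 0xFFFFFFFE: NAS assigns from its own pool


def parse_rhs(rhs):
    """Parse a right-hand-side value such as '10.10.0.1+' into (base address, add_nas_port flag)."""
    rhs = rhs.strip()
    add_port = rhs.endswith("+")
    base = ipaddress.IPv4Address(rhs[:-1] if add_port else rhs)  # raises ValueError on non-IPv4 text
    return base, add_port


def resolve_framed_ip(rhs, nas_port):
    """Compute the attribute 8 value the server replies with, given the RHS and the request's NAS port.

    nas_port is assumed (in this example) to be the integer port number from the request.
    """
    base, add_port = parse_rhs(rhs)
    if not add_port:
        return base
    if nas_port < 0:
        raise ValueError("NAS port must be non-negative")
    value = int(base) + nas_port  # integer addition carries across octet boundaries
    if value > 0xFFFFFFFF:
        raise ValueError("NAS port pushes the address past 255.255.255.255")
    address = ipaddress.IPv4Address(value)
    if address in (USER_SELECTS, NAS_SELECTS):
        # A computed per-port address must never silently turn into a sentinel.
        raise ValueError("computed address collides with a sentinel value")
    return address


def nas_apply(value, pool):
    """NAS side: act on the returned attribute 8 value.

    Returns ("user-selects", None), ("nas-pool", <address>) or ("assigned", <address>).
    pool is the NAS's local address pool (list of dotted-quad strings).
    """
    if value == USER_SELECTS:
        return ("user-selects", None)
    if value == NAS_SELECTS:
        return ("nas-pool", pool[0] if pool else None)
    return ("assigned", str(value))


if __name__ == "__main__":
    for rhs, port in (("10.10.0.1+", 5), ("10.10.0.255+", 1), ("255.255.255.254", 0)):
        print(rhs, port, "->", nas_apply(resolve_framed_ip(rhs, port), ["192.168.200.225"]))
```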



This post is reproduced from the ChinaUnix blog; the original is at http://blog.chinaunix.net/u1/49403/showart_445293.html