Security
7705 SAR OS System Management Guide Page 37
Vendor-Specific Attributes (VSAs)
The 7705 SAR software supports the configuration of Alcatel-Lucent-specific RADIUS 
attributes. These attributes are known as vendor-specific attributes (VSAs) and are discussed 
in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to 
the vendor to specify the format of their VSA. The attribute-specific field is dependent on 
the vendor's definition of that attribute. The Alcatel-Lucent-defined attributes are 
encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the 
vendor ID number.
Note that “PE-Record” should be added as a new standard attribute in the standard RADIUS 
dictionary file.
The following RADIUS VSAs are supported by Alcatel-Lucent:
• timetra-access <ftp> <console> <both> — this is a mandatory command
  that must be configured. This command specifies whether the user has FTP and/or
  console (serial port, Telnet, and SSH) access.
• timetra-profile <profile-name> — when configuring this VSA for a user,
  it is assumed that the user profiles are configured on the local 7705 SAR router and
  the following applies for local and remote authentication:
  1. The authentication-order parameters configured on the router must include
     the local keyword.
  2. The user name may or may not be configured on the 7705 SAR router.
  3. The user must be authenticated by the RADIUS server.
  4. Up to eight valid profiles can exist on the router for a user. The sequence in which
     the profiles are specified is relevant. The most explicit matching criteria must be
     ordered first. The process stops when the first complete match is found.
  If these conditions are not all met, then access to the router is denied
  and a failed login event/trap is written to the security log.
• timetra-default-action <permit-all | deny-all | none> — this is a
  mandatory command that must be configured even if the timetra-cmd VSA is not
  used. This command specifies the default action when the user has entered a
  command and no entry configured in the timetra-cmd VSA for the user resulted
  in a match condition.
• timetra-cmd <match-string> — configures a command or command subtree
  as the scope for the match condition.
  The command and all subordinate commands in subordinate command levels are
  specified.
  Configure from most specific to least specific. The 7705 SAR exits on the first
  match; subordinate levels cannot be modified with subsequent action commands.
  Subordinate level VSAs must be entered prior to this entry to be effective.
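
The ordering rule for timetra-cmd entries can be checked before a user definition is loaded on the RADIUS server. The following Python model is an added example, not code from this guide or from the 7705 SAR software; it evaluates an ordered entry list on a first-match basis and reports entries that an earlier, broader entry makes unreachable. The per-entry permit/deny action, the token-prefix matching, the function names and the sample command strings are assumptions made for illustration.

```python
# Added example: models first-match evaluation of an ordered timetra-cmd list.
# Assumptions (not from the guide): each entry carries a "permit"/"deny" action,
# and a match string covers a command when it is a token-wise prefix of it.

def covers(match_string, command):
    """True if match_string scopes command (the command itself or its subtree)."""
    m, c = match_string.lower().split(), command.lower().split()
    return len(m) <= len(c) and c[:len(m)] == m

def authorize(command, entries, default_action):
    """Return the action of the first matching entry, else the default action."""
    for match_string, action in entries:
        if covers(match_string, command):
            return action          # evaluation exits on the first match
    return default_action          # permit-all, deny-all or none, as configured

def shadowed(entries):
    """List (entry, earlier_entry) pairs where entry can never be reached."""
    hits = []
    for i, (match_string, _) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if covers(earlier, match_string):
                hits.append((match_string, earlier))
                break
    return hits

# Constructed sample lists: the same two entries in different order.
BROAD_FIRST = [("configure", "permit"), ("configure system security", "deny")]
SPECIFIC_FIRST = [("configure system security", "deny"), ("configure", "permit")]

if __name__ == "__main__":
    cmd = "configure system security user admin"
    for name, entries in (("broad first", BROAD_FIRST),
                          ("specific first", SPECIFIC_FIRST)):
        print(name, "->", authorize(cmd, entries, "deny-all"),
              "| shadowed:", shadowed(entries))
    print("no match ->", authorize("show router", SPECIFIC_FIRST, "deny-all"))
```

With the broad entry first, the deny entry for the security subtree is never evaluated and the command is permitted; a non-empty result from shadowed() flags that ordering.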