Security
28
System Management Guide
3HE 11018 AAAC TQZZA Edition: 01
3.3 Vendor-Specific Attributes (VSAs)
The 7705 SAR software supports the configuration of Nokia-specific RADIUS
attributes. These attributes are known as vendor-specific attributes (VSAs) and are
discussed in RFC 2138. VSAs must be configured when RADIUS authorization is
enabled. It is up to the vendor to specify the format of their VSA. The attribute-
specific field depends on the vendor's definition of that attribute. The Nokia-
defined attributes are encapsulated in a RADIUS vendor-specific attribute with the
vendor ID field set to 6527, the Nokia vendor ID number.
“PE-Record” should be added as a new standard attribute in the standard RADIUS
dictionary file.
The following RADIUS VSAs are supported by Nokia:
• timetra-access <ftp> <console> <both> — this is a mandatory command that
must be configured. This command specifies whether the user has FTP and/or
console (serial port, Telnet, and SSH) access.
• timetra-profile <profile-name> — when configuring this VSA for a user, it is
assumed that the user profiles are configured on the local 7705 SAR router and
the following applies for local and remote authentication.
− The authentication-order parameters configured on the router must
include the local keyword.
− The user name may or may not be configured on the 7705 SAR router.
− The user must be authenticated by the RADIUS server.
− Up to eight valid profiles can exist on the router for a user. The sequence in
which the profiles are specified is relevant. The most explicit matching
criteria must be ordered first. The process stops when the first complete
match is found.
• If the above conditions are not all met, access to the router is denied
and a failed login event/trap is written to the security log.
• timetra-default-action <permit-all | deny-all | none> — this is a mandatory
command that must be configured even if the timetra-cmd VSA is not used.
This command specifies the default action when the user has entered a
command and no entry configured in the timetra-cmd VSA for the user resulted
in a match condition.
• timetra-cmd <match-string> — configures a command or command subtree
as the scope for the match condition.
The command and all subordinate commands in subordinate command levels
are specified.
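As an added example (not code from this guide or from Nokia), the following Python builds and parses the RADIUS vendor-specific attribute described above, with the vendor ID field set to 6527, and applies the timetra-profile ordering and eight-profile rules. The vendor-type numbers, the attribute values and the sample attribute list are assumed placeholders, not values from the Nokia RADIUS dictionary file.

```python
import struct

VENDOR_ID_NOKIA = 6527   # vendor ID field value given in the guide
RADIUS_TYPE_VSA = 26     # RADIUS Vendor-Specific attribute type
MAX_PROFILES = 8         # the guide allows up to eight profiles per user
# ASSUMED placeholder vendor-type numbers; take the real ones from the Nokia dictionary file.
TIMETRA_VENDOR_TYPES = {"timetra-access": 1, "timetra-profile": 2,
                        "timetra-default-action": 3, "timetra-cmd": 4}
TIMETRA_NAMES = {v: k for k, v in TIMETRA_VENDOR_TYPES.items()}

def encode_vsa(name, value):
    """One Nokia sub-attribute (vendor-type, vendor-length, value) wrapped in a
    RADIUS Vendor-Specific attribute (type 26) carrying vendor ID 6527."""
    sub = struct.pack("!BB", TIMETRA_VENDOR_TYPES[name], 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_ID_NOKIA) + sub
    return struct.pack("!BB", RADIUS_TYPE_VSA, 2 + len(body)) + body

def decode_vsas(attrs):
    """Return [(name, value), ...] for every Nokia VSA in attrs, in wire order;
    other attributes and other vendors' VSAs are skipped."""
    out, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_TYPE_VSA and alen >= 6:
            vendor = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub = attrs[pos + 6:pos + alen] if vendor == VENDOR_ID_NOKIA else b""
            while len(sub) >= 2:            # one VSA may carry several sub-attributes
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute length")
                out.append((TIMETRA_NAMES.get(vtype, "unknown-%d" % vtype), sub[2:vlen]))
                sub = sub[vlen:]
        pos += alen
    return out

def profiles_in_order(vsas):
    """timetra-profile values in the order the server sent them (the guide says
    the sequence matters); more than eight profiles for one user is rejected."""
    names = [v.decode() for n, v in vsas if n == "timetra-profile"]
    if len(names) > MAX_PROFILES:
        raise ValueError("more than %d profiles for one user" % MAX_PROFILES)
    return names

# Constructed sample Access-Accept attribute list: User-Name (type 1) followed
# by the VSAs a user entry would carry (values are placeholders).
SAMPLE_ATTRS = (struct.pack("!BB", 1, 7) + b"alice"
                + encode_vsa("timetra-access", b"console")
                + encode_vsa("timetra-profile", b"administrative")
                + encode_vsa("timetra-profile", b"default")
                + encode_vsa("timetra-default-action", b"deny-all"))
```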