« Version 4.1 - 5.5.e IEEE 802.1x | Main | Version 4.1 - 5.6 Cisco Identity Services Engine (ISE) Part 1 »

Version 4.1 - 5.5.f VSAs

VSAs are Vendor-Specific Attributes. These were touched on in the RADIUS section. Let me repeat the link to the Cisco PDF on VSAs.

VSAs are specified in Attribute 26 of a RADIUS packet.

Attribute 26 contains the following three elements:
• Type
• Length
• String (also known as data)
– Vendor-Id
– Vendor-Type
– Vendor-Length
– Vendor-Data

A defined code is used to identify a particular vendor. Code 9 defines Cisco VSAs, 311 defines Microsoft VSAs, and 529 defines Ascend VSAs.

For example - Attribute 26 uses the Vendor-Specific Company Code 311 with a Sub-Type number of 1 for MSCHAP-Response. Code 311 with a Sub-Type of 11 is for MSCHAP-Challenge.

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format:

protocol:attribute sep value

Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. For example:

cisco-avpair= "ip:addr-pool=first"
cisco-avpair= "shell:priv-lvl=15"

The first example causes Cisco's multiple named IP address pools feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a NAS prompt user to have immediate access to EXEC commands.

The above is about all you'll find for examples. However I found another doc TACACS+ and RADIUS Attributes for Various Cisco and Non-Cisco Devices Configuration Example. It may be worth browsing. If you look at the device list, you may see some familiar names.

Device List
Aggregation Services Routers (ASR)
Application Control Engine (ACE)
BlueCoat Packet Shaper
Brocade Switches
Cisco Unity Express (CUE)
Infoblox
Intrusion Prevention System (IPS)
Juniper
Nexus Switches
Riverbed
Wireless LAN Controller (WLC)

I don't think they'll get that specific (where you need to memorize tables of code numbers), but you will want to be familiar with this (at least have laid eyes on it before) - because anything is fair game on the exam. And the AV pair syntax is used in DACLs.

Posted by BlueWolf |

Contact Lori

Sections

References

Downloads

RFCS, WHITE PAPERS and CONFIGURATION GUIDES

Powered by
Movable Type 3.2