Vsa Format; Specifying Snmpv3 On Aaa Servers - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Chapter 28 Configuring RADIUS and TACACS+
Configuring RADIUS
Send documentation comments to mdsfeedback-doc@cisco.com.
Cisco MDS 9000 Family CLI Configuration Guide, OL-8222-01, Cisco MDS SAN-OS Release 3.x

general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-avpair. The value is a string with the following format:

protocol : attribute sep value *

Where protocol is a Cisco attribute for a particular type of authorization, sep is = for mandatory attributes, and * is for optional attributes.

When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco SAN-OS software:

• Shell protocol—used in access-accept packets to provide user profile information.
• Accounting protocol—used in accounting-request packets. If a value contains any white spaces, it should be put within double quotation marks.

The following attributes are supported by the Cisco SAN-OS software:

• roles—This attribute lists all the roles to which the user belongs. The value field is a string storing the list of group names delimited by white space. For example, if you belong to roles vsan-admin and storage-admin, the value field would be "vsan-admin storage-admin." This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These are two examples using the roles attribute:

shell:roles="network-admin vsan-admin"
shell:roles*"network-admin vsan-admin"

When a VSA is specified as shell:roles*"network-admin vsan-admin", this VSA is flagged as an optional attribute, and other Cisco devices ignore this attribute.

• accountinginfo—This attribute stores additional accounting information besides the attributes covered by a standard RADIUS accounting protocol. This attribute is only sent in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying SNMPv3 on AAA Servers

The vendor/custom attribute cisco-av-pair can be used to specify the user's role mapping using the format:

shell:roles="roleA roleB ..."

If the role option in the cisco-av-pair attribute is not set, the default user role is network-operator.

The VSA format optionally specifies your SNMPv3 authentication and privacy protocol attributes also, as follows:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.
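As an added example (not Cisco's code and not taken from the guide), the following parser models the cisco-av-pair value format described above: it splits protocol : attribute sep value tokens, records whether the roles option was flagged mandatory (=) or optional (*), applies the network-operator default role and the MD5/DES SNMPv3 defaults, and rejects options outside the supported sets instead of passing them through. The AuthzProfile type and the rejected list are constructs of this example.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Defaults stated in the guide: role when none is set, and SNMPv3 protocols
# when the snmpv3 options are absent from the cisco-av-pair attribute.
DEFAULT_ROLE = "network-operator"
DEFAULT_SNMPV3 = {"auth": "MD5", "priv": "DES"}
VALID_AUTH = {"SHA", "MD5"}
VALID_PRIV = {"AES-128", "DES"}


@dataclass
class AuthzProfile:               # constructed result type, not a Cisco structure
    roles: List[str]
    roles_mandatory: bool         # True when sep was "=", False when it was "*"
    snmpv3: Dict[str, str]
    rejected: List[str] = field(default_factory=list)


def _split_token(token: str, protocol: str) -> Tuple[str, str, bool, str]:
    """Split one 'protocol:attribute sep value' token; the protocol prefix may be
    omitted on later tokens (e.g. 'priv=AES-128' after 'snmpv3:auth=SHA')."""
    head, _, rest = token.partition(":")
    if rest and "=" not in head and "*" not in head:
        protocol, token = head, rest
    for i, ch in enumerate(token):
        if ch in "=*":
            return protocol, token[:i], ch == "=", token[i + 1:]
    raise ValueError(f"no '=' or '*' separator in av-pair token: {token!r}")


def parse_cisco_avpair(value: str) -> AuthzProfile:
    """Parse e.g. 'shell:roles="network-admin vsan-admin" snmpv3:auth=SHA priv=AES-128'."""
    roles: List[str] = []
    mandatory = False
    snmpv3 = dict(DEFAULT_SNMPV3)
    rejected: List[str] = []
    protocol = ""
    for tok in shlex.split(value):  # shlex honours the quotes that protect white space
        protocol, attr, is_mandatory, val = _split_token(tok, protocol)
        if protocol == "shell" and attr == "roles":
            roles, mandatory = val.split(), is_mandatory
        elif protocol == "snmpv3" and attr == "auth" and val in VALID_AUTH:
            snmpv3["auth"] = val
        elif protocol == "snmpv3" and attr == "priv" and val in VALID_PRIV:
            snmpv3["priv"] = val
        else:
            rejected.append(tok)  # unknown or unsupported option: never grant it silently
    return AuthzProfile(roles or [DEFAULT_ROLE], mandatory, snmpv3, rejected)
```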
