The Extended NAS-Port-Type and NAS-Port Support feature allows you to identify what service type is taking place on specific ports with non-RADIUS RFC supported types. You have the flexibility to use your own coding mechanism to track users or to track shared resources, such as Ethernet or ATM interfaces, as you identify traffic based on the service type.
RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile. NAS-Port-Type (RADIUS IETF attribute 61) indicates the type of physical port the network access server (NAS) is using to authenticate the user. NAS-Port-ID (RADIUS IETF attribute 87) contains a text string that identifies the NAS port that is authenticating the user.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prior to the attribute 61 extension, attribute 61 allowed you to identify virtual or Ethernet resources only. Now, by enabling the extended attribute 61 you can also do the following:
The benefits of using the extended attribute 61 are as follows:
The value for the extended 61 attribute can be any number you choose. Customizing your own value is useful when you need to distinguish between NAS port types based on the type of end client using a port. For example, if you want to track mobile clients behind a specific private virtual connection (PVC), you can define your own attribute 61 value for mobile clients.
The non-RFC compliant broadband service port types with their corresponding values that can be set with the extended attribute 61 are shown in the table below.
Table 1 | Service Port Types and Corresponding RADIUS Values |
Service Port Type | RADIUS Value |
---|---|
Wireless - IEEE 802.16 | 27 |
PPPoA | 30 |
PPPoEoA | 31 |
PPPoEoE | 32 |
PPPoEoVLAN | 33 |
PPPoEoQinQ | 34 |
NAS-Port (RADIUS attribute 5) indicates the physical NAS port number that is authenticating the user. A logical port can be represented by the virtual path identifier (VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for an Ethernet interface.
Each platform and service may have different port information that is relevant to its environment; therefore, there is no unique way to populate this attribute. There are four service-specific nonconfigurable formats (a, b, c, and d) and one configurable format (e) that can be tailored to customer and platform needs.
Previously, format e allowed customization of only one global format for all call types on a device, which was limiting for devices that carried multiple services. With the extended attribute 5 support, you can configure a custom format e string for any service type based on the value of attribute 61. When building the RADIUS access or accounting request, the encoding routine applies the format e string defined for the session's attribute 61 value.
Note |
Setting a specific format e string for the value of attribute 61 overrides the default global format e string. |
The radius-server attribute nas-port format command supports the custom format e string with the type nas-port-type keyword and argument. The type keyword allows you to specify format strings to represent physical port types for any of the extended NAS-Port-Type values.
The relationship between extended attribute 61 and extended attribute 5 support is that the format e string chosen by the encoding routine will depend on the value of attribute 61 for the session. If you use the extended attribute 61 values (values 30-34) and want to further customize the NAS port type, configure a different format string.
For example, you can specify the string "SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC" for type 30 (all PPPoA ports), and you can also specify the string "SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV" for type 33 (all PPPoEoVLAN ports). In this case, you can track VPI/VCI-specific information for a PPPoA user and VLAN-specific information for a PPPoEoVLAN user.
Note |
If you enable the extended attribute 61, format e with either type 5 (Virtual) or type 15 (Ethernet) will not function, because these types require an additional value to be set (extended attribute 61 values 30-34). |
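The following Python example is added here and is not part of the Cisco documentation. It decodes a 32-bit NAS-Port value with the format e string selected by NAS-Port-Type, using the strings from the running-config output on this page; the letter-to-field names, the one-character-per-bit layout (most significant bit first), and the sample value are assumptions.

```python
from itertools import groupby

# Format e strings as they appear in the running-config output on this page,
# keyed by NAS-Port-Type (attribute 61); None holds the global default string.
FORMATS = {
    None: "SSSSAPPP" + "U" * 24,
    30: "SSSSAPPP" + "I" * 8 + "C" * 16,   # PPPoA
    33: "SSSSAPPP" + "V" * 24,             # PPPoEoVLAN
    34: "SSSSAPPP" + "Q" * 12 + "V" * 12,  # PPPoEoQinQ
}

# ASSUMPTION: the page does not define the letters; these names are illustrative.
FIELD_NAMES = {"S": "slot", "A": "adapter", "P": "port", "I": "vpi",
               "C": "vci", "V": "vlan", "Q": "qinq_id", "U": "session_id"}


def select_format(nas_port_type, formats=FORMATS):
    """A type-specific string overrides the global string (see the Note above)."""
    return formats.get(nas_port_type, formats[None])


def decode_nas_port(value, fmt):
    """Split a 32-bit NAS-Port (attribute 5) value into named fields.

    ASSUMPTION: each format character describes one bit, most significant first.
    """
    if len(fmt) != 32:
        raise ValueError("format e string must be 32 characters")
    if not 0 <= value < 2 ** 32:
        raise ValueError("NAS-Port must fit in 32 bits")
    bits = format(value, "032b")
    fields, pos = {}, 0
    for letter, run in groupby(fmt):
        width = len(list(run))
        name = FIELD_NAMES.get(letter, letter)
        # Shift-and-or so a letter split across two runs still decodes correctly.
        fields[name] = (fields.get(name, 0) << width) | int(bits[pos:pos + width], 2)
        pos += width
    return fields


# Constructed sample: NAS-Port for slot 5, adapter 0, port 0, VPI 1, VCI 33.
SAMPLE_NAS_PORT = 0x50010021

if __name__ == "__main__":
    print(decode_nas_port(SAMPLE_NAS_PORT, select_format(30)))  # correct format
    print(decode_nas_port(SAMPLE_NAS_PORT, select_format(33)))  # wrong format
```

Decoding the sample with the type 33 string instead of the type 30 string yields a VLAN value of 65569 rather than VPI 1 and VCI 33, so an accounting collector must select the string by attribute 61 before attributing a session to a port.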
The NAS-Port-ID (RADIUS attribute 87) contains the character text string identifier of the NAS port that is authenticating the user. This text string typically matches the interface description found under the CLI configuration. This attribute is sent by default under IETF attribute 87; it was previously sent under the Cisco vendor-specific attribute (VSA) Cisco-NAS-Port.
You can override attribute 61 configured globally on the router at an interface or subinterface level.
Use the following task to override all global options on how the extended attribute 61 is sent to any subinterface such as Ethernet, VLAN, Q-in-Q, VC, or VC ranges.
Command or Action | Purpose |
---|---|
Example: Device> enable | Enables privileged EXEC mode. |
Example: Device# configure terminal | Enters global configuration mode. |
Example: Device(config)# interface atm 5/0/0.1 | Enters ATM subinterface mode. |
Example: Device(config-subif)# pvc 1/33 | Enters PVC subinterface mode. |
Example: Device(config-if-atm-vc)# radius attribute nas-port-type 7 | Sets a specific extended attribute 61 value for an interface or subinterface. Select a value for a port type to override the NAS-Port type configured globally. |
Example: Device(config-if-atm-vc)# end | Ends the configuration session and returns to privileged EXEC mode. |
The following example shows how to configure global support for extended NAS-Port-Type ports and how to specify two separate format e strings globally for two different types of ports:
Device# configure terminal
Device(config)# radius-server attribute 61 extended
Device(config)# radius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU
Device(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30
Device(config)# radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33
The following example shows how to customize a format e string and port type for an ATM interface and then how to override the global value set for extended attribute 61 by applying the customer customized NAS port type value of 36 on the ATM interface:
Device# configure terminal
Device(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 36
Device(config)# interface atm 5/0/0.1
Device(config-subif)# pvc 1/33
Device(config-if-atm-vc)# radius attribute nas-port-type 36
The following example displays command output from a configured RADIUS command, where extended attribute 61 is enabled. You can use the delimiting characters to display only the relevant parts of the configuration.
Device# show running-config | include radius
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server attribute 61 extended
radius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30
radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 31
radius-server attribute nas-port format e SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV type 32
radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33
radius-server attribute nas-port format e SSSSAPPPQQQQQQQQQQQQVVVVVVVVVVVV type 34
radius-server host 10.76.86.91 auth-port 1645 acct-port 1646
radius-server key rad123
.
.
.
The following example displays command output for a configured RADIUS command, where you have globally specified the format e string for all PPPoA ports (type 30):
Device# show running-config | include radius
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
radius-server attribute nas-port format e SSSSSSSSAAAAAAAAPPPPPPPPIIIIIIII
radius-server attribute nas-port format e SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC type 30
radius-server host 10.76.86.91 auth-port 1645 acct-port 1646
radius-server key rad123
.
.
.
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
Broadband Access Aggregation and DSL commands | Cisco IOS Broadband Access Aggregation and DSL Command Reference |
RADIUS Attributes | RADIUS Attributes |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 2 | Feature Information for Extended NAS-Port-Type and NAS-Port Support |
Feature Name | Releases | Feature Information |
---|---|---|
Extended NAS-Port-Type and NAS-Port Support | 12.3(7)XI1, 12.2(28)SB, 12.2(33)SRC, 15.0(1)M, 15.1(1)SG | The Extended NAS-Port-Type and NAS-Port Support feature allows you to identify what service type is taking place on specific ports with non-RADIUS RFC supported types. This feature was introduced to support the Cisco 10000 series router in Cisco IOS Release 12.3(7)XI1. The following commands were introduced or modified: radius attribute nas-port-type, radius-server attribute 61 extended, radius-server attribute nas-port format. |