
ASR9K BNG and user defined VSAs

dfranjoso
Beginner

Hello All,

I am currently deploying the Cisco ASR9K BNG solution and it needs to be integrated with Cisco ACS 3.3 equipment (yes, that old... going to migrate to a new product in the future). There are several specific attributes needed that are not in the base config of the ACS 3.3, but it seems that I can configure them manually:

'

In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. Vendors you add must be IETF-compliant; therefore, all VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26.

'

This is from the ACS 3.3 configuration manual.

I have never done these user-defined VSAs. Does anyone have experience with this? Will this work?

How can I identify the exact attributes necessary for my implementation to work?

Thanks!

David

Accepted Solutions

xthuijs
Cisco Employee

Hi David,

yes that will work.

Radius is very "simple", it defines attributes in the following format:

attribute-number     string representation     encoding type.

the encoding type is important, because the value you provide on the string representation of the attribute will get encoded in that manner.

For instance, a string value of "105" is 3 bytes with chars "1", "0" and "5". The INT encoding of this will be a single byte with value "105", which is the ASCII letter "i".

Now Attribute number "26" has string representation "vendor-specific". These attributes are encoded slightly differently:

attribute 26, vendor code, vendor length, vendor attribute, vendor value.

for Cisco the vendor code is 9, always.

For the vendor attribute we have some options, for instance:

"1" is the cisco-avpair you may well know.

"2" is cisco-nas-port

250 is SSG command code for instance.

In general, all VSA's follow a string encoding.

So if you have the ability to define a new VENDOR specific attribute, they always start with 26, vendorcode and vendor attribute.

If you like, you add what we call an IETF attribute, that is the first digit (some vendors "stole" some values there like ascend, who was the originator of radius pretty much), they had assigned for instance number 135 for ascend-primary-dns which is encoded as ip address (so 4 octets converted to a ulong value).

Does that clarify your Q at all? In short, yes VSA's are always usable in ANY radius that supports attribute 26.

regards

xander


Thanks Alexander. I had that idea, but I was afraid to overlook something. Looking forward to seeing your talk at Cisco Live.

I'll see you in Orlando David! My session is on Wednesday the 25th at noon time.

cheers

xander
