The 7210 SAS supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Nokia defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the vendor ID number.
The PE-record entry is required to support the RADIUS Discovery for Layer 2 VPN feature. A PE-record is only relevant if the RADIUS Discovery feature is used, not for the standard RADIUS setup.
The following RADIUS vendor-specific attributes (VSAs) are supported by Nokia:
timetra-access <ftp> <console> <both>
This is a mandatory command that must be configured. This command specifies if the user has FTP and /or console (serial port, Telnet, and SSH) access.
timetra-profile <profile-name>
When configuring this VSA for a user, it is assumed that the user profiles are configured on the local router and the following applies for local and remote authentication:
The authentication-order parameters configured on the router must include the local keyword.
The username may or may not be configured on the router.
The user must be authenticated by the RADIUS server
Up to 8 valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.
If all the preceding conditions are not met, then access to the router is denied and a failed login event/trap is written to the security log:
timetra-default-action <permit-all|deny-all|none>
This is a mandatory command that must be configured even if the timetra-cmd VSA is not used. This command specifies the default action when the user has entered a command and no entry configured in the timetra-cmd VSA for the user resulted in a match condition.
timetra-cmd <match-string>
Configures a command or command subtree as the scope for the match condition.
The command and all subordinate commands in subordinate command levels are specified.
Configure from most specific to least specific. The system exits on the first match; subordinate levels cannot be modified with subsequent action commands. Subordinate level VSAs must be entered before this entry to be effective.
All commands at and below the hierarchy level of the matched command are subject to the timetra-action VSA.
Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters).
One or more timetra-cmd VSAs can be entered followed by a single timetra-action VSA:
timetra-action <deny|permit>
Causes the permit or deny action to be applied to all match strings specified since the last timetra-action VSA.
timetra-home-directory <home-directory string>
Specifies the home directory that applies for the FTP and CLI user. If this VSA is not configured, the home directory is Compact Flash slot 1 (cf1:).
timetra-restrict-to-home-directory <true|false>
Specifies if user access is limited to their home directory (and directories and files subordinate to their home directory). If this VSA is not configured the user is allowed to access the entire file system.
timetra-login-exec <login-exec-string>
Specifies the login exec file that is executed when the user login is successful. If this VSA is not configured no login exec file is applied.
If no VSAs are configured for a user, then the following applies:
The password authentication-order command on the router must include local.
The username must be configured on the router.
The user must be successfully be authenticated by the RADIUS server
A valid profile must exist on the router for this user.
If all of the preceding conditions are not met, then access to the router is denied and a failed login event/trap is written to the security log.
The complete list of TiMetra VSAs is available on a file included on the compact flash shipped with the image.