The 7705 SAR software supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are discussed in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Nokia-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, Nokia's vendor ID number.
"PE-Record" should be added as a new standard attribute in the standard RADIUS dictionary file.
The following RADIUS VSAs are supported by Nokia:
timetra-access <ftp> <console> <both> — this is a mandatory command that must be configured. This command specifies whether the user has FTP and/or console (serial port, Telnet, and SSH) access.
timetra-profile <profile-name> — when configuring this VSA for a user, it is assumed that the user profiles are configured on the local 7705 SAR router and the following applies for local and remote authentication.
The authentication-order parameters configured on the router must include the local keyword.
The username may or may not be configured on the 7705 SAR router.
The user must be authenticated by the RADIUS server.
Up to eight valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.
If any of the above conditions is not met, access to the router is denied and a failed login event/trap is written to the security log.
timetra-default-action <permit-all | deny-all | none> — this is a mandatory command that must be configured even if the timetra-cmd VSA is not used. This command specifies the default action when the user has entered a command and no entry configured in the timetra-cmd VSA for the user resulted in a match condition.
timetra-cmd <match-string> — configures a command or command subtree as the scope for the match condition.
The command and all subordinate commands in subordinate command levels are specified.
Configure from most specific to least specific. The 7705 SAR exits on the first match; subordinate levels cannot be modified with subsequent action commands. Subordinate level VSAs must be entered before this entry to be effective.
All commands at and below the hierarchy level of the matched command are subject to the timetra-action VSA. Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters).
One or more timetra-cmd VSAs can be entered followed by a single timetra-action VSA:
timetra-action <deny | permit> — causes the permit or deny action to be applied to all match strings specified since the last timetra-action VSA.
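The following is an added example, not Nokia code, that models the timetra-cmd / timetra-action / timetra-default-action evaluation described above for a single user: match strings accumulate until a timetra-action, the router stops at the first match (command and subtree), and the default action covers everything else. The sample VSA list and the shadowed() ordering check are constructed for illustration.

```python
# Added example (not Nokia code): models the timetra-cmd / timetra-action /
# timetra-default-action evaluation described above for one RADIUS user.
MAX_CMD_LEN = 254  # limit on one semicolon-separated timetra-cmd string


def build_rules(vsas):
    """vsas: ordered (name, value) pairs from the user's RADIUS entry.
    Each timetra-action binds every match string seen since the previous
    timetra-action. Returns ([(match, action), ...], default_action)."""
    rules, pending, default = [], [], None
    for name, value in vsas:
        if name == "timetra-cmd":
            if len(value) > MAX_CMD_LEN:
                raise ValueError("timetra-cmd longer than 254 characters")
            pending += [m.strip() for m in value.split(";") if m.strip()]
        elif name == "timetra-action":
            rules += [(m, value) for m in pending]
            pending = []
        elif name == "timetra-default-action":
            default = value
    if default is None:
        raise ValueError("timetra-default-action is mandatory")
    return rules, default


def covers(match, command):
    # A match string covers the command itself and its whole subtree.
    return command == match or command.startswith(match + " ")


def authorize(rules, default, command):
    for match, action in rules:  # the router stops at the first match
        if covers(match, command):
            return action
    # "none" is not modelled here; only the two explicit defaults are.
    return {"permit-all": "permit", "deny-all": "deny"}[default]


def shadowed(rules):
    """Match strings that can never fire because an earlier, less specific
    entry already covers them (the most-specific-first ordering mistake)."""
    return [m for i, (m, _) in enumerate(rules)
            if any(covers(p, m) for p, _ in rules[:i])]


# Constructed sample entry, ordered most specific first as required.
SAMPLE_VSAS = [
    ("timetra-default-action", "deny-all"),
    ("timetra-cmd", "configure system security;admin"),
    ("timetra-action", "deny"),
    ("timetra-cmd", "configure system;show"),
    ("timetra-action", "permit"),
]
```

Running shadowed() over a candidate entry before loading it on the RADIUS server catches deny entries that a broader permit listed earlier would silently make unreachable.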
timetra-home-directory <home-directory string> — specifies the home directory that applies for the FTP and CLI user. If this VSA is not configured, the home directory is Compact Flash slot 1 (cf3: on all platforms).
timetra-restrict-to-home-directory <true | false> — specifies if user access is limited to their home directory (and directories and files subordinate to their home directory). If this VSA is not configured, the user is allowed to access the entire file system.
timetra-login-exec <login-exec-string> — specifies the login exec file that is executed when the user login is successful. If this VSA is not configured, no login exec file is applied.
If no VSAs are configured for a user, the following applies.
The password authentication-order command on the 7705 SAR router must include local.
The username must be configured on the 7705 SAR router.
The user must be successfully authenticated by the RADIUS server.
A valid profile must exist on the 7705 SAR router for this user.
If any of the conditions listed above is not met, access to the 7705 SAR router is denied and a failed login event/trap is written to the security log.
For receiving data from the RADIUS server, the following attributes are supported:
Juniper (vendor-id 4874) attributes 4 (Primary DNS server) and 5 (Secondary DNS server)
Redback (vendor-id 2352) attributes 1 (Primary DNS) and 2 (Secondary DNS)
For sending authentication requests, the DSL Forum attributes (vendor-id 3561) 1 (Circuit ID) and 2 (Remote ID) are supported.