The software supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are discussed in RFC 2138. If no VSAs are configured in the RADIUS server, the RADIUS user authenticates with the parameters defined in the default RADIUS user template. If VSAs are configured, all mandatory VSAs must be configured for the RADIUS user to authenticate. It is up to the vendor to specify the format of its VSAs, and the attribute-specific field depends on the vendor's definition of that attribute. The Nokia-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to Nokia's vendor ID, 6527. For a full list of Nokia VSAs, see the dictionary-freeradius.txt file in the support folder of the software distribution.
The following RADIUS vendor-specific attributes (VSAs) are supported by Nokia.
Timetra-Access <ftp | console | both | netconfig | grpc>
This is a mandatory VSA that specifies if the user has FTP, console (serial port, Telnet, and SSH), NETCONF, or gRPC access.
Timetra-Profile <string>
When configuring this VSA for a user, it is assumed that the user profiles are configured on the local router and the following applies for local and remote authentication:
The authentication-order parameters configured on the router must include the local keyword.
The username may or may not be configured on the router.
The user must be authenticated by the RADIUS server.
Up to 8 valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.
If the above conditions are not all met, access to the router is denied and a failed login event/trap is written to the security log.
Timetra-Default-Action <permit-all | deny-all | none>
This is a mandatory VSA that must be configured even if the Timetra-Cmd VSA is not used. It specifies the default action taken when the user enters a command and none of the entries configured in the Timetra-Cmd VSA for that user match it.
Timetra-Cmd <string>
This VSA configures a command or command subtree as the scope for the match condition.
Specifying a command includes that command and all subordinate commands at lower command levels in the match scope.
Timetra-Home-Directory <string>
This VSA specifies a user's home directory.
Timetra-Restrict-To-Home <true | false>
When this VSA is set to true, the user's file system access is restricted to the home directory specified with Timetra-Home-Directory.
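The following Python example, added here and not taken from Nokia's software or from FreeRADIUS, shows how the VSAs above travel inside a RADIUS Vendor-Specific attribute (type 26, vendor ID 6527) and how a verifier can apply the rules stated on this page: the mandatory Timetra-Access and Timetra-Default-Action VSAs must be present, at most 8 Timetra-Profile entries are allowed and their order is preserved, and a Timetra-Restrict-To-Home of true needs a Timetra-Home-Directory to restrict to. The sub-attribute numbers and the integer codes for the enumerated values are assumptions made for the example; take the real ones from dictionary-freeradius.txt. The user name, profile name, and home directory in the sample Access-Accept are constructed values.

```python
"""Added example (not Nokia's or FreeRADIUS's code): encode and decode Nokia
Timetra VSAs in the RFC 2865 Vendor-Specific attribute format and check the
rules stated for them on this page."""
import struct

NOKIA_VENDOR_ID = 6527   # vendor ID given on the page
VENDOR_SPECIFIC = 26     # RADIUS attribute type for Vendor-Specific (RFC 2865)

# ASSUMED sub-attribute numbers and enumeration codes, used only to make the
# example self-contained; the authoritative values are in dictionary-freeradius.txt.
VSA_TYPES = {
    "Timetra-Access": 1,
    "Timetra-Home-Directory": 2,
    "Timetra-Restrict-To-Home": 3,
    "Timetra-Profile": 4,
    "Timetra-Default-Action": 5,
    "Timetra-Cmd": 6,
}
VSA_NAMES = {num: name for name, num in VSA_TYPES.items()}
ENUMS = {
    "Timetra-Access": {"ftp": 1, "console": 2, "both": 3, "netconfig": 4, "grpc": 5},
    "Timetra-Default-Action": {"permit-all": 1, "deny-all": 2, "none": 3},
    "Timetra-Restrict-To-Home": {"true": 1, "false": 2},
}
MANDATORY = ("Timetra-Access", "Timetra-Default-Action")   # stated on the page
MAX_PROFILES = 8                                           # stated on the page


def encode_vsa(name, value):
    """Return one Vendor-Specific attribute carrying a single Nokia sub-attribute:
    type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) data."""
    if name in ENUMS:
        data = struct.pack("!I", ENUMS[name][value])   # enumerations are 4-byte integers
    else:
        data = value.encode("utf-8")                   # everything else is a string
    sub = struct.pack("!BB", VSA_TYPES[name], 2 + len(data)) + data
    body = struct.pack("!I", NOKIA_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def _to_value(name, data):
    """Turn raw sub-attribute bytes back into the dictionary-level value."""
    if name in ENUMS:
        if len(data) != 4:
            raise ValueError(f"{name}: expected 4-byte integer")
        code = struct.unpack("!I", data)[0]
        return {v: k for k, v in ENUMS[name].items()}.get(code, f"unknown({code})")
    return data.decode("utf-8")


def decode_vsas(blob):
    """Walk a run of RADIUS attributes and return [(name, value), ...] for every
    known Nokia VSA, in wire order. Other attributes and other vendors are
    skipped; malformed length fields raise instead of being guessed around."""
    found, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", blob[off + 2:off + 6])[0]
            if vendor == NOKIA_VENDOR_ID:
                vtype, vlen = blob[off + 6], blob[off + 7]
                if vlen < 2 or 6 + vlen > alen:
                    raise ValueError("bad vendor-length")
                name = VSA_NAMES.get(vtype)
                if name is not None:
                    found.append((name, _to_value(name, blob[off + 8:off + 6 + vlen])))
        off += alen
    return found


def check_policy(vsas):
    """Apply the page's rules to decoded (name, value) pairs. Returns a list of
    problems; an empty list means the VSA set is acceptable. No VSAs at all is
    fine: the default RADIUS user template then applies."""
    problems = []
    if not vsas:
        return problems
    names = [n for n, _ in vsas]
    for m in MANDATORY:
        if m not in names:
            problems.append(f"missing mandatory VSA {m}")
    profiles = [v for n, v in vsas if n == "Timetra-Profile"]   # order is significant
    if len(profiles) > MAX_PROFILES:
        problems.append(f"{len(profiles)} profiles exceeds the limit of {MAX_PROFILES}")
    if ("Timetra-Restrict-To-Home", "true") in vsas and "Timetra-Home-Directory" not in names:
        problems.append("Timetra-Restrict-To-Home is true but no Timetra-Home-Directory is set")
    return problems


# Constructed sample Access-Accept attribute run: a User-Name (type 1) followed
# by the Nokia VSAs. Names and paths here are made up for the example.
SAMPLE_ACCEPT = bytes([1, 7]) + b"alice" + b"".join(encode_vsa(n, v) for n, v in [
    ("Timetra-Access", "console"),
    ("Timetra-Profile", "administrative"),
    ("Timetra-Default-Action", "deny-all"),
    ("Timetra-Cmd", "show"),
    ("Timetra-Home-Directory", "cf3:/home/alice"),
    ("Timetra-Restrict-To-Home", "true"),
])

if __name__ == "__main__":
    decoded = decode_vsas(SAMPLE_ACCEPT)
    for name, value in decoded:
        print(f"{name} = {value}")
    print("problems:", check_policy(decoded) or "none")
```

The decoder deliberately refuses malformed length fields rather than clamping them; a RADIUS server or proxy that silently tolerates inconsistent vendor-length values is exactly the kind of parser a reviewer should ask questions about. The policy check reproduces the page's statement that a user with any VSAs configured but a mandatory one missing is not authenticated.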