Using vendor specific attributes (VSAs)
Some RADIUS-based features implemented on switches use VSAs to exchange information with the RADIUS server. The RADIUS Access-Accept packet sent to the switch may carry this vendor-specific information.
The VSAs used for command authorization are:
HP-Command-String: A list of commands (regular expressions) that the user is permitted (or denied) to execute. The commands are delimited by semicolons, and each instance of the attribute must be between 1 and 249 characters long. Multiple instances of this attribute may be present in an Access-Accept packet; the lists are combined. (A single instance may be present in Accounting-Request packets.)
HP-Command-Exception: A flag that specifies whether the commands listed in HP-Command-String are permitted or denied. A zero (0) means permit the listed commands and deny all others (PermitList-DenyOthers); a one (1) means deny the listed commands and permit all others (DenyList-PermitOthers).
The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.
| HP-Command-String | HP-Command-Exception | Description |
|---|---|---|
| Not present | Not present | If command authorization is enabled and the RADIUS server does not provide any authorization attributes in the Access-Accept packet, the user is denied access to the switch. This message appears: "Access denied: no user's authorization info supplied by the RADIUS server." |
| Not present | DenyList-PermitOthers (1) | The authenticated user may execute all commands available on the switch. |
| Not present | PermitList-DenyOthers (0) | The authenticated user may execute only a minimal set of commands (those available by default to any user). |
| Commands list | DenyList-PermitOthers (1) | The authenticated user may execute all commands except those in the commands list. |
| Commands list | PermitList-DenyOthers (0) | The authenticated user may execute only the commands in the commands list, plus the default commands. |
| Commands list | Not present | The authenticated user may execute only the commands in the commands list, plus the default commands. |
| Empty commands list | Not present | The authenticated user may execute only a minimal set of commands (those available by default to any user). |
| Empty commands list | DenyList-PermitOthers (1) | The authenticated user may execute all commands available on the switch. |
| Empty commands list | PermitList-DenyOthers (0) | The authenticated user may execute only a minimal set of commands (those available by default to any user). |

Note that the only fail-closed case is the first row: absent attributes deny the login outright. A DenyList-PermitOthers policy permits every command that the list fails to match, so any gap in the regular expressions widens the user's privileges; PermitList-DenyOthers is the safer default for restricted operator accounts.
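The following is an added example, not code from the original page or from HP switch firmware. It decodes the two HP VSAs from a constructed RADIUS attribute list (RFC 2865 Vendor-Specific attribute, type 26) and then applies the permit/deny matrix above to individual commands. Assumptions not stated on the page: the IANA enterprise number 11 for HP, vendor attribute numbers 2 (HP-Command-String) and 3 (HP-Command-Exception) as used in the FreeRADIUS `dictionary.hp` file, a placeholder set of "default" commands, and that each regular expression must match the whole command line (the page does not say whether the switch anchors its matches, so check that on your platform).

```python
"""Decode HP command-authorization VSAs and apply the permit/deny matrix.

Added illustration; not HP or switch-firmware code. Assumed values: HP vendor
ID 11, vendor attribute numbers 2 and 3 (as in FreeRADIUS dictionary.hp),
full-match regex semantics and a placeholder default-command set.
"""
import re
import struct
from typing import Optional

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for VSAs
HP_VENDOR_ID = 11             # IANA enterprise number for HP (assumption)
HP_COMMAND_STRING = 2         # vendor type per FreeRADIUS dictionary.hp (assumption)
HP_COMMAND_EXCEPTION = 3      # vendor type per FreeRADIUS dictionary.hp (assumption)
PERMIT_LIST_DENY_OTHERS = 0
DENY_LIST_PERMIT_OTHERS = 1
MAX_COMMAND_STRING = 249      # per-instance length limit from the page

# Placeholder for the firmware's built-in minimal command set (constructed).
DEFAULT_COMMANDS = frozenset({"exit", "logout", "help"})


class AccessDenied(Exception):
    """Raised when the Access-Accept carried no authorization attributes at all."""


def build_hp_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode one HP sub-attribute inside a Vendor-Specific (26) attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", HP_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def sample_access_accept() -> bytes:
    """Constructed attribute list of an Access-Accept: a permit list plus flag 0."""
    return (build_hp_vsa(HP_COMMAND_STRING, b"show .*;vlan .*")
            + build_hp_vsa(HP_COMMAND_EXCEPTION, struct.pack("!I", PERMIT_LIST_DENY_OTHERS)))


def decode_hp_vsas(attrs: bytes):
    """Walk a RADIUS attribute list; return (command_strings, exception).

    command_strings is None when no HP-Command-String instance is present,
    otherwise the list of instances in packet order. exception is None when
    HP-Command-Exception is absent.
    """
    command_strings: Optional[list] = None
    exception: Optional[int] = None
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != HP_VENDOR_ID:
            continue                      # another vendor's VSA; ignore it
        vtype, vlen = value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute")
        vdata = value[6:4 + vlen]
        if vtype == HP_COMMAND_STRING:
            text = vdata.decode("ascii")
            if len(text) > MAX_COMMAND_STRING:
                raise ValueError("HP-Command-String longer than 249 characters")
            command_strings = (command_strings or []) + [text]
        elif vtype == HP_COMMAND_EXCEPTION:
            if len(vdata) != 4:
                raise ValueError("HP-Command-Exception must be a 4-byte integer")
            exception = struct.unpack("!I", vdata)[0]
    return command_strings, exception


def authorize(command: str, command_strings: Optional[list], exception: Optional[int]) -> bool:
    """Decide one command using the HP-Command-String / HP-Command-Exception matrix."""
    if command_strings is None and exception is None:
        raise AccessDenied("Access denied: no user's authorization info supplied by the RADIUS server.")
    # Instances are combined; each is a ';'-delimited list of regular expressions.
    patterns = [p for s in (command_strings or []) for p in s.split(";") if p]
    listed = any(re.fullmatch(p, command) for p in patterns)
    if exception == DENY_LIST_PERMIT_OTHERS:
        return not listed                 # deny the listed commands, permit the rest
    # Exception 0 or absent: permit-list semantics; an empty or absent list
    # leaves only the default commands.
    return listed or command in DEFAULT_COMMANDS


if __name__ == "__main__":
    strings, flag = decode_hp_vsas(sample_access_accept())
    for cmd in ("show vlan", "vlan 10", "configure", "exit"):
        print(f"{cmd!r}: {'permit' if authorize(cmd, strings, flag) else 'deny'}")
```

The decoder deliberately fails on malformed lengths rather than skipping them, since a truncated sub-attribute that silently drops HP-Command-Exception would flip a deny list into a permit list. The `AccessDenied` path mirrors the first row of the table: with neither attribute present the login is refused before any command is evaluated.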
The RADIUS server must be configured to support these VSAs. RADIUS server applications differ; the two examples below show how a dictionary file that defines the VSAs can be created for a given RADIUS server application.
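As an added illustration (not one of the page's own examples), here is what such a dictionary definition and a matching reply entry look like for FreeRADIUS. The vendor ID 11 and the vendor attribute numbers 2 and 3 are taken from the FreeRADIUS `dictionary.hp` file and are assumptions here; the value names `Permit-List` and `Deny-List`, the user name and the password are placeholders. Verify the numbers against the dictionary shipped with your server before relying on them.

```text
# dictionary.hp fragment (assumed numbering; check your server's copy)
VENDOR          HP                      11
BEGIN-VENDOR    HP
ATTRIBUTE       HP-Command-String       2       string
ATTRIBUTE       HP-Command-Exception    3       integer
VALUE           HP-Command-Exception    Permit-List     0
VALUE           HP-Command-Exception    Deny-List       1
END-VENDOR      HP

# users file entry: a restricted operator who may only run show and vlan
# commands (plus the switch's default commands). Placeholder credentials.
netops  Cleartext-Password := "change-me"
        HP-Command-String = "show .*;vlan .*",
        HP-Command-Exception = Permit-List
```

Sending `HP-Command-Exception = Deny-List` with the same string would invert the policy and permit everything except `show` and `vlan` commands, which is rarely what a restricted account should get; prefer the permit-list form and enumerate what the role needs.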