Using vendor specific attributes (VSAs)

Some RADIUS-based features implemented on switches use VSAs to exchange information with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain vendor-specific information.

The attributes supported with command authorization are:
  • HP-Command-String: List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.)

  • HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.

The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.

HP command string and exception

| HP-Command-String | HP-Command-Exception | Description |
|---|---|---|
| Not present | Not present | If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server. This message appears: "Access denied: no user's authorization info supplied by the RADIUS server." |
| Not present | DenyList-PermitOthers(1) | Authenticated user is allowed to execute all commands available on the switch. |
| Not present | PermitList-DenyOthers(0) | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
| Commands List | DenyList-PermitOthers(1) | Authenticated user may execute all commands except those in the Commands List. |
| Commands List | PermitList-DenyOthers(0) | Authenticated user can execute only those commands provided in the Commands List, plus the default commands. |
| Commands List | Not present | Authenticated user can only execute commands from the Commands List, plus the default commands. |
| Empty Commands List | Not present | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
| Empty Commands List | DenyList-PermitOthers(1) | Authenticated user is allowed to execute all commands available on the switch. |
| Empty Commands List | PermitList-DenyOthers(0) | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
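The decision matrix above, written out as an added Python example (not code from the switch or the HP documentation) so each row can be checked against a sample command. The default command set and the assumption that each regular expression must match the whole command line are placeholders; the real switch behaviour is not specified on this page.

```python
import re

# HP-Command-Exception values as described in the table.
PERMIT_LIST_DENY_OTHERS = 0
DENY_LIST_PERMIT_OTHERS = 1

# Hypothetical stand-in for the switch's default command set, which is
# switch-specific and not listed on this page.
DEFAULT_COMMANDS = frozenset({"exit", "logout", "show version"})

NO_AUTHZ_INFO = "Access denied: no user's authorization info supplied by the RADIUS server."


def parse_command_strings(values):
    """Split every HP-Command-String value (one per attribute instance)
    on semicolons into regex patterns. An empty value yields no patterns,
    which is the 'Empty Commands List' case in the table."""
    patterns = []
    for value in values:
        if len(value) > 249:
            raise ValueError("HP-Command-String exceeds 249 characters")
        patterns.extend(p.strip() for p in value.split(";") if p.strip())
    return patterns


def matches_list(command, patterns):
    # Assumption: a pattern must match the whole command line.
    return any(re.fullmatch(p, command) for p in patterns)


def authorize(command, command_strings=None, exception=None,
              defaults=DEFAULT_COMMANDS):
    """Decide whether `command` is permitted.
    command_strings: list of HP-Command-String values, None if absent.
    exception: 0, 1, or None if the attribute is absent.
    Returns (allowed, reason)."""
    if command_strings is None and exception is None:
        return False, NO_AUTHZ_INFO
    patterns = parse_command_strings(command_strings or [])
    if exception == DENY_LIST_PERMIT_OTHERS:
        # Listed commands are denied, everything else is permitted.
        if matches_list(command, patterns):
            return False, "denied by HP-Command-String deny list"
        return True, "permitted (not in deny list)"
    # Exception is 0 or absent: only listed commands plus the defaults.
    if command in defaults:
        return True, "default command"
    if matches_list(command, patterns):
        return True, "permitted by HP-Command-String permit list"
    return False, "not in permit list or default set"
```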

You must configure the RADIUS server to provide support for the VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.