Using Vendor Specific Attributes (VSAs)
Some RADIUS-based features implemented on switches use VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific information.
The commands that a user is permitted (or denied) to execute are specified as regular expressions. The system compares each regular expression against the full command name to determine whether the user is allowed to execute the command. For example, assume a RADIUS user is defined as follows:
```
User1
    User-Password = "hpswitch"
    Service-Type = Administrative-User,
    HP-Command-Exception = 1,   # Deny_list
    HP-Command-String = "config"
```
User1 is blocked from executing all commands that contain “config” in the name, which includes the following commands:
- configure
- show running-config (sh run)
- show config
To block User1 from executing only the “configure” command, the regular expression would be:
```
User1
    User-Password = "hpswitch"
    Service-Type = Administrative-User,
    HP-Command-Exception = 1,   # Deny_list
    HP-Command-String = "^configure$"
```
The ^ metacharacter defines the start of the string and the $ metacharacter defines the end of the string. Multiple regular expressions are separated by semi-colons; do not leave a space between the semi-colon and the start of the next regular expression. An HP-Command-String with more than one regular expression defined may therefore look as follows:
```
HP-Command-String = "^configure$;^show running-config$"
```
In this case, User1 is blocked from executing the commands “configure” and “show running-config” but is able to execute the “show config” command.
The VSAs used for commands authorization are:
HP-Command-String: List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.)
HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.
The following table shows the results of using the HP-Command-String and HP-Command-Exception attributes in various combinations.
| HP-Command-String | HP-Command-Exception | Description |
|---|---|---|
| Not present | Not present | If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server. This message appears: "Access denied: no user's authorization info supplied by the RADIUS server." |
| Not present | DenyList-PermitOthers(1) | Authenticated user is allowed to execute all commands available on the switch. |
| Not present | PermitList-DenyOthers(0) | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
| Commands List | DenyList-PermitOthers(1) | Authenticated user may execute all commands except those in the Commands List. |
| Commands List | PermitList-DenyOthers(0) | Authenticated user can execute only those commands provided in the Commands List, plus the default commands. |
| Commands List | Not present | Authenticated user can only execute commands from the Commands List, plus the default commands. |
| Empty Commands List | Not present | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
| Empty Commands List | DenyList-PermitOthers(1) | Authenticated user is allowed to execute all commands available on the switch. |
| Empty Commands List | PermitList-DenyOthers(0) | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
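The matching rules and the table above, as an added Python model of the switch-side decision (not switch firmware or HP code). The default command set and the convention that `None` means "attribute not present" are assumptions made for the example.

```python
import re
from typing import List, Optional

# Assumption: the minimal set of commands available by default to any user.
DEFAULT_COMMANDS = {"exit", "logout", "help"}

DENY_LIST_PERMIT_OTHERS = 1   # HP-Command-Exception = 1
PERMIT_LIST_DENY_OTHERS = 0   # HP-Command-Exception = 0


def parse_command_strings(values: List[str]) -> List[str]:
    """Split every HP-Command-String instance on ';' into regular expressions.

    Several instances may appear in one Access-Accept packet. An empty value
    yields no patterns (the 'Empty Commands List' rows of the table).
    """
    patterns = []
    for value in values:
        if len(value) > 249:
            raise ValueError("HP-Command-String must not exceed 249 characters")
        patterns.extend(p for p in value.split(";") if p)
    return patterns


def authorize(command: str,
              command_strings: Optional[List[str]],
              exception: Optional[int]) -> bool:
    """Return True if the full command name `command` may be executed.

    command_strings is None when the VSA is absent and [""] when it is
    present but empty; exception is None when HP-Command-Exception is absent.
    """
    if command_strings is None and exception is None:
        # No authorization attributes at all: the user is denied access.
        return False
    patterns = parse_command_strings(command_strings or [])
    # Each expression is searched against the full command name, so an
    # unanchored "config" also matches "show running-config" and "show config".
    listed = any(re.search(p, command) for p in patterns)
    if exception == DENY_LIST_PERMIT_OTHERS:
        return not listed
    # Exception 0 or absent: only listed commands plus the defaults.
    return listed or command in DEFAULT_COMMANDS
```

Abbreviated input such as `sh run` is assumed to have been expanded to the full command name before `authorize` is called.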
You must configure the RADIUS server to provide support for the VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.