Configuring the RADIUS attribute translation feature
About RADIUS attribute translation
The RADIUS attribute translation feature enables the device to work correctly with RADIUS servers from different vendors whose RADIUS attributes are incompatible with the device.
RADIUS attribute translation has the following implementations:
Attribute conversion—Converts source RADIUS attributes into destination RADIUS attributes based on RADIUS attribute conversion rules.
Attribute rejection—Rejects RADIUS attributes based on RADIUS attribute rejection rules.
When the RADIUS attribute translation feature is enabled, the device processes RADIUS packets as follows:
For the sent RADIUS packets:
   - Deletes the rejected attributes from the packets.
   - Uses the destination RADIUS attributes to replace the attributes that match RADIUS attribute conversion rules in the packets.
For the received RADIUS packets:
   - Ignores the rejected attributes in the packets.
   - Interprets the attributes that match RADIUS attribute conversion rules as the destination RADIUS attributes.
To identify proprietary RADIUS attributes, you can define the attributes as extended RADIUS attributes, and then convert the extended RADIUS attributes to device-supported attributes.
Restrictions and guidelines for RADIUS attribute translation configuration
For a given RADIUS attribute, configure either conversion rules or rejection rules, not both.
For a given RADIUS attribute, configure either direction-based rules or packet type-based rules, not both.
For direction-based translation of a RADIUS attribute, you can configure a rule for each direction (inbound or outbound). For packet type-based translation of a RADIUS attribute, you can configure a rule for each RADIUS packet type (RADIUS Access-Accept, RADIUS Access-Request, or RADIUS accounting).
Configuring the RADIUS attribute translation feature for a RADIUS scheme
1. Enter system view.
   system-view
2. (Optional.) Define an extended RADIUS attribute.
   radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }
3. Enter RADIUS scheme view.
   radius scheme radius-scheme-name
4. Enable the RADIUS attribute translation feature.
   attribute translate
   By default, this feature is disabled.
5. Configure a RADIUS attribute conversion rule or a RADIUS attribute rejection rule. Choose the following tasks as needed:
   - Configure a RADIUS attribute conversion rule.
     attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }
     By default, no RADIUS attribute conversion rules are configured.
   - Configure a RADIUS attribute rejection rule.
     attribute reject attr-name { { access-accept | access-request | accounting } * | { received | sent } * }
     By default, no RADIUS attribute rejection rules are configured.
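The following Python sketch is an added example, not vendor code. It parses the RADIUS scheme view rule lines shown above, checks them against the restrictions listed earlier, and models how a packet's attribute list is handled in each direction. The attribute names in the sample are constructed placeholders, and the model is a simplification for auditing a configuration offline.

```python
from collections import namedtuple

DIRECTIONS = {"received", "sent"}
PACKET_TYPES = {"access-accept", "access-request", "accounting"}
Rule = namedtuple("Rule", "action src dest scope")

def parse_rule(line):
    """Parse one 'attribute convert' or 'attribute reject' line (RADIUS scheme view)."""
    w = line.split()
    if w[:2] == ["attribute", "convert"] and len(w) > 5 and w[3] == "to":
        return Rule("convert", w[2], w[4], frozenset(w[5:]))
    if w[:2] == ["attribute", "reject"] and len(w) > 3:
        return Rule("reject", w[2], None, frozenset(w[3:]))
    raise ValueError("not a translation rule: " + line)

def check_rules(rules):
    """Return one message per violation of the restrictions listed on the page."""
    problems, seen = [], {}
    for r in rules:
        by_dir = r.scope <= DIRECTIONS
        if not (by_dir or r.scope <= PACKET_TYPES):
            problems.append(r.src + ": scope must be directions only or packet types only")
            continue
        for prev in seen.setdefault(r.src, []):
            if prev.action != r.action:
                problems.append(r.src + ": has both conversion and rejection rules")
            elif (prev.scope <= DIRECTIONS) != by_dir:
                problems.append(r.src + ": has both direction and packet-type rules")
            elif prev.scope & r.scope:
                problems.append(r.src + ": more than one rule for " + min(prev.scope & r.scope))
        seen[r.src].append(r)
    return problems

def translate(attrs, rules, direction, packet_type):
    """Model the handling of a packet's (name, value) attribute list."""
    out = []
    for name, value in attrs:
        rule = next((r for r in rules if r.src == name
                     and (direction in r.scope or packet_type in r.scope)), None)
        if rule is None:
            out.append((name, value))        # no rule: attribute passes unchanged
        elif rule.action == "convert":
            out.append((rule.dest, value))   # treated as the destination attribute
        # reject: deleted from sent packets, ignored in received packets
    return out

# Constructed sample configuration; the attribute names are placeholders.
SAMPLE = [parse_rule(l) for l in (
    "attribute convert Vendor-Role to Filter-Id received",
    "attribute reject Class access-request accounting",
)]
```

Running `check_rules` over the rule lines of a scheme before deployment surfaces an attribute that is silently stripped or remapped by conflicting rules.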
Configuring the RADIUS attribute translation feature for a RADIUS DAS
1. Enter system view.
   system-view
2. (Optional.) Define an extended RADIUS attribute.
   radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }
3. Enter RADIUS DAS view.
   radius dynamic-author server
4. Enable the RADIUS attribute translation feature.
   attribute translate
   By default, this feature is disabled.
5. Configure a RADIUS attribute conversion rule or a RADIUS attribute rejection rule. Choose the following tasks as needed:
   - Configure a RADIUS attribute conversion rule.
     attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }
     By default, no RADIUS attribute conversion rules are configured.
   - Configure a RADIUS attribute rejection rule.
     attribute reject attr-name { { coa-ack | coa-request } * | { received | sent } * }
     By default, no RADIUS attribute rejection rules are configured.