Aaa Authorization; Radius Accounting; Vendor-Specific Radius Attributes - Cisco Catalyst 2960-X Security Configuration Manual

Configuring RADIUS
sent to different UDP ports on a server at the same IP address. If you configure two different host entries on
the same RADIUS server for the same service, (for example, accounting), the second configured host entry
acts as a fail-over backup to the first one. If the first host entry fails to provide accounting services, the network
access server tries the second host entry configured on the same device for accounting services. (The RADIUS
host entries are tried in the order in which they are configured.)
Related Topics
Defining AAA Server Groups, on page 88

AAA Authorization

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch
uses information retrieved from the user's profile, which is in the local user database or on the security server,
to configure the user's session. The user is granted access to a requested service only if the information in the
user profile allows it.
Related Topics
Configuring RADIUS Authorization for User Privileged Access and Network Services, on page 90

RADIUS Accounting

The AAA accounting feature tracks the services that users are using and the amount of network resources that
they are consuming. When you enable AAA accounting, the switch reports user activity to the RADIUS
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. You can then analyze the data for network management, client
billing, or auditing.
Related Topics
Starting RADIUS Accounting, on page 92

Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the switch and the RADIUS server by using the vendor-specific attribute
(attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not
suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using
the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type
1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value
are an appropriate attributevalue (AV) pair defined in the Cisco TACACS+ specification, and sep is = for
mandatory attributes and is * for optional attributes. The full set of features available for TACACS+
authorization can then be used for RADIUS.
OL-29048-01
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
AAA Authorization
71