Vendor-Specific Attributes (Vsas) - Alcatel-Lucent 7210 SAS E OS System Management Manual

Vendor-Specific Attributes (VSAs)

The software supports the configuration of Alcatel-Lucent-specific RADIUS attributes. These
attributes are known as vendor-specific attributes (VSAs) and are discussed in RFC 2138. VSAs
must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the
format of their VSA. The attribute-specific field is dependent on the vendor's definition of that
attribute. The Alcatel-Lucent-defined attributes are encapsulated in a RADIUS vendor-specific
attribute with the vendor ID field set to 6527, the vendor ID number.

Note that the PE-record entry is required in order to support the RADIUS Discovery for Layer 2
VPN feature. Note that a PE-record is only relevant if the RADIUS Discovery feature is used, not
for the standard RADIUS setup.

The following RADIUS vendor-specific attributes (VSAs) are supported by Alcatel-Lucent.
timetra-access <ftp> <console> <both> — This is a mandatory command that
must be configured. This command specifies if the user has FTP and/or console (serial
port, Telnet, and SSH) access.

timetra-profile <profile-name> — When configuring this VSA for a user, it is
assumed that the user profiles are configured on the local router and the following applies
for local and remote authentication:
1. The authentication-order parameters configured on the router must include the
local keyword.
2. The user name may or may not be configured on the router.
3. The user must be authenticated by the RADIUS server
4. Up to 8 valid profiles can exist on the router for a user. The sequence in which the
profiles are specified is relevant. The most explicit matching criteria must be ordered first.
The process stops when the first complete match is found.
If all the above mentioned conditions are not met, then access to the router is denied and a
failed login event/trap is written to the security log.

timetra-default-action <permit-all|deny-all|none> — This is a mandatory
command that must be configured even if the timetra-cmd VSA is not used. This
command specifies the default action when the user has entered a command and no entry
configured in the timetra-cmd VSA for the user resulted in a match condition.

timetra-cmd <match-string> — Configures a command or command subtree as the
scope for the match condition.
The command and all subordinate commands in subordinate command levels are
specified.
Configure from most specific to least specific. The implementation exits on the first
match, subordinate levels cannot be modified with subsequent action commands.
Subordinate level VSAs must be entered prior to this entry to be effective.

7210 SAS-E OS System Management Guide, Page 28
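The first-match rule described for timetra-cmd and the fallback to timetra-default-action can be checked offline before a user entry is deployed. The sketch below is an added example, not code from the manual or from Alcatel-Lucent; it assumes that each timetra-cmd entry carries a permit or deny action, that a match-string covers a command when it is a token-wise prefix of it, and that `none` ends in a deny when nothing else decides. The function names and sample entries are constructed for illustration.

```python
# Added example: audit an ordered list of timetra-cmd entries for one user.
# Assumptions (not from the manual): every entry is (match-string, action),
# and a match-string covers a command and its whole subtree by token prefix.

DEFAULTS = {"permit-all": "permit", "deny-all": "deny", "none": "deny"}


def covers(match, command):
    """True when `match` names `command` itself or one of its parent levels."""
    m, c = match.split(), command.split()
    return len(m) <= len(c) and c[:len(m)] == m


def authorize(entries, default_action, command):
    """Return 'permit' or 'deny'; evaluation exits on the first match."""
    for match, action in entries:
        if covers(match, command):
            return action
    # No timetra-cmd entry matched: timetra-default-action decides.
    return DEFAULTS[default_action]


def shadowed(entries):
    """Entries that can never take effect because an earlier, less specific
    entry already covers them. Returns (index, match, earlier_match)."""
    findings = []
    for i, (match, _) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if covers(earlier, match):
                findings.append((i, match, earlier))
                break
    return findings


# Constructed sample data: the deny on the security subtree is listed last,
# so the broader "configure" permit wins and the deny is never reached.
MISORDERED = [("show", "permit"),
              ("configure", "permit"),
              ("configure system security", "deny")]

# Same intent, ordered from most specific to least specific.
ORDERED = [("configure system security", "deny"),
           ("configure", "permit"),
           ("show", "permit")]

if __name__ == "__main__":
    cmd = "configure system security user"
    print("misordered:", authorize(MISORDERED, "deny-all", cmd))
    print("ordered:   ", authorize(ORDERED, "deny-all", cmd))
    print("shadowed:  ", shadowed(MISORDERED))
```

Running `shadowed()` over each user's entries before they reach the RADIUS server catches a restrictive subordinate entry that a broader entry has silently overridden.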
