attribute

Configures RADIUS Framed-MTU attribute used in access and accounting requests. The Framed-MTU attribute reduces the EAP (Extensible Authentication Protocol) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation.

To ensure network security, some firewall software drops UDP fragments. This affects EAP packets from the RADIUS server, which are fragmented because they are large. Using Framed MTU (Maximum Transmission Unit) reduces the packet size. EAP authentication uses Framed MTU to notify the RADIUS server about the MTU negotiation with the client. As a result, the RADIUS server's communications with the client do not include EAP messages that cannot be delivered over the network.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|
cisco-vsa|framed-ip-address|framed-mtu|location-information|nas-ip-address|nas-ipv6-address|
operator-name|service-type]
attribute acct-delay-time
attribute acct-multi-session-id
attribute chargeable-user-identity
attribute cisco-vsa audit-session-id
attribute framed-ip-address
attribute framed-mtu <100-1500>
attribute location-information [include-always|none|server-requested]
attribute nas-ip-address <WORD>
attribute nas-ipv6-address
attribute operator-name <OPERATOR-NAME>
attribute service-type [framed|login]

Parameters

attribute acct-delay-time

acct-delay-time

Enables support for accounting-delay-time attribute in accounting requests. When enabled, this attribute indicates the number of seconds the client has been trying to send a request to the accounting server. By subtracting this value from the time the packet is received by the server, the system is able to calculate the time of a request-generating event. Note, the network transit time is ignored. This option is disabled by default.

Including the acct-delay-time attribute in accounting requests updates the acct-delay-time value whenever the packet is retransmitted. This changes the content of the attributes field, requiring a new identifier and request authenticator.
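The following is an added example, not part of the original documentation or the product's code. It builds an RFC 2866 Accounting-Request carrying Acct-Delay-Time and shows why a retransmission with an updated delay needs a new identifier and request authenticator, and how the server recovers the event time. The shared secret, identifiers, and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
ACCT_STATUS_TYPE = 40    # attribute type; value 1 = Start
ACCT_DELAY_TIME = 41     # attribute type; 32-bit count of seconds
SECRET = b"constructed-shared-secret"  # sample value, not from the page

def int_attr(attr_type: int, value: int) -> bytes:
    """Encode a 32-bit integer attribute as Type, Length (6), Value."""
    return struct.pack("!BBI", attr_type, 6, value)

def authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code | Identifier | Length | 16 zero octets | attributes | secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def accounting_request(identifier: int, delay: int, secret: bytes) -> bytes:
    """Build an Accounting-Request (Start) carrying Acct-Delay-Time = delay."""
    attrs = int_attr(ACCT_STATUS_TYPE, 1) + int_attr(ACCT_DELAY_TIME, delay)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator(header, attrs, secret) + attrs

def event_time(packet: bytes, secret: bytes, received_at: int) -> int:
    """Server side: verify the authenticator, then subtract Acct-Delay-Time."""
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(authenticator(header, attrs, secret), received_auth):
        raise ValueError("Request Authenticator does not match packet contents")
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        if attr_type == ACCT_DELAY_TIME and attr_len == 6:
            return received_at - struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += attr_len
    return received_at  # attribute absent: no correction possible

def stale_retransmission(original: bytes, new_delay: int) -> bytes:
    """Update only the delay, reusing the old identifier and authenticator."""
    return original[:-4] + struct.pack("!I", new_delay)

if __name__ == "__main__":
    first = accounting_request(7, 0, SECRET)   # sent at t=1000, lost
    retry = accounting_request(8, 5, SECRET)   # rebuilt and sent at t=1005
    print(event_time(retry, SECRET, received_at=1005))
```

A packet produced by `stale_retransmission` fails verification in `event_time`, because the authenticator covers the attributes field.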

attribute acct-multi-session-id

acct-multi-session-id

Enables support for accounting-multi-session-id attribute. When enabled, it allows linking of multiple related sessions of a roaming client. This option is useful in scenarios where a client roaming between access points sends multiple RADIUS accounting requests to different access points. This option is disabled by default.

attribute chargeable-user-identity

chargeable-user-identity

Enables support for chargeable-user-identity attribute. This option is disabled by default.

attribute cisco-vsa audit-session-id

cisco-vsa audit-session-id

Configures the Cisco VSA (Vendor Specific Attribute) included in access requests. This feature is disabled by default.

This VSA allows Cisco's ISE (Identity Services Engine) to validate a requesting client's network compliance, such as the validity of virus definition files (antivirus software or definition files for an anti-spyware software application).

  • audit-session-id – Includes the audit session ID attribute in access requests

The audit session ID is included in access requests when Cisco ISE is configured as an authentication server.

Note: If the Cisco VSA attribute is enabled, configure an additional UDP port to listen for dynamic authorization messages from the Cisco ISE server. For more information, see service.

attribute framed-ip-address

framed-ip-address

Enables inclusion of framed IP address attribute in access and accounting requests. This option is disabled by default.

attribute framed-mtu <100-1500>

framed-mtu <100-1500>

Configures Framed-MTU attribute used in access requests

The Framed-MTU attribute reduces the EAP (Extensible Authentication Protocol) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation. EAP authentication uses Framed-MTU to notify the RADIUS server about the MTU negotiation with the client. The RADIUS server communications with the client do not include EAP messages that cannot be delivered over the network.

  • <100-1500> – Specify the Framed-MTU attribute value from 100 - 1500. The default value is 1400.
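The following is an added example, not part of the original documentation or the product's code. It wraps a full-size EAP packet in a RADIUS Access-Challenge and computes the resulting IPv4 datagram size, showing why the default of 1400 stays within a 1500-byte path while 1500 does not. Assumptions: the server sends EAP packets as large as Framed-MTU, the State attribute is 16 octets, IPv4 carries no options, and the path MTU is 1500.

```python
import struct

ACCESS_CHALLENGE = 11       # RADIUS packet code (RFC 2865)
STATE = 24                  # RADIUS attribute type (RFC 2865)
EAP_MESSAGE = 79            # RADIUS attribute type (RFC 3579)
MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 3579)
IPV4_UDP_HEADERS = 20 + 8   # IPv4 header without options + UDP header

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length, Value (value is at most 253 octets)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_challenge(eap_packet: bytes, identifier: int = 1) -> bytes:
    """Wrap one EAP packet in an Access-Challenge, split across EAP-Message attributes."""
    attrs = b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253])
                     for i in range(0, len(eap_packet), 253))
    attrs += attr(STATE, bytes(16))                  # assumed 16-octet State
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled, sizing only
    header = struct.pack("!BBH", ACCESS_CHALLENGE, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs                # zero-filled authenticator

def ip_datagram_size(framed_mtu: int) -> int:
    """IPv4 size of an Access-Challenge carrying an EAP packet of framed_mtu octets."""
    return len(access_challenge(bytes(framed_mtu))) + IPV4_UDP_HEADERS

def needs_fragmentation(framed_mtu: int, path_mtu: int = 1500) -> bool:
    """True when the datagram exceeds the path MTU and would be split into fragments."""
    return ip_datagram_size(framed_mtu) > path_mtu

if __name__ == "__main__":
    for mtu in (110, 1400, 1500):  # 110 is the value used in the Examples section
        print(mtu, ip_datagram_size(mtu), needs_fragmentation(mtu))
```

The RADIUS and IP/UDP overhead is what pushes a 1500-octet EAP packet past the path MTU, so the Framed-MTU value must leave room for it.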

attribute location-information [include-always|none|server-requested]

location-information [include-always| none|server-requested]

Enables support for RFC 5580 location information attribute, based on the option selected. The options are:
  • include-always – Always includes location information in RADIUS authentication and accounting messages
  • none – Disables sending of location information in RADIUS authentication and accounting messages. This is the default setting.
  • server-requested – Includes location information in RADIUS authentication and accounting messages only when requested by the server
Note: When enabled, location information is exchanged in authentication and accounting messages.

attribute nas-ip-address <WORD>

nas-ip-address <WORD>

Enables configuration of an IP address, which is used as the RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. If you are using a cluster of small NASs (network access servers) to simulate a large NAS, use this option to improve scalability. The IP address configured using this option allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server.
  • <WORD> – Provide the IPv4 address.

attribute nas-ipv6-address

nas-ipv6-address

Enables support for NAS IPv6 address. This option is disabled by default.

When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6 addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a larger address space.

attribute operator-name <OPERATOR-NAME>

operator-name <OPERATOR-NAME>

Enables support for RFC 5580 operator name attribute. When enabled, the network operator's name is included in all RADIUS authentication and accounting messages and uniquely identifies the access network owner. This option is disabled by default.
  • <OPERATOR-NAME> – Specify the network operator's name (should not exceed 63 characters in length).

attribute service-type [framed|login]

service-type [framed|login]

Configures the service-type (6) attribute value. This attribute identifies the following: the type of service requested and the type of service to be provided.
  • framed – Sets service-type to framed (2) in the authentication packets. When enabled, a framed protocol, PPP (Point-to-Point Protocol) or SLIP (Serial Line Internet Protocol), is started for the client. This is the default setting.
  • login – Sets service-type to login (1) in the authentication packets. When enabled, the client is connected to the host.

Examples

nx9500-6C8809(config-aaa-policy-test)#attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#
nx9500-6C8809(config-aaa-policy-test1)#attribute cisco-vsa audit-session-id
nx9500-6C8809(config-aaa-policy-test1)#show context
aaa-policy test1
 attribute cisco-vsa audit-session-id
nx9500-6C8809(config-aaa-policy-test1)#

Related Commands

no

Resets values or disables commands