Configures RADIUS Framed-MTU attribute used in access and accounting requests. The Framed-MTU attribute reduces the EAP (Extensible Authentication Protocol) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation.
To ensure network security, some firewall software drops UDP fragments from RADIUS server EAP packets. Consequently, the packets are large. Using Framed MTU (Maximum Transmission Unit) reduces the packet size. EAP authentication uses Framed MTU to notify the RADIUS server about the MTU negotiation with the client. The RADIUS server communications with the client do not include EAP messages that cannot be delivered over the network.
attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa|framed-ip-address|framed-mtu|location-information|nas-ip-address|nas-ipv6-address|operator-name|service-type]
attribute acct-delay-time
attribute acct-multi-session-id
attribute chargeable-user-identity
attribute cisco-vsa audit-session-id
attribute framed-ip-address
attribute framed-mtu <100-1500>
attribute location-information [include-always|none|server-requested]
attribute nas-ip-address <WORD>
attribute nas-ipv6-address
attribute operator-name <OPERATOR-NAME>
attribute service-type [framed|login]
attribute acct-delay-time
acct-delay-time | Enables support for accounting-delay-time attribute in accounting requests. When enabled, this attribute indicates the number of seconds the client has been trying to send a request to the accounting server. By subtracting this value from the time the packet is received by the server, the system is able to calculate the time of a request-generating event. Note, the network transit time is ignored. This option is disabled by default. Including the acct-delay-time attribute in accounting requests updates the acct-delay-time value whenever the packet is retransmitted. This changes the content of the attributes field, requiring a new identifier and request authenticator. |
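The retransmission note above, as an added example that is not part of the original reference: it builds an Accounting-Request with Acct-Delay-Time, shows that a changed delay value yields a different request authenticator, and recovers the event time on the server side. The code, attribute numbers and authenticator formula follow RFC 2866; the shared secret, session ID and function names are constructed for illustration.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code, RFC 2866
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 40, 41, 44  # attribute types


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier, delay_seconds, secret):
    """Build an Accounting-Request that carries Acct-Delay-Time."""
    attrs = (
        attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))        # 1 = Start
        + attr(ACCT_SESSION_ID, b"constructed-session-01")  # constructed sample value
        + attr(ACCT_DELAY_TIME, struct.pack("!I", delay_seconds))
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_delay(packet):
    """Return the Acct-Delay-Time value in seconds, or 0 if the attribute is absent."""
    pos = 20  # attributes start after the 20-octet header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ACCT_DELAY_TIME and attr_len == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return 0


def event_time(received_at, packet):
    """Server-side estimate: receive time minus Acct-Delay-Time (transit time ignored)."""
    return received_at - parse_delay(packet)


SECRET = b"constructed-shared-secret"  # constructed sample value
first = build_accounting_request(identifier=7, delay_seconds=0, secret=SECRET)
# Retransmitted 5 s later: the attribute field changed, so a new identifier is used.
retry = build_accounting_request(identifier=8, delay_seconds=5, secret=SECRET)
print(first[4:20].hex(), retry[4:20].hex(), event_time(1005, retry))
```

Both packets resolve to the same event time even though their identifiers and authenticators differ, which is why a server cannot treat the retry as a byte-for-byte duplicate of the first request.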
attribute acct-multi-session-id
acct-multi-session-id | Enables support for accounting-multi-session-id attribute. When enabled, it allows linking of multiple related sessions of a roaming client. This option is useful in scenarios where a client roaming between access points sends multiple RADIUS accounting requests to different access points. This option is disabled by default. |
attribute chargeable-user-identity
chargeable-user-identity | Enables support for chargeable-user-identity attribute. This option is disabled by default. |
attribute cisco-vsa audit-session-id
cisco-vsa audit-session-id | Configures the Cisco VSA (Vendor Specific Attribute) attribute included in access requests. This feature is disabled by default. This VSA allows Cisco's ISE (Identity Services Engine) to validate a requesting client's network compliance, such as the validity of virus definition files (antivirus software or definition files for an anti-spyware software application). The audit session ID is included in access requests when Cisco ISE is configured as an authentication server. Note: If the Cisco VSA attribute is enabled, configure an additional UDP port to listen for dynamic authorization messages from the Cisco ISE server. For more information, see service. |
attribute framed-ip-address
framed-ip-address | Enables inclusion of framed IP address attribute in access and accounting requests. This option is disabled by default. |
attribute framed-mtu <100-1500>
framed-mtu <100-1500> | Configures Framed-MTU attribute used in access requests. The Framed-MTU attribute reduces the EAP (Extensible Authentication Protocol) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation. EAP authentication uses Framed-MTU to notify the RADIUS server about the MTU negotiation with the client. The RADIUS server communications with the client do not include EAP messages that cannot be delivered over the network. |
attribute location-information [include-always|none|server-requested]
location-information [include-always|none|server-requested] | Enables support for RFC 5580 location information attribute, based on the option selected. The options are:
Note: When enabled, location information is exchanged in authentication and accounting messages. |
attribute nas-ip-address <WORD>
nas-ip-address <WORD> | Enables configuration of an IP address, which is used as the RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. If you are using a cluster of small NASs (network access servers) to simulate a large NAS, use this option to improve scalability. The IP address configured using this option allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server. |
attribute nas-ipv6-address
nas-ipv6-address | Enables support for NAS IPv6 address. This option is disabled by default. When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6 addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a larger address space. |
attribute operator-name <OPERATOR-NAME>
operator-name <OPERATOR-NAME> | Enables support for RFC 5580 operator name attribute. When enabled, the network operator's name is included in all RADIUS authentication and accounting messages and uniquely identifies the access network owner. This option is disabled by default. |
attribute service-type [framed|login]
service-type [framed|login] | Configures the service-type (6) attribute value. This attribute identifies the following: the type of service requested and the type of service to be provided. |
nx9500-6C8809(config-aaa-policy-test)#attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#

nx9500-6C8809(config-aaa-policy-test1)#attribute cisco-vsa audit-session-id
nx9500-6C8809(config-aaa-policy-test1)#show context
aaa-policy test1
 attribute cisco-vsa audit-session-id
nx9500-6C8809(config-aaa-policy-test1)#
no | Resets values or disables commands |