Configuring AAA Profiles

An AAA profile is a set of characteristics that act as a pattern that you can assign to domain names. Once you create an AAA profile, you can map it between a PPP client’s domain name and certain AAA services on given interfaces. Using AAA profiles, you can:

• Allow or deny a domain name access to AAA authentication
• Map the original domain name to the mapped domain name for domain name lookup
• Use domain name aliases
• Force tunneling whenever a domain map contains tunnel attributes
• Manually set the NAS-Port-Type attribute (RADIUS attribute 61) for ATM and Ethernet interfaces
• Set the Service-Description attribute (RADIUS attribute 26-53)

An AAA profile contains a set of commands to control access for the incoming PPP subscriber. If no AAA profile is used, AAA continues as normal. The user’s name and domain name are not changed as a result of an AAA profile mapping.

Note: There are two domain names with special meaning. The domain name none indicates that there is no domain name present in the subscriber’s name. For more information about none, see the section Mapping User Requests Without a Valid Domain Name. The domain name default indicates that no other match occurs. For more information about default, see the section Mapping User Requests Without a Configured Domain Name.

Allowing or Denying Domain Names

You can control a PPP subscriber’s access to certain domains on given interfaces. As the administrator, you can use the deny command to prevent PPP subscribers from using unauthorized domain names. Using the allow command, you can allow PPP subscribers to use authorized domain names.

Configuration Example

In this example, the administrator wants to restrict access of a PPP interface to the specific domain abc.com.

1. Create an AAA profile.

   host1(config)#aaa profile restrictToABC

2. Specify the domain name you want to allow.

   host1(config-aaa-profile)#allow abc.com

3. Specify the domain name you want to restrict.

   host1(config-aaa-profile)#deny default

4. Associate the AAA profile to the designated PPP interface.

   host1(config-if)#ppp aaa-profile restrictToABC

When configured as such, the following is a likely scenario:

• PPP passes the AAA profile restrictToABC to AAA in the authentication request.
• AAA performs the following:
  • Receives the authentication request from PPP with the subscriber’s name will@xyz.com.
  • Parses the domain name xyz.com and examines the specified AAA profile restrictToABC.
  • Determines that the AAA profile restrictToABC is valid.
  • Searches restrictToABC for a match on the PPP subscriber’s domain name and finds no match.
  • Searches restrictToABC for a match on the domain name default.
  • Finds a match and denies the user access.

Using Domain Name Aliases

You can translate an original domain name to a new domain name via the translate command. The command allows you to create domain name aliases; that is, the grouping of multiple domain names into a single domain name. You can partition PPP subscribers with the same domain into separate domains, based on the PPP interface.

Note: Partitioning subscribers does not cause modification of a user’s name or domain.

When you use aliases, you greatly simplify the configuration process. When there are a large number of domains and you use aliases, it reduces the configuration volume, thus requiring less NVS and memory usage.

Example 1

In this example, an administrator wants to associate all subscribers of a PPP interface with a specific domain name.

1. Create an AAA profile.

   host1(config)#aaa profile forwardToXyz

2. Map the original domain name to the mapped domain name for domain map lookup.

   host1(config-aaa-profile)#translate default xyz.com

3. Associate the AAA profile with the designated PPP interface.

   host1(config-if)#ppp aaa-profile forwardToXyz

When configured as such, the following scenario is typical:

• PPP passes the AAA profile forwardToXyz to AAA in the authentication request.
• AAA performs the following tasks:
  • Receives the authentication request from PPP with the subscriber’s name morris@abc.com.
  • Parses the domain name abc.com and examines the specified AAA profile forwardToXyz.
  • Determines that the AAA profile forwardToXyz is valid.
  • Searches forwardToXyz for a match on the PPP subscriber’s domain name and finds no match.
  • Searches forwardToXyz for a match on the domain name default.
  • Finds a match and continues as normal using the domain name xyz.com.

    Note: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile. If the user’s name does not contain a domain name, then AAA attempts to match to the domain name none in the AAA profile. If there is no entry for none, then AAA attempts to match for the domain name default in the AAA profile. If there is no entry for either none or default, then AAA continues processing as if there were no AAA profile.

Example 2

In this example, an administrator wants to use aliases; that is, to associate multiple domain names with a specific domain name and not allow other domain names.

1. Create an AAA profile.

   host1(config)#aaa profile toAbc

2. Map the original domain name to the mapped domain name for domain map lookup.

   host1(config-aaa-profile)#translate abc1.com abc.com

   host1(config-aaa-profile)#translate abc2.com abc.com

   host1(config-aaa-profile)#translate abc3.com abc.com

3. Specify the domain name you want to restrict.

   host1(config-aaa-profile)#deny default

4. Associate the AAA profile with the designated PPP interface.

   host1(config-if)#ppp aaa-profile toAbc

When configured as such, the following scenario is typical:

• PPP passes the AAA profile toAbc to AAA in the authentication request.
• AAA:
  • Receives the authentication request from PPP with the subscriber’s name jane@abc1.com
  • Parses the domain name abc1.com and examines the specified AAA profile toAbc
  • Determines that the AAA profile toAbc is valid
  • Searches toAbc for a match on the PPP subscriber’s domain name and finds a match
  • Continues as normal using the domain name abc.com

    Note: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile. If the user’s name does not contain a domain name, then AAA attempts to match to the domain name none in the AAA profile. If there is no entry for none, then AAA attempts to match for the domain name default in the AAA profile. If there is no entry for either none or default, then AAA continues processing as if there were no AAA profile.

aaa profile

• Use to configure a new AAA profile.
• Example

  host1(config)#aaa profile boston123

• Use the no version to delete the AAA profile.
• See aaa profile

allow

• Use to specify the domain name(s) that you want to be allowed access to AAA authentication.
• This command does not indicate that the user will be granted access; it is simply the first access point to AAA authentication.
• Using this command does not implicitly deny all other domains.
• Example

  host1(config-aaa-profile)#allow xyz.com

• Use the no version to negate the command.
• See allow

deny

• Use to specify the domain name(s) that you want to be denied access to AAA authentication.
• Example

  host1(config-aaa-profile)#deny xyz.com

• Use the no version to negate the command.
• See deny

ppp aaa-profile

• Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces.
• The PPP application associates the AAA profile with the interface and passes the AAA profile to AAA for authentication.
• If an AAA profile is deleted after it has been assigned to an interface, AAA will deny the authentication and log a message.
• When you remove an AAA profile, it does not remove any corresponding bindings between PPP interfaces or interface profiles and the AAA profile. If an AAA profile with the same name is added, the interface cannot authenticate until the AAA profile is reassigned.

  Note: Although an AAA profile and an interface profile have similar functionality, they are not related and should be treated differently.

• Example

  host1(config-if)#ppp aaa-profile westford24

• Use the no version to remove the AAA profile assignment.
• See ppp aaa-profile

translate

• Use to map the original domain name to the mapped domain name for domain map lookup.
• This command allows you to group multiple domain names into a single domain name (that is, to use aliases).
• You can use this command to partition PPP subscribers with the same domain into separate domains, based on the PPP interface. By doing this, you do not cause modification of the user’s name or domain.
• Example

  host1(config-aaa-profile)#translate abc.com xyz.com

• Use the no version to negate the command.
• See translate

Manually Setting NAS-Port-Type Attribute

You can manually configure the NAS-Port-Type RADIUS attribute (attribute 61) in AAA profiles for ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the NAS port type for a given connection.

To set the NAS-Port-Type attribute for ATM or Ethernet interfaces:

1. Create an AAA profile.

   host1(config)#aaa profile nasPortType

2. (Optional) Set the NAS-Port-Type attribute for ATM interfaces.

   host1(config-aaa-profile)#nas-port-type atm wireless-80211

3. (Optional) Set the NAS-Port-Type attribute for Ethernet interfaces.

   host1(config-aaa-profile)#nas-port-type ethernet wireless-cable

aaa profile

• Use to create and configure a AAA profile.
• Example

  host1(config)#aaa profile nasPortType

• Use the no version to delete the AAA profile.
• See aaa profile

nas-port-type atm

• Use to specify the RADIUS NAS-Port-Type attribute (61) for ATM interfaces. You can set the attribute to:
  • value—Number in the range 0–65535
  • adsl-cap—Asymmetric DSL, carrierless amplitude phase (CAP) modulation
  • adsl-dmt—Asymmetric DSL, discrete multitone (DMT)
  • cable
  • iapp—Inter Access Point Protocol (IAPP)
  • idsl—ISDN DSL
  • sdsl—Symmetric DSL
  • wireless-1x-ev—Wireless 1xEV
  • wireless-80211—Wireless 802.11
  • wireless-cdma—Wireless code division multiple access (CDMA)
  • wireless-other
  • wireless-umts—Wireless universal mobile telecommunications system (UMTS)
  • xdsl—DSL of unknown type
• Example

  host1(config-aaa-profile)#nas-port-type atm wireless-80211

• Use the no version to remove the NAS-Port-Type setting for ATM interfaces.
• See nas-port-type atm

nas-port-type ethernet

• Use to specify the RADIUS NAS-Port-Type attribute (61) for Ethernet interfaces. You can set the attribute to:
  • value—Number in the range 0–65535
  • cable
  • iapp—IAPP
  • wireless-1x-ev—Wireless 1xEV
  • wireless-80211—Wireless 802.11
  • wireless-cdma—Wireless CDMA
  • wireless-other
  • wireless-umts—Wireless UMTS
• Example

  host1(config-aaa-profile)#nas-port-type ethernet wireless-80211

• Use the no version to remove the NAS-Port-Type setting for Ethernet interfaces.
• See nas-port-type ethernet

Service-Description Attribute

You can specify a service description that will be associated with an AAA profile. The description can then be exported through RADIUS by the Service-Description attribute (RADIUS attribute 26-53) in AAA profiles.

To set the Service-Description attribute:

1. Create the AAA profile.

   host1(config)#aaa profile xyzCorpPro2

2. Set the Service-Description attribute.

   host1(config-aaa-profile)#service-description bos-xyzcorp

aaa profile

• Use to create and configure a AAA profile.
• Example

  host1(config)#aaa profile xyzCorpPro2

• Use the no version to delete the AAA profile.
• See aaa profile

service-description

• Use to specify a description that is associated with the AAA profile. The description can be transmitted to RADIUS in the Service-Description attribute (26-53)
• The service description can be a maximum of 64 characters.
• Example

  host1(config-aaa-profile)#service-description service11

• Use the no version to remove the service description for the profile.
• See service-description