[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring AAA Profiles

An AAA profile is a set of characteristics that act as a pattern that you can assign to domain names. Once you create an AAA profile, you can map it between a PPP client’s domain name and certain AAA services on given interfaces. Using AAA profiles, you can:

Allow or deny a domain name access to AAA authentication
Map the original domain name to the mapped domain name for domain name lookup
Use domain name aliases
Force tunneling whenever a domain map contains tunnel attributes
Manually set the NAS-Port-Type attribute (RADIUS attribute 61) for ATM and Ethernet interfaces
Set the Service-Description attribute (RADIUS attribute 26-53)

An AAA profile contains a set of commands to control access for the incoming PPP subscriber. If no AAA profile is used, AAA continues as normal. The user’s name and domain name are not changed as a result of an AAA profile mapping.

Note: There are two domain names with special meaning. The domain name none indicates that there is no domain name present in the subscriber’s name. For more information about none, see the section Mapping User Requests Without a Valid Domain Name. The domain name default indicates that no other match occurs. For more information about default, see the section Mapping User Requests Without a Configured Domain Name.

Allowing or Denying Domain Names

You can control a PPP subscriber’s access to certain domains on given interfaces. As the administrator, you can use the deny command to prevent PPP subscribers from using unauthorized domain names. Using the allow command, you can allow PPP subscribers to use authorized domain names.

Configuration Example

In this example, the administrator wants to restrict access of a PPP interface to the specific domain abc.com.

Create an AAA profile.host1(config)#aaa profile restrictToABC
Specify the domain name you want to allow.host1(config-aaa-profile)#allow abc.com
Specify the domain name you want to restrict.host1(config-aaa-profile)#deny default
Associate the AAA profile to the designated PPP interface.host1(config-if)#ppp aaa-profile restrictToABC

When configured as such, the following is a likely scenario:

PPP passes the AAA profile restrictToABC to AAA in the authentication request.
AAA performs the following:
- Receives the authentication request from PPP with the subscriber’s name will@xyz.com.
- Parses the domain name xyz.com and examines the specified AAA profile restrictToABC.
- Determines that the AAA profile restrictToABC is valid.
- Searches restrictToABC for a match on the PPP subscriber’s domain name and finds no match.
- Searches restrictToABC for a match on the domain name default.
- Finds a match and denies the user access.

Using Domain Name Aliases

You can translate an original domain name to a new domain name via the translate command. The command allows you to create domain name aliases; that is, the grouping of multiple domain names into a single domain name. You can partition PPP subscribers with the same domain into separate domains, based on the PPP interface.

Note: Partitioning subscribers does not cause modification of a user’s name or domain.

When you use aliases, you greatly simplify the configuration process. When there are a large number of domains and you use aliases, it reduces the configuration volume, thus requiring less NVS and memory usage.

Example 1

In this example, an administrator wants to associate all subscribers of a PPP interface with a specific domain name.

Create an AAA profile.host1(config)#aaa profile forwardToXyz
Map the original domain name to the mapped domain name for domain map lookup.host1(config-aaa-profile)#translate default xyz.com
Associate the AAA profile with the designated PPP interface.host1(config-if)#ppp aaa-profile forwardToXyz

When configured as such, the following scenario is typical:

PPP passes the AAA profile forwardToXyz to AAA in the authentication request.

AAA performs the following tasks:

Receives the authentication request from PPP with the subscriber’s name morris@abc.com.
Parses the domain name abc.com and examines the specified AAA profile forwardToXyz.
Determines that the AAA profile forwardToXyz is valid.
Searches forwardToXyz for a match on the PPP subscriber’s domain name and finds no match.
Searches forwardToXyz for a match on the domain name default.

Finds a match and continues as normal using the domain name xyz.com.

Note: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile.

If the user’s name does not contain a domain name, then AAA attempts to match to the domain name none in the AAA profile. If there is no entry for none, then AAA attempts to match for the domain name default in the AAA profile. If there is no entry for either none or default, then AAA continues processing as if there were no AAA profile.

Example 2

In this example, an administrator wants to use aliases; that is, to associate multiple domain names with a specific domain name and not allow other domain names.

Create an AAA profile.host1(config)#aaa profile toAbc
Map the original domain name to the mapped domain name for domain map lookup.host1(config-aaa-profile)#translate abc1.com abc.com host1(config-aaa-profile)#translate abc2.com abc.com host1(config-aaa-profile)#translate abc3.com abc.com
Specify the domain name you want to restrict.host1(config-aaa-profile)#deny default
Associate the AAA profile with the designated PPP interface.host1(config-if)#ppp aaa-profile toAbc

When configured as such, the following scenario is typical:

PPP passes the AAA profile toAbc to AAA in the authentication request.

AAA:

Receives the authentication request from PPP with the subscriber’s name jane@abc1.com
Parses the domain name abc1.com and examines the specified AAA profile toAbc
Determines that the AAA profile toAbc is valid
Searches toAbc for a match on the PPP subscriber’s domain name and finds a match

Continues as normal using the domain name abc.com

Note: If there is no matching entry in the AAA profile for the user’s domain name or for the domain name default, then AAA continues processing as if there were no AAA profile.

aaa profile

Use to configure a new AAA profile.
Examplehost1(config)#aaa profile boston123
Use the no version to delete the AAA profile.
See aaa profile

allow

Use to specify the domain name(s) that you want to be allowed access to AAA authentication.
This command does not indicate that the user will be granted access; it is simply the first access point to AAA authentication.
Using this command does not implicitly deny all other domains.
Examplehost1(config-aaa-profile)#allow xyz.com
Use the no version to negate the command.
Seeallow

deny

Use to specify the domain name(s) that you want to be denied access to AAA authentication.
Examplehost1(config-aaa-profile)#deny xyz.com
Use the no version to negate the command.
See deny

ppp aaa-profile

Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces.
The PPP application associates the AAA profile with the interface and passes the AAA profile to AAA for authentication.
If an AAA profile is deleted after it has been assigned to an interface, AAA will deny the authentication and log a message.
When you remove an AAA profile, it does not remove any corresponding bindings between PPP interfaces or interface profiles and the AAA profile. If an AAA profile with the same name is added, the interface cannot authenticate until the AAA profile is reassigned.

Note: Although an AAA profile and an interface profile have similar functionality, they are not related and should be treated differently.
Examplehost1(config-if)#ppp aaa-profile westford24
Use the no version to remove the AAA profile assignment.
See ppp aaa-profile

translate

Use to map the original domain name to the mapped domain name for domain map lookup.
This command allows you to group multiple domain names into a single domain name (that is, to use aliases).
You can use this command to partition PPP subscribers with the same domain into separate domains, based on the PPP interface. By doing this, you do not cause modification of the user’s name or domain.
Examplehost1(config-aaa-profile)#translate abc.com xyz.com
Use the no version to negate the command.
See translate

Manually Setting NAS-Port-Type Attribute

You can manually configure the NAS-Port-Type RADIUS attribute (attribute 61) in AAA profiles for ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the NAS port type for a given connection.

To set the NAS-Port-Type attribute for ATM or Ethernet interfaces:

Create an AAA profile.host1(config)#aaa profile nasPortType
(Optional) Set the NAS-Port-Type attribute for ATM interfaces.host1(config-aaa-profile)#nas-port-type atm wireless-80211
(Optional) Set the NAS-Port-Type attribute for Ethernet interfaces.host1(config-aaa-profile)#nas-port-type ethernet wireless-cable

aaa profile

Use to create and configure a AAA profile.
Examplehost1(config)#aaa profile nasPortType
Use the no version to delete the AAA profile.
See aaa profile

nas-port-type atm

Use to specify the RADIUS NAS-Port-Type attribute (61) for ATM interfaces. You can set the attribute to:
- value—Number in the range 0–65535
- adsl-cap—Asymmetric DSL, carrierless amplitude phase (CAP) modulation
- adsl-dmt—Asymmetric DSL, discrete multitone (DMT)
- cable
- iapp—Inter Access Point Protocol (IAPP)
- idsl—ISDN DSL
- sdsl—Symmetric DSL
- wireless-1x-ev—Wireless 1xEV
- wireless-80211—Wireless 802.11
- wireless-cdma—Wireless code division multiple access (CDMA)
- wireless-other
- wireless-umts—Wireless universal mobile telecommunications system (UMTS)
- xdsl—DSL of unknown type
Examplehost1(config-aaa-profile)#nas-port-type atm wireless-80211
Use the no version to remove the NAS-Port-Type setting for ATM interfaces.
See nas-port-type atm

nas-port-type ethernet

Use to specify the RADIUS NAS-Port-Type attribute (61) for Ethernet interfaces. You can set the attribute to:
- value—Number in the range 0–65535
- cable
- iapp—IAPP
- wireless-1x-ev—Wireless 1xEV
- wireless-80211—Wireless 802.11
- wireless-cdma—Wireless CDMA
- wireless-other
- wireless-umts—Wireless UMTS
Examplehost1(config-aaa-profile)#nas-port-type ethernet wireless-80211
Use the no version to remove the NAS-Port-Type setting for Ethernet interfaces.
See nas-port-type ethernet

Service-Description Attribute

You can specify a service description that will be associated with an AAA profile. The description can then be exported through RADIUS by the Service-Description attribute (RADIUS attribute 26-53) in AAA profiles.

To set the Service-Description attribute:

Create the AAA profile.host1(config)#aaa profile xyzCorpPro2
Set the Service-Description attribute.host1(config-aaa-profile)#service-description bos-xyzcorp

aaa profile

Use to create and configure a AAA profile.
Examplehost1(config)#aaa profile xyzCorpPro2
Use the no version to delete the AAA profile.
See aaa profile

service-description

Use to specify a description that is associated with the AAA profile. The description can be transmitted to RADIUS in the Service-Description attribute (26-53)
The service description can be a maximum of 64 characters.
Examplehost1(config-aaa-profile)#service-description service11
Use the no version to remove the service description for the profile.
See service-description

[Contents] [Prev] [Next] [Index] [Report an Error]