ACSv5 – RADIUS Attributes in Authz Responses
Posted by Jim in Tech Notes on December 30, 2011
This is a quick how-to guide on returning RADIUS attributes in ACSv5. After a tweet by Ethan Banks (@ecbanks) it occurred to me that the majority of network engineers out there are used to the ‘old school’ of ACS 4.x. I’ve only really known version 5 – I was actually part of the team who did the initial Beta testing and NAC-RADIUS inter-op testing, so I don’t really have a view of how different it is to version 4. But I found that’s a good thing: when I first started the Beta testing, I was working alongside an ‘old-school’ engineer who’d worked on v4 for a long time, and he was totally confused by v5’s new approach, whereas for me it all seemed to make sense.
Anyway – this was supposed to be a quick how-to on returning RADIUS attributes. Firstly, you can’t define a ‘custom’ IETF attribute (if you could, it wouldn’t be an IETF one), but you can use one of the many pre-defined ones available in the Dictionary.
Q. What’s the Dictionary?
A. In ACSv5, any attribute or value that can be sent or received in an authentication or accounting interaction is defined in the Dictionary. A dictionary entry defines the attribute’s Name and value type (integer, boolean, string, ...) as well as any pre-defined values.
So – in the left navigation, under System Administration -> Configuration -> Dictionaries -> Protocols -> RADIUS -> RADIUS IETF, you’ll find all the RADIUS IETF attributes available to ACS, either for use in a response or to validate against in a rule.
If you’re wondering, RADIUS VSA stands for ‘Vendor Specific Attributes’ – such as Cisco’s AV-PAIR, Microsoft’s CHAP attributes, or Juniper’s ‘Allow commands’.

So how do you make use of these?
RADIUS and other attributes are returned to an authenticating device when a rule in the ‘Authorization Policy’ is hit; however, in the spirit of ‘object-orientated’ doo-hickies, they are not defined directly there. Instead you define an ‘Authorization Profile’ under Policy Elements. The idea is that you can build up authorization responses (a set of attributes, for example) and use them multiple times in multiple Authorization Policies.
Confused yet?
Under Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles – create yourself a new profile and go to the ‘RADIUS Attributes’ tab:

Now you can select and ‘Add’ the attributes you want to use to your Auth Profile, remembering to set the value you want.

The value is set in the bottom box. If it’s a custom value you should be able to enter string text; if it’s predefined or boolean, use the Select button to pick the value it should be.

If you Add an attribute and make a mistake, select it in the list and click ‘Edit’ – this pulls it back down into the boxes, where you edit it and click ‘Replace’ to apply the changes. (The wording of the buttons isn’t great, I’ll admit.)
Name and Submit your new profile and it will now be available under ‘Authorization Policies’ for use.
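To show what a profile like this actually puts on the wire, here is an added example (not from this post or from Cisco) that encodes a few attributes from a constructed mini-dictionary, including a Cisco AV-PAIR carried as a Vendor-Specific attribute, into an Access-Accept, verifies the Response Authenticator the way the NAS does, and decodes the attributes again. The dictionary entries, identifier, Request Authenticator and shared secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed mini-dictionary (assumption; stands in for ACS's RADIUS IETF dictionary): name -> (type number, value type)
DICTIONARY = {"Service-Type": (6, "integer"), "Reply-Message": (18, "string"),
              "Session-Timeout": (27, "integer")}
PREDEFINED = {"Service-Type": {"Login-User": 1, "Framed-User": 2, "NAS-Prompt-User": 7}}
CISCO_VENDOR_ID = 9  # Cisco's IANA enterprise number; cisco-avpair is VSA sub-type 1

def encode_attr(name, value):
    """Encode one dictionary attribute as a RADIUS TLV: type(1) length(1) value."""
    atype, vtype = DICTIONARY[name]
    if vtype == "integer":  # a predefined value name maps to its integer code
        data = struct.pack("!I", int(PREDEFINED.get(name, {}).get(value, value)))
    else:
        data = value.encode()
    return struct.pack("!BB", atype, 2 + len(data)) + data

def encode_cisco_avpair(pair):
    """Wrap a cisco-avpair string in Vendor-Specific (type 26): vendor id + one sub-TLV."""
    sub = struct.pack("!BB", 1, 2 + len(pair)) + pair.encode()
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body

def build_access_accept(identifier, request_auth, secret, attrs):
    """Access-Accept (code 2); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", 2, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response_authenticator(packet, request_auth, secret):
    """The NAS-side check: recompute the authenticator with the shared secret before trusting the attributes."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def decode_attrs(packet):
    """Walk the attribute list; return (type, vendor_id, vendor_subtype, raw_value) per attribute."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")  # truncated header, bad length or over-read
        atype, alen = packet[pos], packet[pos + 1]
        val = packet[pos + 2:pos + alen]
        vendor, sub, data = ((struct.unpack("!I", val[:4])[0], val[4], val[6:4 + val[5]])
                             if atype == 26 else (None, None, val))
        out.append((atype, vendor, sub, data))
        pos += alen
    return out
```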

This really was a ‘quick and dirty’ post. I’ll try to write up the whole ACSv5 approach to authentication, authorization and accounting in the next few days.
Cheers- Jim.