Configuring the RADIUS Server


At the top level of AR are the Administrator object that you just configured and the Radius object. The Radius object specifies the name of the server and other parameters that govern the way AR handles user requests. In configuring this site, you need to change only a few of these properties. This section of the chapter shows you how to configure some basic RADIUS parameters for AR.

Start with this step:

Step 1.

Change to the Radius object, as seen in Example 15-5.

Example 15-5. The Radius Object
  cd Radius/
  [ //localhost/Radius ]
      Name = Radius
      Description =
      Version = 3.0R1
      IncomingScript~ =
      OutgoingScript~ =
      DefaultAuthenticationService~ = local-users
      DefaultAuthorizationService~ = local-users
      DefaultAccountingService~ = local-file
      DefaultSessionService~ =
      DefaultSessionManager~ = session-mgr-1
      UserLists/
      UserGroups/
      Policies/
      Clients/
      Vendors/
      Scripts/
      Services/
      SessionManagers/
      ResourceManagers/
      Profiles/
      Rules/
      Translations/
      TranslationGroups/
      RemoteServers/
      Advanced/
      Replication/

Earlier in this chapter, you saw the sub-objects of the Radius object. Your next step is to configure some basic parameters here. The next subsections take a look at these configurations in more detail.

Checking the System-Level Defaults

When you change to the Radius object, you see the Name, Description, and Version of AR. You might want to give the server a description. If so, use the following steps:

Step 1.

You can edit the description by using the set command. When you enter the command, it echoes back on the screen to you, like so:

 set Description "ACE ISP ACCESS REGISTRAR." 

Step 2.

To verify your work, simply type the ls command.

Other configurations that you can perform are the application of incoming and outgoing scripts. Because this site does not use incoming or outgoing scripts at this time, you do not need to change the scripts' properties (IncomingScript and OutgoingScript). These configurations can be left with the blank default values.

      IncomingScript~ =
      OutgoingScript~ =

Moving on to the authentication, authorization, and accounting (AAA) properties, you can point each service to different lists.

Step 3.

Because the default authentication and authorization properties specify a single user list, you can leave these unchanged as well (DefaultAuthenticationService and DefaultAuthorizationService).

      DefaultAuthenticationService~ = local-users
      DefaultAuthorizationService~ = local-users

Step 4.

Because this is a basic site, all accounting can be sent to a file as well. You can leave the default value here as well using DefaultAccountingService:

 DefaultAccountingService~ = local-file 

Step 5.

Session management is on by default. For a basic site, you might not want to use session management, so it needs to be disabled. To disable session management, use the set command:

   set DefaultSessionManager ""

By using a set of double quotes, you essentially set the value to null, in this case disabling session management. For a small site, session management might be disabled because it has an effect on the performance of AR. Other actions that can affect the health of AR include the following:

  • The rejection of an Access-Request

  • Configuration errors

  • Running out of memory

  • Errors reading from the network

  • Dropping packets that cannot be read (because the server ran out of memory)

  • Errors writing to the network

When you log into aregcmd, you are informed of the health of AR. You can retrieve this information at any time in the command line. To do so, do the following:

Step 1.

From the CLI, enter the status command.

   

Step 2.

Another default value that you might need to change is the set of RADIUS ports. By default, AR listens on ports 1645 and 1646. Because these are not the current RADIUS port assignments, you might want to add 1812 and 1813. This is done in the Ports sub-object of the Advanced sub-object of Radius. To do so, change to the proper object using the cd command, as seen in Example 15-6.

Example 15-6. The Ports Object
  cd Advanced/Ports/
  [ //localhost/Radius/Advanced/Ports ]
      <no ports specified, will be using the well-known ports, 1645, 1646>

Step 3.

Use the add command to add the new ports:

   

Step 4.

Check your work using the ls command:

   

You now have AR configured to perform authentication to a local list and listen on ports 1812 and 1813, and you have disabled session management to conserve the resources of AR. The next step is to add users to the local list that AR compares authentication requests against.

Displaying the UserLists

The UserLists object contains all the individual UserLists, which in turn contain the specific users.

When AR receives an Access-Request, it directs the request to an authentication and/or authorization service based on what you have specified in the DefaultAuthenticationService parameter at the Radius level. If the service has its type set to local-users, the service looks up the user's entry in the specified UserList and authenticates and/or authorizes the user.

Earlier you saw that AR, by default, specifies a DefaultAuthenticationService called local-users that has the type local and uses the default UserList. You can now display the default UserList by following these simple steps:

Step 1.

Use the cd command to change to UserLists/Default:

 --> cd /Radius/UserLists/Default 

Step 2.

Use the ls -R command to display the properties of the three users that are placed there by default, as seen in Example 15-7:

Example 15-7. Viewing the Properties of the Added Users
   

As a result of executing the previous step sequence, you see that Cisco AR displays these three sample users:

  • bob, who is configured as a PPP user

  • jane, who is configured as a Telnet user

  • joe, who is configured as either a PPP or Telnet user depending on how he logs in

Working with Users

The previous section demonstrated the sample users that were already in AR as models. In this section, you configure a few new users for ACE ISP. To do this, you need to access the default UserList and then use the add command to add the users. Follow these steps to add users to the ACE ISP server:

Step 1.

Use the cd command to change to the default UserList.

Step 2.

Use the add command to add a user. You must supply the name, an optional description, a password, whether the user is enabled (that is, is allowed access), and an optional group. The following example adds the user beth with the description Marketing, the password 123, enabled set to TRUE, and the PPP-users group. The options must be entered in the correct order.

  

Step 3.

Repeat for the other users you want to add.

Step 4.

Use the ls command to check your additions:

  

Step 5.

To delete the sample users, or to remove any other user from the ACE ISP AR server, change to the appropriate UserList and use the delete command with the name of the user you want to delete. For example, to delete user beth from the default UserList, type the following:

   beth's profile in AR.

Displaying and Configuring UserGroups

The UserGroups object contains the specific user groups. By default, the three groups are Default, PPP-users, and Telnet-users. The Default group uses the script AuthorizeService to determine the type of service to provide to the user. This group is intended for users that can use PPP and Telnet; if a user can use both, this is where you should place them. The PPP-users group uses the BaseProfile called default-PPP-users to specify the attributes of the PPP service to provide to the user. The Telnet-users group uses the BaseProfile called default-Telnet-users to specify the attributes of the Telnet service to provide to the user.

Specific UserGroups allow you to maintain common authentication and authorization attributes in one location. These groups are referenced in a user profile.

For the ACE ISP, you do not need to change these UserGroups, because this is a basic site. To view the default user groups, follow these steps:

Step 1.

Change to the UserGroups object using the cd command, as seen in Example 15-8.

Example 15-8. Changing to the UserGroups Object
   

Step 2.

Later on, you might want to add or delete groups. You can use the add or delete commands to do so:

  

Step 3.

Check your work with the ls command, as seen in Example 15-9:

Example 15-9. Using ls to Verify the Addition
   

Configuring AAA Clients in AR

The Clients object contains all AAA clients and proxies that communicate with AR. Each client must be identified in AR and have the same secret key configured on both ends. This means that AR must be identified in the AAA client as well.

To add an AAA client to AR, perform the following steps:

Step 1.

Use the cd command to change to the Clients object level, as seen in Example 15-10:

Example 15-10. Changing to the Clients Object
  

Step 2.

Use the add command to add the NAS Airport-AP1:

  

Step 3.

Use the ls command to check your work, as seen in Example 15-11:

Example 15-11. Verify the Addition of an AAA Client
  

Step 4.

Use the cd command to change directory to the Airport-AP1 object, as seen in Example 15-12:

Example 15-12. Changing to the New Object
   

Step 5.

Use the set command to specify the description WestTerminalAP, the IP address 196.168.198.100, and the shared secret key secretapkey. You could also configure incoming scripts that would be applied to this AAA client, as seen in Example 15-13.

Example 15-13. Configuring an AAA Client
  [ //localhost/Radius/Clients/Airport-AP1 ]
      Name = Airport-AP1
      Description =
      IPAddress =
      SharedSecret =
      Type = NAS
      Vendor =
      IncomingScript~ =
      OutgoingScript~ =
      EnablePOD = FALSE

Step 6.

Configure the description of the entry.

  

Step 7.

Configure the IP address of the AAA client.

  

Step 8.

Configure the shared secret key of the AAA client.

   
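The shared secret configured in Step 8 is what ties the NAS to AR on the wire. As an added example (not code from the book or from Cisco AR), the following Python reproduces the two places RFC 2865 uses that secret: hiding User-Password in the Access-Request, and computing the Response Authenticator that a client checks on the reply. The secret value and the Request Authenticator used here are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed value: the shared secret this chapter assigns to Airport-AP1.
SHARED_SECRET = b"secretapkey"


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; a wrong secret yields garbage, which is
    why the NAS and AR must be configured with the same SharedSecret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes the password has no trailing NULs

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_accept(ident, attrs, req_auth, secret):
    """Minimal Access-Accept (code 2) as the server would send it."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + response_authenticator(2, ident, attrs, req_auth, secret) + attrs

def verify_response(packet, req_auth, secret):
    """Client-side check: the reply is genuine only if its Response Authenticator
    was computed with our secret over our request's Request Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A mismatched secret on either end shows up exactly as these functions predict: the server decodes an unusable password and rejects the request, and the client discards the reply because the Response Authenticator does not verify.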

Configuring Profiles

The Profiles object allows you to set specific Request For Comments (RFC)-defined attributes such as frame type, login service, and ports that AR returns in the Access-Accept response packet. You can use profiles to group attributes in one place that you want to apply to more than one user. This is also where you can set different Attribute-Value (AV) pairs. This method saves you from configuring parameters over and over again. The sample users that you looked at earlier in this chapter reference the following AR profiles:

  • default-PPP-users: This profile specifies the appropriate attributes for Point-to-Point Protocol (PPP) service.

  • default-SLIP-users: This profile specifies the appropriate attributes for Serial Line Internet Protocol (SLIP) service.

  • default-Telnet-users: This profile specifies the appropriate attributes for Telnet service.

If you want to add an attribute or modify the attributes that Radius returns, you use a profile to do so. In the following steps, you modify a profile using the set command:

  

Step 1.

From the main level in AR, cd into the Radius/Profiles sub-object.

Step 2.

Use the set command to add the name=value attribute. The following example adds the attribute Service-Type=Framed:

 set Service-Type Framed 

Step 3.

To add more than one value, simply place each value in double quotes. For example, if you wanted to set several Cisco AV pair values and you entered set Cisco-Avpair "value" line by line, each command would overwrite the previously entered value. To enter multiple values, use the syntax set Cisco-Avpair "value1" "value2" "value3".




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
