The radius-attribute translate command configures a RADIUS attribute to be translated.
The undo radius-attribute translate command cancels the configuration.
By default, no RADIUS attribute is translated.
radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *
radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *
radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *
undo radius-attribute translate [ src-attribute-name ]
undo radius-attribute translate extend src-attribute-name
undo radius-attribute translate extend vendor-specific src-vendor-id src-sub-id
Parameter | Description | Value |
---|---|---|
src-attribute-name | Specifies the name of the source attribute. | The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name. |
dest-attribute-name | Specifies the name of the destination attribute. | The value is a string of 1 to 64 characters. After the name is entered, the system automatically associates the RADIUS attribute with the name. |
receive | Translates RADIUS attributes for received packets. | - |
send | Translates RADIUS attributes for sent packets. | - |
access-request | Translates RADIUS attributes for Authentication Request packets. | - |
account-request | Translates RADIUS attributes for Accounting Request packets. | - |
access-accept | Translates RADIUS attributes for Authentication Accept packets. | - |
account-response | Translates RADIUS attributes for Accounting Response packets. | - |
extend | Translates extended RADIUS attributes. | - |
vendor-specific src-vendor-id src-sub-id | Specifies the source extended attribute to be translated. | |
vendor-specific dest-vendor-id dest-sub-id | Specifies the destination extended attribute to be translated. | |
Usage Scenario
Currently, RADIUS servers of different vendors may support different RADIUS attributes and have vendor-specific RADIUS attributes. To communicate with different RADIUS servers, the device provides the RADIUS attribute translation function. After RADIUS attribute translation is enabled, the device can translate RADIUS attributes when sending or receiving packets.
RADIUS attribute translation is used in the following modes:
Format translation for the same attribute
This mode is widely applied. It resolves compatibility problems that arise because different users have different requirements for the format of a RADIUS attribute.
Translation between different attributes
This mode is used because different vendors have different implementations of RADIUS attributes.
For example, the device delivers the priority of the administrator by using the Huawei proprietary attribute HW-Exec-Privilege (26-29), whereas another vendor's device delivers it by using the Login-Service (15) attribute. When the device and the vendor's device use the same RADIUS server on a network, the device is required to deliver the priority of the administrator by using the Login-Service (15) attribute. After the radius-attribute translate command is configured, the device automatically processes the Login-Service attribute in the received RADIUS authentication response packet as the HW-Exec-Privilege attribute.
Prerequisites
RADIUS attribute translation has been enabled by using the radius-server attribute translate command.
Before configuring RADIUS attribute translation, run the display radius-attribute command to view the RADIUS attributes supported by the device.
Precautions
When the device sends packets, if attribute A is to be translated to attribute B, the type of the encapsulated attribute is the same as that of attribute B but the attribute content and format are the same as those of attribute A.
When the device receives packets, if attribute A is to be translated to attribute B, the device parses the received attribute A as attribute B.
Three commands are available to translate RADIUS attributes:
The device can translate a RADIUS attribute only when the type of the source RADIUS attribute is the same as that of the destination RADIUS attribute. For example, the NAS-Identifier and NAS-Port-Id attributes are both of the string type, so they can be translated into each other. The NAS-Identifier and NAS-Port attributes are of the string and integer types respectively, so they cannot be translated into each other.
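The precautions above, modelled as an added example (not Huawei's code and not part of the original page): on send only the type octet is rewritten, on receive the incoming attribute is parsed under the destination name, and a rule with mismatched data types is rejected. The rule table and function names are hypothetical; 5, 32 and 87 are the standard RADIUS codes for NAS-Port, NAS-Identifier and NAS-Port-Id, and the sample values are constructed.

```python
import struct

# Attribute codes from RFC 2865/2869; data types as given in the precaution above.
ATTRS = {"nas-port": (5, "integer"), "nas-identifier": (32, "string"),
         "nas-port-id": (87, "string")}
NAMES = {code: name for name, (code, _) in ATTRS.items()}

def encode(name, value):
    """One attribute TLV: type (1 octet), length (1 octet, covers header), value."""
    code, kind = ATTRS[name]
    body = struct.pack("!I", value) if kind == "integer" else value.encode()
    return bytes([code, len(body) + 2]) + body

def parse(blob):
    """Split an attribute section into (type code, value bytes) pairs."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def add_rule(rules, src, dst, direction):
    """Accept a rule only if source and destination data types match."""
    if ATTRS[src][1] != ATTRS[dst][1]:
        raise ValueError(f"{src} and {dst} have different types")
    rules[(direction, src)] = dst

def send(rules, attrs):
    """Sending: encapsulate with B's type code, keep A's content and format."""
    out = b""
    for name, value in attrs:
        tlv = encode(name, value)
        dst = rules.get(("send", name))
        out += bytes([ATTRS[dst][0]]) + tlv[1:] if dst else tlv
    return out

def receive(rules, blob):
    """Receiving: an incoming attribute A is parsed as attribute B."""
    result = []
    for code, raw in parse(blob):
        name = NAMES.get(code, f"unknown-{code}")
        name = rules.get(("receive", name), name)
        is_int = ATTRS.get(name, (0, "string"))[1] == "integer" and len(raw) == 4
        result.append((name, struct.unpack("!I", raw)[0] if is_int else raw.decode(errors="replace")))
    return result

if __name__ == "__main__":  # constructed sample value
    print(parse(send({("send", "nas-identifier"): "nas-port-id"}, [("nas-identifier", "sw-core-01")])))
```

When reviewing server-side logs or policies, note that after a send rule the server sees type 87 carrying the NAS-Identifier content, so rules keyed on the original attribute no longer match.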
# Configure the device to translate NAS-Identifier into NAS-Port-Id when sending RADIUS packets.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate nas-identifier nas-port-id send
# Translate the Cisco No. 2 attribute (vendor ID 9) in Authentication Accept and Accounting Response packets to Huawei No. 155 extended attribute HW-URL-Flag.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate extend Vendor-Specific 9 2 HW-URL-Flag access-accept account-response
# Translate the Huawei No. 153 extended attribute HW-Access-Type in Authentication Request and Accounting Request packets to Cisco No. 11 attribute.
<HUAWEI> system-view
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-server attribute translate
[HUAWEI-radius-temp1] radius-attribute translate extend HW-Access-Type vendor-specific 9 11 access-request account-request