radius-server authorization attribute-encode-sameastemplate

Usage Scenario

The attribute match check function is configured on the RADIUS servers of some vendors. The attribute match check succeeds and the RADIUS server successfully interconnects with a device to implement dynamic authorization or offline operations only when the attribute encapsulation formats in the COA or DM Response packet received by the RADIUS server are the same as those parsed from the RADIUS authentication Response packets. The RADIUS server encapsulates the attributes parsed from the RADIUS Response packet based on the configurations in the RADIUS server template. To ensure that the attribute formats in the COA or DM Response packet are the same as those parsed by the RADIUS server from the RADIUS packet, you can run the radius-server authorization attribute-encode-sameastemplate command to configure the device to encapsulate attributes in the COA or DM Response packet based on the configurations in the RADIUS server template, so that the device is successfully interconnected with the RADIUS server.

Attributes whose encapsulation formats need to be configured in the COA or DM Response packet include Calling-Station-Id (31), NAS-IP-Address (4), and User-Name (1).

Precautions

• This function is used to configure the encapsulation modes of the Calling-Station-Id (31), NAS-IP-Address (4), and User-Name (1) attributes in the COA or DM Response packet to be the same as those configured in the RADIUS server template. Therefore, perform the following steps before using this function.

  1. Configure the encapsulation modes of attributes in the RADIUS server template view.
     • Run the calling-station-id mac-format command to configure the encapsulation mode of the MAC address in the Calling-Station-Id attribute.
     • Run the radius-attribute nas-ip command to configure the NAS-IP-Address attribute in a RADIUS packet sent from an NAS.
     • Run the radius-server user-name domain-included command to configure whether the user name carried in the RADIUS packet contains a domain name.
  2. Run the radius-server authorization command in the system view to configure the authorization server to use the RADIUS server template server-group.
• After this function is configured, the priority of the NAS IP address in the NAS-IP-Address (4) attribute is as follows: NAS IP address configured in the RADIUS server template>source IP address configured on the accounting server>source IP address configured on the authentication server>destination IP address of the Request packet
• If the radius-server authorization attribute-encode-sameastemplate command is not configured, no RADIUS server template is bound to the authorization server, or no attribute format configuration exists in the RADIUS server template, the formats of COA or DM response packets are as follows:
  • MAC address in the Calling-Station-Id (31) attribute: The MAC address is encapsulated in the default format XXXXXXXXXXXX.
  • NAS IP address in the NAS-IP-Address (4) attribute: destination IP address in the Request packet
  • User name in the User-Name (1) attribute: The user name in the Request packet is used.