Configuring the RADIUS attribute translation feature
The RADIUS attribute translation feature enables the device to interoperate with RADIUS servers from different vendors whose RADIUS attributes are incompatible with those the device supports.
RADIUS attribute translation has the following implementations:
- Attribute conversion: Converts source RADIUS attributes into destination RADIUS attributes based on RADIUS attribute conversion rules.
- Attribute rejection: Rejects RADIUS attributes based on RADIUS attribute rejection rules.
When the RADIUS attribute translation feature is enabled, the device processes RADIUS packets as follows:
- For sent RADIUS packets:
  - Deletes the rejected attributes from the packets.
  - Replaces the attributes that match RADIUS attribute conversion rules with the destination RADIUS attributes.
- For received RADIUS packets:
  - Ignores the rejected attributes in the packets.
  - Interprets the attributes that match RADIUS attribute conversion rules as the destination RADIUS attributes.
To identify proprietary RADIUS attributes, you can define the attributes as extended RADIUS attributes, and then convert the extended RADIUS attributes to device-supported attributes.
To configure the RADIUS attribute translation feature for a RADIUS scheme:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Define an extended RADIUS attribute. | radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary \| date \| integer \| interface-id \| ip \| ipv6 \| ipv6-prefix \| octets \| string } | By default, no user-defined extended RADIUS attributes exist. Repeat this command to define multiple extended RADIUS attributes. |
3. Enter RADIUS scheme view. | radius scheme radius-scheme-name | N/A |
4. Enable the RADIUS attribute translation feature. | attribute translate | By default, this feature is disabled. |
5. Configure a RADIUS attribute conversion rule. | attribute convert src-attr-name to dest-attr-name { { access-accept \| access-request \| accounting } * \| { received \| sent } * } | By default, no RADIUS attribute conversion rules exist. Repeat this command to add multiple RADIUS attribute conversion rules. |
6. Configure a RADIUS attribute rejection rule. | attribute reject attr-name { { access-accept \| access-request \| accounting } * \| { received \| sent } * } | By default, no RADIUS attribute rejection rules exist. Repeat this command to add multiple RADIUS attribute rejection rules. |
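
The following Python sketch is an added example, not vendor code or part of the original documentation. It parses RADIUS scheme rule lines in the syntax of the table above and models the processing described earlier, so you can check which attributes the device acts on for a given packet type and direction. Assumptions: the attribute names and values are constructed placeholders, rejection is evaluated before conversion (the order the page lists them), and only the RADIUS scheme keywords are covered, not the DAS keywords.

```python
# Added example: models the processing described above; not device code.
PACKET_TYPES = {"access-accept", "access-request", "accounting"}
DIRECTIONS = {"received", "sent"}

def parse_rule(line):
    """Parse one 'attribute convert ...' or 'attribute reject ...' line."""
    tok = line.split()
    if tok[:2] == ["attribute", "convert"] and len(tok) >= 6 and tok[3] == "to":
        rule, scope = {"action": "convert", "src": tok[2], "dst": tok[4]}, tok[5:]
    elif tok[:2] == ["attribute", "reject"] and len(tok) >= 4:
        rule, scope = {"action": "reject", "src": tok[2]}, tok[3:]
    else:
        raise ValueError(f"not a translation rule: {line!r}")
    scope = set(scope)
    # The syntax scopes a rule by packet types OR by directions, never both.
    if not (scope <= PACKET_TYPES or scope <= DIRECTIONS):
        raise ValueError(f"mixed or unknown scope: {line!r}")
    rule["scope"] = scope
    return rule

def translate(attrs, rules, packet_type, direction):
    """Return the (name, value) pairs the device acts on after translation."""
    active = [r for r in rules
              if packet_type in r["scope"] or direction in r["scope"]]
    rejected = {r["src"] for r in active if r["action"] == "reject"}
    convert = {r["src"]: r["dst"] for r in active if r["action"] == "convert"}
    out = []
    for name, value in attrs:
        if name in rejected:  # deleted when sent, ignored when received
            continue
        # Assumption: rejection is checked before conversion, in page order.
        out.append((convert.get(name, name), value))
    return out

# Constructed rules and attributes; the names are placeholders.
RULES = [parse_rule(line) for line in (
    "attribute convert Vendor-X-Acl to Filter-Id access-accept",
    "attribute reject Reply-Message received",
    "attribute reject Vendor-X-Debug sent",
)]
ACCEPT = [("Vendor-X-Acl", "staff"), ("Reply-Message", "hi"), ("Class", "c1")]
REQUEST = [("User-Name", "alice"), ("Vendor-X-Debug", "1")]

if __name__ == "__main__":
    print(translate(ACCEPT, RULES, "access-accept", "received"))
    print(translate(REQUEST, RULES, "access-request", "sent"))
```

Running a rule set through a check like this before deployment shows whether a rejection rule would drop an attribute that carries authorization data.
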
To configure the RADIUS attribute translation feature for a RADIUS DAS:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Define an extended RADIUS attribute. | radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary \| date \| integer \| interface-id \| ip \| ipv6 \| ipv6-prefix \| octets \| string } | By default, no user-defined extended RADIUS attributes exist. Repeat this command to define multiple extended RADIUS attributes. |
3. Enter RADIUS DAS view. | radius dynamic-author server | N/A |
4. Enable the RADIUS attribute translation feature. | attribute translate | By default, this feature is disabled. |
5. Configure a RADIUS attribute conversion rule. | attribute convert src-attr-name to dest-attr-name { { coa-ack \| coa-request } * \| { received \| sent } * } | By default, no RADIUS attribute conversion rules exist. Repeat this command to add multiple RADIUS attribute conversion rules. |
6. Configure a RADIUS attribute rejection rule. | attribute reject attr-name { { coa-ack \| coa-request } * \| { received \| sent } * } | By default, no RADIUS attribute rejection rules exist. Repeat this command to add multiple RADIUS attribute rejection rules. |