Manual Chapter: AAA Configuration Examples

AAA server configuration examples

This appendix includes AAA configuration examples for all authentication methods.

Example for converting hex attributes

The following examples show how attribute values that contain binary (unprintable) data are converted to hex when they are stored in session variables for RADIUS, Active Directory, and LDAP.

Handling of binary value attribute for RADIUS

For RADIUS authentication, an attribute value is converted to hex either because it contains unprintable characters or because of its attribute type. The Class attribute is always converted to hex, even when its value contains only printable characters. No other attribute is hex-encoded unless its value contains unprintable characters.

Case 1: Handling of attributes with a single value

1bf80e04.session.radius.last.attr.class 62 0x54230616000001370001ac1d423301caa87483dadf740000000000000007

Case 2: Handling of attributes with multiple values (mix of binary and non-binary values)

243be90d.session.radius.last.attr.class 119 0x6162636465666768696a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483dadf740000000000000006

If the attribute type does not require hex encoding and only some of the values are unprintable, only those values are hex-encoded; the printable values are stored as-is.

3888eb70.session.radius.last.attr.login-lat-group 37 0x6d7920bda12067726f757032 | mygroup1
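The following Python is an added example, not F5 code, that models the RADIUS encoding rule described above and reproduces the three session-variable dumps shown. It assumes that "unprintable" means any byte outside printable ASCII (0x20 to 0x7E), that multiple values are joined with " | ", and that the number shown after the variable name is the length of the stored string; only the Class attribute is treated as always-hex, because that is the only type the page names.

```python
# Added example (not F5's code): models the hex-encoding rule for RADIUS
# attribute values stored in APM session variables, as described on the page.
# Assumptions: "unprintable" = any byte outside printable ASCII (0x20-0x7E);
# multi-valued attributes are joined with " | "; the number in the dump is the
# length of the resulting string.
from __future__ import annotations

# Attributes hex-encoded by type, regardless of content. Only "class" is
# named on the page; extend this set if your deployment needs others.
ALWAYS_HEX = {"class"}


def is_printable(value: bytes) -> bool:
    """True if every byte is printable ASCII (space through tilde)."""
    return all(0x20 <= b <= 0x7E for b in value)


def encode_value(attr: str, value: bytes) -> str:
    """Encode one value the way the session variable would store it."""
    if attr in ALWAYS_HEX or not is_printable(value):
        return "0x" + value.hex()
    return value.decode("ascii")  # safe: all bytes are printable ASCII here


def session_value(attr: str, values: list[bytes]) -> tuple[int, str]:
    """Return (length, stored text) for session.radius.last.attr.<attr>."""
    encoded = " | ".join(encode_value(attr, v) for v in values)
    return len(encoded), encoded


def decode_value(text: str) -> bytes:
    """Reverse the encoding: values that start with '0x' are hex."""
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    return text.encode("ascii")


# Constructed inputs that correspond to the three cases on the page.
CLASS_BINARY = bytes.fromhex(
    "54230616000001370001ac1d423301caa87483dadf740000000000000007")
CLASS_MIXED = [
    b"abcdefghijklmnopqrstuvwxyz",  # printable, but Class is always hex
    bytes.fromhex("54220615000001370001ac1d423301caa87483dadf740000000000000006"),
]
LAT_GROUPS = [b"my \xbd\xa1 group2", b"mygroup1"]  # one binary, one printable

if __name__ == "__main__":
    for attr, vals in (("class", [CLASS_BINARY]),
                       ("class", CLASS_MIXED),
                       ("login-lat-group", LAT_GROUPS)):
        length, text = session_value(attr, vals)
        print(f"session.radius.last.attr.{attr} {length} {text}")
```

Running the block prints the same length and value columns as the three dumps above, which is a quick way to confirm that a value you see in a session variable dump was hex-encoded because of its type rather than because it contained binary data.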

Handling of binary value attribute for Active Directory

For Active Directory, the conversion cannot be based on attribute type. A value is converted to hex only if it contains unprintable characters. If the session variable holds several values and one or more of them is unprintable, only those particular values are converted to hex.

Case 1: Handling of attributes with a single value

7ecc84a2.session.ad.last.attr.objectSid 58 0x01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000

Case 2: Handling of attributes with multiple values (mix of binary and non-binary values)

7ecc84a2.session.ad.last.attr.memberOf 460 | CN=printable group,OU=groups,OU=someco,DC=sherwood,DC=labt,DC=fp,DC=somelabnet,DC=com | 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d | CN=Domain Users,CN=Users,DC=smith,DC=labt,DC=fp,DC=somlabnet,DC=com | CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com | CN=Users,CN=Builtin,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com |

Handling of binary value attribute for LDAP

The conversion of attribute values to hex for LDAP is identical to that for Active Directory: only values that contain unprintable characters are hex-encoded.

Case 1: Handling of attributes with a single value

9302eb80.session.ldap.last.attr.objectGUID 34 0xfef232d3039be9409a72bfc60bf2a6d0

Case 2: Handling of attributes with multiple values (mix of binary and non-binary values)

29302eb80.session.ldap.last.attr.memberOf 251 | CN=printable group,OU=groups,OU=someco,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com | 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d |

Example of authenticating and authorizing users with Active Directory

This is an example of an access policy, with all the associated elements, that authenticates and authorizes users with an Active Directory Auth item followed by an Active Directory Query item. Notice that the objects were added to the access policy as part of the authentication process.

Example of an access policy for AD auth and query

Example of LDAP auth and query default rules

In this example, after successful authentication, the system retrieves the user's group with an LDAP query. Resources are assigned to the user if that group has access to the network access resources, and the user is then sent to a webtop ending.

In the following figure, the rule on the LDAP Query branch was changed from the default rule to one that checks the user's group attribute.

Example of an access policy for LDAP auth and query