This appendix includes AAA configuration examples for all authentication methods.
The following are examples for converting hex attributes for RADIUS, Active Directory, and LDAP.
For RADIUS authentication, an attribute value is converted to hex either because it contains unprintable characters or because of the attribute type. The class attribute is always converted to hex by attribute type, even when it contains only printable characters. No other attribute is hex-encoded unless its value contains unprintable characters.
Handling of attributes with a single value:

1bf80e04.session.radius.last.attr.class 62 0x54230616000001370001ac1d423301caa87483dadf740000000000000007

Handling of attributes with multiple values (a mix of binary and non-binary values):

243be90d.session.radius.last.attr.class 119 0x6162636465666768696a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483dadf740000000000000006

If the attribute type does not require hex encoding, and only some of the values are unprintable, then only those values are encoded to hex:

3888eb70.session.radius.last.attr.login-lat-group 37 0x6d7920bda12067726f757032 | mygroup1
For Active Directory, the conversion cannot be based on attribute type. An attribute value is converted to hex only if it contains unprintable characters. If the session variable contains several values, and one or more of those values is unprintable, then only those particular values are converted to hex.

Handling of attributes with a single value:

7ecc84a2.session.ad.last.attr.objectSid 58 0x01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000
The conversion of attributes to hex for LDAP is identical to Active Directory.
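The following is an added example, not F5 code, that models the hex-conversion rules described above (type-based for the RADIUS class attribute, content-based for everything else, per-value for multi-valued attributes joined with " | ") and lets you reproduce the session variable values shown in the samples. The ALWAYS_HEX_RADIUS set and the "printable" definition (7-bit ASCII 0x20-0x7e) are assumptions of this example.

```python
from typing import List

# Attribute types that are hex-encoded regardless of content. The text names
# only the RADIUS "class" attribute; the set itself is an assumption.
ALWAYS_HEX_RADIUS = {"class"}


def is_printable(value: bytes) -> bool:
    """True if every byte is printable 7-bit ASCII (assumed definition)."""
    return all(0x20 <= b <= 0x7E for b in value)


def encode_value(value: bytes, force_hex: bool) -> str:
    """Encode one value: 0x-prefixed lowercase hex if forced or unprintable."""
    if force_hex or not is_printable(value):
        return "0x" + value.hex()
    return value.decode("ascii")


def encode_attr(source: str, name: str, values: List[bytes]) -> str:
    """Build the session-variable value for an attribute with one or more values.

    For RADIUS the decision is also made by attribute type; for Active Directory
    and LDAP it is made only by content. Each value is decided separately and
    the results are joined with ' | ', as in the samples.
    """
    force = source == "radius" and name.lower() in ALWAYS_HEX_RADIUS
    return " | ".join(encode_value(v, force) for v in values)


def decode_attr(encoded: str) -> List[bytes]:
    """Recover the raw values from a session-variable string.

    Caveat: a printable value that itself starts with '0x' is indistinguishable
    from a hex-encoded one, so callers should treat such input with care.
    """
    return [bytes.fromhex(p[2:]) if p.startswith("0x") else p.encode("ascii")
            for p in encoded.split(" | ")]


if __name__ == "__main__":
    # Constructed values matching the login-lat-group sample above.
    sample = [b"my \xbd\xa1 group2", b"mygroup1"]
    out = encode_attr("radius", "login-lat-group", sample)
    print(len(out), out)  # 37 0x6d7920bda12067726f757032 | mygroup1
```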
This is an example of an access policy with all the associated elements that are needed to authenticate and authorize your users with an Active Directory query and Active Directory authentication. Notice that the objects were added to the access policy as part of the authentication process.
In this example, after successful authentication, the system retrieves a user group using an LDAP query. Resources are assigned to users if the user group has access to the network access resources. Additionally, users are directed to the webtop ending.
In the following figure, the rule for the LDAP query was changed from the default rule to a check for the user's group attribute.