Applies To: 11.4.1, 11.4.0
AAA server configuration examples
This appendix includes AAA configuration examples for all authentication methods.
Example for converting hex attributes
The following are examples for converting hex attributes for RADIUS, Active Directory, and LDAP.
Handling of binary value attribute for RADIUS
For RADIUS authentication, we convert an attribute value to hex if it contains unprintable characters, or if the attribute type requires it. The Class attribute is converted to hex by attribute type, even when it contains only printable characters. No other attribute is hex-encoded unless its value contains unprintable characters.
Case 1: Handling of attributes with a single value
1bf80e04.session.radius.last.attr.class 62
0x54230616000001370001ac1d423301caa87483dadf740000000000000007
Case 2: Handling of attributes with multiple values (mix of binary and non-binary values)
243be90d.session.radius.last.attr.class 119
0x6162636465666768696a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483dadf740000000000000006
If the attribute type does not require hex encoding, and only some of the values are unprintable, then only those values are encoded to hex:
3888eb70.session.radius.last.attr.login-lat-group 37
0x6d7920bda12067726f757032 | mygroup1
Handling of binary value attribute for Active Directory
For Active Directory, we cannot base the conversion on attribute type. An attribute value is converted to hex only if it contains unprintable characters. If the session variable holds several values and one or more of them is unprintable, then only those particular values are converted to hex.
Case 1: Handling of attributes with a single value
7ecc84a2.session.ad.last.attr.objectSid 58
0x01050000000000051500000013fe8e97c03cd5b5ad04e2e255040000
Case 2: Handling of attributes with multiple values (mix of binary and non-binary values)
7ecc84a2.session.ad.last.attr.memberOf 460
CN=printable group,OU=groups,OU=someco,DC=sherwood,DC=labt,DC=fp,DC=somelabnet,DC=com | 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d | CN=Domain Users,CN=Users,DC=smith,DC=labt,DC=fp,DC=somlabnet,DC=com | CN=CERTSVC_DCOM_ACCESS,CN=Users,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com | CN=Users,CN=Builtin,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com
Handling of binary value attribute for LDAP
The conversion of attributes to hex for LDAP is identical to Active Directory.
Case 1: Handling of attributes with a single value
9302eb80.session.ldap.last.attr.objectGUID 34
0xfef232d3039be9409a72bfc60bf2a6d0
Case 2: Handling of attributes with multiple values (mix of binary and non-binary values)
9302eb80.session.ldap.last.attr.memberOf 251
CN=printable group,OU=groups,OU=someco,DC=smith,DC=labt,DC=fp,DC=somelabnet,DC=com | 0x434e3d756e7072696e7461626c6520c2bdc2a12067726f75702c4f553d67726f7570732c4f553d66352c44433d73686572776f6f642c44433d6c6162742c44433d66702c44433d66356e65742c44433d636f6d
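The per-value hex rule described for RADIUS, Active Directory and LDAP above, as an added example for auditing session variables (this is not F5 code). It assumes "printable" means ASCII 0x20-0x7E, that multiple values are joined with " | ", and that the RADIUS Class attribute is the only type that is always hex-encoded; none of these details is stated on the page.

```python
# Added example (not F5 code): models the hex-encoding rule for APM session
# variables and decodes such values back for log review.
# Assumptions: printable = ASCII 0x20-0x7E; values are joined with " | ";
# only the RADIUS Class attribute is hex-encoded by type.
from typing import Iterable, List

PRINTABLE = set(range(0x20, 0x7F))      # assumed definition of "printable"
HEX_BY_TYPE = {("radius", "class")}     # attribute types always hex-encoded


def is_printable(value: bytes) -> bool:
    """True when every byte is printable ASCII (assumed definition)."""
    return all(b in PRINTABLE for b in value)


def encode_value(value: bytes, forced: bool) -> str:
    """One value becomes 0x-hex if forced by type or if it is unprintable."""
    if forced or not is_printable(value):
        return "0x" + value.hex()
    return value.decode("ascii")


def encode_attr(source: str, name: str, values: Iterable[bytes]) -> str:
    """Render a multi-valued attribute; each value is decided on its own."""
    forced = (source, name.lower()) in HEX_BY_TYPE
    return " | ".join(encode_value(v, forced) for v in values)


def decode_attr(encoded: str) -> List[bytes]:
    """Split on ' | ' and hex-decode 0x-prefixed values.

    Caveat: a printable value that itself starts with '0x' or contains
    ' | ' is ambiguous in this representation and cannot be recovered
    reliably; treat decoded output as best effort when auditing logs.
    """
    out = []
    for part in encoded.split(" | "):
        if part.startswith("0x"):
            out.append(bytes.fromhex(part[2:]))
        else:
            out.append(part.encode("ascii"))
    return out


if __name__ == "__main__":
    # Constructed inputs mirroring the login-lat-group case: one value with
    # bytes 0xBD 0xA1 (unprintable) and one plain ASCII value.
    print(encode_attr("radius", "login-lat-group",
                      [b"my \xbd\xa1 group2", b"mygroup1"]))
    # The AD memberOf hex value from the appendix decoded back to a DN.
    print(decode_attr("0x434e3d756e7072696e7461626c65")[0])
```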
Example of authenticating and authorizing users with Active Directory
This is an example of an access policy with all the associated elements that are needed to authenticate and authorize your users with Active Directory query and Active Directory authentication. Notice that the objects were added to the access policy as part of the authentication process.
Example of LDAP auth and query default rules
In this example, after successful authentication, the system retrieves a user group using an LDAP query. Resources are assigned to users if the user group has access to the network access resources. Additionally, users are directed to the webtop ending.
In the following figure, the rule for LDAP query was changed from default rule to check for user’s group attribute.