ISG RADIUS Change of Authorization Interface Guide, Cisco IOS XE Release 3SG
Appendix A: Attribute Definition

Attribute Definitions


First Published: December 5, 2006

This appendix describes Intelligent Services Gateway (ISG) attributes, including the appropriate RADIUS codes for the vendor-specific attributes (VSAs). Cisco uses two types of vendor-specific attributes: some are defined as AVPair attributes and others are not.

This appendix describes the following ISG attributes:

Cisco Vendor-Specific AVPair Attributes

Cisco Vendor-Specific non-AVPair Attributes

Cisco Vendor-Specific AVPair Attributes

To identify an AVPair attribute, RADIUS code 26 is used, followed by the Cisco vendor ID (9) and the standard VSA ID of 1. The AVPair attribute is then encoded using the format Cisco-AVPair="attribute-name=attribute-value". The exact format is shown in Table 1.

Table 1 AVPair Attribute Format

+---+---+---+---+---+---+
| a | b | c | d | e | f |
+---+---+---+---+---+---+


a = 26 (RADIUS code for VSA)

b = len (length of the RADIUS VSA)

c = 9 (Cisco vendor ID)

d = 1 (standard VSA ID)

e = len (length of the vendor-specific subattribute)

f = "attribute-name=attribute-value"

Table 2 shows Cisco vendor-specific AVPair attributes for ISG.

Table 2 Cisco Vendor-Specific AVPair Attributes

Attribute: ip:portbundle=enable
Function: Enable PBHK feature
Example: ip:portbundle=enable
Used in: Acc-Acc, CoA Req

Attribute: ip:l4redirect=redirect to {group server-group-name | ip ip-address [port port-number]} [duration seconds] [frequency seconds]
Function: Enables L4 redirection.
Example: ip:l4redirect=redirect to group L4-REDIRECT
         ip:l4redirect=redirect list 199 to group SERVER_GROUP1 duration 120 frequency 120
Used in: Acc-Acc, CoA Req

Attribute: ip:traffic-class=[in | out] access-group [acl-number | name acl-name] [priority value]
Function: Classification (traffic class) for a TC service.
Note: TC cannot be dynamically downloaded via the ip:inacl or other VSA pairs. The ACLs in this command must be predefined on the ISG.
Example: ip:traffic-class=in access-group name ACL_IN_L4R priority 5
Used in: Acc-Acc, CoA Req

Attribute: ip:inacl[#number]={standard-access-control-list | extended-access-control-list}
Function: Incoming ACL definition, for feature push.
Example: ip:inacl=ACL1_IN
         where "ACL1_IN" is predefined on the ISG
         or
         ip:inacl#10=deny ip any 13.13.16.0 0.0.0.255
         ip:inacl#20=permit ip any any
Used in: Acc-Acc, CoA Req

Attribute: ip:outacl[#number]={standard-access-control-list | extended-access-control-list}
Function: Outgoing ACL definition, for feature push.
Example: ip:outacl=ACL1_OUT
         where "ACL1_OUT" is predefined on the ISG
         or
         ip:outacl#10=deny ip 13.13.16.0 0.0.0.255 any
         ip:outacl#20=permit ip any any
Used in: Acc-Acc, CoA Req

Attribute: ip:sub-qos-policy-in=<in-policy-name>
Function: Per-session MQC input policy name.
Note: The actual MQC policy must be predefined on the ISG. Supported only for PPP sessions.
Example: ip:sub-qos-policy-in=QOS_POLICY_IN
Used in: Acc-Acc, CoA Req

Attribute: ip:sub-qos-policy-out=<out-policy-name>
Function: Per-session MQC output policy name.
Note: The actual MQC policy must be predefined on the ISG. Supported only for PPP sessions.
Example: ip:sub-qos-policy-out=QOS_POLICY_OUT
Used in: Acc-Acc, CoA Req

Attribute: atm:vc-qos-policy-in=<in-policy-name>
Function: Specifies the MQC policy applied on the ATM VC.
Example: atm:vc-qos-policy-in=QOS_POLICY_IN
Used in: Acc-Acc, CoA Req

Attribute: atm:vc-qos-policy-out=<out-policy-name>
Function: Specifies the MQC policy applied on the ATM VC.
Example: atm:vc-qos-policy-out=QOS_POLICY_OUT
Used in: Acc-Acc, CoA Req

Attribute: ip:vrf-id=<vrf_name>
Function: Places a session inside the specified VRF.
Example: ip:vrf-id=VPN_ISP1
Used in: Acc-Acc, CoA Req

Attribute: ip:ip-unnumbered=<loopback address>
Function: Specifies the loopback address.
Example: ip:ip-unnumbered=loopback5
Used in: Acc-Acc, CoA Req

Attribute: ip:pool-def#n=<ip pool definition>
Function: IP pool definition for the router.
Example: ip:pool-def#1=beta 2.0.2.5 2.0.2.8

Attribute: ip:addr-pool=<pool_name>
Function: IP address pool name used for PPP access.
Example: ip:addr-pool=PPPOE_POOL
Used in: Acc-Acc, CoA Req

Attribute: parent-session-id=<id-number>
Function: Used to match a TC service with its parent session for accounting purposes.
Example: parent-session-id=00000081
Used in: Accounting

Attribute: client-mac-address=<mac-address>
Function: Identifies the client's MAC address.
Example: client-mac-address=0050.5607.0103
Used in: Acc-Req, Accounting

Attribute: circuit-id-tag=<tag name>
Function: DHCP Option 82 tag (identifies line card and port).
Example: circuit-id-tag=0|4|22|1|15
Used in: Acc-Req, Acc-Acc, CoA Req, Accounting

Attribute: remote-id-tag=<tag name>
Function: DHCP Option 82 tag (identifies DSLAM or L2 switch).
Example: remote-id-tag=0|6|000d.edc0.3f80
Used in: Acc-Req, Acc-Acc, CoA Req, Accounting

Attribute: vrf-id=<vrf name>
Function: Identifier for the virtual routing table.
Example: vrf-id=VPN_ISP1
Used in: Accounting

Attribute: sg-version=<isg-version>
Function: Identifies the ISG version.
Example: sg-version=1.0
Used in: CoA Ack

Attribute: connect-progress=<session-state>
Function: Reports session state (Call Up, LAN Ses Up).
Example: connect-progress=Call Up
Used in: Accounting

Attribute: disc-cause-ext=<disconnect-cause>
Function: Reports disconnect cause (No Reason, PPP Receive Term, TS User Exit).
Example: disc-cause-ext=PPP Receive Term
Used in: Accounting

Attribute: subscriber:classname=<dhcp-class-name>
Function: Used to assign an IP address from a specific DHCP pool.
Example: subscriber:classname=VPN_ISP1_CLASS
Used in: Acc-Acc, CoA Req

Attribute: subscriber:accounting-list=<accounting-method-list-name>
Function: The session or service requires accounting.
Example: subscriber:accounting-list=ACCNT_LIST1
Used in: Acc-Acc, CoA Req

Attribute: prepaid-config=<prepaid-method-name>
Function: Specifies that the service is prepaid.
Example: prepaid-config=PREPAID_CONFIG
Used in: Acc-Acc, CoA Req

Attribute: subscriber:policy-directive=<policy-directive>
Function: Additional policy directive for a service (i.e., further authentication).
Example: subscriber:policy-directive=authenticate aaa list APP1_SERVER
Used in: Acc-Acc

Attribute: subscriber:subscriber-service=<type of service>
Function: Type of service (vpdn, local, relay-pppoe). Typically used as part of a service profile for PPP sessions to decide whether the session needs to be forwarded or terminated.
Example: subscriber:subscriber-service=local
Used in: Acc-Acc

Attribute: subscriber:sg-service-type=primary
Function: Indicates whether the service is primary.
Example: subscriber:sg-service-type=primary
Used in: Acc-Acc

Attribute: subscriber:service-group=<group-name>
Function: Defines a group name to outline which non-primary services are dependent on a primary service.
Example: subscriber:service-group=ISP1_SERVICES
Used in: Acc-Acc, CoA Req

Attribute: vpdn:tunnel-id=<vpdn_tunnel_id>
Function: VPDN tunnel ID.
Example: vpdn:tunnel-id=nas1
Used in: Acc-Acc, CoA Req

Attribute: vpdn:l2tp-tunnel-password=<vpdn_tunnel_password>
Function: VPDN tunnel password.
Example: vpdn:l2tp-tunnel-password=cisco
Used in: Acc-Acc, CoA Req

Attribute: vpdn:ip-addresses=<vpdn_ip_address>
Function: VPDN IP addresses.
Example: vpdn:ip-addresses=10.0.1.26
Used in: Acc-Acc, CoA Req

Attribute: vpdn:tunnel-type=<vpdn_tunnel_type>
Function: VPDN tunnel type (l2tp, l2f, pptp).
Example: vpdn:tunnel-type=l2tp
Used in: Acc-Acc, CoA Req


Cisco Vendor-Specific non-AVPair Attributes

To identify a non-AVPair attribute, RADIUS code 26 is still used, followed by the Cisco vendor ID (9), but a vendor-specific sub-attribute ID is used. The non-AVPair attribute is then encoded using the format shown in Table 3.

Table 3 Non-AVPair Attribute Format

+---+---+---+---+---+---+
| a | b | c | d | e | f |
+---+---+---+---+---+---+


a = 26 (RADIUS code for VSA)

b = len (length of the RADIUS VSA)

c = 9 (Cisco vendor ID)

d = n (vendor specific sub-attribute ID)

e = len (length of the vendor-specific subattribute)

f = Attribute value (can contain a sub-attribute code followed by value <code> <sub attribute value>)
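
The layouts in Table 1 and Table 3 differ only in field d, so one encoder and strict parser covers both. This is an added example, not code from the Cisco guide: the function names are illustrative, and it assumes the vendor ID occupies four octets on the wire (RFC 2865) and that each VSA carries a single sub-attribute.

```python
import struct

RADIUS_VSA = 26       # a: RADIUS code for VSA
CISCO_VENDOR_ID = 9   # c: Cisco vendor ID (assumed 4 octets on the wire, RFC 2865)
AVPAIR = 1            # d: standard VSA ID used for Cisco-AVPair


def encode_cisco_vsa(sub_id: int, value: bytes) -> bytes:
    """Build a|b|c|d|e|f for one Cisco sub-attribute."""
    sub_len = 2 + len(value)   # e counts d, e and f
    total = 2 + 4 + sub_len    # b counts a, b, c and the sub-attribute
    if not 0 < sub_id < 256 or total > 255:
        raise ValueError("sub-attribute does not fit in one RADIUS attribute")
    return struct.pack("!BBIBB", RADIUS_VSA, total, CISCO_VENDOR_ID,
                       sub_id, sub_len) + value


def parse_cisco_vsa(buf: bytes):
    """Return (sub_id, value); reject any attribute whose lengths disagree."""
    if len(buf) < 8:
        raise ValueError("truncated VSA header")
    a, b, c, d, e = struct.unpack("!BBIBB", buf[:8])
    if a != RADIUS_VSA or c != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco vendor-specific attribute")
    if b != len(buf) or e != b - 6:   # assumption: one sub-attribute per VSA
        raise ValueError("length fields disagree with the data received")
    return d, buf[8:]


def parse_avpair(buf: bytes):
    """Split a Cisco-AVPair into (attribute-name, attribute-value)."""
    sub_id, value = parse_cisco_vsa(buf)
    if sub_id != AVPAIR:
        raise ValueError("sub-attribute is not Cisco-AVPair")
    name, sep, val = value.decode("ascii").partition("=")
    if not sep or not name:
        raise ValueError("AVPair is missing 'attribute-name='")
    return name, val


if __name__ == "__main__":
    wire = encode_cisco_vsa(AVPAIR, b"ip:vrf-id=VPN_ISP1")  # value from Table 2
    print(wire.hex(), parse_avpair(wire))
```

Checking both length fields against the bytes actually received keeps a malformed attribute from being read past its end or silently truncated.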

Table 4 shows Cisco vendor-specific non-AVPair attributes for ISG.

Table 4 Cisco Vendor specific non-AVPair attributes

Sub-AttrID: 249
Attribute Type: subscriber-password
Value: <Initiator vector> <encrypted value>
Function: Authenticator for password encryption within a CoA Account Logon or CoA Service Activate.
Example: (This is a 16-byte vector followed by an encrypted value)
Used in: CoA Req

Sub-AttrID: 250
Attribute Type: account-info
Value: A<service-name;username;password>
Function: Auto-start service; the username and password are optional.
Example: AINTERNET_SERVICE
Used in: Acc-Acc, CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: N[service-state] <service-name> [time-connected] [username] [pkt-in] [pkt-out] [bytes_in] [bytes_out]
Function: To list services accessible to the subscriber or to report service status.
          Service state:
          0 - inactive
          1 - active
Example: N1BOD_1MEG_SERVICE;277;IP_UC1;139;179;24236;213422
Used in: Acc-Acc, CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: QU;cir;normal burst;excess burst;D;cir;normal burst;excess burst
Function: QoS parameters for the session in both the upstream and downstream directions.
Example: QU;512000;256000;D;512000;256000
Used in: Acc-Acc, CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: Vcookie
Function: Specifies a cookie string for a service (used for billing).
Example: VSERVICE_GROUP_1
Used in: Acc-Acc, CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: S[IP-address | PBHK]
Function: Subscriber identifier between ISG and portal. The port number is used when PBHK is enabled.
Example: S10.10.10.11:85
Used in: CoA Req, CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: $MA<MAC-address>
Function: Subscriber MAC address.
Example: $MA0050.5607.0103
Used in: CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: $SI[sub-interface]
Function: Sub-interface for interface session.
Example: $SI
Used in: CoA Ack

Sub-AttrID: 250
Attribute Type: account-info
Value: $VP<VPI/VCI>
Function: VPI/VCI for ATM interface session.
Example: $VP
Used in: CoA Ack

Sub-AttrID: 251
Attribute Type: service-info
Value: N<service-name>
Function: Service name in accounting requests.
Example: NBOD_1MEG_SERVICE
Used in: Accounting

Sub-AttrID: 251
Attribute Type: service-info
Value: QU;cir;normal burst;excess burst;D;cir;normal burst;excess burst
Function: Uplink and downlink subscriber policing (feature push capabilities).
Example: QU;512000;256000;D;512000;256000
Used in: CoA Req

Sub-AttrID: 251
Attribute Type: service-info
Value: PPW:tariff time:days
Function: Postpaid tariff switch parameters.
Example: PPW:

Sub-AttrID: 251
Attribute Type: service-info
Value: Vcookie
Function: Service cookie used for billing.
Example: VSERVICE_GROUP_1
Used in: Accounting

Sub-AttrID: 252
Attribute Type: command-code
Value: <command-code>, optionally followed by sub-attributes as described in RADIUS Interface Guide
Function: CoA Command Code
          0x1 Account Logon
          0x2 Account Logoff
          0x4 Session Query
          0xB Service Activate
          0xC Service De-Activate
Example: 0x4INTERNET_SERVICE
Used in: CoA Req, CoA Ack

Sub-AttrID: 252
Attribute Type: command-code
Value: 0x10 (command code), followed by ASCII command code value
Function: ASCII values (OUT OF MEMORY, AUTHENTICATE USER FAIL, NO RESOURCE FOR CONN, SERVICE AUTHENTICATION ERROR, HOST NOT LOGON, AUTHORIZE USER ERROR, AAA REQ SEND FAIL, AUTHORIZE USER FAIL)
Example: 0x10 '5' '5' (Code 55 for Service authentication error)
Used in: CoA Nak

Sub-AttrID: 253
Attribute Type: control-info
Value: QT<value>
Function: Used for prepaid. QT defines Time Quota in seconds.
Example: QT600
Used in: Acc-Req, Acc-Acc

Sub-AttrID: 253
Attribute Type: control-info
Value: QV<value>
Function: QV defines Volume-based Quota in bytes.
Example: QV10000

Sub-AttrID: 253
Attribute Type: control-info
Value: QR<number>
Function: QR defines Prepaid ReauthReason.
          QR1: re-authorization is performed due to idle timer expiry
          QR0 is only applicable for a prepaid service which has both Time (QT) and Volume (QV)
Example: QR1

Sub-AttrID: 253
Attribute Type: control-info
Value: QB<bytes-used since-switch, time>
Function: QB indicates that tariff switching happened in the previous interval.
Example: QB9540,59

Sub-AttrID: 253
Attribute Type: control-info
Value: QX<seconds before switch>;<pre-switch volume in bytes>;<post-switch volume in bytes>
Function: QX defines Quota for Tariff Switching.
Example: QX300,8588,3219

Sub-AttrID: 253
Attribute Type: control-info
Value: Ivalue-overflow;value
Function: Indicates the overflow value and value of I (input) bytes in accounting packets. The formula to calculate the exact byte count is value-overflow*4294967296 + value.
Example: I0;266867
Used in: Accounting

Sub-AttrID: 253
Attribute Type: control-info
Value: Ovalue-overflow;value
Function: Indicates the overflow value and value of O (output) bytes in accounting packets. The formula to calculate the exact byte count is value-overflow*4294967296 + value.
Example: O0;266940
Used in: Accounting
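
Two of the Table 4 string formats carry numbers that accounting or audit tooling has to decode: the account-info service status entry (N...) and the control-info I/O byte counters with their overflow word. The decoder below is an added example, not code from the Cisco guide; the function names are illustrative, and it assumes the service-state digit is present and that the counter value is the low 32-bit word.

```python
import re

WRAP = 4294967296  # multiplier from the overflow formula (2**32)
COUNTER = re.compile(r"([IO])([0-9]+);([0-9]+)")
STATUS_FIELDS = ("time_connected", "username", "pkt_in", "pkt_out",
                 "bytes_in", "bytes_out")


def decode_counter(value: str):
    """control-info 'I<overflow>;<value>' or 'O...' -> (direction, byte count)."""
    m = COUNTER.fullmatch(value)
    if m is None:
        raise ValueError("not an I/O byte counter: %r" % value)
    overflow, low = int(m.group(2)), int(m.group(3))
    if low >= WRAP:  # assumption: <value> is the low 32-bit word
        raise ValueError("value does not fit in 32 bits")
    return m.group(1), overflow * WRAP + low


def decode_service_status(value: str) -> dict:
    """account-info 'N<state><service-name>[;field...]' -> dict of fields."""
    if len(value) < 3 or value[0] != "N" or value[1] not in "01":
        raise ValueError("not a service status entry: %r" % value)
    name, *rest = value[2:].split(";")
    if not name or len(rest) > len(STATUS_FIELDS):
        raise ValueError("malformed service status entry")
    out = {"active": value[1] == "1", "service": name}
    for key, field in zip(STATUS_FIELDS, rest):  # trailing fields are optional
        if key == "username":
            out[key] = field
        elif re.fullmatch(r"[0-9]+", field):
            out[key] = int(field)
        else:
            raise ValueError("non-numeric %s: %r" % (key, field))
    return out


if __name__ == "__main__":
    # Example values taken from Table 4, plus one constructed overflow case.
    print(decode_counter("I0;266867"), decode_counter("O3;5"))
    print(decode_service_status(
        "N1BOD_1MEG_SERVICE;277;IP_UC1;139;179;24236;213422"))
```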