Cisco Prime Access Registrar 6.0.1 User Guide
Environment Dictionary

This appendix describes the environment variables the scripts use to communicate with Cisco Prime Access Registrar (Prime Access Registrar) or to communicate with other scripts.

Prime Access Registrar sets the arguments variable in the Environment dictionary, before calling the InitEntryPoint of each script. The arguments variable is set to the value of the InitEntryPointArgs property corresponding to that script, and it allows the administrator to pass (possibly unique) information to each script initialization function.

Environment variables that are set and read for resource management override give scripts further control over session management. These environment variables, including Acquire-User-Session-Limit, Acquire-Group-Session-Limit, Acquire-IP-Dynamic, Acquire-IP-Per-NAS-Port, Acquire-IPX-Dynamic, and Acquire-USR-VPN, can be set at any point before session management is invoked. They are read as the packet flows through each Resource Manager that the chosen Session Manager calls. The default setting for these environment variables is TRUE. See the "Resource Managers" section for additional information about Resource Managers.

This appendix has the following major sections:

Cisco Prime Access Registrar Environment Dictionary Variables

This section lists environment variables you can use in scripts to communicate with Prime Access Registrar or to communicate with other scripts.

Internal Variables

This section lists environment variables used by the Prime Access Registrar server for internal operations. The environment variables listed in this section must not be modified by scripts.

Cisco Prime Access Registrar Environment Dictionary Variables

The following variables are text strings stored in the Environment dictionary passed to each scripting point.

Accepted-Profiles

Accepted-Profiles is read during authorization after calling server and client incoming scripts (not set by Prime Access Registrar code). If set, the authorization done by local user lists checks to see if the given user's profile as specified in the user record is one of those in the separated list of profiles. If it is not in the separated list of profiles, the request is rejected.

Accounting-Service

Accounting-Service is set after calling server and client incoming scripts and is used to determine which accounting service is used for this request. If set, the server directs the request to be processed by the specified accounting service.

When Accounting-Service is not set, the DefaultAccountingService (as defined in the server configuration) is used instead.

Acquire-Dynamic-DNS

Acquire-Dynamic-DNS is set and read for resource management override. Acquire-Dynamic-DNS is set to FALSE to skip DNS updating during resource management processing.

Acquire-Group-Session-Limit

Acquire-Group-Session-Limit is set and read for resource management override. Acquire-Group-Session-Limit is set to FALSE to override the use of group session limit resource management.

Acquire-Home-Agent

Acquire-Home-Agent is set and read for resource management override. Acquire-Home-Agent is set to FALSE to override the allocation of the home agent IP address during resource management processing.

Acquire-IP-Dynamic

Acquire-IP-Dynamic is set and read for resource management override. Acquire-IP-Dynamic is set to FALSE to override the use of a managed pool of IP addresses resource management.

Acquire-IPX-Dynamic

Acquire-IPX-Dynamic is set and read for resource management override. Acquire-IPX-Dynamic is set to FALSE to override the use of a managed pool of IPX addresses resource management.

Acquire-IP-Per-NAS-Port

Acquire-IP-Per-NAS-Port is set and read for resource management override. Acquire-IP-Per-NAS-Port is set to FALSE to override the use of ports associated with specific IP addresses resource management.

Acquire-Subnet-Dynamic

Acquire-Subnet-Dynamic is not always used. If set to FALSE, subnet-dynamic resource managers are skipped.

Acquire-User-Session-Limit

Acquire-User-Session-Limit is set and read for resource management override. Acquire-User-Session-Limit is set to FALSE to override the use of user session limit resource management.

Acquire-USR-VPN

Acquire-USR-VPN is set and read for resource management override. Acquire-USR-VPN is set to FALSE to override the use of Virtual Private Networks (VPNs) that use USR NAS Clients resource management.

Allow-Null-Password

Allow-Null-Password is read during password matching and set in local userlist password matching if not set prior. If Allow-Null-Password is set to TRUE, the Prime Access Registrar server accepts requests with null passwords.

Authentication-Service

Authentication-Service is set and read for authentication service selection and is used to determine which service is used to authenticate the user. If set, the server directs the request to be processed by the specified authentication service. When Authentication-Service is not set, the DefaultAuthenticationService is used instead.

Authorization-Service

Authorization-Service is set and read for authorization service selection and is used to determine which service to use to authorize the user. If set, the server directs the request to be processed by the specified authorization service. When Authorization-Service is not set, the DefaultAuthorizationService is used instead.

AuthorizationInfo

The MSISDN information is copied to AuthorizationInfo that is fetched by M3UA service.

BackingStore-Env-Vars

BackingStore-Env-Vars overrides the BackingStoreEnvironmentVariables property of remote servers of type odbc-accounting only when the property BufferAccountingPackets is set to TRUE. The value is a comma-separated list of environment variables to be stored along with the packet contents on the local disk.

Blacklisted-IMSI

This variable is configured on a SIGTRAN-M3UA remote server. For any incoming request with an IMSI value, if the variable is set to TRUE, then that IMSI value is blacklisted and will not be forwarded to the HLR. For more information, see Blacklisting IMSI Values.

Broadcast-Accounting-Packet

If set to TRUE, Broadcast-Accounting-Packet enables broadcasting of Accounting-on or Accounting-off packets to all remote servers of type radius.

Cache-Attributes-In-Session

Cache-Attributes-In-Session is set and read for resource management override. Cache-Attributes-In-Session is set to FALSE to override the caching of attributes by the session-cache type of resource manager.

Current-Group-Count

Current-Group-Count is set and read for group session management. If set, the group-session-limit resource manager sets Current-Group-Count to be the new value of the group-session-limit counter.

Cache-Outer-Identity

Cache-Outer-Identity is set to control how the session of a user is identified. If it is set to TRUE, the WiMAX session manager caches the outer identity. If it is set to FALSE, the WiMAX session manager caches the inner identity. The value is set to FALSE by default.

Destination-IP-Address

Destination-IP-Address is a read-only value which is set to the receiver IP address. Destination-IP-Address contains the IP address of the request packet receiver.

Destination-Port

Destination-Port is a read-only value which is set to the receiving port number. Destination-Port contains the port number of the receiver of the request.

Dest-Translation-Type

Dest-Translation-Type is configured through the GlobalTitleTranslationScript. When the RoutingIndicator is set to RTE_GT, Prime Access Registrar server reads the value that is set in Dest-Translation-Type and sets the TranslationType field of the Called Party Address. The value in this environment variable overrides the value that is configured in the DestinationGTAddress/DestTranslationType property of a remote server, SIGTRAN-M3UA.

Dest-Numbering-Plan

Dest-Numbering-Plan is configured through the GlobalTitleTranslationScript. When the RoutingIndicator is set to RTE_GT, Prime Access Registrar server reads the value that is set in Dest-Numbering-Plan and sets the NumberingPlan field of the Called Party Address. The value in this environment variable overrides the value that is configured in the DestinationGTAddress/Dest-Numbering-Plan property of a remote server, SIGTRAN-M3UA.

The following are the only values that are used for Dest-Numbering-Plan environment variable:

DATA

GENERIC

ISDN

ISDNMOB

LANMOB

MARMOB

NWSPEC

TEL

TELEX

UNKN

If you set any value other than the above ones, Prime Access Registrar server sets the NumberingPlan that is configured in the DestinationGTAddress/Dest-Numbering-Plan property of a remote server of type SIGTRAN-M3UA.

Dest-Encoding-Scheme

Dest-Encoding-Scheme is configured through the GlobalTitleTranslationScript. When the RoutingIndicator is set to RTE_GT, Prime Access Registrar server reads the value that is set in the Dest-Encoding-Scheme environment variable and sets the EncodingScheme field of the Called Party Address. The value in this environment variable overrides the value that is configured in the DestinationGTAddress/DestEncodingScheme property of a remote server, SIGTRAN-M3UA.

The following are the only values that are used for Dest-Encoding-Scheme environment variable:

BCDEVEN

BCDODD

If you set any value other than the above ones, Prime Access Registrar server sets the EncodingScheme that is configured in the DestinationGTAddress/DestEncodingScheme property of a remote server of type SIGTRAN-M3UA.

Dest-Nature-Of-Address

Dest-Nature-Of-Address is configured through the GlobalTitleTranslationScript. When the RoutingIndicator is set to RTE_GT, Prime Access Registrar server reads the value that is set in the Dest-Nature-Of-Address environment variable and sets the NatureOfAddress field of the Called Party Address. The value in this environment variable overrides the value that is configured in the DestinationGTAddress/DestNatureofAddress property of a remote server, SIGTRAN-M3UA.

The following are the only values that are used for Dest-Nature-Of-Address environment variable:

ADDR_NOTPRSNT

INTNUM

NATSIGNUM

SUBNUM

If you set any value other than the above ones, Prime Access Registrar server sets the NatureOfAddress that is configured in the DestinationGTAddress/DestNatureofAddress property of a remote server of type SIGTRAN-M3UA.

Dest-GT-Format

Dest-GT-Format is configured through the GlobalTitleTranslationScript. When the RoutingIndicator is set to RTE_GT, Prime Access Registrar server reads the value that is set in the Dest-GT-Format environment variable and uses the format specified for the Global Title Digits (Address Information). The value in this environment variable overrides the value that is configured in the DestinationGTAddress/DestGTFormat property of a remote server, SIGTRAN-M3UA.

The following are the only values that are used for Dest-GT-Format environment variable:

GTFRMT_0

GTFRMT_1

GTFRMT_2

GTFRMT_3

GTFRMT_4

GTFRMT_5

If you set any value other than the above ones, Prime Access Registrar server sets the GTFormat that is configured in the DestinationGTAddress/DestGTFormat property of a remote server of type SIGTRAN-M3UA.

Disable-Accounting-On-Off-Broadcast

If set to TRUE, Disable-Accounting-On-Off-Broadcast disables broadcasting of Accounting-On and Accounting-Off packets to all remote servers of type 'radius'.

DSA-Response-Cache

DSA-Response-Cache is used by the Dynamic Service Authorization (DSA) feature in Prime Access Registrar. It is FALSE by default, which clears the response dictionary before Re-Authentication. If DSA-Response-Cache is set to TRUE, Prime Access Registrar does not clear the response dictionary before Re-Authenticating with the next service configured.

Dynamic-DNS-HostName

Dynamic-DNS-HostName is read while constructing the forward hostname during resource management processing to update DNS entries. If set, the name will be used as forward hostname instead of constructing one.

Dynamic-Search-Filter

Dynamic-Search-Filter overrides the Filter property in remote servers of type ldap. The format of the value set for Dynamic-Search-Filter should be similar to that of the Filter property.

Dynamic-Search-Path

Dynamic-Search-Path is read for LDAP searching. If set, the server uses it as its LDAP search path rather than the value set in the remote server configuration.

Dynamic-Search-Scope

Dynamic-Search-Scope is used to dynamically set the SearchScope property of an LDAP remote server configuration on a per-packet basis.

Dynamic-Service-Loop-Limit

The Dynamic-Service-Loop-Limit variable is used to change loop counts. When using the same service for reauthentication and reauthorization, a loop can occur in these services. The loop count is 10 by default. You can change the loop count using this variable.

Dynamic-User-Password-Attribute

Dynamic-User-Password-Attribute is read for LDAP authentication and overrides the UserPasswordAttribute. If set, the server uses it to retrieve the password field as its LDAP UserPassword attribute instead of the value set in the remote server configuration.

EAP-Actual-Identity

EAP-Actual-Identity is a read-only variable that contains the International Mobile Subscriber Identity (IMSI) of the user after a successful EAP-SIM authentication.

EAP-Authentication-Mode

EAP-Authentication-Mode is a read-only variable, set after a successful EAP-SIM authentication, that indicates whether the EAP-SIM authentication was a reauthentication or a full authentication.

Enforce-Traffic-Throttling

By default, the value is set to FALSE. When set to TRUE, the traffic throttling check for the packet will be executed.

FetchAuthorizationInfo

When set to TRUE, this variable fetches MSISDN value from the HLR.

Do not use FetchAuthorizationInfo for authorization. We recommend that you use the authorization service of m3ua instead.

Generate-BEK

Generate-BEK is read when WiMax provisioning service is enabled. If this is set, Prime Access Registrar will generate the Bootstrap Encryption Key in the WiMax flow.

Group-Session-Limit

Group-Session-Limit is set and read for group session management. The group-session-limit resource manager sets this environment variable to be the limit of the group-session-limit counter as set by the configuration.

HLR-GlobalTitle-Address

HLR-GlobalTitle-Address is configured through the GlobalTitleTranslationScript. When the RoutingIndicator is set to RTE_GT in the SIGTRAN-M3UA remote server, Prime Access Registrar server reads the value that is set in HLR-GlobalTitle-Address and sets the Destination GT Digits (Address Information field) of the Called Party Address.

HLR-Translated-IMSI

HLR-Translated-IMSI is configured through the IMSITranslationScript. Prime Access Registrar server reads the value in HLR-Translated-IMSI and sets the value as IMSI before sending the request to STP/HLR. The value that is configured in the HLR-Translated-IMSI environment variable overrides the IMSI received in EAP-AKA/EAP-SIM request packet.

Ignore-Accounting-Signature

Ignore-Accounting-Signature is set after calling server and client incoming scripts and is used to ignore missing or incorrect accounting signatures from NASs. If set, Prime Access Registrar does not check whether the accounting request packet has been signed with the same shared secret as the NAS.

Ignore-Accounting-Signature is used to work with RADIUS implementations that did not sign Accounting-Requests. A script was provided in the distribution (for USR NASs) that could be set in the IncomingScript extension point for the USR Vendor that simply set this environment variable.
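The check that Ignore-Accounting-Signature turns off can be reproduced offline. The following is an added example, not Cisco code: it computes the Accounting-Request authenticator as defined in RFC 2866 (MD5 over the header, 16 zero octets, the attributes, and the shared secret) and classifies a packet as valid, unsigned, or wrongly signed. The shared secret, attribute values, and function names are constructed for illustration, and treating an all-zero authenticator as "unsigned" is an assumption about how a non-signing NAS fills the field.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4        # packet code for Accounting-Request (Table B-1)
HEADER_LEN = 20               # code, identifier, length, 16-octet authenticator
ZERO_AUTH = b"\x00" * 16


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def sign_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request the way a signing NAS does (RFC 2866)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         HEADER_LEN + len(attributes))
    digest = hashlib.md5(header + ZERO_AUTH + attributes + secret).digest()
    return header + digest + attributes


def check_accounting_signature(packet: bytes, secret: bytes) -> str:
    """Return 'valid', 'unsigned', 'bad-signature', 'not-accounting-request'
    or 'malformed' for a received packet."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return "not-accounting-request"
    if not HEADER_LEN <= length <= len(packet):
        return "malformed"
    packet = packet[:length]                 # octets past Length are padding
    received = packet[4:HEADER_LEN]
    expected = hashlib.md5(
        packet[:4] + ZERO_AUTH + packet[HEADER_LEN:] + secret).digest()
    if hmac.compare_digest(received, expected):
        return "valid"
    # Assumption: a NAS that does not sign leaves the field zeroed.
    return "unsigned" if received == ZERO_AUTH else "bad-signature"


# Constructed sample data (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
START_ATTRS = (attribute(1, b"alice")                     # User-Name
               + attribute(4, bytes([192, 0, 2, 10]))     # NAS-IP-Address
               + attribute(40, struct.pack("!I", 1))      # Acct-Status-Type = Start
               + attribute(44, b"sess-0001"))             # Acct-Session-Id
STOP_ATTRS = START_ATTRS.replace(attribute(40, struct.pack("!I", 1)),
                                 attribute(40, struct.pack("!I", 2)))


def demo() -> dict:
    """Classify four constructed packets against the configured secret."""
    signed = sign_accounting_request(7, START_ATTRS, SECRET)
    return {
        "signed": check_accounting_signature(signed, SECRET),
        "wrong_secret": check_accounting_signature(
            sign_accounting_request(7, START_ATTRS, b"other-secret"), SECRET),
        # Attributes changed in transit, original authenticator kept.
        "tampered": check_accounting_signature(
            signed[:HEADER_LEN] + STOP_ATTRS, SECRET),
        "unsigned": check_accounting_signature(
            signed[:4] + ZERO_AUTH + signed[HEADER_LEN:], SECRET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

With Ignore-Accounting-Signature set, the last three packets are processed the same way as the first, which is why the variable is best scoped to the specific clients that cannot sign.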

IMSI

International Mobile System Identifier (IMSI) that is fetched from the response from HLR.

Incoming-Translation-Groups

Incoming-Translation-Groups is read for authentication while processing responses from a remote RADIUS server. If set, Incoming-Translation-Groups specifies the translation groups to be used to filter attributes on requests.

Master-URL-Fragment

Used with the Windows Provisioning Service feature, Master-URL-Fragment specifies the fragment within the Master URL to be sent back to the provisioning server. Master-URL-Fragment can be set to any of the following four values: signup, renewal, passwordchange, and forceupdate. If Master-URL-Fragment is not set and is required to send the URL, signup will be sent by default.

The environment variable Send-PEAP-URI-TLV indicates whether or not to send the URL.

Misc-Log-Message-Info

Misc-Log-Message-Info is read for packet event logging. If a log message is generated, the value of Misc-Log-Message-Info is inserted into the middle of the log message.

MSISDN

The Mobile Subscriber ISDN Number (MSISDN) that is fetched from the response from HLR.

Outgoing-Translation-Groups

Outgoing-Translation-Groups is read while proxying to a remote radius server. If set, Outgoing-Translation-Groups specifies the translation groups to be used to filter attributes.

Pager

The aregcmd command supports the Pager environment variable. When the aregcmd command stats is used and the Pager environment variable is set, the output of the stats command is displayed using the program specified by the Pager environment variable.

Query-Service

The Query-Service variable is set and read for the radius-query service selection type. The Query-Service variable must be set before authentication phase begins at the server, vendor, or client incoming scripting point or using the policy engine. If set, the server directs requests to be processed by the specified radius-query service. After the Query-Service variable is set, no AAA processing will be done.

Re-Accounting-Service

Re-Accounting-Service is configured, through script, for dynamic service authorization. When the Re-Accounting-Service is set, the server directs the request to the specified reaccounting service for processing.

Re-Authentication-Service

Re-Authentication-Service is configured, through script, for dynamic service authorization. When the Re-Authentication-Service is set, the server directs the request to the specified reauthentication service for processing.

Re-Authorization-Service

Re-Authorization-Service is configured, through script, for dynamic service authorization. When the Re-Authorization-Service is set, the server directs the request to the specified reauthorization service for processing.

Realm

The Realm variable is set for domain-auth type of service and is used as the domain name for windows authentication.

Reject-Reason

Reject-Reason is set when a request is being rejected and contains the Reject-Reason. Prime Access Registrar uses the value of Reject-Reason to look up the reject reason in the reply message table.

If Reject-Reason is set to one of: UnknownUser, UserNotEnabled, UserPasswordInvalid, UnableToAcquireResource, ServiceUnavailable, InternalError, MalformedRequest, ConfigurationError, IncomingScriptFailed, OutgoingScriptFailed, IncomingScriptRejectedRequest, OutgoingScriptRejectedRequest, or TerminationAction, then the value set in the configuration under /Radius/Advanced/ReplyMessages will be returned.

Remote-Server

Remote-Server is set and read for logging a rejected packet from a remote server. Remote-Server records the name and IP address of the remote server to which the request has been forwarded.

Remove-Session-On-Acct-Stop

When set to TRUE, server removes the session on receiving an accounting stop packet.

Remote-Servers-Tried

Remote-Servers-Tried contains a list of remote servers that were tried before a request was accepted or rejected (in the case of a Failover multiple remoteserver policy). The list of servers is a comma-separated list of remote server names.

Request-Authenticator

Request-Authenticator is set for every packet upon reception. Getting the Request-Authenticator from a script returns the value of the request authenticator.

Request-Type

Request-Type is set when a request is first received to the type of request, such as one of Access-Request, Access-Accept, Access-Reject, Accounting-Request, Accounting-Response, or Access-Challenge before calling any extension points.

The request contains a string representation of the RADIUS packet type (code). When Prime Access Registrar does not recognize the packet type, it is represented as "Unknown-Packet-Type-<N>", where <N> is the numeric value of the packet type (for example, "Unknown-Packet-Type-9"). The known packet types are listed in Table B-1.

Table B-1 Request-Type Packets

String                         Packet Code
Access-Request                 1
Access-Accept                  2
Access-Reject                  3
Accounting-Request             4
Accounting-Response            5
Access-Challenge               11
Status-Server                  12
Status-Client                  13
USR-Resource-Free-Request      21
USR-Resource-Free-Response     22
USR-Resource-Query-Request     12
USR-Resource-Query-Response    24
USR-NAS-Reboot-Request         26
USR-NAS-Reboot-Response        27
Ascend-IPA-Allocate            50
Ascend-IPA-Release             51
USR-Enhanced-Radius            254



Note: Request-Type is to be used as a read-only variable by scripts.


Require-User-To-Be-In-Authorization-List

Require-User-To-Be-In-Authorization-List is read for authorization. If we are authorizing with a different service than we authenticated with (not usually done) and the user is not known by the authorization service, the default is to continue on unless this environment variable is set, in which case we reject the request with a cause of Unknown-user.

Response-Type

Response-Type is set and read throughout processing and used to determine whether the request should be accepted, rejected, or challenged. When Response-Type is set to "Access-Reject" at any time during the processing of a request, no more processing of the request is done, and an Access-Reject response is sent. For other valid values for Response-Type, see Table B-1.

Retrace-Packet

If set, Retrace-Packet causes a trace of the packet to be displayed during the incoming and outgoing scripts. If set, it causes a second trace of the request packet's contents after running all the incoming scripts and/or a second trace of the response packet's contents before running the outgoing scripts.

Send-PEAP-URI-TLV

When set to TRUE, the URI PEAP-TLV is included along with the Result PEAP-TLV in the access-challenge packet. The authenticating user service (of type userlist, LDAP, or WDA) can set this to TRUE using an extension point script or attribute mapping so that the PEAP-v0 service can send the URI PEAP-TLV. The default value for this is FALSE.


Note: This variable is used with the Windows Provisioning Service (WPS) feature.


Session-Key

Session-Key is read for session management. If set, the server uses it as the key to look up the session associated with the current request, if any. If not set, the server uses the NAS IP Address and NAS Port to create a session key.

Session-Manager

Session-Manager is read after user authorization and determines which dynamic resources to allocate for this user, when one is needed. If set, the server directs the request to be processed by the specified session manager. When not set, the SessionManager (as defined in DefaultSessionManager) is used when needed.

Session-Notes

Session-Notes is a comma-separated list set to make session information available to scripts. Session-Notes contains the names of other environment variables. If set, these variables are stored on a Session as notes.

Session-Service

Session-Service is set and read during session management. If set, the server will direct the request to be processed by the specified session service.

Set-Session-Mgr-And-Key-Upon-Lookup

When Set-Session-Mgr-And-Key-Upon-Lookup is set to TRUE, a session-cache resource manager sets the session-manager and session-key environment variable during a query-lookup, and the Prime Access Registrar server does not cache the response dictionary attributes. Set-Session-Mgr-And-Key-Upon-Lookup is set to TRUE by a query-service IncomingScript.

Skip-Session-Management

When set to TRUE in a request, Skip-Session-Management causes session management to be skipped for the request, even if session management might normally occur.

Skip-Overriding-Username-With-LDAP-UID

Skip-Overriding-Username-With-LDAP-UID is used to decide if the username should be replaced with the UID from the LDAP server. When Skip-Overriding-Username-With-LDAP-UID is set to TRUE, the username is not replaced with the UID from the LDAP server.

You can use Skip-Overriding-Username-With-LDAP-UID to retain case sensitivity in usernames when the username given when logging in to the network is in a different case than the UID in the LDAP server database, such as User1 and user1.

Skip-Overriding-UserName-With-PEAPIdentity

Skip-Overriding-Username-With-PEAPIdentity is used to decide if the username should be replaced with the PEAP Identity. When Skip-Overriding-Username-With-PEAPIdentity is set to TRUE, the username is not replaced with the PEAP Identity.

Source-IP-Address

Source-IP-Address is set when a request is first received to the IP address from which the IP request was received before calling any extension points. Source-IP-Address contains the IP address of the NAS or proxy server that sent the request to this server.


Note: Source-IP-Address is to be used as a read-only variable by scripts.


Source-Port

Source-Port is set when a request is first received to the port from which the request was received. Source-Port is set for each request before calling any extension points and contains the port on the NAS or proxy server that was used to send the request to this server.


Note: Source-Port is to be used as a read-only variable by scripts.


Subnet-Size-If-No-Match

Subnet-Size-If-No-Match, set to one of BIGGER, SMALLER, or EXACT, determines the behavior of the subnet-dynamic resource manager if a pool of the requested size is not available.

Trace-Level

Trace-Level is set for each request before calling any extension points. Trace-Level is set to the current trace level as specified through aregcmd. If set by a script, Trace-Level changes the trace level used to determine what level of information is traced.

Unavailable-Resource

Unavailable-Resource is set during session management. If the request is being rejected because one of the resource managers failed to allocate a resource, Unavailable-Resource is set to the name of the resource manager that failed.

Unavailable-Resource-Type

Unavailable-Resource-Type is set during session management. If the request is being rejected because one of the resource managers failed to allocate a resource, Unavailable-Resource-Type is set to the type of the resource manager that failed.

UserDefined1

UserDefined1 is set to the value of the UserDefined1 property of the user from a local user list during password matching of local users.

User-Authorization-Script

User-Authorization-Script is read in local services during authorization. If set, the server calls the specified script to do additional user authorization after authentication succeeds.

User-Group

User-Group is read in local services during authorization. If set, User-Group specifies the UserGroup to which the current user belongs.

User-Group-Session-Limit

User-Group-Session-Limit is read during session management. If set, User-Group-Session-Limit overrides the limit specified for the group-session-limit resource manager.

User-Name

User-Name is read by a local service during authentication. When User-Name is set, it is the name used to authenticate or authorize the request and overrides the User-Name in the Request dictionary.

User-Profile

User-Profile is read in local services during authorization. If set, User-Profile specifies the Profile from which the current user should receive attributes.

User-Session-Limit

User-Session-Limit is read during session management. If set, User-Session-Limit overrides the limit specified for the user-session-limit resource manager.

Virtual-Server-Outgoing-Script

Virtual-Server-Outgoing-Script is read when the LawfulIntercept script object is enabled to use a virtual script object. If this is set, the configured script is executed after the server outgoing script.

Windows-Domain-Groups

The Windows-Domain-Groups variable is a read-only variable that contains a comma separated list of group names to which the user belongs in the Active Directory. The Windows-Domain-Groups variable is set after a successful authentication using a domain-auth type of service.

X509-Subject-Name

X509-Subject-Name reads the value of the subject in the SSL certificate. This is read while processing the access request.

Internal Variables

The following environment variables are used by the server for internal operation. The values for these environment variables must not be modified.

Add-Message-Authenticator

Calling-Service-Name

Cleartext-Password

Current-Service-Name

Dynamic-Search-UID

Duplicate-Req

EAP-Internal-Services

Group-Service

Group-Service-State-ID

Hidden-Attrib

IMSI

Local-Port-type

Message-Authenticator-Present

MSCHAP-Account-Name

MS-ChapV2-Message

NAS-Name-And-IPAddress

Notify-Service-Session-Key

Notify-Service-State-ID

Number-Requested-Quintets

Number-Requested-Triplets

Proxied-Dynamic-Auth (named Proxied-POD in earlier releases)

Provider-Identifier

Rcd-NT-Password-Hash-Hash (named Rcd-NT-Password-Hash in earlier releases)

Remote-Session

Return-Data

Roaming

Script-Level

Session-ID

Session-Accounting-Counter

Session-Generation-Tag

Session-Last-Accessed-Time

Session-Manager-Key

Session-NAS-Identifier

Session-NAS-Port

Session-Resource-Count

Session-Resource-%d

Session-Reuse

Session-Start-Time

Session-Survives-NAS-Reboot

Session-User-Name

User-Name-Used-For-Lookup

WiMax-Authentication

WiMax-SessionManager-Exists
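One way to review what an extension point script did to the Environment dictionary, given as an added example that is not part of the Cisco documentation: it compares a snapshot taken before the script with one taken after, and reports changes to internal variables, changes to variables this appendix marks read-only, and overrides that relax a check described above. The snapshot dictionaries, their values, and the function name are constructed for illustration; how the snapshots are captured is left to the deployment.

```python
import re

# Variables this appendix describes as read-only for scripts.
READ_ONLY = frozenset("""
    Destination-IP-Address Destination-Port EAP-Actual-Identity
    EAP-Authentication-Mode Request-Type Source-IP-Address Source-Port
    Windows-Domain-Groups
""".split())

# Variables listed under "Internal Variables" (current and earlier names).
INTERNAL = frozenset("""
    Add-Message-Authenticator Calling-Service-Name Cleartext-Password
    Current-Service-Name Dynamic-Search-UID Duplicate-Req EAP-Internal-Services
    Group-Service Group-Service-State-ID Hidden-Attrib IMSI Local-Port-type
    Message-Authenticator-Present MSCHAP-Account-Name MS-ChapV2-Message
    NAS-Name-And-IPAddress Notify-Service-Session-Key Notify-Service-State-ID
    Number-Requested-Quintets Number-Requested-Triplets Proxied-Dynamic-Auth
    Proxied-POD Provider-Identifier Rcd-NT-Password-Hash-Hash
    Rcd-NT-Password-Hash Remote-Session Return-Data Roaming Script-Level
    Session-ID Session-Accounting-Counter Session-Generation-Tag
    Session-Last-Accessed-Time Session-Manager-Key Session-NAS-Identifier
    Session-NAS-Port Session-Resource-Count Session-Reuse Session-Start-Time
    Session-Survives-NAS-Reboot Session-User-Name User-Name-Used-For-Lookup
    WiMax-Authentication WiMax-SessionManager-Exists
""".split())
SESSION_RESOURCE_N = re.compile(r"Session-Resource-\d+\Z")  # Session-Resource-%d

# name -> (value that triggers the finding, or None for any value; effect).
OVERRIDES = {
    "Allow-Null-Password": ("TRUE", "requests with null passwords are accepted"),
    "Ignore-Accounting-Signature": (None, "accounting signature is not checked"),
    "Skip-Session-Management": ("TRUE", "session management is skipped"),
    "Acquire-User-Session-Limit": ("FALSE", "user session limit is not applied"),
    "Acquire-Group-Session-Limit": ("FALSE", "group session limit is not applied"),
    "User-Session-Limit": (None, "configured user session limit is overridden"),
    "User-Group-Session-Limit": (None, "configured group session limit is overridden"),
}


def audit_script_changes(before: dict, after: dict) -> list:
    """Return (kind, name, detail) for every change worth a reviewer's attention."""
    findings = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old == new:
            continue
        if name in INTERNAL or SESSION_RESOURCE_N.match(name):
            findings.append(("internal-modified", name, f"{old!r} -> {new!r}"))
        elif name in READ_ONLY:
            findings.append(("read-only-modified", name, f"{old!r} -> {new!r}"))
        elif name in OVERRIDES and new is not None:
            trigger, effect = OVERRIDES[name]
            if trigger is None or new.strip().upper() == trigger:
                findings.append(("security-override", name, effect))
    return findings


# Constructed snapshots of the Environment dictionary around one script call.
BEFORE = {
    "Request-Type": "Access-Request",
    "Source-IP-Address": "192.0.2.10",
    "Trace-Level": "0",
    "Session-ID": "17",
}
AFTER = {
    "Request-Type": "Access-Request",
    "Source-IP-Address": "198.51.100.7",      # read-only value rewritten
    "Trace-Level": "0",
    "Session-ID": "17",
    "Authentication-Service": "local-users",  # ordinary service selection
    "Allow-Null-Password": "TRUE",
    "Acquire-User-Session-Limit": "FALSE",
    "Cleartext-Password": "constructed",      # internal variable written
    "Session-Resource-2": "pool-a",           # matches Session-Resource-%d
}

if __name__ == "__main__":
    for kind, name, detail in audit_script_changes(BEFORE, AFTER):
        print(f"{kind:20s} {name:28s} {detail}")
```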