User Guide for Cisco Secure ACS for Windows Server Version 3.3
TACACS+ Attribute-Value Pairs



Cisco Secure Access Control Server (ACS) for Windows Server supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.

Cisco IOS AV Pair Dictionary

Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your AAA client is running Cisco IOS Release 11.2 or later. Earlier versions of Cisco IOS work with Cisco Secure ACS but do not fully support the TACACS+ features in Cisco Secure ACS.


Note: If you specify a given AV pair in Cisco Secure ACS, you must also enable the corresponding AV pair in the Cisco IOS software running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If Cisco Secure ACS sends an AV pair to the AAA client that the Cisco IOS software does not support, that attribute is not implemented.


For more information on TACACS+ AV pairs, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients.


Note: All TACACS+ values are strings. The concept of value "type" does not exist in TACACS+ as it does in Remote Access Dial-In User Service (RADIUS).


TACACS+ AV Pairs


Note: Beginning with Cisco Secure ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:
 
   addr
   addr-pool
   callback-dialstring
 
Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).


Cisco Secure ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ AV pairs supported in Cisco Secure ACS are as follows:

acl=

addr=

addr-pool=

autocmd=

callback-dialstring

callback-line

callback-rotary

cmd-arg=

cmd=

dns-servers=

gw-password

idletime=

inacl#n

inacl=

interface-config=

ip-addresses

link-compression=

load-threshold=n

max-links=n

nas-password

nocallback-verify

noescape=

nohangup=

old-prompts

outacl#n

outacl=

pool-def#n

pool-timeout=

ppp-vj-slot-compression

priv-lvl=

protocol=

route

route#n

routing=

rte-ftr-in#n

rte-ftr-out#n

sap#n

sap-fltr-in#n

sap-fltr-out#n

service=

source-ip=

timeout=

tunnel-id

wins-servers=

zonelist=

TACACS+ Accounting AV Pairs

Cisco Secure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ accounting AV pairs supported in Cisco Secure ACS are as follows:

bytes_in

bytes_out

cmd

data-rate

disc-cause

disc-cause-ext

elapsed_time

event

mlp-links-max

mlp-sess-id

nas-rx-speed

nas-tx-speed

paks_in

paks_out

port

pre-bytes-in

pre-bytes-out

pre-paks-in

pre-paks-out

pre-session-time

priv_level

protocol

reason

service

start_time

stop_time

task_id

timezone

xmit-rate