Table Of Contents
TACACS+ Attribute-Value Pairs
Cisco IOS AV Pair Dictionary
TACACS+ AV Pairs
TACACS+ Accounting AV Pairs
TACACS+ Attribute-Value Pairs
Cisco Secure Access Control Server (ACS) for Windows Server supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.
Cisco IOS AV Pair Dictionary
Before selecting TACACS+ AV pairs for Cisco Secure ACS, confirm that your AAA client is running Cisco IOS Release 11.2 or later. Earlier versions of Cisco IOS work with Cisco Secure ACS but do not fully support the TACACS+ features in Cisco Secure ACS.
Note If you specify a given AV pair in Cisco Secure ACS, you must also enable the corresponding AV pair in the Cisco IOS software running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If Cisco Secure ACS sends an AV pair to the AAA client that the Cisco IOS software does not support, that attribute is not implemented.
For more information on TACACS+ AV pairs, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients.
Note All TACACS+ values are strings. The concept of value "type" does not exist in TACACS+ as it does in Remote Access Dial-In User Service (RADIUS).
TACACS+ AV Pairs
Note Beginning with Cisco Secure ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:
addr
addr-pool
callback-dialstring
Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).
Cisco Secure ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ AV pairs supported in Cisco Secure ACS are as follows:
•acl=
•addr=
•addr-pool=
•autocmd=
•callback-dialstring
•callback-line
•callback-rotary
•cmd-arg=
•cmd=
•dns-servers=
•gw-password
•idletime=
•inacl#n
•inacl=
•interface-config=
•ip-addresses
•link-compression=
•load-threshold=n
•max-links=n
•nas-password
•nocallback-verify
•noescape=
•nohangup=
•old-prompts
•outacl#n
•outacl=
•pool-def#n
•pool-timeout=
•ppp-vj-slot-
compression
•priv-lvl=
•protocol=
•route
•route#n
•routing=
•rte-ftr-in#n
•rte-ftr-out#n
•sap#n
•sap-fltr-in#n
•sap-fltr-out#n
•service=
•source-ip=
•timeout=
•tunnel-id
•wins-servers=
•zonelist=
TACACS+ Accounting AV Pairs
Cisco Secure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ accounting AV pairs supported in Cisco Secure ACS are as follows:
•bytes_in
•bytes_out
•cmd
•data-rate
•disc-cause
•disc-cause-ext
•elapsed_time
•event
•mlp-links-max
•mlp-sess-id
•nas-rx-speed
•nas-tx-speed
•paks_in
•paks_out
•port
•pre-bytes-in
•pre-bytes-out
•pre-paks-in
•pre-paks-out
•pre-session-time
•priv_level
•protocol
•reason
•service
•start_time
•stop_time
•task_id
•timezone
•xmit-rate