User Guide for Cisco Secure ACS for Windows 4.0
RADIUS Attributes

Table Of Contents

RADIUS Attributes

Before Using RADIUS Attributes

Cisco IOS Dictionary of RADIUS IETF

Cisco IOS/PIX 6.0 Dictionary of RADIUS VSAs

About the cisco-av-pair RADIUS Attribute

Cisco VPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

Cisco Airespace Dictionary of RADIUS VSA

IETF Dictionary of RADIUS IETF (AV Pairs)

Microsoft MPPE Dictionary of RADIUS VSAs

Ascend Dictionary of RADIUS AV Pairs

Nortel Dictionary of RADIUS VSAs

Juniper Dictionary of RADIUS VSAs


RADIUS Attributes


Cisco Secure Access Control Server Release 4.0 for Windows, hereafter referred to as ACS, supports many Remote Access Dial-In User Service (RADIUS) attributes. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes that ACS supports.

This appendix contains the following topics:

Before Using RADIUS Attributes

Cisco IOS Dictionary of RADIUS IETF

Cisco IOS/PIX 6.0 Dictionary of RADIUS VSAs

About the cisco-av-pair RADIUS Attribute

Cisco VPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

Cisco Airespace Dictionary of RADIUS VSA

IETF Dictionary of RADIUS IETF (AV Pairs)

Microsoft MPPE Dictionary of RADIUS VSAs

Ascend Dictionary of RADIUS AV Pairs

Nortel Dictionary of RADIUS VSAs

Juniper Dictionary of RADIUS VSAs

Before Using RADIUS Attributes

You can enable different attribute-value (AV) pairs for Internet Engineering Task Force (IETF) RADIUS and any supported vendor. For outbound attributes, you can configure the attributes that are sent and their content by using the ACS web interface. The RADIUS attributes that are sent to authentication, authorization, and accounting (AAA) clients in access-accept messages are user specific.

To configure a specific attribute to be sent for a user, you must ensure that:

1. In the Network Configuration section, you must configure the AAA client entry corresponding to the access device that grants network access to the user to use a variety of RADIUS that supports the attribute that you want sent to the AAA client. For more information about the RADIUS attribute sets that RADIUS varieties support, see Protocol Configuration Options for RADIUS.

2. In the Interface Configuration section, you must enable the attribute so that it appears on user or user group profile pages. You can enable attributes on the page corresponding to the RADIUS variety that supports the attribute. For example, IETF RADIUS Session-Timeout attribute (27) appears on the RADIUS (IETF) page.


Note By default, per-user RADIUS attributes are not enabled (they do not appear in the Interface Configuration page). Before you can enable attributes on a per-user basis, you must enable the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page in the Interface Configuration section. After enabling per-user attributes, a user column will appear as disabled in the Interface Configuration page for that attribute.


3. In the profile that you use to control authorizations for the user— in the user or group edit pages or Shared RADIUS Authorization Component page—you must enable the attribute. Enabling this attribute causes ACS to send the attribute to the AAA client in the access-accept message. In the options that are associated with the attribute, you can determine the value of the attribute that is sent to the AAA client.


Note Settings in a user profile override settings in a group profile. For example, if you configure Session-Timeout in the user profile and also in the group to which the user is assigned, ACS sends the AAA client the Session-Timeout value that is specified in the user profile. If Network Access Profiles (NAPs) are being used, it is possible that attributes from Shared RADIUS Authorization Components may be included in the access accept response. For a discussion about the interaction among group, user, and Shared Radius Authorization Components (SRAC) attributes, see Merging Attributes.


Cisco IOS Dictionary of RADIUS IETF

ACS supports Cisco RADIUS IETF (IOS RADIUS AV pairs). Before selecting AV pairs for ACS, you must confirm that your AAA client is a compatible release of Cisco IOS or compatible AAA client software. For more information, see Installation Guide for Cisco Secure ACS for Windows for information about network and port requirements.


Note If you specify a given AV pair on ACS, the corresponding AV pair must be implemented in the Cisco IOS software that is running on the network device. Always consider which AV pairs your Cisco IOS release supports. If ACS sends an AV pair that the Cisco IOS software does not support, the attribute is not implemented.



Note Because IP pools and callback supersede them, the following RADIUS attributes do not appear on the Group Setup page:

Number
Name

8

Framed-IP-Address

19

Callback-Number

218

Ascend-Assign-IP-Pool



None of these attributes can be set via Relational Database Management System (RDBMS) Synchronization.


Table C-1 lists the supported Cisco IOS RADIUS AV pairs.

Table C-1 Cisco IOS Software RADIUS AV Pairs 

Number
Attribute
Type of Value
Inbound/Outbound
Multiple

1

User-Name

String

Inbound

No

2

User-Password

String

Outbound

No

3

CHAP-Password

String

Outbound

No

4

NAS-IP Address

Ipaddr

Inbound

No

5

NAS-Port

Integer

Inbound

No

6

Service-Type

Integer

Both

No

7

Framed-Protocol

Integer

Both

No

9

Framed-IP-Netmask

Ipaddr (maximum length 15 characters)

Outbound

No

10

Framed-Routing

Integer

Outbound

No

11

Filter-Id

String

Outbound

Yes

12

Framed-MTU

Integer (maximum length 10 characters)

Outbound

No

13

Framed-Compression

Integer

Outbound

Yes

14

Login-IP-Host

Ipaddr (maximum length 15 characters)

Both

Yes

15

Login-Service

Integer

Both

No

16

Login-TCP-Port

Integer (maximum length 10 characters)

Outbound

No

18

Reply-Message

String

Outbound

Yes

21

Expiration

Date

22

Framed-Route

String

Outbound

Yes

24

State

String (maximum length 253 characters)

Outbound

No

25

Class

String

Outbound

Yes

26

Vendor specific

String

Outbound

Yes

27

Session-Timeout

Integer (maximum length 10 characters)

Outbound

No

28

Idle-Timeout

Integer (maximum length 10 characters)

Outbound

No

30

Called-Station-ID

String

Inbound

No

31

Calling-Station-ID

String

Inbound

No

33

Login-LAT-Service

String (maximum length 253 characters)

Inbound

No

40

Acct-Status-Type

Integer

Inbound

No

41

Acct-Delay-Time

Integer

Inbound

No

42

Acct-Input-Octets

Integer

Inbound

No

43

Acct-Output-Octets

Integer

Inbound

No

44

Acct-Session-ID

String

Inbound

No

45

Acct-Authentic

Integer

Inbound

No

46

Acct-Session-Time

Integer

Inbound

No

47

Acct-Input-Packets

Integer

Inbound

No

48

Acct-Output-Packets

Integer

Inbound

No

49

Acct-Terminate-Cause

Integer

Inbound

No

61

NAS-Port-Type

Integer

Inbound

No

62

NAS-Port-Limit

Integer (maximum length 10 characters)

Both

No


Cisco IOS/PIX 6.0 Dictionary of RADIUS VSAs

ACS supports Cisco IOS/PIX 6.0 vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 9.

Table C-2 lists the supported Cisco IOS/PIX 6.0 RADIUS VSAs.


Note For a discussion of the Cisco IOS/PIX 6.0 RADIUS cisco-av-pair attribute, see About the cisco-av-pair RADIUS Attribute.



Note For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP (VoIP) documentation.



Note For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.


Table C-2 Cisco IOS/PIX 6.0 RADIUS VSAs 

Number
Attribute
Type of Value
Inbound/Outbound
Multiple

1

cisco-av-pair

String

Both

Yes

2

cisco-nas-port

String

Inbound

No

23

cisco-h323-remote-address

String

Inbound

No

24

cisco-h323-conf-id

String

Inbound

No

25

cisco-h323-setup-time

String

Inbound

No

26

cisco-h323-call-origin

String

Inbound

No

27

cisco-h323-call-type

String

Inbound

No

28

cisco-h323-connect-time

String

Inbound

No

29

cisco-h323-disconnect-time

String

Inbound

No

30

cisco-h323-disconnect-cause

String

Inbound

No

31

cisco-h323-voice-quality

String

Inbound

No

33

cisco-h323-gw-id

String

Inbound

No

35

cisco-h323-incoming-conn-id

String

Inbound

No

101

cisco-h323-credit-amount

String (maximum length 247 characters)

Outbound

No

102

cisco-h323-credit-time

String (maximum length 247 characters)

Outbound

No

103

cisco-h323-return-code

String (maximum length 247 characters)

Outbound

No

104

cisco-h323-prompt-id

String (maximum length 247 characters)

Outbound

No

105

cisco-h323-day-and-time

String (maximum length 247 characters)

Outbound

No

106

cisco-h323-redirect-number

String (maximum length 247 characters)

Outbound

No

107

cisco-h323-preferred-lang

String (maximum length 247 characters)

Outbound

No

108

cisco-h323-redirect-ip-addr

String (maximum length 247 characters)

Outbound

No

109

cisco-h323-billing-model

String (maximum length 247 characters)

Outbound

No

110

cisco-h323-currency

String (maximum length 247 characters)

Outbound

No

250

cisco-ssg-account-info

String (maximum length 247 characters)

Outbound

No

251

cisco-ssg-service-info

String (maximum length 247 characters)

Both

No

253

cisco-ssg-control-info

String (maximum length 247 characters)

Both

No


About the cisco-av-pair RADIUS Attribute

The first attribute in the Cisco IOS/PIX 6.0 RADIUS implementation, cisco-av-pair, supports the inclusion of many AV pairs by using the following format:

 
attribute sep value 
 

where attribute and value are an AV pair supported by the releases of IOS implemented on your AAA clients, and sep is = for mandatory attributes and asterisk (*) for optional attributes. You can then use the full set of Terminal Access Controller Access Control System (TACACS+) authorization features for RADIUS.


Note The attribute name in an AV pair is case sensitive. Typically, attribute names are all in lowercase letters.


The following is an example of two AV pairs included in a single Cisco IOS/PIX 6.0 RADIUS cisco-av-pair attribute:

ip:addr-pool=first 
shell:priv-lvl=15 

The first example activates the Cisco multiple named IP address pools feature during IP authorization (during PPP IPCP address assignment). The second example immediately grants access to a user of a device-hosted administrative session to EXEC commands.

In IOS, support for Network Admission Control (NAC) includes the use of the following AV pairs:

url-redirect—Enables the AAA client to intercept an HTTP request and redirect it to a new URL. This pair is especially useful if the result of posture validation indicates that the NAC-client computer requires an update or patch that you have made available on a remediation web server. For example, a user can be redirected to a remediation web server to download and apply a new virus DAT file or an operating system patch. For example:

url-redirect=http://10.1.1.1 

posture-token—Enables ACS to send a text version of a system posture token (SPT) derived by posture validation. The SPT is always sent in numeric format and using the posture-token AV pair renders the result of a posture validation request more easily read on the AAA client. For example:

posture-token=Healthy 


Caution The posture-token AV pair is the only way that ACS notifies the AAA client of the SPT that posture validation returns. Because you manually configure the posture-token AV pair, errors in configuring the posture-token can cause the incorrect system posture token to be sent to the AAA client or; if the AV pair name is mistyped, the AAA client will not receive the system posture token at all.

For a list of valid SPTs, see Posture Tokens.

status-query-timeout—Overrides the status-query default value of the AAA client with the value that you specify, in seconds. For example:

status-query-timeout=150 

For more information about AV pairs that IOS supports, refer to the documentation for the releases of IOS implemented on your AAA clients.

Cisco VPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs

ACS supports Cisco VPN 3000/ASA/PIX 7.x+ RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076.


Note Some of the RADIUS VSAs supported by Cisco virtual private network (VPN) 3000 Concentrators, Adaptive Security Appliance (ASA), and Project Information Exchange (PIX) 7.x+ appliances are interdependent. Before you implement them, we recommend that you refer to your respective device documentation.


For example, to control Microsoft Point-to-Point Encryption (MPPE) settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the ACS web interface or how those attributes might be configured.

Table C-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.

Table C-3 Cisco VPN 3000 Concentrator /ASA/PIX 7.x+ RADIUS VSAs 

Number
Attribute
Type of Value
Inbound/Outbound
Multiple

1

CVPN3000-Access-Hours

String (maximum length 247 characters)

Outbound

No

2

CVPN3000-Simultaneous-Logins

Integer (maximum length 10 characters)

Outbound

No

5

CVPN3000-Primary-DNS

Ipaddr (maximum length 15 characters)

Outbound

No

6

CVPN3000-Secondary-DNS

Ipaddr (maximum length 15 characters)

Outbound

No

7

CVPN3000-Primary-WINS

Ipaddr (maximum length 15 characters)

Outbound

No

8

CVPN3000-Secondary-WINS

Ipaddr (maximum length 15 characters)

Outbound

No

9

CVPN3000-SEP-Card-Assignment

Integer

Outbound

No

11

CVPN3000-Tunneling-Protocols

Integer

Outbound

No

12

CVPN3000-IPSec-Sec-Association

String (maximum length 247 characters)

Outbound

No

13

CVPN3000-IPSec-Authentication

Integer

Outbound

No

15

CVPN3000-IPSec-Banner1

String (maximum length 247 characters)

Outbound

No

16

CVPN3000-IPSec-Allow-Passwd-Store

Integer

Outbound

No

17

CVPN3000-Use-Client-Address

Integer

Outbound

No

20

CVPN3000-PPTP-Encryption

Integer

Outbound

No

21

CVPN3000-L2TP-Encryption

Integer

Outbound

No

27

CVPN3000-IPSec-Split-Tunnel-List

String (maximum length 247 characters)

Outbound

No

28

CVPN3000-IPSec-Default-Domain

String (maximum length 247 characters)

Outbound

No

29

CVPN3000-IPSec-Split-DNS-Names

String (maximum length 247 characters)

Outbound

No

30

CVPN3000-IPSec-Tunnel-Type

Integer

Outbound

No

31

CVPN3000-IPSec-Mode-Config

Integer

Outbound

No

33

CVPN3000-IPSec-User-Group-Lock

Integer

Outbound

No

34

CVPN3000-IPSec-Over-UDP

Integer

Outbound

No

35

CVPN3000-IPSec-Over-UDP-Port

Integer (maximum length 10 characters)

Outbound

No

36

CVPN3000-IPSec-Banner2

String (maximum length 247 characters)

Outbound

No

37

CVPN3000-PPTP-MPPC-Compression

Integer

Outbound

No

38

CVPN3000-L2TP-MPPC-Compression

Integer

Outbound

No

39

CVPN3000-IPSec-IP-Compression

Integer

Outbound

No

40

CVPN3000-IPSec-IKE-Peer-ID-Check

Integer

Outbound

No

41

CVPN3000-IKE-Keep-Alives

Integer

Outbound

No

42

CVPN3000-IPSec-Auth-On-Rekey

Integer

Outbound

No

45

CVPN3000-Required-Client-Firewall-Vendor-Code

Integer (maximum length 10 characters)

Outbound

No

46

CVPN3000-Required-Client-Firewall-Product-Code

Integer (maximum length 10 characters)

Outbound

No

47

CVPN3000-Required-Client-Firewall-Description

String (maximum length 247 characters)

Outbound

No

48

CVPN3000-Require-HW-Client-Auth

Integer

Outbound

No

49

CVPN3000-Require-Individual-User-
Auth

Integer

Outbound

No

50

CVPN3000-Authenticated-User-Idle-
Timeout

Integer (maximum length 10 characters)

Outbound

No

51

CVPN3000-Cisco-IP-Phone-Bypass

Integer

Outbound

No

52

CVPN3000-User-Auth-Server-Name

String (maximum length 247 characters)

Outbound

No

53

CVPN3000-User-Auth-Server-Port

Integer (maximum length 10 characters)

Outbound

No

54

CVPN3000-User-Auth-Server-Secret

String (maximum length 247 characters)

Outbound

No

55

CVPN3000-IPSec-Split-Tunneling-
Policy

Integer

Outbound

No

56

CVPN3000-IPSec-Required-Client-
Firewall-Capability

Integer

Outbound

No

57

CVPN3000-IPSec-Client-Firewall-
Filter-Name

String (maximum length 247 characters)

Outbound

No

58

CVPN3000-IPSec-Client-Firewall-
Filter-Optional

Integer

Outbound

No

59

CVPN3000-IPSec-Backup-Servers

Integer

Outbound

No

60

CVPN3000-IPSec-Backup-Server-List

String (maximum length 247 characters)

Outbound

No

62

CVPN3000-MS-Client-Intercept-
DHCP-Configure-Message

Integer

Outbound

No

63

CVPN3000-MS-Client-Subnet-Mask

Ipaddr (maximum length 15 characters)

Outbound

No

64

CVPN3000-Allow-Network-
Extension-Mode

Integer

Outbound

No

65

Authorization-Type

Integer

Outbound

No

66

Authorization-Required

Integer

Outbound

No

67

Authorization-DN-Field

String

Outbound

No

68

IKE-Keepalive-Confidence-Interval

Integer

Outbound

No

69

WebVPN-Content-Filter-Parameters

Integer

Outbound

No

75

Cisco-LEAP-Bypass

Integer

Outbound

No

77

Client-Type-Version-Limiting

String

Outbound

No

79

WebVPN-Port-Forwarding-Name

String

Outbound

No

80

IE-Proxy-Server

String

Outbound

No

81

IE-Proxy-Server-Policy

Integer

Outbound

No

82

IE-Proxy-Exception-List

String

Outbound

No

83

IE-Proxy-Bypass-Local

Integer

Outbound

No

84

IKE-Keepalive-Retry-Interval

Integer

Outbound

No

85

Tunnel-Group-Lock

String

Outbound

No

86

Access-List-Inbound

String

Outbound

No

87

Access-List-Outbound

String

Outbound

No

88

Perfect-Forward-Secrecy-Enable

Integer

Outbound

No

89

NAC-Enable

Integer

Outbound

No

90

NAC-Status-Query-Timer

Integer

Outbound

No

91

NAC-Revalidation-Timer

Integer

Outbound

No

92

NAC-Default-ACL

Integer

Outbound

No

93

WebVPN-URL-Entry-Enable

Integer

Outbound

No

94

WebVPN-File-Access-Enable

Integer

Outbound

No

95

WebVPN-File-Server-Entry-Enable

Integer

Outbound

No

96

WebVPN-File-Server-Browsing-
Enable

Integer

Outbound

No

97

WebVPN-Port-Forwarding-Enable

Integer

Outbound

No

98

WebVPN-Outlook-Exchange-Proxy-
Enable

Integer

Outbound

No

98

WebVPN-Port-Forwarding-HTTP-
Proxy

Integer

Outbound

No

99

WebVPN-Outlook-Exchange-Proxy-
Enable

Integer

Outbound

No

100

WebVPN-Auto-Applet-Download-
Enable

Integer

Outbound

No

101

WebVPN-Citrix-MetaFrame-Enable

Integer

Outbound

No

102

WebVPN-Apply-ACL

Integer

Outbound

No

103

WebVPN-SSL-VPN-Client-Enable

Integer

Outbound

No

104

WebVPN-SSL-VPN-Client-Required

Integer

Outbound

No

105

WebVPN-SSL-VPN-Client-Keep-
Installation

Integer

Outbound

No

135

CVPN3000-Strip-Realm

Integer

Outbound

No


Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. Table C-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs.

Table C-4 Cisco VPN 5000 Concentrator RADIUS VSAs 

Number
Attribute
Type of Value
Inbound/Outbound
Multiple

001

CVPN5000-Tunnel-Throughput

Integer

Inbound

No

002

CVPN5000-Client-Assigned-IP

String

Inbound

No

003

CVPN5000-Client-Real-IP

String

Inbound

No

004

CVPN5000-VPN-GroupInfo

String (maximum length 247 characters)

Outbound

No

005

CVPN5000-VPN-Password

String (maximum length 247 characters)

Outbound

No

006

CVPN5000-Echo

Integer

Inbound

No

007

CVPN5000-Client-Assigned-IPX

Integer

Inbound

No


Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

ACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263.

Table C-5 lists the supported Cisco BBSM RADIUS VSA.

Table C-5 Cisco BBSM RADIUS VSA 

Number
Attribute
Type of Value
Inbound/Outbound
Multiple

001

CBBSM-Bandwidth

Integer

Both

No


Cisco Airespace Dictionary of RADIUS VSA

Table C-6 lists the supported RADIUS (Cisco Airespace) attributes. In addition to these attributes, Cisco Airespace devices support some IETF attributes for 802.1x identity networking:

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Private-Group-Id (81)

ACS cannot offer partial support of IETF; hence, adding an Cisco Airespace device (into the Network Configuration) will automatically enable all IETF attributes.

Table C-6 Cisco Airespace RADIUS Attributes 

Number
Name
Description
Type of Value
Inbound/Outbound
Multiple

1

Aire-WLAN-Id

Name of the user being authenticated.

Integer

Outbound

No

2

Aire-QoS-Level

Enumerations:

0: Bronze

1: Silver

2: Gold

3: Platinum

4: Uranium

Integer

Outbound

No

3

Aire-DSCP

Integer

Outbound

No

4

Aire-802.1P-Tag

Integer

Outbound

No

5

Aire-Interface-Name

String

Outbound

No

6

Aire-ACL-Name

String

Outbound

No


IETF Dictionary of RADIUS IETF (AV Pairs)

Table C-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.

Table C-7 RADIUS (IETF) Attributes 

Number
Name
Description
Type of Value
Inbound/Outbound
Multiple

1

User-Name

Name of the user being authenticated.

String

Inbound

No

2

User-Password

User password or input following an access challenge. Passwords longer than 16 characters are encrypted by using IETF Draft #2 or later specifications.

String

Outbound

No

3

CHAP-
Password

PPP (Point-to-Point Protocol) Challenge Handshake Authentication Protocol (CHAP) response to an Access-Challenge.

String

Outbound

No

4

NAS-IP Address

IP address of the AAA client that is requesting authentication.

Ipaddr

Inbound

No

5

NAS-Port

Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) comprises one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as:

Asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.

Ordinary synchronous network interfaces, the value is 10xxx.

Channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc.

Channels on a basic rate ISDN interface, the value is 3bb0c.

Other types of interfaces, the value is 6nnss.

Integer

Inbound

No

6

Service-Type

Type of service requested or type of service to be provided:

In a request:

Framed—For a known Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) connection.

Administrative User—For enable command.

In a response:

Login—Make a connection.

Framed—Start SLIP or PPP.

Administrative User—Start an EXEC or enable ok.

Exec User—Start an EXEC session.

Integer

Both

No

7

Framed-
Protocol

Framing to be used for framed access.

Integer

Both

No

8

Framed-IP-
Address

Address to be configured for the user.

9

Framed-IP-
Netmask

IP netmask to be configured for the user when the user is a router to a network. This AV causes a static route to be added for Framed-IP-Address with the mask specified.

Ipaddr (maximum length 15 characters)

Outbound

No

10

Framed-
Routing

Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute.

Integer

Outbound

No

11

Filter-Id

Name of the filter list for the user, formatted: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.

String

Outbound

Yes

12

Framed-MTU

Indicates the maximum transmission unit (MTU) that you can configure for the user when the MTU is not negotiated by PPP or some other means.

Integer (maximum length 10 characters)

Outbound

No

13

Framed-
Compression

Compression protocol used for the link. This attribute results in /compress being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.

Integer

Outbound

Yes

14

Login-IP-Host

Host to which the user will connect when the Login-Service attribute is included.

Ipaddr (maximum length 15 characters)

Both

Yes

15

Login-Service

Service that you should use to connect the user to the login host.

Service is indicated by a numeric value:

0: Telnet

1: Rlogin

2: TCP-Clear

3: PortMaster

4: LAT

Integer

Both

No

16

Login-TCP-
Port

Transmission Control Protocol (TCP) port with which to connect the user when the Login-Service attribute is also present.

Integer (maximum length 10 characters)

Outbound

No

18

Reply-Message

Text that the user will see.

String

Outbound

Yes

19

Callback-
Number

String

Outbound

No

20

Callback-Id

String

Outbound

No

22

Framed-Route

Routing information to configure for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or zero (0), the peer IP address is used. Metrics are ignored.

String

Outbound

Yes

23

Framed-IPX-
Network

Integer

Outbound

No

24

State

Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges.

String (maximum length 253 characters)

Outbound

No

25

Class

Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server.

String

Both

Yes

26

Vendor-
Specific

Carries subattributes known as vendor-specific attributes (VSAs), a feature of RADIUS that allows vendors to support their own extended attributes. Subattributes are identified by IANA-assigned vendor numbers in combination with the vendor-assigned subattribute number. For example, the vendor number for Cisco IOS/PIX 6.0 RADIUS is 9. The cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9.

String

Outbound

Yes

27

Session-
Timeout

Maximum number of seconds of service to provide to the user before the session terminates. This AV becomes the per-user absolute timeout. This attribute is not valid for PPP sessions.

Integer (maximum length 10 characters)

Outbound

No

28

Idle-Timeout

Maximum number of consecutive seconds of idle connection time that the user is allowed before the session terminates. This AV becomes the per-user session-timeout. This attribute is not valid for PPP sessions.

Integer (maximum length 10 characters)

Outbound

No

29

Termination-
Action

Indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets. If the Value is set to RADIUS-Request (1), upon termination of the specified service, the NAS may send a new Access-Request to the RADIUS server, including the State attribute if any.

Integer

Both

No

30

Called-
Station-Id

Allows the AAA client to send the telephone number or other information identifying the AAA client as part of the access-request packet by using automatic number identification or similar technology. Different devices provide different identifiers.

String

Inbound

No

31

Calling-
Station-Id

Allows the AAA client to send the telephone number or other information identifying the end-user client as part of the access-request packet by using Dialed Number Identification Server (DNIS) or similar technology. For example, Cisco Aironet Access Points usually send the MAC address of the end-user client.

String

Inbound

No

32

NAS-Identifier

String

Inbound

No

33

Proxy-State

Included in proxied RADIUS requests per RADIUS standards. The operation of ACS does not depend on the contents of this attribute.

String (maximum length 253 characters)

Inbound

No

34

Login-LAT-
Service

System with which the local area transport (LAT) protocol connects the user. This attribute is only available in the EXEC mode.

String (maximum length 253 characters)

Inbound

No

35

Login-LAT-
Node

String

Inbound

No

36

Login-LAT-
Group

String

Inbound

No

37

Framed-
AppleTalk-
Link

Integer

Outbound

No

38

Framed-
AppleTalk-
Network

Integer

Outbound

Yes

39

Framed-
AppleTalk-
Zone

String

Out

No

40

Acct-Status-
Type

Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop).

Integer

Inbound

No

41

Acct-Delay-
Time

Number of seconds the client has been trying to send a particular record.

Integer

Inbound

No

42

Acct-Input-
Octets

Number of octets received from the port while this service is being provided.

Integer

Inbound

No

43

Acct-Output-
Octets

Number of octets sent to the port while this service is being delivered.

Integer

Inbound

No

44

Acct-Session-
Id

Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this interval is unsuitable.

String

Inbound

No

44

Acct-Authentic

Way in which the user was authenticated—by RADIUS, the AAA client itself, or another remote authentication protocol. This attribute is set to radius for users who are authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.

Integer

Inbound

No

46

Acct-Session-
Time

Number of seconds the user has been receiving service.

Integer

Inbound

No

47

Acct-Input-
Packets

Number of packets received from the port while this service is being provided to a framed user.

Integer

Inbound

No

48

Acct-Output-
Packets

Number of packets sent to the port while this service is being delivered to a framed user.

Integer

Inbound

No

49

Acct-
Terminate-
Cause

Reports details on why the connection was terminated. Termination causes are indicated by a numeric value:

1: User request

2: Lost carrier

3: Lost service

4: Idle timeout

5: Session-timeout

6: Admin reset

7: Admin reboot

8: Port error

9: AAA client error

10: AAA client request

11: AAA client reboot

12: Port unneeded

13: Port pre-empted

14: Port suspended

15: Service unavailable

16: Callback

17: User error

18: Host request

Integer

Inbound

No

50

Acct-Multi-
Session-Id

String

Inbound

No

51

Acct-Link-
Count

Integer

Inbound

No

52

Acct-Input-
Gigawords

Integer

Inbound

No

53

Acct-Output-
Gigawords

Integer

Inbound

No

55

Event-
Timestamp

Date

Inbound

No

60

CHAP-
Challenge

String

Inbound

No

61

NAS-Port-
Type

Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value:

0: Asynchronous

1: Synchronous

2: ISDN-Synchronous

3: ISDN-Asynchronous (V.120)

4: ISDN- Asynchronous (V.110)

5: Virtual

Integer

Inbound

No

62

Port-Limit

Sets the maximum number of ports to be provided to the user by the network-access server.

Integer (maximum length 10 characters)

Both

No

63

Login-LAT-
Port

String

Both

No

64

Tunnel-Type

Tagged integer

Both

Yes

65

Tunnel-
Medium-Type

Tagged integer

Both

Yes

66

Tunnel-Client-
Endpoint

Tagged string

Both

Yes

67

Tunnel-Server-
Endpoint

Tagged string

Both

Yes

68

Acct-Tunnel-
Connection

String

Inbound

No

69

Tunnel-
Password

Tagged string

Both

Yes

70

ARAP-
Password

String

Inbound

No

71

ARAP-
Features

String

Outbound

No

72

ARAP-Zone-
Access

Integer

Outbound

No

73

ARAP-
Security

Integer

Inbound

No

74

ARAP-
Security-Data

String

Inbound

No

75

Password-
Retry

Integer

Internal use only

No

76

Prompt

Integer

Internal use only

No

77

Connect-Info

String

Inbound

No

78

Configuration-
Token

String

Internal use only

No

79

EAP-Message

String

Internal use only

No

80

Message-
Authenticator

String

Outbound

No

81

Tunnel-
Private-Group-
ID

Tagged string

Both

Yes

82

Tunnel-
Assignment-ID

Tagged string

Both

Yes

83

Tunnel-
Preference

Tagged integer

Both

No

85

Acct-Interim-
Interval

Integer

Outbound

No

87

NAS-Port-Id

String

Inbound

No

88

Framed-Pool

String

Internal use only

No

90

Tunnel-Client-
Auth-ID

Tagged string

Both

Yes

91

Tunnel-Server-
Auth-ID

Tagged string

Both

Yes

135

Primary-DNS-
Server

Ipaddr

Both

No

136

Secondary-
DNS-Server

Ipaddr

Both

No

187

Multilink-ID

Integer

Inbound

No

188

Num-In-
Multilink

Integer

Inbound

No

190

Pre-Input-
Octets

Integer

Inbound

No

191

Pre-Output-
Octets

Integer

Inbound

No

192

Pre-Input-
Packets

Integer

Inbound

No

193

Pre-Output-
Packets

Integer

Inbound

No

194

Maximum-
Time

Integer

Both

No

195

Disconnect-
Cause

Integer

Inbound

No

197

Data-Rate

Integer

Inbound

No

198

PreSession-
Time

Integer

Inbound

No

208

PW-Lifetime

Integer

Outbound

No

209

IP-Direct

Ipaddr

Outbound

No

210

PPP-VJ-Slot-
Comp

Integer

Outbound

No

218

Assign-
IP-pool

Integer

Outbound

No

228

Route-IP

Integer

Outbound

No

233

Link-
Compression

Integer

Outbound

No

234

Target-Utils

Integer

Outbound

No

235

Maximum-
Channels

Integer

Outbound

No

242

Data-Filter

Ascend filter

Outbound

Yes

243

Call-Filter

Ascend filter

Outbound

Yes

244

Idle-Limit

Integer

Outbound

No


Microsoft MPPE Dictionary of RADIUS VSAs

ACS supports the Microsoft RADIUS VSAs used for MPPE. The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt PPP links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that ACS supports. The following ACS RADIUS protocols support the Microsoft RADIUS VSAs:

Cisco IOS/PIX 6.0

Cisco VPN 3000/ASA/PIX 7.x+

Ascend

Cisco Airespace

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the ACS web interface or how those attributes might be configured.

Table C-8 lists the supported MPPE RADIUS VSAs.

Table C-8 Microsoft MPPE RADIUS VSAs 

Number
Attribute
Type of Value
Description
Inbound/
Outbound
Multiple

1

MS-CHAP-
Response

String

Inbound

No

2

MS-CHAP-
Error

String

Outbound

No

3

MS-CHAP-
CPW-1

String

Inbound

No

4

MS-CHAP-
CPW-2

String

Inbound

No

5

MS-CHAP-
LM-Enc-PW

String

Inbound

No

6

MS-CHAP-
NT-Enc-PW

String

Inbound

No

7

MS-MPPE-
Encryption-
Policy

Integer

The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), you can use any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute. If the Policy field is equal to 2 (Encryption-Required), you can use any of the encryption types specified in the MS-MPPE-Encryption-Types attribute; but at least one must be used.

Outbound

No

8

MS-MPPE-
Encryption-
Types

Integer

The MS-MPPE-Encryption-Types attribute signifies the types of encryption available for use with MPPE. It is a four-octet integer that is interpreted as a string of bits.

Outbound

No

10

MS-CHAP-
Domain

String

Inbound

No

11

MS-CHAP-
Challenge

String

Inbound

No

12

MS-CHAP-
MPPE-Keys

String

The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets.

Note ACS auto generates the MS-CHAP-MPPE-Keys attribute value; there is no value to set in the web interface.

Outbound

No

16

MS-MPPE-
Send-Key

String (maximum length 240 characters)

The MS-MPPE-Send-Key attribute contains a session key for use by MPPE. This key is for encrypting packets sent from the AAA client to the remote host. This attribute is only included in Access-Accept packets.

Outbound

No

17

MS-MPPE-
Recv-Key

String (maximum length 240 characters)

The MS-MPPE-Recv-Key attribute contains a session key for use by MPPE. This key is for encrypting packets that the AAA client from the remote host receives. This attribute is only included in Access-Accept packets.

Outbound

No

18

MS-RAS-
Version

String

Inbound

No

25

MS-CHAP-
NT-Enc-PW

String

Inbound

No

26

MS-CHAP2-
Response

String

Outbound

No

27

MS-CHAP2-
CPW

String

Inbound

No


Ascend Dictionary of RADIUS AV Pairs

ACS supports the Ascend RADIUS AV pairs. Table C-9 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions comprise AV pairs. The value of each attribute is specified as:

String—0-253 octets.

Abinary—0-254 octets.

Ipaddr—4 octets in network byte order.

Integer—32-bit value in big endian order (high byte first).

Call filter—Defines a call filter for the profile.


Note RADIUS filters are retrieved only when a call is placed by using a RADIUS outgoing profile or answered by using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you change a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.


Date—32-bit value in big-endian order. For example, seconds since 00:00:00 universal time (UT), January 1, 1970.

Enum—Enumerated values are stored in the user file with dictionary value translations for easy administration.

Table C-9 Ascend RADIUS Attributes 

Number
Attribute
Type of Value
Inbound/
Outbound
Multiple
Dictionary of Ascend Attributes

1

User-Name

String

Inbound

No

2

User-Password

String

Outbound

No

3

CHAP-Password

String

Outbound

No

4

NAS-IP-Address

Ipaddr

Inbound

No

5

NAS-Port

Integer

Inbound

No

6

Service-Type

Integer

Both

No

7

Framed-Protocol

Integer

Both

No

8

Framed-IP-Address

Ipaddr

Both

No

9

Framed-IP-Netmask

Ipaddr

Outbound

No

10

Framed-Routing

Integer

Outbound

No

11

Framed-Filter

String

Outbound

Yes

12

Framed-MTU

Integer

Outbound

No

13

Framed-Compression

Integer

Outbound

Yes

14

Login-IP-Host

Ipaddr

Both

Yes

15

Login-Service

Integer

Both

No

16

Login-TCP-Port

Integer

Outbound

No

17

Change-Password

String

18

Reply-Message

String

Outbound

Yes

19

Callback-ID

String

Outbound

No

20

Callback-Name

String

Outbound

No

22

Framed-Route

String

Outbound

Yes

23

Framed-IPX-Network

Integer

Outbound

No

24

State

String

Outbound

No

25

Class

String

Outbound

Yes

26

Vendor-Specific

String

Outbound

Yes

30

Call-Station-ID

String

Inbound

No

31

Calling-Station-ID

String

Inbound

No

40

Acct-Status-Type

Integer

Inbound

No

41

Acct-Delay-Time

Integer

Inbound

No

42

Acct-Input-Octets

Integer

Inbound

No

43

Acct-Output-Octets

Integer

Inbound

No

44

Acct-Session-Id

Integer

Inbound

No

45

Acct-Authentic

Integer

Inbound

No

46

Acct-Session-Time

Integer

Inbound

No

47

Acct-Input-Packets

Integer

Inbound

No

48

Acct-Output-Packets

Integer

Inbound

No

64

Tunnel-Type

String

Both

Yes

65

Tunnel-Medium-Type

String

Both

Yes

66

Tunnel-Client-Endpoint

String (maximum length 250 characters)

Both

Yes

67

Tunnel-Server-Endpoint

String (maximum length 250 characters)

Both

Yes

68

Acct-Tunnel-Connection

Integer (maximum length 253 characters)

Inbound

No

104

Ascend-Private-Route

String (maximum length 253 characters)

Both

No

105

Ascend-Numbering-Plan-ID

Integer (maximum length 10 characters)

Both

No

106

Ascend-FR-Link-Status-Dlci

Integer (maximum length 10 characters)

Both

No

107

Ascend-Calling-Subaddress

String (maximum length 253 characters)

Both

No

108

Ascend-Callback-Delay

String (maximum length 10 characters)

Both

No

109

Ascend-Endpoint-Disc

String (maximum length 253 characters)

Both

No

110

Ascend-Remote-FW

String (maximum length 253 characters)

Both

No

111

Ascend-Multicast-GLeave-Delay

Integer (maximum length 10 characters)

Both

No

112

Ascend-CBCP-Enable

String

Both

No

113

Ascend-CBCP-Mode

String

Both

No

114

Ascend-CBCP-Delay

String (maximum length 10 characters)

Both

No

115

Ascend-CBCP-Trunk-Group

String (maximum length 10 characters)

Both

No

116

Ascend-AppleTalk-Route

String (maximum length 253 characters)

Both

No

117

Ascend-AppleTalk-Peer-Mode

String (maximum length 10 characters)

Both

No

118

Ascend-Route-AppleTalk

String (maximum length 10 characters)

Both

No

119

Ascend-FCP-Parameter

String (maximum length 253 characters)

Both

No

120

Ascend-Modem-PortNo

Integer (maximum length 10 characters)

Inbound

No

121

Ascend-Modem-SlotNo

Integer (maximum length 10 characters)

Inbound

No

122

Ascend-Modem-ShelfNo

Integer (maximum length 10 characters)

Inbound

No

123

Ascend-Call-Attempt-Limit

Integer (maximum length 10 characters)

Both

No

124

Ascend-Call-Block_Duration

Integer (maximum length 10 characters)

Both

No

125

Ascend-Maximum-Call-Duration

Integer (maximum length 10 characters)

Both

No

126

Ascend-Router-Preference

String (maximum length 10 characters)

Both

No

127

Ascend-Tunneling-Protocol

String (maximum length 10 characters)

Both

No

128

Ascend-Shared-Profile-Enable

Integer

Both

No

129

Ascend-Primary-Home-Agent

String (maximum length 253 characters)

Both

No

130

Ascend-Secondary-Home-Agent

String (maximum length 253 characters)

Both

No

131

Ascend-Dialout-Allowed

Integer

Both

No

133

Ascend-BACP-Enable

Integer

Both

No

134

Ascend-DHCP-Maximum-Leases

Integer (maximum length 10 characters)

Both

No

135

Ascend-Client-Primary-DNS

Address (maximum length 15 characters)

Both

No

136

Ascend-Client-Secondary-DNS

Address (maximum length 15 characters)

Both

No

137

Ascend-Client-Assign-DNS

Enum

Both

No

138

Ascend-User-Acct-Type

Enum

Both

No

139

Ascend-User-Acct-Host

Address (maximum length 15 characters)

Both

No

140

Ascend-User-Acct-Port

Integer (maximum length 10 characters)

Both

No

141

Ascend-User-Acct-Key

String (maximum length 253 characters)

Both

No

142

Ascend-User-Acct-Base

Enum (maximum length 10 characters)

Both

No

143

Ascend-User-Acct-Time

Integer (maximum length 10 characters)

Both

No

Support IP Address Allocation from Global Pools

144

Ascend-Assign-IP-Client

Ipaddr (maximum length 15 characters)

Outbound

No

145

Ascend-Assign-IP-Server

Ipaddr (maximum length 15 characters)

Outbound

No

146

Ascend-Assign-IP-Global-Pool

String (maximum length 253 characters)

Outbound

No

DHCP Server Functions

147

Ascend-DHCP-Reply

Integer

Outbound

No

148

Ascend-DHCP-Pool-Number

Integer (maximum length 10 characters)

Outbound

No

Connection Profile/Telco Option

149

Ascend-Expect-Callback

Integer

Outbound

No

Event Type for an Ascend-Event Packet

150

Ascend-Event-Type

Integer (maximum length 10 characters)

Inbound

No

RADIUS Server Session Key

151

Ascend-Session-Svr-Key

String (maximum length 253 characters)

Outbound

No

Multicast Rate Limit Per Client

152

Ascend-Multicast-Rate-Limit

Integer (maximum length 10 characters)

Outbound

No

Connection Profile Fields to Support Interface-Based Routing

153

Ascend-IF-Netmask

Ipaddr (maximum length 15 characters)

Outbound

No

154

Ascend-Remote-Addr

Ipaddr (maximum length 15 characters)

Outbound

No

Multicast Support

155

Ascend-Multicast-Client

Integer (maximum length 10 characters)

Outbound

No

Frame Datalink Profiles

156

Ascend-FR-Circuit-Name

String (maximum length 253 characters)

Outbound

No

157

Ascend-FR-LinkUp

Integer (maximum length 10 characters)

Outbound

No

158

Ascend-FR-Nailed-Group

Integer (maximum length 10 characters)

Outbound

No

159

Ascend-FR-Type

Integer (maximum length 10 characters)

Outbound

No

160

Ascend-FR-Link-Mgt

Integer (maximum length 10 characters)

Outbound

No

161

Ascend-FR-N391

Integer (maximum length 10 characters)

Outbound

No

162

Ascend-FR-DCE-N392

Integer (maximum length 10 characters)

Outbound

No

163

Ascend-FR-DTE-N392

Integer (maximum length 10 characters)

Outbound

No

164

Ascend-FR-DCE-N393

Integer (maximum length 10 characters)

Outbound

No

165

Ascend-FR-DTE-N393

Integer (maximum length 10 characters)

Outbound

No

166

Ascend-FR-T391

Integer (maximum length 10 characters)

Outbound

No

167

Ascend-FR-T392

Integer (maximum length 10 characters)

Outbound

No

168

Ascend-Bridge-Address

String (maximum length 253 characters)

Outbound

No

169

Ascend-TS-Idle-Limit

Integer (maximum length 10 characters)

Outbound

No

170

Ascend-TS-Idle-Mode

Integer (maximum length 10 characters)

Outbound

No

171

Ascend-DBA-Monitor

Integer (maximum length 10 characters)

Outbound

No

172

Ascend-Base-Channel-Count

Integer (maximum length 10 characters)

Outbound

No

173

Ascend-Minimum-Channels

Integer (maximum length 10 characters)

Outbound

No

IPX Static Routes

174

Ascend-IPX-Route

String (maximum length 253 characters)

Inbound

No

175

Ascend-FT1-Caller

Integer (maximum length 10 characters)

Inbound

No

176

Ascend-Backup

String (maximum length 253 characters)

Inbound

No

177

Ascend-Call-Type

Integer

Inbound

No

178

Ascend-Group

String (maximum length 253 characters)

Inbound

No

179

Ascend-FR-DLCI

Integer (maximum length 10 characters)

Inbound

No

180

Ascend-FR-Profile-Name

String (maximum length 253 characters)

Inbound

No

181

Ascend-Ara-PW

String (maximum length 253 characters)

Inbound

No

182

Ascend-IPX-Node-Addr

String (maximum length 253 characters)

Both

No

183

Ascend-Home-Agent-IP-Addr

Ipaddr (maximum length 15 characters)

Outbound

No

184

Ascend-Home-Agent-Password

String (maximum length 253 characters)

Outbound

No

185

Ascend-Home-Network-Name

String (maximum length 253 characters)

Outbound

No

186

Ascend-Home-Agent-UDP-Port

Integer (maximum length 10 characters)

Outbound

No

187

Ascend-Multilink-ID

Integer

Inbound

No

188

Ascend-Num-In-Multilink

Integer

Inbound

No

189

Ascend-First-Dest

Ipaddr

Inbound

No

190

Ascend-Pre-Input-Octets

Integer

Inbound

No

191

Ascend-Pre-Output-Octets

Integer

Inbound

No

192

Ascend-Pre-Input-Packets

Integer

Inbound

No

193

Ascend-Pre-Output-Packets

Integer

Inbound

No

194

Ascend-Maximum-Time

Integer (maximum length 10 characters)

Both

No

195

Ascend-Disconnect-Cause

Integer

Inbound

No

196

Ascend-Connect-Progress

Integer

Inbound

No

197

Ascend-Data-Rate

Integer

Inbound

No

198

Ascend-PreSession-Time

Integer

Inbound

No

199

Ascend-Token-Idle

Integer (maximum length 10 characters)

Outbound

No

200

Ascend-Token-Immediate

Integer

Outbound

No

201

Ascend-Require-Auth

Integer (maximum length 10 characters)

Outbound

No

202

Ascend-Number-Sessions

String (maximum length 253 characters)

Outbound

No

203

Ascend-Authen-Alias

String (maximum length 253 characters)

Outbound

No

204

Ascend-Token-Expiry

Integer (maximum length 10 characters)

Outbound

No

205

Ascend-Menu-Selector

String (maximum length 253 characters)

Outbound

No

206

Ascend-Menu-Item

String

Outbound

Yes

RADIUS Password Expiration Options

207

Ascend-PW-Warntime

Integer (maximum length 10 characters)

Outbound

No

208

Ascend-PW-Lifetime

Integer (maximum length 10 characters)

Outbound

No

209

Ascend-IP-Direct

Ipaddr (maximum length 15 characters)

Outbound

No

210

Ascend-PPP-VJ-Slot-Comp

Integer (maximum length 10 characters)

Outbound

No

211

Ascend-PPP-VJ-1172

Integer (maximum length 10 characters)

Outbound

No

212

Ascend-PPP-Async-Map

Integer (maximum length 10 characters)

Outbound

No

213

Ascend-Third-Prompt

String (maximum length 253 characters)

Outbound

No

214

Ascend-Send-Secret

String (maximum length 253 characters)

Outbound

No

215

Ascend-Receive-Secret

String (maximum length 253 characters)

Outbound

No

216

Ascend-IPX-Peer-Mode

Integer

Outbound

No

217

Ascend-IP-Pool-Definition

String (maximum length 253 characters)

Outbound

No

218

Ascend-Assign-IP-Pool

Integer

Outbound

No

219

Ascend-FR-Direct

Integer

Outbound

No

220

Ascend-FR-Direct-Profile

String (maximum length 253 characters)

Outbound

No

221

Ascend-FR-Direct-DLCI

Integer (maximum length 10 characters)

Outbound

No

222

Ascend-Handle-IPX

Integer

Outbound

No

223

Ascend-Netware-Timeout

Integer (maximum length 10 characters)

Outbound

No

224

Ascend-IPX-Alias

String (maximum length 253 characters)

Outbound

No

225

Ascend-Metric

Integer (maximum length 10 characters)

Outbound

No

226

Ascend-PRI-Number-Type

Integer

Outbound

No

227

Ascend-Dial-Number

String (maximum length 253 characters)

Outbound

No

Connection Profile/PPP Options

228

Ascend-Route-IP

Integer

Outbound

No

229

Ascend-Route-IPX

Integer

Outbound

No

230

Ascend-Bridge

Integer

Outbound

No

231

Ascend-Send-Auth

Integer

Outbound

No

232

Ascend-Send-Passwd

String (maximum length 253 characters)

Outbound

No

233

Ascend-Link-Compression

Integer

Outbound

No

234

Ascend-Target-Util

Integer (maximum length 10 characters)

Outbound

No

235

Ascend-Max-Channels

Integer (maximum length 10 characters)

Outbound

No

236

Ascend-Inc-Channel-Count

Integer (maximum length 10 characters)

Outbound

No

237

Ascend-Dec-Channel-Count

Integer (maximum length 10 characters)

Outbound

No

238

Ascend-Seconds-Of-History

Integer (maximum length 10 characters)

Outbound

No

239

Ascend-History-Weigh-Type

Integer

Outbound

No

240

Ascend-Add-Seconds

Integer (maximum length 10 characters)

Outbound

No

241

Ascend-Remove-Seconds

Integer (maximum length 10 characters)

Outbound

No

Connection Profile/Session Options

242

Ascend-Data-Filter

Call filter

Outbound

Yes

243

Ascend-Call-Filter

Call filter

Outbound

Yes

244

Ascend-Idle-Limit

Integer (maximum length 10 characters)

Outbound

No

245

Ascend-Preempt-Limit

Integer (maximum length 10 characters)

Outbound

No

Connection Profile/Telco Options

246

Ascend-Callback

Integer

Outbound

No

247

Ascend-Data-Svc

Integer

Outbound

No

248

Ascend-Force-56

Integer

Outbound

No

249

Ascend-Billing-Number

String (maximum length 253 characters)

Outbound

No

250

Ascend-Call-By-Call

Integer (maximum length 10 characters)

Outbound

No

251

Ascend-Transit-Number

String (maximum length 253 characters)

Outbound

No

Terminal Server Attributes

252

Ascend-Host-Info

String (maximum length 253 characters)

Outbound

No

PPP Local Address Attribute

253

Ascend-PPP-Address

Ipaddr (maximum length 15 characters)

Outbound

No

MPP Percent Idle Attribute

254

Ascend-MPP-Idle-Percent

Integer (maximum length 10 characters)

Outbound

No

255

Ascend-Xmit-Rate

Integer (maximum length 10 characters)

Outbound

No


Nortel Dictionary of RADIUS VSAs

Table C-10 lists the Nortel RADIUS VSAs supported by ACS. The Nortel vendor ID number is 1584.

Table C-10 Nortel RADIUS VSAs 

Number
Attribute
Type of Value
Inbound/
Outbound
Multiple

035

Bay-Local-IP-Address

Ipaddr (maximum length 15 characters)

Outbound

No

054

Bay-Primary-DNS-Server

Ipaddr (maximum length 15 characters)

Outbound

No

055

Bay-Secondary-DNS-Server

Ipaddr (maximum length 15 characters)

Outbound

No

056

Bay-Primary-NBNS-Server

Ipaddr (maximum length 15 characters)

Outbound

No

057

Bay-Secondary-NBNS-Server

Ipaddr (maximum length 15 characters)

Outbound

No

100

Bay-User-Level

Integer

Outbound

No

101

Bay-Audit-Level

Integer

Outbound

No


Juniper Dictionary of RADIUS VSAs

Table C-11 lists the Juniper RADIUS VSAs supported by ACS. The Juniper vendor ID number is 2636.

Table C-11 Juniper RADIUS VSAs 

Number
Attribute
Type of Value
Inbound/
Outbound
Multiple

001

Juniper-Local-User-Name

String (maximum length 247 characters)

Outbound

No

002

Juniper-Allow-Commands

String (maximum length 247 characters)

Outbound

No

003

Juniper-Deny-Commands

String (maximum length 247 characters)

Outbound

No