RADIUS Attributes
The Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS, supports many Remote Access Dial-In User Service (RADIUS) attributes. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes that ACS supports.
This appendix contains the following topics:
• Before Using RADIUS Attributes
• Cisco IOS Dictionary of RADIUS IETF
• Cisco IOS/PIX 6.0 Dictionary of RADIUS VSAs
• About the cisco-av-pair RADIUS Attribute
• Cisco VPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs
• Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
• Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
• Cisco Airespace Dictionary of RADIUS VSA
• IETF Dictionary of RADIUS IETF (AV Pairs)
• Microsoft MPPE Dictionary of RADIUS VSAs
• Ascend Dictionary of RADIUS AV Pairs
• Nortel Dictionary of RADIUS VSAs
• Juniper Dictionary of RADIUS VSAs
Before Using RADIUS Attributes
You can enable different attribute-value (AV) pairs for Internet Engineering Task Force (IETF) RADIUS and any supported vendor. For outbound attributes, you can configure the attributes that are sent and their content by using the ACS web interface. The RADIUS attributes that are sent to authentication, authorization, and accounting (AAA) clients in access-accept messages are user specific.
To configure a specific attribute to be sent for a user, you must ensure that:
1. In the Network Configuration section, you must configure the AAA client entry corresponding to the access device that grants network access to the user to use a variety of RADIUS that supports the attribute that you want sent to the AAA client. For more information about the RADIUS attribute sets that RADIUS varieties support, see Displaying TACACS+ Configuration Options, page 2-6.
2. In the Interface Configuration section, you must enable the attribute so that it appears on user or user group profile pages. You can enable attributes on the page corresponding to the RADIUS variety that supports the attribute. For example, IETF RADIUS Session-Timeout attribute (27) appears on the RADIUS (IETF) page.
Note: By default, per-user RADIUS attributes are not enabled (they do not appear in the Interface Configuration page). Before you can enable attributes on a per-user basis, you must enable the Per-user TACACS+/RADIUS Attributes option on the Advanced Options page in the Interface Configuration section. After you enable per-user attributes, a user column appears as disabled in the Interface Configuration page for that attribute.
3. In the profile that you use to control authorizations for the user (in the user or group edit pages or the Shared RADIUS Authorization Component page), you must enable the attribute. Enabling this attribute causes ACS to send the attribute to the AAA client in the access-accept message. In the options that are associated with the attribute, you can determine the value of the attribute that is sent to the AAA client.
Note: Settings in a user profile override settings in a group profile. For example, if you configure Session-Timeout in the user profile and also in the group to which the user is assigned, ACS sends the AAA client the Session-Timeout value that is specified in the user profile. If Network Access Profiles (NAPs) are being used, attributes from Shared RADIUS Authorization Components may be included in the access-accept response. For a discussion about the interaction among group, user, and Shared RADIUS Authorization Components (SRAC) attributes, see Merging Attributes, page 14-31.
Cisco IOS Dictionary of RADIUS IETF
ACS supports Cisco RADIUS IETF (IOS RADIUS AV pairs). Before selecting AV pairs for ACS, you must confirm that your AAA client is a compatible release of Cisco IOS or compatible AAA client software. For information about network and port requirements, see the Installation Guide for Cisco Secure ACS for Windows Release 4.1 or the Installation Guide for Cisco Secure ACS Solution Engine Release 4.1.
Note: If you specify a given AV pair on ACS, the corresponding AV pair must be implemented in the Cisco IOS software that is running on the network device. Always consider which AV pairs your Cisco IOS release supports. If ACS sends an AV pair that the Cisco IOS software does not support, the attribute is not implemented.
Note: Because IP pools and callback supersede them, the following RADIUS attributes do not appear on the Group Setup page:
| Number | Name |
|---|---|
| 8 | Framed-IP-Address |
| 19 | Callback-Number |
| 218 | Ascend-Assign-IP-Pool |
None of these attributes can be set via Relational Database Management System (RDBMS) Synchronization.
Table C-1 lists the supported Cisco IOS RADIUS AV pairs.
Table C-1 Cisco IOS Software RADIUS AV Pairs
| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|
| 1 | User-Name | String | Inbound | No |
| 2 | User-Password | String | Outbound | No |
| 3 | CHAP-Password | String | Outbound | No |
| 4 | NAS-IP Address | Ipaddr | Inbound | No |
| 5 | NAS-Port | Integer | Inbound | No |
| 6 | Service-Type | Integer | Both | No |
| 7 | Framed-Protocol | Integer | Both | No |
| 9 | Framed-IP-Netmask | Ipaddr (maximum length 15 characters) | Outbound | No |
| 10 | Framed-Routing | Integer | Outbound | No |
| 11 | Filter-Id | String | Outbound | Yes |
| 12 | Framed-MTU | Integer (maximum length 10 characters) | Outbound | No |
| 13 | Framed-Compression | Integer | Outbound | Yes |
| 14 | Login-IP-Host | Ipaddr (maximum length 15 characters) | Both | Yes |
| 15 | Login-Service | Integer | Both | No |
| 16 | Login-TCP-Port | Integer (maximum length 10 characters) | Outbound | No |
| 18 | Reply-Message | String | Outbound | Yes |
| 21 | Expiration | Date | — | — |
| 22 | Framed-Route | String | Outbound | Yes |
| 24 | State | String (maximum length 253 characters) | Outbound | No |
| 25 | Class | String | Outbound | Yes |
| 26 | Vendor specific | String | Outbound | Yes |
| 27 | Session-Timeout | Integer (maximum length 10 characters) | Outbound | No |
| 28 | Idle-Timeout | Integer (maximum length 10 characters) | Outbound | No |
| 30 | Called-Station-ID | String | Inbound | No |
| 31 | Calling-Station-ID | String | Inbound | No |
| 33 | Login-LAT-Service | String (maximum length 253 characters) | Inbound | No |
| 40 | Acct-Status-Type | Integer | Inbound | No |
| 41 | Acct-Delay-Time | Integer | Inbound | No |
| 42 | Acct-Input-Octets | Integer | Inbound | No |
| 43 | Acct-Output-Octets | Integer | Inbound | No |
| 44 | Acct-Session-ID | String | Inbound | No |
| 45 | Acct-Authentic | Integer | Inbound | No |
| 46 | Acct-Session-Time | Integer | Inbound | No |
| 47 | Acct-Input-Packets | Integer | Inbound | No |
| 48 | Acct-Output-Packets | Integer | Inbound | No |
| 49 | Acct-Terminate-Cause | Integer | Inbound | No |
| 61 | NAS-Port-Type | Integer | Inbound | No |
| 62 | NAS-Port-Limit | Integer (maximum length 10 characters) | Both | No |
Cisco IOS/PIX 6.0 Dictionary of RADIUS VSAs
ACS supports Cisco IOS/PIX 6.0 vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 9.
Table C-2 lists the supported Cisco IOS/PIX 6.0 RADIUS VSAs.
Note: For a discussion of the Cisco IOS/PIX 6.0 RADIUS cisco-av-pair attribute, see About the cisco-av-pair RADIUS Attribute.
Note: For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP (VoIP) documentation.
Note: For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.
Table C-2 Cisco IOS/PIX 6.0 RADIUS VSAs
| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|
| 1 | cisco-av-pair | String | Both | Yes |
| 2 | cisco-nas-port | String | Inbound | No |
| 23 | cisco-h323-remote-address | String | Inbound | No |
| 24 | cisco-h323-conf-id | String | Inbound | No |
| 25 | cisco-h323-setup-time | String | Inbound | No |
| 26 | cisco-h323-call-origin | String | Inbound | No |
| 27 | cisco-h323-call-type | String | Inbound | No |
| 28 | cisco-h323-connect-time | String | Inbound | No |
| 29 | cisco-h323-disconnect-time | String | Inbound | No |
| 30 | cisco-h323-disconnect-cause | String | Inbound | No |
| 31 | cisco-h323-voice-quality | String | Inbound | No |
| 33 | cisco-h323-gw-id | String | Inbound | No |
| 35 | cisco-h323-incoming-conn-id | String | Inbound | No |
| 101 | cisco-h323-credit-amount | String (maximum length 247 characters) | Outbound | No |
| 102 | cisco-h323-credit-time | String (maximum length 247 characters) | Outbound | No |
| 103 | cisco-h323-return-code | String (maximum length 247 characters) | Outbound | No |
| 104 | cisco-h323-prompt-id | String (maximum length 247 characters) | Outbound | No |
| 105 | cisco-h323-day-and-time | String (maximum length 247 characters) | Outbound | No |
| 106 | cisco-h323-redirect-number | String (maximum length 247 characters) | Outbound | No |
| 107 | cisco-h323-preferred-lang | String (maximum length 247 characters) | Outbound | No |
| 108 | cisco-h323-redirect-ip-addr | String (maximum length 247 characters) | Outbound | No |
| 109 | cisco-h323-billing-model | String (maximum length 247 characters) | Outbound | No |
| 110 | cisco-h323-currency | String (maximum length 247 characters) | Outbound | No |
| 250 | cisco-ssg-account-info | String (maximum length 247 characters) | Outbound | No |
| 251 | cisco-ssg-service-info | String (maximum length 247 characters) | Both | No |
| 253 | cisco-ssg-control-info | String (maximum length 247 characters) | Both | No |
About the cisco-av-pair RADIUS Attribute
The first attribute in the Cisco IOS/PIX 6.0 RADIUS implementation, cisco-av-pair, supports the inclusion of many AV pairs by using the following format:
where attribute and value are an AV pair supported by the releases of IOS implemented on your AAA clients, and sep is = for mandatory attributes and asterisk (*) for optional attributes. You can then use the full set of Terminal Access Controller Access Control System (TACACS+) authorization features for RADIUS.
Note: The attribute name in an AV pair is case sensitive. Typically, attribute names are all in lowercase letters.
The following is an example of two AV pairs included in a single Cisco IOS/PIX 6.0 RADIUS cisco-av-pair attribute:
ip:addr-pool=first
shell:priv-lvl=15
The first example activates the Cisco multiple named IP address pools feature during IP authorization (during PPP IPCP address assignment). The second example immediately grants a user of a device-hosted administrative session access to EXEC commands.
In IOS, support for Network Admission Control (NAC) includes the use of the following AV pairs:
•url-redirect—Enables the AAA client to intercept an HTTP request and redirect it to a new URL. This pair is especially useful if the result of posture validation indicates that the NAC-client computer requires an update or patch that you have made available on a remediation web server. For example, a user can be redirected to a remediation web server to download and apply a new virus DAT file or an operating system patch. For example:
url-redirect=http://10.1.1.1
•posture-token—Enables ACS to send a text version of a system posture token (SPT) derived by posture validation. The SPT is always sent in numeric format and using the posture-token AV pair renders the result of a posture validation request more easily read on the AAA client. For example:
Caution: The posture-token AV pair is the only way that ACS notifies the AAA client of the SPT that posture validation returns. Because you manually configure the posture-token AV pair, errors in configuring the posture-token can cause the incorrect system posture token to be sent to the AAA client or, if the AV pair name is mistyped, the AAA client will not receive the system posture token at all.
For a list of valid SPTs, see Posture Tokens, page 13-3.
•status-query-timeout—Overrides the status-query default value of the AAA client with the value that you specify, in seconds. For example:
For more information about AV pairs that IOS supports, refer to the documentation for the releases of IOS implemented on your AAA clients.
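The following added example (not part of the Cisco documentation or ACS itself) shows how a cisco-av-pair is carried inside a Vendor-Specific attribute and how a case error or typo in the AV pair name, the failure the note and caution above describe, can be caught by inspecting an access-accept. It assumes the standard RFC 2865 Vendor-Specific layout; the function names, the expected-name set and the sample attribute block are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # IETF attribute 26 carries VSAs
CISCO_VENDOR_ID = 9       # vendor ID the page gives for Cisco IOS/PIX 6.0
CISCO_AV_PAIR = 1         # cisco-av-pair is VSA number 1 for that vendor
MAX_VSA_STRING = 247      # 255 - 2 (attribute header) - 4 (vendor ID) - 2 (VSA header)

# Assumption for this example: the names an administrator intends to send,
# taken from the AV pairs mentioned on this page.
EXPECTED_NAMES = {"ip:addr-pool", "shell:priv-lvl", "url-redirect",
                  "posture-token", "status-query-timeout"}


def encode_cisco_av_pair(pair):
    """Wrap one 'attribute sep value' string in a Vendor-Specific attribute."""
    data = pair.encode("ascii")
    if len(data) > MAX_VSA_STRING:
        raise ValueError("AV pair longer than %d bytes" % MAX_VSA_STRING)
    vsa = bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def iter_tlvs(buf):
    """Yield (type, value) for each type/length/value record in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated header at offset %d" % pos)
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad length %d at offset %d" % (length, pos))
        yield kind, buf[pos + 2:pos + length]
        pos += length


def extract_cisco_av_pairs(attributes):
    """Return the cisco-av-pair strings found in a RADIUS attribute block."""
    pairs = []
    for kind, value in iter_tlvs(attributes):
        if kind != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute without a vendor ID")
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        for sub_type, data in iter_tlvs(value[4:]):
            if sub_type == CISCO_AV_PAIR:
                pairs.append(data.decode("ascii", errors="replace"))
    return pairs


def parse_av_pair(pair):
    """Split at the first separator: '=' is mandatory, '*' is optional."""
    hits = [i for i in (pair.find("="), pair.find("*")) if i != -1]
    if not hits:
        raise ValueError("no separator in %r" % pair)
    cut = min(hits)
    return pair[:cut], pair[cut + 1:], pair[cut] == "="


def audit(pairs, expected=EXPECTED_NAMES):
    """Flag AV pairs whose name is not exactly one of the expected names."""
    lowered = {name.lower(): name for name in expected}
    findings = []
    for pair in pairs:
        try:
            name, _value, _mandatory = parse_av_pair(pair)
        except ValueError:
            findings.append((pair, "no separator"))
            continue
        if name in expected:
            continue
        if name.lower() in lowered:  # names are case sensitive on the AAA client
            findings.append((pair, "case mismatch, expected " + lowered[name.lower()]))
        else:
            findings.append((pair, "unexpected attribute name"))
    return findings


# Constructed access-accept attribute block: Session-Timeout (27) = 3600,
# then four cisco-av-pair VSAs, two of them deliberately misconfigured.
SAMPLE = (bytes([27, 6]) + struct.pack("!I", 3600)
          + encode_cisco_av_pair("shell:priv-lvl=15")
          + encode_cisco_av_pair("ip:addr-pool*first")
          + encode_cisco_av_pair("URL-Redirect=http://10.1.1.1")
          + encode_cisco_av_pair("posture-tokn=Healthy"))

if __name__ == "__main__":
    for finding in audit(extract_cisco_av_pairs(SAMPLE)):
        print(finding)
```

The 247-byte ceiling computed in the block is the same limit that the VSA tables in this appendix give as "maximum length 247 characters".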
Cisco VPN 3000 Concentrator/ASA/PIX 7.x+ Dictionary of RADIUS VSAs
ACS supports Cisco VPN 3000/ASA/PIX 7.x+ RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076.
Note: Some of the RADIUS VSAs supported by Cisco virtual private network (VPN) 3000 Concentrators, Adaptive Security Appliance (ASA), and Project Information Exchange (PIX) 7.x+ appliances are interdependent. Before you implement them, we recommend that you refer to your respective device documentation.
For example, to control Microsoft Point-to-Point Encryption (MPPE) settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the ACS web interface or how those attributes might be configured.
Table C-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.
Table C-3 Cisco VPN 3000 Concentrator /ASA/PIX 7.x+ RADIUS VSAs
| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|
| 1 | CVPN3000-Access-Hours | String (maximum length 247 characters) | Outbound | No |
| 2 | CVPN3000-Simultaneous-Logins | Integer (maximum length 10 characters) | Outbound | No |
| 5 | CVPN3000-Primary-DNS | Ipaddr (maximum length 15 characters) | Outbound | No |
| 6 | CVPN3000-Secondary-DNS | Ipaddr (maximum length 15 characters) | Outbound | No |
| 7 | CVPN3000-Primary-WINS | Ipaddr (maximum length 15 characters) | Outbound | No |
| 8 | CVPN3000-Secondary-WINS | Ipaddr (maximum length 15 characters) | Outbound | No |
| 9 | CVPN3000-SEP-Card-Assignment | Integer | Outbound | No |
| 11 | CVPN3000-Tunneling-Protocols | Integer | Outbound | No |
| 12 | CVPN3000-IPSec-Sec-Association | String (maximum length 247 characters) | Outbound | No |
| 13 | CVPN3000-IPSec-Authentication | Integer | Outbound | No |
| 15 | CVPN3000-IPSec-Banner1 | String (maximum length 247 characters) | Outbound | No |
| 16 | CVPN3000-IPSec-Allow-Passwd-Store | Integer | Outbound | No |
| 17 | CVPN3000-Use-Client-Address | Integer | Outbound | No |
| 20 | CVPN3000-PPTP-Encryption | Integer | Outbound | No |
| 21 | CVPN3000-L2TP-Encryption | Integer | Outbound | No |
| 27 | CVPN3000-IPSec-Split-Tunnel-List | String (maximum length 247 characters) | Outbound | No |
| 28 | CVPN3000-IPSec-Default-Domain | String (maximum length 247 characters) | Outbound | No |
| 29 | CVPN3000-IPSec-Split-DNS-Names | String (maximum length 247 characters) | Outbound | No |
| 30 | CVPN3000-IPSec-Tunnel-Type | Integer | Outbound | No |
| 31 | CVPN3000-IPSec-Mode-Config | Integer | Outbound | No |
| 33 | CVPN3000-IPSec-User-Group-Lock | Integer | Outbound | No |
| 34 | CVPN3000-IPSec-Over-UDP | Integer | Outbound | No |
| 35 | CVPN3000-IPSec-Over-UDP-Port | Integer (maximum length 10 characters) | Outbound | No |
| 36 | CVPN3000-IPSec-Banner2 | String (maximum length 247 characters) | Outbound | No |
| 37 | CVPN3000-PPTP-MPPC-Compression | Integer | Outbound | No |
| 38 | CVPN3000-L2TP-MPPC-Compression | Integer | Outbound | No |
| 39 | CVPN3000-IPSec-IP-Compression | Integer | Outbound | No |
| 40 | CVPN3000-IPSec-IKE-Peer-ID-Check | Integer | Outbound | No |
| 41 | CVPN3000-IKE-Keep-Alives | Integer | Outbound | No |
| 42 | CVPN3000-IPSec-Auth-On-Rekey | Integer | Outbound | No |
| 45 | CVPN3000-Required-Client-Firewall-Vendor-Code | Integer (maximum length 10 characters) | Outbound | No |
| 46 | CVPN3000-Required-Client-Firewall-Product-Code | Integer (maximum length 10 characters) | Outbound | No |
| 47 | CVPN3000-Required-Client-Firewall-Description | String (maximum length 247 characters) | Outbound | No |
| 48 | CVPN3000-Require-HW-Client-Auth | Integer | Outbound | No |
| 49 | CVPN3000-Require-Individual-User-Auth | Integer | Outbound | No |
| 50 | CVPN3000-Authenticated-User-Idle-Timeout | Integer (maximum length 10 characters) | Outbound | No |
| 51 | CVPN3000-Cisco-IP-Phone-Bypass | Integer | Outbound | No |
| 52 | CVPN3000-User-Auth-Server-Name | String (maximum length 247 characters) | Outbound | No |
| 53 | CVPN3000-User-Auth-Server-Port | Integer (maximum length 10 characters) | Outbound | No |
| 54 | CVPN3000-User-Auth-Server-Secret | String (maximum length 247 characters) | Outbound | No |
| 55 | CVPN3000-IPSec-Split-Tunneling-Policy | Integer | Outbound | No |
| 56 | CVPN3000-IPSec-Required-Client-Firewall-Capability | Integer | Outbound | No |
| 57 | CVPN3000-IPSec-Client-Firewall-Filter-Name | String (maximum length 247 characters) | Outbound | No |
| 58 | CVPN3000-IPSec-Client-Firewall-Filter-Optional | Integer | Outbound | No |
| 59 | CVPN3000-IPSec-Backup-Servers | Integer | Outbound | No |
| 60 | CVPN3000-IPSec-Backup-Server-List | String (maximum length 247 characters) | Outbound | No |
| 62 | CVPN3000-MS-Client-Intercept-DHCP-Configure-Message | Integer | Outbound | No |
| 63 | CVPN3000-MS-Client-Subnet-Mask | Ipaddr (maximum length 15 characters) | Outbound | No |
| 64 | CVPN3000-Allow-Network-Extension-Mode | Integer | Outbound | No |
| 65 | Authorization-Type | Integer | Outbound | No |
| 66 | Authorization-Required | Integer | Outbound | No |
| 67 | Authorization-DN-Field | String | Outbound | No |
| 68 | IKE-Keepalive-Confidence-Interval | Integer | Outbound | No |
| 69 | WebVPN-Content-Filter-Parameters | Integer | Outbound | No |
| 75 | Cisco-LEAP-Bypass | Integer | Outbound | No |
| 77 | Client-Type-Version-Limiting | String | Outbound | No |
| 79 | WebVPN-Port-Forwarding-Name | String | Outbound | No |
| 80 | IE-Proxy-Server | String | Outbound | No |
| 81 | IE-Proxy-Server-Policy | Integer | Outbound | No |
| 82 | IE-Proxy-Exception-List | String | Outbound | No |
| 83 | IE-Proxy-Bypass-Local | Integer | Outbound | No |
| 84 | IKE-Keepalive-Retry-Interval | Integer | Outbound | No |
| 85 | Tunnel-Group-Lock | String | Outbound | No |
| 86 | Access-List-Inbound | String | Outbound | No |
| 87 | Access-List-Outbound | String | Outbound | No |
| 88 | Perfect-Forward-Secrecy-Enable | Integer | Outbound | No |
| 89 | NAC-Enable | Integer | Outbound | No |
| 90 | NAC-Status-Query-Timer | Integer | Outbound | No |
| 91 | NAC-Revalidation-Timer | Integer | Outbound | No |
| 92 | NAC-Default-ACL | Integer | Outbound | No |
| 93 | WebVPN-URL-Entry-Enable | Integer | Outbound | No |
| 94 | WebVPN-File-Access-Enable | Integer | Outbound | No |
| 95 | WebVPN-File-Server-Entry-Enable | Integer | Outbound | No |
| 96 | WebVPN-File-Server-Browsing-Enable | Integer | Outbound | No |
| 97 | WebVPN-Port-Forwarding-Enable | Integer | Outbound | No |
| 98 | WebVPN-Outlook-Exchange-Proxy-Enable | Integer | Outbound | No |
| 98 | WebVPN-Port-Forwarding-HTTP-Proxy | Integer | Outbound | No |
| 99 | WebVPN-Outlook-Exchange-Proxy-Enable | Integer | Outbound | No |
| 100 | WebVPN-Auto-Applet-Download-Enable | Integer | Outbound | No |
| 101 | WebVPN-Citrix-MetaFrame-Enable | Integer | Outbound | No |
| 102 | WebVPN-Apply-ACL | Integer | Outbound | No |
| 103 | WebVPN-SSL-VPN-Client-Enable | Integer | Outbound | No |
| 104 | WebVPN-SSL-VPN-Client-Required | Integer | Outbound | No |
| 105 | WebVPN-SSL-VPN-Client-Keep-Installation | Integer | Outbound | No |
| 135 | CVPN3000-Strip-Realm | Integer | Outbound | No |
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. Table C-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs.
Table C-4 Cisco VPN 5000 Concentrator RADIUS VSAs
| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|
| 001 | CVPN5000-Tunnel-Throughput | Integer | Inbound | No |
| 002 | CVPN5000-Client-Assigned-IP | String | Inbound | No |
| 003 | CVPN5000-Client-Real-IP | String | Inbound | No |
| 004 | CVPN5000-VPN-GroupInfo | String (maximum length 247 characters) | Outbound | No |
| 005 | CVPN5000-VPN-Password | String (maximum length 247 characters) | Outbound | No |
| 006 | CVPN5000-Echo | Integer | Inbound | No |
| 007 | CVPN5000-Client-Assigned-IPX | Integer | Inbound | No |
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
ACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263.
Table C-5 lists the supported Cisco BBSM RADIUS VSA.
Table C-5 Cisco BBSM RADIUS VSA
| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|
| 001 | CBBSM-Bandwidth | Integer | Both | No |
Cisco Airespace Dictionary of RADIUS VSA
Table C-6 lists the supported RADIUS (Cisco Airespace) attributes. In addition to these attributes, Cisco Airespace devices support some IETF attributes for 802.1x identity networking:
• Tunnel-Type (64)
• Tunnel-Medium-Type (65)
• Tunnel-Private-Group-Id (81)
ACS cannot offer partial support of IETF; hence, adding a Cisco Airespace device (into the Network Configuration) will automatically enable all IETF attributes.
Table C-6 Cisco Airespace RADIUS Attributes
| Number | Name | Description | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|---|
| 1 | Aire-WLAN-Id | Name of the user being authenticated. | Integer | Outbound | No |
| 2 | Aire-QoS-Level | Enumerations: 0: Bronze; 1: Silver; 2: Gold; 3: Platinum; 4: Uranium | Integer | Outbound | No |
| 3 | Aire-DSCP | | Integer | Outbound | No |
| 4 | Aire-802.1P-Tag | — | Integer | Outbound | No |
| 5 | Aire-Interface-Name | — | String | Outbound | No |
| 6 | Aire-ACL-Name | — | String | Outbound | No |
IETF Dictionary of RADIUS IETF (AV Pairs)
Table C-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.
Table C-7 RADIUS (IETF) Attributes
| Number | Name | Description | Type of Value | Inbound/Outbound | Multiple |
|---|---|---|---|---|---|
| 1 | User-Name | Name of the user being authenticated. | String | Inbound | No |
| 2 | User-Password | User password or input following an access challenge. Passwords longer than 16 characters are encrypted by using IETF Draft #2 or later specifications. | String | Outbound | No |
| 3 | CHAP-Password | PPP (Point-to-Point Protocol) Challenge Handshake Authentication Protocol (CHAP) response to an Access-Challenge. | String | Outbound | No |
| 4 | NAS-IP Address | IP address of the AAA client that is requesting authentication. | Ipaddr | Inbound | No |
| 5 | NAS-Port | Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) comprises one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as: • Asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number. • Ordinary synchronous network interfaces, the value is 10xxx. • Channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc. • Channels on a basic rate ISDN interface, the value is 3bb0c. • Other types of interfaces, the value is 6nnss. | Integer | Inbound | No |
| 6 | Service-Type | Type of service requested or type of service to be provided. In a request: Framed—For a known Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) connection; Administrative User—For enable command. In a response: Login—Make a connection; Framed—Start SLIP or PPP; Administrative User—Start an EXEC or enable ok; Exec User—Start an EXEC session. | Integer | Both | No |
| 7 | Framed-Protocol | Framing to be used for framed access. | Integer | Both | No |
| 8 | Framed-IP-Address | Address to be configured for the user. | — | — | — |
| 9 | Framed-IP-Netmask | IP netmask to be configured for the user when the user is a router to a network. This AV causes a static route to be added for Framed-IP-Address with the mask specified. | Ipaddr (maximum length 15 characters) | Outbound | No |
| 10 | Framed-Routing | Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute. | Integer | Outbound | No |
| 11 | Filter-Id | Name of the filter list for the user, formatted: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. | String | Outbound | Yes |
| 12 | Framed-MTU | Indicates the maximum transmission unit (MTU) that you can configure for the user when the MTU is not negotiated by PPP or some other means. | Integer (maximum length 10 characters) | Outbound | No |
| 13 | Framed-Compression | Compression protocol used for the link. This attribute results in /compress being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. | Integer | Outbound | Yes |
| 14 | Login-IP-Host | Host to which the user will connect when the Login-Service attribute is included. | Ipaddr (maximum length 15 characters) | Both | Yes |
| 15 | Login-Service | Service that you should use to connect the user to the login host. Service is indicated by a numeric value: 0: Telnet; 1: Rlogin; 2: TCP-Clear; 3: PortMaster; 4: LAT | Integer | Both | No |
| 16 | Login-TCP-Port | Transmission Control Protocol (TCP) port with which to connect the user when the Login-Service attribute is also present. | Integer (maximum length 10 characters) | Outbound | No |
| 18 | Reply-Message | Text that the user will see. | String | Outbound | Yes |
| 19 | Callback-Number | — | String | Outbound | No |
| 20 | Callback-Id | — | String | Outbound | No |
| 22 | Framed-Route | Routing information to configure for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or zero (0), the peer IP address is used. Metrics are ignored. | String | Outbound | Yes |
| 23 | Framed-IPX-Network | — | Integer | Outbound | No |
| 24 | State | Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges. | String (maximum length 253 characters) | Outbound | No |
| 25 | Class | Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server. | String | Both | Yes |
| 26 | Vendor-Specific | Carries subattributes known as vendor-specific attributes (VSAs), a feature of RADIUS that allows vendors to support their own extended attributes. Subattributes are identified by IANA-assigned vendor numbers in combination with the vendor-assigned subattribute number. For example, the vendor number for Cisco IOS/PIX 6.0 RADIUS is 9. The cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. | String | Outbound | Yes |
| 27 | Session-Timeout | Maximum number of seconds of service to provide to the user before the session terminates. This AV becomes the per-user absolute timeout. This attribute is not valid for PPP sessions. | Integer (maximum length 10 characters) | Outbound | No |
| 28 | Idle-Timeout | Maximum number of consecutive seconds of idle connection time that the user is allowed before the session terminates. This AV becomes the per-user session-timeout. This attribute is not valid for PPP sessions. | Integer (maximum length 10 characters) | Outbound | No |
| 29 | Termination-Action | Indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets. If the Value is set to RADIUS-Request (1), upon termination of the specified service, the NAS may send a new Access-Request to the RADIUS server, including the State attribute if any. | Integer | Both | No |
| 30 | Called-Station-Id | Allows the AAA client to send the telephone number or other information identifying the AAA client as part of the access-request packet by using automatic number identification or similar technology. Different devices provide different identifiers. | String | Inbound | No |
| 31 | Calling-Station-Id | Allows the AAA client to send the telephone number or other information identifying the end-user client as part of the access-request packet by using Dialed Number Identification Server (DNIS) or similar technology. For example, Cisco Aironet Access Points usually send the MAC address of the end-user client. | String | Inbound | No |
| 32 | NAS-Identifier | — | String | Inbound | No |
| 33 | Proxy-State | Included in proxied RADIUS requests per RADIUS standards. The operation of ACS does not depend on the contents of this attribute. | String (maximum length 253 characters) | Inbound | No |
| 34 | Login-LAT-Service | System with which the local area transport (LAT) protocol connects the user. This attribute is only available in the EXEC mode. | String (maximum length 253 characters) | Inbound | No |
| 35 | Login-LAT-Node | — | String | Inbound | No |
| 36 | Login-LAT-Group | — | String | Inbound | No |
| 37 | Framed-AppleTalk-Link | — | Integer | Outbound | No |
| 38 | Framed-AppleTalk-Network | — | Integer | Outbound | Yes |
| 39 | Framed-AppleTalk-Zone | — | String | Out | No |
| 40 | Acct-Status-Type | Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop). | Integer | Inbound | No |
| 41 | Acct-Delay-Time | Number of seconds the client has been trying to send a particular record. | Integer | Inbound | No |
| 42 | Acct-Input-Octets | Number of octets received from the port while this service is being provided. | Integer | Inbound | No |
| 43 | Acct-Output-Octets | Number of octets sent to the port while this service is being delivered. | Integer | Inbound | No |
| 44 | Acct-Session-Id | Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this interval is unsuitable. | String | Inbound | No |
| 44 | Acct-Authentic | Way in which the user was authenticated—by RADIUS, the AAA client itself, or another remote authentication protocol. This attribute is set to radius for users who are authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. | Integer | Inbound | No |
| 46 | Acct-Session-Time | Number of seconds the user has been receiving service. | Integer | Inbound | No |
| 47 | Acct-Input-Packets | Number of packets received from the port while this service is being provided to a framed user. | Integer | Inbound | No |
| 48 | Acct-Output-Packets | Number of packets sent to the port while this service is being delivered to a framed user. | Integer | Inbound | No |
| 49 | Acct-Terminate-Cause | Reports details on why the connection was terminated. Termination causes are indicated by a numeric value: 1: User request; 2: Lost carrier; 3: Lost service; 4: Idle timeout; 5: Session-timeout; 6: Admin reset; 7: Admin reboot; 8: Port error; 9: AAA client error; 10: AAA client request; 11: AAA client reboot; 12: Port unneeded; 13: Port pre-empted; 14: Port suspended; 15: Service unavailable; 16: Callback; 17: User error; 18: Host request | Integer | Inbound | No |
| 50 | Acct-Multi-Session-Id | — | String | Inbound | No |
| 51 | Acct-Link-Count | — | Integer | Inbound | No |
| 52 | Acct-Input-Gigawords | — | Integer | Inbound | No |
| 53 | Acct-Output-Gigawords | — | Integer | Inbound | No |
| 55 | Event-Timestamp | — | Date | Inbound | No |
| 60 | CHAP-Challenge | — | String | Inbound | No |
| 61 | NAS-Port-Type | Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value: 0: Asynchronous; 1: Synchronous; 2: ISDN-Synchronous; 3: ISDN-Asynchronous (V.120); 4: ISDN-Asynchronous (V.110); 5: Virtual | Integer | Inbound | No |
| 62 | Port-Limit | Sets the maximum number of ports to be provided to the user by the network-access server. | Integer (maximum length 10 characters) | Both | No |
| 63 | Login-LAT-Port | — | String | Both | No |
| 64 | Tunnel-Type | — | Tagged integer | Both | Yes |
| 65 | Tunnel-Medium-Type | — | Tagged integer | Both | Yes |
| 66 | Tunnel-Client-Endpoint | — | Tagged string | Both | Yes |
| 67 | Tunnel-Server-Endpoint | — | Tagged string | Both | Yes |
| 68 | Acct-Tunnel-Connection | — | String | Inbound | No |
| 69 | Tunnel-Password | — | Tagged string | Both | Yes |
| 70 | ARAP-Password | — | String | Inbound | No |
| 71 | ARAP-Features | — | String | Outbound | No |
| 72 | ARAP-Zone-Access | — | Integer | Outbound | No |
| 73 | ARAP-Security | — | Integer | Inbound | No |
| 74 | ARAP-Security-Data | — | String | Inbound | No |
| 75 | Password-Retry | — | Integer | Internal use only | No |
| 76 | Prompt | — | Integer | Internal use only | No |
| 77 | Connect-Info | — | String | Inbound | No |
| 78 | Configuration-Token | — | String | Internal use only | No |
79
|
EAP-Message
|
—
|
String
|
Internal use only
|
No
|
80
|
Message- Authenticator
|
—
|
String
|
Outbound
|
No
|
81
|
Tunnel- Private-Group- ID
|
—
|
Tagged string
|
Both
|
Yes
|
82
|
Tunnel- Assignment-ID
|
—
|
Tagged string
|
Both
|
Yes
|
83
|
Tunnel- Preference
|
—
|
Tagged integer
|
Both
|
No
|
85
|
Acct-Interim- Interval
|
—
|
Integer
|
Outbound
|
No
|
87
|
NAS-Port-Id
|
—
|
String
|
Inbound
|
No
|
88
|
Framed-Pool
|
—
|
String
|
Internal use only
|
No
|
90
|
Tunnel-Client- Auth-ID
|
—
|
Tagged string
|
Both
|
Yes
|
91
|
Tunnel-Server- Auth-ID
|
—
|
Tagged string
|
Both
|
Yes
|
135
|
Primary-DNS- Server
|
—
|
Ipaddr
|
Both
|
No
|
136
|
Secondary- DNS-Server
|
—
|
Ipaddr
|
Both
|
No
|
187
|
Multilink-ID
|
—
|
Integer
|
Inbound
|
No
|
188
|
Num-In- Multilink
|
—
|
Integer
|
Inbound
|
No
|
190
|
Pre-Input- Octets
|
—
|
Integer
|
Inbound
|
No
|
191
|
Pre-Output- Octets
|
—
|
Integer
|
Inbound
|
No
|
192
|
Pre-Input- Packets
|
—
|
Integer
|
Inbound
|
No
|
193
|
Pre-Output- Packets
|
—
|
Integer
|
Inbound
|
No
|
194
|
Maximum- Time
|
—
|
Integer
|
Both
|
No
|
195
|
Disconnect- Cause
|
—
|
Integer
|
Inbound
|
No
|
197
|
Data-Rate
|
—
|
Integer
|
Inbound
|
No
|
198
|
PreSession- Time
|
—
|
Integer
|
Inbound
|
No
|
208
|
PW-Lifetime
|
—
|
Integer
|
Outbound
|
No
|
209
|
IP-Direct
|
—
|
Ipaddr
|
Outbound
|
No
|
210
|
PPP-VJ-Slot- Comp
|
—
|
Integer
|
Outbound
|
No
|
218
|
Assign- IP-pool
|
—
|
Integer
|
Outbound
|
No
|
228
|
Route-IP
|
—
|
Integer
|
Outbound
|
No
|
233
|
Link- Compression
|
—
|
Integer
|
Outbound
|
No
|
234
|
Target-Utils
|
—
|
Integer
|
Outbound
|
No
|
235
|
Maximum- Channels
|
—
|
Integer
|
Outbound
|
No
|
242
|
Data-Filter
|
—
|
Ascend filter
|
Outbound
|
Yes
|
243
|
Call-Filter
|
—
|
Ascend filter
|
Outbound
|
Yes
|
244
|
Idle-Limit
|
—
|
Integer
|
Outbound
|
No
|
Microsoft MPPE Dictionary of RADIUS VSAs
ACS supports the Microsoft RADIUS VSAs used for MPPE. The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt PPP links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that ACS supports. The following ACS RADIUS protocols support the Microsoft RADIUS VSAs:
•Cisco IOS/PIX 6.0
•Cisco VPN 3000/ASA/PIX 7.x+
•Ascend
•Cisco Airespace
To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, ACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000/ASA/PIX 7.x+) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the ACS web interface or how those attributes might be configured.
Table C-8 lists the supported MPPE RADIUS VSAs.
Table C-8 Microsoft MPPE RADIUS VSAs

| Number | Attribute | Type of Value | Description | Inbound/Outbound | Multiple |
| --- | --- | --- | --- | --- | --- |
| 1 | MS-CHAP-Response | String | — | Inbound | No |
| 2 | MS-CHAP-Error | String | — | Outbound | No |
| 3 | MS-CHAP-CPW-1 | String | — | Inbound | No |
| 4 | MS-CHAP-CPW-2 | String | — | Inbound | No |
| 5 | MS-CHAP-LM-Enc-PW | String | — | Inbound | No |
| 6 | MS-CHAP-NT-Enc-PW | String | — | Inbound | No |
| 7 | MS-MPPE-Encryption-Policy | Integer | The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), you can use any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute. If the Policy field is equal to 2 (Encryption-Required), you can use any of the encryption types specified in the MS-MPPE-Encryption-Types attribute, but at least one must be used. | Outbound | No |
| 8 | MS-MPPE-Encryption-Types | Integer | The MS-MPPE-Encryption-Types attribute signifies the types of encryption available for use with MPPE. It is a four-octet integer that is interpreted as a string of bits. | Outbound | No |
| 10 | MS-CHAP-Domain | String | — | Inbound | No |
| 11 | MS-CHAP-Challenge | String | — | Inbound | No |
| 12 | MS-CHAP-MPPE-Keys | String | The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets. Note: ACS automatically generates the MS-CHAP-MPPE-Keys attribute value; there is no value to set in the web interface. | Outbound | No |
| 16 | MS-MPPE-Send-Key | String (maximum length 240 characters) | The MS-MPPE-Send-Key attribute contains a session key for use by MPPE. This key is for encrypting packets sent from the AAA client to the remote host. This attribute is only included in Access-Accept packets. | Outbound | No |
| 17 | MS-MPPE-Recv-Key | String (maximum length 240 characters) | The MS-MPPE-Recv-Key attribute contains a session key for use by MPPE. This key is for encrypting packets that the AAA client receives from the remote host. This attribute is only included in Access-Accept packets. | Outbound | No |
| 18 | MS-RAS-Version | String | — | Inbound | No |
| 25 | MS-CHAP-NT-Enc-PW | String | — | Inbound | No |
| 26 | MS-CHAP2-Response | String | — | Outbound | No |
| 27 | MS-CHAP2-CPW | String | — | Inbound | No |
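The MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types semantics from Table C-8, as an added example (not ACS code and not from Cisco): a Python check that pulls Microsoft (vendor ID 311) VSAs out of an Access-Accept's attribute bytes and flags policy settings worth reviewing. It assumes the standard RADIUS type/length/value attribute layout with the vendor ID leading the Vendor-Specific (26) value; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # IETF attribute that carries VSAs
MICROSOFT = 311        # vendor ID stated on this page
POLICY, TYPES = 7, 8   # MS-MPPE-Encryption-Policy / -Types (Table C-8)
POLICY_NAMES = {1: "Encryption-Allowed", 2: "Encryption-Required"}


def tlv(kind, value):
    """Encode one attribute: 1-octet type, 1-octet length (header included), value."""
    return bytes([kind, len(value) + 2]) + value


def iter_tlvs(buf):
    """Yield (type, value) pairs, rejecting lengths that overrun the buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def iter_vsas(attrs):
    """Yield (vendor_id, vendor_type, data) for each sub-attribute of attribute 26."""
    for kind, value in iter_tlvs(attrs):
        if kind != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific value shorter than a vendor ID")
        (vendor_id,) = struct.unpack("!I", value[:4])
        for v_type, data in iter_tlvs(value[4:]):
            yield vendor_id, v_type, data


def audit_mppe(attrs):
    """Decode the MPPE policy/types VSAs and list settings a reviewer should question."""
    seen = {}
    for vendor_id, v_type, data in iter_vsas(attrs):
        if vendor_id == MICROSOFT and v_type in (POLICY, TYPES):
            if len(data) != 4:
                raise ValueError("MPPE integer attributes are four octets")
            (seen[v_type],) = struct.unpack("!I", data)  # 32-bit, high byte first
    policy, types = seen.get(POLICY), seen.get(TYPES, 0)
    findings = []
    if policy is None:
        findings.append("no MS-MPPE-Encryption-Policy sent")
    elif policy not in POLICY_NAMES:
        findings.append(f"unknown policy value {policy}")
    elif policy == 1:
        findings.append("encryption is optional; the link may come up unencrypted")
    elif types == 0:
        findings.append("encryption required but no encryption type bit is set")
    return {
        "policy": POLICY_NAMES.get(policy),
        # Raw mask values of the set bits; the page does not name the bits.
        "type_bits": [1 << i for i in range(32) if types >> i & 1],
        "findings": findings,
    }


def ms_vsa(v_type, number):
    """Build a Vendor-Specific attribute holding one Microsoft integer sub-attribute."""
    inner = tlv(v_type, struct.pack("!I", number))
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + inner)


# Constructed sample: the attribute bytes of an Access-Accept (not captured traffic).
SAMPLE_ACCEPT = (
    tlv(7, struct.pack("!I", 1))   # IETF attribute 7 (Framed-Protocol), ignored here
    + ms_vsa(POLICY, 1)
    + ms_vsa(TYPES, 6)
)

if __name__ == "__main__":
    print(audit_mppe(SAMPLE_ACCEPT))
```

Run it over the attribute portion of a decoded Access-Accept; a result with an empty `findings` list means the policy is Encryption-Required with at least one type bit set.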
Ascend Dictionary of RADIUS AV Pairs
ACS supports the Ascend RADIUS AV pairs. Table C-9 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions comprise AV pairs. The value of each attribute is specified as:
•string—0-253 octets.
•abinary—0-254 octets.
•ipaddr—4 octets in network byte order.
•integer—32-bit value in big endian order (high byte first).
•call filter—Defines a call filter for the profile.
Note RADIUS filters are retrieved only when a call is placed by using a RADIUS outgoing profile or answered by using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you change a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.
•date—32-bit value in big-endian order. For example, seconds since 00:00:00 universal time (UT), January 1, 1970.
•enum—Enumerated values are stored in the user file with dictionary value translations for easy administration.
Table C-9 Ascend RADIUS Attributes

| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
| --- | --- | --- | --- | --- |
| Dictionary of Ascend Attributes | | | | |
| 1 | User-Name | String | Inbound | No |
| 2 | User-Password | String | Outbound | No |
| 3 | CHAP-Password | String | Outbound | No |
| 4 | NAS-IP-Address | Ipaddr | Inbound | No |
| 5 | NAS-Port | Integer | Inbound | No |
| 6 | Service-Type | Integer | Both | No |
| 7 | Framed-Protocol | Integer | Both | No |
| 8 | Framed-IP-Address | Ipaddr | Both | No |
| 9 | Framed-IP-Netmask | Ipaddr | Outbound | No |
| 10 | Framed-Routing | Integer | Outbound | No |
| 11 | Framed-Filter | String | Outbound | Yes |
| 12 | Framed-MTU | Integer | Outbound | No |
| 13 | Framed-Compression | Integer | Outbound | Yes |
| 14 | Login-IP-Host | Ipaddr | Both | Yes |
| 15 | Login-Service | Integer | Both | No |
| 16 | Login-TCP-Port | Integer | Outbound | No |
| 17 | Change-Password | String | — | — |
| 18 | Reply-Message | String | Outbound | Yes |
| 19 | Callback-ID | String | Outbound | No |
| 20 | Callback-Name | String | Outbound | No |
| 22 | Framed-Route | String | Outbound | Yes |
| 23 | Framed-IPX-Network | Integer | Outbound | No |
| 24 | State | String | Outbound | No |
| 25 | Class | String | Outbound | Yes |
| 26 | Vendor-Specific | String | Outbound | Yes |
| 30 | Call-Station-ID | String | Inbound | No |
| 31 | Calling-Station-ID | String | Inbound | No |
| 40 | Acct-Status-Type | Integer | Inbound | No |
| 41 | Acct-Delay-Time | Integer | Inbound | No |
| 42 | Acct-Input-Octets | Integer | Inbound | No |
| 43 | Acct-Output-Octets | Integer | Inbound | No |
| 44 | Acct-Session-Id | Integer | Inbound | No |
| 45 | Acct-Authentic | Integer | Inbound | No |
| 46 | Acct-Session-Time | Integer | Inbound | No |
| 47 | Acct-Input-Packets | Integer | Inbound | No |
| 48 | Acct-Output-Packets | Integer | Inbound | No |
| 64 | Tunnel-Type | String | Both | Yes |
| 65 | Tunnel-Medium-Type | String | Both | Yes |
| 66 | Tunnel-Client-Endpoint | String (maximum length 250 characters) | Both | Yes |
| 67 | Tunnel-Server-Endpoint | String (maximum length 250 characters) | Both | Yes |
| 68 | Acct-Tunnel-Connection | Integer (maximum length 253 characters) | Inbound | No |
| 104 | Ascend-Private-Route | String (maximum length 253 characters) | Both | No |
| 105 | Ascend-Numbering-Plan-ID | Integer (maximum length 10 characters) | Both | No |
| 106 | Ascend-FR-Link-Status-Dlci | Integer (maximum length 10 characters) | Both | No |
| 107 | Ascend-Calling-Subaddress | String (maximum length 253 characters) | Both | No |
| 108 | Ascend-Callback-Delay | String (maximum length 10 characters) | Both | No |
| 109 | Ascend-Endpoint-Disc | String (maximum length 253 characters) | Both | No |
| 110 | Ascend-Remote-FW | String (maximum length 253 characters) | Both | No |
| 111 | Ascend-Multicast-GLeave-Delay | Integer (maximum length 10 characters) | Both | No |
| 112 | Ascend-CBCP-Enable | String | Both | No |
| 113 | Ascend-CBCP-Mode | String | Both | No |
| 114 | Ascend-CBCP-Delay | String (maximum length 10 characters) | Both | No |
| 115 | Ascend-CBCP-Trunk-Group | String (maximum length 10 characters) | Both | No |
| 116 | Ascend-AppleTalk-Route | String (maximum length 253 characters) | Both | No |
| 117 | Ascend-AppleTalk-Peer-Mode | String (maximum length 10 characters) | Both | No |
| 118 | Ascend-Route-AppleTalk | String (maximum length 10 characters) | Both | No |
| 119 | Ascend-FCP-Parameter | String (maximum length 253 characters) | Both | No |
| 120 | Ascend-Modem-PortNo | Integer (maximum length 10 characters) | Inbound | No |
| 121 | Ascend-Modem-SlotNo | Integer (maximum length 10 characters) | Inbound | No |
| 122 | Ascend-Modem-ShelfNo | Integer (maximum length 10 characters) | Inbound | No |
| 123 | Ascend-Call-Attempt-Limit | Integer (maximum length 10 characters) | Both | No |
| 124 | Ascend-Call-Block_Duration | Integer (maximum length 10 characters) | Both | No |
| 125 | Ascend-Maximum-Call-Duration | Integer (maximum length 10 characters) | Both | No |
| 126 | Ascend-Router-Preference | String (maximum length 10 characters) | Both | No |
| 127 | Ascend-Tunneling-Protocol | String (maximum length 10 characters) | Both | No |
| 128 | Ascend-Shared-Profile-Enable | Integer | Both | No |
| 129 | Ascend-Primary-Home-Agent | String (maximum length 253 characters) | Both | No |
| 130 | Ascend-Secondary-Home-Agent | String (maximum length 253 characters) | Both | No |
| 131 | Ascend-Dialout-Allowed | Integer | Both | No |
| 133 | Ascend-BACP-Enable | Integer | Both | No |
| 134 | Ascend-DHCP-Maximum-Leases | Integer (maximum length 10 characters) | Both | No |
| 135 | Ascend-Client-Primary-DNS | Address (maximum length 15 characters) | Both | No |
| 136 | Ascend-Client-Secondary-DNS | Address (maximum length 15 characters) | Both | No |
| 137 | Ascend-Client-Assign-DNS | Enum | Both | No |
| 138 | Ascend-User-Acct-Type | Enum | Both | No |
| 139 | Ascend-User-Acct-Host | Address (maximum length 15 characters) | Both | No |
| 140 | Ascend-User-Acct-Port | Integer (maximum length 10 characters) | Both | No |
| 141 | Ascend-User-Acct-Key | String (maximum length 253 characters) | Both | No |
| 142 | Ascend-User-Acct-Base | Enum (maximum length 10 characters) | Both | No |
| 143 | Ascend-User-Acct-Time | Integer (maximum length 10 characters) | Both | No |
| Support IP Address Allocation from Global Pools | | | | |
| 144 | Ascend-Assign-IP-Client | Ipaddr (maximum length 15 characters) | Outbound | No |
| 145 | Ascend-Assign-IP-Server | Ipaddr (maximum length 15 characters) | Outbound | No |
| 146 | Ascend-Assign-IP-Global-Pool | String (maximum length 253 characters) | Outbound | No |
| DHCP Server Functions | | | | |
| 147 | Ascend-DHCP-Reply | Integer | Outbound | No |
| 148 | Ascend-DHCP-Pool-Number | Integer (maximum length 10 characters) | Outbound | No |
| Connection Profile/Telco Option | | | | |
| 149 | Ascend-Expect-Callback | Integer | Outbound | No |
| Event Type for an Ascend-Event Packet | | | | |
| 150 | Ascend-Event-Type | Integer (maximum length 10 characters) | Inbound | No |
| RADIUS Server Session Key | | | | |
| 151 | Ascend-Session-Svr-Key | String (maximum length 253 characters) | Outbound | No |
| Multicast Rate Limit Per Client | | | | |
| 152 | Ascend-Multicast-Rate-Limit | Integer (maximum length 10 characters) | Outbound | No |
| Connection Profile Fields to Support Interface-Based Routing | | | | |
| 153 | Ascend-IF-Netmask | Ipaddr (maximum length 15 characters) | Outbound | No |
| 154 | Ascend-Remote-Addr | Ipaddr (maximum length 15 characters) | Outbound | No |
| Multicast Support | | | | |
| 155 | Ascend-Multicast-Client | Integer (maximum length 10 characters) | Outbound | No |
| Frame Datalink Profiles | | | | |
| 156 | Ascend-FR-Circuit-Name | String (maximum length 253 characters) | Outbound | No |
| 157 | Ascend-FR-LinkUp | Integer (maximum length 10 characters) | Outbound | No |
| 158 | Ascend-FR-Nailed-Group | Integer (maximum length 10 characters) | Outbound | No |
| 159 | Ascend-FR-Type | Integer (maximum length 10 characters) | Outbound | No |
| 160 | Ascend-FR-Link-Mgt | Integer (maximum length 10 characters) | Outbound | No |
| 161 | Ascend-FR-N391 | Integer (maximum length 10 characters) | Outbound | No |
| 162 | Ascend-FR-DCE-N392 | Integer (maximum length 10 characters) | Outbound | No |
| 163 | Ascend-FR-DTE-N392 | Integer (maximum length 10 characters) | Outbound | No |
| 164 | Ascend-FR-DCE-N393 | Integer (maximum length 10 characters) | Outbound | No |
| 165 | Ascend-FR-DTE-N393 | Integer (maximum length 10 characters) | Outbound | No |
| 166 | Ascend-FR-T391 | Integer (maximum length 10 characters) | Outbound | No |
| 167 | Ascend-FR-T392 | Integer (maximum length 10 characters) | Outbound | No |
| 168 | Ascend-Bridge-Address | String (maximum length 253 characters) | Outbound | No |
| 169 | Ascend-TS-Idle-Limit | Integer (maximum length 10 characters) | Outbound | No |
| 170 | Ascend-TS-Idle-Mode | Integer (maximum length 10 characters) | Outbound | No |
| 171 | Ascend-DBA-Monitor | Integer (maximum length 10 characters) | Outbound | No |
| 172 | Ascend-Base-Channel-Count | Integer (maximum length 10 characters) | Outbound | No |
| 173 | Ascend-Minimum-Channels | Integer (maximum length 10 characters) | Outbound | No |
| IPX Static Routes | | | | |
| 174 | Ascend-IPX-Route | String (maximum length 253 characters) | Inbound | No |
| 175 | Ascend-FT1-Caller | Integer (maximum length 10 characters) | Inbound | No |
| 176 | Ascend-Backup | String (maximum length 253 characters) | Inbound | No |
| 177 | Ascend-Call-Type | Integer | Inbound | No |
| 178 | Ascend-Group | String (maximum length 253 characters) | Inbound | No |
| 179 | Ascend-FR-DLCI | Integer (maximum length 10 characters) | Inbound | No |
| 180 | Ascend-FR-Profile-Name | String (maximum length 253 characters) | Inbound | No |
| 181 | Ascend-Ara-PW | String (maximum length 253 characters) | Inbound | No |
| 182 | Ascend-IPX-Node-Addr | String (maximum length 253 characters) | Both | No |
| 183 | Ascend-Home-Agent-IP-Addr | Ipaddr (maximum length 15 characters) | Outbound | No |
| 184 | Ascend-Home-Agent-Password | String (maximum length 253 characters) | Outbound | No |
| 185 | Ascend-Home-Network-Name | String (maximum length 253 characters) | Outbound | No |
| 186 | Ascend-Home-Agent-UDP-Port | Integer (maximum length 10 characters) | Outbound | No |
| 187 | Ascend-Multilink-ID | Integer | Inbound | No |
| 188 | Ascend-Num-In-Multilink | Integer | Inbound | No |
| 189 | Ascend-First-Dest | Ipaddr | Inbound | No |
| 190 | Ascend-Pre-Input-Octets | Integer | Inbound | No |
| 191 | Ascend-Pre-Output-Octets | Integer | Inbound | No |
| 192 | Ascend-Pre-Input-Packets | Integer | Inbound | No |
| 193 | Ascend-Pre-Output-Packets | Integer | Inbound | No |
| 194 | Ascend-Maximum-Time | Integer (maximum length 10 characters) | Both | No |
| 195 | Ascend-Disconnect-Cause | Integer | Inbound | No |
| 196 | Ascend-Connect-Progress | Integer | Inbound | No |
| 197 | Ascend-Data-Rate | Integer | Inbound | No |
| 198 | Ascend-PreSession-Time | Integer | Inbound | No |
| 199 | Ascend-Token-Idle | Integer (maximum length 10 characters) | Outbound | No |
| 200 | Ascend-Token-Immediate | Integer | Outbound | No |
| 201 | Ascend-Require-Auth | Integer (maximum length 10 characters) | Outbound | No |
| 202 | Ascend-Number-Sessions | String (maximum length 253 characters) | Outbound | No |
| 203 | Ascend-Authen-Alias | String (maximum length 253 characters) | Outbound | No |
| 204 | Ascend-Token-Expiry | Integer (maximum length 10 characters) | Outbound | No |
| 205 | Ascend-Menu-Selector | String (maximum length 253 characters) | Outbound | No |
| 206 | Ascend-Menu-Item | String | Outbound | Yes |
| RADIUS Password Expiration Options | | | | |
| 207 | Ascend-PW-Warntime | Integer (maximum length 10 characters) | Outbound | No |
| 208 | Ascend-PW-Lifetime | Integer (maximum length 10 characters) | Outbound | No |
| 209 | Ascend-IP-Direct | Ipaddr (maximum length 15 characters) | Outbound | No |
| 210 | Ascend-PPP-VJ-Slot-Comp | Integer (maximum length 10 characters) | Outbound | No |
| 211 | Ascend-PPP-VJ-1172 | Integer (maximum length 10 characters) | Outbound | No |
| 212 | Ascend-PPP-Async-Map | Integer (maximum length 10 characters) | Outbound | No |
| 213 | Ascend-Third-Prompt | String (maximum length 253 characters) | Outbound | No |
| 214 | Ascend-Send-Secret | String (maximum length 253 characters) | Outbound | No |
| 215 | Ascend-Receive-Secret | String (maximum length 253 characters) | Outbound | No |
| 216 | Ascend-IPX-Peer-Mode | Integer | Outbound | No |
| 217 | Ascend-IP-Pool-Definition | String (maximum length 253 characters) | Outbound | No |
| 218 | Ascend-Assign-IP-Pool | Integer | Outbound | No |
| 219 | Ascend-FR-Direct | Integer | Outbound | No |
| 220 | Ascend-FR-Direct-Profile | String (maximum length 253 characters) | Outbound | No |
| 221 | Ascend-FR-Direct-DLCI | Integer (maximum length 10 characters) | Outbound | No |
| 222 | Ascend-Handle-IPX | Integer | Outbound | No |
| 223 | Ascend-Netware-Timeout | Integer (maximum length 10 characters) | Outbound | No |
| 224 | Ascend-IPX-Alias | String (maximum length 253 characters) | Outbound | No |
| 225 | Ascend-Metric | Integer (maximum length 10 characters) | Outbound | No |
| 226 | Ascend-PRI-Number-Type | Integer | Outbound | No |
| 227 | Ascend-Dial-Number | String (maximum length 253 characters) | Outbound | No |
| Connection Profile/PPP Options | | | | |
| 228 | Ascend-Route-IP | Integer | Outbound | No |
| 229 | Ascend-Route-IPX | Integer | Outbound | No |
| 230 | Ascend-Bridge | Integer | Outbound | No |
| 231 | Ascend-Send-Auth | Integer | Outbound | No |
| 232 | Ascend-Send-Passwd | String (maximum length 253 characters) | Outbound | No |
| 233 | Ascend-Link-Compression | Integer | Outbound | No |
| 234 | Ascend-Target-Util | Integer (maximum length 10 characters) | Outbound | No |
| 235 | Ascend-Max-Channels | Integer (maximum length 10 characters) | Outbound | No |
| 236 | Ascend-Inc-Channel-Count | Integer (maximum length 10 characters) | Outbound | No |
| 237 | Ascend-Dec-Channel-Count | Integer (maximum length 10 characters) | Outbound | No |
| 238 | Ascend-Seconds-Of-History | Integer (maximum length 10 characters) | Outbound | No |
| 239 | Ascend-History-Weigh-Type | Integer | Outbound | No |
| 240 | Ascend-Add-Seconds | Integer (maximum length 10 characters) | Outbound | No |
| 241 | Ascend-Remove-Seconds | Integer (maximum length 10 characters) | Outbound | No |
| Connection Profile/Session Options | | | | |
| 242 | Ascend-Data-Filter | Call filter | Outbound | Yes |
| 243 | Ascend-Call-Filter | Call filter | Outbound | Yes |
| 244 | Ascend-Idle-Limit | Integer (maximum length 10 characters) | Outbound | No |
| 245 | Ascend-Preempt-Limit | Integer (maximum length 10 characters) | Outbound | No |
| Connection Profile/Telco Options | | | | |
| 246 | Ascend-Callback | Integer | Outbound | No |
| 247 | Ascend-Data-Svc | Integer | Outbound | No |
| 248 | Ascend-Force-56 | Integer | Outbound | No |
| 249 | Ascend-Billing-Number | String (maximum length 253 characters) | Outbound | No |
| 250 | Ascend-Call-By-Call | Integer (maximum length 10 characters) | Outbound | No |
| 251 | Ascend-Transit-Number | String (maximum length 253 characters) | Outbound | No |
| Terminal Server Attributes | | | | |
| 252 | Ascend-Host-Info | String (maximum length 253 characters) | Outbound | No |
| PPP Local Address Attribute | | | | |
| 253 | Ascend-PPP-Address | Ipaddr (maximum length 15 characters) | Outbound | No |
| MPP Percent Idle Attribute | | | | |
| 254 | Ascend-MPP-Idle-Percent | Integer (maximum length 10 characters) | Outbound | No |
| 255 | Ascend-Xmit-Rate | Integer (maximum length 10 characters) | Outbound | No |
Nortel Dictionary of RADIUS VSAs
Table C-10 lists the Nortel RADIUS VSAs supported by ACS. The Nortel vendor ID number is 1584.
Table C-10 Nortel RADIUS VSAs

| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
| --- | --- | --- | --- | --- |
| 035 | Bay-Local-IP-Address | Ipaddr (maximum length 15 characters) | Outbound | No |
| 054 | Bay-Primary-DNS-Server | Ipaddr (maximum length 15 characters) | Outbound | No |
| 055 | Bay-Secondary-DNS-Server | Ipaddr (maximum length 15 characters) | Outbound | No |
| 056 | Bay-Primary-NBNS-Server | Ipaddr (maximum length 15 characters) | Outbound | No |
| 057 | Bay-Secondary-NBNS-Server | Ipaddr (maximum length 15 characters) | Outbound | No |
| 100 | Bay-User-Level | Integer | Outbound | No |
| 101 | Bay-Audit-Level | Integer | Outbound | No |
Juniper Dictionary of RADIUS VSAs
Table C-11 lists the Juniper RADIUS VSAs supported by ACS. The Juniper vendor ID number is 2636.
Table C-11 Juniper RADIUS VSAs

| Number | Attribute | Type of Value | Inbound/Outbound | Multiple |
| --- | --- | --- | --- | --- |
| 001 | Juniper-Local-User-Name | String (maximum length 247 characters) | Outbound | No |
| 002 | Juniper-Allow-Commands | String (maximum length 247 characters) | Outbound | No |
| 003 | Juniper-Deny-Commands | String (maximum length 247 characters) | Outbound | No |