User Guide for Cisco Secure Access Control Server 4.2.1 - TACACS+ Attribute-Value Pairs [Cisco Secure Access Control Server for Windows]

Table Of Contents

TACACS+ Attribute-Value Pairs

Cisco IOS AV Pair Dictionary

TACACS+ AV Pairs

TACACS+ Accounting AV Pairs

Multi Instance and Multi line TACACS+ AV Pair

TACACS+ Attribute-Value Pairs

The Cisco Secure Access Control Server Release 4.2, hereafter referred to as ACS, supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.

Cisco IOS AV Pair Dictionary

To use the full range of the Cisco IOS AV-pair dictionary for TACACS+, the AAA client should use IOS version 11.3 or later. Cisco IOS 11.1 and 11.2 have only partial support for TACACS+ AV-pairs.

Note If you specify a given AV pair in ACS, you must also enable the corresponding AV pair in the Cisco IOS software that is running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If ACS sends an AV pair to the AAA client that the Cisco IOS software does not support, that attribute is not implemented.

For more information on TACACS+ AV pairs, refer to Cisco IOS documentation for the release of Cisco IOS that is running on your AAA clients.

Note All TACACS+ values are strings. The concept of value type does not exist in TACACS+ as it does in Remote Access Dial-In User Service (RADIUS).

TACACS+ AV Pairs

Note Beginning with ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page; because IP pools and callback supersede:

   addr
   addr-pool
   callback-dialstring

Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).

ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS that is running on your AAA clients. TACACS+ AV pairs supported in ACS are:

•acl=

•autocmd=

•callback-line

•callback-rotary

•cmd-arg=

•cmd=

•dns-servers=

•gw-password

•idletime=

•inacl#n

•inacl=

•interface-config=

•ip-addresses

•link-compression=

•load-threshold=n

•max-links=n

•nas-password

•nocallback-verify

•noescape=

•nohangup=

•old-prompts

•outacl#n

•outacl=

•pool-def#n

•pool-timeout=

•ppp-vj-slot- compression

•priv-lvl=

•protocol=

•route

•route#n

•routing=

•rte-ftr-in#n

•rte-ftr-out#n

•sap#n

•sap-fltr-in#n

•sap-fltr-out#n

•service=

•source-ip=

•timeout=

•tunnel-id

•wins-servers=

•zonelist=

TACACS+ Accounting AV Pairs

ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS that is running on your AAA clients. TACACS+ accounting AV pairs that ACS supports are:

•bytes_in

•bytes_out

•cmd

•data-rate

•disc-cause

•disc-cause-ext

•elapsed_time

•event

•mlp-links-max

•mlp-sess-id

•nas-rx-speed

•nas-tx-speed

•paks_in

•paks_out

•port

•pre-bytes-in

•pre-bytes-out

•pre-paks-in

•pre-paks-out

•pre-session-time

•priv_level

•protocol

•reason

•service

•start_time

•stop_time

•task_id

•timezone

•xmit-rate

Multi Instance and Multi line TACACS+ AV Pair

ACS supports multiple instances of TACACS+ AV pair to help you overcome the limitation in length and multiple lines while specifying value for TACACS+ custom attributes.

If the value of the AV pair exceeds 255 characters or if you want to give the value for the AV pair in multiple lines, then defining multiple instances for the AV pair would help you to achieve this.

When you specify the values in multiple instances, ACS sends multiple instances of the AV pair to NAS in the order in which it is specified. When ACS receives data from NAS, it tries to match the incoming data with the order in which the AV pairs are written.

For example, assume that the following values of AV pairs are specified:

av-pair1=<<value of av-pari1 instance1>>
av-pair1=<<value of av-pair1 instance2>>
av-pair1=<<value of av-pair1 instance3>>
av-pair2=<<value of av-pair2 instance1>>
av-pair2=<<value of av-pair2 instance2>>
av-pair3=<<value of av-pair3 instance1>>
av-pair4=<<value of av-pair4 instance1>>

In the above example, multiple instances of AV pairs are specified. When ACS receives data from NAS, it matches the value for three instances of av-pair1, with the values specified. If the value for the 3rd instance is not sent in the same order but is sent after av-pair3, it will still be matched against the 3rd instance of av-pair1.

Note ACS will not fragment the value given for a particular instance of an AV pair. You have to fragment the data by defining one more instance for the AV pair.

If the value for the AV pair exceeds 255 characters, an error will be shown. So, if value for the particular AV pair is more than 255 characters, then you have to break the value at the appropriate place before the 255 mark and define one more instance for that AV pair.

Note Multi-instance and multiline TACACS+ AV Pair is applicable only for custom attributes and will not be valid for predefined attributes.

	User Guide for Cisco Secure Access Control Server 4.2.1
	TACACS+ Attribute-Value Pairs
User Guide for Cisco Secure Access Control Server 4.2.1 Preface Overview Using the Web Interface Network Configuration Shared Profile Components User Group Management User Management System Configuration: Basic System Configuration: Advanced System Configuration: Authentication and Certificates Logs and Reports Administrators and Administrative Policy User Databases Posture Validation Network Access Profiles Unknown User Policy User Group Mapping and Specification TACACS+ Attribute-Value Pairs RADIUS Attributes CSUtil Database Utility VPDN Processing RDBMS Synchronization Import Definitions Internal Architecture Index	Download this chapter TACACS+ Attribute-Value Pairs Download the complete book pdf (PDF - 10 MB) Feedback Table Of Contents TACACS+ Attribute-Value Pairs Cisco IOS AV Pair Dictionary TACACS+ AV Pairs TACACS+ Accounting AV Pairs Multi Instance and Multi line TACACS+ AV Pair TACACS+ Attribute-Value Pairs The Cisco Secure Access Control Server Release 4.2, hereafter referred to as ACS, supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value. Cisco IOS AV Pair Dictionary To use the full range of the Cisco IOS AV-pair dictionary for TACACS+, the AAA client should use IOS version 11.3 or later. Cisco IOS 11.1 and 11.2 have only partial support for TACACS+ AV-pairs. Note If you specify a given AV pair in ACS, you must also enable the corresponding AV pair in the Cisco IOS software that is running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If ACS sends an AV pair to the AAA client that the Cisco IOS software does not support, that attribute is not implemented. For more information on TACACS+ AV pairs, refer to Cisco IOS documentation for the release of Cisco IOS that is running on your AAA clients. Note All TACACS+ values are strings. The concept of value type does not exist in TACACS+ as it does in Remote Access Dial-In User Service (RADIUS). TACACS+ AV Pairs Note Beginning with ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page; because IP pools and callback supersede: addr addr-pool callback-dialstring Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA). ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS that is running on your AAA clients. TACACS+ AV pairs supported in ACS are: •`acl=` •`autocmd=` •`callback-line` •`callback-rotary` •`cmd-arg=` •`cmd=` •`dns-servers=` •`gw-password` •`idletime=` •`inacl#`n •`inacl=` •`interface-config=` •`ip-addresses` •`link-compression=` •`load-threshold=`n •`max-links=`n •`nas-password` •`nocallback-verify` •`noescape=` •`nohangup=` •`old-prompts` •`outacl#`n •`outacl=` •`pool-def#`n •`pool-timeout=` •`ppp-vj-slot- compression` •`priv-lvl=` •`protocol=` •`route` •`route#`n •`routing=` •`rte-ftr-in#`n •`rte-ftr-out#`n •`sap#`n •`sap-fltr-in#`n •`sap-fltr-out#`n •`service=` •`source-ip=` •`timeout=` •`tunnel-id` •`wins-servers=` •`zonelist=` TACACS+ Accounting AV Pairs ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS that is running on your AAA clients. TACACS+ accounting AV pairs that ACS supports are: •`bytes_in` •`bytes_out` •`cmd` •`data-rate` •`disc-cause` •`disc-cause-ext` •`elapsed_time` •`event` •`mlp-links-max` •`mlp-sess-id` •`nas-rx-speed` •`nas-tx-speed` •`paks_in` •`paks_out` •`port` •`pre-bytes-in` •`pre-bytes-out` •`pre-paks-in` •`pre-paks-out` •`pre-session-time` •`priv_level` •`protocol` •`reason` •`service` •`start_time` •`stop_time` •`task_id` •`timezone` •`xmit-rate` Multi Instance and Multi line TACACS+ AV Pair ACS supports multiple instances of TACACS+ AV pair to help you overcome the limitation in length and multiple lines while specifying value for TACACS+ custom attributes. If the value of the AV pair exceeds 255 characters or if you want to give the value for the AV pair in multiple lines, then defining multiple instances for the AV pair would help you to achieve this. When you specify the values in multiple instances, ACS sends multiple instances of the AV pair to NAS in the order in which it is specified. When ACS receives data from NAS, it tries to match the incoming data with the order in which the AV pairs are written. For example, assume that the following values of AV pairs are specified: av-pair1=<<value of av-pari1 instance1>> av-pair1=<<value of av-pair1 instance2>> av-pair1=<<value of av-pair1 instance3>> av-pair2=<<value of av-pair2 instance1>> av-pair2=<<value of av-pair2 instance2>> av-pair3=<<value of av-pair3 instance1>> av-pair4=<<value of av-pair4 instance1>> In the above example, multiple instances of AV pairs are specified. When ACS receives data from NAS, it matches the value for three instances of av-pair1, with the values specified. If the value for the 3rd instance is not sent in the same order but is sent after av-pair3, it will still be matched against the 3rd instance of av-pair1. Note ACS will not fragment the value given for a particular instance of an AV pair. You have to fragment the data by defining one more instance for the AV pair. If the value for the AV pair exceeds 255 characters, an error will be shown. So, if value for the particular AV pair is more than 255 characters, then you have to break the value at the appropriate place before the 255 mark and define one more instance for that AV pair. Note Multi-instance and multiline TACACS+ AV Pair is applicable only for custom attributes and will not be valid for predefined attributes.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks