Cisco VPN 3000 Series Concentrators

Cisco VPN 3000 Concentrator Vendor Specific Attributes 2.0 - 4.1: User and Group Attributes

Document ID: 14501



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Vendor-specific Attributes

Introduction

This document lists the Cisco VPN 3000 Concentrator vendor-specific user and group attributes for versions 2.0 through 4.1.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the Cisco VPN Concentrator 3000 series versions 2.0 through 4.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Vendor-specific Attributes

  • Five asterisks (*****) next to an attribute denote that it is specific to version 4.1.

  • Four asterisks (****) next to an attribute denote that it is specific to version 4.0.

  • Three asterisks (***) next to an attribute denote that it is specific to version 3.6.

  • Two asterisks (**) next to an attribute denote that it is specific to version 3.5.

  • No asterisks indicates versions 2.0 through 3.0.

  • An asterisk (*) next to an attribute means that the attribute is not inherited.

  • Args - Passed to the Authentication subsystem.

  • Group - Group-based attribute.

  • User - User-based attribute.

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Values | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| General ** Identity | User/Group Name* | N | Y | Y | 1 | | 1 | String | | N/A | User DB |
| General ** Identity | User/Group Password* | N | N | Y | 2 | | 2 | String | Valid group name | N/A | User DB |
| General ** Identity | Group Name | N | N | Y | 25 | | 25 | String | Valid group name | N/A | User DB |
| General | Access Hours | N | Y | Y | 26 | 1 | 4097 | String | Name of the Access Hours | (None - Implying no restrictions) | User DB |
| General | Simultaneous Logins | N | Y | Y | 26 | 2 | 4098 | Integer | 1-n (n=?) | 1 | User DB |
| General | Minimum Password Length | N | Y | N | 26 | 3 | 4099 | Integer | 1-n (n=?) | 8 | User DB ** Only used internally by the VPN 3000 concentrator - do not send this from RADIUS |
| General | Allow Alphabetic-Only Passwords | N | Y | N | 26 | 4 | 4100 | Boolean | 0 (False), 1 (True) | 0 (False) | User DB ** Only used internally by the VPN 3000 concentrator - do not send this from RADIUS |
| General | Idle Timeout | N | Y | Y | 28 | | 28 | Integer | 1-n (n = ?) in minutes. 0 means no idle timeout. | 30 | User DB |
| General | Filter | N | Y | Y | 11 | | 11 | String | Name of the Filter | (None - implying to filter) | User DB |
| General | Primary DNS | N | Y | N | 26 | 5 | 4101 | IP Address | | (None) | User DB |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Values | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| General | Secondary DNS | N | Y | N | 26 | 6 | 4102 | IP Address | | (None) | User DB |
| General | Primary WINS | N | Y | N | 26 | 7 | 4103 | IP Address | | (None) | User DB |
| General | Secondary WINS | N | Y | N | 26 | 8 | 4104 | IP Address | | (None) | User DB |
| General | SEP Card Assignment | N | Y | Y | 26 | 9 | 4105 | Bitmap | 1 = Card 1, 2 = Card 2, 4 = Card 3, 8 = Card 4 | 15 (All) | User DB |
| General | Priority on SEP | N | Y | N | 26 | 10 | 4106 | Integer | 1-5 | 1 | User DB |
| General | Tunneling Protocols | N | Y | Y | 26 | 11 | 4107 | Bitmap | 1 = PPTP, 2 = L2TP, 4 = IPSec, 8 = L2TP/IPSec. ** 8 and 4 are mutually exclusive (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 are legal values) | 7 (All) | User DB |
| General | IP Address | N | N | Y | 8 | | 8 | IP Address | | (None) | User DB |
| General | Subnet Mask | N | N | Y | 9 | | 9 | IP Address | | (None) | User DB |
| General | Maximum Connect Time | N | Y | Y | 27 | | 27 | Integer | 1-n (n = ?) in minutes, 0 means no maximum connect time | 0 | User DB |
| General | Default Route | N | Y | N | 22 | | 22 | IP Address | | (None) | User DB |
| ** General | ** Strip Realm | N | Y | N | 26 | 135 | ? | Boolean | 0 (False), 1 (True) | (None) | User DB |
| ** General | **** DHCP Network Scope | N | Y | N | 26 | 61 | ? | IP Address | N/A | N/A | ? |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Values | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| IPSec | Security Association (SA) | N | Y | Y | 26 | 12 | 4108 | String | Name of the Security Association | (None - implying no SA) | User DB |
| IPSec | Authentication | N | Y | N | 26 | 13 | 4109 | Integer | 0 (None), 1 (RADIUS), 2 (LDAP) [**** LDAP not available from version 4.0], 3 (NT Domain), 4 (SDI), 5 (Internal), ** 6 (RADIUS with Expiry), **** 7 (Kerberos) | 5 (Internal) | User DB |
| IPSec | **** Authorization Type | N | Y | N | 26 | 65 | ? | Integer | 0 (None), 1 (Radius), 2 (LDAP) | 0 (None) | ? |
| IPSec | **** Authorization Required | N | Y | N | 26 | 66 | ? | Boolean | 0 (False), 1 (True) | 0 (False) | ? |
| IPSec | **** DN Field | N | Y | N | 26 | 67 | ? | String | CN Otherwise OU, CommonName(CN), Surname(SN), Country(C), Locality(L), State/Province(SP), Organization(O), Organizational Unit(OU), Title(T), Name(N), Given Name(GN), Initials(I), Email Address(EA), Generational Qualifier(GENQ), DN Qualifier(DNQ), Serial Number(SER) | CN Otherwise OU | ? |
| IPSec | ** IKE Peer ID Check | N | N/A | N/A | 26 | 40 | ? | Integer | 1 (Required), 2 (If supported by peer certificate), 3 (Do not check) | N/A | N/A |
| IPSec | ** IKE Keepalives | N | N/A | N/A | 26 | 41 | ? | Boolean | 0 (False), 1 (True) | N/A | N/A |
| IPSec | **** Confidence Level (EasyVPN Clients Only) | N | Y | N | 26 | 68 | ? | Integer | 10 - 300 in seconds | N/A | ? |
| IPSec | ** Reauthentication on Rekey | N | N/A | N/A | 26 | 42 | ? | Boolean | 0 (False), 1 (True) | 0 (False) | N/A |
| IPSec | ** IPComp | N | N/A | N/A | 26 | 39 | ? | Integer | 0 (None), 1 (LZS) | None | N/A |
| IPSec | Banner | N | Y | N | 26 | 15 | 4111 | String | Up to 256 characters | (None - implying no banner) | User DB |
| IPSec | Allow Password Storage on Client | N | Y | Y | 26 | 16 | 4112 | Boolean | 0 (False), 1 (True) | 0 (False) | User DB |
| PPTP/L2TP | VJ Header Compression | N | Y | Y | 13 | | 12 | Integer | 0 (None), 1 (VJ Compression), 2 (IPX Compression - unused) | 1 (VJ Compression) | PPP MIB: alPppIpcpCompType (must be mapped) |
| PPTP/L2TP | Use Client Specified Address | N | Y | Y | 26 | 17 | 4113 | Boolean | 0 (False), 1 (True) | 0 (False) | Address MIB: alAddressIpcpEnable |
| PPTP | Minimal Authentication Protocol | N | Y | Y | 26 | 18 | 4114 | Bitmap | ** 1 = PAP, ** 2 = CHAP, 4 = EAP-MD5, 8 = EAP-GTC, 16 = EAP-TLS, ** 32 = MSCHAP, ** 64 = MSCHAP2 | 102 (All except PAP, EAP-GTC, EAP-TLS) | PPP MIB: alPppPptpAuthentication |
| L2TP | Minimal Authentication Protocol | N | Y | Y | 26 | 19 | 4115 | Bitmap | ** 1 = PAP, ** 2 = CHAP, 4 = EAP-MD5, 8 = EAP-GTC, 16 = EAP-TLS, ** 32 = MSCHAP, ** 64 = MSCHAP2 | 102 (All except PAP, EAP-GTC, EAP-TLS) | PPP MIB: alPppL2tpAuthentication |
| PPTP | Encryption | N | Y | N | 26 | 20 | 4116 | Bitmap | 1 = Encryption Required, 2 = 40-bit, 4 = 128-bit, 8 = Stateless Required ** (Valid values: 2, 3, 4, 5, 6, 7, 10, 11, 12, 13, 14, 15). Note: These should not be sent by RADIUS since PPTP negotiates this before authenticating; therefore, this is really only a Base Group parameter that should be configured on the concentrator. | 6 (40-bit and/or 128-bit) | PPP MIB: alPppPptpEncryption |
| ** PPTP | ** MPPC Compression | N | N/A | N/A | 26 | 37 | ? | Integer | 1 (True), 2 (False) | N/A | N/A |
| ** L2TP | ** MPPC Compression | N | N/A | N/A | 26 | 38 | ? | Integer | 1 (True), 2 (False) | N/A | N/A |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Values | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| L2TP | Encryption | N | Y | N | 26 | 21 | 4117 | Bitmap | 1 = Encryption Required, 2 = 40-bit, 4 = 128-bit, 8 = Stateless Required | 6 (40-bit and/or 128-bit) | PPP MIB: alPppL2tpEncryption |
| Argument | Authentication Server Type* | Y | N | N | 26 | 22 | 4118 | Integer | 0 = First Active Server, 1 = RADIUS, 2 = LDAP, 3 = NT, 4 = SDI, 5 = Internal | N/A | N/A |
| Argument | Authentication Server Password* | Y | N | N | 26 | 23 | 4119 | String | | N/A | N/A |
| Argument | Request Authenticator Vector* | Y | N | N | 26 | 24 | 4120 | String | | N/A | N/A |
| IPSec | LTL Keepalives | N | Y | N | 26 | 25 | 4121 | Boolean | 0 (False), 1 (True) | ?? | User DB |
| Argument | IPSec Group Name* | Y | N | N | 26 | 26 | 4122 | String | Specifies the name of the internal group used for creating the IPSec tunnel (needed for CR 1508). | N/A | N/A |
| IPSec | Split Tunneling | N | Y | N | 26 | 27 | 4123 | String | Specifies the name of the network list that describes the split tunnel inclusion list | N/A | User DB |
| IPSec | Split Tunneling Policy | N | Y | N | 26 | 55 | 4123 | Integer | 0 = Tunnel everything, 1 = Split Tunneling - Only tunnel networks in the list, 2 = Local LAN Permitted - Tunnel everything but allow local networks in list to bypass | N/A | User DB |
| IPSec | Default Domain | N | Y | N | 26 | 28 | 4124 | String | Specifies the single default domain name to send to the client (up to 128 characters) | (None) | User DB |
| IPSec | Tunnel Type | N | Y | N | 26 | 30 | 4126 | Integer | 1 (LAN to LAN), 2 (Remote Access) | 2 (Remote Access) | User DB |
| IPSec | Mode Configuration | N | Y | N | 26 | 31 | 4127 | Boolean | 0 (False), 1 (True) | 1 (True) | User DB |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Value | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Argument | Authentication Server Priority* | Y | N | N | 26 | 32 | 4128 | Integer | Non-zero value specifies selection of an authentication server based on the passed priority number | N/A | N/A |
| IPSec | Group Lock of User | N | Y | N | 26 | 33 | 4129 | Boolean | 0 (False), 1 (True) | 1 (True) | User DB |
| IPSec | IPSec over UDP (for NAT) | N | Y | N | 26 | 34 | 4130 | Boolean | 0 (False), 1 (True) | 0 (False) | User DB |
| IPSec | UDP Port Number for IPSec | N | Y | N | 26 | 35 | 4131 | Integer | 4001-49,151 | 10,000 | User DB |
| Partitioning | Primary DHCP | N | Y | N | 26 | 128 | 4224 | IP Address | Valid IP Address | N/A | User DB |
| Partitioning | Secondary DHCP | N | Y | N | 26 | 129 | 4225 | IP Address | Valid IP Address | N/A | User DB |
| Partitioning | Premise Router | N | Y | N | 26 | 131 | 4226 | IP Address | Valid IP Address | N/A | User DB |
| Partitioning | Partition Max Sessions | N | Y | N | 26 | 132 | 4227 | Integer | | N/A | User DB |
| Partitioning | Mobile IP Key | N | Y | N | 26 | 133 | 4228 | String | Key for the mobile IP connection to the premise router (16 bytes fixed) | N/A | User DB |
| Partitioning | Mobile IP Address | N | Y | N | 26 | 134 | 4229 | IP Address | IP Address for the mobile IP connection to the premise router | N/A | User DB |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Value | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ** Mode Config | ** Banner | Y | N | N | 26 | 15 | ? | String | Up to 255 characters | None | N/A |
| ** Mode Config | ** Banner (Part 2) | N | Y | N | 26 | 36 | ? | String | Up to 255 characters | ? | ? |
| ** Mode Config | ** Allow Password Storage on Client | N | Y | N | 26 | 16 | ? | Boolean | 0 (False), 1 (True) | 0 (False) | ? |
| ** Mode Config | Split Tunneling Policy | N | Y | N | 26 | 55 | ? | Integer | 0 (Tunneling everything), 1 (Split Tunneling - only tunnel networks in the list), 2 (Local LAN Permitted - tunnel everything but allow local networks in the list to bypass) | ? | ? |
| ** Mode Config | ** Split Tunneling Network List | Y | N | N | 26 | 27 | ? | String | Specifies the name of the network list that describes the split tunnel inclusion list | None | N/A |
| ** Mode Config | ** Default Domain Name | N | Y | N | 26 | 28 | ? | String | Specifies the single default domain name to send to the client (up to 128 characters) | ? | ? |
| ** Mode Config | ** IPSec over UDP (for NAT) | N | Y | N | 26 | 34 | ? | Boolean | 0 (False), 1 (True) | 0 (False) | ? |
| ** Mode Config | ** IPSec over UDP Port | N | Y | N | 26 | 35 | ? | Integer | 4001 - 49151 | 10000 | ? |
| ** Mode Config | ** IPSec Backup Server Enabled | N | Y | N | 26 | 59 | ? | Integer | 1 (Client Configured), 2 (Disable and Clear), 3 (Use Backup IPSec Server List) | ? | ? |
| ** Mode Config | ** IPSec Backup Server List | N | Y | N | 26 | 60 | ? | String | Valid String | none | ? |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Value | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ** Client FW | ** Required Client Firewall Vendor Code | Y | N | N | 26 | 45 | ? | Integer | 0-65535 (Mappings defined in User Management Documentation) | ? | ? |
| ** Client FW | ** Required Client Firewall Product Code | N | Y | N | 26 | 46 | ? | Bitmap | 0 to ((2**32) - 1) (Mappings defined in User Management Documentation) | ? | ? |
| ** Client FW | ** Client Firewall Optional | N | Y | N | 26 | 58 | ? | Boolean | 0 (False, for example, required), 1 (True, for example, optional) | 0 (False) | ? |
| ** Client FW | ** Required Client Firewall Description | N | Y | N | 26 | 47 | ? | String | Describes the required firewall when codes are selected outside of pull-down menu | ? | ? |
| ** Client FW | ** Required Client Firewall Capability | Y | N | N | 26 | 56 | ? | Bitmap | 0 (None), 1 (AYT), 2 (CPP), 4 (Policy from server) | ? | ? |
| ** Client FW | ** Client Firewall Filter Name | N | Y | N | 26 | 57 | ? | String | Specifies the name of the filter to be pushed to the client as a firewall policy (when CPP is selected) | ? | ? |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Value | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ** HW Client | ** Require Interactive Hardware Client Authentication | Y | N | N | 26 | 48 | ? | Boolean | 0 (False), 1 (True) | ? | ? |
| ** HW Client | ** Require Individual User Authentication | N | Y | N | 26 | 49 | ? | Boolean | 0 (False), 1 (True) | ? | ? |
| ** HW Client | ** User Idle Timeout | N | Y | N | 26 | 50 | ? | Integer | Minutes | 30 | ? |
| ** HW Client | ** Cisco IP Phone Bypass | N | Y | N | 26 | 51 | ? | Boolean | 0 (False), 1 (True) | ? | ? |
| HW Client | **** LEAP Bypass | N | Y | N | 26 | 75 | ? | Boolean | 0 (False), 1 (True) | 0 (False) | ? |

| Category | Attribute | Args | Group | User | RADIUS Attribute | Vendor Attribute | MIB ID | Type | Value | Base Value | Base Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Partitioning | Mobile IP Security Parameter Index (SPI) | N | Y | N | 26 | 135 | 4230 | String | SPI for the mobile IP connection to the premise router | N/A | User DB |
| Partitioning | Strip Realm | N | Y | N | 26 | 136 | 4231 | Boolean | 0 (False), 1 (True) | N/A | User DB |
| Partitioning | Group ID | N | Y | N | 26 | 137 | 4232 | Integer | | N/A | User DB |
| *** IPSec | Secondary Domain List | N | Y | N | 26 | 29 | 4125 | String | Specifies the list of secondary domain names to send to the client (up to 256 characters) | (None) | User DB |
| *** PPTP/L2TP | Push configuration policy to MS style clients | N | Y | N | 26 | 62 | 4158 | Boolean | 0 (False), 1 (True) | 0 (False) | User DB |
| *** PPTP/L2TP | Client Subnet Mask | N | Y | N | 26 | 63 | 4159 | IP Address | Valid string | N/A | User DB |
| *** IPSec | Network Extension Mode Limiting | N | Y | N | 26 | 64 | 4160 | Boolean | 0 (False), 1 (True) | 0 (False) | User DB |
| WebVPN | ***** WebVPN-Content-Filter-Parameters | N | Y | N | 26 | 69 | 4165 | Bitmap | 1 (Java ActiveX), 2 (Scripts), 4 (Image), 8 (Cookies) | N/A | User DB |
| WebVPN | ***** WebVPN-Enable-functions | N | Y | N | 26 | 70 | 4166 | Bitmap | 1 (URLs), 2 (File Access), 4 (Server Entry), 8 (Server Browsing), 16 (Web Email), 32 (Port Forwarding), 64 (MAPI Proxy), 128 (ACL Apply), 256 (Citrix Support) | N/A | User DB |
| WebVPN | ***** WebVPN-Exchange-Server-Address | N | Y | N | 26 | 74 | 4170 | String | Valid String | Null | User DB |
| IPSec | ***** Client-Type-Version-Limiting | N | Y | N | 26 | 77 | 4173 | String | Valid String | Null | User DB |
| WebVPN | ***** WebVPN-ExchangeServer-NETBIOS-Name | N | Y | N | 26 | 78 | 4174 | String | Valid String | Null | User DB |
| WebVPN | ***** Port-Forwarding-Name | N | Y | N | 26 | 79 | 4175 | String | Valid String | Application Access | User DB |
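
The bitmap rows above carry legality notes that are easy to violate when a RADIUS profile is edited by hand. The following is an added example, not code from Cisco or from this document: it decodes the Tunneling Protocols, Minimal Authentication Protocol and PPTP Encryption bitmaps and audits a reply profile against the table's notes. Bit meanings and legal values are taken from the table; the function names and the sample profile are constructed for illustration.

```python
AUTH = {1: "PAP", 2: "CHAP", 4: "EAP-MD5", 8: "EAP-GTC",
        16: "EAP-TLS", 32: "MSCHAP", 64: "MSCHAP2"}
ENC = {1: "Encryption Required", 2: "40-bit", 4: "128-bit", 8: "Stateless Required"}
# Vendor attribute number -> (name, bit meanings), as listed in the table.
BITMAPS = {
    11: ("Tunneling Protocols", {1: "PPTP", 2: "L2TP", 4: "IPSec", 8: "L2TP/IPSec"}),
    18: ("PPTP Minimal Authentication Protocol", AUTH),
    19: ("L2TP Minimal Authentication Protocol", AUTH),
    20: ("PPTP Encryption", ENC),
}
# Rows whose notes say the attribute is not to be sent from RADIUS.
NOT_FROM_RADIUS = {3: "Minimum Password Length",
                   4: "Allow Alphabetic-Only Passwords", 20: "PPTP Encryption"}

def decode(vsa, value):
    """Names of the bits set in a bitmap attribute, lowest bit first."""
    return [name for bit, name in sorted(BITMAPS[vsa][1].items()) if value & bit]

def is_legal(vsa, value):
    """True if value is legal for this bitmap according to the table's notes."""
    if value < 0 or value & ~sum(BITMAPS[vsa][1]):
        return False                   # negative, or bits the table does not define
    if vsa == 11:                      # 4 (IPSec) and 8 (L2TP/IPSec) are mutually exclusive
        return value != 0 and not (value & 4 and value & 8)
    if vsa == 20:                      # every listed valid value selects 40-bit or 128-bit
        return bool(value & 6)
    return True

def audit(profile):
    """Findings for a {vendor attribute number: integer value} reply profile."""
    findings = []
    for vsa, value in sorted(profile.items()):
        if vsa in NOT_FROM_RADIUS:
            findings.append(f"VSA {vsa} ({NOT_FROM_RADIUS[vsa]}): not to be sent from RADIUS")
        if vsa not in BITMAPS:
            continue
        name = BITMAPS[vsa][0]
        if not is_legal(vsa, value):
            findings.append(f"VSA {vsa} ({name}): {value} is not a legal value")
        elif vsa in (18, 19) and value & 1:
            findings.append(f"VSA {vsa} ({name}): PAP allowed; base value 102 excludes it")
    return findings

# Constructed sample profile (not from a real server): attribute number -> value.
SAMPLE = {2: 3, 11: 12, 18: 103, 20: 9}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The two rules in `is_legal` reproduce the legal-value lists given in the Tunneling Protocols and PPTP Encryption rows.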


Updated: Jan 14, 2008