RADIUS Attribute-Value Pairs

Cisco Secure ACS 2.3 for Windows NT Server (CiscoSecure ACS) provides support for many Remote Access Dial-In User Service (RADIUS) attribute-value (AV) pairs. Included with CiscoSecure ACS are the full AV pairs contained in Cisco IOS Release 11.2, Ascend, RedCreek, and Internet Engineering Task Force (IETF) RADIUS. You can enable different AV pairs for any of the supported vendors. The supported AV pairs specific to each vendor are listed in this appendix.

Cisco IOS Dictionary of RADIUS AV Pairs

Before selecting AV pairs for the CiscoSecure ACS, confirm that your network access server (NAS) is running Cisco IOS Release 11.2 or later or compatible NAS software, for RADIUS support.

Note If you specify a given AV pair on the CiscoSecure ACS, the corresponding AV pair must be implemented in the Cisco IOS software running on the NAS. As a result, always consider what AV pairs your Cisco IOS release supports on the NAS. If CiscoSecure ACS sends those AV pairs to the NAS but the Cisco IOS software does not support them, the attribute you requested cannot be implemented.

Note Beginning with CiscoSecure ACS Release 2.3, someRADIUS attributes no longer appear on the Group Setup page. This is because IP pools and Callback supersede the following attributes:
8, Framed-IP-Address
19, Callback-Number
218, Ascend-Assign-IP-Pool
Additionally, these attributes cannot be set via database synchronization.

**Table D-1: Cisco IOS Software RADIUS AV Pairs**
Attribute	Value	Type of Value
User-Name	1	string
Password	2	string
CHAP-Password	3	string
Client-Id	4	ipaddr
Client-Port-Id	5	integer
User-Service-Type	6	integer
Framed-Protocol	7	integer
Framed-Netmask	9	ipaddr
Framed-Routing	10	integer
Framed-Filter-Id	11	string
Framed-MTU	12	integer
Framed-Compression	13	integer
Login-Host	14	ipaddr
Login-Service	15	integer
Login-TCP-Port	16	integer
Old-Password	17	string
Port-Message	18	string
Dialback-Name	20	string
Expiration	21	date
Framed-Route	22	string
Framed-IPX-Network	23	ipaddr
Challenge-State	24	string
Vendor specific	26	string
Acct-Status-Type	40	integer
Acct-Delay-Time	41	integer
Acct-Input-Octets	42	integer
Acct-Output-Octets	43	integer
Acct-Session-Id	44	string
Acct-Authentic	45	integer
Acct-Session-Time	46	integer
Acct-Input-Packets	47	integer
Acct-Ouput-Packets	48	integer

RADIUS (IETF) Attributes

Table D-2 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.

**Table D-2: RADIUS (IETF) Attributes Listed by Cisco IOS Release**
No.	Attribute	Description	11.1	11.2
1	User-Name	Name of the user being authenticated.	Yes	Yes
2	User-Password	User's password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications.	Yes	Yes
3	CHAP-Password	PPP¹ CHAP² response to an Access-Challenge.	Yes	Yes
4	NAS-IP Address	IP address of the NAS that is requesting authentication.	Yes	Yes
5	NAS-Port	Physical port number of the NAS that is authenticating the user. The NAS port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows: For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number. For ordinary synchronous network interfaces, the value is 10xxx. For channels on a primary-rate ISDN³ interface, the value is 2ppcc. For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss.	Yes	Yes
6	Service-Type	Type of service requested or type of service to be provided: In a request: Framed for known PPP or SLIP⁴ connection. Administrative-user for enable command. In a response: Login---Make a connection. Framed---Start SLIP or PPP. Administrative User---Start an EXEC or enable ok. Exec User---Start an EXEC session.	Yes	Yes
7	Framed-Protocol	Framing to be used for framed access.	Yes	Yes
8	Framed-IP-Address	Address to be configured for the user.	Yes	Yes
9	Framed-IP-Netmask	IP netmask to be configured for the user when the user is a router to a network. This attribute-value results in a static route being added for Framed-IP-Address with the mask specified.	Yes	Yes
10	Framed-Routing	Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute.	Yes	Yes
11	Filter-Id	Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.	Yes	Yes
13	Framed-Compression	Compression protocol used for the link. This attribute results in "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.	Yes	Yes
14	Login-IP-Host	Host to which the user will connect when the Login-Service attribute is included.	Yes	Yes
15	Login-Service	Service that should be used to connect the user to the login host.	Yes	Yes
16	Login-Port	TCP⁵ port with which the user is to be connected when the Login-Service attribute is also present.	Yes	Yes
17	Change-Password	Request to change a user's password.	No	11.2(5)F
18	Reply-Message	Text to be displayed to the user.	Yes	Yes
21	Password-Expiration	Expiration date for a user's password in the user's file entry.	No	11.2(5)F
22	Framed-Route	Routing information to be configured for the user on this NAS. The RADIUS RFC⁶ format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored.	Yes	Yes
24	State	Allows State information to be maintained between the NAS and the RADIUS server. This attribute is applicable only to CHAP challenges.	Yes	Yes
26	Vendor-Specific	Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format: protocol:attribute sep value Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. For example: cisco-avpair= "ip:addr-pool=first" cisco-avpair= "shell:priv-lvl=15" The first example causes Cisco's multiple named IP address pools feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a NAS prompt user to have immediate access to EXEC commands.	Yes	Yes
27	Session-Timeout	Maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user absolute timeout. This attribute is not valid for PPP sessions.	Yes	Yes
28	Idle-Timeout	Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This attribute value becomes the per-user session-timeout. This attribute is not valid for PPP sessions.	Yes	Yes
34	Login-LAT-Service	System with which the user is to be connected by LAT. This attribute is only available in the EXEC mode.	Yes	Yes
35	Login-LAT-Node	Node with which the user is to be automatically connected by LAT⁷.	No	No
36	Login-LAT-Group	LAT group codes that this user is authorized to use.	No	No

¹PPP = Point-to-Point Protocol
²CHAP = Challenge Handshake Authentication Protocol
³ISDN = Integrated Services Digital Network
⁴SLIP = Serial Line Internet Protocol
⁵TCP = Transmission Control Protocol
⁶RFC = Request for Comments
⁷LAT = local-area transport

RADIUS (IETF) Accounting Attributes

Table D-3 lists the supported RADIUS (IETF) accounting attributes. If the attribute has a security server-specific format, the format is specified.

**Table D-3: RADIUS (IETF) Accounting Attributes Listed by Cisco IOS Release**
Number	Attribute	Description	11.1	1.2
25	Class	Arbitrary value that the NAS includes in all accounting packets for this user if supplied by the RADIUS server.	Yes	Yes
30	Called-Station-Id	Allows the NAS to send the telephone number the user called into as part of the access-request packet (using DNIS¹ or similar technology). This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI².	Yes	Yes
31	Calling-Station-Id	Allows the NAS to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI.	Yes	Yes
40	Acct-Status-Type	Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop).	Yes	Yes
41	Acct-Delay-Time	Number of seconds the client has been trying to send a particular record.	Yes	Yes
42	Acct-Input-Octets	Number of octets received from the port while this service is being provided.	Yes	Yes
43	Acct-Output-Octets	Number of octets sent to the port while this service is being delivered.	Yes	Yes
44	Acct-Session-Id	Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable.	Yes	Yes
45	Acct-Authentic	Way in which the user was authenticated---by RADIUS, by the NAS itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.	Yes	Yes
46	Acct-Session-Time	Number of seconds the user has been receiving service.	Yes	Yes
47	Acct-Input-Packets	Number of packets received from the port while this service is being provided to a framed user.	Yes	Yes
48	Acct-Output-Packets	Number of packets sent to the port while this service is being delivered to a framed user.	Yes	Yes
61	NAS-Port-Type	Type of physical port the NAS is using to authenticate the user.	Yes	Yes

¹DNIS = Dialed Number Identification Server
²PRI = Primary Rate Interface

Dictionary of Ascend RADIUS Attributes

This file contains dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types:

string---0-253 octets
abinary---0-254 octets
ipaddr---4 octets in network byte order
integer---32-bit value in big endian order (high byte first)
call filter---defines a call filter for the profile

Note RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you make changes to a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.

date---32-bit value in big-endian order. For example, seconds since 00:00:00 universal time (UT), Jan. 1, 1970

Enumerated values are stored in the user file with dictionary value translations for easy administration.

Table D-4: **Dictionary of Ascend RADIUS Attributes**
Attribute	Value	Type of Value
Dictionary of Ascend Attributes
User-Name	1	string
Password	2	string
Challenge-Response	3	string
NAS-Identifier	4	ipaddr
NAS-Port	5	integer
User-Service	6	integer
Framed-Protocol	7	integer
Framed-Address	8	ipaddr
Framed-Netmask	9	ipaddr
Framed-Routing	10	integer
Framed-Filter	11	string
Framed-MTU	12	integer
Framed-Compression	13	integer
Login-Host	14	ipaddr
Login-Service	15	integer
Login-TCP-Port	16	integer
Change-Password	17	string
Reply-Message	18	string
Callback-Number	19	string
Callback-Name	20	string
Ascend-PW-Expiration	21	date
Framed-Route	22	string
Framed-IPX-Network	23	integer
State	24	string
Class	25	string
Vendor-Specific	26	string
Client-Port-DNIS	30	string
Caller-Id	31	string
Acct-Status-Type	40	integer
Acct-Delay-Time	41	integer
Acct-Input-Octets	42	integer
Acct-Output-Octets	43	integer
Acct-Session-Id	44	integer
Acct-Authentic	45	integer
Acct-Session-Time	46	integer
Acct-Input-Packets	47	integer
Acct-Output-Packets	48	integer
Ascend-Client-Primary-DNS	135	address
Ascend-Client-Secondary-DNS	136	address
Ascend-Client-Assign-DNS	137	enum
Ascend-User-Acct-Type	138	enum
Ascend-User-Acct-Host	139	address
Ascend-User-Acct-Port	140	integer
Ascend-User-Acct-Key	141	string
Ascend-User-Acct-Base	142	enum
Ascend-User-Acct-Time	143	integer
Support IP Address Allocation from Global Pools
Ascend-Assign-IP-Client	144	ipaddr
Ascend-Assign-IP-Server	145	ipaddr
Ascend-Assign-IP-Global-Pool	146	string
DHCP Server Functions
Ascend-DHCP-Reply	147	integer
Ascend-DHCP-Pool-Number	148	integer
Connection Profile/Telco Option
Ascend-Expect-Callback	149	Integer
Event Type for an Ascend-Event Packet
Ascend-Event-Type	150	Integer
RADIUS Server Session Key
Ascend-Session-Svr-Key	151	string
Multicast Rate Limit Per Client
Ascend-Multicast-Rate-Limit	152	integer
Connection Profile Fields to Support Interface-Based Routing
Ascend-IF-Netmask	153	ipaddr
Ascend-Remote-Addr	154	ipaddr
Multicast Support
Ascend-Multicast-Client	155	integer
Frame Datalink Profiles
Ascend-FR-Circuit-Name	156	string
Ascend-FR-LinkUp	157	integer
Ascend-FR-Nailed-Grp	158	integer
Ascend-FR-Type	159	integer
Ascend-FR-Link-Mgt	160	integer
Ascend-FR-N391	161	integer
Ascend-FR-DCE-N392	162	integer
Ascend-FR-DTE-N392	163	integer
Ascend-FR-DCE-N393	164	integer
Ascend-FR-DTE-N393	165	integer
Ascend-FR-T391	166	integer
Ascend-FR-T392	167	integer
Ascend-Bridge-Address	168	string
Ascend-TS-Idle-Limit	169	integer
Ascend-TS-Idle-Mode	170	integer
Ascend-DBA-Monitor	171	integer
Ascend-Base-Channel-Count	172	integer
Ascend-Minimum-Channels	173	integer
IPX Static Routes
Ascend-IPX-Route	174	string
Ascend-FT1-Caller	175	integer
Ascend-Backup	176	string
Ascend-Call-Type	177	integer
Ascend-Group	178	string
Ascend-FR-DLCI	179	integer
Ascend-FR-Profile-Name	180	string
Ascend-Ara-PW	181	string
Ascend-IPX-Node-Addr	182	string
Ascend-Home-Agent-IP-Addr	183	ipaddr
Ascend-Home-Agent-Password	184	string
Ascend-Home-Network-Name	185	string
Ascend-Home-Agent-UDP-Port	186	integer
Ascend-Multilink-ID	187	integer
Ascend-Num-In-Multilink	188	integer
Ascend-First-Dest	189	ipaddr
Ascend-Pre-Input-Octets	190	integer
Ascend-Pre-Output-Octets	191	integer
Ascend-Pre-Input-Packets	192	integer
Ascend-Pre-Output-Packets	193	integer
Ascend-Maximum-Time	194	integer
Ascend-Disconnect-Cause	195	integer
Ascend-Connect-Progress	196	integer
Ascend-Data-Rate	197	integer
Ascend-PreSession-Time	198	integer
Ascend-Token-Idle	199	integer
Ascend-Token-Immediate	200	integer
Ascend-Require-Auth	201	integer
Ascend-Number-Sessions	202	string
Ascend-Authen-Alias	203	string
Ascend-Token-Expiry	204	integer
Ascend-Menu-Selector	205	string
Ascend-Menu-Item	206	string
RADIUS Password Expiration Options
Ascend-PW-Warntime	207	integer
Ascend-PW-Lifetime	208	integer
Ascend-IP-Direct	209	ipaddr
Ascend-PPP-VJ-Slot-Comp	210	integer
Ascend-PPP-VJ-1172	211	integer
Ascend-PPP-Async-Map	212	integer
Ascend-Third-Prompt	213	string
Ascend-Send-Secret	214	string
Ascend-Receive-Secret	215	string
Ascend-IPX-Peer-Mode	216	integer
Ascend-IP-Pool-Definition	217	string
Ascend-FR-Direct	219	integer
Ascend-FR-Direct-Profile	220	string
Ascend-FR-Direct-DLCI	221	integer
Ascend-Handle-IPX	222	integer
Ascend-Netware-timeout	223	integer
Ascend-IPX-Alias	224	integer
Ascend-Metric	225	integer
Ascend-PRI-Number-Type	226	integer
Ascend-Dial-Number	227	string
Connection Profile/PPP Options
Ascend-Route-IP	228	integer
Ascend-Route-IPX	229	integer
Ascend-Bridge	230	integer
Ascend-Send-Auth	231	integer
Ascend-Send-Passwd	232	string
Ascend-Link-Compression	233	integer
Ascend-Target-Util	234	integer
Ascend-Maximum-Channels	235	integer
Ascend-Inc-Channel-Count	236	integer
Ascend-Dec-Channel-Count	237	integer
Ascend-Seconds-Of-History	238	integer
Ascend-History-Weigh-Type	239	integer
Ascend-Add-Seconds	240	integer
Ascend-Remove-Seconds	241	integer
Connection Profile/Session Options
Ascend-Data-Filter	242	call filter
Ascend-Call-Filter	243	call filter
Ascend-Idle-Limit	244	integer
Ascend-Preempt-Limit	245	integer
Connection Profile/Telco Options
Ascend-Callback	246	integer
Ascend-Data-Svc	247	integer
Ascend-Force-56	248	integer
Ascend-Billing-Number	249	string
Ascend-Call-By-Call	250	integer
Ascend-Transit-Number	251	string
Terminal Server Attributes
Ascend-Host-Info	252	string
PPP Local Address Attribute
Ascend-PPP-Address	253	ipaddr
MPP Percent Idle Attribute
Ascend-MPP-Idle-Percent	254	integer

Dictionary of RedCreek RADIUS AV Pairs

This file contains dictionary translations for RedCreek RADIUS. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following data types:

string---0-253 octets
ipaddr---4 octets in network byte order

The Vendor Name is Redcreek; the code is 1958.

**Table D-5: Dictionary of RedCreek RADIUS AV Pairs**
Number	Attribute	Type of Value
005	RedCreek-Tunneled-IP-Addr	ipaddr
006	RedCreek-Tunneled-IP-Netmask	ipaddr
007	RedCreek-Tunneled-Gateway	ipaddr
008	RedCreek-Tunneled-DNS-Server	string
009	RedCreek-Tunneled-WINS-Server1	string
010	RedCreek-Tunneled-WINS-Server2	string
011	RedCreek-Tunneled-HostName	string
012	RedCreek-Tunneled-DomainName	string
013	RedCreek-Tunneled-SearchList	string

Posted: Mon Feb 1 13:44:32 PST 1999
Posted: Mon Feb 1 13:44:32 PST 1999

Table of Contents