Table of Contents
RADIUS Attributes
Cisco IOS Dictionary of RADIUS AV Pairs
Cisco IOS/PIX Dictionary of RADIUS VSAs
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
Vendor-Proprietary IETF RADIUS AV Pairs
IETF Dictionary of RADIUS AV Pairs
Microsoft MPPE Dictionary of RADIUS VSAs
Ascend Dictionary of RADIUS AV Pairs
Nortel Dictionary of RADIUS VSAs
Juniper Dictionary of RADIUS VSAs
RADIUS Attributes
Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) provides support for many RADIUS attributes. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by Cisco Secure ACS for the following vendors' implementations of RADIUS:
- Cisco IOS RADIUS
- Cisco VPN 3000 Concentrator RADIUS
- Cisco VPN 5000 Concentrator RADIUS
- Cisco Building Broadband Service Manager RADIUS
- Microsoft RADIUS
- Ascend RADIUS
- Nortel RADIUS
- Juniper RADIUS
- Internet Engineering Task Force (IETF) RADIUS
You can enable different AV pairs for any supported vendor. The RADIUS AV pairs supported for each vendor are listed in the sections that follow.
Cisco IOS Dictionary of RADIUS AV Pairs
Cisco Secure ACS supports Cisco IOS RADIUS attribute-value (AV) pairs. Before selecting AV pairs for Cisco Secure ACS, confirm that your AAA client is a compatible release of Cisco IOS or compatible AAA client software. For more information, see the "System Requirements" section.
Note: If you specify a given AV pair on Cisco Secure ACS, the corresponding AV pair must be implemented in the Cisco IOS software running on the network device. Always take into consideration which AV pairs your Cisco IOS release supports. If Cisco Secure ACS sends an AV pair that the Cisco IOS software does not support, the attribute is not implemented.
Note: Beginning with Cisco Secure ACS version 2.3, some RADIUS attributes do not appear on the Group Setup page, because IP pools and callback supersede the following attributes:
- 8, Framed-IP-Address
- 19, Callback-Number
- 218, Ascend-Assign-IP-Pool
These attributes also cannot be set via RDBMS Synchronization.
Table D-1 lists the supported Cisco IOS RADIUS AV pairs.
Table D-1 Cisco IOS Software RADIUS AV Pairs

| Attribute | Number | Type of Value |
| --- | --- | --- |
| User-Name | 1 | string |
| User-Password | 2 | string |
| CHAP-Password | 3 | string |
| NAS-IP-Address | 4 | ipaddr |
| NAS-Port | 5 | integer |
| Service-Type | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-IP-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Filter-Id | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-IP-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Old-Password | 17 | string |
| Reply-Message | 18 | string |
| Expiration | 21 | date |
| Framed-Route | 22 | string |
| State | 24 | string |
| Class | 25 | string |
| Vendor-Specific | 26 | string |
| Session-Timeout | 27 | integer |
| Idle-Timeout | 28 | integer |
| Called-Station-ID | 30 | string |
| Calling-Station-ID | 31 | string |
| Login-LAT-Service | 33 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-ID | 44 | string |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-Packets | 47 | integer |
| Acct-Output-Packets | 48 | integer |
| Acct-Terminate-Cause | 49 | integer |
| NAS-Port-Type | 61 | integer |
| NAS-Port-Limit | 62 | integer |
Cisco IOS/PIX Dictionary of RADIUS VSAs
Cisco Secure ACS supports Cisco IOS/PIX vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 009. Table D-2 lists the supported Cisco IOS/PIX RADIUS VSAs.
Note: For a discussion of Cisco IOS/PIX RADIUS VSA 1, cisco-av-pair, see AV pair 26 in Table D-7.
Note: For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP documentation.
Note: For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.
Table D-2 Cisco IOS/PIX RADIUS VSAs

| Attribute | Number | Type of Value |
| --- | --- | --- |
| cisco-av-pair | 1 | string |
| cisco-vsa-port-string | 2 | string |
| cisco-h323-remote-address | 23 | string |
| cisco-h323-conf-id | 24 | string |
| cisco-h323-setup-time | 25 | string |
| cisco-h323-call-origin | 26 | string |
| cisco-h323-call-type | 27 | string |
| cisco-h323-connect-time | 28 | string |
| cisco-h323-disconnect-time | 29 | string |
| cisco-h323-disconnect-cause | 30 | string |
| cisco-h323-voice-quality | 31 | string |
| cisco-h323-gw-id | 33 | string |
| cisco-h323-incoming-conn-id | 35 | string |
| cisco-h323-credit-amount | 101 | string |
| cisco-h323-credit-time | 102 | string |
| cisco-h323-return-code | 103 | string |
| cisco-h323-prompt-id | 104 | string |
| cisco-h323-day-and-time | 105 | string |
| cisco-h323-redirect-number | 106 | string |
| cisco-h323-preferred-lang | 107 | string |
| cisco-h323-redirect-ip-addr | 108 | string |
| cisco-h323-billing-model | 109 | string |
| cisco-h323-currency | 110 | string |
| cisco-ssg-account-info | 250 | string |
| cisco-ssg-service-info | 251 | string |
| cisco-ssg-control-info | 253 | string |
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
Cisco Secure ACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. Table D-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.
Note: Some of the RADIUS VSAs supported by Cisco VPN 3000 Concentrators are interdependent. Before you implement them, we recommend that you refer to Cisco VPN 3000-series Concentrator documentation.
Table D-3 Cisco VPN 3000 Concentrator RADIUS VSAs

| Attribute | Number | Type of Value |
| --- | --- | --- |
| CVPN3000-Access-Hours | 1 | string |
| CVPN3000-Simultaneous-Logins | 2 | integer |
| CVPN3000-Primary-DNS | 5 | ipaddr |
| CVPN3000-Secondary-DNS | 6 | ipaddr |
| CVPN3000-Primary-WINS | 7 | ipaddr |
| CVPN3000-Secondary-WINS | 8 | ipaddr |
| CVPN3000-SEP-Card-Assignment | 9 | integer |
| CVPN3000-Tunneling-Protocols | 11 | integer |
| CVPN3000-IPSec-Sec-Association | 12 | string |
| CVPN3000-IPSec-Authentication | 13 | integer |
| CVPN3000-IPSec-Banner1 | 15 | string |
| CVPN3000-IPSec-Allow-Passwd-Store | 16 | integer |
| CVPN3000-Use-Client-Address | 17 | integer |
| CVPN3000-PPTP-Encryption | 20 | integer |
| CVPN3000-L2TP-Encryption | 21 | integer |
| CVPN3000-IPSec-Split-Tunnel-List | 27 | string |
| CVPN3000-IPSec-Default-Domain | 28 | string |
| CVPN3000-IPSec-Tunnel-Type | 30 | integer |
| CVPN3000-IPSec-Mode-Config | 31 | integer |
| CVPN3000-IPSec-User-Group-Lock | 33 | integer |
| CVPN3000-IPSec-Over-UDP | 34 | integer |
| CVPN3000-IPSec-Over-UDP-Port | 35 | integer |
| CVPN3000-IPSec-Banner2 | 36 | string |
| CVPN3000-PPTP-MPPC-Compression | 37 | integer |
| CVPN3000-L2TP-MPPC-Compression | 38 | integer |
| CVPN3000-IPSec-IP-Compression | 39 | integer |
| CVPN3000-IPSec-IKE-Peer-ID-Check | 40 | integer |
| CVPN3000-IKE-Keep-Alives | 41 | integer |
| CVPN3000-IPSec-Auth-On-Rekey | 42 | integer |
| CVPN3000-Required-Client-Firewall-Vendor-Code | 45 | integer |
| CVPN3000-Required-Client-Firewall-Product-Code | 46 | integer |
| CVPN3000-Required-Client-Firewall-Description | 47 | string |
| CVPN3000-Require-HW-Client-Auth | 48 | integer |
| CVPN3000-Require-Individual-User-Auth | 49 | integer |
| CVPN3000-Authenticated-User-Idle-Timeout | 50 | integer |
| CVPN3000-Cisco-IP-Phone-Bypass | 51 | integer |
| CVPN3000-User-Auth-Server-Name | 52 | string |
| CVPN3000-User-Auth-Server-Port | 53 | integer |
| CVPN3000-User-Auth-Server-Secret | 54 | string |
| CVPN3000-IPSec-Split-Tunneling-Policy | 55 | integer |
| CVPN3000-IPSec-Required-Client-Firewall-Capability | 56 | integer |
| CVPN3000-IPSec-Client-Firewall-Filter-Name | 57 | string |
| CVPN3000-IPSec-Client-Firewall-Filter-Optional | 58 | integer |
| CVPN3000-IPSec-Backup-Servers | 59 | integer |
| CVPN3000-IPSec-Backup-Server-List | 60 | string |
| CVPN3000-Strip-Realm | 135 | integer |
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
Cisco Secure ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. Table D-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs.
Table D-4 Cisco VPN 5000 Concentrator RADIUS VSAs

| Attribute | Number | Type of Value |
| --- | --- | --- |
| CVPN5000-Tunnel-Throughput | 001 | integer |
| CVPN5000-Client-Assigned-IP | 002 | string |
| CVPN5000-Client-Real-IP | 003 | string |
| CVPN5000-VPN-GroupInfo | 004 | string |
| CVPN5000-VPN-Password | 005 | string |
| CVPN5000-Echo | 006 | integer |
| CVPN5000-Client-Assigned-IPX | 007 | integer |
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
Cisco Secure ACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263. Table D-5 lists the supported Cisco BBSM RADIUS VSA.
Table D-5 Cisco BBSM RADIUS VSA

| Attribute | Number | Type of Value |
| --- | --- | --- |
| CBBSM-Bandwidth | 001 | integer |
Vendor-Proprietary IETF RADIUS AV Pairs
Table D-6 lists the supported vendor-proprietary RADIUS (IETF) attributes.
Table D-6 Vendor-Proprietary RADIUS Attributes

| No. | Vendor-Proprietary Attribute |
| --- | --- |
| 17 | Change-Password |
| 21 | Password-Expiration |
| 135 | Primary-DNS-Server |
| 136 | Secondary-DNS-Server |
| 187 | Multilink-ID |
| 188 | Num-In-Multilink |
| 190 | Pre-Input-Octets |
| 191 | Pre-Output-Octets |
| 192 | Pre-Input-Packets |
| 193 | Pre-Output-Packets |
| 194 | Maximum-Time |
| 195 | Disconnect-Cause |
| 197 | Data-Rate |
| 198 | PreSession-Time |
| 208 | PW-Lifetime |
| 209 | IP-Direct |
| 210 | PPP-VJ-Slot-Comp |
| 218 | Assign-IP-pool |
| 228 | Route-IP |
| 233 | Link-Compression |
| 234 | Target-Utils |
| 235 | Maximum-Channels |
| 242 | Data-Filter |
| 243 | Call-Filter |
| 244 | Idle-Limit |
IETF Dictionary of RADIUS AV Pairs
Table D-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified. Accounting attributes are listed in Table D-8.
Table D-7 RADIUS (IETF) Attributes

| No. | Attribute | Description |
| --- | --- | --- |
| 1 | User-Name | Name of the user being authenticated. |
| 2 | User-Password | User's password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications. |
| 3 | CHAP-Password | PPP (Point-to-Point Protocol) CHAP (Challenge Handshake Authentication Protocol) response to an Access-Challenge. |
| 4 | NAS-IP-Address | IP address of the AAA client that is requesting authentication. |
| 5 | NAS-Port | Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows: for asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number; for ordinary synchronous network interfaces, the value is 10xxx; for channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc; for channels on a basic rate ISDN interface, the value is 3bb0c; for other types of interfaces, the value is 6nnss. |
| 6 | Service-Type | Type of service requested or type of service to be provided. In a request: Framed (for a known PPP or SLIP (Serial Line Internet Protocol) connection); Administrative User (for the enable command). In a response: Login (make a connection); Framed (start SLIP or PPP); Administrative User (start an EXEC or enable ok); Exec User (start an EXEC session). |
| 7 | Framed-Protocol | Framing to be used for framed access. |
| 8 | Framed-IP-Address | Address to be configured for the user. |
| 9 | Framed-IP-Netmask | IP netmask to be configured for the user when the user is a router to a network. This attribute-value results in a static route being added for Framed-IP-Address with the mask specified. |
| 10 | Framed-Routing | Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute. |
| 11 | Filter-Id | Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. |
| 12 | Framed-MTU | Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means. |
| 13 | Framed-Compression | Compression protocol used for the link. This attribute results in "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. |
| 14 | Login-IP-Host | Host to which the user will connect when the Login-Service attribute is included. |
| 15 | Login-Service | Service that should be used to connect the user to the login host. Service is indicated by a numeric value as follows: 0: Telnet; 1: Rlogin; 2: TCP-Clear; 3: PortMaster; 4: LAT. |
| 16 | Login-TCP-Port | TCP (Transmission Control Protocol) port with which the user is to be connected when the Login-Service attribute is also present. |
| 18 | Reply-Message | Text to be displayed to the user. |
| 22 | Framed-Route | Routing information to be configured for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are currently ignored. |
| 24 | State | Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges. |
| 26 | Vendor-Specific | Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format `protocol:attribute sep value`. Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is `=` for mandatory attributes and `*` for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. For example, `cisco-avpair= "ip:addr-pool=first"` causes Cisco's multiple named IP address pools feature to be activated during IP authorization (during PPP's IPCP address assignment), and `cisco-avpair= "shell:priv-lvl=15"` gives a user at the AAA client prompt immediate access to EXEC commands. |
| 27 | Session-Timeout | Maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user absolute timeout. This attribute is not valid for PPP sessions. |
| 28 | Idle-Timeout | Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This attribute value becomes the per-user session-timeout. This attribute is not valid for PPP sessions. |
| 34 | Login-LAT-Service | System with which the user is to be connected by LAT. This attribute is only available in the EXEC mode. |
| 61 | NAS-Port-Type | Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as follows: 0: Asynchronous; 1: Synchronous; 2: ISDN-Synchronous; 3: ISDN-Asynchronous (V.120); 4: ISDN-Asynchronous (V.110); 5: Virtual. |
| 62 | Port-Limit | Sets the maximum number of ports to be provided to the user by the network access server. |
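The cisco-avpair format (attribute 26) and the NAS-Port encoding (attribute 5) described in Table D-7 are illustrated by the following added example, which is not part of this appendix or of Cisco Secure ACS. It assumes the RFC 2865 Vendor-Specific wire layout (type, length, 4-octet vendor-ID, then vendor-type, vendor-length and value) and uses the two avpair strings from the table as constructed sample input; the NAS-Port decoder treats a non-zero high 16 bits as the two-value extended-portnames case.

```python
import struct

# Values stated in Table D-7 for attribute 26: Cisco's vendor-ID is 9 and the
# supported vendor-type is 1 (cisco-avpair).
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1


def encode_cisco_avpair(avpair):
    """Build one Vendor-Specific (26) attribute carrying a cisco-avpair string.

    Wire layout assumed from RFC 2865 section 5.26: Type, Length, Vendor-Id
    (4 octets), then the vendor payload: Vendor-type, Vendor-length, value.
    """
    value = avpair.encode("ascii")
    vendor_len = 2 + len(value)          # vendor-type + vendor-length + value
    total_len = 2 + 4 + vendor_len       # type + length + vendor-id + payload
    if total_len > 255:
        raise ValueError("attribute exceeds the one-octet RADIUS length field")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, vendor_len)
    return header + value


def parse_cisco_avpair(attr):
    """Parse one attribute 26 into protocol, attribute, value and sep meaning.

    Both length fields are checked against the bytes actually present, so a
    truncated or padded attribute is rejected rather than read past its end.
    """
    if len(attr) < 8:
        raise ValueError("too short to be a Vendor-Specific attribute")
    atype, alen, vendor_id, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if atype != VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("type or length field does not match the data")
    if vendor_id != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR_TYPE:
        raise ValueError("not a cisco-avpair (vendor-ID 9, vendor-type 1)")
    if vlen != alen - 6:
        raise ValueError("vendor-length disagrees with attribute length")
    text = attr[8:].decode("ascii")
    # Table D-7 format: protocol:attribute sep value, where sep is "=" for a
    # mandatory attribute and "*" for an optional one.
    protocol, _, rest = text.partition(":")
    if not protocol or not rest:
        raise ValueError("missing protocol prefix")
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions or min(positions) == 0:
        raise ValueError("missing attribute name or '='/'*' separator")
    sep_pos = min(positions)
    return {
        "protocol": protocol,
        "attribute": rest[:sep_pos],
        "value": rest[sep_pos + 1:],
        "mandatory": rest[sep_pos] == "=",
    }


def decode_nas_port(port):
    """Decode NAS-Port (attribute 5) using the 5-digit scheme from Table D-7.

    The 32-bit value carries one 16-bit number, or two when the high half is
    non-zero (assumed here to be the extended portnames case); the leading
    digits of each 5-digit decimal select the interface type and the
    remaining digits are the fields named in the table.
    """
    if not 0 <= port <= 0xFFFFFFFF:
        raise ValueError("NAS-Port is a 32-bit value")
    halves = [port >> 16, port & 0xFFFF] if port >> 16 else [port & 0xFFFF]
    decoded = []
    for half in halves:
        d = "%05d" % half
        if d.startswith("00"):
            decoded.append(("async", {"line": int(d[2:])}))
        elif d.startswith("10"):
            decoded.append(("sync", {"interface": int(d[2:])}))
        elif d[0] == "2":
            decoded.append(("isdn-pri", {"interface": int(d[1:3]),
                                         "channel": int(d[3:])}))
        elif d[0] == "3" and d[3] == "0":
            decoded.append(("isdn-bri", {"interface": int(d[1:3]),
                                         "channel": int(d[4])}))
        elif d[0] == "6":
            decoded.append(("other", {"nn": int(d[1:3]), "ss": int(d[3:])}))
        else:
            decoded.append(("unrecognized", {"raw": d}))
    return decoded


if __name__ == "__main__":
    # Constructed sample input: the two avpair strings shown in Table D-7.
    for sample in ("ip:addr-pool=first", "shell:priv-lvl=15"):
        wire = encode_cisco_avpair(sample)
        print(wire.hex(), parse_cisco_avpair(wire))
    print(decode_nas_port(20105), decode_nas_port(7))
```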
RADIUS (IETF) Accounting AV Pairs
Table D-8 lists the supported RADIUS (IETF) accounting attributes. If the attribute has a security server-specific format, the format is specified.
Table D-8 RADIUS (IETF) Accounting Attributes

| No. | Attribute | Description |
| --- | --- | --- |
| 25 | Class | Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server. |
| 30 | Called-Station-Id | Allows the AAA client to send the telephone number the user called into as part of the access-request packet, using DNIS (Dialed Number Identification Server) or similar technology. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI (Primary Rate Interface). |
| 31 | Calling-Station-Id | Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI. |
| 40 | Acct-Status-Type | Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop). |
| 41 | Acct-Delay-Time | Number of seconds the client has been trying to send a particular record. |
| 42 | Acct-Input-Octets | Number of octets received from the port while this service is being provided. |
| 43 | Acct-Output-Octets | Number of octets sent to the port while this service is being delivered. |
| 44 | Acct-Session-Id | Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable. |
| 45 | Acct-Authentic | Way in which the user was authenticated: by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. |
| 46 | Acct-Session-Time | Number of seconds the user has been receiving service. |
| 47 | Acct-Input-Packets | Number of packets received from the port while this service is being provided to a framed user. |
| 48 | Acct-Output-Packets | Number of packets sent to the port while this service is being delivered to a framed user. |
| 49 | Acct-Terminate-Cause | Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows: 1: User request; 2: Lost carrier; 3: Lost service; 4: Idle timeout; 5: Session-timeout; 6: Admin reset; 7: Admin reboot; 8: Port error; 9: AAA client error; 10: AAA client request; 11: AAA client reboot; 12: Port unneeded; 13: Port pre-empted; 14: Port suspended; 15: Service unavailable; 16: Callback; 17: User error; 18: Host request. |
| 61 | NAS-Port-Type | Type of physical port the AAA client is using to authenticate the user. |
Microsoft MPPE Dictionary of RADIUS VSAs
Cisco Secure ACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that Cisco Secure ACS supports. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSAs:
- Cisco IOS
- Cisco VPN 3000
- Ascend
Table D-9 lists the supported MPPE RADIUS VSAs.
Table D-9 Microsoft MPPE RADIUS VSAs

| Attribute | Number | Type of Value | Description |
| --- | --- | --- | --- |
| MS-CHAP-Response | 1 | string | |
| MS-CHAP-Error | 2 | string | |
| MS-CHAP-CPW-1 | 3 | string | |
| MS-CHAP-CPW-2 | 4 | string | |
| MS-CHAP-LM-Enc-PW | 5 | string | |
| MS-CHAP-NT-Enc-PW | 6 | string | |
| MS-MPPE-Encryption-Policy | 7 | integer | The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used, but at least one must be used. |
| MS-MPPE-Encryption-Types | 8 | integer | The MS-MPPE-Encryption-Types attribute signifies the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits. |
| MS-CHAP-Domain | 10 | string | |
| MS-CHAP-Challenge | 11 | string | |
| MS-CHAP-MPPE-Keys | 12 | string | The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets. The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. |
| MS-MPPE-Send-Key | 16 | string | The MS-MPPE-Send-Key attribute contains a session key for use by MPPE. As the name implies, this key is intended for encrypting packets sent from the AAA client to the remote host. This attribute is only included in Access-Accept packets. |
| MS-MPPE-Recv-Key | 17 | string | The MS-MPPE-Recv-Key attribute contains a session key for use by MPPE. As the name implies, this key is intended for encrypting packets received by the AAA client from the remote host. This attribute is only included in Access-Accept packets. |
| MS-RAS-Version | 18 | string | |
| MS-CHAP-NT-Enc-PW | 25 | string | |
| MS-CHAP2-Response | 26 | string | |
| MS-CHAP2-CPW | 27 | string | |
Ascend Dictionary of RADIUS AV Pairs
Cisco Secure ACS supports the Ascend RADIUS AV pairs. Table D-10 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types:
- string: 0-253 octets
- abinary: 0-254 octets
- ipaddr: 4 octets in network byte order
- integer: 32-bit value in big endian order (high byte first)
- call filter: defines a call filter for the profile
Note: RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you make changes to a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.
- date: 32-bit value in big-endian order, for example, seconds since 00:00:00 universal time (UT), January 1, 1970
- enum: enumerated values are stored in the user file with dictionary value translations for easy administration.
Table D-10 Ascend RADIUS Attributes

| Attribute | Number | Type of Value |
| --- | --- | --- |
| Dictionary of Ascend Attributes | | |
| User-Name | 1 | string |
| Password | 2 | string |
| Challenge-Response | 3 | string |
| NAS-Identifier | 4 | ipaddr |
| NAS-Port | 5 | integer |
| User-Service | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-Address | 8 | ipaddr |
| Framed-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Framed-Filter | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Change-Password | 17 | string |
| Reply-Message | 18 | string |
| Callback-Number | 19 | string |
| Callback-Name | 20 | string |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | integer |
| State | 24 | string |
| Class | 25 | string |
| Vendor-Specific | 26 | string |
| Client-Port-DNIS | 30 | string |
| Caller-Id | 31 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | integer |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-Packets | 47 | integer |
| Acct-Output-Packets | 48 | integer |
| Tunnel-Type | 64 | string |
| Tunnel-Medium-Type | 65 | string |
| Tunnel-Client-Endpoint | 66 | string |
| Tunnel-Server-Endpoint | 67 | string |
| Tunnel-ID | 68 | integer |
| Ascend-Private-Route | 104 | string |
| Ascend-Numbering-Plan-ID | 105 | integer |
| Ascend-FR-Link-Status-Dlci | 106 | integer |
| Ascend-Calling-Subaddress | 107 | string |
| Ascend-Callback-Delay | 108 | string |
| Ascend-My-Name-Alias | 109 | string |
| Ascend-Remote-FW | 110 | string |
| Ascend-Multicast-GLeave-Delay | 111 | integer |
| Ascend-CBCP-Enable | 112 | string |
| Ascend-CBCP-Mode | 113 | string |
| Ascend-CBCP-Delay | 114 | string |
| Ascend-CBCP-Trunk-Group | 115 | string |
| Ascend-AppleTalk-Route | 116 | string |
| Ascend-AppleTalk-Peer-Mode | 117 | string |
| Ascend-Route-AppleTalk | 118 | string |
| Ascend-FCP-Parameter | 119 | string |
| Ascend-Modem-PortNo | 120 | integer |
| Ascend-Modem-SlotNo | 121 | integer |
| Ascend-Modem-ShelfNo | 122 | integer |
| Ascend-Call-Attempt-Limit | 123 | integer |
| Ascend-Call-Block-Duration | 124 | integer |
| Ascend-Maximum-Call-Duration | 125 | integer |
| Ascend-Router-Preference | 126 | string |
| Ascend-Tunneling-Protocol | 127 | string |
| Ascend-Shared-Profile-Enable | 128 | string |
| Ascend-Primary-Home-Agent | 129 | string |
| Ascend-Secondary-Home-Agent | 130 | string |
| Ascend-Dialout-Allowed | 131 | integer |
| Ascend-BACP-Enable | 133 | string |
| Ascend-DHCP-Maximum-Leases | 134 | integer |
| Ascend-Client-Primary-DNS | 135 | address |
| Ascend-Client-Secondary-DNS | 136 | address |
| Ascend-Client-Assign-DNS | 137 | enum |
| Ascend-User-Acct-Type | 138 | enum |
| Ascend-User-Acct-Host | 139 | address |
| Ascend-User-Acct-Port | 140 | integer |
| Ascend-User-Acct-Key | 141 | string |
| Ascend-User-Acct-Base | 142 | enum |
| Ascend-User-Acct-Time | 143 | integer |
| Support IP Address Allocation from Global Pools | | |
| Ascend-Assign-IP-Client | 144 | ipaddr |
| Ascend-Assign-IP-Server | 145 | ipaddr |
| Ascend-Assign-IP-Global-Pool | 146 | string |
| DHCP Server Functions | | |
| Ascend-DHCP-Reply | 147 | integer |
| Ascend-DHCP-Pool-Number | 148 | integer |
| Connection Profile/Telco Option | | |
| Ascend-Expect-Callback | 149 | integer |
| Event Type for an Ascend-Event Packet | | |
| Ascend-Event-Type | 150 | integer |
| RADIUS Server Session Key | | |
| Ascend-Session-Svr-Key | 151 | string |
| Multicast Rate Limit Per Client | | |
| Ascend-Multicast-Rate-Limit | 152 | integer |
| Connection Profile Fields to Support Interface-Based Routing | | |
| Ascend-IF-Netmask | 153 | ipaddr |
| Ascend-Remote-Addr | 154 | ipaddr |
| Multicast Support | | |
| Ascend-Multicast-Client | 155 | integer |
| Frame Datalink Profiles | | |
| Ascend-FR-Circuit-Name | 156 | string |
| Ascend-FR-LinkUp | 157 | integer |
| Ascend-FR-Nailed-Group | 158 | integer |
| Ascend-FR-Type | 159 | integer |
| Ascend-FR-Link-Mgt | 160 | integer |
| Ascend-FR-N391 | 161 | integer |
| Ascend-FR-DCE-N392 | 162 | integer |
| Ascend-FR-DTE-N392 | 163 | integer |
| Ascend-FR-DCE-N393 | 164 | integer |
| Ascend-FR-DTE-N393 | 165 | integer |
| Ascend-FR-T391 | 166 | integer |
| Ascend-FR-T392 | 167 | integer |
| Ascend-Bridge-Address | 168 | string |
| Ascend-TS-Idle-Limit | 169 | integer |
| Ascend-TS-Idle-Mode | 170 | integer |
| Ascend-DBA-Monitor | 171 | integer |
| Ascend-Base-Channel-Count | 172 | integer |
| Ascend-Minimum-Channels | 173 | integer |
| IPX Static Routes | | |
| Ascend-IPX-Route | 174 | string |
| Ascend-FT1-Caller | 175 | integer |
| Ascend-Backup | 176 | string |
| Ascend-Call-Type | 177 | integer |
| Ascend-Group | 178 | string |
| Ascend-FR-DLCI | 179 | integer |
| Ascend-FR-Profile-Name | 180 | string |
| Ascend-Ara-PW | 181 | string |
| Ascend-IPX-Node-Addr | 182 | string |
| Ascend-Home-Agent-IP-Addr | 183 | ipaddr |
| Ascend-Home-Agent-Password | 184 | string |
| Ascend-Home-Network-Name | 185 | string |
| Ascend-Home-Agent-UDP-Port | 186 | integer |
| Ascend-Multilink-ID | 187 | integer |
| Ascend-Num-In-Multilink | 188 | integer |
| Ascend-First-Dest | 189 | ipaddr |
| Ascend-Pre-Input-Octets | 190 | integer |
| Ascend-Pre-Output-Octets | 191 | integer |
| Ascend-Pre-Input-Packets | 192 | integer |
| Ascend-Pre-Output-Packets | 193 | integer |
| Ascend-Maximum-Time | 194 | integer |
| Ascend-Disconnect-Cause | 195 | integer |
| Ascend-Connect-Progress | 196 | integer |
| Ascend-Data-Rate | 197 | integer |
| Ascend-PreSession-Time | 198 | integer |
| Ascend-Token-Idle | 199 | integer |
| Ascend-Token-Immediate | 200 | integer |
| Ascend-Require-Auth | 201 | integer |
| Ascend-Number-Sessions | 202 | string |
| Ascend-Authen-Alias | 203 | string |
| Ascend-Token-Expiry | 204 | integer |
| Ascend-Menu-Selector | 205 | string |
| Ascend-Menu-Item | 206 | string |
| RADIUS Password Expiration Options | | |
| Ascend-PW-Warntime | 207 | integer |
| Ascend-PW-Lifetime | 208 | integer |
| Ascend-IP-Direct | 209 | ipaddr |
| Ascend-PPP-VJ-Slot-Comp | 210 | integer |
| Ascend-PPP-VJ-1172 | 211 | integer |
| Ascend-PPP-Async-Map | 212 | integer |
| Ascend-Third-Prompt | 213 | string |
| Ascend-Send-Secret | 214 | string |
| Ascend-Receive-Secret | 215 | string |
| Ascend-IPX-Peer-Mode | 216 | integer |
| Ascend-IP-Pool-Definition | 217 | string |
| Ascend-Assign-IP-Pool | 218 | integer |
| Ascend-FR-Direct | 219 | integer |
| Ascend-FR-Direct-Profile | 220 | string |
| Ascend-FR-Direct-DLCI | 221 | integer |
| Ascend-Handle-IPX | 222 | integer |
| Ascend-Netware-Timeout | 223 | integer |
| Ascend-IPX-Alias | 224 | integer |
| Ascend-Metric | 225 | integer |
| Ascend-PRI-Number-Type | 226 | integer |
| Ascend-Dial-Number | 227 | string |
| Connection Profile/PPP Options | | |
| Ascend-Route-IP | 228 | integer |
| Ascend-Route-IPX | 229 | integer |
| Ascend-Bridge | 230 | integer |
| Ascend-Send-Auth | 231 | integer |
| Ascend-Send-Passwd | 232 | string |
| Ascend-Link-Compression | 233 | integer |
| Ascend-Target-Util | 234 | integer |
| Ascend-Max-Channels | 235 | integer |
| Ascend-Inc-Channel-Count | 236 | integer |
| Ascend-Dec-Channel-Count | 237 | integer |
| Ascend-Seconds-Of-History | 238 | integer |
| Ascend-History-Weigh-Type | 239 | integer |
| Ascend-Add-Seconds | 240 | integer |
| Ascend-Remove-Seconds | 241 | integer |
| Connection Profile/Session Options | | |
| Ascend-Data-Filter | 242 | call filter |
| Ascend-Call-Filter | 243 | call filter |
| Ascend-Idle-Limit | 244 | integer |
| Ascend-Preempt-Limit | 245 | integer |
| Connection Profile/Telco Options | | |
| Ascend-Callback | 246 | integer |
| Ascend-Data-Svc | 247 | integer |
| Ascend-Force-56 | 248 | integer |
| Ascend-Billing-Number | 249 | string |
| Ascend-Call-By-Call | 250 | integer |
| Ascend-Transit-Number | 251 | string |
| Terminal Server Attributes | | |
| Ascend-Host-Info | 252 | string |
| PPP Local Address Attribute | | |
| Ascend-PPP-Address | 253 | ipaddr |
| MPP Percent Idle Attribute | | |
| Ascend-MPP-Idle-Percent | 254 | integer |
| Ascend-Xmit-Rate | 255 | integer |
Nortel Dictionary of RADIUS VSAs
Table D-11 lists the Nortel RADIUS VSAs supported by Cisco Secure ACS. The Nortel vendor ID number is 1584.
Table D-11 Nortel RADIUS VSAs

| Attribute | Number | Type of Value |
| --- | --- | --- |
| Bay-Local-IP-Address | 035 | ipaddr |
| Bay-Primary-DNS-Server | 054 | ipaddr |
| Bay-Secondary-DNS-Server | 055 | ipaddr |
| Bay-Primary-NBNS-Server | 056 | ipaddr |
| Bay-Secondary-NBNS-Server | 057 | ipaddr |
| Bay-User-Level | 100 | integer |
| Bay-Audit-Level | 101 | integer |
Juniper Dictionary of RADIUS VSAs
Table D-12 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The Juniper vendor ID number is 2636.
Table D-12 Juniper RADIUS VSAs

| Attribute | Number | Type of Value |
| --- | --- | --- |
| Juniper-Local-User-Name | 001 | string |
| Juniper-Allow-Commands | 002 | string |
| Juniper-Deny-Commands | 003 | string |