User Guide for Cisco Secure ACS for Windows Server 3.2
RADIUS Attributes

Table Of Contents

RADIUS Attributes

Cisco IOS Dictionary of RADIUS AV Pairs

Cisco IOS/PIX Dictionary of RADIUS VSAs

Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

IETF Dictionary of RADIUS AV Pairs

Microsoft MPPE Dictionary of RADIUS VSAs

Ascend Dictionary of RADIUS AV Pairs

Nortel Dictionary of RADIUS VSAs

Juniper Dictionary of RADIUS VSAs

RADIUS Attributes


CiscoSecureAccessControlServer (CiscoSecureACS) for WindowsServer version3.2 supports many RADIUS attributes. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by CiscoSecureACS for the following vendor implementations of RADIUS:

Cisco IOS RADIUS

Cisco VPN 3000 Concentrator RADIUS

Cisco VPN 5000 Concentrator RADIUS

Cisco Building Broadband Service Manager RADIUS

Microsoft RADIUS

Ascend RADIUS

Nortel RADIUS

Juniper RADIUS

Internet Engineering Task Force (IETF) RADIUS

You can enable different attribute-value (AV) pairs for IETF RADIUS and for any supported vendor. This appendix provides information about the following RADIUS AV pairs:

CiscoIOS Dictionary of RADIUS AV Pairs

CiscoIOS/PIX Dictionary of RADIUS VSAs

CiscoVPN 3000 Concentrator Dictionary of RADIUS VSAs

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

IETF Dictionary of RADIUS AV Pairs

Microsoft MPPE Dictionary of RADIUS VSAs

Ascend Dictionary of RADIUS AV Pairs

Nortel Dictionary of RADIUS VSAs

Juniper Dictionary of RADIUS VSAs

Cisco IOS Dictionary of RADIUS AV Pairs

CiscoSecureACS supports Cisco IOS RADIUS AV pairs. Before selecting AV pairs for CiscoSecureACS, confirm that your AAA client is a compatible release of CiscoIOS or compatible AAA client software. For more information, see Network and Port Requirements.


Note If you specify a given AV pair on CiscoSecureACS, the corresponding AV pair must be implemented in the CiscoIOS software running on the network device. Always consider which AV pairs your Cisco IOS release supports. If CiscoSecureACS sends an AV pair that the CiscoIOS software does not support, the attribute is not implemented.



Note Because IP pools and callback supersede them, the following RADIUS attributes do not appear on the Group Setup page:

8, Framed-IP-Address
19, Callback-Number
218, Ascend-Assign-IP-Pool

None of these attributes can be set via RDBMS Synchronization.


TableC-1 lists the supported CiscoIOS RADIUS AV pairs.

Table C-1 Cisco IOS Software RADIUS AV Pairs 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

User-Name

1

String

Inbound

No

User-Password

2

String

Outbound

No

CHAP-Password

3

String

Outbound

No

NAS-IP Address

4

Ipaddr

Inbound

No

NAS-Port

5

Integer

Inbound

No

Service-Type

6

Integer

Both

No

Framed-Protocol

7

Integer

Both

No

Framed-IP-Netmask

9

Ipaddr (maximum length 15 characters)

Outbound

No

Framed-Routing

10

Integer

Outbound

No

Filter-Id

11

String

Outbound

Yes

Framed-MTU

12

Integer (maximum length 10 characters)

Outbound

No

Framed-Compression

13

Integer

Outbound

Yes

Login-IP-Host

14

Ipaddr (maximum length 15 characters)

Both

Yes

Login-Service

15

Integer

Both

No

Login-TCP-Port

16

Integer (maximum length 10 characters)

Outbound

No

Reply-Message

18

String

Outbound

Yes

Expiration

21

Date

Framed-Route

22

String

Outbound

Yes

State

24

String (maximum length 253 characters)

Outbound

No

Class

25

String

Outbound

Yes

Vendor specific

26

String

Outbound

Yes

Session-Timeout

27

Integer (maximum length 10 characters)

Outbound

No

Idle-Timeout

28

Integer (maximum length 10 characters)

Outbound

No

Called-Station-ID

30

String

Inbound

No

Calling-Station-ID

31

String

Inbound

No

Login-LAT-Service

33

String (maximum length 253 characters)

Inbound

No

Acct-Status-Type

40

Integer

Inbound

No

Acct-Delay-Time

41

Integer

Inbound

No

Acct-Input-Octets

42

Integer

Inbound

No

Acct-Output-Octets

43

Integer

Inbound

No

Acct-Session-ID

44

String

Inbound

No

Acct-Authentic

45

Integer

Inbound

No

Acct-Session-Time

46

Integer

Inbound

No

Acct-Input-Packets

47

Integer

Inbound

No

Acct-Output-Packets

48

Integer

Inbound

No

Acct-Terminate-Cause

49

Integer

Inbound

No

NAS-Port-Type

61

Integer

Inbound

No

NAS-Port-Limit

62

Integer (maximum length 10 characters)

Both

No


Cisco IOS/PIX Dictionary of RADIUS VSAs

CiscoSecureACS supports Cisco IOS/PIX vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 009. TableC-2 lists the supported CiscoIOS/PIX RADIUS VSAs.


Note For a discussion of Cisco IOS/PIX RADIUS VSA 1, cisco-av-pair, see AV pair 26 in TableC-6.



Note For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP documentation.



Note For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.


Table C-2 Cisco IOS/PIX RADIUS VSAs 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

cisco-av-pair

1

String

Both

Yes

cisco-nas-port

2

String

Inbound

No

cisco-h323-remote-address

23

String

Inbound

No

cisco-h323-conf-id

24

String

Inbound

No

cisco-h323-setup-time

25

String

Inbound

No

cisco-h323-call-origin

26

String

Inbound

No

cisco-h323-call-type

27

String

Inbound

No

cisco-h323-connect-time

28

String

Inbound

No

cisco-h323-disconnect-time

29

String

Inbound

No

cisco-h323-disconnect-cause

30

String

Inbound

No

cisco-h323-voice-quality

31

String

Inbound

No

cisco-h323-gw-id

33

String

Inbound

No

cisco-h323-incoming-conn-id

35

String

Inbound

No

cisco-h323-credit-amount

101

String (maximum length 247 characters)

Outbound

No

cisco-h323-credit-time

102

String (maximum length 247 characters)

Outbound

No

cisco-h323-return-code

103

String (maximum length 247 characters)

Outbound

No

cisco-h323-prompt-id

104

String (maximum length 247 characters)

Outbound

No

cisco-h323-day-and-time

105

String (maximum length 247 characters)

Outbound

No

cisco-h323-redirect-number

106

String (maximum length 247 characters)

Outbound

No

cisco-h323-preferred-lang

107

String (maximum length 247 characters)

Outbound

No

cisco-h323-redirect-ip-addr

108

String (maximum length 247 characters)

Outbound

No

cisco-h323-billing-model

109

String (maximum length 247 characters)

Outbound

No

cisco-h323-currency

110

String (maximum length 247 characters)

Outbound

No

cisco-ssg-account-info

250

String (maximum length 247 characters)

Outbound

No

cisco-ssg-service-info

251

String (maximum length 247 characters)

Both

No

cisco-ssg-control-info

253

String (maximum length 247 characters)

Both

No


Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs

CiscoSecureACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. TableC-3 lists the supported CiscoVPN 3000 Concentrator RADIUS VSAs.


Note Some of the RADIUS VSAs supported by Cisco VPN 3000 Concentrators are interdependent. Before you implement them, we recommend that you refer to Cisco VPN 3000-series Concentrator documentation.


To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, CiscoSecureACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the CiscoSecureACS HTML interface or how those attributes might be configured.

Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

CVPN3000-Access-Hours

1

String (maximum length 247 characters)

Outbound

No

CVPN3000-Simultaneous-Logins

2

Integer (maximum length 10 characters)

Outbound

No

CVPN3000-Primary-DNS

5

Ipaddr (maximum length 15 characters)

Outbound

No

CVPN3000-Secondary-DNS

6

Ipaddr (maximum length 15 characters)

Outbound

No

CVPN3000-Primary-WINS

7

Ipaddr (maximum length 15 characters)

Outbound

No

CVPN3000-Secondary-WINS

8

Ipaddr (maximum length 15 characters)

Outbound

No

CVPN3000-SEP-Card-Assignment

9

Integer

Outbound

No

CVPN3000-Tunneling-Protocols

11

Integer

Outbound

No

CVPN3000-IPSec-Sec-Association

12

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Authentication

13

Integer

Outbound

No

CVPN3000-IPSec-Banner1

15

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Allow-Passwd-
Store

16

Integer

Outbound

No

CVPN3000-Use-Client-Address

17

Integer

Outbound

No

CVPN3000-PPTP-Encryption

20

Integer

Outbound

No

CVPN3000-L2TP-Encryption

21

Integer

Outbound

No

CVPN3000-IPSec-Split-Tunnel-
List

27

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Default-Domain

28

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Split-DNS-Names

29

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Tunnel-Type

30

Integer

Outbound

No

CVPN3000-IPSec-Mode-Config

31

Integer

Outbound

No

CVPN3000-IPSec-User-Group-
Lock

33

Integer

Outbound

No

CVPN3000-IPSec-Over-UDP

34

Integer

Outbound

No

CVPN3000-IPSec-Over-UDP-Port

35

Integer (maximum length 10 characters)

Outbound

No

CVPN3000-IPSec-Banner2

36

String (maximum length 247 characters)

Outbound

No

CVPN3000-PPTP-MPPC-
Compression

37

Integer

Outbound

No

CVPN3000-L2TP-MPPC-
Compression

38

Integer

Outbound

No

CVPN3000-IPSec-IP-Compression

39

Integer

Outbound

No

CVPN3000-IPSec-IKE-Peer-ID-
Check

40

Integer

Outbound

No

CVPN3000-IKE-Keep-Alives

41

Integer

Outbound

No

CVPN3000-IPSec-Auth-On-Rekey

42

Integer

Outbound

No

CVPN3000-Required-Client-
Firewall-Vendor-Code

45

Integer (maximum length 10 characters)

Outbound

No

CVPN3000-Required-Client-
Firewall-Product-Code

46

Integer (maximum length 10 characters)

Outbound

No

CVPN3000-Required-Client-
Firewall-Description

47

String (maximum length 247 characters)

Outbound

No

CVPN3000-Require-HW-Client-
Auth

48

Integer

Outbound

No

CVPN3000-Require-Individual-
User-Auth

49

Integer

Outbound

No

CVPN3000-Authenticated-User-
Idle-Timeout

50

Integer (maximum length 10 characters)

Outbound

No

CVPN3000-Cisco-IP-Phone-
Bypass

51

Integer

Outbound

No

CVPN3000-User-Auth-Server-
Name

52

String (maximum length 247 characters)

Outbound

No

CVPN3000-User-Auth-Server-Port

53

Integer (maximum length 10 characters)

Outbound

No

CVPN3000-User-Auth-Server-
Secret

54

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Split-Tunneling-
Policy

55

Integer

Outbound

No

CVPN3000-IPSec-Required-Client-
Firewall-Capability

56

Integer

Outbound

No

CVPN3000-IPSec-Client-Firewall-
Filter-Name

57

String (maximum length 247 characters)

Outbound

No

CVPN3000-IPSec-Client-Firewall-
Filter-Optional

58

Integer

Outbound

No

CVPN3000-IPSec-Backup-Servers

59

Integer

Outbound

No

CVPN3000-IPSec-Backup-Server-
List

60

String (maximum length 247 characters)

Outbound

No

CVPN3000-MS-Client-Intercept-
DHCP-Configure-Message

62

Integer

Outbound

No

CVPN3000-MS-Client-Subnet-
Mask

63

Ipaddr (maximum length 15 characters)

Outbound

No

CVPN3000-Allow-Network-
Extension-Mode

64

Integer

Outbound

No

CVPN3000-Strip-Realm

135

Integer

Outbound

No


Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

CiscoSecureACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. TableC-4 lists the supported CiscoVPN 5000 Concentrator RADIUS VSAs.

Table C-4 Cisco VPN 5000 Concentrator RADIUS VSAs 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

CVPN5000-Tunnel-Throughput

001

Integer

Inbound

No

CVPN5000-Client-Assigned-IP

002

String

Inbound

No

CVPN5000-Client-Real-IP

003

String

Inbound

No

CVPN5000-VPN-GroupInfo

004

String (maximum length 247 characters)

Outbound

No

CVPN5000-VPN-Password

005

String (maximum length 247 characters)

Outbound

No

CVPN5000-Echo

006

Integer

Inbound

No

CVPN5000-Client-Assigned-IPX

007

Integer

Inbound

No


Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

CiscoSecureACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263. TableC-5 lists the supported Cisco BBSM RADIUS VSA.

Table C-5 Cisco BBSM RADIUS VSA 

Attribute
Number
Type of Value
Inbound/Outbound
Multiple

CBBSM-Bandwidth

001

Integer

Both

No


IETF Dictionary of RADIUS AV Pairs

TableC-6 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.

Table C-6 RADIUS (IETF) Attributes 

Attribute
Number
Description
Type of Value
Inbound/
Outbound
Multiple

User-Name

1

Name of the user being authenticated.

String

Inbound

No

User-Password

2

User password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications.

String

Outbound

No

CHAP-Password

3

PPP (Point-to-Point Protocol) CHAP (Challenge Handshake Authentication Protocol) response to an Access-Challenge.

String

Outbound

No

NAS-IP Address

4

IP address of the AAA client that is requesting authentication.

Ipaddr

Inbound

No

NAS-Port

5

Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows:

For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.

For ordinary synchronous network interfaces, the value is 10xxx.

For channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc.

For channels on a basic rate ISDN interface, the value is 3bb0c.

For other types of interfaces, the value is 6nnss.

Integer

Inbound

No

Service-Type

6

Type of service requested or type of service to be provided:

In a request:

Framed —For known PPP or SLIP (Serial Line Internet Protocol) connection.

Administrative User —For enable command.

In a response:

Login —Make a connection.

Framed —Start SLIP or PPP.

Administrative User —Start an EXEC or enable ok .

Exec User —Start an EXEC session.

Integer

Both

No

Framed-Protocol

7

Framing to be used for framed access.

Integer

Both

No

Framed-IP-
Address

8

Address to be configured for the user.

Framed-IP-
Netmask

9

IP netmask to be configured for the user when the user is a router to a network. This AV results in a static route being added for Framed-IP-Address with the mask specified.

Ipaddr (maximum length 15 characters)

Outbound

No

Framed-Routing

10

Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute.

Integer

Outbound

No

Filter-Id

11

Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.

String

Outbound

Yes

Framed-MTU

12

Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means.

Integer (maximum length 10 characters)

Outbound

No

Framed-
Compression

13

Compression protocol used for the link. This attribute results in "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.

Integer

Outbound

Yes

Login-IP-Host

14

Host to which the user will connect when the Login-Service attribute is included.

Ipaddr (maximum length 15 characters)

Both

Yes

Login-Service

15

Service that should be used to connect the user to the login host.

Service is indicated by a numeric value as follows:

0: Telnet

1: Rlogin

2: TCP-Clear

3: PortMaster

4: LAT

Integer

Both

No

Login-TCP-Port

16

TCP (Transmission Control Protocol) port with which the user is to be connected when the Login-Service attribute is also present.

Integer (maximum length 10 characters)

Outbound

No

Reply-Message

18

Text to be displayed to the user.

String

Outbound

Yes

Callback-
Number

19

String

Outbound

No

Callback-Id

20

String

Outbound

No

Framed-Route

22

Routing information to be configured for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored.

String

Outbound

Yes

Framed-IPX-
Network

23

Integer

Outbound

No

State

24

Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges.

String (maximum length 253 characters)

Outbound

No

Class

25

Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server.

String

Both

Yes

Vendor-Specific

26

Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format:

protocol:attribute sep value

protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. The following is an example:

cisco-avpair= 
"ip:addr-pool=first"
cisco-avpair= "shell:priv-lvl=15"

The first example causes the Cisco multiple named IP address pools feature to be activated during IP authorization (during PPP IPCP address assignment). The second example causes a user of a device-hosted administrative session to have immediate access to EXEC commands.

String

Outbound

Yes

Session-Timeout

27

Maximum number of seconds of service to be provided to the user before the session terminates. This AV becomes the per-user absolute timeout. This attribute is not valid for PPP sessions.

Integer (maximum length 10 characters)

Outbound

No

Idle-Timeout

28

Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This AV becomes the per-user session-timeout. This attribute is not valid for PPP sessions.

Integer (maximum length 10 characters)

Outbound

No

Termination-
Action

29

Integer

Both

No

Called-Station-
Id

30

Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI.

String

Inbound

No

Calling-Station-
Id

31

Allows the AAA client to send the telephone number the user called into as part of the access-request packet, using DNIS (Dialed Number Identification Server) or similar technology. This attribute is only supported on ISDN and for modem calls on the CiscoAS5200 if used with PRI (Primary Rate Interface).

String

Inbound

No

NAS-Identifier

32

String

Inbound

No

Proxy-State

33

Included in proxied RADIUS requests per RADIUS standards. The operation of CiscoSecureACS does not depend on the contents of this attribute.

String (maximum length 253 characters)

Inbound

No

Login-LAT-
Service

34

System with which the user is to be connected by local area transport (LAT) protocol. This attribute is only available in the EXEC mode.

String (maximum length 253 characters)

Inbound

No

Login-LAT-
Node

35

String

Inbound

No

Login-LAT-
Group

36

String

Inbound

No

Framed-
AppleTalk-Link

37

Integer

Outbound

No

Framed-
AppleTalk-
Network

38

Integer

Outbound

Yes

Framed-
AppleTalk-
Zone

39

String

Out

No

Acct-Status-
Type

40

Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop).

Integer

Inbound

No

Acct-Delay-
Time

41

Number of seconds the client has been trying to send a particular record.

Integer

Inbound

No

Acct-Input-
Octets

42

Number of octets received from the port while this service is being provided.

Integer

Inbound

No

Acct-Output-
Octets

43

Number of octets sent to the port while this service is being delivered.

Integer

Inbound

No

Acct-Session-Id

44

Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable.

String

Inbound

No

Acct-Authentic

45

Way in which the user was authenticated—by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.

Integer

Inbound

No

Acct-Session-
Time

46

Number of seconds the user has been receiving service.

Integer

Inbound

No

Acct-Input-
Packets

47

Number of packets received from the port while this service is being provided to a framed user.

Integer

Inbound

No

Acct-Output-
Packets

48

Number of packets sent to the port while this service is being delivered to a framed user.

Integer

Inbound

No

Acct-Terminate-
Cause

49

Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:

1: User request

2: Lost carrier

3: Lost service

4: Idle timeout

5: Session-timeout

6: Admin reset

7: Admin reboot

8: Port error

9: AAA client error

10: AAA client request

11: AAA client reboot

12: Port unneeded

13: Port pre-empted

14: Port suspended

15: Service unavailable

16: Callback

17: User error

18: Host request

Integer

Inbound

No

Acct-Multi-
Session-Id

50

String

Inbound

No

Acct-Link-Count

51

Integer

Inbound

No

Acct-Input-
Gigawords

52

Integer

Inbound

No

Acct-Output-
Gigawords

53

Integer

Inbound

No

Event-
Timestamp

55

Date

Inbound

No

CHAP-
Challenge

60

String

Inbound

No

NAS-Port-Type

61

Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as follows:

0: Asynchronous

1: Synchronous

2: ISDN-Synchronous

3: ISDN-Asynchronous (V.120)

4: ISDN- Asynchronous (V.110)

5: Virtual

Integer

Inbound

No

Port-Limit

62

Sets the maximum number of ports to be provided to the user by the network access server.

Integer (maximum length 10 characters)

Both

No

Login-LAT-Port

63

String

Both

No

Tunnel-Type

64

Tagged integer

Both

Yes

Tunnel-Medium-
Type

65

Tagged integer

Both

Yes

Tunnel-Client-
Endpoint

66

tagged string

Both

Yes

Tunnel-Server-
Endpoint

67

Tagged string

Both

Yes

Acct-Tunnel-
Connection

68

String

Inbound

No

Tunnel-
Password

69

tagged string

Both

Yes

ARAP-Password

70

String

Inbound

No

ARAP-Features

71

String

Outbound

No

ARAP-Zone-
Access

72

Integer

Outbound

No

ARAP-Security

73

Integer

Inbound

No

ARAP-Security-
Data

74

String

Inbound

No

Password-Retry

75

Integer

Internal use only

No

Prompt

76

Integer

Internal use only

No

Connect-Info

77

String

Inbound

No

Configuration-
Token

78

String

Internal use only

No

EAP-Message

79

String

Internal use only

No

Message-
Authenticator

80

String

Outbound

No

Tunnel-Private-
Group-ID

81

tagged string

Both

Yes

Tunnel-
Assignment-ID

82

tagged string

Both

Yes

Tunnel-
Preference

83

Tagged integer

Both

No

Acct-Interim-
Interval

85

Integer

Outbound

No

NAS-Port-Id

87

String

Inbound

No

Framed-Pool

88

String

Internal use only

No

Tunnel-Client-
Auth-ID

90

tagged string

Both

Yes

Tunnel-Server-
Auth-ID

91

tagged string

Both

Yes

Primary-DNS-
Server

135

Ipaddr

Both

No

Secondary-DNS-
Server

136

Ipaddr

Both

No

Multilink-ID

187

Integer

Inbound

No

Num-In-
Multilink

188

Integer

Inbound

No

Pre-Input-Octets

190

Integer

Inbound

No

Pre-Output-
Octets

191

Integer

Inbound

No

Pre-Input-
Packets

192

Integer

Inbound

No

Pre-Output-
Packets

193

Integer

Inbound

No

Maximum-Time

194

Integer

Both

No

Disconnect-
Cause

195

Integer

Inbound

No

Data-Rate

197

Integer

Inbound

No

PreSession-Time

198

Integer

Inbound

No

PW-Lifetime

208

Integer

Outbound

No

IP-Direct

209

Ipaddr

Outbound

No

PPP-VJ-Slot-
Comp

210

Integer

Outbound

No

Assign-IP-pool

218

Integer

Outbound

No

Route-IP

228

Integer

Outbound

No

Link-
Compression

233

Integer

Outbound

No

Target-Utils

234

Integer

Outbound

No

Maximum-
Channels

235

Integer

Outbound

No

Data-Filter

242

Ascend filter

Outbound

Yes

Call-Filter

243

Ascend filter

Outbound

Yes

Idle-Limit

244

Integer

Outbound

No


Microsoft MPPE Dictionary of RADIUS VSAs

CiscoSecureACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that CiscoSecureACS supports. The following CiscoSecureACS RADIUS protocols support the Microsoft RADIUS VSAs:

Cisco IOS

Cisco VPN 3000

Ascend

To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, CiscoSecureACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the CiscoSecureACS HTML interface or how those attributes might be configured.

TableC-7 lists the supported MPPE RADIUS VSAs.

Table C-7 Microsoft MPPE RADIUS VSAs 

Attribute
Number
Type of Value
Description
Inbound/Outbound
Multiple

MS-CHAP-
Response

1

String

Inbound

No

MS-CHAP-Error

2

String

Outbound

No

MS-CHAP-CPW-
1

3

String

Inbound

No

MS-CHAP-CPW-
2

4

String

Inbound

No

MS-CHAP-LM-
Enc-PW

5

String

Inbound

No

MS-CHAP-NT-
Enc-PW

6

String

Inbound

No

MS-MPPE-
Encryption-Policy

7

Integer

The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used, but at least one must be used.

Outbound

No

MS-MPPE-
Encryption-Types

8

Integer

The MS-MPPE-Encryption-Types attribute signifies the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits.

Outbound

No

MS-CHAP-
Domain

10

String

Inbound

No

MS-CHAP-
Challenge

11

String

Inbound

No

MS-CHAP-
MPPE-Keys

12

String

The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets.

Note The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

Outbound

No

MS-MPPE-Send-
Key

16

String (maximum length 240 characters)

The MS-MPPE-Send-Key attribute contains a session key for use by MPPE. This key is for encrypting packets sent from the AAA client to the remote host. This attribute is only included in Access-Accept packets.

Outbound

No

MS-MPPE-Recv-
Key

17

String (maximum length 240 characters)

The MS-MPPE-Recv-Key attribute contains a session key for use by MPPE. This key is for encrypting packets received by the AAA client from the remote host. This attribute is only included in Access-Accept packets.

Outbound

No

MS-RAS-Version

18

String

Inbound

No

MS-CHAP-NT-
Enc-PW

25

String

Inbound

No

MS-CHAP2-
Response

26

String

Outbound

No

MS-CHAP2-CPW

27

String

Inbound

No


Ascend Dictionary of RADIUS AV Pairs

CiscoSecureACS supports the Ascend RADIUS AV pairs. TableC-8 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types:

String —0-253 octets.

Abinary —0-254 octets.

Ipaddr —4 octets in network byte order.

Integer —32-bit value in big endian order (high byte first).

Call filter —Defines a call filter for the profile.


Note RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you make changes to a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.


Date —32-bit value in big-endian order. For example, seconds since 00:00:00 universal time (UT), January 1, 1970.

Enum —Enumerated values are stored in the user file with dictionary value translations for easy administration.

Table C-8 Ascend RADIUS Attributes 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

Dictionary of Ascend Attributes

User-Name

1

String

Inbound

No

User-Password

2

String

Outbound

No

CHAP-Password

3

String

Outbound

No

NAS-IP-Address

4

Ipaddr

Inbound

No

NAS-Port

5

Integer

Inbound

No

Service-Type

6

Integer

Both

No

Framed-Protocol

7

Integer

Both

No

Framed-IP-Address

8

Ipaddr

Both

No

Framed-IP-Netmask

9

Ipaddr

Outbound

No

Framed-Routing

10

Integer

Outbound

No

Framed-Filter

11

String

Outbound

Yes

Framed-MTU

12

Integer

Outbound

No

Framed-Compression

13

Integer

Outbound

Yes

Login-IP-Host

14

Ipaddr

Both

Yes

Login-Service

15

Integer

Both

No

Login-TCP-Port

16

Integer

Outbound

No

Change-Password

17

String

Reply-Message

18

String

Outbound

Yes

Callback-ID

19

String

Outbound

No

Callback-Name

20

String

Outbound

No

Framed-Route

22

String

Outbound

Yes

Framed-IPX-Network

23

Integer

Outbound

No

State

24

String

Outbound

No

Class

25

String

Outbound

Yes

Vendor-Specific

26

String

Outbound

Yes

Call-Station-ID

30

String

Inbound

No

Calling-Station-ID

31

String

Inbound

No

Acct-Status-Type

40

Integer

Inbound

No

Acct-Delay-Time

41

Integer

Inbound

No

Acct-Input-Octets

42

Integer

Inbound

No

Acct-Output-Octets

43

Integer

Inbound

No

Acct-Session-Id

44

Integer

Inbound

No

Acct-Authentic

45

Integer

Inbound

No

Acct-Session-Time

46

Integer

Inbound

No

Acct-Input-Packets

47

Integer

Inbound

No

Acct-Output-Packets

48

Integer

Inbound

No

Tunnel-Type

64

String

Both

Yes

Tunnel-Medium-Type

65

String

Both

Yes

Tunnel-Client-Endpoint

66

String (maximum length 250 characters)

Both

Yes

Tunnel-Server-Endpoint

67

String (maximum length 250 characters)

Both

Yes

Acct-Tunnel-Connection

68

Integer (maximum length 253 characters)

Inbound

No

Ascend-Private-Route

104

String (maximum length 253 characters)

Both

No

Ascend-Numbering-Plan-ID

105

Integer (maximum length 10 characters)

Both

No

Ascend-FR-Link-Status-Dlci

106

Integer (maximum length 10 characters)

Both

No

Ascend-Calling-Subaddress

107

String (maximum length 253 characters)

Both

No

Ascend-Callback-Delay

108

String (maximum length 10 characters)

Both

No

Ascend-Endpoint-Disc

109

String (maximum length 253 characters)

Both

No

Ascend-Remote-FW

110

String (maximum length 253 characters)

Both

No

Ascend-Multicast-GLeave-Delay

111

Integer (maximum length 10 characters)

Both

No

Ascend-CBCP-Enable

112

String

Both

No

Ascend-CBCP-Mode

113

String

Both

No

Ascend-CBCP-Delay

114

String (maximum length 10 characters)

Both

No

Ascend-CBCP-Trunk-Group

115

String (maximum length 10 characters)

Both

No

Ascend-AppleTalk-Route

116

String (maximum length 253 characters)

Both

No

Ascend-AppleTalk-Peer-Mode

117

String (maximum length 10 characters)

Both

No

Ascend-Route-AppleTalk

118

String (maximum length 10 characters)

Both

No

Ascend-FCP-Parameter

119

String (maximum length 253 characters)

Both

No

Ascend-Modem-PortNo

120

Integer (maximum length 10 characters)

Inbound

No

Ascend-Modem-SlotNo

121

Integer (maximum length 10 characters)

Inbound

No

Ascend-Modem-ShelfNo

122

Integer (maximum length 10 characters)

Inbound

No

Ascend-Call-Attempt-Limit

123

Integer (maximum length 10 characters)

Both

No

Ascend-Call-Block_Duration

124

Integer (maximum length 10 characters)

Both

No

Ascend-Maximum-Call-Duration

125

Integer (maximum length 10 characters)

Both

No

Ascend-Router-Preference

126

String (maximum length 10 characters)

Both

No

Ascend-Tunneling-Protocol

127

String (maximum length 10 characters)

Both

No

Ascend-Shared-Profile-Enable

128

Integer

Both

No

Ascend-Primary-Home-Agent

129

String (maximum length 253 characters)

Both

No

Ascend-Secondary-Home-Agent

130

String (maximum length 253 characters)

Both

No

Ascend-Dialout-Allowed

131

Integer

Both

No

Ascend-BACP-Enable

133

Integer

Both

No

Ascend-DHCP-Maximum-Leases

134

Integer (maximum length 10 characters)

Both

No

Ascend-Client-Primary-DNS

135

Address (maximum length 15 characters)

Both

No

Ascend-Client-Secondary-DNS

136

Address (maximum length 15 characters)

Both

No

Ascend-Client-Assign-DNS

137

Enum

Both

No

Ascend-User-Acct-Type

138

Enum

Both

No

Ascend-User-Acct-Host

139

Address (maximum length 15 characters)

Both

No

Ascend-User-Acct-Port

140

Integer (maximum length 10 characters)

Both

No

Ascend-User-Acct-Key

141

String (maximum length 253 characters)

Both

No

Ascend-User-Acct-Base

142

Enum (maximum length 10 characters)

Both

No

Ascend-User-Acct-Time

143

Integer (maximum length 10 characters)

Both

No

Support IP Address Allocation from Global Pools

Ascend-Assign-IP-Client

144

Ipaddr (maximum length 15 characters)

Outbound

No

Ascend-Assign-IP-Server

145

Ipaddr (maximum length 15 characters)

Outbound

No

Ascend-Assign-IP-Global-Pool

146

String (maximum length 253 characters)

Outbound

No

DHCP Server Functions

Ascend-DHCP-Reply

147

Integer

Outbound

No

Ascend-DHCP-Pool-Number

148

Integer (maximum length 10 characters)

Outbound

No

Connection Profile/Telco Option

Ascend-Expect-Callback

149

Integer

Outbound

No

Event Type for an Ascend-Event Packet

Ascend-Event-Type

150

Integer (maximum length 10 characters)

Inbound

No

RADIUS Server Session Key

Ascend-Session-Svr-Key

151

String (maximum length 253 characters)

Outbound

No

Multicast Rate Limit Per Client

Ascend-Multicast-Rate-Limit

152

Integer (maximum length 10 characters)

Outbound

No

Connection Profile Fields to Support Interface-Based Routing

Ascend-IF-Netmask

153

Ipaddr (maximum length 15 characters)

Outbound

No

Ascend-Remote-Addr

154

Ipaddr (maximum length 15 characters)

Outbound

No

Multicast Support

Ascend-Multicast-Client

155

Integer (maximum length 10 characters)

Outbound

No

Frame Datalink Profiles

Ascend-FR-Circuit-Name

156

String (maximum length 253 characters)

Outbound

No

Ascend-FR-LinkUp

157

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-Nailed-Group

158

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-Type

159

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-Link-Mgt

160

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-N391

161

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-DCE-N392

162

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-DTE-N392

163

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-DCE-N393

164

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-DTE-N393

165

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-T391

166

Integer (maximum length 10 characters)

Outbound

No

Ascend-FR-T392

167

Integer (maximum length 10 characters)

Outbound

No

Ascend-Bridge-Address

168

String (maximum length 253 characters)

Outbound

No

Ascend-TS-Idle-Limit

169

Integer (maximum length 10 characters)

Outbound

No

Ascend-TS-Idle-Mode

170

Integer (maximum length 10 characters)

Outbound

No

Ascend-DBA-Monitor

171

Integer (maximum length 10 characters)

Outbound

No

Ascend-Base-Channel-Count

172

Integer (maximum length 10 characters)

Outbound

No

Ascend-Minimum-Channels

173

Integer (maximum length 10 characters)

Outbound

No

IPX Static Routes

Ascend-IPX-Route

174

String (maximum length 253 characters)

Inbound

No

Ascend-FT1-Caller

175

Integer (maximum length 10 characters)

Inbound

No

Ascend-Backup

176

String (maximum length 253 characters)

Inbound

No

Ascend-Call-Type

177

Integer

Inbound

No

Ascend-Group

178

String (maximum length 253 characters)

Inbound

No

Ascend-FR-DLCI

179

Integer (maximum length 10 characters)

Inbound

No

Ascend-FR-Profile-Name

180

String (maximum length 253 characters)

Inbound

No

Ascend-Ara-PW

181

String (maximum length 253 characters)

Inbound

No

Ascend-IPX-Node-Addr

182

String (maximum length 253 characters)

Both

No

Ascend-Home-Agent-IP-Addr

183

Ipaddr (maximum length 15 characters)

Outbound

No

Ascend-Home-Agent-Password

184

String (maximum length 253 characters)

Outbound

No

Ascend-Home-Network-Name

185

String (maximum length 253 characters)

Outbound

No

Ascend-Home-Agent-UDP-Port

186

Integer (maximum length 10 characters)

Outbound

No

Ascend-Multilink-ID

187

Integer

Inbound

No

Ascend-Num-In-Multilink

188

Integer

Inbound

No

Ascend-First-Dest

189

Ipaddr

Inbound

No

Ascend-Pre-Input-Octets

190

Integer

Inbound

No

Ascend-Pre-Output-Octets

191

Integer

Inbound

No

Ascend-Pre-Input-Packets

192

Integer

Inbound

No

Ascend-Pre-Output-Packets

193

Integer

Inbound

No

Ascend-Maximum-Time

194

Integer (maximum length 10 characters)

Both

No

Ascend-Disconnect-Cause

195

Integer

Inbound

No

Ascend-Connect-Progress

196

Integer

Inbound

No

Ascend-Data-Rate

197

Integer

Inbound

No

Ascend-PreSession-Time

198

Integer

Inbound

No

Ascend-Token-Idle

199

Integer (maximum length 10 characters)

Outbound

No

Ascend-Token-Immediate

200

Integer

Outbound

No

Ascend-Require-Auth

201

Integer (maximum length 10 characters)

Outbound

No

Ascend-Number-Sessions

202

String (maximum length 253 characters)

Outbound

No

Ascend-Authen-Alias

203

String (maximum length 253 characters)

Outbound

No

Ascend-Token-Expiry

204

Integer (maximum length 10 characters)

Outbound

No

Ascend-Menu-Selector

205

String (maximum length 253 characters)

Outbound

No

Ascend-Menu-Item

206

String

Outbound

Yes

RADIUS Password Expiration Options

Ascend-PW-Warntime

207

Integer (maximum length 10 characters)

Outbound

No

Ascend-PW-Lifetime

208

Integer (maximum length 10 characters)

Outbound

No

Ascend-IP-Direct

209

Ipaddr (maximum length 15 characters)

Outbound

No

Ascend-PPP-VJ-Slot-Comp

210

Integer (maximum length 10 characters)

Outbound

No

Ascend-PPP-VJ-1172

211

Integer (maximum length 10 characters)

Outbound

No

Ascend-PPP-Async-Map

212

Integer (maximum length 10 characters)

Outbound

No

Ascend-Third-Prompt

213

String (maximum length 253 characters)

Outbound

No

Ascend-Send-Secret

214

String (maximum length 253 characters)

Outbound

No

Ascend-Receive-Secret

215

String (maximum length 253 characters)

Outbound

No

Ascend-IPX-Peer-Mode

216

Integer

Outbound

No

Ascend-IP-Pool-Definition

217

String (maximum length 253 characters)

Outbound

No

Ascend-Assign-IP-Pool

218

Integer

Outbound

No

Ascend-FR-Direct

219

Integer

Outbound

No

Ascend-FR-Direct-Profile

220

String (maximum length 253 characters)

Outbound

No

Ascend-FR-Direct-DLCI

221

Integer (maximum length 10 characters)

Outbound

No

Ascend-Handle-IPX

222

Integer

Outbound

No

Ascend-Netware-Timeout

223

Integer (maximum length 10 characters)

Outbound

No

Ascend-IPX-Alias

224

String (maximum length 253 characters)

Outbound

No

Ascend-Metric

225

Integer (maximum length 10 characters)

Outbound

No

Ascend-PRI-Number-Type

226

Integer

Outbound

No

Ascend-Dial-Number

227

String (maximum length 253 characters)

Outbound

No

Connection Profile/PPP Options

Ascend-Route-IP

228

Integer

Outbound

No

Ascend-Route-IPX

229

Integer

Outbound

No

Ascend-Bridge

230

Integer

Outbound

No

Ascend-Send-Auth

231

Integer

Outbound

No

Ascend-Send-Passwd

232

String (maximum length 253 characters)

Outbound

No

Ascend-Link-Compression

233

Integer

Outbound

No

Ascend-Target-Util

234

Integer (maximum length 10 characters)

Outbound

No

Ascend-Max-Channels

235

Integer (maximum length 10 characters)

Outbound

No

Ascend-Inc-Channel-Count

236

Integer (maximum length 10 characters)

Outbound

No

Ascend-Dec-Channel-Count

237

Integer (maximum length 10 characters)

Outbound

No

Ascend-Seconds-Of-History

238

Integer (maximum length 10 characters)

Outbound

No

Ascend-History-Weigh-Type

239

Integer

Outbound

No

Ascend-Add-Seconds

240

Integer (maximum length 10 characters)

Outbound

No

Ascend-Remove-Seconds

241

Integer (maximum length 10 characters)

Outbound

No

Connection Profile/Session Options

Ascend-Data-Filter

242

Call filter

Outbound

Yes

Ascend-Call-Filter

243

Call filter

Outbound

Yes

Ascend-Idle-Limit

244

Integer (maximum length 10 characters)

Outbound

No

Ascend-Preempt-Limit

245

Integer (maximum length 10 characters)

Outbound

No

Connection Profile/Telco Options

Ascend-Callback

246

Integer

Outbound

No

Ascend-Data-Svc

247

Integer

Outbound

No

Ascend-Force-56

248

Integer

Outbound

No

Ascend-Billing-Number

249

String (maximum length 253 characters)

Outbound

No

Ascend-Call-By-Call

250

Integer (maximum length 10 characters)

Outbound

No

Ascend-Transit-Number

251

String (maximum length 253 characters)

Outbound

No

Terminal Server Attributes

Ascend-Host-Info

252

String (maximum length 253 characters)

Outbound

No

PPP Local Address Attribute

Ascend-PPP-Address

253

Ipaddr (maximum length 15 characters)

Outbound

No

MPP Percent Idle Attribute

Ascend-MPP-Idle-Percent

254

Integer (maximum length 10 characters)

Outbound

No

Ascend-Xmit-Rate

255

Integer (maximum length 10 characters)

Outbound

No


Nortel Dictionary of RADIUS VSAs

TableC-9 lists the Nortel RADIUS VSAs supported by CiscoSecureACS. The Nortel vendor ID number is 1584.

Table C-9 Nortel RADIUS VSAs 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

Bay-Local-IP-Address

035

Ipaddr (maximum length 15 characters)

Outbound

No

Bay-Primary-DNS-Server

054

Ipaddr (maximum length 15 characters)

Outbound

No

Bay-Secondary-DNS-Server

055

Ipaddr (maximum length 15 characters)

Outbound

No

Bay-Primary-NBNS-Server

056

Ipaddr (maximum length 15 characters)

Outbound

No

Bay-Secondary-NBNS-Server

057

Ipaddr (maximum length 15 characters)

Outbound

No

Bay-User-Level

100

Integer

Outbound

No

Bay-Audit-Level

101

Integer

Outbound

No


Juniper Dictionary of RADIUS VSAs

TableC-10 lists the Juniper RADIUS VSAs supported by CiscoSecureACS. The Juniper vendor ID number is 2636.

Table C-10 Juniper RADIUS VSAs 

Attribute
Number
Type of Value
Inbound/
Outbound
Multiple

Juniper-Local-User-Name

001

String (maximum length 247 characters)

Outbound

No

Juniper-Allow-Commands

002

String (maximum length 247 characters)

Outbound

No

Juniper-Deny-Commands

003

String (maximum length 247 characters)

Outbound

No