Table Of Contents
RADIUS Attributes
Cisco IOS Dictionary of RADIUS AV Pairs
Cisco IOS/PIX Dictionary of RADIUS VSAs
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
IETF Dictionary of RADIUS AV Pairs
Microsoft MPPE Dictionary of RADIUS VSAs
Ascend Dictionary of RADIUS AV Pairs
Nortel Dictionary of RADIUS VSAs
Juniper Dictionary of RADIUS VSAs
RADIUS Attributes
CiscoSecureAccessControlServer(CiscoSecureACS)Appliance version3.2 supports many RADIUS attributes. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by CiscoSecureACS for the following vendor implementations of RADIUS:
•
Cisco IOS RADIUS
•Cisco VPN 3000 Concentrator RADIUS
•Cisco VPN 5000 Concentrator RADIUS
•Cisco Building Broadband Service Manager RADIUS
•Microsoft RADIUS
•Ascend RADIUS
•Nortel RADIUS
•Juniper RADIUS
•Internet Engineering Task Force (IETF) RADIUS
You can enable different attribute-value (AV) pairs for IETF RADIUS and for any supported vendor. This appendix provides information about the following RADIUS AV pairs:
• CiscoIOS Dictionary of RADIUS AV Pairs
• CiscoIOS/PIX Dictionary of RADIUS VSAs
• CiscoVPN 3000 Concentrator Dictionary of RADIUS VSAs
• Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
• Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
• IETF Dictionary of RADIUS AV Pairs
• Microsoft MPPE Dictionary of RADIUS VSAs
• Ascend Dictionary of RADIUS AV Pairs
• Nortel Dictionary of RADIUS VSAs
• Juniper Dictionary of RADIUS VSAs
Cisco IOS Dictionary of RADIUS AV Pairs
CiscoSecureACS supports Cisco IOS RADIUS AV pairs. Before selecting AV pairs for CiscoSecureACS, confirm that your AAA client is a compatible release of CiscoIOS or compatible AAA client software. For more information, see Network and Port Requirements.
Note If you specify a given AV pair on CiscoSecureACS, the corresponding AV pair must be implemented in the CiscoIOS software running on the network device. Always consider which AV pairs your Cisco IOS release supports. If CiscoSecureACS sends an AV pair that the CiscoIOS software does not support, the attribute is not implemented.
Note Because IP pools and callback supersede them, the following RADIUS attributes do not appear on the Group Setup page:
8, Framed-IP-Address
19, Callback-Number
218, Ascend-Assign-IP-Pool
None of these attributes can be set via RDBMS Synchronization.
TableC-1 lists the supported CiscoIOS RADIUS AV pairs.
Table C-1 Cisco IOS Software RADIUS AV Pairs
|
Attribute
|
Number
|
Type of Value
|
Inbound/Outbound
|
Multiple
|
|
User-Name
|
1
|
String
|
Inbound
|
No
|
|
User-Password
|
2
|
String
|
Outbound
|
No
|
|
CHAP-Password
|
3
|
String
|
Outbound
|
No
|
|
NAS-IP Address
|
4
|
Ipaddr
|
Inbound
|
No
|
|
NAS-Port
|
5
|
Integer
|
Inbound
|
No
|
|
Service-Type
|
6
|
Integer
|
Both
|
No
|
|
Framed-Protocol
|
7
|
Integer
|
Both
|
No
|
|
Framed-IP-Netmask
|
9
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
Framed-Routing
|
10
|
Integer
|
Outbound
|
No
|
|
Filter-Id
|
11
|
String
|
Outbound
|
Yes
|
|
Framed-MTU
|
12
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Framed-Compression
|
13
|
Integer
|
Outbound
|
Yes
|
|
Login-IP-Host
|
14
|
Ipaddr (maximum length 15 characters)
|
Both
|
Yes
|
|
Login-Service
|
15
|
Integer
|
Both
|
No
|
|
Login-TCP-Port
|
16
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Reply-Message
|
18
|
String
|
Outbound
|
Yes
|
|
Expiration
|
21
|
Date
|
—
|
—
|
|
Framed-Route
|
22
|
String
|
Outbound
|
Yes
|
|
State
|
24
|
String (maximum length 253 characters)
|
Outbound
|
No
|
|
Class
|
25
|
String
|
Outbound
|
Yes
|
|
Vendor specific
|
26
|
String
|
Outbound
|
Yes
|
|
Session-Timeout
|
27
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Idle-Timeout
|
28
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Called-Station-ID
|
30
|
String
|
Inbound
|
No
|
|
Calling-Station-ID
|
31
|
String
|
Inbound
|
No
|
|
Login-LAT-Service
|
33
|
String (maximum length 253 characters)
|
Inbound
|
No
|
|
Acct-Status-Type
|
40
|
Integer
|
Inbound
|
No
|
|
Acct-Delay-Time
|
41
|
Integer
|
Inbound
|
No
|
|
Acct-Input-Octets
|
42
|
Integer
|
Inbound
|
No
|
|
Acct-Output-Octets
|
43
|
Integer
|
Inbound
|
No
|
|
Acct-Session-ID
|
44
|
String
|
Inbound
|
No
|
|
Acct-Authentic
|
45
|
Integer
|
Inbound
|
No
|
|
Acct-Session-Time
|
46
|
Integer
|
Inbound
|
No
|
|
Acct-Input-Packets
|
47
|
Integer
|
Inbound
|
No
|
|
Acct-Output-Packets
|
48
|
Integer
|
Inbound
|
No
|
|
Acct-Terminate-Cause
|
49
|
Integer
|
Inbound
|
No
|
|
NAS-Port-Type
|
61
|
Integer
|
Inbound
|
No
|
|
NAS-Port-Limit
|
62
|
Integer (maximum length 10 characters)
|
Both
|
No
|
Cisco IOS/PIX Dictionary of RADIUS VSAs
CiscoSecureACS supports Cisco IOS/PIX vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 009. TableC-2 lists the supported CiscoIOS/PIX RADIUS VSAs.
Note For a discussion of Cisco IOS/PIX RADIUS VSA 1, cisco-av-pair, see AV pair 26 in TableC-6.
Note For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP documentation.
Note For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.
Table C-2 Cisco IOS/PIX RADIUS VSAs
|
Attribute
|
Number
|
Type of Value
|
Inbound/Outbound
|
Multiple
|
|
cisco-av-pair
|
1
|
String
|
Both
|
Yes
|
|
cisco-nas-port
|
2
|
String
|
Inbound
|
No
|
|
cisco-h323-remote-address
|
23
|
String
|
Inbound
|
No
|
|
cisco-h323-conf-id
|
24
|
String
|
Inbound
|
No
|
|
cisco-h323-setup-time
|
25
|
String
|
Inbound
|
No
|
|
cisco-h323-call-origin
|
26
|
String
|
Inbound
|
No
|
|
cisco-h323-call-type
|
27
|
String
|
Inbound
|
No
|
|
cisco-h323-connect-time
|
28
|
String
|
Inbound
|
No
|
|
cisco-h323-disconnect-time
|
29
|
String
|
Inbound
|
No
|
|
cisco-h323-disconnect-cause
|
30
|
String
|
Inbound
|
No
|
|
cisco-h323-voice-quality
|
31
|
String
|
Inbound
|
No
|
|
cisco-h323-gw-id
|
33
|
String
|
Inbound
|
No
|
|
cisco-h323-incoming-conn-id
|
35
|
String
|
Inbound
|
No
|
|
cisco-h323-credit-amount
|
101
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-credit-time
|
102
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-return-code
|
103
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-prompt-id
|
104
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-day-and-time
|
105
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-redirect-number
|
106
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-preferred-lang
|
107
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-redirect-ip-addr
|
108
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-billing-model
|
109
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-h323-currency
|
110
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-ssg-account-info
|
250
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
cisco-ssg-service-info
|
251
|
String (maximum length 247 characters)
|
Both
|
No
|
|
cisco-ssg-control-info
|
253
|
String (maximum length 247 characters)
|
Both
|
No
|
Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs
CiscoSecureACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. TableC-3 lists the supported CiscoVPN 3000 Concentrator RADIUS VSAs.
Note Some of the RADIUS VSAs supported by Cisco VPN 3000 Concentrators are interdependent. Before you implement them, we recommend that you refer to Cisco VPN 3000-series Concentrator documentation.
To control Microsoft MPPE settings for users accessing the network through a Cisco VPN 3000-series concentrator, use the CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) attributes. Settings for CVPN3000-PPTP-Encryption (VSA 20) and CVPN3000-L2TP-Encryption (VSA 21) override Microsoft MPPE RADIUS settings. If either of these attributes is enabled, CiscoSecureACS determines the values to be sent in outbound RADIUS (Microsoft) attributes and sends them along with the RADIUS (Cisco VPN 3000) attributes, regardless of whether RADIUS (Microsoft) attributes are enabled in the CiscoSecureACS HTML interface or how those attributes might be configured.
Table C-3 Cisco VPN 3000 Concentrator RADIUS VSAs
|
Attribute
|
Number
|
Type of Value
|
Inbound/Outbound
|
Multiple
|
|
CVPN3000-Access-Hours
|
1
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-Simultaneous-Logins
|
2
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
CVPN3000-Primary-DNS
|
5
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
CVPN3000-Secondary-DNS
|
6
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
CVPN3000-Primary-WINS
|
7
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
CVPN3000-Secondary-WINS
|
8
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
CVPN3000-SEP-Card-Assignment
|
9
|
Integer
|
Outbound
|
No
|
|
CVPN3000-Tunneling-Protocols
|
11
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Sec-Association
|
12
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Authentication
|
13
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Banner1
|
15
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Allow-Passwd-
Store
|
16
|
Integer
|
Outbound
|
No
|
|
CVPN3000-Use-Client-Address
|
17
|
Integer
|
Outbound
|
No
|
|
CVPN3000-PPTP-Encryption
|
20
|
Integer
|
Outbound
|
No
|
|
CVPN3000-L2TP-Encryption
|
21
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Split-Tunnel-
List
|
27
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Default-Domain
|
28
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Split-DNS-Names
|
29
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Tunnel-Type
|
30
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Mode-Config
|
31
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-User-Group-
Lock
|
33
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Over-UDP
|
34
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Over-UDP-Port
|
35
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Banner2
|
36
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-PPTP-MPPC-
Compression
|
37
|
Integer
|
Outbound
|
No
|
|
CVPN3000-L2TP-MPPC-
Compression
|
38
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-IP-Compression
|
39
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-IKE-Peer-ID-
Check
|
40
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IKE-Keep-Alives
|
41
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Auth-On-Rekey
|
42
|
Integer
|
Outbound
|
No
|
|
CVPN3000-Required-Client-
Firewall-Vendor-Code
|
45
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
CVPN3000-Required-Client-
Firewall-Product-Code
|
46
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
CVPN3000-Required-Client-
Firewall-Description
|
47
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-Require-HW-Client-
Auth
|
48
|
Integer
|
Outbound
|
No
|
|
CVPN3000-Require-Individual-
User-Auth
|
49
|
Integer
|
Outbound
|
No
|
|
CVPN3000-Authenticated-User-
Idle-Timeout
|
50
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
CVPN3000-Cisco-IP-Phone-
Bypass
|
51
|
Integer
|
Outbound
|
No
|
|
CVPN3000-User-Auth-Server-
Name
|
52
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-User-Auth-Server-Port
|
53
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
CVPN3000-User-Auth-Server-
Secret
|
54
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Split-Tunneling-
Policy
|
55
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Required-Client-
Firewall-Capability
|
56
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Client-Firewall-
Filter-Name
|
57
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-IPSec-Client-Firewall-
Filter-Optional
|
58
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Backup-Servers
|
59
|
Integer
|
Outbound
|
No
|
|
CVPN3000-IPSec-Backup-Server-
List
|
60
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN3000-MS-Client-Intercept-
DHCP-Configure-Message
|
62
|
Integer
|
Outbound
|
No
|
|
CVPN3000-MS-Client-Subnet-
Mask
|
63
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
CVPN3000-Allow-Network-
Extension-Mode
|
64
|
Integer
|
Outbound
|
No
|
|
CVPN3000-Strip-Realm
|
135
|
Integer
|
Outbound
|
No
|
Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs
CiscoSecureACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. TableC-4 lists the supported CiscoVPN 5000 Concentrator RADIUS VSAs.
Table C-4 Cisco VPN 5000 Concentrator RADIUS VSAs
|
Attribute
|
Number
|
Type of Value
|
Inbound/Outbound
|
Multiple
|
|
CVPN5000-Tunnel-Throughput
|
001
|
Integer
|
Inbound
|
No
|
|
CVPN5000-Client-Assigned-IP
|
002
|
String
|
Inbound
|
No
|
|
CVPN5000-Client-Real-IP
|
003
|
String
|
Inbound
|
No
|
|
CVPN5000-VPN-GroupInfo
|
004
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN5000-VPN-Password
|
005
|
String (maximum length 247 characters)
|
Outbound
|
No
|
|
CVPN5000-Echo
|
006
|
Integer
|
Inbound
|
No
|
|
CVPN5000-Client-Assigned-IPX
|
007
|
Integer
|
Inbound
|
No
|
Cisco Building Broadband Service Manager Dictionary of RADIUS VSA
CiscoSecureACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263. TableC-5 lists the supported Cisco BBSM RADIUS VSA.
Table C-5 Cisco BBSM RADIUS VSA
|
Attribute
|
Number
|
Type of Value
|
Inbound/Outbound
|
Multiple
|
|
CBBSM-Bandwidth
|
001
|
Integer
|
Both
|
No
|
IETF Dictionary of RADIUS AV Pairs
TableC-6 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.
Table C-6 RADIUS (IETF) Attributes
|
Attribute
|
Number
|
Description
|
Type of Value
|
Inbound/Outbound
|
Multiple
|
|
User-Name
|
1
|
Name of the user being authenticated.
|
String
|
Inbound
|
No
|
|
User-Password
|
2
|
User password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications.
|
String
|
Outbound
|
No
|
|
CHAP-Password
|
3
|
PPP (Point-to-Point Protocol) CHAP (Challenge Handshake Authentication Protocol) response to an Access-Challenge.
|
String
|
Outbound
|
No
|
|
NAS-IP Address
|
4
|
IP address of the AAA client that is requesting authentication.
|
Ipaddr
|
Inbound
|
No
|
|
NAS-Port
|
5
|
Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows:
•For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.
•For ordinary synchronous network interfaces, the value is 10xxx.
•For channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc.
•For channels on a basic rate ISDN interface, the value is 3bb0c.
•For other types of interfaces, the value is 6nnss.
|
Integer
|
Inbound
|
No
|
|
Service-Type
|
6
|
Type of service requested or type of service to be provided:
•In a request:
–Framed —For known PPP or SLIP (Serial Line Internet Protocol) connection.
–Administrative User —For enable command.
•In a response:
–Login —Make a connection.
–Framed —Start SLIP or PPP.
–Administrative User —Start an EXEC or enable ok .
–Exec User —Start an EXEC session.
|
Integer
|
Both
|
No
|
|
Framed-Protocol
|
7
|
Framing to be used for framed access.
|
Integer
|
Both
|
No
|
|
Framed-IP-
Address
|
8
|
Address to be configured for the user.
|
—
|
—
|
—
|
|
Framed-IP-
Netmask
|
9
|
IP netmask to be configured for the user when the user is a router to a network. This AV results in a static route being added for Framed-IP-Address with the mask specified.
|
Ipaddr (maximum length 15 characters)
|
Outbound
|
No
|
|
Framed-Routing
|
10
|
Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute.
|
Integer
|
Outbound
|
No
|
|
Filter-Id
|
11
|
Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.
|
String
|
Outbound
|
Yes
|
|
Framed-MTU
|
12
|
Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means.
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Framed-Compression
|
13
|
Compression protocol used for the link. This attribute results in "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.
|
Integer
|
Outbound
|
Yes
|
|
Login-IP-Host
|
14
|
Host to which the user will connect when the Login-Service attribute is included.
|
Ipaddr (maximum length 15 characters)
|
Both
|
Yes
|
|
Login-Service
|
15
|
Service that should be used to connect the user to the login host.
Service is indicated by a numeric value as follows:
•0: Telnet
•1: Rlogin
•2: TCP-Clear
•3: PortMaster
•4: LAT
|
Integer
|
Both
|
No
|
|
Login-TCP-Port
|
16
|
TCP (Transmission Control Protocol) port with which the user is to be connected when the Login-Service attribute is also present.
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Reply-Message
|
18
|
Text to be displayed to the user.
|
String
|
Outbound
|
Yes
|
|
Callback-Number
|
19
|
—
|
String
|
Outbound
|
No
|
|
Callback-Id
|
20
|
—
|
String
|
Outbound
|
No
|
|
Framed-Route
|
22
|
Routing information to be configured for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored.
|
String
|
Outbound
|
Yes
|
|
Framed-IPX-
Network
|
23
|
—
|
Integer
|
Outbound
|
No
|
|
State
|
24
|
Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges.
|
String (maximum length 253 characters)
|
Outbound
|
No
|
|
Class
|
25
|
Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server.
|
String
|
Both
|
Yes
|
|
Vendor-Specific
|
26
|
Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format:
protocol:attribute sep value
protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. The following is an example:
cisco-avpair=
"ip:addr-pool=first"
cisco-avpair=
"shell:priv-lvl=15"
The first example causes the Cisco multiple named IP address pools feature to be activated during IP authorization (during PPP IPCP address assignment). The second example causes a user of a device-hosted administrative session to have immediate access to EXEC commands.
|
String
|
Outbound
|
Yes
|
|
Session-Timeout
|
27
|
Maximum number of seconds of service to be provided to the user before the session terminates. This AV becomes the per-user absolute timeout. This attribute is not valid for PPP sessions.
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Idle-Timeout
|
28
|
Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This AV becomes the per-user session-timeout. This attribute is not valid for PPP sessions.
|
Integer (maximum length 10 characters)
|
Outbound
|
No
|
|
Termination-
Action
|
29
|
—
|
Integer
|
Both
|
No
|
|
Called-Station-Id
|
30
|
Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI.
|
String
|
Inbound
|
No
|
|
Calling-Station-Id
|
31
|
Allows the AAA client to send the telephone number the user called into as part of the access-request packet, using DNIS (Dialed Number Identification Server) or similar technology. This attribute is only supported on ISDN and for modem calls on the CiscoAS5200 if used with PRI (Primary Rate Interface).
|
String
|
Inbound
|
No
|
|
NAS-Identifier
|
32
|
—
|
String
|
Inbound
|
No
|
|
Proxy-State
|
33
|
Included in proxied RADIUS requests per RADIUS standards. The operation of CiscoSecureACS does not depend on the contents of this attribute.
|
String (maximum length 253 characters)
|
Inbound
|
No
|
|
Login-LAT-
Service
|
34
|
System with which the user is to be connected by local area transport (LAT) protocol. This attribute is only available in the EXEC mode.
|
String (maximum length 253 characters)
|
Inbound
|
No
|
|
Login-LAT-Node
|
35
|
—
|
String
|
Inbound
|
No
|
|
Login-LAT-Group
|
36
|
—
|
String
|
Inbound
|
No
|
|
Framed-
AppleTalk-Link
|
37
|
—
|
Integer
|
Outbound
|
No
|
|
Framed-
AppleTalk-
Network
|
38
|
—
|
Integer
|
Outbound
|
Yes
|
|
Framed-
AppleTalk-
Zone
|
39
|
—
|
String
|
Out
|
No
|
|
Acct-Status-Type
|
40
|
Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop).
|
Integer
|
Inbound
|
No
|
|
Acct-Delay-Time
|
41
|
Number of seconds the client has been trying to send a particular record.
|
Integer
|
Inbound
|
No
|
|
Acct-Input-Octets
|
42
|
Number of octets received from the port while this service is being provided.
|
Integer
|
Inbound
|
No
|
|
Acct-Output-
Octets
|
43
|
Number of octets sent to the port while this service is being delivered.
|
Integer
|
Inbound
|
No
|
|
Acct-Session-Id
|
44
|
Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable.
|
String
|
Inbound
|
No
|
|
Acct-Authentic
|
45
|
Way in which the user was authenticated—by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.
|
Integer
|
Inbound
|
No
|
|
Acct-Session-
Time
|
46
|
Number of seconds the user has been receiving service.
|
Integer
|
Inbound
|
No
|
|
Acct-Input-
Packets
|
47
|
Number of packets received from the port while this service is being provided to a framed user.
|
Integer
|
Inbound
|
No
|
|
Acct-Output-
Packets
|
48
|
Number of packets sent to the port while this service is being delivered to a framed user.
|
Integer
|
Inbound
|
No
|
|
Acct-Terminate-
Cause
|
49
|
Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:
•1: User request
•2: Lost carrier
•3: Lost service
•4: Idle timeout
•5: Session-timeout
•6: Admin reset
•7: Admin reboot
•8: Port error
•9: AAA client error
•10: AAA client request
•11: AAA client reboot
•12: Port unneeded
•13: Port pre-empted
•14: Port suspended
•15: Service unavailable
•16: Callback
•17: User error
•18: Host request
|
Integer
|
Inbound
|
No
|
|
Acct-Multi-
Session-Id
|
50
|
—
|
String
|
Inbound
|
No
|
|
Acct-Link-Count
|
51
|
—
|
Integer
|
Inbound
|
No
|
|
Acct-Input-
Gigawords
|
52
|
—
|
Integer
|
Inbound
|
No
|
|
Acct-Output-
Gigawords
|
53
|
—
|
Integer
|
Inbound
|
No
|
|
Event-Timestamp
|
55
|
—
|
Date
|
Inbound
|
No
|
|
CHAP-Challenge
|
60
|
—
|
String
|
Inbound
|
No
|
|
NAS-Port-Type
|
61
|
Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as follows:
•0: Asynchronous
•1: Synchronous
•2: ISDN-Synchronous
•3: ISDN-Asynchronous (V.120)
•4: ISDN- Asynchronous (V.110)
•5: Virtual
|
Integer
|
Inbound
|
No
|
|
Port-Limit
|
62
|
Sets the maximum number of ports to be provided to the user by the network access server.
|
Integer (maximum length 10 characters)
|
Both
|
No
|
|
Login-LAT-Port
|
63
|
—
|
String
|
Both
|
No
|
|
Tunnel-Type
|
64
|
—
|
Tagged integer
|
Both
|
Yes
|
|
Tunnel-Medium-
Type
|
65
|
—
|
Tagged integer
|
Both
|
Yes
|
|
Tunnel-Client-
Endpoint
|
66
|
—
|
tagged string
|
Both
|
Yes
|
|
Tunnel-Server-
Endpoint
|
67
|
—
|
Tagged string
|
Both
|
Yes
|
|
Acct-Tunnel-
Connection
|
68
|
—
|
String
|
Inbound
|
No
|
|
Tunnel-Password
|
69
|
—
|
tagged string
|
Both
|
Yes
|
|
ARAP-Password
|
70
|
—
|
String
|
Inbound
|
No
|
|
ARAP-Features
|
71
|
—
|
String
|
Outbound
|
No
|
|
ARAP-Zone-
Access
|
72
|
—
|
Integer
|
Outbound
|
No
|
|
ARAP-Security
|
73
|
—
|
Integer
|
Inbound
|
No
|
|
ARAP-Security-
Data
|
74
|
—
|
String
|
Inbound
|
No
|
|
Password-Retry
|
75
|
—
|
Integer
|
Internal use only
|
No
|
|
Prompt
|
76
|
—
|
Integer
|
Internal use only
|
No
|
|
Connect-Info
|
77
|
—
|
String
|
Inbound
|
No
|
|
Configuration-
Token
|
78
|
—
|
String
|
Internal use only
|
No
|
|
EAP-Message
|
79
|
—
|
String
|
|
