
Updated:
January 21, 2018


Appendix: FlexVPN RADIUS Attributes

This chapter describes the RADIUS attributes supported by the FlexVPN server.


FlexVPN RADIUS Attributes

The following are the RADIUS attribute categories used by the FlexVPN server:

  • Inbound and bidirectional IETF RADIUS attributes

  • Outbound Local

  • Outbound Remote

Note: For inbound attributes sent by the FlexVPN server to RADIUS that are not listed below, the value is set by the AAA system.


Attribute: User-Name
Type: IETF
Format: String
Attribute ID: 1
Description: This attribute is sent by the FlexVPN server to RADIUS and is derived as follows:
  • AAA-based preshared keys: peer IKEv2 identity
  • EAP authentication: peer EAP identity
  • User or group authorization: output of the name mangler, or the string specified in the IKEv2 profile authorization commands
  • Accounting: peer EAP identity or IKEv2 identity
The attribute may also be received from RADIUS in an Access-Accept after successful EAP authentication; it then specifies the authenticated peer EAP identity.

Attribute: User-Password
Type: IETF
Format: String
Attribute ID: 2
Description: This attribute is sent by the FlexVPN server to RADIUS and is derived as follows:
  • AAA-based preshared keys: "cisco"
  • User/group authorization: "cisco"

Attribute: Calling-Station-ID
Type: IETF
Format: String
Attribute ID: 31
Description: This attribute is sent by the FlexVPN server to RADIUS and is derived as follows:
  • AAA-based preshared keys: IKEv2 initiator address
  • EAP authentication: IKEv2 initiator address
  • User/group authorization: IKEv2 initiator address

Attribute: Service-Type
Type: IETF
Format: String
Attribute ID: 6
Description: This attribute is used by the FlexVPN server for EAP authentication; its value is set to 'Login'.

Attribute: EAP-Message
Type: IETF
Format: String
Attribute ID: 79
Description: This attribute is used by the FlexVPN server for EAP authentication to relay EAP packets between the EAP server and the remote access client.

Attribute: Message-Authenticator
Type: IETF
Format: String
Attribute ID: 80
Description: This attribute is sent by the FlexVPN server for EAP authentication. Its value is set by the AAA subsystem.

Attribute: Framed-Pool
Type: IETF
Format: String
Attribute ID: 88
Local config: pool name
RADIUS config: Framed-Pool=pool-name
Description: Specifies the name of the IPv4 address pool from which the FlexVPN server allocates the IPv4 address assigned to the client. The allocated address is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_ADDRESS.

Attribute: ipsec:group-dhcp-server
Type: Cisco AV Pair
Format: String
Local config: dhcp server {ipaddr | host}
RADIUS config: cisco-avpair="ipsec:group-dhcp-server=ipaddr"
Description: Specifies the IPv4 DHCP server from which the FlexVPN server leases the IPv4 address assigned to the client. The leased address is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_ADDRESS.

Attribute: ipsec:dhcp-giaddr
Type: Cisco AV Pair
Format: IPaddr
Local config: dhcp giaddr ipaddr
RADIUS config: cisco-avpair="ipsec:dhcp-giaddr=ipaddr"
Description: Specifies the IPv4 DHCP gateway IP address (giaddr) that the FlexVPN server uses to contact the DHCP server.

Attribute: ipsec:dhcp-timeout
Type: Cisco AV Pair
Format: Integer
Local config: dhcp timeout seconds
RADIUS config: cisco-avpair="ipsec:dhcp-timeout=seconds"
Description: Specifies the time, in seconds, that the FlexVPN server waits for a response from the IPv4 DHCP server before timing out.

Attribute: ipsec:ipv6-addr-pool
Type: Cisco AV Pair
Format: String
Local config: ipv6 pool name
RADIUS config: cisco-avpair="ipsec:ipv6-addr-pool=pool-name"
Description: Specifies the name of the IPv6 address pool from which the FlexVPN server allocates the IPv6 address assigned to the client. The allocated address is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP6_ADDRESS.

Attribute: ipsec:route-set=prefix
Type: Cisco AV Pair
Format: String
Local config: N/A
RADIUS config: cisco-avpair="ipsec:route-set=prefix prefix/length"
Example: ipsec:route-set=prefix 192.168.1.0/24
Description: Specifies a subnet protected by the FlexVPN server. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_SUBNET.
Note: This AV pair was introduced in Cisco IOS Release 15.2(2)T.

Attribute: ipsec:route-set=interface
Type: Cisco AV Pair
Format: String
Local config: route set interface
RADIUS config: cisco-avpair="ipsec:route-set=interface"
Description: This attribute is used locally and enables sending the VPN interface IP address to the peer via the IKEv2 standard configuration attribute INTERNAL_IP4_SUBNET. This allows routing protocols such as BGP to run over the VPN.
Note: In Cisco IOS Release 15.2(2)T, this AV pair replaced the "ipsec:route-set-interface" AV pair.

Attribute: ipsec:route-accept
Type: Cisco AV Pair
Format: String
Local config: route accept any [tag tag-id] [distance distance]
RADIUS config: cisco-avpair="ipsec:route-accept=any [tag:tag] [distance:distance]"
Example: ipsec:route-accept=any tag=100
Description: This attribute is used locally and specifies the filter for the subnets received from the peer via the IKEv2 standard configuration attribute INTERNAL_IP4_SUBNET. The attribute also specifies the tag and distance for the routes that IKEv2 adds for the filtered subnets.
Note: In Cisco IOS Release 15.2(2)T, the AV pair "ipsec:route-accept=any" replaced "ipsec:route-accept=accept acl:any", and the AV pair "ipsec:route-accept=none" replaced "ipsec:route-accept=deny".

Attribute: ipsec:ipsec-flow-limit
Type: Cisco AV Pair
Format: Integer
Local config: ipsec flow-limit limit
RADIUS config: cisco-avpair="ipsec:ipsec-flow-limit=limit"
Description: This attribute is used by the FlexVPN server and specifies the maximum number of IPsec SAs that an IPsec dVTI session can have. There is no limit by default. This parameter is similar to the crypto ipsec profile and set security-policy limit commands.

Attribute: ip:interface-config
Type: Cisco AV Pair
Format: String
Local config:
  aaa attribute list list
  attribute type interface-config string
RADIUS config: cisco-avpair="ip:interface-config=interface cmd string"
Example: ip:interface-config=ip vrf forwarding red
Description: This attribute is used locally and specifies an interface configuration mode command string that is applied to the virtual access interface for the session. For local configuration, the IKEv2 authorization policy points to an AAA attribute list that must contain the interface-config attribute.

Attribute: Tunnel-Type
Type: IETF
Format: Integer
Attribute ID: 64
RADIUS config: Tunnel-Type=type
Description: This attribute specifies the tunnel type (ESP, AH, GRE, and so on) and is received when the FlexVPN server fetches the preshared key for the session from the RADIUS server.

Attribute: Tunnel-Medium-Type
Type: IETF
Format: Integer
Attribute ID: 65
RADIUS config: Tunnel-Medium-Type=type
Description: This attribute specifies the tunnel transport type (IPv4, IPv6, and so on) and is received when the FlexVPN server fetches the preshared key for the session from the RADIUS server.

Attribute: Tunnel-Password
Type: IETF
Format: String
Attribute ID: 69
RADIUS config: Tunnel-Password=string
Description: This attribute specifies the symmetric preshared key and is received when the FlexVPN server fetches the preshared key for the session from the RADIUS server.

Attribute: ipsec:ikev2-password-local
Type: Cisco AV Pair
Format: String
RADIUS config: cisco-avpair="ipsec:ikev2-password-local=string"
Description: This attribute specifies the local preshared key and is received when the FlexVPN server fetches the preshared key for the session from the RADIUS server.

Attribute: ipsec:ikev2-password-remote
Type: Cisco AV Pair
Format: String
RADIUS config: cisco-avpair="ipsec:ikev2-password-remote=string"
Description: This attribute specifies the remote preshared key and is received when the FlexVPN server fetches the preshared key for the session from the RADIUS server.

Attribute: Framed-IP-Address
Type: IETF
Format: IPaddr
Attribute ID: 8
RADIUS config: Framed-IP-Address=ipaddr
Description: Specifies the IPv4 address assigned to the client. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_ADDRESS.

Attribute: Framed-IP-Netmask
Type: IETF
Format: IPaddr
Attribute ID: 9
Local config: netmask mask
RADIUS config: Framed-IP-Netmask=mask
Description: Specifies the subnet mask of the IPv4 address assigned to the client. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_NETMASK.

Attribute: ipsec:dns-servers
Type: Cisco AV Pair
Format: String
Local config: dns primary [secondary]
RADIUS config: cisco-avpair="ipsec:dns-servers=primary secondary"
Description: Specifies the primary and secondary IPv4 DNS servers for the client. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_DNS.

Attribute: ipsec:wins-servers
Type: Cisco AV Pair
Format: String
Local config: wins primary [secondary]
RADIUS config: cisco-avpair="ipsec:wins-servers=primary secondary"
Description: Specifies the primary and secondary IPv4 WINS servers for the client. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_NBNS.

Attribute: ipsec:route-set=access-list
Type: Cisco AV Pair
Format: String
Local config: route set access-list {acl-name | acl-number}
RADIUS config: cisco-avpair="ipsec:route-set=access-list {acl-name | acl-number}"
Description: Specifies the IPv4 subnets protected by the FlexVPN server. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP4_SUBNET.
Note: In Cisco IOS Release 15.2(2)T, this AV pair replaced the "ipsec:inacl" AV pair.

Attribute: ipsec:addrv6
Type: Cisco AV Pair
Format: String
RADIUS config: cisco-avpair="ipsec:addrv6=ipv6-addr"
Description: Specifies the IPv6 address assigned to the client. This is pushed to the client in the first 16 bytes of the IKEv2 standard configuration attribute INTERNAL_IP6_ADDRESS.

Attribute: ipsec:prefix-len
Type: Cisco AV Pair
Format: Integer
Local config: N/A
RADIUS config: cisco-avpair="ipsec:prefix-len=value"
Example: ipsec:prefix-len=24
Description: Specifies the prefix length of the IPv6 address assigned to the client. This is pushed to the client in the last (17th) byte of the IKEv2 standard configuration attribute INTERNAL_IP6_ADDRESS.

Attribute: ipsec:ipv6-dns-servers-addr
Type: Cisco AV Pair
Format: String
Local config: ipv6 dns primary [secondary]
RADIUS config: cisco-avpair="ipsec:ipv6-dns-servers-addr=ipaddr1 ipaddr2"
Description: Specifies the primary and secondary IPv6 DNS servers for the client. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP6_DNS.

Attribute: ipsec:route-set=access-list ipv6
Type: Cisco AV Pair
Format: String
Local config: route set access-list ipv6 acl-name
RADIUS config: cisco-avpair="ipsec:route-set=access-list ipv6 acl-name"
Description: Specifies the IPv6 subnets protected by the FlexVPN server. This is pushed to the client via the IKEv2 standard configuration attribute INTERNAL_IP6_SUBNET.
Note: In Cisco IOS Release 15.2(2)T, this AV pair replaced the "ipsec:ipv6-subnet-acl" AV pair.

Attribute: ipsec:banner
Type: Cisco AV Pair
Format: String
Local config: banner text
RADIUS config: cisco-avpair="ipsec:banner=text"
Description: Specifies the banner text. This is pushed to the client via the Cisco Unity attribute MODECFG_BANNER.

Attribute: ipsec:default-domain
Type: Cisco AV Pair
Format: String
Local config: def-domain name
RADIUS config: cisco-avpair="ipsec:default-domain=name"
Description: Specifies the default domain. This is pushed to the client via the Cisco Unity attribute MODECFG_DEFDOMAIN.

Attribute: ipsec:split-dns
Type: Cisco AV Pair
Format: String
Local config: split-dns name
RADIUS config: cisco-avpair="ipsec:split-dns=name"
Description: Specifies a split DNS name. This is pushed to the client via the Cisco Unity attribute MODECFG_SPLITDNS_NAME. You can configure up to 10 split DNS names.

Attribute: ipsec:ipsec-backup-gateway
Type: Cisco AV Pair
Format: String
Local config: backup-gateway name
RADIUS config: cisco-avpair="ipsec:ipsec-backup-gateway=name"
Description: Specifies a backup gateway. This is pushed to the client via the Cisco Unity attribute MODECFG_BACKUPSERVERS. You can configure up to 10 backup gateways.

Attribute: ipsec:pfs
Type: Cisco AV Pair
Format: Integer
Local config: pfs
RADIUS config: cisco-avpair="ipsec:pfs=value"
Description: Enables or disables IPsec PFS (Perfect Forward Secrecy). This is pushed to the client via the Cisco Unity attribute MODECFG_PFS. The value must be 0 to disable and 1 to enable.

Attribute: ipsec:include-local-lan
Type: Cisco AV Pair
Format: Integer
Local config: include-local-lan
RADIUS config: cisco-avpair="ipsec:include-local-lan=value"
Description: Enables or disables the include-local-LAN option. This is pushed to the client via the Cisco Unity attribute MODECFG_INCLUDE_LOCAL_LAN. The value must be 0 to disable and 1 to enable.

Attribute: ipsec:smartcard-removal-disconnect
Type: Cisco AV Pair
Format: Integer
Local config: smartcard-removal-disconnect
RADIUS config: cisco-avpair="ipsec:smartcard-removal-disconnect=value"
Description: Enables or disables disconnecting the session on smartcard removal. This is pushed to the client via the Cisco Unity attribute MODECFG_SMARTCARD_REMOVAL_DISCONNECT. The value must be 0 to disable and 1 to enable.

Attribute: ipsec:configuration-url
Type: Cisco AV Pair
Format: String
Local config: configuration url url
RADIUS config: cisco-avpair="ipsec:configuration-url=url"
Description: Specifies the URL for configuration download. This is pushed to the client via the Cisco FlexVPN attribute MODECFG_CONFIG_URL.

Attribute: ipsec:configuration-version
Type: Cisco AV Pair
Format: Integer
Local config: configuration version version
RADIUS config: cisco-avpair="ipsec:configuration-version=version"
Description: Specifies the version of the configuration to download. This is pushed to the client via the Cisco FlexVPN attribute MODECFG_CONFIG_VERSION.
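As an added example (not part of the Cisco documentation), the following Python script audits a FlexVPN RADIUS authorization profile, written in the notation the table above uses (Name=value for IETF attributes, cisco-avpair="ns:key=value" for Cisco AV pairs), against the formats and limits the table documents: Integer and 0/1 values, IPv4 versus IPv6 addresses, the route-set forms, the pre-15.2(2)T attribute names from the notes, and the limit of 10 split DNS names and backup gateways. It also catches a space after the "ipsec:" prefix, which makes the AV pair name differ from the documented one. The profile lines, pool name, ACL number and addresses are constructed placeholders; the script reads plain text and does not talk to a RADIUS server.

```python
"""Offline sanity check for a FlexVPN RADIUS authorization profile (constructed example,
not Cisco code). Lines use the table's notation: Name=value or cisco-avpair="ns:key=value"."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

def _any(v: str) -> Optional[str]:  # checkers return an error message, or None if the value is fine
    return None

def _int(v: str) -> Optional[str]:
    return None if v.isdigit() else f"expected an integer, got {v!r}"

def _bool(v: str) -> Optional[str]:
    return None if v in ("0", "1") else f"must be 0 (disable) or 1 (enable), got {v!r}"

def _ips(version: int, max_count: int) -> Callable[[str], Optional[str]]:
    def check(v: str) -> Optional[str]:  # one to max_count space-separated addresses of one IP version
        parts = v.split()
        try:
            ok = 1 <= len(parts) <= max_count and all(ipaddress.ip_address(p).version == version for p in parts)
        except ValueError:
            ok = False
        return None if ok else f"expected 1..{max_count} IPv{version} addresses, got {v!r}"
    return check

def _route_set(v: str) -> Optional[str]:
    """Forms in the table: interface | prefix A.B.C.D/len | access-list [ipv6] name."""
    w = v.split()
    if len(w) == 2 and w[0] == "prefix":
        try:
            ipaddress.ip_network(w[1], strict=True)  # strict rejects host bits, e.g. 192.168.1.5/24
        except ValueError:
            return f"{w[1]!r} is not a valid prefix/length"
        return None
    ok = w == ["interface"] or w[:1] == ["access-list"] and len(w) == (3 if w[1:2] == ["ipv6"] else 2)
    return None if ok else f"unexpected route-set form {v!r}"

# Attribute names and formats from the table above.
CATALOGUE: Dict[str, Callable[[str], Optional[str]]] = {
    "Framed-Pool": _any, "Framed-IP-Address": _ips(4, 1), "Framed-IP-Netmask": _ips(4, 1),
    "Tunnel-Type": _int, "Tunnel-Medium-Type": _int, "Tunnel-Password": _any,
    "ipsec:group-dhcp-server": _any, "ipsec:dhcp-giaddr": _ips(4, 1), "ipsec:dhcp-timeout": _int,
    "ipsec:ipv6-addr-pool": _any, "ipsec:route-set": _route_set, "ipsec:route-accept": _any,
    "ipsec:ipsec-flow-limit": _int, "ip:interface-config": _any, "ipsec:ikev2-password-local": _any,
    "ipsec:ikev2-password-remote": _any, "ipsec:dns-servers": _ips(4, 2), "ipsec:wins-servers": _ips(4, 2),
    "ipsec:addrv6": _ips(6, 1), "ipsec:prefix-len": _int, "ipsec:ipv6-dns-servers-addr": _ips(6, 2),
    "ipsec:banner": _any, "ipsec:default-domain": _any, "ipsec:split-dns": _any,
    "ipsec:ipsec-backup-gateway": _any, "ipsec:pfs": _bool, "ipsec:include-local-lan": _bool,
    "ipsec:smartcard-removal-disconnect": _bool, "ipsec:configuration-url": _any, "ipsec:configuration-version": _int,
}
REPEAT_LIMIT = {"ipsec:split-dns": 10, "ipsec:ipsec-backup-gateway": 10}  # "up to 10" in the table
DEPRECATED = {  # pre-15.2(2)T names from the notes above, mapped to their replacements
    "ipsec:inacl": "ipsec:route-set=access-list", "ipsec:route-set-interface": "ipsec:route-set=interface",
    "ipsec:ipv6-subnet-acl": "ipsec:route-set=access-list ipv6",
}
AVPAIR_RE = re.compile(r'^cisco-avpair="([a-z]+:[a-z0-9-]+)(?:=(.*))?"$')
IETF_RE = re.compile(r"^(?!cisco-avpair)([A-Za-z-]+)=(.*)$")

def parse_attribute(line: str) -> Tuple[str, str]:
    """Return (name, value); AV pairs yield 'ns:key' as the name. A space after the
    colon ('ipsec: key') matches neither pattern and is reported as malformed."""
    line = line.strip()
    m = AVPAIR_RE.match(line) or IETF_RE.match(line)
    if not m:
        raise ValueError(f'malformed attribute line (want Name=value or cisco-avpair="ns:key=value"): {line}')
    return m.group(1), m.group(2) or ""

def audit_profile(lines: List[str]) -> List[str]:
    """Check one session's attributes; returns findings (an empty list means clean)."""
    findings: List[str] = []
    counts: Dict[str, int] = {}
    for line in lines:
        try:
            name, value = parse_attribute(line)
        except ValueError as exc:
            findings.append(f"ERROR {exc}")
            continue
        counts[name] = counts.get(name, 0) + 1
        if name in DEPRECATED:
            findings.append(f"WARN {name}: pre-15.2(2)T form, use {DEPRECATED[name]}")
        elif name not in CATALOGUE:
            findings.append(f"WARN {name}: not in the FlexVPN attribute table")
        elif err := CATALOGUE[name](value):
            findings.append(f"ERROR {name}={value}: {err}")
    for name, limit in REPEAT_LIMIT.items():
        if counts.get(name, 0) > limit:
            findings.append(f"ERROR {name}: {counts[name]} values, at most {limit} allowed")
    return findings

GOOD_PROFILE = [  # constructed sample; pool name, VRF and addresses are placeholders
    "Framed-Pool=flex-pool", 'cisco-avpair="ipsec:route-set=prefix 192.168.1.0/24"',
    'cisco-avpair="ipsec:dns-servers=10.0.0.53 10.0.1.53"', 'cisco-avpair="ipsec:pfs=1"',
    'cisco-avpair="ip:interface-config=ip vrf forwarding red"', 'cisco-avpair="ipsec:route-accept=any tag:100"']
BAD_PROFILE = ['cisco-avpair="ipsec: dhcp-giaddr=10.0.0.1"',           # space after the colon
               'cisco-avpair="ipsec:pfs=yes"',                          # not 0/1
               'cisco-avpair="ipsec:route-set=prefix 192.168.1.5/24"',  # host bits set
               'cisco-avpair="ipsec:inacl=101"',                        # pre-15.2(2)T name
               "Tunnel-Medium-Type=ipv4",                               # Integer format expected
               ] + [f'cisco-avpair="ipsec:split-dns=site{i}.example"' for i in range(11)]
```

Running `audit_profile(GOOD_PROFILE)` returns an empty list; `audit_profile(BAD_PROFILE)` returns one ERROR or WARN line per defect, including a final line for the eleventh split DNS name. The catalogue only encodes what the table states, so string-typed attributes such as ip:interface-config and route-accept pass any value; extend the checkers before relying on the script as a gate for those.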

