TACACS+ Attribute-Value Pairs
Terminal Access Controller Access Control System Plus (TACACS+) attribute-value (AV) pairs are used to define specific authentication, authorization, and accounting elements in a user profile that is stored on the TACACS+ daemon. This module lists the TACACS+ AV pairs currently supported.
Contents
•Information About TACACS+ Attribute-Value Pairs
Information About TACACS+ Attribute-Value Pairs
The following sections contain information about TACACS+ Attribute-Value Pairs:
•TACACS+ Authentication and Authorization AV Pairs
The first section lists and describes the supported TACACS+ authentication and authorization AV pairs, and it specifies the Cisco IOS release in which they are implemented. The second section lists and describes the supported TACACS+ accounting AV pairs, and it specifies the Cisco IOS release in which they are implemented.
TACACS+ Authentication and Authorization AV Pairs
Table 1 lists and describes the supported TACACS+ authentication and authorization AV pairs and specifies the Cisco IOS release in which they are implemented.
See "Related Documents" section for the documents used to configure TACACS+, and TACACS+ authentication and authorization.
TACACS+ Accounting AV Pairs
Table 2 lists and describes the supported TACACS+ accounting AV pairs and specifies the Cisco IOS release in which they are implemented.
|
|
|
|
|
|
|
|
|
---|---|---|---|---|---|---|---|---|
Abort-Cause |
If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. |
no |
no |
no |
no |
no |
yes |
yes |
bytes_in |
The number of input bytes transferred during this connection. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
bytes_out |
The number of output bytes transferred during this connection. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
Call-Type |
Describes the type of fax activity: fax receive or fax send. |
no |
no |
no |
no |
no |
yes |
yes |
cmd |
The command the user executed. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
data-rate |
This AV pair has been renamed. See nas-rx-speed. |
|||||||
disc-cause |
Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 3 for a list of Disconnect-Cause values and their meanings. |
no |
no |
no |
yes |
yes |
yes |
yes |
disc-cause-ext |
Extends the disc-cause attribute to support vendor-specific reasons why a connection was taken off-line. |
no |
no |
no |
yes |
yes |
yes |
yes |
elapsed_time |
The elapsed time in seconds for the action. Useful when the device does not keep real time. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
Email-Server- |
Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. |
no |
no |
no |
no |
no |
yes |
yes |
Email-Server-Ack- |
Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. |
no |
no |
no |
no |
no |
yes |
yes |
event |
Information included in the accounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
Fax-Account-Id- |
Indicates the account ID origin as defined by system administrator for the mmoip aaa receive-id or the mmoip aaa send-id command. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Auth-Status |
Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Connect-Speed |
Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Coverpage-Flag |
Indicates whether or not a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated; false means that a cover page was not generated. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Dsn-Address |
Indicates the address to which DSNs will be sent. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Dsn-Flag |
Indicates whether or not DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Mdn-Address |
Indicates the address to which MDNs will be sent. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Mdn-Flag |
Indicates whether or not message delivery notification (MDN) has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Modem-Time |
Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Msg-Id= |
Indicates a unique fax message identification number assigned by Store and Forward Fax. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Pages |
Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Process-Abort- |
Indicates that the fax session was aborted or successful. True means that the session was aborted; false means that the session was successful. |
no |
no |
no |
no |
no |
yes |
yes |
Fax-Recipient-Count |
Indicates the number of recipients for this fax transmission. Until e-mail servers support Session mode, the number should be 1. |
no |
no |
no |
no |
no |
yes |
yes |
Gateway-Id |
Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name |
no |
no |
no |
no |
no |
yes |
yes |
mlp-links-max |
Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. |
no |
no |
no |
yes |
yes |
yes |
yes |
mlp-sess-id |
Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. This attribute is sent in authentication-response packets. |
no |
no |
no |
yes |
yes |
yes |
yes |
nas-rx-speed |
Specifies the average number of bits per second over the course of the connection's lifetime. This attribute is sent in accounting-stop records. |
no |
no |
no |
yes |
yes |
yes |
yes |
nas-tx-speed |
Reports the transmit speed negotiated by the two modems. |
no |
no |
no |
yes |
yes |
yes |
yes |
paks_in |
The number of input packets transferred during this connection. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
paks_out |
The number of output packets transferred during this connection. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
port |
The port the user was logged in to. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
Port-Used |
Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. |
no |
no |
no |
no |
no |
yes |
yes |
pre-bytes-in |
Records the number of input bytes before authentication. This attribute is sent in accounting-stop records. |
no |
no |
no |
yes |
yes |
yes |
yes |
pre-bytes-out |
Records the number of output bytes before authentication. This attribute is sent in accounting-stop records. |
no |
no |
no |
yes |
yes |
yes |
yes |
pre-paks-in |
Records the number of input packets before authentication. This attribute is sent in accounting-stop records. |
no |
no |
no |
yes |
yes |
yes |
yes |
pre-paks-out |
Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
no |
no |
no |
yes |
yes |
yes |
yes |
pre-session-time |
Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. |
no |
no |
no |
yes |
yes |
yes |
yes |
priv_level |
The privilege level associated with the action. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
protocol |
The protocol associated with the action. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
reason |
Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or when accounting is reconfigured (turned on or off). |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
service |
The service the user used. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
start_time |
The time the action started (in seconds since the epoch, 12:00 a.m. Jan 1 1970). The clock must be configured to receive this information. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
stop_time |
The time the action stopped (in seconds since the epoch.) The clock must be configured to receive this information. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
task_id |
Start and stop records for the same event must have matching (unique) task_id numbers. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
timezone |
The time zone abbreviation for all timestamps included in this packet. |
yes |
yes |
yes |
yes |
yes |
yes |
yes |
xmit-rate |
This AV pair has been renamed. See nas-tx-speed. |
Table 3 lists the cause codes and descriptions for the Disconnect Cause Extended (disc-cause-ext) attribute.
Table 3 Disconnect Cause Extensions
Additional References
The following sections provide references related to TACACS+ Attribute-Value Pairs.
Related Documents
|
|
---|---|
TACACS+ authentication |
"Configuring Authentication" module. |
TACACS+ Authorization |
"Configuring Authorization" module. |
TACACS+ accounting |
"Configuring Accounting" module. |
TACACS+ |
"Configuring TACACS+" module. |
Standards
|
|
---|---|
None. |
— |
MIBs
|
|
---|---|
None. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
None. |
— |