RADIUS Vendor-Proprietary Attributes
Last Updated: September 25, 2008
The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. However, some vendors have extended the RADIUS attribute set for specific applications. This document provides Cisco IOS support information for these vendor-proprietary RADIUS attributes.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RADIUS Vendor-Proprietary Attributes" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Supported Vendor-Proprietary RADIUS Attributes
• Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
Supported Vendor-Proprietary RADIUS Attributes
Table 73 lists Cisco-supported vendor-proprietary RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified. Refer to Table 74 for a list of descriptions.
Note: Attributes implemented in special (AA) or early development (T) releases will be added to the next mainline image.
Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
Table 74 lists and describes the known vendor-proprietary RADIUS attributes:
Number | Vendor-Proprietary Attribute | Description |
---|---|---|
17 | Change-Password | Specifies a request to change the password of a user. |
21 | Password-Expiration | Specifies an expiration date for a user's password in the user's file entry. |
68 | Tunnel-ID | (Ascend 5) Specifies the string assigned by RADIUS for each session using CLID or DNIS tunneling. When accounting is implemented, this value is used for accounting. |
108 | My-Endpoint-Disc-Alias | (Ascend 5) No description available. |
109 | My-Name-Alias | (Ascend 5) No description available. |
110 | Remote-FW | (Ascend 5) No description available. |
111 | Multicast-GLeave-Delay | (Ascend 5) No description available. |
112 | CBCP-Enable | (Ascend 5) No description available. |
113 | CBCP-Mode | (Ascend 5) No description available. |
114 | CBCP-Delay | (Ascend 5) No description available. |
115 | CBCP-Trunk-Group | (Ascend 5) No description available. |
116 | Appletalk-Route | (Ascend 5) No description available. |
117 | Appletalk-Peer-Mode | (Ascend 5) No description available. |
118 | Route-Appletalk | (Ascend 5) No description available. |
119 | FCP-Parameter | (Ascend 5) No description available. |
120 | Modem-PortNo | (Ascend 5) No description available. |
121 | Modem-SlotNo | (Ascend 5) No description available. |
122 | Modem-ShelfNo | (Ascend 5) No description available. |
123 | Call-Attempt-Limit | (Ascend 5) No description available. |
124 | Call-Block-Duration | (Ascend 5) No description available. |
125 | Maximum-Call-Duration | (Ascend 5) No description available. |
126 | Router-Preference | (Ascend 5) No description available. |
127 | Tunneling-Protocol | (Ascend 5) No description available. |
128 | Shared-Profile-Enable | (Ascend 5) No description available. |
129 | Primary-Home-Agent | (Ascend 5) No description available. |
130 | Secondary-Home-Agent | (Ascend 5) No description available. |
131 | Dialout-Allowed | (Ascend 5) No description available. |
133 | BACP-Enable | (Ascend 5) No description available. |
134 | DHCP-Maximum-Leases | (Ascend 5) No description available. |
135 | Primary-DNS-Server | Identifies a primary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. |
136 | Secondary-DNS-Server | Identifies a secondary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. |
137 | Client-Assign-DNS | No description available. |
138 | User-Acct-Type | No description available. |
139 | User-Acct-Host | No description available. |
140 | User-Acct-Port | No description available. |
141 | User-Acct-Key | No description available. |
142 | User-Acct-Base | No description available. |
143 | User-Acct-Time | No description available. |
144 | Assign-IP-Client | No description available. |
145 | Assign-IP-Server | No description available. |
146 | Assign-IP-Global-Pool | No description available. |
147 | DHCP-Reply | No description available. |
148 | DHCP-Pool-Number | No description available. |
149 | Expect-Callback | No description available. |
150 | Event-Type | No description available. |
151 | Session-Svr-Key | No description available. |
152 | Multicast-Rate-Limit | No description available. |
153 | IF-Netmask | No description available. |
154 | Remote-Addr | No description available. |
155 | Multicast-Client | No description available. |
156 | FR-Circuit-Name | No description available. |
157 | FR-LinkUp | No description available. |
158 | FR-Nailed-Grp | No description available. |
159 | FR-Type | No description available. |
160 | FR-Link-Mgt | No description available. |
161 | FR-N391 | No description available. |
162 | FR-DCE-N392 | No description available. |
163 | FR-DTE-N392 | No description available. |
164 | FR-DCE-N393 | No description available. |
165 | FR-DTE-N393 | No description available. |
166 | FR-T391 | No description available. |
167 | FR-T392 | No description available. |
168 | Bridge-Address | No description available. |
169 | TS-Idle-Limit | No description available. |
170 | TS-Idle-Mode | No description available. |
171 | DBA-Monitor | No description available. |
172 | Base-Channel-Count | No description available. |
173 | Minimum-Channels | No description available. |
174 | IPX-Route | No description available. |
175 | FT1-Caller | No description available. |
176 | Backup | No description available. |
177 | Call-Type | No description available. |
178 | Group | No description available. |
179 | FR-DLCI | No description available. |
180 | FR-Profile-Name | No description available. |
181 | Ara-PW | No description available. |
182 | IPX-Node-Addr | No description available. |
183 | Home-Agent-IP-Addr | Indicates the home agent's IP address (in dotted decimal format) when using Ascend Tunnel Management Protocol (ATMP). |
184 | Home-Agent-Password | With ATMP, specifies the password that the foreign agent uses to authenticate itself. |
185 | Home-Network-Name | With ATMP, indicates the name of the connection profile to which the home agent sends all packets. |
186 | Home-Agent-UDP-Port | Indicates the UDP port number the foreign agent uses to send ATMP messages to the home agent. |
187 | Multilink-ID | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. The Multilink-ID attribute is sent in authentication-response packets. |
188 | Num-In-Multilink | Reports the number of sessions remaining in a multilink bundle when the session reported in an accounting-stop packet closes. This attribute applies to sessions that are part of a multilink bundle. The Num-In-Multilink attribute is sent in authentication-response packets and in some accounting-request packets. |
189 | First-Dest | Records the destination IP address of the first packet received after authentication. |
190 | Pre-Input-Octets | Records the number of input octets before authentication. The Pre-Input-Octets attribute is sent in accounting-stop records. |
191 | Pre-Output-Octets | Records the number of output octets before authentication. The Pre-Output-Octets attribute is sent in accounting-stop records. |
192 | Pre-Input-Packets | Records the number of input packets before authentication. The Pre-Input-Packets attribute is sent in accounting-stop records. |
193 | Pre-Output-Packets | Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
194 | Maximum-Time | Specifies the maximum length of time (in seconds) allowed for any session. After the session reaches the time limit, its connection is dropped. |
195 | Disconnect-Cause | Specifies the reason a connection was taken offline. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. For more information, refer to the table of Disconnect-Cause Attribute Values and their meanings. |
196 | Connect-Progress | Indicates the connection state before the connection is disconnected. |
197 | Data-Rate | Specifies the average number of bits per second over the course of the connection's lifetime. The Data-Rate attribute is sent in accounting-stop records. |
198 | PreSession-Time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. The PreSession-Time attribute is sent in accounting-stop records. |
199 | Token-Idle | Indicates the maximum amount of time (in minutes) a cached token can remain alive between authentications. |
201 | Require-Auth | Defines whether additional authentication is required for a class that has been CLID authenticated. |
202 | Number-Sessions | Specifies the number of active sessions (per class) reported to the RADIUS accounting server. |
203 | Authen-Alias | Defines the RADIUS server's login name during PPP authentication. |
204 | Token-Expiry | Defines the lifetime of a cached token. |
205 | Menu-Selector | Defines a string to be used to cue a user to input data. |
206 | Menu-Item | Specifies a single menu-item for a user-profile. Up to 20 menu items can be assigned per profile. |
207 | PW-Warntime | (Ascend 5) No description available. |
208 | PW-Lifetime | Enables you to specify on a per-user basis the number of days that a password is valid. |
209 | IP-Direct | When you include this attribute in a user's file entry, a framed route is installed to the routing and bridging tables. Note: Packet routing is dependent upon the entire table, not just this newly installed entry. The inclusion of this attribute does not guarantee that all packets should be sent to the specified IP address; thus, this attribute is not fully supported. |
210 | PPP-VJ-Slot-Comp | Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link. |
211 | PPP-VJ-1172 | Instructs PPP to use the 0x0037 value for VJ compression. |
212 | PPP-Async-Map | Gives the Cisco router the asynchronous control character map for the PPP session. The specified control characters are passed through the PPP link as data and used by applications running over the link. |
213 | Third-Prompt | Defines a third prompt (after username and password) for additional user input. |
214 | Send-Secret | Enables an encrypted password to be used in place of a regular password in outdial profiles. |
215 | Receive-Secret | Enables an encrypted password to be verified by the RADIUS server. |
216 | IPX-Peer-Mode | (Ascend 5) No description available. |
217 | IP-Pool-Definition | Defines a pool of addresses using the following format: X a.b.c Z; where X is the pool index number, a.b.c is the pool's starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment. |
218 | Assign-IP-Pool | Tells the router to assign the user an IP address from the IP pool. |
219 | FR-Direct | Defines whether the connection profile operates in Frame Relay redirect mode. |
220 | FR-Direct-Profile | Defines the name of the Frame Relay profile carrying this connection to the Frame Relay switch. |
221 | FR-Direct-DLCI | Indicates the DLCI carrying this connection to the Frame Relay switch. |
222 | Handle-IPX | Indicates how NCP watchdog requests will be handled. |
223 | Netware-Timeout | Defines, in minutes, how long the RADIUS server responds to NCP watchdog packets. |
224 | IPX-Alias | Allows you to define an alias for IPX routers requiring numbered interfaces. |
225 | Metric | No description available. |
226 | PRI-Number-Type | No description available. |
227 | Dial-Number | Defines the number to dial. |
228 | Route-IP | Indicates whether IP routing is allowed for the user's file entry. |
229 | Route-IPX | Allows you to enable IPX routing. |
230 | Bridge | No description available. |
231 | Send-Auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. |
232 | Send-Passwd | Enables the RADIUS server to specify the password that is sent to the remote end of a connection on outgoing calls. |
233 | Link-Compression | Defines whether to turn on or turn off "stac" compression over a PPP link. Link compression is defined as a numeric value as follows: 0: None; 1: Stac; 2: Stac-Draft-9; 3: MS-Stac. |
234 | Target-Util | Specifies the load-threshold percentage value for bringing up an additional channel when PPP multilink is defined. |
235 | Maximum-Channels | Specifies the allowed/allocatable maximum number of channels. |
236 | Inc-Channel-Count | No description available. |
237 | Dec-Channel-Count | No description available. |
238 | Seconds-of-History | No description available. |
239 | History-Weigh-Type | No description available. |
240 | Add-Seconds | No description available. |
241 | Remove-Seconds | No description available. |
242 | Data-Filter | Defines per-user IP data filters. These filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied on a first-match basis; therefore, the order in which filter entries are entered is important. |
243 | Call-Filter | Defines per-user IP data filters. On a Cisco router, this attribute is identical to the Data-Filter attribute. |
244 | Idle-Limit | Specifies the maximum time (in seconds) that any session can be idle. When the session reaches the idle time limit, its connection is dropped. |
245 | Preempt-Limit | No description available. |
246 | Callback | Allows you to enable or disable callback. |
247 | Data-Svc | No description available. |
248 | Force-56 | Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available. |
249 | Billing Number | No description available. |
250 | Call-By-Call | No description available. |
251 | Transit-Number | No description available. |
252 | Host-Info | No description available. |
253 | PPP-Address | Indicates the IP address reported to the calling unit during PPP IPCP negotiations. |
254 | MPP-Idle-Percent | No description available. |
255 | Xmit-Rate | (Ascend 5) No description available. |
For more information on vendor-proprietary RADIUS attributes, refer to the section "Configuring Router for Vendor-Proprietary RADIUS Server Communication" in the chapter "Configuring RADIUS."
Feature Information for RADIUS Vendor-Proprietary Attributes
Table 75 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 75 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.