Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
RADIUS Attributes

Cisco Secure Access Control Server for Windows NT/2000 Servers Version 3.0 (Cisco Secure ACS) provides support for many RADIUS attributes. This appendix lists the standard attributes, vendor-proprietary attributes, and vendor-specific attributes supported by Cisco Secure ACS for the following vendors' implementations of RADIUS:

  • Cisco IOS RADIUS
  • Cisco VPN 3000 Concentrator RADIUS
  • Cisco VPN 5000 Concentrator RADIUS
  • Cisco Building Broadband Service Manager RADIUS
  • Microsoft RADIUS
  • Ascend RADIUS
  • Nortel RADIUS
  • Juniper RADIUS
  • Internet Engineering Task Force (IETF) RADIUS

You can enable different AV pairs for any supported vendor. The supported RADIUS AV pairs specific to each vendor are listed in this appendix.

Cisco IOS Dictionary of RADIUS AV Pairs

Cisco Secure ACS supports Cisco IOS RADIUS attribute-value (AV) pairs. Before selecting AV pairs for Cisco Secure ACS, confirm that your AAA client is a compatible release of Cisco IOS or compatible AAA client software. For more information, see the "System Requirements" section.


Note   If you specify a given AV pair on Cisco Secure ACS, the corresponding AV pair must be implemented in the Cisco IOS software running on the network device. Always take into consideration which AV pairs your Cisco IOS release supports. If Cisco Secure ACS sends an AV pair that the Cisco IOS software does not support, the attribute is not implemented.


Note   Beginning with Cisco Secure ACS version 2.3, some RADIUS attributes do not appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:

   8, Framed-IP-Address
   19, Callback-Number
   218, Ascend-Assign-IP-Pool

These attributes also cannot be set via RDBMS Synchronization.

Table D-1 lists the supported Cisco IOS RADIUS AV pairs.

Table D-1   Cisco IOS Software RADIUS AV Pairs

Attribute             Number  Type of Value

User-Name             1       string
User-Password         2       string
CHAP-Password         3       string
NAS-IP Address        4       ipaddr
NAS-Port              5       integer
Service-Type          6       integer
Framed-Protocol       7       integer
Framed-IP-Netmask     9       ipaddr
Framed-Routing        10      integer
Filter-Id             11      string
Framed-MTU            12      integer
Framed-Compression    13      integer
Login-IP-Host         14      ipaddr
Login-Service         15      integer
Login-TCP-Port        16      integer
Old-Password          17      string
Reply-Message         18      string
Expiration            21      date
Framed-Route          22      string
State                 24      string
Class                 25      string
Vendor specific       26      string
Session-Timeout       27      integer
Idle-Timeout          28      integer
Called-Station-ID     30      string
Calling-Station-ID    31      string
Login-LAT-Service     33      string
Acct-Status-Type      40      integer
Acct-Delay-Time       41      integer
Acct-Input-Octets     42      integer
Acct-Output-Octets    43      integer
Acct-Session-ID       44      string
Acct-Authentic        45      integer
Acct-Session-Time     46      integer
Acct-Input-Packets    47      integer
Acct-Output-Packets   48      integer
Acct-Terminate-Cause  49      integer
NAS-Port-Type         61      integer
NAS-Port-Limit        62      integer

Cisco IOS/PIX Dictionary of RADIUS VSAs

Cisco Secure ACS supports Cisco IOS/PIX vendor-specific attributes (VSAs). The vendor ID for this Cisco RADIUS Implementation is 009. Table D-2 lists the supported Cisco IOS/PIX RADIUS VSAs.


Note   For a discussion of Cisco IOS/PIX RADIUS VSA 1, cisco-av-pair, see AV pair 26 in Table D-7.


Note   For details about the Cisco IOS H.323 VSAs, refer to Cisco IOS Voice-over-IP documentation.


Note   For details about the Cisco IOS Node Route Processor-Service Selection Gateway VSAs (VSAs 250, 251, and 252), refer to Cisco IOS documentation.

Table D-2   Cisco IOS/PIX RADIUS VSAs

Attribute                    Number  Type of Value

cisco-av-pair                1       string
cisco-vsa-port-string        2       string
cisco-h323-remote-address    23      string
cisco-h323-conf-id           24      string
cisco-h323-setup-time        25      string
cisco-h323-call-origin       26      string
cisco-h323-call-type         27      string
cisco-h323-connect-time      28      string
cisco-h323-disconnect-time   29      string
cisco-h323-disconnect-cause  30      string
cisco-h323-voice-quality     31      string
cisco-h323-gw-id             33      string
cisco-h323-incoming-conn-id  35      string
cisco-h323-credit-amount     101     string
cisco-h323-credit-time       102     string
cisco-h323-return-code       103     string
cisco-h323-prompt-id         104     string
cisco-h323-day-and-time      105     string
cisco-h323-redirect-number   106     string
cisco-h323-preferred-lang    107     string
cisco-h323-redirect-ip-addr  108     string
cisco-h323-billing-model     109     string
cisco-h323-currency          110     string
cisco-ssg-account-info       250     string
cisco-ssg-service-info       251     string
cisco-ssg-control-info       253     string

Cisco VPN 3000 Concentrator Dictionary of RADIUS VSAs

Cisco Secure ACS supports Cisco VPN 3000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076. Table D-3 lists the supported Cisco VPN 3000 Concentrator RADIUS VSAs.


Note   Some of the RADIUS VSAs supported by Cisco VPN 3000 Concentrators are interdependent. Before you implement them, we recommend that you refer to Cisco VPN 3000-series Concentrator documentation.

Table D-3   Cisco VPN 3000 Concentrator RADIUS VSAs

Attribute                                           Number  Type of Value

CVPN3000-Access-Hours                               1       string
CVPN3000-Simultaneous-Logins                        2       integer
CVPN3000-Primary-DNS                                5       ipaddr
CVPN3000-Secondary-DNS                              6       ipaddr
CVPN3000-Primary-WINS                               7       ipaddr
CVPN3000-Secondary-WINS                             8       ipaddr
CVPN3000-SEP-Card-Assignment                        9       integer
CVPN3000-Tunneling-Protocols                        11      integer
CVPN3000-IPSec-Sec-Association                      12      string
CVPN3000-IPSec-Authentication                       13      integer
CVPN3000-IPSec-Banner1                              15      string
CVPN3000-IPSec-Allow-Passwd-Store                   16      integer
CVPN3000-Use-Client-Address                         17      integer
CVPN3000-PPTP-Encryption                            20      integer
CVPN3000-L2TP-Encryption                            21      integer
CVPN3000-IPSec-Split-Tunnel-List                    27      string
CVPN3000-IPSec-Default-Domain                       28      string
CVPN3000-IPSec-Tunnel-Type                          30      integer
CVPN3000-IPSec-Mode-Config                          31      integer
CVPN3000-IPSec-User-Group-Lock                      33      integer
CVPN3000-IPSec-Over-UDP                             34      integer
CVPN3000-IPSec-Over-UDP-Port                        35      integer
CVPN3000-IPSec-Banner2                              36      string
CVPN3000-PPTP-MPPC-Compression                      37      integer
CVPN3000-L2TP-MPPC-Compression                      38      integer
CVPN3000-IPSec-IP-Compression                       39      integer
CVPN3000-IPSec-IKE-Peer-ID-Check                    40      integer
CVPN3000-IKE-Keep-Alives                            41      integer
CVPN3000-IPSec-Auth-On-Rekey                        42      integer
CVPN3000-Required-Client-Firewall-Vendor-Code       45      integer
CVPN3000-Required-Client-Firewall-Product-Code      46      integer
CVPN3000-Required-Client-Firewall-Description       47      string
CVPN3000-Require-HW-Client-Auth                     48      integer
CVPN3000-Require-Individual-User-Auth               49      integer
CVPN3000-Authenticated-User-Idle-Timeout            50      integer
CVPN3000-Cisco-IP-Phone-Bypass                      51      integer
CVPN3000-User-Auth-Server-Name                      52      string
CVPN3000-User-Auth-Server-Port                      53      integer
CVPN3000-User-Auth-Server-Secret                    54      string
CVPN3000-IPSec-Split-Tunneling-Policy               55      integer
CVPN3000-IPSec-Required-Client-Firewall-Capability  56      integer
CVPN3000-IPSec-Client-Firewall-Filter-Name          57      string
CVPN3000-IPSec-Client-Firewall-Filter-Optional      58      integer
CVPN3000-IPSec-Backup-Servers                       59      integer
CVPN3000-IPSec-Backup-Server-List                   60      string
CVPN3000-Strip-Realm                                135     integer

Cisco VPN 5000 Concentrator Dictionary of RADIUS VSAs

Cisco Secure ACS supports the Cisco VPN 5000 RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 255. Table D-4 lists the supported Cisco VPN 5000 Concentrator RADIUS VSAs.

Table D-4   Cisco VPN 5000 Concentrator RADIUS VSAs

Attribute                     Number  Type of Value

CVPN5000-Tunnel-Throughput    001     integer
CVPN5000-Client-Assigned-IP   002     string
CVPN5000-Client-Real-IP       003     string
CVPN5000-VPN-GroupInfo        004     string
CVPN5000-VPN-Password         005     string
CVPN5000-Echo                 006     integer
CVPN5000-Client-Assigned-IPX  007     integer

Cisco Building Broadband Service Manager Dictionary of RADIUS VSA

Cisco Secure ACS supports a Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263. Table D-5 lists the supported Cisco BBSM RADIUS VSA.

Table D-5   Cisco BBSM RADIUS VSA

Attribute        Number  Type of Value

CBBSM-Bandwidth  001     integer

Vendor-Proprietary IETF RADIUS AV Pairs

Table D-6 lists the supported vendor-proprietary RADIUS (IETF) attributes.

Table D-6   Vendor-Proprietary RADIUS Attributes

No.   Vendor-Proprietary Attribute

17    Change-Password
21    Password-Expiration
135   Primary-DNS-Server
136   Secondary-DNS-Server
187   Multilink-ID
188   Num-In-Multilink
190   Pre-Input-Octets
191   Pre-Output-Octets
192   Pre-Input-Packets
193   Pre-Output-Packets
194   Maximum-Time
195   Disconnect-Cause
197   Data-Rate
198   PreSession-Time
208   PW-Lifetime
209   IP-Direct
210   PPP-VJ-Slot-Comp
218   Assign-IP-pool
228   Route-IP
233   Link-Compression
234   Target-Utils
235   Maximum-Channels
242   Data-Filter
243   Call-Filter
244   Idle-Limit

IETF Dictionary of RADIUS AV Pairs

Table D-7 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified. Accounting attributes are listed in Table D-8.

Table D-7   RADIUS (IETF) Attributes

No.  Attribute
     Description

1    User-Name
     Name of the user being authenticated.

2    User-Password
     User's password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications.

3    CHAP-Password
     PPP (Point-to-Point Protocol) CHAP (Challenge Handshake Authentication Protocol) response to an Access-Challenge.

4    NAS-IP Address
     IP address of the AAA client that is requesting authentication.

5    NAS-Port
     Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows:
       • For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.
       • For ordinary synchronous network interfaces, the value is 10xxx.
       • For channels on a primary-rate ISDN (Integrated Services Digital Network) interface, the value is 2ppcc.
       • For channels on a basic rate ISDN interface, the value is 3bb0c.
       • For other types of interfaces, the value is 6nnss.

6    Service-Type
     Type of service requested or type of service to be provided:
     In a request:
       • Framed—For known PPP or SLIP (Serial Line Internet Protocol) connection.
       • Administrative User—For enable command.
     In a response:
       • Login—Make a connection.
       • Framed—Start SLIP or PPP.
       • Administrative User—Start an EXEC or enable ok.
       • Exec User—Start an EXEC session.

7    Framed-Protocol
     Framing to be used for framed access.

8    Framed-IP-Address
     Address to be configured for the user.

9    Framed-IP-Netmask
     IP netmask to be configured for the user when the user is a router to a network. This attribute-value results in a static route being added for Framed-IP-Address with the mask specified.

10   Framed-Routing
     Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute.

11   Filter-Id
     Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.

12   Framed-MTU
     Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means.

13   Framed-Compression
     Compression protocol used for the link. This attribute results in "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.

14   Login-IP-Host
     Host to which the user will connect when the Login-Service attribute is included.

15   Login-Service
     Service that should be used to connect the user to the login host.
     Service is indicated by a numeric value as follows:
       • 0: Telnet
       • 1: Rlogin
       • 2: TCP-Clear
       • 3: PortMaster
       • 4: LAT

16   Login-TCP-Port
     TCP (Transmission Control Protocol) port with which the user is to be connected when the Login-Service attribute is also present.

18   Reply-Message
     Text to be displayed to the user.

22   Framed-Route
     Routing information to be configured for the user on this AAA client. The RADIUS RFC (Request for Comments) format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are currently ignored.

24   State
     Allows State information to be maintained between the AAA client and the RADIUS server. This attribute is applicable only to CHAP challenges.

26   Vendor-Specific
     Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format:

       protocol:attribute sep value

     Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. The following is an example:

       cisco-avpair= "ip:addr-pool=first"
       cisco-avpair= "shell:priv-lvl=15"

     The first example causes Cisco's multiple named IP address pools feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a user at the AAA client prompt to have immediate access to EXEC commands.

27   Session-Timeout
     Maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user absolute timeout. This attribute is not valid for PPP sessions.

28   Idle-Timeout
     Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This attribute value becomes the per-user session-timeout. This attribute is not valid for PPP sessions.

34   Login-LAT-Service
     System with which the user is to be connected by LAT. This attribute is only available in the EXEC mode.

61   NAS-Port-Type
     Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value as follows:
       • 0: Asynchronous
       • 1: Synchronous
       • 2: ISDN-Synchronous
       • 3: ISDN-Asynchronous (V.120)
       • 4: ISDN-Asynchronous (V.110)
       • 5: Virtual

62   Port-Limit
     Sets the maximum number of ports to be provided to the user by the network access server.
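
The Vendor-Specific (attribute 26) layout described in Table D-7, as an added example that is not part of the Cisco guide: a Python parser that walks a RADIUS attribute block, extracts the cisco-avpair strings carried for vendor ID 9, and reports any shell:priv-lvl grant at level 15, the kind of check an administrator can run over captured Access-Accept attributes when auditing group profiles. The type/length/value layout follows RFC 2865; the function names, the sample attribute block and the optional `ip:addr-pool*second` pair are constructed for illustration.

```python
import struct
from dataclasses import dataclass

VENDOR_SPECIFIC = 26   # IETF attribute number of Vendor-Specific (Table D-7)
CISCO_VENDOR_ID = 9    # Cisco's vendor ID, as stated in Table D-7
CISCO_AVPAIR = 1       # vendor-type 1, cisco-avpair


@dataclass
class AVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool    # True for "=", False for "*"


def iter_tlvs(buf):
    """Yield (type, value) per type/length/value item; length counts its 2-byte header."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[offset], buf[offset + 1]
        if length < 2 or offset + length > len(buf):
            raise ValueError("attribute length out of bounds")
        yield kind, buf[offset + 2:offset + length]
        offset += length


def parse_cisco_avpair(text):
    """Split 'protocol:attribute sep value'; the first '=' or '*' is the separator."""
    protocol, colon, rest = text.partition(":")
    hits = [i for i in (rest.find("="), rest.find("*")) if i != -1]
    if not colon or not protocol or not hits or min(hits) == 0:
        raise ValueError("not in protocol:attribute sep value form: %r" % text)
    sep = min(hits)
    return AVPair(protocol, rest[:sep], rest[sep + 1:], rest[sep] == "=")


def cisco_avpairs(attr_block):
    """Return every cisco-avpair carried in Vendor-Specific attributes for vendor ID 9."""
    pairs = []
    for kind, value in iter_tlvs(attr_block):
        if kind != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than its vendor ID")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue                      # belongs to another vendor's dictionary
        for vtype, vdata in iter_tlvs(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(parse_cisco_avpair(vdata.decode("ascii")))
    return pairs


def privileged_shell_grants(pairs, level=15):
    """Pairs that hand out an EXEC privilege level at or above `level`."""
    return [p for p in pairs
            if p.protocol == "shell" and p.attribute == "priv-lvl"
            and p.value.isdigit() and int(p.value) >= level]


def build_vsa(vendor_id, vendor_type, text):
    """Encode one Vendor-Specific attribute (helper for the constructed sample)."""
    data = text.encode("ascii")
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed attribute block, as it could appear in an Access-Accept.
SAMPLE = b"".join([
    bytes([27, 6]) + struct.pack("!I", 3600),                        # Session-Timeout (27)
    build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "ip:addr-pool=first"),
    build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "shell:priv-lvl=15"),
    build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "ip:addr-pool*second"),  # optional form
    build_vsa(3076, 15, "constructed banner"),   # VPN 3000 VSA, skipped by the vendor filter
])

if __name__ == "__main__":
    found = cisco_avpairs(SAMPLE)
    for pair in found:
        print(pair)
    print("privileged:", privileged_shell_grants(found))
```

The strict parser rejects strings without the protocol prefix, and a bad length byte raises ValueError instead of reading past the attribute.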

RADIUS (IETF) Accounting AV Pairs

Table D-8 lists the supported RADIUS (IETF) accounting attributes. If the attribute has a security server-specific format, the format is specified.

Table D-8   RADIUS (IETF) Accounting Attributes

No.  Attribute
     Description

25   Class
     Arbitrary value that the AAA client includes in all accounting packets for this user if supplied by the RADIUS server.

30   Called-Station-Id
     Allows the AAA client to send the telephone number the user called into as part of the access-request packet, using DNIS (Dialed Number Identification Server) or similar technology. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI (Primary Rate Interface).

31   Calling-Station-Id
     Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is supported only on ISDN and for modem calls on the Cisco AS5200 if used with PRI.

40   Acct-Status-Type
     Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop).

41   Acct-Delay-Time
     Number of seconds the client has been trying to send a particular record.

42   Acct-Input-Octets
     Number of octets received from the port while this service is being provided.

43   Acct-Output-Octets
     Number of octets sent to the port while this service is being delivered.

44   Acct-Session-Id
     Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable.

45   Acct-Authentic
     Way in which the user was authenticated—by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.

46   Acct-Session-Time
     Number of seconds the user has been receiving service.

47   Acct-Input-Packets
     Number of packets received from the port while this service is being provided to a framed user.

48   Acct-Output-Packets
     Number of packets sent to the port while this service is being delivered to a framed user.

49   Acct-Terminate-Cause
     Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:
       • 1: User request
       • 2: Lost carrier
       • 3: Lost service
       • 4: Idle timeout
       • 5: Session-timeout
       • 6: Admin reset
       • 7: Admin reboot
       • 8: Port error
       • 9: AAA client error
       • 10: AAA client request
       • 11: AAA client reboot
       • 12: Port unneeded
       • 13: Port pre-empted
       • 14: Port suspended
       • 15: Service unavailable
       • 16: Callback
       • 17: User error
       • 18: Host request

61   NAS-Port-Type
     Type of physical port the AAA client is using to authenticate the user.

Microsoft MPPE Dictionary of RADIUS VSAs

Cisco Secure ACS supports the Microsoft RADIUS VSAs used for Microsoft Point-to-Point Encryption (MPPE). The vendor ID for this Microsoft RADIUS Implementation is 311. MPPE is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dial-up line, or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network device vendors that Cisco Secure ACS supports. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSAs:

  • Cisco IOS
  • Cisco VPN 3000
  • Ascend

Table D-9 lists the supported MPPE RADIUS VSAs.

Table D-9   Microsoft MPPE RADIUS VSAs

Attribute                  Number  Type of Value
                           Description (shown beneath the row where one is given)

MS-CHAP-Response           1       string
MS-CHAP-Error              2       string
MS-CHAP-CPW-1              3       string
MS-CHAP-CPW-2              4       string
MS-CHAP-LM-Enc-PW          5       string
MS-CHAP-NT-Enc-PW          6       string

MS-MPPE-Encryption-Policy  7       integer
     The MS-MPPE-Encryption-Policy attribute signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used, but at least one must be used.

MS-MPPE-Encryption-Types   8       integer
     The MS-MPPE-Encryption-Types attribute signifies the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits.

MS-CHAP-Domain             10      string
MS-CHAP-Challenge          11      string

MS-CHAP-MPPE-Keys          12      string
     The MS-CHAP-MPPE-Keys attribute contains two session keys for use by the MPPE. This attribute is only included in Access-Accept packets.
     The MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface.

MS-MPPE-Send-Key           16      string
     The MS-MPPE-Send-Key attribute contains a session key for use by MPPE. As the name implies, this key is intended for encrypting packets sent from the AAA client to the remote host. This attribute is only included in Access-Accept packets.

MS-MPPE-Recv-Key           17      string
     The MS-MPPE-Recv-Key attribute contains a session key for use by MPPE. As the name implies, this key is intended for encrypting packets received by the AAA client from the remote host. This attribute is only included in Access-Accept packets.

MS-RAS-Version             18      string
MS-CHAP-NT-Enc-PW          25      string
MS-CHAP2-Response          26      string
MS-CHAP2-CPW               27      string

Ascend Dictionary of RADIUS AV Pairs

Cisco Secure ACS supports the Ascend RADIUS AV pairs. Table D-10 contains Ascend RADIUS dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of the following valid data types:

  • string—0-253 octets
  • abinary—0-254 octets
  • ipaddr—4 octets in network byte order
  • integer—32-bit value in big endian order (high byte first)
  • call filter—Defines a call filter for the profile

Note    RADIUS filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied in the order in which they are entered. If you make changes to a filter in an Ascend RADIUS profile, the changes do not take effect until a call uses that profile.

  • date—32-bit value in big-endian order. For example, seconds since 00:00:00 universal time (UT), January 1, 1970.
  • enum—Enumerated values are stored in the user file with dictionary value translations for easy administration.

Table D-10   Ascend RADIUS Attributes

Attribute                      Number  Type of Value

Dictionary of Ascend Attributes
User-Name                      1       string
Password                       2       string
Challenge-Response             3       string
NAS-Identifier                 4       ipaddr
NAS-Port                       5       integer
User-Service                   6       integer
Framed-Protocol                7       integer
Framed-Address                 8       ipaddr
Framed-Netmask                 9       ipaddr
Framed-Routing                 10      integer
Framed-Filter                  11      string
Framed-MTU                     12      integer
Framed-Compression             13      integer
Login-Host                     14      ipaddr
Login-Service                  15      integer
Login-TCP-Port                 16      integer
Change-Password                17      string
Reply-Message                  18      string
Callback-Number                19      string
Callback-Name                  20      string
Framed-Route                   22      string
Framed-IPX-Network             23      integer
State                          24      string
Class                          25      string
Vendor-Specific                26      string
Client-Port-DNIS               30      string
Caller-Id                      31      string
Acct-Status-Type               40      integer
Acct-Delay-Time                41      integer
Acct-Input-Octets              42      integer
Acct-Output-Octets             43      integer
Acct-Session-Id                44      integer
Acct-Authentic                 45      integer
Acct-Session-Time              46      integer
Acct-Input-Packets             47      integer
Acct-Output-Packets            48      integer
Tunnel-Type                    64      string
Tunnel-Medium-Type             65      string
Tunnel-Client-Endpoint         66      string
Tunnel-Server-Endpoint         67      string
Tunnel-ID                      68      integer
Ascend-Private-Route           104     string
Ascend-Numbering-Plan-ID       105     integer
Ascend-FR-Link-Status-Dlci     106     integer
Ascend-Calling-Subaddress      107     string
Ascend-Callback-Delay          108     string
Ascend-My-Name-Alias           109     string
Ascend-Remote-FW               110     string
Ascend-Multicast-GLeave-Delay  111     integer
Ascend-CBCP-Enable             112     string
Ascend-CBCP-Mode               113     string
Ascend-CBCP-Delay              114     string
Ascend-CBCP-Trunk-Group        115     string
Ascend-AppleTalk-Route         116     string
Ascend-AppleTalk-Peer-Mode     117     string
Ascend-Route-AppleTalk         118     string
Ascend-FCP-Parameter           119     string
Ascend-Modem-PortNo            120     integer
Ascend-Modem-SlotNo            121     integer
Ascend-Modem-ShelfNo           122     integer
Ascend-Call-Attempt-Limit      123     integer
Ascend-Call-Block_Duration     124     integer
Ascend-Maximum-Call-Duration   125     integer
Ascend-Router-Preference       126     string
Ascend-Tunneling-Protocol      127     string
Ascend-Shared-Profile-Enable   128     string
Ascend-Primary-Home-Agent      129     string
Ascend-Secondary-Home-Agent    130     string
Ascend-Dialout-Allowed         131     integer
Ascend-BACP-Enable             133     string
Ascend-DHCP-Maximum-Leases     134     integer
Ascend-Client-Primary-DNS      135     address
Ascend-Client-Secondary-DNS    136     address
Ascend-Client-Assign-DNS       137     enum
Ascend-User-Acct-Type          138     enum
Ascend-User-Acct-Host          139     address
Ascend-User-Acct-Port          140     integer
Ascend-User-Acct-Key           141     string
Ascend-User-Acct-Base          142     enum
Ascend-User-Acct-Time          143     integer

Support IP Address Allocation from Global Pools
Ascend-Assign-IP-Client        144     ipaddr
Ascend-Assign-IP-Server        145     ipaddr
Ascend-Assign-IP-Global-Pool   146     string

DHCP Server Functions
Ascend-DHCP-Reply              147     integer
Ascend-DHCP-Pool-Number        148     integer

Connection Profile/Telco Option
Ascend-Expect-Callback         149     integer

Event Type for an Ascend-Event Packet
Ascend-Event-Type              150     integer

RADIUS Server Session Key
Ascend-Session-Svr-Key         151     string

Multicast Rate Limit Per Client
Ascend-Multicast-Rate-Limit    152     integer

Connection Profile Fields to Support Interface-Based Routing
Ascend-IF-Netmask              153     ipaddr
Ascend-Remote-Addr             154     ipaddr

Multicast Support
Ascend-Multicast-Client        155     integer

Frame Datalink Profiles
Ascend-FR-Circuit-Name         156     string
Ascend-FR-LinkUp               157     integer
Ascend-FR-Nailed-Group         158     integer
Ascend-FR-Type                 159     integer
Ascend-FR-Link-Mgt             160     integer
Ascend-FR-N391                 161     integer
Ascend-FR-DCE-N392             162     integer
Ascend-FR-DTE-N392             163     integer
Ascend-FR-DCE-N393             164     integer
Ascend-FR-DTE-N393             165     integer
Ascend-FR-T391                 166     integer
Ascend-FR-T392                 167     integer
Ascend-Bridge-Address          168     string
Ascend-TS-Idle-Limit           169     integer
Ascend-TS-Idle-Mode            170     integer
Ascend-DBA-Monitor             171     integer
Ascend-Base-Channel-Count      172     integer
Ascend-Minimum-Channels        173     integer

IPX Static Routes
Ascend-IPX-Route               174     string
Ascend-FT1-Caller              175     integer
Ascend-Backup                  176     string
Ascend-Call-Type               177     integer
Ascend-Group                   178     string
Ascend-FR-DLCI                 179     integer
Ascend-FR-Profile-Name         180     string
Ascend-Ara-PW                  181     string
Ascend-IPX-Node-Addr           182     string
Ascend-Home-Agent-IP-Addr      183     ipaddr
Ascend-Home-Agent-Password     184     string
Ascend-Home-Network-Name       185     string
Ascend-Home-Agent-UDP-Port     186     integer
Ascend-Multilink-ID            187     integer
Ascend-Num-In-Multilink        188     integer
Ascend-First-Dest              189     ipaddr
Ascend-Pre-Input-Octets        190     integer
Ascend-Pre-Output-Octets       191     integer
Ascend-Pre-Input-Packets       192     integer
Ascend-Pre-Output-Packets      193     integer
Ascend-Maximum-Time            194     integer
Ascend-Disconnect-Cause        195     integer
Ascend-Connect-Progress        196     integer
Ascend-Data-Rate               197     integer
Ascend-PreSession-Time         198     integer
Ascend-Token-Idle              199     integer
Ascend-Token-Immediate         200     integer
Ascend-Require-Auth            201     integer
Ascend-Number-Sessions         202     string
Ascend-Authen-Alias            203     string
Ascend-Token-Expiry            204     integer
Ascend-Menu-Selector           205     string
Ascend-Menu-Item               206     string

RADIUS Password Expiration Options
Ascend-PW-Warntime             207     integer
Ascend-PW-Lifetime             208     integer
Ascend-IP-Direct               209     ipaddr
Ascend-PPP-VJ-Slot-Comp        210     integer
Ascend-PPP-VJ-1172             211     integer
Ascend-PPP-Async-Map           212     integer
Ascend-Third-Prompt            213     string
Ascend-Send-Secret             214     string
Ascend-Receive-Secret          215     string
Ascend-IPX-Peer-Mode           216     integer
Ascend-IP-Pool-Definition      217     string
Ascend-Assign-IP-Pool          218     integer
Ascend-FR-Direct               219     integer
Ascend-FR-Direct-Profile       220     string
Ascend-FR-Direct-DLCI          221     integer
Ascend-Handle-IPX              222     integer
Ascend-Netware-Timeout         223     integer
Ascend-IPX-Alias               224     integer
Ascend-Metric                  225     integer
Ascend-PRI-Number-Type         226     integer
Ascend-Dial-Number             227     string

Connection Profile/PPP Options
Ascend-Route-IP                228     integer
Ascend-Route-IPX               229     integer
Ascend-Bridge                  230     integer
Ascend-Send-Auth               231     integer
Ascend-Send-Passwd             232     string
Ascend-Link-Compression        233     integer
Ascend-Target-Util             234     integer
Ascend-Max-Channels            235     integer
Ascend-Inc-Channel-Count       236     integer
Ascend-Dec-Channel-Count       237     integer
Ascend-Seconds-Of-History      238     integer
Ascend-History-Weigh-Type      239     integer
Ascend-Add-Seconds             240     integer
Ascend-Remove-Seconds          241     integer

Connection Profile/Session Options
Ascend-Data-Filter             242     call filter
Ascend-Call-Filter             243     call filter
Ascend-Idle-Limit              244     integer
Ascend-Preempt-Limit           245     integer

Connection Profile/Telco Options
Ascend-Callback                246     integer
Ascend-Data-Svc                247     integer
Ascend-Force-56                248     integer
Ascend-Billing-Number          249     string
Ascend-Call-By-Call            250     integer
Ascend-Transit-Number          251     string

Terminal Server Attributes
Ascend-Host-Info               252     string

PPP Local Address Attribute
Ascend-PPP-Address             253     ipaddr

MPP Percent Idle Attribute
Ascend-MPP-Idle-Percent        254     integer
Ascend-Xmit-Rate               255     integer

Nortel Dictionary of RADIUS VSAs

Table D-11 lists the Nortel RADIUS VSAs supported by Cisco Secure ACS. The Nortel vendor ID number is 1584.

Table D-11   Nortel RADIUS VSAs

Attribute                  Number  Type of Value

Bay-Local-IP-Address       035     ipaddr
Bay-Primary-DNS-Server     054     ipaddr
Bay-Secondary-DNS-Server   055     ipaddr
Bay-Primary-NBNS-Server    056     ipaddr
Bay-Secondary-NBNS-Server  057     ipaddr
Bay-User-Level             100     integer
Bay-Audit-Level            101     integer

Juniper Dictionary of RADIUS VSAs

Table D-12 lists the Juniper RADIUS VSAs supported by Cisco Secure ACS. The Juniper vendor ID number is 2636.

Table D-12   Juniper RADIUS VSAs

Attribute                Number  Type of Value

Juniper-Local-User-Name  001     string
Juniper-Allow-Commands   002     string
Juniper-Deny-Commands    003     string