Cisco 6510 Vendor-Specific RADIUS Attributes

The Cisco 6510 Service Selection Gateway (Cisco 6510) uses vendor-specific Remote Authentication Dial-In User Service (RADIUS) attributes. If you use the Cisco 6510 with User Control Point (UCP), specify settings that allow processing of the Cisco 6510 attributes when you configure the CiscoSecure Access Control Server (ACS) component. If you use another authentication, authorization, and accounting (AAA) server, you must customize that server's database code to handle the Cisco 6510 vendor-specific attributes.


Note When a user disconnects from a service without logging off, the connection remains open and the user can reenter the service without going through the login procedure. To prevent users from remaining logged on to services indefinitely, configure the standard Session-Timeout or Idle-Timeout RADIUS attributes in the profile.

Table D-1 lists vendor-specific attributes used by the Cisco  6510. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Cisco Service Selection Dashboard (Cisco SSD) can send requests to the Cisco  6510 to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.


Table D-1: Vendor-Specific RADIUS Attributes for the Cisco 6510

AttrID  VendorID  SubAttrID  SubAttrName   SubAttrDataType
26      9         1          Cisco-AVpair  String
26      9         250        Account-Info  String
26      9         251        Service-Info  String
26      9         252        Command-Code  Binary
26      9         253        Control-Info  String

The following sections describe the format of each subattribute.


Note All RADIUS attributes are case-sensitive.

Cisco-AVpair Attribute

The Cisco-AVpair attributes are used to build a Virtual Private Dial-Up Network (VPDN) tunnel.


Note Cisco-AVpair attributes are only used for tunneled services.

The following illustrates the format for Cisco-AVpair attributes in a RADIUS packet (field widths in octets):

+---+---+-------+---+---+---+- - - - -+
| a | b |   c   | d | e | f |  g ...  |
+---+---+-------+---+---+---+- - - - -+
  1   1     4     1   1   1   variable

a = 26 (RADIUS attribute type for vendor specific)

b = len (length of the whole RADIUS vendor-specific attribute, including a and b)

c = 9 (Cisco vendor ID)

d = 1 (subattribute ID for Cisco-AVpair)

e = len (length of the vendor-specific subattribute, including d and e)

f = code (Cisco-AVpair code for attribute)

g = value (additional information required by code)
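The same a..g layout is used by all five subattributes in Table D-1, so the following Python, added here as an example (it is not Cisco's code and not part of this manual), encodes and decodes it for any Cisco subattribute ID and performs the length checks a receiver should make before trusting either length octet. The 247-octet payload limit follows from the 255-octet maximum of a RADIUS attribute; the sample attribute list built in the main block is constructed.

```python
"""Encode and decode Cisco (vendor 9) vendor-specific RADIUS attributes.

Added example, not Cisco's code. Implements the a..g layout:
  a type (1 octet, 26) | b length (1) | c vendor-id (4, = 9) |
  d sub-attribute id (1) | e sub-length (1) | f+g value (string)
"""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
# Sub-attribute IDs from Table D-1.
CISCO_AVPAIR, ACCOUNT_INFO, SERVICE_INFO, COMMAND_CODE, CONTROL_INFO = 1, 250, 251, 252, 253
# A RADIUS attribute is at most 255 octets including its own 2-octet header;
# the vendor header (vendor-id, sub-id, sub-length) takes 6 more, so a
# single VSA carries at most 247 octets of value.
MAX_VSA_VALUE = 255 - 2 - 4 - 2


def encode_cisco_vsa(sub_id: int, value: bytes) -> bytes:
    """Build one attribute-26 TLV carrying a Cisco sub-attribute."""
    if not 0 < sub_id < 256:
        raise ValueError("sub-attribute id must be 1..255")
    if len(value) > MAX_VSA_VALUE:
        raise ValueError(f"value longer than {MAX_VSA_VALUE} octets; send it as several VSAs")
    sub = struct.pack("!BB", sub_id, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_vsa(data: bytes) -> tuple:
    """Return (sub_id, value) for one Cisco VSA.

    Both length octets come from the wire, so each is checked against the
    other and against the buffer before any value bytes are returned.
    """
    if len(data) < 8:
        raise ValueError("truncated VSA")
    attr_type, attr_len, vendor_id, sub_id, sub_len = struct.unpack("!BBIBB", data[:8])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError(f"not a vendor-specific attribute (type {attr_type})")
    if attr_len != len(data):
        raise ValueError("outer length does not match the buffer")
    if vendor_id != CISCO_VENDOR_ID:
        raise ValueError(f"vendor id {vendor_id}, expected {CISCO_VENDOR_ID}")
    if sub_len != attr_len - 6:
        raise ValueError("sub-attribute length inconsistent with outer length")
    return sub_id, data[8:]


def parse_attribute_list(data: bytes) -> list:
    """Walk a RADIUS attribute list; return the Cisco VSAs as (sub_id, value).

    Non-VSA and non-Cisco attributes are skipped; a malformed one raises,
    because a parser that silently resynchronises can be made to misread
    attribute boundaries.
    """
    found, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError(f"bad attribute length {attr_len} at offset {pos}")
        chunk = data[pos:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC:
            if attr_len < 8:
                raise ValueError("vendor-specific attribute too short")
            if struct.unpack("!I", chunk[2:6])[0] == CISCO_VENDOR_ID:
                found.append(decode_cisco_vsa(chunk))
        pos += attr_len
    return found


if __name__ == "__main__":
    # Constructed attribute list: Session-Timeout (27) = 21600, then two Cisco VSAs.
    pkt = (bytes([27, 6]) + (21600).to_bytes(4, "big")
           + encode_cisco_vsa(ACCOUNT_INFO, b"DD")
           + encode_cisco_vsa(CISCO_AVPAIR, b"vpdn:tunnel-id=ibm_marketing"))
    print(pkt.hex())
    print(parse_attribute_list(pkt))
```

Values longer than 247 octets (a long Service Route list, for instance) must be sent as several VSAs, one per value, which is also what the "multiple instances of this attribute" notes in the sections below describe.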

VPDN IP Addresses

This attribute specifies the IP addresses of the home gateways that receive the Layer 2 Forwarding (L2F) connection.

Cisco-AVpair = "vpdn:ip-addresses={ip_address1}[,ip_address2...,ip_addressX]"

Note IP addresses can be separated by either a comma or a space.

When more than one home gateway is configured, the Cisco  6510 load balances (round-robin) connections between the home gateways.

Syntax Description

ip_address1

First IP address of the home gateway.

ip_address2...ip_addressX

Additional IP addresses.

Example

Cisco-AVpair="vpdn:ip-addresses=135.69.255.198"

VPDN Gateway Password

Cisco's implementation of VPDN requires that the network access server (NAS) authenticates with the home gateway and the home gateway authenticates with the NAS. This attribute specifies the Challenge-Handshake Authentication Protocol (CHAP) secret the home gateway uses to authenticate with the Cisco  6510 when negotiating an L2F tunnel.

Cisco-AVpair = "vpdn:gw-password=gateway_pwd"

Note If this parameter is missing, the Cisco 6510 accepts any password from the home gateway, so the home gateway side of the mutual authentication is effectively disabled. Configure it for every tunneled service.
Syntax Description

gateway_pwd

CHAP secret the home gateway uses to authenticate the L2F tunnel between the Cisco 6510 and the home gateway.

Example

Cisco-AVpair="vpdn:gw-password=hello"

VPDN NAS Password

Cisco's implementation of VPDN requires that the NAS authenticates with the home gateway and the home gateway authenticates with the NAS. This attribute specifies the CHAP secret the Cisco  6510 uses to authenticate with the home gateway when negotiating an L2F tunnel.

Cisco-AVpair = "vpdn:nas-password=nas_pwd"
Syntax Description

nas_pwd

CHAP secret the NAS (the Cisco 6510) uses to authenticate the L2F tunnel between the Cisco 6510 and the home gateway.

Example

Cisco-AVpair="vpdn:nas-password=greetings"

VPDN Tunnel ID

The Cisco  6510 appears as a NAS to the service provider's home gateway. For the Cisco  6510 to be authenticated, the tunnel name must match a NAS name on the home gateway's VPDN incoming statement.

This attribute specifies the name of the tunnel that must match the home gateway's VPDN incoming statement.

Cisco-AVpair = "vpdn:tunnel-id=tunnel_name"

Note If you do not specify a tunnel ID, the Cisco  6510 uses the name specified in the MachineName parameter. This works when only one tunnel will be built to the same home gateway. If you want to build more than one tunnel to the home gateway, the MachineName parameter will restrict your ability to define different virtual-template interface definitions for different users.
Syntax Description

tunnel_name

Name of the tunnel.

Example

Cisco-AVpair="vpdn:tunnel-id=ibm_marketing"

Account-Info Attributes

The Account-Info attributes are used in user profiles and service group profiles.

User profiles define individual users and indicate the username and password, whether or not the user is granted the transparent passthrough service, and the services and groups to which the user is subscribed.

Service group profiles contain a list of services and service groups and can be used to create sophisticated directory structures for locating and logging on to services. When a user is subscribed to a service group, the user automatically is subscribed to all services and groups within that service group. A service group profile includes the name of the service group, the password, the service type (outbound), a list of services, and a list of service groups.

The following illustrates the format for Account-Info attributes in a RADIUS packet (field widths in octets):

+---+---+-------+---+---+---+- - - - -+
| a | b |   c   | d | e | f |  g ...  |
+---+---+-------+---+---+---+- - - - -+
  1   1     4     1   1   1   variable

a = 26 (RADIUS attribute type for vendor specific)

b = len (length of the whole RADIUS vendor-specific attribute, including a and b)

c = 9 (Cisco vendor ID)

d = 250 (subattribute ID for Account-Info)

e = len (length of the vendor-specific subattribute, including d and e)

f = code (account-info code for attribute)

g = value (additional information required by code)

Example (RADIUS Freeware Format)
Account-Info = "DD"
Example (CiscoSecure ACS for UNIX and UCP Format; 9,250 is vendor ID 9, subattribute ID 250)
9,250 = "DD"

Default User Passthrough

This attribute is used in a user profile and determines whether the user's packets not destined for a tunnel are forwarded (usually to the Internet).

Account-Info = "D{value}"
Syntax Description

value

D---Disables access to the default service.

E---Enables access to the default service.

Example
Account-Info = "DD"

Service Name

In user profiles, this attribute subscribes the user to the specified service. In service group profiles, this attribute lists services that belong to the service group.

Account-Info = "Nname"
Syntax Description

name

Name of the service profile.

Example
Account-Info = "NHewlett Packard Intranet Access"
Note There can be multiple instances of this attribute within a user or service profile. Use one attribute for each service.

Service Group

In user profiles, this attribute subscribes a user to a service group. In service group profiles, this attribute lists the service groups that belong to this service group.

Account-Info = "Gname"
Syntax Description

name

Name of the group.

Example
Account-Info = "GServiceGroup1"
Note There can be multiple instances of this attribute within a user or service group profile. Use one attribute for each service group.

Auto Service

This attribute automatically logs the user on to a service when the user accesses the Cisco SSD.

Account-Info = "Aservicename[;username;password]"
Syntax Description

servicename

Name of the service.

username

Username used to access the service.

password

Password used to access the service.

Example
Account-Info = "Agamers.net;jdoe;secret"
Note The user must be subscribed to this service. See the "Service Name" section. The username and password are carried in the Access-Accept as an ordinary string attribute, which RADIUS does not encrypt, so treat this profile line as a clear-text credential and protect the path between the AAA server and the Cisco 6510 accordingly.

Group Description

This attribute provides a description of the service group to the Cisco SSD. If this attribute is omitted, the profile name is used.

Account-Info = "Idescription"
Syntax Description

description

Description of the service group.

Example
Account-Info = "IHewlett Packard Intranet Access"

Service-Info Attributes

The Service-Info attributes are used to define a service profile. A service profile includes the name of the service, the service type (passthrough or tunnel), the service access mode (sequential or concurrent), the DNS server IP address, and the networks that exist in the service domain.

The following illustrates the format for Service-Info attributes in a RADIUS packet (field widths in octets):

+---+---+-------+---+---+---+- - - - -+
| a | b |   c   | d | e | f |  g ...  |
+---+---+-------+---+---+---+- - - - -+
  1   1     4     1   1   1   variable

a = 26 (RADIUS attribute type for vendor specific)

b = len (length of the whole RADIUS vendor-specific attribute, including a and b)

c = 9 (Cisco vendor ID)

d = 251 (subattribute ID for Service-Info)

e = len (length of the vendor-specific subattribute, including d and e)

f = code (service-info code for attribute)

g = value (additional information required by code)

Service Name

This attribute defines the name of the service.

Service-Info = "Nname"
Syntax Description

name

Name of the service profile or service that belongs to a service group.

Example
Service-Info = "Nhp.com"

Service Type

This attribute indicates whether the service is accessed through a tunnel or passed through (usually to the Internet).

Service-Info = "Ttype"
Syntax Description

type

P---Passthrough. Indicates the user's packets are forwarded through the Cisco 6510 (usually to the Internet).

T---Tunnel. Indicates the user's packets are forwarded through an L2F tunnel.

Example
Service-Info = "TP"

Service Mode

This attribute defines whether the user is able to log on to this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential).

Service-Info = "Mmode"
Syntax Description

mode

S---Sequential mode.

C---Concurrent mode.

Example
Service-Info = "MS"

DNS Server Address

This attribute specifies the primary and secondary DNS servers for this service. If two servers are specified, the Cisco 6510 can either send DNS requests to the primary DNS server until its performance diminishes or it fails (failover), or load balance the requests between the two servers. For more information, see the "Configuring DNS Fault Tolerance Settings" section.

Service-Info = "Dip_address_1[;ip_address_2]"
Syntax Description

ip_address_1

IP address of the primary DNS server.

ip_address_2

IP address of the secondary DNS server (optional).

Example
Service-Info = "D198.46.9.2;198.46.9.3"

Service Route

This attribute specifies networks that exist for a tunneled service beyond the home gateway.

Service-Info = "Rip_address;mask"
Syntax Description

ip_address

IP address.

mask

Subnet mask.

Usage

Use the Service Route attribute to specify networks that exist for a service.

When forwarding an IP packet, the Cisco  6510 searches a connection list that consists of services that are available to the user, ordered from smallest to largest in terms of network size (see the "Filter" section). To determine the service search order, the Cisco  6510 uses the following guidelines:


Note To enable Internet connectivity for the service, add "R0.0.0.0;0.0.0.0" to the service profile.
Example
Service-Info = "R171.99.73.128;255.255.255.192"
Note There can be multiple instances of this attribute within a single service profile.

Service Authentication Type

This attribute specifies whether the Cisco  6510 uses the CHAP or PAP protocol to authenticate users for a tunneled service.

Service-Info = "Aauthen-type"
Syntax Description

authen-type

C---CHAP Authentication.

P---PAP Authentication.

Example
Service-Info = "AC"

Service Next Hop Gateway

This attribute specifies the next hop key for this service. Each Cisco  6510 uses its own next hop gateway table that associates this key with an actual IP address. For information on creating a next hop gateway table, see the "Next Hop Gateway Table Entry" section.

Service-Info = "Gkey"
Syntax Description

key

Name of the next hop. This name must be unique for each service.

Example
Service-Info = "Ghp"

Domain Name

This attribute specifies the domain names that get DNS resolution from the DNS server(s) specified by the DNS Server Address attribute.

Service-Info = "Oname1[;name2]...[;nameX]"
Syntax Description

name1

Domain name that gets DNS resolution from this server.

name2...nameX

Additional domain name(s) that get DNS resolution from this server.

Usage

Use the Domain Name attribute to specify domain names that get DNS resolution from this DNS server.

When forwarding a DNS packet, the Cisco  6510 searches a connection list that consists of services available to the user, ordered from smallest to largest in terms of network size (see the "Filter" section). To determine the DNS search order, the Cisco  6510 uses the following guidelines:

Example
Service-Info = "Ocisco.com;cisco-sales.com"

Service User

This attribute indicates the username provided by the Cisco SSD user to log on to the service and for authentication with the home gateway. This attribute is only used in Accounting Records and should not be configured in a service profile.

Service-Info = "Uusername"
Syntax Description

username

The name provided by the user to authenticate with the home gateway.

Example
Service-Info = "Ujoe@cisco.com"

Control-Info Attributes

The Control-Info attributes are used to define parameters that can be used in user profiles, service profiles, and pseudo-service profiles. This includes configuring the Next Hop Gateway table and defining filters that can be applied to user profiles, service profiles, and the Transparent Passthrough feature.

The following illustrates the format for Control-Info attributes in a RADIUS packet (field widths in octets):

+---+---+-------+---+---+---+- - - - -+
| a | b |   c   | d | e | f |  g ...  |
+---+---+-------+---+---+---+- - - - -+
  1   1     4     1   1   1   variable

a = 26 (RADIUS attribute type for vendor specific)

b = len (length of the whole RADIUS vendor-specific attribute, including a and b)

c = 9 (Cisco vendor ID)

d = 253 (subattribute ID for Control-Info)

e = len (length of the vendor-specific subattribute, including d and e)

f = code (control-info code for attribute)

g = value (additional information required by code)

Filter

This attribute can be used to block or allow access to IP addresses and ports in user profiles, service profiles, and the transparent passthrough pseudo-service profile (TPTFilterProfile).

Control-Info = "Fsrc_ip[:src_port_list];src_mask;dst_ip[:dst_port_list];dst_mask;flag;filter-ID"

Note This feature only blocks or permits traffic that the user sends toward specific IP addresses and ports. It does not act as a firewall and does not affect downstream traffic.
Syntax Description

src_ip

Source IP address.

src_port_list

List of source port numbers or port ranges, separated by commas. For example, 0-3,21-34,60. If you do not enter this parameter, ports 0 through 65535 are assumed.

src_mask

Source subnet mask.

dst_ip

Destination IP address.

dst_port_list

List of destination port numbers or port ranges, separated by commas. For example, 0-3,21-34,60. If you do not enter this parameter, ports 0 through 65535 are assumed.

dst_mask

Destination subnet mask.

flag

P--- Permit.

D--- Deny.

filter-ID

Number between 0 and 65535 used to set the order of the filter in the list.

Usage

Use this attribute to block or allow access to IP addresses and ports in user profiles, service profiles, and the transparent passthrough profile TPTFilterProfile.

The filter list is processed from beginning to end until an explicit IP/mask match is found. If an IP/mask combination is found and there is a port match, the flag specified for the filter is applied.


Note The presence of a filter within a profile implies that all IP/mask combinations that do not appear in the filter list are denied (implicit deny). To permit access to everything the filter list does not mention, add an "explicit permit" as the last (highest filter-ID) entry of the list:
Control-Info = "F0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;P;9999"

To create a filter for transparent passthrough, create the TPTFilterProfile pseudo-service profile and add the filters to it.

For information on enabling or disabling the transparent passthrough feature, see the "Configuring Transparent Passthrough" section. For information on the transparent passthrough pseudo-service profile, see the "TPTFilterProfile Pseudo-Service Profile" section.

Example
Control-Info = "F172.16.0.0;255.255.255.0;192.168.100.0:20,21;255.255.0.0;P;1"

Note There can be multiple instances of this attribute within a single profile.
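The matching rules stated above (entries tried in filter-ID order, the first entry whose IP/mask pair and port lists both match decides, implicit deny when nothing matches) as an added Python example; it is not Cisco's code and does not claim to reproduce the Cisco 6510's internal implementation. The three filter lines are those of the TPTFilterProfile sample at the end of this appendix; the packets evaluated in the main block are constructed.

```python
"""Evaluate Cisco 6510 Control-Info "F" filter lists against a packet.

Added example, not Cisco's code. Rules modelled: entries are tried in
filter-ID order, the first entry whose IP/mask pair and port lists both
match decides, and a packet matched by no entry is denied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    src: ipaddress.IPv4Network
    src_ports: tuple
    dst: ipaddress.IPv4Network
    dst_ports: tuple
    permit: bool
    order: int


def parse_ports(spec: str) -> tuple:
    """'0-3,21-34,60' -> ((0, 3), (21, 34), (60, 60)); '' -> all ports."""
    if not spec:
        return ((0, 65535),)
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo, hi))
    return tuple(ranges)


def parse_filter(value: str) -> Filter:
    """Parse the value of Control-Info = "F...", leading F included."""
    if not value.startswith("F"):
        raise ValueError("not a filter attribute")
    fields = value[1:].split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 ';'-separated fields, got {len(fields)}")
    src, src_mask, dst, dst_mask, flag, order = fields
    if flag not in ("P", "D"):
        raise ValueError(f"flag must be P or D, got {flag!r}")
    if not 0 <= int(order) <= 65535:
        raise ValueError("filter-ID must be 0..65535")
    src_ip, _, src_ports = src.partition(":")
    dst_ip, _, dst_ports = dst.partition(":")
    # strict=False tolerates host bits set in the address field;
    # a 0.0.0.0 mask yields the /0 network, i.e. "any address".
    return Filter(ipaddress.IPv4Network((src_ip, src_mask), strict=False), parse_ports(src_ports),
                  ipaddress.IPv4Network((dst_ip, dst_mask), strict=False), parse_ports(dst_ports),
                  flag == "P", int(order))


def in_ports(port: int, ranges: tuple) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def evaluate(filters, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """Return True if the packet is permitted. Absent any match: deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for f in sorted(filters, key=lambda f: f.order):
        if (src in f.src and dst in f.dst
                and in_ports(src_port, f.src_ports) and in_ports(dst_port, f.dst_ports)):
            return f.permit
    return False


# Filter lines from the TPTFilterProfile sample; the third is the explicit permit.
SAMPLE_FILTERS = [parse_filter(v) for v in (
    "F172.17.0.0;255.255.0.0;20.0.0.0:80;255.0.0.0;D;1",
    "F172.21.9.0;255.255.255.0;20.0.0.0:80;255.0.0.0;D;2",
    "F0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;P;9999",
)]

if __name__ == "__main__":
    # Constructed packets: (src_ip, src_port, dst_ip, dst_port).
    for pkt in (("172.17.5.5", 40000, "20.1.2.3", 80), ("172.17.5.5", 40000, "20.1.2.3", 443)):
        print(pkt, "permit" if evaluate(SAMPLE_FILTERS, *pkt) else "deny")
```

Dropping the third line from SAMPLE_FILTERS makes every packet from outside the two denied ranges fail as well, which is the implicit deny the note above warns about; an entry whose IP/mask matches but whose port list does not is skipped here, and the search continues to the next filter-ID.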

Next Hop Gateway Table Entry

Because multiple Cisco  6510s might access services from different networks, each service profile specifies a next hop key rather than an actual IP address. For each Cisco  6510 to determine the IP address of the next hop, each Cisco  6510 downloads its own next hop gateway table that associates keys with IP addresses. For information on defining next hop keys, see the "Service Next Hop Gateway" section.


Note This attribute is only used in Next Hop Gateway pseudo-service profiles and should not appear in service profiles or user profiles.
Control-Info = "Gkey;ip_address"
Syntax Description

key

The key specified in the Service Next Hop Gateway service profile.

ip_address

IP address of the next hop for this service.

Usage

Use this attribute to create a next hop gateway table for the selected Cisco  6510.

To define the IP address of the next hop for each service, the Cisco  6510 downloads a special service profile that associates the next hop gateway key for each service with an IP address.

To create a next hop gateway table, create a service profile and give it any name. Use this attribute to associate service keys with their IP addresses. When you have finished, repeat this for each Cisco  6510.


Note The name specified in the Cisco  6510's NHGTableProfile parameter must match this name. For more information, see the "NHGTableProfile" section.

For information on downloading this profile to the Cisco  6510, see the "nhgtable download" section.

Example
Control-Info = "GSSG_1;171.99.73.128"

Octets Output

The standard Acct-Output-Octets attribute is a 32-bit counter and therefore cannot represent more than 4,294,967,295 octets. Access technologies such as ADSL can move more than that in a single session.

So that the accounting server can keep track of and bill for this usage, the Cisco 6510 uses the Octets Output attribute.

The Octets Output attribute records how many times the 32-bit counter rolled over, and the value of the counter when the stop record was generated, for outbound data.

Control-Info = "Orollover;value"
Syntax Description

rollover

Number of times the 32-bit integer rolled over to 0.

value

Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula (4294967296 is 2^32):

rollover * 4294967296 + value

Do not bill from Acct-Output-Octets alone when a session can exceed 4 GB; that attribute carries only the low 32 bits. (RFC 2869 later standardized Acct-Output-Gigawords for the same purpose.)

Example
Control-Info = "O2;153"
Note This attribute is only used for accounting purposes and does not appear in profiles.

Octets Input

The standard Acct-Input-Octets attribute is a 32-bit counter and therefore cannot represent more than 4,294,967,295 octets. Access technologies such as ADSL can move more than that in a single session.

So that the accounting server can keep track of and bill for this usage, the Cisco 6510 uses the Octets Input attribute.

The Octets Input attribute records how many times the 32-bit counter rolled over, and the value of the counter when the stop record was generated, for inbound data.

Control-Info = "Irollover;value"
Syntax Description

rollover

Number of times the 32-bit integer rolled over to 0.

value

Value in the 32-bit integer when the stop record was generated and the service or user was logged out.

Usage

Use this attribute to accurately keep track of and bill for usage. To calculate the actual number of bytes, use the following formula:

rollover * 4294967296 + value

Example
Control-Info = "I3;151"
Note This attribute is only used for accounting purposes and does not appear in profiles.

Sample User and Service Profiles

This section provides samples of user profiles and service profiles used with the Cisco 6510.

Sample User Profile

The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:

bert    Password = "ernie"
        Session-Timeout = 21600,
        Account-Info = "GServiceGroup1",
        Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T",
        Account-Info = "Ngamers.net;The Gamer's Network;P",
        Account-Info = "DD"

The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:

user = bert {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "ernie"
        }
        reply_attributes = {
            27 = 21600
            9,250 = "GServiceGroup1"
            9,250 = "Nhp.com;Hewlett Packard Intranet Access;T"
            9,250 = "Ngamers.net;The Gamer's Network;P"
            9,250 = "DD"
        }
    }
}

Sample Service Group Profile

The following is an example of a service group profile. The profile is formatted for use with a freeware RADIUS server:

ServiceGroup1    Password = "cisco", Service-Type = Outbound
        Account-Info = "Nhp.com",
        Account-Info = "Ngamers.net",
        Account-Info = "GServiceGroup3",
        Account-Info = "GServiceGroup4",
        Account-Info = "IStandard User Services"

The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:

user = ServiceGroup1 {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "cisco"
            6 = 5
        }
        reply_attributes = {
            9,250 = "Nhp.com"
            9,250 = "Ngamers.net"
            9,250 = "GServiceGroup3"
            9,250 = "GServiceGroup4"
            9,250 = "IStandard User Services"
        }
    }
}

Sample Service Profile

The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:

hp.com    Password = "cisco"
        Cisco-AVpair = "vpdn:nas-password=hello",
        Cisco-AVpair = "vpdn:gw-password=hi_there",
        Cisco-AVpair = "vpdn:ip-addresses=135.69.255.198",
        Cisco-AVpair = "vpdn:tunnel-id=cisco_eng",
        Idle-Timeout = 1800,
        Service-Info = "R171.99.73.128;255.255.255.192",
        Service-Info = "R171.99.2.0;255.255.255.192",
        Service-Info = "R171.99.13.0;255.255.255.0",
        Service-Info = "Ghp",
        Service-Info = "D171.99.2.81",
        Service-Info = "MC",
        Service-Info = "TT",
        Service-Info = "IHewlett Packard Intranet Access"

The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:

user = hp.com {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "cisco"
        }
        reply_attributes = {
            28 = 1800
            9,1 = "vpdn:nas-password=hello"
            9,1 = "vpdn:gw-password=hi_there"
            9,1 = "vpdn:ip-addresses=135.69.255.198"
            9,1 = "vpdn:tunnel-id=cisco_eng"
            9,251 = "R171.99.73.128;255.255.255.192"
            9,251 = "R171.99.2.0;255.255.255.192"
            9,251 = "R171.99.13.0;255.255.255.0"
            9,251 = "Ghp"
            9,251 = "D171.99.2.81"
            9,251 = "MC"
            9,251 = "TT"
            9,251 = "IHewlett Packard Intranet Access"
        }
    }
}

Sample Pseudo-Service Profile

The following is an example of the Transparent Passthrough Filter Profile (TPTFilterProfile) pseudo-service profile. The profile is formatted for use with a freeware RADIUS server:

ssg-filter    Password = "cisco", Service-Type = Outbound
        Control-Info = "F172.17.0.0;255.255.0.0;20.0.0.0:80;255.0.0.0;D;1",
        Control-Info = "F172.21.9.0;255.255.255.0;20.0.0.0:80;255.0.0.0;D;2",
        Control-Info = "F0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;P;9999"

The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:

user = ssg-filter {
    radius = 6510-SSG-v1.1 {
        check_items = {
            2 = "cisco"
            6 = 5
        }
        reply_attributes = {
            9,253 = "F172.17.0.0;255.255.0.0;20.0.0.0:80;255.0.0.0;D;1"
            9,253 = "F172.21.9.0;255.255.255.0;20.0.0.0:80;255.0.0.0;D;2"
            9,253 = "F0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;P;9999"
        }
    }
}
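The freeware profile syntax of the samples above, together with the consistency checks this appendix states for Account-Info (an auto-service must be a subscribed service; the passthrough flag is D or E), Service-Info (the T, M and A letters; R and D values are dotted-quad addresses; a G next hop key must exist in the next hop gateway table) and the Cisco-AVpair gateway password note (a tunneled service without vpdn:gw-password accepts any password from the home gateway), as one added Python example. It is not Cisco's code and does not reproduce how the Cisco 6510 or CiscoSecure ACS validate profiles. It assumes one profile per string in the freeware users-file form; hp.com and bert are taken from the samples (bert with an auto-service line added), while gamers.net, eng.example, ernie and the nhg-ssg1 next hop table profile are constructed to exercise each check.

```python
"""Parse freeware-format Cisco 6510 profiles and cross-check them.

Added example, not Cisco's code. Input: the users-file syntax of the
samples (`name  Attr = "value", Attr = "value" ...`), one profile per
string. The checks are the ones stated in this appendix.
"""
import ipaddress
import re

# `Attr = "quoted value"` or `Attr = bareword`, separated by commas/whitespace.
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')
# Documented letters for Service-Info T (type), M (mode) and A (authentication).
ALLOWED = {"T": ("P", "T"), "M": ("S", "C"), "A": ("C", "P")}


def parse_profile(text):
    """Return (profile name, [(attribute, value), ...]) in source order."""
    name, rest = text.split(None, 1)
    attrs = [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
             for m in ATTR_RE.finditer(rest)]
    return name, attrs


def codes(attrs, attr):
    """Split each value of `attr` into its code letter and remainder."""
    return [(v[0], v[1:]) for a, v in attrs if a == attr and v]


def is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def check_service(name, attrs, next_hop_keys):
    problems = []
    svc = codes(attrs, "Service-Info")
    for code, val in svc:
        if code in ALLOWED and val not in ALLOWED[code]:
            problems.append(f"{name}: Service-Info {code}{val}: expected one of {ALLOWED[code]}")
        elif code == "R" and not (val.count(";") == 1 and all(map(is_ip, val.split(";")))):
            problems.append(f"{name}: bad route {val!r} (want ip;mask)")
        elif code == "D" and not all(map(is_ip, val.split(";"))):
            problems.append(f"{name}: bad DNS address {val!r}")
        elif code == "G" and val not in next_hop_keys:
            problems.append(f"{name}: next-hop key {val!r} not in next-hop table")
    if ("T", "T") in svc:  # tunneled service: home gateway must be authenticated
        avpairs = [v for a, v in attrs if a == "Cisco-AVpair"]
        if not any(v.startswith("vpdn:gw-password=") for v in avpairs):
            problems.append(f"{name}: tunnel service without vpdn:gw-password "
                            "(any home gateway password would be accepted)")
    return problems


def check_user(name, attrs, services):
    problems = []
    acct = codes(attrs, "Account-Info")
    # The sample user profile appends ";description;type" to N values,
    # so the service name is taken as the first ';'-separated field.
    svc_name = lambda v: v.split(";")[0]
    subscribed = {svc_name(v) for c, v in acct if c == "N"}
    for c, v in acct:
        if c == "N" and svc_name(v) not in services:
            problems.append(f"{name}: subscribed to unknown service {svc_name(v)!r}")
        elif c == "A" and svc_name(v) not in subscribed:
            problems.append(f"{name}: auto-service {svc_name(v)!r} has no N subscription")
        elif c == "D" and v not in ("D", "E"):
            problems.append(f"{name}: passthrough flag must be D or E, got {v!r}")
    return problems


def audit(service_texts, user_texts, nhg_text):
    """Return every problem found across a set of profiles."""
    _, nhg = parse_profile(nhg_text)
    keys = {v[1:].split(";")[0] for a, v in nhg if a == "Control-Info" and v.startswith("G")}
    services, problems = {}, []
    for t in service_texts:
        n, a = parse_profile(t)
        services[n] = a
        problems += check_service(n, a, keys)
    for t in user_texts:
        n, a = parse_profile(t)
        problems += check_user(n, a, services)
    return problems


# hp.com and bert follow the samples; nhg-ssg1, gamers.net, eng.example and
# ernie are constructed (made-up names) to trigger each check.
SAMPLE_NHG = 'nhg-ssg1 Password = "cisco" Control-Info = "Ghp;171.99.73.128"'
SAMPLE_SERVICES = [
    'hp.com Password = "cisco" Cisco-AVpair = "vpdn:nas-password=hello", '
    'Cisco-AVpair = "vpdn:gw-password=hi_there", Cisco-AVpair = "vpdn:tunnel-id=cisco_eng", '
    'Service-Info = "R171.99.73.128;255.255.255.192", Service-Info = "Ghp", '
    'Service-Info = "D171.99.2.81", Service-Info = "MC", Service-Info = "TT"',
    'gamers.net Password = "cisco" Service-Info = "R0.0.0.0;0.0.0.0", Service-Info = "MC", Service-Info = "TP"',
    'eng.example Password = "cisco" Cisco-AVpair = "vpdn:nas-password=x", '
    'Service-Info = "Geng", Service-Info = "TT", Service-Info = "MX"',
]
SAMPLE_USERS = [
    'bert Password = "ernie" Session-Timeout = 21600, Account-Info = "GServiceGroup1", '
    'Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T", '
    'Account-Info = "Ngamers.net;The Gamer\'s Network;P", Account-Info = "Agamers.net;jdoe;secret", Account-Info = "DD"',
    'ernie Password = "bert" Account-Info = "Nhp.com", Account-Info = "Amail.example", '
    'Account-Info = "Nbogus", Account-Info = "DX"',
]

if __name__ == "__main__":
    for p in audit(SAMPLE_SERVICES, SAMPLE_USERS, SAMPLE_NHG):
        print(p)
```

Run as a script it lists six problems, all in the constructed eng.example and ernie profiles and none in the sample hp.com, gamers.net or bert ones; the missing gw-password finding is the one to treat as a security defect rather than a typo.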


Copyright 1989-1998 © Cisco Systems Inc.