Cisco 6510 Vendor-Specific RADIUS Attributes

The Cisco 6510 Service Selection Gateway uses vendor-specific Remote Access Dial-In User Service (RADIUS) attributes. If you use the Cisco 6510 with Cisco User Control Point (UCP), you specify settings that allow processing of the Cisco 6510 attributes while configuring the CiscoSecure Access Control Server (ACS) component. If you use another authentication, authorization, and accounting (AAA) server, you must customize that server's database code to handle processing of the Cisco 6510 vendor-specific attributes.


Note When a user disconnects from a service without logging off, the connection remains open and the user will be able to reaccess the service without going through the login procedure. To prevent this user from being logged on indefinitely, be sure to configure the Session-Timeout RADIUS attribute.

The following table lists vendor-specific attributes used by the Cisco 6510. By sending an Access-Request packet with the vendor-specific attributes shown in the table, the Dashboard client can send requests to the Cisco 6510 to log on and log off an account and disconnect and connect services. The vendor ID for all of the Cisco-specific attributes is 9.


Table D-1: Vendor-Specific RADIUS Attributes for the Cisco 6510

AttrID  VendorID  SubAttrID  SubAttrName   SubAttrDataType
26      9         1          Cisco-AVpair  String
26      9         250        Account-Info  String
26      9         251        Service-Info  String
26      9         252        Command-Code  Binary

The following sections describe the format of each sub-attribute.


Note All RADIUS attributes are case-sensitive.

Cisco-AVpair Attribute

The Cisco-AVpair attributes are used to build a Virtual Private Dial-Up Network (VPDN) tunnel.

The following illustrates the format for Cisco-AVpair attributes:

 +-+-+-+-+-+-+-+-+-+-+-+-+...+
 |a|b| c |d|e|f|g           |
 +-+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute for vendor specific)

b = len (length of the RADIUS vendor-specific attribute)

c = 9 (Cisco vendor ID)

d = 1 (sub-attribute ID for Cisco-AVpair)

e = len (length of the vendor-specific sub-attribute)

f = code (Cisco-AVpair code for attribute)

g = value (additional information required by code)

VPDN IP Address

This attribute specifies the IP address of the home gateway that receives the Layer 2 Forwarding (L2F) connection.

Cisco-AVpair = "vpdn:ip-addresses=gateway-ip"
Syntax Description
gateway-ip IP address of the home gateway.
Example

Cisco-AVpair="vpdn:ip-addresses=135.69.255.198"

VPDN Password

This attribute specifies the password of the home gateway that receives the L2F connection.

Cisco-AVpair = "vpdn:gw-password=gateway-pwd"
Syntax Description
gateway-pwd Password of the home gateway.
Example

Cisco-AVpair="vpdn:gw-password=hello"

Account-Info Attributes

The Account-Info attributes are used in user profiles. User profiles indicate whether or not the user is granted the default service, the services to which the user is subscribed, and how often Dashboard tests the connection to the Cisco 6510.

The following illustrates the format for Account-Info attributes:

 +-+-+-+-+-+-+-+-+-+-+-+-+...+
 |a|b| c |d|e|f|g           |
 +-+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute for vendor specific)

b = len (length of the RADIUS vendor-specific attribute)

c = 9 (Cisco vendor ID)

d = 250 (sub-attribute ID for Account-Info)

e = len (length of the vendor-specific sub-attribute)

f = code (account-info code for attribute)

g = value (additional information required by code)

Example (RADIUS Freeware Format)

Account-Info = "DD"

Example (CiscoSecure ACS for UNIX and UCP Format)

9,250 = "DD"

Default Service

This attribute determines whether the user's packets not destined for a tunnel are forwarded (usually to the Internet).

Account-Info = "D{value}"
Syntax Description
value D--Disables access to the default service.

E--Enables access to the default service.

Example
Account-Info = "DD"

Service Name

This attribute subscribes the user to the specified service.

Account-Info = "N{name;description;flag}"
Syntax Description
name Name of the service profile.
description Description of the service.
flag I--Internet. Indicates the user's packets are forwarded straight through the Cisco 6510.

T--Tunnel. Indicates the user's packets are forwarded through an L2F tunnel.

Example
Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T"

PING Interval

This attribute is used to define how frequently the Dashboard tests the connection to the Cisco 6510.

Account-Info = "P{seconds}"
Syntax Description
seconds Indicates how often, in seconds, the Dashboard will test the connection to the Cisco 6510.
Example
Account-Info = "P60"

Service-Info Attributes

The Service-Info attributes are used to define the profile of a service. This includes the name of the service, the service type (Internet or tunnel), the service access mode (sequential or concurrent), the DNS server IP address, and the networks that exist on the service.

The following illustrates the format for Service-Info attributes:

 +-+-+-+-+-+-+-+-+-+-+-+-+...+
 |a|b| c |d|e|f|g           |
 +-+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute for vendor specific)

b = len (length of the RADIUS vendor-specific attribute)

c = 9 (Cisco vendor ID)

d = 251 (sub-attribute ID for Service-Info)

e = len (length of the vendor-specific sub-attribute)

f = code (service-info code for attribute)

g = value (additional information required by code)

Authentication Type

This attribute is used to set whether the Cisco 6510 uses the CHAP or PAP protocol to authenticate users on the service.

Service-Info = "A{authen-type}"
Syntax Description
authen-type C--CHAP Authentication.

P--PAP Authentication.

Example
Service-Info = "AC"

Service Name

This attribute is used to include a name and description of the service in accounting records and is not required in service profiles.

Service-Info = "N{name;description}"
Syntax Description
name Name of the service profile.
description Description of the service.
Example
Service-Info = "Nhp.com;Hewlett Packard Intranet Access"

Service Type

This attribute is used to indicate whether the service is an Internet or tunnel connection.

Service-Info = "T{type}"
Syntax Description
type I--Internet. Indicates the user's packets are forwarded straight through the Cisco 6510.

T--Tunnel. Indicates the user's packets are forwarded through an L2F tunnel.

Example
Service-Info = "TI"

Service Mode

This attribute is used to define whether the user is able to log onto this service while simultaneously connected to other services (concurrent) or whether the user cannot access any other services while using this service (sequential).

Service-Info = "M{mode}"
Syntax Description
mode S--Sequential mode.

C--Concurrent mode.

Example
Service-Info = "MS"

Service User

This attribute is used to indicate the username that was provided by the Dashboard user to log on to the service and for authentication with the home gateway. This attribute is only used in Accounting Records.

Service-Info = "U{username}"
Syntax Description
username The name provided by the user, which was used to authenticate with the home gateway.
Example
Service-Info = "Ujoe@cisco.com"

DNS Service

This attribute specifies the DNS server for this service. Multiple attributes may be specified to indicate a primary DNS server, a secondary DNS server, and so on.

Service-Info = "D{ip_address}"
Syntax Description
ip_address IP address of the DNS server.
Example
Service-Info = "D198.46.9.2"

Service Filter

This attribute is used to specify networks that exist for a service beyond the home gateway.

Service-Info = "F{ip_address;mask;flag}"
Syntax Description
ip_address IP address.
mask Subnet mask.
flag A--Allows access to the specified IP address(es).

B--Denies access to the specified IP address(es).

Example
Service-Info = "F171.99.73.128;255.255.255.192;A"
Note There may be multiple instances of this attribute within one service profile.

Command-Code Attributes

The Command-Code attributes are used for communication between the Dashboard and the Cisco 6510. The following parameters are for reference only and are not used in user or service profiles.

The following illustrates the format for Command-Code attributes:

 +-+-+-+-+-+-+-+-+-+-+-+-+...+
 |a|b| c |d|e|f|g           |
 +-+-+-+-+-+-+-+-+-+-+-+-+...+

a = 26 (RADIUS attribute for vendor specific)

b = len (length of the RADIUS vendor-specific attribute)

c = 9 (Cisco vendor ID)

d = 252 (sub-attribute ID for Command-Code)

e = len (length of the vendor-specific sub-attribute)

f = code (command-code for attribute in binary format)

g = value (additional information required by code in ascii format)


Note All of the following attributes have abinary values. This means that they have both a binary and string value. The examples in this section show the binary value in octal notation.
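As an added example (not code from the Cisco documentation), the following Python builds and checks a RADIUS attribute 26 carrying one Cisco sub-attribute in the a..g layout shown above for Cisco-AVpair, Account-Info, Service-Info and Command-Code. The function and constant names are my own; the decoder assumes it is handed exactly one attribute and verifies every length field against the buffer before slicing, which is the check a server should make before acting on a vendor-specific attribute.

```python
import struct

VSA_TYPE = 26           # a: RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9     # c: vendor ID for all Cisco sub-attributes
SUB_ID = {"Cisco-AVpair": 1, "Account-Info": 250,
          "Service-Info": 251, "Command-Code": 252}   # d: from Table D-1


def encode_cisco_vsa(sub_id: int, payload: bytes) -> bytes:
    """Wrap one sub-attribute payload (the f and g octets) in a RADIUS attribute 26.
    Layout: a=26, b=total length, c=vendor ID 9 (4 octets), d=sub-id, e=sub length."""
    sub_len = 2 + len(payload)        # e counts its own two header octets
    total_len = 2 + 4 + sub_len       # b counts type, length and vendor ID as well
    if total_len > 255:
        raise ValueError("sub-attribute does not fit in one RADIUS attribute")
    return struct.pack("!BBIBB", VSA_TYPE, total_len, CISCO_VENDOR_ID,
                       sub_id, sub_len) + payload


def string_subattr(name: str, value: str) -> bytes:
    """Cisco-AVpair, Account-Info, Service-Info: f and g form one ASCII string."""
    return encode_cisco_vsa(SUB_ID[name], value.encode("ascii"))


def command_code(code: int, value: str = "") -> bytes:
    """Command-Code: f is one binary octet (written in octal on this page), g is ASCII."""
    return encode_cisco_vsa(SUB_ID["Command-Code"], bytes([code]) + value.encode("ascii"))


def decode_cisco_vsa(data: bytes):
    """Return (sub_id, payload) for one attribute, or raise ValueError.
    All length fields are checked against the buffer before any slice is taken,
    so a malformed attribute cannot make the parser read past its data."""
    if len(data) < 8:
        raise ValueError("truncated vendor-specific attribute")
    attr_type, attr_len, vendor, sub_id, sub_len = struct.unpack("!BBIBB", data[:8])
    if attr_type != VSA_TYPE or vendor != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco vendor-specific attribute")
    if attr_len != len(data) or sub_len != attr_len - 6 or sub_len < 2:
        raise ValueError("inconsistent length fields")
    return sub_id, data[8:attr_len]


def is_well_formed(data: bytes) -> bool:
    """Convenience predicate for filtering attributes before they reach profile logic."""
    try:
        decode_cisco_vsa(data)
        return True
    except ValueError:
        return False
```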

Account Logon

This attribute is used by the Dashboard to log on a user.

Command-Code = "\001{name}"
Syntax Description
name Account name.
Example
Command-Code = "\001USER1"

Account Logoff

This attribute is used by the Dashboard to log off a user.

Command-Code = "\002{name}"
Syntax Description
name Account name.
Example
Command-Code = "\002USER1"

Account PING

This attribute is used by Dashboard to test the connection to the Cisco 6510.

Command-Code = "\004"
Example
Command-Code = "\004"

Service Logon

This attribute is used by Dashboard to request that the Cisco 6510 logs the user on to a service.

Command-Code = "\013{s_name}"
Syntax Description
s_name Service name.
Example
Command-Code = "\013cisco.com"

Service Logoff

This attribute is used by Dashboard to request that the Cisco 6510 logs the user off of a service.

Command-Code = "\014{s_name}"
Syntax Description
s_name Service name.
Example
Command-Code = "\014cisco.com"

Service Access Order

This attribute is used by the Dashboard to communicate the DNS search order for the service to the Cisco 6510.

Command-Code = "\016{s_order}"
Syntax Description
s_order The DNS server search order, separated by semicolons (;).
Example
Command-Code = "\016cisco.com;microsoft.com;hp.com"

Service Message

This attribute is used by the Cisco 6510 to communicate messages to the Dashboard client.

Command-Code = "\017{message}"
Syntax Description
message Message communicated from the Cisco 6510.
Example
Command-Code = "\017Your session has timed out"

Sample User and Service Profiles

This section provides samples of user profiles and service profiles used with the Cisco 6510.

Sample User Profile

The following is an example of a user profile. The profile is formatted for use with a freeware RADIUS server:

bert    Password = "ernie"
        Session-Timeout = 3600,
        Account-Info = "Nhp.com;Hewlett Packard Intranet Access;T",
        Account-Info = "Ngamers.net;The Gamer's Network;I",
        Account-Info = "P60",
        Account-Info = "DD"

The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:

user = bert {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "ernie"
        }
        reply_attributes = {
            27 = 3600
            9,250 = "Nhp.com;Hewlett Packard Intranet Access;T"
            9,250 = "Ngamers.net;The Gamer's Network;I"
            9,250 = "P60"
            9,250 = "DD"
        }
    }
}

Sample Service Profile

The following is an example of a service profile. The profile is formatted for use with a freeware RADIUS server:

hp.com  Password = "cisco"
        Cisco-AVpair = "vpdn:gw-password=hello",
        Cisco-AVpair = "vpdn:ip-addresses=135.69.255.198",
        Service-Info = "F171.99.73.128;255.255.255.192;A",
        Service-Info = "F171.99.2.0;255.255.255.192;A",
        Service-Info = "F171.99.13.0;255.255.255.0;A",
        Service-Info = "F171.99.13.21;255.255.255.255;B",
        Service-Info = "D171.99.2.81",
        Service-Info = "MC",
        Service-Info = "TT"

The following is the same profile as above, formatted for UCP or CiscoSecure ACS for UNIX:

user = hp.com {
    radius = 6510-SSG-v1.0 {
        check_items = {
            2 = "cisco"
        }
        reply_attributes = {
            9,1 = "vpdn:gw-password=hello"
            9,1 = "vpdn:ip-addresses=135.69.255.198"
            9,251 = "F171.99.73.128;255.255.255.192;A"
            9,251 = "F171.99.2.0;255.255.255.192;A"
            9,251 = "F171.99.13.0;255.255.255.0;A"
            9,251 = "F171.99.13.21;255.255.255.255;B"
            9,251 = "D171.99.2.81"
            9,251 = "MC"
            9,251 = "TT"
        }
    }
}
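As an added example (not from the Cisco documentation), the following Python parses the Account-Info and Service-Info strings of the two sample profiles above into structured user and service records, rejecting unknown codes and out-of-range flags. The function names are my own, the sample lists are constructed from the profiles on this page, and filters are normalised with the standard ipaddress module so a bad mask is caught at profile load time.

```python
import ipaddress

# Constructed sample input: reply attributes from the sample profiles on this page.
SAMPLE_ACCOUNT_INFO = ["Nhp.com;Hewlett Packard Intranet Access;T",
                       "Ngamers.net;The Gamer's Network;I", "P60", "DD"]
SAMPLE_SERVICE_INFO = ["F171.99.73.128;255.255.255.192;A", "F171.99.2.0;255.255.255.192;A",
                       "F171.99.13.0;255.255.255.0;A", "F171.99.13.21;255.255.255.255;B",
                       "D171.99.2.81", "MC", "TT"]


def _choice(body, allowed, what):
    """Accept exactly one of the documented letters; empty or unknown values raise."""
    if body not in allowed:
        raise ValueError(f"bad {what}: {body!r}")
    return body


def parse_account_info(values):
    """User profile: default service (D), subscribed services (N), ping interval (P)."""
    user = {"services": []}
    for v in values:
        code, body = v[:1], v[1:]
        if code == "D":
            user["default_service"] = _choice(body, {"D", "E"}, "default-service flag")
        elif code == "N":
            name, desc, flag = body.split(";")
            user["services"].append((name, desc, _choice(flag, {"I", "T"}, "service flag")))
        elif code == "P":
            user["ping_interval"] = int(body)
        else:
            raise ValueError(f"unknown Account-Info code {code!r}")
    return user


def parse_service_info(values):
    """Service profile: A/N/T/M/U as documented, plus repeatable D (DNS) and F (filter)."""
    svc = {"dns": [], "filters": []}
    for v in values:
        code, body = v[:1], v[1:]
        if code == "A":
            svc["authen_type"] = _choice(body, {"C", "P"}, "authentication type")
        elif code == "N":
            svc["name"], svc["description"] = body.split(";", 1)
        elif code == "T":
            svc["service_type"] = _choice(body, {"I", "T"}, "service type")
        elif code == "M":
            svc["mode"] = _choice(body, {"S", "C"}, "service mode")
        elif code == "U":
            svc["user"] = body
        elif code == "D":
            svc["dns"].append(str(ipaddress.ip_address(body)))
        elif code == "F":
            ip, mask, flag = body.split(";")
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            svc["filters"].append((str(net), _choice(flag, {"A", "B"}, "filter flag")))
        else:
            raise ValueError(f"unknown Service-Info code {code!r}")
    return svc
```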

Copyright 1989-1998 © Cisco Systems Inc.