Table Of Contents
RADIUS Attribute-Value Pairs and Dictionary Management
Dictionary of Cisco IOS RADIUS Attribute-Value Pairs
Dictionary of IETF RADIUS Attributes
Dictionary of Ascend RADIUS Attributes
RADIUS Attribute-Value Pairs and Dictionary Management
This chapter provides a list of the dictionaries and their attribute-value pairs that are supported by CiscoSecure Access Control Server (ACS). You can also add your own set of attributes for custom solutions.
The CiscoSecure ACS supports the major proprietary RADIUS sets of attribute-value pairs, including those contained in Cisco IOS Release 11.1, 11.2, 11.3, Ascend-RADIUS, Ascend5-RADIUS, and IETF-RADIUS (the set of RADIUS attribute-value pairs defined by the International Engineering Task Force). As such, you can use the CiscoSecure ACS to service a network access server (NAS) that is running any combination of configured Cisco, Ascend, or IETF-RADIUS-compliant attributes.
To provide this level of support, attribute sets are conveniently stored in units called dictionaries. A NAS that is using a given set of attribute-value pairs can easily exchange data with a CiscoSecure ACS that is loaded with the corresponding dictionary of attributes.
When setting up group and user profiles from the Members page of the Java-based CiscoSecure Administrator advanced configuration program, the available dictionaries are listed under the Options menu (see the section "Assigning RADIUS Attributes to a Group or User Profile," in the CiscoSecure ACS 2.3 for UNIX User Guide chapter "Advanced Group and User Management"). Depending on what attribute sets your NAS supports, you can specify one or more dictionaries as part of a User-Profile setup. By default, you always see dictionaries named RADIUS-Ascend, RADIUS-Ascend5, RADIUS-Cisco, RADIUS-Cisco11.1, RADIUS-Cisco11.2, RADIUS-Cisco11.3, and RADIUS-IETF.
By clicking the Dictionaries tab of the CiscoSecure Administrator advanced configuration program, you can specify custom attribute-value pairs you want on your CiscoSecure ACS. CiscoSecure ACS provides a special management tool that allows you to make a brand-new dictionary, or to make a copy of an existing dictionary and then modify its contents for special purposes. For details, see the sections "Dictionary of Cisco IOS RADIUS Attribute-Value Pairs," "Dictionary of IETF RADIUS Attributes," and "Dictionary of Ascend RADIUS Attributes" later in this chapter.
Depending on your NAS's implementation, the CiscoSecure ACS provides one of the following attribute dictionaries:
• Dictionaries of RADIUS attribute-value pairs supported by Cisco IOS Release 11.1, Cisco IOS Release 11.2, or Cisco IOS Release 11.3
• Dictionary of IETF RADIUS attributes
• Dictionaries of Ascend and Ascend 5 RADIUS attributes
The following sections contain dictionary translations for parsing requests and generating responses. All transactions are composed of attribute-value pairs. The value of each attribute is specified as one of five data types:
• string—0 to 253 octets.
• abinary—0 to 254 octets.
• ipaddr—4 octets in network byte order.
• integer—32-bit value in big endian order (high byte first).
• date—32-bit value in big endian order. For example, seconds since 00:00:00 GMT, Jan. 1, 1970.
Enumerated values are stored in the user file with dictionary value translations for easy administration.
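The following added example (not part of the Cisco documentation or the CiscoSecure ACS code) shows how a dictionary drives strict decoding of attribute-value pairs, rejecting values whose size does not match the declared data type. It assumes the standard RADIUS wire layout of one type octet, one length octet that counts the two header octets, then the value; the dictionary is a subset of Table 19-1 and the sample bytes are constructed.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Subset of Table 19-1 (Cisco IOS dictionary): attribute number -> (name, type)
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("Client-Id", "ipaddr"),
    5: ("Client-Port-Id", "integer"),
    21: ("Expiration", "date"),
}

def decode_value(kind, raw):
    """Decode one value by its dictionary data type, enforcing the fixed sizes."""
    if kind == "string":
        # A one-octet length minus the 2-octet header caps strings at 253 octets.
        return raw.decode("utf-8", errors="backslashreplace")
    if len(raw) != 4:
        raise ValueError(f"{kind} must be exactly 4 octets, got {len(raw)}")
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))   # network byte order
    (number,) = struct.unpack("!I", raw)         # big endian, high byte first
    if kind == "date":
        return datetime.fromtimestamp(number, tz=timezone.utc)
    return number

def parse_avps(buf):
    """Walk type/length/value triples; reject truncated or unknown attributes."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {attr}")
        if attr not in DICTIONARY:
            raise ValueError(f"attribute {attr} is not in the loaded dictionary")
        name, kind = DICTIONARY[attr]
        out.append((name, decode_value(kind, buf[pos + 2:pos + length])))
        pos += length
    return out

# Constructed sample: User-Name, Client-Id, Client-Port-Id, Expiration
SAMPLE = (b"\x01\x07alice" + b"\x04\x06\xc0\x00\x02\x0a"
          + b"\x05\x06\x00\x00\x00\x07" + b"\x15\x06\x00\x01\x51\x80")

if __name__ == "__main__":
    for name, value in parse_avps(SAMPLE):
        print(f"{name} = {value}")
```

Rejecting attributes that are missing from the loaded dictionary is a choice made for this example; it makes a mismatch between the NAS attribute set and the server's dictionary visible instead of silently ignored.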
Dictionary of Cisco IOS RADIUS Attribute-Value Pairs
Before selecting attribute-value pairs for the CiscoSecure ACS, confirm that your NAS runs Cisco IOS Release 11.1 or later, or compatible NAS software, for RADIUS support.
Note: If you specify a given attribute-value pair on the CiscoSecure ACS, the corresponding attribute-value pair must be implemented in the Cisco IOS software running on the NAS. If the CiscoSecure ACS sends an attribute-value pair to the NAS, and the Cisco IOS software does not support it, the attribute you requested cannot be implemented.
Table 19-1 contains the attribute-value pairs provided in the Cisco IOS software.
Note: Because the list of RADIUS Attributes supported by Cisco IOS software changes often, see "RADIUS Vendor-Proprietary Attributes," in the appendix "RADIUS Attributes" in the Security Configuration Guide. For the current and most accurate listing of RADIUS attributes supported by Cisco IOS Release 11.1, 11.2, and 11.3, locate this document at the Cisco documentation web site: http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt6/index.htm.
Table 19-1 Dictionary of Cisco IOS RADIUS Attribute-Value Pairs
Attribute | Value | Type of Value
User-Name | 1 | string
Password | 2 | string
CHAP-Password | 3 | string
Client-Id | 4 | ipaddr
Client-Port-Id | 5 | integer
User-Service-Type | 6 | integer
Framed-Protocol | 7 | integer
Framed-Address | 8 | ipaddr
Framed-Netmask | 9 | ipaddr
Framed-Routing | 10 | integer
Framed-Filter-Id | 11 | string
Framed-MTU | 12 | integer
Framed-Compression | 13 | integer
Login-Host | 14 | ipaddr
Login-Service | 15 | integer
Login-TCP-Port | 16 | integer
Old-Password | 17 | string
Port-Message | 18 | string
Dialback-No | 19 | string
Dialback-Name | 20 | string
Expiration | 21 | date
Framed-Route | 22 | string
Framed-IPX-Network | 23 | ipaddr
Challenge-State | 24 | string
Vendor specific | 26 | string
Acct-Status-Type | 40 | integer
Acct-Delay-Time | 41 | integer
Acct-Input-Octets | 42 | integer
Acct-Output-Octets | 43 | integer
Acct-Session-Id | 44 | string
Acct-Authentic | 45 | integer
Acct-Session-Time | 46 | integer
Acct-Input-packets | 47 | integer
Acct-Output-packets | 48 | integer
Dictionary of IETF RADIUS Attributes
Table 19-2 lists the dictionary of RADIUS IETF attributes.
Table 19-2 Dictionary of IETF RADIUS Client Attributes
Attribute | Value | Type of Value
User-Name | 1 | string
User-Password | 2 | string
CHAP-Password | 3 | string
NAS-IP-Address | 4 | integer
NAS-Port | 5 | integer
Service-Type | 6 | integer
Framed-Protocol | 7 | integer
Framed-IP-Address | 8 | integer
Framed-IP-Netmask | 9 | integer
Framed-Routing | 10 | integer
Filter-Id | 11 | integer
Framed-MTU | 12 | integer
Framed-Compression | 13 | integer
Login-IP-Host | 14 | integer
Login-Service | 15 | integer
Login-TCP-Port | 16 | integer
Reply-Message | 18 | string
Callback-Number | 19 | string
Callback-Id | 20 | string
Framed-Route | 22 | string
Framed-IPX-Network | 23 | integer
State | 24 | string
Class | 25 | string
Vendor-Specific | 26 | string
Session-Timeout | 27 | integer
Idle-Timeout | 28 | integer
Termination-Action | 29 | integer
Called-Station-Id | 30 | integer
Calling-Station-Id | 31 | string
NAS-Identifier | 32 | string
Proxy-State | 33 | string
Login-LAT-Service | 34 | string
Login-LAT-Node | 35 | string
Login-LAT-Group | 36 | string
Framed-AppleTalk-Link | 37 | integer
Framed-AppleTalk-Network | 38 | integer
Framed-AppleTalk-Zone | 39 | integer
Acct-Status-Type | 40 | integer
Acct-Delay-Time | 41 | integer
Acct-Input-Octets | 42 | integer
Acct-Output-Octets | 43 | integer
Acct-Session-Id | 44 | string
Acct-Authentic | 45 | integer
Acct-Session-Time | 46 | integer
Acct-Input-Packets | 47 | integer
Acct-Output-Packets | 48 | integer
Acct-Terminate-Cause | 49 | integer
Acct-Multi-Session-Id | 50 | string
Acct-Link-Count | 51 | integer
NAS-Port-Type | 61 | integer
Port-Limit | 62 | integer
Login-LAT-Port | 63 | string
Dictionary of Ascend RADIUS Attributes
Table 19-3 lists the dictionary of supported Ascend attribute-value pairs.
Table 19-3 Dictionary of Ascend RADIUS Attribute-Value Pairs
Supported Attribute | Value | Type of Value
Dictionary of Ascend Attributes | |
User-Name | 1 | string
Password | 2 | string
Challenge-Response | 3 | string
NAS-Identifier | 4 | ipaddr
NAS-Port | 5 | integer
User-Service | 6 | integer
Framed-Protocol | 7 | integer
Framed-Address | 8 | ipaddr
Framed-Netmask | 9 | ipaddr
Framed-Routing | 10 | integer
Framed-Filter | 11 | string
Framed-MTU | 12 | integer
Framed-Compression | 13 | integer
Login-Host | 14 | ipaddr
Login-Service | 15 | integer
Login-TCP-Port | 16 | integer
Change-Password | 17 | string
Reply-Message | 18 | string
Callback-Number | 19 | string
Callback-Name | 20 | string
Ascend-PW-Expiration | 21 | date
Framed-Route | 22 | string
Framed-IPX-Network | 23 | integer
State | 24 | string
Class | 25 | string
Vendor-Specific | 26 | string
Client-Port-DNIS | 30 | string
Caller-Id | 31 | string
Acct-Status-Type | 40 | integer
Acct-Delay-Time | 41 | integer
Acct-Input-Octets | 42 | integer
Acct-Output-Octets | 43 | integer
Acct-Session-Id | 44 | string
Acct-Authentic | 45 | integer
Acct-Session-Time | 46 | integer
Acct-Input-Packets | 47 | integer
Acct-Output-Packets | 48 | integer
Support IP Address Allocation from Global Pools | |
Ascend-Assign-IP-Client | 144 | ipaddr
Ascend-Assign-IP-Server | 145 | ipaddr
Ascend-Assign-IP-Global-Pool | 146 | string
DHCP Server Functions | |
Ascend-DHCP-Reply | 147 | integer
Ascend-DHCP-Pool-Number | 148 | integer
Connection Profile/Telco Option | |
Ascend-Expect-Callback | 149 | integer
Event Type for an Ascend-Event Packet | |
Ascend-Event-Type | 150 | integer
RADIUS Server Session Key | |
Ascend-Session-Svr-Key | 151 | string
Multicast Rate Limit per Client | |
Ascend-Multicast-Rate-Limit | 152 | integer
Connection Profile Fields to Support Interface-Based Routing | |
Ascend-IF-Netmask | 153 | ipaddr
Ascend-Remote-Addr | 154 | ipaddr
Multicast Support | |
Ascend-Multicast-Client | 155 | integer
Frame Datalink Profiles | |
Ascend-FR-Circuit-Name | 156 | string
Ascend-FR-LinkUp | 157 | integer
Ascend-FR-Nailed-Grp | 158 | integer
Ascend-FR-Type | 159 | integer
Ascend-FR-Link-Mgt | 160 | integer
Ascend-FR-N391 | 161 | integer
Ascend-FR-DCE-N392 | 162 | integer
Ascend-FR-DTE-N392 | 163 | integer
Ascend-FR-DCE-N393 | 164 | integer
Ascend-FR-DTE-N393 | 165 | integer
Ascend-FR-T391 | 166 | integer
Ascend-FR-T392 | 167 | integer
Ascend-Bridge-Address | 168 | string
Ascend-TS-Idle-Limit | 169 | integer
Ascend-TS-Idle-Mode | 170 | integer
Ascend-DBA-Monitor | 171 | integer
Ascend-Base-Channel-Count | 172 | integer
Ascend-Minimum-Channels | 173 | integer
IPX Static Routes | |
Ascend-IPX-Route | 174 | string
Ascend-FT1-Caller | 175 | integer
Ascend-Backup | 176 | string
Ascend-Call-Type | 177 | integer
Ascend-Group | 178 | string
Ascend-FR-DLCI | 179 | integer
Ascend-FR-Profile-Name | 180 | string
Ascend-Ara-PW | 181 | string
Ascend-IPX-Node-Addr | 182 | string
Ascend-Home-Agent-IP-Addr | 183 | ipaddr
Ascend-Home-Agent-Password | 184 | string
Ascend-Home-Network-Name | 185 | string
Ascend-Home-Agent-UDP-Port | 186 | integer
Ascend-Multilink-ID | 187 | integer
Ascend-Num-In-Multilink | 188 | integer
Ascend-First-Dest | 189 | ipaddr
Ascend-Pre-Input-Octets | 190 | integer
Ascend-Pre-Output-Octets | 191 | integer
Ascend-Pre-Input-Packets | 192 | integer
Ascend-Pre-Output-Packets | 193 | integer
Ascend-Maximum-Time | 194 | integer
Ascend-Disconnect-Cause | 195 | integer
Ascend-Connect-Progress | 196 | integer
Ascend-Data-Rate | 197 | integer
Ascend-PreSession-Time | 198 | integer
Ascend-Token-Idle | 199 | integer
Ascend-Token-Immediate | 200 | integer
Ascend-Require-Auth | 201 | integer
Ascend-Number-Sessions | 202 | string
Ascend-Authen-Alias | 203 | string
Ascend-Token-Expiry | 204 | integer
Ascend-Menu-Selector | 205 | string
Ascend-Menu-Item | 206 | string
Radius Password Expiration Options | |
Ascend-PW-Warntime | 207 | integer
Ascend-PW-Lifetime | 208 | integer
Ascend-IP-Direct | 209 | ipaddr
Ascend-PPP-VJ-Slot-Comp | 210 | integer
Ascend-PPP-VJ-1172 | 211 | integer
Ascend-PPP-Async-Map | 212 | integer
Ascend-Third-Prompt | 213 | string
Ascend-Send-Secret | 214 | string
Ascend-Receive-Secret | 215 | string
Ascend-IPX-Peer-Mode | 216 | integer
Ascend-IP-Pool-Definition | 217 | string
Ascend-Assign-IP-Pool | 218 | integer
Ascend-FR-Direct | 219 | integer
Ascend-FR-Direct-Profile | 220 | string
Ascend-FR-Direct-DLCI | 221 | integer
Ascend-Handle-IPX | 222 | integer
Ascend-Netware-timeout | 223 | integer
Ascend-IPX-Alias | 224 | integer
Ascend-Metric | 225 | integer
Ascend-PRI-Number-Type | 226 | integer
Ascend-Dial-Number | 227 | string
Connection Profile/PPP Options | |
Ascend-Route-IP | 228 | integer
Ascend-Route-IPX | 229 | integer
Ascend-Bridge | 230 | integer
Ascend-Send-Auth | 231 | integer
Ascend-Send-Passwd | 232 | string
Ascend-Link-Compression | 233 | integer
Ascend-Target-Util | 234 | integer
Ascend-Maximum-Channels | 235 | integer
Ascend-Inc-Channel-Count | 236 | integer
Ascend-Dec-Channel-Count | 237 | integer
Ascend-Seconds-Of-History | 238 | integer
Ascend-History-Weigh-Type | 239 | integer
Ascend-Add-Seconds | 240 | integer
Ascend-Remove-Seconds | 241 | integer
Connection Profile/Session Options | |
Ascend-Data-Filter | 242 | abinary
Ascend-Call-Filter | 243 | abinary
Ascend-Idle-Limit | 244 | integer
Ascend-Preempt-Limit | 245 | integer
Connection Profile/Telco Options | |
Ascend-Callback | 246 | integer
Ascend-Data-Svc | 247 | integer
Ascend-Force-56 | 248 | integer
Ascend-Billing-Number | 249 | string
Ascend-Call-By-Call | 250 | integer
Ascend-Transit-Number | 251 | string
Terminal Server Attributes | |
Ascend-Host-Info | 252 | string
PPP Local Address Attribute | |
Ascend-PPP-Address | 253 | ipaddr
MPP Percent Idle Attribute | |
Ascend-MPP-Idle-Percent | 254 | integer