|
|
Before selecting AV pairs for the CiscoSecure ACS 2.0 for Windows NT , confirm that your NAS is running Cisco IOS Software Release 11.2 or later or compatible NAS software, for RADIUS support.
The following table lists the AV pairs provided in the Cisco IOS software.
| Attribute | Value | Type of Value |
|---|---|---|
| User-Name | 1 | string |
| Password | 2 | string |
| CHAP-Password | 3 | string |
| Client-Id | 4 | ipaddr |
| Client-Port-Id | 5 | integer |
| User-Service-Type | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-Address | 8 | ipaddr |
| Framed-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Framed-Filter-Id | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Old-Password | 17 | string |
| Port-Message | 18 | string |
| Dialback-No | 19 | string |
| Dialback-Name | 20 | string |
| Expiration | 21 | date |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | ipaddr |
| Challenge-State | 24 | string |
| Vendor specific | 26 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | string |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-Packets | 47 | integer |
| Acct-Ouput-Packets | 48 | integer |
The following tables list the supported RADIUS (IETF) attributes and accounting attributes. In cases where the attribute has a security server-specific format, the format is specified.
| Number | Attribute | Description | Cisco IOS Release 11.1 | Cisco IOS Release 11.2 |
|---|---|---|---|---|
| 1 | User-Name | Indicates the name of the user being authenticated. | Yes | Yes |
| 2 | User-Password | Indicates the user's password or the user's input following an Access-Challenge. Passwords longer than 16 characters are encrypted using the IETF Draft #2 (or later) specifications. | Yes | Yes |
| 3 | CHAP-Password | Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to an Access-Challenge. | Yes | Yes |
| 4 | NAS-IP Address | Specifies the IP address of the NAS that is requesting authentication. | Yes | Yes |
| 5 | NAS-Port | Indicates the physical port number of the NAS that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the "radius-server extended-portnames"command.) Each 16-bit number should be viewed as a 5 digit decimal integer for interpretation as follows:
|
Yes | Yes |
| 6 | Service-Type | Indicates the type of service requested or the type of service to be provided:
Exec User--Start an EXEC session. | Yes | Yes |
| 7 | Framed-Protocol | Indicates the framing to be used for framed access. | Yes | Yes |
| 8 | Framed-IP-Address | Indicates the address to be configured for the user. | Yes | Yes |
| 9 | Framed-IP-Netmask | Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified. | Yes | Yes |
| 10 | Framed-Routing | Indicates the routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute. | Yes | Yes |
| 11 | Filter-Id | Indicates the name of the filter list for the user and is formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list, and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. | Yes | Yes |
| 13 | Framed-Compression | Indicates a compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. | Yes | Yes |
| 14 | Login-IP-Host | Indicates the host to which the user will connect when the Login-Service attribute is included. | Yes | Yes |
| 15 | Login-Service | Indicates the service that should be used to connect the user to the login host. | Yes | Yes |
| 16 | Login-Port | Defines the TCP port with which the user is to be connected when the Login-Service attribute is also present. | Yes | Yes |
| 17 | Change-Password | Specifies a request to change a user's password. | No | 11.2(5)F |
| 18 | Reply-Message | Indicates text that might be displayed to the user. | Yes | Yes |
| 21 | Password-Expiration | Specifies an expiration date for a user's password in the user's file entry. | No | 11.2(5)F |
| 22 | Framed-Route | Provides routing information to be configured for the user on this NAS. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored. | Yes | Yes |
| 24 | State | Allows State information to be maintained between the NAS and the RADIUS server. This attribute is applicable only to CHAP challenges. | Yes | Yes |
| 26 | Vendor-Specific | Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:
protocol : attribute sep value "Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example: cisco-avpair= "ip:addr-pool=first" cisco-avpair= "shell:priv-lvl=15" The first example causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a "NAS Prompt" user to have immediate access to EXEC commands. | Yes | Yes |
| 27 | Session-Timeout | Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user "absolute timeout." This attribute is not valid for PPP sessions. | Yes | Yes |
| 28 | Idle-Timeout | Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout." This attribute is not valid for PPP sessions. | Yes | Yes |
| 34 | Login-LAT-Service | Indicates the system with which the user is to be connected by LAT. This attribute is only available in the EXEC mode. | Yes | Yes |
| 35 | Login-LAT-Node | Indicates the node with which the user is to be automatically connected by LAT. | No | No |
| 36 | Login-LAT-Group | Identifies the LAT group codes that this user is authorized to use. | No | No |
| Number | Attribute | Description | Cisco IOS Release 11.1 | Cisco IOS Release 11.2 |
|---|---|---|---|---|
| 25 | Class | Arbitrary value that the NAS includes in all accounting packets for this user if supplied by the RADIUS server. | Yes | Yes |
| 30 | Called-Station-Id | Allows the NAS to send the telephone number the user called as part of the Access-Request packet (using Dialed Number Identification [DNIS] or similar technology). This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. | Yes | Yes |
| 31 | Calling-Station-Id | Allows the NAS to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. | Yes | Yes |
| 40 | Acct-Status-Type | Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop). | Yes | Yes |
| 41 | Acct-Delay-Time | Indicates how many seconds the client has been trying to send a particular record. | Yes | Yes |
| 42 | Acct-Input-Octets | Indicates how many octets have been received from the port over the course of this service being provided. | Yes | Yes |
| 43 | Acct-Output-Octets | Indicates how many octets have been sent to the port in the course of delivering this service. | Yes | Yes |
| 44 | Acct-Session-Id | A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session Ids restart at 1 each time the router is power cycled or the software is reloaded. Contact Cisco Support if this is unsuitable. | Yes | Yes |
| 45 | Acct-Authentic | Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. | Yes | Yes |
| 46 | Acct-Session-Time | Indicates how long (in seconds) the user has received service. | Yes | Yes |
| 47 | Acct-Input-Packets | Indicates how many packets have been received from the port over the course of this service being provided to a framed user. | Yes | Yes |
| 48 | Acct-Output-Packets | Indicates how many packets have been sent to the port in the course of delivering this service to a framed user. | Yes | Yes |
| 61 | NAS-Port-Type | Indicates the type of physical port the NAS is using to authenticate the user. | Yes | Yes |
This file contains dictionary translations for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of 5 data types. Valid data types are as follows:
Enumerated values are stored in the user file with dictionary value translations for easy administration.
| Attribute | Value | Type of Value |
|---|---|---|
| Dictionary of Ascend Attributes | ||
| User-Name | 1 | string |
| Password | 2 | string |
| Challenge-Response | 3 | string |
| NAS-Identifier | 4 | ipaddr |
| NAS-Port | 5 | integer |
| User-Service | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-Address | 8 | ipaddr |
| Framed-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Framed-Filter | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Change-Password | 17 | string |
| Reply-Message | 18 | string |
| Callback-Number | 19 | string |
| Callback-Name | 20 | string |
| Ascend-PW-Expiration | 21 | date |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | integer |
| State | 24 | string |
| Class | 25 | string |
| Vendor-Specific | 26 | string |
| Client-Port-DNIS | 30 | string |
| Caller-Id | 31 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | integer |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-Packets | 47 | integer |
| Acct-Output-Packets | 48 | integer |
| Ascend-Client-Primary-DNS | 135 | address |
| Ascend-Client-Secondary-DNS | 136 | address |
| Ascend-Client-Assign-DNS | 137 | enum |
| Ascend-User-Acct-Type | 138 | enum |
| Ascend-User-Acct-Host | 139 | address |
| Ascend-User-Acct-Port | 140 | integer |
| Ascend-User-Acct-Key | 141 | string |
| Ascend-User-Acct-Base | 142 | enum |
| Ascend-User-Acct-Time | 143 | integer |
| Support IP Address Allocation from Global Pools | ||
| Ascend-Assign-IP-Client | 144 | ipaddr |
| Ascend-Assign-IP-Server | 145 | ipaddr |
| Ascend-Assign-IP-Global-Pool | 146 | string |
| DHCP Server Functions | ||
| Ascend-DHCP-Reply | 147 | integer |
| Ascend-DHCP-Pool-Number | 148 | integer |
| Connection Profile/Telco Option | ||
| Ascend-Expect-Callback | 149 | Integer |
| Event Type for an Ascend-Event Packet | ||
| Ascend-Event-Type | 150 | Integer |
| RADIUS Server Session Key | ||
| Ascend-Session-Svr-Key | 151 | string |
| Multicast Rate Limit Per Client | ||
| Ascend-Multicast-Rate-Limit | 152 | integer |
| Connection Profile Fields to Support Interface-Based Bouting | ||
| Ascend-IF-Netmask | 153 | ipaddr |
| Ascend-Remote-Addr | 154 | ipaddr |
| Multicast Support | ||
| Ascend-Multicast-Client | 155 | integer |
| Frame Datalink Profiles | ||
| Ascend-FR-Circuit-Name | 156 | string |
| Ascend-FR-LinkUp | 157 | integer |
| Ascend-FR-Nailed-Grp | 158 | integer |
| Ascend-FR-Type | 159 | integer |
| Ascend-FR-Link-Mgt | 160 | integer |
| Ascend-FR-N391 | 161 | integer |
| Ascend-FR-DCE-N392 | 162 | integer |
| Ascend-FR-DTE-N392 | 163 | integer |
| Ascend-FR-DCE-N393 | 164 | integer |
| Ascend-FR-DTE-N393 | 165 | integer |
| Ascend-FR-T391 | 166 | integer |
| Ascend-FR-T392 | 167 | integer |
| Ascend-Bridge-Address | 168 | string |
| Ascend-TS-Idle-Limit | 169 | integer |
| Ascend-TS-Idle-Mode | 170 | integer |
| Ascend-DBA-Monitor | 171 | integer |
| Ascend-Base-Channel-Count | 172 | integer |
| Ascend-Minimum-Channels | 173 | integer |
| IPX Static Routes | ||
| Ascend-IPX-Route | 174 | string |
| Ascend-FT1-Caller | 175 | integer |
| Ascend-Backup | 176 | string |
| Ascend-Call-Type | 177 | integer |
| Ascend-Group | 178 | string |
| Ascend-FR-DLCI | 179 | integer |
| Ascend-FR-Profile-Name | 180 | string |
| Ascend-Ara-PW | 181 | string |
| Ascend-IPX-Node-Addr | 182 | string |
| Ascend-Home-Agent-IP-Addr | 183 | ipaddr |
| Ascend-Home-Agent-Password | 184 | string |
| Ascend-Home-Network-Name | 185 | string |
| Ascend-Home-Agent-UDP-Port | 186 | integer |
| Ascend-Multilink-ID | 187 | integer |
| Ascend-Num-In-Multilink | 188 | integer |
| Ascend-First-Dest | 189 | ipaddr |
| Ascend-Pre-Input-Octets | 190 | integer |
| Ascend-Pre-Output-Octets | 191 | integer |
| Ascend-Pre-Input-Packets | 192 | integer |
| Ascend-Pre-Output-Packets | 193 | integer |
| Ascend-Maximum-Time | 194 | integer |
| Ascend-Disconnect-Cause | 195 | integer |
| Ascend-Connect-Progress | 196 | integer |
| Ascend-Data-Rate | 197 | integer |
| Ascend-PreSession-Time | 198 | integer |
| Ascend-Token-Idle | 199 | integer |
| Ascend-Token-Immediate | 200 | integer |
| Ascend-Require-Auth | 201 | integer |
| Ascend-Number-Sessions | 202 | string |
| Ascend-Authen-Alias | 203 | string |
| Ascend-Token-Expiry | 204 | integer |
| Ascend-Menu-Selector | 205 | string |
| Ascend-Menu-Item | 206 | string |
| Radius Password Expiration Options | ||
| Ascend-PW-Warntime | 207 | integer |
| Ascend-PW-Lifetime | 208 | integer |
| Ascend-IP-Direct | 209 | ipaddr |
| Ascend-PPP-VJ-Slot-Comp | 210 | integer |
| Ascend-PPP-VJ-1172 | 211 | integer |
| Ascend-PPP-Async-Map | 212 | integer |
| Ascend-Third-Prompt | 213 | string |
| Ascend-Send-Secret | 214 | string |
| Ascend-Receive-Secret | 215 | string |
| Ascend-IPX-Peer-Mode | 216 | integer |
| Ascend-IP-Pool-Definition | 217 | string |
| Ascend-Assign-IP-Pool | 218 | integer |
| Ascend-FR-Direct | 219 | integer |
| Ascend-FR-Direct-Profile | 220 | string |
| Ascend-FR-Direct-DLCI | 221 | integer |
| Ascend-Handle-IPX | 222 | integer |
| Ascend-Netware-timeout | 223 | integer |
| Ascend-IPX-Alias | 224 | integer |
| Ascend-Metric | 225 | integer |
| Ascend-PRI-Number-Type | 226 | integer |
| Ascend-Dial-Number | 227 | string |
| Connection Profile/PPP Options | ||
| Ascend-Route-IP | 228 | integer |
| Ascend-Route-IPX | 229 | integer |
| Ascend-Bridge | 230 | integer |
| Ascend-Send-Auth | 231 | integer |
| Ascend-Send-Passwd | 232 | string |
| Ascend-Link-Compression | 233 | integer |
| Ascend-Target-Util | 234 | integer |
| Ascend-Maximum-Channels | 235 | integer |
| Ascend-Inc-Channel-Count | 236 | integer |
| Ascend-Dec-Channel-Count | 237 | integer |
| Ascend-Seconds-Of-History | 238 | integer |
| Ascend-History-Weigh-Type | 239 | integer |
| Ascend-Add-Seconds | 240 | integer |
| Ascend-Remove-Seconds | 241 | integer |
| Connection Profile/Session Options | ||
| Ascend-Data-Filter | 242 | abinary |
| Ascend-Call-Filter | 243 | abinary |
| Ascend-Idle-Limit | 244 | integer |
| Ascend-Preempt-Limit | 245 | integer |
| Connection Profile/Telco Options | ||
| Ascend-Callback | 246 | integer |
| Ascend-Data-Svc | 247 | integer |
| Ascend-Force-56 | 248 | integer |
| Ascend-Billing-Number | 249 | string |
| Ascend-Call-By-Call | 250 | integer |
| Ascend-Transit-Number | 251 | string |
| Terminal Server Attributes | ||
| Ascend-Host-Info | 252 | string |
| PPP Local Address Attribute | ||
| Ascend-PPP-Address | 253 | ipaddr |
| MPP Percent Idle Attribute | ||
| Ascend-MPP-Idle-Percent | 254 | integer |
|
|