
RADIUS Attribute-Value Pairs

CiscoSecure ACS 2.0 for Windows NT supports many RADIUS attribute-value (AV) pairs. It ships with the full AV-pair dictionaries for Cisco IOS 11.2, Ascend, and IETF RADIUS, and you can enable different AV pairs for each supported vendor dictionary. This appendix lists the supported AV pairs for each vendor.

Cisco IOS Dictionary of AV Pairs

Before selecting AV pairs in CiscoSecure ACS 2.0 for Windows NT, confirm that your NAS is running Cisco IOS Software Release 11.2 or later, or compatible NAS software, for RADIUS support.


Note If you specify a given AV pair in CiscoSecure ACS 2.0 for Windows NT, the corresponding AV pair must be implemented in the Cisco IOS software running on the NAS, so always check which AV pairs the IOS release on the NAS supports. If CiscoSecure ACS 2.0 for Windows NT sends an AV pair that the Cisco IOS software on the NAS does not support, the NAS cannot apply the attribute you requested. Because an unsupported attribute is simply not applied, verify on the NAS that authorization attributes such as access lists, privilege levels, and timeouts actually take effect rather than assuming the server's reply enforced them.

The following table lists the AV pairs provided in the Cisco IOS software.


Table B-1: Dictionary of Cisco IOS AV Pairs
Attribute Number Type of Value
User-Name 1 string
Password 2 string
CHAP-Password 3 string
Client-Id 4 ipaddr
Client-Port-Id 5 integer
User-Service-Type 6 integer
Framed-Protocol 7 integer
Framed-Address 8 ipaddr
Framed-Netmask 9 ipaddr
Framed-Routing 10 integer
Framed-Filter-Id 11 string
Framed-MTU 12 integer
Framed-Compression 13 integer
Login-Host 14 ipaddr
Login-Service 15 integer
Login-TCP-Port 16 integer
Old-Password 17 string
Port-Message 18 string
Dialback-No 19 string
Dialback-Name 20 string
Expiration 21 date
Framed-Route 22 string
Framed-IPX-Network 23 ipaddr
Challenge-State 24 string
Vendor-Specific 26 string
Acct-Status-Type 40 integer
Acct-Delay-Time 41 integer
Acct-Input-Octets 42 integer
Acct-Output-Octets 43 integer
Acct-Session-Id 44 string
Acct-Authentic 45 integer
Acct-Session-Time 46 integer
Acct-Input-Packets 47 integer
Acct-Output-Packets 48 integer

RADIUS (IETF) Attributes

The following tables list the supported RADIUS (IETF) attributes and accounting attributes. In cases where the attribute has a security server-specific format, the format is specified.


Table B-2: Table of RADIUS (IETF) AV Pairs
Number Attribute Description Cisco IOS Release 11.1 Cisco IOS Release 11.2
(The last two columns show Yes or No, or the first release that added support for the attribute.)
1 User-Name Indicates the name of the user being authenticated. Yes Yes
2 User-Password Indicates the user's password or the user's input following an Access-Challenge. Passwords longer than 16 characters are encrypted using the IETF Draft #2 (or later) specifications. Yes Yes
3 CHAP-Password Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to an Access-Challenge. Yes Yes
4 NAS-IP-Address Specifies the IP address of the NAS that is requesting authentication. Yes Yes
5 NAS-Port Indicates the physical port number of the NAS that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values, depending on the setting of the "radius-server extended-portnames" command. Each 16-bit number should be viewed as a 5-digit decimal integer and interpreted as follows:

  • For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.

  • For an ordinary synchronous network interface, the value is 10xxx.

  • For channels on a primary rate ISDN interface, the value is 2ppcc.

  • For channels on a basic rate ISDN interface, the value is 3bb0c.

  • For other types of interfaces, the value is 6nnss.

Yes Yes
6 Service-Type Indicates the type of service requested or the type of service to be provided:

  • In a request:
    Framed for a known PPP or SLIP connection.
    Administrative-User for the enable command.

  • In a response:
    Login: make a connection.
    Framed: start SLIP or PPP.
    Administrative-User: start an EXEC, or enable OK.
    Exec-User: start an EXEC session.

Yes Yes
7 Framed-Protocol Indicates the framing to be used for framed access. Yes Yes
8 Framed-IP-Address Indicates the address to be configured for the user. Yes Yes
9 Framed-IP-Netmask Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified. Yes Yes
10 Framed-Routing Indicates the routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute. Yes Yes
11 Filter-Id Indicates the name of the filter list for the user and is formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list, and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. Yes Yes
13 Framed-Compression Indicates a compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. Yes Yes
14 Login-IP-Host Indicates the host to which the user will connect when the Login-Service attribute is included. Yes Yes
15 Login-Service Indicates the service that should be used to connect the user to the login host. Yes Yes
16 Login-Port Defines the TCP port with which the user is to be connected when the Login-Service attribute is also present. Yes Yes
17 Change-Password Specifies a request to change a user's password. No 11.2(5)F
18 Reply-Message Indicates text that might be displayed to the user. Yes Yes
21 Password-Expiration Specifies an expiration date for a user's password in the user's file entry. No 11.2(5)F
22 Framed-Route Provides routing information to be configured for the user on this NAS. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored. Yes Yes
24 State Allows State information to be maintained between the NAS and the RADIUS server. This attribute is applicable only to CHAP challenges. Yes Yes
26 Vendor-Specific Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:
protocol : attribute sep value

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example:


cisco-avpair= "ip:addr-pool=first"
cisco-avpair= "shell:priv-lvl=15"

The first example causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a "NAS Prompt" user to have immediate access to EXEC commands.

Yes Yes
27 Session-Timeout Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user "absolute timeout." This attribute is not valid for PPP sessions. Yes Yes
28 Idle-Timeout Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout." This attribute is not valid for PPP sessions. Yes Yes
34 Login-LAT-Service Indicates the system with which the user is to be connected by LAT. This attribute is only available in the EXEC mode. Yes Yes
35 Login-LAT-Node Indicates the node with which the user is to be automatically connected by LAT. No No
36 Login-LAT-Group Identifies the LAT group codes that this user is authorized to use. No No
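
As an added example that is not part of the Cisco documentation, the following Python decodes a NAS-Port value (attribute 5) by the 5-digit rules given in the NAS-Port row of Table B-2. Two assumptions are labelled in the code: when "radius-server extended-portnames" is set, the two 16-bit values are taken as the high and low halves of the 32-bit attribute, and the digit groups (ttt, xxx, pp, cc, bb, c, nn, ss) are reported under the names the table uses because the table does not define them further. The accounting records at the bottom are constructed for the demo, not real NAS output.

```python
# Added example: decode the NAS-Port attribute (5) per the Table B-2 rules.
# Assumption: with extended-portnames set, the high 16 bits are the first
# value and the low 16 bits the second; the table does not state the order.


def split_nas_port(nas_port: int, extended_portnames: bool = False) -> list:
    """Return the one or two 16-bit fields carried in a 32-bit NAS-Port value."""
    if not 0 <= nas_port <= 0xFFFFFFFF:
        raise ValueError("NAS-Port is a 32-bit unsigned integer")
    if extended_portnames:
        return [nas_port >> 16, nas_port & 0xFFFF]
    if nas_port > 0xFFFF:
        raise ValueError("a single-field NAS-Port must fit in 16 bits")
    return [nas_port]


def decode_port_field(field: int) -> dict:
    """Interpret one 16-bit field as the 5-digit decimal number from the table:
    00ttt async, 10xxx sync, 2ppcc PRI channel, 3bb0c BRI channel, 6nnss other.
    The digit groups are returned under the table's own names (assumption:
    the page does not say what pp, cc, bb, c, nn and ss stand for)."""
    if not 0 <= field <= 0xFFFF:
        raise ValueError("field must be a 16-bit unsigned integer")
    d = "%05d" % field            # 16 bits never exceed 65535, so always 5 digits
    if d[:2] == "00":
        return {"type": "async", "ttt": int(d[2:])}
    if d[:2] == "10":
        return {"type": "sync", "xxx": int(d[2:])}
    if d[0] == "2":
        return {"type": "pri-channel", "pp": int(d[1:3]), "cc": int(d[3:])}
    if d[0] == "3" and d[3] == "0":
        return {"type": "bri-channel", "bb": int(d[1:3]), "c": int(d[4])}
    if d[0] == "6":
        return {"type": "other", "nn": int(d[1:3]), "ss": int(d[3:])}
    return {"type": "unrecognized", "raw": field}   # nothing in the table matches


def describe_nas_port(nas_port: int, extended_portnames: bool = False) -> list:
    """Decode every field of a NAS-Port value, e.g. one read from an accounting record."""
    return [decode_port_field(f) for f in split_nas_port(nas_port, extended_portnames)]


# Constructed sample accounting records (not real NAS output).
SAMPLE_RECORDS = [
    {"User-Name": "alice", "NAS-Port": 12},       # 00012: async line 12
    {"User-Name": "bob", "NAS-Port": 20105},      # 2ppcc: PRI 01, channel 05
    {"User-Name": "carol", "NAS-Port": 30104},    # 3bb0c: BRI 01, channel 4
    {"User-Name": "dave", "NAS-Port": (20105 << 16) | 12, "extended": True},
]


def decode_records(records=SAMPLE_RECORDS) -> dict:
    """Map each record's User-Name to its decoded NAS-Port fields."""
    return {r["User-Name"]: describe_nas_port(r["NAS-Port"], r.get("extended", False))
            for r in records}


if __name__ == "__main__":
    for user, fields in decode_records().items():
        print(user, fields)
```

A value that matches none of the five patterns is reported as unrecognized rather than guessed at, which is what you want when correlating accounting records from a NAS whose port numbering you have not confirmed.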

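The User-Password row (attribute 2) and the Vendor-Specific row (attribute 26) of Table B-2 describe the two halves of one exchange: the NAS hides the password in its Access-Request, and the server returns cisco-avpair strings in its Access-Accept. The following Python is an added example, not code from Cisco or from the ACS product. It implements the chained MD5 hiding scheme that the RADIUS RFCs specify (RFC 2058, later RFC 2865 section 5.2), which is assumed here to be what the table's "IETF Draft #2 (or later)" refers to, and it encodes and parses the vendor ID 9 / vendor-type 1 cisco-avpair format with the "=" (mandatory) and "*" (optional) separators. The shared secret, Request Authenticator and password are constructed demo values.

```python
import hashlib
import struct

# Constants from the table: User-Password is attribute 2, Vendor-Specific is 26,
# Cisco's vendor ID is 9 and cisco-avpair is vendor-type 1.
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1

# Constructed demo values (assumptions, not from the page).
SECRET = b"example-shared-secret"     # shared secret configured for this NAS
AUTHENTICATOR = bytes(range(16))      # 16-octet Request Authenticator picked by the NAS
PASSWORD = b"correct horse battery"   # 21 octets, so hiding needs two 16-octet rounds


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 octets, XOR each block with
    MD5(secret + previous output block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone who holds the shared secret can do this,
    so the secret, not MD5, is all that protects the password on the wire."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return bytes(out).rstrip(b"\x00")   # removes the padding (and any trailing NULs)


def encode_cisco_avpair(text):
    """Attribute 26 layout: Type, Length, Vendor-Id=9, Vendor-Type=1, Vendor-Length, string."""
    data = text.encode()
    vendor_len = 2 + len(data)
    if 6 + vendor_len > 255:
        raise ValueError("cisco-avpair too long for a single attribute")
    return struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, 6 + vendor_len,
                       CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, vendor_len) + data


def split_cisco_avpair(text):
    """'protocol:attribute=value' -> (protocol, attribute, mandatory, value);
    '*' in place of '=' marks the attribute optional."""
    protocol, colon, rest = text.partition(":")
    if not colon:
        raise ValueError("cisco-avpair lacks a protocol prefix: %r" % text)
    for i, ch in enumerate(rest):
        if ch in "=*":
            return protocol, rest[:i], ch == "=", rest[i + 1:]
    raise ValueError("cisco-avpair lacks an '=' or '*' separator: %r" % text)


def parse_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list; return every cisco-avpair parsed, skip the rest."""
    found, pos = [], 0
    while pos < len(attrs):
        alen = attrs[pos + 1] if len(attrs) - pos >= 2 else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, body = attrs[pos], attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue                                   # not a VSA
        vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vendor_id != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR_TYPE:
            continue                                   # another vendor's VSA
        if vlen != len(body) - 4:
            raise ValueError("Vendor-Length does not match the attribute length")
        found.append(split_cisco_avpair(body[6:].decode()))
    return found


def exchange():
    """Access-Request (NAS -> server) then Access-Accept (server -> NAS), attribute lists only."""
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    request = bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    recovered = reveal_password(request[2:], SECRET, AUTHENTICATOR)        # server side
    accept = encode_cisco_avpair("ip:addr-pool=first") + encode_cisco_avpair("shell:priv-lvl=15")
    return {"hidden_octets": len(hidden), "recovered": recovered,
            "avpairs": parse_cisco_avpairs(accept)}                        # NAS side


if __name__ == "__main__":
    print(exchange())
```

The 21-octet password pads to 32 octets and takes two MD5 rounds, which is the case the table's "longer than 16 characters" remark covers. Note that reveal_password needs nothing but the shared secret and the authenticator that travel in the same packet, so a weak or widely shared RADIUS secret exposes every password that crosses the link; and that "shell:priv-lvl=15" in an Access-Accept grants full EXEC privilege, so a NAS should only accept it from servers it is configured to trust.
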
Table B-3: RADIUS (IETF) Accounting Attributes
Number Attribute Description Cisco IOS Release 11.1 Cisco IOS Release 11.2
25 Class Arbitrary value that the NAS includes in all accounting packets for this user if supplied by the RADIUS server. Yes Yes
30 Called-Station-Id Allows the NAS to send the telephone number the user called as part of the Access-Request packet (using Dialed Number Identification [DNIS] or similar technology). This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. Yes Yes
31 Calling-Station-Id Allows the NAS to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. Yes Yes
40 Acct-Status-Type Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop). Yes Yes
41 Acct-Delay-Time Indicates how many seconds the client has been trying to send a particular record. Yes Yes
42 Acct-Input-Octets Indicates how many octets have been received from the port over the course of this service being provided. Yes Yes
43 Acct-Output-Octets Indicates how many octets have been sent to the port in the course of delivering this service. Yes Yes
44 Acct-Session-Id A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session-Ids restart at 1 each time the router is power cycled or the software is reloaded, so the ID alone is not unique across reloads; combine it with the NAS address and the record timestamp when correlating logs. Contact Cisco Support if this is unsuitable. Yes Yes
45 Acct-Authentic Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. Yes Yes
46 Acct-Session-Time Indicates how long (in seconds) the user has received service. Yes Yes
47 Acct-Input-Packets Indicates how many packets have been received from the port over the course of this service being provided to a framed user. Yes Yes
48 Acct-Output-Packets Indicates how many packets have been sent to the port in the course of delivering this service to a framed user. Yes Yes
61 NAS-Port-Type Indicates the type of physical port the NAS is using to authenticate the user. Yes Yes

Dictionary of Ascend Attributes

This dictionary contains the translations used for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute has one of a small set of data types, shown in the Type of Value column of Table B-4.

Enumerated values are stored in the user file with dictionary value translations for easy administration.


Table B-4: Dictionary of Supported Ascend AV Pairs
Attribute Number Type of Value
(Lines without a number are group headings carried over from the Ascend dictionary.)
User-Name 1 string
Password 2 string
Challenge-Response 3 string
NAS-Identifier 4 ipaddr
NAS-Port 5 integer
User-Service 6 integer
Framed-Protocol 7 integer
Framed-Address 8 ipaddr
Framed-Netmask 9 ipaddr
Framed-Routing 10 integer
Framed-Filter 11 string
Framed-MTU 12 integer
Framed-Compression 13 integer
Login-Host 14 ipaddr
Login-Service 15 integer
Login-TCP-Port 16 integer
Change-Password 17 string
Reply-Message 18 string
Callback-Number 19 string
Callback-Name 20 string
Ascend-PW-Expiration 21 date
Framed-Route 22 string
Framed-IPX-Network 23 integer
State 24 string
Class 25 string
Vendor-Specific 26 string
Client-Port-DNIS 30 string
Caller-Id 31 string
Acct-Status-Type 40 integer
Acct-Delay-Time 41 integer
Acct-Input-Octets 42 integer
Acct-Output-Octets 43 integer
Acct-Session-Id 44 integer
Acct-Authentic 45 integer
Acct-Session-Time 46 integer
Acct-Input-Packets 47 integer
Acct-Output-Packets 48 integer
Ascend-Client-Primary-DNS 135 address
Ascend-Client-Secondary-DNS 136 address
Ascend-Client-Assign-DNS 137 enum
Ascend-User-Acct-Type 138 enum
Ascend-User-Acct-Host 139 address
Ascend-User-Acct-Port 140 integer
Ascend-User-Acct-Key 141 string
Ascend-User-Acct-Base 142 enum
Ascend-User-Acct-Time 143 integer
Support IP Address Allocation from Global Pools
Ascend-Assign-IP-Client 144 ipaddr
Ascend-Assign-IP-Server 145 ipaddr
Ascend-Assign-IP-Global-Pool 146 string
DHCP Server Functions
Ascend-DHCP-Reply 147 integer
Ascend-DHCP-Pool-Number 148 integer
Connection Profile/Telco Option
Ascend-Expect-Callback 149 integer
Event Type for an Ascend-Event Packet
Ascend-Event-Type 150 integer
RADIUS Server Session Key
Ascend-Session-Svr-Key 151 string
Multicast Rate Limit Per Client
Ascend-Multicast-Rate-Limit 152 integer
Connection Profile Fields to Support Interface-Based Routing
Ascend-IF-Netmask 153 ipaddr
Ascend-Remote-Addr 154 ipaddr
Multicast Support
Ascend-Multicast-Client 155 integer
Frame Datalink Profiles
Ascend-FR-Circuit-Name 156 string
Ascend-FR-LinkUp 157 integer
Ascend-FR-Nailed-Grp 158 integer
Ascend-FR-Type 159 integer
Ascend-FR-Link-Mgt 160 integer
Ascend-FR-N391 161 integer
Ascend-FR-DCE-N392 162 integer
Ascend-FR-DTE-N392 163 integer
Ascend-FR-DCE-N393 164 integer
Ascend-FR-DTE-N393 165 integer
Ascend-FR-T391 166 integer
Ascend-FR-T392 167 integer
Ascend-Bridge-Address 168 string
Ascend-TS-Idle-Limit 169 integer
Ascend-TS-Idle-Mode 170 integer
Ascend-DBA-Monitor 171 integer
Ascend-Base-Channel-Count 172 integer
Ascend-Minimum-Channels 173 integer
IPX Static Routes
Ascend-IPX-Route 174 string
Ascend-FT1-Caller 175 integer
Ascend-Backup 176 string
Ascend-Call-Type 177 integer
Ascend-Group 178 string
Ascend-FR-DLCI 179 integer
Ascend-FR-Profile-Name 180 string
Ascend-Ara-PW 181 string
Ascend-IPX-Node-Addr 182 string
Ascend-Home-Agent-IP-Addr 183 ipaddr
Ascend-Home-Agent-Password 184 string
Ascend-Home-Network-Name 185 string
Ascend-Home-Agent-UDP-Port 186 integer
Ascend-Multilink-ID 187 integer
Ascend-Num-In-Multilink 188 integer
Ascend-First-Dest 189 ipaddr
Ascend-Pre-Input-Octets 190 integer
Ascend-Pre-Output-Octets 191 integer
Ascend-Pre-Input-Packets 192 integer
Ascend-Pre-Output-Packets 193 integer
Ascend-Maximum-Time 194 integer
Ascend-Disconnect-Cause 195 integer
Ascend-Connect-Progress 196 integer
Ascend-Data-Rate 197 integer
Ascend-PreSession-Time 198 integer
Ascend-Token-Idle 199 integer
Ascend-Token-Immediate 200 integer
Ascend-Require-Auth 201 integer
Ascend-Number-Sessions 202 string
Ascend-Authen-Alias 203 string
Ascend-Token-Expiry 204 integer
Ascend-Menu-Selector 205 string
Ascend-Menu-Item 206 string
RADIUS Password Expiration Options
Ascend-PW-Warntime 207 integer
Ascend-PW-Lifetime 208 integer
Ascend-IP-Direct 209 ipaddr
Ascend-PPP-VJ-Slot-Comp 210 integer
Ascend-PPP-VJ-1172 211 integer
Ascend-PPP-Async-Map 212 integer
Ascend-Third-Prompt 213 string
Ascend-Send-Secret 214 string
Ascend-Receive-Secret 215 string
Ascend-IPX-Peer-Mode 216 integer
Ascend-IP-Pool-Definition 217 string
Ascend-Assign-IP-Pool 218 integer
Ascend-FR-Direct 219 integer
Ascend-FR-Direct-Profile 220 string
Ascend-FR-Direct-DLCI 221 integer
Ascend-Handle-IPX 222 integer
Ascend-Netware-timeout 223 integer
Ascend-IPX-Alias 224 integer
Ascend-Metric 225 integer
Ascend-PRI-Number-Type 226 integer
Ascend-Dial-Number 227 string
Connection Profile/PPP Options
Ascend-Route-IP 228 integer
Ascend-Route-IPX 229 integer
Ascend-Bridge 230 integer
Ascend-Send-Auth 231 integer
Ascend-Send-Passwd 232 string
Ascend-Link-Compression 233 integer
Ascend-Target-Util 234 integer
Ascend-Maximum-Channels 235 integer
Ascend-Inc-Channel-Count 236 integer
Ascend-Dec-Channel-Count 237 integer
Ascend-Seconds-Of-History 238 integer
Ascend-History-Weigh-Type 239 integer
Ascend-Add-Seconds 240 integer
Ascend-Remove-Seconds 241 integer
Connection Profile/Session Options
Ascend-Data-Filter 242 abinary
Ascend-Call-Filter 243 abinary
Ascend-Idle-Limit 244 integer
Ascend-Preempt-Limit 245 integer
Connection Profile/Telco Options
Ascend-Callback 246 integer
Ascend-Data-Svc 247 integer
Ascend-Force-56 248 integer
Ascend-Billing-Number 249 string
Ascend-Call-By-Call 250 integer
Ascend-Transit-Number 251 string
Terminal Server Attributes
Ascend-Host-Info 252 string
PPP Local Address Attribute
Ascend-PPP-Address 253 ipaddr
MPP Percent Idle Attribute
Ascend-MPP-Idle-Percent 254 integer

Copyright 1989-1998 © Cisco Systems Inc.