cc/td/doc/product/access/acs_soft/csacs4nt
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

TACACS+ Attribute-Value Pairs
Cisco IOS Dictionary of AV Pairs

TACACS+ Attribute-Value Pairs


CiscoSecure ACS provides support for TACACS+ attribute-value (AV) pairs. You can enable different AV pairs for any of the supported attribute-values.

Cisco IOS Dictionary of AV Pairs

Before selecting AV pairs for the CiscoSecure ACS, confirm that your NAS is running Cisco IOS Software Release 11.1 or later or compatible NAS software, for TACACS+ support.


Note      If you specify a given AV pair on the CiscoSecure ACS, the corresponding AV pair must be implemented in the Cisco IOS software running on the NAS. As a result, always consider what AV pairs your IOS supports on the NAS. If the CiscoSecure ACS sends those AV pairs to the NAS, and the Cisco IOS does not support them, the attribute you requested cannot be implemented.


The following table contains the attribute-value pairs provided in the Cisco IOS software.

TACACS+ AV Pairs

Table A-1 and Table A-2 list supported TACACS+ AV pairs and Accounting AV pairs respectively.

Table A-1   Supported TACACS+ AV Pairs

Attribute Description Cisco IOS Release11.1 Cisco IOS Release11.2

service=x

The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included.

Yes

Yes

protocol=x

A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, http, and unknown.

Yes

Yes

cmd=x

A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell" A NULL value indicates that the shell itself is being referred to.

Yes

Yes

cmd-arg=x

An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent.

Yes

Yes

acl=x

ASCII number representing a connection access list. Used only when service=shell.

Yes

Yes

inacl=x

ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip.

Yes

Yes

inacl#<n>

ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connect ion. Used with service=ppp and protocol=ip, and service service=ppp and protocol =ipx.

No

11.2(4)F

outacl=x

ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces.

Yes

Yes

outacl#<n>

ACSII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current condition. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx.

No

11.2(4)F

zonelist=x

A numeric zone list value. Used with service=arap. Specifies an AppleTalk zone list for ARA (for example, zonelist=5).

Yes

Yes

addr=x

A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=1.2.3.4.

Yes

Yes

addr-pool=x

Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip.

Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the NAS). Use the ip-local pool command to declare local pools. For example:

ip address-pool local

ip local pool boo 1.0.0.1 1.0.0.10

ip local pool moo 2.0.0.1 2.0.0.20

You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address.

Yes

Yes

routing=x

Specifies whether routing information is to be propagated to, and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true).

Yes

Yes

route

Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip.

During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:

route="dst_address mask [gateway]"

This indicates a temporary static route that is to be applied. dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a NAS.

If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates.

Yes

Yes

route#<n>

Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx.

No

11.2(4)F

timeout=x

The number of minutes before an ARA session disconnects (for example, timeout=60). A value of zero indicates No timeout. Used with service=arap.

Yes

Yes

idletime=x

Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates No timeout.

Yes

Yes

autocmd=x

Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell.

Yes

Yes

noescape=x

Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true).

Yes

Yes

nohangup=x

Used with service=shell. Specifies the nohangup option. Can be either true or false (for example, nohangup=false).

Yes

Yes

priv-lvl=x

Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest.

Yes

Yes

callback-dialstring

Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

Yes

Yes

callback-line

The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

Yes

Yes

callback-rotary

The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

Yes

Yes

nocallback-verify

Indicates that No callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is No authentication on callback. Not valid for ISDN.

Yes

Yes

tunnel-id

Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn.

No

Yes

ip-addresses

Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn.

No

Yes

nas-password

Specifies the password for the NAS during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn.

No

Yes

gw-password

Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn.

No

Yes

rte-ftr-in#<n>

Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx.

No

11.2(4)F

rte-ftr-out#<n>

Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx.

No

11.2(4)F

sap#<n>

Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx.

No

11.2(4)F

sap-fltr-in#<n>

Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx.

No

11.2(4)F

sap-fltr-out#<n>

Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx.

No

11.2(4)F

pool-def#<n>

Used to define IP address pools on the NAS. Used with service=ppp and protocol=ip.

No

11.2(4)F

.

Table A-2   Supported TACACS+ Accounting AV Pairs

Attribute Description Cisco IOS Release 11.1 Cisco IOS Release 11.2

service

The service the user used.

Yes

Yes

port

The port the user was logged in to.

Yes

Yes

task_id

Start and stop records for the same event must have matching (unique) task_id's.

Yes

Yes

start_time

The time the action started (in seconds since the epoch, 12:00 a.m. Jan 1 1970). The clock must be configured to receive this information.

Yes

Yes

stop_time

The time the action stopped (in seconds since the epoch.) The clock must be configured to receive this information.

Yes

Yes

elapsed_time

The elapsed time in seconds for the action. Useful when the device does not keep real time.

Yes

Yes

timezone

The timezone abbreviation for all timestamps included in this packet.

Yes

Yes

priv_level

The privilege level associated with the action.

Yes

Yes

cmd

The command the user executed.

Yes

Yes

protocol

The protocol associated with the action.

Yes

Yes

bytes_in

The number of input bytes transferred during this connection.

Yes

Yes

bytes_out

The number of output bytes transferred during this connection.

Yes

Yes

paks_in

The number of input packets transferred during this connection.

Yes

Yes

paks_out

The number of output packets transferred during this connection.

Yes

Yes

event

Information included in the acounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping.

Yes

Yes

reason

Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or when accounting is reconfigured (turned on or off).

Yes

Yes


hometocprevnextglossaryfeedbacksearchhelp
Posted: Tue Jan 21 06:34:54 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.