Table A-1 Supported TACACS+ AV Pairs

| Attribute | Description | Cisco IOS Release 11.1 | Cisco IOS Release 11.2 |
|---|---|---|---|
| service=x | The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. | Yes | Yes |
| protocol=x | A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, http, and unknown. | Yes | Yes |
| cmd=x | A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell". A NULL value indicates that the shell itself is being referred to. | Yes | Yes |
| cmd-arg=x | An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent. | Yes | Yes |
| acl=x | ASCII number representing a connection access list. Used only when service=shell. | Yes | Yes |
| inacl=x | ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. | Yes | Yes |
| inacl#<n> | ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. | No | 11.2(4)F |
| outacl=x | ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. | Yes | Yes |
| outacl#<n> | ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. | No | 11.2(4)F |
| zonelist=x | A numeric zone list value. Used with service=arap. Specifies an AppleTalk zone list for ARA (for example, zonelist=5). | Yes | Yes |
| addr=x | A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=1.2.3.4. | Yes | Yes |
| addr-pool=x | Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip.<br>Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the NAS). Use the ip local pool command to declare local pools. For example:<br>`ip address-pool local`<br>`ip local pool boo 1.0.0.1 1.0.0.10`<br>`ip local pool moo 2.0.0.1 2.0.0.20`<br>You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address. | Yes | Yes |
| routing=x | Specifies whether routing information is to be propagated to, and accepted from, this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can be either true or false (for example, routing=true). | Yes | Yes |
| route | Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip.<br>During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:<br>`route="dst_address mask [gateway]"`<br>This indicates a temporary static route that is to be applied. dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a NAS.<br>If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates. | Yes | Yes |
| route#<n> | Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. | No | 11.2(4)F |
| timeout=x | The number of minutes before an ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. | Yes | Yes |
| idletime=x | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. | Yes | Yes |
| autocmd=x | Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. | Yes | Yes |
| noescape=x | Prevents the user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). | Yes | Yes |
| nohangup=x | Used with service=shell. Specifies the nohangup option. Can be either true or false (for example, nohangup=false). | Yes | Yes |
| priv-lvl=x | Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. | Yes | Yes |
| callback-dialstring | Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. | Yes | Yes |
| callback-line | The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. | Yes | Yes |
| callback-rotary | The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. | Yes | Yes |
| nocallback-verify | Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. | Yes | Yes |
| tunnel-id | Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. | No | Yes |
| ip-addresses | Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. | No | Yes |
| nas-password | Specifies the password for the NAS during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. | No | Yes |
| gw-password | Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. | No | Yes |
| rte-ftr-in#<n> | Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. | No | 11.2(4)F |
| rte-ftr-out#<n> | Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. | No | 11.2(4)F |
| sap#<n> | Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. | No | 11.2(4)F |
| sap-fltr-in#<n> | Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. | No | 11.2(4)F |
| sap-fltr-out#<n> | Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. | No | 11.2(4)F |
| pool-def#<n> | Used to define IP address pools on the NAS. Used with service=ppp and protocol=ip. | No | 11.2(4)F |
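The table states several constraints that a TACACS+ server operator can check before an authorization profile is pushed to a NAS: service must always be present, cmd must be present when service=shell, priv-lvl lies in 0 to 15, the true/false attributes, the `route="dst_address mask [gateway]"` format, and the numbered `#<n>` forms being tied to service=ppp. The following added Python (not Cisco's code, and not from this page) parses AV pairs and validates a reply against those rules; the sample replies are constructed, and the `*` optional-attribute separator is a TACACS+ protocol detail assumed here, not something the table covers.

```python
import re

# Constructed samples (not from the page): attribute lists as a TACACS+ server
# might return them in an authorization reply. The "*" separator marks an
# optional attribute; that is a TACACS+ protocol detail, not in Table A-1.
SAMPLE_SHELL_REPLY = ["service=shell", "cmd=", "priv-lvl=15",
                      "autocmd*telnet muruga.com", "noescape=true"]
SAMPLE_PPP_REPLY = ["service=ppp", "protocol=ip", "addr=1.2.3.4",
                    "inacl#1=101", 'route#1="10.0.0.0 255.0.0.0"', "routing=true"]

# Value sets taken from the service=x and protocol=x rows of Table A-1.
SERVICES = {"slip", "ppp", "arap", "shell", "tty-daemon", "connection", "system"}
PROTOCOLS = {"lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270",
             "telnet", "rlogin", "pad", "vpdn", "http", "unknown"}
BOOLEANS = {"routing", "noescape", "nohangup"}        # true/false attributes
NUMBERED_PPP_ONLY = {"inacl", "outacl", "route"}     # the "#<n>" forms
ROUTE_RE = re.compile(r"^\S+ \S+( \S+)?$")           # dst_address mask [gateway]
AV_RE = re.compile(r"^([A-Za-z-]+)(?:#(\d+))?([=*])(.*)$")


def parse_av(pair):
    """Split one AV pair into (attribute, number or None, is_optional, value)."""
    m = AV_RE.match(pair)
    if not m:
        raise ValueError(f"malformed AV pair: {pair!r}")
    attr, num, sep, val = m.groups()
    return attr, (int(num) if num else None), sep == "*", val


def validate_reply(pairs):
    """Check a reply against Table A-1's rules; return a list of problems (empty = OK)."""
    avs = [parse_av(p) for p in pairs]
    ctx = {attr: val for attr, _, _, val in avs}       # last value wins; enough here
    service = ctx.get("service")
    problems = []
    if service not in SERVICES:
        problems.append("service missing or unknown (it must always be included)")
    if "protocol" in ctx and ctx["protocol"] not in PROTOCOLS:
        problems.append(f"unknown protocol {ctx['protocol']!r}")
    if service == "shell" and "cmd" not in ctx:
        problems.append("cmd must be specified when service=shell")
    for attr, num, _, val in avs:
        if attr == "priv-lvl" and not (val.isdigit() and 0 <= int(val) <= 15):
            problems.append(f"priv-lvl must be 0-15, got {val!r}")
        if attr in BOOLEANS and val not in ("true", "false"):
            problems.append(f"{attr} must be true or false, got {val!r}")
        if attr == "route" and not ROUTE_RE.match(val.strip('"')):
            problems.append(f"route must be \"dst_address mask [gateway]\", got {val!r}")
        if attr in NUMBERED_PPP_ONLY and num is not None and service != "ppp":
            problems.append(f"{attr}#{num} is only valid with service=ppp")
    return problems
```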