
Table of Contents

RADIUS Attribute-Value Pairs
Cisco IOS Dictionary of RADIUS AV Pairs
RADIUS (IETF) Attributes
RADIUS (IETF) Accounting Attributes
Dictionary of Ascend RADIUS Attributes

RADIUS Attribute-Value Pairs


CiscoSecure ACS provides support for many Remote Authentication Dial-In User Service (RADIUS) attribute-value (AV) pairs. Included with CiscoSecure ACS are the full sets of AV pairs defined by Cisco IOS Release 11.2, Ascend, and IETF RADIUS. You can enable different AV pairs from any of the supported dictionaries. This appendix lists the supported AV pairs for each vendor.

Cisco IOS Dictionary of RADIUS AV Pairs

Before selecting AV pairs for the CiscoSecure ACS, confirm that your network access server (NAS) is running Cisco IOS Release 11.2 or later, or compatible NAS software, so that RADIUS is supported.


Note      If you specify a given AV pair on the CiscoSecure ACS, the corresponding AV pair must be implemented in the Cisco IOS software running on the NAS. Always check which AV pairs the Cisco IOS release on the NAS supports: if CiscoSecure ACS sends an AV pair that the Cisco IOS software does not support, the attribute you requested cannot take effect.


Table C-1 lists the AV pairs provided in the Cisco IOS software.

Table C-1   Cisco IOS Software RADIUS AV Pairs

Attribute              Value   Type of Value
User-Name              1       string
Password               2       string
CHAP-Password          3       string
Client-Id              4       ipaddr
Client-Port-Id         5       integer
User-Service-Type      6       integer
Framed-Protocol        7       integer
Framed-Address         8       ipaddr
Framed-Netmask         9       ipaddr
Framed-Routing         10      integer
Framed-Filter-Id       11      string
Framed-MTU             12      integer
Framed-Compression     13      integer
Login-Host             14      ipaddr
Login-Service          15      integer
Login-TCP-Port         16      integer
Old-Password           17      string
Port-Message           18      string
Dialback-No            19      string
Dialback-Name          20      string
Expiration             21      date
Framed-Route           22      string
Framed-IPX-Network     23      ipaddr
Challenge-State        24      string
Vendor-Specific        26      string
Acct-Status-Type       40      integer
Acct-Delay-Time        41      integer
Acct-Input-Octets      42      integer
Acct-Output-Octets     43      integer
Acct-Session-Id        44      string
Acct-Authentic         45      integer
Acct-Session-Time      46      integer
Acct-Input-Packets     47      integer
Acct-Output-Packets    48      integer

RADIUS (IETF) Attributes

Table C-2 lists the supported RADIUS (IETF) attributes. Where an attribute has a format specific to the security server, that format is given in the description.

Table C-2   RADIUS (IETF) AV Pairs

Columns: No. | Attribute | Cisco IOS Release 11.1 | Cisco IOS Release 11.2 | Description

1   User-Name                 11.1: Yes   11.2: Yes
    Name of the user being authenticated.

2   User-Password             11.1: Yes   11.2: Yes
    User's password or input following an Access-Challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications.

3   CHAP-Password             11.1: Yes   11.2: Yes
    PPP[1] CHAP[2] response to an Access-Challenge.

4   NAS-IP-Address            11.1: Yes   11.2: Yes
    IP address of the NAS that is requesting authentication.

5   NAS-Port                  11.1: Yes   11.2: Yes
    Physical port number of the NAS that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values, depending on the setting of the radius-server extended-portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows:
      • For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.
      • For ordinary synchronous network interfaces, the value is 10xxx.
      • For channels on a primary rate ISDN[3] interface, the value is 2ppcc.
      • For channels on a basic rate ISDN interface, the value is 3bb0c.
      • For other types of interfaces, the value is 6nnss.

6   Service-Type              11.1: Yes   11.2: Yes
    Type of service requested or the type of service to be provided:
      • In a request:
          Framed for a known PPP or SLIP[4] connection.
          Administrative-user for the enable command.
      • In a response:
          Login: make a connection.
          Framed: start SLIP or PPP.
          Administrative User: start an EXEC or enable ok.
          Exec User: start an EXEC session.

7   Framed-Protocol           11.1: Yes   11.2: Yes
    Framing to be used for framed access.

8   Framed-IP-Address         11.1: Yes   11.2: Yes
    Address to be configured for the user.

9   Framed-IP-Netmask         11.1: Yes   11.2: Yes
    IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified.

10  Framed-Routing            11.1: Yes   11.2: Yes
    Routing method for the user when the user is a router to a network. Only the None and Send and Listen values are supported for this attribute.

11  Filter-Id                 11.1: Yes   11.2: Yes
    Name of the filter list for the user, formatted as %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as the interface output access list and %d.in for the input access list. The numbers are self-encoding to the protocol to which they refer.

13  Framed-Compression        11.1: Yes   11.2: Yes
    Compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.

14  Login-IP-Host             11.1: Yes   11.2: Yes
    Host to which the user will connect when the Login-Service attribute is included.

15  Login-Service             11.1: Yes   11.2: Yes
    Service that should be used to connect the user to the login host.

16  Login-Port                11.1: Yes   11.2: Yes
    TCP[5] port to which the user is to be connected when the Login-Service attribute is also present.

17  Change-Password           11.1: No    11.2: 11.2(5)F
    Request to change a user's password.

18  Reply-Message             11.1: Yes   11.2: Yes
    Text to be displayed to the user.

21  Password-Expiration       11.1: No    11.2: 11.2(5)F
    Expiration date for a user's password in the user's file entry.

22  Framed-Route              11.1: Yes   11.2: Yes
    Routing information to be configured for the user on this NAS. The RADIUS RFC[6] format (net/bits [router [metric]]) and the old-style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored.

24  State                     11.1: Yes   11.2: Yes
    Allows state information to be maintained between the NAS and the RADIUS server. This attribute is applicable only to CHAP challenges.

26  Vendor-Specific           11.1: Yes   11.2: Yes
    Allows vendors to support their own extended attributes unsuitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, cisco-avpair. The value is a string of the format:

        protocol:attribute sep value

    "Protocol" is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. For example:

        cisco-avpair= "ip:addr-pool=first"
        cisco-avpair= "shell:priv-lvl=15"

    The first example causes Cisco's multiple named IP address pools feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a NAS Prompt user to have immediate access to EXEC commands.

27  Session-Timeout           11.1: Yes   11.2: Yes
    Maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user absolute timeout. This attribute is not valid for PPP sessions.

28  Idle-Timeout              11.1: Yes   11.2: Yes
    Maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user session-timeout. This attribute is not valid for PPP sessions.

34  Login-LAT-Service         11.1: Yes   11.2: Yes
    System with which the user is to be connected by LAT. This attribute is only available in EXEC mode.

35  Login-LAT-Node            11.1: No    11.2: No
    Node with which the user is to be automatically connected by LAT[7].

36  Login-LAT-Group           11.1: No    11.2: No
    LAT group codes that this user is authorized to use.

[1] PPP = Point-to-Point Protocol
[2] CHAP = Challenge Handshake Authentication Protocol
[3] ISDN = Integrated Services Digital Network
[4] SLIP = Serial Line Internet Protocol
[5] TCP = Transmission Control Protocol
[6] RFC = Request for Comments
[7] LAT = local-area transport
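Three of the rows in Table C-2 (NAS-Port, Framed-Route and Vendor-Specific) describe server-specific string and numeric encodings rather than plain values. The following is an added example, not code from the Cisco document or from CiscoSecure ACS, that decodes each of those encodings as the table describes them so an administrator can check what a RADIUS reply or accounting record actually carries. The field names for the 2ppcc, 3bb0c and 6nnss port forms are simply the placeholder letters from the table, and the assumption that, with extended port names, the high-order 16 bits come first is mine; the page does not state the order.

```python
"""Decoders for the Cisco-specific encodings described in Table C-2 (added example)."""
import ipaddress


def decode_port_number(n16):
    """Interpret one 16-bit NAS-Port value as the 5-digit decimal number in Table C-2."""
    if not 0 <= n16 <= 0xFFFF:
        raise ValueError("not a 16-bit value")
    digits = f"{n16:05d}"
    if digits.startswith("00"):                      # 00ttt: async line / interface unit
        return {"kind": "async", "line": int(digits[2:])}
    if digits.startswith("10"):                      # 10xxx: synchronous interface
        return {"kind": "sync", "interface": int(digits[2:])}
    if digits[0] == "2":                             # 2ppcc: PRI channel
        return {"kind": "pri", "pp": int(digits[1:3]), "channel": int(digits[3:])}
    if digits[0] == "3" and digits[3] == "0":        # 3bb0c: BRI channel
        return {"kind": "bri", "bb": int(digits[1:3]), "channel": int(digits[4])}
    if digits[0] == "6":                             # 6nnss: other interface types
        return {"kind": "other", "nn": int(digits[1:3]), "ss": int(digits[3:])}
    raise ValueError(f"unrecognised NAS-Port encoding {digits}")


def decode_nas_port(value, extended_portnames=False):
    """Split the 32-bit NAS-Port into one or two 16-bit numbers and decode each.
    Assumption (not stated on the page): the high-order half comes first."""
    if extended_portnames:
        return [decode_port_number((value >> 16) & 0xFFFF), decode_port_number(value & 0xFFFF)]
    return [decode_port_number(value)]


def parse_cisco_avpair(text):
    """Parse 'protocol:attribute sep value'; sep is '=' (mandatory) or '*' (optional).
    Accepts either the bare value or the cisco-avpair= "..." line as printed in Table C-2."""
    s = text.strip()
    if s.startswith("cisco-avpair="):
        s = s[len("cisco-avpair="):].strip().strip('"')
    protocol, colon, rest = s.partition(":")
    if not colon:
        raise ValueError("missing protocol prefix")
    # the first '=' or '*' after the protocol separates attribute from value
    idx = min((i for i in (rest.find("="), rest.find("*")) if i >= 0), default=-1)
    if idx < 0:
        raise ValueError("missing = or * separator")
    return {"protocol": protocol, "attribute": rest[:idx],
            "mandatory": rest[idx] == "=", "value": rest[idx + 1:]}


def parse_framed_route(text):
    """Parse Framed-Route in RFC form 'net/bits [router [metric]]' or old dotted-mask
    form 'net mask [router [metric]]'. A router of 0 or none means the peer address
    is used; the metric is parsed but reported as ignored, as the NAS ignores it."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty route")
    if "/" in tokens[0]:
        network, rest = ipaddress.ip_network(tokens[0], strict=False), tokens[1:]
    else:
        if len(tokens) < 2:
            raise ValueError("dotted-mask form needs net and mask")
        network = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        rest = tokens[2:]
    router = None  # None: use the peer IP address
    if rest and rest[0] not in ("0", "0.0.0.0"):
        router = str(ipaddress.ip_address(rest[0]))
    metric = int(rest[1]) if len(rest) > 1 else None
    return {"network": str(network), "router": router, "metric_ignored": metric}


if __name__ == "__main__":
    print(decode_nas_port(20103))
    print(parse_cisco_avpair('cisco-avpair= "shell:priv-lvl=15"'))
    print(parse_framed_route("192.168.2.0 255.255.255.0 0"))
```

A reviewer of a server configuration will want the "mandatory" flag in particular: a pair written with "*" is advisory, whereas one written with "=" (such as the shell:priv-lvl=15 example above) is a hard authorization result for the NAS.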

RADIUS (IETF) Accounting Attributes

Table C-3 lists the supported RADIUS (IETF) accounting attributes. Where an attribute has a format specific to the security server, that format is given in the description.

Table C-3   RADIUS (IETF) Accounting Attributes

Columns: Number | Attribute | Cisco IOS Release 11.1 | Cisco IOS Release 11.2 | Description

25  Class                     11.1: Yes   11.2: Yes
    Arbitrary value that the NAS includes in all accounting packets for this user if supplied by the RADIUS server.

30  Called-Station-Id         11.1: Yes   11.2: Yes
    Allows the NAS to send the telephone number the user called as part of the Access-Request packet (using DNIS[1] or similar technology). This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI[2].

31  Calling-Station-Id        11.1: Yes   11.2: Yes
    Allows the NAS to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI.

40  Acct-Status-Type          11.1: Yes   11.2: Yes
    Whether this Accounting-Request marks the beginning of the user service (start) or the end (stop).

41  Acct-Delay-Time           11.1: Yes   11.2: Yes
    Number of seconds the client has been trying to send a particular record.

42  Acct-Input-Octets         11.1: Yes   11.2: Yes
    Number of octets received from the port over the course of this service being provided.

43  Acct-Output-Octets        11.1: Yes   11.2: Yes
    Number of octets sent to the port while delivering this service.

44  Acct-Session-Id           11.1: Yes   11.2: Yes
    Unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session-Id values restart at 1 each time the router is power cycled or the software is reloaded. Contact Cisco Support if this is unsuitable.

45  Acct-Authentic            11.1: Yes   11.2: Yes
    Way in which the user was authenticated: by RADIUS, by the NAS itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.

46  Acct-Session-Time         11.1: Yes   11.2: Yes
    Number of seconds the user has received service.

47  Acct-Input-Packets        11.1: Yes   11.2: Yes
    Number of packets received from the port over the course of this service being provided to a framed user.

48  Acct-Output-Packets       11.1: Yes   11.2: Yes
    Number of packets sent to the port in the course of delivering this service to a framed user.

61  NAS-Port-Type             11.1: Yes   11.2: Yes
    Type of physical port the NAS is using to authenticate the user.

[1] DNIS = Dialed Number Identification
[2] PRI = Primary Rate Interface
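Table C-3 says Acct-Session-Id is the key for matching start and stop records, but also that the counter restarts at 1 whenever the NAS reloads, and Acct-Authentic records whether RADIUS actually authenticated the user. The following is an added example, not code from the Cisco document or from CiscoSecure ACS, that pairs start and stop records the way a log reviewer would have to: keyed on NAS-IP-Address plus Acct-Session-Id, flagging session ids that start twice without a stop (the reload case), stops with no start, and users the NAS authenticated other than by RADIUS. The accounting records are constructed for the example; the attribute names are the ones in Table C-3.

```python
"""Pairing RADIUS accounting start/stop records per Table C-3 (added example)."""

# Constructed sample records (not from the page), in the order a server logged them.
SAMPLE_RECORDS = [
    {"NAS-IP-Address": "10.0.0.1", "Acct-Status-Type": "start", "Acct-Session-Id": "1",
     "User-Name": "alice", "Acct-Authentic": "radius"},
    {"NAS-IP-Address": "10.0.0.1", "Acct-Status-Type": "start", "Acct-Session-Id": "2",
     "User-Name": "bob", "Acct-Authentic": "local"},
    # NAS 10.0.0.1 reloaded here: its Acct-Session-Id counter restarted at 1,
    # and neither alice nor bob ever gets a stop record.
    {"NAS-IP-Address": "10.0.0.1", "Acct-Status-Type": "start", "Acct-Session-Id": "1",
     "User-Name": "carol", "Acct-Authentic": "radius"},
    # A second NAS also uses session id 1: ids are only unique per NAS.
    {"NAS-IP-Address": "10.0.0.2", "Acct-Status-Type": "start", "Acct-Session-Id": "1",
     "User-Name": "dave", "Acct-Authentic": "remote"},
    {"NAS-IP-Address": "10.0.0.2", "Acct-Status-Type": "stop", "Acct-Session-Id": "1",
     "User-Name": "dave", "Acct-Authentic": "remote", "Acct-Session-Time": "30",
     "Acct-Input-Octets": "100", "Acct-Output-Octets": "200"},
    # Stop whose start was never seen (lost in transit, or before logging began).
    {"NAS-IP-Address": "10.0.0.2", "Acct-Status-Type": "stop", "Acct-Session-Id": "7",
     "User-Name": "erin", "Acct-Authentic": "radius", "Acct-Session-Time": "5",
     "Acct-Input-Octets": "0", "Acct-Output-Octets": "0"},
    {"NAS-IP-Address": "10.0.0.1", "Acct-Status-Type": "stop", "Acct-Session-Id": "1",
     "User-Name": "carol", "Acct-Authentic": "radius", "Acct-Session-Time": "60",
     "Acct-Input-Octets": "512", "Acct-Output-Octets": "1024"},
]


def pair_sessions(records):
    """Match start/stop records on (NAS-IP-Address, Acct-Session-Id).

    Returns completed sessions, starts still open, stops with no start, and
    session ids that were started twice without a stop (the reload case)."""
    open_sessions = {}  # (nas, session id) -> start record
    completed, orphan_stops, reused_ids = [], [], []
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"].lower()
        if status == "start":
            if key in open_sessions:
                reused_ids.append((key, open_sessions[key]["User-Name"], rec["User-Name"]))
            open_sessions[key] = rec
        elif status == "stop":
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_stops.append(rec)
                continue
            completed.append({
                "nas": key[0], "session_id": key[1], "user": rec["User-Name"],
                "seconds": int(rec.get("Acct-Session-Time", 0)),
                "octets_in": int(rec.get("Acct-Input-Octets", 0)),
                "octets_out": int(rec.get("Acct-Output-Octets", 0)),
                "authentic": rec.get("Acct-Authentic", ""),
            })
    return {"completed": completed, "still_open": list(open_sessions.values()),
            "orphan_stops": orphan_stops, "reused_ids": reused_ids}


def not_radius_authenticated(records):
    """Users whose records carry an Acct-Authentic other than radius (local or remote)."""
    return sorted({r["User-Name"] for r in records
                   if r.get("Acct-Authentic", "radius") != "radius"})


if __name__ == "__main__":
    result = pair_sessions(SAMPLE_RECORDS)
    for name in ("completed", "still_open", "orphan_stops", "reused_ids"):
        print(name, result[name])
    print("not authenticated by RADIUS:", not_radius_authenticated(SAMPLE_RECORDS))
```

The reused_ids list is the one to watch after a NAS reload: a start for an id that is still open means the earlier session's stop will never arrive under that key, so any billing or session-count check built only on Acct-Session-Id silently loses it.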

Dictionary of Ascend RADIUS Attributes

This dictionary contains the translations used for parsing requests and generating responses. All transactions are composed of AV pairs. The value of each attribute is specified as one of five valid data types:

Enumerated values are stored in the user file with dictionary value translations for easy administration.

Table C-4   Dictionary of Ascend RADIUS Attributes

Attribute                        Value   Type of Value
User-Name                        1       string
Password                         2       string
Challenge-Response               3       string
NAS-Identifier                   4       ipaddr
NAS-Port                         5       integer
User-Service                     6       integer
Framed-Protocol                  7       integer
Framed-Address                   8       ipaddr
Framed-Netmask                   9       ipaddr
Framed-Routing                   10      integer
Framed-Filter                    11      string
Framed-MTU                       12      integer
Framed-Compression               13      integer
Login-Host                       14      ipaddr
Login-Service                    15      integer
Login-TCP-Port                   16      integer
Change-Password                  17      string
Reply-Message                    18      string
Callback-Number                  19      string
Callback-Name                    20      string
Ascend-PW-Expiration             21      date
Framed-Route                     22      string
Framed-IPX-Network               23      integer
State                            24      string
Class                            25      string
Vendor-Specific                  26      string
Client-Port-DNIS                 30      string
Caller-Id                        31      string
Acct-Status-Type                 40      integer
Acct-Delay-Time                  41      integer
Acct-Input-Octets                42      integer
Acct-Output-Octets               43      integer
Acct-Session-Id                  44      integer
Acct-Authentic                   45      integer
Acct-Session-Time                46      integer
Acct-Input-Packets               47      integer
Acct-Output-Packets              48      integer
Ascend-Client-Primary-DNS        135     address
Ascend-Client-Secondary-DNS      136     address
Ascend-Client-Assign-DNS         137     enum
Ascend-User-Acct-Type            138     enum
Ascend-User-Acct-Host            139     address
Ascend-User-Acct-Port            140     integer
Ascend-User-Acct-Key             141     string
Ascend-User-Acct-Base            142     enum
Ascend-User-Acct-Time            143     integer

Support IP Address Allocation from Global Pools
Ascend-Assign-IP-Client          144     ipaddr
Ascend-Assign-IP-Server          145     ipaddr
Ascend-Assign-IP-Global-Pool     146     string

DHCP Server Functions
Ascend-DHCP-Reply                147     integer
Ascend-DHCP-Pool-Number          148     integer

Connection Profile/Telco Option
Ascend-Expect-Callback           149     integer

Event Type for an Ascend-Event Packet
Ascend-Event-Type                150     integer

RADIUS Server Session Key
Ascend-Session-Svr-Key           151     string

Multicast Rate Limit Per Client
Ascend-Multicast-Rate-Limit      152     integer

Connection Profile Fields to Support Interface-based Routing
Ascend-IF-Netmask                153     ipaddr
Ascend-Remote-Addr               154     ipaddr

Multicast Support
Ascend-Multicast-Client          155     integer

Frame Datalink Profiles
Ascend-FR-Circuit-Name           156     string
Ascend-FR-LinkUp                 157     integer
Ascend-FR-Nailed-Grp             158     integer
Ascend-FR-Type                   159     integer
Ascend-FR-Link-Mgt               160     integer
Ascend-FR-N391                   161     integer
Ascend-FR-DCE-N392               162     integer
Ascend-FR-DTE-N392               163     integer
Ascend-FR-DCE-N393               164     integer
Ascend-FR-DTE-N393               165     integer
Ascend-FR-T391                   166     integer
Ascend-FR-T392                   167     integer
Ascend-Bridge-Address            168     string
Ascend-TS-Idle-Limit             169     integer
Ascend-TS-Idle-Mode              170     integer
Ascend-DBA-Monitor               171     integer
Ascend-Base-Channel-Count        172     integer
Ascend-Minimum-Channels          173     integer

IPX Static Routes
Ascend-IPX-Route                 174     string
Ascend-FT1-Caller                175     integer
Ascend-Backup                    176     string
Ascend-Call-Type                 177     integer
Ascend-Group                     178     string
Ascend-FR-DLCI                   179     integer
Ascend-FR-Profile-Name           180     string
Ascend-Ara-PW                    181     string
Ascend-IPX-Node-Addr             182     string
Ascend-Home-Agent-IP-Addr        183     ipaddr
Ascend-Home-Agent-Password       184     string
Ascend-Home-Network-Name         185     string
Ascend-Home-Agent-UDP-Port       186     integer
Ascend-Multilink-ID              187     integer
Ascend-Num-In-Multilink          188     integer
Ascend-First-Dest                189     ipaddr
Ascend-Pre-Input-Octets          190     integer
Ascend-Pre-Output-Octets         191     integer
Ascend-Pre-Input-Packets         192     integer
Ascend-Pre-Output-Packets        193     integer
Ascend-Maximum-Time              194     integer
Ascend-Disconnect-Cause          195     integer
Ascend-Connect-Progress          196     integer
Ascend-Data-Rate                 197     integer
Ascend-PreSession-Time           198     integer
Ascend-Token-Idle                199     integer
Ascend-Token-Immediate           200     integer
Ascend-Require-Auth              201     integer
Ascend-Number-Sessions           202     string
Ascend-Authen-Alias              203     string
Ascend-Token-Expiry              204     integer
Ascend-Menu-Selector             205     string
Ascend-Menu-Item                 206     string

RADIUS Password Expiration Options
Ascend-PW-Warntime               207     integer
Ascend-PW-Lifetime               208     integer
Ascend-IP-Direct                 209     ipaddr
Ascend-PPP-VJ-Slot-Comp          210     integer
Ascend-PPP-VJ-1172               211     integer
Ascend-PPP-Async-Map             212     integer
Ascend-Third-Prompt              213     string
Ascend-Send-Secret               214     string
Ascend-Receive-Secret            215     string
Ascend-IPX-Peer-Mode             216     integer
Ascend-IP-Pool-Definition        217     string
Ascend-Assign-IP-Pool            218     integer
Ascend-FR-Direct                 219     integer
Ascend-FR-Direct-Profile         220     string
Ascend-FR-Direct-DLCI            221     integer
Ascend-Handle-IPX                222     integer
Ascend-Netware-timeout           223     integer
Ascend-IPX-Alias                 224     integer
Ascend-Metric                    225     integer
Ascend-PRI-Number-Type           226     integer
Ascend-Dial-Number               227     string

Connection Profile/PPP Options
Ascend-Route-IP                  228     integer
Ascend-Route-IPX                 229     integer
Ascend-Bridge                    230     integer
Ascend-Send-Auth                 231     integer
Ascend-Send-Passwd               232     string
Ascend-Link-Compression          233     integer
Ascend-Target-Util               234     integer
Ascend-Maximum-Channels          235     integer
Ascend-Inc-Channel-Count         236     integer
Ascend-Dec-Channel-Count         237     integer
Ascend-Seconds-Of-History        238     integer
Ascend-History-Weigh-Type        239     integer
Ascend-Add-Seconds               240     integer
Ascend-Remove-Seconds            241     integer

Connection Profile/Session Options
Ascend-Data-Filter               242     abinary
Ascend-Call-Filter               243     abinary
Ascend-Idle-Limit                244     integer
Ascend-Preempt-Limit             245     integer

Connection Profile/Telco Options
Ascend-Callback                  246     integer
Ascend-Data-Svc                  247     integer
Ascend-Force-56                  248     integer
Ascend-Billing-Number            249     string
Ascend-Call-By-Call              250     integer
Ascend-Transit-Number            251     string

Terminal Server Attributes
Ascend-Host-Info                 252     string

PPP Local Address Attribute
Ascend-PPP-Address               253     ipaddr

MPP Percent Idle Attribute
Ascend-MPP-Idle-Percent          254     integer


Posted: Mon Jan 20 21:20:47 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.