|
|
This appendix provides a list of the dictionaries and their attribute-value pairs that are supported by CiscoSecure Access Control Server (ACS). This appendix also provides instructions on how you can add your own set of attributes for custom solutions.
The CiscoSecure ACS provides support for many proprietary attribute-value pairs. The CiscoSecure ACS includes the full attribute-value pairs contained in the Cisco IOS Release 11.2, Ascend, and IETF-RADIUS. As such, you can use the CiscoSecure ACS to service a network access server (NAS) that is running any mixture of configured Cisco, Ascend, or IETF-RADIUS compliant attributes.
To provide this level of support, attribute sets are conveniently stored in units called dictionaries. A NAS that is using a given set of attribute-value pairs can easily exchange data with a CiscoSecure ACS that is loaded with the corresponding dictionary of attributes. When setting up group and user profiles from the Members tab, you see the available dictionaries under the options menu (see the section "Assigning RADIUS Attributes to a Group or User Profile," in the chapter "Managing User Authentication and Authorization"). Depending on what attributes your NAS is running, you can specify one or more dictionaries as part of a User-Profile setup. By default, you always see dictionaries named RADIUS-Ascend, RADIUS-Cisco, and RADIUS-IETF.
By clicking on the Dictionaries tab of your CiscoSecure ACS Administrator window, you can specify custom attribute-value pairs you want on your CiscoSecure ACS. CiscoSecure ACS provides a special management tool that allows you to make a brand-new dictionary, or to make a copy of an existing dictionary and then modify its contents for special purposes. For details, see the sections "Dictionary of Cisco IOS Attribute-Value Pairs," "Dictionary of IETF Attributes," and "Dictionary of Ascend Attributes" later in this appendix.
Depending on the implementation of your NAS, the CiscoSecure ACS provides one of the following three attribute dictionaries:
The following sections contain dictionary translations for parsing requests and generating responses. All transactions are composed of attribute-value pairs. The value of each attribute is specified as one of five data types:
Enumerated values are stored in the user file with dictionary value translations for easy administration.
Before selecting attribute-value pairs for the CiscoSecure ACS, confirm that your NAS has Cisco IOS Release 11.2 or later or compatible NAS software, for RADIUS support.
The following table contains the attribute-value pairs provided in the Cisco IOS software.
| Attribute | Value | Type of Value |
|---|---|---|
| User-Name | 1 | string |
| Password | 2 | string |
| CHAP-Password | 3 | string |
| Client-Id | 4 | ipaddr |
| Client-Port-Id | 5 | integer |
| User-Service-Type | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-Address | 8 | ipaddr |
| Framed-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Framed-Filter-Id | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Old-Password | 17 | string |
| Port-Message | 18 | string |
| Dialback-No | 19 | string |
| Dialback-Name | 20 | string |
| Expiration | 21 | date |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | ipaddr |
| Challenge-State | 24 | string |
| Vendor specific | 26 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | string |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-packets | 47 | integer |
| Acct-Ouput-packets | 48 | integer |
Table E-2 lists the dictionary of RADIUS IETF attributes.
| Attribute | Value | Type of Value |
|---|---|---|
| User-Name | 1 | string |
| User-Password | 2 | string |
| CHAP-Password | 3 | string |
| NAS-IP-Address | 4 | integer |
| NAS-Port | 5 | integer |
| Service-Type | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-IP-Address | 8 | integer |
| Framed-IP-Netmask | 9 | integer |
| Framed-Routing | 10 | integer |
| Filter-Id | 11 | integer |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-IP-Host | 14 | integer |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Reply-Message | 18 | string |
| Callback-Number | 19 | string |
| Callback-Id | 20 | string |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | integer |
| State | 24 | string |
| Class | 25 | string |
| Vendor-Specific | 26 | string |
| Session-Timeout | 27 | integer |
| Idle-Timeout | 28 | integer |
| Termination-Action | 29 | integer |
| Called-Station-Id | 30 | integer |
| Calling-Station-Id | 31 | string |
| NAS-Identifier | 32 | string |
| Proxy-State | 33 | string |
| Login-LAT-Service | 34 | string |
| Login-LAT-Node | 35 | string |
| Login-LAT-Group | 36 | string |
| Framed-AppleTalk-Link | 37 | integer |
| Framed-AppleTalk-Network | 38 | integer |
| Framed-AppleTalk-Zone | 39 | integer |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | string |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-Packets | 47 | integer |
| Acct-Output-Packets | 48 | integer |
| Acct-Terminate-Cause | 49 | integer |
| Acct-Multi-Session-Id | 50 | string |
| Acct-Link-Count | 51 | integer |
| NAS-Port-Type | 61 | integer |
| Port-Limit | 62 | integer |
| Login-LAT-Port | 63 | string |
Table E-3 lists the dictionary of supported Ascend attribute-value pairs.
| Attribute | Value | Type of Value |
|---|---|---|
| Dictionary of Ascend Attributes | ||
| User-Name | 1 | string |
| Password | 2 | string |
| Challenge-Response | 3 | string |
| NAS-Identifier | 4 | ipaddr |
| NAS-Port | 5 | integer |
| User-Service | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-Address | 8 | ipaddr |
| Framed-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Framed-Filter | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Change-Password | 17 | string |
| Reply-Message | 18 | string |
| Callback-Number | 19 | string |
| Callback-Name | 20 | string |
| Ascend-PW-Expiration | 21 | date |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | integer |
| State | 24 | string |
| Class | 25 | string |
| Vendor-Specific | 26 | string |
| Client-Port-DNIS | 30 | string |
| Caller-Id | 31 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | string |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-Packets | 47 | integer |
| Acct-Output-Packets | 48 | integer |
| Support IP Address Allocation from Global Pools | ||
| Ascend-Assign-IP-Client | 144 | ipaddr |
| Ascend-Assign-IP-Server | 145 | ipaddr |
| Ascend-Assign-IP-Global-Pool | 146 | string |
| DHCP Server Functions | ||
| Ascend-DHCP-Reply | 147 | integer |
| Ascend-DHCP-Pool-Number | 148 | integer |
| Connection Profile/Telco Option | ||
| Ascend-Expect-Callback | 149 | integer |
| Event Type for an Ascend-Event Packet | ||
| Ascend-Event-Type | 150 | integer |
| RADIUS Server Session Key | ||
| Ascend-Session-Svr-Key | 151 | string |
| Multicast Rate Limit per Client | ||
| Ascend-Multicast-Rate-Limit | 152 | integer |
| Connection Profile Fields to Support Interface-Based Routing | ||
| Ascend-IF-Netmask | 153 | ipaddr |
| Ascend-Remote-Addr | 154 | ipaddr |
| Multicast Support | ||
| Ascend-Multicast-Client | 155 | integer |
| Frame Datalink Profiles | ||
| Ascend-FR-Circuit-Name | 156 | string |
| Ascend-FR-LinkUp | 157 | integer |
| Ascend-FR-Nailed-Grp | 158 | integer |
| Ascend-FR-Type | 159 | integer |
| Ascend-FR-Link-Mgt | 160 | integer |
| Ascend-FR-N391 | 161 | integer |
| Ascend-FR-DCE-N392 | 162 | integer |
| Ascend-FR-DTE-N392 | 163 | integer |
| Ascend-FR-DCE-N393 | 164 | integer |
| Ascend-FR-DTE-N393 | 165 | integer |
| Ascend-FR-T391 | 166 | integer |
| Ascend-FR-T392 | 167 | integer |
| Ascend-Bridge-Address | 168 | string |
| Ascend-TS-Idle-Limit | 169 | integer |
| Ascend-TS-Idle-Mode | 170 | integer |
| Ascend-DBA-Monitor | 171 | integer |
| Ascend-Base-Channel-Count | 172 | integer |
| Ascend-Minimum-Channels | 173 | integer |
| IPX Static Routes | ||
| Ascend-IPX-Route | 174 | string |
| Ascend-FT1-Caller | 175 | integer |
| Ascend-Backup | 176 | string |
| Ascend-Call-Type | 177 | integer |
| Ascend-Group | 178 | string |
| Ascend-FR-DLCI | 179 | integer |
| Ascend-FR-Profile-Name | 180 | string |
| Ascend-Ara-PW | 181 | string |
| Ascend-IPX-Node-Addr | 182 | string |
| Ascend-Home-Agent-IP-Addr | 183 | ipaddr |
| Ascend-Home-Agent-Password | 184 | string |
| Ascend-Home-Network-Name | 185 | string |
| Ascend-Home-Agent-UDP-Port | 186 | integer |
| Ascend-Multilink-ID | 187 | integer |
| Ascend-Num-In-Multilink | 188 | integer |
| Ascend-First-Dest | 189 | ipaddr |
| Ascend-Pre-Input-Octets | 190 | integer |
| Ascend-Pre-Output-Octets | 191 | integer |
| Ascend-Pre-Input-Packets | 192 | integer |
| Ascend-Pre-Output-Packets | 193 | integer |
| Ascend-Maximum-Time | 194 | integer |
| Ascend-Disconnect-Cause | 195 | integer |
| Ascend-Connect-Progress | 196 | integer |
| Ascend-Data-Rate | 197 | integer |
| Ascend-PreSession-Time | 198 | integer |
| Ascend-Token-Idle | 199 | integer |
| Ascend-Token-Immediate | 200 | integer |
| Ascend-Require-Auth | 201 | integer |
| Ascend-Number-Sessions | 202 | string |
| Ascend-Authen-Alias | 203 | string |
| Ascend-Token-Expiry | 204 | integer |
| Ascend-Menu-Selector | 205 | string |
| Ascend-Menu-Item | 206 | string |
| Radius Password Expiration Options | ||
| Ascend-PW-Warntime | 207 | integer |
| Ascend-PW-Lifetime | 208 | integer |
| Ascend-IP-Direct | 209 | ipaddr |
| Ascend-PPP-VJ-Slot-Comp | 210 | integer |
| Ascend-PPP-VJ-1172 | 211 | integer |
| Ascend-PPP-Async-Map | 212 | integer |
| Ascend-Third-Prompt | 213 | string |
| Ascend-Send-Secret | 214 | string |
| Ascend-Receive-Secret | 215 | string |
| Ascend-IPX-Peer-Mode | 216 | integer |
| Ascend-IP-Pool-Definition | 217 | string |
| Ascend-Assign-IP-Pool | 218 | integer |
| Ascend-FR-Direct | 219 | integer |
| Ascend-FR-Direct-Profile | 220 | string |
| Ascend-FR-Direct-DLCI | 221 | integer |
| Ascend-Handle-IPX | 222 | integer |
| Ascend-Netware-timeout | 223 | integer |
| Ascend-IPX-Alias | 224 | integer |
| Ascend-Metric | 225 | integer |
| Ascend-PRI-Number-Type | 226 | integer |
| Ascend-Dial-Number | 227 | string |
| Connection Profile/PPP Options | ||
| Ascend-Route-IP | 228 | integer |
| Ascend-Route-IPX | 229 | integer |
| Ascend-Bridge | 230 | integer |
| Ascend-Send-Auth | 231 | integer |
| Ascend-Send-Passwd | 232 | string |
| Ascend-Link-Compression | 233 | integer |
| Ascend-Target-Util | 234 | integer |
| Ascend-Maximum-Channels | 235 | integer |
| Ascend-Inc-Channel-Count | 236 | integer |
| Ascend-Dec-Channel-Count | 237 | integer |
| Ascend-Seconds-Of-History | 238 | integer |
| Ascend-History-Weigh-Type | 239 | integer |
| Ascend-Add-Seconds | 240 | integer |
| Ascend-Remove-Seconds | 241 | integer |
| Connection Profile/Session Options | ||
| Ascend-Data-Filter | 242 | abinary |
| Ascend-Call-Filter | 243 | abinary |
| Ascend-Idle-Limit | 244 | integer |
| Ascend-Preempt-Limit | 245 | integer |
| Connection Profile/Telco Options | ||
| Ascend-Callback | 246 | integer |
| Ascend-Data-Svc | 247 | integer |
| Ascend-Force-56 | 248 | integer |
| Ascend-Billing-Number | 249 | string |
| Ascend-Call-By-Call | 250 | integer |
| Ascend-Transit-Number | 251 | string |
| Terminal Server Attributes | ||
| Ascend-Host-Info | 252 | string |
| PPP Local Address Attribute | ||
| Ascend-PPP-Address | 253 | ipaddr |
| MPP Percent Idle Attribute | ||
| Ascend-MPP-Idle-Percent | 254 | integer |
|
|