|
|
Remote Authentication Dial-In User Server (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This appendix lists the RADIUS attributes currently supported.
Table 19 lists the supported RADIUS (IETF) attributes. In cases where the attribute has a security server-specific format, the format is specified.
| Number | Attribute | Description | Cisco IOS Release11.1 | Cisco IOS Release11.2 | Cisco IOS Release11.3 |
|---|---|---|---|---|---|
| 1 | User-Name | Indicates the name of the user being authenticated. | yes | yes | yes |
| 2 | User-Password | Indicates the user's password or the user's input following an Access-Challenge. Passwords longer than 16 characters are encrypted using the IETF Draft #2 (or later) specifications. | yes | yes | yes |
| 3 | CHAP-Password | Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to an Access-Challenge. | yes | yes | yes |
| 4 | NAS-IP Address | Specifies the IP address of the network access server that is requesting authentication. | yes | yes | yes |
| 5 | NAS-Port | Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command.) Each 16-bit number should be viewed as a 5-digit decimal integer for interpretation as follows:
For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number. For ordinary synchronous network interface, the value is 10xxx. For channels on a primary rate ISDN interface, the value is 2ppcc. For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss. | yes | yes | yes |
| 6 | Service-Type | Indicates the type of service requested or the type of service to be provided.
Exec User--Start an EXEC session. | yes | yes | yes |
| 7 | Framed-Protocol | Indicates the framing to be used for framed access. | yes | yes | yes |
| 8 | Framed-IP-Address | Indicates the address to be configured for the user. | yes | yes | yes |
| 9 | Framed-IP-Netmask | Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified. | yes | yes | yes |
| 10 | Framed-Routing | Indicates the routing method for the user when the user is a router to a network. Only "None" and "Send and Listen" values are supported for this attribute. | yes | yes | yes |
| 11 | Filter-Id | Indicates the name of the filter list for the user and is formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list, and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. | yes | yes | yes |
| 13 | Framed-Compression | Indicates a compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. | yes | yes | yes |
| 14 | Login-IP-Host | Indicates the host to which the user will connect when the Login-Service attribute is included. | yes | yes | yes |
| 15 | Login-Service | Indicates the service that should be used to connect the user to the login host. | yes | yes | yes |
| 16 | Login-Port | Defines the TCP port with which the user is to be connected when the Login-Service attribute is also present. | yes | yes | yes |
| 18 | Reply-Message | Indicates text that might be displayed to the user. | yes | yes | yes |
| 22 | Framed-Route | Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored. | yes | yes | yes |
| 24 | State | Allows state information to be maintained between the network access server and the RADIUS server. This attribute is applicable only to CHAP challenges. | yes | yes | yes |
| 26 | Vendor-Specific | Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:
protocol : attribute sep value
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AVpair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example: cisco-avpair= "ip:addr-pool=first" cisco-avpair= "shell:priv-lvl=15"The first example causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a "NAS Prompt" user to have immediate access to EXEC commands. | yes | yes | yes |
| 27 | Session-Timeout | Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user "absolute timeout." This attribute is not valid for PPP sessions. | yes | yes | yes |
| 28 | Idle-Timeout | Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout." This attribute is not valid for PPP sessions. | yes | yes | yes |
| 34 | Login-LAT-Service | Indicates the system with which the user is to be connected by LAT. This attribute is only available in the EXEC mode. | yes | yes | yes |
| 35 | Login-LAT-Node | Indicates the node with which the user is to be automatically connected by LAT. | no | no | no |
| 36 | Login-LAT-Group | Identifies the LAT group codes that this user is authorized to use. | no | no | no |
| 49 | Terminate-Cause | Reports details on why the connection was terminated. | no | no | no |
For more information about RADIUS configuration tasks, refer to the "Configuring RADIUS" chapter.
Table 20 lists the supported RADIUS (IETF) accounting attributes. In cases where the attribute has a security server-specific format, the format is specified.
| Number | Attribute | Description | Cisco IOS Release11.1 | Cisco IOS Release11.2 | Cisco IOS Release11.3 |
|---|---|---|---|---|---|
| 25 | Class | Arbitrary value that the network access server includes in all accounting packets for this user if supplied by the RADIUS server. | yes | yes | yes |
| 30 | Called-Station-Id | Allows the network access server to send the telephone number the user called as part of the Access-Request packet (using Dialed Number Identification [DNIS] or similar technology). This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. | yes | yes | yes |
| 31 | Calling-Station-Id | Allows the network access server to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. | yes | yes | yes |
| 40 | Acct-Status-Type | Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop). | yes | yes | yes |
| 41 | Acct-Delay-Time | Indicates how many seconds the client has been trying to send a particular record. | yes | yes | yes |
| 42 | Acct-Input-Octets | Indicates how many octets have been received from the port over the course of this service being provided. | yes | yes | yes |
| 43 | Acct-Output-Octets | Indicates how many octets have been sent to the port in the course of delivering this service. | yes | yes | yes |
| 44 | Acct-Session-Id | A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session ID numbers restart at 1 each time the router is power cycled or the software is reloaded. | yes | yes | yes |
| 45 | Acct-Authentic | Indicates how the user was authenticated, whether by RADIUS, the network access server itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. | yes | yes | yes |
| 46 | Acct-Session-Time | Indicates how long (in seconds) the user has received service. | yes | yes | yes |
| 47 | Acct-Input-Packets | Indicates how many packets have been received from the port over the course of this service being provided to a framed user. | yes | yes | yes |
| 48 | Acct-Output-Packets | Indicates how many packets have been sent to the port in the course of delivering this service to a framed user. | yes | yes | yes |
| 50 | Acct-Multi-Session-Id1 | A unique accounting identifier used to link multiple related sessions in a log file.
Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id. | no | no | yes |
| 51 | Acct-Link-Count2 | Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links. | no | no | yes |
| 61 | NAS-Port-Type | Indicates the type of physical port the network access server is using to authenticate the user. | yes | yes | yes |
For more information about configuring RADIUS accounting, refer to the "Configuring RADIUS" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Table 21 lists the supported vendor-proprietary RADIUS attributes:
| Number | Vendor-Proprietary Attribute | Description |
|---|---|---|
| 17 | Change-Password | Specifies a request to change a user's password. |
| 21 | Password-Expiration | Specifies an expiration date for a user's password in the user's file entry. |
| 194 | Maximum-Time | Specifies the maximum length of time (in seconds) allowed for any session. After the session reaches the time limit, its connection is dropped. |
| 195 | Terminate-Cause | Reports details on why the connection was terminated. |
| 208 | PW-Lifetime | Enables you to specify on a per-user basis the number of days that a password is valid. |
| 209 | IP-Direct | Specifies in a user's file entry the IP address to which the Cisco router redirects packets from the user. When you include this attribute in a user's file entry, the Cisco router bypasses all internal routing and bridging tables and sends all packets received on this connection's WAN interface to the specified IP address. |
| 210 | PPP-VJ-Slot-Comp | Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link. |
| 212 | PPP-Async-Map | Gives the Cisco router the asynchronous control character map for the PPP session. The specified control characters are passed through the PPP link as data and used by applications running over the link. |
| 217 | IP-Pool-Definition | Defines a pool of addresses using the following format: X a.b.c Z; where X is the pool index number, a.b.c is the pool's starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment. |
| 218 | Assign-IP-Pool | Tells the router to assign the user and IP address from the IP pool. |
| 228 | Route-IP | Indicates whether IP routing is allowed for the user's file entry. |
| 233 | Link-Compression | Defines whether to turn on or turn off "stac" compression over a PPP link. |
| 234 | Target-Util | Specifies the load-threshold percentage value for bringing up an additional channel when PPP multilink is defined. |
| 235 | Maximum-Channels | Specifies allowed/allocatable maximum number of channels. |
| 242 | Data-Filter | Defines per-user IP data filters. These filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied on a first-match basis; therefore, the order in which filter entries are entered is important. |
| 243 | Call-Filter | Defines per-user IP data filters. On a Cisco router, this attribute is identical to the Data-Filter attribute. |
| 244 | Idle-Limit | Specifies the maximum time (in seconds) that any session can be idle. When the session reaches the idle time limit, its connection is dropped. |
For more information about configuring RADIUS to recognize vendor-proprietary attributes, refer to the "Configuring RADIUS" chapter.
|
|