Attributes of TACACS+ AV Pairs

There are many TACACS+ AV pairs, and not all of them are supported by every network operating system (NOS). Your best bet is to verify the AV pairs supported by the IOS or PIX OS release that you intend to use as an AAA client. For a list of the AV pairs that specific Cisco devices support, see www.cisco.com.

The following sections describe the attributes supported by ACS version 3.1, each in some detail. Note that all of these attributes are TACACS+ authentication and authorization vendor-specific attributes (VSAs). An attribute is only as good as the AAA client's handling of it: the ACS server returns the pair in its authorization reply, and it is the router or firewall that enforces it.

acl=

This attribute is used in EXEC or AppleTalk Remote Access Protocol (ARAP) authorization to indicate an access class number or an access list number. For example:

 acl=101 

With this AV pair, we are referencing access control list (ACL) 101. Access list 101 would be an extended IP access list (the 100 to 199 range) configured on the router. The AV pair only names the list; it must already exist on the AAA client, or the reference does nothing.

addr=

This attribute assigns an IP address to a user who connects via a service such as PPP/IP (Point-to-Point Protocol/Internet Protocol) or SLIP (Serial Line Internet Protocol). It is available in Cisco IOS Release 11.0 and later. addr= is used with a service and protocol, for example service=ppp and protocol=ip. Although ACS still supports this attribute, it has been superseded by IP Pools on the group setup page in ACS.

addr-pool=

This attribute names a predefined pool from which the user's IP address is assigned. The AV pair looks like this:

 addr-pool=bigpool 

NOTE

Here bigpool is the name of an IP pool that has already been defined. The pool can be defined on the AAA client or in ACS.


This attribute has also been superseded by IP Pools on the group setup page.

autocmd=

This attribute sends an autocommand that the AAA client runs as soon as the user is authenticated, in place of an interactive session. It is an EXEC service attribute and is used with service=shell. In IOS, the line is normally hung up once the autocommand finishes unless the nohangup= attribute (described later) says otherwise.

callback-dialstring=, callback-line=, and callback-rotary=

callback-dialstring= sets the phone number for a callback. For example, I could dial into my network access server (NAS); when I authenticate, the callback function is triggered and the NAS uses the phone number defined here to call me back. This helps me cut down on phone charges, and because the number comes from the server rather than from the caller, it also ties the session to a known line.

callback-dialstring= can be used with callback-line=, which defines the tty line used to call me back; an example is callback-line=3. You can also use the callback-rotary= AV pair to define the number of a rotary group, between 1 and 100, used for the callback. callback-rotary= is not valid with Integrated Services Digital Network (ISDN). These attributes are used with service=arap, service=ppp, service=slip, or service=exec.

callback-dialstring= has been replaced by the callback information on the group setup page.

cmd=

As seen in the attribute configuration in the preceding section, the cmd attribute carries the command being authorized; for an EXEC command it is the first word of the line the user typed, for example cmd=show. You can create a list of permitted commands for a group or a user, and the AAA client asks ACS to authorize each command before it runs.

cmd-arg=

This AV pair carries the command arguments; the AAA client sends one cmd-arg= pair per argument. For example, suppose I have a user who should be able to edit access list 121 and nothing else. In ACS, I would provide a rule equivalent to the following:

 service=shell permit cmd=access-list permit cmd-arg=121 

This would allow users who authenticated with this in their profile to edit access list 121. A request for access-list 122 would not match the argument rule and, because ACS denies unmatched commands by default, would be refused.
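The cmd=/cmd-arg= exchange above, as an added example that is not code from the book, from Cisco IOS, or from ACS: it models how an IOS AAA client splits a typed EXEC command into one cmd= pair plus one cmd-arg= pair per argument (terminated by cmd-arg=<cr>), and a simplified server-side matcher in the style of an ACS shell command authorization set, with per-command permit/deny argument patterns and an "unmatched arguments" default. The exact ACS matching semantics (patterns applied to the whole argument string, anchored) are an assumption made for illustration; the rule set and commands are constructed.

```python
"""TACACS+ EXEC command authorization: cmd= and cmd-arg= handling.

Added example, not code from the book or from Cisco ACS/IOS. The
rule semantics (anchored regex over the joined argument string, default
deny) are an assumption chosen to illustrate the cmd/cmd-arg split.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def build_authz_request(command: str, service: str = "shell") -> list[str]:
    """Split an EXEC command line into the AV pairs the NAS sends."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    pairs = [f"service={service}", f"cmd={words[0]}"]
    pairs += [f"cmd-arg={w}" for w in words[1:]]
    pairs.append("cmd-arg=<cr>")          # end-of-command marker
    return pairs


@dataclass
class CommandRule:
    """Rules for one cmd= value. Patterns are regexes matched against the
    whole argument string (arguments joined by single spaces)."""
    permit: list[str] = field(default_factory=list)
    deny: list[str] = field(default_factory=list)
    permit_unmatched: bool = False        # ACS-style "unmatched args" default


def parse_authz_request(pairs: list[str]):
    """Return (service, cmd, argument string) from a cmd/cmd-arg AV list."""
    av, args = {}, []
    for p in pairs:
        name, _, value = p.partition("=")
        if name == "cmd-arg":
            args.append(value)
        else:
            av[name] = value
    if args and args[-1] == "<cr>":
        args.pop()                        # <cr> is not a real argument
    return av.get("service"), av.get("cmd"), " ".join(args)


def authorize(pairs: list[str], rules: dict[str, CommandRule]) -> bool:
    """Default deny: permit only when a rule for cmd= allows the arguments."""
    service, cmd, argstr = parse_authz_request(pairs)
    if service != "shell" or cmd is None:
        return False
    rule = rules.get(cmd)
    if rule is None:
        return False                      # no rule for this command at all
    # fullmatch anchors the pattern: "121" must not also admit "1210".
    if any(re.fullmatch(p, argstr) for p in rule.deny):
        return False
    if any(re.fullmatch(p, argstr) for p in rule.permit):
        return True
    return rule.permit_unmatched


# Constructed rule set: the user may edit access list 121 and run show,
# except show running-config. Note that "no access-list 121" arrives as
# cmd=no, so removing the list needs its own rule and is denied here.
RULES = {
    "access-list": CommandRule(permit=[r"121( .*)?"]),
    "show": CommandRule(permit=[r".*"], deny=[r"running-config.*"]),
}

if __name__ == "__main__":
    for cmd in ["access-list 121 permit ip any any",
                "access-list 1210 permit ip any any",
                "no access-list 121",
                "show ip interface brief",
                "show running-config"]:
        verdict = "permit" if authorize(build_authz_request(cmd), RULES) else "deny"
        print(f"{cmd!r:45} -> {verdict}")
```

The two things worth noticing are that the first word of the line is the command and everything after it is argument data, so a rule for access-list says nothing about no access-list, and that an unanchored pattern would let access list 1210 through a rule written for 121.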

dns-servers=

This attribute assigns Domain Name System (DNS) servers, primary and optionally secondary, to dial-in Microsoft users. The addresses are handed to the client during IP Control Protocol (IPCP) negotiation. Because this happens during PPP negotiation, it is used with service=ppp and protocol=ip. Enter the addresses in dotted decimal, separated by a space if you supply two, for example dns-servers=4.3.2.4.

gw-password=

The gw-password= attribute is used in Virtual Private Dial-Up Networking (VPDN) to supply the home gateway password to a VPDN client. It is used during Layer 2 Forwarding (L2F) tunnel authentication. The service is still service=ppp, but the protocol is VPDN, that is, protocol=vpdn.

idletime=

This attribute is straightforward. idletime= sets an inactivity timeout, in minutes, for an established connection. For example, idletime=15 disconnects the session after 15 minutes with no traffic, and idletime=0 disables the timeout altogether, so an abandoned session stays up indefinitely.

inacl#n

The inacl#n attribute gives the identifier of an access list to be applied inbound on an interface for the duration of a PPP connection. The value is an ASCII access list identifier, and per-user access lists do not work on ISDN interfaces. The access list is removed when the session terminates. inacl is used with service=ppp and protocol=ip or protocol=ipx. The access list assigned here is a per-user access list, and it must already be configured on the AAA client.

inacl=

inacl= has the same characteristics as inacl#n, discussed previously. inacl= has been available since Cisco IOS Release 11.0; inacl#n has been available only since Release 11.3. The numbered form lets you send several instances of the attribute, distinguished by n.

interface-config#<n>

interface-config#n specifies AAA-driven interface configuration, per user, when used with service=ppp and protocol=lcp. Any IOS interface configuration command can be supplied this way and is applied within a virtual profile; for example, an interface-config#n value could be ip route-cache. You can send multiple instances of the attribute, distinguished by a unique number n.

ip-addresses=

The ip-addresses= attribute is again used in VPDN configurations; its value is a list of possible IP address destinations for the tunnel endpoint. Like gw-password=, it is used with service=ppp and protocol=vpdn. The addresses in the list are separated by spaces.

link-compression=

The link-compression= attribute determines whether "stac" compression is used on a PPP connection. It is a numeric value from 0 to 3: 0 means no compression, 1 selects "stac," 2 selects "stac-draft-9," and 3 selects MS-stac compression. This attribute became available in Cisco IOS Release 11.3.

load-threshold=n

In dial situations, you can create multilink bundles. As the load on a connection reaches a specified limit, a second connection is brought up to take some of the load from the initial link. The load-threshold=n attribute, used with service=ppp and protocol=multilink, sets the load at which another link in the bundle is brought up. The value can be from 1 to 255, where 255 is 100 percent load on a link.

max-links=n

load-threshold=n on its own can let one user consume every link in a multilink bundle. The max-links=n AV pair addresses this by setting the maximum number of links the user's bundle may use, again a value from 1 to 255. It is also used with service=ppp and protocol=multilink.

nas-password

Another VPDN attribute, nas-password=, specifies the password of the NAS used in tunnel authentication during the L2F portion of the connection. It is used with service=ppp and protocol=vpdn.

nocallback-verify

This AV pair designates that no callback verification is required; the only value you should ever see here is 1. It is used with service=ppp, service=arap, service=slip, and service=shell.

noescape=

You can use the noescape= AV pair to allow or disallow the user entering an escape character. The two possible values are true and false. It is used with service=shell.

nohangup=

The nohangup= AV pair determines whether to hang up the line after an EXEC shell has been terminated. For example, you are authenticated to the command line of a Cisco router and you type exit. If nohangup= is set to true, the line is not hung up; instead you are returned to a username prompt. The available values are true and false.

old-prompts=

One of the difficult tasks is migrating to a new version of TACACS without users noticing. The old-prompts= attribute lets you present the old TACACS and XTACACS prompts, making the migration transparent to the user.

outacl=

outacl= is similar to outacl#n. It applies an access list outbound on an interface for the duration of a user's connection. The access list must be preconfigured on the router before the outacl= attribute can reference it. The difference between outacl#n and outacl= is that in this form the ACL number can also be a SLIP outbound access list.

outacl#n

outacl#n is an ASCII access list identifier that applies an access list outbound on an interface for the duration of a user's connection. It is used with service=ppp and protocol=ip or protocol=ipx. Per-user access lists do not work on ISDN interfaces.

pool-def#n

This AV pair defines an IP address pool on the NAS. It is used with service=ppp and protocol=ip.

pool-timeout=

This attribute is used together with pool-def#n. It sets a timeout value for the addresses served by the pool defined with pool-def#n. It is used with service=ppp and protocol=ip.

ppp-vj-slot-compression=

This AV pair determines whether slot compression is used when sending Van Jacobson (VJ) compressed packets across a PPP connection.

priv-lvl=

This AV pair is straightforward. Cisco routers have privilege levels from 0 to 15: level 0 is the most restricted (only a handful of commands such as disable, enable, exit, help, and logout), level 1 is user EXEC, and level 15 is privileged (enable) EXEC. The levels in between can be customized to provide specific command sets to certain users. When a user enters the shell (service=shell), the privilege level is checked; this AV pair sets that value. Because priv-lvl=15 grants full control of the device, it is the attribute to audit most carefully in user and group profiles.

protocol=

In the hierarchy, you have a service, such as PPP, SLIP, or shell. Underneath those services you have a subset, which makes up the protocol. For example, if I dial in over PPP and bring up IP, the service is ppp and the protocol is ip. The values you can use are lcp, ip, ipx, atalk, vines, lat, tn3270, xremote, telnet, pad, rlogin, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, or unknown.

route=

When you use protocol=ip with service=slip or service=ppp, this AV pair applies the specified route to the interface used for access. If no gateway is specified, the peer's address is used as the gateway. The value has the same shape as a static route. An example follows:

 route="10.1.1.1 255.255.255.255 10.0.1.2" 

This AV pair installs a static route when the user completes network authorization. It is in fact a temporary static route, removed when the connection is dropped.

route#n

route#n is similar to the route= AV pair except that the route is numbered. By numbering the routes, you can add multiple routes for one user, each as its own instance of the attribute.
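The two attribute forms described in this chapter, single-valued name=value and numbered name#n=value (inacl#n, outacl#n, interface-config#n, route#n), as an added example that is not code from the book, from Cisco IOS, or from ACS. It parses a server's authorization reply into a dictionary, keeps numbered instances in order, refuses a reply that mixes name= with name#n or repeats an index, and applies range and format checks taken from the attribute descriptions on this page (priv-lvl 0 to 15, idletime= and timeout= in minutes, link-compression 0 to 3, load-threshold and max-links 1 to 255, route= as prefix, mask and optional gateway, dns-servers= and wins-servers= as one or two dotted-decimal addresses). One rule comes from the TACACS+ protocol rather than from this chapter: a pair written with "*" instead of "=" is optional rather than mandatory (RFC 8907). The sample reply is constructed, not captured traffic.

```python
"""Parse and validate the AV pairs of a TACACS+ authorization reply.

Added example; not code from the book, from Cisco IOS, or from ACS.
Checks are drawn from the attribute descriptions in the chapter; the
"=" (mandatory) versus "*" (optional) separator is from RFC 8907.
"""
from __future__ import annotations

import ipaddress
import re

# name, optional "#n" instance number, "=" or "*" separator, value
_PAIR = re.compile(r"^([A-Za-z0-9_\-]+?)(?:#(\d+))?([=*])(.*)$")


def parse_pair(pair: str):
    """Return (name, index, mandatory, raw_value); index is None for name=."""
    m = _PAIR.match(pair)
    if not m:
        raise ValueError(f"malformed AV pair: {pair!r}")
    name, idx, sep, value = m.groups()
    return name, (int(idx) if idx is not None else None), sep == "=", value


def _int_range(lo: int, hi: int | None):
    """Build a checker for a decimal integer in lo..hi (hi None = no cap)."""
    def check(v: str) -> int:
        if not v.isdigit() or int(v) < lo or (hi is not None and int(v) > hi):
            raise ValueError(f"expected integer >= {lo}" + (f" and <= {hi}" if hi is not None else "") + f", got {v!r}")
        return int(v)
    return check


def _ip_list(v: str):
    """One or two space-separated dotted-decimal addresses."""
    addrs = [ipaddress.IPv4Address(a) for a in v.split()]
    if not 1 <= len(addrs) <= 2:
        raise ValueError(f"expected one or two addresses, got {v!r}")
    return addrs


def _route(v: str):
    """'prefix mask [gateway]'; the book writes the value in quotes."""
    parts = v.strip('"').split()
    if len(parts) not in (2, 3):
        raise ValueError(f"route needs 'prefix mask [gateway]', got {v!r}")
    net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
    gw = ipaddress.IPv4Address(parts[2]) if len(parts) == 3 else None
    return net, gw


CHECKS = {
    "priv-lvl": _int_range(0, 15),
    "idletime": _int_range(0, None),
    "timeout": _int_range(0, None),
    "link-compression": _int_range(0, 3),
    "load-threshold": _int_range(1, 255),
    "max-links": _int_range(1, 255),
    "addr": ipaddress.IPv4Address,
    "dns-servers": _ip_list,
    "wins-servers": _ip_list,
    "route": _route,
}


def parse_reply(pairs: list[str]):
    """Group reply AV pairs: name=value -> value, name#n=value -> ordered list.

    Returns (attributes, optional_names). Mixing name= with name#n, or
    repeating an index, is rejected rather than silently overwritten.
    """
    single, numbered, optional = {}, {}, set()
    for p in pairs:
        name, idx, mandatory, raw = parse_pair(p)
        value = CHECKS.get(name, lambda v: v)(raw)
        if not mandatory:
            optional.add(name)
        if idx is None:
            if name in single or name in numbered:
                raise ValueError(f"duplicate attribute {name}")
            single[name] = value
        else:
            if name in single:
                raise ValueError(f"{name} given both as {name}= and {name}#n")
            if idx in numbered.setdefault(name, {}):
                raise ValueError(f"duplicate instance {name}#{idx}")
            numbered[name][idx] = value
    attrs = dict(single)
    for name, by_idx in numbered.items():
        attrs[name] = [by_idx[i] for i in sorted(by_idx)]
    return attrs, optional


def reply_error(pairs: list[str]) -> str | None:
    """None if the reply parses and validates, else the first error text."""
    try:
        parse_reply(pairs)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample reply for a PPP/IP user (not captured traffic).
SAMPLE_REPLY = [
    "service=ppp", "protocol=ip",
    "addr=10.1.1.20",
    "inacl#1=101",
    "route#1=10.1.1.1 255.255.255.255 10.0.1.2",
    "route#2=10.2.0.0 255.255.0.0",
    "idletime=15",
    "dns-servers*10.1.1.5 10.1.1.6",       # '*' marks the pair optional
]

if __name__ == "__main__":
    attrs, optional = parse_reply(SAMPLE_REPLY)
    for k, v in attrs.items():
        print(f"{k:12} {'(optional)' if k in optional else '':10} {v}")
    print(reply_error(["priv-lvl=16"]))
    print(reply_error(["inacl=101", "inacl#1=102"]))
```

The point of the duplicate checks is that a reply carrying both inacl=101 and inacl#1=102 is ambiguous about which list the client will apply; treating it as an error on the server side is safer than letting whichever pair arrives last win.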

routing=

This AV pair is a true/false switch that determines whether to accept routing information from this interface and propagate it across the link.

rte-ftr-in#n

This AV pair names an input access list used to filter routing updates. The filter applies only for the duration of the connection and is removed on disconnect.

rte-ftr-out#n

This AV pair is the same as rte-ftr-in#n, except that it is applied to outbound routing updates.

sap-fltr-in#n

This AV pair assigns an inbound SAP filter, given as an input SAP filter access list. It is applied for the duration of the connection and is used with protocol=ipx.

sap-fltr-out#n

Similar to the input SAP filter, this is applied for the duration of the connection in an outbound direction. It is also used with protocol=ipx.

sap#n

This is for static Service Advertising Protocol (SAP) entries to be installed upon connection. This is used with the protocol=ipx.

service=

The service AV pair identifies the type of service being authorized. The values are ppp, slip, arap, and shell, plus tty-daemon, system, and connection. The most common are ppp and shell. This attribute is not optional: every authorization request must include a service=, and the remaining attributes are interpreted in its context.

source-ip=

This AV pair has the same function as the source address in the vpdn outgoing global configuration command. All VPDN packets generated as part of the tunnel carry this source IP address.

timeout=

The timeout= AV pair defines the absolute session timeout, in minutes, for EXEC and ARAP sessions and is used with service=arap. A value of 0 means no timeout; a value of 5 means 5 minutes. Unlike idletime=, this limit applies regardless of activity.

tunnel-id

The tunnel-id is the username passed to authenticate the VPDN tunnel. It is the same as the remote name configured in the vpdn outgoing commands.

wins-servers=

This AV pair identifies the Windows Internet Name Service (WINS) servers that PPP clients request during PPP negotiation. It is used with service=ppp. For example:

 wins-servers=10.1.1.3 

zonelist=

This AV pair defines the AppleTalk zone list. It is used with ARAP, that is, service=arap.

Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173