Table A-4 lists the supported RADIUS (IETF) attributes. If the attribute has a security server-specific format, the format is specified.
Table A-4. Internet Engineering Task Force (IETF) RADIUS
Attribute | Number | Description | Type of Value | Inbound/Outbound | Multiple |
|---|
User-Name | 1 | Name of the user being authenticated. | string | Inbound | No |
User-Password | 2 | User password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications. | string | Outbound | No |
CHAP-Password | 3 | Point-to-Point Protocol (PPP) Challenge Handshake Authentication Protocol (CHAP) response to an Access-Challenge. | string | Outbound | No |
NAS-IP Address | 4 | IP address of the AAA client that is requesting authentication. | ipaddr | Inbound | No |
NAS-Port | 5 | Physical port number of the AAA client that is authenticating the user. The AAA client port value (32 bits) consists of one or two 16-bit values, depending on the setting of the RADIUS server extended portnames command. Each 16-bit number is a 5-digit decimal integer interpreted as follows: For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number. For ordinary synchronous network interfaces, the value is 10xxx. For channels on a primary-rate Integrated Services Digital Network (ISDN) interface, the value is 2ppcc. For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss. | integer | Inbound | No |
Service-Type | 6 | Type of service requested or type of service to be provided: In a request: Framed For known PPP or Serial Line Internet Protocol (SLIP) connection. Administrative user For enable command. In a response: Login Make a connection. Framed Start SLIP or PPP. Administrative user Start an EXEC or enable ok. Exec user Start an EXEC session. | integer | Both | No |
Framed-Protocol | 7 | Framing to be used for framed access. | integer | Both | No |
Framed-IP-Address | 8 | Address to be configured for the user. | | | |
Framed-IP-Netmask | 9 | IP netmask to be configured for the user when the user is a router to a network. This AV results in a static route being added for Framed-IP-Address with the mask specified. | ipaddr (maximum length 15 characters) | Outbound | No |
Framed-Routing | 10 | Routing method for the user when the user is a router to a network. Only None and Send and Listen values are supported for this attribute. | integer | Outbound | No |
Filter-Id | 11 | Name of the filter list for the user, formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For framed service, use %d or %d.out as interface output access list and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. | string | Outbound | Yes |
Framed-MTU | 12 | Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means. | integer (maximum length 10 characters) | Outbound | No |
Framed-Compression | 13 | Compression protocol used for the link. This attribute results in /compress being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. | integer | Outbound | Yes |
Login-IP-Host | 14 | Host to which the user connects when the Login-Service attribute is included. | ipaddr (maximum length 15 characters) | Both | Yes |
Login-Service | 15 | Service that should be used to connect the user to the login host. Service is indicated by a numeric value: 0: Telnet 1: Rlogin 2: TCP-Clear 3: PortMaster 4: LAT | integer | Both | No |
Login-TCP-Port | 16 | Transmission Control Protocol (TCP) port with which the user is to be connected when the Login-Service attribute is also present. | integer (maximum length 10 characters) | Outbound | No |
Reply-Message | 18 | Text to be displayed to the user. | string | Outbound | Yes |
Callback-Number | 19 | | string | Outbound | No |
Callback-Id | 20 | | string | Outbound | No |
Framed-Route | 22 | Routing information to be configured for the user on this AAA client. The RADIUS Request For Comments (RFC) format (net/bits [router [metric]]) and the old style dotted mask (netmask [router [metric]]) are supported. If the router field is omitted or 0 (zero), the peer IP address is used. Metrics are ignored. | string | Outbound | Yes |
Framed-IPX-Network | 23 | | integer | Outbound | No |
State | 24 | Allows state information to be maintained between the AAA client and the RADIUS server. This attribute is only applicable to CHAP challenges. | string (maximum length 253 characters) | Outbound | No |
Class | 25 | Arbitrary value that the AAA client includes in all accounting packets for this user (if supplied by the RADIUS server). | string | Both | Yes |
Vendor-Specific | 26 | Allows vendors to support their own extended attributes. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option is vendor-type 1, cisco-avpair. The value is a string of the format: protocol:attribute sep value protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of TACACS+ authorization features to be used for RADIUS. The following is an example: cisco-avpair= "ip:addr-pool=first" cisco-avpair= "shell:priv-lvl=15" The first example causes the Cisco multiple named IP address pools feature to be activated during IP authorization (during PPP Internet Protocol Control Protocol [IPCP] address assignment). The second example causes a user of a device-hosted administrative session to have immediate access to EXEC commands. | string | Outbound | Yes |
Session-Timeout | 27 | Maximum number of seconds of service to be provided to the user before the session terminates. This AV becomes the per-user absolute timeout. This attribute is not valid for PPP sessions. | integer (maximum length 10 characters) | Outbound | No |
Idle-Timeout | 28 | Maximum number of consecutive seconds of idle connection time allowed to the user before the session terminates. This AV becomes the per-user session timeout. This attribute is not valid for PPP sessions. | integer (maximum length 10 characters) | Outbound | No |
Termination-Action | 29 | | integer | Both | No |
Called-Station-Id | 30 | Allows the AAA client to send the telephone number the call came from as part of the access-request packet using automatic number identification or similar technology. This attribute has the same value as remote-addr in TACACS+. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI. | string | Inbound | No |
Calling-Station-Id | 31 | Allows the AAA client to send the telephone number the user called into as part of the access-request packet, using dialed number identification server (DNIS) or similar technology. This attribute is only supported on ISDN and for modem calls on the Cisco AS5200 if used with PRI. | string | Inbound | No |
NAS-Identifier | 32 | | string | Inbound | No |
Proxy-State | 33 | Included in proxied RADIUS requests per RADIUS standards. The operation of Cisco Secure ACS does not depend on the contents of this attribute. | string (maximum length 253 characters) | Inbound | No |
Login-LAT-Service | 34 | System with which the user is to be connected by local-area transport (LAT) protocol. This attribute is only available in EXEC mode. | string (maximum length 253 characters) | Inbound | No |
Login-LAT-Node | 35 | | string | Inbound | No |
Login-LAT-Group | 36 | | string | Inbound | No |
Framed-AppleTalk-Link | 37 | | integer | Outbound | No |
Framed-AppleTalk-Network | 38 | | integer | Outbound | Yes |
Framed-AppleTalk-Zone | 39 | | string | Outbound | No |
Acct-Status-Type | 40 | Specifies whether this accounting request marks the beginning of the user service (start) or the end (stop). | integer | Inbound | No |
Acct-Delay-Time | 41 | Number of seconds the client has been trying to send a particular record. | integer | Inbound | No |
Acct-Input-Octets | 42 | Number of octets received from the port while this service is being provided. | integer | Inbound | No |
Acct-Output-Octets | 43 | Number of octets sent to the port while this service is being delivered. | integer | Inbound | No |
Acct-Session-Id | 44 | Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable. | string | Inbound | No |
Acct-Authentic | 45 | Way in which the user was authenticatedby RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. | integer | Inbound | No |
Acct-Session-Time | 46 | Number of seconds the user has been receiving service. | integer | Inbound | No |
Acct-Input-Packets | 47 | Number of packets received from the port while this service is being provided to a framed user. | integer | Inbound | No |
Acct-Output-Packets | 48 | Number of packets sent to the port while this service is being delivered to a framed user. | integer | Inbound | No |
Acct-Terminate-Cause | 49 | Reports details on why the connection was terminated. Termination causes are indicated by a numeric value: 1: User request 2: Lost carrier 3: Lost service 4: Idle timeout 5: Session-timeout 6: Admin reset 7: Admin reboot 8: Port error 9: AAA client error 10: AAA client request 11: AAA client reboot 12: Port unneeded 13: Port pre-empted 14: Port suspended 15: Service unavailable 16: Callback 17: User error 18: Host request | integer | Inbound | No |
Acct-Multi-Session-Id | 50 | | string | Inbound | No |
Acct-Link-Count | 51 | | integer | Inbound | No |
Acct-Input-Gigawords | 52 | | integer | Inbound | No |
Acct-Output-Gigawords | 53 | | integer | Inbound | No |
Event-Timestamp | 55 | | date | Inbound | No |
CHAP-Challenge | 60 | | string | Inbound | No |
NAS-Port-Type | 61 | Indicates the type of physical port the AAA client is using to authenticate the user. Physical ports are indicated by a numeric value: 0: Asynchronous 1: Synchronous 2: ISDN-Synchronous 3: ISDN-Asynchronous (V.120) 4: ISDN-Asynchronous (V.110) 5: Virtual | integer | Inbound | No |
Port-Limit | 62 | Sets the maximum number of ports to be provided to the user by the network access server. | integer (maximum length 10 characters) | Both | No |
Login-LAT-Port | 63 | | string | Both | No |
Tunnel-Type | 64 | | tagged integer | Both | Yes |
Tunnel-Medium-Type | 65 | | tagged integer | Both | Yes |
Tunnel-Client-Endpoint | 66 | | tagged string | Both | Yes |
Tunnel-Server-Endpoint | 67 | | tagged string | Both | Yes |
Acct-Tunnel-Connection | 68 | | string | Inbound | No |
Tunnel-Password | 69 | | tagged string | Both | Yes |
ARAP-Password | 70 | | string | Inbound | No |
ARAP-Features | 71 | | string | Outbound | No |
ARAP-Zone-Access | 72 | | integer | Outbound | No |
ARAP-Security | 73 | | integer | Inbound | No |
ARAP-Security-Data | 74 | | string | Inbound | No |
Password-Retry | 75 | | integer | Internal use only | No |
Prompt | 76 | | integer | Internal use only | No |
Connect-Info | 77 | | string | Inbound | No |
Configuration-Token | 78 | | string | Internal use only | No |
EAP-Message | 79 | | string | Internal use only | No |
Message-Authenticator | 80 | | string | Outbound | No |
Tunnel-Private-Group-ID | 81 | | tagged string | Both | Yes |
Tunnel-Assignment-ID | 82 | | tagged string | Both | Yes |
Tunnel-Preference | 83 | | tagged integer | Both | No |
Acct-Interim-Interval | 85 | | integer | Outbound | No |
NAS-Port-Id | 87 | | string | Inbound | No |
Framed-Pool | 88 | | string | Internal use only | No |
Tunnel-Client-Auth-ID | 90 | | tagged string | Both | Yes |
Tunnel-Server-Auth-ID | 91 | | tagged string | Both | Yes |
Primary-DNS-Server | 135 | | ipaddr | Both | No |
Secondary-DNS-Server | 136 | | ipaddr | Both | No |
Multilink-ID | 187 | | integer | Inbound | No |
Num-In-Multilink | 188 | | integer | Inbound | No |
Pre-Input-Octets | 190 | | integer | Inbound | No |
Pre-Output-Octets | 191 | | integer | Inbound | No |
Pre-Input-Packets | 192 | | integer | Inbound | No |
Pre-Output-Packets | 193 | | integer | Inbound | No |
Maximum-Time | 194 | | integer | Both | No |
Disconnect-Cause | 195 | | integer | Inbound | No |
Data-Rate | 197 | | integer | Inbound | No |
PreSession-Time | 198 | | integer | Inbound | No |
PW-Lifetime | 208 | | integer | Outbound | No |
IP-Direct | 209 | | ipaddr | Outbound | No |
PPP-VJ-Slot-Comp | 210 | | integer | Outbound | No |
Assign-IP-Pool | 218 | | integer | Outbound | No |
Route-IP | 228 | | integer | Outbound | No |
Link-Compression | 233 | | integer | Outbound | No |
Target-Utils | 234 | | integer | Outbound | No |
Maximum-Channels | 235 | | integer | Outbound | No |
Data-Filter | 242 | | Ascend filter | Outbound | Yes |
Call-Filter | 243 | | Ascend filter | Outbound | Yes |
Idle-Limit | 244 | | integer | Outbound | No |
