RADIUS Vendor-Proprietary Attributes The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. However, some vendors have extended the RADIUS attribute set for specific applications. This document provides Cisco IOS XE support information for these vendor-proprietary RADIUS attrubutes. • Finding Feature Information, page 1 • Supported Vendor-Proprietary RADIUS Attributes, page 1 • Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions, page 8 • Feature Information for RADIUS Vendor-Proprietary Attributes, page 19 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Supported Vendor-Proprietary RADIUS Attributes The table below lists Cisco-supported vendor-proprietary RADIUS attributes and the Cisco IOS XE release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified. Refer to Refer to Vendor-Proprietary RADIUS Attributes table for a list of descriptions. Table 1: Supported Vendor-Proprietary RADIUS Attributes IOS XE 2.1 Vendor-Proprietary Attribute Number yes Change-Password 17 yes Password-Expiration 21 RADIUS Attributes Configuration Guide, Cisco IOS XE Fuji 16.8.x 1
Transcript
RADIUS Vendor-Proprietary Attributes
The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary informationbetween the network access server and the RADIUS server. However, some vendors have extended theRADIUS attribute set for specific applications. This document provides Cisco IOS XE support informationfor these vendor-proprietary RADIUS attrubutes.
• Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions, page 8
• Feature Information for RADIUS Vendor-Proprietary Attributes, page 19
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Supported Vendor-Proprietary RADIUS AttributesThe table below lists Cisco-supported vendor-proprietary RADIUS attributes and the Cisco IOS XE releasein which they are implemented. In cases where the attribute has a security server-specific format, the formatis specified. Refer to Refer to Vendor-Proprietary RADIUS Attributes table for a list of descriptions.
Comprehensive List of Vendor-Proprietary RADIUS AttributeDescriptions
The table below lists and describes the known vendor-proprietary RADIUS attributes:
Table 2: Vendor-Proprietary RADIUS Attributes
DescriptionVendor-Proprietary AttributeNumber
Specifies a request to change thepassword of a user.
Change-Password17
Specifies an expiration date for auser’s password in the user’s fileentry.
Password-Expiration21
(Ascend 5) Specifies the stringassigned by RADIUS for eachsession using CLID or DNIStunneling. When accounting isimplemented, this value is used foraccoutning.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
No description available.Base-Channel-Count172
No description available.Minimum-Channels173
No description available.IPX-Route174
No description available.FT1-Caller175
No description available.Backup176
No description available.Call-Type177
No description available.Group178
No description available.FR-DLCI179
No description available.FR-Profile-Name180
No description available.Ara-PW181
No description available.IPX-Node-Addr182
Indicates the home agent’s IPaddress (in dotted decimal format)when using Ascend TunnelManagement Protocol (ATMP).
Home-Agent-IP-Addr183
With ATMP, specifies thepassword that the foreign agentuses to authenticate itself.
Home-Agent-Password184
With ATMP, indicates the name ofthe connection profile to which thehome agent sends all packets.
Home-Network-Name185
Indicates the UDP port number theforeign agent uses to send ATMPmessages to the home agent.
Home-Agent-UDP-Port186
Reports the identification numberof the multilink bundle when thesession closes. This attributeapplies to sessions that are part ofa multilink bundle. TheMultilink-ID attribute is sent inauthentication-response packets.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
Reports the number of sessionsremaining in a multilink bundlewhen the session reported in anaccounting-stop packet closes. Thisattribute applies to sessions that arepart of a multilink bundle. TheNum-In-Multilink attribute is sentin authentication-response packetsand in some accounting-requestpackets.
Num-In-Multilink188
Records the destination IP addressof the first packet received afterauthentication.
First-Dest189
Records the number of input bytesbefore authentication. ThePre-Bytes-In attribute is sent inaccounting-stop records.
Pre-Bytes-In190
Records the number of output bytesbefore authentication. ThePre-Bytes-Out attribute is sent inaccounting-stop records.
Pre-Bytes-Out191
Records the number of inputpackets before authentication. ThePre-Paks-In attribute is sent inaccounting-stop records.
Pre-Paks-In192
Records the number of outputpackets before authentication. ThePre-Paks-Out attribute is sent inaccounting-stop records.
Pre-Paks-Out193
Specifies the maximum length oftime (in seconds) allowed for anysession. After the session reachesthe time limit, its connection isdropped.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
Specifies the reason a connectionwas taken offline. TheDisconnect-Cause attribute is sentin accounting-stop records. Thisattribute also causes stop recordsto be generated without firstgenerating start records ifdisconnection occurs beforeauthentication is performed. Seethe Vendor-Specific Attributes(VSA) and RADIUSDisconnect-CauseAttribute Valuesfor more information on theirmeanings.
Disconnect-Cause195
Indicates the connection statebefore the connection isdisconnected.
Connect-Progress196
Specifies the average number ofbits per second over the course ofthe connection’s lifetime. TheData-Rate attribute is sent inaccounting-stop records.
Data-Rate197
Specifies the length of time, inseconds, from when a call firstconnects to when it completesauthentication. ThePreSession-Time attribute is sentin accounting-stop records.
PreSession-Time198
Indicates the maximum amount oftime (in minutes) a cached tokencan remain alive betweenauthentications.
Token-Idle199
Defines whether additionalauthentication is required for classthat has been CLID authenticated.
Require-Auth201
Specifies the number of activesessions (per class) reported to theRADIUS accounting server.
Number-Sessions202
Defines the RADIUS server’s loginname during PPP authentication.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
Defines the lifetime of a cachedtoken.
Token-Expiry204
Defines a string to be used to cuea user to input data.
Menu-Selector205
Specifies a single menu-item for auser-profile. Up to 20 menu itemscan be assigned per profile.
Menu-Item206
(Ascend 5) No descriptionavailable.
PW-Warntime207
Enables you to specify on aper-user basis the number of daysthat a password is valid.
PW-Lifetime208
When you include this attribute ina user’s file entry, a framed routeis installed to the routing andbridging tables.
Packet routing isdependent upon the entiretable, not just this newlyinstalled entry. Theinclusion of this attributedoes not guarantee that allpackets should be sent tothe specified IP address;thus, this attribute is notfully supported. Theseattribute limitations occurbecause the Cisco routercannot bypass all internalrouting and bridging tablesand send packets to aspecified IP address.
Note
IP-Direct209
Instructs the Cisco router not to useslot compression when sendingVJ-compressed packets over a PPPlink.
PPP-VJ-Slot-Comp210
Instructs PPP to use the 0x0037value for VJ compression.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
Gives the Cisco router theasynchronous control charactermap for the PPP session. Thespecified control characters arepassed through the PPP link as dataand used by applications runningover the link.
PPP-Async-Map212
Defines a third prompt (afterusername and password) foradditional user input.
Third-Prompt213
Enables an encrypted password tobe used in place of a regularpassword in outdial profiles.
Send-Secret214
Enables an encrypted password tobe verified by the RADIUS server.
Receive-Secret215
(Ascend 5) No descriptionavailable.
IPX-Peer-Mode216
Defines a pool of addresses usingthe following format: X a.b.c Z;where X is the pool index number,a.b.c is the pool’s starting IPaddress, and Z is the number of IPaddresses in the pool. For example,3 10.0.0.1 5 allocates 10.0.0.1through 10.0.0.5 for dynamicassignment.
IP-Pool-Definition217
Tells the router to assign the userand IP address from the IP pool.
Assign-IP-Pool218
Defines whether the connectionprofile operates in Frame Relayredirect mode.
FR-Direct219
Defines the name of the FrameRelay profile carrying thisconnection to the Frame Relayswitch.
FR-Direct-Profile220
Indicates the DLCI carrying thisconnection to the Frame Relayswitch.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
Specifies the load-thresholdpercentage value for bringing upan additional channel when PPPmultilink is defined.
Target-Util234
Specifies allowed/allocatablemaximum number of channels.
Maximum-Channels235
No description available.Inc-Channel-Count236
No description available.Dec-Channel-Count237
No description available.Seconds-of-History238
No description available.History-Weigh-Type239
No description available.Add-Seconds240
No description available.Remove-Seconds241
Defines per-user IP data filters.These filters are retrieved onlywhen a call is placed using aRADIUS outgoing profile oranswered using a RADIUSincoming profile. Filter entries areapplied on a first-match basis;therefore, the order in which filterentries are entered is important.
Data-Filter242
Defines per-user IP data filters. Ona Cisco router, this attribute isidentical to the Data-Filterattribute.
Call-Filter243
Specifies the maximum time (inseconds) that any session can beidle. When the session reaches theidle time limit, its connection isdropped.
RADIUS Vendor-Proprietary AttributesComprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
DescriptionVendor-Proprietary AttributeNumber
Determines whether the networkaccess server uses only the 56 Kportion of a channel, even when all64 K appear to be available.
Force-56248
No description available.Billing Number249
No description available.Call-By-Call250
No description available.Transit-Number251
No description available.Host-Info252
Indicates the IP address reportedto the calling unit during PPP IPCPnegotiations.
PPP-Address253
No description available.MPP-Idle-Percent254
(Ascend 5) No descriptionavailable.
Xmit-Rate255
See the Configuring RADIUS feature module for more information on vendor-propritary RADIUS attributes.
Feature Information for RADIUS Vendor-Proprietary AttributesThe following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 3: Feature Information for RADIUS Vendor-Proprietary Attributes
Feature InformationReleasesFeature Name
The IETF draft standard forRADIUS specifies a method forcommunicating vendor-proprietaryinformation between the networkaccess server and the RADIUSserver. However, some vendorshave extended the RADIUSattribute set for specificapplications. This documentprovides Cisco IOS XE supportinformation for thesevendor-proprietary RADIUSattrubutes.
In Cisco IOS XE Release 2.1, thisfeature was introduced on the CiscoASR 1000 Series AggregationServices Routers.
