RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T Americas Headquarters

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2012 Cisco Systems, Inc. All rights reserved.
CONTENTS
RADIUS Attributes Overview and RADIUS IETF Attributes
  Finding Feature Information
  Information About RADIUS Attributes
  IETF Attributes Versus VSAs
  RADIUS Packet Format
  RADIUS Packet Types
  RADIUS Files
  Dictionary File
  Clients File
  Users File
  RADIUS IETF Attributes
  Supported RADIUS IETF Attributes
  Comprehensive List of RADIUS Attribute Descriptions
  Additional References
  Feature Information for RADIUS Attributes Overview and RADIUS IETF Attributes
RADIUS Vendor-Proprietary Attributes
  Finding Feature Information
  Supported Vendor-Proprietary RADIUS Attributes
  Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
  Feature Information for RADIUS Vendor-Proprietary Attributes
RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
  Finding Feature Information
  Information About RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
  RADIUS Disconnect-Cause Attribute Values
  Additional References
  Feature Information for RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
Connect-Info RADIUS Attribute 77
  Finding Feature Information
  Prerequisites for Connect-Info RADIUS Attribute 77
  How to Verify the Connect-Info RADIUS Attribute 77
  Configuration Example for Connect-Info RADIUS Attribute 77
  Configure NAS for AAA and Incoming Modem Calls Example
  Additional References
  Feature Information for Connect-Info RADIUS Attribute 77
Encrypted Vendor-Specific Attributes
  Finding Feature Information
  Prerequisites for Encrypted Vendor-Specific Attributes
  Information About Encrypted Vendor-Specific Attributes
  Tagged String VSA
  Encrypted String VSA
  Tagged and Encrypted String VSA
  How to Verify Encrypted Vendor-Specific Attributes
  Configuration Examples for Encrypted Vendor-Specific Attributes
  NAS Configuration Example
  RADIUS User Profile with a Tagged and Encrypted VSA Example
  Additional References
  Feature Information for Encrypted Vendor-Specific Attributes
RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
  Finding Feature Information
  Prerequisites for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
  Information About RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
  RADIUS Attribute 5 Format Customization
  How to Configure RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
  Configuring the RADIUS Attribute 5 Format on a Per-Server Group Level
  Monitoring and Maintaining RADIUS Attribute 5 Format on a Per-Server Group Level
  Configuration Examples for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
  RADIUS Attribute 5 Format Specified on a Per-Server Level Example
  Additional References
  Feature Information for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
RADIUS Attribute 8 Framed-IP-Address in Access Requests
  Finding Feature Information
  Prerequisites for RADIUS Attribute 8 Framed-IP-Address in Access Requests
  Information About RADIUS Attribute 8 Framed-IP-Address in Access Requests
  How to Configure RADIUS Attribute 8 Framed-IP-Address in Access Requests
  Configuring RADIUS Attribute 8 in Access Requests
  Verifying RADIUS Attribute 8 in Access Requests
  Configuration Examples for RADIUS Attribute 8 Framed-IP-Address in Access Requests
  NAS Configuration That Sends the IP Address of the Dial-in Host to the RADIUS Server in the RADIUS Access Request
  Additional References
  Feature Information for RADIUS Attribute 8 Framed-IP-Address in Access Requests
RADIUS Attribute 82 Tunnel Assignment ID
  Finding Feature Information
  Prerequisites for RADIUS Attribute 82 Tunnel Assignment ID
  Restrictions for RADIUS Attribute 82 Tunnel Assignment ID
  Information About RADIUS Attribute 82 Tunnel Assignment ID
  How to Verify if RADIUS Attribute 82 is Being Used by the LAC
  Configuration Examples for RADIUS Attribute 82 Tunnel Assignment ID
  LAC Configuration Example
  LNS Configuration Example
  RADIUS Configuration Example
  Additional References
  Feature Information for RADIUS Attribute 82 Tunnel Assignment ID
RADIUS Attribute 104
  Finding Feature Information
  Prerequisites for RADIUS Attribute 104
  Restrictions for RADIUS Attribute 104
  Information About RADIUS Attribute 104
  Policy-Based Routing Background
  Attribute 104 and the Policy-Based Route Map
  RADIUS Attribute 104 Overview
  Permit Route Map
  Default Private Route
  Route Map Order
  How to Apply RADIUS Attribute 104
  Applying RADIUS Attribute 104 to Your User Profile
  Verifying Route Maps
  Troubleshooting the RADIUS Profile
  Configuration Examples for RADIUS Attribute 104
  Route-Map Configuration in Which Attribute 104 Has Been Applied Example
  Additional References
  Related Documents
  Standards
  MIBs
  RFCs
  Technical Assistance
  Feature Information for RADIUS Attribute 104
RADIUS Tunnel Attribute Extensions
  Finding Feature Information
  Prerequisites for RADIUS Tunnel Attribute Extensions
  Restrictions for RADIUS Tunnel Attribute Extensions
  Information About RADIUS Tunnel Attribute Extensions
  How RADIUS Tunnel Attribute Extensions Work
  How to Verify RADIUS Attribute 90 and RADIUS Attribute 91
  Configuration Examples for RADIUS Tunnel Attribute Extensions
  L2TP Network Server Configuration Example
  RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91 Example
  Additional References
  Feature Information for RADIUS Tunnel Attribute Extensions
  Glossary
V.92 Reporting Using RADIUS Attribute v.92-info
  Finding Feature Information
  Prerequisites for V.92 Reporting Using RADIUS Attribute v.92-info
  Restrictions for V.92 Reporting Using RADIUS Attribute v.92-info
  Information About V.92 Reporting Using RADIUS Attribute v.92-info
  V.92 Standard Overview
  VSA v.92-info
  How to Monitor and Verify V.92 Call Information
  Monitoring V.92 Call Information
  Verifying V.92 Call Information
  Troubleshooting Tips
  Additional References
  Related Documents
  Standards
  MIBs
  RFCs
  Technical Assistance
  Feature Information for V.92 Reporting Using RADIUS Attribute v.92-info
RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  Finding Feature Information
  Prerequisites for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  Restrictions for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  Information About RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  How the RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements are Used
  How to Configure RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  Configuration Example for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  Setting Up the RADIUS Profile for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements Example
  Additional References
  Feature Information for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
  Glossary
RADIUS Attribute Screening
  Finding Feature Information
  Prerequisites for RADIUS Attribute Screening
  Restrictions for RADIUS Attribute Screening
  Information About RADIUS Attribute Screening
  How to Screen RADIUS Attributes
  Configuring RADIUS Attribute Screening
  Verifying RADIUS Attribute Screening
  Configuration Examples for RADIUS Attribute Screening
  Authorization Accept Example
  Accounting Reject Example
  Authorization Reject and Accounting Accept Example
  Rejecting Required Attributes Example
  Additional References
  Feature Information for RADIUS Attribute Screening
  Glossary
RADIUS NAS-IP-Address Attribute Configurability
  Finding Feature Information
  Prerequisites for RADIUS NAS-IP-Address Attribute Configurability
  Restrictions for RADIUS NAS-IP-Address Attribute Configurability
  Information About RADIUS NAS-IP-Address Attribute Configurability
  Using the RADIUS NAS-IP-Address Attribute Configurability Feature
  How to Configure RADIUS NAS-IP-Address Attribute Configurability
  Configuring RADIUS NAS-IP-Address Attribute Configurability
  Monitoring and Maintaining RADIUS NAS-IP-Address Attribute Configurability
  Configuration Examples for RADIUS NAS-IP-Address Attribute Configurability
  Configuring a RADIUS NAS-IP-Address Attribute Configurability Example
  Additional References
  Related Documents
  Standards
  MIBs
  RFCs
  Technical Assistance
  Feature Information for RADIUS NAS-IP-Address Attribute Configurability
AAA Per VC QoS Policy Support
  Finding Feature Information
  Prerequisites for AAA Per VC QoS Policy Support
  Restrictions for AAA Per VC QoS Policy Support
  Information About AAA Per VC QoS Policy Support
  RADIUS Push and Pull
  Interface Policy Map AAA Attributes
  Configuration Examples for AAA Per VC QoS Policy Support
  RADIUS Interface Policy Map Profile Example
  Define the Policy Map on the Router Example
  Display the Service Policy Example
  Additional References
  Feature Information for AAA Per VC QoS Policy Support
RADIUS Attributes Overview and RADIUS IETF Attributes
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific
authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the
RADIUS daemon. This module lists the RADIUS attributes currently supported.
• Finding Feature Information
• Information About RADIUS Attributes
• Additional References
• Feature Information for RADIUS Attributes Overview and RADIUS IETF Attributes
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About RADIUS Attributes
• IETF Attributes Versus VSAs
• RADIUS Packet Format
• RADIUS Files
• RADIUS IETF Attributes
IETF Attributes Versus VSAs
RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes
that are used to communicate AAA information between a client and a server. Because IETF attributes are
standard, the attribute data is predefined and well known; thus all clients and servers who exchange AAA
information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and
the general bounds of the values for each attribute.
RADIUS vendor-specific attributes (VSAs) are derived from one IETF attribute--vendor-specific (attribute 26).
Attribute 26 allows a vendor to create an additional 255 attributes however they wish. That is, a vendor can
create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26;
thus, the newly created attribute is accepted if the user accepts attribute 26.
See Chapter 1, "RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values,"
for more information on VSAs.
RADIUS Packet Format
The data between a RADIUS server and a RADIUS client is exchanged in RADIUS packets. The data
fields are transmitted from left to right.
Figure 1 shows the fields within a RADIUS packet.
Figure 1: RADIUS Packet Diagram
Each RADIUS packet contains the following information:
• Code--The code field is one octet; it identifies one of the following types of RADIUS packets:
  ◦ Access-Request (1)
  ◦ Access-Accept (2)
  ◦ Access-Reject (3)
  ◦ Accounting-Request (4)
  ◦ Accounting-Response (5)
• Identifier--The identifier field is one octet; it helps the RADIUS server match requests and responses
  and detect duplicate requests.
• Length--The length field is two octets; it specifies the length of the entire packet.
• Authenticator--The authenticator field is 16 octets. The most significant octet is transmitted first; it is
  used to authenticate the reply from the RADIUS server. Two types of authenticators are as follows:
  ◦ Request-Authenticator: Available in Access-Request and Accounting-Request packets
  ◦ Response-Authenticator: Available in Access-Accept, Access-Reject, Access-Challenge, and
    Accounting-Response packets
RADIUS Packet Types
The following list defines the RADIUS packet types that can contain attribute information:
Access-Request--Sent from a client to a RADIUS server. The packet contains information that allows the
RADIUS server to determine whether to allow access to a specific network access server (NAS), which
allows access to the user. Any user performing authentication must submit an Access-Request packet. Once
an Access-Request packet is received, the RADIUS server must forward a reply.
Access-Accept--Once a RADIUS server receives an Access-Request packet, it must send an Access-Accept
packet if all attribute values in the Access-Request packet are acceptable. Access-Accept packets provide
the configuration information necessary for the client to provide service to the user.
Access-Reject--Once a RADIUS server receives an Access-Request packet, it must send an Access-Reject
packet if any of the attribute values are not acceptable.
Access-Challenge--Once the RADIUS server receives an Access-Accept packet, it can send the client an
Access-Challenge packet, which requires a response. If the client does not know how to respond or if the
packets are invalid, the RADIUS server discards the packets. If the client responds to the packet, a new
Access-Request packet should be sent with the original Access-Request packet.
Accounting-Request--Sent from a client to a RADIUS accounting server, which provides accounting
information. If the RADIUS server successfully records the Accounting-Request packet, it must submit an
Accounting-Response packet.
Accounting-Response--Sent by the RADIUS accounting server to the client to acknowledge that the
Accounting-Request has been received and recorded successfully.
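The packet layout and reply types described above can be checked in code. The following is an added example, not part of the Cisco guide: it parses the header and attribute list with bounds checks and verifies the Response Authenticator of a reply using the MD5 construction from RFC 2865. The function names, the sample packets, and the use of SomeSecret as the shared key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Codes listed on this page; 11 (Access-Challenge) comes from RFC 2865,
# because the page names that packet type without giving its number.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}
HEADER_LEN = 20        # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
MAX_PACKET_LEN = 4096  # upper bound on the Length field in RFC 2865


class RadiusError(ValueError):
    """Raised when a packet violates the framing rules."""


def encode_attributes(attrs):
    """Serialise (type, value) pairs as type/length/value octets."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code, identifier, authenticator, attrs):
    raw = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(raw))
    return header + authenticator + raw


def parse_packet(data):
    """Split a datagram into header fields and (type, value) attributes."""
    if len(data) < HEADER_LEN:
        raise RadiusError("shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= MAX_PACKET_LEN:
        raise RadiusError("Length field out of range: %d" % length)
    if length > len(data):
        raise RadiusError("Length field exceeds the octets received")
    body = data[HEADER_LEN:length]  # octets beyond Length are padding
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise RadiusError("bad length for attribute %d" % a_type)
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "Unknown"),
            "identifier": identifier, "length": length,
            "authenticator": data[4:HEADER_LEN], "attributes": attrs,
            "raw_attributes": body}


def response_authenticator(code, identifier, raw_attrs, request_auth, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(raw_attrs))
    return hashlib.md5(header + request_auth + raw_attrs + secret).digest()


def build_reply(code, request, attrs, secret):
    """Build a server reply to `request` (used here only to make sample data)."""
    req = parse_packet(request)
    auth = response_authenticator(code, req["identifier"],
                                  encode_attributes(attrs),
                                  req["authenticator"], secret)
    return build_packet(code, req["identifier"], auth, attrs)


def verify_reply(reply, request, secret):
    """True only if the reply answers this request and was keyed with secret."""
    req, rep = parse_packet(request), parse_packet(reply)
    if rep["identifier"] != req["identifier"]:
        return False
    expected = response_authenticator(rep["code"], rep["identifier"],
                                      rep["raw_attributes"],
                                      req["authenticator"], secret)
    return hmac.compare_digest(expected, rep["authenticator"])


# Constructed sample exchange: Access-Request carrying User-Name (1), answered
# by an Access-Accept carrying Service-Type (6) = 2 (Framed).
SECRET = b"SomeSecret"
REQUEST = build_packet(1, 42, bytes(range(16)), [(1, b"alice")])
REPLY = build_reply(2, REQUEST, [(6, struct.pack("!I", 2))], SECRET)
TAMPERED = REPLY[:-1] + b"\x06"  # Service-Type changed in transit to 6

if __name__ == "__main__":
    print(parse_packet(REPLY)["name"], parse_packet(REPLY)["attributes"])
    print("genuine reply accepted: ", verify_reply(REPLY, REQUEST, SECRET))
    print("tampered reply accepted:", verify_reply(TAMPERED, REQUEST, SECRET))
```

A client that skips this check accepts any datagram with a matching identifier, so the comparison belongs before any attribute in the reply is acted on.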
RADIUS Files
Understanding the types of files used by RADIUS is important for communicating AAA information from
a client to a server. Each file defines a level of authentication or authorization for the user: the dictionary
file defines which attributes the user’s NAS can implement; the clients file defines which users are allowed
to make requests to the RADIUS server; the users file defines which user requests the RADIUS server
authenticates based on security and configuration data.
• Dictionary File
• Clients File
• Users File
Dictionary File
A dictionary file provides a list of attributes that are dependent upon which attributes your NAS supports.
However, you can add your own set of attributes to your dictionary for custom solutions. It defines attribute
values, thereby allowing you to interpret attribute output such as parsing requests. A dictionary file contains
the following information:
• Name--The ASCII string “name” of the attribute, such as User-Name.
• ID--The numerical “name” of the attribute; for example, User-Name attribute is attribute 1.
• Value type--Each attribute can be specified as one of the following five value types:
  ◦ abinary--0 to 254 octets.
  ◦ date--32-bit value in big endian order. For example, seconds since 00:00:00 GMT, JAN. 1, 1970.
  ◦ ipaddr--4 octets in network byte order.
  ◦ integer--32-bit value in big endian order (high byte first).
  ◦ string--0 to 253 octets.
When the data type for a particular attribute is an integer, you can optionally expand the integer to equate to
some string. The following sample dictionary includes an integer-based attribute and its corresponding values:
# dictionary sample of integer entry
#
ATTRIBUTE       Service-Type            6       integer
VALUE           Service-Type            Login                   1
VALUE           Service-Type            Framed                  2
VALUE           Service-Type            Callback-Login          3
VALUE           Service-Type            Callback-Framed         4
VALUE           Service-Type            Outbound                5
VALUE           Service-Type            Administrative          6
VALUE           Service-Type            NAS-Prompt              7
VALUE           Service-Type            Authenticate-Only       8
VALUE           Service-Type            Callback-NAS-Prompt     9
VALUE           Service-Type            Call-Check              10
VALUE           Service-Type            Callback-Administrative 11
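To show how a dictionary turns raw attribute octets into readable values, here is an added example that is not part of the Cisco guide: it parses the ATTRIBUTE/VALUE layout of the sample above and decodes values according to the five value types, rejecting values whose length does not fit the declared type. The User-Name, NAS-IP-Address and Event-Timestamp entries, the function names and the sample octets are assumptions added for the demonstration.

```python
import ipaddress
import struct
from datetime import datetime, timezone

VALUE_TYPES = {"abinary", "date", "ipaddr", "integer", "string"}
MAX_OCTETS = {"abinary": 254, "string": 253}  # limits as stated on this page

# Service-Type lines reproduce the page's sample; the three ATTRIBUTE lines
# under "constructed entries" are assumptions added for this example.
SAMPLE_DICTIONARY = """\
# dictionary sample of integer entry
ATTRIBUTE  Service-Type  6  integer
VALUE  Service-Type  Login                    1
VALUE  Service-Type  Framed                   2
VALUE  Service-Type  Callback-Login           3
VALUE  Service-Type  Callback-Framed          4
VALUE  Service-Type  Outbound                 5
VALUE  Service-Type  Administrative           6
VALUE  Service-Type  NAS-Prompt               7
VALUE  Service-Type  Authenticate-Only        8
VALUE  Service-Type  Callback-NAS-Prompt      9
VALUE  Service-Type  Call-Check               10
VALUE  Service-Type  Callback-Administrative  11
# constructed entries
ATTRIBUTE  User-Name        1   string
ATTRIBUTE  NAS-IP-Address   4   ipaddr
ATTRIBUTE  Event-Timestamp  55  date
"""


def parse_dictionary(text):
    """Return ({id: (name, value_type)}, {name: {number: label}})."""
    attributes, values = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0] == "ATTRIBUTE" and len(fields) == 4:
            name, attr_id, vtype = fields[1], int(fields[2]), fields[3]
            if vtype not in VALUE_TYPES:
                raise ValueError("line %d: unknown value type %r" % (lineno, vtype))
            if not 1 <= attr_id <= 255:
                raise ValueError("line %d: attribute ID out of range" % lineno)
            attributes[attr_id] = (name, vtype)
        elif fields[0] == "VALUE" and len(fields) == 4:
            values.setdefault(fields[1], {})[int(fields[3])] = fields[2]
        else:
            raise ValueError("line %d: unrecognised entry" % lineno)
    orphans = set(values) - {name for name, _ in attributes.values()}
    if orphans:
        raise ValueError("VALUE without ATTRIBUTE: %s" % sorted(orphans))
    return attributes, values


def decode_attribute(dictionary, attr_id, raw):
    """Decode one attribute value to (name, text) using the dictionary."""
    attributes, values = dictionary
    if attr_id not in attributes:
        return "Attr-%d" % attr_id, raw.hex()  # keep unknown data visible
    name, vtype = attributes[attr_id]
    if vtype in ("integer", "date", "ipaddr"):
        if len(raw) != 4:
            raise ValueError("%s: %s needs 4 octets, got %d" % (name, vtype, len(raw)))
        if vtype == "ipaddr":
            return name, str(ipaddress.IPv4Address(raw))
        number = struct.unpack("!I", raw)[0]  # big endian, high byte first
        if vtype == "date":
            return name, datetime.fromtimestamp(number, tz=timezone.utc).isoformat()
        return name, values.get(name, {}).get(number, str(number))
    if len(raw) > MAX_OCTETS[vtype]:
        raise ValueError("%s: %s longer than %d octets" % (name, vtype, MAX_OCTETS[vtype]))
    if vtype == "string":
        return name, raw.decode("utf-8", errors="replace")
    return name, raw.hex()  # abinary


DICTIONARY = parse_dictionary(SAMPLE_DICTIONARY)

if __name__ == "__main__":
    # Constructed attribute values, as they would appear inside a packet.
    for attr_id, raw in [(1, b"alice"), (4, bytes([10, 1, 2, 3])),
                         (6, struct.pack("!I", 2)), (99, b"\x01\x02")]:
        print(decode_attribute(DICTIONARY, attr_id, raw))
```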
Clients File
A clients file is important because it contains a list of RADIUS clients that are allowed to send
authentication and accounting requests to the RADIUS server. To receive authentication, the name and
authentication key the client sends the server must be an exact match with the data contained in the clients file.
The following is an example of a clients file. The key, as shown in this example, must be the same as the
radius-server key SomeSecret command.
#Client Name        Key
#----------------   ---------------
10.1.2.3:256        test
nas01               bananas
nas02               MoNkEys
nas07.foo.com       SomeSecret
Users File
A RADIUS users file contains an entry for each user that the RADIUS server authenticates; each entry,
which is also referred to as a user profile, establishes an attribute the user can access.
The first line in any user profile is always a “user access” line; that is, the server must check the attributes
on the first line before it can grant access to the user. The first line contains the name of the user, which can
be up to 252 characters, followed by authentication information such as the password of the user.
Additional lines, which are associated with the user access line, indicate the attribute reply that is sent to
the requesting client or server. The attributes sent in the reply must be defined in the dictionary file.
When looking at a user file, note that the data to the left of the equal (=) character is an attribute
defined in the dictionary file, and the data to the right of the equal character is the configuration data.
Note: A blank line cannot appear anywhere within a user profile.
The following is an example of a RADIUS user profile (Merit Daemon format). In this example, the user
name is cisco.com, the password is cisco, and the user can access five tunnel attributes.
# This user profile includes RADIUS tunneling attributes
cisco.com Password="cisco" Service-Type=Outbound
Tunnel-Type = :1:L2TP
Tunnel-Medium-Type = :1:IP
Tunnel-Server-Endpoint = :1:10.0.0.1
Tunnel-Password = :1:"welcome"
Tunnel-Assignment-ID = :1:"nas"
RADIUS IETF Attributes
Note: In the Cisco IOS Release 12.2 for RADIUS tunnel attributes, 32 tagged tunnel sets are supported for L2TP.
• Supported RADIUS IETF Attributes
• Comprehensive List of RADIUS Attribute Descriptions
Supported RADIUS IETF Attributes
Table 1 lists Cisco-supported IETF RADIUS attributes and the Cisco IOS release in which they are
implemented. In cases where the attribute has a security server-specific format, the format is specified.
Refer to Table 2 for a description of each listed attribute.
Note: Attributes implemented in special (AA) or early development (T) releases are added to the next mainline
image.

Table 1  Supported RADIUS IETF Attributes

Number  IETF Attribute              11.1  11.2  11.3  11.3 AA  11.3T  12.0  12.1  12.2
1       User-Name                   yes   yes   yes   yes      yes    yes   yes   yes
2       User-Password               yes   yes   yes   yes      yes    yes   yes   yes
3       CHAP-Password               yes   yes   yes   yes      yes    yes   yes   yes
4       NAS-IP Address              yes   yes   yes   yes      yes    yes   yes   yes
5       NAS-Port                    yes   yes   yes   yes      yes    yes   yes   yes
6       Service-Type                yes   yes   yes   yes      yes    yes   yes   yes
7       Framed-Protocol             yes   yes   yes   yes      yes    yes   yes   yes
8       Framed-IP-Address           yes   yes   yes   yes      yes    yes   yes   yes
9       Framed-IP-Netmask           yes   yes   yes   yes      yes    yes   yes   yes
10      Framed-Routing              yes   yes   yes   yes      yes    yes   yes   yes
11      Filter-Id                   yes   yes   yes   yes      yes    yes   yes   yes
12      Framed-MTU                  yes   yes   yes   yes      yes    yes   yes   yes
13      Framed-Compression          yes   yes   yes   yes      yes    yes   yes   yes
14      Login-IP-Host               yes   yes   yes   yes      yes    yes   yes   yes
15      Login-Service               yes   yes   yes   yes      yes    yes   yes   yes
16      Login-TCP-Port              yes   yes   yes   yes      yes    yes   yes   yes
18      Reply-Message               yes   yes   yes   yes      yes    yes   yes   yes
19      Callback-Number             no    no    no    no       no     no    yes   yes
20      Callback-ID                 no    no    no    no       no     no    no    no
22      Framed-Route                yes   yes   yes   yes      yes    yes   yes   yes
23      Framed-IPX-Network          no    no    no    no       no     no    no    no
24      State                       yes   yes   yes   yes      yes    yes   yes   yes
25      Class                       yes   yes   yes   yes      yes    yes   yes   yes
26      Vendor-Specific             yes   yes   yes   yes      yes    yes   yes   yes
27      Session-Timeout             yes   yes   yes   yes      yes    yes   yes   yes
28      Idle-Timeout                yes   yes   yes   yes      yes    yes   yes   yes
29      Termination-Action          no    no    no    no       no     no    no    no
30      Called-Station-Id           yes   yes   yes   yes      yes    yes   yes   yes
31      Calling-Station-Id          yes   yes   yes   yes      yes    yes   yes   yes
32      NAS-Identifier              no    no    no    no       no     no    no    yes
33      Proxy-State                 no    no    no    no       no     no    no    no
34      Login-LAT-Service           yes   yes   yes   yes      yes    yes   yes   yes
35      Login-LAT-Node              no    no    no    no       no     no    no    yes
36      Login-LAT-Group             no    no    no    no       no     no    no    no
37      Framed-AppleTalk-Link       no    no    no    no       no     no    no    no
38      Framed-AppleTalk-Network    no    no    no    no       no     no    no    no
39      Framed-AppleTalk-Zone       no    no    no    no       no     no    no    no
40      Acct-Status-Type            yes   yes   yes   yes      yes    yes   yes   yes
41      Acct-Delay-Time             yes   yes   yes   yes      yes    yes   yes   yes
42      Acct-Input-Octets           yes   yes   yes   yes      yes    yes   yes   yes
43      Acct-Output-Octets          yes   yes   yes   yes      yes    yes   yes   yes
44      Acct-Session-Id             yes   yes   yes   yes      yes    yes   yes   yes
45      Acct-Authentic              yes   yes   yes   yes      yes    yes   yes   yes
46      Acct-Session-Time           yes   yes   yes   yes      yes    yes   yes   yes
47      Acct-Input-Packets          yes   yes   yes   yes      yes    yes   yes   yes
48      Acct-Output-Packets         yes   yes   yes   yes      yes    yes   yes   yes
49      Acct-Terminate-Cause        no    no    no    yes      yes    yes   yes   yes
50      Acct-Multi-Session-Id       no    yes   yes   yes      yes    yes   yes   yes
51      Acct-Link-Count             no    yes   yes   yes      yes    yes   yes   yes
52      Acct-Input-Gigawords        no    no    no    no       no     no    no    no
53      Acct-Output-Gigawords       no    no    no    no       no     no    no    no
55      Event-Timestamp             no    no    no    no       no     no    no    yes
60      CHAP-Challenge              yes   yes   yes   yes      yes    yes   yes   yes
61      NAS-Port-Type               yes   yes   yes   yes      yes    yes   yes   yes
62      Port-Limit                  yes   yes   yes   yes      yes    yes   yes   yes
63      Login-LAT-Port              no    no    no    no       no     no    no    no
64      Tunnel-Type [1]             no    no    no    no       no     no    yes   yes
65      Tunnel-Medium-Type [1]      no    no    no    no       no     no    yes   yes
66      Tunnel-Client-Endpoint      no    no    no    no       no     no    yes   yes
67      Tunnel-Server-Endpoint [1]  no    no    no    no       no     no    yes   yes
68      Acct-Tunnel-Connection-ID   no    no    no    no       no     no    yes   yes
69      Tunnel-Password [1]         no    no    no    no       no     no    yes   yes
70      ARAP-Password               no    no    no    no       no     no    no    no
71      ARAP-Features               no    no    no    no       no     no    no    no
72      ARAP-Zone-Access            no    no    no    no       no     no    no    no
73      ARAP-Security               no    no    no    no       no     no    no    no
74      ARAP-Security-Data          no    no    no    no       no     no    no    no
75      Password-Retry              no    no    no    no       no     no    no    no
76      Prompt                      no    no    no    no       no     no    yes   yes
77      Connect-Info                no    no    no    no       no     no    no    yes
78      Configuration-Token         no    no    no    no       no     no    no    no
79      EAP-Message                 no    no    no    no       no     no    no    no
80      Message-Authenticator       no    no    no    no       no     no    no    no
81      Tunnel-Private-Group-ID     no    no    no    no       no     no    no    no
82      Tunnel-Assignment-ID [1]    no    no    no    no       no     no    yes   yes
83      Tunnel-Preference           no    no    no    no       no     no    no    yes
84      ARAP-Challenge-Response     no    no    no    no       no     no    no    no
85      Acct-Interim-Interval       no    no    no    no       no     no    yes   yes
86      Acct-Tunnel-Packets-Lost    no    no    no    no       no     no    no    no
87      NAS-Port-ID                 no    no    no    no       no     no    no    no
88      Framed-Pool                 no    no    no    no       no     no    no    no
90      Tunnel-Client-Auth-ID [2]   no    no    no    no       no     no    no    yes
91      Tunnel-Server-Auth-ID       no    no    no    no       no     no    no    yes
200     IETF-Token-Immediate        no    no    no    no       no     no    no

[1] This RADIUS attribute complies with the following two draft IETF documents: RFC 2868 RADIUS Attributes for Tunnel Protocol Support and RFC 2867
RADIUS Accounting Modifications for Tunnel Protocol Support.
[2] This RADIUS attribute complies with RFC 2865 and RFC 2868.

Comprehensive List of RADIUS Attribute Descriptions
The table below lists and describes IETF RADIUS attributes. In cases where the attribute has a security
server-specific format, the format is specified.
Table 2
RADIUS IETF Attributes
Number
IETF Attribute
Description
1
User-Name
Indicates the name of the user being
authenticated by the RADIUS server.
2
User-Password
Indicates the user’s password or the
user’s input following an AccessChallenge. Passwords longer than 16
characters are encrypted using RFC 2865
specifications.
3
CHAP-Password
Indicates the response value provided by
a PPP Challenge-Handshake
Authentication Protocol (CHAP) user in
response to an Access-Challenge.
4
NAS-IP Address
Specifies the IP address of the network
access server that is requesting
authentication. The default value is
0.0.0.0/0.
5
NAS-Port
Indicates the physical port number of the
network access server that is
authenticating the user. The NAS-Port
value (32 bits) consists of one or two 16bit values (depending on the setting of the
radius-server extended-portnames
command). Each 16-bit number should
be viewed as a 5-digit decimal integer for
interpretation as follows:
For asynchronous terminal lines, async
network interfaces, and virtual async
interfaces, the value is 00ttt, where ttt is
the line number or async interface unit
number.
For ordinary synchronous network
interface, the value is 10xxx.
For channels on a primary rate ISDN
interface, the value is 2ppcc.
For channels on a basic rate ISDN
interface, the value is 3bb0c.
For other types of interfaces, the value is
6nnss.
RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T
12
RADIUS Attributes Overview and RADIUS IETF Attributes
Comprehensive List of RADIUS Attribute Descriptions
Number
IETF Attribute
Description
6
Service-Type
Indicates the type of service requested or
the type of service to be provided.
•
In a request:
Framed for known PPP or SLIP
connection. Administrative-user for
enable command.
•
In response:
Login--Make a connection. Framed--Start
SLIP or PPP. Administrative User--Start
an EXEC or enable ok.
Exec User--Start an EXEC session.
Service type is indicated by a particular
numeric value as follows:
•
•
•
•
•
•
•
•
•
7
Framed-Protocol
1: Login
2: Framed
3: Callback-Login
4: Callback-Framed
5: Outbound
6: Administrative
7: NAS-Prompt
8: Authenticate Only
9: Callback-NAS-Prompt
Indicates the framing to be used for
framed access. No other framing is
allowed.
Framing is indicated by a numeric value
as follows:
•
•
•
•
•
8
Framed-IP-Address
1: PPP
2: SLIP
3: ARA
4: Gandalf-proprietary single-link/
multilink protocol
5: Xylogics-proprietary IPX/SLIP
Indicates the IP address to be configured
for the user, by sending the IP address of
a user to the RADIUS server in the
access-request. To enable this command,
use the radius-server attribute 8
include-in-access-req command in
global configuration mode.
9
Framed-IP-Netmask
Indicates the IP netmask to be configured
for the user when the user is a router to a
network. This attribute value results in a
static route being added for Framed-IP-Address with the mask specified.
10
Framed-Routing
Indicates the routing method for the user
when the user is a router to a network.
Only “None” and “Send and Listen”
values are supported for this attribute.
Routing method is indicated by a numeric
value as follows:
• 0: None
• 1: Send routing packets
• 2: Listen for routing packets
• 3: Send routing packets and listen for routing packets
11
Filter-Id
Indicates the name of the filter list for the
user and is formatted as follows: %d,
%d.in, or %d.out. This attribute is
associated with the most recent service-type command. For login and EXEC, use
%d or %d.out as the line access list value
from 0 to 199. For Framed service, use
%d or %d.out as interface output access
list, and %d.in for input access list. The
numbers are self-encoding to the protocol
to which they refer.
12
Framed-MTU
Indicates the maximum transmission unit
(MTU) that can be configured for the
user when the MTU is not negotiated by
PPP or some other means.
13
Framed-Compression
Indicates a compression protocol used for
the link. This attribute results in a “/
compress” being added to the PPP or
SLIP autocommand generated during
EXEC authorization. Not currently
implemented for non-EXEC
authorization.
Compression protocol is indicated by a
numeric value as follows:
• 0: None
• 1: VJ-TCP/IP header compression
• 2: IPX header compression
14
Login-IP-Host
Indicates the host to which the user will
connect when the Login-Service attribute
is included. (This begins immediately
after login.)
15
Login-Service
Indicates the service that should be used
to connect the user to the login host.
Service is indicated by a numeric value as
follows:
• 0: Telnet
• 1: Rlogin
• 2: TCP-Clear
• 3: PortMaster
• 4: LAT
16
Login-TCP-Port
Defines the TCP port with which the user
is to be connected when the Login-Service attribute is also present.
18
Reply-Message
Indicates text that might be displayed to
the user via the RADIUS server. You can
include this attribute in user files;
however, you cannot exceed a maximum
of 16 Reply-Message entries per profile.
19
Callback-Number
Defines a dialing string to be used for
callback.
20
Callback-ID
Defines the name (consisting of one or
more octets) of a place to be called, to be
interpreted by the network access server.
22
Framed-Route
Provides routing information to be
configured for the user on this network
access server. The RADIUS RFC format
(net/bits [router [metric]]) and the old
style dotted mask (net mask [router
[metric]]) are supported. If the router
field is omitted or 0, the peer IP address
is used. Metrics are currently ignored.
This attribute is access-request packets.
23
Framed-IPX-Network
Defines the IPX network number
configured for the user.
24
State
Allows state information to be
maintained between the network access
server and the RADIUS server. This
attribute is applicable only to CHAP
challenges.
25
Class
(Accounting) Arbitrary value that the
network access server includes in all
accounting packets for this user if
supplied by the RADIUS server.
26
Vendor-Specific
Allows vendors to support their own
extended attributes not suitable for
general use. The Cisco RADIUS
implementation supports one vendor-specific
option using the format
recommended in the specification.
Cisco's vendor-ID is 9, and the supported
option has vendor-type 1, which is named
“cisco-avpair.” The value is a string of
the format:
protocol : attribute sep value
“Protocol” is a value of the Cisco
“protocol” attribute for a particular type
of authorization. “Attribute” and “value”
are an appropriate AV pair defined in the
Cisco TACACS+ specification, and “sep”
is “=” for mandatory attributes and “*”
for optional attributes. This allows the
full set of features available for TACACS+
authorization to also be used for
RADIUS. For example:
cisco-avpair= "ip:addr-pool=first"
cisco-avpair= "shell:priv-lvl=15"
The first example causes Cisco’s
“multiple named ip address pools”
feature to be activated during IP
authorization (during PPP’s IPCP address
assignment). The second example causes
a user logging in from a network access
server to have immediate access to EXEC
commands.
Table 1 lists supported vendor-specific
RADIUS attributes (IETF attribute 26).
The “TACACS+ Attribute-Value Pairs”
module provides a complete list of
supported TACACS+ attribute-value
(AV) pairs that can be used with IETF
attribute 26. (RFC 2865)
27
Session-Timeout
Sets the maximum number of seconds of
service to be provided to the user before
the session terminates. This attribute
value becomes the per-user “absolute
timeout.”
28
Idle-Timeout
Sets the maximum number of consecutive
seconds of idle connection allowed to the
user before the session terminates. This
attribute value becomes the per-user
“session-timeout.”
29
Termination-Action
Termination is indicated by a numeric
value as follows:
• 0: Default
• 1: RADIUS request
30
Called-Station-Id
(Accounting) Allows the network access
server to send the telephone number the
user called as part of the Access-Request
packet (using Dialed Number
Identification Service [DNIS] or similar
technology). This attribute is only
supported on ISDN, and modem calls on
the Cisco AS5200 if used with PRI.
31
Calling-Station-Id
(Accounting) Allows the network access
server to send the telephone number the
call came from as part of the Access-Request packet (using Automatic
Number Identification or similar
technology). This attribute has the same
value as “remote-addr” from TACACS+.
This attribute is only supported on ISDN,
and modem calls on the Cisco AS5200 if
used with PRI.
32
NAS-Identifier
String identifying the network access
server originating the Access-Request.
Use the radius-server attribute 32
include-in-access-req global
configuration command to send RADIUS
attribute 32 in an Access-Request or
Accounting-Request. By default, the
FQDN is sent in the attribute when the
format is not specified.
33
Proxy-State
Attribute that can be sent by a proxy
server to another server when forwarding
Access-Requests; this must be returned
unmodified in the Access-Accept,
Access-Reject or Access-Challenge and
removed by the proxy server before
sending the response to the network
access server.
34
Login-LAT-Service
Indicates the system with which the user
is to be connected by LAT. This attribute
is only available in the EXEC mode.
35
Login-LAT-Node
Indicates the node with which the user is
to be automatically connected by LAT.
36
Login-LAT-Group
Identifies the LAT group codes that this
user is authorized to use.
37
Framed-AppleTalk-Link
Indicates the AppleTalk network number
that should be used for serial links to the
user, which is another AppleTalk router.
38
Framed-AppleTalk-Network
Indicates the AppleTalk network number
that the network access server uses to
allocate an AppleTalk node for the user.
39
Framed-AppleTalk-Zone
Indicates the AppleTalk Default Zone to
be used for this user.
40
Acct-Status-Type
(Accounting) Indicates whether this
Accounting-Request marks the beginning
of the user service (start) or the end
(stop).
41
Acct-Delay-Time
(Accounting) Indicates how many
seconds the client has been trying to send
a particular record.
42
Acct-Input-Octets
(Accounting) Indicates how many octets
have been received from the port over the
course of this service being provided.
43
Acct-Output-Octets
(Accounting) Indicates how many octets
have been sent to the port in the course of
delivering this service.
44
Acct-Session-Id
(Accounting) A unique accounting
identifier that makes it easy to match start
and stop records in a log file. Acct-Session ID
numbers restart at 1 each time
the router is power cycled or the software
is reloaded. To send this attribute in
access-request packets, use the radius-server
attribute 44 include-in-access-req command
in global configuration mode.
45
Acct-Authentic
(Accounting) Indicates how the user was
authenticated, whether by RADIUS, the
network access server itself, or another
remote authentication protocol. This
attribute is set to “radius” for users
authenticated by RADIUS; “remote” for
TACACS+ and Kerberos; or “local” for
local, enable, line, and if-needed
methods. For all other methods, the
attribute is omitted.
46
Acct-Session-Time
(Accounting) Indicates how long (in
seconds) the user has received service.
47
Acct-Input-Packets
(Accounting) Indicates how many
packets have been received from the port
over the course of this service being
provided to a framed user.
48
Acct-Output-Packets
(Accounting) Indicates how many
packets have been sent to the port in the
course of delivering this service to a
framed user.
49
Acct-Terminate-Cause
(Accounting) Reports details on why the
connection was terminated. Termination
causes are indicated by a numeric value
as follows:
1   User request
2   Lost carrier
3   Lost service
4   Idle timeout
5   Session timeout
6   Admin reset
7   Admin reboot
8   Port error
9   NAS error
10  NAS request
11  NAS reboot
12  Port unneeded
13  Port pre-empted
14  Port suspended
15  Service unavailable
16  Callback
17  User error
18  Host request
Note For attribute 49, Cisco IOS
supports values 1 to 6, 9, 12, and
15 to 18.
50
Acct-Multi-Session-Id
(Accounting) A unique accounting
identifier used to link multiple related
sessions in a log file.
Each linked session in a multilink session
has a unique Acct-Session-Id value, but
shares the same Acct-Multi-Session-Id.
51
Acct-Link-Count
(Accounting) Indicates the number of
links known in a given multilink session
at the time an accounting record is
generated. The network access server can
include this attribute in any accounting
request that might have multiple links.
52
Acct-Input-Gigawords
Indicates how many times the Acct-Input-Octets
counter has wrapped around
2^32 over the course of the provided
service.
53
Acct-Output-Gigawords
Indicates how many times the Acct-Output-Octets
counter has wrapped
around 2^32 while delivering service.
55
Event-Timestamp
Records the time that the event occurred
on the NAS; the timestamp sent in
attribute 55 is in seconds since January 1,
1970 00:00 UTC. To send RADIUS
attribute 55 in accounting packets, use the
radius-server attribute 55 include-in-acct-req command.
Note Before the Event-Timestamp
attribute can be sent in accounting
packets, you must configure the
clock on the router. (For
information on setting the clock
on your router, refer to the Cisco
IOS Configuration Fundamentals
Configuration Guide, Release
12.4T.) To avoid configuring the
clock on the router every time the
router is reloaded, you can enable
the clock calendar-valid
command. See the Cisco IOS
Configuration Fundamentals
Command Reference for more
information on this command.
60
CHAP-Challenge
Contains the Challenge Handshake
Authentication Protocol challenge sent by
the network access server to a PPP CHAP
user.
61
NAS-Port-Type
Indicates the type of physical port the
network access server is using to
authenticate the user. Physical ports are
indicated by a numeric value as follows:
• 0: Asynchronous
• 1: Synchronous
• 2: ISDN-Synchronous
• 3: ISDN-Asynchronous (V.120)
• 4: ISDN-Asynchronous (V.110)
• 5: Virtual
62
Port-Limit
Sets the maximum number of ports
provided to the user by the NAS.
63
Login-LAT-Port
Defines the port with which the user is to
be connected by LAT.
64
Tunnel-Type (footnote 3)
Indicates the tunneling protocol(s) used.
Cisco IOS software supports two possible
values for this attribute: L2TP and L2F.
If this attribute is not set, L2F is used as a
default.
65
Tunnel-Medium-Type (footnote 1)
Indicates the transport medium type to
use to create a tunnel. This attribute has
only one available value for this release:
IP. If no value is set for this attribute, IP
is used as the default.
3 This RADIUS attribute complies with the following two IETF documents: RFC 2868, RADIUS Attributes for Tunnel Protocol Support, and RFC 2867,
RADIUS Accounting Modifications for Tunnel Protocol Support.
66
Tunnel-Client-Endpoint
Contains the address of the initiator end
of the tunnel. It may be included in both
Access-Request and Access-Accept
packets to indicate the address from
which a new tunnel is to be initiated. If
the Tunnel-Client-Endpoint attribute is
included in an Access-Request packet,
the RADIUS server should take the value
as a hint; the server is not obligated to
honor the hint, however. This attribute
should be included in Accounting-Request
packets that contain Acct-Status-Type
attributes with values of either Start
or Stop, in which case it indicates the
address from which the tunnel was
initiated. This attribute, along with the
Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID
attributes, may be
used to provide a globally unique means
to identify a tunnel for accounting and
auditing purposes.
An enhancement has been added for the
network access server to accept a value of
127.0.0.X for this attribute such that:
127.0.0.0 would indicate that loopback0 IP address is to be used
127.0.0.1 would indicate that loopback1 IP address is to be used
...
127.0.0.X would indicate that loopbackX IP address is to be used
for the actual tunnel client endpoint IP
address. This enhancement adds
scalability across multiple network access
servers.
67
Tunnel-Server-Endpoint (footnote 1)
Indicates the address of the server end of
the tunnel. The format of this attribute
varies depending on the value of Tunnel-Medium-Type.
Because this release only
supports IP as a tunnel medium type, the
IP address or the host name of LNS is
valid for this attribute.
68
Acct-Tunnel-Connection-ID
Indicates the identifier assigned to the
tunnel session. This attribute should be
included in Accounting-Request packets
that contain an Acct-Status-Type attribute
having the value Start, Stop, or any of the
values described above. This attribute,
along with the Tunnel-Client-Endpoint
and Tunnel-Server-Endpoint attributes,
may be used to provide a means to
uniquely identify a tunnel session for
auditing purposes.
69
Tunnel-Password (footnote 1)
Defines the password to be used to
authenticate to a remote server. This
attribute is converted into different AAA
attributes based on the value of Tunnel-Type:
AAA_ATTR_l2tp_tunnel_pw
(L2TP), AAA_ATTR_nas_password
(L2F), and AAA_ATTR_gw_password
(L2F).
By default, all passwords received are
encrypted, which can cause authorization
failures when a NAS attempts to decrypt
a non-encrypted password. To enable
attribute 69 to receive non-encrypted
passwords, use the radius-server
attribute 69 clear global configuration
command.
70
ARAP-Password
Identifies an Access-Request packet
containing a Framed-Protocol of ARAP.
71
ARAP-Features
Includes password information that the
NAS should send to the user in an ARAP
"feature flags" packet.
72
ARAP-Zone-Access
Indicates how the ARAP zone list for the
user should be used.
73
ARAP-Security
Identifies the ARAP Security Module to
be used in an Access-Challenge packet.
74
ARAP-Security-Data
Contains the actual security module
challenge or response. It can be found in
Access-Challenge and Access-Request
packets.
75
Password-Retry
Indicates how many times a user may
attempt authentication before being
disconnected.
76
Prompt
Indicates to the NAS whether it should
echo the user’s response as it is entered
or not echo it. (0=no echo, 1=echo)
77
Connect-Info
Provides additional call information for
modem calls. This attribute is generated
in start and stop accounting records.
78
Configuration-Token
Indicates a type of user profile to be used.
This attribute should be used in large
distributed authentication networks based
on proxy. It is sent from a RADIUS
Proxy Server to a RADIUS Proxy Client
in an Access-Accept; it should not be sent
to a NAS.
79
EAP-Message
Encapsulates Extended Access Protocol
(EAP) packets that allow the NAS to
authenticate dial-in users via EAP
without having to understand the EAP
protocol.
80
Message-Authenticator
Prevents spoofing Access-Requests using
CHAP, ARAP, or EAP authentication
methods.
81
Tunnel-Private-Group-ID
Indicates the group ID for a particular
tunneled session.
82
Tunnel-Assignment-ID (footnote 1)
Indicates to the tunnel initiator the
particular tunnel to which a session is
assigned.
83
Tunnel-Preference
Indicates the relative preference assigned
to each tunnel. This attribute should be
included if more than one set of tunneling
attributes is returned by the RADIUS
server to the tunnel initiator.
84
ARAP-Challenge-Response
Contains the response to the challenge of
the dial-in client.
85
Acct-Interim-Interval
Indicates the number of seconds between
each interim update for this
specific session. This value can only
appear in the Access-Accept message.
86
Acct-Tunnel-Packets-Lost
Indicates the number of packets lost on a
given link. This attribute should be
included in Accounting-Request packets
that contain an Acct-Status-Type attribute
having the value Tunnel-Link-Stop.
87
NAS-Port-ID
Contains a text string which identifies the
port of the NAS that is authenticating the
user.
88
Framed-Pool
Contains the name of an assigned address
pool that should be used to assign an
address for the user. If a NAS does not
support multiple address pools, the NAS
should ignore this attribute.
90
Tunnel-Client-Auth-ID
Specifies the name used by the tunnel
initiator (also known as the NAS) when
authenticating tunnel setup with the
tunnel terminator. Supports L2F and
L2TP protocols.
91
Tunnel-Server-Auth-ID
Specifies the name used by the tunnel
terminator (also known as the Home
Gateway) when authenticating tunnel
setup with the tunnel initiator. Supports
L2F and L2TP protocols.
200
IETF-Token-Immediate
Determines how RADIUS treats
passwords received from login-users
when their file entry specifies a handheld security card server.
The value for this attribute is indicated by
a numeric value as follows:
• 0: No, meaning that the password is ignored.
• 1: Yes, meaning that the password is used for authentication.
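The cisco-avpair format described for attribute 26 (Vendor-Specific) in the table above can be decoded from the attribute bytes of a RADIUS packet as shown here. This is an added example, not Cisco code: the function names and the sample bytes are constructed for illustration, the sub-attribute layout (vendor-type, vendor-length, data) is the one recommended in RFC 2865, and vendor-ID 32473 (the IANA documentation enterprise number) stands in for a non-Cisco vendor.

```python
import struct
from typing import Iterator, List, NamedTuple, Tuple

VENDOR_SPECIFIC = 26   # IETF attribute number of Vendor-Specific
CISCO_VENDOR_ID = 9    # Cisco's vendor-ID
CISCO_AVPAIR = 1       # vendor-type 1, named "cisco-avpair"


class AVPair(NamedTuple):
    protocol: str
    attribute: str
    mandatory: bool    # True when sep is "=", False when sep is "*"
    value: str


def parse_avpair(text: str) -> AVPair:
    """Split 'protocol:attribute<sep>value', where sep is '=' or '*'."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError(f"no protocol prefix in {text!r}")
    # The first '=' or '*' after the colon is the separator;
    # any later occurrence belongs to the value.
    cut = min((i for i in (rest.find("="), rest.find("*")) if i >= 0), default=-1)
    if cut <= 0:
        raise ValueError(f"missing attribute name or separator in {text!r}")
    return AVPair(protocol, rest[:cut], rest[cut] == "=", rest[cut + 1:])


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each type/length/value item; reject bad lengths."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[offset], buf[offset + 1]
        # The length octet counts the type and length octets themselves.
        if length < 2 or offset + length > len(buf):
            raise ValueError(f"attribute {attr_type} has invalid length {length}")
        yield attr_type, buf[offset + 2:offset + length]
        offset += length


def cisco_avpairs(attr_bytes: bytes) -> List[AVPair]:
    """Return every cisco-avpair found in the attribute section of a packet."""
    pairs = []
    for attr_type, value in iter_tlvs(attr_bytes):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than Vendor-Id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue               # another vendor's attribute space
        for vendor_type, data in iter_tlvs(value[4:]):
            if vendor_type == CISCO_AVPAIR:
                pairs.append(parse_avpair(data.decode("ascii")))
    return pairs


def exec_privilege_levels(pairs: List[AVPair]) -> List[Tuple[int, bool]]:
    """List (level, mandatory) for each shell:priv-lvl pair, for profile review."""
    return [(int(p.value), p.mandatory) for p in pairs
            if p.protocol == "shell" and p.attribute == "priv-lvl"]


def encode_vsa(vendor_id: int, vendor_type: int, text: str) -> bytes:
    """Build one attribute 26 with a single sub-attribute (used for the sample)."""
    data = text.encode("ascii")
    sub = bytes([vendor_type, len(data) + 2]) + data
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed sample: the attribute section of an Access-Accept.
SAMPLE = b"".join([
    bytes([6, 6]) + struct.pack("!I", 6),            # Service-Type = 6 (Administrative)
    encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "ip:addr-pool=first"),
    encode_vsa(32473, 1, "shell:priv-lvl=15"),       # other vendor: must be ignored
    encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "shell:priv-lvl=15"),
    encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "shell:priv-lvl*1"),  # optional form
])

if __name__ == "__main__":
    for pair in cisco_avpairs(SAMPLE):
        print(pair)
    print("EXEC privilege grants:", exec_privilege_levels(cisco_avpairs(SAMPLE)))
```

Listing which profiles return shell:priv-lvl, and whether the pair is mandatory or optional, is a quick way to review who receives immediate EXEC access.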
Additional References
The following sections provide references related to RADIUS IETF attributes.
Related Documents
Related Topic                        Document Title
RADIUS                               “Configuring RADIUS” module.
Authentication                       “Configuring Authentication” module.
Authorization                        “Configuring Authorization” module.
Accounting                           “Configuring Accounting” module.
RADIUS Vendor-Specific Attributes    “RADIUS Vendor-Proprietary Attributes” module.
Standards
Standard    Title
None.       --
MIBs
MIB      MIBs Link
None.    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC         Title
RFC 2865    Remote Authentication Dial In User Service (RADIUS)
RFC 2866    RADIUS Accounting
RFC 2867    RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868    RADIUS Attributes for Tunnel Protocol Support
RFC 2869    RADIUS Extensions
Technical Assistance
Description
The Cisco Support website provides extensive
online resources, including documentation and tools
for troubleshooting and resolving technical issues
with Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various
services, such as the Product Alert Tool (accessed
from Field Notices), the Cisco Technical Services
Newsletter, and Really Simple Syndication (RSS)
Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Link
http://www.cisco.com/techsupport
Feature Information for RADIUS Attributes Overview and RADIUS IETF Attributes
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 3 Feature Information for RADIUS Attributes Overview and RADIUS IETF Attributes
Feature Name              Releases                  Feature Information
RADIUS IETF Attributes    Cisco IOS Release 11.1    This feature was introduced in Cisco IOS Release 11.1.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.
RADIUS Vendor-Proprietary Attributes
The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the network access server and the RADIUS server. However, some vendors have
extended the RADIUS attribute set for specific applications. This document provides Cisco IOS support
information for these vendor-proprietary RADIUS attributes.
• Finding Feature Information
• Supported Vendor-Proprietary RADIUS Attributes
• Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
• Feature Information for RADIUS Vendor-Proprietary Attributes
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Supported Vendor-Proprietary RADIUS Attributes
The table below lists Cisco-supported vendor-proprietary RADIUS attributes and the Cisco IOS release in
which they are implemented. In cases where the attribute has a security server-specific format, the format is
specified. Refer to the Vendor-Proprietary RADIUS Attributes table for a list of descriptions.
Note
Attributes implemented in special (AA) or early development (T) releases will be added to the next
mainline image.
Table 4 Supported Vendor-Proprietary RADIUS Attributes
Number  Vendor-Proprietary Attribute  11.1  11.2  11.3  11.3AA  11.3T  12.0  12.1  12.2  12.3  12.4
17      Change-Password               no    no    yes   yes     yes    yes   yes   yes   no    no
21      Password-Expiration           no    no    yes   yes     yes    yes   yes   yes   no    no
68      Tunnel-ID                     no    no    no    no      no     no    no    yes   yes   yes
108     My-Endpoint-Disc-Alias        no    no    no    no      no     no    no    no    no    no
109     My-Name-Alias                 no    no    no    no      no     no    no    no    no    no
110     Remote-FW                     no    no    no    no      no     no    no    no    no    no
111     Multicast-GLeave-Delay        no    no    no    no      no     no    no    no    no    no
112     CBCP-Enable                   no    no    no    no      no     no    no    no    no    no
113     CBCP-Mode                     no    no    no    no      no     no    no    no    no    no
114     CBCP-Delay                    no    no    no    no      no     no    no    no    no    no
115     CBCP-Trunk-Group              no    no    no    no      no     no    no    no    no    no
116     Appletalk-Route               no    no    no    no      no     no    no    no    no    no
117     Appletalk-Peer-Mode           no    no    no    no      no     no    no    no    no    no
118     Route-Appletalk               no    no    no    no      no     no    no    no    no    no
119     FCP-Parameter                 no    no    no    no      no     no    no    no    no    no
120     Modem-PortNo                  no    no    no    no      no     no    no    no    no    no
121     Modem-SlotNo                  no    no    no    no      no     no    no    no    no    no
122     Modem-ShelfNo                 no    no    no    no      no     no    no    no    no    no
123     Call-Attempt-Limit            no    no    no    no      no     no    no    no    no    no
124     Call-Block-Duration           no    no    no    no      no     no    no    no    no    no
125     Maximum-Call-Duration         no    no    no    no      no     no    no    no    no    no
126     Router-Preference             no    no    no    no      no     no    no    no    no    no
127     Tunneling-Protocol            no    no    no    no      no     no    no    no    no    no
128     Shared-Profile-Enable         no    no    no    no      no     no    no    no    yes   yes
129     Primary-Home-Agent            no    no    no    no      no     no    no    no    no    no
130     Secondary-Home-Agent          no    no    no    no      no     no    no    no    no    no
131     Dialout-Allowed               no    no    no    no      no     no    no    no    no    no
133     BACP-Enable                   no    no    no    no      no     no    no    no    no    no
134     DHCP-Maximum-Leases           no    no    no    no      no     no    no    no    no    no
135     Primary-DNS-Server            no    no    no    no      yes    yes   yes   yes   yes   yes
136     Secondary-DNS-Server          no    no    no    no      yes    yes   yes   yes   yes   yes
137     Ascend-Client-Assign-DNS      no    no    no    no      no     no    no    no    yes   yes
138     User-Acct-Type                no    no    no    no      no     no    no    no    no    no
139     User-Acct-Host                no    no    no    no      no     no    no    no    no    no
140     User-Acct-Port                no    no    no    no      no     no    no    no    no    no
141     User-Acct-Key                 no    no    no    no      no     no    no    no    no    no
142     User-Acct-Base                no    no    no    no      no     no    no    no    no    no
143     User-Acct-Time                no    no    no    no      no     no    no    no    no    no
144     Assign-IP-Client              no    no    no    no      no     no    no    no    no    no
145     Assign-IP-Server              no    no    no    no      no     no    no    no    no    no
146     Assign-IP-Global-Pool         no    no    no    no      no     no    no    no    no    no
147     DHCP-Reply                    no    no    no    no      no     no    no    no    no    no
148     DHCP-Pool-Number              no    no    no    no      no     no    no    no    no    no
149     Expect-Callback               no    no    no    no      no     no    no    no    no    no
150     Event-Type                    no    no    no    no      no     no    no    no    no    no
151     Ascend-Session-Svr-Key        no    no    no    yes     no     no    yes   yes   yes   yes
152     Ascend-Multicast-Rate-Limit   no    no    no    yes     no     no    yes   yes   yes   yes
153     IF-Netmask                    no    no    no    no      no     no    no    no    no    no
154     h323-Remote-Address           no    no    no    no      no     no    no    no    yes   yes
155     Ascend-Multicast-Client       no    no    no    yes     no     no    yes   yes   yes   yes
156     FR-Circuit-Name               no    no    no    no      no     no    no    no    no    no
157     FR-LinkUp                     no    no    no    no      no     no    no    no    no    no
158     FR-Nailed-Grp                 no    no    no    no      no     no    no    no    no    no
159     FR-Type                       no    no    no    no      no     no    no    no    no    no
160     FR-Link-Mgt                   no    no    no    no      no     no    no    no    no    no
161     FR-N391                       no    no    no    no      no     no    no    no    no    no
162     FR-DCE-N392                   no    no    no    no      no     no    no    no    no    no
163     FR-DTE-N392                   no    no    no    no      no     no    no    no    no    no
164     FR-DCE-N393                   no    no    no    no      no     no    no    no    no    no
165     FR-DTE-N393                   no    no    no    no      no     no    no    no    no    no
166     FR-T391                       no    no    no    no      no     no    no    no    no    no
167     FR-T392                       no    no    no    no      no     no    no    no    no    no
168     Bridge-Address                no    no    no    no      no     no    no    no    no    no
169     TS-Idle-Limit                 no    no    no    no      no     no    no    no    no    no
170     TS-Idle-Mode                  no    no    no    no      no     no    no    no    no    no
171     DBA-Monitor                   no    no    no    no      no     no    no    no    no    no
172     Base-Channel-Count            no    no    no    no      no     no    no    no    no    no
173     Minimum-Channels              no    no    no    no      no     no    no    no    no    no
174     IPX-Route                     no    no    no    no      no     no    no    no    no    no
175     FT1-Caller                    no    no    no    no      no     no    no    no    no    no
176     Ipsec-Backup-Gateway          no    no    no    no      no     no    no    no    yes   yes
177     rm-Call-Type                  no    no    no    no      no     no    no    yes   yes   no
178     Group                         no    no    no    no      no     no    no    no    no    no
179     FR-DLCI                       no    no    no    no      no     no    no    no    no    no
180     FR-Profile-Name               no    no    no    no      no     no    no    no    no    no
181     Ara-PW                        no    no    no    no      no     no    no    no    no    no
182     IPX-Node-Addr                 no    no    no    no      no     no    no    no    no    no
183     Home-Agent-IP-Addr            no    no    no    no      no     no    no    no    no    no
184     Home-Agent-Password           no    no    no    no      no     no    no    no    no    no
185     Home-Network-Name             no    no    no    no      no     no    no    no    no    no
186     Home-Agent-UDP-Port           no    no    no    no      no     no    no    no    no    no
187     Multilink-ID                  no    no    no    yes     yes    yes   yes   yes   yes   yes
188     Ascend-Num-In-Multilink       no    no    no    yes     yes    yes   yes   yes   yes   yes
189     First-Dest                    no    no    no    no      no     no    no    no    no    no
190     Pre-Input-Octets              no    no    no    yes     yes    yes   yes   yes   no    no
191     Pre-Output-Octets             no    no    no    yes     yes    yes   yes   yes   no    no
192     Pre-Input-Packets             no    no    no    yes     yes    yes   yes   yes   no    no
193     Pre-Output-Packets            no    no    no    yes     yes    yes   yes   yes   no    no
194     Maximum-Time                  no    no    yes   yes     yes    yes   yes   yes   no    no
195     Disconnect-Cause              no    no    yes   yes     yes    yes   yes   yes   yes   yes
196     Connect-Progress              no    no    no    no      no     no    yes   yes   yes   yes
197     Data-Rate                     no    no    no    no      yes    yes   yes   yes   yes   yes
198     PreSession-Time               no    no    no    yes     yes    yes   yes   yes   yes   yes
199     Token-Idle                    no    no    no    no      no     no    no    no    yes   yes
201     Require-Auth                  no    no    no    no      no     no    no    no    yes   yes
202     Number-Sessions               no    no    no    no      no     no    no    no    no    no
203     Authen-Alias                  no    no    no    no      no     no    no    no    no    no
204     Token-Expiry                  no    no    no    no      no     no    no    no    no    no
205     Menu-Selector                 no    no    no    no      no     no    no    no    no    no
206     Menu-Item                     no    no    no    no      no     no    no    no    no    no
207     PW-Warntime                   no    no    no    no      no     no    no    no    no    no
208     PW-Lifetime                   no    no    yes   yes     yes    yes   yes   yes   yes   yes
209     IP-Direct                     no    no    no    no      yes    yes   yes   yes   yes   yes
210     PPP-VJ-Slot-Compression       no    no    yes   yes     yes    yes   yes   yes   yes   yes
211     PPP-VJ-1172                   no    no    no    no      no     no    no    no    no    no
212     PPP-Async-Map                 no    no    no    no      no     no    no    no    no    no
41
RADIUS Vendor-Proprietary Attributes
Supported Vendor-Proprietary RADIUS Attributes
Numbe Vendor 11.1
r
Propri
etary
Attribu
te
11.2
11.3
11.3AA 11.3T
12.0
12.1
12.2
12.3
12.4
213
Third- no
Promp
t
no
no
no
no
no
no
no
no
no
214
SendSecret
no
no
no
no
no
no
yes
yes
yes
yes
215
Receiv no
eSecret
no
no
no
no
no
no
no
no
no
216
IPXPeerMode
no
no
no
no
no
no
no
no
no
no
217
IPPool
no
no
yes
yes
yes
yes
yes
yes
yes
yes
218
Static- no
AddrPool
no
yes
yes
yes
yes
yes
yes
yes
yes
219
FRDirect
no
no
no
no
no
no
no
no
no
no
220
FRno
DirectProfile
no
no
no
no
no
no
no
no
no
221
FRno
DirectDLCI
no
no
no
no
no
no
no
no
no
222
Handle no
-IPX
no
no
no
no
no
no
no
no
no
223
Netwa no
reTimeo
ut
no
no
no
no
no
no
no
no
no
224
IPXAlias
no
no
no
no
no
no
no
no
no
no
225
Metric no
no
no
no
no
no
no
no
no
no
RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T
42
RADIUS Vendor-Proprietary Attributes
Supported Vendor-Proprietary RADIUS Attributes
Numbe Vendor 11.1
r
Propri
etary
Attribu
te
11.2
11.3
11.3AA 11.3T
12.0
12.1
12.2
12.3
12.4
226
PRINumb
erType
no
no
no
no
no
no
no
no
no
no
227
DialNumb
er
no
no
no
no
no
no
yes
yes
yes
yes
228
Route- no
IP
no
yes
yes
yes
yes
yes
yes
yes
yes
229
Route- no
IPX
no
no
no
no
no
no
no
no
no
230
Bridge no
no
no
no
no
no
no
no
no
no
231
SendAuth
no
no
no
no
no
no
yes
yes
yes
yes
232
SendPassw
d
no
no
no
no
no
no
no
no
no
no
233
Link- no
Compr
ession
no
yes
yes
yes
yes
yes
yes
yes
yes
234
Target no
-Util
no
no
yes
no
yes
yes
yes
yes
yes
235
Maxim no
umChann
els
no
yes
yes
yes
yes
yes
yes
yes
yes
236
Incno
Chann
elCount
no
no
no
no
no
no
no
no
no
237
Decno
Chann
elCount
no
no
no
no
no
no
no
no
no
RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T
43
RADIUS Vendor-Proprietary Attributes
Supported Vendor-Proprietary RADIUS Attributes
Numbe Vendor 11.1
r
Propri
etary
Attribu
te
11.2
11.3
11.3AA 11.3T
12.0
12.1
12.2
12.3
12.4
238
Secon
ds-ofHistor
y
no
no
no
no
no
no
no
no
no
no
239
Histor no
yWeigh
-Type
no
no
no
no
no
no
no
no
no
240
AddSecon
ds
no
no
no
no
no
no
no
no
no
no
241
Remov no
eSecon
ds
no
no
no
no
no
no
no
no
no
242
DataFilter
no
no
yes
yes
yes
yes
yes
yes
yes
yes
243
CallFilter
no
no
no
no
no
no
no
no
yes
yes
244
IdleLimit
no
no
yes
yes
yes
yes
yes
yes
yes
yes
245
Preem
ptLimit
no
no
no
no
no
no
no
no
no
no
246
Callba no
ck
no
no
no
no
no
no
no
yes
yes
247
DataServic
e
no
no
no
no
no
no
yes
yes
yes
yes
248
Force- no
56
no
no
no
no
no
yes
yes
yes
yes
249
Billing no
Numb
er
no
no
no
no
no
no
no
no
no
RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T
44
RADIUS Vendor-Proprietary Attributes
Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
Numbe Vendor 11.1
r
Propri
etary
Attribu
te
11.2
11.3
11.3AA 11.3T
12.0
12.1
12.2
12.3
12.4
250
CallByCall
no
no
no
no
no
no
no
no
no
no
251
Transit no
Numb
er
no
no
no
no
no
no
no
no
no
252
HostInfo
no
no
no
no
no
no
no
no
no
no
253
PPPno
Addres
s
no
no
no
no
no
no
no
no
no
254
MPP- no
IdlePercen
t
no
no
no
no
no
no
no
no
no
255
XmitRate
no
no
yes
yes
yes
yes
yes
yes
yes
no
Comprehensive List of Vendor-Proprietary RADIUS Attribute Descriptions
The table below lists and describes the known vendor-proprietary RADIUS attributes:
Table 5 Vendor-Proprietary RADIUS Attributes

| Number | Vendor-Proprietary Attribute | Description |
|---|---|---|
| 17 | Change-Password | Specifies a request to change the password of a user. |
| 21 | Password-Expiration | Specifies an expiration date for a user’s password in the user’s file entry. |
| 68 | Tunnel-ID | (Ascend 5) Specifies the string assigned by RADIUS for each session using CLID or DNIS tunneling. When accounting is implemented, this value is used for accounting. |
| 108 | My-Endpoint-Disc-Alias | (Ascend 5) No description available. |
| 109 | My-Name-Alias | (Ascend 5) No description available. |
| 110 | Remote-FW | (Ascend 5) No description available. |
| 111 | Multicast-GLeave-Delay | (Ascend 5) No description available. |
| 112 | CBCP-Enable | (Ascend 5) No description available. |
| 113 | CBCP-Mode | (Ascend 5) No description available. |
| 114 | CBCP-Delay | (Ascend 5) No description available. |
| 115 | CBCP-Trunk-Group | (Ascend 5) No description available. |
| 116 | Appletalk-Route | (Ascend 5) No description available. |
| 117 | Appletalk-Peer-Mode | (Ascend 5) No description available. |
| 118 | Route-Appletalk | (Ascend 5) No description available. |
| 119 | FCP-Parameter | (Ascend 5) No description available. |
| 120 | Modem-PortNo | (Ascend 5) No description available. |
| 121 | Modem-SlotNo | (Ascend 5) No description available. |
| 122 | Modem-ShelfNo | (Ascend 5) No description available. |
| 123 | Call-Attempt-Limit | (Ascend 5) No description available. |
| 124 | Call-Block-Duration | (Ascend 5) No description available. |
| 125 | Maximum-Call-Duration | (Ascend 5) No description available. |
| 126 | Router-Preference | (Ascend 5) No description available. |
| 127 | Tunneling-Protocol | (Ascend 5) No description available. |
| 128 | Shared-Profile-Enable | (Ascend 5) No description available. |
| 129 | Primary-Home-Agent | (Ascend 5) No description available. |
| 130 | Secondary-Home-Agent | (Ascend 5) No description available. |
| 131 | Dialout-Allowed | (Ascend 5) No description available. |
| 133 | BACP-Enable | (Ascend 5) No description available. |
| 134 | DHCP-Maximum-Leases | (Ascend 5) No description available. |
| 135 | Primary-DNS-Server | Identifies a primary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. |
| 136 | Secondary-DNS-Server | Identifies a secondary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. |
| 137 | Client-Assign-DNS | No description available. |
| 138 | User-Acct-Type | No description available. |
| 139 | User-Acct-Host | No description available. |
| 140 | User-Acct-Port | No description available. |
| 141 | User-Acct-Key | No description available. |
| 142 | User-Acct-Base | No description available. |
| 143 | User-Acct-Time | No description available. |
| 144 | Assign-IP-Client | No description available. |
| 145 | Assign-IP-Server | No description available. |
| 146 | Assign-IP-Global-Pool | No description available. |
| 147 | DHCP-Reply | No description available. |
| 148 | DHCP-Pool-Number | No description available. |
| 149 | Expect-Callback | No description available. |
| 150 | Event-Type | No description available. |
| 151 | Session-Svr-Key | No description available. |
| 152 | Multicast-Rate-Limit | No description available. |
| 153 | IF-Netmask | No description available. |
| 154 | Remote-Addr | No description available. |
| 155 | Multicast-Client | No description available. |
| 156 | FR-Circuit-Name | No description available. |
| 157 | FR-LinkUp | No description available. |
| 158 | FR-Nailed-Grp | No description available. |
| 159 | FR-Type | No description available. |
| 160 | FR-Link-Mgt | No description available. |
| 161 | FR-N391 | No description available. |
| 162 | FR-DCE-N392 | No description available. |
| 163 | FR-DTE-N392 | No description available. |
| 164 | FR-DCE-N393 | No description available. |
| 165 | FR-DTE-N393 | No description available. |
| 166 | FR-T391 | No description available. |
| 167 | FR-T392 | No description available. |
| 168 | Bridge-Address | No description available. |
| 169 | TS-Idle-Limit | No description available. |
| 170 | TS-Idle-Mode | No description available. |
| 171 | DBA-Monitor | No description available. |
| 172 | Base-Channel-Count | No description available. |
| 173 | Minimum-Channels | No description available. |
| 174 | IPX-Route | No description available. |
| 175 | FT1-Caller | No description available. |
| 176 | Backup | No description available. |
| 177 | Call-Type | No description available. |
| 178 | Group | No description available. |
| 179 | FR-DLCI | No description available. |
| 180 | FR-Profile-Name | No description available. |
| 181 | Ara-PW | No description available. |
| 182 | IPX-Node-Addr | No description available. |
| 183 | Home-Agent-IP-Addr | Indicates the home agent’s IP address (in dotted decimal format) when using Ascend Tunnel Management Protocol (ATMP). |
| 184 | Home-Agent-Password | With ATMP, specifies the password that the foreign agent uses to authenticate itself. |
| 185 | Home-Network-Name | With ATMP, indicates the name of the connection profile to which the home agent sends all packets. |
| 186 | Home-Agent-UDP-Port | Indicates the UDP port number the foreign agent uses to send ATMP messages to the home agent. |
| 187 | Multilink-ID | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. The Multilink-ID attribute is sent in authentication-response packets. |
| 188 | Num-In-Multilink | Reports the number of sessions remaining in a multilink bundle when the session reported in an accounting-stop packet closes. This attribute applies to sessions that are part of a multilink bundle. The Num-In-Multilink attribute is sent in authentication-response packets and in some accounting-request packets. |
| 189 | First-Dest | Records the destination IP address of the first packet received after authentication. |
| 190 | Pre-Input-Octets | Records the number of input octets before authentication. The Pre-Input-Octets attribute is sent in accounting-stop records. |
| 191 | Pre-Output-Octets | Records the number of output octets before authentication. The Pre-Output-Octets attribute is sent in accounting-stop records. |
| 192 | Pre-Input-Packets | Records the number of input packets before authentication. The Pre-Input-Packets attribute is sent in accounting-stop records. |
| 193 | Pre-Output-Packets | Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
| 194 | Maximum-Time | Specifies the maximum length of time (in seconds) allowed for any session. After the session reaches the time limit, its connection is dropped. |
| 195 | Disconnect-Cause | Specifies the reason a connection was taken offline. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. For more information, refer to the table of Disconnect-Cause Attribute Values and their meanings. |
| 196 | Connect-Progress | Indicates the connection state before the connection is disconnected. |
| 197 | Data-Rate | Specifies the average number of bits per second over the course of the connection’s lifetime. The Data-Rate attribute is sent in accounting-stop records. |
| 198 | PreSession-Time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. The PreSession-Time attribute is sent in accounting-stop records. |
| 199 | Token-Idle | Indicates the maximum amount of time (in minutes) a cached token can remain alive between authentications. |
| 201 | Require-Auth | Defines whether additional authentication is required for class that has been CLID authenticated. |
| 202 | Number-Sessions | Specifies the number of active sessions (per class) reported to the RADIUS accounting server. |
| 203 | Authen-Alias | Defines the RADIUS server’s login name during PPP authentication. |
| 204 | Token-Expiry | Defines the lifetime of a cached token. |
| 205 | Menu-Selector | Defines a string to be used to cue a user to input data. |
| 206 | Menu-Item | Specifies a single menu-item for a user-profile. Up to 20 menu items can be assigned per profile. |
| 207 | PW-Warntime | (Ascend 5) No description available. |
| 208 | PW-Lifetime | Enables you to specify on a per-user basis the number of days that a password is valid. |
| 209 | IP-Direct | When you include this attribute in a user’s file entry, a framed route is installed to the routing and bridging tables. Note: Packet routing is dependent upon the entire table, not just this newly installed entry. The inclusion of this attribute does not guarantee that all packets should be sent to the specified IP address; thus, this attribute is not fully supported. These attribute limitations occur because the Cisco router cannot bypass all internal routing and bridging tables and send packets to a specified IP address. |
| 210 | PPP-VJ-Slot-Comp | Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link. |
| 211 | PPP-VJ-1172 | Instructs PPP to use the 0x0037 value for VJ compression. |
| 212 | PPP-Async-Map | Gives the Cisco router the asynchronous control character map for the PPP session. The specified control characters are passed through the PPP link as data and used by applications running over the link. |
| 213 | Third-Prompt | Defines a third prompt (after username and password) for additional user input. |
| 214 | Send-Secret | Enables an encrypted password to be used in place of a regular password in outdial profiles. |
| 215 | Receive-Secret | Enables an encrypted password to be verified by the RADIUS server. |
| 216 | IPX-Peer-Mode | (Ascend 5) No description available. |
| 217 | IP-Pool-Definition | Defines a pool of addresses using the following format: X a.b.c Z; where X is the pool index number, a.b.c is the pool’s starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment. |
| 218 | Assign-IP-Pool | Tells the router to assign the user an IP address from the IP pool. |
| 219 | FR-Direct | Defines whether the connection profile operates in Frame Relay redirect mode. |
| 220 | FR-Direct-Profile | Defines the name of the Frame Relay profile carrying this connection to the Frame Relay switch. |
| 221 | FR-Direct-DLCI | Indicates the DLCI carrying this connection to the Frame Relay switch. |
| 222 | Handle-IPX | Indicates how NCP watchdog requests will be handled. |
| 223 | Netware-Timeout | Defines, in minutes, how long the RADIUS server responds to NCP watchdog packets. |
| 224 | IPX-Alias | Allows you to define an alias for IPX routers requiring numbered interfaces. |
| 225 | Metric | No description available. |
| 226 | PRI-Number-Type | No description available. |
| 227 | Dial-Number | Defines the number to dial. |
| 228 | Route-IP | Indicates whether IP routing is allowed for the user’s file entry. |
| 229 | Route-IPX | Allows you to enable IPX routing. |
| 230 | Bridge | No description available. |
| 231 | Send-Auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. |
| 232 | Send-Passwd | Enables the RADIUS server to specify the password that is sent to the remote end of a connection on outgoing calls. |
| 233 | Link-Compression | Defines whether to turn on or turn off “stac” compression over a PPP link. Link compression is defined as a numeric value as follows: 0: None; 1: Stac; 2: Stac-Draft-9; 3: MS-Stac. |
| 234 | Target-Util | Specifies the load-threshold percentage value for bringing up an additional channel when PPP multilink is defined. |
| 235 | Maximum-Channels | Specifies allowed/allocatable maximum number of channels. |
| 236 | Inc-Channel-Count | No description available. |
| 237 | Dec-Channel-Count | No description available. |
| 238 | Seconds-of-History | No description available. |
| 239 | History-Weigh-Type | No description available. |
| 240 | Add-Seconds | No description available. |
| 241 | Remove-Seconds | No description available. |
| 242 | Data-Filter | Defines per-user IP data filters. These filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied on a first-match basis; therefore, the order in which filter entries are entered is important. |
| 243 | Call-Filter | Defines per-user IP data filters. On a Cisco router, this attribute is identical to the Data-Filter attribute. |
| 244 | Idle-Limit | Specifies the maximum time (in seconds) that any session can be idle. When the session reaches the idle time limit, its connection is dropped. |
| 245 | Preempt-Limit | No description available. |
| 246 | Callback | Allows you to enable or disable callback. |
| 247 | Data-Svc | No description available. |
| 248 | Force-56 | Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available. |
| 249 | Billing Number | No description available. |
| 250 | Call-By-Call | No description available. |
| 251 | Transit-Number | No description available. |
| 252 | Host-Info | No description available. |
| 253 | PPP-Address | Indicates the IP address reported to the calling unit during PPP IPCP negotiations. |
| 254 | MPP-Idle-Percent | No description available. |
| 255 | Xmit-Rate | (Ascend 5) No description available. |

For more information on vendor-proprietary RADIUS attributes, refer to the section “Configuring Router for Vendor-Proprietary RADIUS Server Communication” in the chapter “Configuring RADIUS.”
Feature Information for RADIUS Vendor-Proprietary Attributes
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 6 Feature Information for RADIUS Vendor-Proprietary Attributes

| Feature Name | Releases | Feature Information |
|---|---|---|
| RADIUS Vendor-Proprietary Attributes | 12.2(1)XE | The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. However, some vendors have extended the RADIUS attribute set for specific applications. This document provides Cisco IOS support information for these vendor-proprietary RADIUS attributes. In 12.2(1)XE, this feature was introduced. |

RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor-specific attributes (VSAs), thereby allowing vendors to support their own extended attributes otherwise not suitable for general use.
• Finding Feature Information
• Information About RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
• RADIUS Disconnect-Cause Attribute Values
• Additional References
• Feature Information for RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in
the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named
“cisco-avpair.” The value is a string of the following format:
protocol : attribute sep value *
“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization; protocols that
can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, OUTBOUND. “Attribute” and
“value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and
“sep” is “=” for mandatory attributes and “*” for optional attributes. This allows the full set of features
available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be
activated during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made
optional.
cisco-avpair= "ip:addr-pool*first"
The following example shows how to cause a user logging in from a network access server to have
immediate access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Attribute 26 contains the following three elements:
• Type
• Length
• String (also known as data)
  ◦ Vendor-Id
  ◦ Vendor-Type
  ◦ Vendor-Length
  ◦ Vendor-Data
The figure below shows the packet format for a VSA encapsulated “behind” attribute 26.
Figure 2 VSA Encapsulated Behind Attribute 26
Note It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as Vendor-Data) is dependent on the vendor's definition of that attribute.
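The attribute 26 layout and the cisco-avpair string format described above, as an added Python example (not Cisco code): it walks a block of RADIUS attributes, decodes the Cisco VSAs, and picks out AV pairs that assign an EXEC privilege level, which is the kind of check an auditor would run over captured Access-Accept attributes. The function names and the sample bytes are constructed for illustration, and the rule that each Length counts its own Type and Length octets is taken from RFC 2865.

```python
import struct

VENDOR_SPECIFIC = 26   # IETF attribute that carries VSAs
CISCO_VENDOR_ID = 9    # Cisco's vendor-ID, per the text above
CISCO_AVPAIR = 1       # vendor-type 1, "cisco-avpair"


class MalformedAttribute(ValueError):
    """A length field disagrees with the bytes actually present."""


def iter_tlvs(buf):
    """Yield (type, value) for each Type/Length/Value triple in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute("truncated header at offset %d" % pos)
        t, length = buf[pos], buf[pos + 1]
        # Length counts the Type and Length octets, so it is never below 2
        # and must not run past the end of the enclosing buffer.
        if length < 2 or pos + length > len(buf):
            raise MalformedAttribute("bad length %d at offset %d" % (length, pos))
        yield t, buf[pos + 2:pos + length]
        pos += length


def parse_avpair(text):
    """Parse 'protocol:attribute sep value' ('=' mandatory, '*' optional)."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError("no protocol prefix in %r" % text)
    for i, ch in enumerate(rest):
        if ch in "=*":
            if i == 0:
                raise ValueError("empty attribute name in %r" % text)
            return {"protocol": protocol, "attribute": rest[:i],
                    "mandatory": ch == "=", "value": rest[i + 1:]}
    raise ValueError("no separator in %r" % text)


def cisco_avpairs(attributes):
    """Return every cisco-avpair found in a block of RADIUS attributes."""
    found = []
    for a_type, value in iter_tlvs(attributes):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise MalformedAttribute("attribute 26 too short for Vendor-Id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue  # other vendors define their own Vendor-Data layout
        # Vendor-Type / Vendor-Length / Vendor-Data follow the Vendor-Id.
        for v_type, v_data in iter_tlvs(value[4:]):
            if v_type == CISCO_AVPAIR:
                found.append(parse_avpair(v_data.decode("ascii")))
    return found


def exec_privilege_grants(avpairs, minimum=15):
    """Return the AV pairs that set shell:priv-lvl to at least `minimum`."""
    return [av for av in avpairs
            if av["protocol"].lower() == "shell"
            and av["attribute"] == "priv-lvl"
            and av["value"].isdigit()
            and int(av["value"]) >= minimum]


def tlv(t, value):
    """Encode one Type/Length/Value triple (helper for the sample below)."""
    return bytes([t, len(value) + 2]) + value


def cisco_vsa(text):
    """Wrap an AV pair string as attribute 26 / vendor 9 / vendor-type 1."""
    sub = tlv(CISCO_AVPAIR, text.encode("ascii"))
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


# Constructed sample: a User-Name attribute, two Cisco AV pairs from the
# text above, and one VSA from another vendor (code 311) that is skipped.
SAMPLE = (
    tlv(1, b"alice")
    + cisco_vsa("ip:addr-pool*first")
    + cisco_vsa("shell:priv-lvl=15")
    + tlv(VENDOR_SPECIFIC, struct.pack("!I", 311) + b"\x0b\x04\xaa\xbb")
)

if __name__ == "__main__":
    pairs = cisco_avpairs(SAMPLE)
    for av in pairs:
        print(av)
    print("privileged EXEC grants:", exec_privilege_grants(pairs))
```
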
The table below describes significant fields listed in the Vendor-Specific RADIUS IETF Attributes table
(second table below), which lists supported vendor-specific RADIUS attributes (IETF attribute 26).
Table 7 Vendor-Specific Attributes Table Field Descriptions

| Field | Description |
|---|---|
| Number | All attributes listed in the following table are extensions of IETF attribute 26. |
| Vendor-Specific Command Codes | A defined code used to identify a particular vendor. Code 9 defines Cisco VSAs, 311 defines Microsoft VSAs, and 529 defines Ascend VSAs. |
| Sub-Type Number | The attribute ID number. This number is much like the ID numbers of IETF attributes, except it is a “second layer” ID number encapsulated behind attribute 26. |
| Attribute | The ASCII string name of the attribute. |
| Description | Description of the attribute. |

Table 8
Vendor-Specific RADIUS IETF Attributes
Number
Vendor-Specific
Company Code
Sub-Type Number
Attribute
Description
26
311
1
MSCHAP-Response
Contains the response
value provided by a
PPP MS-CHAP user in
response to the
challenge. It is only
used in Access-Request
packets. This attribute is
identical to the PPP
CHAP Identifier. ( RFC
2548
26
311
11
MSCHAP-Challenge
Contains the challenge
sent by a network
access server to an MSCHAP user. It can be
used in both AccessRequest and AccessChallenge packets.
( RFC 2548 )
MS-CHAP Attributes
VPDN Attributes
RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T
59
RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
Information About RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
Number
Vendor-Specific
Company Code
Sub-Type Number
Attribute
Description
26
9
1
l2tp-cm-local-windowsize
Specifies the maximum
receive window size for
L2TP control messages.
This value is advertised
to the peer during
tunnel establishment.
26
9
1
l2tp-drop-out-of-order
Respects sequence
numbers on data
packets by dropping
those that are received
out of order. This does
not ensure that sequence
numbers will be sent on
data packets, just how
to handle them if they
are received.
26
9
1
l2tp-hello-interval
Specifies the number of
seconds for the hello
keepalive interval.
Hello packets are sent
when no data has been
sent on a tunnel for the
number of seconds
configured here.
26
9
1
l2tp-hidden-avp
When enabled, sensitive
AVPs in L2TP control
messages are scrambled
or hidden.
26
9
1
l2tp-nosession-timeout
Specifies the number of
seconds that a tunnel
will stay active with no
sessions before timing
out and shutting down.
26
9
1
tunnel-tos-reflect
Copies the IP ToS field
from the IP header of
each payload packet to
the IP header of the
tunnel packet for
packets entering the
tunnel at the LNS.
26
9
1
l2tp-tunnel-authen
If this attribute is set, it
performs L2TP tunnel
authentication.
RADIUS Attributes Configuration Guide Cisco IOS Release 12.4T
60
RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
Information About RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
Number
Vendor-Specific
Company Code
Sub-Type Number
Attribute
Description
26
9
1
l2tp-tunnel-password
Shared secret used for
L2TP tunnel
authentication and AVP
hiding.
26
9
1
l2tp-udp-checksum
This is an authorization
attribute and defines
whether L2TP should
perform UDP
checksums for data
packets. Valid values
are “yes” and “no.” The
default is no.
26
9
3
Fax-Account-Id-Origin
Indicates the account ID
origin as defined by
system administrator for
the mmoip aaa receiveid or the mmoip aaa
send-id commands.
26
9
4
Fax-Msg-Id=
Indicates a unique fax
message identification
number assigned by
Store and Forward Fax.
26
9
5
Fax-Pages
Indicates the number of
pages transmitted or
received during this fax
session. This page count
includes cover pages.
Store and Forward Fax Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
|---|---|---|---|---|
| 26 | 9 | 6 | Fax-Coverpage-Flag | Indicates whether or not a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated; false means that a cover page was not generated. |
| 26 | 9 | 7 | Fax-Modem-Time | Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. |
| 26 | 9 | 8 | Fax-Connect-Speed | Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. |
| 26 | 9 | 9 | Fax-Recipient-Count | Indicates the number of recipients for this fax transmission. Until e-mail servers support Session mode, the number should be 1. |
| 26 | 9 | 10 | Fax-Process-Abort-Flag | Indicates that the fax session was aborted or successful. True means that the session was aborted; false means that the session was successful. |
| 26 | 9 | 11 | Fax-Dsn-Address | Indicates the address to which DSNs will be sent. |
| 26 | 9 | 12 | Fax-Dsn-Flag | Indicates whether or not DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled. |
| 26 | 9 | 13 | Fax-Mdn-Address | Indicates the address to which MDNs will be sent. |
| 26 | 9 | 14 | Fax-Mdn-Flag | Indicates whether or not message delivery notification (MDN) has been enabled. True indicates that MDN has been enabled; false means that MDN has not been enabled. |
| 26 | 9 | 15 | Fax-Auth-Status | Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. |
| 26 | 9 | 16 | Email-Server-Address | Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. |
| 26 | 9 | 17 | Email-Server-Ack-Flag | Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. |
| 26 | 9 | 18 | Gateway-Id | Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domainname. |
| 26 | 9 | 19 | Call-Type | Describes the type of fax activity: fax receive or fax send. |
| 26 | 9 | 20 | Port-Used | Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. |
| 26 | 9 | 21 | Abort-Cause | If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. |
H323 Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
|---|---|---|---|---|
| 26 | 9 | 23 | Remote-Gateway-ID (h323-remote-address) | Indicates the IP address of the remote gateway. |
| 26 | 9 | 24 | Connection-ID (h323-conf-id) | Identifies the conference ID. |
| 26 | 9 | 25 | Setup-Time (h323-setup-time) | Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time. |
| 26 | 9 | 26 | Call-Origin (h323-call-origin) | Indicates the origin of the call relative to the gateway. Possible values are originating and terminating (answer). |
| 26 | 9 | 27 | Call-Type (h323-call-type) | Indicates call leg type. Possible values are telephony and VoIP. |
| 26 | 9 | 28 | Connect-Time (h323-connect-time) | Indicates the connection time for this call leg in UTC. |
| 26 | 9 | 29 | Disconnect-Time (h323-disconnect-time) | Indicates the time this call leg was disconnected in UTC. |
| 26 | 9 | 30 | Disconnect-Cause (h323-disconnect-cause) | Specifies the reason a connection was taken offline per Q.931 specification. |
| 26 | 9 | 31 | Voice-Quality (h323-voice-quality) | Specifies the impairment factor (ICPIF) affecting voice quality for a call. |
| 26 | 9 | 33 | Gateway-ID (h323-gw-id) | Indicates the name of the underlying gateway. |
Large Scale Dialout Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
|---|---|---|---|---|
| 26 | 9 | 1 | callback-dialstring | Defines a dialing string to be used for callback. |
| 26 | 9 | 1 | data-service | No description available. |
| 26 | 9 | 1 | dial-number | Defines the number to dial. |
| 26 | 9 | 1 | force-56 | Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available. |
| 26 | 9 | 1 | map-class | Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out. |
| 26 | 9 | 1 | send-auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. |
| 26 | 9 | 1 | send-name | PPP name authentication. To apply for PAP, do not configure the ppp pap sent-name password command on the interface. For PAP, “preauth:send-name” and “preauth:send-secret” will be used as the PAP username and PAP password for outbound authentication. For CHAP, “preauth:send-name” will be used not only for outbound authentication, but also for inbound authentication. For a CHAP inbound case, the NAS will use the name defined in “preauth:send-name” in the challenge packet to the caller box. Note: The send-name attribute has changed over time: Initially, it performed the functions now provided by both the send-name and remote-name attributes. Because the remote-name attribute has been added, the send-name attribute is restricted to its current behavior. |
| 26 | 9 | 1 | send-secret | PPP password authentication. The vendor-specific attributes (VSAs) “preauth:send-name” and “preauth:send-secret” will be used as the PAP username and PAP password for outbound authentication. For a CHAP outbound case, both “preauth:send-name” and “preauth:send-secret” will be used in the response packet. |
| 26 | 9 | 1 | remote-name | Provides the name of the remote host for use in large-scale dial-out. Dialer checks that the large-scale dial-out remote name matches the authenticated name, to protect against accidental user RADIUS misconfiguration. (For example, dialing a valid phone number but connecting to the wrong router.) |
Miscellaneous Attributes

| Number | Vendor-Specific Company Code | Sub-Type Number | Attribute | Description |
|---|---|---|---|---|
| 26 | 9 | 2 | Cisco-NAS-Port | Specifies additional vendor specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form of an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note: This VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets. |
| 26 | 9 | 1 | min-links | Sets the minimum number of links for MLP. |
| 26 | 9 | 1 | proxyacl#<n> | Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces. |
| 26 | 9 | 1 | spi | Carries the authentication information needed by the home agent to authenticate a mobile node during registration. The information is in the same syntax as the ip mobile secure host <addr> configuration command. Basically it contains the rest of the configuration command that follows that string, verbatim. It provides the Security Parameter Index (SPI), key, authentication algorithm, authentication mode, and replay protection timestamp range. |
For more information on configuring your NAS to recognize and use VSAs, refer to the “Configuring
Router to Use Vendor-Specific RADIUS Attributes” section of the “Configuring RADIUS” module.
RADIUS Disconnect-Cause Attribute Values
Disconnect-cause attribute values specify the reason a connection was taken offline. The attribute values
are sent in Accounting request packets. These values are sent at the end of a session, even if the session
fails to be authenticated. If the session is not authenticated, the attribute can cause stop records to be
generated without first generating start records.
The table below lists the cause codes, values, and descriptions for the Disconnect-Cause (195) attribute.
Note: The Disconnect-Cause is incremented by 1000 when it is used in RADIUS AVPairs; for example, disc-cause 4 becomes 1004.

Table 9: Disconnect-Cause Attribute Values

| Cause Code | Value | Description |
|---|---|---|
| 0 | No-Reason | No reason is given for the disconnect. |
| 1 | No-Disconnect | The event was not disconnected. |
| 2 | Unknown | Reason unknown. |
| 3 | Call-Disconnect | The call has been disconnected. |
| 4 | CLID-Authentication-Failure | Failure to authenticate number of the calling-party. |
| 9 | No-Modem-Available | A modem is not available to connect the call. |
| 10 | No-Carrier | No carrier detected. Note: Codes 10, 11, and 12 can be sent if there is a disconnection during initial modem connection. |
| 11 | Lost-Carrier | Loss of carrier. |
| 12 | No-Detected-Result-Codes | Failure to detect modem result codes. |
| 20 | User-Ends-Session | User terminates a session. Note: Codes 20, 22, 23, 24, 25, 26, 27, and 28 apply to EXEC sessions. |
| 21 | Idle-Timeout | Timeout waiting for user input. Codes 21, 100, 101, 102, and 120 apply to all session types. |
| 22 | Exit-Telnet-Session | Disconnect due to exiting Telnet session. |
| 23 | No-Remote-IP-Addr | Could not switch to SLIP/PPP; the remote end has no IP address. |
| 24 | Exit-Raw-TCP | Disconnect due to exiting raw TCP. |
| 25 | Password-Fail | Bad passwords. |
| 26 | Raw-TCP-Disabled | Raw TCP disabled. |
| 27 | Control-C-Detected | Control-C detected. |
| 28 | EXEC-Process-Destroyed | EXEC process destroyed. |
| 29 | Close-Virtual-Connection | User closes a virtual connection. |
| 30 | End-Virtual-Connection | Virtual connection has ended. |
| 31 | Exit-Rlogin | User exits Rlogin. |
| 32 | Invalid-Rlogin-Option | Invalid Rlogin option selected. |
| 33 | Insufficient-Resources | Insufficient resources. |
| 40 | Timeout-PPP-LCP | PPP LCP negotiation timed out. Note: Codes 40 through 49 apply to PPP sessions. |
| 41 | Failed-PPP-LCP-Negotiation | PPP LCP negotiation failed. |
| 42 | Failed-PPP-PAP-Auth-Fail | PPP PAP authentication failed. |
| 43 | Failed-PPP-CHAP-Auth | PPP CHAP authentication failed. |
| 44 | Failed-PPP-Remote-Auth | PPP remote authentication failed. |
| 45 | PPP-Remote-Terminate | PPP received a Terminate Request from remote end. |
| 46 | PPP-Closed-Event | Upper layer requested that the session be closed. |
| 47 | NCP-Closed-PPP | PPP session closed because there were no NCPs open. |
| 48 | MP-Error-PPP | PPP session closed because of an MP error. |
| 49 | PPP-Maximum-Channels | PPP session closed because maximum channels were reached. |
| 50 | Tables-Full | Disconnect due to full terminal server tables. |
| 51 | Resources-Full | Disconnect due to full internal resources. |
| 52 | Invalid-IP-Address | IP address is not valid for Telnet host. |
| 53 | Bad-Hostname | Hostname cannot be validated. |
| 54 | Bad-Port | Port number is invalid or missing. |
| 60 | Reset-TCP | TCP connection has been reset. Note: Codes 60 through 67 apply to Telnet or raw TCP sessions. |
| 61 | TCP-Connection-Refused | TCP connection has been refused by the host. |
| 62 | Timeout-TCP | TCP connection has timed out. |
| 63 | Foreign-Host-Close-TCP | TCP connection has been closed. |
| 64 | TCP-Network-Unreachable | TCP network is unreachable. |
| 65 | TCP-Host-Unreachable | TCP host is unreachable. |
| 66 | TCP-Network-Admin Unreachable | TCP network is unreachable for administrative reasons. |
| 67 | TCP-Port-Unreachable | TCP port is unreachable. |
| 100 | Session-Timeout | Session timed out. |
| 101 | Session-Failed-Security | Session failed for security reasons. |
| 102 | Session-End-Callback | Session terminated due to callback. |
| 120 | Invalid-Protocol | Call refused because the detected protocol is disabled. |
| 150 | RADIUS-Disconnect | Disconnected by RADIUS request. |
| 151 | Local-Admin-Disconnect | Administrative disconnect. |
| 152 | SNMP-Disconnect | Disconnected by SNMP request. |
| 160 | V110-Retries | Allowed V.110 retries have been exceeded. |
| 170 | PPP-Authentication-Timeout | PPP authentication timed out. |
| 180 | Local-Hangup | Disconnected by local hangup. |
| 185 | Remote-Hangup | Disconnected by remote end hangup. |
| 190 | T1-Quiesced | Disconnected because T1 line was quiesced. |
| 195 | Call-Duration | Disconnected because the maximum duration of the call was exceeded. |
| 600 | VPN-User-Disconnect | Call disconnected by client (through PPP). Code is sent if the LNS receives a PPP terminate request from the client. |
| 601 | VPN-Carrier-Loss | Loss of carrier. This can be the result of a physical line going dead. Code is sent when a client is unable to dial out using a dialer. |
| 602 | VPN-No-Resources | No resources available to handle the call. Code is sent when the client is unable to allocate memory (running low on memory). |
| 603 | VPN-Bad-Control-Packet | Bad L2TP or L2F control packets. This code is sent when an invalid control packet, such as missing mandatory Attribute-Value pairs (AVP), from the peer is received. When using L2TP, the code will be sent after six retransmits; when using L2F, the number of retransmits is user configurable. Note: VPN-Tunnel-Shut will be sent if there are active sessions in the tunnel. |
| 604 | VPN-Admin-Disconnect | Administrative disconnect. This can be the result of a VPN soft shutdown, which is when a client reaches maximum session limit or exceeds maximum hopcount. Code is sent when a tunnel is brought down by issuing the clear vpdn tunnel command. |
| 605 | VPN-Tunnel-Shut | Tunnel teardown or tunnel setup has failed. Code is sent when there are active sessions in a tunnel and the tunnel goes down. Note: This code is not sent when tunnel authentication fails. |
| 606 | VPN-Local-Disconnect | Call is disconnected by LNS PPP module. Code is sent when the LNS sends a PPP terminate request to the client. It indicates a normal PPP disconnection initiated by the LNS. |
| 607 | VPN-Session-Limit | VPN soft shutdown is enabled. Code is sent when a call has been refused due to any of the soft shutdown restrictions previously mentioned. |
| 608 | VPN-Call-Redirect | VPN call redirect is enabled. |
For Q.850 cause codes and descriptions, see the Cisco IOS Voice Troubleshooting and Monitoring Guide,
Release 12.4T.
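The section above notes that an unauthenticated session can produce a stop record with no start record, and that the cause code is offset by 1000 inside an AVPair. The following added example (not Cisco code) uses both facts to count failed authentication attempts per caller; the record layout, the "disc-cause=NNNN" string form, and the sample records are constructed assumptions.

```python
from collections import Counter

# Cause codes from the Disconnect-Cause table that indicate an authentication
# or security failure rather than an ordinary hang-up or timeout.
AUTH_FAILURE_CAUSES = {
    4: "CLID-Authentication-Failure",
    25: "Password-Fail",
    42: "Failed-PPP-PAP-Auth-Fail",
    43: "Failed-PPP-CHAP-Auth",
    44: "Failed-PPP-Remote-Auth",
    101: "Session-Failed-Security",
}
AVPAIR_OFFSET = 1000  # added to the code when it travels in an AVPair


def normalize_cause(record):
    """Return the table cause code for one record, or None if it has none."""
    if "disconnect_cause" in record:            # attribute 195: code as-is
        return int(record["disconnect_cause"])
    name, sep, value = record.get("avpair", "").partition("=")
    if sep and name.strip() == "disc-cause" and value.strip().isdigit():
        code = int(value)
        # Every code in the table is below 1000, so a larger value can only
        # be a code carrying the AVPair offset.
        return code - AVPAIR_OFFSET if code >= AVPAIR_OFFSET else code
    return None


def failed_auth_stops(records):
    """Return (record, code) for stop records that never had a start record
    and whose cause is an authentication or security failure."""
    started = set()
    hits = []
    for rec in records:
        if rec["status"] == "Start":
            started.add(rec["session_id"])
        elif rec["status"] == "Stop":
            code = normalize_cause(rec)
            if rec["session_id"] not in started and code in AUTH_FAILURE_CAUSES:
                hits.append((rec, code))
    return hits


def failures_by_caller(records):
    """Count failed-authentication stop records per (caller, cause name)."""
    counts = Counter()
    for rec, code in failed_auth_stops(records):
        counts[(rec["caller"], AUTH_FAILURE_CAUSES[code])] += 1
    return counts


# Constructed accounting records (hypothetical field names and callers).
SAMPLE_RECORDS = [
    {"session_id": "s1", "status": "Start", "caller": "5550100"},
    {"session_id": "s1", "status": "Stop", "caller": "5550100", "disconnect_cause": 20},
    {"session_id": "s2", "status": "Stop", "caller": "5550123", "avpair": "disc-cause=1043"},
    {"session_id": "s3", "status": "Stop", "caller": "5550123", "avpair": "disc-cause=1043"},
    {"session_id": "s4", "status": "Stop", "caller": "5550199", "disconnect_cause": 4},
    {"session_id": "s5", "status": "Stop", "caller": "5550177", "avpair": "disc-cause=1011"},
]

if __name__ == "__main__":
    for (caller, cause), n in sorted(failures_by_caller(SAMPLE_RECORDS).items()):
        print(f"{caller}: {n} x {cause}")
```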
Additional References
The following sections provide references related to RADIUS Vendor-Specific Attributes (VSA) and
RADIUS Disconnect-Cause Attribute Values.
Related Documents
Related Topic
Document Title
Security Features
Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0.
Security Server Protocols
RADIUS Configuration
“Configuring RADIUS” module.
Standards

| Standard | Title |
|---|---|
| Internet Engineering Task Force (IETF) Internet Draft: Network Access Servers Requirements | Network Access Servers Requirements: Extended RADIUS Practices |

MIBs

| MIB | MIBs Link |
|---|---|
| No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |

RFCs

| RFC | Title |
|---|---|
| RFC 2865 | Remote Authentication Dial In User Service (RADIUS) |

Technical Assistance

| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport |
Feature Information for RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 10: Feature Information for RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

| Feature Name | Releases | Feature Information |
|---|---|---|
| RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values | 12.0(30)S3s, 12.3(11)YS1, 12.2(33)SRC | This document discusses the Internet Engineering Task Force (IETF) draft standard, which specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor specific attributes, thereby allowing vendors to support their own extended attributes otherwise not suitable for general use. This feature was introduced into Cisco IOS Release 12.0(30)S3s. This feature was integrated into Cisco IOS Release 12.3(11)YS1. This feature was integrated into Cisco IOS Release 12.2(33)SRC. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.
Connect-Info RADIUS Attribute 77
The Connect-Info RADIUS Attribute 77 feature enables the Network Access Server (NAS) to report
Connect-Info (attribute 77) in RADIUS accounting “start” and “stop” records that are sent to the RADIUS
client (dial-in modem). These records allow the transmit and receive connection speeds, modulation, and
compression to be compared in order to analyze a user session over a dial-in modem where speeds are
often different at the end of the connection (after negotiation).
When the network access server (NAS) sends attribute 77 in accounting “start” and “stop” records, the
connect rates can be measured across the platform. The “transmit” speed (the speed at which the NAS
modem sends information) and “receive” speed (the speed at which the NAS receives information) can be
recorded to determine whether user modem connections renegotiate to lower speeds shortly into a session.
If the transmit and receive speeds are different from each other, attribute 77 reports both speeds, which
shows the modem connection speeds that each customer gets from their session.
Attribute 77 is also used to send the Class string for broadband connections such as PPPoX, physical
connection speeds for dial access, and the VRF string for any sessions on router interfaces defined with the
ip vrf forwarding command.
Note: This feature requires no configuration.
• Finding Feature Information
• Prerequisites for Connect-Info RADIUS Attribute 77
• How to Verify the Connect-Info RADIUS Attribute 77
• Configuration Example for Connect-Info RADIUS Attribute 77
• Additional References
• Feature Information for Connect-Info RADIUS Attribute 77
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Connect-Info RADIUS Attribute 77
Before the NAS can send attribute 77 in accounting “start” and “stop” records, you must perform the
following tasks:
• Configure your NAS for authentication, authorization, and accounting (AAA) and to accept incoming
  modem calls.
• Enable AAA accounting by using the aaa accounting network default start-stop group radius
  command in global configuration mode.
• Change the modem poll timer by using the modem link-info poll time command in global
  configuration mode. (Changing the modem poll timer is required on all supported platforms except the
  Cisco AS5400.)
How to Verify the Connect-Info RADIUS Attribute 77
To verify attribute 77 in your accounting “start” and “stop” records, use the debug radius privileged EXEC
command. The following example shows that Connect-Info appears in the first and last accounting
attributes:
Router# debug radius
RADIUS: code=Acct-Request id=04 len=0134
authenticator=BE A2 F3 BD EE CE 89 C7 - 48 19 32 F5 79 84 94 D5
T=Connect-Info[77]
L=17 V="31200/33600 V34+/LAPM"
T=Acct-Status-Type[40]
L=06 V=Start
[1]
...
RADIUS: code=Acct-Request id=07 len=0226
authenticator=06 AC 03 10 4A 84 44 A4 - 6F D9 68 AA B3 90 44 CB
...
T=Connect-Info[77]
L=1F V="33600 V34+/LAPM (31200/336"
T=Acct-Status-Type[40]
L=06 V=Stop
[2]
...
Note: If the modem negotiation speeds are different, the speeds are shown in a bracket format at the end of
the call.
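The following added example (not Cisco code) pulls Connect-Info out of debug radius text like the output above, pairs it with the record's Acct-Status-Type, and flags values that the display cut short. It assumes the L field is hexadecimal and counts the two type and length octets, which matches the start record shown; it does not assume which of two speeds is transmit and which is receive.

```python
import re

TLV_TYPE = re.compile(r"T=([\w-]+)\[(\d+)\]")
TLV_VALUE = re.compile(r'L=([0-9A-Fa-f]+)\s+V=(?:"([^"]*)"|(\S+))')

# Lines copied from the debug output above; the "..." and "[n]" lines are kept
# to show that the parser skips them.
SAMPLE_DEBUG = '''\
RADIUS: code=Acct-Request id=04 len=0134
authenticator=BE A2 F3 BD EE CE 89 C7 - 48 19 32 F5 79 84 94 D5
T=Connect-Info[77]
L=17 V="31200/33600 V34+/LAPM"
T=Acct-Status-Type[40]
L=06 V=Start
[1]
...
RADIUS: code=Acct-Request id=07 len=0226
authenticator=06 AC 03 10 4A 84 44 A4 - 6F D9 68 AA B3 90 44 CB
...
T=Connect-Info[77]
L=1F V="33600 V34+/LAPM (31200/336"
T=Acct-Status-Type[40]
L=06 V=Stop
[2]
...
'''


def parse_packets(text):
    """Return one {attribute name: info} dict per 'RADIUS: code=' packet."""
    packets, attrs, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RADIUS: code="):
            attrs, pending = {}, None
            packets.append(attrs)
            continue
        if attrs is None:
            continue
        t = TLV_TYPE.search(line)
        if t:
            pending = t.group(1)
        v = TLV_VALUE.search(line)
        if v and pending:
            quoted, bare = v.group(2), v.group(3)
            value = quoted if quoted is not None else bare
            declared = int(v.group(1), 16) - 2   # minus type and length octets
            attrs[pending] = {
                "value": value,
                "declared_len": declared,
                # Only quoted strings are shown octet for octet.
                "truncated": quoted is not None and declared > len(value),
            }
            pending = None
    return packets


def connect_info_by_status(text):
    """Map 'Start' / 'Stop' to the Connect-Info found in the same packet."""
    out = {}
    for attrs in parse_packets(text):
        status = attrs.get("Acct-Status-Type", {}).get("value")
        info = attrs.get("Connect-Info")
        if status and info:
            out[status] = info
    return out


def speeds(info):
    """Speeds in a Connect-Info value, ignoring digits inside names like V34."""
    nums = re.findall(r"(?<![A-Za-z\d])\d{3,}", info["value"])
    if info["truncated"] and info["value"][-1:].isdigit():
        nums = nums[:-1]          # the last number was cut off by the display
    return [int(n) for n in nums]


if __name__ == "__main__":
    for status, info in connect_info_by_status(SAMPLE_DEBUG).items():
        print(status, speeds(info), "truncated" if info["truncated"] else "complete")
```

In the stop record above, L=1F declares 29 value octets but only 26 are displayed, so the final bracketed number is incomplete and is dropped rather than read as a speed.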
Configuration Example for Connect-Info RADIUS Attribute 77
• Configure NAS for AAA and Incoming Modem Calls Example
Configure NAS for AAA and Incoming Modem Calls Example
The following example is a sample NAS configuration for AAA and incoming modem calls:
interface Serial0:15
 no ip address
 isdn switch-type primary-net5
 isdn incoming-voice modem
!
interface Async1
 ip address 10.0.0.10 255.0.0.0
 encapsulation ppp
 async default routing
 async mode interactive
 no peer default ip address
 ppp authentication chap
!
line 1
 modem InOut
 transport preferred none
 transport input all
 autoselect ppp
!
Additional References
The following sections provide references related to the Connect-Info RADIUS Attribute 77 feature.
Related Documents

| Related Topic | Document Title |
|---|---|
| IOS dial technologies | “Configuring and Managing Cisco Access Servers and Dial Shelves” chapter of the Cisco IOS Dial Technologies Configuration Guide; Cisco IOS Dial Technologies Command Reference |
| RADIUS and security related information | Cisco IOS Security Command Reference |

Standards

| Standard | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | -- |

MIBs

| MIB | MIBs Link |
|---|---|
| No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |

RFCs

| RFC | Title |
|---|---|
| RFC 2869 | RADIUS Extensions |
Feature Information for Connect-Info RADIUS Attribute 77
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 11: Feature Information for Connect-Info RADIUS Attribute 77

| Feature Name | Releases | Feature Information |
|---|---|---|
| Connect-Info RADIUS Attribute 77 | 12.2(11)T, 12.2(33)SRC | The Connect-Info RADIUS Attribute 77 feature enables the network access server (NAS) to report Connect-Info (attribute 77) in RADIUS accounting “start” and “stop” records that are sent to the RADIUS client (dial-in modem). These “start” and “stop” records allow the transmit and receive connection speeds, modulation, and compression to be compared in order to analyze a user session over a dial-in modem where speeds are often different at the end of the connection (after negotiation). This feature was introduced on Cisco IOS Release 12.2(11)T. This feature was integrated into Cisco IOS Release 12.2(33)SRC. This feature supports the following platforms: Cisco AS5300 series, Cisco AS5400 series, Cisco AS5800 series, Cisco AS5850 series. |
Encrypted Vendor-Specific Attributes
The Encrypted Vendor-Specific Attributes feature provides users with a way to centrally manage filters at
a RADIUS server and supports the following types of string vendor-specific attributes (VSAs):
• Tagged String VSA (similar to Cisco VSA type 1 (Cisco:AVPair (1)) except that this new VSA is tagged)
• Encrypted String VSA (similar to Cisco VSA type 1 except that this new VSA is encrypted)
• Tagged and Encrypted String VSA (similar to Cisco VSA type 1 except that this new VSA is tagged and
  encrypted)
Cisco:AVPairs specify additional authentication and authorization information in the form of an
Attribute-Value Pair (AVPair) string. When Internet Engineering Task Force (IETF) RADIUS attribute 26
(Vendor-Specific) is transmitted with a vendor-Id number of “9” and a vendor-type value of “1” (which
means that it is a Cisco AVPair), the RADIUS user profile format for a Cisco AVPair looks as follows:
Cisco:AVPair = “protocol:attribute=value”.
• Finding Feature Information
• Prerequisites for Encrypted Vendor-Specific Attributes
• Information About Encrypted Vendor-Specific Attributes
• How to Verify Encrypted Vendor-Specific Attributes
• Configuration Examples for Encrypted Vendor-Specific Attributes
• Additional References
• Feature Information for Encrypted Vendor-Specific Attributes
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Encrypted Vendor-Specific Attributes
Before the RADIUS server can accept tagged and encrypted VSAs, you must configure your server for
AAA authentication and authorization and to accept PPP calls.
For information on performing these tasks, refer to the chapter “PPP Configuration” in the Cisco IOS Dial
Technologies Configuration Guide, Release 12.4 and the chapters “Configuring Authentication” and
“Configuring Authorization” in the Cisco IOS Security Configuration Guide, Release 12.4.
Information About Encrypted Vendor-Specific Attributes
• Tagged String VSA
• Encrypted String VSA
• Tagged and Encrypted String VSA
Tagged String VSA
The figure below displays the packet format for the Tagged String VSA:
Figure 3: Tagged String VSA Format
To retrieve the correct value, the Tag field must be parsed correctly. The value for this field can range only
from 0x01 through 0x1F. If the value is not within the specified range, the RADIUS server ignores the
value and considers the Tag field to be a part of the Attribute String field.
Encrypted String VSA
The figure below displays the packet format for the Encrypted String VSA:
Figure 4: Encrypted String VSA Format
The Salt field ensures the uniqueness of the encryption key that is used to encrypt each instance of the
VSA. The first and most significant bit of the Salt field must be set to 1.
Note: Vendor-type (36) indicates that the attribute is an encrypted string VSA.
Tagged and Encrypted String VSA
The figure below displays the packet formats for each of the newly supported VSAs:
Figure 5: Tagged and Encrypted String VSA Format
This VSA is similar to encrypted string VSAs except this VSA has an additional Tag field. If the Tag field
is not within the valid range (0x01 through 0x1F), it is considered to be part of the Salt field.
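The Tag and Salt rules from the three VSA sections above, as an added example (not Cisco code). The field widths are assumptions because the figures are not reproduced here: a one-octet Tag and a two-octet Salt, as in the RFC 2868 tagged and salted attributes; the function names and sample byte strings are constructed.

```python
"""Split the value of a string VSA into Tag / Salt / String fields.

Assumed layout (the page's figures are not available): Tag is one octet
and Salt is two octets, as in the RFC 2868 attributes the page references.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TAG_MIN, TAG_MAX = 0x01, 0x1F   # valid Tag range stated on the page
SALT_LEN = 2                    # assumption: two-octet Salt


class VsaFormatError(ValueError):
    """The value cannot be a well-formed encrypted string VSA."""


@dataclass(frozen=True)
class ParsedVsa:
    tag: Optional[int]      # None when the first octet is not a valid tag
    salt: Optional[bytes]   # None for the unencrypted Tagged String VSA
    string: bytes           # attribute string (still ciphertext if salted)


def is_valid_tag(octet: int) -> bool:
    return TAG_MIN <= octet <= TAG_MAX


def _take_salt(value: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, rest), enforcing that the Salt's first bit is 1."""
    if len(value) < SALT_LEN:
        raise VsaFormatError("value too short to hold a Salt field")
    salt, rest = value[:SALT_LEN], value[SALT_LEN:]
    if not salt[0] & 0x80:
        raise VsaFormatError("most significant bit of Salt is not set")
    return salt, rest


def parse_tagged_string(value: bytes) -> ParsedVsa:
    """Tagged String VSA: an out-of-range first octet belongs to the string."""
    if value and is_valid_tag(value[0]):
        return ParsedVsa(tag=value[0], salt=None, string=value[1:])
    return ParsedVsa(tag=None, salt=None, string=value)


def parse_encrypted_string(value: bytes) -> ParsedVsa:
    """Encrypted String VSA: Salt first, then the encrypted string."""
    salt, rest = _take_salt(value)
    return ParsedVsa(tag=None, salt=salt, string=rest)


def parse_tagged_encrypted_string(value: bytes) -> ParsedVsa:
    """Tagged and Encrypted String VSA: out-of-range first octet is Salt.

    A valid Tag is at most 0x1F and a valid Salt starts at 0x80 or above,
    so the two readings can never both be valid for the same value. A first
    octet in between (0x20-0x7F) or 0x00 is rejected by the Salt check.
    """
    if value and is_valid_tag(value[0]):
        salt, rest = _take_salt(value[1:])
        return ParsedVsa(tag=value[0], salt=salt, string=rest)
    salt, rest = _take_salt(value)
    return ParsedVsa(tag=None, salt=salt, string=rest)


if __name__ == "__main__":
    ciphertext = b"\xaa" * 16                       # constructed placeholder
    samples = {
        "tagged + salted": b"\x01\x8a\x3c" + ciphertext,
        "salted, no tag": b"\x8a\x3c" + ciphertext,
        "neither tag nor salt": b"\x41\x8a\x3c" + ciphertext,
    }
    for label, value in samples.items():
        try:
            print(label, "->", parse_tagged_encrypted_string(value))
        except VsaFormatError as exc:
            print(label, "-> rejected:", exc)
```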
How to Verify Encrypted Vendor-Specific Attributes
The Encrypted Vendor-Specific Attributes feature requires no configuration. To verify that RADIUS tagged
and encrypted VSAs are being sent from the RADIUS server, use the following command in
privileged EXEC mode:
Command: Router# debug radius
Purpose: Displays information associated with RADIUS. The output of this command shows whether tagged and encrypted VSAs are being sent from the RADIUS server.
Configuration Examples for Encrypted Vendor-Specific
Attributes
• NAS Configuration Example
• RADIUS User Profile with a Tagged and Encrypted VSA Example
NAS Configuration Example
The following example shows how to configure a network access server (NAS) with a basic configuration
using tagged and encrypted VSAs. (This example assumes that the configuration required to make PPP
calls is already enabled.)
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
!
radius-server host 10.2.2.2 auth-port 1645 acct-port 1646
radius-server key cisco
RADIUS User Profile with a Tagged and Encrypted VSA Example
The following is an example of a user profile on a RADIUS server that supports tagged and encrypted string
VSAs:
mascot
Password = "password1"
Service-Type = NAS-Prompt,
Framed-Protocol = PPP,
Cisco:Cisco-Enc = "ip:route=10.0.0.0 255.0.0.0"
Cisco.attr Cisco-Enc 36 tag-encstr(*,*)
Additional References
The following sections provide references related to the Encrypted Vendor-Specific Attributes.
Related Documents
Related Topic | Document Title
RADIUS Attributes | Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
Standards
Standard | Title
None | --
MIBs
MIB | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
RFC 2865 | Remote Authentication Dial In User Service (RADIUS)
RFC 2868 | RADIUS Attributes for Tunnel Protocol Support
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for Encrypted Vendor-Specific Attributes
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 12: Feature Information for Encrypted Vendor-Specific Attributes
Feature Name | Releases | Feature Information
Encrypted Vendor-Specific Attributes | 12.2(8)T 12.2(28)SB 12.2(33)SRC Cisco IOS XE Release 2.3 | The Encrypted Vendor-Specific Attributes feature provides users with a way to centrally manage filters at a RADIUS server and supports the Tagged String, Encrypted String, and Tagged and Encrypted String vendor-specific attributes (VSAs). This feature was introduced in Cisco IOS Release 12.2(8)T. This feature was integrated into Cisco IOS Release 12.2(28)SB. This feature was integrated into Cisco IOS Release 12.2(33)SRC. In Cisco IOS XE Release 2.3, this feature was implemented on the Cisco ASR 1000 series routers.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.
RADIUS Attribute 5 NAS-Port Format Specified
on a Per-Server Group Level
The RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level feature allows
configurations to be customized for different RADIUS server groups. This flexibility allows customized
network access server- (NAS-) port formats to be used instead of global formats.
• Finding Feature Information
• Prerequisites for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
• Information About RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
• How to Configure RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
• Configuration Examples for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
• Additional References
• Feature Information for RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Attribute 5 NAS-Port Format
Specified on a Per-Server Group Level
• You must be running a Cisco IOS image that contains the authentication, authorization, and
accounting (AAA) component.
Information About RADIUS Attribute 5 NAS-Port Format
Specified on a Per-Server Group Level
• RADIUS Attribute 5 Format Customization
RADIUS Attribute 5 Format Customization
Prior to Cisco IOS Release 12.3(14)T, Cisco IOS software allowed RADIUS attributes that were sent in
access requests or accounting requests to be customized on a global basis. You could customize how each
configurable attribute should function when communicating with a RADIUS server. Since the
implementation of server groups, global attribute configurations were not flexible enough to address the
different customizations that were required to support the various RADIUS servers with which a router
might be interacting. For example, if you configured the global radius-server attribute nas-port format
command option, every service on the router that interacted with a RADIUS server used it in the same
way.
Effective with Cisco IOS Release 12.3(14)T, you can configure your router to support override flexibility
for per-server groups. You can configure services to use specific named methods for different service types
on a RADIUS server. The service types can be set to use their own respective service groups. This
flexibility allows customized NAS-port formats to be used instead of the global formats.
How to Configure RADIUS Attribute 5 NAS-Port Format
Specified on a Per-Server Group Level
• Configuring the RADIUS Attribute 5 Format on a Per-Server Group Level
• Monitoring and Maintaining RADIUS Attribute 5 Format on a Per-Server Group Level
Configuring the RADIUS Attribute 5 Format on a Per-Server Group Level
To configure your router to support the RADIUS Attribute 5 format on a per-server group level, perform
the following steps.
Note: To use this per-server group capability, you must actively use a named method list within your services.
You can configure one client to use a specific named method while other clients use the default format.
Before performing these steps, you should first configure method lists for AAA as is applicable for your
situation.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa group server radius group-name
4. server ip-address [auth-port port-number] [acct-port port-number]
5. attribute nas-port format format-type [string]
DETAILED STEPS
Step 1 enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal
Step 3 aaa group server radius group-name
Purpose: Groups different RADIUS server hosts into distinct lists and distinct methods and enters server-group configuration mode.
Example:
Router (config)# aaa group server radius radius1
Step 4 server ip-address [auth-port port-number] [acct-port port-number]
Purpose: Configures the IP address of the RADIUS server for the group server.
Example:
Router (server-group)# server 172.101.159.172 auth-port 1645 acct-port 1646
Step 5 attribute nas-port format format-type [string]
Purpose: Configures a service to use specific named methods for different service types.
• The service types can be set to use their own respective server groups.
Example:
Router (server-group)# attribute nas-port format d
Monitoring and Maintaining RADIUS Attribute 5 Format on a Per-Server
Group Level
To monitor and maintain RADIUS Attribute 5 Format on a Per-Server Group Level, perform the following
steps (the debug commands may be used separately):
SUMMARY STEPS
1. enable
2. debug aaa sg-server selection
3. debug radius
DETAILED STEPS
Step 1 enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 debug aaa sg-server selection
Purpose: Displays information about why the RADIUS and TACACS+ server group system in a router is choosing a particular server.
Example:
Router# debug aaa sg-server selection
Step 3 debug radius
Purpose: Displays information showing that a server group has been selected for a particular request.
Example:
Router# debug radius
Configuration Examples for RADIUS Attribute 5 NAS-Port
Format Specified on a Per-Server Group Level
• RADIUS Attribute 5 Format Specified on a Per-Server Level Example
RADIUS Attribute 5 Format Specified on a Per-Server Level Example
The following configuration example shows a leased-line PPP client that has chosen to send no RADIUS
Attribute 5 while the default is to use format d:
interface Serial2/0
 no ip address
 encapsulation ppp
 ppp accounting SerialAccounting
 ppp authentication pap
aaa accounting network default start-stop group radius
aaa accounting network SerialAccounting start-stop group group1
aaa group server radius group1
 server 10.101.159.172 auth-port 1645 acct-port 1646
 attribute nas-port none
radius-server host 10.101.159.172 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
Additional References
The following sections provide references related to RADIUS Attribute 5 (NAS-Port) Format Specified on
a Per-Server Group Level.
Related Documents
Related Topic | Document Title
Cisco IOS commands | Cisco IOS Security Command Reference
Configuring AAA and AAA method lists | Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
Standards
Standards | Title
None | --
MIBs
MIBs | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs | Title
None | --
Feature Information for RADIUS Attribute 5 NAS-Port Format
Specified on a Per-Server Group Level
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 13: Feature Information for RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
Feature Name | Releases | Feature Information
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level | 12.3(14)T | The RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level feature allows configurations to be customized for different RADIUS server groups. This flexibility allows customized network access server- (NAS-) port formats to be used instead of global formats. This feature was introduced in Cisco IOS Release 12.3(14)T. The following commands were introduced or modified: attribute nas-port format.
RADIUS Attribute 8 Framed-IP-Address in
Access Requests
The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible for a
network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance
of user authentication. An application can be run on the RADIUS server to use this hint and build a table
(map) of user names and IP addresses. With the RADIUS server, service applications can begin preparing
user login information to have available in advance of a successful user authentication with the RADIUS
server.
• Finding Feature Information
• Prerequisites for RADIUS Attribute 8 Framed-IP-Address in Access Requests
• Information About RADIUS Attribute 8 Framed-IP-Address in Access Requests
• How to Configure RADIUS Attribute 8 Framed-IP-Address in Access Requests
• Configuration Examples for RADIUS Attribute 8 Framed-IP-Address in Access Requests
• Additional References
• Feature Information for RADIUS Attribute 8 Framed-IP-Address in Access Requests
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Attribute 8 Framed-IP-Address in
Access Requests
Sending RADIUS attribute 8 in the RADIUS access requests assumes that the login host has been
configured to request its IP address from the NAS server. It also assumes that the login host has been
configured to accept an IP address from the NAS.
The NAS must be configured with a pool of network addresses on the interface supporting the login hosts.
Information About RADIUS Attribute 8 Framed-IP-Address in
Access Requests
When a network device dials in to a NAS that is configured for RADIUS authentication, the NAS begins
the process of contacting the RADIUS server in preparation for user authentication. Typically, the IP
address of the dial-in host is not communicated to the RADIUS server until after successful user
authentication. Communicating the device IP address to the server in the RADIUS access request allows
other applications to begin to take advantage of that information.
As the NAS is setting up communication with the RADIUS server, the NAS assigns an IP address to the
dial-in host from a pool of IP addresses configured at the specific interface. The NAS sends the IP address
of the dial-in host to the RADIUS server as attribute 8. At that time, the NAS sends other user information,
such as the user name, to the RADIUS server.
After the RADIUS server receives the user information from the NAS, it has two options:
• If the user profile on the RADIUS server already includes attribute 8, the RADIUS server can override
the IP address sent by the NAS with the IP address defined as attribute 8 in the user profile. The
address defined in the user profile is returned to the NAS.
• If the user profile does not include attribute 8, the RADIUS server can accept attribute 8 from the
NAS, and the same address is returned to the NAS.
The address returned by the RADIUS server is saved in memory on the NAS for the life of the session. If
the NAS is configured for RADIUS accounting, the accounting start packet sent to the RADIUS server
includes the same IP address as in attribute 8. All subsequent accounting packets, updates (if configured),
and stop packets will also include the same IP address provided in attribute 8.
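The server-side behavior described above (record the hint from the NAS, then apply one of the two options), as an added example that is not Cisco code. The function names, the `profiles` dictionary and the sample packet are constructed for illustration; the packet layout is the standard RADIUS header followed by type-length-value attributes.

```python
"""Handle Framed-IP-Address (attribute 8) sent as a hint in an Access-Request."""
import ipaddress
import struct
from typing import Dict, Iterator, Optional, Tuple

ACCESS_REQUEST = 1        # RADIUS packet code
USER_NAME = 1             # attribute types
FRAMED_IP_ADDRESS = 8
HEADER_LEN = 20           # code(1) + identifier(1) + length(2) + authenticator(16)

IPv4 = ipaddress.IPv4Address


def iter_attributes(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs, rejecting any inconsistent length field."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length runs past the packet")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def extract_hint(packet: bytes) -> Tuple[str, Optional[IPv4]]:
    """Return (user name, attribute 8 address or None) from an Access-Request."""
    user, hint = None, None
    for attr_type, value in iter_attributes(packet):
        if attr_type == USER_NAME:
            user = value.decode("utf-8", errors="replace")
        elif attr_type == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            hint = IPv4(value)
    if user is None:
        # Choice made for this example: a hint with no user cannot be mapped.
        raise ValueError("Access-Request carries no User-Name")
    return user, hint


def handle_access_request(packet: bytes,
                          profiles: Dict[str, IPv4],
                          hint_table: Dict[str, IPv4]) -> Optional[IPv4]:
    """Record the NAS hint, then pick the address to return to the NAS.

    Option 1: the user profile defines attribute 8, so it overrides the hint.
    Option 2: the profile has no attribute 8, so the NAS address is echoed.
    The hint arrives before authentication; hint_table is only a lookup aid.
    """
    user, hint = extract_hint(packet)
    if hint is not None:
        hint_table[user] = hint
    profile_addr = profiles.get(user)
    return profile_addr if profile_addr is not None else hint


def build_access_request(user: str, framed_ip: Optional[str]) -> bytes:
    """Build a constructed sample packet (all-zero authenticator, id 42)."""
    name = user.encode()
    attrs = bytes([USER_NAME, 2 + len(name)]) + name
    if framed_ip is not None:
        attrs += bytes([FRAMED_IP_ADDRESS, 6]) + IPv4(framed_ip).packed
    header = struct.pack("!BBH16s", ACCESS_REQUEST, 42,
                         HEADER_LEN + len(attrs), bytes(16))
    return header + attrs


if __name__ == "__main__":
    table: Dict[str, IPv4] = {}
    pkt = build_access_request("mascot", "209.165.200.225")
    print("no attribute 8 in profile ->", handle_access_request(pkt, {}, table))
    print("attribute 8 in profile    ->",
          handle_access_request(pkt, {"mascot": IPv4("10.1.1.9")}, table))
    print("hint table:", table)
```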
How to Configure RADIUS Attribute 8 Framed-IP-Address in
Access Requests
• Configuring RADIUS Attribute 8 in Access Requests
• Verifying RADIUS Attribute 8 in Access Requests
Configuring RADIUS Attribute 8 in Access Requests
To send RADIUS attribute 8 in the access request, perform the following steps:
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute 8 include-in-access-req
DETAILED STEPS
Step 1 enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal
Step 3 radius-server attribute 8 include-in-access-req
Purpose: Sends RADIUS attribute 8 in access-request packets.
Example:
Router(config)# radius-server attribute 8 include-in-access-req
Verifying RADIUS Attribute 8 in Access Requests
To verify that RADIUS attribute 8 is being sent in access requests, perform the following steps. Attribute 8
should be present in all PPP access requests.
SUMMARY STEPS
1. enable
2. more system:running-config
3. debug radius
DETAILED STEPS
Step 1 enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 more system:running-config
Purpose: Displays the contents of the current running configuration file. (Note that the more system:running-config command has replaced the show running-config command.)
Example:
Router# more system:running-config
Step 3 debug radius
Purpose: Displays information associated with RADIUS. The output of this command shows whether attribute 8 is being sent in access requests.
Example:
Router# debug radius
Configuration Examples for RADIUS Attribute 8 Framed-IP-Address in Access Requests
• NAS Configuration That Sends the IP Address of the Dial-in Host to the RADIUS Server in the
RADIUS Access Request
NAS Configuration That Sends the IP Address of the Dial-in Host to the
RADIUS Server in the RADIUS Access Request
The following example shows a NAS configuration that sends the IP address of the dial-in host to the
RADIUS server in the RADIUS access request. The NAS is configured for RADIUS authentication,
authorization, and accounting (AAA). A pool of IP addresses (async1-pool) has been configured and
applied at interface Async1.
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
ip address-pool local
!
interface Async1
 peer default ip address pool async1-pool
!
ip local pool async1-pool 209.165.200.225 209.165.200.229
!
radius-server host 172.31.71.146 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server attribute 8 include-in-access-req
radius-server key radhost<xxx>: Example
Additional References
The following sections provide references related to the RADIUS Attribute 8 (Framed-IP-Address) in
Access Requests feature.
Related Documents
Related Topic | Document Title
Configuring authentication and configuring RADIUS | “Configuring Authentication” and “Configuring RADIUS” chapters, Cisco Security Configuration Guide
RFC 2138 (RADIUS) | RFC 2138, Remote Authentication Dial In User Service (RADIUS)
Standards
Standard | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --
MIBs
MIB | MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | --
Feature Information for RADIUS Attribute 8 Framed-IP-Address in Access Requests
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 14: Feature Information for RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
Feature Name | Releases | Feature Information
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests | 12.2(11)T 12.2(28)SB 12.2(33)SRC | The RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature makes it possible for a network access server (NAS) to provide the RADIUS server with a hint of the user IP address in advance of user authentication. An application can be run on the RADIUS server to use this hint and build a table (map) of user names and IP addresses. With the RADIUS server, service applications can begin preparing user login information to have available in advance of a successful user authentication with the RADIUS server. The following commands were introduced or modified: radius-server attribute 8 include-in-access-req.
RADIUS Attribute 82 Tunnel Assignment ID
The RADIUS Attribute 82: Tunnel Assignment ID feature allows the Layer 2 Transport Protocol access
concentrator (LAC) to group users from different per-user or domain RADIUS profiles into the same
active tunnel. Previously, Cisco IOS software assigned a separate virtual private dialup network (VPDN)
tunnel for each per-user or domain RADIUS profile, even if tunnels with identical endpoints already
existed.
This feature improves LAC and L2TP network server (LNS) performance by reducing memory usage,
because fewer tunnel data structures must be maintained. This feature allows the LAC and LNS to handle
a higher volume of users without negatively impacting router performance.
• Finding Feature Information
• Prerequisites for RADIUS Attribute 82 Tunnel Assignment ID
• Restrictions for RADIUS Attribute 82 Tunnel Assignment ID
• Information About RADIUS Attribute 82 Tunnel Assignment ID
• How to Verify if RADIUS Attribute 82 is Being Used by the LAC
• Configuration Examples for RADIUS Attribute 82 Tunnel Assignment ID
• Additional References
• Feature Information for RADIUS Attribute 82 Tunnel Assignment ID
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Attribute 82 Tunnel Assignment ID
You must be using a Cisco platform that supports VPDN to use this feature.
Restrictions for RADIUS Attribute 82 Tunnel Assignment ID
This feature is designed only for VPDN dial-in applications. It does not support VPDN dial-out.
Information About RADIUS Attribute 82 Tunnel Assignment ID
The RADIUS Attribute 82: Tunnel Assignment ID feature defines a new avpair, Tunnel-Assignment-ID,
which allows the LAC to group users from different RADIUS profiles into the same tunnel if the chosen
endpoint, tunnel type, and Tunnel-Assignment-ID are identical.
How to Verify if RADIUS Attribute 82 is Being Used by the LAC
There are no configuration steps for the RADIUS Attribute 82: Tunnel Assignment ID feature. This task
verifies the RADIUS attribute 82 used by the LAC during tunnel authorization.
SUMMARY STEPS
1. enable
2. configure terminal
3. Router# debug radius
DETAILED STEPS
Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal
Step 3: Router# debug radius
Purpose: Displays information associated with RADIUS. The output of this command shows whether attribute 82 is being sent in access requests.
Example:
Router# debug radius
Configuration Examples for RADIUS Attribute 82 Tunnel Assignment ID
• LAC Configuration Example
• LNS Configuration Example
• RADIUS Configuration Example
LAC Configuration Example
The following example configures VPDN on the LAC:
hostname lac
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
vpdn enable
vpdn authen-before-forward
interface Serial2/0:23
 no ip address
 encapsulation ppp
 dialer-group 1
 isdn switch-type primary-5ess
 no fair-queue
dialer-list 1 protocol ip permit
radius-server host lac-radiusd auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key rad123
LNS Configuration Example
The following example configures VPDN on the LNS:
hostname lns
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
vpdn enable
vpdn-group 1
 accept-dialin
  protocol any
  virtual-template 1
interface Loopback0
 ip address 10.1.1.3 255.255.255.0
interface Virtual-Template1
 ip unnumbered Loopback0
 no keepalive
 peer default ip address pool mypool
 ppp authentication chap
ip local pool mypool 10.1.1.10 10.1.1.50
radius-server host lns-radiusd auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
RADIUS Configuration Example
The following examples configure the RADIUS server to group sessions in a tunnel:
Per-User Configuration
user@router.com Password = "cisco" Service-Type = Outbound,
 Tunnel-Type = :1:L2TP,
 Tunnel-Server-Endpoint = :1:"10.14.10.54",
 Tunnel-Assignment-Id = :1:"router"
client@router.com Password = "cisco" Service-Type = Outbound,
 Tunnel-Type = :1:L2TP,
 Tunnel-Server-Endpoint = :1:"10.14.10.54",
 Tunnel-Assignment-Id = :1:"router"
Domain Configuration
eng.router.com Password = "cisco" Service-Type = Outbound,
 Tunnel-Type = :1:L2TP,
 Tunnel-Server-Endpoint = :1:"10.14.10.54",
 Tunnel-Assignment-Id = :1:"router"
sales.router.com Password = "cisco" Service-Type = Outbound,
 Tunnel-Type = :1:L2TP,
 Tunnel-Server-Endpoint = :1:"10.14.10.54",
 Tunnel-Assignment-Id = :1:"router"
Additional References
The following sections provide references related to the RADIUS Attribute 82: Tunnel Assignment ID
feature.
Related Documents
Related Topic | Document Title
Dial Technologies | Cisco IOS Dial Technologies Configuration Guide, Release 12.4T
Wide Area Networks | Cisco IOS Wide-Area Networking Configuration Guide, Release 12.4T
Standards
Standard | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --
MIBs
MIB | MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported by this feature. | --
Feature Information for RADIUS Attribute 82 Tunnel Assignment ID
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 15 Feature Information for RADIUS Attribute 82: Tunnel Assignment ID
Feature Name: RADIUS Attribute 82: Tunnel Assignment ID
Releases: 12.2(4)T, 12.2(4)T3, 12.2(11)T, 12.2(27)SB
Feature Information: In 12.2(4)T, this feature was introduced. In 12.2(4)T3, support for the Cisco 7500 series routers was added. This feature was integrated into Cisco IOS Release 12.2(11)T and support was added for the Cisco 1760, Cisco AS5300, Cisco AS5350, Cisco AS5400, Cisco AS5800 and Cisco AS5850 platforms. This feature was integrated into Cisco IOS Release 12.2(27)SB.
RADIUS Attribute 104
The RADIUS Attribute 104 feature allows private routes (attribute 104) to be specified in a RADIUS
authorization profile. The private routes affect only packets that are received on an individual interface.
The routes are stored apart from the global routing table and are not injected into any routing protocols for
redistribution.
• Finding Feature Information
• Prerequisites for RADIUS Attribute 104
• Restrictions for RADIUS Attribute 104
• Information About RADIUS Attribute 104
• How to Apply RADIUS Attribute 104
• Configuration Examples for RADIUS Attribute 104
• Additional References
• Feature Information for RADIUS Attribute 104
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Attribute 104
• You must be using a Cisco RADIUS server.
• You should be familiar with configuring RADIUS.
• You should be familiar with policy-based routing (PBR) and private routes.
• You should be familiar with configuring access control lists (ACLs).
• Before using the RADIUS Attribute 104 feature, you must configure RADIUS AAA authorization and RADIUS route download.
• The following memory bytes are required:
  ◦ One route map--50 bytes.
  ◦ One match-set clause--600 bytes.
  ◦ One extended ACL--366 bytes.
  ◦ For N number of attribute 104s, the memory requirement is (600+366)*N+50=1000*N (approximate) per user.
Restrictions for RADIUS Attribute 104
• If you already have PBR locally (statically) configured under the interface, and you specify attribute 104, the locally configured PBR will be disabled.
• If a pseudo next-hop address is involved, there must be a route available in the routing table for the next-hop address. If a route is not available, the packet will not be policy routed.
• Policy routing does not order the match-set clauses and relies on the first match, so you should specify the attributes in the order in which you want them to be matched.
• Metric numbers cannot be used in the attribute.
Information About RADIUS Attribute 104
• Policy-Based Routing Background
• Attribute 104 and the Policy-Based Route Map
Policy-Based Routing Background
PBR provides a mechanism for the forwarding, or routing of, data packets on the basis of defined policies.
The policies are not wholly dependent on the destination address but rather on other factors, such as type of
service, source address, precedence, port numbers, or protocol type.
Policy-based routing is applied to incoming packets. All packets that are received on an interface that has
policy-based routing enabled are considered for policy-based routing. The router passes the packets through
enhanced packet filters called route maps. On the basis of the criteria that are defined in the route maps, the
packets are forwarded to the appropriate next hop.
Each entry in a route map statement contains a combination of match clauses and set clauses or commands.
The match clauses define the criteria for whether appropriate packets meet the particular policy (that is,
whether the conditions are met). The set clauses provide instruction for how the packets should be routed
after they have met the match criteria. The match clause specifies which set of filters a packet must match
for the corresponding set clause to be applied.
Attribute 104 and the Policy-Based Route Map
This section discusses the attribute 104 feature and how it works with policy-based route maps.
• RADIUS Attribute 104 Overview
• Permit Route Map
• Default Private Route
• Route Map Order
RADIUS Attribute 104 Overview
Using the RADIUS Attribute 104 feature, you can specify private routes in your RADIUS authorization
profile. The private routes you specify will affect only packets that are received on an individual interface.
The routes are stored apart from the global routing table and are not injected into any routing protocols for
redistribution.
Permit Route Map
Route map statements can be marked as “permit” or “deny.” If the statement is marked “permit,” the set
clause is applied to the packets that match the match criteria. For attribute 104, when you are configuring
the route map, you need to mark the route map as “permit,” as follows. See Related Documents
for where to find information on configuring a route map.
Default Private Route
The policy routing process proceeds through the route map until a match is found. If no match is found in
the route map, the global routing table is consulted. If you have specified a default route in your user
profile, any further routes beyond the default route are effectively ignored.
Route Map Order
You need to specify route maps on the server in the order that you want them to be applied.
How to Apply RADIUS Attribute 104
• Applying RADIUS Attribute 104 to Your User Profile
• Verifying Route Maps
• Troubleshooting the RADIUS Profile
Applying RADIUS Attribute 104 to Your User Profile
You can apply RADIUS attribute 104 to your user profile by adding the following to the RADIUS server
database.
SUMMARY STEPS
1. Apply RADIUS attribute 104 to your user profile.
DETAILED STEPS
Step 1: Apply RADIUS attribute 104 to your user profile.
Ascend-Private-Route="dest_addr/netmask next_hop"
Purpose: The destination network address of the router is “dest_addr/netmask”, and the address of the next-hop router is “next_hop.”
Examples
The following is a sample user profile that creates three private routes that are associated with the caller:
username Password="ascend"; User-Service=Framed-User
 Framed-Protocol=PPP,
 Framed-Address=10.1.1.1,
 Framed-Netmask=255.0.0.0,
 Ascend-Private-Route="172.16.1.1/16 10.10.10.1"
 Ascend-Private-Route="192.168.1.1/32 10.10.10.2"
 Ascend-Private-Route="10.20.0.0/1 10.10.10.3"
 Ascend-Private-Route="10.0.0.0/0 10.10.10.4"
Using the above profile, the private routing table for the connection contains the following routes, including
a default route:
Destination/Mask | Gateway
172.16.1.1/16 | 10.10.10.1
192.168.1.1/32 | 10.10.10.2
10.20.20.20/1 | 10.10.10.3
10.0.0.0/0 | 10.10.10.4
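The first-match and default-route behavior described in this module can be checked before a profile is loaded on the RADIUS server. The following Python is an added example, not Cisco code: the function names are hypothetical, it assumes host bits in dest_addr are masked off by the netmask, and the DEFAULT_FIRST profile is constructed for illustration.

```python
import ipaddress

# Per-user memory figures quoted in the prerequisites of this module (bytes).
ROUTE_MAP_BYTES, MATCH_SET_BYTES, EXT_ACL_BYTES = 50, 600, 366

# Sample user profile from this page.
PAGE_PROFILE = '''username Password="ascend"; User-Service=Framed-User
 Framed-Protocol=PPP,
 Framed-Address=10.1.1.1,
 Framed-Netmask=255.0.0.0,
 Ascend-Private-Route="172.16.1.1/16 10.10.10.1"
 Ascend-Private-Route="192.168.1.1/32 10.10.10.2"
 Ascend-Private-Route="10.20.0.0/1 10.10.10.3"
 Ascend-Private-Route="10.0.0.0/0 10.10.10.4"
'''

# Constructed variant: the default route is listed first.
DEFAULT_FIRST = '''Ascend-Private-Route="10.0.0.0/0 10.10.10.4"
Ascend-Private-Route="172.16.1.1/16 10.10.10.1"
Ascend-Private-Route="192.168.1.1/32 10.10.10.2"
'''

def parse_private_routes(profile_text):
    """Return [(network, next_hop)] in profile order from Ascend-Private-Route lines."""
    routes = []
    for line in profile_text.splitlines():
        name, sep, value = line.strip().rstrip(",").partition("=")
        if not sep or name.strip() != "Ascend-Private-Route":
            continue
        parts = value.strip().strip('"').split()
        if len(parts) != 2:
            # The restrictions state that metric numbers cannot be used.
            raise ValueError("expected 'dest_addr/netmask next_hop': %r" % value)
        # Assumption: host bits are ignored, so 172.16.1.1/16 means 172.16.0.0/16.
        network = ipaddress.ip_network(parts[0], strict=False)
        routes.append((network, ipaddress.ip_address(parts[1])))
    return routes

def lookup(routes, packet_dst):
    """First match in profile order wins; None means the global routing table is consulted."""
    dst = ipaddress.ip_address(packet_dst)
    for network, next_hop in routes:
        if dst in network:
            return next_hop
    return None

def audit_order(routes):
    """Flag routes that can never match because an earlier entry already covers them."""
    findings = []
    for i, (network, _next_hop) in enumerate(routes):
        for earlier, _ in routes[:i]:
            if network.subnet_of(earlier):
                kind = "after-default" if earlier.prefixlen == 0 else "shadowed"
                findings.append((i, kind, str(earlier)))
                break
    return findings

def memory_estimate(n_routes):
    """(600+366)*N+50 bytes per user, as given in the prerequisites."""
    return (MATCH_SET_BYTES + EXT_ACL_BYTES) * n_routes + ROUTE_MAP_BYTES

if __name__ == "__main__":
    for label, text in (("page profile", PAGE_PROFILE), ("default first", DEFAULT_FIRST)):
        routes = parse_private_routes(text)
        print(label, lookup(routes, "172.16.5.5"), audit_order(routes),
              memory_estimate(len(routes)), "bytes")
```

With the default route first, every later Ascend-Private-Route is reported as after-default and traffic for 172.16.0.0/16 goes to the default gateway instead of 10.10.10.1.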
Verifying Route Maps
You can use the following show commands to verify the route maps that have been configured.
SUMMARY STEPS
1. enable
2. show ip policy
3. show route-map [map-name | dynamic [dynamic-map-name | application [application-name]] | all]
DETAILED STEPS
Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2: show ip policy
Purpose: Displays the route map that is used for policy routing.
Example:
Router# show ip policy
Step 3: show route-map [map-name | dynamic [dynamic-map-name | application [application-name]] | all]
Purpose: Displays all route maps that are configured or only the one that is specified.
Example:
Router# show route-map
Troubleshooting the RADIUS Profile
If your private route configuration is not working properly, you may want to reread the section “Policy-Based Routing Background.” This section may help you determine what is happening to the
packets. In addition, the following debug commands can be used to troubleshoot your RADIUS profile.
SUMMARY STEPS
1. enable
2. debug radius
3. debug aaa per-user
4. debug ip policy
DETAILED STEPS
Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2: debug radius
Purpose: Displays information associated with RADIUS.
Example:
Router# debug radius
Step 3: debug aaa per-user
Purpose: Displays the attributes that are applied to each user as the user authenticates.
Example:
Router# debug aaa per-user
Step 4: debug ip policy
Purpose: Displays IP routing packet activity.
Example:
Router# debug ip policy
Configuration Examples for RADIUS Attribute 104
• Route-Map Configuration in Which Attribute 104 Has Been Applied Example
Route-Map Configuration in Which Attribute 104 Has Been Applied Example
The following output is a typical route-map configuration to which attribute 104 has been applied:
Router# show route-map dynamic
route-map AAA-01/08/04-14:13:59.542-1-AppSpec, permit, sequence 0, identifier 1639994476
Match clauses:
ip address (access-lists): PBR#1 PBR#2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map AAA-01/08/04-14:13:59.542-1-AppSpec, permit, sequence 1, identifier 1640264784
Match clauses:
ip address (access-lists): PBR#3 PBR#4
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map AAA-01/08/04-14:13:59.542-1-AppSpec, permit, sequence 2, identifier 1645563704
Match clauses:
ip address (access-lists): PBR#5 PBR#6
length 10 100
Set clauses:
ip next-hop 10.1.1.1
ip gateway10.1.1.1
Policy routing matches: 0 packets, 0 bytes
Current active dynamic routemaps = 1
Additional References
The following sections provide references related to the RADIUS Attribute 104 feature.
• Related Documents
• Standards
• MIBs
• RFCs
• Technical Assistance
Related Documents
Related Topic | Document Title
Configuring RADIUS | “Configuring RADIUS” feature module.
Configuring policy-based routing | “Classifying Network Traffic” feature module.
Configuring access control lists | “IP Access List Overview” feature module.
Configuring RADIUS AAA authorization and RADIUS route download | “RADIUS Route Download” feature module.
Security commands | Cisco IOS Security Command Reference
Quality of Service (QoS) commands (for policy-based routing commands) | Cisco IOS Quality of Service Solutions Command Reference
Standards
Standards | Title
None | --
MIBs
MIBs | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs | Title
None | --
Feature Information for RADIUS Attribute 104
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 16 Feature Information for RADIUS Attribute 104
Feature Name: RADIUS Attribute 104
Releases: 12.3(7)T
Feature Information: The RADIUS Attribute 104 feature allows private routes (attribute 104) to be specified in a RADIUS authorization profile. The private routes affect only packets that are received on an individual interface. The routes are stored apart from the global routing table and are not injected into any routing protocols for redistribution. This feature was introduced in Cisco IOS Release 12.3(7)T. The following commands were introduced or modified: show ip policy, show route-map.
RADIUS Tunnel Attribute Extensions
The RADIUS Tunnel Attribute Extensions feature allows a name to be specified (other than the default)
for the tunnel initiator and the tunnel terminator in order to establish a higher level of security when
setting up VPN tunneling.
• Finding Feature Information
• Prerequisites for RADIUS Tunnel Attribute Extensions
• Restrictions for RADIUS Tunnel Attribute Extensions
• Information About RADIUS Tunnel Attribute Extensions
• How to Verify RADIUS Attribute 90 and RADIUS Attribute 91
• Configuration Examples for RADIUS Tunnel Attribute Extensions
• Additional References
• Feature Information for RADIUS Tunnel Attribute Extensions
• Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Tunnel Attribute Extensions
To use RADIUS attributes 90 and 91, you must complete the following tasks:
• Configure your NAS to support AAA.
• Configure your NAS to support RADIUS.
• Configure your NAS to support VPN.
Restrictions for RADIUS Tunnel Attribute Extensions
Your RADIUS server must support tagged attributes to use RADIUS tunnel attributes 90 and 91.
Information About RADIUS Tunnel Attribute Extensions
The RADIUS Tunnel Attribute Extensions feature introduces RADIUS attribute 90 (Tunnel-Client-Auth-ID) and RADIUS attribute 91 (Tunnel-Server-Auth-ID). Both attributes help support the provision of
compulsory tunneling in virtual private networks (VPNs) by allowing the user to specify authentication
names for the network access server (NAS) and the RADIUS server.
• How RADIUS Tunnel Attribute Extensions Work
How RADIUS Tunnel Attribute Extensions Work
Once a NAS has set up communication with a RADIUS server, you can enable a tunneling protocol. Some
applications of tunneling protocols are voluntary, but others involve compulsory tunneling; that is, a tunnel
is created without any action from the user and without allowing the user any choice in the matter. In those
cases, new RADIUS attributes are needed to carry the tunneling information from the NAS to the RADIUS
server to establish authentication. These new RADIUS attributes are listed in the table below.
Note: In compulsory tunneling, any security measures in place apply only to traffic between the tunnel endpoints. Encryption or integrity protection of tunneled traffic must not be considered as a replacement for end-to-end security.
Table 17 RADIUS Tunnel Attributes
Number | IETF RADIUS Tunnel Attribute | Equivalent TACACS+ Attribute | Supported Protocols | Description
90 | Tunnel-Client-Auth-ID | tunnel-id | Layer 2 Forwarding (L2F); Layer 2 Tunneling Protocol (L2TP) | Specifies the name used by the tunnel initiator (also known as the NAS [4]) when authenticating tunnel setup with the tunnel terminator.
91 | Tunnel-Server-Auth-ID | gw-name | Layer 2 Forwarding (L2F); Layer 2 Tunneling Protocol (L2TP) | Specifies the name used by the tunnel terminator (also known as the Home Gateway [5]) when authenticating tunnel setup with the tunnel initiator.
RADIUS attribute 90 and RADIUS attribute 91 are included in the following situations:
• If the RADIUS server accepts the request and the desired authentication name is different from the default, they must be included.
• If an accounting request contains Acct-Status-Type attributes with values of either start or stop and pertains to a tunneled session, they should be included.
[4] When L2TP is used, the NAS is referred to as an L2TP access concentrator (LAC).
[5] When L2TP is used, the Home Gateway is referred to as an L2TP network server (LNS).
How to Verify RADIUS Attribute 90 and RADIUS Attribute 91
To verify that RADIUS attribute 90 and RADIUS attribute 91 are being sent in access accepts and
accounting requests, use the following command in privileged EXEC mode:
Command | Purpose
Router# debug radius | Displays information associated with RADIUS. The output of this command shows whether attribute 90 and attribute 91 are being sent in access accepts and accounting requests.
Configuration Examples for RADIUS Tunnel Attribute Extensions
• L2TP Network Server Configuration Example
• RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91 Example
L2TP Network Server Configuration Example
The following example shows how to configure the LNS with a basic L2F and L2TP configuration using
RADIUS tunneling attributes 90 and 91:
aaa new-model
aaa authentication login default none
aaa authentication login console none
aaa authentication ppp default local group radius
aaa authorization network default group radius if-authenticated
!
username l2f-cli-auth-id password 0 l2f-cli-pass
username l2f-svr-auth-id password 0 l2f-svr-pass
username l2tp-svr-auth-id password 0 l2tp-tnl-pass
!
vpdn enable
vpdn search-order domain
!
vpdn-group 1
 accept-dialin
  protocol l2f
  virtual-template 1
 terminate-from hostname l2f-cli-auth-id
 local name l2f-svr-auth-id
!
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname l2tp-cli-auth-id
 local name l2tp-svr-auth-id
!
interface Ethernet1/0
 ip address 10.0.0.3 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Virtual-Template1
 ip unnumbered Ethernet1/0
 ppp authentication pap
!
interface Virtual-Template2
 ip unnumbered Ethernet1/0
 ppp authentication pap
!
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
radius-server key <deleted>
!
RADIUS User Profile with RADIUS Tunneling Attributes 90 and 91 Example
The following is an example of a RADIUS user profile that includes RADIUS tunneling attributes 90 and
91. This entry supports two tunnels, one for L2F and the other for L2TP. The tag entries with :1 support
L2F tunnels, and the tag entries with :2 support L2TP tunnels.
cisco.com Password = "cisco", Service-Type = Outbound
 Service-Type = Outbound,
 Tunnel-Type = :1:L2F,
 Tunnel-Medium-Type = :1:IP,
 Tunnel-Client-Endpoint = :1:"10.0.0.2",
 Tunnel-Server-Endpoint = :1:"10.0.0.3",
 Tunnel-Client-Auth-Id = :1:"l2f-cli-auth-id",
 Tunnel-Server-Auth-Id = :1:"l2f-svr-auth-id",
 Tunnel-Assignment-Id = :1:"l2f-assignment-id",
 Cisco-Avpair = "vpdn:nas-password=l2f-cli-pass",
 Cisco-Avpair = "vpdn:gw-password=l2f-svr-pass",
 Tunnel-Preference = :1:1,
 Tunnel-Type = :2:L2TP,
 Tunnel-Medium-Type = :2:IP,
 Tunnel-Client-Endpoint = :2:"10.0.0.2",
 Tunnel-Server-Endpoint = :2:"10.0.0.3",
 Tunnel-Client-Auth-Id = :2:"l2tp-cli-auth-id",
 Tunnel-Server-Auth-Id = :2:"l2tp-svr-auth-id",
 Tunnel-Assignment-Id = :2:"l2tp-assignment-id",
 Cisco-Avpair = "vpdn:l2tp-tunnel-password=l2tp-tnl-pass",
 Tunnel-Preference = :2:2
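As an added example (not Cisco code), the following Python groups the tagged attributes of the profile above by tag and compares attributes 90 and 91 with the vpdn-group settings of the LNS example; it also applies the attribute 82 grouping rule from the RADIUS Attribute 82 Tunnel Assignment ID module to that module's per-user profiles. Function names are hypothetical, the embedded config and profiles are excerpts of this guide's examples with indentation restored, and the DRIFTED profile and the other@router.com entry are constructed.

```python
import re
from collections import defaultdict

# Matches tagged attributes such as:  Tunnel-Type = :1:L2F,
TAGGED = re.compile(r'^\s*([\w-]+)\s*=\s*:(\d+):"?([^",]*)"?,?\s*$')

LNS_CONFIG = """\
vpdn-group 1
 accept-dialin
  protocol l2f
 terminate-from hostname l2f-cli-auth-id
 local name l2f-svr-auth-id
!
vpdn-group 2
 accept-dialin
  protocol l2tp
 terminate-from hostname l2tp-cli-auth-id
 local name l2tp-svr-auth-id
!
"""

PROFILE = """\
cisco.com Password = "cisco", Service-Type = Outbound
 Tunnel-Type = :1:L2F,
 Tunnel-Server-Endpoint = :1:"10.0.0.3",
 Tunnel-Client-Auth-Id = :1:"l2f-cli-auth-id",
 Tunnel-Server-Auth-Id = :1:"l2f-svr-auth-id",
 Tunnel-Assignment-Id = :1:"l2f-assignment-id",
 Cisco-Avpair = "vpdn:nas-password=l2f-cli-pass",
 Tunnel-Type = :2:L2TP,
 Tunnel-Server-Endpoint = :2:"10.0.0.3",
 Tunnel-Client-Auth-Id = :2:"l2tp-cli-auth-id",
 Tunnel-Server-Auth-Id = :2:"l2tp-svr-auth-id",
 Tunnel-Assignment-Id = :2:"l2tp-assignment-id"
"""
# Constructed: the L2TP client name no longer matches the LNS.
DRIFTED = PROFILE.replace('"l2tp-cli-auth-id"', '"lac-east"')

# Per-user entries from the attribute 82 module; other@router.com is constructed.
ATTR82_ENTRY = ' Tunnel-Type = :1:L2TP,\n Tunnel-Server-Endpoint = :1:"10.14.10.54",\n Tunnel-Assignment-Id = :1:"router"'
PER_USER = {"user@router.com": ATTR82_ENTRY, "client@router.com": ATTR82_ENTRY,
            "other@router.com": ATTR82_ENTRY.replace('"router"', '"other"')}

def parse_tagged_profile(text):
    """Collect tagged tunnel attributes as {tag: {attribute: value}}; untagged lines are skipped."""
    tunnels = defaultdict(dict)
    for line in text.splitlines():
        m = TAGGED.match(line)
        if m:
            name, tag, value = m.groups()
            tunnels[int(tag)][name] = value
    return dict(tunnels)

def parse_vpdn_groups(config):
    """Pull protocol, terminate-from hostname and local name out of each vpdn-group."""
    groups, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            current = None
        elif words[0] == "vpdn-group":
            current = groups.setdefault(words[1], {})
        elif current is not None:
            if words[0] == "protocol":
                current["protocol"] = words[1]
            elif words[:2] == ["terminate-from", "hostname"]:
                current["terminate-from"] = words[2]
            elif words[:2] == ["local", "name"]:
                current["local-name"] = words[2]
    return groups

def check_auth_ids(tunnels, groups):
    """Compare attributes 90/91 of each tag with the vpdn-group of the same protocol."""
    findings = []
    for tag, attrs in sorted(tunnels.items()):
        proto = attrs.get("Tunnel-Type", "").lower()
        group = next((g for g in groups.values() if g.get("protocol") == proto), None)
        if group is None:
            findings.append((tag, "no vpdn-group accepts " + proto))
            continue
        for attr, key in (("Tunnel-Client-Auth-Id", "terminate-from"),
                          ("Tunnel-Server-Auth-Id", "local-name")):
            if attrs.get(attr) != group.get(key):
                findings.append((tag, "%s=%r but %s is %r"
                                 % (attr, attrs.get(attr), key, group.get(key))))
    return findings

def tunnel_key(attrs):
    """Attribute 82 rule: same endpoint, tunnel type and Tunnel-Assignment-Id share a tunnel."""
    return (attrs.get("Tunnel-Server-Endpoint"), attrs.get("Tunnel-Type"),
            attrs.get("Tunnel-Assignment-Id"))

def shared_tunnels(profiles):
    """Map each tunnel key to the profile names the LAC would group into that tunnel."""
    shared = defaultdict(list)
    for name, text in profiles.items():
        for attrs in parse_tagged_profile(text).values():
            shared[tunnel_key(attrs)].append(name)
    return dict(shared)

if __name__ == "__main__":
    groups = parse_vpdn_groups(LNS_CONFIG)
    print(check_auth_ids(parse_tagged_profile(PROFILE), groups))
    print(check_auth_ids(parse_tagged_profile(DRIFTED), groups))
    print(shared_tunnels(PER_USER))
```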
Additional References
The following sections provide references related to RADIUS Tunnel Attribute Extensions.
Related Documents
Related Topic | Document Title
Authentication | “Configuring Authentication” module.
RADIUS Attributes | “RADIUS Attributes Overview and RADIUS IETF Attributes” module.
Virtual private dialup networks (VPDN) | Cisco IOS VPDN Configuration Guide, Release 15.0.
Standards
Standard | Title
None. | --
MIBs
MIB | MIBs Link
None. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
RFC 2868 | RADIUS Attributes for Tunnel Protocol Support
Feature Information for RADIUS Tunnel Attribute Extensions
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 18 Feature Information for RADIUS Tunnel Attribute Extensions
Feature Name: Feature Information for RADIUS Tunnel Attribute Extensions
Releases: 12.1(5)T, 12.2(4)B3, 12.2(13)T
Feature Information: The RADIUS Tunnel Attribute Extensions feature allows a name to be specified (other than the default) for the tunnel initiator and the tunnel terminator in order to establish a higher level of security when setting up VPN tunneling. This feature was introduced in Cisco IOS Release 12.1(5)T. This feature was integrated into Cisco IOS Release 12.2(4)B3. This feature was integrated into Cisco IOS Release 12.2(13)T.
Glossary
Layer 2 Forwarding (L2F) --A Layer 2 tunneling protocol that enables an ISP or other access service to
create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In
particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with
the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel
server to set up tunnels.
Layer 2 Tunnel Protocol (L2TP) --A Layer 2 tunneling protocol that enables an ISP or other access
service to create a virtual tunnel to link customer remote sites or remote users with corporate home
networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP
messages with the remote users and communicates by L2F or L2TP requests and responses with the
customer tunnel server to set up tunnels.
L2TP access concentrator (LAC) --A network access server (NAS) to which the client directly connects
and through which PPP frames are tunneled to the L2TP network server (LNS). The LAC need only
implement the media over which L2TP is to operate to pass traffic to one or more LNSs. The LAC may
tunnel any protocol carried within PPP. The LAC initiates incoming calls and receives outgoing calls. A
LAC is analogous to an L2F network access server.
L2TP network server (LNS) --A termination point for L2TP tunnels, and an access point where PPP
frames are processed and passed to higher-layer protocols. An LNS can operate on any platform that
terminates PPP. The LNS handles the server side of the L2TP protocol. L2TP relies only on the single
medium over which L2TP tunnels arrive. The LNS initiates outgoing calls and receives incoming calls. An
LNS is analogous to a home gateway in L2F technology.
network access server (NAS) --A Cisco platform, or collection of platforms, such as an AccessPath
system, that interfaces between the packet world (such as the Internet) and the circuit-switched world (such
as the PSTN).
tunnel--A virtual pipe between the L2TP access concentrator (LAC) and L2TP network server (LNS) that
can carry multiple PPP sessions.
virtual private network (VPN)--A system that permits dial-in networks to exist remotely to home networks,
while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2
and higher parts of the network connection at the L2TP network server (LNS) instead of the L2TP access
concentrator (LAC).
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental. © 2000-2009 Cisco
Systems, Inc. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
V.92 Reporting Using RADIUS Attribute v.92-info
The V.92 Reporting Using RADIUS Attribute v.92-info feature provides the ability to track V.92 call
information, such as V.92 features that are supported, the Quick Connect feature set that was attempted,
the duration for which the original call was put on hold, and how many times Modem On Hold was
initiated. The vendor-specific attribute (VSA) v.92-info is included in accounting “start” and “stop”
records when modems negotiate a V.92 connection.
• Finding Feature Information
• Prerequisites for V.92 Reporting Using RADIUS Attribute v.92-info
• Restrictions for V.92 Reporting Using RADIUS Attribute v.92-info
• Information About V.92 Reporting Using RADIUS Attribute v.92-info
• How to Monitor and Verify V.92 Call Information
• Additional References
• Feature Information for V.92 Reporting Using RADIUS Attribute v.92-info
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for V.92 Reporting Using RADIUS Attribute v.92-info
Before the network access server (NAS) can send attribute v.92-info information in accounting “start” and
“stop” records, you must perform the following tasks:
• Configure your NAS for authentication, authorization, and accounting (AAA) and to accept incoming modem calls.
• Enable AAA accounting by using the aaa accounting network default start-stop group radius command in global configuration mode.
• Familiarize yourself with the V.92 Quick Connect and V.92 Modem on Hold features. See Related Documents.
Restrictions for V.92 Reporting Using RADIUS Attribute v.92-info
• If V.92 is not negotiated on your server, V.92 information will not be included in the accounting record.
• Because the attribute v.92-info information is sent as a Cisco VSA, if you configure your RADIUS server as nonstandard (using a non-Cisco server), the V.92 call information will not be sent by default. However, you can still get the V.92 call information by first configuring the radius-server vsa send command with the accounting keyword (that is, radius-server vsa send accounting).
Information About V.92 Reporting Using RADIUS Attribute v.92-info
• V.92 Standard Overview
• VSA v.92-info
V.92 Standard Overview
The International Telecommunication Union Telecommunication Standardization Sector (ITU-T) V.92
standard encompasses a number of specifications, including Quick Connect (QC), which dramatically
improves how quickly users can connect with their Internet service provider (ISP), and Modem on Hold
(MoH), which enables users to suspend and reactivate their dial-up connection to either receive or initiate a
telephone call. V.92 also includes pulse code modulation (PCM) upstream, which boosts the upstream data
rates from the user to the ISP to reduce transfer times for large files and e-mail attachments sent by the
user.
VSA v.92-info
The VSA v.92-info information in RADIUS accounting “start” and “stop” records can help you track V.92
feature set information. The VSA is enabled by default for all sessions that reside over a modem call that is
connected using V.92 modem modulation.
The VSA information is displayed in the “start” and “stop” records as follows:
v92-info=<V.92 features supported>/<QC Exchange>/<Total MOH time>/<MOH count>
The VSA v92-info has the following four subfields:
• V.92 features supported--All features that are available for the V.92 modem user who is dialing in. These features include QC, MoH, and PCM Upstream.
• QC Exchange--If QC was initiated, this subfield states what feature set (within QC) was attempted.
• Total MOH time--If MoH was initiated, this subfield indicates the duration for which the original call was put on hold.
• MOH count--If MOH was initiated, this field indicates how many times the MOH was initiated.
The following is an example of VSA v92-info information displayed in an accounting record:
v92-info=V.92 QC MOH/QC Requested/60/1
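A strict parser for the v92-info value described above, useful when auditing accounting records collected from a NAS; this is an added example, not code from the Cisco guide. The names V92Info, parse_v92_info, summarize and SAMPLE_RECORDS are hypothetical, and the records marked as constructed are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Layout given in the guide:
#   v92-info=<V.92 features supported>/<QC Exchange>/<Total MOH time>/<MOH count>
# \s* after each "/" tolerates a line wrap inside the quoted AV pair, which
# wrapped terminal captures of "debug radius" output can introduce.
_V92_RE = re.compile(
    r'v92-info=(?P<features>[^/"\r\n]+)/\s*(?P<qc>[^/"\r\n]+)/\s*'
    r'(?P<moh_time>[^/"\s]*)/\s*(?P<moh_count>[^/"\s]*)(?=["\s]|$)'
)


@dataclass(frozen=True)
class V92Info:
    features: str        # "V.92 features supported", kept verbatim
    qc_exchange: str     # "QC Exchange"
    moh_total_time: int  # "Total MOH time" (the guide does not state the unit)
    moh_count: int       # "MOH count"

    def supports(self, feature: str) -> bool:
        # Assumption: features are whitespace-separated tokens, as in the
        # guide's sample value "V.92 QC MOH".
        return feature.upper() in self.features.upper().split()


def parse_v92_info(text: str) -> Optional[V92Info]:
    """Return the parsed VSA, None if it is absent; raise ValueError if malformed."""
    if "v92-info=" not in text:
        # V.92 was not negotiated, or the NAS is not sending VSAs.
        return None
    m = _V92_RE.search(text)
    if m is None:
        raise ValueError("v92-info does not have exactly four '/'-separated subfields")
    counters = (m.group("moh_time"), m.group("moh_count"))
    if not all(c.isascii() and c.isdigit() for c in counters):
        raise ValueError("MOH time and MOH count must be non-negative integers")
    return V92Info(m.group("features").strip(), m.group("qc").strip(),
                   int(counters[0]), int(counters[1]))


def summarize(records: Iterable[str]) -> dict:
    """Count V.92 sessions, Modem on Hold usage and malformed attributes."""
    out = {"records": 0, "v92": 0, "moh_sessions": 0,
           "moh_total_time": 0, "malformed": 0}
    for rec in records:
        out["records"] += 1
        try:
            info = parse_v92_info(rec)
        except ValueError:
            out["malformed"] += 1   # keep these for manual review
            continue
        if info is None:
            continue
        out["v92"] += 1
        if info.moh_count > 0:
            out["moh_sessions"] += 1
            out["moh_total_time"] += info.moh_total_time
    return out


SAMPLE_RECORDS = [
    # Value from the guide's debug sample, with a wrap inside the quotes
    'Cisco AVpair [1] 42 "v92-info=V.92 QC MOH/No QC Requested/\n0/0"',
    # Example value from the guide
    'v92-info=V.92 QC MOH/QC Requested/60/1',
    # AV pair from the guide's sample that carries no v92-info
    'Cisco AVpair [1] 26 "connect-progress=Call Up"',
    # Constructed: truncated value with only three subfields
    'v92-info=V.92 QC MOH/QC Requested/60',
    # Constructed: non-numeric counter
    'v92-info=V.92 QC MOH/QC Requested/-5/1',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```
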
How to Monitor and Verify V.92 Call Information
• Monitoring V.92 Call Information
• Verifying V.92 Call Information
• Troubleshooting Tips
Monitoring V.92 Call Information
To monitor the V.92 information in the accounting “start” and “stop” records, you can perform the
following task using some or all of the debug commands that are listed:
SUMMARY STEPS
1. enable
2. debug aaa accounting
3. debug aaa authentication
4. debug aaa authorization
5. debug isdn event
6. debug modem csm [slot/port | group group-number]
7. debug ppp {negotiation | authentication}
8. debug radius
DETAILED STEPS
Step 1 enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 debug aaa accounting
Purpose: Displays information about accountable events as they occur.
Example:
Router# debug aaa accounting
Step 3 debug aaa authentication
Purpose: Displays information about AAA authentication.
Example:
Router# debug aaa authentication
Step 4 debug aaa authorization
Purpose: Displays information about AAA and TACACS+ authorization.
Example:
Router# debug aaa authorization
Step 5 debug isdn event
Purpose: Displays ISDN events occurring on the user side (on the router) of the ISDN interface.
Example:
Router# debug isdn event
Step 6 debug modem csm [slot/port | group group-number]
Purpose: Displays call switching module (CSM) modem call information.
Example:
Router# debug modem csm 1/0 group 1
Step 7 debug ppp {negotiation | authentication}
Purpose: Displays information on traffic and exchanges in an internetwork that is implementing the PPP.
Example:
Router# debug ppp authentication
Step 8 debug radius
Purpose: Displays information associated with RADIUS.
Example:
Router# debug radius
Examples
Debug Output 1
Debug Output 2
The following sample debug outputs display information about a V.92 reporting situation:
01:39:19: ISDN Se7/6:23: RX <- SETUP pd = 8 callref = 0x42A0
01:39:19:         Bearer Capability i = 0x9090A2
01:39:19:         Channel ID i = 0xA18396
01:39:19:         Progress Ind i = 0x8183 - Origination address is non-ISDN
01:39:19:         Calling Party Number i = 0xA1, '60112', Plan:ISDN, Type:National
01:39:19:         Called Party Number i = 0xA1, '50138', Plan:ISDN, Type:National
01:39:19:         Locking Shift to Codeset 6
01:39:19:         Codeset 6 IE 0x28 i = 'ANALOG,savitha'
01:39:19: ISDN Se7/6:23: Incoming call id = 0x0038, dsl 0
01:39:19: ISDN Se7/6:23: NegotiateBchan: bchan 22 intid 0 serv_st 0 chan_st 0 callid
0x0000 ev 0x90 n/w? 0
01:39:19: Negotiated int_id 0 bchan 0 cr=0xC2A0 callid=0x0038 lo_chan 22 final int_id/
bchan 0/22 cause 0x0
01:39:19: ISDN Se7/6:23: LIF_EVENT: ces/callid 1/0x38 CALL_INCOMING
01:39:19: ISDN Se7/6:23: CALL_INCOMING dsl 0 bchan 21
01:39:19: voice_parse_intf_name: Using the old NAS_PORT string
01:39:19: AAA/ACCT/EVENT/(00000007): CALL START
01:39:19: AAA/ACCT(00000000): add node, session 9
01:39:19: AAA/ACCT/NET(00000007): add, count 1
01:39:19: AAA/ACCT/EVENT/(00000007): ATTR REPLACE
01:39:19: ISDN Se7/6:23: CALL_INCOMING: call type is VOICE ULAW, bchan = 21
01:39:19: ISDN Se7/6:23: Event: Received a VOICE call from 60112 on B21 at 64 Kb/s Tone
Value 0
01:39:19: AAA/ACCT/DS0: channel=21, ds1=6, t3=0, slot=7, ds0=117465109
01:39:19: AAA/ACCT/DS0: channel=21, ds1=6, t3=0, slot=7, ds0=117465109
01:39:19: VDEV_ALLOCATE: 1/5 is allocated
01:39:19: ISDN Se7/6:23: RM returned call_type 1 resource type 0 response 2
01:39:19: EVENT_FROM_ISDN: dchan_idb=0x63B3D334, call_id=0x38, ces=0x0
bchan=0x15, event=0x1, cause=0x0
01:39:19: dev in call to isdn : set dnis_collected & fap_notify
01:39:19: EVENT_FROM_ISDN:(0038): DEV_INCALL at slot 1 and port 5
01:39:19: EVENT_FROM_ISDN: decode:calling oct3 0xA1, called oct3 0xA1, oct3a 0x0,mask 0x3D
01:39:19: EVENT_FROM_ISDN: csm_call_info:calling oct3 0xA1, called oct3 0xA1, oct3a
0x0,mask 0x3D
01:39:19: CSM_PROC_IDLE: CSM_EVENT_ISDN_CALL at slot 1, port 5
01:39:19: CSM DSPLIB(1/5/csm_flags=0x12): np_dsplib_prepare_modem
01:39:19: csm_connect_pri_vdev: TS allocated at bp_stream 0, bp_Ch 5, vdev_common
0x62EAD8F4 1/5
01:39:19: ISDN Se7/6:23: EVENT to CSM:DEV_INCALL: calltype=VOICE, bchan=21
01:39:19: ISDN Se7/6:23: TX -> CALL_PROC pd = 8 callref = 0xC2A0
01:39:19:         Channel ID i = 0xA98396
01:39:19: ISDN Se7/6:23: TX -> ALERTING pd = 8 callref = 0xC2A0
01:39:19: CSM DSPLIB(1/5):DSPLIB_MODEM_INIT: Modem session transition to IDLE
01:39:19: CSM DSPLIB(1/5): Modem went offhook
01:39:19: CSM_PROC_IC2_RING: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 5
01:39:19: ISDN Se7/6:23: VOICE_ANS Event: call id 0x38, bchan 21, ces 0
01:39:19: ISDN Se7/6:23: isdn_send_connect(): msg 74, call id 0x38, ces 0 bchan 21, call
type VOICE
01:39:19: ISDN Se7/6:23: TX -> CONNECT pd = 8 callref = 0xC2A0
01:39:19: ISDN Se7/6:23: RX <- CONNECT_ACK pd = 8 callref = 0x42A0
01:39:19: ISDN Se7/6:23: LIF_EVENT: ces/callid 1/0x38 CALL_PROGRESS
01:39:19: ISDN Se7/6:23: event CALL_PROGRESS dsl 0
01:39:19: ISDN Se7/6:23: CALL_PROGRESS: CALL_CONNECTED call id 0x38, bchan 21, dsl 0
01:39:19: EVENT_FROM_ISDN: dchan_idb=0x63B3D334, call_id=0x38, ces=0x0
bchan=0x15, event=0x4, cause=0x0
01:39:19: EVENT_FROM_ISDN:(0038): DEV_CONNECTED at slot 1 and port 5
01:39:19: CSM_PROC_IC6_WAIT_FOR_CONNECT: CSM_EVENT_ISDN_CONNECTED at slot 1, port 5
01:39:19: CSM DSPLIB(1/5): np_dsplib_call_accept
01:39:19: ISDN Se7/6:23: EVENT to CSM:DEV_CONNECTED: calltype=VOICE, bchan=21
01:39:19: CSM DSPLIB(1/5):DSPLIB_MODEM_WAIT_ACTIVE: Modem session transition to ACTIVE
01:39:19: CSM DSPLIB(1/5): Modem state changed to (CONNECT_STATE)
01:39:22: CSM DSPLIB(1/5): Modem state changed to (V8BIS_EXCHANGE_STATE)
01:39:24: CSM DSPLIB(1/5): Modem state changed to (LINK_STATE)
01:39:28: CSM DSPLIB(1/5): Modem state changed to (RANGING_STATE)
01:39:30: CSM DSPLIB(1/5): Modem state changed to (HALF_DUPLEX_TRAIN_STATE)
01:39:45: CSM DSPLIB(1/5): Modem state changed to (TRAINUP_STATE)
01:39:45: CSM DSPLIB(1/5): Modem state changed to (EC_NEGOTIATING_STATE)
01:39:46: CSM DSPLIB(1/5): Modem state changed to (STEADY_STATE)
01:39:46: TTY1/05: DSR came up
01:39:46: tty1/05: Modem: IDLE->(unknown)
01:39:46: TTY1/05: EXEC creation
01:39:46: CHAT1/05: Attempting line activation script
01:39:46: CHAT1/05: Asserting DTR
01:39:50: voice_parse_intf_name: Using the old NAS_PORT string
01:39:50: voice_parse_intf_name: Using the old NAS_PORT string
01:39:50: AAA/AUTHEN/LOGIN (00000007): Pick method list 'default'
01:39:50: RADIUS/ENCODE(00000007): ask "Username: "
01:39:50: RADIUS/ENCODE(00000007): send packet; GET_USER
01:39:50: TTY1/05: set timer type 10, 30 seconds
01:39:50: TTY1/05: Autoselect(2) sample 7E
01:39:50: TTY1/05: Autoselect(2) sample 7EFF
01:39:50: TTY1/05: Autoselect(2) sample 7EFF7D
01:39:50: TTY1/05: Autoselect(2) sample 7EFF7D23
01:39:50: TTY1/05 Autoselect cmd: ppp negotiate
01:39:50: TTY1/05: EXEC creation
01:39:50: CHAT1/05: Attempting line activation script
01:39:50: CHAT1/05: Asserting DTR
01:39:54: voice_parse_intf_name: Using the old NAS_PORT string
01:39:54: voice_parse_intf_name: Using the old NAS_PORT string
01:39:54: TTY1/05: no timer type 1 to destroy
01:39:54: TTY1/05: no timer type 0 to destroy
01:39:54: As1/05 LCP: I CONFREQ [Closed] id 0 len 50
01:39:54: As1/05 LCP:    ACCM 0x00000000 (0x020600000000)
01:39:54: As1/05 LCP:    MagicNumber 0x00002EB8 (0x050600002EB8)
01:39:54: As1/05 LCP:    PFC (0x0702)
01:39:54: As1/05 LCP:    ACFC (0x0802)
01:39:54: As1/05 LCP:    Callback 6 (0x0D0306)
01:39:54: As1/05 LCP:    MRRU 1614 (0x1104064E)
01:39:54: As1/05 LCP:    EndpointDisc 1 Local
01:39:54: As1/05 LCP:     (0x131701CC7F60A0E7A211D6B549000102)
01:39:54: As1/05 LCP:     (0x2BC43900000000)
01:39:54: As1/05 LCP: Lower layer not up, Fast Starting
01:39:54: voice_parse_intf_name: Using the old NAS_PORT string
01:39:54: voice_parse_intf_name: Using the old NAS_PORT string
01:39:54: As1/05 PPP: Treating connection as a callin
01:39:54: As1/05 PPP: Phase is ESTABLISHING, Passive Open
01:39:54: As1/05 LCP: State is Listen
01:39:54: As1/05 PPP: Authorization required
01:39:54: As1/05 LCP: O CONFREQ [Listen] id 1 len 25
01:39:54: As1/05 LCP:    ACCM 0x000A0000 (0x0206000A0000)
01:39:54: As1/05 LCP:    AuthProto CHAP (0x0305C22305)
01:39:54: As1/05 LCP:    MagicNumber 0x099EBCBA (0x0506099EBCBA)
01:39:54: As1/05 LCP:    PFC (0x0702)
01:39:54: As1/05 LCP:    ACFC (0x0802)
01:39:54: As1/05 LCP: O CONFREJ [Listen] id 0 len 11
01:39:54: As1/05 LCP:    Callback 6 (0x0D0306)
01:39:54: As1/05 LCP:    MRRU 1614 (0x1104064E)
01:39:54: As1/05 LCP: I CONFACK [REQsent] id 1 len 25
01:39:54: As1/05 LCP:    ACCM 0x000A0000 (0x0206000A0000)
01:39:54: As1/05 LCP:    AuthProto CHAP (0x0305C22305)
01:39:54: As1/05 LCP:    MagicNumber 0x099EBCBA (0x0506099EBCBA)
01:39:54: As1/05 LCP:    PFC (0x0702)
01:39:54: As1/05 LCP:    ACFC (0x0802)
01:39:54: As1/05 LCP: I CONFREQ [ACKrcvd] id 1 len 43
01:39:54: As1/05 LCP:    ACCM 0x00000000 (0x020600000000)
01:39:54: As1/05 LCP:    MagicNumber 0x00002EB8 (0x050600002EB8)
01:39:54: As1/05 LCP:    PFC (0x0702)
01:39:54: As1/05 LCP:    ACFC (0x0802)
01:39:54: As1/05 LCP:    EndpointDisc 1 Local
01:39:54: As1/05 LCP:     (0x131701CC7F60A0E7A211D6B549000102)
01:39:54: As1/05 LCP:     (0x2BC43900000000)
01:39:54: As1/05 LCP: O CONFACK [ACKrcvd] id 1 len 43
01:39:54: As1/05 LCP:    ACCM 0x00000000 (0x020600000000)
01:39:54: As1/05 LCP:    MagicNumber 0x00002EB8 (0x050600002EB8)
01:39:54: As1/05 LCP:    PFC (0x0702)
01:39:54: As1/05 LCP:    ACFC (0x0802)
01:39:54: As1/05 LCP:    EndpointDisc 1 Local
01:39:54: As1/05 LCP:     (0x131701CC7F60A0E7A211D6B549000102)
01:39:54: As1/05 LCP:     (0x2BC43900000000)
01:39:54: As1/05 LCP: State is Open
01:39:54: As1/05 PPP: Phase is AUTHENTICATING, by this end
01:39:54: As1/05 CHAP: O CHALLENGE id 1 len 26 from "s5400"
01:39:54: As1/05 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x00002EB8 MSRASV4.00
01:39:54: As1/05 LCP: I IDENTIFY [Open] id 3 len 23 magic 0x00002EB8 MSRAS-1-PTE-PC1
01:39:54: As1/05 CHAP: I RESPONSE id 1 len 34 from "Administrator"
01:39:54: As1/05 PPP: Phase is FORWARDING, Attempting Forward
01:39:54: As1/05 PPP: Phase is AUTHENTICATING, Unauthenticated User
01:39:54: AAA/AUTHEN/PPP (00000007): Pick method list 'default'
01:39:54: As1/05 PPP: Sent CHAP LOGIN Request
01:39:54: RADIUS/ENCODE(00000007): Unsupported AAA attribute parent-interface
01:39:54: RADIUS/ENCODE(00000007): Unsupported AAA attribute parent-interface-type
01:39:54: RADIUS/ENCODE(00000007): acct_session_id: 9
01:39:54: RADIUS(00000007): sending
01:39:54: RADIUS: Send to unknown id 2 10.107.164.120:1645, Access-Request, len 128
01:39:54: RADIUS:  authenticator 13 E4 F2 9F BC 3E CE 52 - CC 93 0C E0 01 0C 73 7B
01:39:54: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
01:39:54: RADIUS:  User-Name           [1]   15  "Administrator"
01:39:54: RADIUS:  CHAP-Password       [3]   19  *
01:39:54: RADIUS:  Called-Station-Id   [30]  7   "50138"
01:39:54: RADIUS:  Calling-Station-Id  [31]  7   "60112"
01:39:54: RADIUS:  Vendor, Cisco       [26]  30
01:39:54: RADIUS:   cisco-nas-port     [2]   24  "Async1/05*Serial7/6:21"
01:39:54: RADIUS:  NAS-Port            [5]   6   221
01:39:54: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
01:39:54: RADIUS:  Service-Type        [6]   6   Framed                    [2]
01:39:54: RADIUS:  NAS-IP-Address      [4]   6   10.0.58.107
01:39:54: RADIUS: Received from id 2 10.107.164.120:1645, Access-Accept, len 62
01:39:54: RADIUS:  authenticator EF 45 A3 D4 A7 EE D0 65 - 03 50 B4 3E 07 87 2E 2F
01:39:54: RADIUS:  Vendor, Cisco       [26]  30
01:39:54: RADIUS:   cisco-nas-port     [2]   24  "Async1/05*Serial7/6:21"
01:39:54: RADIUS:  Service-Type        [6]   6   Framed                    [2]
01:39:54: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
01:39:54: RADIUS: Received from id 7
01:39:54: As1/05 PPP: Received LOGIN Response PASS
01:39:54: As1/05 PPP/AAA: Check Attr: interface
01:39:54: As1/05 PPP/AAA: Check Attr: service-type
01:39:54: As1/05 PPP/AAA: Check Attr: Framed-Protocol
01:39:54: As1/05 PPP: Phase is FORWARDING, Attempting Forward
01:39:54: As1/05 PPP: Phase is AUTHENTICATING, Authenticated User
01:39:54: As1/05 AAA/AUTHOR/LCP: Process Author
01:39:54: As1/05 AAA/AUTHOR/LCP: Process Attr: service-type
01:39:54: As1/05 CHAP: O SUCCESS id 1 len 4
01:39:54: AAA/ACCT/NET(00000007): Pick method list 'default'
01:39:54: AAA/ACCT/SETMLIST(00000007): Handle FFFFFFFF, mlist 630B11E4, Name default
01:39:54: AAA/ACCT/EVENT/(00000007): NET UP
01:39:54: AAA/ACCT/NET(00000007): Queueing record is START
01:39:54: As1/05 PPP: Phase is UP
01:39:54: As1/05 AAA/AUTHOR/IPCP: FSM authorization not needed
01:39:54: As1/05 AAA/AUTHOR/FSM: We can start IPCP
01:39:54: As1/05 IPCP: O CONFREQ [Closed] id 1 len 10
01:39:54: As1/05 IPCP:    Address 10.1.1.2 (0x030646010102)
01:39:54: AAA/ACCT(00000007): Accouting method=radius (radius)
01:39:54: RADIUS/ENCODE(00000007): Unsupported AAA attribute timezone
01:39:54: RADIUS/ENCODE(00000007): Unsupported AAA attribute parent-interface
01:39:54: RADIUS/ENCODE(00000007): Unsupported AAA attribute parent-interface-type
01:39:54: RADIUS(00000007): sending
01:39:54: RADIUS: Send to unknown id 8 10.107.164.120:1646, Accounting-Request, len 243
01:39:54: RADIUS:  authenticator 41 87 FA 03 EB F9 94 62 - B2 3A 24 B8 27 4C A4 BC
01:39:54: RADIUS:  Acct-Session-Id     [44]  10  "00000009"
01:39:54: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
01:39:54: RADIUS:  Connect-Info        [77]  26  "52000/28800 V90/V44/LAPM"
01:39:54: RADIUS:  Vendor, Cisco       [26]  48
01:39:54: RADIUS:   Cisco AVpair       [1]   42  "v92-info=V.92 QC MOH/No QC Requested/0/0"
01:39:54: RADIUS:  Vendor, Cisco       [26]  32
01:39:54: RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
01:39:54: RADIUS:  Authentic           [45]  6   RADIUS                    [1]
01:39:54: RADIUS:  User-Name           [1]   15  "Administrator"
01:39:54: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
01:39:54: RADIUS:  Called-Station-Id   [30]  7   "50138"
01:39:54: RADIUS:  Calling-Station-Id  [31]  7   "60112"
01:39:54: RADIUS:  Vendor, Cisco       [26]  30
01:39:54: RADIUS:   cisco-nas-port     [2]   24  "Async1/05*Serial7/6:21"
01:39:54: RADIUS:  NAS-Port            [5]   6   221
01:39:54: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
01:39:54: RADIUS:  Service-Type        [6]   6   Framed                    [2]
01:39:54: RADIUS:  NAS-IP-Address      [4]   6   10.0.58.107
01:39:54: RADIUS:  Acct-Delay-Time     [41]  6   0
01:39:54: RADIUS: Received from id 8 10.107.164.120:1646, Accounting-response, len 20
01:39:54: RADIUS:  authenticator E5 5C D3 69 88 D5 2E 8E - 49 AF 63 22 01 53 33 7B
01:39:54: AAA/ACCT/NET(00000007): START protocol reply PASS
01:39:54: As1/05 CCP: I CONFREQ [Not negotiated] id 4 len 211
01:39:54: As1/05 CCP:    Type254
01:39:54: As1/05 CCP:     (0xFEC90100000000000000000000000000)
01:39:54: As1/05 CCP:     (0x000074FFC7000000000068000000A000)
01:39:54: As1/05 CCP:     (0x00006C20563905000000C0000000A400)
01:39:54: As1/05 CCP:     (0x0000BC000000186400007000E80018C8)
01:39:54: As1/05 CCP:     (0x130017CCF1770000000001000000E8FE)
01:39:54: As1/05 CCP:     (0xC70076CDF17706000000000000000000)
01:39:54: As1/05 CCP:     (0x00000000000000000000000000000000)
01:39:54: As1/05 CCP:     (0x00000000000000000000000000000000)
01:39:54: As1/05 CCP:     (0x00000000000000000000000000000000)
01:39:54: As1/05 CCP:     (0x00000000000000000000220020000001)
01:39:54: As1/05 CCP:     (0x0800000000005016B1CBA2E7D611B549)
01:39:54: As1/05 CCP:     (0x0001022BC439C800000000000000C800)
01:39:54: As1/05 CCP:     (0x00004D000000281FB8)
01:39:54: As1/05 CCP:    MS-PPC supported bits 0x00000006 (0x120600000006)
01:39:54: As1/05 LCP: O PROTREJ [Open] id 2 len 217 protocol CCP
01:39:54: As1/05 LCP: (0x80FD010400D3FEC90100000000000000)
01:39:54: As1/05 LCP: (0x000000000000000074FFC70000000000)
01:39:54: As1/05 LCP: (0x68000000A00000006C20563905000000)
01:39:54: As1/05 LCP: (0xC0000000A4000000BC00000018640000)
01:39:54: As1/05 LCP: (0x7000E80018C8130017CCF17700000000)
01:39:54: As1/05 LCP: (0x01000000E8FEC70076CDF17706000000)
01:39:54: As1/05 LCP: (0x00000000000000000000000000000000)
01:39:54: As1/05 LCP: (0x00000000000000000000000000000000)
01:39:54: As1/05 LCP: (0x00000000000000000000000000000000)
01:39:54: As1/05 LCP: (0x00000000000000000000000000000000)
01:39:54: As1/05 LCP: (0x2200200000010800000000005016B1CB)
01:39:54: As1/05 LCP: (0xA2E7D611B5490001022BC439C8000000)
01:39:54: As1/05 LCP: (0x00000000C80000004D000000281FB812)
01:39:54: As1/05 LCP: (0x0600000006)
01:39:54: As1/05 IPCP: I CONFREQ [REQsent] id 5 len 34
01:39:54: As1/05 IPCP:    Address 0.0.0.0 (0x030600000000)
01:39:54: As1/05 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
01:39:54: As1/05 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
01:39:54: As1/05 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
01:39:54: As1/05 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
01:39:54: As1/05 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 10.2.2.6
01:39:54: As1/05 AAA/AUTHOR/IPCP: Authorization succeeded
01:39:54: As1/05 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 10.2.2.6
01:39:54: As1/05 AAA/AUTHOR/IPCP: no author-info for primary dns
01:39:54: As1/05 AAA/AUTHOR/IPCP: no author-info for primary wins
01:39:54: As1/05 AAA/AUTHOR/IPCP: no author-info for seconday dns
01:39:54: As1/05 AAA/AUTHOR/IPCP: no author-info for seconday wins
01:39:54: As1/05 IPCP: O CONFREJ [REQsent] id 5 len 28
01:39:54: As1/05 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
01:39:54: As1/05 IPCP:    PrimaryWINS 0.0.0.0 (0x820600000000)
01:39:54: As1/05 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
01:39:54: As1/05 IPCP:    SecondaryWINS 0.0.0.0 (0x840600000000)
01:39:54: As1/05 IPCP: I CONFACK [REQsent] id 1 len 10
01:39:54: As1/05 IPCP:    Address 70.1.1.2 (0x030646010102)
01:39:54: As1/05 IPCP: I CONFREQ [ACKrcvd] id 6 len 10
01:39:54: As1/05 IPCP:    Address 0.0.0.0 (0x030600000000)
01:39:54: As1/05 IPCP: O CONFNAK [ACKrcvd] id 6 len 10
01:39:54: As1/05 IPCP:    Address 70.2.2.6 (0x030646020206)
01:39:55: As1/05 IPCP: I CONFREQ [ACKrcvd] id 7 len 10
01:39:55: As1/05 IPCP:    Address 70.2.2.6 (0x030646020206)
01:39:55: As1/05 IPCP: O CONFACK [ACKrcvd] id 7 len 10
01:39:55: As1/05 IPCP:    Address 70.2.2.6 (0x030646020206)
01:39:55: As1/05 IPCP: State is Open
01:39:55: AAA/ACCT/EVENT/(00000007): IPCP_PASS
01:39:55: As1/05 IPCP: Install route to 10.2.2.6
01:39:55: As1/05 IPCP: Add link info for cef entry 10.2.2.6
01:40:50: ISDN Se7/6:23: RX <- DISCONNECT pd = 8 callref = 0x42A0
01:40:50:         Cause i = 0x8190 - Normal call clearing
01:40:50: ISDN Se7/6:23: LIF_EVENT: ces/callid 1/0x38 CALL_DISC
01:40:50: EVENT_FROM_ISDN: dchan_idb=0x63B3D334, call_id=0x38, ces=0x0
bchan=0x15, event=0x0, cause=0x10
01:40:50: EVENT_FROM_ISDN:(0038): DEV_IDLE at slot 1 and port 5
01:40:50: CSM_PROC_IC7_OC6_CONNECTED: CSM_EVENT_ISDN_DISCONNECTED at slot 1, port 5
01:40:50: CSM DSPLIB(1/5): np_dsplib_call_hangup reason 14
01:40:50: CSM(1/5): Enter csm_enter_disconnecting_state
01:40:50: VDEV_DEALLOCATE: slot 1 and port 5 is deallocated
01:40:50: ISDN Se7/6:23: EVENT to CSM:DEV_IDLE: calltype=VOICE, bchan=21
01:40:50: ISDN Se7/6:23: process_disc_ack(): call id 0x38, ces 0, call type VOICE cause
0x10
01:40:50: ISDN Se7/6:23: TX -> RELEASE pd = 8 callref = 0xC2A0
01:40:50: AAA/ACCT/EVENT/(00000007): CALL STOP
01:40:50: AAA/ACCT/CALL STOP(00000007): Sending stop requests
01:40:50: AAA/ACCT(00000007): Send all stops
01:40:50: AAA/ACCT/NET(00000007): STOP
01:40:50: AAA/ACCT/NET(00000007): Queueing record is STOP osr 1
01:40:50: AAA/ACCT(00000007): Accouting method=radius (radius)
01:40:50: RADIUS/ENCODE(00000007): Unsupported AAA attribute timezone
01:40:50: RADIUS/ENCODE(00000007): Unsupported AAA attribute parent-interface
01:40:50: RADIUS/ENCODE(00000007): Unsupported AAA attribute parent-interface-type
01:40:50: RADIUS(00000007): sending
01:40:50: RADIUS: Send to unknown id 9 10.107.164.120:1646, Accounting-Request, len 315
01:40:50: RADIUS: authenticator 2E 6A 04 D0 04 9A D3 D5 - F7 DD 99 E0 C3 99 27 60
01:40:50: RADIUS:  Acct-Session-Id     [44]  10  "00000009"
01:40:50: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
01:40:50: RADIUS:  Framed-IP-Address   [8]   6   70.2.2.6
01:40:50: RADIUS:  Acct-Terminate-Cause[49]  6   lost-carrier              [2]
01:40:50: RADIUS:  Vendor, Cisco       [26]  33
01:40:50: RADIUS:   Cisco AVpair       [1]   27  "disc-cause-ext=No Carrier"
01:40:50: RADIUS:  Vendor, Cisco       [26]  35
01:40:50: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
01:40:50: RADIUS:  Acct-Session-Time   [46]  6   56
01:40:50: RADIUS:  Connect-Info        [77]  26  "52000/28800 V90/V44/LAPM"
01:40:50: RADIUS:  Vendor, Cisco       [26]  48
01:40:50: RADIUS:   Cisco AVpair       [1]   42  "v92-info=V.92 QC MOH/No QC Requested/0/0"
01:40:50: RADIUS:  Acct-Input-Octets   [42]  6   285
01:40:50: RADIUS:  Acct-Output-Octets  [43]  6   295
01:40:50: RADIUS:  Acct-Input-Packets  [47]  6   5
01:40:50: RADIUS:  Acct-Output-Packets [48]  6   5
01:40:50: RADIUS:  User-Name           [1]   15  "Administrator"
01:40:50: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
01:40:50: RADIUS:  Called-Station-Id   [30]  7   "50138"
01:40:50: RADIUS:  Calling-Station-Id  [31]  7   "60112"
01:40:50: RADIUS:  Vendor, Cisco       [26]  30
01:40:50: RADIUS:   cisco-nas-port     [2]   24  "Async1/05*Serial7/6:21"
01:40:50: RADIUS:  NAS-Port            [5]   6   221
01:40:50: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
01:40:50: RADIUS:  Service-Type        [6]   6   Framed                    [2]
01:40:50: RADIUS:  NAS-IP-Address      [4]   6   10.0.58.107
01:40:50: RADIUS:  Acct-Delay-Time     [41]  6   0
01:40:50: RADIUS: Received from id 9 10.107.164.120:1646, Accounting-response, len 20
01:40:50: RADIUS: authenticator D0 3F 32 D7 7C 8C 5E 22 - 9A 69 EF 17 AC 32 81 21
01:40:50: AAA/ACCT/NET(00000007): STOP protocol reply PASS
01:40:50: AAA/ACCT/NET(00000007): Cleaning up from Callback osr 0
01:40:50: AAA/ACCT(00000007): del node, session 9
01:40:50: AAA/ACCT/NET(00000007): free_rec, count 0
01:40:50: AAA/ACCT/NET(00000007) reccnt 0, csr TRUE, osr 0
01:40:50: AAA/ACCT/NET(00000007): Last rec in db, intf not enqueued
01:40:50: ISDN Se7/6:23: RX <- RELEASE_COMP pd = 8 callref = 0x42A0
01:40:50: ISDN Se7/6:23: CCPRI_ReleaseCall(): bchan 22, call id 0x38, call type VOICE
01:40:50: CCPRI_ReleaseChan released b_dsl 0 B_Chan 22
01:40:50: ISDN Se7/6:23: LIF_EVENT: ces/callid 1/0x38 CALL_CLEARED
01:40:50: ISDN Se7/6:23: received CALL_CLEARED call_id 0x38
01:40:50: no resend setup, no redial
01:40:50: no resend setup, no redial
01:40:50: AAA/ACCT/DS0: channel=21, ds1=6, t3=0, slot=7, ds0=117465109
01:40:50: EVENT_FROM_ISDN: dchan_idb=0x63B3D334, call_id=0x38, ces=0x1
bchan=0x15, event=0x0, cause=0x0
01:40:50: ISDN Se7/6:23: EVENT to CSM:DEV_IDLE: calltype=VOICE, bchan=21
01:40:51: CSM DSPLIB(1/5): Modem state changed to (TERMINATING_STATE)
01:40:51: CSM DSPLIB(1/5): Modem went onhook
01:40:51: CSM_PROC_IC8_OC8_DISCONNECTING: CSM_EVENT_MODEM_ONHOOK at slot 1, port 5
01:40:51: CSM(1/5): Enter csm_enter_idle_state
01:40:51: CSM DSPLIB(1/5):DSPLIB_IDLE: Modem session transition to FLUSHING
01:40:51: CSM DSPLIB(1/5):DSPLIB_IDLE: Modem session transition to IDLE
01:40:51: TTY1/05: DSR was dropped
01:40:51: tty1/05: Modem: READY->(unknown)
01:40:52: TTY1/05: dropping DTR, hanging up
01:40:52: DSPLIB(1/5): np_dsplib_process_dtr_notify()
01:40:52: CSM DSPLIB(1/5): Modem went onhook
01:40:52: CSM_PROC_IDLE: CSM_EVENT_MODEM_ONHOOK at slot 1, port 5
01:40:52: TTY1/05: Async Int reset: Dropping DTR
01:40:52: tty1/05: Modem: HANGUP->(unknown)
01:40:52: AAA/ACCT/EVENT/(00000007): NET DOWN
01:40:52: As1/05 IPCP: Remove link info for cef entry 70.2.2.6
01:40:52: As1/05 IPCP: State is Closed
01:40:52: As1/05 PPP: Phase is TERMINATING
01:40:52: As1/05 LCP: State is Closed
01:40:52: As1/05 PPP: Phase is DOWN
01:40:52: As1/05 IPCP: Remove route to 70.2.2.6
01:40:52: As1/05 LCP: State is Closed
01:40:53: TTY1/05: cleanup pending. Delaying DTR
01:40:54: TTY1/05: cleanup pending. Delaying DTR
01:40:55: TTY1/05: cleanup pending. Delaying DTR
01:40:56: TTY1/05: cleanup pending. Delaying DTR
01:40:57: TTY1/05: no timer type 0 to destroy
01:40:57: TTY1/05: no timer type 1 to destroy
01:40:57: TTY1/05: no timer type 3 to destroy
01:40:57: TTY1/05: no timer type 4 to destroy
01:40:57: TTY1/05: no timer type 2 to destroy
01:40:57: Async1/05: allowing modem_process to continue hangup
01:40:57: TTY1/05: restoring DTR
01:40:57: TTY1/05: autoconfigure probe started
01:40:57: As1/05 LCP: State is Closed
Verifying V.92 Call Information
To verify that the V.92 call was correctly established, use the following show commands:
SUMMARY STEPS
1. show modem [slot/port | group number]
2. show port modem log [reverse slot/port] [slot | slot/port]
3. show users [all]
DETAILED STEPS
Step 1 show modem [slot/port | group number]
Purpose: Displays a high-level performance report for all the modems or a single modem inside Cisco access servers.
Example:
Router# show modem 1/0 group 1
Step 2 show port modem log [reverse slot/port] [slot | slot/port]
Purpose: Displays the events generated by the modem sessions.
Example:
Router# show port modem log
Step 3 show users [all]
Purpose: Displays information about the active lines on the router.
Example:
Router# show users
Examples
Show Output 1
Show Output 2
The following V.92 reporting outputs are from the show port modem log and show users commands:
Router# show port modem log 1/05
Port 1/05 Events Log
01:46:19: Service Type: DATA_FAX_MODEM
01:46:19: Service Mode: DATA_FAX_MODEM
01:46:19: Session State: IDLE
01:46:19: incoming caller number: 60112
01:46:19: incoming called number: 50138
01:46:19: Service Type: DATA_FAX_MODEM
01:46:19: Service Mode: DATA_FAX_MODEM
01:46:19: Session State: IDLE
01:46:19: Service Type: DATA_FAX_MODEM
01:46:19: Service Mode: DATA_FAX_MODEM
01:46:19: Session State: ACTIVE
01:46:19: Modem State event:
State: Connect
01:46:20: Modem State event:
State: V.8bis Exchange
01:46:20: Modem State event:
State: Link
01:46:20: Modem State event:
State: Ranging
01:46:20: Modem State event:
State: Half Duplex Train
01:46:20: Modem State event:
State: Train Up
01:46:20: Modem State event:
State: EC Negotiating
01:46:20: Modem State event:
State: Steady
01:46:20: Modem Static event:
Connect Protocol : LAP-M
Compression : V.44
Connected Standard : V.90
TX,RX Symbol Rate : 8000, 3200
TX,RX Carrier Frequency : 0, 1829
TX,RX Trellis Coding : 16/No trellis
Frequency Offset : 0 Hz
Round Trip Delay : 0 msecs
TX,RX Bit Rate : 52000, 28800
Robbed Bit Signalling (RBS) pattern : 255
Digital Pad : 6 dB
Digital Pad Compensation : Enabled
MNP10EC : Off-None
QC Exchange : No QC Requested
TX,RX Negotiated String Length : 255, 255
DC TX,RX Negotiated Codewords : 1024, 1024
DC TX,RX Negotiated History Size : 4096, 5120
01:46:21: ISDN Se7/6:23: RX <- SERVICE pd = 3 callref = 0x0000
01:46:21: Change Status i = 0xC0 - in-service
01:46:21: Channel ID i = 0xA98381
01:46:21: ISDN Se7/6:23: Incoming call id = 0x003A, dsl 0
01:46:21: ISDN Se7/6:23: LIF_EVENT: ces/callid 1/0x0 CHAN_STATUS
01:46:21: ISDN Se7/6:23: CHAN_STATUS B-chan=1, action=2; Maintenance.
01:46:21: ISDN Se7/6:23: TX -> SERVICE ACKNOWLEDGE pd = 3 callref = 0x8000
01:46:21: Change Status i = 0xC0 - in-service
01:46:21: Channel ID i =
1
s5400#sh port modem log 1/05
Port 1/05 Events Log
01:46:30: Service Type: DATA_FAX_MODEM
01:46:30: Service Mode: DATA_FAX_MODEM
01:46:30: Session State: IDLE
01:46:30: incoming caller number: 60112
01:46:30: incoming called number: 50138
01:46:30: Service Type: DATA_FAX_MODEM
01:46:30: Service Mode: DATA_FAX_MODEM
01:46:30: Session State: IDLE
01:46:30: Service Type: DATA_FAX_MODEM
01:46:30: Service Mode: DATA_FAX_MODEM
01:46:30: Session State: ACTIVE
01:46:30: Modem State event:
State: Connect
01:46:30: Modem State event:
State: V.8bis Exchange
01:46:30: Modem State event:
State: Link
01:46:30: Modem State event:
State: Ranging
01:46:30: Modem State event:
State: Half Duplex Train
01:46:30: Modem State event:
State: Train Up
01:46:31: Modem State event:
State: EC Negotiating
01:46:31: Modem State event:
State: Steady
01:46:31: Modem Static event:
Connect Protocol : LAP-M
Compression : V.44
Connected Standard : V.90
TX,RX Symbol Rate : 8000, 3200
TX,RX Carrier Frequency : 0, 1829
TX,RX Trellis Coding : 16/No trellis
Frequency Offset : 0 Hz
Round Trip Delay : 0 msecs
TX,RX Bit Rate : 52000, 28800
Robbed Bit Signalling (RBS) pattern : 255
Digital Pad : 6 dB
Digital Pad Compensation : Enabled
MNP10EC : Off-None
QC Exchange : No QC Requested
TX,RX Negotiated String Length : 255, 255
DC TX,RX Negotiated Codewords : 1024, 1024
DC TX,RX Negotiated History Size : 4096, 5120
Diagnostic Code : 00 00 00 00 00 00 00 00
V.92 Status : V.92 QC MOH
01:46:32: Modem Dynamic event:
Sq Value : 6
Signal Noise Ratio : 38 dB
Receive Level : -11 dBm
Phase Jitter Frequency : 0 Hz
Phase Jitter Level : 0 degrees
Far End Echo Level : 0 dBm
Phase Roll : 0 degrees
Total Retrains : 0
EC Retransmission Count : 0
Characters transmitted, received : 0, 0
Characters received BAD : 0
PPP/SLIP packets transmitted, received : 0, 0
PPP/SLIP packets received (BAD/ABORTED) : 0
EC packets transmitted, received OK : 0, 0
EC packets (Received BAD/ABORTED) : 0
Total Speedshifts : 0
Total MOH Time : 0 secs
Current MOH Time : 0 secs
MOH Status : Modem is Not on Hold
MOH Count : 0
MOH Request Count : 0
Retrains due to Call Waiting : 0
DC Encoder,Decoder State : compressed/compressed
DC TX,RX Compression Ratio : not calculated/not calculated
DC TX,RX Dictionary Reset Count : 0, 0
Diagnostic Code : 00 00 00 00 00 00 00 00
01:46:35: Modem State event:
State: Terminate
01:46:35: Service Type: DATA_FAX_MODEM
01:46:35: Service Mode: DATA_FAX_MODEM
01:46:35: Session State: FLUSHING
01:46:35: Service Type: DATA_FAX_MODEM
01:46:35: Service Mode: DATA_FAX_MODEM
01:46:35: Session State: IDLE
01:46:35: Modem End Connect event:
Call Timer : 65 secs
Disconnect Reason Info : 0x220
Type (=0 ): <unknown>
Class (=2 ): EC condition - locally detected
Reason (=32 ): received DISC frame -- normal LAPM termination
Total Retrains : 0
EC Retransmission Count : 0
Characters transmitted, received : 677, 817
Characters received BAD : 0
PPP/SLIP packets transmitted, received : 10, 10
PPP/SLIP packets received (BAD/ABORTED) : 0
EC packets transmitted, received OK : 10, 21
EC packets (Received BAD/ABORTED) : 0
TX,RX Bit Rate : 52000, 28800
Total Speedshifts : 0
Total MOH Time : 0 secs
Current MOH Time : 0 secs
MOH Status : Modem is Not on Hold
MOH Count : 0
MOH Request Count : 0
Retrains due to Call Waiting : 0
DC Encoder,Decoder State : compressed/compressed
DC TX,RX Compression Ratio : 1.67:1/1.65:1
DC TX,RX Dictionary Reset Count : 0, 1
Diagnostic Code : 00 00 00 00 00 00 00 00
01:46:37:Modem Link Rate event:
Router# show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   tty 1/05    Administra Async interface      00:00:29   PPP: 70.2.2.6
  Interface    User       Mode                 Idle       Peer Address
Troubleshooting Tips
If V.92 call information is not being reported by AAA, ensure that the call is a V.92 call by
using the show modem command or by looking at the modem logs by using the show modem
log command.
Additional References
The following sections provide references related to the V.92 Reporting Using RADIUS Attribute v.92-info
feature.
• Related Documents
• Standards
• MIBs
• RFCs
• Technical Assistance
Related Documents
| Related Topic | Document Title |
|---|---|
| AAA accounting | “AAA Accounting” module. |
| AAA accounting commands | Cisco IOS Security Command Reference |
| V.92 Quick Connect feature | V.92 Quick Connect for Cisco AS5300 and Cisco AS5800 Universal Access Servers |
| V.92 Modem on Hold feature | V.92 Modem on Hold for Cisco AS5300 and Cisco AS5800 Universal Access Servers |
Standards
| Standards | Title |
|---|---|
| None. | -- |
MIBs
| MIBs | MIBs Link |
|---|---|
| None. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
| RFCs | Title |
|---|---|
| None. | -- |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport |
Feature Information for V.92 Reporting Using RADIUS
Attribute v.92-info
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 19 Feature Information for V.92 Reporting Using RADIUS Attribute v.92-info
| Feature Name | Releases | Feature Information |
|---|---|---|
| V.92 Reporting Using RADIUS Attribute v.92-info | 12.3(1) | The V.92 Reporting Using RADIUS Attribute v.92-info feature provides the ability to track V.92 call information, such as V.92 features that are supported, the Quick Connect feature set that was attempted, the duration for which the original call was put on hold, and how many times Modem On Hold was initiated. The vendor-specific attribute (VSA) v.92-info is included in accounting “start” and “stop” records when modems negotiate a V.92 connection. This feature was introduced in Cisco IOS Release 12.3(1). |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.
RADIUS Attribute 66 Tunnel-Client-Endpoint
Enhancements
The RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements feature allows the hostname of the
network access server (NAS) to be specified--rather than the IP address of the NAS--in RADIUS attribute
66 (Tunnel-Client-Endpoint). This feature makes it easier for users to remember a hostname instead of a
numerical IP address, and helps disguise the numerical IP address of the NAS.
• Finding Feature Information
• Prerequisites for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• Restrictions for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• Information About RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• How to Configure RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• Configuration Example for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• Additional References
• Feature Information for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Attribute 66 Tunnel-Client-Endpoint
Enhancements
A Cisco platform that supports VPDN is required. See the Glossary for more information about
VPDN.
Restrictions for RADIUS Attribute 66 Tunnel-Client-Endpoint
Enhancements
Your Cisco router or access server must be running a Cisco IOS software image that supports virtual
private dialup networks (VPDNs).
Information About RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• How the RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements are Used
How the RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements are
Used
Virtual Private Networks (VPNs) use Layer 2 Forwarding (L2F) or Layer 2 Tunnel Protocol (L2TP)
tunnels to tunnel the link layer of high-level protocols (for example, PPP or asynchronous High-Level Data
Link Control (HDLC)). Internet service providers (ISPs) configure their NASs to receive calls from users
and forward the calls to the customer tunnel server. Usually, the ISP maintains only information about the
tunnel server--the tunnel endpoint. The customer maintains the IP addresses, routing, and other user
database functions of the tunnel server users. RADIUS attribute 66 provides the customer with the ability to
specify the hostname of the NAS instead of the IP address of the NAS.
How to Configure RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
There are no CLI tasks used to configure RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
on the IOS.
Configuration Example for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
• Setting Up the RADIUS Profile for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements Example
Setting Up the RADIUS Profile for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements Example
The following example shows a configuration that allows the user to specify the hostname of the NAS
using RADIUS attribute 66 (Tunnel-Client-Endpoint) in the RADIUS profile:
cisco.com Password = "cisco"
    Service-Type = Outbound-User,
    Tunnel-Type = :1:L2F,
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Client-Endpoint = :1:"cisco2",
    Tunnel-Server-Endpoint = :1:"172.21.135.4",
    Tunnel-Assignment-Id = :1:"nas1",
    Tunnel-Password = :1:"cisco"
Additional References
The following sections provide references related to the RADIUS Attribute 66 (Tunnel-Client-Endpoint)
Enhancements feature.
Related Documents
| Related Topic | Document Title |
|---|---|
| RADIUS attribute 66 | Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0. |
Standards
| Standard | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | -- |
MIBs
| MIB | MIBs Link |
|---|---|
| No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
| RFC | Title |
|---|---|
| None | -- |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport |
Feature Information for RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 20 Feature Information for RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
| Feature Name | Releases | Feature Information |
|---|---|---|
| RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements | 12.1(5)T 12.2(28)SB | The RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements feature allows the hostname of the network access server (NAS) to be specified--rather than the IP address of the NAS--in RADIUS attribute 66 (Tunnel-Client-Endpoint). This feature makes it easier for users to remember a hostname instead of a numerical IP address, and helps disguise the numerical IP address of the NAS. This feature was introduced in Cisco IOS Release 12.1(5)T. This feature was integrated into Cisco IOS Release 12.2(28)SB. |
Glossary
L2F --Layer 2 Forwarding Protocol. Protocol that supports the creation of secure virtual private dialup
networks over the Internet.
L2TP --Layer 2 Tunnel Protocol. Protocol that is one of the key building blocks for virtual private
networks in the dial access space and is endorsed by Cisco and other internetworking industry leaders. This
protocol combines the best of Cisco's Layer 2 Forwarding (L2F) protocol and Microsoft's Point-to-Point
Tunneling Protocol (PPTP).
Layer 2 Forwarding Protocol --See L2F.
Layer 2 Tunnel Protocol --See L2TP.
Point-to-Point Protocol --See PPP.
PPP --Point-to-Point Protocol. Successor to SLIP that provides router-to-router and host-to-network
connections over synchronous and asynchronous circuits. Whereas SLIP was designed to work with IP,
PPP was designed to work with several network layer protocols, such as IP, IPX, and ARA. PPP also has
built-in security mechanisms, such as CHAP and PAP. PPP relies on two protocols: LCP and NCP.
RADIUS --Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN
connections and for tracking connection time.
Remote Authentication Dial-In User Service --See RADIUS.
virtual private dialup network --See VPDN.
VPDN --virtual private dialup network. A system that permits dial-in networks to exist remotely to home
networks, while giving the appearance of being directly connected. VPDNs use L2TP and L2F to terminate
the Layer 2 and higher parts of the network connection at the L2TP network server (LNS), instead of the
L2TP access concentrator (LAC).
RADIUS Attribute Screening
The RADIUS Attribute Screening feature allows users to configure a list of “accept” or “reject” RADIUS
attributes on the network access server (NAS) for purposes such as authorization or accounting.
If a NAS accepts and processes all RADIUS attributes received in an Access-Accept packet, unwanted
attributes may be processed, creating a problem for wholesale providers who do not control their
customers’ authentication, authorization, and accounting (AAA) servers. For example, there may be
attributes that specify services to which the customer has not subscribed, or there may be attributes that
may degrade service for other wholesale dial users. The ability to configure the NAS to restrict the use of
specific attributes has therefore become a requirement for many users.
The RADIUS Attribute Screening feature should be implemented in one of the following ways:
• To allow the NAS to accept and process all standard RADIUS attributes for a particular purpose,
except for those on a configured reject list
• To allow the NAS to reject (filter out) all standard RADIUS attributes for a particular purpose, except
for those on a configured accept list

• Finding Feature Information
• Prerequisites for RADIUS Attribute Screening
• Restrictions for RADIUS Attribute Screening
• Information About RADIUS Attribute Screening
• How to Screen RADIUS Attributes
• Configuration Examples for RADIUS Attribute Screening
• Additional References
• Feature Information for RADIUS Attribute Screening
• Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS Attribute Screening
Before configuring a RADIUS accept or reject list, you must enable AAA by using the aaa new-model command in global configuration mode.
Restrictions for RADIUS Attribute Screening
NAS Requirements
To enable this feature, your NAS should be configured for authorization with RADIUS groups.
Accept or Reject Lists Limitations
The two filters used to configure accept or reject lists are mutually exclusive; therefore, a user can
configure only one accept list or one reject list for each purpose, per server group.
Vendor-Specific Attributes
This feature does not support vendor-specific attribute (VSA) screening; however, a user can specify
attribute 26 (Vendor-Specific) in an accept or reject list, which accepts or rejects all VSAs.
Required Attributes Screening Recommendation
It is recommended that users do not reject the following required attributes:
• For authorization:
◦ 6 (Service-Type)
◦ 7 (Framed-Protocol)
• For accounting:
◦ 4 (NAS-IP-Address)
◦ 40 (Acct-Status-Type)
◦ 41 (Acct-Delay-Time)
◦ 44 (Acct-Session-ID)
If an attribute is required, the rejection is refused, and the attribute is allowed to pass through.
Note
The user does not receive an error at the point of configuring a reject list for required attributes because the
list does not specify a purpose--authorization or accounting. The server determines whether an attribute is
required when it is known what the attribute is to be used for.
Information About RADIUS Attribute Screening
The RADIUS Attribute Screening feature provides the following benefits:
• Users can configure an accept or reject list consisting of a selection of attributes on the NAS for a
specific purpose so unwanted attributes are not accepted and processed.
• Users may wish to configure an accept list that includes only relevant accounting attributes, thereby
reducing unnecessary traffic and allowing users to customize their accounting data.
How to Screen RADIUS Attributes
• Configuring RADIUS Attribute Screening
• Verifying RADIUS Attribute Screening
Configuring RADIUS Attribute Screening
To configure a RADIUS attribute accept or reject list for authorization or accounting, use the following
commands:
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authentication ppp default
4. aaa authorization network default group group-name
5. aaa group server radius group-name
6. server ip-address
7. authorization [accept | reject] listname
8. Router(config-sg-radius)# exit
9. radius-server host {hostname | ip-address} [key string]
10. radius-server attribute list listname
11. attribute number [number [number...]]
DETAILED STEPS
Step 1 enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal
Step 3 aaa authentication ppp default group group-name
Purpose: Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
Example:
Router(config)# aaa authentication ppp default group radius-sg
Step 4 aaa authorization network default group group-name
Purpose: Sets parameters that restrict network access to the user.
Example:
Router(config)# aaa authorization network default group radius-sg
Step 5 aaa group server radius group-name
Purpose: Groups different RADIUS server hosts into distinct lists and distinct methods.
Example:
Router(config)# aaa group server radius radius-sg
Step 6 server ip-address
Purpose: Configures the IP address of the RADIUS server for the group server.
Example:
Router(config-sg-radius)# server 10.1.1.1
Step 7 authorization [accept | reject] listname
and/or
accounting [accept | reject] listname
Purpose: Specifies a filter for the attributes that are returned in an Access-Accept packet from the RADIUS server.
and/or
Specifies a filter for the attributes that are to be sent to the RADIUS server in an accounting request.
Note The accept keyword indicates that all attributes are rejected except for the attributes specified in the listname. The reject keyword indicates that all attributes are accepted except for the attributes specified in the listname and all standard attributes.
Example:
Router(config-sg-radius)# authorization accept min-author
Step 8 Router(config-sg-radius)# exit
Purpose: Exits server-group configuration mode.
Step 9 radius-server host {hostname | ip-address} [key string]
Purpose: Specifies a RADIUS server host.
Example:
Router(config)# radius-server host 10.1.1.1 key mykey1
Step 10 radius-server attribute list listname
Purpose: Defines the list name given to the set of attributes defined in the attribute command and enters server-group configuration mode.
Note The listname must be the same as the listname defined in Step 5.
Example:
Router(config)# radius-server attribute list min-author
Step 11 attribute number [number [number...]]
Purpose: Adds RADIUS attributes to the configured accept or reject list. See the “RADIUS Attributes Overview and RADIUS IETF Attributes” feature module for more information.
Note This command can be used multiple times to add attributes to an accept or reject list.
Note The user-password (RADIUS attribute 2) and nas-ip (RADIUS attribute 4) attributes can be filtered together successfully in the access request if they are configured to be filtered. An access request must contain either a user-password or a CHAP password or a state. Also, either a NAS IP address or NAS identifier must be present in a RADIUS accounting request.
Example:
Router(config-sg-radius)# attribute 6-7
Verifying RADIUS Attribute Screening
To verify an accept or reject list, use one of the following commands in privileged EXEC mode:
| Command | Purpose |
|---|---|
| Router# debug aaa accounting | Displays information on accountable events as they occur. |
| Router# debug aaa authentication | Displays information on AAA authentication. |
| Router# show radius statistics | Displays the RADIUS statistics for accounting and authentication packets. |
Configuration Examples for RADIUS Attribute Screening
• Authorization Accept Example
• Accounting Reject Example
• Authorization Reject and Accounting Accept Example
• Rejecting Required Attributes Example
Authorization Accept Example
The following example shows how to configure an accept list for attribute 6 (Service-Type) and attribute 7
(Framed-Protocol); all other attributes (including VSAs) are rejected for RADIUS authorization.
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 10.1.1.1
 authorization accept min-author
!
radius-server host 10.1.1.1 key mykey1
radius-server attribute list min-author
 attribute 6-7
Accounting Reject Example
The following example shows how to configure a reject list for attribute 66 (Tunnel-Client-Endpoint) and
attribute 67 (Tunnel-Server-Endpoint); all other attributes (including VSAs) are accepted for RADIUS
accounting.
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 10.1.1.1
 accounting reject tnl-x-endpoint
!
radius-server host 10.1.1.1 key mykey1
radius-server attribute list tnl-x-endpoint
 attribute 66-67
Authorization Reject and Accounting Accept Example
The following example shows how to configure a reject list for RADIUS authorization and configure an
accept list for RADIUS accounting. Although you cannot configure more than one accept or reject list per
server group for authorization or accounting, you can configure one list for authorization and one list for
accounting per server group.
aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 10.1.1.1
 authorization reject bad-author
 accounting accept usage-only
!
radius-server host 10.1.1.1 key mykey1
radius-server attribute list usage-only
 attribute 1,40,42-43,46
!
radius-server attribute list bad-author
 attribute 22,27-28,56-59
Rejecting Required Attributes Example
The following example shows debug output for the debug aaa accounting command. In this example,
required attributes 44, 40, and 41 have been added to the reject list “standard.”
Router# debug aaa authorization
AAA/ACCT(6): Accounting method=radius-sg (radius)
RADIUS: attribute 44 cannot be rejected
RADIUS: attribute 61 rejected
RADIUS: attribute 31 rejected
RADIUS: attribute 40 cannot be rejected
RADIUS: attribute 41 cannot be rejected
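The screening rules shown in these examples can be checked offline before a configuration is deployed. The following Python script is an added example, not Cisco code: it parses the aaa group server radius and radius-server attribute list blocks, expands the attribute ranges, and reports the conditions this section describes (more than one list per purpose, a reference to an undefined list, and required accounting attributes placed in a reject list). The sample configuration, the contents of the list named standard, and all function names are constructed for illustration; the required-attribute set holds only the three attributes that appear in the debug output above.

```python
import re

# Accounting attributes that the debug output above reports as
# "cannot be rejected". Assumption: only these three are taken from the page;
# extend the set from your platform's documentation.
REQUIRED_ACCOUNTING = frozenset({40, 41, 44})

# Constructed sample: the page's server-group layout, plus a reject list named
# "standard" whose contents mirror the attributes seen in the debug output and
# a second accounting list to trigger the one-list-per-purpose check.
SAMPLE_CONFIG = """\
aaa group server radius radius-sg
 server 10.1.1.1
 authorization reject bad-author
 accounting reject standard
 accounting accept usage-only
!
radius-server attribute list usage-only
 attribute 1,40,42-43,46
!
radius-server attribute list bad-author
 attribute 22,27-28,56-59
!
radius-server attribute list standard
 attribute 31,40-41,44,61
"""


def expand(spec):
    """Expand an IOS attribute spec such as '1,40,42-43,46' into a set of ints."""
    attrs = set()
    for part in spec.split(","):
        if not part.strip():
            continue
        lo, _, hi = part.strip().partition("-")
        attrs.update(range(int(lo), int(hi or lo) + 1))
    return attrs


def parse(config):
    """Return (lists, groups): list name -> attribute set, and
    server group -> [(purpose, action, list name), ...].
    Indentation is ignored, so flattened configuration text also parses."""
    lists, groups, ctx = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"radius-server attribute list (\S+)", line):
            ctx = ("list", m[1])
            lists.setdefault(m[1], set())
        elif m := re.fullmatch(r"aaa group server radius (\S+)", line):
            ctx = ("group", m[1])
            groups.setdefault(m[1], [])
        elif ctx and ctx[0] == "list" and (
                m := re.fullmatch(r"attribute ([\d,\- ]+)", line)):
            lists[ctx[1]] |= expand(m[1])
        elif ctx and ctx[0] == "group" and (
                m := re.fullmatch(r"(authorization|accounting) (accept|reject) (\S+)", line)):
            groups[ctx[1]].append((m[1], m[2], m[3]))
        elif ctx and ctx[0] == "group" and line.startswith("server "):
            pass  # server membership does not affect screening
        else:
            ctx = None  # "!" or any other command leaves the sub-mode
    return lists, groups


def screen(packet_attrs, action, listed, required=frozenset()):
    """Return the attribute numbers that survive an accept or reject list.
    Required attributes survive a reject list, as the debug output shows;
    accept lists are applied as written because the page does not show how
    required attributes are treated there."""
    if action == "accept":
        return {a for a in packet_attrs if a in listed}
    return {a for a in packet_attrs if a not in listed or a in required}


def audit(config, required=REQUIRED_ACCOUNTING):
    """Return a sorted list of (server group, finding) tuples."""
    lists, groups = parse(config)
    findings = []
    for group, rules in groups.items():
        for purpose in ("authorization", "accounting"):
            mine = [(action, name) for p, action, name in rules if p == purpose]
            if len(mine) > 1:
                findings.append(
                    (group, f"{purpose}: {len(mine)} lists configured, only one is allowed"))
            for action, name in mine:
                if name not in lists:
                    findings.append((group, f"{purpose} {action} {name}: list is not defined"))
                elif purpose == "accounting" and action == "reject":
                    for attr in sorted(lists[name] & required):
                        findings.append(
                            (group, f"accounting reject {name}: attribute {attr} cannot be rejected"))
    return sorted(findings)


if __name__ == "__main__":
    for group, finding in audit(SAMPLE_CONFIG):
        print(f"{group}: {finding}")
```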
Additional References
The following sections provide references related to the RADIUS Attribute Screening feature.
Related Documents
Related Topic | Document Title
IOS AAA security features | Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
Cisco IOS Security Commands | Cisco IOS Security Command Reference
RADIUS | “Configuring RADIUS” module
Standards
Standard | Title
None | --
MIBs
MIB | MIBs Link
None. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported by this release. | --
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for RADIUS Attribute Screening
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 21 Feature Information for RADIUS Attribute Screening
Feature Name: RADIUS Attribute Screening
Releases: 12.2(1)DX 12.2(2)DD 12.2(4)B 12.2(4)T 12.2(13)T 12.2(33)SRC
Feature Information:
The RADIUS Attribute Screening feature allows users to configure a list of “accept” or “reject” RADIUS
attributes on the network access server (NAS) for purposes such as authorization or accounting.
This feature was introduced in 12.2(1)DX.
This feature was integrated into Cisco IOS Release 12.2(2)DD.
This feature was integrated into Cisco IOS Release 12.2(4)B.
This feature was integrated into 12.2(4)T.
This feature was integrated into Cisco IOS Release 12.2(33)SRC.
Platform support was added for the Cisco 7401 ASR router.
The Cisco 7200 series platform applies to the Cisco IOS Releases 12.2(1)DX, 12.2(2)DD, 12.2(4)B,
12.2(4)T, and 12.2(13)T.
The Cisco 7401 ASR platform applies to Cisco IOS Release 12.2(13)T only.
The following commands were introduced or modified by this feature: accounting (server-group
configuration), authorization (server-group configuration), attribute (server-group configuration),
radius-server attribute list
Glossary
AAA --authentication, authorization, and accounting. Suite of network security services that provide the
primary framework through which access control can be set up on your Cisco router or access server.
attribute --RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard
attributes that are used to communicate AAA information between a client and a server. Because IETF
attributes are standard, the attribute data is predefined and well known; thus all clients and servers who
exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of
the attributes and the general bounds of the values for each attribute.
NAS --network access server. A Cisco platform (or collection of platforms, such as an AccessPath system)
that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the
Public Switched Telephone Network).
RADIUS --Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that
secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco
routers and send authentication requests to a central RADIUS server that contains all user authentication
and network service access information.
VSA --vendor-specific attribute. VSAs are derived from one IETF attribute--vendor-specific (attribute 26).
Attribute 26 allows a vendor to create and implement an additional 255 attributes. That is, a vendor can
create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26:
essentially, Vendor-Specific ="protocol:attribute=value".
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental. © 2001-2002, 2009
Cisco Systems, Inc. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
RADIUS NAS-IP-Address Attribute Configurability
The RADIUS NAS-IP-Address Attribute Configurability feature allows an arbitrary IP address to be
configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in
the IP header of the RADIUS packets. This feature may be used for situations in which service providers
are using a cluster of small network access servers (NASs) to simulate a large NAS to improve scalability.
This feature allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS
server.
• Finding Feature Information
• Prerequisites for RADIUS NAS-IP-Address Attribute Configurability
• Restrictions for RADIUS NAS-IP-Address Attribute Configurability
• Information About RADIUS NAS-IP-Address Attribute Configurability
• How to Configure RADIUS NAS-IP-Address Attribute Configurability
• Configuration Examples for RADIUS NAS-IP-Address Attribute Configurability
• Additional References
• Feature Information for RADIUS NAS-IP-Address Attribute Configurability
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for RADIUS NAS-IP-Address Attribute Configurability
The following requirements are necessary before configuring this feature:
• Experience with IP Security (IPSec) and configuring both RADIUS servers and authentication,
  authorization, and accounting (AAA) is necessary.
• RADIUS server and AAA lists must be configured.
Restrictions for RADIUS NAS-IP-Address Attribute Configurability
The following restrictions apply if a cluster of RADIUS clients is being used to simulate a single
RADIUS client for scalability. Solutions, or workarounds, to the restrictions are also provided.
• RADIUS attribute 44, Acct-Session-Id, may overlap among sessions from different NASs.
  There are two solutions. Either the radius-server attribute 44 extend-with-addr or radius-server
  unique-ident command can be used on NAS routers to specify different prepending numbers for different
  NAS routers.
• RADIUS server-based IP address pool for different NASs must be managed.
  The solution is to configure different IP address pool profiles for different NASs on the RADIUS server.
  Different NASs use different pool usernames to retrieve them.
• RADIUS request message for sessions from different NASs must be differentiated.
  One of the solutions is to configure different format strings for RADIUS attribute 32, NAS-Identifier, using
  the radius-server attribute 32 include-in-access-req command on different NASs.
Information About RADIUS NAS-IP-Address Attribute Configurability
To simulate a large NAS RADIUS client using a cluster of small NAS RADIUS clients, as shown in
Information About RADIUS NAS-IP-Address Attribute Configurability, a Network Address
Translation (NAT) or Port Address Translation (PAT) device is inserted in a network. The device is placed
between a cluster of NASs and the IP cloud that is connected to a RADIUS server. When RADIUS traffic
from different NASs goes through the NAT or PAT device, the source IP addresses of the RADIUS packets
are translated to a single IP address, most likely an IP address on a loopback interface on the NAT or PAT
device. Different User Datagram Protocol (UDP) source ports are assigned to RADIUS packets from
different NASs. When the RADIUS reply comes back from the server, the NAT or PAT device receives it,
uses the destination UDP port to translate the destination IP address back to the IP address of the NAS, and
forwards the reply to the corresponding NAS.
The figure below demonstrates how the source IP addresses of several NASs are translated to a single IP
address as they pass through the NAT or PAT device on the way to the IP cloud.
RADIUS servers normally check the source IP address in the IP header of the RADIUS packets to track the
source of the RADIUS requests and to maintain security. The NAT or PAT solution satisfies these
requirements because only a single source IP address is used even though RADIUS packets come from
different NAS routers.
However, when retrieving accounting records from the RADIUS database, some billing systems use
RADIUS attribute 4, NAS-IP-Address, in the accounting records. The value of this attribute is recorded on
the NAS routers as their own IP addresses. The NAS routers are not aware of the NAT or PAT that runs
between them and the RADIUS server; therefore, different RADIUS attribute 4 addresses will be recorded
in the accounting records for users from the different NAS routers. These addresses eventually expose
different NAS routers to the RADIUS server and to the corresponding billing systems.
• Using the RADIUS NAS-IP-Address Attribute Configurability Feature
Using the RADIUS NAS-IP-Address Attribute Configurability Feature
The RADIUS NAS-IP-Address Attribute Configurability feature allows you to freely configure an arbitrary
IP address as RADIUS NAS-IP-Address, RADIUS attribute 4. By manually configuring the same IP
address, most likely the IP address on the loopback interface of the NAT or PAT device, for all the routers,
you can hide a cluster of NAS routers behind the NAT or PAT device from the RADIUS server.
How to Configure RADIUS NAS-IP-Address Attribute Configurability
• Configuring RADIUS NAS-IP-Address Attribute Configurability
• Monitoring and Maintaining RADIUS NAS-IP-Address Attribute Configurability
Configuring RADIUS NAS-IP-Address Attribute Configurability
Before configuring the RADIUS NAS-IP-Address Attribute Configurability feature, you must have
configured the RADIUS servers or server groups and AAA method lists.
To configure the RADIUS NAS-IP-Address Attribute Configurability feature, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute 4 ip-address
DETAILED STEPS
Step 1 enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example:
  Router> enable
Step 2 configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Router# configure terminal
Step 3 radius-server attribute 4 ip-address
  Purpose: Configures an IP address to be used as the RADIUS NAS-IP-Address, attribute 4.
  Example:
  Router (config)# radius-server attribute 4 10.2.1.1
Monitoring and Maintaining RADIUS NAS-IP-Address Attribute Configurability
To monitor the RADIUS attribute 4 address that is being used inside the RADIUS packets, use the debug
radius command.
SUMMARY STEPS
1. enable
2. debug radius
DETAILED STEPS
Step 1 enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example:
  Router> enable
Step 2 debug radius
  Purpose: Displays information associated with RADIUS.
  Example:
  Router# debug radius
Example
The following sample output is from the debug radius command:
Router# debug radius
RADIUS/ENCODE(0000001C): acct_session_id: 29
RADIUS(0000001C): sending
RADIUS(0000001C): Send Access-Request to 10.0.0.10:1645 id 21645/17, len 81
RADIUS: authenticator D0 27 34 C0 F0 C4 1C 1B - 3C 47 08 A2 7E E1 63 2F
RADIUS: Framed-Protocol     [7]   6   PPP                  [1]
RADIUS: User-Name           [1]   18  "shashi@pepsi.com"
RADIUS: CHAP-Password       [3]   19  *
RADIUS: NAS-Port-Type       [61]  6   Virtual              [5]
RADIUS: Service-Type        [6]   6   Framed               [2]
RADIUS: NAS-IP-Address      [4]   6   10.0.0.21
UDP: sent src=10.1.1.1(21645), dst=10.0.0.10(1645), length=109
UDP: rcvd src=10.0.0.10(1645), dst=10.1.1.1(21645), length=40
RADIUS: Received from id 21645/17 10.0.0.10:1645, Access-Accept, len 32
RADIUS: authenticator C6 99 EC 1A 47 0A 5F F2 - B8 30 4A 4C FF 4B 1D F0
RADIUS: Service-Type        [6]   6   Framed               [2]
RADIUS: Framed-Protocol     [7]   6   PPP                  [1]
RADIUS(0000001C): Received from id 21645/17
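The debug output above carries NAS-IP-Address 10.0.0.21 in a packet sent from 10.1.1.1, so a RADIUS server or log pipeline should treat attribute 4 as a label asserted by the NAS rather than as the origin of the packet. The following Python script is an added example, not Cisco code: it rebuilds the Access-Request from the fields in that output, parses the attributes with length checks, and compares attribute 4 with the UDP source address. The CHAP-Password value is masked in the output, so a constructed placeholder is used; reading 17 in "id 21645/17" as the RADIUS identifier is an assumption, and the function names are illustrative.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS = 4


def encode_attr(attr_type, value):
    """Encode one attribute: type, length (covers type+length+value), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet: 20-byte header followed by the attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, ident, [(type, value), ...]); raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, attrs


def nas_ip_address(attrs):
    """Return attribute 4 as dotted-quad text, or None if it is absent."""
    for attr_type, value in attrs:
        if attr_type == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None


def compare_with_source(data, udp_source):
    """Return (attribute 4 value, True if it differs from the UDP source address)."""
    _, _, attrs = parse_packet(data)
    claimed = nas_ip_address(attrs)
    return claimed, claimed is not None and claimed != udp_source


# Rebuilt from the debug output above. The CHAP-Password value is masked there
# ("*"), so 17 placeholder bytes (CHAP ident + 16-byte response) are used.
SAMPLE_REQUEST = build_packet(
    ACCESS_REQUEST,
    17,  # assumption: the second number in "id 21645/17" is the identifier
    bytes.fromhex("D02734C0F0C41C1B3C4708A27EE1632F"),
    [
        (7, struct.pack("!I", 1)),          # Framed-Protocol = PPP [1]
        (1, b"shashi@pepsi.com"),           # User-Name
        (3, b"\x01" + bytes(16)),           # CHAP-Password (constructed)
        (61, struct.pack("!I", 5)),         # NAS-Port-Type = Virtual [5]
        (6, struct.pack("!I", 2)),          # Service-Type = Framed [2]
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.21").packed),
    ],
)

if __name__ == "__main__":
    claimed, differs = compare_with_source(SAMPLE_REQUEST, "10.1.1.1")
    print(f"len={len(SAMPLE_REQUEST)} NAS-IP-Address={claimed} differs_from_source={differs}")
```

The rebuilt packet is 81 bytes, which matches the "len 81" in the debug output.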
Configuration Examples for RADIUS NAS-IP-Address Attribute Configurability
• Configuring a RADIUS NAS-IP-Address Attribute Configurability Example
Configuring a RADIUS NAS-IP-Address Attribute Configurability Example
The following example shows that IP address 10.0.0.21 has been configured as the RADIUS NAS-IP-Address attribute:
radius-server attribute 4 10.0.0.21
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key cisco
Additional References
The following sections provide references related to RADIUS NAS-IP-Address Attribute Configurability.
• Related Documents
• Standards
• MIBs
• RFCs
• Technical Assistance
Related Documents
Related Topic | Document Title
Configuring AAA | “Authentication, Authorization, and Accounting (AAA)” section of Cisco IOS Security Configuration Guide: Securing User Services
Configuring RADIUS | “Configuring RADIUS” module
RADIUS commands | Cisco IOS Security Command Reference
Standards
Standards | Title
No new or modified standards are supported by this feature. | --
MIBs
MIBs | MIBs Link
No new or modified MIBs are supported by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature. | --
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport
Feature Information for RADIUS NAS-IP-Address Attribute Configurability
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 22 Feature Information for RADIUS NAS-IP-Address Attribute Configurability
Feature Name: RADIUS NAS-IP-Address Attribute Configurability
Releases: 12.3(3)B 12.3(7)T 12.2(28)SB 12.2(33)SRC
Feature Information:
This feature allows an arbitrary IP address to be configured and used as RADIUS attribute 4,
NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.
This feature was introduced into Cisco IOS Release 12.3(3)B.
This feature was integrated into Cisco IOS Release 12.3(7)T.
This feature was integrated into Cisco IOS Release 12.2(28)SB.
This feature was integrated into Cisco IOS Release 12.2(33)SRC.
The radius-server attribute 4 command was introduced by this feature.
AAA Per VC QoS Policy Support
The AAA Per VC QoS Policy Support feature provides the ability to modify an existing quality of service
(QoS) profile applied to a session while that session remains active using new Cisco attribute-value (AV)
pairs that specify service policy output and service policy input.
• Finding Feature Information
• Prerequisites for AAA Per VC QoS Policy Support
• Restrictions for AAA Per VC QoS Policy Support
• Information About AAA Per VC QoS Policy Support
• Configuration Examples for AAA Per VC QoS Policy Support
• Additional References
• Feature Information for AAA Per VC QoS Policy Support
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is
supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for AAA Per VC QoS Policy Support
You should be familiar with defining policy maps for managing subscriber sessions, and with configuring
QoS traffic conditioning. See the Additional References section for information on these topics.
Restrictions for AAA Per VC QoS Policy Support
Although there are no specific restrictions for using the AAA Per VC QoS Policy Support feature, defect
report CSCef69140 describes a problem whereby in PPPoA sessions, an input service policy cannot be
applied at the ATM virtual circuit (VC) level. Instead, an input service policy, and therefore an input policy
AV pair, must be applied under interface virtual template mode.
Also, read through the configuration guidelines in the Interface Policy Map AAA Attributes section before
using the attributes described in this document.
Information About AAA Per VC QoS Policy Support
• RADIUS Push and Pull
• Interface Policy Map AAA Attributes
RADIUS Push and Pull
Cisco Systems software offers applications for the DSL aggregation market and service providers that
make powerful use of dynamic policy maps. Policy maps govern user services to be deployed in the
network and are triggered by a service or by a user--concepts referred to as push and pull. Pull refers to a
policy applied during authentication. Push refers to the dynamic change of policy on the session using a
Change of Authorization (CoA) message. Before the AAA Per VC QoS Policy Support feature introduced
in Cisco IOS Release 12.4(2)T, there was no RADIUS push and pull capability for a policy map at the
ATM VC level. RADIUS only supported dynamic bandwidth selection and virtual access interface policy
maps applied during the establishment of a PPP session. The AAA Per VC QoS Policy Support feature
provides support for RADIUS push and pull capability for a policy map at the ATM VC level.
RADIUS pull of policy maps on a VC means that a policy map can be applied on the VC while a PPP over
ATM (PPPoA) session is being established. PPPoA sessions are established between a policy server and a
routing gateway.
Service policies are applied only when a subscriber first authenticates the VC. Software creates an
identifier that is used as the session unique identifier between the router and the RADIUS server using
RADIUS Internet Engineering Task Force (IETF) attribute 44. This identifier is sent with an Access
Request message and all accounting records for that session.
RADIUS push functionality provides the ability to modify an existing QoS profile applied to a session
while that session remains active. A policy server governs the authorization of active sessions with its
ability to send a Change of Authorization (CoA) message (see the figure below). Specific events can trigger
the CoA message and allow modification of the QoS configuration. Implementation of RADIUS push
eliminates the need to preprovision subscribers, allowing QoS policies to be transparently applied where
and when required without the disruption of session reauthentication.
Figure 6 RADIUS Push
These abilities provide a high degree of flexibility, smaller configuration files, and more efficient use of
queueing resources. And perhaps more importantly, RADIUS push and pull eliminates the need to
statically configure a policy map on every VC or VLAN.
This feature is implemented by Cisco AV pairs that identify QoS policies configured on the router from a
RADIUS server by defining service policy output and service policy input. The AV pairs place the
appropriate policy map, which is identified by name, directly on the interface. The interface can be either
an ATM VC or Ethernet VLAN.
After the initial subscriber authentication and authorization process, RADIUS returns the appropriate AV name
for the policy maps to be applied at the VC and virtual-access interface level. The QoS policy maps define
the subscriber user experience for broadband service and can be leveraged to deliver higher value services
such as VoIP and video.
Interface Policy Map AAA Attributes
Two new generic Cisco RADIUS VSA attributes are introduced by the AAA Per VC QoS Policy Support
feature, as follows:
cisco-avpair = "atm:vc-qos-policy-in=in-policy-name"
cisco-avpair = "atm:vc-qos-policy-out=out-policy-name"
Use these attributes in the RADIUS server profile to define service policy output and service policy input.
The AV pairs place the appropriate policy map, which is identified by name, directly on the interface. The
interface can be either an ATM VC or Ethernet VLAN.
The AAA Per VC QoS Policy Support feature also replaces the following generic Cisco RADIUS
vendor-specific attribute (VSA) attributes:
cisco-avpair = "ip:sub-policy-In=in-policy-name"
cisco-avpair = "ip:sub-policy-Out=out-policy-name"
with the following new attributes:
cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"
cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"
The replaced attributes will be supported for several more software releases, but profiles should be updated
with the new attributes as soon as it is feasible to do so.
Remember the following guidelines as you configure these attributes:
• A policy map pulled or pushed from the RADIUS server has a higher precedence than a policy map
  configured under a permanent virtual circuit (PVC).
• The Cisco IOS show policy-map interface EXEC command will display the policy map pushed or
  pulled from the RADIUS server. This policy map is actually used by the driver, even though the policy
  map was configured using the service-policy command under PVC configuration mode.
• Once a policy map is pushed or pulled on the VC and successfully installed or updated, any
  configuration or removal of the configuration would affect only the running configuration, and not the
  driver and actual policy map used by the VC.
• You must enable dynamic bandwidth selection using the dbs enable command. Dynamic policies that
  are pulled and pushed from the RADIUS server must be specifically disabled using the no dbs enable
  command.
Configuration Examples for AAA Per VC QoS Policy Support
• RADIUS Interface Policy Map Profile Example
• Define the Policy Map on the Router Example
• Display the Service Policy Example
RADIUS Interface Policy Map Profile Example
Following is an example of a RADIUS profile defining an input service policy named test_vc:
radius subscriber 2
 vsa cisco generic 1 string "atm:vc-qos-policy-in=test_vc"
 attribute 1 string "user@cisco.com"
 attribute 44 string "00000002"
!
radius client 192.168.1.4 access-ports 1645 1645 accounting-ports 1646 1646
radius host 192.168.1.3 auth-port 1645 acct-port 1646 key 0 cisco
radius host 192.168.1.4 auth-port 1645 acct-port 1646
radius retransmit 0
radius timeout 15
radius key 0 cisco
radius server 192.168.1.4
 client 192.168.1.3 shared-secret word
Define the Policy Map on the Router Example
The following example shows the Cisco IOS commands that are used to define the service policy on the
router:
!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
 pvc 1/101
  dbs enable
  service-policy input test_vc
!
end
Display the Service Policy Example
The following example shows the report from the show policy-map interface command when the policy
map named test_vc has been pushed on PVC 1/101:
Router# show policy interface atm 4/0
ATM4/0: VC 1/101 Service-policy input: test_vc
Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Additional References
The following sections provide references related to the AAA Per VC QoS Policy Support feature.
Related Documents
Related Topic | Document Title
Service policies and policy maps | ISA Configuration Guide; ISA Command Reference
Cisco VSA attributes | Cisco IOS Security Configuration Guide
QoS traffic conditioning | Cisco IOS Quality of Service Solutions Configuration Guide; Cisco IOS Quality of Service Solutions Command Reference
Standards
Standard | Title
No new or modified standards are supported, and support for existing standards has not been modified. | --
MIBs
MIB | MIBs Link
No new or modified MIBs are supported, and support for existing MIBs has not been modified. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
No new or modified RFCs are supported, and support for existing RFCs | --
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html
Feature Information for AAA Per VC QoS Policy Support
The following table provides release information about the feature or features described in this module.
This table lists only the software release that introduced support for a given feature in a given software
release train. Unless noted otherwise, subsequent releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 23 Feature Information for AAA Per VC QoS Policy Support
Feature Name: AAA Per VC QoS Policy Support
Releases: 12.4(2)T, 12.2(33)SRE
Feature Information:
The AAA Per VC QoS Policy Support feature provides the ability to modify an existing quality of
service (QoS) profile applied to a session while that session remains active using new Cisco
attribute-value (AV) pairs that specify service policy output and service policy input.
In 12.4(2)T, this feature was introduced on the Cisco 10000.
In Cisco IOS Release 12.2(33)SRE, the AAA Per VC QoS Policy Support feature was added for the
Cisco 7600 series router.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S.
and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be
actual addresses and phone numbers. Any examples, command display output, network topology diagrams,
and other figures included in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and coincidental.