Appendix: FlexVPN RADIUS Attributes

This chapter describes the RADIUS attributes supported by FlexVPN server.

FlexVPN RADIUS Attributes

The following are the RADIUS attributes categories used by FlexVPN Server:

  • Inbound and bidirectional IETF RADIUS attributes

  • Outbound Local

  • Outbound Remote


Note


For inbound attributes sent by the FlexVPN server to RADIUS that are not listed below, the value is set by the AAA system.


Attribute

User-Name

Type

IETF

Format

String

Attribute ID

1

Description

This attribute is sent by the FlexVPN server to Radius and is derived as follows:

  • AAA based preshared keys—Peer IKEv2 identity

  • EAP authentication—Peer EAP identity

  • User or group authorization—Output of the name mangler or the string specified in the IKEv2 profile authorization commands

  • Accounting—Peer EAP identity or IKEv2 identity

This attribute may also be received from Radius in Access-Accept after successful EAP authentication and specifies the authenticated peer EAP identity.

Attribute

User-Password

Type

IETF

Format

String

Attribute ID

2

Description

This attribute is sent by the FlexVPN server to RADIUS and is derived as follows:

  • AAA based preshared keys—“cisco”

  • User/group authorization—“cisco”

Attribute

Calling-Station-ID

Type

IETF

Format

String

Attribute ID

31

Description

This attribute is sent by FlexVPN server to RADIUS and is derived as follows:

  • AAA based pre-shared keys—IKEv2 initiator address

  • EAP authentication—IKEv2 initiator address

  • User/group authorization—IKEv2 initiator address

Attribute

Service-Type

Type

IETF

Format

String

Attribute ID

6

Description

This attribute is used by FlexVPN server for EAP authentication and the value of this attribute is set to ‘Login’.

Attribute

EAP-Message

Type

IETF

Format

String

Attribute ID

79

Description

This attribute is used by FlexVPN server for EAP authentication to relay EAP packets between EAP server and the Remote Access Client.

Attribute

Message-Authenticator

Type

IETF

Format

String

Attribute ID

80

Description

This attribute is sent by FlexVPN server for EAP authentication. The value for this attribute is set by AAA subsystem.

Attribute

Framed-Pool

Type

IETF

Format

String

Attribute ID

88

Local config

pool name

Radius config

Framed-Pool=pool-name

Description

Specifies the name of IPv4 address pool that is used by FlexVPN server to allocate the IPv4 address to assign to the client. The allocated address is pushed to client via IKEv2 standard config attribute INTERNAL_IP4_ADDRESS.

Attribute

ipsec:group-dhcp-server

Type

Cisco AV Pair

Format

String

Local config

dhcp server {ipddr | host}

Radius config

cisco-avpair=“ipsec: group-dhcp-server=ipaddr

Description

Specifies the IPv4 DHCP server that is used by FlexVPN server to lease IPv4 address to assign to the client. The leased address is pushed to client via IKEv2 standard config attribute INTERNAL_IP4_ADDRESS.

Attribute

ipsec:dhcp-giaddr

Type

Cisco AV Pair

Format

IPaddr

Local config

dhcp giaddr ipaddr

Radius config

cisco-avpair=“psec: dhcp-giaddr=ipaddr

Description

Specifies the IPv4 DHCP gateway IP address that is used by FlexVPN server to contact the DCHP server.

Attribute

ipsec:dhcp-timeout

Type

Cisco AV Pair

Format

Integer

Local config

dhcp timeout seconds

Radius config

cisco-avpair=“ipsec:dhcp-timeout=seconds

Description

Specifies the time to wait for response from IPv4 DHCP server that is used by FlexVPN server to timeout response from the DHCP server.

Attribute

ipsec:ipv6-addr-pool

Type

Cisco AV Pair

Format

String

Local config

ipv6 pool name

Radius config

cisco-avpair=“ipsec:ipv6-addr-pool=pool-name

Description

Specifies the name of IPv6 address pool used by FlexVPN server to allocate the IPv6 address to assign to the client. The allocated address is pushed to the client via IKEv2 standard config attribute INTERNAL_IP6_ADDRESS.

Attribute

ipsec:route-set=prefix

Type

Cisco AV Pair

Format

String

Local config

N/A

Radius config

cisco-avpair=“ipsec:route-set=prefix prefix/length

Example

ipsec:route-set=prefix 192.168.1.0/24

Description

Specifies a subnet protected by FlexVPN server. This is pushed to the client via IKEv2 standard configuration attribute INTERNAL_IP4_SUBNET.

Note   

This AV pair was introduced in Cisco IOS Release 15.2(2)T.

Attribute

ipsec:route-set=interface

Type

Cisco AV Pair

Format

String

Local config

route set interface

Radius config

cisco-avpair=“ipsec:route-set=interface”

Description

This attribute is used locally and enables sending of VPN interface IP address to the peer via IKEv2 standard config attribute INTERNAL_IP4_SUBNET. This allows running routing protocols such as BGP over VPN.

Note   

In Cisco IOS Release 15.2(2)T, this AV pair replaced the “ipsec:route-set-interface” AV pair.

Attribute

ipsec:route-accept

Type

Cisco AV Pair

Format

String

Local config

route accept any [tag tag-id] [distance distance]

Radius config

cisco-avpair=“ipsec:route-accept=any [tag:tag] [distance:distance]”

Example

ipsec:route-accept=any tag=100

Description

This attribute is used locally and specifies the filter for the subnets received from the peer via IKEv2 standard config attribute INTERNAL_IP4_SUBNET. The attribute also specifies the tag and distance for the routes added by IKEv2 for the filtered subnets.

Note   

In Cisco IOS Release 15.2(2)T, the AV pair “ipsec:route-accept=any” replaced “ipsec:route-accept=accept acl:any” and the AV pair “ipsec:route-accept=none” replaced “ipsec:route-accept=deny”.

Attribute

ipsec:ipsec-flow-limit

Type

Cisco AV Pair

Format

Integer

Local config

ipsec flow-limit limit

Radius config

cisco-avpair=“ipsec:ipsec-flow-limit=limit

Description

This attribute is used by FlexVPN server and specifies the maximum number of IPsec SAs that an IPSec dVTI session can have. There is no limit by default. This parameter is similar to the crypto ipsec profile and set security-policy limit commands.

Attribute

ip:interface-config

Type

Cisco AV Pair

Format

String

Local config

aaa attribute list list

attribute type interface-config string

Radius config

cisco-avpair=“ip:interface-config=interface cmd string”

Example

ip:interface-config=ip vrf forwarding red

Description

This attribute is used locally and specifies an interface configuration mode command string that is applied on the virtual access interface for the session. For local configuration, the IKEv2 authorization policy points to an AAA attribute list that must have interface-config attribute.

Attribute

Tunnel-Type

Type

IETF

Format

Integer

Attribute ID

64

Radius config

Tunnel-Type=type

Description

This attribute specifies the tunnel type (ESP, AH, GRE, etc.) and is received when FlexVPN server fetches preshared key for the session from RADIUS server.

Attribute

Tunnel-Medium-Type

Type

IETF

Format

Integer

Attribute ID

65,

Radius config

Tunnel-Medium-Type=type

Description

This attribute specifies the tunnel transport type (IPv4, IPv6, etc.) and is received when FlexVPN server fetches preshared key for the session from the RADIUS server.

Attribute

Tunnel-Password

Type

IETF

Format

String

Attribute ID

69

Radius config

Tunnel-Password=string

Description

This attribute specifies the symmetric preshared key and is received when FlexVPN server fetches preshared key for the session from RADIUS server.

Attribute

ipsec:ikev2-password-local

Type

Cisco AV Pair

Format

String

Radius config

cisco-avpair=“ipsec:ikev2-password-local=string

Description

This attribute specifies the local preshared key and is received when FlexVPN server fetches preshared key for the session from RADIUS server.

Attribute

ipsec:ikev2-password-remote

Type

Cisco AV Pair

Format

String

Radius config

cisco-avpair=“ipsec:ikev2-password-remote=string

Description

This attribute specifies the remote preshared key and is received when FlexVPN server fetches preshared key for the session from RADIUS server.

Attribute

Framed-IP-Address

Type

IETF

Format

IPaddr

Attribute ID

8

Radius config

Framed-IP-Address=ipaddr

Description

Specifies IPv4 address assigned to the client. This is pushed to the client via IKEv2 standard configuration attribute INTERNAL_IP4_ADDRESS.

Attribute

Framed-IP-Netmask

Type

IETF

Format

IPaddr

Attribute ID

9

Local config

netmask mask

Radius config

Framed-IP-Netmask=mask

Description

Specifies the subnet mask of the IPv4 address assigned to the client. This is pushed to client via IKEv2 standard configuration attribute INTERNAL_IP4_NETMASK.

Attribute

ipsec:dns-servers

Type

Cisco AV Pair

Format

String

Local config

dns primary [secondary]

Radius config

cisco-avpair=“ipsec:dns-servers=primary secondary

Description

Specifies the primary and secondary IPv4 DNS servers for the client. This is pushed to the client via IKEv2 standard config attribute INTERNAL_IP4_DNS.

Attribute

ipsec:wins-servers

Type

Cisco AV Pair

Format

String

Local config

wins primary [secondary]

Radius config

cisco-avpair=“ipsec:wins-servers=primary secondary

Description

Specifies the primary and secondary IPv4 WINS servers for the client. This is pushed to the client via IKEv2 standard configuration attribute INTERNAL_IP4_NBNS.

Attribute

ipsec:route-set=access-list

Type

Cisco AV Pair

Format

String

Local config

route set access-list {acl-name | acl-number}

Radius config

cisco-avpair=“ipsec:route-set=access-list {acl-name | acl-number}”

Description

Specifies the IPv4 subnets protected by FlexVPN server. This is pushed to the client via IKEv2 standard configuration attribute INTERNAL_IP4_SUBNET.

Note   

In Cisco IOS Release 15.2(2)T, this AV pair replaced the “ipsec:inacl” AV pair.

Attribute

ipsec:addrv6

Type

Cisco AV Pair

Format

String

Radius config

cisco-avpair=“ipsec:addrv6=ipv6-addr

Description

Specifies the IPv6 address assigned to the client. This is pushed to client via IKEv2 standard configuration attribute INTERNAL_IP6_ADDRESS in the first 16 bytes.

Attribute

ipsec:prefix-len

Type

Cisco AV Pair

Format

Integer

Local config

N/A

Radius config

cisco-avpair=“ipsec:prefix-len=value

Example

ipsec:prefix-len=24

Description

Specifies the prefix length of the IPv6 address assigned to the client. This is pushed to client via IKEv2 standard configuration attribute INTERNAL_IP6_ADDRESS in the last (17th) byte.

Attribute

ipsec:ipv6-dns-servers-addr

Type

Cisco AV Pair

Format

String

Local config

ipv6 dns primary [secondary]

Radius config

cisco-avpair=“ipsec: ipv6-dns-servers-addr=ipaddr1 *ipaddr2”

Description

Specifies the primary and secondary IPv6 DNS servers for the client. This is pushed to the client via IKEv2 standard configuration attribute INTERNAL_IP6_DNS.

Attribute

ipsec:route-set=access-list ipv6

Type

Cisco AV Pair

Format

String

Local config

route set access-list ipv6 acl-name

Radius config

cisco-avpair=“ipsec:route-set=access-list ipv6 acl-name

Description

Specifies IPv6 subnets protected by the FlexVPN server. This is pushed to the client via IKEv2 standard configuration attribute INTERNAL_IP6_SUBNET.

Note   

In Cisco IOS Release 15.2(2)T, this AV pair replaced the “ ipsec:ipv6-subnet-acl” AV pair.

Attribute

ipsec:banner

Type

Cisco AV Pair

Format

String

Local config

banner text

Radius config

cisco-avpair=“ipsec:banner=text

Description

Specifies the banner text. This is pushed to the client via Cisco Unity attribute MODECFG_BANNER.

Attribute

ipsec:default-domain

Type

Cisco AV Pair

Format

String

Local config

def-domain name

Radius config

cisco-avpair=“ipsec:default-domain=name

Description

Specifies the default domain. This is pushed to the client via Cisco Unity attribute MODECFG_DEFDOMAIN.

Attribute

ipsec:split-dns

Type

Cisco AV Pair

Format

String

Local config

split-dns name

Radius config

cisco-avpair=“ipsec:split-dns=name”

Description

Specifies the split DNS name. This is pushed to the client via Cisco Unity attribute MODECFG_SPLITDNS_NAME. You can configure up to 10 split DNS names.

Attribute

ipsec:ipsec-backup-gateway

Type

Cisco AV Pair

Format

String

Local config

backup-gateway name

Radius config

cisco-avpair=“ipsec:ipsec-backup-gateway=name

Description

Specifies the backup gateway. This is pushed to the client via Cisco Unity attribute MODECFG_BACKUPSERVERS. You can configure up to 10 backup gateways.

Attribute

ipsec:pfs

Type

Cisco AV Pair

Format

Integer

Local config

pfs

Radius config

cisco-avpair=“ipsec:pfs=value

Description

Specifies IPsec PFS (Perfect Forward Secrecy) enable/disable. This is pushed to the client via Cisco Unity attribute MODECFG_PFS. The value must be 0 to disable and 1 to enable.

Attribute

ipsec:include-local-lan

Type

Cisco AV Pair

Format

Integer

Local config

include-local-lan

Radius config

cisco-avpair=“ipsec:include-local-lan=value

Description

Enables or disables include local LAN. This is pushed to the client via Cisco Unity attribute MODECFG_INCLUDE_LOCAL_LAN. The value must be 0 to disable and 1 to enable.

Attribute

ipsec:smartcard-removal-disconnect

Type

Cisco AV Pair

Format

Integer

Local config

smartcard-removal-disconnect

Radius config

cisco-avpair=“ipsec:smartcard-removal-disconnect =value

Description

Enables or disables smartcard removal disconnect. This is pushed to the client via Cisco Unity attribute MODECFG_SMARTCARD_REMOVAL_DISCONNECT. The value must be 0 to disable and 1 to enable.

Attribute

ipsec:configuration-url

Type

Cisco AV Pair

Format

String

Local config

configuration url url

Radius config

cisco-avpair=“ipsec:configuration-url=url

Description

Specifies the URL for configuration download. This is pushed to the client via Cisco FlexVPN attribute MODECFG_CONFIG_URL.

Attribute

ipsec:configuration-version

Type

Cisco AV Pair

Format

Integer

Local config

configuration version version

Radius config

cisco-avpair=“ipsec:configuration-version=version

Description

Specifies the version of the configuration to download. This is pushed to the client via Cisco FlexVPN attribute MODECFG_CONFIG_VERSION.