RADIUS Attributes

Available Languages

Download Options

  • PDF     (132.4 KB)
    View with Adobe Reader on a variety of devices
Updated:June 29, 2007

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

RADIUS Attributes

Table Of Contents

RADIUS Attributes

RADIUS Dictionary Attributes

Ascend Binary Attribute Support

Overview

Examples

Configuring a Local Profile

Configuring an LDAP Profile

Trace Output Before Conversion

Trace Output After Conversion


RADIUS Attributes

This appendix lists the RFC 2865 RADIUS attributes with their names and values.

RADIUS attributes carry the specific authentication, authorization information, and configuration details for requests and replies. For more information, see RFC 2865.

RADIUS Dictionary Attributes

Table C-1 lists the standard RADIUS Dictionary attributes.

Table C-1 Standard RADIUS Dictionary Attributes 

Value
Name

1

User-Name

2

User-Password

3

CHAP-Password

4

NAS-IP-Address

5

NAS-Port

6

Service-Type

7

Framed-Protocol

8

Framed-IP-Address

9

Framed-IP-Netmask

10

Framed-Routing

11

Filter-Id

12

Framed-MTU

14

Login-IP-Host

15

Login-Service

16

Login-TCP-Port

17

(unassigned)

18

Reply-Message

19

Callback-Number

20

Callback-Id

21

(unassigned)

22

Framed-Route

23

Framed-IPX-Network

24

State

25

Class

26

Vendor-Specific

27

Session-Timeout

28

Idle-Timeout

29

Termination-Action

30

Called-Station-Id

31

Calling-Station-Id

32

NAS-Identifier

33

Proxy-State

34

Login-LAT-Service

35

Login-LAT-Node

36

Login-LAT-Group

37

Framed-AppleTalk-Link

38

Framed-AppleTalk-Network

39

Framed-AppleTalk-Zone

40-59

(reserved for accounting)

60

CHAP-Challenge

61

NAS-Port-Type

61

NAS-Port-Type

62

Port-Limit

63

Login-LAT-Port


Ascend Binary Attribute Support

This section provides information about support for the Ascend binary attribute.

Overview

Cisco Access Registrar 1.6 supports Ascend-Data-Filter (Ascend attribute 242) with IP filter and generic filter type. Please refer to Ascend document for details of the data syntax. The value for Ascend-Data-Filter is in binary format. This creates some inconvenience for administrators to configuring values for this attribute.

Cisco Access Registrar 1.6 (and above) introduces an implementation-specific attribute 225 (Text-Ascend-Data-Filter). This attribute enables you to define the equivalent Ascend-Data-Filter in text format. AR converts the values of this attribute into binary format and saves them into Ascend-Data-Filter attributes. AR maintains the same order for the multiple values in Text-Ascend-Data-Filter and Ascend-Data-Filter.

The conversion occurs before any Access-Accept packet leaves AR. So the scripts inside AR only deal with Text-Ascend-Data-Filter in place of Ascend-Data-Filter during the whole process. After conversion, the Text-Ascend-Data-Filter is removed, and Ascend-Data-Filter is passed on.

For packets with Ascend-Data-Filter attributes that pass through AR, such as in proxy mode, the original Ascend-Data-Filter is untouched. If any Text-Ascend-Data-Filter attributes are added while processing packets inside AR, they are converted to Ascend-Data-Filter and appended to the original Ascend-Data-Filters right before the packet leaves the server.

Examples

Assume you want to add the following filters to a profile and pass the profile as part of the Access-Accept to the client.

Ascend-Data-Filter = ip out forward tcp dstip 10.1.1.3/16

Ascend-Data-Filter = ip out drop

Ascend-Data-Filter = generic in drop 0 ffff 0080

Ascend-Data-Filter = generic in drop 0 ffff != 0080 more

Ascend-Data-Filter = generic in drop 16 ff aa

Note Refer to Ascend reference for the filter syntax.

Configuring a Local Profile

To configure on local profile:

[ //localhost/Radius/Profiles/default-PPP-users/Attributes ]

Ascend-Idle-Limit = 1800

Framed-Compression = "VJ TCP/IP header compression"

Framed-MTU = 1500

Framed-Protocol = PPP

Framed-Routing = None

Service-Type = Framed

Text-Ascend-Data-Filter = "ip out forward tcp dstip 10.1.1.3/16"

Text-Ascend-Data-Filter = "ip out drop"

Text-Ascend-Data-Filter = "generic in drop 0 ffff 0080"

Text-Ascend-Data-Filter = "generic in drop 0 ffff != 0080 more"

Text-Ascend-Data-Filter = "generic in drop 16 ff aa"

Configuring an LDAP Profile

To configure for LDAP profile, do the following:

[ //localhost/Radius/RemoteServers/test/LDAPToRadiusMappings ]

ldap-attribute-that-contains-ascend-data-filter-in-text = Text-Ascend-Data-Filter

Trace Output Before Conversion

06/17/2000 18:12:35: P29: Trace of Access-Accept packet
06/17/2000 18:12:35: P29:    identifier = 1
06/17/2000 18:12:35: P29:    length = 60
06/17/2000 18:12:35: P29:    reqauth = 4f:93:b4:1c:0d:21:cd:4a:88:4d:e0:00:c6:12:dc:3d
06/17/2000 18:12:35: P29:    Service-Type = Framed
06/17/2000 18:12:35: P29:    Framed-Protocol = PPP
06/17/2000 18:12:35: P29:    Framed-IP-Address = 192.168.0.0
06/17/2000 18:12:35: P29:    Framed-IP-Netmask = 255.255.255.0
06/17/2000 18:12:35: P29:    Framed-Routing = None
06/17/2000 18:12:35: P29:    Framed-MTU = 1500
06/17/2000 18:12:35: P29:    Framed-Compression = VJ TCP/IP header compression
06/17/2000 18:12:35: P29:    Ascend-Idle-Limit = 1800
06/17/2000 18:12:35: P29:    Text-Ascend-Data-Filter = ip out forward tcp dstip 10.1.1.3/16
06/17/2000 18:12:35: P29:    Text-Ascend-Data-Filter = ip out drop
06/17/2000 18:12:35: P29:    Text-Ascend-Data-Filter = generic in drop 0 ffff 0080
06/17/2000 18:12:35: P29:    Text-Ascend-Data-Filter = generic in drop 0 ffff != 0080 more
06/17/2000 18:12:35: P29:    Text-Ascend-Data-Filter = generic in drop 16 ffaa

Trace Output After Conversion

06/17/2000 18:12:35: P29: Trace of Access-Accept packet
06/17/2000 18:12:35: P29: identifier = 1
06/17/2000 18:12:35: P29: length = 60
06/17/2000 18:12:35: P29: reqauth = 4f:93:b4:1c:0d:21:cd:4a:88:4d:e0:00:c6:12:dc:3d
06/17/2000 18:12:35: P29: Service-Type = Framed
06/17/2000 18:12:35: P29: Framed-Protocol = PPP
06/17/2000 18:12:35: P29: Framed-IP-Address = 192.168.0.0
06/17/2000 18:12:35: P29: Framed-IP-Netmask = 255.255.255.0
06/17/2000 18:12:35: P29: Framed-Routing = None
06/17/2000 18:12:35: P29: Framed-MTU = 1500
06/17/2000 18:12:35: P29: Framed-Compression = VJ TCP/IP header compression
06/17/2000 18:12:35: P29: Ascend-Idle-Limit = 1800
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 01:01:00:00:00:00:00:00:0a:01:
01:03:00:10:06:00:00:00:00:00:00:00:00:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 01:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:00:00:00:00:00:00:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 00:00:01:00:00:00:00:02:00:00:
ff:ff:00:00:00:00:00:80:00:00:00:00:00:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 00:00:01:00:00:00:00:02:00:01:
ff:ff:00:00:00:00:00:80:00:00:00:00:01:00
06/17/2000 18:12:35: P29: Ascend-Data-Filter = 00:00:01:00:00:10:00:01:00:00:
ff:00:00:00:00:00:aa:00:00:00:00:00:00:00

Was this Document Helpful?

FeedbackFeedback

Contact Cisco