Access-Hours |
Y |
Y |
Y |
String |
Single |
Name of the time-range
(for example, Business-Hours)
|
Allow-Network-Extension-Mode |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
Authenticated-User-Idle-Timeout |
Y |
Y |
Y |
Integer |
Single |
1 - 35791394 minutes |
Authorization-Required |
Y |
|
|
Integer |
Single |
0 = No
1 = Yes
|
Authorization-Type |
Y |
|
|
Integer |
Single |
0 = None
1 = RADIUS
2 = LDAP
|
Banner1 |
Y |
Y |
Y |
String |
Single |
Banner string for clientless and client SSL VPN, and IPsec clients. |
Banner2 |
Y |
Y |
Y |
String |
Single |
Banner string for clientless and client SSL VPN, and IPsec clients. |
Cisco-AV-Pair |
Y |
Y |
Y |
String |
Multi |
An octet string in the following format:
[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log]
[Operator] [Port]
For more information, see the “Cisco AV Pair Attribute Syntax” section.
|
Cisco-IP-Phone-Bypass |
Y |
Y |
Y |
Integer |
Single |
0 = Disabled
1 = Enabled
|
Cisco-LEAP-Bypass |
Y |
Y |
Y |
Integer |
Single |
0 = Disabled
1 = Enabled
|
Client-Intercept-DHCP-Configure-Msg |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
Client-Type-Version-Limiting |
Y |
Y |
Y |
String |
Single |
IPsec VPN client version number string |
Confidence-Interval |
Y |
Y |
Y |
Integer |
Single |
10 - 300 seconds |
DHCP-Network-Scope |
Y |
Y |
Y |
String |
Single |
IP address |
DN-Field |
Y |
Y |
Y |
String |
Single |
Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, and use-entire-name. |
Firewall-ACL-In |
|
Y |
Y |
String |
Single |
Access list ID
|
Firewall-ACL-Out |
|
Y |
Y |
String |
Single |
Access list ID
|
Group-Policy |
|
Y |
Y |
String |
Single |
Sets the group policy for the remote access VPN session. For version 8.2 and later, use this attribute instead of IETF-Radius-Class.
You can use one of the three following formats:
- group policy name
- OU= group policy name
- OU= group policy name :
|
IE-Proxy-Bypass-Local |
|
|
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
IE-Proxy-Exception-List |
|
|
|
String |
Single |
A list of DNS domains. Entries must be separated by the new line character sequence (\n).
|
IE-Proxy-Method |
Y |
Y |
Y |
Integer |
Single |
1 = Do not modify proxy settings
2 = Do not use proxy
3 = Auto detect
4 = Use ASA setting
|
IE-Proxy-Server |
Y |
Y |
Y |
Integer |
Single |
IP address |
IETF-Radius-Class |
Y |
Y |
Y |
|
Single |
Sets the group policy for the remote access VPN session. For version 8.2 and later, use this attribute instead of IETF-Radius-Class.
You can use one of the three following formats:
- group policy name
- OU= group policy name
- OU= group policy name :
|
IETF-Radius-Filter-Id |
Y |
Y |
Y |
String |
Single |
Access list name that is defined on the ASA. The setting applies to VPN remote access IPsec and SSL VPN clients. |
IETF-Radius-Framed-IP-Address |
Y |
Y |
Y |
String |
Single |
An IP address. The setting applies to VPN remote access IPsec and SSL VPN clients.
|
IETF-Radius-Framed-IP-Netmask |
Y |
Y |
Y |
String |
Single |
An IP address mask. The setting applies to VPN remote access IPsec and SSL VPN clients.
|
IETF-Radius-Idle-Timeout |
Y |
Y |
Y |
Integer |
Single |
Seconds |
IETF-Radius-Service-Type |
Y |
Y |
Y |
Integer |
Single |
1 = Login
2 = Framed
5 = Remote access
6 = Administrative
7 = NAS prompt
|
IETF-Radius-Session-Timeout |
Y |
Y |
Y |
Integer |
Single |
Seconds |
IKE-Keep-Alives |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
IPsec-Allow-Passwd-Store |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
IPsec-Authentication |
Y |
Y |
Y |
Integer |
Single |
0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI (RSA)
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos or Active Directory
|
IPsec-Auth-On-Rekey |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
IPsec-Backup-Server-List |
Y |
Y |
Y |
String |
Single |
Server addresses (space delimited)
|
IPsec-Backup-Servers |
Y |
Y |
Y |
String |
Single |
1 = Use client-configured list
2 = Disabled and clear client list
3 = Use backup server list
|
IPsec-Client-Firewall-Filter-Name |
Y |
|
|
String |
Single |
Specifies the name of the filter to be pushed to the client as firewall policy.
|
IPsec-Client-Firewall-Filter-Optional |
Y |
Y |
Y |
Integer |
Single |
0 = Required
1 = Optional
|
IPsec-Default-Domain |
Y |
Y |
Y |
String |
Single |
Specifies the single default domain name to send to the client (1 - 255 characters).
|
IPsec-Extended-Auth-On-Rekey |
|
Y |
Y |
String |
Single |
String
|
IPsec-IKE-Peer-ID-Check |
Y |
Y |
Y |
Integer |
Single |
1 = Required
2 = If supported by peer certificate
3 = Do not check
|
IPsec-IP-Compression |
Y |
Y |
Y |
Integer |
Single |
0 = Disabled
1 = Enabled
|
IPsec-Mode-Config |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
IPsec-Over-UDP |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
IPsec-Over-UDP-Port |
Y |
Y |
Y |
Integer |
Single |
4001 - 49151. The default is 10000.
|
IPsec-Required-Client-Firewall-Capability |
Y |
Y |
Y |
Integer |
Single |
0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server
|
IPsec-Sec-Association |
Y |
|
|
String |
Single |
Name of the security association |
IPsec-Split-DNS-Names |
Y |
Y |
Y |
String |
Single |
Specifies the list of secondary domain names to send to the client (1 - 255 characters).
|
IPsec-Split-Tunneling-Policy |
Y |
Y |
Y |
Integer |
Single |
0 = Tunnel everything
1 = Split tunneling
2 = Local LAN permitted
|
IPsec-Split-Tunnel-List |
Y |
Y |
Y |
String |
Single |
Specifies the name of the network or access list that describes the split tunnel inclusion list.
|
IPsec-Tunnel-Type |
Y |
Y |
Y |
Integer |
Single |
1 = LAN-to-LAN
2 = Remote access
|
L2TP-Encryption |
Y |
|
|
Integer |
Single |
Bitmap:
1 = Encryption required
2 = 40 bit
4 = 128 bits
8 = Stateless-Req
15 = 40/128-Encr/Stateless-Req
|
L2TP-MPPC-Compression |
Y |
|
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
MS-Client-Subnet-Mask |
Y |
Y |
Y |
String |
Single |
An IP address |
PFS-Required |
Y |
Y |
Y |
Boolean |
Single |
0 = No
1 = Yes
|
Port-Forwarding-Name |
Y |
Y |
|
String |
Single |
Name string (for example, “Corporate-Apps”)
|
PPTP-Encryption |
Y |
|
|
Integer |
Single |
Bitmap:
1 = Encryption required
2 = 40 bit
4 = 128 bits
8 = Stateless-Req
Example:
15 = 40/128-Encr/Stateless-Req
|
PPTP-MPPC-Compression |
Y |
|
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
Primary-DNS |
Y |
Y |
Y |
String |
Single |
An IP address
|
Primary-WINS |
Y |
Y |
Y |
String |
Single |
An IP address
|
Privilege-Level |
|
|
|
Integer |
Single |
For usernames, 0 - 15
|
Required-Client-Firewall-Vendor-Code |
Y |
Y |
Y |
Integer |
Single |
1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)
|
Required-Client-Firewall-Description |
Y |
Y |
Y |
String |
Single |
—
|
Required-Client-Firewall-Product-Code |
Y |
Y |
Y |
Integer |
Single |
Cisco Systems Products:
1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)
Zone Labs Products:
1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity
NetworkICE Product:
1 = BlackIce Defender/Agent
Sygate Products:
1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent
|
Require-HW-Client-Auth |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
Require-Individual-User-Auth |
Y |
Y |
Y |
Integer |
Single |
0 = Disabled
1 = Enabled
|
Secondary-DNS |
Y |
Y |
Y |
String |
Single |
An IP address
|
Secondary-WINS |
Y |
Y |
Y |
String |
Single |
An IP address
|
SEP-Card-Assignment |
|
|
|
Integer |
Single |
Not used
|
Simultaneous-Logins |
Y |
Y |
Y |
Integer |
Single |
0 - 2147483647
|
Strip-Realm |
Y |
Y |
Y |
Boolean |
Single |
0 = Disabled
1 = Enabled
|
TACACS-Authtype |
Y |
Y |
Y |
Integer |
Single |
—
|
TACACS-Privilege-Level |
Y |
Y |
Y |
Integer |
Single |
—
|
Tunnel-Group-Lock |
|
Y |
Y |
String |
Single |
Name of the tunnel group or “none”
|
Tunneling-Protocols |
Y |
Y |
Y |
Integer |
Single |
1 = PPTP
2 = L2TP
4 = IPSec (IKEv1)
8 = L2TP/IPSec
16 = WebVPN
32 = SVC
64 = IPsec (IKEv2)
8 and 4 are mutually exclusive
(0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values).
|
Use-Client-Address |
Y |
|
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
User-Auth-Server-Name |
Y |
|
|
String |
Single |
IP address or hostname
|
User-Auth-Server-Port |
Y |
Y |
Y |
Integer |
Single |
Port number for server protocol
|
User-Auth-Server-Secret |
Y |
|
|
String |
Single |
Server password
|
WebVPN-ACL-Filters |
|
Y |
|
String |
Single |
Webtype access list name
|
WebVPN-Apply-ACL-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
With Version 8.0 and later, this attribute is not required.
|
WebVPN-Citrix-Support-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
With Version 8.0 and later, this attribute is not required.
|
WebVPN-Enable-functions |
|
|
|
Integer |
Single |
Not used - deprecated |
WebVPN-Exchange-Server-Address |
|
|
|
String |
Single |
Not used - deprecated |
WebVPN-Exchange-Server-NETBIOS-Name |
|
|
|
String |
Single |
Not used - deprecated |
WebVPN-File-Access-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-File-Server-Browsing-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-File-Server-Entry-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-Forwarded-Ports |
|
Y |
|
String |
Single |
Port-forward list name
|
WebVPN-Homepage |
Y |
Y |
|
String |
Single |
A URL such as http://www.example.com
|
WebVPN-Macro-Substitution-Value1 |
Y |
Y |
|
String |
Single |
See the SSL VPN Deployment Guide for examples at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html
|
WebVPN-Macro-Substitution-Value2 |
Y |
Y |
|
String |
Single |
See the SSL VPN Deployment Guide for examples at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html
|
WebVPN-Port-Forwarding-Auto-Download-Enable |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-Port-Forwarding-Enable |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-Port-Forwarding-Exchange-Proxy-Enable |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-Port-Forwarding-HTTP-Proxy-Enable |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-Single-Sign-On-Server-Name |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-SVC-Client-DPD |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-SVC-Compression |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-SVC-Enable |
Y |
Y |
|
Boolean |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-SVC-Gateway-DPD |
Y |
Y |
|
Integer |
Single |
0 = Disabled
n = Dead peer detection value in seconds (30 - 3600)
|
WebVPN-SVC-Keepalive |
Y |
Y |
|
Integer |
Single |
0 = Disabled
n = Keepalive value in seconds (15 - 600)
|
WebVPN-SVC-Keep-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-SVC-Rekey-Method |
Y |
Y |
|
Integer |
Single |
0 = None
1 = SSL
2 = New tunnel
3 = Any (sets to SSL)
|
WebVPN-SVC-Rekey-Period |
Y |
Y |
|
Integer |
Single |
0 = Disabled
n = Retry period in minutes
(4 - 10080)
|
WebVPN-SVC-Required-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-URL-Entry-Enable |
Y |
Y |
|
Integer |
Single |
0 = Disabled
1 = Enabled
|
WebVPN-URL-List |
|
Y |
|
String |
Single |
URL list name |
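
An added example, not part of the original reference: decoding a Tunneling-Protocols value read from a directory entry and checking it against the table's rule that 8 and 4 are mutually exclusive, plus a local allow-list of protocols. The DNs, sample values and allow-list are constructed, and treating 64 as a settable flag is an assumption, since the table's legal ranges stop at 59.

```python
# Flag values copied from the Tunneling-Protocols row of the table above.
PROTOCOL_BITS = {
    1: "PPTP", 2: "L2TP", 4: "IPSec (IKEv1)", 8: "L2TP/IPSec",
    16: "WebVPN", 32: "SVC", 64: "IPsec (IKEv2)",
}
KNOWN_MASK = sum(PROTOCOL_BITS)  # every bit the table defines


def decode_tunneling_protocols(raw):
    """Return (protocol_names, problems) for one attribute value."""
    if isinstance(raw, bytes):  # LDAP libraries commonly return bytes
        raw = raw.decode("ascii", "replace")
    try:
        value = int(str(raw).strip())
    except ValueError:
        return [], [f"not an integer: {raw!r}"]
    if value < 0:
        return [], [f"negative value: {value}"]
    names = [name for bit, name in PROTOCOL_BITS.items() if value & bit]
    problems = []
    if value & ~KNOWN_MASK:
        problems.append(f"undefined bits set: {value & ~KNOWN_MASK}")
    if value & 4 and value & 8:
        problems.append("4 and 8 are mutually exclusive")
    return names, problems


def audit(entries, allowed):
    """Map DN -> findings: invalid values, or protocols outside `allowed`."""
    findings = {}
    for dn, raw in entries.items():
        names, problems = decode_tunneling_protocols(raw)
        extra = [n for n in names if n not in allowed]
        if extra:
            problems.append("not permitted by policy: " + ", ".join(extra))
        if problems:
            findings[dn] = problems
    return findings


# Constructed sample data: DNs, values and the policy are hypothetical.
SAMPLE_ENTRIES = {
    "cn=alice,ou=vpn,dc=example,dc=com": "32",
    "cn=bob,ou=vpn,dc=example,dc=com": "20",
    "cn=carol,ou=vpn,dc=example,dc=com": "12",
    "cn=dave,ou=vpn,dc=example,dc=com": "sixteen",
}

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_ENTRIES, {"SVC", "IPsec (IKEv2)"}).items():
        print(dn, "->", "; ".join(problems))
```

For values below 64, the set this check accepts is exactly the legal ranges the table lists (0 - 11, 16 - 27, 32 - 43, 48 - 59).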