Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This appendix describes the following types of RADIUS attributes supported in Broadband Network Gateway (BNG):

- RADIUS IETF Attributes, page 1
- RADIUS Vendor-Specific Attributes, page 3
- RADIUS ADSL Attributes, page 8
- RADIUS ASCEND Attributes, page 9
- RADIUS Microsoft Attributes, page 9
- RADIUS Disconnect-Cause Attributes, page 10

RADIUS IETF Attributes

IETF Attributes Versus VSAs

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known; thus all clients and servers who exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.

RADIUS vendor-specific attributes (VSAs) are derived from one IETF attribute, Vendor-Specific (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes however they wish. That is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26; thus, the newly created attribute is accepted if the user accepts attribute 26.

Table 1: Supported RADIUS IETF Attributes

IETF Attribute                    Number
Acct-Authentic                    45
Acct-Delay-Time                   41
Acct-Input-Giga-Words             52
Acct-Input-Octets                 42
Acct-Input-Packets                47
Acct-Interim-Interval             85
Acct-Link-Count                   51
Acct-Output-Giga-Words            53
Acct-Output-Octets                43
Acct-Output-Packets               48
Acct-Session-Time                 46
Acct-Status-Type                  40
Acct-Terminate-Cause              49
CHAP-Challenge                    40
CHAP-Password                     3
Dynamic-Author-Error-Cause        101
Event-Timestamp                   55
Filter-Id                         11
Framed-Protocol                   7
Framed-IP-Address                 8
Framed-Route                      22
login-ip-addr-host                14
Multilink-Session-ID              50
Nas-Identifier                    32
NAS-IP-Address                    4
NAS-Port                          5
Reply-Message                     18
Service-Type                      6
Tunnel-Assignment-Id              32
Tunnel-Packets-Lost               86
X-Ascend-Client-Primary-DNS       135
X-Ascend-Client-Secondary-DNS     136
NAS-IPv6-Address                  95
Delegated-IPv6-Prefix             123
Stateful-IPv6-Address-Pool        123
Framed-IPv6-Prefix                97
Framed-Interface-Id               96
Framed-IPv6-Pool                  100
Framed-IPv6-Route                 99
login-ip-addr-host                98

RADIUS Vendor-Specific Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor-specific attributes, thereby allowing vendors to support their own extended attributes otherwise not suitable for general use.

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-id is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of this format:

protocol : attribute sep value

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, and OUTBOUND. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

If you insert an "*", the AV pair "ip:addr-pool=first" becomes optional. Note that any AV pair can be made optional:

cisco-avpair= "ip:addr-pool*first"

The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:

cisco-avpair= "shell:priv-lvl=5"

Attribute 26 contains these three elements:

- Type
- Length
- String (also known as data), which is made up of:
  - Vendor-ID
  - Vendor-Type
  - Vendor-Length
  - Vendor-Data
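The following is an added example, not code from the Cisco guide: it packs one cisco-avpair into an attribute 26 with the element layout just listed (vendor-id 9, vendor-type 1) and unpacks it back into protocol, attribute, value and the mandatory/optional flag carried by "sep". It assumes the RFC 2865 field widths (1-byte Type and Length, 4-byte Vendor-ID, 1-byte Vendor-Type and Vendor-Length); the function names are the example's own.

```python
import struct

VENDOR_SPECIFIC = 26      # IETF attribute 26 (Vendor-Specific)
CISCO_VENDOR_ID = 9       # Cisco's vendor-id, as stated on the page
CISCO_AVPAIR_TYPE = 1     # vendor-type 1 is named "cisco-avpair"


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute.

    Layout: Type | Length | Vendor-ID | Vendor-Type | Vendor-Length | Vendor-Data
    """
    data = avpair.encode("ascii")
    vendor_len = 2 + len(data)          # Vendor-Type + Vendor-Length + Vendor-Data
    total_len = 6 + vendor_len          # Type + Length + Vendor-ID + vendor part
    if total_len > 255:                 # Length is a single byte
        raise ValueError("cisco-avpair too long for one attribute 26")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, vendor_len)
    return header + data


def decode_cisco_avpair(attr: bytes) -> dict:
    """Validate an attribute 26 and split its cisco-avpair into its parts.

    "sep" is "=" for a mandatory AV pair and "*" for an optional one; the first
    "=" or "*" after the protocol is the separator, so values may contain "=".
    """
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", attr[2:8])
    if vendor_id != CISCO_VENDOR_ID or vendor_type != CISCO_AVPAIR_TYPE:
        raise ValueError("not a cisco-avpair (vendor-id 9, vendor-type 1)")
    if vendor_len != len(attr) - 6:
        raise ValueError("Vendor-Length does not match attribute Length")
    text = attr[8:].decode("ascii")
    protocol, _, rest = text.partition(":")
    sep_at = min((i for i, c in enumerate(rest) if c in "=*"), default=-1)
    if not protocol or sep_at <= 0:
        raise ValueError(f"malformed cisco-avpair: {text!r}")
    return {"protocol": protocol, "attribute": rest[:sep_at],
            "value": rest[sep_at + 1:], "mandatory": rest[sep_at] == "="}


if __name__ == "__main__":
    wire = encode_cisco_avpair("ip:addr-pool=first")   # the page's first example
    print(wire.hex(), decode_cisco_avpair(wire))
```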
Note: It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as Vendor-Data) is dependent on the vendor's definition of that attribute.

Table 2: Supported Cisco Vendor-Specific Attributes

Attribute                                   Present in AAA message type
access-loop-encapsulation
accounting-list                             CoA
acct-input-gigawords-ipv4
acct-input-octets-ipv4
acct-input-packets-ipv4
acct-input-gigawords-ipv6
acct-input-octets-ipv6
acct-input-packets-ipv6
acct-output-gigawords-ipv4
acct-output-octets-ipv4
acct-output-packets-ipv4
acct-output-gigawords-ipv6
acct-output-octets-ipv6
acct-output-packets-ipv6
acct-policy-in                              Access-request
acct-policy-map                             Access-request
acct-policy-out                             Access-request
actual-data-rate-downstream
actual-data-rate-upstream
actual-interleaving-delay-downstream
actual-interleaving-delay-upstream
addr-pool                                   Note: This is for IPv4 subscribers.
addrv6
attainable-data-rate-downstream
attainable-data-rate-upstream
circuit-id-tag
cisco-nas-port 2
client-mac-address
command                                     CoA
connect-progress
connect-rx-speed
connect-tx-speed
delegated-ipv6-pool
dhcp-client-id
dhcp-vendor-class
dhcpv6-class
disc-cause-ext
disconnect-cause
idle-timeout                                CoA
if-handle
inacl
intercept-id
ip-addresses
ipv4-unnumbered                             Note: This AVPair is preferred for BNG in Cisco IOS XR Software, and it is equivalent to the ip-unnumbered AVPair in Cisco IOS Software.
ipv6_inacl                                  CoA
ipv6_outacl                                 CoA
ipv6-dns-servers-addr
ipv6-enable
ipv6-mtu
ipv6-strict-rpf
ipv6-unreachable
l2tp-tunnel-password
login-ip-host
maximum-interleaving-delay-downstream
maximum-interleaving-delay-upstream
maximum-data-rate-downstream
maximum-data-rate-upstream
md-dscp
md-ip-addr (ipaddr)
md-port
minimum-data-rate-downstream
minimum-data-rate-downstream-low-power
minimum-data-rate-upstream
minimum-data-rate-upstream-low-power
outacl
parent-if-handle
parent-session-id
pppoe_session_id
primary-dns (ipaddr)
qos-policy-in                               CoA
qos-policy-out                              CoA
redirect-vrf
remote-id-tag
sa                                          CoA
sd                                          RADIUS CoA
secondary-dns (ipaddr)
service-name
Stateful-IPv6-Address-Pool
sub-qos-policy-in
sub-qos-policy-out
Tunnel-Client-endpoint (ipaddr)
tunnel-id
tunnel-medium-type
Tunnel-Server-endpoint (ipaddr)
tunnel-tos-reflect
tunnel-tos-setting
tunnel-type
username
vpdn-template
vpn-id
vpn-vrf
vrf-id
wins-server (ipaddr)

Vendor-Specific Attributes for Account Operations

Table 3: Supported Vendor-Specific Attributes for Account Operations

RADIUS AVP                              Action
subscriber:command=account-logon        account logon
subscriber:command=account-logoff       account logoff
subscriber:command=account-update       account update
subscriber:sa=<service-name>            service activate
subscriber:sd=<service-name>            service de-activate

RADIUS ADSL Attributes

Table 4: Supported RADIUS ADSL Attributes

Attribute                                   Number
Access-Loop-Encapsulation                   144
Actual-Interleaving-Delay-Downstream        142
Actual-Interleaving-Delay-Upstream          140
Actual-Data-Rate-Downstream                 130
Actual-Data-Rate-Upstream                   129
Attainable-Data-Rate-Downstream             134
Attainable-Data-Rate-Upstream               133
Agent-Circuit-Id                            1
IWF-Session                                 254
Maximum-Interleaving-Delay-Downstream       141
Maximum-Interleaving-Delay-Upstream         139
Maximum-Data-Rate-Downstream                136
Maximum-Data-Rate-Upstream                  135
Minimum-Data-Rate-Downstream                132
Minimum-Data-Rate-Downstream-Low-Power      138
Minimum-Data-Rate-Upstream                  131
Minimum-Data-Rate-Upstream-Low-Power        137
Agent-Remote-Id                             2

RADIUS ASCEND Attributes

Table 5: Supported RADIUS Ascend Attributes

Attribute                         Number
Ascend-Client-Primary-DNS         135
Ascend-Client-Secondary-DNS       136
Ascend-Connection-Progress        196
Ascend-Disconnect-Cause           195
Ascend-Multilink-Session-ID       187
Ascend-Num-In-Multilink           188

RADIUS Microsoft Attributes

Table 6: Supported RADIUS Microsoft Attributes

Attribute                         Number
MS-1st-NBNS-Server                30
MS-2nd-NBNS-Server                31
MS-CHAP-ERROR                     2
MS-Primary-DNS                    28
MS-Secondary-DNS                  29

RADIUS Disconnect-Cause Attributes

Disconnect-cause attribute values specify the reason a connection was taken offline. The attribute values are sent in Accounting request packets. These values are sent at the end of a session, even if the session fails to be authenticated. If the session is not authenticated, the attribute can cause stop records to be generated without first generating start records.

Table 7 lists the cause codes, values, and descriptions for the Disconnect-Cause (195) attribute.

Note: The Disconnect-Cause is incremented by 1000 when it is used in RADIUS AVPairs; for example, disc-cause 4 becomes 1004.

Table 7: Supported Disconnect-Cause Attributes

Cause Code   Name                              Description
0            No-Reason                         No reason is given for the disconnect.
1            No-Disconnect                     The event was not disconnected.
2            Unknown                           Reason unknown.
3            Call-Disconnect                   The call has been disconnected.
4            CLID-Authentication-Failure       Failure to authenticate the number of the calling party.
9            No-Modem-Available                A modem is not available to connect the call.
10           No-Carrier                        No carrier detected. Note: Codes 10, 11, and 12 can be sent if there is a disconnection during initial modem connection.
11           Lost-Carrier                      Loss of carrier.
12           No-Detected-Result-Codes          Failure to detect modem result codes.
20           User-Ends-Session                 User terminates a session. Note: Codes 20, 22, 23, 24, 25, 26, 27, and 28 apply to EXEC sessions.
21           Idle-Timeout                      Timeout waiting for user input. Note: Codes 21, 100, 101, 102, and 120 apply to all session types.
22           Exit-Telnet-Session               Disconnect due to exiting Telnet session.
23           No-Remote-IP-Addr                 Could not switch to SLIP/PPP; the remote end has no IP address.
24           Exit-Raw-TCP                      Disconnect due to exiting raw TCP.
25           Password-Fail                     Bad passwords.
26           Raw-TCP-Disabled                  Raw TCP disabled.
27           Control-C-Detected                Control-C detected.
28           EXEC-Process-Destroyed            EXEC process destroyed.
29           Close-Virtual-Connection          User closes a virtual connection.
30           End-Virtual-Connection            Virtual connection has ended.
31           Exit-Rlogin                       User exits Rlogin.
32           Invalid-Rlogin-Option             Invalid Rlogin option selected.
33           Insufficient-Resources            Insufficient resources.
40           Timeout-PPP-LCP                   PPP LCP negotiation timed out. Note: Codes 40 through 49 apply to PPP sessions.
41           Failed-PPP-LCP-Negotiation        PPP LCP negotiation failed.
42           Failed-PPP-PAP-Auth-Fail          PPP PAP authentication failed.
43           Failed-PPP-CHAP-Auth              PPP CHAP authentication failed.
44           Failed-PPP-Remote-Auth            PPP remote authentication failed.
45           PPP-Remote-Terminate              PPP received a Terminate Request from the remote end.
46           PPP-Closed-Event                  Upper layer requested that the session be closed.
47           NCP-Closed-PPP                    PPP session closed because there were no NCPs open.
48           MP-Error-PPP                      PPP session closed because of an MP error.
49           PPP-Maximum-Channels              PPP session closed because maximum channels were reached.
50           Tables-Full                       Disconnect due to full terminal server tables.
51           Resources-Full                    Disconnect due to full internal resources.
52           Invalid-IP-Address                IP address is not valid for Telnet host.
53           Bad-Hostname                      Hostname cannot be validated.
54           Bad-Port                          Port number is invalid or missing.
60           Reset-TCP                         TCP connection has been reset. Note: Codes 60 through 67 apply to Telnet or raw TCP sessions.
61           TCP-Connection-Refused            TCP connection has been refused by the host.
62           Timeout-TCP                       TCP connection has timed out.
63           Foreign-Host-Close-TCP            TCP connection has been closed.
64           TCP-Network-Unreachable           TCP network is unreachable.
65           TCP-Host-Unreachable              TCP host is unreachable.
66           TCP-Network-Admin-Unreachable     TCP network is unreachable for administrative reasons.
67           TCP-Port-Unreachable              TCP port is unreachable.
100          Session-Timeout                   Session timed out.
101          Session-Failed-Security           Session failed for security reasons.
102          Session-End-Callback              Session terminated due to callback.
120          Invalid-Protocol                  Call refused because the detected protocol is disabled.
150          RADIUS-Disconnect                 Disconnected by RADIUS request.
151          Local-Admin-Disconnect            Administrative disconnect.
152          SNMP-Disconnect                   Disconnected by SNMP request.
160          V110-Retries                      Allowed V.110 retries have been exceeded.
170          PPP-Authentication-Timeout        PPP authentication timed out.
180          Local-Hangup                      Disconnected by local hangup.
185          Remote-Hangup                     Disconnected by remote end hangup.
190          T1-Quiesced                       Disconnected because the T1 line was quiesced.
195          Call-Duration                     Disconnected because the maximum duration of the call was exceeded.
600          VPN-User-Disconnect               Call disconnected by client (through PPP). Code is sent if the LNS receives a PPP terminate request from the client.
601          VPN-Carrier-Loss                  Loss of carrier. This can be the result of a physical line going dead. Code is sent when a client is unable to dial out using a dialer.
602          VPN-No-Resources                  No resources available to handle the call. Code is sent when the client is unable to allocate memory (running low on memory).
603          VPN-Bad-Control-Packet            Bad L2TP or L2F control packets. This code is sent when an invalid control packet, such as one missing mandatory attribute-value pairs (AVP), is received from the peer. When using L2TP, the code will be sent after six retransmits; when using L2F, the number of retransmits is user configurable. Note: VPN-Tunnel-Shut will be sent if there are active sessions in the tunnel.
604          VPN-Admin-Disconnect              Administrative disconnect. This can be the result of a VPN soft shutdown, which is when a client reaches the maximum session limit or exceeds the maximum hopcount. Code is sent when a tunnel is brought down by issuing the clear vpdn tunnel command.
605          VPN-Tunnel-Shut                   Tunnel teardown or tunnel setup has failed. Code is sent when there are active sessions in a tunnel and the tunnel goes down. Note: This code is not sent when tunnel authentication fails.
606          VPN-Local-Disconnect              Call is disconnected by the LNS PPP module. Code is sent when the LNS sends a PPP terminate request to the client. It indicates a normal PPP disconnection initiated by the LNS.
607          VPN-Session-Limit                 VPN soft shutdown is enabled. Code is sent when a call has been refused due to any of the soft shutdown restrictions previously mentioned.
608          VPN-Call-Redirect                 VPN call redirect is enabled.

Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 4.2.x OL-2648-02