RADIUS Attributes

Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 4.2.x, OL-2648-02

Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This appendix describes the following types of RADIUS attributes supported in Broadband Network Gateway (BNG):

- RADIUS IETF Attributes
- RADIUS Vendor-Specific Attributes
- RADIUS ADSL Attributes
- RADIUS ASCEND Attributes
- RADIUS Microsoft Attributes
- RADIUS Disconnect-Cause Attributes

RADIUS IETF Attributes

IETF Attributes Versus VSAs

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known; thus all clients and servers that exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.

RADIUS vendor-specific attributes (VSAs) are derived from one IETF attribute, Vendor-Specific (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes however they wish. That is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26; thus, the newly created attribute is accepted if the user accepts attribute 26.

Table 1: Supported RADIUS IETF Attributes

Attribute                        Number
Acct-Authentic                   45
Acct-Delay-Time                  41
Acct-Input-Giga-Words            52
Acct-Input-Octets                42
Acct-Input-Packets               47
Acct-Interim-Interval            85
Acct-Link-Count                  51
Acct-Output-Giga-Words           53
Acct-Output-Octets               43
Acct-Output-Packets              48
Acct-Session-Time                46
Acct-Status-Type                 40
Acct-Terminate-Cause             49
CHAP-Challenge                   40
CHAP-Password                    3
Dynamic-Author-Error-Cause       101
Event-Timestamp                  55
Filter-Id                        11
Framed-Protocol                  7
Framed-IP-Address                8
Framed-Route                     22
login-ip-addr-host               14
Multilink-Session-ID             50
Nas-Identifier                   32
NAS-IP-Address                   4
NAS-Port                         5
Reply-Message                    18
Service-Type                     6
Tunnel-Assignment-Id             32
Tunnel-Packets-Lost              86
X-Ascend-Client-Primary-DNS      135
X-Ascend-Client-Secondary-DNS    136
NAS-IPv6-Address                 95
Delegated-IPv6-Prefix            123
Stateful-IPv6-Address-Pool       123
Framed-IPv6-Prefix               97
Framed-Interface-Id              96
Framed-IPv6-Pool                 100
Framed-IPv6-Route                99
login-ip-addr-host               98

RADIUS Vendor-Specific Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor-specific attributes, thereby allowing vendors to support their own extended attributes otherwise not suitable for general use.

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-id is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of this format:

protocol : attribute sep value *

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, and OUTBOUND. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

If you insert an "*", the AV pair "ip:addr-pool=first" becomes optional. Note that any AV pair can be made optional:

cisco-avpair= "ip:addr-pool*first"

The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:

cisco-avpair= "shell:priv-lvl=5"

Attribute 26 contains these three elements:

- Type
- Length
- String (also known as data), which consists of Vendor-ID, Vendor-Type, Vendor-Length, and Vendor-Data

Note: It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as Vendor-Data) is dependent on the vendor's definition of that attribute.
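The attribute 26 layout and the cisco-avpair "protocol : attribute sep value" format above, as an added example that is not Cisco's code or any library's: it encodes a cisco-avpair into attribute 26, decodes it while checking the peer-supplied length octets, and splits the AV pair into protocol, attribute, separator and value. The function names and the AVPair type are assumptions made for the example.

```python
"""Added example, not Cisco's code: build and parse IETF attribute 26 carrying
a cisco-avpair, and split the AV pair into protocol, attribute, sep, value.

Wire layout (RFC 2865, section 5.26):
  Type=26 | Length | Vendor-ID (4 octets) | Vendor-Type | Vendor-Length | Vendor-Data
Cisco's Vendor-ID is 9 and cisco-avpair is Vendor-Type 1, as the appendix says.
"""
import struct
from typing import NamedTuple, Optional, Tuple

VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


class AVPair(NamedTuple):
    protocol: str      # "ip", "shell", "subscriber", ...
    attribute: str     # "addr-pool", "priv-lvl", ...
    value: str
    mandatory: bool    # "=" separator means mandatory, "*" means optional


def encode_cisco_avpair(text: str) -> bytes:
    """Wrap one cisco-avpair string in an attribute-26 TLV."""
    data = text.encode("ascii")
    vendor_len = 2 + len(data)       # Vendor-Type + Vendor-Length + Vendor-Data
    total = 2 + 4 + vendor_len       # Type + Length + Vendor-ID + vendor part
    if total > 255:
        raise ValueError("a RADIUS attribute is limited to 255 octets")
    return struct.pack("!BBIBB", VSA_TYPE, total, CISCO_VENDOR_ID,
                       CISCO_AVPAIR, vendor_len) + data


def decode_vsa(raw: bytes) -> Tuple[int, int, bytes]:
    """Return (Vendor-ID, Vendor-Type, Vendor-Data) from one attribute.

    Both length octets come from the peer, so they are checked against the
    buffer instead of being trusted; a bad length is rejected, not read past."""
    if len(raw) < 8 or raw[0] != VSA_TYPE:
        raise ValueError("not a Vendor-Specific attribute")
    length, vendor_type, vendor_len = raw[1], raw[6], raw[7]
    if length != len(raw) or vendor_len < 2 or vendor_len != length - 6:
        raise ValueError("length fields do not match the attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    return vendor_id, vendor_type, raw[8:]


def parse_avpair(text: str) -> AVPair:
    """Split 'protocol:attribute=value' or 'protocol:attribute*value'.

    The first '=' or '*' after the colon is the separator, so a value that
    itself contains '=' (an ACL entry, for instance) is kept intact."""
    protocol, colon, rest = text.partition(":")
    if not colon or not protocol:
        raise ValueError("AV pair lacks the protocol prefix")
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError("AV pair lacks an '=' or '*' separator")
    sep_at = min(positions)
    return AVPair(protocol, rest[:sep_at], rest[sep_at + 1:],
                  mandatory=rest[sep_at] == "=")


def decode_cisco_avpair(raw: bytes) -> Optional[AVPair]:
    """Decode attribute 26 to an AVPair; None when it is another vendor's VSA."""
    vendor_id, vendor_type, data = decode_vsa(raw)
    if vendor_id != CISCO_VENDOR_ID or vendor_type != CISCO_AVPAIR:
        return None
    return parse_avpair(data.decode("ascii"))
```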

Table 2: Supported Cisco Vendor-Specific Attributes

AVPair                                      Present in AAA message type
access-loop-encapsulation
accounting-list                             CoA
acct-input-gigawords-ipv4
acct-input-octets-ipv4
acct-input-packets-ipv4
acct-input-gigawords-ipv6
acct-input-octets-ipv6
acct-input-packets-ipv6
acct-output-gigawords-ipv4
acct-output-octets-ipv4
acct-output-packets-ipv4
acct-output-gigawords-ipv6
acct-output-octets-ipv6
acct-output-packets-ipv6
acct-policy-in                              Access-request
acct-policy-map                             Access-request
acct-policy-out                             Access-request
actual-data-rate-downstream
actual-data-rate-upstream
actual-interleaving-delay-downstream
actual-interleaving-delay-upstream
addr-pool (Note: This is for IPv4 subscribers.)
addrv6
attainable-data-rate-downstream
attainable-data-rate-upstream
circuit-id-tag
cisco-nas-port 2
client-mac-address
command                                     CoA
connect-progress
connect-rx-speed
connect-tx-speed
delegated-ipv6-pool
dhcp-client-id
dhcp-vendor-class
dhcpv6-class
disc-cause-ext
disconnect-cause
idle-timeout                                CoA
if-handle
inacl
intercept-id
ip-addresses
ipv4-unnumbered (Note: This AVPair is preferred for BNG in Cisco IOS XR Software, and it is equivalent to the ip-unnumbered AVPair in Cisco IOS Software.)
ipv6_inacl                                  CoA
ipv6_outacl                                 CoA
ipv6-dns-servers-addr
ipv6-enable
ipv6-mtu
ipv6-strict-rpf
ipv6-unreachable
l2tp-tunnel-password
login-ip-host
maximum-interleaving-delay-downstream
maximum-interleaving-delay-upstream
maximum-data-rate-downstream
maximum-data-rate-upstream
md-dscp
md-ip-addr (ipaddr)
md-port
minimum-data-rate-downstream
minimum-data-rate-downstream-low-power
minimum-data-rate-upstream
minimum-data-rate-upstream-low-power
outacl
parent-if-handle
parent-session-id
pppoe_session_id
primary-dns (ipaddr)
qos-policy-in                               CoA
qos-policy-out                              CoA
redirect-vrf
remote-id-tag
sa                                          CoA
sd                                          RADIUS CoA
secondary-dns (ipaddr)
service-name
Stateful-IPv6-Address-Pool
sub-qos-policy-in
sub-qos-policy-out
Tunnel-Client-endpoint (ipaddr)
tunnel-id
tunnel-medium-type
Tunnel-Server-endpoint (ipaddr)
tunnel-tos-reflect
tunnel-tos-setting
tunnel-type
username
vpdn-template
vpn-id
vpn-vrf
vrf-id
wins-server (ipaddr)

Vendor-Specific Attributes for Account Operations

Table 3: Supported Vendor-Specific Attributes for Account Operations

RADIUS AVP                              Action
subscriber:command=account-logon        account logon
subscriber:command=account-logoff       account logoff
subscriber:command=account-update       account update
subscriber:sa=<service-name>            service activate
subscriber:sd=<service-name>            service de-activate

RADIUS ADSL Attributes

Table 4: Supported RADIUS ADSL Attributes

Attribute                                 Number
Access-Loop-Encapsulation                 144
Actual-Interleaving-Delay-Downstream      142
Actual-Interleaving-Delay-Upstream        140
Actual-Data-Rate-Downstream               130
Actual-Data-Rate-Upstream                 129
Attainable-Data-Rate-Downstream           134
Attainable-Data-Rate-Upstream             133
Agent-Circuit-Id                          1
IWF-Session (boolean)                     254
Maximum-Interleaving-Delay-Downstream     141
Maximum-Interleaving-Delay-Upstream       139
Maximum-Data-Rate-Downstream              136
Maximum-Data-Rate-Upstream                135
Minimum-Data-Rate-Downstream              132
Minimum-Data-Rate-Downstream-Low-Power    138
Minimum-Data-Rate-Upstream                131
Minimum-Data-Rate-Upstream-Low-Power      137
Agent-Remote-Id                           2

RADIUS ASCEND Attributes

Table 5: Supported RADIUS Ascend Attributes

Attribute                        Number
Ascend-Client-Primary-DNS        135
Ascend-Client-Secondary-DNS      136
Ascend-Connection-Progress       196
Ascend-Disconnect-Cause          195
Ascend-Multilink-Session-ID      187
Ascend-Num-In-Multilink          188

RADIUS Microsoft Attributes

Table 6: Supported RADIUS Microsoft Attributes

Attribute                        Number
MS-1st-NBNS-Server               30
MS-2nd-NBNS-Server               31
MS-CHAP-ERROR                    2

MS-Primary-DNS                   28
MS-Secondary-DNS                 29

RADIUS Disconnect-Cause Attributes

Disconnect-cause attribute values specify the reason a connection was taken offline. The attribute values are sent in Accounting request packets. These values are sent at the end of a session, even if the session fails to be authenticated. If the session is not authenticated, the attribute can cause stop records to be generated without first generating start records. Table 7 lists the cause codes, values, and descriptions for the Disconnect-Cause (195) attribute.

Note: The Disconnect-Cause is incremented by 1000 when it is used in RADIUS AVPairs; for example, disc-cause 4 becomes 1004.

Table 7: Supported Disconnect-Cause Attributes

Cause Code  Value                          Description
0           No-Reason                      No reason is given for the disconnect.
1           No-Disconnect                  The event was not disconnected.
2           Unknown                        Reason unknown.
3           Call-Disconnect                The call has been disconnected.
4           CLID-Authentication-Failure    Failure to authenticate the number of the calling party.
9           No-Modem-Available             A modem is not available to connect the call.
10          No-Carrier                     No carrier detected. Note: Codes 10, 11, and 12 can be sent if there is a disconnection during initial modem connection.
11          Lost-Carrier                   Loss of carrier.
12          No-Detected-Result-Codes       Failure to detect modem result codes.
20          User-Ends-Session              User terminates a session. Note: Codes 20, 22, 23, 24, 25, 26, 27, and 28 apply to EXEC sessions.
21          Idle-Timeout                   Timeout waiting for user input. Note: Codes 21, 100, 101, 102, and 120 apply to all session types.
22          Exit-Telnet-Session            Disconnect due to exiting Telnet session.
23          No-Remote-IP-Addr              Could not switch to SLIP/PPP; the remote end has no IP address.
24          Exit-Raw-TCP                   Disconnect due to exiting raw TCP.
25          Password-Fail                  Bad passwords.
26          Raw-TCP-Disabled               Raw TCP disabled.
27          Control-C-Detected             Control-C detected.
28          EXEC-Process-Destroyed         EXEC process destroyed.
29          Close-Virtual-Connection       User closes a virtual connection.
30          End-Virtual-Connection         Virtual connection has ended.
31          Exit-Rlogin                    User exits Rlogin.
32          Invalid-Rlogin-Option          Invalid Rlogin option selected.
33          Insufficient-Resources         Insufficient resources.
40          Timeout-PPP-LCP                PPP LCP negotiation timed out. Note: Codes 40 through 49 apply to PPP sessions.
41          Failed-PPP-LCP-Negotiation     PPP LCP negotiation failed.
42          Failed-PPP-PAP-Auth-Fail       PPP PAP authentication failed.
43          Failed-PPP-CHAP-Auth           PPP CHAP authentication failed.
44          Failed-PPP-Remote-Auth         PPP remote authentication failed.
45          PPP-Remote-Terminate           PPP received a Terminate Request from the remote end.
46          PPP-Closed-Event               Upper layer requested that the session be closed.
47          NCP-Closed-PPP                 PPP session closed because there were no NCPs open.
48          MP-Error-PPP                   PPP session closed because of an MP error.
49          PPP-Maximum-Channels           PPP session closed because maximum channels were reached.
50          Tables-Full                    Disconnect due to full terminal server tables.
51          Resources-Full                 Disconnect due to full internal resources.
52          Invalid-IP-Address             IP address is not valid for Telnet host.
53          Bad-Hostname                   Hostname cannot be validated.
54          Bad-Port                       Port number is invalid or missing.
60          Reset-TCP                      TCP connection has been reset. Note: Codes 60 through 67 apply to Telnet or raw TCP sessions.
61          TCP-Connection-Refused         TCP connection has been refused by the host.
62          Timeout-TCP                    TCP connection has timed out.
63          Foreign-Host-Close-TCP         TCP connection has been closed.
64          TCP-Network-Unreachable        TCP network is unreachable.
65          TCP-Host-Unreachable           TCP host is unreachable.
66          TCP-Network-Admin-Unreachable  TCP network is unreachable for administrative reasons.
67          TCP-Port-Unreachable           TCP port is unreachable.
100         Session-Timeout                Session timed out.
101         Session-Failed-Security        Session failed for security reasons.
102         Session-End-Callback           Session terminated due to callback.
120         Invalid-Protocol               Call refused because the detected protocol is disabled.
150         RADIUS-Disconnect              Disconnected by RADIUS request.
151         Local-Admin-Disconnect         Administrative disconnect.
152         SNMP-Disconnect                Disconnected by SNMP request.
160         V110-Retries                   Allowed V.110 retries have been exceeded.
170         PPP-Authentication-Timeout     PPP authentication timed out.
180         Local-Hangup                   Disconnected by local hangup.
185         Remote-Hangup                  Disconnected by remote end hangup.
190         T1-Quiesced                    Disconnected because the T1 line was quiesced.
195         Call-Duration                  Disconnected because the maximum duration of the call was exceeded.
600         VPN-User-Disconnect            Call disconnected by client (through PPP). Code is sent if the LNS receives a PPP terminate request from the client.
601         VPN-Carrier-Loss               Loss of carrier. This can be the result of a physical line going dead. Code is sent when a client is unable to dial out using a dialer.
602         VPN-No-Resources               No resources available to handle the call. Code is sent when the client is unable to allocate memory (running low on memory).
603         VPN-Bad-Control-Packet         Bad L2TP or L2F control packets. This code is sent when an invalid control packet, such as one with missing mandatory Attribute-Value pairs (AVP), is received from the peer. When using L2TP, the code will be sent after six retransmits; when using L2F, the number of retransmits is user configurable. Note: VPN-Tunnel-Shut will be sent if there are active sessions in the tunnel.
604         VPN-Admin-Disconnect           Administrative disconnect. This can be the result of a VPN soft shutdown, which is when a client reaches the maximum session limit or exceeds the maximum hopcount. Code is sent when a tunnel is brought down by issuing the clear vpdn tunnel command.
605         VPN-Tunnel-Shut                Tunnel teardown or tunnel setup has failed. Code is sent when there are active sessions in a tunnel and the tunnel goes down. Note: This code is not sent when tunnel authentication fails.
606         VPN-Local-Disconnect           Call is disconnected by the LNS PPP module. Code is sent when the LNS sends a PPP terminate request to the client. It indicates a normal PPP disconnection initiated by the LNS.
607         VPN-Session-Limit              VPN soft shutdown is enabled. Code is sent when a call has been refused due to any of the soft shutdown restrictions previously mentioned.
608         VPN-Call-Redirect              VPN call redirect is enabled.
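An added example, not Cisco's code, of using Table 7 on the receiving side: it removes the +1000 AVPair offset described above, maps a code to its name and to the session type the table notes assign it, and counts per-user authentication-failure causes together with Stop records that have no Start, which the section says to expect for sessions that fail authentication. The record layout, the function names and the sample records are assumptions made for the example.

```python
"""Added example, not Cisco's code: decode Disconnect-Cause values from
accounting records and pull out what a defender would want from them.

Assumptions: each Accounting-Request is a dict with "session", "user",
"status" ("Start" or "Stop") and, on Stop, an integer "disc_cause" that may
carry the +1000 AVPair offset.  Codes and names are a subset of Table 7.
"""
from typing import Dict, List, Tuple

AVPAIR_OFFSET = 1000   # disc-cause 4 is carried as 1004 in a RADIUS AVPair
DISCONNECT_CAUSES = {  # subset of Table 7
    0: "No-Reason", 4: "CLID-Authentication-Failure",
    20: "User-Ends-Session", 21: "Idle-Timeout", 25: "Password-Fail",
    40: "Timeout-PPP-LCP", 42: "Failed-PPP-PAP-Auth-Fail",
    43: "Failed-PPP-CHAP-Auth", 44: "Failed-PPP-Remote-Auth",
    45: "PPP-Remote-Terminate", 60: "Reset-TCP", 100: "Session-Timeout",
    101: "Session-Failed-Security", 150: "RADIUS-Disconnect",
    151: "Local-Admin-Disconnect", 170: "PPP-Authentication-Timeout",
    600: "VPN-User-Disconnect", 605: "VPN-Tunnel-Shut",
}
# Codes whose Table 7 description is an authentication failure.
AUTH_FAILURE_CODES = {4, 25, 42, 43, 44, 170}


def normalize_cause(value: int) -> int:
    """Strip the +1000 AVPair offset so both encodings map to one code."""
    return value - AVPAIR_OFFSET if value >= AVPAIR_OFFSET else value


def session_type(code: int) -> str:
    """Session type a code applies to, per the notes in Table 7."""
    if code in (21, 100, 101, 102, 120):
        return "all"
    if 20 <= code <= 28:
        return "EXEC"
    if 40 <= code <= 49:
        return "PPP"
    if 60 <= code <= 67:
        return "Telnet/raw TCP"
    return "unspecified"


def describe_cause(value: int) -> Tuple[int, str, str]:
    """(code, name, session type) for a raw or AVPair-offset value."""
    code = normalize_cause(value)
    return code, DISCONNECT_CAUSES.get(code, "Unlisted"), session_type(code)


def audit_accounting(records: List[dict]) -> dict:
    """Count authentication failures per user and Stops with no Start.

    A Stop without a Start is what the appendix says to expect for a
    session that failed authentication, so the two counters move together."""
    started = set()
    failures: Dict[str, int] = {}
    stop_without_start = 0
    for rec in records:
        if rec["status"] == "Start":
            started.add(rec["session"])
            continue
        if rec["session"] not in started:
            stop_without_start += 1
        if normalize_cause(rec["disc_cause"]) in AUTH_FAILURE_CODES:
            failures[rec["user"]] = failures.get(rec["user"], 0) + 1
    return {"auth_failures": failures, "stop_without_start": stop_without_start}


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    {"session": "s1", "user": "alice", "status": "Start"},
    {"session": "s1", "user": "alice", "status": "Stop", "disc_cause": 1021},
    {"session": "s2", "user": "bob", "status": "Stop", "disc_cause": 1043},
    {"session": "s3", "user": "bob", "status": "Stop", "disc_cause": 43},
    {"session": "s4", "user": "carol", "status": "Start"},
    {"session": "s4", "user": "carol", "status": "Stop", "disc_cause": 150},
]
```

Running `audit_accounting(SAMPLE_RECORDS)` reports two CHAP failures for bob and two Stop records with no Start, the pairing the section describes for unauthenticated sessions.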