Полезная информация

cc/td/doc/product/software/ios120/12cgcr/secur_c
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

RADIUS Attributes

RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This appendix lists the RADIUS attributes currently supported.

How to Use This Appendix

This appendix is divided into two different sections:

The first section lists the Cisco IOS releases in which supported Internet Engineering Task Force (IETF) RADIUS and vendor-proprietary RADIUS are implemented. The second section provides a comprehensive list and description of both IETF RADIUS and vendor-proprietary RADIUS attributes.

Supported RADIUS Attributes

Table 28 lists and describes Cisco-supported IETF RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.


Note Attributes implemented in special (AA) or early development (T) releases will be added to the next mainline image.


Table 28: Supported RADIUS (IETF) Attributes
Number Attribute 11.1 11.2 11.3 11.3 AA 11.3T 12.0

1

User-Name

yes

yes

yes

yes

yes

yes

2

User-Password

yes

yes

yes

yes

yes

yes

3

CHAP-Password

yes

yes

yes

yes

yes

yes

4

NAS-IP Address

yes

yes

yes

yes

yes

yes

5

NAS-Port

yes

yes

yes

yes

yes

yes

6

Service-Type

yes

yes

yes

yes

yes

yes

7

Framed-Protocol

yes

yes

yes

yes

yes

yes

8

Framed-IP-Address

yes

yes

yes

yes

yes

yes

9

Framed-IP-Netmask

yes

yes

yes

yes

yes

yes

10

Framed-Routing

yes

yes

yes

yes

yes

yes

11

Filter-Id

yes

yes

yes

yes

yes

yes

12

Framed-MTU

yes

yes

yes

yes

yes

yes

13

Framed-Compression

yes

yes

yes

yes

yes

yes

14

Login-IP-Host

yes

yes

yes

yes

yes

yes

15

Login-Service

yes

yes

yes

yes

yes

yes

16

Login-TCP-Port

yes

yes

yes

yes

yes

yes

18

Reply-Message

yes

yes

yes

yes

yes

yes

19

Callback-Number

no

no

no

no

no

no

20

Callback-ID

no

no

no

no

no

no

22

Framed-Route

yes

yes

yes

yes

yes

yes

23

Framed-IPX-Network

no

no

no

no

no

no

24

State

yes

yes

yes

yes

yes

yes

25

Class

yes

yes

yes

yes

yes

yes

26

Vendor-Specific

yes

yes

yes

yes

yes

yes

27

Session-Timeout

yes

yes

yes

yes

yes

yes

28

Idle-Timeout

yes

yes

yes

yes

yes

yes

29

Termination-Action

no

no

no

no

no

no

30

Called-Station-Id

yes

yes

yes

yes

yes

yes

31

Calling-Station-Id

yes

yes

yes

yes

yes

yes

32

NAS-Identifier

no

no

no

no

no

no

33

Proxy-State

no

no

no

no

no

no

34

Login-LAT-Service

yes

yes

yes

yes

yes

yes

35

Login-LAT-Node

no

no

no

no

no

no

36

Login-LAT-Group

no

no

no

no

no

no

37

Framed-AppleTalk-Link

no

no

no

no

no

no

38

Framed-AppleTalk-Network

no

no

no

no

no

no

39

Framed-AppleTalk-Zone

no

no

no

no

no

no

40

Acct-Status-Type

yes

yes

yes

yes

yes

yes

41

Acct-Delay-Time

yes

yes

yes

yes

yes

yes

42

Acct-Input-Octets

yes

yes

yes

yes

yes

yes

43

Acct-Output-Octets

yes

yes

yes

yes

yes

yes

44

Acct-Session-Id

yes

yes

yes

yes

yes

yes

45

Acct-Authentic

yes

yes

yes

yes

yes

yes

46

Acct-Session-Time

yes

yes

yes

yes

yes

yes

47

Acct-Input-Packets

yes

yes

yes

yes

yes

yes

48

Acct-Output-Packets

yes

yes

yes

yes

yes

yes

49

Acct-Terminate-Cause

yes

yes

yes

yes

yes

yes

50

Acct-Multi-Session-Id1

no

no

no

no

no

no

51

Acct-Link-Count2

no

no

no

no

no

no

60

CHAP-Challenge

no

no

no

no

no

no

61

NAS-Port-Type

yes

yes

yes

yes

yes

yes

62

Port-Limit

yes

yes

yes

yes

yes

yes

63

Login-LAT-Port

no

no

no

no

no

no

200

IETF-Token-Immediate

no

no

no

no

no

no

1Only stop records contain multi-session IDs. This is because start records are issued before any multilink processing takes place.
2Only stop records contain link counts. This is because start records are issued before any multilink processing takes place.

Table 29 lists and describes Cisco-supported vendor-proprietary RADIUS attributes and the Cisco  IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.


Note Attributes implemented in special (AA) or early development (T) releases will be added to the next mainline image.


Table 29: Supported Vendor-Proprietary RADIUS Attributes
Number Vendor-Proprietary Attribute 11.1 11.2 11.3 11.3AA 11.3T 12.0

17

Change-Password

no

no

yes

yes

yes

yes

21

Password-Expiration

no

no

yes

yes

yes

yes

64

Tunnel-Type

no

no

no

no

no

no

65

Tunnel-Medium-Type

no

no

no

no

no

no

66

Tunnel-Client-Endpoint

no

no

no

no

no

no

67

Tunnel-Server-Endpoint

no

no

no

no

no

no

68

Tunnel-ID

no

no

no

no

no

no

108

My-Endpoint-Disc-Alias

no

no

no

no

no

no

109

My-Name-Alias

no

no

no

no

no

no

110

Remote-FW

no

no

no

no

no

no

111

Multicast-GLeave-Delay

no

no

no

no

no

no

112

CBCP-Enable

no

no

no

no

no

no

113

CBCP-Mode

no

no

no

no

no

no

114

CBCP-Delay

no

no

no

no

no

no

115

CBCP-Trunk-Group

no

no

no

no

no

no

116

Appletalk-Route

no

no

no

no

no

no

117

Appletalk-Peer-Mode

no

no

no

no

no

no

118

Route-Appletalk

no

no

no

no

no

no

119

FCP-Parameter

no

no

no

no

no

no

120

Modem-PortNo

no

no

no

no

no

no

121

Modem-SlotNo

no

no

no

no

no

no

122

Modem-ShelfNo

no

no

no

no

no

no

123

Call-Attempt-Limit

no

no

no

no

no

no

124

Call-Block-Duration

no

no

no

no

no

no

125

Maximum-Call-Duration

no

no

no

no

no

no

126

Router-Preference

no

no

no

no

no

no

127

Tunneling-Protocol

no

no

no

no

no

no

128

Shared-Profile-Enable

no

no

no

no

no

no

129

Primary-Home-Agent

no

no

no

no

no

no

130

Secondary-Home-Agent

no

no

no

no

no

no

131

Dialout-Allowed

no

no

no

no

no

no

133

BACP-Enable

no

no

no

no

no

no

134

DHCP-Maximum-Leases

no

no

no

no

no

no

135

Primary-DNS-Server

no

no

no

no

yes

yes

136

Secondary-DNS-Server

no

no

no

no

yes

yes

137

Client-Assign-DNS

no

no

no

no

no

no

138

User-Acct-Type

no

no

no

no

no

no

139

User-Acct-Host

no

no

no

no

no

no

140

User-Acct-Port

no

no

no

no

no

no

141

User-Acct-Key

no

no

no

no

no

no

142

User-Acct-Base

no

no

no

no

no

no

143

User-Acct-Time

no

no

no

no

no

no

144

Assign-Ip-Client

no

no

no

no

no

no

145

Assign-IP-Server

no

no

no

no

no

no

146

Assign-IP-Global-Pool

no

no

no

no

no

no

147

DHCP-Reply

no

no

no

no

no

no

148

DHCP-Pool-Number

no

no

no

no

no

no

149

Expect-Callback

no

no

no

no

no

no

150

Event-Type

no

no

no

no

no

no

151

Session-Svr-Key

no

no

no

no

no

no

152

Multicast-Rate-Limit

no

no

no

no

no

no

153

IF-Netmask

no

no

no

no

no

no

154

Remote-Addr

no

no

no

no

no

no

155

Multicast-Client

no

no

no

no

no

no

156

FR-Circuit-Name

no

no

no

no

no

no

157

FR-LinkUp

no

no

no

no

no

no

158

FR-Nailed-Grp

no

no

no

no

no

no

159

FR-Type

no

no

no

no

no

no

160

FR-Link-Mgt

no

no

no

no

no

no

161

FR-N391

no

no

no

no

no

no

162

FR-DCE-N392

no

no

no

no

no

no

163

FR-DTE-N392

no

no

no

no

no

no

164

FR-DCE-N393

no

no

no

no

no

no

165

FR-DTE-N393

no

no

no

no

no

no

166

FR-T391

no

no

no

no

no

no

167

FR-T392

no

no

no

no

no

no

168

Bridge-Address

no

no

no

no

no

no

169

TS-Idle-Limit

no

no

no

no

no

no

170

TS-Idle-Mode

no

no

no

no

no

no

171

DBA-Monitor

no

no

no

no

no

no

172

Base-Channel-Count

no

no

no

no

no

no

173

Minimum-Channels

no

no

no

no

no

no

174

IPX-Route

no

no

no

no

no

no

175

FT1-Caller

no

no

no

no

no

no

176

Backup

no

no

no

no

no

no

177

Call-Type

no

no

no

no

no

no

178

Group

no

no

no

no

no

no

179

FR-DLCI

no

no

no

no

no

no

180

FR-Profile-Name

no

no

no

no

no

no

181

Ara-PW

no

no

no

no

no

no

182

IPX-Node-Addr

no

no

no

no

no

no

183

Home-Agent-IP-Addr

no

no

no

no

no

no

184

Home-Agent-Password

no

no

no

no

no

no

185

Home-Network-Name

no

no

no

no

no

no

186

Home-Agent-UDP-Port

no

no

no

no

no

no

187

Multilink-ID

no

no

no

no

yes

yes

188

Num-In-Multilink

no

no

no

no

yes

yes

189

First-Dest

no

no

no

no

no

no

190

Pre-Input-Octets

no

no

no

no

yes

yes

191

Pre-Output-Octets

no

no

no

no

yes

yes

192

Pre-Input-Packets

no

no

no

no

yes

yes

193

Pre-Output-Packets

no

no

no

no

yes

yes

194

Maximum-Time

no

no

yes

yes

yes

yes

195

Disconnect-Cause

no

no

yes

yes

yes

yes

196

Connect-Progress

no

no

no

no

no

no

197

Data-Rate

no

no

no

no

yes

yes

198

PreSession-Time

no

no

no

no

yes

yes

199

Token-Idle

no

no

no

no

no

no

201

Require-Auth

no

no

no

no

no

no

202

Number-Sessions

no

no

no

no

no

no

203

Authen-Alias

no

no

no

no

no

no

204

Token-Expiry

no

no

no

no

no

no

205

Menu-Selector

no

no

no

no

no

no

206

Menu-Item

no

no

no

no

no

no

207

PW-Warntime

no

no

no

no

no

no

208

PW-Lifetime

no

no

yes

yes

yes

yes

209

IP-Direct

no

no

yes

yes

yes

yes

210

PPP-VJ-Slot-Comp

no

no

yes

yes

yes

yes

211

PPP-VJ-1172

no

no

no

no

no

no

212

PPP-Async-Map

no

no

no

no

no

no

213

Third-Prompt

no

no

no

no

no

no

214

Send-Secret

no

no

no

no

no

no

215

Receive-Secret

no

no

no

no

no

no

216

IPX-Peer-Mode

no

no

no

no

no

no

217

IP-Pool-Definition

no

no

yes

yes

yes

yes

218

Assign-IP-Pool

no

no

yes

yes

yes

yes

219

FR-Direct

no

no

no

no

no

no

220

FR-Direct-Profile

no

no

no

no

no

no

221

FR-Direct-DLCI

no

no

no

no

no

no

222

Handle-IPX

no

no

no

no

no

no

223

Netware-Timeout

no

no

no

no

no

no

224

IPX-Alias

no

no

no

no

no

no

225

Metric

no

no

no

no

no

no

226

PRI-Number-Type

no

no

no

no

no

no

227

Dial-Number

no

no

no

no

no

no

228

Route-IP

no

no

yes

yes

yes

yes

229

Route-IPX

no

no

no

no

no

no

230

Bridge

no

no

no

no

no

no

231

Send-Auth

no

no

no

no

no

no

232

Send-Passwd

no

no

no

no

no

no

233

Link-Compression

no

no

yes

yes

yes

yes

234

Target-Util

no

no

yes

yes

yes

yes

235

Maximum-Channels

no

no

yes

yes

yes

yes

236

Inc-Channel-Count

no

no

no

no

no

no

237

Dec-Channel-Count

no

no

no

no

no

no

238

Seconds-of-History

no

no

no

no

no

no

239

History-Weigh-Type

no

no

no

no

no

no

240

Add-Seconds

no

no

no

no

no

no

241

Remove-Seconds

no

no

no

no

no

no

242

Data-Filter

no

no

yes

yes

yes

yes

243

Call-Filter

no

no

yes

yes

yes

yes

244

Idle-Limit

no

no

yes

yes

yes

yes

245

Preempt-Limit

no

no

no

no

no

no

246

Callback

no

no

no

no

no

no

247

Data-Svc

no

no

no

no

no

no

248

Force-56

no

no

no

no

no

no

249

Billing Number

no

no

no

no

no

no

250

Call-By-Call

no

no

no

no

no

no

251

Transit-Number

no

no

no

no

no

no

252

Host-Info

no

no

no

no

no

no

253

PPP-Address

no

no

no

no

no

no

254

MPP-Idle-Percent

no

no

no

no

no

no

255

Xmit-Rate

no

no

no

no

no

no

For more information about Cisco's implementation of RADIUS, refer to the "Configuring RADIUS" chapter.

Comprehensive List of RADIUS Attributes

The following two sections provide a comprehensive listing and description of known RADIUS attributes:

RADIUS IETF Attributes

Table 30 lists and describes IETF RADIUS attributes. In cases where the attribute has a security server-specific format, the format is specified.


Table 30: RADIUS (IETF) Attributes
Number Attribute Description

1

User-Name

Indicates the name of the user being authenticated.

2

User-Password

Indicates the user's password or the user's input following an Access-Challenge. Passwords longer than 16 characters are encrypted using the IETF Draft #2 (or later) specifications.

3

CHAP-Password

Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to an Access-Challenge.

4

NAS-IP Address

Specifies the IP address of the network access server that is requesting authentication.

5

NAS-Port

Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command.) Each 16-bit number should be viewed as a 5-digit decimal integer for interpretation as follows:

For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number.

For ordinary synchronous network interface, the value is 10xxx.

For channels on a primary rate ISDN interface, the value is 2ppcc.

For channels on a basic rate ISDN interface, the value is 3bb0c.

For other types of interfaces, the value is 6nnss.

6

Service-Type

Indicates the type of service requested or the type of service to be provided.

  • In a request:

Framed for known PPP or SLIP connection.
Administrative-user for enable command.

  • In response:

Login---Make a connection.
Framed---Start SLIP or PPP.
Administrative User---Start an EXEC or enable ok.

Exec User---Start an EXEC session.

Service type is indicated by a particular numeric value as follows:

  • 1: Login

  • 2: Framed

  • 3: Callback-Login

  • 4: Callback-Framed

  • 5: Outbound

  • 6: Administrative

  • 7: NAS-Prompt

  • 8: Authenticate Only

  • 9: Callback-NAS-Prompt

7

Framed-Protocol

Indicates the framing to be used for framed access.

Framing is indicated by a numeric value as follows:

  • 1: PPP

  • 2: SLIP

  • 3: ARA

  • 4: Gandalf-proprietary single-link/multilink protocol

  • 5: Xylogics-proprietary IPX/SLIP

8

Framed-IP-Address

Indicates the IP address to be configured for the user.

9

Framed-IP-Netmask

Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified.

10

Framed-Routing

Indicates the routing method for the user when the user is a router to a network. Only "None" and "Send and Listen" values are supported for this attribute.

Routing method is indicated by a numeric value as follows:

  • 0: None

  • 1: Send routing packets

  • 2: Listen for routing packets

  • 3: Send routing packets and listen for routing packets

11

Filter-Id

Indicates the name of the filter list for the user and is formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list, and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.

12

Framed-MTU

Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means.

13

Framed-Compression

Indicates a compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization.

Compression protocol is indicated by a numeric value as follows:

  • 0: None

  • 1: VJ-TCP/IP header compression

  • 2: IPX header compression

14

Login-IP-Host

Indicates the host to which the user will connect when the Login-Service attribute is included.

15

Login-Service

Indicates the service that should be used to connect the user to the login host.

Service is indicated by a numeric value as follows:

  • 0: Telnet

  • 1: Rlogin

  • 2: TCP-Clear

  • 3: PortMaster

  • 4: LAT

16

Login-TCP-Port

Defines the TCP port with which the user is to be connected when the Login-Service attribute is also present.

18

Reply-Message

Indicates text that might be displayed to the user.

19

Callback-Number

Defines a dialing string to be used for callback.

20

Callback-ID

Defines the name (consisting of one or more octets) of a place to be called, to be interpreted by the network access server.

22

Framed-Route

Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored.

23

Framed-IPX-Network

Defines the IPX network number configured for the user.

24

State

Allows state information to be maintained between the network access server and the RADIUS server. This attribute is applicable only to CHAP challenges.

25

Class

(Accounting) Arbitrary value that the network access server includes in all accounting packets for this user if supplied by the RADIUS server.

26

Vendor-Specific

Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:


protocol : attribute sep value

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AVpair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example:


cisco-avpair= "ip:addr-pool=first"
cisco-avpair= "shell:priv-lvl=15"

The first example causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a user logging in from a network access server to have immediate access to EXEC commands.

Table 31 provides a complete list of supported TACACS+ attribute/value (AV) pairs that can be used with IETF Attribute 26.

Cisco has added two new vendor-specific RADIUS attributes (IETF Attribute 26) to enable RADIUS to support MS-CHAP:

  • Vendor ID Number: 311 (Microsoft)
    Vendor Type Number: 11
    Attribute: MSCHAP-Challenge
    Description: Contains the challenge sent by a network access server to an MS-CHAP user. It can be used in both Access-Request and Access-Challenge packets.

  • Vendor ID Number 311: (Microsoft)
    Vendor Type Number: 11
    Attribute: MSCHAP-Response
    Description: Contains the response value provided by a PPP MS-CHAP user in response to the challenge. It is only used in Access-Request packets. This attribute is identical to the PPP CHAP Identifier.

27

Session-Timeout

Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user "absolute timeout." This attribute is not valid for PPP sessions.

28

Idle-Timeout

Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout." This attribute is not valid for PPP sessions.

29

Termination-Action

Termination is indicated by a numeric value as follows:

  • 0: Default

  • 1: RADIUS request

30

Called-Station-Id

(Accounting) Allows the network access server to send the telephone number the user called as part of the Access-Request packet (using Dialed Number Identification [DNIS] or similar technology). This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI.

31

Calling-Station-Id

(Accounting) Allows the network access server to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI.

32

NAS-Identifier

String identifying the network access server originating the Access-Request.

33

Proxy-State

Attribute that can be sent by a proxy server to another server when forwarding Access-Requests; this must be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge and removed by the proxy server before sending the response to the network access server.

34

Login-LAT-Service

Indicates the system with which the user is to be connected by LAT. This attribute is only available in the EXEC mode.

35

Login-LAT-Node

Indicates the node with which the user is to be automatically connected by LAT.

36

Login-LAT-Group

Identifies the LAT group codes that this user is authorized to use.

37

Framed-AppleTalk-Link

Indicates the AppleTalk network number that should be used for serial links to the user, which is another AppleTalk router.

38

Framed-AppleTalk-Network

Indicates the AppleTalk network number that the network access server uses to allocate an AppleTalk node for the user.

39

Framed-AppleTalk-Zone

Indicates the AppleTalk Default Zone to be used for this user.

40

Acct-Status-Type

(Accounting) Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop).

41

Acct-Delay-Time

(Accounting) Indicates how many seconds the client has been trying to send a particular record.

42

Acct-Input-Octets

(Accounting) Indicates how many octets have been received from the port over the course of this service being provided.

43

Acct-Output-Octets

(Accounting) Indicates how many octets have been sent to the port in the course of delivering this service.

44

Acct-Session-Id

(Accounting) A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session ID numbers restart at 1 each time the router is power cycled or the software is reloaded.

45

Acct-Authentic

(Accounting) Indicates how the user was authenticated, whether by RADIUS, the network access server itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.

46

Acct-Session-Time

(Accounting) Indicates how long (in seconds) the user has received service.

47

Acct-Input-Packets

(Accounting) Indicates how many packets have been received from the port over the course of this service being provided to a framed user.

48

Acct-Output-Packets

(Accounting) Indicates how many packets have been sent to the port in the course of delivering this service to a framed user.

49

Acct-Terminate-Cause

(Accounting) Reports details on why the connection was terminated.

Termination causes are indicated by a numeric value as follows:

  • 1: User request

  • 2: Lost carrier

  • 3: Lost service

  • 4: Idle timeout

  • 5: Session-timeout

  • 6: Admin reset

  • 7: Admin reboot

  • 8: Port error

  • 9: NAS error

  • 10: NAS request

  • 11: NAS reboot

  • 12: Port unneeded

  • 13: Port pre-empted

  • 14: Port suspended

  • 15: Service unavailable

  • 16: Callback

  • 17: User error

  • 18: Host request

50

Acct-Multi-Session-Id1

(Accounting) A unique accounting identifier used to link multiple related sessions in a log file.

Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id.

51

Acct-Link-Count2

(Accounting) Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links.

60

CHAP-Challenge

Contains the Challenge Handshake Authentication Protocol challenge sent by the network access server to a PPP CHAP user.

61

NAS-Port-Type

Indicates the type of physical port the network access server is using to authenticate the user.

Physical ports are indicated by a numeric value as follows:

  • 0: Asynchronous

  • 1: Synchronous

  • 2: ISDN-Synchronous

  • 3: ISDN-Asynchronous (V.120)

  • 4: ISDN- Asynchronous (V.110)

  • 5: Virtual

62

Port-Limit

Sets the maximum number of ports to be provided to the user by the network access server.

63

Login-LAT-Port

Defines the port with which the user is to be connected by LAT.

200

IETF-Token-Immediate

Determines how RADIUS treats passwords received from login-users when their file entry specifies a hand-held security card server.

The value for this attribute is indicated by a numeric value as follows:

  • 0: No, meaning that the password is ignored.

  • 1: Yes, meaning that the password is used for authentication.

1Only stop records contain multi-session IDs. This is because start records are issued before any multilink processing takes place.
2Only stop records contain link counts. This is because start records are issued before any multilink processing takes place.

Table 31 lists the supported TACACS+ AV pairs and their meanings for the Vendor-Specific (26) attribute. For more information about TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.


Table 31: Supported TACACS+ AV Pairs
Attribute Description

service=x

The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included.

protocol=x

A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, and unknown.

cmd=x

A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to.

cmd-arg=x

An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified, and they are order-dependent.

acl=x

ASCII number representing a connection access list. Used only when service=shell.

inacl=x

ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. Per-user access lists do not currently work with ISDN interfaces.

inacl#<n>

ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol =ipx. Per-user access lists do not currently work with ISDN interfaces.

outacl=x

ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces.

outacl#<n>

ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current condition. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces.

zonelist=x

A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5).

addr=x

A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=10.2.3.4.

addr-pool=x

Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip.

Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip-local pool command to declare local pools. For example:

ip address-pool local

ip local pool boo 10.0.0.1 10.0.0.10

ip local pool moo 10.0.0.1 10.0.0.20

You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address.

routing=x

Specifies whether routing information is to be propagated to and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true).

route

Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip.

During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:

route="dst_address mask [gateway]"

This indicates a temporary static route that is to be applied. The dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server.

If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates.

route#<n>

Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx.

timeout=x

The number of minutes before an EXEC or ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap.

idletime=x

Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout.

autocmd=x

Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell.

noescape=x

Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true).

nohangup=x

Used with service=shell. Specifies the nohangup option, which means that after an EXEC shell is terminated, the user is presented with another login (username) prompt. Can be either true or false (for example, nohangup=false).

priv-lvl=x

Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest.

callback-dialstring

Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service might choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

callback-line

The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

callback-rotary

The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

nocallback-verify

Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN.

tunnel-id

Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn.

ip-addresses

Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn.

nas-password

Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn.

gw-password

Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn.

rte-ftr-in#<n>

Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx.

rte-ftr-out#<n>

Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx.

sap#<n>

Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx.

sap-fltr-in#<n>

Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx.

sap-fltr-out#<n>

Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx.

pool-def#<n>

Defines IP address pools on the network access server. Used with service=ppp and protocol=ip.

pool-timeout=

Defines (in conjunction with pool-def) IP address pools on the network access server. During IPCP address negotiation, if an IP pool name is specified for a user (see the addr-pool attribute), a check is made to see if the named pool is defined on the network access server. If it is, the pool is consulted for an IP address.

source-ip=x

Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command.

max-links=<n>

Restricts the number of links that a user can have in a multilink bundle. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255.

load-threshold=<n>

Sets the load threshold at which additional links are either added to or deleted from the multilink bundle. If the load goes above the specified value, additional links are added. If the load goes below the specified value, links are deleted. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255.

interface-config=

Specifies user-specific AAA interface configuration information with virtual profiles. The information that follows the equal sign (=) can be any Cisco IOS interface configuration command.

ppp-vj-slot-
compression

Instructs the Cisco router not to use slot compression when sending Van Jacobsen-compressed packets over a PPP link.

link-compression=

Defines whether to turn on or turn off "stac" compression over a PPP link.

Link compression is defined as a numeric value as follows:

  • 0: None

  • 1: Stac

  • 2: Stac-Draft-9

  • 3: MS-Stac

old-prompts

Allows providers to make the prompts in TACACS+ appear identical to those of earlier systems (TACACS and Extended TACACS). This allows administrators to upgrade from TACACS/Extended TACACS to TACACS+ transparently to users.

dns-servers=

Identifies a DNS server (primary or secondary) that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each DNS server is entered in dotted decimal format.

wins-servers=

Identifies a Windows NT server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each Windows NT server is entered in dotted decimal format.

Table 32 lists the supported TACACS+ accounting AV pairs and their meanings for the Vendor-Specific (26) attribute. For more information about TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.


Table 32: Supported TACACS+ Accounting AV Pairs
Attribute Description

service

The service the user used.

port

The port the user was logged in to.

task_id

Start and stop records for the same event must have matching (unique) task_id numbers.

start_time

The time the action started (in seconds since the epoch, 12:00 a.m. Jan 1 1970). The clock must be configured to receive this information.

stop_time

The time the action stopped (in seconds since the epoch.) The clock must be configured to receive this information.

elapsed_time

The elapsed time in seconds for the action. Useful when the device does not keep real time.

timezone

The time zone abbreviation for all timestamps included in this packet.

priv_level

The privilege level associated with the action.

cmd

The command the user executed.

protocol

The protocol associated with the action.

bytes_in

The number of input bytes transferred during this connection.

bytes_out

The number of output bytes transferred during this connection.

paks_in

The number of input packets transferred during this connection.

paks_out

The number of output packets transferred during this connection.

event

Information included in the accounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping.

reason

Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or when accounting is reconfigured (turned on or off).

mlp-sess-id

Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. This attribute is sent in authentication-response packets.

mlp-links-max

Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated.

disc-cause

Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 34 for a list of Disconnect-Cause values and their meanings.

disc-cause-ext

Extends the disc-cause attribute to support vendor-specific reasons that a connection was taken off-line.

pre-bytes-in

Records the number of input bytes before authentication. This attribute is sent in accounting-stop records.

pre-bytes-out

Records the number of output bytes before authentication. This attribute is sent in accounting-stop records.

pre-paks-in

Records the number of input packets before authentication. This attribute is sent in accounting-stop records.

pre-paks-out

Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records.

pre-session-time

Specifies the length of time, in seconds, from when a call first connects to when it completes authentication.

data-rate

Specifies the average number of bits per second over the course of the connection's lifetime. This attribute is sent in accounting-stop records.

xmit-rate

Reports the transmit speed negotiated by the two modems.

RADIUS Vendor-Proprietary Attributes

Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Table 33 lists the known vendor-proprietary RADIUS attributes:


Table 33: Vendor-Proprietary RADIUS Attributes
Number Vendor-Proprietary Attribute Description

17

Change-Password

Specifies a request to change a user's password.

21

Password-Expiration

Specifies an expiration date for a user's password in the user's file entry.

64

Tunnel-Type

(Ascend 5) No description available.

65

Tunnel-Medium-Type

(Ascend 5) No description available.

66

Tunnel-Client-Endpoint

(Ascend 5) No description available.

67

Tunnel-Server-Endpoint

(Ascend 5) No description available.

68

Tunnel-ID

(Ascend 5) No description available.

108

My-Endpoint-Disc-Alias

(Ascend 5) No description available.

109

My-Name-Alias

(Ascend 5) No description available.

110

Remote-FW

(Ascend 5) No description available.

111

Multicast-GLeave-Delay

(Ascend 5) No description available.

112

CBCP-Enable

(Ascend 5) No description available.

113

CBCP-Mode

(Ascend 5) No description available.

114

CBCP-Delay

(Ascend 5) No description available.

115

CBCP-Trunk-Group

(Ascend 5) No description available.

116

Appletalk-Route

(Ascend 5) No description available.

117

Appletalk-Peer-Mode

(Ascend 5) No description available.

118

Route-Appletalk

(Ascend 5) No description available.

119

FCP-Parameter

(Ascend 5) No description available.

120

Modem-PortNo

(Ascend 5) No description available.

121

Modem-SlotNo

(Ascend 5) No description available.

122

Modem-ShelfNo

(Ascend 5) No description available.

123

Call-Attempt-Limit

(Ascend 5) No description available.

124

Call-Block-Duration

(Ascend 5) No description available.

125

Maximum-Call-Duration

(Ascend 5) No description available.

126

Router-Preference

(Ascend 5) No description available.

127

Tunneling-Protocol

(Ascend 5) No description available.

128

Shared-Profile-Enable

(Ascend 5) No description available.

129

Primary-Home-Agent

(Ascend 5) No description available.

130

Secondary-Home-Agent

(Ascend 5) No description available.

131

Dialout-Allowed

(Ascend 5) No description available.

133

BACP-Enable

(Ascend 5) No description available.

134

DHCP-Maximum-Leases

(Ascend 5) No description available.

135

Primary-DNS-Server

Identifies a primary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation.

136

Secondary-DNS-Server

Identifies a secondary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation.

137

Client-Assign-DNS

No description available.

138

User-Acct-Type

No description available.

139

User-Acct-Host

No description available.

140

User-Acct-Port

No description available.

141

User-Acct-Key

No description available.

142

User-Acct-Base

No description available.

143

User-Acct-Time

No description available.

144

Assign-Ip-Client

No description available.

145

Assign-IP-Server

No description available.

146

Assign-IP-Global-Pool

No description available.

147

DHCP-Reply

No description available.

148

DHCP-Pool-Number

No description available.

149

Expect-Callback

No description available.

150

Event-Type

No description available.

151

Session-Svr-Key

No description available.

152

Multicast-Rate-Limit

No description available.

153

IF-Netmask

No description available.

154

Remote-Addr

No description available.

155

Multicast-Client

No description available.

156

FR-Circuit-Name

No description available.

157

FR-LinkUp

No description available.

158

FR-Nailed-Grp

No description available.

159

FR-Type

No description available.

160

FR-Link-Mgt

No description available.

161

FR-N391

No description available.

162

FR-DCE-N392

No description available.

163

FR-DTE-N392

No description available.

164

FR-DCE-N393

No description available.

165

FR-DTE-N393

No description available.

166

FR-T391

No description available.

167

FR-T392

No description available.

168

Bridge-Address

No description available.

169

TS-Idle-Limit

No description available.

170

TS-Idle-Mode

No description available.

171

DBA-Monitor

No description available.

172

Base-Channel-Count

No description available.

173

Minimum-Channels

No description available.

174

IPX-Route

No description available.

175

FT1-Caller

No description available.

176

Backup

No description available.

177

Call-Type

No description available.

178

Group

No description available.

179

FR-DLCI

No description available.

180

FR-Profile-Name

No description available.

181

Ara-PW

No description available.

182

IPX-Node-Addr

No description available.

183

Home-Agent-IP-Addr

Indicates the home agent's IP address (in dotted decimal format) when using Ascend Tunnel Management Protocol (ATMP).

184

Home-Agent-Password

With ATMP, specifies the password that the foreign agent uses to authenticate itself.

185

Home-Network-Name

With ATMP, indicates the name of the connection profile to which the home agent sends all packets.

186

Home-Agent-UDP-Port

Indicates the UDP port number the foreign agent uses to send ATMP messages to the home agent.

187

Multilink-ID

Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. The Multilink-ID attribute is sent in authentication-response packets.

188

Num-In-Multilink

Reports the number of sessions remaining in a multilink bundle when the session reported in an accounting-stop packet closes. This attribute applies to sessions that are part of a multilink bundle. The Num-In-Multilink attribute is sent in authentication-response packets and in some accounting-request packets.

189

First-Dest

Records the destination IP address of the first packet received after authentication.

190

Pre-Input-Octets

Records the number of input octets before authentication. The Pre-Input-Octets attribute is sent in accounting-stop records.

191

Pre-Output-Octets

Records the number of output octets before authentication. The Pre-Output-Octets attribute is sent in accounting-stop records.

192

Pre-Input-Packets

Records the number of input packets before authentication. The Pre-Input-Packets attribute is sent in accounting-stop records.

193

Pre-Output-Packets

Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records.

194

Maximum-Time

Specifies the maximum length of time (in seconds) allowed for any session. After the session reaches the time limit, its connection is dropped.

195

Disconnect-Cause

Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 34 for a list of Disconnect-Cause values and their meanings.

196

Connect-Progress

Indicates the connection state before the connection is disconnected.

197

Data-Rate

Specifies the average number of bits per second over the course of the connection's lifetime. The Data-Rate attribute is sent in accounting-stop records.

198

PreSession-Time

Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. The PreSession-Time attribute is sent in accounting-stop records.

199

Token-Idle

Indicates the maximum amount of time (in minutes) a cached token can remain alive between authentications.

201

Require-Auth

Defines whether additional authentication is required for class that has been CLID authenticated.

202

Number-Sessions

Specifies the number of active sessions (per class) reported to the RADIUS accounting server.

203

Authen-Alias

Defines the RADIUS server's login name during PPP authentication.

204

Token-Expiry

Defines the lifetime of a cached token.

205

Menu-Selector

Defines a string to be used to cue a user to input data.

206

Menu-Item

Specifies a single menu-item for a user-profile. Up to 20 menu items can be assigned per profile.

207

PW-Warntime

(Ascend 5) No description available.

208

PW-Lifetime

Enables you to specify on a per-user basis the number of days that a password is valid.

209

IP-Direct

Specifies in a user's file entry the IP address to which the Cisco router redirects packets from the user. When you include this attribute in a user's file entry, the Cisco router bypasses all internal routing and bridging tables and sends all packets received on this connection's WAN interface to the specified IP address.

210

PPP-VJ-Slot-Comp

Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link.

211

PPP-VJ-1172

Instructs PPP to use the 0x0037 value for VJ compression.

212

PPP-Async-Map

Gives the Cisco router the asynchronous control character map for the PPP session. The specified control characters are passed through the PPP link as data and used by applications running over the link.

213

Third-Prompt

Defines a third prompt (after username and password) for additional user input.

214

Send-Secret

Enables an encrypted password to be used in place of a regular password in outdial profiles.

215

Receive-Secret

Enables an encrypted password to be verified by the RADIUS server.

216

IPX-Peer-Mode

(Ascend 5) No description available.

217

IP-Pool-Definition

Defines a pool of addresses using the following format: X a.b.c Z; where X is the pool index number, a.b.c is the pool's starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment.

218

Assign-IP-Pool

Tells the router to assign the user and IP address from the IP pool.

219

FR-Direct

Defines whether the connection profile operates in Frame Relay redirect mode.

220

FR-Direct-Profile

Defines the name of the Frame Relay profile carrying this connection to the Frame Relay switch.

221

FR-Direct-DLCI

Indicates the DLCI carrying this connection to the Frame Relay switch.

222

Handle-IPX

Indicates how NCP watchdog requests will be handled.

223

Netware-Timeout

Defines, in minutes, how long the RADIUS server responds to NCP watchdog packets.

224

IPX-Alias

Allows you to define an alias for IPX routers requiring numbered interfaces.

225

Metric

No description available.

226

PRI-Number-Type

No description available.

227

Dial-Number

No description available.

228

Route-IP

Indicates whether IP routing is allowed for the user's file entry.

229

Route-IPX

Allows you to enable IPX routing.

230

Bridge

No description available.

231

Send-Auth

Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication.

232

Send-Passwd

No description available.

233

Link-Compression

Defines whether to turn on or turn off "stac" compression over a PPP link.

Link compression is defined as a numeric value as follows:

  • 0: None

  • 1: Stac

  • 2: Stac-Draft-9

  • 3: MS-Stac

234

Target-Util

Specifies the load-threshold percentage value for bringing up an additional channel when PPP multilink is defined.

235

Maximum-Channels

Specifies allowed/allocatable maximum number of channels.

236

Inc-Channel-Count

No description available.

237

Dec-Channel-Count

No description available.

238

Seconds-of-History

No description available.

239

History-Weigh-Type

No description available.

240

Add-Seconds

No description available.

241

Remove-Seconds

No description available.

242

Data-Filter

Defines per-user IP data filters. These filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied on a first-match basis; therefore, the order in which filter entries are entered is important.

243

Call-Filter

Defines per-user IP data filters. On a Cisco router, this attribute is identical to the Data-Filter attribute.

244

Idle-Limit

Specifies the maximum time (in seconds) that any session can be idle. When the session reaches the idle time limit, its connection is dropped.

245

Preempt-Limit

No description available.

246

Callback

Allows you to enable or disable callback.

247

Data-Svc

No description available.

248

Force-56

No description available.

249

Billing Number

No description available.

250

Call-By-Call

No description available.

251

Transit-Number

No description available.

252

Host-Info

No description available.

253

PPP-Address

Indicates the IP address reported to the calling unit during PPP IPCP negotiations.

254

MPP-Idle-Percent

No description available.

255

Xmit-Rate

(Ascend 5) No description available.

Table 34 lists the values and their meanings for the Disconnect-Cause (195) attribute.


Table 34: Disconnect-Cause Attribute Values
Value Description

Unknown (2)

Reason unknown.

CLID-Authentication-Failure (4)

Failure to authenticate calling-party number.

No-Carrier (10)

No carrier detected. This value applies to modem connections.

Lost-Carrier (11)

Loss of carrier. This value applies to modem connections.

No-Detected-Result-Codes (12)

Failure to detect modem result codes. This value applies to modem connections.

User-Ends-Session (20)

User terminates a session. This value applies to EXEC sessions.

Idle-Timeout (21)

Timeout waiting for user input. This value applies to all session types.

Exit-Telnet-Session (22)

Disconnect due to exiting Telnet session. This value applies to EXEC sessions.

No-Remote-IP-Addr (23)

Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions.

Exit-Raw-TCP (24)

Disconnect due to exiting raw TCP. This value applies to EXEC sessions.

Password-Fail (25)

Bad passwords. This value applies to EXEC sessions.

Raw-TCP-Disabled (26)

Raw TCP disabled. This value applies to EXEC sessions.

Control-C-Detected (27)

Control-C detected. This value applies to EXEC sessions.

EXEC-Process-Destroyed (28)

EXEC process destroyed. This value applies to EXEC sessions.

Timeout-PPP-LCP (40)

PPP LCP negotiation timed out. This value applies to PPP sessions.

Failed-PPP-LCP-Negotiation (41)

PPP LCP negotiation failed. This value applies to PPP sessions.

Failed-PPP-PAP-Auth-Fail (42)

PPP PAP authentication failed. This value applies to PPP sessions.

Failed-PPP-CHAP-Auth (43)

PPP CHAP authentication failed. This value applies to PPP sessions.

Failed-PPP-Remote-Auth (44)

PPP remote authentication failed. This value applies to PPP sessions.

PPP-Remote-Terminate (45)

PPP received a Terminate Request from remote end. This value applies to PPP sessions.

PPP-Closed-Event (46)

Upper layer requested that the session be closed. This value applies to PPP sessions.

Session-Timeout (100)

Session timed out. This value applies to all session types.

Session-Failed-Security (101)

Session failed for security reasons. This value applies to all session types.

Session-End-Callback (102)

Session terminated due to callback. This value applies to all session types.

Invalid-Protocol (120)

Call refused because the detected protocol is disabled. This value applies to all session types.


hometocprevnextglossaryfeedbacksearchhelp
Copyright 1989-1998 © Cisco Systems Inc.