This appendix provides a list of the dictionaries and their attribute-value pairs that are supported by CiscoSecure Access Control Server (ACS). You can also add your own set of attributes for custom solutions.
The CiscoSecure ACS supports many proprietary sets of attribute-value pairs, including those contained in the Cisco IOS Release 11.2, Ascend-RADIUS, and IETF-RADIUS (the set of RADIUS attribute-value pairs defined by the International Engineering Task Force). As such, you can use the CiscoSecure ACS to service a network access server (NAS) that is running any combination of configured Cisco, Ascend, or IETF-RADIUS-compliant attributes.
To provide this level of support, attribute sets are conveniently stored in units called dictionaries. A NAS that is using a given set of attribute-value pairs can easily exchange data with a CiscoSecure ACS that is loaded with the corresponding dictionary of attributes.
When setting up group and user profiles from the Members page of the Java-based CiscoSecure Administrator advanced configuration program, the available dictionaries are listed under the Options menu (see the section "Assigning RADIUS Attributes to a Group or User Profile," in the chapter "Advanced Group and User Management"). Depending on what attribute sets your NAS supports, you can specify one or more dictionaries as part of a User-Profile setup. By default, you always see dictionaries named RADIUS-Ascend, RADIUS-Cisco, and RADIUS-IETF.
By clicking the Dictionaries tab of the CiscoSecure Administrator advanced configuration program, you can specify custom attribute-value pairs you want on your CiscoSecure ACS. CiscoSecure ACS provides a special management tool that allows you to make a brand-new dictionary, or to make a copy of an existing dictionary and then modify its contents for special purposes. For details, see the sections "Dictionary of Cisco IOS RADIUS Attribute-Value Pairs," "Dictionary of IETF RADIUS Attributes" and "Dictionary of Ascend RADIUS Attributes" later in this appendix.
Depending on your NAS's implementation, the CiscoSecure ACS provides one of the following three attribute dictionaries:
The following sections contain dictionary translations for parsing requests and generating responses. All transactions are composed of attribute-value pairs. The value of each attribute is specified as one of five data types:
Enumerated values are stored in the user file with dictionary value translations for easy administration.
Before selecting attribute-value pairs for the CiscoSecure ACS, confirm that your NAS has Cisco IOS Release 11.2 or later or compatible NAS software, for RADIUS support.
The following table contains the attribute-value pairs provided in the Cisco IOS software.
| Attribute | Value | Type of Value |
|---|---|---|
| User-Name | 1 | string |
| Password | 2 | string |
| CHAP-Password | 3 | string |
| Client-Id | 4 | ipaddr |
| Client-Port-Id | 5 | integer |
| User-Service-Type | 6 | integer |
| Framed-Protocol | 7 | integer |
| Framed-Address | 8 | ipaddr |
| Framed-Netmask | 9 | ipaddr |
| Framed-Routing | 10 | integer |
| Framed-Filter-Id | 11 | string |
| Framed-MTU | 12 | integer |
| Framed-Compression | 13 | integer |
| Login-Host | 14 | ipaddr |
| Login-Service | 15 | integer |
| Login-TCP-Port | 16 | integer |
| Old-Password | 17 | string |
| Port-Message | 18 | string |
| Dialback-No | 19 | string |
| Dialback-Name | 20 | string |
| Expiration | 21 | date |
| Framed-Route | 22 | string |
| Framed-IPX-Network | 23 | ipaddr |
| Challenge-State | 24 | string |
| Vendor specific | 26 | string |
| Acct-Status-Type | 40 | integer |
| Acct-Delay-Time | 41 | integer |
| Acct-Input-Octets | 42 | integer |
| Acct-Output-Octets | 43 | integer |
| Acct-Session-Id | 44 | string |
| Acct-Authentic | 45 | integer |
| Acct-Session-Time | 46 | integer |
| Acct-Input-packets | 47 | integer |
| Acct-Output-packets | 48 | integer |
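
As an added example (not code from the Cisco documentation), the Python below shows how a dictionary like the table above drives parsing of the attribute block of a RADIUS request: each attribute is a one-byte number, a one-byte length that counts the two header bytes, and a value decoded according to its dictionary type. The `DICTIONARY` subset, the function names, the sample bytes, and the treatment of `date` as 32-bit seconds since 1970 are assumptions made for illustration.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Subset of the Cisco IOS dictionary table above: number -> (name, type).
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("Client-Id", "ipaddr"),
    5: ("Client-Port-Id", "integer"),
    12: ("Framed-MTU", "integer"),
    21: ("Expiration", "date"),
}

def decode_value(kind, raw):
    """Translate raw attribute bytes using the dictionary's value type."""
    if kind == "string":
        return raw.decode("utf-8", errors="replace")
    if len(raw) != 4:
        raise ValueError(f"{kind} value must be 4 bytes, got {len(raw)}")
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    number = struct.unpack("!I", raw)[0]
    if kind == "date":  # assumption: 32-bit seconds since 1970, UTC
        return datetime.fromtimestamp(number, tz=timezone.utc).isoformat()
    return number  # integer

def parse_attributes(data):
    """Walk the type/length/value triples of a RADIUS attribute block."""
    pairs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[offset], data[offset + 1]
        # Length counts the two header bytes; reject lengths that overrun.
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr}")
        raw = data[offset + 2:offset + length]
        # Attributes missing from the dictionary are kept as hex, not dropped.
        name, kind = DICTIONARY.get(attr, (f"Unknown-{attr}", "octets"))
        value = raw.hex() if kind == "octets" else decode_value(kind, raw)
        pairs.append((name, value))
        offset += length
    return pairs

# Constructed sample: User-Name "alice", Client-Id 192.0.2.10, Framed-MTU 1500.
SAMPLE = (bytes([1, 7]) + b"alice" + bytes([4, 6, 192, 0, 2, 10])
          + bytes([12, 6]) + struct.pack("!I", 1500))

if __name__ == "__main__":
    for name, value in parse_attributes(SAMPLE):
        print(f"{name} = {value}")
```

A NAS and server loaded with different dictionaries would disagree at the `DICTIONARY.get` step, which is why the parser surfaces unknown attribute numbers instead of silently skipping them.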
Table E-2 lists the dictionary of RADIUS IETF attributes.
Table E-3 lists the dictionary of supported Ascend attribute-value pairs.