|
|
CiscoSecure ACS 2.3 for Windows NT (CiscoSecure ACS) provides support for Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any of the supported attribute values.
Before selecting TACACS+ AV pairs for CiscoSecure ACS, confirm that your network access server (NAS) is running Cisco IOS Release 11.1 or later or compatible software.
For more information on TACACS+ AV pairs, see the Cisco IOS documentation.
| Attribute | Description | 11.1 | 11.2 | 11.3 |
|---|---|---|---|---|
acl= | ASCII number representing a connection access list. Used only when service=shell. | yes | yes | yes |
autocmd= | Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet domain.com). Used only with service=shell. | yes | yes | yes |
callback-line | The number of a TTY line to use for callback (for example, callback-line=4). Use with service=arap, service=slip, service=ppp, and service=shell. Not valid for ISDN. | yes | yes | yes |
callback-rotary | The number of a rotary group (from 0 through 100) to use for callback (for example, callback-rotary=34). Use with service=arap, service=slip, service=ppp, and service=shell. Not valid for ISDN. | yes | yes | yes |
cmd-arg= | An argument to a shell (EXEC) command. You can specify multiple cmd-arg attributes. Attributes are executed in order from left to right. | yes | yes | yes |
cmd= | A shell (EXEC) command. The command name for a shell command. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to. | yes | yes | yes |
dns-servers= | Identifies a primary or backup DNS server that can be requested by Microsoft PPP clients from the NAS during IPCP negotiation. Use with service=ppp and protocol=ip. Enter the IP address for each DNS server. | no | no | yes |
gw-password | Specifies the password for the home gateway during the L2F tunnel authentication. Use with service=ppp and protocol=vpdn. | no | yes | yes |
idletime= | Sets a value, in minutes, after which an idle session is terminated. Does not work with PPP. A value of zero indicates no timeout. | yes | yes | yes |
inacl#<n> | ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Use with service=ppp and protocol=ip and with service=ppp and protocol =ipx. Per-user access lists do not work with ISDN. | no | no | yes |
inacl= | ASCII identifier for an interface input access list. Use with service=ppp and protocol=ip. Per-user access lists do not work with ISDN. | yes | yes | yes |
interface-config= | Specifies user-specific AAA interface configuration information with Virtual Profiles. The information that follows the equal sign (=) can be any Cisco IOS interface configuration command. | no | no | yes |
ip-addresses | List of possible IP addresses, separated by spaces, that can be used for the end-point of a tunnel. Use with service=ppp and protocol=vpdn. | no | yes | yes |
link-compression= | Defines whether to turn on or turn off Stac compression over a PPP link. Link compression is one of the following:
| no | no | yes |
load-threshold=<n> | Sets the load threshold for the caller at which additional links are either added to or deleted from the multilink bundle. If the load goes above the specified value, additional links are added. If the load goes below the specified value, links are deleted. Use with service=ppp and protocol=multilink. The value <n> is a number from 1 through 255 | no | no | yes |
max-links=<n> | Restricts the number of links that a user can have in a multilink bundle. Use with service=ppp and protocol=multilink. The value <n> is a number from 1 through 255. | no | no | yes |
nas-password | Specifies the password for the NAS during the L2F tunnel authentication. Use with service=ppp and protocol=vpdn. | no | yes | yes |
nocallback-verify | Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Use with service=arap, service=slip, service=ppp, and service=shell. There is no authentication on callback. Not valid for ISDN. | yes | yes | yes |
noescape= | Disables use of the escape character. Use with service=shell. Can be either true or false (for example, noescape=true). | yes | yes | yes |
nohangup= | Use with service=shell. Specifies the nohangup option, which means that after an EXEC shell is terminated, the user is presented with another login (username) prompt. Can be either true or false (for example, nohangup=false). | yes | yes | yes |
old-prompts | Allows the prompts in TACACS+ to appear identical to those of earlier systems (TACACS and Extended TACACS). This allows you to make the upgrade from TACACS or Extended TACACS to TACACS+ transparent to users. | yes | yes | yes |
outacl#<n> | ASCII access list identifier for an interface output access list to be installed and applied to an interface during the current condition. Use with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. Per-user access lists do not work with ISDN. | no | no | yes |
outacl= | ASCII identifier for an interface output access list. Use with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must already be configured on the router. Per-user access lists do not work with ISDN. | yes | yes | yes |
pool-def#<n> | Defines IP address pools on the NAS. Use with service=ppp and protocol=ip. | no | no | yes |
pool-timeout= | In conjunction with pool-def, defines IP address pools on the NAS. During IPCP address negotiation, if an IP pool name is specified for a user (see the addr-pool attribute), a check is made that the named pool is defined on the NAS. If it is, the pool is consulted for an IP address. | no | yes | yes |
ppp-vj-slot- | Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link. | no | no | yes |
priv-lvl= | Privilege level to be assigned for the EXEC. Use with service=shell. Privilege levels range from 0 (lowest) through 15 (highest). | yes | yes | yes |
protocol= | A protocol that is a subset of a service. (for example, any PPP NCP). Values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, and unknown. | yes | yes | yes |
route | Specifies a route to be applied to an interface. Use with service=slip, service=ppp, and protocol=ip. During network authorization, you can use this attribute to specify a per-user static route to be installed by TACACS+ as follows: This indicates a temporary static route to be applied. The dst_address, mask, and gateway must be in dotted-decimal notation, with the same meanings as in the ip route configuration command on a NAS. If gateway is omitted, the peer's address is the gateway. The route is deleted when the connection terminates. | yes | yes | yes |
route#<n> | Like route, this attribute specifies a route to be applied to an interface, but these routes are numbered, allowing you to use multiple routes. Use with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. | no | no | yes |
routing= | Specifies whether routing information is to be propagated to and accepted from this interface. Use with service=slip, service=ppp, and protocol=ip. Equivalent to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). | yes | yes | yes |
rte-ftr-in#<n> | Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Use with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. | no | no | yes |
rte-ftr-out#<n> | Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Use with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. | no | no | yes |
sap#<n> | Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Use with service=ppp and protocol=ipx. | no | no | yes |
sap-fltr-in#<n> | Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Use with service=ppp and protocol=ipx. | no | no | yes |
sap-fltr-out#<n> | Specifies an output SAP filter access list definition to be installed and applied on the interface during the connection. Use with service=ppp and protocol=ipx. | no | no | yes |
service= | The primary service. Specify a service attribute to request authorization or accounting of that service. Values are slip, ppp, arap, shell, tty-daemon, connection, and system. Note This attribute is required. | yes | yes | yes |
source-ip= | The source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. | no | yes | yes |
timeout= | The number of minutes before an EXEC or ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Use with service=arap. | yes | yes | yes |
tunnel-id | Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is similar to the remote name in the vpdn outgoing command. Use with service=ppp and protocol=vpdn. | no | yes | yes |
wins-servers= | Identifies a Windows NT server to be requested by Microsoft PPP clients from the NAS during IPCP negotiation. Use with service=ppp and protocol=ip. Enter the IP address of each Windows NT server. | no | no | yes |
zonelist= | Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). A number. Use with service=arap. | yes | yes | yes |
.
| Attribute | Description | 11.1 | 11.2 | 11.3 |
|---|---|---|---|---|
bytes_in | The number of input bytes transferred during this connection. | yes | yes | yes |
bytes_out | The number of output bytes transferred during this connection. | yes | yes | yes |
cmd | The command the user executed. | yes | yes | yes |
data-rate | This AV pair has been renamed. See nas-rx-speed. |
|
|
|
disc-cause | Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting stop records. This attribute also causes stop records to be generated without first generating start records if disconnected before authentication. See the Cisco IOS documentation for a list of Disconnect-Cause values and their meanings. | no | no | yes |
disc-cause-ext | Extends the disc-cause attribute to support vendor-specific reasons that a connection was taken off-line. | no | no | yes |
elapsed_time | The elapsed time in seconds for the action. Useful when the device does not keep real time. | yes | yes | yes |
event | Information included in the accounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping. | yes | yes | yes |
mlp-links-max | Gives the count of links known to have been in a given multilink session at the time the accounting record is generated. | no | no | yes |
mlp-sess-id | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. This attribute is sent in authentication-response packets. | no | no | yes |
nas-rx-speed | Specifies the average number of bits per second over the course of the connection's lifetime. This attribute is sent in accounting stop records. | no | no | yes |
nas-tx-speed | Reports the transmit speed negotiated by the two modems. | no | no | yes |
paks_in | The number of input packets transferred during this connection. | yes | yes | yes |
paks_out | The number of output packets transferred during this connection. | yes | yes | yes |
port | The port into which the user was logged. | yes | yes | yes |
pre-bytes-in | Records the number of input bytes before authentication. This attribute is sent in accounting stop records. | no | no | yes |
pre-bytes-out | Records the number of output bytes before authentication. This attribute is sent in accounting stop records. | no | no | yes |
pre-paks-in | Records the number of input packets before authentication. This attribute is sent in accounting stop records. | no | no | yes |
pre-paks-out | Records the number of output packets before authentication. This attribute is sent in accounting stop records as Pre-Output-Packets. | no | no | yes |
pre-session-time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. | no | no | yes |
priv_level | The privilege level associated with the action. | yes | yes | yes |
protocol | The protocol associated with the action. | yes | yes | yes |
reason | Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or accounting reconfiguration (turned on or off). | yes | yes | yes |
service | The service the user used. | yes | yes | yes |
start_time | The time, in seconds since 12:00 a.m. January 1, 1970, that the action started. The clock must be configured to receive this information. | yes | yes | yes |
stop_time | The time, in seconds since 12:00 a.m. January 1, 1970, that the action stopped. The clock must be configured to receive this information. | yes | yes | yes |
task_id | Start and stop records for the same event must have matching (unique) task_id numbers. | yes | yes | yes |
timezone | The time zone abbreviation for all timestamps included in this packet. | yes | yes | yes |
xmit-rate | This AV pair has been renamed. See nas-tx-speed. |
|
|
|
|
|