|
|
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. This appendix lists the RADIUS attributes currently supported.
This appendix is divided into two different sections:
The first section lists the Cisco IOS releases in which supported Internet Engineering Task Force (IETF) RADIUS and vendor-proprietary RADIUS are implemented. The second section provides a comprehensive list and description of both IETF RADIUS and vendor-proprietary RADIUS attributes.
Table 28 lists and describes Cisco-supported IETF RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.
| Number | Attribute | 11.1 | 11.2 | 11.3 | 11.3 AA | 11.3T | 12.0 |
|---|---|---|---|---|---|---|---|
1 | User-Name | yes | yes | yes | yes | yes | yes |
2 | User-Password | yes | yes | yes | yes | yes | yes |
3 | CHAP-Password | yes | yes | yes | yes | yes | yes |
4 | NAS-IP Address | yes | yes | yes | yes | yes | yes |
5 | NAS-Port | yes | yes | yes | yes | yes | yes |
6 | Service-Type | yes | yes | yes | yes | yes | yes |
7 | Framed-Protocol | yes | yes | yes | yes | yes | yes |
8 | Framed-IP-Address | yes | yes | yes | yes | yes | yes |
9 | Framed-IP-Netmask | yes | yes | yes | yes | yes | yes |
10 | Framed-Routing | yes | yes | yes | yes | yes | yes |
11 | Filter-Id | yes | yes | yes | yes | yes | yes |
12 | Framed-MTU | yes | yes | yes | yes | yes | yes |
13 | Framed-Compression | yes | yes | yes | yes | yes | yes |
14 | Login-IP-Host | yes | yes | yes | yes | yes | yes |
15 | Login-Service | yes | yes | yes | yes | yes | yes |
16 | Login-TCP-Port | yes | yes | yes | yes | yes | yes |
18 | Reply-Message | yes | yes | yes | yes | yes | yes |
19 | Callback-Number | no | no | no | no | no | no |
20 | Callback-ID | no | no | no | no | no | no |
22 | Framed-Route | yes | yes | yes | yes | yes | yes |
23 | Framed-IPX-Network | no | no | no | no | no | no |
24 | State | yes | yes | yes | yes | yes | yes |
25 | Class | yes | yes | yes | yes | yes | yes |
26 | Vendor-Specific | yes | yes | yes | yes | yes | yes |
27 | Session-Timeout | yes | yes | yes | yes | yes | yes |
28 | Idle-Timeout | yes | yes | yes | yes | yes | yes |
29 | Termination-Action | no | no | no | no | no | no |
30 | Called-Station-Id | yes | yes | yes | yes | yes | yes |
31 | Calling-Station-Id | yes | yes | yes | yes | yes | yes |
32 | NAS-Identifier | no | no | no | no | no | no |
33 | Proxy-State | no | no | no | no | no | no |
34 | Login-LAT-Service | yes | yes | yes | yes | yes | yes |
35 | Login-LAT-Node | no | no | no | no | no | no |
36 | Login-LAT-Group | no | no | no | no | no | no |
37 | Framed-AppleTalk-Link | no | no | no | no | no | no |
38 | Framed-AppleTalk-Network | no | no | no | no | no | no |
39 | Framed-AppleTalk-Zone | no | no | no | no | no | no |
40 | Acct-Status-Type | yes | yes | yes | yes | yes | yes |
41 | Acct-Delay-Time | yes | yes | yes | yes | yes | yes |
42 | Acct-Input-Octets | yes | yes | yes | yes | yes | yes |
43 | Acct-Output-Octets | yes | yes | yes | yes | yes | yes |
44 | Acct-Session-Id | yes | yes | yes | yes | yes | yes |
45 | Acct-Authentic | yes | yes | yes | yes | yes | yes |
46 | Acct-Session-Time | yes | yes | yes | yes | yes | yes |
47 | Acct-Input-Packets | yes | yes | yes | yes | yes | yes |
48 | Acct-Output-Packets | yes | yes | yes | yes | yes | yes |
49 | Acct-Terminate-Cause | yes | yes | yes | yes | yes | yes |
50 | Acct-Multi-Session-Id1 | no | no | no | no | no | no |
51 | Acct-Link-Count2 | no | no | no | no | no | no |
60 | CHAP-Challenge | no | no | no | no | no | no |
61 | NAS-Port-Type | yes | yes | yes | yes | yes | yes |
62 | Port-Limit | yes | yes | yes | yes | yes | yes |
63 | Login-LAT-Port | no | no | no | no | no | no |
200 | IETF-Token-Immediate | no | no | no | no | no | no |
Table 29 lists and describes Cisco-supported vendor-proprietary RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.
| Number | Vendor-Proprietary Attribute | 11.1 | 11.2 | 11.3 | 11.3AA | 11.3T | 12.0 |
|---|---|---|---|---|---|---|---|
17 | Change-Password | no | no | yes | yes | yes | yes |
21 | Password-Expiration | no | no | yes | yes | yes | yes |
64 | Tunnel-Type | no | no | no | no | no | no |
65 | Tunnel-Medium-Type | no | no | no | no | no | no |
66 | Tunnel-Client-Endpoint | no | no | no | no | no | no |
67 | Tunnel-Server-Endpoint | no | no | no | no | no | no |
68 | Tunnel-ID | no | no | no | no | no | no |
108 | My-Endpoint-Disc-Alias | no | no | no | no | no | no |
109 | My-Name-Alias | no | no | no | no | no | no |
110 | Remote-FW | no | no | no | no | no | no |
111 | Multicast-GLeave-Delay | no | no | no | no | no | no |
112 | CBCP-Enable | no | no | no | no | no | no |
113 | CBCP-Mode | no | no | no | no | no | no |
114 | CBCP-Delay | no | no | no | no | no | no |
115 | CBCP-Trunk-Group | no | no | no | no | no | no |
116 | Appletalk-Route | no | no | no | no | no | no |
117 | Appletalk-Peer-Mode | no | no | no | no | no | no |
118 | Route-Appletalk | no | no | no | no | no | no |
119 | FCP-Parameter | no | no | no | no | no | no |
120 | Modem-PortNo | no | no | no | no | no | no |
121 | Modem-SlotNo | no | no | no | no | no | no |
122 | Modem-ShelfNo | no | no | no | no | no | no |
123 | Call-Attempt-Limit | no | no | no | no | no | no |
124 | Call-Block-Duration | no | no | no | no | no | no |
125 | Maximum-Call-Duration | no | no | no | no | no | no |
126 | Router-Preference | no | no | no | no | no | no |
127 | Tunneling-Protocol | no | no | no | no | no | no |
128 | Shared-Profile-Enable | no | no | no | no | no | no |
129 | Primary-Home-Agent | no | no | no | no | no | no |
130 | Secondary-Home-Agent | no | no | no | no | no | no |
131 | Dialout-Allowed | no | no | no | no | no | no |
133 | BACP-Enable | no | no | no | no | no | no |
134 | DHCP-Maximum-Leases | no | no | no | no | no | no |
135 | Primary-DNS-Server | no | no | no | no | yes | yes |
136 | Secondary-DNS-Server | no | no | no | no | yes | yes |
137 | Client-Assign-DNS | no | no | no | no | no | no |
138 | User-Acct-Type | no | no | no | no | no | no |
139 | User-Acct-Host | no | no | no | no | no | no |
140 | User-Acct-Port | no | no | no | no | no | no |
141 | User-Acct-Key | no | no | no | no | no | no |
142 | User-Acct-Base | no | no | no | no | no | no |
143 | User-Acct-Time | no | no | no | no | no | no |
144 | Assign-Ip-Client | no | no | no | no | no | no |
145 | Assign-IP-Server | no | no | no | no | no | no |
146 | Assign-IP-Global-Pool | no | no | no | no | no | no |
147 | DHCP-Reply | no | no | no | no | no | no |
148 | DHCP-Pool-Number | no | no | no | no | no | no |
149 | Expect-Callback | no | no | no | no | no | no |
150 | Event-Type | no | no | no | no | no | no |
151 | Session-Svr-Key | no | no | no | no | no | no |
152 | Multicast-Rate-Limit | no | no | no | no | no | no |
153 | IF-Netmask | no | no | no | no | no | no |
154 | Remote-Addr | no | no | no | no | no | no |
155 | Multicast-Client | no | no | no | no | no | no |
156 | FR-Circuit-Name | no | no | no | no | no | no |
157 | FR-LinkUp | no | no | no | no | no | no |
158 | FR-Nailed-Grp | no | no | no | no | no | no |
159 | FR-Type | no | no | no | no | no | no |
160 | FR-Link-Mgt | no | no | no | no | no | no |
161 | FR-N391 | no | no | no | no | no | no |
162 | FR-DCE-N392 | no | no | no | no | no | no |
163 | FR-DTE-N392 | no | no | no | no | no | no |
164 | FR-DCE-N393 | no | no | no | no | no | no |
165 | FR-DTE-N393 | no | no | no | no | no | no |
166 | FR-T391 | no | no | no | no | no | no |
167 | FR-T392 | no | no | no | no | no | no |
168 | Bridge-Address | no | no | no | no | no | no |
169 | TS-Idle-Limit | no | no | no | no | no | no |
170 | TS-Idle-Mode | no | no | no | no | no | no |
171 | DBA-Monitor | no | no | no | no | no | no |
172 | Base-Channel-Count | no | no | no | no | no | no |
173 | Minimum-Channels | no | no | no | no | no | no |
174 | IPX-Route | no | no | no | no | no | no |
175 | FT1-Caller | no | no | no | no | no | no |
176 | Backup | no | no | no | no | no | no |
177 | Call-Type | no | no | no | no | no | no |
178 | Group | no | no | no | no | no | no |
179 | FR-DLCI | no | no | no | no | no | no |
180 | FR-Profile-Name | no | no | no | no | no | no |
181 | Ara-PW | no | no | no | no | no | no |
182 | IPX-Node-Addr | no | no | no | no | no | no |
183 | Home-Agent-IP-Addr | no | no | no | no | no | no |
184 | Home-Agent-Password | no | no | no | no | no | no |
185 | Home-Network-Name | no | no | no | no | no | no |
186 | Home-Agent-UDP-Port | no | no | no | no | no | no |
187 | Multilink-ID | no | no | no | no | yes | yes |
188 | Num-In-Multilink | no | no | no | no | yes | yes |
189 | First-Dest | no | no | no | no | no | no |
190 | Pre-Input-Octets | no | no | no | no | yes | yes |
191 | Pre-Output-Octets | no | no | no | no | yes | yes |
192 | Pre-Input-Packets | no | no | no | no | yes | yes |
193 | Pre-Output-Packets | no | no | no | no | yes | yes |
194 | Maximum-Time | no | no | yes | yes | yes | yes |
195 | Disconnect-Cause | no | no | yes | yes | yes | yes |
196 | Connect-Progress | no | no | no | no | no | no |
197 | Data-Rate | no | no | no | no | yes | yes |
198 | PreSession-Time | no | no | no | no | yes | yes |
199 | Token-Idle | no | no | no | no | no | no |
201 | Require-Auth | no | no | no | no | no | no |
202 | Number-Sessions | no | no | no | no | no | no |
203 | Authen-Alias | no | no | no | no | no | no |
204 | Token-Expiry | no | no | no | no | no | no |
205 | Menu-Selector | no | no | no | no | no | no |
206 | Menu-Item | no | no | no | no | no | no |
207 | PW-Warntime | no | no | no | no | no | no |
208 | PW-Lifetime | no | no | yes | yes | yes | yes |
209 | IP-Direct | no | no | no | no | no | no |
210 | PPP-VJ-Slot-Comp | no | no | yes | yes | yes | yes |
211 | PPP-VJ-1172 | no | no | no | no | no | no |
212 | PPP-Async-Map | no | no | no | no | no | no |
213 | Third-Prompt | no | no | no | no | no | no |
214 | Send-Secret | no | no | no | no | no | no |
215 | Receive-Secret | no | no | no | no | no | no |
216 | IPX-Peer-Mode | no | no | no | no | no | no |
217 | IP-Pool-Definition | no | no | yes | yes | yes | yes |
218 | Assign-IP-Pool | no | no | yes | yes | yes | yes |
219 | FR-Direct | no | no | no | no | no | no |
220 | FR-Direct-Profile | no | no | no | no | no | no |
221 | FR-Direct-DLCI | no | no | no | no | no | no |
222 | Handle-IPX | no | no | no | no | no | no |
223 | Netware-Timeout | no | no | no | no | no | no |
224 | IPX-Alias | no | no | no | no | no | no |
225 | Metric | no | no | no | no | no | no |
226 | PRI-Number-Type | no | no | no | no | no | no |
227 | Dial-Number | no | no | no | no | no | no |
228 | Route-IP | no | no | yes | yes | yes | yes |
229 | Route-IPX | no | no | no | no | no | no |
230 | Bridge | no | no | no | no | no | no |
231 | Send-Auth | no | no | no | no | no | no |
232 | Send-Passwd | no | no | no | no | no | no |
233 | Link-Compression | no | no | yes | yes | yes | yes |
234 | Target-Util | no | no | yes | yes | yes | yes |
235 | Maximum-Channels | no | no | yes | yes | yes | yes |
236 | Inc-Channel-Count | no | no | no | no | no | no |
237 | Dec-Channel-Count | no | no | no | no | no | no |
238 | Seconds-of-History | no | no | no | no | no | no |
239 | History-Weigh-Type | no | no | no | no | no | no |
240 | Add-Seconds | no | no | no | no | no | no |
241 | Remove-Seconds | no | no | no | no | no | no |
242 | Data-Filter | no | no | yes | yes | yes | yes |
243 | Call-Filter | no | no | no | no | no | no |
244 | Idle-Limit | no | no | yes | yes | yes | yes |
245 | Preempt-Limit | no | no | no | no | no | no |
246 | Callback | no | no | no | no | no | no |
247 | Data-Svc | no | no | no | no | no | no |
248 | Force-56 | no | no | no | no | no | no |
249 | Billing Number | no | no | no | no | no | no |
250 | Call-By-Call | no | no | no | no | no | no |
251 | Transit-Number | no | no | no | no | no | no |
252 | Host-Info | no | no | no | no | no | no |
253 | PPP-Address | no | no | no | no | no | no |
254 | MPP-Idle-Percent | no | no | no | no | no | no |
255 | Xmit-Rate | no | no | no | yes | yes | yes |
For more information about Cisco's implementation of RADIUS, refer to the "Configuring RADIUS" chapter.
The following two sections provide a comprehensive listing and description of known RADIUS attributes:
Table 30 lists and describes IETF RADIUS attributes. In cases where the attribute has a security server-specific format, the format is specified.
| Number | Attribute | Description |
|---|---|---|
1 | User-Name | Indicates the name of the user being authenticated. |
2 | User-Password | Indicates the user's password or the user's input following an Access-Challenge. Passwords longer than 16 characters are encrypted using the IETF Draft #2 (or later) specifications. |
3 | CHAP-Password | Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to an Access-Challenge. |
4 | NAS-IP Address | Specifies the IP address of the network access server that is requesting authentication. |
5 | NAS-Port | Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command.) Each 16-bit number should be viewed as a 5-digit decimal integer for interpretation as follows: For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number. For ordinary synchronous network interface, the value is 10xxx. For channels on a primary rate ISDN interface, the value is 2ppcc. For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss. |
6 | Service-Type | Indicates the type of service requested or the type of service to be provided.
Exec User—Start an EXEC session. Service type is indicated by a particular numeric value as follows:
|
7 | Framed-Protocol | Indicates the framing to be used for framed access. Framing is indicated by a numeric value as follows:
|
8 | Framed-IP-Address | Indicates the IP address to be configured for the user. |
9 | Framed-IP-Netmask | Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified. |
10 | Framed-Routing | Indicates the routing method for the user when the user is a router to a network. Only "None" and "Send and Listen" values are supported for this attribute. Routing method is indicated by a numeric value as follows:
|
11 | Filter-Id | Indicates the name of the filter list for the user and is formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list, and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer. |
12 | Framed-MTU | Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means. |
13 | Framed-Compression | Indicates a compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. Compression protocol is indicated by a numeric value as follows:
|
14 | Login-IP-Host | Indicates the host to which the user will connect when the Login-Service attribute is included. |
15 | Login-Service | Indicates the service that should be used to connect the user to the login host. Service is indicated by a numeric value as follows:
|
16 | Login-TCP-Port | Defines the TCP port with which the user is to be connected when the Login-Service attribute is also present. |
18 | Reply-Message | Indicates text that might be displayed to the user. |
19 | Callback-Number | Defines a dialing string to be used for callback. |
20 | Callback-ID | Defines the name (consisting of one or more octets) of a place to be called, to be interpreted by the network access server. |
22 | Framed-Route | Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored. |
23 | Framed-IPX-Network | Defines the IPX network number configured for the user. |
24 | State | Allows state information to be maintained between the network access server and the RADIUS server. This attribute is applicable only to CHAP challenges. |
25 | Class | (Accounting) Arbitrary value that the network access server includes in all accounting packets for this user if supplied by the RADIUS server. |
26 | Vendor-Specific | Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format: protocol : attribute sep value
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AVpair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example: cisco-avpair= "ip:addr-pool=first" cisco-avpair= "shell:priv-lvl=15"
The first example causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a user logging in from a network access server to have immediate access to EXEC commands. Table 31 provides a complete list of supported TACACS+ attribute/value (AV) pairs that can be used with IETF Attribute 26. Cisco has added two new vendor-specific RADIUS attributes (IETF Attribute 26) to enable RADIUS to support MS-CHAP:
|
27 | Session-Timeout | Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user "absolute timeout." |
28 | Idle-Timeout | Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout." |
29 | Termination-Action | Termination is indicated by a numeric value as follows:
|
30 | Called-Station-Id | (Accounting) Allows the network access server to send the telephone number the user called as part of the Access-Request packet (using Dialed Number Identification [DNIS] or similar technology). This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. |
31 | Calling-Station-Id | (Accounting) Allows the network access server to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI. |
32 | NAS-Identifier | String identifying the network access server originating the Access-Request. |
33 | Proxy-State | Attribute that can be sent by a proxy server to another server when forwarding Access-Requests; this must be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge and removed by the proxy server before sending the response to the network access server. |
34 | Login-LAT-Service | Indicates the system with which the user is to be connected by LAT. This attribute is only available in the EXEC mode. |
35 | Login-LAT-Node | Indicates the node with which the user is to be automatically connected by LAT. |
36 | Login-LAT-Group | Identifies the LAT group codes that this user is authorized to use. |
37 | Framed-AppleTalk-Link | Indicates the AppleTalk network number that should be used for serial links to the user, which is another AppleTalk router. |
38 | Framed-AppleTalk-Network | Indicates the AppleTalk network number that the network access server uses to allocate an AppleTalk node for the user. |
39 | Framed-AppleTalk-Zone | Indicates the AppleTalk Default Zone to be used for this user. |
40 | Acct-Status-Type | (Accounting) Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop). |
41 | Acct-Delay-Time | (Accounting) Indicates how many seconds the client has been trying to send a particular record. |
42 | Acct-Input-Octets | (Accounting) Indicates how many octets have been received from the port over the course of this service being provided. |
43 | Acct-Output-Octets | (Accounting) Indicates how many octets have been sent to the port in the course of delivering this service. |
44 | Acct-Session-Id | (Accounting) A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session ID numbers restart at 1 each time the router is power cycled or the software is reloaded. |
45 | Acct-Authentic | (Accounting) Indicates how the user was authenticated, whether by RADIUS, the network access server itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. |
46 | Acct-Session-Time | (Accounting) Indicates how long (in seconds) the user has received service. |
47 | Acct-Input-Packets | (Accounting) Indicates how many packets have been received from the port over the course of this service being provided to a framed user. |
48 | Acct-Output-Packets | (Accounting) Indicates how many packets have been sent to the port in the course of delivering this service to a framed user. |
49 | Acct-Terminate-Cause | (Accounting) Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:
|
50 | Acct-Multi-Session-Id1 | (Accounting) A unique accounting identifier used to link multiple related sessions in a log file. Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id. |
51 | Acct-Link-Count2 | (Accounting) Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links. |
60 | CHAP-Challenge | Contains the Challenge Handshake Authentication Protocol challenge sent by the network access server to a PPP CHAP user. |
61 | NAS-Port-Type | Indicates the type of physical port the network access server is using to authenticate the user. Physical ports are indicated by a numeric value as follows:
|
62 | Port-Limit | Sets the maximum number of ports to be provided to the user by the network access server. |
63 | Login-LAT-Port | Defines the port with which the user is to be connected by LAT. |
200 | IETF-Token-Immediate | Determines how RADIUS treats passwords received from login-users when their file entry specifies a hand-held security card server. The value for this attribute is indicated by a numeric value as follows:
|
Table 31 lists the supported TACACS+ AV pairs and their meanings for the Vendor-Specific (26) attribute. For more information about TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.
| Attribute | Description |
|---|---|
service=x | The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. |
protocol=x | A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, and unknown. |
cmd=x | A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to. |
cmd-arg=x | An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified, and they are order-dependent. |
acl=x | ASCII number representing a connection access list. Used only when service=shell. |
inacl=x | ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. Per-user access lists do not currently work with ISDN interfaces. |
inacl#<n> | ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol =ipx. Per-user access lists do not currently work with ISDN interfaces. |
outacl=x | ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. |
outacl#<n> | ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current condition. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces. |
zonelist=x | A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). |
addr=x | A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=10.2.3.4. |
addr-pool=x | Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip. Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip-local pool command to declare local pools. For example: You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address. |
routing=x | Specifies whether routing information is to be propagated to and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). |
route | Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip. During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows: This indicates a temporary static route that is to be applied. The dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server. If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates. |
route#<n> | Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. |
timeout=x | The number of minutes before an EXEC or ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. |
idletime=x | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. |
autocmd=x | Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. |
noescape=x | Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). |
nohangup=x | Used with service=shell. Specifies the nohangup option, which means that after an EXEC shell is terminated, the user is presented with another login (username) prompt. Can be either true or false (for example, nohangup=false). |
priv-lvl=x | Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. |
callback-dialstring | Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service might choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
callback-line | The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
callback-rotary | The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
nocallback-verify | Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. |
tunnel-id | Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. |
ip-addresses | Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. |
nas-password | Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
gw-password | Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
rte-ftr-in#<n> | Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
rte-ftr-out#<n> | Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
sap#<n> | Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. |
sap-fltr-in#<n> | Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
sap-fltr-out#<n> | Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
pool-def#<n> | Defines IP address pools on the network access server. Used with service=ppp and protocol=ip. |
pool-timeout= | Defines (in conjunction with pool-def) IP address pools on the network access server. During IPCP address negotiation, if an IP pool name is specified for a user (see the addr-pool attribute), a check is made to see if the named pool is defined on the network access server. If it is, the pool is consulted for an IP address. |
source-ip=x | Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. |
max-links=<n> | Restricts the number of links that a user can have in a multilink bundle. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
load-threshold=<n> | Sets the load threshold at which additional links are either added to or deleted from the multilink bundle. If the load goes above the specified value, additional links are added. If the load goes below the specified value, links are deleted. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
interface-config= | Specifies user-specific AAA interface configuration information with virtual profiles. The information that follows the equal sign (=) can be any Cisco IOS interface configuration command. |
ppp-vj-slot- | Instructs the Cisco router not to use slot compression when sending Van Jacobsen-compressed packets over a PPP link. |
link-compression= | Defines whether to turn on or turn off "stac" compression over a PPP link. Link compression is defined as a numeric value as follows:
|
old-prompts | Allows providers to make the prompts in TACACS+ appear identical to those of earlier systems (TACACS and Extended TACACS). This allows administrators to upgrade from TACACS/Extended TACACS to TACACS+ transparently to users. |
dns-servers= | Identifies a DNS server (primary or secondary) that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each DNS server is entered in dotted decimal format. |
wins-servers= | Identifies a Windows NT server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each Windows NT server is entered in dotted decimal format. |
Table 32 lists the supported TACACS+ accounting AV pairs and their meanings for the Vendor-Specific (26) attribute. For more information about TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.
| Attribute | Description |
|---|---|
service | The service the user used. |
port | The port the user was logged in to. |
task_id | Start and stop records for the same event must have matching (unique) task_id numbers. |
start_time | The time the action started (in seconds since the epoch, 12:00 a.m. Jan 1 1970). The clock must be configured to receive this information. |
stop_time | The time the action stopped (in seconds since the epoch.) The clock must be configured to receive this information. |
elapsed_time | The elapsed time in seconds for the action. Useful when the device does not keep real time. |
timezone | The time zone abbreviation for all timestamps included in this packet. |
priv_level | The privilege level associated with the action. |
cmd | The command the user executed. |
protocol | The protocol associated with the action. |
bytes_in | The number of input bytes transferred during this connection. |
bytes_out | The number of output bytes transferred during this connection. |
paks_in | The number of input packets transferred during this connection. |
paks_out | The number of output packets transferred during this connection. |
event | Information included in the accounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping. |
reason | Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or when accounting is reconfigured (turned on or off). |
mlp-sess-id | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. This attribute is sent in authentication-response packets. |
mlp-links-max | Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. |
disc-cause | Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 34 for a list of Disconnect-Cause values and their meanings. |
disc-cause-ext | Extends the disc-cause attribute to support vendor-specific reasons that a connection was taken off-line. |
pre-bytes-in | Records the number of input bytes before authentication. This attribute is sent in accounting-stop records. |
pre-bytes-out | Records the number of output bytes before authentication. This attribute is sent in accounting-stop records. |
pre-paks-in | Records the number of input packets before authentication. This attribute is sent in accounting-stop records. |
pre-paks-out | Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
pre-session-time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. |
data-rate | Specifies the average number of bits per second over the course of the connection's lifetime. This attribute is sent in accounting-stop records. |
xmit-rate | Reports the transmit speed negotiated by the two modems. |
Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Table 33 lists the known vendor-proprietary RADIUS attributes:
| Number | Vendor-Proprietary Attribute | Description |
|---|---|---|
17 | Change-Password | Specifies a request to change a user's password. |
21 | Password-Expiration | Specifies an expiration date for a user's password in the user's file entry. |
64 | Tunnel-Type | (Ascend 5) No description available. |
65 | Tunnel-Medium-Type | (Ascend 5) No description available. |
66 | Tunnel-Client-Endpoint | (Ascend 5) No description available. |
67 | Tunnel-Server-Endpoint | (Ascend 5) No description available. |
68 | Tunnel-ID | (Ascend 5) No description available. |
108 | My-Endpoint-Disc-Alias | (Ascend 5) No description available. |
109 | My-Name-Alias | (Ascend 5) No description available. |
110 | Remote-FW | (Ascend 5) No description available. |
111 | Multicast-GLeave-Delay | (Ascend 5) No description available. |
112 | CBCP-Enable | (Ascend 5) No description available. |
113 | CBCP-Mode | (Ascend 5) No description available. |
114 | CBCP-Delay | (Ascend 5) No description available. |
115 | CBCP-Trunk-Group | (Ascend 5) No description available. |
116 | Appletalk-Route | (Ascend 5) No description available. |
117 | Appletalk-Peer-Mode | (Ascend 5) No description available. |
118 | Route-Appletalk | (Ascend 5) No description available. |
119 | FCP-Parameter | (Ascend 5) No description available. |
120 | Modem-PortNo | (Ascend 5) No description available. |
121 | Modem-SlotNo | (Ascend 5) No description available. |
122 | Modem-ShelfNo | (Ascend 5) No description available. |
123 | Call-Attempt-Limit | (Ascend 5) No description available. |
124 | Call-Block-Duration | (Ascend 5) No description available. |
125 | Maximum-Call-Duration | (Ascend 5) No description available. |
126 | Router-Preference | (Ascend 5) No description available. |
127 | Tunneling-Protocol | (Ascend 5) No description available. |
128 | Shared-Profile-Enable | (Ascend 5) No description available. |
129 | Primary-Home-Agent | (Ascend 5) No description available. |
130 | Secondary-Home-Agent | (Ascend 5) No description available. |
131 | Dialout-Allowed | (Ascend 5) No description available. |
133 | BACP-Enable | (Ascend 5) No description available. |
134 | DHCP-Maximum-Leases | (Ascend 5) No description available. |
135 | Primary-DNS-Server | Identifies a primary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. |
136 | Secondary-DNS-Server | Identifies a secondary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. |
137 | Client-Assign-DNS | No description available. |
138 | User-Acct-Type | No description available. |
139 | User-Acct-Host | No description available. |
140 | User-Acct-Port | No description available. |
141 | User-Acct-Key | No description available. |
142 | User-Acct-Base | No description available. |
143 | User-Acct-Time | No description available. |
144 | Assign-Ip-Client | No description available. |
145 | Assign-IP-Server | No description available. |
146 | Assign-IP-Global-Pool | No description available. |
147 | DHCP-Reply | No description available. |
148 | DHCP-Pool-Number | No description available. |
149 | Expect-Callback | No description available. |
150 | Event-Type | No description available. |
151 | Session-Svr-Key | No description available. |
152 | Multicast-Rate-Limit | No description available. |
153 | IF-Netmask | No description available. |
154 | Remote-Addr | No description available. |
155 | Multicast-Client | No description available. |
156 | FR-Circuit-Name | No description available. |
157 | FR-LinkUp | No description available. |
158 | FR-Nailed-Grp | No description available. |
159 | FR-Type | No description available. |
160 | FR-Link-Mgt | No description available. |
161 | FR-N391 | No description available. |
162 | FR-DCE-N392 | No description available. |
163 | FR-DTE-N392 | No description available. |
164 | FR-DCE-N393 | No description available. |
165 | FR-DTE-N393 | No description available. |
166 | FR-T391 | No description available. |
167 | FR-T392 | No description available. |
168 | Bridge-Address | No description available. |
169 | TS-Idle-Limit | No description available. |
170 | TS-Idle-Mode | No description available. |
171 | DBA-Monitor | No description available. |
172 | Base-Channel-Count | No description available. |
173 | Minimum-Channels | No description available. |
174 | IPX-Route | No description available. |
175 | FT1-Caller | No description available. |
176 | Backup | No description available. |
177 | Call-Type | No description available. |
178 | Group | No description available. |
179 | FR-DLCI | No description available. |
180 | FR-Profile-Name | No description available. |
181 | Ara-PW | No description available. |
182 | IPX-Node-Addr | No description available. |
183 | Home-Agent-IP-Addr | Indicates the home agent's IP address (in dotted decimal format) when using Ascend Tunnel Management Protocol (ATMP). |
184 | Home-Agent-Password | With ATMP, specifies the password that the foreign agent uses to authenticate itself. |
185 | Home-Network-Name | With ATMP, indicates the name of the connection profile to which the home agent sends all packets. |
186 | Home-Agent-UDP-Port | Indicates the UDP port number the foreign agent uses to send ATMP messages to the home agent. |
187 | Multilink-ID | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. The Multilink-ID attribute is sent in authentication-response packets. |
188 | Num-In-Multilink | Reports the number of sessions remaining in a multilink bundle when the session reported in an accounting-stop packet closes. This attribute applies to sessions that are part of a multilink bundle. The Num-In-Multilink attribute is sent in authentication-response packets and in some accounting-request packets. |
189 | First-Dest | Records the destination IP address of the first packet received after authentication. |
190 | Pre-Input-Octets | Records the number of input octets before authentication. The Pre-Input-Octets attribute is sent in accounting-stop records. |
191 | Pre-Output-Octets | Records the number of output octets before authentication. The Pre-Output-Octets attribute is sent in accounting-stop records. |
192 | Pre-Input-Packets | Records the number of input packets before authentication. The Pre-Input-Packets attribute is sent in accounting-stop records. |
193 | Pre-Output-Packets | Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
194 | Maximum-Time | Specifies the maximum length of time (in seconds) allowed for any session. After the session reaches the time limit, its connection is dropped. |
195 | Disconnect-Cause | Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 34 for a list of Disconnect-Cause values and their meanings. |
196 | Connect-Progress | Indicates the connection state before the connection is disconnected. |
197 | Data-Rate | Specifies the average number of bits per second over the course of the connection's lifetime. The Data-Rate attribute is sent in accounting-stop records. |
198 | PreSession-Time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. The PreSession-Time attribute is sent in accounting-stop records. |
199 | Token-Idle | Indicates the maximum amount of time (in minutes) a cached token can remain alive between authentications. |
201 | Require-Auth | Defines whether additional authentication is required for class that has been CLID authenticated. |
202 | Number-Sessions | Specifies the number of active sessions (per class) reported to the RADIUS accounting server. |
203 | Authen-Alias | Defines the RADIUS server's login name during PPP authentication. |
204 | Token-Expiry | Defines the lifetime of a cached token. |
205 | Menu-Selector | Defines a string to be used to cue a user to input data. |
206 | Menu-Item | Specifies a single menu-item for a user-profile. Up to 20 menu items can be assigned per profile. |
207 | PW-Warntime | (Ascend 5) No description available. |
208 | PW-Lifetime | Enables you to specify on a per-user basis the number of days that a password is valid. |
209 | IP-Direct | Specifies in a user's file entry the IP address to which the Cisco router redirects packets from the user. When you include this attribute in a user's file entry, the Cisco router bypasses all internal routing and bridging tables and sends all packets received on this connection's WAN interface to the specified IP address. |
210 | PPP-VJ-Slot-Comp | Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link. |
211 | PPP-VJ-1172 | Instructs PPP to use the 0x0037 value for VJ compression. |
212 | PPP-Async-Map | Gives the Cisco router the asynchronous control character map for the PPP session. The specified control characters are passed through the PPP link as data and used by applications running over the link. |
213 | Third-Prompt | Defines a third prompt (after username and password) for additional user input. |
214 | Send-Secret | Enables an encrypted password to be used in place of a regular password in outdial profiles. |
215 | Receive-Secret | Enables an encrypted password to be verified by the RADIUS server. |
216 | IPX-Peer-Mode | (Ascend 5) No description available. |
217 | IP-Pool-Definition | Defines a pool of addresses using the following format: X a.b.c Z; where X is the pool index number, a.b.c is the pool's starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment. |
218 | Assign-IP-Pool | Tells the router to assign the user and IP address from the IP pool. |
219 | FR-Direct | Defines whether the connection profile operates in Frame Relay redirect mode. |
220 | FR-Direct-Profile | Defines the name of the Frame Relay profile carrying this connection to the Frame Relay switch. |
221 | FR-Direct-DLCI | Indicates the DLCI carrying this connection to the Frame Relay switch. |
222 | Handle-IPX | Indicates how NCP watchdog requests will be handled. |
223 | Netware-Timeout | Defines, in minutes, how long the RADIUS server responds to NCP watchdog packets. |
224 | IPX-Alias | Allows you to define an alias for IPX routers requiring numbered interfaces. |
225 | Metric | No description available. |
226 | PRI-Number-Type | No description available. |
227 | Dial-Number | No description available. |
228 | Route-IP | Indicates whether IP routing is allowed for the user's file entry. |
229 | Route-IPX | Allows you to enable IPX routing. |
230 | Bridge | No description available. |
231 | Send-Auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. |
232 | Send-Passwd | No description available. |
233 | Link-Compression | Defines whether to turn on or turn off "stac" compression over a PPP link. Link compression is defined as a numeric value as follows:
|
234 | Target-Util | Specifies the load-threshold percentage value for bringing up an additional channel when PPP multilink is defined. |
235 | Maximum-Channels | Specifies allowed/allocatable maximum number of channels. |
236 | Inc-Channel-Count | No description available. |
237 | Dec-Channel-Count | No description available. |
238 | Seconds-of-History | No description available. |
239 | History-Weigh-Type | No description available. |
240 | Add-Seconds | No description available. |
241 | Remove-Seconds | No description available. |
242 | Data-Filter | Defines per-user IP data filters. These filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied on a first-match basis; therefore, the order in which filter entries are entered is important. |
243 | Call-Filter | Defines per-user IP data filters. On a Cisco router, this attribute is identical to the Data-Filter attribute. |
244 | Idle-Limit | Specifies the maximum time (in seconds) that any session can be idle. When the session reaches the idle time limit, its connection is dropped. |
245 | Preempt-Limit | No description available. |
246 | Callback | Allows you to enable or disable callback. |
247 | Data-Svc | No description available. |
248 | Force-56 | No description available. |
249 | Billing Number | No description available. |
250 | Call-By-Call | No description available. |
251 | Transit-Number | No description available. |
252 | Host-Info | No description available. |
253 | PPP-Address | Indicates the IP address reported to the calling unit during PPP IPCP negotiations. |
254 | MPP-Idle-Percent | No description available. |
255 | Xmit-Rate | (Ascend 5) No description available. |
Table 34 lists the values and their meanings for the Disconnect-Cause (195) attribute.
| Value | Description |
|---|---|
Unknown (2) | Reason unknown. |
CLID-Authentication-Failure (4) | Failure to authenticate calling-party number. |
No-Carrier (10) | No carrier detected. This value applies to modem connections. |
Lost-Carrier (11) | Loss of carrier. This value applies to modem connections. |
No-Detected-Result-Codes (12) | Failure to detect modem result codes. This value applies to modem connections. |
User-Ends-Session (20) | User terminates a session. This value applies to EXEC sessions. |
Idle-Timeout (21) | Timeout waiting for user input. This value applies to all session types. |
Exit-Telnet-Session (22) | Disconnect due to exiting Telnet session. This value applies to EXEC sessions. |
No-Remote-IP-Addr (23) | Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions. |
Exit-Raw-TCP (24) | Disconnect due to exiting raw TCP. This value applies to EXEC sessions. |
Password-Fail (25) | Bad passwords. This value applies to EXEC sessions. |
Raw-TCP-Disabled (26) | Raw TCP disabled. This value applies to EXEC sessions. |
Control-C-Detected (27) | Control-C detected. This value applies to EXEC sessions. |
EXEC-Process-Destroyed (28) | EXEC process destroyed. This value applies to EXEC sessions. |
Timeout-PPP-LCP (40) | PPP LCP negotiation timed out. This value applies to PPP sessions. |
Failed-PPP-LCP-Negotiation (41) | PPP LCP negotiation failed. This value applies to PPP sessions. |
Failed-PPP-PAP-Auth-Fail (42) | PPP PAP authentication failed. This value applies to PPP sessions. |
Failed-PPP-CHAP-Auth (43) | PPP CHAP authentication failed. This value applies to PPP sessions. |
Failed-PPP-Remote-Auth (44) | PPP remote authentication failed. This value applies to PPP sessions. |
PPP-Remote-Terminate (45) | PPP received a Terminate Request from remote end. This value applies to PPP sessions. |
PPP-Closed-Event (46) | Upper layer requested that the session be closed. This value applies to PPP sessions. |
Session-Timeout (100) | Session timed out. This value applies to all session types. |
Session-Failed-Security (101) | Session failed for security reasons. This value applies to all session types. |
Session-End-Callback (102) | Session terminated due to callback. This value applies to all session types. |
Invalid-Protocol (120) | Call refused because the detected protocol is disabled. This value applies to all session types. |
Posted: Wed Aug 30 14:37:14 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.