Table of Contents

How to Use This Appendix
Supported RADIUS Attributes
Comprehensive List of RADIUS Attributes

RADIUS IETF Attributes
RADIUS Vendor-Proprietary Attributes

RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting elements in a user profile, which is stored on the RADIUS daemon. This appendix lists the RADIUS attributes currently supported.

How to Use This Appendix

This appendix is divided into two sections:

• Supported RADIUS Attributes

• Comprehensive List of RADIUS Attributes

The first section lists the Cisco IOS releases in which supported Internet Engineering Task Force (IETF) RADIUS and vendor-proprietary RADIUS attributes are implemented. The second section provides a comprehensive list and description of both IETF RADIUS and vendor-proprietary RADIUS attributes.

Supported RADIUS Attributes

Table 31 lists Cisco-supported IETF RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.

Note Attributes implemented in special (AA) or early development (T) releases will be added to the next mainline image.

Table 31: Supported RADIUS IETF Attributes

Number	IETF Attribute	11.1	11.2	11.3	11.3 AA	11.3T	12.0	12.1
1	User-Name	yes	yes	yes	yes	yes	yes	yes
2	User-Password	yes	yes	yes	yes	yes	yes	yes
3	CHAP-Password	yes	yes	yes	yes	yes	yes	yes
4	NAS-IP Address	yes	yes	yes	yes	yes	yes	yes
5	NAS-Port	yes	yes	yes	yes	yes	yes	yes
6	Service-Type	yes	yes	yes	yes	yes	yes	yes
7	Framed-Protocol	yes	yes	yes	yes	yes	yes	yes
8	Framed-IP-Address	yes	yes	yes	yes	yes	yes	yes
9	Framed-IP-Netmask	yes	yes	yes	yes	yes	yes	yes
10	Framed-Routing	yes	yes	yes	yes	yes	yes	yes
11	Filter-Id	yes	yes	yes	yes	yes	yes	yes
12	Framed-MTU	yes	yes	yes	yes	yes	yes	yes
13	Framed-Compression	yes	yes	yes	yes	yes	yes	yes
14	Login-IP-Host	yes	yes	yes	yes	yes	yes	yes
15	Login-Service	yes	yes	yes	yes	yes	yes	yes
16	Login-TCP-Port	yes	yes	yes	yes	yes	yes	yes
18	Reply-Message	yes	yes	yes	yes	yes	yes	yes
19	Callback-Number	no	no	no	no	no	no	yes
20	Callback-ID	no	no	no	no	no	no	no
22	Framed-Route	yes	yes	yes	yes	yes	yes	yes
23	Framed-IPX-Network	no	no	no	no	no	no	no
24	State	yes	yes	yes	yes	yes	yes	yes
25	Class	yes	yes	yes	yes	yes	yes	yes
26	Vendor-Specific	yes	yes	yes	yes	yes	yes	yes
27	Session-Timeout	yes	yes	yes	yes	yes	yes	yes
28	Idle-Timeout	yes	yes	yes	yes	yes	yes	yes
29	Termination-Action	no	no	no	no	no	no	yes
30	Called-Station-Id	yes	yes	yes	yes	yes	yes	yes
31	Calling-Station-Id	yes	yes	yes	yes	yes	yes	yes
32	NAS-Identifier	no	no	no	no	no	no	no
33	Proxy-State	no	no	no	no	no	no	no
34	Login-LAT-Service	yes	yes	yes	yes	yes	yes	yes
35	Login-LAT-Node	no	no	no	no	no	no	no
36	Login-LAT-Group	no	no	no	no	no	no	no
37	Framed-AppleTalk-Link	no	no	no	no	no	no	no
38	Framed-AppleTalk-Network	no	no	no	no	no	no	no
39	Framed-AppleTalk-Zone	no	no	no	no	no	no	no
40	Acct-Status-Type	yes	yes	yes	yes	yes	yes	yes
41	Acct-Delay-Time	yes	yes	yes	yes	yes	yes	yes
42	Acct-Input-Octets	yes	yes	yes	yes	yes	yes	yes
43	Acct-Output-Octets	yes	yes	yes	yes	yes	yes	yes
44	Acct-Session-Id	yes	yes	yes	yes	yes	yes	yes
45	Acct-Authentic	yes	yes	yes	yes	yes	yes	yes
46	Acct-Session-Time	yes	yes	yes	yes	yes	yes	yes
47	Acct-Input-Packets	yes	yes	yes	yes	yes	yes	yes
48	Acct-Output-Packets	yes	yes	yes	yes	yes	yes	yes
49	Acct-Terminate-Cause	no	no	no	yes	yes	yes	yes
50	Acct-Multi-Session-Id1	no	yes	yes	yes	yes	yes	yes
51	Acct-Link-Count2	no	yes	yes	yes	yes	yes	yes
60	CHAP-Challenge	yes	yes	yes	yes	yes	yes	yes
61	NAS-Port-Type	yes	yes	yes	yes	yes	yes	yes
62	Port-Limit	yes	yes	yes	yes	yes	yes	yes
63	Login-LAT-Port	no	no	no	no	no	no	no
64	Tunnel-Type3	no	no	no	no	no	no	yes
65	Tunnel-Medium-Type3	no	no	no	no	no	no	yes
66	Tunnel-Client-Endpoint	no	no	no	no	no	no	yes
67	Tunnel-Server-Endpoint3	no	no	no	no	no	no	yes
69	Tunnel-Password3	no	no	no	no	no	no	yes
82	Tunnel-Assignment-ID3	no	no	no	no	no	no	yes
85	Acct-Interim-Interval	no	no	no	no	no	no	yes
200	IETF-Token-Immediate	no	no	no	no	no	no	no

1Only stop records contain multi-session IDs. This is because start records are issued before any multilink processing takes place. 2Only stop records contain link counts. This is because start records are issued before any multilink processing takes place. 3This RADIUS attribute complies with the following two draft IETF documents: "RADIUS Attributes for Tunnel Protocol Support" and "RADIUS Accounting Modifications for Tunnel Protocol Support."

Table 32 lists Cisco-supported vendor-proprietary RADIUS attributes and the Cisco IOS release in which they are implemented. In cases where the attribute has a security server-specific format, the format is specified.

Note Attributes implemented in special (AA) or early development (T) releases will be added to the next mainline image.

Table 32: Supported Vendor-Proprietary RADIUS Attributes

Number	Vendor-Proprietary Attribute	11.1	11.2	11.3	11.3AA	11.3T	12.0	12.1
17	Change-Password	no	no	yes	yes	yes	yes	yes
21	Password-Expiration	no	no	yes	yes	yes	yes	yes
68	Tunnel-ID	no	no	no	no	no	no	no
108	My-Endpoint-Disc-Alias	no	no	no	no	no	no	no
109	My-Name-Alias	no	no	no	no	no	no	no
110	Remote-FW	no	no	no	no	no	no	no
111	Multicast-GLeave-Delay	no	no	no	no	no	no	no
112	CBCP-Enable	no	no	no	no	no	no	no
113	CBCP-Mode	no	no	no	no	no	no	no
114	CBCP-Delay	no	no	no	no	no	no	no
115	CBCP-Trunk-Group	no	no	no	no	no	no	no
116	Appletalk-Route	no	no	no	no	no	no	no
117	Appletalk-Peer-Mode	no	no	no	no	no	no	no
118	Route-Appletalk	no	no	no	no	no	no	no
119	FCP-Parameter	no	no	no	no	no	no	no
120	Modem-PortNo	no	no	no	no	no	no	no
121	Modem-SlotNo	no	no	no	no	no	no	no
122	Modem-ShelfNo	no	no	no	no	no	no	no
123	Call-Attempt-Limit	no	no	no	no	no	no	no
124	Call-Block-Duration	no	no	no	no	no	no	no
125	Maximum-Call-Duration	no	no	no	no	no	no	no
126	Router-Preference	no	no	no	no	no	no	no
127	Tunneling-Protocol	no	no	no	no	no	no	no
128	Shared-Profile-Enable	no	no	no	no	no	no	no
129	Primary-Home-Agent	no	no	no	no	no	no	no
130	Secondary-Home-Agent	no	no	no	no	no	no	no
131	Dialout-Allowed	no	no	no	no	no	no	no
133	BACP-Enable	no	no	no	no	no	no	no
134	DHCP-Maximum-Leases	no	no	no	no	no	no	no
135	Primary-DNS-Server	no	no	no	no	yes	yes	yes
136	Secondary-DNS-Server	no	no	no	no	yes	yes	yes
137	Client-Assign-DNS	no	no	no	no	no	no	no
138	User-Acct-Type	no	no	no	no	no	no	no
139	User-Acct-Host	no	no	no	no	no	no	no
140	User-Acct-Port	no	no	no	no	no	no	no
141	User-Acct-Key	no	no	no	no	no	no	no
142	User-Acct-Base	no	no	no	no	no	no	no
143	User-Acct-Time	no	no	no	no	no	no	no
144	Assign-IP-Client	no	no	no	no	no	no	no
145	Assign-IP-Server	no	no	no	no	no	no	no
146	Assign-IP-Global-Pool	no	no	no	no	no	no	no
147	DHCP-Reply	no	no	no	no	no	no	no
148	DHCP-Pool-Number	no	no	no	no	no	no	no
149	Expect-Callback	no	no	no	no	no	no	no
150	Event-Type	no	no	no	no	no	no	no
151	Session-Svr-Key	no	no	no	yes	no	no	yes
152	Multicast-Rate-Limit	no	no	no	yes	no	no	yes
153	IF-Netmask	no	no	no	no	no	no	no
154	Remote-Addr	no	no	no	no	no	no	no
155	Multicast-Client	no	no	no	yes	no	no	yes
156	FR-Circuit-Name	no	no	no	no	no	no	no
157	FR-LinkUp	no	no	no	no	no	no	no
158	FR-Nailed-Grp	no	no	no	no	no	no	no
159	FR-Type	no	no	no	no	no	no	no
160	FR-Link-Mgt	no	no	no	no	no	no	no
161	FR-N391	no	no	no	no	no	no	no
162	FR-DCE-N392	no	no	no	no	no	no	no
163	FR-DTE-N392	no	no	no	no	no	no	no
164	FR-DCE-N393	no	no	no	no	no	no	no
165	FR-DTE-N393	no	no	no	no	no	no	no
166	FR-T391	no	no	no	no	no	no	no
167	FR-T392	no	no	no	no	no	no	no
168	Bridge-Address	no	no	no	no	no	no	no
169	TS-Idle-Limit	no	no	no	no	no	no	no
170	TS-Idle-Mode	no	no	no	no	no	no	no
171	DBA-Monitor	no	no	no	no	no	no	no
172	Base-Channel-Count	no	no	no	no	no	no	no
173	Minimum-Channels	no	no	no	no	no	no	no
174	IPX-Route	no	no	no	no	no	no	no
175	FT1-Caller	no	no	no	no	no	no	no
176	Backup	no	no	no	no	no	no	no
177	Call-Type	no	no	no	no	no	no	no
178	Group	no	no	no	no	no	no	no
179	FR-DLCI	no	no	no	no	no	no	no
180	FR-Profile-Name	no	no	no	no	no	no	no
181	Ara-PW	no	no	no	no	no	no	no
182	IPX-Node-Addr	no	no	no	no	no	no	no
183	Home-Agent-IP-Addr	no	no	no	no	no	no	no
184	Home-Agent-Password	no	no	no	no	no	no	no
185	Home-Network-Name	no	no	no	no	no	no	no
186	Home-Agent-UDP-Port	no	no	no	no	no	no	no
187	Multilink-ID	no	no	no	yes	yes	yes	yes
188	Num-In-Multilink	no	no	no	yes	yes	yes	yes
189	First-Dest	no	no	no	no	no	no	no
190	Pre-Input-Octets	no	no	no	yes	yes	yes	yes
191	Pre-Output-Octets	no	no	no	yes	yes	yes	yes
192	Pre-Input-Packets	no	no	no	yes	yes	yes	yes
193	Pre-Output-Packets	no	no	no	yes	yes	yes	yes
194	Maximum-Time	no	no	yes	yes	yes	yes	yes
195	Disconnect-Cause	no	no	yes	yes	yes	yes	yes
196	Connect-Progress	no	no	no	no	no	no	yes
197	Data-Rate	no	no	no	no	yes	yes	yes
198	PreSession-Time	no	no	no	yes	yes	yes	yes
199	Token-Idle	no	no	no	no	no	no	no
201	Require-Auth	no	no	no	no	no	no	no
202	Number-Sessions	no	no	no	no	no	no	no
203	Authen-Alias	no	no	no	no	no	no	no
204	Token-Expiry	no	no	no	no	no	no	no
205	Menu-Selector	no	no	no	no	no	no	no
206	Menu-Item	no	no	no	no	no	no	no
207	PW-Warntime	no	no	no	no	no	no	no
208	PW-Lifetime	no	no	yes	yes	yes	yes	yes
209	IP-Direct	no	no	no	no	no	no	no
210	PPP-VJ-Slot-Comp	no	no	yes	yes	yes	yes	yes
211	PPP-VJ-1172	no	no	no	no	no	no	no
212	PPP-Async-Map	no	no	no	no	no	no	no
213	Third-Prompt	no	no	no	no	no	no	no
214	Send-Secret	no	no	no	no	no	no	yes
215	Receive-Secret	no	no	no	no	no	no	no
216	IPX-Peer-Mode	no	no	no	no	no	no	no
217	IP-Pool-Definition	no	no	yes	yes	yes	yes	yes
218	Assign-IP-Pool	no	no	yes	yes	yes	yes	yes
219	FR-Direct	no	no	no	no	no	no	no
220	FR-Direct-Profile	no	no	no	no	no	no	no
221	FR-Direct-DLCI	no	no	no	no	no	no	no
222	Handle-IPX	no	no	no	no	no	no	no
223	Netware-Timeout	no	no	no	no	no	no	no
224	IPX-Alias	no	no	no	no	no	no	no
225	Metric	no	no	no	no	no	no	no
226	PRI-Number-Type	no	no	no	no	no	no	no
227	Dial-Number	no	no	no	no	no	no	yes
228	Route-IP	no	no	yes	yes	yes	yes	yes
229	Route-IPX	no	no	no	no	no	no	no
230	Bridge	no	no	no	no	no	no	no
231	Send-Auth	no	no	no	no	no	no	yes
232	Send-Passwd	no	no	no	no	no	no	no
233	Link-Compression	no	no	yes	yes	yes	yes	yes
234	Target-Util	no	no	no	yes	no	yes	yes
235	Maximum-Channels	no	no	yes	yes	yes	yes	yes
236	Inc-Channel-Count	no	no	no	no	no	no	no
237	Dec-Channel-Count	no	no	no	no	no	no	no
238	Seconds-of-History	no	no	no	no	no	no	no
239	History-Weigh-Type	no	no	no	no	no	no	no
240	Add-Seconds	no	no	no	no	no	no	no
241	Remove-Seconds	no	no	no	no	no	no	no
242	Data-Filter	no	no	yes	yes	yes	yes	yes
243	Call-Filter	no	no	no	no	no	no	no
244	Idle-Limit	no	no	yes	yes	yes	yes	yes
245	Preempt-Limit	no	no	no	no	no	no	no
246	Callback	no	no	no	no	no	no	no
247	Data-Svc	no	no	no	no	no	no	yes
248	Force-56	no	no	no	no	no	no	yes
249	Billing Number	no	no	no	no	no	no	no
250	Call-By-Call	no	no	no	no	no	no	no
251	Transit-Number	no	no	no	no	no	no	no
252	Host-Info	no	no	no	no	no	no	no
253	PPP-Address	no	no	no	no	no	no	no
254	MPP-Idle-Percent	no	no	no	no	no	no	no
255	Xmit-Rate	no	no	no	yes	yes	yes	yes

Comprehensive List of RADIUS Attributes

The following two sections provide a comprehensive listing and description of known RADIUS attributes:

• RADIUS IETF Attributes

• RADIUS Vendor-Proprietary Attributes

RADIUS IETF Attributes

Table 33 lists and describes IETF RADIUS attributes. In cases where the attribute has a security server-specific format, the format is specified.

Table 33: RADIUS IETF Attributes

Number	IETF Attribute	Description
1	User-Name	Indicates the name of the user being authenticated.
2	User-Password	Indicates the user's password or the user's input following an Access-Challenge. Passwords longer than 16 characters are encrypted using the IETF Draft #2 (or later) specifications.
3	CHAP-Password	Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to an Access-Challenge.
4	NAS-IP Address	Specifies the IP address of the network access server that is requesting authentication.
5	NAS-Port	Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command). Each 16-bit number should be viewed as a 5-digit decimal integer for interpretation as follows: For asynchronous terminal lines, async network interfaces, and virtual async interfaces, the value is 00ttt, where ttt is the line number or async interface unit number. For ordinary synchronous network interface, the value is 10xxx. For channels on a primary rate ISDN interface, the value is 2ppcc. For channels on a basic rate ISDN interface, the value is 3bb0c. For other types of interfaces, the value is 6nnss.
6	Service-Type	Indicates the type of service requested or the type of service to be provided. In a request: Framed for known PPP or SLIP connection. Administrative-user for enable command. In response: Login---Make a connection. Framed---Start SLIP or PPP. Administrative User---Start an EXEC or enable ok. Exec User---Start an EXEC session. Service type is indicated by a particular numeric value as follows: 1: Login 2: Framed 3: Callback-Login 4: Callback-Framed 5: Outbound 6: Administrative 7: NAS-Prompt 8: Authenticate Only 9: Callback-NAS-Prompt
7	Framed-Protocol	Indicates the framing to be used for framed access. Framing is indicated by a numeric value as follows: 1: PPP 2: SLIP 3: ARA 4: Gandalf-proprietary single-link/multilink protocol 5: Xylogics-proprietary IPX/SLIP
8	Framed-IP-Address	Indicates the IP address to be configured for the user.
9	Framed-IP-Netmask	Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified.
10	Framed-Routing	Indicates the routing method for the user when the user is a router to a network. Only "None" and "Send and Listen" values are supported for this attribute. Routing method is indicated by a numeric value as follows: 0: None 1: Send routing packets 2: Listen for routing packets 3: Send routing packets and listen for routing packets
11	Filter-Id	Indicates the name of the filter list for the user and is formatted as follows: %d, %d.in, or %d.out. This attribute is associated with the most recent service-type command. For login and EXEC, use %d or %d.out as the line access list value from 0 to 199. For Framed service, use %d or %d.out as interface output access list, and %d.in for input access list. The numbers are self-encoding to the protocol to which they refer.
12	Framed-MTU	Indicates the maximum transmission unit (MTU) that can be configured for the user when the MTU is not negotiated by PPP or some other means.
13	Framed-Compression	Indicates a compression protocol used for the link. This attribute results in a "/compress" being added to the PPP or SLIP autocommand generated during EXEC authorization. Not currently implemented for non-EXEC authorization. Compression protocol is indicated by a numeric value as follows: 0: None 1: VJ-TCP/IP header compression 2: IPX header compression
14	Login-IP-Host	Indicates the host to which the user will connect when the Login-Service attribute is included.
15	Login-Service	Indicates the service that should be used to connect the user to the login host. Service is indicated by a numeric value as follows: 0: Telnet 1: Rlogin 2: TCP-Clear 3: PortMaster 4: LAT
16	Login-TCP-Port	Defines the TCP port with which the user is to be connected when the Login-Service attribute is also present.
18	Reply-Message	Indicates text that might be displayed to the user.
19	Callback-Number	Defines a dialing string to be used for callback.
20	Callback-ID	Defines the name (consisting of one or more octets) of a place to be called, to be interpreted by the network access server.
22	Framed-Route	Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the router field is omitted or 0, the peer IP address is used. Metrics are currently ignored.
23	Framed-IPX-Network	Defines the IPX network number configured for the user.
24	State	Allows state information to be maintained between the network access server and the RADIUS server. This attribute is applicable only to CHAP challenges.
25	Class	(Accounting) Arbitrary value that the network access server includes in all accounting packets for this user if supplied by the RADIUS server.
26	Vendor-Specific	Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format: protocol : attribute sep value "Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example: cisco-avpair= "ip:addr-pool=first" cisco-avpair= "shell:priv-lvl=15" The first example causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment). The second example causes a user logging in from a network access server to have immediate access to EXEC commands. Table 34 lists supported vendor-specific RADIUS attributes (IETF attribute 26). The "TACACS+ Attribute-Value Pairs" appendix provides a complete list of supported TACACS+ attribute-value (AV) pairs that can be used with IETF attribute 26.
27	Session-Timeout	Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user "absolute timeout."
28	Idle-Timeout	Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout."
29	Termination-Action	Termination is indicated by a numeric value as follows: 0: Default 1: RADIUS request
30	Called-Station-Id	(Accounting) Allows the network access server to send the telephone number the user called as part of the Access-Request packet (using Dialed Number Identification Service [DNIS] or similar technology). This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI.
31	Calling-Station-Id	(Accounting) Allows the network access server to send the telephone number the call came from as part of the Access-Request packet (using Automatic Number Identification or similar technology). This attribute has the same value as "remote-addr" from TACACS+. This attribute is only supported on ISDN, and modem calls on the Cisco AS5200 if used with PRI.
32	NAS-Identifier	String identifying the network access server originating the Access-Request.
33	Proxy-State	Attribute that can be sent by a proxy server to another server when forwarding Access-Requests; this must be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge and removed by the proxy server before sending the response to the network access server.
34	Login-LAT-Service	Indicates the system with which the user is to be connected by LAT. This attribute is only available in the EXEC mode.
35	Login-LAT-Node	Indicates the node with which the user is to be automatically connected by LAT.
36	Login-LAT-Group	Identifies the LAT group codes that this user is authorized to use.
37	Framed-AppleTalk-Link	Indicates the AppleTalk network number that should be used for serial links to the user, which is another AppleTalk router.
38	Framed-AppleTalk- Network	Indicates the AppleTalk network number that the network access server uses to allocate an AppleTalk node for the user.
39	Framed-AppleTalk-Zone	Indicates the AppleTalk Default Zone to be used for this user.
40	Acct-Status-Type	(Accounting) Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop).
41	Acct-Delay-Time	(Accounting) Indicates how many seconds the client has been trying to send a particular record.
42	Acct-Input-Octets	(Accounting) Indicates how many octets have been received from the port over the course of this service being provided.
43	Acct-Output-Octets	(Accounting) Indicates how many octets have been sent to the port in the course of delivering this service.
44	Acct-Session-Id	(Accounting) A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session ID numbers restart at 1 each time the router is power cycled or the software is reloaded.
45	Acct-Authentic	(Accounting) Indicates how the user was authenticated, whether by RADIUS, the network access server itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.
46	Acct-Session-Time	(Accounting) Indicates how long (in seconds) the user has received service.
47	Acct-Input-Packets	(Accounting) Indicates how many packets have been received from the port over the course of this service being provided to a framed user.
48	Acct-Output-Packets	(Accounting) Indicates how many packets have been sent to the port in the course of delivering this service to a framed user.
49	Acct-Terminate-Cause	(Accounting) Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows: 1. User request 2. Lost carrier 3. Lost service 4. Idle timeout 5. Session timeout 6. Admin reset 7. Admin reboot 8. Port error 9. NAS error 10.  NAS request 11.  NAS reboot 12.  Port unneeded 13.  Port pre-empted 14.  Port suspended 15.  Service unavailable 16.  Callback 17.  User error 18.  Host request Note For attribute 49, Cisco IOS supports values 1 to 6, 9, 12, and 15 to 18.
50	Acct-Multi-Session-Id1	(Accounting) A unique accounting identifier used to link multiple related sessions in a log file. Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id.
51	Acct-Link-Count2	(Accounting) Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links.
60	CHAP-Challenge	Contains the Challenge Handshake Authentication Protocol challenge sent by the network access server to a PPP CHAP user.
61	NAS-Port-Type	Indicates the type of physical port the network access server is using to authenticate the user. Physical ports are indicated by a numeric value as follows: 0: Asynchronous 1: Synchronous 2: ISDN-Synchronous 3: ISDN-Asynchronous (V.120) 4: ISDN-Asynchronous (V.110) 5: Virtual
62	Port-Limit	Sets the maximum number of ports provided to the user by the NAS.
63	Login-LAT-Port	Defines the port with which the user is to be connected by LAT.
64	Tunnel-Type3	Indicates the tunneling protocol(s) used. Cisco IOS software supports two possible values for this attribute: L2TP and L2F. If this attribute is not set, L2F is used as a default.
65	Tunnel-Medium-Type3	Indicates the transport medium type to use to create a tunnel. This attribute only has one available value for this release: IP. If no value is set for this attribute, IP is used as the default.
66	Tunnel-Client-Endpoint	Contains the address of the initiator end of the tunnel. It may be included in both Access-Request and Access-Accept packets to indicate the address from which a new tunnel is to be initiated. If the Tunnel-Client-Endpoint attribute is included in an Access-Request packet, the RADIUS server should take the value as a hint; the server is not obligated to honor the hint, however. This attribute should be included in Accounting-Request packets that contain Acct-Status-Type attributes with values of either Start or Stop, in which case it indicates the address from which the tunnel was initiated. This attribute, along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID attributes, may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes. An enhancement has been added for the network access server to accept a value of 127.0.0.X for this attribute such that: 127.0.0.0 would indicate that loopback0 IP address is to be used 127.0.0.1 would indicate that loopback1 IP address is to be used ... 127.0.0.X would indicate that loopbackX IP address is to be used for the actual tunnel client endpoint IP address. This enhancement adds scalability across multiple network access servers.
67	Tunnel-Server-Endpoint3	Indicates the address of the server end of the tunnel. The format of this attribute varies depending on the value of Tunnel-Medium-Type. Because this release only supports IP as a tunnel medium type, the IP address or the host name of LNS is valid for this attribute.
69	Tunnel-Password3	Defines the password to be used to authenticate to a remote server. This attribute is converted into different AAA attributes based on the value of Tunnel-Type: AAA_ATTR_l2tp_tunnel_pw (L2TP), AAA_ATTR_nas_password (L2F), and AAA_ATTR_gw_password (L2F).
82	Tunnel-Assignment-ID3	Indicates to the tunnel initiator the particular tunnel to which a session is assigned.
85	Acct-Interim-Interval	Indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.
200	IETF-Token-Immediate	Determines how RADIUS treats passwords received from login-users when their file entry specifies a hand-held security card server. The value for this attribute is indicated by a numeric value as follows: 0: No, meaning that the password is ignored. 1: Yes, meaning that the password is used for authentication.

1Only stop records contain multi-session IDs. This is because start records are issued before any multilink processing takes place. 2Only stop records contain link counts. This is because start records are issued before any multilink processing takes place. 3This RADIUS attribute complies with the following two IETF documents: "RADIUS Attributes for Tunnel Protocol Support" and "RADIUS Accounting Modifications for Tunnel Protocol Support."

Table 34 lists supported vendor-specific RADIUS attributes (IETF attribute 26).

Table 34: Vendor-Specific RADIUS IETF Attributes

Number	Vendor-Specific Company Code	Sub-Type Number	Attribute	Description
MS-CHAP Attributes
26	311	1	MSCHAP-Response	Contains the response value provided by a PPP MS-CHAP user in response to the challenge. It is only used in Access-Request packets. This attribute is identical to the PPP CHAP Identifier.
26	311	11	MSCHAP-Challenge	Contains the challenge sent by a network access server to an MS-CHAP user. It can be used in both Access-Request and Access-Challenge packets.
VPDN Attributes
26	9	1	l2tp-busy-disconnect	If a vpdn-group on an LNS uses a virtual-template that is configured to be pre-cloned, this attribute will control the disposition of a new L2TP session that finds no pre-cloned interface to which to connect. If the attribute is true (the default), the session will be disconnected by the LNS. Otherwise, a new interface will be cloned from the virtual-template.
26	9	1	l2tp-cm-local-window-size	Specifies the maximum receive window size for L2TP control messages. This value is advertised to the peer during tunnel establishment.
26	9	1	l2tp-drop-out-of-order	Respects sequence numbers on data packets by dropping those that are received out of order. This does not ensure that sequence numbers will be sent on data packets, just how to handle them if they are received.
26	9	1	l2tp-hello-interval	Specifies the number of seconds for the hello keepalive interval. Hello packets are sent when no data has been sent on a tunnel for the number of seconds configured here.
26	9	1	l2tp-hidden-avp	When enabled, sensitive AVPs in L2TP control messages are scrambled or hidden.
26	9	1	l2tp-nosession-timeout	Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down.
26	9	1	l2tp-tos-reflect	Copies the IP ToS field from the IP header of each payload packet to the IP header of the tunnel packet for packets entering the tunnel at the LNS.
26	9	1	l2tp-tunnel-authen	If this attribute is set, it performs L2TP tunnel authentication.
26	9	1	l2tp-tunnel-password	Shared secret used for L2TP tunnel authentication and AVP hiding.
26	9	1	l2tp-udp-checksum	This is an authorization attribute and defines whether L2TP should perform UDP checksums for data packets. Valid values are "yes" and "no." The default is no.
Store and Forward Fax Attributes
26	9	3	Fax-Account-Id-Origin	Indicates the account ID origin as defined by system administrator for the mmoip aaa receive-id or the mmoip aaa send-id commands.
26	9	4	Fax-Msg-Id=	Indicates a unique fax message identification number assigned by Store and Forward Fax.
26	9	5	Fax-Pages	Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages.
26	9	6	Fax-Coverpage-Flag	Indicates whether or not a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated; false means that a cover page was not generated.
26	9	7	Fax-Modem-Time	Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds.
26	9	8	Fax-Connect-Speed	Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400.
26	9	9	Fax-Recipient-Count	Indicates the number of recipients for this fax transmission. Until e-mail servers support Session mode, the number should be 1.
26	9	10	Fax-Process-Abort-Flag	Indicates that the fax session was aborted or successful. True means that the session was aborted; false means that the session was successful.
26	9	11	Fax-Dsn-Address	Indicates the address to which DSNs will be sent.
26	9	12	Fax-Dsn-Flag	Indicates whether or not DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled.
26	9	13	Fax-Mdn-Address	Indicates the address to which MDNs will be sent.
26	9	14	Fax-Mdn-Flag	Indicates whether or not message delivery notification (MDN) has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled.
26	9	15	Fax-Auth-Status	Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown.
26	9	16	Email-Server-Address	Indicates the IP address of the e-mail server handling the on-ramp fax-mail message.
26	9	17	Email-Server-Ack-Flag	Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message.
26	9	18	Gateway-Id	Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name.
26	9	19	Call-Type	Describes the type of fax activity: fax receive or fax send.
26	9	20	Port-Used	Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail.
26	9	21	Abort-Cause	If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server.
H323 Attributes
26	9	23	h323-remote-address	Indicates the IP address of the remote gateway.
26	9	24	h323-conf-id	Identifies the conference ID.
26	9	25	h323-setup-time	Indicates the setup time for this connection in Coordinated Universal Time (UTC) formerly known as Greenwich Mean Time (GMT) and Zulu time.
26	9	26	h323-call-origin	Indicates the origin of the call relative to the gateway. Possible values are originating and terminating (answer).
26	9	27	h323-call-type	Indicates call leg type. Possible values are telephony and VoIP.
26	9	28	h323-connect-time	Indicates the connection time for this call leg in UTC.
26	9	29	h323-disconnect-time	Indicates the time this call leg was disconnected in UTC.
26	9	30	h323-disconnect-cause	Specifies the reason a connection was taken offline per Q.931 specification.
26	9	31	h323-voice-quality	Specifies the impairment factor (ICPIF) affecting voice quality for a call.
26	9	33	h323-gw-id	Indicates the name of the underlying gateway.
Large Scale Dialout Attributes
26	9	1	callback-dialstring	Defines a dialing string to be used for callback.
26	9	1	data-service	No description available.
26	9	1	dial-number	Defines the number to dial.
26	9	1	force-56	Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available.
26	9	1	map-class	Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out.
26	9	1	send-auth	Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication.
Miscellaneous Attributes
26	9	2	Cisco-NAS-Port	Specifies additional vendor specific attribute (VSA) information for NAS-Port accounting.
26	9	1	min-links	Sets the minimum number of links for MLP.
26	9	1	proxyacl#<n>	Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces.
26	9	1	spi	Carries the authentication information needed by the home agent to authenticate a mobile node during registration. The information is in the same syntax as the ip mobile secure host <addr> configuration command. Basically it contains the rest of the configuration command that follows that string, verbatim. It provides the Security Parameter Index (SPI), key, authentication algorithm, authentication mode, and replay protection timestamp range.

RADIUS Vendor-Proprietary Attributes

Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Table 35 lists the known vendor-proprietary RADIUS attributes:

Table 35: Vendor-Proprietary RADIUS Attributes

Number	Vendor-Proprietary Attribute	Description
17	Change-Password	Specifies a request to change a user's password.
21	Password-Expiration	Specifies an expiration date for a user's password in the user's file entry.
68	Tunnel-ID	(Ascend 5) No description available.
108	My-Endpoint-Disc-Alias	(Ascend 5) No description available.
109	My-Name-Alias	(Ascend 5) No description available.
110	Remote-FW	(Ascend 5) No description available.
111	Multicast-GLeave-Delay	(Ascend 5) No description available.
112	CBCP-Enable	(Ascend 5) No description available.
113	CBCP-Mode	(Ascend 5) No description available.
114	CBCP-Delay	(Ascend 5) No description available.
115	CBCP-Trunk-Group	(Ascend 5) No description available.
116	Appletalk-Route	(Ascend 5) No description available.
117	Appletalk-Peer-Mode	(Ascend 5) No description available.
118	Route-Appletalk	(Ascend 5) No description available.
119	FCP-Parameter	(Ascend 5) No description available.
120	Modem-PortNo	(Ascend 5) No description available.
121	Modem-SlotNo	(Ascend 5) No description available.
122	Modem-ShelfNo	(Ascend 5) No description available.
123	Call-Attempt-Limit	(Ascend 5) No description available.
124	Call-Block-Duration	(Ascend 5) No description available.
125	Maximum-Call-Duration	(Ascend 5) No description available.
126	Router-Preference	(Ascend 5) No description available.
127	Tunneling-Protocol	(Ascend 5) No description available.
128	Shared-Profile-Enable	(Ascend 5) No description available.
129	Primary-Home-Agent	(Ascend 5) No description available.
130	Secondary-Home-Agent	(Ascend 5) No description available.
131	Dialout-Allowed	(Ascend 5) No description available.
133	BACP-Enable	(Ascend 5) No description available.
134	DHCP-Maximum-Leases	(Ascend 5) No description available.
135	Primary-DNS-Server	Identifies a primary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation.
136	Secondary-DNS-Server	Identifies a secondary DNS server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation.
137	Client-Assign-DNS	No description available.
138	User-Acct-Type	No description available.
139	User-Acct-Host	No description available.
140	User-Acct-Port	No description available.
141	User-Acct-Key	No description available.
142	User-Acct-Base	No description available.
143	User-Acct-Time	No description available.
144	Assign-IP-Client	No description available.
145	Assign-IP-Server	No description available.
146	Assign-IP-Global-Pool	No description available.
147	DHCP-Reply	No description available.
148	DHCP-Pool-Number	No description available.
149	Expect-Callback	No description available.
150	Event-Type	No description available.
151	Session-Svr-Key	No description available.
152	Multicast-Rate-Limit	No description available.
153	IF-Netmask	No description available.
154	Remote-Addr	No description available.
155	Multicast-Client	No description available.
156	FR-Circuit-Name	No description available.
157	FR-LinkUp	No description available.
158	FR-Nailed-Grp	No description available.
159	FR-Type	No description available.
160	FR-Link-Mgt	No description available.
161	FR-N391	No description available.
162	FR-DCE-N392	No description available.
163	FR-DTE-N392	No description available.
164	FR-DCE-N393	No description available.
165	FR-DTE-N393	No description available.
166	FR-T391	No description available.
167	FR-T392	No description available.
168	Bridge-Address	No description available.
169	TS-Idle-Limit	No description available.
170	TS-Idle-Mode	No description available.
171	DBA-Monitor	No description available.
172	Base-Channel-Count	No description available.
173	Minimum-Channels	No description available.
174	IPX-Route	No description available.
175	FT1-Caller	No description available.
176	Backup	No description available.
177	Call-Type	No description available.
178	Group	No description available.
179	FR-DLCI	No description available.
180	FR-Profile-Name	No description available.
181	Ara-PW	No description available.
182	IPX-Node-Addr	No description available.
183	Home-Agent-IP-Addr	Indicates the home agent's IP address (in dotted decimal format) when using Ascend Tunnel Management Protocol (ATMP).
184	Home-Agent-Password	With ATMP, specifies the password that the foreign agent uses to authenticate itself.
185	Home-Network-Name	With ATMP, indicates the name of the connection profile to which the home agent sends all packets.
186	Home-Agent-UDP-Port	Indicates the UDP port number the foreign agent uses to send ATMP messages to the home agent.
187	Multilink-ID	Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. The Multilink-ID attribute is sent in authentication-response packets.
188	Num-In-Multilink	Reports the number of sessions remaining in a multilink bundle when the session reported in an accounting-stop packet closes. This attribute applies to sessions that are part of a multilink bundle. The Num-In-Multilink attribute is sent in authentication-response packets and in some accounting-request packets.
189	First-Dest	Records the destination IP address of the first packet received after authentication.
190	Pre-Input-Octets	Records the number of input octets before authentication. The Pre-Input-Octets attribute is sent in accounting-stop records.
191	Pre-Output-Octets	Records the number of output octets before authentication. The Pre-Output-Octets attribute is sent in accounting-stop records.
192	Pre-Input-Packets	Records the number of input packets before authentication. The Pre-Input-Packets attribute is sent in accounting-stop records.
193	Pre-Output-Packets	Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records.
194	Maximum-Time	Specifies the maximum length of time (in seconds) allowed for any session. After the session reaches the time limit, its connection is dropped.
195	Disconnect-Cause	Specifies the reason a connection was taken offline. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 36 for a list of Disconnect-Cause values and their meanings.
196	Connect-Progress	Indicates the connection state before the connection is disconnected.
197	Data-Rate	Specifies the average number of bits per second over the course of the connection's lifetime. The Data-Rate attribute is sent in accounting-stop records.
198	PreSession-Time	Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. The PreSession-Time attribute is sent in accounting-stop records.
199	Token-Idle	Indicates the maximum amount of time (in minutes) a cached token can remain alive between authentications.
201	Require-Auth	Defines whether additional authentication is required for class that has been CLID authenticated.
202	Number-Sessions	Specifies the number of active sessions (per class) reported to the RADIUS accounting server.
203	Authen-Alias	Defines the RADIUS server's login name during PPP authentication.
204	Token-Expiry	Defines the lifetime of a cached token.
205	Menu-Selector	Defines a string to be used to cue a user to input data.
206	Menu-Item	Specifies a single menu-item for a user-profile. Up to 20 menu items can be assigned per profile.
207	PW-Warntime	(Ascend 5) No description available.
208	PW-Lifetime	Enables you to specify on a per-user basis the number of days that a password is valid.
209	IP-Direct	Specifies in a user's file entry the IP address to which the Cisco router redirects packets from the user. When you include this attribute in a user's file entry, the Cisco router bypasses all internal routing and bridging tables and sends all packets received on this connection's WAN interface to the specified IP address.
210	PPP-VJ-Slot-Comp	Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link.
211	PPP-VJ-1172	Instructs PPP to use the 0x0037 value for VJ compression.
212	PPP-Async-Map	Gives the Cisco router the asynchronous control character map for the PPP session. The specified control characters are passed through the PPP link as data and used by applications running over the link.
213	Third-Prompt	Defines a third prompt (after username and password) for additional user input.
214	Send-Secret	Enables an encrypted password to be used in place of a regular password in outdial profiles.
215	Receive-Secret	Enables an encrypted password to be verified by the RADIUS server.
216	IPX-Peer-Mode	(Ascend 5) No description available.
217	IP-Pool-Definition	Defines a pool of addresses using the following format: X a.b.c Z; where X is the pool index number, a.b.c is the pool's starting IP address, and Z is the number of IP addresses in the pool. For example, 3 10.0.0.1 5 allocates 10.0.0.1 through 10.0.0.5 for dynamic assignment.
218	Assign-IP-Pool	Tells the router to assign the user and IP address from the IP pool.
219	FR-Direct	Defines whether the connection profile operates in Frame Relay redirect mode.
220	FR-Direct-Profile	Defines the name of the Frame Relay profile carrying this connection to the Frame Relay switch.
221	FR-Direct-DLCI	Indicates the DLCI carrying this connection to the Frame Relay switch.
222	Handle-IPX	Indicates how NCP watchdog requests will be handled.
223	Netware-Timeout	Defines, in minutes, how long the RADIUS server responds to NCP watchdog packets.
224	IPX-Alias	Allows you to define an alias for IPX routers requiring numbered interfaces.
225	Metric	No description available.
226	PRI-Number-Type	No description available.
227	Dial-Number	Defines the number to dial.
228	Route-IP	Indicates whether IP routing is allowed for the user's file entry.
229	Route-IPX	Allows you to enable IPX routing.
230	Bridge	No description available.
231	Send-Auth	Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication.
232	Send-Passwd	No description available.
233	Link-Compression	Defines whether to turn on or turn off "stac" compression over a PPP link. Link compression is defined as a numeric value as follows: 0: None 1: Stac 2: Stac-Draft-9 3: MS-Stac
234	Target-Util	Specifies the load-threshold percentage value for bringing up an additional channel when PPP multilink is defined.
235	Maximum-Channels	Specifies allowed/allocatable maximum number of channels.
236	Inc-Channel-Count	No description available.
237	Dec-Channel-Count	No description available.
238	Seconds-of-History	No description available.
239	History-Weigh-Type	No description available.
240	Add-Seconds	No description available.
241	Remove-Seconds	No description available.
242	Data-Filter	Defines per-user IP data filters. These filters are retrieved only when a call is placed using a RADIUS outgoing profile or answered using a RADIUS incoming profile. Filter entries are applied on a first-match basis; therefore, the order in which filter entries are entered is important.
243	Call-Filter	Defines per-user IP data filters. On a Cisco router, this attribute is identical to the Data-Filter attribute.
244	Idle-Limit	Specifies the maximum time (in seconds) that any session can be idle. When the session reaches the idle time limit, its connection is dropped.
245	Preempt-Limit	No description available.
246	Callback	Allows you to enable or disable callback.
247	Data-Svc	No description available.
248	Force-56	Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available.
249	Billing Number	No description available.
250	Call-By-Call	No description available.
251	Transit-Number	No description available.
252	Host-Info	No description available.
253	PPP-Address	Indicates the IP address reported to the calling unit during PPP IPCP negotiations.
254	MPP-Idle-Percent	No description available.
255	Xmit-Rate	(Ascend 5) No description available.

Table 36 lists the values and descriptions for the Disconnect-Cause (195) attribute.

Table 36: Disconnect-Cause Attribute Values

Value	Description
Unknown (2)	Reason unknown.
CLID-Authentication-Failure (4)	Failure to authenticate calling-party number.
No-Carrier (10)	No carrier detected. This value applies to modem connections.
Lost-Carrier (11)	Loss of carrier. This value applies to modem connections.
No-Detected-Result-Codes (12)	Failure to detect modem result codes. This value applies to modem connections.
User-Ends-Session (20)	User terminates a session. This value applies to EXEC sessions.
Idle-Timeout (21)	Timeout waiting for user input. This value applies to all session types.
Exit-Telnet-Session (22)	Disconnect due to exiting Telnet session. This value applies to EXEC sessions.
No-Remote-IP-Addr (23)	Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions.
Exit-Raw-TCP (24)	Disconnect due to exiting raw TCP. This value applies to EXEC sessions.
Password-Fail (25)	Bad passwords. This value applies to EXEC sessions.
Raw-TCP-Disabled (26)	Raw TCP disabled. This value applies to EXEC sessions.
Control-C-Detected (27)	Control-C detected. This value applies to EXEC sessions.
EXEC-Process-Destroyed (28)	EXEC process destroyed. This value applies to EXEC sessions.
Timeout-PPP-LCP (40)	PPP LCP negotiation timed out. This value applies to PPP sessions.
Failed-PPP-LCP-Negotiation (41)	PPP LCP negotiation failed. This value applies to PPP sessions.
Failed-PPP-PAP-Auth-Fail (42)	PPP PAP authentication failed. This value applies to PPP sessions.
Failed-PPP-CHAP-Auth (43)	PPP CHAP authentication failed. This value applies to PPP sessions.
Failed-PPP-Remote-Auth (44)	PPP remote authentication failed. This value applies to PPP sessions.
PPP-Remote-Terminate (45)	PPP received a Terminate Request from remote end. This value applies to PPP sessions.
PPP-Closed-Event (46)	Upper layer requested that the session be closed. This value applies to PPP sessions.
Session-Timeout (100)	Session timed out. This value applies to all session types.
Session-Failed-Security (101)	Session failed for security reasons. This value applies to all session types.
Session-End-Callback (102)	Session terminated due to callback. This value applies to all session types.
Invalid-Protocol (120)	Call refused because the detected protocol is disabled. This value applies to all session types.

Posted: Tue Jul 18 13:18:51 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.