IBM Books

Using and Configuring Features Version 3.4


Appendix A. Remote AAA Attributes

This section identifies the remote AAA Attributes used by Radius, TACACS and TACACS+ servers.


Radius

IBM Vendor ID: 211

Authorization Attributes

Standard Drafted

TUNNEL_TYPE           64
TUNNEL_MEDIUM_TYPE    65
TUNNEL_CLIEN_TYPE     66
TUNNEL_SERVER_EP      67
TUNNEL_CONN_ID        68
TUNNEL_PASSWORD       69

Values

TUNNEL_TYPE           integer   1 PPTP, 2 L2F, 3 L2TP
TUNNEL_MEDIUM_TYPE    integer   1 IP
TUNNEL_SERVER_EP      string    ip address

IBM Vendor Specific

NAS_TUNNEL_PASSWORD   101
INBYTES_AH            110
INBYTES_ESP           111
OUTBYTES_AH           112
OUTBYTES_ESP          113
INPKTS_BAD            114
OUTPKTS_BAD           115
INPKTS_BAD_AH         116
INPKTS_BAD_ESP        117
OUTPKTS_BAD_AH        118
OUTPKTS_BAD_ESP       119
INPKTS_AH             120
AH INPKTS_ESP         121
OUTPKTS_AH            122
AH OUTPKTS_ESP        123
INPKTS_BAD_AH_RPLY    124
INPKTS_BAD_ESP_RPLY   125
INBYTES_WRAP          128
OUTBYTES_WRAP         129
INB_AH_WRAP           130
INB_ESP_WRAP          131
OUB_AH_WRAP           132
OUB_ESP_WRAP          133
POLICY_NAME           135
P1_ID                 136
TRANSFORMS            137
REFR_CNT              138
COMPR                 139
ESP_ALGO              140
AH_ALGO               141
ESPAUTH_ALGO          142
P1_NAME               143
VC-ACTIVE             177
VC-IDLETIME           179
VC-SUSPENDTIME        180
CALLBACK_FLAGS        210
ENCRYPTION            211
HOSTNAME              213
DIALOUT               214
SUBNETMASK            215
PRIVILEGE             216

Keywords

Keywords are used for Radius servers that allow vendor-specific fields to be entered in the form <keyword>=<value>.

KWD_VC_ACTIVE         VCN
KWD_VC_IDLETIME       VCI
KWD_VC_SUSPENDTIME    VCS
KWD_CALLBACK_FLAGS    CBF
KWD_ENCRYPTION        ENC
KWD_HOSTNAME          HSN
KWD_DIALOUT           DOF
KWD_SUBNETMASK        SNM
KWD_PRIVILEGE         PRV

Values

CALLBACK_FLAGS
  REQ      required callback
  ROAM     roaming callback

DIALOUT
  TRUE     enable dialout for this user
  FALSE    disable dialout for this user
  ONLY     only allow dialout for this user (not dial in)

PRIVILEGE
  ADMIN
  OPER
  MONITOR


Example of RADIUS Configuration File

The following is an example of a RADIUS configuration file:
VENDOR IBM 211   
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer #
ATTRIBUTE Old-Password 17 string
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string #
ATTRIBUTE Unassigned 21 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 integer
ATTRIBUTE State 24 string
ATTRIBUTE Class 25 string
ATTRIBUTE Vendor-Specific 26 string
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-Appletalk-Link 37 integer
ATTRIBUTE Framed-Appletalk-Net 38 integer
ATTRIBUTE Framed-Appletalk-Zone 39 string
ATTRIBUTE Acct-Status-Type 40 integer
ATTRIBUTE Acct-Delay-Time 41 integer
ATTRIBUTE Acct-Input-Octets 42 integer
ATTRIBUTE Acct-Output-Octets 43 integer
ATTRIBUTE Acct-Session-Id 44 string
ATTRIBUTE Acct-Authentic 45 integer
ATTRIBUTE Acct-Session-Time 46 integer
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
ATTRIBUTE Acct-Terminate-Cause 49 integer
ATTRIBUTE Acct-Multi-Session-Id 50 string
ATTRIBUTE Acct-Link-Count 51 integer
ATTRIBUTE CHAP-Challenge 60 string
ATTRIBUTE NAS-Port-Type 61 integer
ATTRIBUTE Port-Limit 62 integer
ATTRIBUTE Login-LAT-Port 63 string
--------------------- START IBM -----------------------   
ATTRIBUTE Tunnel-Type 64 integer
ATTRIBUTE Tunnel-Medium 65 integer
ATTRIBUTE Tunnel-Client-EP 66 string
ATTRIBUTE Tunnel-Server-EP 67 string
ATTRIBUTE Tunnel-Conn-ID 68 string
ATTRIBUTE Tunnel-Password 69 string
ATTRIBUTE Tunnel-NAS-Password 101 string
ATTRIBUTE VC-ACTIVE 177 integer
ATTRIBUTE VC-IDLETIME 179 integer
ATTRIBUTE VC-SUSPENDTIME 180 integer
ATTRIBUTE IBM-Callback-Flags 210 string
ATTRIBUTE IBM-Encryption 211 string
ATTRIBUTE IBM-DialOut 214 string
ATTRIBUTE IBM-Hostname 213 string
ATTRIBUTE IBM-Subnetmask 215 string
ATTRIBUTE IBM-Privilege 216 string
ATTRIBUTE IBM-ipsec-inb-ah 110 integer
ATTRIBUTE IBM-ipsec-inb-esp 111 integer
ATTRIBUTE IBM-ipsec-ob-ah 112 integer
ATTRIBUTE IBM-ipsec-ob-esp 113 integer
ATTRIBUTE IBM-ipsec-ip-bad 114 integer
ATTRIBUTE IBM-ipsec-op-bad 115 integer
ATTRIBUTE IBM-ipsec-ip-bad-ah 116 integer
ATTRIBUTE IBM-ipsec-ip-bad-esp 117 integer
ATTRIBUTE IBM-ipsec-op-bad-ah 118 integer
ATTRIBUTE IBM-ipsec-op-bad-esp 119 integer
ATTRIBUTE IBM-ipsec-ip-ah 120 integer
ATTRIBUTE IBM-ipsec-ip-esp 121 integer
ATTRIBUTE IBM-ipsec-op-ah 122 integer
ATTRIBUTE IBM-ipsec-op-esp 123 integer
ATTRIBUTE IBM-ipsec-ip-bad-ah-r 124 integer
ATTRIBUTE IBM-ipsec-ip-bad-esp-r 125 integer
ATTRIBUTE IBM-ipsec-inb-wrap 128 integer
ATTRIBUTE IBM-ipsec-ob-wrap 129 integer
ATTRIBUTE IBM-ipsec-ib-ah-wrap 130 integer
ATTRIBUTE IBM-ipsec-ib-esp-wrap 131 integer
ATTRIBUTE IBM-ipsec-ob-ah-wrap 132 integer
ATTRIBUTE IBM-ipsec-ob-esp-wrap 133 integer
ATTRIBUTE IBM-ipsec-policy-name 135 string
ATTRIBUTE IBM-ipsec-p1-id 136 string
ATTRIBUTE IBM-ipsec-p1-name 143 string
ATTRIBUTE IBM-ipsec-esp-algo 140 string
ATTRIBUTE IBM-ipsec-ah-algo 141 string
ATTRIBUTE IBM-ipsec-esp-algo 142 string
       
VALUE Tunnel-Type L2TP 3
VALUE Tunnel-Type L2F 2
VALUE Tunnel-Type PPTP 1
VALUE Tunnel-Medium IP 1
VALUE VC-ACTIVE YES 1
VALUE VC-ACTIVE NO 0
VALUE IBM-Callback-Flags Required REQ
VALUE IBM-Callback-Flags Roaming ROAM
VALUE IBM-Dialout Enable TRUE
VALUE IBM-Dialout Disable FALSE
VALUE IBM-Dialout ONLY ONLY
VALUE IBM-Privilege Administrator ADMIN
VALUE IBM-Privilege Operator OPER
VALUE IBM-Privilege Monitor MONITOR
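
A consistency check for a dictionary in the format shown above, as an added example that is not part of the IBM documentation. It flags duplicate attribute names or numbers, VALUE lines that reference an undeclared attribute, and string values outside the sets documented on this page. Assumptions: `#` starts a comment, attribute names are matched case-sensitively, and the name `lint_dictionary` and the sample input are constructed for illustration.

```python
# Allowed strings for the IBM attributes, taken from the Values tables on this page.
ALLOWED = {
    "ibm-callback-flags": {"REQ", "ROAM"},
    "ibm-dialout": {"TRUE", "FALSE", "ONLY"},
    "ibm-privilege": {"ADMIN", "OPER", "MONITOR"},
}

def lint_dictionary(text):
    """Return a list of (line_no, message) findings for a dictionary file."""
    findings, by_name, by_num = [], {}, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        f = line.split()
        if f[0] == "VENDOR" and len(f) == 3 and f[2].isdigit():
            continue
        if (f[0] == "ATTRIBUTE" and len(f) == 4 and f[2].isdigit()
                and f[3] in ("string", "integer", "ipaddr")):
            name, num = f[1], int(f[2])
            if name in by_name:
                findings.append((no, f"name {name} already defined on line {by_name[name]}"))
            if num in by_num:
                findings.append((no, f"number {num} already used on line {by_num[num]}"))
            by_name.setdefault(name, no)
            by_num.setdefault(num, no)
        elif f[0] == "VALUE" and len(f) == 4:
            attr, value = f[1], f[3]
            if attr not in by_name:  # assumption: names are case-sensitive
                findings.append((no, f"VALUE refers to undeclared attribute {attr}"))
            allowed = ALLOWED.get(attr.lower())
            if allowed and value not in allowed:
                findings.append((no, f"{value} is not a documented value for {attr}"))
        else:
            findings.append((no, f"unparseable line: {line}"))
    return findings

# Constructed sample in the page's format, with deliberate defects on lines 5-7.
SAMPLE = """\
VENDOR IBM 211
ATTRIBUTE IBM-DialOut 214 string
ATTRIBUTE IBM-Callback-Flags 210 string
ATTRIBUTE IBM-ipsec-esp-algo 140 string
ATTRIBUTE IBM-ipsec-esp-algo 142 string
VALUE IBM-Dialout Enable TRUE
VALUE IBM-Callback-Flags Roaming OAM
"""
for no, msg in lint_dictionary(SAMPLE):
    print(f"line {no}: {msg}")
```

A dictionary defect of this kind matters because an authorization attribute such as the privilege or dial-out setting that the server cannot resolve may never reach the device in the intended form.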


TACACS+

Authentication

Authorization
PPP      service=ppp protocol=ip
LOGIN    service=shell cmd=null priv_lvl*0


Standard TACACS+ Attributes
service
protocol
cmd
addr
timeout
priv_lvl 0 (monitor privilege), 1 (operator privilege), 15 (administrator privilege)
callback-dialstring


IBM Specific Attributes
encryption_key    16 hex characters
dial_out          TRUE, FALSE, ONLY

Accounting
task_id
start_time
stop_time
elapsed_time
timezone
event
reason
bytes
bytes_in
bytes_out
paks
paks_in
paks_out
status
err_msg

