Date created: 12/03/14 14:10:01. Last modified: 03/03/17 08:57:08

Cisco AVPairs

Standard RADIUS Attributes:

Full PPP user:

Framed-Protocol = PPP,
Framed-IP-Address = 10.0.0.1,
Framed-IP-Netmask = 255.255.255.255,
Framed-MTU = 1492,
Framed-Compression = Van-Jacobson-TCP-IP, or "None"
Service-Type = Framed-User, or "Framed"
Session-Timeout = 0 # Max time a user may receive service
Idle-Timeout = 300 # Max idle time out does not include control traffic

Tunnel-Type = L2TP,
Tunnel-Medium-Type = IP, or "IPv4"
Tunnel-Password = password-returned-to-LAC,
Tunnel-Server-Endpoint = 20.20.20.20, # LNS IP returned to LAC
Tunnel-Client-Auth-ID = LAC-username-returned-to-LAC,
Tunnel-Server-Auth-ID = LNS-username-returned-to-LAC

 

Multiple tunnel end-points (LNS') using preferences, lowest is higher priority (more preferred), equal for round-robin:

Tunnel-Type = :1:L2TP,
Tunnel-Medium-Type = :1:IPv4,
Tunnel-Client-Auth-ID = :1:lac-username,
Tunnel-Server-Auth-ID = :1:lns1-username,
Tunnel-Password = :1:lns1-password,
Tunnel-Server-Endpoint = :1:10.10.10.10,
Tunnel-Preference = :1:100,
Tunnel-Type += :2:L2TP,
Tunnel-Medium-Type += :2:IPv4,
Tunnel-Client-Auth-ID += :2:lac-username,
Tunnel-Server-Auth-ID += :1:lns2-username,
Tunnel-Password += :1:lns1-password,
Tunnel-Server-Endpoint += :2:20.20.20.20
Tunnel-Preference += :1:100

Cisco Specific AV Pairs

Taken from Cisco IOS Security Configuration Guide - RADIUS Vendor-Specific Attributes (VSA) http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat3.pdf

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named “cisco-avpair.”

The value is a string of the following format:
protocol : attribute sep value *

“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP , SHELL, RSVP, SIP, AIRNET, OUTBOUND. “Attribute” and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and “sep” is “=” for mandatory attributes and “*” for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be activated during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair= ”ip:addr-pool=first“

If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made optional.
cisco-avpair= ”ip:addr-pool*first“

The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“

Cisco new style ("ip") VSAs

# Assign a DHCP pool already configured on the LNS
Cisco-AVPair = "ip:addr-pool="

# Push two static routes to the LNS which route via the this PPP session and another backup path
Cisco-AVPair = "ip:route=192.168.0.0 255.255.255.0 0.0.0.0 150 tag 150",
Cisco-AVPair += "ip:route=192.168.0.0 255.255.255.0 10.0.0.2 160 tag 160"

# Static route insite vrf:
Cisco-AVPair = "ip:route=vrf CUST-ABC 192.168.0.0 255.255.255.0 10.0.0.2"

# Set VAI in VRF
Cisco-AVpair = "ip:vrf-id=CUST-ABC"

# Set VAI QoS policy
Cisco-AVPair = "ip:sub-qos-policy-out=PM-ADSL-3-LEVEL-QOS"
Cisco-AVPair = "ip:sub-qos-policy-in="
Cisco-AVPair = "ip:qos-policy-out="
Cisco-AVPair = "ip:qos-policy-in="
# The old style "lcp:interface-config=rate-limit input/output" policer isn't supported for newer boxes like the ASR1K's, instead a policy map with a policer must be applied
Cisco-AVPair += ip:sub-qos-policy-in=PM-10M-POLICE
Cisco-AVPair += ip:sub-qos-policy-out=PM-10M-POLICE

policy-map PM-10M-POLICE
 class class-default
  police 10240000 1920000 3840000 conform-action transmit  exceed-action drop

# Set VAI unnumbered loopback interface
Cisco-AVpair = "ip:ip-unnumbered=Loopback1610"


# OTHERS

# DNS servers
Cisco-AVPair = "ip:dns-servers=10.0.0.1 10.0.0.2"

# Traffic Class
Cisco-ACPair = "ip:traffic-class="

# Interface ACL
Cisco-AVPair = "ip:inacl=permit icmp 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255"
Cisco-AVPair = "ip:outacl="

# I think these are used for AAA/Firewall rules being stored in RADIUS?
Cisco-AVPair = "ip:source-ip=11.22.33.44"
Cisco-AVPair = "ip:source-port=1111"
Cisco-AVPair = "ip:destination-ip=55.66.77.88"
Cisco-AVPair = "ip:destination-port=2222"

 

Cisco old style ("lcp") VSAs The lcp:interface-config command forces the router to create full VAIs instead of subinterface VAIs. Full VAIs consume more memory and are less scalable, and they follow a significantly slower and different path when sessions are established.

# Set VAI in VRF
# Old stype lcp AV pairs can be used with new style IP values, there is no IP value for uRPF for example so it has to be enabled with
Cisco AV-pair = "lcp:interface-config=ip verify unicast reverse-path"

Cisco-Avpair = "lcp:interface-config=ip vrf forwarding CUST-ABC"

# Set VAI inboud VRF (add the PPP session IP to the VRF table to use with PBR)
Cisco-AVPair = "lcp:interface-config=ip vrf receive CUST-1-VRF"

# Set multiple AV pairs that need to be in order using # with integer
Cisco-AVPair = "lcp:interface-config#1=ip policy route-map CUST-MGMT-PBR",
Cisco-AVPair += "lcp:interface-config#2=ip vrf receive CUST-1-VRF",
Cisco-AVPair += "lcp:interface-config#3=ip vrf receive MGMT-VRF"

# Set VAI keepalive timer
Cisco-AVPair = "lcp:interface-config=keepalive 2 5"

# Set VAI Policy Based Routing route-map
Cisco-AVPair = "lcp:interface-config=ip policy route-map MY-PBR-MAP"

# Set VAI Policer (on newer platforms after the 7200's like the ASR1K's this must be a policy map)
Cisco-AVPair = "lcp:interface-config=rate-limit input 256000 7500 7500 conform-action transmit exceed-action drop",                      
Cisco-AVPair += "lcp:interface-config=rate-limit output 1024000 20000 20000 conform-action transmit exceed-action drop"

# Set VAI QoS policy
Cisco-AVPair = "lcp:interface-config=service-policy output PM-ADSL-8M-POLICE"

# Set VAI unnumbered loopback interface
Cisco-AVPair = "lcp:interface-config=ip unnumbered Loopback100"

# Disable IP uRPF on VAI
Cisco-AVPair = "lcp:interface-config=no ip verify unicast reverse-path"

# Enable NetFlow explorter per subscriber
Cisco-AVPair += "lcp:interface-config=ip flow monitor flow_v5_monitor input"
Cisco-AVPair += "lcp:interface-config=ip flow monitor flow_v5_monitor output

 

Adding multiple AVPairs in order:

Cisco-AVPair = "lcp:interface-config#1=ip policy route-map MY-PBR-MAP",
Cisco-AVPair += "lcp:interface-config#2=ip vrf receive CUST-ABC",
Cisco-AVPair += "lcp:interface-config#3=ip unnumbered Loopback100"