Date created: Wednesday, December 3, 2014 2:10:01 PM. Last modified: Tuesday, September 22, 2020 9:38:12 AM
Cisco AVPairs
Standard RADIUS Attributes:
Full PPP user:
Framed-Protocol = PPP,
Framed-IP-Address = 10.0.0.1,
Framed-IP-Netmask = 255.255.255.255,
Framed-MTU = 1492,
Framed-Compression = Van-Jacobson-TCP-IP,              # or "None"
Service-Type = Framed-User,                            # or "Framed"
Session-Timeout = 0,                                   # Max time a user may receive service
Idle-Timeout = 300,                                    # Max idle timeout; does not include control traffic
Tunnel-Type = L2TP,
Tunnel-Medium-Type = IP,                               # or "IPv4"
Tunnel-Password = password-returned-to-LAC,
Tunnel-Server-Endpoint = 20.20.20.20,                  # LNS IP returned to LAC
Tunnel-Client-Auth-ID = LAC-username-returned-to-LAC,
Tunnel-Server-Auth-ID = LNS-username-returned-to-LAC
Multiple tunnel end-points (LNSs) using preferences. The lowest Tunnel-Preference value is the highest priority (most preferred); equal values give round-robin. Each LNS gets its own tag (:1:, :2:, ...) and every attribute of that LNS must carry the same tag:
Tunnel-Type = :1:L2TP,
Tunnel-Medium-Type = :1:IPv4,
Tunnel-Client-Auth-ID = :1:lac-username,
Tunnel-Server-Auth-ID = :1:lns1-username,
Tunnel-Password = :1:lns1-password,
Tunnel-Server-Endpoint = :1:10.10.10.10,
Tunnel-Preference = :1:100,
Tunnel-Type += :2:L2TP,
Tunnel-Medium-Type += :2:IPv4,
Tunnel-Client-Auth-ID += :2:lac-username,
Tunnel-Server-Auth-ID += :2:lns2-username,
Tunnel-Password += :2:lns2-password,
Tunnel-Server-Endpoint += :2:20.20.20.20,
Tunnel-Preference += :2:100
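As an added example (not code from the page, Cisco or FreeRADIUS), the following Python groups the tagged tunnel attributes above by their tag, rejects a group that is missing a required attribute, and ranks the groups by Tunnel-Preference the way the text describes (lowest value most preferred, equal values forming the round-robin set). The line format it parses is the FreeRADIUS-style "Attribute (+)= :tag:value" shown on this page; the sample profile is constructed here and gives the second LNS a lower preference so that the ranking is visible. Treating a missing Tunnel-Preference as 0 is this example's assumption, not something the page states.

```python
"""
Group RFC 2868 tagged tunnel attributes by tag and rank the LNS candidates.

Added example; the input format is the "Attribute (+)= :tag:value" list used
on this page, one attribute per line.
"""
import re
from collections import defaultdict

# Constructed sample (not from a live profile): two LNS groups, tag 1 and tag 2.
SAMPLE_PROFILE = """
Tunnel-Type = :1:L2TP
Tunnel-Medium-Type = :1:IPv4
Tunnel-Client-Auth-ID = :1:lac-username
Tunnel-Server-Auth-ID = :1:lns1-username
Tunnel-Password = :1:lns1-password
Tunnel-Server-Endpoint = :1:10.10.10.10
Tunnel-Preference = :1:100
Tunnel-Type += :2:L2TP
Tunnel-Medium-Type += :2:IPv4
Tunnel-Client-Auth-ID += :2:lac-username
Tunnel-Server-Auth-ID += :2:lns2-username
Tunnel-Password += :2:lns2-password
Tunnel-Server-Endpoint += :2:20.20.20.20
Tunnel-Preference += :2:50
"""

# name, optional "+", "=", optional ":tag:", value, optional trailing comma
LINE_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*\+?=\s*(?::(\d+):)?(.*?)\s*,?\s*$')

# Attributes every usable tunnel group must carry (this example's minimum set).
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Server-Endpoint")


def parse_tagged(profile):
    """Return {tag: {attribute: value}}; untagged attributes land under tag 0."""
    groups = defaultdict(dict)
    for line in profile.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable attribute line: {line!r}")
        name, tag, value = m.group(1), m.group(2), m.group(3)
        groups[int(tag) if tag else 0][name] = value
    return dict(groups)


def tunnel_candidates(groups):
    """Validate each tagged group and return [(preference, tag, endpoint)]
    sorted lowest preference first. A group missing a required attribute is
    an error rather than a silently skipped LNS."""
    ranked = []
    for tag, attrs in groups.items():
        if tag == 0:
            continue  # untagged attributes are not part of any tunnel group
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            raise ValueError(f"tunnel tag {tag} missing {missing}")
        # Assumption of this example: no Tunnel-Preference counts as 0.
        pref = int(attrs.get("Tunnel-Preference", 0))
        ranked.append((pref, tag, attrs["Tunnel-Server-Endpoint"]))
    ranked.sort()
    return ranked


def preferred_endpoints(groups):
    """Endpoints sharing the lowest preference value: the round-robin set."""
    ranked = tunnel_candidates(groups)
    if not ranked:
        return []
    best = ranked[0][0]
    return [endpoint for pref, _tag, endpoint in ranked if pref == best]


if __name__ == "__main__":
    g = parse_tagged(SAMPLE_PROFILE)
    print(tunnel_candidates(g))
    print(preferred_endpoints(g))
```

Running it prints the ranked candidates with 20.20.20.20 first; changing the second preference to 100 makes both endpoints members of the round-robin set, and dropping a tag from one attribute moves it into a different group, which is exactly the kind of profile mistake the validation is there to catch.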
Cisco Specific AV Pairs
Taken from Cisco IOS Security Configuration Guide - RADIUS Vendor-Specific Attributes (VSA) http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat3.pdf
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named “cisco-avpair.”
The value is a string of the following format:
protocol : attribute sep value *
“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, OUTBOUND. “Attribute” and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and “sep” is “=” for mandatory attributes and “*” for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be activated during IP authorization (during PPP’s IPCP address assignment):
cisco-avpair = "ip:addr-pool=first"
If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made optional.
cisco-avpair = "ip:addr-pool*first"
The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:
cisco-avpair = "shell:priv-lvl=15"
Cisco new style ("ip") VSAs
# Assign a DHCP pool already configured on the LNS
Cisco-AVPair = "ip:addr-pool="

# Push two static routes to the LNS which route via this PPP session and another backup path
Cisco-AVPair = "ip:route=192.168.0.0 255.255.255.0 0.0.0.0 150 tag 150",
Cisco-AVPair += "ip:route=192.168.0.0 255.255.255.0 10.0.0.2 160 tag 160"

# Static route inside a VRF:
Cisco-AVPair = "ip:route=vrf CUST-ABC 192.168.0.0 255.255.255.0 10.0.0.2"

# Set VAI in VRF
Cisco-AVPair = "ip:vrf-id=CUST-ABC"

# Set VAI QoS policy
Cisco-AVPair = "ip:sub-qos-policy-out=PM-ADSL-3-LEVEL-QOS"
Cisco-AVPair = "ip:sub-qos-policy-in="
Cisco-AVPair = "ip:qos-policy-out="
Cisco-AVPair = "ip:qos-policy-in="

# The old style "lcp:interface-config=rate-limit input/output" policer isn't supported on newer boxes like the ASR1Ks; instead a policy map with a policer must be applied
Cisco-AVPair += "ip:sub-qos-policy-in=PM-10M-POLICE"
Cisco-AVPair += "ip:sub-qos-policy-out=PM-10M-POLICE"

# ...with the matching policy map configured on the router:
policy-map PM-10M-POLICE
 class class-default
  police 10240000 1920000 3840000 conform-action transmit exceed-action drop

# Set VAI unnumbered loopback interface
Cisco-AVPair = "ip:ip-unnumbered=Loopback1610"

# OTHERS

# DNS servers
Cisco-AVPair = "ip:dns-servers=10.0.0.1 10.0.0.2"

# Traffic Class
Cisco-AVPair = "ip:traffic-class="

# Interface ACL config specified in-line in the RADIUS profile
Cisco-AVPair = "ip:inacl=permit icmp 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255"
Cisco-AVPair = "ip:outacl="
# Interface ACL that is pre-defined on the router called "myacl", and the direction to apply the ACL is outbound:
Filter-Id = "myacl.out"

# I think these are used for AAA/Firewall rules being stored in RADIUS?
Cisco-AVPair = "ip:source-ip=11.22.33.44"
Cisco-AVPair = "ip:source-port=1111"
Cisco-AVPair = "ip:destination-ip=55.66.77.88"
Cisco-AVPair = "ip:destination-port=2222"
Cisco old style ("lcp") VSAs
The lcp:interface-config command forces the router to create full VAIs instead of subinterface VAIs. Full VAIs consume more memory and are less scalable, and they follow a significantly slower and different path when sessions are established.
# Old style lcp AV pairs can be used together with new style ip values. There is no ip value for uRPF, for example, so it has to be enabled with:
Cisco-AVPair = "lcp:interface-config=ip verify unicast reverse-path"

# Set VAI in VRF
Cisco-AVPair = "lcp:interface-config=ip vrf forwarding CUST-ABC"

# Set VAI inbound VRF (add the PPP session IP to the VRF table to use with PBR)
Cisco-AVPair = "lcp:interface-config=ip vrf receive CUST-1-VRF"

# Set multiple AV pairs that need to be applied in order, using # with an integer
Cisco-AVPair = "lcp:interface-config#1=ip policy route-map CUST-MGMT-PBR",
Cisco-AVPair += "lcp:interface-config#2=ip vrf receive CUST-1-VRF",
Cisco-AVPair += "lcp:interface-config#3=ip vrf receive MGMT-VRF"

# Set VAI keepalive timer
Cisco-AVPair = "lcp:interface-config=keepalive 2 5"

# Set VAI Policy Based Routing route-map
Cisco-AVPair = "lcp:interface-config=ip policy route-map MY-PBR-MAP"

# Set VAI Policer (on newer platforms after the 7200s, like the ASR1Ks, this must be a policy map)
Cisco-AVPair = "lcp:interface-config=rate-limit input 256000 7500 7500 conform-action transmit exceed-action drop",
Cisco-AVPair += "lcp:interface-config=rate-limit output 1024000 20000 20000 conform-action transmit exceed-action drop"

# Set VAI QoS policy
Cisco-AVPair = "lcp:interface-config=service-policy output PM-ADSL-8M-POLICE"

# Set VAI unnumbered loopback interface
Cisco-AVPair = "lcp:interface-config=ip unnumbered Loopback100"

# Disable IP uRPF on VAI
Cisco-AVPair = "lcp:interface-config=no ip verify unicast reverse-path"
# Enable a NetFlow exporter per subscriber
Cisco-AVPair += "lcp:interface-config=ip flow monitor flow_v5_monitor input"
Cisco-AVPair += "lcp:interface-config=ip flow monitor flow_v5_monitor output"
Adding multiple AV pairs in order:
Cisco-AVPair = "lcp:interface-config#1=ip policy route-map MY-PBR-MAP",
Cisco-AVPair += "lcp:interface-config#2=ip vrf receive CUST-ABC",
Cisco-AVPair += "lcp:interface-config#3=ip unnumbered Loopback100"
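The "protocol : attribute sep value" format quoted from the Cisco guide above, and the "#n" ordering convention used in the lcp:interface-config examples, can both be checked by one small parser. The following is an added example (not code from the page, Cisco or FreeRADIUS): it splits a cisco-avpair string into protocol, attribute, optional index, mandatory/optional flag and value, orders lcp:interface-config entries by their index, and reports the shell:priv-lvl a profile grants, which is useful when auditing reply profiles for unintended full EXEC access. The protocol list is the one on this page plus "lcp"; the rule that indexed and unindexed interface-config entries may not be mixed, and that duplicate indexes are an error, is this example's own assumption.

```python
"""
Parse Cisco AV pairs:  protocol:attribute[#n]<sep>value
  sep "=" marks a mandatory attribute, "*" an optional one (per the Cisco text
  quoted on this page); "#n" orders multiple lcp:interface-config entries.

Added example; the protocol set and the "#n" convention come from this page,
the mixing/duplicate rules in ordered_interface_config are assumptions.
"""
import re

# Protocols named in the Cisco text above, plus "lcp" used by the old style VSAs.
KNOWN_PROTOCOLS = {"ip", "ipx", "vpdn", "voip", "shell", "rsvp", "sip",
                   "airnet", "outbound", "lcp"}

# protocol, attribute, optional "#n", separator "=" or "*", value (may contain spaces)
AVPAIR_RE = re.compile(r'^([a-z]+):([A-Za-z][\w-]*)(?:#(\d+))?([=*])(.*)$', re.S)


def parse_avpair(s):
    """Return {protocol, attribute, index, mandatory, value} for one AV pair."""
    m = AVPAIR_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a cisco-avpair: {s!r}")
    proto, attr, idx, sep, value = m.groups()
    if proto not in KNOWN_PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r} in {s!r}")
    return {
        "protocol": proto,
        "attribute": attr,
        "index": int(idx) if idx is not None else None,
        "mandatory": sep == "=",   # "*" would make the NAS treat it as optional
        "value": value,
    }


def ordered_interface_config(avpairs):
    """Return the lcp:interface-config values in the order their '#n' index
    dictates, regardless of the order they appear in the profile.
    Assumption: either all entries are indexed or none are; duplicates are errors."""
    entries = [p for p in (parse_avpair(s) for s in avpairs)
               if p["protocol"] == "lcp" and p["attribute"] == "interface-config"]
    indexed = [p for p in entries if p["index"] is not None]
    if indexed and len(indexed) != len(entries):
        raise ValueError("mix of indexed and unindexed lcp:interface-config entries")
    if not indexed:
        return [p["value"] for p in entries]
    by_index = {}
    for p in indexed:
        if p["index"] in by_index:
            raise ValueError(f"duplicate lcp:interface-config#{p['index']}")
        by_index[p["index"]] = p["value"]
    return [by_index[i] for i in sorted(by_index)]


def privilege_level(avpairs):
    """The shell:priv-lvl granted by a profile, or None. 15 is the highest
    IOS privilege level and gives immediate full EXEC access."""
    for s in avpairs:
        p = parse_avpair(s)
        if p["protocol"] == "shell" and p["attribute"] == "priv-lvl":
            return int(p["value"])
    return None


# Constructed sample profile: the ordered entries above, deliberately shuffled,
# with one unrelated ip: attribute mixed in.
SAMPLE_AVPAIRS = [
    "lcp:interface-config#3=ip unnumbered Loopback100",
    "ip:vrf-id=CUST-ABC",
    "lcp:interface-config#1=ip policy route-map MY-PBR-MAP",
    "lcp:interface-config#2=ip vrf receive CUST-ABC",
]

if __name__ == "__main__":
    for cmd in ordered_interface_config(SAMPLE_AVPAIRS):
        print(cmd)
    print(parse_avpair("ip:addr-pool*first"))
    print(privilege_level(["shell:priv-lvl=15"]))
```

The parser deliberately refuses unknown protocols and malformed strings instead of guessing, so a typo such as "Cisco-ACPair" on the attribute name, or a missing separator inside the value, surfaces as an error when a profile is linted rather than as a silently ignored line on the NAS.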