| Attribute | Description |
| --- | --- |
| service=x | The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. |
| protocol=x | A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, and unknown. |
| acl=x | ASCII number representing a connection access list. Used only when service=shell. |
| inacl=x | ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. Per-user access lists do not currently work with ISDN interfaces. |
| inacl#<n> | ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces. |
| outacl=x | ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. |
| outacl#<n> | ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces. |
| zonelist=x | A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). |
| addr=x | A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=10.2.3.4. |
| addr-pool=x | Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip. Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip local pool command to declare local pools. For example: `ip address-pool local`; `ip local pool boo 10.0.0.1 10.0.0.10`; `ip local pool moo 10.0.0.1 10.0.0.20`. You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address. |
| routing=x | Specifies whether routing information is to be propagated to and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). |
| route | Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip. During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows: `route="dst_address mask [gateway]"`. This indicates a temporary static route that is to be applied. The dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server. If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates. |
| route#<n> | Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. |
| timeout=x | The number of minutes before an EXEC, PPP or ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. When used with service=ppp and protocol=lcp (not used for serial connections), this value must be in seconds. |
| idletime=x | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. |
| autocmd=x | Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. |
| noescape=x | Prevents the user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). |
| nohangup=x | Used with service=shell. Specifies the nohangup option, which means that after an EXEC shell is terminated, the user is presented with another login (username) prompt. Can be either true or false (for example, nohangup=false). |
| priv-lvl=x | Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. |
| callback-dialstring | Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service might choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
| callback-line | The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
| callback-rotary | The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
| nocallback-verify | Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. |
| tunnel-id | Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. |
| ip-addresses | Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. |
| nas-password | Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
| gw-password | Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
| rte-ftr-in#<n> | Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| rte-ftr-out#<n> | Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| sap#<n> | Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. |
| sap-fltr-in#<n> | Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
| sap-fltr-out#<n> | Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
| pool-def#<n> | Defines IP address pools on the network access server. Used with service=ppp and protocol=ip. |
| pool-timeout= | Defines (in conjunction with pool-def) IP address pools on the network access server. During IPCP address negotiation, if an IP pool name is specified for a user (see the addr-pool attribute), a check is made to see if the named pool is defined on the network access server. If it is, the pool is consulted for an IP address. |
| source-ip=x | Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. |
| max-links=<n> | Restricts the number of links that a user can have in a multilink bundle. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
| load-threshold=<n> | Sets the load threshold at which additional links are either added to or deleted from the multilink bundle. If the load goes above the specified value, additional links are added. If the load goes below the specified value, links are deleted. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
| interface-config= | Specifies user-specific AAA interface configuration information with virtual profiles. The information that follows the equal sign (=) can be any Cisco IOS interface configuration command. |
| ppp-vj-slot-compression | Instructs the Cisco router not to use slot compression when sending Van Jacobson-compressed packets over a PPP link. |
| link-compression= | Defines whether to turn on or turn off "stac" compression over a PPP link. Link compression is defined as a numeric value as follows: 0: None; 1: Stac; 2: Stac-Draft-9; 3: MS-Stac. |
| old-prompts | Allows providers to make the prompts in TACACS+ appear identical to those of earlier systems (TACACS and Extended TACACS). This allows administrators to upgrade from TACACS/Extended TACACS to TACACS+ transparently to users. |
| dns-servers= | Identifies a DNS server (primary or secondary) that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each DNS server is entered in dotted decimal format. |
| wins-servers= | Identifies a Windows NT server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each Windows NT server is entered in dotted decimal format. |
      
      
         
| Attribute | Description |
| --- | --- |
| service | The service the user used. |
| port | The port the user was logged in to. |
| task_id | Start and stop records for the same event must have matching (unique) task_id numbers. |
| start_time | The time the action started (in seconds since the epoch, 12:00 a.m. Jan 1 1970). The clock must be configured to receive this information. |
| stop_time | The time the action stopped (in seconds since the epoch). The clock must be configured to receive this information. |
| elapsed_time | The elapsed time in seconds for the action. Useful when the device does not keep real time. |
| timezone | The time zone abbreviation for all timestamps included in this packet. |
| priv_level | The privilege level associated with the action. |
| cmd | The command the user executed. |
| protocol | The protocol associated with the action. |
| bytes_in | The number of input bytes transferred during this connection. |
| bytes_out | The number of output bytes transferred during this connection. |
| paks_in | The number of input packets transferred during this connection. |
| paks_out | The number of output packets transferred during this connection. |
| event | Information included in the accounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping. |
| reason | Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or when accounting is reconfigured (turned on or off). |
| mlp-sess-id | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. This attribute is sent in authentication-response packets. |
| mlp-links-max | Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. |
| disc-cause | Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. |
| disc-cause-ext | Extends the disc-cause attribute to support vendor-specific reasons that a connection was taken off-line. |
| pre-bytes-in | Records the number of input bytes before authentication. This attribute is sent in accounting-stop records. |
| pre-bytes-out | Records the number of output bytes before authentication. This attribute is sent in accounting-stop records. |
| pre-paks-in | Records the number of input packets before authentication. This attribute is sent in accounting-stop records. |
| pre-paks-out | Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
| pre-session-time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. |
| data-rate | Specifies the average number of bits per second over the course of the connection's lifetime. This attribute is sent in accounting-stop records. |
| xmit-rate | Reports the transmit speed negotiated by the two modems. |
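
Because start and stop records for one event share a task_id, an accounting log can be reconciled to find sessions that never closed and stop records that arrived with no start. The following is an added example, not Cisco code: the record-type field, the function names and every sample value are assumptions, and only the attribute names come from the table above.

```python
# Constructed accounting records as (record type, AV pairs). The record-type
# field and all values are assumptions of this example; attribute names are
# the ones in the table above.
RECORDS = [
    ("start", ["task_id=11", "service=shell", "port=tty2", "start_time=1700000000"]),
    ("stop", ["task_id=11", "service=shell", "port=tty2", "stop_time=1700000090",
              "priv_level=15"]),
    ("stop", ["task_id=12", "service=ppp", "port=Async5", "disc-cause=1",
              "pre-bytes-in=420", "pre-session-time=3"]),
    ("start", ["task_id=13", "service=ppp", "port=Async6"]),
    ("start", ["task_id=14", "service=ppp", "port=Async7"]),
    ("stop", ["task_id=14", "service=ppp", "port=Async7", "elapsed_time=45"]),
    ("stop", ["task_id=15", "service=shell", "port=tty3", "elapsed_time=5"]),
]


def duration(start, stop):
    """Prefer stop_time - start_time; fall back to elapsed_time, which the
    table notes is useful when the device does not keep real time."""
    if "start_time" in start and "stop_time" in stop:
        return int(stop["stop_time"]) - int(start["start_time"])
    if "elapsed_time" in stop:
        return int(stop["elapsed_time"])
    return None


def correlate(records):
    """Pair start and stop records by task_id; report what does not pair up."""
    open_starts, sessions, notes = {}, [], []
    for kind, pairs in records:
        av = dict(pair.split("=", 1) for pair in pairs)
        task = av.get("task_id")
        if kind not in ("start", "stop"):
            notes.append(("unknown-record-type", kind))
        elif task is None:
            notes.append(("missing-task-id", av.get("port")))
        elif kind == "start":
            if task in open_starts:
                notes.append(("duplicate-start", task))
            open_starts[task] = av
        elif task in open_starts:
            begin = open_starts.pop(task)
            if (begin.get("service"), begin.get("port")) != (av.get("service"), av.get("port")):
                notes.append(("service-or-port-mismatch", task))
            sessions.append((task, av.get("service"), duration(begin, av)))
        elif "disc-cause" in av:
            # Stop with no start: disconnection before authentication.
            notes.append(("pre-auth-disconnect", task))
        else:
            notes.append(("stop-without-start", task))
    notes.extend(("no-stop-yet", task) for task in open_starts)
    return sessions, notes
```

A stop record without a start that carries disc-cause matches the behaviour the disc-cause row describes; one without it points to a lost start record or a gap in accounting.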