| Attribute | Description |
|---|---|
| `service=x` | The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. |
| `protocol=x` | A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, and unknown. |
| `acl=x` | ASCII number representing a connection access list. Used only when service=shell. |
| `inacl=x` | ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. Per-user access lists do not currently work with ISDN interfaces. |
| `inacl#<n>` | ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces. |
| `outacl=x` | ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. |
| `outacl#<n>` | ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces. |
| `zonelist=x` | A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). |
| `addr=x` | A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=10.2.3.4. |
| `addr-pool=x` | Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip. addr-pool works in conjunction with local pooling: it names a local pool, which must be preconfigured on the network access server with the ip local pool command. For example: ip address-pool local; ip local pool boo 10.0.0.1 10.0.0.10; ip local pool moo 10.0.0.1 10.0.0.20. TACACS+ can then return addr-pool=boo or addr-pool=moo to indicate the address pool from which this remote node's address is to be taken. |
| `routing=x` | Specifies whether routing information is to be propagated to and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can be either true or false (for example, routing=true). |
| `route` | Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip. During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows: route="dst_address mask [gateway]". This indicates a temporary static route that is to be applied. The dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server. If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates. |
| `route#<n>` | Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| `timeout=x` | The number of minutes before an EXEC, PPP, or ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. When used with service=ppp and protocol=lcp (not used for serial connections), this value must be in seconds. |
| `idletime=x` | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. |
| `autocmd=x` | Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. |
| `noescape=x` | Prevents the user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). |
| `nohangup=x` | Used with service=shell. Specifies the nohangup option, which means that after an EXEC shell is terminated, the user is presented with another login (username) prompt. Can be either true or false (for example, nohangup=false). |
| `priv-lvl=x` | Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. |
| `callback-dialstring` | Sets the telephone number for a callback (for example, callback-dialstring=408-555-1212). Value is NULL or a dial string. A NULL value indicates that the service might choose to get the dial string through other means. Used with service=arap, service=slip, service=ppp, and service=shell. Not valid for ISDN. |
| `callback-line` | The number of a TTY line to use for callback (for example, callback-line=4). Used with service=arap, service=slip, service=ppp, and service=shell. Not valid for ISDN. |
| `callback-rotary` | The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example, callback-rotary=34). Used with service=arap, service=slip, service=ppp, and service=shell. Not valid for ISDN. |
| `nocallback-verify` | Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, and service=shell. There is no authentication on callback. Not valid for ISDN. |
| `tunnel-id` | Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. |
| `ip-addresses` | Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. |
| `nas-password` | Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
| `gw-password` | Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
| `rte-ftr-in#<n>` | Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| `rte-ftr-out#<n>` | Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| `sap#<n>` | Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. |
| `sap-fltr-in#<n>` | Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
| `sap-fltr-out#<n>` | Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
| `pool-def#<n>` | Defines IP address pools on the network access server. Used with service=ppp and protocol=ip. |
| `pool-timeout=` | Defines (in conjunction with pool-def) IP address pools on the network access server. During IPCP address negotiation, if an IP pool name is specified for a user (see the addr-pool attribute), a check is made to see whether the named pool is defined on the network access server. If it is, the pool is consulted for an IP address. |
| `source-ip=x` | Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. |
| `max-links=<n>` | Restricts the number of links that a user can have in a multilink bundle. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
| `load-threshold=<n>` | Sets the load threshold at which additional links are either added to or deleted from the multilink bundle. If the load goes above the specified value, additional links are added. If the load goes below the specified value, links are deleted. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
| `interface-config=` | Specifies user-specific AAA interface configuration information with virtual profiles. The information that follows the equal sign (=) can be any Cisco IOS interface configuration command. |
| `ppp-vj-slot-compression` | Instructs the Cisco router not to use slot compression when sending Van Jacobson-compressed packets over a PPP link. |
| `link-compression=` | Defines whether to turn "stac" compression on or off over a PPP link. Link compression is given as a numeric value: 0 = None, 1 = Stac, 2 = Stac-Draft-9, 3 = MS-Stac. |
| `old-prompts` | Allows providers to make the prompts in TACACS+ appear identical to those of earlier systems (TACACS and Extended TACACS). This allows administrators to upgrade from TACACS/Extended TACACS to TACACS+ transparently to users. |
| `dns-servers=` | Identifies a DNS server (primary or secondary) that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each DNS server is entered in dotted-decimal format. |
| `wins-servers=` | Identifies a Windows NT server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each Windows NT server is entered in dotted-decimal format. |
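The table is effectively a contract between the TACACS+ server and the network access server, and the attributes that matter most for security are the ones the NAS applies blindly once the reply arrives: a priv-lvl outside 0 to 15, an access list sent with the wrong service, a route whose fields are not dotted decimal. The validator below is an added example, not Cisco code and not part of the original page; it encodes the table's mandatory service attribute, its value ranges, and its service/protocol contexts, and lists every problem in a reply before the reply would be applied. The attribute names, ranges, and contexts are taken from the table; the `=` (mandatory) versus `*` (optional) separator and the rule that an unknown mandatory attribute fails authorization come from the TACACS+ protocol (RFC 8907) rather than from this page; the sample replies in the usage are constructed.

```python
import ipaddress
import re

# Value sets and attribute names copied from the table above. A trailing '#'
# marks the numbered form (inacl#<n>), looked up separately from the plain one.
SERVICES = {"slip", "ppp", "arap", "shell", "tty-daemon", "connection", "system"}
PROTOCOLS = {"lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet",
             "rlogin", "pad", "vpdn", "osicp", "deccp", "ccp", "cdp", "bridging", "xns",
             "nbf", "bap", "multilink", "unknown"}
KNOWN = set("""service protocol acl inacl inacl# outacl outacl# zonelist addr addr-pool
    routing route route# timeout idletime autocmd noescape nohangup priv-lvl
    callback-dialstring callback-line callback-rotary nocallback-verify tunnel-id
    ip-addresses nas-password gw-password rte-ftr-in# rte-ftr-out# sap# sap-fltr-in#
    sap-fltr-out# pool-def# pool-timeout source-ip max-links load-threshold
    interface-config ppp-vj-slot-compression link-compression old-prompts
    dns-servers wins-servers""".split())

# attribute -> (services the table allows it with, protocols it allows or None
# when the row names no protocol). Rows without an explicit context are omitted.
CONTEXTS = {
    "acl": ({"shell"}, None), "priv-lvl": ({"shell"}, None),
    "autocmd": ({"shell"}, None), "noescape": ({"shell"}, None),
    "nohangup": ({"shell"}, None), "zonelist": ({"arap"}, None),
    "inacl": ({"ppp"}, {"ip"}), "inacl#": ({"ppp"}, {"ip", "ipx"}),
    "outacl": ({"ppp"}, {"ip", "ipx"}), "outacl#": ({"ppp"}, {"ip", "ipx"}),
    "addr": ({"slip", "ppp"}, {"ip"}), "addr-pool": ({"ppp"}, {"ip"}),
    "routing": ({"slip", "ppp"}, {"ip"}), "route": ({"slip", "ppp"}, {"ip"}),
    "route#": ({"ppp"}, {"ip", "ipx"}), "tunnel-id": ({"ppp"}, {"vpdn"}),
    "max-links": ({"ppp"}, {"multilink"}), "load-threshold": ({"ppp"}, {"multilink"}),
}


def _int_range(lo, hi):
    # Checker for an unsigned decimal value within [lo, hi].
    return lambda v: v.isdigit() and lo <= int(v) <= hi


def _ipv4(v):
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False


def _route(v):
    # route="dst_address mask [gateway]", every field dotted decimal.
    parts = v.strip('"').split()
    return len(parts) in (2, 3) and all(_ipv4(p) for p in parts)


def _bool(v):
    return v in ("true", "false")


VALUE_CHECKS = {
    "service": lambda v: v in SERVICES, "protocol": lambda v: v in PROTOCOLS,
    "priv-lvl": _int_range(0, 15), "max-links": _int_range(1, 255),
    "load-threshold": _int_range(1, 255), "callback-rotary": _int_range(0, 100),
    "link-compression": _int_range(0, 3), "timeout": _int_range(0, 10**9),
    "idletime": _int_range(0, 10**9), "nocallback-verify": lambda v: v == "1",
    "routing": _bool, "noescape": _bool, "nohangup": _bool,
    "addr": _ipv4, "source-ip": _ipv4, "route": _route, "route#": _route,
}

# attr=value is mandatory, attr*value optional (TACACS+ protocol, RFC 8907);
# the table's attr#<n> numbering is captured as a separate group.
AVPAIR = re.compile(r"^([a-z][a-z-]*)(#\d+)?([=*])(.*)$")


def parse_avpair(text):
    """Return (key, n, mandatory, value); key ends in '#' for numbered attributes."""
    m = AVPAIR.match(text)
    if not m:
        raise ValueError(f"malformed AV pair: {text!r}")
    name, num, sep, value = m.groups()
    return name + ("#" if num else ""), (int(num[1:]) if num else None), sep == "=", value


def validate_reply(avpairs):
    """List every problem in an authorization reply; [] means it is safe to apply."""
    parsed = [parse_avpair(p) for p in avpairs]
    attrs = {key: value for key, _, _, value in parsed}
    service, protocol = attrs.get("service"), attrs.get("protocol")
    problems = [] if service else ["service attribute is mandatory but missing"]
    for key, _, mandatory, value in parsed:
        if key not in KNOWN:
            # RFC 8907: an unknown mandatory argument fails authorization;
            # an unknown optional one is simply ignored.
            if mandatory:
                problems.append(f"{key}: unknown mandatory attribute")
            continue
        if key in VALUE_CHECKS and not VALUE_CHECKS[key](value):
            problems.append(f"{key}: bad value {value!r}")
        if key in CONTEXTS and service:
            services, protocols = CONTEXTS[key]
            if service not in services:
                problems.append(f"{key}: not valid with service={service}")
            elif protocols and protocol and protocol not in protocols:
                problems.append(f"{key}: not valid with protocol={protocol}")
    return problems


def expand_route(value, peer_addr):
    """Apply the route rule from the table: the gateway defaults to the peer's address."""
    parts = value.strip('"').split()
    if len(parts) == 2:
        parts.append(peer_addr)
    dst, mask, gateway = parts
    return dst, mask, gateway
```

With a constructed PPP/IP reply such as `["service=ppp", "protocol=ip", "addr=10.2.3.4", "inacl#1=101", 'route="10.9.0.0 255.255.0.0"']`, `validate_reply` returns an empty list, whereas `["service=shell", "priv-lvl=16", "max-links=2"]` yields both a range error for priv-lvl and a context error for max-links. The protocol check is only applied when the reply carries a protocol attribute, since the table lists service=slip rows without one; a deployment that always expects protocol for PPP network authorization can tighten that test.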