06-02-2016 10:58 AM - edited 06-30-2023 06:15 AM
See the Internet Assigned Numbers Authority's RADIUS Types document for the authoritative list of RADIUS types and values.
See the fantastic collection of RADIUS Vendor Dictionaries for 3rd Parties if you don't see what you need here.
Legacy RADIUS Dictionary file for Cisco AireOS Controller
The RADIUS dictionary below is provided in ISE by default.
| Attribute | # | Type | ISE Version | Available | Usage Description |
|---|---|---|---|---|---|
| Aire-Data-Bandwidth-Average-DownStream-Contract | 7 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile. |
| Aire-Data-Bandwidth-Average-UpStream-Contract | 13 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile. |
| Aire-Data-Bandwidth-Burst-DownStream-Contract | 9 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right. |
| Aire-Data-Bandwidth-Burst-UpStream-Contract | 15 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile. |
| Aire-Real-Time-Bandwidth-Average-DownStream-Contract | 8 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile. |
| Aire-Real-Time-Bandwidth-Average-UpStream-Contract | 14 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Real Time Bandwidth Average Contract value overrides the Average Real-Time Rate value present in the WLAN or QoS Profile. |
| Aire-Real-Time-Bandwidth-Burst-DownStream-Contract | 10 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile. |
| Aire-Real-Time-Bandwidth-Burst-UpStream-Contract | 16 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile. |
| Airespace-8021p-Tag | 4 | string | | Authentication, Authorization | 802.1p VLAN tag received from the client, defining the access priority. This tag maps to the QoS Level for client-to-network packets. This attribute defines the 802.1p priority to be applied to the client. When present in a RADIUS Access-Accept, the 802.1p value overrides the default specified in the WLAN profile. |
| Airespace-ACL-Name | 6 | string | | Authentication, Authorization | Match based on the Airespace-ACL-Name assigned to the user. |
| Airespace-DSCP | 3 | string | | Authentication, Authorization | Match based on Airespace-DSCP. This value might be assigned to an entire WLAN, or it can be returned as part of the Access-Accept from the RADIUS server. |
| Airespace-Guest-Role-Name | 11 | string | | Authentication, Authorization | Match based on the Airespace-Guest-Role value. Normally the attribute value is initially assigned by the RADIUS server during the authentication process. The goal of the attribute is to assign a QoS role to a guest user. |
| Airespace-Interface-Name | 5 | string | | Authentication, Authorization | Match based on the Interface Name value. The Interface-Name attribute indicates the VLAN interface a client is to be associated to. Note: this attribute only works when MAC filtering is enabled or if 802.1X or WPA is used as the security policy. |
| Airespace-QOS-Level | 2 | string | | Authentication, Authorization | Match based on QoS Level. The QoS-Level attribute indicates the Quality of Service level to be applied to the mobile client's traffic within the switching fabric, as well as over the air. |
| Airespace-Wlan-Id | 1 | string | | Authentication, Authorization | Match based on the WLAN ID value. On a single WLC each WLAN has a unique ID; at the same time, on different WLCs the SSID name might be identical while the WLAN ID value might differ. |
| Attribute | # | Type | ISE Version | Usage Description |
|---|---|---|---|---|
| Alcatel-Acce-Priv-F-R1 | 39 | hex | | Configures functional read privileges for the user. |
| Alcatel-Acce-Priv-F-R2 | 40 | hex | | Configures functional read privileges for the user. |
| Alcatel-Acce-Priv-F-W1 | 41 | hex | | Configures functional write privileges for the user. |
| Alcatel-Acce-Priv-F-W2 | 42 | hex | | Configures functional write privileges for the user. |
| Alcatel-Acce-Priv-G1 | 37 | | | |
| Alcatel-Acce-Priv-G2 | 38 | | | |
| Alcatel-Acce-Priv-R1 | 33 | | | |
| Alcatel-Acce-Priv-R2 | 34 | | | |
| Alcatel-Acce-Priv-W1 | 35 | | | |
| Alcatel-Acce-Priv-W2 | 36 | | | |
| Alcatel-Access-Policy-List | 100 | string | | a) For 802.1X and MAC authenticated users, this attribute overwrites the initial role that is applied based on the policy list associated with the assigned UNP. b) For Captive-Portal authenticated users, this attribute assigns a post-login role for the user. |
| Alcatel-Access-Priv | 16 | | | |
| Alcatel-Asa-Access | 9 | string | | Specifies that the user has access to the switch. The only valid value is all. |
| Alcatel-Auth-Group | 1 | integer | | The authenticated VLAN number. The only protocol associated with this attribute is Ethernet II. If other protocols are required, use the protocol attribute instead. |
| Alcatel-Auth-Group-Protocol | 8 | string | | The protocol associated with the VLAN. Must be configured for access to other protocols. Values include: IP_E2, IP_SNAP, IPX_E2, IPX_NOV, IPX_LLC, IPX_SNAP |
| Alcatel-Client-IP-Addr | 4 | address | | The IP address used for Telnet only. |
| Alcatel-End-User-Profile | 10 | string | | Specifies the name of the associated end-user profile. |
| Alcatel-Group-Desc | 5 | string | | Description of the authenticated VLAN. |
| Alcatel-Nms-Description | 23 | | | |
| Alcatel-Nms-First-Name | 21 | | | |
| Alcatel-Nms-Group | 20 | | | |
| Alcatel-Nms-Last-Name | 22 | string | | |
| Alcatel-Port-Desc | 6 | | | Description of the port. This attribute is currently defined in the Alcatel dictionary as: (Access-Request, Accounting-Request Start, Accounting-Request Interim and Accounting-Request Stop). The attribute is set with the alias configured for the port. When the alias is not set, the VSA will be an empty string. |
| Alcatel-Profil-Numb | 7 | | | |
| Alcatel-Redirection-Status | 102 | string | | |
| Alcatel-Redirection-URL | 101 | string | | Configures ClearPass to send a redirection URL as part of the RADIUS response, redirecting the user's web traffic. |
| Alcatel-Slot-Port | 2 | string | | Slot(s)/port(s) valid for the user. |
| Alcatel-Time-of-Day | 3 | string | | The time of day valid for the user to authenticate. |

OmniSwitch AOS Release 8 Network Configuration Guide
| Attribute | # | Type | ISE Version | Usage Description |
|---|---|---|---|---|
| Aruba-Admin-Role | 4 | | | This VSA returns the management role to be assigned to the user after management authentication. This role can be seen using the command show mgmt-role in the command-line interface. |
| Aruba-AirGroup-Device-Type | 27 | integer | | A value of 1 for this VSA indicates that the device authenticating on the network is a personal device, and a value of 2 indicates that it is a shared device. |
| Aruba-AirGroup-Shared-Role | 26 | string | | This VSA contains a comma-separated list of user roles with whom the device is shared. |
| Aruba-AirGroup-Shared-User | 25 | string | | This VSA contains a comma-separated list of user names with whom the device is shared. |
| Aruba-AirGroup-User-Name | 24 | string | | A device owner or username associated with the device. |
| Aruba-AP-Group | 10 | string | | String that identifies the name of an Aruba AP Group. |
| Aruba-AS-Credential-Hash | 30 | string | | The Auth survivability feature uses this VSA for Instant APs. The CPPM sends the NT hash of the password to the Instant AP, which the Instant AP can use to authenticate the user if the CPPM server is not reachable. |
| Aruba-AS-User-Name | 29 | string | | The Auth survivability feature uses this VSA for Instant APs. The CPPM sends the actual user name to the Instant AP, which the Instant AP can use to authenticate the user if the CPPM server is not reachable. |
| Aruba-Auth-Survivability | 28 | string | | The Instant AP Auth survivability feature uses this VSA to indicate that the CPPM server sends the Aruba-AS-User-Name and Aruba-AS-Credential-Hash values. This attribute is used only as a flag, with no specific value required. |
| Aruba-CPPM-Role | 23 | | | |
| Aruba-Device-Type | 12 | string | | String that identifies an Aruba device on the network. |
| Aruba-Essid-Name | 5 | string | | String that identifies the name of the ESSID. |
| Aruba-Framed-IPv6-Address | 11 | string | | This attribute is used for RADIUS accounting for IPv6 users. |
| Aruba-Location-Id | 6 | string | | String that identifies the name of the AP location. |
| Aruba-Mdps-Device-Iccid | 17 | | | The ICCID is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. The ICCID is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Device-Imei | 16 | string | | The IMEI is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. The IMEI is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Device-Name | 19 | string | | The device name is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. The device name is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Device-Product | 20 | string | | The device product is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. The device product is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Device-Profile | 33 | | | This attribute allows the CPPM to signal back to the Onboard process the device profile that should be applied to the device based on the applied role mappings. |
| Aruba-Mdps-Device-Serial | 22 | string | | The device serial number is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. The device serial number is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Device-Udid | 15 | string | | The UDID is a unique device identifier which is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the ClearPass Policy Manager (CPPM). The UDID is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Device-Version | 21 | string | | The device version is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. The device version is checked against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| Aruba-Mdps-Max-Devices | 18 | string | | Used by Onboard to define and enforce the maximum number of devices that can be provisioned by a given user. |
| Aruba-Mdps-Provisioning-Settings | 32 | string | | This attribute allows the CPPM to signal back to the Onboard process the context of the device provisioning settings that should be applied to the device based on the applied role mappings. |
| Aruba-MMS-User-Template | 8 | string | | String that identifies the name of an Aruba user template. |
| Aruba-Named-User-Vlan | 9 | string | | This VSA returns a VLAN name for a user. This VLAN name on a controller could be mapped to a user-defined name or to multiple VLAN IDs. |
| Aruba-No-DHCP-Fingerprint | 14 | string | | This VSA prevents the controller from deriving a role and VLAN based on DHCP fingerprinting. |
| Aruba-Port-Identifier | 7 | string | | String that identifies the Port ID. |
| Aruba-Priv-Admin-User | 3 | integer | | If this VSA is set in the RADIUS accept message, the user can bypass the enable prompt. |
| Aruba-User-Role | 1 | string | | This VSA returns the role to be assigned to the user post-authentication. The user will be granted access based on the role attributes defined in the role. |
| Aruba-User-Vlan | 2 | integer | | This VSA is used to return the VLAN to be used by the client. The range for this VSA value is 1 to 4094, inclusive. |
| Aruba-WorkSpace-App-Name | 31 | string | | This VSA identifies an application supported by Aruba WorkSpace. |
| Attribute | # | Type | ISE Version | Usage Description |
|---|---|---|---|---|
| Brocade-Auth-Role | 1 | string | | The user logs in using the permissions specified with Brocade-Auth-Role. The valid permissions include root, admin, switchAdmin, zoneAdmin, securityAdmin, basicSwitchAdmin, fabricAdmin, operator, and user. You must use quotation marks around "password" and "role". |
| Brocade-AVPairs1 | 2 | string | | Admin Domain or Virtual Fabric member list |
| Brocade-AVPairs2 | 3 | string | | Admin Domain or Virtual Fabric member list |
| Brocade-AVPairs3 | 4 | string | | Admin Domain or Virtual Fabric member list |
| Brocade-AVPairs4 | 5 | string | | Admin Domain or Virtual Fabric member list |
| Brocade-Passwd-ExpiryDate | 6 | string | | Date when the password will expire. Format: MM/DD/YYYY in UTC |
| Brocade-Passwd-WarnPeriod | 7 | integer | | Days until the warning message regarding password expiry |
| Attribute | Type / Values | ISE Version | Available | Usage Description |
|---|---|---|---|---|
| Binary Encoded | Binary certificate | | Authorization | Check binary certificate value |
| Days to Expiry | 0-15 | | | This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires. |
| Extended Key Usage - Name | | | Authorization | |
| | clientAuth | | | Match based on presence or absence of the Client Authentication purpose in the extended key usage field |
| | codeSigning | | | Match based on presence or absence of the Code Signing purpose in the extended key usage field |
| | emailProtection | | | Match based on presence or absence of the Email Protection purpose in the extended key usage field |
| | msCodeCom | | | Match based on presence or absence of the Microsoft Commercial Code Signing purpose in the extended key usage field |
| | msCTLSign | | | Match based on presence or absence of the Microsoft Trust List Signing purpose in the extended key usage field |
| | msCodeInd | | | Match based on presence or absence of the Microsoft Individual Code Signing purpose in the extended key usage field |
| | msEFS | | | Match based on presence or absence of the Microsoft Encrypted File System purpose in the extended key usage field |
| | msSGC | | | Match based on presence or absence of the Microsoft Server Gated Crypto purpose in the extended key usage field |
| | nsSGC | | | Match based on presence or absence of the Netscape Server Gated Crypto purpose in the extended key usage field |
| | OCSPSigning | | | Match based on presence or absence of the OCSP Signing purpose in the extended key usage field |
| | serverAuth | | | Match based on presence or absence of the Server Authentication purpose in the extended key usage field |
| | timeStamping | | | Match based on presence or absence of the Trusted Timestamping purpose in the extended key usage field |
| Extended Key Usage - OID | | | | |
| Is Expired | boolean: True, False | | | This Boolean attribute indicates whether a certificate has expired or not. If you want to allow certificate renewal only when the certificate is near expiry and not after it has expired, use this attribute in an authorization policy condition. |
| Issuer | string | | Authorization | Match based on the entire issuer subject value |
| Issuer - Common Name | string | | Authorization | Match based on any data in the issuer field |
| Issuer - Country | string | | Authorization | Match based on the country name value in the issuer field |
| Issuer - Domain Component | string | | Authorization | Match based on the issuer domain name value |
| Issuer - Email | string | | Authorization | Match based on the issuer email address value |
| Issuer - Location | string | | Authorization | Match based on the issuer LocalityName value |
| Issuer - Organization | string | | Authorization | Match based on the issuer Organization value |
| Issuer - Organization Unit | string | | Authorization | Match based on the issuer Organization Unit value |
| Issuer - Serial Number | string | | Authorization | Match based on the issuer Serial Number value |
| Issuer - State or Province | string | | Authorization | Match based on the issuer State or Province value |
| Issuer - Street Address | string | | Authorization | Match based on the issuer Street Address value |
| Issuer - User ID | string | | Authorization | Match based on the issuer User ID value |
| Key Usage | string | | Authorization | |
| | cRLSign | | | Use when the subject public key is used to verify a signature on revocation information, such as a CRL. |
| | dataEncipherment | | | Use when the public key is used for encrypting user data, other than cryptographic keys. |
| | decipherOnly | | | Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement. |
| | digitalSignature | | | Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. |
| | encipherOnly | | | Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement. |
| | keyAgreement | | | Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers. |
| | keyCertSign | | | Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates. |
| | keyEncipherment | | | Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key encipherment. |
| | nonRepudiation | | | Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing). |
| Serial Number | string | | Authorization | Match based on the identity certificate Serial Number |
| Subject | string | | Authorization | Match based on the entire Subject value provided in the identity certificate |
| Subject - Common Name | string | | Authorization | Match based on the Subject Common Name of the identity certificate |
| Subject - Country | string | | Authorization | Match based on the country value from the identity certificate subject |
| Subject - Domain Component | string | | Authorization | Match based on the domain component from the identity certificate subject |
| Subject - Email | string | | Authorization | Match based on the email address from the identity certificate subject |
| Subject - Location | string | | Authorization | Match based on the location from the identity certificate subject |
| Subject - Organization | string | | Authorization | Match based on the organization from the identity certificate subject |
| Subject - Organization Unit | string | | Authorization | Match based on the organizational unit from the identity certificate subject |
| Subject - Serial Number | string | | Authorization | Match based on the serial number from the identity certificate subject |
| Subject - State or Province | string | | Authorization | Match based on the state or province value from the identity certificate subject |
| Subject - Street Address | string | | Authorization | Match based on the street address value from the identity certificate subject |
| Subject - User ID | string | | Authorization | Match based on the User ID value from the identity certificate subject |
| Subject Alternative Name | string | | Authorization | Match based on the Subject Alternative Name value from the identity certificate |
| Subject Alternative Name - DNS | string | | Authorization | Match based on the Subject Alternative Name value with type DNS from the identity certificate |
| Subject Alternative Name - EMail | string | | Authorization | Match based on the Subject Alternative Name value with type email from the identity certificate |
| Subject Alternative Name - Other Name | string | | Authorization | Match based on the Subject Alternative Name value with type other from the identity certificate |
| Template Name | string | | Authorization | Match based on the certificate template name |
This RADIUS dictionary is provided in ISE by default.
| Attribute | # | Type | ISE Version | Usage Description |
|---|---|---|---|---|
| cisco-abort-cause | 21 | | | If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. |
| cisco-account-info | 250 | | | |
| cisco-assign-ip-pool | 218 | | | |
| cisco-av-pair | 1 | | | The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The value is a string. |
| cisco-call-filter | 243 | | | |
| cisco-call-id | 141 | | | |
| cisco-call-type | 19 | | | Type of call activity: fax receive or fax send. |
| cisco-command-code | 252 | | | |
| cisco-control-info | 253 | | | |
| cisco-data-filter | 242 | | | |
| cisco-data-rate | 197 | | | |
| cisco-disconnect-cause | 195 | | | |
| cisco-email-server-ack-flag | 17 | | | Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. |
| cisco-email-server-address | 16 | | | IP address of the e-mail server handling the on-ramp fax-mail message. |
| cisco-fax-account-id-origin | 3 | | | Account ID origin as defined by the system administrator for the mmoip aaa receive-id or mmoip aaa send-id command. |
| cisco-fax-auth-status | 15 | | | Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. |
| cisco-fax-connect-speed | 8 | | | Modem speed at which this fax mail was initially sent or received. Possible values are 1200, 4800, 9600, and 14400. |
| cisco-fax-coverpage-flag | 6 | | | True/false flag that indicates whether a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated, and false indicates that a cover page was not generated. |
| cisco-fax-dsn-address | 11 | | | Address to which DSNs are sent. |
| cisco-fax-dsn-flag | 12 | | | True/false flag to indicate whether DSN is enabled. True indicates that DSN is enabled, and false indicates that DSN is not enabled. |
| cisco-fax-mdn-address | 13 | | | Address to which MDNs are sent. |
| cisco-fax-mdn-flag | 14 | | | True/false flag to indicate whether MDN is enabled. True indicates that MDN is enabled, and false indicates that MDN is not enabled. |
| cisco-fax-modem-time | 7 | | | Number of seconds it takes to send fax data (x) and to complete the entire fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds and that the full fax session took 15 seconds. |
| cisco-fax-msg-id | 4 | | | Unique fax message identification number assigned by store-and-forward fax. |
| cisco-fax-pages | 5 | | | Number of pages sent or received during a fax session, including cover pages. |
| cisco-fax-process-abort-flag | 10 | | | True/false flag that indicates whether the fax session was aborted or successful. True indicates that the session was aborted, and false indicates that the session was successful. |
| cisco-fax-recipient-count | 9 | | | Number of recipients for this fax transmission. Until e-mail servers support session mode, the number should be 1. |
| cisco-gateway-id | 18 | | | Name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name |
| cisco-gw-final-xlated-cdn | 113 | | | |
| cisco-gw-final-xlated-cgn | 117 | | | |
| cisco-gw-rxd-cdn | 112 | | | |
| cisco-gw-rxd-cgn | 116 | | | |
| cisco-h323-billing-model | 109 | | | |
| cisco-h323-credit-amount | 101 | | | Total amount available to the user, for announcement via IVR or other. Example: h323-credit-amount=1.00 |
| cisco-h323-credit-time | 102 | | | |
| cisco-h323-currency | 110 | | | Currency code (ISO 4217). Example: h323-currency=USD |
| cisco-h323-preferred-lang | 107 | | | Preferred IVR language, if available (ISO 639-1). Example: h323-preferred-lang=en |
| cisco-h323-prompt-id | 104 | | | |
| cisco-h323-redirect-ip-address | 108 | | | |
| cisco-h323-redirect-number | 106 | | | |
| cisco-h323-return-code | 103 | | | Return code; 0 for success. Example: h323-return-code=0 |
| cisco-h323-time-and-day | 105 | | | |
| cisco-idle-limit | 244 | | | |
| cisco-incoming-req-uri | 146 | | | |
| cisco-ip-direct | 209 | | | |
| cisco-ip-pool-definition | 217 | | | |
| cisco-link-compression | 233 | | | |
| cisco-maximum-channels | 235 | | | |
| cisco-maximum-time | 194 | | | |
| cisco-method | 143 | | | |
| cisco-multilink-id | 187 | | | |
| cisco-nas-port | 2 | | | Specifies additional vendor-specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form of an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note: this VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets. |
| cisco-next-hop-dn | 149 | | | |
| cisco-next-hop-ip | 148 | | | |
| cisco-num-in-multilink | 188 | | | |
| cisco-outgoing-req-uri | 147 | | | |
| cisco-policy-down | 38 | | | |
| cisco-policy-up | 37 | | | |
| cisco-port-used | 20 | | | Slot/port number used to send or receive this fax mail. |
| cisco-ppp-async-map | 212 | | | |
| cisco-ppp-vj-slot-comp | 210 | | | Slot/port number used to send or receive this fax mail. |
| cisco-pre-input-octets | 190 | | | |
| cisco-pre-input-packets | 192 | | | |
| cisco-pre-output-octets | 191 | | | |
| cisco-pre-output-packets | 193 | | | |
| cisco-presession-time | 198 | | | |
| cisco-prev-hop-ip | 145 | | | String of the form ip-address[:port][/protocol], where "port" is an optional parameter giving the transport layer port number (the default is 5060) and "protocol" is an optional parameter giving the transport layer protocol (the default is UDP). Valid values: TCP and UDP; because the proxy does not support TCP, this parameter is never included. |
| cisco-prev-hop-via | 144 | | | |
| cisco-pw-lifetime | 208 | | | |
| cisco-release-source | 115 | | | |
| cisco-remote-media-address | 114 | | | |
| cisco-route-ip | 228 | | | |
| cisco-service-info | 251 | | | The value "Z" indicates that authorization is required. |
| cisco-session-protocol | 142 | string | | Available strings: |
| cisco-sip-conf-id | 100 | | | |
| cisco-sip-hdr | 150 | | | String including a SIP header formatted as per RFC 2543. |
| cisco-subscriber | 111 | | | |
| cisco-target-util | 234 | | | |
| cisco-xmit-rate | 255 | | | |
| h323-call-origin | 26 | | | Indicates the origin of the call relative to the gateway. Possible values are originating and terminating, which are equivalent to originate and answer in the Call-Origin field. |
| h323-call-type | 27 | | | Indicates the call leg type. Possible values are telephony and VoIP. |
| h323-conf-id | 24 | | | Identifies the conference ID. |
| h323-connect-time | 28 | | | Indicates the connection time for this call leg in UTC. |
| h323-disconnect-cause | 30 | | | Specifies the reason a connection was taken offline, per the Q.931 specification. |
| h323-disconnect-time | 29 | | | Indicates the time this call leg was disconnected, in UTC. |
| h323-gw-id | 33 | | | Indicates the name of the underlying gateway. |
| h323-incoming-conf-id | 35 | Integer | | On each gateway (both originating and terminating), the h323-incoming-conf-id is created by making a persistent and static copy of the h323-conf-id. After this h323-incoming-conf-id is created, it is never updated or changed for the duration of the session. The h323-incoming-conf-id value is always the same for legs 1 and 2, or for legs 3 and 4, and it need not be the same for all four legs of a call. |
| h323-remote-address | 23 | | | Indicates the IP address of the remote gateway. |
| h323-setup-time | 25 | | | Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time. |
| h323-voice-quality | 31 | | | Specifies the impairment/calculated planning impairment factor (ICPIF) affecting voice quality for a call. |
Session Aware Networking (SAN) support for RADIUS change of authorization (CoA)

Session Aware Networking supports RADIUS change of authorization (CoA) commands for session query, reauthentication and termination, port bounce and port shutdown, and service template activation and deactivation.

Cisco has a general-purpose vendor-specific attribute (VSA) called the cisco-av-pair. It is an attribute/value pair string with the format <attribute>=<value>.
Name | cisco-av-pair Value | Notes |
ACL IPv6 (Filter-ID) | ipv6:inacl=<ACL_NAME> | |
Security Group | cts:security-group-tag=<NUMBER> cts:sgt-name=<NAME> cts:vn=<VIRTUAL_NETWORK> | Example: cisco-av-pair = cts:security-group-tag=0004-0 |
Voice Domain Permission | device-traffic-class=voice | |
Web Redirection (CWA, MDM, NSP, CPP) | url-redirect-acl=<ACL_NAME> url-redirect=<URL> | |
Auto Smart Port | auto-smart-port=<NAME> | |
Assess Vulnerabilities | on-demand-scan-interval=<hours: 1-9999> periodic-scan-enabled=<0|1> va-adapter-instance=<ADAPTER_INSTANCE> | on-demand-scan-interval is in hours; periodic-scan-enabled: 0 = false, 1 = true |
MACsec Policy | linksec-policy=[must-not-secure | must-secure | should-secure] | |
NEAT | device-traffic-class=switch | |
Interface Template | interface-template-name=<NAME> | |
Web Authentication (Local Web Auth) | priv-lvl=15 | |
AVC Profile Name | avc-profile-name=<NAME> | |
UDN Lookup | UDN:<Private-group-id> UDN:<Private-group-name> UDN:<Private-group-owner> | |
Unique Identifier | duid=<RADIUS_ATTRIBUTE_VALUE> | Primarily used to share the DUID value retrieved from a certificate attribute (e.g. SAN URI) during certificate-based authentication (e.g. EAP-TLS), to overcome MAC address randomization. |
Pre-shared Key | psk-mode=ascii psk=<PRE_SHARED_KEY> | Used for wireless Multi and Individual Pre-Shared Keys |
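The following is an added example, not code from this page, from Cisco or from ISE. It parses the cisco-av-pair strings of one Access-Accept the way a NAS has to: split each string on its first "=" only (a redirect URL carries its own "=" characters), then check the value against the forms listed in the table above, so a typo in a policy result shows up as a reported problem rather than as a silently ignored attribute. The reading of cts:security-group-tag as "<SGT in hex>-<generation>", the ACL name and the portal URL in the constructed sample Access-Accept are assumptions.

```python
"""Parse and validate the cisco-av-pair strings in a RADIUS Access-Accept.

Added example for this page; it is not Cisco or ISE code. Attribute names
and value forms come from the cisco-av-pair table above. The reading of
cts:security-group-tag as "<SGT in hex>-<generation>" and the sample
Access-Accept at the bottom are assumptions made for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Attribute names from the table above, prefix-qualified where the table shows one.
KNOWN_KEYS = {
    "ipv6:inacl", "cts:security-group-tag", "cts:sgt-name", "cts:vn",
    "device-traffic-class", "url-redirect-acl", "url-redirect",
    "auto-smart-port", "on-demand-scan-interval", "periodic-scan-enabled",
    "va-adapter-instance", "linksec-policy", "interface-template-name",
    "priv-lvl", "avc-profile-name", "duid", "psk-mode", "psk",
}
LINKSEC_POLICIES = {"must-not-secure", "must-secure", "should-secure"}
TRAFFIC_CLASSES = {"voice", "switch"}
SGT_RE = re.compile(r"^([0-9A-Fa-f]{4})-([0-9]+)$")  # assumed "<hex SGT>-<generation>"


def parse_av_pair(raw: str) -> Tuple[str, str]:
    """Split one '<attribute>=<value>' string on the first '=' only, so a
    value that itself contains '=' (a redirect URL with a query string)
    survives intact."""
    key, sep, value = raw.partition("=")
    if not sep or not key.strip() or not value.strip():
        raise ValueError(f"malformed cisco-av-pair: {raw!r}")
    return key.strip(), value.strip()


def validate(key: str, value: str) -> Optional[str]:
    """Return a problem description, or None if the pair is acceptable."""
    if key not in KNOWN_KEYS:
        return f"unknown attribute {key!r}"
    if key == "cts:security-group-tag" and not SGT_RE.match(value):
        return f"bad SGT format {value!r}"
    if key == "linksec-policy" and value not in LINKSEC_POLICIES:
        return f"bad linksec-policy {value!r}"
    if key == "device-traffic-class" and value not in TRAFFIC_CLASSES:
        return f"bad device-traffic-class {value!r}"
    if key == "priv-lvl" and not (value.isdigit() and 0 <= int(value) <= 15):
        return f"priv-lvl out of range {value!r}"
    if key == "periodic-scan-enabled" and value not in {"0", "1"}:
        return f"periodic-scan-enabled must be 0 or 1, got {value!r}"
    if key == "on-demand-scan-interval" and not (
        value.isdigit() and 1 <= int(value) <= 9999
    ):
        return f"on-demand-scan-interval must be 1-9999 hours, got {value!r}"
    return None


def decode_sgt(tag: str) -> Tuple[int, int]:
    """Decode 'hhhh-g' into (sgt_number, generation); '0004-0' gives (4, 0)."""
    m = SGT_RE.match(tag)
    if not m:
        raise ValueError(f"bad SGT format {tag!r}")
    return int(m.group(1), 16), int(m.group(2))


def parse_access_accept(pairs: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Parse every cisco-av-pair in an Access-Accept.

    Returns (accepted pairs keyed by attribute, list of problems). Problems
    are collected rather than raised so a policy test can report all of
    them at once.
    """
    parsed: Dict[str, str] = {}
    problems: List[str] = []
    for raw in pairs:
        try:
            key, value = parse_av_pair(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        problem = validate(key, value)
        if problem:
            problems.append(problem)
            continue
        parsed[key] = value
    return parsed, problems


# Constructed sample: the cisco-av-pair values of one Access-Accept for a
# central web auth (CWA) session. ACL name and portal URL are placeholders.
SAMPLE_ACCEPT = [
    "cts:security-group-tag=0004-0",
    "url-redirect-acl=CWA_REDIRECT",
    "url-redirect=https://ise.example.com:8443/portal/gateway?sessionId=0A0A0A0A00000001&action=cwa",
    "linksec-policy=should-secure",
]

if __name__ == "__main__":
    accepted, issues = parse_access_accept(SAMPLE_ACCEPT)
    print(accepted, issues, decode_sgt(accepted["cts:security-group-tag"]))
```

Run against SAMPLE_ACCEPT the parser accepts all four pairs and decodes the SGT to (4, 0); feed it "linksec-policy=maybe-secure" or "priv-lvl=16" and each comes back as a named problem instead of being applied.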
This RADIUS dictionary is provided in ISE by default.
Attribute | # | Type | ISE Version | Usage Description |
CBBSM-Bandwidth | 1 | integer | Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263 | |
This RADIUS dictionary is provided in ISE by default.
You may also see the list of attributes supported by the ASA v9.0.
Attribute | # | Type | ISE Version | Description or Value(s) |
PIX7x-Access-Hours | 1 | String | 1.0 | Name of the time range, for example, Business-hours |
PIX7x-Access-List-Inbound | 86 | String | 1.0 | ACL ID |
PIX7x-Access-List-Outbound | 87 | String | 1.0 | ACL ID |
PIX7x-Address-Pools | 217 | String | 1.0 | Name of IP local pool |
PIX7x-Allow-Alpha-Only-Passwords | 4 | ? | 1.0 | Not supported on ASA? |
PIX7x-Allow-Network-Extension-Mode | 64 | Boolean | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-Auth-Server-Password | 23 | String | 1.0 | Not supported on ASA? |
PIX7x-Auth-Server-Priority | 32 | ? | 1.0 | Not supported on ASA? |
PIX7x-Auth-Server-Type | 22 | ? | 1.0 | Not supported on ASA? |
PIX7x-Authd-User-Idle-Timeout or Authenticated-User-Idle-Timeout | 50 | Integer | 1.0 | 1 - 35791394 minutes |
PIX7x-Cisco-IP-Phone-Bypass | 51 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-Client-Type | 150 | Integer | 1.0 | 1 = Cisco VPN Client (IKEv1) 2 = AnyConnect Client SSL VPN 3 = Clientless SSL VPN 4 = Cut-Through-Proxy 5 = L2TP/IPsec SSL VPN 6 = AnyConnect Client IPsec VPN (IKEv2) |
PIX7x-Client-Type-Version-Limiting | 77 | String | 1.0 | IPsec VPN version number string |
PIX7x-DHCP-Network-Scope | 61 | String | 1.0 | IP Address |
PIX7x-Extended-Authentication-On-Rekey | 122 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IE-Proxy-Bypass-Local | 83 | Integer | 1.0 | 0 = None 1 = Local |
PIX7x-IE-Proxy-Exception-List | 82 | String | 1.0 | New line (\n) separated list of DNS domains |
PIX7x-IE-proxy-lockdown | 134 | ? | 1.0 | Not supported on ASA? |
PIX7x-IE-Proxy-PAC-URL | 133 | String | 1.0 | PAC Address String |
PIX7x-IE-Proxy-Server | 80 | String | 1.0 | IP address |
PIX7x-IE-Proxy-Server-Policy | 81 | Integer | 1.0 | 1 = No Modify 2 = No Proxy 3 = Auto detect 4 = Use Concentrator Setting |
PIX7x-IKE-Keep-Alives | 41 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IKE-Keepalive-Retry-Interval | 84 | Integer | 1.0 | 2 - 10 seconds |
PIX7x-IKE-retry-timeout | 129 | Integer | 1.0 | Not supported on ASA? |
PIX7x-IPSec-Allow-Passwd-Store | 16 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IPSec-Auth-On-Rekey | 42 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IPSec-Authentication | 13 | Integer | 1.0 | 0 = None 1 = RADIUS 2 = LDAP (authorization only) 3 = NT Domain 4 = SDI 5 = Internal 6 = RADIUS with Expiry 7 = Kerberos/Active Directory |
PIX7x-IPSec-Authorization-Required | 66 | Integer | 1.0 | 0 = No 1 = Yes |
PIX7x-IPSec-Authorization-Type | 65 | Integer | 1.0 | 0 = None 1 = RADIUS 2 = LDAP |
PIX7x-IPSec-Backup-Server-List | 60 | String | 1.0 | Server Addresses (space delimited) |
PIX7x-IPSec-Backup-Servers | 59 | String | 1.0 | 1 = Use Client-Configured list 2 = Disable and clear client list 3 = Use Backup Server list |
PIX7x-IPSec-Banner1 | 15 | String | 1.0 | Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL |
PIX7x-IPSec-Banner2 | 36 | String | 1.0 | Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string , if configured. |
PIX7x-IPSec-Client-Fw-Filter-Name | 57 | String | 1.0 | Specifies the name of the filter to be pushed to the client as firewall policy |
PIX7x-IPSec-Client-Fw-Filter-Opt or IPsec-Client-Firewall-Filter-Optional | 58 | Integer | 1.0 | 0 = Required 1 = Optional |
PIX7x-IPSec-Confidence-Level or IKE-KeepAlive-Confidence-Interval | 68 | Integer | 1.0 | 10 - 300 seconds |
PIX7x-IPSec-Default-Domain | 28 | String | 1.0 | Specifies the single default domain name to send to the client (1-255 characters). |
PIX7x-IPSec-DN-Field or Authorization-DN-Field | 67 | String | 1.0 | Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name |
PIX7x-IPSec-Group-Name | 26 | String | 1.0 | Not supported on ASA? |
PIX7x-IPSec-Group-Policy or Group-Policy | 25 | String | 1.0 | Sets the group policy for the remote access VPN session. For Versions 8.2 and later, use this attribute instead of IETF-Radius-Class. You can use one of the three following formats: |
PIX7x-IPSec-IKE-Peer-ID-Check | 40 | Integer | 1.0 | 1 = Required 2 = If supported by peer certificate 3 = Do not check |
PIX7x-IPSec-IP-Compression | 39 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IPSec-Mode-Config | 31 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IPSec-Over-UDP | 34 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-IPSec-Over-UDP-Port | 35 | Integer | 1.0 | 4001 - 49151. The default is 10000. |
PIX7x-IPSec-Reqrd-Client-Fw-Cap or IPsec-Required-Client-Firewall-Capability | 56 | Integer | 1.0 | 0 = None 1 = Policy defined by remote FW Are-You-There (AYT) 2 = Policy pushed CPP 4 = Policy from server |
PIX7x-IPSec-Sec-Association | 12 | String | 1.0 | Name of the security association |
PIX7x-IPSec-Split-DNS-Names | 29 | String | 1.0 | Specifies the list of secondary domain names to send to the client (1-255 characters). |
PIX7x-IPSec-Split-Tunnel-List | 27 | String | 1.0 | Specifies the name of the network/ACL that describes the split tunnel inclusion list. |
PIX7x-IPSec-Split-Tunneling-Policy | 55 | Integer | 1.0 | 0 = No split tunneling 1 = Split tunneling 2 = Local LAN permitted |
PIX7x-IPSec-Tunnel-Type | 30 | Integer | 1.0 | 1 = LAN-to-LAN 2 = Remote access |
PIX7x-IPSec-User-Group-Lock | 33 | ? | 1.0 | Not supported on ASA? |
PIX7x-IPv6-Address-Pools | 218 | String | 1.0 | Name of IP local pool-IPv6 |
PIX7x-IPv6-VPN-Filter | 219 | String | 1.0 | ACL value |
PIX7x-L2TP-Encryption | 21 | Integer | 1.0 | Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Req 15= 40/128-Encr/Stateless-Req |
PIX7x-L2TP-Min-Auth-Protocol | 19 | ? | 1.0 | Not supported on ASA? |
PIX7x-L2TP-MPPC-Compression | 38 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-LEAP-Bypass | 75 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-Member-Of | 145 | String | 1.0 | Comma-delimited string, for example: Engineering, Sales An administrative attribute that can be used in dynamic access policies. It does not set a group policy. |
PIX7x-Min-Password-Length | 3 | ? | 1.0 | Not supported on ASA? |
PIX7x-MS-Client-Icpt-DHCP-Conf-Msg or Intercept-DHCP-Configure-Msg | 62 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-MS-Client-Subnet-Mask | 63 | Boolean | 1.0 | An IP address |
PIX7x-NAC-Default-ACL | 92 | String | 1.0 | ACL |
PIX7x-NAC-Enable | 89 | Integer | 1.0 | 0 = No 1 = Yes |
PIX7x-NAC-Revalidation-Timer | 91 | Integer | 1.0 | 300 - 86400 seconds |
PIX7x-NAC-Settings | 141 | String | 1.0 | Name of the NAC policy |
PIX7x-NAC-Status-Query-Timer | 90 | Integer | 1.0 | 30 - 1800 seconds |
PIX7x-Perfect-Forward-Secrecy-Enable | 88 | Integer | 1.0 | 0 = No 1 = Yes |
PIX7x-Port-Forwarding-Name or WebVPN-Port-Forwarding-Name | 79 | String | 1.0 | String name (example, “Corporate-Apps”). This text replaces the default string, “Application Access,” on the clientless portal home page. |
PIX7x-PPTP-Encryption | 20 | Integer | 1.0 | Bitmap: 1 = Encryption required 2 = 40 bits 4 = 128 bits 8 = Stateless-Required 15= 40/128-Encr/Stateless-Req |
PIX7x-PPTP-Min-Auth-Protocol | 18 | ? | 1.0 | Not supported on ASA? |
PIX7x-PPTP-MPPC-Compression | 37 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-Primary-DNS | 5 | String | 1.0 | An IP address |
PIX7x-Primary-WINS | 7 | String | 1.0 | An IP address |
PIX7x-Priority-On-SEP | 10 | ? | 1.0 | Not supported on ASA? |
PIX7x-Privilege-Level | 220 | Integer | 1.0 | An integer between 0 and 15. |
PIX7x-Reqrd-Client-Fw-Description | 47 | String | 1.0 | String |
PIX7x-Reqrd-Client-Fw-Product-Code | 46 | Integer | 1.0 | Cisco Systems Products: |
PIX7x-Reqrd-Client-Fw-Vendor-Code | 45 | Integer | 1.0 | 1 = Cisco Systems (with Cisco Integrated Client) 2 = Zone Labs 3 = NetworkICE 4 = Sygate 5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent) |
PIX7x-Request-Auth-Vector | 24 | ? | 1.0 | Not supported on ASA? |
PIX7x-Require-HW-Client-Auth | 48 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-Require-Individual-User-Auth | 49 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-Secondary-DNS | 6 | String | 1.0 | An IP address |
PIX7x-Secondary-WINS | 8 | String | 1.0 | An IP address |
PIX7x-SEP-Card-Assignment | 9 | Integer | 1.0 | Not used |
PIX7x-Session-Subtype | 152 | Integer | 1.0 | 0 = None 1 = Clientless 2 = Client 3 = Client Only Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4. |
PIX7x-Session-Type | 151 | Integer | 1.0 | 0 = None 1 = AnyConnect Client SSL VPN 2 = AnyConnect Client IPSec VPN (IKEv2) 3 = Clientless SSL VPN 4 = Clientless Email Proxy 5 = Cisco VPN Client (IKEv1) 6 = IKEv1 LAN-LAN 7 = IKEv2 LAN-LAN 8 = VPN Load Balancing |
PIX7x-Simultaneous-Logins | 2 | Integer | 1.0 | 0 - 2147483647 |
PIX7x-Strip-Realm | 135 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-SVC-Ask | 131 | Integer | 1.0 | 0 = Disabled 1 = Enabled 3 = Enable default service 5 = Enable default clientless (2 and 4 not used) |
PIX7x-SVC-Ask-Timeout | 132 | Integer | 1.0 | 5 - 120 seconds |
PIX7x-SVC-Keepalive | 107 | Integer | 1.0 | 0 = Off 15 - 600 seconds |
PIX7x-SVC-Modules | 127 | String | 1.0 | String (name of a module) |
PIX7x-SVC-Profiles | 128 | String | 1.0 | String (name of a profile) |
PIX7x-Tunnel-Group-Lock | 85 | String | 1.0 | Name of the tunnel group or “none” |
PIX7x-Tunnel-Group-Name | 146 | String | 1.0 | 1 - 253 characters |
PIX7x-Tunneling-Protocols | 11 | Integer | 1.0 | 1 = PPTP 2 = L2TP 4 = IPSec (IKEv1) 8 = L2TP/IPSec 16 = WebVPN 32 = SVC 64 = IPsec (IKEv2) 8 and 4 are mutually exclusive (0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values). |
PIX7x-Use-Client-Address | 17 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-User-Auth-Server-Name | 52 | String | 1.0 | IP address or hostname |
PIX7x-User-Auth-Server-Port | 53 | Integer | 1.0 | Port number for server protocol |
PIX7x-User-Auth-Server-Secret | 54 | String | 1.0 | Server password |
PIX7x-VLAN | 140 | Integer | 1.0 | 0 - 4094 |
PIX7x-WebVPN-Access-List | 73 | String | 1.0 | Access-List name |
PIX7x-WebVPN-ActiveX-Relay | 137 | Integer | 1.0 | 0 = Disabled Otherwise = Enabled |
PIX7x-WebVPN-Apply-ACL | 102 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Auto-HTTP-Signon | 124 | String | 1.0 | Reserved |
PIX7x-WebVPN-Citrix-Metaframe-Enable | 101 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Content-Filter | 69 | Bitmap | 1.0 | 1 = Java ActiveX 2 = Java Script 4 = Image 8 = Cookies in images |
PIX7x-WebVPN-Customization | 113 | String | 1.0 | Name of the customization |
PIX7x-WebVPN-Default-Homepage | 76 | String | 1.0 | A URL such as http://example.com |
PIX7x-WebVPN-Deny-Message | 116 | String | 1.0 | Valid string (up to 500 characters) |
PIX7x-WebVPN-Download_Max-Size | 157 | Integer | 1.0 | 0x7fffffff |
PIX7x-WebVPN-Enable-functions | 70 | ? | 1.0 | Not supported on ASA? |
PIX7x-WebVPN-File-Access-Enable | 94 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-File-Server-Browsing-Enable | 96 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-File-Server-Entry-Enable | 95 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List | 78 | String | 1.0 | Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com) |
PIX7x-WebVPN-Hidden-Shares | 126 | Integer | 1.0 | 0 = None 1 = Visible |
PIX7x-WebVPN-Home-Page-Use-Smart-Tunnel | 228 | Boolean | 1.0 | Enabled if clientless home page is to be rendered through Smart Tunnel. |
PIX7x-WebVPN-HTTP-Compression | 120 | Integer | 1.0 | 0 = Off 1 = Deflate Compression |
PIX7x-WebVPN-HTTP-Proxy-IP-Address | 74 | String | 1.0 | Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443) |
PIX7x-WebVPN-Idle-Timeout-Alert-Interval | 148 | Integer | 1.0 | 0 (Disabled) - 30 |
PIX7x-WebVPN-Keepalive-Ignore | 121 | Integer | 1.0 | 0-900 |
WebVPN-Macro-Substitution | 223 | String | 1.0 | Unbounded. For examples, see the SSL VPN Deployment Guide |
PIX7x-WebVPN-Macro-Substitution or WebVPN-Macro-Substitution | 224 | String | 1.0 | Unbounded. For examples, see the SSL VPN Deployment Guide |
PIX7x-WebVPN-Port-Forwarding-Enable | 97 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Port-Forwarding-Exchange-Proxy-Enable | 98 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Port-Forwarding-HTTP-Proxy | 99 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Port-Forwarding-List | 72 | String | 1.0 | Port forwarding list name |
PIX7x-WebVPN-Post-Max-Size | 159 | Integer | 1.0 | 0x7fffffff |
PIX7x-WebVPN-Session-Timeout-Alert-Interval | 149 | Integer | 1.0 | 0 (Disabled) - 30 |
PIX7x-WebVPN-Smart-Card-Removal-Disconnect | 225 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-Smart-Tunnel | 136 | String | 1.0 | Name of a smart tunnel |
PIX7x-WebVPN-Smart-Tunnel-Auto-Sign-On | 139 | String | 1.0 | Name of a Smart Tunnel auto sign-on list appended by the domain name |
PIX7x-WebVPN-Smart-Tunnel-Auto-Start | 138 | Integer | 1.0 | 0 = Disabled 1 = Enabled 2 = Auto Start |
PIX7x-WebVPN-Smart-Tunnel-Tunnel-Policy | 227 | String | 1.0 | One of "e networkname," "i networkname," or "a," where networkname is the name of a smart tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels. |
PIX7x-WebVPN-SSL-VPN-Client-Enable | 103 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-SSL-VPN-Client-Keep-Installation | 105 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-SSL-VPN-Client-Required | 104 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-SSO-Server-Name | 114 | String | 1.0 | Valid string |
PIX7x-WebVPN-Storage-Key | 162 | String | 1.0 | ? |
PIX7x-WebVPN-Storage-Objects | 161 | String | 1.0 | ? |
PIX7x-WebVPN-SVC-Client-DPD-Frequency or SVC-DPD-Interval-Client | 108 | Integer | 1.0 | 0 = Off 5 - 3600 seconds |
PIX7x-WebVPN-SVC-Compression | 112 | Integer | 1.0 | 0 = Off 1 = Deflate Compression |
PIX7x-WebVPN-SVC-DTLS-Enable | 123 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-SVC-DTLS-MTU | 125 | Integer | 1.0 | MTU value is from 256-1406 bytes. |
PIX7x-WebVPN-SVC-Gateway-DPD-Frequency or SVC-DPD-Interval-Gateway | 109 | Integer | 1.0 | 0 = Off 5 - 3600 seconds |
PIX7x-WebVPN-SVC-Rekey-Method | 111 | Integer | 1.0 | 0 = Off 1 = SSL 2 = New Tunnel |
PIX7x-WebVPN-SVC-Rekey-Time | 110 | Integer | 1.0 | 0 = Disabled 1- 10080 minutes |
PIX7x-WebVPN-UNIX-Group-ID(GID) | 222 | Integer | 1.0 | Valid UNIX group IDs |
PIX7x-WebVPN-UNIX-User-ID(UIDs) | 221 | Integer | 1.0 | Valid UNIX user IDs |
PIX7x-WebVPN-Upload-Max-Size | 158 | Integer | 1.0 | 0x7fffffff |
PIX7x-WebVPN-URL-Entry-Enable | 93 | Integer | 1.0 | 0 = Disabled 1 = Enabled |
PIX7x-WebVPN-URL-List | 71 | String | 1.0 | URL list name |
PIX7x-WebVPN-User-Storage | 160 | String | 1.0 | ? |
PIX7x-WebVPN-VDI | 163 | String | 1.0 | List of settings |
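Several rows in the table above are bitmaps (PIX7x-Tunneling-Protocols, PIX7x-PPTP-Encryption, PIX7x-L2TP-Encryption, PIX7x-WebVPN-Content-Filter), and Tunneling-Protocols adds a rule: 4 (IPSec IKEv1) and 8 (L2TP/IPSec) are mutually exclusive, with 0-11, 16-27, 32-43 and 48-59 listed as the legal values. The block below is an added example, not Cisco code, that decodes these bitmaps, rejects bits the table gives no meaning to, and checks that the listed legal ranges are exactly the values below 64 in which bits 4 and 8 are not both set. Applying the same rule to values that carry the later IKEv2 bit (64) is this example's reading; the table's ranges stop at 59 and do not say what the ASA does with such a value.

```python
"""Decode the bitmap-valued ASA/PIX attributes from the table above.

Added example for this page; not Cisco code. Bit meanings come from the
rows for PIX7x-Tunneling-Protocols (11), PIX7x-PPTP-Encryption (20),
PIX7x-L2TP-Encryption (21) and PIX7x-WebVPN-Content-Filter (69). The
legality check encodes the table's rule that 4 (IPSec IKEv1) and 8
(L2TP/IPSec) are mutually exclusive; extending it to values with the
IKEv2 bit (64) set is an assumption of this example.
"""
from typing import Dict, List

TUNNELING_PROTOCOLS: Dict[int, str] = {
    1: "PPTP", 2: "L2TP", 4: "IPSec (IKEv1)", 8: "L2TP/IPSec",
    16: "WebVPN", 32: "SVC", 64: "IPsec (IKEv2)",
}
# Shared by PIX7x-PPTP-Encryption (20) and PIX7x-L2TP-Encryption (21).
MPPE_ENCRYPTION: Dict[int, str] = {
    1: "Encryption required", 2: "40 bits", 4: "128 bits", 8: "Stateless-Required",
}
WEBVPN_CONTENT_FILTER: Dict[int, str] = {
    1: "Java ActiveX", 2: "Java Script", 4: "Image", 8: "Cookies in images",
}
# Legal Tunneling-Protocols values exactly as the table lists them.
LISTED_LEGAL_RANGES = [(0, 11), (16, 27), (32, 43), (48, 59)]


def decode_bitmap(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the set bits, lowest bit first. Bits with no meaning in
    the table are rejected rather than silently dropped, so a value from
    a newer or mis-typed dictionary does not decode to something plausible."""
    if value < 0:
        raise ValueError("bitmap value must be non-negative")
    unknown = value & ~sum(table)  # sum of the keys is the mask of defined bits
    if unknown:
        raise ValueError(f"undefined bits set: 0x{unknown:x}")
    return [name for bit, name in sorted(table.items()) if value & bit]


def is_legal_tunneling_protocols(value: int) -> bool:
    """The table's rule: bits 4 and 8 are never both set."""
    return 0 <= value <= 127 and (value & 0b1100) != 0b1100


def in_listed_legal_ranges(value: int) -> bool:
    """Membership in the ranges the table lists verbatim."""
    return any(lo <= value <= hi for lo, hi in LISTED_LEGAL_RANGES)


def decode_tunneling_protocols(value: int) -> List[str]:
    """Decode PIX7x-Tunneling-Protocols, refusing the illegal combinations."""
    if not is_legal_tunneling_protocols(value):
        raise ValueError(f"illegal Tunneling-Protocols value {value}")
    return decode_bitmap(value, TUNNELING_PROTOCOLS)


if __name__ == "__main__":
    print(decode_tunneling_protocols(20))          # IPSec (IKEv1) + WebVPN
    print(decode_bitmap(15, MPPE_ENCRYPTION))      # the "15 = 40/128-Encr/Stateless-Req" row
    print([v for v in range(64) if not is_legal_tunneling_protocols(v)])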
Attribute | Values | ISE Version | Usage Description |
CWA_ExternalGroups | String | 1.3 | External group that the user logging in from the CWA portal belongs to. |
CWA_Username | String | 1.3 | Username used during login from the CWA portal. |
Attribute | Values | ISE Version | Usage Description |
Device Type | | 1.2 | Device type defined during network device configuration. |
Location | | 1.2 | Location of the network device defined during device configuration. |
Model Name | | 1.2 | The model name of the network device defined during device creation. |
Network Device Profile | | 2.0 | The profile of the network device defined during device creation. |
Software Version | | 1.2 | Software version of the network device defined during device creation. |
Attribute | Values | ISE Version | Usage Description |
BYODRegistration | string | 1.2 | BYOD registration status of the endpoint. Can be: No: not registered via BYOD Unknown: unknown status Yes: registered via BYOD |
EndPointPolicy | string | 1.2 | Policy assignment of the endpoint. |
LastAUPAcceptanceHours | 1.4 | The time in hours when AUP was accepted the last time. | |
LogicalProfile | string | 1.2 | Logical profile that summarizes multiple regular profiles. |
OperatingSystem | string | 1.3 | Operating system of the endpoint. |
PortalUser | string | 1.3 | Guest user that logged in to the portal with this endpoint. |
PostureApplicable | string | 1.2 | A string specifying if posture is applicable for an endpoint, can be: No: posture not applicable Yes: posture applicable |
Attribute | Values | ISE Version | Usage Description |
Company | string | 1.2 | A string defining the company of the guest user. |
EmailAddress | string | 1.2 | Email address of the guest user. |
Firstname | string | 1.2 | First name of the guest user. |
LanguageNotification | string | 1.2 | A string specifying the language for notification messages of the guest user. |
Lastname | string | 1.2 | Last name of the guest user. |
OptionalData1 | - | 1.2 | Optional data 1 |
OptionalData2 | - | 1.2 | Optional data 2 |
OptionalData3 | - | 1.2 | Optional data 3 |
OptionalData4 | - | 1.2 | Optional data 4 |
OptionalData5 | - | 1.2 | Optional data 5 |
PasswordModifiedByUser | boolean | 1.2 | Boolean telling if password of the guest user was modified, can be: false: password was not modified true: password was modified |
PhoneNumber | string | 1.2 | The phone number of the guest user. |
TimeZone | string | 1.2 | Time zone of the guest user. |
UserName | string | 1.2 | Username of the guest user. |
Attribute | # | Type | ISE Version | Usage Description |
H3C-Backup-NAS-IP | 207 | 2.0 | Backup source IP address for sending RADIUS packets | |
H3C-Command | 20 | 2.0 | Operation for the session, used for session control. It can be: 1: Trigger-Request 2: Terminate-Request 3: SetPolicy 4: Result 5: PortalClear |
H3C-Connect_Id | 26 | 2.0 | Index of the user connection | |
H3C-Control-Identifier | 24 | 2.0 | Identifier for retransmitted packets. Retransmitted packets of the same session must carry the same value; retransmitted packets of different sessions may carry the same value. The response to a retransmitted packet must also carry the same attribute. For Accounting-Request packets of the Start, Stop and Interim-Update types, the Control-Identifier attribute, if present, has no meaning. |
H3C-Exec-Privilege | 29 | 2.0 | Priority of the EXEC user, can be: 0: Visit 1: Monitor 2: System 3: Manage |
H3C-Ftp-Directory | 28 | 2.0 | Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client. | |
H3C-Input-Average-Rate | 2 | 2.0 | Average rate in the direction from the user to NAS [bps] | |
H3C-Input-Basic-Rate | 3 | 2.0 | Basic rate in the direction from the user to NAS [bps] | |
H3C-Input-Interval-Gigawords | 205 | 2.0 | Result of bytes input within an accounting interval divided by 4GB | |
H3C-Input-Interval-Octets | 201 | 2.0 | Bytes input within a real-time accounting interval | |
H3C-Input-Interval-Packets | 203 | 2.0 | Packets input within an accounting interval, in the unit set on the switch | |
H3C-Input-Peak-Rate | 1 | 2.0 | Peak rate in the direction from the user to NAS [bps] | |
H3C-Ip-Host-Addr | 60 | 2.0 | IP address and MAC address of the user carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. | |
H3C-NAS-Startup-Timestamp | 59 | 2.0 | Startup time of the NAS in seconds, represented as the time elapsed since 00:00:00 on Jan 1, 1970 (UTC) | |
H3C-Output-Interval-Gigawords | 206 | 2.0 | Result of bytes output within an accounting interval divided by 4GB | |
H3C-Output-Interval-Octets | 202 | 2.0 | Bytes output within a real-time accounting interval | |
H3C-Output-Interval-Packets | 204 | 2.0 | Packets output within an accounting interval, in the unit set on the switch | |
H3C-Product-ID | 255 | 2.0 | Product name | |
H3C-Remanent-Volume | 15 | 2.0 | Remaining traffic of the connection, in different units for different server types. | |
H3C-Result-Code | 25 | 2.0 | Result of the Trigger-Request or SetPolicy operation, which can be: 0: Succeeded Any other value: Failed |
H3C-Security-Level | 141 | 2.0 | Security level assigned after SSL VPN user passes security authentication | |
H3C-User-Group | 140 | 2.0 | User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with SSL VPN device. | |
H3C-User-HeartBeat | 62 | 2.0 | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the list on the AP and is used for verifying the handshake messages from 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets. | |
H3C-User-Notify | 61 | 2.0 | Information that needs to be sent from the server to the client transparently | |
Attribute | # | Type | ISE Version | Usage Description |
HP-Bandwidth-Max-Egress | 48 | integer | 2.0 | Percentage of port bandwidth allowed for egress. |
HP-Bandwidth-Max-Ingress | 46 | integer | 2.0 | Percentage of port bandwidth allowed for ingress. |
HP-Capability-Advert | 255 | octets | 2.0 | This attribute defines the capabilities of the NAS, listing all special RADIUS attributes it supports. |
HP-Command-Exception | 3 | integer | 2.0 | The flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others. A one (1) means deny all listed commands and permit all others. |
HP-Command-String | 2 | regex | 2.0 | List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters. |
HP-Cos | 40 | string | 2.0 | Assigns 802.1p priority to all inbound packets on port. This attribute should contain the desired CoS priority (as string) repeated 8 times. The reason for the repetition is that this attribute is meant to form a map to translate different CoS priorities in packets egressing on the port. Values: 1-2: Low 0,3: Normal 4-5: High 6-7: Critical |
HP-Egress-VLAN-Name | 65 | string | 2.0 | Allows egress traffic for specified VLAN name. |
HP-Egress-VLANID | 64 | integer | 2.0 | Allows egress traffic for the specified VLAN ID. The first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding (0x000) and the final 12 bits are the VLAN ID as an integer value. Example: VLAN 17 as a tagged egress VLAN would be 0x31000011. |
HP-Management-Protocol | 26 | integer | 2.0 | Management protocol that can be used, can be: 5: HTTP 6: HTTPS |
HP-Nas-Filter-Rule | 61 | string | 2.0 | ACE (multiple attributes from ACL) applied to client. Example: permit in tcp from any to any |
HP-Nas-Rules-IPv6 | 63 | integer | 2.0 | Also applies the ACL carried in HP-Nas-Filter-Rule to IPv6 traffic. If set to 1, the any keyword used as destination applies to both IPv4 and IPv6 destinations for the selected traffic type. If set to 2, IPv6 traffic is ignored. |
HP-Port-Auth-Mode-Dot1x | 13 | integer | 2.0 | Temporarily alters the 802.1X authentication mode to be either port-based or user-based depending on the value in the VSA. 1: port-based 2: user-based |
HP-Port-Client-Limit-Dot1x | 10 | integer | 2.0 | Temporarily alters the 802.1X authentication client limit to the value contained in the VSA. Values range from 0 to 32 clients. 0 - means VSA is disabled |
HP-Port-Client-Limit-MA | 11 | integer | 2.0 | Temporarily alters the MAC authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. 0 - means VSA is disabled |
HP-Port-Client-Limit-WA | 12 | integer | 2.0 | Temporarily alters the web-based authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. 0 - means VSA is disabled |
HP-Privilege-Level | 1 | integer | 2.0 | Privilege level of the user, can be: 1: SuperUser 2: Monitor 16: HelpDeskManager 17: NetworkAdministrator 18: SystemAdministrator 19: WebUserAdministrator |
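The HP-Egress-VLANID row above describes a packed 32-bit value: a tag byte of 0x31 or 0x32, twelve zero padding bits and a 12-bit VLAN ID. Below is an added example, not HP or Aruba code, that encodes and decodes that layout, including the four-byte network-order form the value takes in a RADIUS packet. Rejecting a non-zero padding field, a tag byte other than 0x31/0x32, or a VLAN ID outside 1-4094 is this example's choice; the table does not say how the switch handles such values.

```python
"""Encode and decode HP-Egress-VLANID (VSA 64) as laid out in the table above.

Added example for this page; not HP or Aruba code. Layout per the table:
high byte 0x31 (tagged) or 0x32 (untagged), then 12 zero padding bits, then
the VLAN ID in the low 12 bits, so VLAN 17 tagged is 0x31000011. Treating
non-zero padding, an unknown tag byte or a VLAN ID outside 1-4094 as
malformed is an assumption of this example.
"""
import struct
from typing import Tuple

TAGGED = 0x31
UNTAGGED = 0x32


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Build the 32-bit attribute value for one egress VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Return (vlan_id, tagged), or raise ValueError for a malformed value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    tag_byte = value >> 24
    padding = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag_byte not in (TAGGED, UNTAGGED):
        raise ValueError(f"tag byte must be 0x31 or 0x32, got 0x{tag_byte:02x}")
    if padding:
        raise ValueError(f"padding bits must be zero, got 0x{padding:03x}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, tag_byte == TAGGED


def is_valid_egress_vlanid(value: int) -> bool:
    """True if decode_egress_vlanid accepts the value."""
    try:
        decode_egress_vlanid(value)
        return True
    except ValueError:
        return False


def decode_from_wire(attr_value: bytes) -> Tuple[int, bool]:
    """Decode the attribute's value bytes as carried in a RADIUS packet.
    A RADIUS integer is four bytes in network byte order; any other
    length is malformed and is rejected before unpacking."""
    if len(attr_value) != 4:
        raise ValueError(f"integer attribute must be 4 bytes, got {len(attr_value)}")
    (value,) = struct.unpack("!I", attr_value)
    return decode_egress_vlanid(value)


def encode_to_wire(vlan_id: int, tagged: bool) -> bytes:
    """Network-order bytes for the attribute value."""
    return struct.pack("!I", encode_egress_vlanid(vlan_id, tagged))


if __name__ == "__main__":
    print(hex(encode_egress_vlanid(17, True)))        # 0x31000011, the table's example
    print(decode_from_wire(b"\x32\x00\x00\x64"))      # constructed: VLAN 100 untagged
```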
Attribute | Values | ISE Version | Usage Description |
Description | string | 1.2, 1.3, 1.4 | The description of the identity group to which the user belongs. |
Name | string | 1.2, 1.3, 1.4 | The name of the identity group to which the user belongs. |
Attribute | Values | ISE Version | Usage Description |
Description | string | 1.2 | Description of the internal user. |
EnableFlag | string | 1.2 | A string indicating whether the account is enabled. |
Firstname | string | 1.2 | A string defining first name of the user. |
IdentityGroup | string | 1.2 | The identity group the internal user belongs to. |
Lastname | string | 1.2 | A string defining last name of the user. |
Name | string | 1.2 | A string defining the username. |
UserType | string | 1.2 | ? |
Attribute | # | Type | ISE Version | Available | Usage Description |
Juniper-Allow-Commands | 2 | regex | 2.0 | Authentication Authorization | Contains operational mode commands, as a regular expression, that the user is allowed to run in addition to the commands authorized by the user's login class permission bits. Maximum length 247 characters. Note: This attribute is used only in Access-Accept. |
Juniper-Allow-Configuration | 4 | regex | 2.0 | Authentication Authorization | Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user's login class permission bits. Note: This attribute is used only in Access-Accept. |
Juniper-cell-overhead | 41 | integer | 2.0 | Authentication Authorization | |
Juniper-Configuration-Change | 9 | string | 2.0 | Authentication Authorization | Indicates the interactive command that results in a configuration (database) change. Note: This attribute is used only in Accounting-Request. |
Juniper-CoS-Parameter | 39 | string | 2.0 | Authentication Authorization | |
Juniper-CoS-Traffic-Control-Profile | 38 | string | 2.0 | Authentication Authorization | |
Juniper-CTP-Group | 21 | | 2.0 | Authentication Authorization | 1: Read_Only 2: Admin 3: Privileged_Admin 4: Auditor |
Juniper-CTPView-APP-Group | 22 | | 2.0 | Authentication Authorization | 1: Net_View 2: Net_Admin 3: Global_Admin |
Juniper-CTPView-OS-Group | 23 | | 2.0 | Authentication Authorization | 1: Web_Manager 2: System_Admin 3: Auditor |
Juniper-Deny-Commands | 3 | regex | 2.0 | Authentication Authorization | Contains an extended regular expression that denies the user permission to run operational mode commands otherwise authorized by the user's login class permission bits. Maximum length 247 characters. Note: This attribute is used only in Access-Accept. |
Juniper-Deny-Configuration | 5 | regex | 2.0 | Authentication Authorization | Contains an extended regular expression that denies the user permission to run configuration commands otherwise authorized by the user's login class permission bits. Note: This attribute is used only in Access-Accept. |
Juniper-encapsulation-overhead | 40 | integer | 2.0 | Authentication Authorization | |
Juniper-Firewall-filter-name | 44 | string | 2.0 | Authentication Authorization | |
Juniper-Interactive-Command | 8 | string | 2.0 | Authentication Authorization | Indicates the interactive command entered by the user. Note: This attribute is used only in Accounting-Request. |
Juniper-Interface-id | 35 | string | 2.0 | Authentication Authorization | Identifier of the interface. |
Juniper-Ip-Pool-Name | 36 | string | 2.0 | Authentication Authorization | The name of the IP pool defined on the device. |
Juniper-Keep-Alive | 37 | integer | 2.0 | Authentication Authorization | |
Juniper-Local-Group-Name | 46 | string | 2.0 | Authentication Authorization | |
Juniper-Local-Interface | 47 | string | 2.0 | Authentication Authorization | Interface to apply to the E Series side of the connection. The value can be one of the following: - IP address (with subnet mask) |
Juniper-Local-User-Name | 1 | string | 2.0 | Authentication Authorization | Indicates the name of the user template used by the user when logging in to a device. Maximum length 247 characters. |
Juniper-Policer-Parameter | 45 | string | 2.0 | Authentication Authorization | |
Juniper-Primary-Dns | 31 | IP address | 2.0 | Authentication Authorization | B-RAS user's DNS address negotiated during IPCP |
Juniper-Primary-Wins | 32 | IP address | 2.0 | Authentication Authorization | B-RAS user's WINS (NBNS) address negotiated during IPCP |
Juniper-rx-connect-speed | 43 | integer | 2.0 | Authentication Authorization | Defines the receive connect speed. |
Juniper-Secondary-Dns | 33 | IP address | 2.0 | Authentication Authorization | B-RAS user's DNS address negotiated during IPCP |
Juniper-Secondary-Wins | 34 | IP address | 2.0 | Authentication Authorization | B-RAS user's WINS (NBNS) address negotiated during IPCP |
Juniper-Switching-Filter | 48 | string | 2.0 | Authentication Authorization | A string that works like an ACL, of the form "Match < >, Action < >", where the match can be on MAC address, IP address, port, VLAN, etc. |
Juniper-tx-connect-speed | 42 | integer | 2.0 | Authentication Authorization | Defines the transmit connect speed. |
Juniper-User-Permissions | 10 | string | 2.0 | Authentication Authorization | Contains the information the server uses to specify user permissions, as a space-separated list of permission flags. Permission flags: access, access-control, admin, admin-control, all-control, clear, configure, control, field, firewall, firewall-control, floppy, flow-tap, flow-tap-operation, idp-profiler-operation, interface, interface-control, maintenance, network, pgcp-session-mirroring, pgcp-session-mirroring-control, reset, rollback, routing, routing-control, secret, secret-control, security, security-control, shell, snmp, snmp-control, system, system-control, trace, trace-control, view, view-configuration |
Juniper-VoIP-Vlan | 49 | integer | 2.0 | Authentication Authorization | Voice VLAN returned from the RADIUS server. |
After you add an MDM server definition in Cisco ISE, the MDM dictionary attributes below become available for use in authorization policies.
Attribute | Type / Values | ISE Version | Available | Usage Description |
DaysSinceLastCheckin | Days count | 2.1 | Authorization | How many days elapsed from last MDM check for particular endpoint |
DeviceCompliantStatus | String | Authorization | ||
Compliant | Attribute validate that complaint status been confirmed by MDM server for particular endpoint | |||
NonCompliant | Attribute validate that non complaint status been confirmed by MDM server for particular endpoint | |||
DeviceRegisterStatus | String | Authorization | ||
Registered | Endpoint is known to MDM server and been previously registered | |||
UnRegistered | Endpoint is unknown to MDM server and has not been registered | |||
DiskEncryptionStatus | String | Authorization | ||
Off | Disk encryption is not enabled on the endpoint | |||
On | Disk encryption is enabled on the endpoint | |||
IMEI | String | Authorization | IMEI value. Match based on endpoint IMEI value from MDM server response | |
JailBrokenStatus | String | Authorization | ||
Broken | Match endpoint status JailBroken based on MDM server response | |||
UnBroken | Match endpoint status UnJailBroken based on MDM server response | |||
Manufacturer | String | Authorization | Manufacturer name. Match based on mobile device manufacturer name from MDM server response | |
MDMFailureReason | 2.1 | Authorization | FailureReason value | |
MDMServerName | MDMServerName | Authorization | Match based on MDMServerName from endpoint attributes | |
MDMServerReachable | String | Authorization | ||
Reachable | Match reachable status of MDM server | |||
UnReachable | Match unreachable status of MDM server | |||
MEID | String | Authorization | MEID Value. Match based on endpoint mobile equipment identifier(MEID) value from MDM server response | |
Model | String | Authorization | Model Value. Match based on mobile device model from MDM server response | |
OsVersion | String | Authorization | OsVersion Value. Match based on mobile device OS version from MDM server response | |
PhoneNumber | String | Authorization | PhoneNumber Value. Match based on phone number of mobile device | |
PinLockStatus | String | Authorization | ||
Off | Pinlock disabled on endpoint | |||
On | Pinlock enabled on endpoint | |||
SerialNumber | String | Authorization | SerialNumber Value. Match based on mobile device serial number from MDM server response | |
ServerType | String | 2.1 | Authorization | |
DesktopDeviceManager | Server on which endpoint registered belongs to Desktop Device Manager type (ex: Microsoft System Center) | |||
MobileDeviceManager | Server on which endpoint registered belongs to Mobile Device Manager type (regular MDM server) | |||
UDID | UDID Value | Authorization | UDID Value. Match based on Unique Device Identifier (Apple specific) | |
UserNotified | String | 2.1 | Authorization | |
No | User has not been notified previously about requirement to register device (Desktop Device Manager specific check) | |||
Yes | User was notified previously about requirement to register device (Desktop Device Manager specific check) |
Defined in RFC 2548, Microsoft Vendor-specific RADIUS Attributes.
This RADIUS dictionary is provided in ISE by default.
Attribute | # | Type | ISE Version | Available | Description |
MS-Acct-Auth-Type | 23 | integer | 1.2 | Authentication Authorization | Represents the method used to authenticate the dial-up user: 1: PAP 2: CHAP 3: MS-CHAP-1 4: MS-CHAP-2 5: EAP |
MS-Acct-EAP-Type | 24 | integer | 1.2 | Authentication Authorization | Represents the EAP type used to authenticate the dial-up user: 4: MD5 5: OTP 6: Generic Token Card 13: TLS |
MS-AFW-Protection-Level | 49 | integer | 1.2 | Authentication Authorization | Specifies a NAP protection level. Used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access. |
MS-AFW-Zone | 48 | integer | 1.2 | Authentication Authorization | Specifies a NAP zone. Used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access. |
MS-ARAP-PW-Change-Reason | 21 | integer | 1.2 | Authentication Authorization | Used to indicate the reason for a server-initiated password change: 1: Just-Change-Password 2: Expired-Password 3: Admin-Requires-Password-Change 4: Password-Too-Short |
MS-BAP-Usage | 13 | integer | 1.2 | Authentication Authorization | Describes whether the use of BAP is allowed, disallowed or required on new multilink calls: 0: BAP usage not allowed 1: BAP usage allowed 2: BAP usage required |
MS-CHAP-Challenge | 11 | string | 1.2 | Authentication Authorization | Contains the challenge sent by the NAS to the MS-CHAP user. |
MS-CHAP-CPW-1 | 3 | string | 1.2 | Authentication Authorization | Allows the user to change their password if it has expired. Note: This attribute is only used in Access-Request packets and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject, the string of that MS-CHAP-Error indicated that the user password had expired, and the MS-CHAP version is equal to 2. |
MS-CHAP-CPW-2 | 4 | string | 1.2 | Authentication Authorization | Allows the user to change their password if it has expired. Note: This attribute is only used in Access-Request packets and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject, the string of that MS-CHAP-Error indicated that the user password had expired, and the MS-CHAP version is less than 2. |
MS-CHAP-Domain | 10 | string | 1.2 | Authentication Authorization | Indicates the Windows NT domain in which the user was authenticated. |
MS-CHAP-Error | 2 | string | 1.2 | Authentication Authorization | Contains error data related to the preceding MS-CHAP exchange. Note: Only used in Access-Reject. |
MS-CHAP-LM-Enc-PW | 5 | string | 1.2 | Authentication Authorization | Contains the new Windows NT password encrypted with the old LAN Manager password hash. Note: This attribute is used only in Access-Request packets, in conjunction with the MS-CHAP-CPW-2 attribute. It should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject. |
MS-CHAP-MPPE-Keys | 12 | string | 1.2 | Authentication Authorization | Contains two session keys for use by MPPE. Note: This attribute is only included in Access-Accept. |
MS-CHAP-NT-Enc-PW | 6 | string | 1.2 | Authentication Authorization | Contains the new Windows NT password encrypted with the old Windows NT password hash. Note: This attribute is used only in Access-Request packets, in conjunction with the MS-CHAP-CPW-2 attribute. It should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject. |
MS-CHAP-Response | 1 | string | 1.2 | Authentication Authorization | Contains the response value provided by an MS-CHAP user in response to the challenge. Note: Only used in Access-Request. |
MS-CHAP2-CPW | 27 | octets | 1.2 | Authentication Authorization | Allows the user to change their password if it has expired. Used only in conjunction with MS-CHAP-NT-Enc-PW and should only be included if an MS-CHAP-Error attribute was included in the Access-Reject packet and the MS-CHAP version is 3. |
MS-CHAP2-Response | 25 | octets | 1.2 | Authentication Authorization | Contains the response value provided by an MS-CHAP-V2 peer in response to the challenge. |
MS-CHAP2-Success | 26 | octets | 1.2 | Authentication Authorization | Contains the 42-octet authenticator response string. This string must be included in the Message field of the MS-CHAP-V2 Success packet sent from the NAS. |
MS-Extended-Quarantine-State | 57 | integer | 1.2 | Authentication Authorization | Indicates the level of network access that the RADIUS server authorizes for the endpoint. Used to specify additional information about a restricted access decision by a RADIUS server. |
MS-Filter | 22 | octets | 1.2 | Authentication Authorization | Used to transmit traffic filters. If multiple MS-Filter attributes are contained within a packet, they must be in order and must be consecutive attributes in the packet. |
MS-HCAP-Location-Group-Name | 59 | string | 1.2 | Authentication Authorization | Used to specify location group information received over an HCAP interface by a RADIUS client. |
MS-HCAP-User-Groups | 58 | string | 1.2 | Authentication Authorization | Used to specify user group information received over an HCAP interface by a RADIUS client. |
MS-HCAP-User-Name | 60 | string | 1.2 | Authentication Authorization | Used to indicate user identity information received over an HCAP interface by a RADIUS client. |
MS-Identity-Type | 41 | integer | 1.2 | Authentication Authorization | Indicates whether a RADIUS server performs only a machine health check. If the value is 0x00000001, the RADIUS server must not perform authentication; instead it must perform a machine health check on this request. If the value is different, or the RADIUS server does not receive this attribute, it should perform authentication as well as a machine health check on this request. |
MS-IPv4-Remediation-Servers | 52 | list of IP addresses | 1.2 | Authentication Authorization | Contains a list of servers that are reachable by an endpoint whose access is restricted, so that the endpoint can remediate itself. |
MS-IPv6-Filter | 51 | octets | 1.2 | Authentication Authorization | Used to limit the inbound and/or outbound access of the endpoint. |
MS-IPv6-Remediation-Servers | 53 | octets | 1.2 | Authentication Authorization | Specifies the IPv6 addresses of the remediation servers. |
MS-Link-Drop-Time-Limit | 15 | integer | 1.2 | Authentication Authorization | Indicates the length of time (in seconds) that a link must be underutilized before it is dropped. |
MS-Link-Utilization-Threshold | 14 | integer | 1.2 | Authentication Authorization | Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. |
MS-Machine-Name | 50 | string | 1.2 | Authentication Authorization | Used to communicate the machine name of the endpoint requesting network access. |
MS-MPPE-Encryption-Policy | 7 | integer | 1.2 | Authentication Authorization | Signifies whether the use of encryption is allowed or required. 1 means encryption-allowed (any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute may be used); 2 means encryption-required (any of the encryption types specified in the MS-MPPE-Encryption-Types attribute may be used). |
MS-MPPE-Encryption-Types | 8 | integer | 1.2 | Authentication Authorization | Integer (four-octet integer interpreted as a string of bits). Signifies the types of encryption available for use with MPPE. |
MS-MPPE-Recv-Key | 17 | string | 1.2 | Authentication Authorization | Contains a session key for use by MPPE. This key is for encrypting packets that the AAA client receives from the remote host. Note: This attribute is included only in Access-Accept. |
MS-MPPE-Send-Key | 16 | string | 1.2 | Authentication Authorization | Contains a session key for use by MPPE. This key is for encrypting packets sent from the AAA client to the remote host. Note: This attribute is used only in Access-Accept. |
MS-Network-Access-Server-Type | 47 | integer | 1.2 | Authentication Authorization | Used to specify the type of the network access server making the request. 0: Unspecified 1: Terminal-Server-Gateway 2: Remote-Access-Server 3: DHCP-Server 4: Wireless-Access-Point 5: HRA 6: HCAP-Server |
MS-New-ARAP-Password | 20 | string | 1.2 | Authentication Authorization | Used to transmit the new ARAP password during an ARAP password change operation. |
MS-Old-ARAP-Password | 19 | string | 1.2 | Authentication Authorization | Used to transmit the old ARAP password during an ARAP password change operation. |
MS-Primary-DNS-Server | 28 | IP address | 1.2 | Authentication Authorization | Used to indicate the address of the primary DNS server used by the PPP peer. |
MS-Primary-NBNS-Server | 30 | IP address | 1.2 | Authentication Authorization | Used to indicate the address of the primary NetBIOS Name Server (NBNS) to be used by the PPP peer. |
MS-Quarantine-Grace-Time | 46 | integer | 1.2 | Authentication Authorization | Applies a timeout to the endpoint requesting network access, set to expire at the time given by the attribute's value. |
MS-Quarantine-IPFilter | 36 | octets | 1.2 | Authentication Authorization | Used to specify the set of IP filters to be provisioned for the endpoint associated with a RADIUS Access-Request. |
MS-Quarantine-Session-Timeout | 37 | integer | 1.2 | Authentication Authorization | Used to specify a timeout value used by an RRAS server. |
MS-Quarantine-SOH | 55 | octets | 1.2 | Authentication Authorization | Used to carry Statement of Health information from the endpoint when EAP is not used. |
MS-Quarantine-State | 45 | integer | 1.2 | Authentication Authorization | Specifies the access rights granted to the endpoint requesting network access. 0: Full access 1: Restricted access 2: On probation (full access within a limited time period) |
MS-Quarantine-User-Class | 44 | string | 1.2 | Authentication Authorization | Used to carry the name of a special DHCP user class. |
MS-RAS-Client-Name | 34 | string | 1.2 | Authentication Authorization | Used to specify the name of the endpoint generating the request. |
MS-RAS-Client-Version | 35 | string | 1.2 | Authentication Authorization | Used to specify the version of the endpoint generating the request. |
MS-RAS-Correlation | 56 | octets | 1.2 | Authentication Authorization | Used by the NAD to send an identifier that is used for correlating log events with the RADIUS server. |
MS-RAS-Vendor | 9 | integer | 1.2 | Authentication Authorization | Used to indicate the manufacturer of the RADIUS client machine. |
MS-RAS-Version | 18 | integer | 1.2 | Authentication Authorization | Used to indicate the version of the RADIUS client software. |
MS-RNAP-Not-Quarantine-Capable | 54 | integer | 1.2 | Authentication Authorization | Indicates whether or not the endpoint requesting network access is NAP capable. 0: endpoint sent an SoH 1: endpoint did not send an SoH |
MS-Secondary-DNS-Server | 29 | IP address | 1.2 | Authentication Authorization | Used to indicate the address of the secondary DNS server used by the PPP peer. |
MS-Secondary-NBNS-Server | 31 | IP address | 1.2 | Authentication Authorization | Used to indicate the address of the secondary NBNS server used by the PPP peer. |
MS-Service-Class | 42 | string | 1.2 | Authentication Authorization | Used to specify which group of DHCP scopes will supply an IP address to the endpoint requesting access. |
MS-TSG-Device-Redirection | 63 | integer | 1.2 | Authentication Authorization | Specifies filters used by a Remote Desktop Gateway (RDG) server. |
MS-User-IPv4-Address | 61 | IP address | 1.2 | Authentication Authorization | Specifies the IP address of the endpoint as known to the RADIUS client. |
MS-User-Security-Identity | 40 | string | 1.2 | Authentication Authorization | Used to specify the security identifier (SID) of the user requesting access. |
Attribute | # | Type / Value | ISE Version | Available | Description |
Symbol-Admin-Role | 1 | String | 2.0 | Authentication Authorization | Permissions for the remote user |
Monitor | User with read-only access to a WLC or AP | ||||
Helpdesk | User can clear statistics, reboot devices and create or copy tech support files | ||||
NetworkAdmin | User responsible for configuration of parameters such as Layer 2, Layer 3, Wireless, RADIUS, DHCP and Smart-RF | ||||
SysAdmin | User responsible for configuring general switch settings such as upgrading images, changing boot partitions, time and administrative access | ||||
WebAdmin | User responsible for adding guest user accounts for Captive Portal authentication | ||||
SuperUser | User with full administrative privileges | ||||
Symbol-Allowed-ESSID | 3 | String | 2.0 | Authentication Authorization | ESSID name(s) the user is permitted to associate with |
Symbol-Allowed-Radio | 6 | String | 2.0 | Authentication Authorization | Indicates one or more radio name(s) the user is permitted to associate with. Must match one or more keywords defined in the radio description fields |
Symbol-Current-ESSID | 2 | String | 2.0 | Authentication Authorization | ESSID the user is currently associated with |
Symbol-Downlink-Limit | 10 | integer | 2.0 | Authentication Authorization | Indicates the amount of bandwidth in Kbps that the user is permitted to receive from the AP. Traffic that exceeds the value will be dropped by the WLC or AP. 0 means disabled |
Symbol-Expiry-Date-Time | 7 | string | 2.0 | Authentication Authorization | Indicates the date and time at which the user is no longer authorized to access the network. String in the format MM/DD/YYYY-HH:MM |
Symbol-Login-Source | 100 | | 2.0 | Authentication Authorization | Indicates the management interfaces the user is permitted to access on the WLC or AP |
HTTP | Allows HTTP login management access using the Web-UI | ||||
SSH | Allows SSH login management access | ||||
Telnet | Allows Telnet login management access | ||||
Console | Allows Console login management access | ||||
All | Allows all login management access methods | ||||
Symbol-Posture-Status | 9 | string | 2.0 | Authentication Authorization | NAP compliance state of the user. This attribute is used with the Symantec LAN Enforcer endpoint inspection solution. |
Symbol-QoS-Profile | 5 | integer | 2.0 | Authentication Authorization | Specifies the static WMM Access Category to be assigned to the user. Once assigned, traffic forwarded from the AP to the user is prioritized using the assigned QoS value. Supported values: 1 - Best Effort 2 - Background 3 - Video 4 - Voice |
Symbol-Start-Date-Time | 8 | string | 2.0 | Authentication Authorization | Indicates the date and time from which the user is initially permitted to access the network. Format MM/DD/YYYY-HH:MM |
Symbol-Uplink-Limit | 11 | integer | 2.0 | Authentication Authorization | Indicates the amount of bandwidth in Kbps that the user is permitted to transmit to the AP. Traffic that exceeds the defined value will be dropped by the WLC or AP. |
Symbol-User-Group | 12 | string | 2.0 | Authentication Authorization | Indicates the group on the WLC or AP that the user is associated with |
Symbol-WLAN-Index | 4 | integer | 2.0 | Authentication Authorization | Indicates the WLAN index number of the WLAN the user is associated with |
These attributes are used by the Cisco Mobility Services Engine (MSE). For more information, please see the ISE Design & Integration Guides for Cisco Mobility Services Engine (MSE).
Attribute | Values | ISE Version | Usage Description |
MapLocation | string | 2.0 | The location of the device on the map using MSE. |
This dictionary contains session attributes that can be collected during the authentication process, either from the RADIUS flow (for example, the EAP tunnel or the EAP chaining result) or as a result of the authentication process on ISE itself (use case, ISE host name).
Attribute | Type / Values | ISE Version | Available | Usage Description |
AD-Host-DNS-Domain | ||||
AD-Host-Join-Point | ||||
AD-User-DNS-Domain | ||||
AD-User-Join-Point | ||||
AuthenticationIdentityStore | ||||
AuthenticationMethod | string | | Authentication Authorization | |
CHAP/MD5 | Match authentication requests using CHAP/MD5 authentication | |||
Lookup | Match authentication requests using host lookup (MAB) | |||
MSCHAPv1 | Match authentications with MSCHAPv1 as the authentication method | |||
MSCHAPv2 | Match authentications with MSCHAPv2 as the authentication method | |||
PAP_ASCII | Match authentications with PAP_ASCII as the authentication method | |||
x509_PKI | Certificate-based authentication matching | |||
AuthenticationStatus | string | | Authorization | |
AuthenticationFailed | Match sessions for which user/endpoint authentication failed | |||
AuthenticationPassed | Match sessions for which user/endpoint authentication passed | |||
ProcessError | Match sessions for which user/endpoint authentication finished with a process error | |||
UnknownUser | Match sessions for which user/endpoint authentication finished with an unknown user error | |||
Device IP Address | IP address | | Authentication Authorization | Match by the IP address of the Network Access Device. This is the address configured by the user under Network Device in the ISE GUI during device creation |
EapAuthentication | string | | Authorization | The EAP method used during authentication of a user or a machine |
EAP-GTC | Match sessions using EAP-GTC as the EAP authentication method | |||
EAP-MD5 | Match sessions using EAP-MD5 as the EAP authentication method | |||
EAP-MSCHAPv2 | Match sessions using EAP-MSCHAPv2 as the EAP authentication method | |||
EAP-TLS | Match sessions using EAP-TLS as the EAP authentication method | |||
LEAP | Match sessions using LEAP as the EAP authentication method | |||
EapChainingResult | string | | Authorization | Result of the EAP-FAST specific way to bind user and machine authentication together |
No chaining | Match sessions with no EAP chaining in place | |||
User and machine both succeeded | Match sessions with successful machine and user authentication confirmed by EAP chaining | |||
User failed and machine succeeded | Match sessions with successful machine and failed user authentication confirmed by EAP chaining | |||
User succeeded and machine failed | Match sessions with failed machine and successful user authentication confirmed by EAP chaining | |||
EAPTunnel | string | | Authentication Authorization | The EAP method used for tunnel establishment. |
EAP-FAST | 1.0 | Match EAP requests with EAP-FAST | ||
EAP-TTLS | 2.0 | Match EAP requests with EAP-TTLS | ||
PEAP | 1.0 | Match EAP requests with PEAP | ||
GroupsOrAttributesProcessFailure | | | Authorization | |
ISE Host Name | string | | Authentication Authorization | ISE HostName value. Match the name of the ISE server on which the authentication request landed |
MachineAuthenticationIdentityStore | ||||
NetworkDeviceName | string | | Authentication Authorization | Network Device name value. Match based on the name of the network device configured by the user under Network Device in the ISE GUI during device creation |
Protocol | string | | Authentication Authorization | Protocol name |
RADIUS | Match authentication requests carried over the RADIUS protocol | |||
TACACS+ | Match authentication requests carried over the TACACS+ protocol | |||
RADIUS Server | ||||
RADIUS Server Sequence | ||||
SessionLimitExceeded | boolean | 1.4 | Authentication Authorization | |
False | The session limit from the guest type has not yet been reached for the particular guest user (applicable only to guest users) | |||
True | The session limit from the guest type has been reached for the particular guest user (applicable only to guest users) | |||
UseCase | string | |||
EAP Chaining | 1.1 | Using this attribute, your authorization policy can match sessions where EAP chaining was used during authentication | ||
Guest Flow | 1.0 | This attribute can be used to match sessions that successfully finished the guest flow (either guest authentication passed, or the AUP was accepted for the hotspot) | ||
Easy Wired Flow | 2.1 | Easy Connect | ||
Proxy | 1.2 | |||
Host Lookup | 1.0 | |||
UserName | string | | Authentication Authorization | Username value. Match the user name presented in the RADIUS Access-Request |
WasMachineAuthenticated | boolean | 1.0 | Authorization | Used for detecting Machine Access Registration (MAR) |
Attribute | Type / Values | ISE Version | Available | Usage Description |
RadiusFlowType | string | 2.0 | Authentication Authorization | |
Wired802_1x | Indicates the user authentication method as wired 802.1X | |||
WiredMAB | Indicates the user authentication method as wired MAB | |||
WiredWebAuth | Indicates the user authentication method as wired web authentication | |||
Wireless802_1x | Indicates the user authentication method as wireless 802.1X | |||
WirelessMAB | Indicates the user authentication method as wireless MAB | |||
WirelessWebAuth | Indicates the user authentication method as wireless web authentication | |||
SSID | string | 2.0 | Authentication Authorization | Offers the possibility to map a vendor-specific attribute (for example RADIUS:Called-Station-ID) to this common attribute so that policy rules can use a friendly name. The mapping can be specific to a network device profile. |
After you enable the PassiveID service on the node, the PassiveID dictionary is available.
Attribute | Type | ISE Version | Available | Usage Description |
PassiveID_Groups | string | 2.1 | Authorization | Specifies the domain controller group |
PassiveID_Username | string | 2.1 | Authorization | Specifies the name of the user |
From
Attribute | # | Type | ISE Version | Available | Usage Description |
User-Name | 1 | string | 1.0 | Authentication | The name of the user to be authenticated. Length >= 3 characters. |
User-Password | 2 | string | 1.0 | Authentication | The password of the user to be authenticated, or the user's input following an Access-Challenge. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16-octet segment of the password and placed in the first 16 octets of the String field of the User-Password Attribute. |
CHAP-Password | 3 | string | 1.0 | Authentication | The response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. |
NAS-IP-Address | 4 | address | 1.0 | Authentication | The identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret. |
NAS-Port | 5 | integer | 1.0 | Authentication | The physical port number of the NAS which is authenticating the user |
Service-Type | 6 | integer | 1.0 | Authentication | The type of service the user has requested, or the type of service to be provided. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead. Values: |
Framed-Protocol | 7 | integer | ? | Authentication | The framing to be used for framed access. Values: |
Framed-IP-Address | 8 | address | ? | Authentication | The address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint. |
Framed-IP-Netmask | 9 | address | ? | Authentication | The IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint. |
Framed-Routing | 10 | integer | ? | Authentication | The routing method for the user, when the user is a router to a network. Values: 0 None 1 Send routing packets 2 Listen for routing packets 3 Send and Listen |
Filter-ID | 11 | text | ? | Authentication | The name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet. Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details. On ASA, applies only to full tunnel IPsec and SSL VPN clients |
Framed-MTU | 12 | integer | ? | Authentication | The Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that value, but the server is not required to honor the hint. Values range from 64 to 65535. |
Framed-Compression | 13 | | | Authentication | A compression protocol to be used for the link. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint. More than one compression protocol Attribute MAY be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic. Values: |
Login-IP-Host | 14 | address | ? | Authentication | The system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint. |
Login-Service | 15 | integer | ? | Authentication | The service to use to connect the user to the login host. It is only used in Access-Accept packets. Values: |
Login-TCP-Port | 16 | integer | ? | Authentication | The TCP port with which the user is to be connected, when the Login-Service Attribute is also present. It is only used in Access-Accept packets. |
(unassigned) | 17 | - | - | - | ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED. |
Reply-Message | 18 | text | ? | Authentication | Text which MAY be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. Multiple Reply-Message attributes MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet. |
Callback-Number | 19 | string | ? | Authentication | A dialing string to be used for callback. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint. |
Callback-Id | 20 | string | ? | | The name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets. |
(unassigned) | 21 | - | - | - | ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED. |
Framed-Route | 22 | text | ? | | Routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times. |
Framed-IPX-Network | 23 | integer | ? | | The IPX Network number to be configured for the user. It is used in Access-Accept packets. |
State | 24 | string | ? | Authentication | This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. This Attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action Attribute with the value of RADIUS-Request. If the NAS performs the Termination-Action by sending a new Access-Request upon termination of the current session, it MUST include the State attribute unchanged in that Access-Request. In either usage, the client MUST NOT interpret the attribute locally. A packet must have only zero or one State Attribute. Usage of the State Attribute is implementation dependent. |
Class | 25 | string | ? | Authentication | This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally. |
Vendor-Specific | 26 | string | 1.0 | Authentication | This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage. It MUST not affect the operation of the RADIUS protocol. Servers not equipped to interpret the vendor-specific information sent by a client MUST ignore it (although it may be reported). Clients which do not receive desired vendor-specific information SHOULD make an attempt to operate without it, although they may do so (and report they are doing so) in a degraded mode. Values with Cisco: |
Session-Timeout | 27 | integer | 1.0 | Authentication | This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge. |
Idle-Timeout | 28 | integer | 1.0 | Authentication | This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge. |
Termination-Action | 29 | integer | 1.0 | Authentication | This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets. Values: |
Called-Station-ID | 30 | string | 1.0 | Authentication | This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets. |
Calling-Station-ID | 31 | string | 1.0 | Authentication | This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets. |
NAS-Identifier | 32 | string | 1.0 | Authentication | This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret. |
Proxy-State | 33 | string | ? | Authentication | This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy-State in the packet) before forwarding the response to the NAS. If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes. The content of any Proxy-State other than the one added by the current server should be treated as opaque octets and MUST NOT affect operation of the protocol. Usage of the Proxy-State Attribute is implementation dependent. |
Login-LAT-Service | 34 | string | ? | Authentication | This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint. Administrators use the service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In such an environment several different time sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts. Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Alternately, some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself). |
Login-LAT-Node | 35 | string | Authentication | This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint. | |
Login-LAT-Group | 36 | string | Authentication | This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint. LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap. | |
Framed-AppleTalk-Link | 37 | integer | Authentication | This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. It is never used when the user is not another router. | |
Framed-AppleTalk-Network | 38 | integer | Authentication | This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified. | |
Framed-AppleTalk-Zone | 39 | string | Authentication | This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed. | |
Acct-Status-Type | 40 | integer | Accounting | Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop). | |
Acct-Delay-Time | 41 | integer | Accounting | Number of seconds the client has been trying to send a particular record. | |
Acct-Input-Octets | 42 | integer | Accounting | Number of octets received from the port while this service is being provided. | |
Acct-Output-Octets | 43 | integer | Accounting | Number of octets sent to the port while this service is being delivered. | |
Acct-Session-Id | 44 | string | Accounting | Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable. | |
Acct-Authentic | 45 | integer | Accounting | Way in which the user was authenticated—by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted. | |
Acct-Session-Time | 46 | integer | Accounting | Number of seconds the user has been receiving service. | |
Acct-Input-Packets | 47 | integer | Accounting | Number of packets received from the port while this service is being provided to a framed user. | |
Acct-Output-Packets | 48 | integer | Accounting | Number of packets sent to the port while this service is being delivered to a framed user. | |
Acct-Terminate-Cause | 49 | integer | Accounting | Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows: | |
Acct-Multi-Session-Id | 50 | string | Accounting | (Accounting) A unique accounting identifier used to link multiple related sessions in a log file. Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id. | |
Acct-Link-Count | 51 | integer | Accounting | (Accounting) Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links. | |
Acct-Input-Gigawords | 52 | integer | Accounting | Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of the provided service. | |
Acct-Output-Gigawords | 53 | integer | Accounting | Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while delivering service. | |
??? | 54 | ??? | Accounting | ||
Event-Timestamp | 55 | date | Accounting | Records the time that the event occurred on the NAS. The timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC. To send RADIUS attribute 55 in accounting packets, use the radius-server attribute 55 include-in-acct-req command. Note: Before the Event-Timestamp attribute can be sent in accounting packets, you must configure the clock on the network device. (For information on setting the clock on your network device, see the "Performing Basic System Management" section in the "Basic System Management" chapter of the Network Management Configuration Guide.) To avoid configuring the clock on the network device every time the network device is reloaded, you can enable the clock calendar-valid command. (For more information about this command, see the "Setting Time and Calendar Services" section in the "Basic System Management" chapter of the Network Management Configuration Guide.) | |
??? | 56 | Accounting | |||
??? | 57 | Accounting | |||
??? | 58 | Accounting | |||
??? | 59 | Accounting | |||
CHAP-Challenge | 60 | string | ? | Authentication | This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets. If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute. |
NAS-Port-Type | 61 | integer | 1.0 | Authentication | This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. |
Port-Limit | 62 | integer | Authentication | This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint. | |
Login-LAT-Port | 63 | string | Authentication | This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint. The String field is one or more octets, and contains the identity of the LAT port to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension. All LAT string comparisons are case insensitive. | |
Tunnel-Type | 64 | integer | Authentication | Indicates the tunneling protocol(s) used. Cisco software supports one possible value for this attribute: L2TP. | |
Tunnel-Medium-Type | 65 | integer | Authentication | Indicates the transport medium type used to create a tunnel. This attribute has only one available value for this release: IP. If no value is set for this attribute, IP is used as the default. | |
Tunnel-Client-Endpoint | 66 | string | Authentication | Contains the address of the initiator end of the tunnel. It may be included in both Access-Request and Access-Accept packets to indicate the address from which a new tunnel is to be initiated. If the Tunnel-Client-Endpoint attribute is included in an Access-Request packet, the RADIUS server should take the value as a hint. This attribute should be included in Accounting-Request packets that contain Acct-Status-Type attributes with values of either Start or Stop, in which case it indicates the address from which the tunnel was initiated. This attribute, along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID attributes, may be used to provide a globally unique method to identify a tunnel for accounting and auditing purposes. An enhancement has been added for the network access server to accept a value of 127.0.0.X for this attribute such that: 127.0.0.0 would indicate that the loopback0 IP address has to be used, 127.0.0.1 would indicate that the loopback1 IP address has to be used, and 127.0.0.X would indicate that the loopbackX IP address has to be used for the actual tunnel client endpoint IP address. This enhancement adds scalability across multiple network access servers. | |
Tunnel-Server-Endpoint | 67 | string | Authentication | Indicates the address of the server end of the tunnel. The format of this attribute varies depending on the value of Tunnel-Medium-Type. Depending on your release only IP as a tunnel medium type may be supported and the IP address or the host name of LNS is valid for this attribute. | |
Acct-Tunnel-Connection | 68 | string | Indicates the identifier assigned to the tunnel session. This attribute should be included in Accounting-Request packets that contain an Acct-Status-Type attribute having the value Start, Stop, or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint attributes, may be used to provide a method to uniquely identify a tunnel session for auditing purposes. | ||
Tunnel-Password | 69 | string | Defines the password to be used to authenticate to a remote server. This attribute is converted into different AAA attributes based on the value of Tunnel-Type: AAA_ATTR_l2tp_tunnel_pw (L2TP), AAA_ATTR_nas_password (L2F), and AAA_ATTR_gw_password (L2F). By default, all passwords received are encrypted, which can cause authorization failures when a NAS attempts to decrypt a non-encrypted password. To enable attribute 69 to receive non-encrypted passwords, use the radius-server attribute 69 clear command in global configuration mode. | ||
ARAP-Password | 70 | string | Identifies an Access-Request packet containing a Framed-Protocol of AppleTalk Remote Access Control (ARAP). | ||
ARAP-Features | 71 | string | Includes password information that the NAS should send to the user in an ARAP feature flags packet. | ||
ARAP-Zone-Access | 72 | integer | Indicates how the ARAP zone list for the user should be used. | ||
ARAP-Security | 73 | integer | Identifies the ARAP Security Module to be used in an Access-Challenge packet. | ||
ARAP-Security-Data | 74 | string | Contains the actual security module challenge or response in Access-Challenge and Access-Request packets. | ||
Password-Retry | 75 | integer | Indicates the number of times a user may attempt authentication before being disconnected. | ||
Prompt | 76 | integer | Indicates to the NAS whether it should echo the user's response as it is entered or not echo it. (0 = no echo, 1 = echo) | ||
Connect-Info | 77 | string | Provides additional call information for modem calls. This attribute is generated in start and stop accounting records. | ||
Configuration-Token | 78 | string | Indicates the type of user profile to be used. This attribute should be used in large distributed authentication networks based on proxy. It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept; it should not be sent to a NAS. | ||
EAP-Message | 79 | string | Encapsulates Extensible Authentication Protocol (EAP) packets that allow the NAS to authenticate dial-in users using EAP without having to understand the EAP protocol. | ||
Message-Authenticator | 80 | string | Prevents spoofing Access-Requests using CHAP, ARAP, or EAP authentication methods. | ||
Tunnel-Private-Group-ID | 81 | string | Authentication | Indicates the group ID for a particular tunneled session. | |
Tunnel-Assignment-ID | 82 | string | Indicates to the tunnel initiator the particular tunnel to which a session is assigned. | ||
Tunnel-Preference | 83 | integer | Authentication | Indicates the relative preference assigned to each tunnel. This attribute should be included if more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator. | |
ARAP-Challenge-Response | 84 | Contains the response to the challenge of the dial-in client. | |||
Acct-Interim-Interval | 85 | integer | Indicates the number of seconds between each interim update for this specific session. This value can only appear in the Access-Accept message. | ||
Acct-Tunnel-Packets-Lost | 86 | Indicates the number of packets lost on a given link. This attribute should be included in Accounting-Request packets that contain an Acct-Status-Type attribute having the value Tunnel-Link-Stop. | |||
NAS-Port-Id | 87 | string | Authentication | Contains a text string which identifies the port of the NAS that is authenticating the user. | |
Framed-Pool | 88 | string | Authentication | Contains the name of an assigned address pool that should be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS should ignore this attribute. | |
??? | 89 | ||||
Tunnel-Client-Auth-ID | 90 | string | Authentication | Specifies the name used by the tunnel initiator (also known as the NAS) when authenticating tunnel setup with the tunnel terminator. Supports L2F and L2TP protocols. | |
Tunnel-Server-Auth-ID | 91 | string | Authentication | Specifies the name used by the tunnel terminator (also known as the Home Gateway) when authenticating tunnel setup with the tunnel initiator. Supports L2F and L2TP protocols. | |
NAS-IPv6-Address | 95 | Authentication | |||
Framed-Interface-Id | 96 | Authentication | |||
Framed-IPv6-Prefix | 97 | Authentication | |||
Login-IPv6-Host | 98 | Authentication | |||
... | |||||
Error-Cause | 101 | Authentication | |||
... | |||||
Delegated-IPv6-Prefix | 123 | Authentication | |||
... | |||||
Primary-DNS-Server | 135 | ipaddr | |||
Secondary-DNS-Server | 136 | ipaddr | |||
... | |||||
Framed-IPv6-Address | 168 | Authentication | |||
DNS-Server-IPv6-Address | 169 | Authentication | |||
Route-IPv6-Information | 170 | Authentication | |||
Delegated-IPv6-Prefix-Pool | 171 | Authentication | |||
Stateful-IPv6-Address-Pool | 172 | Authentication | |||
... | |||||
Multilink-ID | 187 | integer | |||
Num-In-Multilink | 188 | integer | |||
Pre-Input-Octets | 190 | integer | |||
Pre-Output-Octets | 191 | integer | |||
Pre-Input-Packets | 192 | integer | |||
Pre-Output-Packets | 193 | integer | |||
Maximum-Time | 194 | integer | |||
Disconnect-Cause | 195 | integer | |||
??? | 196 | ||||
Data-Rate | 197 | integer | |||
PreSession-Time | 198 | integer | |||
??? | 199 | ||||
IETF-Token-Immediate | 200 | Determines how RADIUS treats passwords received from login-users when their file entry specifies a hand-held security card server. The value for this attribute is indicated by a numeric value as follows: | ||
... | |||||
Digest-Response | 206 | integer | Authentication | ||
??? | 207 | integer | |||
PW-Lifetime | 208 | integer | |||
IP-Direct | 209 | ipaddr | |||
PPP-VJ-Slot-Comp | 210 | integer | |||
... | |||||
Assign-IP-pool | 218 | integer | |||
... | |||||
Route-IP | 228 | integer | |||
... | |||||
Link-Compression | 233 | integer | |||
Target-Utils | 234 | integer | |||
Maximum-Channels | 235 | integer | |||
... | |||||
Data-Filter | 242 | Ascend filter | |||
Call-Filter | 243 | Ascend filter | |||
Idle-Limit | 244 | integer |
Attribute | # | Type | ISE Version | Usage Description |
Ruckus-Acct-Status | 126 | integer | 2.0 | Sent by the RADIUS server to indicate whether the authenticator should send an accounting packet for this user. |
Ruckus-Grace-Period | 6 | integer | 2.0 | Specifies a grace period before re-authentication is required (WISPr or captive portal only). Range is 1-14400 minutes. |
Ruckus-Location | 5 | string | 2.0 | Reports the location of the device. This is a configurable value in the device location setting. |
Ruckus-SCG-CBlade-IP | 7 | integer | 2.0 | IP address of the C blade used by the device for the request. |
Ruckus-SCG-DBlade-IP | 8 | integer | 2.0 | IP address of the D blade used by the device for the request. |
Ruckus-Session-Type | 125 | integer | 2.0 | Sent by the RADIUS server to indicate the forwarding policy to be used for the client. |
Ruckus-SSID | 3 | string | 2.0 | Station WLAN name sent from the device to the RADIUS server. |
Ruckus-Sta-RSSI | 2 | integer | 2.0 | Station RSSI sent from the device to the RADIUS server (Interim-Update, Stop). |
Ruckus-User-Groups | 1 | string | 2.0 | User role assignment; the role must already exist on the ZoneDirector. |
Ruckus-WlanID | 4 | integer | 2.0 | WLAN ID number sent from the device to the RADIUS server as part of the Access-Request message to identify the WLAN interface. |
The attributes in this section are generated by ISE itself rather than received from the network device.
Attribute | Type / Values | ISE Version | Available | Usage Description |
Agent-Request-Type | ||||
ANCPolicy | ||||
CurrentDate | ||||
CurrentDay | ||||
CurrentMonth | ||||
CurrentTime | ||||
CurrentWeekDay | ||||
CurrentYear | ||||
Device-OS | ||||
EPSStatus | ||||
OS-Architecture | ||||
Posture Status | string | 1.0 | Authorization | |
Compliant | 1.0 | This value is matched for endpoints that completed the posture flow and were compliant | ||
NonCompliant | 1.0 | This value is matched for endpoints that completed the posture flow and were non-compliant, or that terminated the posture process | ||
Unknown | 1.0 | This value is matched for endpoints that have not yet gone through the posture flow or do not have a posture agent | ||
SessionSource | ||||
URL-Redirected |
Attribute | Values | ISE Version | Usage Description |
Qualys-CVSS_Base_Score | 0-10 | 2.1 | Create an authorization policy by using the vulnerability attributes to automatically quarantine the vulnerable endpoints based on the attribute values. |
Qualys-CVSS_Temporal_Score | 0-10 | 2.1 | Create an authorization policy by using the vulnerability attributes to automatically quarantine the vulnerable endpoints based on the attribute values. |
Attribute | Values | Type | ISE Version | Usage Description |
WISPr-Bandwidth-Max-Down | 8 | integer | 2.0 | Limit the maximum downstream bandwidth. |
WISPr-Bandwidth-Max-Up | 7 | integer | 2.0 | Limit the maximum upstream bandwidth. |
WISPr-Bandwidth-Min-Down | 6 | integer | 2.0 | Limit the minimum downstream bandwidth. |
WISPr-Bandwidth-Min-Up | 5 | integer | 2.0 | Limit the minimum upstream bandwidth. |
WISPr-Billing-Class-Of-Service | 11 | string | 2.0 | A service type for billing. |
WISPr-Location-ID | 1 | string | 2.0 | ID of the location of the client. Concatenation of the ISO Country Code, E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in profile. |
WISPr-Location-Name | 2 | string | 2.0 | The name of the location of the client. |
WISPr-Logoff-URL | 3 | string | 2.0 | URL of a log out page. |
WISPr-Redirection-URL | 4 | string | 2.0 | URL which the clients will be redirected to after successful login. |
WISPr-Session-Terminate-End-Of-Day | 10 | string | 2.0 | Terminates the subscriber session at the end of the billing day. |
WISPr-Session-Terminate-Time | 9 | string | 2.0 | Time at which the user should be disconnected, in "YYYY-MM-DDThh:mm:ssTZD" format, where Y - year; M - month; D - day; T - separator; h - hour (in 24h format); m - minute; s - second; TZD - time zone. |