cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
77974
Views
61
Helpful
0
Comments
thomas
Cisco Employee
Cisco Employee


 
The Type field in the tables below use one of five data types as defined in RFC2865 - Remote Authentication Dial In User Service (RADIUS).

  • text : 1-253 octets containing UTF-8 encoded characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead. Note that type "text" is a subset of type "string".
  • string : 1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.
  • address : 32-bit value, most significant octet first.
  • integer : 32-bit unsigned value, most significant octet first.
  • time : 32-bit unsigned value, most significant octet first --  seconds since 00:00:00 UTC, January 1, 1970. The standard Attributes do not use this data type but it is presented here for possible use in future attributes.

See the Internet Assigned Numbers Authority's RADIUS Types document for the authoritative list of RADIUS types and values.

 

RADIUS Dictionary Files

See the fantastic collection of RADIUS Vendor Dictionaries for 3rd Parties if you don't see what you need here.

 

Airespace

Legacy RADIUS Dictionary file for Cisco AireOS Controller

 

The RADIUS dictionary below is provided in ISE by default.

Attribute # Type ISE Version Available
Usage Description
Aire-Data-Bandwidth-Average-DownStream-Contract 7 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied for a client for non-realtime traffic such as TCP. This value is specific for downstream direction from wired to wireless. When present in a RADIUS Access Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile
Aire-Data-Bandwidth-Average-UpStream-Contract 13 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to upstream direction from wireless to wired. When present in a RADIUS Access Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile
Aire-Data-Bandwidth-Burst-DownStream-Contract 9 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to downstream direction from wired to wireless. When present in a RADIUS Access Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
Aire-Data-Bandwidth-Burst-UpStream-Contract 15 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to upstream direction from wireless to wired. When present in a RADIUS Access Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Average-DownStream-Contract 8 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to downstream direction from wired to wireless. When present in a RADIUS Access Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Average-UpStream-Contract 14 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to upstream direction from wireless to wired. When present in a RADIUS Access Accept, the Real Time Bandwidth Average Contract value overrides the Average Real-Time Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Burst-DownStream-Contract 10 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to downstream direction from wired to wireless. When present in a RADIUS Access Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Burst-UpStream-Contract 16 int32   Authentication
Authorization
This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to upstream direction from wireless to wired. When present in a RADIUS Access Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile.
Airespace-8021p-Tag 4 string   Authentication
Authorization
802.1p VLAN tag received from the client, defining the access priority. This tag maps to the QoS Level for client-to-network packets. This attribute defines the 802.1p priority to be applied to the client. When present in a RADIUS Access Accept, the 802.1p value overrides the default specified in the WLAN profile.
Airespace-ACL-Name 6 string   Authentication
Authorization
Match based on Airespace-ACL-Name assigned to the user
Airespace-DSCP 3 string   Authentication
Authorization
Match based on Airespace-DSCP. This value might be assigned to entire WLAN or it also can be returned as part of Access-Accept from Radius server
Airespace-Guest-Role-Name 11 string   Authentication
Authorization
Match based on Airespace-Guest-Role value. Normally attribute value is initially assigned from Radius server during authentication process. The goal of attribute is to assign QoS role to a guest user
Airespace-Interface-Name 5 string   Authentication
Authorization
Match based on Interface Nmae value. The Interface-Name attribute indicates the VLAN interface a client is to be associated to. Note: This attribute only works when MAC filtering is enabled or if 802.1X or WPA is used as the security policy.
Airespace-QOS-Level 2 string   Authentication
Authorization
Match based on QoS Level. The QoS-Level attribute indicates the Quality of Service level to be applied to the mobile client's traffic within the switching fabric, as well as over the air.
Airespace-Wlan-Id 1 string   Authentication
Authorization
Match based on WLAN ID value. On single WLC each WLAN has unique ID, at the same time on different WLC SSID name might be identical but WLAN ID value might be different.

 

Alcatel-Lucent

 

Attribute
# Type ISE Version Usage Description
Alcatel-Acce-Priv-F-R1 39 hex   Configures functional read privileges for the user.
Alcatel-Acce-Priv-F-R2 40 hex   Configures functional read privileges for the user.
Alcatel-Acce-Priv-F-W1 41 hex   Configures functional write privileges for the user.
Alcatel-Acce-Priv-F-W2 42 hex   Configures functional write privileges for the user.
Alcatel-Acce-Priv-G1 37      
Alcatel-Acce-Priv-G2 38      
Alcatel-Acce-Priv-R1 33      
Alcatel-Acce-Priv-R2 34      
Alcatel-Acce-Priv-W1 35      
Alcatel-Acce-Priv-W2 36      
Alcatel-Access-Policy-List 100 string   a) For 802.1X and MAC authenticated users, this attribute overwrites the initial role that is applied based on the policy list associated with the assigned UNP.
b) For Captive-Portal authenticated users, this attribute assigns a post-login role for the user.
Alcatel-Access-Priv 16      
Alcatel-Asa-Access 9 string   Specifies that the user has access to the switch. The only valid value is all.
Alcatel-Auth-Group 1 integer   The authenticated VLAN number. The only protocol associated with this attribute is Ethernet II. If other protocols are required use the protocol attribute instead.
Alcatel-Auth-Group-Protocol 8 string   The protocol associated with the VLAN. Must be configured for access to other protocols. Values include: IP_E2, IP_SNAP, IPX_E2, IPX_NOV, IPX_LLC, IPX_SNAP
Alcatel-Client-IP-Addr 4 address   The IP address used for Telnet only.
Alcatel-End-User-Profile 10 string   Specifies the name of an end-user profile associated.
Alcatel-Group-Desc 5 string   Description of the authenticated VLAN
Alcatel-Nms-Description 23      
Alcatel-Nms-First-Name 21      
Alcatel-Nms-Group 20      
Alcatel-Nms-Last-Name 22 string    
Alcatel-Port-Desc 6     Description of the port. This attribute is currently defined in the Alcatel dictionary as:
  • RADIUS attribute type = 26 (VSA)
  • VSA Vendor ID = 800
  • VSA Type = 26
  • VSA format = string
This attribute is included in all RADIUS messages sent by Alcatel-Lucent OmniSwitch
(Access-Request, Accounting-Request Start, Accounting-Request Interim and Accounting-Request Stop).The attribute is set with the alias con­figured for the port. When the alias is not set, VSA will be an empty string.
Alcatel-Profil-Numb 7      
Alcatel-Redirection-Status 102 string    
Alcatel-Redirection-URL 101 string   Configures ClearPass to send redirection URL as part of RADIUS response redirecting the user Web traffic.
Alcatel-Slot-Port 2 string   Slots(s)/port(s) valid for the user
Alcatel-Time-of-Day 3 string   The time of day valid for the user to authenticate.
OmniSwitch AOS Release 8 Network Configuration Guide        

 

Aruba

Attribute # Type ISE Version Usage Description
Aruba-Admin-Role 4     This VSA returns the management role to be assigned to the user post management authentication. This role canbe seen using the command show mgmt-role in the command-line interface.
Aruba-AirGroup-Device-Type 27 integer   A value of 1 for this VSA indicates that the device authenticating on the network isapersonal device and a value of 2 indicates that it is a shared device.
Aruba-AirGroup-Shared-Role 26 string   This VSA contains a comma separated list of user roles with whom the device is shared.
Aruba-AirGroup-Shared-User 25 string   This VSA contains a comma separated list of user names with whom the device is shared.
Aruba-AirGroup-User-Name 24 string   A device owner or username associated with the device.
Aruba-AP-Group 10 string   String that identifies the name of anArubaAP Group.
Aruba-AS-Credential-Hash 30 string   The Auth survivability feature uses the VSA for Instant APs. The CPPM sends the NT hash of the password to the Instant AP which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable.
Aruba-AS-User-Name 29 string   The Auth survivability feature uses the VSA for Instant APs. The CPPM sends the actual user name to the Instant AP which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable.
Aruba-Auth-Survivability 28 string   The Instant AP Auth survivability feature uses the VSA to indicate that the CPPM server sends the  Aruba-AS-User-Name and  Aruba-AS-Credential-Hash values. This attribute is just used as a flag with no specific value required.
Aruba-CPPM-Role 23      
Aruba-Device-Type 12 string   String thatidentifies anArubadevice on the network.
Aruba-Essid-Name 5 string   String that identifies the name of the ESSID.
Aruba-Framed-IPv6-Address 11 string   This attribute is used for RADIUS accounting for IPv6 users.
Aruba-Location-Id 6 string   String that identifies the name of the AP location.
Aruba-Mdps-Device-Iccid 17     ICCID is used as input attribute by the Onboard application while performing thedevice authorization to the internal RADIUS server within theCPPM. ICCID checks against role mappings or enforcement policies to determine if the device isauthorized to be onboarded.
Aruba-Mdps-Device-Imei 16 string   IMEI is used as input attribute by the Onboard application while performing thedevice authorization to the internal RADIUS server within the CPPM. IMEI checksagainst role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Name 19 string   The device name is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM.Device name checks against role mappings or enforcement policies to determine ifthe device is authorized to be onboarded.
Aruba-Mdps-Device-Product 20 string   The device product is used as input attribute by the Onboard application whileperforming the device authorization to the internalRADIUS server within the CPPM.Device Product checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Profile 33     Attribute allows CPPM to signal back to the onboard process the device profile that should be applied to the device based on applied role mappings.
Aruba-Mdps-Device-Serial 22 string   The device serial number is used as input attribute by the Onboard application whileperforming the device authorization to the internal RADIUS server within the CPPM.Device Serial checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Udid 15 string   UDID is unique device identifier which is usedas input attribute by the Onboardapplication while performing the device authorization to the internal RADIUS serverwithin the ClearPass Policy Manager (CPPM). The UDID is used to check againstrole mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Version 21 string   The device version is used as input attribute by the Onboardapplication whileperforming the device authorization to the internal RADIUS server within the CPPM.Device Version checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Max-Devices 18 string   Used by Onboard as a way to define and enforce the maximum number of devices that can beprovisioned by a given user.
Aruba-Mdps-Provisioning-Settings 32 string   Attribute allows the CPPM to signal back to the onboard process the context of the device provisioning settings that should be applied to the device based on applied role mappings.
Aruba-MMS-User-Template 8 string   String that identifies the name of anArubauser template.
Aruba-Named-User-Vlan 9 string   This VSA returns a VLAN name for a user. This vlan name on a controllercould be mapped to user-definedname or or multiple VLAN IDs.
Aruba-No-DHCP-Fingerprint 14 string   This VSA prevents thecontrollerfrom deriving a role and VLAN based on DHCP finger printing.
Aruba-Port-Identifier 7 string   Stringthat identifies the Port ID.
Aruba-Priv-Admin-User 3 integer   If this VSA is set in the RADIUS accept message, the user can bypass the enable prompt.
Aruba-User-Role 1 string   This VSA returns the role, to be assigned to the user postauthentication. The userwill be granted access based on the role attributes defined in the role.
Aruba-User-Vlan 2 integer   This VSA is used to return the VLAN to be used by the client. The range for this VSA value is 1 4094, inclusive.
Aruba-WorkSpace-App-Name 31 string   This VSA identifies an application supported by Aruba WorkSpace.
         

 

Brocade

Attribute Values Type ISE Version Usage Description
Brocade-Auth-Role 1 string   The user logs in using the permissions specified with Brocade-Auth-Role. The valid permissions include root, admin, switchAdmin, zoneAdmin, securityAdmin, basic SwitchAdmin, fabricAdmin, operator, and user. You must use quotation marks around "password" and "role".
Brocade-AVPairs1 2 string   Admin Domain or Virtual Fabric member list
Brocade-AVPairs2 3 string   Admin Domain or Virtual Fabric member list
Brocade-AVPairs3 4 string   Admin Domain or Virtual Fabric member list
Brocade-AVPairs4 5 string   Admin Domain or Virtual Fabric member list
Brocade-Passwd-ExpiryDate 6 string   Date when password will expire Format: MM/DD/YYYY in UTC
Brocade-Passwd-WarnPeriod 7 integer   Days till warrining message regarding password expiry
         

 

Certificate

Attribute Type / Values ISE Version Available Usage Description
Binary Encoded Binary certificate   Authorization Check binary certificate value
Days to Expiry 0-15     This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires.
Extended Key Usage - Name     Authorization  
  clientAuth     Match based on presence or absence of Client Authentication purpose in extended key usage field
  codeSigning     Match based on presence or absence of Code Signing purpose in extended key usage field
  emailProtection     Match based on presence or absence of Email Protection purpose in extended key usage field
  msCodeCom     Match based on presence or absence of Microsoft Commercial Code Signing purpose in extended key usage field
  msCTLSign     Match based on presence or absence of Microsoft Trust List  Signing purpose in extended key usage field
  msCodeInd     Match based on presence or absence of Microsoft Individual Code Signing purpose in extended key usage field
  msEFS     Match based on presence or absence of Microsoft Encrypted File System purpose in extended key usage field
  msSGC     Match based on presence or absence of Microsoft Server Gated Crypto purpose in extended key usage field
  nsSGC     Match based on presence or absence of Netscape Server Gated Cryptoo purpose in extended key usage field
  OCSPSigning     Match based on presence or absence of OCSP signing purpose in extended key usage field
  serverAuth     Match based on presence or absence of Server Authentication purpose in extended key usage field
  timeStamping     Match based on presence or absence of Trusted Timestamping purpose in extended key usage field
Extended Key Usage - OID        
Is Expired boolean     True
False
This Boolean attribute indicates whether a certificate has expired or not. If you want to allow certificate renewal only when the certificate is near expiry and not after it has expired, use this attribute in authorization policy condition.
Issuer string   Authorization Match based on entire issuer subject value
Issuer - Common Name string   Authorization Match based on any data in the issuer field
Issuer - Country string   Authorization Match based on country name value in issuer field
Issuer - Domain Component string   Authorization Match based on issuer domain name value
Issuer - Email string   Authorization Match based on issuer email address value
Issuer - Location string   Authorization Match based on issuer LocalityName value
Issuer - Organization string   Authorization Match based on issuer Organization value
Issuer - Organization Unit string   Authorization Match based on issuer Organization Unit value
Issuer - Serial Number string   Authorization Match based on issuer Serial Number  value
Issuer - State or Province string   Authorization Match based on issuer State or Province  value
Issuer - Street Address string   Authorization Match based on issuer Street Addressvalue
Issuer - User ID string   Authorization Match based on issuer User IDvalue
Key Usage string   Authorization  
  cRLSign     Use when the subject public key is to verify a signature on revocation information, such as a CRL
  dataEncipherment     Use when the public key is used for encrypting user data, other than cryptographic keys.
  decipherOnly     Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
  digitalSignature     Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing.
  encipherOnly     Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
  keyAgreement     Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then can be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.
  keyCertSign     Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
  keyEncipherment     Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key encipherment.
  nonRepudiation     Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).
Serial Number string   Authorization Match based on identity certificate Serial Number
Subject string   Authorization Match based on entire Subject value provided in Identity certificate
Subject - Common Name string   Authorization Match based on Subject Common name of identity certificate
Subject - Country string   Authorization Match based on country value from Identity certificate subject
Subject - Domain Component string   Authorization Match based on domain component from Identity certificate subject
Subject - Email string   Authorization Match based on email address from Identity certificate subject
Subject - Location string   Authorization Match based on location from Identity certificate subject
Subject - Organization string   Authorization Match based on organization from Identity certificate subject
Subject - Organization Unit string   Authorization Match based on organizational unit from Identity certificate subject
Subject - Serial Number string   Authorization Match based on serial number from Identity certificate subject
Subject - State or Province string   Authorization Match based on state province value from Identity certificate subject
Subject - Street Address string   Authorization Match based on street address value from Identity certificate subject
Subject - User ID string   Authorization Match based on User ID value from Identity certificate subject
Subject Alternative Name string   Authorization Match based on Subject Alternative Name value from Identity certificate
Subject Alternative Name - DNS string   Authorization Match based on Subject Alternative Name value with type DNS from Identity certificate
Subject Alternative Name - EMail string   Authorization Match based on Subject Alternative Name value with type email from Identity certificate
Subject Alternative Name - Other Name string   Authorization Match based on Subject Alternative Name value with type other from Identity certificate
Template Name string   Authorization Match based on certificate template name

 

Cisco

This RADIUS dictionary is provided in ISE by default.

Attribute # Type ISE Version Usage Description
cisco-abort-cause 21     If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server.
cisco-account-info 250      
cisco-assign-ip-pool 218      
cisco-av-pair 1     The Cisco RADIUS implementation supports one vendor-specific option using the format recommendedin the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named“cisco-avpair.” The value is a string
cisco-call-filter 243      
cisco-call-id 141      
cisco-call-type 19     Type of call activity: fax receive or fax send.
cisco-command-code 252      
cisco-control-info 253      
cisco-data-filter 242      
cisco-data-rate 197      
cisco-disconnect-cause 195      
cisco-email-server-ack-flag 17     Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message
cisco-email-server-address 16     IP address of the e-mail server handling the on-ramp fax-mail message.
cisco-fax-account-id-origin 3     Account ID origin as defined by the system administrator for the mmoip aaa receive-id or mmoip aaa send-id command
cisco-fax-auth-status 15     Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown.
cisco-fax-connect-speed 8     Modem speed at which this fax mail was initially sent or received. Possible values are 1200, 4800, 9600, and 14400.
cisco-fax-coverpage-flag 6     True/false flag that indicates whether a cover page was generated by the off-ramp gateway for this fax session. True indicates that a coverpage was generated, and false indicates that a cover page was not generated.
cisco-fax-dsn-address 11     Address to which DSNs are sent.
cisco-fax-dsn-flag 12     True/false flag to indicate whether DSN is enabled. True indicates that DSN is enabled, and false indicates that DSN is not enabled
cisco-fax-mdn-address 13     Address to which MDNs are sent.
cisco-fax-mdn-flag 14     True/False flag to indicate whether MDN is enabled. True indicates that MDN is enabled, and false indicates that MDN is not enabled
cisco-fax-modem-time 7     Number of seconds it takes to send fax data and to complete the entire fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds and that the full fax session took 15 seconds.
cisco-fax-msg-id 4     Unique fax message identification number assigned by store-and-forward fax.
cisco-fax-pages 5     Number of pages sent or received during a fax session including cover pages.
cisco-fax-process-abort-flag 10     True/false flag that indicates whether the fax session was aborted or successful. True indicates that the session was aborted, and false indicates that the session was successful.
cisco-fax-recipient-count 9     Number of recipients for this fax transmission. Until e-mail servers support session mode, the number should be 1.
cisco-gateway-id 18     Name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name
cisco-gw-final-xlated-cdn 113      
cisco-gw-final-xlated-cgn 117      
cisco-gw-rxd-cdn 112      
cisco-gw-rxd-cgn 116      
cisco-h323-billing-model 109      
cisco-h323-credit-amount 101 h323-credit-amount=1.00   Total amount available to user, for announce via IVR or other
cisco-h323-credit-time 102      
cisco-h323-currency 110 h323-currency=USD   Currency code. ISO 4217
cisco-h323-preferred-lang 107 h323-preferred-lang=en   Preferred IVR language, if available. ISO 639-1
cisco-h323-prompt-id 104      
cisco-h323-redirect-ip-address 108      
cisco-h323-redirect-number 106      
cisco-h323-return-code 103 h323-return-code=0   Return code. 0 for success.
cisco-h323-time-and-day 105      
cisco-idle-limit 244      
cisco-incoming-req-uri 146      
cisco-ip-direct 209      
cisco-ip-pool-definition 217      
cisco-link-compression 233      
cisco-maximum-channels 235      
cisco-maximum-time 194      
cisco-method 143      
cisco-multilink-id 187      
cisco-nas-port 2     Specifies additional vendor specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note This VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets.
cisco-next-hop-dn 149      
cisco-next-hop-ip 148      
cisco-num-in-multilink 188      
cisco-outgoing-req-uri 147      
cisco-policy-down 38      
cisco-policy-up 37      
cisco-port-used 20     Slot/port number used to send or receive this fax mail.
cisco-ppp-async-map 212      
cisco-ppp-vj-slot-comp 210     Slot/port number used to send or receive this fax mail.
cisco-pre-input-octets 190      
cisco-pre-input-packets 192      
cisco-pre-output-octets 191      
cisco-pre-output-packets 193      
cisco-presession-time 198      
cisco-prev-hop-ip 145     String of the form

ip-address[:port][/protocol]

where “port” is an optional parameter giving the transport layer port number and the default is 5060.

where “protocol” is an optional parameter giving the transport layer protocol and the default is UDP.

Valid values: TCP and UDP ; because the proxy does not support TCP, this parameter is never included.

cisco-prev-hop-via 144      
cisco-pw-lifetime 208      
cisco-release-source 115      
cisco-remote-media-address 114      
cisco-route-ip 228      
cisco-service-info 251     The value "Z" indicates that authorization is required.
cisco-session-protocol 142 string   Available strings:
  • other
  • cisco
  • h323
  • multicast
  • sipv2
  • sdp
  • frf11-trunk
  • cisco-switched
  • MarsAnalog
  • C1000Isdn
  • aal2-trunk
cisco-sip-conf-id 100      
cisco-sip-hdr 150     String including SIP header formatted as per RFC 2543.
cisco-subscriber 111      
cisco-target-util 234      
cisco-xmit-rate 255      
h323-call-origin 26     Indicates the origin of the call relative to the gateway. Possible values are originating and terminating, which are equivalent to originate and answer in the Call-Origin field
h323-call-type 27     Indicates call leg type. Possible values are telephony and VoIP
h323-conf-id 24     Identifies the conference ID.
h323-connect-time 28     Indicates the connection time for this call leg in UTC.
h323-disconnect-cause 30     Specifies the reason a connection was taken offline per the Q.931 specification.
h323-disconnect-time 29     Indicates the time this call leg was disconnected in UTC
h323-gw-id 33     Indicates the name of the underlying gateway.
h323-incoming-conf-id 35 Integer   On each gateway (both originating and terminating), the h323-incoming-conf-id is created by making a persistent and static copy of the h323-conf-id. After this h323-incoming-conf-id is created, it is never updated or changed for the duration of the session.
The h323-incoming-conf-id value is always the same for legs 1 and 2, or for legs 3 and 4, and it need not be the same for all four legs of a call
h323-remote-address 23     Indicates the IP address of the remote gateway
h323-setup-time 25     Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time.
h323-voice-quality 31     Specifies the impairment/calculated planning impairment factor (ICPIF) affecting voice quality for a call
         

 

Cisco IOS RADIUS Change of Authorization (CoA)

Session Aware Networking (SAN) support for RADIUS change of authorization (CoA)
Session Aware Networking supports RADIUS change of authorization (CoA) commands for session query, reauthentication, and termination, port bounce and port shutdown, and service template activation and deactivation.

 

Cisco VSA: cisco-av-pair

Cisco has a general purpose vendor-specific attribute (VSA) called the cisco-av-pair . It is attribute/value pair string with the format: <attribute>=<value> .

Name cisco-av-pair Value Notes
ACL IPv6 (Filter-ID) ipv6:inacl=<ACL_NAME>  
Security Group cts:security-group-tag=<NUMBER>
cts:sgt-name=<NAME>
cts:vn=<VIRTUAL_NETWORK>

Example:

cisco-av-pair = cts:security-group-tag=0004-0
cisco-av-pair = cts:sgt-name=Employees

Voice Domain Permission device-traffic-class=voice  
Web Redirection (CWA, MDM, NSP, CPP)
 
url-redirect-acl=<ACL_NAME>
url-redirect=<URL>
 
Auto Smart Port auto-smart-port=<NAME>
 
 
Assess Vulnerabilities on-demand-scan-interval=<hours: 1-9999>
periodic-scan-enabled=<0|1>
va-adapter-instance=<ADAPTER_INSTANCE>
- interval, in hours
- periodic-scan-enabled: 0=false, 1=true
MACSec Policy linksec-policy=[must-not-secure | must-secure | should-secure]  
NEAT device-traffic-class=switch  
Interface Template interface-template-name=<NAME>  
Web Authentication (Local Web Auth)
 
priv-lvl=15  
AVC Profile Name
 
avc-profile-name=<NAME>  
UDN Lookup UDN:<Private-group-id>
UDN:<Private-group-name>
UDN:<Private-group-owner>
 
Unique Identifier duid=<RADIUS_ATTRIBUTE_VALUE> This option is primarily to share value of DUID retrieved during cert based authentication(Eg. EAP TLS) from Certificate attribute(Eg. SAN URI) to overcome MAC Address Randomization.
Pre-shared Key psk-mode=ascii
psk=<PRE_SHARED_KEY>
Used for wireless Multi and Individual Pre-Shared Keys

 

 

Cisco-BBSM

This RADIUS dictionary is provided in ISE by default.

Attribute # Type ISE Version Usage Description
CBBSM-Bandwidth 1 integer   Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS Implementation is 5263
         

 

Cisco-VPN3000 and ASA

This RADIUS dictionary is provided in ISE by default.
You may also see the list of attributes supported by the ASA v9.0.

Attribute # Type ISE Version Description or Value(s)
PIX7x-Access-Hours 1 String 1.0 Name of the time range, for example, Business-hours
PIX7x-Access-List-Inbound 86 String 1.0 ACL ID
PIX7x-Access-List-Outbound 87 String 1.0 ACL ID
PIX7x-Address-Pools 217 String 1.0 Name of IP local pool
PIX7x-Allow-Alpha-Only-Passwords 4   1.0 Not supported on ASA?
PIX7x-Allow-Network-Extension-Mode 64 Boolean 1.0 0 = Disabled
1 = Enabled
PIX7x-Auth-Server-Password 23 String 1.0 Not supported on ASA?
PIX7x-Auth-Server-Priority 32 ? 1.0 Not supported on ASA?
PIX7x-Auth-Server-Type 22 ? 1.0 Not supported on ASA?
PIX7x-Authd-User-Idle-Timeout
or
Authenticated-User-Idle-Timeout
50 Integer 1.0 1 - 35791394 minutes
PIX7x-Cisco-IP-Phone-Bypass 51 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-Client-Type 150 Integer 1.0 1 = Cisco VPN Client (IKEv1)
2 = AnyConnect Client SSL VPN
3 = Clientless SSL VPN
4 = Cut-Through-Proxy
5 = L2TP/IPsec SSL VPN
6 = AnyConnect Client IPsec VPN (IKEv2)
PIX7x-Client-Type-Version-Limiting 77 String 1.0 IPsec VPN version number string
PIX7x-DHCP-Network-Scope 61 String 1.0 IP Address
PIX7x-Extended-Authentication-On-Rekey 122 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IE-Proxy-Bypass-Local 83 Integer 1.0 0 = None
1 = Local
PIX7x-IE-Proxy-Exception-List 82 String 1.0 New line (\n) separated list of DNS domains
PIX7x-IE-proxy-lockdown 134 ? 1.0 Not supported on ASA?
PIX7x-IE-Proxy-PAC-URL 133 String 1.0 PAC Address String
PIX7x-IE-Proxy-Server 80 String 1.0 IP address
PIX7x-IE-Proxy-Server-Policy 81 Integer 1.0 1 = No Modify
2 = No Proxy
3 = Auto detect
4 = Use Concentrator Setting
PIX7x-IKE-Keep-Alives 41 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IKE-Keepalive-Retry-Interval 84 Integer 1.0 2 - 10 seconds
PIX7x-IKE-retry-timeout 129 Integer 1.0 Not supported on ASA?
PIX7x-IPSec-Allow-Passwd-Store 16 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IPSec-Auth-On-Rekey 42 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IPSec-Authentication 13 Integer 1.0 0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory
PIX7x-IPSec-Authorization-Required 66 Integer 1.0 0 = No
1 = Yes
PIX7x-IPSec-Authorization-Type 65 Integer 1.0 0 = None
1 = RADIUS
2 = LDAP
PIX7x-IPSec-Backup-Server-List 60 String 1.0 Server Addresses (space delimited)
PIX7x-IPSec-Backup-Servers 59 String 1.0 1 = Use Client-Configured list
2 = Disable and clear client list
3 = Use Backup Server list
PIX7x-IPSec-Banner1 15 String 1.0 Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL
PIX7x-IPSec-Banner2 36 String 1.0 Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string , if configured.
PIX7x-IPSec-Client-Fw-Filter-Name 57 String 1.0 Specifies the name of the filter to be pushed to the client as firewall policy
PIX7x-IPSec-Client-Fw-Filter-Opt
or
IPsec-Client-Firewall-Filter-Optional
58 Integer 1.0 0 = Required
1 = Optional
PIX7x-IPSec-Confidence-Level
or
IKE-KeepAlive-Confidence-Interval
68 Integer 1.0 10 - 300 seconds
PIX7x-IPSec-Default-Domain 28 String 1.0 Specifies the single default domain name to send to the client (1-255 characters).
PIX7x-IPSec-DN-Field
or
Authorization-DN-Field
67 String 1.0 Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name
PIX7x-IPSec-Group-Name 26 String 1.0 Not supported on ASA?
PIX7x-IPSec-Group-Policy
or
Group-Policy
25 String 1.0 Sets the group policy for the remote access VPN session. For Versions 8.2 and later, use this attribute instead of IETF-Radius-Class. You can use one of the three following formats:
  • group policy name
  • OU= group policy name
  • OU= group policy name ;
PIX7x-IPSec-IKE-Peer-ID-Check 40 Integer 1.0 1 = Required
2 = If supported by peer certificate
3 = Do not check
PIX7x-IPSec-IP-Compression 39 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IPSec-Mode-Config 31 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IPSec-Over-UDP 34 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-IPSec-Over-UDP-Port 35 Integer 1.0 4001 - 49151. The default is10000.
PIX7x-IPSec-Reqrd-Client-Fw-Cap
or
IPsec-Required-Client-Firewall-Capability
56 Integer   0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server
PIX7x-IPSec-Sec-Association 12 String 1.0 Name of the security association
PIX7x-IPSec-Split-DNS-Names 29 String 1.0 Specifies the list of secondary domain names to send to the client (1-255 characters).
PIX7x-IPSec-Split-Tunnel-List 27 String 1.0 Specifies the name of the network/ACL that describes the split tunnel inclusion list.
PIX7x-IPSec-Split-Tunneling-Policy 55 Integer 1.0 0 = No split tunneling
1 = Split tunneling
2 = Local LAN permitted
PIX7x-IPSec-Tunnel-Type 30 Integer 1.0 1 = LAN-to-LAN
2 = Remote access
PIX7x-IPSec-User-Group-Lock 33 ? 1.0 Not supported on ASA?
PIX7x-IPv6-Address-Pools 218 String 1.0 Name of IP local pool-IPv6
PIX7x-IPv6-VPN-Filter 219 String 1.0 ACL value
PIX7x-L2TP-Encryption 21 Integer 1.0 Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Req
15= 40/128-Encr/Stateless-Req
PIX7x-L2TP-Min-Auth-Protocol 19 ? 1.0 Not supported on ASA?
PIX7x-L2TP-MPPC-Compression 38 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-LEAP-Bypass 75 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-Member-Of 145 String 1.0 Comma-delimited string, for example:
Engineering, Sales
An administrative attribute that can be used in dynamic access policies. It does not set a group policy.
PIX7x-Min-Password-Length 3 ? 1.0 Not supported on ASA?
PIX7x-MS-Client-Icpt-DHCP-Conf-Msg
or
Intercept-DHCP-Configure-Msg
62 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-MS-Client-Subnet-Mask 63 Boolean 1.0 An IP address
PIX7x-NAC-Default-ACL 92 String 1.0 ACL
PIX7x-NAC-Enable 89 Integer 1.0 0 = No
1 = Yes
PIX7x-NAC-Revalidation-Timer 91 Integer 1.0 300 - 86400 seconds
PIX7x-NAC-Settings 141 String 1.0 Name of the NAC policy
PIX7x-NAC-Status-Query-Timer 90 Integer 1.0 30 - 1800 seconds
PIX7x-Perfect-Forward-Secrecy-Enable 88   1.0 0 = No
1 = Yes
PIX7x-Port-Forwarding-Name
or
WebVPN-Port-Forwarding-Name
79 String 1.0 String name (example, “Corporate-Apps”).
This text replaces the default string, “Application Access,” on the clientless portal home page.
PIX7x-PPTP-Encryption 20 Integer 1.0 Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Required
15= 40/128-Encr/Stateless-Req
PIX7x-PPTP-Min-Auth-Protocol 18 ? 1.0 Not supported on ASA?
PIX7x-PPTP-MPPC-Compression 37 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-Primary-DNS 5 String 1.0 An IP address
PIX7x-Primary-WINS 7 String 1.0 An IP address
PIX7x-Priority-On-SEP 10 ? 1.0 Not supported on ASA?
PIX7x-Privilege-Level 220 Integer 1.0 An integer between 0 and 15.
PIX7x-Reqrd-Client-Fw-Description 47 String 1.0 String
PIX7x-Reqrd-Client-Fw-Product-Code 46 Integer 1.0 Cisco Systems Products:
  • 1= Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)
  • Zone Labs Products:
    1 = Zone Alarm
    2 = Zone AlarmPro
    3 = Zone Labs Integrity
  • NetworkICE Product:
    1 = BlackIce Defender/Agent
  • Sygate Products:
    1 = Personal Firewall
    2 = Personal Firewall Pro
    3 = Security Agent
PIX7x-Reqrd-Client-Fw-Vendor-Code 45 Integer 1.0 1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)
PIX7x-Request-Auth-Vector 24 ? 1.0 Not supported on ASA?
PIX7x-Require-HW-Client-Auth 48 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-Require-Individual-User-Auth 49 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-Secondary-DNS 6 String 1.0 An IP address
PIX7x-Secondary-WINS 8 String 1.0 An IP address
PIX7x-SEP-Card-Assignment 9 Integer 1.0 Not used
PIX7x-Session-Subtype 152 Integer 1.0 0 = None
1 = Clientless
2 = Client
3 = Client Only
Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4.
PIX7x-Session-Type 151 Integer 1.0 0 = None
1 = AnyConnect Client SSL VPN
2 = AnyConnect Client IPSec VPN (IKEv2)
3 = Clientless SSL VPN
4 = Clientless Email Proxy
5 = Cisco VPN Client (IKEv1)
6 = IKEv1 LAN-LAN
7 = IKEv2 LAN-LAN
8 = VPN Load Balancing
PIX7x-Simultaneous-Logins 2 Integer 1.0 0 - 2147483647
PIX7x-Strip-Realm 135 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-SVC-Ask 131 Integer 1.0 0 = Disabled
1 = Enabled
3 = Enable default service
5 = Enable default clientless
(2 and 4 not used)
PIX7x-SVC-Ask-Timeout 132 Integer 1.0 5 - 120 seconds
PIX7x-SVC-Keepalive 107 Integer 1.0 0 = Off
15 - 600 seconds
PIX7x-SVC-Modules 127 String 1.0 String (name of a module)
PIX7x-SVC-Profiles 128 String 1.0 String (name of a profile)
PIX7x-Tunnel-Group-Lock 85 String 1.0 Name of the tunnel group or “none”
PIX7x-Tunnel-Group-Name 146 String 1.0 1 - 253 characters
PIX7x-Tunneling-Protocols 11 Integer 1.0 1 = PPTP
2 = L2TP
4 = IPSec (IKEv1)
8 = L2TP/IPSec
16 = WebVPN
32 = SVC
64 = IPsec (IKEv2)
8 and 4 are mutually exclusive
(0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values).
PIX7x-Use-Client-Address 17 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-User-Auth-Server-Name 52 String 1.0 IP address or hostname
PIX7x-User-Auth-Server-Port 53 Integer 1.0 Port number for server protocol
PIX7x-User-Auth-Server-Secret 54 String 1.0 Server password
PIX7x-VLAN 140 Integer 1.0 0 - 4094
PIX7x-WebVPN-Access-List 73 String 1.0 Access-List name
PIX7x-WebVPN-ActiveX-Relay 137 Integer 1.0 0 = Disabled
Otherwise = Enabled
PIX7x-WebVPN-Apply-ACL 102 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Auto-HTTP-Signon 124 String 1.0 Reserved
PIX7x-WebVPN-Citrix-Metaframe-Enable 101 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Content-Filter 69 Bitmap 1.0 1 = Java ActiveX
2 = Java Script
4 = Image
8 = Cookies in images
PIX7x-WebVPN-Customization 113 String 1.0 Name of the customization
PIX7x-WebVPN-Default-Homepage 76 String 1.0 A URL such as http://example.com
PIX7x-WebVPN-Deny-Message 116 String 1.0 Valid string (up to 500 characters)
PIX7x-WebVPN-Download_Max-Size 157 Integer 1.0 0x7fffffff
PIX7x-WebVPN-Enable-functions 70 ? 1.0 Not supported on ASA?
PIX7x-WebVPN-File-Access-Enable 94 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-File-Server-Browsing-Enable 96 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-File-Server-Entry-Enable 95 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List 78 String 1.0 Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com)
PIX7x-WebVPN-Hidden-Shares 126 Integer 1.0 0 = None
1 = Visible
PIX7x-WebVPN-Home-Page-Use-Smart-Tunnel 228 Boolean 1.0 Enabled if clientless home page is to be rendered through Smart Tunnel.
PIX7x-WebVPN-HTTP-Compression 120 Integer 1.0 0 = Off
1 = Deflate Compression
PIX7x-WebVPN-HTTP-Proxy-IP-Address 74 String 1.0 Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443)
PIX7x-WebVPN-Idle-Timeout-Alert-Interval 148 Integer 1.0 0 (Disabled) - 30
PIX7x-WebVPN-Keepalive-Ignore 121 Integer 1.0 0-900
WebVPN-Macro-Substitution 223 String
1.0
Unbounded.
For examples, see the SSL VPN Deployment Guide
PIX7x-WebVPN-Macro-Substitution
or
WebVPN-Macro-Substitution
224 String 1.0 Unbounded.
For examples, see the SSL VPN Deployment Guide
PIX7x-WebVPN-Port-Forwarding-Enable 97 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Port-Forwarding-Exchange-Proxy-Enable 98 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Port-Forwarding-HTTP-Proxy 99 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Port-Forwarding-List 72 String 1.0 Port forwarding list name
PIX7x-WebVPN-Post-Max-Size 159 Integer 1.0 0x7fffffff
PIX7x-WebVPN-Session-Timeout-Alert-Interval 149 Integer 1.0 0 (Disabled) - 30
PIX7x-WebVPN-Smart-Card-Removal-Disconnect 225 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-Smart-Tunnel 136 String 1.0 Name of a smart tunnel
PIX7x-WebVPN-Smart-Tunnel-Auto-Sign-On 139 String 1.0 Name of a Smart Tunnel auto sign-on list appended by the domain name
PIX7x-WebVPN-Smart-Tunnel-Auto-Start 138 Integer 1.0 0 = Disabled
1 = Enabled
2 = Auto Start
PIX7x-WebVPN-Smart-Tunnel-Tunnel-Policy 227 String 1.0 One of "e networkname," "i networkname," or "a," where networkname is the name of a smart tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels.
PIX7x-WebVPN-SSL-VPN-Client-Enable 103 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-SSL-VPN-Client-Keep-Installation 105 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-SSL-VPN-Client-Required 104 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-SSO-Server-Name 114 String 1.0 Valid string
PIX7x-WebVPN-Storage-Key 162 String 1.0 ?
PIX7x-WebVPN-Storage-Objects 161 String 1.0 ?
PIX7x-WebVPN-SVC-Client-DPD-Frequency
or
SVC-DPD-Interval-Client
108 Integer 1.0 0 = Off
5 - 3600 seconds
PIX7x-WebVPN-SVC-Compression 112 Integer 1.0 0 = Off
1 = Deflate Compression
PIX7x-WebVPN-SVC-DTLS-Enable 123 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-SVC-DTLS-MTU 125 Integer 1.0 MTU value is from 256-1406 bytes.
PIX7x-WebVPN-SVC-Gateway-DPD-Frequency
or
SVC-DPD-Interval-Gateway
109 Integer 1.0 0 = Off
5 - 3600 seconds
PIX7x-WebVPN-SVC-Rekey-Method 111 Integer 1.0 0 = Off
1 = SSL
2 = New Tunnel
PIX7x-WebVPN-SVC-Rekey-Time 110 Integer 1.0 0 = Disabled
1- 10080 minutes
PIX7x-WebVPN-UNIX-Group-ID(GID) 222 Integer 1.0 Valid UNIX group IDs
PIX7x-WebVPN-UNIX-User-ID(UIDs) 221 Integer 1.0 Valid UNIX user IDs
PIX7x-WebVPN-Upload-Max-Size 158 Integer 1.0 0x7fffffff
PIX7x-WebVPN-URL-Entry-Enable 93 Integer 1.0 0 = Disabled
1 = Enabled
PIX7x-WebVPN-URL-List 71 String 1.0 URL list name
PIX7x-WebVPN-User-Storage 160 String 1.0 ?
PIX7x-WebVPN-VDI 163 String 1.0 List of settings

 

CWA

Attribute Values ISE Version Usage Description
CWA_ExternalGroups String 1.3 External group name where user logging in from the CWA portal belongs to.
CWA_Username String 1.3 Username used during login from the CWA portal.
       

 

Device

Attribute Values ISE Version Usage Description
Device Type   1.2 Device type defined during network device configuration.
Location   1.2 Location of the network device defined during device configuration.
Model Name   1.2 The model name of the network device defined during device creation.
Network Device Profile   2.0 The profile of network device defined during creation of device.
Software Version   1.2 Software version of the network device defined during device creation,
       

 

EndPoints

Attribute Values ISE Version Usage Description
BYODRegistration string 1.2 BYOD registration status of the endpoint. can be:
No: Not registered via BYOD
Unknown: unknown status
Yes: registered via BYOD
EndPointPolicy string 1.2 Policy assignment of the endpoint.
LastAUPAcceptanceHours   1.4 The time in hours when AUP was accepted the last time.
LogicalProfile string 1.2 Logical profile that summarizes multiple regular profiles.
OperatingSystem string 1.3 Operating system of the endpoint.
PortalUser string 1.3 Guest user that logged in to the portal with this endpoint.
PostureApplicable string 1.2 A string specifying if posture is applicable for an endpoint, can be:
No: posture not applicable
Yes: posture applicable
       

 

Guest

Attribute Values ISE Version Usage Description
Company string 1.2 A string defining the company of the guest user.
EmailAddress string 1.2 Email address of the guest user.
Firstname string 1.2 First name of the guest user.
LanguageNotification string 1.2 A string specifying the language for notification messages of the guest user.
Lastname string 1.2 Last name of the guest user.
OptionalData1 - 1.2 Optional data 1
OptionalData2 - 1.2 Optional data 2
OptionalData3 - 1.2 Optional data 3
OptionalData4 - 1.2 Optional data 4
OptionalData5 - 1.2 Optional data 5
PasswordModifiedByUser boolean 1.2 Boolean telling if password of the guest user was modified, can be:
false: password was not modified
true: password was modified
PhoneNumber string 1.2 The phone number of the guest user.
TimeZone string 1.2 Time zone of the guest user.
UserName string 1.2 Username of the guest user.
       

 

H3C

Attribute # Type ISE Version Usage Description
H3C-Backup-NAS-IP 207   2.0 Backup source IP address for sending RADIUS packets
H3C-Command 20   2.0 Operation for the session, used for session control. It can be:
1: Trigger-Request
2: Terminate-Request
3: SetPolicy
4: Result
5: PortalClear
H3C-Connect_Id 26   2.0 Index of the user connection
H3C-Control-Identifier 24   2.0 Identifier for retransmitted packets. for retransmitted packets of the same session, this attribute must take the same value; while for retransmitted packets of different sessions, this attribute may take the same value. The response of a retransmitted packet must also carry the same attribute.
For Accounting-Request packets of the start, stop and interim update type, the Control-Identifier attribute, if present, makes no sense.
H3C-Exec-Privilege 29   2.0 Priority of the EXEC user, can be:
0: Visit
1: Monitor
2: System
3: Manage
H3C-Ftp-Directory 28   2.0 Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client.
H3C-Input-Average-Rate 2   2.0 Average rate in the direction from the user to NAS [bps]
H3C-Input-Basic-Rate 3   2.0 Basic rate in the direction from the user to NAS [bps]
H3C-Input-Interval-Gigawords 205   2.0 Result of bytes input within an accounting interval divided by 4GB
H3C-Input-Interval-Octets 201   2.0 Bytes input within a real-time accounting interval
H3C-Input-Interval-Packets 203   2.0 Packets input within an accounting interval, in the unit set on the switch
H3C-Input-Peak-Rate 1   2.0 Peak rate in the direction from the user to NAS [bps]
H3C-Ip-Host-Addr 60   2.0 IP address and MAC address of the user carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.
H3C-NAS-Startup-Timestamp 59   2.0 Startup time of NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan 1, 17970 (UTC)
H3C-Output-Interval-Gigawords 206   2.0 Result of bytes output within an accounting interval divided by 4GB
H3C-Output-Interval-Octets 202   2.0 Bytes output within a real-time accounting interval
H3C-Output-Interval-Packets 204   2.0 Packets output within an accounting interval, in the unit set on the switch
H3C-Product-ID 255   2.0 Product name
H3C-Remanent-Volume 15   2.0 Remaining traffic of the connection, in different units for different server types.
H3C-Result-Code 25   2.0 Result of the Trigger-Request or SetPolicy operation, which can be:
0: Succeeded
Any other value: Failed
H3C-Security-Level 141   2.0 Security level assigned after SSL VPN user passes security authentication
H3C-User-Group 140   2.0 User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with SSL VPN device.
H3C-User-HeartBeat 62   2.0 Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the list on the AP and is used for verifying the handshake messages from 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets.
H3C-User-Notify 61   2.0 Information that needs to be sent from the server to the client transparently
         

 

HP

Attribute # Type ISE Version Usage Description
HP-Bandwidth-Max-Egress 48 integer 2.0 Percentage of port bandwidth allowed for egress.
HP-Bandwidth-Max-Ingress 46 integer 2.0 Percentage of port bandwidth allowed for ingress.
HP-Capability-Advert 255 octets 2.0 This attribute defines the capabilities of the NAS, listing all special RADIUS attributes it supports.
HP-Command-Exception 3 integer 2.0 The flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others. A one (1) means deny all listed commands and permit all others.
HP-Command-String 2 regex 2.0 List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters.
HP-Cos 40 string 2.0 Assigns 802.1p priority to all inbound packets on port. This attribute should contain the desired CoS priority (as string) repeated 8 times. The reason for the repetition is that this attribute is meant to form a map to translate different CoS priorities in packets egressing on the port.
Values:
1-2: Low
0,3: Normal
4-5: High
6-7: Critical
HP-Egress-VLAN-Name 65 string 2.0 Allows egress traffic for specified VLAN name.
HP-Egress-VLANID 64 integer 2.0 Allows egress traffic for specified VLAN ID. The first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) ot 0x32 (untagged). The next 12 bits are padding 0x000 and the dinal 12 bits are the VLAN ID as an integer value.
Example: VLAN 17 as a tagged egress VLAN would be 0x31000011.
HP-Management-Protocol 26 integer 2.0 Management protocol that can be used, can be:
5: HTTP
6: HTTPS
HP-Nas-Filter-Rule 61 string 2.0 ACE (multiple attributes from ACL) applied to client.
Example: permit in tcp from any to any
HP-Nas-Rules-IPv6 63 integer 2.0 Allows to filter also IPv6 traffic using ACL and attribute HP-Nas-Filter-Rile.
If this option is configured to "1", the any keyword used as destination applies to both IPv4 and IPv6 destinations for the selected traffic type.
If option is "2", IPv6 traffic is ignored.
HP-Port-Auth-Mode-Dot1x 13 integer 2.0 Temporarily alters the 802.1X authentication mode to be either port-based or user-based depending on the value in the VSA.
1: port-based
2: user-based
HP-Port-Client-Limit-Dot1x 10 integer 2.0 Temporarily alters the 802.1X authentication client limit to the value container in the VSA. Values range from 0 to 32 clients.
0 - means VSA is disabled
HP-Port-Client-Limit-MA 11 integer 2.0 Temporarily alters the MAC authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients.
0 - means VSA is disabled
HP-Port-Client-Limit-WA 12 integer 2.0 Temporarily alters the web-based authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients. 0 - means VSA is disabled
HP-Privilege-Level 1 integer 2.0 Privilege level of the user, can be:
1: SuperUser
2: Monitor
16: HelpDeskManager
17: NetworkAdministrator
18: SystemAdministrator
19: WebUserAdministrator
       

 

Identity Mapping

Attribute Values ISE Version Usage Description
       
       

 

IdentityGroup

Attribute Values ISE Version Usage Description
Description string 1.2, 1.3, 1.4 The description of the identity group where user belongs to.
Name string 1.2, 1.3, 1.4 The name of identity group where user belongs to.
       

 

InternalUser

Attribute Values ISE Version Usage Description
Description string 1.2 Description of the internal user.
EnableFlag string 1.2 A string defining the account is enabled.
Firstname string 1.2 A string defining first name of the user.
IdentityGroup string 1.2 The identity group the internal user belongs to.
Lastname string 1.2 A string defining last name of the user.
Name string 1.2 A string defining an username.
UserType string 1.2 ?
       

 

Juniper

Attribute # Type ISE Version Available Usage Description
Juniper-Allow-Commands 2 regex 2.0 Authentication
Authorization
Contains operational mode commands in the form of regular expression that user is allowed to use in addition to commands authorized by user's login class permission bits. maximum length 247 characters
Note: This attribute is used only in Access-Accept.
Juniper-Allow-Configuration 4 regex 2.0 Authentication
Authorization
Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user's login class permission bits.
Note: This attribute is used only in Access-Accept.
Juniper-cell-overhead 41 integer 2.0 Authentication
Authorization
 
Juniper-Configuration-Change 9 string 2.0 Authentication
Authorization
Indicates the interactive command that results in a configuration (database) change.
Note: This attribute is used only in Accounting-Request.
Juniper-CoS-Parameter 39 string 2.0 Authentication
Authorization
 
Juniper-CoS-Traffic-Control-Profile 38 string 2.0 Authentication
Authorization
 
Juniper-CTP-Group 21   2.0 Authentication
Authorization
 
1: Read_Only
2: Admin
3: Privileged_Admin
4: Auditor
Juniper-CTPView-APP-Group 22   2.0 Authentication
Authorization
 
1: Net_View
2: Net_Admin
3: Global_Admin
Juniper-CTPView-OS-Group 23   2.0 Authentication
Authorization
 
1: Web_Manager
2: System_Admin
3: Auditor
Juniper-Deny-Commands 3 regex 2.0 Authentication
Authorization
Contains extended regular expression that denies the user permission to run operation mode commands authorized by the user's login class permission bits. maximum length 247 characters.
Note: This attribute is used only in Access-Accept.
Juniper-Deny-Configuration 5 regex 2.0 Authentication
Authorization
Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user's login class permission bits.
Note: This attribute is used only in Access-Accept.
Juniper-encapsulation-overhead 40 integer 2.0 Authentication
Authorization
 
Juniper-Firewall-filter-name 44 string 2.0 Authentication
Authorization
 
Juniper-Interactive-Command 8 string 2.0 Authentication
Authorization
Indicates the interactive command entered by the user.
Note: This attribute is used only in Accounting-Request.
Juniper-Interface-id 35 string 2.0 Authentication
Authorization
Identifier of the interface.
Juniper-Ip-Pool-Name 36 string 2.0 Authentication
Authorization
The name of the IP pool defined on the device.
Juniper-Keep-Alive 37 integer 2.0 Authentication
Authorization
 
Juniper-Local-Group-Name 46 string 2.0 Authentication
Authorization
 
Juniper-Local-Interface 47 string 2.0 Authentication
Authorization
Interface to apply to the E Series side of the connection. The value can be one of the following:

- IP address (with subnet mask)
- the loopback interface

Juniper-Local-User-Name 1 string 2.0 Authentication
Authorization
Indicates the name of the user template used by the user when logging in to a device. maximum length 247 characters
Juniper-Policer-Parameter 45 string 2.0 Authentication
Authorization
 
Juniper-Primary-Dns 31 IP address 2.0 Authentication
Authorization
B-RAS user's DNS address negotiated during IPCP
Juniper-Primary-Wins 32 IP address 2.0 Authentication
Authorization
B-RAS user's WINS (NBNS) address negotiated during IPCP
Juniper-rx-connect-speed 43 integer 2.0 Authentication
Authorization
Defines the receive connect speed.
Juniper-Secondary-Dns 33 IP address 2.0 Authentication
Authorization
B-RAS user's DNS address negotiated during IPCP
Juniper-Secondary-Wins 34 IP address 2.0 Authentication
Authorization
B-RAS user's WINS (NBNS) address negotiated during IPCP
Juniper-Switching-Filter 48 string 2.0 Authentication
Authorization
Contains the string that works like an ACL. The form of string is following:
"Match < >, Action < >"
where we can match on MAC address, IP address, port, VLAN, ...
Juniper-tx-connect-speed 42 integer 2.0 Authentication
Authorization
Defines the transmit connect speed.
Juniper-User-Permissions 10 string 2.0 Authentication
Authorization
Contains information server uses to specify user permissions. It is specified in a form of a list of permission flags separated by a space.
Permission Flags: access, access-control, admin, admin-control, all-control, clear, configure, control, field, firewall, firewall-control, floppy, flow-tap, flow-tap-operation, idp-profiler-operation, interface, interface-control, maintenance, network, pgcp-session-mirroring, pgcp-session-mirroring-control, reset, rollback, routing, routing-control, secret, secret-control, security, security-control, shell, snmp, snmp-control, system, system-control, trace, trace-control, view, view-configuration
Juniper-VoIP-Vlan 49 integer 2.0 Authentication
Authorization
Voice VLAN returned from RADIUS server.

 

MDM

After you add the MDM server definition in Cisco ISE, the MDM dictionary attributes are available in Cisco ISE that you can use in authorization policies. You can view the dictionary attributes that are available for use in authorization policies.

Attribute Type / Values ISE Version Available Usage Description
DaysSinceLastCheckin Days count 2.1 Authorization How many days elapsed from last MDM check for particular endpoint
DeviceCompliantStatus String   Authorization  
  Compliant     Attribute validate that complaint status been confirmed by MDM server for particular endpoint
  NonCompliant     Attribute validate that non complaint status been confirmed by MDM server for particular endpoint
DeviceRegisterStatus String   Authorization  
  Registered     Endpoint is known to MDM server and been previously registered
  UnRegistered     Endpoint is unknown to MDM server and has not been registered
DiskEncryptionStatus String   Authorization  
  Off     Disk encryption is not enabled on the endpoint
  On     Disk encryption is enabled on the endpoint
IMEI String   Authorization IMEI value. Match based on endpoint IMEI value from MDM server response
JailBrokenStatus String   Authorization  
  Broken     Match endpoint status JailBroken based on MDM server response
  UnBroken     Match endpoint status UnJailBroken based on MDM server response
Manufacturer String   Authorization Manufacturer name. Match based on mobile device manufacturer name from MDM server response
MDMFailureReason   2.1 Authorization FailureReason value
MDMServerName MDMServerName   Authorization Match based on MDMServerName from endpoint attributes
MDMServerReachable String   Authorization  
  Reachable     Match reachable status of MDM server
  UnReachable     Match unreachable status of MDM server
MEID String   Authorization MEID Value. Match based on endpoint mobile equipment identifier(MEID) value from MDM server response
Model String   Authorization Model Value. Match based on mobile device model from MDM server response
OsVersion String   Authorization OsVersion Value. Match based on mobile device OS version from MDM server response
PhoneNumber String   Authorization PhoneNumber Value. Match based on phone number of mobile device
PinLockStatus String   Authorization  
  Off     Pinlock disabled on endpoint
  On     Pinlock enabled on endpoint
SerialNumber String   Authorization SerialNumber Value. Match based on mobile device serial number from MDM server response
ServerType String 2.1 Authorization  
  DesktopDeviceManager     Server on which endpoint registered belongs to Desktop Device Manager type (ex: Microsoft System Center)
  MobileDeviceManager     Server on which endpoint registered belongs to Mobile Device Manager type (regular MDM server)
UDID UDID Value   Authorization UDID Value. Match based on Unique Device Identifier (Apple specific)
UserNotified String 2.1 Authorization  
  No     User has not been notified previously about requirement to register device (Desktop Device Manager specific check)
  Yes     User was notified previously about requirement to register device (Desktop Device Manager specific check)

 

Microsoft

Defined in RFC2548 Microsoft Vendor-specific RADIUS Attributes.
This RADIUS dictionary is provided in ISE by default.

Attribute # Type ISE Version Available Description
MS-Acct-Auth-Type 23 integer 1.2 Authentication
Authorization
Represents the method used to authenticate the dial-up user:
1: PAP
2: CHAP
3: MS-CHAP-1
4: MS-CHAP-2
5: EAP
MS-Acct-EAP-Type 24 integer 1.2 Authentication
Authorization
Represents the EAP type used to authenticate the dial-up user:
4: MD5
5: OTP
6: Generic Token Card
13: TLS
MS-AFW-Protection-Level 49 integer 1.2 Authentication
Authorization
Specifies a NAP protection level. Used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access.
MS-AFW-Zone 48 integer 1.2 Authentication
Authorization
Specifies a NAP zone. Used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access.
MS-ARAP-PW-Change-Reason 21 integer 1.2 Authentication
Authorization
Used to indicate reason for a server-initiated password change:
1: Just-Change-Password
2: Expired-Password
3: Admin-Requires-Password-Change
4: Password-Too-Short
MS-BAP-Usage 13 integer 1.2 Authentication
Authorization
Describes wheter the use of BAP is allowed, diasllowed or required on new multilink calls:
0: BAP usage not allowed
1: BAP usage allowed
2: BAP usage required
MS-CHAP-Challenge 11 string 1.2 Authentication
Authorization
Contains the challenge sent by NAS to MS-CHAP suer.
MS-CHAP-CPW-1 3 string 1.2 Authentication
Authorization
Allows the user to change their password if it has expired.
Note: Attribute is only used in Access-Request packets and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject. The string of MS-CHAP-Error indicated that the user password had expired and MS-CHAP version is equal 2.
MS-CHAP-CPW-2 4 string 1.2 Authentication
Authorization
Allows the user to change their password if it has expired.
Note: Attribute is only used in Access-Request packets and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject. The string of MS-CHAP-Error indicated that the user password had expired and MS-CHAP version is less than 2.
MS-CHAP-Domain 10 string 1.2 Authentication
Authorization
Indicates the Windows NT domain in which user was authenticated.
MS-CHAP-Error 2 string 1.2 Authentication
Authorization
Contains error data related to the preceding MS-CHAP exchange.
Note: Only used in Access-Reject.
MS-CHAP-LM-Enc-PW 5 string 1.2 Authentication
Authorization
Contains the new Windows NT password encrypted with the old LAN Manager password hash.
Note: Attribute is used only in Access-Request packets, in conjuction with the MS-CHAP-CPW-2 attribute. It should be only  included if an MS-CHAP-Error attribute was included in immediately preceding Access-Reject.
MS-CHAP-MPPE-Keys 12 string 1.2 Authentication
Authorization
Contains two session keys for use by the MPPE.
Note: This attribute is only included in Access-Accept.
MS-CHAP-NT-Enc-PW 6 string 1.2 Authentication
Authorization
Contains the new Windows NT password encrypted with the old Windows NT password hash. Note: Attribute is used only in Access-Request packets, in conjuction with the MS-CHAP-CPW-2 attribute. It should be only  included if an MS-CHAP-Error attribute was included in immediately preceding Access-Reject.
MS-CHAP-Response 1 string 1.2 Authentication
Authorization
Contains the response value provided by a MS-CHAP user in response to the challenge.
Note: Only used in Access-Request.
MS-CHAP2-CPW 27 octets 1.2 Authentication
Authorization
Allows the user to change their password if it has expired. Used only in conjunction with MS-CHAP-NT-Enc-PW and should only be included if an MS-CHAP-Error attribute was included in the Access-Reject packet and MS-CHAP version is 3.
MS-CHAP2-Response 25 octets 1.2 Authentication
Authorization
Contains the response value provided by an MS-CHAP-V2 peer in response to the challenge.
MS-CHAP2-Success 26 octets 1.2 Authentication
Authorization
Contains 42-octet authenticator response string. This string must be included in Message field of MS-CHAP-V2 Success sent from NAS.
MS-Extended-Quarantine-State 57 integer 1.2 Authentication
Authorization
Indicates the level of network access that RADIUS server authorizes to the endpoint.
Used to specify additional information about a restricted access decision by a RADIUS server.
MS-Filter 22 octets 1.2 Authentication
Authorization
Used to transmit traffic filters. If multiple MS-Filter attributes are contained within a packet, they must be in order and must be consecutive attributes in packets.
MS-HCAP-Location-Group-Name 59 string 1.2 Authentication
Authorization
Used to specify location group information received over an HCAP interface by a RADIUS client.
MS-HCAP-User-Groups 58 string 1.2 Authentication
Authorization
Used to specify user groups information received over an HCAP interface by a RADIUS client.
MS-HCAP-User-Name 60 string 1.2 Authentication
Authorization
Used to indicate user identity information received over an HCAP interface by a RADIUS client.
MS-Identity-Type 41 integer 1.2 Authentication
Authorization
Indicates whether a RADIUS server performs only a machine health check.
If value is 0x00000001, RADIUS server must not perform authentication; instead it must perform a machine health check on this request.
If value is different or a RADIUS server doesn't receive this attribute, it should perform authentication as well as a machine health check on this request.
MS-IPv4-Remediation-Servers 52 list of IP addresses 1.2 Authentication
Authorization
Contains a list of servers that are reachable by an endpoint whose access is restricted, so that endpoint can remediate itself.
MS-IPv6-Filter 51 octets 1.2 Authentication
Authorization
Used to limit the inbound and/or outbound access of the endpoint.
MS-IPv6-Remediation-Servers 53 octetes 1.2 Authentication
Authorization
Specifies the IPv6 addresses of the remediation servers.
MS-Link-Drop-Time-Limit 15 integer 1.2 Authentication
Authorization
Indicates the length of the time (in seconds) that a link must be underutilized before it is dropped.
MS-Link-Utilization-Threshold 14 integer 1.2 Authentication
Authorization
Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination.
MS-Machine-Name 50 string 1.2 Authentication
Authorization
It is used to communicate the machine name of the endpoint requesting network access.
MS-MPPE-Encryption-Policy 7 integer 1.2 Authentication
Authorization
Signifies whether the use of encryption is allowed or required.
1 means encryption-allowed (you can use any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute)
2 means encryption-required (you can use any of the encryption types specified in MS-MPPE-Encryption-Types attribute)
MS-MPPE-Encryption-Types 8 integer 1.2 Authentication
Authorization
(nteger (four-octet integer interpreted as a string of bits)
Signifies the types of encryption available for use with MPPE.
MS-MPPE-Recv-Key 17 string 1.2 Authentication
Authorization
Contains a session key for use by MPPE. This key is for encrypting packets that AAA client receives from the remote host.
Note: This attribute is included only in Access-Accept.
MS-MPPE-Send-Key 16 string 1.2 Authentication
Authorization
Contains a session key for use by MPPE. This key is for encrypting packets sent from AAA client to the remote host.
Note: This attributed is used only in Access-Accept.
MS-Network-Access-Server-Type 47 integer 1.2 Authentication
Authorization
It is used to specify the type of the network access server making the request.
0: Unspecified
1: Terminal-Server-Gateway
2: Remote-Access-Server
3: DHCP-sServer
4: Wireless-Access-Point
5: HRA
6: HCAP-Server
MS-New-ARAP-Password 20 string 1.2 Authentication
Authorization
Used to transmit the new ARAP password during ARAP password change operation.
MS-Old-ARAP-Password 19 string 1.2 Authentication
Authorization
Used to transmit the old ARAP password during an ARAP password change operation.
MS-Primary-DNS-Server 28 IP address 1.2 Authentication
Authorization
Used to indicate the address of the primary DNS server used by the PPP peer.
MS-Primary-NBNS-Server 30 IP address 1.2 Authentication
Authorization
Used to indicate the address of the primary NetBIOS Name Server (NBNS) to be used by the PPP peer.
MS-Quarantine-Grace-Time 46 integer 1.2 Authentication
Authorization
Applies a timeout to the endpoint requesting network access set to expire at the time given by the attribute's value.
MS-Quarantine-IPFilter 36 octets 1.2 Authentication
Authorization
Used to specify the set of IP filters to be provisioned for the endpoint associated with a RADIUS Access-Request.
MS-Quarantine-Session-Timeout 37 integer 1.2 Authentication
Authorization
Used to specify a timeout value used by a RRAS server.
MS-Quarantine-SOH 55 octets 1.2 Authentication
Authorization
It is used to carry Statement of Health information from endpoint when EAP is not used.
MS-Quarantine-State 45 integer 1.2 Authentication
Authorization
Gives an access rights accordingly to the endpoint requesting network access.
0: Full access
1: Restricted access
2: On probation (full access within a limited time period)
MS-Quarantine-User-Class 44 string 1.2 Authentication
Authorization
It is used to carry the name of a special DHCP user class.
MS-RAS-Client-Name 34 string 1.2 Authentication
Authorization
Used to specify the name of the endpoint generating request.
MS-RAS-Client-Version 35 string 1.2 Authentication
Authorization
Used to specify the version of the endpoint generating request.
MS-RAS-Correlation 56 octets 1.2 Authentication
Authorization
Used by the NAD to send an identifier, which is used for a correlation of logs events to the RADIUS server.
MS-RAS-Vendor 9 integer 1.2 Authentication
Authorization
Used to indicate the manufacturer of the RADIUS client machine.
MS-RAS-Version 18 integer 1.2 Authentication
Authorization
Used to indicate the version of the RADIUS client software.
MS-RNAP-Not-Quarantine-Capable 54 integer 1.2 Authentication
Authorization
Indicates whether or not the endpoint requesting network access is NAP capable.
0: endpoint sent an SoH
1: endpoint didn't send an SoH
MS-Secondary-DNS-Server 29 IP address 1.2 Authentication
Authorization
Used to indicate the address of the secondary DNS server used by the PPP peer.
MS-Secondary-NBNS-Server 31 IP address 1.2 Authentication
Authorization
Used to indicate the address of the secondary NBNS server used by the PPP peer.
MS-Service-Class 42 string 1.2 Authentication
Authorization
Used to specify which group of DHCP scopes will supply an IP address to the endpoint requesting access.
MS-TSG-Device-Redirection 63 integer 1.2 Authentication
Authorization
Specifies filters used by a Remote Desktop Gateway (RDG) server.
MS-User-IPv4-Address 61 IP address 1.2 Authentication
Authorization
Specifies the IP address of the endpoint as known to the RADIUS client.
MS-User-Security-Identity 40 string 1.2 Authentication
Authorization
Used to specify the security-identifier (SID) of the user requesting access.
           

 

Motorola-Symbol

Attribute # Type / Value
ISE Version Available Description
Symbol-Admin-Role 1 String 2.0 Authentication
Authorization
Permissions for remote user
    Monitor     User with read-only access to a WLC or AP
    Helpdesk     User can clear statistics, reboot devices and create or copy tech support files
    NetworkAdmin     User responsible for configuration of parameters such as Layer 2, Layer 3, Wireless, RADIUS, DHCP and Smart-RF
    SysAdmin     User responsible for configuring general switch settings such as upgrading images, changing boot partitions, time and administrative access
    WebAdmin     User responsible for adding guest user accounts for Captive Portal authentication
    SuperUser     User with full administrative privileges
Symbol-Allowed-ESSID 3 String 2.0 Authentication
Authorization
ESSID(s) name that user is permitted to associate with
Symbol-Allowed-Radio 6 String 2.0 Authentication
Authorization
Indicates one or more Radio name(s) that user is permitted to associated with. Must match one or more keywords defined in the radio description fields
Symbol-Current-ESSID 2 String 2.0 Authentication
Authorization
ESSID the user is currently associated with
Symbol-Downlink-Limit 10 integer 2.0 Authentication
Authorization
Indicates amount of bandwidth in Kbps that the user is permitted to receive from AP. Traffic that exceeds the value will be dropped by WLC or AP.
0 means disabled
Symbol-Expiry-Date-Time 7   2.0 Authentication
Authorization
Indicates the date and time the user is no longer authorized to access the network.
String in format MM/DD/YYYY-HH:MM
Symbol-Login-Source 100   2.0 Authentication
Authorization
Indicates the management interfaces the user is permitted to access on WLC or AP
    HTTP     Allowing HTTP login management access using Web-UI
    SSH     Allowing SSH login management access
    Telnet     Allowing Telnet login management access
    Console     Allowing Console login management access
    All     Allowing all login management accesses
Symbol-Posture-Status 9 string 2.0 Authentication
Authorization
NAP compliance state of user. This attribute is used with the Symantec LAN Enforcer endpoint inspection solution.
Symbol-QoS-Profile 5 integer 2.0 Authentication
Authorization
Specifies the static WMM Access Category to be assigned to the user. Once assigned traffic is forwarded from AP to the user, it will be prioritized using the assigned QoS value.
Supported values:
1 - Best Effort
2 - Background
3 - Video
4 - Voice
Symbol-Start-Date-Time 8 string 2.0 Authentication
Authorization
Indicates the date and time the user is initially permitted to access the network.
Format MM/DD/YYYY-HH:MM
Symbol-Uplink-Limit 11 integer 2.0 Authentication
Authorization
Indicates the amount of bandwidth in Kbps that the user is permitted to transmitt to AP. Traffic that exceeds the defined value will be dropped by WLC or AP.
Symbol-User-Group 12 string 2.0 Authentication
Authorization
Indicates the group on the WLC or AP that the user is associated with
Symbol-WLAN-Index 4 integer 2.0 Authentication
Authorization
Indicates the WLAN index number of the WLAN the user is associated with
           

 

MSE

These attributes are used by the Cisco Mobility Services Engine (MSE). For more information, please see the ISE Design &amp; Integration Guides for Cisco Mobility Services Engine (MSE).

Attribute Values ISE Version Usage Description
MapLocation string 2.0 The location of the device on the map using MSE.
       

 

Network Access

This dictionary contains session attributes which can be collected during authentication process either from Radius flow (for example: EPA tunnel/EAP chaining  result) or as a result of authentication process on ISE itself (Use case/ ISE host name)

Attribute Type / Values ISE Version Available Usage Description
AD-Host-DNS-Domain        
AD-Host-Join-Point        
AD-User-DNS-Domain        
AD-User-Join-Point        
AuthenticationIdentityStore        
AuthenticationMethod string   Authentication
Authorization
 
  CHAP/MD5     Match authentication request with CHAP/MD5 authentication
  Lookup     Match authentication request with host Lookup (MAB)
  MSCHAPv1     Match authentication with MSCHAPv1 as an authentication method
  MSCHAPv2     Match authentication with MSCHAPv2 as an authentication method
  PAP_ASC||     Match authentication with PAP_ASC|| as an authentication method
  x509_PKI     Certificate based authentication matching
AuthenticationStatus string   Authorization  
  AuthenticationFailed     Match session for which user/endpoint authentication failed
  AuthenticationPassed     Match session for which user/endpoint authentication passed
  ProcessError     Match session for which user/endpoint authentication has finished with process error
  UnknownUser     Match session for which user/endpoint authentication has finished user unknown error
Device IP Address IP address   Authentication
Authorization
Match by IP address of Network Access Device. This is the address configured by user under Network Device in ISE GUI during device creation
EapAuthentication string   Authorization The EAP method that is used during authentication of a user of a machine
  EAP-GTC     Match session which is using EAP-GTC as EAP authentication method
  EAP-MD5     Match session which is using EAP-MD5as EAP authentication method
  EAP-MSCHAPv2     Match session which is usingEAP-MSCHAPv2as EAP authentication method
  EAP-TLS     Match session which is using EAP-TLS as EAP authentication method
  LEAP     Match session which is using LEAP as EAP authentication method
EapChainingResult string   Authorization Result of EAP-FAST specific way to bind user and machine authentication together
  No chaining     Match session with no EAP Chaining in place
  User and machine both succeeded     Match session with successful machine and user authentication confirmed by EAP Chaining
  User failed and machine succeeded     Match session with successful machine and failed user authentication confirmed by EAP Chaining
  User succeeded and machine failed     Match session with failed machine and successful user authentication confirmed by EAP Chaining
EAPTunnel string   Authentication
Authorization
The EAP method that is used for tunnel establishment.
  EAP-FAST 1.0   Match EAP requests with EAP-FAST
  EAP-TTLS 2.0   Match EAP requests with EAP-TTLS
  PEAP 1.0   Match EAP requests with PEAP
GroupsOrAttributesProcessFailure     Authorization  
ISE Host Name string   Authentication
Authorization
ISE HostName value. Match the name of ISE server where authentication request been landed
MachineAuthenticationIdentityStore        
NetworkDeviceName string   Authentication
Authorization
Network Device name value. Match based on Name of Network device configured by user under Network Device in ISE GUI during device creation
Protocol string   Authentication
Authorization
Protocol name
RADIUS: Match authentication request which has the been done over the Radius protocol
TACACS+: Match authentication request which has been done over the TACACS+ protocol
RADIUS Server        
RADIUS Server Sequence        
SessionLimitExceeded boolean 1.4 Authentication
Authorization
 
  False     Session limit from the guest type has not been reached yet for particular guest user (Applicable only for guest users)
  True     Session limit from the guest type has been reached for particular guest user (Applicable only for guest users)
UseCase string      
  EAP Chaining 1.1   Using this attribute you can match  by your authorization policy sessions where EAP changing been used during authentication
  Guest Flow 1.0   This attribute can be used to matching sessions that successfully finished guest flow (Either guest authentication passed, or AUP accepted for the hot spot)
  Easy Wired Flow 2.1   Easy Connect
  Proxy 1.2    
  Host Lookup 1.0    
UserName string   Authentication
Authorization
Username value. Match User name presented in radius Access-Request
WasMachineAuthenticated boolean 1.0 Authorization Use for detecting Machine Access Registration (MAR)
         

 

Normalised RADIUS

Attribute Type / Values ISE Version Available Usage Description
RadiusFlowType string 2.0 Authentication
Authorization
 
  Wired802_1x     Indicates user authentication method as wired 802.1x
  WiredMAB     Indicates user authentication method as wired MAB
  WiredWebAuth     Indicates user authentication method as wired web authentication
  Wireless802_1x     Indicates user authentication method as wireless 802.1x
  WirelessMAB     Indicates user authentication method as wireless MAB
  WirelessWebAuth     Indicates user authentication method as wireless web authentication
SSID string 2.0 Authentication
Authorization
Offers possibility to map vendor specific attribute (for example RADIUS:Called-Station-ID) to this common attribute so that policy rules can use friendly name. This can be specific to network device profile.

 

PassiveID

After you enable PassiveID service on the node, PassiveID dictionary is available

Attribute Type ISE Version Available Usage Description
PassiveID_Groups string 2.1 Authorization Specifies the domain controller group
PassiveID_Username string 2.1 Authorization Specifies the name of the user

 

RADIUS

From

Attribute # Type ISE Version Available Usage Description
User-Name 1 string 1.0 Authentication The name of the user to be authenticated.
Length >= 3 characters.
User-Password 2 string 1.0 Authentication The password of the user to be authenticated, or the user's input following an Access-Challenge. A one-  way MD5 hash is calculated over a stream of octets consisting of   the shared secret followed by the Request Authenticator. This   value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User-Password Attribute.
CHAP-Password 3 string 1.0 Authentication The response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge.
NAS-IP-Address 4 address 1.0 Authentication The identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.
Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
NAS-Port 5 integer 1.0 Authentication The physical port number of the NAS which is authenticating the user
Service-Type 6 integer 1.0 Authentication The type of service the user has requested, or the type of service to be provided. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.
Values:
  • 1 Login: The user should be connected to a host.
  • 2 Framed: A Framed Protocol should be started for the User, such as PPP or SLIP.
  • 3 Callback Login: The user should be disconnected and called back, then connected to a host.
  • 4 Callback Framed: The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP.
  • 5 Outbound: The user should be granted access to outgoing devices.
  • 6 Administrative: The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
  • 7 NAS Prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
  • 8 Authenticate Only: Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).
  • 9 Callback NAS Prompt: The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed.
  • 10 Call Check: Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name.
  • 11 Callback Administrative: The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.
Framed-Protocol 7 integer ? Authentication The framing to be used for framed access.
Values:
  • 1 PPP
  • 2 SLIP
  • 3 AppleTalk Remote Access Protocol (ARAP)
  • 4 Gandalf proprietary SingleLink/MultiLink protocol
  • 5 Xylogics proprietary IPX/SLIP
  • 6 X.75 Synchronous
Framed-IP-Address 8 address ? Authentication The address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.
Framed-IP-Netmask 9 address ? Authentication The IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.
Framed-Routing 10 integer ? Authentication the routing method for the user, when the user is a router to a network.
Values:
0 None
1 Send routing packets
2 Listen for routing packets
3 Send and Listen
Filter-ID 11 text ? Authentication The name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.
Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details.
On ASA, applies only to full tunnel IPsec and SSL VPN clients
Framed-MTU 12 integer ? Authentication The Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that value, but the server is not required to honor the hint.
Values range from 64 to 65535.
Framed-Compression 13     Authentication A compression protocol to be used for the link. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint. More than one compression protocol Attribute MAY be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.
Values:
  • 0 None
  • 1 VJ TCP/IP header compression
  • 2 IPX header compression
  • 3 Stac-LZS compression
Login-IP-Host 14 address ? Authentication The system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as
  a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.
Login-Service 15 integer ? Authentication The service to use to connect the user to the login host. It is only used in Access-Accept packets.
Values:
  • 0 Telnet
  • 1 Rlogin
  • 2 TCP Clear
  • 3 PortMaster (proprietary)
  • 4 LAT
  • 5 X25-PAD
  • 6 X25-T3POS
  • 8 TCP Clear Quiet (suppresses any NAS-generated connect string)
Login-TCP-Port 16 integer ? Authentication The TCP port with which the user is to be connected, when the Login-Service Attribute is also present.
It is only used in Access-Accept packets.
(unassigned) 17 - - - ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED.
Reply-Message 18 text ? Authentication Text which MAY be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. Multiple Reply-Message's MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.
Callback-Number 19 string ? Authentication a dialing string to be used for callback. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.
Callback-Id 20 string ?   the name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets.
(unassigned) 21 - - - ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED.
Framed-Route 22 text ?   routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.
Framed-IPX-Network 23 integer ?   the IPX Network number to be configured for the user. It is used in Access-Accept packets.
State 24 string ? Authentication This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.  This Attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action Attribute with the value of RADIUS-Request. If the NAS performs the Termination-Action by sending a new Access-Request upon termination of the current session, it MUST include the State attribute unchanged in that Access-Request.  In either usage, the client MUST NOT interpret the attribute locally. A packet must have only zero or one State Attribute.  Usage of the State Attribute is implementation dependent.
Class 25 string ? Authentication This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.
Vendor-Specific 26 string 1.0 Authentication This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage. It MUST not affect the operation of the RADIUS protocol.  Servers not equipped to interpret the vendor-specific information sent by a client MUST ignore it (although it may be reported). Clients which do not receive desired vendor-specific information SHOULD make an attempt to operate without it, although they may do so (and report they are doing so) in a degraded mode.
Values with Cisco:
  • audit-session-id=[96-bit hex string]
  •  
Session-Timeout 27 integer 1.0 Authentication This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt.
  This Attribute is available to be sent by the server to the client
  in an Access-Accept or Access-Challenge.
Idle-Timeout 28 integer 1.0 Authentication This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.
Termination-Action 29 integer 1.0 Authentication This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.
Values:
  • 0 Default
  • 1 RADIUS-Request
Called-Station-ID 30 string 1.0 Authentication This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.
Calling-Station-ID 31 string 1.0 Authentication This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.
NAS-Identifier 32 string 1.0 Authentication This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.  Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
Proxy-State 33 string ? Authentication This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy-State in the packet) before forwarding the response to the NAS.
If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes.
The content of any Proxy-State other than the one added by the current server should be treated as opaque octets and MUST NOT affect operation of the protocol.
Usage of the Proxy-State Attribute is implementation dependent.
Login-LAT-Service 34 string ? Authentication This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint. Administrators use the service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In such an environment several different time sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts. Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Alternately, some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).
Login-LAT-Node 35 string   Authentication This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.
Login-LAT-Group 36 string   Authentication This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap.
Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bit map. The administrators assign a bitmap of authorized group codes to each user; LAT gets these from the operating system, and uses these in its requests to the service providers.

Framed-AppleTalk-Link 37 integer   Authentication This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. It

  is never used when the user is not another router.

Framed-AppleTalk-Network 38 integer   Authentication This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified.
Framed-AppleTalk-Zone 39 string   Authentication This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed.

Acct-Status-Type

40 integer   Accounting Specifies whether this accounting-request marks the beginning of the user service (start) or the end (stop).

Acct-Delay-Time

41 integer   Accounting Number of seconds the client has been trying to send a particular record.

Acct-Input-Octets

42 integer   Accounting Number of octets received from the port while this service is being provided.
Acct-Output-Octets 43 integer   Accounting Number of octets sent to the port while this service is being delivered.

Acct-Session-Id

44 string   Accounting Unique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded. Contact Cisco support if this is unsuitable.
Acct-Authentic 45 integer   Accounting Way in which the user was authenticated—by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.
Acct-Session-
Time
46 integer   Accounting Number of seconds the user has been receiving service.
Acct-Input-Packets 47 integer   Accounting Number of packets received from the port while this service is being provided to a framed user.
Acct-Output-Packets 48 integer   Accounting Number of packets sent to the port while this service is being delivered to a framed user.
Acct-Terminate-Cause 49 integer   Accounting

Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:

  • 1: User request
  • 2: Lost carrier
  • 3: Lost service
  • 4: Idle timeout
  • 5: Session-timeout
  • 6: Admin reset
  • 7: Admin reboot
  • 8: Port error
  • 9: AAA client error
  • 10: AAA client request
  • 11: AAA client reboot
  • 12: Port unneeded
  • 13: Port pre-empted
  • 14: Port suspended
  • 15: Service unavailable
  • 16: Callback
  • 17: User error
  • 18: Host request
Acct-Multi-Session-Id 50 string   Accounting (Accounting) A unique accounting identifier used to link multiple related sessions in a log file.
Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id.
Acct-Link-Count 51 integer   Accounting (Accounting) Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links.
Acct-Input-Gigawords 52 integer   Accounting Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of the provided service.
Acct-Output-Gigawords 53 integer   Accounting Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while delivering service.
??? 54 ???   Accounting  
Event-Timestamp 55 date   Accounting Records the time that the event occurred on the NAS, the timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC. To send RADIUS attribute 55 in accounting packets, use the radius-server attribute 55 include-in-acct-req command.
Note: Before the Event-Timestamp attribute can be sent in accounting packets, you must configure the clock on the network device. (For information on setting the clock on your network device, see the “Performing Basic System Management” section in the “Basic System Management” chapter of Network Management Configuration Guide.) To avoid configuring the clock on the network device every time the network device is reloaded, you can enable the clock calendar-valid command. (For more information about this command, see the“Setting Time and Calendar Services” section in the “Basic System Management” chapter of Network Management Configuration Guide.
??? 56     Accounting  
??? 57     Accounting  
??? 58     Accounting  
??? 59     Accounting  
CHAP-Challenge 60 string ? Authentication This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets.

If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute.

NAS-Port-Type 61 integer 1.0 Authentication This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.
  • 0 Async
  • 1 Sync
  • 2 ISDN Sync
  • 3 ISDN Async V.120
  • 4 ISDN Async V.110
  • 5 Virtual: "Virtual" refers to a connection to the NAS via some transport protocol, instead of through a physical port
  • 6 PIAFS: a form of wireless ISDN commonly used in Japan, and stands for PHS (Personal Handyphone System) Internet Access Forum Standard (PIAFS).
  • 7 HDLC Clear Channel
  • 8 X.25
  • 9 X.75
  • 10 G.3 Fax
  • 11 SDSL - Symmetric DSL
  • 12 ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation
  • 13 ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
  • 14 IDSL - ISDN Digital Subscriber Line
  • 15 Ethernet
  • 16 xDSL - Digital Subscriber Line of unknown type
  • 17 Cable
  • 18 Wireless - Other
  • 19 Wireless - IEEE 802.11
Port-Limit 62 integer   Authentication This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint.
Login-LAT-Port 63 string   Authentication This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

The String field is one or more octets, and contains the identity of the LAT port to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension. All LAT string comparisons are case insensitive.

Tunnel-Type 64 integer   Authentication Indicates the tunneling protocol(s) used. Cisco software supports one possible value for this attribute: L2TP.
Tunnel-Medium-Type 65 integer   Authentication Indicates the transport medium type used to create a tunnel. This attribute has only one available value for this release: IP. If no value is set for this attribute, IP is used as the default.
Tunnel-Client-Endpoint 66 string   Authentication Contains the address of the initiator end of the tunnel. It may be included in both Access-Request and Access-Accept packets to indicate the address from which a new tunnel is to be initiated. If the Tunnel-Client-Endpoint attribute is included in an Access-Request packet, the RADIUS server should take the value as a hint. This attribute should be included in Accounting-Request packets that contain Acct-Status-Type attributes with values of either Start or Stop, in which case it indicates the address from which the tunnel was initiated. This attribute, along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID attributes, may be used to provide a globally unique method to identify a tunnel for accounting and auditing purposes.
An enhancement has been added for the network access server to accept a value of 127.0.0.X for this attribute such that:
127.0.0.0 would indicate that loopback0 IP address has to be used, 127.0.0.1 would indicate that loopback1 IP address has to be used. 127.0.0.X would indicate that loopbackX IP address has to be used for the actual tunnel client endpoint IP address. This enhancement adds scalability across multiple network access servers.
Tunnel-Server-Endpoint 67 string   Authentication Indicates the address of the server end of the tunnel. The format of this attribute varies depending on the value of Tunnel-Medium-Type. Depending on your release only IP as a tunnel medium type may be supported and the IP address or the host name of LNS is valid for this attribute.
Acct-Tunnel-
Connection
68 string     Indicates the identifier assigned to the tunnel session. This attribute should be included in Accounting-Request packets that contain an Acct-Status-Type attribute having the value Start, Stop, or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint attributes, may be used to provide a method to uniquely identify a tunnel session for auditing purposes.
Tunnel-Password 69 string     Defines the password to be used to authenticate to a remote server. This attribute is converted into different AAA attributes based on the value of Tunnel-Type: AAA_ATTR_l2tp_tunnel_pw (L2TP), AAA_ATTR_nas_password (L2F), and AAA_ATTR_gw_password (L2F).
By default, all passwords received are encrypted, which can cause authorization failures when a NAS attempts to decrypt a non-encrypted password. To enable attribute 69 to receive non-encrypted passwords, use the radius-server attribute 69 clear command in global configuration mode.
ARAP-Password 70 string     Identifies an Access-Request packet containing a Framed-Protocol of AppleTalk Remote Access Control (ARAP).
ARAP-Features 71 string     Includes password information that the NAS should send to the user in an ARAP feature flags packet.
ARAP-Zone-
Access
72 integer     Indicates how the ARAP zone list for the user should be used.
ARAP-Security 73 integer     Identifies the ARAP Security Module to be used in an Access-Challenge packet.
ARAP-Security-Data 74 string     Contains the actual security module challenge or response in Access-Challenge and Access-Request packets.
Password-Retry 75 integer     Indicates the number of times a user may attempt authentication before being disconnected.

Prompt

76 integer     Indicates to the NAS whether it should echo the user’s response as it is entered or not echo it. (0 = no echo, 1 = echo)
Connect-Info 77 string     Provides additional call information for modem calls. This attribute is generated in start and stop accounting records.
Configuration-
Token
78 string     Indicates the type of user profile to be used. This attribute should be used in large distributed authentication networks based on proxy. It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept; it should not be sent to a NAS.
EAP-Message 79 string     Encapsulates Extended Access Protocol (EAP) packets that allow the NAS to authenticate dial-in users using EAP without having to understand the EAP protocol.
Message-Authenticator 80 string     Prevents spoofing Access-Requests using CHAP, ARAP, or EAP authentication methods.
Tunnel-Private-Group-ID 81 string   Authentication Indicates the group ID for a particular tunneled session.
Tunnel-
Assignment-ID
82 string     Indicates to the tunnel initiator the particular tunnel to which a session is assigned.
Tunnel-Preference 83 integer   Authentication Indicates the relative preference assigned to each tunnel. This attribute should be included if more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator.
ARAP-Challenge-Response 84       Contains the response to the challenge of the dial-in client.
Acct-Interim-Interval 85 integer     Indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.
Acct-Tunnel-Packets-Lost 86       Indicates the number of packets lost on a given link. This attribute should be included in Accounting-Request packets that contain an Acct-Status-Type attribute having the value Tunnel-Link-Stop.
NAS-Port-Id 87 string   Authentication Contains a text string which identifies the port of the NAS that is authenticating the user.
Framed-Pool 88 string   Authentication Contains the name of an assigned address pool that should be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS should ignore this attribute.
??? 89        
Tunnel-Client-Auth-ID 90 string   Authentication Specifies the name used by the tunnel initiator (also known as the NAS) when authenticating tunnel setup with the tunnel terminator. Supports L2F and L2TP protocols.
Tunnel-Server-Auth-ID 91 string   Authentication Specifies the name used by the tunnel terminator (also known as the Home Gateway) when authenticating tunnel setup with the tunnel initiator. Supports L2F and L2TP protocols.
NAS-IPv6-Address 95     Authentication  
Framed-Interface-Id 96     Authentication  
Framed-IPv6-Prefix 97     Authentication  
Login-IPv6-Host 98     Authentication  
...          
Error-Cause 101     Authentication  
...          
Delegated-IPv6-Prefix 123     Authentication  
...          
Primary-DNS-Server 135 ipaddr      
Secondary-DNS-Server 136 ipaddr      
...          
Framed-IPv6-Address 168     Authentication  
DNS-Server-IPv6-Address 169     Authentication  
Route-IPv6-Information 170     Authentication  
Delegated-IPv6-Prefix-Pool 171     Authentication  
Stateful-IPv6-Address-Pool 172     Authentication  
...          
Multilink-ID 187 integer      
Num-In-Multilink 188 integer      
Pre-Input-Octets 190 integer      
Pre-Output-Octets 191 integer      
Pre-Input-Packets 192 integer      
Pre-Output-Packets 193 integer      
Maximum-Time 194 integer      
Disconnect-Cause 195 integer      
??? 196        
Data-Rate 197 integer      
PreSession-Time 198 integer      
??? 199        
IETF-Token-Immediate 200       Determines how RADIUS treats passwords received from login-users when their file entry specifies a hand-held security card server.
The value for this attribute is indicated by a numeric value as follows:
  • 0: No—the password is ignored.
  • 1: Yes—the password is used for authentication.
...          
Digest-Response 206 integer   Authentication  
??? 207 integer      
PW-Lifetime 208 integer      
IP-Direct 209 ipaddr      
PPP-VJ-Slot-
Comp
210 integer      
...          
Assign-IP-pool 218 integer      
...          
Route-IP 228 integer      
...          
Link-Compression 233 integer      
Target-Utils 234 integer      
Maximum-Channels 235 integer      
...          
Data-Filter 242 Ascend filter      
Call-Filter 243 Ascend filter      
Idle-Limit 244 integer      

 

Ruckus

Attribute # Type ISE Version Usage Description
Ruckus-Acct-Status 126 integer 2.0 Sent by the RADIUS server to indicate if the authenticator should send an accounting packet for this user.
Ruckus-Grace-Period 6 integer 2.0 Specifies a grace period before re-authentication is required (WISPr or captive portal only). Range is 1-14400 minutes.
Ruckus-Location 5 string 2.0 Reports the location of the device. This is configurable value in the device location setting.
Ruckus-SCG-CBlade-IP 7 integer 2.0 IP address of the C blade used by the device for request.
Ruckus-SCG-DBlade-IP 8 integer 2.0 IP address of the D blade used by the device for request.
Ruckus-Session-Type 125 integer 2.0 Sent by RADIUS server to indicate the forwarding policy to be used for the client.
Ruckus-SSID 3 string 2.0 Station WLAN name sent from device to the RADIUS server.
Ruckus-Sta-RSSI 2 integer 2.0 Station RSSI sent from the device to the RADIUS server (Interim-Update, Stop).
Ruckus-User-Groups 1 string 2.0 User role assignment - the role must already exists on the ZoneDirector.
Ruckus-WlanID 4 integer 2.0 WLAN ID number sent from the device to the RADIUS server as part of the Access-Request message to identify the WLAN interface.

 

Session

Attributes in here are systematically generated by ISE

Attribute Type / Values ISE Version
Available
Usage Description
Agent-Request-Type        
ANCPolicy        
CurrentDate        
CurrentDay        
CurrentMonth        
CurrentTime        
CurrentWeekDay        
CurrentYear        
Device-OS        
EPSStatus        
OS-Architecture        
Posture Status string 1.0 Authorization  
  Compliant 1.0   This value is matched for endpoints that completed the posture flow and was compliant
  NonCompliant 1.0   This value is matched for endpoints that completed the posture flow and was non compliant or terminated posture process
  Unknown 1.0   This value is matched for endpoint that did not yet go through the posture flow, does not have a posture agent
SessionSource        
URL-Redirected        

 

Threat

Attribute Values ISE Version Usage Description
Qualys-CVSS_Base_Score 0-10 2.1 Create an authorization policy by using the vulnerability attributes to automatically quarantine the vulnerable endpoints based on the attribute values.
Qualys-CVSS_Temporal_Score 0-10 2.1 Create an authorization policy by using the vulnerability attributes to automatically quarantine the vulnerable endpoints based on the attribute values.

 

WISPr

Attribute Values Type ISE Version Usage Description
WISPr-Bandwidth-Max-Down 8 integer 2.0 Limit the maximum downstream bandwidth.
WISPr-Bandwidth-Max-Up 7 integer 2.0 Limit the maximum upstream bandwidth.
WISPr-Bandwidth-Min-Down 6 integer 2.0 Limit the minimum downstream bandwidth.
WISPr-Bandwidth-Min-Up 5 integer 2.0 Limit the minimum upstream bandwidth.
WISPr-Billing-Class-Of-Service 11 string 2.0 A service type for billing.
WISPr-Location-ID 1 string 2.0 ID of the location of the client. Concatenation of the ISO Country Code, E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in profile.
WISPr-Location-Name 2 string 2.0 The name of the location of the client.
WISPr-Logoff-URL 3 string 2.0 URL of a log out page.
WISPr-Redirection-URL 4 string 2.0 URL which the clients will be redirected to after successful login.
WISPr-Session-Terminate-End-Of-Day 10 string 2.0 The end of the subscruber session at the end of the billing day.
WISPr-Session-Terminate-Time 9 string 2.0 Time, when the user should be disconnected; in "YYYY-MM-DDThh:mm:ssTZD", where Y - year; M - month; D - day; T - separator; h - hour (in 24h format); m - minute; s - second; TZD - time zone.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: