Radius VSA 26 cisco-avpair

Unanswered Question
Nov 2nd, 2009

Hi all,


I couldn't find any details on how to use RADIUS Vendor-Specific Attributes (VSA) 26, cisco av-pair, but only some samples like:

cisco-avpair= "shell:priv-lvl=15"

Is there a FULL list of these attributes with correct syntax explained for IOS 12.4 and ASA 8.x anywhere? Your response is much appreciated.


Overall Rating: 5 (1 ratings)
darpotter Tue, 11/03/2009 - 02:01

For the most part you can put any IOS TACACS+ attribute into the cisco-av-pair using the format


service:attr=value


e.g.


ip:ip-addr=x.x.x.x

ip:inacl=blah


There's an IOS dictionary here: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_TACAtr.pdf


What isn't documented very well are the instances of cisco-av-pair that various groups within Cisco have created for their own devices.
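
The `service:attr=value` format described above, as carried inside RADIUS attribute 26 (an added example, not part of the original posts): it encodes a cisco-avpair as a Vendor-Specific attribute (Cisco vendor ID 9, vendor type 1, layout per RFC 2865) and decodes the pairs from an attribute list so that granted authorizations such as `shell:priv-lvl=15` can be audited. The function names and the sample bytes are constructed for illustration; treating `*` as the separator of an optional pair follows Cisco's AV-pair syntax and is not mentioned in the thread.

```python
import struct

VSA_TYPE = 26           # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9     # Cisco's IANA enterprise number
CISCO_AVPAIR_TYPE = 1   # vendor sub-type used for cisco-avpair


def encode_avpair(avpair: str) -> bytes:
    """Wrap one 'service:attr=value' string in a VSA 26 attribute."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("av-pair too long for one RADIUS attribute")
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def split_avpair(avpair: str):
    """Return (service, attr, value, mandatory); '*' marks an optional pair."""
    service, colon, rest = avpair.partition(":")
    cuts = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not service or not colon or not cuts:
        raise ValueError(f"not service:attr=value: {avpair!r}")
    cut = min(cuts)  # the first separator ends the attribute name
    return service, rest[:cut], rest[cut + 1:], rest[cut] == "="


def cisco_avpairs(attrs: bytes):
    """Walk a RADIUS attribute list and decode every cisco-avpair in it."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute length")
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]  # one or more vendor sub-attributes
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == CISCO_AVPAIR_TYPE:
                found.append(split_avpair(sub[2:sub[1]].decode("ascii")))
            sub = sub[sub[1]:]
    return found


# Constructed sample: a User-Name attribute followed by two cisco-avpairs.
SAMPLE = (bytes([1, 7]) + b"alice" + encode_avpair("shell:priv-lvl=15")
          + encode_avpair("ip:inacl=blah"))
```
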



pengfang Tue, 11/03/2009 - 21:30

Thanks for the reply. The problem is that there are no explanations of how to use these attributes, such as which "service" and "value" these attributes belong to and which application they apply to.

darpotter Wed, 11/04/2009 - 04:54

For ASA with RADIUS the most likely service is just going to be "ip", isn't it?


ACS already sends ip:inacl=xxxx to PIX/ASA as part of the Downloadable ACLs feature.


AFAIK that's the only support the ASA has for cisco-av-pair.
