New Member

Where can the cisco-av-pair syntax be found?

I want to download a per-user or per-group ACL from ACS to an IOS router.

Where can I find the syntax to code the Cisco AV pair in ACS to allow such functions?

Thanks in advance.

2 REPLIES
New Member

Re: Where can the cisco-av-pair syntax be found?

The general RADIUS attribute reference page is here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/sec_vcg.htm#999546

Look at attr 26 here. It says that cisco-avpair supports the T+ values.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fappendx/fradattr/scfrdat1.htm#1004779

Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:

protocol : attribute sep value

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example:

cisco-avpair= "ip:addr-pool=first"

cisco-avpair= "shell:priv-lvl=15"

T+ list:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fappendx/scftacat.htm

You'll find ACLs in that T+ list.
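
The attribute 26 format quoted in the reply above, as an added example that is not part of the original posts or of any Cisco code: it parses the "protocol:attribute sep value" string and wraps it in a vendor-specific attribute with vendor-ID 9 and vendor-type 1. The 8-byte header layout is the standard RADIUS vendor-specific encoding from RFC 2865, and the function names are hypothetical.

```python
import re
import struct
from typing import NamedTuple

VENDOR_SPECIFIC = 26    # RADIUS attribute type for vendor-specific data
CISCO_VENDOR_ID = 9     # vendor-ID from the quoted reference
CISCO_AVPAIR = 1        # vendor-type 1, "cisco-avpair"

class AVPair(NamedTuple):
    protocol: str
    attribute: str
    mandatory: bool     # True for "=", False for "*"
    value: str

# The first "=" or "*" after the attribute name is the separator;
# any later "=" or "*" belongs to the value.
_AVPAIR_RE = re.compile(r"([^:=*]+):([^=*]+)([=*])(.*)", re.DOTALL)

def parse_avpair(text: str) -> AVPair:
    m = _AVPAIR_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not in 'protocol:attribute sep value' form: {text!r}")
    protocol, attribute, sep, value = m.groups()
    return AVPair(protocol, attribute, sep == "=", value)

def encode_vsa(text: str) -> bytes:
    """Wrap an AV string in attribute 26 using the RFC 2865 VSA layout."""
    parse_avpair(text)                      # reject malformed strings early
    payload = text.encode("ascii")
    if len(payload) > 247:                  # 255 minus 8 header bytes
        raise ValueError("AV string too long for one attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(payload),
                       CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(payload)) + payload

def decode_vsa(blob: bytes) -> AVPair:
    """Validate the attribute 26 header, then parse the AV string."""
    if len(blob) < 8:
        raise ValueError("truncated attribute")
    atype, alen, vendor, vtype, vlen = struct.unpack("!BBIBB", blob[:8])
    if atype != VENDOR_SPECIFIC or alen != len(blob) or vlen != alen - 6:
        raise ValueError("bad attribute 26 framing")
    if vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
        raise ValueError("not a cisco-avpair sub-attribute")
    return parse_avpair(blob[8:].decode("ascii"))

if __name__ == "__main__":
    for s in ("ip:addr-pool=first", "shell:priv-lvl=15"):   # examples from the post
        print(decode_vsa(encode_vsa(s)))
```
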

New Member

Where can the cisco-av-pair syntax be found?

Hi,

I used the following AV string; is it the right one?

lcp:interface-config#1=switchport protected

I want to send "switchport protected" to the port.

The switch does not accept it.
