where can be found cisco-av-pair syntax ?

guillerm · ‎01-26-2004

I want to download per user or per group ACL from ACS to IOS router ;

where can I find the syntax to code the CISCO av-pair, in ACS, to allow such functions ?

thanks in advance

sanpatel · ‎01-26-2004

the general RADIUS attribute reference page is here:

look at attr 26 here. it says that cisco-avpair supports the T+ values.

Allows vendors to support their own extended attributes not suitable for

general use. The Cisco RADIUS implementation supports one

vendor-specific option using the format recommended in the

specification. Cisco's vendor-ID is 9, and the supported option has

vendor-type 1, which is named "cisco-avpair." The value is a string of

the format:

protocol : attribute sep value

"Protocol" is a value of the Cisco "protocol" attribute for a particular

type of authorization. "Attribute" and "value" are an appropriate AV

pair defined in the Cisco TACACS+ specification, and "sep" is "=" for

mandatory attributes and "*" for optional attributes. This allows the

full set of features available for TACACS+ authorization to also be used

for RADIUS. For example:

cisco-avpair= "ip:addr-pool=first"

cisco-avpair= "shell:priv-lvl=15"

T+ list:

You'll find ACLs in that T+ list.

plotniku7 · ‎11-13-2012

Hi,

i used next AV string, is it the right one:

lcp:interface-config#1=switchport protected

i want to send "switchport protected" to the port.

the switch does not accept it.