User Guide for Cisco Secure ACS Appliance 3.2 - TACACS+ Attribute-Value Pairs [Cisco Secure Access Control Server Solution Engine]

Table Of Contents

TACACS+ Attribute-Value Pairs

Cisco IOS AV Pair Dictionary

TACACS+ AV Pairs

TACACS+ Accounting AV Pairs

TACACS+ Attribute-Value Pairs

CiscoSecure AccessControlServer (ACS) Appliance supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value.

Cisco IOS AV Pair Dictionary

Before selecting TACACS+ AV pairs for CiscoSecure ACS, confirm that your AAA client is running CiscoIOS Release 11.2 or later. Earlier versions of Cisco IOS work with CiscoSecure ACS but do not fully support the TACACS+ features in CiscoSecure ACS.

Note If you specify a given AV pair in CiscoSecure ACS, you must also enable the corresponding AV pair in the CiscoIOS software running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If CiscoSecure ACS sends an AV pair to the AAA client that the CiscoIOS software does not support, that attribute is not implemented.

For more information on TACACS+ AV pairs, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients.

Note All TACACS+ values are strings. The concept of value "type" does not exist in TACACS+ as it does in Remote Access Dial-In User Service (RADIUS).

TACACS+ AV Pairs

Note Beginning with CiscoSecure ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:

addr
addr-pool
callback-dialstring

Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).

CiscoSecure ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ AV pairs supported in CiscoSecure ACS are as follows:

•acl=

•addr=

•addr-pool=

•autocmd=

•callback-dialstring

•callback-line

•callback-rotary

•cmd-arg=

•cmd=

•dns-servers=

•gw-password

•idletime=

•inacl#n

•inacl=

•interface-config=

•ip-addresses

•link-compression=

•load-threshold=n

•max-links=n

•nas-password

•nocallback-verify

•noescape=

•nohangup=

•old-prompts

•outacl#n

•outacl=

•pool-def#n

•pool-timeout=

•ppp-vj-slot-
compression

•priv-lvl=

•protocol=

•route

•route#n

•routing=

•rte-ftr-in#n

•rte-ftr-out#n

•sap#n

•sap-fltr-in#n

•sap-fltr-out#n

•service=

•source-ip=

•timeout=

•tunnel-id

•wins-servers=

•zonelist=

TACACS+ Accounting AV Pairs

CiscoSecure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ accounting AV pairs supported in CiscoSecure ACS are as follows:

•bytes_in

•bytes_out

•cmd

•data-rate

•disc-cause

•disc-cause-ext

•elapsed_time

•event

•mlp-links-max

•mlp-sess-id

•nas-rx-speed

•nas-tx-speed

•paks_in

•paks_out

•port

•pre-bytes-in

•pre-bytes-out

•pre-paks-in

•pre-paks-out

•pre-session-time

•priv_level

•protocol

•reason

•service

•start_time

•stop_time

•task_id

•timezone

•xmit-rate

	User Guide for Cisco Secure ACS Appliance 3.2
	TACACS+ Attribute-Value Pairs
User Guide for Cisco Secure ACS Appliance 3.2 Preface Overview Deployment Considerations Interface Configuration Network Configuration Shared Profile Components User Group Management User Management System Configuration: Basic System Configuration: Advanced System Configuration: Authentication and Certificates Logs and Reports Administrators and Administrative Policy User Databases Unknown User Policy User Group Mapping and Specification Troubleshooting TACACS+ Attribute-Value Pairs RADIUS Attributes VPDN Processing RDBMS Synchronization Import Definitions Internal Architecture Index	Download this chapter TACACS+ Attribute-Value Pairs Download the complete book User Guide for Cisco Secure ACS Appliance (whole-book pdf) (PDF - 6 MB) Feedback Table Of Contents TACACS+ Attribute-Value Pairs Cisco IOS AV Pair Dictionary TACACS+ AV Pairs TACACS+ Accounting AV Pairs TACACS+ Attribute-Value Pairs CiscoSecure AccessControlServer (ACS) Appliance supports Terminal Access Controller Access Control System (TACACS+) attribute-value (AV) pairs. You can enable different AV pairs for any supported attribute value. Cisco IOS AV Pair Dictionary Before selecting TACACS+ AV pairs for CiscoSecure ACS, confirm that your AAA client is running CiscoIOS Release 11.2 or later. Earlier versions of Cisco IOS work with CiscoSecure ACS but do not fully support the TACACS+ features in CiscoSecure ACS. Note If you specify a given AV pair in CiscoSecure ACS, you must also enable the corresponding AV pair in the CiscoIOS software running on the AAA client. Therefore, you must consider which AV pairs your Cisco IOS release supports. If CiscoSecure ACS sends an AV pair to the AAA client that the CiscoIOS software does not support, that attribute is not implemented. For more information on TACACS+ AV pairs, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. Note All TACACS+ values are strings. The concept of value "type" does not exist in TACACS+ as it does in Remote Access Dial-In User Service (RADIUS). TACACS+ AV Pairs Note Beginning with CiscoSecure ACS 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes: addr addr-pool callback-dialstring Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA). CiscoSecure ACS supports many TACACS+ AV pairs. For descriptions of these attributes, refer to Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ AV pairs supported in CiscoSecure ACS are as follows: •acl= •addr= •addr-pool= •autocmd= •callback-dialstring •callback-line •callback-rotary •cmd-arg= •cmd= •dns-servers= •gw-password •idletime= •inacl#n •inacl= •interface-config= •ip-addresses •link-compression= •load-threshold=n •max-links=n •nas-password •nocallback-verify •noescape= •nohangup= •old-prompts •outacl#n •outacl= •pool-def#n •pool-timeout= •ppp-vj-slot- compression •priv-lvl= •protocol= •route •route#n •routing= •rte-ftr-in#n •rte-ftr-out#n •sap#n •sap-fltr-in#n •sap-fltr-out#n •service= •source-ip= •timeout= •tunnel-id •wins-servers= •zonelist= TACACS+ Accounting AV Pairs CiscoSecure ACS supports many TACACS+ accounting AV pairs. For descriptions of these attributes, see Cisco IOS documentation for the release of Cisco IOS running on your AAA clients. TACACS+ accounting AV pairs supported in CiscoSecure ACS are as follows: •bytes_in •bytes_out •cmd •data-rate •disc-cause •disc-cause-ext •elapsed_time •event •mlp-links-max •mlp-sess-id •nas-rx-speed •nas-tx-speed •paks_in •paks_out •port •pre-bytes-in •pre-bytes-out •pre-paks-in •pre-paks-out •pre-session-time •priv_level •protocol •reason •service •start_time •stop_time •task_id •timezone •xmit-rate
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks