About the ciscoavpair Radius Attribute

The first attribute in the Cisco IOS/PIX 6.0 RADIUS implementation, cisco-av-pair, supports the inclusion of many AV pairs by using the following format:

attribute sep value where attribute and value are an AV pair supported by the releases of IOS implemented on your AAA clients, and sep is = for mandatory attributes and asterisk (*) for optional attributes. You can then use the full set of Terminal Access Controller Access Control System (TACACS+) authorization features for RADIUS.

Note The attribute name in an AV pair is case sensitive. Typically, attribute names are all in lowercase letters.

The following is an example of two AV pairs included in a single Cisco IOS/PIX 6.0 RADIUS

cisco-av-pair attribute:

ip:addr-pool=first shell:priv-lvl=15

The first example activates the Cisco multiple named IP address pools feature during IP authorization (during PPP IPCP address assignment). The second example immediately grants access to a user of a device-hosted administrative session to EXEC commands.

In IOS, support for Network Admission Control (NAC) includes the use of the following AV pairs:

• url-redirect—Enables the AAA client to intercept an HTTP request and redirect it to a new URL. This pair is especially useful if the result of posture validation indicates that the NAC-client computer requires an update or patch that you have made available on a remediation web server. For example, a user can be redirected to a remediation web server to download and apply a new virus DAT file or an operating system patch. For example:


• posture-token—Enables ACS to send a text version of a system posture token (SPT) derived by posture validation. The SPT is always sent in numeric format and using the posture-token AV pair renders the result of a posture validation request more easily read on the AAA client. For example:


Caution The posture-token AV pair is the only way that ACS notifies the AAA client of the SPT that posture validation returns. Because you manually configure the posture-token AV pair, errors in configuring the posture-token can cause the incorrect system posture token to be sent to the AAA client or; if the AV pair name is mistyped, the AAA client will not receive the system posture token at all.

For a list of valid SPTs, see Posture Tokens, page 14-3.

• status-query-timeout—Overrides the status-query default value of the AAA client with the value that you specify, in seconds. For example:


For more information about AV pairs that IOS supports, refer to the documentation for the releases of IOS implemented on your AAA clients.

+1 0

Post a comment