ISE Network Access Attributes

The Type field in the tables below uses one of five data types as defined in RFC 2865 - Remote Authentication Dial In User Service (RADIUS).

  • text : 1-253 octets containing UTF-8 encoded characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead. Note that type "text" is a subset of type "string".
  • string : 1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.
  • address : 32-bit value, most significant octet first.
  • integer : 32-bit unsigned value, most significant octet first.
  • time : 32-bit unsigned value, most significant octet first -- seconds since 00:00:00 UTC, January 1, 1970. The standard Attributes do not use this data type but it is presented here for possible use in future attributes.

RADIUS Dictionary Files

Legacy RADIUS Dictionary file for Cisco AireOS Controller

Airespace

This RADIUS dictionary is provided in ISE by default.

Attribute | # | Type | ISE Version | Available | Usage Description
--- | --- | --- | --- | --- | ---
Aire-Data-Bandwidth-Average-DownStream-Contract | 7 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile.
Aire-Data-Bandwidth-Average-UpStream-Contract | 13 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Data Bandwidth Average Contract value overrides the Average Data Rate value present in the WLAN or QoS Profile.
Aire-Data-Bandwidth-Burst-DownStream-Contract | 9 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile. The fields are transmitted from left to right.
Aire-Data-Bandwidth-Burst-UpStream-Contract | 15 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for non-realtime traffic such as TCP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Data Bandwidth Burst Contract value overrides the Burst Data Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Average-DownStream-Contract | 8 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Average-UpStream-Contract | 14 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Average Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Real Time Bandwidth Average Contract value overrides the Average Real-Time Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Burst-DownStream-Contract | 10 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the downstream direction, from wired to wireless. When present in a RADIUS Access-Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile.
Aire-Real-Time-Bandwidth-Burst-UpStream-Contract | 16 | int32 | | Authentication, Authorization | This attribute is a rate limiting value. It indicates the Data Bandwidth Burst Contract that will be applied to a client for realtime traffic such as UDP. This value is specific to the upstream direction, from wireless to wired. When present in a RADIUS Access-Accept, the Real Time Bandwidth Burst Contract value overrides the Burst Real-Time Rate value present in the WLAN or QoS Profile.
Airespace-8021p-Tag | 4 | string | | Authentication, Authorization | 802.1p VLAN tag received from the client, defining the access priority. This tag maps to the QoS Level for client-to-network packets. This attribute defines the 802.1p priority to be applied to the client. When present in a RADIUS Access-Accept, the 802.1p value overrides the default specified in the WLAN profile.
Airespace-ACL-Name | 6 | string | | Authentication, Authorization | Match based on the Airespace-ACL-Name assigned to the user.
Airespace-DSCP | 3 | string | | Authentication, Authorization | Match based on Airespace-DSCP. This value might be assigned to an entire WLAN, or it can be returned as part of an Access-Accept from the RADIUS server.
Airespace-Guest-Role-Name | 11 | string | | Authentication, Authorization | Match based on the Airespace-Guest-Role value. Normally the attribute value is initially assigned by the RADIUS server during the authentication process. The goal of the attribute is to assign a QoS role to a guest user.
Airespace-Interface-Name | 5 | string | | Authentication, Authorization | Match based on the Interface Name value. The Interface-Name attribute indicates the VLAN interface a client is to be associated with. Note: This attribute only works when MAC filtering is enabled or if 802.1X or WPA is used as the security policy.
Airespace-QOS-Level | 2 | string | | Authentication, Authorization | Match based on QoS Level. The QoS-Level attribute indicates the Quality of Service level to be applied to the mobile client's traffic within the switching fabric, as well as over the air.
Airespace-Wlan-Id | 1 | string | | Authentication, Authorization | Match based on the WLAN ID value. On a single WLC each WLAN has a unique ID; across different WLCs the SSID name might be identical while the WLAN ID value differs.


Alcatel-Lucent

Attribute | # | Type | ISE Version | Usage Description
--- | --- | --- | --- | ---
Alcatel-Acce-Priv-F-R1 | 39 | hex | | Configures functional read privileges for the user.
Alcatel-Acce-Priv-F-R2 | 40 | hex | | Configures functional read privileges for the user.
Alcatel-Acce-Priv-F-W1 | 41 | hex | | Configures functional write privileges for the user.
Alcatel-Acce-Priv-F-W2 | 42 | hex | | Configures functional write privileges for the user.
Alcatel-Acce-Priv-G1 | 37 | | |
Alcatel-Acce-Priv-G2 | 38 | | |
Alcatel-Acce-Priv-R1 | 33 | | |
Alcatel-Acce-Priv-R2 | 34 | | |
Alcatel-Acce-Priv-W1 | 35 | | |
Alcatel-Acce-Priv-W2 | 36 | | |
Alcatel-Access-Policy-List | 100 | string | | a) For 802.1X and MAC authenticated users, this attribute overwrites the initial role that is applied based on the policy list associated with the assigned UNP. b) For Captive-Portal authenticated users, this attribute assigns a post-login role for the user.
Alcatel-Access-Priv | 16 | | |
Alcatel-Asa-Access | 9 | string | | Specifies that the user has access to the switch. The only valid value is all.
Alcatel-Auth-Group | 1 | integer | | The authenticated VLAN number. The only protocol associated with this attribute is Ethernet II. If other protocols are required, use the protocol attribute instead.
Alcatel-Auth-Group-Protocol | 8 | string | | The protocol associated with the VLAN. Must be configured for access to other protocols. Values include: IP_E2, IP_SNAP, IPX_E2, IPX_NOV, IPX_LLC, IPX_SNAP
Alcatel-Client-IP-Addr | 4 | address | | The IP address used for Telnet only.
Alcatel-End-User-Profile | 10 | string | | Specifies the name of an associated end-user profile.
Alcatel-Group-Desc | 5 | string | | Description of the authenticated VLAN.
Alcatel-Nms-Description | 23 | | |
Alcatel-Nms-First-Name | 21 | | |
Alcatel-Nms-Group | 20 | | |
Alcatel-Nms-Last-Name | 22 | string | |
Alcatel-Port-Desc | 6 | | | Description of the port. The VSA layout is given in the note below this table.
Alcatel-Profil-Numb | 7 | | |
Alcatel-Redirection-Status | 102 | string | |
Alcatel-Redirection-URL | 101 | string | | Configures ClearPass to send a redirection URL as part of the RADIUS response, redirecting the user's web traffic.
Alcatel-Slot-Port | 2 | string | | Slot(s)/port(s) valid for the user.
Alcatel-Time-of-Day | 3 | string | | The time of day valid for the user to authenticate.

Alcatel-Port-Desc is currently defined in the Alcatel dictionary as:

  • RADIUS attribute type = 26 (VSA)
  • VSA Vendor ID = 800
  • VSA Type = 26
  • VSA format = string

This attribute is included in all RADIUS messages sent by an Alcatel-Lucent OmniSwitch (Access-Request, Accounting-Request Start, Accounting-Request Interim and Accounting-Request Stop). The attribute is set to the alias configured for the port. When the alias is not set, the VSA will be an empty string.
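As an added example (written for this page, not ISE's or Alcatel-Lucent's code), the following Python encodes and parses a type-26 VSA using the RFC 2865 data types listed at the top of the page and the Alcatel-Port-Desc layout just described (Vendor ID 800, VSA type 26, format string). The port alias, the round-trip helper and the constant names are constructed for the example; the decoder checks every length field so a truncated or inconsistent attribute is rejected rather than partially accepted.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type shared by every VSA
ALCATEL_VENDOR_ID = 800     # Vendor ID from the Alcatel-Port-Desc entry above
ALCATEL_PORT_DESC = 26      # Alcatel-Port-Desc vendor-type (format string)
ALCATEL_CLIENT_IP_ADDR = 4  # Alcatel-Client-IP-Addr (#4, type address)
ALCATEL_AUTH_GROUP = 1      # Alcatel-Auth-Group (#1, type integer)
MAX_VSA_VALUE = 247         # 255 max attribute - 2 header - 4 vendor id - 2 sub-header


def encode_value(data_type, value):
    """Serialize one value as the RFC 2865 data type named in the dictionary.
    Returns None when RFC 2865 says the attribute must be omitted entirely."""
    if data_type == "text":
        raw = value.encode("utf-8")
    elif data_type == "string":
        raw = bytes(value)
    elif data_type == "address":
        raw = ipaddress.IPv4Address(value).packed      # 32 bits, MSB first
    elif data_type in ("integer", "time"):
        raw = struct.pack("!I", value)                  # 32-bit unsigned, MSB first
    else:
        raise ValueError(f"unknown RFC 2865 data type {data_type!r}")
    if data_type in ("text", "string") and not raw:
        return None   # zero-length text/string MUST NOT be sent; omit the attribute
    return raw


def decode_value(data_type, raw):
    """Inverse of encode_value; rejects lengths that do not fit the data type."""
    if data_type == "text":
        return raw.decode("utf-8")
    if data_type == "string":
        return bytes(raw)
    if data_type == "address":
        if len(raw) != 4:
            raise ValueError("address must be exactly 4 octets")
        return str(ipaddress.IPv4Address(raw))
    if data_type in ("integer", "time"):
        if len(raw) != 4:
            raise ValueError(f"{data_type} must be exactly 4 octets")
        return struct.unpack("!I", raw)[0]
    raise ValueError(f"unknown RFC 2865 data type {data_type!r}")


def encode_vsa(vendor_id, vendor_type, data_type, value):
    """Build one VSA laid out as RFC 2865 section 5.26 describes:
    Type(26) | Length | Vendor-Id | Vendor-Type | Vendor-Length | value.
    Returns b"" when the attribute must be omitted (empty text/string)."""
    raw = encode_value(data_type, value)
    if raw is None:
        return b""
    if len(raw) > MAX_VSA_VALUE:
        raise ValueError("VSA value exceeds 247 octets")
    sub = struct.pack("!BB", vendor_type, 2 + len(raw)) + raw
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def decode_vsa(buf, data_type="string"):
    """Parse one VSA into (vendor_id, vendor_type, value). Every length field is
    checked so a truncated or inconsistent attribute raises instead of being
    silently accepted with a partial value."""
    if len(buf) < 9:     # header 6 + sub-header 2 + at least one value octet
        raise ValueError("VSA too short")
    attr_type, length, vendor_id = struct.unpack("!BBI", buf[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(buf):
        raise ValueError("bad VSA header")
    vendor_type, vendor_len = struct.unpack("!BB", buf[6:8])
    if vendor_len != length - 6 or vendor_len < 3:
        raise ValueError("vendor-length inconsistent with attribute length")
    value = decode_value(data_type, buf[8:8 + vendor_len - 2])
    return vendor_id, vendor_type, value


def port_desc_round_trip(alias):
    """Encode an Alcatel-Port-Desc VSA for a (constructed) port alias and decode it back."""
    wire = encode_vsa(ALCATEL_VENDOR_ID, ALCATEL_PORT_DESC, "string", alias.encode())
    return wire, decode_vsa(wire, "string")


if __name__ == "__main__":
    wire, parsed = port_desc_round_trip("uplink-to-core")   # constructed alias
    print(wire.hex(), parsed)
```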

OmniSwitch AOS Release 8 Network Configuration Guide

https://books.google.pl/books?id=r2zrBwAAQBAJ&pg=PA78&lpg=PA78&dq=%22Alcatel-Auth-Group%22&source=bl&ots=wDwKRw7SKy&sig=…

Aruba

Attribute | # | Type | ISE Version | Usage Description
--- | --- | --- | --- | ---
Aruba-Admin-Role | 4 | | | This VSA returns the management role to be assigned to the user post management authentication. This role can be seen using the command show mgmt-role in the command-line interface.
Aruba-AirGroup-Device-Type | 27 | integer | | A value of 1 for this VSA indicates that the device authenticating on the network is a personal device and a value of 2 indicates that it is a shared device.
Aruba-AirGroup-Shared-Role | 26 | string | | This VSA contains a comma separated list of user roles with whom the device is shared.
Aruba-AirGroup-Shared-User | 25 | string | | This VSA contains a comma separated list of user names with whom the device is shared.
Aruba-AirGroup-User-Name | 24 | string | | A device owner or username associated with the device.
Aruba-AP-Group | 10 | string | | String that identifies the name of an Aruba AP Group.
Aruba-AS-Credential-Hash | 30 | string | | The Auth survivability feature uses the VSA for Instant APs. The CPPM sends the NT hash of the password to the Instant AP, which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable.
Aruba-AS-User-Name | 29 | string | | The Auth survivability feature uses the VSA for Instant APs. The CPPM sends the actual user name to the Instant AP, which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable.
Aruba-Auth-Survivability | 28 | string | | The Instant AP Auth survivability feature uses the VSA to indicate that the CPPM server sends the Aruba-AS-User-Name and Aruba-AS-Credential-Hash values. This attribute is just used as a flag with no specific value required.
Aruba-CPPM-Role | 23 | | |
Aruba-Device-Type | 12 | string | | String that identifies an Aruba device on the network.
Aruba-Essid-Name | 5 | string | | String that identifies the name of the ESSID.
Aruba-Framed-IPv6-Address | 11 | string | | This attribute is used for RADIUS accounting for IPv6 users.
Aruba-Location-Id | 6 | string | | String that identifies the name of the AP location.
Aruba-Mdps-Device-Iccid | 17 | | | ICCID is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. ICCID checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Imei | 16 | string | | IMEI is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. IMEI checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Name | 19 | string | | The device name is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device name checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Product | 20 | string | | The device product is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Product checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Profile | 33 | | | Attribute allows CPPM to signal back to the onboard process the device profile that should be applied to the device based on applied role mappings.
Aruba-Mdps-Device-Serial | 22 | string | | The device serial number is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Serial checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Udid | 15 | string | | UDID is a unique device identifier which is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the ClearPass Policy Manager (CPPM). The UDID is used to check against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Device-Version | 21 | string | | The device version is used as an input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Version checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded.
Aruba-Mdps-Max-Devices | 18 | string | | Used by Onboard as a way to define and enforce the maximum number of devices that can be provisioned by a given user.
Aruba-Mdps-Provisioning-Settings | 32 | string | | Attribute allows the CPPM to signal back to the onboard process the context of the device provisioning settings that should be applied to the device based on applied role mappings.
Aruba-MMS-User-Template | 8 | string | | String that identifies the name of an Aruba user template.
Aruba-Named-User-Vlan | 9 | string | | This VSA returns a VLAN name for a user. This VLAN name on a controller could be mapped to a user-defined name or to multiple VLAN IDs.
Aruba-No-DHCP-Fingerprint | 14 | string | | This VSA prevents the controller from deriving a role and VLAN based on DHCP fingerprinting.
Aruba-Port-Identifier | 7 | string | | String that identifies the Port ID.
Aruba-Priv-Admin-User | 3 | integer | | If this VSA is set in the RADIUS accept message, the user can bypass the enable prompt.
Aruba-User-Role | 1 | string | | This VSA returns the role to be assigned to the user post authentication. The user will be granted access based on the role attributes defined in the role.
Aruba-User-Vlan | 2 | integer | | This VSA is used to return the VLAN to be used by the client. The range for this VSA value is 1 to 4094, inclusive.
Aruba-WorkSpace-App-Name | 31 | string | | This VSA identifies an application supported by Aruba WorkSpace.


Brocade

Attribute | # | Type | ISE Version | Usage Description
--- | --- | --- | --- | ---
Brocade-Auth-Role | 1 | string | | The user logs in using the permissions specified with Brocade-Auth-Role. The valid permissions include root, admin, switchAdmin, zoneAdmin, securityAdmin, basic SwitchAdmin, fabricAdmin, operator, and user. You must use quotation marks around "password" and "role".
Brocade-AVPairs1 | 2 | string | | Admin Domain or Virtual Fabric member list
Brocade-AVPairs2 | 3 | string | | Admin Domain or Virtual Fabric member list
Brocade-AVPairs3 | 4 | string | | Admin Domain or Virtual Fabric member list
Brocade-AVPairs4 | 5 | string | | Admin Domain or Virtual Fabric member list
Brocade-Passwd-ExpiryDate | 6 | string | | Date when the password will expire. Format: MM/DD/YYYY in UTC
Brocade-Passwd-WarnPeriod | 7 | integer | | Days until the warning message regarding password expiry


Certificate

Attribute | Type / Values | ISE Version | Available | Usage Description
--- | --- | --- | --- | ---
Binary Encoded | Binary certificate | | Authorization | Check binary certificate value
Days to Expiry | 0-15 | | | This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires.
Extended Key Usage - Name | | | Authorization | Match based on one of the following extended key usage purposes:
| clientAuth | | | Match based on presence or absence of the Client Authentication purpose in the extended key usage field
| codeSigning | | | Match based on presence or absence of the Code Signing purpose in the extended key usage field
| emailProtection | | | Match based on presence or absence of the Email Protection purpose in the extended key usage field
| msCodeCom | | | Match based on presence or absence of the Microsoft Commercial Code Signing purpose in the extended key usage field
| msCTLSign | | | Match based on presence or absence of the Microsoft Trust List Signing purpose in the extended key usage field
| msCodeInd | | | Match based on presence or absence of the Microsoft Individual Code Signing purpose in the extended key usage field
| msEFS | | | Match based on presence or absence of the Microsoft Encrypted File System purpose in the extended key usage field
| msSGC | | | Match based on presence or absence of the Microsoft Server Gated Crypto purpose in the extended key usage field
| nsSGC | | | Match based on presence or absence of the Netscape Server Gated Crypto purpose in the extended key usage field
| OCSPSigning | | | Match based on presence or absence of the OCSP Signing purpose in the extended key usage field
| serverAuth | | | Match based on presence or absence of the Server Authentication purpose in the extended key usage field
| timeStamping | | | Match based on presence or absence of the Trusted Timestamping purpose in the extended key usage field
Extended Key Usage - OID | | | |
Is Expired | boolean: True, False | | | This Boolean attribute indicates whether a certificate has expired or not. If you want to allow certificate renewal only when the certificate is near expiry and not after it has expired, use this attribute in an authorization policy condition.
Issuer | string | | Authorization | Match based on the entire issuer subject value
Issuer - Common Name | string | | Authorization | Match based on any data in the issuer field
Issuer - Country | string | | Authorization | Match based on the country name value in the issuer field
Issuer - Domain Component | string | | Authorization | Match based on the issuer domain name value
Issuer - Email | string | | Authorization | Match based on the issuer email address value
Issuer - Location | string | | Authorization | Match based on the issuer LocalityName value
Issuer - Organization | string | | Authorization | Match based on the issuer Organization value
Issuer - Organization Unit | string | | Authorization | Match based on the issuer Organization Unit value
Issuer - Serial Number | string | | Authorization | Match based on the issuer Serial Number value
Issuer - State or Province | string | | Authorization | Match based on the issuer State or Province value
Issuer - Street Address | string | | Authorization | Match based on the issuer Street Address value
Issuer - User ID | string | | Authorization | Match based on the issuer User ID value
Key Usage | string | | Authorization | Match based on one of the following key usage values:
| cRLSign | | | Use when the subject public key is to verify a signature on revocation information, such as a CRL
| dataEncipherment | | | Use when the public key is used for encrypting user data, other than cryptographic keys.
| decipherOnly | | | Use only when key agreement is also enabled. This enables the public key to be used only for deciphering data while performing key agreement.
| digitalSignature | | | Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing.
| encipherOnly | | | Use only when key agreement is also enabled. This enables the public key to be used only for enciphering data while performing key agreement.
| keyAgreement | | | Use when the sender and receiver of the public key need to derive the key without using encryption. This key can then be used to encrypt messages between the sender and receiver. Key agreement is typically used with Diffie-Hellman ciphers.
| keyCertSign | | | Use when the subject public key is used to verify a signature on certificates. This extension can be used only in CA certificates.
| keyEncipherment | | | Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. The SSL protocol also performs key encipherment.
| nonRepudiation | | | Use when the public key is used to verify digital signatures used to provide a non-repudiation service. Non-repudiation protects against the signing entity falsely denying some action (excluding certificate or CRL signing).
Serial Number | string | | Authorization | Match based on the identity certificate Serial Number
Subject | string | | Authorization | Match based on the entire Subject value provided in the identity certificate
Subject - Common Name | string | | Authorization | Match based on the Subject Common Name of the identity certificate
Subject - Country | string | | Authorization | Match based on the country value from the identity certificate subject
Subject - Domain Component | string | | Authorization | Match based on the domain component from the identity certificate subject
Subject - Email | string | | Authorization | Match based on the email address from the identity certificate subject
Subject - Location | string | | Authorization | Match based on the location from the identity certificate subject
Subject - Organization | string | | Authorization | Match based on the organization from the identity certificate subject
Subject - Organization Unit | string | | Authorization | Match based on the organizational unit from the identity certificate subject
Subject - Serial Number | string | | Authorization | Match based on the serial number from the identity certificate subject
Subject - State or Province | string | | Authorization | Match based on the state or province value from the identity certificate subject
Subject - Street Address | string | | Authorization | Match based on the street address value from the identity certificate subject
Subject - User ID | string | | Authorization | Match based on the User ID value from the identity certificate subject
Subject Alternative Name | string | | Authorization | Match based on the Subject Alternative Name value from the identity certificate
Subject Alternative Name - DNS | string | | Authorization | Match based on the Subject Alternative Name value with type DNS from the identity certificate
Subject Alternative Name - EMail | string | | Authorization | Match based on the Subject Alternative Name value with type email from the identity certificate
Subject Alternative Name - Other Name | string | | Authorization | Match based on the Subject Alternative Name value with type other from the identity certificate
Template Name | string | | Authorization | Match based on the certificate template name


Cisco

This RADIUS dictionary is provided in ISE by default.

Attribute | # | Type | ISE Version | Usage Description
--- | --- | --- | --- | ---
cisco-abort-cause | 21 | | | If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server.
cisco-account-info | 250 | | |
cisco-assign-ip-pool | 218 | | |
cisco-av-pair | 1 | | | The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string.
cisco-call-filter | 243 | | |
cisco-call-id | 141 | | |
cisco-call-type | 19 | | | Type of call activity: fax receive or fax send.
cisco-command-code | 252 | | |
cisco-control-info | 253 | | |
cisco-data-filter | 242 | | |
cisco-data-rate | 197 | | |
cisco-disconnect-cause | 195 | | |
cisco-email-server-ack-flag | 17 | | | Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message.
cisco-email-server-address | 16 | | | IP address of the e-mail server handling the on-ramp fax-mail message.
cisco-fax-account-id-origin | 3 | | | Account ID origin as defined by the system administrator for the mmoip aaa receive-id or mmoip aaa send-id command.
cisco-fax-auth-status | 15 | | | Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown.
cisco-fax-connect-speed | 8 | | | Modem speed at which this fax mail was initially sent or received. Possible values are 1200, 4800, 9600, and 14400.
cisco-fax-coverpage-flag | 6 | | | True/false flag that indicates whether a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated, and false indicates that a cover page was not generated.
cisco-fax-dsn-address | 11 | | | Address to which DSNs are sent.
cisco-fax-dsn-flag | 12 | | | True/false flag to indicate whether DSN is enabled. True indicates that DSN is enabled, and false indicates that DSN is not enabled.
cisco-fax-mdn-address | 13 | | | Address to which MDNs are sent.
cisco-fax-mdn-flag | 14 | | | True/false flag to indicate whether MDN is enabled. True indicates that MDN is enabled, and false indicates that MDN is not enabled.
cisco-fax-modem-time | 7 | | | Number of seconds it takes to send fax data (x) and to complete the entire fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds and that the full fax session took 15 seconds.
cisco-fax-msg-id | 4 | | | Unique fax message identification number assigned by store-and-forward fax.
cisco-fax-pages | 5 | | | Number of pages sent or received during a fax session, including cover pages.
cisco-fax-process-abort-flag | 10 | | | True/false flag that indicates whether the fax session was aborted or successful. True indicates that the session was aborted, and false indicates that the session was successful.
cisco-fax-recipient-count | 9 | | | Number of recipients for this fax transmission. Until e-mail servers support session mode, the number should be 1.
cisco-gateway-id | 18 | | | Name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name
cisco-gw-final-xlated-cdn | 113 | | |
cisco-gw-final-xlated-cgn | 117 | | |
cisco-gw-rxd-cdn | 112 | | |
cisco-gw-rxd-cgn | 116 | | |
cisco-h323-billing-model | 109 | | |
cisco-h323-credit-amount | 101 | h323-credit-amount=1.00 | | Total amount available to the user, for announcement via IVR or other means.
cisco-h323-credit-time | 102 | | |
cisco-h323-currency | 110 | h323-currency=USD | | Currency code (ISO 4217).
cisco-h323-preferred-lang | 107 | h323-preferred-lang=en | | Preferred IVR language, if available (ISO 639-1).
cisco-h323-prompt-id | 104 | | |
cisco-h323-redirect-ip-address | 108 | | |
cisco-h323-redirect-number | 106 | | |
cisco-h323-return-code | 103 | h323-return-code=0 | | Return code; 0 for success.
cisco-h323-time-and-day | 105 | | |
cisco-idle-limit | 244 | | |
cisco-incoming-req-uri | 146 | | |
cisco-ip-direct | 209 | | |
cisco-ip-pool-definition | 217 | | |
cisco-link-compression | 233 | | |
cisco-maximum-channels | 235 | | |
cisco-maximum-time | 194 | | |
cisco-method | 143 | | |
cisco-multilink-id | 187 | | |
cisco-nas-port | 2 | | | Specifies additional vendor specific attribute (VSA) information for NAS-Port accounting. To specify additional NAS-Port information in the form of an Attribute-Value Pair (AVPair) string, use the radius-server vsa send global configuration command. Note: This VSA is typically used in Accounting, but may also be used in Authentication (Access-Request) packets.
cisco-next-hop-dn | 149 | | |
cisco-next-hop-ip | 148 | | |
cisco-num-in-multilink | 188 | | |
cisco-outgoing-req-uri | 147 | | |
cisco-policy-down | 38 | | |
cisco-policy-up | 37 | | |
cisco-port-used | 20 | | | Slot/port number used to send or receive this fax mail.
cisco-ppp-async-map | 212 | | |
cisco-ppp-vj-slot-comp | 210 | | | Slot/port number used to send or receive this fax mail.
cisco-pre-input-octets | 190 | | |
cisco-pre-input-packets | 192 | | |
cisco-pre-output-octets | 191 | | |
cisco-pre-output-packets | 193 | | |
cisco-presession-time | 198 | | |
cisco-prev-hop-ip | 145 | | | String of the form ip-address[:port][/protocol], where "port" is an optional parameter giving the transport layer port number (default 5060) and "protocol" is an optional parameter giving the transport layer protocol (default UDP). Valid values: TCP and UDP; because the proxy does not support TCP, this parameter is never included.
cisco-prev-hop-via | 144 | | |
cisco-pw-lifetime | 208 | | |
cisco-release-source | 115 | | |
cisco-remote-media-address | 114 | | |
cisco-route-ip | 228 | | |
cisco-service-info | 251 | | | The value "Z" indicates that authorization is required.
cisco-session-protocol | 142 | string | | Available strings: other, cisco, h323, multicast, sipv2, sdp, frf11-trunk, cisco-switched, MarsAnalog, C1000Isdn, aal2-trunk
cisco-sip-conf-id | 100 | | |
cisco-sip-hdr | 150 | | | String including a SIP header formatted as per RFC 2543.
cisco-subscriber | 111 | | |
cisco-target-util | 234 | | |
cisco-xmit-rate | 255 | | |
h323-call-origin | 26 | | | Indicates the origin of the call relative to the gateway. Possible values are originating and terminating, which are equivalent to originate and answer in the Call-Origin field.
h323-call-type | 27 | | | Indicates the call leg type. Possible values are telephony and VoIP.
h323-conf-id | 24 | | | Identifies the conference ID.
h323-connect-time | 28 | | | Indicates the connection time for this call leg in UTC.
h323-disconnect-cause | 30 | | | Specifies the reason a connection was taken offline per the Q.931 specification.
h323-disconnect-time | 29 | | | Indicates the time this call leg was disconnected in UTC.
h323-gw-id | 33 | | | Indicates the name of the underlying gateway.
h323-incoming-conf-id | 35 | Integer | | On each gateway (both originating and terminating), the h323-incoming-conf-id is created by making a persistent and static copy of the h323-conf-id. After this h323-incoming-conf-id is created, it is never updated or changed for the duration of the session. The h323-incoming-conf-id value is always the same for legs 1 and 2, or for legs 3 and 4, and it need not be the same for all four legs of a call.
h323-remote-address | 23 | | | Indicates the IP address of the remote gateway.
h323-setup-time | 25 | | | Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time.
h323-voice-quality | 31 | | | Specifies the impairment/calculated planning impairment factor (ICPIF) affecting voice quality for a call.


Cisco-BBSM

This RADIUS dictionary is provided in ISE by default.

Attribute | # | Type | ISE Version | Usage Description
--- | --- | --- | --- | ---
CBBSM-Bandwidth | 1 | integer | | Cisco Building Broadband Service Manager (BBSM) RADIUS VSA. The vendor ID for this Cisco RADIUS implementation is 5263.


Cisco-VPN3000 and ASA

 

This RADIUS dictionary is provided in ISE by default.

You may also see the list of attributes supported by the ASA v9.0.

 

Attribute#TypeISE Version Description or Value(s)
PIX7x-Access-Hours1String1.0Name of the time range, for example, Business-hours
PIX7x-Access-List-Inbound86String1.0ACL ID
PIX7x-Access-List-Outbound87String1.0ACL ID
PIX7x-Address-Pools217String1.0Name of IP local pool
PIX7x-Allow-Alpha-Only-Passwords41.0Not supported on ASA?
PIX7x-Allow-Network-Extension-Mode64Boolean1.0

0 = Disabled

1 = Enabled

PIX7x-Auth-Server-Password23String1.0Not supported on ASA?
PIX7x-Auth-Server-Priority32?1.0Not supported on ASA?
PIX7x-Auth-Server-Type22?1.0Not supported on ASA?

PIX7x-Authd-User-Idle-Timeout

or

Authenticated-User-Idle-Timeout

50Integer1.01 - 35791394 minutes
PIX7x-Cisco-IP-Phone-Bypass51Integer1.0

0 = Disabled

1 = Enabled

PIX7x-Client-Type150Integer1.0

1 = Cisco VPN Client (IKEv1)

2 = AnyConnect Client SSL VPN

3 = Clientless SSL VPN

4 = Cut-Through-Proxy

5 = L2TP/IPsec SSL VPN

6 = AnyConnect Client IPsec VPN (IKEv2)

PIX7x-Client-Type-Version-Limiting77String1.0IPsec VPN version number string
PIX7x-DHCP-Network-Scope61String1.0IP Address
PIX7x-Extended-Authentication-On-Rekey122Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IE-Proxy-Bypass-Local83Integer1.0

0 = None

1 = Local

PIX7x-IE-Proxy-Exception-List82String1.0New line (\n) separated list of DNS domains
PIX7x-IE-proxy-lockdown134?1.0Not supported on ASA?
PIX7x-IE-Proxy-PAC-URL133String1.0PAC Address String
PIX7x-IE-Proxy-Server80String1.0IP address
PIX7x-IE-Proxy-Server-Policy81Integer1.0

1 = No Modify

2 = No Proxy

3 = Auto detect

4 = Use Concentrator Setting

PIX7x-IKE-Keep-Alives41Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IKE-Keepalive-Retry-Interval

84Integer1.02 - 10 seconds
PIX7x-IKE-retry-timeout129Integer1.0Not supported on ASA?
PIX7x-IPSec-Allow-Passwd-Store16Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IPSec-Auth-On-Rekey42Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IPSec-Authentication13Integer1.0

0 = None

1 = RADIUS

2 = LDAP (authorization only)

3 = NT Domain

4 = SDI

5 = Internal

6 = RADIUS with Expiry

7 = Kerberos/Active Directory

PIX7x-IPSec-Authorization-Required66Integer1.0

0 = No

1 = Yes

PIX7x-IPSec-Authorization-Type65Integer1.0

0 = None

1 = RADIUS

2 = LDAP

PIX7x-IPSec-Backup-Server-List60String1.0Server Addresses (space delimited)
PIX7x-IPSec-Backup-Servers59String1.0

1 = Use Client-Configured list

2 = Disable and clear client list

3 = Use Backup Server list

PIX7x-IPSec-Banner115String1.0Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL
PIX7x-IPSec-Banner236String1.0Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string, if configured.
PIX7x-IPSec-Client-Fw-Filter-Name57String1.0Specifies the name of the filter to be pushed to the client as firewall policy

PIX7x-IPSec-Client-Fw-Filter-Opt

or

IPsec-Client-Firewall-Filter-Optional

58Integer1.0

0 = Required

1 = Optional

PIX7x-IPSec-Confidence-Level

or

IKE-KeepAlive-Confidence-Interval

68Integer1.010 - 300 seconds
PIX7x-IPSec-Default-Domain28String1.0Specifies the single default domain name to send to the client (1-255 characters).

PIX7x-IPSec-DN-Field

or

Authorization-DN-Field

67String1.0Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name
PIX7x-IPSec-Group-Name26String1.0Not supported on ASA?

PIX7x-IPSec-Group-Policy

or

Group-Policy

25String1.0

Sets the group policy for the remote access VPN session. For Versions 8.2 and later, use this attribute instead of IETF-Radius-Class. You can use one of the three following formats:

  • group policy name
  • OU= group policy name
  • OU= group policy name ;
PIX7x-IPSec-IKE-Peer-ID-Check40Integer1.0

1 = Required

2 = If supported by peer certificate

3 = Do not check

PIX7x-IPSec-IP-Compression39Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IPSec-Mode-Config31Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IPSec-Over-UDP34Integer1.0

0 = Disabled

1 = Enabled

PIX7x-IPSec-Over-UDP-Port35Integer1.04001 - 49151. The default is 10000.

PIX7x-IPSec-Reqrd-Client-Fw-Cap

or

IPsec-Required-Client-Firewall-Capability

56Integer

0 = None

1 = Policy defined by remote FW Are-You-There (AYT)

2 = Policy pushed CPP

4 = Policy from server

PIX7x-IPSec-Sec-Association12String1.0Name of the security association
PIX7x-IPSec-Split-DNS-Names29String1.0Specifies the list of secondary domain names to send to the client (1-255 characters).
PIX7x-IPSec-Split-Tunnel-List27String1.0Specifies the name of the network/ACL that describes the split tunnel inclusion list.
PIX7x-IPSec-Split-Tunneling-Policy55Integer1.0

0 = No split tunneling

1 = Split tunneling

2 = Local LAN permitted

PIX7x-IPSec-Tunnel-Type30Integer1.0

1 = LAN-to-LAN

2 = Remote access

PIX7x-IPSec-User-Group-Lock33?1.0Not supported on ASA?
PIX7x-IPv6-Address-Pools218String1.0Name of IP local pool-IPv6
PIX7x-IPv6-VPN-Filter219String1.0ACL value
PIX7x-L2TP-Encryption21Integer1.0

Bitmap:

1 = Encryption required

2 = 40 bits

4 = 128 bits

8 = Stateless-Req

15 = 40/128-Encr/Stateless-Req

PIX7x-L2TP-Min-Auth-Protocol19?1.0Not supported on ASA?
PIX7x-L2TP-MPPC-Compression38Integer1.0

0 = Disabled

1 = Enabled

PIX7x-LEAP-Bypass75Integer1.0

0 = Disabled

1 = Enabled

PIX7x-Member-Of145String1.0

Comma-delimited string, for example:

Engineering, Sales

An administrative attribute that can be used in dynamic access policies. It does not set a group policy.

PIX7x-Min-Password-Length3?1.0Not supported on ASA?

PIX7x-MS-Client-Icpt-DHCP-Conf-Msg

or

Intercept-DHCP-Configure-Msg

62Integer1.0

0 = Disabled

1 = Enabled

PIX7x-MS-Client-Subnet-Mask63Boolean1.0An IP address
PIX7x-NAC-Default-ACL92String1.0ACL
PIX7x-NAC-Enable89Integer1.0

0 = No

1 = Yes

PIX7x-NAC-Revalidation-Timer91Integer1.0300 - 86400 seconds
PIX7x-NAC-Settings141String1.0Name of the NAC policy
PIX7x-NAC-Status-Query-Timer90Integer1.030 - 1800 seconds
PIX7x-Perfect-Forward-Secrecy-Enable881.0

0 = No

1 = Yes

PIX7x-Port-Forwarding-Name

or

WebVPN-Port-Forwarding-Name

79String1.0

String name (example, “Corporate-Apps”).

This text replaces the default string, “Application Access,” on the clientless portal home page.

PIX7x-PPTP-Encryption20Integer1.0

Bitmap:

1 = Encryption required

2 = 40 bits

4 = 128 bits

8 = Stateless-Required

15 = 40/128-Encr/Stateless-Req

PIX7x-PPTP-Min-Auth-Protocol18?1.0Not supported on ASA?
PIX7x-PPTP-MPPC-Compression37Integer1.0

0 = Disabled

1 = Enabled

PIX7x-Primary-DNS5String1.0An IP address
PIX7x-Primary-WINS7String1.0An IP address
PIX7x-Priority-On-SEP10?1.0Not supported on ASA?
PIX7x-Privilege-Level220Integer1.0An integer between 0 and 15.
PIX7x-Reqrd-Client-Fw-Description47String1.0String
PIX7x-Reqrd-Client-Fw-Product-Code46Integer1.0

Cisco Systems Products:

1= Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:
1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity

NetworkICE Product:
1 = BlackIce Defender/Agent

Sygate Products:
1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent

PIX7x-Reqrd-Client-Fw-Vendor-Code45Integer1.0

1 = Cisco Systems (with Cisco Integrated Client)

2 = Zone Labs

3 = NetworkICE

4 = Sygate

5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

PIX7x-Request-Auth-Vector24?1.0Not supported on ASA?
PIX7x-Require-HW-Client-Auth48Integer1.0

0 = Disabled

1 = Enabled

PIX7x-Require-Individual-User-Auth49Integer1.0

0 = Disabled

1 = Enabled

PIX7x-Secondary-DNS6String1.0An IP address
PIX7x-Secondary-WINS8String1.0An IP address
PIX7x-SEP-Card-Assignment9Integer1.0Not used
PIX7x-Session-Subtype152Integer1.0

0 = None

1 = Clientless

2 = Client

3 = Client Only

Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4.

PIX7x-Session-Type151Integer1.0

0 = None

1 = AnyConnect Client SSL VPN

2 = AnyConnect Client IPSec VPN (IKEv2)

3 = Clientless SSL VPN

4 = Clientless Email Proxy

5 = Cisco VPN Client (IKEv1)

6 = IKEv1 LAN-LAN

7 = IKEv2 LAN-LAN

8 = VPN Load Balancing

PIX7x-Simultaneous-Logins2Integer1.00 - 2147483647
PIX7x-Strip-Realm135Integer1.0

0 = Disabled

1 = Enabled

PIX7x-SVC-Ask131Integer1.0

0 = Disabled

1 = Enabled

3 = Enable default service

5 = Enable default clientless

(2 and 4 not used)

PIX7x-SVC-Ask-Timeout132Integer1.05 - 120 seconds
PIX7x-SVC-Keepalive107Integer1.0

0 = Off

15 - 600 seconds

PIX7x-SVC-Modules127String1.0String (name of a module)
PIX7x-SVC-Profiles128String1.0String (name of a profile)
PIX7x-Tunnel-Group-Lock85String1.0Name of the tunnel group or “none”
PIX7x-Tunnel-Group-Name146String1.01 - 253 characters
PIX7x-Tunneling-Protocols11Integer1.0

1 = PPTP

2 = L2TP

4 = IPSec (IKEv1)

8 = L2TP/IPSec

16 = WebVPN

32 = SVC

64 = IPsec (IKEv2)

8 and 4 are mutually exclusive

(0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values).
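The values above are a bitmap, and the "legal values" list is exactly the set of values below 64 in which bits 4 and 8 are not both set. The Python below is an added example written for this page, not code from the page or from Cisco. It decodes bitmap-valued attributes by bit name, enforces the mutual-exclusion rule for PIX7x-Tunneling-Protocols, and recomputes the legal-value ranges from that rule so the two statements on the page can be checked against each other. The same decoder handles the PIX7x-L2TP-Encryption (21) and PIX7x-PPTP-Encryption (20) bitmaps listed earlier.

```python
"""Decode and validate bitmap-valued ASA attributes from the dictionary above.

Added example for this page; not code from the page or from Cisco. The bit
names and the legal-value ranges are copied from the PIX7x-Tunneling-Protocols
(11) row; the encryption bits are from PIX7x-L2TP-Encryption (21) and
PIX7x-PPTP-Encryption (20).
"""

TUNNELING_PROTOCOLS = {
    1: "PPTP",
    2: "L2TP",
    4: "IPSec (IKEv1)",
    8: "L2TP/IPSec",
    16: "WebVPN",
    32: "SVC",
    64: "IPsec (IKEv2)",
}

# Ranges the page lists as legal for attribute 11.
LEGAL_TUNNELING_VALUES = (
    set(range(0, 12)) | set(range(16, 28)) | set(range(32, 44)) | set(range(48, 60))
)

# Shared by PIX7x-L2TP-Encryption (21) and PIX7x-PPTP-Encryption (20).
ENCRYPTION_BITS = {
    1: "Encryption required",
    2: "40 bits",
    4: "128 bits",
    8: "Stateless-Req",
}


def decode_bitmap(value, bits):
    """Return the names of the set bits, in ascending bit order.

    A bit with no entry in `bits` is an error rather than silently dropped,
    so an unexpected value in an authorization profile is caught early.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("bitmap attributes are 32-bit unsigned integers")
    known = 0
    for bit in bits:
        known |= bit
    undefined = value & ~known
    if undefined:
        raise ValueError(f"undefined bit(s) set: 0x{undefined:x}")
    return [name for bit, name in sorted(bits.items()) if value & bit]


def check_tunneling_protocols(value):
    """Decode attribute 11 and enforce the rule that 4 and 8 are mutually exclusive."""
    names = decode_bitmap(value, TUNNELING_PROTOCOLS)
    if value & 4 and value & 8:
        raise ValueError("IPSec (IKEv1) and L2TP/IPSec cannot both be set")
    return names


def derived_legal_values(limit=64):
    """Every value below `limit` that passes the exclusion rule.

    With the default limit this reproduces the four ranges the page lists,
    which cover bits 1 through 32 only.
    """
    return {v for v in range(limit) if not (v & 4 and v & 8)}


if __name__ == "__main__":
    print(check_tunneling_protocols(5))                       # ['PPTP', 'IPSec (IKEv1)']
    print(decode_bitmap(15, ENCRYPTION_BITS))
    print(derived_legal_values() == LEGAL_TUNNELING_VALUES)   # True
```

The check that the derived set equals the listed ranges is the point of the example: when a vendor dictionary states both a rule and an enumeration, verifying one against the other is how you find out which one to trust.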

PIX7x-Use-Client-Address17Integer1.0

0 = Disabled

1 = Enabled

PIX7x-User-Auth-Server-Name52String1.0IP address or hostname
PIX7x-User-Auth-Server-Port53Integer1.0Port number for server protocol
PIX7x-User-Auth-Server-Secret54String1.0Server password
PIX7x-VLAN140Integer1.00 - 4094
PIX7x-WebVPN-Access-List73String1.0Access-List name
PIX7x-WebVPN-ActiveX-Relay137Integer1.0

0 = Disabled

Otherwise = Enabled

PIX7x-WebVPN-Apply-ACL102Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Auto-HTTP-Signon124String1.0Reserved
PIX7x-WebVPN-Citrix-Metaframe-Enable101Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Content-Filter69Bitmap1.0

1 = Java ActiveX

2 = Java Script

4 = Image

8 = Cookies in images

PIX7x-WebVPN-Customization113String1.0Name of the customization
PIX7x-WebVPN-Default-Homepage76String1.0A URL such as http://example.com
PIX7x-WebVPN-Deny-Message116String1.0Valid string (up to 500 characters)
PIX7x-WebVPN-Download_Max-Size157Integer1.00x7fffffff
PIX7x-WebVPN-Enable-functions70?1.0Not supported on ASA?
PIX7x-WebVPN-File-Access-Enable94Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-File-Server-Browsing-Enable96Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-File-Server-Entry-Enable95Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List78String1.0Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com)
PIX7x-WebVPN-Hidden-Shares126Integer1.0

0 = None

1 = Visible

PIX7x-WebVPN-Home-Page-Use-Smart-Tunnel228Boolean1.0Enabled if clientless home page is to be rendered through Smart Tunnel.
PIX7x-WebVPN-HTTP-Compression120Integer1.0

0 = Off

1 = Deflate Compression

PIX7x-WebVPN-HTTP-Proxy-IP-Address74String1.0Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443)
PIX7x-WebVPN-Idle-Timeout-Alert-Interval148Integer1.00 (Disabled) - 30
PIX7x-WebVPN-Keepalive-Ignore121Integer1.00-900
WebVPN-Macro-Substitution223String1.0Unbounded. For examples, see the SSL VPN Deployment Guide

PIX7x-WebVPN-Macro-Substitution

or

WebVPN-Macro-Substitution

224String1.0

Unbounded.

For examples, see the SSL VPN Deployment Guide

PIX7x-WebVPN-Port-Forwarding-Enable97Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Port-Forwarding-Exchange-Proxy-Enable98Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Port-Forwarding-HTTP-Proxy99Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Port-Forwarding-List72String1.0Port forwarding list name
PIX7x-WebVPN-Post-Max-Size159Integer1.00x7fffffff
PIX7x-WebVPN-Session-Timeout-Alert-Interval149Integer1.00 (Disabled) - 30
PIX7x-WebVPN-Smart-Card-Removal-Disconnect225Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-Smart-Tunnel136String1.0Name of a smart tunnel
PIX7x-WebVPN-Smart-Tunnel-Auto-Sign-On139String1.0Name of a Smart Tunnel auto sign-on list appended by the domain name
PIX7x-WebVPN-Smart-Tunnel-Auto-Start138Integer1.0

0 = Disabled

1 = Enabled

2 = Auto Start

PIX7x-WebVPN-Smart-Tunnel-Tunnel-Policy227String1.0One of "e networkname," "i networkname," or "a," where networkname is the name of a smart tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels.
PIX7x-WebVPN-SSL-VPN-Client-Enable103Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-SSL-VPN-Client-Keep-Installation105Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-SSL-VPN-Client-Required104Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-SSO-Server-Name114String1.0Valid string
PIX7x-WebVPN-Storage-Key162String1.0?
PIX7x-WebVPN-Storage-Objects161String1.0?

PIX7x-WebVPN-SVC-Client-DPD-Frequency

or

SVC-DPD-Interval-Client

108Integer1.0

0 = Off

5 - 3600 seconds

PIX7x-WebVPN-SVC-Compression112Integer1.0

0 = Off

1 = Deflate Compression

PIX7x-WebVPN-SVC-DTLS-Enable123Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-SVC-DTLS-MTU125Integer1.0MTU value is from 256-1406 bytes.

PIX7x-WebVPN-SVC-Gateway-DPD-Frequency

or

SVC-DPD-Interval-Gateway

109Integer1.0

0 = Off

5 - 3600 seconds

PIX7x-WebVPN-SVC-Rekey-Method111Integer1.0

0 = Off

1 = SSL

2 = New Tunnel

PIX7x-WebVPN-SVC-Rekey-Time110Integer1.0

0 = Disabled

1- 10080 minutes

PIX7x-WebVPN-UNIX-Group-ID(GID)222Integer1.0Valid UNIX group IDs
PIX7x-WebVPN-UNIX-User-ID(UIDs)221Integer1.0Valid UNIX user IDs
PIX7x-WebVPN-Upload-Max-Size158Integer1.00x7fffffff
PIX7x-WebVPN-URL-Entry-Enable93Integer1.0

0 = Disabled

1 = Enabled

PIX7x-WebVPN-URL-List71String1.0URL list name
PIX7x-WebVPN-User-Storage160String1.0?
PIX7x-WebVPN-VDI163String1.0List of settings

 

 

 

CWA

 

Attribute

ValuesISE VersionUsage Description
CWA_ExternalGroupsString1.3External group name where user logging in from the CWA portal belongs to.
CWA_UsernameString1.3Username used during login from the CWA portal.

 

 

 

Device

 

Attribute

ValuesISE VersionUsage Description
Device Type1.2Device type defined during network device configuration.
Location1.2Location of the network device defined during device configuration.
Model Name1.2The model name of the network device defined during device creation.
Network Device Profile2.0The profile of network device defined during creation of device.
Software Version1.2Software version of the network device defined during device creation.

 

 

 

EndPoints

 

Attribute

ValuesISE VersionUsage Description
BYODRegistrationstring1.2

BYOD registration status of the endpoint. Can be:

No: Not registered via BYOD

Unknown: unknown status

Yes: registered via BYOD

EndPointPolicystring1.2Policy assignment of the endpoint.
LastAUPAcceptanceHours1.4The time in hours when AUP was accepted the last time.
LogicalProfilestring1.2Logical profile that summarizes multiple regular profiles.
OperatingSystemstring1.3Operating system of the endpoint.
PortalUserstring1.3Guest user that logged in to the portal with this endpoint.
PostureApplicablestring1.2

A string specifying if posture is applicable for an endpoint, can be:

No: posture not applicable

Yes: posture applicable

 

 

Guest

 

Attribute

ValuesISE VersionUsage Description
Companystring1.2A string defining the company of the guest user.
EmailAddressstring1.2Email address of the guest user.
Firstnamestring1.2First name of the guest user.
LanguageNotificationstring1.2A string specifying the language for notification messages of the guest user.
Lastnamestring1.2Last name of the guest user.
OptionalData1-1.2Optional data 1
OptionalData2-1.2Optional data 2
OptionalData3-1.2Optional data 3
OptionalData4-1.2Optional data 4
OptionalData5-1.2Optional data 5
PasswordModifiedByUserboolean1.2

Boolean telling if password of the guest user was modified, can be:

false: password was not modified

true: password was modified

PhoneNumberstring1.2The phone number of the guest user.
TimeZonestring1.2Time zone of the guest user.
UserNamestring1.2Username of the guest user.

 

 

 

H3C


Attribute#TypeISE VersionUsage Description
H3C-Backup-NAS-IP2072.0Backup source IP address for sending RADIUS packets
H3C-Command202.0

Operation for the session, used for session control. It can be:

1: Trigger-Request

2: Terminate-Request

3: SetPolicy

4: Result

5: PortalClear

H3C-Connect_Id262.0Index of the user connection
H3C-Control-Identifier242.0

Identifier for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value; for retransmitted packets of different sessions, this attribute may take the same value. The response to a retransmitted packet must also carry the same attribute.

For Accounting-Request packets of the start, stop and interim update type, the Control-Identifier attribute, if present, makes no sense.

H3C-Exec-Privilege292.0

Priority of the EXEC user, can be:

0: Visit

1: Monitor

2: System

3: Manage

H3C-Ftp-Directory282.0Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client.
H3C-Input-Average-Rate22.0Average rate in the direction from the user to NAS [bps]
H3C-Input-Basic-Rate32.0Basic rate in the direction from the user to NAS [bps]
H3C-Input-Interval-Gigawords2052.0Result of bytes input within an accounting interval divided by 4GB
H3C-Input-Interval-Octets2012.0Bytes input within a real-time accounting interval
H3C-Input-Interval-Packets2032.0Packets input within an accounting interval, in the unit set on the switch
H3C-Input-Peak-Rate12.0Peak rate in the direction from the user to NAS [bps]
H3C-Ip-Host-Addr602.0IP address and MAC address of the user carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.
H3C-NAS-Startup-Timestamp592.0Startup time of the NAS in seconds, represented as the time elapsed since 00:00:00 on Jan 1, 1970 (UTC)
H3C-Output-Interval-Gigawords2062.0Result of bytes output within an accounting interval divided by 4GB
H3C-Output-Interval-Octets2022.0Bytes output within a real-time accounting interval
H3C-Output-Interval-Packets2042.0Packets output within an accounting interval, in the unit set on the switch
H3C-Product-ID2552.0Product name
H3C-Remanent-Volume152.0Remaining traffic of the connection, in different units for different server types.
H3C-Result-Code252.0

Result of the Trigger-Request or SetPolicy operation, which can be:

0: Succeeded

Any other value: Failed

H3C-Security-Level1412.0Security level assigned after SSL VPN user passes security authentication
H3C-User-Group1402.0User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with SSL VPN device.
H3C-User-HeartBeat622.0Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the list on the AP and is used for verifying the handshake messages from 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets.
H3C-User-Notify612.0Information that needs to be sent from the server to the client transparently

 

 

HP

 

Attribute#TypeISE VersionUsage Description
HP-Bandwidth-Max-Egress48integer2.0Percentage of port bandwidth allowed for egress.
HP-Bandwidth-Max-Ingress46integer2.0Percentage of port bandwidth allowed for ingress.
HP-Capability-Advert255octets2.0This attribute defines the capabilities of the NAS, listing all special RADIUS attributes it supports.
HP-Command-Exception3integer2.0The flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others. A one (1) means deny all listed commands and permit all others.
HP-Command-String2regex2.0List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters.
HP-Cos40string2.0

Assigns an 802.1p priority to all inbound packets on the port. This attribute should contain the desired CoS priority (as a string) repeated 8 times. The reason for the repetition is that this attribute is meant to form a map to translate different CoS priorities in packets egressing on the port.

Values:

1-2: Low

0,3: Normal

4-5: High

6-7: Critical

HP-Egress-VLAN-Name65string2.0Allows egress traffic for specified VLAN name.
HP-Egress-VLANID64integer2.0

Allows egress traffic for the specified VLAN ID. The first 8 bits specify whether the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 (untagged). The next 12 bits are padding (0x000) and the final 12 bits are the VLAN ID as an integer value.

Example: VLAN 17 as a tagged egress VLAN would be 0x31000011.
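The layout described above can be checked mechanically; it is the same tag-octet, padding, 12-bit-VLAN layout as the IETF Egress-VLANID attribute in RFC 4675. The Python below is an added example written for this page, not code from the page or from HP. It packs and unpacks the 32-bit HP-Egress-VLANID value and rejects a tag octet other than 0x31/0x32, non-zero padding bits, and VLAN IDs outside 1 to 4094; that range is the 802.1Q VLAN ID range and is my addition, not something the page states for this attribute.

```python
"""Pack and unpack the HP-Egress-VLANID (64) integer described above.

Added example for this page; not code from the page or from HP. Layout from the
page: high octet 0x31 (tagged) or 0x32 (untagged), 12 zero padding bits, then
the 12-bit VLAN ID. The 1..4094 bound is the 802.1Q VLAN ID range and is an
addition of this example; the page does not state it for this attribute.
"""

TAGGED = 0x31
UNTAGGED = 0x32


def encode_egress_vlanid(vlan_id, tagged):
    """Return the 32-bit attribute value for `vlan_id`."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tag = TAGGED if tagged else UNTAGGED
    return (tag << 24) | vlan_id          # bits 12..23 (padding) stay zero


def decode_egress_vlanid(value):
    """Return (vlan_id, tagged) or raise on a value that violates the layout."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("attribute is a 32-bit unsigned integer")
    tag = value >> 24
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"tag octet must be 0x31 or 0x32, got 0x{tag:02x}")
    if (value >> 12) & 0xFFF:
        raise ValueError("padding bits 12..23 must be zero")
    vlan_id = value & 0xFFF
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    return vlan_id, tag == TAGGED


if __name__ == "__main__":
    print(hex(encode_egress_vlanid(17, tagged=True)))   # 0x31000011
    print(decode_egress_vlanid(0x32000011))             # (17, False)
```

Rejecting non-zero padding matters in practice: a value such as 0x31001011 decodes to VLAN 17 if you mask carelessly, but it is not a well-formed attribute and a switch may treat it differently from what the policy author intended.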

HP-Management-Protocol26integer2.0

Management protocol that can be used, can be:

5: HTTP

6: HTTPS

HP-Nas-Filter-Rule61string2.0

One access control entry (ACE) applied to the client; an ACL is sent as multiple HP-Nas-Filter-Rule attributes, one per ACE.

Example: permit in tcp from any to any

HP-Nas-Rules-IPv663integer2.0

Also allows IPv6 traffic to be filtered with an ACL sent in the HP-Nas-Filter-Rule attribute.

If this option is set to "1", the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type.

If the option is "2", IPv6 traffic is ignored.

HP-Port-Auth-Mode-Dot1x13integer2.0

Temporarily alters the 802.1X authentication mode to be either port-based or user-based depending on the value in the VSA.

1: port-based

2: user-based

HP-Port-Client-Limit-Dot1x10integer2.0

Temporarily alters the 802.1X authentication client limit to the value contained in the VSA. Values range from 0 to 32 clients.

0 - means VSA is disabled

HP-Port-Client-Limit-MA11integer2.0

Temporarily alters the MAC authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients.

0 - means VSA is disabled

HP-Port-Client-Limit-WA12integer2.0

Temporarily alters the web-based authentication client limit to the value contained in the VSA. Values range from 0 to 256 clients.

0 - means VSA is disabled
HP-Privilege-Level1integer2.0

Privilege level of the user, can be:

1: SuperUser

2: Monitor

16: HelpDeskManager

17: NetworkAdministrator

18: SystemAdministrator

19: WebUserAdministrator

 

 

Identity Mapping

 

Attribute

ValuesISE VersionUsage Description

 

 

IdentityGroup

 

Attribute

ValuesISE VersionUsage Description
Descriptionstring1.2, 1.3, 1.4The description of the identity group to which the user belongs.
Namestring1.2, 1.3, 1.4The name of the identity group to which the user belongs.

 

 

InternalUser

 

Attribute

ValuesISE VersionUsage Description
Descriptionstring1.2Description of the internal user.
EnableFlagstring1.2A string indicating whether the account is enabled.
Firstnamestring1.2A string defining first name of the user.
IdentityGroupstring1.2The identity group the internal user belongs to.
Lastnamestring1.2A string defining last name of the user.
Namestring1.2A string defining a username.
UserTypestring1.2?

 

 

Juniper

 

Attribute#TypeISE VersionAvailableUsage Description
Juniper-Allow-Commands2regex2.0

Authentication

Authorization

Contains operational mode commands, in the form of an extended regular expression, that the user is allowed to run in addition to the commands authorized by the user's login class permission bits. Maximum length 247 characters.

Note: This attribute is used only in Access-Accept.

Juniper-Allow-Configuration4regex2.0

Authentication

Authorization

Contains an extended regular expression that enables the user to run configuration mode commands in addition to the commands authorized by the user's login class permission bits.

Note: This attribute is used only in Access-Accept.

Juniper-cell-overhead41integer2.0

Authentication

Authorization

Juniper-Configuration-Change9string2.0

Authentication

Authorization

Indicates the interactive command that results in a configuration (database) change.

Note: This attribute is used only in Accounting-Request.

Juniper-CoS-Parameter39string2.0

Authentication

Authorization

Juniper-CoS-Traffic-Control-Profile38string2.0

Authentication

Authorization

Juniper-CTP-Group212.0

Authentication

Authorization

 

1: Read_Only

2: Admin

3: Privileged_Admin

4: Auditor

Juniper-CTPView-APP-Group222.0

Authentication

Authorization

 

1: Net_View

2: Net_Admin

3: Global_Admin

Juniper-CTPView-OS-Group232.0

Authentication

Authorization

 

1: Web_Manager

2: System_Admin

3: Auditor

Juniper-Deny-Commands3regex2.0

Authentication

Authorization

Contains an extended regular expression that denies the user permission to run operational mode commands otherwise authorized by the user's login class permission bits. Maximum length 247 characters.

Note: This attribute is used only in Access-Accept.

Juniper-Deny-Configuration5regex2.0

Authentication

Authorization

Contains an extended regular expression that denies the user permission to run configuration commands authorized by the user's login class permission bits.

Note: This attribute is used only in Access-Accept.

Juniper-encapsulation-overhead40integer2.0

Authentication

Authorization

Juniper-Firewall-filter-name44string2.0

Authentication

Authorization

Juniper-Interactive-Command8string2.0

Authentication

Authorization

Indicates the interactive command entered by the user.

Note: This attribute is used only in Accounting-Request.

Juniper-Interface-id35string2.0

Authentication

Authorization

Identifier of the interface.
Juniper-Ip-Pool-Name36string2.0

Authentication

Authorization

The name of the IP pool defined on the device.
Juniper-Keep-Alive37integer2.0

Authentication

Authorization

Juniper-Local-Group-Name46string2.0

Authentication

Authorization

Juniper-Local-Interface47string2.0

Authentication

Authorization

Interface to apply to the E Series side of the connection. The value can be one of the following:

- IP address (with subnet mask)

- the loopback interface

Juniper-Local-User-Name1string2.0

Authentication

Authorization

Indicates the name of the user template used by the user when logging in to a device. Maximum length 247 characters.
Juniper-Policer-Parameter45string2.0

Authentication

Authorization

Juniper-Primary-Dns31IP address2.0

Authentication

Authorization

B-RAS user's DNS address negotiated during IPCP
Juniper-Primary-Wins32IP address2.0

Authentication

Authorization

B-RAS user's WINS (NBNS) address negotiated during IPCP
Juniper-rx-connect-speed43integer2.0

Authentication

Authorization

Defines the receive connect speed.
Juniper-Secondary-Dns33IP address2.0

Authentication

Authorization

B-RAS user's DNS address negotiated during IPCP
Juniper-Secondary-Wins34IP address2.0

Authentication

Authorization

B-RAS user's WINS (NBNS) address negotiated during IPCP
Juniper-Switching-Filter48string2.0

Authentication

Authorization

Contains a string that works like an ACL, in the form:

"Match < >, Action < >"

where the match can be on a MAC address, IP address, port, VLAN, and so on.

Juniper-tx-connect-speed42integer2.0

Authentication

Authorization

Defines the transmit connect speed.
Juniper-User-Permissions10string2.0

Authentication

Authorization

Contains information the server uses to specify user permissions, given as a list of permission flags separated by spaces.

Permission Flags: access, access-control, admin, admin-control, all-control, clear, configure, control, field, firewall, firewall-control, floppy, flow-tap, flow-tap-operation, idp-profiler-operation, interface, interface-control, maintenance, network, pgcp-session-mirroring, pgcp-session-mirroring-control, reset, rollback, routing, routing-control, secret, secret-control, security, security-control, shell, snmp, snmp-control, system, system-control, trace, trace-control, view, view-configuration

Juniper-VoIP-Vlan49integer2.0

Authentication

Authorization

Voice VLAN returned from RADIUS server.

 

 

MDM


After you add an MDM server definition in Cisco ISE, the MDM dictionary attributes listed below become available for use in authorization policies.

 

Attribute

Type / ValuesISE VersionAvailableUsage Description

DaysSinceLastCheckin

Days count2.1Authorization
Number of days elapsed since the last MDM check-in for the endpoint.

DeviceCompliantStatus

StringAuthorization
Compliant: the MDM server has confirmed compliant status for the endpoint
NonCompliant: the MDM server has confirmed non-compliant status for the endpoint

DeviceRegisterStatus

StringAuthorization
Registered: endpoint is known to the MDM server and was previously registered
UnRegistered: endpoint is unknown to the MDM server and has not been registered

DiskEncryptionStatus

StringAuthorization
Off: disk encryption is not enabled on the endpoint
On: disk encryption is enabled on the endpoint

IMEI

StringAuthorizationIMEI value. Match based on endpoint IMEI value from MDM server response

JailBrokenStatus

StringAuthorization
Broken: endpoint is reported as jailbroken by the MDM server
UnBroken: endpoint is reported as not jailbroken by the MDM server

Manufacturer

StringAuthorizationManufacturer name. Match based on mobile device manufacturer name from MDM server response

MDMFailureReason

2.1AuthorizationFailureReason value

MDMServerName

MDMServerNameAuthorizationMatch based on MDMServerName from endpoint attributes

MDMServerReachable

StringAuthorization
Reachable: the MDM server is reachable
UnReachable: the MDM server is unreachable

MEID

StringAuthorizationMEID Value. Match based on endpoint mobile equipment identifier(MEID) value from MDM server response

Model

StringAuthorizationModel Value. Match based on mobile device model from MDM server response

OsVersion

StringAuthorizationOsVersion Value. Match based on mobile device OS version from MDM server response

PhoneNumber

StringAuthorizationPhoneNumber Value. Match based on phone number of mobile device

PinLockStatus

StringAuthorization
Off: PIN lock disabled on the endpoint
On: PIN lock enabled on the endpoint

SerialNumber

StringAuthorizationSerialNumber Value. Match based on mobile device serial number from MDM server response

ServerType

String2.1Authorization
DesktopDeviceManager: the server the endpoint is registered with is a Desktop Device Manager (for example, Microsoft System Center)
MobileDeviceManager: the server the endpoint is registered with is a Mobile Device Manager (regular MDM server)

UDID

UDID ValueAuthorizationUDID Value. Match based on Unique Device Identifier (Apple specific)

UserNotified

String2.1Authorization
No: user has not been notified previously of the requirement to register the device (Desktop Device Manager specific check)
Yes: user was notified previously of the requirement to register the device (Desktop Device Manager specific check)

 

 

Microsoft

This RADIUS dictionary is provided in ISE by default.

 

Attribute

#TypeISE VersionAvailable Description
MS-Acct-Auth-Type23integer1.2

Authentication

Authorization

Represents the method used to authenticate the dial-up user:

1: PAP

2: CHAP

3: MS-CHAP-1

4: MS-CHAP-2

5: EAP

MS-Acct-EAP-Type24integer1.2

Authentication

Authorization

Represents the EAP type used to authenticate the dial-up user:

4: MD5

5: OTP

6: Generic Token Card

13: TLS

MS-AFW-Protection-Level49integer1.2

Authentication

Authorization

Specifies a NAP protection level. Used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access.
MS-AFW-Zone48integer1.2

Authentication

Authorization

Specifies a NAP zone. Used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access.

MS-ARAP-PW-Change-Reason21integer1.2

Authentication

Authorization

Used to indicate reason for a server-initiated password change:

1: Just-Change-Password

2: Expired-Password

3: Admin-Requires-Password-Change

4: Password-Too-Short

MS-BAP-Usage13integer1.2

Authentication

Authorization

Describes whether the use of BAP is allowed, disallowed or required on new multilink calls:

0: BAP usage not allowed

1: BAP usage allowed

2: BAP usage required

MS-CHAP-Challenge11string1.2

Authentication

Authorization

Contains the challenge sent by the NAS to the MS-CHAP user.
MS-CHAP-CPW-13string1.2

Authentication

Authorization

Allows the user to change their password if it has expired.

Note: Attribute is only used in Access-Request packets and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject, the String field of that MS-CHAP-Error indicated that the user password had expired, and the MS-CHAP version is less than 2 (RFC 2548).

MS-CHAP-CPW-24string1.2

Authentication

Authorization

Allows the user to change their password if it has expired.

Note: Attribute is only used in Access-Request packets and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject, the String field of that MS-CHAP-Error indicated that the user password had expired, and the MS-CHAP version is equal to 2 (RFC 2548).

MS-CHAP-Domain10string1.2

Authentication

Authorization

Indicates the Windows NT domain in which user was authenticated.
MS-CHAP-Error2string1.2

Authentication

Authorization

Contains error data related to the preceding MS-CHAP exchange.

Note: Only used in Access-Reject.

MS-CHAP-LM-Enc-PW5string1.2

Authentication

Authorization

Contains the new Windows NT password encrypted with the old LAN Manager password hash.

Note: Attribute is used only in Access-Request packets, in conjuction with the MS-CHAP-CPW-2 attribute. It should be only  included if an MS-CHAP-Error attribute was included in immediately preceding Access-Reject.

MS-CHAP-MPPE-Keys12string1.2

Authentication

Authorization

Contains two session keys for use by the MPPE.

Note: This attribute is only included in Access-Accept.

MS-CHAP-NT-Enc-PW6string1.2

Authentication

Authorization

Contains the new Windows NT password encrypted with the old Windows NT password hash.

Note: Attribute is used only in Access-Request packets, in conjuction with the MS-CHAP-CPW-2 attribute. It should be only  included if an MS-CHAP-Error attribute was included in immediately preceding Access-Reject.
MS-CHAP-Response1string1.2

Authentication

Authorization

Contains the response value provided by a MS-CHAP user in response to the challenge.

Note: Only used in Access-Request.

MS-CHAP2-CPW | #27 | octets | ISE 1.2 | Authentication, Authorization
Allows the user to change their password if it has expired. Used only in conjunction with MS-CHAP-NT-Enc-PW, and should only be included if an MS-CHAP-Error attribute was included in the Access-Reject packet and the MS-CHAP version is 3.

MS-CHAP2-Response | #25 | octets | ISE 1.2 | Authentication, Authorization
Contains the response value provided by an MS-CHAP-V2 peer in response to the challenge.

MS-CHAP2-Success | #26 | octets | ISE 1.2 | Authentication, Authorization
Contains the 42-octet authenticator response string. This string must be included in the Message field of the MS-CHAP-V2 Success packet sent from the NAS.

MS-Extended-Quarantine-State | #57 | integer | ISE 1.2 | Authentication, Authorization
Indicates the level of network access that the RADIUS server authorizes for the endpoint. Used to specify additional information about a restricted access decision by a RADIUS server.

MS-Filter | #22 | octets | ISE 1.2 | Authentication, Authorization
Used to transmit traffic filters. If multiple MS-Filter attributes are contained within a packet, they must be in order and must be consecutive attributes in the packet.

MS-HCAP-Location-Group-Name | #59 | string | ISE 1.2 | Authentication, Authorization
Used to specify location group information received over an HCAP interface by a RADIUS client.

MS-HCAP-User-Groups | #58 | string | ISE 1.2 | Authentication, Authorization
Used to specify user group information received over an HCAP interface by a RADIUS client.

MS-HCAP-User-Name | #60 | string | ISE 1.2 | Authentication, Authorization
Used to indicate user identity information received over an HCAP interface by a RADIUS client.

MS-Identity-Type | #41 | integer | ISE 1.2 | Authentication, Authorization
Indicates whether the RADIUS server performs only a machine health check.
If the value is 0x00000001, the RADIUS server must not perform authentication; instead it must perform a machine health check on this request.
If the value is different, or the RADIUS server does not receive this attribute, it should perform authentication as well as a machine health check on this request.

MS-IPv4-Remediation-Servers | #52 | list of IP addresses | ISE 1.2 | Authentication, Authorization
Contains a list of servers that are reachable by an endpoint whose access is restricted, so that the endpoint can remediate itself.

MS-IPv6-Filter | #51 | octets | ISE 1.2 | Authentication, Authorization
Used to limit the inbound and/or outbound access of the endpoint.

MS-IPv6-Remediation-Servers | #53 | octets | ISE 1.2 | Authentication, Authorization
Specifies the IPv6 addresses of the remediation servers.

MS-Link-Drop-Time-Limit | #15 | integer | ISE 1.2 | Authentication, Authorization
Indicates the length of time (in seconds) that a link must be underutilized before it is dropped.

MS-Link-Utilization-Threshold | #14 | integer | ISE 1.2 | Authentication, Authorization
Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination.

MS-Machine-Name | #50 | string | ISE 1.2 | Authentication, Authorization
Used to communicate the machine name of the endpoint requesting network access.

MS-MPPE-Encryption-Policy | #7 | integer | ISE 1.2 | Authentication, Authorization
Signifies whether the use of encryption is allowed or required:
1: encryption-allowed (any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute may be used)
2: encryption-required (any of the encryption types specified in the MS-MPPE-Encryption-Types attribute may be used)

MS-MPPE-Encryption-Types | #8 | integer (four-octet integer interpreted as a string of bits) | ISE 1.2 | Authentication, Authorization
Signifies the types of encryption available for use with MPPE.

MS-MPPE-Recv-Key | #17 | string | ISE 1.2 | Authentication, Authorization
Contains a session key for use by MPPE. This key is for encrypting packets that the AAA client receives from the remote host.
Note: This attribute is included only in Access-Accept.

MS-MPPE-Send-Key | #16 | string | ISE 1.2 | Authentication, Authorization
Contains a session key for use by MPPE. This key is for encrypting packets sent from the AAA client to the remote host.
Note: This attribute is used only in Access-Accept.

MS-Network-Access-Server-Type | #47 | integer | ISE 1.2 | Authentication, Authorization
Used to specify the type of the network access server making the request:
0: Unspecified
1: Terminal-Server-Gateway
2: Remote-Access-Server
3: DHCP-Server
4: Wireless-Access-Point
5: HRA
6: HCAP-Server

MS-New-ARAP-Password | #20 | string | ISE 1.2 | Authentication, Authorization
Used to transmit the new ARAP password during an ARAP password change operation.

MS-Old-ARAP-Password | #19 | string | ISE 1.2 | Authentication, Authorization
Used to transmit the old ARAP password during an ARAP password change operation.

MS-Primary-DNS-Server | #28 | IP address | ISE 1.2 | Authentication, Authorization
Used to indicate the address of the primary DNS server used by the PPP peer.

MS-Primary-NBNS-Server | #30 | IP address | ISE 1.2 | Authentication, Authorization
Used to indicate the address of the primary NetBIOS Name Server (NBNS) to be used by the PPP peer.

MS-Quarantine-Grace-Time | #46 | integer | ISE 1.2 | Authentication, Authorization
Applies a timeout to the endpoint requesting network access, set to expire at the time given by the attribute's value.

MS-Quarantine-IPFilter | #36 | octets | ISE 1.2 | Authentication, Authorization
Used to specify the set of IP filters to be provisioned for the endpoint associated with a RADIUS Access-Request.

MS-Quarantine-Session-Timeout | #37 | integer | ISE 1.2 | Authentication, Authorization
Used to specify a timeout value used by an RRAS server.

MS-Quarantine-SOH | #55 | octets | ISE 1.2 | Authentication, Authorization
Used to carry Statement of Health information from the endpoint when EAP is not used.

MS-Quarantine-State | #45 | integer | ISE 1.2 | Authentication, Authorization
Indicates the access rights granted to the endpoint requesting network access:
0: Full access
1: Restricted access
2: On probation (full access within a limited time period)

MS-Quarantine-User-Class | #44 | string | ISE 1.2 | Authentication, Authorization
Used to carry the name of a special DHCP user class.
MS-RAS-Client-Name | #34 | string | ISE 1.2 | Authentication, Authorization
Used to specify the name of the endpoint generating the request.

MS-RAS-Client-Version | #35 | string | ISE 1.2 | Authentication, Authorization
Used to specify the version of the endpoint generating the request.

MS-RAS-Correlation | #56 | octets | ISE 1.2 | Authentication, Authorization
Used by the NAD to send an identifier that the RADIUS server uses to correlate log events.

MS-RAS-Vendor | #9 | integer | ISE 1.2 | Authentication, Authorization
Used to indicate the manufacturer of the RADIUS client machine.

MS-RAS-Version | #18 | integer | ISE 1.2 | Authentication, Authorization
Used to indicate the version of the RADIUS client software.

MS-RNAP-Not-Quarantine-Capable | #54 | integer | ISE 1.2 | Authentication, Authorization
Indicates whether or not the endpoint requesting network access is NAP capable:
0: endpoint sent an SoH
1: endpoint did not send an SoH

MS-Secondary-DNS-Server | #29 | IP address | ISE 1.2 | Authentication, Authorization
Used to indicate the address of the secondary DNS server used by the PPP peer.

MS-Secondary-NBNS-Server | #31 | IP address | ISE 1.2 | Authentication, Authorization
Used to indicate the address of the secondary NBNS server used by the PPP peer.

MS-Service-Class | #42 | string | ISE 1.2 | Authentication, Authorization
Used to specify which group of DHCP scopes will supply an IP address to the endpoint requesting access.

MS-TSG-Device-Redirection | #63 | integer | ISE 1.2 | Authentication, Authorization
Specifies filters used by a Remote Desktop Gateway (RDG) server.

MS-User-IPv4-Address | #61 | IP address | ISE 1.2 | Authentication, Authorization
Specifies the IP address of the endpoint as known to the RADIUS client.

MS-User-Security-Identity | #40 | string | ISE 1.2 | Authentication, Authorization
Used to specify the security identifier (SID) of the user requesting access.

Motorola-Symbol

Attribute | # | Type / Value | ISE Version | Available | Description

Symbol-Admin-Role | #1 | String | ISE 2.0 | Authentication, Authorization
Permissions for the remote user:
Monitor: User with read-only access to a WLC or AP
Helpdesk: User can clear statistics, reboot devices and create or copy tech support files
NetworkAdmin: User responsible for configuration of parameters such as Layer 2, Layer 3, Wireless, RADIUS, DHCP and Smart-RF
SysAdmin: User responsible for configuring general switch settings such as upgrading images, changing boot partitions, time and administrative access
WebAdmin: User responsible for adding guest user accounts for Captive Portal authentication
SuperUser: User with full administrative privileges

Symbol-Allowed-ESSID | #3 | String | ISE 2.0 | Authentication, Authorization
ESSID name(s) the user is permitted to associate with.

Symbol-Allowed-Radio | #6 | String | ISE 2.0 | Authentication, Authorization
Indicates one or more radio name(s) the user is permitted to associate with. Must match one or more keywords defined in the radio description fields.

Symbol-Current-ESSID | #2 | String | ISE 2.0 | Authentication, Authorization
ESSID the user is currently associated with.

Symbol-Downlink-Limit | #10 | integer | ISE 2.0 | Authentication, Authorization
Indicates the amount of bandwidth in Kbps that the user is permitted to receive from the AP. Traffic that exceeds the value will be dropped by the WLC or AP.
0 means disabled.

Symbol-Expiry-Date-Time | #7 | String | ISE 2.0 | Authentication, Authorization
Indicates the date and time after which the user is no longer authorized to access the network.
String in the format MM/DD/YYYY-HH:MM.

Symbol-Login-Source | #100 | (type not listed) | ISE 2.0 | Authentication, Authorization
Indicates the management interfaces the user is permitted to access on the WLC or AP:
HTTP: Allows HTTP login management access using the Web-UI
SSH: Allows SSH login management access
Telnet: Allows Telnet login management access
Console: Allows Console login management access
All: Allows all login management access methods

Symbol-Posture-Status | #9 | string | ISE 2.0 | Authentication, Authorization
NAP compliance state of the user. This attribute is used with the Symantec LAN Enforcer endpoint inspection solution.

Symbol-QoS-Profile | #5 | integer | ISE 2.0 | Authentication, Authorization
Specifies the static WMM Access Category to be assigned to the user. Once assigned, traffic forwarded from the AP to the user will be prioritized using the assigned QoS value.
Supported values:
1 - Best Effort
2 - Background
3 - Video
4 - Voice

Symbol-Start-Date-Time | #8 | string | ISE 2.0 | Authentication, Authorization
Indicates the date and time from which the user is initially permitted to access the network.
Format MM/DD/YYYY-HH:MM.

Symbol-Uplink-Limit | #11 | integer | ISE 2.0 | Authentication, Authorization
Indicates the amount of bandwidth in Kbps that the user is permitted to transmit to the AP. Traffic that exceeds the defined value will be dropped by the WLC or AP.

Symbol-User-Group | #12 | string | ISE 2.0 | Authentication, Authorization
Indicates the group on the WLC or AP that the user is associated with.

Symbol-WLAN-Index | #4 | integer | ISE 2.0 | Authentication, Authorization
Indicates the WLAN index number of the WLAN the user is associated with.


MSE

These attributes are used by the Cisco Mobility Services Engine (MSE). For more information, please see the ISE Design & Integration Guides for Cisco Mobility Services Engine (MSE).

Attribute | Values | ISE Version | Usage Description
MapLocation | string | ISE 2.0 | The location of the device on the map using MSE.

Network Access

This dictionary contains session attributes that can be collected during the authentication process, either from the RADIUS flow (for example: EAP tunnel / EAP chaining result) or as a result of the authentication process on ISE itself (use case / ISE host name).

Attribute | Type / Values | ISE Version | Available | Usage Description

AD-Host-DNS-Domain
AD-Host-Join-Point
AD-User-DNS-Domain
AD-User-Join-Point
AuthenticationIdentityStore

AuthenticationMethod | string | | Authentication, Authorization
CHAP/MD5: Match authentication request with CHAP/MD5 authentication
Lookup: Match authentication request with host Lookup (MAB)
MSCHAPv1: Match authentication with MSCHAPv1 as the authentication method
MSCHAPv2: Match authentication with MSCHAPv2 as the authentication method
PAP_ASCII: Match authentication with PAP_ASCII as the authentication method
x509_PKI: Certificate-based authentication matching

AuthenticationStatus | string | | Authorization
AuthenticationFailed: Match session for which user/endpoint authentication failed
AuthenticationPassed: Match session for which user/endpoint authentication passed
ProcessError: Match session for which user/endpoint authentication finished with a process error
UnknownUser: Match session for which user/endpoint authentication finished with an unknown user error

Device IP Address | IP address | | Authentication, Authorization
Match by the IP address of the Network Access Device. This is the address configured by the user under Network Device in the ISE GUI during device creation.

EapAuthentication | string | | Authorization
The EAP method used during authentication of a user or a machine:
EAP-GTC: Match session that is using EAP-GTC as the EAP authentication method
EAP-MD5: Match session that is using EAP-MD5 as the EAP authentication method
EAP-MSCHAPv2: Match session that is using EAP-MSCHAPv2 as the EAP authentication method
EAP-TLS: Match session that is using EAP-TLS as the EAP authentication method
LEAP: Match session that is using LEAP as the EAP authentication method

EapChainingResult | string | | Authorization
Result of the EAP-FAST specific way to bind user and machine authentication together:
No chaining: Match session with no EAP Chaining in place
User and machine both succeeded: Match session with successful machine and user authentication confirmed by EAP Chaining
User failed and machine succeeded: Match session with successful machine and failed user authentication confirmed by EAP Chaining
User succeeded and machine failed: Match session with failed machine and successful user authentication confirmed by EAP Chaining

EAPTunnel | string | | Authentication, Authorization
The EAP method used for tunnel establishment:
EAP-FAST (ISE 1.0): Match EAP requests with EAP-FAST
EAP-TTLS (ISE 2.0): Match EAP requests with EAP-TTLS
PEAP (ISE 1.0): Match EAP requests with PEAP

GroupsOrAttributesProcessFailure | | | Authorization

ISE Host Name | string | | Authentication, Authorization
ISE HostName value. Match the name of the ISE server on which the authentication request landed.

MachineAuthenticationIdentityStore

NetworkDeviceName | string | | Authentication, Authorization
Network Device name value. Match based on the name of the Network Device configured by the user under Network Device in the ISE GUI during device creation.

Protocol | string | | Authentication, Authorization
Protocol name:
RADIUS: Match authentication request that was done over the RADIUS protocol
TACACS+: Match authentication request that was done over the TACACS+ protocol

RADIUS Server

RADIUS Server Sequence

SessionLimitExceeded | boolean | ISE 1.4 | Authentication, Authorization
False: Session limit from the guest type has not yet been reached for the particular guest user (applicable only to guest users)
True: Session limit from the guest type has been reached for the particular guest user (applicable only to guest users)

UseCase | string | |
EAP Chaining (ISE 1.1): Use this value in an authorization policy to match sessions where EAP chaining was used during authentication
Guest Flow (ISE 1.0): Matches sessions that successfully finished the guest flow (either guest authentication passed, or the AUP was accepted for the hotspot)
Easy Wired Flow (ISE 2.1): Easy Connect
Proxy (ISE 1.2)
Host Lookup (ISE 1.0)

UserName | string | | Authentication, Authorization
Username value. Match the user name presented in the RADIUS Access-Request.

WasMachineAuthenticated | boolean | ISE 1.0 | Authorization
Use for detecting Machine Access Registration (MAR).

Normalised RADIUS

Attribute | Type / Values | ISE Version | Available | Usage Description

RadiusFlowType | string | ISE 2.0 | Authentication, Authorization
Wired802_1x: Indicates the user authentication method is wired 802.1x
WiredMAB: Indicates the user authentication method is wired MAB
WiredWebAuth: Indicates the user authentication method is wired web authentication
Wireless802_1x: Indicates the user authentication method is wireless 802.1x
WirelessMAB: Indicates the user authentication method is wireless MAB
WirelessWebAuth: Indicates the user authentication method is wireless web authentication

SSID | string | ISE 2.0 | Authentication, Authorization
Offers the possibility to map a vendor-specific attribute (for example RADIUS:Called-Station-ID) to this common attribute so that policy rules can use a friendly name. The mapping can be specific to a network device profile.

PassiveID

After you enable the PassiveID service on the node, the PassiveID dictionary is available.

Attribute | Type | ISE Version | Available | Usage Description
PassiveID_Groups | string | ISE 2.1 | Authorization | Specifies the domain controller group
PassiveID_Username | string | ISE 2.1 | Authorization | Specifies the name of the user

RADIUS

From:
RFC 2865 - Remote Authentication Dial In User Service (RADIUS)
RFC 2866 - RADIUS Accounting

Attribute | # | Type | ISE Version | Available | Usage Description

User-Name | #1 | string | ISE 1.0 | Authentication
The name of the user to be authenticated.
Length >= 3 characters.

User-Password | #2 | string | ISE 1.0 | Authentication
The password of the user to be authenticated, or the user's input following an Access-Challenge. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16-octet segment of the password and placed in the first 16 octets of the String field of the User-Password Attribute.

CHAP-Password | #3 | string | ISE 1.0 | Authentication
The response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge.

NAS-IP-Address | #4 | address | ISE 1.0 | Authentication
The identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.
Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

NAS-Port | #5 | integer | ISE 1.0 | Authentication
The physical port number of the NAS which is authenticating the user.

Service-Type | #6 | integer | ISE 1.0 | Authentication
The type of service the user has requested, or the type of service to be provided. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.
Values:
  • 1 Login: The user should be connected to a host.
  • 2 Framed: A Framed Protocol should be started for the User, such as PPP or SLIP.
  • 3 Callback Login: The user should be disconnected and called back, then connected to a host.
  • 4 Callback Framed: The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP.
  • 5 Outbound: The user should be granted access to outgoing devices.
  • 6 Administrative: The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
  • 7 NAS Prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
  • 8 Authenticate Only: Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).
  • 9 Callback NAS Prompt: The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed.
  • 10 Call Check: Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name.
  • 11 Callback Administrative: The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.

Framed-Protocol | #7 | integer | ? | Authentication
The framing to be used for framed access.
Values:
  • 1 PPP
  • 2 SLIP
  • 3 AppleTalk Remote Access Protocol (ARAP)
  • 4 Gandalf proprietary SingleLink/MultiLink protocol
  • 5 Xylogics proprietary IPX/SLIP
  • 6 X.75 Synchronous

Framed-IP-Address | #8 | address | ? | Authentication
The address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.

Framed-IP-Netmask | #9 | address | ? | Authentication
The IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.

Framed-Routing | #10 | integer | ? | Authentication
The routing method for the user, when the user is a router to a network.
Values:
  • 0 None
  • 1 Send routing packets
  • 2 Listen for routing packets
  • 3 Send and Listen

Filter-ID | #11 | text | ? | Authentication
The name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.
Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details.
On ASA, applies only to full-tunnel IPsec and SSL VPN clients.

Framed-MTU | #12 | integer | ? | Authentication
The Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that value, but the server is not required to honor the hint.
Values range from 64 to 65535.

Framed-Compression | #13 | | | Authentication
A compression protocol to be used for the link. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint. More than one compression protocol Attribute MAY be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.
Values:
  • 0 None
  • 1 VJ TCP/IP header compression
  • 2 IPX header compression
  • 3 Stac-LZS compression

Login-IP-Host | #14 | address | ? | Authentication
The system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.

Login-Service | #15 | integer | ? | Authentication
The service to use to connect the user to the login host. It is only used in Access-Accept packets.
Values:
  • 0 Telnet
  • 1 Rlogin
  • 2 TCP Clear
  • 3 PortMaster (proprietary)
  • 4 LAT
  • 5 X25-PAD
  • 6 X25-T3POS
  • 8 TCP Clear Quiet (suppresses any NAS-generated connect string)

Login-TCP-Port | #16 | integer | ? | Authentication
The TCP port with which the user is to be connected, when the Login-Service Attribute is also present. It is only used in Access-Accept packets.

(unassigned) | #17 | - | - | - | ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED.

Reply-Message | #18 | text | ? | Authentication
Text which MAY be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. Multiple Reply-Message's MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.

Callback-Number | #19 | string | ? | Authentication
A dialing string to be used for callback. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.

Callback-Id | #20 | string | ? |
The name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets.

(unassigned) | #21 | - | - | - | ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED.

Framed-Route | #22 | text | ? |
Routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.

Framed-IPX-Network | #23 | integer | ? |
The IPX Network number to be configured for the user. It is used in Access-Accept packets.

State | #24 | string | ? | Authentication
This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. This Attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action Attribute with the value of RADIUS-Request. If the NAS performs the Termination-Action by sending a new Access-Request upon termination of the current session, it MUST include the State attribute unchanged in that Access-Request. In either usage, the client MUST NOT interpret the attribute locally. A packet must have only zero or one State Attribute. Usage of the State Attribute is implementation dependent.

Class | #25 | string | ? | Authentication
This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.

Vendor-Specific | #26 | string | ISE 1.0 | Authentication
This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage. It MUST not affect the operation of the RADIUS protocol. Servers not equipped to interpret the vendor-specific information sent by a client MUST ignore it (although it may be reported). Clients which do not receive desired vendor-specific information SHOULD make an attempt to operate without it, although they may do so (and report they are doing so) in a degraded mode.
Values with Cisco:
  • audit-session-id=[96-bit hex string]

Session-Timeout | #27 | integer | ISE 1.0 | Authentication
This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.

Idle-Timeout | #28 | integer | ISE 1.0 | Authentication
This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.

Termination-Action | #29 | integer | ISE 1.0 | Authentication
This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.
Values:
  • 0 Default
  • 1 RADIUS-Request

Called-Station-ID | #30 | string | ISE 1.0 | Authentication
This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.

Calling-Station-ID | #31 | string | ISE 1.0 | Authentication
This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

NAS-Identifier | #32 | string | ISE 1.0 | Authentication
This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

Proxy-State | #33 | string | ? | Authentication
This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy-State in the packet) before forwarding the response to the NAS.
If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes.
The content of any Proxy-State other than the one added by the current server should be treated as opaque octets and MUST NOT affect operation of the protocol.
Usage of the Proxy-State Attribute is implementation dependent.

Login-LAT-Service34string?Authentication

This Attribute indicates the system with which the user is to be

  connected by LAT. It MAY be used in Access-Accept packets, but

  only when LAT is specified as the Login-Service. It MAY be used

  in an Access-Request packet as a hint to the server, but the

  server is not required to honor the hint.

  Administrators use the service attribute when dealing with

  clustered systems, such as a VAX or Alpha cluster. In such an

  environment several different time sharing hosts share the same

  resources (disks, printers, etc.), and administrators often

  configure each to offer access (service) to each of the shared

  resources. In this case, each host in the cluster advertises its

  services through LAT broadcasts.

  Sophisticated users often know which service providers (machines)

  are faster and tend to use a node name when initiating a LAT

  connection. Alternately, some administrators want particular

  users to use certain machines as a primitive form of load

  balancing (although LAT knows how to do load balancing itself).

Login-LAT-Node35stringAuthentication

This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

Login-LAT-Group36stringAuthentication

This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bit map. The administrators assign a bitmap of authorized group codes to each user; LAT gets these from the operating system, and uses these in its requests to the service providers.

Framed-AppleTalk-Link37integerAuthentication

This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. It is never used when the user is not another router.

Framed-AppleTalk-Network38integerAuthentication

This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified.

Framed-AppleTalk-Zone39stringAuthentication

This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed.

Acct-Status-Type40integerAccountingSpecifies whether this accounting-request marks the beginning of the user service (Start, 1) or the end (Stop, 2). RFC 2866 also defines Interim-Update (3), plus Accounting-On (7) and Accounting-Off (8), which the NAS sends for itself rather than for a user session.
Acct-Delay-Time41integerAccountingNumber of seconds the client has been trying to send a particular record.
Acct-Input-Octets42integerAccountingNumber of octets received from the port while this service is being provided.
Acct-Output-Octets43integerAccountingNumber of octets sent to the port while this service is being delivered.
Acct-Session-Id44stringAccountingUnique accounting identifier that makes it easy to match start and stop records in a log file. The Acct-Session-Id restarts at 1 each time the router is power cycled or the software is reloaded, so on its own it is not unique across reloads; correlate it with the NAS identity and the session start time. Contact Cisco support if this is unsuitable.
Acct-Authentic45integerAccountingWay in which the user was authenticated: by RADIUS, by the AAA client itself, or by another remote authentication protocol. This attribute is set to radius for users authenticated by RADIUS; to remote for TACACS+ and Kerberos; or to local for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.
Acct-Session-Time46integerAccountingNumber of seconds the user has been receiving service.
Acct-Input-Packets47integerAccountingNumber of packets received from the port while this service is being provided to a framed user.
Acct-Output-Packets48integerAccountingNumber of packets sent to the port while this service is being delivered to a framed user.
Acct-Terminate-Cause49integerAccounting

Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:

  • 1: User request
  • 2: Lost carrier
  • 3: Lost service
  • 4: Idle timeout
  • 5: Session-timeout
  • 6: Admin reset
  • 7: Admin reboot
  • 8: Port error
  • 9: AAA client error
  • 10: AAA client request
  • 11: AAA client reboot
  • 12: Port unneeded
  • 13: Port pre-empted
  • 14: Port suspended
  • 15: Service unavailable
  • 16: Callback
  • 17: User error
  • 18: Host request
Acct-Multi-Session-Id50stringAccountingUnique accounting identifier shared by several related sessions (for example the links of a Multilink PPP bundle) so they can be linked together in a log file; each linked session still carries its own Acct-Session-Id.
Acct-Link-Count51integerAccountingNumber of links known to have been in the multilink session at the time this accounting record is generated.
Acct-Input-Gigawords52integerAccountingNumber of times the Acct-Input-Octets counter has wrapped around 2^32 while this service is being provided. Total input is Acct-Input-Gigawords * 2^32 + Acct-Input-Octets.
Acct-Output-Gigawords53integerAccountingNumber of times the Acct-Output-Octets counter has wrapped around 2^32 while this service is being delivered. Total output is Acct-Output-Gigawords * 2^32 + Acct-Output-Octets.
???54???Accounting
Event-Timestamp55dateAccountingTime at which the event occurred on the NAS, in seconds since 00:00:00 UTC, 1 January 1970.
???56Accounting
???57Accounting
???58Accounting
???59Accounting
CHAP-Challenge60string?Authentication

This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets.

If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute.
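To make the two placements of the challenge concrete, here is an added Python example (not code from this page, from ISE or from the RFC) of the client-side digest and the server-side check. It assumes the server can retrieve the user's cleartext password, which CHAP requires; the password, identifier and challenge bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """Client side (RFC 1994, carried in RADIUS per RFC 2865 s5.3): the CHAP-Password
    value is the 1-octet CHAP identifier followed by MD5(identifier + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password, request_authenticator, password, chap_challenge=None):
    """Server side. The challenge is the CHAP-Challenge attribute when the request
    carries one; otherwise it is the 16-octet Request Authenticator itself, which is
    the RFC 2865 shortcut for 16-octet challenges. Comparison is constant-time."""
    if len(chap_password) != 17 or len(request_authenticator) != 16:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident, response = chap_password[0], chap_password[1:]
    expected = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    password = b"correct horse"        # constructed test credential
    authenticator = os.urandom(16)     # the Request Authenticator of the Access-Request
    # Case 1: 23-octet challenge, so it travels in the CHAP-Challenge attribute.
    challenge = os.urandom(23)
    print(verify_chap(chap_response(1, password, challenge), authenticator, password, challenge))
    # Case 2: 16-octet challenge carried in the Request Authenticator, no attribute sent.
    print(verify_chap(chap_response(2, password, authenticator), authenticator, password))
```

The fallback to the Request Authenticator applies only when the request carries no CHAP-Challenge attribute; when the attribute is present it is the challenge, whatever the authenticator field holds. Because the server must recompute MD5 over the cleartext password, CHAP forces reversible password storage on the server side, which is one reason to prefer EAP methods where the NAS supports them.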

NAS-Port-Type61integer1.0Authentication

This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.

  • 0 Async
  • 1 Sync
  • 2 ISDN Sync
  • 3 ISDN Async V.120
  • 4 ISDN Async V.110
  • 5 Virtual: "Virtual" refers to a connection to the NAS via some transport protocol, instead of through a physical port
  • 6 PIAFS: a form of wireless ISDN commonly used in Japan, and stands for PHS (Personal Handyphone System) Internet Access Forum Standard (PIAFS).
  • 7 HDLC Clear Channel
  • 8 X.25
  • 9 X.75
  • 10 G.3 Fax
  • 11 SDSL - Symmetric DSL
  • 12 ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation
  • 13 ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
  • 14 IDSL - ISDN Digital Subscriber Line
  • 15 Ethernet
  • 16 xDSL - Digital Subscriber Line of unknown type
  • 17 Cable
  • 18 Wireless - Other
  • 19 Wireless - IEEE 802.11
Port-Limit62integerAuthentication

This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint.

Login-LAT-Port63stringAuthentication

This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

The String field is one or more octets, and contains the identity of the LAT port to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension. All LAT string comparisons are case insensitive.

Tunnel-Type64integerAuthentication
Tunnel-Medium-Type65integerAuthentication
Tunnel-Client-Endpoint66stringAuthentication
Tunnel-Server-Endpoint67stringAuthentication
Acct-Tunnel-Connection68string
Tunnel-Password69string
ARAP-Password70string
ARAP-Features71string
ARAP-Zone-Access72integer
ARAP-Security73integer
ARAP-Security-Data74string
Password-Retry75integer

Prompt76integer
Connect-Info77string
Configuration-Token78string
EAP-Message79stringEncapsulates EAP packets so the NAS can relay an EAP exchange between the client and the RADIUS server without understanding the EAP method itself. Long EAP packets are split across multiple instances of this attribute (RFC 2869).
Message-Authenticator80stringHMAC-MD5 of the entire packet keyed with the shared secret, computed with this attribute's own 16 octets zero-filled (RFC 2869). The Request Authenticator of an Access-Request is a random value and does not protect the attributes, so this attribute is the only integrity check on an Access-Request; it must be present whenever EAP-Message is, and a packet that carries it with a wrong value must be silently discarded.
Tunnel-Private-Group-ID81stringAuthentication
Tunnel-Assignment-ID82string
Tunnel-Preference83integerAuthentication
???84
Acct-Interim-Interval85integer
???86
NAS-Port-Id87stringAuthentication
Framed-Pool88stringAuthentication
???89
Tunnel-Client-Auth-ID90stringAuthentication
Tunnel-Server-Auth-ID91stringAuthentication
NAS-IPv6-Address95Authentication
Framed-Interface-Id96Authentication
Framed-IPv6-Prefix97Authentication
Login-IPv6-Host98Authentication
...
Error-Cause101Authentication
...
Delegated-IPv6-Prefix123Authentication
...
Primary-DNS-Server135ipaddr
Secondary-DNS-Server136ipaddr
...
Framed-IPv6-Address168Authentication
DNS-Server-IPv6-Address169Authentication
Route-IPv6-Information170Authentication
Delegated-IPv6-Prefix-Pool171Authentication
Stateful-IPv6-Address-Pool172Authentication
...
Multilink-ID187integer
Num-In-Multilink188integer
Pre-Input-Octets190integer
Pre-Output-Octets191integer
Pre-Input-Packets192integer
Pre-Output-Packets193integer
Maximum-Time194integer
Disconnect-Cause195integer
???196
Data-Rate197integer
PreSession-Time198integer
...
Digest-Response206integerAuthentication
???207integer
PW-Lifetime208integer
IP-Direct209ipaddr
PPP-VJ-Slot-Comp210integer
...
Assign-IP-pool218integer
...
Route-IP228integer
...
Link-Compression233integer
Target-Utils234integer
Maximum-Channels235integer
...
Data-Filter242Ascend filter
Call-Filter243Ascend filter
Idle-Limit244integer
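The accounting rows above (40 through 55) and the Message-Authenticator row (80) are the two places where RADIUS binds a packet to the shared secret, and both checks belong on the server rather than being taken on trust. The following Python is an added example, not code from this page, from Cisco ISE or from any RADIUS implementation: it builds and verifies an Accounting-Request per RFC 2866 (Request Authenticator = MD5 over the packet with a zero-filled authenticator field, followed by the secret), combines Acct-Input-Gigawords with Acct-Input-Octets into a byte total, and computes and checks the RFC 2869 Message-Authenticator HMAC-MD5 on an Access-Request. The shared secret, session values and attribute contents are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4      # packet codes (RFC 2865, RFC 2866)
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_SESSION_ID = 1, 40, 42, 44
ACCT_TERMINATE_CAUSE, ACCT_INPUT_GIGAWORDS, MESSAGE_AUTHENTICATOR = 49, 52, 80

def encode_attrs(attrs):
    """(type, value) pairs -> TLVs: 1-octet type, 1-octet length incl. header, value."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack(">I", value)      # integers are 32-bit big-endian
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute values are 1-253 octets; omit empty ones")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def decode_attrs(data):
    """Walk the TLV list; a length that overruns the buffer or is below 2 is an error."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    """20-octet header (Code, Identifier, Length, 16-octet Authenticator) + TLVs."""
    body = encode_attrs(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body

def _trim(pkt):
    """Honour the Length field: octets beyond it are padding (RFC 2865 s3). None if malformed."""
    if len(pkt) < 20:
        return None
    length = struct.unpack(">H", pkt[2:4])[0]
    return pkt[:length] if 20 <= length <= len(pkt) else None

def accounting_request(ident, secret, attrs):
    """NAS side. RFC 2866 s3: MD5(Code+ID+Length+16 zero octets+attributes+secret)."""
    unsigned = build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_accounting_request(pkt, secret):
    """Server side: recompute over the bytes received; any change or wrong secret fails."""
    pkt = _trim(pkt)
    if pkt is None or pkt[0] != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def accounting_summary(pkt):
    """Fields a log pipeline needs. Input volume is Gigawords * 2**32 + Octets."""
    pkt = _trim(pkt)
    if pkt is None:
        raise ValueError("malformed packet")
    attrs = dict(decode_attrs(pkt[20:]))
    u32 = lambda raw: struct.unpack(">I", raw)[0]
    gigawords = u32(attrs.get(ACCT_INPUT_GIGAWORDS, bytes(4)))
    cause = attrs.get(ACCT_TERMINATE_CAUSE)
    return {
        "status": u32(attrs[ACCT_STATUS_TYPE]),
        "session_id": attrs[ACCT_SESSION_ID].decode("ascii"),
        "input_bytes": (gigawords << 32) | u32(attrs[ACCT_INPUT_OCTETS]),
        "terminate_cause": u32(cause) if cause is not None else None,
    }

def access_request(ident, secret, request_authenticator, attrs):
    """NAS side. RFC 2869 s5.14: HMAC-MD5(secret, packet) with the attribute's 16 octets zeroed."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = build_packet(ACCESS_REQUEST, ident, request_authenticator, attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """Server side, Access-Request only: zero the attribute in a copy and recompute.
    An absent or malformed attribute is a failure, never a pass."""
    pkt = _trim(pkt)
    if pkt is None or pkt[0] != ACCESS_REQUEST:
        return False
    body, i = pkt[20:], 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:20] + body[:i + 2] + bytes(16) + body[i + length:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, body[i + 2:i + length])
        i += length
    return False
```

Two points the code makes explicit: an Access-Request carries no integrity protection at all unless Message-Authenticator is present, so a server should require it on every Access-Request that contains EAP-Message and should be configured to require it from every NAS that can send it; and an Accounting-Request whose authenticator does not verify is not a session event to log but a packet to drop, since anything on the path between NAS and server could have produced it.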

Ruckus

Attribute#TypeISE VersionUsage Description
Ruckus-Acct-Status126integer2.0Sent by the RADIUS server to indicate if the authenticator should send an accounting packet for this user.
Ruckus-Grace-Period6integer2.0Specifies a grace period before re-authentication is required (WISPr or captive portal only). Range is 1-14400 minutes.
Ruckus-Location5string2.0Reports the location of the device. This is a configurable value in the device location setting.
Ruckus-SCG-CBlade-IP7integer2.0IP address of the C blade used by the device for the request.
Ruckus-SCG-DBlade-IP8integer2.0IP address of the D blade used by the device for the request.
Ruckus-Session-Type125integer2.0Sent by RADIUS server to indicate the forwarding policy to be used for the client.
Ruckus-SSID3string2.0Station WLAN name sent from device to the RADIUS server.
Ruckus-Sta-RSSI2integer2.0Station RSSI sent from the device to the RADIUS server (Interim-Update, Stop).
Ruckus-User-Groups1string2.0User role assignment; the role must already exist on the ZoneDirector.
Ruckus-WlanID4integer2.0WLAN ID number sent from the device to the RADIUS server as part of the Access-Request message to identify the WLAN interface.

Session

Attributes in this table are generated by ISE itself rather than received in the RADIUS request.

AttributeType / ValuesISE Version AvailableUsage Description
Agent-Request-Type
ANCPolicy
CurrentDate
CurrentDay
CurrentMonth
CurrentTime
CurrentWeekDay
CurrentYear
Device-OS
EPSStatus
OS-Architecture
PostureStatusstring1.0Authorization
  • Compliant (1.0): matched for endpoints that completed the posture flow and were compliant
  • NonCompliant (1.0): matched for endpoints that completed the posture flow and were non-compliant, or whose posture process was terminated
  • Unknown (1.0): matched for endpoints that have not yet gone through the posture flow or that have no posture agent
SessionSource
URL-Redirected

Threat

AttributeValuesISE VersionUsage Description
Qualys-CVSS_Base_Score0-102.1Create an authorization policy that uses the vulnerability attributes to automatically quarantine vulnerable endpoints based on the attribute values.
Qualys-CVSS_Temporal_Score0-102.1Create an authorization policy that uses the vulnerability attributes to automatically quarantine vulnerable endpoints based on the attribute values.

WISPr

Attribute#TypeISE VersionUsage Description
WISPr-Bandwidth-Max-Down8integer2.0Limit the maximum downstream bandwidth, in bits per second.
WISPr-Bandwidth-Max-Up7integer2.0Limit the maximum upstream bandwidth, in bits per second.
WISPr-Bandwidth-Min-Down6integer2.0Limit the minimum downstream bandwidth, in bits per second.
WISPr-Bandwidth-Min-Up5integer2.0Limit the minimum upstream bandwidth, in bits per second.
WISPr-Billing-Class-Of-Service11string2.0A service type for billing.
WISPr-Location-ID1string2.0ID of the location of the client. Concatenation of the ISO Country Code, E.164 Country Code, E.164 Area Code and SSID/Zone parameters configured in the profile.
WISPr-Location-Name2string2.0The name of the location of the client.
WISPr-Logoff-URL3string2.0URL of a log out page.
WISPr-Redirection-URL4string2.0URL to which the client is redirected after successful login.
WISPr-Session-Terminate-End-Of-Day10string2.0Indicates that the subscriber session is to be ended at the end of the billing day.
WISPr-Session-Terminate-Time9string2.0Time at which the user should be disconnected, in "YYYY-MM-DDThh:mm:ssTZD" format, where Y is year; M is month; D is day; T is the separator; h is hour (24-hour format); m is minute; s is second; TZD is the time zone designator.
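The format string above is all a NAS or a log parser has to go on, so here is an added Python example (not code from this page, from ISE or from the WISPr specification) that parses it, with the time zone designator taken as either "Z" or an explicit +hh:mm / -hh:mm offset, and turns it into a remaining-seconds value of the kind a NAS would apply as a session limit. The function names, the conversion to a remaining-seconds timeout and the sample timestamps are assumptions constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# YYYY-MM-DDThh:mm:ssTZD, where TZD is "Z" or an explicit +hh:mm / -hh:mm offset.
_TERMINATE_TIME = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})$")


def parse_terminate_time(value):
    """Parse a WISPr-Session-Terminate-Time string into a timezone-aware datetime.
    A value without an explicit zone is rejected: a naive timestamp would be read
    in a different local time by every NAS that received it."""
    match = _TERMINATE_TIME.match(value)
    if not match:
        raise ValueError(f"not a WISPr terminate time: {value!r}")
    stamp, tzd = match.groups()
    if tzd == "Z":
        tz = timezone.utc
    else:
        sign = 1 if tzd[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(tzd[1:3]), minutes=int(tzd[4:6])))
    # strptime validates the calendar fields (month 13, second 61 ...) and raises ValueError.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=tz)


def session_timeout_seconds(value, now):
    """Seconds left until the subscriber must be disconnected, clamped at 0 so a
    terminate time already in the past ends the session rather than granting an
    open-ended one. `now` must be an aware datetime."""
    remaining = (parse_terminate_time(value) - now).total_seconds()
    return max(0, int(remaining))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(session_timeout_seconds("2030-01-01T00:00:00Z", now))
    print(session_timeout_seconds("2000-01-01T00:00:00+02:00", now))   # already past -> 0
```

Rejecting a missing designator and clamping an expired value at zero are the two behaviours worth keeping: a silently mis-read zone shifts every subscriber's cut-off by hours, and an unparsed or negative remainder must fail closed rather than leave the session without a limit.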