See also

RFC 2865 describing the RADIUS protocol.

RADIUS attribute support

When using an authentication method that relies on a RADIUS server, the RADIUS attributes attached to the Access-Accept response can be used to provide values that are forwarded as IKE configuration attributes, or information used for dynamic system configuration.

This concerns the following IKE authentication methods:

  • eap-radius

  • psk-radius

The following tables link to all of the supported RADIUS attributes and document which IKE configuration attribute they are converted to (if any) as well as their compatibility with the various RADIUS authentication methods:

Standard attributes:

                                                       Authentication Method Support
RADIUS attribute          IKE configuration attribute  eap-radius   psk-radius
------------------------  ---------------------------  -----------  ----------------
Framed-IP-Address         INTERNAL_IP4_ADDRESS         Yes          Yes
Framed-IPv6-Address       INTERNAL_IP6_ADDRESS         Yes          Yes
Framed-Route              N/A                          No           with dynamic-gre
Framed-IPv6-Route         N/A                          No           with dynamic-gre
Framed-IP-Netmask         INTERNAL_IP4_NETMASK         Yes          No
DNS-Server-IPv6-Address   INTERNAL_IP6_DNS             Yes          Yes

6WIND Vendor-Specific attributes:

                                                       Authentication Method Support
RADIUS attribute          IKE configuration attribute  eap-radius   psk-radius
------------------------  ---------------------------  -----------  ----------------
ike:internal-ip-subnet    INTERNAL_IP4_SUBNET,         No           with dynamic-gre
                          INTERNAL_IP6_SUBNET
ike:psk-remote            N/A                          No           Yes
ike:local-ts              N/A                          No           Yes
ike:remote-ts             N/A                          No           Yes
ip-address                N/A                          No           with dynamic-gre
l3vrf                     N/A                          No           with dynamic-gre
qos:egress-template       N/A                          No           with dynamic-gre

Microsoft Vendor-Specific attributes:

                                                       Authentication Method Support
RADIUS attribute          IKE configuration attribute  eap-radius   psk-radius
------------------------  ---------------------------  -----------  ----------------
MS-Primary-DNS-Server     INTERNAL_IP4_DNS             Yes          No
MS-Secondary-DNS-Server   INTERNAL_IP4_DNS             Yes          No
MS-Primary-NBNS-Server    INTERNAL_IP4_NBNS            Yes          No
MS-Secondary-NBNS-Server  INTERNAL_IP4_NBNS            Yes          No

Cisco Vendor-Specific attributes:

                                                                   Authentication Method Support
RADIUS attribute                       IKE configuration attribute  eap-radius   psk-radius
-------------------------------------  ---------------------------  -----------  ----------
CVPN3000-Primary-DNS                   INTERNAL_IP4_DNS             Yes          No
CVPN3000-Secondary-DNS                 INTERNAL_IP4_DNS             Yes          No
CVPN3000-Primary-WINS                  INTERNAL_IP4_NBNS            Yes          No
CVPN3000-Secondary-WINS                INTERNAL_IP4_NBNS            Yes          No
CVPN3000-IPSec-Banner1                 UNITY_BANNER                 Yes          No
CVPN3000-IPSec-Banner2                 UNITY_BANNER                 Yes          No
CVPN3000-IPSec-Default-Domain          UNITY_DEF_DOMAIN             Yes          No
CVPN3000-IPSec-Split-DNS-Names         UNITY_SPLITDNS_NAME          Yes          No
CVPN3000-IPSec-Split-Tunneling-Policy  UNITY_SPLIT_INCLUDE,         Yes          No
                                       UNITY_LOCAL_LAN
CVPN3000-IPSec-Split-Tunnel-List       N/A                          Yes          No

Standard attributes

Framed-IP-Address

Supported by: eap-radius, psk-radius.

Used to supply an IPv4 VIP to the IKE peer.

The IPv4 address specified this way is forwarded to the IKE peer as an INTERNAL_IP4_ADDRESS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all addresses specified this way are gathered into a pool dedicated to the IKE SA being authenticated. VIPs are then drawn from this pool when requested by the IKE peer.

Framed-IPv6-Address

Supported by: eap-radius, psk-radius.

Used to supply an IPv6 VIP to the IKE peer.

The IPv6 address specified this way is forwarded to the IKE peer as an INTERNAL_IP6_ADDRESS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all addresses specified this way are gathered into a pool from which they are drawn when requested by the IKE peer.

Framed-Route

Supported by: psk-radius (with dynamic-gre).

Used to install an IPv4 route via the local dynamic GRE interface.

If the l3vrf RADIUS attribute is also present, the routes will be installed in the specified L3VRF.

Must be an IPv4 subnet in CIDR notation, optionally followed by the tag keyword and a decimal number.

Examples:
  • 10.1.2.0/24 will install a route to 10.1.2.0/24 via the dynamic GRE interface.

  • 10.6.0.0/16 tag 1234 will install a route to 10.6.0.0/16 via the dynamic GRE interface, with tag 1234.

This attribute can be specified any number of times; all of the routes specified this way will be installed.

See also

RFC 2865#section-5.22 describing Framed-Route

Framed-IPv6-Route

Supported by: psk-radius (with dynamic-gre).

Used to install an IPv6 route via the local dynamic GRE interface.

If the l3vrf RADIUS attribute is also present, the routes will be installed in the specified L3VRF.

Must be an IPv6 subnet in CIDR notation, optionally followed by the tag keyword and a decimal number.

Examples:
  • fd00:1:2::/64 will install a route to fd00:1:2::/64 via the dynamic GRE interface.

  • fd00:6::/32 tag 789 will install a route to fd00:6::/32 via the dynamic GRE interface, with tag 789.

This attribute can be specified any number of times; all of the routes specified this way will be installed.

See also

RFC 3162#section-2.5 describing Framed-IPv6-Route
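An added example (not the product's code) that validates Framed-Route and Framed-IPv6-Route values in the syntax described above and pairs them with the l3vrf attribute. Rejecting prefixes with host bits set and taking the first l3vrf when several are present are assumptions made here, not documented behaviour.

```python
import ipaddress

# Address family each attribute is allowed to carry (from the page).
EXPECTED_VERSION = {"Framed-Route": 4, "Framed-IPv6-Route": 6}


def parse_framed_route(attr, value):
    """Parse '<subnet>/<prefix>' optionally followed by 'tag <decimal>'.

    Returns (network, tag) with tag None when absent.  Raises ValueError on
    bad syntax, on a family mismatch (an IPv6 prefix in Framed-Route) and,
    as an assumption of this example, on prefixes with host bits set, so a
    malformed value is rejected rather than silently installed.
    """
    expected = EXPECTED_VERSION[attr]
    parts = value.split()
    if len(parts) not in (1, 3):
        raise ValueError("expected '<cidr>' or '<cidr> tag <n>': %r" % value)
    net = ipaddress.ip_network(parts[0], strict=True)
    if net.version != expected:
        raise ValueError("%s carries an IPv%d prefix: %r" % (attr, net.version, value))
    tag = None
    if len(parts) == 3:
        if parts[1] != "tag" or not parts[2].isdigit():
            raise ValueError("malformed tag clause: %r" % value)
        tag = int(parts[2])
    return net, tag


def plan_routes(attrs):
    """Collect every route from (attribute, value) pairs in Access-Accept order
    and the L3VRF they go to (None means the default VRF).  The page says only
    one l3vrf is used when several are present; this example takes the first
    (assumption).  Returns a list of (network, tag, vrf) tuples."""
    vrf = next((v for a, v in attrs if a == "l3vrf"), None)
    return [parse_framed_route(a, v) + (vrf,)
            for a, v in attrs if a in EXPECTED_VERSION]
```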

Framed-IP-Netmask

Supported by: eap-radius.

Used to supply an IPv4 netmask to the IKE peer.

The netmask specified this way is forwarded to the IKE peer as an INTERNAL_IP4_NETMASK IKE attribute in a Configuration Payload exchange.

At most one INTERNAL_IP4_NETMASK IKE attribute is allowed according to RFC 7296#section-3.15.1. However, since the Framed-IP-Netmask RADIUS attribute does not have this limitation, the Virtual Service Router will forward as many INTERNAL_IP4_NETMASK IKE attributes as there are Framed-IP-Netmask RADIUS attributes.

DNS-Server-IPv6-Address

Supported by: eap-radius.

Used to supply the IPv6 address of a DNS server to the IKE peer.

The IPv6 address is forwarded to the IKE peer as an INTERNAL_IP6_DNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

6WIND Vendor-Specific attributes

A 6WIND Vendor-Specific RADIUS attribute uses the 6WIND PEN (7336) as the Vendor-Id and follows the TLV sub-layout described in RFC 2865#section-5.26.

All of the sub-attributes described below are of a type referred to as 6WIND-AVPair, consisting of a vendor type of 1 and an ASCII string as an Attribute-Specific value. This string is of the form Attr=Value with Attr being a string containing the name of the 6WIND-AVPair attribute and Value being the value whose expected format will depend on Attr.

For example, l3vrf=abc as a value to a 6WIND-AVPair sub-attribute represents an l3vrf attribute with a value of abc.

Note

Only the first = character serves as a delimiter. For example a 6WIND-AVPair sub-attribute with a value of ike:psk-remote=abc=123 represents an ike:psk-remote attribute with a value of abc=123.

ike:internal-ip-subnet

Supported by: psk-radius (with dynamic-gre).

Used to supply an IPv4 or IPv6 subnet to the IKE peer.

A subnet specified this way is forwarded to the IKE peer as an INTERNAL_IP4_SUBNET or INTERNAL_IP6_SUBNET IKE attribute in a Configuration Payload exchange.

The value must be an ASCII string that contains either an IP subnet in CIDR notation or the interface keyword followed by the name of an interface whose IPv4 and IPv6 addresses should be forwarded.

Examples:
  • ike:internal-ip-subnet=10.12.34.0/24

  • ike:internal-ip-subnet=fd00:56:78::/64

  • ike:internal-ip-subnet=interface Loopback1

Note

When obtaining addresses from an interface the maximum prefix length for the relevant IP version will be used (32 for IPv4 and 128 for IPv6).

This attribute also exists under the specialized ike:internal-ip4-subnet and ike:internal-ip6-subnet forms. These may be used to restrict which protocol family is considered when forwarding addresses from an interface.

Examples:
  • ike:internal-ip4-subnet=interface Loopback4

  • ike:internal-ip6-subnet=interface Loopback6

This attribute can be specified any number of times; all of the subnets specified this way will be forwarded via the appropriate IKE attribute.

Note

When using the local dynamic GRE interface to perform cross-VRF encapsulation and using interface names as values, these interfaces must be located in the VRF of plaintext packets and not in the link-VRF.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET

ike:psk-remote

Supported by: psk-radius.

Used to supply a PSK to the IKE daemon in order to authenticate the IKE peer.

The value must be the PSK as raw bytes (not limited to printable characters).

Also exists as ike:psk-remote-hex, in which case the value must be an ASCII string containing the hexadecimal encoding of the PSK. This hexadecimal value may include a 0x prefix and may contain both lowercase and uppercase letters. If this value contains an odd number of characters, the leftmost 4 bits of the result will be set to 0 (e.g. 0x1 results in 0x01).

Examples:
  • ike:psk-remote=foo

  • ike:psk-remote-hex=666f6F

  • ike:psk-remote-hex=0x123

This attribute should only be specified once. If specified multiple times, only one of the attributes will be selected depending on how the attributes are ordered in the Access-Accept response.
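The 6WIND-AVPair encoding and the ike:psk-remote-hex rules described above, worked through in added example code that is not part of the Virtual Service Router or its documentation: it builds and parses a Vendor-Specific attribute (type 26, Vendor-Id 7336) carrying 6WIND-AVPair sub-attributes, splits only at the first =, and decodes a hex PSK. The attribute walker, the 255-octet length check and the error handling are this example's assumptions about how a RADIUS implementation would reasonably treat malformed input.

```python
import struct

SIXWIND_PEN = 7336          # 6WIND Private Enterprise Number (from the page)
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
SIXWIND_AVPAIR = 1          # vendor type of the 6WIND-AVPair sub-attribute

def build_vsa(pairs):
    """Encode one Vendor-Specific attribute (type 26, Vendor-Id 7336) carrying
    one 6WIND-AVPair sub-attribute per entry of pairs (str or raw bytes)."""
    body = b""
    for p in pairs:
        v = p if isinstance(p, bytes) else p.encode("ascii")
        body += struct.pack("!BB", SIXWIND_AVPAIR, 2 + len(v)) + v
    vendor = struct.pack("!I", SIXWIND_PEN) + body
    if 2 + len(vendor) > 255:            # RFC 2865 one-octet length field
        raise ValueError("VSA too long; split the pairs across several VSAs")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor)) + vendor

def parse_avpairs(attrs):
    """Walk the attribute area of an Access-Accept and return (Attr, Value)
    tuples from every 6WIND-AVPair found.  Only the first '=' is a delimiter,
    so b'ike:psk-remote=abc=123' yields ('ike:psk-remote', b'abc=123').
    Values stay bytes because ike:psk-remote may carry non-printable data."""
    out, off = [], 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % off)
        if (atype == ATTR_VENDOR_SPECIFIC and alen >= 6
                and struct.unpack("!I", attrs[off + 2:off + 6])[0] == SIXWIND_PEN):
            sub, soff = attrs[off + 6:off + alen], 0
            while soff + 2 <= len(sub):
                vtype, vlen = sub[soff], sub[soff + 1]
                if vlen < 2 or soff + vlen > len(sub):
                    raise ValueError("malformed sub-attribute at offset %d" % off)
                if vtype == SIXWIND_AVPAIR:
                    name, _, value = sub[soff + 2:soff + vlen].partition(b"=")
                    out.append((name.decode("ascii"), value))
                soff += vlen
        off += alen
    return out

def decode_psk_hex(value):
    """Decode an ike:psk-remote-hex value: optional 0x prefix, mixed case,
    and an odd number of digits is left-padded with a zero nibble
    (0x123 -> bytes 01 23, as the page describes)."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if value[:2].lower() == "0x":
        value = value[2:]
    if len(value) % 2:
        value = "0" + value
    return bytes.fromhex(value)
```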

ike:local-ts

Supported by: psk-radius.

Used to supply a traffic selector to narrow the child SAs' local traffic selectors (TSr).

The narrowing is performed on top of the one already done based on the vpn security-policy local-ts and vpn security-policy traffic-selectors local-ts configuration commands.

The value must be an IPv4 or IPv6 subnet.

Examples:
  • ike:local-ts=192.0.2.0/24

  • ike:local-ts=2001:db8:1::/64

This attribute may be specified multiple times. The narrowing is then performed based on the list of traffic selectors.

ike:remote-ts

Supported by: psk-radius.

Used to supply a traffic selector to narrow the child SAs' remote traffic selectors (TSi).

The narrowing is performed on top of the one already done based on the vpn security-policy remote-ts and vpn security-policy traffic-selectors remote-ts configuration commands.

The value must be an IPv4 or IPv6 subnet.

Examples:
  • ike:remote-ts=198.51.100.0/24

  • ike:remote-ts=2001:db8:2::/64

This attribute may be specified multiple times. The narrowing is then performed based on the list of traffic selectors.

ip-address

Supported by: psk-radius (with dynamic-gre).

Used to assign an IP address to the local dynamic GRE interface.

The value must be an ASCII string containing either an IP address or the interface keyword followed by the name of an interface whose IP addresses should be copied. The IP addresses are applied with the maximum prefix length for the relevant IP version (32 for IPv4 and 128 for IPv6).

Examples:
  • ip-address=10.1.2.3

  • ip-address=fd00:1::2:3

  • ip-address=interface Loopback1

This attribute also exists under the specialized ip4-address and ip6-address forms for IPv4 and IPv6 respectively. These may be used to restrict which protocol family is considered when obtaining addresses from an interface.

Examples:
  • ip4-address=interface Loopback4

  • ip6-address=interface Loopback6

This attribute can be specified any number of times; all of the addresses specified this way will be installed.

Note

When using the local dynamic GRE interface to perform cross-VRF encapsulation and using interface names as values, these interfaces must be located in the VRF of plaintext packets and not in the link-VRF.

l3vrf

Supported by: psk-radius (with dynamic-gre).

Used to specify the name of an L3VRF to which the local dynamic GRE interface should be attached.

Also affects which L3VRF the routes specified by Framed-Route and Framed-IPv6-Route attributes are installed in.

The value must be an ASCII string containing the name of the target L3VRF.

Example:
  • l3vrf=user6-l3vrf

This attribute should only be specified once. If specified multiple times, only one of the attributes will be selected depending on how the attributes are ordered in the Access-Accept response.

qos:egress-template

Supported by: psk-radius (with dynamic-gre).

Used to specify the QoS template to apply on the local dynamic GRE interface.

The value must be an ASCII string containing the name of the QoS template defined in the gre-template.

Example:

  • qos:egress-template=SILVER-1000K

This attribute should only be specified once. If specified multiple times, only one of the attributes will be selected depending on how the attributes are ordered in the Access-Accept response.

Microsoft Vendor-Specific attributes

MS-Primary-DNS-Server

Supported by: eap-radius.

Used to supply the IPv4 address of a DNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS

MS-Secondary-DNS-Server

Supported by: eap-radius.

Used to supply the IPv4 address of a DNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS

MS-Primary-NBNS-Server

Supported by: eap-radius.

Used to supply the IPv4 address of an NBNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS

MS-Secondary-NBNS-Server

Supported by: eap-radius.

Used to supply the IPv4 address of an NBNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS

Cisco Vendor-Specific attributes

CVPN3000-Primary-DNS

Supported by: eap-radius.

Used to supply the IPv4 address of a DNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS

CVPN3000-Secondary-DNS

Supported by: eap-radius.

Used to supply the IPv4 address of a DNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS

CVPN3000-Primary-WINS

Supported by: eap-radius.

Used to supply the IPv4 address of an NBNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS

CVPN3000-Secondary-WINS

Supported by: eap-radius.

Used to supply the IPv4 address of an NBNS server to the IKE peer.

The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.

This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.

See also

RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS

CVPN3000-IPSec-Banner1

Supported by: eap-radius.

The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28672 (UNITY_BANNER).

This attribute can be specified any number of times.

CVPN3000-IPSec-Banner2

Supported by: eap-radius.

The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28672 (UNITY_BANNER).

This attribute can be specified any number of times.

CVPN3000-IPSec-Default-Domain

Supported by: eap-radius.

The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28674 (UNITY_DEF_DOMAIN).

This attribute can be specified any number of times.

CVPN3000-IPSec-Split-DNS-Names

Supported by: eap-radius.

The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28675 (UNITY_SPLITDNS_NAME).

This attribute can be specified any number of times.

CVPN3000-IPSec-Split-Tunneling-Policy

Supported by: eap-radius.

The value of this attribute determines which type of private IKE configuration attribute is used to forward the value of the CVPN3000-IPSec-Split-Tunnel-List attribute:

  • A value of 1 maps to a type value of 28676 (UNITY_SPLIT_INCLUDE).

  • A value of 2 maps to a type value of 28678 (UNITY_LOCAL_LAN).

  • Any other value will be ignored.

This attribute should only be specified once. If specified multiple times, only one of the valid attributes will be selected depending on how they are ordered in the Access-Accept response.

CVPN3000-IPSec-Split-Tunnel-List

Supported by: eap-radius.

The value of this attribute is forwarded to the IKE peer via a private IKE configuration attribute determined by the value of the CVPN3000-IPSec-Split-Tunneling-Policy RADIUS attribute for the given RADIUS user. In the absence of a valid CVPN3000-IPSec-Split-Tunneling-Policy RADIUS attribute, forwarding will not occur.

This attribute can be specified any number of times.