See also
RFC 2865 describing the RADIUS protocol.
RADIUS attribute support¶
When using an authentication method that relies on a RADIUS server, the RADIUS attributes attached to the Access-Accept response can be used to provide values that are forwarded as IKE configuration attributes, or information regarding dynamic system configuration.
This concerns the following IKE authentication methods:
- Remote peer authentication by EAP via RADIUS (eap-radius)
- Remote peer authentication by PSK via RADIUS (psk-radius)
The following tables link to all of the supported RADIUS attributes and document which IKE configuration attribute they are converted to (if any) as well as their compatibility with the various RADIUS authentication methods:
| RADIUS attribute | IKE configuration attribute | Supported with eap-radius | Supported with psk-radius |
|---|---|---|---|
| Framed-IP-Address | INTERNAL_IP4_ADDRESS | Yes | Yes |
| Framed-IPv6-Address | INTERNAL_IP6_ADDRESS | Yes | Yes |
| Framed-Route | N/A | No | with dynamic-gre |
| Framed-IPv6-Route | N/A | No | with dynamic-gre |
| Framed-IP-Netmask | INTERNAL_IP4_NETMASK | Yes | No |
| DNS-Server-IPv6-Address | INTERNAL_IP6_DNS | Yes | Yes |
6WIND Vendor-Specific attributes:
| RADIUS attribute | IKE configuration attribute | Supported with eap-radius | Supported with psk-radius |
|---|---|---|---|
| ike:internal-ip-subnet | INTERNAL_IP4_SUBNET, INTERNAL_IP6_SUBNET | No | with dynamic-gre |
| ike:psk-remote | N/A | No | Yes |
| ike:local-ts | N/A | No | Yes |
| ike:remote-ts | N/A | No | Yes |
| ip-address | N/A | No | with dynamic-gre |
| l3vrf | N/A | No | with dynamic-gre |
| qos:egress-template | N/A | No | with dynamic-gre |
Microsoft Vendor-Specific attributes:
| RADIUS attribute | IKE configuration attribute | Supported with eap-radius | Supported with psk-radius |
|---|---|---|---|
| MS-Primary-DNS-Server | INTERNAL_IP4_DNS | Yes | No |
| MS-Secondary-DNS-Server | INTERNAL_IP4_DNS | Yes | No |
| MS-Primary-NBNS-Server | INTERNAL_IP4_NBNS | Yes | No |
| MS-Secondary-NBNS-Server | INTERNAL_IP4_NBNS | Yes | No |
Cisco Vendor-Specific attributes:
| RADIUS attribute | IKE configuration attribute | Supported with eap-radius | Supported with psk-radius |
|---|---|---|---|
| CVPN3000-Primary-DNS | INTERNAL_IP4_DNS | Yes | No |
| CVPN3000-Secondary-DNS | INTERNAL_IP4_DNS | Yes | No |
| CVPN3000-Primary-WINS | INTERNAL_IP4_NBNS | Yes | No |
| CVPN3000-Secondary-WINS | INTERNAL_IP4_NBNS | Yes | No |
| CVPN3000-IPSec-Banner1 | UNITY_BANNER | Yes | No |
| CVPN3000-IPSec-Banner2 | UNITY_BANNER | Yes | No |
| CVPN3000-IPSec-Default-Domain | UNITY_DEF_DOMAIN | Yes | No |
| CVPN3000-IPSec-Split-DNS-Names | UNITY_SPLITDNS_NAME | Yes | No |
| CVPN3000-IPSec-Split-Tunnel-List | UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN | Yes | No |
| CVPN3000-IPSec-Split-Tunneling-Policy | N/A | Yes | No |
Standard attributes¶
Framed-IP-Address¶
Supported by: eap-radius, psk-radius.
Used to supply an IPv4 VIP to the IKE peer.
The IPv4 address specified this way is forwarded to the IKE peer as an INTERNAL_IP4_ADDRESS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all addresses specified this way are gathered into a pool dedicated to the IKE SA being authenticated. VIPs will then be drawn from this pool when requested by the IKE peer.
See also
Assigning a virtual IP and configuration attributes from a RADIUS server
RFC 2865#section-5.8 describing Framed-IP-Address
RFC 7296#section-3.15.1 describing INTERNAL_IP4_ADDRESS
Framed-IPv6-Address¶
Supported by: eap-radius, psk-radius.
Used to supply an IPv6 VIP to the IKE peer.
The IPv6 address specified this way is forwarded to the IKE peer as an INTERNAL_IP6_ADDRESS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all addresses specified this way are gathered into a pool from which they can be drawn when requested by the IKE peer.
See also
Assigning a virtual IP and configuration attributes from a RADIUS server
RFC 6911#section-3.1 describing Framed-IPv6-Address
RFC 7296#section-3.15.1 describing INTERNAL_IP6_ADDRESS
Framed-Route¶
Supported by: psk-radius (with dynamic-gre).
Used to install an IPv4 route via the local dynamic GRE interface.
If the l3vrf RADIUS attribute is also present, the routes will be installed in the specified L3VRF.
Must be an IPv4 subnet in CIDR notation, optionally followed by tag and a decimal number.
- Examples:
10.1.2.0/24 will install a route to 10.1.2.0/24 via the dynamic GRE interface.
10.6.0.0/16 tag 1234 will install a route to 10.6.0.0/16 via the dynamic GRE interface, with tag 1234.
This attribute can be specified any number of times; all of the routes specified this way will be installed.
See also
RFC 2865#section-5.22 describing Framed-Route
Framed-IPv6-Route¶
Supported by: psk-radius (with dynamic-gre).
Used to install an IPv6 route via the local dynamic GRE interface.
If the l3vrf RADIUS attribute is also present, the routes will be installed in the specified L3VRF.
Must be an IPv6 subnet in CIDR notation, optionally followed by tag and a decimal number.
- Examples:
fd00:1:2::/64 will install a route to fd00:1:2::/64 via the dynamic GRE interface.
fd00:6::/32 tag 789 will install a route to fd00:6::/32 via the dynamic GRE interface, with tag 789.
This attribute can be specified any number of times; all of the routes specified this way will be installed.
See also
RFC 3162#section-2.5 describing Framed-IPv6-Route
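As an added example (not part of the 6WIND documentation or product code), this Python parser implements the Framed-Route and Framed-IPv6-Route value grammar described above: a subnet in CIDR notation, optionally followed by tag and a decimal number. The (attribute-name, value) pair list standing in for a RADIUS client library's output and the strict rejection of host bits in the prefix are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class FramedRoute(NamedTuple):
    prefix: Network        # destination, installed via the local dynamic GRE interface
    tag: Optional[int]     # route tag, None when no "tag N" clause was present


def parse_framed_route(value: str, family: int) -> FramedRoute:
    """Parse a Framed-Route (family=4) or Framed-IPv6-Route (family=6) value.

    Grammar from the documentation: a subnet in CIDR notation, optionally
    followed by the word "tag" and a decimal number. Anything else is rejected
    so that a malformed attribute never installs an unintended route.
    """
    parts = value.split()
    if len(parts) not in (1, 3):
        raise ValueError(f"bad route syntax: {value!r}")
    # strict=True (an assumption of this example) rejects host bits such as 10.1.2.3/24
    prefix = ipaddress.ip_network(parts[0], strict=True)
    if prefix.version != family:
        raise ValueError(f"expected an IPv{family} subnet, got {parts[0]!r}")
    tag = None
    if len(parts) == 3:
        if parts[1] != "tag" or not parts[2].isdecimal():
            raise ValueError(f"bad tag clause in {value!r}")
        tag = int(parts[2])
    return FramedRoute(prefix, tag)


def routes_from_access_accept(attrs):
    """Collect every route from the (attribute-name, value) pairs of an Access-Accept.

    The pair list is a constructed stand-in for what a RADIUS client library
    returns. All valid routes are kept ("specified any number of times");
    invalid ones are reported rather than installed.
    """
    routes, errors = [], []
    for name, value in attrs:
        family = {"Framed-Route": 4, "Framed-IPv6-Route": 6}.get(name)
        if family is None:
            continue                      # not a route attribute
        try:
            routes.append(parse_framed_route(value, family))
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
    return routes, errors
```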
Framed-IP-Netmask¶
Supported by: eap-radius.
Used to supply an IPv4 netmask to the IKE peer.
The netmask specified this way is forwarded to the IKE peer as an INTERNAL_IP4_NETMASK IKE attribute in a Configuration Payload exchange.
At most one INTERNAL_IP4_NETMASK IKE attribute is allowed according to RFC 7296#section-3.15.1. However, since the Framed-IP-Netmask RADIUS attribute does not have this limitation, the Virtual Service Router will forward as many INTERNAL_IP4_NETMASK IKE attributes as there are Framed-IP-Netmask RADIUS attributes.
See also
RFC 2865#section-5.9 describing Framed-IP-Netmask
RFC 7296#section-3.15.1 describing INTERNAL_IP4_NETMASK
DNS-Server-IPv6-Address¶
Supported by: eap-radius.
Used to supply the IPv6 address of a DNS server to the IKE peer.
The IPv6 address is forwarded to the IKE peer as an INTERNAL_IP6_DNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 6911#section-3.2 describing DNS-Server-IPv6-Address
RFC 7296#section-3.15.1 describing INTERNAL_IP6_DNS
6WIND Vendor-Specific attributes¶
A 6WIND Vendor-Specific RADIUS attribute uses the 6WIND PEN (7336) as the Vendor-Id and follows the TLV sub-layout described in RFC 2865#section-5.26.
All of the sub-attributes described below are of a type referred to as 6WIND-AVPair, consisting of a vendor type of 1 and an ASCII string as the Attribute-Specific value. This string is of the form Attr=Value, with Attr being a string containing the name of the 6WIND-AVPair attribute and Value being the value, whose expected format depends on Attr.
For example, l3vrf=abc as the value of a 6WIND-AVPair sub-attribute represents an l3vrf attribute with a value of abc.
Note
Only the first = character serves as a delimiter. For example, a 6WIND-AVPair sub-attribute with a value of ike:psk-remote=abc=123 represents an ike:psk-remote attribute with a value of abc=123.
See also
RFC 2865#section-5.26 describing RADIUS Vendor-Specific attributes
ike:internal-ip-subnet¶
Supported by: psk-radius (with dynamic-gre).
Used to supply an IPv4 or IPv6 subnet to the IKE peer.
A subnet specified this way is forwarded to the IKE peer as an INTERNAL_IP4_SUBNET or INTERNAL_IP6_SUBNET IKE attribute in a Configuration Payload exchange.
The value must be an ASCII string that contains either an IP subnet in CIDR notation or the interface keyword followed by the name of an interface whose IPv4 and IPv6 addresses should be forwarded.
- Examples:
ike:internal-ip-subnet=10.12.34.0/24
ike:internal-ip-subnet=fd00:56:78::/64
ike:internal-ip-subnet=interface Loopback1
Note
When obtaining addresses from an interface, the maximum prefix length for the relevant IP version will be used (32 for IPv4 and 128 for IPv6).
This attribute also exists under the specialized ike:internal-ip4-subnet and ike:internal-ip6-subnet forms. These may be used to restrict which protocol family is considered when forwarding addresses from an interface.
- Examples:
ike:internal-ip4-subnet=interface Loopback4
ike:internal-ip6-subnet=interface Loopback6
This attribute can be specified any number of times; all of the subnets specified this way will be forwarded via the appropriate IKE attribute.
Note
When using the local dynamic GRE interface to perform cross-VRF encapsulation and using interface names as values, these interfaces must be located in the VRF of plaintext packets and not in the link-VRF.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET
ike:psk-remote¶
Supported by: psk-radius.
Used to supply a PSK to the IKE daemon in order to authenticate the IKE peer.
The value must be the PSK as raw bytes (not limited to printable characters).
Also exists as ike:psk-remote-hex, in which case the value must be an ASCII string containing the hexadecimal encoding of the PSK. This hexadecimal value may include a 0x prefix and may contain both lowercase and uppercase letters. If this value contains an odd number of characters, the leftmost 4 bits of the result will be set to 0 (e.g. 0x1 results in 0x01).
- Examples:
ike:psk-remote=foo
ike:psk-remote-hex=666f6F
ike:psk-remote-hex=0x123
This attribute should only be specified once. If specified multiple times, only one of the attributes will be selected depending on how the attributes are ordered in the Access-Accept response.
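The following is an added example (not 6WIND code) covering both the 6WIND-AVPair encoding described in the section introduction and the ike:psk-remote / ike:psk-remote-hex rules above: it walks raw RFC 2865 attribute bytes, picks out Vendor-Specific attributes carrying the 6WIND PEN, splits each AVPair on the first = only, and decodes the hex form with its optional 0x prefix, mixed case and odd-digit-count behaviour. The sample attribute bytes are constructed for the example, and values are kept as bytes because ike:psk-remote may carry non-printable octets.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865 section 5.26)
PEN_6WIND = 7336       # 6WIND Private Enterprise Number used as Vendor-Id
AVPAIR_TYPE = 1        # vendor type of the 6WIND-AVPair sub-attribute


def build_6wind_avpair(pair: bytes) -> bytes:
    # Constructed sample input only: Type, Length, Vendor-Id, then the vendor
    # TLV (Vendor-Type, Vendor-Length, Attr=Value). Both lengths count themselves.
    sub = struct.pack("!BB", AVPAIR_TYPE, 2 + len(pair)) + pair
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), PEN_6WIND) + sub


def parse_6wind_avpairs(attrs: bytes):
    """Yield (attr, value) for each 6WIND-AVPair in a run of RADIUS attributes.
    Only the first '=' delimits (ike:psk-remote=abc=123 -> b'abc=123'); values
    stay bytes since ike:psk-remote may hold non-printable octets."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("truncated RADIUS attribute")
        body, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue                          # not a VSA, or too short for a TLV
        if struct.unpack("!I", body[:4])[0] != PEN_6WIND:
            continue                          # another vendor's VSA
        sub, spos = body[4:], 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("truncated vendor sub-attribute")
            if vtype == AVPAIR_TYPE:
                attr, sep, value = sub[spos + 2:spos + vlen].partition(b"=")
                if sep:
                    yield attr.decode("ascii"), value
            spos += vlen


def decode_psk(attr: str, value: bytes) -> bytes:
    """Return the raw PSK carried by ike:psk-remote or ike:psk-remote-hex."""
    if attr == "ike:psk-remote":
        return value                          # already the raw key bytes
    if attr != "ike:psk-remote-hex":
        raise ValueError(f"not a PSK attribute: {attr}")
    text = value.decode("ascii")
    if text[:2].lower() == "0x":              # optional prefix, either case
        text = text[2:]
    if not text or any(c not in "0123456789abcdefABCDEF" for c in text):
        raise ValueError("ike:psk-remote-hex is not a hexadecimal string")
    if len(text) % 2:                         # odd digit count: top 4 bits are 0
        text = "0" + text
    return bytes.fromhex(text)
```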
ike:local-ts¶
Supported by: psk-radius.
Used to supply a traffic selector to narrow the child SAs' local traffic selectors (TSr).
The narrowing is performed on top of the one already done based on the vpn security-policy local-ts and vpn security-policy traffic-selectors local-ts configuration commands.
The value must be an IPv4 or IPv6 subnet.
- Examples:
ike:local-ts=192.0.2.0/24
ike:local-ts=2001:db8:1::/64
This attribute may be specified multiple times. The narrowing is then performed based on the list of traffic selectors.
ike:remote-ts¶
Supported by: psk-radius.
Used to supply a traffic selector to narrow the child SAs' remote traffic selectors (TSi).
The narrowing is performed on top of the one already done based on the vpn security-policy remote-ts and vpn security-policy traffic-selectors remote-ts configuration commands.
The value must be an IPv4 or IPv6 subnet.
- Examples:
ike:remote-ts=198.51.100.0/24
ike:remote-ts=2001:db8:2::/64
This attribute may be specified multiple times. The narrowing is then performed based on the list of traffic selectors.
ip-address¶
Supported by: psk-radius (with dynamic-gre).
Used to assign an IP address to the local dynamic GRE interface.
The value must be an ASCII string containing either an IP address or the interface keyword followed by the name of an interface whose IP addresses should be copied. The IP addresses will be applied with the maximum prefix length for the relevant IP version (32 for IPv4 and 128 for IPv6).
- Examples:
ip-address=10.1.2.3
ip-address=fd00:1::2:3
ip-address=interface Loopback1
This attribute also exists under the specialized ip4-address and ip6-address forms for IPv4 and IPv6 respectively. These may be used to restrict which protocol family is considered when obtaining addresses from an interface.
- Examples:
ip4-address=interface Loopback4
ip6-address=interface Loopback6
This attribute can be specified any number of times; all of the addresses specified this way will be installed.
Note
When using the local dynamic GRE interface to perform cross-VRF encapsulation and using interface names as values, these interfaces must be located in the VRF of plaintext packets and not in the link-VRF.
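As an added illustration (not the product's implementation), this resolves the value forms shared by ike:internal-ip-subnet and ip-address above, including their ip4/ip6 variants: a literal subnet or address, or the interface keyword, with interface addresses taken at the maximum prefix length (32 for IPv4, 128 for IPv6) and families filtered by the attribute form. The interface address table is a constructed stand-in for the router's configuration.

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for the router's interface address table (the product
# reads these from the running configuration). Values are address/prefix.
INTERFACE_ADDRESSES: Dict[str, List[str]] = {
    "Loopback1": ["10.9.0.1/32", "fd00:9::1/128"],
    "Loopback4": ["192.0.2.10/24"],
    "Loopback6": ["2001:db8:6::1/64"],
}

# Address families each attribute form may yield, per the documentation.
FAMILIES = {
    "ike:internal-ip-subnet": (4, 6),
    "ike:internal-ip4-subnet": (4,),
    "ike:internal-ip6-subnet": (6,),
    "ip-address": (4, 6),
    "ip4-address": (4,),
    "ip6-address": (6,),
}


def resolve_address_value(attr: str, value: str,
                          interfaces: Dict[str, List[str]] = INTERFACE_ADDRESSES) -> List[Network]:
    """Expand one attribute value into the networks it stands for.

    Accepts a literal (CIDR subnet for the ike:* forms, plain address for the
    ip*-address forms) or "interface NAME". Interface addresses are taken with
    the maximum prefix length (/32 or /128); families not permitted by the
    attribute form are dropped, and an empty result is an error.
    """
    families = FAMILIES[attr]
    parts = value.split()
    if len(parts) == 2 and parts[0] == "interface":
        if parts[1] not in interfaces:
            raise ValueError(f"unknown interface {parts[1]!r}")
        hosts = [ipaddress.ip_interface(a).ip for a in interfaces[parts[1]]]
        nets = [ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}") for ip in hosts]
    elif len(parts) == 1 and attr.startswith("ike:"):
        nets = [ipaddress.ip_network(parts[0], strict=True)]   # subnet in CIDR notation
    elif len(parts) == 1:
        ip = ipaddress.ip_address(parts[0])                     # a single address
        nets = [ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")]
    else:
        raise ValueError(f"bad value {value!r} for {attr}")
    selected = [n for n in nets if n.version in families]
    if not selected:
        raise ValueError(f"{value!r} yields no address of a family allowed for {attr}")
    return selected
```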
l3vrf¶
Supported by: psk-radius (with dynamic-gre).
Used to specify the name of an L3VRF to which the local dynamic GRE interface should be attached.
Also affects which L3VRF the routes specified by Framed-Route and Framed-IPv6-Route attributes are installed in.
The value must be an ASCII string containing the name of the target L3VRF.
- Example:
l3vrf=user6-l3vrf
This attribute should only be specified once. If specified multiple times, only one of the attributes will be selected depending on how the attributes are ordered in the Access-Accept response.
qos:egress-template¶
Supported by: psk-radius (with dynamic-gre).
Used to specify the QoS template to apply on the local dynamic GRE interface.
The value must be an ASCII string containing the name of the QoS template defined in the gre-template.
- Example:
qos:egress-template=SILVER-1000K
This attribute should only be specified once. If specified multiple times, only one of the attributes will be selected depending on how the attributes are ordered in the Access-Accept response.
Microsoft Vendor-Specific attributes¶
MS-Primary-DNS-Server¶
Supported by: eap-radius.
Used to supply the IPv4 address of a DNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS
MS-Secondary-DNS-Server¶
Supported by: eap-radius.
Used to supply the IPv4 address of a DNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS
MS-Primary-NBNS-Server¶
Supported by: eap-radius.
Used to supply the IPv4 address of an NBNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS
MS-Secondary-NBNS-Server¶
Supported by: eap-radius.
Used to supply the IPv4 address of an NBNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS
Cisco Vendor-Specific attributes¶
CVPN3000-Primary-DNS¶
Supported by: eap-radius.
Used to supply the IPv4 address of a DNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS
CVPN3000-Secondary-DNS¶
Supported by: eap-radius.
Used to supply the IPv4 address of a DNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_DNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_DNS
CVPN3000-Primary-WINS¶
Supported by: eap-radius.
Used to supply the IPv4 address of an NBNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS
CVPN3000-Secondary-WINS¶
Supported by: eap-radius.
Used to supply the IPv4 address of an NBNS server to the IKE peer.
The IPv4 address is forwarded to the IKE peer as an INTERNAL_IP4_NBNS IKE attribute in a Configuration Payload exchange.
This attribute can be specified any number of times; all of the addresses specified this way will be forwarded.
See also
RFC 7296#section-3.15.1 describing INTERNAL_IP4_NBNS
CVPN3000-IPSec-Banner1¶
Supported by: eap-radius.
The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28672 (UNITY_BANNER).
This attribute can be specified any number of times.
CVPN3000-IPSec-Banner2¶
Supported by: eap-radius.
The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28672 (UNITY_BANNER).
This attribute can be specified any number of times.
CVPN3000-IPSec-Default-Domain¶
Supported by: eap-radius.
The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28674 (UNITY_DEF_DOMAIN).
This attribute can be specified any number of times.
CVPN3000-IPSec-Split-DNS-Names¶
Supported by: eap-radius.
The value of this attribute is forwarded to the IKE peer as a private IKE configuration attribute of type 28675 (UNITY_SPLITDNS_NAME).
This attribute can be specified any number of times.
CVPN3000-IPSec-Split-Tunneling-Policy¶
Supported by: eap-radius.
The value of this attribute determines which type of private IKE configuration attribute is used to forward the value of the CVPN3000-IPSec-Split-Tunnel-List attribute:
- A value of 1 maps to a type value of 28676 (UNITY_SPLIT_INCLUDE).
- A value of 2 maps to a type value of 28678 (UNITY_LOCAL_LAN).
- Any other value will be ignored.
This attribute should only be specified once. If specified multiple times, only one of the valid attributes will be selected depending on how they are ordered in the Access-Accept response.
CVPN3000-IPSec-Split-Tunnel-List¶
Supported by: eap-radius.
The value of this attribute is forwarded to the IKE peer via a private IKE configuration attribute determined by the value of the CVPN3000-IPSec-Split-Tunneling-Policy RADIUS attribute for the given RADIUS user. In the absence of a valid CVPN3000-IPSec-Split-Tunneling-Policy RADIUS attribute, forwarding will not occur.
This attribute can be specified any number of times.