
HWTACACS Attributes

HWTACACS uses attributes to define the authorization and accounting to be performed. The attributes are carried in the argN fields of HWTACACS packets. This section describes the HWTACACS attributes in detail.

Overview of HWTACACS Attributes

Table 1 describes the HWTACACS attributes supported by the device. The device can only parse the attributes included in the table.

Table 1 HWTACACS attributes for common use

| Attribute Name | Description |
|---|---|
| acl | Authorization ACL ID. |
| addr | A network address. |
| autocmd | An auto-command to run after a user logs in to the device. |
| bytes_in | Number of input bytes transmitted during this connection. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if the value is in bytes. |
| bytes_out | Number of output bytes transmitted during this connection. K, M, and G represent KByte, MByte, and GByte. No unit is displayed if the value is in bytes. |
| callback-line | The line number to use for a callback, such as a mobile number. |
| cmd | Command name for a shell command that is to be run. The maximum length is 251 characters. The complete command is carried when the command is recorded, and only the first keyword is carried when the command is authorized. |
| cmd-arg | Parameter in the command line to be authorized. cmd-arg=<cr> is appended at the end of the command line. |
| disc_cause | Cause for a connection to be taken offline. Only Accounting-Stop packets carry this attribute. Disconnection causes: 1 (a user requests to go offline); 2 (data forwarding is interrupted); 3 (service is interrupted); 4 (idle timeout); 5 (session timeout); 7 (the administrator requests to go offline); 9 (the NAS is faulty); 10 (the NAS requests to go offline); 12 (the port is suspended); 17 (user information is incorrect); 18 (a host requests to go offline). |
| disc_cause_ext | Extension of the disc_cause attribute to support vendor-specific causes for a connection to be taken offline. Only Accounting-Stop packets carry this attribute. Extended disconnection causes: 1022 (unknown reason); 1020 (the EXEC terminal tears down the connection); 1022 (an online Telnet user forcibly disconnects this user); 1023 (the user cannot be switched to the SLIP/PPP client because there is no remote IP address); 1042 (PPP PAP authentication fails); 1045 (PPP receives a Terminate packet from the remote end); 1046 (the upper-layer device requests the device to tear down the PPP connection); 1063 (PPP handshake fails); 1100 (session times out). |
| dnaverage | Average downstream rate, in bit/s. |
| dnpeak | Peak downstream rate, in bit/s. |
| dns-servers | IP address of the primary DNS server. |
| elapsed_time | Online duration of a user, in seconds. |
| ftpdir | Initial directory of an FTP user. |
| gw-password | Password for the gateway during L2TP tunnel authentication. The value is a string of 1 to 248 characters. If the value contains more than 248 characters, only the first 248 characters are valid. |
| idletime | Period after which an idle session is terminated. If a user does not perform any operation within this period, the system disconnects the user. |
| l2tp-hello-interval | Interval for sending L2TP Hello packets. This attribute is currently not supported. |
| l2tp-hidden-avp | Attribute value pair (AVP) of L2TP. This attribute is currently not supported. |
| l2tp-nosession-timeout | Number of seconds that a tunnel remains active with no sessions before timeout or shutdown. This attribute is currently not supported. |
| l2tp-group-num | L2TP group number. The other L2TP attributes take effect only if this attribute is delivered; otherwise, they are ignored. |
| l2tp-tos-reflect | TOS of L2TP. The device does not support this attribute. |
| l2tp-tunnel-authen | Whether an L2TP tunnel is authenticated: 0 (not authenticated) or 1 (authenticated). |
| l2tp-udp-checksum | Whether L2TP should perform UDP checksums for data packets. |
| nocallback-verify | No callback authentication is required. |
| nohangup | Whether the device automatically disconnects a user who has executed the autocmd command. This attribute is valid only after the autocmd attribute is configured. The value can be true (the user is not disconnected) or false (the user is disconnected). |
| paks_in | Number of packets received by the device. |
| paks_out | Number of packets sent by the device. |
| priv-lvl | User level. |
| protocol | A protocol that is a subset of a service. It is valid only for PPP and connection services. Legal values by service type: connection service: pad, telnet; PPP service: ip, vpdn; other service types: this attribute is not used. |
| task_id | Task ID. The task IDs recorded when a task starts and when it ends must be the same. |
| timezone | Time zone for all timestamps included in this packet. |
| tunnel-id | User name used to authenticate a tunnel during establishment. The value is a string of 1 to 29 characters. If the value contains more than 29 characters, only the first 29 characters are valid. |
| tunnel-type | Tunnel type. The device supports only L2TP tunnels. For L2TP tunnels, the value is 3. |
| service | Service type, which can be accounting or authorization. |
| source-ip | Local IP address of a tunnel. |
| upaverage | Average upstream rate, in bit/s. |
| uppeak | Peak upstream rate, in bit/s. |

HWTACACS Attributes Available in Packets

Depending on the usage scenario, HWTACACS authorization packets are classified into EXEC authorization packets, command line authorization packets, and access user authorization packets. Different authorization packets carry different attributes; for details, see Table 2. The HWTACACS authorization packets are used as follows:
  • EXEC authorization packets: Used by the HWTACACS server to control the rights of management users who log in through Telnet, the console port, SSH, and FTP.
  • Command line authorization packets: Used by the device to authorize each command line executed by the user. Only authorized command lines can be executed.
  • Access user authorization packets: Used by the HWTACACS server to control the rights of NAC users, such as 802.1X and Portal users.
Depending on the connection type, HWTACACS accounting packets are classified into network accounting packets, connection accounting packets, EXEC accounting packets, system accounting packets, and command accounting packets. Different accounting packets carry different attributes; for details, see Table 3. The HWTACACS accounting packets are used as follows:
  • Network accounting packets: Used when networks are accessed by PPP users. For example, when a PPP user connects to a network, the server sends an accounting start packet; while the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
  • Connection accounting packets: Used when users log in to the server through Telnet or FTP clients. After connecting to the device, a user can run commands to access a remote server and obtain files from it. The device sends an accounting start packet when the user connects to the remote server and an accounting stop packet when the user disconnects from it.
  • EXEC accounting packets: Used when users log in to the device through Telnet or FTP. When a user connects to a network, the server sends an accounting start packet; while the user is using network services, the server periodically sends interim accounting packets; when the user goes offline, the server sends an accounting stop packet.
  • System accounting packets: Used during fault diagnosis. The server records system-level events to help administrators monitor the device and locate network faults.
  • Command accounting packets: When an administrator runs any command on the device, the device sends the command to the HWTACACS server in a command accounting stop packet so that the server can record the operations performed by the administrator.
In Table 2 and Table 3:
  • Y: The packet supports this attribute.
  • N: The packet does not support this attribute.
Table 2 HWTACACS attributes available in authorization packets

| Attribute | Command Line Authorization Packet | EXEC Authorization Response Packet | Access User Authorization Response Packet |
|---|---|---|---|
| acl | N | Y | N |
| addr | N | N | Y |
| addr-pool | N | N | Y |
| autocmd | N | Y | N |
| callback-line | N | Y | Y |
| cmd | Y | N | N |
| cmd-arg | Y | N | N |
| dnaverage | N | N | Y |
| dnpeak | N | N | Y |
| dns-servers | N | N | Y |
| ftpdir | N | Y | N |
| gw-password | N | N | Y |
| idletime | N | Y | N |
| ip-addresses | N | N | Y |
| l2tp-group-num | N | N | Y |
| l2tp-tunnel-authen | N | N | Y |
| nocallback-verify | N | Y | N |
| nohangup | N | Y | N |
| priv-lvl | N | Y | N |
| source-ip | N | N | Y |
| tunnel-type | N | N | Y |
| tunnel-id | N | N | Y |
| upaverage | N | N | Y |
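The encoding rules for cmd and cmd-arg in Table 1 (first keyword only for authorization, complete command for recording, cmd-arg=<cr> as terminator, 251-character maximum) and the per-packet matrix in Table 2 are easy to get wrong on the server side, so here is an added Python example that is not Huawei's code and not part of this page. It builds the argN list for a command line authorization request, builds the cmd attribute for a command accounting record, and reports which arguments a given authorization packet type would not carry according to Table 2. It assumes the standard TACACS+ "attribute=value" encoding of each argN entry, truncates cmd to 251 characters (the page states only the maximum), and uses packet-type labels and sample command strings of its own.

```python
"""Encode and check HWTACACS authorization arguments.

Added example, not Huawei's code. Assumptions beyond the page:
  - each argN entry is "attribute=value" (the standard TACACS+ encoding);
  - a cmd value longer than 251 characters is truncated (the page only
    states the maximum);
  - the packet-type labels below are this example's own names.
"""
from typing import List, Tuple

CMD_MAX_LEN = 251  # maximum length of the cmd attribute, from Table 1

# Packet types of Table 2 (labels chosen for this example).
COMMAND_LINE = "command-line-authorization"
EXEC = "exec-authorization-response"
ACCESS = "access-user-authorization-response"

# Table 2 transcribed: attribute -> packet types marked Y.
ALLOWED = {
    "acl": {EXEC},
    "addr": {ACCESS},
    "addr-pool": {ACCESS},
    "autocmd": {EXEC},
    "callback-line": {EXEC, ACCESS},
    "cmd": {COMMAND_LINE},
    "cmd-arg": {COMMAND_LINE},
    "dnaverage": {ACCESS},
    "dnpeak": {ACCESS},
    "dns-servers": {ACCESS},
    "ftpdir": {EXEC},
    "gw-password": {ACCESS},
    "idletime": {EXEC},
    "ip-addresses": {ACCESS},
    "l2tp-group-num": {ACCESS},
    "l2tp-tunnel-authen": {ACCESS},
    "nocallback-verify": {EXEC},
    "nohangup": {EXEC},
    "priv-lvl": {EXEC},
    "source-ip": {ACCESS},
    "tunnel-type": {ACCESS},
    "tunnel-id": {ACCESS},
    "upaverage": {ACCESS},
}


def authorization_args(command_line: str) -> List[str]:
    """argN list for a command line authorization request.

    Only the first keyword goes into cmd; each remaining token becomes its
    own cmd-arg, and cmd-arg=<cr> terminates the list (Table 1).
    """
    tokens = command_line.split()
    if not tokens:
        raise ValueError("empty command line")
    cmd = tokens[0][:CMD_MAX_LEN]  # assumption: truncate to the stated maximum
    args = ["cmd=" + cmd]
    args.extend("cmd-arg=" + tok for tok in tokens[1:])
    args.append("cmd-arg=<cr>")
    return args


def accounting_cmd(command_line: str) -> str:
    """cmd attribute for a command accounting record: the complete command
    (whitespace normalised), truncated to the stated maximum."""
    full = " ".join(command_line.split())
    return "cmd=" + full[:CMD_MAX_LEN]


def split_arg(arg: str) -> Tuple[str, str]:
    """Split one argN entry into (attribute, value) at the first '='."""
    if "=" not in arg:
        raise ValueError("malformed argument: %r" % arg)
    attr, value = arg.split("=", 1)
    return attr, value


def unsupported_args(args: List[str], packet_type: str) -> List[str]:
    """Attributes the device would not parse in this packet type: either
    absent from Table 2 or marked N for the packet type."""
    return [attr for attr, _ in map(split_arg, args)
            if packet_type not in ALLOWED.get(attr, set())]


if __name__ == "__main__":
    # Constructed sample command line.
    req = authorization_args("display current-configuration")
    print(req)
    print(unsupported_args(req, COMMAND_LINE))
    print(unsupported_args(["priv-lvl=15", "cmd=save"], EXEC))
```

A server that emits cmd in an EXEC authorization response, or the whole command in a command line authorization request, is a common cause of silent authorization failures; unsupported_args catches both against Table 2 before the packet is sent.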

Table 3 HWTACACS attributes available in accounting packets

Column key: Net = network accounting packet, Conn = connection accounting packet, EXEC = EXEC accounting packet, Sys = system accounting packet, Cmd = command line accounting packet; Start, Stop, and Interim are the accounting start, accounting stop, and interim accounting packets.

| Attribute | Net Start | Net Stop | Net Interim | Conn Start | Conn Stop | EXEC Start | EXEC Stop | EXEC Interim | Sys Stop | Cmd Stop |
|---|---|---|---|---|---|---|---|---|---|---|
| addr | Y | Y | Y | Y | Y | N | N | N | N | N |
| bytes_in | N | Y | Y | N | Y | N | Y | Y | N | N |
| bytes_out | N | Y | Y | N | Y | N | Y | Y | N | N |
| cmd | N | N | N | Y | Y | N | N | N | N | Y |
| disc_cause | N | Y | N | N | N | N | Y | Y | N | N |
| disc_cause_ext | N | Y | N | N | N | N | Y | Y | N | N |
| elapsed_time | N | Y | Y | N | Y | N | Y | Y | Y | N |
| paks_in | N | Y | Y | N | Y | N | Y | Y | N | N |
| paks_out | N | Y | Y | N | Y | N | Y | Y | N | N |
| priv-lvl | N | N | N | N | N | N | N | N | N | Y |
| protocol | Y | Y | Y | Y | Y | N | N | N | N | N |
| service | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| task_id | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| timezone | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| tunnel-id | N | N | N | N | N | N | N | N | N | N |
| tunnel-type | Y | N | N | N | N | N | N | N | N | N |
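On the receiving side, an accounting collector has to decode the bytes_in/bytes_out unit suffixes and disc_cause codes from Table 1, pair each stop record with its start record through task_id (the page says the two must be the same), and know from Table 3 which attributes a given packet type can legitimately carry. The following added Python example does that; it is not Huawei's code and not part of this page. It assumes the standard TACACS+ "attribute=value" encoding of each argN entry, treats K, M, and G as binary multiples (the page does not say), and uses packet-type labels and sample records constructed for the example.

```python
"""Decode an HWTACACS accounting record pair and check it against Table 3.

Added example, not Huawei's code. Assumptions beyond the page:
  - each argN entry is "attribute=value" (standard TACACS+ encoding);
  - K, M and G in bytes_in/bytes_out are binary multiples (1024);
  - the packet-type labels and the sample records below are constructed
    for this example.
"""
from typing import Dict, List

# Column order of Table 3, with short labels chosen for this example.
COLUMNS = ["net-start", "net-stop", "net-interim", "conn-start", "conn-stop",
           "exec-start", "exec-stop", "exec-interim", "system-stop", "cmd-stop"]


def _cols(flags: str) -> set:
    """Turn one Y/N row of Table 3 into the set of packet types marked Y."""
    return {col for col, flag in zip(COLUMNS, flags) if flag == "Y"}


# Table 3 transcribed row by row.
ALLOWED = {
    "addr":           _cols("YYYYYNNNNN"),
    "bytes_in":       _cols("NYYNYNYYNN"),
    "bytes_out":      _cols("NYYNYNYYNN"),
    "cmd":            _cols("NNNYYNNNNY"),
    "disc_cause":     _cols("NYNNNNYYNN"),
    "disc_cause_ext": _cols("NYNNNNYYNN"),
    "elapsed_time":   _cols("NYYNYNYYYN"),
    "paks_in":        _cols("NYYNYNYYNN"),
    "paks_out":       _cols("NYYNYNYYNN"),
    "priv-lvl":       _cols("NNNNNNNNNY"),
    "protocol":       _cols("YYYYYNNNNN"),
    "service":        _cols("YYYYYYYYYY"),
    "task_id":        _cols("YYYYYYYYYY"),
    "timezone":       _cols("YYYYYYYYYY"),
    "tunnel-id":      _cols("NNNNNNNNNN"),
    "tunnel-type":    _cols("YNNNNNNNNN"),
}

# disc_cause codes from Table 1.
DISC_CAUSE = {
    1: "user requests to go offline", 2: "data forwarding interrupted",
    3: "service interrupted", 4: "idle timeout", 5: "session timeout",
    7: "administrator requests to go offline", 9: "NAS faulty",
    10: "NAS requests to go offline", 12: "port suspended",
    17: "user information incorrect", 18: "host requests to go offline",
}

UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumption: binary units


def parse_args(args: List[str]) -> Dict[str, str]:
    """argN entries -> {attribute: value}, splitting at the first '='."""
    parsed = {}
    for arg in args:
        attr, value = arg.split("=", 1)
        parsed[attr] = value
    return parsed


def byte_count(value: str) -> int:
    """bytes_in/bytes_out value with optional K/M/G suffix -> bytes."""
    if value and value[-1] in UNIT:
        return int(value[:-1]) * UNIT[value[-1]]
    return int(value)


def disc_reason(code: str) -> str:
    """Human-readable text for a disc_cause code."""
    return DISC_CAUSE.get(int(code), "unrecognised disc_cause %s" % code)


def unsupported(attrs, packet_type: str) -> List[str]:
    """Attributes marked N (or absent from Table 3) for this packet type."""
    return sorted(a for a in attrs if packet_type not in ALLOWED.get(a, set()))


def reconcile(start_args: List[str], stop_args: List[str], kind: str) -> dict:
    """Pair a start record with its stop record for one accounting kind
    ('net', 'conn' or 'exec') and summarise what the stop record says."""
    start, stop = parse_args(start_args), parse_args(stop_args)
    return {
        # Table 1: the task IDs at start and stop must be the same.
        "task_id_match": start.get("task_id") == stop.get("task_id"),
        "bytes_in": byte_count(stop["bytes_in"]) if "bytes_in" in stop else None,
        "bytes_out": byte_count(stop["bytes_out"]) if "bytes_out" in stop else None,
        "elapsed_time": int(stop["elapsed_time"]) if "elapsed_time" in stop else None,
        "disc_reason": disc_reason(stop["disc_cause"]) if "disc_cause" in stop else None,
        "unsupported_in_start": unsupported(start, kind + "-start"),
        "unsupported_in_stop": unsupported(stop, kind + "-stop"),
    }


# Constructed sample records for one EXEC session.
SAMPLE_START = ["service=shell", "task_id=1001", "timezone=UTC"]
SAMPLE_STOP = ["service=shell", "task_id=1001", "timezone=UTC",
               "elapsed_time=3600", "bytes_in=12K", "bytes_out=3M",
               "paks_in=120", "paks_out=98", "disc_cause=4", "addr=10.0.0.1"]

if __name__ == "__main__":
    for key, val in reconcile(SAMPLE_START, SAMPLE_STOP, "exec").items():
        print(key, val)
```

In the sample, addr shows up in unsupported_in_stop because Table 3 marks it N for the EXEC accounting stop packet; a stop record whose task_id does not match any start record is the case a collector should flag rather than silently bill.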

Copyright © Huawei Technologies Co., Ltd.