Cisco Systems OL-24201-01 manual Dial-in Support Attributes, ACS Response

Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Dial-in Support Attributes

The user attributes on Active Directory are supported on the following servers:

•Windows server 2003

•Windows server 2003 R2

•Windows server 2008

•Windows server 2008 R2

ACS does not support Dial-in users on Windows 2000.

ACS Response

If you enable the dial-in check on ACS Active Directory and the user's dial-in option is 'Deny Access' on Active Directory, the authentication request is rejected with a message in the log, indicating that dial-in access is denied. If a user fails an MSCHAP v1/v2 authentication if the dial-in is not enabled, ACS should set on the EAP response a proper error code (NT error = 649).

In case that the callback options are enabled, the ACS RADIUS response contains the returned Service Type and Callback Number attributes as follows:

•If callback option is Set by Caller or Always Callback To, the service-type attribute should be queried on Active Directory during the user authentication. The service-type can be the following:

–3 = Callback Login

–4 = Callback Framed

–9 = Callback NAS Prompt

This attribute should be returned to the device on Service-type RADIUS attribute. If ACS is already configured to return service-type attribute on the RADIUS response, the service-type value queried for the user on Active Directory replaces it.

•If the Callback option is Always Callback To, the callback number should also be queried on the Active Directory user. This value is set on the RADIUS response on the Cisco-AV-Pair attribute with the following values:

–cisco-av-pair=lcp:callback-dialstring=[callback number value]

–cisco-av-pair=Shell:callback-dialstring=[callback number value]

–cisco-av-pair=Slip:callback-dialstring=[callback number value]

–cisco-av-pair=Arap:callback-dialstring=[callback number value]

The callback number value is also returned on the RADIUS response, using the RADIUS attribute CallbackNumber (#19).

•If callback option is Set by Caller, the RADIUS response contains the following attributes with no value:

–cisco-av-pair=lcp:callback-dialstring=

–cisco-av-pair=Shell:callback-dialstring=

–cisco-av-pair=Slip:callback-dialstring=

–cisco-av-pair=Arap:callback-dialstring=