authorization group identifier; service; protocol; attribute-value pair
AV-pairs are the authorization attributes in TACACS+. Each AV-pair consists of two fields: the AVP name field and the AVP data field (service=ppp, protocol=ip, etc.)
You can use the following AV-pairs:
service= slip, ppp, arap, shell, tty-daemon, connection, system, firewall
protocol= lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, h323, unknown
cmd= shell (exec) command. Must be present if service=shell; can be cmd=NULL
cmd-arg= argument to the shell (exec) command; can be given multiple times
acl= connection access-list number (service=shell cmd=NULL)
inacl= identifier of the interface input access-list
outacl= identifier of the interface output access-list
zonelist= numeric zonelist value (AppleTalk only)
addr= network address
addr-pool= identifier of address-pool
routing= boolean (whether routing information is on the interface): permit/deny sending routing updates through this interface
route= route for this interface <dst_addr> <mask> [<routing_addr>]
timeout= timer for connection (minutes), 0 - no timeout
idletime= idle-timeout for connection (minutes)
autocmd= auto-command to run (service=shell cmd=NULL)
noescape= boolean (service=shell cmd=NULL)
nohangup= boolean (service=shell cmd=NULL)
priv_lvl= privilege level
remote_user= remote userid (TAC_PLUS_AUTHEN_METH_RCMD)
remote_host= remote host (TAC_PLUS_AUTHEN_METH_RCMD)
callback-dialstring= NULL or dialstring, NULL - for request from user
callback-line= line for callback
callback-rotary= rotary
nocallback-verify= do not require authentication after callback
SOME EXTERNAL AV-PAIRS (NOT IN RFC, BUT WITH CISCO SUPPORT) - very, very useful
inacl#<n> set up a multiline access-list (<n> - row number)
    inacl#1=permit ip any any
    inacl#2=deny igrp ...
outacl#<n>
route#<n> multiline route entries
rte-ftr-in#<n> input access list definition for routing updates on interface
    rte-ftr-in#0=router igrp 60
    rte-ftr-in#1=permit 0.0.3.4 255.255.0.0
    rte-ftr-in#2=deny any
rte-ftr-out#<n> output acl for routing update
sap#<n> static saps
route#<n> route table
sap-fltr-in#<n> input sap filter list
sap-fltr-out#<n> output sap filter list
pool-def#<n> address pool definition
    pool-def#1=DIALUP 10.1.1.1 10.1.1.100
    pool-def#2=INTERNAL 192.168.0.1 192.168.0.100
VoIP AVP:
h323-billing-model=0/1 (credit/postpaid or debit/prepaid)
h323-credit-time=
h323-credit-amount=
As I understand the RFC, you can add your own AV-pairs if the client understands them (be careful, sometimes it can be wrong for some clients). We don't do any control for AV-pairs in the database - be careful!
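
Because the database accepts any AV-pair unchecked, a lint pass over one authorization group's pairs before they are stored catches typos that would otherwise only surface on the client. This is an added example, not code from the original page or from the server it describes; the function name lint_avpairs, the wording of the findings and the 0-15 bound for priv_lvl are assumptions, while the attribute, service and protocol names are copied from the list above.

```python
import re

# Names and value lists are copied from the list on this page.
SERVICES = {"slip", "ppp", "arap", "shell", "tty-daemon", "connection", "system", "firewall"}
PROTOCOLS = {"lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270", "telnet",
             "rlogin", "pad", "vpdn", "ftp", "http", "deccp", "osicp", "h323", "unknown"}
PLAIN = {"service", "protocol", "cmd", "cmd-arg", "acl", "inacl", "outacl", "zonelist",
         "addr", "addr-pool", "routing", "route", "timeout", "idletime", "autocmd",
         "noescape", "nohangup", "priv_lvl", "remote_user", "remote_host",
         "callback-dialstring", "callback-line", "callback-rotary", "nocallback-verify",
         "h323-billing-model", "h323-credit-time", "h323-credit-amount"}
NUMBERED = {"inacl", "outacl", "route", "rte-ftr-in", "rte-ftr-out", "sap",
            "sap-fltr-in", "sap-fltr-out", "pool-def"}
ROW = re.compile(r"^(?P<base>[^#=]+)#(?P<n>[0-9]+)$")   # multiline form: name#<n>
NUM = re.compile(r"^[0-9]+$")

def lint_avpairs(pairs):
    """Return a list of findings for one authorization group's AV-pairs."""
    findings, seen_rows, names = [], set(), {}
    for raw in pairs:
        name, sep, value = raw.partition("=")
        name = name.strip()
        if not sep or not name:
            findings.append(f"malformed (expected name=value): {raw!r}")
            continue
        names[name] = value
        m = ROW.match(name)
        if m:
            if m["base"] not in NUMBERED:
                findings.append(f"unknown numbered attribute: {name}")
            elif name in seen_rows:
                findings.append(f"duplicate row: {name}")
            seen_rows.add(name)
        elif name not in PLAIN:
            findings.append(f"not in this page's list (client may not understand it): {name}")
        elif name == "service" and value not in SERVICES:
            findings.append(f"unknown service: {value}")
        elif name == "protocol" and value not in PROTOCOLS:
            findings.append(f"unknown protocol: {value}")
        elif name in ("timeout", "idletime") and not NUM.match(value):
            findings.append(f"{name} must be a number of minutes: {value!r}")
        elif name == "priv_lvl" and not (NUM.match(value) and int(value) <= 15):
            # Assumption: 0-15 is the Cisco privilege range; the page gives no bounds.
            findings.append(f"priv_lvl out of range 0-15: {value!r}")
    if names.get("service") == "shell" and "cmd" not in names:
        findings.append("service=shell requires cmd= (may be cmd=NULL)")
    return findings
```

Findings are advisory: an attribute reported as not in the list may still be valid for a particular client, which is the case the note above warns about.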