RADIUS attributes
Commonly used standard RADIUS attributes
No. | Attribute | Description |
---|---|---|
1 | User-Name | Name of the user to be authenticated. |
2 | User-Password | User password for PAP authentication, only present in Access-Request packets when PAP authentication is used. |
3 | CHAP-Password | Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used. |
4 | NAS-IP-Address | IP address for the server to use to identify the client. Typically, a client is identified by the IP address of its access interface. This attribute is only present in Access-Request packets. |
5 | NAS-Port | Physical port of the NAS that the user accesses. |
6 | Service-Type | Type of service that the user has requested or type of service to be provided. |
7 | Framed-Protocol | Encapsulation protocol for framed access. |
8 | Framed-IP-Address | IP address assigned to the user. |
11 | Filter-ID | Name of the filter list. |
12 | Framed-MTU | MTU for the data link between the user and NAS. For example, this attribute can be used to define the maximum size of EAP packets allowed to be processed in 802.1X EAP authentication. |
14 | Login-IP-Host | IP address of the NAS interface that the user accesses. |
15 | Login-Service | Type of service that the user uses for login. |
18 | Reply-Message | Text to be displayed to the user, which can be used by the server to communicate information, for example, the authentication failure reason. |
26 | Vendor-Specific | Vendor-specific proprietary attribute. A packet can contain one or more proprietary attributes, each of which can contain one or more subattributes. |
27 | Session-Timeout | Maximum service duration for the user before termination of the session. |
28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session. |
31 | Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute includes the MAC address of the user in the format HHHH-HHHH-HHHH. |
32 | NAS-Identifier | Identification that the NAS uses to identify itself to the RADIUS server. |
40 | Acct-Status-Type | Type of the Accounting-Request packet. Possible values include: |
45 | Acct-Authentic | Authentication method used by the user. Possible values include: |
60 | CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. |
61 | NAS-Port-Type | Type of the physical port of the NAS that is authenticating the user. Possible values include: If the port is an ATM or Ethernet port and VLANs are implemented on it, the value of this attribute is 201. |
64 | Tunnel-Type | Tunneling protocols used. The value 13 represents VLAN. |
65 | Tunnel-Medium-Type | Transport medium type to use for creating a tunnel. For VLAN assignment, the value must be 6 to indicate the 802 media plus Ethernet. |
79 | EAP-Message | Used to encapsulate EAP packets to allow RADIUS to support EAP authentication. |
80 | Message-Authenticator | Used for authentication and verification of authentication packets to prevent spoofed Access-Request packets. This attribute is present when EAP authentication is used. |
81 | Tunnel-Private-Group-ID | Group ID for a tunnel session. To assign VLANs, the NAS conveys VLAN IDs by using this attribute. |
87 | NAS-Port-Id | String for describing the port of the NAS that is authenticating the user. |
Proprietary RADIUS subattributes (vendor ID 25506)
Table 4 lists all proprietary RADIUS subattributes with a vendor ID of 25506. Support for these subattributes depends on the device model.
Table 4: Proprietary RADIUS subattributes (vendor ID 25506)
No. | Subattribute | Description |
---|---|---|
1 | Input-Peak-Rate | Peak rate in the direction from the user to the NAS, in bps. |
2 | Input-Average-Rate | Average rate in the direction from the user to the NAS, in bps. |
3 | Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps. |
4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps. |
5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps. |
6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps. |
15 | Remanent_Volume | Total amount of data available for the connection, in different units for different server types. |
17 | ISP-ID | ISP domain where the user obtains authorization information. |
20 | Command | Operation for the session, used for session control. Possible values include: |
25 | Result_Code | Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure. |
26 | Connect_ID | Index of the user connection. |
28 | Ftp_Directory | FTP, SFTP, or SCP user working directory. When the RADIUS client acts as the FTP, SFTP, or SCP server, this attribute is used to set the working directory for an FTP, SFTP, or SCP user on the RADIUS client. |
29 | Exec_Privilege | EXEC user priority. |
59 | NAS_Startup_Timestamp | Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC). |
60 | Ip_Host_Addr | User IP address and MAC address included in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. |
61 | User_Notify | Information that must be sent from the server to the client transparently. |
62 | User_HeartBeat | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and verifies the handshake packets from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets. |
98 | Multicast_Receive_Group | IP address of the multicast group that the user's host joins as a receiver. This subattribute can appear multiple times in a multicast packet to indicate that the user belongs to multiple multicast groups. |
100 | IP6_Multicast_Receive_Group | IPv6 address of the multicast group that the user's host joins as a receiver. This subattribute can appear multiple times in a multicast packet to indicate that the user belongs to multiple multicast groups. |
101 | MLD-Access-Limit | Maximum number of MLD multicast groups that the user can join concurrently. |
102 | local-name | L2TP local tunnel name. |
103 | IGMP-Access-Limit | Maximum number of IGMP multicast groups that the user can join concurrently. |
104 | VPN-Instance | MPLS L3VPN instance to which a user belongs. |
105 | ANCP-Profile | ANCP profile name. |
135 | Client-Primary-DNS | IP address of the primary DNS server. |
136 | Client-Secondary-DNS | IP address of the secondary DNS server. |
144 | Acct_IPv6_Input_Octets | Bytes of IPv6 packets in the inbound direction. The measurement unit depends on the configuration on the device. |
145 | Acct_IPv6_Output_Octets | Bytes of IPv6 packets in the outbound direction. The measurement unit depends on the configuration on the device. |
146 | Acct_IPv6_Input_Packets | Number of IPv6 packets in the inbound direction. The measurement unit depends on the configuration on the device. |
147 | Acct_IPv6_Output_Packets | Number of IPv6 packets in the outbound direction. The measurement unit depends on the configuration on the device. |
148 | Acct_IPv6_Input_Gigawords | Bytes of IPv6 packets in the inbound direction. The measurement unit is 4G bytes. |
149 | Acct_IPv6_Output_Gigawords | Bytes of IPv6 packets in the outbound direction. The measurement unit is 4G bytes. |
210 | Av-Pair | Vendor-specific attribute pair. Available attribute pairs include: |
230 | Nas-Port | Interface through which the user is connected to the NAS. |
246 | Auth_Detail_Result | Accounting details. The server sends Access-Accept packets with subattributes 246 and 250 in the following situations: |
247 | Input-Committed-Burst-Size | Committed burst size from the user to the NAS, in bits. The total length cannot exceed 4 bytes for this field. This subattribute must be assigned together with the Input-Average-Rate attribute. |
248 | Output-Committed-Burst-Size | Committed burst size from the NAS to the user, in bits. The total length cannot exceed 4 bytes for this field. This subattribute must be assigned together with the Output-Average-Rate attribute. |
249 | authentication-type | Authentication type. The value can be: If the packet does not contain this subattribute, common authentication applies. |
250 | WEB-URL | Redirect URL for users. |
251 | Subscriber-ID | Family plan ID. |
252 | Subscriber-Profile | QoS policy name for the family plan of the subscriber. |
255 | Product_ID | Product name. |
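
The following added example (not part of the original page or of any HPE software) decodes the attribute block of a RADIUS packet: it unpacks attribute 26 for vendor ID 25506 into its subattributes and accepts a VLAN assignment only when Tunnel-Type is 13 and Tunnel-Medium-Type is 6, as the tables above require. It assumes the RFC 2865 recommended Vendor-Specific layout (4-byte vendor ID followed by type-length-value subattributes), the RFC 2868 tag byte on tunnel attributes, and a 4-byte integer encoding for the rate subattributes; the function names and sample bytes are constructed for illustration.

```python
import struct

HPE_VENDOR_ID = 25506   # vendor ID from the page
INT_SUBATTRS = {1, 2, 3, 4, 5, 6}  # rate subattributes; 4-byte integer encoding is assumed

def tlv(t, value):
    """Build one type-length-value item; the length includes the 2-byte header."""
    return bytes([t, len(value) + 2]) + value

def parse_tlvs(buf):
    """Yield (type, value) pairs, rejecting truncated or impossible lengths."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed TLV at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode_attributes(attrs):
    """Return (vlan_or_None, {subattribute_no: value}) for one attribute block."""
    tunnel, sub = {}, {}
    for t, v in parse_tlvs(attrs):
        if t in (64, 65) and len(v) == 4:      # 1-byte tag + 3-byte value (RFC 2868)
            tunnel[t] = int.from_bytes(v[1:], "big")
        elif t == 81 and v:                    # leading byte <= 0x1F is treated as a tag
            tunnel[t] = (v[1:] if v[0] <= 0x1F else v).decode("ascii")
        elif t == 26 and len(v) >= 4 and int.from_bytes(v[:4], "big") == HPE_VENDOR_ID:
            for st, sv in parse_tlvs(v[4:]):
                is_int = st in INT_SUBATTRS and len(sv) == 4
                sub[st] = int.from_bytes(sv, "big") if is_int else sv
    # Accept a VLAN only when Tunnel-Type is 13 and Tunnel-Medium-Type is 6.
    ok = tunnel.get(64) == 13 and tunnel.get(65) == 6 and 81 in tunnel
    return (tunnel[81] if ok else None), sub

# Constructed sample: the attribute block of an Access-Accept (not a captured packet).
SAMPLE = (
    tlv(64, b"\x00\x00\x00\x0d") + tlv(65, b"\x00\x00\x00\x06") + tlv(81, b"100")
    + tlv(26, struct.pack("!I", HPE_VENDOR_ID)
          + tlv(4, struct.pack("!I", 2_000_000))   # Output-Peak-Rate, bps
          + tlv(28, b"/home/ftp"))                 # Ftp_Directory
)

if __name__ == "__main__":
    print(decode_attributes(SAMPLE))
```

Subattributes outside the assumed integer set are returned as raw bytes so that the caller decides how to interpret them.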