RADIUS attributes
Commonly used standard RADIUS attributes
No. | Attribute | Description |
---|---|---|
1 | User-Name | Name of the user to be authenticated. |
2 | User-Password | User password for PAP authentication, present only in Access-Request packets in PAP authentication mode. |
3 | CHAP-Password | Digest of the user password for CHAP authentication, present only in Access-Request packets in CHAP authentication mode. |
4 | NAS-IP-Address | IP address for the server to identify a client. Usually, a client is identified by the IP address of the access interface on the NAS, namely the NAS IP address. This attribute is present only in Access-Request packets. |
5 | NAS-Port | Physical port of the NAS that the user accesses. |
6 | Service-Type | Type of service that the user has requested or type of service to be provided. |
7 | Framed-Protocol | Encapsulation protocol for framed access. |
8 | Framed-IP-Address | IP address assigned to the user. |
11 | Filter-ID | Name of the filter list. |
12 | Framed-MTU | Maximum transmission unit (MTU) for the data link between the user and the NAS. For example, with 802.1X EAP authentication, the NAS uses this attribute to notify the server of the MTU for EAP packets, so as to avoid oversized EAP packets. |
14 | Login-IP-Host | IP address of the NAS interface that the user accesses. |
15 | Login-Service | Type of the service that the user uses for login. |
18 | Reply-Message | Text to be displayed to the user, which can be used by the server to indicate, for example, the reason for the authentication failure. |
26 | Vendor-Specific | Vendor-specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes. |
27 | Session-Timeout | Maximum duration of service to be provided to the user before termination of the session. |
28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session. |
31 | Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. |
32 | NAS-Identifier | Identification that the NAS uses for indicating itself. |
40 | Acct-Status-Type | Type of the Accounting-Request packet. Possible values are as follows: |
45 | Acct-Authentic | Authentication method used by the user. Possible values are as follows: |
60 | CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. |
61 | NAS-Port-Type | Type of the physical port of the NAS that is authenticating the user. Possible values are as follows: If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201. |
79 | EAP-Message | Used for encapsulating EAP packets to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol. |
80 | Message-Authenticator | Used to authenticate and verify the integrity of authentication packets, which prevents spoofed Access-Request packets. This attribute is used when RADIUS supports EAP authentication. |
87 | NAS-Port-Id | String for describing the port of the NAS that is authenticating the user. |
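
How a receiver checks attribute 80 on an Access-Request, as an added example that is not part of the HPE documentation: it walks the attribute TLVs, zeroes the 16-byte Message-Authenticator value, recomputes HMAC-MD5 over the packet with the shared secret (the RFC 3579 calculation), and compares in constant time. The function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute number from the table above

def iter_attributes(packet: bytes):
    """Yield (type, value_offset, value_length) for each attribute TLV."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    pos = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, attr_len - 2
        pos += attr_len

def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """True only if the Access-Request carries exactly one valid attribute 80."""
    try:
        hits = [(off, n) for t, off, n in iter_attributes(packet)
                if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False  # malformed packets are rejected, never partially trusted
    if packet[0] != 1 or len(hits) != 1 or hits[0][1] != 16:
        return False  # not an Access-Request, or attribute missing/duplicated
    off = hits[0][0]
    (length,) = struct.unpack("!H", packet[2:4])
    # The HMAC-MD5 is computed with the attribute's 16 value bytes set to zero.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)

def build_sample_request(secret: bytes, user: bytes) -> bytes:
    """Constructed Access-Request (User-Name + Message-Authenticator) for the demo."""
    attrs = bytes([1, 2 + len(user)]) + user + bytes([80, 18]) + bytes(16)
    packet = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(range(16)) + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

if __name__ == "__main__":
    sample = build_sample_request(b"constructed-secret", b"alice")
    print(verify_access_request(sample, b"constructed-secret"))
```

The check covers Access-Request packets only; reply packets are verified against the Request Authenticator of the request they answer.
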
HPE proprietary RADIUS sub-attributes
No. | Sub-attribute | Description |
---|---|---|
1 | Input-Peak-Rate | Peak rate in the direction from the user to the NAS, in bps. |
2 | Input-Average-Rate | Average rate in the direction from the user to the NAS, in bps. |
3 | Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps. |
4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps. |
5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps. |
6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps. |
15 | Remanent_Volume | Remaining, available total traffic of the connection, in different units for different server types. |
20 | Command | Operation for the session, used for session control. It can be: |
24 | Control_Identifier | Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute may take the same value. The client response of a retransmitted packet must also carry this attribute and the value of the attribute must be the same. For Accounting-Request packets of the start, stop, and interim update types, the Control_Identifier attribute is ineffective. |
25 | Result_Code | Result of the Trigger-Request or SetPolicy operation. A value of zero means the operation succeeded. Any other value means the operation failed. |
26 | Connect_ID | Index of the user connection. |
28 | Ftp_Directory | Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client. |
29 | Exec_Privilege | Priority of the EXEC user. |
59 | NAS_Startup_Timestamp | Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC). |
60 | Ip_Host_Addr | User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. |
61 | User_Notify | Information to be sent from the server to the client transparently. |
62 | User_HeartBeat | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user. This attribute exists only in Access-Accept and Accounting-Request packets. |
140 | User_Group | User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semicolons. This attribute is used for cooperation with the SSL VPN device. |
141 | Security_Level | Security level assigned after the SSL VPN user passes security authentication. |
201 | Input-Interval-Octets | Bytes input within a real-time accounting interval. |
202 | Output-Interval-Octets | Bytes output within a real-time accounting interval. |
203 | Input-Interval-Packets | Packets input within an accounting interval, in the unit set on the device. |
204 | Output-Interval-Packets | Packets output within an accounting interval, in the unit set on the device. |
205 | Input-Interval-Gigawords | Result of bytes input within an accounting interval divided by 4G bytes. |
206 | Output-Interval-Gigawords | Result of bytes output within an accounting interval divided by 4G bytes. |
207 | Backup-NAS-IP | Backup source IP address for sending RADIUS packets. |
255 | Product_ID | Product name. |