RADIUS attributes

Commonly used standard RADIUS attributes

No.

Attribute

Description

1

User-Name

Name of the user to be authenticated.

2

User-Password

User password for PAP authentication, present only in Access-Request packets in PAP authentication mode.

3

CHAP-Password

Digest of the user password for CHAP authentication, present only in Access-Request packets in CHAP authentication mode.

4

NAS-IP-Address

IP address for the server to identify a client. Usually, a client is identified by the IP address of the access interface on the NAS, namely the NAS IP address. This attribute is present in only Access-Request packets.

5

NAS-Port

Physical port of the NAS that the user accesses.

6

Service-Type

Type of service that the user has requested or type of service to be provided.

7

Framed-Protocol

Encapsulation protocol for framed access.

8

Framed-IP-Address

IP address assigned to the user.

11

Filter-ID

Name of the filter list.

12

Framed-MTU

Maximum transmission unit (MTU) for the data link between the user and NAS. For example, with 802.1X EAP authentication, NAS uses this attribute to notify the server of the MTU for EAP packets, so as to avoid oversized EAP packets.

14

Login-IP-Host

IP address of the NAS interface that the user accesses.

15

Login-Service

Type of the service that the user uses for login.

18

Reply-Message

Text to be displayed to the user, which can be used by the server to indicate, for example, the reason of the authentication failure.

26

Vendor-Specific

Vendor specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes.

27

Session-Timeout

Maximum duration of service to be provided to the user before termination of the session.

28

Idle-Timeout

Maximum idle time permitted for the user before termination of the session.

31

Calling-Station-Id

User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH.

32

NAS-Identifier

Identification that the NAS uses for indicating itself.

40

Acct-Status-Type

Type of the Accounting-Request packet. Possible values are as follows:

  • 1—Start.

  • 2—Stop.

  • 3—Interim-Update.

  • 4—Reset-Charge.

  • 7—Accounting-On. (Defined in 3GPP, the 3rd Generation Partnership Project.)

  • 8—Accounting-Off. (Defined in 3GPP.)

  • 9 to 14—Reserved for tunnel accounting.

  • 15—Reserved for failed.

45

Acct-Authentic

Authentication method used by the user. Possible values are as follows:

  • 1—RADIUS.

  • 2—Local.

  • 3—Remote.

60

CHAP-Challenge

CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.

61

NAS-Port-Type

Type of the physical port of the NAS that is authenticating the user. Possible values are as follows:

  • 15—Ethernet.

  • 16—Any type of ADSL.

  • 17—Cable (with cable for cable TV).

  • 19—WLAN-IEEE 802.11.

  • 201—VLAN.

  • 202—ATM.

If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201.

79

EAP-Message

Used for encapsulating EAP packets to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol.

80

Message-Authenticator

Used for authentication and checking of authentication packets to prevent spoofing Access-Requests. This attribute is used when RADIUS supports EAP authentication.

87

NAS-Port-Id

String for describing the port of the NAS that is authenticating the user.

HPE proprietary RADIUS sub-attributes

No.

Sub-attribute

Description

1

Input-Peak-Rate

Peak rate in the direction from the user to the NAS, in bps.

2

Input-Average-Rate

Average rate in the direction from the user to the NAS, in bps.

3

Input-Basic-Rate

Basic rate in the direction from the user to the NAS, in bps.

4

Output-Peak-Rate

Peak rate in the direction from the NAS to the user, in bps.

5

Output-Average-Rate

Average rate in the direction from the NAS to the user, in bps.

6

Output-Basic-Rate

Basic rate in the direction from the NAS to the user, in bps.

15

Remanent_Volume

Remaining, available total traffic of the connection, in different units for different server types.

20

Command

Operation for the session, used for session control. It can be:

  • 1—Trigger-Request.

  • 2—Terminate-Request.

  • 3—SetPolicy.

  • 4—Result.

  • 5—PortalClear.

24

Control_Identifier

Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute may take the same value. The client response of a retransmitted packet must also carry this attribute and the value of the attribute must be the same.

For Accounting-Request packets of the start, stop, and interim update types, the Control-Identifier attribute is ineffective.

25

Result_Code

Result of the Trigger-Request or SetPolicy operation. A value of zero means the operation succeeded. Any other value means the operation failed.

26

Connect_ID

Index of the user connection.

28

Ftp_Directory

Working directory of the FTP user.

For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client.

29

Exec_Privilege

Priority of the EXEC user.

59

NAS_Startup_Timestamp

Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).

60

Ip_Host_Addr

User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.

61

User_Notify

Information to be sent from the server to the client transparently.

62

User_HeartBeat

Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets.

140

User_Group

User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with the SSL VPN device.

141

Security_Level

Security level assigned after the SSL VPN user passes security authentication.

201

Input-Interval-Octets

Bytes input within a real-time accounting interval.

202

Output-Interval-Octets

Bytes output within a real-time accounting interval.

203

Input-Interval-Packets

Packets input within an accounting interval, in the unit set on the device.

204

Output-Interval-Packets

Packets output within an accounting interval, in the unit set on the device.

205

Input-Interval-Gigawords

Result of bytes input within an accounting interval divided by 4G bytes.

206

Output-Interval-Gigawords

Result of bytes output within an accounting interval divided by 4G bytes.

207

Backup-NAS-IP

Backup source IP address for sending RADIUS packets.

255

Product_ID

Product name.