RADIUS attributes

This section provides tables of commonly used standard RADIUS attributes and HPE proprietary RADIUS sub-attributes.

Commonly used standard RADIUS attributes

| No. | Attribute | Description |
|---|---|---|
| 1 | User-Name | Name of the user to be authenticated. |
| 2 | User-Password | User password for PAP authentication, only present in Access-Request packets when PAP authentication is used. |
| 3 | CHAP-Password | Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used. |
| 4 | NAS-IP-Address | IP address for the server to use to identify a client. Usually, a client is identified by the IP address of its access interface. This attribute is only present in Access-Request packets. |
| 5 | NAS-Port | Physical port of the NAS that the user accesses. |
| 6 | Service-Type | Type of service that the user has requested or type of service to be provided. |
| 7 | Framed-Protocol | Encapsulation protocol for framed access. |
| 8 | Framed-IP-Address | IP address assigned to the user. |
| 11 | Filter-ID | Name of the filter list. |
| 12 | Framed-MTU | MTU for the data link between the user and NAS. For example, with 802.1X EAP authentication, the NAS notifies the server of the MTU for EAP packets using this attribute to avoid oversized EAP packets. |
| 14 | Login-IP-Host | IP address of the NAS interface that the user accesses. |
| 15 | Login-Service | Type of the service that the user uses for login. |
| 18 | Reply-Message | Text to be displayed to the user, which can be used by the server to indicate, for example, the reason for the authentication failure. |
| 26 | Vendor-Specific | Vendor-specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes. |
| 27 | Session-Timeout | Maximum service duration for the user before termination of the session. |
| 28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session. |
| 31 | Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. |
| 32 | NAS-Identifier | Identification that the NAS uses to identify itself to the RADIUS server. |
| 40 | Acct-Status-Type | Type of the Accounting-Request packet: 1 = Start; 2 = Stop; 3 = Interim-Update; 4 = Reset-Charge; 7 = Accounting-On (defined in 3GPP, the 3rd Generation Partnership Project); 8 = Accounting-Off (defined in 3GPP); 9 to 14 = Reserved for tunnel accounting; 15 = Reserved for failed. |
| 45 | Acct-Authentic | Authentication method used by the user: 1 = RADIUS; 2 = Local; 3 = Remote. |
| 60 | CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. |
| 61 | NAS-Port-Type | Type of the physical port of the NAS that is authenticating the user: 15 = Ethernet; 16 = Any type of ADSL; 17 = Cable (with cable for cable TV); 19 = WLAN-IEEE 802.11; 201 = VLAN; 202 = ATM. If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201. |
| 79 | EAP-Message | Used to encapsulate EAP packets to allow RADIUS to support EAP authentication. |
| 80 | Message-Authenticator | Used for authentication and verification of authentication packets to prevent spoofing Access-Requests. This attribute is present when EAP authentication is used. |
| 87 | NAS-Port-Id | String for describing the port of the NAS that is authenticating the user. |
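
The Message-Authenticator check (attribute 80) as an added example, not HPE code: it follows RFC 3579, which computes HMAC-MD5 over the whole Access-Request with the attribute's 16-byte value zeroed, keyed with the shared secret. The packet contents, user name and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute number from the table above


def find_attribute(packet: bytes, wanted: int):
    """Return (value_offset, value_length) of the first `wanted` attribute, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    total = struct.unpack("!H", packet[2:4])[0]
    if total < 20 or total > len(packet):
        raise ValueError("Length field does not fit the datagram")
    pos = 20
    while pos < total:
        # Each attribute is type (1 byte), length (1 byte, covers the header), value.
        if pos + 2 > total or packet[pos + 1] < 2 or pos + packet[pos + 1] > total:
            raise ValueError("malformed attribute at offset %d" % pos)
        if packet[pos] == wanted:
            return pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check attribute 80 on an Access-Request as specified in RFC 3579."""
    found = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if found is None or found[1] != 16:
        return False  # a missing or wrong-sized attribute is treated as a failure
    offset = found[0]
    total = struct.unpack("!H", packet[2:4])[0]
    # HMAC-MD5 over the packet with the 16-byte value zeroed, keyed by the shared secret.
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:total]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[offset:offset + 16])


def build_sample_request(secret: bytes) -> bytes:
    """Constructed Access-Request: User-Name, NAS-IP-Address, Message-Authenticator."""
    attrs = bytes([1, 7]) + b"alice" + bytes([4, 6, 192, 0, 2, 10]) + bytes([80, 18]) + bytes(16)
    packet = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


if __name__ == "__main__":
    sample = build_sample_request(b"constructed-secret")
    print(verify_message_authenticator(sample, b"constructed-secret"))
```

The function covers Access-Request packets only; replies are computed over the Request Authenticator of the matching request, which this sketch does not track.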

HPE proprietary RADIUS sub-attributes

| No. | Sub-attribute | Description |
|---|---|---|
| 1 | Input-Peak-Rate | Peak rate in the direction from the user to the NAS, in bps. |
| 2 | Input-Average-Rate | Average rate in the direction from the user to the NAS, in bps. |
| 3 | Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps. |
| 4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps. |
| 5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps. |
| 6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps. |
| 15 | Remanent_Volume | Total remaining available traffic for the connection, in different units for different server types. |
| 20 | Command | Operation for the session, used for session control: 1 = Trigger-Request; 2 = Terminate-Request; 3 = SetPolicy; 4 = Result; 5 = PortalClear. |
| 24 | Control_Identifier | Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute may take the same value. The client response of a retransmitted packet must also carry this attribute, and the value of this attribute must be the same. For Accounting-Request packets of the start, stop, and interim update types, the Control_Identifier attribute, if present, has no effect. |
| 25 | Result_Code | Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure. |
| 26 | Connect_ID | Index of the user connection. |
| 28 | Ftp_Directory | FTP user working directory. When the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory for an FTP user on the RADIUS client. |
| 29 | Exec_Privilege | EXEC user priority. |
| 59 | NAS_Startup_Timestamp | Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC). |
| 60 | Ip_Host_Addr | User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. |
| 61 | User_Notify | Information that must be sent from the server to the client transparently. |
| 62 | User_HeartBeat | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and is used for verifying the handshake messages from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets. |
| 140 | User_Group | User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semicolons. This attribute is used for cooperation with the SSL VPN device. |
| 141 | Security_Level | Security level assigned after the SSL VPN user passes security authentication. |
| 201 | Input-Interval-Octets | Number of bytes input within a real-time accounting interval. |
| 202 | Output-Interval-Octets | Number of bytes output within a real-time accounting interval. |
| 203 | Input-Interval-Packets | Number of packets input within an accounting interval, in the unit set on the NAS. |
| 204 | Output-Interval-Packets | Number of packets output within an accounting interval, in the unit set on the NAS. |
| 205 | Input-Interval-Gigawords | Amount of bytes input within an accounting interval, in units of 4G bytes. |
| 206 | Output-Interval-Gigawords | Amount of bytes output within an accounting interval, in units of 4G bytes. |
| 207 | Backup-NAS-IP | Backup source IP address for sending RADIUS packets. |
| 255 | Product_ID | Product name. |
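
Decoding the sub-attributes carried inside a Vendor-Specific (26) attribute, with strict length and format checks, as an added example that is not HPE code. It assumes the layout RFC 2865 recommends (4-byte vendor ID, then type/length/value sub-attributes) and 4-byte big-endian integers for the numeric sub-attributes; the vendor ID and sample values are constructed.

```python
import ipaddress
import re
import struct

# Names from the sub-attribute table above (subset); integer encoding is an assumption.
SUB_ATTRS = {20: "Command", 25: "Result_Code", 59: "NAS_Startup_Timestamp", 60: "Ip_Host_Addr"}
INTEGER_SUBS = {20, 25, 59}
COMMANDS = {1: "Trigger-Request", 2: "Terminate-Request", 3: "SetPolicy", 4: "Result", 5: "PortalClear"}
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
SAMPLE_VENDOR_ID = 99999  # constructed placeholder; substitute the vendor ID your devices send


def parse_ip_host_addr(body: bytes):
    """Validate 'A.B.C.D hh:hh:hh:hh:hh:hh' with exactly one space; return (ip, mac)."""
    ip_text, sep, mac_text = body.decode("ascii").partition(" ")
    if not sep or not MAC_RE.fullmatch(mac_text):
        raise ValueError("Ip_Host_Addr is not 'A.B.C.D hh:hh:hh:hh:hh:hh'")
    return str(ipaddress.IPv4Address(ip_text)), mac_text.lower()


def decode_vsa(value: bytes):
    """Decode one Vendor-Specific (26) value: 4-byte vendor ID, then sub-attributes."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor_id, decoded, pos = struct.unpack("!I", value[:4])[0], [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("malformed sub-attribute at offset %d" % pos)
        sub_type, body = value[pos], value[pos + 2:pos + value[pos + 1]]
        if sub_type == 60:
            item = parse_ip_host_addr(body)
        elif sub_type in INTEGER_SUBS:
            if len(body) != 4:
                raise ValueError("sub-attribute %d is not a 4-byte integer" % sub_type)
            item = struct.unpack("!I", body)[0]
            item = COMMANDS.get(item, item) if sub_type == 20 else item
        else:
            item = body  # unknown or string sub-attribute: keep the raw bytes
        decoded.append((SUB_ATTRS.get(sub_type, "unknown-%d" % sub_type), item))
        pos += value[pos + 1]
    return vendor_id, decoded


def sub(sub_type: int, body: bytes) -> bytes:
    """Build one constructed sub-attribute for the sample below."""
    return bytes([sub_type, len(body) + 2]) + body


SAMPLE_VSA = (struct.pack("!I", SAMPLE_VENDOR_ID) + sub(20, struct.pack("!I", 2))
              + sub(60, b"192.0.2.25 00:11:22:33:44:55") + sub(59, struct.pack("!I", 1700000000)))
```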