RADIUS attributes
This section provides tables of commonly used standard RADIUS attributes and HPE proprietary RADIUS sub-attributes.
Commonly used standard RADIUS attributes
No. | Attribute | Description |
---|---|---|
1 | User-Name | Name of the user to be authenticated. |
2 | User-Password | User password for PAP authentication, only present in Access-Request packets when PAP authentication is used. |
3 | CHAP-Password | Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used. |
4 | NAS-IP-Address | IP address for the server to use to identify a client. Usually, a client is identified by the IP address of its access interface. This attribute is only present in Access-Request packets. |
5 | NAS-Port | Physical port of the NAS that the user accesses. |
6 | Service-Type | Type of service that the user has requested or type of service to be provided. |
7 | Framed-Protocol | Encapsulation protocol for framed access. |
8 | Framed-IP-Address | IP address assigned to the user. |
11 | Filter-ID | Name of the filter list. |
12 | Framed-MTU | MTU for the data link between the user and NAS. For example, with 802.1X EAP authentication, NAS notifies the server of the MTU for EAP packets using this attribute to avoid oversized EAP packets. |
14 | Login-IP-Host | IP address of the NAS interface that the user accesses. |
15 | Login-Service | Type of the service that the user uses for login. |
18 | Reply-Message | Text to be displayed to the user, which can be used by the server to indicate, for example, the reason of the authentication failure. |
26 | Vendor-Specific | Vendor specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes. |
27 | Session-Timeout | Maximum service duration for the user before termination of the session. |
28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session. |
31 | Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HPE device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. |
32 | NAS-Identifier | Identification that the NAS uses to identify itself to the RADIUS server. |
40 | Acct-Status-Type | Type of the Accounting-Request packet:
|
45 | Acct-Authentic | Authentication method used by the user:
|
60 | CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. |
61 | NAS-Port-Type | Type of the physical port of the NAS that is authenticating the user:
If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201. |
79 | EAP-Message | Used to encapsulate EAP packets to allow RADIUS to support EAP authentication. |
80 | Message-Authenticator | Used for authentication and verification of authentication packets to prevent spoofing Access-Requests. This attribute is present when EAP authentication is used. |
87 | NAS-Port-Id | String for describing the port of the NAS that is authenticating the user. |
HPE proprietary RADIUS sub-attributes
No. | Sub-attribute | Description |
---|---|---|
1 | Input-Peak-Rate | Peak rate in the direction from the user to the NAS, in bps. |
2 | Input-Average-Rate | Average rate in the direction from the user to the NAS, in bps. |
3 | Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps. |
4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps. |
5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps. |
6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps. |
15 | Remanent_Volume | Total remaining available traffic for the connection, in different units for different server types. |
20 | Command | Operation for the session, used for session control:
|
24 | Control_Identifier | Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute may take the same value. The client response of a retransmitted packet must also carry this attribute, and the value of this attribute must be the same. For Accounting-Request packets of the start, stop, and interim update types, the Control-Identifier attribute, if present, has no effect. |
25 | Result_Code | Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure. |
26 | Connect_ID | Index of the user connection. |
28 | Ftp_Directory | FTP user working directory. When the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory for an FTP user on the RADIUS client. |
29 | Exec_Privilege | EXEC user priority |
59 | NAS_Startup_Timestamp | Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC). |
60 | Ip_Host_Addr | User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. |
61 | User_Notify | Information that must be sent from the server to the client transparently. |
62 | User_HeartBeat | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and is used for verifying the handshake messages from the 802.1X user. This attribute only exists in Access-Accept and Accounting-Request packets. |
140 | User_Group | User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with the SSL VPN device. |
141 | Security_Level | Security level assigned after the SSL VPN user passes security authentication. |
201 | Input-Interval-Octets | Number of bytes input within a real-time accounting interval. |
202 | Output-Interval-Octets | Number of bytes output within a real-time accounting interval. |
203 | Input-Interval-Packets | Number of packets input within an accounting interval, in the unit set on the NAS. |
204 | Output-Interval-Packets | Number of packets output within an accounting interval, in the unit set on the NAS. |
205 | Input-Interval-Gigawords | Amount of bytes input within an accounting interval, in units of 4G bytes. |
206 | Output-Interval-Gigawords | Amount of bytes output within an accounting interval, in units of 4G bytes. |
207 | Backup-NAS-IP | Backup source IP address for sending RADIUS packets. |
255 | Product_ID | Product name. |