

ERX-Supported RADIUS Attribute Descriptions

Table A-1 provides a description of all ERX-supported RADIUS attributes, sorted by standard number. Table A-2 lists all Juniper Networks vendor-specific attribute (VSA) formats, also sorted by standard number.

Table A-1 ERX-supported attributes 
Standard Number
Attribute Name
Description
[1]
User-Name
  • Name of user to be authenticated
  • Configurable username override
[2]
User-Password
  • Password of user to be authenticated
  • Configurable password override
  • PAP (Password Authentication Protocol)
[3]
CHAP-Password
Response value provided by a PPP Challenge Handshake Authentication Protocol (CHAP) user in the response to an access challenge
[4]
NAS-IP-Address
[5]
NAS-Port
[6]
Service-Type
  • Type of service the user has requested or the type of service to be provided
  • Admin, Login, NAS Prompt, or Framed only
[7]
Framed-Protocol
  • Framing protocol used for framed access
  • Standard value of 1 set for PPP
[8]
Framed-IP-Address
[9]
Framed-IP-Netmask
  • IP network to be configured for the user when the user is a router to a network
  • Absence implies 255.255.255.255
[11]
Filter-Id
  • Name of the filter list for the user
  • Interpreted as input policy name
[13]
Framed-Compression
Always set to "none."
[18]
Reply-Message
  • Text that may be displayed to the user
  • Only the first instance of this attribute is used
[22]
Framed-Route
Provides routing information to be configured for the user on the NAS
[24]
State
  • An arbitrary value that the ERX includes in new Access-Request packets from the previous Access-Challenge
  • Applicable for CLI/telnet only
[25]
Class
An arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server
[26]
Vendor-Specific
Juniper Networks Enterprise number 0x0000130A
[26-1]
Juniper-Virtual-Router
  • Virtual router name for the B-RAS user's IP interface
  • Allowed only from RADIUS server in default virtual router context
  • For restricted users, specifies the only VR that the user may access.
  • For nonrestricted users, specifies the initial VR that the user accesses.
  • See the enable command in ERX System Basics Configuration Guide, Chapter 6, Passwords and Security.
[26-2]
Address-Pool-Name
  • Name of an assigned address pool that should be used to assign an address for the user
  • Same as RADIUS attribute 88, Framed-Pool
[26-3]
Local-Interface
Interface to apply to the ERX side of the connection
[26-4]
Primary-DNS
  • B-RAS user's DNS address negotiated during IPCP
  • 4-octet IP address
[26-5]
Secondary-DNS
  • B-RAS user's DNS address negotiated during IPCP
  • 4-octet IP address
[26-6]
Primary-WINS (NBNS)
  • B-RAS user's WINS (NBNS) address negotiated during IPCP
  • 4-octet IP address
[26-7]
Secondary-WINS (NBNS)
  • B-RAS user's WINS (NBNS) address negotiated during IPCP
  • 4-octet IP address
[26-8]
Tunnel-Virtual-Router
Virtual router name for tunnel connection
[26-9]
Tunnel-Password
Tunnel password in cleartext
[26-10]
Ingress-Policy-Name
Input policy name to apply to B-RAS user's interface
[26-11]
Egress-Policy-Name
Output policy name to apply to B-RAS user's interface
[26-12]
Ingress-Statistics
Enable or disable input statistics on B-RAS user's interface
[26-13]
Egress-Statistics
Enable or disable output statistics on B-RAS user's interface
[26-14]
Atm-Service-Category
ATM service category to apply to B-RAS user's interface
[26-15]
Atm-PCR
  • Peak cell rate
  • 4-octet integer
[26-16]
Atm-SCR
  • Sustained cell rate or CBR, depending on the Atm-Service-Category RADIUS attribute [26-14]
  • 4-octet integer
[26-17]
Atm-MBS
  • Maximum burst rate
  • 4-octet integer
[26-18]
Juniper-Initial-CLI-Access-Level
  • Specifies the initial level of access to CLI commands
  • See the enable command in ERX System Basics Configuration Guide, Chapter 6, Passwords and Security.
[26-19]
Juniper-Allow-All-VR-Access
  • Specifies user access to all virtual routers
  • See the enable command in ERX System Basics Configuration Guide, Chapter 6, Passwords and Security.
[26-20]
Juniper-Alt-CLI-Access-Level
  • Specifies other levels of access to CLI commands
  • See the enable command in ERX System Basics Configuration Guide, Chapter 6, Passwords and Security.
[26-21]
Juniper-Alt-CLI-Virtual-Router-Name
  • For restricted users, specifies other VRs that the user may access.
  • See the enable command in ERX System Basics Configuration Guide, Chapter 6, Passwords and Security.
[26-22]
Sa-Validate
  • Enable or disable source address validation on a user's interface
  • 4-octet integer
[26-23]
Igmp-Enable
  • Enable or disable IGMP on a user's interface
  • Allows the end user to register for the reception of multicast services
  • 4-octet integer
[26-24]
Pppoe-Description
The string pppoe <mac addr> sent to the RADIUS server supplied by PPPoE
[26-25]
Redirect-VR-Name
  • Virtual router name indicating the VR context in which to authenticate the user
  • Behavior is similar to that of a remote domain-map lookup.
[26-26]
QoS-Profile-Name
Name of the QoS profile to attach to the user's interface
[26-31]
SSC-Service-Bundle-Name
Specifies the SSC service bundle
[26-34]
Framed-Ip-Route-Tag
Route tag to apply to returned framed-ip-address
[26-42]
Input-Gigapkts
Number of times input-packets attribute rolls over its 4-octet field
[26-43]
Output-Gigapkts
Number of times output-packets attribute rolls over its 4-octet field
[27]
Session-Timeout
Maximum number of seconds of service to be provided to the user before termination of the session
[28]
Idle-Timeout
Maximum number of consecutive seconds of idle connection allowed to the user before termination of the session
[30]
Called-Station-Id
  • Allows the NAS to send the phone number that the user called
  • Not supported for non tunneled or LAC session side.
  • For the LNS (L2TP), the format is the string passed in the Called Number AVP.
[31]
Calling-Station-Id
[32]
NAS-Identifier
  • Identifies the NAS originating the request
  • System-wide configurable hostname or VR-sensitive configurable NAS-identifier name
[40]
Acct-Status-Type
Indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update)
[41]
Acct-Delay-Time
Indicates how many seconds the client has been trying to send a particular record
[42]
Acct-Input-Octets
  • Indicates how many octets have been received from the port during the time this service has been provided
  • PPP payload only
[43]
Acct-Output-Octets
  • Indicates how many octets have been sent to the port during the time this service has been provided
  • PPP payload only
[44]
Acct-Session-Id
  • Unique accounting identifier that makes it easy to match start and stop records in a log file
  • See the radius acct-session-id-format and the radius include acct-session-id access-request commands in Chapter 2, Configuring RADIUS Attributes.
[45]
Acct-Authentic
  • Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol
  • Always 1
[46]
Acct-Session-Time
Indicates how many seconds the user has received service
[47]
Acct-Input-Packets
  • Indicates how many packets have been received from the port during the time this service has been provided to a framed user
  • PPP payload only
[48]
Acct-Output-Packets
  • Indicates how many packets have been sent to the port in the course of delivering this service to a framed user
  • PPP payload only
[49]
Acct-Terminate-Cause
Contains the reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:
  • User Request (1) - user initiated the disconnect (log out)
  • Idle Timeout (4) - idle timer has expired
  • Session Timeout (5) - client reached the maximum continuous time allowed on the service or session
  • Admin Reset (6) - system administrator terminated the session
  • Port Error (8) - PVC failed; no hardware or no interface
  • NAS Error (9) - negotiation failures, connection failures, or address lease expiration
  • NAS Request (10) - PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, Tunnel disconnect, or an unaccounted-for error
[52]
Acct-Input-Gigawords
  • Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
  • PPP payload only
[53]
Acct-Output-Gigawords
  • Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
  • PPP payload only
[55]
Event-Timestamp
Records the time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC
[60]
CHAP-Challenge
Contains the CHAP challenge sent by the NAS to a PPP CHAP user
[61]
NAS-Port-Type
[62]
Port-Limit
Specifies the maximum number of Multilink Point-to-Point protocol (MP) member links allowed for the subscriber
[64]
Tunnel-Type
  • Tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator)
  • Only L2TP and L2F supported at this time
[65]
Tunnel-Medium-Type
  • Transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports
  • Only IPv4 supported at this time
[66]
Tunnel-Client-Endpoint
Address of the initiator end of the tunnel
[67]
Tunnel-Server-Endpoint
Address of the server end of the tunnel
[68]
Acct-Tunnel-Connection
  • Indicates the identifier assigned to the tunnel session
  • Value is L2TP call-serial number
[69]
Tunnel-Password
Password to be used to authenticate to a remote server
[77]
Connect-Info
Sent from the NAS to indicate the nature of the user's connection
[82]
Tunnel-Assignment-Id
Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned
[83]
Tunnel-Preference
  • If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel.
  • Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only)
[85]
Acct-Interim-Interval
Number of seconds between each interim accounting update for this specific session
[86]
Acct-Tunnel-Packets-Lost
Number of packets lost on a given link
[87]
NAS-Port-Id
  • Text string that identifies the physical interface of the NAS that is authenticating the user
  • If the PPP user connects via ATM slot 12, port 2, vpi 100, vci 101, then the NAS-Port-Id value in the RADIUS packets will be atm 12/2:100.101
  • If the user is a PPP user that started as a result of the ERX LNS feature (that is, no physical port), then the NAS-Port-Id value is as follows: media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session id:call serial number
      For example: ip:172.81.1.98:172.81.1.99:18d:cb8:ce6:9f4:6
      In this case, the local information refers to the LNS, and the peer information refers to the LAC.
  • NAS-Port-Id usually contains one of the following:
      ◦ atm <slot>/<port>:<vpi>.<vci>
      ◦ fastEthernet <slot>/<port> [:<vlan>]
      ◦ gigabitEthernet <slot>/<port> [<vlan>]
      ◦ serial <slot>/<port> [:<sonetPath> [/<sonetTributary (x/x/x)> [/<fractionalInterface>] ] ]
      ◦ from LNS - ip:local ip:peer ip:local tid:peer tid:local sid:peer sid:call serial number
        (tid = tunnel id, sid = session id)
[88]
Framed-Pool
Name of an assigned address pool that should be used to assign an address for the user
[90]
Tunnel-Client-Auth-Id
Name used by the tunnel initiator during the authentication phase of tunnel establishment
[91]
Tunnel-Server-Auth-Id
Name used by the tunnel terminator during the authentication phase of tunnel establishment
[242]
Ascend-Data-Filter
  • RADIUS policy definitions allow you to configure a policy that consists of Filter/Forward rules based on classified packet flows.
  • The RADIUS policy definitions use the Ascend-Data-Filter format or Filter-Id, Ingress-Policy-Name, and Egress-Policy-Name.

See Table A-2 for Juniper Networks VSA formats for RADIUS. The ERX system uses the vendor ID assigned to Juniper Networks (0x0000130A) by the Internet Assigned Numbers Authority (IANA).

Table A-2 ERX system RADIUS VSA formats

| Standard Number | Attribute Name | Length | Subtype Length | Value |
|---|---|---|---|---|
| [26-1] | Juniper-Virtual-Router | len | sublen | string: virtual-router-name |
| [26-2] | Address-Pool-Name | len | sublen | string: address-pool-name |
| [26-3] | Local-Interface | len | sublen | string: local-interface |
| [26-4] | Primary-DNS | 12 | 6 | string: primary-dns-address |
| [26-5] | Secondary-DNS | 12 | 6 | string: secondary-dns-address |
| [26-6] | Primary-WINS (NBNS) | 12 | 6 | string: primary-wins-address |
| [26-7] | Secondary-WINS (NBNS) | 12 | 6 | string: secondary-wins-address |
| [26-8] | Tunnel-Virtual-Router | len | sublen | string: tunnel-virtual-router |
| [26-9] | Tunnel-Password | len | sublen | string: tunnel-password |
| [26-10] | Ingress-Policy-Name | len | sublen | string: input-policy-name |
| [26-11] | Egress-Policy-Name | len | sublen | string: output-policy-name |
| [26-12] | Ingress-Statistics | 12 | 6 | integer: 0 = disable, 1 = enable |
| [26-13] | Egress-Statistics | 12 | 6 | integer: 0 = disable, 1 = enable |
| [26-14] | Atm-Service-Category | 12 | 6 | integer: 1 = UBR, 2 = UBR PCR, 3 = NRT VBR, 4 = CBR |
| [26-15] | Atm-PCR | 12 | 6 | integer: 4-octet |
| [26-16] | Atm-SCR | 12 | 6 | integer: 4-octet |
| [26-17] | Atm-MBS | 12 | 6 | integer: 4-octet |
| [26-18] | Juniper-Initial-CLI-Access-Level | len | sublen | single attribute: enter 0, 1, 5, 10, or 15 |
| [26-19] | Juniper-Allow-All-VR-Access | len | sublen | integer: 0 = disable, 1 = enable |
| [26-20] | Juniper-Alt-CLI-Access-Level | len | sublen | single attribute: enter 0, 1, 5, 10, or 15 |
| [26-21] | Juniper-Alt-CLI-Virtual-Router-Name | len | sublen | string: virtual-router-name |
| [26-22] | Sa-Validate | len | sublen | integer: 0 = disable, 1 = enable |
| [26-23] | Igmp-Enable | len | sublen | integer: 0 = disable, 1 = enable |
| [26-24] | Pppoe-Description | | | string: pppoe<mac addr> |
| [26-25] | Redirect-VR-Name | len | sublen | authentication-redirection |
| [26-26] | QoS-Profile-Name | len | sublen | string: qos-profile-name |
| [26-31] | SSC-Service-Bundle-Name | len | sublen | string |
| [26-34] | Framed-Ip-Route-Tag | 12 | 6 | integer: 4-octet |
| [26-42] | Acct-Input-Gigapackets | 12 | 6 | integer |
| [26-43] | Acct-Output-GigaPackets | 12 | 6 | integer |
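
The VSA layout in Table A-2, as an added example that is not part of the Juniper documentation: a decoder that walks a RADIUS attribute list, extracts Juniper VSAs, and surfaces the values an access-policy reviewer would check. It assumes the RFC 2865 vendor-specific encoding (type 26, length, 4-octet vendor ID, then subtype, sublen, value), one sub-attribute per VSA, and 4-octet integers and addresses, which is what the 12/6 lengths in the table imply. The `vsa` helper, the `REVIEW` and `DECODE` tables, and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

JUNIPER_VENDOR_ID = 0x0000130A   # vendor ID given on this page
VENDOR_SPECIFIC = 26
# Subset of Table A-2: subtype -> (name, value kind); kinds are this example's labels
VSA_TABLE = {1: ("Juniper-Virtual-Router", "string"), 4: ("Primary-DNS", "ipaddr"),
             9: ("Tunnel-Password", "string"), 12: ("Ingress-Statistics", "integer"),
             19: ("Juniper-Allow-All-VR-Access", "integer"), 22: ("Sa-Validate", "integer")}
# Values worth surfacing in a review (wording paraphrases Table A-1)
REVIEW = {("Juniper-Allow-All-VR-Access", 1): "user may access all virtual routers",
          ("Sa-Validate", 0): "source address validation disabled"}
DECODE = {"integer": lambda v: struct.unpack("!I", v)[0],
          "ipaddr": lambda v: str(ipaddress.IPv4Address(v)),
          "string": lambda v: v.decode("ascii", "replace")}

def vsa(subtype, value):
    """Build one Juniper VSA: type, len, vendor ID, subtype, sublen, value."""
    sub = bytes([subtype, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", JUNIPER_VENDOR_ID) + sub

def decode_juniper_vsas(attrs):
    """Walk a RADIUS attribute list; return (decoded VSAs, review findings)."""
    decoded, findings, pos = [], [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError(f"truncated or bad-length attribute at offset {pos}")
        atype, alen = attrs[pos], attrs[pos + 1]
        body, pos = attrs[pos + 2:pos + alen], pos + alen
        if (atype != VENDOR_SPECIFIC or len(body) < 6
                or struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID):
            continue  # not a Juniper VSA
        subtype, sublen, value = body[4], body[5], body[6:]
        name, kind = VSA_TABLE.get(subtype, (f"unknown-{subtype}", "string"))
        if sublen != alen - 6 or (kind != "string" and len(value) != 4):
            findings.append(f"26-{subtype} {name}: malformed (len {alen}, sublen {sublen})")
            continue
        value = DECODE[kind](value)
        decoded.append((f"26-{subtype}", name, value))
        # The finding names the attribute but never echoes the password itself
        note = "cleartext tunnel password present" if subtype == 9 else REVIEW.get((name, value))
        if note:
            findings.append(f"26-{subtype} {name}: {note}")
    return decoded, findings

# Constructed sample: User-Name followed by five Juniper VSAs
SAMPLE = (bytes([1, 5]) + b"bob" + vsa(1, b"vr-east")
          + vsa(4, ipaddress.IPv4Address("192.0.2.53").packed)
          + vsa(19, struct.pack("!I", 1)) + vsa(22, struct.pack("!I", 0))
          + vsa(9, b"example-secret"))
```

Calling `decode_juniper_vsas(SAMPLE)` returns the five decoded VSAs plus three findings: all-VR access enabled, source address validation disabled, and a cleartext tunnel password.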

For more information about RADIUS attributes, see the following resources:

