CLI Commands Used to Modify RADIUS Attributes

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

Configuring RADIUS Attributes > CLI Commands Used to Modify RADIUS Attributes
CLI Commands Used to Modify RADIUS Attributes
This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands.

For many attributes, you can configure the router to include the attribute in RADIUS messages. To see a list of attributes that are included in or excluded from RADIUS messages, use the show radius attributes-included command, which is described in Including or Excluding Attributes in RADIUS Messages.

You can also configure the router to ignore many attributes that it receives in Access-Accept messages. To see a list of attributes that the router ignores, use the show radius attributes-ignored command, which is described in Ignoring Attributes When Receiving Access-Accept Messages.

For a complete list of RADIUS attributes supported by JUNOSe software, see Appendix A, RADIUS Attribute Descriptions.

RADIUS IETF Attributes

This section describes the RADIUS IETF attributes that you can configure using CLI commands. The attributes are listed numerically—each attribute is followed by a list of the commands that you can use to manage the attribute and descriptions of each command.

[4] NAS-IP-Address

Use the following commands to configure, manage, and display information for the NAS-IP-Address RADIUS attribute.

radius override nas-ip-addr tunnel-client-endpoint

radius override nas-info

show radius override

radius override nas-ip-addr tunnel-client-endpoint
Use to configure the RADIUS client (LNS) to use the tunnel-client-endpoint (LAC) IP address for the NAS-IP-Address attribute.

Example
host1(config)#radius override nas-ip-addr tunnel-client-endpoint
Use the no version to restore the default address.
radius override nas-info
Use in the correct virtual router context to override standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.

Example
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info 
Use the no version to restore standard use of the NAS-IP-Address and NAS-Identifier attributes.
show radius override
Use to display the current setting for the NAS-IP-Address and the NAS-Identifier. These settings can be changed with the radius override nas-ip-addr tunnel-client-endpoint and radius override nas-info commands.

Example
host1#show radius override
nas-ip-addr:          nas-ip-addr
nas-port-id:           nas-port-id
calling-station-id:   calling-station-id
nas-info:              from current virtual router 
[5] NAS-Port

Use the following commands to manage and display information for the NAS-Port RADIUS attribute:

radius include nas-port

radius nas-port-format

radius pppoe nas-port-format unique

radius vlan nas-port-format stacked

show radius nas-port-format

show radius pppoe nas-port-format

show radius vlan nas-port-format

radius include nas-port
Use to include the NAS-Port attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include nas-port acct-start enable
Use the no version to restore the default, enable.
radius nas-port-format
For ATM and Ethernet only

Use to set the NAS-Port format attribute to either 0ssssppp or ssss0ppp.

The format is a 4-octet integer. The remaining bits are not changed (8 bits VPI and 16 bits VCI; or 12 bits S-VLAN and 12 bits VLAN).

The s indicates a bit used to represent the slot; the p indicates a bit used to represent the port from which the authentication request originates.

Example: If the PPP user is received on a VC from the card in slot 7, port 2, then the bit pattern is either 00111010 (for 0ssssppp) or 01110010 (for ssss0ppp).
host1(config)#radius nas-port-format Ossssppp
Use the no version to restore the default.
radius pppoe nas-port-format unique
Use to set the NAS-Port attribute to a unique value for subscribers on PPPoE interface. This unique value is derived from the subscriber's profileHandle.

Example
host1(config)#radius pppoe nas-port-format unique 
Use the no version to return to the default, in which the value is determined by the interface.
radius vlan nas-port-format stacked
Use to include the S-VLAN ID, in addition to the VLAN ID, in the NAS-Port attribute for subscribers on Ethernet interfaces.

The VLAN ID is always included whether the S-VLAN ID inclusion feature is enabled or disabled.

The radius pppoe nas-port-format unique command overrides this command.

Example
host1(config)#radius vlan nas-port-format stacked 
Use the no version to return to the default, in which the S-VLAN ID is not included.
show radius nas-port-format
Use to display the setting for the NAS-Port attribute.

Example
host1#show radius nas-port-format
0ssssppp
show radius pppoe nas-port-format
Use to display the status of the setting for the NAS-Port attribute for PPPoE interfaces.

Example
host1#show radius pppoe nas-port-format
unique
show radius vlan nas-port-format
Use to display the status of the S-VLAN ID setting for the NAS-Port attribute for VLAN interfaces. The string vlan stacked indicates that the S-VLAN ID is included.

Example
host1#show radius vlan nas-port-format
vlan stacked
[8] Framed-IP-Address

Use the following command to manage the Framed-IP-Addr RADIUS attribute.

radius include framed-ip-addr

radius include framed-ip-addr
Use to include the Framed-Ip-Address attribute in Acct-Start and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include framed-ip-addr acct-start enable
Use the no version to restore the default, enable.
[9] Framed-Ip-Netmask

Use the following commands to manage the Framed-IP-Netmask RADIUS attribute.

radius include framed-ip-netmask

radius ignore framed-ip-netmask

radius include framed-ip-netmask
Use to include the Framed-Ip-Netmask attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include framed-ip-netmask acct-start enable
Use the no version to restore the default, enabled.
radius ignore framed-ip-netmask
Use to cause the Framed-Ip-Netmask attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

If the subnet mask is specified by the Frame-Ip-Netmask attribute in the RADIUS user profile, the router passes the mask and IP address to the CPE during IPCP negotiations. When this command is enabled, the default subnet mask 255.255.255.255 is provided by AAA and used for IPCP negotiations.

Enabling the command guards against any breaks in the negotiation.

Example
host1(config)#radius ignore framed-ip-netmask disable
Use the no version to restore the default, enable.
[13] Framed-Compression

Use the following command to manage the Framed-Compression RADIUS attribute.

radius include framed-compression

radius include framed-compression
Use to include the Framed-Compression attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include framed-compression acct-start disable
Use the no version to restore the default, enable.
[25] Class

Use the following command to manage the Class RADIUS attribute.

radius include class

radius include class
Use to include the Class attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include class acct-start disable 
Use the no version to restore the default, enable.
[30] Called-Station-Id

Use the following command to manage the Called-Station-Id RADIUS attribute.

radius include called-station-id

radius include called-station-id
Use to include the Called-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Called-Station-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include called-station-id acct-start enable
Use the no version to restore the default, enable.
[31] Calling-Station-Id

Use the following commands to manage and display information for the Calling-Station-Id RADIUS attribute.

radius calling-station-format

radius calling-station-delimiter

radius include calling-station-id

radius override calling-station-id remote-circuit-id

show radius calling-station-format

show radius calling-station-delimiter

show radius override

radius calling-station-format

Use to specify the format of the Calling-Station-Id attribute on a virtual router. Configure RADIUS client to use either delimited format or fixed format.

delimited format—When the PPP user is terminated at the non-LNS E-series router, the format is:

<delimit> <system name> <delimit> <interface> <delimit> <VPI> <delimit> <VCI><delimit>

Where <interface> is one of the following:

<port name>—The default setting

<VP description>—If you used the atm vp-description command to assign a text description to an individual VP on an ATM interface

<VC description>—If you used the atm atm1483 description command to assign a text description to VCs on an ATM 1483 subinterface and you used the atm1483 export-subinterface-description command to enable sending of VC interface descriptors to AAA

fixed-format—All fields are in ASCII, making the format up to 15 characters in length (the number of characters for each field is shown in brackets):

For ATM: <system name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]>

For Ethernet: <system name [4]> <slot [2]> <port [1]> <VLAN [8]>
In the case of PPP terminated at the LNS, the Calling-Station-Id attribute is based on the received L2TP calling number AVP.

Example
host1(config)#radius calling-station-format delimited
Attribute 31, Calling-Station-Id, is used with Attribute 30, Called-Station-Id, in a standard way when the router is the LNS and the LAC is a dial-up LAC (not an E-series router). When the LNS receives the Calling-Station-Id and Called-Station-Id AVPs, the router includes the values as they are, with no format changes in the RADIUS messages.

Use the no version to return the Calling-Station-Id format to delimited.
radius calling-station-delimiter
Use to specify the Calling-Station-Id attribute's delimiter for DSL PPP users.

The delimiter is one special character you select to set off items in the Calling-Station-Id's definition (for example, # or %).

Example
host1(config)#radius calling-station-delimiter &
Use the no version to remove the delimiter.
radius include calling-station-id
Use to include the Calling-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include calling-station acct-start disable 
Use the no version to restore the default, enable.
radius override calling-station-id remote-circuit-id
Use to configure RADIUS to override the standard use of the Calling-Station-Id attribute and instead use the remote circuit ID transmitted from a DSLAM device.

Example
host1(config)#radius override calling-station-id remote-circuit-id
Use the no version to restore the default Calling-Station-ID value, which is the telephone number from which the call originated.
show radius calling-station-format
Use to display the format for the Calling-Station-Id attribute.

Example
host1#show radius calling-station-format
delimited
show radius calling-station-delimiter
Use to display the delimiter used in the Calling-Station-Id for authenticated ATM PPP users.

Example
host1#show radius calling-station-delimiter
&
show radius override
Use to display the current override settings configured for NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32] RADIUS.

You can use the radius override calling-station-id remote-circuit-id command to override the standard Calling-Station-Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM.

Example
host1#show radius override
nas-ip-addr:        nas-ip-addr
nas-port-id:         remote-circuit-id
calling-station-id: remote-circuit-id
nas-info:            from current virtual router
[32] NAS-Identifier

Use the following commands to manage and display information for the NAS-Identifier RADIUS attribute.

radius nas-identifier

radius include nas-identifier

radius override nas-info

radius remote-circuit-id-format

radius remote-circuit-id-delimiter

show radius nas-identifier

show radius override

show radius remote-circuit-id-format

show radius remote-circuit-id-delimiter

radius nas-identifier
Use to set a value for the NAS-Identifier attribute. This value is used in the NAS-Identifier attribute for authentication and accounting requests.

Example
host1(config)#radius nas-identifier fox
Use the no version to delete the NAS-Identifier.
radius include nas-identifier
Use to include the NAS-Identifier attribute in Access-Request, Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include nas-identifier acct-start disable 
Use the no version to restore the default, enable.
radius override nas-info
Use in the correct virtual router context to override the standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.

Example
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info 
Use the no version to restore the standard use of the NAS-IP-Address and NAS-Identification attributes.
radius remote-circuit-id-format
Use to configure the format of the PPPoE remote circuit ID value captured from a DSLAM.

You can format the PPPoE remote circuit ID value to include the NAS-Identifier attribute with either or both of the agent-circuit-id (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option (option 82). You can also include either or both of the agent-circuit-id and agent-remote-id suboptions without the NAS-Identifier attribute.

For information about how to use this command, see Configuring PPPoE Remote Circuit ID Capture in JUNOSe Link Layer Configuration Guide, Chapter 7, Configuring Point-to-Point Protocol over Ethernet.

Example
host1(config)#radius remote-circuit-id-format nas-identifier agent-circuit-id 
agent-remote-id
Use the no version to restore the default format, agent-circuit-id.
radius remote-circuit-id-delimiter
Use to configure the delimiter character that the router uses to set off multiple components in the format of the PPPoE remote circuit ID value captured from a DSLAM.

For information about how to use this command, see Configuring PPPoE Remote Circuit ID Capture in JUNOSe Link Layer Configuration Guide, Chapter 7, Configuring Point-to-Point Protocol over Ethernet.

Example
host1(config)#radius remote-circuit-id-delimiter !
Use the no version to restore the default delimiter character, #.
show radius nas-identifier
Use to display the NAS-Identifier value.

Example
host1#show radius nas-identifier
fox
show radius override
Use to display the current setting for both the NAS-IP-Address and the NAS-Identifier. This setting can be changed with the radius override nas-info command, which is used for AAA broadcast accounting.

Example
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-info:     from authentication virtual router
show radius remote-circuit-id-format
Use to display the format configured for the PPPoE remote circuit ID value captured from a DSLAM.

The command output displays the components (agent-circuit-id, agent-remote-id, and nas-identifier) included in the PPPoE remote circuit ID value and the order in which these components appear.

The default format is agent-circuit-ID.

Example
host1#show radius remote-circuit-id-format
nas-identifier agent-circuit-id agent-remote-id 
show radius remote-circuit-id-delimiter
Use to display the delimiter character configured to set off components in the PPPoE remote circuit ID value captured from a DSLAM.

The default delimiter character is #.

Example
host1#show radius remote-circuit-id-delimiter
!
[41] Acct-Delay-Time

Use the following commands to manage and display information for the Acct-Delay-Timer RADIUS attribute.

radius include acct-delay-time

radius include acct-delay-time
Use to include the Acct-Delay-Time attribute in Acct-On or Acct-Off messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-delay-time acct-on enable
Use the no version to restore the default, enable.
[44] Acct-Session-Id

Use the following commands to manage and display information for the Acct-Session-Id RADIUS attribute.

radius include acct-session-id

radius acct-session-id-format

show radius acct-session-id-format

radius include acct-session-id
Use to include the Acct-Session-Id attribute in Access-Request, Acct-On, or Acct-Off messages.

You can control inclusion of the Acct-Session-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-session-id access-request disable 
Use the no version to restore the default, enable.
radius acct-session-id-format

Use to set the Acct-Session-Id attribute format. Two formats are supported:

description—Configures RADIUS client to use the generic format: erx <interface identifier>:<hex number>. For example: erx atm 12/1:0.3:0000ef1

decimal—Configures the RADIUS client to use a decimal format. For example: 435264
Example
host1(config)#radius acct-session-id-format decimal
Use the no version to negate the Acct-Session-Id format.
show radius acct-session-id-format
Use to display the format used for the Acct-Session-Id attribute.

Example
host1#show radius acct-session-id-format
decimal
[45] Acct-Authentic

Use the following command to manage the Acct-Authentic RADIUS attribute.

radius include acct-authentic

radius include acct-authentic
Use to include the Acct-Authentic attribute in Acct-On or Acct-Off messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-authentic acct-on enable
Use the no version to restore the default, enable.
[49] Acct-Terminate-Cause

Use the following command to manage the Acct-Terminate-Cause RADIUS attribute.

radius include acct-terminate-cause

radius include acct-terminate-cause
Use to include the Acct-Terminate-Cause attribute in Acct-Off messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-terminate-cause acct-off enable
Use the no version to restore the default, enable.
[50] Acct-Multi-Session-Id

Use the following command to manage the Acct-Multi-Session-Id RADIUS attribute.

radius include acct-multi-session-id

radius include acct-multi-session-id
Use to include the Acct-Multi-Session-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Acct-Multi-Session-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-multi-session-id acct-stop disable
Use the no version to restore the default, enable for accounting messages and disable for access requests.
[51] Acct-Link-Count

Use the following command to manage the Acct-Link-Count RADIUS attribute.

radius include acct-link-count

radius include acct-link-count
Use to include the Acct-Link-Count attribute in Acct-Start and Acct-Stop messages.

You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-link-count acct-stop disable
Use the no version to restore the default, enable.
[52] Acct-Input-Gigawords

Use the following command to manage the Acct-Input-Gigawords RADIUS attribute.

radius include input-gigawords

radius include input-gigawords
Use to include the Acct-Input-Gigawords attribute in Acct-Stop messages.

You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.

Example
host1(config)#radius include input-gigawords acct-stop disable
Use the no version to restore the default, enable.
[53] Output-Gigawords

Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.

radius include output-gigawords

radius include output-gigawords
Use to include the Acct-Output-Gigawords attribute in Acct-Stop messages.

You can control inclusion of the Acct-Output-Gigawords attribute by enabling or disabling this command.

Example
host1(config)#radius include output-gigawords acct-stop enable
Use the no version to restore the default, enable.
[55] Event-Timestamp

Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.

radius include event-timestamp

radius include event-timestamp
Use to include the Event-Timestamp attribute in Acct-Start, Acct-Stop, Acct-On, or Acct-Off messages.

You can control inclusion of the Event-Timestamp attribute by enabling or disabling this command.

Example
host1(config)#radius include event-timestamp acct-on enable
Use the no version to restore the default, enable.
[61] NAS-Port-Type

Use the following commands to manage and display information for the NAS-Port-Type RADIUS attribute.

radius dsl-port-type

radius ethernet-port-type

radius include nas-port-type

show radius dsl-port-type

show radius ethernet-port-type

radius dsl-port-type

Use to configure the NAS-Port-Type attribute for the DSL port type.

This attribute can have several values. If the interface (port) is DSL, then the attribute can have any value listed in the command and uses the value configured. If the interface (port) is Ethernet, then it sets the attribute to Ethernet and disregards the parameter set with this command. Options include:

adsl-cap—Asymmetric DSL, carrierless amplitude phase (CAP) modulation

adsl-dmt—Asymmetric DSL, discrete multitone (DMT)

idsl—ISDN DSL

sdsl—Symmetric DSL

virtual—Virtual

xdsl—DSL of unknown type
Example
host1(config)#radius dsl-port-type xdsl
Use the no version to restore the default, xdsl.
radius ethernet-port-type
Use to set the NAS-Port-Type attribute for Ethernet interfaces to ethernet or virtual.

Example
host1(config)#radius ethernet-port-type virtual
Use the no version to restore the default, ethernet.
radius include nas-port-type
Use to include the NAS-Port-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include nas-port-type acct-start enable
Use the no version to restore the default, enable.
show radius dsl-port-type
Use to display the DSL port type for NAS-Port-Type attribute for ATM users.

Example
host1#show radius dsl-port-type
xdsl
show radius ethernet-port-type
Use to display the NAS-Port-Type attribute for Ethernet interfaces.

Example
host1#show radius ethernet-port-type
virtual
[64] Tunnel-Type

Use the following command to manage the Tunnel-Type RADIUS attribute.

radius include tunnel-type

radius include tunnel-type
Use to include the Tunnel-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the Tunnel-Type attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-type access-request enable
Use the no version to restore the default, enable.
[65] Tunnel-Medium-Type

Use the following command to manage the Tunnel-Type-Medium RADIUS attribute.

radius include tunnel-medium-type

radius include tunnel-medium-type
Use to include the Tunnel-Medium-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the Tunnel-Medium-Type attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-medium-type acct-start enable
Use the no version to restore the default, enable.
[66] Tunnel-Client-Endpoint

Use the following command to manage the Tunnel-Client-Endpoint RADIUS attribute.

radius include tunnel-client-endpoint

radius include tunnel-client-endpoint
Use to include the Tunnel-Client-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the Tunnel-Client-Endpoint attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-client-endpoint acct-start enable
Use the no version to restore the default, enable.
[67] Tunnel-Server-Endpoint

Use the following command to manage the Tunnel-Server-Endpoint RADIUS attribute.

radius include tunnel-server-endpoint

radius include tunnel-server-endpoint
Use to include the Tunnel-Server-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the Tunnel-Server-Endpoint attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-server-endpoint acct-stop disable
Use the no version to restore the default, enable.
[68] Acct-Tunnel-Connection

Use the following command to manage the Acct-Tunnel-Connection RADIUS attribute.

radius include acct-tunnel-connection

radius include acct-tunnel-connection
Use to include the Acct-Tunnel-Connection attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Acct-Tunnel-Connection attribute by enabling or disabling this command.

Example
host1(config)#radius include acct-tunnel-connection acct-stop enable
Use the no version to restore the default, enable.
[77] Connect-Info

Use the following commands to manage and display information for the Connect-Info RADIUS attribute.

radius connect-info-format l2tp-connect-speed

radius include connect-info

show radius connect-info-format

radius connect-info-format
Use on the LNS to enable the generation of the RADIUS Connect-Info attribute and to specify the attribute's format. The attribute is based on the L2TP connect-speed AVPs for received (RX) speed (AVP 38) and transmit (TX) speed (AVP 24). See Configuring the RX Speed on the LAC for information about generating the RX and TX speed AVPs.

The Connect-Info attribute is a string in the following format; the attribute is generated whenever the TX speed is not zero.
tx-speed [ /rx-speed ]
The TX speed is always included in the attribute when the speed is not zero; however, inclusion of the RX speed depends on the keyword you use with the command.
Use the l2tp-connect-speed keyword to specify that the RX speed is only included when it is not zero and differs from the TX speed.

Example
host1(config)#radius connect-info-format l2tp-connect-speed
Use the l2tp-connect-speed-rx-when-equal keyword to specify that the RX speed is always included when it is not zero.

Example
host1(config)#radius connect-info-format l2tp-connect-speed-rx-when-equal
Use the no version to disable the inclusion of the RX speed when it is the same as the TX speed.

radius include connect-info
Use to include the Connect-Info attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Connect-Info attribute by enabling or disabling this command.

Example
host1(config)#radius include connect-info access-request disable
Use the no version to restore the default, enable.
show radius connect-info-format
Use to display the format for the Connect-Info attribute.

Example
host1(config)#show radius connect-info-format
l2tp-connect-speed-rx-when-equal
[82] Tunnel-Assignment-Id

Use the following command to manage the Tunnel-Assignment-Id RADIUS attribute.

radius include tunnel-assignment-id

radius include tunnel-assignment-id
Use to include the Tunnel-Assignment-Id attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the Tunnel-Assignment-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-assignment-id acct-stop enable
Use the no version to restore the default, enable.
[83] Tunnel-Preference

Use the following command to manage the Tunnel-Preference RADIUS attribute.

radius include tunnel-preference

radius include tunnel-preference
Use to include the Tunnel-Preference attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the Tunnel-Preference attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-preference acct-start enable
Use the no version to restore the default, enable.
[87] NAS-Port-Id

Use the following commands to manage and show information for the NAS-Port-Id RADIUS attribute.

radius include nas-port-id

radius override nas-port-id remote-circuit-id

aaa intf-desc-format include

show aaa intf-desc-format

show radius override

radius include nas-port-id
Use to include the NAS-Port-Id attribute in the Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the NAS-Port-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include nas-port-id access-request enable
Use the no version to restore the default, enable.
radius override nas-port-id remote-circuit-id
Use to configure RADIUS to override the standard use of the NAS-Port-Id attribute and instead use the remote circuit ID transmitted from a DSLAM device.

Example
host1(config)#radius override nas-port-id remote-circuit-id
Use the no version to restore the default NAS-Port-ID value, which is the physical interface of the NAS that is authenticating the user.
aaa intf-desc-format include
Use to specify whether the router includes the subinterface number or adapter in the interface description it passes to RADIUS for inclusion in the NAS-Port-Id attribute. By default, the subinterface and adapter are sent (the commands are enabled).

Examples
host1#aaa intf-desc-format include sub-intf disable
host1#aaa intf-desc-format include adapter enable
Use the no version to remove the configuration.
show aaa intf-desc-format
Use to display whether the router includes or excludes the subinterface number or adapter in the interface description that the router passes to RADIUS for inclusion in the NAS-Port-Id attribute.

Example
host1#show aaa intf-desc-format
exclude sub-interface 
include adapter 
show radius override
Use to display the current override settings configured for the NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32] RADIUS attributes.

You can use the radius override nas-port-id remote-circuit-id command to override the standard NAS-Port-Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM.

Example
host1#show radius override
nas-ip-addr:        nas-ip-addr
nas-port-id:         remote-circuit-id
calling-station-id: remote-circuit-id
nas-info:            from current virtual router
[90] Tunnel-Client-Auth-Id

Use the following command to manage the Tunnel-Client-Auth-Id RADIUS attribute.

radius include tunnel-client-auth-id

radius include tunnel-client-auth-id
Use to include the Tunnel-Client-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Tunnel-Client-Auth-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-client-auth-id access-request disable
Use the no version to restore the default, enable.
[91] Tunnel-Server-Auth-Id

Use the following command to manage the Tunnel-Server-Auth-Id RADIUS attribute.

radius include tunnel-server-auth-id

radius include tunnel-server-auth-id
Use to include the Tunnel-Server-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Tunnel-Server-Auth-Id attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-server-auth-id acct-start enable
Use the no version to restore the default, enable.
[188] Ascend-Num-In-Multilink

Use the following command to manage the Ascend-Num-In-Multilink RADIUS attribute.

radius include ascend-num-in-multilink

radius include ascend-num-in-multilink
Use to include the Ascend-Num-In-Multilink attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Ascend-Num-In-Multilink attribute by enabling or disabling this command.

Example
host1(config)#radius include ascend-num-in-multilink acct-start enable
Use the no version to restore the default, disable.
All Tunnel Server Attributes

Use the following command to manage all tunnel server RADIUS attribute.

radius include tunnel-server-attributes

radius include tunnel-server-attributes
Use to include all supported tunnel server attributes in Access-Request, Acct-Start, or Acct-Stop messages.

When the router functions as an LNS with a terminating PPP, then the LAC tunnel attributes are included.

You can control inclusion of all tunnel server attributes by enabling or disabling this command.

Example
host1(config)#radius include tunnel-server-attributes access-request enable
Use the no version to restore the default, disable.
All Include Attributes

Use the following commands to display the RADIUS attributes that are included or excluded from RADIUS messages.

show radius attributes-included

show radius attributes-ignored

show radius attributes-included

Use to display the RADIUS attributes that are included in and excluded from Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages. You use the radius include commands to configure attribute inclusion or exclusion.

Field descriptions

Attribute Name—Name of the RADIUS attribute

Account On—Include status of the attribute in Acct-On messages: enabled, disabled, not configurable (n/c)

Account Off—Include status of the attribute in Acct-Off messages: enabled, disabled, n/c

Access Request—Include status of the attribute in Access Request messages: enabled, disabled, n/c

Account Start—Include status of the attribute in Acct-Start messages: enabled, disabled, n/c

Account Stop—Include status of the attribute in Acct-Stop messages: enabled, disabled, n/c

Example
host1#show radius attributes-included
                             Account   Account    Access    Account    Account
      Attribute Name           On        Off     Request     Start       Stop
--------------------------   -------   -------   --------   --------   --------
acct-authentic               enabled   enabled   n/c        n/c        n/c
acct-delay-time              enabled   enabled   n/c        n/c        n/c
acct-link-count              n/c       n/c       n/c        enabled    enabled
acct-multi-session-id        n/c       n/c       disabled   enabled    enabled
acct-session-id              enabled   enabled   enabled    n/c        n/c
acct-terminate-cause         n/c       enabled   n/c        n/c        n/c
acct-tunnel-connection       n/c       n/c       enabled    enabled    enabled
ascend-num-in-multilink      n/c       n/c       disabled   disabled   disabled
called-station-id            n/c       n/c       enabled    enabled    enabled
calling-station-id           n/c       n/c       enabled    enabled    enabled
class                        n/c       n/c       n/c        enabled    enabled
connect-info                 n/c       n/c       enabled    enabled    enabled
dhcp-options                 n/c       n/c       disabled   disabled   disabled
dhcp-mac-address             n/c       n/c       disabled   disabled   disabled
dhcp-gi-address              n/c       n/c       disabled   disabled   disabled
egress-policy-name(vsa)      n/c       n/c       n/c        enabled    enabled
event-timestamp              enabled   enabled   n/c        enabled    enabled
framed-compression           n/c       n/c       n/c        enabled    enabled
framed-ip-address            n/c       n/c       n/c        enabled    n/c
framed-ip-netmask            n/c       n/c       n/c        enabled    enabled
ingress-policy-name(vsa)     n/c       n/c       n/c        enabled    enabled
input-gigapkts(vsa)          n/c       n/c       n/c        n/c        enabled
input-gigawords              n/c       n/c       n/c        n/c        enabled
l2tp-ppp-disconnect-cause    n/c       n/c       n/c        n/c        disabled
interface-description        n/c       n/c       enabled    enabled    enabled
mlppp-bundle-name            n/c       n/c       enabled    enabled    enabled
nas-identifier               enabled   enabled   enabled    enabled    enabled
nas-port                     n/c       n/c       enabled    enabled    enabled
nas-port-id                  n/c       n/c       enabled    enabled    enabled
nas-port-type                n/c       n/c       enabled    enabled    enabled
output-gigapkts(vsa)         n/c       n/c       n/c        n/c        enabled
output-gigawords             n/c       n/c       n/c        n/c        enabled
pppoe-description(vsa)       n/c       n/c       enabled    enabled    enabled
profile-service-descr(vsa)   n/c       n/c       disabled   disabled   disabled
tunnel-assignment-id         n/c       n/c       n/c        enabled    enabled
tunnel-client-auth-id        n/c       n/c       enabled    enabled    enabled
tunnel-client-endpoint       n/c       n/c       enabled    enabled    enabled
tunnel-interface-id          n/c       n/c       disabled   disabled   disabled
tunnel-medium-type           n/c       n/c       enabled    enabled    enabled
tunnel-preference            n/c       n/c       n/c        enabled    enabled
tunnel-server-attributes     n/c       n/c       disabled   disabled   disabled
tunnel-server-auth-id        n/c       n/c       enabled    enabled    enabled
tunnel-server-endpoint       n/c       n/c       enabled    enabled    enabled
tunnel-type                  n/c       n/c       enabled    enabled    enabled
show radius attributes-ignored
Use to display the RADIUS attributes that are ignored in Access-Accept messages. You use the radius ignore command to configure whether or not the router ignores attributes.

Example
host1#show radius attributes-ignored
attribute framed-ip-netmask ignored from RADIUS server
attribute atm-category (vsa) ignored from RADIUS server
attribute atm-mbs (vsa) accepted from RADIUS server
attribute atm-pcr (vsa) ignored from RADIUS server
attribute atm-scr (vsa) accepted from RADIUS server
attribute egress-policy-name (vsa) accepted from RADIUS server
attribute ingress-policy-name (vsa) accepted from RADIUS server
attribute virtual-router accepted from RADIUS server 
Juniper Networks Vendor-Specific Attributes

This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute.

[26-1] Virtual-Router

Use the following command to manage the Virtual-Router RADIUS attribute.

radius ignore virtual-router

radius ignore virtual-router
Use to cause the Virtual-Router attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

Example
host1(config)#radius ignore virtual-router enable
Use the no version to restore the default, disable.
[26-10] Ingress-Policy-Name

Use the following commands to manage the Ingress-Policy-Name RADIUS attribute.

radius include ingress-policy-name

radius ignore ingress-policy-name

radius include ingress-policy-name
Use to include the Ingress-Policy-Name attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include ingress-policy-name acct-start enable
Use the no version to restore the default.
radius ignore ingress-policy-name
Use to cause the Ingress-Policy-Name attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command. The default is disable.

Example
host1(config)#radius ignore ingress-policy-name enable
Use the no version to restore the default, enable.
[26-11] Egress-Policy-Name

Use the following commands to manage the Egress-Policy-Name RADIUS attribute.

radius include egress-policy-name

radius ignore egress-policy-name

radius include egress-policy-name
Use to include the Egress-Policy-Name attribute in Acct-Start or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include egress-policy-name acct-start enable 
Use the no version to restore the default, enable.
radius ignore egress-policy-name
Use to cause the Egress-Policy-Name attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

Example
host1(config)#radius ignore egress-policy-name enable 
Use the no version to restore the default, disable.
[26-14] Atm-Service-Category

Use the following command to manage the ATM-Service-Category RADIUS attribute.

radius ignore atm-service-category

radius ignore atm-service-category
Use to cause the Atm-Service-Category attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

Example
host1(config)#radius ignore atm-service-category enable
Use the no version to restore the default, disable.
[26-15] Atm-PCR

Use the following command to manage the ATM-PCR RADIUS attribute.

radius ignore atm-pcr

radius ignore atm-pcr
Use to cause the Atm-PCR attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

Example
host1(config)#radius ignore atm-pcr enable
Use the no version to restore the default, disable.
[26-16] Atm-SCR

Use the following command to manage the ATM-SCR RADIUS attribute.

radius ignore atm-scr

radius ignore atm-scr
Use to cause the Atm-SCR attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

Example
host1(config)#radius ignore atm-scr enable
Use the no version to restore the default, disable.
[26-17] Atm-MBS

Use the following command to manage the ATM-MBS RADIUS attribute.

radius ignore atm-mbs

radius ignore atm-mbs
Use to cause the Atm-MBS attribute to be ignored in Access-Accept messages.

You can control this behavior by enabling or disabling this command.

Example
host1(config)#radius ignore atm-mbs enable
Use the no version to restore the default, disable.
[26-24] Pppoe-Description

Use the following command to manage the Pppoe-Description RADIUS attribute.

radius include pppoe-description

radius include pppoe-description
Use to include the Pppoe-Description attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the Pppoe-Description attribute by enabling or disabling this command.

Example
host1(config)#radius include pppoe-description acct-start enable
Use the no version to restore the default, enable.
[26-35] Acct-Input-Gigapackets

Use the following command to manage the Acct-Input-Gigapackets RADIUS attribute.

radius include input-gigapkts

radius include input-gigapkts
Use to include Acct-Input-Gigapackets in Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include input-gigapkts acct-stop disable
Use the no version to restore the default, enable.
[26-36] Acct-Output-Gigapackets

Use the following command to manage the Acct-Output-Gigapackets RADIUS attribute.

radius include output-gigapkts

radius include output-gigapkts
Use to include the Acct-Output-Gigapackets attribute in Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include output-gigapkts acct-stop disable
Use the no version to restore the default, enable.
[26-44] Tunnel-Interface-Id

Use the following command to manage the Tunnel-Interface-Id RADIUS attribute.

radius include tunnel-interface-id

radius include tunnel-interface-id
Use to include the Tunnel-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include tunnel-interface-id enable 
Use the no version to restore the default, disable.
[26-51] L2TP-PPP-Disconnect-Cause

Use the following command to manage the L2TP-PPP-Disconnect-Cause RADIUS attribute.

radius include l2tp-ppp-disconnect-cause

radius include l2tp-ppp-disconnect-cause
Use to include the L2TP-PPP-Disconnect-Cause attribute in Acct-Stop and Acct-Tunnel-Link-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include l2tp-ppp-disconnect-cause acct-stop-enable 
Use the no version to restore the default, disable.
[26-53] Profile-Service-Description

Use the following command to manage the Profile-Service-Description RADIUS attribute.

radius include profile-service-description

radius include profile-service-description
Use to include the Profile-Service-Description attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include profile-service-description acct-stop enable 
Use the no version to restore the default, disable.
[26-55] DHCP-Options

Use the following command to manage the DHCP-Options RADIUS attribute.

radius include dhcp-options

radius include dhcp-options
Use to include the DHCP-Options attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include dhcp-options acct-stop enable
Use the no version to restore the default, disable.
[26-56] DHCP-MAC-Address

Use the following command to manage the DHCP-MAC-Address RADIUS attribute.

radius include dhcp-mac-address

radius include dhcp-mac-address
Use to include the DHCP-MAC-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include dhcp-mac-address acct-stop enable
Use the no version to restore the default, disable.
[26-57] DHCP-GI-Address

Use the following command to manage the DHCP-GI-Address RADIUS attribute.

radius include dhcp-gi-address

radius include dhcp-gi-address
Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.

You can control inclusion of the attribute by enabling or disabling this command.

Example
host1(config)#radius include dhcp-gi-address acct-stop enable
Use the no version to restore the default, disable.
[26-62] MLPPP-Bundle-Name

Use the following command to manage the MLPPP-Bundle-Name RADIUS attribute.

radius include mlppp-bundle-name

radius include mlppp-bundle-name
Use to include the MLPPP-Bundle-Name attribute in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages.

You can control inclusion of the MLPPP-Bundle-Name attribute by enabling or disabling this command.

There is no explicit command to include the MLPPP-Bundle-Name attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.

Example
host1(config)#radius include mlppp-bundle-name acct-start enable
Use the no version to restore the default, disable.
[26-63] Interface-Description

Use the following command to manage the Interface-Description RADIUS attribute.

radius include interface-description

radius include interface-description
Use to include the Interface-Description attribute, with the subscriber's access interface description, in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages.

You can control inclusion of the Interface-Description attribute by enabling or disabling this command. Inclusion is disabled by default.

There is no explicit command to include the Interface-Description attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.

Example
host1(config)#radius include interface-description acct-start enable
Use the no version to restore the default, disable.
Including or Excluding Attributes in RADIUS Messages

For many attributes, you can configure the router to include or exclude the attribute in RADIUS messages. To see a list of the attributes that you can include or exclude, use the show radius attributes-included command.

radius include
Use to enable or disable the inclusion of RADIUS attributes in Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.

Examples
host1(config)#radius include ingress-policy-name acct-start enable
host1(config)#radius include tunnel-type access-request disable
Use the no version to restore the default, disable.
Ignoring Attributes When Receiving Access-Accept Messages

You can configure the router to ignore or use many attributes that it receives in Access-Accept messages. To see the list of attributes that the router uses or ignores, use the show radius attributes-ignored command.

radius ignore
Use to specify that a RADIUS attribute be ignored or be accepted from Access-Accept messages.

Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute.

Examples
host1(config)#radius ignore atm-scr enable
host1(config)#radius ignore framed-ip-netmask disable
Use the no version to restore the default, exclude.
Monitoring RADIUS Included and Ignored Attributes

Use the commands described in this section to monitor the status of RADIUS attributes that are included or ignored in RADIUS messages.

show radius attributes-included

Use to display the RADIUS attributes that are included in and excluded from Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.

Field descriptions

Attribute Name—Name of the RADIUS attribute

Account On—Include status of the attribute in Acct-On messages: enabled, disabled, not configurable (n/c)

Account Off—Include status of the attribute in Acct-Off messages: enabled, disabled, n/c

Access Request—Include status of the attribute in Access Request messages: enabled, disabled, n/c

Account Start—Include status of the attribute in Acct-Start messages: enabled, disabled, n/c

Account Stop—Include status of the attribute in Acct-Stop messages: enabled, disabled, n/c

Example
host1#show radius attributes-included
                             Account   Account    Access    Account    Account
      Attribute Name           On        Off     Request     Start       Stop
--------------------------   -------   -------   --------   --------   --------
acct-authentic               enabled   enabled   n/c        n/c        n/c
acct-delay-time              enabled   enabled   n/c        n/c        n/c
acct-link-count              n/c       n/c       n/c        enabled    enabled
acct-multi-session-id        n/c       n/c       disabled   enabled    enabled
acct-session-id              enabled   enabled   enabled    n/c        n/c
acct-terminate-cause         n/c       enabled   n/c        n/c        n/c
acct-tunnel-connection       n/c       n/c       enabled    enabled    enabled
ascend-num-in-multilink      n/c       n/c       disabled   disabled   disabled
called-station-id            n/c       n/c       enabled    enabled    enabled
calling-station-id           n/c       n/c       enabled    enabled    enabled
class                        n/c       n/c       n/c        enabled    enabled
connect-info                 n/c       n/c       enabled    enabled    enabled
dhcp-options                 n/c       n/c       disabled   disabled   disabled
dhcp-mac-address             n/c       n/c       disabled   disabled   disabled
dhcp-gi-address              n/c       n/c       disabled   disabled   disabled
egress-policy-name(vsa)      n/c       n/c       n/c        enabled    enabled
event-timestamp              enabled   enabled   n/c        enabled    enabled
framed-compression           n/c       n/c       n/c        enabled    enabled
framed-ip-address            n/c       n/c       n/c        enabled    n/c
framed-ip-netmask            n/c       n/c       n/c        enabled    enabled
ingress-policy-name(vsa)     n/c       n/c       n/c        enabled    enabled
input-gigapkts(vsa)          n/c       n/c       n/c        n/c        enabled
input-gigawords              n/c       n/c       n/c        n/c        enabled
l2tp-ppp-disconnect-cause    n/c       n/c       n/c        n/c        disabled
mlppp-bundle-name            n/c       n/c       enabled    enabled    enabled
nas-identifier               enabled   enabled   enabled    enabled    enabled
nas-port                     n/c       n/c       enabled    enabled    enabled
nas-port-id                  n/c       n/c       enabled    enabled    enabled
nas-port-type                n/c       n/c       enabled    enabled    enabled
output-gigapkts(vsa)         n/c       n/c       n/c        n/c        enabled
output-gigawords             n/c       n/c       n/c        n/c        enabled
pppoe-description(vsa)       n/c       n/c       enabled    enabled    enabled
profile-service-descr(vsa)   n/c       n/c       disabled   disabled   disabled
tunnel-assignment-id         n/c       n/c       n/c        enabled    enabled
tunnel-client-auth-id        n/c       n/c       enabled    enabled    enabled
tunnel-client-endpoint       n/c       n/c       enabled    enabled    enabled
tunnel-interface-id          n/c       n/c       disabled   disabled   disabled
tunnel-medium-type           n/c       n/c       enabled    enabled    enabled
tunnel-preference            n/c       n/c       n/c        enabled    enabled
tunnel-server-attributes     n/c       n/c       disabled   disabled   disabled
tunnel-server-auth-id        n/c       n/c       enabled    enabled    enabled
tunnel-server-endpoint       n/c       n/c       enabled    enabled    enabled
tunnel-type                  n/c       n/c       enabled    enabled    enabled
show radius attributes-ignored
Use to display the RADIUS attributes that are ignored in Access-Accept messages.

Example
host1#show radius attributes-ignored
attribute framed-ip-netmask ignored from RADIUS server
attribute atm-category (vsa) ignored from RADIUS server
attribute atm-mbs (vsa) accepted from RADIUS server
attribute atm-pcr (vsa) ignored from RADIUS server
attribute atm-scr (vsa) accepted from RADIUS server
attribute egress-policy-name (vsa) accepted from RADIUS server
attribute ingress-policy-name (vsa) accepted from RADIUS server
attribute virtual-router accepted from RADIUS server 

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]