CLI Commands Used to Modify RADIUS Attributes
This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands.
For many attributes, you can configure the router to include the attribute in RADIUS messages. To see a list of attributes that are included in or excluded from RADIUS messages, use the show radius attributes-included command, which is described in Including or Excluding Attributes in RADIUS Messages.
You can also configure the router to ignore many attributes that it receives in Access-Accept messages. To see a list of attributes that the router ignores, use the show radius attributes-ignored command, which is described in Ignoring Attributes When Receiving Access-Accept Messages.
For a complete list of RADIUS attributes supported by JUNOSe software, see Appendix A, RADIUS Attribute Descriptions.
RADIUS IETF Attributes
This section describes the RADIUS IETF attributes that you can configure using CLI commands. The attributes are listed numerically—each attribute is followed by a list of the commands that you can use to manage the attribute and descriptions of each command.
[4] NAS-IP-Address
Use the following commands to configure, manage, and display information for the NAS-IP-Address RADIUS attribute.
radius override nas-ip-addr tunnel-client-endpoint
- Use to configure the RADIUS client (LNS) to use the tunnel-client-endpoint (LAC) IP address for the NAS-IP-Address attribute.
- Example
host1(config)#radius override nas-ip-addr tunnel-client-endpoint
radius override nas-info
- Use in the correct virtual router context to override standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.
- Example
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info
show radius override
- Use to display the current setting for the NAS-IP-Address and the NAS-Identifier. These settings can be changed with the radius override nas-ip-addr tunnel-client-endpoint and radius override nas-info commands.
- Example
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-port-id: nas-port-id
calling-station-id: calling-station-id
nas-info: from current virtual router
[5] NAS-Port
Use the following commands to manage and display information for the NAS-Port RADIUS attribute:
- radius include nas-port
- radius nas-port-format
- radius nas-port-format extended
- radius pppoe nas-port-format unique
- radius vlan nas-port-format stacked
- show radius nas-port-format
- show radius nas-port-format extended
- show radius pppoe nas-port-format
- show radius vlan nas-port-format
radius include nas-port
- Use to include the NAS-Port attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include nas-port acct-start enable
radius nas-port-format
- Use to set the NAS-Port format attribute for ATM and Ethernet only to either 0ssssppp or ssss0ppp.
- The format is a 4-octet integer. The remaining bits are not changed (8 bits VPI and 16 bits VCI; or 12 bits S-VLAN and 12 bits VLAN).
- The s indicates a bit used to represent the slot; the p indicates a bit used to represent the port from which the authentication request originates.
- Example: If the PPP user is received on a VC from the card in slot 7, port 2, then the bit pattern is either 00111010 (for 0ssssppp) or 01110010 (for ssss0ppp).
host1(config)#radius nas-port-format Ossssppp
radius nas-port-format extended atm
radius nas-port-format extended ethernet
- Use to set the NAS-Port format attribute for ATM, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces on the E320 router only.
- The format attribute set using the radius nas-port-format command does not accommodate the number of bits required by the ATM interface specifier (slot/adapter/port/vpi/vci) or the Gigabit Ethernet and 10-Gigabit Ethernet interface specifier [ slot/adapter/port ] [ .vlanSubinterface ]. Issuing this command enables you to encode the interface information in the attribute by specifying the number of bits available for each field in the interface specifier.
- The default number of bits for each field in the interface specifier for ATM interfaces are:
- The default number of bits for each field in the interface specifier for Gigabit Ethernet and 10-Gigabit Ethernet interfaces are:
- To set valid S-VLAN widths on Gigabit Ethernet and 10-Gigabit Ethernet interfaces, you must include S-VLAN IDs in the NAS-Port attribute by issuing the radius vlan nas-port-format stacked command.
- The total number of bits for all fields cannot exceed 32. When the total number of bits is less than 32, the NAS-Port attribute is right-justified and the extra bits are set to 0. If you do not specify a value for a field, the number of bits is set to 0.
- Example 1—Sets the field widths for ATM interfaces
host1(config)#radius nas-port-format extended atm field-widths slot 4 adapter 1 vpi 7 vpi 17
host1(config)#radius nas-port-format extended ethernet field-widths slot 4 adapter 1 port 3 vlan 12
radius pppoe nas-port-format unique
- Use to set the NAS-Port attribute to a unique value for subscribers on PPPoE interface. This unique value is derived from the subscriber's profileHandle.
- Example
host1(config)#radius pppoe nas-port-format unique
radius vlan nas-port-format stacked
- Use to include the S-VLAN ID, in addition to the VLAN ID, in the NAS-Port attribute for subscribers on Ethernet interfaces.
- The VLAN ID is always included whether the S-VLAN ID inclusion feature is enabled or disabled.
- The radius pppoe nas-port-format unique command overrides this command.
- Example
host1(config)#radius vlan nas-port-format stacked
show radius nas-port-format
show radius nas-port-format extended
- Use to display the setting for the NAS-Port attribute.
- Example 1—Displays information about NAS-Port attribute
host1#show radius nas-port-format
0ssssppp
host1#show radius nas-port-format extended atm
extended atm field-width slot 5 adapter 0 port 4 vpi 4 vci 12
show radius pppoe nas-port-format
host1#show radius pppoe nas-port-format
unique
show radius vlan nas-port-format
- Use to display the status of the S-VLAN ID setting for the NAS-Port attribute for VLAN interfaces. The string vlan stacked indicates that the S-VLAN ID is included.
- Example
host1#show radius vlan nas-port-format
vlan stacked
[8] Framed-IP-Address
Use the following command to manage the Framed-IP-Addr RADIUS attribute.
radius include framed-ip-addr
- Use to include the Framed-Ip-Address attribute in Acct-Start and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include framed-ip-addr acct-start enable
[9] Framed-Ip-Netmask
Use the following commands to manage the Framed-IP-Netmask RADIUS attribute.
radius include framed-ip-netmask
- Use to include the Framed-Ip-Netmask attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include framed-ip-netmask acct-start enable
radius ignore framed-ip-netmask
- Use to cause the Framed-Ip-Netmask attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- If the subnet mask is specified by the Frame-Ip-Netmask attribute in the RADIUS user profile, the router passes the mask and IP address to the CPE during IPCP negotiations. When this command is enabled, the default subnet mask 255.255.255.255 is provided by AAA and used for IPCP negotiations.
- Enabling the command guards against any breaks in the negotiation.
- Example
host1(config)#radius ignore framed-ip-netmask disable
[13] Framed-Compression
Use the following command to manage the Framed-Compression RADIUS attribute.
radius include framed-compression
- Use to include the Framed-Compression attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include framed-compression acct-start disable
[25] Class
Use the following command to manage the Class RADIUS attribute.
radius include class
- Use to include the Class attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include class acct-start disable
[30] Called-Station-Id
Use the following command to manage the Called-Station-Id RADIUS attribute.
radius include called-station-id
- Use to include the Called-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Called-Station-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include called-station-id acct-start enable
[31] Calling-Station-Id
Use the following commands to manage and display information for the Calling-Station-Id RADIUS attribute.
- radius calling-station-format
- radius calling-station-delimiter
- radius include calling-station-id
- radius override calling-station-id remote-circuit-id
- show radius calling-station-format
- show radius calling-station-delimiter
- show radius override
radius calling-station-format
- Use to specify the format of the Calling-Station-Id [31] attribute on a virtual router.
- For each field in angle brackets (<>) in the Calling-Station-Id formats, the virtual router supplies the actual value for your configuration, unless otherwise specified.
- To specify that the RADIUS client use the delimited format when the PPP user is terminated at the non-LNS E-series router, use the delimited keyword.
- Format for ATM interfaces:
<delimiter> <system name> <delimiter> <interface> <delimiter> <VPI> <delimiter> <VCI><delimiter> - Format for Ethernet interfaces:
<delimiter> <system name> <delimiter> <interface> <delimiter> <VLAN>
Where <interface> is one of the following items:
- <port name>—The default setting
- <VP description>—Appears if you use the atm vp-description command to assign a text description to an individual VP on an ATM interface
- <VC description>—Appears if you use the atm atm1483 description command to assign a text description to VCs on an ATM 1483 subinterface and you use the atm1483 export-subinterface-description command to enable sending of VC interface descriptors to AAA
- To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields, use the fixed-format keyword. The maximum number of characters for each field is shown in square brackets ([ ]).
- Format for ATM interfaces:
<system name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]> - Format for Ethernet interfaces:
<system name [4]> <slot [2]> <port [1]> <VLAN [8]> - Format for serial interfaces:
<system name [4]> <slot [2]> <port [1]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
- In the case of PPP terminated at the LNS, the Calling-Station-Id attribute is based on the received L2TP calling number AVP.
- To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields with a 1-byte slot field, 1-byte adapter field, and 1-byte port field, use the fixed-format-adapter-embedded keyword. The maximum number of characters for each field is shown in square brackets ([ ]).
- Format for ATM interfaces:
<system name [4]> <slot [1]> <adapter [1]> <port [1]>
<VPI [3]> <VCI [5]> - Format for Ethernet interfaces:
<system name [4]> <slot [1]> <adapter [1]> <port [1]>
<VLAN [8]> - Format for serial interfaces:
<system name [4]> <slot [1]> <adapter [1]> <port [1]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
- For E320 routers, <adapter> is the number of the bay in which the I/O adapter (IOA) resides, either 0 (representing the upper IOA bay) or 1 (representing the lower IOA bay). For ERX-7xx models, ERX-14xx models, and ERX-310 routers, <adapter> is always shown as 0 (zero).
- Slot numbers 0 through 16 are shown as ASCII characters in the 1-byte slot field according to the following translation:
For example, slot 16 is shown as the ASCII character uppercase G.
- To specify that the RADIUS client use a fixed format of up to 17 characters consisting of all ASCII fields with a 2-byte slot field, 1-byte adapter field, and 2-byte port field, use the fixed-format-adapter-new-field keyword. The maximum number of characters for each field is shown in square brackets ([ ]).
- Format for ATM interfaces:
<system name [4]> <slot [2]> <adapter [1]> <port [2]>
<VPI [3]> <VCI [5]> - Format for Ethernet interfaces:
<system name [4]> <slot [2]> <adapter [1]> <port [2]>
<VLAN [8]> - Format for serial interfaces:
<system name [4]> <slot [2]> <adapter [1]> <port [2]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
- For E320 routers, <adapter> is the number of the bay in which the I/O adapter (IOA) resides, either 0 or 1. For ERX-7xx models, ERX-14xx models, and ERX-310 routers, <adapter> is always shown as 0 (zero).
- Slot numbers 0 through 16 are shown as integers in the 2-byte slot field.
- Attribute 31, Calling-Station-Id, is used with Attribute 30, Called-Station-Id, in a standard way when the router is the LNS and the LAC is a dial-up LAC (not an E-series router). When the LNS receives the Calling-Station-Id and Called-Station-Id AVPs, the router includes the values as they are, with no format changes in the RADIUS messages.
- Example 1
host1(config)#radius calling-station-format fixed-format
For example, when you configure this Calling-Station-Id format on an E320 router for an ATM interface on slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as '14' '2' '003' '00004'. The adapter number does not appear in this format.
host1(config)#radius calling-station-format fixed-format-adapter-embedded
For example, when you configure this Calling-Station-Id format on an E320 router for an ATM interface on slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as 'E' '1' '2' '003' '00004'.
host1(config)#radius calling-station-format fixed-format-adapter-new-field
For example, when you configure this Calling-Station-Id format on an E320 router for an ATM interface on slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as '14' '1' '02' '003' '00004'.
radius calling-station-delimiter
- Use to specify the Calling-Station-Id attribute's delimiter for DSL PPP users.
- The delimiter is one special character you select to set off items in the Calling-Station-Id's definition (for example, # or %).
- Example
host1(config)#radius calling-station-delimiter &
radius include calling-station-id
- Use to include the Calling-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include calling-station-id acct-start disable
radius override calling-station-id remote-circuit-id
- Use to configure RADIUS to override the standard use of the Calling-Station-Id attribute and instead use the remote circuit ID transmitted from a DSLAM device.
- Example
host1(config)#radius override calling-station-id remote-circuit-id
show radius calling-station-format
host1#show radius calling-station-format
fixed-format-adapter-new-field
show radius calling-station-delimiter
- Use to display the delimiter used in the Calling-Station-Id for authenticated ATM PPP users.
- Example
host1#show radius calling-station-delimiter
&
show radius override
- Use to display the current override settings configured for NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32] RADIUS.
- You can use the radius override calling-station-id remote-circuit-id command to override the standard Calling-Station-Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM.
- Example
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-port-id: remote-circuit-id
calling-station-id: remote-circuit-id
nas-info: from current virtual router
[32] NAS-Identifier
Use the following commands to manage and display information for the NAS-Identifier RADIUS attribute.
- radius nas-identifier
- radius include nas-identifier
- radius override nas-info
- radius remote-circuit-id-format
- radius remote-circuit-id-delimiter
- show radius nas-identifier
- show radius override
- show radius remote-circuit-id-format
- show radius remote-circuit-id-delimiter
radius nas-identifier
- Use to set a value for the NAS-Identifier attribute. This value is used in the NAS-Identifier attribute for authentication and accounting requests.
- Example
host1(config)#radius nas-identifier fox
radius include nas-identifier
- Use to include the NAS-Identifier attribute in Access-Request, Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include nas-identifier acct-start disable
radius override nas-info
- Use in the correct virtual router context to override the standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.
- Example
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info
radius remote-circuit-id-format
- Use to configure the format of the PPPoE remote circuit ID value captured from a DSLAM.
- You can format the PPPoE remote circuit ID value to include either or both of the agent-circuit-ID (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option (option 82) or the PPPoE intermediate agent tags.
- By default, the router formats the PPPoE remote circuit ID to include only the agent-circuit-id suboption.
- You can use this command to configure the following nondefault formats for the PPPoE remote circuit ID value:
- Include either or both of the agent-circuit-id and agent-remote-id suboptions, with or without the NAS-Identifier [32] RADIUS attribute
- Append the agent-circuit-id suboption value to an interface specifier that is consistent with the recommended format in the DSL Forum Technical Report (TR)-101—Migration to Ethernet-Based DSL Aggregation (April 2006).
- For more information about how to use this command, see Using the PPPoE Remote Circuit ID to Identify Subscribers and Configuring PPPoE Remote Circuit ID Capture in JUNOSe Link Layer Configuration Guide, Chapter 7, Configuring Point-to-Point Protocol over Ethernet.
- Examples
host1(config)#radius remote-circuit-id-format nas-identifier agent-circuit-id agent-remote-id
host1(config)#radius remote-circuit-id-format dsl-forum-1
radius remote-circuit-id-delimiter
- Use to configure the delimiter character that the router uses to set off multiple components in the format of the PPPoE remote circuit ID value captured from a DSLAM.
- For information about how to use this command, see Configuring PPPoE Remote Circuit ID Capture in JUNOSe Link Layer Configuration Guide, Chapter 7, Configuring Point-to-Point Protocol over Ethernet.
- Example
host1(config)#radius remote-circuit-id-delimiter !
show radius nas-identifier
host1#show radius nas-identifier
fox
show radius override
- Use to display the current setting for both the NAS-IP-Address and the NAS-Identifier. This setting can be changed with the radius override nas-info command, which is used for AAA broadcast accounting.
- Example
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-info: from authentication virtual router
show radius remote-circuit-id-format
- Use to display the format configured for the PPPoE remote circuit ID value captured from a DSLAM.
- If the PPPoE remote circuit ID value is configured to include any or all of the agent-circuit-id, agent-remote-id, and nas-identifier components, the display lists the components included and the order in which they appear.
- If the PPPoE remote circuit ID value is configured to use the format for the dsl-forum-1 keyword of the radius remote-circuit-id-format command, the display indicates that this format is in effect.
- The default format is agent-circuit-ID.
- Example
host1#show radius remote-circuit-id-format
nas-identifier agent-circuit-id agent-remote-id
show radius remote-circuit-id-delimiter
- Use to display the delimiter character configured to set off components in the PPPoE remote circuit ID value captured from a DSLAM.
- The default delimiter character is #.
- Example
host1#show radius remote-circuit-id-delimiter
!
[41] Acct-Delay-Time
Use the following commands to manage and display information for the Acct-Delay-Timer RADIUS attribute.
radius include acct-delay-time
- Use to include the Acct-Delay-Time attribute in Acct-On or Acct-Off messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-delay-time acct-on enable
[44] Acct-Session-Id
Use the following commands to manage and display information for the Acct-Session-Id RADIUS attribute.
radius include acct-session-id
- Use to include the Acct-Session-Id attribute in Access-Request, Acct-On, or Acct-Off messages.
- You can control inclusion of the Acct-Session-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-session-id access-request disable
radius acct-session-id-format
- description—Configures RADIUS client to use the generic format: erx <interface identifier>:<hex number>. For example:
- decimal—Configures the RADIUS client to use a decimal format. For example: 435264
host1(config)#radius acct-session-id-format decimal
show radius acct-session-id-format
host1#show radius acct-session-id-format
decimal
[45] Acct-Authentic
Use the following command to manage the Acct-Authentic RADIUS attribute.
radius include acct-authentic
- Use to include the Acct-Authentic attribute in Acct-On or Acct-Off messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-authentic acct-on enable
[49] Acct-Terminate-Cause
Use the following command to manage the Acct-Terminate-Cause RADIUS attribute.
radius include acct-terminate-cause
- Use to include the Acct-Terminate-Cause attribute in Acct-Off messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-terminate-cause acct-off disable
[50] Acct-Multi-Session-Id
Use the following command to manage the Acct-Multi-Session-Id RADIUS attribute.
radius include acct-multi-session-id
- Use to include the Acct-Multi-Session-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Acct-Multi-Session-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-multi-session-id acct-stop disable
[51] Acct-Link-Count
Use the following command to manage the Acct-Link-Count RADIUS attribute.
radius include acct-link-count
- Use to include the Acct-Link-Count attribute in Acct-Start and Acct-Stop messages.
- You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-link-count acct-stop disable
[52] Acct-Input-Gigawords
Use the following command to manage the Acct-Input-Gigawords RADIUS attribute.
radius include input-gigawords
- Use to include the Acct-Input-Gigawords attribute in Acct-Stop messages.
- You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.
- Example
host1(config)#radius include input-gigawords acct-stop disable
[53] Output-Gigawords
Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.
radius include output-gigawords
- Use to include the Acct-Output-Gigawords attribute in Acct-Stop messages.
- You can control inclusion of the Acct-Output-Gigawords attribute by enabling or disabling this command.
- Example
host1(config)#radius include output-gigawords acct-stop enable
[55] Event-Timestamp
Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.
radius include event-timestamp
- Use to include the Event-Timestamp attribute in Acct-Start, Acct-Stop, Acct-On, or Acct-Off messages.
- You can control inclusion of the Event-Timestamp attribute by enabling or disabling this command.
- Example
host1(config)#radius include event-timestamp acct-on enable
[61] NAS-Port-Type
Use the following commands to manage and display information for the NAS-Port-Type RADIUS attribute.
- radius dsl-port-type
- radius ethernet-port-type
- radius include nas-port-type
- show radius dsl-port-type
- show radius ethernet-port-type
radius dsl-port-type
- Use to configure the NAS-Port-Type attribute for the DSL port type.
- This attribute can have several values. If the interface (port) is DSL, then the attribute can have any value listed in the command and uses the value configured. If the interface (port) is Ethernet, then it sets the attribute to Ethernet and disregards the parameter set with this command. Options include:
- adsl-cap—Asymmetric DSL, carrierless amplitude phase (CAP) modulation
- adsl-dmt—Asymmetric DSL, discrete multitone (DMT)
- idsl—ISDN DSL
- sdsl—Symmetric DSL
- virtual—Virtual
- xdsl—DSL of unknown type
host1(config)#radius dsl-port-type xdsl
radius ethernet-port-type
host1(config)#radius ethernet-port-type virtual
radius include nas-port-type
- Use to include the NAS-Port-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include nas-port-type acct-start enable
show radius dsl-port-type
host1#show radius dsl-port-type
xdsl
show radius ethernet-port-type
host1#show radius ethernet-port-type
virtual
[64] Tunnel-Type
Use the following command to manage the Tunnel-Type RADIUS attribute.
radius include tunnel-type
- Use to include the Tunnel-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the Tunnel-Type attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-type access-request enable
[65] Tunnel-Medium-Type
Use the following command to manage the Tunnel-Type-Medium RADIUS attribute.
radius include tunnel-medium-type
- Use to include the Tunnel-Medium-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the Tunnel-Medium-Type attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-medium-type acct-start enable
[66] Tunnel-Client-Endpoint
Use the following command to manage the Tunnel-Client-Endpoint RADIUS attribute.
radius include tunnel-client-endpoint
- Use to include the Tunnel-Client-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the Tunnel-Client-Endpoint attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-client-endpoint acct-start enable
[67] Tunnel-Server-Endpoint
Use the following command to manage the Tunnel-Server-Endpoint RADIUS attribute.
radius include tunnel-server-endpoint
- Use to include the Tunnel-Server-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the Tunnel-Server-Endpoint attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-server-endpoint acct-stop disable
[68] Acct-Tunnel-Connection
Use the following command to manage the Acct-Tunnel-Connection RADIUS attribute.
radius include acct-tunnel-connection
- Use to include the Acct-Tunnel-Connection attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Acct-Tunnel-Connection attribute by enabling or disabling this command.
- Example
host1(config)#radius include acct-tunnel-connection acct-stop enable
[77] Connect-Info
Use the following commands to manage and display information for the Connect-Info RADIUS attribute.
- radius connect-info-format l2tp-connect-speed
- radius include connect-info
- show radius connect-info-format
radius connect-info-format
- Use on the LNS to enable the generation of the RADIUS Connect-Info attribute and to specify the attribute's format. The attribute is based on the L2TP connect-speed AVPs for received (RX) speed (AVP 38) and transmit (TX) speed (AVP 24). See Configuring the RX Speed on the LAC for information about generating the RX and TX speed AVPs.
- The Connect-Info attribute is a string in the following format; the attribute is generated whenever the TX speed is not zero.
tx-speed [ /rx-speed ]
- Use the l2tp-connect-speed keyword to specify that the RX speed is only included when it is not zero and differs from the TX speed.
- Example
host1(config)#radius connect-info-format l2tp-connect-speed
host1(config)#radius connect-info-format l2tp-connect-speed-rx-when-equal
radius include connect-info
- Use to include the Connect-Info attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Connect-Info attribute by enabling or disabling this command.
- Example
host1(config)#radius include connect-info access-request disable
show radius connect-info-format
host1(config)#show radius connect-info-format
l2tp-connect-speed-rx-when-equal
[82] Tunnel-Assignment-Id
Use the following command to manage the Tunnel-Assignment-Id RADIUS attribute.
radius include tunnel-assignment-id
- Use to include the Tunnel-Assignment-Id attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the Tunnel-Assignment-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-assignment-id acct-stop enable
[83] Tunnel-Preference
Use the following command to manage the Tunnel-Preference RADIUS attribute.
radius include tunnel-preference
- Use to include the Tunnel-Preference attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the Tunnel-Preference attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-preference acct-start enable
[87] NAS-Port-Id
Use the following commands to manage and show information for the NAS-Port-Id RADIUS attribute.
- aaa intf-desc-format include
- radius include nas-port-id
- radius override nas-port-id remote-circuit-id
- show aaa intf-desc-format
- show radius override
aaa intf-desc-format include
- Use to specify whether the router includes the subinterface number or adapter in the interface description it passes to RADIUS for inclusion in the NAS-Port-Id attribute. By default, the subinterface and adapter are sent (the commands are enabled).
- Examples
host1#aaa intf-desc-format include sub-intf disable
host1#aaa intf-desc-format include adapter enable
radius include nas-port-id
- Use to include the NAS-Port-Id attribute in the Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the NAS-Port-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include nas-port-id access-request enable
radius override nas-port-id remote-circuit-id
- Use to configure RADIUS to override the standard use of the NAS-Port-Id attribute and instead use the remote circuit ID transmitted from a DSLAM device.
- Example
host1(config)#radius override nas-port-id remote-circuit-id
show aaa intf-desc-format
- Use to display whether the router includes or excludes the subinterface number or adapter in the interface description that the router passes to RADIUS for inclusion in the NAS-Port-Id attribute.
- Example
host1#show aaa intf-desc-format
exclude sub-interface
include adapter
show radius override
- Use to display the current override settings for the NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32] attributes.
- You can use the radius override nas-port-id remote-circuit-id command to override the standard NAS-Port-Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM.
- Example
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-port-id: remote-circuit-id
calling-station-id: remote-circuit-id
nas-info: from current virtual router
[90] Tunnel-Client-Auth-Id
Use the following command to manage the Tunnel-Client-Auth-Id RADIUS attribute.
radius include tunnel-client-auth-id
- Use to include the Tunnel-Client-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Tunnel-Client-Auth-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-client-auth-id access-request disable
[91] Tunnel-Server-Auth-Id
Use the following command to manage the Tunnel-Server-Auth-Id RADIUS attribute.
radius include tunnel-server-auth-id
- Use to include the Tunnel-Server-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Tunnel-Server-Auth-Id attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-server-auth-id acct-start enable
[188] Ascend-Num-In-Multilink
Use the following command to manage the Ascend-Num-In-Multilink attribute.
radius include ascend-num-in-multilink
- Use to include the Ascend-Num-In-Multilink attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Ascend-Num-In-Multilink attribute by enabling or disabling this command.
- Example
host1(config)#radius include ascend-num-in-multilink acct-start enable
All Tunnel Server Attributes
Use the following command to manage all tunnel server RADIUS attributes.
radius include tunnel-server-attributes
- Use to include all supported tunnel server attributes in Access-Request, Acct-Start, or Acct-Stop messages.
- When the router functions as an LNS with a terminating PPP, then the LAC tunnel attributes are included.
- You can control inclusion of all tunnel server attributes by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-server-attributes access-request enable
Juniper Networks Vendor-Specific Attributes
This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute.
[26-1] Virtual-Router
Use the following command to manage the Virtual-Router RADIUS attribute.
radius ignore virtual-router
- Use to cause the Virtual-Router attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- Example
host1(config)#radius ignore virtual-router enable
[26-10] Ingress-Policy-Name
Use the following commands to manage the Ingress-Policy-Name RADIUS attribute.
radius include ingress-policy-name
- Use to include the Ingress-Policy-Name attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include ingress-policy-name acct-start enable
radius ignore ingress-policy-name
- Use to cause the Ingress-Policy-Name attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command. The default is disable.
- Example
host1(config)#radius ignore ingress-policy-name enable
[26-11] Egress-Policy-Name
Use the following commands to manage the Egress-Policy-Name RADIUS attribute.
radius include egress-policy-name
- Use to include the Egress-Policy-Name attribute in Acct-Start or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include egress-policy-name acct-start enable
radius ignore egress-policy-name
- Use to cause the Egress-Policy-Name attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- Example
host1(config)#radius ignore egress-policy-name enable
[26-14] Service-Category
Use the following command to manage the Service-Category RADIUS attribute.
radius ignore atm-service-category
- Use to cause the Service-Category attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- Example
host1(config)#radius ignore atm-service-category enable
[26-15] PCR
Use the following command to manage the PCR RADIUS attribute.
radius ignore atm-pcr
- Use to cause the PCR attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- Example
host1(config)#radius ignore atm-pcr enable
[26-16] SCR
Use the following command to manage the SCR RADIUS attribute.
radius ignore atm-scr
- Use to cause the SCR attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- Example
host1(config)#radius ignore atm-scr enable
[26-17] MBS
Use the following command to manage the MBS RADIUS attribute.
radius ignore atm-mbs
- Use to cause the MBS attribute to be ignored in Access-Accept messages.
- You can control this behavior by enabling or disabling this command.
- Example
host1(config)#radius ignore atm-mbs enable
[26-24] Pppoe-Description
Use the following command to manage the Pppoe-Description RADIUS attribute.
radius include pppoe-description
- Use to include the Pppoe-Description attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the Pppoe-Description attribute by enabling or disabling this command.
- Example
host1(config)#radius include pppoe-description acct-start enable
[26-35] Acct-Input-Gigapackets
Use the following command to manage the Acct-Input-Gigapackets RADIUS attribute.
radius include input-gigapkts
- Use to include Acct-Input-Gigapackets in Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include input-gigapkts acct-stop disable
[26-36] Acct-Output-Gigapackets
Use the following command to manage the Acct-Output-Gigapackets RADIUS attribute.
radius include output-gigapkts
- Use to include the Acct-Output-Gigapackets attribute in Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include output-gigapkts acct-stop disable
[26-44] Tunnel-Interface-Id
Use the following command to manage the Tunnel-Interface-Id RADIUS attribute.
radius include tunnel-interface-id
- Use to include the Tunnel-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include tunnel-interface-id enable
[26-51] Disconnect-Cause
Use the following command to manage the Disconnect-Cause RADIUS attribute.
radius include l2tp-ppp-disconnect-cause
- Use to include the Disconnect-Cause attribute in Acct-Stop and Acct-Tunnel-Link-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include l2tp-ppp-disconnect-cause acct-stop-enable
[26-53] Service-Description
Use the following command to manage the Service-Description RADIUS attribute.
radius include profile-service-description
- Use to include the Service-Description attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include profile-service-description acct-stop enable
[26-55] DHCP-Options
Use the following command to manage the DHCP-Options RADIUS attribute.
radius include dhcp-options
- Use to include the DHCP-Options attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include dhcp-options acct-stop enable
[26-56] DHCP-MAC-Address
Use the following command to manage the DHCP-MAC-Address RADIUS attribute.
radius include dhcp-mac-address
- Use to include the DHCP-MAC-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include dhcp-mac-address acct-stop enable
[26-57] DHCP-GI-Address
Use the following command to manage the DHCP-GI-Address RADIUS attribute.
radius include dhcp-gi-address
- Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the attribute by enabling or disabling this command.
- Example
host1(config)#radius include dhcp-gi-address acct-stop enable
[26-62] MLPPP-Bundle-Name
Use the following command to manage the MLPPP-Bundle-Name RADIUS attribute.
radius include mlppp-bundle-name
- Use to include the MLPPP-Bundle-Name attribute in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages.
- You can control inclusion of the MLPPP-Bundle-Name attribute by enabling or disabling this command.
- There is no explicit command to include the MLPPP-Bundle-Name attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.
- Example
host1(config)#radius include mlppp-bundle-name acct-start enable
[26-63] Interface-Desc
Use the following command to manage the Interface-Desc RADIUS attribute.
radius include interface-description
- Use to include the Interface-Desc attribute, with the subscriber's access interface description, in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages.
- You can control inclusion of the Interface-Desc attribute by enabling or disabling this command. Inclusion is disabled by default.
- There is no explicit command to include the Interface-Desc attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.
- Example
host1(config)#radius include interface-description acct-start enable
[26-81] L2C-Information
Use the following command to manage the L2C-Information RADIUS attribute.
radius include access-loop-parameters
- Use to include the L2C-Information attribute in Access-Request messages.
- You can control inclusion of the L2C-Information attribute by enabling or disabling this command. Inclusion is disabled by default.
- Example
host1(config)#radius include access-loop-parameters access-request enable
[26-92] L2C-Up-Stream-Data
Use the following command to manage the L2C-Up-Stream-Data RADIUS attribute.
radius include l2c-upstream-data
- Use to include the L2C-Up-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the L2C-Up-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default.
- Example
host1(config)#radius include l2c-upstream-data access-request enable
[26-93] L2C-Down-Stream-Data
Use the following command to manage the L2C-Down-Stream-Data RADIUS attribute.
radius include l2c-downstream-data
- Use to include the L2C-Down-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages.
- You can control inclusion of the L2C-Down-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default.
- Example
host1(config)#radius include l2c-downstream-data access-request enable
DSL Forum Vendor-Specific Attributes
You can use the radius include dsl-forum-attributes command to control the inclusion of a set of DSL Forum VSAs in Access-Request, Acct-Start, Acct-Stop, and (if Acct-Stop messages are specified) Interim-Acct messages that the router sends to RADIUS.
The DSL Forum VSAs, as defined in DSL Forum Vendor-Specific RADIUS Attributes—draft-mammoliti-radius-dsl-vsa-02.txt (September 2006 expiration), convey information about the associated subscriber for and data rate of the DSL. This information is not otherwise available in the standard set of RADIUS attributes or Juniper Networks VSAs. A service provider might find it useful to enable inclusion of the DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of their DSL connection.
The router receives data containing one or more of the DSL Forum VSAs from a DSLAM connected to the router via a PPPoE interface. When you enable the inclusion of the DSL Forum VSAs in these RADIUS messages, the router includes all of the following attributes in the specified message type, provided that the VSA is available in the information that the router receives from the DSLAM.
 |
NOTE: The router uses the vendor ID assigned to the DSL Forum (3561, or DE9 in hexadecimal format) by the Internet Assigned Numbers Authority (IANA) for the DSL Forum VSAs. |
For information about enabling the QoS downstream rate application to obtain downstream rates from the Actual-Data-Rate-Downstream [26-130] DSL Forum VSA, see QoS Downstream Rate in JUNOSe Quality of Service Configuration Guide, Chapter 11, Configuring QoS Parameters.
For a more detailed description of the DSL Forum VSAs, see DSL Forum VSAs in Appendix A, RADIUS Attribute Descriptions.
radius include dsl-forum-attributes
- Use to include the set of DSL Forum VSAs in Access-Request, Acct-Start, and Acct-Stop messages that the router sends to RADIUS. If you enable inclusion of the DSL Forum VSAs in Acct-Stop messages, the router also includes the VSAs in Interim-Acct messages.
- You can control inclusion of the DSL Forum VSAs in the specified message type by enabling or disabling this command. Inclusion is disabled by default.
- When you enable inclusion of the DSL Forum VSAs for a specified message type, the router includes in that message all of the DSL Forum attributes that it receives from the DSLAM.
- Example
host1(config)#radius include dsl-forum-attributes access-request enable
Including or Excluding Attributes in RADIUS Messages
For many attributes, you can configure the router to include or exclude the attribute in RADIUS messages. To see a list of the attributes that you can include or exclude, use the show radius attributes-included command.
radius include
- Use to enable or disable the inclusion of RADIUS attributes in Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
- Examples
host1(config)#radius include ingress-policy-name acct-start enable
host1(config)#radius include tunnel-type access-request disable
Ignoring Attributes When Receiving Access-Accept Messages
You can configure the router to ignore or use many attributes that it receives in Access-Accept messages. To see the list of attributes that the router uses or ignores, use the show radius attributes-ignored command.
radius ignore
- Use to specify that a RADIUS attribute be ignored or be accepted from Access-Accept messages.
- Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute.
- Examples
host1(config)#radius ignore atm-scr enable
host1(config)#radius ignore framed-ip-netmask disable
Monitoring RADIUS Included and Ignored Attributes
Use the commands described in this section to monitor the status of RADIUS attributes that are included or ignored in RADIUS messages.
show radius attributes-included
- Use to display the RADIUS attributes that are included in and excluded from Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
- Field descriptions
- Attribute Name—Name of the RADIUS attribute
- Account On—Include status of the attribute in Acct-On messages: enabled, disabled, not configurable (n/c)
- Account Off—Include status of the attribute in Acct-Off messages: enabled, disabled, n/c
- Access Request—Include status of the attribute in Access Request messages: enabled, disabled, n/c
- Account Start—Include status of the attribute in Acct-Start messages: enabled, disabled, n/c
- Account Stop—Include status of the attribute in Acct-Stop messages: enabled, disabled, n/c
host1#show radius attributes-included
Account Account Access Account Account
Attribute Name On Off Request Start Stop
-------------------------- ------- ------- -------- -------- --------
acct-authentic enabled enabled n/c n/c n/c
acct-delay-time enabled enabled n/c n/c n/c
acct-link-count n/c n/c n/c enabled enabled
acct-multi-session-id n/c n/c disabled enabled enabled
acct-session-id enabled enabled enabled n/c n/c
acct-terminate-cause n/c enabled n/c n/c n/c
acct-tunnel-connection n/c n/c enabled enabled enabled
ascend-num-in-multilink n/c n/c disabled disabled disabled
called-station-id n/c n/c enabled enabled enabled
calling-station-id n/c n/c enabled enabled enabled
class n/c n/c n/c enabled enabled
connect-info n/c n/c enabled enabled enabled
dhcp-options n/c n/c disabled disabled disabled
dhcp-mac-address n/c n/c disabled disabled disabled
dhcp-gi-address n/c n/c disabled disabled disabled
dsl-forum-attributes n/c n/c disabled disabled disabled
egress-policy-name(vsa) n/c n/c n/c enabled enabled
event-timestamp enabled enabled n/c enabled enabled
framed-compression n/c n/c n/c enabled enabled
framed-ip-address n/c n/c n/c enabled n/c
framed-ip-netmask n/c n/c n/c enabled enabled
ingress-policy-name(vsa) n/c n/c n/c enabled enabled
input-gigapkts(vsa) n/c n/c n/c n/c enabled
input-gigawords n/c n/c n/c n/c enabled
l2tp-ppp-disconnect-cause n/c n/c n/c n/c disabled
interface-description n/c n/c enabled enabled enabled
mlppp-bundle-name n/c n/c enabled enabled enabled
nas-identifier enabled enabled enabled enabled enabled
nas-port n/c n/c enabled enabled enabled
nas-port-id n/c n/c enabled enabled enabled
nas-port-type n/c n/c enabled enabled enabled
output-gigapkts(vsa) n/c n/c n/c n/c enabled
output-gigawords n/c n/c n/c n/c enabled
pppoe-description(vsa) n/c n/c enabled enabled enabled
profile-service-descr(vsa) n/c n/c disabled disabled disabled
tunnel-assignment-id n/c n/c n/c enabled enabled
tunnel-client-auth-id n/c n/c enabled enabled enabled
tunnel-client-endpoint n/c n/c enabled enabled enabled
tunnel-interface-id n/c n/c disabled disabled disabled
tunnel-medium-type n/c n/c enabled enabled enabled
tunnel-preference n/c n/c n/c enabled enabled
tunnel-server-attributes n/c n/c disabled disabled disabled
tunnel-server-auth-id n/c n/c enabled enabled enabled
tunnel-server-endpoint n/c n/c enabled enabled enabled
tunnel-type n/c n/c enabled enabled enabled
show radius attributes-ignored
host1#show radius attributes-ignored
attribute framed-ip-netmask ignored from RADIUS server
attribute atm-category (vsa) ignored from RADIUS server
attribute atm-mbs (vsa) accepted from RADIUS server
attribute atm-pcr (vsa) ignored from RADIUS server
attribute atm-scr (vsa) accepted from RADIUS server
attribute egress-policy-name (vsa) accepted from RADIUS server
attribute ingress-policy-name (vsa) accepted from RADIUS server
attribute virtual-router accepted from RADIUS server