Standard and Vendor-Specific RADIUS Attributes

 

RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework

The AAA Service Framework supports RADIUS attributes and vendor-specific attributes (VSAs). This support provides tunable parameters that the subscriber access management feature uses when creating subscribers and services.

RADIUS attributes are carried as part of standard RADIUS request and reply messages. The subscriber access management feature uses the RADIUS attributes to exchange specific authentication, authorization, and accounting information. VSAs allow the subscriber access management feature to pass implementation-specific information that provides extended capabilities, such as service activation or deactivation, and enabling and disabling filters.

When you use dynamic profiles, the AAA Service Framework supports the use of Junos OS predefined variables to specify the RADIUS attribute or VSA for the information obtained from the RADIUS server.

Benefits of Using RADIUS Standard Attributes and VSAs

  • RADIUS standard attributes are necessary to communicate with an external RADIUS server for subscriber authentication, authorization, and accounting.

  • Vendor-specific attributes extend the functionality of the RADIUS server beyond that provided by the public standard attributes, enabling the implementation of many useful features necessary for subscriber management and service support.

RADIUS IETF Attributes Supported by the AAA Service Framework

Table 1 describes the RADIUS IETF attributes that the Junos OS AAA Service Framework supports. Some attributes correspond to Juniper Networks predefined variables; see Junos OS Predefined Variables That Correspond to RADIUS Attributes and VSAs.

Note

A “Yes” entry in the Dynamic CoA Support column indicates that the attribute can be dynamically configured by Access-Accept messages and dynamically modified by CoA-Request messages.

Table 1: Supported RADIUS IETF Attributes

Attribute Number

Attribute Name

Description

Dynamic CoA Support

1

User-Name

  • Name of user to be authenticated.

  • Configurable username override.

  • Non-standard use for LLID preauthentication feature.

No

2

User-Password

  • Password of user to be authenticated by Password Authentication Protocol (PAP).

  • Configurable password override.

  • Non-standard use for LLID preauthentication feature.

No

3

CHAP-Password

Value provided by a PPP (CHAP) user in response to the challenge.

No

4

NAS-IP-Address

IP address of the network access server (NAS) that is requesting authentication of the user.

No

5

NAS-Port

Physical port number of the NAS that is authenticating the user.

For a tunneled PPP user in an L2TP LNS session, there is no physical port. In this case, the port value is reported as 4194303.

No

6

Service-Type

Type of service the user has requested or the type of service to be provided.

No

7

Framed-Protocol

Framing type used for framed access.

No

8

Framed-IP-Address

  • IP address to be configured for the user.

  • 0.0.0.0 or absence is interpreted as 255.255.255.254.

No

9

Framed-IP-Netmask

  • IP network to be configured for the user when the user is a router or switch to a network.

  • Absence implies 255.255.255.255.

No

11

Filter-Id

Name of a subscriber firewall filter, formatted as follows:

  • For an IPv4 input filter—IPv4-ingress:ingress-filter-name

  • For an IPv4 output filter—IPv4-egress:egress-filter-name

  • For an IPv6 input filter—IPv6-ingress:ingress-filter-name

  • For an IPv6 output filter—IPv6-egress:egress-filter-name

RADIUS accounting request messages, Acct-Start and Acct-Stop, can include more than one Filter-Id attribute, one of each of the listed types.

However, RADIUS Access-Accept messages can include only one attribute instance. The value is always treated as an IPv4 input filter name.

Yes

12

Framed-MTU

Maximum Transmission Unit configured for the user, when it is not negotiated by some other means (such as PPP).

No

18

Reply-Message

  • Text that may be displayed to the user.

  • Only the first instance of this attribute is used.

No

22

Framed-Route

String that provides routing information to be configured for the user on the NAS in the format:

<addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]

If authd detects the IP address in the Framed-Route to be bad—for example, if the format is incorrect—the subscriber is not allowed to log in. Starting in Junos OS Release 19.1, the subscriber is allowed to log in, but without that route or the default route. For customers that use multiple framed routes, this behavior enables the subscriber to have partial access to the network using the routes that are accepted rather than not being allowed any access.

Starting in Junos OS Release 18.2R1, if this attribute does not include the subnet mask, the MX Series router ignores the attribute but connects the session.

Yes

24

State

String enabling state information to be maintained between the device and the RADIUS server.

No

25

Class

Arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server.

No

27

Session-Timeout

Maximum number of consecutive seconds of service to be provided to the user before termination of the session.

No

28

Idle-Timeout

Maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

No

31

Calling-Station-ID

Phone number from which the call originated.

No

32

NAS-Identifier

NAS originating the request.

No

40

Acct-Status-Type

Whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update).

No

41

Acct-Delay-Time

Number of seconds the client has been trying to send a particular record.

No

42

Acct-Input-Octets

Number of octets that have been received from the port during the time this service has been provided.

No

43

Acct-Output-Octets

Number of octets that have been sent to the port during the time this service has been provided.

No

44

Acct-Session-ID

Unique accounting identifier that makes it easy to match start and stop records in a log file. The identifier can be in one of the following formats:

  • decimal—For example, 435264

  • description—In the generic format, jnpr interface-specifier:subscriber-session-id; for example, jnpr fastEthernet 3/2.6:1010101010101

No

45

Acct-Authentic

Method by which the user was authenticated: whether by RADIUS, the NAS itself, or another remote authentication protocol.

No

46

Acct-Session-Time

Number of seconds that the user has received service.

No

47

Acct-Input-Packets

Number of packets that have been received from the port during the time this service has been provided to a framed user.

No

48

Acct-Output-Packets

Number of packets that have been sent to the port in the course of delivering this service to a framed user.

No

49

Acct-Terminate-Cause

Reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:

  • User Request (1)—User initiated the disconnect (log out).

  • Idle Timeout (4)—Idle timer has expired.

  • Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session.

  • Admin Reset (6)—System administrator terminated the session.

  • Port Error (8)—PVC failed; no hardware or no interface.

  • NAS Error (9)—Negotiation failures, connection failures, or address lease expiration.

  • NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, tunnel disconnect, or an unaccounted-for error.

No

52

Acct-Input-Gigawords

Number of times the Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update.

No

53

Acct-Output-Gigawords

Number of times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update.

No

55

Event-Timestamp

Time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC.

No

61

NAS-Port-Type

Type of physical port the NAS is using to authenticate the user.

For a tunneled PPP user in an L2TP LNS session, there is no physical port. In this case, the port type is Virtual.

No

64

Tunnel-Type

  • Tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol already in use (in the case of a tunnel terminator).

  • Only L2TP tunnels are currently supported.

No

65

Tunnel-Medium-Type

  • Transport medium to use when creating a tunnel for protocols that can operate over multiple transports.

  • Only IPv4 is currently supported.

No

66

Tunnel-Client-Endpoint

Address of the initiator end of the tunnel (LAC).

No

67

Tunnel-Server-Endpoint

Address of the server end of the tunnel (LNS).

No

68

Acct-Tunnel-Connection

Identifier assigned to the tunnel session. Value is the same as the Call Serial Number AVP received from the LAC in the ICRQ message.

No

69

Tunnel-Password

Encrypted password used to authenticate to a remote server. Recommended over using VSA Tunnel-Password [26-9] because of the encryption. Do not use both this attribute and the VSA.

No

77

Connect-Info

  • Information sent from the NAS that describes the subscriber’s connection, such as transmit speed.

  • Non-standard use for LLID preauthentication feature.

No

82

Tunnel-Assignment-Id

Tunnel to which a session is assigned. When user profiles share the same values for Tunnel-Assignment-Id, Tunnel-Server-Endpoint, and Tunnel-Type, the LAC can group these users into the same tunnel. This grouping enables fewer tunnels to be created. (LAC)

No

83

Tunnel-Preference

  • Included in each set of tunneling attributes to indicate the relative preference assigned to each tunnel when more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator.

  • Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only).

No

85

Acct-Interim-Interval

Number of seconds between each interim accounting update for this session.

The router uses the following guidelines for interim accounting:

  • Attribute value is within the acceptable range (from 600 through 86,400 seconds)—Accounting is updated at the specified interval.

  • Attribute value of 0—No RADIUS accounting is performed.

  • Attribute value is less than the minimum acceptable value—Accounting is updated at the minimum interval (600 seconds).

  • Attribute value is greater than the maximum acceptable value—Accounting is updated at the maximum interval (86,400 seconds).

Note: Values are rounded up to the next higher multiple of 10 minutes. For example, a setting of 900 seconds (15 minutes) is rounded up to 20 minutes (1200 seconds).

No

87

NAS-Port-Id

Text string that identifies the physical interface of the NAS that is authenticating the user.

For a tunneled PPP user in an L2TP LNS session, there is no physical port, and the NAS-Port-Id value has the following format:

media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session id:call serial number

For example:

Ip:198.51.100.1:192.168.0.2:3341:21031:16138:11846:2431

The local information refers to the LNS and the peer information refers to the LAC.

No

88

Framed-Pool

Name of an assigned address pool to use to assign an address for the user.

No

90

Tunnel-Client-Auth-Id

Name of the tunnel initiator (LAC) used during the authentication phase of tunnel establishment.

No

91

Tunnel-Server-Auth-Id

Name of the tunnel terminator (LNS) used during the authentication phase of tunnel establishment.

No

95

NAS-IPv6-Address

Address of the NAS that is requesting authentication of the user.

No

96

Framed-Interface-ID

Interface identifier that is configured for the user.

No

97

Framed-IPv6-Prefix

IPv6 prefix and address that are configured for the user. Prefix lengths of 128 are associated with host addresses. Prefix lengths less than 128 are associated with NDRA prefixes.

No

98

Login-IPv6-Host

System the user connects to when the Login-Service attribute is included.

No

99

Framed-IPv6-Route

IPv6 routing information that is configured for the user.

Yes

100

Framed-IPv6-Pool

Name of the assigned pool used to assign the address and IPv6 prefix for the user.

No

101

Error-Cause

Reason that the RADIUS server does not honor Disconnect-Request or CoA-Request messages. Depending on the value, can be included in CoA or Disconnect NAK messages.

  • 201—Residual Session Context Removed (Disconnect ACK only)

  • 202—Invalid EAP Packet (Ignored)

  • 401—Unsupported Attribute; request contains unsupported attribute.

  • 402—Missing Attribute; critical attribute missing from request

  • 403—NAS Identification Mismatch

  • 404—Invalid Request

  • 405—Unsupported Service

  • 406—Unsupported Extension

  • 407—Invalid Attribute Value

  • 501—Administratively Prohibited

  • 502—Request Not Routable (Proxy)

  • 503—Session Context Not Found

  • 504—Session Context Not Removable

  • 505—Other Proxy Processing Error

  • 506—Resources Unavailable

  • 507—Request Initiated

  • 508—Multiple Session Selection Unsupported

Yes

123

Delegated-IPv6-Prefix

IPv6 prefix that is delegated to the user.

No

168

Framed-IPv6-Address

IPv6 address of the authenticated user. The Framed-IPv6-Address attribute is sent if the IPv6 address is assigned to the subscriber.

No

242

Ascend-Data-Filter

Binary data that specifies RADIUS policy definitions.

Yes
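The Framed-Route (22) format and handling described in Table 1 can be checked against RADIUS user profiles before they are deployed. The following is an added example, not Juniper code: the function names and the sample routes are constructed, the "bad-syntax" category is the checker's own, and it assumes Junos OS Release 18.2R1 or later for the missing-mask case.

```python
import ipaddress

KEYWORDS = ("tag", "distance")  # keyword/value pairs, in the documented order


def _is_uint(token):
    """True for a plain ASCII decimal number."""
    return token.isascii() and token.isdigit()


def parse_framed_route(text):
    """Classify one Framed-Route string against the documented format:
    <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]

    Returns (status, fields) where status is one of:
      ok          - matches the format
      no-mask     - no subnet mask (the page: attribute ignored, session connects)
      bad-address - an address does not parse (the page: route dropped from
                    Release 19.1, login denied before that); treating a bad
                    next hop the same way is this checker's assumption
      bad-syntax  - anything else that does not match the format (checker's own)
    """
    tokens = text.split()
    if not tokens:
        return "bad-syntax", {}
    dest, slash, masklen = tokens[0].partition("/")
    try:
        addr = ipaddress.IPv4Address(dest)
    except ValueError:
        return "bad-address", {}
    if not slash:
        return "no-mask", {}
    if not _is_uint(masklen) or int(masklen) > 32:
        return "bad-syntax", {}
    fields = {"prefix": f"{addr}/{int(masklen)}"}
    rest = tokens[1:]
    # Optional next hop; a cost may only follow a next hop.
    if rest and rest[0] not in KEYWORDS:
        try:
            fields["nexthop"] = str(ipaddress.IPv4Address(rest.pop(0)))
        except ValueError:
            return "bad-address", {}
        if rest and _is_uint(rest[0]):
            fields["cost"] = int(rest.pop(0))
    # Optional "tag N" then "distance N".
    for keyword in KEYWORDS:
        if rest and rest[0] == keyword:
            if len(rest) < 2 or not _is_uint(rest[1]):
                return "bad-syntax", {}
            fields[keyword] = int(rest[1])
            rest = rest[2:]
    if rest:  # leftover tokens do not fit the format
        return "bad-syntax", {}
    return "ok", fields


def predict_login(routes, junos_19_1_or_later=True):
    """Return the prefixes installed for the session, or None if login is denied.

    Raises ValueError for bad-syntax entries, because the page does not say
    how the router treats them.
    """
    results = [(text,) + parse_framed_route(text) for text in routes]
    unknown = [text for text, status, _ in results if status == "bad-syntax"]
    if unknown:
        raise ValueError(f"fix before deploying: {unknown}")
    if not junos_19_1_or_later and any(s == "bad-address" for _, s, _ in results):
        return None  # before Release 19.1 a bad address blocks the login
    return [fields["prefix"] for _, status, fields in results if status == "ok"]


# Constructed sample profile: one valid route, one without a mask, one bad address.
SAMPLE_ROUTES = [
    "192.0.2.0/24 198.51.100.1 10 tag 7 distance 5",
    "203.0.113.128",
    "192.0.2.300/24 198.51.100.1",
]

if __name__ == "__main__":
    for route in SAMPLE_ROUTES:
        print(route, "->", parse_framed_route(route))
    print("19.1 or later:", predict_login(SAMPLE_ROUTES))
    print("before 19.1:  ", predict_login(SAMPLE_ROUTES, junos_19_1_or_later=False))
```
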

Juniper Networks VSAs Supported by the AAA Service Framework

Table 2 describes Juniper Networks VSAs supported by the Junos OS AAA Service Framework. The AAA Service Framework uses vendor ID 4874, which is assigned to Juniper Networks by the Internet Assigned Numbers Authority (IANA). Some VSAs correspond to Juniper Networks predefined variables; see Junos OS Predefined Variables That Correspond to RADIUS Attributes and VSAs.
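Because every VSA in Table 2 travels inside attribute 26 under vendor ID 4874, a captured reply can be audited for the cleartext Tunnel-Password VSA [26-9] that the table advises against combining with the standard Tunnel-Password [69]. The following is an added example, not Juniper code: it assumes the sub-attribute layout recommended by RFC 2865 (vendor type, vendor length, value), and the function names and the sample packet are constructed.

```python
import struct

JUNIPER_VENDOR_ID = 4874   # IANA enterprise number given on this page
VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type
STD_TUNNEL_PASSWORD = 69   # standard Tunnel-Password (encrypted)
VSA_TUNNEL_PASSWORD = 9    # Juniper VSA 26-9 (cleartext)


def attr(atype, value):
    """Encode one type-length-value attribute (used to build the sample)."""
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor_id, subtype, value):
    """Wrap one sub-attribute in a Vendor-Specific attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(subtype, value))


def build_packet(code, attributes):
    """Build a RADIUS packet with a constructed all-zero authenticator."""
    return struct.pack("!BBH", code, 1, 20 + len(attributes)) + bytes(16) + attributes


def iter_tlvs(buf):
    """Yield (type, value) pairs; raise ValueError on a bad length octet."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} for type {atype} at offset {pos}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def parse_packet(packet):
    """Return (code, [(type, value), ...]) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length does not match the datagram")
    return code, list(iter_tlvs(packet[20:length]))


def juniper_vsas(attributes):
    """Return [(sub_type, value), ...] for every vendor-4874 sub-attribute."""
    found = []
    for atype, value in attributes:
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor == JUNIPER_VENDOR_ID:
            found.extend(iter_tlvs(value[4:]))
    return found


def audit_tunnel_password(packet):
    """Return findings about Tunnel-Password usage; never echoes the value."""
    _code, attributes = parse_packet(packet)
    has_std = any(t == STD_TUNNEL_PASSWORD for t, _ in attributes)
    has_vsa = any(t == VSA_TUNNEL_PASSWORD for t, _ in juniper_vsas(attributes))
    findings = []
    if has_vsa:
        findings.append("VSA 26-9 present: tunnel password is sent in cleartext")
    if has_vsa and has_std:
        findings.append("both Tunnel-Password [69] and VSA 26-9 present: use only one")
    return findings


def sample_access_accept():
    """Constructed Access-Accept (code 2) that carries both password forms."""
    attributes = (
        attr(STD_TUNNEL_PASSWORD, b"\x01\x80\x01" + bytes(16))  # tag, salt, opaque bytes
        + vsa(JUNIPER_VENDOR_ID, 8, b"vr-lns")                  # 26-8 Tunnel-Virtual-Router
        + vsa(32473, 1, b"x")                                   # other vendor (documentation number)
        + vsa(JUNIPER_VENDOR_ID, VSA_TUNNEL_PASSWORD, b"s3cret")
    )
    return build_packet(2, attributes)


if __name__ == "__main__":
    for finding in audit_tunnel_password(sample_access_accept()):
        print(finding)
```
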

Note

A “Yes” entry in the Dynamic CoA Support column indicates that the attribute can be dynamically configured by Access-Accept messages and dynamically modified by CoA-Request messages.

Table 2: Supported Juniper Networks VSAs

Attribute Number

Attribute Name

Description

Value

Dynamic CoA Support

26-1

Virtual-Router

Client logical system:routing instance name. Allowed only from AAA server for default logical system:routing instance.

When this VSA is not included in the subscriber profile, the routing instance assigned to the subscriber—the one in which the subscriber session comes up—varies by subscriber type.

For DHCP and PPPoE subscribers, it is the default routing instance.

For L2TP tunnel subscribers, it is the routing instance in which the tunnel resides, whether default or non-default. If the tunnel routing instance is not default and you want the L2TP session to be in the default routing instance, you must use the Virtual-Router VSA to set the desired routing instance.

string: logical system:routing instance

No

26-4

Primary-DNS

Client DNS address negotiated during IPCP.

integer: 4-byte primary-dns-address

No

26-5

Secondary-DNS

Client DNS address negotiated during IPCP.

integer: 4-byte secondary-dns-address

No

26-6

Primary-WINS

Client WINS (NBNS) address negotiated during IPCP.

integer: 4-byte primary-wins-address

No

26-7

Secondary-WINS

Client WINS (NBNS) address negotiated during IPCP.

integer: 4-byte secondary-wins-address

No

26-8

Tunnel-Virtual-Router

Virtual router name for tunnel connection.

string: tunnel-virtual-router

No

26-9

Tunnel-Password

Tunnel password in cleartext.

Do not use both this VSA and the standard RADIUS attribute Tunnel-Password [69]. We recommend that you use the standard attribute because the password is encrypted when that attribute is used.

string: tunnel-password

No

26-10

Ingress-Policy-Name

Input policy name to apply to client interface.

string: input-policy-name

Yes

26-11

Egress-Policy-Name

Output policy name to apply to client interface.

string: output-policy-name

Yes

26-23

IGMP-Enable

Whether IGMP is enabled or disabled on a client interface.

integer:

  • 0=disable

  • 1=enable

Yes

26-24

PPPoE-Description

Client MAC address.

string: pppoe client-mac-address

No

26-25

Redirect-VRouter-Name

Client logical system:routing instance name indicating to which logical system:routing instance the request is redirected for user authentication.

string: logical-system:routing-instance

No

26-30

Tunnel-Nas-Port-Method

Method that determines whether the RADIUS server conveys to the LNS the physical NAS port number identifier and the type of the physical port, such as Ethernet or ATM. This information is conveyed only when the VSA value is 1.

The VSA is formatted such that the first octet indicates the tunnel and the remaining three bytes are the attribute value.

4-octet integer:

  • 0 = none

  • 1 = Cisco CLID

Yes

26-31

Service-Bundle

SSC service bundle.

string: bundle-name

No

26-33

Tunnel-Max-Sessions

Maximum number of sessions allowed in a tunnel.

integer: 4-octet

No

26-34

Framed-IP-Route-Tag

Route tag to apply to returned framed-ip-address.

integer: 4-octet

No

26-42

Input-Gigapackets

Number of times the input-packets attribute rolls over its 4-octet field.

integer

No

26-43

Output-Gigapackets

Number of times the output-packets attribute rolls over its 4-octet field.

integer

No

26-47

Ipv6-Primary-DNS

Client primary IPv6 DNS address negotiated by DHCP.

hexadecimal string: ipv6-primary-dns-address

No

26-48

Ipv6-Secondary-DNS

Client secondary IPv6 DNS address negotiated by DHCP.

hexadecimal string: ipv6-secondary-dns-address

No

26-51

Disconnect-Cause

Disconnect cause when a tunneled subscriber is disconnected and the L2TP layer of the LNS initiates the termination. The PPP Disconnect Cause Code (L2TP AVP 46) is included in VSA 26-51 in the Accounting-Stop message that the router sends to the RADIUS server.

hexadecimal string: disconnect-cause

No

26-55

DHCP-Options

Client DHCP options.

Starting in Junos OS Release 17.4R1, includes only DHCPv4 options. In earlier releases, includes both DHCPv4 and DHCPv6 options.

hexadecimal string: dhcp-options

No

26-56

DHCP-MAC-Address

Client MAC address.

string: mac-address

No

26-57

DHCP-GI-Address

DHCP relay agent IP address.

integer: 4-octet

No

26-58

LI-Action

Traffic mirroring action.

For dynamic CoA, VSA 26-58 changes the action on the mirrored traffic identified by VSA 26-59.

CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs.

If the CoA action is to stop mirroring (VSA 26-58 value is 0), then the values of the other three attributes in the CoA message must match the existing attribute values, or the action fails.

salt-encrypted integer

0=stop mirroring

1=start mirroring

2=no action

Yes

26-59

Med-Dev-Handle

Identifier that associates mirrored traffic to a specific subscriber.

For dynamic CoA, VSA 26-58 changes the action on the mirrored traffic identified by VSA 26-59.

CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs.

salt-encrypted string

No

26-60

Med-Ip-Address

IP address of content destination device to which mirrored traffic is forwarded.

CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs.

salt-encrypted IP address

No

26-61

Med-Port-Number

UDP port in the content destination device to which mirrored traffic is forwarded.

CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs.

salt-encrypted integer

No

26-63

Interface-Desc

Text string that identifies the subscriber’s access interface.

string: interface-description

No

26-64

Tunnel-Group

Name of the tunnel group (profile) assigned to a domain map.

string: tunnel-group-name

No

26-65

Activate-Service

Service to activate for the subscriber. Tagged VSA, which supports 8 tags (1-8).

string: service-name

Yes

26-66

Deactivate-Service

Service to deactivate for the subscriber.

string: service-name

Yes

26-67

Service-Volume

Amount of traffic, in MB, that can use the service; service is deactivated when the volume is exceeded. Tagged VSA, which supports 8 tags (1-8).

integer

  • range = 0 through 16777215 MB

  • 0 = no limit

Yes

26-68

Service-Timeout

Number of seconds that the service can be active; service is deactivated when the timeout expires. Tagged VSA, which supports 8 tags (1-8).

integer

  • range = 0 through 16777215 seconds

  • 0 = no timeout

Yes

26-69

Service-Statistics

Whether statistics for the service are enabled or disabled. Tagged VSA, which supports 8 tags (1-8).

integer

  • 0 = disable

  • 1 = enable time statistics

  • 2 = enable time and volume statistics

Yes

26-71

IGMP-Access-Name

Access list to use for the group (G) filter.

string: 32-octet

Yes

26-72

IGMP-Access-Src-Name

Access list to use for the source-group (S,G) filter.

string: 32-octet

Yes

26-74

MLD-Access-Name

Access list to use for the group (G) filter.

string: 32-octet

Yes

26-75

MLD-Access-Src-Name

Access list to use for the source-group (S,G) filter.

string: 32-octet

Yes

26-77

MLD-Version

MLD protocol version.

integer: 1-octet

  • 1=MLD version 1

  • 2=MLD version 2

Yes

26-78

IGMP-Version

IGMP protocol version.

integer: 1-octet

  • 1=IGMP version 1

  • 2=IGMP version 2

  • 3=IGMP version 3

Yes

26-83

Service-Session

Name of the service.

string: service-name

No

26-91

Tunnel-Switch-Profile

Tunnel switch profile that determines whether a subscriber session is switched to a second session to a remote LNS. Takes precedence over tunnel switch profiles applied in any other manner.

string: profile-name

No

26-92

L2C-Up-Stream-Data

Actual upstream rate access loop parameter (ASCII encoded) as defined in GSMP extensions for Layer 2 control (L2C) Topology Discovery and Line Configuration.

string: actual upstream rate access loop parameter (ASCII encoded)

No

26-93

L2C-Down-Stream-Data

Actual downstream rate access loop parameter (ASCII encoded) as defined in GSMP extensions for Layer 2 control (L2C) Topology Discovery and Line Configuration.

string: actual downstream rate access loop parameter (ASCII encoded)

No

26-94

Tunnel-Tx-Speed-Method

Method that determines the source from which the transmit speed is derived. Overrides global configuration in the CLI.

integer: 4-octet

  • 0 = none

  • 1 = static Layer 2

  • 2 = dynamic Layer 2. This method is not supported; the static Layer 2 method is used instead.

  • 3 = CoS. This method is not supported; the actual method is used instead.

  • 4 = actual

  • 5 = ANCP

  • 6 = PPPoE IA tags

No

26-97

IGMP-Immediate-Leave

IGMP Immediate Leave.

integer: 4-octet

  • 0=disable

  • 1=enable

Yes

26-100

MLD-Immediate-Leave

MLD Immediate Leave.

integer: 4-octet

  • 0=disable

  • 1=enable

Yes

26-106

IPv6-Ingress-Policy-Name

Input policy name to apply to a user IPv6 interface.

string: policy-name

Yes

26-107

IPv6-Egress-Policy-Name

Output policy name to apply to a user IPv6 interface.

string: policy-name

Yes

26-108

CoS-Parameter-Type

CoS traffic-shaping parameter type and description:

  • T01: Scheduler-map name

  • T02: Shaping rate

  • T03: Guaranteed rate

  • T04: Delay-buffer rate

  • T05: Excess rate

  • T06: Traffic-control profile

  • T07: Shaping mode

  • T08: Byte adjust

  • T09: Adjust minimum

  • T10: Excess-rate high

  • T11: Excess-rate low

  • T12: Shaping rate burst

  • T13: Guaranteed rate burst

Two parts, delimited by white space:

  • Parameter type

  • Parameter value

Examples:

  • T01 smap_basic

  • T02 50m

  • T03 1m

  • T04 2000

  • T05 200

  • T06 tcp-gold

  • T07 frame-mode

  • T08 50

Yes

26-109

DHCP-Guided-Relay-Server

IP address of DHCP server that DHCP relay agent uses to forward the discover PDUs.

integer: 4-byte ip-address

No

26-110

Acc-Loop-Cir-Id

Identification of the subscriber node connection to the access node.

string: up to 63 ASCII characters

No

26-111

Acc-Aggr-Cir-Id-Bin

Unique identification of the DSL line.

integer: 8-octet

No

26-112

Acc-Aggr-Cir-Id-Asc

Identification of the uplink on the access node, as in the following examples:

  • Ethernet access aggregation—ethernet slot/port [:inner-vlan-id] [:outer-vlan-id]

  • ATM aggregation—atm slot/port:vpi.vci

string: up to 63 ASCII characters

No

26-113

Act-Data-Rate-Up

Actual upstream data rate of the subscriber’s synchronized DSL link.

integer: 4-octet

No

26-114

Act-Data-Rate-Dn

Actual downstream data rate of the subscriber’s synchronized DSL link.

integer: 4-octet

No

26-115

Min-Data-Rate-Up

Minimum upstream data rate configured for the subscriber.

integer: 4-octet

No

26-116

Min-Data-Rate-Dn

Minimum downstream data rate configured for the subscriber.

integer: 4-octet

No

26-117

Att-Data-Rate-Up

Maximum upstream data rate that the subscriber can attain.

integer: 4-octet

No

26-118

Att-Data-Rate-Dn

Maximum downstream data rate that the subscriber can attain.

integer: 4-octet

No

26-119

Max-Data-Rate-Up

Maximum upstream data rate configured for the subscriber.

integer: 4-octet

No

26-120

Max-Data-Rate-Dn

Maximum downstream data rate configured for the subscriber.

integer: 4-octet

No

26-121

Min-LP-Data-Rate-Up

Minimum upstream data rate in low power state configured for the subscriber.

integer: 4-octet

No

26-122

Min-LP-Data-Rate-Dn

Minimum downstream data rate in low power state configured for the subscriber.

integer: 4-octet

No

26-123

Max-Interlv-Delay-Up

Maximum one-way upstream interleaving delay configured for the subscriber.

integer: 4-octet

No

26-124

Act-Interlv-Delay-Up

Subscriber’s actual one-way upstream interleaving delay.

integer: 4-octet

No

26-125

Max-Interlv-Delay-Dn

Maximum one-way downstream interleaving delay configured for the subscriber.

integer: 4-octet

No

26-126

Act-Interlv-Delay-Dn

Subscriber’s actual one-way downstream interleaving delay.

integer: 4-octet

No

26-127

DSL-Line-State

State of the DSL line.

integer: 4-octet

  • 1 = Show uptime

  • 2 = Idle

  • 3 = Silent

No

26-128

DSL-Type

Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated.

integer: 4-octet

No

26-130

Qos-Set-Name

Interface set to apply to the dynamic profile.

string: interface-set-name

No

26-140

Service-Interim-Acct-Interval

Amount of time between interim accounting updates for this service. Tagged VSA, which supports 8 tags (1-8).

  • range = 600 through 86400 seconds

  • 0 = disabled

Note: Values are rounded up to the next higher multiple of 10 minutes. For example, a setting of 900 seconds (15 minutes) is rounded up to 20 minutes (1200 seconds).

Yes

26-141

Downstream-Calculated-QoS-Rate

Calculated (adjusted) downstream QoS rate in Kbps as set by the ANCP configuration.

range = 1000 through 4,294,967,295

No

26-142

Upstream-Calculated-QoS-Rate

Calculated (adjusted) upstream QoS rate in Kbps as set by the ANCP configuration.

range = 1000 through 4,294,967,295

No

26-143

Max-Clients-Per-Interface

Maximum allowable client sessions per interface. For DHCP clients, this value is the maximum sessions per logical interface. For PPPoE clients, this value is the maximum sessions (PPPoE interfaces) per PPPoE underlying interface.

integer: 4-octet

No

26-146

CoS-Scheduler-Pmt-Type

CoS scheduler parameter type and description:

  • Null: CoS scheduler name

  • T01: CoS scheduler transmit rate

  • T02: CoS scheduler buffer size

  • T03: CoS scheduler priority

  • T04: CoS scheduler drop-profile low

  • T05: CoS scheduler drop-profile medium-low

  • T06: CoS scheduler drop-profile medium-high

  • T07: CoS scheduler drop-profile high

  • T08: CoS scheduler drop-profile any

Three parts, delimited by white space:

  • Scheduler name

  • Parameter type

  • Parameter value

Examples:

  • be_sched

  • be_sched T01 12m

  • be_sched T02 26

Yes

26-151

IPv6-Acct-Input-Octets

IPv6 receive octets.

integer

No

26-152

IPv6-Acct-Output-Octets

IPv6 transmit octets.

integer

No

26-153

IPv6-Acct-Input-Packets

IPv6 receive packets.

integer

No

26-154

IPv6-Acct-Output-Packets

IPv6 transmit packets.

integer

No

26-155

IPv6-Acct-Input-Gigawords

IPv6 receive gigawords.

integer

No

26-156

IPv6-Acct-Output-Gigawords

IPv6 transmit gigawords.

integer

No

26-158

PPPoE-Padn

Route add for PPPoE sessions.

string

No

26-160

Vlan-Map-Id

Trunk VLAN tag corresponding to the core-facing trunk physical interface.

Vlan-Map-Id (26-160), Inner-Vlan-Map-Id (26-184), and Core-Facing-Interface (26-185) collectively represent the network service provider-facing location for the subscriber for the Layer 2 cross-connect in a Layer 2 wholesale configuration.

integer

No

26-161

IPv6-Delegated-Pool-Name

Address pool used to locally allocate a delegated prefix (IA_PD).

string

No

26-162

Tx-Connect-Speed

Indication of transmit speed of the user’s connection.

string

No

26-163

Rx-Connect-Speed

Indication of receive speed of the user’s connection.

string

No

26-164

IPv4-Release-Control

Indicates to the server the status of on-demand address allocation and deallocation.

string

No

26-173

Service-Activate-Type

Indication of service activation type. This is a tagged attribute.

integer: 4-octet

  • 1 = dynamic-profile for residential services

  • 2 = op-script for business services

No

26-174

Client-Profile-Name

Enables RADIUS to override an assigned client dynamic profile with the included profile.

string

No

26-177

Cos-Shaping-Rate

Effective downstream shaping rate for subscriber.

string

No

26-179

Service-Volume-Gigawords

Amount of traffic, in 4GB units, that can use the service; service is deactivated when the volume is exceeded. Tagged VSA, which supports 8 tags (1-8).

integer

  • range = 0 through 16777215 4GB units

  • 0 = no limit

Yes

26-180

Update-Service

New values of service and time quotas for existing service. Tagged VSA, which supports 8 tags (1-8).

string: service-name

Yes

26-181

DHCPv6-Guided-Relay-Server

IPv6 addresses of DHCPv6 servers to which DHCPv6 relay agent forwards the Solicit and subsequent PDUs. Use multiple instances of the VSA to specify a list of servers.

hexadecimal string: ipv6-address

No

26-182

Acc-Loop-Remote-Id

Reports the ANCP Access-Loop-Remote-ID attribute.

string

No

26-183

Acc-Loop-Encap

Reports the ANCP Access-Loop-Encapsulation attribute.

hexadecimal string

No

26-184

Inner-Vlan-Map-Id

Inner VLAN tag allocated from the ranges provisioned on the core-facing physical interface, used to swap (replace) the autosensed VLAN tag on the access interface.

Vlan-Map-Id (26-160), Inner-Vlan-Map-Id (26-184), and Core-Facing-Interface (26-185) collectively represent the network service provider-facing location for the subscriber for the Layer 2 cross-connect in a Layer 2 wholesale configuration.

integer

No

26-185

Core-Facing-Interface

Name of the core-facing physical interface that forwards the Layer 2 wholesale session’s downstream and upstream traffic relative to the network service provider (NSP) router.

Vlan-Map-Id (26-160), Inner-Vlan-Map-Id (26-184), and Core-Facing-Interface (26-185) collectively represent the network service provider-facing location for the subscriber for the Layer 2 cross-connect in a Layer 2 wholesale configuration.

string

No

26-189

DHCP-First-Relay-IPv4-Address

IPv4 address of the first relay link of a client/server binding.

integer: 4-byte ip-address

No

26-190

DHCP-First-Relay-IPv6-Address

IPv6 address of the first relay link of a client/server binding.

hexadecimal string: ipv6-address

No

26-191

Input-Interface-Filter

Name of an input filter to be attached to a family any interface.

string

Yes

26-192

Output-Interface-Filter

Name of an output filter to be attached to a family any interface.

string

Yes

26-193

Pim-Enable

Enable or disable PIM on a BRAS user’s interface.

integer: 4-octet

  • 0 = disable

  • any nonzero value = enable

Yes

26-194

Bulk-CoA-Transaction-Id

A common identifier or tag to associate the series of related CoA Requests as a transaction. This attribute is untagged and value 0 is reserved.

integer: 4-octet

Yes

26-195

Bulk-CoA-Identifier

A unique identifier for each CoA Request message that is part of the same transaction as specified by the Bulk-CoA-Transaction-Id VSA. This attribute is untagged and the value 0 is reserved.

integer: 4-octet

Yes

26-196

IPv4-Input-Service-Set

Name of an IPv4 input service set to be attached.

string

Yes

26-197

IPv4-Output-Service-Set

Name of an IPv4 output service set to be attached.

string

Yes

26-198

IPv4-Input-Service-Filter

Name of an IPv4 input service filter to be attached.

string

Yes

26-199

IPv4-Output-Service-Filter

Name of an IPv4 output service filter to be attached.

string

Yes

26-200

IPv6-Input-Service-Set

Name of an IPv6 input service set to be attached.

string

Yes

26-201

IPv6-Output-Service-Set

Name of an IPv6 output service set to be attached.

string

Yes

26-202

IPv6-Input-Service-Filter

Name of an IPv6 input service filter to be attached.

string

Yes

26-203

IPv6-Output-Service-Filter

Name of an IPv6 output service filter to be attached.

string

Yes

26-204

Adv-Pcef-Profile-Name

Name of a PCEF profile to be attached.

string

Yes

26-205

Adv-Pcef-Rule-Name

Name of a PCC rule to activate.

string

Yes

26-206

Reauthentication-On-Renew

Reason that the client application is reauthenticated.

integer

  • 0 = disable

  • 1 = Initiate reauthentication when DHCP renew request is received from the client

  • all other values = invalid

No

26-207

DHCPv6-Options

DHCPv6 client and server options exchanged with the RADIUS server as TLV options.

In releases earlier than Junos OS Release 17.4.1R1, this VSA is not supported. DHCPv6 options are included instead in 26-55, DHCP-Options.

hexadecimal string

No

26-208

DHCP-Header

DHCPv4 packet header sent to the RADIUS server; used to instantiate dynamic subscriber interfaces.

hexadecimal string

No

26-209

DHCPv6-Header

DHCPv6 packet header sent to the RADIUS server; used to instantiate dynamic subscriber interfaces.

hexadecimal string

No

26-210

Acct-Request-Reason

Reason for sending an Accounting-Request message.

integer: 4-octet

  • 0x0001 = Acct-Start-Ack; that is, receipt of an Acct response for the Acct-Start message

  • 0x0002 = Periodic/Timed interval interim

  • 0x0004 = IP active

  • 0x0008 = IP inactive

  • 0x0010 = IPv6 active

  • 0x0020 = IPv6 inactive

  • 0x0040 = Session active

  • 0x0080 = Session inactive

  • 0x0100 = Line speed change

  • 0x0200 = Address assignment change

  • 0x0400 = Completion of processing of CoA request

No

26-211

Inner-Tag-Protocol-Id

Protocol identifier for the inner VLAN tag

hexadecimal string:

  • range = 0x600 through 0xffff.

  • 0x8100 = Inner VLAN tag for designated L2BSA subscribers

No

26-212

Routing-Services

Determines whether the routing services capability is enabled or disabled.

integer: 4-octet

  • 0x0000 = Disable installation of routing services.

  • 0x0001 = Enable installation of routing services.

Any value other than 0 or 1 is rejected.

No

26-213

Interface-Set-Targeting-Weight

Specify a weight for an interface set to associate it and its member links with an aggregated Ethernet member link for targeted distribution.

integer: 4-octet

No

26-214

Interface-Targeting-Weight

Specify a weight for an interface to associate it with an interface set and thus with the set’s aggregated Ethernet member link for targeted distribution. When an interface set does not have a weight, then the interface weight value for the first authorized subscriber interface is used for the set.

integer: 4-octet

No

26–216

Hybrid-Access-DSL-Downstream-Speed

Specify a downstream bandwidth for the DSL leg of a hybrid access tunnel for a subscriber. Used by the PFE for load-balancing traffic across the DSL and LTE legs.

32-bit integer

No

26–217

Hybrid-Access-LTE-Downstream-Speed

Specify a downstream bandwidth for the LTE leg of the hybrid access tunnel for a subscriber. Used by the Packet Forwarding Engine for load-balancing traffic across the DSL and LTE legs.

32-bit integer

No

26–219

PON-Access-Type

Type of PON transmission system in use:

  • 0—OTHER

  • 1—GPON

  • 2—XG-PON1

  • 3—TWDM-PON

  • 4—XGS-PON

  • 5—WDM-PON

  • 7—UNKNOWN

32-bit integer

No

26–220

ONT/ONU-Average-Data-Rate-Downstream

(PON) Average downstream data rate for ONT/ONU, in Kbps

32-bit integer

No

26–221

ONT/ONU-Peak-Data-Rate-Downstream

(PON) Peak downstream data rate for ONT/ONU, in Kbps

32-bit integer

No

26–222

ONT/ONU-Maximum-Data-Rate-Upstream

(PON) Maximum upstream data rate for ONT/ONU, in Kbps

32-bit integer

No

26–223

ONT/ONU-Assured-Data-Rate-Upstream

(PON) Assured upstream data rate for ONT/ONU, in Kbps

32-bit integer

No

26–224

PON-Tree-Maximum-Data-Rate-Upstream

(PON) Maximum upstream data rate for the PON tree, in Kbps

32-bit integer

No

26–225

PON-Tree-Maximum-Data-Rate-Downstream

(PON) Maximum downstream data rate for the PON tree, in Kbps

32-bit integer

No

26–226

Expected-Throughput-Upstream

(G.fast) Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps

32-bit integer

No

26–227

Expected-Throughput-Downstream

(G.fast) Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps

32-bit integer

No

26–228

Attainable-Expected-Throughput-Upstream

(G.fast) Maximum attainable expected upstream throughput, in Kbps

32-bit integer

No

26–229

Attainable-Expected-Throughput-Downstream

(G.fast) Maximum attainable expected downstream throughput, in Kbps

32-bit integer

No

26–230

Gamma-Data-Rate-Upstream

(G.fast) Actual upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

32-bit integer

No

26–231

Gamma-Data-Rate-Downstream

(G.fast) Actual downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

32-bit integer

No

26–232

Attainable-Gamma-Data-Rate-Upstream

(G.fast) Maximum attainable upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

32-bit integer

No

26–233

Attainable-Gamma-Data-Rate-Downstream

(G.fast) Maximum attainable downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

32-bit integer

No

AAA Access Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS

Table 3 shows the RADIUS attributes and Juniper Networks VSAs (vendor ID 4874) supported in AAA access messages. A checkmark in a column indicates that the message type supports that attribute.

Table 3: AAA Access Messages: Supported RADIUS Attributes and Juniper Networks VSAs

Attribute Number

Attribute Name

Access Request

Access Accept

Access Reject

Access Challenge

CoA Request

Disconnect Request

1

User-Name

2

User-Password

3

CHAP-Password

4

NAS-IP-Address

5

NAS-Port

6

Service-Type

7

Framed-Protocol

8

Framed-IP-Address

9

Framed-IP-Netmask

11

Filter-Id

12

Framed-MTU

18

Reply-Message

22

Framed-Route

24

State

25

Class

26-1

Virtual-Router

26-4

Primary-DNS

26-5

Secondary-DNS

26-6

Primary-WINS

26-7

Secondary-WINS

26-8

Tunnel-Virtual-Router

26-9

Tunnel-Password

26-10

Ingress-Policy-Name

26-11

Egress-Policy-Name

26-23

IGMP-Enable

26-24

PPPoE-Description

26-25

Redirect-VR-Name

26-31

Service-Bundle

26-33

Tunnel-Maximum-Sessions

26-34

Framed-IP-Route-Tag

26-47

Ipv6-Primary-DNS

26-48

Ipv6-Secondary-DNS

26-55

DHCP-Options

26-56

DHCP-MAC-Address

26-57

DHCP-GI-Address

26-58

LI-Action

26-59

Med-Dev-Handle

26-60

Med-Ip-Address

26-61

Med-Port-Number

26-63

Interface-Desc

26-64

Tunnel-Group

26-65

Activate-Service

26-66

Deactivate-Service

26-67

Service-Volume

26-68

Service-Timeout

26-69

Service-Statistics

26-71

IGMP-Access-Name

26-72

IGMP-Access-Src-Name

26-74

MLD-Access-Name

26-75

MLD-Access-Src-Name

26-77

MLD-Version

26-78

IGMP-Version

26-91

Tunnel-Switch-Profile

26-92

L2C-Up-Stream-Data

26-93

L2C-Down-Stream-Data

26-94

Tunnel-Tx-Speed-Method

26-97

IGMP-Immediate-Leave

26-100

MLD-Immediate-Leave

26-106

IPv6-Ingress-Policy-Name

26-107

IPv6-Egress-Policy-Name

26-108

CoS-Parameter-Type

26-109

DHCP-Guided-Relay-Server

26-110

Acc-Loop-Cir-Id

26-111

Acc-Aggr-Cir-Id-Bin

26-112

Acc-Aggr-Cir-Id-Asc

26-113

Act-Data-Rate-Up

26-114

Act-Data-Rate-Dn

26-115

Min-Data-Rate-Up

26-116

Min-Data-Rate-Dn

26-117

Att-Data-Rate-Up

26-118

Att-Data-Rate-Dn

26-119

Max-Data-Rate-Up

26-120

Max-Data-Rate-Dn

26-121

Min-LP-Data-Rate-Up

26-122

Min-LP-Data-Rate-Dn

26-123

Max-Interlv-Delay-Up

26-124

Act-Interlv-Delay-Up

26-125

Max-Interlv-Delay-Dn

26-126

Act-Interlv-Delay-Dn

26-127

DSL-Line-State

26-128

DSL-Type

26-130

QoS-Set-Name

26-140

Service-Interim-Account-Interval

26-141

Downstream-Calculated-QoS-Rate

26-142

Upstream-Calculated-QoS-Rate

26-143

Max-Clients-Per-Interface

26-146

Cos-Scheduler-Pmt-Type

26-158

PPPoE-Padn

26-160

Vlan-Map-Id

26-161

IPv6-Delegated-Pool-Name

26-162

Tx-Connect-Speed

26-163

Rx-Connect-Speed

26-164

IPv4-Release-Control

26-173

Service-Activate-Type

26-174

Client-Profile-Name

26-179

Service-Volume-Gigawords

26-180

Update-Service

26-181

DHCPv6-Guided-Relay-Server

26-182

Acc-Loop-Remote-Id

26-183

Acc-Loop-Encap

26-184

Inner-Vlan-Map-Id

26-189

DHCP-First-Relay-IPv4-Address

26-190

DHCP-First-Relay-IPv6-Address

26-191

Input-Interface-Filter

26-192

Output-Interface-Filter

26-193

Pim-Enable

26-194

Bulk-CoA-Transaction-Id

26-195

Bulk-CoA-Identifier

26-196

IPv4-Input-Service-Set

26-197

IPv4-Output-Service-Set

26-198

IPv4-Input-Service-Filter

26-199

IPv4-Output-Service-Filter

26-200

IPv6-Input-Service-Set

26-201

IPv6-Output-Service-Set

26-202

IPv6-Input-Service-Filter

26-203

IPv6-Output-Service-Filter

26-204

Adv-Pcef-Profile-Name

26-205

Adv-Pcef-Rule-Name

26-206

Re-Authentication-On-Renew

26-207

DHCPv6-Options

26-208

DHCP-Header

26-209

DHCPv6-Header

26-211

Inner-Tag-Protocol-Id

26-212

Routing-Services

26-213

Interface-Set-Targeting-Weight

26-214

Interface-Targeting-Weight

26–216

Hybrid-Access-DSL-Downstream-Speed

26-217

Hybrid-Access-LTE-Downstream-Speed

26–219

PON-Access-Type

26–220

ONT/ONU-Average-Data-Rate-Downstream

26–221

ONT/ONU-Peak-Data-Rate-Downstream

26–222

ONT/ONU-Maximum-Data-Rate-Upstream

26–223

ONT/ONU-Assured-Data-Rate-Upstream

26–224

PON-Tree-Maximum-Data-Rate-Upstream

26–225

PON-Tree-Maximum-Data-Rate-Downstream

26–226

Expected-Throughput-Upstream

26–227

Expected-Throughput-Downstream

26–228

Attainable-Expected-Throughput-Upstream

26–229

Attainable-Expected-Throughput-Downstream

26–230

Gamma-Data-Rate-Upstream

26–231

Gamma-Data-Rate-Downstream

26–232

Attainable-Gamma-Data-Rate-Upstream

26–233

Attainable-Gamma-Data-Rate-Downstream

27

Session-Timeout

28

Idle-Timeout

31

Calling-Station-ID

32

NAS-Identifier

44

Acct-Session-ID

61

NAS-Port-Type

64

Tunnel-Type

65

Tunnel-Medium-Type

66

Tunnel-Client-Endpoint

67

Tunnel-Server-Endpoint

68

Acct-Tunnel-Connection

69

Tunnel-Password

82

Tunnel-Assignment-Id

83

Tunnel-Preference

85

Acct-Interim-Interval

87

NAS-Port-Id

88

Framed-Pool

90

Tunnel-Client-Auth-Id

91

Tunnel-Server-Auth-Id

95

NAS-IPv6-Address

96

Framed-Interface-ID

97

Framed-IPv6-Prefix

98

Login-IPv6-Host

99

Framed-IPv6-Route

100

Framed-IPv6-Pool

101

Error-Cause

123

Delegated-IPv6-Prefix

168

Framed-IP-Address

242

Ascend-Data-Filter

AAA Accounting Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS

Table 4 shows the RADIUS attributes and Juniper Networks VSAs supported in AAA accounting messages. A checkmark in a column indicates that the message type supports that attribute.

Table 4: AAA Accounting Messages—Supported RADIUS Attributes and Juniper Networks VSAs

Attribute Number

Attribute Name

Acct Start

Acct Stop

Interim Acct

Acct On

Acct Off

1

User-Name

3

CHAP-Password

4

NAS-IP-Address

5

NAS-Port

6

Service-Type

7

Framed-Protocol

8

Framed-IP-Address

9

Framed-IP-Netmask

11

Filter-Id

22

Framed-Route

25

Class

26-1

Virtual-Router

26-10

Ingress-Policy-Name

26-11

Egress-Policy-Name

26-24

PPPoE-Description

26-42

Input-Gigapackets

26-43

Output-Gigapackets

26-47

Ipv6-Primary-DNS

26-48

Ipv6-Secondary-DNS

26-51

Disconnect-Cause

26-55

DHCP-Options

26-56

DHCP-MAC-Address

26-57

DHCP-GI-Address

26-63

Interface-Desc

26-83

Service-Session

26-92

L2C-Up-Stream-Data

26-93

L2C-Down-Stream-Data

26-110

Acc-Loop-Cir-Id

26-111

Acc-Aggr-Cir-Id-Bin

26-112

Acc-Aggr-Cir-Id-Asc

26-113

Act-Data-Rate-Up

26-114

Act-Data-Rate-Dn

26-115

Min-Data-Rate-Up

26-116

Min-Data-Rate-Dn

26-117

Att-Data-Rate-Up

26-118

Att-Data-Rate-Dn

26-119

Max-Data-Rate-Up

26-120

Max-Data-Rate-Dn

26-121

Min-LP-Data-Rate-Up

26-122

Min-LP-Data-Rate-Dn

26-123

Max-Interlv-Delay-Up

26-124

Act-Interlv-Delay-Up

26-125

Max-Interlv-Delay-Dn

26-126

Act-Interlv-Delay-Dn

26-127

DSL-Line-State

26-128

DSL-Type

26-141

Downstream-Calculated-QoS-Rate

26-142

Upstream-Calculated-QoS-Rate

26-151

IPv6-Acct-Input-Octets

26-152

IPv6-Acct-Output-Octets

26-153

IPv6-Acct-Input-Packets

26-154

IPv6-Acct-Output-Packets

26-155

IPv6-Acct-Input-Gigawords

26-156

IPv6-Acct-Output-Gigawords

26-160

Vlan-Map-Id

26-162

Tx-Connect-Speed

26-163

Rx-Connect-Speed

26-164

IPv4-Release-Control

26-177

Cos-Shaping-Rate

26-182

Acc-Loop-Remote-Id

26-183

Acc-Loop-Encap

26-184

Inner-Vlan-Map-Id

26-185

Core-Facing-Interface

26-188

DHCP-First-Relay-IPv4-Address

26-190

DHCP-First-Relay-IPv6-Address

26-191

Input-Interface-Filter

26-192

Output-Interface-Filter

26-207

DHCPv6-Options

26-210

Acct-Request-Reason

26–219

PON-Access-Type

26–220

ONT/ONU-Average-Data-Rate-Downstream

26–221

ONT/ONU-Peak-Data-Rate-Downstream

26–222

ONT/ONU-Maximum-Data-Rate-Upstream

26–223

ONT/ONU-Assured-Data-Rate-Upstream

26–224

PON-Tree-Maximum-Data-Rate-Upstream

26–225

PON-Tree-Maximum-Data-Rate-Downstream

26–226

Expected-Throughput-Upstream

26–227

Expected-Throughput-Downstream

26–228

Attainable-Expected-Throughput-Upstream

26–229

Attainable-Expected-Throughput-Downstream

26–230

Gamma-Data-Rate-Upstream

26–231

Gamma-Data-Rate-Downstream

26–232

Attainable-Gamma-Data-Rate-Upstream

26–233

Attainable-Gamma-Data-Rate-Downstream

31

Calling-Station-ID

32

NAS-Identifier

40

Acct-Status-Type

41

Acct-Delay-Time

42

Acct-Input-Octets

43

Acct-Output-Octets

44

Acct-Session-ID

45

Acct-Authentic

46

Acct-Session-Time

47

Acct-Input-Packets

48

Acct-Output-Packets

49

Acct-Terminate-Cause

52

Acct-Input-Gigawords

53

Acct-Output-Gigawords

55

Event-Timestamp

61

NAS-Port-Type

64

Tunnel-Type

65

Tunnel-Medium-Type

66

Tunnel-Client-Endpoint

67

Tunnel-Server-Endpoint

68

Acct-Tunnel-Connection

77

Connect-Info

82

Tunnel-Assignment-Id

87

NAS-Port-Id

90

Tunnel-Client-Auth-Id

91

Tunnel-Server-Auth-Id

99

Framed-IPv6-Route

100

Framed-IPv6-Pool

123

Delegated-IPv6-Prefix

DSL Forum Vendor-Specific Attributes

Broadband access lines have many characteristics that are not supported by standard RADIUS attributes. A telecommunications and networking industry consortium, formerly called the DSL Forum and since 2008 called the Broadband Forum, develops standards and specifications for broadband technologies and products. The DSL Forum concentrated only on digital subscriber lines. The forum changed its name as it expanded the scope of its work to other broadband access technologies, such as passive optical networking (PON).

The DSL Forum defined RADIUS vendor-specific attributes (VSAs) to convey that information to the RADIUS server for processing. These VSAs include information about the access lines, the subscribers using the lines, and data rates on the lines. Subscriber management does not process the VSA values—the router simply passes the values received from the subscriber to the RADIUS server, without performing any parsing or manipulation. However, you can manage the content of the VSAs either by using the client configuration to restrict the DSL Forum VSAs that the client sends, or by configuring the RADIUS server to ignore unwanted DSL Forum VSAs.

The terminology used with the DSL Forum VSAs can be confusing. Each of these VSAs is actually a subattribute of the DSL Forum RADIUS VSA. The DSL Forum RADIUS VSA is simply a container for the subattributes that transports them to the RADIUS server. The DSL Forum RADIUS VSA provides the following information that applies to each subattribute:

  • Type = 26. This value indicates that the subattribute is a vendor-specific attribute.

  • Vendor-ID = 3561. This value is the vendor ID (enterprise number) assigned to the Broadband Forum by the Internet Assigned Numbers Authority (IANA).

Each subattribute is a TLV; that is, it specifies type, length, and value information:

  • The vendor type is a number assigned by the Broadband Forum that identifies the subattribute. This number is sometimes referred to as the attribute number.

  • The vendor length is a number that specifies the length of the entire subattribute.

  • The value field contains information specific to the subattribute, such as data rates or access line identifiers.

After the name changed to the Broadband Forum, the forum added PON VSAs. We still refer to them as DSL Forum VSAs because they are subattributes of the DSL Forum VSA. Some of the VSAs previously used only for DSL networks are also used for PON networks.

Note

The full designation for a DSL Forum VSA is 26–3561–type. The vendor ID is critical to distinguishing between VSAs. For example, 26-3561-1 is a different attribute than 26-4874-1; 4874 is a Juniper Networks enterprise number. When the enterprise is clear from the context, our documentation may omit the enterprise number. For example, when a table refers to attributes for only one enterprise, we may omit the number to make the table easier to read.
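The container layout described above, shown as an added example that is not Juniper or Broadband Forum code: a strict parser that walks RADIUS attributes, opens each type 26 container, reads the 4-octet vendor ID, and decodes the subattribute TLVs for vendor 3561. Because the router forwards these subscriber-supplied values unparsed, the receiving side checks every length and escapes string values before they reach a log. The sample bytes, the helper names, and the subset of Table 5 used here are constructed for the illustration; the 4-octet vendor ID field and the one-octet type and length fields follow the standard RADIUS VSA encoding.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs
DSL_FORUM = 3561       # enterprise number given in the text above
JUNIPER = 4874         # enterprise number given in the note above

# A few rows of Table 5: vendor type -> (name, value kind).
DSL_FORUM_VSAS = {
    1: ("Agent-Circuit-Id", "string"),
    2: ("Agent-Remote-Id", "string"),
    129: ("Actual-Data-Rate-Upstream", "uint32"),
    130: ("Actual-Data-Rate-Downstream", "uint32"),
    145: ("DSL-Type", "uint32"),
    254: ("IWF-Session", "empty"),
}


class MalformedAttribute(ValueError):
    """A length field does not fit its buffer or its declared value type."""


def iter_tlvs(buf, what):
    """Yield (type, value) pairs; each length octet covers the whole TLV."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute(f"{what}: truncated header at offset {pos}")
        tlv_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise MalformedAttribute(f"{what}: bad length {length} at offset {pos}")
        yield tlv_type, buf[pos + 2:pos + length]
        pos += length


def decode_value(kind, raw):
    """Decode one subattribute value, rejecting sizes that do not match its kind."""
    if kind == "uint32":
        if len(raw) != 4:
            raise MalformedAttribute(f"32-bit integer with {len(raw)} value octets")
        return struct.unpack("!I", raw)[0]
    if kind == "empty":
        if raw:
            raise MalformedAttribute("value present where no data field is expected")
        return None
    # Strings originate on the subscriber side: escape control and non-ASCII
    # bytes so the value is safe to write into a log line.
    return raw.decode("latin-1").encode("unicode_escape").decode("ascii")


def parse_vsas(attributes):
    """Return (designation, name, value) for every subattribute of every VSA."""
    found = []
    for attr_type, body in iter_tlvs(attributes, "attribute"):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(body) < 4:
            raise MalformedAttribute("VSA too short to hold a vendor ID")
        vendor_id = struct.unpack("!I", body[:4])[0]
        for vendor_type, raw in iter_tlvs(body[4:], f"vendor {vendor_id}"):
            designation = f"26-{vendor_id}-{vendor_type}"
            if vendor_id == DSL_FORUM and vendor_type in DSL_FORUM_VSAS:
                name, kind = DSL_FORUM_VSAS[vendor_type]
                found.append((designation, name, decode_value(kind, raw)))
            else:
                # Same vendor type under another enterprise is a different attribute.
                found.append((designation, None, raw))
    return found


# Constructed sample input (not captured traffic).
def tlv(tlv_type, value):
    return bytes([tlv_type, len(value) + 2]) + value


def vsa(vendor_id, *subattributes):
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + b"".join(subattributes))


SAMPLE_ATTRIBUTES = (
    tlv(1, b"alice")                                   # User-Name
    + vsa(DSL_FORUM,
          tlv(1, b"dslam1 atm 1/2:0.35"),              # 26-3561-1
          tlv(129, struct.pack("!I", 1024000)),        # 26-3561-129
          tlv(145, struct.pack("!I", 5)))              # 26-3561-145
    + vsa(JUNIPER, tlv(1, b"vr-retail"))               # 26-4874-1
)

if __name__ == "__main__":
    for row in parse_vsas(SAMPLE_ATTRIBUTES):
        print(row)
```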

The following documents provide information about the attributes:

  • RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes

  • RFC 5515, Layer 2 Tunneling Protocol (L2TP) Access Line Information Attribute Value Pair (AVP) Extensions

  • RFC 6320, Protocol for Access Node Control Mechanism in Broadband Networks

  • RFC 6320-EXT, Access Extensions for the Access Node Control Protocol

  • Broadband Forum technical report TR-101, Migration to Ethernet-Based Broadband Aggregation

Table 5 describes the DSL Forum VSAs. Starting in Junos OS Release 19.3R1, we support the PON and DSL G.fast VSAs.

Table 5: DSL Forum VSAs (Vendor ID 3561)

Type

Name

Description

Access Type

Value

1

Agent-Circuit-Id

Identifier for the subscriber agent circuit ID (ACI) that corresponds to the access node interface from which subscriber requests are initiated.

For auto-sensed VLANs, the ACI is extracted from DHCP discover, DHCPv6 solicit, or PPPoE PADI messages, stored in the VLAN shared database entry, and then presented in the RADIUS Access-Request message in this VSA.

DSL, PON

string

2

Agent-Remote-Id

Unique identifier for the subscriber associated with the access node interface from which requests are initiated.

For auto-sensed VLANs, the ARI is extracted from DHCP discover, DHCPv6 solicit, or PPPoE PADI messages, stored in the VLAN shared database entry, and then presented in the RADIUS Access-Request message in this VSA.

DSL, PON

string

3

Access-Aggregation-Circuit-ID-ASCII

ASCII identifier for the subscriber access line, based on its network-facing logical appearance

If the string begins with a # sign, then the remainder of the string represents a logical intermediate node (DPU-C or PON tree) in the access network to which the subscriber is attached. The string is used as the name of a CoS Level 2 interface set that groups subscribers.

DSL, PON

string

6

Access-Aggregation-Circuit-ID-Binary

Binary identifier for the subscriber access line

DSL, PON

string

129

Actual-Data-Rate-Upstream

Actual upstream data rate of the subscriber’s synchronized DSL link, in bps

DSL

32-bit integer

130

Actual-Data-Rate-Downstream

Actual downstream data rate of the subscriber’s synchronized DSL link, in bps

DSL

32-bit integer

131

Minimum-Data-Rate-Upstream

Minimum upstream data rate configured for the subscriber, in bps

DSL

32-bit integer

132

Minimum-Data-Rate-Downstream

Minimum downstream data rate configured for the subscriber, in bps

DSL

32-bit integer

133

Attainable-Data-Rate-Upstream

Upstream data rate that the subscriber can attain, in bps

DSL

32-bit integer

134

Attainable-Data-Rate-Downstream

Downstream data rate that the subscriber can attain, in bps

DSL

32-bit integer

135

Maximum-Data-Rate-Upstream

Maximum upstream data rate configured for the subscriber, in bps

DSL

32-bit integer

136

Maximum-Data-Rate-Downstream

Maximum downstream data rate configured for the subscriber, in bps

DSL

32-bit integer

137

Minimum-Data-Rate-Upstream-Low-Power

Minimum upstream data rate in low power state configured for the subscriber, in bps

DSL

32-bit integer

138

Minimum-Data-Rate-Downstream-Low-Power

Minimum downstream data rate in low power state configured for the subscriber, in bps

DSL

32-bit integer

139

Maximum-Interleaving-Delay-Upstream

Maximum one-way upstream interleaving delay configured for the subscriber, in milliseconds

DSL

32-bit integer

140

Actual-Interleaving-Delay-Upstream

Subscriber’s actual one-way upstream interleaving delay, in milliseconds

DSL

32-bit integer

141

Maximum-Interleaving-Delay-Downstream

Maximum one-way downstream interleaving delay configured for the subscriber, in milliseconds

DSL

32-bit integer

142

Actual-Interleaving-Delay-Downstream

Subscriber’s actual one-way downstream interleaving delay, in milliseconds

DSL

32-bit integer

144

Access-Loop-Encapsulation

Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated

DSL, PON

string: 3-byte

145

DSL-Type

Type of DSL transmission system in use:

  • 0—OTHER

  • 1—ADSL1

  • 2—ADSL2

  • 3—ADSL2+

  • 4—VDSL1

  • 5—VDSL2

  • 6—SDSL

  • 8—G.fast

  • 9—VDSL2 Annex Q

  • 10—SDSL bonded

  • 11—VDSL2 bonded

  • 12—G.fast bonded

  • 13—VDSL2 Annex Q bonded

DSL

32-bit integer

146

PON-Access-Type

Type of PON transmission system in use:

  • 0—OTHER

  • 1—GPON

  • 2—XG-PON1

  • 3—TWDM-PON

  • 4—XGS-PON

  • 5—WDM-PON

  • 7—UNKNOWN

PON

32-bit integer

147

ONT/ONU-Average-Data-Rate-Downstream

Average downstream data rate for ONT/ONU, in Kbps

PON

32-bit integer

148

ONT/ONU-Peak-Data-Rate-Downstream

Peak downstream data rate for ONT/ONU, in Kbps

PON

32-bit integer

149

ONT/ONU-Maximum-Data-Rate-Upstream

Maximum upstream data rate for ONT/ONU, in Kbps

PON

32-bit integer

150

ONT/ONU-Assured-Data-Rate-Upstream

Assured upstream data rate for ONT/ONU, in Kbps

PON

32-bit integer

151

PON-Tree-Maximum-Data-Rate-Upstream

Maximum upstream data rate for the PON tree, in Kbps

PON

32-bit integer

152

PON-Tree-Maximum-Data-Rate-Downstream

Maximum downstream data rate for the PON tree, in Kbps

PON

32-bit integer

155

Expected-Throughput-Upstream

Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps

G.fast (DSL)

32-bit integer

156

Expected-Throughput-Downstream

Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps

G.fast (DSL)

32-bit integer

157

Attainable-Expected-Throughput-Upstream

Maximum attainable expected upstream throughput, in Kbps

G.fast (DSL)

32-bit integer

158

Attainable-Expected-Throughput-Downstream

Maximum attainable expected downstream throughput, in Kbps

G.fast (DSL)

32-bit integer

159

Gamma-Data-Rate-Upstream

Actual upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

G.fast (DSL)

32-bit integer

160

Gamma-Data-Rate-Downstream

Actual downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

G.fast (DSL)

32-bit integer

161

Attainable-Gamma-Data-Rate-Upstream

Maximum attainable upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

G.fast (DSL)

32-bit integer

162

Attainable-Gamma-Data-Rate-Downstream

Maximum attainable downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps

G.fast (DSL)

32-bit integer

254

IWF-Session

Indication that the interworking function (IWF) has been performed for the subscriber’s PPPoA over PPPoE session

DSL

No data field required

DSL Forum VSAs and PPPoE-IA Tags

In addition to using information received in ANCP messages, the ANCP agent on the router can use access line information conveyed in PPPoE packets, such as the PADI and PADO discovery packets. For PPPoE subscribers that connect through an access node that is running ANCP, the access node adds access-line information to PPPoE intermediate agent (PPPoE-IA) tags. These tags are located in the discovery packets that it passes to the router during the establishment of dynamic PPPoE sessions. Similarly to the way access line information is carried in sub-attributes of the DSL Forum VSA, this information is contained in sub-tags in the PPPoE Vendor-Specific-Tag (0x105). The sub-tags are also called tags. The data represents a current, accurate snapshot of the values at the moment that the subscriber connection is initiated.

Table 6 shows the PPPoE-IA tags that correspond to the DSL Forum VSAs. The tag value is simply the hexadecimal equivalent of the VSA type number. The vendor ID is the same for both the DSL Forum VSAs and the PPPoE tags: 3561 (0xDE9).

Table 6: Correlation Between DSL Forum VSAs and PPPoE-IA Tags

VSA Type

VSA Name

PPPoE Tag

1

Agent-Circuit-Id

0x01

2

Agent-Remote-Id

0x02

3

Access-Aggregation-Circuit-ID-ASCII

0x03

6

Access-Aggregation-Circuit-ID-Binary

0x06

129

Actual-Data-Rate-Upstream

0x81

130

Actual-Data-Rate-Downstream

0x82

131

Minimum-Data-Rate-Upstream

0x83

132

Minimum-Data-Rate-Downstream

0x84

133

Attainable-Data-Rate-Upstream

0x85

134

Attainable-Data-Rate-Downstream

0x86

135

Maximum-Data-Rate-Upstream

0x87

136

Maximum-Data-Rate-Downstream

0x88

137

Minimum-Data-Rate-Upstream-Low-Power

0x89

138

Minimum-Data-Rate-Downstream-Low-Power

0x8A

139

Maximum-Interleaving-Delay-Upstream

0x8B

140

Actual-Interleaving-Delay-Upstream

0x8C

141

Maximum-Interleaving-Delay-Downstream

0x8D

142

Actual-Interleaving-Delay-Downstream

0x8D

144

Access-Loop-Encapsulation

0x90

145

DSL-Type

0x91

146

PON-Access-Type

0x92

147

ONT/ONU-Average-Data-Rate-Downstream

0x93

148

ONT/ONU-Peak-Data-Rate-Downstream

0x94

149

ONT/ONU-Maximum-Data-Rate-Upstream

0x95

150

ONT/ONU-Assured-Data-Rate-Upstream

0x96

151

PON-Tree-Maximum-Data-Rate-Upstream

0x97

152

PON-Tree-Maximum-Data-Rate-Downstream

0x98

155

Expected-Throughput-Upstream

0x9B

156

Expected-Throughput-Downstream

0x9C

157

Attainable-Expected-Throughput-Upstream

0x9D

158

Attainable-Expected-Throughput-Downstream

0x9E

159

Gamma-Data-Rate-Upstream

0x9F

160

Gamma-Data-Rate-Downstream

0xA0

161

Attainable-Gamma-Data-Rate-Upstream

0xA1

162

Attainable-Gamma-Data-Rate-Downstream

0xA2

254

IWF-Session

0xFE

DSL Forum VSAs Support in AAA Access and Accounting Messages for Junos OS

Table 7 lists the DSL Forum VSAs supported by Junos OS in RADIUS Access-Request, Acct-Start, Acct-Stop, Interim-Acct, and CoA-Request messages. A checkmark in a column indicates that the message type supports that attribute.

Note

The DSL Forum vendor ID, 3561, is omitted from the attribute number to simplify the table. For example, the full designation for DSL Forum VSA Agent-Circuit-Id is 26–3561–1.

Table 7: RADIUS Message Support for DSL Forum VSAs (Vendor ID 3561)

Attribute Number

Attribute Name

Access Request

Acct Start

Acct Stop

Interim Acct

CoA Request

26-1

Agent-Circuit-Id

26-2

Agent-Remote-Id

26–3

Access-Aggregation-Circuit-ID-ASCII

26–6

Access-Aggregation-Circuit-ID-Binary

26-129

Actual-Data-Rate-Upstream

26-130

Actual-Data-Rate-Downstream

26-131

Minimum-Data-Rate-Upstream

26-132

Minimum-Data-Rate-Downstream

26-133

Attainable-Data-Rate-Upstream

26-134

Attainable-Data-Rate-Downstream

26-135

Maximum-Data-Rate-Upstream

26-136

Maximum-Data-Rate-Downstream

26-137

Minimum-Data-Rate-Upstream-Low-Power

26-138

Minimum-Data-Rate-Downstream-Low-Power

26-139

Maximum-Interleaving-Delay-Upstream

26-140

Actual-Interleaving-Delay-Upstream

26-141

Maximum-Interleaving-Delay-Downstream

26-142

Actual-Interleaving-Delay-Downstream

26-144

Access-Loop-Encapsulation

26-145

DSL-Type

26-146

PON-Access-Type

26-147

ONT/ONU-Average-Data-Rate-Downstream

26-148

ONT/ONU-Peak-Data-Rate-Downstream

26-149

ONT/ONU-Maximum-Data-Rate-Upstream

26-150

ONT/ONU-Assured-Data-Rate-Upstream

26-151

PON-Tree-Maximum-Data-Rate-Upstream

26-152

PON-Tree-Maximum-Data-Rate-Downstream

26-155

Expected-Throughput-Upstream

26-156

Expected-Throughput-Downstream

26-157

Attainable-Expected-Throughput-Upstream

26-158

Attainable-Expected-Throughput-Downstream

26-159

Gamma-Data-Rate-Upstream

26-160

Gamma-Data-Rate-Downstream

26-161

Attainable-Gamma-Data-Rate-Upstream

26-162

Attainable-Gamma-Data-Rate-Downstream

26-254

IWF-Session

RADIUS Support for Microsoft Corporation VSAs for DNS Server Addresses

Starting in Junos OS Release 15.1, the Junos OS AAA implementation supports RADIUS VSAs that identify the primary and secondary DNS servers for IANA private enterprise number 311 (Microsoft Corporation). For example, during PPP authentication, the router receives the VSAs from a RADIUS server and uses the attributes to provision customer premise equipment.

The two VSAs are shown in the following table and are described in RFC 2548 (Microsoft Vendor-specific RADIUS Attributes).

Table 8: Microsoft Vendor-Specific RADIUS Attributes for DNS Server Addresses

Attribute Number

Attribute Name

Description

Value

26-28

MS-Primary-DNS-Server

IP address of the primary Domain Name Server.

This VSA can be included in Access-Accept and Accounting-Request packets.

integer: 4-octet primary-dns-address

26-29

MS-Secondary-DNS-Server

IP address of the secondary Domain Name Server.

This VSA can be included in Access-Accept and Accounting-Request packets.

integer: 4-octet secondary-dns-address

Support for Cisco Systems VSAs

Cisco Systems, IANA private enterprise number 9, uses a single VSA, Cisco-AVPair (26-1). This VSA conveys different information based on the values it contains. In some subscriber access networks, a BNG is connected to both a RADIUS server and a Cisco BroadHop application that is used as the Policy Control and Charging Rules Function (PCRF) server for provisioning services using RADIUS change of authorization (CoA) messages. In these networks, you can use this VSA in RADIUS messages to activate and deactivate services. You cannot modify any attributes in authentication, accounting, or CoA responses in the RADIUS messages that the BNG sends. See Processing Cisco VSAs in RADIUS Messages for Service Provisioning for more information.

Any Cisco VSAs other than the ones used to provision the services are treated as unsupported attributes.

Subscriber Management RADIUS Dictionary Files

The Juniper Networks RADIUS dictionary that is used by default for subscriber management is updated when software features that affect the file are added or changed. The dictionary is not updated for every Junos OS release. The dictionary includes Juniper Networks vendor-specific attributes that are used by Junos OS, JunosE OS, or both.

Note

The VSA names in the dictionary begin with the prefix “Jnpr-” or “Unisphere”. By convention, both prefixes are omitted from the Tech Library documentation to reduce confusion in feature discussions.

Interface Text Descriptions for Inclusion in RADIUS Attributes

RADIUS attributes such as NAS-Port-ID (87) and Calling-Station-ID (31) include a description that identifies the physical interface that is used to authenticate subscribers. The default format for nonchannelized interfaces is as follows:

interface-type-slot/adapter/port.subinterface[:svlan-vlan]

For example, consider physical interface ge-1/2/0, with a subinterface of 100 and SVLAN identifier of 100. The interface description used in the NAS-Port-ID is ge-1/2/0.100:100.

Starting in Junos OS Release 17.3R1, a different format is used for channelized interfaces. For channelized interfaces, the default interface description is as follows:

interface-type-slot/adapter/logical-port-number.subinterface[:svlan-vlan]

The channel information (logical port number) is determined by this formula:

Logical port number = 100 + (actual-port-number x 20) + channel-number

For example, consider a channelized interface 3 on port 2 where the:

  • Physical interface is xe-0/1/2:3.

  • Subinterface is 4.

  • SVLAN is 5.

  • VLAN is 6.

Using the formula, the logical port number = 100 + (2 x 20) + 3 = 143. Consequently, the default interface description is xe-0/1/143.4-5.6.

You can optionally configure the interface description format in an access profile to exclude the adapter, channel, or subinterface information.

For example, if you exclude the subinterface from the nonchannelized interface description format, the description becomes ge-1/2/0:100. If you exclude the channel information from the channelized interface description format, the description becomes xe-0/1/2.4-5.6.

Release History Table

| Release | Description |
|---|---|
| 17.3R1 | Starting in Junos OS Release 17.3R1, a different format is used for channelized interfaces. |
| 15.1 | Starting in Junos OS Release 15.1, the Junos OS AAA implementation supports RADIUS VSAs that identify the primary and secondary DNS servers for IANA private enterprise number 311 (Microsoft Corporation). |