Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    radius include

    Syntax

    radius include attributeName
    { access-request | acct-on | acct-off | acct-start | acct-stop } { enable | disable }

    no radius include attributeName
    { access-request | acct-on | acct-off | acct-start | acct-stop }

    Release Information

    Command introduced before JunosE Release 7.1.0.
    l2c-access-loop-parameters attribute added in JunosE Release 7.2.0.
    l2cd attributes added in JunosE Release 9.0.0.
    framed-interface-id and framed-ipv6-prefix attributes, and acct-stop support for framed-ip-addr attribute added in JunosE Release 9.0.0.
    downstream-calculated-qos-rate and upstream-calculated-qos-rate attributes added in JunosE Release 9.1.0.
    ipv6-accounting, delegated-ipv6-prefix, framed-ipv6-pool, framed-ipv6-route, ipv6-local-interface, ipv6-nd-ra-prefix, ipv6-primary-dns, ipv6-secondary-dns, and ipv6-virtual-router attributes added in JunosE Release 10.2.0.

    icr-partition-id attribute added in JunosE Release 10.3.0.
    framed-route attribute added in JunosE Release 11.3.0.
    ipv6-egress-policy-name and ipv6-ingress-policy-name attributes added in JunosE Release 13.0.0.
    dhcp-option82-circuitid and dhcp-option82-remoteid attributes added in JunosE Release 13.1.0.
    qos-profile-name, ds-lite-tunnel-name, and pcp-server-name attributes added in JunosE Release 13.2.0.

    Description

    Configures the inclusion of RADIUS attributes in RADIUS messages. Not all attributes are available in all message types. The listed attributes are included by default except where noted. The no version restores the default.

    Options

    • attributeName—One of the following RADIUS attributes; not all attributes are available in all message types.

      Attributes available for Access-Request, Acct-Start, and Acct-Stop messages:

      • acct-multi-session-id—Includes RADIUS attribute 50, Acct-Multi-Session-Id
      • acct-tunnel-connection—Includes RADIUS attribute 68, Acct-Tunnel-Connection
      • ascend-num-in-multilink—Includes RADIUS attribute 188, Ascend-Num-In-Multilink
      • called-station-id—Includes RADIUS attribute 30, Called-Station-Id
      • calling-station-id—Includes RADIUS attribute 31, Calling-Station-Id
      • connect-info—Includes RADIUS attribute 77, Connect-Info
      • dhcp-options—Includes RADIUS attribute 26-55, DHCP-Options
      • dhcp-option82—Includes RADIUS attribute 26–159, DHCP-Option 82
      • dhcp-option82-circuitid—Includes RADIUS attribute 26–1, DHCP-Option 82
      • dhcp-option82-remoteid—Includes RADIUS attribute 26–2, DHCP-Option 82
      • dhcp-gi-address—Includes RADIUS attribute 26-57, DHCP-GI-Address
      • dhcp-mac-address—Includes RADIUS attribute 26-56, DHCP-MAC Address
      • downstream-calculated-qos-rate—Excluded by default; includes RADIUS attribute 26-141, Downstream-Calculated-Qos-Rate
      • framed-interface-id—Excluded by default; includes RADIUS attribute 96, Framed-Interface-Id, if an IPv6 interface ID is assigned to the subscriber
      • framed-ip-addr—Includes RADIUS attribute 8, Framed-IP-Address, if an IP address is assigned to the subscriber
      • framed-ipv6-prefix—Excluded by default; includes RADIUS attribute 97, Framed-Ipv6-Prefix, if at least one IPv6 prefix is assigned to the subscriber
      • icr-partition-id—Excluded by default; includes RADIUS attribute 26-150, ICR-Partition-Id, which is a user-configured value of up to 128 characters
      • interface-description—Excluded by default; includes RADIUS attribute 26-63, Interface-Desc; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2c-downstream-data—Excluded by default; includes RADIUS attribute 26-92, L2C-Down-Stream-Data
      • l2c-upstream-data—Excluded by default; includes RADIUS attribute 26-93, L2C-Up-Stream-Data
      • l2cd-acc-loop-cir-id—Excluded by default; includes RADIUS attribute 26-110, Acc-Loop-Cir-Id; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-acc-aggr-cir-id-bib—Excluded by default; includes RADIUS attribute 26-111, Acc-Aggr-Cir-Id-Bin; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-acc-aggr-cir-id-asc—Excluded by default; includes RADIUS attribute 26-112, Acc-Aggr-Cir-Id-Asc; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-act-data-rate-up—Excluded by default; includes RADIUS attribute 26-113, Act-Data-Rate-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-act-data-rate-dn—Excluded by default; includes RADIUS attribute 26-114, Act-Data-Rate-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-min-data-rate-up—Excluded by default; includes RADIUS attribute 26-115, Min-Data-Rate-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-min-data-rate-dn—Excluded by default; includes RADIUS attribute 26-116, Min-Data-Rate-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-att-data-rate-up—Excluded by default; includes RADIUS attribute 26-117, Att-Data-Rate-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-att-data-rate-dn—Excluded by default; includes RADIUS attribute 26-118, Att-Data-Rate-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-max-data-rate-up—Excluded by default; includes RADIUS attribute 26-119, Max-Data-Rate-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-max-data-rate-dn—Excluded by default; includes RADIUS attribute 26-120, Max-Data-Rate-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-min-lp-data-rate-up—Excluded by default; includes RADIUS attribute 26-121, Min-LP-Data-Rate-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-min-lp-data-rate-dn—Excluded by default; includes RADIUS attribute 26-122, Min-LP-Data-Rate-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-max-interlv-delay-up—Excluded by default; includes RADIUS attribute 26-123, Max-Interlv-Delay-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-act-interlv-delay-up—Excluded by default; includes RADIUS attribute 26-124, Act-Interlv-Delay-Up; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-max-interlv-delay-dn—Excluded by default; includes RADIUS attribute 26-125, Max-Interlv-Delay-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-act-interlv-delay-dn—Excluded by default; includes RADIUS attribute 26-126, Act-Interlv-Delay-Dn; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-dsl-line-state—Excluded by default; includes RADIUS attribute 26-127, DSL-Line-State; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • l2cd-dsl-type—Excluded by default; includes RADIUS attribute 26-128, DSL-Type; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • mlppp-bundle-name—Excluded by default; includes RADIUS attribute 26-62, MLPPP-Bundle-Name; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • nas-port—Includes RADIUS attribute 5, NAS-Port
      • nas-port-id—Includes RADIUS attribute 87, NAS-Port-Id

        Note: For subscribers connected over the link aggregation group (LAG) interface in DHCP standalone authenticate mode, RADIUS uses the LAG interface ID for the Nas-Port-Id attribute.

      • nas-port-type—Includes RADIUS attribute 61, NAS-Port-Type

        Note: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, RADIUS calculates the value of the Nas-Port-Type attribute.

      • pppoe-description—Includes RADIUS attribute 26-24, Pppoe-Description
      • profile-service-description—Includes RADIUS attribute 26-53, Service-Description
      • tunnel-client-auth-id—Includes RADIUS attribute 90, Tunnel-Client-Auth-Id
      • tunnel-client-endpoint—Includes RADIUS attribute 66, Tunnel-Client-Endpoint
      • tunnel-interface-id—Excluded by default; includes RADIUS attribute 26-44, Tunnel-Interface-ID
      • tunnel-medium-type—Includes RADIUS attribute 65, Tunnel-Medium-Type
      • tunnel-server-attributes—Excluded by default; includes all supported tunnel server attributes; that is, the attributes of the tunnel client when PPP is terminated at the LNS on the router
      • tunnel-server-auth-id—Includes RADIUS attribute 91, Tunnel-Server-Auth-Id
      • tunnel-server-endpoint—Includes RADIUS attribute 67, Tunnel-Server-Endpoint
      • tunnel-type—Includes RADIUS attribute 64, Tunnel-Type
      • upstream-calculated-qos-rate—Excluded by default; includes RADIUS attribute 26-142, Upstream-Calculated-Qos-Rate

      Attributes available for Access-Request messages only:

      • access-loop-parameters—Excluded by default; includes RADIUS attribute 26-81, L2c-Information

      Attributes available for Acct-Start and Acct-Stop messages only:

      • acct-link-count—Includes RADIUS attribute 51, Acct-Link-Count
      • class—Includes RADIUS attribute 25, Class
      • ds-lite-tunnel-name —Excluded by default; includes RADIUS attribute 144, DS-Lite-Tunnel-Name; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • egress-policy-name—Includes RADIUS attribute 26-11, Egress-Policy-Name
      • framed-compression—Includes RADIUS attribute 13, Framed-Compression
      • framed-ip-netmask—Includes RADIUS attribute 9, Framed-IP-Netmask
      • framed-route—Excluded by default; includes RADIUS attribute 22, Framed-Route
      • ingress-policy-name—Includes RADIUS attribute 26-10, Ingress-Policy-Name
      • tunnel-assignment-id—Includes RADIUS attribute 82, Tunnel-Assignment-Id
      • tunnel-preference—Includes RADIUS attribute 83, Tunnel-Preference
      • ipv6-ingress-policy-name—Includes RADIUS attribute 26-106, Ipv6-Ingress-Policy-Name; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • ipv6-egress-policy-name—Includes RADIUS attribute 26-107, Ipv6-Egress-Policy-Name; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • pcp-server-name—Excluded by default; includes RADIUS attribute 26-165, PCP-Server-Name; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages
      • qos-profile-name—Excluded by default; includes RADIUS attribute 26-26, QoS-Profile-Name; attribute automatically included in Interim-Acct messages when included in Acct-Stop messages

        Note:

        • The QoS profile names configured through the SRC software and CLI are not included in the RADIUS accounting messages. Only the profile name received from the RADIUS server in the Access-Accept messages is included in the RADIUS accounting messages.
        • The QoS profile name configured locally is not sent in the authentication Access-Request messages.
        • The QoS profile name returned by the RADIUS server is sent in the subsequent RADIUS accounting messages even after the QoS profile name configured through RADIUS is overridden with the QoS profile name configured through the CLI; this is a limitation.

      Attributes available for Acct-Stop messages only:

      • delegated-ipv6-prefix—Excluded by default; includes RADIUS attribute 123, Delegated-Ipv6-Prefix
        • The attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages
        • When prefix delegation occurs, an immediate-update (if enabled) message, which contains the delegated prefix information, is sent to the RADIUS server
        • When the prefix to be delegated to clients is obtained from the IPv6 local address server and not the RADIUS server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command is configured, the delegated prefix is sent to the RADIUS server in this attribute in the immediate accounting, Acct-Stop, or Interim-Acct messages
        • When the prefix to be delegated to clients is allocated from the IPv6 local address server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command is not configured, the delegated prefix is sent to the RADIUS server in the Framed-Ipv6-Prefix attribute in the immediate accounting, Acct-Stop, or Interim-Acct messages
        • For static interfaces, although the prefix configured using the CLI command is used for DHCPv6 Prefix Delegation instead of the value returned by the RADIUS server, the immediate accounting, Acct-Stop, or Interim-Acct messages contain the prefix returned from the RADIUS server
        • If this attribute is not returned from the RADIUS server, the immediate accounting, Acct-Stop, or Interim-Acct messages do not report this attribute
      • framed-ipv6-pool—Excluded by default; includes RADIUS attribute 100, Framed-IPv6-Pool; the attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages; if this attribute is configured in the AAA domain map using the CLI and is not returned from RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the domain map
      • framed-ipv6-route—Excluded by default; includes RADIUS attribute 99, Framed-IPv6-Route; the attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages; when this attribute is not returned from the RADIUS server in the Access-Accept message, the immediate accounting, Acct-Stop, or Interim-Acct messages do not report this attribute
      • input-gigapkts—Includes RADIUS attribute 26-35, Acct-Input-Gigapackets
      • input-gigawords—Includes RADIUS attribute 52, Acct-Input-Gigawords
      • ipv6-accounting—Excluded by default; automatically included in Interim-Acct messages when included in Acct-Stop messages; includes the following RADIUS attributes:
        • IPv6-Acct-Input-Octets [26-151]
        • IPv6-Acct-Output-Octets [26-152]
        • IPv6-Acct-Input-Packets [26-153]
        • IPv6-Acct-Output-Packets [26-154]
        • IPv6-Acct-Input-Gigawords [26-155]
        • IPv6-Acct-Output-Gigawords [26-156]
      • ipv6-local-interface—Excluded by default; includes RADIUS attribute 26-46, Ipv6-Local-Interface; the attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages; if IPv6 local interface is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the domain map
      • ipv6-nd-ra-prefix—Excluded by default; includes RADIUS attribute 26-129, Ipv6-NdRa-Prefix; the attribute value received from the RADIUS server in the Access-Accept message is included in the accounting messages; for dynamic interfaces, if the Ipv6-NdRa-Prefix attribute is configured in the profile and is not returned from RADIUS server, this attribute is not included in the Acct-Start, Acct-Stop, and Interim-Acct messages

        Note: When you attempt to configure the Ipv6-NdRa-Prefix attribute using the dynamic configuration manager (DCM) profile, the prefix is not successfully configured and the subscriber does not come up. In this scenario, the RADIUS server rejects the authentication request from the subscriber and records an error message stating that address allocation failed. However, if you attempt to configure the Ipv6-NdRa-Prefix attribute using the RADIUS profile, the prefix is correctly configured and the subscriber comes up successfully. This behavior is expected when the DCM profile is used to configure the Ipv6-NdRa-Prefix attribute.

        This scenario occurs when router advertisements are enabled in the DCM profile and the RADIUS server returns only the Framed-Interface-Id attribute. Because the AAA server requires one of the following attributes to authenticate IPv6 subscribers, and none of these attributes are returned from the RADIUS server, the logging in of subscribers fails:

        • Ipv6-NdRa-Prefix (VSA 26-129)
        • Framed-IPv6-Prefix (RADIUS IETF attribute 97)
        • Framed-IPv6-Route (RADIUS IETF attribute 99)
        • Framed-IPv6-Pool (RADIUS IETF attribute 100)
        • Delegated-IPv6-Prefix (RADIUS IETF attribute 123)
      • ipv6-primary-dns—Excluded by default; includes RADIUS attribute 26-47, Ipv6-Primary-DNS; the attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages; if the IPv6 primary DNS server is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the AAA domain map
      • ipv6-secondary-dns—Excluded by default; includes RADIUS attribute 26-48, Ipv6-Secondary-DNS; the attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages; if the IPv6 secondary DNS server is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the AAA domain map
      • ipv6-virtual-router—Excluded by default; includes RADIUS attribute 26-45, Ipv6-Virtual-Router
        • The attribute value received from the RADIUS server in the Access-Accept message is used in the accounting messages
        • If the IPv6 virtual router is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the domain map
        • If IPv6 virtual router is not configured in the AAA domain map and is not returned from the RADIUS server, it is not included in the Acct-Start message because the value is not yet known
        • If the IPv6 virtual router context is configured from the profile, it is reported in the immediate-update message for DHCPv6 prefix delegation
        • If you configure the default virtual router as the authentication virtual router for the domain map using the ipv6-router-name command in Domain Map Configuration Mode and the IPv6-Virtual-Router RADIUS VSA attribute [26-45] is returned from the RADIUS server in the Access-Accept message, the IPv6 virtual router context returned from the RADIUS server overrides the IPv6 virtual router context configured in the AAA domain map. If you configure a nondefault virtual router as the authentication virtual router for the AAA domain map and the IPv6-Virtual-Router RADIUS VSA attribute [26-45] is returned from the RADIUS server in the Access-Accept message, the IPv6 virtual router context in the AAA domain map takes precedence over the IPv6 virtual router context returned from the RADIUS server.
      • l2tp-ppp-disconnect-cause—Includes RADIUS attribute 26-51, Disconnect-Cause
      • output-gigapkts—Includes RADIUS attribute 26-36, Acct-Output-Gigapackets
      • output-gigawords—Includes RADIUS attribute 53, Acct-Output-Gigawords

      Attributes available for Access-Request, Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages:

      • nas-identifier—Includes RADIUS attribute 32, NAS-Identifier

      Attributes available for Access-Request, Acct-On, and Acct-Off messages:

      • acct-session-id—Includes RADIUS attribute 44, Acct-Session-Id; can be optionally included in the change-of-authorization (COA) message from the RADIUS server or in the user login request if the packet mirroring operation is required; the Acct-Session-Id VSA is used:
        • In the RADIUS-initiated COA message to start the mirroring session when the user is already logged in
        • As a trigger in user-initiated mirroring to identify the user whose traffic is to be mirrored

      Attributes available for Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages:

      • event-timestamp—Includes RADIUS attribute 55, Event-Timestamp

      Attributes available for Acct-On and Acct-Off messages only:

      • acct-authentic—Includes RADIUS attribute 45, Acct-Authentic
      • acct-delay-time—Includes RADIUS attribute 41, Acct-Delay-Time

      Attributes available for Acct-Off messages only:

      • acct-terminate-cause—Includes RADIUS attribute 49, Acct-Terminate-Cause
    • access-request—Specifies RADIUS Access-Request messages
    • acct-on—Specifies RADIUS Acct-On messages
    • acct-off—Specifies RADIUS Acct-Off messages
    • acct-start—Specifies RADIUS Acct-Start messages
    • acct-stop—Specifies RADIUS Acct-Stop messages
    • enable—Enables attribute inclusion
    • disable—Disables attribute inclusion; the attribute is excluded

    Mode

    Global Configuration

    Published: 2014-08-20