Related Documentation
Juniper Networks VSAs
Table 1 lists Juniper Networks VSA formats for RADIUS. JunosE Software uses the vendor ID assigned to Juniper Networks (vendor ID 4874) by the Internet Assigned Numbers Authority (IANA).
Table 1: Juniper Networks (Vendor ID 4874) VSA Formats
Attribute Number | Attribute Name | Description | Length | Subtype Length | Value |
|---|---|---|---|---|---|
[26-1] | Virtual-Router |
| len | sublen | string: virtual-router-name |
[26-2] | Local-Address-Pool |
| len | sublen | string: address-pool-name |
[26-3] | Local-Interface | Interface to apply to the E Series side of the connection The interface value can be one of the following:
| len | sublen | string: local-interface |
[26-4] | Primary-DNS |
| 12 | 6 | integer: 4-byte primary-dns-address |
[26-5] | Secondary-DNS |
| 12 | 6 | integer: 4-byte secondary-dns-address |
[26-6] | Primary-WINS (NBNS) |
| 12 | 6 | integer: 4-byte primary-wins-address |
[26-7] | Secondary-WINS (NBNS) |
| 12 | 6 | integer: 4-byte secondary-wins- |
[26-8] | Tunnel-Virtual-Router | For tunneled connections, specifies the virtual router associated with the tunnel connection | len | sublen | string: tunnel-virtual-router |
[26-9] | Tunnel-Password | Tunnel password in cleartext | len | sublen | string: tunnel-password |
[26-10] | Ingress-Policy-Name | IPv4 input policy name to apply to B-RAS user’s interface | len | sublen | string: input-policy-name |
[26-11] | Egress-Policy-Name | IPv4 output policy name to apply to B-RAS user’s interface | len | sublen | string: output-policy-name |
[26-12] | Ingress-Statistics | Enable or disable input statistics on B-RAS user’s interface | 12 | 6 | integer: 0 = disable, |
[26-13] | Egress-Statistics | Enable or disable output statistics on B-RAS user’s interface | 12 | 6 | integer: 0 = disable, |
[26-14] | Service-Category | ATM service category to apply to B-RAS user’s interface | 12 | 6 | integer: 1= UBR, |
[26-15] | PCR |
| 12 | 6 | integer: 4-octet |
[26-16] | SCR |
| 12 | 6 | integer: 4-octet |
[26-17] | Mbs |
| 12 | 6 | integer: 4-octet |
[26-18] | Init-CLI-Access-Level |
| len | sublen | single attribute: enter 0, 1, 5, 10, or 15 |
[26-19] | Allow-All-VR-Access |
| len | sublen | integer: 0 = disable, |
[26-20] | Alt-CLI-Access-Level |
| len | sublen | single attribute; enter 0, 1, 5, 10, or 15 |
[26-21] | Alt-CLI-Vrouter-Name |
| len | sublen | string: virtual-router-name |
[26-22] | Sa-Validate |
| len | sublen | integer: 0 = disable, |
[26-23] | Igmp-Enable |
| len | sublen | integer: 0 = disable, |
[26-24] | Pppoe-Description | The string pppoe <mac addr> sent to the RADIUS server supplied by PPPoE | len | sublen | string: pppoe<mac addr> |
[26-25] | Redirect-Vrouter-Name |
| len | sublen | authentication- |
[26-26] | QoS-Profile-Name | Name of the QoS profile to attach to the user’s interface | len | sublen | string: qos-profile-name |
[26-28] | PppoE-Url | PPPoE URL that is passed to PPPoE subscribers | len | sublen | string:URL |
[26-30] | Tunnel-Nas-Port-Method | Conveys nasPort and nasPort type in tunnel | 12 | 6 | 4-octet integer: |
[26-31] | Service-Bundle | Specifies the SRC service bundle | len | sublen | string |
[26-33] | Tunnel-Max-Sessions | Maximum number of sessions allowed in a tunnel | 12 | 6 | integer: 4-octet |
[26-34] | Framed-Ip-Route-Tag | Route tag to apply to returned framed-ip-address | 12 | 6 | integer: 4-octet |
[26-35] | Tunnel-Dialout-Number | Dial number in L2TP dial-out | len | sublen | string:dial-out-number |
[26-36] | PPP-Username | Username used in PPP L2TP dial-out sessions at the LNS for L2TP dial-out | len | sublen | string: ppp-username |
[26-37] | PPP-Password | Password used in PPP L2TP dial-out sessions at the LNS for L2TP dial-out | len | sublen | string: ppp-password |
[26-38] | PPP-Protocol | PPP authentication protocol used for L2TP dial-out sessions at the LNS | 12 | 6 | integer: 0 = none; |
[26-39] | Tunnel-Min-Bps | Minimum line speed for L2TP dial-out | 12 | 6 | integer |
[26-40] | Tunnel-Max-Bps | Maximum line speed for L2TP dial-out | 12 | 6 | integer |
[26-41] | Tunnel-Bearer-Type | Bearer capability required for L2TP dial-out | 12 | 6 | integer: 0 = none; |
[26-42] | Input-GigaPkts | Number of times input-packets attribute rolls over its 4-octet field | 12 | 6 | integer |
[26-43] | Output-GigaPkts | Number of times output-packets attribute rolls over its 4-octet field | 12 | 6 | integer |
[26-44] | Tunnel-Interface-Id | Tunnel interface selector that AAA caches as part of the tunnel-session profile and the user’s profile. This attribute is available to the RADIUS authentication and accounting servers. | len | sublen | string: tunnel selector |
[26-45] | Ipv6-Virtual-Router | Virtual router name for B-RAS user’s IPv6 interface | len | sublen | string: virtual-router-name |
[26-46] | Ipv6-Local-Interface | Local IPv6 interface to apply to the E Series side of the connection | len | sublen | string: ipv6-local-interface |
[26-47] | Ipv6-Primary-DNS | B-RAS user’s primary IPv6 DNS address negotiated by DHCP | len | sublen | hexadecimal string: ipv6-primary-dns- |
[26-48] | Ipv6-Secondary-DNS | B-RAS user’s secondary IPv6 DNS address negotiated by DHCP | len | sublen | hexadecimal string: ipv6-primary-dns- |
[26-51] | Disconnect-Cause | L2TP PPP disconnect cause information received by the LAC | len | sublen | string:l2tp-ppp- |
[26-52] | Radius-Client-Address | RADIUS relay server’s IP address | 12 | 6 | integer:4-octet |
[26-53] | Service-Description | AAA profile service description string | len | sublen | string:profile-service- |
[26-54] | L2tp-Recv-Window-Size |
| 12 | 6 | integer:4-octet |
[26-55] | DHCP-Options | Client’s DHCP options | len | sublen | string:dhcp-options |
[26-56] | DHCP-MAC-Address | Client’s MAC address | len | sublen | string:mac-address |
[26-57] | DHCP-GI-Address | DHCP relay agent’s IP address | 12 | 6 | integer:4-octet |
[26-58] | LI-Action | Packet mirroring action | len | sublen | Salt encrypted integer: 0 = stop monitoring; 1 = start monitoring; 2 = no action |
[26-59] | Med-Dev-Handle | Hexadecimal string used to determine mirror header attributes, prepended to each mirrored packet that is sent to the analyzer device | len | sublen | Salt encrypted string; hexadecimal string of 4 bytes or 8 bytes |
[26-60] | Med-Ip-Address | IP address of analyzer device to which mirrored packets are forwarded | len | sublen | Salt encrypted IP address |
[26-61] | Med-Port-Number | UDP port in the analyzer device to which mirrored packets are forwarded | len | sublen | Salt encrypted integer |
[26-62] | MLPPP-Bundle-Name | Text string that identifies the Multilink PPP bundle name | len | sublen | string:mlppp-bundle- |
[26-63] | Interface-Desc | Text string that identifies the subscriber’s access interface | len | sublen | string:interface- |
[26-64] | Tunnel-Group | Name of the tunnel group assigned to a domain map | len | sublen | string:tunnel-group- |
[26-65] | Activate-Service | Service to activate for the subscriber | len | sublen | string:service-name |
[26-66] | Deactivate-Service | Service to deactivate for the subscriber | len | sublen | string:service-name |
[26-67] | Service-Volume-tagX | Amount of traffic, in MB, that can use the service; service is deactivated when the volume is exceeded | 12 | 6 | integer: volume in MB; 0 = infinite volume |
[26-68] | Service-Timeout-tagX | Number of seconds that the service can be active; service is deactivated when the timeout expires | 12 | 6 | integer: time in seconds; 0 = no timeout |
[26-69] | Service-Statistics-tagX | Enable or disable statistics for the service | 12 | 6 | integer: 0 = disable; |
[26-70] | Ignore-DF-Bit | Enable or disable the ignore don’t fragment (DF) bit feature on a B-RAS user's interface | 12 | 6 | integer: 0 = disable; |
[26-71] | IGMP-Access-Name | Access List to use for the group (G) filter | len | sublen | string:32-octet |
[26-72] | IGMP-Access-Src-Name | Access List to use for the source-group (S,G) filter | len | sublen | string:32-octet |
[26-73] | IGMP-OIF-Map-Name | Multicast OIF (outgoing interface) mapping | len | sublen | string:32-octet |
[26-74] | MLD-Access-Name | Access List to use for the group (G) filter | len | sublen | string:32-octet |
[26-75] | MLD-Access-Src-Name | Access List to use for the source-group (S,G) filter | len | sublen | string:32-octet |
[26-76] | MLD-OIF-Map-Name | Multicast OIF (outgoing interface) mapping | len | sublen | string:32-octet |
[26-77] | MLD-Version | MLD Protocol Version (MLD Version 1 = 1; MLD Version 2 = 2) | 12 | 6 | integer:1-octet |
[26-78] | IGMP-Version | IGMP Protocol Version (IGMP Version 1=1; | 12 | 6 | integer:1-octet |
[26-79] | IP-Mcast-Adm-Bw-Limit | The maximum multicast bandwidth that will be admitted on an IP interface, in Kbps | 12 | 6 | integer:4-octet |
[26-80] | IPv6-Mcast-Adm-Bw- | The maximum multicast bandwidth that will be admitted on an IPv6 interface, in Kbps | 12 | 6 | integer:4-octet |
[26-81] | L2c-Information | Series of type length
value (tlv) fields (binary) representing the access loop parameters
as defined in GSMP extensions for layer2 control (L2C) Topology Discovery
and Line Configuration—draft-wadhwa-gsmp- | len | sublen | string: format is a series of type length value (tlv)
fields |
[26-82] | Qos-Parameters | Name of the QoS parameter instance to create on the user’s
interface, followed by the value of the parameter. For example, the
max-bandwidth 4000000 parameter instance represents the parameter
name that was defined using the qos-parameter- | len | sublen | string: format is parameter name parameter value, where parameter name is ASCII name of a parameter name found in the QoS parameter definition and parameter value is the ASCII representation of 0–21474836470; multiple instances of this VSA can be returned from RADIUS using this format |
[26-83] | Service-Session | Name of the service (including parameter values) that is associated with service manager statistics | len | sublen | string:service-name |
[26-84] | Mobile-IP-Algorithm | Authentication algorithm used for Mobile IP registration | 12 | 6 | integer: 4-octet |
[26-85] | Mobile-IP-SPI | Security parameter index for Mobile IP registration | 12 | 6 | integer: 4-octet |
[26-86] | Mobile-IP-Key | Security association MD-5 key for Mobile IP registration | len | sublen | string: 32-octet |
[26-87] | Mobile-IP-Replay | Replay time stamp for Mobile IP registration | 12 | 6 | integer: 4-octet |
[26-88] | Mobile-IP-Access- | Access control list to filter on basis of care-of address | len | sublen | string: 32-octet |
[26-89] | Mobile-IP-Lifetime | Registration lifetime for Mobile IP registration | 12 | 6 | integer: 4-octet |
[26-90] | L2TP-Resynch-Method | L2TP peer resynchronization method | 12 | 6 | integer: 0 = disabled; 1= failover protocol; |
[26-91] | Tunnel-Switch-Profile |
| len | sublen | string: tunnel-switch-profile |
[26-92] | L2C-Up-Stream-Data | Actual upstream rate
access loop parameter (ASCII encoded) as defined in GSMP extensions
for layer2 control (L2C) Topology Discovery and Line Configuration—draft-wadhwa-gsmp- | len | sublen | string: actual upstream rate access loop parameter (ASCII encoded) |
[26-93] | L2C-Down-Stream-Data | Actual downstream
rate access loop parameter (ASCII encoded) as defined in GSMP extensions
for layer2 control (L2C) Topology Discovery and Line Configuration—draft-wadhwa-gsmp- | len | sublen | string: actual downstream rate access loop parameter (ASCII encoded) |
[26-94] | Tunnel-Tx-Speed-Method | The method that the router uses to calculate the transmit connect speed of the subscriber’s access interface. This speed is reported in L2TP Transmit (TX) Speed AVP 24. During the establishment of an L2TP tunnel session, the LAC sends AVP 24 to the LNS to convey the transmit speed of the subscriber’s access interface. | 12 | 6 | integer: |
[26-95] | IGMP-Query-Interval | IGMP Query Interval | 12 | 6 | integer: 4-octet |
[26-96] | IGMP-Max-Resp-Time | IGMP Maximum Response Time | 12 | 6 | integer: 4-octet |
[26-97] | IGMP-Immediate-Leave | IGMP Immediate Leave | 12 | 6 | 4-octet integer: |
[26-98] | MLD-Query-Interval | MLD Query Interval | 12 | 6 | integer: 4-octet |
[26-99] | MLD-Max-Resp-Time | MLD Maximum Response Time | 12 | 6 | integer: 4-octet |
[26-100] | MLD-Immediate-Leave | MLD Immediate Leave | 12 | 6 | integer: 4-octet; |
[26-101] | IP-Block-Multicast | Block all multicast traffic with a scope larger than link-local (for example, global) and prevent mroute creation under these conditions. This attribute does not affect reception of link-local multicast packets. | 12 | 6 | integer: 4-octet; |
[26-102] | IGMP-Explicit-Tracking | Enable or disable explicit host tracking for IPv4 IGMP interfaces. This option enables the router to explicitly track each individual host that is joined to a group or channel on a particular multi-access network. | 12 | 6 | integer: 4-octet; |
[26-103] | IGMP-No-Tracking-V2-Grps | Disable IGMP explicit host tracking for groups that contain IGMP V2 hosts. This attribute is valid only if IGMP V3 is enabled on the interface. | 12 | 6 | integer: 4-octet; |
[26-104] | MLD-Explicit-Tracking | Enable or disable explicit host tracking for IPv6 MLD interfaces. This option enables the router to explicitly track each individual host that is joined to a group or channel on a particular multi-access network. | 12 | 6 | integer: 4-octet; |
[26-105] | MLD-No-Tracking-V1-Grps | Disable MLD explicit host tracking for groups that contain MLD V1 hosts. This attribute is valid only if MLD V2 is enabled on the interface. | 12 | 6 | integer: 4-octet; |
[26-106] | Ipv6-Ingress-Policy-Name | IPv6 ingress policy that is applied to the subscriber interface | len | sublen | string: Ipv6-Ingress-Policy-Name |
[26-107] | Ipv6-Egress-Policy-Name | IPv6 egress policy that is applied to the subscriber interface | len | sublen | string: Ipv6-Egress-Policy-Name |
[26-110] | Acc-Loop-Cir-Id | Identification of the subscriber node connection to the access node | len | sublen | string: up to 63 ASCII characters |
[26-111] | Acc-Aggr-Cir-Id-Bin | Unique identification of the DSL line | len | sublen | integer: 8-octet |
[26-112] | Acc-Aggr-Cir-Id-Asc | Identification of the uplink on the access node. For example:
| len | sublen | string: up to 63 ASCII characters |
[26-113] | Act-Data-Rate-Up | Actual upstream data rate of the subscriber’s synchronized DSL link | 12 | 6 | integer: 4-octet |
[26-114] | Act-Data-Rate-Dn | Actual downstream data rate of the subscriber’s synchronized DSL link | 12 | 6 | integer: 4-octet |
[26-115] | Min-Data-Rate-Up | Minimum upstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-116] | Min-Data-Rate-Dn | Minimum downstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-117] | Att-Data-Rate-Up | Upstream data rate that the subscriber can attain | 12 | 6 | integer: 4-octet |
[26-118] | Att-Data-Rate-Dn | Downstream data rate that the subscriber can attain | 12 | 6 | integer: 4-octet |
[26-119] | Max-Data-Rate-Up | Maximum upstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-120] | Max-Data-Rate-Dn | Maximum downstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-121] | Min-LP-Data-Rate-Up | Minimum upstream data rate in low power state configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-122] | Min-LP-Data-Rate-Dn | Minimum downstream data rate in low power state configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-123] | Max-Interlv-Delay-Up | Maximum one-way upstream interleaving delay configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-124] | Act-Interlv-Delay-Up | Subscriber’s actual one-way upstream interleaving delay | 12 | 6 | integer: 4-octet |
[26-125] | Max-Interlv-Delay-Dn | Maximum one-way downstream interleaving delay configured for the subscriber | 12 | 6 | integer: 4-octet |
[26-126] | Act-Interlv-Delay-Dn | Subscriber’s actual one-way downstream interleaving delay | 12 | 6 | integer: 4-octet |
[26-127] | DSL-Line-State | State of the DSL line | 12 | 6 | 4-octet integer |
[26-128] | DSL-Type | Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated | 11 | 5 | string: 3-byte |
[26-129] | Ipv6-NdRa-Prefix | Prefix value in IPv6 Neighbor Discovery route advertisements | len | sublen | hexadecimal string |
[26-130] | QoS-Interfaceset-Name | Name of the QoS interface set to attach to the subscriber interface | len | sublen | string: qos-interfaceset-name |
[26-140] | Service-Interim-Acct- | Amount of time between interim accounting updates for this service. | 12 | 6 | integer: time in the range 600–86400 seconds; |
[26-141] | Downstream-Calculated- | Calculated downstream QoS rate in Kbps as set by the ANCP configuration | 12 | 6 | integer: 4-octet |
[26-142] | Upstream-Calculated- | Calculated downstream QoS rate in Kbps as set by the ANCP configuration | 12 | 6 | integer: 4-octet |
[26-143] | Max-Clients-Per-Interface | Maximum number of PPPoE client sessions supported per interface. For DHCP clients, this value is the maximum number of PPPoE sessions per logical interface. For PPPoE, this value is the maximum number of PPPoE subinterfaces per a PPPoE major interface. See JunosE Release Notes, Appendix A, System Maximums corresponding to your software release for information about the maximum number of PPPoE subinterfaces supported for each line module. | 12 | 6 | integer: 4-octet |
[26-144] | PPP-Monitor-Ingress- Only | Enable or disable monitoring of only ingress traffic to determine inactivity of a PPP session and subsequent disconnection of an inactive session. If this option is disabled or not configured, the router monitors both ingress traffic and egress traffic to determine session inactivity. | 12 | 6 | integer: |
[26-147] | Backup-Address-Pool | Name of the backup local address pool that can be used to assign addresses to users being authenticated by a RADIUS server, when the existing addresses in the primary local address pool are fully exhausted. The authentication server overrides the backup local address pool name configured using this attribute with the backup local address pool name received in the RADIUS-Access-Accept message. | len | sublen | string: Backup-address-pool-name |
[26-150] | ICR-Partition-Id | Used in all the RADIUS authentication and accounting (Acct-Start, Acct-Stop, and Interim-Acct messages for both user and service accounting) messages corresponding to a subscriber to determine the partition in which the subscriber has logged in | len | sublen | string:icr-partition-id |
[26–151] | Ipv6-Acct-Input-Octets | Number of times that IPv6 octets have been received from the port during the time this service has been provided | 12 | 6 | 4–octet integer |
[26–152] | Ipv6-Acct-Output-Octets | Number of times that IPv6 octets have been sent to the port during the time this service has been provided | 12 | 6 | 4–octet integer |
[26–153] | Ipv6-Acct-Input-Packets | Number of times that IPv6 packets have been received from the port during the time this service has been provided to a framed user | 12 | 6 | 4–octet integer |
[26–154] | Ipv6-Acct-Output-Packets | Number of times that IPv6 packets have been sent to the port in the course of delivering this service to a framed user | 12 | 6 | 4–octet integer |
[26–155] | Ipv6-Acct-Input-Gigawords | Number of times that the IPv6-Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update | 12 | 6 | 4–octet integer |
[26–156] | Ipv6-Acct-Output-Gigawords | Number of times that the IPv6-Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update | 12 | 6 | 4–octet integer |
[26-157] | Ipv6-Ndra-Pool | Used in RADIUS Access-Accept message to inform the E Series router to allocate IPv6 Neighbor Discovery router advertisement prefix from this pool for the subscriber. If CLI knob aaa dhcpv6-ndra-pool override is disabled, JunosE interprets this attribute as Neighbor Discovery router advertisement local address pool name. | len | sublen | String: 16 alpha-numeric characters |
[26-161] | Delegated-Ipv6-Pool | Used in RADIUS Access-Accept message to inform the E Series router to allocate IPv6 Neighbor Discovery router advertisement prefix from this pool for the subscriber. If CLI knob aaa dhcpv6-ndra-pool override is enabled, JunosE interprets this attribute as DHCPV6 PD pool name. | len | sublen | String: 16 alpha-numeric characters |
[26-164] | Ipv4-release-control | Causes the PPP application to notify the RADIUS server regarding IPv4 addresses released by a subscriber in a dual-stack network, when an IPCP negotiation for IPv4 sessions is terminated or if the IPv4 session becomes inactive. This attribute is added to RADIUS messages only if the subscriber session is of a dual-stack type and if the IPv4 address is allocated from the RADIUS server and not from local address pools. | len | sublen | String: 32 alpha-numeric characters |
[26-165] | PCP-Server-Name | Specifies the PCP server name to which DHCP clients send PCP requests. A PCP client must know the fully qualified domain name (FQDN) of a PCP server, before it can communicate with the latter in order to perform the relevant PCP functions. | len | sublen | String: 245 octets(alpha-numeric characters, dashes, periods) |
