[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

RADIUS IETF Attributes

Table 46 describes the RADIUS IETF attributes supported by JUNOSe software. The attributes are sorted by standard number.




 Table 46:  RADIUS IETF Attributes Supported by JUNOSe Software 

 Attribute Number
 Attribute Name
 Description

 [1]

 User-Name


   Name of user to be authenticated
   Configurable username override



 [2]

 User-Password


   Password of user to be authenticated
   Configurable password override
   Password Authentication Protocol (PAP) 



 [3]

 CHAP-Password

 Response value provided by a Point-to-Point Protocol (PPP) Challenge Handshake Authorization Protocol (CHAP) user in the response to an access challenge


 [4]

 NAS-IP-Address 


   IP address of the network access server (NAS) that is requesting authentication of the user
   You can use the radius update-source-addr command to override this behavior; see Chapter 1, Configuring Remote Access.



 [5]

 NAS-Port


   Physical port number of the NAS that is authenticating the user
   See the radius nas-port-format, radius pppoe nas-port-format unique, and radius vlan nas-port-format stacked commands in Chapter 3, Configuring RADIUS Attributes.



 [6] 

 Service-Type


   Type of service the user has requested or the type of service to be provided
   Admin, Login, NAS Prompt, or Framed only



 [7]

 Framed-Protocol


   Framing protocol used for framed access
   Standard value of 1 set for PPP
   Nonstandard value of 1008 set for dynamic ATM 



 [8]

 Framed-IP-Address


   IP address to be configured for the user
   0.0.0.0 or absence is interpreted as 255.255.255.254
   See the radius include framed-ip-add acct-start command in Chapter 3, Configuring RADIUS Attributes.



 [9]

 Framed-IP-Netmask


   IP network to be configured for the user when the user is a router to a network
   Absence implies 255.255.255.255



 [11]

 Filter-Id


   Name of the filter list for the user
   Interpreted as input policy name



 [12]

 Framed-MTU 


   The maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). 
   When sent in an Access-Request with an EAP-Message, indicates the maximum size of the EAP-Message string that the external server supports. 



 [13] 

 Framed-Compression

 Always set to none.


 [18]

 Reply-Message


   Text that may be displayed to the user
   Only the first instance of this attribute is used



 [22]

 Framed-Route

 String that provides routing information to be configured for the user on the NAS; in the format: 
 <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]


 [24]

 State


   An arbitrary value that the router includes in new Access-Request packets from the previous Accept-Challenge
   Applicable for CLI, telnet, or EAP message exchange 



 [25]

 Class

 An arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server


 [26]

 Vendor-Specific

 Juniper Networks Enterprise number 0x0000130A


 [27] 

 Session-Timeout

 Maximum number of consecutive seconds of service to be provided to the user before termination of the session


 [28] 

 Idle-Timeout

 Maximum number of consecutive seconds of idle connection provided to the user before termination of the session


 [30]

 Called-Station-Id


   Allows the NAS to send the phone number that the user called
   Not supported for nontunneled or LAC session side 
   For the LNS, the format is the string passed in the Called Number AVP
   For RADIUS relay server, indicates the subscriber's wireless access point 



 [31]

 Calling-Station-Id


   Allows the NAS to send the phone number from which the call originated 
   See the radius calling-station-format and the radius calling-station-delimiter commands in Chapter 3, Configuring RADIUS Attributes.
   For RADIUS relay server, indicates the subscriber's MAC address 



 [32] 

 NAS-Identifier


   Identifies the NAS originating the request
   System-wide configurable hostname or VR-sensitive configurable NAS-identifier name



 [33]

 Proxy-State

  E-series router's port ID and IP address


 [40] 

 Acct-Status-Type

 Indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update)


 [41] 

 Acct-Delay-Time

 Indicates how many seconds the client has been trying to send a particular record


 [42] 

 Acct-Input-Octets


   Indicates how many octets have been received from the port during the time this service has been provided
   IP subscriber manager—Statistics are reported
   PPP—Statistics are counted according to the rules of the generic interface MIB



 [43] 

 Acct-Output-Octets


   Indicates how many octets have been sent to the port during the time this service has been provided
   IP subscriber manager—Statistics are reported
   PPP—Statistics are counted according to the rules of the generic interface MIB



 [44]

 Acct-Session-Id 


   Unique accounting identifier that makes it easy to match start and stop records in a log file
   See the radius acct-session-id-format and the radius include acct-session-id access-request commands in Chapter 3, Configuring RADIUS Attributes.



 [45]

 Acct-Authentic


   Indicates how the user was authenticated: whether by RADIUS, the NAS itself, or another remote authentication protocol
   Always 1



 [46] 

 Acct-Session-Time

 Indicates how long in seconds that the user has received service


 [47] 

 Acct-Input-Packets


   Indicates how many packets have been received from the port during the time this service has been provided to a framed user
   IP subscriber manager—Statistics are reported
   PPP—Statistics are counted according to the rules of the generic interface MIB



 [48] 

 Acct-Output-Packets


   Indicates how many packets have been sent to the port in the course of delivering this service to a framed user
   IP subscriber manager—Statistics are reported
   PPP—Statistics are counted according to the rules of the generic interface MIB



 [49] 

 Acct-Terminate-Cause

 Contains the reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:

   User Request (1)—User initiated the disconnect (log out)
   Idle Timeout (4)—Idle timer has expired
   Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session
   Admin Reset (6)—System administrator terminated the session
   Port Error (8)—PVC failed; no hardware or no interface
   NAS Error (9)—Negotiation failures, connection failures, or address lease expiration
   NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, Tunnel disconnect, or an unaccounted-for error



 [50]

 Acct-Multi-Session-Id 


   String constructed from the Acct-Session-ID of the first PPP link established for the Multilink PPP bundle and the internal Multilink PPP bundle ID. 
   This string is the hexidecimal ASCII characters for two 4-octet unsigned integers. Example: 0a34331200001249.



 [51]

 Acct-Link-Count

 A value that increments with each link that joins the MLPPP bundle. This attribute does not indicate the number of active links. For more details, see RFC 2866—RADIUS Accounting (June 2000). 


 [52] 

 Acct-Input-Gigawords


   Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
   IP subscriber manager—Statistics are reported
   PPP—Statistics are counted according to the rules of the generic interface MIB



 [53] 

 Acct-Output-Gigawords


   Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
   IP subscriber manager—Statistics are reported
   PPP—Statistics are counted according to the rules of the generic interface MIB



 [55] 

 Event-Timestamp

 Records the time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC


 [60] 

 CHAP-Challenge

 Contains the CHAP challenge sent by the NAS to a PPP CHAP user


 [61]

 NAS-Port-Type


   Indicates the type of physical port the NAS is using to authenticate the user
   See the radius dsl-port-type and the radius ethernet-port-type commands in Chapter 3, Configuring RADIUS Attributes.



 [62]

 Port-Limit

 Specifies the maximum number of MLPPP member links allowed for the subscriber


 [64] 

 Tunnel-Type


   Which tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator)
   Only L2TP tunnels supported at this time



 [65] 

 Tunnel-Medium-Type


   Transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports
   Only IPv4 supported at this time



 [66] 

 Tunnel-Client-Endpoint

 Address of the initiator end of the tunnel


 [67]

 Tunnel-Server-Endpoint

 Address of the server end of the tunnel


 [68] 

 Acct-Tunnel-Connection


   Indicates the identifier assigned to the tunnel session
   Value is L2TP call-serial number



 [69] 

 Tunnel-Password

 Password to be used to authenticate to a remote server


 [77] 

 Connect-Info

 Sent from the NAS to indicate the nature of the user's connection


 [79]

 EAP-Message 

 Encapsulates EAP packets, which allows the NAS to authenticate users through EAP without having to understand the EAP protocol


 [80]

 Message-Authenticator

 Must be used in any Access-Request, Access-Accept, Access-Reject or Access- Challenge messages that include EAP-Message attributes


 [82] 

 Tunnel-Assignment-Id

 Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned


 [83]

 Tunnel-Preference


   If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel.
   Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only)



 [85]

 Acct-Interim-Interval

 Number of seconds between each interim accounting update for this session


 [86]

 Acct-Tunnel-Packets-Lost

 Number of packets lost on a given link


 [87] 

 NAS-Port-Id


   Text string that identifies the physical interface of the NAS that is authenticating the user
   If the PPP user connects via ATM slot 12, port 2, subinterface 3, vpi 100, vci 101, then the NAS-Port-Id value in the RADIUS packets will be atm 12/2.3:100.101
   If the user is a PPP user that started as a result of the E-series LNS feature (that is, no physical port), then the NAS-Port-Id value is as follows: media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session id:call serial number

  
     For example: ip:172.81.1.98:172.81.1.99:18d:cb8:ce6:9f4:6
     In this case, the local information refers to the LNS, and the peer information refers to the LAC
  

   NAS-Port-Id usually contains one of the following:

  
     atm <slot> / <port><.subinterface>:<vpi>.<vci>
     FastEthernet <slot> / <port><.subinterface> [:<vlan>]
     GigabitEthernet <slot> / <port><.subinterface> [<vlan>
     serial <slot>/<port> [:<sonetPath> [/<sonetTributary (x/x/x)> [/<fractionalInterface>] ] ]
     from LNS—ip:local ip:peer ip:local tid:peer tid:local sid:peer sid:call serial number 
  
 tid—tunnel id
 sid—session id
 NOTE: Releases before 4.0.0 did not pass the subinterface number to RADIUS for inclusion in the NAS-Port-Id. If you do not want the subinterface number to be included, you must enter the aaa intf-desc-format include sub-intf disable command to omit the subinterface.


 [88]

 Framed-Pool

 Name of an assigned address pool that should be used to assign an address for the user


 [90]

 Tunnel-Client-Auth-Id

 Name used by the tunnel initiator during the authentication phase of tunnel establishment


 [91] 

 Tunnel-Server-Auth-Id

 Name used by the tunnel terminator during the authentication phase of tunnel establishment


 [96]

 Framed-Interface-Id

 IPv6 interface identifier configured by the user


 [97]

 Framed-Ipv6-Prefix

 Provides the IPv6 prefix that is delegated to a downstream CPE 


 [99]

 Framed-Ipv6-Route 

 Provides routing information to be configured for the user on the NAS


 [101]

 Error-Cause

 4-octet field that contains an integer that specifies the cause of the error


 [135]

 Ascend-Primary-DNS


   Indicates the IP address of the primary DNS 
   The format is 1 byte of type (135), 1 byte of length (length=6), 
4 bytes of value (IPv4 address) 



 [136]

 Ascend-Secondary-DNS


   Indicates the IP address of the secondary DNS 
   The format is 1 byte of type (136), 1 byte of length (length=6), 
4 bytes of value (IPv4 address) 



 [188]

 Ascend-Num-In-Multilink

 Current number of links in a multilink bundle 


 [242]

 Ascend-Data-Filter

 RADIUS policy definitions used to configure a policy to classify packet flows and perform filter, forward, packet marking, rate-limit profile, and traffic class actions

Attribute Number	Attribute Name	Description
[1]	User-Name	Name of user to be authenticated Configurable username override
[2]	User-Password	Password of user to be authenticated Configurable password override Password Authentication Protocol (PAP)
[3]	CHAP-Password	Response value provided by a Point-to-Point Protocol (PPP) Challenge Handshake Authorization Protocol (CHAP) user in the response to an access challenge
[4]	NAS-IP-Address	IP address of the network access server (NAS) that is requesting authentication of the user You can use the radius update-source-addr command to override this behavior; see Chapter 1, Configuring Remote Access.
[5]	NAS-Port	Physical port number of the NAS that is authenticating the user See the radius nas-port-format, radius pppoe nas-port-format unique, and radius vlan nas-port-format stacked commands in Chapter 3, Configuring RADIUS Attributes.
[6]	Service-Type	Type of service the user has requested or the type of service to be provided Admin, Login, NAS Prompt, or Framed only
[7]	Framed-Protocol	Framing protocol used for framed access Standard value of 1 set for PPP Nonstandard value of 1008 set for dynamic ATM
[8]	Framed-IP-Address	IP address to be configured for the user 0.0.0.0 or absence is interpreted as 255.255.255.254 See the radius include framed-ip-add acct-start command in Chapter 3, Configuring RADIUS Attributes.
[9]	Framed-IP-Netmask	IP network to be configured for the user when the user is a router to a network Absence implies 255.255.255.255
[11]	Filter-Id	Name of the filter list for the user Interpreted as input policy name
[12]	Framed-MTU	The maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). When sent in an Access-Request with an EAP-Message, indicates the maximum size of the EAP-Message string that the external server supports.
[13]	Framed-Compression	Always set to none.
[18]	Reply-Message	Text that may be displayed to the user Only the first instance of this attribute is used
[22]	Framed-Route	String that provides routing information to be configured for the user on the NAS; in the format: <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]
[24]	State	An arbitrary value that the router includes in new Access-Request packets from the previous Accept-Challenge Applicable for CLI, telnet, or EAP message exchange
[25]	Class	An arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server
[26]	Vendor-Specific	Juniper Networks Enterprise number 0x0000130A
[27]	Session-Timeout	Maximum number of consecutive seconds of service to be provided to the user before termination of the session
[28]	Idle-Timeout	Maximum number of consecutive seconds of idle connection provided to the user before termination of the session
[30]	Called-Station-Id	Allows the NAS to send the phone number that the user called Not supported for nontunneled or LAC session side For the LNS, the format is the string passed in the Called Number AVP For RADIUS relay server, indicates the subscriber's wireless access point
[31]	Calling-Station-Id	Allows the NAS to send the phone number from which the call originated See the radius calling-station-format and the radius calling-station-delimiter commands in Chapter 3, Configuring RADIUS Attributes. For RADIUS relay server, indicates the subscriber's MAC address
[32]	NAS-Identifier	Identifies the NAS originating the request System-wide configurable hostname or VR-sensitive configurable NAS-identifier name
[33]	Proxy-State	E-series router's port ID and IP address
[40]	Acct-Status-Type	Indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update)
[41]	Acct-Delay-Time	Indicates how many seconds the client has been trying to send a particular record
[42]	Acct-Input-Octets	Indicates how many octets have been received from the port during the time this service has been provided IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
[43]	Acct-Output-Octets	Indicates how many octets have been sent to the port during the time this service has been provided IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
[44]	Acct-Session-Id	Unique accounting identifier that makes it easy to match start and stop records in a log file See the radius acct-session-id-format and the radius include acct-session-id access-request commands in Chapter 3, Configuring RADIUS Attributes.
[45]	Acct-Authentic	Indicates how the user was authenticated: whether by RADIUS, the NAS itself, or another remote authentication protocol Always 1
[46]	Acct-Session-Time	Indicates how long in seconds that the user has received service
[47]	Acct-Input-Packets	Indicates how many packets have been received from the port during the time this service has been provided to a framed user IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
[48]	Acct-Output-Packets	Indicates how many packets have been sent to the port in the course of delivering this service to a framed user IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
[49]	Acct-Terminate-Cause	Contains the reason the service (a PPP session) was terminated. The service can be terminated for the following reasons: User Request (1)—User initiated the disconnect (log out) Idle Timeout (4)—Idle timer has expired Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session Admin Reset (6)—System administrator terminated the session Port Error (8)—PVC failed; no hardware or no interface NAS Error (9)—Negotiation failures, connection failures, or address lease expiration NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, Tunnel disconnect, or an unaccounted-for error
[50]	Acct-Multi-Session-Id	String constructed from the Acct-Session-ID of the first PPP link established for the Multilink PPP bundle and the internal Multilink PPP bundle ID. This string is the hexidecimal ASCII characters for two 4-octet unsigned integers. Example: 0a34331200001249.
[51]	Acct-Link-Count	A value that increments with each link that joins the MLPPP bundle. This attribute does not indicate the number of active links. For more details, see RFC 2866—RADIUS Accounting (June 2000).
[52]	Acct-Input-Gigawords	Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
[53]	Acct-Output-Gigawords	Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update IP subscriber manager—Statistics are reported PPP—Statistics are counted according to the rules of the generic interface MIB
[55]	Event-Timestamp	Records the time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC
[60]	CHAP-Challenge	Contains the CHAP challenge sent by the NAS to a PPP CHAP user
[61]	NAS-Port-Type	Indicates the type of physical port the NAS is using to authenticate the user See the radius dsl-port-type and the radius ethernet-port-type commands in Chapter 3, Configuring RADIUS Attributes.
[62]	Port-Limit	Specifies the maximum number of MLPPP member links allowed for the subscriber
[64]	Tunnel-Type	Which tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator) Only L2TP tunnels supported at this time
[65]	Tunnel-Medium-Type	Transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports Only IPv4 supported at this time
[66]	Tunnel-Client-Endpoint	Address of the initiator end of the tunnel
[67]	Tunnel-Server-Endpoint	Address of the server end of the tunnel
[68]	Acct-Tunnel-Connection	Indicates the identifier assigned to the tunnel session Value is L2TP call-serial number
[69]	Tunnel-Password	Password to be used to authenticate to a remote server
[77]	Connect-Info	Sent from the NAS to indicate the nature of the user's connection
[79]	EAP-Message	Encapsulates EAP packets, which allows the NAS to authenticate users through EAP without having to understand the EAP protocol
[80]	Message-Authenticator	Must be used in any Access-Request, Access-Accept, Access-Reject or Access- Challenge messages that include EAP-Message attributes
[82]	Tunnel-Assignment-Id	Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned
[83]	Tunnel-Preference	If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel. Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only)
[85]	Acct-Interim-Interval	Number of seconds between each interim accounting update for this session
[86]	Acct-Tunnel-Packets-Lost	Number of packets lost on a given link
[87]	NAS-Port-Id	Text string that identifies the physical interface of the NAS that is authenticating the user If the PPP user connects via ATM slot 12, port 2, subinterface 3, vpi 100, vci 101, then the NAS-Port-Id value in the RADIUS packets will be atm 12/2.3:100.101 If the user is a PPP user that started as a result of the E-series LNS feature (that is, no physical port), then the NAS-Port-Id value is as follows: media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session id:call serial number For example: ip:172.81.1.98:172.81.1.99:18d:cb8:ce6:9f4:6 In this case, the local information refers to the LNS, and the peer information refers to the LAC NAS-Port-Id usually contains one of the following: atm <slot> / <port><.subinterface>:<vpi>.<vci> FastEthernet <slot> / <port><.subinterface> [:<vlan>] GigabitEthernet <slot> / <port><.subinterface> [<vlan> serial <slot>/<port> [:<sonetPath> [/<sonetTributary (x/x/x)> [/<fractionalInterface>] ] ] from LNS—ip:local ip:peer ip:local tid:peer tid:local sid:peer sid:call serial number tid—tunnel id sid—session id `NOTE:` Releases before 4.0.0 did not pass the subinterface number to RADIUS for inclusion in the NAS-Port-Id. If you do not want the subinterface number to be included, you must enter the aaa intf-desc-format include sub-intf disable command to omit the subinterface.
[88]	Framed-Pool	Name of an assigned address pool that should be used to assign an address for the user
[90]	Tunnel-Client-Auth-Id	Name used by the tunnel initiator during the authentication phase of tunnel establishment
[91]	Tunnel-Server-Auth-Id	Name used by the tunnel terminator during the authentication phase of tunnel establishment
[96]	Framed-Interface-Id	IPv6 interface identifier configured by the user
[97]	Framed-Ipv6-Prefix	Provides the IPv6 prefix that is delegated to a downstream CPE
[99]	Framed-Ipv6-Route	Provides routing information to be configured for the user on the NAS
[101]	Error-Cause	4-octet field that contains an integer that specifies the cause of the error
[135]	Ascend-Primary-DNS	Indicates the IP address of the primary DNS The format is 1 byte of type (135), 1 byte of length (length=6), 4 bytes of value (IPv4 address)
[136]	Ascend-Secondary-DNS	Indicates the IP address of the secondary DNS The format is 1 byte of type (136), 1 byte of length (length=6), 4 bytes of value (IPv4 address)
[188]	Ascend-Num-In-Multilink	Current number of links in a multilink bundle
[242]	Ascend-Data-Filter	RADIUS policy definitions used to configure a policy to classify packet flows and perform filter, forward, packet marking, rate-limit profile, and traffic class actions

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]