Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Subscriber AAA Access Messages
Authorization and authentication access messages identify subscribers before the RADIUS server grants or denies them access to the network or network services. When an application requests user authentication, the request must have certain authenticating attributes, such as a user’s name, password, and the particular type of service the user is requesting. This information is sent in the authentication request via the RADIUS protocol to the RADIUS server. In response, the RADIUS server grants or denies the request.
The router supports the following types of authentication and authorization messages:
- Access-Request—Requests client authentication. RADIUS responds to a client authentication request with either an Access-Accept, an Access-Reject, or an Access-Challenge message. An Access-Request message can contain a number of RADIUS attributes.
- Access-Accept—Grants the client’s access request and can provide specific configuration information necessary to begin delivery of service to the user.
- Access-Reject—Sent if any value of the received attributes is not acceptable.
- Access-Challenge—Sent to the client, requesting additional authentication information.
- Change-of-Authorization-Request (CoA-Request)—Dynamically modifies session attributes, such as data filters.
- Disconnect-Request—Immediately terminates a user session.
Supported RADIUS IETF Attributes
Table 37 lists the Access-Request, Access-Accept, Access-Reject, Access-Challenge, CoA, and Disconnect-Request attributes supported by JunosE Software. The following notes are referenced in Table 37:
- Attribute is used by Access-Request messages when terminating a PPP connection at the LNS or the initiating LAC.
- Attribute is used to support pass-through exchange of EAP messages.
- Attribute is used by Access-Challenge messages to set the PPP retransmission timeout used for EAP request packets.
Table 37 lists the RADIUS IETF attributes supported for Access-Request, Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request messages.
Table 37: AAA Access Message RADIUS IETF Attributes Supported
Attribute Number | Attribute Name | Access- Request | Access- Accept | Access- Reject | Access- | CoA- | Disconnect- |
|---|---|---|---|---|---|---|---|
[1] | User-Name | ✓ | ✓ | – | – | ✓ | ✓ |
[2] | User-Password | ✓ | – | – | – | – | – |
[3] | CHAP-Password | ✓ | – | – | – | – | – |
[4] | NAS-IP-Address | ✓ | – | – | – | – | – |
[5] | NAS-Port | ✓ | – | – | – | – | – |
[6] | Service-Type | ✓ | ✓ | – | – | – | – |
[7] | Framed-Protocol | ✓ | ✓ | – | – | – | – |
[8] | Framed-IP-Address | ✓ | ✓ | – | – | ✓ | – |
[9] | Framed-IP-Netmask | – | ✓ | – | – | – | – |
[11] | Filter-Id | – | ✓ | – | – | – | – |
[12] | Framed-MTU | ✓ | ✓ | – | – | – | – |
[18] | Reply-Message | – | ✓ | ✓ | ✓ | – | – |
[22] | Framed-Route | – | ✓ | – | – | – | – |
[24] | State | – | – | ✓ | ✓ | – | – |
[25] | Class | – | ✓ | – | – | – | – |
[27] | Session-Timeout (See Note 3.) | – | ✓ | ✓ | ✓ | – | – |
[28] | Idle-Timeout | – | ✓ | – | – | – | – |
[30] | Called-Station-Id | ✓ | – | – | – | – | – |
[31] | Calling-Station-Id | ✓ | – | – | – | ✓ | – |
[32] | NAS-Identifier | ✓ | – | – | – | – | – |
[33] | Proxy-State | ✓ | – | – | – | – | – |
[44] | Acct-Session-Id | ✓ | – | – | – | ✓ | – |
[50] | Acct-Multi-Session-Id | ✓ | – | – | – | – | ✓ |
[60] | CHAP-Challenge | ✓ | – | – | – | – | – |
[61] | NAS-Port-Type | ✓ | – | – | – | – | – |
[62] | Port-Limit | – | ✓ | – | – | – | – |
[64] | Tunnel-Type | ✓ | ✓ | – | – | – | – |
[65] | Tunnel-Medium-Type | ✓ | ✓ | – | – | – | – |
[66] | Tunnel-Client-Endpoint | ✓ | ✓ | – | – | – | – |
[67] | Tunnel-Server-Endpoint | ✓ | ✓ | – | – | – | – |
[68] | Acct-Tunnel-Connection | ✓ | – | – | – | – | – |
[69] | Tunnel-Password | – | ✓ | – | – | – | – |
[77] | Connect-Info | ✓ | – | – | – | – | – |
[79] | EAP-Message | ✓ | ✓ | ✓ | ✓ | – | – |
[80] | Message-Authenticator | ✓ | ✓ | ✓ | ✓ | – | – |
[82] | Tunnel-Assignment-Id | – | ✓ | – | – | – | – |
[83] | Tunnel-Preference | – | ✓ | – | – | – | – |
[85] | Acct-Interim-Interval | – | ✓ | – | – | – | – |
[87] | NAS-Port-Id | ✓ | – | – | – | ✓ | – |
[88] | Framed-Pool | – | ✓ | – | – | – | – |
[90] | Tunnel-Client-Auth-Id | ✓ | ✓ | – | – | – | – |
[91] | Tunnel-Server-Auth-Id | ✓ | ✓ | – | – | – | – |
[96] | Framed-Interface-Id | – | ✓ | – | – | – | – |
[97] | Framed-Ipv6-Prefix | – | ✓ | – | – | – | – |
[99] | Framed-Ipv6-Route | – | ✓ | – | – | – | – |
[100] | Framed-IPv6-Pool | – | ✓ | – | – | – | – |
[101] | Error-Cause | – | – | – | – | ✓ | ✓ |
[123] | Delegated-IPv6-Prefix | – | ✓ | – | – | – | – |
[135] | Ascend-Primary-Dns | – | ✓ | – | – | – | – |
[136] | Ascend-Secondary-Dns | – | ✓ | – | – | – | – |
[188] | Ascend-Num-In-Multilink | ✓ | – | – | – | – | – |
[242] | Ascend-Data-Filter | – | ✓ | – | – | – | – |
Supported Juniper Networks VSAs
Table 38 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Access-Request, Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request messages.
Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported
Attribute Number | Attribute Name | Access- Request | Access- Accept | Access- Reject | CoA- | Disconnect- |
|---|---|---|---|---|---|---|
[26-1] | Virtual-Router | – | ✓ | – | ✓ | – |
[26-2] | Local-Address-Pool | – | ✓ | – | – | – |
[26-3] | Local-Loopback-Interface | – | ✓ | – | – | – |
[26-4] | Primary-DNS | – | ✓ | – | – | – |
[26-5] | Secondary-DNS | – | ✓ | – | – | – |
[26-6] | Primary-WINS (NBNS) | – | ✓ | – | – | – |
[26-7] | Secondary-WINS (NBNS) | – | ✓ | – | – | – |
[26-8] | Tunnel-Virtual-Router | – | ✓ | – | – | – |
[26-9] | Tunnel-Password | – | ✓ | – | – | – |
[26-10] | Ingress-Policy-Name | – | ✓ | – | – | – |
[26-11] | Egress-Policy-Name | – | ✓ | – | – | – |
[26-12] | Ingress-Statistics | – | ✓ | – | – | – |
[26-13] | Egress-Statistics | – | ✓ | – | – | – |
[26-14] | Service-Category | – | ✓ | – | – | – |
[26-15] | PCR | – | ✓ | – | – | – |
[26-16] | SCR | – | ✓ | – | – | – |
[26-17] | Mbs | – | ✓ | – | – | – |
[26-22] | Sa-Validate | – | ✓ | – | – | – |
[26-23] | IGMP-Enable | – | ✓ | – | – | – |
[26-24] | Pppoe-Description | ✓ | – | – | – | – |
[26-25] | Redirect-Vrouter-Name | – | ✓ | – | – | – |
[26-26] | Qos-Profile-Name | – | ✓ | – | – | – |
[26-30] | Tunnel-Nas-Port-Method | – | ✓ | – | – | – |
[26-31] | SSC-Service-Bundle-Name | – | ✓ | – | – | – |
[26-33] | Tunnel-Max-Sessions | – | ✓ | – | – | – |
[26-34] | Framed-IP-Route-Tag | – | ✓ | – | – | – |
[26-44] | Tunnel-Interface-ID | ✓ | – | – | – | – |
[26-45] | Ipv6-Virtual-Router | – | ✓ | – | – | – |
[26-46] | Ipv6-Local-Interface | – | ✓ | – | – | – |
[26-47] | Ipv6-Primary-DNS | – | ✓ | – | – | – |
[26-48] | Ipv6-Secondary-DNS | – | ✓ | – | – | – |
[26-52] | RADIUS-Client-Address | ✓ | – | – | – | – |
[26-53] | Service-Description | ✓ | – | – | – | – |
[26-54] | L2tp-Recv-Window-Size | – | ✓ | – | – | – |
[26-55] | DHCP-Options | ✓ | – | – | – | – |
[26-56] | DHCP-MAC-Address | ✓ | – | – | – | – |
[26-57] | DHCP-GI-Address | ✓ | – | – | – | – |
[26-58] | LI-Action | – | ✓ | – | ✓ | – |
[26-59] | Med-Dev-Handle | – | ✓ | – | ✓ | – |
[26-60] | Med-Ip-Address | – | ✓ | – | ✓ | – |
[26-61] | Med-Port-Number | – | ✓ | – | ✓ | – |
[26-62] | MLPPP-Bundle-Name | ✓ | – | – | – | – |
[26-63] | Interface-Desc | ✓ | – | – | – | – |
[26-64] | Tunnel-Group | – | ✓ | – | – | – |
[26-65] | Activate-Service | – | ✓ | – | ✓ | – |
[26-66] | Deactivate-Service | – | ✓ | – | ✓ | – |
[26-67] | Service-Volume | – | ✓ | – | ✓ | – |
[26-68] | Service-Timeout | – | ✓ | – | ✓ | – |
[26-69] | Service-Statistics | – | ✓ | – | ✓ | – |
[26-70] | Ignore-DF-Bit | – | ✓ | – | – | – |
[26-71] | IGMP-Access-Name | – | ✓ | – | – | – |
[26-72] | IGMP-Access-Src-Name | – | ✓ | – | – | – |
[26-73] | IGMP-OIF-Map-Name | – | ✓ | – | – | – |
[26-74] | MLD-Access-Name | – | ✓ | – | – | – |
[26-75] | MLD-Access-Src-Name | – | ✓ | – | – | – |
[26-76] | MLD-OIF-Map-Name | – | ✓ | – | – | – |
[26-77] | MLD-Version | – | ✓ | – | – | – |
[26-78] | IGMP-Version | – | ✓ | – | – | – |
[26-79] | IP-Mcast-Adm-Bw-Limit | – | ✓ | – | – | – |
[26-80] | IPv6-Mcast-Adm-Bw-Limit | – | ✓ | – | – | – |
[26-81] | L2c-Information | ✓ | – | – | – | – |
[26-82] | QoS-Parameters | – | ✓ | – | – | – |
[26-84] | Mobile-IP-Algorithm | – | ✓ | – | – | – |
[26-85] | Mobile-IP-SPI | – | ✓ | – | – | – |
[26-86] | Mobile-IP-Key | – | ✓ | – | – | – |
[26-87] | Mobile-IP-Replay | – | ✓ | – | – | – |
[26-88] | Mobile-IP-Access-Control-List | – | ✓ | – | – | – |
[26-89] | Mobile-IP-Lifetime | – | ✓ | – | – | – |
[26-90] | L2TP-Resynch-Method | – | ✓ | – | – | – |
[26-91] | Tunnel-Switch-Profile | – | ✓ | – | – | – |
[26-92] | L2C-Up-Stream-Data | ✓ | – | – | – | – |
[26-93] | L2C-Down-Stream-Data | ✓ | – | – | – | – |
[26-94] | Tunnel-Tx-Speed-Method | – | ✓ | – | – | – |
[26-95] | IGMP-Query-Interval | – | ✓ | – | – | – |
[26-96] | IGMP-Max-Resp-Time | – | ✓ | – | – | – |
[26-97] | IGMP-Immediate-Leave | – | ✓ | – | – | – |
[26-98] | MLD-Query-Interval | – | ✓ | – | – | – |
[26-99] | MLD-Max-Resp-Time | – | ✓ | – | – | – |
[26-100] | MLD-Immediate-Leave | – | ✓ | – | – | – |
[26-110] | Acc-Loop-Cir-Id | ✓ | – | – | – | – |
[26-111] | Acc-Aggr-Cir-Id-Bin | ✓ | – | – | – | – |
[26-112] | Acc-Aggr-Cir-Id-Asc | ✓ | – | – | – | – |
[26-113] | Act-Data-Rate-Up | ✓ | – | – | – | – |
[26-114] | Act-Data-Rate-Dn | ✓ | – | – | – | – |
[26-115] | Min-Data-Rate-Up | ✓ | – | – | – | – |
[26-116] | Min-Data-Rate-Dn | ✓ | – | – | – | – |
[26-117] | Att-Data-Rate-Up | ✓ | – | – | – | – |
[26-118] | Att-Data-Rate-Dn | ✓ | – | – | – | – |
[26-119] | Max-Data-Rate-Up | ✓ | – | – | – | – |
[26-120] | Max-Data-Rate-Dn | ✓ | – | – | – | – |
[26-121] | Min-LP-Data-Rate-Up | ✓ | – | – | – | – |
[26-122] | Min-LP-Data-Rate-Dn | ✓ | – | – | – | – |
[26-123] | Max-Interlv-Delay-Up | ✓ | – | – | – | – |
[26-124] | Act-Interlv-Delay-Up | ✓ | – | – | – | – |
[26-125] | Max-Interlv-Delay-Dn | ✓ | – | – | – | – |
[26-126] | Act-Interlv-Delay-Dn | ✓ | – | – | – | – |
[26-127] | DSL-Line-State | ✓ | – | – | – | – |
[26-128] | DSL-Type | ✓ | – | – | – | – |
[26-129] | Ipv6-NdRa-Prefix | – | ✓ | – | – | – |
[26-130] | QoS-Interfaceset-Name | – | ✓ | – | – | – |
[26-140] | Service-Interim-Acct-Interval | – | ✓ | – | ✓ | – |
[26-141] | Downstream-Calculated-Qos- | ✓ | ✓ | – | ✓ | – |
[26-142] | Upstream-Calculated-Qos-Rate | ✓ | ✓ | – | ✓ | – |
[26-143] | Max-Clients-Per-Interface | – | ✓ | – | – | – |
[26-144] | PPP-Monitor-Ingress-Only | — | ✓ | — | — | — |
[26-147] | Backup-Address-Pool | — | ✓ | — | — | — |
[26-150] | ICR-Partition-Id | ✓ | — | — | — | — |
[26-159] | DHCP-Option 82 | ✓ | — | — | ✓ | — |
