CLI Commands Used to Modify RADIUS Attributes

This section discusses the RADIUS Internet Engineering Task Force (IETF) attributes and the Juniper Networks vendor-specific attributes that you can configure using CLI commands.

For many attributes, you can configure the router to include the attribute in RADIUS messages. For more information, see Including or Excluding Attributes in RADIUS Messages.

You can also configure the router to ignore many attributes that it receives in Access-Accept messages. For more information, see Ignoring Attributes When Receiving Access-Accept Messages.

For a complete list of RADIUS attributes supported by JunosE Software, see RADIUS IETF Attributes.

RADIUS IETF Attributes

This section describes the RADIUS IETF attributes that you can configure using CLI commands. The attributes are listed numerically—each attribute is followed by a list of the commands that you can use to manage the attribute and descriptions of each command.

[4] NAS-IP-Address

Use the following commands to configure, manage, and display information for the NAS-IP-Address RADIUS attribute.

radius override nas-ip-addr tunnel-client-endpoint
radius override nas-info

radius override nas-ip-addr tunnel-client-endpoint

Use to configure the RADIUS client (LNS) to use the tunnel-client-endpoint (LAC) IP address for the NAS-IP-Address attribute.
See radius override nas-ip-addr tunnel-client-endpoint

Example
host1(config)#radius override nas-ip-addr tunnel-client-endpoint
Use the no version to restore the default address.

radius override nas-info

Use in the correct virtual router context to override standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.
Example
host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info
Use the no version to restore standard use of the NAS-IP-Address and NAS-Identifier attributes.
See radius override nas-info

[5] NAS-Port

Use the following commands to manage and display information for the NAS-Port RADIUS attribute:

radius include nas-port
radius nas-port-format
radius nas-port-format extended
radius pppoe nas-port-format unique
radius vlan nas-port-format stacked

Note: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, RADIUS derives a unique value from the subscriber’s profileHandle and uses the value for the Nas-Port attribute. The radius nas-port-format, radius vlan nas-port-format stacked, and radius pppoe nas-port-format commands do not affect the value of the Nas-Port attribute.

For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see Propagation of LAG Subscriber Information to AAA and RADIUS.

radius include nas-port

Use to include the NAS-Port attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You control inclusion of the attribute by enabling or disabling this command.
Example
host1(config)#radius include nas-port acct-start enable
Use the no version to restore the default, enable.
See radius include

radius nas-port-format

Use to set the NAS-Port format attribute for ATM and Ethernet only to either 0ssssppp or ssss0ppp.
The format is a 4-octet integer. The remaining bits are not changed (8 bits VPI and 16 bits VCI; or 12 bits S-VLAN and 12 bits VLAN).
The s indicates a bit used to represent the slot; the p indicates a bit used to represent the port from which the authentication request originates.
See radius nas-port-format

Example: If the PPP user is received on a VC from the card in slot 7, port 2, then the bit pattern is either 00111010 (for 0ssssppp) or 01110010 (for ssss0ppp).
host1(config)#radius nas-port-format Ossssppp
Use the no version to restore the default.

radius nas-port-format extended atm

radius nas-port-format extended ethernet

Use to set the NAS-Port format attribute for ATM, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces on the E120 and E320 routers only.
The format attribute set using the radius nas-port-format command does not accommodate the number of bits required by the ATM interface specifier (slot/adapter/port/vpi/vci) or the Gigabit Ethernet and 10-Gigabit Ethernet interface specifier [ slot/adapter/port ] [ .vlanSubinterface ]. Issuing this command enables you to encode the interface information in the attribute by specifying the number of bits available for each field in the interface specifier.
Note: You must use this command with the extended keyword when you configure the NAS-Port format attribute on routers that have line modules that support more than seven physical ports.
The default number of bits for each field in the interface specifier for ATM interfaces are:
- Slot—5 bits
- Adapter—0 bits
- Port—3 bits
- VPI—8 bits
- VCI—16 bits
The default number of bits for each field in the interface specifier for Gigabit Ethernet and 10-Gigabit Ethernet interfaces are:
- Slot—5 bits
- Adapter—0 bits
- Port—3 bits
- VLAN—12 bits
- S-VLAN—12 bits
To set valid S-VLAN widths on Gigabit Ethernet and 10-Gigabit Ethernet interfaces, you must include S-VLAN IDs in the NAS-Port attribute by issuing the radius vlan nas-port-format stacked command.
The total number of bits for all fields cannot exceed 32. When the total number of bits is less than 32, the NAS-Port attribute is right-justified and the extra bits are set to 0. If you do not specify a value for a field, the number of bits is set to 0.
See radius nas-port-format extended

Example 1—Sets the field widths for ATM interfaces
host1(config)#radius nas-port-format extended atm field-widths slot 4
adapter 1 vpi 7 vpi 17
Example 2—Sets the field widths for Gigabit Ethernet and 10-Gigabit Ethernet interfaces
host1(config)#radius nas-port-format extended ethernet field-widths slot 4 adapter 1 port 3 vlan 12
Use the no version to restore the default behavior of the radius nas-port-format command.

radius pppoe nas-port-format unique

Use to set the NAS-Port attribute to a unique value for subscribers on PPPoE interface. This unique value is derived from the subscriber’s profileHandle.
See radius pppoe nas-port-format unique

Example
host1(config)#radius pppoe nas-port-format unique
Use the no version to return to the default, in which the value is determined by the interface.

radius vlan nas-port-format stacked

Use to include the S-VLAN ID, in addition to the VLAN ID, in the NAS-Port attribute for subscribers on Ethernet interfaces.
The VLAN ID is always included whether the S-VLAN ID inclusion feature is enabled or disabled.
The radius pppoe nas-port-format unique command overrides this command.
See radius vlan nas-port-format stacked

Example
host1(config)#radius vlan nas-port-format stacked
Use the no version to return to the default, in which the S-VLAN ID is not included.

[8] Framed-IP-Address

Use the following command to manage the Framed-IP-Address RADIUS attribute.

radius include framed-ip-addr

radius include framed-ip-addr

Use to include the Framed-IP-Address attribute in Acct-Start and Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
For RADIUS to include this attribute, an IP address must be assigned to the subscriber.
See radius include

Example
host1(config)#radius include framed-ip-addr acct-start enable
Use the no version to restore the default, enable.

[9] Framed-Ip-Netmask

Use the following commands to manage the Framed-IP-Netmask RADIUS attribute.

radius include framed-ip-netmask
radius ignore framed-ip-netmask

radius include framed-ip-netmask

Use to include the Framed-Ip-Netmask attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include framed-ip-netmask acct-start enable
Use the no version to restore the default, enable.

radius ignore framed-ip-netmask

Use to cause the Framed-Ip-Netmask attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
If the subnet mask is specified by the Frame-Ip-Netmask attribute in the RADIUS user profile, the router passes the mask and IP address to the CPE during IPCP negotiations. When this command is enabled, the default subnet mask 255.255.255.255 is provided by AAA and used for IPCP negotiations.
Enabling the command guards against any breaks in the negotiation.
See radius ignore

Example
host1(config)#radius ignore framed-ip-netmask disable
Use the no version to restore the default, enable.

[13] Framed-Compression

Use the following command to manage the Framed-Compression RADIUS attribute.

radius include framed-compression

radius include framed-compression

Use to include the Framed-Compression attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include framed-compression acct-start disable
Use the no version to restore the default, enable.

[22] Framed-Route

Use the following commands to manage the Framed-Route RADIUS attribute.

radius include framed-route

radius include framed-route

Use to include the Framed-Route attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include framed-route acct-start enable
Use the no version to restore the default, disable.

[25] Class

Use the following command to manage the Class RADIUS attribute.

radius include class

radius include class

Use to include the Class attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include class acct-start disable
Use the no version to restore the default, enable.

[30] Called-Station-Id

Use the following command to manage the Called-Station-Id RADIUS attribute.

radius include called-station-id

radius include called-station-id

Use to include the Called-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Called-Station-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include called-station-id acct-start enable
Use the no version to restore the default, enable.

[31] Calling-Station-Id

Use the following commands to manage information for the Calling-Station-Id RADIUS attribute.

radius calling-station-format
radius calling-station-delimiter
radius include calling-station-id

radius override calling-station-id remote-circuit-id

Note: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, The radius override calling-station-id remote-circuit-id command enables RADIUS to use the PPPoE remote circuit ID for the Calling-Station-Id attribute. By default, RADIUS uses a delimited format for the interface description. The radius calling-station-format command does not affect the value of the Calling-Station-Id attribute.

For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see Propagation of LAG Subscriber Information to AAA and RADIUS.

radius calling-station-format

Use to specify the format of the Calling-Station-Id [31] attribute on a virtual router.
For each field in angle brackets (<>) in the Calling-Station-Id formats, the virtual router supplies the actual value for your configuration, unless otherwise specified.
To specify that the RADIUS client use the delimited format when the PPP user is terminated at the non-LNS E Series router, use the delimited keyword.
- Format for ATM interfaces:
  <delimiter> <system name> <delimiter> <interface> <delimiter> <VPI> <delimiter> <VCI><delimiter>
- Format for Ethernet interfaces:
  <delimiter> <system name> <delimiter> <interface> <delimiter> <VLAN>
  Where <interface> is one of the following items:
- <port name>—The default setting
- <VP description>—Appears if you use the atm vp-description command to assign a text description to an individual VP on an ATM interface
- <VC description>—Appears if you use the atm atm1483 description command to assign a text description to VCs on an ATM 1483 subinterface and you use the atm1483 export-subinterface-description command to enable sending of VC interface descriptors to AAA
To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields, use the fixed-format keyword. The maximum number of characters for each field is shown in square brackets ([ ]).
- Format for ATM interfaces:
  <system name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]>
- Format for Ethernet interfaces:
  <system name [4]> <slot [2]> <port [1]> <VLAN [8]>
- Format for serial interfaces:
  <system name [4]> <slot [2]> <port [1]> <0 [8]>
  Where the final 8-byte field is always 0 (zero).
- In the case of PPP terminated at the LNS, the Calling-Station-Id attribute is based on the received L2TP calling number AVP.
To specify that the RADIUS client use a fixed format of up to 15 characters consisting of all ASCII fields with a 1-byte slot field, 1-byte adapter field, and 1-byte port field, use the fixed-format-adapter-embedded keyword. The maximum number of characters for each field is shown in square brackets ([ ]).
- Format for ATM interfaces:
  <system name [4]> <slot [1]> <adapter [1]> <port [1]>
  <VPI [3]> <VCI [5]>
- Format for Ethernet interfaces:
  <system name [4]> <slot [1]> <adapter [1]> <port [1]>
  <VLAN [8]>
- Format for serial interfaces:
  <system name [4]> <slot [1]> <adapter [1]> <port [1]> <0 [8]>
  Where the final 8-byte field is always 0 (zero).
- For E120 and E320 routers, <adapter> is the number of the bay in which the I/O adapter (IOA) resides, either 0 (representing the right IOA bay on the E120 router or the upper IOA bay on the E320 router) or 1 (representing the left IOA bay on the E120 router or the lower IOA bay on the E320 router). For ERX7xx models, ERX14xx models, and ERX310 routers, <adapter> is always shown as 0 (zero).
- Slot numbers 0 through 16 are shown as ASCII characters in the 1-byte slot field according to the following translation:
  Slot Number
  ASCII
  Character
  Slot Number
  ASCII Character
  0
  0
  9
  9
  1
  1
  10
  A
  2
  2
  11
  B
  3
  3
  12
  C
  4
  4
  13
  D
  5
  5
  14
  E
  6
  6
  15
  F
  7
  7
  16
  G
  8
  8
  –
  –
  For example, slot 16 is shown as the ASCII character uppercase G.

Slot Number	ASCII Character	Slot Number	ASCII Character
0	0	9	9
1	1	10	A
2	2	11	B
3	3	12	C
4	4	13	D
5	5	14	E
6	6	15	F
7	7	16	G
8	8	–	–

To specify that the RADIUS client use a fixed format of up to 17 characters consisting of all ASCII fields with a 2-byte slot field, 1-byte adapter field, and 2-byte port field, use the fixed-format-adapter-new-field keyword. The maximum number of characters for each field is shown in square brackets ([ ]).

Note: You must use this command with the fixed-format-adapter-new-field keyword when you configure the format of the Calling-Station-ID attribute on routers that have line modules that support more than seven physical ports.

Format for ATM interfaces:
<system name [4]> <slot [2]> <adapter [1]> <port [2]>
<VPI [3]> <VCI [5]>
Format for Ethernet interfaces:
<system name [4]> <slot [2]> <adapter [1]> <port [2]>
<VLAN [8]>
Format for serial interfaces:
<system name [4]> <slot [2]> <adapter [1]> <port [2]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
For E120 and E320 routers, <adapter> is the number of the bay in which the I/O adapter (IOA) resides, either 0 or 1. For ERX7xx models, ERX14xx models, and ERX310 routers, <adapter> is always shown as 0 (zero).
Slot numbers 0 through 16 are shown as integers in the 2-byte slot field.

To specify that the format of the Calling-Station-Id [31] attribute include a 4-byte stacked VLAN (S-VLAN) ID for Ethernet interfaces when the RADIUS client uses the fixed-format, fixed-format-adapter-embedded, or fixed-format-adapter-new-field format, use the fixed-format stacked, fixed-format-adapter-embedded stacked, or fixed-format-adapter-new-field stacked keywords, respectively. The maximum number of characters for each field is shown in square brackets ([ ]).

Note: The use of the stacked keyword is not supported for VLAN subinterfaces based on agent-circuit-identifier information, otherwise known as ACI VLANs. When you issue the radius calling-station-format fixed-format stacked, radius calling-station-format fixed-format-adapter-embedded stacked, or radius calling-station-format fixed-format-adapter-new-field stacked command for an ACI VLAN, the values that appear in the 4-byte S-VLAN ID and 4-byte VLAN ID fields are incorrect.

Format for Ethernet interfaces that use fixed-format stacked:
<system name [4]> <slot [2]> <port [1] <S-VLAN [4] <VLAN [4]>
Format for Ethernet interfaces that use fixed-format-adapter-embedded stacked:
<system name [4]> <slot [1]> <adapter [1]><port [1] <S-VLAN [4] <VLAN [4]>
Format for Ethernet interfaces that use fixed-format-adapter-new-field stacked:
<system name [4]> <slot [2]> <adapter [1]><port [2] <S-VLAN [4] <VLAN [4]>
By default, these formats do not include the S-VLAN ID unless you specify the optional stacked keyword. If you include the stacked keyword, the S-VLAN ID is displayed in decimal format in the range 0–4095.
The S-VLAN ID field in the Calling-Station-Id [31] attribute is set to 0 (zero) under the following conditions:
You do not specify the optional stacked keyword.
You specify the optional stacked keyword but the Ethernet interface does not have an S-VLAN ID.

Attribute 31, Calling-Station-Id, is used with Attribute 30, Called-Station-Id, in a standard way when the router is the LNS and the LAC is a dial-up LAC (not an E Series router). When the LNS receives the Calling-Station-Id and Called-Station-Id AVPs, the router includes the values as they are, with no format changes in the RADIUS messages.
Example 1
host1(config)#radius calling-station-format fixed-format
For example, when you configure this Calling-Station-Id format on an E320 router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘14’ ‘2’ ‘003’ ‘00004’. The adapter number does not appear in this format.
Example 2
host1(config)#radius calling-station-format fixed-format-adapter-embedded
For example, when you configure this Calling-Station-Id format on an E320 router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘E’ ‘1’ ‘2’ ‘003’ ‘00004’.
Example 3
host1(config)#radius calling-station-format fixed-format-adapter-new-field
For example, when you configure this Calling-Station-Id format on an E320 router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as ‘14’ ‘1’ ‘02’ ‘003’ ‘00004’.
Example 4
host1(config)#radius calling-station-format fixed-format-adapter-new-field stacked
For example, when you configure this Calling-Station-Id format on an E320 router for an Ethernet interface on system name western, slot 4, adapter 1, port 3, S-VLAN ID 8, and VLAN ID 12, the virtual router displays the format in ASCII as ‘west’ ‘04’ ‘1’ ‘03’ ‘0008’ ‘0012’.
Use the no version to restore the default Calling-Station-Id format, delimited.
See radius calling-station-format

radius calling-station-delimiter

Use to specify the Calling-Station-Id attribute’s delimiter for DSL PPP users.
The delimiter is one special character you select to set off items in the Calling-Station-Id’s definition (for example, # or %).
See radius calling-station-delimiter

Example
host1(config)#radius calling-station-delimiter &
Use the no version to remove the delimiter.

radius include calling-station-id

Use to include the Calling-Station-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include calling-station-id acct-start disable
Use the no version to restore the default, enable.

radius override calling-station-id remote-circuit-id

Use to configure RADIUS to override the standard use of the Calling-Station-Id attribute and instead use the remote circuit ID transmitted from a DSLAM device.
See radius override calling-station-id remote-circuit-id

Example
host1(config)#radius override calling-station-id remote-circuit-id
Use the no version to restore the default Calling-Station-ID value, which is the telephone number from which the call originated.

[32] NAS-Identifier

Use the following commands to manage and display information for the NAS-Identifier RADIUS attribute.

radius nas-identifier
radius include nas-identifier
radius override nas-info
radius remote-circuit-id-format
radius remote-circuit-id-delimiter

radius nas-identifier

Use to set a value for the NAS-Identifier attribute. This value is used in the NAS-Identifier attribute for authentication and accounting requests.
Example
host1(config)#radius nas-identifier fox
Use the no version to delete the NAS-Identifier.
See radius nas-identifier

radius include nas-identifier

Use to include the NAS-Identifier attribute in Access-Request, Acct-Start, Acct-Stop, Acct-On, and Acct-Off messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include nas-identifier acct-start disable
Use the no version to restore the default, enable.

radius override nas-info

Use in the correct virtual router context to override the standard use of NAS-IP-Address and NAS-Identifier attributes for AAA broadcast accounting; specifies that the attributes for the authentication virtual router be included in accounting packets instead of the attributes for the virtual router that generates the accounting information.
See radius override nas-info

Example
host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info
Use the no version to restore the standard use of the NAS-IP-Address and NAS-Identification attributes.

radius remote-circuit-id-format

Use to configure the format of the PPPoE remote circuit ID value captured from a DSLAM.
You can format the PPPoE remote circuit ID value to include either or both of the agent-circuit-ID (suboption 1) and agent-remote-id (suboption 2) suboptions of the DHCP relay agent information option (option 82) or the PPPoE intermediate agent tags.
By default, the router formats the PPPoE remote circuit ID to include only the agent-circuit-id suboption.
You can use this command to configure the following nondefault formats for the PPPoE remote circuit ID value:
- Include either or both of the agent-circuit-id and agent-remote-id suboptions, with or without the NAS-Identifier [32] RADIUS attribute
- Append the agent-circuit-id suboption value to an interface specifier that is consistent with the recommended format in the DSL Forum Technical Report (TR)-101—Migration to Ethernet-Based DSL Aggregation (April 2006).
For more information about how to use this command, see the Using the PPPoE Remote Circuit ID to Identify Subscribers and Configuring PPPoE Remote Circuit ID Capture sections in JunosE Link Layer Configuration Guide.
See radius remote-circuit-id-format

Examples
host1(config)#radius remote-circuit-id-format nas-identifier agent-circuit-id agent-remote-id host1(config)#radius remote-circuit-id-format dsl-forum-1
Use the no version to restore the default format, agent-circuit-id.

radius remote-circuit-id-delimiter

Use to configure the delimiter character that the router uses to set off multiple components in the format of the PPPoE remote circuit ID value captured from a DSLAM.
For information about how to use this command, see the Configuring PPPoE Remote Circuit ID Capture section in JunosE Link Layer Configuration Guide.
See radius remote-circuit-id-delimiter

Example
host1(config)#radius remote-circuit-id-delimiter !
Use the no version to restore the default delimiter character, #.

[41] Acct-Delay-Time

Use the following commands to manage and display information for the Acct-Delay-Timer RADIUS attribute.

radius include acct-delay-time

radius include acct-delay-time

Use to include the Acct-Delay-Time attribute in Acct-On or Acct-Off messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include acct-delay-time acct-on enable
Use the no version to restore the default, enable.

[44] Acct-Session-Id

Use the following commands to manage and display information for the Acct-Session-Id RADIUS attribute.

radius include acct-session-id
radius acct-session-id-format

Note: The Acct-Session-Id VSA is used:

In the RADIUS-initiated change-of-authorization (CoA) message to start the mirroring session when the user is already logged in
As a trigger in user-initiated mirroring to identify the user whose traffic is to be mirrored

This VSA can be optionally included in the CoA message from the RADIUS server or in the user login request if the packet mirroring operation is required.

radius include acct-session-id

Use to include the Acct-Session-Id attribute in Access-Request, Acct-On, or Acct-Off messages.
You can control inclusion of the Acct-Session-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include acct-session-id access-request disable
Use the no version to restore the default, enable.

radius acct-session-id-format

Use to set the Acct-Session-Id attribute format. Two formats are supported:

description—Configures RADIUS client to use the generic format: erx <interface identifier>:<hex number>. For example: erx atm 12/1:0.3:0000ef1

Note: For subscribes connected over the LAG interface in DHCP standalone authenticate mode, the LAG interface ID is used as the interface identifier. For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see Propagation of LAG Subscriber Information to AAA and RADIUS.

decimal—Configures the RADIUS client to use a decimal format. For example: 435264

See radius acct-session-id-format

Example
host1(config)#radius acct-session-id-format decimal
Use the no version to negate the Acct-Session-Id format.

[45] Acct-Authentic

Use the following command to manage the Acct-Authentic RADIUS attribute.

radius include acct-authentic

radius include acct-authentic

Use to include the Acct-Authentic attribute in Acct-On or Acct-Off messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include acct-authentic acct-on enable
Use the no version to restore the default, enable.

[49] Acct-Terminate-Cause

Use the following command to manage the Acct-Terminate-Cause RADIUS attribute.

radius include acct-terminate-cause

radius include acct-terminate-cause

Use to include the Acct-Terminate-Cause attribute in Acct-Off messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include.

Example
host1(config)#radius include acct-terminate-cause acct-off disable
Use the no version to restore the default, enable.

[50] Acct-Multi-Session-Id

Use the following command to manage the Acct-Multi-Session-Id RADIUS attribute.

radius include acct-multi-session-id

radius include acct-multi-session-id

Use to include the Acct-Multi-Session-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Acct-Multi-Session-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include acct-multi-session-id acct-stop disable
Use the no version to restore the default, enable for accounting messages and disable for access requests.

[51] Acct-Link-Count

Use the following command to manage the Acct-Link-Count RADIUS attribute.

radius include acct-link-count

radius include acct-link-count

Use to include the Acct-Link-Count attribute in Acct-Start and Acct-Stop messages.
You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include acct-link-count acct-stop disable
Use the no version to restore the default, enable.

[52] Acct-Input-Gigawords

Use the following command to manage the Acct-Input-Gigawords RADIUS attribute.

radius include input-gigawords

radius include input-gigawords

Use to include the Acct-Input-Gigawords attribute in Acct-Stop messages.
You can control inclusion of the Acct-Input-Gigawords attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include input-gigawords acct-stop disable
Use the no version to restore the default, enable.

[53] Output-Gigawords

Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.

radius include output-gigawords

radius include output-gigawords

Use to include the Acct-Output-Gigawords attribute in Acct-Stop messages.
You can control inclusion of the Acct-Output-Gigawords attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include output-gigawords acct-stop enable
Use the no version to restore the default, enable.

[55] Event-Timestamp

Use the following command to manage the Acct-Output-Gigawords RADIUS attribute.

radius include event-timestamp

radius include event-timestamp

Use to include the Event-Timestamp attribute in Acct-Start, Acct-Stop, Acct-On, or Acct-Off messages.
You can control inclusion of the Event-Timestamp attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include event-timestamp acct-on enable
Use the no version to restore the default, enable.

[61] NAS-Port-Type

Use the following commands to manage and display information for the NAS-Port-Type RADIUS attribute.

radius dsl-port-type
radius ethernet-port-type

radius include nas-port-type

Note: For subscribers connected over the LAG interface in DHCP standalone authenticate mode, RADIUS calculates the value of the Nas-Port-Type attribute.

For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see Propagation of LAG Subscriber Information to AAA and RADIUS.

radius dsl-port-type

Use to configure the NAS-Port-Type attribute for the DSL port type.
This attribute can have several values. If the interface (port) is DSL, then the attribute can have any value listed in the command and uses the value configured. If the interface (port) is Ethernet, then it sets the attribute to Ethernet and disregards the parameter set with this command. Options include:
- adsl-cap—Asymmetric DSL, carrierless amplitude phase (CAP) modulation
- adsl-dmt—Asymmetric DSL, discrete multitone (DMT)
- idsl—ISDN DSL
- sdsl—Symmetric DSL
- virtual—Virtual
- xdsl—DSL of unknown type
Example
host1(config)#radius dsl-port-type xdsl
Use the no version to restore the default, xdsl.
See radius dsl-port-type

radius ethernet-port-type

Use to set the NAS-Port-Type attribute for Ethernet interfaces to ethernet or virtual.
See radius ethernet-port-type

Example
host1(config)#radius ethernet-port-type virtual
Use the no version to restore the default, ethernet.

radius include nas-port-type

Use to include the NAS-Port-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include nas-port-type acct-start enable
Use the no version to restore the default, enable.

[64] Tunnel-Type

Use the following command to manage the Tunnel-Type RADIUS attribute.

radius include tunnel-type

radius include tunnel-type

Use to include the Tunnel-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the Tunnel-Type attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-type access-request enable
Use the no version to restore the default, enable.

[65] Tunnel-Medium-Type

Use the following command to manage the Tunnel-Medium-Type RADIUS attribute.

radius include tunnel-medium-type

radius include tunnel-medium-type

Use to include the Tunnel-Medium-Type attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the Tunnel-Medium-Type attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-medium-type acct-start enable
Use the no version to restore the default, enable.

[66] Tunnel-Client-Endpoint

Use the following command to manage the Tunnel-Client-Endpoint RADIUS attribute.

radius include tunnel-client-endpoint

radius include tunnel-client-endpoint

Use to include the Tunnel-Client-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the Tunnel-Client-Endpoint attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-client-endpoint acct-start enable
Use the no version to restore the default, enable.

[67] Tunnel-Server-Endpoint

Use the following command to manage the Tunnel-Server-Endpoint RADIUS attribute.

radius include tunnel-server-endpoint

radius include tunnel-server-endpoint

Use to include the Tunnel-Server-Endpoint attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the Tunnel-Server-Endpoint attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-server-endpoint acct-stop disable
Use the no version to restore the default, enable.

[68] Acct-Tunnel-Connection

Use the following command to manage the Acct-Tunnel-Connection RADIUS attribute.

radius include acct-tunnel-connection

radius include acct-tunnel-connection

Use to include the Acct-Tunnel-Connection attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Acct-Tunnel-Connection attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include acct-tunnel-connection acct-stop enable
Use the no version to restore the default, enable.

[77] Connect-Info

Use the following commands to manage and display information for the Connect-Info RADIUS attribute.

radius connect-info-format l2tp-connect-speed
radius include connect-info

radius connect-info-format

Use on the LNS to enable the generation of the RADIUS Connect-Info attribute and to specify the attribute’s format. The attribute is based on the L2TP connect-speed AVPs for received (RX) speed (AVP 38) and transmit (TX) speed (AVP 24). See Configuring the RX Speed on the LAC for information about generating the RX and TX speed AVPs.
The Connect-Info attribute is a string in the following format; the attribute is generated whenever the TX speed is not zero.
tx-speed [ /rx-speed ]
The TX speed is always included in the attribute when the speed is not zero; however, inclusion of the RX speed depends on the keyword you use with the command.
- Use the l2tp-connect-speed keyword to specify that the RX speed is only included when it is not zero and differs from the TX speed.
- Example
  host1(config)#radius connect-info-format l2tp-connect-speed
- Use the l2tp-connect-speed-rx-when-equal keyword to specify that the RX speed is always included when it is not zero.
- Example
  host1(config)#radius connect-info-format l2tp-connect-speed-rx-when-equal
Use the no version to disable the inclusion of the RX speed when it is the same as the TX speed.
See radius connect-info-format

radius include connect-info

Use to include the Connect-Info attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Connect-Info attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include connect-info access-request disable
Use the no version to restore the default, enable.

[82] Tunnel-Assignment-Id

Use the following command to manage the Tunnel-Assignment-Id RADIUS attribute.

radius include tunnel-assignment-id

radius include tunnel-assignment-id

Use to include the Tunnel-Assignment-Id attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the Tunnel-Assignment-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-assignment-id acct-stop enable
Use the no version to restore the default, enable.

[83] Tunnel-Preference

Use the following command to manage the Tunnel-Preference RADIUS attribute.

radius include tunnel-preference

radius include tunnel-preference

Use to include the Tunnel-Preference attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the Tunnel-Preference attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-preference acct-start enable
Use the no version to restore the default, enable.

[87] NAS-Port-Id

Use the following commands to manage and show information for the NAS-Port-Id RADIUS attribute.

aaa intf-desc-format include
radius include nas-port-id
radius override nas-port-id remote-circuit-id

Note: For subscribes connected over the LAG interface in DHCP standalone authenticate mode, RADIUS uses the LAG interface ID for the Nas-Port-Id attribute.

For more information about subscribers connected over the LAG interface in DHCP standalone authenticate mode, see Propagation of LAG Subscriber Information to AAA and RADIUS.

aaa intf-desc-format include

Use to specify whether the router includes the subinterface number or adapter in the interface description it passes to RADIUS for inclusion in the NAS-Port-Id attribute. By default, the subinterface and adapter are sent (the commands are enabled).
Examples
host1#aaa intf-desc-format include sub-intf disable host1#aaa intf-desc-format include adapter enable
Use the no version to remove the configuration.
See aaa intf-desc-format include

radius include nas-port-id

Use to include the NAS-Port-Id attribute in the Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the NAS-Port-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include nas-port-id access-request enable
Use the no version to restore the default, enable.

radius override nas-port-id remote-circuit-id

Use to configure RADIUS to override the standard use of the NAS-Port-Id attribute and instead use the remote circuit ID transmitted from a DSLAM device.
See radius override nas-port-id remote-circuit-id

Example
host1(config)#radius override nas-port-id remote-circuit-id
Use the no version to restore the default NAS-Port-ID value, which is the physical interface of the NAS that is authenticating the user.

[90] Tunnel-Client-Auth-Id

Use the following command to manage the Tunnel-Client-Auth-Id RADIUS attribute.

radius include tunnel-client-auth-id

radius include tunnel-client-auth-id

Use to include the Tunnel-Client-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Tunnel-Client-Auth-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-client-auth-id access-request disable
Use the no version to restore the default, enable.

[91] Tunnel-Server-Auth-Id

Use the following command to manage the Tunnel-Server-Auth-Id RADIUS attribute.

radius include tunnel-server-auth-id

radius include tunnel-server-auth-id

Use to include the Tunnel-Server-Auth-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Tunnel-Server-Auth-Id attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-server-auth-id acct-start enable
Use the no version to restore the default, enable.

[96] Framed-Interface-Id

Use the following command to manage the Framed-Interface-Id RADIUS attribute.

radius include framed-interface-id

radius include framed-interface-id

Use to include the Framed-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Framed-Interface-Id attribute by enabling or disabling this command.
For RADIUS to include this attribute, an IPv6 interface ID must be assigned to the subscriber.
See radius include

Example
host1(config)#radius include framed-interface-id acct-start enable
Use the no version to restore the default, disable.

[97] Framed-Ipv6-Prefix

Use the following command to manage the Framed-Ipv6-Prefix RADIUS attribute.

radius include framed-ipv6-prefix

radius include framed-ipv6-prefix

Use to include the Framed-Ipv6-Prefix attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Framed-Ipv6-Prefix attribute by enabling or disabling this command.
For RADIUS to include this attribute, at least one IPv6 prefix must be assigned to the subscriber.
See radius include

Example
host1(config)#radius include framed-ipv6-prefix acct-start enable
Use the no version to restore the default, disable.

[99] Framed-Ipv6-Route

Use the following command to manage the Framed-Ipv6-Route RADIUS attribute.

radius include framed-ipv6-route

radius include framed-ipv6-route

Use to include the Framed-Ipv6-Route attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the Framed-Ipv6-Route attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
When the Framed-Ipv6-Route attribute is not returned from the RADIUS server in the Access-Accept message, the immediate accounting, Acct-Stop, or Interim-Acct messages do not report this attribute.
See radius include

Example
host1(config)#radius include framed- ipv6-route acct-start enable
Use the no version to restore the default, disable.

[100] Framed-Ipv6-Pool

Use the following command to manage the Framed-Ipv6-Pool RADIUS attribute.

radius include framed-ipv6-pool

radius include framed-ipv6-pool

Use to include the Framed-Ipv6-Pool attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the Framed-Ipv6-Pool attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
If the IPv6 pool name is configured in the AAA domain map using the CLI and is not returned from RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the domain map.
See radius include

Example
host1(config)#radius include framed- ipv6-pool acct-start enable
Use the no version to restore the default, disable.

[123] Delegated-Ipv6-Prefix

Use the following command to manage the Delegated-Ipv6-Prefix RADIUS attribute.

radius include delegated-ipv6-prefix

radius include delegated-ipv6-prefix

Use to include the Delegated-Ipv6-Prefix attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the Delegated-Ipv6-Prefix attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
When prefix delegation occurs, an immediate-update (if enabled) message, which contains the delegated prefix information, is sent to the RADIUS server.
When the prefix to be delegated to clients is obtained from the IPv6 local address server than the RADIUS server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command is configured, the delegated prefix is sent to the RADIUS server in the Delegated-Ipv6-Prefix attribute in the immediate accounting, Acct-Stop, or Interim-Acct messages.
When the prefix to be delegated to clients is allocated from the IPv6 local address server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command is not configured, the delegated prefix is sent to the RADIUS server in the Framed-Ipv6-Prefix attribute in the immediate accounting, Acct-Stop, or Interim-Acct messages.
For static interfaces, although the prefix configured using the CLI command is used for DHCPv6 Prefix Delegation instead of the value returned by the RADIUS server, the immediate accounting, Acct-Stop, or Interim-Acct messages contain the prefix returned from the RADIUS server. If this attribute is not returned from the RADIUS server, the immediate accounting, Acct-Stop, or Interim-Acct messages do not report this attribute.
See radius include

Example
host1(config)#radius include delegated-ipv6-prefix acct-start enable
Use the no version to restore the default, disable.

[188] Ascend-Num-In-Multilink

Use the following command to manage the Ascend-Num-In-Multilink attribute.

radius include ascend-num-in-multilink

radius include ascend-num-in-multilink

Use to include the Ascend-Num-In-Multilink attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Ascend-Num-In-Multilink attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include ascend-num-in-multilink acct-start enable
Use the no version to restore the default, disable.

All Tunnel Server Attributes

Use the following command to manage all tunnel server RADIUS attributes.

radius include tunnel-server-attributes

radius include tunnel-server-attributes

Use to include all supported tunnel server attributes in Access-Request, Acct-Start, or Acct-Stop messages.
When the router functions as an LNS with a terminating PPP, then the LAC tunnel attributes are included.
You can control inclusion of all tunnel server attributes by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-server-attributes access-request enable
Use the no version to restore the default, disable.

Juniper Networks Vendor-Specific Attributes

This section describes the Juniper Networks vendor-specific attributes (VSAs) that you can configure using CLI commands. The attributes are listed numerically and are followed by descriptions about the commands that you can use to manage the attribute.

[26-1] Virtual-Router

Use the following command to manage the Virtual-Router RADIUS attribute.

radius ignore virtual-router

radius ignore virtual-router

Use to cause the Virtual-Router attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
See radius ignore

Example
host1(config)#radius ignore virtual-router enable
Use the no version to restore the default, disable.

[26-10] Ingress-Policy-Name

Use the following commands to manage the Ingress-Policy-Name RADIUS attribute.

radius include ingress-policy-name
radius ignore ingress-policy-name

radius include ingress-policy-name

Use to include the Ingress-Policy-Name attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include ingress-policy-name acct-start enable
Use the no version to restore the default.

radius ignore ingress-policy-name

Use to cause the Ingress-Policy-Name attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command. The default is disable.
See radius ignore

Example
host1(config)#radius ignore ingress-policy-name enable
Use the no version to restore the default, enable.

[26-11] Egress-Policy-Name

Use the following commands to manage the Egress-Policy-Name RADIUS attribute.

radius include egress-policy-name
radius ignore egress-policy-name

radius include egress-policy-name

Use to include the Egress-Policy-Name attribute in Acct-Start or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include egress-policy-name acct-start enable
Use the no version to restore the default, enable.

radius ignore egress-policy-name

Use to cause the Egress-Policy-Name attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
See radius ignore

Example
host1(config)#radius ignore egress-policy-name enable
Use the no version to restore the default, disable.

[26-14] Service-Category

Use the following command to manage the Service-Category RADIUS attribute.

radius ignore atm-service-category

radius ignore atm-service-category

Use to cause the Service-Category attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
See radius ignore

Example
host1(config)#radius ignore atm-service-category enable
Use the no version to restore the default, disable.

[26-15] PCR

Use the following command to manage the PCR RADIUS attribute.

radius ignore atm-pcr

radius ignore atm-pcr

Use to cause the PCR attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
See radius ignore

Example
host1(config)#radius ignore atm-pcr enable
Use the no version to restore the default, disable.

[26-16] SCR

Use the following command to manage the SCR RADIUS attribute.

radius ignore atm-scr

radius ignore atm-scr

Use to cause the SCR attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
See radius ignore

Example
host1(config)#radius ignore atm-scr enable
Use the no version to restore the default, disable.

[26-17] MBS

Use the following command to manage the MBS RADIUS attribute.

radius ignore atm-mbs

radius ignore atm-mbs

Use to cause the MBS attribute to be ignored in Access-Accept messages.
You can control this behavior by enabling or disabling this command.
See radius ignore

Example
host1(config)#radius ignore atm-mbs enable
Use the no version to restore the default, disable.

[26-24] Pppoe-Description

Use the following command to manage the Pppoe-Description RADIUS attribute.

radius include pppoe-description

radius include pppoe-description

Use to include the Pppoe-Description attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the Pppoe-Description attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include pppoe-description acct-start enable
Use the no version to restore the default, enable.

[26-35] Acct-Input-Gigapackets

Use the following command to manage the Acct-Input-Gigapackets RADIUS attribute.

radius include input-gigapkts

radius include input-gigapkts

Use to include Acct-Input-Gigapackets in Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
see radius include

Example
host1(config)#radius include input-gigapkts acct-stop disable
Use the no version to restore the default, enable.

[26-36] Acct-Output-Gigapackets

Use the following command to manage the Acct-Output-Gigapackets RADIUS attribute.

radius include output-gigapkts

radius include output-gigapkts

Use to include the Acct-Output-Gigapackets attribute in Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include output-gigapkts acct-stop disable
Use the no version to restore the default, enable.

[26-44] Tunnel-Interface-Id

Use the following command to manage the Tunnel-Interface-Id RADIUS attribute.

radius include tunnel-interface-id

radius include tunnel-interface-id

Use to include the Tunnel-Interface-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include tunnel-interface-id enable
Use the no version to restore the default, disable.

[26-45] Ipv6-Virtual-Router

Use the following command to manage the IPv6-Virtual-Router RADIUS attribute.

radius include ipv6-virtual-router

radius include ipv6-virtual-router

Use to include the Ipv6-Virtual-Router attribute in Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
If the IPv6 virtual router is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the domain map.
If IPv6 virtual router is not configured in the AAA domain map and is not returned from the RADIUS server, it is not included in the Acct-Start message because the value is not yet known. If the IPv6 virtual router context is configured from the profile, it is reported in the immediate-update message for DHCPv6 prefix delegation.
See radius include

Example
host1(config)#radius include ipv6-virtual-router acct-start enable
Use the no version to restore the default, disable.

[26-46] Ipv6-Local-Interface

Use the following command to manage the Ipv6-Local-Interface RADIUS attribute.

radius include ipv6-local-interface

radius include ipv6-local-interface

Use to include the Ipv6-Local-Interface attribute in Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
If IPv6 local interface is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the domain map.
See radius include

Example
host1(config)#radius include ipv6-local-interface acct-start enable
Use the no version to restore the default, disable.

[26-47] Ipv6-Primary-DNS

Use the following command to manage the IPv6-Primary-DNS RADIUS attribute.

radius include ipv6-primary-dns

radius include ipv6-primary-dns

Use to include the IPv6-Primary-DNS attribute in Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
If the IPv6 primary DNS server is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the AAA domain map.
See radius include

Example
host1(config)#radius include ipv6-primary-dns acct-start enable
Use the no version to restore the default, disable.

[26-48] Ipv6-Secondary-DNS

Use the following command to manage the Ipv6-Secondary-DNS RADIUS attribute.

radius include ipv6-secondary-dns

radius include ipv6-secondary-dns

Use to include the Ipv6-Secondary-DNS attribute in Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS server in the Access-Accept message is used in the accounting messages.
If the IPv6 secondary DNS server is configured in the AAA domain map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop, or Interim-Acct messages report the value configured in the AAA domain map.
See radius include

Example
host1(config)#radius include ipv6-secondary-dns acct-start enable
Use the no version to restore the default, disable.

[26-51] Disconnect-Cause

Use the following command to manage the Disconnect-Cause RADIUS attribute.

radius include l2tp-ppp-disconnect-cause

radius include l2tp-ppp-disconnect-cause

Use to include the Disconnect-Cause attribute in Acct-Stop and Acct-Tunnel-Link-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include l2tp-ppp-disconnect-cause acct-stop-enable
Use the no version to restore the default, disable.

[26-53] Service-Description

Use the following command to manage the Service-Description RADIUS attribute.

radius include profile-service-description

radius include profile-service-description

Use to include the Service-Description attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include profile-service-description acct-stop enable
Use the no version to restore the default, disable.

[26-55] DHCP-Options

Use the following command to manage the DHCP-Options RADIUS attribute.

radius include dhcp-options

radius include dhcp-options

Use to include the DHCP-Options attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include dhcp-options acct-stop enable
Use the no version to restore the default, disable.

[26-56] DHCP-MAC-Address

Use the following command to manage the DHCP-MAC-Address RADIUS attribute.

radius include dhcp-mac-address

radius include dhcp-mac-address

Use to include the DHCP-MAC-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include dhcp-mac-address acct-stop enable
Use the no version to restore the default, disable.

[26-57] DHCP-GI-Address

Use the following command to manage the DHCP-GI-Address RADIUS attribute.

radius include dhcp-gi-address

radius include dhcp-gi-address

Use to include the DHCP-GI-Address attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
See radius include

Example
host1(config)#radius include dhcp-gi-address acct-stop enable
Use the no version to restore the default, disable.

[26-62] MLPPP-Bundle-Name

Use the following command to manage the MLPPP-Bundle-Name RADIUS attribute.

radius include mlppp-bundle-name

radius include mlppp-bundle-name

Use to include the MLPPP-Bundle-Name attribute in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages.
You can control inclusion of the MLPPP-Bundle-Name attribute by enabling or disabling this command.
There is no explicit command to include the MLPPP-Bundle-Name attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.
See radius include

Example
host1(config)#radius include mlppp-bundle-name acct-start enable
Use the no version to restore the default, disable.

[26-63] Interface-Desc

Use the following command to manage the Interface-Desc RADIUS attribute.

radius include interface-description

radius include interface-description

Use to include the Interface-Desc attribute, with the subscriber’s access interface description, in Access-Request, Acct-Start, Interim-Acct, or Acct-Stop messages.
You can control inclusion of the Interface-Desc attribute by enabling or disabling this command. Inclusion is disabled by default.
There is no explicit command to include the Interface-Desc attribute in Interim-Acct messages; however, the attribute is automatically included in Interim-Acct messages when the attribute is enabled for Acct-Stop messages.
See radius include

Example
host1(config)#radius include interface-description acct-start enable
Use the no version to restore the default, disable.

[26-81] L2C-Information

Use the following command to manage the L2C-Information RADIUS attribute.

radius include access-loop-parameters

radius include access-loop-parameters

Use to include the L2C-Information attribute in Access-Request messages.
You can control inclusion of the L2C-Information attribute by enabling or disabling this command. Inclusion is disabled by default.
See radius include

Example
host1(config)#radius include access-loop-parameters access-request enable
Use the no version to restore the default, disable.

[26-92] L2C-Up-Stream-Data

Use the following command to manage the L2C-Up-Stream-Data RADIUS attribute.

radius include l2c-upstream-data

radius include l2c-upstream-data

Use to include the L2C-Up-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the L2C-Up-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default.
See radius include

Example
host1(config)#radius include l2c-upstream-data access-request enable
Use the no version to restore the default, disable.

[26-93] L2C-Down-Stream-Data

Use the following command to manage the L2C-Down-Stream-Data RADIUS attribute.

radius include l2c-downstream-data

radius include l2c-downstream-data

Use to include the L2C-Down-Stream-Data attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the L2C-Down-Stream-Data attribute by enabling or disabling this command. Inclusion is disabled by default.

Example
host1(config)#radius include l2c-downstream-data access-request enable
Use the no version to restore the default, disable.
See radius include

[26-129] Ipv6-NdRa-Prefix

Use the following command to manage the Ipv6-NdRa-Prefix RADIUS attribute.

radius include ipv6-nd-ra-prefix

radius include ipv6-nd-ra-prefix

Use to include the IPv6-NdRa-Prefix attribute in Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
The value of this attribute received from the RADIUS server in the Access-Accept message is included in the accounting messages.
For dynamic interfaces, if the Ipv6-NdRa-Prefix attribute is configured in the profile and is not returned from RADIUS server, this attribute is not included in the Acct-Start, Acct-Stop, and Interim-Acct messages.
See radius include

Example
host1(config)#radius include ipv6-nd-ra-prefix acct-start enable
Use the no version to restore the default, disable.

[26-141] Downstream-Calculated-Qos-Rate

The Downstream-Calculated-Qos-Rate RADIUS attribute enables RADIUS to receive calculated QoS rates from ANCP.

Use the following command to manage the Downstream-Calculated-Qos-Rate RADIUS attribute.

radius include downstream-calculated-qos-rate access-request
radius include downstream calculated-qos-rate acct-start
radius include downstream-calculated-qos-rate acct-stop

radius include downstream-calculated-qos-rate

Use to include the Downstream-Calculated-Qos-Rate attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the Downstream-Calculated-Qos-Rate attribute by enabling or disabling this command. Inclusion is disabled by default.
Example
host1(config)#radius include downstream-calculated-qos-rate access-request enable
Use the no version to restore the default, disable.
See radius include

[26-142] Upstream-Calculated-Qos-Rate

The Upstream-Calculated-Qos-Rate RADIUS attribute enables RADIUS to receive calculated QoS rates from ANCP.

Use the following commands to manage the Upstream-Calculated-Qos-Rate RADIUS attribute.

radius include upstream-calculated-qos-rate access-request
radius include upstream calculated-qos-rate acct-start
radius include upstream-calculated-qos-rate acct-stop

radius include upstream-calculated-qos-rate

Use to include the Upstream-Calculated-Qos-Rate attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can control inclusion of the Upstream-Calculated-Qos-Rate attribute by enabling or disabling this command. Inclusion is disabled by default.
Example
host1(config)#radius include upstream-calculated-qos-rate access-request enable
Use the no version to restore the default, disable.
See radius include

[26-143] Max-Clients-Per-Interface

The Max-Clients-Per-Interface RADIUS attribute is the maximum number of PPPoE client sessions supported per interface. For DHCP clients, this value is the maximum number of PPPoE sessions per logical interface. For PPPoE, this value is the maximum number of PPPoE subinterfaces per PPPoE major interface. See JunosE Release Notes, Appendix A, System Maximums corresponding to your software release for information about the maximum number of PPPoE subinterfaces per PPPoE major interface supported for each line module.

Use the following command to manage the Max-Clients-Per-Interface RADIUS attribute.

radius ignore pppoe-max-session

radius ignore pppoe-max-session

Use to cause the Max-Clients-Per-Interface attribute to be ignored in Access-Accept messages returned by the RADIUS server.
You can control this behavior by enabling or disabling this command. Ignoring the Max-Clients-Per-Interface attribute is enabled by default.
Example 1—Ignores the Max-Clients-Per-Interface attribute returned by the RADIUS server; this is the default behavior
host1(config)#radius ignore pppoe-max-session enable
Example 2—Accepts the Max-Clients-Per-Interface attribute returned by the RADIUS server
host1(config)#radius ignore pppoe-max-session disable
When you issue this command, the router passes the value of the Max-Clients-Per-Interface attribute to the PPP application. PPP, in turn, sends this value to the PPPoE application, which determines whether or not to tear down the PPPoe interface based on the maximum session limit for this subscriber.
Use the no version to restore the default, enable.

[26-150] ICR-Partition-Id

Use the following commands to manage the ICR-Partition-Id RADIUS attribute.

radius include icr-partition-id
radius icr-partition-accounting

radius include icr-partition-id

Use to include the ICR-Partition-Id attribute in Access-Request, Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling or disabling this command.
Example
host1(config)#radius include icr-partition-id acct-start enable
Use the no version to restore the default, disable.

radius icr-partition-accounting

Use to enable or disable sending of the ICR Partition-Accounting-On or Partition-Accounting-Off messages to the RADIUS servers
Both Partition-Accounting messages include the ICR-Partition-Id VSA. Also, both these messages are sent to the RADIUS accounting server configured on the virtual router where the ICR partition is configured or the virtual router on which the ICR control interface is set up.
You can configure ICR partition accounting per virtual router.
Example
host1(config)#radius icr-partition-accounting enable
Use the no version to restore the default, disable.

All IPv6 Accounting Attributes

Use the following command to manage all IPv6 accounting attributes:

radius include ipv6-accounting

radius include ipv6-accounting

Use to include the following supported IPv6 accounting attributes in Acct-Stop messages:
- IPv6-Acct-Input-Octets [26-151]
- IPv6-Acct-Output-Octets [26-152]
- IPv6-Acct-Input-Packets [26-153]
- IPv6-Acct-Output-Packets [26-154]
- IPv6-Acct-Input-Gigawords [26-155]
- IPv6-Acct-Output-Gigawords [26-156]
If you enable inclusion of the IPv6 accounting-related VSAs in Acct-Stop messages, the router also includes the VSAs in Interim-Acct messages.
You can control inclusion of the IPv6 accounting attributes by enabling or disabling this command.
See radius include

Example
host1(config)#radius include ipv6-accounting acct-stop enable
Use the no version to restore the default, disable.

[26-159] DHCP-Option 82

Use the following command to manage the DHCP Option 82 RADIUS attribute.

radius include dhcp-option-82

radius include dhcp-option-82

Use to include the DHCP Option 82 attribute in Access-Request, Acct-Start, and Acct-Stop messages.
You can configure RADIUS to include the dhcp-option-82 attribute
See radius include

Example
host1(config)#radius include dhcp-option-82
Use the no version to restore the default, disable.

ANCP-Related Juniper Networks VSAs

You use the radius include command to specify information about Access Node Control Protocol (ANCP), also known as Layer 2 Control (L2C), that you want to include in the RADIUS Access-Request, Acct-Start, and Acct-Stop messages. Also, if you specify Acct-Stop messages, the router includes ANCP information in Interim-Acct messages that the router sends to RADIUS. By default, the router does not include the ANCP-related information provided by the Juniper Networks VSAs in RADIUS messages.

These Juniper Networks ANCP-related VSAs are based on definitions in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration—draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006 expiration).

radius include l2cd-keyword

Use to include ANCP-related Juniper Networks VSAs in Access-Request, Acct-Start, and Acct-Stop messages that the router sends to RADIUS. If you enable inclusion of the ANCP-related VSAs in Acct-Stop messages, the router also includes the VSAs in Interim-Acct messages. Inclusion is disabled by default.
You must enable ANCP discovery with the discovery-mode command prior to configuring the radius include command with the ANCP-related VSAs. Configuring discovery mode enables the RADIUS authentication server to retrieve ANCP information.

Table 44 lists the ANCP (L2C)-related keywords that you can use in the radius include command and the associated Juniper Networks VSAs. The table also indicates the mappings between ANCP parameters and the VSAs.

Table 44: ANCP (L2C)-Related Keywords for radius include Command

Command Keyword	Juniper Networks VSA Number	Juniper Networks VSA Name	ANCP Type	ANCP Subtype
l2cd-acc-loop-cir-id	[26-110]	Acc-Loop-Cir-Id	1	–
l2cd-acc-aggr-cir-id-bin	[26-111]	Acc-Aggr-Cir-Id-Bin	2	–
l2cd-acc-aggr-cir-id-asc	[26-112]	Acc-Aggr-Cir-Id-Asc	3	–
l2cd-act-data-rate-up	[26-113]	Act-Data-Rate-Up	4	129
l2cd-act-data-rate-dn	[26-114]	Act-Data-Rate-Dn	4	130
l2cd-min-data-rate-up	[26-115]	Min-Data-Rate-Up	4	131
l2cd-min-data-rate-dn	[26-116]	Min-Data-Rate-Dn	4	132
l2cd-att-data-rate-up	[26-117]	Att-Data-Rate-Up	4	133
l2cd-att-data-rate-dn	[26-118]	Att-Data-Rate-Dn	4	134
l2cd-max-data-rate-up	[26-119]	Max-Data-Rate-Up	4	135
l2cd-max-data-rate-dn	[26-120]	Max-Data-Rate-Dn	4	136
l2cd-min-lp-data-rate-up	[26-121]	Min-LP-Data-Rate-Up	4	137
l2cd-min-lp-data-rate-dn	[26-122]	Min-LP-Data-Rate-Dn	4	138
l2cd-max-interlv-delay-up	[26-123]	Max-Interlv-Delay-Up	4	139
l2cd-act-interlv-delay-up	[26-124]	Act-Interlv-Delay-Up	4	140
l2cd-max-interlv-delay-dn	[26-125]	Max-Interlv-Delay-Dn	4	141
l2cd-act-interlv-delay-dn	[26-126]	Act-Interlv-Delay-Dn	4	142
l2cd-dsl-line-state	[26-127]	DSL-Line-State	4	143
l2cd-dsl-type	[26-128]	DSL-Type	4	144

Example
host1(config)#radius include l2cd-acc-loop-cir-id acct-start enable
Use the no version to restore the default behavior, disable.
Note: JunosE Software continues to support DSL Forum VSAs (vendor ID 3561) that you can use to include DSL-related information in RADIUS messages. See DSL Forum VSAs.
See radius include

DSL Forum Vendor-Specific Attributes

You can use the radius include dsl-forum-attributes command to control the inclusion of a set of DSL Forum VSAs in Access-Request, Acct-Start, Acct-Stop, and (if Acct-Stop messages are specified) Interim-Acct messages that the router sends to RADIUS.

The DSL Forum VSAs, as defined in RFC 4679—DSL Forum Vendor-Specific RADIUS Attributes (September 2006), convey information about the associated subscriber for and data rate of the DSL. A service provider might find it useful to enable inclusion of the DSL Forum VSAs in RADIUS messages in order to bill subscribers for different classes of service based on the data rate of their DSL connection.

Note: JunosE Software also supports several Juniper Networks VSAs that you can use to include DSL-related information. See ANCP-Related Juniper Networks VSAs and Juniper Networks VSAs .

The router receives data containing one or more of the DSL Forum VSAs from a DSLAM connected to the router via a PPPoE interface. When you enable the inclusion of the DSL Forum VSAs in these RADIUS messages, the router includes all of the following attributes in the specified message type, provided that the VSA is available in the information that the router receives from the DSLAM.

Note: The router uses the vendor ID assigned to the DSL Forum (3561, or DE9 in hexadecimal format) by the Internet Assigned Numbers Authority (IANA) for the DSL Forum VSAs.

Agent-Circuit-Id [26-1]	Maximum-Data-Rate-Downstream [26-136]
Agent-Remote-Id [26-2]	Minimum-Data-Rate-Upstream-Low-Power [26-137]
Actual-Data-Rate-Upstream [26-129]	Minimum-Data-Rate-Downstream-Low-Power [26-138]
Actual-Data-Rate-Downstream [26-130]	Maximum-Interleaving-Delay-Upstream [26-139]
Minimum-Data-Rate-Upstream [26-131]	Actual-Interleaving-Delay-Upstream [26-140]
Minimum-Data-Rate-Downstream [26-132]	Maximum-Interleaving-Delay-Downstream [26-141]
Attainable-Data-Rate-Upstream [26-133]	Actual-Interleaving-Delay-Downstream [26-142]
Attainable-Data-Rate-Downstream [26-134]	Access-Loop-Encapsulation [26-144]
Maximum-Data-Rate-Upstream [26-135]	IWF-Session [26-254]

For information about enabling the QoS downstream rate application to obtain downstream rates from the Actual-Data-Rate-Downstream [26-130] DSL Forum VSA, see the Configuring the Downstream Rate Using QoS Parameters chapter in JunosE Quality of Service Configuration Guide.

For a more detailed description of the DSL Forum VSAs, see DSL Forum VSAs .

radius include dsl-forum-attributes

Use to include the set of DSL Forum VSAs in Access-Request, Acct-Start, and Acct-Stop messages that the router sends to RADIUS. If you enable inclusion of the DSL Forum VSAs in Acct-Stop messages, the router also includes the VSAs in Interim-Acct messages.
You can control inclusion of the DSL Forum VSAs in the specified message type by enabling or disabling this command. Inclusion is disabled by default.
When you enable inclusion of the DSL Forum VSAs for a specified message type, the router includes in that message all of the DSL Forum attributes that it receives from the DSLAM.
Example
host1(config)#radius include dsl-forum-attributes access-request enable
Use the no version to restore the default behavior, disable.
See radius include dsl-forum-attributes

Including or Excluding Attributes in RADIUS Messages

For many attributes, you can configure the router to include or exclude the attribute in RADIUS messages.

radius include

Use to enable or disable the inclusion of RADIUS attributes in Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
Examples
host1(config)#radius include ingress-policy-name acct-start enable host1(config)#radius include tunnel-type access-request disable
Use the no version to restore the default, disable.
See radius include

Ignoring Attributes When Receiving Access-Accept Messages

You can configure the router to ignore or use many attributes that it receives in Access-Accept messages.

radius ignore

Use to specify that a RADIUS attribute be ignored or be accepted from Access-Accept messages.
Use the enable keyword to specify that the RADIUS client ignore the attribute from the RADIUS server or the disable keyword to use the attribute.
Examples
host1(config)#radius ignore atm-scr enable host1(config)#radius ignore framed-ip-netmask disable
Use the no version to restore the default, enable.
See radius include

CLI Commands Used to Modify RADIUS Attributes

RADIUS IETF Attributes

[4] NAS-IP-Address

Related Documentation

[5] NAS-Port

Related Documentation

[8] Framed-IP-Address

[9] Framed-Ip-Netmask

[13] Framed-Compression

[22] Framed-Route

[25] Class

[30] Called-Station-Id

[31] Calling-Station-Id

Related Documentation

[32] NAS-Identifier

Related Documentation

[41] Acct-Delay-Time

[44] Acct-Session-Id

[45] Acct-Authentic

[49] Acct-Terminate-Cause

[50] Acct-Multi-Session-Id

[51] Acct-Link-Count

[52] Acct-Input-Gigawords

[53] Output-Gigawords

[55] Event-Timestamp

[61] NAS-Port-Type

Related Documentation

[64] Tunnel-Type

[65] Tunnel-Medium-Type

[66] Tunnel-Client-Endpoint

[67] Tunnel-Server-Endpoint

[68] Acct-Tunnel-Connection

[77] Connect-Info

Related Documentation

[82] Tunnel-Assignment-Id

[83] Tunnel-Preference

[87] NAS-Port-Id

Related Documentation

[90] Tunnel-Client-Auth-Id

[91] Tunnel-Server-Auth-Id

[96] Framed-Interface-Id

[97] Framed-Ipv6-Prefix

[99] Framed-Ipv6-Route

[100] Framed-Ipv6-Pool

[123] Delegated-Ipv6-Prefix

[188] Ascend-Num-In-Multilink

All Tunnel Server Attributes

Juniper Networks Vendor-Specific Attributes

[26-1] Virtual-Router

[26-10] Ingress-Policy-Name

[26-11] Egress-Policy-Name

[26-14] Service-Category

[26-15] PCR

[26-16] SCR

[26-17] MBS

[26-24] Pppoe-Description

[26-35] Acct-Input-Gigapackets

[26-36] Acct-Output-Gigapackets

[26-44] Tunnel-Interface-Id

[26-45] Ipv6-Virtual-Router

[26-46] Ipv6-Local-Interface

[26-47] Ipv6-Primary-DNS

[26-48] Ipv6-Secondary-DNS

[26-51] Disconnect-Cause

[26-53] Service-Description

[26-55] DHCP-Options

[26-56] DHCP-MAC-Address

[26-57] DHCP-GI-Address

[26-62] MLPPP-Bundle-Name

[26-63] Interface-Desc

[26-81] L2C-Information

[26-92] L2C-Up-Stream-Data

[26-93] L2C-Down-Stream-Data

[26-129] Ipv6-NdRa-Prefix

[26-141] Downstream-Calculated-Qos-Rate

[26-142] Upstream-Calculated-Qos-Rate

[26-143] Max-Clients-Per-Interface

[26-150] ICR-Partition-Id

All IPv6 Accounting Attributes

[26-159] DHCP-Option 82