RADIUS IETF Attributes

Table 51 describes the RADIUS IETF attributes supported by JunosE Software. The attributes are sorted by standard number.

Table 51: RADIUS IETF Attributes Supported by JunosE Software

Attribute Number

Attribute Name

Description

[1]

User-Name

  • Name of user to be authenticated
  • Configurable username override

[2]

User-Password

  • Password of user to be authenticated
  • Configurable password override
  • Password Authentication Protocol (PAP)

[3]

CHAP-Password

Response value provided by a Point-to-Point Protocol (PPP) Challenge Handshake Authorization Protocol (CHAP) user in the response to an access challenge

[4]

NAS-IP-Address

  • IP address of the network access server (NAS) that is requesting authentication of the user
  • You can use the radius update-source-addr command to override this behavior; see Configuring Remote Access.

[5]

NAS-Port

  • Physical port number of the NAS that is authenticating the user
  • See the radius nas-port-format, radius pppoe nas-port-format unique, and radius vlan nas-port-format stacked commands in Configuring RADIUS Attributes.

[6]

Service-Type

  • Type of service the user has requested or the type of service to be provided
  • Admin, Login, NAS Prompt, or Framed only

[7]

Framed-Protocol

  • Framing protocol used for framed access
  • Standard value of 1 set for PPP
  • Nonstandard value of 1008 set for dynamic ATM

[8]

Framed-IP-Address

  • IP address to be configured for the user
  • 0.0.0.0 or absence is interpreted as 255.255.255.254
  • See the radius include framed-ip-add acct-start command in Configuring RADIUS Attributes.

[9]

Framed-IP-Netmask

  • IP network to be configured for the user when the user is a router to a network
  • Absence implies 255.255.255.255

[11]

Filter-Id

  • Name of the filter list for the user
  • Interpreted as input policy name

[12]

Framed-MTU

  • The maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP).
  • When sent in an Access-Request with an EAP-Message, indicates the maximum size of the EAP-Message string that the external server supports.

[13]

Framed-Compression

Always set to none.

[18]

Reply-Message

  • Text that may be displayed to the user
  • Only the first instance of this attribute is used

[22]

Framed-Route

String that provides routing information to be configured for the user on the NAS; in the format:

<addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]

[24]

State

  • An arbitrary value that the router includes in new Access-Request packets from the previous Accept-Challenge
  • Applicable for CLI, telnet, or EAP message exchange

[25]

Class

An arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server

[26]

Vendor-Specific

Juniper Networks Enterprise number 0x0000130A

[27]

Session-Timeout

Maximum number of consecutive seconds of service to be provided to the user before termination of the session

[28]

Idle-Timeout

Maximum number of consecutive seconds of idle connection provided to the user before termination of the session

[30]

Called-Station-Id

  • Allows the NAS to send the phone number that the user called
  • Not supported for nontunneled or LAC session side
  • For the LNS, the format is the string passed in the Called Number AVP
  • For RADIUS relay server, indicates the subscriber’s wireless access point

[31]

Calling-Station-Id

  • Allows the NAS to send the phone number from which the call originated
  • See the radius calling-station-format and the radius calling-station-delimiter commands in Configuring RADIUS Attributes.
  • For RADIUS relay server, indicates the subscriber’s MAC address

[32]

NAS-Identifier

  • Identifies the NAS originating the request
  • System-wide configurable hostname or VR-sensitive configurable NAS-identifier name

[33]

Proxy-State

E Series router’s port ID and IP address

[40]

Acct-Status-Type

Indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update)

[41]

Acct-Delay-Time

Indicates how many seconds the client has been trying to send a particular record

[42]

Acct-Input-Octets

  • Indicates how many octets have been received from the port during the time this service has been provided
  • IP subscriber manager—Statistics are reported
  • PPP—Statistics are counted according to the rules of the generic interface MIB

[43]

Acct-Output-Octets

  • Indicates how many octets have been sent to the port during the time this service has been provided
  • IP subscriber manager—Statistics are reported
  • PPP—Statistics are counted according to the rules of the generic interface MIB

[44]

Acct-Session-Id

  • Unique accounting identifier that makes it easy to match start and stop records in a log file
  • See the radius acct-session-id-format and the radius include acct-session-id access-request commands in Configuring RADIUS Attributes.

[45]

Acct-Authentic

  • Indicates how the user was authenticated: whether by RADIUS, the NAS itself, or another remote authentication protocol
  • Always 1

[46]

Acct-Session-Time

Indicates how long in seconds that the user has received service

[47]

Acct-Input-Packets

  • Indicates how many packets have been received from the port during the time this service has been provided to a framed user
  • IP subscriber manager—Statistics are reported
  • PPP—Statistics are counted according to the rules of the generic interface MIB

[48]

Acct-Output-Packets

  • Indicates how many packets have been sent to the port in the course of delivering this service to a framed user
  • IP subscriber manager—Statistics are reported
  • PPP—Statistics are counted according to the rules of the generic interface MIB

[49]

Acct-Terminate-Cause

Contains the reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:

  • User Request (1)—User initiated the disconnect (log out)
  • Idle Timeout (4)—Idle timer has expired
  • Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session
  • Admin Reset (6)—System administrator terminated the session
  • Port Error (8)—PVC failed; no hardware or no interface
  • NAS Error (9)—Negotiation failures, connection failures, or address lease expiration
  • NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, Tunnel disconnect, or an unaccounted-for error

[50]

Acct-Multi-Session-Id

  • String constructed from the Acct-Session-ID of the first PPP link established for the Multilink PPP bundle and the internal Multilink PPP bundle ID.
  • This string is the hexidecimal ASCII characters for two 4-octet unsigned integers. Example: 0a34331200001249.

[51]

Acct-Link-Count

A value that increments with each link that joins the MLPPP bundle. This attribute does not indicate the number of active links. For more details, see RFC 2866—RADIUS Accounting (June 2000).

[52]

Acct-Input-Gigawords

  • Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
  • IP subscriber manager—Statistics are reported
  • PPP—Statistics are counted according to the rules of the generic interface MIB

[53]

Acct-Output-Gigawords

  • Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update
  • IP subscriber manager—Statistics are reported
  • PPP—Statistics are counted according to the rules of the generic interface MIB

[55]

Event-Timestamp

Records the time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC

[60]

CHAP-Challenge

Contains the CHAP challenge sent by the NAS to a PPP CHAP user

[61]

NAS-Port-Type

  • Indicates the type of physical port the NAS is using to authenticate the user
  • See the radius dsl-port-type and the radius ethernet-port-type commands in Configuring RADIUS Attributes.

[62]

Port-Limit

Specifies the maximum number of MLPPP member links allowed for the subscriber

[64]

Tunnel-Type

  • Which tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator)
  • Only L2TP tunnels supported at this time

[65]

Tunnel-Medium-Type

  • Transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports
  • Only IPv4 supported at this time

[66]

Tunnel-Client-Endpoint

Address of the initiator end of the tunnel

[67]

Tunnel-Server-Endpoint

Address of the server end of the tunnel

[68]

Acct-Tunnel-Connection

  • Indicates the identifier assigned to the tunnel session
  • Value is L2TP call-serial number

[69]

Tunnel-Password

Password to be used to authenticate to a remote server

[77]

Connect-Info

Sent from the NAS to indicate the nature of the user’s connection

[79]

EAP-Message

Encapsulates EAP packets, which allows the NAS to authenticate users through EAP without having to understand the EAP protocol

[80]

Message-Authenticator

Must be used in any Access-Request, Access-Accept, Access-Reject or Access- Challenge messages that include EAP-Message attributes

[82]

Tunnel-Assignment-Id

Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned

[83]

Tunnel-Preference

  • If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute is included in each set to indicate the relative preference assigned to each tunnel.
  • Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only)

[85]

Acct-Interim-Interval

Number of seconds between each interim accounting update for this session

[86]

Acct-Tunnel-Packets-Lost

Number of packets lost on a given link

[87]

NAS-Port-Id

  • Text string that identifies the physical interface of the NAS that is authenticating the user
  • If the PPP user connects via ATM slot 12, port 2, subinterface 3, vpi 100, vci 101, then the NAS-Port-Id value in the RADIUS packets will be atm 12/2.3:100.101
  • If the user is a PPP user that started as a result of the E Series LNS feature (that is, no physical port), then the NAS-Port-Id value is as follows: media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session id:call serial number
    • For example: ip:172.81.1.98:172.81.1.99:18d:cb8:ce6:9f4:6
    • In this case, the local information refers to the LNS, and the peer information refers to the LAC
  • NAS-Port-Id usually contains one of the following:
    • atm <slot> / <port><.subinterface>:<vpi>.<vci>
    • FastEthernet <slot> / <port><.subinterface> [:<vlan>]
    • GigabitEthernet <slot> / <port><.subinterface> [<vlan>
    • serial <slot>/<port> [:<sonetPath> [/<sonetTributary (x/x/x)> [/<fractionalInterface>] ] ]
    • from LNS—ip:local ip:peer ip:local tid:peer tid:local sid:peer sid:call serial number

      tid—tunnel id

      sid—session id

NOTE: Releases before 4.0.0 did not pass the subinterface number to RADIUS for inclusion in the NAS-Port-Id. If you do not want the subinterface number to be included, you must enter the aaa intf-desc-format include sub-intf disable command to omit the subinterface.

[88]

Framed-Pool

Name of an assigned address pool that should be used to assign an address for the user

[90]

Tunnel-Client-Auth-Id

Name used by the tunnel initiator during the authentication phase of tunnel establishment

[91]

Tunnel-Server-Auth-Id

Name used by the tunnel terminator during the authentication phase of tunnel establishment

[96]

Framed-Interface-Id

IPv6 interface identifier configured by the user

[97]

Framed-Ipv6-Prefix

Provides the IPv6 prefix that is delegated to a downstream CPE

[99]

Framed-Ipv6-Route

Provides routing information to be configured for the user on the NAS

[100]

Framed-Ipv6-Pool

Name of the local address pool from which an IPv6 prefix is assigned to the requesting router

[101]

Error-Cause

4-octet field that contains an integer that specifies the cause of the error

[123]

Delegated-Ipv6-Prefix

IPv6 prefix to be delegated to clients using the DHCPv6 Prefix Delegation mechanism

[135]

Ascend-Primary-DNS

  • Indicates the IP address of the primary DNS
  • The format is 1 byte of type (135), 1 byte of length (length=6),
    4 bytes of value (IPv4 address)

[136]

Ascend-Secondary-DNS

  • Indicates the IP address of the secondary DNS
  • The format is 1 byte of type (136), 1 byte of length (length=6),
    4 bytes of value (IPv4 address)

[188]

Ascend-Num-In-Multilink

Current number of links in a multilink bundle

[242]

Ascend-Data-Filter

RADIUS policy definitions used to configure a policy to classify packet flows and perform filter, forward, packet marking, rate-limit profile, and traffic class actions

Copyright© 1999-2011 Juniper Networks, Inc. All rights reserved.