Defining RADIUS Packets for Flexible RADIUS Plug-Ins


Flexible RADIUS Plug-Ins Overview

With flexible RADIUS accounting and authentication plug-ins, you can define the content of RADIUS packets that the service activation engine (SAE) sends to RADIUS servers. You can specify which attributes are included in different types of RADIUS packets (for example, session Start or Stop requests, or Accounting-On or Accounting-Off requests). You can also specify what information is contained in the attribute fields.

A RADIUS attribute configuration consists of RADIUS attribute instances. Each instance defines attributes for a specific type of packet—for example, Start requests or Accounting-Off requests.

Within each attribute instance, you define individual RADIUS attributes. The following is a RADIUS attribute instance for authentication requests:

Each RADIUS packet template can consist of multiple RADIUS attribute instances.

Using Default RADIUS Templates

The SRC module comes with two default templates:

  • stdAcct—Defines RADIUS accounting packets and is used in the default RADIUS flexible accounting plug-in instance flexRadiusAcct

  • stdAuth—Defines RADIUS authentication packets and is used in the default RADIUS flexible authentication plug-in instance flexRadiusAuth

Naming RADIUS Attribute Instances

Attribute instances define attributes for a specific type of RADIUS packet. The name that you assign to an attribute instance specifies the type of packet to which the attribute definition is applied. Table 12 lists the available packet types.

Table 12: RADIUS Attribute Instance Names

Attribute Instance (Packet Type)

Type of RADIUS Packet to Which Attribute Definition Is Applied


Any accounting request


Any authentication request


Any authorization response


DHCP response


Accounting-Off requests


Accounting-On requests


Accounting-On or Accounting-Off requests


Start requests


Start, Stop, or Interim Update requests


Stop or Interim Update requests


Service Session Start, Stop, or Interim requests


Any service authorization response


Service Session Start requests


Service Session Stop or Interim requests


Subscriber Session Start, Stop, or Interim requests


Any subscriber authorization response


Subscriber Session Start requests


Subscriber Session Stop, or Interim requests

Defining RADIUS Attributes

RADIUS attribute definitions consist of a RADIUS attribute and a value for the RADIUS attribute.

You can define values for standard RADIUS attributes or JunosE vendor-specific attributes (VSAs).

Standard RADIUS Attributes

For standard RADIUS attributes, use a name or number as defined in RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000), RFC 2866—RADIUS Accounting (June 2000), or RFC 2869—RADIUS Extensions (June 2000). For a full list, see

Juniper Networks VSAs

For Juniper Networks VSAs, use one of the following formats:

  • Vendor-Specific.4874.<vsa#>.<type>

  • 26.4874.<vsa#>.<type>

where <type> is one of the following:

  • text—Indicates that the value is 1–253 octets containing UTF-8 encoded characters

  • string—Indicates that the value is 1–253 octets containing binary data

  • address—Indicates that the value is a 32-bit value

  • integer—Indicates that the value is a 32-bit unsigned value

  • time—Indicates that the value is a 32-bit unsigned value, seconds since 00:00:00 UTC, January 1, 1970
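The name formats and value types listed above, worked through as an added Python example (not SRC code or configuration): it parses a VSA attribute name, checks the value against its `<type>`, and builds the Vendor-Specific attribute bytes using RFC 2865 framing. The function names and the sample value `gold` are assumptions; the 247-octet limit is what that framing leaves for data inside one Vendor-Specific attribute, which is tighter than the 253 octets of a standard attribute.

```python
import ipaddress
import re
import struct

JUNIPER_VENDOR_ID = 4874  # vendor number that appears in both name formats
VSA_NAME = re.compile(
    r"(?:Vendor-Specific|26)\.(\d+)\.(\d+)\.(text|string|address|integer|time)")
MAX_VSA_DATA = 255 - 2 - 4 - 2  # attribute header, Vendor-Id, sub-attribute header

def parse_vsa_name(name):
    """Split an attribute name into (vendor_id, vsa_number, value_type)."""
    match = VSA_NAME.fullmatch(name)
    if not match:
        raise ValueError("not a VSA attribute name: %r" % name)
    vendor, vsa = int(match.group(1)), int(match.group(2))
    if vendor != JUNIPER_VENDOR_ID:
        raise ValueError("unexpected vendor number %d" % vendor)
    if not 1 <= vsa <= 255:
        raise ValueError("VSA number %d does not fit in one octet" % vsa)
    return vendor, vsa, match.group(3)

def encode_value(value_type, value):
    """Encode a value according to the <type> suffix of the attribute name."""
    if value_type == "text":
        data = value.encode("utf-8")
    elif value_type == "string":
        data = bytes(value)
    elif value_type == "address":
        data = ipaddress.IPv4Address(value).packed
    else:  # integer and time are both 32-bit unsigned
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("%s value out of 32-bit range" % value_type)
        data = struct.pack("!I", value)
    if not 1 <= len(data) <= MAX_VSA_DATA:
        raise ValueError("value is %d octets, limit is %d" % (len(data), MAX_VSA_DATA))
    return data

def encode_vsa(name, value):
    """Build the complete Vendor-Specific (type 26) attribute."""
    vendor, vsa, value_type = parse_vsa_name(name)
    data = encode_value(value_type, value)
    sub = struct.pack("!BB", vsa, len(data) + 2) + data
    return struct.pack("!BBI", 26, len(sub) + 6, vendor) + sub

# Constructed sample: VSA 31 carried as text
SAMPLE = encode_vsa("26.4874.31.text", "gold")
```
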

The following is an example of RADIUS attribute instances that define RADIUS VSAs.

Defining the Values of RADIUS Attributes

The values of RADIUS attributes can be a standard value (see Table 13) or an expression. Expressions are evaluated with Python. For example: lowWord(inOctets) extracts the lower 32 bits of the 64-bit inOctets counter. You can define multiple values for an expression in a comma-separated list.

Table 13: Standard Values for RADIUS Attributes


Type of Plug-In



User and service tracking



Service tracking



User authorization and service accounting

This attribute must be configured in the RADIUS Access-Request packet with an empty value. The RADIUS server sends a unique value with the RADIUS Access-Response packet. This attribute value in the RADIUS Accounting-Request packet is used for service accounting.


User and service tracking

Provides access to the DHCP packet. See Sending DHCP Options to the JunosE Router for details.





User and service tracking

Seconds since 1970-01-01T00:00Z


User and service tracking



User and service tracking



Service tracking

64-bit counter


Service tracking



User and service tracking



User and service tracking



User and service tracking



Service tracking

64-bit counter


Service tracking



Service tracking

64-bit counter


Service tracking




Configured NAS-ID



Configured NAS-IP


User and service authorization

ID provided by the subscriber; the loginId value is not separated into UID and domain name.


User and service tracking

Name that the subscriber uses to log in to the portal


User and service tracking

NAS IP address of the router


User and service tracking

32-bit integer


Service tracking

64-bit counter


Service tracking



User and service authorization



User and service tracking

ID of the port on the JunosE router—for example, FastEthernet 3/1:2001


User and service tracking

Name that the subscriber uses for DHCP/PPP authentication


User tracking, user and service authorization

For service tracking, this value is taken from the RADIUS Access-Accept response. If the response does not contain a value, the RADIUS class defined in the service definition is used.

This attribute can be set by an authorization response.


User and service authorization

This attribute can only be set.


User and service tracking



User tracking and authorization

This attribute can be set by an authorization response.


Service tracking

Sets an arbitrary attribute (for example, class) to the name of the service


Service tracking

Named service session; empty for default session


Service tracking



User and service tracking



User and service tracking



User tracking, user and service authorization

This attribute can be set by an authorization response.


User authorization

This attribute can only be set. It is sent to session tracking events and can be returned by service authorization events. It can be set and retrieved through the portal API and can also be defined through an LDAP attribute in the service definition.

If the attribute is defined multiple times, the following precedence is observed:

  1. Service definition (lowest)

  2. Authorization

  3. API call (highest)

    NOTE: The SAE does not enforce a volume quota directly; it only makes the attribute available to an external application that can control the volume quota.


User authorization



DHCP authorization



User authorization



User authorization

This attribute can only be set.


DHCP authorization



User and service authorization



User and service authorization



User and service authorization



User authorization



User authorization



User authorization

Text. Substitutions can be set only for service sessions.


User authorization



DHCP authorization



User and service tracking



User and service tracking



User and service authorization



User and service tracking



User and service tracking



User and service tracking



Service tracking

RADIUS class of the associated subscriber session


Service tracking

RADIUS session ID of the associated subscriber session

Configuring a RADIUS Packet Template (SRC CLI)

You can define RADIUS packets for flexible RADIUS accounting and authentication plug-ins in two ways.

  • Define attributes in a template, and then apply the template to flexible RADIUS accounting and authentication plug-ins.

  • Define attributes in the packet definition configuration of a flexible plug-in instance. These definitions override definitions in packet templates.

Use the following configuration statements to configure a RADIUS packet template:

To configure a template:

  1. From configuration mode, access the RADIUS packet template configuration. In this sample procedure, the stdAcct template is configured in the west-region service activation engine (SAE) group.

  2. Create an attribute instance using the names in Flexible RADIUS Plug-Ins Overview, and enter the configuration for the RADIUS attribute instance.

  3. Add RADIUS attribute definitions to the attribute instance. Repeat this step for each attribute.

    For example:

  4. (Optional) Verify the configuration of your attribute instance.

  5. (Optional) Verify the configuration of the RADIUS packet template.


    Configure any one of the following values to set the Chargeable-User-Identity attribute value in the accounting-request packet:

    • userSessionProperties.CUI

    • getUserSessionProperties().CUI

    • getUserSessionProperties().get("CUI")

    • getUserSessionProperties()[CUI]

    • userSessionProperties().CUI

Using Flexible RADIUS Packet Definitions

This topic shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.

  • To use the Challenge Handshake Authentication Protocol (CHAP) to authenticate subscribers, include the Chap-Password and optionally the Chap-Challenge attributes in authentication requests. (We recommend that you use Chap-Password only. Use Chap-Challenge only if required.) To use a CHAP password, include the following in attribute instance auth:

  • To cause the Calling-Station-Id attribute to use the subscriber’s MAC address:

  • To set the value to prefix N followed by the service name and the prefix S followed by the service session name:

  • To construct a value for the Nas-Port-Id attribute by concatenating the value of routerName, a space, and the Nas-Port-ID on the router:

    For example, the constructed value might be:

  • The following example sets the User-Name attribute as follows:

    • Sets the value to accountingId, or

    • If accountingId is empty, sets the value to loginName, or

    • If loginName is also empty, sets the value to NN

  • To extract the lower 32 bits of the 64-bit inOctets counter:

  • To set the counter fields in the RADIUS packet to the appropriate 32-bit values:

    • The inOctets and outOctets are 64-bit values and must be split into lower 32-bit (Acct-*-Octets) and upper 32-bit (Acct-*-Gigawords) values.

    • The inPacket and outPacket counters are 32-bit values and can be assigned directly.

    • The ipv6InOctets and ipv6OutOctets are 64-bit values and must be split into lower 32-bit (Ipv6-Acct-*-Octets) and upper 32-bit (Ipv6-Acct-*-Gigawords) values.

    • The ipv6InPackets and ipv6OutPackets counters are 32-bit values and can be assigned directly.

  • You can map user session property values to the SAE radius-packet-template for the service tracking plug-in.

    • If the user property attribute contains a hyphen (-), use the following format:

    • If the user property attribute does not contain a hyphen (-), use the following format:
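The counter split described in the list above (Acct-*-Octets and Acct-*-Gigawords), as an added Python example that is not SRC code: it maps the 64-bit octet counters and 32-bit packet counters to accounting fields, then shows what a collector reconstructs when the Gigawords field is left out. The function names, the `high_word` helper, and the session values are assumptions made for illustration.

```python
MAX32 = 0xFFFFFFFF
MAX64 = 0xFFFFFFFFFFFFFFFF

def low_word(counter):
    """Lower 32 bits; the role lowWord() plays in the expression on the page."""
    return counter & MAX32

def high_word(counter):
    """Upper 32 bits (hypothetical helper name, not taken from the page)."""
    return (counter >> 32) & MAX32

def counter_attrs(session):
    """Map session counters to the 32-bit accounting fields."""
    attrs = {}
    for direction, octets_key, packets_key in (
            ("Input", "inOctets", "inPacket"),
            ("Output", "outOctets", "outPacket")):
        octets, packets = session[octets_key], session[packets_key]
        if not 0 <= octets <= MAX64:
            raise ValueError("%s is not a 64-bit counter" % octets_key)
        if not 0 <= packets <= MAX32:
            raise ValueError("%s is not a 32-bit counter" % packets_key)
        attrs["Acct-%s-Octets" % direction] = low_word(octets)
        attrs["Acct-%s-Gigawords" % direction] = high_word(octets)
        attrs["Acct-%s-Packets" % direction] = packets
    return attrs

def total_octets(attrs, direction):
    """Collector side: rebuild the 64-bit count; a missing Gigawords field reads as 0."""
    high = attrs.get("Acct-%s-Gigawords" % direction, 0)
    return (high << 32) | attrs["Acct-%s-Octets" % direction]

# Constructed sample session: a little over 20 GiB in, just under 4 GiB out
SESSION = {"inOctets": 5 * 2**32 + 1234, "inPacket": 17000000,
           "outOctets": 2**32 - 1, "outPacket": 900000}
ATTRS = counter_attrs(SESSION)
```

If a packet definition sends only the Octets field, the collector's total silently wraps every 4 GiB, so usage-based billing and volume checks under-count long sessions.
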

Setting Values in Authentication Response Packets

You can use some special attribute values to set values in authentication response packets. For example:

  • setRadiusClass(ATTR)

  • setSessionTimeout(ATTR)

  • setSessionVolumeQuota(ATTR)

Flexible RADIUS Plug-Ins Overview lists the types of packets (authresp, userresp, or svcresp) in which you can use these values.

When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.

Below are some examples.

  • To set a session timeout:

  • To set the RADIUS class:

  • To set the service bundle in VSA 31:

  • To set the session volume quota:

Selecting IP Address Pools Using DHCP Response Packets

For DHCP subscribers, you can set up RADIUS authorization plug-ins to return attributes to the router that can be used to select a DHCP address, such as the framed IP address and the address pool. You can also set up the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.

  • Framed IP address—Selects the pool from which the address is allocated; if the framed IP address is not available, the DHCP server allocates the next available address in the pool; use the setUserIpAddress value.

  • Framed IP pool—Name of the address pool on the router from which an IP address is assigned; use the setPoolName value.

  • Virtual router name—Name of the virtual router on which the address pool is located; use the setAuthVirtualRouterName value.

You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.


Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.