Technical Documentation

RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework

The AAA Service Framework supports RADIUS attributes and vendor-specific attributes (VSAs). These attributes provide the tunable parameters that the subscriber access management feature uses when creating subscribers and services.

RADIUS attributes are carried as part of standard RADIUS request and reply messages. The subscriber access management feature uses the RADIUS attributes to exchange specific authentication, authorization, and accounting information. VSAs allow the subscriber access management feature to pass implementation-specific information that provides extended capabilities, such as service activation or deactivation, and enabling and disabling filters.

Table 1 describes the supported RADIUS IETF attributes. Table 2 describes the supported Juniper Networks VSAs.

RADIUS IETF Attributes Supported by the AAA Service Framework

Table 1 describes the RADIUS IETF attributes supported by the JUNOS Software AAA Service Framework.

Table 1: Supported RADIUS IETF Attributes

Attribute Number Attribute Name Description

1  User-Name
    • Name of user to be authenticated
    • Configurable username override

2  User-Password
    • Password of user to be authenticated by Password Authentication Protocol (PAP)
    • Configurable password override

4  NAS-IP-Address
    IP address of the network access server (NAS) that is requesting authentication of the user

5  NAS-Port
    Physical port number of the NAS that is authenticating the user

6  Service-Type
    Type of service the user has requested or the type of service to be provided

8  Framed-IP-Address
    • IP address to be configured for the user
    • 0.0.0.0 or absence is interpreted as 255.255.255.254

9  Framed-IP-Netmask
    • IP network to be configured for the user when the user is a router to a network
    • Absence implies 255.255.255.255

11  Filter-ID
    • Name of the filter list for the user
    • Interpreted as input policy name

12  Framed-MTU
    • Maximum Transmission Unit to be configured for the user when it is not negotiated by some other means (such as PPP)
    • When sent in an Access-Request with an EAP-Message, indicates the maximum size of the EAP-Message string that the external server supports

18  Reply-Message
    • Text that may be displayed to the user
    • Only the first instance of this attribute is used

22  Framed-Route
    String that provides routing information to be configured for the user on the NAS, in the format:
    <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]

25  Class
    Arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server

27  Session-Timeout
    Maximum number of consecutive seconds of service to be provided to the user before termination of the session

32  NAS-Identifier
    NAS originating the request

40  Acct-Status-Type
    Indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or an interim update (Interim-Update)

41  Acct-Delay-Time
    Indicates how many seconds the client has been trying to send a particular record

42  Acct-Input-Octets
    Indicates how many octets have been received from the port during the time this service has been provided

43  Acct-Output-Octets
    Indicates how many octets have been sent to the port during the time this service has been provided

44  Acct-Session-ID
    Unique accounting identifier that makes it easy to match start and stop records in a log file. The identifier can be in one of the following formats:
    • decimal—For example, 435264
    • description—In the generic format, jnpr interface-specifier:subscriber-session-id; for example, jnpr fastEthernet 3/2.6:1010101010101

45  Acct-Authentic
    Indicates how the user was authenticated: whether by RADIUS, the NAS itself, or another remote authentication protocol

46  Acct-Session-Time
    Indicates how long, in seconds, the user has received service

47  Acct-Input-Packets
    Indicates how many packets have been received from the port during the time this service has been provided to a framed user

48  Acct-Output-Packets
    Indicates how many packets have been sent to the port in the course of delivering this service to a framed user

49  Acct-Terminate-Cause
    Contains the reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:
    • User Request (1)—User initiated the disconnect (log out)
    • Idle Timeout (4)—Idle timer has expired
    • Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session
    • Admin Reset (6)—System administrator terminated the session
    • Port Error (8)—PVC failed; no hardware or no interface
    • NAS Error (9)—Negotiation failures, connection failures, or address lease expiration
    • NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, tunnel disconnect, or an unaccounted-for error

52  Acct-Input-Gigawords
    Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update

53  Acct-Output-Gigawords
    Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update

55  Event-Timestamp
    Records the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC

61  NAS-Port-Type
    Indicates the type of physical port the NAS is using to authenticate the user

85  Acct-Interim-Interval
    Number of seconds between each interim accounting update for this session

87  NAS-Port-ID
    Text string that identifies the physical interface of the NAS that is authenticating the user

88  Framed-Pool
    Name of an assigned address pool that should be used to assign an address for the user
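The Framed-Route string format given for attribute 22 in Table 1 is easy to get wrong when a RADIUS server hands back a malformed value, so here is an added parser for it (example code written for this page, not part of the original documentation or of JUNOS Software). It accepts the optional nexthop, cost, tag and distance fields in the documented order and rejects anything else, including duplicate keywords, so that an unparseable route is refused rather than partly applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FramedRoute:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[ipaddress.IPv4Address] = None
    cost: Optional[int] = None
    tag: Optional[int] = None
    distance: Optional[int] = None


def _uint(text: str, name: str, bits: int = 32) -> int:
    """Decimal, non-negative and within the field width; anything else is rejected."""
    if not (text.isascii() and text.isdigit()) or int(text) >= 1 << bits:
        raise ValueError(f"bad {name} value {text!r}")
    return int(text)


def parse_framed_route(value: str) -> FramedRoute:
    """Parse <addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]."""
    tokens = value.split()
    if not tokens:
        raise ValueError("empty Framed-Route")
    addr = tokens.pop(0)
    if "/" not in addr:
        addr += "/32"          # no mask length given: treat as a host route
    # strict=True refuses a prefix with host bits set under the mask (ambiguous input)
    route = FramedRoute(prefix=ipaddress.IPv4Network(addr, strict=True))
    keywords = ("tag", "distance")
    # <nexthop> and <cost> are positional; a cost is only valid after a nexthop
    if tokens and tokens[0] not in keywords:
        route.nexthop = ipaddress.IPv4Address(tokens.pop(0))
        if tokens and tokens[0] not in keywords:
            route.cost = _uint(tokens.pop(0), "cost")
    # whatever remains must be keyword/value pairs, each keyword at most once
    while tokens:
        key = tokens.pop(0)
        if key not in keywords or not tokens:
            raise ValueError(f"unexpected token {key!r}")
        if getattr(route, key) is not None:
            raise ValueError(f"duplicate {key}")
        setattr(route, key, _uint(tokens.pop(0), key))
    return route
```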

Juniper Networks VSAs Supported by the AAA Service Framework

Table 2 describes Juniper Networks VSAs supported by the JUNOS Software AAA Service Framework. The AAA Service Framework uses vendor ID 4874, which is assigned to Juniper Networks by the Internet Assigned Numbers Authority (IANA).
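Every "26-N" entry in Table 2 is carried inside RADIUS attribute 26 (Vendor-Specific) with vendor ID 4874, followed by a sub-attribute whose vendor type is N. The following added example (written for this page; it is not JUNOS Software code and covers only a handful of Table 2 entries) encodes such an attribute and decodes it with the length checks a NAS or log parser should apply before trusting the value. One sub-attribute is encoded per attribute; the decoder also walks several sub-attributes packed into one attribute, which RFC 2865 permits.

```python
import struct

JUNIPER_VENDOR_ID = 4874  # IANA-assigned vendor ID used by the AAA Service Framework (from the page)

# Subset of Table 2: vendor type N from the "26-N" column. Entries not in INTEGER_VSAS are strings.
VSA_NAMES = {10: "Ingress-Policy-Name", 11: "Egress-Policy-Name",
             12: "Ingress-Statistics", 13: "Egress-Statistics",
             65: "Activate-Service", 66: "Deactivate-Service"}
INTEGER_VSAS = {12, 13}  # carried as a 4-octet big-endian integer (0=disable, 1=enable)

def encode_juniper_vsa(vendor_type: int, value) -> bytes:
    """Build one Vendor-Specific (type 26) attribute holding one Juniper sub-attribute."""
    if vendor_type in INTEGER_VSAS:
        payload = struct.pack("!I", value)
    else:
        payload = str(value).encode("utf-8")
    # sub-attribute: Vendor-Type (1 octet), Vendor-Length (1 octet, includes this header), value
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-octet RADIUS attribute limit")
    # outer attribute: Type=26, Length (includes this header), Vendor-Id (4 octets), sub-attribute
    return struct.pack("!BB", 26, 2 + len(body)) + body

def decode_juniper_vsas(attr: bytes) -> list:
    """Return [(vendor_type, name, value), ...] from one type-26 attribute, refusing malformed input."""
    # 2 (header) + 4 (Vendor-Id) + 2 (sub-attribute header) is the smallest legal attribute
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != JUNIPER_VENDOR_ID:
        raise ValueError(f"vendor ID {vendor_id} is not Juniper Networks (4874)")
    out, pos = [], 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError(f"sub-attribute {vtype} length {vlen} out of bounds")
        payload = attr[pos + 2:pos + vlen]
        if vtype in INTEGER_VSAS:
            if len(payload) != 4:
                raise ValueError(f"sub-attribute {vtype} must carry exactly 4 octets")
            value = struct.unpack("!I", payload)[0]
        else:
            value = payload.decode("utf-8")
        out.append((vtype, VSA_NAMES.get(vtype, f"Unknown-{vtype}"), value))
        pos += vlen
    return out
```

The service name "premium-video" used in the test is a constructed sample, not a service defined anywhere on this page.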

Table 2: Supported Juniper Networks VSAs

Attribute Number Attribute Name Description Value

26-4  Primary-DNS
    Client DNS address negotiated during IPCP
    Value (integer): 4-byte primary-dns-address

26-5  Secondary-DNS
    Client DNS address negotiated during IPCP
    Value (integer): 4-byte secondary-dns-address

26-6  Primary-WINS
    Client WINS (NBNS) address negotiated during IPCP
    Value (integer): 4-byte primary-wins-address

26-7  Secondary-WINS
    Client WINS (NBNS) address negotiated during IPCP
    Value (integer): 4-byte secondary-wins-address

26-10  Ingress-Policy-Name
    Input policy name to apply to client interface
    Value (string): input-policy-name

26-11  Egress-Policy-Name
    Output policy name to apply to client interface
    Value (string): output-policy-name

26-12  Ingress-Statistics
    Enable or disable input statistics on client interface
    Value (integer):
    • 0=disable
    • 1=enable

26-13  Egress-Statistics
    Enable or disable output statistics on client interface
    Value (integer):
    • 0=disable
    • 1=enable

26-23  IGMP-Enable
    Enable or disable IGMP on a client interface
    Value (integer):
    • 0=disable
    • 1=enable

26-34  Framed-IP-Route-Tag
    Route tag to apply to returned framed-ip-address
    Value (integer): 4-octet

26-42  Input-Gigapackets
    Number of times input-packets attribute rolls over its 4-octet field
    Value: integer

26-43  Output-Gigapackets
    Number of times output-packets attribute rolls over its 4-octet field
    Value: integer

26-56  DHCP-MAC-Address
    Client MAC address
    Value (string): mac-address

26-57  DHCP-GI-Address
    DHCP relay agent IP address
    Value (integer): 4-octet

26-63  Interface
    Text string that identifies the subscriber's access interface
    Value (string): interface-description

26-65  Activate-Service
    Service to activate for the subscriber
    Value (string): service-name

26-66  Deactivate-Service
    Service to deactivate for the subscriber
    Value (string): service-name

26-70  Ignore-DF-Bit
    Enable or disable the ignore don't fragment (DF) bit feature on a client interface
    Value (integer):
    • 0=disable
    • 1=enable

26-71  IGMP-Access-Group-Name
    Access list to use for the group (G) filter
    Value (string): 32-octet

26-72  IGMP-Access-Source-Group-Name
    Access list to use for the source-group (S,G) filter
    Value (string): 32-octet

26-74  MLD-Access-Group-Name
    Access list to use for the group (G) filter
    Value (string): 32-octet

26-75  MLD-Access-Source-Group-Name
    Access list to use for the source-group (S,G) filter
    Value (string): 32-octet

26-77  MLD-Version
    MLD protocol version
    Value (integer): 1-octet
    • 1=MLD version 1
    • 2=MLD version 2

26-78  IGMP-Version
    IGMP protocol version
    Value (integer): 1-octet
    • 1=IGMP version 1
    • 2=IGMP version 2
    • 3=IGMP version 3

26-83  Acct-Service-Session
    Name of the service (including parameter values) that is associated with service manager statistics
    Value (string): service-name

26-97  IGMP-Immediate-Leave
    IGMP immediate leave
    Value (integer): 4-octet
    • 0=disable
    • 1=enable

26-100  MLD-Immediate-Leave
    MLD immediate leave
    Value (integer): 4-octet
    • 0=disable
    • 1=enable

Published: 2009-07-15