Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

RADIUS IETF Attributes Supported by the AAA Service Framework

Table 1 describes the RADIUS IETF attributes that the Junos OS AAA Service Framework supports.

Note: A “Yes” entry in the Dynamic CoA Support column indicates that the attribute can be dynamically configured by Access-Accept messages and dynamically modified by CoA-Request messages.

Table 1: Supported RADIUS IETF Attributes

Attribute Number

Attribute Name

Description

Dynamic CoA
Support

1

User-Name

  • Name of user to be authenticated.
  • Configurable username override.

No

2

User-Password

  • Password of user to be authenticated by Password Authentication Protocol (PAP).
  • Configurable password override.

No

4

NAS-IP-Address

IP address of the network access server (NAS) that is requesting authentication of the user.

No

5

NAS-Port

Physical port number of the NAS that is authenticating the user.

For a tunneled PPP user in an L2TP LNS session, there is no physical port. In this case, the port value is reported as 4194303.

No

6

Service-Type

Type of service the user has requested or the type of service to be provided.

No

8

Framed-IP-Address

  • IP address to be configured for the user.
  • 0.0.0.0 or absence is interpreted as 255.255.255.254.

No

9

Framed-IP-Netmask

  • IP network to be configured for the user when the user is a router or switch to a network.
  • Absence implies 255.255.255.255.

No

11

Filter-Id

Name of a subscriber firewall filter, formatted as follows:

  • For an IPv4 input filter—IPv4-ingress:ingress-filter-name
  • For an IPv4 output filter—IPv4-egress:egress-filter-name
  • For an IPv6 input filter—IPv6-ingress:ingress-filter-name
  • For an IPv6 output filter—IPv6-egress:egress-filter-name

RADIUS accounting request messages, Acct-Start and Acct-Stop, can include more than one Filter-Id attribute, one of each of the listed types.

However, RADIUS Access-Accept messages can include only one attribute instance. The value is always treated as an IPv4 input filter name.

Yes

18

Reply-Message

  • Text that may be displayed to the user.
  • Only the first instance of this attribute is used.

No

22

Framed-Route

String that provides routing information to be configured for the user on the NAS in the format:

<addr>[/<maskLen>] [<nexthop> [<cost>]] [tag <tagValue>] [distance <distValue>]

Yes

25

Class

Arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server.

No

27

Session-Timeout

Maximum number of consecutive seconds of service to be provided to the user before termination of the session.

No

31

Calling-Station-ID

Phone number from which the call originated.

No

32

NAS-Identifier

NAS originating the request.

No

40

Acct-Status-Type

Whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update).

No

41

Acct-Delay-Time

Number of seconds the client has been trying to send a particular record.

No

42

Acct-Input-Octets

Number of octets that have been received from the port during the time this service has been provided.

No

43

Acct-Output-Octets

Number of octets that have been sent to the port during the time this service has been provided.

No

44

Acct-Session-ID

Unique accounting identifier that makes it easy to match start and stop records in a log file. The identifier can be in one of the following formats:

  • decimal—For example, 435264
  • description—In the generic format, jnpr interface-specifier:subscriber-session-id; For example, jnpr fastEthernet 3/2.6:1010101010101

No

45

Acct-Authentic

Method by which user was authentication: whether by RADIUS, the NAS itself, or another remote authentication protocol.

No

46

Acct-Session-Time

Number of seconds that the user has received service

No

47

Acct-Input-Packets

Number of packets that have been received from the port during the time this service has been provided to a framed user.

No

48

Acct-Output-Packets

Number of packets that have been sent to the port in the course of delivering this service to a framed user.

No

49

Acct-Terminate-Cause

Reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:

  • User Request (1)—User initiated the disconnect (log out).
  • Idle Timeout (4)—Idle timer has expired.
  • Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session.
  • Admin Reset (6)—System administrator terminated the session.
  • Port Error (8)—PVC failed; no hardware or no interface.
  • NAS Error (9)—Negotiation failures, connection failures, or address lease expiration.
  • NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP bundle failure, IP address lease expiration, PPP keep-alive failure, tunnel disconnect, or an unaccounted-for error.

No

52

Acct-Input-Gigawords

Number of times the Acct-Input-Octets counter has wrapped around 232 during the time this service has been provided. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update.

No

53

Acct-Output-Gigawords

Number of times the Acct-Output-Octets counter has wrapped around 232 in the course of delivering this service. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update.

No

55

Event-Timestamp

Time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC.

No

61

NAS-Port-Type

Type of physical port the NAS is using to authenticate the user.

For a tunneled PPP user in an L2TP LNS session, there is no physical port. In this case, the port type is Virtual.

No

64

Tunnel-Type

  • Tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol already in use (in the case of a tunnel terminator).
  • Only L2TP tunnels are currently supported.

No

65

Tunnel-Medium-Type

  • Transport medium to use when creating a tunnel for protocols that can operate over multiple transports.
  • Only IPv4 is currently supported.

No

66

Tunnel-Client-Endpoint

Address of the initiator end of the tunnel (LAC).

No

67

Tunnel-Server-Endpoint

Address of the server end of the tunnel (LNS).

No

69

Tunnel-Password

Encrypted password used to authenticate to a remote server. Recommended over using VSA Tunnel-Password [26-9] because of the encryption. Do not use both this attribute and the VSA.

No

82

Tunnel-Assignment -Id

Tunnel to which a session is assigned. When user profiles share the same values for Tunnel-Assignment-Id, Tunnel-Server-Endpoint, and Tunnel-Type, the LAC can group these users into the same tunnel. This grouping enables fewer tunnels to be created. (LAC)

No

83

Tunnel-Preference

  • Included in each set of tunneling attributes to indicate the relative preference assigned to each tunnel when more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator.
  • Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets (LAC only).

No

85

Acct-Interim-Interval

Number of seconds between each interim accounting update for this session.

The router uses the following guidelines for interim accounting:

  • Attribute value is within the acceptable range (from 600 through 86,400 seconds)—Accounting is updated at the specified interval.
  • Attribute value of 0—No RADIUS accounting is performed.
  • Attribute value is less than the minimum acceptable value—Accounting is updated at the minimum interval (600 seconds).
  • Attribute value is greater than the maximum acceptable value—Accounting is updated at the maximum interval (86,400 seconds).

Note: Values are rounded up to the next higher multiple of 10 minutes. For example, a setting of 900 seconds (15 minutes) is rounded up to 20 minutes (1200 seconds).

No

87

NAS-Port-Id

Text string that identifies the physical interface of the NAS that is authenticating the user.

For a tunneled PPP user in an L2TP LNS session, there is no physical port, and the NAS-Port-Id value has the following format:
media:local address:peer address:
local tunnel id:peer tunnel id:
local session id:peer session id:
call serial number. For example,
Ip:172.20.0.1:192.168.0.2:
3341:21031:16138:11846:2431.
The local information refers to the LNS and the peer information refers to the LAC.

No

88

Framed-Pool

Name of an assigned address pool to use to assign an address for the user.

No

90

Tunnel-Client-Auth-Id

Name of the tunnel initiator (LAC) used during the authentication phase of tunnel establishment.

No

91

Tunnel-Server-Auth-Id

Name of the tunnel terminator (LNS) used during the authentication phase of tunnel establishment.

No

95

NAS-IPv6-Address

Address of the NAS that is requesting authentication of the user.

No

96

Framed-Interface-ID

Interface identifier that is configured for the user.

No

97

Framed-IPv6-Prefix

IPv6 prefix and address that are configured for the user. Prefix lengths of 128 are associated with host addresses. Prefix lengths less than 128 are associated with NDRA prefixes.

No

98

Login-IPv6-Host

System the user connects to when the Login-Service attribute is included.

No

99

Framed-IPv6-Route

IPv6 routing information that is configured for the user.

Yes

100

Framed-IPv6-Pool

Name of the assigned pool used to assign the address and IPv6 prefix for the user.

No

123

Delegated-IPv6-Prefix

IPv6 prefix that is delegated to the user.

No

242

Ascend-Data-Filter

Binary data that specifies RADIUS policy definitions.

Yes

 

Related Documentation

 

Published: 2013-07-31

Previous Page Next Page