exclude (RADIUS Attributes)
Syntax
exclude {
acc-aggr-cir-id-asc [ access-request | accounting-start | accounting-stop ];
acc-aggr-cir-id-bin [ access-request | accounting-start | accounting-stop ];
acc-loop-cir-id [ access-request | accounting-start | accounting-stop ];
acc-loop-encap [ access-request | accounting-start | accounting-stop ];
acc-loop-remote-id [ access-request | accounting-start | accounting-stop ];
accounting-authentic [ accounting-off | accounting-on | accounting-start | accounting-stop ]
accounting-delay-time [ accounting-off | accounting-on | accounting-start | accounting-stop ];
accounting-session-id access-request;
accounting-terminate-cause accounting-off;
acct-request-reason [ accounting-start | accounting-stop ];
acct-tunnel-connection [ access-request | accounting-start | accounting-stop ];
act-data-rate-dn [ access-request | accounting-start | accounting-stop ];
act-data-rate-up [ access-request | accounting-start | accounting-stop ];
act-interlv-delay-dn [ access-request | accounting-start | accounting-stop ];
act-interlv-delay-up [ access-request | accounting-start | accounting-stop ];
att-data-rate-dn [ access-request | accounting-start | accounting-stop ];
att-data-rate-up [ access-request | accounting-start | accounting-stop ];
called-station-id [ access-request | accounting-start | accounting-stop ];
calling-station-id [ access-request | accounting-start | accounting-stop ];
chargeable-user-identity access-request;
class [ accounting-start | accounting-stop ];
cos-shaping-rate [ accounting-start | accounting-stop ];
delegated-ipv6-prefix [ accounting-start | accounting-stop ];
dhcp-gi-address [ access-request | accounting-start | accounting-stop ];
dhcp-header access-request;
dhcp-mac-address [ access-request | accounting-start | accounting-stop ];
dhcp-options [ access-request | accounting-start | accounting-stop ];
dhcpv6-header access-request;
dhcpv6-options [ access-request | accounting-start | accounting-stop ];
downstream-calculated-qos-rate [ access-request | accounting-start | accounting-stop ];
dsl-forum-attributes [ access-request | accounting-start | accounting-stop ];
dsl-line-state [ access-request | accounting-start | accounting-stop ];
dsl-type [ access-request | accounting-start | accounting-stop ];
dynamic-iflset-name [ accounting-start | accounting-stop ];
event-timestamp [ accounting-off | accounting-on | accounting-start | accounting-stop ];
filter-id [ accounting-start | accounting-stop ];
first-relay-ipv4-address [ access-request | accounting-start | accounting-stop ];
first-relay-ipv6-address [ access-request | accounting-start | accounting-stop ];
framed-interface-id [ access-request | accounting-start | accounting-stop ];
framed-ip-address [ access-request | accounting-start | accounting-stop ];
framed-ip-netmask [ access-request | accounting-start | accounting-stop ];
framed-ip-route [ accounting-start | accounting-stop ];
framed-ipv6-address [ access-request | accounting-start | accounting-stop ];
framed-ipv6-pool [ accounting-start | accounting-stop ];
framed-ipv6-prefix [ accounting-start | accounting-stop ];
framed-ipv6-route [ accounting-start | accounting-stop ];
framed-pool [ accounting-start | accounting-stop ]; input-ipv6-gigawords accounting-stop;
input-filter [ accounting-start | accounting-stop ];
input-gigapackets accounting-stop;
input-gigawords accounting-stop;
input-ipv6-octets accounting-stop;
input-ipv6-packets accounting-stop;
interface-description [ access-request | accounting-start | accounting-stop ];
l2c-downstream-data [ access-request | accounting-start | accounting-stop ];
l2c-upstream-data [ access-request | accounting-start | accounting-stop ];
l2tp-rx-connect-speed [ access-request | accounting-start | accounting-stop ];
l2tp-tx-connect-speed [ access-request | accounting-start | accounting-stop ];
max-data-rate-dn [ access-request | accounting-start | accounting-stop ];
max-data-rate-up [ access-request | accounting-start | accounting-stop ];
max-interlv-delay-dn [ access-request | accounting-start | accounting-stop ];
max-interlv-delay-up [ access-request | accounting-start | accounting-stop ];
min-data-rate-dn [ access-request | accounting-start | accounting-stop ];
min-data-rate-up [ access-request | accounting-start | accounting-stop ];
min-lp-data-rate-dn [ access-request | accounting-start | accounting-stop ];
min-lp-data-rate-up [ access-request | accounting-start | accounting-stop ];
nas-identifier [ access-request | accounting-off | accounting-on | accounting-start | accounting-stop ];
nas-port [ access-request | accounting-start | accounting-stop ];
nas-port-id [ access-request | accounting-start | accounting-stop ];
nas-port-type [ access-request | accounting-start | accounting-stop ];
output-filter [ accounting-start | accounting-stop ];
output-gigapackets accounting-stop;
output-gigawords accounting-stop;
output-ipv6-gigawords accounting-stop;
output-ipv6-octets accounting-stop;
output-ipv6-packets accounting-stop;
pppoe-description [ access-request | accounting-start | accounting-stop ];
standard-attribute number {
packet-type [ access-request | accounting-off | accounting-on | accounting-start | accounting-stop ];
}
tunnel-assignment-id [ access-request | accounting-start | accounting-stop ];
tunnel-client-auth-id [ access-request | accounting-start | accounting-stop ];
tunnel-client-endpoint [ access-request | accounting-start | accounting-stop ];
tunnel-medium-type [ access-request | accounting-start | accounting-stop ];
tunnel-server-auth-id [ access-request | accounting-start | accounting-stop ];
tunnel-server-endpoint [ access-request | accounting-start | accounting-stop ];
tunnel-type [ access-request | accounting-start | accounting-stop ];
upstream-calculated-qos-rate [ access-request | accounting-start | accounting-stop ];
vendor-id id-number {
vendor-attribute vsa-number {
packet-type [ access-request | accounting-off | accounting-on | accounting-start | accounting-stop ];
}
}
virtual-router [ access-request | accounting-start | accounting-stop ];
}
Hierarchy Level
[edit access profile profile-name radius attributes]
Description
Configure the router or switch to exclude the specified
attributes from being sent in the specified type of RADIUS message.
Exclusion can be useful, for example, for attributes that do not change
values over the lifetime of a subscriber. By not sending these attributes,
you reduce the packet size without losing information. Contrast this
behavior with that provided by the ignore statement.
You can specify attribute exclusion for multiple RADIUS message types by enclosing the message types, separated by spaces, within brackets ([ ]). You do not need brackets when specifying a single message type.
Starting in Junos OS Release 18.1R1, you can specify standard RADIUS attributes with the attribute number. You can specify VSAs with the IANA-assigned vendor ID and the VSA number. With this flexible configuration method, you can configure any standard attribute and VSA supported by your platform to be excluded. The configuration has no effect if you configure unsupported attributes, vendors, and VSAs.
The legacy method allows you to configure only those attributes and VSAs for which the statement syntax includes a specific option. Consequently, you can use the legacy method to exclude only a subset of all attributes that can be received in Access-Accept messages.
Not all attributes are available in all types of RADIUS messages.
If you exclude an attribute from Acct-Off messages, the attributes are then excluded from Interim-Acct messages.
VSAs with dedicated option names include Juniper Networks (IANA vendor ID 4874) and DSL Forum (vendor ID 3561) VSAs.
Options
RADIUS attribute—RADIUS standard attribute or VSA:
acc-aggr-cir-id-asc—Exclude Juniper Networks VSA 26-112, Acc-Aggr-Cir-Id-Asc.acc-aggr-cir-id-bin—Exclude Juniper Networks VSA 26-111, Acc-Aggr-Cir-Id-Bin.acc-loop-cir-id—Exclude Juniper Networks VSA 26-110, Acc-Loop-Cir-Id.acc-loop-encap—Exclude Juniper Networks VSA 26-183, Acc-Loop-Encap.acc-loop-remote-id—Exclude Juniper Networks VSA 26-182, Acc-Loop-Remote-Id.accounting-authentic—Exclude RADIUS attribute 45, Acct-Authentic.accounting-delay-time—Exclude RADIUS attribute 41, Acct-Delay-Time.accounting-session-id—Exclude RADIUS attribute 44, Acct-Session-Id.accounting-terminate-cause—Exclude RADIUS attribute 49, Acct-Terminate-Cause.acct-request-reason—Exclude Juniper Networks VSA 26-210, Acct-Request-Reason.acct-tunnel-connection—Exclude RADIUS attribute 68, Acct-Tunnel-Connection.act-data-rate-dn—Exclude Juniper Networks VSA 26-114, Act-Data-Rate-Dn.act-data-rate-up—Exclude Juniper Networks VSA 26-113, Act-Data-Rate-Up.act-interlv-delay-dn—Exclude Juniper Networks VSA 26-126, Act-Interlv-Delay-Dn.act-interlv-delay-up—Exclude Juniper Networks VSA 26-124, Act-Interlv-Delay-Up.att-data-rate-dn—Exclude Juniper Networks VSA 26-118, Att-Data-Rate-Dn.att-data-rate-up—Exclude Juniper Networks VSA 26-117, Att-Data-Rate-Up.called-station-id—Exclude RADIUS attribute 30, Called-Station-Id.calling-station-id—Exclude RADIUS attribute 31, Calling-Station-Id.chargeable-user-identity—Exclude RADIUS attribute 89, Chargeable-User-Identity.class—Exclude RADIUS attribute 25, Class.cos-shaping-rate—Exclude Juniper Networks VSA 26-177, Cos-Shaping-Rate.delegated-ipv6-prefix—Exclude RADIUS attribute 123, Delegated-IPv6-Prefix.dhcp-gi-address—Exclude Juniper Networks VSA 26-57, DHCP-GI-Address.dhcp-header—Exclude Juniper Networks VSA 26-208, DHCP-Header.dhcp-mac-address—Exclude Juniper Networks VSA 26-56, DHCP-MAC-Address.dhcp-options—Exclude Juniper Networks VSA 26-55, DHCP-Options.dhcpv6-header—Exclude Juniper Networks VSA 26-209, DHCPv6-Header.dhcpv6-options—Exclude Juniper Networks VSA 26-207, DHCPv6-Options.dynamic-iflset-name—Exclude Juniper Networks VSA 26-130, Qos-Set-Name.downstream-calculated-qos-rate—Exclude Juniper Networks VSA 26-141.dsl-forum-attributes—Exclude DSL Forum VSA (vendor ID 3561) as described in RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes.dsl-line-state—Exclude Juniper Networks VSA 26-127, DSL-Line-State.dsl-type—Exclude Juniper Networks VSA 26-128, DSL-Type.event-timestamp—Exclude RADIUS attribute 55, Event-Timestamp.filter-id—Exclude RADIUS attribute 11, Filter-Id.first-relay-ipv4-address—Exclude Juniper Networks VSA 26-189, DHCP-First-Relay-IPv4-Address.first-relay-ipv6-address—Exclude Juniper Networks VSA 26-190, DHCP-First-Relay-IPv6-Address.framed-interface-id—Exclude RADIUS attribute 96, Framed-Interface-ID.framed-ip-address—Exclude RADIUS attribute 8, Framed-IP-Address.framed-ip-netmask—Exclude RADIUS attribute 9, Framed-IP-Netmask.framed-ip-route—Exclude RADIUS attribute 22, Framed-Route.framed-ipv6-address—Exclude RADIUS attribute 168, Framed-IPv6-Address.framed-ipv6-pool—Exclude RADIUS attribute 100, Framed-IPv6-Pool.framed-ipv6-prefix—Exclude RADIUS attribute 97, Framed-IPv6-Prefix.framed-ipv6-route—Exclude RADIUS attribute 99, Framed-IPv6-Route.framed-pool—Exclude RADIUS attribute 88, Framed-Pool.input-filter—Exclude Juniper Networks VSA 26-10, Ingress-Policy-Name.input-gigapackets—Exclude Juniper Networks VSA 26-42, Acct-Input-Gigapackets.input-gigawords—Exclude RADIUS attribute 52, Acct-Input-Gigawords.input-ipv6-gigawords—Exclude Juniper Networks VSA 26-155, Acct-Input-IPv6-Gigawords.input-ipv6-octets—Exclude Juniper Networks VSA 26-151, Acct-Input-IPv6-Octets.input-ipv6-packets—Exclude Juniper Networks VSA 26-153, Acct-Input-IPv6-Packets.interface-description—Exclude Juniper Networks VSA 26-53, Interface-Desc.l2c-downstream-data—Exclude Juniper Networks VSA 26-93, L2C-Down-Stream-Data.l2c-upstream-data—Exclude Juniper Networks VSA 26-92, L2C-Up-Stream-Data.l2tp-rx-connect-speed—Exclude Juniper Networks VSA 26-163, Rx-Connect-Speed.l2tp-tx-connect-speed—Exclude Juniper Networks VSA 26-162, Tx-Connect-Speed.max-data-rate-dn—Exclude Juniper Networks VSA 26-120, Max-Data-Rate-Dn.max-data-rate-up—Exclude Juniper Networks VSA 26-119, Max-Data-Rate-Up.max-interlv-delay-dn—Exclude Juniper Networks VSA 26-125, Max-Interlv-Delay-Dn.max-interlv-delay-up—Exclude Juniper Networks VSA 26-123, Max-Interlv-Delay-Up.min-data-rate-dn—Exclude Juniper Networks VSA 26-116, Min-Data-Rate-Dn.min-data-rate-up—Exclude Juniper Networks VSA 26-115, Min-Data-Rate-Up.min-lp-data-rate-dn—Exclude Juniper Networks VSA 26-122, Min-Lp-Data-Rate-Dn.min-lp-data-rate-up—Exclude Juniper Networks VSA 26-121, Min-Lp-Data-Rate-Up.nas-identifier—Exclude RADIUS attribute 32, NAS-Identifier.nas-port—Exclude RADIUS attribute 5, NAS-Port.nas-port-id—Exclude RADIUS attribute 87, NAS-Port-Id.nas-port-type—Exclude RADIUS attribute 61, NAS-Port-Type.output-filter—Exclude Juniper Networks VSA 26-11, Egress-Policy-Name.output-gigapackets—Exclude Juniper Networks VSA 26-43, Acct-Output-Gigapackets.output-gigawords—Exclude RADIUS attribute 53, Acct-Output-Gigawords.output-ipv6-gigawords—Exclude Juniper Networks VSA 26-156, Acct-Output-IPv6-Gigawords.output-ipv6-octets—Exclude Juniper Networks VSA 26-152, Acct-Output-IPv6-Octets.output-ipv6-packets—Exclude Juniper Networks VSA 26-154, Acct-Output-IPv6-Packets.packet-type—Specify the RADIUS message type to exclude; term required when excluding a standard attribute or VSA by number rather than name. You can enclose multiple values in square brackets to specify a list of message types. Message types include Access-Request, Accounting-Off, Accounting-Off, Accounting-Start, and Accounting-Stop.pppoe-description—Exclude Juniper Networks VSA 26-24, PPPoE-Description.standard-attribute number—RADIUS standard attribute number supported by your platform. If you configure an unsupported attribute, that configuration has no effect. When you use this option, you must use thepacket-typeterm to specify the message from which the attribute is excluded.tunnel-assignment-id—Exclude RADIUS attribute 82, Tunnel-Assignment-ID.tunnel-client-auth-id—Exclude RADIUS attribute 90. Tunnel-Client-Auth-ID.tunnel-client-endpoint—Exclude RADIUS attribute 66, Tunnel-Client-Endpoint.tunnel-medium-type—Exclude RADIUS attribute 65, Tunnel-Medium-Type.tunnel-server-auth-id—Exclude RADIUS attribute 91, Tunnel-Server-Auth-ID.tunnel-server-endpoint—Exclude RADIUS attribute 67, Tunnel-Server-Endpoint.tunnel-type—Exclude RADIUS attribute 64, Tunnel-Type.upstream-calculated-qos-rate—Exclude Juniper Networks VSA 26-142vendor-attribute vsa-number—Number identifying a VSA belonging to the specified vendor; both must be supported by your platform. If you configure an unsupported VSA, that configuration has no effect. When you use this option, you must use thepacket-typeterm to specify the message from which the attribute is excluded.vendor-id id-number—IANA vendor ID supported by your platform. If you configure an unsupported vendor ID, that configuration has no effect.virtual-router—Exclude Juniper Networks VSA 26-1.
RADIUS message type:
access-request—RADIUS Access-Request messages.accounting-off—RADIUS Accounting-Off messages.accounting-on—RADIUS Accounting-On messages.accounting-start—RADIUS Accounting-Start messages.accounting-stop—RADIUS Accounting-Stop messages.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.1.
downstream-calculated-qos-rate, dsl-forum-attributes, and upstream-calculated-qos-rate options added in Junos
OS Release 11.4.
cos-shaping-rate and filter-id options
added in Junos OS Release 13.2.
pppoe-description option added in Junos OS Release
14.2.
virtual-router option added in Junos OS Release 15.1.
first-relay-ipv4-address and first-relay-ipv6-address options added in Junos OS Release 16.1.
acc-loop-encap and acc-loop-remote-id options
added in Junos OS Release 16.1R4.
access-request option support for all tunnel attributes
added in Junos OS Release 15.1R7, 16.1R5, 16.2R2, 17.1R2, 17.2R2,
and 17.3R1 for MX Series.
packet-type, standard-attribute, vendor-attribute, and vendor-id options added in
Junos OS Release 18.1R1.