ON THIS PAGE
RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework
RADIUS IETF Attributes Supported by the AAA Service Framework
Juniper Networks VSAs Supported by the AAA Service Framework
AAA Access Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS
AAA Accounting Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS
DSL Forum VSAs Support in AAA Access and Accounting Messages for Junos OS
RADIUS Support for Microsoft Corporation VSAs for DNS Server Addresses
Interface Text Descriptions for Inclusion in RADIUS Attributes
Standard and Vendor-Specific RADIUS Attributes
RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework
The AAA Service Framework supports RADIUS attributes and vendor-specific attributes (VSAs). This support provides tunable parameters that the subscriber access management feature uses when creating subscribers and services.
RADIUS attributes are carried as part of standard RADIUS request and reply messages. The subscriber management access feature uses the RADIUS attributes to exchange specific authentication, authorization, and accounting information. VSAs allow the subscriber access management feature to pass implementation-specific information that provide extended capabilities, such as service activation or deactivation, and enabling and disabling filters.
When you use dynamic profiles, the AAA Service Framework supports the use of Junos OS predefined variables to specify the RADIUS attribute or VSA for the information obtained from the RADIUS server.
Benefits of Using RADIUS Standard Attributes and VSAs
-
RADIUS standard attributes are necessary to communicate with an external RADIUS server for subscriber authentication, authorization, and accounting.
-
Vendor-specific attributes extend the functionality of the RADIUS server beyond that provided by the public standard attributes, enabling the implementation of many useful features necessary for subscriber management and service support.
RADIUS IETF Attributes Supported by the AAA Service Framework
Table 1 describes the RADIUS IETF attributes that the Junos OS AAA Service Framework supports. Some attributes correspond to Juniper Networks predefined variables; see predefined-variable-defaults (Dynamic Client Profiles)
A “Yes” entry in the Dynamic CoA Support column indicates that the attribute can be dynamically configured by Access-Accept messages and dynamically modified by CoA-Request messages.
Attribute Number |
Attribute Name |
Description |
Dynamic CoA Support |
---|---|---|---|
1 |
User-Name |
|
No |
2 |
User-Password |
|
No |
3 |
CHAP-Password |
Value provided by a PPP (CHAP) user in response to the challenge. You can configure an override of the CHAP challenge response. When you configure an override CHAP password, the User-Password attribute contains the override, and the CHAP-Password attribute is not included in the Access-Request. |
No |
4 |
NAS-IP-Address |
IP address of the network access server (NAS) that is requesting authentication of the user. |
No |
5 |
NAS-Port |
Physical port number of the NAS that is authenticating the user. For a tunneled PPP user in an L2TP LNS session, there is no physical port. In this case, the port value is reported as 4194303. |
No |
6 |
Service-Type |
Type of service the user has requested or the type of service to be provided. |
No |
7 |
Framed-Protocol |
Framing type used for framed access. |
No |
8 |
Framed-IP-Address |
|
No |
9 |
Framed-IP-Netmask |
|
No |
11 |
Filter-Id |
Name of a subscriber firewall filter, formatted as follows:
RADIUS accounting request messages, Acct-Start and Acct-Stop, can include more than one Filter-Id attribute, one of each of the listed types. However, RADIUS Access-Accept messages can include only one attribute instance. The value is always treated as an IPv4 input filter name. |
Yes |
12 |
Framed-MTU |
Maximum Transmission Unit configured for the user, when it is not negotiated by some other means (such as PPP). |
No |
18 |
Reply-Message |
|
No |
22 |
Framed-Route |
String that provides routing information to be configured for the user on the NAS in the format:
If authd detects the IP address in the Framed-Route to be bad—for example, if the format is incorrect—the subscriber is not allowed to log in. Starting in Junos OS Release 19.1, the subscriber is allowed to log in, but without that route or the default route. For customers that use multiple framed routes, this behavior enables the subscriber to have partial access to the network using the routes that are accepted rather than not being allowed any access. Starting in Junos OS Release 18.2R1, if this attribute does not include the subnet mask, the MX Series router ignores the attribute but connects the session. |
No |
24 |
State |
String enabling state information to be maintained between the device and the RADIUS server. |
No |
25 |
Class |
Arbitrary value that the NAS includes in all accounting packets for the user if supplied by the RADIUS server. |
No |
27 |
Session-Timeout |
Maximum number of consecutive seconds of service to be provided to the user before termination of the session. |
Yes Not supported for DHCP sessions. |
28 |
Idle-Timeout |
Maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. |
No |
31 |
Calling-Station-ID |
Phone number from which the call originated. |
No |
32 |
NAS-Identifier |
NAS originating the request. |
No |
40 |
Acct-Status-Type |
Whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or the interim (Interim-Update). |
No |
41 |
Acct-Delay-Time |
Number of seconds the client has been trying to send a particular record. |
No |
42 |
Acct-Input-Octets |
Number of octets that have been received from the port during the time this service has been provided. |
No |
43 |
Acct-Output-Octets |
Number of octets that have been sent to the port during the time this service has been provided. |
No |
44 |
Acct-Session-ID |
Unique accounting identifier that makes it easy to match start and stop records in a log file. The identifier can be in one of the following formats:
|
No |
45 |
Acct-Authentic |
Method by which user was authentication: whether by RADIUS, the NAS itself, or another remote authentication protocol. |
No |
46 |
Acct-Session-Time |
Number of seconds that the user has received service |
No |
47 |
Acct-Input-Packets |
Number of packets that have been received from the port during the time this service has been provided to a framed user. |
No |
48 |
Acct-Output-Packets |
Number of packets that have been sent to the port in the course of delivering this service to a framed user. |
No |
49 |
Acct-Terminate-Cause |
Reason the service (a PPP session) was terminated. The service can be terminated for the following reasons:
|
No |
52 |
Acct-Input-Gigawords |
Number of times the Acct-Input-Octets counter has wrapped around 232 during the time this service has been provided. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update. |
No |
53 |
Acct-Output-Gigawords |
Number of times the Acct-Output-Octets counter has wrapped around 232 in the course of delivering this service. Can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update. |
No |
55 |
Event-Timestamp |
Time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC. |
No |
61 |
NAS-Port-Type |
Type of physical port the NAS is using to authenticate the user. For a tunneled PPP user in an L2TP LNS session, there is no
physical port. In this case, the port type is |
No |
64 |
Tunnel-Type |
|
No |
65 |
Tunnel-Medium-Type |
|
No |
66 |
Tunnel-Client-Endpoint |
Address of the initiator end of the tunnel (LAC). |
No |
67 |
Tunnel-Server-Endpoint |
Address of the server end of the tunnel (LNS). |
No |
68 |
Acct-Tunnel-Connection |
Identifier assigned to the tunnel session. Value is the same as the Call Serial Number AVP received from the LAC in the ICRQ message. |
No |
69 |
Tunnel-Password |
Encrypted password used to authenticate to a remote server. Recommended over using VSA Tunnel-Password [26-9] because of the encryption. Do not use both this attribute and the VSA. |
No |
77 |
Connect-Info |
|
No |
82 |
Tunnel-Assignment -Id |
Tunnel to which a session is assigned. When user profiles share the same values for Tunnel-Assignment-Id, Tunnel-Server-Endpoint, and Tunnel-Type, the LAC can group these users into the same tunnel. This grouping enables fewer tunnels to be created. (LAC) |
No |
83 |
Tunnel-Preference |
|
No |
85 |
Acct-Interim-Interval |
Number of seconds between each interim accounting update for this session. The router uses the following guidelines for interim accounting:
Note:
Values are rounded up to the next higher multiple of 10 minutes. For example, a setting of 900 seconds (15 minutes) is rounded up to 20 minutes (1200 seconds). |
No |
87 |
NAS-Port-Id |
Text string that identifies the physical interface of the NAS that is authenticating the user. For a tunneled PPP user in an L2TP LNS session, there is no physical port, and the NAS-Port-Id value has the following format: media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session id:call serial number. For example, Ip:198.51.100.1:192.168.0.2:3341:21031:16138:11846:2431. The local information refers to the LNS and the peer information refers to the LAC. |
No |
88 |
Framed-Pool |
Name of an assigned address pool to use to assign an address for the user. |
No |
90 |
Tunnel-Client-Auth-Id |
Name of the tunnel initiator (LAC) used during the authentication phase of tunnel establishment. |
No |
91 |
Tunnel-Server-Auth-Id |
Name of the tunnel terminator (LNS) used during the authentication phase of tunnel establishment. |
No |
95 |
NAS-IPv6-Address |
Address of the NAS that is requesting authentication of the user. |
No |
96 |
Framed-Interface-ID |
Interface identifier that is configured for the user. |
No |
97 |
Framed-IPv6-Prefix |
IPv6 prefix and address that are configured for the user. Prefix lengths of 128 are associated with host addresses. Prefix lengths less than 128 are associated with NDRA prefixes. |
No |
98 |
Login-IPv6-Host |
System the user connects to when the Login-Service attribute is included. |
No |
99 |
Framed-IPv6-Route |
IPv6 routing information that is configured for the user. |
Yes |
100 |
Framed-IPv6-Pool |
Name of the assigned pool used to assign the address and IPv6 prefix for the user. |
No |
101 |
Error-Cause |
Reason that the RADIUS server does not honor Disconnect-Request or CoA-Request messages. Depending on the value, can be included in CoA NAK or Disconnect NAK messages.
|
No |
123 |
Delegated-IPv6-Prefix |
IPv6 prefix that is delegated to the user. |
No |
168 |
Framed-IPv6-Address |
IPv6 address of the authenticated user. The Framed-IPv6-Address attribute is sent if the IPv6 address is assigned to the subscriber. |
No |
242 |
Ascend-Data-Filter |
Binary data that specifies RADIUS policy definitions. |
Yes |
Juniper Networks VSAs Supported by the AAA Service Framework
Table 2 describes Juniper Networks VSAs supported by the Junos OS AAA Service Framework. The AAA Service Framework uses vendor ID 2636, which is assigned to Juniper Networks by the Internet Assigned Numbers Authority (IANA). Some VSAs correspond to Juniper Networks predefined variables; see Junos OS Predefined Variables That Correspond to RADIUS Attributes and VSAs.
A “Yes” entry in the Dynamic CoA Support column indicates that the attribute can be dynamically configured by Access-Accept messages and dynamically modified by CoA-Request messages.
Attribute Number |
Attribute Name |
Description |
Value |
Dynamic CoA Support |
---|---|---|---|---|
26-1 |
Virtual-Router |
Client logical system:routing instance name. Allowed only from AAA server for default logical system:routing instance. When this VSA is not included in the subscriber profile, the routing instance assigned to the subscriber—the one in which the subscriber session comes up—varies by subscriber type. For DHCP and PPPoE subscribers, it is the default routing instance. For L2TP tunnel subscribers, it is the routing instance in which the tunnel resides, whether default or non-default. If the tunnel routing instance is not default and you want the L2TP session to be in the default routing instance, you must use the Virtual-Router VSA to set the desired routing instance. |
string: logical system:routing instance |
No |
26-4 |
Primary-DNS |
Client DNS address negotiated during IPCP. |
integer: 4-byte primary-dns-address |
No |
26-5 |
Secondary-DNS |
Client DNS address negotiated during IPCP |
integer: 4-byte secondary-dns-address |
No |
26-6 |
Primary-WINS |
Client WINS (NBNS) address negotiated during IPCP. |
integer: 4-byte primary-wins-address |
No |
26-7 |
Secondary-WINS |
Client WINS (NBNS) address negotiated during IPCP. |
integer: 4-byte secondary-wins-address |
No |
26-8 |
Tunnel-Virtual-Router |
Virtual router name for tunnel connection. |
string: tunnel-virtual-router |
No |
26-9 |
Tunnel-Password |
Tunnel password in cleartext. Do not use both this VSA and the standard RADIUS attribute Tunnel-Password [69]. We recommend that you use the standard attribute because the password is encrypted when that attribute is used. |
string: tunnel-password |
No |
26-10 |
Ingress-Policy-Name |
Input policy name to apply to client interface. |
string: input-policy-name |
Yes |
26-11 |
Egress-Policy-Name |
Output policy name to apply to client interface. |
string: output-policy-name |
Yes |
26-23 |
IGMP-Enable |
Whether IGMP is enabled or disabled on a client interface. |
integer:
|
Yes |
26-24 |
PPPoE-Description |
Client MAC address. |
string: pppoe client-mac-address |
No |
26-25 |
Redirect-VRouter-Name |
Client logical system:routing instance name indicating to which logical system:routing instance the request is redirected for user authentication. |
string: logical-system:routing-instance |
No |
26-30 |
Tunnel-Nas-Port-Method |
Method that determines whether the RADIUS server conveys to the LNS the physical NAS port number identifier and the type of the physical port, such as Ethernet or ATM. This information is conveyed only when the VSA value is 1. The VSA is formatted such that the first octet indicates the tunnel and the remaining three bytes are the attribute value. |
4-octet integer:
|
Yes |
26-31 |
Service-Bundle |
SSC service bundle. |
string bundle-name |
No |
26-33 |
Tunnel-Max-Sessions |
Maximum number of sessions allowed in a tunnel. |
integer: 4-octet |
No |
26-34 |
Framed-IP-Route-Tag. Supported only on JunosE for ERX and E320 platforms. |
Route tag to apply to returned framed-ip-address. |
integer: 4-octet |
No |
26-42 |
Input-Gigapackets |
Number of times the input-packets attribute rolls over its 4-octet field. |
integer |
No |
26-43 |
Output-Gigapackets |
Number of times the output-packets attribute rolls over its 4-octet field. |
integer |
No |
26-47 |
Ipv6-Primary-DNS |
Client primary IPv6 DNS address negotiated by DHCP. |
hexadecimal string: ipv6-primary-dns-address |
No |
26-48 |
Ipv6-Secondary-DNS |
Client secondary IPv6 DNS address negotiated by DHCP. |
hexadecimal string: ipv6-secondary-dns-address |
No |
26-51 |
Disconnect-Cause |
Disconnect cause when a tunneled subscriber is disconnected, and L2TP layer of the LNS initiates the termination. The PPP Disconnect Cause Code (L2TP AVP 46) is included in VSA 26-51 in the Accounting-Stop message that the router sends to the RADIUS server. |
hexadecimal string: disconnect-cause |
No |
26-55 |
DHCP-Options |
Client DHCP options. Starting in Junos OS Release 17.4R1, includes only DHCPv4 options. In earlier releases, includes both DHCPv4 and DHCPv6 options. |
hexadecimal string: dhcp-options |
No |
26-56 |
DHCP-MAC-Address |
Client MAC address. |
string: mac-address |
No |
26-57 |
DHCP-GI-Address |
DHCP relay agent IP address. |
integer: 4-octet |
No |
26-58 |
LI-Action |
Traffic mirroring action. For dynamic CoA, VSA 26-58 changes the action on the mirrored traffic identified by VSA 26-59. CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs. If the CoA action is to stop mirroring (VSA 26-58 value is 0), then the values of the other three attributes in the CoA message must match the existing attribute values, or the action fails. |
salt-encrypted integer 0=stop mirroring 1=start mirroring 2=no action |
Yes |
26-59 |
Med-Dev-Handle |
Identifier that associates mirrored traffic to a specific subscriber. For dynamic CoA, VSA 26-58 changes the action on the mirrored traffic identified by VSA 26-59. CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs. |
salt-encrypted string |
No |
26-60 |
Med-Ip-Address |
IP address of content destination device to which mirrored traffic is forwarded. CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs. |
salt-encrypted IP address |
No |
26-61 |
Med-Port-Number |
UDP port in the content destination device to which mirrored traffic is forwarded. CoA-Request messages that include any of the RADIUS-based mirroring attributes (VSAs 26-58, 26-59, 26-60, or 26-61) must always include all four VSAs. |
salt-encrypted integer |
No |
26-63 |
Interface-Desc |
Text string that identifies the subscriber’s access interface. |
string: interface-description |
No |
26-64 |
Tunnel-Group |
Name of the tunnel group (profile) assigned to a domain map. |
string: tunnel-group-name |
No |
26-65 |
Activate-Service |
Service to activate for the subscriber. Tagged VSA, which supports 8 tags (1-8). |
string: service-name |
Yes |
26-66 |
Deactivate-Service |
Service to deactivate for the subscriber. |
string: service-name |
Yes |
26-67 |
Service-Volume |
Amount of traffic, in MB, that can use the service; service is deactivated when the volume is exceeded. Tagged VSA, which supports 8 tags (1-8). |
integer
|
Yes |
26-68 |
Service-Timeout |
Number of seconds that the service can be active; service is deactivated when the timeout expires. Tagged VSA, which supports 8 tags (1-8). |
integer
|
Yes |
26-69 |
Service-Statistics |
Whether statistics for the service is enabled or disabled. Tagged VSA, which supports 8 tags (1-8). |
integer
|
Yes |
26-71 |
IGMP-Access-Name |
Access list to use for the group (G) filter. |
string: 32-octet |
Yes |
26-72 |
IGMP-Access-Src-Name |
Access list to use for the source-group (S,G) filter. |
string: 32-octet |
Yes |
26-74 |
MLD-Access-Name |
Access list to use for the group (G) filter. |
string: 32-octet |
Yes |
26-75 |
MLD-Access-Src-Name |
Access list to use for the source-group (S,G) filter. |
string: 32-octet |
Yes |
26-77 |
MLD-Version |
MLD protocol version. |
integer: 1-octet
|
Yes |
26-78 |
IGMP-Version |
IGMP protocol version. |
integer: 1-octet
|
Yes |
26-83 |
Service-Session |
Name of the service. |
string: service-name |
No |
26-91 |
Tunnel-Switch-Profile |
Tunnel switch profile that determines whether a subscriber session is switched to a second session to a remote LNS. Takes precedence over tunnel switch profiles applied in any other manner. |
string: profile-name |
No |
26-92 |
L2C-Up-Stream-Data |
Actual upstream rate access loop parameter (ASCII encoded) as defined in GSMP extensions for Layer 2 control (L2C) Topology Discovery and Line Configuration. |
string: actual upstream rate access loop parameter (ASCII encoded) |
No |
26-93 |
L2C-Down-Stream-Data |
Actual downstream rate access loop parameter (ASCII encoded) as defined in GSMP extensions for Layer 2 control (L2C) Topology Discovery and Line Configuration. |
string: actual downstream rate access loop parameter (ASCII encoded) |
No |
26-94 |
Tunnel-Tx-Speed-Method |
Method that determines the source from which the transmit speed is derived. Overrides global configuration in the CLI. |
integer: 4-octet
|
No |
26-97 |
IGMP-Immediate-Leave |
IGMP Immediate Leave. |
integer: 4-octet
|
Yes |
26-100 |
MLD-Immediate-Leave |
MLD Immediate Leave. |
integer: 4-octet
|
Yes |
26-106 |
IPv6-Ingress-Policy-Name |
Input policy name to apply to a user IPv6 interface. |
string: policy-name |
Yes |
26-107 |
IPv6-Egress-Policy-Name |
Output policy name to apply to a user IPv6 interface. |
string: policy-name |
Yes |
26-108 |
CoS-Parameter-Type |
CoS traffic-shaping parameter type and description:
|
Two parts, delimited by white space:
Examples:
|
Yes |
26-109 |
DHCP-Guided-Relay-Server |
IP address of DHCP server that DHCP relay agent uses to forward the discover PDUs. |
integer: 4-byte ip-address |
No |
26-110 |
Acc-Loop-Cir-Id |
Identification of the subscriber node connection to the access node. |
string: up to 63 ASCII characters |
No |
26-111 |
Acc-Aggr-Cir-Id-Bin |
Unique identification of the DSL line. |
integer: 8-octet |
No |
26-112 |
Acc-Aggr-Cir-Id-Asc |
Identification of the uplink on the access node, as in the following examples:
|
string: up to 63 ASCII characters |
No |
26-113 |
Act-Data-Rate-Up |
Actual upstream data rate of the subscriber’s synchronized DSL link. |
integer: 4-octet |
No |
26-114 |
Act-Data-Rate-Dn |
Actual downstream data rate of the subscriber’s synchronized DSL link. |
integer: 4-octet |
No |
26-115 |
Min-Data-Rate-Up |
Minimum upstream data rate configured for the subscriber. |
integer: 4-octet |
No |
26-116 |
Min-Data-Rate-Dn |
Minimum downstream data rate configured for the subscriber. |
integer: 4-octet |
No |
26-117 |
Att-Data-Rate-Up |
Maximum upstream data rate that the subscriber can attain. |
integer: 4-octet |
No |
26-118 |
Att-Data-Rate-Dn |
Maximum downstream data rate that the subscriber can attain. |
integer: 4-octet |
No |
26-119 |
Max-Data-Rate-Up |
Maximum upstream data rate configured for the subscriber. |
integer: 4-octet |
No |
26-120 |
Max-Data-Rate-Dn |
Maximum downstream data rate configured for the subscriber. |
integer: 4-octet |
No |
26-121 |
Min-LP-Data-Rate-Up |
Minimum upstream data rate in low power state configured for the subscriber. |
integer: 4-octet |
No |
26-122 |
Min-LP-Data-Rate-Dn |
Minimum downstream data rate in low power state configured for the subscriber. |
integer: 4-octet |
No |
26-123 |
Max-Interlv-Delay-Up |
Maximum one-way upstream interleaving delay configured for the subscriber. |
integer: 4-octet |
No |
26-124 |
Act-Interlv-Delay-Up |
Subscriber’s actual one-way upstream interleaving delay.. |
integer: 4-octet |
No |
26-125 |
Max-Interlv-Delay-Dn |
Maximum one-way downstream interleaving delay configured for the subscriber. |
integer: 4-octet |
No |
26-126 |
Act-Interlv-Delay-Dn |
Subscriber’s actual one-way downstream interleaving delay. |
integer: 4-octet |
No |
26-127 |
DSL-Line-State |
State of the DSL line. |
integer: 4-octet
|
No |
26-128 |
DSL-Type |
Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated. |
integer: 4-octet |
No |
26-130 |
Qos-Set-Name |
Interface set to apply to the dynamic profile. |
string: interface-set-name |
No |
26-140 |
Service-Interim-Acct-Interval |
Amount of time between interim accounting updates for this service. Tagged VSA, which supports 8 tags (1-8). |
Note:
Values are rounded up to the next higher multiple of 10 minutes. For example, a setting of 900 seconds (15 minutes) is rounded up to 20 minutes (1200 seconds). |
Yes |
26-141 |
Downstream-Calculated-QoS-Rate |
Calculated (adjusted) downstream QoS rate in Kbps as set by the ANCP configuration. A change in value results in an immediate Interim-Accounting request. |
range = 1000 through 4,294,967,295 |
No |
26-142 |
Upstream-Calculated-QoS-Rate |
Calculated (adjusted) upstream QoS rate in Kbps as set by the ANCP configuration. A change in value results in an immediate Interim-Accounting request. |
range = 1000 through 4,294,967,295 |
No |
26-143 |
Max-Clients-Per-Interface |
Maximum allowable client sessions per interface. For DHCP clients, this value is the maximum sessions per logical interface. For PPPoE clients, this value is the maximum sessions (PPPoE interfaces) per PPPoE underlying interface. |
integer: 4-octet |
No |
26-146 |
CoS-Scheduler-Pmt-Type |
CoS scheduler parameter type and description:
|
Three parts, delimited by white space:
Examples:
|
Yes |
26-151 |
IPv6-Acct-Input-Octets |
IPv6 receive octets. |
integer |
No |
26-152 |
IPv6-Acct-Output-Octets |
IPv6 transmit octets. |
integer |
No |
26-153 |
IPv6-Acct-Input-Packets |
IPv6 receive packets. |
integer |
No |
26-154 |
IPv6-Acct-Output-Packets |
IPv6 transmit packets. |
integer |
No |
26-155 |
IPv6-Acct-Input-Gigawords |
IPv6 receive gigawords. |
integer |
No |
26-156 |
IPv6-Acct-Output-Gigawords |
IPv6 transmit gigawords. |
integer |
No |
26-158 |
PPPoE-Padn |
Route add for PPPoE sessions |
string |
No |
26-160 |
Vlan-Map-Id |
Trunk VLAN tag corresponding to the core-facing trunk physical interface. Vlan-Map-Id (26-160), Inner-Vlan-Map-Id (26-184), and Core-Facing-Interface (26-185) collectively represent the network service provider-facing location for the subscriber for the Layer 2 cross-connect in a Layer 2 wholesale configuration. |
integer |
No |
26-161 |
IPv6-Delegated-Pool-Name |
Address pool used to locally allocate a delegated prefix (IA_PD). |
string |
No |
26-162 |
Tx-Connect-Speed |
Indication of transmit speed of the user’s connection. |
string |
No |
26-163 |
Rx-Connect-Speed |
Indication of receive speed of the user’s connection. |
string |
No |
26-164 |
IPv4-Release-Control |
Indicates to server status of on-demand address allocation and deallocation. |
string |
No |
26-173 |
Service-Activate-Type |
Indication of service activation type. This is a tagged attribute. |
integer: 4-octet
|
No |
26-174 |
Client-Profile-Name |
Enables RADIUS to override an assigned client dynamic profile with the included client-profile-name-string. Enables RADIUS to distinguish different dynamic profiles used on the router when the version-alias-string is included. |
string |
No |
26-177 |
Cos-Shaping-Rate |
Effective downstream shaping rate for subscriber. |
string |
No |
26-178 | Action-Reason |
Indicates detailed reason for CoA response. Typically used for CoA failures. |
String: "100 In progress" "104 Service active" "120 Service not found" "122 Execution failure" "105 Initial processing performed" "123 No services" "124 Services limit exceeded" "125 Bulk request message limit exceeded" "128 Maximum concurrent CoAs" "126 CoA request timeout" "127 Logout in progress" |
No |
26-179 |
Service-Volume-Gigawords |
Amount of traffic, in 4GB units, that can use the service; service is deactivated when the volume is exceeded. Tagged VSA, which supports 8 tags (1-8). |
integer
|
Yes |
26-180 |
Update-Service |
New values of service and time quotas for existing service. Tagged VSA, which supports 8 tags (1-8). |
string: service-name |
Yes |
26-181 |
DHCPv6-Guided-Relay-Server |
IPv6 addresses of DHCPv6 servers to which DHCPv6 relay agent forwards the Solicit and subsequent PDUs. Use multiple instances of the VSA to specify a list of servers. |
hexadecimal string: ipv6-address |
No |
26-182 |
Acc-Loop-Remote-Id |
Reports the ANCP Access-Loop-Remote-ID attribute. |
string |
No |
26-183 |
Acc-Loop-Encap |
Reports the ANCP Access-Loop-Encapsulation attribute. |
hexadecimal string |
No |
26-184 |
Inner-Vlan-Map-Id |
Inner VLAN tag allocated from the ranges provisioned on the core-facing physical interface, used to swap (replace) the autosensed VLAN tag on the access interface. Vlan-Map-Id (26-160), Inner-Vlan-Map-Id (26-184), and Core-Facing-Interface (26-185) collectively represent the network service provider-facing location for the subscriber for the Layer 2 cross-connect in a Layer 2 wholesale configuration. |
integer |
No |
26-185 |
Core-Facing-Interface |
Name of the core-facing physical interface that forwards the Layer 2 wholesale session’s downstream and upstream traffic relative to the network service provider (NSP) router. Vlan-Map-Id (26-160), Inner-Vlan-Map-Id (26-184), and Core-Facing-Interface (26-185) collectively represent the network service provider-facing location for the subscriber for the Layer 2 cross-connect in a Layer 2 wholesale configuration. |
string |
No |
26-189 |
DHCP-First-Relay-IPv4-Address |
IPv4 address of the first relay link of a client/server binding. |
integer: 4-byte ip-address |
No |
26-190 |
DHCP-First-Relay-IPv6-Address |
IPv6 address of the first relay link of a client/server binding. |
hexadecimal string: ipv6-address |
No |
26-191 |
Input-Interface-Filter |
Name of an input filter to be attached to a |
string |
Yes |
26-192 |
Output-Interface-Filter |
Name of an output filter to be attached to a |
string |
Yes |
26-193 |
Pim-Enable |
Enable or disable PIM on a BRAS user’s interface. |
integer: 4-octet
|
Yes |
26-194 |
Bulk-CoA-Transaction-Id |
A common identifier or tag to associate the series of related CoA Requests as a transaction. This attribute is untagged and value 0 is reserved. |
integer: 4-octet |
Yes |
26-195 |
Bulk-CoA-Identifier |
A unique identifier for each CoA Request message that is part of the same transaction as specified by the Bulk-CoA-Transaction-Id VSA. This attribute is untagged and the value 0 is reserved. |
integer: 4-octet |
Yes |
26-196 |
IPv4-Input-Service-Set |
Name of an IPv4 input service set to be attached. |
string |
Yes |
26-197 |
IPv4-Output-Service-Set |
Name of an IPv4 output service set to be attached. |
string |
Yes |
26-198 |
IPv4-Input-Service-Filter |
Name of an IPv4 input service filter to be attached. |
string |
Yes |
26-199 |
IPv4-Output-Service-Filter |
Name of an IPv4 output service filter to be attached. |
string |
Yes |
26-200 |
IPv6-Input-Service-Set |
Name of an IPv6 input service set to be attached. |
string |
Yes |
26-201 |
IPv6-Output-Service-Set |
Name of an IPv6 output service set to be attached. |
string |
Yes |
26-202 |
IPv6-Input-Service-Filter |
Name of an IPv6 input service filter to be attached. |
string |
Yes |
26-203 |
IPv6-Output-Service-Filter |
Name of an IPv6 output service filter to be attached. |
string |
Yes |
26-204 |
Adv-Pcef-Profile-Name |
Name of a PCEF profile to be attached. |
string |
Yes |
26-205 |
Adv-Pcef-Rule-Name |
Name of a PCC rule to activate. |
string |
Yes |
26-206 |
Reauthentication-On-Renew |
Reason that the client application is reauthenticated. |
integer
|
No |
26-207 |
DHCPv6-Options |
DHCPv6 client and server options exchanged with the RADIUS server as TLV options. In releases earlier than Junos OS Release 17.4.1R1, this VSA is not supported. DHCPv6 options are included instead in 26-55, DHCP-Options. |
hexadecimal string |
No |
26-208 |
DHCP-Header |
DHCPv4 packet header sent to the RADIUS server; used to instantiate dynamic subscriber interfaces. |
hexadecimal string |
No |
26-209 |
DHCPv6-Header |
DHCPv6 packet header sent to the RADIUS server; used to instantiate dynamic subscriber interfaces. |
hexadecimal string |
No |
26-210 |
Acct-Request-Reason |
Reason for sending an Accounting-Request message. |
integer: 4-octet
|
No |
26-211 |
Inner-Tag-Protocol-Id |
Protocol identifier for the inner VLAN tag |
hexadecimal string:
|
No |
26-212 |
Routing-Services |
Determines whether the routing services capability is enabled or disabled. |
integer: 4-octet
Any value other than 0 or 1 is rejected. |
No |
26-213 |
Interface-Set-Targeting-Weight |
Specify a weight for an interface set to associate it and its member links with an aggregated Ethernet member link for targeted distribution. |
integer: 4-octet |
No |
26-214 |
Interface-Targeting-Weight |
Specify a weight for an interface to associate it with an interface set and thus with the set’s aggregated Ethernet member link for targeted distribution. When an interface set does not have a weight, then the interface weight value for the first authorized subscriber interface is used for the set. |
integer: 4-octet |
No |
26–216 |
Hybrid-Access-DSL-Downstream-Speed |
Specify a downstream bandwidth for the DSL leg of a hybrid access tunnel for a subscriber. Used by the PFE for load-balancing traffic across the DSL and LTE legs. |
32-bit integer |
No |
26–217 |
Hybrid-Access-LTE-Downstream-Speed |
Specify a downstream bandwidth for the LTE leg of the hybrid access tunnel for a subscriber. Used by the Packet Forwarding Engine for load-balancing traffic across the DSL and LTE legs. |
32-bit integer |
No |
26–218 |
Connection-Status-Message |
Specifies connection parameters as an encoding that is presented to the remote peer/client (such as a home gateway). This is a logical extension to the Reply-Message attribute (18) and has the same format and semantics. The authd process uses only the first instance if it receives multiple instances of this attribute. |
string |
Yes |
26–219 |
PON-Access-Type |
Type of PON transmission system in use:
|
32-bit integer |
No |
26–220 |
ONT/ONU-Average-Data-Rate-Downstream |
(PON) Average downstream data rate for ONT/ONU, in Kbps |
32-bit integer |
No |
26–221 |
ONT/ONU-Peak-Data-Rate-Downstream |
(PON) Peak downstream data rate for ONT/ONU, in Kbps |
32-bit integer |
No |
26–222 |
ONT/ONU-Maximum-Data-Rate-Upstream |
(PON) Maximum upstream data rate for ONT/ONU, in Kbps |
32-bit integer |
No |
26–223 |
ONT/ONU-Assured-Data-Rate-Upstream |
(PON) Assured upstream data rate for ONT/ONU, in Kbps |
32-bit integer |
No |
26–224 |
PON-Tree-Maximum-Data-Rate-Upstream |
(PON) Maximum upstream data rate for the PON tree, in Kbps |
32-bit integer |
No |
26–225 |
PON-Tree-Maximum-Data-Rate-Downstream |
(PON) Maximum downstream data rate for the PON tree, in Kbps |
32-bit integer |
No |
26–226 |
Expected-Throughput-Upstream |
(G.fast) Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps |
32-bit integer |
No |
26–227 |
Expected-Throughput-Downstream |
(G.fast) Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps |
32-bit integer |
No |
26–228 |
Attainable-Expected-Throughput-Upstream |
(G.fast) Maximum attainable expected upstream throughput, in Kbps |
32-bit integer |
No |
26–229 |
Attainable-Expected-Throughput-Downstream |
(G.fast) Maximum attainable expected downstream throughput, in Kbps |
32-bit integer |
No |
26–230 |
Gamma-Data-Rate-Upstream |
(G.fast) Actual upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
32-bit integer |
No |
26–231 |
Gamma-Data-Rate-Downstream |
(G.fast) Actual downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
32-bit integer |
No |
26–232 |
Attainable-Gamma-Data-Rate-Upstream |
(G.fast) Maximum attainable upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
32-bit integer |
No |
26–233 |
Attainable-Gamma-Data-Rate-Downstream |
(G.fast) Maximum attainable downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
32-bit integer |
No |
AAA Access Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS
Table 3 shows the RADIUS attributes and Juniper Networks VSAs (vendor ID 4874) support in AAA access messages. A checkmark in a column indicates that the message type supports that attribute.
Attribute Number |
Attribute Name |
Access Request |
Access Accept |
Access Reject |
Access Challenge |
CoA Request |
Disconnect Request |
---|---|---|---|---|---|---|---|
1 |
User-Name |
✓ |
✓ |
– |
– |
– |
✓ |
2 |
User-Password |
✓ |
– |
– |
– |
– |
– |
3 |
CHAP-Password |
✓ |
– |
– |
– |
– |
– |
4 |
NAS-IP-Address |
✓ |
– |
– |
– |
– |
– |
5 |
NAS-Port |
✓ |
– |
– |
– |
– |
– |
6 |
Service-Type |
✓ |
✓ |
– |
– |
– |
– |
7 |
Framed-Protocol |
✓ |
✓ |
– |
– |
– |
– |
8 |
Framed-IP-Address |
✓ |
✓ |
– |
– |
✓ |
– |
9 |
Framed-IP-Netmask |
– |
✓ |
– |
– |
– |
– |
11 |
Filter-Id |
– |
✓ |
– |
– |
– |
– |
12 |
Framed-MTU |
✓ |
– |
– |
– |
– |
– |
18 |
Reply-Message |
– |
✓ |
✓ |
✓ |
– |
– |
22 |
Framed-Route |
– |
✓ |
– |
– |
– |
– |
24 |
State |
✓ |
✓ |
– |
✓ |
– |
– |
25 |
Class |
– |
✓ |
– |
– |
✓ |
– |
26-1 |
Virtual-Router |
✓ |
✓ |
– |
– |
✓ |
– |
26-4 |
Primary-DNS |
– |
✓ |
– |
– |
– |
– |
26-5 |
Secondary-DNS |
– |
✓ |
– |
– |
– |
– |
26-6 |
Primary-WINS |
– |
✓ |
– |
– |
– |
– |
26-7 |
Secondary-WINS |
– |
✓ |
– |
– |
– |
– |
26-8 |
Tunnel-Virtual-Router |
– |
✓ |
– |
– |
– |
– |
26-9 |
Tunnel-Password |
– |
✓ |
– |
– |
– |
– |
26-10 |
Ingress-Policy-Name |
– |
✓ |
– |
– |
– |
– |
26-11 |
Egress-Policy-Name |
– |
✓ |
– |
– |
– |
– |
26-23 |
IGMP-Enable |
– |
✓ |
– |
– |
– |
– |
26-24 |
PPPoE-Description |
✓ |
– |
– |
– |
– |
– |
26-25 |
Redirect-VR-Name |
– |
✓ |
– |
– |
– |
– |
26-31 |
Service-Bundle |
– |
✓ |
– |
– |
– |
– |
26-33 |
Tunnel-Maximum-Sessions |
– |
✓ |
– |
– |
– |
– |
26-34 |
Framed-IP-Route-Tag. Supported only on JunosE for ERX and E320 platforms. |
– |
✓ |
– |
– |
– |
– |
26-47 |
Ipv6-Primary-DNS |
– |
✓ |
– |
– |
– |
– |
26-48 |
Ipv6-Secondary-DNS |
– |
✓ |
– |
– |
– |
– |
26-55 |
DHCP-Options |
✓ |
– |
– |
– |
– |
– |
26-56 |
DHCP-MAC-Address |
✓ |
✓ |
– |
– |
– |
– |
26-57 |
DHCP-GI-Address |
✓ |
– |
– |
– |
– |
– |
26-58 |
LI-Action |
– |
✓ |
– |
– |
✓ |
– |
26-59 |
Med-Dev-Handle |
– |
✓ |
– |
– |
✓ |
– |
26-60 |
Med-Ip-Address |
– |
✓ |
– |
– |
✓ |
– |
26-61 |
Med-Port-Number |
– |
✓ |
– |
– |
✓ |
– |
26-63 |
Interface-Desc |
✓ |
– |
– |
– |
– |
– |
26-64 |
Tunnel-Group |
– |
✓ |
– |
– |
– |
– |
26-65 |
Activate-Service |
– |
✓ |
– |
– |
✓ |
– |
26-66 |
Deactivate-Service |
– |
✓ |
– |
– |
✓ |
– |
26-67 |
Service-Volume |
– |
✓ |
– |
– |
✓ |
– |
26-68 |
Service-Timeout |
– |
✓ |
– |
– |
✓ |
– |
26-69 |
Service-Statistics |
– |
✓ |
– |
– |
✓ |
– |
26-71 |
IGMP-Access-Name |
– |
✓ |
– |
– |
– |
– |
26-72 |
IGMP-Access-Src-Name |
– |
✓ |
– |
– |
– |
– |
26-74 |
MLD-Access-Name |
– |
✓ |
– |
– |
– |
– |
26-75 |
MLD-Access-Src-Name |
– |
✓ |
– |
– |
– |
– |
26-77 |
MLD-Version |
– |
✓ |
– |
– |
– |
– |
26-78 |
IGMP-Version |
– |
✓ |
– |
– |
– |
– |
26-91 |
Tunnel-Switch-Profile |
– |
✓ |
– |
– |
– |
– |
26-92 |
L2C-Up-Stream-Data |
✓ |
– |
– |
– |
– |
– |
26-93 |
L2C-Down-Stream-Data |
✓ |
– |
– |
– |
– |
– |
26-94 |
Tunnel-Tx-Speed-Method |
– |
✓ |
– |
– |
– |
– |
26-97 |
IGMP-Immediate-Leave |
– |
✓ |
– |
– |
– |
|
26-100 |
MLD-Immediate-Leave |
– |
✓ |
– |
– |
– |
– |
26-106 |
IPv6-Ingress-Policy-Name |
– |
✓ |
– |
– |
– |
– |
26-107 |
IPv6-Egress-Policy-Name |
– |
✓ |
– |
– |
– |
– |
26-108 |
CoS-Parameter-Type |
– |
✓ |
– |
– |
✓ |
– |
26-109 |
DHCP-Guided-Relay-Server |
– |
✓ |
– |
– |
– |
– |
26-110 |
Acc-Loop-Cir-Id |
✓ |
– |
– |
– |
– |
– |
26-111 |
Acc-Aggr-Cir-Id-Bin |
✓ |
– |
– |
– |
– |
– |
26-112 |
Acc-Aggr-Cir-Id-Asc |
✓ |
– |
– |
– |
– |
– |
26-113 |
Act-Data-Rate-Up |
✓ |
– |
– |
– |
– |
– |
26-114 |
Act-Data-Rate-Dn |
✓ |
– |
– |
– |
– |
– |
26-115 |
Min-Data-Rate-Up |
✓ |
– |
– |
– |
– |
– |
26-116 |
Min-Data-Rate-Dn |
✓ |
– |
– |
– |
– |
– |
26-117 |
Att-Data-Rate-Up |
✓ |
– |
– |
– |
– |
– |
26-118 |
Att-Data-Rate-Dn |
✓ |
– |
– |
– |
– |
– |
26-119 |
Max-Data-Rate-Up |
✓ |
– |
– |
– |
– |
– |
26-120 |
Max-Data-Rate-Dn |
✓ |
– |
– |
– |
– |
– |
26-121 |
Min-LP-Data-Rate-Up |
✓ |
– |
– |
– |
– |
– |
26-122 |
Min-LP-Data-Rate-Dn |
✓ |
– |
– |
– |
– |
– |
26-123 |
Max-Interlv-Delay-Up |
✓ |
– |
– |
– |
– |
– |
26-124 |
Act-Interlv-Delay-Up |
✓ |
– |
– |
– |
– |
– |
26-125 |
Max-Interlv-Delay-Dn |
✓ |
– |
– |
– |
– |
– |
26-126 |
Act-Interlv-Delay-Dn |
✓ |
– |
– |
– |
– |
– |
26-127 |
DSL-Line-State |
✓ |
– |
– |
– |
– |
– |
26-128 |
DSL-Type |
✓ |
– |
– |
– |
– |
– |
26-130 |
QoS-Set-Name |
– |
✓ |
– |
– |
– |
– |
26-140 |
Service-Interim-Account-Interval |
– |
✓ |
– |
– |
✓ |
– |
26-141 |
Downstream-Calculated-QoS-Rate |
✓ |
– |
– |
– |
– |
– |
26-142 |
Upstream-Calculated-QoS-Rate |
✓ |
– |
– |
– |
– |
– |
26-143 |
Max-Clients-Per-Interface |
– |
✓ |
– |
– |
– |
– |
26-146 |
Cos-Scheduler-Pmt-Type |
– |
✓ |
– |
– |
✓ |
– |
26-158 |
PPPoE-Padn |
– |
✓ |
– |
– |
– |
– |
26-160 |
Vlan-Map-Id |
– |
✓ |
– |
– |
– |
– |
26-161 |
IPv6-Delegated-Pool-Name |
– |
✓ |
– |
– |
– |
– |
26-162 |
Tx-Connect-Speed |
✓ |
– |
– |
– |
– |
– |
26-163 |
Rx-Connect-Speed |
✓ |
– |
– |
– |
– |
– |
26-164 |
IPv4-Release-Control |
✓ |
– |
– |
– |
– |
– |
26-173 |
Service-Activate-Type |
– |
✓ |
– |
– |
✓ |
– |
26-174 |
Client-Profile-Name |
– |
✓ |
– |
– |
– |
– |
26-179 |
Service-Volume-Gigawords |
– |
✓ |
– |
– |
✓ |
– |
26-180 |
Update-Service |
– |
– |
– |
– |
✓ |
– |
26-181 |
DHCPv6-Guided-Relay-Server |
– |
✓ |
– |
– |
– |
– |
26-182 |
Acc-Loop-Remote-Id |
✓ |
– |
– |
– |
– |
– |
26-183 |
Acc-Loop-Encap |
✓ |
– |
– |
– |
– |
– |
26-184 |
Inner-Vlan-Map-Id |
– |
✓ |
– |
– |
– |
– |
26-189 |
DHCP-First-Relay-IPv4-Address |
✓ |
– |
– |
– |
– |
– |
26-190 |
DHCP-First-Relay-IPv6-Address |
✓ |
– |
– |
– |
– |
– |
26-191 |
Input-Interface-Filter |
✓ |
– |
– |
– |
✓ |
– |
26-192 |
Output-Interface-Filter |
✓ |
– |
– |
– |
✓ |
– |
26-193 |
Pim-Enable |
– |
✓ |
– |
– |
– |
– |
26-194 |
Bulk-CoA-Transaction-Id |
– |
– |
– |
– |
✓ |
– |
26-195 |
Bulk-CoA-Identifier |
– |
– |
– |
– |
✓ |
– |
26-196 |
IPv4-Input-Service-Set |
✓ |
– |
– |
– |
– |
– |
26-197 |
IPv4-Output-Service-Set |
✓ |
– |
– |
– |
– |
– |
26-198 |
IPv4-Input-Service-Filter |
✓ |
– |
– |
– |
– |
– |
26-199 |
IPv4-Output-Service-Filter |
✓ |
– |
– |
– |
– |
– |
26-200 |
IPv6-Input-Service-Set |
✓ |
– |
– |
– |
– |
– |
26-201 |
IPv6-Output-Service-Set |
✓ |
– |
– |
– |
– |
– |
26-202 |
IPv6-Input-Service-Filter |
✓ |
– |
– |
– |
– |
– |
26-203 |
IPv6-Output-Service-Filter |
✓ |
– |
– |
– |
– |
– |
26-204 |
Adv-Pcef-Profile-Name |
✓ |
– |
– |
– |
– |
– |
26-205 |
Adv-Pcef-Rule-Name |
✓ |
– |
– |
– |
– |
– |
26-206 |
Re-Authentication-On-Renew |
– |
✓ |
– |
– |
– |
– |
26-207 |
DHCPv6-Options |
✓ |
✓ |
– |
– |
– |
– |
26-208 |
DHCP-Header |
✓ |
– |
– |
– |
– |
– |
26-209 |
DHCPv6-Header |
✓ |
– |
– |
– |
– |
– |
26-211 |
Inner-Tag-Protocol-Id |
– |
✓ |
– |
– |
– |
– |
26-212 |
Routing-Services |
– |
✓ |
– |
– |
– |
– |
26-213 |
Interface-Set-Targeting-Weight |
– |
✓ |
– |
– |
– |
– |
26-214 |
Interface-Targeting-Weight |
– |
✓ |
– |
– |
– |
– |
26–216 |
Hybrid-Access-DSL-Downstream-Speed |
– |
✓ |
– |
– |
– |
– |
26-217 |
Hybrid-Access-LTE-Downstream-Speed |
– |
✓ |
– |
– |
– |
– |
26–218 |
Connection-Status-Message |
– |
✓ |
– |
– |
✓ |
– |
26–219 |
PON-Access-Type |
✓ |
– |
– |
– |
– |
– |
26–220 |
ONT/ONU-Average-Data-Rate-Downstream |
✓ |
– |
– |
– |
– |
– |
26–221 |
ONT/ONU-Peak-Data-Rate-Downstream |
✓ |
– |
– |
– |
– |
– |
26–222 |
ONT/ONU-Maximum-Data-Rate-Upstream |
✓ |
– |
– |
– |
– |
– |
26–223 |
ONT/ONU-Assured-Data-Rate-Upstream |
✓ |
– |
– |
– |
– |
– |
26–224 |
PON-Tree-Maximum-Data-Rate-Upstream |
✓ |
– |
– |
– |
– |
– |
26–225 |
PON-Tree-Maximum-Data-Rate-Downstream |
✓ |
– |
– |
– |
– |
– |
26–226 |
Expected-Throughput-Upstream |
✓ |
– |
– |
– |
– |
– |
26–227 |
Expected-Throughput-Downstream |
✓ |
– |
– |
– |
– |
– |
26–228 |
Attainable-Expected-Throughput-Upstream |
✓ |
– |
– |
– |
– |
– |
26–229 |
Attainable-Expected-Throughput-Downstream |
✓ |
– |
– |
– |
– |
– |
26–230 |
Gamma-Data-Rate-Upstream |
✓ |
– |
– |
– |
– |
– |
26–231 |
Gamma-Data-Rate-Downstream |
✓ |
– |
– |
– |
– |
– |
26–232 |
Attainable-Gamma-Data-Rate-Upstream |
✓ |
– |
– |
– |
– |
– |
26–233 |
Attainable-Gamma-Data-Rate-Downstream |
✓ |
– |
– |
– |
– |
– |
27 |
Session-Timeout |
– |
✓ |
– |
✓ |
✓ |
– |
28 |
Idle-Timeout |
– |
✓ |
– |
✓ |
– |
– |
31 |
Calling-Station-ID |
✓ |
– |
– |
– |
✓ |
– |
32 |
NAS-Identifier |
✓ |
– |
– |
– |
– |
– |
44 |
Acct-Session-ID |
✓ |
– |
– |
– |
✓ |
✓ |
61 |
NAS-Port-Type |
✓ |
– |
– |
– |
– |
– |
64 |
Tunnel-Type |
✓ |
✓ |
– |
– |
– |
– |
65 |
Tunnel-Medium-Type |
✓ |
✓ |
– |
– |
– |
– |
66 |
Tunnel-Client-Endpoint |
✓ |
✓ |
– |
– |
– |
– |
67 |
Tunnel-Server-Endpoint |
✓ |
✓ |
– |
– |
– |
– |
68 |
Acct-Tunnel-Connection |
✓ |
✓ |
– |
– |
– |
– |
69 |
Tunnel-Password |
– |
✓ |
– |
– |
– |
– |
82 |
Tunnel-Assignment-Id |
✓ |
✓ |
– |
– |
– |
– |
83 |
Tunnel-Preference |
– |
✓ |
– |
– |
– |
– |
85 |
Acct-Interim-Interval |
– |
✓ |
– |
– |
– |
– |
87 |
NAS-Port-Id |
✓ |
– |
– |
– |
✓ |
– |
88 |
Framed-Pool |
– |
✓ |
– |
– |
– |
– |
90 |
Tunnel-Client-Auth-Id |
✓ |
✓ |
– |
– |
– |
– |
91 |
Tunnel-Server-Auth-Id |
✓ |
✓ |
– |
– |
– |
– |
95 |
NAS-IPv6-Address |
✓ |
– |
– |
– |
– |
– |
96 |
Framed-Interface-ID |
– |
✓ |
– |
– |
– |
– |
97 |
Framed-IPv6-Prefix |
– |
✓ |
– |
– |
– |
– |
98 |
Login-IPv6-Host |
✓ |
✓ |
– |
– |
– |
– |
99 |
Framed-IPv6-Route |
– |
✓ |
– |
– |
– |
– |
100 |
Framed-IPv6-Pool |
– |
✓ |
– |
– |
– |
– |
123 |
Delegated-IPv6-Prefix |
– |
✓ |
– |
– |
– |
– |
168 |
Framed-IP-Address |
– |
✓ |
– |
– |
– |
– |
242 |
Ascend-Data-Filter |
– |
✓ |
– |
– |
✓ |
– |
AAA Accounting Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS
Table 4 shows the RADIUS attributes and Juniper Networks VSAs support in AAA accounting messages. A checkmark in a column indicates that the message type supports that attribute.
Attribute Number |
Attribute Name |
Acct Start |
Acct Stop |
Interim Acct |
Acct On |
Acct Off |
---|---|---|---|---|---|---|
1 |
User-Name |
✓ |
✓ |
✓ |
– |
– |
3 |
CHAP-Password |
✓ |
– |
– |
– |
– |
4 |
NAS-IP-Address |
✓ |
✓ |
✓ |
✓ |
✓ |
5 |
NAS-Port |
✓ |
✓ |
✓ |
– |
– |
6 |
Service-Type |
✓ |
✓ |
✓ |
– |
– |
7 |
Framed-Protocol |
✓ |
✓ |
✓ |
– |
– |
8 |
Framed-IP-Address |
✓ |
✓ |
✓ |
– |
– |
9 |
Framed-IP-Netmask |
✓ |
✓ |
✓ |
– |
– |
11 |
Filter-Id |
– |
✓ |
✓ |
– |
– |
22 |
Framed-Route |
✓ |
✓ |
✓ |
– |
– |
25 |
Class |
✓ |
✓ |
✓ |
– |
– |
26-1 |
Virtual-Router |
✓ |
✓ |
✓ |
– |
– |
26-10 |
Ingress-Policy-Name |
✓ |
✓ |
✓ |
– |
– |
26-11 |
Egress-Policy-Name |
✓ |
✓ |
✓ |
– |
– |
26-24 |
PPPoE-Description |
✓ |
✓ |
✓ |
– |
– |
26-42 |
Input-Gigapackets |
– |
✓ |
✓ |
– |
– |
26-43 |
Output-Gigapackets |
– |
✓ |
✓ |
– |
– |
26-47 |
Ipv6-Primary-DNS |
✓ |
✓ |
✓ |
– |
– |
26-48 |
Ipv6-Secondary-DNS |
✓ |
✓ |
✓ |
– |
– |
26-51 |
Disconnect-Cause |
– |
✓ |
– |
– |
– |
26-55 |
DHCP-Options |
✓ |
✓ |
✓ |
– |
– |
26-56 |
DHCP-MAC-Address |
✓ |
✓ |
✓ |
– |
– |
26-57 |
DHCP-GI-Address |
✓ |
✓ |
✓ |
– |
– |
26-63 |
Interface-Desc |
✓ |
✓ |
✓ |
– |
– |
26-83 |
Service-Session |
– |
✓ |
✓ |
– |
– |
26-92 |
L2C-Up-Stream-Data |
✓ |
✓ |
✓ |
– |
– |
26-93 |
L2C-Down-Stream-Data |
✓ |
✓ |
✓ |
– |
– |
26-110 |
Acc-Loop-Cir-Id |
✓ |
✓ |
✓ |
– |
– |
26-111 |
Acc-Aggr-Cir-Id-Bin |
✓ |
✓ |
✓ |
– |
– |
26-112 |
Acc-Aggr-Cir-Id-Asc |
✓ |
✓ |
✓ |
– |
– |
26-113 |
Act-Data-Rate-Up |
✓ |
✓ |
✓ |
– |
– |
26-114 |
Act-Data-Rate-Dn |
✓ |
✓ |
✓ |
– |
– |
26-115 |
Min-Data-Rate-Up |
✓ |
✓ |
✓ |
– |
– |
26-116 |
Min-Data-Rate-Dn |
✓ |
✓ |
✓ |
– |
– |
26-117 |
Att-Data-Rate-Up |
✓ |
✓ |
✓ |
– |
– |
26-118 |
Att-Data-Rate-Dn |
✓ |
✓ |
✓ |
– |
– |
26-119 |
Max-Data-Rate-Up |
✓ |
✓ |
✓ |
– |
– |
26-120 |
Max-Data-Rate-Dn |
✓ |
✓ |
✓ |
– |
– |
26-121 |
Min-LP-Data-Rate-Up |
✓ |
✓ |
✓ |
– |
– |
26-122 |
Min-LP-Data-Rate-Dn |
✓ |
✓ |
✓ |
– |
– |
26-123 |
Max-Interlv-Delay-Up |
✓ |
✓ |
✓ |
– |
– |
26-124 |
Act-Interlv-Delay-Up |
✓ |
✓ |
✓ |
– |
– |
26-125 |
Max-Interlv-Delay-Dn |
✓ |
✓ |
✓ |
– |
– |
26-126 |
Act-Interlv-Delay-Dn |
✓ |
✓ |
✓ |
– |
– |
26-127 |
DSL-Line-State |
✓ |
✓ |
✓ |
– |
– |
26-128 |
DSL-Type |
✓ |
✓ |
✓ |
– |
– |
26-141 |
Downstream-Calculated-QoS-Rate |
✓ |
✓ |
✓ |
– |
– |
26-142 |
Upstream-Calculated-QoS-Rate |
✓ |
✓ |
✓ |
– |
– |
26-151 |
IPv6-Acct-Input-Octets |
– |
✓ |
✓ |
– |
– |
26-152 |
IPv6-Acct-Output-Octets |
– |
✓ |
✓ |
– |
– |
26-153 |
IPv6-Acct-Input-Packets |
– |
✓ |
✓ |
– |
– |
26-154 |
IPv6-Acct-Output-Packets |
– |
✓ |
✓ |
– |
– |
26-155 |
IPv6-Acct-Input-Gigawords |
– |
✓ |
✓ |
– |
– |
26-156 |
IPv6-Acct-Output-Gigawords |
– |
✓ |
✓ |
– |
– |
26-160 |
Vlan-Map-Id |
✓ |
✓ |
✓ |
– |
– |
26-162 |
Tx-Connect-Speed |
✓ |
✓ |
✓ |
– |
– |
26-163 |
Rx-Connect-Speed |
✓ |
✓ |
✓ |
– |
– |
26-164 |
IPv4-Release-Control |
– |
– |
✓ |
– |
– |
26-177 |
Cos-Shaping-Rate |
✓ |
✓ |
✓ |
– |
– |
26-182 |
Acc-Loop-Remote-Id |
✓ |
✓ |
– |
– |
– |
26-183 |
Acc-Loop-Encap |
✓ |
✓ |
– |
– |
– |
26-184 |
Inner-Vlan-Map-Id |
✓ |
✓ |
– |
– |
– |
26-185 |
Core-Facing-Interface |
✓ |
✓ |
– |
– |
– |
26-188 |
DHCP-First-Relay-IPv4-Address |
✓ |
✓ |
✓ |
– |
– |
26-190 |
DHCP-First-Relay-IPv6-Address |
✓ |
✓ |
✓ |
– |
– |
26-191 |
Input-Interface-Filter |
✓ |
✓ |
✓ |
– |
– |
26-192 |
Output-Interface-Filter |
✓ |
✓ |
✓ |
– |
– |
26-207 |
DHCPv6-Options |
✓ |
✓ |
✓ |
– |
– |
26-210 |
Acct-Request-Reason |
✓ |
– |
✓ |
– |
– |
26–219 |
PON-Access-Type |
✓ |
✓ |
✓ |
– |
– |
26–220 |
ONT/ONU-Average-Data-Rate-Downstream |
✓ |
✓ |
✓ |
– |
– |
26–221 |
ONT/ONU-Peak-Data-Rate-Downstream |
✓ |
✓ |
✓ |
– |
– |
26–222 |
ONT/ONU-Maximum-Data-Rate-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–223 |
ONT/ONU-Assured-Data-Rate-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–224 |
PON-Tree-Maximum-Data-Rate-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–225 |
PON-Tree-Maximum-Data-Rate-Downstream |
✓ |
✓ |
✓ |
– |
– |
26–226 |
Expected-Throughput-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–227 |
Expected-Throughput-Downstream |
✓ |
✓ |
✓ |
– |
– |
26–228 |
Attainable-Expected-Throughput-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–229 |
Attainable-Expected-Throughput-Downstream |
✓ |
✓ |
✓ |
– |
– |
26–230 |
Gamma-Data-Rate-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–231 |
Gamma-Data-Rate-Downstream |
✓ |
✓ |
✓ |
– |
– |
26–232 |
Attainable-Gamma-Data-Rate-Upstream |
✓ |
✓ |
✓ |
– |
– |
26–233 |
Attainable-Gamma-Data-Rate-Downstream |
✓ |
✓ |
✓ |
– |
– |
31 |
Calling-Station-ID |
✓ |
✓ |
✓ |
– |
– |
32 |
NAS-Identifier |
✓ |
✓ |
✓ |
✓ |
✓ |
40 |
Acct-Status-Type |
✓ |
✓ |
✓ |
✓ |
✓ |
41 |
Acct-Delay-Time |
✓ |
✓ |
✓ |
✓ |
✓ |
42 |
Acct-Input-Octets |
– |
✓ |
✓ |
– |
– |
43 |
Acct-Output-Octets |
– |
✓ |
✓ |
– |
– |
44 |
Acct-Session-ID |
✓ |
✓ |
✓ |
✓ |
✓ |
45 |
Acct-Authentic |
✓ |
✓ |
✓ |
✓ |
✓ |
46 |
Acct-Session-Time |
– |
✓ |
✓ |
– |
– |
47 |
Acct-Input-Packets |
– |
✓ |
✓ |
– |
– |
48 |
Acct-Output-Packets |
– |
✓ |
✓ |
– |
– |
49 |
Acct-Terminate-Cause |
– |
✓ |
✓ |
– |
– |
52 |
Acct-Input-Gigawords |
– |
✓ |
✓ |
– |
– |
53 |
Acct-Output-Gigawords |
– |
✓ |
✓ |
– |
– |
55 |
Event-Timestamp |
✓ |
✓ |
✓ |
✓ |
✓ |
61 |
NAS-Port-Type |
✓ |
✓ |
✓ |
– |
– |
64 |
Tunnel-Type |
✓ |
✓ |
✓ |
– |
– |
65 |
Tunnel-Medium-Type |
✓ |
✓ |
✓ |
– |
– |
66 |
Tunnel-Client-Endpoint |
✓ |
✓ |
✓ |
– |
– |
67 |
Tunnel-Server-Endpoint |
✓ |
✓ |
✓ |
– |
– |
68 |
Acct-Tunnel-Connection |
✓ |
✓ |
✓ |
– |
– |
77 |
Connect-Info |
✓ |
✓ |
– |
– |
– |
82 |
Tunnel-Assignment-Id |
✓ |
✓ |
✓ |
– |
– |
87 |
NAS-Port-Id |
✓ |
✓ |
✓ |
– |
– |
90 |
Tunnel-Client-Auth-Id |
✓ |
✓ |
✓ |
– |
– |
91 |
Tunnel-Server-Auth-Id |
✓ |
✓ |
✓ |
– |
– |
99 |
Framed-IPv6-Route |
✓ |
✓ |
✓ |
– |
– |
100 |
Framed-IPv6-Pool |
✓ |
✓ |
✓ |
– |
– |
123 |
Delegated-IPv6-Prefix |
✓ |
✓ |
✓ |
– |
– |
DSL Forum Vendor-Specific Attributes
Broadband access lines have many characteristics that are not supported by standard RADIUS attributes. A telecommunications and networking industry consortium, formerly called the DSL Forum and since 2008 called the Broadband Forum, develops standards and specifications for broadband technologies and products. The DSL Forum concentrated only on digital subscriber lines. The forum changed its name as it expanded the scope of its work to other broadband access technologies, such as passive optical networking (PON).
The DSL Forum defined RADIUS vendor-specific attributes (VSAs) to convey that information to the RADIUS server for processing. These VSAs include information about the access lines, the subscribers using the lines, and data rates on the lines. Subscriber management does not process the VSA values—the router simply passes the values received from the subscriber to the RADIUS server, without performing any parsing or manipulation. However, you can manage the content of the VSAs either by using the client configuration to restrict the DSL Forum VSAs that the client sends, or by configuring the RADIUS server to ignore unwanted DSL Forum VSAs.
The terminology used with the DSL Forum VSAs can be confusing. Each of these VSAs is actually a subattribute of the DSL Forum RADIUS VSA. The DSL Forum RADIUS VSA is simply a container for the subattributes that transports them to the RADIUS server. The DSL Forum RADIUS VSA provides the following information that applies to each subattribute:
Type = 26. This value indicates that the subattribute is a vendor-specific attribute.
Vendor-ID = 3561. This value is the vendor ID (enterprise number) assigned to the Broadband Forum by the Internet Assigned Numbers Authority (IANA).
Each subattribute is a TLV; that is, it specifies type, length, and value information:
The vendor type is a number assigned by the Broadband Forum that identifies the subattribute. This number is sometimes referred to as the attribute number.
The vendor length is a number that specifies the length of the entire subattribute.
The value field contains information specific to the subattribute, such as data rates or access line identifiers.
After the name changed to the Broadband Forum, the forum added PON VSAs. We still refer to them as DSL Forum VSAs because they are subattributes of the DSL Forum VSA. Some of the VSAs previously used only for DSL networks are also used for PON networks.
The full designation for a DSL Forum VSA is 26–3561–type. The vendor ID is critical to distinguishing between VSAs. For example, 26-3561-1 is a different attribute than 26-4874-1; 4874 is a Juniper Networks enterprise number. When the enterprise is clear from the context, our documentation may omit the enterprise number. For example, when a table refers to attributes for only one enterprise, we may omit the number to make the table easier to read.
The following documents provide information about the attributes:
RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes
RFC 5515, Layer 2 Tunneling Protocol (L2TP) Access Line Information Attribute Value Pair (AVP) Extensions
RFC 6320, Protocol for Access Node Control Mechanism in Broadband Networks
RFC 6320 Draft Extension, Access Extensions for the Access Node Control Protocol
Broadband Forum technical report TR-101, Migration to Ethernet-Based Broadband Aggregation
Table 5 describes the DSL Forum VSAs. Starting in Junos OS Release 19.3R1, we support the PON and DSL G.fast VSAs.
Type |
Name |
Description |
Access Type |
Value |
---|---|---|---|---|
1 |
Agent-Circuit-Id |
Identifier for the subscriber agent circuit ID (ACI) that corresponds to the access node interface from which subscriber requests are initiated. For auto-sensed VLANs, the ACI is extracted from DHCP discover, DHCPv6 solicit, or PPPoE PADI messages, stored in the VLAN shared database entry, and then presented in the RADIUS Access-Request message in this VSA. |
DSL, PON |
string |
2 |
Agent-Remote-Id |
Unique identifier for the subscriber associated with the access node interface from which requests are initiated. For auto-sensed VLANs, the ARI is extracted from DHCP discover, DHCPv6 solicit, or PPPoE PADI messages, stored in the VLAN shared database entry, and then presented in the RADIUS Access-Request message in this VSA. |
DSL, PON |
string |
3 |
Access-Aggregation-Circuit-ID-ASCII |
ASCII identifier for the subscriber access line, based on its network-facing logical appearance If the string begins with a # sign, then the remainder of the string represents a logical intermediate node (DPU-C or PON tree) in the access network to which the subscriber is attached. The string is used as the name of a CoS Level 2 interface set that groups subscribers. |
DSL, PON |
string |
6 |
Access-Aggregation-Circuit-ID-Binary |
Binary identifier for the subscriber access line |
DSL, PON |
string |
129 |
Actual-Data-Rate-Upstream |
Actual upstream data rate of the subscriber’s synchronized DSL link, in bps |
DSL |
32-bit integer |
130 |
Actual-Data-Rate-Downstream |
Actual downstream data rate of the subscriber’s synchronized DSL link, in bps |
DSL |
32-bit integer |
131 |
Minimum-Data-Rate-Upstream |
Minimum upstream data rate configured for the subscriber, in bps |
DSL |
32-bit integer |
132 |
Minimum-Data-Rate-Downstream |
Minimum downstream data rate configured for the subscriber, in bps |
DSL |
32-bit integer |
133 |
Attainable-Data-Rate-Upstream |
Upstream data rate that the subscriber can attain, in bps |
DSL |
32-bit integer |
134 |
Attainable-Data-Rate-Downstream |
Downstream data rate that the subscriber can attain, in bps |
DSL |
32-bit integer |
135 |
Maximum-Data-Rate-Upstream |
Maximum upstream data rate configured for the subscriber, in bps |
DSL |
32-bit integer |
136 |
Maximum-Data-Rate-Downstream |
Maximum downstream data rate configured for the subscriber, in bps |
DSL |
32-bit integer |
137 |
Minimum-Data-Rate-Upstream-Low-Power |
Minimum upstream data rate in low power state configured for the subscriber, in bps |
DSL |
32-bit integer |
138 |
Minimum-Data-Rate-Downstream-Low-Power |
Minimum downstream data rate in low power state configured for the subscriber, in bps |
DSL |
32-bit integer |
139 |
Maximum-Interleaving-Delay-Upstream |
Maximum one-way upstream interleaving delay configured for the subscriber, in milliseconds |
DSL |
32-bit integer |
140 |
Actual-Interleaving-Delay-Upstream |
Subscriber’s actual one-way upstream interleaving delay, in milliseconds |
DSL |
32-bit integer |
141 |
Maximum-Interleaving-Delay-Downstream |
Maximum one-way downstream interleaving delay configured for the subscriber, in milliseconds |
DSL |
32-bit integer |
142 |
Actual-Interleaving-Delay-Downstream |
Subscriber’s actual one-way downstream interleaving delay, in milliseconds |
DSL |
32-bit integer |
144 |
Access-Loop-Encapsulation |
Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated |
DSL, PON |
string: 3-byte |
145 |
DSL-Type |
Type of DSL transmission system in use:
|
DSL |
32-bit integer |
146 |
PON-Access-Type |
Type of PON transmission system in use:
|
PON |
32-bit integer |
147 |
ONT/ONU-Average-Data-Rate-Downstream |
Average downstream data rate for ONT/ONU, in Kbps |
PON |
32-bit integer |
148 |
ONT/ONU-Peak-Data-Rate-Downstream |
Peak downstream data rate for ONT/ONU, in Kbps |
PON |
32-bit integer |
149 |
ONT/ONU-Maximum-Data-Rate-Upstream |
Maximum upstream data rate for ONT/ONU, in Kbps |
PON |
32-bit integer |
150 |
ONT/ONU-Assured-Data-Rate-Upstream |
Assured upstream data rate for ONT/ONU, in Kbps |
PON |
32-bit integer |
151 |
PON-Tree-Maximum-Data-Rate-Upstream |
Maximum upstream data rate for the PON tree, in Kbps |
PON |
32-bit integer |
152 |
PON-Tree-Maximum-Data-Rate-Downstream |
Maximum downstream data rate for the PON tree, in Kbps |
PON |
32-bit integer |
155 |
Expected-Throughput-Upstream |
Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps |
G.fast (DSL) |
32-bit integer |
156 |
Expected-Throughput-Downstream |
Expected upstream throughput, which is the net data rate reduced by expected rate loss, in Kbps |
G.fast (DSL) |
32-bit integer |
157 |
Attainable-Expected-Throughput-Upstream |
Maximum attainable expected upstream throughput, in Kbps |
G.fast (DSL) |
32-bit integer |
158 |
Attainable-Expected-Throughput-Downstream |
Maximum attainable expected downstream throughput, in Kbps |
G.fast (DSL) |
32-bit integer |
159 |
Gamma-Data-Rate-Upstream |
Actual upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
G.fast (DSL) |
32-bit integer |
160 |
Gamma-Data-Rate-Downstream |
Actual downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
G.fast (DSL) |
32-bit integer |
161 |
Attainable-Gamma-Data-Rate-Upstream |
Maximum attainable upstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
G.fast (DSL) |
32-bit integer |
162 |
Attainable-Gamma-Data-Rate-Downstream |
Maximum attainable downstream data rate (net data rate) for the local loop, adjusted down by any throughput capability limitations, in Kbps |
G.fast (DSL) |
32-bit integer |
254 |
IWF-Session |
Indication that the interworking function (IWF) has been performed for the subscriber’s PPPoA over PPPoE session |
DSL |
No data field required |
DSL Forum VSAs and PPPoE-IA Tags
In addition to using information received in ANCP messages, the ANCP agent on the router can use access line information conveyed in PPPoE packets, such as the PADI and PADR discovery packets. For PPPoE subscribers that connect through an access node that is running ANCP, the access node adds access-line information to PPPoE intermediate agent (PPPoE-IA) tags. These tags are located in the discovery packets that it passes to the router during the establishment of dynamic PPPoE sessions. Similarly to the way access line information is carried in sub-attributes of the DSL Forum VSA, this information is contained in sub-tags in the PPPoE Vendor-Specific-Tag (0x105). The sub-tags are also called tags. The data represents a current, accurate snapshot of the values at the moment that the subscriber connection is initiated.
Table 6 shows the PPPoE-IA tags that correspond to the DSL Forum VSAs. The tag value is simply the hexadecimal equivalent of the VSA type number. The vendor ID is the same for both the DSL Forum VSAs and the PPPoE tags: 3561 (0xDE9).
VSA Type |
VSA Name |
PPPoE Tag |
---|---|---|
1 |
Agent-Circuit-Id |
0x01 |
2 |
Agent-Remote-Id |
0x02 |
3 |
Access-Aggregation-Circuit-ID-ASCII |
0x03 |
6 |
Access-Aggregation-Circuit-ID-Binary |
0x06 |
129 |
Actual-Data-Rate-Upstream |
0x81 |
130 |
Actual-Data-Rate-Downstream |
0x82 |
131 |
Minimum-Data-Rate-Upstream |
0x83 |
132 |
Minimum-Data-Rate-Downstream |
0x84 |
133 |
Attainable-Data-Rate-Upstream |
0x85 |
134 |
Attainable-Data-Rate-Downstream |
0x86 |
135 |
Maximum-Data-Rate-Upstream |
0x87 |
136 |
Maximum-Data-Rate-Downstream |
0x88 |
137 |
Minimum-Data-Rate-Upstream-Low-Power |
0x89 |
138 |
Minimum-Data-Rate-Downstream-Low-Power |
0x8A |
139 |
Maximum-Interleaving-Delay-Upstream |
0x8B |
140 |
Actual-Interleaving-Delay-Upstream |
0x8C |
141 |
Maximum-Interleaving-Delay-Downstream |
0x8D |
142 |
Actual-Interleaving-Delay-Downstream |
0x8D |
144 |
Access-Loop-Encapsulation |
0x90 |
145 |
DSL-Type |
0x91 |
146 |
PON-Access-Type |
0x92 |
147 |
ONT/ONU-Average-Data-Rate-Downstream |
0x93 |
148 |
ONT/ONU-Peak-Data-Rate-Downstream |
0x94 |
149 |
ONT/ONU-Maximum-Data-Rate-Upstream |
0x95 |
150 |
ONT/ONU-Assured-Data-Rate-Upstream |
0x96 |
151 |
PON-Tree-Maximum-Data-Rate-Upstream |
0x97 |
152 |
PON-Tree-Maximum-Data-Rate-Downstream |
0x98 |
155 |
Expected-Throughput-Upstream |
0x9B |
156 |
Expected-Throughput-Downstream |
0x9C |
157 |
Attainable-Expected-Throughput-Upstream |
0x9D |
158 |
Attainable-Expected-Throughput-Downstream |
0x9E |
159 |
Gamma-Data-Rate-Upstream |
0x9F |
160 |
Gamma-Data-Rate-Downstream |
0xA0 |
161 |
Attainable-Gamma-Data-Rate-Upstream |
0xA1 |
162 |
Attainable-Gamma-Data-Rate-Downstream |
0xA2 |
254 |
IWF-Session |
0xFE |
DSL Forum VSAs Support in AAA Access and Accounting Messages for Junos OS
Table 7 lists the DSL Forum VSAs supported by Junos OS in RADIUS Access-Request, Acct-Start, Acct-Stop, Interim-Acct, and CoA-Request messages. A checkmark in a column indicates that the message type supports that attribute.
The DSL Forum vendor ID is 3561 is omitted from the attribute number to simplify the table. For example, the full designation for DSL Forum VSA Agent-Circuit-Id is 26–3561–1.
Attribute Number |
Attribute Name |
Access Request |
Acct Start |
Acct Stop |
Interim Acct |
CoA Request |
---|---|---|---|---|---|---|
26-1 |
Agent-Circuit-Id |
✓ |
✓ |
✓ |
✓ |
✓ |
26-2 |
Agent-Remote-Id |
✓ |
✓ |
✓ |
✓ |
✓ |
26–3 |
Access-Aggregation-Circuit-ID-ASCII |
✓ |
✓ |
✓ |
✓ |
– |
26–6 |
Access-Aggregation-Circuit-ID-Binary |
✓ |
✓ |
✓ |
✓ |
– |
26-129 |
Actual-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-130 |
Actual-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-131 |
Minimum-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-132 |
Minimum-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-133 |
Attainable-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-134 |
Attainable-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-135 |
Maximum-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-136 |
Maximum-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-137 |
Minimum-Data-Rate-Upstream-Low-Power |
✓ |
✓ |
✓ |
✓ |
– |
26-138 |
Minimum-Data-Rate-Downstream-Low-Power |
✓ |
✓ |
✓ |
✓ |
– |
26-139 |
Maximum-Interleaving-Delay-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-140 |
Actual-Interleaving-Delay-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-141 |
Maximum-Interleaving-Delay-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-142 |
Actual-Interleaving-Delay-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-144 |
Access-Loop-Encapsulation |
✓ |
✓ |
✓ |
✓ |
– |
26-145 |
DSL-Type |
✓ |
✓ |
✓ |
✓ |
– |
26-146 |
PON-Access-Type |
✓ |
✓ |
✓ |
✓ |
– |
26-147 |
ONT/ONU-Average-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-148 |
ONT/ONU-Peak-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-149 |
ONT/ONU-Maximum-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-150 |
ONT/ONU-Assured-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-151 |
PON-Tree-Maximum-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-152 |
PON-Tree-Maximum-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-155 |
Expected-Throughput-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-156 |
Expected-Throughput-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-157 |
Attainable-Expected-Throughput-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-158 |
Attainable-Expected-Throughput-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-159 |
Gamma-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-160 |
Gamma-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-161 |
Attainable-Gamma-Data-Rate-Upstream |
✓ |
✓ |
✓ |
✓ |
– |
26-162 |
Attainable-Gamma-Data-Rate-Downstream |
✓ |
✓ |
✓ |
✓ |
– |
26-254 |
IWF-Session |
✓ |
✓ |
✓ |
✓ |
– |
RADIUS Support for Microsoft Corporation VSAs for DNS Server Addresses
Starting in Junos OS Release 15.1, the Junos OS AAA implementation supports RADIUS VSAs that identify the primary and secondary DNS servers for IANA private enterprise number 311 (Microsoft Corporation). For example, during PPP authentication, the router receives the VSAs from a RADIUS server and uses the attributes to provision customer premise equipment.
The two VSAs are shown in the following table, and are described in RFC 2548 (Microsoft Vendor-specific RADIUS Attributes)
Attribute Number |
Attribute Name |
Description |
Value |
---|---|---|---|
26-28 |
MS-Primary-DNS-Server |
IP address of the primary Domain Name Server. This VSA can be included in Access-Accept and Accounting-Request packets. |
integer: 4-octet primary-dns-address |
26-29 |
MS-Secondary-DNS-Server |
IP address of the secondary Domain Name Server. This VSA can be included in Access-Accept and Accounting-Request packets. |
integer: 4-octet secondary-dns-address |
See Also
Support for Cisco Systems VSAs
Cisco Systems, IANA private enterprise number 9, uses a single VSA, Cisco-AVPair (26-1). This VSA conveys different information based on the values it contains. In some subscriber access networks, which have a Junos based BNG connected to both a RADIUS server and a Cisco BroadHop application that is used as the Policy Control and Charging Rules Function (PCRF) server for provisioning services using RADIUS change of authorization (CoA) messages, you can use this VSA in RADIUS messages to activate and deactivate services. You cannot modify any attributes in authentication, accounting, or CoA responses in the RADIUS messages that the BNG sends. See Processing Cisco VSAs in RADIUS Messages for Service Provisioning for more information.
Any Cisco VSAs other than the ones used to provision the services are considered as unsupported attributes.
Subscriber Management RADIUS Dictionary Files
The Juniper Networks RADIUS dictionary that is used by default for subscriber management is updated when software features that affect the file are added or changed. The dictionary is not updated for every Junos OS release. The dictionary includes Juniper Networks vendor-specific attributes that are used by Junos OS, JunosE OS, or both.
The VSA names in the dictionary begin with the prefix “Jnpr-” or “Unisphere". By convention, both prefixes are omitted from the Tech Library documentation to reduce confusion in feature discussions.
-
Junos OS Release 18.4 Subscriber Management RADIUS Dictionary [DCT]
-
Junos OS Release 18.2 Subscriber Management RADIUS Dictionary [DCT]
-
Junos OS Release 17.4 Subscriber Management RADIUS Dictionary [DCT]
-
Junos OS Release 17.1 Subscriber Management RADIUS Dictionary [DCT]
-
Junos OS Release 16.2 Subscriber Management RADIUS Dictionary [DCT]
-
Junos OS Release 16.1 Subscriber Management RADIUS Dictionary [DCT]
-
Junos OS Release 15.1 Subscriber Management RADIUS Dictionary [DCT]
Interface Text Descriptions for Inclusion in RADIUS Attributes
RADIUS attributes such as NAS-Port-ID (87) and Calling-Station-ID (31) include a description that identifies the physical interface that is used to authenticate subscribers. The default format for nonchannelized interfaces is as follows:
interface-type-slot/adapter/port.subinterface[:svlan-vlan]
For example, consider physical interface ge-1/2/0, with a subinterface of 100 and SVLAN identifier of 100. The interface description used in the NAS-Port-ID is ge-1/2/0.100:100.
Starting in Junos OS Release 17.3R1, a different format is used for channelized interfaces. For channelized interfaces, the default interface description is as follows:
interface-type-slot/adapter/logical-port-number.subinterface[:svlan-vlan]
The channel information (logical port number) is determined by this formula:
Logical port number = 100 + (actual-port-number x 20) + channel-number
For example, consider a channelized interface 3 on port 2 where the:
Physical interface is xe-0/1/2:3.
Subinterface is 4.
SVLAN is 5.
VLAN is 6.
Using the formula, the logical port number = 100 + (2 x 20) + 3 = 143. Consequently, the default interface description is xe-0/1/143.4-5.6.
You can optionally configure the interface description format in an access profile to exclude the adapter, channel, or subinterface information.
For example, if you exclude the subinterface from the nonchannelized interface description format, the description becomes ge-1/2/0:100. If you exclude the channel information from the channelized interface description format, the description becomes xe-0/1/2.4-5.6.
See Also
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.