Juniper Mist RADIUS Attributes
SUMMARY: Use this information to understand the RADIUS attributes implemented in Juniper Mist™ access points (APs).
Authentication Attributes
RADIUS services can be enabled on the Mist APs for WLAN user authentication. RADIUS services are required for WLANs implementing IEEE 802.1X authentication.
During authentication, the AP sends user information to the RADIUS server in an Access-Request message. The RADIUS server returns one of these responses:
- Access-Reject—Unconditionally denies access to the requested network resource. Failure reasons can include an invalid credential or an inactive account.
- Access-Challenge—Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication when a secure tunnel is established between the user and the RADIUS server, such as authentication using Extensible Authentication Protocol (EAP).
- Access-Accept—Permits access to the requested network resource. The Access-Accept often carries additional configuration information for the user in the form of return attributes.
IETF Standard Authentication Attributes
The following table describes the standard authentication attributes that have been implemented in Juniper Mist APs in accordance with RFC 2865. Additional extensions have also been implemented following the recommendations in RFC 2868 and RFC 2869.
Attribute Name | Type | RFC | Description |
---|---|---|---|
User-Name | 1 | RFC 2865 | The User-Name attribute is forwarded in the Access-Request and indicates the name of the user to be authenticated. |
User-Password | 2 | RFC 2865 | The User-Password attribute is forwarded in the Access-Request. It indicates the password of the user to be authenticated, or the user’s input following an Access-Challenge. |
NAS-IP-Address | 4 | RFC 2865 | The NAS-IP-Address attribute is forwarded in the Access-Request and indicates the IP address of the AP requesting user authentication. You can configure this attribute in the RADIUS settings for a WLAN. All APs on a WLAN send the configured value. |
Service-Type | 6 | RFC 2865 | The Service-Type attribute is forwarded in the Access-Request and indicates the type of service the user has requested, or the type of service to be provided. The AP always sets the attribute value to Framed-User for 802.1X/EAP WLANs or to Call-Check for MAC-Auth-enabled WLANs. |
Framed-MTU | 12 | RFC 2865 | The Framed-MTU attribute is forwarded in the Access-Request and indicates the Maximum Transmission Unit (MTU) to be configured for the user. The attribute value is always set to 1200 by the AP. |
State | 24 | RFC 2865 | The State attribute is available to be forwarded in the Access-Challenge. It must be sent unmodified from the client to the server in the Access-Request reply to that challenge, if any. |
Called-Station-Id | 30 | RFC 2865 | The Called-Station-Id attribute is forwarded in the Access-Request and indicates the BSSID and ESSID that the authenticating user is associated with. The Access Point will forward the attribute value using the following formatting: XX-XX-XX-XX-XX-XX:ESSID. |
Calling-Station-Id | 31 | RFC 2865 | The Calling-Station-Id attribute is forwarded in the Access-Request and indicates the MAC address of the authenticating user. It is only used in Access-Request packets. The Access Point will forward the attribute value using the following formatting: XX-XX-XX-XX-XX-XX. |
NAS-Identifier | 32 | RFC 2865 | The NAS-Identifier attribute is forwarded in the Access-Request. You can configure this attribute in the RADIUS settings for a WLAN. All access points on a WLAN send the configured value. You can use variables to send the device name, model, MAC address, and site name. The variables are: {{DEVICE_NAME}}, {{DEVICE_MODEL}}, {{DEVICE_MAC}}, {{SITE_NAME}} |
Proxy-State | 33 | RFC 2865 | The Proxy-State attribute is sent by a proxy server to another server when forwarding Access-Requests. It must be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge and removed by the proxy server before the response is sent to the network access server. |
NAS-Port-Type | 61 | RFC 2865 | The NAS-Port-Type attribute is forwarded in the Access-Request and indicates the type of physical connection for the authenticating user. The attribute value is always set to Wireless-802.11 by the Access Point. |
Connection-Info | 77 | RFC 2869 | The Connection-Info attribute is forwarded in the Access-Request and indicates the data-rate and radio type of the authenticating user. The Access Point will forward the attribute value using the following formatting: CONNECT XXMbps 802.11X. |
EAP-Message | 79 | RFC 2869 | The EAP-Message attribute is forwarded in the Access-Request, Access-Challenge, Access-Accept and Access-Reject and encapsulates Extensible Authentication Protocol (EAP) packets. |
Message-Authenticator | 80 | RFC 2869 | The Message-Authenticator attribute is forwarded in the Access-Request and may be used to prevent spoofing of CHAP, ARAP or EAP Access-Request packets. |
Tunnel-Private-Group-ID | 81 | RFC 2868 | The Tunnel-Private-Group-ID attribute is forwarded in the Access-Accept and indicates the VLAN to be assigned to the authenticating user. The attribute value must be a numerical VLAN ID between 1 and 4094 or a string representing a named VLAN. |
Filter-Id | 11 | RFC 2865 | The Filter-Id attribute may be forwarded in the Access-Accept and indicates the user role the client will be associated with. User Groups are used by the Mist WxLAN policy framework to assign network firewall rules. Format: Group-Name. Example: employee |
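To make the Access-Request side of the table concrete, here is an added example (not Juniper Mist code) that encodes the attributes the AP always sends, applies the XX-XX-XX-XX-XX-XX:ESSID and XX-XX-XX-XX-XX-XX formatting from the table, and computes and verifies the Message-Authenticator that protects EAP Access-Requests from spoofing. The shared secret, Request Authenticator and all sample values are constructed for the example.

```python
import hashlib, hmac, struct

USER_NAME, SERVICE_TYPE, FRAMED_MTU = 1, 6, 12   # type codes from the table (RFC 2865/2869)
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
FRAMED_USER, CALL_CHECK, WIRELESS_80211 = 2, 10, 19
ACCESS_REQUEST = 1

def avp(attr_type, value):
    """Encode one Type/Length/Value attribute; Length counts the 2-byte header."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    assert len(value) <= 253, "RADIUS attribute values are limited to 253 octets"
    return bytes([attr_type, len(value) + 2]) + value

def mac_to_radius(mac):
    """AP formatting from the table: XX-XX-XX-XX-XX-XX (upper case, dash separated)."""
    digits = mac.replace(":", "").replace("-", "").upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_access_request(secret, ident, authenticator, user, client_mac, bssid, essid,
                         nas_id, mac_auth=False):
    """Build an Access-Request with the attributes the table lists as always sent, then fill
    in Message-Authenticator (RFC 2869 section 5.14): HMAC-MD5 keyed with the shared
    secret over the whole packet, computed while the attribute value is all zeros."""
    attrs = b"".join([
        avp(USER_NAME, user),
        avp(SERVICE_TYPE, CALL_CHECK if mac_auth else FRAMED_USER),  # Call-Check on MAC-Auth WLANs
        avp(FRAMED_MTU, 1200),
        avp(CALLED_STATION_ID, mac_to_radius(bssid) + ":" + essid),
        avp(CALLING_STATION_ID, mac_to_radius(client_mac)),
        avp(NAS_IDENTIFIER, nas_id),
        avp(NAS_PORT_TYPE, WIRELESS_80211),
        avp(MESSAGE_AUTHENTICATOR, bytes(16)),   # placeholder, overwritten below
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    digest = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + digest   # the placeholder is the final 16 bytes

def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the attribute zeroed and compare in
    constant time. A packet without the attribute fails, as a spoofed EAP request would."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False   # malformed attribute; never loop forever on untrusted input
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False
```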
Supported Vendor-Specific Attributes
The following table outlines vendor-specific attributes (VSAs) that are supported by Juniper Mist Access Points in accordance with RFC 2865.
Attribute Name | Type | Vendor ID | Attribute Number | Formatting | Description |
---|---|---|---|---|---|
Airespace-Interface-Name | 26 | 14179 | 5 | String | The Airespace-Interface-Name attribute may be forwarded in the Access-Accept to indicate the dynamic VLAN membership of an 802.1X or RADIUS MAC authenticated user. The returned attribute value is always a string-formatted name of the VLAN. VLAN name to VLAN ID translation must be configured under the WLAN using VLAN IDs or variables. Format: VLAN-Name. Example: employee-vlan |
Airespace-ACL-Name | 26 | 14179 | 6 | String | The Airespace-ACL-Name attribute may be forwarded in the Access-Accept and indicates the user role the client will be associated with. User Groups are used by the Mist WxLAN policy framework to assign granular network resource restrictions. Format: Group-Name. Example: employee |
Aruba-User-Role | 26 | 14823 | 1 | String | The Aruba-User-Role attribute may be forwarded in the Access-Accept and indicates the user role the client will be associated with. User Groups are used by the Mist WxLAN policy framework to assign granular network resource restrictions. Format: Group-Name. Example: employee |
Cisco-AVPair | 26 | 9 | 1 | String | The Cisco-AVPair attribute may be forwarded in the Access-Accept to indicate to the Mist Access Point that a client needs to be redirected for portal authentication and to specify the redirect URL. This attribute is typically used for Guest Access integrations with Cisco ISE or Aruba ClearPass RADIUS servers, or to enable Posture Redirect functionality for 802.1X/EAP users. AVPair URL Redirect Format: url-redirect=<URL value>. Example: url-redirect=https://ise28.89mistilbs.org:8443/portal/gateway?sessionId=0a004b1c/Jtf4peiJ5A8nPreloHRRITWvmhDCbnH3qXQ8MngtoA&portal=71984f36-f55e-4439-ba6e-903d9f77c216&action=cwa&token=1f7dca2cc907b1ad56ee4880e1cfa1ae AVPair PSK: The Cisco-AVPair attribute may also carry a PSK attribute, indicating to the Mist Access Point which passphrase is assigned to a given client. To provide a PSK value to the AP, two Cisco-AVPair attributes must be sent together: one indicating that the PSK is sent in ASCII format and another carrying the actual pre-shared key value. Format: psk-mode=ascii & psk=<passphrase> |
Eleven-Authentication-Find-Key | 26 | 52970 | 3 | TLV | The Eleven-Authentication-Find-Key attribute supplies additional information to supported RADIUS servers to simplify wireless client PSK lookup via RADIUS, removing the need to pre-associate a wireless client MAC with a particular PSK ahead of time. This attribute is a TLV according to RFC 6929 and contains multiple sub-attributes. |
Eleven-EAPOL-Frame-2 (sub-attribute) | | | 1 | Octets | The Eleven-EAPOL-Frame-2 sub-attribute contains the second EAPOL frame sent by the wireless client to the Access Point during the 4-way handshake. |
Eleven-EAPOL-Anonce (sub-attribute) | | | 2 | Octets | The Eleven-EAPOL-Anonce sub-attribute contains the first EAPOL frame sent by the Access Point to the wireless client during the 4-way handshake. |
Eleven-EAPOL-SSID (sub-attribute) | | | 3 | String | The Eleven-EAPOL-SSID sub-attribute contains the name of the SSID that the wireless client is trying to associate to. |
Eleven-EAPOL-APMAC (sub-attribute) | | | 4 | Octets | The Eleven-EAPOL-APMAC sub-attribute contains the BSSID in xxxxxxxxxxxx format. |
Eleven-EAPOL-STMAC (sub-attribute) | | | 5 | Octets | The Eleven-EAPOL-STMAC sub-attribute contains the wireless client MAC address in xxxxxxxxxxxx format. |
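The following added example (not Juniper Mist code) shows how an AP-side policy layer could interpret the Access-Accept return attributes from both tables above: Tunnel-Private-Group-ID and Airespace-Interface-Name for the VLAN, Filter-Id, Airespace-ACL-Name and Aruba-User-Role for the user group, and the Cisco-AVPair url-redirect and psk-mode/psk pairs. It assumes the VSAs have already been decoded into (name, value) pairs and uses a constructed VLAN-name-to-ID mapping standing in for the WLAN configuration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for the WLAN's VLAN name to VLAN ID translation.
VLAN_NAME_MAP = {"employee-vlan": 20, "guest-vlan": 30}

@dataclass
class ClientPolicy:
    vlan_id: Optional[int] = None
    user_group: Optional[str] = None
    redirect_url: Optional[str] = None
    psk: Optional[str] = None
    ignored: List[str] = field(default_factory=list)

def parse_vlan(value, name_map):
    """Tunnel-Private-Group-ID is a numeric ID in 1..4094 or a named VLAN; the Airespace
    attribute is always a name. Both go through the same translation."""
    if value.isdigit():
        vid = int(value)
        if 1 <= vid <= 4094:
            return vid
        raise ValueError("VLAN ID %d is outside 1-4094" % vid)
    if value in name_map:
        return name_map[value]
    raise ValueError("VLAN name %r is not configured on the WLAN" % value)

def apply_access_accept(attrs, name_map=VLAN_NAME_MAP):
    """Turn the return attributes of one Access-Accept into a ClientPolicy."""
    policy = ClientPolicy()
    avpairs = {}
    for name, value in attrs:
        if name in ("Tunnel-Private-Group-ID", "Airespace-Interface-Name"):
            policy.vlan_id = parse_vlan(value, name_map)
        elif name in ("Filter-Id", "Airespace-ACL-Name", "Aruba-User-Role"):
            policy.user_group = value
        elif name == "Cisco-AVPair":
            key, sep, val = value.partition("=")
            if sep and key in ("url-redirect", "psk-mode", "psk"):
                avpairs[key] = val
            else:
                policy.ignored.append(value)   # AVPairs the AP does not support
        else:
            policy.ignored.append(name)
    policy.redirect_url = avpairs.get("url-redirect")
    # The PSK is only honoured when its companion psk-mode=ascii AVPair is present.
    if "psk" in avpairs:
        if avpairs.get("psk-mode") != "ascii":
            raise ValueError("psk AVPair received without psk-mode=ascii")
        policy.psk = avpairs["psk"]
    return policy
```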
RADIUS Accounting Attributes
You can enable or disable RADIUS Accounting Servers in the WLAN configuration. You can use RADIUS accounting information to track users' network usage for billing purposes and to gather data for general network monitoring.
The following accounting configurations are supported:
- Start-Stop—Juniper Mist APs forward Accounting-Requests at the start and end of the user sessions. This behavior is enabled by default, as soon as at least one accounting server is configured under the WLAN.
- Start-Interim-Stop—Juniper Mist APs forward Accounting-Requests at the start and end of the user sessions and periodically during the lifetime of the sessions. The Framed-IP-Address attribute will be included in the accounting messages.
Note: The Interim-Update interval can also be dynamically overridden by sending the Acct-Interim-Interval (85) AVP from the RADIUS server.
The following table describes the standard RADIUS accounting attributes that have been implemented in the Juniper Mist Access Points in accordance with RFC 2866.
Attribute Name | Type | RFC | Description |
---|---|---|---|
User-Name | 1 | RFC 2865 | The User-Name attribute is forwarded in the Accounting-Request and indicates the name of the user. |
NAS-IP-Address | 4 | RFC 2865 | The NAS-IP-Address attribute is forwarded in the Accounting-Request and indicates the IP address of the Access Point. |
Framed-IP-Address | 8 | RFC 2865 | The Framed-IP-Address attribute is forwarded in Accounting-Request packets and indicates the current or last-known IP address of the wireless client. It is only sent when Interim Accounting is enabled on the WLAN. Note: during the first client connection, when the client has not yet obtained an IP address, the Framed-IP-Address AVP will be missing from the first Accounting-Start packet. As soon as the AP learns the client IP address, it sends an asynchronous Accounting Interim-Update message (outside the normal Interim-Accounting update interval) carrying the Framed-IP-Address information. |
Class | 25 | RFC 2865 | The Class attribute is optionally forwarded in the Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is enabled. Mist Access Points support sending multiple Class attributes for each client. |
Called-Station-Id | 30 | RFC 2865 | The Called-Station-Id attribute is forwarded in the Accounting-Request and indicates the BSSID and ESSID that the user is associated with. The Access Point will forward the attribute value using the following formatting: XX-XX-XX-XX-XX-XX:ESSID. |
Calling-Station-Id | 31 | RFC 2865 | The Calling-Station-Id attribute is forwarded in the Accounting-Request and indicates the MAC address of the user. The Access Point will forward the attribute value using the following formatting: XX-XX-XX-XX-XX-XX. |
NAS-Identifier | 32 | RFC 2865 | The NAS-Identifier attribute is forwarded in the Accounting-Request and indicates the user defined identifier configured under WLAN settings. |
Acct-Status-Type | 40 | RFC 2866 | The Acct-Status-Type attribute is forwarded in the Accounting-Request and indicates whether the Accounting-Request marks the status of the accounting update. Supported values include Start, Stop and Interim-Update. |
Acct-Delay-Time | 41 | RFC 2866 | The Acct-Delay-Time attribute is forwarded in the Accounting-Request and indicates how many seconds the Access Point has been trying to send the accounting record for. This value is subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. |
Acct-Input-Octets | 42 | RFC 2866 | The Acct-Input-Octets attribute is forwarded in the Accounting-Request and indicates how many octets have been received from the user over the course of the connection. This attribute may only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
Acct-Output-Octets | 43 | RFC 2866 | The Acct-Output-Octets attribute is forwarded in the Accounting-Request and indicates how many octets have been forwarded to the user over the course of the connection. This attribute may only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
Acct-Session-Id | 44 | RFC 2866 | The Acct-Session-Id attribute is forwarded in the Accounting-Request and provides a unique identifier to make it easy to match start, stop and interim records in an accounting log file. |
Acct-Authentic | 45 | RFC 2866 | The Acct-Authentic attribute is forwarded in the Accounting-Request and indicates how the user was authenticated. When RADIUS accounting is enabled the Access Point sets this value to RADIUS. |
Acct-Session-Time | 46 | RFC 2866 | The Acct-Session-Time attribute is forwarded in the Accounting-Request and indicates how many seconds the user has received service for. This attribute may only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
Acct-Input-Packets | 47 | RFC 2866 | The Acct-Input-Packets attribute is forwarded in the Accounting-Request and indicates how many packets have been received from the user over the course of the connection. This attribute may only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
Acct-Output-Packets | 48 | RFC 2866 | The Acct-Output-Packets attribute is forwarded in the Accounting-Request and indicates how many packets have been forwarded to the user over the course of the connection. This attribute may only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
Acct-Terminate-Cause | 49 | RFC 2866 | The Acct-Terminate-Cause attribute is forwarded in the Accounting-Request and indicates how the session was terminated. This attribute may only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
Event-Timestamp | 55 | RFC 2869 | The Event-Timestamp attribute is forwarded in the Accounting-Request and indicates the time that the accounting event occurred on the Access Point. |
NAS-Port-Type | 61 | RFC 2865 | The NAS-Port-Type attribute is forwarded in the Accounting-Request and indicates the type of physical connection for the user. This attribute value is always set to Wireless-802.11 by the Mist Access Point. |
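As an added example of consuming these records on the server side (not Juniper Mist code), the function below correlates Start, Interim-Update and Stop records by Acct-Session-Id, derives the event time from Acct-Delay-Time as the table describes, picks up a Framed-IP-Address that first appears in an asynchronous Interim-Update, and flags records that carry the Stop-only counters elsewhere. The record format (arrival time plus a name-to-value dictionary) and the sample records are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attributes the table says may only be present when Acct-Status-Type is Stop.
STOP_ONLY = ("Acct-Input-Octets", "Acct-Output-Octets", "Acct-Input-Packets",
             "Acct-Output-Packets", "Acct-Session-Time", "Acct-Terminate-Cause")

@dataclass
class SessionRecord:
    user: str
    client_mac: str
    start_time: Optional[int] = None
    stop_time: Optional[int] = None
    framed_ip: Optional[str] = None
    counters: Dict[str, int] = field(default_factory=dict)
    anomalies: List[str] = field(default_factory=list)

def event_time(record, arrival):
    """RFC 2866: the event happened roughly arrival time minus Acct-Delay-Time."""
    return arrival - int(record.get("Acct-Delay-Time", 0))

def correlate(records):
    """records: list of (arrival_epoch_seconds, {attribute: value}) in arrival order.
    Returns a mapping of Acct-Session-Id to the reconstructed SessionRecord."""
    sessions = {}
    for arrival, r in records:
        sid = r["Acct-Session-Id"]
        s = sessions.setdefault(sid, SessionRecord(r["User-Name"], r["Calling-Station-Id"]))
        status = r["Acct-Status-Type"]
        when = event_time(r, arrival)
        if status == "Start":
            s.start_time = when
        elif status == "Interim-Update":
            if s.start_time is None:
                s.anomalies.append("Interim-Update before Start")
        elif status == "Stop":
            s.stop_time = when
            s.counters = {k: int(r[k]) for k in STOP_ONLY if k in r}
            if "Acct-Session-Time" not in r:
                s.anomalies.append("Stop without Acct-Session-Time")
        else:
            s.anomalies.append("unsupported Acct-Status-Type %s" % status)
        if "Framed-IP-Address" in r:
            s.framed_ip = r["Framed-IP-Address"]   # may first arrive in an async Interim-Update
        if status != "Stop" and any(k in r for k in STOP_ONLY):
            s.anomalies.append("Stop-only counters in %s" % status)
    return sessions
```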
Dynamic Authorization Extensions
The RADIUS authentication protocol originally did not support unsolicited messages sent from the RADIUS server to the Access Point. However, there are many instances in which it is desirable for changes to be made to session characteristics without requiring the Access Point to initiate the exchange.
To overcome these limitations several vendors have implemented additional RADIUS extensions that support unsolicited messages sent from the RADIUS server to an Access Point. These extensions support Disconnect and Change-of-Authorization (CoA) messages that can be used to terminate an active user session or change the characteristics of an active session.
- Disconnect-Request—Causes a user session to be terminated. The Disconnect-Request packet identifies the NAS as well as the user session to be terminated by inclusion of the identification attributes shown in table 3.0.
- CoA-Request—Causes session information to be dynamically updated on the Access Point.
Disconnect-Request Attributes
The following table describes the required dynamic authorization attributes for Disconnect Requests.
The minimum set of attributes outlined in the table is sufficient for the Disconnect to work. If additional attributes are sent by the RADIUS server, some will also be evaluated (for example NAS-IP-Address value must match current IP address of the Mist AP, or Acct-Session-Id must match wireless client session ID), while other attributes that are not supported will be ignored (for example Acct-Terminate-Cause).
Attribute Name | Vendor | Attribute Number | Description |
---|---|---|---|
Event-Timestamp | IETF | 55 | Time at which the Disconnect-Request was issued. The time is checked by the Mist AP; if the clock drift is too large, the Disconnect-Request is discarded. Event-Timestamp attribute validation can optionally be disabled in the WLAN configuration. |
Calling-Station-Id | IETF | 31 | MAC address of the user in XX-XX-XX-XX-XX-XX format. |
CoA-Request Attributes
The following table describes the required dynamic authorization attributes for CoA Requests.
The minimum set of attributes outlined in the table is sufficient for the CoA to work. Other attributes also will be evaluated if sent by the RADIUS server and supported by Juniper Mist. For example, NAS-IP-Address value must match current IP address of the Juniper Mist AP, or Acct-Session-Id must match the wireless client's session ID. Attributes that are not supported will be ignored (for example, any additional Cisco-AVPair attributes).
For more information about CoA, see Change of Authorization (CoA).
Attribute Name | Vendor | Attribute Number | Description |
---|---|---|---|
Event-Timestamp | IETF | 55 | Time at which the CoA-Request was issued. The time is checked by the Mist AP; if the clock drift is too large, the request is discarded. Event-Timestamp attribute validation can optionally be disabled in the WLAN configuration. |
Calling-Station-Id | IETF | 31 | MAC address of the user in XX-XX-XX-XX-XX-XX format. |
Cisco-AVPair | Cisco (9) | 1 | subscriber-command:reauthenticate |
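The decision logic the two tables describe, written out as an added example (not Juniper Mist code): the minimum attributes are required, Event-Timestamp drift is checked unless validation is disabled for the WLAN, NAS-IP-Address and Acct-Session-Id are compared against the session when present, unsupported attributes are ignored, and a CoA-Request is only acted on when it carries subscriber-command:reauthenticate. The session table, the drift tolerance MAX_CLOCK_DRIFT and the sample values are assumptions of the example; the page does not state the AP's actual tolerance.

```python
from dataclasses import dataclass

MAX_CLOCK_DRIFT = 300   # seconds; assumed tolerance, the page only says "too big" is discarded
REAUTH = "subscriber-command:reauthenticate"
EVALUATED = {"Event-Timestamp", "Calling-Station-Id", "NAS-IP-Address",
             "Acct-Session-Id", "Cisco-AVPair"}

@dataclass
class Session:
    client_mac: str        # Calling-Station-Id, XX-XX-XX-XX-XX-XX
    acct_session_id: str   # Acct-Session-Id reported in accounting
    nas_ip: str            # this AP's current IP address

def evaluate_dynamic_request(code, attrs, sessions, now, validate_timestamp=True):
    """Return (action, reason, ignored) for a "Disconnect-Request" or "CoA-Request".
    attrs is a list of (name, value) pairs decoded from the packet; sessions maps the
    upper-case client MAC to a Session; now is the AP clock in epoch seconds."""
    ignored = [n for n, _ in attrs if n not in EVALUATED]
    fields = {n: v for n, v in attrs if n in EVALUATED and n != "Cisco-AVPair"}
    avpairs = [v for n, v in attrs if n == "Cisco-AVPair"]
    ignored += [v for v in avpairs if v != REAUTH]      # other AVPairs are not acted on
    if "Calling-Station-Id" not in fields:
        return "NAK", "Calling-Station-Id missing", ignored
    if validate_timestamp:                              # can be disabled per WLAN
        if "Event-Timestamp" not in fields:
            return "NAK", "Event-Timestamp missing", ignored
        if abs(now - int(fields["Event-Timestamp"])) > MAX_CLOCK_DRIFT:
            return "NAK", "Event-Timestamp clock drift too large", ignored
    session = sessions.get(fields["Calling-Station-Id"].upper())
    if session is None:
        return "NAK", "no active session for this client", ignored
    # Optional attributes are only checked when the server sent them.
    if fields.get("NAS-IP-Address", session.nas_ip) != session.nas_ip:
        return "NAK", "NAS-IP-Address does not match this AP", ignored
    if fields.get("Acct-Session-Id", session.acct_session_id) != session.acct_session_id:
        return "NAK", "Acct-Session-Id does not match the client session", ignored
    if code == "Disconnect-Request":
        return "disconnect", "session terminated", ignored
    if code == "CoA-Request" and REAUTH in avpairs:
        return "reauthenticate", "client re-authentication triggered", ignored
    return "NAK", "unsupported request code or CoA command", ignored
```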