The following sections describe the most frequently used Radius attributes. Each attribute is described as follows:
ATTRIBUTE name value type
| Users: | user-flags |
| Hints: | hints-flags |
| Huntgroups: | huntgroup-flags |
| Additivity: | additivity |
| Proxy propagated: | prop |
These values have the following meaning:
user-flags, hints-flags, huntgroup-flags
    Two-character flags telling where the attribute may appear in an entry of the corresponding file (users, hints and huntgroups). The first character is L if the attribute may be used in the LHS of an entry (the matching part), the second is R if it may be used in the RHS (the reply part); a dash in either position means the attribute is not allowed there. Thus L- means "LHS only", -R "RHS only", LR "both" and -- "neither".
additivity
    How the attribute is merged when the same attribute is already present in the pair list being built: Replace substitutes the new value for the existing one, Append adds the new pair alongside the existing ones.
prop
    Whether the attribute is passed on to the remote server when the request is proxied.
The entry N/A for any of these fields signifies "not applicable".
14.1 Authentication Attributes
14.2 Accounting Attributes
14.3 Radius Internal Attributes
14.1 Authentication Attributes
These are the attributes the NAS uses in authentication packets and expects to get back in authentication replies. These can be used in matching rules.
CHAP-Password
ATTRIBUTE CHAP-Password 3 string
| Users: | L- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | No |
This attribute carries the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets. The first octet of the value is the CHAP Identifier; the remaining 16 octets are the CHAP response.
The CHAP challenge value is taken from the CHAP-Challenge attribute (60) if present in the packet, otherwise from the Request Authenticator field.
Callback-Id
ATTRIBUTE Callback-Id 20 string
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | No |
This attribute indicates the name of a place to be called, to be interpreted by the NAS. It may be used in Access-Accept packets.
Callback-Number
ATTRIBUTE Callback-Number 19 string
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | No |
This attribute indicates a dialing string to be used for callback. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.
Called-Station-Id
ATTRIBUTE Called-Station-Id 30 string
| Users: | L- |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.
Calling-Station-Id
ATTRIBUTE Calling-Station-Id 31 string
| Users: | L- |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using automatic number identification (ANI) or similar technology. It is only used in Access-Request packets.
Class
ATTRIBUTE Class 25 string
| Users: | LR |
| Hints: | LR |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported.
Framed-Compression
ATTRIBUTE Framed-Compression 13 integer
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Replace |
| Proxy propagated: | Yes |
VALUE Framed-Compression None 0
VALUE Framed-Compression Van-Jacobson-TCP-IP 1
This attribute indicates a compression protocol to be used for the link. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.
More than one compression protocol attribute may be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.
Framed-IP-Address
ATTRIBUTE Framed-IP-Address 8 ipaddr
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Replace |
| Proxy propagated: | No |
This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.
The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Any other valid value indicates that the NAS should use that value as the user's IP.
When used in a RHS, the value of this attribute can optionally be followed by a plus sign. This means that the value of NAS-Port-Id from the request is added to this IP before replying, so that each port of the NAS gets its own address relative to the base. For example,
Framed-IP-Address = 10.10.0.1+
assigns 10.10.0.1 to port 0, 10.10.0.2 to port 1, and so on.
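The following is an added example, not code from GNU Radius, showing how a server-side resolver would interpret a Framed-IP-Address RHS value: the two reserved values, the trailing plus sign with NAS-Port-Id added on the 32-bit integer form (so the sum carries across octet boundaries), and, as an assumed extra guard the page does not describe, a pool check that catches a port number pushing the address out of the intended range. The function name and the `pool` parameter are this example's own.

```python
import ipaddress
from typing import Optional, Tuple

# Reserved values from the Framed-IP-Address description (RFC 2865, section 5.8).
SELECT_BY_USER = ipaddress.IPv4Address("255.255.255.255")  # 0xFFFFFFFF
SELECT_BY_NAS = ipaddress.IPv4Address("255.255.255.254")   # 0xFFFFFFFE


def resolve_framed_ip(rhs_value: str, nas_port_id: Optional[int] = None,
                      pool: Optional[str] = None) -> Tuple[str, Optional[ipaddress.IPv4Address]]:
    """Interpret a Framed-IP-Address RHS value.

    Returns ("user", None) for 255.255.255.255, ("nas", None) for
    255.255.255.254 and ("fixed", address) for anything else. A trailing
    "+" adds the request's NAS-Port-Id to the base address. `pool` is an
    optional CIDR string: an assumed guard (not described on the page)
    that rejects a computed address outside the intended range.
    """
    value = rhs_value.strip()
    add_port = value.endswith("+")
    if add_port:
        value = value[:-1]
    addr = ipaddress.IPv4Address(value)
    if add_port:
        if nas_port_id is None:
            raise ValueError("'+' suffix requires NAS-Port-Id in the request")
        if nas_port_id < 0:
            raise ValueError("NAS-Port-Id must not be negative")
        # The addition is on the 32-bit integer form, so it carries across
        # octet boundaries; IPv4Address() raises if the sum exceeds 32 bits.
        addr = ipaddress.IPv4Address(int(addr) + nas_port_id)
    if addr == SELECT_BY_USER:
        return ("user", None)
    if addr == SELECT_BY_NAS:
        return ("nas", None)
    if pool is not None and addr not in ipaddress.IPv4Network(pool):
        raise ValueError(f"{addr} lies outside the allowed pool {pool}")
    return ("fixed", addr)
```

With `10.10.0.1+` and NAS-Port-Id 300 the result is 10.10.1.45, not an address in 10.10.0.0/24; the pool guard is what turns that silent carry into an error.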
Framed-IP-Netmask
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Replace |
| Proxy propagated: | No |
This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.
Framed-MTU
ATTRIBUTE Framed-MTU 12 integer
| Users: | LR |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Replace |
| Proxy propagated: | Yes |
This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.
Framed-Protocol
ATTRIBUTE Framed-Protocol 7 integer
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Replace |
| Proxy propagated: | Yes |
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets.
Framed-Route
ATTRIBUTE Framed-Route 22 string
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | No |
This attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.
Framed-Routing
ATTRIBUTE Framed-Routing 10 integer
| Users: | -R |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Replace |
| Proxy propagated: | No |
VALUE Framed-Routing None 0
VALUE Framed-Routing Broadcast 1
VALUE Framed-Routing Listen 2
VALUE Framed-Routing Broadcast-Listen 3
This attribute indicates the routing method for the user when the user is a router to a network. It is only used in Access-Accept packets.
Idle-Timeout
ATTRIBUTE Idle-Timeout 28 integer
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | Yes |
This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.
NAS-IP-Address
ATTRIBUTE NAS-IP-Address 4 ipaddr
| Users: | L- |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute indicates the identifying IP of the NAS
which is requesting authentication of the user. It is only used
in Access-Request packets. Each Access-Request packet should contain
either a NAS-IP-Address or a NAS-Identifier attribute
(14.1.16 NAS-Identifier).
NAS-Identifier
ATTRIBUTE NAS-Identifier 32 string
| Users: | L- |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute contains a string identifying the NAS originating
the access request. It is only used in Access-Request packets.
Either NAS-IP-Address or NAS-Identifier should be present in an
Access-Request packet.
See section 14.1.15 NAS-IP-Address.
NAS-Port-Id
ATTRIBUTE NAS-Port-Id 5 integer
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute indicates the physical port number of the NAS that is authenticating the user. It is only used in Access-Request packets. Note that here we are using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. (RFC 2865 calls attribute 5 NAS-Port; the name NAS-Port-Id is used in RFC 2869 for a different, string-valued attribute, number 87. Keep this in mind when comparing with other dictionaries.)
Some NASes try to encode various information in the NAS-Port-Id attribute value. For example, the MAX Ascend terminal server constructs NAS-Port-Id by concatenating the line type (one digit), the line number (two digits), and the channel number (two digits), thus producing a five-digit port number. In order to normalize such encoded port numbers we recommend using a rewrite function (see section 5.12 Rewrite functions -- `raddb/rewrite'). A rewrite function for MAX Ascend servers is provided in the distribution.
NAS-Port-Type
ATTRIBUTE NAS-Port-Type 61 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Append |
| Proxy propagated: | No |
VALUE NAS-Port-Type Async 0
VALUE NAS-Port-Type Sync 1
VALUE NAS-Port-Type ISDN 2
VALUE NAS-Port-Type ISDN-V120 3
VALUE NAS-Port-Type ISDN-V110 4
This attribute indicates the type of the physical port of the NAS that is authenticating the user. It can be used instead of or in addition to the NAS-Port-Id (14.1.17 NAS-Port-Id) attribute. It is only used in Access-Request packets. Either NAS-Port-Id or NAS-Port-Type, or both, should be present in an Access-Request packet if the NAS differentiates among its ports.
Reply-Message
ATTRIBUTE Reply-Message 18 string
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Append |
| Proxy propagated: | Yes |
This attribute indicates text that may be displayed to the user.
When used in an Access-Accept, it is the success message.
When used in an Access-Reject, it is the failure message. It may indicate a dialog message to prompt the user before another Access-Request attempt.
When used in an Access-Challenge, it may indicate a dialog message to prompt the user for a response.
Multiple Reply-Message attributes may be included, and if any are displayed, they must be displayed in the same order as they appear in the packet.
Service-Type
ATTRIBUTE Service-Type 6 integer
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Replace |
| Proxy propagated: | Yes |
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Call-Check 10
This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets.
When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated.
When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service.
The meaning of the service types is as follows:
Login-User
    The user should be connected to a host.
Framed-User
    A framed protocol (PPP or SLIP) should be started for the user. The Framed-IP-Address attribute (see section 14.1.8 Framed-IP-Address) will supply the IP to be used.
Callback-Login-User
    The user should be disconnected and called back, then connected to a host.
Callback-Framed-User
    The user should be disconnected and called back, then a framed protocol should be started.
Outbound-User
    The user should be granted access to outgoing devices.
Administrative-User
    The user should be granted access to the administrative interface of the NAS, from which privileged commands can be executed.
NAS-Prompt (NAS-Prompt-User in the dictionary)
    The user should be provided a command prompt on the NAS, from which non-privileged commands can be executed.
Authenticate-Only
    Only authentication is requested; no authorization information needs to be returned in the Access-Accept.
Call-Check
    The NAS asks, before answering a call, whether the call should be accepted. Such a request identifies the call by Calling-Station-Id and Called-Station-Id rather than by a user credential, and an Access-Accept means the call should be answered.
Callback-NAS-Prompt
    The user should be disconnected and called back, then provided a command prompt on the NAS. (RFC 2865 assigns this type the value 9, which the VALUE list above does not include.)
Session-Timeout
ATTRIBUTE Session-Timeout 27 integer
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | Yes |
This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.
State
ATTRIBUTE State 24 string
| Users: | LR |
| Hints: | LR |
| Huntgroups: | LR |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.
This attribute is available to be sent by the server to the client
in an Access-Accept that also includes a Termination-Action
attribute with the value RADIUS-Request. If the NAS performs
the termination action by sending a new Access-Request upon
termination of the current session, it must include the State
attribute unchanged in that Access-Request.
In either usage, no interpretation by the client should be made.
A packet may have only one State attribute.
Termination-Action
ATTRIBUTE Termination-Action 29 integer
| Users: | LR |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Replace |
| Proxy propagated: | No |
VALUE Termination-Action Default 0
VALUE Termination-Action RADIUS-Request 1
This attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.
User-Name
ATTRIBUTE User-Name 1 string
| Users: | LR |
| Hints: | -R |
| Huntgroups: | LR |
| Additivity: | Replace |
| Proxy propagated: | Yes |
This attribute indicates the name of the user to be authenticated or accounted. It is used in Access-Request and Accounting-Request packets.
The length of the user name is usually limited by some implementation-defined value. By default, Radius supports user names up to 32 characters long. This value can be modified by redefining the RUT_USERNAME macro in the `include/radutmp.h' file in the distribution directory and recompiling the program.
Some NASes have peculiarities about sending long user names. For example, the Specialix Jetstream 8500 24-port access server inserts a `/' character after the 10th character if the user name is longer than 10 characters. In such cases, we recommend applying rewrite functions in order to bring the user name to its normal form (see section 5.12 Rewrite functions -- `raddb/rewrite').
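The two normalizations described on this page, the MAX Ascend port encoding under NAS-Port-Id and the Jetstream slash under User-Name, reimplemented in Python as an added example. This is not the rewrite function shipped in the GNU Radius distribution, only an illustration of what such a function has to do; `channels_per_line` is an assumed parameter, and the function names are this example's own.

```python
import re
from typing import Tuple


def decode_ascend_port(nas_port_id: int) -> Tuple[int, int, int]:
    """Split a MAX Ascend NAS-Port-Id (TLLCC: 1-digit line type, 2-digit line,
    2-digit channel) into its three fields."""
    if not 0 <= nas_port_id <= 99999:
        raise ValueError(f"{nas_port_id} is not a five-digit Ascend port number")
    digits = f"{nas_port_id:05d}"
    return int(digits[0]), int(digits[1:3]), int(digits[3:5])


def normalize_ascend_port(nas_port_id: int, channels_per_line: int = 30) -> int:
    """Flatten TLLCC into one sequential port index: line * channels + channel.
    channels_per_line is an assumed parameter; pick it to match the NAS."""
    _line_type, line, channel = decode_ascend_port(nas_port_id)
    return line * channels_per_line + channel


# Exactly ten characters, a slash, then at least one more character.
_JETSTREAM_SLASH = re.compile(r"^(.{10})/(.+)$")


def normalize_jetstream_username(name: str) -> str:
    """Remove the '/' a Specialix Jetstream 8500 inserts after the 10th character.
    Names of ten characters or fewer, and names whose slash is elsewhere, are
    returned unchanged."""
    m = _JETSTREAM_SLASH.match(name)
    return m.group(1) + m.group(2) if m else name
```

Apply the Jetstream fix only to requests that come from that NAS (a huntgroup or NAS-IP-Address match): applied globally it would silently eat a genuine slash at position eleven of any user name.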
User-Password
ATTRIBUTE User-Password 2 string
| Users: | L- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | No |
This attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets.
On transmission, the password is hidden rather than encrypted: the hiding depends only on the shared secret and the Request Authenticator, so anyone who knows the shared secret and captures the packet can recover the password. The password is first padded at the end with nulls to a multiple of 16 octets. A one-way MD5 hash is calculated over the concatenation of the shared secret and the Request Authenticator. This value is XORed with the first 16-octet segment of the padded password, and the result is placed in the first 16 octets of the String field of the User-Password attribute.
If the password is longer than 16 octets, a second MD5 hash is calculated over the shared secret followed by the result of the first XOR. That hash is XORed with the second 16-octet segment of the password and placed in the second 16 octets of the String field.
If necessary, this operation is repeated, each XOR result being concatenated with the shared secret to generate the hash for the next segment, for passwords of up to 128 octets.
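The hiding procedure above, carried through in Python as an added example (not GNU Radius code): the chaining is the part that is easy to get wrong, since each hash after the first is computed over the shared secret and the previous ciphertext chunk, not the previous cleartext chunk. The shared secret and Request Authenticator used below are constructed values.

```python
import hashlib

MAX_PASSWORD_OCTETS = 128  # RFC 2865 limit for User-Password


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (an empty password becomes one block)."""
    padded = data + b"\x00" * ((-len(data)) % 16)
    return padded or b"\x00" * 16


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the String field of User-Password from a cleartext password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > MAX_PASSWORD_OCTETS:
        raise ValueError("password longer than 128 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator                    # b1 = MD5(secret + RA)
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = _xor16(padded[i:i + 16], block)
        out += chunk
        prev = chunk                        # b(n) = MD5(secret + c(n-1))
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password, given the same shared secret and Request Authenticator."""
    if len(hidden) == 0 or len(hidden) % 16 != 0:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor16(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk                        # the ciphertext chunk feeds the next hash
    # Trailing NULs are padding; a password that itself ends in NULs cannot be told apart.
    return bytes(out).rstrip(b"\x00")
```

`reveal_password` is exactly what a proxy or a sniffer holding the shared secret does, which is why the secret, not MD5, is the only thing protecting the password on the wire.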
Vendor-Specific
ATTRIBUTE Vendor-Specific 26 string
| Users: | LR |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute is available to allow vendors to support their own extended attributes not suitable for general usage. Its value is structured: a 4-octet Vendor-Id (the vendor's SMI Network Management Private Enterprise Code, with the high octet zero) followed by vendor-defined data, conventionally one or more vendor type, vendor length, value triples.
14.2 Accounting Attributes
These are attributes the NAS sends along with accounting requests. These attributes can not be used in matching rules.
Acct-Authentic
ATTRIBUTE Acct-Authentic 45 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
VALUE Acct-Authentic RADIUS 1
VALUE Acct-Authentic Local 2
VALUE Acct-Authentic Remote 3
This attribute may be included in an Accounting-Request to indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated should not generate accounting records.
Acct-Delay-Time
ATTRIBUTE Acct-Delay-Time 41 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)
Acct-Input-Octets
ATTRIBUTE Acct-Input-Octets 42 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute indicates how many octets have been received from
the port over the course of this service being provided, and can
only be present in Accounting-Request records where
Acct-Status-Type is set to Stop.
Acct-Input-Packets
ATTRIBUTE Acct-Input-Packets 47 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute indicates how many packets have been received from
the port over the course of this service being provided to a
framed user, and can only be present in Accounting-Request records
where Acct-Status-Type is set to Stop.
Acct-Output-Octets
ATTRIBUTE Acct-Output-Octets 43 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute indicates how many octets have been sent to the
port in the course of delivering this service, and can only be
present in Accounting-Request records where Acct-Status-Type
is set to Stop.
Acct-Output-Packets
ATTRIBUTE Acct-Output-Packets 48 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute indicates how many packets have been sent to the
port in the course of delivering this service to a framed user,
and can only be present in Accounting-Request records where
Acct-Status-Type is set to Stop.
Acct-Session-Id
ATTRIBUTE Acct-Session-Id 44 string
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute is a unique accounting ID to make it easy to match
start and stop records in a log file. The start and stop records
for a given session must have the same Acct-Session-Id. An
Accounting-Request packet must have an Acct-Session-Id. An
Access-Request packet may have an Acct-Session-Id; if it does,
then the NAS must use the same Acct-Session-Id in the
Accounting-Request
packets for that session.
Acct-Session-Time
ATTRIBUTE Acct-Session-Time 46 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
This attribute indicates how many seconds the user has received
service for, and can only be present in Accounting-Request records
where Acct-Status-Type is set to Stop.
Acct-Status-Type
ATTRIBUTE Acct-Status-Type 40 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Alive 3
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8
This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It may also be used to mark the start of accounting (for example, upon booting) by specifying Accounting-On, and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.
The value Alive (named Interim-Update in RFC 2866, with the same numeric value 3) marks an interim record carrying the counters accumulated since the initial Start record or the last Alive record.
Acct-Terminate-Cause
ATTRIBUTE Acct-Terminate-Cause 49 integer
| Users: | -- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | N/A |
| Proxy propagated: | N/A |
VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18
This attribute indicates how the session was terminated, and can
only be present in Accounting-Request records where
Acct-Status-Type is set to Stop.
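The rules stated in this section (Start and Stop records share an Acct-Session-Id, every Accounting-Request carries one, Acct-Delay-Time is subtracted from the arrival time to recover the event time, and Acct-Session-Time and the other counters appear only in Stop records) are exactly what an accounting audit checks. The following is an added example, not part of GNU Radius, that runs those checks over a constructed sample in the shape of a detail file: one timestamp line, then indented "Attribute = value" lines, records separated by a blank line. The record layout, the attribute values and the 5-second tolerance are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Attributes the text says may appear only in Stop records.
STOP_ONLY = {"Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets",
             "Acct-Input-Packets", "Acct-Output-Packets", "Acct-Terminate-Cause"}

# Constructed sample: a clean session, an orphan Stop, and a Start carrying a Stop-only attribute.
SAMPLE_DETAIL = """\
Thu Jan 16 10:00:00 2003
    Acct-Status-Type = Start
    Acct-Session-Id = "0000A1B2"
    User-Name = "alice"
    NAS-IP-Address = 192.0.2.10
    Acct-Delay-Time = 0

Thu Jan 16 10:20:05 2003
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000A1B2"
    User-Name = "alice"
    NAS-IP-Address = 192.0.2.10
    Acct-Session-Time = 1200
    Acct-Input-Octets = 1048576
    Acct-Terminate-Cause = User-Request
    Acct-Delay-Time = 5

Thu Jan 16 10:30:00 2003
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000FFFF"
    User-Name = "mallory"
    Acct-Session-Time = 60
    Acct-Terminate-Cause = NAS-Request

Thu Jan 16 10:31:00 2003
    Acct-Status-Type = Start
    Acct-Session-Id = "0000C3D4"
    User-Name = "bob"
    Acct-Session-Time = 99
"""


def parse_detail(text: str) -> list:
    """Parse detail-file records into dicts; the arrival time is stored under "_time"."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"_time": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # quoted string attribute
            elif value.isdigit():
                value = int(value)           # integer attribute
            rec[name] = value
        records.append(rec)
    return records


def audit(records: list, tolerance: int = 5):
    """Pair Start/Stop records by Acct-Session-Id and report inconsistencies.

    Returns (durations, findings): durations maps each closed session to the
    seconds between its Start and Stop events (arrival time minus
    Acct-Delay-Time); findings is a list of (session id, message) tuples.
    """
    open_starts, durations, findings = {}, {}, []
    for rec in records:
        sid = rec.get("Acct-Session-Id")
        status = rec.get("Acct-Status-Type")
        event = rec["_time"] - timedelta(seconds=rec.get("Acct-Delay-Time", 0))
        if sid is None:
            findings.append((None, "record without Acct-Session-Id"))
            continue
        if status == "Start":
            stray = sorted(STOP_ONLY.intersection(rec))
            if stray:
                findings.append((sid, "Stop-only attributes in Start record: " + ", ".join(stray)))
            if sid in open_starts:
                findings.append((sid, "duplicate Start for an open session"))
            open_starts[sid] = event
        elif status == "Stop":
            start = open_starts.pop(sid, None)
            if start is None:
                findings.append((sid, "Stop without matching Start"))
                continue
            measured = int((event - start).total_seconds())
            durations[sid] = measured
            claimed = rec.get("Acct-Session-Time")
            if claimed is not None and abs(claimed - measured) > tolerance:
                findings.append((sid, f"Acct-Session-Time {claimed} disagrees with measured {measured}"))
    for sid in open_starts:
        findings.append((sid, "Start without Stop (session still open)"))
    return durations, findings
```

A Stop that was never preceded by a Start, or a Start that carries Acct-Session-Time, is either a NAS bug or a forged accounting packet; both are worth an alert rather than a silent row in the log.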
14.3 Radius Internal Attributes
These are attributes used by GNU Radius during the processing of a request. They are never returned to the NAS. Mostly, they are used in matching rules.
Acct-Ext-Program
ATTRIBUTE Acct-Ext-Program 2008 string
| Users: | -- |
| Hints: | -R |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | N/A |
The Acct-Ext-Program attribute can be used in the RHS of a `raddb/hints' entry to require the execution of an external accounting program or filter. If the attribute value starts with a vertical bar (`|'), the attribute names the filter program to be used. If it starts with a slash (`/'), it is understood as the full pathname and arguments of the external program to be executed. Any other first character is an error.
The command line can reference any attributes from both the check and reply pair lists using attribute macros (see section 5.14 Macro Substitution). Attribute values such as User-Name originate from the NAS and ultimately from the user, so the program must treat its arguments as untrusted input.
Before the execution of the program, radiusd switches to the
uid and gid of the user daemon and the group daemon. You can
override these defaults by setting variables exec-program-user
and exec-program-group in configuration file to proper values
(see section The option statement).
The accounting program must exit with status 0 to indicate a successful accounting.
Acct-Type
ATTRIBUTE Acct-Type 2003 integer
| Users: | L- |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Append |
| Proxy propagated: | N/A |
VALUE Acct-Type None 0
VALUE Acct-Type System 1
VALUE Acct-Type Detail 2
VALUE Acct-Type SQL 3
The Acct-Type allows one to control which accounting methods
must be used for a given user or group of users. In the absence
of this attribute, all currently enabled accounting types are used.
See section 8. Accounting, for more information about accounting types.
Auth-Failure-Trigger
This attribute specifies an external program or a Scheme expression to be run upon an authentication failure. The handling of this attribute depends upon its value:
If the value of Auth-Failure-Trigger begins with `/', it is taken to contain a command line for invoking an external program. In this case radiusd invokes the program much the same way it does when handling the Exec-Program attribute, i.e. the program is invoked with standard input closed, its standard output and standard error are captured and redirected to the `radlog/radius.stderr' file, and the return value of the program is ignored.
If the value of Auth-Failure-Trigger begins with `(', it is executed as a Scheme expression. The return value of the expression is ignored.
This attribute is designed as a means to provide special handling for authentication failures. It can be used, for example, to increase failure counters and to block accounts after a specified number of authentication failures occurs. Because the return value is ignored, the trigger itself cannot reject a request; the blocking must be enforced on the authentication path, for example by a check that consults the same counter. See section 7.10 Controlling Authentication Probes, for the detailed discussion of its usage.
There is no corresponding Auth-Success-Trigger. Exec-Program or Scheme-Procedure may be used for the purpose; the latter, however, is not able to execute s-exps. At the time of this writing the release 1.3 is being prepared, so I do not want to introduce any possibly destabilizing changes. This will be fixed in future releases.
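An added example of a trigger program of the kind the section describes, written in Python and not taken from GNU Radius or its documentation. It keeps a per-user file of recent failure timestamps, reports how many fall inside a sliding window, and exposes a companion check that an authentication-path program (for instance one run through Exec-Program-Wait) can consult, since the trigger's own return value is ignored. The invocation `Auth-Failure-Trigger = "/usr/local/sbin/failcount %C{User-Name}"`, the state directory, the 900-second window and the threshold of 5 are all assumptions of this example.

```python
import os
import sys
import tempfile
import time
from typing import Optional, Tuple

WINDOW = 900    # seconds a failure stays relevant (assumed policy)
THRESHOLD = 5   # failures within WINDOW that lock the account (assumed policy)


def _state_path(state_dir: str, user: str) -> str:
    # User-Name comes from the NAS, so it is attacker-controlled: map it to a
    # safe file name and prefix it, so that "..", "/" or an empty name cannot
    # point outside state_dir.
    safe = "".join(c if c.isalnum() or c in "._@-" else "_" for c in user)[:64]
    return os.path.join(state_dir, "u_" + safe)


def _recent(path: str, now: float, window: int) -> list:
    """Timestamps on file for this user that are still inside the window."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        stamps = [float(x) for x in f.read().split()]
    return [t for t in stamps if now - t < window]


def record_failure(state_dir: str, user: str, now: Optional[float] = None,
                   window: int = WINDOW, threshold: int = THRESHOLD) -> Tuple[int, bool]:
    """Add one failure for `user`; return (failures in window, locked out?)."""
    now = time.time() if now is None else now
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    path = _state_path(state_dir, user)
    stamps = _recent(path, now, window) + [now]
    with open(path, "w") as f:          # expired entries are dropped on rewrite
        f.write("\n".join(repr(t) for t in stamps))
    return len(stamps), len(stamps) >= threshold


def is_locked(state_dir: str, user: str, now: Optional[float] = None,
              window: int = WINDOW, threshold: int = THRESHOLD) -> bool:
    """Companion check for the authentication path; reads the same state, writes nothing."""
    now = time.time() if now is None else now
    return len(_recent(_state_path(state_dir, user), now, window)) >= threshold


def fresh_state_dir() -> str:
    """A throwaway state directory for trying the functions out."""
    return tempfile.mkdtemp(prefix="radius-failcount-")


if __name__ == "__main__":
    # Run as the trigger program: argv[1] is the expanded %C{User-Name}.
    # Anything printed lands in radlog/radius.stderr, as the text describes.
    count, locked = record_failure("/var/lib/radius/failures", sys.argv[1])
    print(f"{sys.argv[1]}: {count} recent failures{' (locked)' if locked else ''}",
          file=sys.stderr)
```

The file rewrite is not locked against a concurrent trigger for the same user; a production version would take a file lock or use a database, but the sliding window and the untrusted-name handling are the parts that matter for the lockout logic.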
Auth-Data
ATTRIBUTE Auth-Data 2006 string
| Users: | L- |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Replace |
| Proxy propagated: | N/A |
The Auth-Data attribute can be used to pass additional data to the authentication methods that need them. In version 1.3 of GNU Radius, this attribute may be used in conjunction with the SQL and Pam authentication types. When used with the Pam authentication type, this attribute holds the name of the PAM service to use. The attribute is temporarily appended to the authentication request, so its value can be referenced as %C{Auth-Data}.
See section 5.11.2 Authentication Server Parameters, for an example of using the Auth-Data attribute in `raddb/sqlserver'.
Auth-Type
ATTRIBUTE Auth-Type 1000 integer
| Users: | L- |
| Hints: | -R |
| Huntgroups: | -R |
| Additivity: | Append |
| Proxy propagated: | No |
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
VALUE Auth-Type SQL 252
VALUE Auth-Type Pam 253
VALUE Auth-Type Accept 254
This attribute tells the server which type of authentication to apply to a particular user. It can be used in the LHS of the user's profile (see section 7. Authentication.)
Radius interprets the values of the Auth-Type attribute as follows:
Local
    The User-Password attribute from the record is taken as a cleartext password and is compared against the User-Password value from the input packet. Since this keeps the password in cleartext in the users file, prefer Crypt-Local where possible.
System
    The user is authenticated against the system password database, as for a system login.
Crypt-Local
    The User-Password attribute from the record is taken as an MD5 hash of the user's password. Radius generates the MD5 hash of the supplied User-Password value and compares the two strings.
Reject
    Authentication always fails.
Accept
    Authentication always succeeds, whatever password is supplied.
SQL
    The user is authenticated against an SQL database (see section 5.11.2 Authentication Server Parameters); Auth-Data may be used to pass additional data to the query.
Mysql
    Mysql is an alias for SQL maintained for compatibility with other versions of Radius.
Pam
    The user is authenticated through PAM; the PAM service name may be supplied in the Auth-Data attribute.
Crypt-Password
ATTRIBUTE Crypt-Password 1006 string
| Users: | L- |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Append |
| Proxy propagated: | No |
This attribute is intended to be used in user's profile LHS.
It specifies the MD5 hash of the user's password. When this attribute
is present, Auth-Type = Crypt-Local is assumed. If both Auth-Type
and Crypt-Password are present, the value of Auth-Type is
ignored.
See section 14.3.5 Auth-Type.
Exec-Program-Wait
ATTRIBUTE Exec-Program-Wait 1039 string
| Users: | -R |
| Hints: | -- |
| Huntgroups: | -- |
| Additivity: | Replace |
| Proxy propagated: | No |
When present in the RHS, the Exec-Program-Wait attribute specifies
the program to be executed when the entry matches. If the attribute
value string starts with vertical bar (`|'), then the attribute
specifies the filter program to be used. If it starts with
slash (`/'), then it is understood as the full
pathname and arguments for the external program to be executed. Using
any other character as the start of this string results in error.
14.3.7.1 Running an External Program
14.3.7.2 Using an External Filter
14.3.7.1 Running an External Program
The command line can reference any attributes from both the check and reply pair lists using attribute macros (see section 5.14 Macro Substitution). The expanded values come from the request, so the program must treat its arguments as untrusted input.
Before the execution of the program, radiusd switches to the uid and gid of the user daemon and the group daemon. You can override these defaults by setting the variables exec-program-user and exec-program-group in the configuration file to proper values (see section The option statement).
The daemon waits until the program terminates. The exit status determines whether the entry matches: if the program exits with a nonzero code, the match fails; if it exits with a zero code, the match succeeds. In the latter case the standard output of the program is read and parsed as if it were a pair list, and the attributes thus obtained are added to the entry's reply attributes.
Suppose the `users' file contains the following entry:
DEFAULT Auth-Type = System,
        Simultaneous-Use = 1
        Exec-Program-Wait = "/usr/local/sbin/telauth \
                             %C{User-Name} \
                             %C{Calling-Station-Id}"
Then, upon successful matching, the program
`/usr/local/sbin/telauth' will be executed. It will get as its
arguments the values of the User-Name and Calling-Station-Id
attributes from the request pairs.
The `/usr/local/sbin/telauth' can, for example, contain the following:
#! /bin/sh
# Look up "username:caller-id" (passed as $1 and $2) in the authorization list.
DB=/var/db/userlist
# -q keeps the matched line off stdout, which radiusd parses as a pairlist;
# -F and -x make this an exact whole-line string comparison, so a User-Name or
# Calling-Station-Id containing regex metacharacters (such as ".*") cannot
# match every line; -- stops a value starting with "-" being taken as an option.
if grep -qxF -- "$1:$2" "$DB"; then
    echo "Service-Type = Login,"
    echo "Session-Timeout = 1200"
    exit 0
else
    echo "Reply-Message = \"You are not authorized to log in\""
    exit 1
fi
It is assumed that `/var/db/userlist' contains a list of
username:caller-id pairs, one per line, for those users that are
authorized to use the login service.
14.3.7.2 Using an External Filter
If the value of the Exec-Program-Wait attribute begins with `|',
radiusd strips this character from the value and uses the rest of
the string as the name of a predefined external filter. Such a filter
must be declared in `raddb/config' (see section 5.1.10 filters
statement). For example, let the `users' file contain:
DEFAULT Auth-Type = System,
        Simultaneous-Use = 1
        Exec-Program-Wait = "|myfilter"
and let the `raddb/config' contain the following:
filters {
    filter myfilter {
        exec-path "/usr/libexec/myfilter";
        error-log "myfilter.log";
        auth {
            input-format "%C{User-Name} %C{Calling-Station-Id}";
            wait-reply yes;
        };
    };
};
Then, when the entry matches, /usr/libexec/myfilter is invoked, unless
it has already been started for this thread, in which case the running
instance is reused. Any output it sends to its standard error is
redirected to the file `myfilter.log' in the current logging
directory. A line consisting of the user's login name and calling
station ID, followed by a newline, is sent to the program, and radiusd
waits for its reply (wait-reply yes). As the sample below shows, the
filter answers each request with one line: a status number (0 for a
successful match, 1 for a failed one, mirroring the exit status of an
external program) followed by an optional pairlist.
The following is a sample /usr/libexec/myfilter written
in the shell:
#! /bin/sh
# Persistent filter: one request per input line, one reply line per request.
DB=/var/db/userlist
while read -r NAME CLID
do
    # Use the values just read, not $1/$2: the filter gets no arguments.
    # -q keeps grep's own output off stdout, which carries the reply line;
    # -x and -F make the lookup an exact string comparison, not a regex search.
    if grep -qxF -- "$NAME:$CLID" "$DB"; then
        echo "0 Service-Type = Login, Session-Timeout = 1200"
    else
        echo "1 Reply-Message = \"You are not authorized to log in\""
    fi
done
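The following emulation of the Exec-Program-Wait rules from 14.3.7.1 and of the filter reply line from 14.3.7.2 is an added example; it is not code from GNU Radius or from this manual. It does what the two sections describe: expands %C{...} macros from the request pairs, runs the program, fails the match on a nonzero exit status, parses standard output as a pairlist on success, and splits a filter reply into a status number and a pairlist. The pairlist grammar (pairs separated by commas or newlines, double-quoted string values), the whitespace splitting of the expanded command line, the Python stand-ins telauth and leaky_telauth, and the REQUEST and USERLIST data are assumptions made for the demonstration; radiusd itself may differ in details.

```python
"""Emulation of radiusd's Exec-Program-Wait and filter conventions (added example)."""
import re

# Constructed request pairs standing in for the request being authenticated.
REQUEST = {"User-Name": "johns", "Calling-Station-Id": "5551234"}

# Constructed stand-in for /var/db/userlist: the authorized "username:caller-id" lines.
USERLIST = {"johns:5551234", "smith:5554321"}

# Only the %C{Attr} macro form used on this page is modelled.
MACRO = re.compile(r"%C\{([A-Za-z0-9-]+)\}")

def expand_macros(command, request):
    """Replace %C{Attr} with the attribute's value from the request pairs."""
    def sub(m):
        name = m.group(1)
        if name not in request:
            raise KeyError("request carries no %s attribute" % name)
        return request[name]
    return MACRO.sub(sub, command)

# One "Attr = value" pair: the value is a double-quoted string or a bare token,
# and pairs are separated by commas and/or newlines (assumed grammar).
PAIR = re.compile(r'\s*([A-Za-z0-9-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\n]*?)\s*(?:,|\n|$)')

def parse_pairlist(text):
    """Parse program output into [(attr, value), ...].  Anything that is not a
    pair, such as a matched line leaked to stdout by an unquieted grep, is an error."""
    pairs, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = PAIR.match(text, pos)
        if m is None:
            raise ValueError("not an attribute pair at: %r" % text[pos:pos + 40])
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        pairs.append((m.group(1), value))
        pos = m.end()
    return pairs

def parse_filter_reply(line):
    """A filter answers one line per request: a status number, then an optional
    pairlist, e.g. '0 Service-Type = Login, Session-Timeout = 1200'."""
    m = re.match(r"\s*(\d+)\s*(.*)$", line, re.S)
    if m is None:
        raise ValueError("malformed filter reply: %r" % line)
    return int(m.group(1)), parse_pairlist(m.group(2))

def telauth(argv):
    """Python stand-in for the page's /usr/local/sbin/telauth: argv[1] is the
    User-Name, argv[2] the Calling-Station-Id; returns (exit status, stdout).
    The lookup is an exact membership test, never a regex search on user input."""
    if len(argv) != 3:
        return 2, ""
    if "%s:%s" % (argv[1], argv[2]) in USERLIST:
        return 0, "Service-Type = Login,\nSession-Timeout = 1200\n"
    return 1, 'Reply-Message = "You are not authorized to log in"\n'

def leaky_telauth(argv):
    """What a script whose grep is not quieted would produce: the matched
    userlist line reaches stdout ahead of the pairs."""
    return 0, "johns:5551234\nService-Type = Login\n"

def run_exec_program_wait(command, request, reply, program=telauth):
    """Apply the page's rules: expand macros, run the program, fail the match on
    a nonzero exit status, otherwise append the parsed stdout to the reply.
    Returns (matched, reply_pairs, rejected_pairs); rejected_pairs is whatever
    the program printed on a nonzero exit (the page's scripts print a
    Reply-Message there) for the caller to use or drop."""
    argv = expand_macros(command, request).split()  # assumption: whitespace-split argv
    status, out = program(argv)
    try:
        pairs = parse_pairlist(out)
    except ValueError:
        return False, list(reply), []   # unparsable output: treat as a failed match
    if status != 0:
        return False, list(reply), pairs
    return True, list(reply) + pairs, []

COMMAND = "/usr/local/sbin/telauth %C{User-Name} %C{Calling-Station-Id}"

if __name__ == "__main__":
    print(run_exec_program_wait(COMMAND, REQUEST, []))
    print(run_exec_program_wait(COMMAND, {"User-Name": "jane", "Calling-Station-Id": "5550000"}, []))
    print(run_exec_program_wait(COMMAND, REQUEST, [], program=leaky_telauth))
    print(parse_filter_reply("0 Service-Type = Login, Session-Timeout = 1200"))
```

The leaky_telauth run shows why the grep in the page's scripts has to be quieted: a single non-pair line on stdout makes the whole output unparsable, and an authorized user ends up rejected instead of getting Service-Type and Session-Timeout.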
Exec-Program
ATTRIBUTE Exec-Program 1038 string |
| Users: | -R |
|
| Hints: | -- |
|
| Huntgroups: | -- |
|
| Additivity: | Replace | |
| Proxy propagated: | No |
When present in the RHS, the Exec-Program attribute specifies
the full pathname and arguments of the program to be executed when the
entry matches.
The command line can reference any attributes from both the check and the reply pairlists using attribute macros (see section 5.14 Macro Substitution).
Before executing the program, radiusd switches to the uid and gid of
the user daemon and the group daemon. You can override these defaults
by setting the variables exec-program-user and exec-program-group in
the configuration file (see section The option statement).
Unlike Exec-Program-Wait, the daemon does not wait for the process to
terminate, so the program's exit status and output cannot influence the
match or the reply. Use Exec-Program for side effects such as logging,
and Exec-Program-Wait when the result must be checked.
Suppose the `users' file contains the following entry:
DEFAULT Auth-Type = System,
        Simultaneous-Use = 1
        Exec-Program = "/usr/local/sbin/logauth \
                        %C{User-Name} \
                        %C{Calling-Station-Id}"
Then, upon successful matching, the program
`/usr/local/sbin/logauth' will be executed. It will get as its
arguments the values of the User-Name and Calling-Station-Id
attributes from the request pairs.
Fall-Through
ATTRIBUTE Fall-Through 1036 integer |
| Users: | LR |
|
| Hints: | LR |
|
| Huntgroups: | -- |
|
| Additivity: | Append | |
| Proxy propagated: | No |
VALUE Fall-Through No 0
VALUE Fall-Through Yes 1
The Fall-Through attribute should be used in the reply list.
If its value is Yes in a particular record, Radius continues
looking up subsequent records even though the record at hand
matches the request. It can be used to supply default values
shared by several profiles.
Consider the following example. Let's suppose the `users' file contains the following:
johns   Auth-Type = SQL
        Framed-IP-Address = 11.10.10.251,
        Fall-Through = Yes

smith   Auth-Type = SQL
        Framed-IP-Address = 11.10.10.252,
        Fall-Through = Yes

DEFAULT NAS-IP-Address = 11.10.10.1
        Service-Type = Framed-User,
        Framed-Protocol = PPP
Then, after a particular user's record has matched, matching
continues until the DEFAULT entry is reached. Because its LHS
contains NAS-IP-Address = 11.10.10.1, it matches only requests
coming from that NAS; when it matches, its RHS is added to the reply
pairs for the request. The effect is that, if user `johns'
authenticates successfully from that NAS, she gets the following
reply pairs:
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 11.10.10.251
whereas user smith gets
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 11.10.10.252
Note that the attribute Fall-Through itself
is never returned to the NAS.
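The following emulation of the lookup just described is an added example, not GNU Radius code. It walks the entries of the page's `users' example in file order, collects the reply pairs of every matching entry, stops after the first match unless that entry carries Fall-Through = Yes, and never emits Fall-Through itself. The USERS data mirrors the page's example; the matching rule (a named entry matches only that User-Name, DEFAULT matches any user, every other check item must equal the request attribute of the same name) and the treatment of Auth-Type as a method selector that is skipped during comparison are simplifications assumed here.

```python
"""Emulation of users-file lookup with Fall-Through (added example, not GNU Radius code)."""

# Constructed entries mirroring the page's example: (name, check pairs, reply pairs).
USERS = [
    ("johns", {"Auth-Type": "SQL"},
     [("Framed-IP-Address", "11.10.10.251"), ("Fall-Through", "Yes")]),
    ("smith", {"Auth-Type": "SQL"},
     [("Framed-IP-Address", "11.10.10.252"), ("Fall-Through", "Yes")]),
    ("DEFAULT", {"NAS-IP-Address": "11.10.10.1"},
     [("Service-Type", "Framed-User"), ("Framed-Protocol", "PPP")]),
]

# Check items that select how to authenticate rather than what to compare
# against the request (simplification: they are skipped during matching).
INTERNAL_CHECK = {"Auth-Type"}

def entry_matches(name, check, request):
    """A named entry matches only that User-Name; DEFAULT matches any user.
    Every other check item must equal the corresponding request attribute."""
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    return all(request.get(attr) == value
               for attr, value in check.items() if attr not in INTERNAL_CHECK)

def lookup(request, users=USERS):
    """Walk the entries in file order, collecting reply pairs from each match,
    and stop after the first match unless it carries Fall-Through = Yes.
    Returns (matched, reply_pairs); Fall-Through itself is never returned."""
    matched, reply = False, []
    for name, check, reply_pairs in users:
        if not entry_matches(name, check, request):
            continue
        matched, fall_through = True, False
        for attr, value in reply_pairs:
            if attr == "Fall-Through":
                fall_through = (value == "Yes")
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return matched, reply

def without_fall_through(users):
    """The same entries with Fall-Through removed, to show the difference."""
    return [(name, check, [p for p in reply if p[0] != "Fall-Through"])
            for name, check, reply in users]

if __name__ == "__main__":
    for user, nas in (("johns", "11.10.10.1"), ("smith", "11.10.10.1"),
                      ("johns", "11.10.10.2"), ("nobody", "11.10.10.1")):
        print(user, nas, lookup({"User-Name": user, "NAS-IP-Address": nas}))
    print("no Fall-Through:",
          lookup({"User-Name": "johns", "NAS-IP-Address": "11.10.10.1"},
                 without_fall_through(USERS)))
```

Two things the page's prose does not spell out fall out of running it: a request from a NAS other than 11.10.10.1 gets only the Framed-IP-Address, because the DEFAULT entry's own check item does not match, and file order matters, since a DEFAULT entry without Fall-Through placed before the named entries would stop the search before they are ever examined.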
Group
ATTRIBUTE Group 1005 string |
| Users: | L- |
|
| Hints: | L- |
|
| Huntgroups: | LR |
|
| Additivity: | Append | |
| Proxy propagated: | No |
Hint
ATTRIBUTE Hint 1040 string |
| Users: | L- |
|
| Hints: | -R |
|
| Huntg |