[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

13.1 Authentication Attributes

These are the attributes the NAS uses in authentication packets and expects to get back in authentication replies. These can be used in matching rules.



13.1.1 CHAP-Password

 
ATTRIBUTE CHAP-Password 3 string

Users:            L-
Hints:            --
Huntgroups:       --
Additivity:       N/A
Proxy propagated: No

This attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets.

The CHAP challenge value is found in the CHAP-Challenge attribute (60) if present in the packet, otherwise in the request authenticator field.
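The challenge-selection rule above, worked through as a server-side check (an added example, not GNU Radius code; the CHAP response layout, one identifier octet followed by MD5(ident || password || challenge), is the RFC 1994 format the attribute carries, and the attribute numbers are those of the dictionary entries on this page):

```python
import hashlib
import hmac
from typing import Dict, Optional

CHAP_PASSWORD = 3    # attribute numbers from the dictionary above
CHAP_CHALLENGE = 60


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the 17-octet CHAP-Password value a PPP peer produces:
    one octet of CHAP identifier, then MD5(ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_challenge_for(attrs: Dict[int, bytes], request_authenticator: bytes) -> bytes:
    """Locate the challenge as the manual describes: CHAP-Challenge (60) when
    present, otherwise the 16-octet Request Authenticator of the packet."""
    challenge = attrs.get(CHAP_CHALLENGE)
    if challenge is not None:
        return challenge
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    return request_authenticator


def verify_chap(attrs: Dict[int, bytes], request_authenticator: bytes,
                cleartext_password: bytes) -> bool:
    """Check an Access-Request carrying CHAP-Password (3). The server must hold
    the user's cleartext password, since the response has to be recomputed."""
    chap_password = attrs.get(CHAP_PASSWORD)
    if chap_password is None or len(chap_password) != 17:
        return False
    challenge = chap_challenge_for(attrs, request_authenticator)
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    # constant-time comparison so the check does not leak where the digest diverges
    return hmac.compare_digest(expected, chap_password)
```

The `attrs` dictionary stands in for the decoded attribute list of one Access-Request; a real server would populate it from the packet.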



13.1.2 Callback-Id

 
ATTRIBUTE Callback-Id 20 string

Users:            -R
Hints:            --
Huntgroups:       --
Additivity:       Replace
Proxy propagated: No

This attribute indicates the name of a place to be called, to be interpreted by the NAS. It may be used in Access-Accept packets.



13.1.3 Callback-Number

 
ATTRIBUTE Callback-Number 19 string

Users:            -R
Hints:            --
Huntgroups:       --
Additivity:       Replace
Proxy propagated: No

This attribute indicates a dialing string to be used for callback. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.



13.1.4 Called-Station-Id

 
ATTRIBUTE Called-Station-Id 30 string

Users:            L-
Hints:            -R
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.



13.1.5 Calling-Station-Id

 
ATTRIBUTE Calling-Station-Id 31 string

Users:            L-
Hints:            -R
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using automatic number identification (ANI) or similar technology. It is only used in Access-Request packets.



13.1.6 Class

 
ATTRIBUTE Class 25 string

Users:            LR
Hints:            LR
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported.



13.1.7 Framed-Compression

 
ATTRIBUTE Framed-Compression 13 integer

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Replace
Proxy propagated: Yes

 
VALUE      Framed-Compression  None                 0       
VALUE      Framed-Compression  Van-Jacobson-TCP-IP  1       

This attribute indicates a compression protocol to be used for the link. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.

More than one compression protocol attribute may be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.



13.1.8 Framed-IP-Address

 
ATTRIBUTE Framed-IP-Address 8 ipaddr

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Replace
Proxy propagated: No

This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.

The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user's IP.

When used in a RHS, the value of this attribute can optionally be followed by a plus sign. This usage means that the value of NAS-Port-Id must be added to this IP before replying. For example,

 
        Framed-IP-Address = 10.10.0.1+
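The special values and the trailing plus sign described above, resolved in one helper (an added example, not GNU Radius code). The manual does not say how the addition is carried out; this example assumes plain 32-bit integer addition, so a port number that pushes the last octet past 255 carries into the next octet, and it refuses results that would land on the reserved values.

```python
import ipaddress
from typing import Tuple

# Special Framed-IP-Address values defined on this page
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")  # 0xFFFFFFFF
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")   # 0xFFFFFFFE


def resolve_framed_ip(rhs_value: str, nas_port_id: int) -> Tuple[str, ipaddress.IPv4Address]:
    """Turn a Framed-IP-Address right-hand-side value from the users file into
    the address for the Access-Accept. Returns (mode, address) with mode one of
    'user-selects', 'nas-selects' or 'fixed'."""
    text = rhs_value.strip()
    add_port = text.endswith("+")
    base = ipaddress.IPv4Address(text[:-1] if add_port else text)
    if add_port:
        if nas_port_id < 0:
            raise ValueError("NAS-Port-Id must be non-negative")
        # ASSUMPTION: 32-bit addition, so the port number carries across octets
        total = int(base) + nas_port_id
        if total >= int(NAS_SELECTS):
            raise ValueError("address + NAS-Port-Id overflows or hits a reserved value")
        return "fixed", ipaddress.IPv4Address(total)
    if base == USER_SELECTS:
        return "user-selects", base
    if base == NAS_SELECTS:
        return "nas-selects", base
    return "fixed", base
```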


13.1.9 Framed-IP-Netmask

 
ATTRIBUTE Framed-IP-Netmask 9 ipaddr

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Replace
Proxy propagated: No

This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.



13.1.10 Framed-MTU

 
ATTRIBUTE Framed-MTU 12 integer

Users:            LR
Hints:            -R
Huntgroups:       -R
Additivity:       Replace
Proxy propagated: Yes

This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.



13.1.11 Framed-Protocol

 
ATTRIBUTE Framed-Protocol 7 integer

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Replace
Proxy propagated: Yes

 
VALUE      Framed-Protocol   PPP                  1       
VALUE      Framed-Protocol   SLIP                 2       

This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets.



13.1.12 Framed-Route

 
ATTRIBUTE Framed-Route 22 string

Users:            -R
Hints:            --
Huntgroups:       --
Additivity:       Replace
Proxy propagated: No

This attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.



13.1.13 Framed-Routing

 
ATTRIBUTE Framed-Routing 10 integer

Users:            -R
Hints:            -R
Huntgroups:       -R
Additivity:       Replace
Proxy propagated: No

 
VALUE      Framed-Routing    None                 0       
VALUE      Framed-Routing    Broadcast            1       
VALUE      Framed-Routing    Listen               2       
VALUE      Framed-Routing    Broadcast-Listen     3       

This attribute indicates the routing method for the user when the user is a router to a network. It is only used in Access-Accept packets.



13.1.14 Idle-Timeout

 
ATTRIBUTE Idle-Timeout 28 integer

Users:            -R
Hints:            --
Huntgroups:       --
Additivity:       Replace
Proxy propagated: Yes

This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.



13.1.15 NAS-IP-Address

 
ATTRIBUTE NAS-IP-Address 4 ipaddr

Users:            L-
Hints:            -R
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute indicates the identifying IP address of the NAS which is requesting authentication of the user. It is only used in Access-Request packets. Each Access-Request packet should contain either a NAS-IP-Address or a NAS-Identifier attribute (see section NAS-Identifier).



13.1.16 NAS-Identifier

 
ATTRIBUTE NAS-Identifier 32 string

Users:            L-
Hints:            -R
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute contains a string identifying the NAS originating the access request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier should be present in an Access-Request packet.

See section NAS-IP-Address.



13.1.17 NAS-Port-Id

 
ATTRIBUTE NAS-Port-Id 5 integer

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute indicates the physical port number of the NAS that is authenticating the user. It is only used in Access-Request packets. Note that here we are using “port” in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number.

Some NASes try to encode various information in the NAS-Port-Id attribute value. For example, the MAX Ascend terminal server constructs NAS-Port-Id by concatenating the line type (one digit), the line number (two digits), and the channel number (two digits), thus producing a five-digit port number. In order to normalize such encoded port numbers we recommend using a rewrite function (see section Rewrite functions — ‘raddb/rewrite’). A rewrite function for MAX Ascend servers is provided in the distribution.



13.1.18 NAS-Port-Type

 
ATTRIBUTE NAS-Port-Type 61 integer

Users:            --
Hints:            --
Huntgroups:       --
Additivity:       Append
Proxy propagated: No

 
VALUE      NAS-Port-Type     Async                0       
VALUE      NAS-Port-Type     Sync                 1       
VALUE      NAS-Port-Type     ISDN                 2       
VALUE      NAS-Port-Type     ISDN-V120            3       
VALUE      NAS-Port-Type     ISDN-V110            4       

This attribute indicates the type of the physical port of the NAS that is authenticating the user. It can be used instead of or in addition to the NAS-Port-Id attribute (see section NAS-Port-Id). It is only used in Access-Request packets. Either NAS-Port-Id or NAS-Port-Type or both should be present in an Access-Request packet, if the NAS differentiates among its ports.



13.1.19 Reply-Message

 
ATTRIBUTE Reply-Message 18 string

Users:            -R
Hints:            --
Huntgroups:       --
Additivity:       Append
Proxy propagated: Yes

This attribute indicates text that may be displayed to the user.

When used in an Access-Accept, it is the success message.

When used in an Access-Reject, it is the failure message. It may indicate a dialog message to prompt the user before another Access-Request attempt.

When used in an Access-Challenge, it may indicate a dialog message to prompt the user for a response.

Multiple Reply-Message attributes may be included, and if any are displayed, they must be displayed in the same order as they appear in the packet.



13.1.20 Service-Type

 
ATTRIBUTE Service-Type 6 integer

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Replace
Proxy propagated: Yes

 
VALUE      Service-Type      Login-User           1       
VALUE      Service-Type      Framed-User          2       
VALUE      Service-Type      Callback-Login-User  3       
VALUE      Service-Type      Callback-Framed-User 4       
VALUE      Service-Type      Outbound-User        5       
VALUE      Service-Type      Administrative-User  6       
VALUE      Service-Type      NAS-Prompt-User      7       
VALUE      Service-Type      Authenticate-Only    8       
VALUE      Service-Type      Call-Check           10      

This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets.

When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated.

When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service.

The meaning of various service types is as follows:

Login-User

The user should be connected to a host.

Framed-User

A framed protocol, such as PPP or SLIP, should be started for the user. The Framed-IP-Address attribute (see section Framed-IP-Address) will supply the IP to be used.

Callback-Login-User

The user should be disconnected and called back, then connected to a host.

Callback-Framed-User

The user should be disconnected and called back; then a framed protocol, such as PPP or SLIP, should be started for the user.

Outbound-User

The user should be granted access to outgoing devices.

Administrative-User

The user should be granted access to the administrative interface to the NAS, from which privileged commands can be executed.

NAS-Prompt-User

The user should be provided a command prompt on the NAS, from which nonprivileged commands can be executed.

Authenticate-Only

Only authentication is requested, and no authorization information needs to be returned in the Access-Accept.

Call-Check
Callback-NAS-Prompt

The user should be disconnected and called back, then provided a command prompt on the NAS, from which nonprivileged commands can be executed.



13.1.21 Session-Timeout

 
ATTRIBUTE Session-Timeout 27 integer

Users:            -R
Hints:            --
Huntgroups:       --
Additivity:       Replace
Proxy propagated: Yes

This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.



13.1.22 State

 
ATTRIBUTE State 24 string

Users:            LR
Hints:            LR
Huntgroups:       LR
Additivity:       Append
Proxy propagated: No

This attribute is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

This attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action attribute with the value RADIUS-Request. If the NAS performs the termination action by sending a new Access-Request upon termination of the current session, it must include the State attribute unchanged in that Access-Request.

In either usage, no interpretation by the client should be made. A packet may have only one State attribute.



13.1.23 Termination-Action

 
ATTRIBUTE Termination-Action 29 integer

Users:            LR
Hints:            -R
Huntgroups:       -R
Additivity:       Replace
Proxy propagated: No

 
VALUE      Termination-Action  Default              0       
VALUE      Termination-Action  RADIUS-Request       1       

This attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.



13.1.24 User-Name

 
ATTRIBUTE User-Name 1 string

Users:            LR
Hints:            -R
Huntgroups:       LR
Additivity:       Replace
Proxy propagated: Yes

This attribute indicates the name of the user to be authenticated or accounted. It is used in Access-Request and Accounting-Request packets. The length of the user name is usually limited by some arbitrary value. By default, Radius supports user names up to 32 characters long. This value can be modified by redefining the RUT_USERNAME macro in the ‘include/radutmp.h’ file in the distribution directory and recompiling the program.

Some NASes have peculiarities about sending long user names. For example, the Specialix Jetstream 8500 24-port access server inserts a ‘/’ character after the 10th character if the user name is longer than 10 characters. In such cases, we recommend applying rewrite functions in order to bring the user name to its normal form (see section Rewrite functions — ‘raddb/rewrite’).



13.1.25 User-Password

 
ATTRIBUTE User-Password 2 string

Users:            L-
Hints:            --
Huntgroups:       --
Additivity:       N/A
Proxy propagated: No

This attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets.

On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the request authenticator. This value is XORed with the first 16-octet segment of the password and placed in the first 16 octets of the String field of the User-Password attribute.

If the password is longer than 16 characters, a second one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the result of the first XOR. That hash is XORed with the second 16-octet segment of the password and placed in the second 16 octets of the String field of the User-Password attribute.

If necessary, this operation is repeated, with each XOR result being used along with the shared secret to generate the next hash to XOR the next segment of the password, up to no more than 128 characters.
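The hiding procedure above, carried through in both directions (an added example, not GNU Radius code): the client side pads and chains the MD5/XOR blocks, and the server side reverses it, which works because every hash after the first depends only on the shared secret and the previous hidden block, never on the plaintext.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Produce the String field of User-Password (2): pad with NULs to a
    multiple of 16 octets, then XOR each segment with MD5(secret || previous
    block), the first 'previous block' being the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    # an empty password still produces one all-NUL block
    padded = password + b"\x00" * ((-len(password)) % 16) if password else b"\x00" * 16
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += block
        prev = block  # the next hash chains on the XOR result, not on the plaintext
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server-side inverse: recompute each digest from the secret and the
    previous hidden block, XOR it back out, then drop the NUL padding."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden password must be 16..128 octets, a multiple of 16")
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(h ^ d for h, d in zip(block, digest))
        prev = block
    # padding is stripped; a password that itself ends in NUL cannot be told apart from padding
    return bytes(plain).rstrip(b"\x00")
```

Note that this is a reversible XOR stream keyed by the shared secret, so the strength of that secret and the unpredictability of the Request Authenticator are all that protect the password in transit.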



13.1.26 Vendor-Specific


 
ATTRIBUTE Vendor-Specific 26 string

Users:            LR
Hints:            -R
Huntgroups:       -R
Additivity:       Append
Proxy propagated: No

This attribute is available to allow vendors to support their own extended attributes not suitable for general usage.



This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.