
RADIUS Attributes

RADIUS attributes are the Attribute fields in RADIUS packets; they carry the authentication, authorization, and accounting information. This chapter covers the following sections:
  • Standard RADIUS Attributes
  • Huawei Proprietary RADIUS Attributes
  • Huawei-supported Extended RADIUS Attributes of Other Vendors
  • RADIUS Attributes Available in Packets
  • RADIUS Attributes Precautions

Standard RADIUS Attributes

RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes that are supported by all mainstream vendors. For details, see Table 1.

Table 1 Standard RADIUS attributes

Each entry gives Attribute No. | Attribute Name | Attribute Type, followed by its Description.

1 | User-Name | string
User name for authentication. The user name format can be user name@domain name, or just user name.

2 | User-Password | string
User password for authentication, which is only valid for the Password Authentication Protocol (PAP).

3 | CHAP-Password | string
Response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge.

4 | NAS-IP-Address | ipaddr
Internet Protocol (IP) address of the NAS carried in authentication request packets. By default, the attribute value is the source IP address of the authentication request packets sent by the NAS. You can change the attribute value to a specified IP address on the NAS using the radius-attribute nas-ip ip-address command.

5 | NAS-Port | integer
Physical port number of the network access server that is authenticating the user, in either of the following formats:
  • new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) + Virtual Local Area Network (VLAN) ID (12 bits)
  • old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)

6 | Service-Type | integer
Service type of the user to be authenticated:
  • 2 (Framed): PPP users, 802.1X users, static users, and MAC authentication users (with the fixed user name format)
  • 6 (Administrative): administrator
  • 8 (Authenticate Only): reauthentication only

7 | Framed-Protocol | integer
Encapsulation protocol of Framed services:
  • For a non-management user, the value is fixed as 1.
  • For a management user, the value is fixed as 6.

8 | Framed-IP-Address | ipaddr
User IP address.

11 | Filter-Id | string
User group name or IPv4 Access Control List (ACL) ID.
NOTE:
  • When this attribute carries an IPv4 ACL ID, the ID must range from 3000 to 3999.
  • A RADIUS packet cannot carry a user group name and an IPv4 ACL ID at the same time.

12 | Framed-MTU | integer
Maximum transmission unit (MTU) of the data link between the user and the NAS. For example, in 802.1X Extensible Authentication Protocol (EAP) authentication, the NAS specifies the maximum length of the EAP packet in this attribute. An EAP packet larger than the link MTU may be lost.

14 | Login-IP-Host | ipaddr
Management user IP address:
  • If the value is 0 or 0xFFFFFFFF, the IP address of the management user is not checked.
  • For any other value, the NAS checks whether the management user IP address is the same as the delivered attribute value.

15 | Login-Service | integer
Service to use to connect the user to the login host:
  • 0: Telnet
  • 5: X25-PAD
  • 50: SSH
  • 51: FTP
  • 52: Terminal
NOTE:
An attribute can contain multiple service types.

18 | Reply-Message | string
This attribute indicates whether a user is authenticated:
  • When an Access-Accept packet is returned, the user is successfully authenticated.
  • When an Access-Reject packet is returned, the user fails authentication.

19 | Callback-Number | string
Information sent from the authentication server to be displayed to a user, such as a mobile number.

24 | State | string
This attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

25 | Class | string
If the RADIUS server sends a RADIUS Access-Accept packet carrying the Class attribute to the NAS, the subsequent RADIUS Accounting-Request packets sent from the NAS must carry the Class attribute with the same value.

26 | Vendor-Specific | string
Vendor-specific attribute. For details, see Table 2. A packet can carry one or more private attributes. Each private attribute contains one or more sub-attributes.

27 | Session-Timeout | integer
In the Access-Request packet, this attribute indicates the maximum number of seconds a user should be allowed to remain connected.
In the Access-Challenge packet, this attribute indicates the duration for which EAP authentication users are reauthenticated.
When the value of this attribute is 0:

28 | Idle-Timeout | integer
Maximum number of consecutive seconds of idle connection the user is allowed before termination of the session or prompt.
NOTE:
This attribute is only valid for administrators.

29 | Termination-Action | integer
Action the NAS should take when the specified service is completed:
  • 0: forcible disconnection
  • 1: reauthentication
NOTE:
This attribute is only valid for 802.1X authentication users.

30 | Called-Station-Id | string
This attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. For wired users, it is generally the NAS MAC address.

31 | Calling-Station-Id | string
This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology.

32 | NAS-Identifier | string
String identifying the NAS device originating the Access-Request. By default, the attribute value is the host name of the NAS device. You can change the attribute value to the VLAN ID of the user using the radius-server nas-identifier-format { hostname | vlan-id } command.

40 | Acct-Status-Type | integer
Accounting-Request type:
  • 1: Accounting-Start packet
  • 2: Accounting-Stop packet
  • 3: Interim-Accounting packet

41 | Acct-Delay-Time | integer
Number of seconds the client has been trying to send the accounting packet (excluding the network transmission time).

44 | Acct-Session-Id | string
Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of the same accounting session must have the same session ID.
The format of this attribute is: Host name (7 bits) + Slot ID (2 bits) + Subcard number (1 bit) + Port number (2 bits) + Outer VLAN ID (4 bits) + Inner VLAN ID (5 bits) + Central Processing Unit (CPU) Tick (6 bits) + User ID prefix (2 bits) + User ID (5 bits).

45 | Acct-Authentic | integer
User authentication mode:
  • 1: RADIUS authentication
  • 2: Local authentication
  • 3: Other remote authentication

46 | Acct-Session-Time | integer
How long (in seconds) the user has received service.
NOTE:
If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect.

49 | Acct-Terminate-Cause | string
Cause of a terminated session:
  • User-Request (1): The user requests termination of service.
  • Lost Carrier (2): The connection is torn down due to a handshake failure or heartbeat timeout, such as an ARP probe failure or PPP handshake failure.
  • Lost Service (3): The connection initiated by the peer device is torn down.
  • Idle Timeout (4): The idle timer expires.
  • Session Timeout (5): The session times out or the traffic threshold is reached.
  • Admin Reset (6): The administrator forces the user to go offline.
  • Admin Reboot (7): The administrator restarts the NAS.
  • Port Error (8): A port fails.
  • NAS Error (9): The NAS encounters an internal error.
  • NAS Request (10): The NAS ends the session due to resource changes.
  • NAS Reboot (11): The NAS automatically restarts.
  • Port Unneeded (12): The port is Down.
  • Port Preempted (13): The port is preempted.
  • Port Suspended (14): The port is suspended.
  • Service Unavailable (15): The service is unavailable.
  • Callback (16): The NAS is terminating the current session to perform a callback for a new session.
  • User Error (17): User authentication fails or times out.
  • Host Request (18): A host sends a request.

60 | CHAP-Challenge | string
Challenge field in CHAP authentication. This field is generated by the NAS for Message Digest algorithm 5 (MD5) calculation.

61 | NAS-Port-Type | integer
NAS port type. The attribute value can be configured in the interface view. By default, the type is Ethernet (15).

64 | Tunnel-Type | integer
Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.

65 | Tunnel-Medium-Type | integer
Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.

79 | EAP-Message | string
Encapsulates Extensible Authentication Protocol (EAP) packets so that RADIUS supports EAP authentication. When an EAP packet is longer than 253 bytes, the packet is encapsulated into multiple attributes. A RADIUS packet can carry multiple EAP-Message attributes.

80 | Message-Authenticator | string
Authenticates and verifies authentication packets to prevent spoofed packets. This attribute is used only when RADIUS supports EAP authentication.

81 | Tunnel-Private-Group-ID | string
Tunnel private group ID, which is used to deliver user VLAN IDs.

85 | Acct-Interim-Interval | integer
Interim accounting interval. The value ranges from 60 to 3932100, in seconds. It is recommended that the interval be at least 600 seconds.

87 | NAS-Port-Id | string
Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats:
  • New:
    For Ethernet access users, the NAS-Port-Id is in the format "slot=xx; subslot=xx; port=xxx; vlanid=xxxx", in which "slot" ranges from 0 to 15, "subslot" from 0 to 15, "port" from 0 to 255, and "vlanid" from 1 to 4094.
    For ADSL access users, the NAS-Port-Id is in the format "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which "slot" ranges from 0 to 15, "subslot" from 0 to 9, "port" from 0 to 9, "VPI" from 0 to 255, and "VCI" from 0 to 65535.
  • Old:
    For Ethernet access users, the NAS-Port-Id is in the format port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VLAN ID (9 characters).
    For ADSL access users, the NAS-Port-Id is in the format port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). The fields are prefixed with 0s if they contain fewer bytes than specified.

88 | Framed-Pool | string
Address pool, which is only included in the Access-Accept packet. It is used as authorization information in Efficient VPN.

89 | Chargeable-User-Identity | string
Charging ID delivered by the server. To configure a device to support this attribute, run the radius-server support chargeable-user-identity [ not-reject ] command.
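As an added example that is not part of this Huawei page, the following Python builds a minimal Access-Request carrying Message-Authenticator(80) and verifies it the way RFC 2869 specifies: HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute's own 16-byte value zeroed. The shared secret, User-Name and EAP-Message contents are constructed placeholders.

```python
import hmac
import hashlib
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(atype, value):
    """Type(1) + Length(1) + Value; Length counts its 2-byte header, so Value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for every attribute after the 20-byte RADIUS header."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet) or packet[off + 1] < 2 or off + packet[off + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[off], packet[off + 1]
        yield off, atype, packet[off + 2:off + alen]
        off += alen


def build_access_request(secret, ident, request_authenticator, attrs):
    """Append a zeroed Message-Authenticator, then overwrite it with HMAC-MD5(secret, packet)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_authenticator
    packet = bytearray(header + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret, packet):
    """True only if exactly one well-formed Message-Authenticator is present and it matches."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        found = [(off, val) for off, t, val in iter_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    zeroed = bytearray(packet)
    zeroed[off + 2:off + 18] = bytes(16)      # recompute over the packet with the value zeroed
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)   # constant-time comparison


if __name__ == "__main__":
    secret = b"example-shared-secret"        # constructed, not a deployment value
    pkt = build_access_request(secret, 7, os.urandom(16), [
        attr(1, b"alice@example.com"),                        # User-Name(1)
        attr(79, b"\x02\x01\x00\x16\x01alice@example.com"),   # EAP-Message(79): EAP Response/Identity
    ])
    print(verify_message_authenticator(secret, pkt))          # True
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01                          # flip one bit of User-Name
    print(verify_message_authenticator(secret, bytes(tampered)))  # False
```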

Huawei Proprietary RADIUS Attributes

RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in RFC2865 can be used to extend RADIUS for implementing functions not supported by standard RADIUS attributes. Table 2 describes Huawei proprietary RADIUS attributes.

Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.

Table 2 Huawei proprietary RADIUS attributes

Each entry gives Attribute No. | Attribute Name | Attribute Type, followed by its Description.

26-26 | HW-Connect-ID | integer
Index of a user connection.

26-28 | HW-FTP-Directory | string
Initial directory of an FTP user.

26-29 | HW-Exec-Privilege | integer
Management user (such as Telnet user) priority, ranging from 0 to 15. A priority greater than or equal to 16 is ineffective.

26-59 | HW-NAS-Startup-Time-Stamp | integer
NAS start time, represented by the number of seconds elapsed since 00:00:00 on January 1, 1970.

26-60 | HW-IP-Host-Address | string
User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address are separated by a space.
If the user's IP address is detected to be invalid during authentication, the IP address is set to 255.255.255.255.

26-135 | HW-Client-Primary-DNS | ipaddr
Primary DNS address delivered by the RADIUS server after a user is successfully authenticated.

26-136 | HW-Client-Secondary-DNS | ipaddr
Secondary DNS address delivered by the RADIUS server after a user is successfully authenticated.

26-138 | HW-Domain-Name | string
Name of the domain used for user authentication. This attribute can be the domain name contained in a user name or the name of a forcible domain.

26-146 | HW-Service-Scheme | string
Service scheme name. A service scheme contains user authorization information and policies.

26-153 | HW-Access-Type | integer
User access type carried in the authentication and accounting request packets sent by the RADIUS client to the RADIUS server.

26-178 | HW-IPv6-Redirect-ACL | string
Redirection IPv6 ACL. Redirection is performed only for the users matching the ACL rules. Either the ACL number or the ACL name can be delivered. The ACL name must start with a character.
NOTE:
  • Only wired users support authorization of this attribute.
  • The value range of acl-number is from 3000 to 3999.
  • After the authentication mode multi-share command is configured in the authentication profile, redirection ACL authorization is not supported.

26-244 | HW-Reachable-Detect | string
Server reachability detection information. Authentication packets carrying this attribute are server detection packets.

26-254 | HW-Version | string
Software version of the device.

26-255 | HW-Product-ID | string
NAS product name.
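As an added example (not the page's or Huawei's own code), the following Python decodes the value of a Vendor-Specific(26) attribute into its vendor ID (2011 for Huawei) and sub-attributes, then interprets HW-Exec-Privilege(26-29) and HW-IP-Host-Address(26-60) according to Table 2. The sample byte values are constructed.

```python
import ipaddress
import re
import struct

HUAWEI_VENDOR_ID = 2011
HW_EXEC_PRIVILEGE = 29
HW_IP_HOST_ADDRESS = 60
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def encode_vsa(vendor_id, subattrs):
    """Value field of attribute 26: Vendor-Id(4) followed by Vendor-Type/Vendor-Length/Value triples."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in subattrs)
    return struct.pack("!I", vendor_id) + body


def decode_vsa(value):
    """Return (vendor_id, [(vendor_type, value_bytes), ...]); raise on malformed lengths."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, off = [], 4
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[off], value[off + 1]
        if vlen < 2 or off + vlen > len(value):
            raise ValueError("bad sub-attribute length")
        out.append((vtype, value[off + 2:off + vlen]))
        off += vlen
    return vendor_id, out


def exec_privilege(raw):
    """Table 2: 0-15 is a usable management-user priority; 16 and above is ineffective (None)."""
    if len(raw) != 4:
        raise ValueError("integer attribute must be 4 bytes")
    level = struct.unpack("!I", raw)[0]
    return level if level <= 15 else None


def ip_host_address(raw):
    """Table 2: 'A.B.C.D hh:hh:hh:hh:hh:hh'; 255.255.255.255 means the IP failed validation."""
    ip_text, mac = raw.decode("ascii").split(" ", 1)
    ip = ipaddress.IPv4Address(ip_text)             # raises on a malformed address
    if not _MAC_RE.match(mac.lower()):
        raise ValueError("malformed MAC address in HW-IP-Host-Address")
    return str(ip), mac.lower(), ip != ipaddress.IPv4Address("255.255.255.255")


def describe_huawei_vsa(value):
    """Decode only vendor 2011; another vendor's VSA is reported by ID and otherwise ignored."""
    vendor_id, subs = decode_vsa(value)
    result = {"vendor_id": vendor_id}
    if vendor_id != HUAWEI_VENDOR_ID:
        return result
    for vtype, raw in subs:
        if vtype == HW_EXEC_PRIVILEGE:
            result["exec_privilege"] = exec_privilege(raw)
        elif vtype == HW_IP_HOST_ADDRESS:
            result["ip_host_address"] = ip_host_address(raw)
    return result
```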

Huawei-supported Extended RADIUS Attributes of Other Vendors

Huawei devices support some extended RADIUS attributes of Microsoft. For details, see Table 3.

Table 3 Huawei-supported extended RADIUS attributes of other vendors

Each entry gives Attribute No. | Attribute Name | Attribute Type, followed by its Description.

MICROSOFT-16 | MS-MPPE-Send-Key | string
This attribute indicates the MPPE sending key.

MICROSOFT-17 | MS-MPPE-Recv-Key | string
This attribute indicates the MPPE receiving key.

RADIUS Attributes Available in Packets

Different RADIUS packets carry different RADIUS attributes.
  • For the RADIUS attributes available in authentication packets, see Table 4.
  • For the RADIUS attributes available in accounting packets, see Table 5.
  • For the RADIUS attributes available in authorization packets, see Table 6.

The values in the tables have the following meanings:

  • 1: the attribute must appear exactly once in the packet.
  • 0: the attribute cannot appear in the packet (it is discarded if present).
  • 0-1: the attribute appears at most once in the packet.
  • 0+: the attribute may appear any number of times, including not at all.
Table 4 RADIUS attributes available in authentication packets

| Attribute No. | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|
| User-Name(1) | 1 | 0-1 | 0 | 0 |
| User-Password(2) | 0-1 | 0 | 0 | 0 |
| CHAP-Password(3) | 0-1 | 0 | 0 | 0 |
| NAS-IP-Address(4) | 1 | 0 | 0 | 0 |
| NAS-Port(5) | 1 | 0 | 0 | 0 |
| Service-Type(6) | 1 | 0-1 | 0 | 0 |
| Framed-Protocol(7) | 1 | 0-1 | 0 | 0 |
| Framed-IP-Address(8) | 0-1 | 0-1 | 0 | 0 |
| Framed-IP-Netmask(9) | 0 | 0-1 | 0 | 0 |
| Filter-Id(11) | 0 | 0-1 | 0 | 0 |
| Framed-MTU(12) | 0-1 | 0 | 0 | 0 |
| Login-IP-Host(14) | 0-1 | 0-1 | 0 | 0 |
| Login-Service(15) | 0 | 0-1 | 0 | 0 |
| Reply-Message(18) | 0 | 0-1 | 0-1 | 0-1 |
| Callback-Number(19) | 0 | 0-1 | 0 | 0 |
| State(24) | 0-1 | 0-1 | 0 | 0-1 |
| Class(25) | 0 | 0-1 | 0 | 0 |
| Session-Timeout(27) | 0 | 0-1 | 0-1 | 0-1 |
| Idle-Timeout(28) | 0 | 0-1 | 0 | 0 |
| Termination-Action(29) | 0 | 0-1 | 0 | 0-1 |
| Called-Station-Id(30) | 0-1 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 1 | 0-1 | 0 | 0 |
| NAS-Identifier(32) | 1 | 0 | 0 | 0 |
| Acct-Session-Id(44) | 1 | 0 | 0 | 0 |
| CHAP-Challenge(60) | 0-1 | 0 | 0 | 0 |
| NAS-Port-Type(61) | 1 | 0 | 0 | 0 |
| Tunnel-Type(64) | 0 | 0-1 | 0 | 0 |
| Tunnel-Medium-Type(65) | 0 | 0-1 | 0 | 0 |
| EAP-Message(79) | 0-1 | 0-1 | 0-1 | 0-1 |
| Message-Authenticator(80) | 0-1 | 0-1 | 0-1 | 0-1 |
| Tunnel-Private-Group-ID(81) | 0 | 0-1 | 0-1 | 0 |
| Acct-Interim-Interval(85) | 0 | 0-1 | 0 | 0 |
| NAS-Port-Id(87) | 0-1 | 0 | 0 | 0 |
| Framed-Pool(88) | 0 | 1 | 0 | 0 |
| Chargeable-User-Identity(89) | 0-1 | 0-1 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 0 | 0-1 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 0 | 0-1 | 0 | 0 |
| HW-Connect-ID(26-26) | 1 | 0 | 0 | 0 |
| HW-FTP-Directory(26-28) | 0 | 0-1 | 0 | 0 |
| HW-Exec-Privilege(26-29) | 0 | 0-1 | 0 | 0 |
| HW-NAS-Startup-Time-Stamp(26-59) | 1 | 0 | 0 | 0 |
| HW-IP-Host-Address(26-60) | 1 | 0 | 0 | 0 |
| HW-Client-Primary-DNS(26-135) | 0 | 0-1 | 0 | 0 |
| HW-Client-Secondary-DNS(26-136) | 0 | 0-1 | 0 | 0 |
| HW-Domain-Name(26-138) | 1 | 0 | 0 | 0 |
| HW-Service-Scheme(26-146) | 0 | 0-1 | 0 | 0 |
| HW-Access-Type(26-153) | 1 | 0-1 | 0 | 0 |
| HW-UCL-Group(26-160) | 0 | 0-1 | 0 | 0 |
| HW-Reachable-Detect(26-244) | 0 | 0 | 0 | 0 |
| HW-Version(26-254) | 1 | 0 | 0 | 0 |
| HW-Product-ID(26-255) | 1 | 0 | 0 | 0 |
| MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0-1 | 0 | 0 |
| MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0-1 | 0 | 0 |
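An added example, not from the original page: the occurrence legend (1, 0, 0-1, 0+) applied as a check that the attributes decoded from a packet satisfy a subset of Table 4. Attribute keys follow the page's numbering (a type number, or 26-<sub-type> for Huawei sub-attributes), and the packet contents are constructed.

```python
from collections import Counter

PACKET_TYPES = ("Access-Request", "Access-Accept", "Access-Reject", "Access-Challenge")

# Subset of Table 4, one tuple per attribute in PACKET_TYPES column order.
# Extend this dict with the remaining rows to cover the whole table.
TABLE_4 = {
    "1":     ("1",   "0-1", "0",   "0"),    # User-Name
    "2":     ("0-1", "0",   "0",   "0"),    # User-Password
    "4":     ("1",   "0",   "0",   "0"),    # NAS-IP-Address
    "18":    ("0",   "0-1", "0-1", "0-1"),  # Reply-Message
    "24":    ("0-1", "0-1", "0",   "0-1"),  # State
    "80":    ("0-1", "0-1", "0-1", "0-1"),  # Message-Authenticator
    "88":    ("0",   "1",   "0",   "0"),    # Framed-Pool
    "26-60": ("1",   "0",   "0",   "0"),    # HW-IP-Host-Address
}


def allowed(rule, count):
    """Translate one table cell into a test on how many times the attribute occurred."""
    if rule == "1":
        return count == 1
    if rule == "0":
        return count == 0
    if rule == "0-1":
        return count <= 1
    if rule == "0+":
        return True
    raise ValueError(f"unknown occurrence rule {rule!r}")


def check_packet(packet_type, keys):
    """Return [(key, rule, count)] for every encoded row that the packet violates.

    keys: attribute keys in the order they were decoded from the packet. Attributes
    without a row in TABLE_4 are not judged.
    """
    col = PACKET_TYPES.index(packet_type)
    counts = Counter(keys)          # missing keys count as 0
    return [(key, rules[col], counts[key])
            for key, rules in TABLE_4.items()
            if not allowed(rules[col], counts[key])]


if __name__ == "__main__":
    # Constructed Access-Request: User-Name twice and no NAS-IP-Address.
    print(check_packet("Access-Request", ["1", "1", "26-60", "80"]))   # [('1', '1', 2), ('4', '1', 0)]
    # Constructed Access-Accept carrying two Reply-Message attributes.
    print(check_packet("Access-Accept", ["88", "18", "18"]))           # [('18', '0-1', 2)]
```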

Table 5 RADIUS attributes available in accounting packets

| Attribute No. | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|
| User-Name(1) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-IP-Address(4) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port(5) | 1 | 1 | 1 | 0 | 0 | 0 |
| Service-Type(6) | 1 | 1 | 1 | 0 | 0 | 0 |
| Framed-Protocol(7) | 1 | 1 | 1 | 0 | 0 | 0 |
| Framed-IP-Address(8) | 1 | 1 | 1 | 0 | 0 | 0 |
| Class(25) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Session-Timeout(27) | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| Called-Station-Id(30) (see note) | 1 | 1 | 1 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Identifier(32) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Status-Type(40) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Delay-Time(41) | 0-1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Session-Id(44) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Authentic(45) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Session-Time(46) | 0 | 1 | 1 | 0 | 0 | 0 |
| Acct-Terminate-Cause(49) | 0 | 0 | 1 | 0 | 0 | 0 |
| Event-Timestamp(55) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port-Type(61) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port-Id(87) | 1 | 1 | 1 | 0 | 0 | 0 |
| Chargeable-User-Identity(89) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Domain-Name(26-138) | 1 | 1 | 1 | 0 | 0 | 0 |
| MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0 | 0 | 0 | 0 | 0 |
| MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0 | 0 | 0 | 0 | 0 |

NOTE:
Called-Station-Id(30): for users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry it, neither does the accounting request packet.

Table 6 RADIUS attributes available in CoA/DM packets

| Attribute No. | CoA REQUEST | CoA ACK | CoA NAK | DM REQUEST | DM ACK | DM NAK |
|---|---|---|---|---|---|---|
| User-Name(1) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| NAS-IP-Address(4) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| NAS-Port(5) | 0-1 | 0 | 0 | 0-1 | 0 | 0 |
| Framed-IP-Address(8) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| Filter-Id(11) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Session-Timeout(27) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Idle-Timeout(28) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Termination-Action(29) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| NAS-Identifier(32) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| Acct-Session-Id(44) | 1 | 1 | 1 | 1 | 1 | 1 |
| Tunnel-Type(64) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Tunnel-Medium-Type(65) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Tunnel-Private-Group-ID(81) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Acct-Interim-Interval(85) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| NAS-Port-Id(87) | 0-1 | 0 | 0 | 0-1 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Service-Scheme(26-146) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-UCL-Group(26-160) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0 | 0 | 0 | 0 | 0 |
| MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0 | 0 | 0 | 0 | 0 |

RADIUS Attributes Precautions

Dynamic VLAN: If dynamic VLAN delivery is configured on the server, authorization information includes the delivered VLAN attribute. After the device receives the delivered VLAN attribute, it changes the VLAN of the user to the delivered VLAN.

The delivered VLAN does not change or affect the interface configuration. The delivered VLAN, however, takes precedence over the VLAN configured on the interface. That is, the delivered VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect after the user goes offline.

The following standard RADIUS attributes are used for dynamic VLAN delivery:
  • (064) Tunnel-Type (must be set to VLAN, that is, 13)
  • (065) Tunnel-Medium-Type (must be set to 802, that is, 6)
  • (081) Tunnel-Private-Group-ID (for devices running versions earlier than V200R012C00, the VLAN ID or VLAN description; for devices running V200R012C00 and later versions, the VLAN ID, VLAN description, VLAN name, or VLAN pool)

For the RADIUS server to deliver VLAN information correctly, all three attributes must be present, and Tunnel-Type and Tunnel-Medium-Type must carry the values specified above.
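Added example (not from this page): a check that the attributes decoded from an Access-Accept meet the three-attribute rule above, allowing for the RFC 2868 tag byte (0x00 to 0x1F) that may precede each tunnel attribute value. The attribute values are constructed.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type value meaning IEEE 802


def tagged_int(raw):
    """Tunnel-Type/Tunnel-Medium-Type: 4 bytes; a first byte of 0x00-0x1F is a tag, the value is the low 3 bytes."""
    if len(raw) != 4:
        raise ValueError("tunnel integer attribute must be 4 bytes")
    if raw[0] <= 0x1F:
        return int.from_bytes(raw[1:], "big")
    return struct.unpack("!I", raw)[0]      # no tag: the whole 4 bytes are the value


def tagged_string(raw):
    """Tunnel-Private-Group-ID: optional leading tag byte, then the VLAN ID/description/name/pool."""
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("utf-8")


def dynamic_vlan(attrs):
    """attrs: [(type, value_bytes), ...] from an Access-Accept.

    Returns {'ok': bool, 'vlan': str or None, 'problems': [...]}; 'vlan' is set only when all rules pass.
    """
    present = {}
    for atype, raw in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            present.setdefault(atype, []).append(raw)
    problems = []
    for atype, name in ((TUNNEL_TYPE, "Tunnel-Type"), (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
                        (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID")):
        if atype not in present:
            problems.append(f"{name} missing")
    if TUNNEL_TYPE in present and tagged_int(present[TUNNEL_TYPE][0]) != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if TUNNEL_MEDIUM_TYPE in present and tagged_int(present[TUNNEL_MEDIUM_TYPE][0]) != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type is not 802 (6)")
    vlan = None
    if not problems:
        vlan = tagged_string(present[TUNNEL_PRIVATE_GROUP_ID][0])
    return {"ok": not problems, "vlan": vlan, "problems": problems}


if __name__ == "__main__":
    # Constructed Access-Accept attributes: tagged Tunnel-Type 13, Tunnel-Medium-Type 6, VLAN "100".
    accept = [(1, b"alice"), (64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"\x00100")]
    print(dynamic_vlan(accept))    # {'ok': True, 'vlan': '100', 'problems': []}
    print(dynamic_vlan(accept[:2]))  # Tunnel-Medium-Type and Tunnel-Private-Group-ID missing
```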

Copyright © Huawei Technologies Co., Ltd.