RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon.

This appendix describes the following types of RADIUS attributes supported in Broadband Network Gateway (BNG):

RADIUS IETF Attributes

IETF Attributes Versus VSAs

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known; thus all clients and servers who exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.

RADIUS vendor-specific attributes (VSAs) derived from one IETF attribute-vendor-specific (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes however they wish. That is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26; thus, the newly created attribute is accepted if the user accepts attribute 26.

Table 1. Supported RADIUS IETF Attributes

Name

Value

Type

Acct-Authentic integer 45
Acct-Delay-Time integer 41
Acct-Input-Giga-Words integer 52
Acct-Input-Octets integer 42
Acct-Input-Packets integer 47
Acct-Interim-Interval integer 85
Acct-Link-Count integer 51
Acct-Output-Giga-Words integer 53
Acct-Output-Octets integer 43
Acct-Output-Packets integer 48
Acct-Session-Time integer 46
Acct-Status-Type integer 40
Acct-Terminate-Cause integer 49
CHAP-Challenge binary 40
CHAP-Password binary 3
Dynamic-Author-Error-Cause integer 101
Event-Timestamp integer 55
Filter-Id binary 11
Framed-Protocol integer 7
Framed-IP-Address ipv4addr 8

Framed-IP-Netmask

ipv4addr

9

Framed-Route "string" 22
login-ip-addr-host ipv4addr 14
Multilink-Session-ID string 50
Nas-Identifier string 32
NAS-IP-Address ipv4addr 4
NAS-Port integer 5
Reply-Message binary 18
Service-Type integer 6
Tunnel-Assignment-Id string 32
Tunnel-Packets-Lost integer 86
X-Ascend-Client-Primary-DNS ipv4addr 135
X-Ascend-Client-Secondary-DNS ipv4addr 136
NAS-IPv6-Address string 95
Delegated-IPv6-Prefix binary 123
Stateful-IPv6-Address-Pool binary 123
Framed-IPv6-Prefix binary 97
Framed-Interface-Id binary 96
Framed-IPv6-Pool string 100
Framed-IPv6-Route string 99
login-ip-addr-host string 98

IETF Tagged Attributes on LAC

The IETF Tagged Attributes support on L2TP Access Concentrator (LAC) provides a means of grouping tunnel attributes referring to the same tunnel in an Access-Accept packet sent from the RADIUS server to the LAC. The Access-Accept packet can contain multiple instances of same RADIUS attributes, but with different tags. The tagged attributes support ensures that all attributes pertaining to a given tunnel contain the same value in their respective tag fields, and that each set includes an appropriately-valued instance of the Tunnel-Preference attribute. This conforms to the tunnel attributes that are to be used in a multi-vendor network environment, thereby eliminating interoperability issues among Network Access Servers (NASs) manufactured by different vendors.

For details of RADIUS Attributes for Tunnel Protocol Support, refer RFC 2868.

These examples describe the format of IETF Tagged Attributes:

Tunnel-Type = :0:L2TP, Tunnel-Medium-Type = :0:IP, Tunnel-Server-Endpoint = :0:"1.1.1.1", Tunnel-Assignment-Id = :0:"1", Tunnel-Preference = :0:1, Tunnel-Password = :0:"hello"

A tag value of 0 is used in the above example in the format of :0:, to group those attributes in the same packet that refer to the same tunnel. Similar examples are:

Tunnel-Type = :1:L2TP, Tunnel-Medium-Type = :1:IP, Tunnel-Server-Endpoint = :1:"2.2.2.2", Tunnel-Assignment-Id = :1:"1", Tunnel-Preference = :1:1, Tunnel-Password = :1:"hello"

Tunnel-Type = :2:L2TP, Tunnel-Medium-Type = :2:IP, Tunnel-Server-Endpoint = :2:"3.3.3.3", Tunnel-Assignment-Id = :2:"1", Tunnel-Preference = :2:2, Tunnel-Password = :2:"hello"

Tunnel-Type = :3:L2TP, Tunnel-Medium-Type = :3:IP, Tunnel-Server-Endpoint = :3:"4.4.4.4", Tunnel-Assignment-Id = :3:"1", Tunnel-Preference = :3:2, Tunnel-Password = :3:"hello"

Tunnel-Type = :4:L2TP, Tunnel-Medium-Type = :4:IP, Tunnel-Server-Endpoint = :4:"5.5.5.5", Tunnel-Assignment-Id = :4:"1", Tunnel-Preference = :4:3, Tunnel-Password = :4:"hello"

Tunnel-Type = :5:L2TP, Tunnel-Medium-Type = :5:IP, Tunnel-Server-Endpoint = :5:"6.6.6.6", Tunnel-Assignment-Id = :5:"1", Tunnel-Preference = :5:3, Tunnel-Password = :5:"hello"

Table 2. Supported IETF Tagged Attributes

IETF Tagged Attribute Name

Value

Type

Tunnel-Type integer 64
Tunnel-Medium-Type integer 65
Tunnel-Client-Endpoint string 66
Tunnel-Server-Endpoint string 67
Tunnel-Password string 69
Tunnel-Assignment-ID string 82
Tunnel-Preference integer 83
Tunnel-Client-Auth-ID string 90
Tunnel-Server-Auth-ID string 91

RADIUS Vendor-Specific Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor specific attributes, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use.

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of this format:

protocol : attribute sep value *

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP, AIRNET, OUTBOUND. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.

For example, the following AV pair causes Cisco's "multiple named ip address pools" feature to be activated during IP authorization (during PPP's IPCP address assignment):

cisco-avpair= "ip:addr-pool=first"

If you insert an "*", the AV pair "ip:addr-pool=first" becomes optional. Note that any AV pair can be made optional.

IETF Attribute 26 (Vendor-Specific) encapsulates vendor specific attributes, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use.

cisco-avpair= "ip:addr-pool*first"

The following example shows how to cause a user logging in from a network access server to have immediate access to EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

The following example shows how to configure avpair aaa attribute to enable IPv6 router advertisements from an IPv4 subscriber interface:

Cisco-avpair= "ipv6:start-ra-on-ipv6-enable=1"

Attribute 26 contains these three elements:

  • Type

  • Length

  • String (also known as data)

    • Vendor-ID

    • Vendor-Type

    • Vendor-Length

    • Vendor-Data


Note


It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as Vendor-Data) is dependent on the vendor's definition of that attribute.


Table 3. Supported Cisco Vendor-Specific RADIUS Attributes

Name

Value

Type

Present in AAA message type

access-loop-encapsulation binary 1 Access-accept, Accounting-request
accounting-list string 1 Access-accept, CoA, Accounting-request
acct-input-gigawords-ipv4 integer 1 Accounting-request
acct-input-octets-ipv4 integer 1 Accounting-request
acct-input-packets-ipv4 integer 1 Accounting-request
acct-input-gigawords-ipv6 integer 1 Accounting-request
acct-input-octets-ipv6 integer 1 Accounting-request
acct-input-packets-ipv6 integer 1 Accounting-request
acct-output-gigawords-ipv4 integer 1 Accounting-request
acct-output-octets-ipv4 integer 1 Accounting-request
acct-output-packets-ipv4 integer 1 Accounting-request
acct-output-gigawords-ipv6 integer 1 Accounting-request
acct-output-octets-ipv6 integer 1 Accounting-request
acct-output-packets-ipv6 integer 1 Accounting-request
acct-policy-in string 1 Access-request
acct-policy-map string 1 Access-request
acct-policy-out string 1 Access-request
actual-data-rate-downstream integer 1 Access-accept, Accounting-request
actual-data-rate-upstream integer 1 Access-accept, Accounting-request
actual-interleaving-delay-downstream integer 1 Access-accept, Accounting-request
actual-interleaving-delay-upstream integer 1 Access-accept, Accounting-request
addr-pool

Note

 

This is for IPv4 subscriber.

string 1 Access-accept
addrv6 string 1 Access-accept, Accounting-request
attainable-data-rate-downstream integer 1 Access-accept, Accounting-request
attainable-data-rate-upstream integer 1 Access-accept, Accounting-request
circuit-id-tag string 1 Access-accept, Accounting-request
cisco-dhcp-relay-giaddr string 50 Access-request
cisco-dhcp-subscriber-id string 65 Access-request
cisco-dhcp-user-class string 47 Access-request
cisco-dhcp-vendor-class string 48 Access-request
cisco-dhcpv4-option-to-aaa string 90 Access-request
cisco-dhcpv6-link-address string 66 Access-request
cisco-nas-port string 2 Access-accept, Accounting-request
cisco-relay-information-option string 46 Access-request
cisco-vsa-in-acl string 57 Access-accept, CoA
cisco-vsa-ipv6-in-acl string 61 Access-accept, CoA
cisco-vsa-ipv6-out-acl string 62 Access-accept, CoA
cisco-vsa-parent-session-id string 52 Access-accept
cisco-vsa-out-acl string 58 Access-accept, CoA
cisco-vsa-service-name string 51 Access-accept
cisco-vsa-sub-activate-service string 60 Access-accept, CoA
cisco-vsa-sub-deactivate-service string 63 Access-accept, CoA
cisco-vsa-sub-pbr-policy-in string 59 Access-accept, CoA
cisco-vsa-sub-qos-pol-in string 55 Access-accept, CoA
cisco-vsa-sub-qos-pol-out string 56 Access-accept, CoA
client-mac-address string 1 Access-accept, Accounting-request
command string 1 CoA
connect-progress string 1 Accounting-request
connect-rx-speed integer 1 Access-accept, Accounting-request
connect-tx-speed integer 1 Access-accept, Accounting-request
delegated-ipv6-pool string 1 Access-accept
dhcp-class string 1 Access-accept
dhcp-client-id string 1 Accounting-request
dhcp-vendor-class string 1 Access-request, Accounting-request
dhcpv4-ip-lease string 1 Access-accept
dhcpv4-option string 1 Access-accept
dhcpv6-class string 1 Access-accept
dhcpv6-ip-lease string 1 Access-accept
dhcpv6-option string 1 Access-accept
disc-cause-ext string 1 Accounting-request
disconnect-cause string 1 Accounting-request
dual-stack-delay integer 1 Access-accept
idlethreshold integer 1 Access-accept, CoA
idle-timeout integer 1 Access-accept, CoA
idle-timeout-direction string 1 Access-accept, CoA
if-handle integer 1 Accounting-request
inacl string 1 Access-accept
intercept-id integer 1 Access-accept
ip-addresses string 1 Access-request, Accounting-request

ipv4-default-gateway

string

1

Access-Accept

ipv4-unnumbered

Note

 
This attribute-value pair (AVP) is preferred for BNG in Cisco IOS XR Software, and it is equivalent to the ip-unnumbered AVP in Cisco IOS Software.
string 1 Access-accept
ipv6_inacl string 1 Access-accept, CoA
ipv6_outacl string 1 Access-accept, CoA
ipv6-addr-pool string 1 Access-accept
ipv6-dns-servers-addr string 1 Access-accept
ipv6-enable integer 1 Access-accept
ipv6-mtu integer 1 Access-accept
ipv6-strict-rpf integer 1 Access-accept
ipv6-unreachable integer 1 Access-accept
l2tp-tunnel-password string 1 Access-accept

ipv6 nd start-ra-on-ipv6-enable

Integer

1

Access-accept

login-ip-host string 1 Accounting-request
maximum-interleaving-delay-downstream integer 1 Access-request, Accounting-request
maximum-interleaving-delay-upstream integer 1 Access-request, Accounting-request
maximum-data-rate-downstream integer 1 Access-request, Accounting-request
maximum-data-rate-upstream integer 1 Access-request, Accounting-request
md-dscp integer 1 Access-accept
md-ip-addr ipaddr 1 Access-accept
md-port integer 1 Access-accept
minimum-data-rate-downstream integer 1 Access-request, Accounting-request
minimum-data-rate-downstream-low-power integer 1 Access-request, Accounting-request
minimum-data-rate-upstream integer 1 Access-request, Accounting-request
minimum-data-rate-upstream-low-power integer 1 Access-request, Accounting-request
outacl string 1 Access-accept
parent-if-handle integer 1 Access-request, Accounting-request
parent-session-id string 1 Accounting-request
parsed-user-attribute

string

1

Access-accept

pppoe_session_id integer 1 Accounting-request
primary-dns ipaddr 1 Access-accept
qos-policy-in string 1 Access-accept, CoA
qos-policy-out string 1 Access-accept, CoA
redirect-vrf string 1 Access-accept
remote-id-tag string 1 Access-request, Accounting-request
sa string 1 Access-accept, CoA
sd string 1 RADIUS CoA
secondary-dns ipaddr 1 Access-accept
service-name string 1 Accounting-request
Stateful-IPv6-Address-Pool string 1 Access-accept
sub-pbr-policy-in string 1 Access-accept, CoA
sub-qos-policy-in string 1 Access-accept
sub-qos-policy-out string 1 Access-accept
Tunnel-Client-endpoint ipaddr 1 Access-accept, Accounting-request
tunnel-id string 1 Access-accept
tunnel-medium-type string 1 Access-accept
Tunnel-Server-endpoint ipaddr 1 Access-accept, Accounting-request
tunnel-tos-reflect string 1 Access-accept
tunnel-tos-setting integer 1 Access-accept
tunnel-type string 1 Access-accept
username string 1 Access-request, Accounting-request
vpdn-template string 1 Access-accept
vpn-id string 1 Access-accept
vpn-vrf string 1 Access-accept
vrf-id integer 1 Access-accept, Accounting-request
wins-server ipaddr 1 Access-accept

Vendor-Specific Attributes for Account Operations

Table 4. Supported Vendor-Specific Attributes for Account Operations
RADIUS AVP Value Type Action
subscriber:command=account-logon string 1 account logon
subscriber:command=account-logoff string 1 account logoff
subscriber:command=account-update string 1 account update
subscriber:sa=<service-name> string 1 service activate
subscriber:sd=<service-name> string 1 service de-activate

RADIUS ADSL Attributes

Table 5. Supported RADIUS ADSL Attributes

Name

Value

Type

Access-Loop-Encapsulation binary 144
Actual-Interleaving-Delay-Downstream integer 142
Actual-Interleaving-Delay-Upstream integer 140
Actual-Data-Rate-Downstream integer 130
Actual-Data-Rate-Upstream integer 129
Attainable-Data-Rate-Downstream integer 134
Attainable-Data-Rate-Upstream integer 133
Agent-Circuit-Id string 1
IWF-Session boolean social 254
Maximum-Interleaving-Delay-Downstream integer 141
Maximum-Interleaving-Delay-Upstream integer 139
Maximum-Data-Rate-Downstream integer 136
Maximum-Data-Rate-Upstream integer 135
Minimum-Data-Rate-Downstream integer 132
Minimum-Data-Rate-Downstream-Low-Power integer 138
Minimum-Data-Rate-Upstream integer 131
Minimum-Data-Rate-Upstream-Low-Power integer 137
Agent-Remote-Id string 2

RADIUS ASCEND Attributes

Table 6. Supported RADIUS Ascend Attributes

Name

Value

Type

Ascend-Client-Primary-DNS ipv4addr 135
Ascend-Client-Secondary-DNS ipv4addr 136
Ascend-Connection-Progress integer 196
Ascend-Disconnect-Cause integer 195
Ascend-Multilink-Session-ID integer 187
Ascend-Num-In-Multilink integer 188

RADIUS Microsoft Attributes

Table 7. Supported RADIUS Microsoft Attributes

Name

Value

Type

MS-1st-NBNS-Server ipv4addr 30
MS-2nd-NBNS-Server ipv4addr 31
MS-CHAP-ERROR binary 2
MS-Primary-DNS ipv4addr 28
MS-Secondary-DNS ipv4addr 29

RADIUS Disconnect-Cause Attributes

Disconnect-cause attribute values specify the reason a connection was taken offline. The attribute values are sent in Accounting request packets. These values are sent at the end of a session, even if the session fails to be authenticated. If the session is not authenticated, the attribute can cause stop records to be generated without first generating start records.

lists the cause codes, values, and descriptions for the Disconnect-Cause (195) attribute.


Note


The Disconnect-Cause is incremented by 1000 when it is used in RADIUS AVPairs; for example, disc-cause 4 becomes 1004.


Table 8. Supported Disconnect-Cause Attributes

Cause Code

Value

Description

0

No-Reason

No reason is given for the disconnect.

1

No-Disconnect

The event was not disconnected.

2

Unknown

Reason unknown.

3

Call-Disconnect

The call has been disconnected.

4

CLID-Authentication-Failure

Failure to authenticate number of the calling-party.

9

No-Modem-Available

A modem in not available to connect the call.

10

No-Carrier

No carrier detected.

Note

 

Codes 10, 11, and 12 can be sent if there is a disconnection during initial modem connection.

11

Lost-Carrier

Loss of carrier.

12

No-Detected-Result-Codes Failure to detect modem result codes.

20

User-Ends-Session User terminates a session.

Note

 

Codes 20, 22, 23, 24, 25, 26, 27, and 28 apply to EXEC sessions.

21

Idle-Timeout Timeout waiting for user input.

Note

 

Codes 21, 100, 101, 102, and 120 apply to all session types.

22

Exit-Telnet-Session Disconnect due to exiting Telnet session.

23

No-Remote-IP-Addr Could not switch to SLIP/PPP; the remote end has no IP address.

24

Exit-Raw-TCP Disconnect due to exiting raw TCP.

25

Password-Fail Bad passwords.

26

Raw-TCP-Disabled Raw TCP disabled.

27

Control-C-Detected Control-C detected.

28

EXEC-Process-Destroyed EXEC process destroyed.

29

Close-Virtual-Connection User closes a virtual connection.

30

End-Virtual-Connection Virtual connected has ended.

31

Exit-Rlogin User exists Rlogin.

32

Invalid-Rlogin-Option Invalid Rlogin option selected.

33

Insufficient-Resources

Insufficient resources.

40

Timeout-PPP-LCP

PPP LCP negotiation timed out.

Note

 

Codes 40 through 49 apply to PPP sessions.

41 Failed-PPP-LCP-Negotiation PPP LCP negotiation failed.
42 Failed-PPP-PAP-Auth-Fail PPP PAP authentication failed.
43 Failed-PPP-CHAP-Auth PPP CHAP authentication failed.
44 Failed-PPP-Remote-Auth PPP remote authentication failed.
45 PPP-Remote-Terminate PPP received a Terminate Request from remote end.
46 PPP-Closed-Event Upper layer requested that the session be closed.
47 NCP-Closed-PPP PPP session closed because there were no NCPs open.
48 MP-Error-PPP PPP session closed because of an MP error.
49 PPP-Maximum-Channels PPP session closed because maximum channels were reached.
50 Tables-Full Disconnect due to full terminal server tables.
51 Resources-Full Disconnect due to full internal resources.
52 Invalid-IP-Address IP address is not valid for Telnet host.
53 Bad-Hostname Hostname cannot be validated.
54 Bad-Port Port number is invalid or missing.
60 Reset-TCP TCP connection has been reset.

Note

 

Codes 60 through 67 apply to Telnet or raw TCP sessions.

61 TCP-Connection-Refused TCP connection has been refused by the host.
62 Timeout-TCP TCP connection has timed out.
63 Foreign-Host-Close-TCP TCP connection has been closed.
64 TCP-Network-Unreachable TCP network is unreachable.
65 TCP-Host-Unreachable TCP host is unreachable.
66 TCP-Network-Admin

Unreachable

TCP network is unreachable for administrative reasons.
67 TCP-Port-Unreachable TCP port in unreachable.
100 Session-Timeout Session timed out.
101 Session-Failed-Security Session failed for security reasons.
102 Session-End-Callback Session terminated due to callback.
120 Invalid-Protocol Call refused because the detected protocol is disabled.
150 RADIUS-Disconnect Disconnected by RADIUS request.
151 Local-Admin-Disconnect Administrative disconnect.
152 SNMP-Disconnect Disconnected by SNMP request.
160 V110-Retries Allowed V.110 retries have been exceeded.
170 PPP-Authentication-Timeout PPP authentication timed out.
180 Local-Hangup Disconnected by local hangup.
185 Remote-Hangup Disconnected by remote end hangup.
190 T1-Quiesced Disconnected because T1 line was quiesced.
195 Call-Duration Disconnected because the maximum duration of the call was exceeded.
600 VPN-User-Disconnect Call disconnected by client (through PPP).

Code is sent if the LNS receives a PPP terminate request from the client.

601 VPN-Carrier-Loss Loss of carrier. This can be the result of a physical line going dead.

Code is sent when a client is unable to dial out using a dialer.

602 VPN-No-Resources No resources available to handle the call.

Code is sent when the client is unable to allocate memory (running low on memory).

603 VPN-Bad-Control-Packet Bad L2TP or L2F control packets.

This code is sent when an invalid control packet, such as missing mandatory Attribute-Value pairs (AVP), from the peer is received. When using L2TP, the code will be sent after six retransmits; when using L2F, the number of retransmits is user configurable.

Note

 

VPN-Tunnel-Shut will be sent if there are active sessions in the tunnel.

604 VPN-Admin-Disconnect Administrative disconnect. This can be the result of a VPN soft shutdown, which is when a client reaches maximum session limit or exceeds maximum hopcount.

Code is sent when a tunnel is brought down by issuing the clear vpdn tunnel command.

605 VPN-Tunnel-Shut Tunnel teardown or tunnel setup has failed.

Code is sent when there are active sessions in a tunnel and the tunnel goes down.

Note

 

This code is not sent when tunnel authentication fails.

606 VPN-Local-Disconnect Call is disconnected by LNS PPP module.

Code is sent when the LNS sends a PPP terminate request to the client. It indicates a normal PPP disconnection initiated by the LNS.

607 VPN-Session-Limit VPN soft shutdown is enabled.

Code is sent when a call has been refused due to any of the soft shutdown restrictions previously mentioned.

608 VPN-Call-Redirect VPN call redirect is enabled.