For more information about RADIUS attributes, use the AAA Attribute Query Tool.
RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes that are supported by all mainstream vendors. For details, see Table 1.

| Attribute No. | Attribute Name | Attribute Type | Description |
|---|---|---|---|
| 1 | User-Name | string | User name for authentication. The user name format can be user name@domain name, or just user name. |
| 2 | User-Password | string | User password for authentication, which is only valid for the Password Authentication Protocol (PAP). |
| 3 | CHAP-Password | string | Response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. |
| 4 | NAS-IP-Address | ipaddr | Internet Protocol (IP) address of the NAS carried in authentication request packets. By default, the attribute value is the source IP address of the authentication request packets sent by the NAS. You can change the attribute value to the specified IP address on the NAS or the IP address of the AP using the radius-attribute nas-ip { ip-address \| ap-info } command. |
| 5 | NAS-Port | integer | Physical port number of the network access server that is authenticating the user, which is in either of the following formats: |
| 6 | Service-Type | integer | Service type of the user to be authenticated: |
| 7 | Framed-Protocol | integer | Encapsulation protocol of Frame services: |
| 8 | Framed-IP-Address | ipaddr | User IP address. |
| 11 | Filter-Id | string | UCL group name, user group name, or IPv4 Access Control List (ACL) ID. NOTE: |
| 12 | Framed-MTU | integer | Maximum transmission unit (MTU) of the data link between user and NAS. For example, in 802.1X Extensible Authentication Protocol (EAP) authentication, the NAS specifies the maximum length of the EAP packet in this attribute. An EAP packet larger than the link MTU may be lost. |
| 14 | Login-IP-Host | ipaddr | Management user IP address: |
| 15 | Login-Service | integer | Service to use to connect the user to the login host: NOTE: An attribute can contain multiple service types. |
| 18 | Reply-Message | string | This attribute determines whether a user is authenticated: |
| 19 | Callback-Number | string | Information sent from the authentication server and to be displayed to a user, such as a mobile number. |
| 24 | State | string | This attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. |
| 25 | Class | string | If the RADIUS server sends a RADIUS Access-Accept packet carrying the Class attribute to the NAS, the subsequent RADIUS Accounting-Request packets sent from the NAS must carry the Class attribute with the same value. |
| 26 | Vendor-Specific | string | Vendor-specific attribute. For details, see Table 2. A packet can carry one or more private attributes. Each private attribute contains one or more sub-attributes. |
| 27 | Session-Timeout | integer | In the Access-Request packet, this attribute indicates the maximum number of seconds a user should be allowed to remain connected. In the Access-Challenge packet, this attribute indicates the duration for which EAP authentication users are reauthenticated. When the value of this attribute is 0: NOTE: This attribute is only valid for 802.1X, MAC address, Portal, and PPPoE authentication users. When the RADIUS server delivers only this attribute, the value of attribute 29 Termination-Action is set to 0 (users are forced offline) by default. |
| 28 | Idle-Timeout | integer | Maximum number of consecutive seconds of idle connection the user is allowed before termination of the session or prompt. NOTE: |
| 29 | Termination-Action | integer | What action the NAS should take when the specified service is completed: NOTE: This attribute is only valid for 802.1X and MAC address authentication users. When the authentication point is deployed on a VLANIF interface, MAC address authenticated users do not support the authorization of Termination-Action=1. When the RADIUS server delivers only this attribute, the value of attribute 27 Session-Timeout is set to 3600s (for 802.1X authentication users) or 1800s (for MAC address authentication users) by default. |
| 30 | Called-Station-Id | string | Number of the NAS: |
| 31 | Calling-Station-Id | string | This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. |
| 32 | NAS-Identifier | string | String identifying the network access server originating the Access-Request. By default, the attribute value is the host name of the user. You can change the attribute value to the VLAN ID of the user or the MAC address of the AP using the radius-server nas-identifier-format { hostname \| vlan-id \| ap-info } command. |
| 40 | Acct-Status-Type | integer | Accounting-Request type: |
| 41 | Acct-Delay-Time | integer | Number of seconds the client has been trying to send the accounting packet (excluding the network transmission time). |
| 42 | Acct-Input-Octets | integer | Number of bytes in upstream traffic, corresponding to the lower 32 bits in the data structure for storing the upstream traffic. Contents of this attribute and the RADIUS attribute 52 (Acct-Input-Gigawords) compose the upstream traffic. The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, and GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte. NOTE: This attribute is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 43 | Acct-Output-Octets | integer | Number of bytes in downstream traffic, corresponding to the lower 32 bits in the data structure for storing the downstream traffic. Contents of this attribute and the RADIUS attribute 53 (Acct-Output-Gigawords) compose the downstream traffic. The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, and GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte. |
| 44 | Acct-Session-Id | string | Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of the same accounting session must have the same session ID. The format of this attribute is: Host name (7 bits) + Slot ID (2 bits) + Subcard number (1 bit) + Port number (2 bits) + Outer VLAN ID (4 bits) + Inner VLAN ID (5 bits) + Central Processing Unit (CPU) Tick (6 bits) + User ID prefix (2 bits) + User ID (5 bits). |
| 45 | Acct-Authentic | integer | User authentication mode: |
| 46 | Acct-Session-Time | integer | How long (in seconds) the user has received service. NOTE: If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect. |
| 47 | Acct-Input-Packets | integer | Number of incoming packets. NOTE: This attribute is only supported by S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 48 | Acct-Output-Packets | integer | Number of outgoing packets. |
| 49 | Acct-Terminate-Cause | string | Cause of a terminated session: |
| 52 | Acct-Input-Gigawords | integer | Number of times the number of bytes in upstream traffic is greater than 4 GB (2^32), corresponding to the higher 32 bits in the data structure for storing the upstream traffic. Contents of this attribute and the RADIUS attribute 42 (Acct-Input-Octets) compose the upstream traffic. The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, and GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte. NOTE: This attribute is only supported by S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 53 | Acct-Output-Gigawords | integer | Number of times the number of bytes in downstream traffic is greater than 4 GB (2^32), corresponding to the higher 32 bits in the data structure for storing the downstream traffic. Contents of this attribute and the RADIUS attribute 43 (Acct-Output-Octets) compose the downstream traffic. The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, and GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte. |
| 55 | Event-Timestamp | integer | Time when an Accounting-Request packet is generated, represented by the number of seconds elapsed since 00:00:00 of January 1, 1970. |
| 60 | CHAP-Challenge | string | Challenge field in CHAP authentication. This field is generated by the NAS for Message Digest algorithm 5 (MD5) calculation. |
| 61 | NAS-Port-Type | integer | NAS port type. The attribute value can be configured in the interface view. By default, the type is Ethernet (15). |
| 64 | Tunnel-Type | integer | Protocol type of the tunnel. The value is fixed as 13, indicating VLAN. |
| 65 | Tunnel-Medium-Type | integer | Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet. |
| 79 | EAP-Message | string | Encapsulates Extensible Authentication Protocol (EAP) packets so that RADIUS supports EAP authentication. When an EAP packet is longer than 253 bytes, the packet is encapsulated into multiple attributes. A RADIUS packet can carry multiple EAP-Message attributes. |
| 80 | Message-Authenticator | string | Authenticates and verifies authentication packets to prevent spoofing packets. |
| 81 | Tunnel-Private-Group-ID | string | Tunnel private group ID, which is used to deliver user VLAN IDs. NOTE: Authorization can be performed using the VLAN ID, VLAN description, VLAN name, and VLAN pool. The order in which authorization takes effect is as follows: VLAN ID > VLAN description > VLAN name > VLAN pool. To make the VLAN authorization function take effect, ensure the correct access control mode is configured: Both wired and wireless users support the authorization of VLAN pools, and wireless users support the authorization of VLAN pools since V200R013C00. |
| 85 | Acct-Interim-Interval | integer | Interim accounting interval. The value ranges from 60 to 3932100, in seconds. It is recommended that the interval be at least 600 seconds. |
| 87 | NAS-Port-Id | string | Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats: |
| 89 | Chargeable-User-Identity | string | Charging ID delivered by the server. To configure a device to support this attribute, run the radius-server support chargeable-user-identity [ not-reject ] command. |
| 95 | NAS-IPv6-Address | ipaddr | IPv6 address carried in the authentication request packet sent by the NAS. Both the NAS-IPv6-Address and NAS-IP-Address fields can be included in a packet. |
| 96 | Framed-Interface-Id | string | IPv6 interface identifier to be configured for the user. |
| 97 | Framed-IPv6-Prefix | ipaddr | IPv6 prefix to be configured for the user. |
| 168 | Framed-IPv6-Address | ipaddr | IPv6 address of the user. |
| 195 | HW-SecurityStr | string | Security information of users in EAP relay authentication. |

RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in RFC2865 can be used to extend RADIUS for implementing functions not supported by standard RADIUS attributes. Table 2 describes Huawei proprietary RADIUS attributes.

Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.

| Attribute No. | Attribute Name | Attribute Type | Description |
|---|---|---|---|
| 26-1 | HW-Input-Peak-Information-Rate | integer | Peak information rate (PIR) at which the user accesses the NAS, which is the maximum rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s. The HW-Input-Peak-Information-Rate must be higher than or equal to the HW-Input-Committed-Information-Rate. The default HW-Input-Peak-Information-Rate is equal to the HW-Input-Committed-Information-Rate. |
| 26-2 | HW-Input-Committed-Information-Rate | integer | Committed information rate (CIR) at which the user accesses the NAS, which is the allowed average rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s. NOTE: This attribute must be specified when the rate of packets sent from the user to the NAS is limited. |
| 26-3 | HW-Input-Committed-Burst-Size | integer | Committed burst size (CBS) at which the user accesses the NAS, which is the average volume of burst traffic that can pass through an interface. The value is a 4-byte integer, in bit. |
| 26-4 | HW-Output-Peak-Information-Rate | integer | Peak information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s. The HW-Output-Peak-Information-Rate must be higher than or equal to the HW-Output-Committed-Information-Rate. The default HW-Output-Peak-Information-Rate is equal to the HW-Output-Committed-Information-Rate. |
| 26-5 | HW-Output-Committed-Information-Rate | integer | Committed information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s. NOTE: This attribute must be specified when the rate of packets sent from the NAS to the user is limited. |
| 26-6 | HW-Output-Committed-Burst-Size | integer | Committed burst size at which the NAS connects to the user. The value is a 4-byte integer, in bit. |
| 26-15 | HW-Remanent-Volume | integer | Remaining traffic. The unit is KB. |
| 26-17 | HW-Subscriber-QoS-Profile | string | Name of the QoS profile. NOTE: The RADIUS server can only grant this attribute to wired users who go online through the S5720-HI. When this attribute is authorized to an NAS remotely, ensure that the user queue has been created in the QoS profile using the user-queue { pir pir-value \| flow-queue-profile flow-queue-profile-name \| flow-mapping-profile flow-mapping-profile-name } * command to implement HQoS. |
| 26-18 | HW-UserName-Access-Limit | integer | Maximum number of users who are allowed to access the network using the same user name. The limit is indicated by a particular numeric value as follows: NOTE: This attribute can be carried only in Access-Accept packets. |
| 26-26 | HW-Connect-ID | integer | Index of a user connection. |
| 26-28 | HW-FTP-Directory | string | Initial directory of an FTP user. |
| 26-29 | HW-Exec-Privilege | integer | Management user (such as Telnet user) priority, ranging from 0 to 15. A priority greater than or equal to 16 is ineffective. |
| 26-31 | HW-Qos-Data | string | Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile for traffic policing. The QoS profile must exist on the device and traffic policing is configured using the car (QoS profile view) command. NOTE: This attribute is only supported by the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI. |
| 26-33 | HW-VoiceVlan | integer | Voice VLAN authorization flag. The value 1 indicates that the authorized VLAN is the voice VLAN. This attribute is used with VLAN authorization attributes. NOTE: After the authentication mode multi-share command is configured in the authentication profile, authorization voice VLAN will not be supported. |
| 26-35 | HW-ProxyRdsPkt | integer | This attribute specifies whether a RADIUS server is a proxy server: |
| 26-59 | HW-NAS-Startup-Time-Stamp | integer | NAS start time, represented by the number of seconds elapsed since 00:00:00 of January 1, 1970. |
| 26-60 | HW-IP-Host-Address | string | User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address are separated by a space. If the user's IP address is detected to be invalid during authentication, the IP address is set to 255.255.255.255. |
| 26-61 | HW-Up-Priority | integer | 802.1p priority of upstream packets. |
| 26-62 | HW-Down-Priority | integer | 802.1p priority of downstream packets. |
| 26-75 | HW-Primary-WINS | ipaddr | Primary WINS server address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-76 | HW-Second-WINS | ipaddr | Secondary WINS server address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-77 | HW-Input-Peak-Burst-Size | integer | Upstream peak rate, in bit/s. NOTE: This attribute is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 26-78 | HW-Output-Peak-Burst-Size | integer | Downstream peak rate, in bit/s. |
| 26-82 | HW-Data-Filter | string | Used by the RADIUS server to deliver IPv4 or IPv6 ACL rules to users. ACL rules can be delivered in two modes: delivering ACL rules through DACL groups and delivering ACL rules. There are old and new attribute formats for ACL rules. Compared with the old attribute format, the new attribute format shortens the length of an ACL rule. NOTE: Directly delivering ACL rules in new attribute format (fields in square brackets are optional). The attribute format is: $number permit/deny [ protocol ] [ direction ip-address [ port ] ]. The fields are described as follows: The following examples are the attribute values entered on the server: $1 permit dst 10.0.239.192/26; $2 permit udp src any 8080; $3 permit icmp echo dst 10.1.1.1/24; $5 deny. Directly delivering ACL rules in old attribute format. The attribute format is acl number key1 key-value1... keyN key-valueN permit/deny. The fields are described as follows: |
| 26-135 | HW-Client-Primary-DNS | ipaddr | Primary DNS address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-136 | HW-Client-Secondary-DNS | ipaddr | Secondary DNS address delivered by the RADIUS server after a user is successfully authenticated. |
| 26-138 | HW-Domain-Name | string | Name of the domain used for user authentication. This attribute can be the domain name contained in a user name or the name of a forcible domain. |
| 26-141 | HW-AP-Information | string | AP's MAC address used for STA authentication, in H-H-H format. H is a 4-digit hexadecimal number. NOTE: This attribute is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 26-142 | HW-User-Information | string | User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user to notify the user of items that require security checks. |
| 26-146 | HW-Service-Scheme | string | Service scheme name. A service scheme contains user authorization information and policies. |
| 26-153 | HW-Access-Type | integer | User access type carried in the authentication and accounting request packets sent by the RADIUS client to the RADIUS server: |
| 26-155 | HW-URL-Flag | integer | This attribute specifies whether a Uniform Resource Locator (URL) is forcibly pushed when it is used with another attribute, for example, HW-Portal-URL: |
| 26-156 | HW-Portal-URL | string | Forcibly pushed URL. If information delivered by the RADIUS server matches the configured URL template, the URL configured in the template is used. Otherwise, the character string delivered by the RADIUS server is used. |
| 26-157 | HW-Terminal-Type | string | Terminal type of a user. |
| 26-158 | HW-DHCP-Option | string | DHCP Option, encapsulated in Type-Length-Value (TLV) format. A packet may contain multiple HW-DHCP-Option attributes to carry Option information. Only Option 82 can be delivered. |
| 26-159 | HW-HTTP-UA | string | User-Agent information in Hypertext Transfer Protocol (HTTP) packets. |
| 26-160 | HW-UCL-Group | integer | Index of a UCL group. |
| 26-161 | HW-Forwarding-VLAN | string | Delivers the Internet Service Provider (ISP) VLAN for user packet forwarding. NOTE: This attribute is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 26-162 | HW-Forwarding-Interface | string | Outbound interface for forwarding user packets. NOTE: This attribute is only supported by the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI. |
| 26-163 | HW-LLDP | string | LLDP information. A packet can contain multiple HW-LLDP-Info attributes to carry different options. |
| 26-166 | HW-Acct-ipv6-Input-Octets | integer | Number of upstream bytes in an IPv6 flow. The unit can be byte, kilobyte, megabyte, or gigabyte. |
| 26-167 | HW-Acct-ipv6-Output-Octets | integer | Number of downstream bytes in an IPv6 flow. The unit can be byte, kilobyte, megabyte, or gigabyte. |
| 26-168 | HW-Acct-ipv6-Input-Packets | integer | Number of upstream packets in an IPv6 flow. |
| 26-169 | HW-Acct-ipv6-Output-Packets | integer | Number of downstream packets in an IPv6 flow. |
| 26-170 | HW-Acct-ipv6-Input-Gigawords | integer | This attribute specifies the number of times that more than 4 GB upstream packets are carried in an IPv6 flow. This attribute is usually used with the HW-Acct-ipv6-Input-Octets attribute. |
| 26-171 | HW-Acct-ipv6-Output-Gigawords | integer | This attribute specifies the number of times that more than 4 GB downstream packets are carried in an IPv6 flow. This attribute is usually used with the HW-Acct-ipv6-Output-Octets attribute. |
| 26-173 | HW-Redirect-ACL | string | Redirection ACL. Redirection is performed for only the users matching the ACL rules. The ACL number or ACL name can be delivered. The ACL name must start with a character. NOTE: The value range of acl-number is from 3000 to 3999 for wired users and from 3000 to 3031 for wireless users. After the authentication mode multi-share command is configured in the authentication profile, authorization redirection ACL will not be supported. |
| 26-178 | HW-IPv6-Redirect-ACL | string | Redirection IPv6 ACL. Redirection is performed for only the users matching the ACL rules. The ACL number or ACL name can be delivered. The ACL name must start with a character. NOTE: |
| 26-201 | HW-User-Extend-Info | string | Extended user information. This attribute is contained in authentication and accounting request packets. A packet can contain multiple HW-User-Extend-Info attributes. The following describes extended user information: This attribute applies only to MAC address authentication and Portal authentication. |
| 26-237 | HW-Web-Authen-Info | string | Information sent from the portal server via the device (which transparently transmits the information) to the RADIUS server. For example, a user selects the authentication-free option and time information for next login, based on which the RADIUS server saves the MAC address of the user for a period of time. Upon the next login of the user, the login page is not displayed. Instead, MAC address authentication is preferentially used. This attribute can be used for transparent transmission in complex modes such as EAP. |
| 26-238 | HW-Ext-Specific | string | User extended attributes: NOTE: During RADIUS CoA dynamic authorization, when the value of user-command is 1, 2, or 3, other authorization attributes are not supported. The user-dscp-in and user-dscp-out attributes cannot be authorized to wireless users in direct forwarding mode. This attribute applies only to NAC users. |
| 26-239 | HW-User-Access-Info | string | User description profile information. |
| 26-240 | HW-Access-Device-Info | string | The authentication and accounting request packets carry the IP addresses, MAC addresses, and port numbers of access switches in policy association. The format is ip=A.B.C.D;mac=XXXX-XXXX-XXXX;slot=XX;subslot=XXX;port=XXX;vlanid=XXXX. |
| 26-244 | HW-Reachable-Detect | string | Server reachability detection information. Authentication packets carrying this attribute are server detection packets. |
| 26-247 | HW-Tariff-Input-Octets | string | Number of upstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of upstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels. |
| 26-248 | HW-Tariff-Output-Octets | string | Number of downstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of downstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels. |
| 26-249 | HW-Tariff-Input-Gigawords | string | Number of times larger the number of upstream bytes at the specified tariff level is than 4G. This field and the HW-Tariff-Input-Octets field specify the number of upstream bytes at the specified tariff level. |
| 26-250 | HW-Tariff-Output-Gigawords | string | Number of times larger the number of downstream bytes at the specified tariff level is than 4G. This field and the HW-Tariff-Output-Octets field specify the number of downstream bytes at the specified tariff level. |
| 26-251 | HW-IPv6-Filter-ID | string | ID of a user IPv6 ACL. The value range is from 3000 to 3031. NOTE: |
| 26-253 | HW-Framed-IPv6-Address | ipaddr | IPv6 address to be configured for the user. |
| 26-254 | HW-Version | string | Software version of the device. |
| 26-255 | HW-Product-ID | string | NAS product name. |

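
The Vendor-Specific encapsulation described above (attribute 26 carrying vendor ID 2011 and one or more sub-attributes), as an added Python example that is not Huawei's code: it decodes Huawei sub-attributes from the attribute section of a RADIUS packet and flags HW-Exec-Privilege values worth reviewing in Access-Accept packets. The TLV layout follows RFC 2865; the helper names, the sample bytes and the `max_expected` policy level are assumptions made for illustration.

```python
import ipaddress
import struct

HUAWEI_VENDOR_ID = 2011  # vendor ID stated on this page
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute

# A few rows of Table 2: sub-attribute number -> (name, attribute type)
HW_SUBATTRS = {
    29: ("HW-Exec-Privilege", "integer"),
    135: ("HW-Client-Primary-DNS", "ipaddr"),
    146: ("HW-Service-Scheme", "string"),
}


class MalformedAttribute(ValueError):
    """A length field does not fit the enclosing buffer or the value type."""


def walk_tlvs(buf, what):
    """Yield (type, value); the one-byte length includes the 2-byte header."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute(f"{what}: truncated header at offset {pos}")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise MalformedAttribute(f"{what} {kind}: bad length {length}")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def decode_value(attr_type, raw):
    """Decode a value according to the Attribute Type column of the tables."""
    if attr_type in ("integer", "ipaddr") and len(raw) != 4:
        raise MalformedAttribute(f"{attr_type} needs 4 bytes, got {len(raw)}")
    if attr_type == "integer":
        return struct.unpack("!I", raw)[0]
    if attr_type == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    if attr_type == "string":
        return raw.decode("utf-8", errors="replace")
    return raw.hex()  # sub-attribute not in HW_SUBATTRS: keep bytes, do not guess


def decode_huawei_vsas(attributes):
    """Decode Huawei sub-attributes from the bytes after the 20-byte RADIUS header."""
    found = []
    for kind, value in walk_tlvs(attributes, "attribute"):
        if kind != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise MalformedAttribute("Vendor-Specific: missing vendor ID")
        if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
            continue
        # One attribute 26 can carry several sub-attributes.
        for sub, raw in walk_tlvs(value[4:], "sub-attribute"):
            name, attr_type = HW_SUBATTRS.get(sub, (f"unknown-{sub}", "octets"))
            found.append((f"26-{sub}", name, decode_value(attr_type, raw)))
    return found


def review_exec_privilege(decoded, max_expected=3):
    """Flag HW-Exec-Privilege values; max_expected is a hypothetical site policy."""
    findings = []
    for number, name, value in decoded:
        if name != "HW-Exec-Privilege":
            continue
        if value >= 16:
            findings.append(f"{number} {name}={value}: ineffective, valid range is 0-15")
        elif value > max_expected:
            findings.append(f"{number} {name}={value}: above policy level {max_expected}")
    return findings


def tlv(kind, value):
    """Build one Type/Length/Value record for the constructed sample."""
    return bytes([kind, len(value) + 2]) + value


def huawei_vsa(*subattrs):
    """Wrap sub-attribute records in attribute 26 with the Huawei vendor ID."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + b"".join(subattrs))


# Constructed attribute section of an Access-Accept (not a captured packet).
SAMPLE = (
    tlv(18, b"welcome")  # Reply-Message
    + huawei_vsa(tlv(29, struct.pack("!I", 15)), tlv(146, b"ops"))
    + tlv(VENDOR_SPECIFIC, struct.pack("!I", 99999) + tlv(1, b"x"))  # other vendor
    + huawei_vsa(tlv(135, bytes([192, 0, 2, 53])))
)

if __name__ == "__main__":
    decoded = decode_huawei_vsas(SAMPLE)
    for row in decoded:
        print(row)
    print(review_exec_privilege(decoded))
```

Sub-attributes missing from `HW_SUBATTRS` are returned as hex rather than guessed at, and a length that overruns its buffer raises `MalformedAttribute` instead of being read past.
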
Huawei devices support some extended RADIUS attributes of Microsoft, Cisco, and DSL Forum. For details, see Table 3.

| Attribute No. | Attribute Name | Attribute Type | Description |
|---|---|---|---|
| MICROSOFT-16 | MS-MPPE-Send-Key | string | This attribute indicates the MPPE sending key. |
| MICROSOFT-17 | MS-MPPE-Recv-Key | string | This attribute indicates the MPPE receiving key. |
| CISCO-1 | Cisco-avpair | string | This attribute indicates the voice VLAN. |
| DSLFORUM-1 | Agent-Circuit-Id | string | This attribute contains information describing the subscriber agent circuit identifier corresponding to the logical access loop port of the Access Node/DSLAM from which a subscriber's requests are initiated. |
| DSLFORUM-2 | Agent-Remote-Id | string | This attribute contains an operator-specific, statically configured string that uniquely identifies the subscriber on the associated access loop of the Access Node/DSLAM. |

The following describes the values in the tables:

| Attribute No. | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|
| User-Name(1) | 1 | 0-1 | 0 | 0 |
| User-Password(2) | 0-1 | 0 | 0 | 0 |
| CHAP-Password(3) | 0-1 | 0 | 0 | 0 |
| NAS-IP-Address(4) | 1 | 0 | 0 | 0 |
| NAS-Port(5) | 1 | 0 | 0 | 0 |
| Service-Type(6) | 1 | 0-1 | 0 | 0 |
| Framed-Protocol(7) | 1 | 0-1 | 0 | 0 |
| Framed-IP-Address(8) | 0-1 | 0-1 | 0 | 0 |
| Filter-Id(11) | 0 | 0-1 | 0 | 0 |
| Framed-Mtu(12) | 0-1 | 0 | 0 | 0 |
| Login-IP-Host(14) | 0-1 | 0-1 | 0 | 0 |
| Login-Service(15) | 0 | 0-1 | 0 | 0 |
| Reply-Message(18) | 0 | 0-1 | 0-1 | 0-1 |
| Callback-Number(19) | 0 | 0-1 | 0 | 0 |
| State(24) | 0-1 | 0-1 | 0 | 0-1 |
| Class(25) | 0 | 0-1 | 0 | 0 |
| Session-Timeout(27) | 0 | 0-1 | 0-1 | 0-1 |
| Idle-Timeout(28) | 0 | 0-1 | 0 | 0 |
| Termination-Action(29) | 0 | 0-1 | 0 | 0-1 |
| Called-Station-Id(30) | 0-1 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 1 | 0-1 | 0 | 0 |
| NAS-Identifier(32) | 1 | 0 | 0 | 0 |
| Acct-Session-id(44) | 1 | 0 | 0 | 0 |
| CHAP-Challenge(60) | 0-1 | 0 | 0 | 0 |
| NAS-Port-Type(61) | 1 | 0 | 0 | 0 |
| Tunnel-Type(64) | 0 | 0-1 | 0 | 0 |
| Tunnel-Medium-Type(65) | 0 | 0-1 | 0 | 0 |
| EAP-Message(79) | 0-1 | 0-1 | 0-1 | 0-1 |
| Message-Authenticator(80) | 0-1 | 0-1 | 0-1 | 0-1 |
| Tunnel-Private-Group-ID(81) | 0 | 0-1 | 0-1 | 0 |
| Acct-Interim-Interval(85) | 0 | 0-1 | 0 | 0 |
| NAS-Port-Id(87) | 0-1 | 0 | 0 | 0 |
| Chargeable-User-Identity(89) | 0-1 | 0-1 | 0 | 0 |
| NAS-IPv6-Address(95) | 0-1 | 0 | 0 | 0 |
| Framed-Interface-Id(96) | 0+ | 0 | 0 | 0 |
| Framed-IPv6-Prefix(97) | 0+ | 0 | 0 | 0 |
| HW-SecurityStr(195) | 0-1 | 0 | 0 | 0 |
| HW-Input-Peak-Information-Rate(26-1) | 0 | 0-1 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 0 | 0-1 | 0 | 0 |
| HW-Input-Committed-Burst-Size(26-3) | 0 | 0-1 | 0 | 0 |
| HW-Output-Peak-Information-Rate(26-4) | 0 | 0-1 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 0 | 0-1 | 0 | 0 |
| HW-Output-Committed-Burst-Size(26-6) | 0 | 0-1 | 0 | 0 |
| HW-Remanent-Volume(26-15) | 0 | 0-1 | 0 | 0 |
| HW-Subscriber-QoS-Profile(26-17) | 0 | 0-1 | 0 | 0 |
| HW-UserName-Access-Limit(26-18) | 0 | 0-1 | 0 | 0 |
| HW-Connect-ID(26-26) | 1 | 0 | 0 | 0 |
| Ftp-directory(26-28) | 0 | 0-1 | 0 | 0 |
| HW-Exec-Privilege(26-29) | 0 | 0-1 | 0 | 0 |
| HW-Qos-Data(26-31) | 0 | 0-1 | 0 | 0 |
| HW-VoiceVlan(26-33) | 0 | 0-1 | 0 | 0 |
| HW-ProxyRdsPkt(26-35) | 0 | 0-1 | 0 | 0 |
| HW-NAS-Startup-Time-Stamp(26-59) | 1 | 0 | 0 | 0 |
| HW-IP-Host-Address(26-60) | 1 | 0 | 0 | 0 |
| HW-Up-Priority(26-61) | 0 | 0-1 | 0 | 0 |
| HW-Down-Priority(26-62) | 0 | 0-1 | 0 | 0 |
| HW-Primary-WINS(26-75) | 0 | 0-1 | 0 | 0 |
| HW-Second-WINS(26-76) | 0 | 0-1 | 0 | 0 |
| HW-Input-Peak-Burst-Size(26-77) | 0 | 0-1 | 0 | 0 |
| HW-Output-Peak-Burst-Size(26-78) | 0 | 0-1 | 0 | 0 |
| HW-Data-Filter(26-82) | 0 | 0-1 | 0-1 | 0 |
| HW-Client-Primary-DNS(26-135) | 0 | 0-1 | 0 | 0 |
| HW-Client-Secondary-DNS(26-136) | 0 | 0-1 | 0 | 0 |
| HW-Domain-Name(26-138) | 1 | 0 | 0 | 0 |
| HW-AP-Information(26-141) | 1 | 0 | 0 | 0 |
| HW-User-Information(26-142) | 0 | 0-1 | 0 | 0 |
| HW-Service-Scheme(26-146) | 0 | 0-1 | 0 | 0 |
| HW-Access-Type(26-153) | 1 | 0-1 | 0 | 0 |
| HW-URL-Flag(26-155) | 0 | 0-1 | 0 | 0 |
| HW-Portal-URL(26-156) | 0 | 0-1 | 0 | 0 |
| HW-Terminal-Type(26-157) | 0-1 | 0 | 0 | 0 |
| HW-DHCP-Option(26-158) | 0+ | 0 | 0 | 0 |
| HW-UCL-Group(26-160) | 0 | 0-1 | 0 | 0 |
| HW-Forwarding-VLAN(26-161) | 0 | 0-1 | 0 | 0 |
| HW-Forwarding-Interface(26-162) | 0 | 0-1 | 0 | 0 |
| HW-LLDP(26-163) | 0-1 | 0 | 0 | 0 |
| HW-Redirect-ACL(26-173) | 0 | 0-1 | 0 | 0 |
| HW-User-Extend-Info(26-201) | 0-1 | 0 | 0 | 0 |
| HW-Web-Authen-Info(26-237) | 1 | 0 | 0 | 0 |
| HW-Ext-Specific(26-238) | 0 | 0-1 | 0 | 0 |
| HW-User-Access-Info(26-239) | 1 | 0 | 0 | 0 |
| HW-Access-Device-Info(26-240) | 0-1 | 0 | 0 | 0 |
| HW-Reachable-Detect(26-244) | 0 | 0 | 0 | 0 |
| HW-Framed-IPv6-Address(26-253) | 0-1 | 0 | 0 | 0 |
| HW-Version(26-254) | 1 | 0 | 0 | 0 |
| HW-Product-ID(26-255) | 1 | 0 | 0 | 0 |
| MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0-1 | 0 | 0 |
| MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0-1 | 0 | 0 |
| Cisco-avpair(CISCO-1) | 0 | 0-1 | 0 | 0 |
| Agent-Circuit-Id(DSLFORUM-1) | 0-1 | 0 | 0 | 0 |
| Agent-Remote-Id(DSLFORUM-2) | 0-1 | 0 | 0 | 0 |

| Attribute No. | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|
| User-Name(1) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-IP-Address(4) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port(5) | 1 | 1 | 1 | 0 | 0 | 0 |
| Service-Type(6) | 1 | 1 | 1 | 0 | 0 | 0 |
| Framed-Protocol(7) | 1 | 1 | 1 | 0 | 0 | 0 |
| Framed-IP-Address(8) | 1 | 1 | 1 | 0 | 0 | 0 |
| Class(25) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Session-Timeout(27) | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| Called-Station-Id(30) NOTE: For users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry this attribute, then neither does the accounting request packet. | 1 | 1 | 1 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Identifier(32) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Status-Type(40) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Delay-Time(41) | 0-1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Input-Octets(42) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Acct-Session-Id(44) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Authentic(45) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Session-Time(46) | 0 | 1 | 1 | 0 | 0 | 0 |
| Acct-Input-Packets(47) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Acct-Output-Packets(48) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Acct-Terminate-Cause(49) | 0 | 0 | 1 | 0 | 0 | 0 |
| Acct-Input-Gigawords(52) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Acct-Output-Gigawords(53) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Event-Timestamp(55) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port-Type(61) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port-Id(87) | 1 | 1 | 1 | 0 | 0 | 0 |
| Chargeable-User-Identity(89) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| NAS-IPv6-Address(95) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Connect-ID(26-26) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-IP-Host-Address(26-60) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Domain-Name(26-138) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-AP-Information(26-141) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-User-Information(26-142) | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| HW-Access-Type(26-153) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Terminal-Type(26-157) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-DHCP-Option(26-158) | 0+ | 0+ | 0+ | 0 | 0 | 0 |
| HW-HTTP-UA(26-159) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-LLDP(26-163) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-User-Extend-Info(26-201) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Access-Device-Info(26-240) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Reachable-Detect(26-244) | 0 | 0 | 0 | 0 | 0 | 0 |
| HW-Tariff-Input-Octets(26-247) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Output-Octets(26-248) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Input-Gigawords(26-249) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Output-Gigawords(26-250) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Framed-IPv6-Address(26-253) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0 | 0 | 0 | 0 | 0 |
| MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0 | 0 | 0 | 0 | 0 |
| Cisco-avpair(CISCO-1) | 0 | 0 | 0 | 0 | 0 | 0 |
| Agent-Circuit-Id(DSLFORUM-1) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Agent-Remote-Id(DSLFORUM-2) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |

Attribute No. | CoA REQUEST | CoA ACK | CoA NAK | DM REQUEST | DM ACK | DM NAK |
---|---|---|---|---|---|---|
User-Name(1) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
NAS-IP-Address(4) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
NAS-Port(5) | 0-1 | 0 | 0 | 0-1 | 0 | 0 |
Framed-IP-Address(8) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
Filter-Id(11) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Session-Timeout(27) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Idle-Timeout(28) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Termination-Action(29) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Calling-Station-Id(31) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
NAS-Identifier(32) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
Acct-Session-Id(44) | 1 | 1 | 1 | 1 | 1 | 1 |
Tunnel-Type(64) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Tunnel-Medium-Type(65) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Tunnel-Private-Group-ID(81) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Acct-Interim-Interval(85) | 0-1 | 0 | 0 | 0 | 0 | 0 |
NAS-Port-Id(87) | 0-1 | 0 | 0 | 0-1 | 0 | 0 |
HW-Input-Peak-Information-Rate(26-1) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Input-Committed-Information-Rate(26-2) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Output-Peak-Information-Rate(26-4) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Output-Committed-Information-Rate(26-5) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Output-Committed-Burst-Size(26-6) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Subscriber-QoS-Profile(26-17) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Qos-Data(26-31) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Up-Priority(26-61) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Down-Priority(26-62) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Input-Peak-Burst-Size(26-77) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Output-Peak-Burst-Size(26-78) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Data-Filter(26-82) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Service-Scheme(26-146) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-URL-Flag(26-155) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Portal-URL(26-156) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-UCL-Group(26-160) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Forwarding-VLAN(26-161) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Forwarding-Interface(26-162) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Redirect-ACL(26-173) | 0-1 | 0 | 0 | 0 | 0 | 0 |
HW-Ext-Specific(26-238) | 1 | 0 | 0 | 0 | 0 | 0 |
MS-MPPE-Send-Key(MICROSOFT-16) | 0 | 0 | 0 | 0 | 0 | 0 |
MS-MPPE-Recv-Key(MICROSOFT-17) | 0 | 0 | 0 | 0 | 0 | 0 |
Cisco-avpair(CISCO-1) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Agent-Circuit-Id(DSLFORUM-1) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Agent-Remote-Id(DSLFORUM-2) | 0-1 | 0 | 0 | 0 | 0 | 0 |
Dynamic VLAN: If dynamic VLAN delivery is configured on the server, authorization information includes the delivered VLAN attribute. After the device receives the delivered VLAN attribute, it changes the VLAN of the user to the delivered VLAN.
The delivered VLAN does not change or affect the interface configuration. The delivered VLAN, however, takes precedence over the VLAN configured on the interface. That is, the delivered VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect after the user goes offline.
To ensure that the RADIUS server delivers VLAN information correctly, all three RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-Type attributes must be set to the specified values.
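The check described above can be run against a captured Access-Accept before blaming the switch for a failed VLAN assignment. This is an added example, not Huawei's code. It assumes the three attributes are Tunnel-Type(64), Tunnel-Medium-Type(65) and Tunnel-Private-Group-ID(81), and that the required values are 13 (VLAN) and 6 (IEEE-802) as defined in RFC 2868 and RFC 3580. All function names and the sample packet are constructed for illustration.

```python
import struct

# Attribute numbers as listed in the tables above. The required values are an
# assumption taken from RFC 2868 / RFC 3580 (13 = VLAN, 6 = IEEE-802).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

def build_accept(attrs):
    """Constructed sample: Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return {attr_type: [raw_value, ...]} from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type carry a 1-byte tag + 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def delivered_vlan(packet):
    """Return the VLAN string if all three attributes are valid, else None."""
    attrs = parse_attributes(packet)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(len(attrs.get(t, [])) != 1 for t in needed):
        return None                      # one of the three is missing or repeated
    if (tagged_int(attrs[TUNNEL_TYPE][0]) != TT_VLAN
            or tagged_int(attrs[TUNNEL_MEDIUM_TYPE][0]) != TMT_IEEE_802):
        return None                      # wrong tunnel type or medium
    group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    if group and group[0] <= 0x1F:       # optional RFC 2868 tag byte
        group = group[1:]
    return group.decode("ascii") or None

GOOD = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"100")])
```

`delivered_vlan(GOOD)` returns `"100"`. A packet that omits Tunnel-Medium-Type or carries a different Tunnel-Type returns `None`, which is the case where the user stays in the VLAN configured on the interface.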