Description of RADIUS attributes

Attribute number

1

Attribute type

string

Protocol

RFC2865

Attribute description

Name of the user to be authenticated.

In wireless 802.1X access and IPoE access scenarios, after a user passes authentication with a username, the RADIUS server can assign a different username to the user by using the Access-Accept packet. When the access device receives the packet and the username-authorization apply command is executed, the access device uses the assigned username for subsequent AAA processing (such as accounting, user information query and display) for the user.

Attribute number

2

Attribute type

string

Protocol

RFC2865

Attribute description

User password for PAP authentication, only present in Access-Request packets when PAP authentication is used.

Attribute number

3

Attribute type

Octets

Protocol

RFC2865

Attribute description

Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.

Attribute number

4

Attribute type

Address

Protocol

RFC2865

Attribute description

IP address of the NAS device.

An authentication request must carry the NAS-IP-Address or NAS-identifier attribute. The NAS-IP-Address carried in the request might be different from the source IP address in the packets received by the RADIUS server in some cases, for example, after a NAT traversal.

The NAS-IP-Address attribute value can be set by a command on the NAS device. For more information, see the AAA configuration guide for the NAS device.

Attribute number

5

Attribute type

integer

Protocol

RFC2865

Attribute description

Physical port of the NAS that the user accesses.

H3C defines the attribute format as follows:

·     For Ethernet access users: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits)

·     For ADSL access users: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (166 bits)

Attribute number

6

Attribute type

integer

Protocol

RFC2865

Attribute description

Type of service that the user has requested or type of service to be provided. Values include:

·     1: Login service, for device management users.

·     2: Framed service, for network access users.

·     4: Callback Framed service.

·     5: Outbound service.

·     10: Call Check service, for MAC authentication users.

At present, the attribute value is 10 for MAC authentication users, 1 for device management users, and 2 for other types of users. For IPoE users, you can use the attribute 6 value outbound user-type ipoe command to set the value of the attribute to 5.

Attribute number

7

Attribute type

integer

Protocol

RFC2865

Attribute description

Encapsulation protocol for framed access. Values include:

·     1: PPP

·     2: SLIP

·     3: AppleTalk Remote Access Protocol (ARAP)

·     4: Gandalf proprietary SingleLink/MultiLink protocol

·     5: Xylogics proprietary IPX/SLIP

·     6: X.75 Synchronous

·     255: Portal

At present, the attribute value is 255 for portal access and 1 for all other access types.

Attribute number

8

Attribute type

Address

Protocol

RFC2865

Attribute description

IP address assigned to the user.

·     Carries the IP address of the user in an authentication request to the server.

·     Carries the IP address assigned by the server to the user in an authentication reply.

Attribute number

11

Attribute type

String

Protocol

RFC2865

Attribute description

Name of the filter list.

This attribute is parsed as follows:

·     If the name is a string of all digits, it indicates an ACL number.

·     If the name is not a string of all digits, it indicates a user profile.

NOTE:

The H3C proprietary attribute user-group (140) can also be used to deploy SSL VPN user groups. This proprietary attribute only supports deploying SSL VPN user groups during authentication and authorization (carried in Access-Accept packets). It does not support the deployment in dynamic authorization (carried in SessionControl and CoA packets). If the Filter-ID attribute is carried in the Access-Accept packet and the user-group (140) attribute is carried in the SessionControl or CoA packet, the device uses the attribute that comes first.

Attribute number

12

Attribute type

integer

Protocol

RFC2865

Attribute description

MTU of the data link, only for port security users.

The size of an EAPoL frame is limited by the Ethernet frame. If an EAP frame is too long, it cannot be carried in an EAPoL frame.

The NAS device uses the Framed-MTU attribute to indicate the maximum length of an EAP frame sent by the RADIUS server, so as to avoid loss of EAP frames caused by EAP frames exceeding the data link MTU. The default value of this attribute is 1450.

Attribute number

14

Attribute type

Address

Protocol

RFC2865

Attribute description

IP address of the NAS interface that the user accesses.

Attribute number

15

Attribute type

Integer

Protocol

RFC2865

Attribute description

Type of service that the user uses for login. The server is supported to deploy multiple Login-Service attributes at a time.

The device checks the consistency of the service type used by the user to log in to the device and the service type indicated by the Login-Service attribute assigned by the server.

H3C defines the following extended values for the Login-Service attribute:

·     50: SSH

·     51: FTP

·     52: Terminal

·     53: HTTP

·     54: HTTPS

Support for values 53 and 54 depends on the device model.

You can configure the check method for RADIUS 15 on the NAS device to determine whether to use the extended Login-Service attribute values to check the service type consistency for users.

·     Strict method: The devices uses standard and extended Login-Service attribute values to check user service types. SSH, FTP, and terminal users can pass authentication only when the RADIUS server assigns the corresponding extended Login-Service attribute values to them.

·     Loose method: The devices uses standard Login-Service attribute values to check user service types. SSH, FTP, and terminal users can pass authentication only when the RADIUS server assigns the Login-Service attribute value of 0 (representing the Telnet service).

Attribute number

22

Attribute type

string

Protocol

RFC2865

Attribute description

Authorization routing information for the user. This attribute applies only to PPP users. Other access types ignore this attribute. This attribute can be used multiple times in a packet.

Attribute number

24

Attribute type

Octets

Protocol

RFC2865

Attribute description

If a reply packet from the server contains this attribute, the access device carries this attribute in all subsequent packets it sends, and the attribute value maintains the same.

Attribute number

25

Attribute type

Octets

Protocol

RFC2865

Attribute description

If a reply packet from the server contains this attribute, the access device carries this attribute in all subsequent packets it sends, and the attribute value maintains the same.

To communicate with a specific server, you must use the attribute 25 car command to configure the device to interpret the Class attribute (attribute 25) as CAR parameters. The device will parse the first 32 bytes of the Class attribute value as INPUT_PEAK_RATE, INPUT_AVG_RATE, OUTPUT_PEAK_RATE, and OUTPUT_AVG_RAT, in bytes. Other bytes of the Class attribute value are ignored.

Attribute number

26

Attribute type

Octets

Protocol

RFC2865

Attribute description

Vendor-specific proprietary attribute. A packet can contain one or more proprietary attributes, each of which can contain one or more subattributes.

Attribute number

27

Attribute type

Integer

Protocol

RFC2865

Attribute description

Maximum service duration (in seconds) for the user before termination of the session. This attribute can present in authentication reply and accounting reply packets.

When the user online duration reaches the session timeout time, the device does not log out the user immediately but initiates an accounting update process for the user. If the accounting reply packet carries a non-zero session-timeout attribute, the device updates the remaining online time for the user. If the accounting reply packet does not provide the session-timeout attribute or the carried session-timeout attribute value is 0, the device logs out the user.

Attribute number

28

Attribute type

Integer

Protocol

RFC2865

Attribute description

Maximum idle time permitted for the user before termination of the session.

The device supports setting user idle timeout in ISP domain view. The idle timeout set in ISP domain view has a higher priority than that assigned by the server. By default, a user is timed out if the user generates less than 10240 bytes of traffic within the idle timeout time.

Attribute number

29

Attribute type

Integer

Protocol

RFC2865

Attribute description

The specified mode for terminating the NAS service, such as re-authentication or forcing a user to log out. The value for this attribute can be the following:

·     0: Default. The value 0 indicates to force the user to log out. However, if the device is enabled with periodic re-authentication and the re-authentication timer value is smaller than the user session-timeout value, the port does not force users to log out but initiate re-authentication on the online 802.1X users on the port at intervals set by the re-authentication timer.

·     1: RADIUS-Request. The value 1 indicates to perform re-authentication on the user when the session-timeout time for the user is reached. At present, only 802.1X and MAC authentication users support re-authentication.

Attribute number

30

Attribute type

String

Protocol

RFC2865

RFC3580

Attribute description

·     For PPP users, this attribute is the called number.

·     For PPPoE/IPoE/portal/port security users, this attribute is the MAC address of the user access interface (format: XX-XX-XX-XX-XX-XX).

·     For wireless access (portal/port security) users, this attribute is the MAC address of the user access AP and the SSID (format: XX-XX-XX-XX-XX-XX:SSID).

Attribute number

31

Attribute type

String

Protocol

RFC2865

RFC3580

Attribute description

·     For 802.1X, portal, and Login users, this attribute is the MAC address of the user, in the format of H-H-H-H-H-H. On the NAS, you can use the attribute 31 mac-format command to configure the MAC address format, including setting the separator, lowercase, uppercase, six-section format, or three-section format.

·     For PPP and VoIP users, this attribute is the caller number.

·     For reverse telnet users, this attribute is the user IP address.

Attribute number

32

Attribute type

String

Protocol

RFC2865

RFC3580

Attribute description

Device name of the NAS. Values in descending order of priority are:

·     NAS-ID obtained by the wireless module.

·     NAS-ID in VSRP instance view.

·     NAS-ID bound with the user access VLANs.

·     NAS-ID in access interface view.

·     NAS-ID in ISP domain view.

·     System name set by the sysname command.

Attribute number

40

Attribute type

Integer

Protocol

RFC2866

Attribute description

Type of the Accounting-Request packet. Possible values include:

·     1: Accounting start.

·     2: Accounting stop.

·     3: Interim-Update.

Attribute number

41

Attribute type

Integer

Protocol

RFC2866

Attribute description

Time spent to send an Accounting Request packet, in seconds.

Acct-Delay-Time = Time when an Accounting Request packet was sent - Time when the packet was created.

Attribute number

42

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of upstream bytes. The unit is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 52 (Acct-Input-Gigawords).

Attribute number

43

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of downstream bytes. The unit is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 53 (Acct-Output-Gigawords).

Attribute number

44

Attribute type

String

Protocol

RFC2866

Attribute description

A unique accounting identifier, a string of 1 to 64 characters. Accounting packets must carry  this attribute. Authentication packets carry this attribute as required by the server. If this attribute is carried in an authentication packet, the attribute value must be the same as that carried in accounting packets.

Attribute number

45

Attribute type

Integer

Protocol

RFC2866

Attribute description

User authentication method carried in accounting packets. Possible values include:

·     0—None (extended value of H3C).

·     1—RADIUS.

·     2—Local.

·     3—Remote.

Attribute number

46

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Session duration of the user, in seconds.

Attribute number

47

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of upstream packets. The unit is specified by the data-flow-format command on the NAS, which can be packet (default), kilo-packet, mega-packet, or giga-packet.

Attribute number

48

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of downstream packets. The unit is specified by the data-flow-format command on the NAS, which can be packet (default), kilo-packet, mega-packet, or giga-packet.

Attribute number

49

Attribute type

Integer

Protocol

RFC2866

Attribute description

Reason for the termination of the accounting session. Possible values include:

·     1: User Request

·     2: Lost Carrier

·     3: Lost Service

·     4: Idle Timeout

·     5: Session Timeout

·     6: Admin Reset

·     7: Admin Reboot

·     8: Port Error

·     9: NAS Error

·     10: NAS Request

·     11: NAS Reboot

·     12: Port Unneeded

·     13: Port Preempted

·     14: Port Suspended

·     15: Service Unavailable

·     16: Callback

·     17: User Error

·     18: Host Request

Attribute number

50

Attribute type

String

Protocol

RFC2866

Attribute description

(Accounting) A unique accounting identifier used to link multiple related sessions of a user.

In ITA service, the primary user's attribute 44 (Acct-Session-Id) is the same as attribute 50 for all levels of traffic of the user.

Attribute number

52

Attribute type

Integer

Protocol

RFC2869

Attribute description

Number of times the Acct-Input-Octets counter has wrapped around 2^32. The unit for this attribute is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 42 (Acct-Input-Octets).

Attribute number

53

Attribute type

Integer

Protocol

RFC2869

Attribute description

Number of times the Acct-Output-Octets counter has wrapped around 2^32. The unit for this attribute is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 43 (Acct-Output-Octets).

Attribute number

55

Attribute type

Date

Protocol

RFC2869

Attribute description

Time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC.

Attribute number

56

Attribute type

Integer

Protocol

RFC4675

Attribute description

Four-byte VLAN ID assigned by the server. The first byte 0x31 indicates to carry the tag. The first byte 0x32 indicates to not carry the tag. The subsequent 12 bits represent the VLAN ID. In any other cases, this attribute is invalid.

Attribute number

58

Attribute type

String

Protocol

RFC4675

Attribute description

VLAN ID assigned by the server. The first byte 0x31 indicates to carry the tag. The first byte 0x32 indicates to not carry the tag. The subsequent bytes represent the VLAN name.

Attribute number

60

Attribute type

Octets

Protocol

RFC2865

Attribute description

CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.

Attribute number

61

Attribute type

Integer

Protocol

RFC2865

Attribute description

Type of the physical port of the NAS that is authenticating the user. Possible values include:

·     0: Async

·     1: Sync

·     2: ISDN Sync

·     3: ISDN Async V.120

·     4: ISDN Async V.110

·     5: Virtual

·     6: PIAFS

·     7: HDLC Clear Channel

·     8: X.25

·     9: X.75

·     10: G.3 Fax

·     11: SDSL - Symmetric DSL

·     12: ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation

·     13: ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone

·     14: IDSL - ISDN Digital Subscriber Line

·     15: Ethernet

·     16: xDSL - Digital Subscriber Line of unknown type (any type of ADSL)

·     17: Cable (for cable TV)

·     18: Wireless - Other

·     19: Wireless - IEEE 802.11

·     201: VLAN

·     202: ATM interface

To configure the value for this attribute, use the nas-port-type command on the port.

For portal users, if the NAS communicates with a MAC binding server from a specific vendor, you can use the nas-port-type command in MAC binding server view to configure the value of this attribute.

Attribute number

64

Attribute type

Integer

Protocol

RFC2868

Attribute description

Tunneling protocol. Possible values include:

·     1: Point-to-Point Tunneling Protocol (PPTP) [1]

·     2: Layer Two Forwarding (L2F) [2]

·     3: Layer Two Tunneling Protocol (L2TP) [3]

·     4: Ascend Tunnel Management Protocol (ATMP) [4]

·     5: Virtual Tunneling Protocol (VTP)

·     6: IP Authentication Header in the Tunnel-mode (AH) [5]

·     7: IP-in-IP Encapsulation (IP-IP) [6]

·     8: Minimal IP-in-IP Encapsulation (MIN-IP-IP) [7]

·     9: IP Encapsulating Security Payload in the Tunnel-mode (ESP) [8]

·     10: Generic Route Encapsulation (GRE) [9]

·     11: Bay Dial Virtual Services (DVS)

·     12: IP-in-IP Tunneling [10]

·     13: VLAN

This attribute supports carrying the Tag field.

Attribute number

65

Attribute type

Integer

Protocol

RFC2868

Attribute description

Transport medium type to use for creating a tunnel. Possible values include:

·     1: IPv4 (IP version 4)

·     2: IPv6 (IP version 6)

·     3: NSAP

·     4: HDLC (8-bit multidrop)

·     5: BBN 1822

·     6: 802 (includes all 802 media plus Ethernet "canonical format")

·     7: E.163 (POTS)

·     8: E.164 (SMDS, Frame Relay, ATM)

·     9: F.69 (Telex)

·     10: X.121 (X.25, Frame Relay)

·     11: IPX

·     12: Appletalk

·     13: Decnet IV

·     14: Banyan Vines

·     15:  E.164 with NSAP format subaddress

For VLAN assignment, the value must be 6.

This attribute supports carrying the Tag field.

Attribute number

66

Attribute type

String

Protocol

RFC2868

Attribute description

IP address of the initiator end of the tunnel, in dotted decimal notation.

This attribute is applicable only to L2TP users, and it cannot be used to send multiple addresses to the server at a time.

Attribute number

67

Attribute type

String

Protocol

RFC2868

Attribute description

IP address of the server end of the tunnel, in dotted decimal notation.

This attribute is applicable only to L2TP users, and it cannot be used to send multiple addresses to the server at a time. The server can deploy a maximum of eight addresses at a time.

This attribute supports carrying the Tag field.

Attribute number

69

Attribute type

String

Protocol

RFC2868

Attribute description

Authentication password of the tunnel. The first two bytes are the SALT. The last 16 bytes are the password after encryption. You can configure a plaintext or ciphertext tunnel password by using the tunnel password command on the NAS.

This attribute is applicable only to L2TP users, and it supports carrying the Tag field.

Attribute number

79

Attribute type

Octets

Protocol

RFC3579

Attribute description

Encapsulates EAP packet to implement RADIUS support for the EAP authentication. An EAP packet will be fragmented when it exceeds 253 bytes. The fragments are encapsulated in multiple EAP-Message attributes in order. One RADIUS packet can carry multiple EAP-Message attributes.

This attribute is applicable to 802.1X EAP or portal EAP authentication.

In COA packets of the PPPoE proxy scenario, this attribute is the password of the operator account.

Attribute number

80

Attribute type

Octets

Protocol

RFC3579

Attribute description

Message authenticator used to check the integrity of the RADIUS packet that carries the EAP-Message attributes during the EAP authentication.

This attribute is used in the RADIUS support for EAP authentication mode.

Attribute number

81

Attribute type

String

Protocol

RFC2868

Attribute description

Group ID for a tunnel session. It can be an integer in the range of 1 to 4094 or a value in other forms.

This attribute is used together with attribute 64 and attribute 65:

·     When attribute 64 is 13 and attribute 65 is 6, this attribute represents a VLAN name.

·     When attribute 64 is 3, this attribute represents a tunnel group ID.

This attribute supports carrying the Tag field.

Attribute number

82

Attribute type

String

Protocol

RFC2868

Attribute description

ID of the tunnel that carries the session.

This attribute is applicable only to L2TP users, and supports carrying the Tag field.

·     If the device already has an L2TP tunnel with this ID, the user uses this L2TP tunnel.

·     If no L2TP tunnel exists on the device with this ID, the device creates an L2TP tunnel with this ID.

Attribute number

83

Attribute type

Integer

Protocol

RFC2868

Attribute description

Tunnel preference in the range of 0x000000 to 0xFFFFFF, the smaller the value, the higher the preference. 0x000000 represent the highest precedence. 0xFFFFFF represents the lowest preference. This attribute supports carrying the Tag field.

If the RADIUS server assigns multiple Tunnel-Preference attributes to the LAC, the LAC tries to establish a tunnel with the LNSs in descending order of the preference until a tunnel is successfully established with an LNS. If no Tunnel-Preference attributes are assigned to the LAC, the LAC establishes tunnels with LNSs for load balancing.

Attribute number

85

Attribute type

Integer

Protocol

RFC2869

Attribute description

Real-time accounting interval, in seconds.

Attribute number

87

Attribute type

String

Protocol

RFC2869

Attribute description

String for describing the port of the NAS that is authenticating the user. The format of this attribute can be configured by a command on the NAS.

The following formats are supported:

·     Format for ADSL users:

slot=XX;subslot=X;port=X;VPI=XXX;VCI=XXXXX.

Value ranges for the parameters:

slot=0 to 15; subslot=0 to 9; port=0 to 9; VPI=0 to 255; VCI=0 to 65535.

·     Format for Ethernet access users:

¡     VLAN: slot=XX;subslot=XX;port=XXX;VLANID=0;

¡     Single tag: slot=XX;subslot=XX;port=XXX;VLANID=XXXX;

¡     Dual tags: slot=XX;subslot=XX;port=XXX;VLANID=inner VLAN;VLANID2=outer VLAN;

Value ranges for the parameters:

slot=0 to 15; subslot=0 to 15; port=0 to 255; VLANID=0 to 4095.

·     Format for portal users:

¡     {atm|eth|trunk}NAS_slot/NAS_subslot/NAS_port:XPI.XCI AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port[:ANI_XPI.ANI_XCI]

¡     SlotID00IfNOVlanID

¡     SlotID00IfNOVlanID+DHCPoption82 or DHCPoption18

¡     slot=XX;subslot=XX;port=XXX;vlanid=inner VLAN;vlanid2=outer VLAN

·     Standard format in communication industry (YDT 2275-2011)

{eth|trunk} NAS_slo1/NAS_subslot/NAS_port:SVLAN.CVLAN AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/LSW_ID

·     Format in UP and CP separation scenario:

{eth|trunk} NAS_UpIdentifier/NAS_slo1/NAS_subslot/NAS_port:CVLAN.SVLAN AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/LSW_ID

Attribute number

88

Attribute type

String

Protocol

RFC2869

Attribute description

Name of the IPv4 address pool assigned by the server to the user.

The attribute is valid only when the server allocates IP addresses to users from the local address pool. The designated IPv4 address pool must have been configured on the device.

Attribute number

90

Attribute type

String

Protocol

RFC2868

Attribute description

Name used by the tunnel client end.

This attribute is applicable only to L2TP users, and it supports carrying the Tag field.

Attribute number

91

Attribute type

String

Protocol

RFC2868

Attribute description

Name used by the tunnel server end. This attribute is present in accounting packets of L2TP users.

This attribute supports carrying the Tag field.

Attribute number

95

Attribute type

Ipv6addr

Protocol

RFC3162

Attribute description

IPv6 address of the NAS.

The NAS-IPv6-Address to be carried in RADIUS packets can be configured in interface view, RADIUS scheme view, and system view. The settings take effect as follows:

·     The NAS IP address configured in interface view (by using the aaa nas-ip command) takes effect only on the users on the interface.

·     The NAS IP address configured in RADIUS scheme view (by using the nas-ip command) takes effect only on this RADIUS scheme.

·     The NAS IP address configured in system view (by using the radius nas-ip command) takes effect only on all RADIUS schemes.

The NAS IP settings in these views have descending order of priority as follows: interface view > RADIUS view > system view.

In VSRP scenarios, if a NAS-IP is configured in the VSRP instance associated with the access service (by using the nas ip command), this configured NAS-IP is carried in sent RADIUS packets.

In CPDR scenarios, if the access service associated CPDR group has configured with the source interface for RADIUS packets (by using the radius source-interface command), the NAS-IP carried in the sent RADIUS packets is the IP address of the specified source interface.

NOTE: Support for NAS-IP address configuration in interface view depends on the device model.

Attribute number

96

Attribute type

Binary

Protocol

RFC3162

Attribute description

Interface ID assigned by the server to the IPv6 user. This attribute is eight bytes long.

Attribute number

97

Attribute type

Binary

Protocol

RFC3162

Attribute description

Address prefix assigned by the server to the IPv6 user. The maximum length of this attribute is 128 bits.

Attribute number

100

Attribute type

String

Protocol

RFC3162

Attribute description

Name of the IPv6 address pool assigned by the server to the IPv6 user.

The attribute is valid only when the server allocates IP addresses to users from the local address pool. The designated IPv6 address pool must have been configured on the device.

Attribute number

101

Attribute type

Integer

Protocol

RFC3576

Attribute description

Used in COA packets to send user error code to the server. Possible values include:

·     201: Session successfully deleted.

·     401: Unsupported attribute.

·     404: Invalid COA request.

·     503: No matching user.

·     504: Failed to delete the session.

·     506: Internal processing failure.

Attribute number

102

Attribute type

String

Protocol

N/A

Attribute description

EAP key name used in MACsec authentication.

Attribute number

123

Attribute type

Binary

Protocol

RFC4818

Attribute description

IPv6 PD prefixes assigned to routed CPEs. A packet can carry multiple Delegated-IPv6-Prefix attributes.

Attribute number

168

Attribute type

Ipv6addr

Protocol

RFC6911

Attribute description

IPv6 address assigned to the user.

·     Carries the IPv6 address of the user in an authentication request to the server.

·     Carries the IPv6 address assigned by the server to the user in an authentication reply.

Attribute number

1

Attribute type

Integer

Attribute description

Input peak rate from a user to the NAS.

The default measurement unit is bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute number

2

Attribute type

Integer

Attribute description

Input average rate from a user to the NAS.

The default measurement unit is bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute number

3

Attribute type

Integer

Attribute description

Input basic rate from a user to the NAS, in bps.

No service supports this attribute in the current software version.

Attribute number

4

Attribute type

Integer

Attribute description

Output peak rate from the NAS to a user, in bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute number

5

Attribute type

Integer

Attribute description

Output average rate from the NAS to a user, in bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute number

6

Attribute type

Integer

Attribute description

Output basic rate from the NAS to a user, in bps.

No access service supports this attribute in the current software version.

Attribute number

15

Attribute type

Integer

Attribute description

Total amount of data available for a user. The measurement unit is configurable by using the attribute remanent-volume unit command. The default measurement unit is kilo-byte.

This attribute can be included in authentication response packets, accounting response packets, and CoA packets sent from a server. When the amount of user traffic reaches the value of this attribute, the NAS does not immediately logs off the user. Instead, the NAS triggers an accounting update. If the accounting response packet contains new data quota, the NAS updates the total amount of data available for the user. If the new data quota is 0 or no new data quota is assigned by the server, the NAS logs off the user. If this attribute is included in a CoA packet, the NAS updates the total amount of data available for the user.

Support for this attribute depends on the access type.

Attribute number

17

Attribute type

String

Attribute description

ISP domain name of a user, a string of 1 to 253 characters.

·     In an Access-Request packet, this attribute represents the authentication domain used by the user to come online.

·     In an Access-Accept packet, this attribute represents the authorization domain assigned to the user for assigning authorization attributes to the user.

Attribute number

20

Attribute type

Integer

Attribute description

Operation for a user session, used for session control. Possible values include:

·     1: Trigger-Request. This value is not used in the current software version.

·     2: Terminate-Request. This value means that the server forcibly logs off the user.

·     3: SetPolicy. This value means that the server requests to change user authorization attributes.

·     4: Result. This value is used to respond to the server with the session operation result.

·     5: PortalClear. This value is not used in the current software version.

Attribute number

22

Attribute type

Integer

Attribute description

Service priority.

No service supports this attribute in the current software version.

Attribute number

25

Attribute type

Integer

Attribute description

Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.

Attribute number

27

Attribute type

String

Attribute description

PADM URL assigned to a PPPoE user.

Attribute number

28

Attribute type

String

Attribute description

FTP, SFTP, or SCP user working directory.

If this attribute is not assigned by a server, the NAS uses the default working directory of the current system as the FTP, SFTP, or SCP working directory.

Attribute number

29

Attribute type

Integer

Attribute description

EXEC user priority, in the range of 0 to 15.

A server uses this attribute to assign the level-0 to level-15 user roles to device management users.

Attribute number

32

Attribute type

Address

Attribute description

Public IP address assigned to a user when the source IP address and port are translated.

When an AAA user accesses the external network after NAT, the NAS includes this attribute in accounting request packets to report the public IP address of the user to the server. The server can identify the user by its public IP address.

Attribute number

33

Attribute type

Integer

Attribute description

Start port number of the port range assigned to a user when the source IP address and port are translated.

The method for including this attribute in a packet and the attribute purposes are the same as those of attribute 32.

Attribute number

34

Attribute type

Integer

Attribute description

End port number of the port range assigned to a user when the source IP address and port are translated.

The method for including this attribute in a packet and the attribute purposes are the same as those of attribute 32.

Attribute number

59

Attribute type

Integer

Attribute description

Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).

Attribute number

60

Attribute type

String

Attribute description

User IP address and MAC address included in authentication and accounting requests. The value is a string of 25 to 33 bytes in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.

If the user IP address is invalid when the NAS sends an authentication request, the NAS pads A.B.C.D with all zeros.

An IMC server preferentially obtains MAC or IP addresses from this attribute for user and MAC or IP address bindings. If the value for this attribute is invalid, the server obtains IP or MAC addresses from the Framed-IP or Calling-Station-Id attribute, respectively.

Attribute number

61

Attribute type

String

Attribute description

Information that must be sent from the server to the client transparently. The value is a string of 1 to 247 bytes. This attribute can appear multiple times in a packet to deliver multiple messages.

The NAS directly delivers this attribute to the client without parsing it. In EAD solutions, the server can use this attribute to deliver server information including the server IP address and port number to the client.

Attribute number

62

Attribute type

String

Attribute description

Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and verifies the handshake packets from the 802.1X client.

Attribute number

98

Attribute type

Address

Attribute description

IP address of the multicast group that a user joins as a receiver.

This attribute can appear multiple times in a multicast packet to indicate that the user belongs to multiple multicast groups.

Attribute number

100

Attribute type

Ipv6addr

Attribute description

IPv6 address of the multicast group that a user joins as a receiver.

This attribute can appear multiple times in a multicast packet to indicate that the user belongs to multiple multicast groups.

Attribute number

101

Attribute type

Integer

Attribute description

Maximum number of MLD multicast groups that a user can join concurrently.

Attribute number

103

Attribute type

Integer

Attribute description

Maximum number of IGMP multicast groups that a user can join concurrently.

Attribute number

104

Attribute type

String

Attribute description

Name of the MPLS L3VPN instance to which a user belongs.

Attribute number

105

Attribute type

String

Attribute description

ANCP profile name.

Attribute number

106

Attribute type

Integer

Attribute description

User priority of incoming packets, in the range of 0 to 7 and 15. The value of 15 indicates cancelling user priority authorization.

Attribute number

107

Attribute type

Integer

Attribute description

User priority of outgoing packets, in the range of 0 to 7 and 15. The value of 15 indicates cancelling user priority authorization.

Attribute number

120

Attribute type

Integer

Attribute description

Type of the user address used to access the NAS. Values include:

·     0: Public IPv4 user.

·     1: Private IPv4 user.

·     2: Public dual-stack user.

·     3: Private dual-stack user.

·     4: DS-Lite user.

·     5: Pure IPv6 user.

·     6: NAT64 user.

Attribute number

121

Attribute type

String

Attribute description

CGN address translation log information, for example, end port number and user address. The value is a string. This attribute is included in accounting request packets.

The fields in this attribute is separated by a colon (:). for example, the value for this attribute can be in the format of mapping-time (format YY/MM/DD/HH/MM/SS):public-IPv4-address:start-port-number:end-port-number:user-IPv4-or-IPv6-address.

Attribute number

135

Attribute type

Address

Attribute description

Address of the primary DNS server.

Attribute number

136

Attribute type

Address

Attribute description

Address of the secondary DNS server.

Attribute number

140

Attribute type

String

Attribute description

User groups assigned after a user passes authentication. Typically, a user can belong to only one user group. For SSL VPN users, a user can belong to multiple user groups. The user group names are separated by semicolon (;).

If this attribute is included in an authentication response packet, the user is assigned to the specified user groups after it passes authentication.

If this attribute is included in an accounting request packet, it indicates the user groups that the user has been added to. This situation is supported only by PPPoE dial-up users.

Attribute number

144

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the inbound direction.  The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. By default, the unit is byte.

Attribute number

145

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the outbound direction.  The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. By default, the unit is byte.

Attribute number

146

Attribute type

Integer

Attribute description

Number of IPv6 packets in the inbound direction. The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include one-packet, kilo-packet, mega-packet, or giga-packet. By default, the unit is one-packet.

Attribute number

147

Attribute type

Integer

Attribute description

Number of IPv6 packets in the outbound direction. The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include one-packet, kilo-packet, mega-packet, or giga-packet. By default, the unit is one-packet.

Attribute number

148

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the inbound direction divided by 4G. The value is the most significant 32 bits of the Acct-ipv6-Input-Octets attribute (No. 144). The measurement unit is configurable by using the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. The default measurement unit is byte.

Attribute number

149

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the outbound direction divided by 4G. The value is the most significant 32 bits of the Acct-ipv6-Output-Octets attribute (No. 145). The measurement unit is configurable by using the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. The default measurement unit is byte.

Attribute number

155

Attribute type

String

Attribute description

List of space-separated user roles.

This attribute can appear multiple times in a packet.

Attribute number

157

Attribute type

String

Attribute description

IPv6 ND prefix pool.

Attribute number

158

Attribute type

Ipv6addr

Attribute description

IPv6 address used by a user to access the NAS.

Attribute number

159

Attribute type

Integer

Attribute description

Flag for user IP update. If the value is 1, the user IP address has an update. If the value is 0, the user IP address does not have an update.

Only IPoE and PPP users support this attribute in the current software version.

Attribute number

180

Attribute type

Integer

Attribute description

User authentication type. Values include:

·     1: PPP authentication.

·     2: IPoE authentication.

·     3: Portal authentication.

·     4: 802.1X authentication.

·     5: MAC authentication.

·     6: Web authentication.

·     7: Login

·     9: Port security static user.

Attribute number

181

Attribute type

Integer

Attribute description

Subcause code for user going offline.

Attribute number

183

Attribute type

String

Attribute description

L2TP group name.

The NAS uses the L2TP group name to set up an L2TP tunnel.

Attribute number

184

Attribute type

Integer

Attribute description

NAS type. Supported values:

·     1: Traditional BRAS.

·     2: vBRAS in the vBRAS CUPS architecture.

Attribute number

185

Attribute type

String

Attribute description

vBRAS UP ID in the vBRAS CUPS architecture.

Attribute number

186

Attribute type

Ipaddr

Attribute description

vBRAS UP IPv4 address in the vBRAS CUPS architecture.

Attribute number

187

Attribute type

Ipv6addr

Attribute description

vBRAS UP IPv6 address in the vBRAS CUPS architecture.

Attribute number

188

Attribute type

String

Attribute description

Name of the user profile for incoming service traffic.

Attribute number

189

Attribute type

String

Attribute description

Name of the user profile for outgoing service traffic.

Attribute number

190

Attribute type

String

Attribute description

Name of an IPv4 multicast user profile.

Attribute number

191

Attribute type

String

Attribute description

Name of an IPv6 multicast user profile.

Attribute number

201

Attribute type

Integer

Attribute description

Upstream flow difference, in bytes.

No service supports this attribute in the current software version.

Attribute number

202

Attribute type

Integer

Attribute description

Downstream flow difference, in bytes.

No service supports this attribute in the current software version.

Attribute number

203

Attribute type

Integer

Attribute description

Upstream flow difference, in packets.

No service supports this attribute in the current software version.

Attribute number

204

Attribute type

Integer

Attribute description

Downstream flow difference, in packets.

No service supports this attribute in the current software version.

Attribute number

205

Attribute type

Integer

Attribute description

Upstream flow difference, in Gigawords.

No service supports this attribute in the current software version.

Attribute number

206

Attribute type

Integer

Attribute description

Downstream flow difference, in Gigawords.

No service supports this attribute in the current software version.

Attribute number

208

Attribute type

Octets

Attribute description

DHCP Option 55 fingerprint used in BYOD.

Attribute number

210

Attribute type

String

Attribute description

Extended attributes assigned in attribute pair form. The format for an extended attribute is attribute-command-keywords=attribute-value.

For more information about the supported extended attributes and their formats, see "H3C AV-Pair (210) subattributes."

Attribute number

215

Attribute type

Integer

Attribute description

ITA traffic accounting level, in the range of 1 to 8.

Attribute number

216

Attribute type

Octets

Attribute description

Name of an Intelligent Target Accounting (ITA) policy.

Attribute number

217

Attribute type

Integer

Attribute description

When a CGN service module requests or releases ports, it uses this attribute to report information to the server. Supported values:

·     0: Request a port range.

·     1: Release a port range.

This attribute is included in accounting request packets.

Attribute number

220

Attribute type

String

Attribute description

HTTP user agent fingerprint used in BYOD.

Attribute number

246

Attribute type

Integer

Attribute description

Authentication result details. This attribute is used in conjunction with the Web-URL attribute (No.250). Supported values:

·     0: Cancel redirection. This value can be assigned only through CoA packets.

·     1: Continue redirection until redirection is canceled.

·     2: Perform redirection for a number of times. The maximum number of redirection times is configurable by using the authorization-attribute redirect-times command in ISP domain view on the NAS. By default, the maximum number of redirection times is 2.

Attribute number

247

Attribute type

Integer

Attribute description

Committed burst size from a user to the NAS, in bits. The total length cannot exceed 4 bytes for this field.

This attribute must be assigned in conjunction with the Input-Average-Rate attribute (No. 2).

Attribute number

248

Attribute type

Integer

Attribute description

Committed burst size from the NAS to a user, in bits. The total length cannot exceed 4 bytes for this field.

This attribute must be assigned in conjunction with the Output-Average-Rate attribute (No. 5).

Attribute number

249

Attribute type

Integer

Attribute description

User authentication type. Supported values:

·     1: Intranet access authentication.

·     2: Internet access authentication.

If this attribute does not exist, common authentication applies.

Attribute number

250

Attribute type

String

Attribute description

Web redirect URL for a user.

·     In single-stack scenarios, use this attribute to assign an IPv4 or IPv6 URL.

·     In dual-stack scenarios, use this attribute to assign an IPv4 URL and use user-defined attribute pair urlipv6-redirect to assign an IPv6 URL.

Attribute number

251

Attribute type

String

Attribute description

Family plan ID, a string of digits.

Attribute number

252

Attribute type

String

Attribute description

QoS policy name for the family plan of a subscriber.

Attribute number

255

Attribute type

String

Attribute description

Product name.

Attribute number

1

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Peak uplink rate of user access to an NAS device, in bps. 

(Huawei RADIUS1.1 protocol) Uplink committed burst size for user access to an NAS device, in bit.The value length is 4 bytes. To deploy this attribute, you must also deploy the HW-Input-Committed-Info-Rate attribute.

Attribute number

2

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Average uplink rate of user access to an NAS device, in bps.

(Huawei RADIUS1.1 protocol) Committed uplink rate of user access to an NAS device, in bps. To deploy this attribute, you must also deploy the HW-Input-Committed-Burst-Size attribute.

Attribute number

3

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Basic uplink rate of user access to an NAS device, in bps.

(Huawei RADIUS1.1 protocol) Peak uplink rate of user access to an NAS device, in bps. The value length is 4 bytes. Use this attribute for dual leaky bucket. To deploy this attribute, you must also deploy the HW-Input-Committed-Info-Rate attribute.

Attribute number

4

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Peak downlink rate from an NAS device to a user, in bps.

(Huawei RADIUS1.1 protocol) Committed burst size for downlink from an NAS device to a user, in bit. The value length is 4 bytes. To deploy this attribute, you must also deploy the HW-Output-Committed-Info-Rate attribute.

Attribute number

5

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Average downlink rate from an NAS device to a user, in bps.

(Huawei RADIUS1.1 protocol) Committed downlink rate from an NAS device to a user, in bps. To deploy this attribute, you must also deploy the HW-Output-Committed-Burst-Rate attribute.

Attribute number

6

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Basic downlink rate from an NAS device to a user, in bps.

(Huawei RADIUS1.1 protocol) Peak downlink rate from an NAS device to a user, in bps. The value length is 4 bytes. Use this attribute for dual leaky bucket. To deploy this attribute, you must also deploy the HW-Output-Committed-Info-Rate attribute.

Attribute number

20

Attribute type

Integer

Attribute description

Action to take on user sessions. Options include:

·     1: Trigger-Request. This option is reserved for future use.

·     2: Terminate-Request. This action indicates forced user logoff.

·     3: SetPolicy. This action indicates that the server requires user authorization attribute modification.

·     4: Result. This action is used to send the session operation result to the server.

·     5: PortalClear. This option is reserved for future use.

Attribute number

25

Attribute type

Integer

Attribute description

Indicates the Trigger-Request or SetPolicy result. 0 indicates success and a non-zero value indicates failure.

Attribute number

27

Attribute type

String

Attribute description

PADM URL deployed to PPPoE.

Attribute number

28

Attribute type

String

Attribute description

Working directory of an FTP/SFTP/SCP user.

If this attribute is not deployed, a NAS device obtains the default directory of the system as the FTP/SFTP/SCP working directory.

Attribute number

29

Attribute type

Integer

Attribute description

EXEC user priority in the range of 0 to 15. 

This attribute is used by the server to assign user role level 0 through level 15 to device management users.

Attribute number

61

Attribute type

String

Attribute description

Message sent by the server to a client, a string of 1 to 247 bytes. The attribute can appear multiple times in a packet to deploy multiple messages.

NAS devices pass the attribute directly to clients without parsing the attribute.

Attribute number

94

Attribute type

String

Attribute description

Name of the VPN to which a user can join.

Attribute number

98

Attribute type

Address

Attribute description

Address of the multicast group to which a user belongs as a multicast receiver. 

If the attribute appears multiple times in a packet, it indicates that the user belongs to multiple multicast groups.

Attribute number

135

Attribute type

Address

Attribute description

Primary DNS server address.

Attribute number

136

Attribute type

Address

Attribute description

Secondary DNS server address.

Attribute number

138

Attribute type

String

Attribute description

ISP domain name, a string of 1 to 253 characters.

·     The attribute in an Access-Request packet indicates the authentication domain used by user association.

·     The attribute in an Access-Accept packet indicates the authorized domain to a user.

Attribute number

139

Attribute type

String

Attribute description

ANCP policy name.

Attribute number

143

Attribute type

Integer

Attribute description

Maximum number of IPv4 multicast groups that a user can join.

Attribute number

253

Attribute type

String

Attribute description

User Web-redirection URL.

Attribute number

1

Attribute type

Binary

Attribute description

Response to the MS-CHAP authentication challenge, a string of 50 bytes. 

In the current software version, only PPP users support this attribute.

Attribute number

2

Attribute type

Binary

Attribute description

Error information carried in an MS-CHAP Access-Reject packet, a string of 80 bytes. 

In the current software version, only PPP users support this attribute.

Attribute number

6

Attribute type

Binary

Attribute description

New CHAP password obtained by encrypting the old password. The new password contains 516 bytes, which exceeds the maximum length of a RADIUS attribute. The password will be fragmented and carried in multiple attributes for transmission.  The attribute contains a 2-byte serial number for fragment reassembly. 

In the current software version, only PPP users support this attribute.

Attribute number

11

Attribute type

Binary

Attribute description

CHAP challenge. For MS-CHAP authentication, the value length is 8 bytes. For MS-CHAP2 authentication, the value length is 16 bytes. For MS-CHAP2 password change, the value length is 32 bytes. 

In the current software version, only PPP users support this attribute.

Attribute number

16

Attribute type

Binary

Attribute description

MPPE key generated for TLS or PEAP authentication. This attribute is used for 802.1X authentication.

Attribute number

17

Attribute type

Binary

Attribute description

MPPE key generated for TLS or PEAP authentication. This attribute is used for 802.1X authentication.

Attribute number

25

Attribute type

Binary

Attribute description

Response to the CHAP2 authentication challenge. The value length is 50 bytes. 

In the current software version, only PPP users support this attribute.

Attribute number

26

Attribute type

Binary

Attribute description

Authentication success code. The value length is 42 bytes. 

In the current software version, only PPP users support this attribute.

Attribute number

27

Attribute type

Binary

Attribute description

MS-CHAP2 password change information. 

If the password of a user has expired, the user can change the password.

In the current software version, only PPP users support this attribute.

Attribute number

28

Attribute type

Binary

Attribute description

Primary DNS server address.

Attribute number

29

Attribute type

Binary

Attribute description

Secondary DNS server address.

Attribute number

1

Attribute type

Integer

Attribute description

EXEC user priority in the range of 0 to 15. 

This attribute is used by the server to assign user role level 0 through level 15 to device management users.

Attribute number

1

Attribute type

String

Attribute description

Extended attribute deployed in AV pair format, which is Attribute Name=Attribute Value.

For more information about supported extended attributes and formats, see the table blow.

Attribute number

1

Attribute type

String

Attribute description

Deployed voice VLAN:

device-traffic-class=voice

Attribute number

1

Attribute type

String

Attribute description

Deployed user role list.

shell:roles="xxx yyy zzz"

shell:allowed-roles="xxx" (Only for super users)

Use a space to separate two role names.