RADIUS attributes

Attribute name

User-Name

Attribute number

1

Attribute type

string

Protocol

RFC2865

Attribute description

Name of the user to be authenticated.

In wireless 802.1X access and IPoE access scenarios, after a user passes authentication with a username, the RADIUS server can assign a different username to the user by using the Access-Accept packet. When the access device receives the packet and the username-authorization apply command is executed, the access device uses the assigned username for subsequent AAA processing (such as accounting, user information query and display) for the user.

Attribute name

User-Password

Attribute number

2

Attribute type

string

Protocol

RFC2865

Attribute description

User password for PAP authentication, which takes effect only for PAP authentication and is typically present in Access-Request packets.

Used for issuing the encrypted ISP account password to the agency gateway in the PPPoE agency scenario, which is present in COA request packets.

Attribute name

CHAP-Password

Attribute number

3

Attribute type

Octets

Protocol

RFC2865

Attribute description

Digest of the user password for CHAP authentication, only present in Access-Request packets when CHAP authentication is used.

Attribute name

NAS-IP-Address

Attribute number

4

Attribute type

Address

Protocol

RFC2865

Attribute description

IP address of the NAS device.

An authentication request must carry the NAS-IP-Address or NAS-identifier attribute. The NAS-IP-Address carried in the request might be different from the source IP address in the packets received by the RADIUS server in some cases, for example, after a NAT traversal.

The NAS-IP-Address attribute value can be set by a command on the NAS device. For more information, see the AAA configuration guide for the NAS device.

Attribute name

NAS-Port

Attribute number

5

Attribute type

integer

Protocol

RFC2865

Attribute description

Physical port of the NAS that the user accesses.

H3C defines the attribute format as follows:

·     For Ethernet access users: slot number (8 bits) + subslot number (4 bits) + port number (8 bits) + VLAN ID (12 bits)

·     For ADSL access users: slot number (4 bits) + subslot number (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (166 bits)

Attribute name

Service-Type

Attribute number

6

Attribute type

integer

Protocol

RFC2865

Attribute description

Type of service that the user has requested or type of service to be provided. Values include:

·     1: Login service, for device management users.

·     2: Framed service, for network access users.

·     4: Callback Framed service.

·     10: Call Check service, for MAC authentication users.

·     25:Obtain ACL rules for dynamic ACL

At present, the attribute value is 10 for MAC authentication users, 1 for device management users, and 2 for other types of users. For IPoE users, you can use the attribute 6 value outbound user-type ipoe command to set the value of the attribute to 5.

Attribute name

Framed-Protocol

Attribute number

7

Attribute type

integer

Protocol

RFC2865

Attribute description

Encapsulation protocol for framed access. Values include:

·     1: PPP

·     2: SLIP

·     3: AppleTalk Remote Access Protocol (ARAP)

·     4: Gandalf proprietary SingleLink/MultiLink protocol

·     5: Xylogics proprietary IPX/SLIP

·     6: X.75 Synchronous

·     255: Portal

At present, the attribute value is 255 for portal access and 1 for all other access types.

Attribute name

Framed-IP-Address

Attribute number

8

Attribute type

Address

Protocol

RFC2865

Attribute description

IP address assigned to the user.

·     Carries the IP address of the user in an authentication request to the server.

·     Carries the IP address assigned by the server to the user in an authentication reply.

Attribute name

Filter-ID

Attribute number

11

Attribute type

String

Protocol

RFC2865

Attribute description

Name of the filter list.

This attribute is parsed as follows:

·     If the name is a string of all digits, it indicates an ACL number.

·     If the name is not a string of all digits and contains no equal signs (=):

¡     If the next attribute is H3C-ACL-Version, it indicates an ACL name.

¡     if the next attribute not H3C-ACL-Version, it indicates a user profile name.

·     If the name is not a string of all digits and contains equal signs (=), further parsing is required. At present, the server is supported to send several SSL VPN user groups in the format of user-group=name1;name2;...;namex.

NOTE:

The H3C proprietary attribute user-group (140) can also be used to deploy SSL VPN user groups. This proprietary attribute only supports deploying SSL VPN user groups during authentication and authorization (carried in Access-Accept packets). It does not support the deployment in dynamic authorization (carried in SessionControl and CoA packets). If the Filter-ID attribute is carried in the Access-Accept packet and the user-group (140) attribute is carried in the SessionControl or CoA packet, the device uses the attribute that comes first.

Attribute name

Framed-MTU

Attribute number

12

Attribute type

integer

Protocol

RFC2865

Attribute description

MTU of the data link, only for port security users.

The size of an EAPoL frame is limited by the Ethernet frame. If an EAP frame is too long, it cannot be carried in an EAPoL frame.

The NAS device uses the Framed-MTU attribute to indicate the maximum length of an EAP frame sent by the RADIUS server, so as to avoid loss of EAP frames caused by EAP frames exceeding the data link MTU. The default value of this attribute is 1450.

Attribute name

Login-IP-Host

Attribute number

14

Attribute type

Address

Protocol

RFC2865

Attribute description

IP address of the NAS interface that the user accesses.

Attribute name

Login-Service

Attribute number

15

Attribute type

Integer

Protocol

RFC2865

Attribute description

Type of service that the user uses for login. The server is supported to deploy multiple Login-Service attributes at a time.

The device checks the consistency of the service type used by the user to log in to the device and the service type indicated by the Login-Service attribute assigned by the server.

H3C defines the following extended values for the Login-Service attribute:

·     50: SSH

·     51: FTP

·     52: Terminal

·     53: HTTP

·     54: HTTPS

Support for values 53 and 54 depends on the device model.

You can configure the check method for RADIUS 15 on the NAS device to determine whether to use the extended Login-Service attribute values to check the service type consistency for users.

·     Strict method: The devices uses standard and extended Login-Service attribute values to check user service types. SSH, FTP, and terminal users can pass authentication only when the RADIUS server assigns the corresponding extended Login-Service attribute values to them.

·     Loose method: The devices uses standard Login-Service attribute values to check user service types. SSH, FTP, and terminal users can pass authentication only when the RADIUS server assigns the Login-Service attribute value of 0 (representing the Telnet service).

Attribute name

Framed-Route

Attribute number

22

Attribute type

string

Protocol

RFC2865

Attribute description

Authorization routing information for the user. This attribute applies only to PPP and SMF users. Other access types ignore this attribute. This attribute can be used multiple times in a packet.

Attribute name

State

Attribute number

24

Attribute type

Octets

Protocol

RFC2865

Attribute description

If a reply packet from the server contains this attribute, the access device carries this attribute in all subsequent authentication request packets it sends, and the attribute value maintains the same.

Attribute name

Class

Attribute number

25

Attribute type

Octets

Protocol

RFC2865

Attribute description

If a reply packet from the server contains this attribute, the access device carries this attribute in all subsequent packets it sends, and the attribute value maintains the same.

To communicate with a specific server, you must use the attribute 25 car command to configure the device to interpret the Class attribute (attribute 25) as CAR parameters. The device will parse the first 32 bytes of the Class attribute value as INPUT_PEAK_RATE, INPUT_AVG_RATE, OUTPUT_PEAK_RATE, and OUTPUT_AVG_RAT. Other bytes of the Class attribute value are ignored.

Attribute name

Vendor-Specific

Attribute number

26

Attribute type

Octets

Protocol

RFC2865

Attribute description

Vendor-specific proprietary attribute. A packet can contain one or more proprietary attributes, each of which can contain one or more subattributes.

Attribute name

Session-Timeout

Attribute number

27

Attribute type

Integer

Protocol

RFC2865

Attribute description

Maximum service duration (in seconds) for the user before termination of the session. This attribute can present in authentication reply and accounting reply packets.

When the user online duration reaches the session timeout time, the device does not log out the user immediately but initiates an accounting update process for the user. If the accounting reply packet carries a non-zero session-timeout attribute, the device updates the remaining online time for the user. If the accounting reply packet does not provide the session-timeout attribute or the carried session-timeout attribute value is 0, the device logs out the user.

Attribute name

Idle-TimeOut

Attribute number

28

Attribute type

Integer

Protocol

RFC2865

Attribute description

Maximum idle time permitted for the user before termination of the session.

The device supports setting user idle timeout in ISP domain view. The idle timeout set in ISP domain view has a higher priority than that assigned by the server. By default, a user is timed out if the user generates less than 10240 bytes of traffic within the idle timeout time.

Attribute name

Termination-Action

Attribute number

29

Attribute type

Integer

Protocol

RFC2865

Attribute description

The specified mode for terminating the NAS service, such as re-authentication or forcing a user to log out. The value for this attribute can be the following:

·     0: Default. The value 0 indicates to force the user to log out. However, if the device is enabled with periodic re-authentication and the re-authentication timer value is smaller than the user session-timeout value, the port does not force users to log out but initiate re-authentication on the online 802.1X users on the port at intervals set by the re-authentication timer.

·     1: RADIUS-Request. The value 1 indicates to perform re-authentication on the user when the session-timeout time for the user is reached. At present, only 802.1X and MAC authentication users support re-authentication.

Attribute name

Called-Station-Id

Attribute number

30

Attribute type

String

Protocol

RFC2865

RFC3580

Attribute description

·     For PPP users, this attribute is the called number.

·     For wired access (portal/port security) users, this attribute is the MAC address of the user access interface (default format: XX-XX-XX-XX-XX-XX).On the NAS, you can use the attribute 30 mac-format command to configure the MAC address format.

·     For wireless access (portal/port security) users, this attribute is the MAC address of the user access AP and the SSID (format: XX-XX-XX-XX-XX-XX:SSID).On the NAS, you can use the attribute 30 format command to configure the attribute format and use the attribute 31 mac-format command to configure the MAC address format.

Attribute name

Calling-Station-Id

Attribute number

31

Attribute type

String

Protocol

RFC2865

RFC3580

Attribute description

·     For 802.1X, portal, PPPoE, IPOE, L2TP LAC and Login users, this attribute is the MAC address of the user, in the format of H-H-H-H-H-H. On the NAS, you can use the attribute 31 mac-format command to configure the MAC address format, including setting the separator, lowercase, uppercase, six-section format, or three-section format.

·     For L2TP LNS users, this attribute use the information received from LAC.

·     For PPP and VoIP users, this attribute is the caller number.

·     For reverse telnet users, this attribute is the user IP address.

·     For PPPoE agency users, this attribute is a user MAC address in the format of HH:HH:HH:HH:HH:HH, which is present in COA request packets.

Attribute name

NAS-Identifier

Attribute number

32

Attribute type

String

Protocol

RFC2865

RFC3580

Attribute description

Device name of the NAS. Values in descending order of priority are:

·     NAS-ID obtained by the wireless module.

·     NAS-ID in VSRP instance view.

·     NAS-ID bound with the user access VLANs.

·     NAS-ID in access interface view.

·     NAS-ID in ISP domain view.

·     System name set by the sysname command.

Attribute name

Acct-Status-Type

Attribute number

40

Attribute type

Integer

Protocol

RFC2866

Attribute description

Type of the Accounting-Request packet. Possible values include:

• 1: Accounting start.

• 2: Accounting stop.

• 3: Interim-Update.

Attribute name

Acct-Delay-Time

Attribute number

41

Attribute type

Integer

Protocol

RFC2866

Attribute description

Time spent to send an Accounting Request packet, in seconds.

Acct-Delay-Time = Time when an Accounting Request packet was sent - Time when the packet was created.

Attribute name

Acct-Input-Octets

Attribute number

42

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of upstream bytes. The unit is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 52 (Acct-Input-Gigawords).

Attribute name

Acct-Output-Octets

Attribute number

43

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of downstream bytes. The unit is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 53 (Acct-Output-Gigawords).

Attribute name

Acct-Session-Id

Attribute number

44

Attribute type

String

Protocol

RFC2866

Attribute description

A unique accounting identifier, a string of 1 to 64 characters. Accounting packets must carry  this attribute. Authentication packets carry this attribute as required by the server. If this attribute is carried in an authentication packet, the attribute value must be the same as that carried in accounting packets.

Attribute name

Acct-Authentic

Attribute number

45

Attribute type

Integer

Protocol

RFC2866

Attribute description

User authentication method carried in accounting packets. Possible values include:

·     0—None (extended value of H3C).

·     1—RADIUS.

·     2—Local.

·     3—Remote.

Attribute name

Acct-Session-Time

Attribute number

46

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Session duration of the user, in seconds.

Attribute name

Acct-Input-Packets

Attribute number

47

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of upstream packets. The unit is specified by the data-flow-format command on the NAS, which can be packet (default), kilo-packet, mega-packet, or giga-packet.

Attribute name

Acct-Output-Packets

Attribute number

48

Attribute type

Integer

Protocol

RFC2866

Attribute description

(Accounting) Number of downstream packets. The unit is specified by the data-flow-format command on the NAS, which can be packet (default), kilo-packet, mega-packet, or giga-packet.

Attribute name

Acct-Terminate-Cause

Attribute number

49

Attribute type

Integer

Protocol

RFC2866

Attribute description

Reason for the termination of the accounting session. Possible values include:

·     1: User Request

·     2: Lost Carrier

·     3: Lost Service

·     4: Idle Timeout

·     5: Session Timeout

·     6: Admin Reset

·     7: Admin Reboot

·     8: Port Error

·     9: NAS Error

·     10: NAS Request

·     11: NAS Reboot

·     12: Port Unneeded

·     13: Port Preempted

·     14: Port Suspended

·     15: Service Unavailable

·     16: Callback

·     17: User Error

·     18: Host Request

Attribute name

Acct-Multi-Session-Id

Attribute number

50

Attribute type

String

Protocol

RFC2866

Attribute description

(Accounting) A unique accounting identifier used to link multiple related sessions of a user.

In ITA service, the primary user's attribute 44 (Acct-Session-Id) is the same as attribute 50 for all levels of traffic of the user.

Attribute name

Acct-Input-Gigawords

Attribute number

52

Attribute type

Integer

Protocol

RFC2869

Attribute description

Number of times the Acct-Input-Octets counter has wrapped around 2^32. The unit for this attribute is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 42 (Acct-Input-Octets).

Attribute name

Acct-Output-Gigawords

Attribute number

53

Attribute type

Integer

Protocol

RFC2869

Attribute description

Number of times the Acct-Output-Octets counter has wrapped around 2^32. The unit for this attribute is specified by the data-flow-format command on the NAS, which can be byte (default), KB, MB, or GB.

This attribute is used together with attribute 43 (Acct-Output-Octets).

Attribute name

Event-Timestamp

Attribute number

55

Attribute type

Date

Protocol

RFC2869

Attribute description

Time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC.

Attribute name

Egress-VLANID

Attribute number

56

Attribute type

Integer

Protocol

RFC4675

Attribute description

Four-byte VLAN ID assigned by the server. The first byte 0x31 indicates to carry the tag. The first byte 0x32 indicates to not carry the tag. The subsequent 12 bits represent the VLAN ID. In any other cases, this attribute is invalid.

Attribute name

Egress-VLAN-Name

Attribute number

58

Attribute type

String

Protocol

RFC4675

Attribute description

VLAN ID assigned by the server. The first byte 0x31 indicates to carry the tag. The first byte 0x32 indicates to not carry the tag. The subsequent bytes represent the VLAN name.

Attribute name

CHAP-Challenge

Attribute number

60

Attribute type

Octets

Protocol

RFC2865

Attribute description

CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication.

Attribute name

 NAS-Port-Type

Attribute number

61

Attribute type

Integer

Protocol

RFC2865

Attribute description

Type of the physical port of the NAS that is authenticating the user. Possible values include:

·     0: Async

·     1: Sync

·     2: ISDN Sync

·     3: ISDN Async V.120

·     4: ISDN Async V.110

·     5: Virtual

·     6: PIAFS

·     7: HDLC Clear Channel

·     8: X.25

·     9: X.75

·     10: G.3 Fax

·     11: SDSL - Symmetric DSL

·     12: ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation

·     13: ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone

·     14: IDSL - ISDN Digital Subscriber Line

·     15: Ethernet

·     16: xDSL - Digital Subscriber Line of unknown type (any type of ADSL)

·     17: Cable (for cable TV)

·     18: Wireless - Other

·     19: Wireless - IEEE 802.11

·     201: VLAN

·     202: ATM interface

To configure the value for this attribute, use the nas-port-type command on the port.

For portal users, if the NAS communicates with a MAC binding server from a specific vendor, you can use the nas-port-type command in MAC binding server view to configure the value of this attribute.

Attribute name

Tunnel-Type

Attribute number

64

Attribute type

Integer

Protocol

RFC2868

Attribute description

Tunneling protocol. Possible values include:

·     1: Point-to-Point Tunneling Protocol (PPTP) [1]

·     2: Layer Two Forwarding (L2F) [2]

·     3: Layer Two Tunneling Protocol (L2TP) [3]

·     4: Ascend Tunnel Management Protocol (ATMP) [4]

·     5: Virtual Tunneling Protocol (VTP)

·     6: IP Authentication Header in the Tunnel-mode (AH) [5]

·     7: IP-in-IP Encapsulation (IP-IP) [6]

·     8: Minimal IP-in-IP Encapsulation (MIN-IP-IP) [7]

·     9: IP Encapsulating Security Payload in the Tunnel-mode (ESP) [8]

·     10: Generic Route Encapsulation (GRE) [9]

·     11: Bay Dial Virtual Services (DVS)

·     12: IP-in-IP Tunneling [10]

·     13: VLAN

This attribute supports carrying the Tag field.

Attribute name

Tunnel-Medium-Type

Attribute number

65

Attribute type

Integer

Protocol

RFC2868

Attribute description

Transport medium type to use for creating a tunnel. Possible values include:

·     1: IPv4 (IP version 4)

·     2: IPv6 (IP version 6)

·     3: NSAP

·     4: HDLC (8-bit multidrop)

·     5: BBN 1822

·     6: 802 (includes all 802 media plus Ethernet "canonical format")

·     7: E.163 (POTS)

·     8: E.164 (SMDS, Frame Relay, ATM)

·     9: F.69 (Telex)

·     10: X.121 (X.25, Frame Relay)

·     11: IPX

·     12: Appletalk

·     13: Decnet IV

·     14: Banyan Vines

·     15:  E.164 with NSAP format subaddress

For VLAN assignment, the value must be 6.

This attribute supports carrying the Tag field.

Attribute name

Tunnel-Client-Endpoint

Attribute number

66

Attribute type

String

Protocol

RFC2868

Attribute description

IP address of the initiator end of the tunnel, in dotted decimal notation.

This attribute is applicable only to L2TP users, and it cannot be used to send multiple addresses to the server at a time.

Attribute name

Tunnel-Server-Endpoint

Attribute number

67

Attribute type

String

Protocol

RFC2868

Attribute description

IP address of the server end of the tunnel, in dotted decimal notation.

This attribute is applicable only to L2TP users, and it cannot be used to send multiple addresses to the server at a time. The server can deploy a maximum of eight addresses at a time.

This attribute supports carrying the Tag field.

Attribute name

Tunnel-Password

Attribute number

69

Attribute type

String

Protocol

RFC2868

Attribute description

Authentication password of the tunnel. The first two bytes are the SALT. The last 16 bytes are the password after encryption. You can configure a plaintext or ciphertext tunnel password by using the tunnel password command on the NAS.

This attribute is applicable only to L2TP users, and it supports carrying the Tag field.

Attribute name

EAP-Message

Attribute number

79

Attribute type

Octets

Protocol

RFC3579

Attribute description

Encapsulates EAP packet to implement RADIUS support for the EAP authentication. An EAP packet will be fragmented when it exceeds 253 bytes. The fragments are encapsulated in multiple EAP-Message attributes in order. One RADIUS packet can carry multiple EAP-Message attributes.

This attribute is applicable to 802.1X EAP or portal EAP authentication.

In COA packets of the PPPoE proxy scenario, this attribute is the password of the operator account.

Attribute name

Message-Authenticator

Attribute number

80

Attribute type

Octets

Protocol

RFC3579

Attribute description

Message authenticator used to check the integrity of the RADIUS packet that carries the EAP-Message attributes during the EAP authentication.

This attribute is used in the RADIUS support for EAP authentication mode.

Attribute name

Tunnel-Private-Group-id

Attribute number

81

Attribute type

String

Protocol

RFC2868

Attribute description

Group ID for a tunnel session. It can be an integer in the range of 1 to 4094 or a value in other forms.

This attribute is used together with attribute 64 and attribute 65:

·     When attribute 64 is 13 and attribute 65 is 6, this attribute represents a VLAN name.

·     When attribute 64 is 3, this attribute represents a tunnel group ID.

This attribute supports carrying the Tag field.

Attribute name

Tunnel-Assignment-id

Attribute number

82

Attribute type

String

Protocol

RFC2868

Attribute description

ID of the tunnel that carries the session.

This attribute is applicable only to L2TP users, and supports carrying the Tag field.

·     If the device already has an L2TP tunnel with this ID, the user uses this L2TP tunnel.

·     If no L2TP tunnel exists on the device with this ID, the device creates an L2TP tunnel with this ID.

Attribute name

Tunnel-Preference

Attribute number

83

Attribute type

Integer

Protocol

RFC2868

Attribute description

Tunnel preference in the range of 0x000000 to 0xFFFFFF, the smaller the value, the higher the preference. 0x000000 represent the highest precedence. 0xFFFFFF represents the lowest preference. This attribute supports carrying the Tag field.

If the RADIUS server assigns multiple Tunnel-Preference attributes to the LAC, the LAC tries to establish a tunnel with the LNSs in descending order of the preference until a tunnel is successfully established with an LNS. If no Tunnel-Preference attributes are assigned to the LAC, the LAC establishes tunnels with LNSs for load balancing.

Attribute name

Acct-Interim-Interval

Attribute number

85

Attribute type

Integer

Protocol

RFC2869

Attribute description

Real-time accounting interval, in seconds.

Attribute name

NAS-Port-Id

Attribute number

87

Attribute type

String

Protocol

RFC2869

Attribute description

String for describing the port of the NAS that is authenticating the user. The format of this attribute can be configured by a command on the NAS.

The following formats are supported:

·     Format for ADSL users:

slot=XX;subslot=X;port=X;VPI=XXX;VCI=XXXXX.

Value ranges for the parameters:

slot=0 to 15; subslot=0 to 9; port=0 to 9; VPI=0 to 255; VCI=0 to 65535.

·     Format for Ethernet access users:

¡     VLAN: slot=XX;subslot=XX;port=XXX;VLANID=0;

¡     Single tag: slot=XX;subslot=XX;port=XXX;VLANID=XXXX;

¡     Dual tags: slot=XX;subslot=XX;port=XXX;VLANID=inner VLAN;VLANID2=outer VLAN;

Value ranges for the parameters:

slot=0 to 15; subslot=0 to 15; port=0 to 255; VLANID=0 to 4095.

·     Format for portal users:

¡     {atm|eth|trunk}NAS_slot/NAS_subslot/NAS_port:XPI.XCI AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port[:ANI_XPI.ANI_XCI]

¡     SlotID00IfNOVlanID

¡     SlotID00IfNOVlanID+DHCPoption82 or DHCPoption18

¡     slot=XX;subslot=XX;port=XXX;vlanid=inner VLAN;vlanid2=outer VLAN

·     Standard format in communication industry (YDT 2275-2011)

{eth|trunk} NAS_slo1/NAS_subslot/NAS_port:SVLAN.CVLAN AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/LSW_ID

·     Format in UP and CP separation scenario:

{eth|trunk} NAS_UpIdentifier/NAS_slo1/NAS_subslot/NAS_port:CVLAN.SVLAN AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/LSW_ID

Attribute name

Framed-Pool

Attribute number

88

Attribute type

String

Protocol

RFC2869

Attribute description

Name of the IPv4 address pool assigned by the server to the user.

The attribute is valid only when the server allocates IP addresses to users from the local address pool. The designated IPv4 address pool must have been configured on the device.

In COA packets in PPPoE proxy scenario, this attribute represents the dialup group.

Attribute name

Tunnel-Client-Auth-id

Attribute number

90

Attribute type

String

Protocol

RFC2868

Attribute description

Name used by the tunnel client end.

This attribute is applicable only to L2TP users, and it supports carrying the Tag field.

Attribute name

NAS-IPv6-Address

Attribute number

95

Attribute type

Ipv6addr

Protocol

RFC3162

Attribute description

IPv6 address of the NAS.

The NAS-IPv6-Address to be carried in RADIUS packets can be configured in interface view, RADIUS scheme view, and system view. The settings take effect as follows:

·     The NAS IP address configured in interface view (by using the aaa nas-ip command) takes effect only on the users on the interface.

·     The NAS IP address configured in RADIUS scheme view (by using the nas-ip command) takes effect only on this RADIUS scheme.

·     The NAS IP address configured in system view (by using the radius nas-ip command) takes effect only on all RADIUS schemes.

The NAS IP settings in these views have descending order of priority as follows: interface view > RADIUS view > system view.

In VSRP scenarios, if a NAS-IP is configured in the VSRP instance associated with the access service (by using the nas ip command), this configured NAS-IP is carried in sent RADIUS packets.

In CPDR scenarios, if the access service associated CPDR group has configured with the source interface for RADIUS packets (by using the radius source-interface command), the NAS-IP carried in the sent RADIUS packets is the IP address of the specified source interface.

NOTE: Support for NAS-IP address configuration in interface view depends on the device model.

Attribute name

Framed-Interface-Id

Attribute number

96

Attribute type

Binary

Protocol

RFC3162

Attribute description

Interface ID assigned by the server to the IPv6 user. This attribute is eight bytes long.

Attribute name

Framed-IPv6-Prefix

Attribute number

97

Attribute type

Binary

Protocol

RFC3162

Attribute description

Address prefix assigned by the server to the IPv6 user. The maximum length of this attribute is 128 bits.

Attribute name

Framed-IPV6-Pool

Attribute number

100

Attribute type

String

Protocol

RFC3162

Attribute description

Name of the IPv6 address pool assigned by the server to the IPv6 user.

The attribute is valid only when the server allocates IP addresses to users from the local address pool. The designated IPv6 address pool must have been configured on the device.

Attribute name

Error-Cause

Attribute number

101

Attribute type

Integer

Protocol

RFC3576

Attribute description

Used in COA packets to send user error code to the server. Possible values include:

·     201: Session successfully deleted.

·     401: Unsupported attribute.

·     404: Invalid COA request.

·     503: No matching user.

·     504: Failed to delete the session.

·     506: Internal processing failure.

Attribute name

EAP-Key-Name

Attribute number

102

Attribute type

String

Protocol

N/A

Attribute description

EAP key name used in MACsec authentication.

Attribute name

Delegated-IPv6-Prefix

Attribute number

123

Attribute type

Binary

Protocol

RFC4818

Attribute description

IPv6 PD prefixes assigned to routed CPEs. A packet can carry multiple Delegated-IPv6-Prefix attributes.

Attribute name

Framed-IPv6-Address

Attribute number

168

Attribute type

Ipv6addr

Protocol

RFC6911

Attribute description

IPv6 address assigned to the user.

-Carries the IPv6 address of the user in an authentication request to the server.

-Carries the IPv6 address assigned by the server to the user in an authentication reply.

Attribute name

WLAN-Reason-Code

Attribute number

185

Attribute type

Octets

Protocol

RFC7268

Attribute description

Reason for the failure of the WLAN endpoint authentication. It is a 32-bit string. The first 16 bits are reserved bits and the last 16 bits indicate the reason code.

Attribute name

WLAN-Pairwise-Cipher

Attribute number

186

Attribute type

Octets

Protocol

RFC7268

Attribute description

Cipher suite for WLAN unicast frames, a 32-bit string. The first 24 bits indicate the OUI and the last 8 bits indicate the suite type. This attribute is present only in authentication request packets.

Attribute name

WLAN-Group-Cipherr

Attribute number

187

Attribute type

Octets

Protocol

RFC7268

Attribute description

Cipher suite for WLAN multicast frames, a 32-bit string. The first 24 bits indicate the OUI and the last 8 bits indicate the suite type. This attribute is present only in authentication request packets.

Attribute name

WLAN-AKM-Suite

Attribute number

188

Attribute type

Octets

Protocol

RFC7268

Attribute description

Authentication and Key Management (AKM) suite, a 32-bit string. The first 24 bits indicate the OUI and the last 8 bits indicate the suite type. This attribute is present only in authentication request packets.

Attribute name

WLAN-Group-Mgmt-Cipher

Attribute number

189

Attribute type

Octets

Protocol

RFC7268

Attribute description

Cipher suite for WLAN multicast management frames, a 32-bit string. The first 24 bits indicate the OUI and the last 8 bits indicate the suite type. This attribute is present only in authentication request packets.

Attribute name

Input-Peak-Rate

Attribute number

1

Attribute type

Integer

Attribute description

Input peak rate from a user to the NAS.

The default measurement unit is bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute name

Input-Average-Rate

Attribute number

2

Attribute type

Integer

Attribute description

Input average rate from a user to the NAS.

The default measurement unit is bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute name

Input-Basic-Rate

Attribute number

3

Attribute type

Integer

Attribute description

Input basic rate from a user to the NAS, in bps.

No service supports this attribute in the current software version.

Attribute name

Output-Peak-Rate

Attribute number

4

Attribute type

Integer

Attribute description

Output peak rate from the NAS to a user, in bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute name

Output-Average-Rate

Attribute number

5

Attribute type

Integer

Attribute description

Output average rate from the NAS to a user, in bps.

When the NAS delivers this attribute to a server, the value cannot be 0xFFFFFFFF. If the server assigns the unit of CAR parameters through the Av-Pair attribute in the format of car:car-unit=kbps, the server-assigned unit kbps takes effect.

Attribute name

Output-Basic-Rate

Attribute number

6

Attribute type

Integer

Attribute description

Output basic rate from the NAS to a user, in bps.

No access service supports this attribute in the current software version.

Attribute name

Remanent-Volume

Attribute number

15

Attribute type

Integer

Attribute description

Total amount of data available for a user. The measurement unit is configurable by using the attribute remanent-volume unit command. The default measurement unit is kilo-byte.

This attribute can be included in authentication response packets, accounting response packets, and CoA packets sent from a server. When the amount of user traffic reaches the value of this attribute, the NAS does not immediately logs off the user. Instead, the NAS triggers an accounting update. If the accounting response packet contains new data quota, the NAS updates the total amount of data available for the user. If the new data quota is 0 or no new data quota is assigned by the server, the NAS logs off the user. If this attribute is included in a CoA packet, the NAS updates the total amount of data available for the user.

Support for this attribute depends on the access type.

Attribute name

ISP-ID

Attribute number

17

Attribute type

String

Attribute description

ISP domain name of a user, a string of 1 to 253 characters.

·     In an Access-Request packet, this attribute represents the authentication domain used by the user to come online.

·     In an Access-Accept packet, this attribute represents the authorization domain assigned to the user for assigning authorization attributes to the user.

Attribute name

Command

Attribute number

20

Attribute type

Integer

Attribute description

Operation for a user session, used for session control. Possible values include:

·     1: Trigger-Request. This value is not used in the current software version.

·     2: Terminate-Request. This value means that the server forcibly logs off the user.

·     3: SetPolicy. This value means that the server requests to change user authorization attributes.

·     4: Result. This value is used to respond to the server with the session operation result.

·     5: PortalClear. This value is not used in the current software version.

Attribute name

Acl-Version

Attribute number

21

Attribute type

Integer

Attribute description

ACL type. This attribute and an ACL name are assigned together to deploy an ACL to a user. Available ACL types:

·     1: IPv4.

·     2: IPv6.

·     3: MAC.

·     4: User.

Attribute name

Priority

Attribute number

22

Attribute type

Integer

Attribute description

Service priority.

No service supports this attribute in the current software version.

Attribute name

Result-Code

Attribute number

25

Attribute type

Integer

Attribute description

Result of the Trigger-Request or SetPolicy operation, zero for success and any other value for failure.

Attribute name

PADM-URL

Attribute number

27

Attribute type

String

Attribute description

PADM URL assigned to a PPPoE user.

Attribute name

Ftp-Directory

Attribute number

28

Attribute type

String

Attribute description

FTP, SFTP, or SCP user working directory.

If this attribute is not assigned by a server, the NAS uses the default working directory of the current system as the FTP, SFTP, or SCP working directory.

Attribute name

Exec-Privilege

Attribute number

29

Attribute type

Integer

Attribute description

EXEC user priority, in the range of 0 to 15.

A server uses this attribute to assign the level-0 to level-15 user roles to device management users.

Attribute name

NAT-IP-Address

Attribute number

32

Attribute type

Address

Attribute description

Public IP address assigned to a user when the source IP address and port are translated.

When an AAA user accesses the external network after NAT, the NAS includes this attribute in accounting request packets to report the public IP address of the user to the server. The server can identify the user by its public IP address.

Attribute name

NAT-Start-Port

Attribute number

33

Attribute type

Integer

Attribute description

Start port number of the port range assigned to a user when the source IP address and port are translated.

The method for including this attribute in a packet and the attribute purposes are the same as those of attribute 32.

Attribute name

NAT-End-Port

Attribute number

34

Attribute type

Integer

Attribute description

End port number of the port range assigned to a user when the source IP address and port are translated.

The method for including this attribute in a packet and the attribute purposes are the same as those of attribute 32.

Attribute name

NAS-Startup-Timestamp

Attribute number

59

Attribute type

Integer

Attribute description

Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC).

Attribute name

Ip-Host-Addr

Attribute number

60

Attribute type

String

Attribute description

User IP address and MAC address included in authentication and accounting requests. The value is a string of 25 to 33 bytes in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address.

If the user IP address is invalid when the NAS sends an authentication request, the NAS pads A.B.C.D with all zeros.

An IMC server preferentially obtains MAC or IP addresses from this attribute for user and MAC or IP address bindings. If the value for this attribute is invalid, the server obtains IP or MAC addresses from the Framed-IP or Calling-Station-Id attribute, respectively.

Attribute name

User-Notify

Attribute number

61

Attribute type

String

Attribute description

Information that must be sent from the server to the client transparently. The value is a string of 1 to 247 bytes. This attribute can appear multiple times in a packet to deliver multiple messages.

The NAS directly delivers this attribute to the client without parsing it. In EAD solutions, the server can use this attribute to deliver server information including the server IP address and port number to the client.

Attribute name

User-HeartBeat

Attribute number

62

Attribute type

String

Attribute description

Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the NAS and verifies the handshake packets from the 802.1X client.

Attribute name

Multicast-Receive-Group

Attribute number

98

Attribute type

Address

Attribute description

IP address of the multicast group that a user joins as a receiver.

This attribute can appear multiple times in a multicast packet to indicate that the user belongs to multiple multicast groups.

Attribute name

IP6-Multicast-Receive-Group

Attribute number

100

Attribute type

Ipv6addr

Attribute description

IPv6 address of the multicast group that a user joins as a receiver.

This attribute can appear multiple times in a multicast packet to indicate that the user belongs to multiple multicast groups.

Attribute name

MLD-Access-Limit

Attribute number

101

Attribute type

Integer

Attribute description

Maximum number of MLD multicast groups that a user can join concurrently.

Attribute name

Local-Name

Attribute number

102

Attribute type

String

Attribute description

L2TP local tunnel name.

Attribute name

IGMP-Access-Limit

Attribute number

103

Attribute type

Integer

Attribute description

Maximum number of IGMP multicast groups that a user can join concurrently.

Attribute name

VPN-Instance

Attribute number

104

Attribute type

String

Attribute description

Name of the MPLS L3VPN instance to which a user belongs.

Attribute name

ANCP-Profile

Attribute number

105

Attribute type

String

Attribute description

ANCP profile name.

Attribute name

Up-Priority

Attribute number

106

Attribute type

Integer

Attribute description

User priority of incoming packets, in the range of 0 to 7 and 15. The value of 15 indicates cancelling user priority authorization.

Attribute name

Down-Priority

Attribute number

107

Attribute type

Integer

Attribute description

User priority of outgoing packets, in the range of 0 to 7 and 15. The value of 15 indicates cancelling user priority authorization.

Attribute name

Longitude-Latitude

Attribute number

111

Attribute type

String

Attribute description

Longitude and latitude information of the NAS. This attribute can only be included in start-accounting and stop-accounting packets.

The value is a string in the format of longitude,latitude. A longitude or latitude is in the format of DirectionDegree.

·     The default directions are east longitude and north latitude. To mark a west longitude or south latitude, add a minus sign (-) before the degree.

·     The degree is in the format of 3 digits plus 6 decimal places. If the number of decimal places is insufficient, use zero paddings.

For example, 123.230000,40.330000 represents east longitude 123.23 degree and north latitude 40.33 degree.

Attribute name

User-Address-Type

Attribute number

120

Attribute type

Integer

Attribute description

Type of the user address used to access the NAS. Values include:

·     0: Public IPv4 user.

·     1: Private IPv4 user.

·     2: Public dual-stack user.

·     3: Private dual-stack user.

·     4: DS-Lite user.

·     5: Pure IPv6 user.

·     6: NAT64 user.

Attribute name

User-Address-Log

Attribute number

121

Attribute type

String

Attribute description

CGN address translation log information, for example, end port number and user address. The value is a string. This attribute is included in accounting request packets.

The fields in this attribute is separated by a colon (:). for example, the value for this attribute can be in the format of mapping-time (format YY/MM/DD/HH/MM/SS):public-IPv4-address:start-port-number:end-port-number:user-IPv4-or-IPv6-address.

Attribute name

Client-Primary-DNS

Attribute number

135

Attribute type

Address

Attribute description

Address of the primary DNS server.

Attribute name

Client-Secondary-DNS

Attribute number

136

Attribute type

Address

Attribute description

Address of the secondary DNS server.

Attribute name

User-Group

Attribute number

140

Attribute type

String

Attribute description

User groups assigned after a user passes authentication. Typically, a user can belong to only one user group. For SSL VPN users, a user can belong to multiple user groups. The user group names are separated by semicolon (;).

If this attribute is included in an authentication response packet, the user is assigned to the specified user groups after it passes authentication.

Attribute name

Acct-IPv6-Input-Octets

Attribute number

144

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the inbound direction.  The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. By default, the unit is byte.

Attribute name

Acct-IPv6-Output-Octets

Attribute number

145

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the outbound direction.  The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. By default, the unit is byte.

Attribute name

Acct-IPv6-Input-Packets

Attribute number

146

Attribute type

Integer

Attribute description

Number of IPv6 packets in the inbound direction. The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include one-packet, kilo-packet, mega-packet, or giga-packet. By default, the unit is one-packet.

Attribute name

Acct-IPv6-Output-Packets

Attribute number

147

Attribute type

Integer

Attribute description

Number of IPv6 packets in the outbound direction. The measurement unit depends on the configuration of the data-flow-format command on the NAS. Supported units include one-packet, kilo-packet, mega-packet, or giga-packet. By default, the unit is one-packet.

Attribute name

Acct-IPv6-Input-Gigawords

Attribute number

148

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the inbound direction divided by 4G. The value is the most significant 32 bits of the Acct-ipv6-Input-Octets attribute (No. 144). The measurement unit is configurable by using the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. The default measurement unit is byte.

Attribute name

Acct-IPv6-Output-Gigawords

Attribute number

149

Attribute type

Integer

Attribute description

Bytes of IPv6 packets in the outbound direction divided by 4G. The value is the most significant 32 bits of the Acct-ipv6-Output-Octets attribute (No. 145). The measurement unit is configurable by using the data-flow-format command on the NAS. Supported units include byte, kilo-byte, mega-byte, and giga-byte. The default measurement unit is byte.

Attribute name

User-Roles

Attribute number

155

Attribute type

String

Attribute description

List of space-separated user roles.

This attribute can appear multiple times in a packet.

Attribute name

Framed-IPv6-Stateless-Prefix-Pool

Attribute number

157

Attribute type

String

Attribute description

IPv6 ND prefix pool.

Attribute name

Framed-IPv6-Address

Attribute number

158

Attribute type

Ipv6addr

Attribute description

IPv6 address used by a user to access the NAS.

Attribute name

Acct-Update-Address

Attribute number

159

Attribute type

Integer

Attribute description

Flag for user IP update. If the value is 1, the user IP address has an update. If the value is 0, the user IP address does not have an update.

Only IPoE and PPP users support this attribute in the current software version.

Attribute name

Auth-Type

Attribute number

180

Attribute type

Integer

Attribute description

User authentication type. Values include:

·     1: PPP authentication.

·     2: IPoE authentication.

·     3: Portal authentication.

·     4: 802.1X authentication.

·     5: MAC authentication.

·     6: Web authentication.

·     7: Login

·     9: Port security static user.

Attribute name

Distributed-Relay-Group-ID

Attribute number

192

Attribute type

integer

Attribute description

DR group ID.

The value of 0 indicates no DR group.

Attribute name

User-Name

Attribute number

193

Attribute type

String

Attribute description

Used by the authentication server to reply with the actual username for MAC authentication or MAC-based transparent authentication. The username is used for display and will not change the username carried in the RADIUS requests of users.

Attribute name

Input-Interval-Octets

Attribute number

201

Attribute type

Integer

Attribute description

Upstream flow difference, in bytes.

No service supports this attribute in the current software version.

Attribute name

Output-Interval-Octets

Attribute number

202

Attribute type

Integer

Attribute description

Downstream flow difference, in bytes.

No service supports this attribute in the current software version.

Attribute name

Input-Interval-Packets

Attribute number

203

Attribute type

Integer

Attribute description

Upstream flow difference, in packets.

No service supports this attribute in the current software version.

Attribute name

Output-Interval-Packets

Attribute number

204

Attribute type

Integer

Attribute description

Downstream flow difference, in packets.

No service supports this attribute in the current software version.

Attribute name

Input-Interval-Gigawords

Attribute number

205

Attribute type

Integer

Attribute description

Upstream flow difference, in Gigawords.

No service supports this attribute in the current software version.

Attribute name

Output-Interval-Gigawords

Attribute number

206

Attribute type

Integer

Attribute description

Downstream flow difference, in Gigawords.

No service supports this attribute in the current software version.

Attribute name

AV-Pair

Attribute number

210

Attribute type

String

Attribute description

Extended attributes assigned in attribute pair form. The format for an extended attribute is attribute-command-keywords=attribute-value.

For more information about the supported extended attributes and their formats, see "H3C AV-Pair (210) subattributes."

Attribute name

Accounting-Level

Attribute number

215

Attribute type

Integer

Attribute description

ITA traffic accounting level, in the range of 1 to 8.

Attribute name

ITA-Policy-Name

Attribute number

216

Attribute type

Octets

Attribute description

Name of an Intelligent Target Accounting (ITA) policy.

Attribute name

DHCP-Option

Attribute number

218

Attribute type

Octets

Attribute description

DHCP option information for the DHCP client. This attribute includes the following fields:

·     Type: Type of the option attribute. By default, the length of this field is 1 byte. You can use the include-attribute h3c-dhcp-option format format2 command to change the length of this field to 2 bytes to meet the requirement of HUAWEI servers.

·     Length: Length of the Value field.

·     Value: Value of the option attribute.

This attribute can be included in authentication request packets, start-accounting packets, and real-time accounting packets.

This attribute can appear multiple times in a packet to deliver multiple DHCP options.

Attribute name

NAS-Port-Name

Attribute number

230

Attribute type

String

Attribute description

Name of the interface through which a user is connected to the NAS.

Attribute name

Authen-Detail-Result

Attribute number

246

Attribute type

Integer

Attribute description

Authentication result details. This attribute is used in conjunction with the Web-URL attribute (No.250). Supported values:

·     0: Cancel redirection. This value can be assigned only through CoA packets.

·     1: Continue redirection until redirection is canceled.

·     2: Perform redirection for a number of times. The maximum number of redirection times is configurable by using the authorization-attribute redirect-times command in ISP domain view on the NAS. By default, the maximum number of redirection times is 2.

Attribute name

Web-URL

Attribute number

250

Attribute type

String

Attribute description

Web redirect URL for a user.

·     In single-stack scenarios, use this attribute to assign an IPv4 or IPv6 URL.

·     In dual-stack scenarios, use this attribute to assign an IPv4 URL and use user-defined attribute pair urlipv6-redirect to assign an IPv6 URL.

Attribute name

Subscriber-ID

Attribute number

251

Attribute type

String

Attribute description

Family plan ID, a string of digits.

Attribute name

Subscriber-Profile

Attribute number

252

Attribute type

String

Attribute description

QoS policy name for the family plan of a subscriber.

Attribute name

Product-ID

Attribute number

255

Attribute type

String

Attribute description

Product name.

Attribute name

HW-Input-Peak-Rate(1.0)/HW-Input-Committed-Burst-Size(1.1)

Attribute number

1

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Peak uplink rate of user access to an NAS device, in bps. 

(Huawei RADIUS1.1 protocol) Uplink committed burst size for user access to an NAS device, in bit.The value length is 4 bytes. To deploy this attribute, you must also deploy the HW-Input-Committed-Info-Rate attribute.

Attribute name

HW-Input-Average-Rate(1.0)/HW-Input-Committed-Info-Rate(1.1)

Attribute number

2

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Average uplink rate of user access to an NAS device, in bps.

(Huawei RADIUS1.1 protocol) Committed uplink rate of user access to an NAS device, in bps. To deploy this attribute, you must also deploy the HW-Input-Committed-Burst-Size attribute.

Attribute name

HW-Input-Basic-Rate(1.0)/HW-Input-Peak-Info-Rate(1.1)

Attribute number

3

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Basic uplink rate of user access to an NAS device, in bps.

(Huawei RADIUS1.1 protocol) Peak uplink rate of user access to an NAS device, in bps. The value length is 4 bytes. Use this attribute for dual leaky bucket. To deploy this attribute, you must also deploy the HW-Input-Committed-Info-Rate attribute.

Attribute name

HW-Output-Peak-Rate(1.0)/HW-Output-Committed-Burst-Size(1.1)

Attribute number

4

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Peak downlink rate from an NAS device to a user, in bps.

(Huawei RADIUS1.1 protocol) Committed burst size for downlink from an NAS device to a user, in bit. The value length is 4 bytes. To deploy this attribute, you must also deploy the HW-Output-Committed-Info-Rate attribute.

Attribute name

HW-Output-Average-Rate(1.0)/HW-Output-Committed-Info-Rate(1.1)

Attribute number

5

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Average downlink rate from an NAS device to a user, in bps.

(Huawei RADIUS1.1 protocol) Committed downlink rate from an NAS device to a user, in bps. To deploy this attribute, you must also deploy the HW-Output-Committed-Burst-Rate attribute.

Attribute name

HW-Output-Basic-Rate(1.0)/HW-Output-Peak-Info-Rate(1.1)

Attribute number

6

Attribute type

Integer

Attribute description

(Huawei RADIUS1.0 protocol) Basic downlink rate from an NAS device to a user, in bps.

(Huawei RADIUS1.1 protocol) Peak downlink rate from an NAS device to a user, in bps. The value length is 4 bytes. Use this attribute for dual leaky bucket. To deploy this attribute, you must also deploy the HW-Output-Committed-Info-Rate attribute.

Attribute name

HW-Command

Attribute number

20

Attribute type

Integer

Attribute description

Action to take on user sessions. Options include:

·     1: Trigger-Request. This option is reserved for future use.

·     2: Terminate-Request. This action indicates forced user logoff.

·     3: SetPolicy. This action indicates that the server requires user authorization attribute modification.

·     4: Result. This action is used to send the session operation result to the server.

·     5: PortalClear. This option is reserved for future use.

Attribute name

HW-Result-Code

Attribute number

25

Attribute type

Integer

Attribute description

Indicates the Trigger-Request or SetPolicy result. 0 indicates success and a non-zero value indicates failure.

Attribute name

HW-PADM-URL

Attribute number

27

Attribute type

String

Attribute description

PADM URL deployed to PPPoE.

Attribute name

HW-FTP-Directory

Attribute number

28

Attribute type

String

Attribute description

Working directory of an FTP/SFTP/SCP user.

If this attribute is not deployed, a NAS device obtains the default directory of the system as the FTP/SFTP/SCP working directory.

Attribute name

HW-Exec-Privilege

Attribute number

29

Attribute type

Integer

Attribute description

EXEC user priority in the range of 0 to 15. 

This attribute is used by the server to assign user role level 0 through level 15 to device management users.

Attribute name

HW-Server-String

Attribute number

61

Attribute type

String

Attribute description

Message sent by the server to a client, a string of 1 to 247 bytes. The attribute can appear multiple times in a packet to deploy multiple messages.

NAS devices pass the attribute directly to clients without parsing the attribute.

Attribute name

HW-VPN-Instance

Attribute number

94

Attribute type

String

Attribute description

Name of the VPN to which a user can join.

Attribute name

HW-Multicast-Receive-Group

Attribute number

98

Attribute type

Address

Attribute description

Address of the multicast group to which a user belongs as a multicast receiver. 

If the attribute appears multiple times in a packet, it indicates that the user belongs to multiple multicast groups.

Attribute name

HW-Primary-DNS

Attribute number

135

Attribute type

Address

Attribute description

Primary DNS server address.

Attribute name

HW-Secondary-DNS

Attribute number

136

Attribute type

Address

Attribute description

Secondary DNS server address.

Attribute name

HW-Domain-Name

Attribute number

138

Attribute type

String

Attribute description

ISP domain name, a string of 1 to 253 characters.

·     The attribute in an Access-Request packet indicates the authentication domain used by user association.

·     The attribute in an Access-Accept packet indicates the authorized domain to a user.

Attribute name

HW-ANCP-Profile

Attribute number

139

Attribute type

String

Attribute description

ANCP policy name.

Attribute name

HW-Max-List-Num

Attribute number

143

Attribute type

Integer

Attribute description

Maximum number of IPv4 multicast groups that a user can join.

Attribute name

HW-Web-URL

Attribute number

253

Attribute type

String

Attribute description

User Web-redirection URL.

Attribute name

MS-CHAP-Response

Attribute number

1

Attribute type

Binary

Attribute description

Response to the MS-CHAP authentication challenge, a string of 50 bytes. 

In the current software version, only PPP users support this attribute.

Attribute name

MS-CHAP-Error

Attribute number

2

Attribute type

Binary

Attribute description

Error information carried in an MS-CHAP Access-Reject packet, a string of 80 bytes. 

In the current software version, only PPP users support this attribute.

Attribute name

MS-CHAP-NT-Enc-PW

Attribute number

6

Attribute type

Binary

Attribute description

New CHAP password obtained by encrypting the old password. The new password contains 516 bytes, which exceeds the maximum length of a RADIUS attribute. The password will be fragmented and carried in multiple attributes for transmission.  The attribute contains a 2-byte serial number for fragment reassembly. 

In the current software version, only PPP users support this attribute.

Attribute name

MS-CHAP-Challenge

Attribute number

11

Attribute type

Binary

Attribute description

CHAP challenge. For MS-CHAP authentication, the value length is 8 bytes. For MS-CHAP2 authentication, the value length is 16 bytes. For MS-CHAP2 password change, the value length is 32 bytes. 

In the current software version, only PPP users support this attribute.

Attribute name

MS-MPPE-Send-Key

Attribute number

16

Attribute type

Binary

Attribute description

MPPE key generated for TLS or PEAP authentication. This attribute is used for 802.1X authentication.

Attribute name

MS-MPPE-Recv-Key

Attribute number

17

Attribute type

Binary

Attribute description

MPPE key generated for TLS or PEAP authentication. This attribute is used for 802.1X authentication.

Attribute name

MS-CHAP2-Response

Attribute number

25

Attribute type

Binary

Attribute description

Response to the CHAP2 authentication challenge. The value length is 50 bytes. 

In the current software version, only PPP users support this attribute.

Attribute name

MS-CHAP2-Success

Attribute number

26

Attribute type

Binary

Attribute description

Authentication success code. The value length is 42 bytes. 

In the current software version, only PPP users support this attribute.

Attribute name

MS-CHAP2-ChangePW

Attribute number

27

Attribute type

Binary

Attribute description

MS-CHAP2 password change information. 

If the password of a user has expired, the user can change the password.

In the current software version, only PPP users support this attribute.

Attribute name

MS-Primary-DNS

Attribute number

28

Attribute type

Binary

Attribute description

Primary DNS server address.

Attribute name

MS-Secondary-DNS

Attribute number

29

Attribute type

Binary

Attribute description

Secondary DNS server address.

Attribute name

user_access_level

Attribute number

1

Attribute type

Integer

Attribute description

EXEC user priority in the range of 0 to 15. 

This attribute is used by the server to assign user role level 0 through level 15 to device management users.

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Extended attribute deployed in AV pair format, which is Attribute Name=Attribute Value.

For more information about supported extended attributes and formats, see the table blow.

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Deployed voice VLAN:

device-traffic-class=voice

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Deployed user role list.

shell:roles="xxx yyy zzz"

shell:allowed-roles="xxx" (Only for super users)

Use a space to separate two role names.

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Deployed user redirection URL:

url-redirect=xxx

Deployed user redirection ACL:

url-redirect-acl=xxx

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

Integer

Attribute description

Deployed port restart command:

subscriber:command=bounce-host-port

Deployed port shutdown command:

subscriber:command=disable-host-port

Deployed port restart duration in seconds:

bounce:seconds=xxx

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

EDSG service policy name:

edsg-policy=policyname

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Server-assigned colon-separated list of EDSG service policies to be activated.

edsg-policy:activelist=policyname1;policyname2;…;policynameN

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Server-assigned colon-separated list of deactivated EDSG service policies.

edsg-policy:deactivelist=policyname1;policyname2;…;policynameN

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Server-assigned EDSG service policy with a username.

edsg-policy:username=[policyname]username

Attribute name

CISCO-AV-Pair

Attribute number

1

Attribute type

String

Attribute description

Server-assigned EDSG service policy with a password.

edsg-policy:password=[policyname]password

Attribute name

User-Address-Type

Attribute number

120

Attribute type

Integer

Attribute description

User access address type. Options include:

·     0: Public network IPv4 user

·     1: Private network IPv4 user

·     2: Public network dual-stack user

·     3: Private network dual-stack user

·     4: DS-Lite user

·     5: Pure IPv6 user

·     6: NAT64 user