RADIUS Attribute Definitions
This page contains a list of RADIUS attribute definitions, with links to the relevant standards.
It is critical that all vendors and administrators follow the RFC definitions of attributes. Standardization enables devices from different manufacturers to communicate using shared protocols and frameworks. RFC-compliant systems have consistent behaviour, which prevents interoperability issues that can cause problems in production networks.
In addition to interoperability issues, FreeRADIUS depends on the data types which are defined in RFC 8044. Many modules in the server use specific RFC attributes, and rely on using their defined data types. Changing the definitions of those attributes in the dictionaries will cause problems. Since the server needs a specific definition for these attributes, it will detect edits to the dictionaries, and refuse to start if the dictionary definitions for standard attributes have been modified.
RADIUS also has a finite range (1-255) available for standard attributes. Defining a local attribute with a number that an RFC already uses creates a collision: the server and the NAS will disagree about what the octets on the wire mean. Vendors who need custom attributes must use Vendor-Specific attributes (RFC 2865 Attribute 26), which are scoped by Vendor-Id and therefore cannot collide with the standard space.
For local site policy, administrators can define local attributes in the local dictionary. These attributes should use the DEFINE keyword, which avoids all issues with assigning attribute numbers. Policies in unlang can also use local variables. None of these local attributes is ever sent over the network.
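The following Python code is an added illustration of the three kinds of attribute described above, not code from the FreeRADIUS project: standard attributes numbered 1-255 (where a reused number is rejected as a collision), vendor attributes carried inside Vendor-Specific (Attribute 26) and scoped by Vendor-Id, and DEFINE-style internal attributes that have no number and are dropped before anything reaches the wire. The `Dictionary` class, the `encode`/`decode` helpers and the attribute names are hypothetical; the vendor number 32473 is the enterprise number IANA reserves for documentation, and the sample values are constructed.

```python
import struct

VENDOR_SPECIFIC = 26     # RFC 2865 section 5.26
MAX_ATTR_VALUE = 253     # 255 minus the Type and Length octets
MAX_VSA_VALUE = 247      # 253 minus Vendor-Id (4), Vendor-Type (1), Vendor-Length (1)
EXAMPLE_VENDOR = 32473   # enterprise number reserved for documentation (RFC 5612)


class Dictionary:
    """Hypothetical dictionary holding the three kinds of attribute on this page:
    standard (numbered 1..255), vendor-specific (numbered under Attribute 26 and
    scoped by Vendor-Id) and internal (DEFINE-style: usable in policy, never on
    the wire)."""

    def __init__(self):
        self.by_name = {}   # name -> ("std", n) | ("vsa", vendor, n) | ("internal",)
        self.std = {}       # standard number -> name
        self.vsa = {}       # (vendor, number) -> name

    def _claim_name(self, name):
        if name in self.by_name:
            raise ValueError("attribute %s already defined" % name)

    def add_standard(self, name, number):
        self._claim_name(name)
        if not 1 <= number <= 255:
            raise ValueError("standard attribute numbers are 1..255")
        if number in self.std:
            # The collision the text warns about: two meanings for one number.
            raise ValueError("number %d already used by %s" % (number, self.std[number]))
        self.std[number] = name
        self.by_name[name] = ("std", number)

    def add_vendor(self, name, vendor, number):
        self._claim_name(name)
        if not 1 <= number <= 255:
            raise ValueError("vendor attribute numbers are 1..255")
        if (vendor, number) in self.vsa:
            raise ValueError("vendor %d number %d already used" % (vendor, number))
        self.vsa[(vendor, number)] = name
        self.by_name[name] = ("vsa", vendor, number)

    def define_internal(self, name):
        self._claim_name(name)
        self.by_name[name] = ("internal",)


def encode(dic, items):
    """Encode (name, value-bytes) pairs into an RFC 2865 attribute list.
    Internal attributes are silently dropped; unknown names are an error."""
    out = bytearray()
    for name, value in items:
        kind = dic.by_name.get(name)
        if kind is None:
            raise KeyError("unknown attribute %s" % name)
        if kind[0] == "internal":
            continue                       # never leaves the server
        if kind[0] == "std":
            if not 1 <= len(value) <= MAX_ATTR_VALUE:
                raise ValueError("value length out of range for %s" % name)
            out += bytes([kind[1], len(value) + 2]) + value
        else:
            _, vendor, number = kind
            if not 1 <= len(value) <= MAX_VSA_VALUE:
                raise ValueError("value length out of range for %s" % name)
            inner = bytes([number, len(value) + 2]) + value
            vdata = struct.pack("!I", vendor) + inner
            out += bytes([VENDOR_SPECIFIC, len(vdata) + 2]) + vdata
    return bytes(out)


def decode(dic, body):
    """Walk a TLV attribute list. Unknown attributes decode as Attr-N or
    Vendor-V-Attr-N instead of failing; malformed lengths raise. Assumes one
    vendor sub-attribute per Vendor-Specific, the layout RFC 2865 recommends."""
    result = []
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[off], body[off + 1]
        if l < 2 or off + l > len(body):
            raise ValueError("bad attribute length at offset %d" % off)
        value = body[off + 2:off + l]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific")
            vendor = struct.unpack("!I", value[:4])[0]
            vt, vl = value[4], value[5]
            if vl < 2 or vl != len(value) - 4:
                raise ValueError("bad vendor attribute length")
            name = dic.vsa.get((vendor, vt), "Vendor-%d-Attr-%d" % (vendor, vt))
            result.append((name, value[6:]))
        else:
            result.append((dic.std.get(t, "Attr-%d" % t), value))
        off += l
    return result
```

The decoder never fails on an attribute it does not know; it only fails on lengths that cannot be right. That mirrors the practical rule behind the text: an unknown number is an interoperability problem, a reused number is a silent misinterpretation, and a bad length is a malformed packet.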
Attribute RFCs and Definitions
The following tables list the RADIUS attributes which are defined in the RFCs. Each attribute includes a brief explanation and a direct link to its definition in the RFCs.
A
Contains the response to the dial-in client's challenge.
Holds password information that the NAS should send to the user in an ARAP "feature flags" packet.
Contains the dial-in user's response to the NAS challenge.
Identifies the ARAP Security Module to be used in an Access-Challenge packet.
Contains the security module challenge or response in Access-type packets.
Indicates how the ARAP zone list for the user is to be used.
RADIUS attributes providing support for IEEE 802.16 Privacy Key Management (version 1).
Access-Accept packets contain the configuration information needed to start delivery of service to the user.
Access-Challenge packets are sent by the RADIUS server in response to an Access-Request when it requires a further response from the user before it can decide.
Access-Reject packets are sent when any value of the received attributes is not acceptable, for example when authentication fails.
Access-Request packets carry the information used to determine whether the user is allowed access, and what level of service to provide.
Accounting-Request packets carry the accounting information for a service or resource provided to a user.
Accounting-Response packets are acknowledgements indicating that the Accounting-Request has been received and recorded.
Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol.
The number of seconds the client has been trying to send this accounting record; subtracting it from the time of arrival gives the approximate time of the event.
Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided.
The number of octets received from the port over the course of this service being provided.
The number of packets received from the port over the course of this service being provided.
The number of seconds between each interim accounting update for this session. It can only appear in an Access-Accept.
Gives the count of links known to have been in a given multilink session at the time the accounting record is generated.
A unique Accounting ID that makes it easy to link together multiple related sessions in a log file.
Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 over the course of this service being provided.
The number of octets sent to the port over the course of this service being provided.
The number of packets sent to the port over the course of this service being provided.
A unique Accounting ID that makes it easy to match the start and stop records for a session in a log file.
Indicates how many seconds the user has received service for.
Indicates whether this Accounting-Request marks the beginning of the user service (Start), the end (Stop), or an interim update.
Indicates how the session was terminated.
Contains the identifier assigned to the tunnel session.
Tracks the number of packets lost on a given tunnel link.
C
Contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user.
Contains the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge.
Indicates the name of a place to be called, to be interpreted by the NAS.
Indicates a dialing string to be used for callback.
The phone number that the user called, using Dialed Number Identification (DNIS) or similar technology.
The phone number that the call came from, using Automatic Number Identification (ANI) or similar technology.
Contains information for dynamically changing the authorization of a session that is already in progress.
The Chargeable User Identity (CUI) is a unique handle used to correlate authentication and accounting operations for a specific user.
This Attribute is available to be sent by the server to the client in an Access-Accept packet, and should be sent unmodified by the client to the accounting server as part of the Accounting-Request.
Indicates a type of user profile to be used; sent from a RADIUS proxy server to a RADIUS proxy client in an Access-Accept.
Indicates the nature of the user's connection.
D
Contains the IPv6 address of a DNS server.
Provides IPv4 and IPv6 connectivity to users who are addressed only with an IPv6 prefix.
Specifies the Fully Qualified Domain Name (FQDN) of the Address Family Transition Router (AFTR) that the client connects to.
Contains the IPv6 prefix that is delegated to the user.
Contains the name of an assigned pool used for prefix delegation.
Contains the auts parameter that is used in the Digest AKA calculation.
Holds the algorithm parameter that defines the HTTP Digest calculation.
Used for future extensions; maps to the auth-param parameter of RFC 2617.
Contains the client nonce (cnonce) parameter that is used in HTTP Digest calculations.
Contains a URI that helps define the protection space for HTTP-style protocols.
Contains the hash of the HTTP-style message body, used in the digest calculation.
Enables the generation of an Authentication-Info header.
Contains the opaque parameter that is passed to the HTTP-style client.
Holds a nonce to be used in the HTTP Digest calculation.
Holds a nonce to be used in the HTTP Digest calculation.
Contains the nonce count parameter that is used to detect replay attacks.
Contains the opaque parameter that is passed to the HTTP-style client.
Contains the
Describes a protection space component of the RADIUS server.
If present in an Access-Request, the RADIUS server processes the Access-Request as a request for Digest Authentication.
Enables the RADIUS server to prove possession of the password.
A true/false value sent by a RADIUS server to notify the client whether it has accepted a nonce.
Contains the contents of the digest-uri directive or the URI of the HTTP-style request.
Holds the user name used in the HTTP Digest calculation.
E
This attribute encapsulates EAP packets, allowing the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol itself.
Provides more detail on why a NAS could not honor a Disconnect-Request or CoA-Request.
Included in Accounting-Request packets to record the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC.
Encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space 241.{1-255}.
Encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space 242.{1-255}.
Encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space 243.{1-255}.
Encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space 244.{1-255}.
Defines the RADIUS Type Code 241.26, of the "evs" (Extended-Vendor-Specific) data type.
Defines the RADIUS Type Code 242.26, of the "evs" (Extended-Vendor-Specific) data type.
Defines the RADIUS Type Code 243.26, of the "evs" (Extended-Vendor-Specific) data type.
Defines the RADIUS Type Code 244.26, of the "evs" (Extended-Vendor-Specific) data type.
Defines the RADIUS Type Code 245.26, of the "evs" (Extended-Vendor-Specific) data type.
Defines the RADIUS Type Code 246.26, of the "evs" (Extended-Vendor-Specific) data type.
F
Indicates the name of the filter list to be applied to the Supplicant's session.
Indicates the name of the filter list for this user.
The AppleTalk network number to be used for the serial link to the user, which is another AppleTalk router.
The AppleTalk network number which the NAS should probe to allocate an AppleTalk node for the user.
Defines the AppleTalk Default Zone to be used for this user.
Indicates a compression protocol to be used for the link.
Indicates the address to be configured for the user.
Indicates the IP netmask to be configured for the user when the user is a router to a network.
Indicates the IPX Network number to be configured for the user.
Indicates an IPv6 address that is assigned to the NAS-facing interface of the RG/host.
Contains the name of an assigned pool that is used to assign an IPv6 prefix for the user.
Indicates an IPv6 prefix (and corresponding route) to be configured for the user.
Provides routing information to be configured for the user on the NAS.
Indicates the IPv6 interface identifier to be configured for the user.
Indicates the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP).
Contains the name of an assigned address pool used to assign an address for the user.
Indicates the framing to be used for framed access.
Provides routing information to be configured for the user on the NAS.
Indicates the routing method for the user, when the user is a router to a network.
I
Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. |
L
Indicates the system with which to connect the user, when the Login-Service Attribute is included.
Indicates the system with which to connect the user, when the Login-Service Attribute is included.
Contains a string identifying the LAT group codes which this user is authorized to use.
Indicates the Node with which the user is to be automatically connected by LAT.
Indicates the Port with which the user is to be connected by LAT.
Indicates the system with which the user is to be connected by LAT.
Indicates the service to use to connect the user to the login host.
Indicates the TCP port with which the user is to be connected, when the Login-Service Attribute is also present.
Encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space 245.{1-255}.
Encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space 246.{1-255}.
M
This attribute is only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP).
Indicates the reason for a server-initiated password change.
Represents the method used to authenticate the dial-up user.
Represents the Extensible Authentication Protocol (EAP) type used to authenticate the dial-up user.
Determines whether the use of BAP is allowed, disallowed or required on new multilink calls.
Allows the user to change their password if it has expired.
Allows the user to change their password if it has expired.
Contains the challenge sent by a NAS to an MS-CHAP user.
Indicates the Windows NT domain in which the user was authenticated.
Contains error data related to the preceding MS-CHAP exchange.
Contains the new Windows NT password encrypted with the old LAN Manager password hash.
Present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP).
Contains the new Windows NT password encrypted with the old Windows NT password hash.
Contains the response value provided by a PPP MS-CHAP user in response to the challenge.
Allows the user to change their password if it has expired.
Contains the response value provided by an MS-CHAP-V2 peer in response to the challenge.
Contains the response value provided by an MS-CHAP-V2 peer in response to the challenge.
Indicates the length of time (in seconds) that a link must be underutilized before it is dropped.
Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination.
Signifies whether the use of encryption is allowed or required.
Signifies which encryption types are allowed or required.
Contains a session key to use for encrypting packets received by the NAS from the remote host.
Contains a session key to use for encrypting packets sent by the NAS to the remote host.
Contains the new ARAP password during a password change operation.
Contains the old ARAP password during a password change operation.
The IP address of the primary Domain Name Server (DNS) to be used by the PPP peer.
The IP address of the primary NetBIOS Name Server (NBNS) to be used by the PPP peer.
The manufacturer name of the RADIUS client machine.
The software version of the RADIUS client machine.
The IP address of the secondary DNS server to be used by the PPP peer. This attribute can be included in Access-Accept or Accounting-Request packets.
The IP address of the secondary NetBIOS Name Server (NBNS) to be used by the PPP peer.
The name of the management access policy for this user.
The privilege level assigned to the authenticated user for management access.
The minimum level of protection required for transport within a management access session.
Contains an HMAC-MD5, keyed with the shared secret, over the entire packet. It is used to sign Access-Requests to prevent spoofing of requests using CHAP, ARAP or EAP authentication, and is mandatory whenever an EAP-Message attribute is present (RFC 3579).
Contains the mobile node identifier (MN-Identifier) that identifies the device on the network.
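The Message-Authenticator computation described above, as an added example written for this page rather than code from FreeRADIUS: the HMAC-MD5 is computed over the whole Access-Request with the attribute's 16 value octets zeroed, and the verifier recomputes it the same way. The helper names and the sample User-Name, NAS address and shared secret are constructed for the example; the strict "Length must equal packet size" check is a defensive simplification (RFC 2865 lets a receiver ignore trailing octets).

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14


def encode_attr(attr_type, value):
    """One RFC 2865 attribute: Type (1), Length (1, includes the header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def iter_attrs(body):
    """Yield (offset, type, value) for each attribute; raise on bad lengths."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[off], body[off + 1]
        if l < 2 or off + l > len(body):
            raise ValueError("bad attribute length")
        yield off, t, body[off + 2:off + l]
        off += l


def build_access_request(secret, ident, attrs, request_authenticator=None):
    """Build an Access-Request carrying Message-Authenticator. The HMAC-MD5 is
    keyed with the shared secret and computed over the whole packet with the
    attribute's 16 value octets set to zero, then written into place."""
    ra = request_authenticator or os.urandom(16)   # RFC 2865: random per request
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, zeroed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet):
    """Server-side check: reject if the attribute is absent, malformed,
    duplicated, or does not match; compare in constant time."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    body = packet[20:]
    ma_off = None
    try:
        for off, t, v in iter_attrs(body):
            if t == MESSAGE_AUTHENTICATOR:
                if len(v) != 16 or ma_off is not None:
                    return False   # wrong size, or a second copy (defensive choice)
                ma_off = off
    except ValueError:
        return False
    if ma_off is None:
        return False
    received = body[ma_off + 2:ma_off + 18]
    zeroed = body[:ma_off + 2] + bytes(16) + body[ma_off + 18:]
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

Without this attribute an Access-Request is bound to the shared secret only through the User-Password hiding, so a request carrying CHAP, ARAP or EAP data (which has no User-Password) could be forged or altered by anyone who can reach the server; that is why the verifier treats an absent or duplicated attribute as a failure rather than falling back to "unsigned".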
N
The filter rules to be applied for this user.
The IP address of the NAS which is requesting authentication of the user.
The IPv6 address of the NAS which is requesting authentication of the user.
A string used to identify the NAS originating the Access-Request packet.
The physical port number of the NAS which is authenticating the user.
The name (text string) used to reference the port of the NAS which is authenticating the user.
The type of the physical port of the NAS which is authenticating the user.
P
Contains a PKM authorisation key.
A string value containing the X.509 certificate of the CA that signed the SS certificate.
Contains string values that map to the relevant TLVs used in the PKM configuration.
Contains a list of cryptosuites that may be used when creating security associations.
Specifies the characteristics of a PKM security association.
Contains a PKM Security Association Identifier (SAID).
Contains an X.509 certificate (public key).
The number of authentication attempts a user may be allowed before being disconnected.
Sets the maximum number of ports to be provided to the user by the NAS.
This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request, and must be returned unmodified in the response.
R
A text message that may be shown to the user.
Defines the prefix and route for the user on the NAS.
S
This attribute identifies the URI and is used for the authorisation of SIP messages.
The name of the service or the external network with which the mobility service for the particular MN should be associated.
The type of service the user has requested, or the type of service to be provided.
The maximum number of seconds of service to be provided to the user before the session terminates.
Sent by the server to the client in an Access-Challenge, and returned unmodified by the client to the server in the new Access-Request that answers the challenge.
The assigned pool used to select an IPv6 address for the user on the NAS.
T
This Attribute indicates what action the NAS should take when the specified service is completed.
This Attribute is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned.
This Attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.
This Attribute contains the address of the initiator end of the tunnel.
This value marks the rejection of the establishment of a new link in an existing tunnel.
This value marks the creation of a tunnel link.
This value marks the destruction of a tunnel link.
This Attribute indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports.
Contains a password to be used to authenticate to a remote server.
An attribute to indicate the relative preference assigned to each tunnel.
This Attribute indicates the group ID for a particular tunneled session.
This attribute identifies the URI and is used for the authorisation of SIP messages.
This Attribute specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment.
This Attribute indicates the address of the server end of the tunnel.
This value MAY be used to mark the establishment of a tunnel with another node.
This value MAY be used to mark the destruction of a tunnel to or from another node.
This Attribute indicates the tunneling protocol(s) to be used for a tunnel (either as a tunnel initiator or terminator).
U
This Attribute indicates the name of the user to be authenticated.
This Attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge.
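The User-Password attribute above is not sent in the clear, but it is not encrypted in any modern sense either: RFC 2865 section 5.2 hides it by XORing each 16-octet block with MD5(shared secret + previous block), seeded with the Request Authenticator. The code below is an added example written for this page, not FreeRADIUS code, showing both directions of that transform and the offline check it allows an attacker who has captured one request with a known password. The function names, the secret and the passwords are constructed for the example.

```python
import hashlib


def _pad16(data):
    # RFC 2865 5.2: pad with nul octets to a multiple of 16 (never more than 128).
    return data + bytes((-len(data)) % 16)


def hide_user_password(secret, request_authenticator, password):
    """Hide a User-Password as RFC 2865 section 5.2 specifies:
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c          # chaining: the hidden block keys the next MD5
    return bytes(out)


def reveal_user_password(secret, request_authenticator, hidden):
    """Server-side reversal. Trailing nul padding is stripped, so a password
    cannot itself end in a nul octet."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden User-Password must be 16..128 octets, a multiple of 16")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def secret_matches_capture(secret_guess, request_authenticator, hidden, known_password):
    """Offline test an attacker can run against one captured Access-Request whose
    password is known (for example their own account): no interaction with the
    server is needed, so a short or guessable shared secret falls quickly."""
    return hide_user_password(secret_guess, request_authenticator, known_password) == hidden
```

The last function is the reason RADIUS deployments keep the shared secret long and random and carry the protocol inside IPsec or RADIUS/TLS rather than on a bare network: the hiding depends entirely on the secret, and one captured packet is enough to test guesses offline. Tunnel-Password (RFC 2868) uses the same MD5 construction with a 2-octet salt prepended, so the same caveat applies to it.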