[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The following sections describe the most frequently used Radius attributes. Each attribute is described as follows:
ATTRIBUTE name value type |
Users: | user-flags |
|
Hints: | hints-flags |
|
Huntgroups: | huntgroup-flags |
|
Additivity: | additivity | |
Proxy propagated: | prop |
These values have the following meaning:
The entry N/A for any of this fields signifies "not applicable".
14.1 Authentication Attributes 14.2 Accounting Attributes 14.3 Radius Internal Attributes
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
These are the attributes the NAS uses in authentication packets and expects to get back in authentication replies. These can be used in matching rules.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
CHAP-Password
ATTRIBUTE CHAP-Password 3 string |
Users: | L- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | No |
This attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets.
The CHAP challenge value is found in the CHAP-Challenge attribute (60) if present in the packet, otherwise in the request authenticator field.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Callback-Id
ATTRIBUTE Callback-Id 20 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute indicates the name of a place to be called, to be interpreted by the NAS. It may be used in Access-Accept packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Callback-Number
ATTRIBUTE Callback-Number 19 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute indicates a dialing string to be used for callback. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Called-Station-Id
ATTRIBUTE Called-Station-Id 30 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Calling-Station-Id
ATTRIBUTE Calling-Station-Id 31 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using automatic number identification (ANI) or similar technology. It is only used in Access-Request packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Class
ATTRIBUTE Class 25 string |
Users: | LR |
|
Hints: | LR |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-Compression
ATTRIBUTE Framed-Compression 13 integer |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
VALUE Framed-Compression None 0 VALUE Framed-Compression Van-Jacobson-TCP-IP 1 |
This attribute indicates a compression protocol to be used for the link. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.
More than one compression protocol attribute may be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-IP-Address
ATTRIBUTE Framed-IP-Address 8 ipaddr |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.
The value 0xFFFFFFFF
(255.255.255.255
) indicates that
the NAS should
allow the user to select an address. The value 0xFFFFFFFE
(255.255.255.254
)
indicates that the NAS should select an address for the user (e.g. assigned
from a pool of addresses kept by the NAS). Other valid values indicate
that the NAS should use that value as the user's IP.
When used in a RHS, the value of this attribute can
optionally be followed by a plus sign. This usage means that
the value of NAS-Port-Id
must be added to this IP before
replying. For example,
Framed-IP-Address = 10.10.0.1+ |
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-IP-Netmask
ATTRIBUTE Framed-IP-Netmask 9 ipaddr |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-MTU
ATTRIBUTE Framed-MTU 12 integer |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-Protocol
ATTRIBUTE Framed-Protocol 7 integer |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
VALUE Framed-Protocol PPP 1 VALUE Framed-Protocol SLIP 2 |
This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-Route
ATTRIBUTE Framed-Route 22 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Framed-Routing
ATTRIBUTE Framed-Routing 10 integer |
Users: | -R |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Replace | |
Proxy propagated: | No |
VALUE Framed-Routing None 0 VALUE Framed-Routing Broadcast 1 VALUE Framed-Routing Listen 2 VALUE Framed-Routing Broadcast-Listen 3 |
This attribute indicates the routing method for the user when the user is a router to a network. It is only used in Access-Accept packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Idle-Timeout
ATTRIBUTE Idle-Timeout 28 integer |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
NAS-IP-Address
ATTRIBUTE NAS-IP-Address 4 ipaddr |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute indicates the identifying IP of the NAS
which is requesting authentication of the user. It is only used
in Access-Request packets. Each Access-Request packet should contain
either a NAS-IP-Address
or a NAS-Identifier
attribute
(14.1.16 NAS-Identifier
).
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
NAS-Identifier
ATTRIBUTE NAS-Identifier 32 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute contains a string identifying the NAS originating
the access request. It is only used in Access-Request packets.
Either NAS-IP-Address
or NAS-Identifier
should be present in an
Access-Request packet.
See section 14.1.15 NAS-IP-Address
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
NAS-Port-Id
ATTRIBUTE NAS-Port-Id 5 integer |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute indicates the physical port number of the NAS that is authenticating the user. It is only used in Access-Request packets. Note that here we are using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number.
Some NASes try to encode various information in the NAS-Port-Id
attribute value. For example, the MAX Ascend terminal server constructs
NAS-Port-Id
by concatenating the line type (one digit), the line number
(two digits), and the channel number (two digits), thus producing
a five-digit port number. In order to normalize such encoded
port numbers we recommend using a rewrite function (see section 5.12 Rewrite functions -- `raddb/rewrite').
A rewrite function for MAX Ascend servers is provided in the
distribution.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
NAS-Port-Type
ATTRIBUTE NAS-Port-Type 61 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | No |
VALUE NAS-Port-Type Async 0 VALUE NAS-Port-Type Sync 1 VALUE NAS-Port-Type ISDN 2 VALUE NAS-Port-Type ISDN-V120 3 VALUE NAS-Port-Type ISDN-V110 4 |
This attribute indicates the type of the physical port of the NAS
that is authenticating the user. It can be used instead of or in
addition to the NAS-Port-Id
(14.1.17 NAS-Port-Id
) attribute. It
is only used in
Access-Request packets. Either NAS-Port
or NAS-Port-Type
or
both should be present in an Access-Request packet, if the NAS
differentiates among its ports.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Reply-Message
ATTRIBUTE Reply-Message 18 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | Yes |
This attribute indicates text that may be displayed to the user.
When used in an Access-Accept, it is the success message.
When used in an Access-Reject, it is the failure message. It may indicate a dialog message to prompt the user before another Access-Request attempt.
When used in an Access-Challenge, it may indicate a dialog message to prompt the user for a response.
Multiple Reply-Message
attributes may be included, and if any
are displayed,
they must be displayed in the same order as they appear in in the
packet.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Service-Type
ATTRIBUTE Service-Type 6 integer |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
VALUE Service-Type Login-User 1 VALUE Service-Type Framed-User 2 VALUE Service-Type Callback-Login-User 3 VALUE Service-Type Callback-Framed-User 4 VALUE Service-Type Outbound-User 5 VALUE Service-Type Administrative-User 6 VALUE Service-Type NAS-Prompt-User 7 VALUE Service-Type Authenticate-Only 8 VALUE Service-Type Call-Check 10 |
This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets.
When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated.
When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service.
The meaning of various service types is as follows:
Login-User
Framed-User
Framed-IP-Address
attribute (see section 14.1.8 Framed-IP-Address
) will
supply the IP to be used.
Callback-Login-User
Callback-Framed-User
Outbound-User
Administrative-User
NAS-Prompt
Authenticate-Only
Call-Check
Callback-NAS-Prompt
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Session-Timeout
ATTRIBUTE Session-Timeout 27 integer |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
State
ATTRIBUTE State 24 string |
Users: | LR |
|
Hints: | LR |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.
This attribute is available to be sent by the server to the client
in an Access-Accept that also includes a Termination-Action
attribute with the value RADIUS-Request
. If the NAS performs
the termination action by sending a new Access-Request upon
termination of the current session, it must include the State
attribute unchanged in that Access-Request.
In either usage, no interpretation by the client should be made.
A packet may have only one State
attribute.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Termination-Action
ATTRIBUTE Termination-Action 29 integer |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Replace | |
Proxy propagated: | No |
VALUE Termination-Action Default 0 VALUE Termination-Action RADIUS-Request 1 |
This attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
User-Name
ATTRIBUTE User-Name 1 string |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Replace | |
Proxy propagated: | Yes |
This attribute indicates the name of the user to be authenticated or
accounted. It is used in Access-Request and Accounting attributes.
The length of the user name is usually limited by some arbitrary value.
By default, Radius supports user names up to 32 characters long. This
value can be modified by redefining the RUT_USERNAME
macro in the
`include/radutmp.h' file in the distribution directory and recompiling the
program.
Some NASes have peculiarities about sending long user names. For example, the Specialix Jetstream 8500 24-port access server inserts a `/' character after the 10th character if the user name is longer than 10 characters. In such cases, we recommend applying rewrite functions in order to bring the user name to its normal form (see section 5.12 Rewrite functions -- `raddb/rewrite').
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
User-Password
ATTRIBUTE User-Password 2 string |
Users: | L- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | No |
This attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets.
On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the request authenticator. This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User-Password attribute.
If the password is longer than 16 characters, a second one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the result of the first xor. That hash is XORed with the second 16 octet segment of the password and placed in the second 16 octets of the string field of the User-Password attribute.
If necessary, this operation is repeated, with each XOR result being used along with the shared secret to generate the next hash to XOR the next segment of the password, up to no more than 128 characters.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Vendor-Specific
(This message will disappear, once this node revised.)
ATTRIBUTE Vendor-Specific 26 string |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute is available to allow vendors to support their own extended attributes not suitable for general usage. <FIXME> some more detail over the VSAs? How does GNU Radius handle unknown VSAs? </>
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
These are attributes the NAS sends along with accounting requests. These attributes can not be used in matching rules.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Authentic
ATTRIBUTE Acct-Authentic 45 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
VALUE Acct-Authentic RADIUS 1 VALUE Acct-Authentic Local 2 VALUE Acct-Authentic Remote 3 |
This attribute may be included in an Accounting-Request to indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated should not generate accounting records.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Delay-Time
ATTRIBUTE Acct-Delay-Time 41 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Input-Octets
ATTRIBUTE Acct-Input-Octets 42 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute indicates how many octets have been received from
the port over the course of this service being provided, and can
only be present in Accounting-Request records where
Acct-Status-Type
is set to Stop
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Input-Packets
ATTRIBUTE Acct-Input-Packets 47 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute indicates how many packets have been received from
the port over the course of this service being provided to a
framed user, and can only be present in Accounting-Request records
where Acct-Status-Type
is set to Stop
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Output-Octets
ATTRIBUTE Acct-Output-Octets 43 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute indicates how many octets have been sent to the
port in the course of delivering this service, and can only be
present in Accounting-Request records where Acct-Status-Type
is set to Stop
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Output-Packets
ATTRIBUTE Acct-Output-Packets 48 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute indicates how many packets have been sent to the
port in the course of delivering this service to a framed user,
and can only be present in Accounting-Request records where
Acct-Status-Type
is set to Stop
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Session-Id
ATTRIBUTE Acct-Session-Id 44 string |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute is a unique accounting ID to make it easy to match
start and stop records in a log file. The start and stop records
for a given session must have the same Acct-Session-Id
. An
Accounting-Request packet must have an Acct-Session-Id
. An
Access-Request packet may have an Acct-Session-Id
; if it does,
then the NAS must use the same Acct-Session-Id
in the
Accounting-Request
packets for that session.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Session-Time
ATTRIBUTE Acct-Session-Time 46 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
This attribute indicates how many seconds the user has received
service for, and can only be present in Accounting-Request records
where Acct-Status-Type
is set to Stop
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Status-Type
ATTRIBUTE Acct-Status-Type 40 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
VALUE Acct-Status-Type Start 1 VALUE Acct-Status-Type Stop 2 VALUE Acct-Status-Type Alive 3 VALUE Acct-Status-Type Accounting-On 7 VALUE Acct-Status-Type Accounting-Off 8 |
This attribute indicates whether this Accounting-Request marks the
beginning of the user service (Start
) or the end (Stop
).
It may also be used to mark the start of accounting (for example,
upon booting) by specifying Accounting-On
and to mark the end of
accounting (for example, just before a scheduled reboot) by specifying
Accounting-Off
.
A special value Alive
or Interim-Update
indicates the packet that
contains some additional data to the initial Start
record or to the
last Alive
record.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Terminate-Cause
ATTRIBUTE Acct-Terminate-Cause 49 integer |
Users: | -- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | N/A | |
Proxy propagated: | N/A |
VALUE Acct-Terminate-Cause User-Request 1 VALUE Acct-Terminate-Cause Lost-Carrier 2 VALUE Acct-Terminate-Cause Lost-Service 3 VALUE Acct-Terminate-Cause Idle-Timeout 4 VALUE Acct-Terminate-Cause Session-Timeout 5 VALUE Acct-Terminate-Cause Admin-Reset 6 VALUE Acct-Terminate-Cause Admin-Reboot 7 VALUE Acct-Terminate-Cause Port-Error 8 VALUE Acct-Terminate-Cause NAS-Error 9 VALUE Acct-Terminate-Cause NAS-Request 10 VALUE Acct-Terminate-Cause NAS-Reboot 11 VALUE Acct-Terminate-Cause Port-Unneeded 12 VALUE Acct-Terminate-Cause Port-Preempted 13 VALUE Acct-Terminate-Cause Port-Suspended 14 VALUE Acct-Terminate-Cause Service-Unavailable 15 VALUE Acct-Terminate-Cause Callback 16 VALUE Acct-Terminate-Cause User-Error 17 VALUE Acct-Terminate-Cause Host-Request 18 |
This attribute indicates how the session was terminated, and can
only be present in Accounting-Request records where
Acct-Status-Type
is set to Stop
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
These are attributes used by GNU Radius during the processing of a request. They are never returned to the NAS. Mostly, they are used in matching rules.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Ext-Program
ATTRIBUTE Acct-Ext-Program 2008 string |
Users: | -- |
|
Hints: | -R |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | N/A |
The Acct-Ext-Program
attribute can be used in RHS of an
`raddb/hints' to require the execution of an external accounting
program or filter. If the attribute value starts with a vertical bar
(`|'), then the attribute specifies the filter program to be used.
If it starts with a slash (`/'), then it is understood as
the full pathname and arguments for the external program to be executed.
Using any other character as the start of this string results in error.
The command line can reference any attributes from both check and reply pairlists using attribute macros (see section 5.14 Macro Substitution).
Before the execution of the program, radiusd
switches to the
uid and gid of the user daemon
and the group daemon
. You can
override these defaults by setting variables exec-program-user
and exec-program-group
in configuration file to proper values
(see section The option statement).
The accounting program must exit with status 0 to indicate a successful accounting.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Acct-Type
ATTRIBUTE Acct-Type 2003 integer |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | N/A |
VALUE Acct-Type None 0 VALUE Acct-Type System 1 VALUE Acct-Type Detail 2 VALUE Acct-Type SQL 3 |
The Acct-Type
allows one to control which accounting methods
must be used for a given user or group of users. In the absence
of this attribute, all currently enabled accounting types are used.
See section 8. Accounting, for more information about accounting types.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Auth-Failure-Trigger
This attribute specifies an external program or a Scheme expression to be run upon an authentication failure. The handling of this attribute depends upon its value:
If the value of Auth-Failure-Trigger
begins with `/', it
is taken to contain a command line for invoking an external
program. In this case radiusd
invokes the program much the
same way it does when handling Exec-Program
attribute, i.e. the
program is invoked with standard input closed, its standard output and
standard error are captured and redirected to
`radlog/radius.stderr' file, the return value of the
program is ignored.
If the value of Auth-Failure-Trigger
begins with `(', it
is executed it as a Scheme
expression. The return value of the
expression is ignored.
This attribute is designed as a means to provide special handling for authentication failures. It can be used, for example, to increase failure counters and to block accounts after a specified number of authentication failures occurs. See section 7.10 Controlling Authentication Probes, for the detailed discussion of its usage.
<FIXME> There is no corresponding Auth-Success-Trigger
...
Exec-Program
or Scheme-Procedure
may be used for the
purpose, the latter, however, is not able to execute s-exps. At
the time of this writing the release 1.3 is being prepared, so I do
not want to introduce any possibly destabilizing changes. This will be
fixed in future releases. </>
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Auth-Data
ATTRIBUTE Auth-Data 2006 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Replace | |
Proxy propagated: | N/A |
The Auth-Data
can be used to pass additional data to the
authentication methods that need them. In version 1.3
of GNU Radius, this attribute may be used in conjunction with the
SQL
and Pam
authentication types. When used with the
Pam
authentication type, this attribute holds the name
of the PAM service to use. This attribute is temporarily
appended to the authentication request, so its value can be
referenced to as %C{Auth-Data}
.
See section 5.11.2 Authentication Server Parameters, for an example of
of using the Auth-Data
attribute in `raddb/sqlserver':
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Auth-Type
ATTRIBUTE Auth-Type 1000 integer |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
VALUE Auth-Type Local 0 VALUE Auth-Type System 1 VALUE Auth-Type Crypt-Local 3 VALUE Auth-Type Reject 4 VALUE Auth-Type SQL 252 VALUE Auth-Type Pam 253 VALUE Auth-Type Accept 254 |
This attribute tells the server which type of authentication to apply to a particular user. It can be used in the LHS of the user's profile (see section 7. Authentication.)
Radius interprets values of Auth-Type
attribute as follows:
Local
User-Password
attribute from the record is taken
as a cleantext password and is compared against the User-Password
value
from the input packet.
System
Crypt-Local
User-Password
attribute from the record is taken
as an MD5 hash on the user's password. Radius generates MD5 hash
on the supplied User-Password
value and compares the two strings.
Reject
Accept
SQL
Mysql
Mysql
is an alias maintained for compatibility
with other versions of Radius.
Pam
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Crypt-Password
ATTRIBUTE Crypt-Password 1006 string |
Users: | L- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute is intended to be used in user's profile LHS.
It specifies the MD5 hash of the user's password. When this attribute
is present, Auth-Type = Crypt-Local
is assumed. If both Auth-Type
and Crypt-Password
are present, the value of Auth-Type
is
ignored.
See section 14.3.5 Auth-Type
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Exec-Program-Wait
ATTRIBUTE Exec-Program-Wait 1039 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
When present in the RHS, the Exec-Program-Wait
attribute specifies
the program to be executed when the entry matches. If the attribute
value string starts with vertical bar (`|'), then the attribute
specifies the filter program to be used. If it starts with
slash (`/'), then it is understood as the full
pathname and arguments for the external program to be executed. Using
any other character as the start of this string results in error.
14.3.7.1 Running an External Program 14.3.7.2 Using an External Filter
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The command line can reference any attributes from both check and reply pairlists using attribute macros see section 5.14 Macro Substitution.
Before the execution of the program, radiusd
switches to
uid and gid of the user daemon
and the group daemon
. You can
override these defaults by setting the variable exec-program-user
in the configuration file to a proper value.
See section The option statement.
The daemon will wait until the program terminates. The return value of its execution determines whether the entry matches. If the program exits with a nonzero code, then the match fails. If it exits with a zero code, the match succeeds. In this case the standard output of the program is read and parsed as if it were a pairlist. The attributes thus obtained are added to the entry's reply attributes.
Suppose the `users' file contains the following entry:
DEFAULT Auth-Type = System, Simultaneous-Use = 1 Exec-Program-Wait = "/usr/local/sbin/telauth \ %C{User-Name} \ %C{Calling-Station-Id}" |
Then, upon successful matching, the program
`/usr/local/sbin/telauth' will be executed. It will get as its
arguments the values of the User-Name
and Calling-Station-Id
attributes from the request pairs.
The `/usr/local/sbin/telauth' can, for example, contain the following:
#! /bin/sh DB=/var/db/userlist if grep "$1:$2" $DB; then echo "Service-Type = Login," echo "Session-Timeout = 1200" exit 0 else echo "Reply-Message = \ \"You are not authorized to log in\"" exit 1 fi |
It is assumed that `/var/db/userlist' contains a list of
username
:caller-id
pairs for those users that are
authorized to use login service.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
If the value of Exec-Program-Wait
attribute begins with `|',
radiusd
strips this character from the value and uses the
resulting string
as a name of the predefined external filter. Such filter must be
declared in `raddb/config' (see section 5.1.10 filters
statement).
DEFAULT Auth-Type = System, Simultaneous-Use = 1 Exec-Program-Wait = "|myfilter" |
and let the `raddb/config' contain the following (6):
filters { filter myfilter { exec-path "/usr/libexec/myfilter"; error-log "myfilter.log"; auth { input-format "%C{User-Name} %C{Calling-Station-Id}"; wait-reply yes; }; }; }; |
/usr/libexec/myfilter
will be invoked, if it hasn't already been
started for this thread. Any output it sends to its standard error
will be redirected to the file `myfilter.log' in the current
logging directory. A string consisting of the user's login name and
his calling station ID followed by a newline will be sent to the
program.
The following is a sample /usr/libexec/myfilter
written
in the shell:
#! /bin/sh DB=/var/db/userlist while read NAME CLID do if grep "$1:$2" $DB; then echo "0 Service-Type = Login, Session-Timeout = 1200" else echo "1 Reply-Message = \ \"You are not authorized to log in\"" fi done |
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Exec-Program
ATTRIBUTE Exec-Program 1038 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
When present in the RHS, the Exec-Program
attribute specifies
the full pathname and arguments for the program to be executed when the
entry matches.
The command line can reference any attributes from both check and reply pairlists, using attribute macros (see section 5.14 Macro Substitution).
Before the execution of the program, radiusd
switches to the
uid and gid of the user daemon
and the group daemon
. You can
override these defaults by setting variables exec-program-user
and exec-program-group
in configuration file to proper values
The option statement.
The daemon does not wait for the process to terminate.
Suppose the `users' file contains the following entry:
DEFAULT Auth-Type = System, Simultaneous-Use = 1 Exec-Program = "/usr/local/sbin/logauth \ %C{User-Name} \ %C{Calling-Station-Id}" |
Then, upon successful matching, the program
`/usr/local/sbin/logauth' will be executed. It will get as its
arguments the values of the User-Name
and Calling-Station-Id
attributes from the request pairs.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Fall-Through
ATTRIBUTE Fall-Through 1036 integer |
Users: | LR |
|
Hints: | LR |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | No |
VALUE Fall-Through No 0 VALUE Fall-Through Yes 1 |
The Fall-Through
attribute should be used in the reply list.
If its value is set to Yes
in a particular record, that
tells Radius to continue looking up other records
even when the record at hand matches the request. It can be used to provide
default values for several profiles.
Consider the following example. Let's suppose the `users' file contains the following:
johns Auth-Type = SQL Framed-IP-Address = 11.10.10.251, Fall-Through = Yes smith Auth-Type = SQL Framed-IP-Address = 11.10.10.252, Fall-Through = Yes DEFAULT NAS-IP-Address = 11.10.10.1 Service-Type = Framed-User, Framed-Protocol = PPP |
Then after successful matching of a particular user's record,
the matching will continue until it finds the DEFAULT
entry,
which will add its RHS to the reply pairs for
this request. The effect is that, if user `johns' authenticates
successfully she gets the following reply pairs:
Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 11.10.10.251 |
whereas user smith
gets
Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 11.10.10.252 |
Note that the attribute Fall-Through
itself
is never returned to the NAS.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Group
ATTRIBUTE Group 1005 string |
Users: | L- |
|
Hints: | L- |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Hint
ATTRIBUTE Hint 1040 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
Use the Hint
attribute to specify additional matching criteria
depending on the hint (see section 5.6 Request Processing Hints -- `raddb/hints').
Let the `hints' file contain
DEFAULT Prefix = "S", Strip-User-Name = No Hint = "SLIP" |
and the `users' file contain
DEFAULT Hint = "SLIP", NAS-IP-Address = 11.10.10.12, Auth-Type = System Service-Type = Framed-User, Framed-Protocol = SLIP |
Then any user having a valid system account and coming from NAS `11.10.10.12' will be provided SLIP service if his user name starts with `S'.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Huntgroup-Name
ATTRIBUTE Huntgroup-Name 221 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
The Huntgroup-Name
can be used either in the LHS of the
`users' file record or in the RHS of the `huntgroups'
file record.
When encountered in a LHS of a particular `users' profile, this attribute indicates the huntgroup name to be matched. Radius looks up the corresponding record in the `huntgroups' file. If such a record is found, each A/V pair from its reply list is compared against the corresponding pair from the request being processed. The request matches only if it contains all the attributes from the specified huntgroup, and their values satisfy the conditions listed in the huntgroup pairs.
For example, suppose that the authentication request contains the following attributes:
User-Name = "john", User-Password = "guess", NAS-IP-Address = 10.11.11.1, NAS-Port-Id = 24 |
Let us further suppose that the `users' file contains the following entry:
john Huntgroup-Name = "users_group", Auth-Type = System Service-Type = Login |
and, finally, `huntgroups' contains the following entry:
users_group NAS-IP-Address = 10.11.11.1 NAS-Port-Id < 32 |
Then the authentication request will succeed, since it contains
NAS-Port-Id
attribute and its value is less than 32.
See section 5.7 Huntgroups -- `raddb/huntgroups'.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Log-Mode-Mask
ATTRIBUTE Log-Mode-Mask 2007 integer |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | N/A |
VALUE Log-Mode-Mask Log-Auth 1 VALUE Log-Mode-Mask Log-Auth-Pass 2 VALUE Log-Mode-Mask Log-Failed-Pass 4 VALUE Log-Mode-Mask Log-Pass 6 VALUE Log-Mode-Mask Log-All 7 |
Log-Mode-Mask
is used to control the verbosity of authentication
log messages for given user or class of users. The meaning of its
values is:
Log-Auth
Log-Auth-Pass
Log-Failed-Pass
Log-Pass
Log-All
Technical details: After authentication, the server collects all
Log-Mode-Mask
attributes from the incoming request and LHS
of the user's entry. The values of these attributes ORed together
form a mask, which is applied via an XOR operation to the current log
mode. The value thus obtained is used as effective log mode.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Login-Time
ATTRIBUTE Login-Time 1042 string |
Users: | L- |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | No |
The Login-Time
attribute specifies the time range over which the user
is allowed to log in. The attribute should be specified in the LHS.
The format of the Login-Time
string is the same as that of UUCP
time ranges. The following description of the time range format is
adopted from the documentation for the Taylor UUCP package:
A time string may be a list of simple time strings separated with vertical bars `|' or commas `,'.
Each simple time string must begin either with a day-of-week abbreviation (one of `Su', `Mo', `Tu', `We', `Th', `Fr', `Sa'), or `Wk' for any day from Monday to Friday inclusive, or `Any' or `Al' for any day.
Following the day may be a range of hours separated with a hyphen, using 24-hour time. The range of hours may cross 0; for example `2300-0700' means any time except 7 AM to 11 PM. If no time is given, calls may be made at any time on the specified day(s).
The time string may also be the single word `Never', which does not match any time.
Here are a few sample time strings with an explanation of what they mean.
This means weekdays before 8:55 AM or after 11:05 PM, any time Saturday, or Sunday before 4:55 PM or after 11:05 PM. These are approximately the times during which night rates apply to phone calls in the U.S.A. Note that this time string uses, for example, `2305' rather than `2300'; this will ensure a cheap rate even if the computer clock is running up to five minutes ahead of the real time.
This means weekdays from 9:05 AM to 10:55 PM, or Sunday from 5:05 PM to 10:55 PM. This is approximately the opposite of the previous example.
This means any day. Since no time is specified, it means any time on any day.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Match-Profile
ATTRIBUTE Match-Profile 2004 string |
Users: | LR |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
The Match-Profile
attribute can be used in LHS and RHS lists of a
user profile. Its value is the name of another user's profile (target
profile). When Match-Profile
is used in the LHS, the incoming
packet will match this profile only if it matches the target profile.
In this case the reply pairs will be formed by concatenating the RHS
lists from both profiles.
When used in the RHS, this attribute causes the reply pairs
from the target profile to be appended to the reply from the current
profile if the target profile matches the incoming request.
For example:
IPPOOL NAS-IP-Address = 10.10.10.1 Framed-Protocol = PPP, Framed-IP-Address = "10.10.10.2" IPPOOL NAS-IP-Address = 10.10.11.1 Framed-Protocol = PPP, Framed-IP-Address = "10.10.11.2" guest Auth-Type = SQL Service-Type = Framed-User, Match-Profile = IPPOOL |
In this example, when user guest
comes from NAS
10.10.10.1
, he is
assigned IP 10.10.10.2
, otherwise if he is coming from NAS
10.10.11.1
he is assigned IP 10.10.11.2
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Menu
ATTRIBUTE Menu 1001 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute should be used in the RHS. If it is used, it should be the only reply item.
The Menu
attribute specifies the name of the menu to be presented
to the user. The corresponding menu code is looked up in the
`RADIUS_DIR/menus/' directory (see section 5.13 Login Menus -- `raddb/menus').
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Pam-Auth
ATTRIBUTE Pam-Auth 1041 string |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
The Pam-Auth
attribute can be used in conjunction with
Auth-Type = Pam |
to supply the PAM service name instead of the default `radius'.
It is ignored if Auth-Type
attribute is not set to Pam
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Prefix
ATTRIBUTE Prefix 1003 string |
Users: | L- |
|
Hints: | L- |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
The Prefix
attribute indicates the prefix that the user name
should contain in order for a particular record in the profile
to be matched. This attribute should be specified in the LHS
of the `users' or `hints' file.
For example, if the `users' file contained
DEFAULT Prefix = "U", Auth-Type = System Service-Type = Login-User |
then the user names `Ugray' and `Uyoda' would match this record, whereas `gray' and `yoda' would not.
Both Prefix
and Suffix
attributes may be specified in
a profile. In this case the record is matched only if the user name
contains both the prefix and the suffix specified.
See section 14.3.27 Suffix
, and
14.3.26 Strip-User-Name
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Proxy-Replied
ATTRIBUTE Proxy-Replied 2012 integer |
Users: | L- |
|
Hints: | L- |
|
Huntgroups: | L- |
|
Additivity: | Replace | |
Proxy propagated: | N/A |
VALUE Proxy-Replied No 0 VALUE Proxy-Replied Yes 1 |
radiusd
adds this attribute to the incoming request if it
was already processed by a remote radius server.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Realm-Name
(This message will disappear, once this node revised.)
ATTRIBUTE Realm-Name 2013 string |
Users: | L- |
|
Hints: | L- |
|
Huntgroups: | L- |
|
Additivity: | Append | |
Proxy propagated: | No |
<FIXME> This is an `internal attribute'. It keeps the realm name
of the user. The Realm-Name
attribute is added to the proxied
request after receiving a reply from the realm server. See section 14.3.19 Proxy-Replied
. </>
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Replace-User-Name
ATTRIBUTE Replace-User-Name 2001 string |
Users: | LR |
|
Hints: | LR |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | No |
VALUE Replace-User-Name No 0 VALUE Replace-User-Name Yes 1 |
Use this attribute to modify the user name from the incoming packet. The
Replace-User-Name
can reference any attributes from both LHS
and RHS pairlists using attribute macros (5.14 Macro Substitution).
For example, the `users' entry
guest NAS-IP-Address = 11.10.10.11, Calling-Station-Id != "" Auth-Type = Accept Replace-User-Name = "guest#%C{Calling-Station-Id}", Service-Type = Framed-User, Framed-Protocol = PPP |
allows the use of PPP service for user name guest
, coming from NAS
`11.10.10.11' with a nonempty Calling-Station-Id
attribute.
A string consisting of a `#' character followed by the
Calling-Station-Id
value is appended to the user name.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Rewrite-Function
ATTRIBUTE Rewrite-Function 2004 string |
Users: | LR |
|
Hints: | LR |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
The Rewrite-Function
attribute specifies the name of the
rewriting function to be applied to the request. The attribute
may be specified in either pairlist in the entries of
the `hints' or `huntgroups' configuration file.
The corresponding function should be defined in `rewrite' as
integer name() |
i.e., it should return an integer value and should not take any arguments.
See section Packet rewriting rules, 5.6 Request Processing Hints -- `raddb/hints'; 5.7 Huntgroups -- `raddb/huntgroups'.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Scheme-Acct-Procedure
ATTRIBUTE Scheme-Acct-Procedure 2010 string |
Users: | -- |
|
Hints: | -R |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | N/A |
The Scheme-Acct-Procedure
attribute is used to set the name
of the Scheme accounting procedure. See section 11.3.3 Accounting with Scheme, for
information about how to write Scheme accounting procedures.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Scheme-Procedure
ATTRIBUTE Scheme-Procedure 2009 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Append | |
Proxy propagated: | N/A |
The Scheme-Procedure
attribute is used to set the name
of the Scheme authentication procedure. See section 11.3.2 Authentication with Scheme, for
information about how to write Scheme authentication procedures.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Simultaneous-Use
ATTRIBUTE Simultaneous-Use 1034 integer |
Users: | L- |
|
Hints: | -R |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any further attempts to log in are rejected.
See section 7.9 Multiple Login Checking.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Strip-User-Name
ATTRIBUTE Strip-User-Name 1035 integer |
Users: | LR |
|
Hints: | LR |
|
Huntgroups: | -R |
|
Additivity: | Append | |
Proxy propagated: | No |
VALUE Strip-User-Name No 0 VALUE Strip-User-Name Yes 1 |
The value of Strip-User-Name
indicates whether Radius should
strip any prefixes/suffixes specified in the user's profile from the
user name. When it is set to Yes
, the user names will be logged and
accounted without any prefixes or suffixes.
A user may have several user names for different kind of services. In this case differentiating the user names by their prefixes and stripping them off before accounting would help keep accounting records consistent.
For example, let's suppose the `users' file contains
DEFAULT Suffix = ".ppp", Strip-User-Name = Yes, Auth-Type = SQL Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Suffix = ".slip", Strip-User-Name = Yes, Auth-Type = SQL Service-Type = Framed-User, Framed-Protocol = SLIP |
Now, user `johns', having a valid account in the SQL database, logs in as `johns.ppp'. She then is provided the PPP service, and her PPP session is accounted under user name `johns'. Later on, she logs in as `johns.slip'. In this case she is provided the SLIP service and again her session is accounted under her real user name `johns'.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Suffix
ATTRIBUTE Suffix 1004 string |
Users: | L- |
|
Hints: | L- |
|
Huntgroups: | LR |
|
Additivity: | Append | |
Proxy propagated: | No |
The Suffix
attribute indicates the suffix that the user name
should contain in order for a particular record in the profile
to be matched. This attribute should be specified in LHS
of the `users' or `hints' file.
For example, if the `users' file contained
DEFAULT Suffix = ".ppp", Auth-Type = System, Strip-User-Name = Yes Service-Type = Framed-User, Framed-Protocol = PPP |
then the user names `gray.ppp' and `yoda.ppp' would match this record, whereas `gray' and `yoda' would not.
Both Prefix
and Suffix
attributes may be specified in
a profile. In this case the record is matched only if the user name
contains both the prefix and the suffix specified.
See section 14.3.18 Prefix
, and
14.3.26 Strip-User-Name
.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Termination-Menu
ATTRIBUTE Termination-Menu 1002 string |
Users: | -R |
|
Hints: | -- |
|
Huntgroups: | -- |
|
Additivity: | Replace | |
Proxy propagated: | No |
This attribute should be used in the RHS. If it is used, it should be the only reply item.
The Termination-Menu
specifies the name of the menu file to be
presented to the user after finishing his session. The corresponding
menu code is looked up in the `RADIUS_DIR/menus/' directory
(see section 5.13 Login Menus -- `raddb/menus').
[ << ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |