AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Routers. It covers common information collection and fault diagnostic commands, typical fault troubleshooting guides, and troubleshooting.
What Are the RADIUS Attributes Supported by AR Routers

Table 29-69 describes the standard RADIUS attributes.

Table 29-69  Standard RADIUS attributes

Attribute No. Name Attribute Type Usage Remarks
1 User-Name String Depending on the command line configuration, the user name can contain the domain name (such as user0001@isp) or does not contain the domain name (such as user0001). The value is a string of 1 to 129 characters, that is, user name (64 characters) + domain name (64 characters).
2 User-Password String In PAP authentication, the user password is transmitted to the server after being encrypted by NAS. The PAP authentication password supported by the AR routers consists of 0-128 characters. The length of password encapsulated in RADIUS packets is the multiple of 16, and ranges from 16 to 128.
3 CHAP-Password String This attribute is only valid for CHAP authentication. The value is a string of 17 characters, in which CHAP ID contains 1 character and CHAP challenge contains 16 characters.
4 NAS-IP-Address Address This attribute indicates the identifying IP address of the NAS, which is requesting authentication of the user.
  • The value is an interface address if the NAS is bound to an interface.
  • The value is the IP address of the interface sending packets if the NAS is not bound to an interface.
The value contains 4 bytes.
5 NAS-Port Integer This attribute indicates the physical port number of the NAS which is authenticating the user. The formats are as follows:
  • 12-bit slot ID + 8-bit port number + 12-bit VLAN ID. Zeros are added when the bits are not occupied.
  • 8-bit slot ID + 4-bit subcard number + 8-bit port number + 12-bit VLAN ID. Zeros are added when the bits are not occupied.
The value contains 4 bytes.
6 Service-Type Integer When a user is authenticated, this attribute has a fixed value of 2, indicating the Framed type. When an administrator is authenticated, this attribute has a fixed value of 6, indicating the Administrator type. The value contains 4 bytes.
7 Framed-Protocol Integer On the switch, the value of Framed-Protocol is set to 1 for non-administrator users, indicating the PPP type. The value is set to 6 for administrators. The value contains 4 bytes.
8 Framed-IP-Address Address This attribute indicates the address to be configured for the user. The following addresses are invalid:
  • 0
  • 0XFFFFFFFE and 0XFFFFFFFF
  • Addresses on network segment 127.0.0.0/8
  • Addresses on network segment 224-255/8
If the user IP address is invalid, the NAS allocates a valid address to the user. For example, after allocating IP address 8.0.0.7 (0x08000007) to a user, the server sets the value of Framed-IP-Address to 0x08000007.
The value contains 4 bytes.
11 Filter-Id String Generally, the attribute contains the ACL number for the user. The value contains 1 to 32 bytes.
14 Login-IP-Host Address This attribute indicates the IP address of an administrator. When this value is 0, 0xFFFFFFFF, or 0xFFFFFFFE in the Access-Accept packet, the NAS does not check the IP address of the administrator. If the value is not 0, 0xFFFFFFFF, or 0xFFFFFFFE, the NAS checks whether the administrator's IP address is the same as the delivered address.
15 Login-Service Integer The attribute indicates the type of service used by the login user. 0: telnet; 5: X25-PAD; 50: SSH; 51: FTP; 52: Terminal. The attribute can contain multiple service types.
18 Reply-Message String When the attribute is in the Access-Accept packet, it indicates that the message is sent successfully. When the attribute is in the Access-Reject packet, it indicates that the message is rejected. This attribute is valid for only web authentication users. (The web server must support this attribute.) The value contains 1 to 253 bytes.
19 Callback-Number String The attribute indicates the information from the authentication server to be displayed to users, such as the mobile phone numbers.
24 State String The attribute can be sent by the server to the client in the format of the Access-Challenge packet and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.
26 Vendor-Specific String This attribute is defined by the vendor.
27 Session-Timeout Integer
  • In an Access-Accept packet, this attribute indicates the maximum number of seconds of service to be provided to the user.
  • In an Access-Challenge packet, this attribute indicates the re-authentication duration of EAP users.
The value contains 4 bytes.
28 Idle-Timeout Integer This attribute indicates the idle-cut time, in seconds. The value contains 4 bytes.
29 Termination-Action Integer This attribute indicates what action the NAS should take when the specified service is completed for the user, including re-authentication or forcible disconnection. The value 0 indicates the forcible disconnection and the value 1 indicates re-authentication. The attribute is only valid for 802.1X authentication.
31 Calling-Station-Id String This attribute allows the NAS to send the phone number where the call came from in the Access-Request packet. The value is usually a MAC address.
32 NAS-Identifier String This attribute indicates the name of the NAS, namely, the sysname. The value contains 1 to 30 bytes.
40 Acct-Status-Type Integer This attribute indicates the type of the Accounting-Request packet. There are five types:
  • Start (Value=1)
  • Stop (Value=2)
  • Interim-Update (Value=3)
  • Accounting-On (Value=7)
  • Accounting-Off (Value=8)
The value contains 4 bytes.
41 Acct-Delay-Time Integer This attribute indicates how many seconds the client has been trying to send an accounting record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. On a switch, Acct-Delay-Time consists of two parts. One part is the difference between the time when RADIUS obtains data from the AAA and the latest update time. The other part is the delay in sending the Account-Request packet, including retransmission time. The value contains 4 bytes.
44 Acct-Session-Id String The format of this attribute is: Host name (7 digits) + slot ID (2 digits) + card number (1 digit) + port number (2 digits) + outer VLAN ID (4 digits) + inner VLAN ID (5 digits) + CPUTICK (6 digits) + connection index of the user (6 digits).
45 Acct-Authentic Integer The attribute indicates the authentication type:
  • RADIUS authentication (Value=1)
  • Local authentication (Value=2)
  • Other remote authentication (Value=3)
The value contains 4 bytes.
46 Acct-Session-Time Integer This attribute indicates how many seconds the user has received service for. The value contains 4 bytes.
49 Acct-Terminate-Cause Integer This attribute indicates how the session was terminated. The value contains 4 bytes.
55 Event-Timestamp Integer This attribute is included in an Accounting-Request packet to record the time that the event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC. The value contains 4 bytes.
60 CHAP_Challenge String This attribute is only valid for CHAP authentication. The value is a string of 16 bytes.
61 NAS-Port-Type Integer The attribute indicates the NAS port type, which can be configured on the switch interface. By default, the type is Ethernet (15). The value contains 4 bytes.
64 Tunnel-Type Integer This attribute indicates the tunnel protocol type. If the Tunnel-Type value is 13, a VLAN ID is delivered.
65 Tunnel-Medium-Type Integer This attribute indicates which transport medium to use when creating a tunnel. It has a fixed value of 6, indicating Ethernet. The value contains 4 bytes.
79 EAP-Message String This attribute encapsulates EAP packets. When the length of an EAP packet exceeds 253 bytes, multiple attributes can be encapsulated.
80 Message-Authenticator String This attribute contains encryption information about EAP packets in EAPoR authentication.
81 Tunnel-Private-Group-ID String This attribute indicates the group ID for a particular tunneled session. The value is a string of 32 bytes. Currently, the attribute is used to deliver user VLAN IDs.
85 Acct_Interim_Interval Integer The attribute indicates the interim accounting interval, in seconds. It is recommended that you set the value to be larger than 60. The value ranges from 0 to 3932100. The value 0 indicates that interim accounting is disabled. The value greater than 3932100 indicates that the user cannot log in to the NAS. The value contains 4 bytes.
87 NAS-Port-Id String This attribute identifies the port of the NAS which is authenticating the user. The formats are as follows:
  • 2-bit slot ID + 2-bit subcard number + 3-bit port number + 9-bit VLAN ID
  • Slot=Slot ID;Subslot=Subcard number;Port=Port Number;VLAN ID=VLAN
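The User-Password (2) row says the encapsulated value is always a multiple of 16 bytes, from 16 to 128. The sketch below is an added example, not Huawei code: it applies the standard RADIUS password hiding from RFC 2865 section 5.2 with the AR length limits, which shows where the 16-byte blocks come from and that the protection rests only on MD5 and the shared secret. The function names are hypothetical.

```python
import hashlib

MAX_PASSWORD_LEN = 128  # AR routers accept PAP passwords of 0-128 characters


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Encode a PAP password as the User-Password (2) value (RFC 2865, 5.2)."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password longer than 128 bytes")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    # Pad with NULs to a multiple of 16; an empty password still fills one block.
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse; rejects lengths the User-Password row rules out."""
    if not 16 <= len(value) <= 128 or len(value) % 16:
        raise ValueError("User-Password must be 16-128 bytes, a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(value), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = value[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")
```

Anyone who knows the shared secret and sees the Request Authenticator can reverse the value, so the strength of the shared secret and the protection of the path between NAS and server matter more than the attribute encoding itself.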

Table 29-70 describes the Huawei private RADIUS attributes.

Table 29-70  Huawei private RADIUS attributes
No. Name Attribute Type Usage Remarks
26-1 HW-Input-Peak-Information-Rate Integer Indicates the upstream peak rate, in bit/s.
26-2 HW-Input-Committed-Information-Rate Integer Indicates the upstream average rate, in bit/s.
26-3 HW-Input-Committed-Burst-Size Integer Indicates the upstream committed burst size, in bit/s.
26-4 HW-Output-Peak-Information-Rate Integer Indicates the downstream peak rate, in bit/s.
26-5 HW-Output-Committed-Information-Rate Integer Indicates the downstream average rate, in bit/s.
26-6 HW-Output-Committed-Burst-Size Integer Indicates the downstream committed burst size, in bit/s.
26-22 HW-Priority Integer Indicates the priority. After this attribute is delivered, HW-Up-Priority and HW-Down-Priority are invalid.
26-28 HW-FTP-Directory String This attribute indicates the initial directory of the FTP user. The maximum length of this field is 64 bytes.
26-29 HW-Exec-Privilege Integer The attribute indicates the administrator priority, such as a Telnet user. The value ranges from 0 to 16, and the value 16 indicates that the user does not have the administrator's authority.
26-59 HW-NAS-Startup-Time-Stamp Integer The attribute indicates the time when the device starts. The value is the number of seconds since 1970.
26-60 HW-IP-Host-Address String This attribute indicates the user IP address and MAC address contained in the authentication request packet or accounting request packet, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address must be separated by a space. If the user's IP address is detected invalid during authentication, A.B.C.D is set to 255.255.255.255. The value is a string of up to 33 characters in the format "IP address MAC address."
26-61 HW-Up-Priority Integer Indicates the upstream priority.
26-62 HW-Down-Priority Integer Indicates the downstream priority.
26-77 HW-Input-Peak-Burst-Size Integer Indicates the upstream peak rate, in bit/s.
26-78 HW-Output-Peak-Burst-Size Integer Indicates the downstream peak rate, in bit/s.
26-82 HW-Data-Filter String Indicates the delivered ACL in the format:
acl acl-num key1 key-value1... keyN key-valueN permit/deny
  • permit: allows users matching the rules to access the network.
  • deny: prevents users matching the rules from accessing the network.
  • acl: delivers ACL rules.
  • acl-num: specifies the ACL number, ranging from 10000 to 10999.
  • keyM(1≤M≤N): indicates the keywords in an ACL rule. The values are as follows:
    • src-ip: source IP address
    • src-ipmask: source IP address mask
    • dest-ip: destination IP address
    • dest-ipmask: destination IP address mask
    • src-mac: source MAC address
    • dest-mac: destination MAC address
    • tcp-srport: source TCP port
    • tcp-dstport: destination TCP port
    • udp-srcport: source UDP port
    • udp-dstport: destination UDP port
  • key-valueM(1<M<N): value corresponding to ACL keyword, including IP address, IP address mask, MAC address, and port number.
NOTE:
  • All the keywords are case-insensitive.
  • All the keywords and/or key values are separated by spaces.
  • Key values cannot be placed behind permit and deny.
  • The keywords are arranged in any sequence.
26-254 HW-Version String Indicates the switch version.
26-255 HW-Product-ID String Indicates the switch name.
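HW-Data-Filter (26-82) lets the RADIUS server push an ACL rule to the NAS, so it is worth checking each string against the grammar in Table 29-70 before it goes into a user profile. The validator below is an added example, not Huawei code. The function names, the single-use rule for keywords and the 0-65535 port range are assumptions, and an empty keyword list is accepted because the page does not say whether it is allowed.

```python
import ipaddress
import re

# Keywords exactly as spelled in the HW-Data-Filter row, mapped to a value kind.
KEYWORDS = {
    "src-ip": "ip", "src-ipmask": "ip", "dest-ip": "ip", "dest-ipmask": "ip",
    "src-mac": "mac", "dest-mac": "mac",
    "tcp-srport": "port", "tcp-dstport": "port",
    "udp-srcport": "port", "udp-dstport": "port",
}


def _number(token: str, low: int, high: int, what: str) -> int:
    if not re.fullmatch(r"[0-9]+", token) or not low <= int(token) <= high:
        raise ValueError(f"{what} must be {low}-{high}: {token!r}")
    return int(token)


def parse_data_filter(value: str) -> dict:
    """Parse 'acl acl-num key1 key-value1 ... permit/deny'; ValueError if malformed."""
    tokens = value.split()
    if len(tokens) < 3 or tokens[0].lower() != "acl":
        raise ValueError("expected 'acl <acl-num> ... permit|deny'")
    acl_num = _number(tokens[1], 10000, 10999, "acl-num")
    action = tokens[-1].lower()          # nothing may follow permit/deny
    if action not in ("permit", "deny"):
        raise ValueError("rule must end with permit or deny")
    pairs = tokens[2:-1]
    if len(pairs) % 2:
        raise ValueError("keyword without a value")
    match = {}
    for key, val in zip(pairs[::2], pairs[1::2]):
        key = key.lower()                # keywords are case-insensitive
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r}")
        if key in match:                 # assumption: a keyword appears once
            raise ValueError(f"duplicate keyword {key!r}")
        if KEYWORDS[key] == "ip":
            ipaddress.IPv4Address(val)   # raises ValueError on a bad address
        elif KEYWORDS[key] == "port":
            _number(val, 0, 65535, key)  # assumption: full 16-bit port range
        match[key] = val                 # MAC notation is not given; kept as-is
    return {"acl": acl_num, "action": action, "match": match}


def is_valid(value: str) -> bool:
    try:
        parse_data_filter(value)
        return True
    except ValueError:
        return False
```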

  • Table 29-71 lists the attributes in RADIUS authentication packets.

  • Table 29-72 lists the attributes in RADIUS accounting packets.

  • Table 29-73 lists the attributes in RADIUS authorization packets (COA&DM).

  • Table 29-74 describes the Acct-Terminate-Cause attribute.

NOTE:
In the following tables, the value 1 indicates that the attribute must be included in the packet; the value 0 indicates that the attribute is not included in the packet (the attribute is invalid even if it is included in the packet); the value 0-1 indicates that the attribute may be included once in the packet or not included in the packet; the value 0+ indicates that the attribute is not included or included multiple times in the packet.
Table 29-71  RADIUS authentication packet
Attribute Access-Request Access-Accept Access-Reject Access-Challenge
User-Name (1) 1 0 0 0
User-Password (2) 0-1 0 0 0
Chap-Password (3) 0-1 0 0 0
NAS-IP-Address (4) 1 0 0 0
NAS-Port (5) 1 0 0 0
Service-Type (6) 1 0-1 0 0
Framed-Protocol (7) 1 0-1 0 0
Framed-IP-Address (8) 0-1 0-1 0 0
Filter-Id (11) 0 0-1 0 0
Login-IP-Host (14) 0-1 0-1 0 0
Login-Service (15) 0 0-1 0 0
Reply-Message (18) 0 0-1 0-1 0
Callback-Number (19) 0 0-1 0 0
State (24) 0-1 0-1 0 0-1
Session-Timeout (27) 0 0-1 0 0-1
Idle-Timeout (28) 0 0-1 0 0
Termination-Action (29) 0 0-1 0 0-1
Calling-Station-Id (31) 1 0 0 0
NAS-Identifier (32) 1 0 0 0
Acct-session-id (44) 1 0 0 0
CHAP_Challenge (60) 0-1 0 0 0
NAS-Port-Type (61) 1 0 0 0
Tunnel-Type (64) 0 0-1 0 0
Tunnel-Medium-Type (65) 0 0-1 0 0
EAP-Message (79) 0 0-1 0-1 1
Message-Authenticator (80) 0 0-1 0-1 1
Tunnel-Private-Group-ID (81) 0 0-1 0 0
Acct_Interim_Interval (85) 0 0-1 0 0
NAS-Port-Id (87) 1 0 0 0
Ftp_directory (284) 0 0-1 0 0
HW-Exec-Privilege (285) 0 0-1 0 0
hw_NAS_Startup_Timestamp (315) 1 0 0 0
HW-IP-Host-Address (316) 1 0 0 0
hw-Data-Filter (338) 0 0-1 0 0
HW-Version (510) 1 0 0 0
HW-Product-ID (511) 1 0 0 0
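Table 29-71 can be turned into a conformance check for captured Access-Request packets, which helps when triaging traffic that claims to come from an AR router. The following is an added example, not Huawei code. It covers only the standard attributes the table marks 1 and a subset of those marked 0, the function names are hypothetical, and the sample packet is constructed.

```python
import struct

# Standard attributes Table 29-71 marks "1" for Access-Request.
REQUIRED = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
            7: "Framed-Protocol", 31: "Calling-Station-Id", 32: "NAS-Identifier",
            44: "Acct-Session-Id", 61: "NAS-Port-Type", 87: "NAS-Port-Id"}
# A subset the table marks "0" there: authorization data only a server sends.
NOT_ALLOWED = {11: "Filter-Id", 27: "Session-Timeout", 28: "Idle-Timeout",
               85: "Acct-Interim-Interval"}


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length overruns the packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def check_access_request(packet: bytes) -> list:
    """List deviations of an Access-Request (code 1) from Table 29-71."""
    code, attrs = parse_attributes(packet)
    if code != 1:
        raise ValueError("not an Access-Request")
    seen = {a_type for a_type, _ in attrs}
    findings = [f"missing {name} ({t})" for t, name in REQUIRED.items() if t not in seen]
    findings += [f"unexpected {name} ({t})" for t, name in NOT_ALLOWED.items() if t in seen]
    return findings


def build_packet(code: int, attrs) -> bytes:
    """Build a constructed test packet with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample values, not captured traffic.
SAMPLE = [(1, b"user0001@isp"), (4, bytes([192, 0, 2, 1])), (5, bytes(4)),
          (6, struct.pack("!I", 2)), (7, struct.pack("!I", 1)),
          (31, b"00-00-5e-00-53-01"), (32, b"AR-lab"), (44, b"0" * 33),
          (61, struct.pack("!I", 15)), (87, b"constructed-port-id")]
```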
Table 29-72  RADIUS accounting packet
Attribute Accounting-Request (Start) Accounting-Request (Interim-Update) Accounting-Request (Stop) Accounting-Response (Start) Accounting-Response (Interim-Update) Accounting-Response (Stop)
User-Name (1) 1 1 1 0 0 0
NAS-IP-Address (4) 1 1 1 0 0 0
NAS-Port (5) 1 1 1 0 0 0
Service-Type (6) 1 1 1 0 0 0
Framed-Protocol (7) 1 1 1 0 0 0
Framed-IP-Address (8) 1 1 1 0 0 0
Filter-Id (11) 1 1 1 0 0 0
Session-Timeout (27) 0 0 0 0-1 0-1 0
Calling-Station-Id (31) 1 1 1 0 0 0
NAS-Identifier (32) 1 1 1 0 0 0
Acct-Status-Type (40) 1 1 1 0 0 0
Acct-Delay-Time (41) 0 1 1 0 0 0
Acct-Session-Id (44) 1 1 1 0 0 0
Acct-Authentic (45) 1 1 1 0 0 0
Acct-Session-Time (46) 0 1 1 0 0 0
Acct-Terminate-Cause (49) 0 0 1 0 0 0
Event-Timestamp (55) 1 1 1 0 0 0
NAS-Port-Type (61) 1 1 1 0 0 0
Tunnel-Type (64) 0-1 0-1 0-1 0 0 0
Tunnel-Medium-Type (65) 0-1 0-1 0-1 0 0 0
Tunnel-Private-Group-ID (81) 0 0 0 0 0 0
NAS-Port-Id (87) 1 1 1 0 0 0
HW-IP-Host-Address (316) 1 1 1 0 0 0
Agent-Circuit-Id (26-1) 0-1 0 0 0 0 0
Agent-Remote-Id (26-2) 0-1 0 0 0 0 0
Table 29-73  RADIUS authorization packet (COA&DM)
Attribute COA REQUEST COA ACK COA NAK DM REQUEST DM ACK DM NAK
User-Name (1) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-IP-Address (4) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-Port (5) 0-1 0-1 0-1 0-1 0-1 0-1
Framed-IP-Address (8) 0-1 0-1 0-1 0-1 0-1 0-1
Filter-Id (11) 0-1 0 0 0 0 0
Session-Timeout (27) 0-1 0 0 0 0 0
Idle-Timeout (28) 0-1 0 0 0 0 0
Calling-Station-Id (31) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-Identifier (32) 0-1 0-1 0-1 0-1 0-1 0-1
Acct-Session-Id (44) 1 1 1 1 1 1
Acct_Interim_Interval (85) 0-1 0 0 0 0 0
Error-Cause (101) 0 0 1 0 0 1
HW-Data-Filter (26-82) 0-1 0 0 0 0 0
HW-Input-Peak-Information-Rate (26-1) 0-1 0 0 0 0 0
HW-Input-Committed-Information-Rate (26-2) 0-1 0 0 0 0 0
HW-Input-Committed-Burst-Size (26-3) 0-1 0 0 0 0 0
HW-Output-Peak-Information-Rate (26-4) 0-1 0 0 0 0 0
HW-Output-Committed-Information-Rate (26-5) 0-1 0 0 0 0 0
HW-Output-Committed-Burst-Size (26-6) 0-1 0 0 0 0 0
HW-Priority (26-22) 0-1 0 0 0 0 0
HW-Up-Priority (26-61) 0-1 0 0 0 0 0
HW-Down-Priority (26-62) 0-1 0 0 0 0 0
HW-Input-Peak-Burst-Size (26-77) 0-1 0 0 0 0 0
HW-Output-Peak-Burst-Size (26-78) 0-1 0 0 0 0 0
Table 29-74  Acct-Terminate-Cause attribute
Type No. Description
User Request 1 The user requests to go offline.
Lost Carrier 2 Handshake fails or heartbeat expires.
Lost Service 3 The connection initiated by the peer device is torn down.
Idle Timeout 4 The user is disconnected because the idle timer expires.
Session Timeout 5 The user is disconnected because the session times out.
Admin Reset 6 The administrator forces the user to go offline.
Admin Reboot 7 The administrator restarts the device.
Port Error 8 The port is faulty.
NAS Error 9 An internal error occurs in the NAS.
NAS Request 10 The NAS requests to go offline.
NAS Reboot 11 The NAS is restarted.
Port Unneeded 12 The port is unavailable.
Port Preempted 13 The port is occupied.
Port Suspended 14 The port is suspended.
Service Unavailable 15 The service is not supported.
Callback 16 A callback is performed.
User Error 17 A user-side fault occurs, for example, user session timeout.
Host Request 18 A host sends a logout request to the server, and receives a DECLINE packet.
Updated: 2019-05-10

Document ID: EDOC1000079719
