CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
RADIUS Protocol

RADIUS Protocol

RADIUS Protocol Overview

RADIUS is a distributed client/server protocol that protects a network from unauthorized access. It is commonly used in environments that require strong security and control over remote user access. It defines a User Datagram Protocol (UDP)-based packet format and message exchange, and specifies UDP ports 1812 and 1813 as the authentication and accounting ports respectively.

RADIUS was originally the AAA protocol for dial-up users only. As other access modes such as Ethernet and ADSL appeared, RADIUS was extended to cover them as well. RADIUS provides the access service through authentication and authorization, and records the network resources used by users through accounting.

RADIUS has the following characteristics:

  • Client/Server model

    • RADIUS client: RADIUS clients run on network access servers (NAS). They send user information to the configured RADIUS server and act on the server's responses (for example, accept or reject user access). A RADIUS client can be located at any node on the network.

      As the RADIUS client, the device supports:

      • Standard RADIUS protocol and its extensions, including Request For Comments (RFC) 2865 and RFC 2866

      • Huawei-developed private attributes

      • Active detection on the RADIUS server status

      • Local buffering and retransmission of Accounting-Stop packets when the server does not respond

      • Automatic switching function of the RADIUS server

  • RADIUS server: RADIUS servers run on central computers and workstations to maintain user authentication and network service access information. The servers receive connection requests from users, authenticate the users, and send the responses (indicating that the requests are accepted or rejected) to the clients. RADIUS servers need to maintain three databases, as shown in Figure 1-3.

    Figure 1-3  Databases maintained by the RADIUS servers

    • Users: stores user information such as user names, passwords, protocols, and IP addresses.
    • Clients: stores RADIUS client information, such as the shared key and IP address of an access device.
    • Dictionary: stores the attributes in the RADIUS protocol and their value descriptions.
  • Security mechanism

    RADIUS clients and servers validate each other's messages using a shared key that is configured on both sides and is never transmitted over the network. The user password is also hidden with that key before transmission: the client XORs it with an MD5 hash of the shared key and the Request Authenticator (RFC 2865), so it does not cross an untrusted network in cleartext. This hiding covers only the User-Password attribute, and the strength of the whole mechanism rests on the shared key being long, random, and unique per client.

  • Fine scalability

    RADIUS packets consist of a packet header and a variable number of attributes. New attributes can be added without changing the packet format, so existing implementations continue to work.

RADIUS Packet Overview

RADIUS Packet Format

RADIUS uses UDP packets to transmit information. Figure 1-4 shows the RADIUS packet format.

Figure 1-4  RADIUS packet format

Fields in a RADIUS packet include:
  • Code: 1 byte. It identifies the RADIUS packet type. For example, the value 1 indicates an Access-Request packet and the value 2 indicates an Access-Accept packet.
  • Identifier: 1 byte. It matches reply packets to request packets and lets the receiver detect request packets retransmitted within a short period. The server copies the Identifier of the request into its reply.
  • Length: 2 bytes. It specifies the total length of the RADIUS packet, including the header. Bytes beyond the specified length are treated as padding and ignored by the receiver. If a received datagram is shorter than the Length value, the packet is discarded.
  • Authenticator: 16 bytes. In a request it is a random value (the Request Authenticator) used to hide the user password; in a reply it is an MD5 hash over the reply and the shared key (the Response Authenticator) that lets the client verify that the reply came from the server.
  • Attribute: variable length. It carries the authentication, authorization, and accounting information and the configuration details of request and reply packets. The field may contain multiple attributes, each consisting of Type, Length, and Value fields. For details, see RADIUS Attributes.

    • Type: indicates the attribute type. The length is 1 byte and the value ranges from 1 to 255.
    • Length: indicates the length of the whole attribute in bytes, including the Type, Length, and Value fields.
    • Value: indicates the attribute information. Its format and content depend on Type and Length. The maximum length is 253 bytes.
RADIUS Packet Type

RADIUS defines 16 types of packets, which can be categorized into authentication packets, accounting packets, and authorization packets. Table 1-1 describes the authentication packets, Table 1-2 describes the accounting packets, and Table 1-3 describes the authorization packets.

Table 1-1  RADIUS authentication packets

Packet Name

Description

Access-Request

This is the first packet transmitted in a RADIUS interaction process. This packet carries user authentication information, such as user name and password. The Access-Request packet is from the RADIUS client to the RADIUS server. The RADIUS server determines whether a user is allowed to access the network according to the user information carried in this packet.

Access-Accept

This packet is sent by the RADIUS server to respond to the Access-Request packet sent by the client. If all attributes in the Access-Request packet are acceptable, the server determines that the user passes the authentication and sends this packet. After receiving this packet, the client grants the network access rights to the user.

Access-Reject

This packet is sent by the RADIUS server to respond to the Access-Request packet sent by the client. If any attribute in the Access-Request packet is unacceptable, the RADIUS server determines that the user fails the authentication and sends this packet.

Access-Challenge

During EAP authentication (for example, EAP-MD5), when the RADIUS server receives an Access-Request packet carrying the user name, it generates a random MD5 challenge and returns it to the client in this packet. The client computes an MD5 hash over the user password and the challenge and sends the result in a new Access-Request packet. The RADIUS server computes the same hash from the locally stored password and compares the two; if they match, the user is considered valid.

Table 1-2  RADIUS accounting packets

Packet Name

Description

Accounting-Request (Start)

If the client uses RADIUS accounting, the client sends this packet to the server before accessing network resources.

Accounting-Response (Start)

After receiving and recording the Accounting-Request (Start) packet, the server returns this packet to the client.

Accounting-Request (Interim-update)

If the accounting server never receives the Accounting-Request (Stop) packet (for example, because it is lost or the NAS restarts), it cannot stop accounting for the user. To address this problem, configure interim accounting on the client. The client then periodically sends accounting packets to the server.

Accounting-Response (Interim-update)

After receiving an Accounting-Request (Interim-update) packet, the server returns this packet to the client.

Accounting-Request (Stop)

When a user goes offline voluntarily or is forcibly disconnected, the client sends this packet carrying the network resource usage information (including online duration and number of incoming/outgoing bytes) to the server, requesting the server to stop accounting.

Accounting-Response (Stop)

After receiving an Accounting-Request (Stop) packet, the server sends this packet to the client.

Table 1-3  RADIUS authorization packets

Packet Name

Description

CoA-Request

When the administrator needs to modify the rights of an online user (for example, prohibit the user from accessing a website), the server sends this packet to the client, requesting the client to modify the user rights.

CoA-ACK

If the client successfully modifies the user rights, the client sends this packet to the server.

CoA-NAK

If the client cannot modify the user rights, the client sends this packet to the server.

DM-Request

When the administrator needs to disconnect a user, the server sends this packet to the client, requesting the client to disconnect the user.

DM-ACK

If the client successfully disconnects the user, the client sends this packet to the server.

DM-NAK

If the client cannot disconnect the user, the client sends this packet to the server.

RADIUS Interaction Process

RADIUS Authentication, Authorization, and Accounting

Access devices function as RADIUS clients by collecting user information, including user names and passwords, and sending the information to a RADIUS server. The RADIUS server authenticates users according to the information, and performs authorization and accounting for the users after the users are authenticated. Figure 1-5 shows information exchanged between a user, the RADIUS client, and the RADIUS server.

Figure 1-5  RADIUS authentication, authorization, and accounting process

  1. A user sends a connection request carrying the user name and password to the RADIUS client (access device).
  2. The RADIUS client sends an Access-Request packet containing the user identity information to the RADIUS server according to the user name and password.
  3. The RADIUS server verifies the user identity:

    • If the user identity is valid, the RADIUS server returns an Access-Accept packet to the RADIUS client. The Access-Accept packet contains authorization information.
    • If the user identity is invalid, the RADIUS server returns an Access-Reject packet to the RADIUS client to reject access from the user.
  4. The RADIUS client notifies the user whether authentication is successful.
  5. The RADIUS client permits or rejects the user according to the authentication result. If the user is permitted, the RADIUS client sends an Accounting-Request (Start) packet to the RADIUS server.
  6. The RADIUS server sends an Accounting-Response (Start) packet to the RADIUS client and starts accounting.
  7. The user starts to access network resources.
  8. (Optional) If interim accounting is enabled, the RADIUS client periodically sends Accounting-Request (Interim-update) packets to the RADIUS server, preventing incorrect accounting results caused by an unexpected user disconnection.
  9. (Optional) The RADIUS server returns Accounting-Response (Interim-update) packets and performs interim accounting.
  10. The user sends a logout request.
  11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS server.
  12. The RADIUS server sends an Accounting-Response (Stop) packet to the RADIUS client and stops accounting.
  13. The RADIUS client notifies the user of the processing result, and the user stops accessing network resources.
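The packet format in Figure 1-4 and the authentication exchange of Figure 1-5 (steps 2 and 3), as an added Python example that is not code from Huawei's documentation or from the device: it encodes and parses the header and TLV attributes, applies the Length rule, hides the User-Password as RFC 2865 section 5.2 specifies, computes the Response Authenticator, and adds and checks the Message-Authenticator attribute (RFC 2869, HMAC-MD5 keyed with the shared secret). The shared secret, user name, password and Identifier are constructed values; the server side is simulated in the same process.

```python
import hashlib
import hmac
import os
import struct

# RADIUS Code values (RFC 2865) and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows

def encode_attrs(attrs):
    """attrs: list of (type, value bytes); each TLV is Type(1) + Length(1, header included) + Value(1..253)."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):  # a Length below 2, or one running past the buffer, is a malformed packet
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def parse_packet(data):
    """Length rule: a datagram shorter than Length is discarded; bytes beyond Length are padding."""
    if len(data) < 20:
        raise ValueError("shorter than the RADIUS header; discard")
    code, ident, length = HEADER.unpack(data[:4])
    if length < 20 or len(data) < length:
        raise ValueError("shorter than its Length field; discard")
    raw = data[:length]
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attrs": decode_attrs(raw[20:]), "raw": raw}

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the RFC padding (a password ending in NUL cannot be represented)

def sign_message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 2869 5.14: append Message-Authenticator as 16 zero bytes, HMAC-MD5 the whole packet, fill it in."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = HEADER.pack(code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def check_message_authenticator(raw, authenticator, secret):
    """Recompute the HMAC with the given Authenticator field in place and the Message-Authenticator zeroed."""
    pos = 20
    while pos + 2 <= len(raw):
        if raw[pos] == MESSAGE_AUTHENTICATOR and raw[pos + 1] == 18:
            zeroed = raw[:4] + authenticator + raw[20:pos + 2] + b"\x00" * 16 + raw[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), raw[pos + 2:pos + 18])
        pos += max(raw[pos + 1], 2)
    return False  # absent: nothing protects the attributes of this packet from tampering

def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: HMAC with the Request Authenticator in place, then replace it by the Response Authenticator."""
    signed = sign_message_authenticator(code, ident, req_auth, attrs, secret)
    return signed[:4] + response_authenticator(code, ident, req_auth, signed[20:], secret) + signed[20:]

def verify_response(raw, req_auth, secret):
    pkt = parse_packet(raw)  # client side: trust the reply only if both authenticators match our own Request Authenticator
    expected = response_authenticator(pkt["code"], pkt["id"], req_auth, pkt["raw"][20:], secret)
    return hmac.compare_digest(expected, pkt["authenticator"]) and check_message_authenticator(pkt["raw"], req_auth, secret)

def demo(secret=b"testing123", user=b"alice", password=b"s3cret!", stored=b"s3cret!", ident=7):
    """One PAP exchange: NAS sends Access-Request, server unhides the password and answers, NAS verifies."""
    req_auth = os.urandom(16)
    request = sign_message_authenticator(ACCESS_REQUEST, ident, req_auth,
                                         [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))], secret)
    # server side: it holds only the shared secret and the datagram (two trailing padding bytes are ignored)
    req = parse_packet(request + b"\x00\x00")
    attrs = dict(req["attrs"])
    good = (check_message_authenticator(req["raw"], req["authenticator"], secret)
            and unhide_password(attrs[USER_PASSWORD], secret, req["authenticator"]) == stored)
    response = build_response(ACCESS_ACCEPT if good else ACCESS_REJECT, req["id"], req["authenticator"],
                              [(USER_NAME, attrs[USER_NAME])], secret)
    tampered = response[:22] + bytes([response[22] ^ 1]) + response[23:]  # one flipped byte in User-Name
    return {"code": parse_packet(response)["code"], "verified": verify_response(response, req_auth, secret),
            "tampered_verified": verify_response(tampered, req_auth, secret)}
```

The demo returns code 2 (Access-Accept) for the right password and code 3 (Access-Reject) for a wrong one; in both cases the genuine reply verifies and the tampered copy does not. Everything here rests on MD5 and on the shared secret, which is why the transport should be restricted to a management network or wrapped in RadSec where the deployment allows it.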
CoA

Change of Authorization (CoA) allows the administrator to change the right of an authenticated online user through RADIUS. For example, a VLAN ID can be delivered to some access users through CoA packets, so that they belong to the same VLAN no matter which interfaces they connect to. Figure 1-6 shows the CoA interaction process.

Figure 1-6  CoA interaction process

  1. The RADIUS server sends a CoA-Request packet to the RADIUS client according to service information, requesting the client to modify user authorization information. The CoA-Request packet may contain the policy name (configured on the RADIUS client) or ACL rules.
  2. The RADIUS client modifies user authorization information according to the CoA-Request packet without disconnecting the user.
  3. The RADIUS client returns a CoA-ACK or CoA-NAK packet.
    • If the authorization information is modified (for example, the policy name in the CoA packet is the same as that configured on the client), the RADIUS client returns a CoA-ACK packet to the RADIUS server.
    • If the authorization information cannot be modified, the RADIUS client returns a CoA-NAK packet to the RADIUS server.
DM

When a user needs to be disconnected forcibly, a RADIUS server sends a Disconnect Message (DM) to a RADIUS client. Figure 1-7 shows the DM interaction process.

Figure 1-7  DM interaction process

  1. The administrator forcibly disconnects a user on the RADIUS server. The RADIUS server sends a DM-Request packet to the RADIUS client, requesting the client to disconnect the user.
  2. When receiving the DM-Request packet, the RADIUS client requests the user to go offline.
  3. The RADIUS client returns a DM-ACK or DM-NAK packet.

    • If the user successfully goes offline, the RADIUS client returns a DM-ACK packet to the RADIUS server.
    • If the user cannot go offline, the RADIUS client returns a DM-NAK packet to the RADIUS server.

RADIUS Attributes

RADIUS attributes are classified into Standard RADIUS Attributes and Huawei Proprietary RADIUS Attributes. Different RADIUS packets carry different RADIUS attributes. For details, see RADIUS Attributes Available in Packets.

Standard RADIUS Attributes

RFC 2865, RFC 2866, and RFC 3576 define standard RADIUS attributes that are supported by all mainstream vendors. For details, see Table 1-4.

Table 1-4  Standard RADIUS attributes

Attribute No.

Attribute Name

Description

1

User-Name

User name for authentication. The user name format can be user name@domain name, or just user name.

2

User-Password

User password for authentication, which is only valid for the Password Authentication Protocol (PAP).

3

CHAP-Password

User password for authentication, which is only valid for the Challenge Handshake Authentication Protocol (CHAP).

4

NAS-IP-Address

Internet Protocol (IP) address carried in the authentication request packet sent by the NAS. If the RADIUS server is bound to an interface, the attribute is set to the IP address of the bound interface. Otherwise, the attribute is set to the IP address of the interface that sends RADIUS packets.

5

NAS-Port

User access physical port, in one of the following formats:
  • new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) + Virtual Local Area Network (VLAN) ID (12 bits)
  • old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)
  • The ADSL access physical port is in the format: slot ID (4 bits) + sub-slot ID (2 bits) + port number (2 bits) + VPI (8 bits) + VCI (16 bits).

6

Service-Type

Service type of the user to be authenticated.
  • 2 (Framed): PPP or 802.1X user
  • 10 (Call Check): MAC address authentication user or MAC address bypass authentication user

7

Framed-Protocol

Encapsulation protocol of Frame services.
  • For a non-management user, the value is fixed as 1.
  • For a management user, the value is fixed as 6.

8

Framed-IP-Address

User IP address.

9

Framed-IP-Netmask

User IP address mask. This field must be used with the Framed-IP-Address field.

11

Filter-Id

User group name or Access Control List (ACL) ID. A RADIUS packet cannot carry the ACL ID and user group name simultaneously.

NOTE:

When this attribute carries the ACL ID, the ACL IDs must range from 3000 to 3999.

12

Framed-MTU

MTU of the data link between user and NAS. For example, in 802.1X Extensible Authentication Protocol (EAP) authentication, the NAS specifies the maximum length of the EAP packet in this attribute. An EAP packet larger than the link MTU may be lost.

14

Login-IP-Host

Management user IP address.
  • If the value is 0 or 0xFFFFFFFF, the IP address of management user is not checked.
  • If this attribute uses other values, the device checks whether the management user IP address is the same as the delivered attribute value.

15

Login-Service

Service type available to management users:
  • 0: Telnet
  • 5: X25-PAD
  • 50: SSH
  • 51: FTP
  • 52: Terminal
NOTE:

An attribute can contain multiple service types.

18

Reply-Message

Text that may be displayed to the user, carried in an Access-Accept or Access-Reject packet.
  • In an Access-Accept packet, it indicates that the user is successfully authenticated.
  • In an Access-Reject packet, it indicates that the user fails the authentication.

19

Callback-Number

Information sent from the authentication server and to be displayed to a user, such as a mobile number.

22

Framed-Route

Routing information provided by the RADIUS server to users, in format Destination/Mask NextHop Metric, for example, 192.168.1.0/24 192.168.1.1 1.

If the NextHop value is 0.0.0.0, the user IP address is used as the next hop address. The device can obtain only one Metric value. If the attribute delivered by the RADIUS server contains multiple Metric values, the device obtains only the first one.

24

State

If the RADIUS server sends a RADIUS Access-Challenge packet carrying the State attribute to a device, the subsequent RADIUS Access-Request packets sent from the device must carry the State attribute with the same value.

25

Class

If the RADIUS server sends a RADIUS Access-Accept packet carrying the Class attribute to the NAS, the subsequent RADIUS Accounting-Request packets sent from the NAS must carry the Class attribute with the same value.

26

Vendor-Specific

Vendor-specific attribute. For details, see Table 1-5. A packet can carry one or more private attributes. Each private attribute contains one or more sub-attributes.

27

Session-Timeout

In the Access-Accept packet, this attribute indicates the maximum number of seconds of service to be provided to the user before the session is terminated or the user is prompted.

In the Access-Challenge packet, this attribute indicates the reauthentication duration of EAP authentication users.

The value of this attribute must be larger than 0.

NOTE:

This attribute is only valid for 802.1X, MAC, Portal and PPPoE authentication users.

28

Idle-Timeout

Maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

NOTE:

This attribute is only valid for administrators and L2TP users.

29

Termination-Action

Action taken by the NAS to finish user services.
  • 0: forcible disconnection
  • 1: reauthentication
NOTE:

This attribute is only valid for 802.1X and MAC authentication users.

30

Called-Station-Id

Number of the NAS device. For wired users, the typical value of this attribute is the MAC address of the NAS device.
NOTE:

This attribute takes effect only for access users. This attribute is ineffective for administrative users and the value of the attribute is an all-F MAC address. You can disable this attribute using the radius-attribute disable called-station-id send command.

31

Calling-Station-Id

Identification number of the client. Generally, it is the MAC address of the client.

32

NAS-Identifier

Host name of the NAS.

40

Acct-Status-Type

Accounting-Request type:
  • 1: Accounting-Start packet
  • 2: Accounting-Stop packet
  • 3: Interim-Accounting packet

41

Acct-Delay-Time

Number of seconds the client has been trying to send the accounting packet (excluding the network transmission time).

44

Acct-Session-Id

Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of the same accounting session must have the same session ID.

The format of this attribute is: Host name (7 characters) + Slot ID (2 characters) + Subcard number (1 character) + Port number (2 characters) + Outer VLAN ID (4 characters) + Inner VLAN ID (5 characters) + Central Processing Unit (CPU) TICK (6 characters) + user connection ID (7 characters).

45

Acct-Authentic

User authentication mode:
  • 1: RADIUS authentication
  • 2: Local authentication
  • 3: Other remote authentications

46

Acct-Session-Time

Duration of a user being online, in seconds.

NOTE:

If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect.

49

Acct-Terminate-Cause

Cause of a terminated session:
  • User-Request(1): The user requests termination of service.
  • Lost Carrier (2): The connection is torn down due to a handshake failure or heartbeat timeout, such as an ARP probe failure or PPP handshake failure.
  • Lost Service (3): The connection initiated by the peer device is torn down.
  • Idle Timeout (4): The idle timer expires.
  • Session Timeout (5): The session times out or the traffic threshold is reached.
  • Admin Reset (6): The administrator forces the user to go offline.
  • Admin Reboot (7): The administrator restarts the NAS.
  • Port Error (8): A port fails.
  • NAS Error (9): The NAS encounters an internal error.
  • NAS Request (10): The NAS ends session for resource change.
  • NAS Reboot (11): The NAS automatically restarts.
  • Port Unneeded (12): The port is Down.
  • Port Preempted (13): The port is occupied.
  • Port Suspended (14): The port is suspended.
  • Service Unavailable (15): The service is unavailable.
  • Callback (16): NAS is terminating current session in order to perform a callback for a new session.
  • User Error (17): User authentication fails or times out.
  • Host Request (18): A host sends a request.

55

Event-Timestamp

Time when an Accounting-Request packet is generated. The value is the number of seconds elapsed since 00:00:00 of January 1, 1970.

60

CHAP-Challenge

Challenge field in CHAP authentication. This field is generated by the NAS for Message Digest algorithm 5 (MD5) calculation.

61

NAS-Port-Type

NAS port type. The attribute value can be configured in the interface view. By default, the type is Ethernet (15).

64

Tunnel-Type

Protocol type of the tunnel. The value is fixed as 13, indicating VLAN.

65

Tunnel-Medium-Type

Medium type used on the tunnel. The value is fixed as 6, indicating Ethernet.

79

EAP-Message

Encapsulates Extensible Authentication Protocol (EAP) packets so that RADIUS can carry EAP authentication. When an EAP packet is longer than 253 bytes, it is split across multiple attributes, so a RADIUS packet can carry multiple EAP-Message attributes.

80

Message-Authenticator

An HMAC-MD5 over the entire RADIUS packet, keyed with the shared key (RFC 2869), used to authenticate authentication packets and reject spoofed or tampered ones. It must be present in any packet that carries an EAP-Message attribute.

81

Tunnel-Private-Group-ID

Tunnel private group ID, which is used to deliver user VLAN IDs.

NOTE:
To make the VLAN authorization function take effect, the link type and access control mode of the user authentication access interface must meet the following requirements:
  • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
  • When the link type is access or trunk, the access control mode can only be based on the interface.

85

Acct-Interim-Interval

Interim accounting interval, the value ranges from 60 to 3932100, in seconds. It is recommended that the interval be equivalent to or longer than 600 seconds.

87

NAS-Port-Id

User access port, in either of the following formats:
  • New:

    • For Ethernet access users, the NAS port ID is in the format "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", in which "slot" ranges from 0 to 15, "subslot" 0 to 15, "port" 0 to 255, and "VLAN ID" 1 to 4094.
    • For ADSL access users, the NAS port ID is in the format "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which "slot" ranges from 0 to 15, "subslot" 0 to 9, "port" 0 to 9, "VPI" 0 to 255, and "VCI" 0 to 65535.
  • Old:

    • For Ethernet access users, the NAS port ID format is port number (2 characters) + sub-slot ID (2 characters) + card number (3 characters) + VLAN ID (9 characters).
    • For ADSL access users: port number (2 characters) + sub-slot ID (2 characters) + card number (3 characters) + VPI (8 characters) + VCI (16 characters). Fields shorter than the specified width are left-padded with 0s.

88

Framed-Pool

Address pool, which is only included in the Access-Accept packet. It is used as authorization information in Efficient VPN.

95

NAS-IPv6-Address

The authentication request packets sent by NAS carry the IPv6 address of the device. Both the NAS-IPv6-Address and NAS-IP-Address fields can be included in a packet.

Huawei Proprietary RADIUS Attributes

RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in RFC 2865 can be used to extend RADIUS to implement functions not supported by standard RADIUS attributes. Table 1-5 describes Huawei proprietary RADIUS attributes.

NOTE:

Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.

Table 1-5  Huawei proprietary RADIUS attributes

Attribute No.

Attribute Name

Description

26-1

HW-Input-Peak-Information-Rate

Peak rate at which the user accesses the NAS, in bit/s. Integer, 4 Byte.

26-2

HW-Input-Committed-Information-Rate

Average rate at which the user accesses the NAS, in bit/s. Integer, 4 Byte.

26-3

HW-Input-Committed-Burst-Size

Committed burst size at which the user accesses the NAS, in bit/s. Integer, 4 Byte.

26-4

HW-Output-Peak-Information-Rate

Peak rate at which the NAS connects to the user, in bit/s. Integer, 4 Byte.

26-5

HW-Output-Committed-Information-Rate

Average rate at which the NAS connects to the user, in bit/s. Integer, 4 Byte.

26-6

HW-Output-Committed-Burst-Size

Committed burst size at which the NAS connects to the user, in bit/s. Integer, 4 Byte.

26-15

HW-Remanent-Volume

Remaining traffic. The unit is KB.

26-26

HW_ConnectID

Index of a user connection.

26-28

HW-FTP-Directory

Initial directory of an FTP user.

26-29

HW-Exec-Privilege

Management user (such as Telnet user) priority, ranging from 0 to 16. The value 16 indicates that the user does not have the administrator rights.

26-31

HW-Qos-Data

Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile. The QoS profile must exist on the device.

26-59

HW-Startup-Time-Stamp

NAS start time, which is the number of seconds elapsed since 00:00:00 of January 1, 1970.

26-60

HW-IP-Host-Address

User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address are separated by a space.

If the user's IP address is detected invalid during authentication, A.B.C.D is set to 255.255.255.255.

26-61

HW-Up-Priority

Upstream priority of user service.

26-62

HW-Down-Priority

Downstream priority of user service.

26-75

HW-Primary-WINS

Primary WINS server address delivered by the RADIUS server after a user is successfully authenticated.

26-76

HW-Second-WINS

Secondary WINS server address delivered by the RADIUS server after a user is successfully authenticated.

26-77

HW-Input-Peak-Burst-Size

Upstream peak rate, in bit/s.

26-78

HW-Output-Peak-Burst-Size

Downstream peak rate, in bit/s.

26-94

HW-VPN-Instance

VPN instance name delivered by the RADIUS server after a user is successfully authenticated. It specifies the VPN to which the user belongs.

26-135

HW-Primary-DNS

IP address of the primary DNS delivered after a user is successfully authenticated.

26-136

HW-Secondary-DNS

IP address of the secondary DNS delivered after a user is successfully authenticated.

26-142

HW_User_Information

User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user to notify the user of check items.

26-143

HW_Web_Proxy_Name

Web proxy resource name of Secure Sockets Layer virtual private network (SSL VPN).

26-144

HW_Port_Forward_Name

Port forwarding resource name of SSL VPN.

26-145

HW_IP_Forwarding_Name

IP forwarding resource name of SSL VPN.

26-153

HW-Access-Type

User access type carried in the authentication and accounting request packets sent by the device to the RADIUS server:
  • 1: Dot1x user
  • 2: MAC address authentication user or MAC address bypass authentication
  • 3: Portal authentication user
  • 4: Static user
  • 6: Management user
  • 7: Point-to-Point Protocol (PPP) user

26-155

HW-URL-Flag

Whether URL is forcibly pushed, for example, used together with HW-Portal-URL:
  • 0: no
  • 1: yes

26-156

HW-Portal-URL

Forcibly pushed Uniform Resource Locator (URL).

26-241

HW-User-Addr-Network

User's address segment.

26-242

HW-DNS-Domain-Name

DNS domain name.

26-243

HW-Auto-Update-URL

URL address for version upgrade.

26-244

HW-Reachable-Detect

Server reachability detection information. Authentication packets can carry this attribute to indicate that the packets are server detection packets.

26-247

HW-Tariff-Input-Octets

Number of upstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit is Byte, KByte, MByte, or GByte. The format is Tariff level:Number of upstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels.

26-248

HW-Tariff-Output-Octets

Number of downstream bytes at the specified tariff level sent to the accounting server. This field is included in the accounting packets. The unit is Byte, KByte, MByte, or GByte. The format is Tariff level:Number of downstream bytes. An accounting packet can contain the traffic of at most 8 tariff levels.

26-250

HW-Tariff-Output-Gigawords

Number of times the downstream byte counter at the specified tariff level has wrapped past 4 GB (2^32 bytes). This field and the HW-Tariff-Output-Octets field together give the number of downstream bytes at the specified tariff level.

26-254

HW-Version

Software version running on the device.

26-255

HW-Product-ID

NAS product name.
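The Vendor-Specific wrapping described above and the sub-attribute numbers of Table 1-5, as an added Python example that is not code from Huawei's documentation or from the device: it encodes several Huawei sub-attributes into one type-26 attribute with vendor ID 2011, decodes such an attribute back (passing foreign vendors through untouched), and applies the 0..16 range of HW-Exec-Privilege from Table 1-5 before a management session is granted a level. The choice of which sub-attributes are integers and which are strings, the dictionary subset, and the sample URL and privilege value are this example's own assumptions.

```python
import struct

VENDOR_SPECIFIC = 26
HUAWEI_VENDOR_ID = 2011
# Sub-attribute numbers taken from Table 1-5; the value kinds are this example's own decoding choice
HUAWEI_SUBATTRS = {29: ("HW-Exec-Privilege", "int"), 31: ("HW-Qos-Data", "str"),
                   155: ("HW-URL-Flag", "int"), 156: ("HW-Portal-URL", "str")}

def encode_vsa(subattrs, vendor_id=HUAWEI_VENDOR_ID):
    """RFC 2865 5.26: Type 26, Length, Vendor-Id (4 bytes), then Vendor-Type/Vendor-Length/Value triples."""
    body = b""
    for vtype, value in subattrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        if not 0 < len(raw) <= 247:
            raise ValueError("sub-attribute value must be 1..247 bytes")
        body += struct.pack("!BB", vtype, len(raw) + 2) + raw
    if len(body) > 249:  # 255 total minus the 2-byte header and 4-byte Vendor-Id
        raise ValueError("too long for one attribute; split over several Vendor-Specific attributes")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(body), vendor_id) + body

def decode_vsa(value, dictionary=HUAWEI_SUBATTRS, vendor_id=HUAWEI_VENDOR_ID):
    """value is the Value field of a type-26 attribute (Vendor-Id onward); foreign vendors are passed through."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific shorter than its Vendor-Id")
    vid = struct.unpack("!I", value[:4])[0]
    if vid != vendor_id:
        return vid, [("unknown-vendor", value[4:])]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("malformed sub-attribute at offset %d" % pos)
        vtype, raw = value[pos], value[pos + 2:pos + value[pos + 1]]
        name, kind = dictionary.get(vtype, ("HW-%d" % vtype, "bytes"))
        if kind == "int" and len(raw) == 4:
            out.append((name, struct.unpack("!I", raw)[0]))
        elif kind == "str":
            out.append((name, raw.decode("utf-8", "replace")))
        else:
            out.append((name, raw))  # unknown sub-attribute or wrong-sized integer: keep the raw bytes
        pos += value[pos + 1]
    return vid, out

def exec_privilege(decoded):
    """HW-Exec-Privilege is 0..16 (16 = no administrator rights); anything else is rejected, not clamped."""
    levels = [v for name, v in decoded if name == "HW-Exec-Privilege"]
    if len(levels) != 1 or not isinstance(levels[0], int) or not 0 <= levels[0] <= 16:
        return None
    return levels[0]
```

Rejecting an out-of-range or duplicated HW-Exec-Privilege (rather than clamping it) keeps a misconfigured or spoofed Access-Accept from silently granting a management level the server never intended.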

RADIUS Attributes Available in Packets
Different RADIUS packets carry different RADIUS attributes.
  • For the RADIUS attributes available in authentication packets, see Table 1-6.
  • For the RADIUS attributes available in accounting packets, see Table 1-7.
  • For the RADIUS attributes available in authorization packets, see Table 1-8.
NOTE:
  • 1: indicates that the attribute must appear once in the packet.
  • 0: indicates that the attribute cannot appear in the packet (it will be discarded if it is contained).
  • 0-1: indicates that the attribute can appear once or does not appear in the packet.
  • 0+: indicates that the attribute may appear multiple times or does not appear in the packet.
Table 1-6  RADIUS attributes available in authentication packets

| Attribute No. | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|
| User-Name(1) | 1 | 0-1 | 0 | 0 |
| User-Password(2) | 0-1 | 0 | 0 | 0 |
| CHAP-Password(3) | 0-1 | 0 | 0 | 0 |
| NAS-IP-Address(4) | 1 | 0 | 0 | 0 |
| NAS-Port(5) | 1 | 0 | 0 | 0 |
| Service-Type(6) | 1 | 0-1 | 0 | 0 |
| Framed-Protocol(7) | 1 | 0-1 | 0 | 0 |
| Framed-IP-Address(8) | 0-1 | 0 | 0 | 0 |
| Framed-IP-Netmask(9) | 0 | 0-1 | 0 | 0 |
| Filter-Id(11) | 0 | 0-1 | 0 | 0 |
| Framed-MTU(12) | 0-1 | 0 | 0 | 0 |
| Login-IP-Host(14) | 0-1 | 0-1 | 0 | 0 |
| Login-Service(15) | 0 | 0-1 | 0 | 0 |
| Reply-Message(18) | 0 | 0-1 | 0-1 | 0 |
| Callback-Number(19) | 0 | 0-1 | 0 | 0 |
| Framed-Route(22) | 0 | 0-1 | 0 | 0 |
| State(24) | 0-1 | 0-1 | 0 | 0-1 |
| Class(25) | 0 | 0-1 | 0 | 0 |
| Session-Timeout(27) | 0 | 0-1 | 0 | 0-1 |
| Idle-Timeout(28) | 0 | 0-1 | 0 | 0 |
| Termination-Action(29) | 0 | 0-1 | 0 | 0-1 |
| Called-Station-Id(30) | 0-1 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 1 | 0 | 0 | 0 |
| NAS-Identifier(32) | 1 | 0 | 0 | 0 |
| Acct-Session-Id(44) | 1 | 0 | 0 | 0 |
| CHAP-Challenge(60) | 0-1 | 0 | 0 | 0 |
| NAS-Port-Type(61) | 1 | 0 | 0 | 0 |
| Tunnel-Type(64) | 0 | 0-1 | 0 | 0 |
| Tunnel-Medium-Type(65) | 0 | 0-1 | 0 | 0 |
| EAP-Message(79) | 0-1 | 0-1 | 0-1 | 0-1 |
| Message-Authenticator(80) | 0-1 | 0-1 | 0-1 | 0-1 |
| Tunnel-Private-Group-ID(81) | 0 | 0-1 | 0 | 0 |
| Acct-Interim-Interval(85) | 0 | 0-1 | 0 | 0 |
| NAS-Port-Id(87) | 1 | 0 | 0 | 0 |
| Framed-Pool(88) | 0 | 1 | 0 | 0 |
| NAS-IPv6-Address(95) | 0-1 | 0 | 0 | 0 |
| HW-Input-Peak-Information-Rate(26-1) | 0 | 0-1 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 0 | 0-1 | 0 | 0 |
| HW-Input-Committed-Burst-Size(26-3) | 0 | 0-1 | 0 | 0 |
| HW-Output-Peak-Information-Rate(26-4) | 0 | 0-1 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 0 | 0-1 | 0 | 0 |
| HW-Output-Committed-Burst-Size(26-6) | 0 | 0-1 | 0 | 0 |
| HW-Remanent-Volume(26-15) | 0 | 0-1 | 0 | 0 |
| HW_ConnectID(26-26) | 1 | 0 | 0 | 0 |
| Ftp_directory(26-28) | 0 | 0-1 | 0 | 0 |
| HW-Exec-Privilege(26-29) | 0 | 0-1 | 0 | 0 |
| HW-Qos-Data(26-31) | 0 | 0-1 | 0 | 0 |
| HW_Startup_Timestamp(26-59) | 1 | 0 | 0 | 0 |
| HW-IP-Host-Address(26-60) | 1 | 0 | 0 | 0 |
| HW-Up-Priority(26-61) | 0 | 0-1 | 0 | 0 |
| HW-Down-Priority(26-62) | 0 | 0-1 | 0 | 0 |
| HW-Primary-WINS(26-75) | 0 | 0-1 | 0 | 0 |
| HW-Second-WINS(26-76) | 0 | 0-1 | 0 | 0 |
| HW-Input-Peak-Burst-Size(26-77) | 0 | 0-1 | 0 | 0 |
| HW-Output-Peak-Burst-Size(26-78) | 0 | 0-1 | 0 | 0 |
| HW-Primary-DNS(26-135) | 0 | 1 | 0 | 0 |
| HW-Secondary-DNS(26-136) | 0 | 1 | 0 | 0 |
| HW-User-Information(26-142) | 0 | 0-1 | 0 | 0 |
| HW_Web_Proxy_Name(26-143) | 0 | 0-1 | 0 | 0 |
| HW_Port_Forward_Name(26-144) | 0 | 0-1 | 0 | 0 |
| HW_IP_Forwarding_Name(26-145) | 0 | 0-1 | 0 | 0 |
| HW-Service-Scheme(26-146) | 0 | 0-1 | 0 | 0 |
| HW-Access-Type(26-153) | 1 | 0 | 0 | 0 |
| HW-User-Addr-Network(26-241) | 0 | 0-1 | 0 | 0 |
| HW-DNS-Domain-Name(26-242) | 0 | 0-1 | 0 | 0 |
| HW-Auto-Update-URL(26-243) | 0 | 0-1 | 0 | 0 |
| HW-Reachable-Detect(26-244) | 0-1 | 0 | 0 | 0 |
| HW-Version(26-254) | 1 | 0 | 0 | 0 |
| HW-Product-ID(26-255) | 1 | 0 | 0 | 0 |

Table 1-7  RADIUS attributes available in accounting packets

| Attribute No. | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|
| User-Name(1) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-IP-Address(4) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port(5) | 1 | 1 | 1 | 0 | 0 | 0 |
| Service-Type(6) | 1 | 1 | 1 | 0 | 0 | 0 |
| Framed-Protocol(7) | 1 | 1 | 1 | 0 | 0 | 0 |
| Framed-IP-Address(8) | 1 | 1 | 1 | 0 | 0 | 0 |
| Class(25) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| Session-Timeout(27) | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| Called-Station-Id(30) | 1 | 1 | 1 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Identifier(32) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Status-Type(40) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Delay-Time(41) | 0 | 1 | 1 | 0 | 0 | 0 |
| Acct-Session-Id(44) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Authentic(45) | 1 | 1 | 1 | 0 | 0 | 0 |
| Acct-Session-Time(46) | 0 | 1 | 1 | 0 | 0 | 0 |
| Acct-Terminate-Cause(49) | 0 | 0 | 1 | 0 | 0 | 0 |
| Event-Timestamp(55) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port-Type(61) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-Port-Id(87) | 1 | 1 | 1 | 0 | 0 | 0 |
| NAS-IPv6-Address(95) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW_ConnectID(26-26) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-IP-Host-Address(26-60) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Access-Type(26-153) | 1 | 1 | 1 | 0 | 0 | 0 |
| HW-Reachable-Detect(26-244) | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Input-Octets(26-247) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Output-Octets(26-248) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Input-Gigawords(26-249) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| HW-Tariff-Output-Gigawords(26-250) | 0 | 0-1 | 0-1 | 0 | 0 | 0 |

Table 1-8  RADIUS attributes available in COA/DM packets

| Attribute No. | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
|---|---|---|---|---|---|---|
| User-Name(1) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| NAS-IP-Address(4) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| NAS-Port(5) | 0-1 | 0 | 0 | 0-1 | 0 | 0 |
| Framed-IP-Address(8) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| Filter-Id(11) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Session-Timeout(27) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| Calling-Station-Id(31) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| NAS-Identifier(32) | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| Acct-Session-Id(44) | 1 | 1 | 1 | 1 | 1 | 1 |
| HW-Input-Peak-Information-Rate(26-1) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Input-Committed-Information-Rate(26-2) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Output-Peak-Information-Rate(26-4) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Output-Committed-Information-Rate(26-5) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Qos-Data(26-31) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Up-Priority(26-61) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Down-Priority(26-62) | 0-1 | 0 | 0 | 0 | 0 | 0 |
| HW-Service-Scheme(26-146) | 0-1 | 0 | 0 | 0 | 0 | 0 |

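The occurrence rules defined in the NOTE (1, 0, 0-1, 0+) and the per-packet columns of Tables 1-6 and 1-8 can be checked mechanically, which is how a RADIUS server or a monitoring tap would decide what to discard before acting on a request. The following Python is an added example, not code from this Huawei document or from the AR devices: it parses a RADIUS packet, expands Huawei vendor-specific sub-attributes carried in attribute 26 (using Huawei's IANA enterprise number, 2011), counts each attribute, drops attributes whose rule is 0 as the NOTE prescribes, and reports attributes that are missing, duplicated, or not listed for that packet type. The RULES dictionary carries only a subset of rows from the Access-Request column of Table 1-6 and the COA REQUEST column of Table 1-8; the sample packets, user name, addresses, port names and VSA values are constructed for the example, and their Authenticator field is left zeroed.

```python
"""Occurrence check for RADIUS attributes (added example, not Huawei code).
Rule strings follow the NOTE: "1" exactly once, "0" forbidden and discarded,
"0-1" at most once, "0+" any number of times."""
import struct

HUAWEI_VENDOR_ID = 2011  # IANA enterprise number of Huawei, carried in attribute 26
ACCESS_REQUEST, COA_REQUEST = 1, 43  # packet codes (RFC 2865, RFC 5176)

# Subset of Table 1-6 (Access-Request column) and Table 1-8 (COA REQUEST column).
# Standard attributes are keyed by type number, Huawei VSAs by (26, sub-type).
RULES = {
    ACCESS_REQUEST: {
        1: "1", 2: "0-1", 3: "0-1", 4: "1", 5: "1", 6: "1", 7: "1", 8: "0-1",
        9: "0", 31: "1", 32: "1", 44: "1", 61: "1", 79: "0-1", 80: "0-1", 87: "1",
        (26, 26): "1", (26, 29): "0", (26, 254): "1", (26, 255): "1",
    },
    COA_REQUEST: {
        1: "0-1", 4: "0-1", 5: "0-1", 8: "0-1", 11: "0-1", 27: "0-1", 31: "0-1",
        32: "0-1", 44: "1", (26, 1): "0-1", (26, 2): "0-1", (26, 4): "0-1",
        (26, 5): "0-1", (26, 31): "0-1", (26, 61): "0-1", (26, 62): "0-1", (26, 146): "0-1",
    },
}

def parse_tlvs(buf, start):
    """Walk type/length/value triples in buf[start:], bounds-checking every length."""
    out, pos = [], start
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        out.append((atype, buf[pos + 2:pos + alen]))
        pos += alen
    return out

def parse_packet(data):
    """Return (code, identifier, authenticator, avps). Huawei sub-attributes inside
    Vendor-Specific (26) become keys (26, sub-type); other vendors keep their id."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field does not fit the packet")
    avps = []
    for atype, value in parse_tlvs(data[:length], 20):
        if atype != 26:
            avps.append((atype, value))
            continue
        if len(value) < 4:
            raise ValueError("VSA shorter than the 4-byte vendor id")
        vendor = struct.unpack("!I", value[:4])[0]
        for vtype, vval in parse_tlvs(value, 4):
            key = (26, vtype) if vendor == HUAWEI_VENDOR_ID else (26, vendor, vtype)
            avps.append((key, vval))
    return code, ident, data[4:20], avps

def check_occurrences(code, avps):
    """Return (kept_avps, violations): rule "0" attributes are dropped as the NOTE
    prescribes, "1" must hold exactly, "0-1" at most once, unlisted ones are flagged."""
    rules = RULES.get(code)
    if rules is None:
        raise ValueError(f"no occurrence rules for packet code {code}")
    counts, kept, discarded = {}, [], set()
    for key, value in avps:
        counts[key] = counts.get(key, 0) + 1
        if rules.get(key) == "0":
            discarded.add(key)
        else:
            kept.append((key, value))
    violations = [f"discarded forbidden attribute {k}" for k in sorted(discarded, key=str)]
    for key, rule in rules.items():
        n = counts.get(key, 0)
        if rule == "1" and n != 1:
            violations.append(f"attribute {key} must appear exactly once, found {n}")
        elif rule == "0-1" and n > 1:
            violations.append(f"attribute {key} may appear at most once, found {n}")
    violations += [f"attribute {k} not listed for code {code}" for k in counts if k not in rules]
    return kept, violations

def validate(data):
    """Parse a packet, then apply the occurrence rules for its code."""
    code, _, _, avps = parse_packet(data)
    return check_occurrences(code, avps)

def build_packet(code, ident, avps):
    """Encode (key, value) pairs for the constructed samples below. The 16-byte
    Authenticator is left zeroed, so these are test vectors, not live packets."""
    body = b""
    for key, value in avps:
        if isinstance(key, tuple):  # Huawei VSA wrapped in attribute 26
            payload = struct.pack("!I", HUAWEI_VENDOR_ID) + bytes([key[1], len(value) + 2]) + value
            body += bytes([26, len(payload) + 2]) + payload
        else:
            body += bytes([key, len(value) + 2]) + value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Access-Request carrying Framed-IP-Netmask (rule 0 here) and a
# duplicated HW-Product-ID (rule 1), and a CoA-Request that omits Acct-Session-Id.
SAMPLE_ACCESS_REQUEST = build_packet(ACCESS_REQUEST, 7, [
    (1, b"alice"), (4, bytes([192, 0, 2, 10])), (5, struct.pack("!I", 3)),
    (6, struct.pack("!I", 2)), (7, struct.pack("!I", 1)), (9, bytes([255, 255, 255, 0])),
    (31, b"00-11-22-33-44-55"), (32, b"nas01"), (44, b"0001"), (61, struct.pack("!I", 15)),
    (87, b"GigabitEthernet0/0/1"), ((26, 26), struct.pack("!I", 42)),
    ((26, 254), b"V200R007"), ((26, 255), b"AR530"), ((26, 255), b"AR530"),
])
SAMPLE_COA_REQUEST = build_packet(COA_REQUEST, 9, [(1, b"alice"), ((26, 61), struct.pack("!I", 5))])
```

Calling validate() on the first sample returns 14 kept attributes and two findings (the discarded Framed-IP-Netmask and the doubled HW-Product-ID); on the second it reports only the missing Acct-Session-Id. Every length field is checked before it is used as an index, so a truncated or malformed packet raises ValueError instead of being partially accepted. The rule table can be extended with the remaining rows of Tables 1-6 and 1-8; accounting packets (Table 1-7) would additionally need the Acct-Status-Type value to pick the Start, Interim-Update or Stop column, which this example does not cover.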
Updated: 2019-05-25

Document ID: EDOC1000097287