RADIUS
Overview of RADIUS
RADIUS uses the client/server model in distributed mode and protects a network from unauthorized access. It is often used in network environments that require high security and control of remote user access. It defines the User Datagram Protocol (UDP)-based RADIUS packet format and message transmission mechanism, and specifies UDP ports 1812 and 1813 as the authentication and accounting ports, respectively.
At first, RADIUS was only an AAA protocol used for only dial-up users. Later on, RADIUS adapted to more diverse user access modes, such as Ethernet. RADIUS provides the access service through authentication and authorization, and records the network resources used by users through accounting.
RADIUS has the following characteristics:
Client/Server model
RADIUS client: RADIUS clients run on the network access servers (NAS) to transmit user information to the specified RADIUS server and process requests (for example, accept or reject user access) based on the responses from the server. RADIUS clients can be located at any node on a network.
As the RADIUS client, the device supports:
Standard RADIUS protocol and its extensions
Huawei-developed private attributes
Active detection on the RADIUS server status
Retransmission of Accounting Stop packets in the local buffer
Automatic switching function of the RADIUS server
RADIUS server: RADIUS servers run on central computers and workstations to maintain user authentication and network service access information. The servers receive connection requests from users, authenticate the users, and send responses (indicating that the requests are accepted or rejected) to the clients. RADIUS servers need to maintain three databases, as shown in Figure 1-2.
- Users: Stores user information such as user names, passwords, protocols, and IP addresses.
- Clients: Stores RADIUS client information such as the shared key and IP address of an access device.
- Dictionary: Stores the attributes in the RADIUS protocol and their value descriptions.
Security mechanism
RADIUS clients and servers exchange authentication messages using shared keys that cannot be transmitted through networks, enhancing information exchange security. In addition, to avoid theft on an insecure network, passwords are encrypted using shared keys before being transmitted.
Good scalability
RADIUS packets consist of the packet header and a certain number of attributes. After new attributes are added to RADIUS packets, its implementation remains unchanged.
RADIUS Packets
RADIUS Packet Format
RADIUS uses UDP packets to transmit information. Figure 1-3 shows the RADIUS packet format.
- Code (1 byte): Describes the RADIUS packet type. The value 1 indicates an Access-Request packet, and the value 2 indicates an Access-Accept packet.
- Identifier (1 byte): Used to match request packets and reply packets, and to detect the request packets retransmitted within a certain period. After a client sends a request packet, the server sends a reply packet with the same Identifier value as the request packet.
- Length (2 bytes): Specifies the RADIUS packet length. Bytes exceeding the specified length value are treated as padding and ignored on the receiver. If the length of a received packet is smaller than the Length value, the packet is discarded.
- Authenticator (16 bytes): Used to verify the reply packets sent by the RADIUS server and encrypt user password.
Attribute (variable length): Field of a packet carrying authentication, authorization, and accounting information and providing configuration details of request and reply packets. An Attribute field may contain multiple attributes, each of which consists of the Type, Length, and Value fields.
- Type (1 byte): Indicates the attribute type. The value range is from 1 to 255.
- Length: Indicates the length of an attribute (including type, length, and attribute). The length is measured in bytes.
- Value: Indicates the attribute information. The format and content are dependent on Type and Length. The maximum length is 253 bytes.
RADIUS Packet Type
RADIUS defines 16 types of packets. These packets can be categorized into authentication packets, accounting packets, and authorization packets, which are described in Table 1-1, Table 1-2, and Table 1-3.
Packet Name |
Description |
|---|---|
Access-Request |
This is the first packet transmitted in a RADIUS interaction process. This packet carries user authentication information, such as user name and password. The Access-Request packet is sent from the RADIUS client to the RADIUS server, which then determines whether a user is allowed to access the network according to the user information carried in this packet. |
Access-Accept |
If all attributes in the Access-Request packet are acceptable, the RADIUS server considers that the user passes the authentication and sends this packet to the client. After receiving this packet, the client grants the network access rights to the user. |
Access-Reject |
If any attribute in the Access-Request packet is unacceptable, the RADIUS server considers that the user fails the authentication and sends this packet to the client. |
Access-Challenge |
During an Extensible Authentication Protocol (EAP) authentication, when the RADIUS server receives an Access-Request packet carrying the user name, it generates a random MD5 challenge and sends the MD5 challenge to the client in this packet. After the client encrypts the user password using the MD5 challenge, the client sends the encrypted password in an Access-Request packet to the RADIUS server. The RADIUS server compares the encrypted password received from the client with the locally encrypted password. If they are the same, the server considers the user valid. |
Packet Name |
Description |
|---|---|
Accounting-Request (Start) |
If the client uses RADIUS accounting, the client sends this packet to the server before accessing network resources. |
Accounting-Response (Start) |
After receiving and recording the Accounting-Request (Start) packet, the server returns this packet to the client. |
Accounting-Request (Stop) |
When a user goes offline voluntarily or is forcibly disconnected, the client sends this packet carrying the network resource usage information (including online duration and number of incoming/outgoing bytes) to the server, requesting the server to stop accounting. |
Accounting-Response (Stop) |
After receiving an Accounting-Request (Stop) packet, the server sends this packet to the client. |
Accounting-Request (Interim-update) |
If the accounting server fails to receive the Accounting-Request (Stop) packet, the server cannot stop accounting for the user. To address this problem, configure interim accounting on the client. The client then periodically sends accounting packets to the server. If the server stops receiving these packets, it stops accounting for the user. |
Accounting-Response (Interim-update) |
After receiving an Accounting-Request (Interim-update) packet, the server returns this packet to the client. |
Packet Name |
Description |
|---|---|
CoA-Request |
When the administrator needs to modify the rights of an online user (for example, prohibit the user from accessing a website), the server sends this packet to the client, requesting the client to modify the user rights. |
CoA-ACK |
If the client successfully modifies the user rights, the client sends this packet to the server. |
CoA-NAK |
If the client cannot modify the user rights, the client sends this packet to the server. |
DM-Request |
When the administrator needs to disconnect a user, the server sends this packet to the client, requesting the client to disconnect the user. |
DM-ACK |
If the client successfully disconnects the user, the client sends this packet to the server. |
DM-NAK |
If the client cannot disconnect the user, the client sends this packet to the server. |
RADIUS Interaction Process
RADIUS Authentication, Authorization, and Accounting
Access devices function as RADIUS clients by collecting user information, including user names and passwords, and sending the information to the RADIUS server. The RADIUS server authenticates users according to the information, after which it performs authorization and accounting for the users. Figure 1-4 shows information exchanged between a user, the RADIUS client, and the RADIUS server.
The following describes the process shown in Figure 1-4:
- A user sends a connection request carrying the user name and password to the RADIUS client (access device).
- The RADIUS client sends an Access-Request packet containing the user identity information to the RADIUS server according to the user name and password.
The RADIUS server verifies the user identity:
- If the user identity is valid, the RADIUS server returns an Access-Accept packet to the RADIUS client. The Access-Accept packet contains authorization information.
- If the user identity is invalid, the RADIUS server returns an Access-Reject packet to the RADIUS client to reject access from the user.
- The RADIUS client notifies the user of whether authentication is successful.
- The RADIUS client permits or rejects the user according to the authentication result. If the user is permitted, the RADIUS client sends an Accounting-Request (Start) packet to the RADIUS server.
- The RADIUS server sends an Accounting-Response (Start) packet to the RADIUS client and starts accounting.
- The user starts to access network resources.
- (Optional) If interim accounting is enabled, the RADIUS client periodically sends Accounting-Request (Interim-update) packets to the RADIUS server, preventing incorrect accounting result caused by unexpected user disconnection.
- (Optional) The RADIUS server returns Accounting-Response (Interim-update) packets and performs interim accounting.
- The user sends a logout request.
- The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS server.
- The RADIUS server sends an Accounting-Response (Stop) packet to the RADIUS client and stops accounting.
- The RADIUS client notifies the user of the processing result, and the user stops accessing network resources.
CoA
Change of Authorization (CoA) allows the administrator to change the right of an authenticated online user through RADIUS. For example, a VLAN ID can be delivered to some access users through CoA packets. In this way, they can belong to the same VLAN no matter which interfaces they connect to. Figure 1-5 shows the CoA interaction process.
The following describes the process shown in Figure 1-5:
- The RADIUS server sends a CoA-Request packet to the RADIUS client according to service information, requesting the client to modify user authorization information. The CoA-Request packet may contain the policy name (configured on the RADIUS client) or ACL rules.
- The RADIUS client modifies user authorization information according to the CoA-Request packet without disconnecting the user.
- The RADIUS client returns a CoA-ACK or CoA-NAK packet.
- If the authorization information is modified (for example, the policy name in the CoA packet is the same as that configured on the client), the RADIUS client returns a CoA-ACK packet to the RADIUS server.
- If the authorization information cannot be modified, the RADIUS client returns a CoA-NAK packet to the RADIUS server.
DM
When a user needs to be disconnected forcibly, the RADIUS server sends a Disconnect Message (DM) to the RADIUS client. Figure 1-6 shows the DM interaction process.
The following describes the process shown in Figure 1-6:
- On the RADIUS server, the administrator forcibly disconnects a user. The RADIUS server sends a DM Request packet to the RADIUS client, requesting the client to disconnect the user.
- When receiving the DM Request packet, the RADIUS client requests the user to go offline.
The RADIUS client returns a DM ACK or DM NAK packet.
- If the user successfully goes offline, the RADIUS client returns a DM ACK packet to the RADIUS server.
- If the user cannot go offline, the RADIUS client returns a DM NAK packet to the RADIUS server.
RADIUS Attributes
Standard RADIUS Attributes
RFC 2865, RFC 2866, and RFC 3576 define standard RADIUS attributes that are supported by all mainstream vendors. For details, see Table 1-4.
Attribute No. |
Attribute Name |
Attribute Type |
Description |
|---|---|---|---|
1 |
User-Name |
string |
User name for authentication. The user name format can be user name@domain name or user name. |
2 |
User-Password |
string |
User password for authentication, which is only valid for Password Authentication Protocol (PAP) authentication. |
3 |
CHAP-Password |
string |
User password for authentication, which is only valid for Challenge-Handshake Authentication Protocol (CHAP) authentication. |
4 |
NAS-IP-Address |
ipaddr |
Internet Protocol (IP) address of the NAS carried in authentication request packets. If the RADIUS server is bound to an interface, the attribute is set to the IP address of the bound interface. Otherwise, the attribute is set to the IP address of the interface that sends RADIUS packets. |
5 |
NAS-Port |
integer |
Physical port number of the network access server that is authenticating the user, which is in either of the following formats:
|
6 |
Service-Type |
integer |
Service type of the user to be authenticated:
|
7 |
Framed-Protocol |
integer |
Encapsulation protocol of frame services:
|
8 |
Framed-IP-Address |
ipaddr |
User IP address. |
9 |
Framed-IP-Netmask |
ipaddr |
User IP address mask. This field must be used with the Framed-IP-Address field. |
11 |
Filter-Id |
string |
IPv4 Access Control List (ACL) ID. |
12 |
Framed-MTU |
integer |
Maximum transmission unit (MTU) of the data link between user and NAS. For example, in 802.1X Extensible Authentication Protocol (EAP) authentication, the NAS specifies the maximum length of the EAP packet sent by the server in this attribute. An EAP packet larger than the link MTU will be lost. |
14 |
Login-IP-Host |
ipaddr |
Administrator IP address:
|
15 |
Login-Service |
integer |
Login service type used by the administrator:
NOTE:
An attribute can contain multiple service types. |
18 |
Reply-Message |
string |
Whether a user is authenticated:
|
19 |
Callback-Number |
string |
Information sent from the authentication server to a user, such as a mobile number. |
22 |
Framed-Route |
string |
Routing information provided by the RADIUS server to users, in format <Destination>[/<Mask>] [<NextHop>] [<Metric>], for example, 192.168.1.0/24 192.168.1.1 1. If the NextHop value is 0.0.0.0, the user IP address is used as the next hop address. The device can obtain only one Metric value. If the attribute delivered by the RADIUS server contains multiple Metric values, the device obtains only the first one. |
24 |
State |
string |
This attribute is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. |
25 |
Class |
string |
If the RADIUS server sends a RADIUS Access-Accept packet carrying the Class attribute to the NAS, the subsequent RADIUS Accounting-Request packets sent from the NAS must carry the Class attribute with the same value. |
26 |
Vendor-Specific |
string |
Vendor-specific attribute. For details, see Table 1-5. A packet can carry one or more private attributes. Each private attribute contains one or more sub-attributes. |
27 |
Session-Timeout |
integer |
In the Access-Request packet, this attribute indicates the maximum number of seconds of service to be provided to the user before termination of the session or prompt. In the Access-Challenge packet, this attribute indicates the reauthentication duration of EAP authentication users. NOTE:
This attribute is valid only for 802.1X and MAC address authenticated users. |
28 |
Idle-Timeout |
integer |
The maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. NOTE:
This attribute is only valid for administrators. |
29 |
Termination-Action |
integer |
What action the NAS should take when the specified service is completed:
NOTE:
This attribute is valid only for 802.1X and MAC address authenticated users. |
30 |
Called-Station-Id |
string |
NAS device number information, which is typically the MAC address of a NAS device. |
31 |
Calling-Station-Id |
string |
This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. |
32 |
NAS-Identifier |
string |
Host name of the NAS. |
40 |
Acct-Status-Type |
integer |
Accounting-Request packet type:
|
41 |
Acct-Delay-Time |
integer |
Number of seconds the client has been trying to send the accounting packet (excluding the network transmission time). |
42 |
Acct-Input-Octets |
integer |
Number of octets that have been received. The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, and GByte. |
43 |
Acct-Output-Octets |
integer |
Number of octets that have been sent. The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, and GByte. |
44 |
Acct-Session-Id |
string |
Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of the same accounting session must have the same session ID. The format of this attribute is: Host name (7 bits) + Slot ID (2 bits) + Subcard number (1 bit) + Port number (2 bits) + Outer VLAN ID (4 bits) + Inner VLAN ID (5 bits) + Central Processing Unit (CPU) Tick (6 bits) + User ID (6 bits). |
45 |
Acct-Authentic |
integer |
User authentication mode:
|
46 |
Acct-Session-Time |
integer |
How long the user has received service, in seconds. NOTE:
If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect. |
47 |
Acct-Input-Packets |
integer |
Number of incoming packets. |
48 |
Acct-Output-Packets |
integer |
Number of outgoing packets. |
49 |
Acct-Terminate-Cause |
string |
Cause of a terminated session:
|
55 |
Event-Timestamp |
integer |
Time when an Accounting-Request packet is generated, represented by is the number of seconds elapsed since 00:00:00 of January 1, 1970. |
60 |
CHAP-Challenge |
string |
Challenge field in CHAP authentication. This field is generated by the NAS for Message Digest algorithm 5 (MD5) calculation. |
61 |
NAS-Port-Type |
integer |
NAS port type. The attribute value can be configured in the interface view. By default, the type is Ethernet (15). |
62 |
Port-Limit |
integer |
Number of port users. This attribute is used to limit the number of users who share the same account. |
87 |
NAS-Port-Id |
string |
Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats:
|
101 |
Error-Cause |
integer |
Logout cause. |
Huawei Proprietary RADIUS Attributes
RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in RFC 2865 can be used to extend RADIUS for implementing functions not supported by standard RADIUS attributes. Table 1-5 describes Huawei proprietary RADIUS attributes.
Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.
Attribute No. |
Attribute Name |
Attribute Type |
Description |
|---|---|---|---|
26-28 |
HW-FTP-Directory |
string |
Initial directory of an FTP user. |
26-29 |
HW-Exec-Privilege |
integer |
Administrator (such as Telnet user) priority, ranging from 0 to 15. The priority that is greater than or equal to 16 is ineffective. |
26-31 |
HW-QOS-Profile-Name |
string |
Name of the QoS profile. The maximum length of the name is 31 bytes. The RADIUS server uses this field to deliver the QoS profile for traffic policing. |
26-59 |
HW-NAS-Startup-Time-Stamp |
integer |
NAS start time, represented by the number of seconds elapsed since 00:00:00 of January 1, 1970. |
26-82 |
HW-Data-Filter |
string |
The RADIUS server delivers an IPv4 or IPv6 ACL rule to users through this attribute. |
26-140 |
HW-DHCPSNP-Data |
string |
DHCP snooping entry of virtual machine user. |
26-251 |
HW-Usr-Group-Name |
string |
User group name which is applicable for the user. |
26-252 |
HW-Usr-Service-Type |
integer |
Service type which is applicable for the user. |
26-254 |
HW-Version |
string |
Software version of the device. |
26-255 |
HW-Product-ID |
string |
NAS product name. |
Huawei-supported Extended RADIUS Attributes of Other Vendors
Huawei devices support some extended RADIUS attributes of Microsoft. For details, see Table 1-6.
RADIUS Attributes Available in Packets
The following describes the values in the tables:
- 1: indicates that the attribute must appear once in the packet.
- 0: indicates that the attribute cannot appear in the packet (it will be discarded if it is contained).
- 0-1: indicates that the attribute can appear once or does not appear in the packet.
- 0+: indicates that the attribute may appear multiple times or does not appear in the packet.
Attribute No. |
Attribute Name |
Access-Request |
Access-Accept |
Access-Reject |
Access-Challenge |
|---|---|---|---|---|---|
1 |
User-Name |
1 |
0-1 |
0 |
0 |
2 |
User-Password |
0-1 |
0 |
0 |
0 |
3 |
CHAP-Password |
0-1 |
0 |
0 |
0 |
4 |
NAS-IP-Address |
1 |
0 |
0 |
0 |
5 |
NAS-Port |
1 |
0 |
0 |
0 |
6 |
Service-Type |
1 |
0-1 |
0 |
0 |
7 |
Framed-Protocol |
1 |
0-1 |
0 |
0 |
8 |
Framed-IP-Address |
0-1 |
0-1 |
0 |
0 |
9 |
Framed-IP-Netmask |
0 |
0-1 |
0 |
0 |
11 |
Filter-Id |
0 |
0-1 |
0 |
0 |
12 |
Framed-MTU |
0-1 |
0 |
0 |
0 |
14 |
Login-IP-Host |
0-1 |
0-1 |
0 |
0 |
15 |
Login-Service |
0 |
0-1 |
0 |
0 |
18 |
Reply-Message |
0 |
0-1 |
0-1 |
0 |
19 |
Callback-Number |
0 |
0-1 |
0 |
0 |
22 |
Framed-Route |
0 |
0-1 |
0 |
0 |
24 |
State |
0-1 |
0-1 |
0 |
0-1 |
25 |
Class |
0 |
0+ |
0 |
0 |
26 |
Vendor-Specific |
0+ |
0+ |
0-1 |
0 |
27 |
Session-Timeout |
0 |
0-1 |
0-1 |
0-1 |
28 |
Idle-Timeout |
0 |
0-1 |
0 |
0 |
29 |
Termination-Action |
0 |
0-1 |
0 |
0-1 |
30 |
Called-Station-Id |
0-1 |
0 |
0 |
0 |
31 |
Calling-Station-Id |
1 |
0 |
0 |
0 |
32 |
NAS-Identifier |
1 |
0 |
0 |
0 |
44 |
Acct-Session-Id |
1 |
0 |
0 |
0 |
60 |
CHAP-Challenge |
0-1 |
0 |
0 |
0 |
61 |
NAS-Port-Type |
1 |
0 |
0 |
0 |
62 |
Port-Limit |
1 |
1 |
0 |
0 |
87 |
NAS-Port-Id |
0-1 |
0 |
0 |
0 |
26-1 |
MS-CHAP-Response |
1 |
0 |
0 |
0 |
26-2 |
MS-CHAP-Challenge |
1 |
0 |
0 |
0 |
26-28 |
HW-FTP-Directory |
0 |
0-1 |
0 |
0 |
26-29 |
HW-Exec-Privilege |
0 |
0-1 |
0 |
0 |
26-31 |
HW-QOS-Profile-Name |
0 |
0-1 |
0 |
0 |
26-59 |
HW-NAS-Startup-Time-Stamp |
1 |
0 |
0 |
0 |
26-82 |
HW-Data-Filter |
0 |
0+ |
0-1 |
0 |
26-251 |
HW-Usr-Group-Name |
0 |
0-1 |
0 |
0 |
26-252 |
HW-Usr-Service-Type |
0 |
0-1 |
0 |
0 |
26-254 |
HW-Version |
1 |
0 |
0 |
0 |
26-255 |
HW-Product-ID |
1 |
0 |
0 |
0 |
Attribute No. |
Attribute Name |
Access-Request |
Access-Accept |
Access-Reject |
Access-Challenge |
|---|---|---|---|---|---|
1 |
User-Name |
1 |
0-1 |
0 |
0 |
2 |
User-Password |
0-1 |
0 |
0 |
0 |
3 |
CHAP-Password |
0-1 |
0 |
0 |
0 |
4 |
NAS-IP-Address |
1 |
0 |
0 |
0 |
5 |
NAS-Port |
1 |
0 |
0 |
0 |
6 |
Service-Type |
1 |
0-1 |
0 |
0 |
7 |
Framed-Protocol |
1 |
0-1 |
0 |
0 |
8 |
Framed-IP-Address |
0-1 |
0-1 |
0 |
0 |
9 |
Framed-IP-Netmask |
0 |
0-1 |
0 |
0 |
11 |
Filter-Id |
0 |
0-1 |
0 |
0 |
12 |
Framed-MTU |
0-1 |
0 |
0 |
0 |
14 |
Login-IP-Host |
0-1 |
0-1 |
0 |
0 |
15 |
Login-Service |
0 |
0-1 |
0 |
0 |
18 |
Reply-Message |
0 |
0-1 |
0-1 |
0 |
19 |
Callback-Number |
0 |
0-1 |
0 |
0 |
22 |
Framed-Route |
0 |
0-1 |
0 |
0 |
24 |
State |
0-1 |
0-1 |
0 |
0-1 |
25 |
Class |
0 |
0+ |
0 |
0 |
26 |
Vendor-Specific |
0+ |
0+ |
0-1 |
0 |
27 |
Session-Timeout |
0 |
0-1 |
0-1 |
0-1 |
28 |
Idle-Timeout |
0 |
0-1 |
0 |
0 |
29 |
Termination-Action |
0 |
0-1 |
0 |
0-1 |
30 |
Called-Station-Id |
0-1 |
0 |
0 |
0 |
31 |
Calling-Station-Id |
1 |
0 |
0 |
0 |
32 |
NAS-Identifier |
1 |
0 |
0 |
0 |
44 |
Acct-Session-Id |
1 |
0 |
0 |
0 |
60 |
CHAP-Challenge |
0-1 |
0 |
0 |
0 |
61 |
NAS-Port-Type |
1 |
0 |
0 |
0 |
62 |
Port-Limit |
1 |
1 |
0 |
0 |
87 |
NAS-Port-Id |
0-1 |
0 |
0 |
0 |
26-1 |
MS-CHAP-Response |
1 |
0 |
0 |
0 |
26-2 |
MS-CHAP-Challenge |
1 |
0 |
0 |
0 |
26-28 |
HW-FTP-Directory |
0 |
0-1 |
0 |
0 |
26-29 |
HW-Exec-Privilege |
0 |
0-1 |
0 |
0 |
26-31 |
HW-QOS-Profile-Name |
0 |
0-1 |
0 |
0 |
26-59 |
HW-NAS-Startup-Time-Stamp |
1 |
0 |
0 |
0 |
26-82 |
HW-Data-Filter |
0 |
0+ |
0-1 |
0 |
26-251 |
HW-Usr-Group-Name |
0 |
0-1 |
0 |
0 |
26-252 |
HW-Usr-Service-Type |
0 |
0-1 |
0 |
0 |
26-254 |
HW-Version |
1 |
0 |
0 |
0 |
26-255 |
HW-Product-ID |
1 |
0 |
0 |
0 |
Attribute No. |
Attribute Name |
COA REQUEST |
COA ACK |
COA NAK |
DM REQUEST |
DM ACK |
DM NAK |
|---|---|---|---|---|---|---|---|
1 |
User-Name |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
2 |
User-Password |
0-1 |
0 |
0 |
0 |
0 |
0 |
4 |
NAS-IP-Address |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
5 |
NAS-Port |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
6 |
Service-Type |
0-1 |
0 |
0 |
0 |
0 |
0 |
8 |
Framed-IP-Address |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
9 |
Framed-IP-Netmask |
0 |
0-1 |
0 |
0 |
0 |
0 |
11 |
Filter-Id |
0-1 |
0 |
0 |
0 |
0 |
0 |
18 |
Reply-Message |
0 |
0 |
0-1 |
0 |
0 |
0 |
25 |
Class |
0+ |
0 |
0 |
0 |
0 |
0 |
26 |
Vendor-Specific |
0+ |
0+ |
0+ |
0+ |
0+ |
0+ |
27 |
Session-Timeout |
0-1 |
0 |
0 |
0 |
0 |
0 |
28 |
Idle-Timeout |
0-1 |
0-1 |
0 |
0 |
0 |
0 |
29 |
Termination-Action |
0-1 |
0 |
0 |
0 |
0 |
0 |
31 |
Calling-Station-Id |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
0-1 |
32 |
NAS-Identifier |
0 |
0-1 |
0-1 |
0 |
0 |
0 |
42 |
Acct-Input-Octets |
0 |
0-1 |
0 |
0 |
0 |
0 |
43 |
Acct-Output-Octets |
0 |
0-1 |
0 |
0 |
0 |
0 |
44 |
Acct-Session-Id |
1 |
1 |
1 |
1 |
1 |
1 |
46 |
Acct-Session-Time |
0 |
0-1 |
0 |
0 |
0 |
0 |
47 |
Acct-Input-Packets |
0 |
0-1 |
0 |
0 |
0 |
0 |
48 |
Acct-Output-Packets |
0 |
0-1 |
0 |
0 |
0 |
0 |
87 |
NAS-Port-Id |
0 |
0-1 |
0-1 |
0 |
0 |
0 |
101 |
Error-Cause |
0 |
0 |
1 |
0 |
0 |
1 |
26-31 |
HW-QOS-Profile-Name |
0-1 |
0-1 |
0 |
0 |
0 |
0 |
26-82 |
HW-Data-Filter |
0-1 |
0 |
0 |
0 |
0 |
0 |