NetEngine 8000 F8 V800R023C00SPC500 Configuration Guide

Appendix: RADIUS Attributes

RADIUS Attribute Dictionary

The RADIUS attribute dictionary defines Huawei proprietary RADIUS attributes (including the attribute number, attribute name, and attribute type) and Huawei's vendor ID. When a Huawei device interconnects with a RADIUS server, to allow the RADIUS server to properly identify and process Huawei proprietary RADIUS attributes, the RADIUS attribute dictionary file must be loaded to the RADIUS server.

The RADIUS attribute dictionary contains the attributes supported on all products of this series. For details about the attributes supported by a type of product, see the RADIUS attribute list of the corresponding product.

When configuring RADIUS attributes on a RADIUS server, ensure that the RADIUS attribute names are the same as those in the RADIUS attribute dictionary.

Click the link below to obtain the RADIUS attribute dictionary:

RADIUS Attribute Dictionary

Attributes Carried in RADIUS Packets

Attributes in RADIUS Access Packets

In the following tables:

  • 1: indicates the attribute must be present in the packet.

  • 0: indicates the attribute must not be present in the packet. If present, the attribute is invalid and must be ignored.

  • 0-n: indicates the attribute is optional and can appear in a packet. The number of times that the attribute appears can be 0 to n.

  • 0+: indicates the attribute is optional and can be carried in a packet. Multiple instances of the attribute can be carried in a packet.

Table 1-1473 RADIUS Attributes Defined by RFC

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 1 | User-Name | 1 | 0-1 | 0 | 0 |
| 2 | User-Password | 0-1 | 0 | 0 | 0 |
| 3 | CHAP-Password | 0-1 | 0 | 0 | 0 |
| 4 | NAS-IP-Address | 1 | 0 | 0 | 0 |
| 5 | NAS-Port | 1 | 0 | 0 | 0 |
| 6 | Service-Type | 1 | 0-1 | 0 | 0 |
| 7 | Framed-Protocol | 1 | 0-1 | 0 | 0 |
| 8 | Framed-IP-Address | 0-1 | 0-1 | 0 | 0 |
| 9 | Framed-IP-Netmask | 0 | 0-1 | 0 | 0 |
| 11 | Filter-Id | 0 | 0-1 | 0 | 0 |
| 12 | Framed-MTU | 0 | 0-1 | 0 | 0 |
| 14 | Login-IP-Host | 0-1 | 0-1 | 0 | 0 |
| 15 | Login-Service | 0 | 0-1 | 0 | 0 |
| 18 | Reply-Message | 0 | 0-1 | 0-1 | 0 |
| 19 | Callback-Number | 0 | 0-1 | 0 | 0 |
| 22 | Framed-route | 0 | 0-1 | 0 | 0 |
| 24 | State | 0-1 | 0-1 | 0 | 0-1 |
| 25 | Class | 0 | 0+ | 0 | 0 |
| 26 | Vendor-Specific | 0+ | 0+ | 0-1 | 0 |
| 27 | Session-Timeout | 0-1 | 0-1 | 0 | 0-1 |
| 28 | Idle-Timeout | 0 | 0-1 | 0 | 0 |
| 29 | Termination-Action | 0 | 0-1 | 0 | 0-1 |
| 30 | Called-Station-Id | 0-1 | 0 | 0 | 0 |
| 31 | Calling-Station-Id | 1 | 0 | 0 | 0 |
| 32 | NAS-Identifier | 1 | 0 | 0 | 0 |
| 33 | Proxy-State | 0 | 0 | 0 | 0 |
| 40 | Acct-Status-Type | 0 | 0 | 0 | 0 |
| 41 | Acct-Delay-Time | 0 | 0 | 0 | 0 |
| 42 | Acct-Input-Octets | 0 | 0 | 0 | 0 |
| 43 | Acct-Output-Octets | 0 | 0 | 0 | 0 |
| 44 | Acct-Session-Id | 1 | 0 | 0 | 0 |
| 45 | Acct-Authentic | 0 | 0 | 0 | 0 |
| 46 | Acct-Session-Time | 0 | 0 | 0 | 0 |
| 47 | Acct-Input-Packets | 0 | 0 | 0 | 0 |
| 48 | Acct-Output-Packets | 0 | 0 | 0 | 0 |
| 49 | Acct-Terminate-Cause | 0 | 0 | 0 | 0 |
| 50 | Acct-Multi-Session-Id | 0 | 0 | 0 | 0 |
| 52 | Acct-Input-Gigawords | 0 | 0 | 0 | 0 |
| 53 | Acct-Output-Gigawords | 0 | 0 | 0 | 0 |
| 55 | Event-Timestamp | 0 | 0 | 0 | 0 |
| 60 | CHAP-Challenge | 0-1 | 0 | 0 | 0 |
| 61 | NAS-Port-Type | 1 | 0 | 0 | 0 |
| 62 | Port-Limit | 0 | 0-1 | 0 | 0 |
| 64 | Tunnel-Type | 0-1 | 0-1 | 0 | 0 |
| 65 | Tunnel-Medium-Type | 0-1 | 0-1 | 0 | 0 |
| 66 | Tunnel-Client-Endpoint | 0-1 | 0-1 | 0 | 0 |
| 67 | Tunnel-Server-Endpoint | 0-1 | 0-1 | 0 | 0 |
| 68 | Acct-Tunnel-Connection | 0 | 0 | 0 | 0 |
| 69 | Tunnel-Password | 0 | 0-1 | 0 | 0 |
| 77 | Connect-Info | 0-1 | 0 | 0 | 0 |
| 80 | Message-Authenticator | 0 | 0-1 | 0-1 | 1 |
| 81 | Tunnel-Private-Group-ID | 0 | 0-1 | 0 | 0 |
| 82 | Tunnel-Assignment-ID | 0 | 0-1 | 0 | 0 |
| 83 | Tunnel-Preference | 0 | 0-1 | 0 | 0 |
| 85 | Acct-Interim-Interval | 0 | 0-1 | 0 | 0 |
| 86 | Acct-Tunnel-Packets-Lost | 0 | 0 | 0 | 0 |
| 87 | NAS-Port-Id | 1 | 0 | 0 | 0 |
| 88 | Framed-Pool | 0 | 0-1 | 0 | 0 |
| 89 | Chargeable-User-Identity | 0-1 | 0-1 | 0 | 0 |
| 90 | Tunnel-Client-Auth-ID | 0-1 | 0-1 | 0 | 0 |
| 91 | Tunnel-Server-Auth-ID | 0-1 | 0-8 | 0 | 0 |
| 95 | NAS-IPv6-Address | 0-1 | 0 | 0 | 0 |
| 96 | Framed-Interface-Id | 0 | 0-1 | 0 | 0 |
| 97 | Framed-Ipv6-Prefix | 0-1 | 0-1 | 0 | 0 |
| 99 | Framed-Ipv6-Route | 0 | 0-1 | 0 | 0 |
| 100 | Framed-Ipv6-Pool | 0 | 0-16 | 0 | 0 |
| 101 | Error-Cause | 0 | 0 | 0 | 0 |
| 123 | Delegated-Ipv6-Prefix | 0-1 | 0-1 | 0 | 0 |
| 144 | DS-Lite-Tunnel-Name | 0-1 | 0-1 | 0 | 0 |

Table 1-1474 RADIUS Attributes Defined by Huawei+1.1 Protocol (Vendor = 2011, Attribute Number=26)

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 1 | HW-Input-Committed-Burst-Size | 0 | 0-1 | 0 | 0 |
| 2 | HW-Input-Committed-Information-Rate | 0 | 0-1 | 0 | 0 |
| 3 | HW-Input-Peak-Information-Rate | 0 | 0-1 | 0 | 0 |
| 4 | HW-Output-Committed-Burst-Size | 0 | 0-1 | 0 | 0 |
| 5 | HW-Output-Committed-Information-Rate | 0 | 0-1 | 0 | 0 |
| 6 | HW-Output-Peak-Information-Rate | 0 | 0-1 | 0 | 0 |
| 7 | HW-Input-Kilobytes-Before-Tariff-Switch | 0 | 0-1 | 0-1 | 0 |
| 8 | HW-Output-Kilobytes-Before-Tariff-Switch | 0 | 0 | 0 | 0 |
| 9 | HW-Input-Packets-Before-Tariff-Switch | 0 | 0 | 0 | 0 |
| 10 | HW-Output-Packets-Before-Tariff-Switch | 0 | 0 | 0 | 0 |
| 11 | HW-Input-Kilobytes-After-Tariff-Switch | 0 | 0 | 0 | 0 |
| 12 | HW-Output-Kilobytes-After-Tariff-Switch | 0 | 0 | 0 | 0 |
| 13 | HW-Input-Packets-After-Tariff-Switch | 0 | 0 | 0 | 0 |
| 14 | HW-Output-Packets-After-Tariff-Switch | 0 | 0 | 0 | 0 |
| 15 | HW-Remanent-Volume | 0-1 | 0-1 | 0 | 0 |
| 16 | HW-Tariff-Switch-Interval | 0 | 0 | 0 | 0 |
| 17 | HW-Subscriber-QoS-Profile | 0 | 0-1 | 0 | 0 |
| 20 | HW-Command | 0 | 0 | 0 | 0 |
| 22 | HW-Priority | 0 | 0-1 | 0 | 0 |
| 26 | HW-Connect-ID | 1 | 0 | 0 | 0 |
| 27 | HW-Portal-URL | 0 | 0-1 | 0 | 0 |
| 28 | HW-FTP-Directory | 0 | 0-1 | 0 | 0 |
| 29 | HW-Exec-Privilege | 0 | 0-1 | 0 | 0 |
| 31 | HW-QOS-Profile-Name | 0 | 0-1 | 0 | 0 |
| 32 | HW-SIP-Server | 0 | 0-1 | 0 | 0 |
| 33 | HW-User-Password | 0 | 0 | 0 | 0 |
| 34 | HW-Command-Mode | 0 | 0 | 0 | 0 |
| 35 | HW-Renewal-Time | 0 | 0-1 | 0 | 0 |
| 36 | HW-Rebinding-Time | 0 | 0-1 | 0 | 0 |
| 37 | HW-Igmp-Enable | 0 | 0-1 | 0 | 0 |
| 59 | HW-NAS-Startup-Time-Stamp | 1 | 0 | 0 | 0 |
| 60 | HW-IP-Host-Address | 1 | 0 | 0 | 0 |
| 61 | HW-Up-Priority | 0 | 0-1 | 0 | 0 |
| 62 | HW-Down-Priority | 0 | 0-1 | 0 | 0 |
| 63 | HW-Tunnel-VPN-Instance | 0 | 0-1 | 0 | 0 |
| 65 | HW-User-Date | 0 | 0-1 | 0 | 0 |
| 66 | HW-User-Class | 0 | 0-1 | 0 | 0 |
| 72 | HW-Subnet-Mask | 0 | 0-1 | 0 | 0 |
| 73 | HW-Gateway-Address | 0 | 0-1 | 0 | 0 |
| 74 | HW-Lease-Time | 0 | 0-1 | 0 | 0 |
| 75 | HW-Ascend-Client-Primary-WINS | 0 | 0-1 | 0 | 0 |
| 76 | HW-Ascend-Client-Second-WIN | 0 | 0-1 | 0 | 0 |
| 77 | HW-Input-Peak-Burst-Size | 0 | 0-1 | 0 | 0 |
| 78 | HW-Output-Peak-Burst-Size | 0 | 0-1 | 0 | 0 |
| 80 | HW-Tunnel-Session-Limit | 0 | 0-1 | 0 | 0 |
| 82 | HW-Data-Filter | 0 | 0+ | 0 | 0 |
| 83 | HW-Access-Service | 0 | 0-1 | 0 | 0 |
| 84 | HW-Accounting-Level | 0 | 0 | 0 | 0 |
| 85 | HW-Portal-Mode | 0 | 0-1 | 0 | 0 |
| 87 | HW-Policy-Route | 0 | 0-1 | 0 | 0 |
| 88 | HW-Framed-Pool | 0 | 0-1 | 0 | 0 |
| 89 | HW-L2TP-Terminate-Cause | 0 | 0 | 0 | 0 |
| 93 | HW-Multicast-Profile-Name | 0 | 0-1 | 0 | 0 |
| 94 | HW-VPN-Instance | 0 | 0-1 | 0 | 0 |
| 95 | HW-Policy-Name | 0-1 | 0-12 | 0 | 0 |
| 96 | HW-Tunnel-Group-Name | 0 | 0-1 | 0 | 0 |
| 99 | HW-Multicast-Type | 0 | 0-1 | 0 | 0 |
| 135 | HW-Client-Primary-DNS | 0 | 0-1 | 0 | 0 |
| 136 | HW-Client-Secondary-DNS | 0 | 0-1 | 0 | 0 |
| 138 | HW-Domain-Name | 1 | 0-1 | 0 | 0 |
| 140 | HW-HTTP-Redirect-URL | 0 | 0-1 | 0 | 0 |
| 142 | HW-Qos-Profile-Type | 0 | 0-1 | 0 | 0 |
| 143 | HW-Max-List-Num | 0 | 0-1 | 0 | 0 |
| 144 | HW-Acct-ipv6-Input-Octets | 0 | 0 | 0 | 0 |
| 145 | HW-Acct-ipv6-Output-Octets | 0 | 0 | 0 | 0 |
| 146 | HW-Acct-ipv6-Input-Packets | 0 | 0 | 0 | 0 |
| 147 | HW-Acct-ipv6-Output-Packets | 0 | 0 | 0 | 0 |
| 148 | HW-Acct-ipv6-Input-Gigawords | 0 | 0 | 0 | 0 |
| 149 | HW-Acct-ipv6-Output-Gigawords | 0 | 0 | 0 | 0 |
| 150 | HW-DHCPv6-Option37 | 0-1 | 0 | 0 | 0 |
| 151 | HW-DHCPv6-Option38 | 0-1 | 0 | 0 | 0 |
| 153 | HW-User-Mac | 0-1 | 0 | 0 | 0 |
| 154 | HW-DNS-Server-IPv6-Address | 0 | 0-2 | 0 | 0 |
| 155 | HW-DHCPv4-Option121 | 0 | 0-24 | 0 | 0 |
| 156 | HW-DHCPV4-Option43 | 0 | 0-1 | 0 | 0 |
| 157 | HW-Framed-Pool-Group | 0 | 0-1 | 0 | 0 |
| 158 | HW-Framed-IPv6-Address | 0-1 | 0-1 | 0 | 0 |
| 159 | HW-Acct-Update-Address | 0 | 0 | 0 | 0 |
| 160 | HW-NAT-Policy-Name | 0 | 0-1 | 0 | 0 |
| 161 | HW-Nat-IP-Address | 0 | 0 | 0 | 0 |
| 162 | HW-NAT-Start-Port | 0 | 0 | 0 | 0 |
| 163 | HW-NAT-End-Port | 0 | 0 | 0 | 0 |
| 164 | HW-NAT-Port-Forwarding | 0 | 0-1 | 0 | 0 |
| 165 | HW-Nat-Port-Range-Update | 0 | 0 | 0 | 0 |
| 166 | HW-DS-Lite-Tunnel-Name | 0-1 | 0-1 | 0 | 0 |
| 167 | HW-PCP-Server-Name | 0 | 0-1 | 0 | 0 |
| 168 | HW-Public-IP-Addr-State | 1 | 0 | 0 | 0 |
| 180 | HW-Auth-Type | 0-1 | 0 | 0 | 0 |
| 181 | HW-Acct-terminate-subcause | 0 | 0 | 0 | 0 |
| 182 | HW-Down-QOS-Profile-Name | 0 | 0-1 | 0 | 0 |
| 183 | HW-Port-Mirror | 0 | 0-1 | 0 | 0 |
| 184 | HW-Account-Info | 0 | 0-12 | 0 | 0 |
| 185 | HW-Service-Info | 0-1 | 0 | 0 | 0 |
| 187 | HW-Dhcp-Option | 0-16 | 0-8 | 0 | 0 |
| 188 | HW-AVpair | 0 | 0-14 | 0 | 0 |
| 189 | HW-Dhcpv6-Option | 0-16 | 0-8 | 0 | 0 |
| 191 | HW-Delegated-IPv6-Prefix-Pool | 0 | 0-1 | 0 | 0 |
| 192 | HW-IPv6-Prefix-Lease | 0 | 0-1 | 0 | 0 |
| 193 | HW-IPv6-Address-Lease | 0 | 0-1 | 0 | 0 |
| 194 | HW-IPv6-Policy-Route | 0 | 0-1 | 0 | 0 |
| 196 | HW-MNG-IPv6 | 0 | 0-1 | 0 | 0 |
| 251 | HW-USR-GRP-NAME | 0 | 0-1 | 0 | 0 |
| 252 | HW-USER-SRVC_TYPE | 0 | 0-1 | 0 | 0 |
| 253 | HW-Web-URL | 0 | 0-1 | 0 | 0 |
| 254 | HW-Version | 1 | 0 | 0 | 0 |
| 255 | HW-Product-ID | 1 | 0 | 0 | 0 |

Table 1-1475 RADIUS Attributes Defined by DSL Forum (Vendor ID = 3561, Attribute Number=26)

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 1 | Agent-Circuit-Id | 0-1 | 0 | 0 | 0 |
| 2 | Agent-Remote-Id | 0-1 | 0 | 0 | 0 |
| 129 | Actual-Data-Rate-Upstream | 0-1 | 0 | 0 | 0 |
| 130 | Actual-Data-Rate-Downstream | 0-1 | 0 | 0 | 0 |
| 131 | Minimum-Data-Rate-Upstream | 0-1 | 0 | 0 | 0 |
| 132 | Minimum-Data-Rate-Downstream | 0-1 | 0 | 0 | 0 |
| 133 | Attainable-Data-Rate-Upstream | 0 | 0 | 0 | 0 |
| 134 | Attainable-Data-Rate-Downstream | 0 | 0 | 0 | 0 |
| 135 | Maximum-Data-Rate-Upstream | 0 | 0 | 0 | 0 |
| 136 | Maximum-Data-Rate-Downstream | 0 | 0 | 0 | 0 |
| 137 | Minimum-Data-Rate-Upstream-Low-Power | 0 | 0 | 0 | 0 |
| 138 | Minimum-Data-Rate-Downstream-Low-Power | 0 | 0 | 0 | 0 |
| 139 | Maximum-Interleaving-Delay-Upstream | 0 | 0 | 0 | 0 |
| 140 | Actual-Interleaving-Delay-Upstream | 0 | 0 | 0 | 0 |
| 141 | Maximum-Interleaving-Delay-Downstream | 0 | 0 | 0 | 0 |
| 142 | Actual-Interleaving-Delay-Downstream | 0 | 0 | 0 | 0 |
| 144 | Access-Loop-Encapsulation | 0-1 | 0 | 0 | 0 |

Table 1-1476 RADIUS Attributes Defined by Microsoft (Vendor ID = 311, Attribute Number=26)

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 1 | MS-CHAP-Response | 0-1 | 0 | 0 | 0 |
| 2 | MS-CHAP-Error | 0 | 0 | 0-1 | 0 |
| 4 | MS-CHAP-CPW-2 | 0-1 | 0 | 0 | 0 |
| 6 | MS-CHAP-NT-Enc-PW | 0+ | 0 | 0 | 0 |
| 11 | MS-CHAP-Challenge | 0-1 | 0 | 0 | 0 |
| 16 | MS-MPPE-Send-Key | 0 | 1 | 0 | 0 |
| 17 | MS-MPPE-Recv-Key | 0 | 0-1 | 0 | 0 |
| 25 | MS-CHAP2-Response | 0-1 | 0 | 0 | 0 |
| 26 | MS-CHAP2-Success | 0 | 0-1 | 0 | 0 |
| 27 | MS-CHAP2-CPW | 0-1 | 0 | 0 | 0 |
| 28 | MS-Primary-DNS-Server | 0 | 0-1 | 0 | 0 |
| 29 | MS-Secondary-DNS-Server | 0 | 0-1 | 0 | 0 |

Table 1-1477 RADIUS Attributes Defined by Redback (Vendor ID = 2352, Attribute Number=26)

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 92 | Forward-Policy | 0 | 0-1 | 0 | 0 |
| 97 | BB-Caller-ID | 0-1 | 0 | 0 | 0 |
| 106 | NPM-Service-Id | 0 | 0-2 | 0 | 0 |
| 107 | HTTP-Redirect-Profile-Name | 0 | 0-1 | 0 | 0 |
| 165 | HTTP-Redirect-URL | 0 | 0-1 | 0 | 0 |

Table 1-1478 RADIUS Attributes Defined by Ascend

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 135 | Ascend-Client-Primary-Dns | 0 | 0-1 | 0 | 0 |
| 136 | Ascend-Client-Secondary-Dns | 0 | 0-1 | 0 | 0 |

Table 1-1479 RADIUS Attributes Defined by Huawei+1.0 Protocol (Vendor = 2011, Attribute Number=26)

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 80 | Remanent-Volume | 0 | 0 | 0 | 0 |
| 81 | Tariff-Switch-Interval | 0 | 0 | 0 | 0 |
| 111 | In-Kb-Before-T-Switch | 0 | 0 | 0 | 0 |
| 112 | Out-Kb-Before-T-Switch | 0 | 0 | 0 | 0 |
| 113 | In-Pkts-Before-T-Switch | 0 | 0 | 0 | 0 |
| 114 | Out-Pkts-Before-T-Switch | 0 | 0 | 0 | 0 |
| 115 | In-Kb-After-T-Switch | 0 | 0 | 0 | 0 |
| 116 | Out-Kb-After-T-Switch | 0 | 0 | 0 | 0 |
| 117 | In-Pkts-After-T-Switch | 0 | 0 | 0 | 0 |
| 118 | Out-Pkts-After-T-Switch | 0 | 0 | 0 | 0 |
| 121 | Input-Peak-Rate | 0 | 0-1 | 0 | 0 |
| 122 | Input-Average-Rate | 0 | 0-1 | 0 | 0 |
| 124 | Output-Peak-Rate | 0 | 0-1 | 0 | 0 |
| 125 | Output-Average-Rate | 0 | 0-1 | 0 | 0 |
| 127 | OnLine-User-Id | 1 | 0 | 0 | 0 |
| 128 | Connect-port | 1 | 0 | 0 | 0 |

Table 1-1480 RADIUS Attributes Defined by Carrier (Vendor ID = 28357)

| Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Reject | Access-Challenge |
|---|---|---|---|---|---|
| 201 | CMCC-NAS-Type | 0-1 | 0 | 0 | 0 |
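
The occurrence legend and the Access-packet tables above, applied as a check. This is an added example, not Huawei code: it counts the attributes in a raw attribute run, unpacks Vendor-Specific (26) by vendor ID, and compares the counts with a subset of rows copied from Tables 1-1473 to 1-1475. It assumes the RFC 2865 sub-attribute layout (1-byte type, 1-byte length) inside Vendor-Specific; all function names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

HUAWEI, DSL_FORUM = 2011, 3561  # vendor IDs as given in the table captions

# (vendor ID or None for RFC attributes, attribute number) ->
#   (name, Access-Request, Access-Accept, Access-Reject, Access-Challenge)
# A subset of rows copied from Tables 1-1473, 1-1474 and 1-1475.
RULES = {
    (None, 1): ("User-Name", "1", "0-1", "0", "0"),
    (None, 2): ("User-Password", "0-1", "0", "0", "0"),
    (None, 4): ("NAS-IP-Address", "1", "0", "0", "0"),
    (None, 18): ("Reply-Message", "0", "0-1", "0-1", "0"),
    (None, 25): ("Class", "0", "0+", "0", "0"),
    (None, 26): ("Vendor-Specific", "0+", "0+", "0-1", "0"),
    (None, 80): ("Message-Authenticator", "0", "0-1", "0-1", "1"),
    (HUAWEI, 26): ("HW-Connect-ID", "1", "0", "0", "0"),
    (HUAWEI, 82): ("HW-Data-Filter", "0", "0+", "0", "0"),
    (HUAWEI, 95): ("HW-Policy-Name", "0-1", "0-12", "0", "0"),
    (DSL_FORUM, 1): ("Agent-Circuit-Id", "0-1", "0", "0", "0"),
}
COLUMN = {"Access-Request": 1, "Access-Accept": 2, "Access-Reject": 3, "Access-Challenge": 4}


def bounds(spec):
    """Translate a table cell ('1', '0', '0-n', '0+') into (min, max); max None = unbounded."""
    if spec.endswith("+"):
        return int(spec[:-1]), None
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo), int(hi)
    return int(spec), int(spec)


def _tlvs(buf, what):
    """Yield (type, value) from a run of type/length/value fields, rejecting bad lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        typ, length = buf[pos], buf[pos + 1]  # length covers the 2-byte header as well
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield typ, buf[pos + 2:pos + length]
        pos += length


def count_attributes(attr_bytes):
    """Count attributes by (vendor ID, number); each Vendor-Specific is counted, then unpacked."""
    counts = Counter()
    for typ, value in _tlvs(attr_bytes, "attribute"):
        counts[(None, typ)] += 1
        if typ == 26:
            if len(value) < 4:
                raise ValueError("Vendor-Specific shorter than the 4-byte vendor ID")
            vendor = struct.unpack("!I", value[:4])[0]
            for sub, _ in _tlvs(value[4:], "vendor sub-attribute"):
                counts[(vendor, sub)] += 1
    return counts


def check(packet_type, attr_bytes):
    """Return sorted (attribute name, finding) pairs for one packet type."""
    counts = count_attributes(attr_bytes)
    col = COLUMN[packet_type]
    findings = []
    for key, row in RULES.items():
        lo, hi = bounds(row[col])
        n = counts.get(key, 0)
        if n < lo:
            findings.append((row[0], "missing"))
        elif hi == 0 and n:
            # Legend: a '0' attribute that is present is invalid and must be ignored.
            findings.append((row[0], "not allowed: ignore"))
        elif hi is not None and n > hi:
            findings.append((row[0], f"{n} instances, limit {hi}"))
    return sorted(findings)


def tlv(typ, value):
    """Encode one attribute (helper for the constructed samples)."""
    return bytes([typ, len(value) + 2]) + value


def vsa(vendor, typ, value):
    """Encode one Vendor-Specific attribute carrying a single sub-attribute."""
    return tlv(26, struct.pack("!I", vendor) + tlv(typ, value))


# Constructed sample attribute runs (not captured traffic).
GOOD_REQUEST = (tlv(1, b"alice") + tlv(4, bytes([192, 0, 2, 1]))
                + vsa(HUAWEI, 26, struct.pack("!I", 7)) + vsa(HUAWEI, 95, b"gold"))
BAD_REQUEST = (tlv(1, b"alice") + tlv(18, b"hello")
               + vsa(HUAWEI, 95, b"gold") + vsa(HUAWEI, 95, b"silver"))
ACCEPT_13_POLICIES = b"".join(vsa(HUAWEI, 95, b"p%d" % i) for i in range(13))

if __name__ == "__main__":
    for label, ptype, data in [("good request", "Access-Request", GOOD_REQUEST),
                               ("bad request", "Access-Request", BAD_REQUEST),
                               ("accept, 13 policies", "Access-Accept", ACCEPT_13_POLICIES)]:
        print(label, check(ptype, data))
```

Attributes that are not in the `RULES` subset are counted but not judged; extend the dictionary with further rows from the tables to cover them.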

Attributes in RADIUS Accounting Packets

In the following tables:

  • 1: indicates the attribute must be present in the packet.

  • 0: indicates the attribute must not be present in the packet. If present, the attribute is invalid and must be ignored.

  • 0-n: indicates the attribute is optional and can appear in a packet. The number of times that the attribute appears can be 0 to n.

  • 0+: indicates the attribute is optional and can be carried in a packet. Multiple instances of the attribute can be carried in a packet.

Table 1-1481 RADIUS Attributes Defined by RFC

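| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 1 | User-Name | 1 | 1 | 1 | 0 | 0 | 0 |
| 2 | User-Password | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | CHAP-Password | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | NAS-IP-Address | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 5 | NAS-Port | 1 | 1 | 1 | 0 | 0 | 0 |
| 6 | Service-Type | 1 | 1 | 1 | 0 | 0 | 0 |
| 7 | Framed-Protocol | 1 | 1 | 1 | 0 | 0 | 0 |
| 8 | Framed-IP-Address | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 9 | Framed-IP-Netmask | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 11 | Filter-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 12 | Framed-MTU | 0 | 0 | 0 | 0 | 0 | 0 |
| 14 | Login-IP-Host | 0 | 0 | 0 | 0 | 0 | 0 |
| 15 | Login-Service | 0 | 0 | 0 | 0 | 0 | 0 |
| 18 | Reply-Message | 0 | 0 | 0 | 0 | 0 | 0 |
| 19 | Callback-Number | 0 | 0 | 0 | 0 | 0 | 0 |
| 22 | Framed-route | 0 | 0 | 0 | 0 | 0 | 0 |
| 24 | State | 0 | 0 | 0 | 0 | 0 | 0 |
| 25 | Class | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 26 | Vendor-Specific | 0 | 0+ | 0+ | 0+ | 0+ | 0 |
| 27 | Session-Timeout | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0 |
| 28 | Idle-Timeout | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 29 | Termination-Action | 0 | 0 | 0 | 0 | 0 | 0 |
| 30 | Called-Station-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 31 | Calling-Station-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 32 | NAS-Identifier | 1 | 1 | 1 | 0 | 0 | 0 |
| 33 | Proxy-State | 0 | 0 | 0 | 0 | 0 | 0 |
| 40 | Acct-Status-Type | 1 | 1 | 1 | 0 | 0 | 0 |
| 41 | Acct-Delay-Time | 0 | 1 | 1 | 0 | 0 | 0 |
| 42 | Acct-Input-Octets | 0 | 1 | 1 | 0 | 0 | 0 |
| 43 | Acct-Output-Octets | 0 | 1 | 1 | 0 | 0 | 0 |
| 44 | Acct-Session-Id | 1 | 1 | 1 | 0 | 0 | 0 |
| 45 | Acct-Authentic | 1 | 1 | 1 | 0 | 0 | 0 |
| 46 | Acct-Session-Time | 0 | 1 | 1 | 0 | 0 | 0 |
| 47 | Acct-Input-Packets | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 48 | Acct-Output-Packets | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 49 | Acct-Terminate-Cause | 0 | 0 | 1 | 0 | 0 | 0 |
| 50 | Acct-Multi-Session-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 52 | Acct-Input-Gigawords | 0 | 1 | 1 | 0 | 0 | 0 |
| 53 | Acct-Output-Gigawords | 0 | 1 | 1 | 0 | 0 | 0 |
| 55 | Event-Timestamp | 1 | 1 | 1 | 0 | 0 | 0 |
| 60 | CHAP-Challenge | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 | NAS-Port-Type | 1 | 1 | 1 | 0 | 0 | 0 |
| 62 | Port-Limit | 0 | 0 | 0 | 0 | 0 | 0 |
| 64 | Tunnel-Type | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 65 | Tunnel-Medium-Type | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 66 | Tunnel-Client-Endpoint | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 67 | Tunnel-Server-Endpoint | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 68 | Acct-Tunnel-Connection | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 69 | Tunnel-Password | 0 | 0 | 0 | 0 | 0 | 0 |
| 77 | Connect-Info | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 80 | Message-Authenticator | 0 | 0 | 0 | 0 | 0 | 0 |
| 81 | Tunnel-Private-Group-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 82 | Tunnel-Assignment-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 83 | Tunnel-Preference | 0 | 0 | 0 | 0 | 0 | 0 |
| 85 | Acct-Interim-Interval | 0 | 0 | 0 | 0 | 0 | 0 |
| 86 | Acct-Tunnel-Packets-Lost | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 87 | NAS-Port-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 88 | Framed-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 89 | Chargeable-User-Identity | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 90 | Tunnel-Client-Auth-ID | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 91 | Tunnel-Server-Auth-ID | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 95 | NAS-IPv6-Address | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 96 | Framed-Interface-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 97 | Framed-Ipv6-Prefix | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 99 | Framed-Ipv6-Route | 0 | 0 | 0 | 0 | 0 | 0 |
| 100 | Framed-Ipv6-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 101 | Error-Cause | 0 | 0 | 0 | 0 | 0 | 0 |
| 123 | Delegated-Ipv6-Prefix | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 144 | DS-Lite-Tunnel-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |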

Table 1-1482 RADIUS Attributes Defined by Huawei+1.1 Protocol (Vendor = 2011, Attribute Number=26)

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 1 | HW-Input-Committed-Burst-Size | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 2 | HW-Input-Committed-Information-Rate | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 3 | HW-Input-Peak-Information-Rate | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 4 | HW-Output-Committed-Burst-Size | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 5 | HW-Output-Committed-Information-Rate | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 6 | HW-Output-Peak-Information-Rate | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 7 | HW-Input-Kilobytes-Before-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 8 | HW-Output-Kilobytes-Before-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 9 | HW-Input-Packets-Before-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 10 | HW-Output-Packets-Before-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 11 | HW-Input-Kilobytes-After-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 12 | HW-Output-Kilobytes-After-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 13 | HW-Input-Packets-After-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 14 | HW-Output-Packets-After-Tariff-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 15 | HW-Remanent-Volume | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| 16 | HW-Tariff-Switch-Interval | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| 17 | HW-Subscriber-QoS-Profile | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 20 | HW-Command | 0 | 0 | 0 | 0 | 0 | 0 |
| 22 | HW-Priority | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 26 | HW-Connect-ID | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 27 | HW-Portal-URL | 0 | 0 | 0 | 0 | 0 | 0 |
| 28 | HW-FTP-Directory | 0 | 0 | 0 | 0 | 0 | 0 |
| 29 | HW-Exec-Privilege | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 | HW-QOS-Profile-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 32 | HW-SIP-Server | 0 | 0 | 0 | 0 | 0 | 0 |
| 33 | HW-User-Password | 0 | 0 | 0 | 0 | 0 | 0 |
| 34 | HW-Command-Mode | 0 | 0 | 0 | 0 | 0 | 0 |
| 35 | HW-Renewal-Time | 0 | 0 | 0 | 0 | 0 | 0 |
| 36 | HW-Rebinding-Time | 0 | 0 | 0 | 0 | 0 | 0 |
| 37 | HW-Igmp-Enable | 0 | 0 | 0 | 0 | 0 | 0 |
| 59 | HW-NAS-Startup-Time-Stamp | 0 | 0 | 0 | 0 | 0 | 0 |
| 60 | HW-IP-Host-Address | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 61 | HW-Up-Priority | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 62 | HW-Down-Priority | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 63 | HW-Tunnel-VPN-Instance | 0 | 0 | 0 | 0 | 0 | 0 |
| 65 | HW-User-Date | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 66 | HW-User-Class | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 72 | HW-Subnet-Mask | 0 | 0 | 0 | 0 | 0 | 0 |
| 73 | HW-Gateway-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 74 | HW-Lease-Time | 0 | 0 | 0 | 0 | 0 | 0 |
| 75 | HW-Ascend-Client-Primary-WINS | 0 | 0 | 0 | 0 | 0 | 0 |
| 76 | HW-Ascend-Client-Second-WIN | 0 | 0 | 0 | 0 | 0 | 0 |
| 77 | HW-Input-Peak-Burst-Size | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 78 | HW-Output-Peak-Burst-Size | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 80 | HW-Tunnel-Session-Limit | 0 | 0 | 0 | 0 | 0 | 0 |
| 82 | HW-Data-Filter | 0 | 0 | 0 | 0 | 0 | 0 |
| 83 | HW-Access-Service | 0 | 0 | 0 | 0 | 0 | 0 |
| 84 | HW-Accounting-Level | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 85 | HW-Portal-Mode | 0 | 0 | 0 | 0 | 0 | 0 |
| 87 | HW-Policy-Route | 0 | 0 | 0 | 0 | 0 | 0 |
| 88 | HW-Framed-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 89 | HW-L2TP-Terminate-Cause | 0 | 0 | 0-1 | 0 | 0 | 0 |
| 93 | HW-Multicast-Profile-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 94 | HW-VPN-Instance | 0 | 0 | 0 | 0 | 0 | 0 |
| 95 | HW-Policy-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 96 | HW-Tunnel-Group-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 99 | HW-Multicast-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 135 | HW-Client-Primary-DNS | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 136 | HW-Client-Secondary-DNS | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 138 | HW-Domain-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 140 | HW-HTTP-Redirect-URL | 0 | 0 | 0 | 0 | 0 | 0 |
| 142 | HW-Qos-Profile-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 143 | HW-Max-List-Num | 0 | 0 | 0 | 0 | 0 | 0 |
| 144 | HW-Acct-ipv6-Input-Octets | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 145 | HW-Acct-ipv6-Output-Octets | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 146 | HW-Acct-ipv6-Input-Packets | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 147 | HW-Acct-ipv6-Output-Packets | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 148 | HW-Acct-ipv6-Input-Gigawords | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 149 | HW-Acct-ipv6-Output-Gigawords | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 150 | HW-DHCPv6-Option37 | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 151 | HW-DHCPv6-Option38 | 0 | 0 | 0 | 0 | 0 | 0 |
| 153 | HW-User-Mac | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 154 | HW-DNS-Server-IPv6-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 155 | HW-DHCPv4-Option121 | 0 | 0 | 0 | 0 | 0 | 0 |
| 156 | HW-DHCPV4-Option43 | 0 | 0 | 0 | 0 | 0 | 0 |
| 157 | HW-Framed-Pool-Group | 0 | 0 | 0 | 0 | 0 | 0 |
| 158 | HW-Framed-IPv6-Address | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 159 | HW-Acct-Update-Address | 1 | 1 | 1 | 0 | 0 | 0 |
| 160 | HW-NAT-Policy-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 161 | HW-Nat-IP-Address | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 162 | HW-NAT-Start-Port | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 163 | HW-NAT-End-Port | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 164 | HW-NAT-Port-Forwarding | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 165 | HW-Nat-Port-Range-Update | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 166 | HW-DS-Lite-Tunnel-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 167 | HW-PCP-Server-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 168 | HW-Public-IP-Addr-State | 0 | 0 | 0 | 0 | 0 | 0 |
| 180 | HW-Auth-Type | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 181 | HW-Acct-terminate-subcause | 0 | 0 | 1 | 0 | 0 | 0 |
| 182 | HW-Down-QOS-Profile-Name | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 183 | HW-Port-Mirror | 0 | 0 | 0 | 0 | 0 | 0 |
| 184 | HW-Account-Info | 0 | 0 | 0 | 0 | 0 | 0 |
| 185 | HW-Service-Info | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 187 | HW-Dhcp-Option | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 188 | HW-AVpair | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 189 | HW-Dhcpv6-Option | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 191 | HW-Delegated-IPv6-Prefix-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 192 | HW-IPv6-Prefix-Lease | 0 | 0 | 0 | 0 | 0 | 0 |
| 193 | HW-IPv6-Address-Lease | 0 | 0 | 0 | 0 | 0 | 0 |
| 194 | HW-IPv6-Policy-Route | 0 | 0 | 0 | 0 | 0 | 0 |
| 196 | HW-MNG-IPv6 | 0 | 0 | 0 | 0 | 0 | 0 |
| 251 | HW-USR-GRP-NAME | 0 | 0 | 0 | 0 | 0 | 0 |
| 252 | HW-USER-SRVC_TYPE | 0 | 0 | 0 | 0 | 0 | 0 |
| 253 | HW-Web-URL | 0 | 0 | 0 | 0 | 0 | 0 |
| 254 | HW-Version | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 255 | HW-Product-ID | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |

Table 1-1483 RADIUS Attributes Defined by DSL Forum (Vendor ID = 3561, Attribute Number=26)

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 1 | Agent-Circuit-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 2 | Agent-Remote-Id | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 129 | Actual-Data-Rate-Upstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 130 | Actual-Data-Rate-Downstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 131 | Minimum-Data-Rate-Upstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 132 | Minimum-Data-Rate-Downstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 133 | Attainable-Data-Rate-Upstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 134 | Attainable-Data-Rate-Downstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 135 | Maximum-Data-Rate-Upstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 136 | Maximum-Data-Rate-Downstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 137 | Minimum-Data-Rate-Upstream-Low-Power | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 138 | Minimum-Data-Rate-Downstream-Low-Power | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 139 | Maximum-Interleaving-Delay-Upstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 140 | Actual-Interleaving-Delay-Upstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 141 | Maximum-Interleaving-Delay-Downstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 142 | Actual-Interleaving-Delay-Downstream | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 144 | Access-Loop-Encapsulation | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |

Table 1-1484 RADIUS Attributes Defined by Microsoft (Vendor ID = 311, Attribute Number=26)

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 1 | MS-CHAP-Response | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | MS-CHAP-Error | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | MS-CHAP-CPW-2 | 0 | 0 | 0 | 0 | 0 | 0 |
| 6 | MS-CHAP-NT-Enc-PW | 0 | 0 | 0 | 0 | 0 | 0 |
| 11 | MS-CHAP-Challenge | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 | MS-MPPE-Send-Key | 0 | 0 | 0 | 0 | 0 | 0 |
| 17 | MS-MPPE-Recv-Key | 0 | 0 | 0 | 0 | 0 | 0 |
| 25 | MS-CHAP2-Response | 0 | 0 | 0 | 0 | 0 | 0 |
| 26 | MS-CHAP2-Success | 0 | 0 | 0 | 0 | 0 | 0 |
| 27 | MS-CHAP2-CPW | 0 | 0 | 0 | 0 | 0 | 0 |
| 28 | MS-Primary-DNS-Server | 0 | 0 | 0 | 0 | 0 | 0 |
| 29 | MS-Secondary-DNS-Server | 0 | 0 | 0 | 0 | 0 | 0 |

Table 1-1485 RADIUS Attributes Defined by Redback (Vendor ID = 2352, Attribute Number=26)

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 92 | Forward-Policy | 0 | 0 | 0 | 0 | 0 | 0 |
| 97 | BB-Caller-ID | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |
| 106 | NPM-Service-Id | 0-2 | 0-2 | 0-2 | 0 | 0 | 0 |
| 107 | HTTP-Redirect-Profile-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 165 | HTTP-Redirect-URL | 0 | 0 | 0 | 0 | 0 | 0 |

Table 1-1486 RADIUS Attributes Defined by Ascend

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 135 | Ascend-Client-Primary-Dns | 0 | 0 | 0 | 0 | 0 | 0 |
| 136 | Ascend-Client-Secondary-Dns | 0 | 0 | 0 | 0 | 0 | 0 |

Table 1-1487 RADIUS Attributes Defined by Huawei+1.0 Protocol (Vendor = 2011, Attribute Number=26)

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 80 | Remanent-Volume | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| 81 | Tariff-Switch-Interval | 0 | 0 | 0 | 0-1 | 0-1 | 0 |
| 111 | In-Kb-Before-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 112 | Out-Kb-Before-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 113 | In-Pkts-Before-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 114 | Out-Pkts-Before-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 115 | In-Kb-After-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 116 | Out-Kb-After-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 117 | In-Pkts-After-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 118 | Out-Pkts-After-T-Switch | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 121 | Input-Peak-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 122 | Input-Average-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 124 | Output-Peak-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 125 | Output-Average-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 127 | OnLine-User-Id | 0 | 0 | 0 | 0 | 0 | 0 |
| 128 | Connect-port | 0 | 0 | 0 | 0 | 0 | 0 |

Table 1-1488 RADIUS Attributes Defined by Carrier (Vendor ID = 28357)

| Attribute Number | Attribute Name | Accounting-Request (Start) | Accounting-Request (Interim-Update) | Accounting-Request (Stop) | Accounting-Response (Start) | Accounting-Response (Interim-Update) | Accounting-Response (Stop) |
|---|---|---|---|---|---|---|---|
| 201 | CMCC-NAS-Type | 0-1 | 0-1 | 0-1 | 0 | 0 | 0 |

Attributes in RADIUS COA&DM Packets

In the following tables:

  • 1: indicates the attribute must be present in the packet.

  • 0: indicates the attribute must not be present in the packet. If present, the attribute is invalid and must be ignored.

  • 0-n: indicates the attribute is optional and can appear in a packet. The number of times that the attribute appears can be 0 to n.

  • 0+: indicates the attribute is optional and can be carried in a packet. Multiple instances of the attribute can be carried in a packet.

Table 1-1489 RADIUS Attributes Defined by RFC

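| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
|---|---|---|---|---|---|---|---|
| 1 | User-Name | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 2 | User-Password | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 3 | CHAP-Password | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | NAS-IP-Address | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 5 | NAS-Port | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 6 | Service-Type | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 7 | Framed-Protocol | 0 | 0 | 0 | 0 | 0 | 0 |
| 8 | Framed-IP-Address | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 9 | Framed-IP-Netmask | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 11 | Filter-Id | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 12 | Framed-MTU | 0 | 0 | 0 | 0 | 0 | 0 |
| 14 | Login-IP-Host | 0 | 0 | 0 | 0 | 0 | 0 |
| 15 | Login-Service | 0 | 0 | 0 | 0 | 0 | 0 |
| 18 | Reply-Message | 0 | 0 | 0-1 | 0 | 0 | 0 |
| 19 | Callback-Number | 0 | 0 | 0 | 0 | 0 | 0 |
| 22 | Framed-route | 0 | 0 | 0 | 0 | 0 | 0 |
| 24 | State | 0 | 0 | 0 | 0 | 0 | 0 |
| 25 | Class | 0+ | 0 | 0 | 0 | 0 | 0 |
| 26 | Vendor-Specific | 0+ | 0+ | 0+ | 0+ | 0+ | 0+ |
| 27 | Session-Timeout | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 28 | Idle-Timeout | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 29 | Termination-Action | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 30 | Called-Station-Id | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 | Calling-Station-Id | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 32 | NAS-Identifier | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 33 | Proxy-State | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 |
| 40 | Acct-Status-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 41 | Acct-Delay-Time | 0 | 0 | 0 | 0 | 0 | 0 |
| 42 | Acct-Input-Octets | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 43 | Acct-Output-Octets | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 44 | Acct-Session-Id | 1 | 1 | 1 | 1 | 1 | 1 |
| 45 | Acct-Authentic | 0 | 0 | 0 | 0 | 0 | 0 |
| 46 | Acct-Session-Time | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 47 | Acct-Input-Packets | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 48 | Acct-Output-Packets | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 49 | Acct-Terminate-Cause | 0 | 0 | 0 | 0 | 0 | 0 |
| 50 | Acct-Multi-Session-Id | 0 | 0 | 0 | 0 | 0 | 0 |
| 52 | Acct-Input-Gigawords | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 53 | Acct-Output-Gigawords | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 55 | Event-Timestamp | 0 | 0 | 0 | 0 | 0 | 0 |
| 60 | CHAP-Challenge | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 | NAS-Port-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 62 | Port-Limit | 0 | 0 | 0 | 0 | 0 | 0 |
| 64 | Tunnel-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 65 | Tunnel-Medium-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 66 | Tunnel-Client-Endpoint | 0 | 0 | 0 | 0 | 0 | 0 |
| 67 | Tunnel-Server-Endpoint | 0 | 0 | 0 | 0 | 0 | 0 |
| 68 | Acct-Tunnel-Connection | 0 | 0 | 0 | 0 | 0 | 0 |
| 69 | Tunnel-Password | 0 | 0 | 0 | 0 | 0 | 0 |
| 77 | Connect-Info | 0 | 0 | 0 | 0 | 0 | 0 |
| 80 | Message-Authenticator | 0 | 0 | 0 | 0-1 | 0-1 | 0-1 |
| 81 | Tunnel-Private-Group-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 82 | Tunnel-Assignment-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 83 | Tunnel-Preference | 0 | 0 | 0 | 0 | 0 | 0 |
| 85 | Acct-Interim-Interval | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 86 | Acct-Tunnel-Packets-Lost | 0 | 0 | 0 | 0 | 0 | 0 |
| 87 | NAS-Port-Id | 0 | 0-1 | 0-1 | 0 | 0 | 0 |
| 88 | Framed-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 89 | Chargeable-User-Identity | 0 | 0 | 0 | 0 | 0 | 0 |
| 90 | Tunnel-Client-Auth-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 91 | Tunnel-Server-Auth-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 95 | NAS-IPv6-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 96 | Framed-Interface-Id | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 97 | Framed-Ipv6-Prefix | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 99 | Framed-Ipv6-Route | 0 | 0 | 0 | 0 | 0 | 0 |
| 100 | Framed-Ipv6-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 101 | Error-Cause | 0 | 0 | 1 | 0 | 0 | 1 |
| 123 | Delegated-Ipv6-Prefix | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 144 | DS-Lite-Tunnel-Name | 0 | 0 | 0 | 0 | 0 | 0 |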

Table 1-1490 RADIUS Attributes Defined by Huawei+1.1 Protocol (Vendor = 2011, Attribute Number=26)

| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
|---|---|---|---|---|---|---|---|
| 1 | HW-Input-Committed-Burst-Size | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 2 | HW-Input-Committed-Information-Rate | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 3 | HW-Input-Peak-Information-Rate | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 4 | HW-Output-Committed-Burst-Size | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 5 | HW-Output-Committed-Information-Rate | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 6 | HW-Output-Peak-Information-Rate | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 7 | HW-Input-Kilobytes-Before-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 8 | HW-Output-Kilobytes-Before-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 9 | HW-Input-Packets-Before-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 10 | HW-Output-Packets-Before-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 11 | HW-Input-Kilobytes-After-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 12 | HW-Output-Kilobytes-After-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 13 | HW-Input-Packets-After-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 14 | HW-Output-Packets-After-Tariff-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 15 | HW-Remanent-Volume | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 16 | HW-Tariff-Switch-Interval | 0 | 0 | 0 | 0 | 0 | 0 |
| 17 | HW-Subscriber-QoS-Profile | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 20 | HW-Command | 0 | 0 | 0 | 0 | 0 | 0 |
| 22 | HW-Priority | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 26 | HW-Connect-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 27 | HW-Portal-URL | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 28 | HW-FTP-Directory | 0 | 0 | 0 | 0 | 0 | 0 |
| 29 | HW-Exec-Privilege | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 | HW-QOS-Profile-Name | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 32 | HW-SIP-Server | 0 | 0 | 0 | 0 | 0 | 0 |
| 33 | HW-User-Password | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 34 | HW-Command-Mode | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 35 | HW-Renewal-Time | 0 | 0 | 0 | 0 | 0 | 0 |
| 36 | HW-Rebinding-Time | 0 | 0 | 0 | 0 | 0 | 0 |
| 37 | HW-Igmp-Enable | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 59 | HW-NAS-Startup-Time-Stamp | 0 | 0 | 0 | 0 | 0 | 0 |
| 60 | HW-IP-Host-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 | HW-Up-Priority | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 62 | HW-Down-Priority | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 63 | HW-Tunnel-VPN-Instance | 0 | 0 | 0 | 0 | 0 | 0 |
| 65 | HW-User-Date | 0 | 0 | 0 | 0 | 0 | 0 |
| 66 | HW-User-Class | 0 | 0 | 0 | 0 | 0 | 0 |
| 72 | HW-Subnet-Mask | 0 | 0 | 0 | 0 | 0 | 0 |
| 73 | HW-Gateway-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 74 | HW-Lease-Time | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 75 | HW-Ascend-Client-Primary-WINS | 0 | 0 | 0 | 0 | 0 | 0 |
| 76 | HW-Ascend-Client-Second-WIN | 0 | 0 | 0 | 0 | 0 | 0 |
| 77 | HW-Input-Peak-Burst-Size | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 78 | HW-Output-Peak-Burst-Size | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 80 | HW-Tunnel-Session-Limit | 0 | 0 | 0 | 0 | 0 | 0 |
| 82 | HW-Data-Filter | 0+ | 0 | 0 | 0 | 0 | 0 |
| 83 | HW-Access-Service | 0 | 0 | 0 | 0 | 0 | 0 |
| 84 | HW-Accounting-Level | 0 | 0 | 0 | 0 | 0 | 0 |
| 85 | HW-Portal-Mode | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 87 | HW-Policy-Route | 0 | 0 | 0 | 0 | 0 | 0 |
| 88 | HW-Framed-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 89 | HW-L2TP-Terminate-Cause | 0 | 0 | 0 | 0 | 0 | 0 |
| 93 | HW-Multicast-Profile-Name | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 94 | HW-VPN-Instance | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 95 | HW-Policy-Name | 0-12 | 0-12 | 0-12 | 0-12 | 0-12 | 0-12 |
| 96 | HW-Tunnel-Group-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 99 | HW-Multicast-Type | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 135 | HW-Client-Primary-DNS | 0 | 0 | 0 | 0 | 0 | 0 |
| 136 | HW-Client-Secondary-DNS | 0 | 0 | 0 | 0 | 0 | 0 |
| 138 | HW-Domain-Name | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 140 | HW-HTTP-Redirect-URL | 0 | 0 | 0 | 0 | 0 | 0 |
| 142 | HW-Qos-Profile-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 143 | HW-Max-List-Num | 0 | 0 | 0 | 0 | 0 | 0 |
| 144 | HW-Acct-ipv6-Input-Octets | 0 | 0 | 0 | 0 | 0 | 0 |
| 145 | HW-Acct-ipv6-Output-Octets | 0 | 0 | 0 | 0 | 0 | 0 |
| 146 | HW-Acct-ipv6-Input-Packets | 0 | 0 | 0 | 0 | 0 | 0 |
| 147 | HW-Acct-ipv6-Output-Packets | 0 | 0 | 0 | 0 | 0 | 0 |
| 148 | HW-Acct-ipv6-Input-Gigawords | 0 | 0 | 0 | 0 | 0 | 0 |
| 149 | HW-Acct-ipv6-Output-Gigawords | 0 | 0 | 0 | 0 | 0 | 0 |
| 150 | HW-DHCPv6-Option37 | 0 | 0 | 0 | 0 | 0 | 0 |
| 151 | HW-DHCPv6-Option38 | 0 | 0 | 0 | 0 | 0 | 0 |
| 153 | HW-User-Mac | 0 | 0 | 0 | 0 | 0 | 0 |
| 154 | HW-DNS-Server-IPv6-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 155 | HW-DHCPv4-Option121 | 0 | 0 | 0 | 0 | 0 | 0 |
| 156 | HW-DHCPV4-Option43 | 0 | 0 | 0 | 0 | 0 | 0 |
| 157 | HW-Framed-Pool-Group | 0 | 0 | 0 | 0 | 0 | 0 |
| 158 | HW-Framed-IPv6-Address | 0 | 0-1 | 0 | 0 | 0 | 0 |
| 159 | HW-Acct-Update-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 160 | HW-NAT-Policy-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 161 | HW-Nat-IP-Address | 0 | 0 | 0 | 0 | 0 | 0 |
| 162 | HW-NAT-Start-Port | 0 | 0 | 0 | 0 | 0 | 0 |
| 163 | HW-NAT-End-Port | 0 | 0 | 0 | 0 | 0 | 0 |
| 164 | HW-NAT-Port-Forwarding | 0 | 0 | 0 | 0 | 0 | 0 |
| 165 | HW-Nat-Port-Range-Update | 0 | 0 | 0 | 0 | 0 | 0 |
| 166 | HW-DS-Lite-Tunnel-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 167 | HW-PCP-Server-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 168 | HW-Public-IP-Addr-State | 0 | 0 | 0 | 0 | 0 | 0 |
| 180 | HW-Auth-Type | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 | HW-Acct-terminate-subcause | 0 | 0 | 0 | 0 | 0 | 0 |
| 182 | HW-Down-QOS-Profile-Name | 0-1 | 0-1 | 0 | 0 | 0 | 0 |
| 183 | HW-Port-Mirror | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 184 | HW-Account-Info | 0-1 | 0-9 | 0-1 | 0 | 0 | 0 |
| 185 | HW-Service-Info | 0 | 0 | 0 | 0 | 0 | 0 |
| 187 | HW-Dhcp-Option | 0 | 0 | 0 | 0 | 0 | 0 |
| 188 | HW-AVpair | 0 | 0 | 0 | 0 | 0 | 0 |
| 189 | HW-Dhcpv6-Option | 0 | 0 | 0 | 0 | 0 | 0 |
| 191 | HW-Delegated-IPv6-Prefix-Pool | 0 | 0 | 0 | 0 | 0 | 0 |
| 192 | HW-IPv6-Prefix-Lease | 0 | 0 | 0 | 0 | 0 | 0 |
| 193 | HW-IPv6-Address-Lease | 0 | 0 | 0 | 0 | 0 | 0 |
| 194 | HW-IPv6-Policy-Route | 0 | 0 | 0 | 0 | 0 | 0 |
| 196 | HW-MNG-IPv6 | 0 | 0 | 0 | 0 | 0 | 0 |
| 251 | HW-USR-GRP-NAME | 0 | 0 | 0 | 0 | 0 | 0 |
| 252 | HW-USER-SRVC_TYPE | 0 | 0 | 0 | 0 | 0 | 0 |
| 253 | HW-Web-URL | 0-1 | 0 | 0 | 0 | | |

0

0

254

HW-Version

0

0

0

0

0

0

255

HW-Product-ID

0

0

0

0

0

0

Table 1-1491 RADIUS Attributes Defined by DSL Forum (Vendor ID = 3561, Attribute Number=26)

| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Agent-Circuit-Id | 0 | 0-1 | 0 | 0 | 0-1 | 0 |
| 2 | Agent-Remote-Id | 0 | 0-1 | 0 | 0 | 0-1 | 0 |
| 129 | Actual-Data-Rate-Upstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 130 | Actual-Data-Rate-Downstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 131 | Minimum-Data-Rate-Upstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 132 | Minimum-Data-Rate-Downstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 133 | Attainable-Data-Rate-Upstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 134 | Attainable-Data-Rate-Downstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 135 | Maximum-Data-Rate-Upstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 136 | Maximum-Data-Rate-Downstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 137 | Minimum-Data-Rate-Upstream-Low-Power | 0 | 0 | 0 | 0 | 0 | 0 |
| 138 | Minimum-Data-Rate-Downstream-Low-Power | 0 | 0 | 0 | 0 | 0 | 0 |
| 139 | Maximum-Interleaving-Delay-Upstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 140 | Actual-Interleaving-Delay-Upstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 141 | Maximum-Interleaving-Delay-Downstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 142 | Actual-Interleaving-Delay-Downstream | 0 | 0 | 0 | 0 | 0 | 0 |
| 144 | Access-Loop-Encapsulation | 0 | 0 | 0 | 0 | 0 | 0 |

Table 1-1492 RADIUS Attributes Defined by Microsoft (Vendor ID = 311, Attribute Number=26)

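| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | MS-CHAP-Response | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | MS-CHAP-Error | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | MS-CHAP-CPW-2 | 0 | 0 | 0 | 0 | 0 | 0 |
| 6 | MS-CHAP-NT-Enc-PW | 0 | 0 | 0 | 0 | 0 | 0 |
| 11 | MS-CHAP-Challenge | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 | MS-MPPE-Send-Key | 0 | 0 | 0 | 0 | 0 | 0 |
| 17 | MS-MPPE-Recv-Key | 0 | 0 | 0 | 0 | 0 | 0 |
| 25 | MS-CHAP2-Response | 0 | 0 | 0 | 0 | 0 | 0 |
| 26 | MS-CHAP2-Success | 0 | 0 | 0 | 0 | 0 | 0 |
| 27 | MS-CHAP2-CPW | 0 | 0 | 0 | 0 | 0 | 0 |
| 28 | MS-Primary-DNS-Server | 0 | 0 | 0 | 0 | 0 | 0 |
| 29 | MS-Secondary-DNS-Server | 0 | 0 | 0 | 0 | 0 | 0 |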

Table 1-1493 RADIUS Attributes Defined by Redback (Vendor ID = 2352, Attribute Number=26)

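| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 92 | Forward-Policy | 0-1 | 0 | 0 | 0 | 0 | 0 |
| 97 | BB-Caller-ID | 0 | 0 | 0 | 0 | 0 | 0 |
| 106 | NPM-Service-Id | 0 | 0 | 0 | 0 | 0 | 0 |
| 107 | HTTP-Redirect-Profile-Name | 0 | 0 | 0 | 0 | 0 | 0 |
| 165 | HTTP-Redirect-URL | 0 | 0 | 0 | 0 | 0 | 0 |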

Table 1-1494 RADIUS Attributes Defined by Ascend

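| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 135 | Ascend-Client-Primary-Dns | 0 | 0 | 0 | 0 | 0 | 0 |
| 136 | Ascend-Client-Secondary-Dns | 0 | 0 | 0 | 0 | 0 | 0 |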

Table 1-1495 RADIUS Attributes Defined by Huawei+1.0 Protocol (Vendor = 2011, Attribute Number=26)

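| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 80 | Remanent-Volume | 0 | 0 | 0 | 0 | 0 | 0 |
| 81 | Tariff-Switch-Interval | 0 | 0 | 0 | 0 | 0 | 0 |
| 111 | In-Kb-Before-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 112 | Out-Kb-Before-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 113 | In-Pkts-Before-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 114 | Out-Pkts-Before-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 115 | In-Kb-After-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 116 | Out-Kb-After-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 117 | In-Pkts-After-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 118 | Out-Pkts-After-T-Switch | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 | Input-Peak-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 122 | Input-Average-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 124 | Output-Peak-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 125 | Output-Average-Rate | 0 | 0 | 0 | 0 | 0 | 0 |
| 127 | OnLine-User-Id | 0 | 0 | 0 | 0 | 0 | 0 |
| 128 | Connect-port | 0 | 0 | 0 | 0 | 0 | 0 |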

Table 1-1496 RADIUS Attributes Defined by Carrier (Vendor ID = 28357)

| Attribute Number | Attribute Name | COA REQUEST | COA ACK | COA NAK | DM REQUEST | DM ACK | DM NAK |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 201 | CMCC-NAS-Type | 0 | 0 | 0 | 0 | 0 | 0 |

RADIUS Attribute Prohibition, Conversion, and Default Carrying Status

RADIUS is widely applied on networks because it is simple, flexible, and extensible. However, these same characteristics lead vendors to define RADIUS attributes differently and develop proprietary attributes. RADIUS interconnection between different vendor devices often suffers attribute compatibility problems. Huawei NetEngine 8000 F8/NetEngine 8000E F8s solve this problem by supporting flexible configuration, prohibition, and conversion of RADIUS attributes, enhancing attribute compatibility between different vendor devices.

RADIUS server vendors set different limits on the number of RADIUS attributes carried in a packet. For example, the RADIUS servers manufactured by some vendors can process a packet carrying up to 50 RADIUS attributes. The RADIUS servers cannot properly process packets exceeding this number. NetEngine 8000 F8/NetEngine 8000E F8s are configurable to carry or not carry specific RADIUS attributes in packets to be sent to RADIUS servers.

The commands for attribute prohibition, conversion, and carrying are all configured in the RADIUS server group view. The commands for attribute prohibition and conversion take effect on packets in the sending and receiving directions of a RADIUS server group, but the commands controlling the attribute carrying status take effect only on packets in the sending (from BRAS to RADIUS server) direction.

RADIUS Attribute Prohibition

Normally, a RADIUS server interconnects with multiple BRASs, which may be from different vendors. If the BRASs of some vendors require the RADIUS server to deliver an attribute to support a specified feature, whereas the BRASs from other vendors do not support the delivered attribute, parsing the attribute fails. Likewise, when a Huawei BRAS connects to RADIUS servers of other vendors, some RADIUS servers may require that the Huawei BRAS send attributes that may not be processed by other RADIUS servers. If other RADIUS servers receive these attributes, a processing error occurs. NetEngine 8000 F8/NetEngine 8000E F8s provide the following configuration commands in a RADIUS server group, preventing NetEngine 8000 F8/NetEngine 8000E F8s from sending specific attributes or allowing NetEngine 8000 F8/NetEngine 8000E F8s to ignore specific attributes in received packets.

Commands:

radius-attribute disable attr-description { receive | send } *

radius-attribute disable attr-description { access-request | access-accept | account [ start ] } *

radius-attribute disable attr-description { ip forbid-ip | string forbid-string | bin forbid-bin-value | integer integer-value } receive

Parameters:

  • attr-description: name of a prohibited RADIUS attribute
  • forbid-ip: prohibited IP address
  • forbid-string: prohibited character string
  • forbid-bin-value: prohibited value (in hexadecimal notation) in the bin format
  • integer-value: prohibited integer

To allow the preceding commands to take effect, the radius-server attribute translate command must be run in the RADIUS server group view.

If the preceding commands are not run, NetEngine 8000 F8/NetEngine 8000E F8s support all the attributes listed in "Attributes Carried in RADIUS Packets" when handling protocol packets. If the preceding commands are run, NetEngine 8000 F8/NetEngine 8000E F8s do not encapsulate the specified attributes when sending packets, and ignore the specified attributes when receiving packets.

RADIUS Attribute Conversion

NAS-Port-Id (87) is used to identify the location of the user. The attribute is defined as a string in RADIUS standards, but the structure of the string is not specified. Therefore, the formats defined for this attribute vary among the RADIUS servers of different carriers. NetEngine 8000 F8/NetEngine 8000E F8s provide a flexible attribute conversion mechanism to meet the requirements of carriers.

NetEngine 8000 F8/NetEngine 8000E F8s support attribute conversion in both sending and receiving directions. In the sending direction, if attribute A is converted to attribute B, a NetEngine 8000 F8/NetEngine 8000E F8 encapsulates the attribute type of A but the attribute content and format of B before sending packets. In the receiving direction, if attribute A is converted to attribute B and received by a NetEngine 8000 F8/NetEngine 8000E F8, the NetEngine 8000 F8/NetEngine 8000E F8 parses it as attribute B. The attribute conversion commands are as follows:

radius-attribute translate src-attr-description dest-attr-description { receive | send } *

radius-attribute translate src-attr-description dest-attr-description { access-request | access-accept | account } *

radius-attribute translate extend src-attr-description dest-attr-description { access-request | access-accept | account } *

radius-attribute translate extend src-attr-description vendor-specific dest-vendor-id dest-sub-attr-id { access-request | account } *

radius-attribute translate extend vendor-specific src-vendor-id src-sub-attr-id dest-attr-description access-accept

Parameters:

  • src-attr-description: name of an attribute to be converted
  • dest-attr-description: name of an attribute after conversion
  • dest-vendor-id: vendor ID attribute number after conversion
  • dest-sub-attr-id: vendor ID sub-attribute number after conversion
  • src-vendor-id: vendor ID attribute number to be converted
  • src-sub-attr-id: vendor ID sub-attribute number to be converted

To allow the preceding commands to take effect, the radius-server attribute translate command must be run in the RADIUS server group view.

Attribute Conversion Rules:

  1. Attribute conversion configuration requires the same or compatible data types.

    RADIUS attributes can be of the integer, string, IP address, or text data type. The string and text types are compatible, and the integer and IP address types are compatible. The attributes before and after conversion must belong to the same or a compatible type. For example, User-name (1) can be converted to NAS-Identifier (32) because they are both of the string type, and Service-Type (6) can be converted to Framed-Protocol (7) because they are both of the integer type. User-name (1) cannot be converted to Service-Type (6) because they are of different types.

  2. Conversion restrictions with and without the extend keyword:

    If the extend keyword is not carried in a command, the source and destination attributes can be public or vendor-specific private attributes. If the extend keyword is carried in a command, the source and destination attributes can only be vendor-specific private attributes. Under the same server group, attribute conversions with and without the extend keyword cannot both be configured.

  3. If the attribute to be converted is a private attribute in the sending direction, only the configuration carrying the extend keyword takes effect.

    For example, the first configuration takes effect whereas the second configuration does not.

    radius-attribute translate extend hw-qos-profile-name hw-domain-name account

    radius-attribute translate hw-qos-profile-name hw-domain-name account

  4. Attribute conversion in the sending direction takes effect only in packets supporting both the source and target attributes.

    For example, the Filter-Id (11) attribute is supported only in accounting request packets, not in authentication request packets. The Calling-Station-Id (31) attribute is supported both in accounting and authentication request packets.

    After the radius-attribute translate filter-id calling-station-id send or radius-attribute translate filter-id calling-station-id access-request account command is run, the Filter-Id (11) attribute can only be converted and sent in accounting request packets and cannot be converted or sent in authentication request packets.

    This limitation has exceptions. For details, see point 5.

  5. Attribute conversion in the sending direction can specify a special destination attribute through the vendor ID and sub-attribute ID.

    Command: radius-attribute translate extend src-attr-description vendor-specific dest-vendor-id dest-sub-attr-id { access-request | account } *

    When the parameters dest-vendor-id and dest-sub-attr-id are not pre-defined attributes on a device (pre-defined attributes can be identified by a device and queried using the display radius-attribute command), attribute conversion is special. The destination attribute ID is the same as the configured parameters dest-vendor-id and dest-sub-attr-id, but the content in the destination attribute is the same as the content of the source attribute (src-attr-description). This mode allows the private attributes of an original vendor to be converted to any vendor's private attributes that are not pre-defined on a device.

  6. Attribute conversion in the receiving direction takes effect only in packets supporting destination attributes.

    For example, the HW-Policy-Route (HUAWEI-87) attribute is supported in Access-Accept packets but not in COA messages. The Acct-Interim-Interval (85) attribute is supported both in Access-Accept packets and COA messages. After the radius-attribute translate acct-interim-interval hw-policy-route receive command is run, attribute conversion takes effect only in Access-Accept packets. In COA packets, attribute conversion does not take effect, meaning that the Acct-Interim-Interval (85) attribute is processed as itself.

  7. Attribute conversion in the receiving direction generally requires that the source attribute is a device pre-defined attribute.

    The source attribute must be a device pre-defined attribute (namely, an attribute that can be identified by a device and queried using the display radius-attribute command). Through configuration, a private attribute that is not pre-defined can also be converted into a pre-defined attribute that can be processed by a device.

    • Run the radius-attribute translate extend vendor-specific src-vendor-id src-sub-attr-id dest-attr-description access-accept command to configure conversion, based on src-vendor-id and src-sub-attr-id, of a private attribute that is not pre-defined by a device.
    • Run the radius-attribute vendor vendor-id enable command to enable a NetEngine 8000 F8/NetEngine 8000E F8 to process private attributes that are pre-defined.
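The linter below is an added example, not Huawei's code. It checks translate commands collected from one RADIUS server group view against rules 1 to 3 above and the radius-server attribute translate prerequisite. It assumes that names beginning with hw- are private attributes, knows only the value types stated on this page, and uses a constructed sample configuration.

```python
"""Lint `radius-attribute translate` lines taken from one RADIUS server group view."""
from typing import List, NamedTuple, Optional

# Value types stated on this page for RFC attributes; any other name is "unknown".
ATTR_TYPES = {
    "user-name": "string", "user-password": "string", "chap-password": "string",
    "nas-ip-address": "address", "nas-port": "integer", "service-type": "integer",
    "framed-protocol": "integer", "framed-ip-address": "address",
    "framed-ip-netmask": "address", "filter-id": "text", "framed-mtu": "integer",
    "login-ip-host": "address", "login-service": "integer", "reply-message": "text",
    "callback-number": "string", "framed-route": "text", "state": "string",
    "class": "string", "nas-identifier": "string",
}
COMPATIBLE = ({"string", "text"}, {"integer", "address"})   # rule 1
SEND_KEYWORDS = {"send", "access-request", "account"}       # BRAS -> server packets


class Finding(NamedTuple):
    line: int
    code: str
    detail: str


def kind(name: Optional[str]) -> Optional[str]:
    """'public' for the RFC attributes above, 'private' for hw-* names (assumption)."""
    if name is None:
        return None
    if name in ATTR_TYPES:
        return "public"
    return "private" if name.startswith("hw-") else None


def compatible(a: str, b: str) -> bool:
    return a == b or any(a in group and b in group for group in COMPATIBLE)


def parse_translate(tokens: List[str]):
    """Return (extend, src, dst, keywords); src/dst is None for a vendor/sub-attribute ID pair."""
    rest = tokens[2:]
    extend = bool(rest) and rest[0] == "extend"
    if extend:
        rest = rest[1:]
    if rest and rest[0] == "vendor-specific":   # vendor-specific <vid> <sub> <dest> ...
        src, rest = None, rest[3:]
        dst, keywords = rest[0], rest[1:]
    else:
        src = rest[0]
        if rest[1] == "vendor-specific":        # <src> vendor-specific <vid> <sub> ...
            dst, keywords = None, rest[4:]
        else:
            dst, keywords = rest[1], rest[2:]
    return extend, src, dst, set(keywords)


def lint_server_group(lines: List[str]) -> List[Finding]:
    findings, enabled, first_translate = [], False, None
    styles = {}   # extend flag -> line where that style first appears
    for n, raw in enumerate(lines, 1):
        tokens = raw.lower().split()
        if tokens[:3] == ["radius-server", "attribute", "translate"]:
            enabled = True
            continue
        if tokens[:2] != ["radius-attribute", "translate"]:
            continue
        try:
            extend, src, dst, keywords = parse_translate(tokens)
        except IndexError:
            findings.append(Finding(n, "SYNTAX", "incomplete translate command"))
            continue
        first_translate = first_translate or n
        styles.setdefault(extend, n)
        ts, td = ATTR_TYPES.get(src), ATTR_TYPES.get(dst)
        if ts and td and not compatible(ts, td):
            findings.append(Finding(n, "TYPE_MISMATCH", f"{src} is {ts}, {dst} is {td}"))
        if extend and "public" in (kind(src), kind(dst)):
            findings.append(Finding(n, "EXTEND_PUBLIC_ATTR",
                                    "extend accepts only vendor-specific private attributes"))
        if not extend and kind(src) == "private" and keywords & SEND_KEYWORDS:
            findings.append(Finding(n, "PRIVATE_SRC_NEEDS_EXTEND",
                                    f"{src} is private; only the extend form takes effect when sending"))
    if len(styles) == 2:
        findings.append(Finding(max(styles.values()), "MIXED_EXTEND",
                                "extend and non-extend conversions configured in the same group"))
    if first_translate and not enabled:
        findings.append(Finding(first_translate, "TRANSLATE_NOT_ENABLED",
                                "radius-server attribute translate has not been run"))
    return sorted(findings)


# Constructed sample: the command lines of one server group view.
SAMPLE_GROUP = [
    "radius-server attribute translate",
    "radius-attribute translate user-name nas-identifier send",
    "radius-attribute translate user-name service-type send",
    "radius-attribute translate hw-qos-profile-name hw-domain-name account",
    "radius-attribute translate extend hw-qos-profile-name hw-domain-name account",
]

if __name__ == "__main__":
    for finding in lint_server_group(SAMPLE_GROUP):
        print(f"line {finding.line}: {finding.code}: {finding.detail}")
```

Rules 4 and 6 depend on which packets support each attribute, so checking them also requires the per-packet tables in "Attributes Carried in RADIUS Packets".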

Examples of Common Attribute Conversion Applications

  • Conversion of the Same Attribute

    This is the most common application of RADIUS attribute conversion. This conversion allows attribute formats required by different carriers to be compatible. The following attribute conversions are possible:
    • NAS-Port (5): can be converted to HW-Own-NAS-Port-New, HW-Own-NAS-Port-QinQ, or HW-Own-NAS-Port-CID.
    • NAS-Identifier (32): can be converted to HW-Own-NAS-Identify-SIM.
    • Calling-Station-Id (31): can be converted to HW-Own-Calling-Station-Id-Old.
    • NAS-Port-Id (87): can be converted to HW-Own-NAS-Port-Identify-Old or HW-Own-NAS-Port-Id-Uppercase.
  • Conversion Among Different Attributes

    This conversion aims to improve the compatibility of RADIUS implementation on different vendor devices. The conversion can be performed when the previous rules of attribute conversion are met. The following are usage examples of such conversion.

    • In the receiving direction

      For example, a NetEngine 8000 F8/NetEngine 8000E F8 delivers the priority of a management user through the private attribute HW-Exec-Privilege (26-29), whereas another vendor's device delivers it through the Login-service (15) attribute. When the NetEngine 8000 F8/NetEngine 8000E F8 and the vendor's device use the same RADIUS server on the network, the carrier requires that the NetEngine 8000 F8/NetEngine 8000E F8 deliver the priority of a management user also through the Login-service (15) attribute. To meet this requirement, run the radius-attribute translate Login-service HW-Exec-Privilege receive command on the NetEngine 8000 F8/NetEngine 8000E F8.

      After the command is run, a NetEngine 8000 F8/NetEngine 8000E F8 automatically treats the Login-service attribute as the HW-Exec-Privilege attribute when parsing the Login-service attribute in the received RADIUS authentication response packet. The priority of a management user is originally delivered through the HW-Exec-Privilege attribute. After the attribute conversion, the NetEngine 8000 F8/NetEngine 8000E F8 can deliver the Login-service attribute to manage the priority of the management user.

    • In the sending direction

      For example, a NetEngine 8000 F8/NetEngine 8000E F8 reports the name of a BRAS device through the NAS-Identifier (32) attribute and reports the location of an accessed user through the NAS-Port-Id (87) attribute. However, other vendor devices report the name of the BRAS device through the NAS-Port-Id attribute. The carrier requires that the Huawei NetEngine 8000 F8/NetEngine 8000E F8 also report the name of the BRAS device through the NAS-Port-Id attribute. To meet this requirement, run the radius-attribute translate NAS-Port-Id NAS-Identifier send command.

      Before this command is run, the encapsulated content in the NAS-Port-Id attribute is the location of the accessed user when the NetEngine 8000 F8/NetEngine 8000E F8 sends the authentication request packet. After this command is run, the content encapsulated in the NAS-Port-Id attribute is the same as that of the NAS-Identifier attribute, namely, the device name, when the NetEngine 8000 F8/NetEngine 8000E F8 sends the authentication request packet.

Default Carrying Status of RADIUS Attributes

Different RADIUS server vendors have their own requirements on the maximum number of RADIUS attributes that can be carried in a packet. For example, the RADIUS servers manufactured by some vendors can process a packet carrying up to 50 RADIUS attributes. If a packet carries more RADIUS attributes, the RADIUS servers cannot function properly. The radius-attribute include attribute-name command has been added for NetEngine 8000 F8/NetEngine 8000E F8 to allow them to carry or not carry specific RADIUS attributes in packets to be sent to RADIUS servers by default.

Radius Attributes Description

RADIUS Attributes Defined by RFC

User-Name (1)

Attribute Number

1

Attribute Name

User-Name

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Depending on the command line configuration, the user name can contain the domain name (such as user0001@isp) or does not contain the domain name (such as user0001).

The "radius-server domain-annex" command can be run in the domain view to add a prefix or annex to the domain name carried in the user name of RADIUS request packets.

The user name can be delivered through RADIUS Access-Accept packets for EAP users, IPoE users (excluding leased lines and leased line users), and users who use RADIUS proxy as the authentication mode. The other types of users will ignore the user name carried in the RADIUS Access-Accept packets. This function takes effect for IPoE users only when the "radius-attribute apply user-name match user-type ipoe" command is run in the RADIUS server group view.

If the RADIUS server has delivered the user name through the RADIUS Access-Accept packets and the "radius-attribute apply user-name match user-type ipoe" command has been run in the RADIUS server group view, the user name delivered by the RADIUS server will be carried in the RADIUS Accounting-Request packets, irrespective of whether the "radius-server user-name" and "radius-server domain-annex" commands have been run.

Remark

The pure user name consists of 1 to 253 bytes; the domain name consists of 1 to 64 bytes. The total length of the user name, @, and the domain name ranges from 1 to 253 bytes. If the total length exceeds 253 bytes, the bytes following the 253rd byte are automatically deleted. For example, if the pure user name consists of 250 bytes and the domain name consists of 10 bytes, the length of the final user name is calculated as follows: 250 bytes (pure user name) + @ + 2 bytes (domain name) = 253 bytes.

User-Password (2)

Attribute Number

2

Attribute Name

User-Password

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

16*n (1<=n<=8)

Description

In Password Authentication Protocol (PAP) authentication, the user password is encrypted by the NAS and then sent to the RADIUS server.

This attribute can be used to carry the service authentication password in a CoA request for activating an EDSG service. In this case, the password is in plain text.

Remark

The value is a multiple of 16 and contains 16 to 128 characters. The password used in PAP authentication must be a string of 16 to 128 characters. When the User-Password attribute is used to carry the service authentication password in the COA requests for activating EDSG services, the password must be a string of 1 to 128 characters in plaintext.

CHAP-Password (3)

Attribute Number

3

Attribute Name

CHAP-Password

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

17

Description

Only valid for the CHAP authentication.

Remark

The value contains 17 characters, that is, 1 character used for the CHAP ID and 16 characters used for the CHAP challenge.

NAS-IP-Address (4)

Attribute Number

4

Attribute Name

NAS-IP-Address

Attribute Value Type

Address

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

Device address, which can be either of the following:

The IP address (not a subordinate IP address) of an interface, if the attribute is bound to that interface

IP address of the outbound interface for sending packets if the attribute is not bound to any interface

Remark

-

NAS-Port (5)

Attribute Number

5

Attribute Name

NAS-Port

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

Physical port for user access.

Default formats are as follows: (0s are used for padding if the total length is less than 4 bytes)

ATM interface: slot number (4 bits)+sub-slot number (2 bits)+port number (2 bits)+PVC (8 bits + 16 bits)

Ethernet interface: slot number (8 bits)+sub-slot number (4 bits)+port number (8 bits)+VLAN ID (12 bits) (For QinQ VLAN tag termination, the inner VLAN ID is used)

The "radius-server format-attribute nas-port" command can be run to convert the NAS-Port attribute into one of the following attributes:

1. HW-Own-NAS-Port-New, the formats are as follows: (0s are used for padding if the total length is less than 4 bytes.)

ATM interface: slot number (4 bits)+sub-slot number (2 bits)+port number (2 bits)+PVC (8 bits + 16 bits)

Ethernet interface: slot number (12 bits)+port number (8 bits)+VLAN ID (12 bits) (For QinQ VLAN tag termination, the inner VLAN ID is used.)

2. HW-Own-NAS-Port-QinQ, the formats are as follows: (0s are used for padding if the total length is less than 4 bytes.)

ATM interface: slot number (4 bits)+sub-slot number (2 bits)+port number (2 bits)+PVC (8 bits + 16 bits)

Ethernet interface for X1/X2 models: sub-slot number (4 bits)+port number (4 bits)+QinQ VLAN ID (12 bits)+VLAN ID (12 bits)

Ethernet interface for other models: slot number (3 bits)+sub-slot number (1 bit)+port number (4 bits)+QinQ VLAN ID (12 bits)+VLAN ID (12 bits)

3. HW-Own-NAS-Port-CID, for LNS users, user CIDs are encapsulated; for other users, the default encapsulation format is used.

Remark

-
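The decoder below is an added example, not Huawei's code. It unpacks a 4-byte NAS-Port value under each Ethernet layout listed above, which matters when mapping accounting records back to a physical port because the same value yields different slot and port numbers under different formats. It assumes the fields are packed most significant first in the order the page lists them; the layout keys and the sample value are constructed for this example.

```python
"""Decode NAS-Port (5) values using the Ethernet bit layouts listed on this page."""
from typing import Dict, Tuple

Layout = Tuple[Tuple[str, int], ...]

# (field, width in bits), most significant field first (assumed packing order).
# The dictionary keys are labels chosen for this example, not device keywords.
ETHERNET_LAYOUTS: Dict[str, Layout] = {
    "default": (("slot", 8), ("subslot", 4), ("port", 8), ("vlan", 12)),
    # HW-Own-NAS-Port-New
    "new": (("slot", 12), ("port", 8), ("vlan", 12)),
    # HW-Own-NAS-Port-QinQ, models other than X1/X2
    "qinq": (("slot", 3), ("subslot", 1), ("port", 4), ("qinq_vlan", 12), ("vlan", 12)),
    # HW-Own-NAS-Port-QinQ, X1/X2 models
    "qinq-x1x2": (("subslot", 4), ("port", 4), ("qinq_vlan", 12), ("vlan", 12)),
}

# Every layout must fill the 4-byte attribute value exactly.
assert all(sum(width for _, width in layout) == 32
           for layout in ETHERNET_LAYOUTS.values())


def encode_nas_port(layout: str, **fields: int) -> bytes:
    """Pack named fields into the 4-byte, network-order attribute value."""
    value = 0
    for name, width in ETHERNET_LAYOUTS[layout]:
        field = fields.pop(name)            # KeyError if a field is missing
        if not 0 <= field < (1 << width):
            raise ValueError(f"{name}={field} does not fit in {width} bits")
        value = (value << width) | field
    if fields:
        raise ValueError(f"unexpected fields for {layout}: {sorted(fields)}")
    return value.to_bytes(4, "big")


def decode_nas_port(raw: bytes, layout: str) -> Dict[str, int]:
    """Split a 4-byte NAS-Port value into the fields of the given layout."""
    if len(raw) != 4:
        raise ValueError("NAS-Port value must be exactly 4 bytes")
    value = int.from_bytes(raw, "big")
    shift = 32
    fields = {}
    for name, width in ETHERNET_LAYOUTS[layout]:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return fields


def decode_all(raw: bytes) -> Dict[str, Dict[str, int]]:
    """Decode one value under every layout, to show how the reading changes."""
    return {name: decode_nas_port(raw, name) for name in ETHERNET_LAYOUTS}


if __name__ == "__main__":
    # Constructed sample: slot 1, sub-slot 0, port 2, VLAN 100 in the default layout.
    sample = encode_nas_port("default", slot=1, subslot=0, port=2, vlan=100)
    print(sample.hex())
    for layout, fields in decode_all(sample).items():
        print(f"{layout:10} {fields}")
```

Decode stored NAS-Port values with the layout that was configured on the server group at the time the record was written.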

Service-Type (6)

Attribute Number

6

Attribute Name

Service-Type

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

When a Web user is authenticated, the value is set to 1.

When a common user is authenticated, the value is set to 2, indicating the Framed type.

When an Outbound IPoE user is authenticated, the value is set to 5.

When an administration and maintenance user is authenticated, the value is set to 6, indicating the Administrator type.

For COA re-authentication, the value is set to 17.

Remark

-

Framed-Protocol (7)

Attribute Number

7

Attribute Name

Framed-Protocol

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

The value of Framed-Protocol is set to 1 for non-administrator users, indicating the PPP type. The value of Framed-Protocol is set to 6 for the administrator.

Remark

-

Framed-IP-Address (8)

Attribute Number

8

Attribute Name

Framed-IP-Address

Attribute Value Type

Address

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

IP address of the user. The RADIUS server assigns addresses to PPP users. For example, if the server assigns 10.0.0.7 as the user's IP address, which is 0x0A000007 in hexadecimal notation, the server sets the value of Framed-IP-Address to 0x0A000007.

The following addresses are invalid:

0

0XFFFFFFFE or 0XFFFFFFFF

IP address in the 127.0.0.0/8 network segment

IP address in the 224-255/8 network segment

If the delivered IP address is invalid, the NAS assigns a valid IP address for the user.

Note:

Only the Framed-IP-Address attribute delivered by the RADIUS server is supported by DHCP users. The IP addresses delivered to Layer 2 DHCP users must belong to the address pool configured for the device. The IP addresses delivered to Layer 3 DHCP users do not need to belong to the address pool configured for the device.

If only the Framed-IP-Address attribute is delivered to PPPoE users, the subnet mask is fixed at 32 bits. The delivered IP address does not need to belong to the address pool configured for the device.

Remark

-

Framed-IP-Netmask (9)

Attribute Number

9

Attribute Name

Framed-IP-Netmask

Attribute Value Type

Address

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

Subnet mask delivered by the RADIUS server to PPP users. The Framed-IP-Netmask attribute is used together with the Framed-IP-Address attribute to generate a network segment with the next hop pointing to PPP users. If this attribute is delivered by the RADIUS server, it will be carried in IPCP negotiation packets used in PPP implementation. The value obtained during IPCP negotiation with the client will take effect.

This attribute delivered by the RADIUS server to DHCP users does not take effect.

Remark

-

Filter-Id (11)

Attribute Number

11

Attribute Name

Filter-Id

Attribute Value Type

Text

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

This attribute is used to carry a user group name. If a user group name contains @, only the character string before @ is carried in the attribute. If a packet carries multiple Filter-Id attributes, only the last Filter-Id attribute takes effect. It is recommended that a packet carry only one Filter-Id.

Remark

The valid length is 1 to 32 bytes.

Framed-MTU (12)

Attribute Number

12

Attribute Name

Framed-MTU

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

It indicates the maximum transmission unit delivered by the RADIUS server.

Remark

The smallest value is 256, and the greatest value is 9600.

Login-IP-Host (14)

Attribute Number

14

Attribute Name

Login-IP-Host

Attribute Value Type

Address

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

It indicates the IP address of an administrator. If the value of this attribute is 0, 0xFFFFFFFF, or 0xFFFFFFFE in Access-Accept packets, the IP address is not checked. If the value of this attribute is any other value, the device checks whether the IP address of the administrator is consistent with the one delivered in this attribute.

Remark

-

Login-Service (15)

Attribute Number

15

Attribute Name

Login-Service

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

The type of the service used by the login user. The service types corresponding to the attribute values are as follows:

0: telnet

5: X25-PAD

50: SSH

51: FTP

52: Terminal.

An attribute can deliver multiple service types.

Remark

-

Reply-Message (18)

Attribute Number

18

Attribute Name

Reply-Message

Attribute Value Type

Text

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

This attribute can be carried in RADIUS Access-Accept packets to indicate an authentication success or RADIUS Access-Reject packets to indicate an authentication failure.

The Reply-Message attribute is sent only to PPP and web authentication users. If web authentication is used, the web server must support this attribute.

The attribute in CoA NAK messages can be used to carry the CoA failure reason description.

Remark

-

Callback-Number (19)

Attribute Number

19

Attribute Name

Callback-Number

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~16

Description

The information delivered from the authentication server can be displayed to users, such as the mobile numbers.

Remark

-

Framed-route (22)

Attribute Number

22

Attribute Name

Framed-route

Attribute Value Type

Text

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Routing information provided by the RADIUS server to users through the NAS. This attribute is in the format <IP address>[/<mask length>] [<next hop address>] [<metric>], for example, 192.168.1.0/24 192.168.1.1 1. The mask is generated automatically based on the address type (Class A, Class B, or Class C).

In authorization scenarios, if the next hop address is not configured or not delivered, the user's IP address is used as the next hop address. If the next hop address is delivered, only a delivered value equal to the user's address is valid (AAA onload routes function). In AAA onload routes scenarios, the next hop address should be delivered and only "null0" is supported.

Only one metric is supported. If multiple metrics are delivered, the value of the first metric is used. The metric ranges from 0 to 255. If the value exceeds 255, users fail to go online. A maximum of 128 Framed-route attributes can be delivered to each user. If more than 128 Framed-Route attributes are delivered, users fail to go online.

Note: The attribute is delivered only to PPPoE and IPoE users. The attribute is discarded if it is received for other access types.

Remark

-
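The Framed-route rules above can be checked on the RADIUS server side before a profile is delivered. The following is an added example, not Huawei code: the function names are hypothetical, the sample values are constructed, and rejecting a next hop that is neither the user's address nor null0 is one reading of the description.

```python
import ipaddress

MAX_ROUTES_PER_USER = 128  # more than 128 Framed-Route attributes: user fails to go online
MAX_METRIC = 255           # metric above 255: user fails to go online


def classful_prefix_len(addr):
    """Mask length implied by the address class when no /<mask length> is given."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8    # Class A
    if first_octet < 192:
        return 16   # Class B
    if first_octet < 224:
        return 24   # Class C
    raise ValueError(f"{addr}: Class D/E address has no classful mask")


def parse_framed_route(value, user_ip):
    """Parse '<IP address>[/<mask length>] [<next hop address>] [<metric>]'.

    Raises ValueError for anything the description marks as invalid.
    """
    fields = value.split()
    if not fields:
        raise ValueError("empty Framed-Route value")

    dest, slash, mask = fields[0].partition("/")
    addr = ipaddress.IPv4Address(dest)
    prefix_len = int(mask) if slash else classful_prefix_len(addr)
    network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)

    next_hop, metrics = None, []
    for token in fields[1:]:
        if token.isdigit():
            metrics.append(int(token))
        elif next_hop is not None:
            raise ValueError(f"more than one next hop in {value!r}")
        elif token.lower() == "null0":
            next_hop = "null0"          # AAA onload routes scenario
        else:
            next_hop = str(ipaddress.IPv4Address(token))

    # Only one metric is supported; if several are delivered, the first is used.
    metric = metrics[0] if metrics else None
    if metric is not None and metric > MAX_METRIC:
        raise ValueError(f"metric {metric} exceeds {MAX_METRIC}")

    user = str(ipaddress.IPv4Address(user_ip))
    if next_hop is None:
        next_hop = user                 # not delivered: the user's IP address is used
    elif next_hop not in (user, "null0"):
        # Assumption: a delivered next hop other than the user's address or null0 is rejected.
        raise ValueError(f"next hop {next_hop} is neither the user address nor null0")

    return {"network": str(network), "next_hop": next_hop, "metric": metric}


def validate_user_routes(values, user_ip):
    """Validate every Framed-Route value planned for one user."""
    if len(values) > MAX_ROUTES_PER_USER:
        raise ValueError(f"{len(values)} routes exceed the limit of {MAX_ROUTES_PER_USER}")
    return [parse_framed_route(v, user_ip) for v in values]


if __name__ == "__main__":
    # Constructed sample profile for a user whose address is 192.168.1.1.
    for route in validate_user_routes(
        ["192.168.1.0/24 192.168.1.1 1", "10.1.0.0", "172.16.5.0 null0 10 20"],
        "192.168.1.1",
    ):
        print(route)
```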

State (24)

Attribute Number

24

Attribute Name

State

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

If the RADIUS Access-Challenge packet sent by the RADIUS server carries the State attribute, it must be carried in subsequent RADIUS Access-Request packets.

Remark

-

Class (25)

Attribute Number

25

Attribute Name

Class

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

If the RADIUS Access-Accept packet sent by the RADIUS server to the NAS carries the Class attribute, the Class attribute must also be carried in the subsequent RADIUS Accounting-Request packets sent from the NAS to the RADIUS server. A RADIUS Access-Accept packet can carry zero to eight Class attributes.

Note:

The Class attribute is used in two application scenarios. In addition to the standard scenario described by RFC 2865, the Class attribute can be delivered with QoS parameters contained. The details are as follows:

1. If the "radius-server class-as-car" command is run in the RADIUS server group view, the Class attribute is parsed as CAR parameters:

For a standard RADIUS server, the Class attribute can carry CAR parameters after the radius-server class-as-car command is run. If the Class attribute carries CAR parameters, the total length of the CAR parameters is at least 32 bytes, and the CAR parameter string can consist of only digits ranging from 0 to 9. The first 32 bytes are divided into four 8-byte fields (from left to right), which indicate the upstream PIR, upstream CIR, downstream PIR, and downstream CIR, respectively, expressed in bit/s. For other types of RADIUS servers, the Class attribute cannot carry CAR parameters.

Irrespective of whether the Class attribute is used to carry CAR parameters, the Class attribute is eventually transmitted back to the RADIUS server. When the Class attribute carries CAR parameters, a NAS detects whether the first 32 bytes are characters, and discards the subsequent bytes. Only one Class attribute takes effect. If multiple Class attributes are contained in a packet, the CAR parameters of the last valid Class attribute are used.

2. The Class attribute can also be used to send descriptions of user access VLANs or PVCs to a RADIUS server. If the "link-account resolve" command is run on a BAS interface, the command takes effect only for common Layer 2 users who are not authenticated but are charged by a RADIUS server.

The rules for delivering the Class attribute in a CoA message are as follows:

1. If the radius-server class-as-car [enable-pir] command is not run in the view of the RADIUS server group to which the authorization server belongs, the Class attribute can be modified using a CoA message. The Class attribute delivered in a CoA message replaces the existing Class attribute of a user.

2. If the radius-server class-as-car [enable-pir] command is run in the view of the RADIUS server group to which the authorization server belongs, the Class attribute delivered in a CoA message fails to take effect.

3. After the value-added-service edsg modify-synchronous class command is run, the Class attribute can be delivered together with EDSG service attributes in a CoA message. If this command is not run, the Class attribute is ignored if it is delivered in a CoA message used to activate or deactivate the EDSG service.

4. The Class attribute can be delivered in a CoA message used to deactivate the EDSG service. Accounting Stop packets of the deactivated service carry the old Class attribute.

5. The Class attribute can be delivered in a CoA message used to activate the EDSG service. Accounting Start packets of the activated service carry the new Class attribute.

6. The Class attribute can be delivered in a CoA message used to replace the EDSG service. Accounting Stop packets of the replaced service carry the old Class attribute. Accounting Start packets of the new service carry the new Class attribute.

7. If the radius-server coa-request hw-policy-name daa coexist-with-user command is configured, the Class attribute can be delivered in a CoA message used to activate the DAA service. If this command is not configured, the Class attribute delivered in a CoA message used to activate the DAA service is ignored.

8. The Class attribute cannot be delivered in a CoA message used to activate the BOD service. If the Class attribute is delivered in a CoA message used to activate the BOD service, the Class attribute is ignored.

9. After the Class attribute is changed using a CoA message, all accounting packets carry the newly delivered Class attribute, including accounting packets of the user, accounting packets of EDSG services, and accounting packets of DAA services.

Remark

-
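The class-as-car encoding described above (32 digits, four 8-byte fields, trailing bytes discarded, last valid Class attribute wins) can be exercised as follows. This is an added example, not Huawei code; the function names are hypothetical and the sample values are constructed. One consequence of the fixed 8-digit fields is that a rate above 99,999,999 bit/s cannot be expressed in this format.

```python
CAR_FIELDS = ("upstream_pir", "upstream_cir", "downstream_pir", "downstream_cir")
FIELD_WIDTH = 8                      # each field is 8 bytes of ASCII digits
CAR_LENGTH = FIELD_WIDTH * len(CAR_FIELDS)   # 32 bytes
MAX_RATE = 10 ** FIELD_WIDTH - 1     # largest value 8 decimal digits can hold, in bit/s
MAX_CLASS_PER_ACCEPT = 8             # an Access-Accept carries zero to eight Class attributes


def build_class_as_car(upstream_pir, upstream_cir, downstream_pir, downstream_cir):
    """Encode four rates (bit/s) as the 32-digit Class value a server would deliver."""
    rates = (upstream_pir, upstream_cir, downstream_pir, downstream_cir)
    for name, rate in zip(CAR_FIELDS, rates):
        if not 0 <= rate <= MAX_RATE:
            raise ValueError(f"{name}={rate} does not fit in {FIELD_WIDTH} digits")
    return "".join(f"{rate:0{FIELD_WIDTH}d}" for rate in rates).encode("ascii")


def parse_class_as_car(value):
    """Return the CAR parameters in a Class value, or None if it is not a valid CAR string.

    Only the first 32 bytes are examined; anything after them is discarded.
    """
    if len(value) < CAR_LENGTH:
        return None
    head = value[:CAR_LENGTH]
    if not head.isdigit():           # bytes.isdigit(): ASCII 0-9 only
        return None
    text = head.decode("ascii")
    return {
        name: int(text[i * FIELD_WIDTH:(i + 1) * FIELD_WIDTH])
        for i, name in enumerate(CAR_FIELDS)
    }


def effective_car(class_values):
    """Pick the CAR parameters that take effect for one Access-Accept.

    Every Class value is still echoed in accounting; only the last valid
    CAR string among them is applied.
    """
    if len(class_values) > MAX_CLASS_PER_ACCEPT:
        raise ValueError(f"more than {MAX_CLASS_PER_ACCEPT} Class attributes")
    chosen = None
    for value in class_values:
        car = parse_class_as_car(value)
        if car is not None:
            chosen = car
    return chosen


if __name__ == "__main__":
    # Constructed sample: 20/10 Mbit/s upstream, 50/25 Mbit/s downstream.
    first = build_class_as_car(20_000_000, 10_000_000, 50_000_000, 25_000_000)
    second = build_class_as_car(5_000_000, 2_000_000, 8_000_000, 4_000_000) + b"-trial"
    print(first)
    print(effective_car([first, b"billing-tag", second]))
```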

Vendor-Specific (26)

Attribute Number

26

Attribute Name

Vendor-Specific

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

The attribute specified by a vendor.

By default, multiple private attributes of the same vendor are consecutively encapsulated into one Vendor-Specific (26) attribute, and another Vendor-Specific attribute is used after the first Vendor-Specific attribute is full. To allow for flexible compatibility with different types of servers, the "undo radius-attribute vendor { HUAWEI | MICROSOFT | 3GPP2 | REDBACK | DSLFORUM | other }" continuous command can be run to allow one Vendor-Specific (26) attribute to be encapsulated with only one private attribute.

Remark

-
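The two encapsulation modes described above differ only in how sub-attributes are grouped, so a receiver has to walk every sub-attribute inside every Vendor-Specific attribute and reject inconsistent lengths. The following is an added example, not Huawei code: the function names are hypothetical, the sub-attribute numbers and values are constructed, and the vendor ID constant is the IANA enterprise number for Huawei rather than a value quoted on this page.

```python
import struct

MAX_ATTR_VALUE = 253                 # Value field limit of attribute 26 (1~253 bytes)
MAX_SUB_SPACE = MAX_ATTR_VALUE - 4   # room left after the 4-byte Vendor-Id
HUAWEI_VENDOR_ID = 2011              # IANA enterprise number; not taken from this page

# Constructed sub-attributes: (vendor type, value). The numbers carry no meaning here.
SAMPLE_SUBS = [(1, b"a" * 100), (2, b"b" * 100), (3, b"c" * 100)]


def encode_vsas(vendor_id, subs, continuous=True):
    """Return the Value fields of the Vendor-Specific attributes needed for subs.

    continuous=True packs sub-attributes back to back and starts a new
    attribute only when the current one is full; continuous=False puts
    exactly one sub-attribute in each attribute.
    """
    header = struct.pack("!I", vendor_id)
    values, current = [], b""
    for vtype, data in subs:
        if not 0 <= vtype <= 255 or len(data) > MAX_SUB_SPACE - 2:
            raise ValueError(f"sub-attribute {vtype} cannot be encoded")
        tlv = bytes([vtype, len(data) + 2]) + data   # length covers type and length bytes
        if current and (not continuous or len(current) + len(tlv) > MAX_SUB_SPACE):
            values.append(header + current)
            current = b""
        current += tlv
    if current:
        values.append(header + current)
    return values


def decode_vsa(value):
    """Split one Vendor-Specific Value field into (vendor_id, [(type, data), ...])."""
    if not 6 <= len(value) <= MAX_ATTR_VALUE:
        raise ValueError("Vendor-Specific value has an impossible length")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, offset = [], 4
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[offset], value[offset + 1]
        if vlen < 2 or offset + vlen > len(value):
            raise ValueError(f"sub-attribute {vtype} has a bad length {vlen}")
        subs.append((vtype, value[offset + 2:offset + vlen]))
        offset += vlen
    return vendor_id, subs


def decode_all(values, vendor_id):
    """Collect every sub-attribute of one vendor, whichever mode the sender used."""
    collected = []
    for value in values:
        vid, subs = decode_vsa(value)
        if vid == vendor_id:
            collected.extend(subs)
    return collected


if __name__ == "__main__":
    packed = encode_vsas(HUAWEI_VENDOR_ID, SAMPLE_SUBS, continuous=True)
    split = encode_vsas(HUAWEI_VENDOR_ID, SAMPLE_SUBS, continuous=False)
    print(len(packed), "attributes in continuous mode,", len(split), "otherwise")
    print(decode_all(packed, HUAWEI_VENDOR_ID) == decode_all(split, HUAWEI_VENDOR_ID))
```

A receiver that reads only the first sub-attribute of each Vendor-Specific attribute sees all three values in the one-per-attribute layout but misses the second one in the continuous layout.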

Session-Timeout (27)

Attribute Number

27

Attribute Name

Session-Timeout

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

In Access-Accept packets, the attribute indicates the remaining online time of users, in seconds. If the value is 0, the device logs out the users by default.

In Challenge packets, the attribute indicates the re-authentication duration of EAP users.

In Accounting-Request packets, the attribute is the one carried in the Access-Reply packets delivered by the RADIUS server. This attribute is used by the accounting server to obtain the original remaining online time of users delivered by the authentication server.

The attribute carried in Access-Request packets used to apply for the EDSG service quota indicates the time quota that has been used.

In scenarios where the initial value of Session-Timeout is not 0 and the "quota-out { offline | online | redirect }" command has been run in the domain view, if the value of Session-Timeout decreases to 0, the device performs one of the following operations: (1) Log out the user; (2) Keep the user online; (3) Redirect the user to the portal server.

If the value of Session-Timeout in the Access-Accept packets is 0, run the authening quota-out-redirect-enable command in the authentication scheme view to redirect the user to a domain.

If the value of Session-Timeout in the Accounting-Response packets is 0, run the "quota-out redirect" command in the domain view to redirect the user to a domain.

Remark

-

Idle-Timeout (28)

Attribute Number

28

Attribute Name

Idle-Timeout

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

Idle-cut time of a user, in seconds.

If the traffic rate of a user is less than a preset value during the Idle-Timeout period, the user is disconnected. For example, the idle-cut traffic rate is set to 1000 bytes per minute (60 KB per minute by default) by the "idle-cut rate" command in the AAA domain view and Idle-Timeout is set to 50 minutes. Once the traffic rate of a user is less than 1000 bytes per minute during the 50 minutes, the user is disconnected. If the traffic rate of the user is always lower than 1000 bytes per minute during the 50 minutes, the user is forcibly logged out. If the traffic rate of the user exceeds 1000 bytes per minute at any time during the 50 minutes, the Idle-Timeout starts over.

If Idle-Timeout is 0 or 0XFFFFFFFF, the user is not disconnected.

The RADIUS server delivers only the idle-cut time through the Idle-Timeout attribute. The idle-cut traffic rate is set using the "idle-cut time rate" command. By default, the idle-cut traffic rate is not configured.

In Accounting-Request packets, the attribute indicates the value carried in the Access-Reply packets sent from the RADIUS server.

Remark

-

Termination-Action (29)

Attribute Number

29

Attribute Name

Termination-Action

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

The specified mode for terminating the NAS service, such as re-authentication or forcing a user to log out. The value 0 forces the user to log out. The value 1 triggers re-authentication.

Note:

The attribute carried in an Access-Accept or Access-Challenge packet is valid only for 802.1X authentication users, not EAP termination users.

If the attribute is carried in a CoA packet, the re-authentication function is valid only for IPoE, PPPoE, and L2TP users (Leased Line users), and the function of forcing a user to log out is valid for all kinds of users except administrators.

Remark

-

Called-Station-Id (30)

Attribute Number

30

Attribute Name

Called-Station-Id

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~64

Description

The attribute is valid only for LNS users. The value is a string carried by the L2TP AVP attribute dialed number (21). When the device is used as the LAC, AVP is empty.

For other types of users:

1. If the "ssid" command is run on a BAS interface to configure a service set ID (SSID) for WLAN services, the format of this attribute is 00-00-00-00-00-00:SSID.

2. The "radius-server called-station-id include" command can be run in the RADIUS server group view to configure the content that is allowed to be carried in this attribute. ap-mac and ssid can be specified in the command. If the "ssid" command is not run on a BAS interface, the content specified by the "radius-server called-station-id include" command is carried. The "radius-server called-station-id include" command can take effect only after the "wlan option82 decode-mode" command is run on the BAS interface.

Remark

-

Calling-Station-Id (31)

Attribute Number

31

Attribute Name

Calling-Station-Id

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

The attribute is used by the NAS to carry user information.

For management users, Layer 2 leased line users, Layer 3 leased line users, and network-side PPP users, the attribute is not encapsulated.

For an LAC, if the function to parse the logical line ID (LLID) information is enabled using the radius-server calling-station-id include llid user-type { ppp | lns }* command, the Calling-Station-Id attribute is obtained from the RADIUS server and encapsulated into the calling-number attribute to be sent to the LNS.

For L2TP LNS-side users, the value configured using the "calling-number-avp" command in the LAC-side L2TP group is used.

For non-L2TP LNS-side users, the attribute carries users' MAC addresses by default, in the format of 01:0A:0E:11:34:B5.

To configure the generation mode of Calling-Station-Id, run the "radius-server calling-station-id include [ delimiter <delimiter> ] { { option82 | access-line-id } [ delimiter <delimiter> ] | mac [ mac-format type1 ] [ delimiter <delimiter> ] | interface [ delimiter <delimiter> ] | domain [ delimiter <delimiter> ] | sysname [ delimiter <delimiter> ] } *" or "radius-server calling-station-id include refer-option61" command.

In the format of initial delimiter + configuration item + delimiter + configuration item + delimiter, the value of a delimiter can be any of the following characters: n, b, @, #, \, &, *, -, and $, where 'n' represents null and 'b' represents a blank space.

The sysname value is obtained in ascending order of the following priorities:

nas-name configured on the RBP

nas-name configured on the interface

sysname configured for the system

The format of the interface information can be any of the following:

Three-dimensional format:

eth slot/picnum/portnum:pevlan.cevlan

trunk slot/0/Trunkid:pevlan.cevlan

atm slot/picnum/portnum:pevlan.cevlan

Four-dimensional format (configured using the "access four-dimensional mode enable" command), with ap-id being added for Ethernet and trunk interfaces:

eth ap-id (5 bits)/slot/picnum/portnum:pevlan.cevlan

trunk ap-id (5 bits)/slot/0/Trunkid:pevlan.cevlan

The MAC address format is xx:xx:xx:xx:xx:xx and can be changed to xx-xx-xx-xx-xx-xx by setting type1 in the preceding command.

When Calling-Station-Id is converted to HW-Own-Calling-Station-Id-Old using the attribute conversion command, the format is as follows:

The format of the attribute encapsulated in RADIUS packets is 00E0FC123456.

For 802.1X relay users, the attribute format is 00-e0-fc-12-34-56.

If the "radius-server calling-station-id include option82" command has been run, the Calling-Station-Id field value varies with the "option82-relay-mode" command configuration in the BAS interface view. Specifically, the Calling-Station-Id field will contain:

All Option 82 information if the "option82-relay-mode include allvalue" command is configured.

Only the circuit ID if the "option82-relay-mode include agent-circuit-id" command is configured.

Only the remote ID if the "option82-relay-mode include agent-remote-id" command is configured.

Both the circuit ID and remote ID if the "option82-relay-mode include agent-circuit-id agent-remote-id" command is configured.

After the "option82-relay-mode" command is run with any of the preceding four parameters configured, the "option82-relay-mode subopt" command can be run to configure a format (either a character string or hexadecimal notation) for the circuit ID or remote ID to be transmitted.

The value of the Calling-Station-Id attribute to be sent to the RADIUS server depends on whether the Option 61 field is carried in packets sent by access users. The "radius-server calling-station-id include refer-option61" command can be run in the RADIUS server group view to configure a device to encapsulate the user MAC address in the Calling-Station-Id attribute to be sent to the RADIUS server if user packets carry the Option 61 field. If this command is not run, the device encapsulates the user name without a domain name in the Calling-Station-Id attribute to be sent to the RADIUS server.

You can also configure a RedBack-compatible format for the Calling-Station-Id attribute.

To do so, run the "radius-server format-attribute calling-station-id vendor 2352" command in the RADIUS server group view.

Three-dimensional format:

For PPPoE and IPoE users: systemname#slot/port#PVlan:CVlan

When the virtual access four-dimensional interface format is configured using the "access four-dimensional mode enable" command, the Ethernet interface format has an additional ap-id.

For PPPoE and IPoE users: systemname#ap-id(5 bits)/slot/port#PVlan:CVlan

NOTE:

The "radius-server format-attribute include sub-slot" command can be run to convert Slot/Port to Slot/Sub-Slot/Port.

If the "radius-server calling-station-id include vlan-description" command has been run, the format of the Calling-Station-Id attribute to be sent to the RADIUS server varies as follows:

When the three-dimensional interface format is used, the Calling-Station-Id attribute format is sysname#slot/subslot/port#Pevlan.CeVlan#vlan-description.

When the virtual access four-dimensional interface format is configured using the "access four-dimensional mode enable" command, the Ethernet interface format has an additional ap-id.

sysname# ap-id(5 bits)/slot/subslot/port#Pevlan.CeVlan#vlan-description

In this format:

The sysname has a maximum of 30 characters allowed. If the sysname is longer than 30 characters, only the first 30 characters are used.

Using the logical device name and logical interface name configured on the BAS interface as the sysname and slot/subslot/port is recommended.

If packets carry only one VLAN tag, the PeVlan, instead of the CeVlan, is displayed in the format.

The vlan-description is the description of the VLAN configured for the access interface. It has a maximum of 128 characters allowed.

NOTE:

For the device name and port and IP information, use their logical values configured on the BAS interfaces if they are present. If their logical values are not configured, use their actual values.

If encapsulation using the specified format fails, the device encapsulates only the user MAC address to the Calling-Station-Id attribute.

For LNS users, the calling-number attribute carried in L2TP packets sent from the LAC is preferentially encapsulated into the Calling-Station-Id attribute. If no calling-number attribute is carried in L2TP packets sent from the LAC, the LNS does not carry the Calling-Station-Id attribute in packets to be sent to the RADIUS server by default. If the radius-server calling-station-id lns-default version1 command is run in the RADIUS server group view, the Calling-Station-Id attribute carried in packets sent by the LNS is in the following format: sysname#slot/subslot/port#0#0.

Remark

-

NAS-Identifier (32)

Attribute Number

32

Attribute Name

NAS-Identifier

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~246

Description

Name of the NAS or the sysname (host name).

When NAS-Identifier is converted to HW-Own-NAS-Identify-SIM using the attribute conversion command, the value of HW-Own-NAS-Identify-SIM is the BAS interface name if a BAS interface is configured. If a BAS interface is not configured, the value of HW-Own-NAS-Identify-SIM is the device name.

By default, the maximum length of the NAS device name to be sent is 29 characters. If the device name contains more than 29 characters, the extra part will be truncated. After the radius-attribute nas-identifier max-length unlimited command is run, the maximum length of the NAS device name will not be limited. Currently, the device's host name contains a maximum of 246 characters. Therefore, the maximum length of the NAS device name to be sent is 246 characters.

Remark

-

Proxy-State (33)

Attribute Number

33

Attribute Name

Proxy-State

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

1~253

Description

The attribute is carried in CoA and DM Request and Response packets. The Proxy-State attribute in Response and Request packets must be the same.

Remark

-

Acct-Status-Type (40)

Attribute Number

40

Attribute Name

Acct-Status-Type

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Type of the Accounting-Request packet, which can be any of the following:

Start (Value=1)

Stop (Value=2)

Interim-Update (Value=3)

Accounting-On (Value=7)

Accounting-Off (Value=8)

Tunnel-Start (Value=9)

Tunnel-Stop (Value=10)

Tunnel-Link-Start (Value=12)

Tunnel-Link-Stop (Value=13)

Remark

-

Acct-Delay-Time (41)

Attribute Number

41

Attribute Name

Acct-Delay-Time

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Time spent to send an Accounting Request packet, excluding the network transmission duration, in seconds.

Time when an Accounting Request packet arrives at the RADIUS server – Acct-Delay-Time = Time when the NAS created the packet.

Acct-Delay-Time is composed of two periods of time: the difference between the time spent by the RADIUS module to retrieve data from AAA and the latest data refresh time, and the delayed time spent by the RADIUS module to deliver the accounting request packet, for example, the time spent on re-transmission.

Remark

-

Acct-Input-Octets (42)

Attribute Number

42

Attribute Name

Acct-Input-Octets

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of upstream bytes. The unit can be byte, KB, MB, or GB. By default, the unit for the standard RADIUS server is byte and the unit for the RADIUS+ server is KB.

The "radius-server traffic-unit" command can be run in the RADIUS server group view to specify the unit of the attribute.

Remark

-

Acct-Output-Octets (43)

Attribute Number

43

Attribute Name

Acct-Output-Octets

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of downstream bytes. The unit can be byte, KB, MB, or GB. By default, the unit for the standard RADIUS server is byte and the unit for the RADIUS+ server is KB.

The "radius-server traffic-unit" command can be run in the RADIUS server group view to specify the unit of the attribute.

Remark

-

Acct-Session-Id (44)

Attribute Number

44

Attribute Name

Acct-Session-Id

Attribute Value Type

Text

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

1~44

Description

The formats of Acct-Session-Id are as follows:

Version 1:

On an X1/X2 model: host name (7 bytes)+slot ID (1 byte)+card ID (2 bytes)+port number (2 bytes)+{VPI (4 bytes)+VCI (5 bytes), outer VLAN ID (4 bytes)+inner VLAN ID (5 bytes)}+CPU tick (6 bytes in hexadecimal notation)+user connection index (6 bits in hexadecimal notation).

If the three-dimensional interface format is used on an X3/X8/X16 model: host name (7 bits)+slot ID (2 bits)+card ID (1 bit)+port number (2 bits)+{VPI (4 bits)+VCI (5 bits), outer VLAN ID (4 bits)+inner VLAN ID (5 bits)}+CPU tick (6 bits in hexadecimal notation)+user connection index (6 bits in hexadecimal notation).

Version 2:

{VPI (4 bits), outer VLAN ID (4 bits)}+CPU tick (6 bits in hexadecimal notation)+user connection index (6 bits in hexadecimal notation)

Version 3:

CPU tick (in hexadecimal notation, least significant 2 bits)+user connection index (6 bits in hexadecimal notation)

Version 4:

Host name (7 bits)+serial number (2 bits)+user connection index (6 bits in hexadecimal notation). 15 bytes in total

Version 5:

If the three-dimensional interface format is used: host name (7 bits)+space (1 bit)+interface name abbreviation (3 bits to 5 bits)+slot ID+/ (1 bit)+card ID+/ (1 bit)+port number+. (1 bit)+CPU tick (4 least significant bits in hexadecimal notation)+: (1 bit)+outer VLAN ID+. (1 bit)+inner VLAN ID+: (1 bit)+user connection index (6 bits in hexadecimal notation)

NOTE:

The interface name can be eth, atm, or ethtr.

The slot ID, card ID, port number, outer VLAN ID, and inner VLAN ID do not have length limitation.

Format in the EDSG service:

If the three-dimensional interface format is used: host name (1 bit to 7 bits)+slot ID (2 bits)+card ID (1 bit)+port number (2 bits)+SSG+service ID (6 bits)+CPU tick (6 bits in hexadecimal notation)+user connection index (6 bits in hexadecimal notation)

Remark

When Acct-Session-Id is in version 1 format, the value contains 27 to 33 bytes with variable-length host name. When Acct-Session-Id is in version 2 format, the value contains 16 bytes. When Acct-Session-Id is in version 3 format, the value contains 8 bytes. When Acct-Session-Id is used in the DSG service, the value contains 26 to 32 bytes.

Acct-Authentic (45)

Attribute Number

45

Attribute Name

Acct-Authentic

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

The attribute indicates the authentication type:

1: RADIUS authentication

2: local authentication

3: remote authentication

Remark

-

Acct-Session-Time (46)

Attribute Number

46

Attribute Name

Acct-Session-Time

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Online time of a user, in seconds.

Remark

-

Acct-Input-Packets (47)

Attribute Number

47

Attribute Name

Acct-Input-Packets

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of upstream packets.

Remark

-

Acct-Output-Packets (48)

Attribute Number

48

Attribute Name

Acct-Output-Packets

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of downstream packets.

Remark

-

Acct-Terminate-Cause (49)

Attribute Number

49

Attribute Name

Acct-Terminate-Cause

Attribute Value Type

Integer

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

4

Description

Reason for session interruption, which can be any of the following:

1: User Request. The user goes offline intentionally.

2: Lost Carrier. For example, the ARP handshake fails, the echo handshake fails, the internal heartbeat times out, or the EAP handshake fails.

3: Lost Service. The session that the LNS initiates is torn down.

4: Idle Timeout.

5: Session Timeout. The user is disconnected due to a time or traffic quota.

6: Admin Reset. The administrator instructs to log a user out, and the RADIUS server delivers the logout instruction. (For example, the administrator runs a command to delete a static VLAN.)

7: Admin Reboot. The administrator requires the user to go offline.

8: Port Error. The port fails.

9: NAS Error. For example, an internal error occurs, memory allocation fails, messages fail to be sent, or the timer fails to be started.

10: NAS Request. The NAS requires the user to go offline.

11: NAS Reboot. The value is not supported currently.

12: Port Unneeded. For example, the port is Down.

13: Port Preempted. The value is not supported currently.

14: Port Suspended. The port is suspended.

15: Service Unavailable. For example, a session is torn down because VPN services are deployed for PPP leased lines.

16: Callback. The value is not supported currently.

17: User Error. Authentication fails or times out.

18: Host Request. The client receives a Decline packet from the server.

Remark

See the chapter "Reasons for User Offline".

Acct-Multi-Session-Id (50)

Attribute Number

50

Attribute Name

Acct-Multi-Session-Id

Attribute Value Type

String

Standard Defined

RFC 2866

Server Type

All

Value of Length field (in Bytes)

1~44

Description

If tunnel users are configured in the system, the attribute indicates the accounting ID of an L2TP tunnel user. The format of Acct-Multi-Session-Id is the same as that of Acct-Session-Id. For other scenarios, this attribute is not used.

If RADIUS accounting is applied to a user's value-added services, accounting packets carry the user's Acct-Session-Id as Multi-Session-Id.

Remark

For detailed formats, see the chapter "Acct-Session-Id (44)"

Acct-Input-Gigawords (52)

Attribute Number

52

Attribute Name

Acct-Input-Gigawords

Attribute Value Type

Integer

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of upstream bytes. The value is a multiple of 4 GB, KB, MB, or bytes (2^32), which can be configured using the "radius-server traffic-unit" command. The value is the most significant 32 bits of Acct-Input-Octets.

Remark

-

Acct-Output-Gigawords (53)

Attribute Number

53

Attribute Name

Acct-Output-Gigawords

Attribute Value Type

Integer

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of downstream bytes. The value is a multiple of 4 GB, KB, MB, or bytes (2^32), which can be configured using the "radius-server traffic-unit" command. The value is the most significant 32 bits of Acct-Output-Octets.

Remark

-

Event-Timestamp (55)

Attribute Number

55

Attribute Name

Event-Timestamp

Attribute Value Type

Integer

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

4

Description

Time when an Accounting-Request packet was generated. The timestamp sent in the attribute is in the absolute time format (number of seconds since January 1, 1970 00:00:00 UTC).

Remark

-

CHAP-Challenge (60)

Attribute Number

60

Attribute Name

CHAP-Challenge

Attribute Value Type

String

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

16

Description

Indicates the value of Challenge. Only valid for CHAP authentication.

Remark

-

NAS-Port-Type (61)

Attribute Number

61

Attribute Name

NAS-Port-Type

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

NAS port type, which can be set by the "nas-port-type" command in the BAS interface view. By default, the value is Ethernet (15). For LNS users, the value is Virtual (5).

Remark

-

Port-Limit (62)

Attribute Number

62

Attribute Name

Port-Limit

Attribute Value Type

Integer

Standard Defined

RFC 2865

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of port users. This attribute is used to limit the number of users who share the same account.

Remark

-

Tunnel-Type (64)

Attribute Number

64

Attribute Name

Tunnel-Type

Attribute Value Type

Integer

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

4

Description

Tunnel protocol type. Only the following values are supported:

3: L2TP

10: GRE

If values other than the preceding ones are delivered by the RADIUS server, user login fails.

Remark

-

Tunnel-Medium-Type (65)

Attribute Number

65

Attribute Name

Tunnel-Medium-Type

Attribute Value Type

Integer

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

4

Description

Type of the tunnel bearer medium. Currently, the value can only be 1, indicating that the type of the tunnel bearer medium is IPv4.

If the RADIUS server delivers other values, users fail to go online.

If the tag value is 0, all tag values can be matched.

Remark

-

Tunnel-Client-Endpoint (66)

Attribute Number

66

Attribute Name

Tunnel-Client-Endpoint

Attribute Value Type

String

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~253

Description

IP address of the local end of the tunnel. The IP address is in the dotted decimal notation. Currently, one tag can deliver only one IP address.

When the device functions as the LNS in L2TP user authentication, the RADIUS server applies different policies to the Access-Request packets sent from different LACs. Therefore, this attribute must be carried in the user authentication requests sent over the tunnel from the LNS.

Tags are supported.

Remark

-

Tunnel-Server-Endpoint (67)

Attribute Number

67

Attribute Name

Tunnel-Server-Endpoint

Attribute Value Type

String

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~129

Description

IP address of the tunnel server. The IP address is in the dotted decimal notation. A tag can deliver a maximum of eight IP addresses, with the IP addresses separated by spaces. The multiple IP addresses work in primary/secondary mode.

When the device functions as the LNS in L2TP user authentication, the RADIUS server applies different policies to the Access-Request packets sent from different LACs. Therefore, this attribute must be carried in the user authentication requests sent over the tunnel from the LNS.

Tags are supported.

Remark

-

Acct-Tunnel-Connection (68)

Attribute Number

68

Attribute Name

Acct-Tunnel-Connection

Attribute Value Type

String

Standard Defined

RFC 2867

Server Type

All

Value of Length field (in Bytes)

1~19

Description

Accounting ID of the tunnel server. The format is <TunnelID>-<SessionID>, for example, 12-1245.

The attribute takes effect only after the "tunnel-acct-2867" command is configured in the domain view.

Remark

-

Tunnel-Password (69)

Attribute Number

69

Attribute Name

Tunnel-Password

Attribute Value Type

string

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Authentication password of the tunnel.

In the RADIUS server group view, you can set the password to plaintext or ciphertext mode using the "radius-attribute tunnel-password { cipher | simple }" command. By default, ciphertext mode is used.

Tags are supported.

Remark

If the RADIUS server delivers the attribute in ciphertext, the first two bits are SALT, and the remaining bits construct the encrypted password. The password contains a maximum of 250 characters if a tag is carried or 251 characters if no tag is carried. If the RADIUS server delivers the attribute in plaintext, all characters excluding the tags construct the password. The password contains a maximum of 252 characters if a tag is carried or 253 characters if no tag is carried. The simple text configured in the L2TP group view can contain 255 bytes and the ciphertext password configured can contain 392 characters.
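
The ciphertext layout in the Remark above (a salt followed by the encrypted password) is the Tunnel-Password encoding of RFC 2868, the standard this entry cites. The following Python sketch is an added example, not Huawei code: it assumes the RFC 2868 layout of a one-octet tag and a two-octet salt, the function names are hypothetical, and the secret, Request Authenticator and password are constructed sample values.

```python
import hashlib
import os
from typing import Optional, Tuple

BLOCK = 16            # MD5 digest size; the password is processed in 16-octet blocks
MAX_VALUE_LEN = 253   # upper bound of the attribute value length listed for this attribute


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_tunnel_password(password: bytes, secret: bytes, request_auth: bytes,
                           tag: int = 0, salt: Optional[bytes] = None) -> bytes:
    """Return Tag | Salt | encrypted(Data-Length, Password, Padding)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")
    # 1 tag + 2 salt + ciphertext (a multiple of 16) must fit in 253 octets,
    # so Data-Length + Password may occupy at most 240 octets.
    if len(password) > 239:
        raise ValueError("password does not fit in a 253-octet value")
    if salt is None:
        # RFC 2868: the most significant bit of the salt must be set.
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the top bit set")

    plain = bytes([len(password)]) + password
    plain += bytes(-len(plain) % BLOCK)          # zero padding to a block boundary

    cipher = b""
    prev = request_auth + salt                   # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        block = _xor(plain[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        cipher += block
        prev = block                             # b(i) = MD5(S + c(i-1))
    return bytes([tag]) + salt + cipher


def decode_tunnel_password(value: bytes, secret: bytes,
                           request_auth: bytes) -> Tuple[int, bytes]:
    """Return (tag, password); raise ValueError on a malformed value."""
    if not 3 + BLOCK <= len(value) <= MAX_VALUE_LEN:
        raise ValueError("value length out of range")
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if not salt[0] & 0x80:
        raise ValueError("salt top bit not set")
    if len(cipher) % BLOCK:
        raise ValueError("ciphertext is not a multiple of 16 octets")

    plain = b""
    prev = request_auth + salt
    for i in range(0, len(cipher), BLOCK):
        block = cipher[i:i + BLOCK]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    data_len = plain[0]
    if data_len > len(plain) - 1:
        # Typical result of a wrong shared secret or Request Authenticator.
        raise ValueError("Data-Length exceeds decrypted data")
    return tag, plain[1:1 + data_len]
```

The protection rests entirely on the RADIUS shared secret and MD5; in simple (plaintext) mode the password is carried in the packet as is.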

Connect-Info (77)

Attribute Number

77

Attribute Name

Connect-Info

Attribute Value Type

String

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

1~253

Description

When the device functions as the LNS, the RADIUS Connect-Info attribute is used to report the L2TP Tx Connect Speed (avp24) and Rx Connect Speed (avp38). The attribute is in the format of Tx/Rx. If Rx=Tx, the attribute carries only one value. For example, if tx=3000 and rx=5000, the attribute carries 3000/5000; if tx=3000 and rx=3000, the attribute carries 3000. The rate is expressed in bps.

Remark

-

Message-Authenticator (80)

Attribute Number

80

Attribute Name

Message-Authenticator

Attribute Value Type

String

Standard Defined

RFC 3579

Server Type

Standard, Plus11

Value of Length field (in Bytes)

16

Description

Encryption information about EAP packets in EAPoR authentication.

Huawei RADIUS+10 protocol conflicts with this attribute. When the server type is RADIUS+10, the Huawei-specific attribute is used.

Remark

-

Tunnel-Private-Group-ID (81)

Attribute Number

81

Attribute Name

Tunnel-Private-Group-ID

Attribute Value Type

String

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~32

Description

Upon receipt of RADIUS authentication response packets, MAC address bypass authentication users transparently transmit the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes to the EAP module.

Upon receipt of the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes transparently transmitted by the RADIUS server, the EAP module parses the Tunnel-Private-Group-ID attribute if Tunnel-Type is 13 and Tunnel-Medium-Type is 6. If the VLAN ID is valid and within the VLAN scope configured using the "port default vlan" or "port trunk allow" command on the interface, the user VLAN ID is replaced with this VLAN ID.

Remark

-

Tunnel-Assignment-ID (82)

Attribute Number

82

Attribute Name

Tunnel-Assignment-ID

Attribute Value Type

String

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Tunnel ID.

If a tunnel with this ID already exists, this tunnel is used.

If no tunnel has this ID, a new tunnel is created using this ID.

For the tunnel selection algorithm, refer to RFC 2868.

Remark

The password contains a maximum of 252 characters if a tag is carried or 253 characters if no tag is carried.

Tunnel-Preference (83)

Attribute Number

83

Attribute Name

Tunnel-Preference

Attribute Value Type

Integer

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

4

Description

Tunnel preference. The smaller the value, the higher the priority. The tunnel with the preference of 0 has the highest priority. If no Tunnel-Preference is delivered, the tunnel has the lowest priority. Load balancing is performed between tunnels with the same preference. If the preferences of all the tunnels are different, the tunnels work in master/backup mode. If the preferences of some tunnels are the same while the preferences of others are different, the tunnels with the same preference work in load balancing mode while the tunnels with different preferences work in master/backup mode.

Note:

If the RADIUS server delivers multiple tag groups, each group must contain the Tunnel-Preference attribute.

Remark

-

Acct-Interim-Interval (85)

Attribute Number

85

Attribute Name

Acct-Interim-Interval

Attribute Value Type

Integer

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

4

Description

Real-time accounting interval, in seconds. Setting the Acct-Interim-Interval attribute to a value greater than or equal to 60s is recommended. The value ranges from 0 to 3932100. The value 0 indicates that real-time accounting is not required. When the value is greater than 3932100, user login fails.

Remark

-

Acct-Tunnel-Packets-Lost (86)

Attribute Number

86

Attribute Name

Acct-Tunnel-Packets-Lost

Attribute Value Type

Integer

Standard Defined

RFC 2867

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of packets lost on a given link. This attribute must be contained in an accounting packet that carries the Acct-Status-Type attribute whose value is set to Tunnel-Link-Stop.

Remark

Set to 0 in the current version.

NAS-Port-Id (87)

Attribute Number

87

Attribute Name

NAS-Port-Id

Attribute Value Type

String

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Slot ID, subslot ID, port number, and VLAN ID of the user access interface. For trunk interfaces, the subslot ID is 2, and the port number is the trunk ID.

The NAS-Port-Id attribute can also carry the DHCPv6 Option 18 field, in the same format as DHCPv4 Option 82.

Remark

For detailed formats, see the chapter "NAS-Port-Id (87)".

Framed-Pool (88)

Attribute Number

88

Attribute Name

Framed-Pool

Attribute Value Type

String

Standard Defined

RFC 2869

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Address pool delivered to PPP and DHCP users. The attribute is valid only when the server allocates IP addresses to PPP or DHCP users from the local address pool. Therefore, the designated address pool must be contained in the local address pools configured. The address pool name can contain a maximum of 32 characters.

If the delivered attribute contains @ or #, the characters before @ or # are used as the name of the address pool.

This attribute can also be used to specify an address pool group for PPP and DHCP users. If an address pool whose name is the same as that of the address pool group is configured on the device, the address pool is preferentially selected.

Remark

-

Chargeable-User-Identity (89)

Attribute Number

89

Attribute Name

Chargeable-User-Identity

Attribute Value Type

String

Standard Defined

RFC 4372

Server Type

All

Value of Length field (in Bytes)

1~127

Description

The attribute is used to identify a user.

Remark

-

Tunnel-Client-Auth-ID (90)

Attribute Number

90

Attribute Name

Tunnel-Client-Auth-ID

Attribute Value Type

String

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Name of the local end of a tunnel delivered in tunnel authentication.

For L2TP users, the Tunnel-Client-Auth-ID(90) and Tunnel-Server-Auth-ID(91) attributes are carried in RADIUS accounting packets.

Remark

The value contains a maximum of 252 characters if a tag is carried or 253 characters if no tag is carried.

Tunnel-Server-Auth-ID (91)

Attribute Number

91

Attribute Name

Tunnel-Server-Auth-ID

Attribute Value Type

String

Standard Defined

RFC 2868

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Name of the remote end of a tunnel delivered in tunnel authentication.

Remark

The value contains a maximum of 252 characters if a tag is carried or 253 characters if no tag is carried.

NAS-IPv6-Address (95)

Attribute Number

95

Attribute Name

NAS-IPv6-Address

Attribute Value Type

String

Standard Defined

RFC 3162

Server Type

All

Value of Length field (in Bytes)

16

Description

IPv6 address of the NAS.

If the RADIUS server group is bound to an interface, the IPv6 address of the interface is used. If the RADIUS server group is not bound to any interface, the IPv6 address of the interface that sends packets is used.

Note:

If the address of the RADIUS server is an IPv6 address, NAS-IPv6-Address is encapsulated. If the address of the RADIUS server is an IPv4 address, NAS-IP-Address is encapsulated.

Remark

-

Framed-Interface-Id (96)

Attribute Number

96

Attribute Name

Framed-Interface-Id

Attribute Value Type

String

Standard Defined

RFC 3162

Server Type

All

Value of Length field (in Bytes)

8

Description

Interface ID assigned to a user. Currently, this attribute is valid only for PPPv6 users.

Remark

-

Framed-Ipv6-Prefix (97)

Attribute Number

97

Attribute Name

Framed-Ipv6-Prefix

Attribute Value Type

String

Standard Defined

RFC 3162

Server Type

All

Value of Length field (in Bytes)

2~18

Description

IPv6 prefix assigned to a user in NDRA mode. Currently, the attribute is valid only for ND users, and PPPv6 users whose addresses are allocated in stateless mode.

Remark

-

Framed-Ipv6-Route (99)

Attribute Number

99

Attribute Name

Framed-Ipv6-Route

Attribute Value Type

String

Standard Defined

RFC 3162

Server Type

All

Value of Length field (in Bytes)

1~200

Description

IPv6 routing information provided by the RADIUS server to users through the NAS. This attribute is in the format <IP address>[/<mask length>] [<next hop address>] [<metric>], for example, 2001:db8:1::1/64 2001:db8:2::1 1.

In authorization scenarios, if the next hop address is not configured or not delivered, the user's IP address is used as the next hop address. If the next hop address is delivered, only the delivered value equal to the user's address is valid (AAA onload routes function). In AAA onload routes scenarios, the next hop address should be delivered and only "null0" is supported.

Only one metric is supported. If multiple metrics are delivered, the value of the first metric is used. The metric ranges from 0 to 255. If the value exceeds 255, users fail to go online. A maximum of 128 Framed-Route attributes can be delivered to each user. If more than 128 Framed-Route attributes are delivered, the device parses only the first 128 Framed-Route attributes delivered and user access is not affected.

The attribute can be carried only in accounting request packets for common users, and is not carried in service accounting packets.

Accounting request packets can carry multiple framed routes. Considering RADIUS packet limit, a maximum of 128 framed routes can be carried. The attribute is encapsulated at the end of a packet to prevent impact on other attributes. If the maximum length is reached, excess characters are discarded.

Note: The attribute is delivered only to PPPoE and IPoE. It is discarded if received by any other access type.

Remark

-
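
The format and limits described for Framed-Ipv6-Route (99) can be checked on the RADIUS server side before a profile is delivered. The following Python validator is an added example, not part of the configuration guide: the function and type names are hypothetical, and the sample routes are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Sequence, Tuple

MAX_VALUE_LEN = 200        # value length listed for this attribute: 1~200
MAX_ROUTES_PER_USER = 128  # only the first 128 delivered routes are parsed
MAX_METRIC = 255           # a larger metric makes the user fail to go online


class Ipv6Route(NamedTuple):
    prefix: ipaddress.IPv6Network
    next_hop: Optional[str]   # IPv6 address text, "null0", or None if not delivered
    metric: Optional[int]     # None if no metric was delivered


def parse_framed_ipv6_route(value: str) -> Ipv6Route:
    """Parse '<IP address>[/<mask length>] [<next hop address>] [<metric>]'."""
    if not 1 <= len(value.encode()) <= MAX_VALUE_LEN:
        raise ValueError("value length must be 1..200 octets")
    tokens = value.split()
    if not tokens:
        raise ValueError("empty route")

    # The page's own example carries host bits (2001:db8:1::1/64), so the
    # destination is read as an interface and reduced to its network.
    prefix = ipaddress.IPv6Interface(tokens[0]).network

    rest = tokens[1:]
    next_hop = None
    if rest and not rest[0].isdigit():
        hop = rest.pop(0)
        if hop.lower() == "null0":
            next_hop = "null0"
        else:
            next_hop = str(ipaddress.IPv6Address(hop))  # ValueError on garbage

    metric = None
    if rest:
        if not all(tok.isdigit() for tok in rest):
            raise ValueError("unexpected token after next hop")
        metric = int(rest[0])          # with several metrics, the first one is used
        if metric > MAX_METRIC:
            raise ValueError("metric above 255")
    return Ipv6Route(prefix, next_hop, metric)


def accept_routes(values: Sequence[str]) -> Tuple[List[Ipv6Route], int]:
    """Parse at most the first 128 routes; return them and the number ignored."""
    kept = [parse_framed_ipv6_route(v) for v in values[:MAX_ROUTES_PER_USER]]
    return kept, max(0, len(values) - MAX_ROUTES_PER_USER)
```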

Framed-Ipv6-Pool (100)

Attribute Number

100

Attribute Name

Framed-Ipv6-Pool

Attribute Value Type

String

Standard Defined

RFC 3162

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Pool name of an IPv6 user. RFC3162 supports the delivery of one pool. The router supports the delivery of 16 pools, including different types of IPv6 pools.

After the "radius-attribute apply framed-ipv6-pool match pool-type" command is run in the RADIUS server group view, the IPv6 address pool delivered by the Framed-Ipv6-Pool attribute matches address pool types and replaces only the IPv6 address pools of the same type configured in the AAA domain.

Remark

-

Error-Cause (101)

Attribute Number

101

Attribute Name

Error-Cause

Attribute Value Type

Integer

Standard Defined

RFC 3576

Server Type

All

Value of Length field (in Bytes)

4

Description

Logout cause as defined in RFC3576.

201 Residual Session Context Removed

In the Disconnect-Request packet, this error code is returned if obtaining basic user information based on the user CID fails.

202 Invalid EAP Packet (Ignored)

Not supported.

401 Unsupported Attribute

This error code is returned if the attribute parsed by the RADIUS server is not supported.

402 Missing Attribute

This error code is returned if the accounting ID does not exist.

403 NAS Identification Mismatch

This error code is returned if the host name in a DM or COA request message does not exist or does not match.

404 Invalid Request

This error code is returned if the RADIUS module fails to decapsulate or match user attributes when parsing a DM and COA message.

405 Unsupported Service

This error code is returned if COA responding fails.

406 Unsupported Extension

Not supported.

501 Administratively Prohibited

Not supported.

502 Request not Routable (Proxy)

Not supported.

503 Session Context not Found

This error code is returned if the user that is searched for according to a session ID does not exist.

504 Session Context not Removable

This error code is returned if DM responding fails.

505 Other Proxy Processing Error

Not supported.

506 Resources Unavailable

Not supported.

507 Request Initiated

Not supported.

Remark

-

Delegated-Ipv6-Prefix (123)

Attribute Number

123

Attribute Name

Delegated-Ipv6-Prefix

Attribute Value Type

String

Standard Defined

RFC 4818

Server Type

All

Value of Length field (in Bytes)

2~18

Description

IPv6 PD prefixes assigned to routed CPEs.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |   Reserved    | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Remark

-
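
The layout shown for Delegated-Ipv6-Prefix (123) can be parsed and validated as follows. This Python code is an added example, not taken from the configuration guide: the function names are hypothetical, the requirement that bits beyond Prefix-Length be zero comes from RFC 4818, the check that the Prefix field is long enough to hold Prefix-Length bits is this example's own, and the sample prefixes are constructed.

```python
import ipaddress

DELEGATED_IPV6_PREFIX = 123
HEADER_LEN = 4   # Type, Length, Reserved, Prefix-Length
MAX_ATTR_LEN = 20  # 4 header octets plus up to 16 prefix octets


def parse_delegated_ipv6_prefix(attr: bytes) -> ipaddress.IPv6Network:
    """Parse one complete attribute (Type through Prefix) into an IPv6 network."""
    if len(attr) < HEADER_LEN:
        raise ValueError("truncated attribute")
    atype, length, _reserved, plen = attr[0], attr[1], attr[2], attr[3]
    if atype != DELEGATED_IPV6_PREFIX:
        raise ValueError("not a Delegated-Ipv6-Prefix attribute")
    if length != len(attr) or not HEADER_LEN <= length <= MAX_ATTR_LEN:
        raise ValueError("Length field inconsistent with attribute size")
    if plen > 128:
        raise ValueError("Prefix-Length above 128")

    prefix = attr[HEADER_LEN:]
    if len(prefix) * 8 < plen:
        raise ValueError("Prefix field shorter than Prefix-Length")

    # The Prefix field may be shorter than 16 octets; missing octets are zero.
    padded = prefix + bytes(16 - len(prefix))
    host_mask = (1 << (128 - plen)) - 1
    if int.from_bytes(padded, "big") & host_mask:
        raise ValueError("non-zero bits outside Prefix-Length")
    return ipaddress.IPv6Network((ipaddress.IPv6Address(padded), plen))


def build_delegated_ipv6_prefix(network: ipaddress.IPv6Network) -> bytes:
    """Encode a network using the shortest Prefix field that holds its bits."""
    nbytes = (network.prefixlen + 7) // 8
    prefix = network.network_address.packed[:nbytes]
    return bytes([DELEGATED_IPV6_PREFIX, HEADER_LEN + nbytes, 0,
                  network.prefixlen]) + prefix
```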

DS-Lite-Tunnel-Name (144)

Attribute Number

144

Attribute Name

DS-Lite-Tunnel-Name

Attribute Value Type

String

Standard Defined

RFC 6519

Server Type

Standard

Value of Length field (in Bytes)

1~63

Description

IPv6 tunnel name in a CGN scenario.

Remark

The length must be shorter than or equal to 63 bytes.

RADIUS Attributes Defined by Huawei+1.1 Protocol (Vendor = 2011, Attribute Number=26)

HW-Input-Committed-Burst-Size (1)

Attribute Number

1

Attribute Name

HW-Input-Committed-Burst-Size

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Upstream CBS, in bits.

Remark

-

HW-Input-Committed-Information-Rate (2)

Attribute Number

2

Attribute Name

HW-Input-Committed-Information-Rate

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Upstream CIR, in bit/s.

If the "user-qos cir-zero { unlimited | <cir-value> }" command is run and the CIR and PIR delivered by a RADIUS server are both 0s, user traffic is processed based on the QoS parameter configured in this command. By default, unlimited is used.

Remark

-

HW-Input-Peak-Information-Rate (3)

Attribute Number

3

Attribute Name

HW-Input-Peak-Information-Rate

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Upstream PIR, in bit/s.

When a dual-rate token bucket is used, delivery of this attribute requires the delivery of the HW-Input-Committed-Information-Rate(2) attribute.

If the "user-qos cir-zero { unlimited | <cir-value> }" command is run and the CIR and PIR delivered by a RADIUS server are both 0s, user traffic is processed based on the QoS parameter configured in this command. By default, unlimited is used.

Remark

-

HW-Output-Committed-Burst-Size (4)

Attribute Number

4

Attribute Name

HW-Output-Committed-Burst-Size

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Downstream CBS, in bits.

Delivery of this attribute requires the delivery of the HW-Output-Committed-Information-Rate (5) attribute.

Remark

-

HW-Output-Committed-Information-Rate (5)

Attribute Number

5

Attribute Name

HW-Output-Committed-Information-Rate

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Downstream CIR, in bit/s.

If the "user-qos cir-zero { unlimited | <cir-value> }" command is run and the CIR and PIR delivered by a RADIUS server are both 0s, user traffic is processed based on the QoS parameter configured in this command. By default, unlimited is used.

Remark

-

HW-Output-Peak-Information-Rate (6)

Attribute Number

6

Attribute Name

HW-Output-Peak-Information-Rate

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Downstream PIR, in bit/s.

When a dual-rate token bucket is used, delivery of this attribute requires the delivery of the HW-Output-Committed-Information-Rate (5) attribute.

If the "user-qos cir-zero { unlimited | <cir-value> }" command is run and the CIR and PIR delivered by a RADIUS server are both 0s, user traffic is processed based on the QoS parameter configured in this command. By default, unlimited is used.

Remark

-

HW-Input-Kilobytes-Before-Tariff-Switch (7)

Attribute Number

7

Attribute Name

HW-Input-Kilobytes-Before-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of bytes sent by a user before tariff switching, in KB.

If no tariff switching occurs during a real-time accounting period, the value of the attribute refers to the total number of bytes received by the NAS from the user port during a real-time accounting period.

If tariff switching occurs once during a real-time accounting period, the value of the attribute refers to the total number of bytes received by the NAS from the user port before the tariff switching time.

Tariff switching can only be performed once during a real-time accounting period.

Remark

-

HW-Output-Kilobytes-Before-Tariff-Switch (8)

Attribute Number

8

Attribute Name

HW-Output-Kilobytes-Before-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of bytes received by a user before tariff switching, in KB.

If no tariff switching occurs during a real-time accounting period, the value of the attribute refers to the total number of bytes sent by the NAS to the user port during a real-time accounting period.

If tariff switching occurs once during a real-time accounting period, the value of the attribute refers to the total number of bytes sent by the NAS to the user port before the tariff switching time.

Tariff switching can only be performed once during a real-time accounting period.

Remark

-

HW-Input-Packets-Before-Tariff-Switch (9)

Attribute Number

9

Attribute Name

HW-Input-Packets-Before-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of packets sent by a user before tariff switching.

If no tariff switching occurs during a real-time accounting period, the value of the attribute refers to the total number of packets received by the NAS from the user port during a real-time accounting period. If tariff switching occurs once during a real-time accounting period, the value of the attribute refers to the total number of packets received by the NAS from the user port before the tariff switching time.

Tariff switching can only be performed once during a real-time accounting period.

Remark

-

HW-Output-Packets-Before-Tariff-Switch (10)

Attribute Number

10

Attribute Name

HW-Output-Packets-Before-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of packets received by a user before tariff switching.

If no tariff switching occurs during a real-time accounting period, the value of the attribute refers to the total number of packets sent by the NAS to the user port during a real-time accounting period.

If tariff switching occurs once during a real-time accounting period, the value of the attribute refers to the total number of packets sent by the NAS to the user port before the tariff switching time.

Tariff switching can only be performed once during a real-time accounting period.

Remark

-

HW-Input-Kilobytes-After-Tariff-Switch (11)

Attribute Number

11

Attribute Name

HW-Input-Kilobytes-After-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of bytes sent by a user after tariff switching, in KB. The value of this attribute refers to the total number of bytes received by the NAS from the user port during a real-time accounting period.

Remark

-

HW-Output-Kilobytes-After-Tariff-Switch (12)

Attribute Number

12

Attribute Name

HW-Output-Kilobytes-After-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of bytes received by a user after tariff switching, in KB. The value of this attribute refers to the total number of bytes sent by the NAS to the user port during a real-time accounting period.

Remark

-

HW-Input-Packets-After-Tariff-Switch (13)

Attribute Number

13

Attribute Name

HW-Input-Packets-After-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of packets sent by a user after tariff switching. The value of this attribute refers to the total number of packets received by the NAS from the user port during a real-time accounting period.

Remark

-

HW-Output-Packets-After-Tariff-Switch (14)

Attribute Number

14

Attribute Name

HW-Output-Packets-After-Tariff-Switch

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Number of packets received by a user after tariff switching. The value of this attribute refers to the total number of packets sent by the NAS to the user port during a real-time accounting period.

Remark

-

HW-Remanent-Volume (15)

Attribute Number

15

Attribute Name

HW-Remanent-Volume

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

In an Access-Accept packet, the attribute indicates the remaining traffic volume available to a user, in KB. The value 0 indicates that the user is logged out immediately. The value 0xFFFFFFFF indicates that there is no traffic limit.

When carried in Access-Request packets used to apply for the EDSG service quota, this attribute indicates the traffic quota that has been used.

Note:

If the initialized value of HW-Remanent-Volume is not 0 and the "quota-out { offline | online | redirect }" command is configured in the domain view, the device takes the user offline, keeps the user online, or redirects the user to the Portal server.

If this attribute in an Access-Accept packet is set to 0, you can configure the "authening quota-out-redirect-enable" command in the authentication scheme view to make the device redirect the user.

If this attribute in an Accounting-Response packet is set to 0, you can configure the "quota-out redirect" command in the domain view to make the device redirect the user.

Remark

-

HW-Tariff-Switch-Interval (16)

Attribute Number

16

Attribute Name

HW-Tariff-Switch-Interval

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Interval between the latest tariff switching time and the current time, in seconds. The next tariff switching time may be within or beyond the next real-time accounting period. The NAS sends an accounting update packet to the RADIUS server upon tariff switching.

Remark

-

HW-Subscriber-QoS-Profile (17)

Attribute Number

17

Attribute Name

HW-Subscriber-QoS-Profile

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~63

Description

Home QoS profile. The bandwidth limit for a home and scheduling preference of home services are specified in the profile.

If the name of the QoS profile delivered by the RADIUS server is case-sensitive, the "radius-attribute case-sensitive qos-profile-name" command can be run to allow the device to identify the case-sensitive QoS profile name.

The "radius-attribute qos-profile no-exist-policy { offline | online }" command can be run to configure a policy used when the QoS profile delivered by the RADIUS server does not exist. By default, if the QoS profile delivered by the RADIUS server does not exist, the user goes offline. If online is configured, user bandwidth is not limited. If a QoS profile has been configured in the domain or interface view, bandwidth will be limited based on the QoS profile configured.

Currently, the attribute value can only be Terminate-Request (value=2), indicating user logoff.

Remark

-

HW-Command (20)

Attribute Number

20

Attribute Name

HW-Command

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Plus11

Value of Length field (in Bytes)

4

Description

Currently, the attribute value can only be Terminate-Request (value=2), indicating user logoff.

Remark

-

HW-Priority (22)

Attribute Number

22

Attribute Name

HW-Priority

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Service priority of a user. The value can be 15 or any value ranging from 0 to 13.

Remark

The valid value range is 0~13 and 15.

HW-Connect-ID (26)

Attribute Number

26

Attribute Name

HW-Connect-ID

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Connection index of a user.

Remark

-

HW-Portal-URL (27)

Attribute Number

27

Attribute Name

HW-Portal-URL

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

1~200

Description

URL to which a user is redirected after being authenticated. This function is supported by IPoE, PPP, and LNS users.

Remark

-

HW-FTP-Directory (28)

Attribute Number

28

Attribute Name

HW-FTP-Directory

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~64

Description

Initial directory of an FTP user.

Remark

-

HW-Exec-Privilege (29)

Attribute Number

29

Attribute Name

HW-Exec-Privilege

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Authorized level of administrative users, such as Telnet users. The value ranges from 0 to 15. A value greater than 15 indicates that the user does not have the right to log in.

Remark

-

HW-QOS-Profile-Name (31)

Attribute Number

31

Attribute Name

HW-QOS-Profile-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~63

Description

QoS profile delivered by the RADIUS server.

In home user access, HW-QOS-Profile-Name is used to configure the bandwidth for each service in the home. In common user access, HW-QOS-Profile-Name is used to configure the total bandwidth and scheduling preference of service traffic.

If the name of the QoS profile delivered by the RADIUS server is case-sensitive, the "radius-attribute case-sensitive qos-profile-name" command can be run to allow the device to identify the case-sensitive QoS profile name.

The "radius-attribute qos-profile no-exist-policy { offline | online }" command can be run to configure a policy used when the QoS profile delivered by the RADIUS server does not exist. By default, if the QoS profile delivered by the RADIUS server does not exist, the no-exist-policy is 'offline'. If 'online' is specified in the command, user bandwidth is not limited. If the "qos-profile" command has been configured in the domain or interface view, bandwidth will be limited based on the QoS profile configured.

Remark

-

HW-SIP-Server (32)

Attribute Number

32

Attribute Name

HW-SIP-Server

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

SIP server address or name delivered to DHCP users. The address is in dotted decimal notation, and the name is in the format of a URL, such as 'abc.com'.

Remark

-

HW-User-Password (33)

Attribute Number

33

Attribute Name

HW-User-Password

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~128

Description

Re-authentication password contained in HW-Command-Mode delivered through CoA packets. PAP and CHAP modes are supported.

Remark

-

HW-Command-Mode (34)

Attribute Number

34

Attribute Name

HW-Command-Mode

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

Command mode, which is differentiated by the first character.

Subtype 1: uses A as the first character, followed by a user name. (Alternatively, no user name is attached, and the user name is delivered by the User-Name attribute.) This subtype is used for triggering CoA re-authentication. The HW-User-Password attribute can be used together to deliver the re-authentication password.

Subtype 2: uses Q as the first character, followed by a type parameter, indicating user information query. If the type parameter is S, the user information (IP address and accounting ID) is queried; if the type parameter is UC, the upstream bandwidth of the user is queried; if the type parameter is DC, the downstream bandwidth of the user is queried; if the type parameter is UF, the upstream traffic of the user is queried; if the type parameter is DF, the downstream traffic of the user is queried.

Subtype 3: uses 0x01 as the first character, followed by a user name. (Alternatively, no user name is attached, and the user name is delivered by the User-Name attribute.) This subtype is used by the Account Login request to trigger web re-authentication. The HW-User-Password attribute can be used together to deliver the re-authentication password.

Subtype 4: uses 0x02 as the first byte, followed by a user name. This subtype indicates a user Account Logoff request, which triggers web users to return to the pre-authentication domain.

Subtype 5: uses 0x04 as the first byte, followed by a type parameter, indicating user session query. If the type parameter is a space, the service information of a session is queried; if the type parameter is an ampersand (&), information about a session is queried; if the type parameter is a service name, information about the specified service is queried.

Subtype 6: uses 0x0B as the first byte, followed by a service name. This subtype indicates a service active request.

Subtype 7: uses 0x0C as the first byte, followed by a service name. This subtype indicates a service deactive request.

Combinations of UC, DC, UF, and DF can be delivered. For example, if QUCDC is delivered, upstream and downstream bandwidths can be queried. If subtype 5 is used, spaces and ampersands (&) can be delivered in combination.

Remark

-
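The first-byte dispatch described for HW-Command-Mode, written out as a decoder that a RADIUS server or CoA audit log could use to label requests. This is an added example, not Huawei code; the function names and dictionary keys are this example's own, and requiring a user name for subtype 4 is an assumption drawn from the description giving no User-Name fallback there.

```python
# First byte -> (subtype, meaning, kind of argument that follows), per the description.
SUBTYPES = {
    ord("A"): (1, "CoA re-authentication", "user"),
    ord("Q"): (2, "user information query", "query"),
    0x01: (3, "Account Login, web re-authentication", "user"),
    0x02: (4, "Account Logoff", "user"),
    0x04: (5, "user session query", "session"),
    0x0B: (6, "service active request", "service"),
    0x0C: (7, "service deactive request", "service"),
}
QUERY_TYPES = {
    "S": "user information (IP address and accounting ID)",
    "UC": "upstream bandwidth",
    "DC": "downstream bandwidth",
    "UF": "upstream traffic",
    "DF": "downstream traffic",
}
SESSION_FLAGS = {
    " ": "service information of a session",
    "&": "information about a session",
}


def split_query(arg):
    """Split a subtype-2 type parameter: 'S' alone, or a run of UC/DC/UF/DF."""
    if arg == "S":
        return ["S"]
    if not arg or len(arg) % 2:
        raise ValueError(f"bad query type parameter {arg!r}")
    tokens = [arg[i:i + 2] for i in range(0, len(arg), 2)]
    for tok in tokens:
        if tok not in QUERY_TYPES:
            raise ValueError(f"unknown query type {tok!r}")
    return tokens


def decode_command_mode(value: bytes) -> dict:
    """Return the subtype and decoded argument of one HW-Command-Mode value."""
    if not 1 <= len(value) <= 247:
        raise ValueError("HW-Command-Mode value must be 1 to 247 bytes")
    if value[0] not in SUBTYPES:
        raise ValueError(f"unknown first byte 0x{value[0]:02x}")
    subtype, meaning, kind = SUBTYPES[value[0]]
    arg = value[1:].decode("utf-8")  # UnicodeDecodeError is a ValueError
    result = {"subtype": subtype, "meaning": meaning}
    if kind == "user":
        # Subtypes 1 and 3 may omit the name; it then comes from User-Name.
        # Assumption: subtype 4 always carries the name in this attribute.
        if subtype == 4 and not arg:
            raise ValueError("Account Logoff needs a user name")
        result["user_name"] = arg or None
    elif kind == "query":
        result["queries"] = [QUERY_TYPES[t] for t in split_query(arg)]
    elif kind == "session":
        if not arg:
            raise ValueError("session query needs a type parameter")
        if all(c in SESSION_FLAGS for c in arg):
            # Spaces and ampersands may be combined.
            result["session_queries"] = [SESSION_FLAGS[c] for c in arg]
        else:
            result["service_name"] = arg
    else:  # subtypes 6 and 7
        if not arg:
            raise ValueError("service request needs a service name")
        result["service_name"] = arg
    return result


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in (b"QUCDC", b"A", b"\x01alice", b"\x04 &", b"\x0bvod"):
        print(sample, decode_command_mode(sample))
```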

HW-Renewal-Time (35)

Attribute Number

35

Attribute Name

HW-Renewal-Time

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Interval at which addresses of DHCP users are renewed.

Remark

The value ranges from 30 to 259200, in seconds.

HW-Rebinding-Time (36)

Attribute Number

36

Attribute Name

HW-Rebinding-Time

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Rebinding time of addresses of DHCP users.

Remark

The value ranges from 30 to 259200, in seconds.

HW-Igmp-Enable (37)

Attribute Number

37

Attribute Name

HW-Igmp-Enable

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Whether IGMP is enabled for users.

Remark

0: disabled; 1: enabled

HW-NAS-Startup-Time-Stamp (59)

Attribute Number

59

Attribute Name

HW-NAS-Startup-Time-Stamp

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Time when the device was started.

Remark

The value is in seconds since January 1, 1970 00:00:00.

HW-IP-Host-Address (60)

Attribute Number

60

Attribute Name

HW-IP-Host-Address

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

1~33

Description

User IP address and MAC address carried in the authentication request packet and accounting request packet, in the format of "A.B.C.D hh:hh:hh:hh:hh:hh". The IP and MAC addresses must be separated by a space. During user authentication, if the user IP address is invalid, A.B.C.D is set to 255.255.255.255.

Remark

It is a string in the format of user IP address+space+MAC address.

HW-Up-Priority (61)

Attribute Number

61

Attribute Name

HW-Up-Priority

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Priority of upstream services.

If the HW-Priority (26-22) attribute has been delivered, HW-Priority takes effect.

Remark

-

HW-Down-Priority (62)

Attribute Number

62

Attribute Name

HW-Down-Priority

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Priority of downstream services.

If the HW-Priority (26-22) attribute has been delivered, HW-Priority takes effect.

Remark

-

HW-Tunnel-VPN-Instance (63)

Attribute Number

63

Attribute Name

HW-Tunnel-VPN-Instance

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Name of the VPN instance on the local end of a tunnel.

HW-Tunnel-VPN-Instance must be delivered together with the standard Tunnel-Client-Endpoint (66) attribute.

Remark

-

HW-User-Date (65)

Attribute Number

65

Attribute Name

HW-User-Date

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

1~31

Description

Date when a user account was opened.

Remark

-

HW-User-Class (66)

Attribute Number

66

Attribute Name

HW-User-Class

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

1~31

Description

User level.

Remark

-

HW-Subnet-Mask (72)

Attribute Number

72

Attribute Name

HW-Subnet-Mask

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Subnet mask.

This attribute is applicable only to IPoE users. Only Layer 3 DHCP users support this attribute.

Remark

-

HW-Gateway-Address (73)

Attribute Number

73

Attribute Name

HW-Gateway-Address

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Gateway IP address.

This attribute is applicable only to IPoE users and PPPoE users.

Remark

-

HW-Lease-Time (74)

Attribute Number

74

Attribute Name

HW-Lease-Time

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Lease time.

The value ranges from 60 to 259200, in seconds. The value can only be 0 in CoA packets.

This attribute is ignored if zero lease is delivered in a CoA message for users (PPPoE users, static users, private line users, and users authorized with only ND) that do not support lease.

Remark

-

HW-Ascend-Client-Primary-WINS (75)

Attribute Number

75

Attribute Name

HW-Ascend-Client-Primary-WINS

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Primary WINS address.

Remark

-

HW-Ascend-Client-Second-WIN (76)

Attribute Number

76

Attribute Name

HW-Ascend-Client-Second-WIN

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Secondary WINS address.

Remark

-

HW-Input-Peak-Burst-Size (77)

Attribute Number

77

Attribute Name

HW-Input-Peak-Burst-Size

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Upstream PBS.

Remark

-

HW-Output-Peak-Burst-Size (78)

Attribute Number

78

Attribute Name

HW-Output-Peak-Burst-Size

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Downstream PBS.

Remark

-

HW-Tunnel-Session-Limit (80)

Attribute Number

80

Attribute Name

HW-Tunnel-Session-Limit

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

4

Description

Number of sessions over a tunnel.

Remark

-

HW-Data-Filter (82)

Attribute Number

82

Attribute Name

HW-Data-Filter

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

1~247

Description

Dynamically delivered ACL rule.

The HW-Data-Filter attribute delivers classifier-behavior pairs to achieve delivery of dynamic ACLs. These ACLs have a higher priority than those configured locally.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type(26)    |    Length     |        Vendor ID(0000)        |
|               | 6+VendorLength|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Vendor ID(2011)        |Vendor Type(82)| Vendor Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| String
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Vendor Length: 1–249 bytes, including the two bytes occupied by Vendor Type and Vendor Length. The String length is therefore two bytes subtracted from Vendor Length and is up to 247 bytes.

String: attribute content string. The HW-Data-Filter attribute supports delivery of classifier and behavior strings as well as CoA action strings, with each type of string being a combination of fields delimited by semicolons and containing only displayable characters entered using a keyboard.

The HW-Data-Filter attribute can be delivered repeatedly, and one attribute can contain multiple attribute strings that are separated using a number sign (#). For example, when one HW-Data-Filter attribute contains two classifier strings, the HW-Data-Filter attribute can be delivered with the classifier1 string#classifier2 string padded to the String field of this attribute. When one attribute string contains both classifier and behavior strings, the HW-Data-Filter attribute can be delivered with the classifier string#behavior string padded to the String field of this attribute.

In one RADIUS packet, the total number of sub-attributes of all HW-Data-Filter attributes cannot exceed 2047.

Both classifier and behavior strings are categorized as local or remote. These types can be flexibly combined, meaning that a local or remote classifier string can be combined with both local and remote behavior strings.

Remark

For more information, see the chapter "More Information About HW-Data-Filter (82)".
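The wire layout and limits described for HW-Data-Filter, as an encoder and a strict decoder that rejects inconsistent lengths and non-displayable bytes. This is an added example, not Huawei code; the function names are this example's own, the sample strings are constructed placeholders rather than real classifier syntax, and counting each "#"-separated string as one sub-attribute toward the 2047 limit is an assumption.

```python
import struct

VENDOR_SPECIFIC = 26      # standard Vendor-Specific attribute type
HUAWEI_VENDOR_ID = 2011
HW_DATA_FILTER = 82       # vendor type
MAX_STRING = 247          # Vendor Length (max 249) minus its 2 header bytes
MAX_SUBATTRS = 2047       # per RADIUS packet


def _check_displayable(body: bytes) -> None:
    """Only displayable keyboard characters are allowed in the String field."""
    if any(b < 0x20 or b > 0x7E for b in body):
        raise ValueError("String contains non-displayable bytes")


def encode_data_filter(strings) -> bytes:
    """Build one Vendor-Specific attribute carrying '#'-joined strings."""
    if not strings or any("#" in s or not s for s in strings):
        raise ValueError("strings must be non-empty and must not contain '#'")
    body = "#".join(strings).encode("ascii")
    if len(body) > MAX_STRING:
        raise ValueError(f"String is {len(body)} bytes, limit is {MAX_STRING}")
    _check_displayable(body)
    vendor_len = 2 + len(body)          # Vendor Type + Vendor Length + String
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, 6 + vendor_len,
                         HUAWEI_VENDOR_ID, HW_DATA_FILTER, vendor_len)
    return header + body


def decode_data_filters(attrs: bytes):
    """Walk a packet's attribute bytes and return the strings of each
    HW-Data-Filter attribute, validating every length on the way."""
    found, pos, total = [], 0, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, v_type, v_len = struct.unpack("!IBB", value[:6])
        if vendor_id != HUAWEI_VENDOR_ID or v_type != HW_DATA_FILTER:
            continue
        # The layout fixes Length = 6 + Vendor Length; reject anything else.
        if v_len < 3 or a_len != 6 + v_len:
            raise ValueError("Vendor Length disagrees with attribute Length")
        body = value[6:]
        _check_displayable(body)
        strings = body.decode("ascii").split("#")
        total += len(strings)
        if total > MAX_SUBATTRS:
            raise ValueError("more than 2047 sub-attributes in one packet")
        found.append(strings)
    return found


if __name__ == "__main__":
    # Constructed input: placeholder strings, followed by a User-Name attribute.
    vsa = encode_data_filter(["classifier1 string", "classifier2 string"])
    packet_attrs = vsa + bytes([1, 7]) + b"alice"
    print(vsa.hex())
    print(decode_data_filters(packet_attrs))
```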

HW-Access-Service (83)

Attribute Number

83

Attribute Name

HW-Access-Service

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~32

Description

Access service template. The template is locally configured on the device, and CAR parameters in different periods can be configured in the template.

Remark

-

HW-Accounting-Level (84)

Attribute Number

84

Attribute Name

HW-Accounting-Level

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Accounting level, ranging from 1 to 16, used to identify accounting services based on the destination address.

Remark

The value ranges from 0 to 9. The default value is 0, indicating common charging, 1 to 8 indicating DAA services, and 9 indicating BOD services.

HW-Portal-Mode (85)

Attribute Number

85

Attribute Name

HW-Portal-Mode

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

4

Description

Portal modes.

0: PADM;

1: redirection;

2: non-portal

Remark

-

HW-Policy-Route (87)

Attribute Number

87

Attribute Name

HW-Policy-Route

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

4

Description

Next hop address in the policy-based routing.

Remark

-

HW-Framed-Pool (88)

Attribute Number

88

Attribute Name

HW-Framed-Pool

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Same as the standard No. 88 attribute.

Remark

-

HW-L2TP-Terminate-Cause (89)

Attribute Number

89

Attribute Name

HW-L2TP-Terminate-Cause

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

6~70

Description

L2TP user logout cause.

The value is in the format of logout code (2 bytes)+control protocol number (2 bytes)+direction (1 byte)+whether it is valid (1 byte)+L2TP AVP46 information (0–64 bytes).

Remark

-

HW-Multicast-Profile-Name (93)

Attribute Number

93

Attribute Name

HW-Multicast-Profile-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~32

Description

Name of a multicast profile. The contents of the profile can be configured on the device.

Remark

-

HW-VPN-Instance (94)

Attribute Number

94

Attribute Name

HW-VPN-Instance

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~31

Description

Name of a VPN instance to which a user belongs.

Remark

-

HW-Policy-Name (95)

Attribute Number

95

Attribute Name

HW-Policy-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Name of a value-added service policy. Multiple HW-Policy-Name attributes can be encapsulated in a packet to deliver multiple value-added services. A packet can carry a maximum of twelve value-added service templates.

One HW-Policy-Name attribute can be used to deliver multiple value-added service policy names, which are separated using a vertical bar '|'.

Remark

-

HW-Tunnel-Group-Name (96)

Attribute Number

96

Attribute Name

HW-Tunnel-Group-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~32

Description

Name of an L2TP or GRE group.

Remark

-

HW-Multicast-Type (99)

Attribute Number

99

Attribute Name

HW-Multicast-Type

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Specifies whether the IPv4 or IPv6 PIM multicast function is enabled. Value 0 indicates that neither the IPv4 nor IPv6 PIM multicast function is enabled. Value 1 indicates that the IPv4 PIM multicast function is enabled. Value 2 indicates that the IPv6 PIM multicast function is enabled. Value 3 indicates that both the IPv4 and IPv6 PIM multicast functions are enabled. For PPP users, the IPv4 or IPv6 PIM multicast function is enabled after the corresponding configuration is either performed on an interface or delivered by the RADIUS server. For L2TP users, the IPv4 or IPv6 PIM multicast function is enabled only after the corresponding configuration is both performed on an interface and delivered by the RADIUS server.

Remark

-

HW-Client-Primary-DNS (135)

Attribute Number

135

Attribute Name

HW-Client-Primary-DNS

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Primary DNS server's IP address.

Remark

-

HW-Client-Secondary-DNS (136)

Attribute Number

136

Attribute Name

HW-Client-Secondary-DNS

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Secondary DNS server's IP address.

Remark

-

HW-Domain-Name (138)

Attribute Number

138

Attribute Name

HW-Domain-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard, Plus11

Value of Length field (in Bytes)

1~64

Description

Domain name used in user authentication. The domain name may be the name of a roaming or mandatory domain. The domain name may not be the domain name in the user name.

Remark

-

HW-HTTP-Redirect-URL (140)

Attribute Number

140

Attribute Name

HW-HTTP-Redirect-URL

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~200

Description

URL of a page where a user will be redirected if the user fails to be authenticated. The user can still go online. When the user initiates a Hypertext Transfer Protocol (HTTP) access request, the user is redirected to the specified URL.

This attribute is processed only when the "authening authen-redirect online authen-domain <redirect-domain>" command is configured in the authentication-scheme view.

Remark

-

HW-Qos-Profile-Type (142)

Attribute Number

142

Attribute Name

HW-Qos-Profile-Type

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Type of the QoS profile delivered by the RADIUS server, valid only for LNS users. The value can be any of the following:

0: The original QoS profile is used. If the attribute is not delivered, it has the same meaning.

1: The delivered QoS profile is used as the inbound L2TP QoS profile.

2: The delivered QoS profile is used as the outbound L2TP QoS profile.

3: The delivered QoS profile is used as both the inbound and outbound L2TP QoS profile.

If a QoS profile is delivered for the LNS, the original CAR parameters no longer take effect.

Remark

-

HW-Max-List-Num (143)

Attribute Number

143

Attribute Name

HW-Max-List-Num

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

4

Description

Maximum number of multicast programs that a user can order.

Remark

-

HW-Acct-ipv6-Input-Octets (144)

Attribute Number

144

Attribute Name

HW-Acct-ipv6-Input-Octets

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Volume of IPv6 upstream traffic, in bytes, KB, MB, or GB. By default, the unit of the attribute is byte in the standard RADIUS protocol, and KB in the RADIUS+ protocol.

The "radius-server traffic-unit" command can be run in the RADIUS server group view to specify the unit of the attribute.

Remark

-

HW-Acct-ipv6-Output-Octets (145)

Attribute Number

145

Attribute Name

HW-Acct-ipv6-Output-Octets

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Volume of IPv6 downstream traffic, in bytes, KB, MB, or GB. By default, the unit of the attribute is byte in the standard RADIUS protocol, and KB in the RADIUS+ protocol.

The "radius-server traffic-unit" command can be run in the RADIUS server group view to specify the unit of the attribute.

Remark

-

HW-Acct-ipv6-Input-Packets (146)

Attribute Number

146

Attribute Name

HW-Acct-ipv6-Input-Packets

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of IPv6 upstream packets.

Remark

-

HW-Acct-ipv6-Output-Packets (147)

Attribute Number

147

Attribute Name

HW-Acct-ipv6-Output-Packets

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of IPv6 downstream packets.

Remark

-

HW-Acct-ipv6-Input-Gigawords (148)

Attribute Number

148

Attribute Name

HW-Acct-ipv6-Input-Gigawords

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of IPv6 upstream bytes. The value is a multiple of 4 GB, KB, MB, or bytes (2^32), which can be configured using a command. The value is the most significant 32 bits of HW-Acct-ipv6-Input-Octets.

Remark

-

HW-Acct-ipv6-Output-Gigawords (149)

Attribute Number

149

Attribute Name

HW-Acct-ipv6-Output-Gigawords

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Number of IPv6 downstream bytes. The value is a multiple of 4 GB, KB, MB, or bytes (2^32), which can be configured using a command. The value is the most significant 32 bits of HW-Acct-ipv6-Output-Octets.

Remark

-

HW-DHCPv6-Option37 (150)

Attribute Number

150

Attribute Name

HW-DHCPv6-Option37

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

16

Description

The attribute identifies user location information. A switch and PON device encapsulate the device MAC address to the Option 37 field of DHCPv6 packets. The BRAS parses the field and uses a private RADIUS attribute to report it to the RADIUS server. In Layer 3 access, a router functioning as a network-side DHCP relay agent can use Option 37 to encapsulate the client's MAC address for the BRAS to obtain the user MAC address.

Remark

-

HW-DHCPv6-Option38 (151)

Attribute Number

151

Attribute Name

HW-DHCPv6-Option38

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~127

Description

Content of DHCPv6 Option 38.

Remark

-

HW-User-Mac (153)

Attribute Number

153

Attribute Name

HW-User-Mac

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~253

Description

The attribute carries a user MAC address or Option 61 information. Access-Request and Accounting-Request packets can carry the attribute with a user MAC address.

If the Option 61 information about DHCPv4 users carried in HW-User-Mac is a string of characters, it is sent to the RADIUS server directly; if the Option 61 information is in binary notation, it is converted to a string of characters before it is sent to the RADIUS server.

The "radius-attribute usermac-as-option61" command can be run in the RADIUS server group view to control whether this attribute carries MAC address or Option61 information. If the "radius-attribute usermac-as-option61" command is not run, this attribute carries the user MAC address by default. If the "radius-attribute usermac-as-option61" command is run, this attribute carries Option61 information. If the "option-61 hardware-type" command is not run in the BAS view and the user packet does not carry Option61 information, this attribute is not encapsulated in RADIUS packets.

Remark

-

HW-DNS-Server-IPv6-Address (154)

Attribute Number

154

Attribute Name

HW-DNS-Server-IPv6-Address

Attribute Value Type

ipv6addr

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

16

Description

IPv6 address of the DNS server.

Remark

-

HW-DHCPv4-Option121 (155)

Attribute Number

155

Attribute Name

HW-DHCPv4-Option121

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~245

Description

Routing information of IPoE users. A maximum of 24 route prefixes are supported.

Routes are separated by the delimiter (;).

Routes can be delivered multiple times. Each time a maximum of eight routes containing up to 245 bytes can be delivered. A maximum of 24 routes can be delivered.

The format is 1.1.1.1/16 1.1.1.2;2.2.2.2/16 2.2.2.1.

The mask is optional. There is only one space between the destination address/mask and the next hop address. The delimiter following the last route is optional.

If the attribute fails to be parsed, the user cannot go online.

Remark

-
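Because a value that fails to parse keeps the user offline, it is worth checking HW-DHCPv4-Option121 strings on the RADIUS side before they are delivered. The validator below applies the format rules listed in the description; it is an added example, not Huawei code, the function names are this example's own, and the 0 to 32 prefix range is the ordinary IPv4 limit rather than something the description states.

```python
import ipaddress

MAX_BYTES = 245            # per attribute
MAX_ROUTES_PER_ATTR = 8    # per attribute
MAX_ROUTES_TOTAL = 24      # across all attributes delivered to one user


def parse_option121(value: str):
    """Parse one attribute value into (destination, prefix_len, next_hop)
    tuples. prefix_len is None when the optional mask is omitted."""
    size = len(value.encode("ascii"))   # non-ASCII raises a ValueError subclass
    if not 1 <= size <= MAX_BYTES:
        raise ValueError(f"value is {size} bytes, allowed 1 to {MAX_BYTES}")
    entries = value.split(";")
    if entries[-1] == "":
        entries.pop()                   # delimiter after the last route is optional
    if not 1 <= len(entries) <= MAX_ROUTES_PER_ATTR:
        raise ValueError(f"{len(entries)} routes, allowed 1 to {MAX_ROUTES_PER_ATTR}")
    routes = []
    for entry in entries:
        parts = entry.split(" ")
        # Exactly one space between destination[/mask] and next hop.
        if len(parts) != 2 or "" in parts:
            raise ValueError(f"expected 'destination[/mask] next-hop', got {entry!r}")
        dest, sep, mask = parts[0].partition("/")
        prefix = None
        if sep:
            if not mask.isdigit() or int(mask) > 32:
                raise ValueError(f"bad mask in {entry!r}")
            prefix = int(mask)
        # IPv4Address raises AddressValueError (a ValueError) on bad input.
        routes.append((str(ipaddress.IPv4Address(dest)), prefix,
                       str(ipaddress.IPv4Address(parts[1]))))
    return routes


def validate_delivery(values):
    """Validate every attribute instance planned for one user and enforce
    the overall route limit. Returns the combined route list."""
    routes = []
    for value in values:
        routes.extend(parse_option121(value))
    if len(routes) > MAX_ROUTES_TOTAL:
        raise ValueError(f"{len(routes)} routes, limit is {MAX_ROUTES_TOTAL}")
    return routes


if __name__ == "__main__":
    # The first value is the format example from the description;
    # the others are constructed to show rejected input.
    for sample in ("1.1.1.1/16 1.1.1.2;2.2.2.2/16 2.2.2.1",
                   "10.0.0.0 10.0.0.1;",
                   "10.0.0.0/8  10.0.0.1",
                   "10.0.0.0/33 10.0.0.1"):
        try:
            print(repr(sample), "->", parse_option121(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```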

HW-DHCPV4-Option43 (156)

Attribute Number

156

Attribute Name

HW-DHCPV4-Option43

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~200

Description

The attribute carries the Option 43 information in the DHCP reply packet sent to the DHCPv4 user, and is delivered in the Access-Accept packet.

If this attribute is delivered carrying the URI of PPPoE users, it has a lower priority than hw-portal-url. This means that this attribute will not be encapsulated into the PADM's tag as long as the RADIUS server has delivered hw-portal-url.

Remark

-

HW-Framed-Pool-Group (157)

Attribute Number

157

Attribute Name

HW-Framed-Pool-Group

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~253

Description

The attribute carries the name of the address pool group and is delivered in the Access-Accept packet. The BRAS resolves the address pool list based on the address pool group name and chooses address pools from the list to allocate addresses to users.

Remark

The name of an address pool group configured on the device can have a maximum of 32 bytes while that of an address pool delivered can have a maximum of 253 bytes.

HW-Framed-IPv6-Address (158)

Attribute Number

158

Attribute Name

HW-Framed-IPv6-Address

Attribute Value Type

ipv6addr

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

16

Description

Carries an address assigned by a DHCPv6 server using identity association for non-temporary addresses (IA_NA).

Remark

-

HW-Acct-Update-Address (159)

Attribute Number

159

Attribute Name

HW-Acct-Update-Address

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

The attribute is carried in accounting update packets. If the accounting server needs to update user IP addresses based on received packets, the value of this attribute is set to 1. The default value of this attribute is 0.

Remark

-

HW-NAT-Policy-Name (160)

Attribute Number

160

Attribute Name

HW-NAT-Policy-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~31

Description

NAT policy template delivered in the user authentication response packet. This template is saved locally.

Remark

-

HW-Nat-IP-Address (161)

Attribute Number

161

Attribute Name

HW-Nat-IP-Address

Attribute Value Type

Address

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Public network IP address after network address translation (NAT).

When port pre-allocation is used in centralized BRAS scenarios, the BRAS sends accounting packets carrying the translated public network IP address to the RADIUS server.

Remark

-

HW-NAT-Start-Port (162)

Attribute Number

162

Attribute Name

HW-NAT-Start-Port

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Start port of the public network IP address after NAT in a centralized BRAS scenario.

When port pre-allocation is used in centralized BRAS scenarios, the BRAS sends accounting packets carrying the start port of the translated public network IP address to the RADIUS server.

Remark

-

HW-NAT-End-Port (163)

Attribute Number

163

Attribute Name

HW-NAT-End-Port

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

End port of the public network IP address after NAT in a centralized BRAS scenario.

When port pre-allocation is used in centralized BRAS scenarios, the BRAS sends accounting packets carrying the end port of the translated public network IP address to the RADIUS server.

Remark

-

HW-NAT-Port-Forwarding (164)

Attribute Number

164

Attribute Name

HW-NAT-Port-Forwarding

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~48

Description

Port-Forwarding delivered and reported by the RADIUS server in a centralized BRAS scenario.

1. This attribute consists of User IP, Protocol, User Port, PortFwd IP, and PortFwd Port, which are separated by semicolons (;), for example, 192.168.1.1;TCP;32768;50.50.50.1;50000.

2. The values in this attribute are arranged in the following order: User IP, Protocol, PortFwd IP, User Port, and PortFwd Port.

User IP, Protocol, User Port, and Port-Fwd-Port must be delivered in Access packets to the BRAS. Currently, PortFwd IP is not resolved. Accounting-Request packets must carry all fields. If PortFwd Port and PortFwd IP fail to be allocated, users can go online, but the port forwarding function does not take effect.

Remark

-

HW-Nat-Port-Range-Update (165)

Attribute Number

165

Attribute Name

HW-Nat-Port-Range-Update

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

RADIUS source tracing in a CGN scenario. The attribute is supported by NAT444 users and DSLITE users.

The attribute is carried by RADIUS accounting packets and reported to the RADIUS server when ports on the CGN service board change. The value can be:

0: Ports are added.

1: Ports are deleted.

3: The public network information is changed.

Remark

-

HW-DS-Lite-Tunnel-Name (166)

Attribute Number

166

Attribute Name

HW-DS-Lite-Tunnel-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

1~63

Description

IPv6 tunnel name in a CGN scenario.

Remark

The length must be shorter than or equal to 63 bytes.

HW-PCP-Server-Name (167)

Attribute Number

167

Attribute Name

HW-PCP-Server-Name

Attribute Value Type

Text

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~64

Description

PCP Server Name.

Remark

The length must be shorter than or equal to 64 bytes.

HW-Public-IP-Addr-State (168)

Attribute Number

168

Attribute Name

HW-Public-IP-Addr-State

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Status of the public IP address pool in a NAT444 scenario. When upper and lower thresholds for a public IP address pool are configured in the AAA domain view, the attribute is carried in the Access-Request packets for the RADIUS server to determine whether the user is a public network user or a NAT444 user.

Safe (0): No NAT444 instance is bound to the AAA domain, all NAT444 instances bound to the AAA domain are inactive, or the usage of the public IP address pool is smaller than the lower threshold.

Warning (1): Active NAT444 instances are bound to the AAA domain, but the usage of the public IP address pool is greater than or equal to the lower threshold and less than or equal to the upper threshold.

Danger (2): Active NAT444 instances are bound to the AAA domain, but the usage of the public IP address pool is greater than the upper threshold.

Remark

-

HW-Auth-Type (180)

Attribute Number

180

Attribute Name

HW-Auth-Type

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Authentication type, which can be any of the following:

1: PPP authentication.

2: web authentication.

3: dot1x authentication.

4: fast authentication.

5: bind authentication.

6: WLAN authentication.

7: management user authentication.

8: tunnel authentication.

9: MIP authentication.

10: non-authentication.

11: MAC authentication.

Remark

-

HW-Acct-terminate-subcause (181)

Attribute Number

181

Attribute Name

HW-Acct-terminate-subcause

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Sub-code for a session disconnection. For details, see the "display radius offline-sub-reason" command output.

Remark

-

HW-Down-QOS-Profile-Name (182)

Attribute Number

182

Attribute Name

HW-Down-QOS-Profile-Name

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~63

Description

QoS profile delivered by the RADIUS server.

In home user access, this attribute is used to configure the bandwidth for each service in the home. In common user access, this attribute is used to configure the total downstream bandwidth and scheduling preference of downstream service traffic.

Remark

-

HW-Port-Mirror (183)

Attribute Number

183

Attribute Name

HW-Port-Mirror

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Upstream and downstream interface mirroring enabling flag delivered by the RADIUS server, which is used to control whether interface mirroring is enabled in the upstream and downstream directions. The value ranges from 0 to 3.

(1) The value 0 indicates that interface mirroring is not enabled in either the upstream or the downstream direction.

(2) The value 1 indicates that interface mirroring is enabled in only the upstream direction.

(3) The value 2 indicates that interface mirroring is enabled in only the downstream direction.

(4) The value 3 indicates that interface mirroring is enabled in both the upstream and downstream directions.

Remark

-

HW-Account-Info (184)

Attribute Number

184

Attribute Name

HW-Account-Info

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

Account information. The first character is used to identify different meanings.

Subtype 1: uses A as the first character, followed by a service name. This subtype is used in user authentication response packets to deliver EDSG services that automatically take effect (directly activated after delivery) and to return the delivered EDSG service name in the CoA user information query.

Subtype 2: uses N as the first character, followed by a service name or other information. The format is N[<service-state>]<service-name>;[<time-connected>];[<username>];[<pkt-in>];[<pkt-out>];[<bytes_in>];[<bytes_out>], where <service-state> is active:1 or inactive:0. This attribute is used in user authentication response packets to deliver EDSG services that do not automatically take effect (not automatically activated after delivery) and to return the delivered EDSG service name and detailed service information in the CoA user information or service information query.

Subtype 3: uses S as the first character, followed by a user IP address or by a user IP address plus a port number (for example, S10.10.5.11:85). This attribute is used as a user identifier in a CoA message and has the same function as the Acct-Session-Id attribute in a CoA message.

Remark

-
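
The three HW-Account-Info subtypes described above, written as a strict parser that a RADIUS server or CoA front end could run before acting on the value. This is an added example, not Huawei code. It assumes printable ASCII values, IPv4 only for subtype S, decimal packet and byte counters, and that a leading 0 or 1 after N is the optional service state; all sample values except S10.10.5.11:85 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_LEN = 247  # upper bound of the Length field listed for HW-Account-Info (184)
# Optional fields after <service-name> in subtype N, in the documented order.
N_FIELDS = ("time_connected", "username", "pkt_in", "pkt_out", "bytes_in", "bytes_out")
NUMERIC = {"pkt_in", "pkt_out", "bytes_in", "bytes_out"}  # assumption: decimal counters


class AccountInfoError(ValueError):
    """The value matches none of the three documented subtypes."""


@dataclass
class AccountInfo:
    subtype: str                      # "A", "N" or "S"
    service_name: str = ""            # A and N
    active: Optional[bool] = None     # N: 1 = active, 0 = inactive, None = not given
    details: dict = field(default_factory=dict)  # N: optional fields that were present
    ip: str = ""                      # S
    port: Optional[int] = None        # S, when ":<port>" is present


def _parse_n(body: str) -> AccountInfo:
    active = None
    # Assumption: a leading 0 or 1 is the optional <service-state> digit.
    if body[:1] in ("0", "1"):
        active, body = body[0] == "1", body[1:]
    name, *extra = body.split(";")
    if not name:
        raise AccountInfoError("subtype N without a service name")
    if len(extra) > len(N_FIELDS):
        raise AccountInfoError("subtype N has more fields than documented")
    details = {}
    for key, value in zip(N_FIELDS, extra):
        if value == "":
            continue  # every field after the name is optional
        if key in NUMERIC:
            if not value.isdigit():
                raise AccountInfoError(f"{key} is not a decimal counter: {value!r}")
            details[key] = int(value)
        else:
            details[key] = value
    return AccountInfo("N", service_name=name, active=active, details=details)


def _parse_s(body: str) -> AccountInfo:
    host, sep, port_text = body.partition(":")
    try:
        ip = ipaddress.IPv4Address(host)  # assumption: IPv4 only, as in the page's example
    except ValueError as exc:
        raise AccountInfoError(f"subtype S has an invalid IPv4 address: {host!r}") from exc
    port = None
    if sep:
        if not port_text.isdigit() or not 0 < int(port_text) <= 65535:
            raise AccountInfoError(f"subtype S has an invalid port: {port_text!r}")
        port = int(port_text)
    return AccountInfo("S", ip=str(ip), port=port)


def parse_account_info(raw: bytes) -> AccountInfo:
    """Parse one HW-Account-Info value (the bytes after the sub-attribute header)."""
    if not 1 <= len(raw) <= MAX_LEN:
        raise AccountInfoError(f"length {len(raw)} outside 1..{MAX_LEN}")
    try:
        text = raw.decode("ascii")  # assumption: values are printable ASCII
    except UnicodeDecodeError as exc:
        raise AccountInfoError("value is not ASCII") from exc
    if not text.isprintable():
        raise AccountInfoError("value contains control characters")
    tag, body = text[0], text[1:]
    if tag == "A":
        if not body:
            raise AccountInfoError("subtype A without a service name")
        return AccountInfo("A", service_name=body)
    if tag == "N":
        return _parse_n(body)
    if tag == "S":
        return _parse_s(body)
    raise AccountInfoError(f"unknown subtype character {tag!r}")


if __name__ == "__main__":
    # Constructed sample values; only S10.10.5.11:85 appears on the page.
    for sample in (b"Aedsg-video", b"N1edsg-video;120;alice;10;20;1000;2000",
                   b"S10.10.5.11:85", b"S10.10.5.11:99999"):
        try:
            print(sample, "->", parse_account_info(sample))
        except AccountInfoError as err:
            print(sample, "-> rejected:", err)
```

Rejecting anything outside the documented grammar matters most for subtype S, because that value selects which user session a CoA message acts on.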

HW-Service-Info (185)

Attribute Number

185

Attribute Name

HW-Service-Info

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

Service information. The first character is used to identify different meanings. Currently, it can only use N as the first character, followed by a service name. This attribute is used in authentication request, quota application, and accounting request packets in EDSG services to carry the service name.

Remark

-

HW-Dhcp-Option (187)

Attribute Number

187

Attribute Name

HW-Dhcp-Option

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

DHCP options delivered by the RADIUS server after a user is authenticated.

Remark

For more information, see the chapter "More Information About HW-Dhcp-Option (187)".

HW-AVpair (188)

Attribute Number

188

Attribute Name

HW-AVpair

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

Attribute-value pair, which is the framework attribute of extensible sub-attributes. The format is a character string of <attribute-name>=<value>.

Remark

For more information, see the chapter "More Information About HW-AVpair (188)".

HW-Dhcpv6-Option (189)

Attribute Number

189

Attribute Name

HW-Dhcpv6-Option

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~247

Description

DHCPv6 options delivered by the RADIUS server after a user is authenticated.

Remark

For more information, see the chapter "More Information About HW-Dhcpv6-Option (189)".

HW-Delegated-IPv6-Prefix-Pool (191)

Attribute Number

191

Attribute Name

HW-Delegated-IPv6-Prefix-Pool

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~253

Description

Address pool from which PD prefixes are allocated.

Remark

-

HW-IPv6-Prefix-Lease (192)

Attribute Number

192

Attribute Name

HW-IPv6-Prefix-Lease

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

10

Description

IPv6 prefix lease.

Format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |      T1       |      T2       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Preferred-lifetime
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         valid-lifetime
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Remark

-

HW-IPv6-Address-Lease (193)

Attribute Number

193

Attribute Name

HW-IPv6-Address-Lease

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

10

Description

IPv6 address lease.

Format:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |      T1       |      T2       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Preferred-lifetime
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         valid-lifetime
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Remark

-

HW-IPv6-Policy-Route (194)

Attribute Number

194

Attribute Name

HW-IPv6-Policy-Route

Attribute Value Type

ipv6addr

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

16

Description

IPv6 policy-based routing.

Each board supports a maximum of 64 IPv6 PBR policies. IPv6 PBR policies beyond this limit do not take effect and trigger alarms, but do not affect user login.

Remark

-

HW-MNG-IPv6 (196)

Attribute Number

196

Attribute Name

HW-MNG-IPv6

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

Whether IPv6 address management is used for users is determined by the RADIUS server based on the authentication result (whether IPv6 addresses are assigned) and CPE information (that specifies IPv6 address management). If the HW-MNG-IPv6 attribute is delivered to the BRAS, the BRAS will encapsulate it into the PPPoE PADM Tag0x0112 MOTM.

The value can only be 0 or 1. 0: IPv6 address management is not supported. 1: IPv6 address management is supported. If any other value is delivered, user login fails.

Remark

-

HW-USR-GRP-NAME (251)

Attribute Number

251

Attribute Name

HW-USR-GRP-NAME

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~32

Description

Name of the user group that applies to the user.

Do not configure the user level by using the HW-Exec-Privilege (29) attribute. Otherwise, the user level configuration takes effect, but the user group configuration does not.

Remark

The value is a string of 1 to 32 characters containing letters, digits, and underscores (_).

HW-USER-SRVC_TYPE (252)

Attribute Number

252

Attribute Name

HW-USER-SRVC_TYPE

Attribute Value Type

Integer

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

4

Description

User access type, which can be PPP, terminal, Telnet, FTP, or SSH.

Remark

-

HW-Web-URL (253)

Attribute Number

253

Attribute Name

HW-Web-URL

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

All

Value of Length field (in Bytes)

1~200

Description

URL to which a web authentication user is redirected. This attribute is applicable to web authentication scenarios for IPoE users or captive portal scenarios for all types of users in arrears. This attribute takes effect only when the user-group attribute is also delivered.

Remark

-

HW-Version (254)

Attribute Number

254

Attribute Name

HW-Version

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

1~253

Description

Version of a device.

This attribute carries different information for different devices. For example, on NE devices, this attribute carries Huawei NE by default.

Note:

The "radius-attribute include <attributename>" command can be used to determine whether packets in a RADIUS group are processed and how to process the HW-Version and HW-Product-ID attributes. After the HW-Version or HW-Product-ID attribute is specified, the content displayed in the "display version" command output is encapsulated as the content of that attribute in authentication and accounting packets, except on ME series devices.

Remark

-

HW-Product-ID (255)

Attribute Number

255

Attribute Name

HW-Product-ID

Attribute Value Type

String

Standard Defined

Huawei RADIUS+1.1

Server Type

Standard

Value of Length field (in Bytes)

1~8

Description

Product ID of a device.

This attribute carries different information for different devices. For example, on NE devices, this attribute carries NE by default. For details, see the HW-Version (254) attribute description.

The displayed format can be controlled by a command. For details, see the HW-Version (254) attribute description.

Remark

-

RADIUS Attributes Defined by DSL Forum (Vendor ID = 3561, Attribute Number=26)

Agent-Circuit-Id (1)

Attribute Number

1

Attribute Name

Agent-Circuit-Id

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~63

Description

ID of the line from an online user to the access device.

When the "radius-attribute agent-circuit-id format {cn | tr-101}" command is configured and the DHCP module successfully parses Option 82 according to the "option-82 parse-mode" command configured on the interface, the Agent-Circuit-Id attribute is carried in RADIUS Access packets in the format set by the "radius-attribute agent-circuit-id format {cn | tr-101}" command.

Remark

-

Agent-Remote-Id (2)

Attribute Number

2

Attribute Name

Agent-Remote-Id

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~63

Description

Unique identifier for the association between an online user and the line

Remark

-

Actual-Data-Rate-Upstream (129)

Attribute Number

129

Attribute Name

Actual-Data-Rate-Upstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Actual upstream rate of the line corresponding to the online user

Remark

-

Actual-Data-Rate-Downstream (130)

Attribute Number

130

Attribute Name

Actual-Data-Rate-Downstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Actual downstream rate of the line corresponding to the online user

Remark

-

Minimum-Data-Rate-Upstream (131)

Attribute Number

131

Attribute Name

Minimum-Data-Rate-Upstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Minimum upstream rate configured for the online user

Remark

-

Minimum-Data-Rate-Downstream (132)

Attribute Number

132

Attribute Name

Minimum-Data-Rate-Downstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Minimum downstream rate configured for the online user

Remark

-

Attainable-Data-Rate-Upstream (133)

Attribute Number

133

Attribute Name

Attainable-Data-Rate-Upstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Attainable upstream rate for the online user

Remark

-

Attainable-Data-Rate-Downstream (134)

Attribute Number

134

Attribute Name

Attainable-Data-Rate-Downstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Attainable downstream rate for the online user

Remark

-

Maximum-Data-Rate-Upstream (135)

Attribute Number

135

Attribute Name

Maximum-Data-Rate-Upstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Maximum upstream rate configured for the online user

Remark

-

Maximum-Data-Rate-Downstream (136)

Attribute Number

136

Attribute Name

Maximum-Data-Rate-Downstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Maximum downstream rate configured for the online user

Remark

-

Minimum-Data-Rate-Upstream-Low-Power (137)

Attribute Number

137

Attribute Name

Minimum-Data-Rate-Upstream-Low-Power

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Minimum upstream rate for the online user at low voltage

Remark

-

Minimum-Data-Rate-Downstream-Low-Power (138)

Attribute Number

138

Attribute Name

Minimum-Data-Rate-Downstream-Low-Power

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Minimum downstream rate for the online user at low voltage

Remark

-

Maximum-Interleaving-Delay-Upstream (139)

Attribute Number

139

Attribute Name

Maximum-Interleaving-Delay-Upstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Maximum delay for the upstream traffic per channel

Remark

-

Actual-Interleaving-Delay-Upstream (140)

Attribute Number

140

Attribute Name

Actual-Interleaving-Delay-Upstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Actual delay for the upstream traffic per channel

Remark

-

Maximum-Interleaving-Delay-Downstream (141)

Attribute Number

141

Attribute Name

Maximum-Interleaving-Delay-Downstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Maximum delay for the downstream traffic per channel

Remark

-

Actual-Interleaving-Delay-Downstream (142)

Attribute Number

142

Attribute Name

Actual-Interleaving-Delay-Downstream

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Actual delay for the downstream traffic per channel

Remark

-

Access-Loop-Encapsulation (144)

Attribute Number

144

Attribute Name

Access-Loop-Encapsulation

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Line encapsulation type for the access user

Remark

-

RADIUS Attributes Defined by Microsoft (Vendor ID = 311, Attribute Number=26)

MS-CHAP-Response (1)

Attribute Number

1

Attribute Name

MS-CHAP-Response

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~50

Description

Response to the MS-CHAP authentication challenge.

Remark

-

MS-CHAP-Error (2)

Attribute Number

2

Attribute Name

MS-CHAP-Error

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~80

Description

Error information that is carried in an MS-CHAP Access-Reject packet.

Remark

-

MS-CHAP-CPW-2 (4)

Attribute Number

4

Attribute Name

MS-CHAP-CPW-2

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~84

Description

Changed MS-CHAP V2 password

Remark

-

MS-CHAP-NT-Enc-PW (6)

Attribute Number

6

Attribute Name

MS-CHAP-NT-Enc-PW

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~516

Description

New MS-CHAP password, which is obtained by encrypting the old MS-CHAP password.

Remark

If the length of this attribute exceeds 516 bytes, this attribute must be encapsulated in fragments.

MS-CHAP-Challenge (11)

Attribute Number

11

Attribute Name

MS-CHAP-Challenge

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~32

Description

MS-CHAP challenge.

Remark

MS-CHAP: 8 bytes. MS-CHAP2 authentication: 16 bytes. MS-CHAP2 password change: 32 bytes.

MS-MPPE-Send-Key (16)

Attribute Number

16

Attribute Name

MS-MPPE-Send-Key

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~32

Description

A RADIUS server delivers a Microsoft Point-to-Point Encryption (MPPE) key to a NAS. The NAS then transparently transmits the key to an AP after decrypting and encrypting the key.

This attribute can be used in WLAN scenarios.

Remark

-

MS-MPPE-Recv-Key (17)

Attribute Number

17

Attribute Name

MS-MPPE-Recv-Key

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~32

Description

A RADIUS server delivers a Microsoft Point-to-Point Encryption (MPPE) key to a NAS. The NAS then transparently transmits the key to an AP after decrypting and encrypting the key.

This attribute can be used in WLAN scenarios.

Remark

-

MS-CHAP2-Response (25)

Attribute Number

25

Attribute Name

MS-CHAP2-Response

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~50

Description

Response to the MS-CHAP2 authentication challenge.

Remark

-

MS-CHAP2-Success (26)

Attribute Number

26

Attribute Name

MS-CHAP2-Success

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~42

Description

Authentication success code.

Remark

-

MS-CHAP2-CPW (27)

Attribute Number

27

Attribute Name

MS-CHAP2-CPW

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~68

Description

Changed MS-CHAP2 password.

Remark

-

MS-Primary-DNS-Server (28)

Attribute Number

28

Attribute Name

MS-Primary-DNS-Server

Attribute Value Type

Address

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Address of the primary DNS server of a specified user after user authentication is successful.

Remark

-

MS-Secondary-DNS-Server (29)

Attribute Number

29

Attribute Name

MS-Secondary-DNS-Server

Attribute Value Type

Address

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

Address of the secondary DNS server of a specified user after user authentication is successful.

Remark

-

RADIUS Attributes Defined by Redback (Vendor ID = 2352, Attribute Number=26)

Forward-Policy (92)

Attribute Number

92

Attribute Name

Forward-Policy

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~253

Description

The attribute has the same function as the Filter-Id (11) attribute defined in RFC 2865.

This attribute is delivered only in Access-Accept packets and CoA messages.

Remark

-

BB-Caller-ID (97)

Attribute Number

97

Attribute Name

BB-Caller-ID

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~253

Description

When the "vlanpvc-to-username version10" command or the "vlanpvc-to-username version20" command is configured, the attribute (the original option82) is sent to a RADIUS server.

This attribute is sent only in Access-Request and Accounting-Request packets to a RADIUS server.

By default, this attribute is not sent to a RADIUS server. To allow this attribute to be sent, run the "radius-attribute include BB-Caller-ID" command in the RADIUS server group view.

Remark

-

NPM-Service-Id (106)

Attribute Number

106

Attribute Name

NPM-Service-Id

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~127

Description

Service name.

Zero to two NPM-Service-Id attributes can be delivered in Access-Accept packets or sent to a RADIUS server in Accounting-Request packets.

Remark

-

HTTP-Redirect-Profile-Name (107)

Attribute Number

107

Attribute Name

HTTP-Redirect-Profile-Name

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~64

Description

Configured user URL profile name. This attribute has a similar function to the HW-HTTP-Redirect-URL (140) attribute.

Remark

-

HTTP-Redirect-URL (165)

Attribute Number

165

Attribute Name

HTTP-Redirect-URL

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~200

Description

Redirection URL. The attribute has the same function as the HW-HTTP-Redirect-URL (140) attribute.

Zero or one HTTP-Redirect-URL attribute can be delivered in one Access-Accept packet.

Remark

-

RADIUS Attributes Defined by Ascend

Ascend-Client-Primary-Dns (135)

Attribute Number

135

Attribute Name

Ascend-Client-Primary-Dns

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

IP address of the primary DNS server delivered after user authentication is successful.

The attribute can be delivered in the IPv4 address format.

Remark

-

Ascend-Client-Secondary-Dns (136)

Attribute Number

136

Attribute Name

Ascend-Client-Secondary-Dns

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

IP address of the secondary DNS server delivered after user authentication is successful.

The attribute can be delivered in the IPv4 address format.

Remark

-

RADIUS Attributes Defined by Huawei+1.0 Protocol (Vendor = 2011, Attribute Number=26)

Remanent-Volume (80)

Attribute Number

80

Attribute Name

Remanent-Volume

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Remaining traffic (in KB) available to a user. The value 0 indicates that the user is logged out immediately. The value 0xFFFFFFFF indicates that there is no traffic limit.

The preceding meaning of the attribute applies only to the scenario where the RADIUS server type is plus10. When the RADIUS server type is not plus10, the attribute meaning is the same as that defined in the RFC standard.

Remark

-

Tariff-Switch-Interval (81)

Attribute Number

81

Attribute Name

Tariff-Switch-Interval

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Interval between the latest tariff switching time and the current time, in seconds. The next tariff switching time may be within or beyond the next real-time accounting period. Upon tariff switching, a NAS sends an accounting update packet to the RADIUS server.

The preceding meaning of the attribute applies only to the scenario where the RADIUS server type is plus10. When the RADIUS server type is not plus10, the attribute meaning is the same as that defined in the RFC standard.

Remark

-

In-Kb-Before-T-Switch (111)

Attribute Number

111

Attribute Name

In-Kb-Before-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of bytes (in KB) sent by a user before tariff switching.

If no tariff switching occurs within the real-time accounting period, this attribute refers to the total number of bytes that a NAS receives from a user port from the start of the session to the end of the real-time accounting period.

If one tariff switching occurs within the real-time accounting period, this attribute refers to the total number of bytes that a NAS receives from a user port from the start of the session to the time when tariff switching occurs.

No more than one tariff switching can occur in one real-time accounting period.

Remark

-

Out-Kb-Before-T-Switch (112)

Attribute Number

112

Attribute Name

Out-Kb-Before-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of bytes (in KB) received by a user before tariff switching.

If no tariff switching occurs within the real-time accounting period, this attribute refers to the total number of bytes that a NAS sends to a user port from the start of the session to the end of the real-time accounting period.

If one tariff switching occurs within the real-time accounting period, this attribute refers to the total number of bytes that a NAS sends to a user port from the start of the session to the time when tariff switching occurs.

No more than one tariff switching can occur in one real-time accounting period.

Remark

-

In-Pkts-Before-T-Switch (113)

Attribute Number

113

Attribute Name

In-Pkts-Before-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of bytes (in KB) received by a user before tariff switching.

If no tariff switching occurs within the real-time accounting period, this attribute refers to the total number of bytes that a NAS sends to a user port from the start of the session to the end of the real-time accounting period.

If one tariff switching occurs within the real-time accounting period, this attribute refers to the total number of bytes that a NAS sends to a user port from the start of the session to the time when tariff switching occurs.

No more than one tariff switching can occur in one real-time accounting period.

Remark

-

Out-Pkts-Before-T-Switch (114)

Attribute Number

114

Attribute Name

Out-Pkts-Before-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of packets received by a user before tariff switching.

If no tariff switching occurs within the real-time accounting period, this attribute refers to the total number of packets that a NAS sends to a user port from the start of the session to the end of the real-time accounting period.

If one tariff switching occurs within the real-time accounting period, this attribute refers to the total number of packets that a NAS sends to a user port from the start of the session to the time when tariff switching occurs.

No more than one tariff switching can occur in one real-time accounting period.

Remark

-

In-Kb-After-T-Switch (115)

Attribute Number

115

Attribute Name

In-Kb-After-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of bytes (in KB) sent by a user after tariff switching. This attribute refers to the total number of bytes that a NAS receives from a user port from the start of the session to the end of the real-time accounting period.

Remark

-

Out-Kb-After-T-Switch (116)

Attribute Number

116

Attribute Name

Out-Kb-After-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of bytes (in KB) received by a user after tariff switching. This attribute refers to the total number of bytes that a NAS sends to a user port from the start of the session to the end of the real-time accounting period.

Remark

-

In-Pkts-After-T-Switch (117)

Attribute Number

117

Attribute Name

In-Pkts-After-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of packets sent by a user after tariff switching. This attribute refers to the total number of packets that a NAS receives from a user port from the start of the session to the end of the real-time accounting period.

Remark

-

Out-Pkts-After-T-Switch (118)

Attribute Number

118

Attribute Name

Out-Pkts-After-T-Switch

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Number of packets received by a user after tariff switching. This attribute refers to the total number of packets that a NAS sends to a user port from the start of the session to the end of the real-time accounting period.

Remark

-

Input-Peak-Rate (121)

Attribute Number

121

Attribute Name

Input-Peak-Rate

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Upstream burst rate (PIR), in bit/s.

Remark

-

Input-Average-Rate (122)

Attribute Number

122

Attribute Name

Input-Average-Rate

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Upstream average rate (CIR), in bit/s.

Remark

-

Output-Peak-Rate (124)

Attribute Number

124

Attribute Name

Output-Peak-Rate

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Downstream burst rate (PIR), in bit/s.

Remark

-

Output-Average-Rate (125)

Attribute Number

125

Attribute Name

Output-Average-Rate

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Downstream average rate (CIR), in bit/s.

Remark

-

OnLine-User-Id (127)

Attribute Number

127

Attribute Name

OnLine-User-Id

Attribute Value Type

Integer

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

4

Description

Connection index of a user.

Remark

-

Connect-port (128)

Attribute Number

128

Attribute Name

Connect-port

Attribute Value Type

String

Standard Defined

-

Server Type

Plus10

Value of Length field (in Bytes)

1~48

Description

Feature of a physical port for user access.

Specific formats:

1. When the "vlanpvc-to-username" command in the AAA domain view is configured as version 10 (the default value is version 20), the formats of this attribute are as follows:

Ethernet interface:

On an X1/X2 model: <host-name>+'-'+<slot-number> (2 bytes)+<sub-slot-number> (1 byte)+<port-number> (1 byte)+<VLAN-ID> (7 bytes)+'@vlan' (0s are used for padding, and excess bits are discarded)

2. When the "vlanpvc-to-username" command in the AAA domain view is configured as other types (the default value is version 20), the formats of this attribute are as follows:

Ethernet interface on an X1/X2 model:

QinQ interface: <host-name>+'-'+<slot-number> (1 byte)+<sub-slot-number> (2 bytes)+<port-number> (1 byte)+<VLAN-ID> (4-byte outer VLAN ID + 0 + 4-byte inner VLAN ID)+'@vlan' (0s are used for padding, and excess bits are discarded.)

Non-QinQ interface: <host-name>+'-'+<slot-number> (1 byte)+<sub-slot-number> (2 bytes)+<port-number> (1 byte)+<VLAN-ID> (9 bytes)+'@vlan' (0s are used for padding, and excess bits are discarded.)

3. When the Connect-port attribute is converted to the Connect-Port-New attribute using an attribute conversion command, the formats of the new attribute are the same as those of the old attribute except that the port number is extended from 1 byte to 2 bytes.

Remark

-

RADIUS Attributes Defined by Carrier (Vendor ID = 28357)

CMCC-NAS-Type (201)

Attribute Number

201

Attribute Name

CMCC-NAS-Type

Attribute Value Type

Integer

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

4

Description

NAS type:

1. For a non-CU separation device, the value is 1.

2. For a CU separation device, the value is 2.

Remark

-

RADIUS Attributes Defined by Cisco (Vendor ID = 9)

CISCO-AVPair (1)

Attribute Number

1

Attribute Name

CISCO-AVPair (1)

Attribute Value Type

String

Standard Defined

-

Server Type

All

Value of Length field (in Bytes)

1~247

Description

Attribute-value pair; framework attribute of the extended sub-attributes of Cisco. The value is a character string in the format of <attribute-name>=<value>. Currently, only the address pool attribute named ip:addr-pool is supported.

Remark

-

RADIUS Server Selection

Server Status Control Policy

  • By default, a device considers the RADIUS server to be abnormal and sets its status to Down if the following conditions apply:
    • The device consecutively sends 10 packets to which a RADIUS server does not respond.
    • The interval between the first ignored packet and the tenth ignored packet exceeds 5 seconds.

    The maximum number of consecutively sent packets to which a RADIUS server does not respond can be set using the radius-server dead-count count command. The interval between the first ignored packet and the packet ignored for the specified times can be set using the radius-server dead-interval interval-value command.

  • If a RADIUS server responds to only a few packets because of a server malfunction or a poor connection, it is unsuitable for use and should be set to Down. However, the default Down condition (n consecutive timed-out packets) cannot be met in this case. To resolve this issue, run the radius-server dead-count count fail-rate fail-rate command to enable the device to set the RADIUS server to Down based on the failure rate of sent packets. By default, this function is disabled. After it is enabled, it takes effect together with dead-count: the RADIUS server is set to Down if either the fail-rate or the dead-count condition is met.
  • By default, after a RADIUS server is set to Down, it recovers immediately if its connected device receives response packets from it. If the device does not receive any response packets within a specified period, the device sets the RADIUS server to Up. The period is set to 3 minutes by default and can be configured using the radius-server dead-time time-value command.
  • If a RADIUS server responds only to a few packets due to a server malfunction or bad connection or a RADIUS server frequently goes Up and Down, the network becomes unstable. To suppress the unstable status of the RADIUS server, run the radius-server dead-time time-value [ recover-count invalid ] command to enable slow recovery of the RADIUS server. By default, this function is disabled. After it is enabled, a device does not set the RADIUS server to Up upon receipt of response packets until dead-time elapses.
  • After a RADIUS server is set to Down, users who have already selected the server to send packets continue to use this server if packet sending times out but the number of packet retransmission times is not reached.
  • The retransmission time configured for a RADIUS group is valid for all the servers in the group. If the number of times that a RADIUS server sends packets to a device reaches the limit, the device selects the next server. For example, if the number of retransmission times is set to n for a server group and the number of servers is 3, the maximum number of retransmission times of a user packet is 3 x n.
  • By default, the authentication server with the same IP address and VPN is preferentially used for accounting. If the radius-server algorithm master-backup strict command is run, the accounting server is strictly selected based on the configured algorithm. The primary accounting server is preferentially selected instead of referring to the authentication server selection result.
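The Down and recovery rules above can be replayed over a timeline of request outcomes to see when a server would change state. This is an added example, not Huawei code: the class and function names are hypothetical, the event lists are constructed, and it assumes that a run of unanswered packets is measured from its first timeout until a response arrives. The fail-rate condition is left out because the page does not say how the rate is measured.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServerStatus:
    """Model of the status policy above (hypothetical names, not device code)."""
    dead_count: int = 10         # radius-server dead-count (default 10 packets)
    dead_interval: float = 5.0   # radius-server dead-interval (default 5 seconds)
    dead_time: float = 180.0     # radius-server dead-time (default 3 minutes)
    slow_recovery: bool = False  # True models "recover-count invalid"
    state: str = "Up"
    down_since: Optional[float] = None
    # Timestamps of the current run of consecutive unanswered packets.
    misses: List[float] = field(default_factory=list)

    def poll(self, now: float) -> str:
        """A Down server is set back to Up once dead-time has elapsed."""
        if self.state == "Down" and now - self.down_since >= self.dead_time:
            self.state, self.down_since = "Up", None
            self.misses.clear()
        return self.state

    def on_timeout(self, now: float) -> str:
        """Record one packet that the server did not answer."""
        if self.poll(now) == "Up":
            self.misses.append(now)
            span = self.misses[-1] - self.misses[0]
            # Both conditions must hold: enough consecutive misses, and the
            # run must be spread over more than dead-interval seconds.
            # Assumption: the run is measured from its first timeout.
            if len(self.misses) >= self.dead_count and span > self.dead_interval:
                self.state, self.down_since = "Down", now
        return self.state

    def on_response(self, now: float) -> str:
        """Record one response packet from the server."""
        self.poll(now)
        if self.state == "Down" and not self.slow_recovery:
            self.state, self.down_since = "Up", None  # default: immediate recovery
        if self.state == "Up":
            self.misses.clear()  # a response ends the consecutive run
        return self.state


def replay(events: List[Tuple[float, str]], **settings) -> List[Tuple[float, str]]:
    """Return the (time, new_state) transitions for (time, 'timeout'|'response') events."""
    server = RadiusServerStatus(**settings)
    transitions = []
    for t, kind in events:
        before = server.state
        after = server.on_timeout(t) if kind == "timeout" else server.on_response(t)
        if after != before:
            transitions.append((t, after))
    return transitions


# Constructed timelines (seconds), not captured from a device.
BURST = [(i * 0.1, "timeout") for i in range(10)]        # 10 misses within 0.9 s
SUSTAINED = [(float(i), "timeout") for i in range(10)]   # 10 misses over 9 s
FLAPPING = SUSTAINED + [(20.0, "response"), (200.0, "response")]

if __name__ == "__main__":
    print("burst:        ", replay(BURST))
    print("sustained:    ", replay(SUSTAINED))
    print("default:      ", replay(FLAPPING))
    print("slow recovery:", replay(FLAPPING, slow_recovery=True))
```

With the defaults, the ten-packet burst inside one second never marks the server Down, while the same count spread over nine seconds does. With slow recovery, the response at 20 s is ignored and the server returns to Up only after dead-time has elapsed.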

Master/Backup Server Selection Policy

  • Master/backup server selection policy when a packet is sent for the first time:

    The master server (which has an internal index of 0) that is Up is selected. If the master server is Down, the server that most recently received packets is selected. If there is no such server, the one that first went Up is searched for based on the server configuration sequence in the server group. If no server is found, the one first configured in the server group is selected.

  • Master/backup server selection policy in retransmission timeout conditions:

    • If a server is already selected and the number of retransmission times has not reached the limit, the server continues to be used for packet transmission.
    • If the number of retransmission times from the master server reaches the limit, the server that received packets most recently is selected. If there is no such server or such a server has sent packets, the next Up backup server is selected using the polling mode. If there is no such server, the next configured backup server is searched for.
    • If the number of retransmission times from a backup server reaches the limit, the next Up backup server is selected using the polling mode. If there is no such server, the next configured backup server is searched for.

Load-Balancing Server Selection Policy

  1. When users go online, the sum of weights of all the RADIUS servers that are in the Up state and have not been used is calculated. If there is no RADIUS server in the Up state, the sum of weights of all the configured RADIUS servers that have not been used is calculated.
  2. If the sum of weights of the RADIUS servers is greater than 0, a random seed is generated with a value smaller than the sum of weights of the RADIUS servers. A server is then selected among the collection of RADIUS servers to send packets based on the value of the random seed and the weights of the RADIUS servers. To be specific, the first RADIUS server that meets the following requirement is selected:

    Sum of weights of all the RADIUS servers before this server ≤ Value of the random seed < (Weight of this server + Sum of weights of all the RADIUS servers before this server)

    For example, there are four servers with the weights 1, 2, 3, and 4, respectively. The sum of weights is 10. The value of the random seed generated ranges from 0 to 9. If the value of the generated random seed is 0, the server with weight 1 is selected. If the value of the seed is 1 or 2, the server with weight 2 is selected. If the value of the seed is 3, 4, or 5, the server with weight 3 is selected. If the value of the seed is 6, 7, 8, or 9, the server with weight 4 is selected.

  3. If the sum of weights of RADIUS servers is 0, a random seed is generated with a value no greater than the number of RADIUS servers. This seed is used for selecting a packet sending server from the collection of RADIUS servers. For example, four servers do not have weights configured. The value of the random seed then ranges from 0 to 3. If the value of the generated random seed is 0, server 1 is selected. If the value of the seed is 1, server 2 is selected. If the value of the seed is 2, server 3 is selected. If the value of the seed is 3, server 4 is selected.
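The three steps above, written out so that the seed-to-server mapping can be checked against the worked examples. This is an added example, not Huawei code: the Server class, the used flag, and the function names are hypothetical, weights are assumed to be non-negative integers, and the unweighted seed range follows the page's example (0 to the number of servers minus 1).

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str            # label used only in this example
    weight: int = 0      # configured weight (0 = no weight configured)
    up: bool = True      # server state as seen by the device
    used: bool = False   # already tried for the current user


def candidate_pool(servers: List[Server]) -> List[Server]:
    """Step 1: unused servers in the Up state; if none, all unused configured servers."""
    unused = [s for s in servers if not s.used]
    up = [s for s in unused if s.up]
    return up or unused


def select_by_seed(pool: List[Server], seed: int) -> Server:
    """Steps 2 and 3: map a seed value onto the candidate pool."""
    total = sum(s.weight for s in pool)
    if total > 0:
        if not 0 <= seed < total:
            raise ValueError("seed must be smaller than the sum of weights")
        before = 0  # sum of weights of all servers before this one
        for server in pool:
            # Inequality from the page: before <= seed < weight + before
            if before <= seed < before + server.weight:
                return server
            before += server.weight
        raise AssertionError("unreachable for non-negative weights")
    if not 0 <= seed < len(pool):
        raise ValueError("seed must be smaller than the number of servers")
    return pool[seed]


def seed_table(servers: List[Server]) -> Dict[int, str]:
    """Every possible seed value and the server it selects."""
    pool = candidate_pool(servers)
    total = sum(s.weight for s in pool)
    return {seed: select_by_seed(pool, seed).name
            for seed in range(total or len(pool))}


def select(servers: List[Server], rng: Optional[random.Random] = None) -> Optional[Server]:
    """Pick a server for one user and mark it as used; None when all were tried."""
    rng = rng or random.Random()  # load distribution only, not a security decision
    pool = candidate_pool(servers)
    if not pool:
        return None
    total = sum(s.weight for s in pool)
    chosen = select_by_seed(pool, rng.randrange(total or len(pool)))
    chosen.used = True
    return chosen


def example_group(weights, down=()):
    """Constructed server group: names server1..serverN with the given weights."""
    return [Server(f"server{i + 1}", w, up=(i + 1) not in down)
            for i, w in enumerate(weights)]


if __name__ == "__main__":
    print(seed_table(example_group([1, 2, 3, 4])))            # the page's weighted example
    print(seed_table(example_group([0, 0, 0, 0])))            # no weights configured
    print(seed_table(example_group([1, 2, 3, 4], down={4})))  # server4 is Down
```

Under the inequality as stated, a server with weight 0 that sits in a group where other servers have weights is never matched by any seed, and a Down server is considered only when no unused server is Up.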

Description for the Attributes of OWN Type

OWN attributes are virtual attributes. They have their own names, encapsulation formats, and supported packets, but lack their own attribute numbers.

OWN attributes are supported only in the device-to-RADIUS direction. They cannot be independently used due to lack of attribute numbers. Before being sent to a RADIUS server, OWN attributes must be converted to other attributes. The numbers of the attributes belong to the original attributes, but the attribute content and formats belong to the OWN attributes. For example, if the radius-attribute translate nas-port hw-own-nas-port-new send command is run, the NAS-Port attribute sent to the RADIUS server uses the HW-Own-NAS-Port-New attribute's content and format.

All the currently defined OWN attributes function similarly to the preceding example. They are implemented by serving as the substitute formats for basic attributes. The following table describes all the available OWN attributes, their supporting status in packets, and their corresponding basic attributes.

| OWN Attribute | Access-Request Packet | Accounting-Request Packet | COA & DM ACK Packet | Basic Attribute |
|---|---|---|---|---|
| HW-Own-NAS-Identify-SIM (OWN-1) | Supported | Supported | Supported | NAS-Identifier (32) |
| HW-Own-NAS-Port-New (OWN-2) | Supported | Supported | Not supported | NAS-Port (5) |
| HW-Own-NAS-Port-Identify-Old (OWN-3) | Supported | Supported | Not supported | NAS-Port-Id (87) |
| HW-Own-Calling-Station-Id-Old (OWN-4) | Supported | Supported | Not supported | Calling-Station-Id (31) |
| HW-Own-Nas-Port-Id-Uppercase (OWN-5) | Supported | Supported | Not supported | NAS-Port-Id (87) |
| HW-Own-NAS-Port-CID (OWN-6) | Supported | Supported | Not supported | NAS-Port (5) |
| Connect-Port-New (OWN-7) | Supported | Not supported | Not supported | Connect-port (128) |
| HW-Own-NAS-Port-QinQ (OWN-8) | Supported | Supported | Not supported | NAS-Port (5) |
| Nas-Port-Id-QINQ-Reverse (OWN-9) | Supported | Supported | Not supported | NAS-Port-Id (87) |

Interface Format for Attributes on a NetEngine 8000 F8 Model

Device models other than NetEngine 8000 F8 each support a maximum of two subcards, so the SubSlot can only be 0 or 1. On NetEngine 8000 F8 models, the SubSlot ranges from 0 to 15. To keep the formats compatible between different models, the following adjustments are made on NetEngine 8000 F8 models for attributes that carry a sub-slot number. (Note: NetEngine 8000 F8 models only have Ethernet interfaces; therefore, only the Ethernet interface format needs to be adjusted.)

  1. For an Attribute of Coupled-Character String Type, the Reserved Number of SubSlot Characters in Its Original Format Where Two Decimal Bytes Are Reserved for the Slot and One Decimal Byte Is Reserved for the SubSlot Number Is Insufficient

    For example, the original format of Acct-Session-ID version1 is as follows:

    host-name (7) +Slot (2)+SubSlot (1) +port-number (2) +{VPI (4) +VCI (5), outer-VLAN-ID (4) +inner-VLANID (5) }+CPUTICK (6 bytes in hexadecimal notation) +user-connection-index (6 bytes in hexadecimal notation)

    The following attributes have a similar format to the example format:

    • Acct-Session-Id(44), including version1 and EDSG service's Acct-Session-Id
    • Connect-port(128)
    • Connect-Port-New(OWN-7)

    Implementation on the NetEngine 8000 F8 model: Slot is cut to 1 byte, and the SubSlot is extended to 2 bytes. For detailed formats, see Radius Attributes Description.

  2. For an Attribute of Coupled-Character String Type, Its Original Format Does Not Limit the Length of the SubSlot; or, the Reserved Number of SubSlot Characters in Its Original Format Is Sufficient

    The available formats are as follows:

    • Example attribute format: slot-id/SubSlotID/PortID

      The following attributes have a similar format to the example format:

      • Acct-Session-Id(44): version5
      • NAS-Port-Id(87)
      • HW-Own-Nas-Port-Id-Uppercase(OWN-5)
      • Calling-Station-Id(31)
      • User-Name(1): when automatically generated using physical information

      Implementation on the NetEngine 8000 F8 model: The attribute format remains unchanged except that the length of the SubSlot is automatically extended. For detailed formats, see Radius Attributes Description.

    • Example attribute format: slot=slot-id;subslot=SubSlotID;port=PortID

      The following attributes have a similar format to the example format:

      • NAS-Port-Id(87)

      • HW-Own-Nas-Port-Id-Uppercase(OWN-5)

      • Nas-Port-Id-QINQ-Reverse(OWN-9)

      Implementation on the NetEngine 8000 F8 model: The attribute format remains unchanged except that the length of the SubSlot is automatically extended. For detailed formats, see Radius Attributes Description.

    • Example attribute format: slot-id.SubSlotID

      The following attribute has a similar format to the example format:

      User-Name(1): when automatically generated using physical information

      Implementation on the NetEngine 8000 F8 model: The attribute format remains unchanged except that the length of the SubSlot is automatically extended. For detailed formats, see Radius Attributes Description.

    • Format where no delimiter lies between fields and the reserved number for the SubSlot is sufficient

      The following attribute fits the preceding format:

      HW-Own-NAS-Port-Identify-Old(OWN-3)

      Implementation on the NetEngine 8000 F8 model: The attribute format remains unchanged. For detailed format, see Radius Attributes Description.

  3. For an Attribute of Coupled-Integer Type, the Reserved Number of SubSlot Characters in Its Original Format Is Insufficient

    In the HW-Own-NAS-Port-QinQ attribute format, the Slot occupies 3 bits, and SubSlot occupies 1 bit.

    ETH interface: slot-id (3bit) +SubSlot (1bit) +PortID (4bit) +QinQVLAN (12bit) +VLAN (12bit)

  4. Confusion Between a Common Interface on a NetEngine 8000 F8 Model and a Trunk Interface When the SubSlot Is Fixed at 2 (or 0 in Some Attribute Formats)

    Confusion means that when SubSlot is 2 or 0, users cannot determine whether the interface is a common interface on a NetEngine 8000 F8 model or a trunk interface.

    Run the nas logic-port port-type slot-id SubSlotID PortID command to configure a logical interface on the trunk interface's BAS interface.

Reasons for User Offline


Reasons for User Offline Defined by Standard Protocol

| Subcode | Description |
|---|---|
| 1 | User request to offline |
| 2 | Lost carrier |
| 3 | Lost service |
| 4 | Idle timeout |
| 5 | Session timeout |
| 6 | Admin reset |
| 7 | Admin reboot |
| 8 | Port error |
| 9 | Nas error |
| 10 | Nas request to offline |
| 11 | Nas reboot |
| 12 | Port unneeded |
| 13 | Port preempted |
| 14 | Port suspend |
| 15 | Service unavailable |
| 16 | Callback user |
| 17 | User info error |
| 18 | Host request to offline |

Sub-Codes for User Offline Reasons Defined by Huawei

Table 1-1497 Common Reasons for User Offline

| Code | Subcode | Description |
|---|---|---|
| SC_PROTOCOL_USER_REQUEST (1) | 19 | User request to offline |
| | 21 | PPP user request |
| | 34 | EAPOL user request |
| | 65 | Web user request |
| | 69 | DHCP release |
| | 70 | DHCP decline |
| | 95 | FTP with user switch |
| | 110 | Gateway different from former |
| | 156 | L2TP request offline |
| | 168 | WLAN cuts DHCP old user |
| | 272 | Realloc ip timeout |
| | 273 | Lease renewal timeout for short-leased users |
| | 367 | Mac user ppp preferred |
| | 435 | Radius client request |
| | 555 | Receive LCP terminate request from user while LCP negotiating. |
| | 556 | Receive LCP terminate request from user after IPCP negotiation. |
| | 558 | Receive PADT packet from user. |
| | 674 | Physical link down. |
| SC_PROTOCOL_LOST_CARRIER (2) | 22 | PPP with echo fail |
| | 29 | ARP with detect fail |
| | 36 | EAPOL with echo fail |
| | 49 | WEBS with heartbeat fail |
| | 162 | Tunnel with session null |
| | 166 | No response of control packet from peer |
| | 177 | ND Detect Fail |
| | 275 | DHCP with MTU limit |
| | 432 | L2TP wait control ack from peer timeout |
| SC_PROTOCOL_LOST_SERVICE (3) | 27 | LNS request |
| | 152 | L2TP peer cleared tunnel |
| | 154 | LNS cleared session |
| | 155 | LNS clearing session error |
| SC_PROTOCOL_IDLE_TIMEOUT (4) | 90 | Idle cut |
| SC_PROTOCOL_SESSION_TIMEOUT (5) | 88 | AAA with flow limit |
| | 93 | Session time out |
| SC_PROTOCOL_ADMIN_RESET (6) | 40 | SRVCFG cut command |
| | 87 | AAA cut command |
| | 91 | AAA with radius server cut command |
| | 158 | CLI clear tunnel |
| SC_PROTOCOL_PORT_ERROR (8) | 59 | CM with Ifnet down |
| | 102 | Board remove |
| | 103 | Card remove |
| | 104 | Slot down |
| | 148 | PPP pvc interface down |
| | 149 | PPP VE interface down |
| | 353 | CM with Ifnet ipv6 protocol down |
| SC_PROTOCOL_NAS_ERROR (9) | 79 | AAA with message send fail |
| | 159 | L2TP checking SCCRP error |
| | 160 | L2TP checking ICRP error |
| SC_PROTOCOL_NAS_REQUEST (10) | 1 | User request to offline |
| | 2 | Lost carrier |
| | 3 | Lost service |
| | 4 | Idle timeout |
| | 5 | Session timeout |
| | 6 | Admin reset |
| | 7 | Admin reboot |
| | 8 | Port error |
| | 9 | Nas error |
| | 10 | Nas request to offline |
| | 11 | Nas reboot |
| | 12 | Port unneeded |
| | 13 | Port preempted |
| | 14 | Port suspend |
| | 15 | Service unavailable |
| | 16 | Callback user |
| | 17 | User info error |
| | 18 | Host request to offline |
| | 25 | PPPOE with ethernet interface down |
| | 26 | L2TP with cut command |
| | 33 | Interface down |
| | 41 | MCC with IGMP request |
| | 43 | MCC with route delete |
| | 44 | MCC with IGMP disable |
| | 45 | MCC with level 2 devise leaving |
| | 46 | MCC with PVLAN Attribute change |
| | 48 | MCC with MG attribute change |
| | 50 | Webs with Realloc IP Address fail |
| | 51 | AM with lease timeout |
| | 53 | AM with Renew lease timeout |
| | 54 | CM with l2tp session fail |
| | 55 | CM with login fail |
| | 57 | CM with access limit |
| | 58 | CM with time out |
| | 60 | CM with IP address alloc fail |
| | 67 | DHCP with server nak |
| | 68 | DHCP with server no response |
| | 71 | DHCP with IP address conflict |
| | 74 | AAA with logout fail |
| | 75 | AAA with force MG offline fail |
| | 77 | AAA with user information error |
| | 78 | AAA with realtime accouting fail |
| | 80 | AAA reauthen stop accounting |
| | 81 | Server trigger reauthen stop accounting |
| | 82 | AAA with start accounting fail |
| | 83 | AAA with Authentication no response |
| | 84 | AAA with authorization data error |
| | 86 | AAA access limit |
| | 89 | AAA with local bill pool no space |
| | 92 | AAA with stop accounting fail |
| | 94 | AAA with update fail |
| | 96 | FTP with service closing |
| | 97 | FTP with server closed |
| | 98 | FTP with server idle timeout |
| | 99 | FTP with user login fail |
| | 100 | FTP with receive data fail |
| | 101 | Interface delete |
| | 105 | IP address conflict |
| | 106 | MAC address conflict |
| | 108 | DHCP wait client packet timeout |
| | 119 | DHCP illegal ip range |
| | 121 | DHCP invalid IP pool info |
| | 122 | DHCP storing pool info failed |
| | 130 | DHCP receive discover from a working user |
| | 135 | AAA with radius decode fail |
| | 139 | DHCP lease timeout |
| | 142 | Layer2-VPN down |
| | 143 | Board on Master removed |
| | 144 | Card on Master removed |
| | 145 | Interface on Master down |
| | 146 | PPP negotiate fail |
| | 150 | VPDN license not enable |
| | 151 | Authenticate fail |
| | 161 | LNS challenge us but password is null |
| | 164 | L2TP send ICRQ fail |
| | 165 | L2TP send ICCN fail |
| | 169 | PPP user over LNS request |
| | 170 | LAC clear tunnel |
| | 171 | LAC clear session |
| | 172 | CLI clear tunnel |
| | 173 | LNS clear tunnel |
| | 174 | LNS clear session |
| | 175 | LNS send fail |
| | 176 | LNS clear group |
| | 182 | RUI user request offline |
| | 183 | MP main users offline, then cut all sub users |
| | 184 | MP sub user down |
| | 185 | Netmask assigned by RDS error(Route conflict) |
| | 186 | Netmask assigned by RDS error(Value invalid) |
| | 189 | VRRP change to slave |
| | 190 | The domain has not bound ip-pool or ipv6-pool |
| | 199 | Not config prefix in domain |
| | 200 | CM with Framed IP address invalid |
| | 203 | Unmatched Vpn-Instance |
| | 205 | Domain disable remote backup |
| | 207 | local no this user |
| | 208 | AAA send authen request fail |
| | 209 | Local authen reject |
| | 210 | Local author reject |
| | 213 | layer2 leased line config delete |
| | 271 | DHCP repeat packet |
| | 274 | Dhcp server speed limit |
| | 278 | RUI request offline |
| | 303 | Not bind IPv6 pool or ip alloc fail |
| | 304 | UCM failed to apply resource for trunk user |
| | 305 | UCM failed to update work-slot of trunk-interface user |
| | 306 | UCM failed to update QoS resource of trunk-interface user |
| | 319 | DHCPV6 wait UCM timeout |
| | 320 | DHCPV6 wait client timeout |
| | 321 | DHCPV6 ip alloc fail |
| | 322 | DHCPV6 client decline |
| | 323 | DHCPV6 client release |
| | 325 | Block domain force user to offline |
| | 326 | CM with AAA auth ack time out |
| | 329 | CM with AMV6 ipv6 ack time out |
| | 330 | CM with AM ip ack time out |
| | 331 | CM with PPP conn up time out |
| | 332 | CM with DHCPACC conn up time out |
| | 333 | CM with DHCPv6 conn up time out |
| | 334 | CM with MSEADA cib ack time out |
| | 335 | CM with ARP detect ack time out |
| | 336 | CM with AAA ipv6 update ack time out |
| | 337 | CM with AAA logout ack time out |
| | 338 | CM with WEB logout resp time out |
| | 339 | CM with MSEADA update workslot time out |
| | 341 | DHCPV6 wait server timeout |
| | 352 | DHCPV6 lease expired |
| | 365 | Author of IP address and ip include conflict |
| | 366 | CM with PPP ipv6 conn up time out |
| | 381 | IP alloc fail for trigger user |
| | 382 | Radius alloc incorrect IP |
| | 386 | AMV6 with assigning ipv6 address conflicted |
| | 387 | DHCPV6 repeat solicit |
| | 388 | CM with DHCPv6 conn request time out |
| | 389 | The vrf of domain is not accord with the pool |
| | 392 | CGN Board reset |
| | 416 | Receive L2TP Session break message from peer LAC |
| | 417 | Receive L2TP Tunnel break message from peer LAC |
| | 422 | L2TP tunnel idle cut |
| | 528 | Fail to get AP MAC |
| | 529 | Get unnumbered loopback failed |
| | 530 | RADIUS server delivered the denial of renewal flag |
| | 541 | Session group virtual user offline |
| | 560 | OFFER packet contains a gateway IP address |
| | 561 | OFFER packet contains an IP address not on user segment |
| | 562 | OFFER packet contains an IP address being used |
| | 563 | OFFER packet contains a conflicting IP address |
| | 564 | OFFER packet has an IP address being used by PPPoE user |
| | 565 | ACK packet contains a gateway IP address |
| | 566 | ACK packet contains an IP address being used |
| | 567 | ACK packet contains a conflicting IP address |
| | 568 | ACK packet has an IP address being used by PPPoE user |
| | 569 | RADIUS allocated address not matching the trigger one |
| | 570 | No available pool for the Layer3 DHCP user |
| | 571 | No available pool for the Layer2 DHCP user |
| | 572 | Server-Identifier in packet is not the local device |
| | 573 | DHCP wait authentication reply timeout |
| | 574 | DHCP wait Up reply timeout |
| | 575 | Fail to alloc specified IP address for RUI |
| | 576 | No available pool |
| | 577 | The idle addresses conflict with those used by other users |
| | 578 | ACK contains a gateway IP address not matching the user's |
| | 579 | ACK packet contains a mask not matching the user's |
| | 580 | DHCP Server no response. |
| | 581 | ACK packet contains an IP address not on user segment |
| | 582 | ACK packet has an IP address being used by other user |
| | 583 | IP address record fail on local device |
| | 586 | The memory reached the restart threshold |
| | 594 | Deny padi by ACL |
| | 595 | Pppoe chasten |
| | 596 | Fail to process padi |
| | 597 | Fail to process padr |
| | 598 | Drop padi or padr for backup rui |
| | 599 | Packet version or type is wrong |
| | 600 | Create pppinfo fail |
| | 601 | Deny discover packet by ACL |
| | 602 | Drop discover packet for ip pool is synchronizing |
| | 603 | Drop discover packet with Option54 |
| | 604 | Fail to process DHCP Discover packet |
| | 640 | User have no overlap pool |
| | 655 | No available pool for DHCPV6 |
| | 656 | IPv6 address is over limit |
| | 657 | IPv6 address is over limit on slot |
| | 658 | User is over IP stack limit |
| | 659 | GTL license limit |
| | 665 | The number of users exceeds limit |
| | 666 | This device does not support bas |
| | 667 | CGN instance down |
| | 669 | Master slot of CGN instance is unavailable |
| | 675 | Number of users exceeded the spec which the device is able to support |
| | 676 | Update PPP user conflict with others |
| | 677 | Update PPP user, it reached the MAC session limit |
| | 679 | Get a challenge from peer LNS, but the password of local tunnel is null |
| | 682 | Framing capability is invalid from LNS SCCRP |
| | 683 | Receive window size is invalid from LNS SCCRP |
| | 684 | Receive unsupported AVP from LNS |
| | 685 | Chap response from lns doesn't pass authentication |
| | 686 | The DAA user inbound car apply fail |
| | 687 | The DAA user outbound car apply fail |
| | 688 | The DAA user both direction car apply fail |
| | 689 | Server has no free ip for rui user |
| | 690 | Server select pool failed for rui user |
| | 691 | IP address conflict with Giaddr of the ip pool |
| | 696 | Pwve-access interface bas disable |
| | 710 | UP blocked |
| | 711 | Cusp state down |
| | 712 | Framed IP conflicts with IP of interface |
| | 713 | UP VPN instance not exist |
| | 714 | CP and UP vpn relate fail |
| | 717 | subscriber:fq:Unsupported fq name. |
| | 740 | DHCPv6 user trigger fail for server configuration unconsistent |
| | 741 | ND user trigger fail for server configuration unconsistent |
| | 743 | Alloc Tunnel ID Fail |
| | 744 | L2TP NOT Enable or No L2TP License when processing SCCRQ |
| | 745 | There is no host name in SCCRQ |
| | 746 | Get L2TP group fail from host name when processing SCCRQ |
| | 747 | L2TP NOT Enable or No L2TP License when processing ICRQ |
| | 748 | Tunnel down when processing ICRQ |
| | 749 | CHAP authentication of the Web user is denied |
| | 752 | WEB authentication request is denied when processing authentication request |
| | 756 | Layer3-subscriber does not support pd user |
| | 757 | Relay Forward have no valid linkaddress |
| | 773 | Static users fail to occupy exclusive address pool |
| | 774 | Static user access from shared address pool failed |
| | 775 | Add nat user data fail(IP Access User Limit) |
| | 782 | The number of services exceeds limit |
| | 789 | Prefix conflict with same option |
| | 790 | Prefix conflict with different option |
| | 791 | CGN user does not support warm-standby switch |
| | 792 | Portswitch fail for reach slot access limit or slave interface not prepared |
| | 793 | Radius authorize invalid vlan |
| | 831 | IP address conflict with static bind |
| | 832 | IP address status is disable |
| | 833 | RADIUS server delivered zero lease |
| | 834 | AMv6 with check fail |
| | 835 | Configuration recovery is not complete when processing SCCRQ |
| | 836 | Multi-sessions per-mac exceed the maximum |
| | 837 | The shared-key of RADIUS server has not been config |
| | 838 | The route cost of the tunnel source interface bound to the L2TP group is invalid. |
| | 839 | DHCP users option82 mismatch |
| | 840 | DHCPV6 check fail. |
| | 841 | The authenticator header of the RADIUS response packet is invalid. |
| | 842 | PCP port range specified by RADIUS is out of reserved scope. |
| | 843 | Invalid PCP port range. |
| | 844 | Fail to allocate PCP port. |
| | 845 | Dynamic Pool is not supported by Radius |
| | 846 | Ucm receive repeated dhcpv6 connect request |
| | 847 | Web user logout, pre-domain IPV6 authorization disabled. |
| | 848 | AM with smooth fail |
| | 849 | A subnet conflict occurred in the dynamic address pool |
| | 850 | The vBRAS-UP specification is exceeded during a switchover in warm backup mode |
| | 851 | The number of users on the vBRAS-UP exceeds the specification |
| | 852 | The number of IP stacks on the vBRAS-UP exceeds the specification |
| | 853 | The number of IPv6 addresses on the vBRAS-UP exceeds the specification |
| | 854 | CM with AAA start acct ack time out. |
| | 855 | Receive PADI packet from user while user online |
| | 856 | An IPv4 static user has a higher priority than the dynamic user with the same MAC address |
| | 857 | Port switch preprocessing fails during the PWVE online process |
| | 858 | Port switch preprocessing fails during the PWVE offline process |
| | 859 | DHCPv6 proxy lease expired |
| | 860 | The IP address assigned in the offer packet is inconsistent with that of the online user |
| | 861 | Disaster recovery group role change to slave |
| | 862 | AMV6 with smooth fail |
| | 863 | No service location is available |
| | 864 | Interface information is invalid during a switchover in warm backup mode |
| | 865 | License not enable during a switchover in warm backup mode |
| | 866 | Authentication methods are different during a switchover in warm backup mode |
| | 867 | Access data is invalid during a switchover in warm backup mode |
| | 868 | Qos information is different during a switchover in warm backup mode |
| | 869 | The address pool bound to the domain does not match the address pool bound to the interface. |
| | 870 | Virtual MAC does not exist in peer CP |
| | 871 | Virtual MAC conflicts with peer CP |
| | 872 | Acct-Session-Id conflict |
| | 873 | MSEADA failed to download table |
| | 898 | Number of users exceeded the spec which the instance is able to support |
| | 899 | Number of users exceeded the spec which the loadbalance instance is able to support |
| | 900 | Wait local dhcp server alloc ip time out |
| | 901 | Send message to local dhcp server failed |
| | 902 | IP address is smoothing |
| SC_PROTOCOL_SERVICE_UNAVAILABLE (15) | 107 | L2TP service is unavailable |
| SC_PROTOCOL_USER_ERROR (17) | 23 | PPP with authentication fail |
| | 35 | EAPOL with authentication fail |

Table 1-1498 Rare Reasons for User Offline

| Code | Subcode | Description |
|---|---|---|
| SC_PROTOCOL_LOST_CARRIER (2) | 523 | ND table synchronization fails |
| SC_PROTOCOL_SESSION_TIMEOUT (5) | 312 | EAPOL server session timeout |
| SC_PROTOCOL_ADMIN_RESET (6) | 72 | DHCP free lease with command |
| SC_PROTOCOL_NAS_ERROR (9) | 38 | EAPOL with nas error |
| | 64 | CM with Nas error |
| | 76 | AAA with memory alloc fail |
| | 85 | AAA with timer create fail |
| | 153 | L2TP FSM error |
| | 163 | L2TP inner error |
| | 167 | L2TP other error |
| | 342 | L2TP alloc sessionid fail |
| | 343 | L2TP alloc tunnelid fail |
| | 344 | L2TP init tunnel struct fail |
| | 345 | L2TP rebuild tunnel fail |
| | 346 | L2TP download lac fib fail |
| | 347 | L2TP send SCCRQ fail |
| | 349 | L2TP get tunnel fail |
| | 350 | L2TP remote slot |
| | 427 | L2TP send connect up message fail |
| | 428 | L2TP send SCCCN fail |
| | 430 | L2TP SCCRQ check fail |
| | 431 | L2TP SCCRP send fail |
| SC_PROTOCOL_NAS_REQUEST (10) | 20 | Connect check fail |
| | 24 | PPP with connect check fail |
| | 28 | L2TP with connect check fail |
| | 30 | ARP with table full |
| | 31 | ARP with connect check fail |
| | 32 | ARP with start detect fail |
| | 37 | EAPOL with connect check fail |
| | 39 | SRVCFG with connect check fail |
| | 42 | MCC with nas error |
| | 47 | MCC with mvlan update fail |
| | 52 | AM with check fail |
| | 56 | CM with start arp detect fail |
| | 61 | CM with add to FC fail |
| | 62 | CM with FC connect check fail |
| | 63 | CM with AAA connect check fail |
| | 66 | Abnormal logout request packet |
| | 73 | DHCP with unknown error |
| | 109 | DHCP cib syn error |
| | 111 | DHCP memory error |
| | 112 | DHCP relay discovery pkt fail |
| | 113 | DHCP create timer fail |
| | 114 | DHCP generate discover pkt fail |
| | 115 | DHCP generate request pkt fail |
| | 116 | DHCP send ack pkt fail |
| | 117 | DHCP send offer pkt fail |
| | 118 | DHCP send message fail |
| | 120 | DHCP packet info did not match |
| | 123 | DHCP caching client packet failed |
| | 124 | DHCP storing user info failed |
| | 125 | DHCP distributing route failed |
| | 126 | DHCP retrieved unexpected IP address |
| | 127 | DHCP allocating IP from local pool failed |
| | 128 | DHCP user state timeout |
| | 129 | DHCP receive other client's request packet |
| | 131 | DHCP failed to relay selectReq to server |
| | 132 | DHCP sending reboot pkt fail |
| | 133 | MSEADA with user added fail |
| | 134 | MSEADA with cib checked fail |
| | 136 | AAA with HQOS filled fail |
| | 137 | AAA with pool filled fail |
| | 138 | MSEQOS with SQ reserved fail |
| | 140 | Failed to realtime backup |
| | 141 | Layer2 leased line down |
| | 147 | PPP up recv lcp again |
| | 157 | L2TP connect check fail |
| | 178 | ND Table Check Fail |
| | 179 | ND send ipv6 request message fail |
| | 180 | ND Add Prefix Fail |
| | 181 | Prefix Aging |
| | 187 | MIP check fail |
| | 188 | MP first link down |
| | 191 | Clear VSI, BCP users offline |
| | 192 | Reserved |
| | 193 | Update TBMASK fail |
| | 194 | Add ELB fail |
| | 195 | Not support BCP access |
| | 196 | Delete ELB fail |
| | 197 | Clear mac fail |
| | 198 | UCM beyond vsi limit |
| | 201 | RUI users create ppp table fail |
| | 202 | RUI users delete ppp table fail |
| | 204 | Reserved |
| | 206 | SRVCFG failed to process |
| | 211 | Reserved |
| | 212 | AAA service change |
| | 214 | Fail to transport access type |
| | 215 | Fail to check ucm oper |
| | 216 | Fail to Init cib list |
| | 217 | Fail to Init Cib |
| | 218 | Fail to add mac hash |
| | 219 | Fail to add ip hash |
| | 220 | Fail to set local cid from global cid |
| | 221 | Fail to add internal pfb |
| | 222 | Fail to trans access type |
| | 223 | Fail to check ucm oper message |
| | 224 | Fail to del internal pfb |
| | 225 | Fail to del mac hash |
| | 226 | Fail to del ip hash |
| | 227 | Fail to check ucm oper message when modify |
| | 228 | Fail to get cib item when modify |
| | 229 | Fail to set local CID from gloabal cid |
| | 230 | Fail to update internal pfb |
| | 231 | Fail to update qos para |
| | 232 | Fail to add user mac |
| | 233 | Fail to add arp |
| | 234 | Fail to add l2tp lac fwd table |
| | 235 | Fail to add l2tp lns fwd table |
| | 236 | Fail to add l2tp lts fwd table |
| | 237 | Fail to add elabel map |
| | 238 | Fail to add outsegment table |
| | 239 | Fail to add insegment table |
| | 240 | Fail to qinq user oper |
| | 241 | Trunk is no member |
| | 242 | Fail to resource Apply |
| | 243 | Fail to set qos data |
| | 244 | Fail to apply stat ingress res |
| | 245 | Fail to apply stat egress res |
| | 246 | Fail to apply new user mac index |
| | 247 | Fail to apply new arp index |
| | 248 | Fail to appy car id |
| | 249 | Fail to apply user-queue resource |
| | 250 | The label cell is null |
| | 251 | Fail to apply qos resource |
| | 252 | Fail to apply qos res by host |
| | 253 | Fail to apply qos res ingress |
| | 254 | Fail to apply stat res |
| | 255 | Fail to apply staid ingress |
| | 256 | Fail to apply statid egress |
| | 257 | Fail to apply stat res ingress |
| | 258 | Fail to apply qos res egress |
| | 259 | Fail to apply qos res by location |
| | 260 | Fail to apply qos res by hash |
| | 261 | Fail to apply qos res by c-vlan |
| | 262 | Fail to apply qos res by lease line |
| | 263 | Fail to manage internal qos resource |
| | 264 | Fail to portal add user info |
| | 265 | Fail to add qos param |
| | 266 | Fail to download out bound SQ id |
| | 267 | Fail to add fwd table |
| | 268 | Fail to add internal product main fwd entry |
| | 269 | Fail to add node fresh list |
| | 270 | Fail to deliver QoS parameters |
| | 276 | RUI trigger to delete pppoe cib failed |
| | 277 | RUI trigger to create pppoe cib failed |
| | 279 | User info is conflict with rui user |
| | 280 | Rui is disable in the domain |
| | 281 | Fail to get rui user info |
| | 282 | Record in aaa of rui authentication request is null |
| | 283 | Fill rui user information fail |
| | 284 | Fill rui user ip pool fail |
| | 285 | Fill rui user qos profile fail |
| | 286 | RUI request cold backup user offline for slave |
| | 287 | IPv6 address allocation failed because of inner cause |
| | 288 | No prefix available |
| | 289 | No IPv6 address available |
| | 290 | IPv6 address conflicts too much times |
| | 291 | No available prefix for conflicts of the interface id specified by radius |
| | 292 | User expected a wrong prefix length |
| | 293 | MSEADA fail update qos resource |
| | 294 | MSEADA fail update work slot |
| | 295 | MSEADA success update work slot |
| | 296 | Failed to update ip address for ip type mismatch |
| | 297 | Failed to update user mac table |
| | 298 | AAA update ipv6 address fail |
| | 299 | UCM failed to send ipv6 update message to AAA |
| | 300 | UCM failed to send ipv6 update message to MSEADA |
| | 301 | UCM update ipv6 address fail |
| | 302 | UCM with framed IPv6 address invalid |
| | 307 | MSEADA failed to download session table |
| | 308 | MSEADA failed to download uaib table |
| | 309 | MSEADA failed to download cib table |
| | 310 | MSEADA failed to add cid from vcd |
| | 311 | DHCPV6 check fail |
| | 313 | UCM portswitch process fail |
| | 314 | UCM portswitch preprocess fail |
| | 315 | MSEADA portswitch process fail |
| | 316 | MSEADA portswitch process timeout |
| | 317 | MSEADA set user num of interface fail |
| | 318 | MSEADA portswitch notify access module fail |
| | 324 | DHCPV6 inner error |
| | 327 | Get Interface Linklocal Addr Failed |
| | 328 | Base service address alloc failed |
| | 340 | IPv6 static user has a higher priority than dynamic user with same mac |
| | 348 | L2TP session limit |
| | 351 | Failed to switch workslot for user is not up |
| | 354 | MSEADA failed to get lns info |
| | 355 | MSEADA failed to download l2tp global table |
| | 356 | MSEADA failed to download l2tp global table |
| | 357 | MSEADA failed to get pfb data |
| | 358 | MSEADA failed to download dual user table |
| | 359 | AAA with DAA QOS filled fail |
| | 360 | Fail to get ppp info when modify |
| | 361 | PPP is already down when modify |
| | 362 | Failed to add user to board for user is not up |
| | 363 | Authentication method error on bas interface |
| | 364 | EAP connection down |
| | 368 | GTL license needed |
| | 369 | Online user number exceed GTL license limit |
| | 370 | User access speed too fast |
| | 371 | Bas interface access limit |
| | 372 | Wait cib ack time out |
| | 373 | Wait EAPOL auth request time out |
| | 374 | Wait EAPOL down ack time out |
| | 375 | Wait WEB auth request time out |
| | 376 | Wait WEB down ack time out |
| | 377 | Wait WEB user ack time out |
| | 378 | Wait PPP auth request time out |
| | 379 | Wait L2TP connection up time out |
| | 380 | Wait DHCP connection request time out |
| | 383 | Board type does not support user access |
| | 384 | Slot blocked |
| | 385 | Fail to switch workslot for slotcid is invalid |
| | 390 | Get dslite info error |
| | 391 | Get nat info error |
| | 393 | CM with CGN ack time out |
| | 394 | Add nat user data fail |
| | 395 | Add nat user data fail(Input Error) |
| | 396 | Add nat user data fail(Create User Fail) |
| | 397 | Add nat user data fail(Port PreAlloc Fail) |
| | 398 | Add nat user data fail(Syn User To Spu Fail) |
| | 399 | Not Find User When Del CGN User |
| | 400 | Add nat user data fail(Search Public Addr Fail) |
| | 401 | IPv4 user basic ip type and author mismatch |
| | 402 | IPv6 user basic ip type and author mismatch |
| | 403 | Add nat user data fail(add slave user fail) |
| | 404 | Add nat user data fail(public resource conflict) |
| | 405 | IPv6 PD user basic ip type and author mismatch |
| | 406 | IPv6 user managed flag error |
| | 407 | CM with CGN modify time out |
| | 408 | L2TP RUI IN BATCH BACKUP |
| | 409 | Fail to download daa car param |
| | 410 | Fail to apply daa qos resource |
| | 411 | Fail to apply daa inbound qos resource |
| | 412 | Fail to apply daa outbound qos resource |
| | 413 | Fail to apply count resource |

414

Static on-line user with the same mac exists

415

Packet Authenticator Error

418

Basic stack IPv6 address alloc fail

419

Basic stack PD prefix alloc fail

420

L2TP test tunnel ok

421

L2TP test tunnel NG

423

L2TP tunnel time out

424

General error occured in modify process

425

CM with user blocked

426

L2TP local clear tunnel

429

L2TP wait auth ack timeout

433

Up to user max session

434

Can not get all of authorized IP address

436

IPv4 authentication method error

437

IPv6 authentication method error

438

DHCPv6(IANA) can't access with ND at the same time

439

PPP IPCP negotiate fail

440

PPP IPv6CP negotiate fail

441

ND address conflict

442

ND Repeat Request

443

CGN auto cut

444

The ds-lite tunnel prefix length is inconsistent with the user's

445

L2TP Tunnel password error

446

L2TP Tunnel authentication fail

447

User's password expired

448

The VPN to which the subscriber belongs has been deleted.

449

DHCPV6 packet speed limit

450

PPP IPCP terminate

451

PPP IPv6CP terminate

452

The number of users on this slot exceeds limit

453

Fail to save ucm message data

454

The number of classifiers in a packet exceeded the specification

455

The number of classifiers in a packet exceeded the specification

456

The same classifiers could not use different behavior names

457

The number of classifiers delivered by a device exceeded the specification

458

The number of user groups of a device exceeded the specification

459

The number of classifier referenced by all-user exceeded the specification

460

The number of classifier referenced by per-user exceeded the specification

461

The number of the classifier's rules exceeded the specification

462

The attribute identifiers were not registered

463

The ACL type was invalid

464

The classifier name was invalid

465

The behavior name was invalid

466

The optype value was invalid

467

The ruleid value was invalid

468

The sipv4 value was invalid

469

The sipv6 value was invalid

470

The dipv4 value was invalid

471

The dipv6 value was invalid

472

The ss-group value was invalid

473

The ss-group does not exist

474

The su-group value was invalid

475

The su-group does not exist

476

The value of the ds-group was invalid

477

The ds-group does not exist

478

The du-group value was invalid

479

The du-group does not exist

480

The proto value was invalid

481

The sport value was invalid

482

The dport value was invalid

483

The sport-range value was invalid

484

The dport-range value was invalid

485

The pre value was invalid

486

The tos value was invalid

487

The dscp value was invalid

488

The tcpflag value was invalid

489

The remark-dscp value was invalid

490

The value of remark-ipv6-dscp was invalid

491

The remark-8021p value was invalid

492

The dir value was invalid

493

An ACL delivered multiple duplicate attributes

494

The parameters delivered could not be the same

495

An unregistered attribute was displayed in RC

496

The protocol was not TCP when the tcpflag was delivered

497

The port and protocol type conflicted

498

The address type defined in an ACL and protocol type conflicted

499

The address type defined in an ACL and IP address type conflicted

500

An unregistered attribute was displayed in RB

501

An unregistered attribute was displayed in lc or optype

502

One packet contained multiple optype parameters

503

The lc and other attributes in an ACL were mutually exclusive

504

The permit and deny in an ACL were mutually exclusive

505

The IPV4 and IPv6 in an ACL were mutually exclusive

506

One ACL could not deliver multiple source types

507

One ACL could not deliver multiple destination types

508

The dport and dport-range in one ACL were mutually exclusive

509

The sport and sport-range in one ACL were mutually exclusive

510

The bidirectional parameter and rule ID in an ACL were mutually exclusive

511

The tos or pre parameter and dscp parameter was mutually exclusive

512

Ipv6 and tcp-flag in the same ACL were mutually exclusive

513

IP address alloc fail for IP pool is synchronizing

514

The user was logged out due to web packet attacks

515

LNS Multicast user resource full

518

Fail to create dynamic user-group

519

Dynamic user-group number is full

521

Fail to release the public IP

524

Web fast reply was configured on the L2-aware user access board.

525

IP address conflict

533

IP address conflict

538

Failed to authorize session group user

539

No sub user in session group

540

Username user cannot switch to session group user

542

Session group user doesnot support reauthentication

543

Layer 3 subscriber IP address conflict

548

Undo NAT server

559

Receive PADR packet from user while user online

587

Add nat user data fail When Switch VPN.

588

Delete nat user data fail When Switch VPN.

590

The GQ profile delivered by the RADIUS server does not exist on the device.

591

The user IP address conflicts with the IP address of the RUI backup device

592

Reset NAT users whose public IP addresses were locked

593

Add nat user data fail(Section Lock)

605

Multi-session per-mac for IPoE users is disabled on the backup device

606

Multi-session per-mac for IPoE users is disabled on the master device

607

The address pool is locked

608

There are no address segments in the address pool

609

There are no available addresses in the address pool

610

An incorrect address pool VPN is obtained

611

The address type should not be server

612

The address state is incorrect

613

The address carried in packets fails to be allocated

614

The allocated address is not in the address pool

629

IP address is not a valid user address

631

MSEADA failed to check qvct table

635

Online interface is conflict with family

644

TERM with time out

649

UCM failed to apply resource for virtual-access user

660

Virtual-access remote interface bas disable

661

UCM failed to get resource parameter for virtual-access user smooth

662

UCM failed to get interlink for virtual-access user smooth

668

CGN instance is synchronizing data

670

CM with CGN syn ack time out

671

CM with CGN del ack time out

672

CM failed get nat instance when smooth

673

CM with VSM connect check fail

678

LNS tunnel name doesn't match LAC remote-name

680

Use config to create tunnel with no start lns ip-address

681

Invalid tunnel id from LNS SCCRP

692

UCM failed to apply resource for pwve user

693

UCM failed to apply nhp resource for pwve-access

694

UCM failed to get resource parameter for pwve-access user smooth

695

The user was logged out due to pwve-access interface no nexthop

697

User offline for test command

698

Check user board resource failure

699

MSEADA failed to download user-mac table

700

MSEADA failed to download AIB table

701

MSEADA failed to download CST table

702

CM with qos ack time out

703

CM with qinq ack time out

704

CM with fei ack time out

705

VSM reset section user down

706

Add nat user data fail(slave VPN mismatch)

707

RUI data synchronization

708

Dual previous check failed

709

DHCP server allocated a delayed state address in the RUI-slave address pool

715

The port license is not active

716

CM failed get dslite instance when smooth

718

subscriber:fq:More blanks exist.

719

subscriber:fq:The shaping and shaping-percentage can not be together.

720

subscriber:fq:Shaping range error.

721

subscriber:fq:Pbs range error.

722

subscriber:fq:Unsupported sch.

723

subscriber:fq:Wfq must with weight.

724

subscriber:fq:Non-wfq can't with weight.

725

subscriber:fq:Weight range error.

726

subscriber:fq:Direction error.

727

subscriber:fq:Unsupported function.

728

subscriber:fq:Neither shaping nor sch.

729

subscriber:fq:The ratio of the shaping values exceeds 2000.

730

subscriber:fq:Unsupported user type.

731

subscriber:fq:Incompatible FQ scheme.

732

subscriber:fq:No QoS-profile error.

733

subscriber:fq:Get QoS-profile error.

734

subscriber:fq:Car speed limit error.

735

subscriber:fq:queue in car mode.

736

The number of users on this card exceeds limit

739

Delete domain force user to offline

750

The Web user is authenticated when processing CHAP authentication request

751

The Web user is being authenticated when processing CHAP authentication request

753

The Web user is authenticated when processing authentication request

754

The Web user is being authenticated when processing authentication request

755

Over limit of users and NOT EAP USER

758

Portswitch process fail for synchronize interface information

759

Portswitch process fail for send roam up ack message

760

Portswitch process fail for modify user host router

761

Portswitch process fail for synchronize physical information

762

Portswitch process fail for L2TP process

763

Portswitch preprocess fail for trunk offline process

764

Portswitch preprocess fail for free QOS resource

765

Portswitch preprocess fail for reach slot access limit

766

Portswitch preprocess fail for apply QOS resource

767

Portswitch preprocess fail for trunk online process

768

Portswitch preprocess fail for synchronize physical information

769

Portswitch preprocess fail for reach interface access limit

770

Portswitch preprocess fail for user add access number

771

Portswitch not support dhcpv6 access when switching

772

Switch domain is suppressed because HA is not done

776

FES message queue blocked

777

FEI add service table failed

778

FEI add service action table failed

779

Family is conflict with edsg

780

Family table cannot be created

781

Family table cannot be updated

783

Failed to refresh service table

784

Failed to backup message

785

Failed to apply qos when modify

786

UM wait fei ack time out

787

Access types of the CP and UP do not match

788

Pipeline inner error

794

DB request offline

795

User info is conflict with DB

796

CU does not support L2TP's IPV6 users online.

797

User access conflicts with key configuration modification.

798

L2TP LNS BackupGrp Session Backup Fail

799

UCM failed to apply resource for lns backup user

800

The number of L2NAT users exceeds limit

801

Portswitch preprocess fail for reach interface ip-stack access limit

802

Failed to acquire a valid user name template

803

The UP types do not match for warm backup

804

The interface type does not support warm backup

805

The PW-VE tunnel type must be VXLAN for warm backup.

806

The interface types do not match

807

The access type does not support warm backup

808

The backup interface of the faulty interface fails to be obtained

809

The domain configurations are different for warm backup

810

User info is conflict with online user

811

The interface is not ready now

812

The board is not available

813

The count of IPoE user has reached the maximum number of board

814

Layer 3 static users with vpn-instance switch enabled do not support RUI

815

The address carried in ack packet is different from offer packet

816

L2TP session state synchronization failed during failover

817

L2TP failover recovery failed

818

L2TP failover recovery timed out

819

L2TP tunnel is in the failover recovery phase

820

Vxlan state down

821

DHCP request packet contains a unmatched IP address

822

UCM inner error

823

Failed to resume dynamic subnet from server

825

CGN instance down(static-mapping configured with load-balance)

826

Cold backup user IP address conflict

827

The Dynamic pool has no license and no other pools are avaliable.

828

Incomplete user ip stack

829

No available DHCPV6 server

830

Dynamic subnet conflicts in disaster recovery

874

The RBP resources on the UP plane are insufficient

875

Get warm profile group failed.

876

The ODAP client fails to detect the server

877

Online users on the same interface and in the same VLAN conflict

878

The dynamic subnet has been recycled

879

Failed to add users in N+1 warm backup scenarios.

880

Dynamic server has no subnet with matching length

881

Dynamic server no avaliable subnet

882

User login from basic IP stack times out

883

KeepOnline static user detect fail

884

Login from the second stack (IPv6) is not allowed during port switching

885

The dynamic subnet lease timeout

886

The dynamic subnet renew failed with error subnet state

887

The dynamic subnet renew failed with no exsited subnet

888

Ipv6 address delivered by Radius conflicted with DHCPv6 server pool address

889

The user group from UP is not configured on CP

890

Static mapping bind load balance

891

Up is not ready

892

The address of the online user is different from that assigned by the DHCPv6 server.

893

Dynamic server is smoothing

894

Dynamic server is locked

895

User virtual mac is different with user identifier

896

Radius IP address conflict

897

The IP address carried in the packet sent by the DHCP server is invalid.

903

An Eth-Trunk sub-interface on a vUP is bound to the hot backup group.

Table 1-1499 More Detailed Reasons for User Offline

| Subcode | Description | Subcode | Description |
|---|---|---|---|
| 21 | PPP user request | 559 | Receive PADR packet from user while user online |
| 58 | CM with time out | 560 | OFFER packet contains a gateway IP address |
| | | 561 | OFFER packet contains an IP address not on user segment |
| | | 562 | OFFER packet contains an IP address being used |
| | | 563 | OFFER packet contains a conflicting IP address |
| | | 564 | OFFER packet has an IP address being used by PPPoE user |
| | | 565 | ACK packet contains a gateway IP address |
| | | 566 | ACK packet contains an IP address being used |
| | | 567 | ACK packet contains a conflicting IP address |
| | | 568 | ACK packet has an IP address being used by PPPoE user |
| | | 569 | RADIUS allocated address not matching the trigger one |
| | | 570 | No available pool for the Layer3 DHCP user |
| | | 571 | No available pool for the Layer2 DHCP user |
| | | 572 | Server-Identifier in packet is not the local device |
| | | 573 | DHCP wait authentication reply timeout |
| | | 574 | DHCP wait Up reply timeout |
| 60 | CM with IP address alloc fail | 575 | Fail to alloc specified IP address for RUI |
| | | 576 | No available pool |
| | | 577 | The idle addresses conflict with those used by other users |
| | | 578 | ACK contains a gateway IP address not matching the user's |
| | | 579 | ACK packet contains a mask not matching the user's |
| | | 580 | DHCP Server no response. |
| | | 581 | ACK packet contains an IP address not on user segment |
| | | 582 | ACK packet has an IP address being used by other user |
| | | 583 | IP address record fail on local device |
| 571 | No available pool for the Layer2 DHCP user | 897 | The IP address carried in the packet sent by the DHCP server is invalid. |

More Information About HW-Data-Filter (82)

The HW-Data-Filter attribute delivers classifier-behavior pairs, which allows ACLs to be delivered dynamically. These ACLs have a higher priority than those configured locally.

Format of the HW-Data-Filter Attribute

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|    Type(26)   |    Length     |         Vendor ID(0000)       |
|               | 6+VendorLength|                               |
+---------------+---------------+---------------+---------------+
|         Vendor ID(2011)       |Vendor Type(82)| Vendor Length |
+-------------------------------+---------------+---------------+
|           String
+---------------------------------------------------------------+
  • Vendor Length: 1–249 bytes, including the two bytes occupied by Vendor Type and Vendor Length. The String length is therefore Vendor Length minus two bytes, and is up to 247 bytes.
  • String: attribute content string. The HW-Data-Filter attribute supports delivery of classifier and behavior strings as well as CoA action strings, with each type of string being a combination of fields delimited by semicolons and containing only displayable characters entered using a keyboard.

The HW-Data-Filter attribute can be delivered repeatedly, and one attribute can contain multiple attribute strings separated by a number sign (#). For example, when one HW-Data-Filter attribute contains two classifier strings, the String field of the attribute carries classifier1 string#classifier2 string. When one attribute contains both a classifier string and a behavior string, the String field carries classifier string#behavior string.

In one RADIUS packet, the total number of sub-attributes of all HW-Data-Filter attributes cannot exceed 2047.

Both classifier and behavior strings are categorized as local or remote. These types can be flexibly combined, meaning that a local or remote classifier string can be combined with both local and remote behavior strings.
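
The wire layout and the "#" packing rule described above, as an added example (not Huawei code): an encoder that packs attribute strings into as few HW-Data-Filter attributes as the 247-byte String limit allows, and a decoder that rejects attributes whose Length and Vendor Length disagree. The function names are hypothetical, and the 2047 sub-attribute limit is not checked.

```python
import struct

VSA_TYPE = 26          # RADIUS Vendor-Specific attribute, "Type(26)" in the figure
VENDOR_ID = 2011       # Huawei vendor ID from the figure
VENDOR_TYPE = 82       # HW-Data-Filter
MAX_STRING = 247       # Vendor Length is at most 249, minus Vendor Type and Vendor Length


def check_text(text):
    """Accept only non-empty displayable ASCII, as the String field requires."""
    if not text or not all(0x20 <= ord(ch) <= 0x7E for ch in text):
        raise ValueError(f"not displayable ASCII: {text!r}")
    return text


def encode_data_filters(strings):
    """Pack attribute strings into as few HW-Data-Filter attributes as possible."""
    chunks, current = [], ""
    for s in strings:
        if "#" in check_text(s) or len(s) > MAX_STRING:
            raise ValueError(f"string contains '#' or exceeds {MAX_STRING} bytes: {s!r}")
        joined = f"{current}#{s}" if current else s
        if len(joined) <= MAX_STRING:
            current = joined
        else:                      # String is full: start another attribute
            chunks.append(current)
            current = s
    if current:
        chunks.append(current)
    wire = b""
    for chunk in chunks:
        vendor_len = len(chunk) + 2
        wire += struct.pack("!BBIBB", VSA_TYPE, 6 + vendor_len, VENDOR_ID,
                            VENDOR_TYPE, vendor_len) + chunk.encode("ascii")
    return wire


def decode_data_filters(attributes):
    """Walk a RADIUS attribute list and return every HW-Data-Filter attribute string."""
    found, pos = [], 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attributes[pos], attributes[pos + 1]
        if a_len < 2 or pos + a_len > len(attributes):
            raise ValueError(f"attribute at offset {pos} has bad length {a_len}")
        body = attributes[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VSA_TYPE or len(body) < 6:
            continue               # not a vendor-specific attribute we can read
        vendor_id, v_type, v_len = struct.unpack("!IBB", body[:6])
        if (vendor_id, v_type) != (VENDOR_ID, VENDOR_TYPE):
            continue               # another vendor or another Huawei attribute
        if not 2 <= v_len <= 249 or a_len != 6 + v_len:
            raise ValueError(f"Length {a_len} does not equal 6 + Vendor Length {v_len}")
        text = body[6:].decode("ascii")
        found.extend(check_text(part) for part in text.split("#") if part)
    return found


# Constructed sample: a local classifier string and a remote behavior string.
SAMPLE = ["lc=class2;rb=behavior1;dir=in;", "rb=behavior1;deny;"]

if __name__ == "__main__":
    wire = encode_data_filters(SAMPLE)
    print(wire.hex())
    print(decode_data_filters(wire))
```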

Local Classifier String in the HW-Data-Filter Attribute

A local classifier string refers to a classifier configured on a device using a command. A RADIUS server uses the HW-Data-Filter attribute to specify a behavior to be bound to a classifier but cannot add, delete, or modify the rules matching a classifier. The local classifier format is as follows.

| Field | Name | Value Range | Example | Optional/Mandatory | Description |
|---|---|---|---|---|---|
| Local classifier name | lc | Class-name string<1-31> | lc= class2; | Mandatory<1> | When a local classifier is delivered, this field must be the first in the HW-Data-Filter attribute string. |
| Behavior name | rb | Behavior-name string<1-31> | rb=behavior1; | Optional<0-1> | rb stands for remote behavior; lb stands for local behavior. A local classifier can be bound to a local or remote behavior. This field specifies the name of the behavior to be bound to a local classifier. If this field is not delivered, the configuration takes effect based on the permit/deny action in the rule applied by a classifier. |
| | lb | Behavior-name string<1-31> | lb= behavior2; | | |
| Direction | dir | in | in; | Mandatory<1> | This field specifies the directions in which rules are used. in indicates the inbound direction, out indicates the outbound direction, and both indicates both the inbound and outbound directions. |
| | | out | out; | | |
| | | both | both; | | |

For example, "lc=class2;rb=behavior1;dir=in;" indicates that a local classifier named class2 is bound to a remote behavior named behavior1 and that this configuration takes effect in the inbound direction.

Remote Classifier String in the HW-Data-Filter Attribute

A remote classifier string refers to a classifier dynamically configured by a RADIUS server. A RADIUS server uses the HW-Data-Filter attribute to specify the name of a classifier, the name of a behavior to be bound to the remote classifier, and the rules matched by the remote classifier. The remote classifier format is as follows.

| Field | Name | Value Range | Example | Optional/Mandatory | Description |
|---|---|---|---|---|---|
| Remote classifier name | rc | Class-name string<1-31> | rc= class2; | Mandatory<1> | When a remote classifier is delivered, this field must be the first in the HW-Data-Filter attribute string. |
| Behavior name | rb | Behavior-name string<1-31> | rb=behavior1; | Optional<0-1> | rb stands for remote behavior; lb stands for local behavior. A remote classifier can be bound to a local or remote behavior. This field specifies the name of the behavior to be bound to a remote classifier. If this field is not delivered, the configuration takes effect based on the permit/deny action in the rule applied by a classifier. |
| | lb | Behavior-name string<1-31> | lb= behavior2; | | |
| Direction | dir | in | in; | Optional<0-1> | This field specifies the directions in which rules are used. in indicates the inbound direction, out indicates the outbound direction, and both indicates both the inbound and outbound directions. This field does not need to be delivered if an IPv4 or IPv6 address functions as the source and a user-group or service-group functions as the destination, or if an IPv4 or IPv6 address functions as the destination and a user-group or service-group functions as the source. If neither of these situations applies, this field must be delivered to specify a direction. When a user-group or service-group functions as the source and an IPv4 or IPv6 address functions as the destination, rules are applied to the inbound direction. When an IPv4 or IPv6 address functions as the source and a user-group or service-group functions as the destination, rules are applied to the outbound direction. |
| | | out | out; | | |
| | | both | both; | | |
| Rule number | ruleid | <0-4294967294> | ruleid=11; | Optional<0-1> | This field specifies the number of a rule. If this field is not delivered, a step of 5 is used as the default value. If rules with the same number are applied by the same classifier, all the HW-Data-Filter attributes in packets being processed fail to be processed. It is recommended that you have this field either delivered or not delivered for all rules in actual rule applications. |
| Rule action | NA | permit | permit; | Optional<0-1> | This field specifies an action in a rule. If this field is not delivered, the action is permit. This field's values clearly indicate the field meanings; therefore, the field name is unnecessary. |
| | | deny | deny; | | |
| Rule IP type | NA | ipv4 | ipv4; | Optional<0-1> | This field specifies an IP address type in a rule. The value can be IPv4 or IPv6. This field does not need to be delivered when an IPv4 or IPv6 address is specified as the source or destination in a rule. In other situations, this field must be delivered. When an IPv4 or IPv6 address is specified as the source or destination and this field is delivered, the address type in this field must match the one specified. Otherwise, all the HW-Data-Filter attributes in packets being processed fail to be processed. |
| | | ipv6 | ipv6; | | |
| Protocol | proto | <1-255> | proto=6; | Optional<0-1> | This field specifies a protocol in a rule. The value is 6 for TCP and 17 for UDP. If this field is not delivered, the protocol is IP for IPv4 rules and IPv6 for IPv6 rules. |
| Source IP | sipv4 | X.X.X.X/mask-length | sipv4=1.1.1.0/24; | Optional<0+> | This field specifies a source IPv4 address, IPv6 address, service-group, or user-group in a rule. If this field is not delivered, IPv4 rules match any source IPv4 addresses, and IPv6 rules match any source IPv6 addresses. Source IP addresses of the same type (IPv4, IPv6, service-group, or user-group) can appear multiple times in a remote classifier. If source IP addresses have different types, all the HW-Data-Filter attributes in packets being processed fail to be processed. |
| | | X.X.X.X/wild-mask | sipv4=1.1.1.0/0.255.255.255; | | |
| | sipv6 | X:X::X:X/M | sipv6=2001:db8::1/64; | Optional<0+> | |
| | ss-group | Service-group name string<1-31> | ss-group =paid; | Optional<0+> | |
| | su-group | User-group name string<1-32> | su-group =isp1; | Optional<0+> | |
| Destination IP | dipv4 | X.X.X.X/mask-length | dipv4=1.1.1.0/24; | Optional<0+> | This field specifies a destination IPv4 address, IPv6 address, service-group, or user-group in a rule. If this field is not delivered, IPv4 rules match any source IPv4 addresses, and IPv6 rules match any source IPv6 addresses. Destination IP addresses of the same type (IPv4, IPv6, service-group, or user-group) can appear multiple times in a remote classifier. If destination IP addresses have different types, all the HW-Data-Filter attributes in packets being processed fail to be processed. |
| | | X.X.X.X/wild-mask | dipv4=1.1.1.0/0.255.255.255; | | |
| | dipv6 | X:X::X:X/M | dipv6=2001:db8::1/64; | Optional<0+> | |
| | ds-group | Service-group name string<1-31> | ds-group =paid; | Optional<0+> | |
| | du-group | User-group name string<1-32> | du-group =isp1; | Optional<0+> | |
| Source port | sport | <0-65535> | sport =80; | Optional<0+> | This field can be delivered only if the protocol value is 6 or 17. This field specifies a source port number in a rule. When a source port number range (sport-range) is specified, the range must be delivered in ascending order and can appear only once in a remote classifier. A source port number (sport) can appear multiple times in a remote classifier. |
| | sport-range | <0-65535>-<0-65535> | sport-range=20-200; | Optional<0-1> | sport and sport-range cannot both appear in the same remote classifier. |
| Destination port | dport | <0-65535> | dport =80; | Optional<0+> | This field can be delivered only if the protocol value is 6 or 17. This field specifies a destination port number in a rule. When a destination port number range (dport-range) is specified, the range must be delivered in ascending order and can appear only once in a remote classifier. A destination port number (dport) can appear multiple times in a remote classifier. dport and dport-range cannot both appear in the same remote classifier. |
| | dport-range | <0-65535>-<0-65535> | dport-range =20-200; | Optional<0-1> | A source port and destination port can have different types. |
| DSCP | dscp | <0-63> | dscp=5; | Optional<0-1> | This field specifies a DSCP value in a rule and cannot appear in the same remote classifier as precedence and tos. |
| Precedence | pre | <0-7> | pre=5; | Optional<0-1> | This field specifies a precedence value in a rule and cannot appear in the same remote classifier as dscp. |
| ToS | tos | <0-15> | tos=5; | Optional<0-1> | This field specifies a ToS value in a rule and cannot appear in the same remote classifier as dscp. |
| TCP SYN flag | tcpflag | <0-511> | tcpflag=5; | Optional<0-1> | This field specifies a TCP synchronization flag in a rule and can be delivered only if the protocol value is 6. If it is delivered when the protocol value is not 6, all the HW-Data-Filter attributes in packets being processed fail to be processed. |
| Bidirectional | NA | bi-dir | bi-dir; | Optional<0-1> | This field specifies a reverse delivery of a rule and cannot be delivered when the direction is both. A reverse delivery means that a rule is delivered again with source and destination IP addresses swapped and source and destination port numbers swapped. |

In a remote classifier, only the source, destination, source-port, and destination-port fields can be delivered multiple times. However, only one field can appear multiple times in a remote classifier.

Rule fields of enumerated type that can be delivered have the following meanings:
  • Protocol field

      <1-255>  Protocol number
      gre      GRE tunneling(47)                                                    
      icmp     Internet Control Message Protocol(1)                                 
      igmp     Internet Group Management Protocol(2)                                
      ip       Any IP protocol                                                      
      ipinip   IP in IP tunneling(4)                                                
      ospf     OSPF routing protocol(89)                                            
      tcp      Transmission Control Protocol (6)                                    
      udp      User Datagram Protocol (17)
    
  • Source-port/Destination-port field

      <0-65535>  Port number
      CHARgen    Character generator (19)                                           
      bgp        Border Gateway Protocol (179)                                      
      cmd        Remote commands (rcmd, 514)                                        
      daytime    Daytime (13)                                                       
      discard    Discard (9)                                                        
      domain     Domain Name Service (53)                                           
      echo       Echo (7)                                                           
      exec       Exec (rsh, 512)                                                    
      finger     Finger (79)                                                        
      ftp        File Transfer Protocol (21)                                        
      ftp-data   FTP data connections (20)                                          
      gopher     Gopher (70)                                                        
      hostname   NIC hostname server (101)                                          
      irc        Internet Relay Chat (194)                                          
      klogin     Kerberos login (543)                                               
      kshell     Kerberos shell (544)                                               
      login      Login (rlogin, 513)                                                
      lpd        Printer service (515)                                              
      nntp       Network News Transport Protocol (119)                              
      pop2       Post Office Protocol v2 (109)                                      
      pop3       Post Office Protocol v3 (110)                                      
      smtp       Simple Mail Transport Protocol (25)                                
      sunrpc     Sun Remote Procedure Call (111)
      tacacs     TAC Access Control System (49)
      talk       Talk (517)
      telnet     Telnet (23)
      time       Time (37)
      uucp       Unix-to-Unix Copy Program (540)
      whois      Nicname (43)
      www        World Wide Web (HTTP, 80)
    
  • Precedence field

      <0-7>           Value of precedence
      critical        Specify critical precedence(5)
      flash           Specify flash precedence(3)                                   
      flash-override  Specify flash-override precedence(4)                          
      immediate       Specify immediate precedence(2)                               
      internet        Specify internetwork control precedence(6)                    
      network         Specify network control precedence(7)                         
      priority        Specify priority precedence(1)                                
      routine         Specify routine precedence(0)
    
  • Tos field

      <0-15>             Value of TOS(type of service)
      max-reliability    Match packets with max reliable TOS(2)                     
      max-throughput     Match packets with max throughput TOS(4)                   
      min-delay          Match packets with min delay TOS(8)                        
      min-monetary-cost  Match packets with min monetary cost TOS(1)
      normal             Match packets with normal TOS(0)
    

Remote Behavior String in the HW-Data-Filter Attribute

A remote behavior string refers to a behavior dynamically configured by a RADIUS server. A RADIUS server uses the HW-Data-Filter attribute to specify a behavior name and the traffic action in the behavior. The remote behavior format is as follows.

| Field | Name | Value Range | Example | Optional/Mandatory | Description |
| --- | --- | --- | --- | --- | --- |
| Remote behavior name | rb | Behavior-name string<1-31> | rb=behavior1; | Mandatory<1> | When a remote behavior is delivered, this field must be the first in the HW-Data-Filter attribute string. |
| Action | NA | permit | permit; | Optional<0-1> | If this field is not delivered, permit takes effect. |
| Action | NA | deny | deny; | Optional<0-1> | If this field is not delivered, permit takes effect. |
| Redirect cpu portal | NA | redirect-cpu-portal | redirect-cpu-portal; | Optional<0-1> | In portal push, if this field is configured, TCP packets that require portal redirection are sent to a RADIUS server. |
| Http redirect | NA | http-redirect | http-redirect; | Optional<0-1> | In forcible web redirection, if this field is configured, TCP packets that require web redirection are sent to a RADIUS server. |
| Remark dscp | remark-dscp | <0-63> | remark-dscp=5; | Optional<0-1> | This field can be delivered only by a remote behavior. |
| Remark ipv6 dscp | remark-ipv6-dscp | <0-63> | remark-ipv6-dscp=5; | Optional<0-1> | This field can be delivered only by a remote behavior. |
| Remark 802.1p | remark-8021p | <0-7> | remark-8021p=5; | Optional<0-1> | This field can be delivered only by a remote behavior. |

If a remote behavior contains only the permit action (not other actions), the remote behavior string does not need to be delivered, and actions specified by Action (permit/deny) in rules are delivered.
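The field rules for a remote behavior string can be checked on the RADIUS server side before the string is delivered. The following Python linter is an added example, not Huawei code; it assumes the fields are concatenated into one string with each field terminated by ";" as in the Example values, and the function names are hypothetical.

```python
"""Lint an HW-Data-Filter remote behavior string before a RADIUS server delivers it."""

# Transcribed from the remote behavior field list on this page.
# permit and deny share one "action" slot because Action is Optional<0-1>.
FLAG_SLOTS = {
    "permit": "action",
    "deny": "action",
    "redirect-cpu-portal": "redirect-cpu-portal",
    "http-redirect": "http-redirect",
}
VALUE_RANGES = {
    "remark-dscp": (0, 63),
    "remark-ipv6-dscp": (0, 63),
    "remark-8021p": (0, 7),
}


def lint_remote_behavior(text):
    """Return (behavior, errors); behavior is only meaningful when errors is empty."""
    behavior = {"name": None, "action": "permit", "flags": [], "remarks": {}}
    errors = []
    # Assumption: every field, including the last one, ends with ';'.
    fields = text.split(";")
    if text.endswith(";"):
        fields.pop()  # drop the empty piece after the final ';'
    else:
        errors.append("last field is not terminated by ';'")
    seen = set()
    for index, raw in enumerate(fields):
        key, has_value, value = (part.strip() for part in raw.partition("="))
        if not key:
            errors.append(f"field {index + 1} is empty")
            continue
        if key == "rb":
            slot = "rb"
            if index != 0:
                errors.append("rb must be the first field in the string")
            if not 1 <= len(value) <= 31:
                errors.append("behavior name must be 1 to 31 characters")
            behavior["name"] = value
        elif key in FLAG_SLOTS:
            slot = FLAG_SLOTS[key]
            if has_value:
                errors.append(f"{key} takes no value")
            if slot == "action":
                behavior["action"] = key
            else:
                behavior["flags"].append(key)
        elif key in VALUE_RANGES:
            slot = key
            low, high = VALUE_RANGES[key]
            if value.isascii() and value.isdigit() and low <= int(value) <= high:
                behavior["remarks"][key] = int(value)
            else:
                errors.append(f"{key} needs an integer in <{low}-{high}>")
        else:
            errors.append(f"unknown field {key!r}")
            continue
        if slot in seen:
            errors.append(f"{slot} delivered more than once")
        seen.add(slot)
    if "rb" not in seen:
        errors.append("mandatory rb field is missing")
    return behavior, errors


def must_deliver(behavior):
    """A behavior that contains only permit does not need to be delivered."""
    return (behavior["action"] != "permit"
            or bool(behavior["flags"]) or bool(behavior["remarks"]))


if __name__ == "__main__":
    # Constructed sample strings, not captured from a device.
    for sample in ("rb=behavior1;deny;remark-dscp=5;", "permit;rb=behavior1;"):
        print(sample, lint_remote_behavior(sample))
```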

CoA Action String in the HW-Data-Filter Attribute

A RADIUS server can deliver CoA action strings in CoA request packets to specify operation types on dynamic ACLs. The CoA action string format is as follows.

| Field | Name | Value Range | Example | Optional/Mandatory | Description |
| --- | --- | --- | --- | --- | --- |
| CoA operation type | optype | update-user-class | optype = update-user-class; | Mandatory<1> | The first value specifies a substitute for the dynamic ACL information being used. To be specific, if this field is delivered, a user no longer applies the C-B pair being used but applies the C-B pair delivered by a CoA packet. If no C-B pair is delivered by a CoA packet, the user cannot get any dynamic ACL information after the CoA packet is successfully processed. If CoA packets carry a different user group (user access rights) each time, "optype = update-user-class" must be delivered. |
| CoA operation type | optype | add-user-class | optype= add-user-class; | Mandatory<1> | The second value specifies that a C-B pair delivered by a CoA packet is added for user application. |
| CoA operation type | optype | del-user-class | optype= del-user-class; | Mandatory<1> | The third value specifies deletion of some C-B pairs specified by CoA packets from C-B pairs being applied by a user. |
| CoA operation type | optype | add-rule | optype= add-rule; | Mandatory<1> | The fourth value specifies addition of rules in the classifier specified by a CoA packet to the classifier being used by a user. |
| CoA operation type | optype | update-class | optype= update-class; | Mandatory<1> | The fifth value specifies replacement of rules and actions in the C-B pair being used by a user. To be specific, the rules and actions in the C-B pair that is being used by the user and specified in a CoA packet are replaced with those in the C-B pair delivered using the CoA packet. |

When CoA packets are used to deliver dynamic ACLs, an operation type (optype) must be specified for the dynamic ACLs in the CoA packets. If no operation type is delivered, update-user-class takes effect.

When optype is update-user-class or add-user-class, if C-B pairs delivered by CoA packets have been delivered by a user, only the number of reference rules is increased, and the C-B pair content is not updated; if the C-B pairs delivered by CoA packets have not been delivered by a user yet, the C-B pairs must be delivered.

Actions Supported by Local Behaviors

A local behavior string refers to a behavior configured on a device using a command. When a RADIUS server uses the HW-Data-Filter attribute to deliver a local or remote classifier, the classifier can be bound to a local behavior. A local behavior supports only the following actions. If any other action is configured in a local behavior, dynamic ACLs ignore that action.
  • redirect-cpu portal
  • redirect ip-nexthop X.X.X.X [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } | vpn STRING<1-31> | nqa STRING<1-31> STRING<1-31> ]
  • redirect ipv6-nexthop X:X::X:X [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } | vpn STRING<1-31> ]
  • { permit | deny }
  • remark dscp STRING<0-63>
  • remark 8021p INTEGER<0-7>
  • remark ipv6 dscp INTEGER<0-63>
  • nat bind instance STRING<1-31>
  • ds-lite bind instance STRING<1-31>
  • http-redirect [ plus ]

Dynamic ACL Specifications

A device supports a maximum of 1024 C-B pairs, which can have different names and types. One classifier can contain up to 1024 rules, including both IPv4 and IPv6 rules.

The number of times that C-B pairs in dynamic ACLs on a device are applied by users cannot exceed the value obtained by multiplying 256 x 1024 x 16. If one C-B pair is applied by n users, the C-B pair is applied n times.

One user can deliver a maximum of 1024 C-B pairs. Different users can deliver C-B pairs that share the same name and type. In this situation, the rule and action in the first delivered C-B pair of the user take effect. To modify C-B pair content, modify the CoA packet. For example:

  • User A has a Thunder service and delivers to the service a dynamic ACL, which contains 10 rules. After User B logs in, User B also selects the same Thunder service. For example, a dynamic ACL with 11 rules that are applied by the same classifier and same behavior as those for User A is delivered in a RADIUS authentication response packet for User B. Then, the dynamic ACL for the Thunder service is still the one delivered when User A goes online, meaning that the 10 rules for User A take effect, but the rules delivered for User B do not take effect.
  • If the dynamic ACL for the Thunder service needs to be added, deleted, or modified and there are online users who are using the Thunder service's dynamic ACL, the dynamic ACL can be modified only when a RADIUS server delivers CoA packets to the online users.
  • After users who are using the Thunder service all go offline, the dynamic ACL for the Thunder service is deleted. If User C goes online at this time, the dynamic ACL for the Thunder service delivered in User C's RADIUS authentication response packet takes effect.

More Information About NAS-Port-Id (87)

If the following command is run on a Huawei device, the NAS-Port-Id attribute is encapsulated in the format defined by a specific vendor. If the following command is not run or format encapsulation fails, the NAS-Port-Id attribute is encapsulated according to the specific device configuration.

radius-server format-attribute nas-port-id vendor { vendor-id | redback-simple | redback-addition }

The following format examples assume that a user is logged in from GE 2/0/5.4, with the single VLAN ID being 4 in the user packet. For Eth-Trunk interfaces, the value of sub-slot-id is always 2 unless otherwise specified as 0.

  1. vendor-id set to 2636
    • When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      {fastEthernet|gigabitEthernet} slot-id/port-id.sub-interface-number [:vpi-vci|:ivlan]

      Format example: gigabitEthernet 2/5.4:4

    If the logical interface configured on a user access interface is not a Trunk interface, the NAS-Port-Id attribute is encapsulated in the format of the logical interface. If the logical interface is a Trunk interface, the NAS-Port-Id attribute is encapsulated in the format of the user access interface. If the user access interface is the Trunk interface itself, the NAS-Port-Id attribute is encapsulated in the format of the first member interface of the Trunk interface.

    The logical interface is specified using the nas logic-port command.

    If the VLAN ID is double-tagged, the sub-interface ID is combined with the VLAN ID and the VLAN ID is separated by a hyphen (-). In the preceding example, if the outer VLAN ID is 3 and the inner VLAN ID is 4, the format is gigabitEthernet 2/5.30004:3-4.

    If the radius-server format-attribute nas-port-id vendor 2636 version1 command is run:

    • When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      {FastEthernet|GigabitEthernet} slot-id/sub-slot-id/port-id.sub-interface-number[:vpi-vci|:ivlan]

      Format example: GigabitEthernet 2/0/5.4:4

    If the logical interface configured on a user access interface is not a Trunk interface, the NAS-Port-Id attribute is encapsulated in the format of the logical interface. If the logical interface is a Trunk interface, the NAS-Port-Id attribute is encapsulated in the format of the user access interface. If the user access interface is the Trunk interface itself, the NAS-Port-Id attribute is encapsulated in the format of the first member interface of the Trunk interface. The sub-slot number of the Trunk interface is always 2.

    If the VLAN ID is double-tagged, the sub-interface ID is combined with the VLAN ID and the VLAN ID is separated by a hyphen (-). In the preceding example, if the outer VLAN ID is 3 and the inner VLAN ID is 4, the format is gigabitEthernet 2/0/5.30004:3-4.

  2. vendor-id set to 9
    • When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      {ethernet|trunk|PW} slot-id/sub-slot-id/port-id

      Format example: ethernet 2/0/5

      If a logical interface is configured on a user access interface, the NAS-Port-Id attribute is encapsulated in the format of the logical interface. If no logical interface is configured on a user access interface, the NAS-Port-Id attribute is encapsulated in the format of the user access interface. The sub-slot number is always 0 for Trunk and PW interfaces.

  3. vendor-id set to 2352
    • When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      [vpi-vci vpi vci | vlan-id [ivlan:]evlan] [pppoe sess-id | clips sess-id]

      Format example: 2/5 vlan-id 4 pppoe 8

    If a logical interface is configured on a user access interface, the NAS-Port-Id attribute is encapsulated in the format of the logical interface. If no logical interface is configured on a user access interface, the NAS-Port-Id attribute is encapsulated in the format of the user access interface. For a PPP user, sess-id specifies the ID of the user's PPPoE session. For a DHCP user, sess-id specifies the CID of the user on the device. Untagged packets of Ethernet access users do not carry VLAN information. For a QinQ interface, evlan and ivlan specify the outer and inner VLAN IDs, respectively.

  4. redback-simple Format
    • When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      slot-id/port-id[vpivci vpi vci | vlanid [ivlan:]evlan] [pppoe sess-id | clips sess-id]

      Format example: 2/5 vlanid 4 pppoe 8

    This format differs from that defined when vendor-id is set to 2352 in that both vpivci and vlanid have a hyphen (-) deleted.

  5. Default Formats

    The default format is under the control of the vlanpvc-to-username { standard | turkey | version10 | version20 } command in the AAA view and the vbas command and the client-option82 command in the BAS interface view.

    • Client option information is untrusted (default status).

      If the following conditions are true, client option information is not trusted:
      1. The vbas command is not run in the BAS interface view.
      2. For DHCPv4 users, the vlanpvc-to-username standard trust { pevlan | cevlan } [ ignore-rid ] command is not run, so the device does not trust Option82 information. For PPPoE users, DHCPv6 users, ND users, dual-stack users, leased line users, and static users, the client-option18 command or either of the client-option82 and client-access-line-id commands is not run, so the device does not trust Option18 or Option82 information.
      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the version20 (default type) format.

        When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

        slot=slot-id;subslot=sub-slot-id;port=port-id;{VPI=vpi;VCI=vci;|vlanid=VLAN-id;|vlanid=inner-VLAN-id;vlanid2=outer-VLAN-id;}

        Example: slot=2;subslot=0;port=5;vlanid=4;

        Note that the slot-id, sub-slot-id, port-id, vpi, vci, VLAN-ID, outer-VLAN-ID, and inner-VLAN-ID vary according to the actual situations.

      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the version10 format.

        When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

        slot=slot-id;subslot=sub-slot-id;port=port-id;{VPI=vpi;VCI=vci;|vlanid=VLAN-ID;}

        Example: slot=2;subslot=0;port=5;vlanid=4;

        Note that the slot-id, sub-slot-id, port-id, vpi, vci, and VLAN-ID vary according to the actual situations. For users logging in from a QinQ interface, the VLAN-ID is the inner VLAN ID.

      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the Turkey format (newly added for Turkey Telecom).

        When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

        slot-id/port-id vlan-id inner-VLAN-ID:outer-VLAN-ID

        Example: 2/5 vlan-id 4096:4

        If access users' packets do not carry any VLAN tags, both the inner and outer VLAN IDs are 4096. If the packets carry only one VLAN tag, the outer VLAN ID is 4096.

      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the standard format.

        When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

        {eth|trunk|PW} slot-id/sub-slot-id/port-id:{vpi.vci|inner-VLAN-ID.outer-VLAN-ID} 0/0/0/0/0/0

        Example: eth 2/0/5:4096.4 0/0/0/0/0/0

        Note that the slot-id, sub-slot-id, port-id, vpi, vci, outer-VLAN-ID, and inner-VLAN-ID vary according to the actual situations. For Trunk interfaces, the sub-slot-id is always 0. If access users' packets do not carry any VLAN tags, both the inner and outer VLAN IDs are 4096. If the packets carry only one VLAN tag, the outer-VLAN-ID is 4096. For PW interfaces, the sub-slot-id is always 0. In the AAA view, you can specify pevlan or cevlan in the vlanpvc-to-username standard trust { pevlan | cevlan } command. By default, both parameters are specified in the command. If only pevlan is specified, set the inner-VLAN-ID to 4096. If only cevlan is specified, set the outer-VLAN-ID to 4096.

    • Client Option information is trusted.

      If any of the following conditions is true, client option information is trusted:

      1. The vbas command is run in the BAS interface view.

      2. For DHCPv4 users, the option82 command is run to allow the device to trust Option82 information.

        For PPPoE users, DHCPv6 users, ND users, dual-stack users, leased line users, and static users, the client-option18 command or either of the client-option82 and client-access-line-id commands is run to allow the device to trust Option18 or Option82 information.

      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the version20 (default type) or version10 format, and the client-option82 basinfo-insert cn-telecom command is not run.

        • User packets carry Option82.

          If the vbas command is run, content carried in user packets is directly returned.

          Format example: mse-108 eth 0/2/0/5:4

          If the option82-relay-mode command is not run in the BAS interface view, the value of the first TLV carried in user packets is returned.

          Format example: If abc is carried in user packets, c is returned.

          If the option82-relay-mode command is run in the BAS interface view, content is returned in the configured format:

          1. If include allvalue is specified, all content carried in user packets is returned.

          Format example: If abc is carried in user packets, abc is returned.

          2. If include agent-circuit-id is specified, the circuit ID carried in user packets is returned.

          Format example: If abc de is carried in user packets, abc is returned.

          3. If include agent-remote-id is specified, the remote ID carried in user packets is returned.

          Format example: If abc de is carried in user packets, de is returned.

          4. If include agent-circuit-id agent-remote-id is specified, both the circuit ID and remote agent ID carried in user packets are returned.

          Format example: If abc de is carried in user packets, abcde is returned.

          After any of the preceding parameters is specified in the option82-relay-mode include command, you can run the option82-relay-mode subopt command to configure a format (either in hexadecimal notation or a string) for the circuit ID or remote agent ID to be transmitted. If the second, third, or fourth parameter stated above is specified in the option82-relay-mode command but sub-attribute parsing fails, information is returned in the format specified for the situation where user packets do not carry Option82 information.

          Format example: When the option82-relay-mode include agent-circuit-id and option82-relay-mode subopt agent-circuit-id hex commands are run, if user packets carry abc de, 616263 is returned; if user packets carry abc, MSE-108 eth 0/2/0/5:4 is returned.

        • User packets do not carry Option82.

          When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

          host-name {eth} 0/slot-id/sub-slot-id/port-id:{vpi.vci|vlan|outer-VLAN-ID.inner-VLAN-ID}

          Format example: MSE-108 eth 0/2/0/5:4

          The host name configured in the BAS interface view using the nas logic-sysname host-name command is preferentially used. If no host name is configured in the BAS interface view, the default host name configured by the system is used. If access users' packets do not carry any VLAN tags, both the inner and outer VLAN IDs are 0. If the packets carry only one VLAN tag, the inner VLAN ID is 0, which is not displayed.

      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the turkey format, and the client-option82 basinfo-insert cn-telecom command is not run.

        When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

        slot-id/port-id vlan-id inner-VLAN-ID:outer-VLAN-ID

        Example: 2/5 vlan-id 4096:4

        If access users' packets do not carry any VLAN tags, both the inner and outer VLAN IDs are 4096. If the packets carry only one VLAN tag, the inner VLAN ID is 4096.

      • The vlanpvc-to-username command is run to set the Nas-Port-Id attribute to use the standard format, and the client-option82 basinfo-insert cn-telecom command is run.

        When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

        {eth|trunk|PW} slot-id/sub-slot-id/port-id:{vpi.vci|outer-VLAN-ID.inner-VLAN-ID} client carried information

        The slot-id, sub-slot-id, port-id, vpi, vci, outer-VLAN-ID, and inner-VLAN-ID vary according to the actual situations.

        For Trunk interfaces, the sub-slot number is always 0. If access users' packets do not carry any VLAN tags, both the inner and outer VLAN IDs are 4096. If the packets carry only one VLAN tag, the inner VLAN ID is 4096.

        For PW interfaces, the sub-slot number is always 0.

        In the AAA view, you can specify pevlan or cevlan in the vlanpvc-to-username standard trust { pevlan | cevlan } command. By default, both parameters are specified in the command. If only pevlan is specified, set the inner VLAN ID to 4096. If only cevlan is specified, set the outer VLAN ID to 4096.

        • User packets carry Option82.

          If the vbas command is run, the entire Option82 content carried in user packets is parsed. If the vbas command is not run, the Option 82 information with two offset bytes is parsed.

          Parsing procedure:

          The NetEngine 8000 F8/NetEngine 8000E F8 checks whether the content in a user packet contains a space.

          If yes, the content carried in the user packet is returned. For example, if the user packet carries abc, eth 2/0/5:4096.4 c is returned.

          If no, NetEngine 8000 F8/NetEngine 8000E F8 checks whether a slash (/) is prior to the space.

          If yes, the content carried in the user packet is returned. For example, if the user packet carries aaa/b cd, eth 2/0/5:4096.4 a/b cd is returned.

          If no, the device checks whether the content in the user packet contains another space.

          If yes, the content following the second space is returned. For example, if the user packet carries aaab cd e, eth 2/0/5:4096.4 e is returned.

          If no, 0/0/0/0/0/0 is returned. For example, if the user packet carries aaab cde, eth 2/0/5:4096.4 0/0/0/0/0/0 is returned.

        • User packets do not carry Option82.

          Information carried by the client is filled with 0/0/0/0/0/0.

          Format example: eth 2/0/5:4096.4 0/0/0/0/0/0

  6. Formats of the HW-Own-NAS-Port-Identify-Old Attribute Converted from the NAS-Port-Id Attribute (0s Are Used for Padding, and Excess Bits Are Discarded)
    • Ethernet interface:

      When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      slot-id (2 bytes)+sub-slot-id (2 bytes)+ port-id (3 bytes)+ VLAN (4 bytes outer-VLAN-ID+0+4 bytes inner-VLAN-ID)

  7. Formats of the HW-Own-Nas-Port-Id-Uppercase Attribute Converted from the NAS-Port-Id Attribute (0s Are Used for Padding, and Excess Bits Are Discarded)

    If "vlanidxxxx" is included, "vlanid" is converted to "VLANID". Other situations are the same as those in Default Formats.

  8. A Logical Interface Is Configured in the BAS Mode

    Command:

    (Interface of BAS mode) nas logic-port

    After a logic interface is configured, it generates the following information:
    • User name of DHCP users or binding authentication users
    • User Option 82 information to be generated or replaced
    • NAS-port and NAS-port-ID in RADIUS authentication packets
  9. Impact of the radius-attribute-format nas-port-id unitary-subslot Command on the NAS-Port-Id Attribute Format

    The radius-attribute-format nas-port-id unitary-subslot slot slot-id base-number number command configures a type for the subslot field in the NAS-Port-Id attribute. The keyword unitary-subslot sets the subcard type to unitary.

    This command is used in the following situation:

    When a board on the device contains no subcard, the port numbers are FE1/0/0–FE1/0/15 (FE1/0/0, FE1/0/1, FE1/0/2, ..., FE1/0/15). If the board is replaced with a board containing subcards, the port numbers on the new board are FE1/0/0–FE1/0/7 and FE1/1/0–FE1/1/7. As a result, the RADIUS server fails to perform binding authentication. To resolve this issue, the radius-attribute-format nas-port-id unitary-subslot command can be run to convert port interfaces FE1/0/0–FE1/0/7 and FE1/1/0–FE1/1/7 to FE1/0/0–FE1/0/15.

  10. Impact of the option82-relay-mode include Command on the NAS-Port-Id Attribute Format
    • If the option82-relay-mode include allvalue command is run in the BAS interface view, all Option82 information is carried.

    • If the option82-relay-mode include agent-circuit-id command is run in the BAS interface view, only circuit ID information is carried.

    • If the option82-relay-mode include agent-remote-id command is run in the BAS interface view, only remote agent ID information is carried.

    • If the option82-relay-mode include agent-circuit-id agent-remote-id command is run in the BAS interface view, both circuit ID information and remote agent ID information are carried.

    After any of the preceding commands is configured, you can run the option82-relay-mode subopt command to configure a format (either in hexadecimal notation or a string) for the circuit ID or remote agent ID to be transmitted.

  11. Formats of the Nas-Port-Id-QINQ-Reverse Attribute Converted from the NAS-Port-Id Attribute

    ETH interface:

    • When the user access interface is in the three dimensional format, the format of the NAS-Port-Id attribute is as follows:

      slot=slot-id; subslot=sub-slot-id; port=port-id; vlanid=outer-VLAN-ID;vlanid2=inner-VLAN-ID;
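A RADIUS server that performs binding authentication has to compare NAS-Port-Id values whose VLAN field order depends on the format: version20 puts the inner VLAN ID in vlanid, Nas-Port-Id-QINQ-Reverse puts the outer VLAN ID there, and HW-Own-Nas-Port-Id-Uppercase delivers VLANID. The following Python normaliser for these semicolon-delimited formats is an added example, not Huawei code; the function names and the returned dictionary keys are hypothetical.

```python
"""Normalise semicolon-delimited NAS-Port-Id values for binding checks."""

REQUIRED = ("slot", "subslot", "port")
ALLOWED = set(REQUIRED) | {"vpi", "vci", "vlanid", "vlanid2"}


def parse_nas_port_id(text, qinq_reverse=False):
    """Return slot/subslot/port plus the ATM or VLAN identifiers as integers.

    qinq_reverse=True reads vlanid as the outer tag (Nas-Port-Id-QINQ-Reverse);
    the default reads vlanid as the inner tag (version20).
    """
    fields = {}
    for raw in text.split(";"):
        raw = raw.strip()          # the QinQ-reverse format has spaces after ';'
        if not raw:
            continue
        key, sep, value = raw.partition("=")
        key = key.strip().lower()  # accepts VPI/VCI and the uppercase VLANID form
        value = value.strip()
        if not sep or key not in ALLOWED:
            raise ValueError(f"unexpected field {raw!r}")
        if not (value.isascii() and value.isdigit()):
            raise ValueError(f"{key} is not a decimal number: {value!r}")
        if key in fields:
            raise ValueError(f"{key} appears twice")
        fields[key] = int(value)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("missing " + ", ".join(missing))
    if ("vpi" in fields) != ("vci" in fields):
        raise ValueError("VPI and VCI must appear together")
    if "vlanid2" in fields and "vlanid" not in fields:
        raise ValueError("vlanid2 without vlanid")
    if "vpi" in fields and "vlanid" in fields:
        raise ValueError("ATM and VLAN identifiers are alternatives")
    result = {k: fields[k] for k in REQUIRED}
    if "vpi" in fields:
        result["vpi"], result["vci"] = fields["vpi"], fields["vci"]
    elif "vlanid2" in fields:
        first, second = fields["vlanid"], fields["vlanid2"]
        result["outer_vlan"], result["inner_vlan"] = (
            (first, second) if qinq_reverse else (second, first))
    elif "vlanid" in fields:
        result["vlan"] = fields["vlanid"]
    return result


def same_access_port(a, b, a_reverse=False, b_reverse=False):
    """True when two NAS-Port-Id strings describe the same port and tags."""
    return parse_nas_port_id(a, a_reverse) == parse_nas_port_id(b, b_reverse)


if __name__ == "__main__":
    # Constructed values: outer VLAN 3 and inner VLAN 4 on slot 2, subslot 0, port 5.
    v20 = "slot=2;subslot=0;port=5;vlanid=4;vlanid2=3;"
    rev = "slot=2; subslot=0; port=5; vlanid=3;vlanid2=4;"
    print(parse_nas_port_id(v20))
    print(same_access_port(v20, rev, b_reverse=True))
```

Comparing the two strings byte for byte, or parsing both with the same field order, would treat one user's port as two different bindings.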

More Information About HW-Dhcp-Option (187)

Format of HW-Dhcp-Option (187)

The HW-Dhcp-Option (187) attribute delivered by a RADIUS server must use the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
   +---------------+---------------+---------------------------------+
   |     Type      |    Length     |        Option Type              |
   +---------------+---------------+---------------------------------+
   |     value
   +-----------------
  • Option Type: 2 bytes

  • Value: option value

HW-Dhcp-Option (187) Attribute Rules

  • Rule1: A maximum of eight options can be delivered. After parsing eight valid options, subsequent ones are ignored.
  • Rule2: If a duplicate option is delivered, it replaces the one previously delivered. Option121 is an exception because this option carries routing information and can be delivered multiple times.

    Example for rules 1 and 2: If eight options are delivered with the first and eighth options having the same number, the eighth option replaces the first option. That is to say, there are only seven options in effect, and the ninth option (if there is the ninth option) can be parsed successfully.

    If eight unique options have been delivered and the ninth option is the same as the first option, the ninth option is not parsed.

  • Rule3: The following options cannot be delivered.

    | Option Code | Description | Reason |
    | --- | --- | --- |
    | 0 | Byte aligning | This option for byte aligning is not a normal option. |
    | 1 | Subnet mask | A subnet mask belongs to an address pool and therefore should not be delivered. |
    | 3 | Gateway | A gateway belongs to an address pool configuration. DHCP users do not support gateway option delivery. |
    | 12 | Client host name | This option is sent by a DHCP client to a BAS device. |
    | 53 | Type of a DHCP message | This option indicates the type of a DHCP message and cannot be delivered. |
    | 54 | Server identifier | This option is the gateway address for DHCP clients and encapsulated in Offer and ACK messages. This option code is not supported currently. |
    | 55 | Request parameter list | This option is sent by a DHCP client to a BAS device. |
    | 61 | Client identifier | This option is sent by a DHCP client to a BAS device. |
    | 64 | Network information server (NIS)+ domain name | This option identifies a DHCP client. |
    | 77 | User Class Option | This option is sent by a DHCP client to a BAS device. |
    | 82 | Relay information | This option is sent by a DHCP client to a BAS device. |

  • Rule4: The following options are replaced by RADIUS attributes before being delivered.

    | Option Code | Description | RADIUS Attribute Number | Attribute Name |
    | --- | --- | --- | --- |
    | 6 | Domain Server | 26-135 | HW-Client-Primary-DNS |
    | 6 | Domain Server | 26-136 | HW-Client-Secondary-DNS |
    | 43 | Vendor Specific | 26-156 | HW-DHCPV4-Option43 |
    | 44 | NETBIOS Name Srv | 26-75 | HW-Ascend-Client-Primary-WINS |
    | 44 | NETBIOS Name Srv | 26-76 | HW-Ascend-Client-Second-WIN |
    | 51 | Address Time | 26-74 | HW-Lease-Time |
    | 58 | Renewal Time | 26-35 | HW-Renewal-Time |
    | 59 | Rebinding Time | 26-36 | HW-Rebinding-Time |
    | 120 | DHCP_OPT120 | 26-32 | RD_hw_SIP_Server |
    | 121 | Classless Static Route Option | 26-155 | HW-DHCPv4-Option121 |

  • Rule5: The preceding RADIUS attributes that are converted from the options have the same priorities as those directly delivered by a RADIUS server. Except for Option121, those delivered later take effect.
  • Rule6: A maximum of 24 Option121s can be delivered. If the total number of routes delivered by two attributes is less than 24, Option121 can be continually delivered. If there are more than 24 routes, a failure is returned, and users cannot log in.
  • Rule7: Option6 and Option44 can be parsed as either RADIUS attribute numbers 26-135 and 26-136, respectively, or 26-75 and 26-76, respectively. A maximum of two IP addresses can take effect in the format of ULONG. The first two IP addresses are delivered after being converted to the corresponding RADIUS attributes.
  • Rule8: To parse an option, a RADIUS server first determines whether the option can be delivered and whether the option length meets the requirement. If it cannot be delivered or its length does not meet the requirement, the RADIUS server ignores this option and continues its polling. After the first round of determination, if the RADIUS server finds that this option must be converted to a RADIUS attribute before being delivered, it converts this option to the desired RADIUS attribute. If this attribute fails to be parsed, users fail to log in.
  • Rule 9: To trigger a user that goes offline unexpectedly to go online again, the options sent to the RADIUS server can only be Options 12, 61, 60, 82, and 77 stored in the backup table of the unexpected logout.
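Rules 1 to 4 and Rule 6 interact in ways that are easy to misjudge when composing HW-Dhcp-Option values on a RADIUS server, so the following Python pre-delivery check is an added example, not Huawei code, with hypothetical function names. It assumes the 2-byte Option Type is in network byte order, that Option 121 values use the RFC 3442 route encoding, and that all Option 121 instances together occupy one of the eight slots; routes delivered separately through HW-DHCPv4-Option121 are not visible to it.

```python
"""Pre-delivery check for HW-Dhcp-Option (187) values on a RADIUS server."""
import struct

FORBIDDEN = {0, 1, 3, 12, 53, 54, 55, 61, 64, 77, 82}   # Rule 3
CONVERTED = {                                            # Rule 4
    6: ["HW-Client-Primary-DNS", "HW-Client-Secondary-DNS"],
    43: ["HW-DHCPV4-Option43"],
    44: ["HW-Ascend-Client-Primary-WINS", "HW-Ascend-Client-Second-WIN"],
    51: ["HW-Lease-Time"],
    58: ["HW-Renewal-Time"],
    59: ["HW-Rebinding-Time"],
    120: ["RD_hw_SIP_Server"],
    121: ["HW-DHCPv4-Option121"],
}
MAX_OPTIONS = 8    # Rule 1
MAX_ROUTES = 24    # Rule 6


def attribute_value(code, value):
    """Octets that follow Type and Length: 2-byte Option Type, then the value."""
    if not 0 <= code <= 0xFFFF:
        raise ValueError("Option Type must fit in 2 bytes")
    return struct.pack("!H", code) + bytes(value)  # assumption: network byte order


def count_routes(value):
    """Count RFC 3442 entries: mask width, significant prefix octets, router."""
    count, offset = 0, 0
    while offset < len(value):
        width = value[offset]
        if width > 32:
            raise ValueError("mask width above 32")
        offset += 1 + (width + 7) // 8 + 4
        count += 1
    if offset != len(value):
        raise ValueError("truncated route entry")
    return count


def simulate_delivery(options):
    """Apply Rules 1-4 and 6 to (code, value) pairs given in delivery order."""
    in_effect = {}   # code -> list of values; only Option 121 keeps several
    ignored = []     # (position, code, reason)
    for position, (code, value) in enumerate(options, start=1):
        if code in FORBIDDEN:
            ignored.append((position, code, "Rule 3: not deliverable"))
        elif len(in_effect) >= MAX_OPTIONS:
            # Once eight options are in effect, even a duplicate is not parsed.
            ignored.append((position, code, "Rule 1: eight options in effect"))
        elif code == 121:
            in_effect.setdefault(code, []).append(value)   # Rule 2 exception
        else:
            in_effect[code] = [value]                       # Rule 2: replace
    routes = sum(count_routes(v) for v in in_effect.get(121, []))
    return {
        "in_effect": in_effect,
        "ignored": ignored,
        "converted": {c: CONVERTED[c] for c in in_effect if c in CONVERTED},
        "routes": routes,
        "login_fails": routes > MAX_ROUTES,                 # Rule 6
    }


if __name__ == "__main__":
    # Constructed input: eight options where the eighth repeats the first,
    # followed by a ninth, as in the example for rules 1 and 2.
    codes = [15, 2, 4, 7, 9, 42, 66, 15, 67]
    plan = simulate_delivery([(c, bytes([i])) for i, c in enumerate(codes)])
    print(sorted(plan["in_effect"]), plan["ignored"])
```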

HW-Avpair (188) Attribute Description

This attribute is a framework attribute of extensible sub-attributes. Currently, the following sub-attributes are supported:

  1. Used to return the policy configuration during EDSG service template downloading. Each sub-attribute corresponds to a command.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      service:service-group

      service:service-group=<service-group-name> [ inbound | outbound ] [ priority <0-1000>]

      Service-group is used to download the EDSG service template and determine the matching rule for EDSG service flows. The corresponding command is service-group.

      The service group, direction, and priority are separated by spaces. Each attribute can contain only one service group, one direction, and one priority. The sequence cannot be adjusted.

      service:authentication-scheme

      service:authentication-scheme=<authentication-scheme-name>

      It is used to download an authentication scheme for an EDSG service template. The corresponding command is authentication-scheme.

      service:accounting-scheme

      service:accounting-scheme=<accounting-scheme-name>

      It is used to download an accounting scheme for the EDSG service template. The corresponding command is accounting-scheme.

      service:prepaid-config

      service:prepaid-config=<prepaid-profile-name>

      It is used to download a prepaid profile for an EDSG service template. The corresponding command is prepaid-profile.

      service:radius-server-group

      service:radius-server-group=<radius-server-group-name>

      It is used to download a RADIUS server group for an EDSG service template. The corresponding command is radius-server group.

      service:diameter-monitor-key

      service:diameter-monitor-key=<diameter-monitor-key>

      It is used to download the Diameter monitoring key for an EDSG service template. The corresponding command is diameter monitor-key.

      service:service-class-inbound

      service:service-class-inbound={ cs7 | cs6 | ef | af4 | af3 | af2 | af1 | be }

      It is used to download the upstream service-class information for an EDSG service template. The corresponding command is service-class { cs7 | cs6 | ef | af4 | af3 | af2 | af1 | be } inbound.

      service:service-class-outbound

      service:service-class-outbound={ cs7 | cs6 | ef | af4 | af3 | af2 | af1 | be }

      It is used to download the downstream service-class information for an EDSG service template. The corresponding command is service-class { cs7 | cs6 | ef | af4 | af3 | af2 | af1 | be } outbound.

      service:time-range

      service:time-range=<time-range-name><space>type=rate;dir={in|out|both};cir=<cir-value>;pir=<pir-value>;cbs=<cbs-value>;pbs=<pbs-value>;

      It is used to download a time range template for an EDSG service template. The format requirements are as follows:

      • The type parameter is mandatory and must be the first parameter after the space.
      • The cir parameter is mandatory.
      • The dir parameter is optional. The default value is both.
      • The pbs parameter can be carried only when the cbs parameter is available.
      • The device does not check time range templates delivered by the RADIUS server. If a time range template with the RADIUS-delivered name already exists on the device, the existing time range template takes effect. If no such template exists, the RADIUS-delivered time range template fails to take effect; however, if a time range template with the same name is configured later, it takes effect. Similarly, if the time range template applied to an EDSG service template is deleted, the bandwidth configured for the time range in the EDSG service template does not take effect. If a new time range template with the same name is configured, the bandwidth in the EDSG service template is updated based on the new time range template.
      • A maximum of three time range templates can be downloaded for an EDSG service template. Downloading of more than three time range templates fails.

      service:ip-type

      service:ip-type=<ip-type>

      It is used to download the service IP type for an EDSG service template. The corresponding command is ip-type ipv6.

      service:http-redirect-profile

      service:http-redirect-profile=<http-redirect-profile>

      It is used to download the name of a redirection profile for an EDSG service template. The corresponding command is http-redirect-profile.

      service:redirect-config

      service:redirect-config=<redirect-config>

      It is used to download the name of a forcible redirection profile for an EDSG service template. The corresponding command is service force redirect.

      service:traffic-match-user-group

      service:traffic-match-user-group={ inbound | outbound | both }

      It is used to download the service traffic matching user group for an EDSG service template. Inbound or outbound service traffic or service traffic in both directions can be matched. The corresponding command is traffic match user-group.

      service:fq-pbs-in

      service:fq-pbs-in

      The flow-queue parameter takes effect only for EDSG services whose rate limit mode is user-queue but not car. This value ranges from 1 to 4194304. To download the upstream flow queue bandwidth for an EDSG service policy, run the rate-limit cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ] [ flow-queue-pbs flow-queue-pbs ] ] inbound command.

      service:fq-pbs-out

      service:fq-pbs-out

      The flow-queue parameter takes effect only for EDSG services whose rate limit mode is user-queue but not car. This value ranges from 1 to 4194304. To download the flow-queue bandwidth for an EDSG service policy, run the rate-limit cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ] [ flow-queue-pbs flow-queue-pbs ] ] outbound command.

      qos:rate-unit

      qos:rate-unit=<rate-unit>

      It is used to download the bandwidth unit for an EDSG service template. No corresponding command is available.

    • Example

      service:authentication-scheme=defalut1

      service:service-group=service1 inbound 10

      service:accounting-scheme=default0

      service:prepaid-config=prepaid1

      service:radius-server-group=aaa

      service:diameter-monitor-key=123

      service:service-class-inbound=ef

      service:service-class-outbound=ef

      service:time-range=time_range1 type=rate;dir=both;cir=1000;pir=1000;cbs=187000;pbs=187000;

      service:ip-type=ipv6

      service:http-redirect-profile=redirect1

      service:redirect-config=forceredirect1

      service:traffic-match-user-group=both

      service:fq-pbs-in=500

      service:fq-pbs-out=800

      qos:rate-unit=kbps

    Service bandwidth parameters are delivered using Huawei proprietary attributes 1, 2, 3, 4, 5, 6, 77, and 78.

  2. It is used to set the UNR tag for IPv4 host routes and route advertisement in Access-Accept packets.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      route-tag

      route-tag=<0-4294967294>

      This attribute is delivered to a device through an Access-Accept packet and sent to a RADIUS server through an Accounting-Request packet. Delivery through COA or COA re-authentication is not supported. This attribute is used together with Framed-route (22) or with Framed-IP-Address (8) plus Framed-IP-Netmask (9) and takes effect on the UNR tag of the route generated using Framed-route (22) or using Framed-IP-Address (8) plus Framed-IP-Netmask (9). Different users may deliver different route tags for the same framed route. The attribute delivered by the first user prevails and is not updated later.

    • Example

      route-tag=5

  3. This attribute is used in EDSG real-time accounting and stop-accounting merging packets to identify them as merging accounting packets.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      acct:merge

      acct:merge=1

      This attribute identifies a packet as a merging accounting packet.

    • Example

      acct:merge=1

  4. This attribute is used in EDSG real-time accounting and stop-accounting merging packets to report discarded FQ traffic.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      acct:dropped-cs7

      acct:dropped-cs7 = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      This attribute is used in EDSG real-time accounting and stop-accounting merging packets to report statistics about discarded CS7 traffic.

      • The data before the first semicolon indicates the number of upstream bytes. The number of higher 32 bytes and lower 32 bytes are separated by a comma.
      • The data between the first semicolon and the second semicolon indicates the number of upstream packets.
      • The data between the second semicolon and the third semicolon indicates the number of downstream bytes. The number of higher 32 bytes and lower 32 bytes are separated by a comma.
      • The last part of the data indicates the number of downstream packets.

      acct:dropped-cs6

      acct:dropped-cs6 = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded CS6 traffic. The data meaning is the same as that described previously.

      acct:dropped-ef

      acct:dropped-ef = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded EF traffic. The data meaning is the same as that of the acct:dropped-cs7 attribute.

      acct:dropped-af4

      acct:dropped-af4 = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded AF4 traffic. The data meaning is the same as that described previously.

      acct:dropped-af3

      acct:dropped-af3 = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded AF3 traffic. The data meaning is the same as that described previously.

      acct:dropped-af2

      acct:dropped-af2 = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded AF2 traffic. The data meaning is the same as that described previously.

      acct:dropped-af1

      acct:dropped-af1 = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded AF1 traffic. The data meaning is the same as that described previously.

      acct:dropped-be

      acct:dropped-be = <high,low>;<0-4294967295>; <high,low>;<0-4294967295>

      It is used in EDSG real-time accounting and stop-accounting merging packets to report discarded BE traffic. The data meaning is the same as that described previously.

    • Example

      acct:dropped-cs7 = <0,100>;<200>; <0,100>;<200>

      acct:dropped-cs6 = <0,100>;<200>; <0,100>;<200>

      acct:dropped-ef = <0,100>;<200>; <0,100>;<200>

      acct:dropped-af4 = <0,100>;<200>; <0,100>;<200>

      acct:dropped-af3 = <0,100>;<200>; <0,100>;<200>

      acct:dropped-af2 = <0,100>;<200>; <0,100>;<200>

      acct:dropped-af1 = <0,100>;<200>; <0,100>;<200>

      acct:dropped-be = <0,100>;<200>; <0,100>;<200>

  5. This attribute is used in an authentication reply packet or a COA message to deliver a traffic policy.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:traffic-policy

      subscriber:traffic-policy=<traffic-policy-name>

      This attribute is used to deliver a traffic policy, with the upstream and downstream directions not differentiated.

    • Example

      subscriber:traffic-policy=tp

  6. This attribute is used in an authentication reply packet or a COA message to deliver user FQ parameters.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:fq

      subscriber:fq={cs7|cs6|ef|af4|af3|af2|af1|be };{ {shaping.value=<8-4294967294>|shaping.percentage=<0-100>} [<space>pbs=<1-4194304>] };sch={pq|lpq|wfq<space>weight=<1-100> };[dir={in|out}];

      This attribute is used in users' Access-Accept packets and COA messages and cannot be sent to RADIUS servers.

      subscriber indicates that this parameter takes effect only for users. fq indicates a specific FQ queue. A maximum of eight queue parameters can be delivered each time. If repeated queues are delivered, the configuration delivered later takes effect. shaping indicates the FQ rate limit and is followed by .value or .percentage: value is expressed in kbit/s, and percentage is expressed as a percentage of the FQ. The shaping units of all attributes delivered each time must be the same. When value is specified, the values of different queues delivered each time cannot differ by a factor of more than 2000. pbs indicates the peak burst bucket depth, in bytes. sch indicates the scheduling mode of the FQ. dir indicates the direction. If dir is not specified, the direction is bidirectional.

      The FQ parameters delivered by the RADIUS server and the FQ and QoS parameters on the device may affect each other. Therefore, the attributes that are correctly parsed may not take effect due to parameter restrictions on the device. The scenarios where the attributes do not take effect are as follows:
      • The rate is not limited or is limited by CAR.

      • Users have configured the four-flow-queue mode or a priority translation profile. The parameters of these configurations are incompatible with those in the flow-queue profile delivered by a RADIUS server.
      • A RADIUS server delivers queues whose shaping values (in percentage) differ from one another by a factor of more than 2000.
      • A RADIUS server delivers queues, causing the shaping values of queues in the user flow-queue profile to have different units.
      • FQs delivered to unsupported types of users (family users) do not take effect.
      • The queue cos-value car { car-value | car-percentage car-percentage-value } [ pbs pbs-value ] command is configured in the flow queue view to limit the rate of the flow queue.
      • Either shaping or sch must be delivered.
    • Example

      subscriber:fq=ef;shaping.value=1000 pbs=3000;sch=wfq weight=20;dir=out;

  7. This attribute is used in an authentication reply packet or a COA message to deliver a GQ profile name.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:gq-inbound

      subscriber:gq-inbound =<gq-inbound-name>

      This attribute is used to deliver a GQ profile name used in the upstream direction.

      subscriber:gq-outbound

      subscriber:gq-outbound =<gq-outbound-name>

      This attribute is used to deliver a GQ profile name used in the downstream direction.

    • Example

      subscriber:gq-inbound =gq_in

  8. This attribute is sent by a RADIUS server to online users to deliver or cancel the in-arrears identifier.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:lease-timeout-offline

      subscriber:lease-timeout-offline={enable | disable}

      This attribute is sent by a RADIUS server to online users to deliver or cancel the in-arrears identifier.

    • Example

      subscriber:lease-timeout-offline=enable

  9. It is used by the RADIUS server to deliver user groups to online users or users who request to go online.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:user-group

      subscriber:user-group=<user-group-name>

      It is sent by a RADIUS server to online users or users who request to go online to deliver the user-group attribute.

    • Example

      subscriber:user-group=group1

  10. This attribute is used in an authentication response packet to deliver the Framed-Route attribute.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:framed-route

      subscriber:framed-route= <address>[/<mask length>]<space>[<next hop>]<space>[<number of hops>]<space>[preference<space><route preference>]

      This attribute is used to deliver the Framed-Route attribute in an authentication response packet sent by the RADIUS server. A maximum of 128 Framed-route attributes can be delivered in an authentication response packet per user, but the total length of the packet must not exceed 4096 bytes. It is recommended that the preference value delivered in the RUI scenario be less than the default protocol value. If the delivered preference value is larger than the default protocol value, traffic may be interrupted on the new master device after a master/backup device switchover is performed.

    • Example

      subscriber:framed-route=192.168.1.0/24 0.0.0.0 2 preference 200

  11. This attribute is sent by a RADIUS server to online users or users who request to go online to deliver the upstream VPN instance.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:vpn-instance-inbound

      subscriber:vpn-instance-inbound=<vpn-instance-name>

      This attribute is sent by a RADIUS server to online users or users who request to go online to deliver the upstream VPN instance.

    • Example

      subscriber:vpn-instance-inbound=vpn1

  12. This attribute carries the VPN ID in an accounting request packet to be sent to the RADIUS server.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:vpnid

      subscriber:vpnid=<vpn-instance-id>

      This attribute carries the VPN ID in an accounting request packet to be sent to the RADIUS server.

    • Example

      subscriber:vpnid=1

  13. It is used in RADIUS authentication response packets to deliver the PCP enabling flag.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      pcp-flag

      pcp-flag=<flag>

      It is used in RADIUS authentication response packets to deliver pcp-flag. The value of <flag> can be 0 (disabled) or 1 (enabled).

    • Example

      pcp-flag=1

  14. This attribute is used in an authentication response packet to deliver the IPv6 Framed-Route attribute.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:framed-ipv6-route

      subscriber:framed-ipv6-route= <IPv6 address>[/<mask length>]<space>[<next hop>]<space>[<number of hops>]<space>[preference<space><route preference>]

      This attribute is used to deliver the Framed-IPv6-Route attribute in an authentication response packet sent by the RADIUS server. A maximum of 128 Framed-route attributes can be delivered in an authentication response packet per user, but the total length of the packet must not exceed 4096 bytes.

      It is recommended that the preference value delivered in the RUI scenario be less than the default protocol value. If the delivered preference value is larger than the default protocol value, traffic may be interrupted on the new master device after a master/backup device switchover is performed.

    • Example

      subscriber:framed-ipv6-route=2001:db8:1::1/64 :: 10 preference 200

  15. It is used to carry the bandwidth unit in authentication response packets, accounting request packets, CoA request packets, and CoA ACK packets.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      qos:rate-unit

      qos:rate-unit=kbps

      This attribute specifies the unit of the values carried in the HW-Input-Committed-Information-Rate(HUAWEI-2), HW-Input-Peak-Information-Rate(HUAWEI-3), HW-Output-Committed-Information-Rate(HUAWEI-5), and HW-Output-Peak-Information-Rate(HUAWEI-6) attributes.

    • Example

      qos:rate-unit=kbps

  16. This attribute carries the rate limit mode and statistics counting mode of EDSG services in COA request packets.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      service:traffic-mode

      service:traffic-mode

      This attribute specifies the rate limit mode and statistics counting mode of EDSG services. The value can be 0, 1, or 2.

      • 0: rate limit separation and statistics separation.
      • 1: EDSG service rate limit separation and statistics non-separation.
      • 2: EDSG service rate limit non-separation and statistics non-separation.
    • Example

      service:traffic-mode=1

  17. This attribute carries UP information in authentication request packets and accounting packets of users and value-added services.

    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:nas-type

      subscriber:nas-type=<nas-type>

      This parameter specifies the type of a device and is used to distinguish between forwarding-control separation and non-forwarding-control separation devices. The value is 1 or 2. 1 indicates a non-forwarding-control separation device, and 2 indicates a forwarding-control separation device.

    • Example

      subscriber:nas-type=2

  18. This attribute is used in an authentication response packet to deliver the upstream/downstream traffic policy that takes effect.
    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:traffic-policy-in

      subscriber:traffic-policy-in=<traffic-policy-name>

      The delivered traffic policy takes effect in the upstream direction.

      subscriber:traffic-policy-out

      subscriber:traffic-policy-out=<traffic-policy-name>

      The delivered traffic policy takes effect in the downstream direction.

    • Example

      subscriber:traffic-policy-in=tp

  19. This attribute is used in authentication and accounting requests to send UPIDs.
    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      cu:upid

      cu:upid=<upid>

      This parameter specifies the ID of a BRAS-UP, that is, the value of UP-ID.

    • Example

      cu:upid=1024

  20. This attribute indicates the time when the DS-Lite private IPv4 address is sent in an accounting request.
    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      nat:dslite-private-ipv4-time

      nat:dslite-private-ipv4-time=<timestamp>

      This attribute indicates the time when the DS-Lite private IPv4 address is sent.

    • Example

      nat:dslite-private-ipv4-time=123456

  21. This attribute is used in accounting requests to send the CGN extended port range.
    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      nat:extport

      nat:extport=<startport,endport;>

      This parameter identifies a CGN extended port range.

    • Example

      nat:extport=1,2;4,5;

  22. This attribute is used in accounting requests to send public network VPN indexes.
    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      nat:vpn

      nat:vpn=<vpnindex>

      This parameter specifies the index of a public network VPN.

    • Example

      nat:vpn=123

  23. This attribute is used in accounting requests to send public network VPN indexes.
    • Attribute Description

      Attribute Name

      Attribute Format

      Application Scenarios

      subscriber:link-address

      subscriber:link-address=<radius-template-number>

      This attribute indicates the ID of the server template.

    • Example

      subscriber:link-address=1
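The subscriber:fq rules in item 6 above (value ranges, at most eight queue parameters per delivery, later repeats taking effect, one shaping unit per delivery, the 2000-fold limit on shaping.value, and either shaping or sch being present) can be checked on the RADIUS server side before the attributes are delivered. The following Python code is an added example, not Huawei code; the function names, the (queue, direction) key used to recognise a repeated queue, and every sample AVP except the first are assumptions.

```python
QUEUES = {"cs7", "cs6", "ef", "af4", "af3", "af2", "af1", "be"}
PREFIX = "subscriber:fq="


def _int(text, lo, hi, what):
    """Return text as an int if it is a decimal number within lo..hi."""
    if not (text.isascii() and text.isdigit()) or not lo <= int(text) <= hi:
        raise ValueError(f"{what} must be an integer in {lo}-{hi}, got {text!r}")
    return int(text)


def parse_fq(avpair):
    """Parse one subscriber:fq AVP into a dict; raise ValueError if malformed."""
    if not avpair.startswith(PREFIX):
        raise ValueError(f"not a subscriber:fq attribute: {avpair!r}")
    fields = [f.strip() for f in avpair[len(PREFIX):].split(";")]
    fields = [f for f in fields if f]
    if not fields or fields[0] not in QUEUES:
        raise ValueError(f"unknown queue in {avpair!r}")
    fq = {"queue": fields[0], "dir": "both"}  # no dir means bidirectional
    for field in fields[1:]:
        head, *rest = field.split()
        key, _, val = head.partition("=")
        opts = dict(tok.partition("=")[::2] for tok in rest)
        if key in ("shaping.value", "shaping.percentage") and set(opts) <= {"pbs"}:
            fq["unit"] = key.split(".")[1]
            lo, hi = (8, 4294967294) if fq["unit"] == "value" else (0, 100)
            fq["shaping"] = _int(val, lo, hi, key)
            if "pbs" in opts:
                fq["pbs"] = _int(opts["pbs"], 1, 4194304, "pbs")
        elif key == "sch" and val in ("pq", "lpq") and not opts:
            fq["sch"] = val
        elif key == "sch" and val == "wfq" and set(opts) == {"weight"}:
            fq["sch"] = "wfq"
            fq["weight"] = _int(opts["weight"], 1, 100, "weight")
        elif key == "dir" and val in ("in", "out") and not opts:
            fq["dir"] = val
        else:
            raise ValueError(f"unexpected field {field!r} in {avpair!r}")
    if "shaping" not in fq and "sch" not in fq:
        raise ValueError(f"either shaping or sch must be delivered: {avpair!r}")
    return fq


def check_delivery(avpairs):
    """Check all subscriber:fq AVPs of one Access-Accept or COA message.

    Returns (effective, problems): the queue settings left after repeats are
    resolved, and a list of rule violations found across the delivery.
    """
    problems, parsed, effective = [], [], {}
    if len(avpairs) > 8:
        problems.append(f"{len(avpairs)} queue parameters delivered, maximum is 8")
    for raw in avpairs:
        try:
            fq = parse_fq(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        parsed.append(fq)
        # Assumption: a queue is "repeated" when class and direction both match.
        effective[(fq["queue"], fq["dir"])] = fq  # later delivery wins
    shaped = [fq for fq in parsed if "shaping" in fq]
    if len({fq["unit"] for fq in shaped}) > 1:
        problems.append("shaping.value and shaping.percentage mixed in one delivery")
    values = [fq["shaping"] for fq in shaped if fq["unit"] == "value"]
    if values and max(values) > 2000 * min(values):
        problems.append(f"shaping.value spread {min(values)}..{max(values)} exceeds 2000x")
    return effective, problems


# First line is the example from the page; the rest are constructed samples.
SAMPLE_DELIVERY = [
    "subscriber:fq=ef;shaping.value=1000 pbs=3000;sch=wfq weight=20;dir=out;",
    "subscriber:fq=be;shaping.value=8;sch=pq;dir=out;",
    "subscriber:fq=ef;shaping.value=20000;sch=pq;dir=out;",  # repeats ef/out
    "subscriber:fq=af1;shaping.percentage=50;",              # different unit
    "subscriber:fq=af2;dir=in;",                             # no shaping, no sch
]

if __name__ == "__main__":
    effective, problems = check_delivery(SAMPLE_DELIVERY)
    for key, fq in effective.items():
        print(key, fq)
    for problem in problems:
        print("PROBLEM:", problem)
```

A delivery that passes these checks can still fail to take effect for the device-side reasons listed in item 6, such as CAR rate limiting or a four-flow-queue configuration.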

More Information About HW-DHCPv6-Option (189)

Format of HW-DHCPv6-Option (189)

The values delivered through the RADIUS attribute must be in the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |     Type      |    Length     |          Option Type          |
   +---------------+---------------+-------------------------------+
   |     Value
   +-----------------

The description of each field is as follows:

  • Option Type: 2 bytes

  • Value: option value

HW-DHCPv6-Option (189) Attribute Rules

  • Rule 1: A maximum of eight options can be delivered. If eight valid options have been parsed, the subsequent options are ignored.
  • Rule 2: If a duplicate option is delivered, it replaces the one previously delivered.

    Example for rules 1 and 2: If eight options are delivered and the first and eighth options have the same number, the eighth option replaces the first option. That is to say, only seven options are available. The ninth option can also be parsed successfully in this case.

    If the eight delivered options are different from each other, the ninth delivered option will be ignored.

  • Rule 3: The attribute can be delivered only in Access-Response packets, not in CoA messages.

  • Rule 4: The following options cannot be delivered currently.

    Option Number

    Description

    1

    Client-identifier option

    2

    Server-identifier option

    3

    Identity Association for the Non-temporary Address (IA_NA) option

    4

    Identity association for temporary addresses (IA_TA)

    5

    IPv6 address option

    6

    Option request option

    7

    Priority option

    8

    Time option

    9

    Relay information option

    10

    Unassigned.

    11

    Authentication option

    12

    Option that allows a client to unicast messages to a server

    13

    Status code option

    14

    Two-step message exchange option

    15

    User level option

    18

    Relay agent interface ID option

    19

    Reconfigure Message option

    20

    Reconfigure Accept option

    25

    Identity Association for Prefix Delegation (IA_PD) option

    26

    Prefix option

    37

    Relay agent remote ID option

    38

    Relay agent subscriber ID option

  • Rule 5: If the supported RADIUS attributes need to be delivered through the HW-DHCPv6-Option, they must be translated, and the corresponding check rules are applied during delivery. For example, a packet can carry at most two DNS servers, and the two have the same priority, but the DNS server that is parsed last overrides the other one. This differs from the processing for HW-DNS-Server-IPv6-Address.

    Option Number

    Description

    RADIUS Attribute Number

    Attribute Name

    64

    IPv6 tunnel name in a CGN scenario

    26-166

    HW-DS-Lite-Tunnel-Name

    144

    DS-Lite-Tunnel-Name

    86

    PCP server name

    26-167

    HW-PCP-Server-Name

    23

    IPv6 address of the DNS server

    26-154

    HW-DNS-Server-IPv6-Address

    The RADIUS attributes about DHCPv4 lease (HW-Lease-Time, HW-Renewal-Time, and HW-Rebinding-Time) can be translated and belong to independent options (51, 58, and 59, respectively).

    DHCPv6 lease-related fields belong to Option 5 and Option 26. To avoid the conflict with the options listed in Rule 4, the RADIUS attributes about DHCPv6 lease (HW-IPv6-Prefix-Lease and HW-IPv6-Address-Lease) cannot be translated through HW-DHCPv6-Option.

  • Rule 6: The RADIUS server ensures the validity of options. The BNG does not check the validity of options. If a RADIUS attribute in Rule 5 is translated to a supported RADIUS attribute and delivered, the system checks the validity of the RADIUS attribute. If the attribute fails to pass the check, it is not parsed.
  • Rule 7: The option attributes delivered by the RADIUS server take precedence over locally configured option attributes.
  • Rule 8: Before parsing an option in the HW-DHCPv6-Option attribute, the BRAS determines whether this option can be delivered and checks the basic length of the attribute. If this option cannot be delivered or its length does not meet the requirement, the BRAS ignores this option and continues its traversing. After a round of comprehensive traversing, the BRAS examines ineligible options to see whether these options need to be translated to RADIUS attributes for delivery. If some options cannot be delivered, the corresponding users will fail to go online.
  • Rule 9: To trigger a user that goes offline unexpectedly to go online again, the options sent to the RADIUS server can only be Options 15, 16, 17, 18, 37, 38, and 79 stored in the backup table of the unexpected logout.
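
The HW-DHCPv6-Option (189) layout and Rules 1, 2 and 4 above, modelled as an added Python example (not Huawei code) that predicts which delivered options are kept, so a RADIUS profile can be checked before it is rolled out. It assumes the Length field counts the Type and Length octets as in an RFC 2865 sub-attribute; the function names and the sample option numbers and values are constructed.

```python
import struct

HW_DHCPV6_OPTION = 189  # attribute number from the page
MAX_OPTIONS = 8         # Rule 1
# Rule 4: option numbers the page lists as not deliverable.
BLOCKED = set(range(1, 16)) | {18, 19, 20, 25, 26, 37, 38}


def encode(option, value):
    """Build one attribute: Type, Length, 2-byte Option Type, then the value."""
    length = 4 + len(value)  # assumption: Length includes the 4 header octets
    if not 0 <= option <= 0xFFFF or length > 255:
        raise ValueError("option number or value does not fit the layout")
    return struct.pack("!BBH", HW_DHCPV6_OPTION, length, option) + value


def decode(blob):
    """Split concatenated attributes into a list of (option, value) pairs."""
    options, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 4:
            raise ValueError(f"truncated header at offset {pos}")
        attr_type, length, option = struct.unpack_from("!BBH", blob, pos)
        if attr_type != HW_DHCPV6_OPTION:
            raise ValueError(f"unexpected attribute type {attr_type} at offset {pos}")
        if length < 4 or pos + length > len(blob):
            raise ValueError(f"bad length {length} at offset {pos}")
        options.append((option, blob[pos + 4:pos + length]))
        pos += length
    return options


def effective_options(delivered):
    """Apply Rules 1, 2 and 4 in delivery order.

    Returns (kept, ignored): kept maps option number to the value that takes
    effect; ignored lists (option number, reason) for everything dropped.
    """
    kept, ignored = {}, []
    for option, value in delivered:
        if option in BLOCKED:
            ignored.append((option, "rule 4: cannot be delivered"))
        elif option in kept or len(kept) < MAX_OPTIONS:
            kept[option] = value  # Rule 2: a duplicate replaces the earlier one
        else:
            ignored.append((option, "rule 1: eight options already parsed"))
    return kept, ignored


# Constructed sample: first and eighth options share number 21, then a ninth.
DUPLICATE_CASE = [(21, b"a"), (22, b"b"), (24, b"c"), (27, b"d"), (28, b"e"),
                  (29, b"f"), (30, b"g"), (21, b"A"), (31, b"h")]
# Constructed sample: eight different options, then a ninth.
DISTINCT_CASE = [(21, b"a"), (22, b"b"), (24, b"c"), (27, b"d"), (28, b"e"),
                 (29, b"f"), (30, b"g"), (31, b"h"), (32, b"i")]

if __name__ == "__main__":
    for name, case in (("duplicate", DUPLICATE_CASE), ("distinct", DISTINCT_CASE)):
        wire = b"".join(encode(option, value) for option, value in case)
        kept, ignored = effective_options(decode(wire))
        print(name, "kept:", sorted(kept), "ignored:", ignored)
```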
Update Date:2025-06-30
Document ID:EDOC1100335695