RADIUS Attributes
Attribute Values
The value of each RADIUS attribute has a well-defined data
type.
ClearBox Server distinguishes five basic value types: a number
(possibly with a set of named values), a binary or text string, an IP
or IPX address, and a date/time.
For example, Callback-Number is of string type and contains
a telephone number. NAS-Port-Type is an integer item, and
its numeric values have aliases 'Sync', 'Async', and so forth. Some
attributes may have a Tag field, which provides a means of grouping
attributes in the same packet.
Further information on this page is about RADIUS authorization.
Vendor-Specific Attributes
In addition to the IETF-specified standard attributes, the RFC
allows vendors to create their own attributes for authentication
and accounting settings specific to their own equipment.
This is managed using attribute number 26: any packet with this
attribute ID will have another AV pair nested within it that will
mean something to the RADIUS client and server in use, although not
every RADIUS implementation may understand it.
Examples of these Vendor-Specific Attributes (VSAs) include the
Bay-Primary-DNS-Server (the value is an IP address) for Nortel
equipment, the Microsoft MS-MPPE-Encryption-Type (an integer) or
Cisco's CVPN3000-IPSec-Sec-Association (a string); there are
many more.
Sadly, RFC 2865 doesn't require the contents of the RADIUS
vendor-specific attribute to contain the same fields that normal
attributes use to specify their attribute ID and length. This has
led to variations such as 2- and 4-octet attribute numbers, length
specifications that don't include the attribute and length fields,
multiple vendor attributes inside one encapsulating attribute 26,
etc. Luckily, ClearBox Server can receive and send all
these types of attributes.
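The layout variations described above can be handled by one bounds-checked parser, shown here as an added example (not ClearBox Server code). The names parse_vsa and VSAError, the parameters and the sample Vendor-Id 99999 are assumptions made for illustration.

```python
import struct

class VSAError(ValueError):
    """Attribute 26 does not fit the expected vendor layout."""

def parse_vsa(attr, type_len=1, len_len=1, len_includes_header=True):
    """Parse one whole attribute 26 into (vendor_id, [(vendor_type, value)]).

    type_len / len_len: width in octets of the vendor type and length fields.
    len_includes_header: whether the vendor length counts those two fields.
    """
    if len(attr) < 7 or attr[0] != 26 or attr[1] != len(attr):
        raise VSAError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    data, pos, subs = attr[6:], 0, []
    header = type_len + len_len
    while pos < len(data):
        if len(data) - pos < header:
            raise VSAError("truncated sub-attribute header")
        vtype = int.from_bytes(data[pos:pos + type_len], "big")
        vlen = int.from_bytes(data[pos + type_len:pos + header], "big")
        if len_includes_header:
            if vlen < header:  # would move backwards or loop forever
                raise VSAError("length smaller than its own header")
            vlen -= header
        start = pos + header
        if start + vlen > len(data):  # never read past attribute 26
            raise VSAError("sub-attribute overruns attribute 26")
        subs.append((vtype, data[start:start + vlen]))
        pos = start + vlen
    return vendor_id, subs

# Constructed sample data; Vendor-Id 99999 is a placeholder, not a real vendor.
VENDOR = struct.pack("!I", 99999)
_body = bytes([1, 6, 0, 0, 0, 2, 2, 5]) + b"abc"   # two sub-attributes, 1-octet type
SAMPLE_RFC = bytes([26, 6 + len(_body)]) + VENDOR + _body
_wide = b"\x01\x01\x03xyz"                         # 2-octet type, length = value only
SAMPLE_WIDE = bytes([26, 6 + len(_wide)]) + VENDOR + _wide
SAMPLE_BAD = bytes([26, 10]) + VENDOR + bytes([1, 20, 0, 0])  # length field lies

if __name__ == "__main__":
    print(parse_vsa(SAMPLE_RFC))
    print(parse_vsa(SAMPLE_WIDE, type_len=2, len_includes_header=False))
    try:
        parse_vsa(SAMPLE_BAD)
    except VSAError as exc:
        print("rejected:", exc)
```

Because the layout cannot be detected from the bytes alone, the caller has to supply it per Vendor-Id; parsing SAMPLE_WIDE with the default layout is rejected rather than misread.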
Multi-valued Attributes
Attributes may be single- or multi-valued; in other words,
certain attributes may appear at most once in the Check list or
Response list, while others may appear multiple times. (Read more
about Check lists and Response
lists.)
If an attribute appears more than once in the Check list, this
means that any of the values is valid. For example, ClearBox may be
configured to include both Sync and Async values for
attribute NAS-Port-Type in the Check list. This means that
the user can dial into a Sync port or an Async port, but not into
one of the ISDN ports.
If an attribute appears more than once in the Response list,
this results in each value of the attribute being sent as part of
the response packet. For example, to enable both IP and IPX header
compression for a user, the Framed-Compression attribute
should appear twice in the Response list; once with the value
'VJ-TCP-IP-header-compression' and once with the value
'IPX-header-compression'.
Orderable Attributes
Certain multi-valued Response list attributes are also
orderable; that is, the attribute may appear more than once in a
RADIUS response, and the order in which the attributes appear is
important.
For example, the Reply-Message attribute allows text
messages to be sent back to the user for display. A multi-line
message is sent by including this attribute multiple times in the
Response list, with each line of the message in its proper
sequence.
RADIUS Attributes Reference
A list of standard RADIUS attributes can be found here.
© 2001-2007 XPerience Technologies. www.xperiencetech.com