Attribute List

The following sections describe the most frequently used RADIUS attributes. Each attribute is described as follows:

ATTRIBUTE name value type
Users:user-flags
Hints:hints-flags
Huntgroups:huntgroup-flags
Additivity:additivity
Proxy propagated:prop

These values have the following meaning:

name
The attribute name.
value
The attribute number.
type
The attribute type.
user-flags
Syntax flags defining in which part of `raddb/users' entry this attribute may be used. The flags consist of two letters: `L' means the attribute can be used in LHS, `R' means it can be used in RHS.
hints-flags
Syntax flags defining in which part of `raddb/hints' entry this attribute may be used.
huntgroup-flags
Syntax flags defining in which part of `raddb/huntgroups' entry this attribute may be used.
additivity
The additivity of an attribute determines what happens when a rule attempts to add to the pair list an attribute that is already present in that list. Depending on its value, the server acts as follows:
Append
New attribute is appended to the end of the list.
Replace
New attribute replaces the old.
Drop
New attribute is dropped. The old one remains in the list.
prop
Whether the attribute is propagated back to the NAS when the server works in proxy mode.

The value N/A in any of these fields signifies "not applicable".

Authentication Attributes

These are the attributes the NAS uses in authentication packets and expects to get back in authentication replies. These can be used in matching rules.

User-Name

ATTRIBUTE User-Name 1 string
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Replace
Proxy propagated:Yes

This attribute indicates the name of the user to be authenticated or accounted. It is used in Access-Request and Accounting-Request packets. The maximum length of the username is implementation-defined. By default, Radius supports usernames up to 32 characters long. This value can be changed by redefining the RUT_USERNAME macro in the include/radutmp.h file of the distribution directory and recompiling the program.

Some NASes have peculiarities in sending long usernames. For example, the Specialix Jetstream 8500 24-port access server inserts a `/' character after the 10th character if the username is longer than 10 characters. In such cases we recommend applying rewrite functions to bring the username to its "normal" form (see section Rewrite functions -- `raddb/rewrite').

Password

ATTRIBUTE Password 2 string
Users:L-
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:No

This Password attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets.

On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16-octet segment of the password and placed in the first 16 octets of the String field of the Password attribute.

If the password is longer than 16 characters, a second one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the result of the first XOR. That hash is XORed with the second 16-octet segment of the password and placed in the second 16 octets of the String field of the Password attribute.

If necessary, this operation is repeated, with each XOR result being used along with the shared secret to generate the next hash, which is XORed with the next segment of the password, up to a limit of 128 characters.

CHAP-Password

ATTRIBUTE CHAP-Password 3 string
Users:L-
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:No

This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets.

The CHAP challenge value is found in the CHAP-Challenge Attribute (60) if present in the packet, otherwise in the Request Authenticator field.
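The following Python program is an added example, not code from GNU Radius. It implements the Password hiding described above (the NUL-padded, MD5-chained XOR) together with its reverse as a server would perform it, and the server-side check of a CHAP-Password, which means recomputing the standard CHAP response MD5(ident || password || challenge) of RFC 1994 and comparing it against the 16 octets that follow the ident octet in the attribute. The shared secret, Request Authenticator and passwords in it are constructed sample values.

```python
"""Added example (not GNU Radius code): Password attribute hiding and
CHAP-Password verification. All key material below is constructed."""
import hashlib
import hmac

MAX_PASSWORD_LEN = 128   # limit stated in the Password description
BLOCK = 16               # MD5 digest size == password segment size


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Build the String field of a Password attribute.

    Segment p_i of the NUL-padded password is XORed with
    c_i = MD5(secret + prev), where prev is the Request Authenticator for
    the first segment and the previous XOR result afterwards.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:                      # an empty password still occupies one segment
        padded = b"\x00" * BLOCK
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        seg = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], mask))
        out += seg
        prev = seg                      # the next hash chains on this XOR result
    return bytes(out)


def unhide_password(field: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext from a hidden String field (what the server does).

    Trailing NULs are padding and are removed, so a password that itself
    ends in NUL octets cannot be carried by this attribute.
    """
    if not field or len(field) % BLOCK or len(field) > MAX_PASSWORD_LEN:
        raise ValueError("String field must be 16..128 octets, a multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(field), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        seg = field[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(seg, mask))
        prev = seg                      # chaining uses the *hidden* segment
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Standard CHAP response (RFC 1994): MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """Check a CHAP-Password value: 1 octet CHAP ident followed by the
    16-octet response. `challenge` is the CHAP-Challenge attribute value if
    the request carries one, otherwise the Request Authenticator."""
    if len(chap_password) != 1 + BLOCK:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, password, challenge), response)


if __name__ == "__main__":
    secret = b"shared-secret"                   # constructed
    authenticator = bytes(range(16))            # constructed; real ones are random
    hidden = hide_password(b"guess", secret, authenticator)
    print(len(hidden), hidden.hex())
    print(unhide_password(hidden, secret, authenticator))
    resp = chap_response(1, b"guess", authenticator)
    print(verify_chap(bytes([1]) + resp, b"guess", authenticator))
```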

NAS-IP-Address

ATTRIBUTE NAS-IP-Address 4 ipaddr
Users:L-
Hints:-R
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This attribute indicates the identifying IP address of the NAS which is requesting authentication of the user. It is only used in Access-Request packets. Each Access-Request packet should contain either the NAS-IP-Address or the NAS-Identifier attribute (see section NAS-Identifier).

NAS-Port-Id

ATTRIBUTE NAS-Port-Id 5 integer
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This attribute indicates the physical port number of the NAS which is authenticating the user. It is only used in Access-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number.

Some NASes try to encode various information in the NAS-Port-Id attribute value. For example, the MAX Ascend terminal server constructs NAS-Port-Id by concatenating the line type (one digit), the line number (two digits) and the channel number (two digits), thus producing a 5-digit port number. To "normalize" such encoded port numbers we recommend using a rewrite function (see section Rewrite functions -- `raddb/rewrite'). A rewrite function for MAX Ascend servers is provided in the distribution.

Service-Type

ATTRIBUTE Service-Type 6 integer
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Replace
Proxy propagated:Yes
    VALUE      Service-Type      Login-User           1       
    VALUE      Service-Type      Framed-User          2       
    VALUE      Service-Type      Callback-Login-User  3       
    VALUE      Service-Type      Callback-Framed-User 4       
    VALUE      Service-Type      Outbound-User        5       
    VALUE      Service-Type      Administrative-User  6       
    VALUE      Service-Type      NAS-Prompt-User      7       
    VALUE      Service-Type      Authenticate-Only    8       
    VALUE      Service-Type      Call-Check           10      

This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets.

When used in an Access-Request, the Service-Type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated.

When used in an Access-Accept, the Service-Type is an indication to the NAS that the user must be provided this type of service.

The meaning of various service-types is as follows:

Login-User
The user should be connected to a host.
Framed-User
A Framed Protocol should be started for the User, such as PPP or SLIP. The Framed-IP-Address attribute (see section Framed-IP-Address) would supply the IP address to be used.
Callback-Login-User
The user should be disconnected and called back, then connected to a host.
Callback-Framed-User
The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP.
Outbound-User
The user should be granted access to outgoing devices.
Administrative-User
The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
NAS-Prompt
The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
Authenticate-Only
Only authentication is requested, and no authorization information needs to be returned in the Access-Accept.
Call-Check
Callback-NAS-Prompt
The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed.

Framed-Protocol

ATTRIBUTE Framed-Protocol 7 integer
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Replace
Proxy propagated:Yes
    VALUE      Framed-Protocol   PPP                  1       
    VALUE      Framed-Protocol   SLIP                 2       

This Attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets.

Framed-IP-Address

ATTRIBUTE Framed-IP-Address 8 ipaddr
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Replace
Proxy propagated:No

This Attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.

The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user's IP address.

When used in the RHS, the value of this attribute may optionally be followed by a plus sign. This means that the value of NAS-Port-Id must be added to this IP address before replying. For example:

            Framed-IP-Address = 10.10.0.1+

See also section Add-Port-To-IP-Address.

Framed-IP-Netmask

ATTRIBUTE Framed-IP-Netmask 9 ipaddr
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Replace
Proxy propagated:No

This Attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.

Framed-Routing

ATTRIBUTE Framed-Routing 10 integer
Users:-R
Hints:-R
Huntgroups:-R
Additivity:Replace
Proxy propagated:No
    VALUE      Framed-Routing    None                 0       
    VALUE      Framed-Routing    Broadcast            1       
    VALUE      Framed-Routing    Listen               2       
    VALUE      Framed-Routing    Broadcast-Listen     3       

This Attribute indicates the routing method for the user, when the user is a router to a network. It is only used in Access-Accept packets.

Framed-MTU

ATTRIBUTE Framed-MTU 12 integer
Users:LR
Hints:-R
Huntgroups:-R
Additivity:Replace
Proxy propagated:Yes

This Attribute indicates the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.

Framed-Compression

ATTRIBUTE Framed-Compression 13 integer
Users:LR
Hints:-R
Huntgroups:LR
Additivity:Replace
Proxy propagated:Yes
    VALUE      Framed-Compression  None                 0       
    VALUE      Framed-Compression  Van-Jacobson-TCP-IP  1       

This Attribute indicates a compression protocol to be used for the link. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.

More than one compression protocol Attribute may be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.

Reply-Message

ATTRIBUTE Reply-Message 18 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Append
Proxy propagated:Yes

This Attribute indicates text which may be displayed to the user.

When used in an Access-Accept, it is the success message.

When used in an Access-Reject, it is the failure message. It may indicate a dialog message to prompt the user before another Access-Request attempt.

When used in an Access-Challenge, it may indicate a dialog message to prompt the user for a response.

Multiple Reply-Message attributes may be included and if any are displayed, they must be displayed in the same order as they appear in the packet.

Callback-Number

ATTRIBUTE Callback-Number 19 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

This Attribute indicates a dialing string to be used for callback. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.

Callback-Id

ATTRIBUTE Callback-Id 20 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

This Attribute indicates the name of a place to be called, to be interpreted by the NAS. It may be used in Access-Accept packets.

Framed-Route

ATTRIBUTE Framed-Route 22 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.

State

ATTRIBUTE State 24 string
Users:LR
Hints:LR
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

This Attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action Attribute with the value of RADIUS-Request. If the NAS performs the Termination-Action by sending a new Access-Request upon termination of the current session, it MUST include the State attribute unchanged in that Access-Request.

In either usage, no interpretation by the client should be made. A packet may have only one State Attribute.

Class

ATTRIBUTE Class 25 string
Users:LR
Hints:LR
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This Attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported.

Vendor-Specific

ATTRIBUTE Vendor-Specific 26 string
Users:LR
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:No

This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage.

Session-Timeout

ATTRIBUTE Session-Timeout 27 integer
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:Yes

This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.

Idle-Timeout

ATTRIBUTE Idle-Timeout 28 integer
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:Yes

This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.

Termination-Action

ATTRIBUTE Termination-Action 29 integer
Users:LR
Hints:-R
Huntgroups:-R
Additivity:Replace
Proxy propagated:No
    VALUE      Termination-Action  Default              0       
    VALUE      Termination-Action  RADIUS-Request       1       

This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.

Called-Station-Id

ATTRIBUTE Called-Station-Id 30 string
Users:L-
Hints:-R
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.

Calling-Station-Id

ATTRIBUTE Calling-Station-Id 31 string
Users:L-
Hints:-R
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

NAS-Identifier

ATTRIBUTE NAS-Identifier 32 string
Users:L-
Hints:-R
Huntgroups:LR
Additivity:Append
Proxy propagated:No

This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier should be present in an Access-Request packet.

See section NAS-IP-Address.

NAS-Port-Type

ATTRIBUTE NAS-Port-Type 61 integer
Users:--
Hints:--
Huntgroups:--
Additivity:Append
Proxy propagated:No
    VALUE      NAS-Port-Type     Async                0       
    VALUE      NAS-Port-Type     Sync                 1       
    VALUE      NAS-Port-Type     ISDN                 2       
    VALUE      NAS-Port-Type     ISDN-V120            3       
    VALUE      NAS-Port-Type     ISDN-V110            4       

This attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of, or in addition to, the NAS-Port-Id attribute (see section NAS-Port-Id). It is only used in Access-Request packets. Either NAS-Port-Id or NAS-Port-Type or both should be present in an Access-Request packet, if the NAS differentiates among its ports.

Accounting Attributes

These are attributes the NAS sends along with accounting requests. These attributes cannot be used in matching rules.

Acct-Status-Type

ATTRIBUTE Acct-Status-Type 40 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A
    VALUE           Acct-Status-Type        Start                   1
    VALUE           Acct-Status-Type        Stop                    2   
    VALUE           Acct-Status-Type        Alive                   3
    VALUE           Acct-Status-Type        Accounting-On           7
    VALUE           Acct-Status-Type        Accounting-Off          8

This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop).

It may also be used to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.

The special value Alive (also called Interim-Update) marks a packet that carries additional data supplementing the initial Start record or the last Alive record.

Acct-Delay-Time

ATTRIBUTE Acct-Delay-Time 41 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)

Acct-Input-Octets

ATTRIBUTE Acct-Input-Octets 42 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Acct-Output-Octets

ATTRIBUTE Acct-Output-Octets 43 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Acct-Session-Id

ATTRIBUTE Acct-Session-Id 44 string
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session must have the same Acct-Session-Id. An Accounting-Request packet must have an Acct-Session-Id. An Access-Request packet may have an Acct-Session-Id; if it does, then the NAS must use the same Acct-Session-Id in the Accounting-Request packets for that session.

Acct-Authentic

ATTRIBUTE Acct-Authentic 45 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A
    VALUE           Acct-Authentic          RADIUS          1
    VALUE           Acct-Authentic          Local           2
    VALUE           Acct-Authentic          Remote          3

This attribute may be included in an Accounting-Request to indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated should not generate Accounting records.

Acct-Session-Time

ATTRIBUTE Acct-Session-Time 46 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Acct-Input-Packets

ATTRIBUTE Acct-Input-Packets 47 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Acct-Output-Packets

ATTRIBUTE Acct-Output-Packets 48 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A

This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Acct-Terminate-Cause

ATTRIBUTE Acct-Terminate-Cause 49 integer
Users:--
Hints:--
Huntgroups:--
Additivity:N/A
Proxy propagated:N/A
    VALUE           Acct-Terminate-Cause    User-Request            1
    VALUE           Acct-Terminate-Cause    Lost-Carrier            2
    VALUE           Acct-Terminate-Cause    Lost-Service            3
    VALUE           Acct-Terminate-Cause    Idle-Timeout            4
    VALUE           Acct-Terminate-Cause    Session-Timeout         5
    VALUE           Acct-Terminate-Cause    Admin-Reset             6
    VALUE           Acct-Terminate-Cause    Admin-Reboot            7
    VALUE           Acct-Terminate-Cause    Port-Error              8
    VALUE           Acct-Terminate-Cause    NAS-Error               9
    VALUE           Acct-Terminate-Cause    NAS-Request             10
    VALUE           Acct-Terminate-Cause    NAS-Reboot              11
    VALUE           Acct-Terminate-Cause    Port-Unneeded           12
    VALUE           Acct-Terminate-Cause    Port-Preempted          13
    VALUE           Acct-Terminate-Cause    Port-Suspended          14
    VALUE           Acct-Terminate-Cause    Service-Unavailable     15
    VALUE           Acct-Terminate-Cause    Callback                16
    VALUE           Acct-Terminate-Cause    User-Error              17
    VALUE           Acct-Terminate-Cause    Host-Request            18

This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

Radius Internal Attributes

These are attributes used by GNU Radius during the processing of a request. They are never returned to the NAS. Mostly they are used in matching rules.

Auth-Type

ATTRIBUTE Auth-Type 1000 integer
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:No
    VALUE      Auth-Type         Local                0       
    VALUE      Auth-Type         System               1       
    VALUE      Auth-Type         Crypt-Local          3       
    VALUE      Auth-Type         Reject               4       
    VALUE      Auth-Type         SQL                  252     
    VALUE      Auth-Type         Pam                  253     
    VALUE      Auth-Type         Accept               254     

This attribute tells the server which type of authentication to apply to a particular user. It can be used in LHS of the user's profile. See section Authentication.

Radius interprets values of Auth-Type attribute as follows:

Local
The value of the Password attribute from the record is taken as a cleartext password and is compared against the Password value from the input packet.
System
This means that the user's password is stored in the system password database. Radius queries the operating system to determine whether the username/password supplied in the incoming packet are OK.
Crypt-Local
The value of the Password attribute from the record is taken as an MD5 hash of the user's password. Radius computes the MD5 hash of the supplied Password value and compares the two strings.
Reject
Authentication fails.
Accept
Authentication succeeds.
SQL
Mysql
The MD5-encrypted user's password is queried from the SQL database (see section SQL Authentication Type). Mysql is an alias maintained for compatibility with other versions of Radius.
Pam
The username/password combination is checked using PAM.

Auth-Data

ATTRIBUTE Auth-Data 2006 string
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Replace
Proxy propagated:N/A

Auth-Data can be used to pass additional data to the authentication methods that need it. In version 0.96 of GNU Radius, this attribute may be used in conjunction with the SQL and Pam authentication types. When used with the Pam authentication type, this attribute holds the name of the PAM service to use. This attribute is temporarily appended to the authentication request, so its value can be referenced as %C{Auth-Data}. See section Authentication Server Parameters, for an example of using the Auth-Data attribute in `raddb/sqlserver'.

Menu

ATTRIBUTE Menu 1001 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

This attribute should be used in the RHS. If it is used, it should be the only reply item.

The Menu attribute specifies the name of the menu to be presented to the user. The corresponding menu code is looked up in `RADIUS_DIR/menus/' directory (see section Login Menus -- `raddb/menus').

Termination-Menu

ATTRIBUTE Termination-Menu 1002 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

This attribute should be used in the RHS. If it is used, it should be the only reply item.

The Termination-Menu specifies the name of the menu file to be presented to the user after finishing his session. The corresponding menu code is looked up in `RADIUS_DIR/menus/' directory (see section Login Menus -- `raddb/menus').

Prefix

ATTRIBUTE Prefix 1003 string
Users:L-
Hints:L-
Huntgroups:LR
Additivity:Append
Proxy propagated:No

The Prefix attribute indicates the prefix the username must begin with in order for a particular record in the profile to be matched. This attribute should be specified in the LHS of the `users' or `hints' file.

For example, if the `users' file contained:

    DEFAULT Prefix = "U", Auth-Type = System
                    Service-Type = Login-User

then usernames `Ugray' and `Uyoda' would match this record, whereas `gray' and `yoda' would not.

Both Prefix and Suffix attributes may be specified in a profile. In this case the record is matched only if the username contains both prefix and suffix specified.

See section Suffix, and section Strip-User-Name.

Suffix

ATTRIBUTE Suffix 1004 string
Users:L-
Hints:L-
Huntgroups:LR
Additivity:Append
Proxy propagated:No

The Suffix attribute indicates the suffix the username must end with in order for a particular record in the profile to be matched. This attribute should be specified in the LHS of the `users' or `hints' file.

For example, if the `users' file contained:

    DEFAULT Suffix = ".ppp", Auth-Type = System, Strip-User-Name = Yes
            Service-Type = Framed-User,
                    Framed-Protocol = PPP        

then usernames `gray.ppp' and `yoda.ppp' would match this record, whereas `gray' and `yoda' would not.

Both Prefix and Suffix attributes may be specified in a profile. In this case the record is matched only if the username contains both prefix and suffix specified.

See section Prefix, and section Strip-User-Name.

Group

ATTRIBUTE Group 1005 string
Users:L-
Hints:L-
Huntgroups:LR
Additivity:Append
Proxy propagated:No

Crypt-Password

ATTRIBUTE Crypt-Password 1006 string
Users:L-
Hints:--
Huntgroups:--
Additivity:Append
Proxy propagated:No

This attribute is intended to be used in user's profile LHS. It specifies the MD5 hash of the user's password. When this attribute is present, Auth-Type = Crypt-Local is assumed. If both Auth-Type and Crypt-Password are present, the value of Auth-Type is ignored.

See section Auth-Type.

Huntgroup-Name

ATTRIBUTE Huntgroup-Name 221 string
Users:L-
Hints:-R
Huntgroups:LR
Additivity:Append
Proxy propagated:No

The Huntgroup-Name can be used either in LHS of the `users' file record or in RHS of the `huntgroups' file record.

When encountered in the LHS of a particular `users' profile, this attribute indicates the huntgroup name to be matched. Radius looks up the corresponding record in the `huntgroups' file. If such a record is found, each A/V pair from its reply-list is compared against the corresponding pair from the request being processed. The request matches only if it contains all the attributes from the specified huntgroup, and their values satisfy the conditions listed in the huntgroup pairs.

For example, suppose that the authentication request contained the following attributes:

    User-Name = "john",
    Password = "guess",
    NAS-IP-Address = 10.11.11.1,
    NAS-Port-Id = 24

Let us further suppose that the `users' file contains the following entry:

    john    Huntgroup-Name = "users_group",
                    Auth-Type = System
            Service-Type = Login

and, finally, `huntgroups' contains the following entry:

    users_group     NAS-IP-Address = 10.11.11.1
                    NAS-Port-Id < 32

Then the authentication request would succeed since it contains NAS-Port-Id attribute and its value is less than 32.

See section Huntgroups -- `raddb/huntgroups'.

Simultaneous-Use

ATTRIBUTE Simultaneous-Use 1034 integer
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:No

This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is already logged in this number of times, any surplus attempts to log in are rejected.

See section Checking Simultaneous Logins.

Strip-User-Name

ATTRIBUTE Strip-User-Name 1035 integer
Users:LR
Hints:LR
Huntgroups:-R
Additivity:Append
Proxy propagated:No
    VALUE      Strip-User-Name   No                   0       
    VALUE      Strip-User-Name   Yes                  1       

The value of Strip-User-Name indicates whether Radius should strip any prefixes/suffixes specified in the user's profile from the user name. When set to Yes, usernames are logged and accounted without any prefixes/suffixes.

A user may have several usernames for different kinds of services. In this case, differentiating the usernames by their prefixes and stripping them off before accounting helps keep the accounting records consistent.

For example, let's suppose the `users' file contains:

    DEFAULT Suffix = ".ppp",
                    Strip-User-Name = Yes,
                    Auth-Type = SQL
            Service-Type = Framed-User,
                    Framed-Protocol = PPP
    
    DEFAULT Suffix = ".slip",
                    Strip-User-Name = Yes,
                    Auth-Type = SQL
            Service-Type = Framed-User,
                    Framed-Protocol = SLIP

Now, user `johns', who has a valid account in the SQL database, logs in as `johns.ppp'. He is then provided the PPP service, and his PPP session is accounted under the username `johns'. Later on, he logs in as `johns.slip'. In this case he is provided the SLIP service, and again his session is accounted under his real username `johns'.
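The following Python program is an added example, not code from GNU Radius. It models how the Prefix and Suffix check items decide whether a `users' record matches a user name, and which name is then authenticated and accounted when Strip-User-Name = Yes. The two records in it are the DEFAULT entries from the example above; the user names are constructed.

```python
"""Added example (not GNU Radius code): Prefix / Suffix matching and
Strip-User-Name handling for `users' records."""
from typing import Optional


def match_username(username: str, prefix: str = "", suffix: str = "",
                   strip: bool = False) -> Optional[str]:
    """Return the name to use for the request if the record matches, else None.

    When both Prefix and Suffix are given the name must carry both, and they
    may not overlap: something must be left after stripping them off.
    """
    if len(username) <= len(prefix) + len(suffix):
        return None
    if not username.startswith(prefix) or not username.endswith(suffix):
        return None
    if strip:
        return username[len(prefix):len(username) - len(suffix)]
    return username


# (Prefix, Suffix, Strip-User-Name, Auth-Type, reply pairs) per DEFAULT record,
# in file order, as in the Strip-User-Name example above.
PROFILES = [
    ("", ".ppp", True, "SQL",
     {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}),
    ("", ".slip", True, "SQL",
     {"Service-Type": "Framed-User", "Framed-Protocol": "SLIP"}),
]


def lookup(username: str, profiles=PROFILES):
    """First matching record wins: return (name to authenticate and account
    under, Auth-Type, reply pairs), or None when no record matches."""
    for prefix, suffix, strip, auth_type, reply in profiles:
        name = match_username(username, prefix, suffix, strip)
        if name is not None:
            return name, auth_type, dict(reply)
    return None


if __name__ == "__main__":
    for login in ("johns.ppp", "johns.slip", "johns", "Ugray.ppp"):
        print(login, "->", lookup(login))
```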

Fall-Through

ATTRIBUTE Fall-Through 1036 integer
Users:LR
Hints:LR
Huntgroups:--
Additivity:Append
Proxy propagated:No
    VALUE      Fall-Through      No                   0       
    VALUE      Fall-Through      Yes                  1       

The Fall-Through attribute should be used in the reply-list. If its value is set to Yes in a particular record, it indicates to Radius that it should continue looking up further records even though this record matches the request. It can be used to provide default values for several profiles.

Consider the following example. Let's suppose the `users' file contains the following:

    
    johns   Auth-Type = SQL
                    Framed-IP-Address = 11.10.10.251,
                    Fall-Through = Yes
    
    smith   Auth-Type = SQL
                    Framed-IP-Address = 11.10.10.252,
                    Fall-Through = Yes
    
    DEFAULT NAS-IP-Address = 11.10.10.1
            Service-Type = Framed-User,
                    Framed-Protocol = PPP
    

Then, after a particular user's record has matched, the matching continues until it finds the DEFAULT entry, which adds its RHS to the reply pairs for this request. The effect is that if user `johns' authenticates successfully, he gets the following reply pairs:

            Service-Type = Framed-User,
            Framed-Protocol = PPP,  
            Framed-IP-Address = 11.10.10.251

whereas user smith gets

            Service-Type = Framed-User,
            Framed-Protocol = PPP,  
            Framed-IP-Address = 11.10.10.252

Please note that the attribute Fall-Through itself is never returned to the NAS.
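As an added example (not GNU Radius code), the lookup described above modelled in Python: the entries are the `users' file from this section (Auth-Type checking left out), a match ends the search unless the entry carries Fall-Through = Yes, and the Fall-Through pair itself never reaches the reply.

```python
# Added example, not GNU Radius code: a minimal model of the `users' lookup above.
# Entries are (name, check_pairs, reply_pairs); constructed from the example entry,
# with Auth-Type handling left out.
USERS = [
    ("johns", {}, [("Framed-IP-Address", "11.10.10.251"), ("Fall-Through", "Yes")]),
    ("smith", {}, [("Framed-IP-Address", "11.10.10.252"), ("Fall-Through", "Yes")]),
    ("DEFAULT", {"NAS-IP-Address": "11.10.10.1"},
     [("Service-Type", "Framed-User"), ("Framed-Protocol", "PPP")]),
]


def lookup(users, request):
    """Return the reply pairs for `request` (dict attribute -> value, including
    User-Name), or None when no entry matches. A matching entry ends the search
    unless its RHS carries Fall-Through = Yes; that pair is never copied out."""
    reply = None
    for name, check, rhs in users:
        # an entry applies to its named user only, DEFAULT applies to everyone
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        # every LHS (check) pair must be present in the request with the same value
        if any(request.get(attr) != value for attr, value in check.items()):
            continue
        reply = [] if reply is None else reply
        fall_through = False
        for attr, value in rhs:
            if attr == "Fall-Through":
                fall_through = (value == "Yes")   # internal: not returned to NAS
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return reply
```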

Add-Port-To-IP-Address

ATTRIBUTE Add-Port-To-IP-Address 1037 integer
Users:-R
Hints:-R
Huntgroups:--
Additivity:Replace
Proxy propagated:No
    VALUE      Add-Port-To-IP-Address  No                   0       
    VALUE      Add-Port-To-IP-Address  Yes                  1       

If this attribute is present in the RHS and has the value Yes, then the value of the NAS-Port-Id attribute from the authentication request is added to the value of the Framed-IP-Address attribute from the RHS, and the resulting value is returned to the NAS in the Framed-IP-Address attribute.

This provides the simplest form of organizing IP address pools.

This attribute is implicitly added to the RHS when the value of a Framed-IP-Address attribute ends with a `+' sign. For example, the following:

            Framed-IP-Address = 10.10.0.1+

is equivalent to

            Framed-IP-Address = 10.10.0.1,
            Add-Port-To-IP-Address = Yes
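An added example (not GNU Radius code) of the address arithmetic described above, including the expansion of the `+' shorthand. It assumes that "added to" means integer addition on the 32-bit address, so the sum carries across octet boundaries; the optional pool guard is an addition of this example, not a server feature.

```python
import ipaddress

# Added example, not GNU Radius code: models Add-Port-To-IP-Address as described
# above. Assumption: the NAS-Port-Id is added to the 32-bit address as an integer,
# so the sum carries across octet boundaries (10.10.0.250 + 10 -> 10.10.1.4).


def expand_plus_form(reply):
    """Rewrite `Framed-IP-Address = a.b.c.d+` into the explicit two-attribute
    form. `reply` is the entry's RHS as a list of (attribute, value) pairs."""
    out = []
    for attr, value in reply:
        if attr == "Framed-IP-Address" and value.endswith("+"):
            out.append((attr, value[:-1]))
            out.append(("Add-Port-To-IP-Address", "Yes"))
        else:
            out.append((attr, value))
    return out


def framed_ip_for_port(base_ip, nas_port_id, pool=None):
    """Address handed to the NAS for port `nas_port_id`. `pool` (e.g. "10.10.0.0/24")
    is an added guard: a port number larger than the pool would otherwise yield
    an address from a neighbouring range without any error."""
    addr = ipaddress.IPv4Address(base_ip) + int(nas_port_id)
    if pool is not None and addr not in ipaddress.IPv4Network(pool):
        raise ValueError("NAS-Port-Id %s maps to %s, outside pool %s"
                         % (nas_port_id, addr, pool))
    return str(addr)


def apply_add_port(reply, request, pool=None):
    """Reply pairs for the NAS from RHS `reply` and request pairs `request` (dict).
    Assumed here: the control attribute itself is not returned to the NAS."""
    reply = expand_plus_form(reply)
    if ("Add-Port-To-IP-Address", "Yes") not in reply:
        return reply
    port = request["NAS-Port-Id"]
    out = []
    for attr, value in reply:
        if attr == "Add-Port-To-IP-Address":
            continue
        if attr == "Framed-IP-Address":
            value = framed_ip_for_port(value, port, pool)
        out.append((attr, value))
    return out
```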

Exec-Program

ATTRIBUTE Exec-Program 1038 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

When present in RHS, the Exec-Program attribute specifies the full pathname and arguments for the program to be executed when the entry matches.

The command line can reference any attributes from both check and reply pairlists using attribute macros (see section Macro Substitution).

Before executing the program, radiusd switches to the uid and gid of user daemon, group daemon. You can override these defaults by setting the variables exec-program-user and exec-program-group in the configuration file to proper values (see section option block).

The daemon does not wait for the process to terminate.

Example

Suppose the `users' file contains the following entry:

    DEFAULT Auth-Type = System,
                    Simultaneous-Use = 1
            Exec-Program = "/usr/local/sbin/logauth \
                            %C{User-Name} \
                            %C{Calling-Station-Id}"

Then, upon successful matching, the program `/usr/local/sbin/logauth' will be executed. It will get as its arguments the values of User-Name and Calling-Station-Id attributes from the request pairs.

Exec-Program-Wait

ATTRIBUTE Exec-Program-Wait 1039 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Replace
Proxy propagated:No

When present in RHS, the Exec-Program-Wait attribute specifies the full pathname and arguments for the program to be executed when the entry matches.

The command line can reference any attributes from both check and reply pairlists using attribute macros (see section Macro Substitution).

Before executing the program, radiusd switches to the uid and gid of user daemon, group daemon. You can override these defaults by setting the variable exec-program-user in the configuration file to a proper value (see section option block).

The daemon will wait until the program terminates. The return value of its execution determines whether the entry matches. If the program exits with a non-zero code, the match fails. If it exits with a zero code, the match succeeds. In this case the standard output of the program is read and parsed as if it were a pairlist. The attributes thus obtained are added to the entry's reply attributes.

Example

Suppose the `users' file contains the following entry:

    DEFAULT Auth-Type = System,
                    Simultaneous-Use = 1
            Exec-Program-Wait = "/usr/local/sbin/telauth \
                                 %C{User-Name} \
                                 %C{Calling-Station-Id}"

Then, upon successful matching, the program `/usr/local/sbin/telauth' will be executed. It will get as its arguments the values of User-Name and Calling-Station-Id attributes from the request pairs.

The `/usr/local/sbin/telauth' can, for example, contain the following:

    #! /bin/sh
    # $1 is User-Name, $2 is Calling-Station-Id (the arguments passed above).
    DB=/var/db/userlist
    
    # -q: print nothing, because everything written to stdout is parsed as a
    # pairlist and would end up in the reply.
    # -x -F: the whole line must equal "$1:$2" literally, so regex characters in
    # the arguments cannot match other records and "johns:123" does not match
    # the record "johns:1234".
    if grep -qxF -- "$1:$2" "$DB"; then
            echo "Service-Type = Login,"
            echo "Session-Timeout = 1200"
            exit 0
    else
            echo "Reply-Message = \"You are not authorized to log in\""
            exit 1
    fi

It is assumed that `/var/db/userlist' contains a list of username:caller-id pairs for those users that are authorized to use login service.

Acct-Ext-Program

ATTRIBUTE Acct-Ext-Program 2008 string
Users:--
Hints:-R
Huntgroups:--
Additivity:Replace
Proxy propagated:N/A

The Acct-Ext-Program attribute can be used in the RHS of a `raddb/hints' entry to specify the full path and arguments of an external program to be executed for each accounting request.

The command line can reference any attributes from both check and reply pairlists using attribute macros (see section Macro Substitution).

Before executing the program, radiusd switches to the uid and gid of user daemon, group daemon. You can override these defaults by setting the variables exec-program-user and exec-program-group in the configuration file to proper values (see section option block).

The accounting program must exit with status 0 to indicate successful accounting.

Hint

ATTRIBUTE Hint 1040 string
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:No

Use the Hint attribute to specify an additional matching criterion depending on the hint (see section Request Processing Hints -- `raddb/hints').

Let the `hints' contain:

    DEFAULT         Prefix = "S", Strip-User-Name = No      Hint = "SLIP"

and the `users' file contain:

    DEFAULT Hint = "SLIP",
                    NAS-IP-Address = 11.10.10.12,
                    Auth-Type = System
            Service-Type = Framed-User,
                    Framed-Protocol = SLIP

Then any user having a valid system account and coming from NAS `11.10.10.12' will be provided SLIP service if his username starts with `S'.

Pam-Auth

ATTRIBUTE Pam-Auth 1041 string
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:No

The Pam-Auth attribute can be used in conjunction with

    Auth-Type = Pam

to supply the PAM service name instead of the default `radius'. It is ignored if Auth-Type attribute is not set to Pam.

Login-Time

ATTRIBUTE Login-Time 1042 string
Users:L-
Hints:--
Huntgroups:--
Additivity:Append
Proxy propagated:No

The Login-Time attribute specifies the time range when the user is allowed to log in. The attribute should be specified in LHS.

The format of the Login-Time string is the same as that of UUCP time ranges. The following description of the time range format is adapted from the documentation for the Taylor UUCP package:

A time string may be a list of simple time strings separated with a vertical bar `|' or a comma `,'.

Each simple time string must begin either with a day of week abbreviation (one of: `Su', `Mo', `Tu', `We', `Th', `Fr', or `Sa'), or `Wk' for any day between Monday and Friday inclusive, or `Any' or `Al' for any day.

Following the day may be a range of hours separated with a hyphen using 24 hour time. The range of hours may cross 0; for example `2300-0700' means any time except 7 AM to 11 PM. If no time is given, calls may be made at any time on the specified day(s).

The time string may also be the single word `Never', which does not match any time.

Here are a few sample time strings with an explanation of what they mean.

`Wk2305-0855,Sa,Su2305-1655'
This means weekdays before 8:55 AM or after 11:05 PM, any time Saturday, or Sunday before 4:55 PM or after 11:05 PM. These are approximately the times during which night rates apply to phone calls in the U.S.A. Note that this time string uses, for example, `2305' rather than `2300'; this will ensure a cheap rate phone call even if the computer clock is running up to five minutes ahead of the real time.
`Wk0905-2255,Su1705-2255'
This means weekdays from 9:05 AM to 10:55 PM, or Sunday from 5:05 PM to 10:55 PM. This is approximately the opposite of the previous example.
`Any'
This means any day. Since no time is specified, it means any time on any day.
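An added example (not GNU Radius code) that evaluates a Login-Time string in the format described above against a point in time, including ranges that cross midnight and the `Never' keyword. The page does not say whether the end minute of a range is included; this example assumes the start minute is included and the end minute excluded, so `2300-0700' admits 23:00 and rejects 07:00.

```python
from datetime import datetime

# Added example, not GNU Radius code: evaluates a Login-Time string in the UUCP
# time-range format described above. Assumptions: an hour range includes its
# start minute and excludes its end minute (`2300-0700' admits 23:00, rejects
# 07:00), `|' and `,' may be mixed, and surrounding whitespace is ignored.
DAYS = {
    "Su": (6,), "Mo": (0,), "Tu": (1,), "We": (2,), "Th": (3,), "Fr": (4,),
    "Sa": (5,), "Wk": (0, 1, 2, 3, 4), "Any": tuple(range(7)), "Al": tuple(range(7)),
}

def parse_simple(spec):
    """One simple time string -> (weekdays, start, end); start/end are minutes
    since midnight, or None when the day carries no hour range."""
    for abbr, days in DAYS.items():
        if spec.startswith(abbr):
            rest = spec[len(abbr):]
            break
    else:
        raise ValueError("unknown day in time string %r" % spec)
    if not rest:
        return days, None, None
    start, sep, end = rest.partition("-")
    if not sep or len(start) != 4 or len(end) != 4 or not (start + end).isdigit():
        raise ValueError("bad hour range in time string %r" % spec)
    return days, int(start[:2]) * 60 + int(start[2:]), int(end[:2]) * 60 + int(end[2:])

def login_allowed(login_time, when):
    """True when `when` (datetime or ISO string) falls inside `login_time`."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if login_time.strip() == "Never":
        return False
    minute = when.hour * 60 + when.minute
    for spec in login_time.replace("|", ",").split(","):
        spec = spec.strip()
        if not spec:
            continue
        days, start, end = parse_simple(spec)
        if when.weekday() not in days:
            continue
        if start is None:
            return True                         # no hour range: any time that day
        if start <= end:
            if start <= minute < end:
                return True
        elif minute >= start or minute < end:   # range crosses midnight
            return True
    return False
```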

Replace-User-Name

ATTRIBUTE Replace-User-Name 2001 string
Users:LR
Hints:LR
Huntgroups:--
Additivity:Append
Proxy propagated:No
    VALUE      Replace-User-Name  No                   0       
    VALUE      Replace-User-Name  Yes                  1       

Use this attribute to modify the username from the incoming packet. The Replace-User-Name value can reference any attributes from both LHS and RHS pairlists using attribute macros (see section Macro Substitution).

For example the following `users' entry

    guest   NAS-IP-Address = 11.10.10.11,
                    Calling-Station-Id != "",
                    Auth-Type = Accept
            Replace-User-Name = "guest#%C{Calling-Station-Id}",
                    Service-Type = Framed-User,
                    Framed-Protocol = PPP

allows the PPP service for the username `guest' coming from NAS `11.10.10.11' with a non-empty Calling-Station-Id attribute. A string consisting of the `#' character followed by the Calling-Station-Id value is appended to the username.

Rewrite-Function

ATTRIBUTE Rewrite-Function 2004 string
Users:LR
Hints:LR
Huntgroups:LR
Additivity:Append
Proxy propagated:No

The Rewrite-Function attribute specifies the name of the rewriting function to be applied to the request. The attribute may be specified in either pairlist in the entries of `hints' or `huntgroups' configuration files.

The corresponding function should be defined in `rewrite' as

    integer name()

i.e. it should return integer value and should not take any arguments.

See section Rewrite functions -- `raddb/rewrite'. See section Request Processing Hints -- `raddb/hints'. See section Huntgroups -- `raddb/huntgroups'.

Match-Profile

ATTRIBUTE Match-Profile 2004 string
Users:LR
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:No

The Match-Profile attribute can be used in LHS and RHS lists of a user profile. Its value is the name of another user's profile (target profile). When Match-Profile is used in the LHS, the incoming packet will match this profile only if it matches the target profile. In this case the reply pairs will be formed concatenating the RHS lists from both profiles. When used in RHS, this attribute causes the reply pairs from the target profile to be appended to the reply from the current profile if the target profile matches the incoming request.

For example:

    IPPOOL  NAS-IP-Address = 10.10.10.1
                    Framed-Protocol = PPP, Framed-IP-Address = "10.10.10.2"
    
    IPPOOL  NAS-IP-Address = 10.10.11.1
                    Framed-Protocol = PPP, Framed-IP-Address = "10.10.11.2"
    
    guest   Auth-Type = SQL
                    Service-Type = Framed-User,
            Match-Profile = IPPOOL

In this example, when user "guest" comes from NAS 10.10.10.1 he is assigned IP address 10.10.10.2; if instead he comes from NAS 10.10.11.1 he is assigned IP address 10.10.11.2.

Scheme-Procedure

ATTRIBUTE Scheme-Procedure 2009 string
Users:-R
Hints:--
Huntgroups:--
Additivity:Append
Proxy propagated:N/A

The Scheme-Procedure attribute is used to set the name of Scheme authentication procedure. See section Authentication with Scheme, for the information about how to write Scheme authentication procedures.

Scheme-Acct-Procedure

ATTRIBUTE Scheme-Acct-Procedure 2010 string
Users:--
Hints:-R
Huntgroups:--
Additivity:Replace
Proxy propagated:N/A

The Scheme-Acct-Procedure attribute is used to set the name of Scheme accounting procedure. See section Accounting with Scheme, for the information about how to write Scheme accounting procedures.

Log-Mode-Mask

ATTRIBUTE Log-Mode-Mask 2007 integer
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:N/A
    VALUE      Log-Mode-Mask     Log-Auth             1
    VALUE      Log-Mode-Mask     Log-Auth-Pass        2
    VALUE      Log-Mode-Mask     Log-Failed-Pass      4
    VALUE      Log-Mode-Mask     Log-Pass             6
    VALUE      Log-Mode-Mask     Log-All              7

Log-Mode-Mask is used to control the verbosity of authentication log messages for a given user or class of users. The meaning of its values is:

Log-Auth
Do not log successful authentications.
Log-Auth-Pass
Do not show password with the log message from a successful authentication.
Log-Failed-Pass
Do not show failed password.
Log-Pass
Do not show plaintext password, either failed or succeeded.
Log-All
Do not log authentications at all.

Technical details: After authentication, the server collects all Log-Mode-Mask attributes from the incoming request and LHS of the user's entry. The values of these attributes OR'ed together form a mask which is applied via XOR operation to the current log mode. The value thus obtained is used as effective log mode.

Acct-Type

ATTRIBUTE Acct-Type 2003 integer
Users:L-
Hints:-R
Huntgroups:-R
Additivity:Append
Proxy propagated:N/A
    VALUE      Acct-Type         None                 0
    VALUE      Acct-Type         System               1
    VALUE      Acct-Type         Detail               2
    VALUE      Acct-Type         SQL                  3

The Acct-Type attribute controls which accounting methods must be used for a given user or group of users. In the absence of this attribute, all currently enabled accounting types are used. See section Accounting, for more information about accounting types.
