9.5 New Extensions Attributes
| Acct-Input-Gigawords |
| Attribute Number | 52 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The value of this attribute is the number of times that the Acct-Input-Octets counter has exceeded and wrapped over 2 32 since this transaction's inception. It can only be present in Accounting-Request packets where the value of the Acct-Status-Type is either Stop or Interim-Update .
| Acct-Output-Gigawords |
| Attribute Number | 53 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The value of this attribute is the number of times that the Acct-Output-Octets counter has exceeded and wrapped over 2 32 since this transaction's inception. It can only be present in Accounting-Request packets where the value of the Acct-Status-Type is either Stop or Interim-Update .
| Event-Timestamp |
| Attribute Number | 55 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute indicates the time at which an event marked by the transmission of an Accounting-Request packet occurred. The value is represented as an integer in the typical Unix-style time notation: the number of seconds since January 1, 1970 00:00 UTC.
| Tunnel-Type |
| Attribute Number | 64 |
| Length | 6 |
| Value | ENUM |
| Allowed in | Access-Request, Accept-Accept, Accounting-Request |
| Prohibited in | Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute is an enumerated value that indicates the tunneling protocol specified for a particular session. If the attribute is present in an Access-Request packet, the RADIUS server should read its presence as a hint; it is not required to honor that request.
The possible values for the Tunnel-Type attribute and their corresponding meanings are listed in Table 9-2.
Table 9-2. Tunnel-Type enumerated values
| Value | Tunneling protocol |
|---|---|
| 1 | Point-to-Point Tunneling Protocol (PPTP) |
| 2 | Layer Two Forwarding (L2F) |
| 3 | Layer Two Tunneling Protocol (L2TP) |
| 4 | Ascend Tunnel Management Protocol (ATMP) |
| 5 | Virtual Tunneling Protocol (VTP) |
| 6 | IP Authentication Header in the Tunnel-mode (AH) |
| 7 | IP-in-IP Encapsulation (IP-IP) |
| 8 | Minimal IP-in-IP Encapsulation (MIN-IP-IP) |
| 9 | IP Encapsulating Security Payload in the Tunnel-mode (ESP) |
| 10 | Generic Route Encapsulation (GRE) |
| 11 | Bay Dial Virtual Services (DVS) |
| 12 | IP-in-IP Tunneling |
| Tunnel-Medium-Type |
| Attribute Number | 65 |
| Length | 6 |
| Value | ENUM |
| Allowed in | Access-Request, Accept-Accept |
| Prohibited in | Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute is an enumerated value that indicates the transport medium to use when creating a tunnel based on a protocol that can support multiple tunnel types. If the attribute is present in an Access-Request packet, the RADIUS server should read its presence as a hint; it is not required to honor that request.
The possible values for the Tunnel-Medium-Type attribute and their corresponding meanings are listed in Table 9-3.
Table 9-3. Tunnel-Medium-Type enumerated values
| Value | Tunnel Medium Types |
|---|---|
| 1 | IPv4 (IP Version 4) |
| 2 | IPv6 (IP Version 6) |
| 3 | NSAP |
| 4 | HDLC (8-bit multidrop) |
| 5 | BBN 1822 |
| 6 | 802 (includes all 802 media plus Ethernet "canonical format") |
| 7 | E.163 (POTS) |
| 8 | E.164 (SMDS, Frame Relay, ATM) |
| 9 | F.69 (Telex) |
| 10 | X.121 (X.25, Frame Relay) |
| 11 | IPX |
| 12 | AppleTalk |
| 13 | Decnet IV |
| 14 | Banyan Vines |
| 15 | E.164 with NSAP format subaddress |
| Tunnel-Client-Endpoint |
| Attribute Number | 66 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Access-Accept, Accounting-Request |
| Prohibited in | Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Tunnel-Client-Endpoint attribute contains the address of the initiator of the tunnel. It's designed to work in conjunction with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID attributes to provide a way to identify a specific tunnel for accounting, billing, and auditing functions. If the tunnel is an IPv4 tunnel, then the value of this attribute is either the FQDN of the initiator end of the tunnel or the dotted -decimal ( x.x.x.x ) address of the initiator. If the tunnel is an IPv6 tunnel, the string is either the FQDN as described here or a textual representation of the address. All other tunnel formats use a tag that refers to local configuration data specific to the medium.
| Tunnel-Server-Endpoint |
| Attribute Number | 67 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Access-Accept, Accounting-Request |
| Prohibited in | Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Tunnel-Server-Endpoint attribute contains the address of the initiator of the tunnel. It's designed to work in conjunction with the Tunnel-Client-Endpoint and Acct-Tunnel-Connection-ID attributes to provide a way to identify a specific tunnel for accounting, billing, and auditing functions. If the tunnel is an IPv4 tunnel, then the value of this attribute is either the FQDN of the receiving (server) end of the tunnel or the dotted-decimal ( x.x.x.x ) address of the receiver. If the tunnel is an IPv6 tunnel, the string is either the FQDN as described here or a textual representation of the address. All other tunnel formats use a tag that refers to local configuration data specific to the medium.
| Acct-Tunnel-Connection |
| Attribute Number | 68 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Accounting-Request |
| Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute defines the identifier assigned to a specific tunnel session. This attribute works in conjunction with Tunnel-Client-Endpoint and Tunnel-Server-Endpoint to uniquely identify a specific session for accounting, auditing, and billing purposes. The field encoding for the value of this attribute is implementation specific.
| Tunnel-Password |
| Attribute Number | 69 |
| Length | 5 or more octets |
| Value | STRING |
| Allowed in | Access-Accept |
| Prohibited in | Access-Request, Access-Reject, Access-Challenge, Accounting-Response, Accounting-Request |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute contains the password for authenticating to a remote server and includes a "salt" field that is used to verify the uniqueness of the key used to encrypt the tunnel password.You can find more information at the RFC 2868, but no sense sending you off on a chase. Here's the relevant part:
The plaintext String field consists of three logical sub-fields: the Data-Length and Password sub-fields (both of which are required), and the optional Padding sub-field. The Data-Length sub-field is one octet in length and contains the length of the unencrypted Password sub-field. The Password sub-field contains the actual tunnel password. If the combined length (in octets) of the unencrypted Data-Length and Password sub-fields is not an even multiple of 16, then the Padding sub-field MUST be present. If it is present, the length of the Padding sub-field is variable, between 1 and 15 octets. The String field MUST be encrypted as follows , prior to transmission:
Construct a plaintext version of the String field by concatenating the Data-Length and Password sub-fields. If necessary, pad the resulting string until its length (in octets) is an even multiple of 16. It is recommended that zero octets ( 0x00 ) be used for padding. Call this plaintext P. Call the shared secret S, the pseudo-random 128-bit Request Authenticator (from the corresponding Access-Request packet) R, and the contents of the Salt field A. Break P into 16 octet chunks p(1) , p(2)...p(i) , where i = len(P)/16 . Call the ciphertext blocks c(1) , c(2)...c(i) and the final ciphertext C. Intermediate values b(1) , b(2)...c(i) are required. Encryption is performed in the following manner ( + indicates concatenation):
b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i)The resulting encrypted String field will contain
c(1)+c(2)+...+c(i)
On receipt, the process is reversed to yield the plaintext String.
| ARAP-Password |
| Attribute Number | 70 |
| Length | 18 |
| Value | STRING |
| Allowed in | Access-Request |
| Prohibited in | Access-Accept, Access-Reject, Access-Challenge, Accounting-Response, Accounting-Request |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute is a 16-octet string designed to carry the client's response to mutual authentication of the client and the RADIUS client machine. The highest-order octets contain the dial-up user 's challenge to the RADIUS client, which consists of two 32-bit numbers totaling eight octets. The lowest -order octets contain the dial-up user's response to the RADIUS client's challenge. This as well consists of two 32-bit numbers totaling eight octets.
| ARAP-Features |
| Attribute Number | 71 |
| Length | 16 |
| Value | STRING |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, found in Access-Accept packets with the Framed-Protocol attribute set to ARAP, transmits password data that the RADIUS client machine is responsible for transmitting to the user in an ARAP feature flags packet. The value is a compound string containing such information as the restrictions on a user for changing his password, the minimum acceptable password length, the password creation date in Macintosh time (32 unsigned bits representing seconds since Midnight GMT January 1, 1904), the password expiration delta from the creation date in seconds, and the current RADIUS server's time in Macintosh format.
| ARAP-Zone-Access |
| Attribute Number | 72 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, found in Access-Accept packets with the Framed-Protocol attribute set to ARAP, indicates how the ARAP zone list for the user should be interpreted.
The value field is an integer that can be one of three values. The integer 1 signifies that the user should only be allowed access to the default zone. The integer 2 indicates that the zone filter should be used inclusivelythat is, the user should be allowed to access only the zones listed in his filter. The integer 4 specifies that the zone filter should be used exclusivelymeaning the user should be allowed to access all zones except those listed in his filter.
The Filter-ID attribute must also be present if this attribute's value is set to 2 or 4 in order to name the zone list filter to which the access flag should be applied.
| ARAP-Security |
| Attribute Number | 73 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Access-Challenge |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Accept, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute is found in an Access-Challenge packet and indicates the ARAP security module that's to be used for the transaction. The value of this attribute is an integer representing a Macintosh operating system type, which is four ASCII characters cast as a 32-bit integer.
| ARAP-Security-Data |
| Attribute Number | 74 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Access-Challenge |
| Prohibited in | Accounting-Request, Access-Accept, Access-Reject, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute contains the actual challenge or response, based on the security model contained in the ARAP-Security attribute, and is found in Access-Request and Access-Challenge packets.
| Password-Retry |
| Attribute Number | 75 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Access-Reject |
| Prohibited in | Accounting-Request, Access-Request, Access-Accept, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, which can be found in Access-Reject packets, indicates the number of authentication attempts a user is allowed before he is disconnected. This attribute is used primarily with the ARAP protocol.
| Prompt |
| Attribute Number | 76 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Access-Challenge |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Accept, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, found only in Access-Challenge packets, tells the RADIUS client box party to the transaction whether to echo the user's response as entered by the user or whether to cease the echo. If the value of this attribute is , the input will not be echoed . If the value is 1 , the input will be echoed.
| Connect- Info |
| Attribute Number | 77 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Accounting-Request |
| Prohibited in | Access-Challenge, Access-Reject, Access-Accept, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 in an Access-Request packet; unlimited in an Accounting-Request packet |
The RADIUS client gear will send this attribute inside an Access-Request or Accounting-Request packet to indicate the properties and nature of this user's connection. Among the data points collected are connection speed, transmit speed, receive speed, and any other optional information. More than one of these attributes is allowed in the Accounting-Request packet to satisfy increasing ITU pressure to allow more modem information to be transmitted that may exceed 252 octets.
| Configuration-Token |
| Attribute Number | 78 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute is designed to be sent from a RADIUS proxy server to a RADIUS proxy client inside an Access-Accept packet in large, distributed networking architectures. It serves to designate which user profile to use. The value field is implementation dependent and should be read as undistinguished octets.
| EAP-Message |
| Attribute Number | 79 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Accept, Access-Reject, Access-Challenge, Access-Request |
| Prohibited in | Accounting-Request, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | Unlimited in Access-Request and Access-Challenge packets;1 in Access-Accept and Access-Reject packets |
This attribute serves as the method by which EAP messages are transmitted within a RADIUS packet. The RADIUS client machine places all of the messages received from the client into individual EAP-Message attributes and wraps them into a standard Access-Request packet. The RADIUS server then returns EAP messages in Access-Challenge , Access-Accept , and Access-Reject messages.
The Message-Authenticator attribute (detailed a bit later in this chapter) is required to be present if this attribute is used; this is to protect the integrity of RADIUS over EAP to the same degree that EAP affords transactional integrity on its side of the link. The Message-Authenticator must be used to protect all Access-Request , Access-Challenge , Access-Accept , and Access-Reject messages which hold one or more EAP-Message attributes.
| Message-Authenticator |
| Attribute Number | 80 |
| Length | 18 |
| Value | STRING |
| Allowed in | Access-Request, Access-Challenge, Access-Accept, Access-Reject |
| Prohibited in | Accounting-Request, Accounting-Response |
| Presence in Packet | Required in Access-Request, Access-Accept, Access-Reject, or Access-Challenge packets that contain EAP-Message; otherwise , not required |
| Maximum Iterations | 1 |
The Message-Authenticator attribute is used to sign packets to ensure their integrity is protected. The attribute may be used in any Access-Request , but any packet that contains EAP-Messages must also have the Message-Authenticator attribute present. The Message-Authenticator itself is an HMAC-MD5 checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field, using the shared secret as the key.
As mentioned earlier in the text, some RADIUS client machines calculate the Message-Authenticator incorrectly, while others use the same attribute values for different purposes. Of course this creates a mess. It's also important to note that the use of the IPsec protocol really makes this a stopgap measure. When IPsec implementation becomes more widespread, this attribute will be made redundant.
| Tunnel-Private- Group -ID |
| Attribute Number | 81 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Access-Accept |
| Prohibited in | Accounting-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Tunnel-Private-Group-ID attribute designates the group ID value for a specified tunneling session. Private groups are used to associate configured tunnels with specified groups of users. The value of the field is unrestricted and can be configured in whatever way a specific implementation requires.
| Tunnel-Assignment-ID |
| Attribute Number | 82 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute is designed to specify which pre-configured tunnel a particular connection should use. More specifically , some tunnel protocols allow for multiplexing multiple connections across one specific tunnel, and with this attribute, RADIUS can inform the initiator (the client, in other words) whether the connection will be over an individual tunnel or a multiplexed tunnel.
There are specific behaviors a tunnel initiator should follow when using the Tunnel-Assignment-ID attribute:
-
If a tunnel exists between the specified end points with the designated assignment ID, then the session should use that tunnel.
-
If no tunnel exists between the specified end points with the designated assignment ID, then a new tunnel should be created and referred to as the label indicated in the Tunnel-Assignment-ID value.
-
If the Tunnel-Assignment-ID attribute is not present, then the session should be assigned to an unnamed tunnel. If this tunnel doesn't exist, it should be created and used for all sessions that don't have the Tunnel-Assignment-ID attribute.
| Tunnel-Preference |
| Attribute Number | 83 |
| Length | 6 |
| Value | HEX |
| Allowed in | Access-Accept, Access-Request |
| Prohibited in | Accounting-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute indicates the preference assigned to each tunnel when more than one set of tunneling attributes is returned by the RADIUS server to the client initiator. The value of this attributes ranges from 0x01 through 0x1F, with the lowest value receiving the highest preference and the highest value receiving the lowest preference.
| ARAP-Challenge-Response |
| Attribute Number | 84 |
| Length | 10 |
| Value | STRING |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, found in Access-Accept packets with a Framed-Protocol attribute set to ARAP, contains the response to the dial-in client's challenge. The value is an eight-octet response to the client challenge, calculated by performing DES encryption on the highest-order eight octets of the ARAP-Password attribute's value, using the user's password as the key.
| Acct-Interim-Interval |
| Attribute Number | 85 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The value of the Acct-Interim-Interval attribute indicates the number of seconds between each transmittal of an interim update for a specific session. The value cannot be less than 60, and best practices reveal that the value of this attribute really has no benefit to being less than 600. Serious increases in network traffic that can adversely affect performance can occur if this value is incorrectly or inefficiently set.
| Acct-Tunnel-Packets-Lost |
| Attribute Number | 86 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The value of this attribute is the number of packets that have been lost over a given link.
| NAS-Port-ID |
| Attribute Number | 87 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Accounting-Request |
| Prohibited in | Access-Challenge, Access-Reject, Access-Accept, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The value of this attribute, read from textual characters encoded with UTF-8, indicates the physical port on the NAS machine to which to a user is connected. It is only found in Access-Request and Accounting-Request packets.
| Framed-Pool |
| Attribute Number | 88 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Accept |
| Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, found only in Access-Accept packets, indicates the name of the address pool that should be used to give an address to the authenticating user.
| Tunnel-Client-Auth-ID |
| Attribute Number | 90 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Access-Accept, Accounting-Request |
| Prohibited in | Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Tunnel-Client-Auth-ID attribute designates the name of the initiator that was used during the creation of a tunnel in the authentication phase. It should be included in Access-Accept where the default authentication name is not sufficient or otherwise undesired .
| Tunnel-Server-Auth-ID |
| Attribute Number | 91 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Access-Request, Access-Accept, Accounting-Request |
| Prohibited in | Access-Reject, Access-Challenge, Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Tunnel-Server-Auth-ID attribute designates the name of the receiver (the server) that was used during the creation of a tunnel in the authentication phase. It should be included in Access-Accept where the default authentication name is not sufficient or otherwise undesired.
