RADIUS attributes for authentication and accounting

Various RADIUS attributes are supported for 802.1X and MAC authentication and accounting.

RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored in the RADIUS server. When a client successfully completes the EAP authentication process, the authentication (RADIUS) server sends the authenticator (the ICX device) a RADIUS Access-Accept message that grants the client access to the network. The Access-Accept message contains attributes set for the user in the user's access profile on the RADIUS server. The user's access profile is used for many functions, such as dynamic VLAN assignment, dynamic IP ACL assignment, session timeout, and authentication order rules for Flexible authentication.

The following table describes the RADIUS attributes that are supported for 802.1X and MAC authentication.

Table 1. RADIUS attributes for 802.1X and MAC authentication
| Attribute name | Attribute ID | Data Type | Description |
| --- | --- | --- | --- |
| Acct-Interim-Interval | 85 | integer | Indicates the interval for sending the interim updates to the RADIUS server in seconds. The minimum value is 300 seconds. |
| Calling-Station-Id | 31 | string | The supplicant MAC address in ASCII format (uppercase only), with octet values separated by a dash (-). For example, 00-00-00-23-19-C0. |
| Class | 25 | string | Sent by the server to the client in an Access-Accept. This attribute should not be modified by the client; it should be sent to the accounting server when accounting is supported. |
| Idle-Timeout | 28 | integer | Idle timeout after which the session is cleared when there is no traffic. This is equivalent to configuring the max-sw-age command through the CLI. |
| NAS-Identifier | 32 | string | Network access server identifier (the hostname of the device). |
| NAS-IP-Address | 4 | integer | IP address of the network access server requesting user authentication. |
| NAS-Port | 5 | integer | Physical network access server port number that is authenticating the user. |
| NAS-Port-Id | 87 | string | Identifier of the network access server port that is authenticating the user. |
| NAS-Port-Type | 61 | integer | The port type (physical or virtual) that is authenticating the user. |
| Service-Type | 6 | integer | The type of service that is requested by the user or to be provided to the user. |
| Session-Timeout | 27 | integer | The maximum number of seconds of service provided to the user before termination of the session or prompt. |
| Termination-Action | 29 | integer | The action to be taken by the network access server when the specified service is completed. |
| Tunnel-Private-Group-ID | 81 | string | Group identifier for a particular tunneled session. |
| Tunnel-Medium-Type | 65 | integer | Indicates which transport medium to use when creating a tunnel for protocols that can operate over multiple transport mediums. |
| Tunnel-Type | 64 | integer | Indicates the tunnel protocol that is either in use by a tunnel terminator or to be used by a tunnel initiator. |
| User-Name | 1 | string | Indicates the name of the user to be authenticated. |

Note: Any default or configured values on the ICX device are replaced with the attributes sent by the RADIUS server, because RADIUS values always take precedence over the values configured on the ICX device.

The following table describes the RADIUS attributes that are supported for 802.1X and MAC accounting.

Table 2. RADIUS attributes for 802.1X and MAC accounting
| Attribute name | Attribute ID | Data Type | Description |
| --- | --- | --- | --- |
| Acct-Authentic | 45 | Integer | Indicates how the user was authenticated: 1 = RADIUS; 2 = Network access server itself; 3 = Other remote authentication protocol. |
| Acct-Delay-Time | 41 | Integer | Number of seconds that the client has been trying to send this record. |
| Acct-Input-Octets | 42 | Integer | Number of octets received from the port while this service is being provided. This attribute can only be present in Accounting-Request records when the Acct-Status-Type is set to stop. |
| Acct-Input-Packets | 47 | Integer | Number of packets received from the port while this service is being provided to a framed user. This attribute can only be present in Accounting-Request records when the Acct-Status-Type is set to stop. |
| Acct-Output-Octets | 43 | Integer | Number of octets sent to the port while this service is being provided. This attribute can only be present in Accounting-Request records when the Acct-Status-Type is set to stop. |
| Acct-Output-Packets | 48 | Integer | Number of packets sent to the port while this service is being provided to a framed user. This attribute can only be present in Accounting-Request records when the Acct-Status-Type is set to stop. |
| Acct-Session-Id | 44 | Integer | The account session ID, which is a number from 1 through 4294967295. |
| Acct-Session-Time | 46 | Integer | Number of seconds that the user has received service. This attribute can only be present in Accounting-Request records when the Acct-Status-Type is set to stop. |
| Acct-Status-Type | 40 | Integer | Indicates whether this Accounting Request marks the beginning (start) or end (stop) of the user service. It also indicates when to send interim updates to the RADIUS server on the status of an active session such as IP address change. The interim update includes the duration of the current session and information on current data usage. Values: 1 = Start; 2 = Stop; 3 = Interim Update. |
| Acct-Terminate-Cause | 49 | Integer | Specifies the reason for session termination; for example, session timeout, idle timeout, user logoff, admin forced, port down or disabled, system reload, and so on. This attribute is sent out in an Accounting Stop request. |
| Framed-IPv4-Address | 8 | IPv4 address | IPv4 address that is assigned on the host or IP routing residential gateway to the interface facing the network access server. |
| Framed-IPv6-Address | 168 | IPv6 address | IPv6 address that is assigned on the host or IP routing residential gateway to the interface facing the network access server. |
| Framed-MTU | 12 | Integer | Indicates the maximum transmission unit (MTU) to be configured for the user. |
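
The following added example (not vendor code) decodes the attribute area of a captured RADIUS packet using attribute IDs and data types from Tables 1 and 2, then checks three constraints the tables state: the 300-second minimum for Acct-Interim-Interval, the uppercase dash-separated Calling-Station-Id format, and the counters that belong only in stop records. The function names `parse_attributes` and `audit` and the sample bytes are constructed for illustration; the type/length/value layout is the standard RADIUS attribute encoding.

```python
import re
import struct

# Attribute IDs and data types taken from Tables 1 and 2 (subset).
ATTRS = {
    31: ("Calling-Station-Id", "string"), 85: ("Acct-Interim-Interval", "integer"),
    27: ("Session-Timeout", "integer"), 40: ("Acct-Status-Type", "integer"),
    42: ("Acct-Input-Octets", "integer"), 43: ("Acct-Output-Octets", "integer"),
    46: ("Acct-Session-Time", "integer"), 47: ("Acct-Input-Packets", "integer"),
    48: ("Acct-Output-Packets", "integer"),
}
STOP_ONLY = {name for i, (name, _t) in ATTRS.items() if i in (42, 43, 46, 47, 48)}
MAC_RE = re.compile(r"(?:[0-9A-F]{2}-){5}[0-9A-F]{2}")

def parse_attributes(data):
    """Decode a RADIUS attribute area: 1-octet type, 1-octet length, value."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = data[pos], data[pos + 1]   # length counts the 2 header octets
        value = data[pos + 2:pos + alen]
        name, kind = ATTRS.get(atype, (f"Attr-{atype}", "raw"))
        if kind == "integer":
            if len(value) != 4:
                raise ValueError(f"{name}: integer value must be 4 octets")
            value = struct.unpack("!I", value)[0]
        elif kind == "string":
            value = value.decode("ascii", errors="replace")
        out[name] = value
        pos += alen
    return out

def audit(attrs):
    """Check decoded attributes against the constraints stated in the tables."""
    findings = []
    if attrs.get("Acct-Interim-Interval", 300) < 300:
        findings.append("Acct-Interim-Interval below the 300-second minimum")
    mac = attrs.get("Calling-Station-Id")
    if mac is not None and not MAC_RE.fullmatch(mac):
        findings.append("Calling-Station-Id not uppercase and dash-separated")
    if attrs.get("Acct-Status-Type", 2) != 2:          # 2 = Stop
        findings += [f"{n} outside a stop record" for n in sorted(STOP_ONLY & attrs.keys())]
    return findings

# Constructed sample: interim update (3) carrying Acct-Input-Octets and a
# lowercase, colon-separated MAC address.
SAMPLE = (bytes([40, 6]) + struct.pack("!I", 3) + bytes([42, 6])
          + struct.pack("!I", 1500) + bytes([31, 19]) + b"00:00:00:23:19:c0")
print(audit(parse_attributes(SAMPLE)))
```

Unknown attribute IDs are kept as raw bytes under `Attr-<id>` rather than rejected, so the audit can run over packets that carry attributes outside this subset.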