13. Attribute List

The following sections describe the most frequently used Radius attributes. Each attribute is described as follows:

ATTRIBUTE name value type

These values have the following meaning:

name

The attribute name.

value

The attribute number.

type

The attribute type.

user-flags

Syntax flags defining in which part of a ‘raddb/users’ entry this attribute may be used. The flags consist of two letters: ‘L’ means the attribute can be used in the LHS, ‘R’ means it can be used in the RHS.

hints-flags

Syntax flags defining in which part of a ‘raddb/hints’ entry this attribute may be used.

huntgroup-flags

Syntax flags defining in which part of a ‘raddb/huntgroups’ entry this attribute may be used.

additivity

The additivity of the attribute determines what happens if a rule attempts to add to the pair list an attribute that is already present in this list. Depending on its value, the actions of the server are:

Append

New attribute is appended to the end of the list.

Replace

New attribute replaces the old.

Drop

New attribute is dropped. The old one remains in the list.

prop

Is the attribute propagated back to the NAS if the server works in proxy mode?

The entry N/A for any of this fields signifies “not applicable”.

13.1 Authentication Attributes

These are the attributes the NAS uses in authentication packets and expects to get back in authentication replies. These can be used in matching rules.

13.1.1 CHAP-Password

ATTRIBUTE CHAP-Password 3 string

This attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets.

The CHAP challenge value is found in the CHAP-Challenge attribute (60) if present in the packet, otherwise in the request authenticator field.

13.1.2 Callback-Id

ATTRIBUTE Callback-Id 20 string

This attribute indicates the name of a place to be called, to be interpreted by the NAS. It may be used in Access-Accept packets.

13.1.3 Callback-Number

ATTRIBUTE Callback-Number 19 string

This attribute indicates a dialing string to be used for callback. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.

13.1.4 Called-Station-Id

ATTRIBUTE Called-Station-Id 30 string

This attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.

13.1.5 Calling-Station-Id

ATTRIBUTE Calling-Station-Id 31 string

This attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using automatic number identification (ANI) or similar technology. It is only used in Access-Request packets.

13.1.6 Class

ATTRIBUTE Class 25 string

This attribute is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported.

13.1.7 Framed-Compression

ATTRIBUTE Framed-Compression 13 integer

VALUE      Framed-Compression  None                 0       
VALUE      Framed-Compression  Van-Jacobson-TCP-IP  1       

This attribute indicates a compression protocol to be used for the link. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.

More than one compression protocol attribute may be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.

13.1.8 Framed-IP-Address

ATTRIBUTE Framed-IP-Address 8 ipaddr

This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.

The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user's IP.

When used in a RHS, the value of this attribute can optionally be followed by a plus sign. This usage means that the value of NAS-Port-Id must be added to this IP before replying. For example,

        Framed-IP-Address = 10.10.0.1+

13.1.9 Framed-IP-Netmask

ATTRIBUTE Framed-IP-Netmask 9 ipaddr

This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.

13.1.10 Framed-MTU

ATTRIBUTE Framed-MTU 12 integer

This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.

13.1.11 Framed-Protocol

ATTRIBUTE Framed-Protocol 7 integer

VALUE      Framed-Protocol   PPP                  1       
VALUE      Framed-Protocol   SLIP                 2       

This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets.

13.1.12 Framed-Route

ATTRIBUTE Framed-Route 22 string

This attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.

13.1.13 Framed-Routing

ATTRIBUTE Framed-Routing 10 integer

VALUE      Framed-Routing    None                 0       
VALUE      Framed-Routing    Broadcast            1       
VALUE      Framed-Routing    Listen               2       
VALUE      Framed-Routing    Broadcast-Listen     3       

This attribute indicates the routing method for the user when the user is a router to a network. It is only used in Access-Accept packets.

13.1.14 Idle-Timeout

ATTRIBUTE Idle-Timeout 28 integer

This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.

13.1.15 NAS-IP-Address

ATTRIBUTE NAS-IP-Address 4 ipaddr

This attribute indicates the identifying IP of the NAS which is requesting authentication of the user. It is only used in Access-Request packets. Each Access-Request packet should contain either a NAS-IP-Address or a NAS-Identifier attribute (NAS-Identifier).

13.1.16 NAS-Identifier

ATTRIBUTE NAS-Identifier 32 string

This attribute contains a string identifying the NAS originating the access request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier should be present in an Access-Request packet.

See section NAS-IP-Address.

13.1.17 NAS-Port-Id

ATTRIBUTE NAS-Port-Id 5 integer

This attribute indicates the physical port number of the NAS that is authenticating the user. It is only used in Access-Request packets. Note that here we are using “port” in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number.

Some NASes try to encode various information in the NAS-Port-Id attribute value. For example, the MAX Ascend terminal server constructs NAS-Port-Id by concatenating the line type (one digit), the line number (two digits), and the channel number (two digits), thus producing a five-digit port number. In order to normalize such encoded port numbers we recommend using a rewrite function (see section Rewrite functions — ‘raddb/rewrite’). A rewrite function for MAX Ascend servers is provided in the distribution.

13.1.18 NAS-Port-Type

ATTRIBUTE NAS-Port-Type 61 integer

VALUE      NAS-Port-Type     Async                0       
VALUE      NAS-Port-Type     Sync                 1       
VALUE      NAS-Port-Type     ISDN                 2       
VALUE      NAS-Port-Type     ISDN-V120            3       
VALUE      NAS-Port-Type     ISDN-V110            4       

This attribute indicates the type of the physical port of the NAS that is authenticating the user. It can be used instead of or in addition to the NAS-Port-Id (NAS-Port-Id) attribute. It is only used in Access-Request packets. Either NAS-Port or NAS-Port-Type or both should be present in an Access-Request packet, if the NAS differentiates among its ports.

13.1.19 Reply-Message

ATTRIBUTE Reply-Message 18 string

This attribute indicates text that may be displayed to the user.

When used in an Access-Accept, it is the success message.

When used in an Access-Reject, it is the failure message. It may indicate a dialog message to prompt the user before another Access-Request attempt.

When used in an Access-Challenge, it may indicate a dialog message to prompt the user for a response.

Multiple Reply-Message attributes may be included, and if any are displayed, they must be displayed in the same order as they appear in in the packet.

13.1.20 Service-Type

ATTRIBUTE Service-Type 6 integer

VALUE      Service-Type      Login-User           1       
VALUE      Service-Type      Framed-User          2       
VALUE      Service-Type      Callback-Login-User  3       
VALUE      Service-Type      Callback-Framed-User 4       
VALUE      Service-Type      Outbound-User        5       
VALUE      Service-Type      Administrative-User  6       
VALUE      Service-Type      NAS-Prompt-User      7       
VALUE      Service-Type      Authenticate-Only    8       
VALUE      Service-Type      Call-Check           10      

This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets.

When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated.

When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service.

The meaning of various service types is as follows:

Login-User

The user should be connected to a host.

Framed-User

A framed protocol, such as PPP or SLIP, should be started for the user. The Framed-IP-Address attribute (see section Framed-IP-Address) will supply the IP to be used.

Callback-Login-User

The user should be disconnected and called back, then connected to a host.

Callback-Framed-User

The user should be disconnected and called back; then a framed protocol, such as PPP or SLIP, should be started for the user.

Outbound-User

The user should be granted access to outgoing devices.

Administrative-User

The user should be granted access to the administrative interface to the NAS, from which privileged commands can be executed.

NAS-Prompt

The user should be provided a command prompt on the NAS, from which nonprivileged commands can be executed.

Authenticate-Only

Only authentication is requested, and no authorization information needs to be returned in the Access-Accept.

Call-Check

Callback-NAS-Prompt

The user should be disconnected and called back, then provided a command prompt on the NAS, from which nonprivileged commands can be executed.

13.1.21 Session-Timeout

ATTRIBUTE Session-Timeout 27 integer

This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The server may send this attribute to the client in an Access-Accept or Access-Challenge.

13.1.22 State

ATTRIBUTE State 24 string

This attribute is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

This attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action attribute with the value RADIUS-Request. If the NAS performs the termination action by sending a new Access-Request upon termination of the current session, it must include the State attribute unchanged in that Access-Request.

In either usage, no interpretation by the client should be made. A packet may have only one State attribute.

13.1.23 Termination-Action

ATTRIBUTE Termination-Action 29 integer

VALUE      Termination-Action  Default              0       
VALUE      Termination-Action  RADIUS-Request       1       

This attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.

13.1.24 User-Name

ATTRIBUTE User-Name 1 string

This attribute indicates the name of the user to be authenticated or accounted. It is used in Access-Request and Accounting attributes. The length of the user name is usually limited by some arbitrary value. By default, Radius supports user names up to 32 characters long. This value can be modified by redefining the RUT_USERNAME macro in the ‘include/radutmp.h’ file in the distribution directory and recompiling the program.

Some NASes have peculiarities about sending long user names. For example, the Specialix Jetstream 8500 24-port access server inserts a ‘/’ character after the 10th character if the user name is longer than 10 characters. In such cases, we recommend applying rewrite functions in order to bring the user name to its normal form (see section Rewrite functions — ‘raddb/rewrite’).

13.1.25 User-Password

ATTRIBUTE User-Password 2 string

This attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets.

On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the request authenticator. This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User-Password attribute.

If the password is longer than 16 characters, a second one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the result of the first xor. That hash is XORed with the second 16 octet segment of the password and placed in the second 16 octets of the string field of the User-Password attribute.

If necessary, this operation is repeated, with each XOR result being used along with the shared secret to generate the next hash to XOR the next segment of the password, up to no more than 128 characters.

13.1.26 Vendor-Specific

(This message will disappear, once this node revised.)

ATTRIBUTE Vendor-Specific 26 string

This attribute is available to allow vendors to support their own extended attributes not suitable for general usage.

13.2 Accounting Attributes

These are attributes the NAS sends along with accounting requests. These attributes can not be used in matching rules.

13.2.1 Acct-Authentic

ATTRIBUTE Acct-Authentic 45 integer

VALUE           Acct-Authentic          RADIUS          1
VALUE           Acct-Authentic          Local           2
VALUE           Acct-Authentic          Remote          3

This attribute may be included in an Accounting-Request to indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated should not generate accounting records.

13.2.2 Acct-Delay-Time

ATTRIBUTE Acct-Delay-Time 41 integer

This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)

13.2.3 Acct-Input-Octets

ATTRIBUTE Acct-Input-Octets 42 integer

This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop.

13.2.4 Acct-Input-Packets

ATTRIBUTE Acct-Input-Packets 47 integer

This attribute indicates how many packets have been received from the port over the course of this service being provided to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop.

13.2.5 Acct-Output-Octets

ATTRIBUTE Acct-Output-Octets 43 integer

This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop.

13.2.6 Acct-Output-Packets

ATTRIBUTE Acct-Output-Packets 48 integer

This attribute indicates how many packets have been sent to the port in the course of delivering this service to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop.

13.2.7 Acct-Session-Id

ATTRIBUTE Acct-Session-Id 44 string

This attribute is a unique accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session must have the same Acct-Session-Id. An Accounting-Request packet must have an Acct-Session-Id. An Access-Request packet may have an Acct-Session-Id; if it does, then the NAS must use the same Acct-Session-Id in the Accounting-Request packets for that session.

13.2.8 Acct-Session-Time

ATTRIBUTE Acct-Session-Time 46 integer

This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop.

13.2.9 Acct-Status-Type

ATTRIBUTE Acct-Status-Type 40 integer

VALUE    Acct-Status-Type    Start              1
VALUE    Acct-Status-Type    Stop               2 
VALUE    Acct-Status-Type    Alive              3
VALUE    Acct-Status-Type    Accounting-On      7
VALUE    Acct-Status-Type    Accounting-Off     8

This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop).

It may also be used to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.

A special value Alive or Interim-Update indicates the packet that contains some additional data to the initial Start record or to the last Alive record.

13.2.10 Acct-Terminate-Cause

ATTRIBUTE Acct-Terminate-Cause 49 integer

VALUE    Acct-Terminate-Cause    User-Request            1
VALUE    Acct-Terminate-Cause    Lost-Carrier            2
VALUE    Acct-Terminate-Cause    Lost-Service            3
VALUE    Acct-Terminate-Cause    Idle-Timeout            4
VALUE    Acct-Terminate-Cause    Session-Timeout         5
VALUE    Acct-Terminate-Cause    Admin-Reset             6
VALUE    Acct-Terminate-Cause    Admin-Reboot            7
VALUE    Acct-Terminate-Cause    Port-Error              8
VALUE    Acct-Terminate-Cause    NAS-Error               9
VALUE    Acct-Terminate-Cause    NAS-Request             10
VALUE    Acct-Terminate-Cause    NAS-Reboot              11
VALUE    Acct-Terminate-Cause    Port-Unneeded           12
VALUE    Acct-Terminate-Cause    Port-Preempted          13
VALUE    Acct-Terminate-Cause    Port-Suspended          14
VALUE    Acct-Terminate-Cause    Service-Unavailable     15
VALUE    Acct-Terminate-Cause    Callback                16
VALUE    Acct-Terminate-Cause    User-Error              17
VALUE    Acct-Terminate-Cause    Host-Request            18

This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop.

13.3 Radius Internal Attributes

These are attributes used by GNU Radius during the processing of a request. They are never returned to the NAS. Mostly, they are used in matching rules.

13.3.1 Acct-Ext-Program

ATTRIBUTE Acct-Ext-Program 2008 string

The Acct-Ext-Program attribute can be used in RHS of an ‘raddb/hints’ to require the execution of an external accounting program or filter. If the attribute value starts with a vertical bar (‘|’), then the attribute specifies the filter program to be used. If it starts with a slash (‘/’), then it is understood as the full pathname and arguments for the external program to be executed. Using any other character as the start of this string results in error.

The command line can reference any attributes from both check and reply pairlists using attribute macros (see section Macro Substitution).

Before the execution of the program, radiusd switches to the uid and gid of the user daemon and the group daemon. You can override these defaults by setting variables exec-program-user and exec-program-group in configuration file to proper values (see section The option statement).

The accounting program must exit with status 0 to indicate a successful accounting.

13.3.2 Acct-Type

ATTRIBUTE Acct-Type 2003 integer

VALUE           Acct-Type               None    0
VALUE           Acct-Type               System  1
VALUE           Acct-Type               Detail  2
VALUE           Acct-Type               SQL     3

The Acct-Type allows one to control which accounting methods must be used for a given user or group of users. In the absence of this attribute, all currently enabled accounting types are used. See section Accounting, for more information about accounting types.

13.3.3 Auth-Failure-Trigger

This attribute specifies an external program or a Scheme expression to be run upon an authentication failure. The handling of this attribute depends upon its value:

If the value of Auth-Failure-Trigger begins with ‘/’, it is taken to contain a command line for invoking an external program. In this case radiusd invokes the program much the same way it does when handling Exec-Program attribute, i.e. the program is invoked with standard input closed, its standard output and standard error are captured and redirected to ‘radlog/radius.stderr’ file, the return value of the program is ignored.

If the value of Auth-Failure-Trigger begins with ‘(’, it is executed it as a Scheme expression. The return value of the expression is ignored.

This attribute is designed as a means to provide special handling for authentication failures. It can be used, for example, to increase failure counters and to block accounts after a specified number of authentication failures occurs. See section Controlling Authentication Probes, for the detailed discussion of its usage.

13.3.4 Auth-Data

ATTRIBUTE Auth-Data 2006 string

The Auth-Data can be used to pass additional data to the authentication methods that need them. In version 1.6 of GNU Radius, this attribute may be used in conjunction with the SQL and Pam authentication types. When used with the Pam authentication type, this attribute holds the name of the PAM service to use. This attribute is temporarily appended to the authentication request, so its value can be referenced to as %C{Auth-Data}. See section Authentication Server Parameters, for an example of of using the Auth-Data attribute in ‘raddb/sqlserver’:

13.3.5 Auth-Type

ATTRIBUTE Auth-Type 1000 integer

VALUE      Auth-Type         Local                0       
VALUE      Auth-Type         System               1       
VALUE      Auth-Type         Crypt-Local          3       
VALUE      Auth-Type         Reject               4       
VALUE      Auth-Type         SQL                  252     
VALUE      Auth-Type         Pam                  253     
VALUE      Auth-Type         Accept               254     

This attribute tells the server which type of authentication to apply to a particular user. It can be used in the LHS of the user's profile (see section Authentication.)

Radius interprets values of Auth-Type attribute as follows:

Local

The value of the User-Password attribute from the record is taken as a cleantext password and is compared against the User-Password value from the input packet.

System

This means that a user's password is stored in a system password type. Radius queries the operating system to determine if the user name and password supplied in the incoming packet are O.K.

Crypt-Local

The value of the User-Password attribute from the record is taken as an MD5 hash on the user's password. Radius generates MD5 hash on the supplied User-Password value and compares the two strings.

Reject

Authentication fails.

Accept

Authentication succeeds.

SQL

Mysql

The MD5-encrypted user's password is queried from the SQL database (SQL Authentication Type). Mysql is an alias maintained for compatibility with other versions of Radius.

Pam

The user-name–password combination is checked using PAM.

13.3.6 Crypt-Password

ATTRIBUTE Crypt-Password 1006 string

This attribute is intended to be used in user's profile LHS. It specifies the MD5 hash of the user's password. When this attribute is present, Auth-Type = Crypt-Local is assumed. If both Auth-Type and Crypt-Password are present, the value of Auth-Type is ignored.

See section Auth-Type.

13.3.7 Exec-Program-Wait

ATTRIBUTE Exec-Program-Wait 1039 string

When present in the RHS, the Exec-Program-Wait attribute specifies the program to be executed when the entry matches. If the attribute value string starts with vertical bar (‘|’), then the attribute specifies the filter program to be used. If it starts with slash (‘/’), then it is understood as the full pathname and arguments for the external program to be executed. Using any other character as the start of this string results in error.

13.3.7.1 Running an External Program

The command line can reference any attributes from both check and reply pairlists using attribute macros see section Macro Substitution.

Before the execution of the program, radiusd switches to uid and gid of the user daemon and the group daemon. You can override these defaults by setting the variable exec-program-user in the configuration file to a proper value. See section The option statement.

The daemon will wait until the program terminates. The return value of its execution determines whether the entry matches. If the program exits with a nonzero code, then the match fails. If it exits with a zero code, the match succeeds. In this case the standard output of the program is read and parsed as if it were a pairlist. The attributes thus obtained are added to the entry's reply attributes.

Example.

Suppose the ‘users’ file contains the following entry:

DEFAULT Auth-Type = System,
                Simultaneous-Use = 1
        Exec-Program-Wait = "/usr/local/sbin/telauth \
                             %C{User-Name} \
                             %C{Calling-Station-Id}"

Then, upon successful matching, the program ‘/usr/local/sbin/telauth’ will be executed. It will get as its arguments the values of the User-Name and Calling-Station-Id attributes from the request pairs.

The ‘/usr/local/sbin/telauth’ can, for example, contain the following:

#! /bin/sh

DB=/var/db/userlist

if grep "$1:$2" $DB; then
    echo "Service-Type = Login,"
    echo "Session-Timeout = 1200"
    exit 0
else
    echo "Reply-Message = \
          \"You are not authorized to log in\""
    exit 1
fi

It is assumed that ‘/var/db/userlist’ contains a list of username:caller-id pairs for those users that are authorized to use login service.

13.3.7.2 Using an External Filter

If the value of Exec-Program-Wait attribute begins with ‘|’, radiusd strips this character from the value and uses the resulting string as a name of the predefined external filter. Such filter must be declared in ‘raddb/config’ (see section filters statement).

Example.

Let the ‘users’ file contain the following entry:

DEFAULT Auth-Type = System,
                Simultaneous-Use = 1
        Exec-Program-Wait = "|myfilter"

and let the ‘raddb/config’ contain the following (6):

filters {
    filter myfilter {
        exec-path "/usr/libexec/myfilter";
        error-log "myfilter.log";
        auth {
            input-format "%C{User-Name}
                          %C{Calling-Station-Id}";
            wait-reply yes;
        };
    };        
};                        

Then, upon successful authentication, the program /usr/libexec/myfilter will be invoked, if it hasn't already been started for this thread. Any output it sends to its standard error will be redirected to the file ‘myfilter.log’ in the current logging directory. A string consisting of the user's login name and his calling station ID followed by a newline will be sent to the program.

The following is a sample /usr/libexec/myfilter written in the shell:

#! /bin/sh

DB=/var/db/userlist

while read NAME CLID
do
    if grep "$1:$2" $DB; then
        echo "0 Service-Type = Login, Session-Timeout = 1200"
    else
        echo "1 Reply-Message = \
              \"You are not authorized to log in\""
    fi
done

13.3.8 Exec-Program

ATTRIBUTE Exec-Program 1038 string

When present in the RHS, the Exec-Program attribute specifies the full pathname and arguments for the program to be executed when the entry matches.

The command line can reference any attributes from both check and reply pairlists, using attribute macros (see section Macro Substitution).

Before the execution of the program, radiusd switches to the uid and gid of the user daemon and the group daemon. You can override these defaults by setting variables exec-program-user and exec-program-group in configuration file to proper values The option statement.

The daemon does not wait for the process to terminate.

Example

Suppose the ‘users’ file contains the following entry:

DEFAULT Auth-Type = System,
                Simultaneous-Use = 1
        Exec-Program = "/usr/local/sbin/logauth \
                        %C{User-Name} \
                        %C{Calling-Station-Id}"

Then, upon successful matching, the program ‘/usr/local/sbin/logauth’ will be executed. It will get as its arguments the values of the User-Name and Calling-Station-Id attributes from the request pairs.

13.3.9 Fall-Through

ATTRIBUTE Fall-Through 1036 integer

VALUE      Fall-Through      No                   0       
VALUE      Fall-Through      Yes                  1       

The Fall-Through attribute should be used in the reply list. If its value is set to Yes in a particular record, that tells Radius to continue looking up other records even when the record at hand matches the request. It can be used to provide default values for several profiles.

Consider the following example. Let's suppose the ‘users’ file contains the following:

johns   Auth-Type = SQL
                Framed-IP-Address = 11.10.10.251,
                Fall-Through = Yes

smith   Auth-Type = SQL
                Framed-IP-Address = 11.10.10.252,
                Fall-Through = Yes

DEFAULT NAS-IP-Address = 11.10.10.1
        Service-Type = Framed-User,
                Framed-Protocol = PPP

Then after successful matching of a particular user's record, the matching will continue until it finds the DEFAULT entry, which will add its RHS to the reply pairs for this request. The effect is that, if user ‘johns’ authenticates successfully she gets the following reply pairs:

        Service-Type = Framed-User,
        Framed-Protocol = PPP,  
        Framed-IP-Address = 11.10.10.251

whereas user smith gets

        Service-Type = Framed-User,
        Framed-Protocol = PPP,  
        Framed-IP-Address = 11.10.10.252

Note that the attribute Fall-Through itself is never returned to the NAS.

13.3.10 Group

ATTRIBUTE Group 1005 string

13.3.11 Hint

ATTRIBUTE Hint 1040 string

Use the Hint attribute to specify additional matching criteria depending on the hint (see section Request Processing Hints — ‘raddb/hints’).

Let the ‘hints’ file contain

DEFAULT         Prefix = "S", Strip-User-Name = No
                Hint = "SLIP"

and the ‘users’ file contain

DEFAULT Hint = "SLIP",
                NAS-IP-Address = 11.10.10.12,
                Auth-Type = System
        Service-Type = Framed-User,
                Framed-Protocol = SLIP

Then any user having a valid system account and coming from NAS ‘11.10.10.12’ will be provided SLIP service if his user name starts with ‘S’.

13.3.12 Huntgroup-Name

ATTRIBUTE Huntgroup-Name 221 string

The Huntgroup-Name can be used either in the LHS of the ‘users’ file record or in the RHS of the ‘huntgroups’ file record.

When encountered in a LHS of a particular ‘users’ profile, this attribute indicates the huntgroup name to be matched. Radius looks up the corresponding record in the ‘huntgroups’ file. If such a record is found, each A/V pair from its reply list is compared against the corresponding pair from the request being processed. The request matches only if it contains all the attributes from the specified huntgroup, and their values satisfy the conditions listed in the huntgroup pairs.

For example, suppose that the authentication request contains the following attributes:

User-Name = "john",
User-Password = "guess",
NAS-IP-Address = 10.11.11.1,
NAS-Port-Id = 24

Let us further suppose that the ‘users’ file contains the following entry:

john    Huntgroup-Name = "users_group",
                Auth-Type = System
        Service-Type = Login

and, finally, ‘huntgroups’ contains the following entry:

users_group     NAS-IP-Address = 10.11.11.1
                NAS-Port-Id < 32

Then the authentication request will succeed, since it contains NAS-Port-Id attribute and its value is less than 32.

See section Huntgroups — ‘raddb/huntgroups’.

13.3.13 Log-Mode-Mask

ATTRIBUTE Log-Mode-Mask 2007 integer

VALUE           Log-Mode-Mask           Log-Auth                1
VALUE           Log-Mode-Mask           Log-Auth-Pass           2
VALUE           Log-Mode-Mask           Log-Failed-Pass         4
VALUE           Log-Mode-Mask           Log-Pass                6
VALUE           Log-Mode-Mask           Log-All                 7

Log-Mode-Mask is used to control the verbosity of authentication log messages for given user or class of users. The meaning of its values is:

Log-Auth

Do not log successful authentications.

Log-Auth-Pass

Do not show the password with the log message from a successful authentication.

Log-Failed-Pass

Do not show a failed password.

Log-Pass

Do not show a plaintext password, either failed or succeeded.

Log-All

Do not log authentications at all.

Technical details: After authentication, the server collects all Log-Mode-Mask attributes from the incoming request and LHS of the user's entry. The values of these attributes ORed together form a mask, which is applied via an XOR operation to the current log mode. The value thus obtained is used as effective log mode.

13.3.14 Login-Time

ATTRIBUTE Login-Time 1042 string

The Login-Time attribute specifies the time range over which the user is allowed to log in. The attribute should be specified in the LHS.

The format of the Login-Time string is the same as that of UUCP time ranges. The following description of the time range format is adopted from the documentation for the Taylor UUCP package:

A time string may be a list of simple time strings separated with vertical bars ‘|’ or commas ‘,’.

Each simple time string must begin either with a day-of-week abbreviation (one of ‘Su’, ‘Mo’, ‘Tu’, ‘We’, ‘Th’, ‘Fr’, ‘Sa’), or ‘Wk’ for any day from Monday to Friday inclusive, or ‘Any’ or ‘Al’ for any day.

Following the day may be a range of hours separated with a hyphen, using 24-hour time. The range of hours may cross 0; for example ‘2300-0700’ means any time except 7 AM to 11 PM. If no time is given, calls may be made at any time on the specified day(s).

The time string may also be the single word ‘Never’, which does not match any time.

Here are a few sample time strings with an explanation of what they mean.

‘Wk2305-0855,Sa,Su2305-1655’

This means weekdays before 8:55 AM or after 11:05 PM, any time Saturday, or Sunday before 4:55 PM or after 11:05 PM. These are approximately the times during which night rates apply to phone calls in the U.S.A. Note that this time string uses, for example, ‘2305’ rather than ‘2300’; this will ensure a cheap rate even if the computer clock is running up to five minutes ahead of the real time.

‘Wk0905-2255,Su1705-2255’

This means weekdays from 9:05 AM to 10:55 PM, or Sunday from 5:05 PM to 10:55 PM. This is approximately the opposite of the previous example.

‘Any’

This means any day. Since no time is specified, it means any time on any day.

13.3.15 Match-Profile

ATTRIBUTE Match-Profile 2004 string

The Match-Profile attribute can be used in LHS and RHS lists of a user profile. Its value is the name of another user's profile (target profile). When Match-Profile is used in the LHS, the incoming packet will match this profile only if it matches the target profile. In this case the reply pairs will be formed by concatenating the RHS lists from both profiles. When used in the RHS, this attribute causes the reply pairs from the target profile to be appended to the reply from the current profile if the target profile matches the incoming request.

For example:

IPPOOL  NAS-IP-Address = 10.10.10.1
                Framed-Protocol = PPP,
                Framed-IP-Address = "10.10.10.2"

IPPOOL  NAS-IP-Address = 10.10.11.1
                Framed-Protocol = PPP,
                Framed-IP-Address = "10.10.11.2"

guest   Auth-Type = SQL
                Service-Type = Framed-User,
        Match-Profile = IPPOOL

In this example, when user guest comes from NAS 10.10.10.1, he is assigned IP 10.10.10.2, otherwise if he is coming from NAS 10.10.11.1 he is assigned IP 10.10.11.2.

13.3.16 Menu

ATTRIBUTE Menu 1001 string

This attribute should be used in the RHS. If it is used, it should be the only reply item.

The Menu attribute specifies the name of the menu to be presented to the user. The corresponding menu code is looked up in the ‘RADIUS_DIR/menus/’ directory (see section Login Menus — ‘raddb/menus’).

13.3.17 Pam-Auth

ATTRIBUTE Pam-Auth 1041 string

The Pam-Auth attribute can be used in conjunction with

Auth-Type = Pam

to supply the PAM service name instead of the default ‘radius’. It is ignored if Auth-Type attribute is not set to Pam.

13.3.18 Prefix

ATTRIBUTE Prefix 1003 string

The Prefix attribute indicates the prefix that the user name should contain in order for a particular record in the profile to be matched. This attribute should be specified in the LHS of the ‘users’ or ‘hints’ file.

For example, if the ‘users’ file contained

DEFAULT Prefix = "U", Auth-Type = System
                Service-Type = Login-User

then the user names ‘Ugray’ and ‘Uyoda’ would match this record, whereas ‘gray’ and ‘yoda’ would not.

Both Prefix and Suffix attributes may be specified in a profile. In this case the record is matched only if the user name contains both the prefix and the suffix specified.

See section Suffix, and Strip-User-Name.

13.3.19 Proxy-Replied

ATTRIBUTE Proxy-Replied 2012 integer

VALUE      Proxy-Replied     No                   0       
VALUE      Proxy-Replied     Yes                  1       

radiusd adds this attribute to the incoming request if it was already processed by a remote radius server.

13.3.20 Realm-Name

(This message will disappear, once this node revised.)

ATTRIBUTE Realm-Name 2013 string

13.3.21 Replace-User-Name

ATTRIBUTE Replace-User-Name 2001 string

VALUE      Replace-User-Name  No                   0       
VALUE      Replace-User-Name  Yes                  1       

Use this attribute to modify the user name from the incoming packet. The Replace-User-Name can reference any attributes from both LHS and RHS pairlists using attribute macros (Macro Substitution).

For example, the ‘users’ entry

guest   NAS-IP-Address = 11.10.10.11,
                Calling-Station-Id != ""
                Auth-Type = Accept
        Replace-User-Name = "guest#%C{Calling-Station-Id}",
                Service-Type = Framed-User,
                Framed-Protocol = PPP

allows the use of PPP service for user name guest, coming from NAS ‘11.10.10.11’ with a nonempty Calling-Station-Id attribute. A string consisting of a ‘#’ character followed by the Calling-Station-Id value is appended to the user name.

13.3.22 Rewrite-Function

ATTRIBUTE Rewrite-Function 2004 string

The Rewrite-Function attribute specifies the name of the rewriting function to be applied to the request. The attribute may be specified in either pairlist in the entries of the ‘hints’ or ‘huntgroups’ configuration file.

The corresponding function should be defined in ‘rewrite’ as

integer name()

i.e., it should return an integer value and should not take any arguments.

See section Packet rewriting rules, Request Processing Hints — ‘raddb/hints’; Huntgroups — ‘raddb/huntgroups’.

13.3.23 Scheme-Acct-Procedure

ATTRIBUTE Scheme-Acct-Procedure 2010 string

The Scheme-Acct-Procedure attribute is used to set the name of the Scheme accounting procedure. See section Accounting with Scheme, for information about how to write Scheme accounting procedures.

13.3.24 Scheme-Procedure

ATTRIBUTE Scheme-Procedure 2009 string

The Scheme-Procedure attribute is used to set the name of the Scheme authentication procedure. See section Authentication with Scheme, for information about how to write Scheme authentication procedures.

13.3.25 Simultaneous-Use

ATTRIBUTE Simultaneous-Use 1034 integer

This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any further attempts to log in are rejected.

See section Multiple Login Checking.

13.3.26 Strip-User-Name

ATTRIBUTE Strip-User-Name 1035 integer

VALUE      Strip-User-Name   No                   0       
VALUE      Strip-User-Name   Yes                  1       

The value of Strip-User-Name indicates whether Radius should strip any prefixes/suffixes specified in the user's profile from the user name. When it is set to Yes, the user names will be logged and accounted without any prefixes or suffixes.

A user may have several user names for different kind of services. In this case differentiating the user names by their prefixes and stripping them off before accounting would help keep accounting records consistent.

For example, let's suppose the ‘users’ file contains

DEFAULT Suffix = ".ppp",
                Strip-User-Name = Yes,
                Auth-Type = SQL
        Service-Type = Framed-User,
                Framed-Protocol = PPP

DEFAULT Suffix = ".slip",
                Strip-User-Name = Yes,
                Auth-Type = SQL
        Service-Type = Framed-User,
                Framed-Protocol = SLIP

Now, user ‘johns’, having a valid account in the SQL database, logs in as ‘johns.ppp’. She then is provided the PPP service, and her PPP session is accounted under user name ‘johns’. Later on, she logs in as ‘johns.slip’. In this case she is provided the SLIP service and again her session is accounted under her real user name ‘johns’.

13.3.27 Suffix

ATTRIBUTE Suffix 1004 string

The Suffix attribute indicates the suffix that the user name should contain in order for a particular record in the profile to be matched. This attribute should be specified in LHS of the ‘users’ or ‘hints’ file.

For example, if the ‘users’ file contained

DEFAULT Suffix = ".ppp", Auth-Type = System,
                Strip-User-Name = Yes
        Service-Type = Framed-User,
                Framed-Protocol = PPP        

then the user names ‘gray.ppp’ and ‘yoda.ppp’ would match this record, whereas ‘gray’ and ‘yoda’ would not.

Both Prefix and Suffix attributes may be specified in a profile. In this case the record is matched only if the user name contains both the prefix and the suffix specified.

See section Prefix, and Strip-User-Name.

13.3.28 Termination-Menu

ATTRIBUTE Termination-Menu 1002 string

This attribute should be used in the RHS. If it is used, it should be the only reply item.

The Termination-Menu specifies the name of the menu file to be presented to the user after finishing his session. The corresponding menu code is looked up in the ‘RADIUS_DIR/menus/’ directory (see section Login Menus — ‘raddb/menus’).

This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.