66 attributes · 66 total
| # | Name | Description |
|---|---|---|
| 1 | User-Name ex: jdupont@corp.com | User identifier (login, UPN, MAC in MAB) |
| 2 | User-Password | XOR MD5-encrypted password (PAP). Not recommended — use EAP instead. |
| 3 | CHAP-Password | CHAP response (16 bytes + identifier) |
| 4 | NAS-IP-Address ex: 10.0.1.100 | IP address of the NAS (AP, switch, controller) |
| 5 | NAS-Port | Physical port number of the NAS (may be the SNMP ifIndex) |
| 6 | Service-Type ex: 2 (Framed) | Service type: 1=Login, 2=Framed, 6=Administrative, 10=Call-Check (MAB) |
| 7 | Framed-Protocol | Encapsulated protocol: 1=PPP, 2=SLIP, 7=X.75 Synchronous |
| 8 | Framed-IP-Address ex: 192.168.10.50 | IP address assigned to the client (255.255.255.254 = NAS negotiation) |
| 9 | Framed-IP-Netmask ex: 255.255.255.0 | Subnet mask associated with Framed-IP-Address |
| 10 | Framed-Routing | Routing method: 0=None, 1=Send, 2=Listen, 3=Send & Listen |
| 11 | Filter-Id ex: RESTRICT-INTERNET.in | Name of a named filter/ACL to apply on the NAS side |
| 12 | Framed-MTU ex: 1500 | Session MTU (64–65535 bytes) |
| 13 | Framed-Compression | Compression: 0=None, 1=VJ TCP/IP, 2=IPX Header, 3=Stac-LZS |
| 18 | Reply-Message ex: Certificate expired — contact support | Human-readable message displayed to the user (portal, rejection) |
| 22 | Framed-Route ex: 10.0.0.0/8 192.168.1.1 1 | Static route pushed to the client (format "network/mask gateway metric") |
| 24 | State | Opaque — maintained between Access-Challenge and EAP Access-Request |
| 25 | Class | Opaque — returned verbatim in all Accounting packets for the session |
| 26 | Vendor-Specific | Contains VSA attributes (TLV: Vendor-ID 4 bytes + Type 1 + Len 1 + Value) |
| 27 | Session-Timeout ex: 28800 (8h) | Maximum session duration in seconds before forced re-authentication |
| 28 | Idle-Timeout ex: 900 (15min) | Idle time before disconnection (seconds) |
| 29 | Termination-Action | 0=Default (disconnect), 1=RADIUS-Request (automatic re-auth at end of session) |
| 30 | Called-Station-Id ex: AA:BB:CC:DD:EE:FF:CORP-WIFI | WiFi: BSSID + ":" + SSID. Wired: MAC address of the switch port |
| 31 | Calling-Station-Id ex: 00-1A-2B-3C-4D-5E | Client MAC address (format varies by vendor) |
| 32 | NAS-Identifier ex: SW-ACCESS-BLDG-A | Name of the NAS |
| 33 | Proxy-State | Opaque — preserved verbatim by RADIUS proxies (do not modify) |
| 40 | Acct-Status-Type ex: 1 (Start) | 1=Start, 2=Stop, 3=Interim-Update, 7=Accounting-On, 8=Accounting-Off |
| 41 | Acct-Delay-Time | Seconds since the start of the send attempt (retransmissions) |
| 42 | Acct-Input-Octets | Bytes received from the client (32-bit — wraps at ~4 GB) |
| 43 | Acct-Output-Octets | Bytes sent to the client (32-bit) |
| 44 | Acct-Session-Id ex: A1B2C3D4E5F6 | Unique session identifier (used for CoA/Disconnect) |
| 45 | Acct-Authentic | 1=RADIUS, 2=Local, 3=Remote — authentication method used |
| 46 | Acct-Session-Time ex: 3600 | Session duration in seconds |
| 47 | Acct-Input-Packets | Packets received from the client |
| 48 | Acct-Output-Packets | Packets sent to the client |
| 49 | Acct-Terminate-Cause | 1=User-Request, 2=Lost-Carrier, 4=Idle-Timeout, 5=Session-Timeout, 6=Admin-Reset, 17=User-Error |
| 50 | Acct-Multi-Session-Id | Identifier grouping multiple related sessions (multilink) |
| 51 | Acct-Link-Count | Number of links in a multilink session |
| 52 | Acct-Input-Gigawords | Upper 32-bit complement of Acct-Input-Octets (for high-throughput sessions > 4 GB) |
| 53 | Acct-Output-Gigawords | Upper 32-bit complement of Acct-Output-Octets |
| 55 | Event-Timestamp | Unix epoch timestamp of the event (NTP synchronization required) |
| 56 | Egress-VLANID ex: 0x1000002A (VLAN 42 untagged) | Egress VLAN ID (encoded: 0x20000000 = tagged, 0x10000000 = untagged) |
| 57 | Ingress-Filters | 1=Enabled: only frames from listed VLANs are accepted on ingress |
| 58 | Egress-VLAN-Name ex: 2CORP-DATA | Egress VLAN name (encoded: "1VLAN-NAME" tagged, "2VLAN-NAME" untagged) |
| 59 | User-Priority-Table | 802.1p table — maps priority levels (8 bytes) |
| 60 | CHAP-Challenge | CHAP challenge sent by the NAS |
| 61 | NAS-Port-Type ex: 15 (Ethernet) or 19 (WiFi) | Port type: 5=Virtual, 15=Ethernet, 19=Wireless 802.11, 41=Wireless 802.16 |
| 62 | Port-Limit | Maximum number of allowed parallel ports/sessions |
| 64 | Tunnel-Type ex: 13 (VLAN) | Tunnel type: 13=VLAN (802.1Q). Required for Dynamic VLAN. |
| 65 | Tunnel-Medium-Type ex: 6 (IEEE 802) | Medium: 6=IEEE 802 (Ethernet/WiFi). Required for Dynamic VLAN. |
| 77 | Connect-Info ex: CONNECT 300Mbps 802.11n | WiFi connection information (data rate, modulation) |
| 79 | EAP-Message | Encapsulated EAP packet (max 253 bytes, fragmentation supported) |
| 80 | Message-Authenticator | HMAC-MD5 mandatory whenever EAP is used — protects packet integrity |
| 81 | Tunnel-Private-Group-Id ex: "42" | VLAN ID to assign (1-4094). Key attribute for Dynamic VLAN. |
| 83 | Tunnel-Preference | Preference when multiple Tunnel-* attribute sets are returned (Tag 1, 2…) |
| 85 | Acct-Interim-Interval ex: 300 | Interim-Update send interval in seconds |
| 87 | NAS-Port-Id ex: GigabitEthernet1/0/5 | Textual port identifier (interface-name) |
| 88 | Framed-Pool ex: POOL-GUESTS | Name of the DHCP pool to use for IP address assignment |
| 89 | Chargeable-User-Identity | CUI — stable billing identifier for roaming (Hotspot 2.0, eduroam) |
| 91 | NAS-Filter-Rule ex: permit in ip from any to 10.0.0.0/8 | Inline filter rule (IPFilter format) applied directly without a named ACL |
| 92 | NAS-IPv6-Address | IPv6 address of the NAS (alternative to NAS-IP-Address for IPv6-only NAS) |
| 95 | NAS-IPv6-Address | IPv6 address of the NAS |
| 97 | Framed-IPv6-Prefix ex: 2001:db8:1::/64 | IPv6 prefix delegated to the client (DHCPv6-PD) |
| 98 | Login-IPv6-Host | IPv6 login host (IPv6 equivalent of Login-IP-Host) |
| 99 | Framed-IPv6-Route ex: 2001:db8::/32 :: 1 | Static IPv6 route pushed to the client |
| 100 | Framed-IPv6-Pool | Name of the IPv6 address pool to use |
| 101 | Error-Cause | Error code in CoA-NAK or Disconnect-NAK (201=Unsupported, 401=Missing attr, 503=Session not found…) |