Radius Attributes

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - User Access and
Authentication 2 AAA Configuration
Table 2-10 Standard RADIUS attributes

Attri Attribu Attribu Description
bute te te Type
No. Name
1 User- string User name for authentication. The user name

Name format can be user name@domain name, or just
user name.
2 User- string User password for authentication, which is only
Passwor valid for the Password Authentication Protocol
d (PAP).
3 CHAP- string Response value provided by a PPP Challenge-

Passwor Handshake Authentication Protocol (CHAP) user in
d response to the challenge.
4 NAS-IP- ipaddr Internet Protocol (IP) address of the NAS carried in

Address authentication request packets. By default, the
attribute value is the source IP address of the
authentication request packets sent by the NAS.
You can change the attribute value to the specified
IP address on the NAS using the radius-attribute
nas-ip ip-address command.
5 NAS- integer Physical port number of the network access server

Port that is authenticating the user, which is in either of
the following formats:
● new: slot ID (8 bits) + sub-slot ID (4 bits) + port
number (8 bits) + Virtual Local Area Network
(VLAN) ID (12 bits)
● old: slot ID (12 bits) + port number (8 bits) +
VLAN ID (12 bits)
6 Service- integer Service type of the user to be authenticated:

Type ● 2 (Framed): PPP or 802.1X access users
● 5 (Outbound): IP session access user
● 6 (Administrative): administrator
● 8 (Authenticate Only): reauthentication only
● 10 (Call Check): MAC address authentication
user or MAC address bypass authentication user
7 Framed integer Encapsulation protocol of Frame services:

- ● For a non-management user, the value is fixed
Protocol as 1.
● For a management user, the value is fixed as 6.
8 Framed ipaddr User IP address.

-IP-
Address
Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 41

Switches

bute te te Type
No. Name
11 Filter-Id string UCL group name, user group name, or IPv4 Access
Control List (ACL) ID.
NOTE
● When this attribute carries the IPv4 ACL ID, the IPv4
ACL IDs must range from 3000 to 3999 (wired users)
or 3000 to 3031 (wireless users).
● A RADIUS packet cannot carry the user group name,
UCL group name, or IPv4 ACL ID simultaneously.
12 Framed integer Maximum transmission unit (MTU) of the data link

-MTU between user and NAS. For example, in 802.1X
Extensible Authentication Protocol (EAP)
authentication, the NAS specifies the maximum
length of the EAP packet in this attribute. An EAP
packet larger than the link MTU may be lost.
14 Login- ipaddr Management user IP address:

IP-Host ● If the value is 0 or 0xFFFFFFFF, the IP address of
management user is not checked.
● If this attribute uses other values, the NAS
checks whether the management user IP address
is the same as the delivered attribute value.
15 Login- integer Service to use to connect the user to the login host:
Service ● 0: Telnet
● 5: X25-PAD
● 50: SSH
● 51: FTP
● 52: Terminal
NOTE
An attribute can contain multiple service types.
18 Reply- string This attribute determines whether a user is

Messag authenticated:
e ● When an Access-Accept packet is returned, the
user is successfully authenticated.
● When an Access-Reject packet is returned, the
user fails authentication.
19 Callbac string Information sent from the authentication server

k- and to be displayed to a user, such as a mobile
Number number.
24 State string This Attribute is available to be sent by the server

to the client in an Access-Challenge and MUST be
sent unmodified from the client to the server in the
new Access-Request reply to that challenge, if any.

Switches

bute te te Type
No. Name
25 Class string If the RADIUS server sends a RADIUS Access-Accept

packet carrying the Class attribute to the NAS, the
subsequent RADIUS Accounting-Request packets
sent from the NAS must carry the Class attribute
with the same value.
26 Vendor- string Vendor-specific attribute. For details, see Table

Specific 2-11. A packet can carry one or more private
attributes. Each private attribute contains one or
more sub-attributes.
27 Session- integer In the Access-Request packet, this attribute

Timeout indicates the maximum number of seconds a user
should be allowed to remain connected.
In the Access-Challenge packet, this attribute
indicates the duration for which EAP authentication
users are reauthenticated.
When the value of this attribute is 0:
● If the aaa-author session-timeout invalid-
value enable command is not configured, the
session-timeout attribute delivered by the server
does not take effect and the period for
disconnecting or reauthenticating users depends
on the device configuration.
● If the aaa-author session-timeout invalid-
value enable command is configured, the
session-timeout attribute delivered by the server
takes effect and the device does not disconnect
or reauthenticate users.
NOTE
This attribute is only valid for 802.1X, MAC address, Portal,
and PPPoE authentication users.
When the RADIUS server delivers only this attribute, the
value of attribute 29 Termination-Action is set to 0
(users are forced offline) by default.
28 Idle- integer Maximum number of consecutive seconds of idle

Timeout connection the user is allowed before termination
of the session or prompt.
NOTE
This attribute is only valid for administrators.

Switches

bute te te Type
No. Name
29 Termina integer What action the NAS should take when the
tion- specified service is completed:
Action ● 0: forcible disconnection
● 1: reauthentication
NOTE
This attribute is only valid for 802.1X and MAC address
authentication users.
When the RADIUS server delivers only this attribute, the
value of attribute 27 Session-Timeout is set to 3600s (for
802.1X authentication users) or 1800s (for MAC address
authentication users) by default.
30 Called- string Number of the NAS:

Station- ● For wired users, it is the NAS MAC address.
Id
● For wireless users, it is the SSID and MAC
address of the AP.
31 Calling- string This Attribute allows the NAS to send in the Access-
Station- Request packet the phone number that the call
Id came from, using Automatic Number Identification
(ANI) or similar technology.
32 NAS- string String identifying the network access server

Identifie originating the Access-Request. By default, the
r attribute value is the host name of the device. You
can change the attribute value to the VLAN ID of
the user using the radius-server nas-identifier-
format { hostname | vlan-id } command.
40 Acct- integer Accounting-Request type:

Status- ● 1: Accounting-Start packet
Type
● 2: Accounting-Stop packet
● 3: Interim-Accounting packet
41 Acct- integer Number of seconds the client has been trying to

Delay- send the accounting packet (excluding the network
Time transmission time).

Switches

bute te te Type
No. Name
42 Acct- integer Number of bytes in upstream traffic, corresponding

Input- to the lower 32 bits in the data structure for storing
Octets the upstream traffic. Contents of this attribute and
the RADIUS attribute 52 (Acct-Input-Gigawords)
compose the upstream traffic.
The traffic unit must be the same as that of the
RADIUS server and can be Byte, KByte, MByte, and
GByte. To set the traffic unit for each RADIUS
server, run the radius-server traffic-unit command.
By default, the unit is Byte.
NOTE
This attribute is only supported by the S5720HI.
43 Acct- integer Number of bytes in downstream traffic,

Output- corresponding to the lower 32 bits in the data
Octets structure for storing the downstream traffic.
Contents of this attribute and the RADIUS attribute
53 (Acct-Output-Gigawords) compose the
downstream traffic.
44 Acct- string Accounting session ID. The Accounting-Start,

Session- Interim-Accounting, and Accounting-Stop packets
Id of the same accounting session must have the
same session ID.
The format of this attribute is: Host name (7 bits) +
Slot ID (2 bits) + Subcard number (1 bit) + Port
number (2 bits) + Outer VLAN ID (4 bits) + Inner
VLAN ID (5 bits) + Central Processing Unit (CPU)
Tick (6 bits) + User ID prefix (2 bits) + User ID (5
bits).
45 Acct- integer User authentication mode:

Authent ● 1: RADIUS authentication
ic
● 2: Local authentication
● 3: Other remote authentications
46 Acct- integer How long (in seconds) the user has received
Session- service.
Time NOTE
If the administrator modifies the system time after the
user goes online, the online time calculated by the device
may be incorrect.

Switches

bute te te Type
No. Name
47 Acct- integer Number of incoming packets.

Input- NOTE
Packets This attribute is only supported by S5720HI.
48 Acct- integer Number of outgoing packets.

Output-
Packets
49 Acct- string Cause of a terminated session:

Termina ● User-Request (1): The user requests termination
te- of service.
Cause
● Lost Carrier (2): The connection is torn down
due to a handshake failure or heartbeat timeout,
such as an ARP probe failure or PPP handshake
failure.
● Lost Service (3): The connection initiated by the
peer device is torn down.
● Idle Timeout (4): The idle timer expires.
● Session Timeout (5): The session times out or
the traffic threshold is reached.
● Admin Reset (6): The administrator forces the
user to go offline.
● Admin Reboot (7): The administrator restarts the
NAS.
● Port Error (8): A port fails.
● NAS Error (9): The NAS encounters an internal
error.
● NAS Request (10): The NAS ends the session due
to resource changes.
● NAS Reboot (11): The NAS automatically
restarts.
● Port Unneeded (12): The port is Down.
● Port Preempted (13): The port is preempted.
● Port Suspended (14): The port is suspended.
● Service Unavailable (15): The service is
unavailable.
● Callback (16): NAS is terminating the current
session to perform a callback for a new session.
● User Error (17): User authentication fails or
times out.
● Host Request (18): A host sends a request.

Switches

bute te te Type
No. Name
52 Acct- integer Number of times the number of bytes in upstream

Input- traffic is greater than 4 GB (2^32), corresponding
Gigawo to the higher 32 bits in the data structure for
rds storing the upstream traffic. Contents of this
attribute and the RADIUS attribute 42 (Acct-Input-
Octets) compose the upstream traffic.
NOTE
This attribute is only supported by S5720HI.
53 Acct- integer Number of times the number of bytes in

Output- downstream traffic is greater than 4 GB (2^32),
Gigawo corresponding to the higher 32 bits in the data
rds structure for storing the downstream traffic.
Contents of this attribute and the RADIUS attribute
43 (Acct-Output-Octets) compose the downstream
traffic.
55 Event- integer Time when an Accounting-Request packet is

Timesta generated, represented by is the number of seconds
mp elapsed since 00:00:00 of January 1, 1970.
60 CHAP- string Challenge field in CHAP authentication. This field is

Challen generated by the NAS for Message Digest
ge algorithm 5 (MD5) calculation.
61 NAS- integer NAS port type. The attribute value can be

Port- configured in the interface view. By default, the
Type type is Ethernet (15).
64 Tunnel- integer Protocol type of the tunnel. The value is fixed as 13,
Type indicating VLAN.
65 Tunnel- integer Medium type used on the tunnel. The value is fixed
Medium as 6, indicating Ethernet.
-Type

Switches

bute te te Type
No. Name
79 EAP- string Encapsulates Extended Access Protocol (EAP)

Messag packets so that RADIUS supports EAP
e authentication. When an EAP packet is longer than
253 bytes, the packet is encapsulated into multiple
attributes. A RADIUS packet can carry multiple EAP-
Message attributes.
80 Messag string Authenticates and verifies authentication packets to

e- prevent spoofing packets.
Authent
icator
81 Tunnel- string Tunnel private group ID, which is used to deliver

Private- user VLAN IDs.
Group- NOTE
ID Authorization can be performed using the VLAN ID, VLAN
description. The order in which authorization takes effect
is as follows: VLAN ID > VLAN description.
To make the VLAN authorization function take effect,
ensure the correct access control mode is configured:
● When the link type is hybrid in untagged mode, the
access control mode can be MAC address or interface.
● When the link type is access or trunk, the access
control mode can only be interface.
85 Acct- integer Interim accounting interval. The value ranges from

Interim- 60 to 3932100, in seconds. It is recommended that
Interval the interval be at least 600 seconds.

Switches

bute te te Type
No. Name
87 NAS- string Port of the NAS that is authenticating the user. The
Port-Id NAS-Port-Id attribute has the following formats:
● New:
For Ethernet access users, the NAS-Port-Id is in
the format "slot=xx; subslot=xx; port=xxx; VLAN
ID=xxxx", in which "slot" ranges from 0 to 15,
"subslot" 0 to 15, "port" 0 to 255, and "VLAN ID"
1 to 4094.
For ADSL access users, the NAS-Port-Id is in the
format "slot=xx; subslot=x; port=x; VPI=xxx;
VCI=xxxxx", in which "slot" ranges from 0 to 15,
"subslot" 0 to 9, "port" 0 to 9, "VPI" 0 to 255,
and "VCI" 0 to 65535.
● Old:
For Ethernet access users, the NAS-Port-Id is in
the format "port number (2 characters) + sub-
slot ID (2 bytes) + card number (3 bytes) +
VLAN ID (9 characters)."
For ADSL access users: port number (2
characters) + sub-slot ID (2 bytes) + card
number (3 bytes) + VPI (8 characters) + VCI (16
characters). The fields are prefixed with 0s if
they contain fewer bytes than specified.
95 NAS- ipaddr IPv6 address carried in the authentication request

IPv6- packet sent by the NAS. Both the NAS-IPv6-Address
Address and NAS-IP-Address fields can be included in a
packet.
96 Framed string IPv6 interface identifier to be configured for the

- user.
Interfac
e-Id
97 Framed ipaddr IPv6 prefix to be configured for the user.

-IPv6-
Prefix
195 HW- string Security information of users in EAP relay

Security authentication.
Str
Huawei Proprietary RADIUS Attributes

RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific)
defined in RFC2865 can be used to extend RADIUS for implementing functions not

Switches
supported by standard RADIUS attributes. Table 2-11 describes Huawei

proprietary RADIUS attributes.
NOTE
Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei
is 2011.
Table 2-11 Huawei proprietary RADIUS attributes

Att Attribute Attri Description
rib Name bute
ut Type
e
No
.
26- HW- integ Peak information rate (PIR) at which the user
1 Input- er accesses the NAS, which is the maximum rate of
Peak- traffic that can pass through an interface. The value
Informatio is a 4-byte integer, in bit/s. The HW-Input-Peak-
n-Rate Information-Rate must be higher than or equal to
the HW-Input-Committed-Information-Rate. The
default HW-Input-Peak-Information-Rate is equal to
the HW-Input-Committed-Information-Rate.
26- HW- integ Committed information rate (CIR) at which the user
2 Input- er accesses the NAS, which is the allowed average rate
Committe of traffic that can pass through an interface. The
d- value is a 4-byte integer, in bit/s.
Informatio NOTE
n-Rate This attribute must be specified when the rate of packets
sent from the user to the NAS is limited.
26- HW- integ Committed burst size (CBS) at which the user
3 Input- er accesses the NAS, which is the average volume of
Committe burst traffic that can pass through an interface. The
d-Burst- value is a 4-byte integer, in bit.
Size
26- HW- integ Peak information rate at which the NAS connects to
4 Output- er the user. The value is a 4-byte integer, in bit/s. The
Peak- HW-Output-Peak-Information-Rate must be higher
Informatio than or equal to the HW-Output-Committed-
n-Rate Information-Rate. The default HW-Output-Peak-
Information-Rate is equal to the HW-Output-
Committed-Information-Rate.
26- HW- integ Committed information rate at which the NAS

5 Output- er connects to the user. The value is a 4-byte integer, in
Committe bit/s.
d- NOTE
Informatio This attribute must be specified when the rate of packets
n-Rate sent from the NAS to the user is limited.

Switches

rib Name bute
ut Type
e
No
.
26- HW- integ Committed burst size at which the NAS connects to
6 Output- er the user. The value is a 4-byte integer, in bit.
Committe
d-Burst-
Size
26- HW- integ Remaining traffic. The unit is KB.

15 Remanent er
-Volume
26- HW- string Name of the QoS profile.

17 Subscriber NOTE
-QoS- The RADIUS server can only grant this attribute to wired
Profile users who go online through the S5720HI.
When this attribute is authorized to an NAS remotely,
ensure that the user queue has been created in the QoS
profile using the user-queue (qos-profile view) command
to implement HQoS.
If the server delivers both the downlink bandwidth limit
(equivalent to the RADIUS attribute HW-Output-
Committed-Information-Rate) and the RADIUS attribute
HW-Subscriber-QoS-Profile for user authorization, only the
RADIUS attribute HW-Subscriber-QoS-Profile takes effect.
26- HW- integ Index of a user connection.

26 Connect- er
ID
26- HW-FTP- string Initial directory of an FTP user.

28 Directory
26- HW-Exec- integ Management user (such as Telnet user) priority,

29 Privilege er ranging from 0 to 15. The priority that is greater than
or equal to 16 is ineffective.
26- HW-Qos- string Name of the QoS profile. The maximum length of
31 Data the name is 31 bytes. The RADIUS server uses this
field to deliver the QoS profile for traffic policing. The
QoS profile must exist on the device and traffic
policing is configured using the car (QoS profile
view) command.
NOTE
This attribute is only supported by the S5720EI, S5720HI,
S6720EI, and S6720S-EI.

Switches

rib Name bute
ut Type
e
No
.
26- HW- integ Voice VLAN authorization flag. The value 1 indicates
33 VoiceVlan er that the authorized VLAN is the voice VLAN. This
attribute is used with VLAN authorization attributes.
NOTE
After the authentication mode multi-share command is
run in an authentication profile, the HW-VoiceVlan attribute
cannot be authorized.
26- HW- integ This attribute specifies whether a RADIUS server is a

35 ProxyRdsP er proxy server:
kt ● If the Access-Accept packet returned by a server
carries the HW-Proxy-RDS attribute with value 1,
the server is the proxy server.
● If the Access-Accept packet returned by a server
carries the HW-Proxy-RDS attribute with value 0,
the server is not the proxy server.
26- HW-NAS- integ NAS start time, represented by the number of

59 Startup- er seconds elapsed since 00:00:00 of January 1, 1970.
Time-
Stamp
26- HW-IP- string User IP address and MAC address carried in

60 Host- authentication and accounting packets, in the format
Address A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC
address are separated by a space.
If the user's IP address is detected to be invalid
during authentication, the IP address is set to
255.255.255.255.
26- HW-Up- integ 802.1p priority of upstream packets.

61 Priority er NOTE
Only the S5720HI supports this attribute.
26- HW- integ 802.1p priority of downstream packets.

62 Down- er NOTE
Priority Only the S5720HI supports this attribute.
26- HW- ipadd Primary WINS server address delivered by the

75 Primary- r RADIUS server after a user is successfully
WINS authenticated.
26- HW- ipadd Secondary WINS server address delivered by the

76 Second- r RADIUS server after a user is successfully
WINS authenticated.

Switches

rib Name bute
ut Type
e
No
.
26- HW- integ Upstream peak rate, in bit/s.

77 Input- er NOTE
Peak- This attribute is only supported by the S5720HI.
Burst-Size
26- HW- integ Downstream peak rate, in bit/s.

78 Output- er
Peak-
Burst-Size

Switches

rib Name bute
ut Type
e
No
.
26- HW-Data- string The RADIUS server delivers an ACL rule to users
82 Filter through this attribute.
NOTE
● A RADIUS packet can carry multiple attributes 26-82.
Currently, each attribute can carry only one ACL rule.
● When wireless users go online on the same AP in the
same VLAN, user isolation must be configured in a
traffic profile to ensure that ACL rules can be delivered
to the AP through a DACL group and take effect.
● You can run the display access-user user-id user-id
command to check whether this attribute takes effect. If
Dynamic ACL desc (Effective) is displayed in the
command output, this attribute takes effect. If Dynamic
ACL desc (Ineffective) is displayed in the command
output, this attribute does not take effect.
The attribute format is acl number key1 key-value1...
keyN key-valueN permit/deny.
The fields are described as follows:
● acl: Keyword, indicating that the ACL rule is
delivered.
● number: ACL rule number. The value ranges from
10000 to 10999.
● keyM key-valueM(1≤M≤N): Keyword in an ACL
rule and its value. The keyword value can be:
– dest-ip ip-address: Specifies the destination IP
address in dotted decimal notation. When the
destination IP address is 0.0.0.0, this parameter
can be omitted without configuration.
– dest-ipmask mask: Specifies the destination IP
mask. NAC users support only the destination
IP mask that is an integer ranging from 1 to 32.
VM users support only the destination IP mask
that is in dotted decimal notation. When IP
mask is 0, this parameter can be omitted
without configuration.
– tcp-srcport port: Specifies the source TCP port
number that ranges from 0 to 65535.
– tcp-dstport port: Specifies the destination TCP
port number that ranges from 0 to 65535.
– udp-srcport port: Specifies the source UDP port
number that ranges from 0 to 65535.
– udp-dstport port: Specifies the destination UDP
port number that ranges from 0 to 65535.

Switches

rib Name bute
ut Type
e
No
.
● permit/deny: ACL action. permit indicates that

the user access is allowed. deny indicates that the
user access is denied.
NOTE
You are advised to use the standard RADIUS attribute Filter-
Id to delivery ACL rules.
A maximum of 64 ACL rules can be delivered to a user.
However, bear in mind that if too many ACL rules are
delivered, the number of users who can be online and the
available bandwidth will be affected. For this reason, you
are recommended to deliver no more than 16 ACL rules to a
user.
If direct forwarding mode is used, ACL rules can be delivered
to wireless users using the standard RADIUS attribute 11 but
not this attribute.
All keywords are case-insensitive. All keywords are separated
from keyword values using spaces. The location of keywords
is not fixed. The keywords permit and deny can be placed
after number or the whole command line.
For example:
● acl 10005 deny
● acl 10006 tcp-dstport 5080 permit
● acl 10007 dest-ip 10.11.11.2 dest-ipmask 32
permit
● acl 10008 dest-ip 10.11.11.3 dest-ipmask 32
udp-dstport 5070 permit
26- HW- ipadd Primary DNS address delivered by the RADIUS server
13 Client- r after a user is successfully authenticated.
5 Primary-
DNS
26- HW- ipadd Secondary DNS address delivered by the RADIUS

13 Client- r server after a user is successfully authenticated.
6 Secondary
-DNS
26- HW- string Name of the domain used for user authentication.
13 Domain- This attribute can be the domain name contained in
8 Name a user name or the name of a forcible domain.
26- HW-AP- string AP's MAC address used for STA authentication, in H-
14 Informatio H-H format. H is a 4-digit hexadecimal number.
1 n NOTE

Switches

rib Name bute
ut Type
e
No
.
26- HW-User- string User security check information delivered by the

14 Informatio RADIUS server to an Extensible Authentication
2 n Protocol over LAN (EAPoL) user to notify the user of
items that require security checks.
26- HW- string Service scheme name. A service scheme contains user
14 Service- authorization information and policies.
6 Scheme
26- HW- integ User access type carried in the authentication and
15 Access- er accounting request packets sent by the RADIUS client
3 Type to the RADIUS server:
● 1: Dot1x user
● 2: MAC address authentication user or MAC
address bypass authentication
● 3: Portal authentication user
● 4: Static user
● 6: Management user
● 7: PPP users
26- HW-URL- integ This attribute specifies whether a Uniform Resource

15 Flag er Locator (URL) is forcibly pushed when it is used with
5 another attribute, for example, HW-Portal-URL:
● 0: No
● 1: Yes
26- HW- string Forcibly pushed URL. The maximum length is 200
15 Portal- bytes.
6 URL If information delivered by the RADIUS server
matches the configured URL template, the URL
configured in the template is used. Otherwise, the
character string delivered by the RADIUS server is
used.
26- HW- string Terminal type of a user.

15 Terminal-
7 Type
26- HW- string DHCP Option, encapsulated in Type-Length-Value

15 DHCP- (TLV) format. A packet may contain multiple HW-
8 Option DHCP-Option attributes to carry Option information.
Only Option 82 can be delivered.

Switches

rib Name bute
ut Type
e
No
.
26- HW-UCL- integ Index of a UCL group.

16 Group er NOTE
0 This attribute is only supported by S5720EI, S5720HI,
S6720EI, and S6720S-EI.
26- HW- string Delivers the Internet Service Provider (ISP) VLAN for
16 Forwardin user packet forwarding.
1 g-VLAN NOTE
26- HW- string Outbound interface for forwarding user packets.

16 Forwardin NOTE
2 g- This attribute is only supported by the S5720HI.
Interface
26- HW-LLDP string LLDP information. A packet can contain multiple HW-
16 LLDP-Info attributes to carry different options.
3
26- HW- string Redirection ACL. Redirection is performed for only the
17 Redirect- users matching the ACL rules. The ACL number or
3 ACL ACL name can be delivered. The ACL name must start
with a character.
NOTE
The value range of acl-number is from 3000 to 3999 for
wired users and from 3000 to 3031 for wireless users.

Switches

rib Name bute
ut Type
e
No
.
26- HW-User- string Extended user information. This attribute is contained

20 Extend- in authentication and accounting request packets. A
1 Info packet can contain multiple HW-User-Extend-Info
attributes. The following describes extended user
information:
● User-Position: Service code of the location where a
user goes online
● User-Position-Type: Type of the location where a
user goes online
● AP-Device-Code: AP code
● AP-POS-X: Longitude of a moving AP
● AP-POS-Y: Latitude of a moving AP
● Wifi-Density: Field strength
● TERMINAL-POS-X: X coordinate of the terminal
against AP, in meters
● TERMINAL-POS-Y: Y coordinate of the terminal
against AP, in meters
● HW-Access-Time: user access time. The value is
the number of seconds elapsed since 00:00:00 of
January 1, 1970.
This attribute applies only to MAC address
authentication and Portal authentication.
26- HW-Web- string Information sent from the portal server via the device
23 Authen- (which transparently transmits the information) to
7 Info the RADIUS server. For example, a user selects the
authentication-free option and time information for
next login, based on which the RADIUS server saves
the MAC address of the user for a period of time.
Upon the next login of the user, the login page is not
displayed. Instead, MAC address authentication is
preferentially used. This attribute can be used for
transparent transmission in complex modes such as
EAP.

Switches

rib Name bute
ut Type
e
No
.
26- HW-Ext- string User extended attributes:

23 Specific ● user-dscp-in: DSCP value of inbound user packets.
8 The value ranges from 0 to 63.
● user-dscp-out: DSCP value of outbound user
packets. The value ranges from 0 to 63.
● user-command: user reauthentication. This field
has a fixed value of 1, indicating that
reauthentication will be performed.
NOTE
When the value of user-command is 1, other authorization
attributes are not supported.
The user-dscp-in and user-dscp-out attributes cannot be
authorized to wireless users in direct forwarding mode.
This attribute applies only to NAC users.
26- HW-User- string User context profile information.

23 Access-
9 Info
26- HW- string The authentication and accounting request packets

24 Access- carry the IP addresses, MAC addresses, and port
0 Device- numbers of access switches in policy association. The
Info format is ip=A.B.C.D;mac=XXXX-XXXX-
XXXX;slot=XX;subslot=XXX;port=XXX;vlanid=XXXX.
26- HW- string Server reachability detection information.

24 Reachable Authentication packets carrying this attribute are
4 -Detect server detection packets.
26- HW- string Number of upstream bytes at the specified tariff level
24 Tariff- sent to the accounting server. This field is included in
7 Input- the accounting packets. The unit can be byte,
Octets kilobyte, megabyte, or gigabyte. The format is Tariff
level:Number of upstream bytes. An accounting
packet can contain the traffic of at most 8 tariff
levels.
26- HW- string Number of downstream bytes at the specified tariff

24 Tariff- level sent to the accounting server. This field is
8 Output- included in the accounting packets. The unit can be
Octets byte, kilobyte, megabyte, or gigabyte. The format is
Tariff level:Number of downstream bytes. An
accounting packet can contain the traffic of at most
8 tariff levels.

Switches

rib Name bute
ut Type
e
No
.
26- HW- string Number of times larger the number of upstream

24 Tariff- bytes at the specified tariff level is than 4G. This field
9 Input- and the HW-Tariff-Input-Octets field specify the
Gigawords number of upstream bytes at the specified tariff level.
26- HW- string Number of times larger the number of downstream

25 Tariff- bytes at the specified tariff level is than 4G. This field
0 Output- and the HW-Tariff-Output-Octets field specify the
Gigawords number of downstream bytes at the specified tariff
level.
26- HW- ipadd IPv6 address to be configured for the user.

25 Framed- r
3 IPv6-
Address
26- HW- string Software version of the device.

25 Version
4
26- HW- string NAS product name.

25 Product-
5 ID
Huawei-supported Extended RADIUS Attributes of Other Vendors

Huawei devices support some extended RADIUS attributes of Microsoft, Cisco, and
DSL Forum. For details, see Table 2-12.
Table 2-12 Huawei-supported extended RADIUS attributes of other vendors

Attri Attribute Attribute Type Description
bute Name
No.
MIC MS-MPPE- string This attribute indicates the

ROS Send-Key MPPE sending key.
OFT-
16
MIC MS-MPPE- string This attribute indicates the

ROS Recv-Key MPPE receiving key.
OFT-
17

Switches
Attri Attribute Attribute Type Description

bute Name
No.
CISC Cisco-avpair string This attribute indicates the

O-1 voice VLAN.
DSLF Agent-Circuit- string This Attribute contains

ORU Id information describing the
M-1 subscriber agent circuit
identifier corresponding to
the logical access loop port
of the Access Node/
DSLAM from which a
subscriber's requests are
initiated.
DSLF Agent- string This attribute contains an

ORU Remote-Id operator-specific, statically
M-2 configured string that
uniquely identifies the
subscriber on the
associated access loop of
the Access Node/DSLAM.
RADIUS Attributes Available in Packets

Different RADIUS packets carry different RADIUS attributes.
● For the RADIUS attributes available in authentication packets, see Table 2-13.
● For the RADIUS attributes available in accounting packets, see Table 2-14.
● For the RADIUS attributes available in authorization packets, see Table 2-15.
NOTE
The following describes the values in the tables:

● 1: indicates that the attribute must appear once in the packet.
● 0: indicates that the attribute cannot appear in the packet (it will be discarded if it is
contained).
● 0-1: indicates that the attribute can appear once or does not appear in the packet.
● 0+: indicates that the attribute may appear multiple times or does not appear in the
packet.
Table 2-13 RADIUS attributes available in authentication packets
Attribute No. Access- Access- Access- Access-

Request Accept Reject Challenge
User-Name(1) 1 0-1 0 0
User-Password(2) 0-1 0 0 0

Switches

CHAP-Password(3) 0-1 0 0 0
NAS-IP-Address(4) 1 0 0 0
NAS-Port(5) 1 0 0 0
Service-Type(6) 1 0-1 0 0
Framed-Protocol(7) 1 0-1 0 0
Framed-IP-Address(8) 0-1 0-1 0 0
Filter-Id(11) 0 0-1 0 0
Framed-Mtu(12) 0-1 0 0 0
Login-IP-Host(14) 0-1 0-1 0 0
Login-Service(15) 0 0-1 0 0
Reply-Message(18) 0 0-1 0-1 0-1
Callback-Number(19) 0 0-1 0 0
State(24) 0-1 0-1 0 0-1
Class(25) 0 0-1 0 0
Session-Timeout(27) 0 0-1 0-1 0-1
Idle-Timeout(28) 0 0-1 0 0
Termination-Action(29) 0 0-1 0 0-1
Called-Station-Id(30) 0-1 0 0 0
Calling-Station-Id(31) 1 0-1 0 0
NAS-Identifier(32) 1 0 0 0
Acct-Session-id(44) 1 0 0 0
CHAP-Challenge(60) 0-1 0 0 0
NAS-Port-Type(61) 1 0 0 0
Tunnel-Type(64) 0 0-1 0 0
Tunnel-Medium-Type(65) 0 0-1 0 0
EAP-Message(79) 0-1 0-1 0-1 0-1
Message- 0-1 0-1 0-1 0-1

Authenticator(80)
Tunnel-Private-Group- 0 0-1 0-1 0

ID(81)

Switches

Acct-Interim-Interval(85) 0 0-1 0 0
NAS-Port-Id(87) 0-1 0 0 0
NAS-IPv6-Address(95) 0-1 0 0 0
Framed-Interface-Id(96) 0+ 0 0 0
Framed-IPv6-Prefix(97) 0+ 0 0 0
HW-SecurityStr(195) 0-1 0 0 0
HW-Input-Peak- 0 0-1 0 0
Information-Rate(26-1)
HW-Input-Committed- 0 0-1 0 0
HW-Input-Committed- 0 0-1 0 0
Burst-Size(26-3)
HW-Output-Peak- 0 0-1 0 0
HW-Output-Committed- 0 0-1 0 0
HW-Output-Committed- 0 0-1 0 0
Burst-Size(26-6)
HW-Remanent- 0 0-1 0 0
Volume(26-15)
HW-Subscriber-QoS- 0 0-1 0 0
Profile(26-17)
HW-Connect-ID(26-26) 1 0 0 0
Ftp-directory(26-28) 0 0-1 0 0
HW-Exec-Privilege(26-29) 0 0-1 0 0
HW-Qos-Data(26-31) 0 0-1 0 0
HW-VoiceVlan(26-33) 0 0-1 0 0
HW-ProxyRdsPkt(26-35) 0 0-1 0 0
HW-NAS-Startup-Time- 1 0 0 0
Stamp(26-59)
HW-IP-Host- 1 0 0 0
Address(26-60)
HW-Up-Priority(26-61) 0 0-1 0 0

Switches

HW-Down- 0 0-1 0 0
Priority(26-62)
HW-Primary- 0 0-1 0 0
WINS(26-75)
HW-Second-WINS(26-76) 0 0-1 0 0
HW-Input-Peak-Burst- 0 0-1 0 0
Size(26-77)
HW-Output-Peak-Burst- 0 0-1 0 0
Size(26-78)
HW-Data-Filter(26-82) 0 0-1 0-1 0
HW-Client-Primary- 0 0-1 0 0
DNS(26-135)
HW-Client-Secondary- 0 0-1 0 0
DNS(26-136)
HW-Domain- 1 0 0 0
Name(26-138)
HW-AP- 1 0 0 0
Information(26-141)
HW-User- 0 0-1 0 0
Information(26-142)
HW-Service- 0 0-1 0 0
Scheme(26-146)
HW-Access-Type(26-153) 1 0-1 0 0
HW-URL-Flag(26-155) 0 0-1 0 0
HW-Portal-URL(26-156) 0 0-1 0 0
HW-Terminal- 0-1 0 0 0
Type(26-157)
HW-DHCP- 0+ 0 0 0
Option(26-158)
HW-UCL-Group(26-160) 0 0-1 0 0
HW-Forwarding- 0 0-1 0 0
VLAN(26-161)
HW-Forwarding- 0 0-1 0 0
Interface(26-162)
HW-LLDP(26-163) 0-1 0 0 0

Switches

HW-Redirect- 0 0-1 0 0
ACL(26-173)
HW-User-Extend- 0-1 0 0 0
Info(26-201)
HW-Web-Authen- 1 0 0 0
Info(26-237)
HW-Ext-Specific(26-238) 0 1 0 0
HW-User-Access- 1 0 0 0
Info(26-239)
HW-Access-Device- 0-1 0 0 0
Info(26-240)
HW-Reachable- 0 0 0 0
Detect(26-244)
HW-Framed-IPv6- 0-1 0 0 0
Address(26-253)
HW-Version(26-254) 1 0 0 0
HW-Product-ID(26-255) 1 0 0 0
MS-MPPE-Send- 0 0-1 0 0
Key(MICROSOFT-16)
MS-MPPE-Recv- 0 0-1 0 0
Key(MICROSOFT-17)
Cisco-avpair(CISCO-1) 0 0-1 0 0
Agent-Circuit- 0-1 0 0 0
Id(DSLFORUM-1)
Agent-Remote- 0-1 0 0 0
Id(DSLFORUM-2)

Switches
Table 2-14 RADIUS attributes available in accounting packets

Attribute No. Accou Accou Accou Accou Accou Account
nting- nting- nting- nting- nting- ing-
Reque Reque Reque Respo Respo Respons
st st st nse nse e
(Start) (Interi (Stop) (start) (Interi (Stop)
m- m-
Updat Updat
e) e)
User-Name(1) 1 1 1 0 0 0
NAS-IP-Address(4) 1 1 1 0 0 0
NAS-Port(5) 1 1 1 0 0 0
Service-Type(6) 1 1 1 0 0 0
Framed-Protocol(7) 1 1 1 0 0 0
Framed-IP- 1 1 1 0 0 0
Address(8)
Class(25) 0-1 0-1 0-1 0 0 0
Session-Timeout(27) 0 0 0 0-1 0-1 0
Called-Station- 1 1 1 0 0 0
Id(30)
NOTE
For users who access
the network through
PPP authentication,
this attribute is
optional. If the
authentication
request packet does
not carry this
attribute, then neither
does the accounting
request packet.
Calling-Station- 1 1 1 0 0 0
Id(31)
NAS-Identifier(32) 1 1 1 0 0 0
Acct-Status-Type(40) 1 1 1 0 0 0
Acct-Delay-Time(41) 0-1 1 1 0 0 0
Acct-Input- 0-1 0-1 0-1 0 0 0

Octets(42)
Acct-Session-Id(44) 1 1 1 0 0 0
Acct-Authentic(45) 1 1 1 0 0 0

Switches

st st st nse nse e
m- m-
Updat Updat
e) e)
Acct-Session- 0 1 1 0 0 0
Time(46)
Acct-Input- 0-1 0-1 0-1 0 0 0

Packets(47)
Acct-Output- 0-1 0-1 0-1 0 0 0

Packets(48)
Acct-Terminate- 0 0 1 0 0 0
Cause(49)
Acct-Input- 0-1 0-1 0-1 0 0 0

Gigawords(52)
Acct-Output- 0-1 0-1 0-1 0 0 0

Gigawords(53)
Event- 1 1 1 0 0 0
Timestamp(55)
NAS-Port-Type(61) 1 1 1 0 0 0
NAS-Port-Id(87) 1 1 1 0 0 0
NAS-IPv6- 0-1 0-1 0-1 0 0 0

Address(95)
HW-Input- 1 1 1 0 0 0
Committed-
Information-
Rate(26-2)
HW-Output- 1 1 1 0 0 0
Committed-
Information-
Rate(26-5)
HW-Connect- 1 1 1 0 0 0
ID(26-26)
HW-IP-Host- 1 1 1 0 0 0
Address(26-60)
HW-Domain- 1 1 1 0 0 0
Name(26-138)

Switches

st st st nse nse e
m- m-
Updat Updat
e) e)
HW-AP- 0-1 0-1 0-1 0 0 0

Information(26-141)
HW-User- 0 0 0 0-1 0-1 0

Information(26-142)
HW-Access- 0-1 0-1 0-1 0 0 0

Type(26-153)
HW-Terminal- 0-1 0-1 0-1 0 0 0

Type(26-157)
HW-DHCP- 0+ 0+ 0+ 0 0 0
Option(26-158)
HW-HTTP- 0-1 0-1 0-1 0 0 0

UA(26-159)
HW-LLDP(26-163) 0-1 0-1 0-1 0 0 0
HW-User-Extend- 0-1 0-1 0-1 0 0 0

Info(26-201)
HW-Access-Device- 0-1 0-1 0-1 0 0 0

Info(26-240)
HW-Reachable- 0 0 0 0 0 0
Detect(26-244)
HW-Tariff-Input- 0 0-1 0-1 0 0 0

Octets(26-247)
HW-Tariff-Output- 0 0-1 0-1 0 0 0

Octets(26-248)
HW-Tariff-Input- 0 0-1 0-1 0 0 0

Gigawords(26-249)
HW-Tariff-Output- 0 0-1 0-1 0 0 0

Gigawords(26-250)
HW-Framed-IPv6- 0-1 0-1 0-1 0 0 0

Address(26-253)
MS-MPPE-Send- 0 0 0 0 0 0
Key(MICROSOFT-16)

Switches

st st st nse nse e
m- m-
Updat Updat
e) e)
MS-MPPE-Recv- 0 0 0 0 0 0
Key(MICROSOFT-17)
Cisco- 0 0 0 0 0 0
avpair(CISCO-1)
Agent-Circuit- 0-1 0-1 0-1 0 0 0

Id(DSLFORUM-1)
Agent-Remote- 0-1 0-1 0-1 0 0 0

Id(DSLFORUM-2)
Table 2-15 RADIUS attributes available in CoA/DM packets

Attribute No. CoA CoA CoA DM DM DM NAK
REQUE ACK NAK REQUE ACK
ST ST
User-Name(1) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-IP-Address(4) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-Port(5) 0-1 0 0 0-1 0 0
Framed-IP- 0-1 0-1 0-1 0-1 0-1 0-1

Address(8)
Filter-Id(11) 0-1 0 0 0 0 0
Session-Timeout(27) 0-1 0 0 0 0 0
Idle-Timeout(28) 0-1 0 0 0 0 0
Termination- 0-1 0 0 0 0 0
Action(29)
Calling-Station- 0-1 0-1 0-1 0-1 0-1 0-1

Id(31)
NAS-Identifier(32) 0 0-1 0-1 0 0 0
Acct-Session-Id(44) 1 1 1 1 1 1
Tunnel-Type(64) 0-1 0 0 0 0 0

Switches

ST ST
Tunnel-Medium- 0-1 0 0 0 0 0
Type(65)
Tunnel-Private- 0-1 0 0 0 0 0
Group-ID(81)
Acct-Interim- 0-1 0 0 0 0 0
Interval(85)
NAS-Port-Id(87) 0-1 0 0 0-1 0 0
HW-Input-Peak- 0-1 0 0 0 0 0
Information-
Rate(26-1)
HW-Input- 0-1 0 0 0 0 0
Committed-
Information-
Rate(26-2)
HW-Output-Peak- 0-1 0 0 0 0 0
Information-
Rate(26-4)
HW-Output- 0-1 0 0 0 0 0
Committed-
Information-
Rate(26-5)
HW-Output- 0-1 0 0 0 0 0
Committed-Burst-
Size(26-6)
HW-Subscriber-QoS- 0-1 0 0 0 0 0
Profile(26-17)
HW-Qos- 0-1 0 0 0 0 0
Data(26-31)
HW-Up- 0-1 0 0 0 0 0
Priority(26-61)
HW-Down- 0-1 0 0 0 0 0
Priority(26-62)
HW-Input-Peak- 0-1 0 0 0 0 0
Burst-Size(26-77)
HW-Output-Peak- 0-1 0 0 0 0 0
Burst-Size(26-78)
HW-Data- 0-1 0 0 0 0 0
Filter(26-82)

Switches

ST ST
HW-Service- 0-1 0 0 0 0 0
Scheme(26-146)
HW-URL- 0-1 0 0 0 0 0
Flag(26-155)
HW-Portal- 0-1 0 0 0 0 0
URL(26-156)
HW-UCL- 0-1 0 0 0 0 0
Group(26-160)
HW-Forwarding- 0-1 0 0 0 0 0
VLAN(26-161)
HW-Forwarding- 0-1 0 0 0 0 0
Interface(26-162)
HW-Redirect- 0-1 0 0 0 0 0
ACL(26-173)
HW-Ext- 1 0 0 0 0 0
Specific(26-238)
MS-MPPE-Send- 0 0 0 0 0 0
Key(MICROSOFT-16)
MS-MPPE-Recv- 0 0 0 0 0 0
Key(MICROSOFT-17)
Cisco- 0-1 0 0 0 0 0
avpair(CISCO-1)
Agent-Circuit- 0-1 0 0 0 0 0
Id(DSLFORUM-1)
Agent-Remote- 0-1 0 0 0 0 0
Id(DSLFORUM-2)
2.2.4.9 RADIUS Attribute Disablement and Translation

Different vendors support different collections of RADIUS attributes and each
vendor may have their private attributes. As a result, RADIUS attributes of
different vendors may be incompatible and RADIUS attributes sent between
devices from different vendors fail to be parsed. To resolve this issue, the RADIUS
attribute disablement and translation functions are often used in interconnection
and replacement scenarios.
RADIUS Attribute Disablement

The RADIUS server may have RADIUS attributes with the same attribute IDs and
names as but different encapsulation formats or contents from those on the

Radius Attributes

Uploaded by

Copyright:

Available Formats

Radius Attributes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Radius Attributes

Uploaded by

Copyright:

Available Formats

S1720, S2700, S5700, and S6720 Series Ethernet

Table 2-10 Standard RADIUS attributes

1 User- string User name for authentication. The user name

3 CHAP- string Response value provided by a PPP Challenge-

4 NAS-IP- ipaddr Internet Protocol (IP) address of the NAS carried in

5 NAS- integer Physical port number of the network access server

6 Service- integer Service type of the user to be authenticated:

7 Framed integer Encapsulation protocol of Frame services:

8 Framed ipaddr User IP address.

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 41

Attri Attribu Attribu Description

12 Framed integer Maximum transmission unit (MTU) of the data link

14 Login- ipaddr Management user IP address:

18 Reply- string This attribute determines whether a user is

19 Callbac string Information sent from the authentication server

24 State string This Attribute is available to be sent by the server

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 42

Attri Attribu Attribu Description

25 Class string If the RADIUS server sends a RADIUS Access-Accept

26 Vendor- string Vendor-specific attribute. For details, see Table

27 Session- integer In the Access-Request packet, this attribute

28 Idle- integer Maximum number of consecutive seconds of idle

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 43

Attri Attribu Attribu Description

30 Called- string Number of the NAS:

32 NAS- string String identifying the network access server

40 Acct- integer Accounting-Request type:

41 Acct- integer Number of seconds the client has been trying to

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 44

Attri Attribu Attribu Description

42 Acct- integer Number of bytes in upstream traffic, corresponding

43 Acct- integer Number of bytes in downstream traffic,

44 Acct- string Accounting session ID. The Accounting-Start,

45 Acct- integer User authentication mode:

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 45

Attri Attribu Attribu Description

47 Acct- integer Number of incoming packets.

48 Acct- integer Number of outgoing packets.

49 Acct- string Cause of a terminated session:

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 46

Attri Attribu Attribu Description

52 Acct- integer Number of times the number of bytes in upstream

53 Acct- integer Number of times the number of bytes in

55 Event- integer Time when an Accounting-Request packet is

60 CHAP- string Challenge field in CHAP authentication. This field is

61 NAS- integer NAS port type. The attribute value can be

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 47

Attri Attribu Attribu Description

79 EAP- string Encapsulates Extended Access Protocol (EAP)

80 Messag string Authenticates and verifies authentication packets to

81 Tunnel- string Tunnel private group ID, which is used to deliver

85 Acct- integer Interim accounting interval. The value ranges from

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 48

Attri Attribu Attribu Description

95 NAS- ipaddr IPv6 address carried in the authentication request

96 Framed string IPv6 interface identifier to be configured for the

97 Framed ipaddr IPv6 prefix to be configured for the user.

195 HW- string Security information of users in EAP relay

Huawei Proprietary RADIUS Attributes

Issue 14 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 49