attributes.texi

gnu 的radius服务器很好用的

@c This is part of the Radius manual.
@c Copyright (C) 1999,2000,2001,2002,2003,2004 Free Software Foundation, Inc.
@c Written by Sergey Poznyakoff
@c See file radius.texi for copying conditions.
@setfilename radius.info

@comment **L3***************************************************************
@node Attribute List, , , Top
@chapter Attribute List

The following sections describe the most frequently used Radius
attributes. Each attribute is described as follows:

@defattr{@var{name},@var{value},@var{type},@var{user-flags},@var{hints-flags},@var{huntgroup-flags},@var{additivity},@var{prop}}

These values have the following meaning:

@table @var
@item name
The attribute name.
@item value
The attribute number.
@item type
The attribute type.
@item user-flags
Syntax flags defining in which part of a @file{raddb/users} entry this
attribute may be used. The flags consist of two letters: @samp{L} means
the attribute can be used in the @LHS{}, @samp{R} means it can be used in
the @RHS{}. 
@item hints-flags
Syntax flags defining in which part of a @file{raddb/hints} entry this
attribute may be used.
@item huntgroup-flags
Syntax flags defining in which part of a @file{raddb/huntgroups} entry this
attribute may be used.
@item additivity
The @dfn{additivity} of the attribute determines what happens if a rule
attempts to add to the pair list an attribute that is already present
in this list. Depending on its value, the actions of the server are:
@table @asis
@item Append
New attribute is appended to the end of the list.
@item Replace
New attribute replaces the old.
@item Drop
New attribute is dropped. The old one remains in the list.
@end table
@item prop
Is the attribute propagated back to the @NAS{} if the server works
in proxy mode?
@end table

The entry @acronym{N/A} for any of this fields signifies ``not
applicable''.


@menu
* Authentication Attributes::
* Accounting Attributes::
* Radius Internal Attributes::
@end menu

@node Authentication Attributes
@section Authentication Attributes

These are the attributes the @NAS{} uses in authentication packets
and expects to get back in authentication replies. These can
be used in matching rules.

@menu
* CHAP-Password:: 
* Callback-Id:: 
* Callback-Number:: 
* Called-Station-Id::
* Calling-Station-Id::
* Class:: 
* Framed-Compression:: 
* Framed-IP-Address:: 
* Framed-IP-Netmask:: 
* Framed-MTU:: 
* Framed-Protocol:: 
* Framed-Route:: 
* Framed-Routing:: 
* Idle-Timeout:: 
* NAS-IP-Address:: 
* NAS-Identifier::
* NAS-Port-Id:: 
* NAS-Port-Type::
* Reply-Message:: 
* Service-Type:: 
* Session-Timeout:: 
* State:: 
* Termination-Action:: 
* User-Name:: 
* User-Password:: 
* Vendor-Specific:: 
@end menu

@comment **************************************************************
@node CHAP-Password
@subsection @attr{CHAP-Password}
@atindex CHAP-Password

@defattr{CHAP-Password,3,string,L-,--,--,@acronym{N/A},No}

This attribute indicates the response value provided by a PPP
Challenge-Handshake Authentication Protocol (CHAP) user in
response to the challenge.  It is only used in Access-Request
packets.

The CHAP challenge value is found in the CHAP-Challenge attribute
(60) if present in the packet, otherwise in the request
authenticator field.

@comment **************************************************************
@node Callback-Id
@subsection @attr{Callback-Id}
@atindex Callback-Id

@defattr{Callback-Id,20,string,-R,--,--,Replace,No}

This attribute indicates the name of a place to be called, to be
interpreted by the @NAS{}.  It may be used in Access-Accept packets.

@comment **************************************************************
@node Callback-Number
@subsection @attr{Callback-Number}
@atindex Callback-Number

@defattr{Callback-Number,19,string,-R,--,--,Replace,No}

This attribute indicates a dialing string to be used for callback.
It may be used in Access-Accept packets.  It may be used in an
Access-Request packet as a hint to the server that a Callback
service is desired, but the server is not required to honor the
hint.

@comment **************************************************************
@node Called-Station-Id
@subsection @attr{Called-Station-Id}
@atindex Called-Station-Id

@defattr{Called-Station-Id,30,string,L-,-R,LR,Append,No}

This attribute allows the @NAS{} to send in the Access-Request packet
the phone number that the user called, using Dialed Number
Identification (DNIS) or similar technology.  Note that this may be
different from the phone number the call comes in on.  It is only
used in Access-Request packets.

@comment **************************************************************
@node Calling-Station-Id
@subsection @attr{Calling-Station-Id}
@atindex Calling-Station-Id

@defattr{Calling-Station-Id,31,string,L-,-R,LR,Append,No}

This attribute allows the @NAS{} to send in the Access-Request packet
the phone number that the call came from, using automatic number
identification (ANI) or similar technology.  It is only used in
Access-Request packets.

@comment **************************************************************
@node Class
@subsection @attr{Class}
@atindex Class

@defattr{Class,25,string,LR,LR,LR,Append,No}

This attribute is available to be sent by the server to the client
in an Access-Accept and should be sent unmodified by the client to
the accounting server as part of the Accounting-Request packet if
accounting is supported.

@comment **************************************************************
@node Framed-Compression
@subsection @attr{Framed-Compression}
@atindex Framed-Compression

@defattr{Framed-Compression,13,integer,LR,-R,LR,Replace,Yes}

@smallexample
VALUE      Framed-Compression  None                 0       
VALUE      Framed-Compression  Van-Jacobson-TCP-IP  1       
@end smallexample

This attribute indicates a compression protocol to be used for the
link.  It may be used in Access-Accept packets.  It may be used in
an Access-Request packet as a hint to the server that the @NAS{}
would prefer to use that compression, but the server is not
required to honor the hint.

More than one compression protocol attribute may be sent.  It is
the responsibility of the @NAS{} to apply the proper compression
protocol to appropriate link traffic.

@comment **************************************************************
@node Framed-IP-Address
@subsection @attr{Framed-IP-Address}
@atindex Framed-IP-Address

@defattr{Framed-IP-Address,8,ipaddr,LR,-R,LR,Replace,No}

This attribute indicates the address to be configured for the
user.  It may be used in Access-Accept packets.  It may be used in
an Access-Request packet as a hint by the @NAS{} to the server that
it would prefer that address, but the server is not required to
honor the hint.

The value @code{0xFFFFFFFF} (@code{255.255.255.255}) indicates that
the NAS should 
allow the user to select an address. The value @code{0xFFFFFFFE}
(@code{255.255.255.254}) 
indicates that the @NAS{} should select an address for the user (e.g. assigned
from a pool of addresses kept by the @NAS{}).  Other valid values indicate
that the @NAS{} should use that value as the user's IP.

When used in a @RHS{}, the value of this attribute can
optionally be followed by a plus sign. This usage means that
the value of @attr{NAS-Port-Id} must be added to this IP before
replying. For example,

@smallexample
        Framed-IP-Address = 10.10.0.1+
@end smallexample

@comment **************************************************************
@node Framed-IP-Netmask
@subsection @attr{Framed-IP-Netmask}
@atindex Framed-IP-Netmask

@defattr{Framed-IP-Netmask,9,ipaddr,LR,-R,LR,Replace,No}

This attribute indicates the IP netmask to be configured for the
user when the user is a router to a network.  It may be used in
Access-Accept packets.  It may be used in an Access-Request packet
as a hint by the @NAS{} to the server that it would prefer that
netmask, but the server is not required to honor the hint.

@comment **************************************************************
@node Framed-MTU
@subsection @attr{Framed-MTU}
@atindex Framed-MTU

@defattr{Framed-MTU,12,integer,LR,-R,-R,Replace,Yes}

This attribute indicates the maximum transmission unit to be
configured for the user, when it is not negotiated by some other
means (such as PPP).  It is only used in Access-Accept packets.

@comment **************************************************************
@node Framed-Protocol
@subsection @attr{Framed-Protocol}
@atindex Framed-Protocol

@defattr{Framed-Protocol,7,integer,LR,-R,LR,Replace,Yes}

@smallexample
VALUE      Framed-Protocol   PPP                  1       
VALUE      Framed-Protocol   SLIP                 2       
@end smallexample

This attribute indicates the framing to be used for framed access.
It may be used in both Access-Request and Access-Accept packets.

@comment **************************************************************
@node Framed-Route
@subsection @attr{Framed-Route}
@atindex Framed-Route

@defattr{Framed-Route,22,string,-R,--,--,Replace,No}

This attribute provides routing information to be configured for
the user on the @NAS{}.  It is used in the Access-Accept packet and
can appear multiple times.

@comment **************************************************************
@node Framed-Routing
@subsection @attr{Framed-Routing}
@atindex Framed-Routing

@defattr{Framed-Routing,10,integer,-R,-R,-R,Replace,No}

@smallexample
VALUE      Framed-Routing    None                 0       
VALUE      Framed-Routing    Broadcast            1       
VALUE      Framed-Routing    Listen               2       
VALUE      Framed-Routing    Broadcast-Listen     3       
@end smallexample

This attribute indicates the routing method for the user when the
user is a router to a network.  It is only used in Access-Accept
packets.

@comment **************************************************************
@node Idle-Timeout
@subsection @attr{Idle-Timeout}
@atindex Idle-Timeout

@defattr{Idle-Timeout,28,integer,-R,--,--,Replace,Yes}

This attribute sets the maximum number of consecutive seconds of
idle connection allowed to the user before termination of the
session or prompt.  The server may send this attribute to the client
in an Access-Accept or Access-Challenge.

@comment **************************************************************
@node NAS-IP-Address
@subsection @attr{NAS-IP-Address}
@atindex NAS-IP-Address

@defattr{NAS-IP-Address,4,ipaddr,L-,-R,LR,Append,No}

This attribute indicates the identifying IP of the @NAS{}
which is requesting authentication of the user.  It is only used
in Access-Request packets. Each Access-Request packet should contain
either a @attr{NAS-IP-Address} or a @attr{NAS-Identifier} attribute
(@ref{NAS-Identifier}).

@comment **************************************************************
@node NAS-Identifier
@subsection @attr{NAS-Identifier}
@atindex NAS-Identifier

@defattr{NAS-Identifier,32,string,L-,-R,LR,Append,No}

This attribute contains a string identifying the @NAS{} originating
the access request.  It is only used in Access-Request packets.
Either @attr{NAS-IP-Address}  or @attr{NAS-Identifier} should be present in an
Access-Request packet.

@xref{NAS-IP-Address}.

@comment **************************************************************
@node NAS-Port-Id
@subsection @attr{NAS-Port-Id}
@atindex NAS-Port-Id

@defattr{NAS-Port-Id,5,integer,LR,-R,LR,Append,No}

This attribute indicates the physical port number of the @NAS{} that
is authenticating the user.  It is only used in Access-Request
packets.  Note that here we are using ``port'' in its sense of a
physical connection on the @NAS{}, not in the sense of a @sc{tcp} or 
@sc{udp} port number.

Some @NAS{}es try to encode various information in the @attr{NAS-Port-Id}
attribute value. For example, the @sc{max a}scend terminal server constructs
@attr{NAS-Port-Id} by concatenating the line type (one digit), the line number
(two digits), and the channel number (two digits), thus producing
a five-digit port number. In order to normalize such encoded
port numbers we recommend using a rewrite function (@pxref{rewrite file}).
A rewrite function for @sc{max a}scend servers is provided in the
distribution.

@comment **************************************************************
@node NAS-Port-Type
@subsection @attr{NAS-Port-Type}
@atindex NAS-Port-Type

@defattr{NAS-Port-Type,61,integer,--,--,--,Append,No}

@smallexample
VALUE      NAS-Port-Type     Async                0       
VALUE      NAS-Port-Type     Sync                 1       
VALUE      NAS-Port-Type     ISDN                 2       
VALUE      NAS-Port-Type     ISDN-V120            3       
VALUE      NAS-Port-Type     ISDN-V110            4       
@end smallexample

This attribute indicates the type of the physical port of the @NAS{}
that is authenticating the user.  It can be used instead of or in
addition to the @attr{NAS-Port-Id} (@ref{NAS-Port-Id}) attribute.  It
is only used in
Access-Request packets.  Either @attr{NAS-Port} or @attr{NAS-Port-Type} or
both should be present in an Access-Request packet, if the @NAS{}
differentiates among its ports.

@comment **************************************************************
@node Reply-Message
@subsection @attr{Reply-Message}
@atindex Reply-Message

@defattr{Reply-Message,18,string,-R,--,--,Append,Yes}

This attribute indicates text that may be displayed to the user.

When used in an Access-Accept, it is the success message.

When used in an Access-Reject, it is the failure message.  It may
indicate a dialog message to prompt the user before another
Access-Request attempt.

When used in an Access-Challenge, it may indicate a dialog message
to prompt the user for a response.

Multiple @attr{Reply-Message} attributes may be included, and if any
are displayed,
they must be displayed in the same order as they appear in in the
packet.

@comment **************************************************************
@node Service-Type
@subsection @attr{Service-Type}
@atindex Service-Type

@defattr{Service-Type,6,integer,LR,-R,LR,Replace,Yes}

@smallexample
VALUE      Service-Type      Login-User           1       
VALUE      Service-Type      Framed-User          2       
VALUE      Service-Type      Callback-Login-User  3       
VALUE      Service-Type      Callback-Framed-User 4       
VALUE      Service-Type      Outbound-User        5       
VALUE      Service-Type      Administrative-User  6       
VALUE      Service-Type      NAS-Prompt-User      7       
VALUE      Service-Type      Authenticate-Only    8       
VALUE      Service-Type      Call-Check           10      
@end smallexample

This attribute indicates the type of service the user has
requested, or the type of service to be provided.  It may be used
in both Access-Request and Access-Accept packets.

When used in an Access-Request the service type represents a
hint to the Radius server that the @NAS{} has reason to believe the user
would prefer the kind of service indicated.

When used in an Access-Accept, the service type is an indication
to the @NAS{} that the user must be provided this type of service.

The meaning of various service types is as follows:

@table @code
@item Login-User
The user should be connected to a host.