Remote access RADIUS attributes

The following lists the RADIUS attributes that are supported by the remote access server running Windows 2000 for the various RADIUS packet types. For more information about these attributes, see RFC 2138, "Remote Authentication Dial-in User Service (RADIUS)" and RFC 2548, "Microsoft Vendor-specific RADIUS Attributes."

Access-Request

• User-Name (RADIUS attribute 1)

• A string value that contains the user principal name or the Windows NT name without the domain.

• User-Password (RADIUS attribute 2)

• A string value that contains the user password and is only sent if Password Authentication Protocol (PAP) is negotiated as the authentication protocol.

• CHAP-Password (RADIUS attribute 3)

• Contains the response value provided by the Challenge Handshake Authentication Protocol (CHAP) in response to the challenge.

• NAS_IP_Addresss (RADIUS attribute 4)

• Contains the IP address of the remote access server.

• NAS-Port (RADIUS attribute 5)

• Indicates the number of the port on the remote access server on which the incoming call was received.

• Service-Type (RADIUS attribute 6)

• The only value that is sent is "Framed" (2).

• Framed-Protocol (RADIUS attribute 7)

• The only value that is sent is "PPP" (1).

• Framed-MTU (RADIUS attribute 12)

• Used in conjunction with EAP authentication to notify the RADIUS server of the maximum transmission unit (MTU) negotiated with the client, so that the RADIUS server does not send EAP messages that cannot be delivered over the link.

• State (RADIUS attribute 24)

• The remote access server never sends this attribute in the initial Access-Request. If EAP is used as the authentication protocol and a State attribute is received in an Access-Challenge packet, that State attribute is returned unmodified in the next Access-Request packet sent.

• Called-Station-Id (RADIUS attribute 30)

• Telephone number on which the call was received. For virtual private network (VPN) connections, the IP address of the VPN server.

• Calling-Station-Id (RADIUS attribute 31)

• Telephone number on which the call was made. For virtual private network (VPN) connections, the IP address of the VPN client.

• NAS-Identifier (RADIUS attribute 32)

• The fully qualified domain name of the remote access server.

• CHAP-Challenge (RADIUS attribute 60)

• The challenge sent by the remote access server during CHAP authentication.

• NAS-Port-Type (RADIUS attribute 61)

• The only values sent are Async (0), ISDN Sync (2), ISDN Async V.120 (3) ISDN Async V.110 (4), and Virtual (5). Virtual port is used to indicate VPN connections.

• Tunnel-Type (RADIUS attribute 64)

• The only values sent are PPTP (1) and L2TP (3).

• Tunnel-Medium-Type (RADIUS attribute 65)

• The only value sent is IP (1).

• Tunnel-Client-EndPoint (RADIUS attribute 66) (PPTP only)
• Tunnel-Server-EndPoint (RADIUS attribute 67) (PPTP only)
• Connect-Info (RADIUS attribute 77)

• Contains whatever data TAPI returns about the call.

• EAP-Message (RADIUS attribute 79)
• Signature (RADIUS attribute 80)

• Always sent if EAP is used for authentication. Otherwise, it is configurable on the properties of the RADIUS server.

• MS-CHAP-Response (vendor type 1)
• MS-CHAP-CPW-2 (vendor type 4)
• MS-Chap-LM-Enc-Pw (vendor type 5)
• MS-CHAP-NT-Enc-PW (vendor type 6)
• MS-Ras-Vendor (vendor type 9)
• MS-Chap-Challenge (vendor type 11)
• MS-Ras-Version (vendor type 18)

Access-Accept

• Service-Type (RADIUS attribute 6)

• Only Framed (2) and Callback Framed (4) are accepted. If any other Service-Type is received, the call is dropped.

• Framed-Protocol (RADIUS attribute 7)

• Only PPP (1) is accepted. If any other Framed-Protocol is received, the call is dropped.

• Framed-IP-Address (RADIUS attribute 8)

• The only acceptable values are 0xFFFFFFFF (user selects address) and 0xFFFFFFFE (remote access server selects address). If any other Framed-IP-Address is received, the call is dropped.

• Framed-MTU (RADIUS attribute 12)

• Not used.

• Framed-Compression (RADIUS attribute 13)

• The only recognized values are None (0) and VJ TCP/IP header compression (1). All other values are ignored.

• Reply-Message (RADIUS attribute 18)

• Returned in CHAP, PAP, and MS-CHAP (both v1 and v2) Success packets and in the EAP Notification message.

• Framed-Route (RADIUS attribute 22)
• State (RADIUS attribute 24)

• Returned to the remote access server unchanged.

• Class (RADIUS attribute 25)

• Sent unchanged to accounting server in Accounting Start message.

• Session-Timeout (RADIUS attribute 27)
• Idle-Timeout (RADIUS attribute 28)
• Termination-Action (RADIUS attribute 29)

• Not used.

• Port-Limit (RADIUS attribute 62)
• EAP-Message (RADIUS attribute 79)
• Signature (RADIUS attribute 80)

• Only accepted if EAP is used for authentication.

• Acct-Interim-Interval (RADIUS attribute 85)
• MS-MPPE-Encryption-Policy (vendor type 7)
• MS-MPPE-Encryption-Types (vendor type 8)
• MS-CHAP-Domain (vendor type 10)
• MS-BAP-Usage (vendor type 13)
• MS-Link-Utilization-Threshold (vendor type 14)
• MS-Link-Drop-Time-Limit (vendor type 15)
• MS-Filter (vendor type 22)

Access-Challenge

The Access-Challenge is only used with EAP. Otherwise, the receipt of an Access-Challenge is treated as Access-Reject.

• State (RADIUS attribute 24)
• Session-Timeout (RADIUS attribute 27)
• EAP-Message (RADIUS attribute 79)
• Signature (RADIUS attribute 80)

Accounting-Request

• User-Name (RADIUS attribute 1)
• NAS_IP_Addresss (RADIUS attribute 4)
• NAS-Port (RADIUS attribute 5)
• Service-Type (RADIUS attribute 6)
• Framed-Protocol (RADIUS attribute 7)
• Framed-IP-Address (RADIUS attribute 8)
• Framed-MTU (RADIUS attribute 12)
• Framed-Compression (RADIUS attribute 13)
• Framed-Route (RADIUS attribute 22)
• Class (RADIUS attribute 25)
• Session-Timeout (RADIUS attribute 27)
• Idle-Timeout (RADIUS attribute 28)
• Termination-Action (RADIUS attribute 29)
• Called-Station-Id (RADIUS attribute 30)
• Calling-Station-Id (RADIUS attribute 31)
• NAS-Identifier (RADIUS attribute 32)
• NAS-Port-Type (RADIUS attribute 61)
• Port-Limit (RADIUS attribute 62)
• Tunnel-Type (RADIUS attribute 64)
• Tunnel-Medium-Type (RADIUS attribute 65)
• Tunnel-Client-EndPoint (RADIUS attribute 66)
• Tunnel-Server-EndPoint (RADIUS attribute 67)
• Connect-Info (RADIUS attribute 77)
• Acct-Status-Type (RADIUS attribute 40)

• "On" is sent when the Routing and Remote Access service is started. "Off" is sent if the Routing and Remote Access service is gracefully stopped. "Start" and "Stop" are sent at the beginning and end of a user connection. "Interim-Update" is sent at approximately the interval specified in the Acct-Interim-Interval attribute (some random jitter is applied) and only if the Acct-Interim-Interval attribute was returned in the Access-Accept message.

• Acct-Delay-Time (RADIUS attribute 41)

• Five seconds are added on every retransmission (regardless of the actual time between retransmissions).

• Acct-Input-Octets (RADIUS attribute 42)
• Acct-Output-Octets (RADIUS attribute 43)
• Acct-Session-Id (RADIUS attribute 44)
• Acct-Authentic (RADIUS attribute 45)
• Acct-Session-Time (RADIUS attribute 46)
• Acct-Input-Packets (RADIUS attribute 47)
• Acct-Output-Packets (RADIUS attribute 48)
• Acct-Termination-Cause (RADIUS attribute 49)

• The only values sent are 1 (User Request), 4 (Idle Timeout), 5 (Session Timeout), 6 (Admin Reset), and 8 (Port Error).

• Acct-Multi-Session-Id (RADIUS attribute 50)
• Acct-Link-Count (RADIUS attribute 51)
• MS-Ras-Vendor (vendor type 9)
• MS-CHAP-Domain (vendor type 10)
• MS-Ras-Version (vendor type 18)
• MS-Filter (vendor type 22)