5. Attributes
RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.
The end of the list of Attributes is indicated by the Length of the RADIUS packet.
Some Attributes MAY be included more than once. The effect of this is Attribute specific, and is specified in each Attribute description. A summary table is provided at the end of the "Attributes" section.
If multiple Attributes with the same Type are present, the order of Attributes with the same Type MUST be preserved by any proxies. The order of Attributes of different Types is not required to be preserved. A RADIUS server or client MUST NOT have any dependencies on the order of attributes of different types. A RADIUS server or client MUST NOT require attributes of the same type to be contiguous.
Where an Attribute's description limits which kinds of packet it can be contained in, this applies only to the packet types defined in this document, namely Access-Request, Access-Accept, Access-Reject and Access-Challenge (Codes 1, 2, 3, and 11). Other documents defining other packet types may also use Attributes described here. To determine which Attributes are allowed in Accounting-Request and Accounting-Response packets (Codes 4 and 5) refer to the RADIUS Accounting document [5].
Likewise where packet types defined here state that only certain Attributes are permissible in them, future memos defining new Attributes should indicate which packet types the new Attributes may be present in.
A summary of the Attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
The Type field is one octet. Up-to-date values of the RADIUS Type
field are specified in the most recent "Assigned Numbers" RFC [6].
Values 192-223 are reserved for experimental use, values 224-240
are reserved for implementation-specific use, and values 241-255
are reserved and should not be used.
A RADIUS server MAY ignore Attributes with an unknown Type.
A RADIUS client MAY ignore Attributes with an unknown Type.
This specification concerns the following values:
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
Length
The Length field is one octet, and indicates the length of this
Attribute including the Type, Length and Value fields. If an
Attribute is received in an Access-Request but with an invalid
Length, an Access-Reject SHOULD be transmitted. If an Attribute
is received in an Access-Accept, Access-Reject or Access-Challenge
packet with an invalid length, the packet MUST either be treated
as an Access-Reject or else silently discarded.
Value
The Value field is zero or more octets and contains information
specific to the Attribute. The format and length of the Value
field is determined by the Type and Length fields.
Note that none of the types in RADIUS terminate with a NUL (hex
00). In particular, types "text" and "string" in RADIUS do not
terminate with a NUL (hex 00). The Attribute has a length field
and does not use a terminator. Text contains UTF-8 encoded 10646
[7] characters and String contains 8-bit binary data. Servers and
clients MUST be able to deal with embedded nulls.
RADIUS implementers using C are cautioned not to use strcpy() when
handling strings.
The format of the value field is one of five data types. Note
that type "text" is a subset of type "string".
   text      1-253 octets containing UTF-8 encoded 10646 [7]
             characters. Text of length zero (0) MUST NOT be sent;
             omit the entire attribute instead.

   string    1-253 octets containing binary data (values 0 through
             255 decimal, inclusive). Strings of length zero (0)
             MUST NOT be sent; omit the entire attribute instead.

   address   32 bit value, most significant octet first.

   integer   32 bit unsigned value, most significant octet first.

   time      32 bit unsigned value, most significant octet first --
             seconds since 00:00:00 UTC, January 1, 1970. The
             standard Attributes do not use this data type but it is
             presented here for possible use in future attributes.
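
An added example, not part of the original specification text: a C parser for the Type/Length/Value layout described above that rejects an invalid Length and copies values by length rather than with strcpy(), so embedded NULs survive. The function names, the struct and the sample bytes are constructed for illustration; attrs is assumed to be the attribute region of a packet, already bounded by the RADIUS packet Length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct radius_attr { uint8_t type, value_len; const uint8_t *value; };

/* Constructed sample: User-Name (1) = "a\0b", NAS-Port (5) = 7. */
static const uint8_t sample_attrs[] = { 1, 5, 'a', 0, 'b',  5, 6, 0, 0, 0, 7 };

/* Parse the attribute at *off. Returns 1 (and advances *off), 0 at the end
 * of the list, or -1 on an invalid Length. value is not NUL-terminated. */
int radius_next_attr(const uint8_t *attrs, size_t attrs_len, size_t *off,
                     struct radius_attr *out)
{
    if (*off >= attrs_len)
        return 0;                        /* end is set by the packet Length */
    size_t left = attrs_len - *off;
    if (left < 2 || attrs[*off + 1] < 2 || attrs[*off + 1] > left)
        return -1;                       /* truncated, too short, or overruns */
    out->type = attrs[*off];
    out->value_len = (uint8_t)(attrs[*off + 1] - 2);
    out->value = attrs + *off + 2;
    *off += attrs[*off + 1];
    return 1;
}

/* Walk the whole list so a bad Length anywhere fails the packet, then copy the
 * first `type` value by length (memcpy keeps NULs). Returns length or -1. */
int radius_copy_first(const uint8_t *attrs, size_t attrs_len, uint8_t type,
                      uint8_t *dst, size_t dst_cap)
{
    struct radius_attr a, hit = { 0, 0, NULL };
    size_t off = 0;
    int rc;
    while ((rc = radius_next_attr(attrs, attrs_len, &off, &a)) == 1)
        if (a.type == type && hit.value == NULL)
            hit = a;
    if (rc < 0 || hit.value == NULL || hit.value_len > dst_cap)
        return -1;
    memcpy(dst, hit.value, hit.value_len);
    return hit.value_len;
}

int main(void)
{
    uint8_t name[253];
    int n = radius_copy_first(sample_attrs, sizeof sample_attrs, 1, name, sizeof name);
    return n == 3 ? 0 : 1;
}
```

A return of -1 covers both a malformed list and a missing attribute; a caller that must distinguish the two can call radius_next_attr() directly.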