SYSTEM ADMINISTRATOR GUIDE     66/1543-CRA 119 1170/1-V1 Uen B    

RADIUS Attributes

© Ericsson AB 2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.

Contents

1   Overview
1.1   RADIUS Packet Format
1.2   Packet Types
1.3   RADIUS Files

2   Supported Standard RADIUS Attributes
2.1   Standard Attributes in Access-Accept and Accounting Messages
2.2   Standard RADIUS Attributes in CoA and Disconnect Messages
2.3   Standard RADIUS Attributes That Can Be Reauthorized

3   Vendor VSAs Provided by Ericsson AB
3.1   Standard Attributes in Access-Accept and Accounting Messages
3.2   Vendor VSAs in CoA and Disconnect Messages
3.3   Vendor VSAs That Can Be Reauthorized
3.4   VSA for RSE Reauthorization
3.5   VSA 164 Format
3.6   VSA 196 Format

4   Vendor VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels

5   Other Supported VSAs

6   RADIUS Attributes Supported by RFlow

7   Supported Service Attributes

8   RADIUS Attributes Supported by Mobile IP Services
8.1   Standard RADIUS Attributes and Mobile IP Services
8.2   3GPP2 RADIUS VSAs
8.3   3GPP2 RADIUS VSAs That Can Be Reauthorized
8.4   WiMax Forum RADIUS VSAs
8.5   WiMax Forum RADIUS VSAs in the CoA
8.6   Motorola VSAs

9   RADIUS Attribute 49 Error Codes

1   Overview

This document describes standard Remote Authentication Dial-In User Service (RADIUS) and vendor-specific attributes (VSAs) supported by the SmartEdge® router.

For more information about RADIUS attributes, see the following documents:

Internet Engineering Task Force (IETF) RADIUS attributes are the original set of 255 standard attributes used to communicate authentication, authorization, and accounting (AAA) information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known so that all clients and servers can exchange AAA information. RADIUS VSAs are derived from a single IETF RADIUS attribute, attribute 26 (Vendor-Specific), which enables a vendor, in this case Redback Networks, to create an additional 255 attributes.

RADIUS packets and files are described further in the following sections:

1.1   RADIUS Packet Format

Figure 1 illustrates the format of a RADIUS packet.

Figure 1   RADIUS Packet Format (797)

Table 1 describes the fields contained in a RADIUS packet.

Table 1    RADIUS Packet Fields

Field

Description

Code

Identifies the RADIUS packet type. The type can be one of the following:


  • Access-Request (1)

  • Access-Accept (2)

  • Access-Reject (3)

  • Accounting-Request (4)

  • Accounting-Response (5)

  • Disconnect-Request (40)

  • Disconnect-ACK (41)

  • Disconnect-NAK (42)

  • CoA-Request (43)

  • CoA-ACK (44)

  • CoA-NAK (45)

Identifier

Helps the RADIUS server match requests and responses and detect duplicate requests.

Length

Specifies the length of the entire packet.

Authenticator

Authenticates the reply from the RADIUS server. There are two types of authenticators:


  • Request-Authentication (available in Access-Request and Accounting-Request packets)

  • Response-Authentication (available in Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response packets)
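
The following added example (not part of the original guide) parses the header fields from Table 1 and checks a reply's Response Authenticator against the shared secret, using the RFC 2865 computation MD5(Code + Identifier + Length + Request Authenticator + Attributes + secret). The packets and the secret are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Code values from Table 1 of this guide.
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}

HEADER_LEN = 20   # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
MAX_LEN = 4096    # maximum RADIUS packet length per RFC 2865


def parse_header(datagram: bytes) -> dict:
    """Split a datagram into the Table 1 fields, rejecting bad Length values."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if not HEADER_LEN <= length <= MAX_LEN:
        raise ValueError(f"Length field {length} out of range")
    if length > len(datagram):
        raise ValueError("Length field exceeds the data actually received")
    # Octets beyond Length are padding and are ignored.
    return {
        "code": code,
        "name": CODES.get(code, "Unknown"),
        "identifier": identifier,
        "length": length,
        "authenticator": datagram[4:HEADER_LEN],
        "attributes": datagram[HEADER_LEN:length],
    }


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """MD5 over the reply header, the *request* authenticator, attributes, secret."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(reply: bytes, request: bytes, secret: bytes) -> bool:
    """True only if the reply matches the request and was made with the secret."""
    req = parse_header(request)
    rep = parse_header(reply)
    if rep["identifier"] != req["identifier"]:
        return False
    expected = response_authenticator(
        rep["code"], rep["identifier"], rep["attributes"],
        req["authenticator"], secret)
    # Constant-time comparison avoids leaking how many octets matched.
    return hmac.compare_digest(expected, rep["authenticator"])


def build(code, identifier, authenticator, attributes):
    """Assemble a packet (used here only to construct the sample data)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + authenticator + attributes


# Constructed sample data, not captured traffic.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
REQUEST = build(1, 7, REQUEST_AUTH, b"\x01\x05bob")     # User-Name = "bob"
REPLY_ATTRS = b"\x12\x04hi"                              # Reply-Message = "hi"
REPLY = build(2, 7,
              response_authenticator(2, 7, REPLY_ATTRS, REQUEST_AUTH, SECRET),
              REPLY_ATTRS)

if __name__ == "__main__":
    print(parse_header(REPLY)["name"], verify_response(REPLY, REQUEST, SECRET))
```

A reply that fails this check, or whose Length field does not fit the datagram, should be dropped silently rather than answered.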

1.2   Packet Types

Table 2 describes RADIUS packet types.

Table 2    RADIUS Packet Types

Type

Description

Access-Request

Sent from a client to a RADIUS server. The RADIUS server uses the packet to determine whether to allow access to a specific network access server (NAS), which permits subscriber access. Subscribers performing authentication must submit an Access-Request packet. When an Access-Request packet is received, the RADIUS server must forward a reply.

Access-Accept

Upon receiving an Access-Request packet, the RADIUS server sends an Access-Accept packet if all attribute values in the Access-Request packet are acceptable.

Access-Reject

Upon receiving an Access-Request packet, the RADIUS server sends an Access-Reject packet if any of the attribute values are not acceptable.

Access-Challenge

Upon receiving an Access-Request packet, the RADIUS server can send the client an Access-Challenge packet, which requires a response. If the client does not know how to respond, or if the packets are invalid, the RADIUS server discards the packets. If the client responds to the packet, a new Access-Request packet is sent with the original Access-Request packet.

Accounting-Request

Sent from a client to a RADIUS accounting server. If the RADIUS accounting server successfully records the Accounting-Request packet, it must submit an Accounting-Response packet.

Accounting-Response

Sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully.

CoA-Request

Sent by the RADIUS server to the NAS to dynamically change session authorizations.

CoA-Response

Sent by the NAS to the RADIUS server to acknowledge (ACK) a CoA request if the session authorizations were successfully changed. A NAK is sent if the CoA request is unsuccessful.

Disconnect-Request

Sent by the RADIUS server to the NAS to terminate a session and discard all session context.

Disconnect-Response

Sent by the NAS to the RADIUS server to acknowledge (ACK) a disconnect request if the session is successfully terminated and the context discarded. A NAK is sent if the disconnect request is unsuccessful.

1.3   RADIUS Files

RADIUS files communicate AAA information between a client and server. These files are described in the following sections:

1.3.1   RADIUS Dictionary File

Table 3 describes the information contained in a RADIUS dictionary file.

Table 3    RADIUS Dictionary File

Name: ASCII string name of the attribute; for example, UserName.

ID: Numerical identification of the attribute; for example, the User-Name attribute is 1.

Value Type: Each attribute can be specified through one of the following value types:


  • binary—0 to 254 octets.

  • date—32-bit value in big endian order; for example, seconds since 00:00:00 GMT, JAN. 1, 1970.

  • ipadd—4 octets in network byte order.

  • integer—32-bit value in big endian order (high byte first).

  • string—0 to 253 octets.

An integer can be expanded to represent a string. The following example is an integer-based attribute and its corresponding string values. In this example, the values for VSA 144, Acct_Reason, describe the reason for sending subscriber accounting packets to the RADIUS server. Each value is represented by an integer:

#
ATTRIBUTE    Acct_Reason   144                 Integer
VALUE        AAA_LOAD_ACCT_SESSION_UP          1
VALUE        AAA_LOAD_ACCT_SESSION_DOWN        2
VALUE        AAA_LOAD_ACCT_PERIODIC            3
.
.
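
As an added illustration (not from the original guide), the example below loads the dictionary excerpt above and uses it to decode a Redback VSA carried in attribute 26 with Vendor-Id 2352. It assumes that VALUE lines belong to the preceding ATTRIBUTE line and that sub-attributes use the one-octet type and one-octet length layout recommended by RFC 2865; the sample attribute bytes are constructed.

```python
import struct

# Dictionary excerpt from this section (VSA 144, Acct_Reason).
DICTIONARY = """\
#
ATTRIBUTE    Acct_Reason   144                 Integer
VALUE        AAA_LOAD_ACCT_SESSION_UP          1
VALUE        AAA_LOAD_ACCT_SESSION_DOWN        2
VALUE        AAA_LOAD_ACCT_PERIODIC            3
"""

VENDOR_SPECIFIC = 26       # IETF attribute that carries VSAs
REDBACK_VENDOR_ID = 2352   # Vendor-Id given in this guide


def parse_dictionary(text):
    """Return {attribute id: {"name", "type", "values": {int: label}}}."""
    attrs, current = {}, None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "ATTRIBUTE" and len(fields) == 4:
            current = {"name": fields[1], "type": fields[3].lower(), "values": {}}
            attrs[int(fields[2])] = current
        elif fields[0] == "VALUE" and len(fields) == 3 and current is not None:
            # Assumption: a VALUE line applies to the preceding ATTRIBUTE.
            current["values"][int(fields[2])] = fields[1]
        else:
            raise ValueError(f"unrecognized dictionary line: {raw!r}")
    return attrs


def tlvs(data):
    """Yield (type, value) pairs; reject lengths that underrun or overrun."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[offset], data[offset + 1]
        if a_len < 2 or offset + a_len > len(data):
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        yield a_type, data[offset + 2:offset + a_len]
        offset += a_len


def decode_vsas(attributes, dictionary):
    """Decode Redback VSAs found in the attribute section of a packet."""
    decoded = []
    for a_type, value in tlvs(attributes):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute lacks a Vendor-Id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != REDBACK_VENDOR_ID:
            continue  # another vendor's VSA; this dictionary does not apply
        for v_type, v_value in tlvs(value[4:]):
            entry = dictionary.get(v_type)
            if entry is None:
                decoded.append((v_type, None, v_value))   # unknown: keep raw
            elif entry["type"] == "integer":
                if len(v_value) != 4:
                    raise ValueError(f"VSA {v_type}: integer must be 4 octets")
                (number,) = struct.unpack("!I", v_value)  # big endian
                label = entry["values"].get(number, number)
                decoded.append((v_type, entry["name"], label))
            else:
                decoded.append((v_type, entry["name"], v_value))
    return decoded


# Constructed sample: User-Name "bob", then VSA 144 with integer value 2.
SAMPLE = (b"\x01\x05bob"
          + bytes([VENDOR_SPECIFIC, 12]) + struct.pack("!I", REDBACK_VENDOR_ID)
          + bytes([144, 6]) + struct.pack("!I", 2))

if __name__ == "__main__":
    print(decode_vsas(SAMPLE, parse_dictionary(DICTIONARY)))
```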

1.3.2   RADIUS Clients Files

A clients file contains a list of RADIUS clients allowed to send authentication and accounting requests to the RADIUS server. To receive authentication, the client name and authentication key sent to the RADIUS server must be an exact match with the data contained in the clients file; see the following example:

#
Client Name        Key
10.1.1.1           test
nas-1              secret

1.3.3   Subscriber Files

A subscriber file contains an entry for each subscriber that the RADIUS server authenticates. The first line in any subscriber file is a “user access” line; the server must check the attributes on the first line before it can grant access to the user.

The following example allows the subscriber to access five tunnel attributes:

#
redback.com Password="redback" Service-Type Outbound
      Tunnel-Type = :1:L2TP
      Tunnel-Medium-Type = :1:IP
      Tunnel-Server-Endpoint = :1:10.0.0.1
      Tunnel-Password = :1:"welcome"
      Tunnel-Assignment-ID = :1:"nas"

2   Supported Standard RADIUS Attributes

Standard RADIUS attributes appear in the various types of RADIUS messages as described in the following sections:

2.1   Standard Attributes in Access-Accept and Accounting Messages

Table 4 describes the standard RADIUS attributes that are supported by the SmartEdge router and that can appear in Access-Request, Account-Request, and Access-Response messages.

Table 4    Standard RADIUS Attributes Supported

#

Attribute Name

Sent in Access-Request

Sent in Acct-Request

Receivable in Access-Response

Notes

1

User-Name

Yes

Yes

No

String. Name of the user to be authenticated; only used in Access-Request packets.


The radius attribute username command provides options to change the format of the User-Name attribute.

2

User-Password

Yes

No

No

String. Sent unless using the CHAP-Password attribute.

3

CHAP-Password

Yes

No

No

String. Sent in Access-Request packet unless using the User-Password attribute.

4

NAS-IP-Address

Yes

Yes

No

IP address. Specifies an IPv4 source IP address for RADIUS packets sent by the SmartEdge router.


This attribute is not sent unless explicitly enabled through the radius attribute nas-ip-address command (in context configuration mode).

5

NAS-Port

Yes

Yes

No

Integer. This attribute is sent using the slot-port format. For details on this format or to modify the format in which this attribute is sent, see the radius attribute nas-port command.

6

Service-Type

Yes

Yes

Yes

Integer. Type of service requested or provided. Values are:


  • 2=Framed

  • 5=Outbound

  • 6=Administrative

  • 7=NAS Prompt

7

Framed-Protocol

Yes

Yes

Yes

Integer. The value indicates the framing to be used for framed access. This attribute must not be used in a user profile designed for RFC 1483 and RFC 1490 bridged or routed circuits, or for telnet sessions. This value is sent only for Point-to-Point Protocol (PPP) service types. The value for PPP is 1.

8

Framed-IP-Address

Yes

Yes

Yes

IP address. In Accounting-Request packets, returns the IP address assigned to the subscriber either dynamically or statically. In Access-Accept packets, a return value of 255.255.255.254 or 0.0.0.0 causes the SmartEdge router to assign the subscriber an address from an IP address pool. This attribute is received in Access-Response messages and is sent in Access-Request messages conditioned by the aaa hint ip address command (in context configuration mode).

9

Framed-IP-Netmask

No

Yes

Yes

IP address. Assigns a range of addresses to a subscriber circuit; it is not a netmask in the conventional sense of determining which address bits are host versus prefix, and so on.

11

Filter-Id

No

Yes

Yes

String. Specifies that inbound or outbound traffic be filtered. Use the in:<name> and out:<name> format.

12

Framed-MTU

No

Yes

Yes

Integer. Maximum transmission unit (MTU) to be configured for the user when it is not negotiated by some other means (such as Point-to-Point Protocol [PPP]). It is only used in Access-Accept packets.

18

Reply-Message

No

No

Yes

String. Text that can be displayed to the user. Multiple Reply-Message attributes can be included. If any are displayed, they must be displayed in the same order as they appear in the packet.

22

Framed-Route

No

Yes

Yes

IP address. The format is h.h.h.h/nn g.g.g.g n where:


  • h.h.h.h=IP address of destination host or network.

  • nn=optional netmask size in bits (if not present, defaults to 32).

  • g.g.g.g=IP address of gateway.

  • n=Number of hops for this route.

24

State

No

No

Yes

Binary String.

25

Class

No

Yes

Yes

String. If received, this information must be sent on, without interpretation, in all subsequent packets sent to the RADIUS accounting server for that subscriber session.

26

Vendor-Specific

Yes

Yes

No

String. Allows Redback Networks to support its own VSAs, embedded with the Vendor-Id attribute set to 2352. For the VSAs supported by the SmartEdge router, see Table 7.

27

Session-Timeout

No

Yes

Yes

Integer. Sets the maximum number of seconds of service allowed the subscriber before termination of the session. Corresponds to the SmartEdge router timeout command (in subscriber configuration mode) with the absolute keyword, except that the attribute requires seconds instead of minutes. The value 0 indicates that the timeout is disabled.

28

Idle-Timeout

No

Yes

Yes

Integer. Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. Corresponds to the SmartEdge router timeout idle command (in subscriber configuration mode), except that the attribute calls for seconds instead of minutes.

30

Called-Station-Id

Yes

No

No

String. The telephone number that the call came from.

31

Calling-Station-Id

Yes

Yes

No

Dependent on the type of subscriber terminated in the SmartEdge router:


This attribute is not sent unless explicitly enabled through the radius attribute calling-station-id command (in context configuration mode).

32

NAS-Identifier

Yes

Yes

No

String. Value for the system hostname.

33

Proxy_State

No

Yes

No

Binary String. Specifies the state sent by the proxy server.

40

Acct-Status-Type

No

Yes

No

Integer. Values can be:


  • 1=Start

  • 2=Stop

  • 3=Interim-Updated

  • 7=Accounting-On

  • 8=Accounting-Off

  • 9=Tunnel Start

  • 10=Tunnel Stop

  • 12=Link Start

  • 13=Link Stop

  • 15=Reserved for failed

  • 101=Service-Start

  • 102=Service-Stop

  • 103=Service-Interim-Update

41

Acct-Delay-Time

No

Yes

No

Integer. Time, in seconds, for which the client has been trying to send the record.

42

Acct-Input-Octets

No

Yes

No

Integer. Number of octets that have been received from the port over the course of this service being provided. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.

43

Acct-Output-Octets

No

Yes

No

Integer. Number of octets that have been sent to the port in the course of delivering this service. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.

44

Acct-Session-Id

Yes

Yes

No

String. Unique session accounting ID used to match start and stop records in a log file. The start and stop records for a given subscriber session have the same Acct-Session-Id attribute value. The format is cct-handle timestamp.


If service accounting is enabled with VSA 191, this attribute also includes the service accounting identifier, which is the service-name that is defined in VSA 190. The session accounting and service accounting identifiers are separated by a colon (:).


By default, this attribute is sent in Accounting-Request packets. To send this attribute in Access-Request packets, you must use the radius attribute acct-session-id command (in context configuration mode).

45

Acct-Authentic

No

Yes

No

String. Values are RADIUS and local.

46

Acct-Session-Time

No

Yes

No

Integer. Number of seconds for which the user has received service. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.

47

Acct-Input-Packets

No

Yes

No

Integer. Number of packets that have been received from the port over the course of this service being provided to a framed user. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.

48

Acct-Output-Packets

No

Yes

No

Integer. Number of packets that have been sent to the port in the course of delivering this service to a Framed User. Can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Update.

49

Acct-Terminate-Cause

No

Yes

No

Integer. Value represents the cause of session termination. Values are:


  • 1=User request

  • 2=Lost carrier

  • 3=Lost service

  • 4=Idle timeout

  • 5=Session timeout

  • 6=Admin reset

  • 8=Port error

  • 9=NAS error

  • 10=NAS request

  • 15=Service unavailable

  • 17=User error

50

Acct-Multi-Session-Id

No

Yes

No

String. Links multiple related sessions with a unique accounting ID.

52

Acct-Input-Gigawords

No

Yes

No

Integer. Value represents the number of times the Acct-Input-Octets counter has wrapped around 2^32 in the course of providing this service. This attribute can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Interim-Update.

53

Acct-Output-Gigawords

No

Yes

No

Integer. Value represents the number of times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service. This attribute can only be present in Accounting-Request records where the Acct-Status-Type attribute is set to Stop or Interim-Update.

55

Event-Timestamp

No

Yes

No

Integer. Value represents the time this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC.

61

NAS-Port-Type

Yes

Yes

No

Integer. The default value is either 0 or 5, indicating an asynchronous connection through a console port or a connection through a transport protocol, respectively, depending on how the subscriber is connected to its authenticating NAS. The range of values is 0 to 255.


Values 0 to 19 are as follows:


  • 0—async

  • 1—sync

  • 2—ISDN (sync)

  • 3—ISDN (async V120)

  • 4—ISDN (async V110)

  • 5—Virtual

  • 6—PIAFS (wireless ISDN used in Japan)

  • 7—HDLC (clear-channel)

  • 8—X.25

  • 9—X.75

  • 10—G3_Fax (G.3 Fax)

  • 11—SDSL (symmetric DSL)

  • 12—ADSL_CAP (asymmetric DSL, Carrierless Amplitude Phase Modulation)

  • 13—ADSL_DMT (asymmetric DSL, discrete multi-tone)

  • 14—IDSL (ISDN digital subscriber line)

  • 15—Ethernet

  • 16—xDSL (digital subscriber line of unknown type)

  • 17—Cable

  • 18—Wireless (wireless—Other)

  • 19—Wireless_802_11 (wireless—IEEE 802.11)


You can modify the value of this attribute through the radius attribute nas-port-type command (in ATM profile, dot1q profile, link-group, or port configuration mode).

62

Port-Limit

No

Yes

Yes

Integer. Maximum number of sessions a particular subscriber can have active at one time.

64

Tunnel-Type

No

Yes

Yes

Integer. Value indicates the tunneling protocol to be used. The supported value is 3, which indicates the Layer 2 Tunneling Protocol (L2TP).

65

Tunnel-Medium-Type

No

Yes

Yes

Integer. Value represents the transport medium to use when creating an L2TP tunnel for protocols that can operate over multiple transports. The supported value is 1, which indicates IPv4.

66

Tunnel-Client-Endpoint

No

Yes

Yes

String. Fully qualified domain name or IP address of the initiator end of an L2TP tunnel.

67

Tunnel-Server-Endpoint

No

Yes

Yes

String. Fully qualified domain name or IP address of the server end of an L2TP tunnel.

68

Acct-Tunnel-Connection

No

Yes

No

String. Unique accounting ID to easily match start and stop records in a log file for L2TP sessions. The start and stop records for a given session will have the same Acct-Tunnel-Connection attribute value.

69

Tunnel-Password

No

No

Yes

String. Password. Only used in Access-Accept packets.

77

Connect-Info

Yes

Yes

No

String containing either:


  • An ATM, 802.1Q, or Frame Relay profile name sent to the RADIUS server.

  • The values from L2TP attribute-value pairs (AVPs) 24 and 38 in the Tx/Rx format. Speeds are in bits-per-second.

80

Message-Authenticator

Yes

No

Yes

String. Signs access requests to prevent spoofing.

81

Tunnel-Pvt-Grp-ID

Yes

Yes

Yes

String. Indicates the group ID for a particular tunneled session. If the tunnel initiator can pre-determine the group resulting from a particular connection, the Tunnel-Private-Group-ID Attribute may be included in the Access-Request packet and should be included in the Access-Accept packet (if this tunnel session is to be treated as belonging to a particular private group). Private groups may be used to associate a tunneled session with a particular group of users.

82

Tunnel-Assignment-ID

No

Yes

Yes

String. Used to distinguish between different peers with configurations that use the same IP address. If no Tunnel-Client-Endpoint or Tunnel-Server-Endpoint attribute is supplied with this tag, and if the Tunnel-Assignment-ID matches the name of a locally configured peer, the session will be tunneled to that peer.

83

Tunnel-Preference

No

No

Yes

String. If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute should be included in all sets to indicate the preference assigned to each set; the lower the value for a set, the more preferable it is.

85

Acct-Interim-Interval

No

No

Yes

Integer. The Value field indicates the number of seconds between each interim update sent from the NAS for this specific session.


The value must be between 600 and 604,800 seconds (7 days). Any value outside this range logs a message to the system and the value resets to the corresponding minimum or maximum allowed value.


Before you set this value, consider the possible impact to network traffic.

87

NAS-Port-ID

Yes

Yes

No

String. By default, this attribute is sent in RADIUS packets. The default format is: slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id] [pppoe sess-id | clips sess-id].


where slot and port are each 4 bits and tunl-vlan-id and pvc-vlan-id are each 12 bits. The tunl-vlan-id field is 0 if it does not exist.


For example, 4/1 vpi-vci 207 138 pppoe 5.


Use the radius attribute nas-port-id command (in context configuration mode) to specify another format for this attribute.

88

Framed-Pool

No

Yes

Yes

String. Name of the interface or IP pool used to assign an IP pool address to the subscriber. The behavior is identical to vendor VSA 36, IP-Address-Pool-Name.


If both the Framed-Pool and IP-Address-Pool-Name attributes are received in a RADIUS Access-Accept packet, Framed-Pool takes precedence and is applied.

89

CUI

Yes

Yes

Yes

String. Optional. Chargeable User Identity (CUI). Identifies users when they roam outside their home network.

90

Tunnel-Client-Auth-ID

No

Yes

Yes

String. Defines the local hostname provided to remote tunnel peer (used during tunnel setup). The behavior is identical to vendor VSA 16, Tunnel-Local-Name.

91

Tunnel-Server-Auth-ID

No

Yes

Yes

String. Defines an alias for the remote peer name. The value of this attribute must match the value of the hostname AVP that the peer sends in the SCCRQ or SCCRP message (depending on the tunnel initiator).

95

NAS-IPv6-Address

Yes

Yes

No

IP address. Specifies an IPv6 source IP address of the Network Access Server (NAS) in RADIUS Access-Request and Access-Accounting request packets configured using the CLI. These RADIUS packets are sent by the SmartEdge router.


This attribute is not sent unless explicitly enabled through the radius attribute nas-ipv6 address interface <name> command (in context configuration mode).


For more information about NAS and RADIUS, see Configuring RADIUS.

96

Framed-Interface-ID

No

Yes

Yes

64-bit integer. Provides an interface ID for PPP clients that cannot generate their own interface ID. This value is sent in the Access-Response (Access-Accept) message for an IPv6 subscriber. When this value is in the authentication request, the AAA client receives this attribute from the authentication response.

97

Framed-IPv6-Prefix

No

Yes

Yes

Binary. Used for stateless address autoconfiguration. Indicates the Framed-IPv6-Prefix to be assigned to the user.


The Framed-IPv6-Prefix is also sent if the prefixes are applied via a subscriber record.

99

Framed-IPv6-Route

No

Yes

Yes

String. Provides routing information to be configured for the user on the NAS.

123

Delegated-IPv6-Prefix

No

Yes

Yes

Binary. Indicates the IPv6 prefix to be delegated to the subscriber using DHCPv6. This value is sent in Access-Accept and Accounting-Request messages. Multiple instances of this attribute can be present in one RADIUS packet.


The Delegated-IPv6-Prefix is also sent if the prefixes are applied via a subscriber record.

242

Ascend_Data_Filter

No

Yes

Yes

Binary String.

2.2   Standard RADIUS Attributes in CoA and Disconnect Messages

Table 5 lists the standard RADIUS attributes that can appear in CoA-Request, CoA-Response, Disconnect-Request, and Disconnect-Response messages. For details about these standard attributes, see Table 5.

Table 5    Standard RADIUS Attributes in CoA and Disconnect Messages

#    Attribute Name          Sent in CoA Request  Sent in CoA Response  Sent in Disconnect Request  Sent in Disconnect Response
1    User-Name               Yes                  No                    Yes                         No
5    NAS-Port                Yes                  No                    Yes                         No
6    Service-Type            Yes                  Yes(1)                Yes                         Yes(1)
7    Framed-Protocol         Yes                  No                    No                          No
8    Framed-IP-Address       Yes                  No                    Yes                         No
9    Framed-IP-Netmask       Yes                  No                    No                          No
11   Filter-Id               Yes                  No                    No                          No
12   Framed-MTU              Yes                  No                    No                          No
18   Reply-Message           Yes                  No                    Yes                         No
22   Framed-Route            Yes                  No                    No                          No
24   State                   Yes                  Yes                   Yes                         Yes
25   Class                   Yes                  No                    Yes                         No
26   Vendor-Specific         Yes                  No                    Yes                         No
27   Session-Timeout         Yes                  No                    No                          No
28   Idle-Timeout            Yes                  No                    No                          No
30   Called-Station-Id       Yes                  No                    Yes                         No
31   Calling-Station-Id      Yes                  No                    Yes                         No
32   NAS-Identifier          Yes                  No                    Yes                         No
33   Proxy_State             Yes                  Yes                   Yes                         Yes
44   Acct-Session-Id         Yes                  No                    Yes                         No
50   Acct-Multi-Session-Id   Yes                  No                    Yes                         No
55   Event-Timestamp         Yes                  Yes                   Yes                         Yes
61   NAS-Port-Type           Yes                  No                    Yes                         No
62   Port-Limit              Yes                  No                    No                          No
64   Tunnel-Type             Yes                  No                    No                          No
65   Tunnel-Medium-Type      Yes                  No                    No                          No
66   Tunnel-Client-Endpoint  Yes                  No                    No                          No
67   Tunnel-Server-Endpoint  Yes                  No                    No                          No
69   Tunnel-Password         Yes                  No                    No                          No
81   Tunnel_Pvt_Grp_ID       Yes                  Yes                   Yes
82   Tunnel-Assignment-ID    Yes                  No                    No                          No
83   Tunnel-Preference       Yes                  No                    No                          No
85   Acct_Interim_Interval   Yes                  No                    No                          No
87   NAS-Port-Id             Yes                  No                    Yes                         No
90   Tunnel-Client-Auth-ID   Yes                  No                    No                          No
91   Tunnel-Server-Auth-ID   Yes                  No                    No                          No
95   NAS-IPv6-Address        No                   No                    No                          No
96   Framed-Interface-Id     No                   No                    No                          No
97   Framed-IPv6-Prefix      No                   No                    No                          No
99   Framed-IPv6-Route       No                   No                    No                          No
101  Error-Cause             No                   Yes(1)                No                          Yes
123  Delegated-IPv6-Prefix   No                   No                    No                          No
242  Ascend_Data_Filter      Yes                  No                    No                          No

(1)  Sent in NAK message only.


2.3   Standard RADIUS Attributes That Can Be Reauthorized

Table 6 lists the standard RADIUS attributes that are reauthorized when you enter the reauthorize command (in exec mode).

Table 6    Standard RADIUS Attributes Supported by Reauthorization

#    Attribute Name         Description
11   Filter-Id              Filters inbound or outbound traffic through an access control list (ACL).
25   Class                  Forwards the information sent by the RADIUS server to the SmartEdge router, without interpretation, in subsequent accounting messages to the RADIUS accounting server for that subscriber session.
26   Vendor_Specific        Allows Redback Networks to support its own VSAs.
27   Session-Timeout        Sets the in-service time allowed before the session terminates.
28   Idle-Timeout           Sets the idle time allowed before the session terminates.
85   Acct_Interim_Interval  Sets the value to an integer.
242  Ascend_Data_Filter     Allows multiple values.

3   Vendor VSAs Provided by Ericsson AB

Vendor VSAs appear in the various types of RADIUS messages as described in the following sections.

3.1   Standard Attributes in Access-Accept and Accounting Messages

Table 7 lists the vendor VSAs that are supported by the SmartEdge router and can appear in Access-Request, Account-Request, and Access-Response messages.

Table 7    Vendor VSAs Supported

#

VSA Name

Sent in Access-Request

Sent in Acct-Request

Received in Access-Response

Notes

1

Client-DNS-Pri

No

Yes

Yes

IP address of the primary DNS server for this subscriber’s connection.

2

Client-DNS-Sec

No

Yes

Yes

IP address of the secondary DNS server for this subscriber’s connection.

3

DHCP-Max-Leases

No

Yes

Yes

Integer. Maximum number of DHCP addresses this subscriber can allocate to hosts. The range of values is 1 to 255.

4

Context-Name

No

Yes

Yes

Binds the subscriber session to specified context, overriding the structured username. This information is only interpreted when global AAA is enabled.

5

Bridge-Group

No

No

Yes

String. Bridge group name; attaches subscriber to the named bridge group.

6

BG-Aging-Time

No

No

Yes

String. bg-name:val; configures bridge aging time for subscriber attaching to the named bridge group.

7

BG-Path-Cost

No

No

Yes

String. bg-name:val; configures bridge path cost for subscriber attaching to the named bridge group.

8

BG-Span-Dis

No

No

Yes

String. bg-name:val; disables spanning tree for subscriber attaching to the named bridge group.


The val argument can have the following values:


  • 1 = TRUE

  • 2 = FALSE

9

BG-Trans-BPDU

No

No

Yes

String. bg-name:val; sends transparent spanning tree bridge protocol data units (BPDUs) for a subscriber attaching to the named bridge group.


The val argument can have the following values:


  • 1 = TRUE

  • 2 = FALSE

14

Source-Validation

No

Yes

Yes

Integer. Enables source validation for subscriber, according to one of the following values:


  • 1=TRUE

  • 0=FALSE

15

Tunnel-Domain

No

No

Yes

Integer. Binds the subscriber to a tunnel based on the domain name portion of the username, according to one of the following values:


  • 1=TRUE

  • 0=FALSE

16

Tunnel-Local-Name

No

No

Yes

String. Defines the local hostname provided to the remote peer during tunnel setup.

17

Tunnel-Remote-Name

No

No

Yes

String. Defines an alias for the remote peer name.

18

Tunnel-Function

No

Yes

Yes

Integer. Determines this tunnel configuration as a LAC-only endpoint or an LNS endpoint, according to one of the following values:


  • 1=LAC only

  • 2=LNS only

19

Tunnel_Flow_Control

Yes

Yes

No

Integer.

20

Tunnel_Static

     

Integer.

21

Tunnel-Max-Sessions

No

Yes

Yes

Integer. Limits the number of sessions per tunnel using this tunnel configuration.

22

Tunnel-Max-Tunnels

No

Yes

Yes

Integer. Limits the number of tunnels that can be initiated using this tunnel configuration.

23

Tunnel-Session-Auth

No

No

Yes

Integer. Specifies the authentication method to use during PPP authentication, according to one of the following values:


  • 1=CHAP

  • 2=PAP

  • 3=CHAP-PAP

24

Tunnel-Window

No

No

Yes

Integer. Configures the receive window size for incoming L2TP messages.

25

Tunnel-Retransmit

No

No

Yes

Integer. Specifies the number of times the SmartEdge router retransmits a control message.

26

Tunnel-Cmd-Timeout

No

No

Yes

Integer. Specifies the number of seconds for the timeout interval between control message retransmissions.

27

PPPOE-URL

No

Yes

Yes

String in PPPoE URL format. Defines the PPPoE URL that is sent to the remote PPPoE client via the PADM packet.

28

PPPOE-MOTM

No

Yes

Yes

String. Defines the PPPoE MOTM message that is sent to the remote PPPoE client via the PADM packet.

29

Tunnel-Group

No

Yes

Yes

Integer. Indicates whether this record is a tunnel group with a list of member peers:


  • 1 = TRUE

  • 0 = FALSE

30

Tunnel-Context

No

Yes

Yes

String. Context name. Used in a DNIS peer record, this attribute specifies the context where the named peer should be found.

31

Tunnel-Algorithm

No

No

Yes

Integer. Specifies the session distribution algorithm used to choose between the peer configurations in the RADIUS response. This VSA instructs the SmartEdge router on how to interpret standard RADIUS attribute 83, Tunnel-Preference, according to one of the following values:


  • 1=Priority

  • 2=Load-Balance

  • 3=Weighted round-robin

32

Tunnel-Deadtime

No

No

Yes

Integer. Specifies the number of minutes during which no sessions are attempted to an L2TP peer when the peer is down.

33

Mcast-Send

No

Yes

Yes

Integer. Defines whether the subscriber can send multicast packets, according to one of the following values:


  • 1=NO SEND

  • 2=SEND

  • 3=UNSOLICITED SEND

34

Mcast-Receive

No

Yes

Yes

Integer. Defines whether the subscriber can receive multicast packets, according to one of the following values:


  • 1=NO RECEIVE

  • 2=RECEIVE

35

Mcast-MaxGroups

No

Yes

Yes

Integer. Specifies the maximum number of multicast groups of which the subscriber can be a member.

36

Ip-Address-Pool-Name

No

Yes

Yes

String. Name of the interface or IP pool used to assign an IP pool address to the subscriber.

37

Tunnel-DNIS

No

Yes

Yes

Integer. L2TP peer parameter specifying whether incoming sessions from this peer are switched based on the incoming DNIS AVP if it is present, or based on the incoming DNIS AVP only (the session is terminated if no DNIS AVP is present):


  • 1 = DNIS

  • 2 = DNIS ONLY

38

Medium-Type

Yes

Yes

No

Integer. Contains the medium type of the circuit. The system sets this value to DSL for CLIPS and PPP subscribers.

39

PVC-Encapsulation-Type

No

No

Yes

Integer. Encapsulation type to be applied to the circuit:


  • 2 = Routed 1483

  • 4 = ATM multi

  • 5 = Bridged 1483

  • 6 = ATM PPP

  • 7 = ATM PPP serial

  • 8 = ATM PPP NLPID

  • 9 = ATM PPP auto

  • 10 = ATM PPPoE

  • 12 = ATM PPP LLC

  • 22 = Ethernet IPoE

  • 23 = Ethernet PPPoE

  • 24 = Ethernet dot1q

  • 26 = Ethernet dot1q pppoe

  • 31 = Ethernet dot1q tunnel pppoe

  • 32 = Ethernet dot1q multi

  • 33 = Ethernet dot1q tunnel multi

40

PVC-Profile-Name

No

No

Yes

String. Name of the ATM profile that is assigned to the subscriber record, a named profile, or the default profile, using the shaping profile command (in subscriber configuration mode), to use for this circuit.

42

Bind-Type

No

No

Yes

Integer. Binding type to be applied to this circuit:


  • 1 = authentication

  • 3 = interface

  • 4 = subscriber

  • 14 = autosubscriber

CCOD (circuit creation on demand) circuits support only subscriber bind types.

43

Bind-Auth-Protocol

No

No

Yes

Integer. Authentication protocol to use for this circuit:


  • 1 = PAP

  • 2 = CHAP

  • 4 = CHAP PAP

  • 5 = AAA-PPP-CHAP-WAIT-PAP

  • 7 = PAP CHAP

44

Bind-Auth-Max-Sessions

No

No

Yes

Integer. Maximum number of PPPoE sessions allowed to be created for this circuit. Also specifies the same for PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

45

Bind-Bypass-Bypass

No

No

Yes

String. Name of the bypass being bound.

46

Bind-Auth-Context

No

No

Yes

String. Bind authentication context name. Also specifies the same for PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

47

Bind-Auth-Service-Grp

No

No

Yes

String. Bind authentication service group name. Also specifies the same for PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

48

Bind-Bypass-Context

No

No

Yes

String. Bind bypass context name.

49

Bind-Int-Context

No

No

Yes

String. Bind interface context name. Also specifies the same for IP bridging sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

50

Bind-Tun-Context

No

No

Yes

String. Bind tunnel context name.

51

Bind-Ses-Context

No

No

Yes

String. Bind session context name.

52

Bind-Dot1q-Slot

No

No

Yes

Integer. Bind 802.1Q slot number.

53

Bind-Dot1q-Port

No

No

Yes

Integer. Bind 802.1Q port number.

54

Bind-Dot1q-Vlan-Tag-Id

No

No

Yes

Integer. Bind 802.1Q VLAN tag ID.

55

Bind-Int-Interface-Name

No

No

Yes

String. Bind interface name. Also specifies the same for IP bridging sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

56

Bind-L2TP-Tunnel-Name

No

No

Yes

String. Bind L2TP tunnel name.

57

Bind-L2TP-Flow-Control

No

No

Yes

Integer. Bind L2TP flow control.

58

Bind-Sub-User-At-Context

No

No

Yes

String. Bind subscriber context name.

59

Bind-Sub-Password

No

No

Yes

String. Bind subscriber password.

60

Ip-Host-Addr

No

No

Yes

String in the form A.B.C.D hh:hh:hh:hh:hh:hh.


IP host address and MAC address. A space must separate the IP address from the MAC address.

61

Ip_Tos_Field

No

No

Yes

Integer. Specifies the value of the IP ToS field. Used for soft QoS:


  • 0 = normal

  • 1 = min-cost only

  • 2 = max-reliability only

  • 3 = max-reliability plus min-cost

  • 4 = max-throughput only

  • 5 = max-throughput plus min-cost

  • 6 = max-throughput plus max-reliability

  • 7 = max-throughput plus max-reliability plus min-cost

  • 8 = min-delay only

  • 9 = min-delay plus min-cost

  • 10 = min-delay plus max-reliability

  • 11 = min-delay plus max-reliability plus min-cost

  • 12 = min-delay plus max-throughput

  • 13 = min-delay plus max-throughput plus min-cost

  • 14 = min-delay plus max-throughput plus max-reliability

  • 15 = min-delay plus max-throughput plus max-reliability plus min-cost

62

NAS-Real-Port

Yes

Yes

No

Integer. Indicates the port number of the physical circuit on which the session was received. The format (in bits) is:


SSSSPPPPCCCCCCCCCCCCCCCCCCCCCCCC


where:


  • S = Slot

  • P = Port

  • C = Circuit (for ATM, 8 bits of VPI and 16 bits of VCI)

63

Tunnel-Session-Auth-Ctx

No

Yes

Yes

String. L2TP peer parameter that specifies the name of the context in which all incoming PPP over L2TP sessions should be authenticated, regardless of the domain specified in the username.

64

Tunnel-Session-Auth-Service-Grp

No

Yes

Yes

String. L2TP peer parameter specifying the service group (service access control list [ACL]) to be used for all incoming PPP over L2TP sessions.

65

Tunnel-Rate-Limit-Rate

No

Yes

Yes

4-byte integer. L2TP or GRE peer parameter specifying the rate-limit rate for a tunnel in kbps. Valid range of values is 10 to 1,250,000 kbps. If this parameter is configured, the Tunnel-Rate-Limit-Burst must also be configured.

66

Tunnel-Rate-Limit-Burst

No

Yes

Yes

4-byte integer. L2TP or GRE peer parameter specifying the rate-limit burst for a tunnel in bytes. Valid range of values is 0 to 1,562,500,000 bytes. If this parameter is configured, the Tunnel-Rate-Limit-Rate must also be configured.

67

Tunnel-Police-Rate

No

Yes

Yes

4-byte integer. L2TP or GRE peer parameter specifying the policing rate for a tunnel in kbps. Valid range of values is 10 to 1,250,000 kbps. If this parameter is configured, the Tunnel-Police-Burst must also be configured.

68

Tunnel-Police-Burst

No

Yes

Yes

4-byte integer. L2TP or GRE peer parameter specifying the policing burst for a tunnel in bytes. Valid range of values is 0 to 1,562,500,000 bytes. If this parameter is configured, the Tunnel-Police-Rate must also be configured.

69

Tunnel-L2F-Second-Password

No

Yes

Yes

String. L2F peer parameter specifying the password string used to authenticate the L2F remote peer. (1)

70

ACL-Definition

No

Yes

Yes

String. Used to define ACL definitions in the RADIUS database. The ACL-Name attribute is the username and the Service-Type attribute must be set to Access-Control-List. The data content of this attribute contains ACL definitions similar to the SmartEdge router command-line interface (CLI).

71

PPPoE-IP-Route-Add

No

Yes

Yes

String. Populates the PPPoE subscriber routing table by specifying which routes are installed when multiple PPPoE sessions exist. A more granular set of routes can be achieved when multiple sessions are active to the client. The format is h.h.h.h nn g.g.g.g m where:


  • h.h.h.h=IP address of destination host or network.

  • nn=optional netmask size in bits (if not present, defaults to 32).

  • g.g.g.g=IP address of gateway.

  • m=Number of hops for this route.


If the first byte of VSA 71 is 121 (classless static route), then this VSA is used to handle the DHCP option 121.

72

TTY-Level-Start

No

No

Yes

Integer. Indicates the starting privilege level for the administrator. The range of values is 0 to 15 and the value must be less than or equal to the value of TTY-Level-Max.

73

TTY-Level-Max

No

No

Yes

Integer. Indicates the maximum privilege level for the administrator. The range of values is 0 to 15, and the value must be greater than or equal to the value of TTY-Level-Start.

74

Tunnel-Checksum

No

Yes

Yes

Integer. Enables GRE checksums. When enabled, a checksum is computed for each outgoing GRE packet. This allows the remote system to verify the integrity of each packet. Incoming packets that fail the checksum are discarded. A value of 1 equals enabled. Any other value for this attribute equals disabled.

75

Tunnel-Profile

No

No

Yes

String. Attaches a profile to the tunnel. Used when configuring a tunnel from a RADIUS server. A Tunnel-Profile attribute in a subscriber record is ignored.

78

Tunnel-Client-VPN

No

Yes

Yes

String. Name of the target context (a virtual private network [VPN]) on the client side of the tunnel. Required for GRE. If omitted, the system automatically sets the value equal to the value set for the Tunnel-Server-VPN attribute.

79

Tunnel-Server-VPN

No

Yes

Yes

String. Name of the target context (VPN) on the server side of the tunnel.

85

Tunnel-Hello-Timer

No

No

Yes

Integer. Hello timer (in seconds) representing the time the tunnel is silent before it transmits a hello message. It is configured using the hello-timer command (in L2TP peer configuration mode).

86

Redback-Reason

No

Yes

No

Integer. If the NetOp Policy Manager (PM) sends the SmartEdge router (through SNMP) a non-zero clear reason while trying to clear (bounce) the subscriber session, this clear reason value is sent to the RADIUS server in the RADIUS accounting Stop packet in this VSA.

87

Qos_Policing

No

Yes

Yes

String. Attaches a QoS policing policy to the subscriber session.

88

Qos_Metering

No

Yes

Yes

String. Attaches a QoS metering policy to the subscriber session.

89

Qos_Queuing

No

Yes

Yes

String. Attaches a QoS queuing policy of any type supported by the circuit to the subscriber session.

90

Igmp_Svc_Prof_Id

No

Yes

Yes

String. Name of the IGMP service profile that is applied to the subscriber session.

91

Sub_Profile_Name

No

Yes

Yes

Name of the subscriber profile that is applied to the subscriber session.

92

Forward-Policy

No

Yes

Yes

String. Attaches an in or out forward policy to the subscriber session. The forward policy is in the following format:


in:forward-policy-name


out:forward-policy-name

94

Reauth-String

No

No

Yes

String. The format is: ID-type;subID;attr-num;attr-value;attr-num;attr-value...


When the ID-type is 1, the subID is read as a RADIUS accounting session ID. When the ID-type is 2, the subID is read as a name.


The semicolon (;) acts as a delimiter. Attr-num is an integer that identifies a RADIUS attribute, for example, standard RADIUS attribute 11 (Filter-Id) for an access control list (ACL) or vendor VSA 87 (Qos_Policing) for a QoS policing policy. (Vendor VSAs include the Redback prefix, 2352.) Attr-value is the value of the RADIUS attribute specified by attr-num.

95

Reauth-More

No

No

Yes

Integer. 0 or 1 (False or True).

96

Agent-Remote-Id

Yes

Yes

No

String. Used for two types of subscriber sessions:


  • Incoming CLIPS sessions to the SmartEdge router from a DHCP relay network. This is suboption 2 in a DHCP option 82 packet.

  • PPPoE sessions. Sent by the PPP client in the PADR.


This attribute can also be set through the radius attribute calling-station-id and radius attribute nas-port-id commands in context configuration mode.

97

Agent-Circuit-Id

Yes

Yes

No

String. Used for two types of subscriber sessions:


  • CLIPS sessions coming into the SmartEdge router via a DHCP relay network. This is suboption 1 in a DHCP option 82 packet.

  • PPPoE sessions. Sent by the PPP client in the PADR.


This attribute can also be set through the radius attribute calling-station-id and radius attribute nas-port-id commands in context configuration mode.

98

Platform-Type

Yes

Yes

No

Integer. Indicates the Redback product family from which the RADIUS access request is sent. The supported values are:


  • 2=PLATFORM_TYPE_SE800

  • 3=PLATFORM_TYPE_SE400

99

Client_NBNS_Pri

No

Yes

Yes

IP address. Configures the IP address of a primary NetBios Name Server (NBNS) that the subscriber must use.

100

Client_NBNS_Sec

No

Yes

Yes

IP address. Configures the IP address of a secondary NBNS that the subscriber must use.

101

Shaping-Profile-Name

No

Yes

Yes

String. Name of the ATM shaping profile.

104

IP-Interface-Name

No

Yes

Yes

String. Interface name. Binds a subscriber to the specified interface. This VSA is used in conjunction with VSA 3, DHCP-Max-Leases.


This attribute can also be set through the ip interface name command (in subscriber configuration mode).

105

NAT-Policy-Name

No

Yes

Yes

String. NAT policy name. Attaches the specified NAT policy to a subscriber.

107

HTTP-Redirect-Profile-Name

No

Yes (alive/ and stop records only)

Yes

String of up to 32 characters. HTTP redirect profile name.

108

Bind-Auto-Sub-User

No

No

Yes

String. Subscriber name prefix as specified by the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). The prefix is included in the automatically generated subscriber name. For more information about this command and the format for the automatically generated subscriber name, see Configuring Bindings.

109

Bind-Auto-Sub-Context

No

No

Yes

String. Name of context in which the subscriber is bound with the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). For more information about this command, see Configuring Bindings.

110

Bind-Auto-Sub-Password

No

No

Yes

String. Password prefix as specified by the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). The prefix is included in the automatically generated subscriber password. For more information about this command and the format for the automatically generated subscriber password, see Configuring Bindings.

111

Circuit-Protocol-Encap

No

Yes

Yes

Integer. Circuit encapsulation for CCOD child circuit. The following are the supported values:


  • 27 = PPPoE encapsulation

  • 34 = PPPoE multiencapsulation

  • 35 = PPPoE tunnel multiencapsulation

112

OS-Version

Yes

Yes

No

String. Software version number.

113

Session-Traffic-Limit

No

Yes

Yes

String. Specifies that inbound, outbound, or aggregated traffic be limited. Use the in: limit, out: limit or aggregate: limit format, where limits are in kilobytes (KB). The limit values set for inbound and outbound traffic are independent of each other. The limit value set for aggregate traffic is the total sum of both inbound and outbound traffic.


When configuring Session-Traffic-Limit, you can configure the limit for either of these options:


  • Inbound traffic, outbound traffic, or both

  • Aggregate traffic


You cannot configure a limit for aggregate traffic together with a limit for inbound or outbound traffic.

114

QoS-Reference

No

Yes

Yes

String. Specifies the node name, the node-name index, the group name, and the group-name index. A colon (:) separates the node-name index from the group name.

125

DHCP-Vendor-Class-Id

Yes

Yes

No

String. DHCP option 60 value.

127

DHCP-Vendor-Encap-Options

No

Yes

Yes

String. DHCP option 43 values. The format is:


code:value:code:value


where:


  • code = DHCP vendor-encapsulation option number

  • value = option data in one of the following formats:
    IP address type = dot notation
    Number = decimal integer
    ASCII string = ASCII characters without quotation marks
    Binary string = Hex values of bytes separated by commas (“,”)


For descriptions of the vendor-encapsulated options found in RFC 2132, DHCP Options and BOOTP Vendor Extension, see the tables in the option command.

128

Acct-Input-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Input-Octets standard attribute per RFC 2139.

129

Acct-Output-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Output-Octets standard attribute per RFC 2139.

130

Acct-Input-Packets-64

No

Yes

No

Integer. 64-bit value for the Acct-Input-Packets standard attribute per RFC 2139.

131

Acct-Output-Packets-64

No

Yes

No

Integer. 64-bit value for Acct-Output-Packets attribute per RFC 2139.

132

Assigned-IP-Address

No

Yes

No

IP address. Reports IP addresses assigned to a subscriber via IP pools or DHCP.

133

Acct-Mcast-In-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-In-Octets attribute.

134

Acct-Mcast-Out-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-Out-Octets attribute.

135

Acct-Mcast-In-Packets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-In-Packets attribute.

136

Acct-Mcast-Out-Packets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-Out-Packets attribute.

137

LAC-Port

Yes

Yes

No

Integer. Contains the circuit handle for the incoming session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only. The circuit can be virtual for a PPPoE session.

138

LAC-Real-Port

Yes

Yes

No

Integer. Contains the circuit handle for the real circuit of an incoming PPPoE session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only.

139

LAC-Port-Type

Yes

Yes

No

Integer. Contains the port type for the incoming session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only. The port can be virtual for a PPPoE session. Values for port types are:


  • 40 = NAS_PORT_TYPE_10BT

  • 41 = NAS_PORT_TYPE_100BT

  • 42 = NAS_PORT_TYPE_DS3_FR

  • 43 = NAS_PORT_TYPE_DS3_ATM

  • 44 = NAS_PORT_TYPE_OC3

  • 45 = NAS_PORT_TYPE_HSSI

  • 46 = NAS_PORT_TYPE_EIA530

  • 47 = NAS_PORT_TYPE_T1

  • 48 = NAS_PORT_TYPE_CHAN_T3

  • 49 = NAS_PORT_TYPE_DS1_FR

  • 50 = NAS_PORT_TYPE_E3_ATM

  • 51 = NAS_PORT_TYPE_IMA_ATM

  • 52 = NAS_PORT_TYPE_DS3_ATM_2

  • 53 = NAS_PORT_TYPE_OC3_ATM_2

  • 54 = NAS_PORT_TYPE_1000BSX

  • 55 = NAS_PORT_TYPE_E1_FR

  • 56 = NAS_PORT_TYPE_E1_ATM

  • 57 = NAS_PORT_TYPE_E3_FR

  • 58 = NAS_PORT_TYPE_OC3_POS

  • 59 = NAS_PORT_TYPE_OC12_POS

  • 60 = NAS_PORT_TYPE_PPPOE

140

LAC-Real-Port-Type

Yes

Yes

No

Integer. Contains the port type for the real circuit of an incoming PPPoE session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only.


See VSA 139 for port-type values.

141

Acct-Dyn-Ac-Ent

No

Yes

No

String. Used for dynamic redirect ACLs. Specifies that when a watch access entry is triggered, an accounting update is generated.


Format for the accounting entry is:


status:direction:access-entry:byte-count:packet-count:


  • status = ON or OFF. The status is ON when the dynamic access entry is triggered and OFF when the dynamic access entry expires.

  • direction = IN or OUT. Flow of traffic in which the ACL was applied. Direction is IN for subscriber traffic destined for the SMS device and OUT for traffic destined to the subscriber.

  • access-entry = Triggered dynamic access entry that caused the update to be generated.

  • byte-count = Number of bytes that have passed through the dynamic access entry since it was triggered.

  • packet-count = Number of packets that have passed through the dynamic access entry since it was triggered.

142

Session-Error-Code

No

Yes

No

Integer. 32 bits. Stop record only. Communicates specific error code information between Redback devices.

143

Session-Error-Msg

No

Yes

No

String. Stop record only. Describes how the session terminated.

144

Acct_Reason

No

Yes

No

Integer. Reason code describing why the SmartEdge router generated an accounting packet for a particular subscriber to RADIUS. Reason code values are:


  • 1 = AAA_LOAD_ACCT_SESSION_UP

  • 2 = AAA_LOAD_ACCT_SESSION_DOWN

  • 3 = AAA_LOAD_ACCT_PERIODIC

  • 16 = AAA_LOAD_ACCT_VOLUME_INGRESS_EXCEEDED

  • 17 = AAA_LOAD_ACCT_VOLUME_EGRESS_EXCEEDED

  • 18 = AAA_LOAD_ACCT_IDLE_TIMEOUT

  • 19 = AAA_LOAD_ACCT_TIME_EXCEEDED

145

Mac-Addr

Yes

Yes

No

String. MAC address. The format is 17 octets in hex. The MAC address is sent for all subscriber PPPoE sessions. Supported media includes ATM PVCs, 802.1Q PVCs (tagged or untagged VLANs), and Ethernet ports.

147

Acct-Mcast-In-Octets

No

Yes

No

Integer. Number of inbound multicast octets.

148

Acct-Mcast-Out-Octets

No

Yes

No

Integer. Number of outbound multicast octets.

149

Acct-Mcast-In-Packets

No

Yes

No

Integer. Number of inbound multicast packets.

150

Acct-Mcast-Out-Packets

No

Yes

No

Integer. Number of outbound multicast packets.

151

Reauth-Session-Id

No

No

Yes

String. Identifies the reauthorize session request. The value in this attribute is a string of attributes and values for the identified subscriber.

156

Qos-Rate-Inbound

No

Yes

Yes

String. Changes the inbound QoS rate. The format is rate:burst:excess-burst; changing the burst and excess-burst values is optional.

157

Qos-Rate-Outbound

No

Yes

Yes

String. Changes the outbound QoS rate. The format is rate:burst:excess-burst; changing the burst and excess-burst values is optional.

158

Route-Tag

No

Yes

Yes

Integer. Assigns a route tag to the subscriber’s IP address (Framed-IP-Route), as well as the subscriber’s route statements (Framed-IP-Route).

164

Dynamic-Policy-Filter

No

Yes

Yes

String. The string consists of a set of ASCII tokens separated by one or more spaces. No other characters are allowed. The tokens are shown in a syntax statement in Section 3.5, along with descriptions of the keywords and arguments in the syntax table.

165

HTTP-Redirect-URL

No

Yes

Yes

String. URL to which the SmartEdge router redirects HTTP requests.

166

DSL-Actual-Rate-Up

Yes

Yes

No

Integer 32-bit value. The actual DSL rate in the upstream direction.

167

DSL-Actual-Rate-Down

Yes

Yes

No

Integer 32-bit value. The actual DSL rate in the downstream direction.

168

DSL-Min-Rate-Up

Yes

Yes

No

Integer 32-bit value. The minimum DSL rate in the upstream direction.

169

DSL-Min-Rate-Down

Yes

Yes

No

Integer 32-bit value. The minimum DSL rate in the downstream direction.

170

DSL-Attainable-Rate-Up

Yes

Yes

No

Integer 32-bit value. The attainable DSL rate in the upstream direction.

171

DSL-Attainable-Rate-Down

Yes

Yes

No

Integer 32-bit value. The attainable DSL rate in the downstream direction.

172

DSL-Max-Rate-Up

Yes

Yes

No

Integer 32-bit value. The maximum DSL rate in the upstream direction.

173

DSL-Max-Rate-Down

Yes

Yes

No

Integer 32-bit value. The maximum DSL rate in the downstream direction.

174

DSL-Min-Low-Power-Rate-Up

Yes

Yes

No

Integer 32-bit value. The DSL minimum low power rate in the upstream direction.

175

DSL-Min-Low-Power-Rate-Down

Yes

Yes

No

Integer 32-bit value. The DSL minimum low power rate in the downstream direction.

176

DSL-Max-Inter-Delay-Up

Yes

Yes

No

Integer 32-bit value. The maximum DSL interleaving delay in the upstream direction.

177

DSL-Actual-Inter-Delay-Up

Yes

Yes

No

Integer 32-bit value. The actual DSL interleaving delay in the upstream direction.

178

DSL-Max-Inter-Delay-Down

Yes

Yes

No

Integer 32-bit value. The maximum DSL interleaving delay in the downstream direction.

179

DSL-Actual-Inter-Delay-Down

Yes

Yes

No

Integer 32-bit value. The actual DSL interleaving delay in the downstream direction.

180

DSL-Line-State

Yes

Yes

No

Integer 32-bit value. The DSL port state:


  • 1 = SHOWTIME

  • 2 = IDLE

  • 3 = SILENT

181

DSL-L2-Encapsulation

Yes

Yes

No

Integer 32-bit value. The DSL data link protocol and data link encapsulation:


Data link byte:


  • 0 = ATM AAL5

  • 1 = ETHERNET


Encapsulation byte 1:


  • 1 = Untagged

  • 2 = Ethernet


Encapsulation byte 2:


  • 0 = NA

  • 1 = PPPoA LLC

  • 2 = PPPoA NULL

  • 3 = IPoA LLC

  • 4 = IPoA NULL

  • 5 = Ethernet over AAL5 LLC with FCS

  • 6 = Ethernet over AAL5 LLC without FCS

  • 7 = Ethernet over AAL5 NULL with FCS

  • 8 = Ethernet over AAL5 NULL without FCS

182

DSL-Transmission-System

Yes

Yes

No

Integer 32-bit value. The DSL access-loop type of transmission system:


  • 1 = ADSL1

  • 2 = ADSL2

  • 3 = ADSL2+

  • 4 = VDSL1

  • 5 = VDSL2

  • 6 = SDSL

  • 7 = UNKNOWN

183

DSL-PPPOA-PPPOE-Inter-Work-Flag

Yes

Yes

No

Integer. PPPoA-to-PPPoE interworking flag.

184

DSL-combined-Line-Info

Yes

Yes

No

String. The value of the TLV described in GSMP Extensions for Layer 2 Control (L2C) Topology Discovery and Line Configuration, section 5.4.1, “Topology Discovery.”

185

DSL-Actual-Rate-Down-Factor

Yes

Yes

No

Integer. The rate that can be learned from the DSLAM or from a PPPoE or DHCP tag, depending on the configuration of the access-line rate command (in subscriber configuration mode).

189

Flow_FAC_Profile

No

Yes

No

String. Specifies the name of a Flow Admission-Control profile. This attribute is used to apply flow on the circuit of the configured subscriber. The Flow_FAC_Profile attribute can only be configured under subscriber profile.

190

Service-Name

No

Yes

Yes

String. The name of the service to be activated, together with the following optional fields:


  • :service id—Used when there is more than one instance of the same service.

  • service-parameter—Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. You can also specify service parameters in VSA 192. See VSA 192 for formatting details.

191

Service-Options

No

No

Yes

Integer. Specifies whether accounting is enabled for service management:


  • ACCT-DISABLED = 0x00

  • ACCT-ENABLED = 0x01

192

Service-Parameter

No

Yes

Yes

String. Service parameters for a service that is specified in VSA 190, formatted as name-value pairs. Names and values are separated by an equal sign (=) with no spaces around it. Pairs are separated by spaces. If a parameter needs an array, the values in the array are separated by commas (,) with no space between the value and the comma. If the value is a string that includes either spaces or commas, enclose the string in double quotes (“).

193

Service-Error-Cause

No

Yes

No

Integer. Specifies a service management error according to one of the following values:


  • 0 = Service success

  • 401 = Unsupported attribute

  • 402 = Missing attribute

  • 404 = Invalid request

  • 506 = Resource unavailable

  • 550 = Generic service error

  • 551 = Service not found

  • 552 = Service already active

  • 553 = Service accounting disabled

  • 554 = Service duplicate parameter


If the RADIUS server does not support this VSA, the 550, 551, 552, 553, and 554 error codes can be mapped to the standard Error-Cause attribute 550 (other proxy processing error).

194

Deactivate-Service-Name

No

No

No

String. The service profile name of the service to be deactivated together with the following optional fields:


  • :service id—Used when there is more than one instance of the same service.

  • service-parameter—Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces.

195

QoS-Overhead

No

Yes

Yes

String. Attaches a QoS overhead profile to the subscriber session. If the overhead profile is defined in the RADIUS record of the subscriber, the subscriber has the specified overhead profile when the subscriber session comes up.

196

Dynamic-QoS-Param

No

No

Yes

String. The format varies by QoS parameter. For more information, see Section 3.6.


Zero or more Dynamic-QoS-Param VSAs can be sent in an Access-Accept or CoA-Request packet to the SmartEdge router.

199

Double_Authentication

No

No

Yes

Integer. The integer value is 1. Indicates that the session needs one more authentication. It is valid only if it is received from a global access response.

201

DHCP-Field

Yes

Yes

No

Binary. Identifies a standard DHCP client field.


This generic VSA is used to identify standard DHCP client fields that must be sent in RADIUS authentication or accounting requests. To distinguish each supported DHCP client field, a unique dhcp-sub-field field is used within this VSA to indicate a specific value that corresponds to a specific DHCP client field. Currently, this VSA supports only dhcp-sub-field field of type 1, the giaddr or gateway address field. A RADIUS server uses the gateway address field to provide static routes to clients based on this address.

202

DHCP-Option

Yes

Yes

No

Binary. Identifies a DHCP client option.


This VSA is a generic VSA, which is used to identify various supported DHCP client options that must be sent in RADIUS authentication or accounting requests. To distinguish each supported DHCP client option, a unique dhcp-sub-type field is used within this VSA to indicate a specific value that corresponds to a specific DHCP option. Currently, this VSA supports DHCP options 12 (hostname), 61 (client identifier), and 77 (user class).

203

Security-Service

No

Yes

Yes

String configured in RADIUS. Specifies an ASE security profile. Optionally specifies a preshared key using the following format: Security-Service="ike preshared-key hex hex-value | ASCII-value". The IKE preshared key is only received in an Acct-Response message; it is never sent in an Access-Request or Acct-Request message.


The ASE DPI traffic management policy name is received in the Access-Request and sent in the Acct-Request in the format Security-Service="dpi traffic-management policy policy-name".


To enable DPI security service for a subscriber at a later point, either through CoA or reauthorization, configure RADIUS to send the Access-Accept message at initial subscriber logon with the following format: Security-Service="dpi traffic-management enable-coa".

204

Reauth-Service-Name

No

No

No

String. The name of the service to be reauthorized, together with the optional field of service-parameter. Parameters are formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces. The service name and service parameters are separated by spaces. For example: Reauth-Service-Name: = “voip_service inLimit=1000 timeout=10”


This VSA is used to provide dynamic reauthorization of the RADIUS service attributes of an RSE service without bringing the associated service down. The following are the supported RADIUS service attributes:


  • Service-Interim-Accounting

  • Service-Timeout

  • Service-Volume-Limit


For more information about these attributes, see Section 7.


If not all reauthorizable service parameters fit in VSA 204 because of the limit on the number of characters you can use in this VSA, you can use vendor VSA 192, Service-Parameters, to carry the additional service parameters. You can also configure VSA 204 to carry only the service name and VSA 192 to carry all the service parameters. See VSA 192 for formatting details.


If you are using VSA 192 with VSA 204, use a RADIUS attribute tag to correlate this VSA with VSA 204. The tag is an arbitrary number you assign to both VSAs.


For example:

Reauth-Service-Name:2 = “voip_service”
Service-Parameters:2 = “timeout=1 inLimit=777 outLimit=1000”


In the above example, 2 is the RADIUS attribute tag assigned to both VSAs.


If a CoA-Request message is to include more than one set of associated VSAs that are tagged with RADIUS attribute tags, and there exists among these sets at least one common VSA, ensure that the RADIUS attribute tag you assign to each set is unique. Ensuring the uniqueness of each tag allows the SmartEdge router to successfully process the CoA-Request message.

207

RB-IPV6-DNS


No

Yes

Yes

String. This attribute is a Redback VSA that configures the primary and secondary IPv6 DNS of a subscriber. An example is shown below:


IPv6-DNS = "1=2000::106:a00:20ff:fe99:a998,2=2000::106:a00:20ff:fe99:a995"


The 1= value indicates the primary IPv6 DNS for the subscriber.


The 2= value indicates the secondary IPv6 DNS for the subscriber. The primary and secondary IPv6 DNS can be configured using the same VSA. This attribute cannot be modified through CoA. For more information, see the dns6 primary and secondary CLI commands.

208

RB-IPv6 Option

No

Yes

Yes

String. This VSA is used to configure multiple IPv6 attributes for a single subscriber. The nd-profile, ipv6-source-validation, and ipv6-route-tag can be configured using the IPv6-Option Redback VSA. IPv6 source validation (reverse-path forwarding) for the subscriber can be configured using the following syntax:


IPv6-Option ="source-validation=1"


The example below shows how a route-tag can be configured for the subscriber:


IPv6-Option ="route-tag=22"


The ND profile for the subscriber can be configured as shown below.


IPv6-Option += "nd-profile=nd1"


The IPv6-Option attribute cannot be modified through CoA.

(1)  The Tunnel-Password attribute is used for authentication in the other direction.
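
The formatting and tagging rules given above for VSA 204 (Reauth-Service-Name) and VSA 192 (Service-Parameters) can be checked on the RADIUS server side before a CoA-Request is sent. The following Python check is an added example, not code from Ericsson or the SmartEdge software; the function names and the tuple layout are hypothetical, and it assumes the list holds only VSA 204 and VSA 192 entries of one CoA-Request.

```python
REAUTH, PARAMS = "Reauth-Service-Name", "Service-Parameters"  # VSA 204, VSA 192


def parse_pairs(tokens):
    """Turn name=value tokens into a dict; a lone '=' means spaces surrounded it."""
    params = {}
    for tok in tokens:
        name, eq, val = tok.partition("=")
        if not (eq and name and val):
            raise ValueError(f"{tok!r} is not a name=value pair")
        if name in params:
            raise ValueError(f"parameter {name!r} appears twice")
        params[name] = val
    return params


def correlate_reauth(attrs):
    """attrs: (attribute name, tag or None, value) tuples of one CoA-Request.

    Returns ([(tag, service, params)], [problem strings]); VSA 192 parameters
    are merged into the VSA 204 entry that carries the same tag.
    """
    result, by_tag, problems = [], {}, []
    for name, tag, value in attrs:
        if name != REAUTH:
            continue
        fields = value.split()
        try:
            if tag is not None and tag in by_tag:
                raise ValueError("tag is already used by another set")
            if not fields or "=" in fields[0]:
                raise ValueError("value does not start with a service name")
            params = parse_pairs(fields[1:])
        except ValueError as exc:
            problems.append(f"{REAUTH}:{tag}: {exc}")
            params = None
        else:
            result.append((tag, fields[0], params))
        if tag is not None:
            by_tag.setdefault(tag, params)  # None marks a malformed VSA 204
    for name, tag, value in attrs:
        if name != PARAMS:
            continue
        try:
            if tag not in by_tag:  # an untagged VSA 192 can never be correlated
                raise ValueError(f"no {REAUTH} carries the same tag")
            extra = parse_pairs(value.split())
            target = by_tag[tag]
            if target is None:
                continue  # the matching VSA 204 was already reported
            clash = sorted(target.keys() & extra.keys())
            if clash:
                raise ValueError(f"{clash} already set in {REAUTH}")
            target.update(extra)
        except ValueError as exc:
            problems.append(f"{PARAMS}:{tag}: {exc}")
    return result, problems


# Constructed sample input: the tagged example from the text plus a second set.
SAMPLE = [
    (REAUTH, 2, "voip_service"),
    (PARAMS, 2, "timeout=1 inLimit=777 outLimit=1000"),
    (REAUTH, 3, "video_service timeout=10"),
]

if __name__ == "__main__":
    sets, problems = correlate_reauth(SAMPLE)
    for tag, service, params in sets:
        print(tag, service, params)
    print(problems or "no problems found")
```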


3.2   Vendor VSAs in CoA and Disconnect Messages

Table 8 lists the Vendor VSAs that can appear in CoA-Request, CoA-Response, Disconnect-Request, and Disconnect-Response messages. For details about these attributes, see Table 7.

Table 8    Vendor VSAs in CoA and Disconnect Messages

| # | VSA Name | Sent in CoA Request | Sent in CoA Response | Sent in Disconnect Request | Sent in Disconnect Response |
|---|---|---|---|---|---|
| 4 | Context_Name | Yes | No | Yes | No |
| 33 | Mcast_Send | Yes | No | No | No |
| 34 | Mcast_Receive | Yes | No | No | No |
| 35 | Mcast_MaxGroups | Yes | No | No | No |
| 87 | Qos_Policing | Yes | | Yes | |
| 88 | Qos_Metering | Yes | | Yes | |
| 89 | Qos_Queuing | Yes | | Yes | |
| 90 | Igmp_Svc_Prof_Id | Yes | No | No | No |
| 92 | Forward-Policy | Yes | No | No | No |
| 94 | Reauth_String | Yes | No | No | No |
| 95 | Reauth_More | Yes | No | No | No |
| 96 | RBN_Agent_Remote_ID | Yes | No | Yes | No |
| 97 | RBN_Agent_Circuit_ID | Yes | No | Yes | No |
| 101 | Shaping_Profile_Name | Yes | No | No | No |
| 102 | Bridge_Profile | Yes | No | No | No |
| 105 | Nat_Policy_Name | Yes | No | No | No |
| 107 | HTTP_Redirect_Profile_Name | Yes | No | No | No |
| 112 | OS_Version | Yes | No | No | No |
| 113 | Session_Traffic_Limit | Yes | No | No | No |
| 114 | Qos_Reference | Yes | No | No | No |
| 156 | Qos_Rate_Inbound | Yes | No | No | No |
| 157 | Qos_Rate_Outbound | Yes | No | No | No |
| 164 | Dynamic-Policy-Filter | Yes | No | No | No |
| 165 | HTTP-Redirect-URL | Yes | No | No | No |
| 189 | Flow_FAC_Profile | Yes | No | No | No |
| 190 | Service-Name | Yes | Yes | No | No |
| 191 | Service-Options | Yes | No | No | No |
| 192 | Service-Parameter | Yes | No | No | No |
| 193 | Service-Error-Cause | No | Yes | No | No |
| 194 | Deactivate-Service-Name | Yes | Yes | No | No |
| 196 | Dynamic-QoS-Param | Yes | No | No | No |
| 203 | Security-Service | Yes | No | No | No |
| 204 | Reauth-Service-Name | Yes | Yes | No | No |

3.3   Vendor VSAs That Can Be Reauthorized

Table 9 lists the vendor VSAs that are reauthorized when you enter the reauthorize command (in exec mode). For details about these VSAs, see Table 7.

Table 9    Vendor VSAs Supported by Reauthorization

| # | VSA Name | Description |
|---|---|---|
| 33 | Mcast-Send | Defines whether the subscriber can send multicast packets. |
| 34 | Mcast-Receive | Defines whether the subscriber can receive multicast packets. |
| 35 | Mcast-MaxGroups | Specifies the maximum number of multicast groups of which the subscriber can be a member. |
| 87 | Qos_Policing | Attaches a QoS policing policy to the subscriber session. |
| 88 | Qos_Metering | Attaches a QoS metering policy to the subscriber session. |
| 89 | Qos_Queuing | Attaches a QoS queuing service profile to the subscriber session. |
| 90 | Igmp_Svc_Prof_Id | Applies an IGMP service profile to the subscriber session. |
| 92 | Forward-Policy | Attaches an in or out forward policy to the subscriber session. |
| 101 | Shaping-Profile-Name | Indicates the name of the ATM shaping profile. |
| 102 | Bridge-Profile-Name | Indicates the name of the bridge profile. |
| 105 | Nat_Policy_Name | Indicates the NAT policy name. Attaches the specified NAT policy to a subscriber. |
| 107 | HTTP-Redirect-Profile-Name | Indicates the name of the HTTP redirect profile. |
| 113 | Session-Traffic-Limit | Specifies that inbound or outbound traffic be limited. Specifies that inbound, outbound, or aggregated traffic be limited. |
| 114 | Qos_Reference | Specifies the node name, node-name index, group name, and group-name index. A colon (:) separates the node-name index from the group name. |
| 156 | Qos_Rate_Inbound | Changes the inbound QoS rate; changing the excess burst rate is optional. |
| 157 | Qos_Rate_Outbound | Changes the outbound QoS rate; changing the excess burst rate is optional. |
| 164 | Dynamic_Policy_Filter | Specifies a class rule for a dynamic policy ACL. |
| 165 | HTTP_Redirect_URL | Specifies the URL to which the SmartEdge router redirects HTTP requests. |
| 189 | Flow_FAC_Profile | Specifies flow. |
| 190 | Service_Name | Carries the service name and parameters required to activate the service. |
| 191 | Service_Options | Carries the service action, which indicates the action that SmartEdge router should perform. The enumerated types for this attribute are shown below: a) ACTIVATE-ENABLED = 0x01; b) ACTIVATE-DISABLED = 0x00 |
| 192 | Service_Parameter | Carries the parameters required to activate the service. |
| 194 | Deactivate_Service_Name | |
| 195 | Qos_Overhead | Attaches a QoS overhead profile to the subscriber session |
| 196 | Dynamic_QoS_Param | Parameterizes QoS policies |
| 203 | Security-Service | |
| 204 | Reauth-Service-Name | Carries the service name and parameters required to reauthorize the named service. |

3.4   VSA for RSE Reauthorization

The router supports the following VSAs:

3.5   VSA 164 Format

VSA 164 has the following format:

ip dir action [dstip n.n.n.n[/nn]] [srcip n.n.n.n[/nn]] [{dscp dscp-value | tos tos-value tos-mask}] [protocol [dstport dst-op dst-port] [srcport src-op src-port] [est]] class class-name service

Table 10 describes keywords and arguments for VSA 164.

Table 10    VSA 164 Keywords and Arguments

ip

Specifies that the filter applies to IP packets.

dir

Specifies the direction of the traffic with one of the following keywords:


  • in—Traffic is inbound to the SmartEdge router.

  • out—Traffic is outbound from the SmartEdge router.

forward

Specifies the filter action.

dstip n.n.n.n[/nn]

Optional. IP address and netmask for the destination port. The range of values for the netmask is 0 to 32.

srcip n.n.n.n[/nn]

Optional. IP address and netmask for the source port. The range of values for the netmask is 0 to 32.

dscp dscp-value

Optional. Differentiated Services Code Point (DSCP) value that the packet must have to be considered a match. The range of values is decimal 0 to 63, a hexadecimal value listed in Table 13, or one of the keywords listed in Table 13.

tos tos-value tos-mask

Optional. Type of service (ToS) that the packet must have to be considered a match. The range of values for the tos-value argument is decimal 0 to 255 or the hexadecimal equivalent, but only certain values are allowed. The tos-mask argument identifies the group of bits in the IP ToS byte; see Table 14.

protocol

Optional. Protocol, according to one of the following keywords:


  • icmp—Internet Control Message Protocol (ICMP)

  • tcp—Transmission Control Protocol (TCP)

  • udp—User Datagram Protocol (UDP)

  • ospf—Open Shortest Path First (OSPF) protocol

dstport dst-op dst-port

Optional. Comparison operation and port name or number for the destination port. Table 11 lists the keywords for the comparison operation (the dst-op argument). For the dst-port argument, you can specify either a port name or a port number. Table 12 lists the keywords for the port name. The range of values for port number is 1 to 1,023.

srcport src-op src-port

Optional. Comparison operation and port name or number for the source port. Table 11 lists the keywords for the comparison operation (the src-op argument). For the src-port argument, you can specify either a port name or a port number. Table 12 lists the keywords for the port name. The range of values for port number is 1 to 1,023.

est

Optional. TCP established. This keyword is valid only if you specify the tcp keyword for the protocol.

class class-name

Class name. The format is a string of 1 to 39 case-sensitive printable characters.

service

Type of service policy, according to one of the following keywords:


  • fwd—Forward policy

  • nat—Network Address Translation (NAT) policy

  • qos—Quality of service (QoS) policy (either metering or policing)

Table 11 lists the keyword operators for the dst-op and src-op arguments.

Table 11    Keyword Operators for Comparison Operations

| Operator | Description |
|---|---|
| < | Port number is less than the specified port number. |
| = | Port name or number matches the specified port name or number. |
| > | Port number is greater than the specified port number. |
| != | Port name or number does not match the specified port name or number. |

Table 12 lists the keywords for the dst-port and src-port arguments in alphabetical order.

Table 12    Keywords for Destination and Source Port Numbers and Names

| Port Name | Description |
|---|---|
| cmd | 514/udp; shell command |
| domain | 53/udp, 53/tcp; Domain Name Server |
| exec | 512/tcp; remote process execution |
| finger | 79/udp, 79/tcp; Finger |
| ftp | 21/udp, 21/tcp; FTP |
| ftp-data | 20/udp, 20/tcp; FTP default data |
| gopher | 70/udp, 70/tcp; Gopher |
| hostname | 101/udp, 101/tcp; NIC Host Name Server |
| kerberos | 88/udp, 88/tcp; Kerberos |
| login | 513/tcp; remote login, such as Telnet |
| nameserver | 42/udp, 42/tcp; Host Name Server |
| nntp | 119/udp, 119/tcp; NNTP |
| ntp | 123/tcp, 123/udp; NTP |
| smtp | 25/udp; SMTP |
| talk | 517/udp; similar to a tenex link, but across machine; does not use link protocol; a rendezvous port from which a tcp connection is established |
| telnet | 23/udp; Telnet |
| tftp | 69/udp; TFTP |
| www | 80/udp, 80/tcp; World Wide Web HTTP |

Table 13 lists the keyword and hexadecimal value substitutions for the dscp-value argument.

Table 13    Keyword and Hexadecimal Substitutions for the dscp-value Argument

| Keyword | Hexadecimal Value | Definition |
|---|---|---|
| af11 | 0x0a | Assured Forwarding—Class 1/Drop precedence 1 |
| af12 | 0x0c | Assured Forwarding—Class 1/Drop precedence 2 |
| af13 | 0x0e | Assured Forwarding—Class 1/Drop precedence 3 |
| af21 | 0x12 | Assured Forwarding—Class 2/Drop precedence 1 |
| af22 | 0x14 | Assured Forwarding—Class 2/Drop precedence 2 |
| af23 | 0x16 | Assured Forwarding—Class 2/Drop precedence 3 |
| af31 | 0x1a | Assured Forwarding—Class 3/Drop precedence 1 |
| af32 | 0x1c | Assured Forwarding—Class 3/Drop precedence 2 |
| af33 | 0x1e | Assured Forwarding—Class 3/Drop precedence 3 |
| af41 | 0x22 | Assured Forwarding—Class 4/Drop precedence 1 |
| af42 | 0x24 | Assured Forwarding—Class 4/Drop precedence 2 |
| af43 | 0x26 | Assured Forwarding—Class 4/Drop precedence 3 |
| cs0 | 0x00 | Class selector 0 |
| cs1 | 0x08 | Class selector 1 |
| cs2 | 0x10 | Class selector 2 |
| cs3 | 0x18 | Class selector 3 |
| cs4 | 0x20 | Class selector 4 |
| cs5 | 0x28 | Class selector 5 |
| cs6 | 0x30 | Class selector 6 |
| cs7 | 0x38 | Class selector 7 |
| df | 0x00 | Default Forwarding (alternative to cs0) |
| ef | 0x2e | Expedited Forwarding |
| prec1 | 0x08 | Precedence selector 1 (alternative to cs1) |
| prec2 | 0x10 | Precedence selector 2 (alternative to cs2) |
| prec3 | 0x18 | Precedence selector 3 (alternative to cs3) |
| prec4 | 0x20 | Precedence selector 4 (alternative to cs4) |
| prec5 | 0x28 | Precedence selector 5 (alternative to cs5) |
| prec6 | 0x30 | Precedence selector 6 (alternative to cs6) |
| prec7 | 0x38 | Precedence selector 7 (alternative to cs7) |

Table 14 lists the definitions for the groups of bits in the IP ToS byte and the value for the tos-mask argument for each group. ToS values must correspond to the ToS mask so that the value does not have any bits outside the range of the mask.

Table 14    ToS Mask Group Definitions

| ToS Group | Bit Range | Decimal Value | Hexadecimal Value |
|---|---|---|---|
| Flags | 1 to 4 | 30 | 0x1E |
| Precedence | 5 to 7 | 224 | 0xE0 |
| Combined | 1 to 7 | 254 | 0xFE |
| DSCP | 2 to 7 | 252 | 0xFC |

If you specify either the dscp dscp-value or the tos tos-value construct in the VSA, you must specify the construct before you specify any protocol-related options (protocol argument, class keyword).

To display the definition of this VSA, use the show subscribers command with the active keyword (in any mode) or the show access-group command (in any mode). For more information about these commands, see Command List.

Matching criteria consist of Layer 3 and Layer 4 parameters. All parameters are optional; if you omit a parameter, the parameter has the value “any,” which means that any packet matches that parameter.

You can specify Layer 4 parameters only if you specify either TCP or UDP as the protocol.

If you do not specify the netmask argument, the system uses a default netmask, which is based on the IP network class corresponding to the IP address.

You cannot specify 0.0.0.0 as an IP address.
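
The rules in this section (keyword order, value ranges, the ToS mask constraint, Layer 4 options only with TCP or UDP, no 0.0.0.0) can be checked before a RADIUS server sends a VSA 164 string. The following Python validator is an added example, not code from Ericsson or the SmartEdge software; its function names are hypothetical, it accepts only the forward action because that is the only action keyword Table 10 lists, and it reads Table 11 as allowing < and > with port numbers only.

```python
import ipaddress

PROTOCOLS = {"icmp", "tcp", "udp", "ospf"}
PORT_NAMES = {"cmd", "domain", "exec", "finger", "ftp", "ftp-data", "gopher",
              "hostname", "kerberos", "login", "nameserver", "nntp", "ntp",
              "smtp", "talk", "telnet", "tftp", "www"}  # Table 12
# Table 13 keywords: afCD = 8*C + 2*D, csN = precN = 8*N, df = 0x00, ef = 0x2e.
DSCP = {f"af{c}{d}": 8 * c + 2 * d for c in range(1, 5) for d in range(1, 4)}
DSCP.update({f"cs{n}": 8 * n for n in range(8)}, df=0x00, ef=0x2E)
DSCP.update({f"prec{n}": 8 * n for n in range(1, 8)})
TOS_MASKS = {0x1E, 0xE0, 0xFE, 0xFC}  # Table 14: Flags, Precedence, Combined, DSCP

class FilterError(ValueError):
    """A VSA 164 string breaks one of the rules stated in Section 3.5."""

def _num(tok, lo, hi, what):
    try:
        n = int(tok, 0)  # decimal or 0x-prefixed hexadecimal
    except ValueError:
        raise FilterError(f"{what}: {tok!r} is not a number") from None
    if not lo <= n <= hi:
        raise FilterError(f"{what}: {n} is outside {lo}..{hi}")
    return n

def _addr(tok, what):
    host, slash, plen = tok.partition("/")
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        raise FilterError(f"{what}: {host!r} is not an IPv4 address") from None
    if int(ip) == 0:
        raise FilterError(f"{what}: 0.0.0.0 is not allowed")
    # Without /nn the router applies a classful default mask; recorded as None.
    return str(ip), (_num(plen, 0, 32, f"{what} netmask") if slash else None)

def parse_vsa164(value):
    """Return the parsed fields of a VSA 164 string, or raise FilterError."""
    toks, out = value.split(), {}
    def take(what, allowed=None):
        if not toks:
            raise FilterError(f"missing {what}")
        tok = toks.pop(0)
        if allowed is not None and tok not in allowed:
            raise FilterError(f"{what}: {tok!r} is not one of {sorted(allowed)}")
        return tok
    def has(keyword):  # consume an optional keyword when it is the next token
        return bool(toks) and toks[0] == keyword and toks.pop(0) == keyword
    take("'ip' keyword", {"ip"})
    out["dir"] = take("direction", {"in", "out"})
    out["action"] = take("action", {"forward"})  # only action Table 10 lists
    for key in ("dstip", "srcip"):
        if has(key):
            out[key] = _addr(take(f"{key} address"), key)
    if has("dscp"):  # dscp/tos must come before any protocol option
        tok = take("dscp value")
        out["dscp"] = DSCP[tok] if tok in DSCP else _num(tok, 0, 63, "dscp")
        if tok.lower().startswith("0x") and out["dscp"] not in DSCP.values():
            raise FilterError(f"dscp: hexadecimal {tok} is not listed in Table 13")
    elif has("tos"):
        val = _num(take("tos value"), 0, 255, "tos value")
        mask = _num(take("tos mask"), 0, 255, "tos mask")
        if mask not in TOS_MASKS:
            raise FilterError(f"tos mask {mask:#04x} is not a Table 14 group")
        if val & ~mask:
            raise FilterError(f"tos value {val:#04x} has bits outside {mask:#04x}")
        out["tos"] = (val, mask)
    proto = out["protocol"] = toks.pop(0) if toks and toks[0] in PROTOCOLS else None
    for key in ("dstport", "srcport"):
        if has(key):
            if proto not in ("tcp", "udp"):
                raise FilterError(f"{key} needs protocol tcp or udp, got {proto}")
            op = take(f"{key} operator", {"<", "=", ">", "!="})
            port = take(f"{key} port")
            if port not in PORT_NAMES:
                port = _num(port, 1, 1023, f"{key} port")
            elif op in ("<", ">"):  # Table 11: < and > compare port numbers only
                raise FilterError(f"{key}: {op} cannot be used with a port name")
            out[key] = (op, port)
    if has("est"):
        if proto != "tcp":
            raise FilterError("est is valid only with protocol tcp")
        out["est"] = True
    take("'class' keyword", {"class"})
    out["class"] = name = take("class name")
    if len(name) > 39 or not name.isprintable():
        raise FilterError("class name must be 1 to 39 printable characters")
    out["service"] = take("service", {"fwd", "nat", "qos"})
    if toks:
        raise FilterError(f"unexpected trailing tokens: {toks}")
    return out

def check(value):
    """Return None when the string is acceptable, otherwise the reason."""
    try:
        parse_vsa164(value)
    except FilterError as exc:
        return str(exc)
```

Calling check() on each Dynamic-Policy-Filter value in a subscriber record before it is loaded into the RADIUS server catches strings that break these rules, such as est with udp or a ToS value with bits outside its mask.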

3.6   VSA 196 Format

VSA 196 has the following format:

attribute [parent] [remove]

Table 15    VSA 196 Format

attribute

Specifies one of the following dynamic quality of service (QoS) parameters:

 
  • fwd-in-access-group group-name (1)

  • meter-circuit-burst bytes

  • meter-circuit-exceed {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value} | {drop-qos-priority priority-value} | drop-all | no-action}

  • meter-circuit-excess-burst bytes

  • meter-circuit-conform {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value} | no-action}

  • meter-circuit-mark {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value}

  • meter-circuit-rate rate-absolute rate-value

  • meter-circuit-violate {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value} | drop-all | no-action}

  • meter-class-burst class-name burst-bytes

  • meter-class-conform class-name {mark-dscp | mark-precedence | mark-priority | no-action}

  • meter-class-exceed class-name {mark-dscp | mark-precedence | mark-priority | drop-qos-priority-group | drop-all | no-action}

  • meter-class-excess-burst class-name excess-burst-bytes

  • meter-class-mark class-name {mark-dscp | mark-precedence | mark-priority}

  • meter-class-rate class-name {rate-absolute kbps | rate-percentage percentage}

  • meter-class-violate class-name {mark-dscp | mark-precedence | mark-priority | drop-all | no-action}

 
  • police-circuit-burst bytes

  • police-circuit-conform {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value} | no-action}

  • police-circuit-exceed {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value} | {drop-qos-priority priority-value} | drop-all | no-action}

  • police-circuit-excess-burst bytes

  • police-circuit-mark {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value}

  • police-circuit-rate rate-absolute rate-value

  • police-circuit-violate {mark-dscp dscp-value | mark-precedence precedence-value | mark-priority priority-value} | drop-all | no-action}

  • police-class-burst class-name burst-bytes

  • police-class-conform class-name {mark-dscp | mark-precedence | mark-priority | no-action}

  • police-class-exceed class-name {mark-dscp | mark-precedence | mark-priority | drop-qos-priority-group | drop-all | no-action}

  • police-class-excess-burst class-name excess-burst-bytes

  • police-class-mark class-name {mark-dscp | mark-precedence | mark-priority}

  • police-class-rate class-name {rate-absolute kbps | rate-percentage percentage}

  • police-class-violate class-name {mark-dscp | mark-precedence | mark-priority | drop-all | no-action}

 
  • pwfq-priority-group-rate group-num {rate-absolute kbps | rate-percentage percentage}

  • pwfq-queue-priority queue-num {priority-group | weight-value}

  • pwfq-queue-weight queue-num weight-value

  • pwfq-circuit-rate-min rate-value

  • pwfq-circuit-rate-max rate-value

  • pwfq-circuit-weight weight

parent

Optional. Enter the parent keyword to apply the modification of a dynamic-qos-param attribute to the parent circuit of the subscriber session instead of the subscriber session. The parent circuit of a subscriber session is considered to be the 802.1q VLAN or ATM PVC which encapsulates its traffic and under which the bind authentication or bind subscriber CLI configuration entry of the subscriber was specified.


You can also use the remove keyword with the parent keyword to remove applied dynamic parameter on parent circuit.

remove

Optional. Enter the remove keyword to remove a dynamic parameter and revert the QoS parameter to the default value.

(1)   The fwd-in-access-group does not support the parent keyword.


Note:  
VSA 196 offers a superset of the functionality of VSA 156 (Qos-Rate-Inbound) and 157 (Qos-Rate-Outbound). Use either VSA 196, or VSA 156 or 157 or both, to modify the circuit-level rate and associated parameters (burst and excess-burst) on a single circuit. When VSA 196 is applied with VSA 156 or 157 to the same property of a single circuit, VSA 196 takes precedence. Any property (rate, burst, or excess-burst) specified through VSA 156 or 157 is ignored when the corresponding VSA 196 attribute is in place. If the VSA 196 attribute is removed (for example, by the COA attribute removal) and either VSA 156 or 157 is still applied to the subscriber session, the previously overridden VSA takes effect.

When the same QoS rate of a circuit is subject to modification from both the DSL line rate (received through ANCP or through TR-101 PPPoE or DHCP tags) and a rate applied through VSA 156, 157, or 196 (set through RADIUS or the policy-refresh exec command), the lower of the last line rate received or the relevant VSA rate (determined by the preceding precedence rule) is applied.


The description of policy-refresh command (in exec mode) provides more information on this VSA; for details, see Commands: o through po.

4   Vendor VSA Support for CCOD Multiencapsulated PVCs in 802.1Q Tunnels

Remote Authentication Dial-In User Service (RADIUS) supports circuit creation on demand (CCOD) multiencapsulated permanent virtual circuits (PVCs) in 802.1Q tunnels. Multiencapsulated CCOD is typically used in a scenario in which some subscribers have high-speed Internet service only, and others have voice over IP (VoIP) or Video-on-Demand (VoD) and optionally high-speed Internet. When the SmartEdge router receives a subscriber request for service, it queries the RADIUS server. The RADIUS server returns an authorization that informs the SmartEdge router about which type of C-VLAN (customer VLAN) encapsulation to provision:

Table 16 and Table 17 list the vendor VSAs that provide support for multiencapsulated CCOD 802.1Q PVCs. For details about these VSAs, see Table 7.

If the C-VLAN encapsulation type is PPPoE, the supported RADIUS Redback VSAs in the Access-Accept message are listed in the following table:

Table 16    Vendor VSAs Supported in PPPoE-Encapsulated 802.1Q PVCs

| # | VSA Name |
|---|---|
| 39 | PVC-Encapsulation-Type |
| 40 | PVC-Profile-Name |
| 42 | Bind-Type |
| 43 | Bind-Auth-Protocol |
| 44 | Bind-Auth-Max-Sessions |
| 46 | Bind-Auth-Context |
| 89 | Qos_Queuing |
| 97 | Agent-Circuit-Id |
| 195 | QoS-Overhead |

If the C-VLAN encapsulation type is multi, the supported RADIUS vendor VSAs in the Access-Accept message are listed in the following table:

Table 17    Vendor VSAs Supported in Multiencapsulated PVCs in 802.1Q Tunnels

| # | VSA Name |
|---|---|
| 39 | PVC-Encapsulation-Type |
| 40 | PVC-Profile-Name |
| 42 | Bind-Type |
| 43 | Bind-Auth-Protocol |
| 44 | Bind-Auth-Max-Sessions |
| 46 | Bind-Auth-Context |
| 89 | Qos_Queuing |
| 97 | Agent-Circuit-Id |
| 108 | Bind-Auto-Sub-User |
| 109 | Bind-Auto-Sub-Context |
| 110 | Bind-Auto-Sub-Password |
| 111 | Circuit-Protocol-Encap |
| 195 | QoS-Overhead |

5   Other Supported VSAs

Table 18 lists other VSAs that the SmartEdge router supports. These VSAs require a vendor ID of 529.

Table 18    Other Supported VSAs

| # | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes |
|---|---|---|---|---|---|
| 242 | Ascend-Data-Filter | No | Yes | Yes | Multivalue attribute. An Access-Accept packet contains multiple binary strings each representing a rule in an IP access control list (ACL). The rules are interpreted in the order they are received from the RADIUS server. If the RADIUS server returns both the SmartEdge router Filter-Id and Ascend-Data-Filter attributes for the same subscriber in the same direction, the Ascend-Data-Filter attribute is ignored, the SmartEdge router Filter-Id attribute is applied in that direction, and an event message to that effect is logged. |

6   RADIUS Attributes Supported by RFlow

The following lists the RADIUS attributes supported by RFlow on the SmartEdge router. The format of the RADIUS attribute for RFlow profile is:

Flow-IP-Profile = "[{in|out|both}:<profile-name>]"
Attribute Type: STRING
Attribute Length: <Maximum length of flow ip profile name supported by CLI>
Attribute Id: 205
Note: only the following forms of the attribute are valid:
Flow-IP-Profile = "in:<profile-name>"
Flow-IP-Profile = "out:<profile-name>"
Flow-IP-Profile = "both:<profile-name>"
Flow-IP-Profile = ""

The type string of the VSA includes the Flow-IP-Profile attribute. The attribute value is defined as dir:name, where dir is in, out, or both, and name is a string that corresponds to the RFlow profile name configured on the SmartEdge router.

The following lists the standard RFlow RADIUS attributes that are supported by the SmartEdge router and that can appear in Access-Request and Access-Response messages:

7   Supported Service Attributes

Table 19 lists the service attributes that the SmartEdge router supports. These attributes appear in service profiles that a RADIUS server uses to specify the conditions for a subscriber session.

Table 19    Service Attributes Supported

| Attribute Name | Notes |
|---|---|
| Service-Interim-Accounting | Integer. Number of seconds after which the service accounting counters are updated. The range of values is 900 to 2,147,483,647. Before this attribute is sent to the SmartEdge PPA for processing, the value for the Service-Interim-Accounting attribute is rounded to the nearest integer that divides by 60 evenly. For example, if 925 is the value for the Service-Interim-Accounting attribute, the SmartEdge router rounds this integer to 900. |
| Service-Timeout | Integer. Number of seconds after which a session times out. The range of values is 60 to 2,147,483,647. |
| Service-Volume-Limit | Integer. Volume of traffic (in KB) in either the upstream or downstream direction after which a service for a subscriber session has exceeded its volume limit. The range of values is 0 through 2,147,483,647. |

8   RADIUS Attributes Supported by Mobile IP Services

For Mobile IP services, RADIUS attributes appear in various types of RADIUS messages, as described in the following sections.

8.1   Standard RADIUS Attributes and Mobile IP Services

The following lists the standard Mobile IP service RADIUS attributes that are supported by the SmartEdge router and that can appear in Access-Request, Account-Request, and Access-Response messages:

For more information about these attributes, see Section 2.1 and Section 2.3.

Note:  
For Mobile IP, the username is the mobile node (MN) Network Access Identifier (NAI).

8.2   3GPP2 RADIUS VSAs

Table 20 describes the Third Generation Partnership Project 2 (3GPP2) RADIUS VSAs used by Mobile IP services that are supported by the SmartEdge router and that can appear in Access-Request, Account-Request, and Access-Response messages. Mobile IP services comply with 3GPP2 standard X.S0011-001-C v3.0, cdma2000 Wireless IP Network Standard: Introduction.

Table 20    3GPP2 RADIUS VSAs Supported

| # | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes |
|---|---|---|---|---|---|
| 7 | Home Agent IP Address | Yes | Yes | No | IP address of the HA. |
| 57 | MN-HA SPI | Yes | No | No | Integer. Security Parameter Index (SPI). Sent when the SPI is changing for the mobile node (MN) along with the HA and MN shared secret key. |
| 58 | MN-HA shared secret key | No | No | Yes | Octet string. Shared secret key used for MN and HA authentication. |
| 79 | Foreign Agent Address | No | Yes | No | IP address of the foreign agent (FA). |

8.3   3GPP2 RADIUS VSAs That Can Be Reauthorized

Table 21 lists the 3GPP2 RADIUS VSAs used by Mobile IP services that are reauthorized when you enter the reauthorize command (in exec mode).

Table 21    3GPP2 RADIUS VSAs Supported by Reauthorization

| # | Attribute Name | Description |
|---|---|---|
| 57 | MN-HA SPI | Integer. SPI. Sent when the SPI is changing for the MN, along with the HA and MN shared secret key. |
| 58 | MN-HA shared secret key | Octet string. Shared secret key used for MN and HA authentication. |

8.4   WiMax Forum RADIUS VSAs

Table 22 lists the WiMax Forum RADIUS VSAs supported for Mobile IP and that can appear in Access-Request, Account-Request, and Access-Response messages.

Table 22    WiMax Forum RADIUS VSAs for Mobile IP Supported

| # | Attribute Name | Sent in Access-Request | Sent in Acct-Request | Received in Access-Response | Notes |
|---|---|---|---|---|---|
| 1 | WiMax-Capability | Yes | No | Yes | Type-length values (TLVs). Indicates the capabilities that the home agent (HA) supports, such as accounting and hotlining: TLV ID 1: WiMAX release; TLV ID 2: Accounting capabilities; TLV ID 3: Hotlining capabilities; TLV ID 4: Idle Mode notification capabilities. The WiMax-Capability attribute is optionally received in the access response message. |
| 3 | GMT-Time-Zone-Offset | No | Yes | No | Integer. The difference in seconds between the HA and RADIUS server, in Greenwich Mean Time (GMT). This information is used to calculate local time. The GMT-Time-Zone-Offset attribute is optionally sent in the Acct-Request message. |
| 4 | WIMAX-Session-ID | Yes(1) | No | Yes | Binary string. Unique identifier in the home network for the session set in the home network AAA server. The Received in Access-Response is also received in the CoA. |
| 6 | hHA-IP-MIP4 | Yes | No | No | IP address. IP address of the home agent (HA). |
| 10 | MN-HA-MIP4-Key | No | No | Yes | Binary string. The shared secret key used for authentication between the mobile node (MN) and HA. |
| 11 | MN-HA-MIP4-SPI | Yes | No | Yes | Integer. Security Parameter Index (SPI) that corresponds to the shared secret key used for mobile node (MN) and HA authentication. The HA includes this attribute in the Access-Request message to request the corresponding shared key from the RADIUS server. The RADIUS server includes this attribute in the Access-Response message and when it sends the CoA message to the HA to indicate that a new key will be used for subsequent MN and HA authentication or reauthentication for an existing mobile subscriber session. |
| 15 | HA-RK-Key | No | No | Yes | Octet. Key used to generate FA-HA keys. |
| 16 | HA-RK-SPI | Yes (Optional) | No | Yes | Integer. SPI associated with HA-RK-Key. |
| 17 | HA-RK-Lifetime | No | No | Yes | Integer. Lifetime of the HA-RK-Key. |
| 18 | RRQ-HA-IP | Yes | No | No | IP address. The IP address identified in the HA IP address file in the RRQ. |
| 19 | RRQ-MN-HA-Key | No | No | Yes (Optional) | Encrypted string. MN-HA key bound to the HA IP address. |
| 24 | Hotline-Indicator | No | Yes | Yes | String. Enables hotlining. Sent by RADIUS or CoA server that is reported in the session and hotlining accounting records. The Hotline-Profile-ID and Hotline-Indicator enable hotlining. |
| 48 | Acct-Input-Packets-Gigawords | No | Yes | No | Integer. Incremented when the standard RADIUS attribute 47, Acct-Input-Packets, overflows. The Sent in Acct-Request is optional. |
| 49 | Acct-Output-Packets-Gigawords | No | Yes | No | Integer. Incremented when the standard RADIUS attribute 48, Acct-Output-Packets, overflows. The Sent in Acct-Request is optional. |
| 53 | Hotline-Profile-ID | No | Yes | Yes | String. Hotlining profile identifier sent by RADIUS or CoA server. The Hotline-Profile-ID and Hotline-Indicator attributes enable hotlining. |
| 58 | HA-RK-Key-Requested | Yes (if dynamic keys are required) | No | No | Integer. Flag indicating that the HA requires an HA-RK-Key. |
| 64 | vHA-IP-MIP4 | No | Yes | Yes | IP address. IP address of the visited HA from the AAA server. |

(1)  Yes, if the Access-Request is sent for reauthentication.


8.5   WiMax Forum RADIUS VSAs in the CoA

Table 23 lists the WiMax Forum RADIUS VSAs supported for Mobile IP and that can appear in CoA-Request and CoA-Response messages. For details about these VSAs, see Table 22.

Table 23    WiMax Forum RADIUS VSAs for Mobile IP Supported

| # | Attribute Name | Sent in CoA Request | Sent in CoA Response | Notes |
|---|---|---|---|---|
| 4 | WiMAX-Session-ID | Yes | No | Binary string. Unique identifier in the home network for the session set in the home network AAA server. The Received in Access-Response is also received in the CoA. |
| 24 | Hotline-Indicator | Yes | No | String. Sent by RADIUS or CoA server that is reported in the session and hotlining accounting records. A CoA containing a Hotline-Profile-ID without an accompanying Hotline-Indicator deactivates hotlining for that profile. |
| 53 | Hotline-Profile-ID | Yes | No | String. Hotlining profile identifier sent by RADIUS or CoA. A CoA containing a Hotline-Profile-ID without an accompanying Hotline-Indicator deactivates hotlining for that profile. |

8.6   Motorola VSAs

Table 24 lists the Motorola VSAs supported for Mobile IP and that can appear in Access-Request, Account-Request, and Access-Response messages.

Table 24    Motorola VSAs for Mobile IP Supported

#

Attribute Name

Sent in Access- Request

Sent in Acct- Request

Received in Access- Response

Notes

66

Coa_IPv4

Yes

No

No

IP Address. Care of Address in MIP RRQ. An FA can have multiple CoA addresses, and the HA IP address must be derived based on the CoA peer.

67

FA-hHA-Key

No

No

Yes

Encrypted string. The FA-HA-key is used by the FA to create an FA-HA authentication extension. This field is protected with an encryption algorithm defined in RFC 2868, RADIUS Attributes for Tunnel Protocol Support, for Tunnel-Password.

68

FA-hHA-Lifetime

No.

No

Yes

Integer. The amount of time in seconds that this FA-hHA-key can be used after it is fetched.

69

FA-hHA-SPI

Yes (Optional)

No

Yes

Integer. The SPI for the FA-hHA-key. The FA-hHA-SPI can be sent in the Access Request to the AAA server if the foreign agent (FA) does not have a matching key corresponding to the key used by the home agent (HA) in a registration revocation message.

70

EP-Request-Type

Yes

No

No

Integer. Sent to the CAPC/AAA server for each RRQ coming to the FA. Values are:


  • 0 - Reserved

  • 1 - MIP Context Request. The value of this attribute is 1 for Mobile FA subscribers.

  • 2 - Non-MIP context request. The value of this attribute is 2 for Fixed CLIPs subscribers.

71

MN-FA-Key

No

No

Yes

Encrypted string. The MN-FA key used for MN-FA authentication.

72

MN-FA-Lifetime

Nos

No

Yes

Integer. The amount of time in seconds that the MN-FA key can be used after the FA obtains it.

73

MN-FA-SPI

Yes

No

Yes

Integer. The SPI associated with the MN-FA Key.

74

FA-IP-MIP4

Yes

No

No

IP address. The IP address of the FA that received the MIP request and used to generate the MN-FA key for authentication.

75

FA-vHA-key

No

No

Yes

Encrypted string. The FA-HA key used by the FA to create FA-HA authentication extension.

76

FA-vHA-Lifetime

No.

No

Yes

Integer. The amount of time in seconds that this FA-hHA-Key can be used after the FA obtains it from the Authenticator within ASN-GW.

77

FA-vHA-SPI

Yes (Optional)

No

Yes

Integer. The SPI for the FA-hHA-Key. This is the same value as the hHA-RK SPI.

78

Accounting-Mode

No

No

Yes

Binary bit mask value. Received from the CAPC/AAA server in response to the AR. The Accounting-Mode is a bitmap with the following bit values:


  • 0x00 - No accounting. This value is assumed if the Accounting-Mode VSA is not included in the Access-Accept over R7.

  • 0x01 - IP-Session-based accounting.

  • 0x02 - Flow-based accounting.

  • 0x10 - Wait for RADIUS attributes parsing and applying result before sending accounting messages.

  • 0x11 - Used by ASN-GW DP in WiMax 4.0.
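
The FA-HA key description earlier in this table states that the value is protected with the RFC 2868 Tunnel-Password algorithm. The following Python is an added example, not Ericsson code, that implements that salt-encryption scheme for the salt and ciphertext portion of a value; the function names and sample inputs are assumptions made for illustration.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salt_encrypt(key, secret, req_auth, salt=None):
    """Return salt || ciphertext for key (RFC 2868, section 3.5)."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(key) > 255:
        raise ValueError("key does not fit the one-octet length field")
    salt = os.urandom(2) if salt is None else salt
    salt = bytes([salt[0] | 0x80, salt[1]])   # most significant salt bit must be set
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)     # pad to a multiple of 16 octets
    out, prev = b"", req_auth + salt          # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                          # b(i) = MD5(S + c(i-1))
    return salt + out


def salt_decrypt(value, secret, req_auth):
    """Recover the key from salt || ciphertext; reject malformed input."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError("value is not salt plus whole 16-octet blocks")
    salt, cipher = value[:2], value[2:]
    if not salt[0] & 0x80:
        raise ValueError("salt most significant bit is not set")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    length = plain[0]
    if length > len(plain) - 1:               # typical result of a wrong secret
        raise ValueError("length octet exceeds decrypted data")
    return plain[1:1 + length]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    wire = salt_encrypt(b"\xaa" * 20, secret, ra)
    print(wire.hex(), salt_decrypt(wire, secret, ra).hex())
```

The keystream is derived only from the RADIUS shared secret, the Request Authenticator of the Access-Request, and the salt, so the confidentiality of a key delivered this way is no stronger than the shared secret configured between the router and the AAA server.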

9   RADIUS Attribute 49 Error Codes

This section lists the Redback terminate error codes and the Remote Authentication Dial-In User Service (RADIUS) attribute 49 (Acct-Terminate-Cause) error codes, which are included in Accounting-Stop messages, in the tables that follow.

RADIUS attribute 49 error codes and their definitions are included in RFC 2866, RADIUS Accounting.

Table 25    RADIUS Attribute 49 Termination Error Codes 0 to 99

| Redback Terminate Error Code and Code Description | Attribute 49 Error Code and Code Description | Session Error Message |
|---|---|---|
| 0 No Error | 18 Host_Request | No error was recorded |
| 1 Unknown Error | 9 NAS_Error | No error was recorded |
| 2 Error Not Specified | 9 NAS_Error | No termination cause code was given by peer |
| 3 Vendor Specific Error | 9 NAS_Error | Vendor Specific Error |
| 4-19 Not Used | 0 INVALID | |
| 20 Session Timeout | 5 Session_Timeout | Session Timeout |
| 21 Setup_Timeout | 15 Service_Unavailable | Couldn’t establish a session within session timeout period |
| 22 Bad_Session_ID | 9 NAS_Error | Received packet with bad session ID |
| 23 Unknown_Remote_Session_Error | 9 NAS_Error | Remote peer sent general/unknown error for this session |
| 24 Authentication_Failed | 17 User_Error | Authentication Failure |
| 25 Bind_Failed | 15 Service_Unavailable | Failed to bind subscriber |
| 26 Provision_Failed | 15 | Subscriber provisioning failed |
| 27 No_Session | 15 Service_Unavailable | Cannot find AAA_SESSION |
| 28 Stale_Session | 15 Service_Unavailable | Clearing stale AAA SESSION |
| 29 Aging_Session | 15 Service_Unavailable | Clearing unstable session due to XC Switchover |
| 30 FSM_Timeout | 9 NAS_Error | State Machine Timeout |
| 31 FSM_Error | 9 NAS_Error | State Machine Error |
| 32-39 Not Used | 0 INVALID | |
| 40 Session_Cleared | 6 Admin_Reset | Session cleared by administrator |
| 41 CCT_Cleared | 6 Admin_Reset | Circuit cleared by administrator |
| 42 Port_Admin_Down | 6 Admin_Reset | Port shutdown by administrator |
| 43 Port_Admin_Deleted | 6 Admin_Reset | Port removed from configuration |
| 44 CCT_Admin_Down | 6 Admin_Reset | Circuit disabled by administrator |
| 45 Peer_Admin_Down | 6 Admin_Reset | Peer disabled by administrator |
| 46 Admin_RAD_Test | 23 Admin_Test | Radius test by administrator |
| 47 Admin_RAD_Test | 24 Auto_Test | Auto radius connectivity test |
| 48 Admin_Logout | 25 Admin_Logout | Administrator logout |
| 49 SVC_Cleared | 6 Admin_Reset | Service cleared by administrator |
| 50-59 Not Used | 0 INVALID | |
| 60 CCT_Unbound | 6 Admin_Reset | The no bind command was entered on this circuit by the administrator |
| 61 CCT_Deleted | 6 Admin_Reset | Circuit removed from configuration |
| 62 Encaps_Changed | 6 Admin_Reset | Circuit reset because of encapsulation change |
| 63 Context_Deleted | 3 Lost_Service | Context removed from configuration |
| 64 Intf_Deleted | 3 Lost_Service | Interface removed from configuration |
| 65 Intf_Changed | 3 Lost_Service | Interface configuration changed |
| 66 Profile_Deleted | 3 Lost_Service | Dynamic shaping profile was deleted |
| 67 Port_Shutdown | 6 Admin_Reset | Shutdown configured on port. |
| 68 CCT_Shutdown | 6 Admin_Reset | Shutdown configured on circuit. |
| 69-79 Not Used | 0 INVALID | |
| 80 NAS_Error | ? INVALID | |
| 81 CCT_Mismatch | ? INVALID | |
| 82-99 Not Used | 0 INVALID | |

Table 26    RADIUS Attribute 49 Termination Error Codes 100 to 209

| Redback Terminate Error Code and Code Description | Attribute 49 Error Code and Code Description | Session Error Message |
|---|---|---|
| 100 Lost_Carrier | 2 Lost_Carrier | Lost carrier |
| 101 EC_Busy | 9 NAS_Error | Busy signal, try again later |
| 102 Bad_Framing | 8 Port_Error | Incorrect or missing framing |
| 103 No_Dialtone | 9 NAS_Error | No dialtone detected |
| 104 No_Carrier | 9 NAS_Error | No carrier detected |
| 105 LMI_Down | 2 Lost_Carrier | LMI declared PVC down or LMI control channel lost |
| 106 Port_Down | 2 Lost_Carrier | Port down |
| 107 HDLC_Down | 2 Lost_Carrier | HDLC down on circuit |
| 108 CCT_Down | 2 Lost_Carrier | Circuit down |
| 109-129 Not Used | 0 INVALID | |
| 130 Bad_Peer_Config | 17 User_Error | Bad peer configuration, negotiation failed |
| 131 Confrej_By_Peer | 17 User_Error | Peer rejected required option(s) |
| 132 Rej_IPCP | 17 User_Error | Peer refused to negotiate IPCP |
| 133 Peer_Req_Auth | 17 User_Error | Peer required outbound authentication |
| 134 No_Auth_Protocol | 17 User_Error | Peer refused to negotiate an authentication protocol |
| 135 LCP_Rej_Callback | 17 User_Error | Peer refused to negotiate a callback |
| 136 LCP_Fsm_Timeout | 17 User_Error | LCP state machine timeout |
| 137 Auth_Fsm_Timeout | 17 User_Error | Authentication state machine timeout |
| 138 No_LCP_Packets | 2 Lost_Carrier | No LCP packets received from peer |
| 139 LCP_Looped | 2 Lost_Carrier | Link loopback detected |
| 140 Recv_Term_Req | 1 User_Request | Received PPP Terminate Request |
| 141 Echo_Timeout | 2 Lost_Carrier | No response to PPP keepalive from peer |
| 142 Idle_Timeout | 4 Idle_Timeout | No traffic within idle timeout period |
| 143 ABS_Timeout | 5 Session_Timeout | Session absolute timeout expired |
| 144 Layer_Down | 9 NAS_Error | A PPP layer went down (LCP/IPCP/CHAP/PAP) |
| 145 Rec_PADT | 1 User_Request | Received PPPoE Active-Discovery Terminate from client |
| 146 PPPOE_Real_CCT_Unbound | 6 Admin_Reset | The circuit transporting the PPPoE session was unbound |
| 147 IPCP_No_Addr | 9 NAS_Error | No IP address was configured or pool was out of usable addresses |
| 148 No_Confreq_Resp | 17 User_Error | No response to PPP Confreq from peer |
| 149 Rej_Crypto | 1 User_Request | Peer rejected encryption, which is required by local policy |
| 150 No_MP_Bundle | 9 NAS_Error | Cannot find MP bundle |
| 151 Traffic_Limit_Exceeded | 10 NAS_Request | Traffic limit exceeded |
| 152 Peer_LCP_Restart | 1 User_Request | Received LCP confreq from remote peer after LCP was up |
| 153 Term_ACK | 1 User_Request | Received PPP Terminate Ack |
| 154 Idle_Timeout_IN | 4 Idle_Timeout | No traffic received within idle timeout period |
| 155 Idle_Timeout_OUT | 4 Idle_Timeout | No traffic transmitted within idle timeout period |
| 156 MP_Master_Not_Up | 9 NAS_Error | MP Master link did not come up |
| 157 PPP_PPPoE_Sync_Timeout | 15 Service_Unavailable | PPPoEd initiated cleanup, stuck pppoe session |
| 158 PPPoE_Magic_Timeout | 15 Service_Unavailable | PPPoEd initiated cleanup, no PPP magic received |
| 159 PPPoE_Bind_Timeout | 15 Service_Unavailable | PPPoEd Initiated cleanup, no subscriber binding received |
| 160 Tun_Cleared | 6 Admin_Reset | Tunnel was cleared |
| 161 Recv_Stopccn | 3 Lost_Service | Received a StopCCN from peer |
| 162 Rexmit_Timeout | 3 Lost_Service | Control channel timeout - Remote peer dead |
| 163 No_Ctrl_Conn | 15 Service_Unavailable | Control packet received but no control channel exists |
| 164 Bad_Len | 9 NAS_Error | Length field did not match packet size or packet size invalid |
| 165 Bad_Field | 9 NAS_Error | A header field had an invalid value |
| 166 Temp_Res_Fail | 15 Service_Unavailable | Temporarily out of resource. Try later |
| 167 Perm_Res_Fail | 15 Service_Unavailable | Remote peer permanently lacks sufficient resources for session |
| 168 Try_Another | 10 NAS_Request | Remote peer was too busy to accept session. Try another peer |
| 169 Unk_M_Avp | 9 NAS_Error | Unknown Mandatory AVP |
| 170 Bad_Dest | 9 NAS_Error | Destination Invalid |
| 171 Not Used | 0 INVALID | |
| 172 Max_Tunnels | 15 Service_Unavailable | Reached configured max-tunnels limit |
| 173 Max_Sessions | 15 Service_Unavailable | Reached configured max-sessions limit |
| 174 Tunnel_Not_LNS | 15 Service_Unavailable | Can’t create session; Configured for LAC-only |
| 175 No_Avail_Card | 15 Service_Unavailable | Can’t create LNS or LTS session: no available card |
| 176 Wrong_Endpoints | 9 NAS_Error | Wrong remote or local address received from peer |
| 177-179 Not Used | 0 INVALID | |
| 180 Clips_Bounce | 10 NAS_Request | CLIPS circuit was reset due to a 'clips-bounce' request |
| 181-189 Not Used | 0 INVALID | |
| 190 DHCP_Lease_Released | 1 User_Request | Client released DHCP lease |
| 191 DHCP_Lease_Expired | 5 Session_Timeout | DHCP lease expired |
| 192 DHCP_Server_Unavailable | 15 Service_Unavailable | DHCP server is unavailable |
| 193 DHCP_IPhost_Cleared | 6 Admin_Reset | DHCP IP-host cleared |
| 194 SESS_SBXC_SYNC_FAIL | 15 Service_Unavailable | Standby sync failed |
| 195 SESS_PROTECTION_SWITCH | 13 Port_Preempted | Port protection switch |
| 196 DHCP_IPHOST_Mismatch | 17 User_Error | DHCP IP-host mismatch |
| 197 DHCP_Lease_NACK | 15 Service_Unavailable | DHCP lease nack'ed |
| 198-199 Not Used | 0 INVALID | |
| 200 CCOD_Idle_Down | 6 Admin_Reset | CCOD Idle down timer expired for circuit |
| 201-209 Not Used | 0 INVALID | |
| 210 LI_Fail_Start | 15 Service_Unavailable | Couldn't establish a session, Security Fail |
| 211-219 Not Used | 0 INVALID | |
| 220 MEM_ALLOC_ERROR | 9 NAS_Error | Memory allocation failed |