WLAN management / RADIUS
Parent topic: RADIUS

RADIUS attributes

The RADIUS client can request RADIUS attributes, such as the "Framed-IP-Address", from an external RADIUS server and provide these, for example, to a PPPoE server in order to authenticate them at PPPoE, PPTP or L2TP servers.

Note: For more information about RADIUS attributes, see the following technical documents:

The device transmits the following attributes in access request messages:

Table 1. Overview of the supported RADIUS attributes
ID: Name Meaning Possible values in LCOS
1 User-Name The name entered by the user. Used with 802.1X WLAN, PPPoE server, L2TP, PPTP, VPN
2 User-Password The password entered by the user. Used with 802.1X WLAN, PPPoE server, L2TP, PPTP, VPN
4 NAS-IP-Address Specifies the IPv4 address of the device requesting access for a user. <IPv4 address of the device>
6 Service-Type Specifies the type of service that the device requests or expects as a response.
  • Authenticate-Only
  • Framed
7 Framed-Protocol Specifies the protocol to be used. PPP
8 Framed-IP-Address Specifies the IP address that is assigned to the client. <IP address of the client>
26 Vendor 2356(LCS) ID 2 MAC address of the client if authentication using the MAC address is enabled. In contrast to the Calling-Station-Id, this value is transmitted as a 6-byte binary string. This attribute only exists for the login mode Authenticate with name, password and MAC address. <MAC address of the client>
30 Called-Station-Id Specifies the identifier of the called station (e.g. the VPN server).
  • Server IP address (for VPN connections via PPTP or L2TP)
  • Service name (for PPPoE)
  • BSSID:SSID (for WLAN)
  • MAC address of the device (for Public Spot)
31 Calling-Station-Id Specifies the identifier of the calling station (e.g. the VPN client).
  • Client IP address (for VPN connections via PPTP or L2TP)
  • Client MAC address (for PPPoE, WLAN and Public Spot)
32 NAS identifier Specifies the name of the device being managed by the RADIUS server. <Device-Name>
61 NAS-Port-Type Specifies the physical port through which the device authenticates the user.
  • Virtual (for VPN connections via PPTP or L2TP)
  • Ethernet (with PPPoE)
  • Wireless 802.11 (for WLAN)
64 Tunnel-Type Defines the tunneling protocol which will be used for the session.
  • 13 (VLAN; for Public Spot)
65 Tunnel-Medium-Type Defines the transport medium over which the tunneled session will be established.
  • 6 (802; for Public Spot)
81 Tunnel-Private-Group-ID Defines the group ID if the session is tunneled.
  • 1-4096 (for Public Spot)
87 NAS-Port-Id Description of the interface over which the client is connected to your device. This may be a physical and a logical interface. For example
  • LAN-1
  • WLAN-1-5
  • WLC-TUNNEL-27
95 NAS-IPv6-Address Specifies the IPv6 address of the device requesting access for a user. <IPv6-address of the device>
96 Framed-Interface-ID This attribute conveys the IPv6 interface identifier that should be configured for the user in the IPv6CP.  
97 Framed-IPv6-Prefix Prefix, which is sent to the user via router advertisements.  
99 Framed-IPv6-Route This attribute conveys the route to be used for this user. The device supplements the IPv6 routing table with this route and the next hop to this user.  
100 Framed-IPv6-Pool This indicates the IPv6 pool from which a prefix is to be taken for the user. The IPv6 pool is referenced by its name and must be present under Ipv6 > Router advertisement > Prefix pools.  
123 Delegated-IPv6-Prefix Prefix, which is sent to the user via DHCPv6 prefix delegation.  
177 Mobility-Domain-ID Identifies the mobility domain where the client is located.  
181 WLAN-HESSID Contains the HESSID of the 802.11u SSID.  
182 WLAN-Venue-Info Contains information about the category of the site. This is configured under Wireless-LAN > 802.11u > Venue information.
183 WLAN-Venue-Language Contains information about the language of the site. This is configured under Wireless-LAN > 802.11u > Venue information.
184 WLAN-Venue-Name Contains the name of the site (venue name). This is configured under Wireless-LAN > 802.11u > Venue information.
186 WLAN-Pairwise-Cipher Contains information about the pairwise key used by the client and AP.  
187 WLAN-Group-Cipher Contains information about the group key used by the client and AP.  
188 WLAN-AKM-Suite Contains information about the access management (authentication and key management) between the client and AP.  
189 WLAN-Group-Mgmt-Cipher Contains information about the group management key/cipher used to secure a connection via RSNA (robust security network association) between an AP and mobile client.  
190 WLAN-RF-Band Contains information about the frequency band used by the client.  
Note: In addition to these attributes, there is an almost endless variety of manufacturer-specific attributes. LCOS allows these attributes to be used once they have been defined. See User-defined attributes

An example for a PPP user test with IPv6 in the FreeRADIUS is as follows:

test Cleartext-Password := "1234"
     Service-Type := Framed-User,
     Framed-Protocol := PPP,
     Framed-IPv6-Prefix := "fec0:1:2400:1::/64",
     Delegated-IPv6-Prefix := "fec0:1:2400:1100::/56",
     Framed-IP-Address := 172.16.3.33

The user test in a dual-stack PPP session receives the IPv4 address 172.16.3.33, the prefix fec0:1:2400:1::/64 via router advertisement, and the prefix fec0:1:2400:1100::/56 via DHCPv6 prefix delegation.

The following vendor-specific RADIUS attributes use the IANA Private Enterprise Number "3561" of the Broadband Forum. The remaining entries are LANCOM-specific attributes!

Table 2. Overview of all supported manufacturer-specific RADIUS attributes in the access request
ID: Name Meaning Possible values in LCOS
1 ADSL-Agent-Circuit-Id, Vendor 3561 Specifies the interface of the device being managed by the RADIUS server. Only transmitted if agent-relay info is included in the PPPoED packet (see PPPoE snooping). <Device interface>
2 ADSL-Agent-Remote-Id, Vendor 3561 Specifies the identifier of the device being managed by the RADIUS server. Only transmitted if agent-relay info is included in the PPPoED packet (see PPPoE snooping). <Device identifier>
8 LCS-TxRateLimit, Vendor 2356 Defines a maximum downstream rate in kbps on Layer 2 from the perspective of the PPPoE server (NAS) toward the PPPoE client.
Note: The PPPoE server supports the vendor-specific RADIUS attributes LCS-TxRateLimit and LCS-RxRateLimit with vendor ID 2356 (LANCOM Systems GmbH) in the RADIUS Access-Accept message. This allows the upstream and downstream bandwidth of a PPPoE client to be limited at Layer 2. This feature is only supported when the PPPoE client is connected via LAN interfaces. It is not supported when the PPPoE client is connected via Layer-2 tunnel interfaces such as Ethernet-over-GRE (EoGRE) or L2TPv3.
  
9 LCS-RxRateLimit, Vendor 2356 Defines a maximum upstream rate in kbps on Layer 2 from the perspective of the PPPoE server (NAS) coming from the PPPoE client.  
16 LCS-Orig-NAS-Identifier, Vendor 2356 NAS-identifier of the original access point in WLC mode. <Device-Name>
17 LCS-Orig-NAS-IP-Address, Vendor 2356 NAS IP address of the original access point in WLC mode. <IPv4 address of the device>
18 LCS-Orig-NAS-IPv6-Address, Vendor 2356 NAS IPv6 address of the original access point in WLC mode. <IPv6-address of the device>
Note: An overview of the attributes used to support RADIUS with IKEv2 is available under RADIUS support for IKEv2.
Parent topic: RADIUS

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de

LANCOM Logo