RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) attributes define the authentication, authorization, and accounting (AAA) elements of a user profile stored on the RADIUS server.

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. All clients and servers that exchange AAA information using IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.[1]

You can search for one or more attributes in this menu.

Useful User and Group Authentication Attributes

Each entry lists the attribute name, the operator, and the value format, followed by its description.

PAP-Auth-Allow := 1
  When "Phase 2 Authentication Using PAP" is not in use, use this attribute to allow 2-Step PAP authentication for specific users or groups.

PAP-Auth-Deny := 1
  When "Phase 2 Authentication Using PAP" is in use, use this attribute to deny 2-Step PAP authentication for specific users or groups.

Login-Time += text
  The Login-Time attribute defines the time spans during which a user may log in, and denies authentication on the specified days and times. It can also terminate an already-established wireless LAN connection automatically once the specified end time is reached. However, adding this attribute after a device has already connected to the wireless LAN may not disconnect it automatically.

  The wireless equipment must support the Session-Timeout attribute for automatic disconnection to work.

  Define time strings in the "Day%H%M-Day%H%M" format. Day can be Mo, Tu, We, Th, Fr, Sa, or Su; "Wk" stands for weekdays and "Any" for all days. [2]
  "%H" is the hour in the range 00 to 23, and "%M" is the minute in the range 00 to 59.
  If you omit "%H" and "%M" from a time string, it means "any time" (any hour and any minute on the given days).

  Multiple time strings are written as a list of simple time strings separated by "|".

  Examples:

  • Wk0900-1800 // Authentication is possible from Monday to Friday, between 9:00 AM and 6:00 PM.
  • Wk0900-1800, Sa0900-1200 // Authentication is possible from Monday to Friday between 9:00 AM and 6:00 PM, and on Saturday only between 9:00 AM and 12:00 PM.
  • Any0900-1800 // Authentication is possible every day between 9:00 AM and 6:00 PM.
  • Any0900-1800, We2000-2100 // Authentication is possible every day between 9:00 AM and 6:00 PM, and on Wednesday only between 8:00 PM and 9:00 PM.
  • Sa // Authentication is possible every Saturday at any time.
  • Any // Always (default)

User-Login-Time := text
  It is similar to the Login-Time attribute; however, it is an exclusive attribute and does not affect users who are part of a group that has its own Login-Time attribute.
  This attribute applies only to users.

Group-Login-Time := text
  It is also similar to the Login-Time attribute, but it is an exclusive attribute that takes precedence over Login-Time attributes for users who are part of the group, even if they have their own Login-Time attribute. However, if a user has a User-Login-Time attribute, Group-Login-Time is not applied (User-Login-Time has the highest priority).
  This attribute applies only to groups.
Calling-Station-Id =~ mac address1 | mac address2 ...
  Includes the MAC address of the user's device in user identification during authentication. If this attribute is present, authentication requires a match on the Username, the User-Password, and the MAC address. Use the "|" symbol to define multiple MAC addresses. Enter MAC addresses in lowercase without separators.

  Examples:

  • 0000aaaa2222
  • 0000aaaa2222 | 0000aaaa3333 // Two MAC addresses
  • ^bbbb22 // MAC address begins with "bbbb22"
  • 0000bbbb2222 | 0000bbbb3333 | ^bbbb22 | 0000bbbb3333 // Multiple MAC addresses

  MAC addresses are hexadecimal; enter them in lowercase without any separators. When including multiple MAC addresses, separate them with "|" within a single Calling-Station-Id attribute. If multiple MAC addresses are defined, authentication succeeds if any one of them matches.

Nas-Identifier =~ ssid
  Specifies the SSID for authenticating individual users and users included in a group; authentication proceeds only if the user connects through the specified SSID. To define multiple SSIDs, use "|".

  Examples:

  • my-ssid-A
  • my-ssid-A | myssid-B
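The following is an added example (not code from the original page or from the product it documents) that reproduces the "=~" comparison used for both Calling-Station-Id and Nas-Identifier: the configured value is a list of alternatives joined with "|", each alternative is a regular expression (which is why "^bbbb22" matches a MAC prefix), and the check passes if any one alternative matches. The attribute names and the lowercase, separator-free MAC convention come from the text above; the normalisation of the MAC as an access point sends it, the function names, and the sample requests are assumptions made for the example.

```python
"""Added example; not code from the original page or from the product it
documents.  Reproduces the "=~" check on Calling-Station-Id and Nas-Identifier:
a "|"-separated list of regular expressions, any one of which may match.
Assumptions: the MAC normalisation step, the function names, the sample data.
"""
import re


def normalize_mac(raw):
    """Access points spell the MAC in Calling-Station-Id in different ways
    ("00-00-AA-AA-22-22", "00:00:aa:aa:22:22", "0000.aaaa.2222").  Reduce the
    value to the 12 lowercase hex digits the attribute expects; return None
    when it is not a MAC at all, so the comparison fails instead of matching
    something loose."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None


def attribute_matches(configured, value):
    """One "=~" comparison: split the configured value on "|", drop the spaces
    the examples put around the bar, and accept on the first alternative whose
    regular expression matches.  A pattern that does not compile counts as a
    mismatch (fail closed) rather than raising inside the authentication path."""
    if value is None:
        return False
    for alternative in configured.split("|"):
        alternative = alternative.strip()
        if not alternative:
            continue
        try:
            if re.search(alternative, value):
                return True
        except re.error:
            continue
    return False


def check_request(user_attrs, request):
    """Evaluate a profile's identification attributes against one Access-Request
    (both given as plain dicts).  Every attribute present in the profile must
    match; a profile without them relies on username and password alone."""
    observed = {
        "Calling-Station-Id": normalize_mac(request.get("Calling-Station-Id", "")),
        "Nas-Identifier": request.get("Nas-Identifier"),
    }
    return all(attribute_matches(user_attrs[name], observed[name])
               for name in observed if name in user_attrs)


if __name__ == "__main__":
    # Constructed profile and Access-Request attribute sets for the demonstration.
    profile = {"Calling-Station-Id": "0000aaaa2222 | ^bbbb22",
               "Nas-Identifier": "^my-ssid-A$ | ^my-ssid-B$"}
    requests = [
        {"Calling-Station-Id": "00-00-AA-AA-22-22", "Nas-Identifier": "my-ssid-A"},   # accepted
        {"Calling-Station-Id": "bb:bb:22:00:00:01", "Nas-Identifier": "my-ssid-B"},   # accepted by prefix
        {"Calling-Station-Id": "00-00-AA-AA-22-22", "Nas-Identifier": "my-ssid-AB"},  # rejected: SSID anchored
        {"Calling-Station-Id": "not-a-mac", "Nas-Identifier": "my-ssid-A"},           # rejected: no usable MAC
    ]
    for req in requests:
        print(req, "->", check_request(profile, req))
```

Under the regular-expression semantics that the "^bbbb22" example implies, an unanchored pattern also matches a longer value: in this example "my-ssid-A" accepts "my-ssid-AB", while "^my-ssid-A$" does not. Writing exact SSIDs with "^" and "$" avoids that, and normalising the MAC before the comparison is what makes the lowercase, separator-free convention hold regardless of how a particular access point formats the address.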
Expiration := datetime
  Can be set in user or group attributes and specifies the authentication expiration time. Once this time has passed, authentication is denied for the user who has this attribute and for users belonging to groups that include it.

  Define the expiration time in the format "%b %d %Y %H:%M:%S %Z".
  For example: Oct 20 2023 14:00:00 KST

  To set the expiration time for an individual user, specify "Expiration" in the detailed information on the RADIUS Users page; this attribute is then added automatically, so use that interface.
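The following is an added example (not code from the original page or from the product it documents) that evaluates the time-based check attributes described in this section together: Login-Time, User-Login-Time and Group-Login-Time strings in the "Day%H%M-Day%H%M" form (Mo..Su, Wk, Any; a bare day name meaning any time; several strings joined with "|"), and the Expiration attribute in the "%b %d %Y %H:%M:%S %Z" form. It also returns the seconds left in the current window, which is the figure a server would send as Session-Timeout so that the access point drops the session when the window closes. The attribute names, formats and the User-Login-Time over Group-Login-Time precedence are from the text; the function names, the ZONES table, the choice of a user's plain Login-Time over the group's when both exist, and the reading of an end time earlier than the start time as a window crossing midnight are assumptions made for the example.

```python
"""Added example; not code from the original page or from the product it
documents.  Evaluates Login-Time / User-Login-Time / Group-Login-Time strings
and the Expiration attribute as the page describes them.  Assumptions: the
function names, the ZONES table, user's plain Login-Time before the group's,
and an end time earlier than the start time meaning the span crosses midnight.
"""
import re
from datetime import datetime, timedelta, timezone

DAY_INDEX = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_GROUPS = {"Wk": [0, 1, 2, 3, 4], "Any": list(range(7))}
MINUTES_PER_DAY, MINUTES_PER_WEEK = 1440, 7 * 1440

# Assumption: the zone abbreviations this deployment expects to see in Expiration.
ZONES = {"UTC": timezone.utc, "KST": timezone(timedelta(hours=9), "KST")}

_DAY = r"(Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any)"
_SPAN = re.compile(_DAY + r"(?:(\d{2})(\d{2})-(Mo|Tu|We|Th|Fr|Sa|Su)?(\d{2})(\d{2}))?$")


def parse_login_time(spec):
    """Turn one time-string list into (start, end) windows measured in minutes
    since Monday 00:00; raise ValueError on anything outside the format."""
    windows = []
    for item in spec.split("|"):
        m = _SPAN.match(item.strip())
        if not m:
            raise ValueError("malformed time string: %r" % item)
        day, sh, sm, end_day, eh, em = m.groups()
        days = DAY_GROUPS.get(day) or [DAY_INDEX[day]]
        if sh is None:                               # "Sa", "Any": the whole day
            windows += [(d * MINUTES_PER_DAY, (d + 1) * MINUTES_PER_DAY) for d in days]
            continue
        sh, sm, eh, em = (int(x) for x in (sh, sm, eh, em))
        if max(sh, eh) > 23 or max(sm, em) > 59:
            raise ValueError("hour or minute out of range: %r" % item)
        for d in days:
            start = d * MINUTES_PER_DAY + sh * 60 + sm
            end = (DAY_INDEX[end_day] if end_day else d) * MINUTES_PER_DAY + eh * 60 + em
            if end <= start:                         # assumption: crosses midnight (or the week)
                end += MINUTES_PER_DAY if end_day is None else MINUTES_PER_WEEK
            windows.append((start, end))
    return windows


def _week_minute(when):
    return when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute


def seconds_left(spec, when):
    """Seconds remaining in the window of `spec` that contains `when`, or 0 when
    access is denied at that moment.  Windows may run past Sunday midnight, so
    the instant is tested both as-is and shifted one week forward."""
    now, best = _week_minute(when), 0
    for start, end in parse_login_time(spec):
        for candidate in (now, now + MINUTES_PER_WEEK):
            if start <= candidate < end:
                best = max(best, (end - candidate) * 60 - when.second)
    return best


def effective_login_time(user_attrs, group_attrs):
    """Choose the string that governs a user: User-Login-Time first, then
    Group-Login-Time, then a plain Login-Time (assumption: the user's own before
    the group's).  With none of them present the default is "Any"."""
    for attrs, name in ((user_attrs, "User-Login-Time"), (group_attrs, "Group-Login-Time"),
                        (user_attrs, "Login-Time"), (group_attrs, "Login-Time")):
        if name in attrs:
            return attrs[name]
    return "Any"


def parse_expiration(value):
    """Parse "Oct 20 2023 14:00:00 KST" into an aware datetime.  strptime's %Z
    only accepts local zone names, so the abbreviation is looked up in ZONES."""
    body, _, zone = value.strip().rpartition(" ")
    if zone not in ZONES:
        raise ValueError("unknown time zone in Expiration: %r" % zone)
    return datetime.strptime(body, "%b %d %Y %H:%M:%S").replace(tzinfo=ZONES[zone])


def at_kst(year, month, day, hour, minute=0):
    """Build an aware timestamp in the zone the page's own example uses."""
    return datetime(year, month, day, hour, minute, tzinfo=ZONES["KST"])


def authorize(user_attrs, group_attrs, when):
    """Apply both checks to one request at the aware instant `when`.
    Returns (accepted, session_timeout_seconds)."""
    for attrs in (user_attrs, group_attrs):
        exp = attrs.get("Expiration")
        if exp is not None and when >= parse_expiration(exp):
            return False, 0
    remaining = seconds_left(effective_login_time(user_attrs, group_attrs), when)
    return remaining > 0, remaining


if __name__ == "__main__":
    # Constructed sample profiles for the demonstration.
    user = {"User-Login-Time": "Wk0900-1800|Sa0900-1200", "Expiration": "Oct 20 2023 14:00:00 KST"}
    group = {"Group-Login-Time": "Any"}
    for when in (at_kst(2023, 10, 18, 17, 30),   # Wednesday inside the window: 1800 s left
                 at_kst(2023, 10, 19, 20, 0),    # Thursday evening: outside the window
                 at_kst(2023, 10, 21, 10, 0)):   # Saturday morning, but the profile has expired
        print(when.isoformat(), authorize(user, group, when))
```

The window check works in wall-clock minutes of the week, so a span such as "Fr1800-Mo0800" that runs past Sunday midnight is handled by testing the instant a week later as well. Because Expiration carries a zone abbreviation that Python's strptime cannot resolve portably, the example keeps its own small ZONES table; a deployment would list the abbreviations it actually uses there.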

Useful User and Group Reply Attributes

Each entry lists the attribute name, the operator, and the value format, followed by its description.

Session-Timeout := 3600~86400 (seconds)
  The Session-Timeout of a user connected to the wireless LAN. When this time elapses, a new wireless LAN encryption key is generated to keep the wireless LAN connection secure. In a typical WPA-Enterprise environment with a wireless LAN authentication server, keys are already generated securely to maintain an encrypted channel; however, to make the encrypted channel even more secure, you can use this attribute to force periodic rekeying.

References