Contains the response to the challenge of a dial-in client. Sent in an Access-Accept packet with Framed-Protocol of ARAP.

Includes password information that the network access server (NAS) must send to the user in an ARAP feature flags packet. Sent in an Access-Accept packet with Framed- Protocol of ARAP.

Appears in an Access-Request packet containing a Framed-Protocol of ARAP. Only one of User-Password, CHAP-Password, or ARAP-Password must be included in an Access-Request, or one or more EAP-Messages.

Identifies the ARAP security module to be used in an Access-Challenge packet.

Contains the actual security module challenge or response, and is in Access-Challenge and Access-Request packets.

Indicates how to use the ARAP zone list for the user.

Provides specific configuration information necessary to begin delivery of service to the user.

Sends the user a challenge requiring a response, and the RADIUS server must respond to the Access-Request by transmitting a packet with the Code field set to 11 (Access-Challenge).

Transmits a packet with the Code field set to 3 (Access-Reject) if any value of the received Attributes is not acceptable.

Conveys information specifying user access to a specific NAS, and any special services requested for that user.

Conveys information used to provide accounting for a service provided to a user.

Acknowledges that the Accounting-Request has been received and recorded successfully.

Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol.

Indicates how many seconds the client has been trying to send this record.

Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided.

Indicates how many octets have been received from the port during the current session.

Indicates how many packets have been received from the port during the session provided to a Framed User.

Indicates the number of seconds between each interim update in seconds for this specific session.

Indicates the count of links known to have been in each multilink session at the time the accounting record is generated.

Indicates a unique Accounting ID to make it easy to link together multiple related sessions in a log file.

Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 during the current session.

Indicates how many octets have been sent to the port during this session.

Indicates how many packets have been sent to the port during this session to a Framed User.

Indicates a unique Accounting ID to make it easy to match start and stop records in a log file.

Indicates how many seconds the user has received service.

Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop).

Indicates how the session was terminated.

Indicates the identifier assigned to the tunnel session.

Indicates the number of packets lost on a given link.

Contains the Challenge Handshake Authentication Protocol (CHAP) challenge sent by the NAS to a PPP CHAP user.

Indicates the response value provided by a PPP CHAP user in response to the challenge.

Indicates the name of a location to be called, to be interpreted by the NAS.

The dialing string to be used for callback.

Allows the NAS to send the phone number that the user called, using Dialed Number Identification Service (DNIS) or similar technology.

Allows the NAS to send the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology.

Sent by the server to the client in an Access-Accept and then sent unmodified by the client to the accounting server as part of the Accounting-Request packet, if accounting is supported.

Used in large distributed authentication networks based on proxy.

Sent from the NAS to indicate the nature of the user's connection.

Encapsulates Extended Access Protocol [3] packets to allow the NAS to authenticate dial-in users by means of EAP without having to understand the EAP protocol.

Records the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC.

The Egress-VLANID attribute represents an allowed Egress VLANID for this port, indicating if the VLANID is allowed for tagged or untagged frames as well as the VLANID.

The Egress-VLAN-Name attribute represents an allowed VLAN for this port. It is similar to the Egress-VLANID attribute, except that the VLAN-ID itself is not specified or known; rather, the VLAN name is used to identify the VLAN within the system.

Indicates the name of the filter list for this user.

Indicates the AppleTalk network number used for the serial link to the user, which is another AppleTalk router.

Indicates the AppleTalk Network number which the NAS can probe to allocate an AppleTalk node for the user.

Indicates the AppleTalk Default Zone to be used for this user.

Indicates the compression protocol to be used for the link.

Indicates the address to be configured for the user.

Indicates the IP netmask to be configured for the user when the user is a router to a network.

Contains the name of an assigned pool used to assign an IPv6 prefix for the user.

Indicates an IPv6 prefix (and corresponding route) to be configured for the user.

Indicates the routing information to be configured for the user on the NAS.

Indicates an IPv6 address assigned to NAS interface of the host.

Indicates the IPv6 interface identifier to be configured for the user.

Indicates the IPX Network number to be configured for the user.

Indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP).

Indicates the name of an assigned address pool used to assign an address for the user.

Indicates the framing to be used for framed access.

Indicates the routing information to be configured for the user on the NAS.

Indicates the routing method for the user, when the user is a router to a network.

Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

The Ingress-Filters attribute corresponds to the Ingress Filter per-port variable.

Supports the following values:

Disabled=2

Enabled= 1

When the attribute has the value "Enabled", the set of VLANs that are allowed to ingress a port must match the set of VLANs that are allowed to egress a port.

Uses SNMP instead of keepalives.

Indicates the system with which to connect the user when the Login-Service Attribute is included.

Indicates the system with which to connect the user when the Login-Service Attribute is included.

Contains a string identifying the LAT group codes that this user is authorized to use.

Indicates the node with which the user is to be automatically connected by LAT.

Indicates the port with which the user is to be connected by LAT.

Indicates the system with which the user is to be connected by LAT.

Indicates the service to use to connect the user to the log in host.

Indicates the TCP port with which the user is to be connected when the Login-Service Attribute is also present.

Only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP).

Indicates the reason for a server-initiated password change.

Represents the method used to authenticate the dial-up user.

Represents the Extensible Authentication Protocol (EAP) type used to authenticate the dial-up user.

Describes whether the use of BAP is allowed, disallowed, or required on new multilink calls.

Allows the user to change password if it has expired.

Allows the user to change password if it has expired.

Contains the challenge sent by a NAS to a MS-CHAP user.

Indicates the Windows NT domain in which the user was authenticated.

Contains error data related to the preceding MS-CHAP exchange.

Contains the new Windows NT password encrypted with the old LAN Manager password hash.

Contains two session keys for use by the Microsoft Point-to-Point Encryption (MPPE).

Contains the new Windows NT password encrypted with the old Windows NT password hash.

Contains the response value provided by a PPP MS-CHAP user in response to the challenge.

Allows the user to change password if it has expired.

Contains the response value provided by an MS- CHAP-V2 peer in response to the challenge.

Contains a 42-octet authenticator response string.

Transmits traffic filters.

Indicates the length of time (in seconds) that a link must be underutilized before it is dropped.

Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination.

Signifies whether the use of encryption is allowed or required.

Signifies the types of encryption available for use with MPPE.

Contains a session key for use by the MPPE.

Contains a session key for use by the MPPE.

Transmits the new ARAP password during an ARAP password change operation.

Transmits the old ARAP password during an ARAP password change operation.

Indicates the address of the primary domain name server (DNS) server to be used by the PPP peer.

Indicates the address of the primary NetBIOS name server (NBNS) server to be used by the PPP peer.

Indicates the manufacturer of the RADIUS client machine.

Indicates the version of the RADIUS client software.

Indicates the address of the secondary DNS server to be used by the PPP peer.

Indicates the address of the secondary DNS server to be used by the PPP peer.

Signs Access-Requests to prevent spoofing Access-Requests using CHAP, ARAP, or EAP authentication methods.

Indicates the identifying IP address of the NAS that is requesting authentication of the user, and must be unique to the NAS within the scope of the RADIUS server.

Indicates the identifying IPv6 Address of the NAS that is requesting authentication of the user, and must be unique to the NAS within the scope of the RADIUS server.

Contains a string identifying the NAS originating the Access-Request.

Indicates the physical port number of the NAS that is authenticating the user.

Contains a text string that identifies the port of the NAS that is authenticating the user.

Indicates the type of the physical port of the NAS that is authenticating the user.

Indicates how many authentication attempts a user is allowed to attempt before being disconnected.

Sets the maximum number of ports to be provided to the user by the NAS.

Indicates to the NAS whether it should echo the user's response as it is entered, or not echo it.

Indicates that a proxy server can send this attribute to another server when forwarding an Access-Request. The attribute must be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge.

Indicates that the text that can be displayed to the user.

Indicates the type of service the user has requested, or the type of service to be provided.

Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt.

Indicates that the packet must have only zero or one State Attribute. Usage of the State Attribute is implementation dependent.

Using the Calling-Station-Id and Called-Station-Id RADIUS attributes, authorization and subsequent tunnel attributes can be based on the phone number originating the call, or the number being called.

Indicates the action the NAS should take when the specified service is completed.

Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned.

Specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.

Contains the address of the initiator end of the tunnel.

Indicates the rejection of the establishment of a new link in an existing tunnel.

Marks the creation of a tunnel link.

Marks the destruction of a tunnel link.

Indicates the transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports.

Indicates the transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports.

Specifies a password used to access a remote server.

Indicates that if RADIUS server returns more than one set of tunneling attributes to the tunnel initiator, you should include this attribute in each set to indicate the relative preference assigned to each tunnel.

Indicates the group ID for a particular tunneled session.

Marks the rejection of the establishment of a tunnel with another node.

Specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment.

Indicates the address of the server end of the tunnel.

Marks the establishment of a tunnel with another node.

Marks the destruction of a tunnel to or from another node.

Indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator).

Indicates the name of the user to be authenticated.

Specifies the string that the device administrator specifies during RADIUS server configuration.

Specifies the device’s IP address.

The device sets this attribute to 0 if the user signed in using an internal port, or 1 if an external port is used.

Specifies the user’s source IP address.

Specifies the configured name for the device client under the RADIUS server configuration.

The device sets this attribute to 1 for a start message, or 2 for a stop message in a user-session or a subsession.

Specifies the unique accounting ID that matches start and stop messages corresponding to a user-session or to a subsession.

Specifies the unique accounting ID that you can use to link together multiple related sessions. Each linked session must have a unique Acct-Session-Id and the same Acct-Multi-Session-Id.

Specifies the duration of the user-session or the subsession.

Specify a name to identify the server within the system.

Specify the name that identifies the Network Access Server (NAS) client to the RADIUS server.

- If you do not specify the NAS identifier, the value specified in the Hostname field on the System > Network > Overview page of the administrator console is used.
- If you use the RADIUS proxy feature, the NAS-Identifier field is not used. Proxy passes on the entire RADIUS packet including the NAS identifier from the client.

Primary Server

Specify the name or IPv4/IPv6 address of the RADIUS server.

Specify the authentication port value for the RADIUS server.

Default port number: 1812, 1645 (legacy servers)

Specify the NAS IP address.

- If you leave this field empty, the internal IP address is passed to RADIUS requests.
- If you configure the NAS IP address, then the system passes the value regardless of which cluster node sends the requests.
- If you use the RADIUS proxy feature, this field is not used.
- Proxy passes on the entire RADIUS packet including the NAS IP address from the client.

Specify the interval of time to wait for a response from the RADIUS server before timing out the connection.

Specify the number of times to try to make a connection after the first attempt fails.

Select this option to prompt the user for a token instead of a password.

For example, you can use this option to dynamically prompt for a password or token based on sign-in policies by configuring two instances of the same authentication server. You can use one instance for wireless users with this option enabled and that prompts the user for a token, and another instance for wired users with this option disabled and that prompts the user for a password.

If you are using RADIUS proxy feature, this option is not used.

Backup Server (required only if Backup server exists)

Specify the secondary RADIUS server.

The authentication request is first routed to the primary RADIUS server, then to the specified backup server if the primary server is unreachable.

Accounting messages are sent to the RADIUS server by each cluster node without consolidation.

RADIUS accounting follows these assumptions:

•If the cluster is active/passive, all users are connected to one node at a time.

•If the cluster is active/active and does not use a balancer, users are connected to different nodes but are static.

•If the cluster is active/active and uses a balancer, the balancer usually enforces a persistent source IP. In this case, users are always connected to the same node.

RADIUS does not support load balancing.

Specify the authentication port.

Specify the shared secret.

Specify the accounting port.

Radius Accounting

Specify the user information to the RADIUS accounting server.

You can enter any of the applicable session variables. Applicable variables include those that are set the time after the user signs in and maps to a role.

The default variables for this field are as follows:

•USER: Logs the username to the accounting server.

•REALM: Logs the realm to the accounting server.

•ROLE SEP=”,”: Logs the list of comma-separated roles assigned to the user.

•ROLE: Logs the role to the accounting server.

If you assign the user to more than one role, the system separates them with commas.

Select this option to achieve more precise billing for long-lived session clients and during network failure.

- If you are using the RADIUS proxy feature, the fields in this section are not used.
- The minimum interim update interval is 15 minutes. The data statistics (bytes in and bytes out) for RADIUS accounting might not be sent for a J-SAM/W-SAM/NC session if the session is less than 30 seconds long and the applications keep the connections open all the time.

Custom challenge expressions

(Optional) Three types of challenge expressions exist with each automatically set to its pre-populated default. The custom option allows the administrator to configure the actual string pattern to match for any of the three modes. To add a custom expression, select the check box for the appropriate challenge expression type, and add a custom expression in the associated text box.

- If you use SecureID to authenticate users, then provide the user ID and the concatenation of PIN and the token value.
- When using CASQUE authentication, specify:([0-9a-zA-Z/+=]+): as the custom expression for the Generic Login Challenge Expression.
- If you are using the RADIUS proxy feature, the fields in this section are not used.

Specify the appropriate Next Token.

Specify the New PIN.