@c This is part of the Radius manual.
@c Copyright (C) 1999,2000,2001,2002,2003,2004 Free Software Foundation, Inc.
@c Written by Sergey Poznyakoff
@c See file radius.texi for copying conditions.
@setfilename radius.info

@comment **************************************************************
@node Attribute List, , , Top
@chapter Attribute List

The following sections describe the most frequently used Radius
attributes. Each attribute is described as follows:

@defattr{@var{name},@var{value},@var{type},@var{user-flags},@var{hints-flags},@var{huntgroup-flags},@var{additivity},@var{prop}}

These values have the following meaning:

@table @var
@item name
The attribute name.
@item value
The attribute number.
@item type
The attribute type.
@item user-flags
Syntax flags defining in which part of a @file{raddb/users} entry this
attribute may be used. The flags consist of two letters: @samp{L} means
the attribute can be used in the @LHS{}, @samp{R} means it can be used in
the @RHS{}. A dash (@samp{-}) in either position means the attribute
cannot be used in that part.
@item hints-flags
Syntax flags, in the same two-letter format, defining in which part of
a @file{raddb/hints} entry this attribute may be used.
@item huntgroup-flags
Syntax flags, in the same two-letter format, defining in which part of
a @file{raddb/huntgroups} entry this attribute may be used.
@item additivity
The @dfn{additivity} of the attribute determines what happens if a rule
attempts to add to the pair list an attribute that is already present
in this list. Depending on its value, the actions of the server are:
@table @asis
@item Append
The new attribute is appended to the end of the list.
@item Replace
The new attribute replaces the old one.
@item Drop
The new attribute is dropped. The old one remains in the list.
@end table
@item prop
Is the attribute propagated back to the @NAS{} if the server works
in proxy mode?
@end table

The entry @acronym{N/A} for any of these fields signifies ``not
applicable''.
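The following is an added example (not GNU Radius code) modelling how the additivity column above governs adding a pair to a reply list, together with the @samp{address+} form of @attr{Framed-IP-Address} described later in this chapter, where the request's @attr{NAS-Port-Id} is added to the address. It assumes that attributes missing from the table are appended, and @code{Hypothetical-Drop} is a constructed name used only to exercise the Drop case.

```python
import ipaddress

# Additivity values copied from the @defattr entries in this chapter.
# "Hypothetical-Drop" is a constructed name: no attribute in this chapter is
# listed with Drop, so it exists only to exercise that case.
ADDITIVITY = {
    "Reply-Message": "Append",
    "Class": "Append",
    "Framed-IP-Address": "Replace",
    "Session-Timeout": "Replace",
    "Hypothetical-Drop": "Drop",
}


def add_pair(pairs, name, value):
    """Add (name, value) to a pair list according to the attribute's additivity.

    Assumption: an attribute not listed in ADDITIVITY is treated as Append.
    """
    mode = ADDITIVITY.get(name, "Append")
    present = [i for i, (n, _) in enumerate(pairs) if n == name]
    if not present or mode == "Append":
        pairs.append((name, value))        # Append: keep every occurrence, in order
    elif mode == "Replace":
        pairs[present[0]] = (name, value)  # Replace: the new value takes the old slot
        for i in reversed(present[1:]):
            del pairs[i]
    elif mode == "Drop":
        pass                               # Drop: the old pair stays, new one discarded
    else:
        raise ValueError(f"unknown additivity {mode!r} for {name}")
    return pairs


def resolve_framed_ip(reply, request):
    """Expand 'Framed-IP-Address = a.b.c.d+' by adding the request's NAS-Port-Id."""
    ports = [v for n, v in request if n == "NAS-Port-Id"]
    resolved = []
    for name, value in reply:
        if name == "Framed-IP-Address" and value.endswith("+"):
            if not ports:
                raise ValueError("Framed-IP-Address+ requires NAS-Port-Id in the request")
            value = str(ipaddress.IPv4Address(value[:-1]) + int(ports[0]))
        resolved.append((name, value))
    return resolved


def build_reply(request, rules):
    """Apply a sequence of RHS rules (name, value) and resolve '+' addresses."""
    reply = []
    for name, value in rules:
        add_pair(reply, name, value)
    return resolve_framed_ip(reply, request)


if __name__ == "__main__":
    # Constructed request and rule sequence for the demonstration.
    request = [("User-Name", "alice"), ("NAS-Port-Id", "5")]
    rules = [
        ("Reply-Message", "Welcome"),
        ("Framed-IP-Address", "10.10.0.1+"),
        ("Session-Timeout", "3600"),
        ("Reply-Message", "Your session is limited"),
        ("Session-Timeout", "1800"),
        ("Hypothetical-Drop", "first"),
        ("Hypothetical-Drop", "second"),
    ]
    for pair in build_reply(request, rules):
        print("%s = %s" % pair)
```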


@menu
* Authentication Attributes::
* Accounting Attributes::
* Radius Internal Attributes::
@end menu

@node Authentication Attributes
@section Authentication Attributes

These are the attributes the @NAS{} uses in authentication packets
and expects to get back in authentication replies. These can
be used in matching rules.

@menu
* CHAP-Password::
* Callback-Id::
* Callback-Number::
* Called-Station-Id::
* Calling-Station-Id::
* Class::
* Framed-Compression::
* Framed-IP-Address::
* Framed-IP-Netmask::
* Framed-MTU::
* Framed-Protocol::
* Framed-Route::
* Framed-Routing::
* Idle-Timeout::
* NAS-IP-Address::
* NAS-Identifier::
* NAS-Port-Id::
* NAS-Port-Type::
* Reply-Message::
* Service-Type::
* Session-Timeout::
* State::
* Termination-Action::
* User-Name::
* User-Password::
* Vendor-Specific::
@end menu

@comment **************************************************************
@node CHAP-Password
@subsection @attr{CHAP-Password}
@atindex CHAP-Password

@defattr{CHAP-Password,3,string,L-,--,--,@acronym{N/A},No}

This attribute indicates the response value provided by a PPP
Challenge-Handshake Authentication Protocol (CHAP) user in
response to the challenge. It is only used in Access-Request
packets.

The CHAP challenge value is found in the CHAP-Challenge attribute
(60) if present in the packet, otherwise in the request
authenticator field.

@comment **************************************************************
@node Callback-Id
@subsection @attr{Callback-Id}
@atindex Callback-Id

@defattr{Callback-Id,20,string,-R,--,--,Replace,No}

This attribute indicates the name of a place to be called, to be
interpreted by the @NAS{}. It may be used in Access-Accept packets.

@comment **************************************************************
@node Callback-Number
@subsection @attr{Callback-Number}
@atindex Callback-Number

@defattr{Callback-Number,19,string,-R,--,--,Replace,No}

This attribute indicates a dialing string to be used for callback.
It may be used in Access-Accept packets. It may be used in an
Access-Request packet as a hint to the server that a Callback
service is desired, but the server is not required to honor the
hint.

@comment **************************************************************
@node Called-Station-Id
@subsection @attr{Called-Station-Id}
@atindex Called-Station-Id

@defattr{Called-Station-Id,30,string,L-,-R,LR,Append,No}

This attribute allows the @NAS{} to send in the Access-Request packet
the phone number that the user called, using Dialed Number
Identification (DNIS) or similar technology. Note that this may be
different from the phone number the call comes in on. It is only
used in Access-Request packets.

@comment **************************************************************
@node Calling-Station-Id
@subsection @attr{Calling-Station-Id}
@atindex Calling-Station-Id

@defattr{Calling-Station-Id,31,string,L-,-R,LR,Append,No}

This attribute allows the @NAS{} to send in the Access-Request packet
the phone number that the call came from, using automatic number
identification (ANI) or similar technology. It is only used in
Access-Request packets.

@comment **************************************************************
@node Class
@subsection @attr{Class}
@atindex Class

@defattr{Class,25,string,LR,LR,LR,Append,No}

This attribute is available to be sent by the server to the client
in an Access-Accept and should be sent unmodified by the client to
the accounting server as part of the Accounting-Request packet if
accounting is supported.

@comment **************************************************************
@node Framed-Compression
@subsection @attr{Framed-Compression}
@atindex Framed-Compression

@defattr{Framed-Compression,13,integer,LR,-R,LR,Replace,Yes}

@smallexample
VALUE Framed-Compression None 0
VALUE Framed-Compression Van-Jacobson-TCP-IP 1
@end smallexample

This attribute indicates a compression protocol to be used for the
link. It may be used in Access-Accept packets. It may be used in
an Access-Request packet as a hint to the server that the @NAS{}
would prefer to use that compression, but the server is not
required to honor the hint.

More than one compression protocol attribute may be sent. It is
the responsibility of the @NAS{} to apply the proper compression
protocol to appropriate link traffic.

@comment **************************************************************
@node Framed-IP-Address
@subsection @attr{Framed-IP-Address}
@atindex Framed-IP-Address

@defattr{Framed-IP-Address,8,ipaddr,LR,-R,LR,Replace,No}

This attribute indicates the address to be configured for the
user. It may be used in Access-Accept packets. It may be used in
an Access-Request packet as a hint by the @NAS{} to the server that
it would prefer that address, but the server is not required to
honor the hint.

The value @code{0xFFFFFFFF} (@code{255.255.255.255}) indicates that
the @NAS{} should allow the user to select an address. The value
@code{0xFFFFFFFE} (@code{255.255.255.254}) indicates that the @NAS{}
should select an address for the user (e.g. assigned from a pool of
addresses kept by the @NAS{}). Other valid values indicate that the
@NAS{} should use that value as the user's IP.

When used in a @RHS{}, the value of this attribute can
optionally be followed by a plus sign.
This usage means that the value of @attr{NAS-Port-Id} must be added
to this IP before replying. For example,

@smallexample
    Framed-IP-Address = 10.10.0.1+
@end smallexample

@comment **************************************************************
@node Framed-IP-Netmask
@subsection @attr{Framed-IP-Netmask}
@atindex Framed-IP-Netmask

@defattr{Framed-IP-Netmask,9,ipaddr,LR,-R,LR,Replace,No}

This attribute indicates the IP netmask to be configured for the
user when the user is a router to a network. It may be used in
Access-Accept packets. It may be used in an Access-Request packet
as a hint by the @NAS{} to the server that it would prefer that
netmask, but the server is not required to honor the hint.

@comment **************************************************************
@node Framed-MTU
@subsection @attr{Framed-MTU}
@atindex Framed-MTU

@defattr{Framed-MTU,12,integer,LR,-R,-R,Replace,Yes}

This attribute indicates the maximum transmission unit to be
configured for the user, when it is not negotiated by some other
means (such as PPP). It is only used in Access-Accept packets.

@comment **************************************************************
@node Framed-Protocol
@subsection @attr{Framed-Protocol}
@atindex Framed-Protocol

@defattr{Framed-Protocol,7,integer,LR,-R,LR,Replace,Yes}

@smallexample
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
@end smallexample

This attribute indicates the framing to be used for framed access.
It may be used in both Access-Request and Access-Accept packets.

@comment **************************************************************
@node Framed-Route
@subsection @attr{Framed-Route}
@atindex Framed-Route

@defattr{Framed-Route,22,string,-R,--,--,Replace,No}

This attribute provides routing information to be configured for
the user on the @NAS{}.
It is used in the Access-Accept packet and
can appear multiple times.

@comment **************************************************************
@node Framed-Routing
@subsection @attr{Framed-Routing}
@atindex Framed-Routing

@defattr{Framed-Routing,10,integer,-R,-R,-R,Replace,No}

@smallexample
VALUE Framed-Routing None 0
VALUE Framed-Routing Broadcast 1
VALUE Framed-Routing Listen 2
VALUE Framed-Routing Broadcast-Listen 3
@end smallexample

This attribute indicates the routing method for the user when the
user is a router to a network. It is only used in Access-Accept
packets.

@comment **************************************************************
@node Idle-Timeout
@subsection @attr{Idle-Timeout}
@atindex Idle-Timeout

@defattr{Idle-Timeout,28,integer,-R,--,--,Replace,Yes}

This attribute sets the maximum number of consecutive seconds of
idle connection allowed to the user before termination of the
session or prompt. The server may send this attribute to the client
in an Access-Accept or Access-Challenge.

@comment **************************************************************
@node NAS-IP-Address
@subsection @attr{NAS-IP-Address}
@atindex NAS-IP-Address

@defattr{NAS-IP-Address,4,ipaddr,L-,-R,LR,Append,No}

This attribute indicates the identifying IP of the @NAS{}
which is requesting authentication of the user. It is only used
in Access-Request packets. Each Access-Request packet should contain
either a @attr{NAS-IP-Address} or a @attr{NAS-Identifier} attribute
(@ref{NAS-Identifier}).

@comment **************************************************************
@node NAS-Identifier
@subsection @attr{NAS-Identifier}
@atindex NAS-Identifier

@defattr{NAS-Identifier,32,string,L-,-R,LR,Append,No}

This attribute contains a string identifying the @NAS{} originating
the access request.
It is only used in Access-Request packets.
Either @attr{NAS-IP-Address} or @attr{NAS-Identifier} should be present in an
Access-Request packet.

@xref{NAS-IP-Address}.

@comment **************************************************************
@node NAS-Port-Id
@subsection @attr{NAS-Port-Id}
@atindex NAS-Port-Id

@defattr{NAS-Port-Id,5,integer,LR,-R,LR,Append,No}

This attribute indicates the physical port number of the @NAS{} that
is authenticating the user. It is only used in Access-Request
packets. Note that here we are using ``port'' in its sense of a
physical connection on the @NAS{}, not in the sense of a @sc{tcp} or
@sc{udp} port number.

Some @NAS{}es try to encode various information in the @attr{NAS-Port-Id}
attribute value. For example, the @sc{max a}scend terminal server constructs
@attr{NAS-Port-Id} by concatenating the line type (one digit), the line number
(two digits), and the channel number (two digits), thus producing
a five-digit port number. In order to normalize such encoded
port numbers we recommend using a rewrite function (@pxref{rewrite file}).
A rewrite function for @sc{max a}scend servers is provided in the
distribution.

@comment **************************************************************
@node NAS-Port-Type
@subsection @attr{NAS-Port-Type}
@atindex NAS-Port-Type

@defattr{NAS-Port-Type,61,integer,--,--,--,Append,No}

@smallexample
VALUE NAS-Port-Type Async 0
VALUE NAS-Port-Type Sync 1
VALUE NAS-Port-Type ISDN 2
VALUE NAS-Port-Type ISDN-V120 3
VALUE NAS-Port-Type ISDN-V110 4
@end smallexample

This attribute indicates the type of the physical port of the @NAS{}
that is authenticating the user. It can be used instead of or in
addition to the @attr{NAS-Port-Id} (@ref{NAS-Port-Id}) attribute. It
is only used in Access-Request packets.
Either @attr{NAS-Port-Id} or @attr{NAS-Port-Type} or
both should be present in an Access-Request packet, if the @NAS{}
differentiates among its ports.

@comment **************************************************************
@node Reply-Message
@subsection @attr{Reply-Message}
@atindex Reply-Message

@defattr{Reply-Message,18,string,-R,--,--,Append,Yes}

This attribute indicates text that may be displayed to the user.

When used in an Access-Accept, it is the success message.

When used in an Access-Reject, it is the failure message. It may
indicate a dialog message to prompt the user before another
Access-Request attempt.

When used in an Access-Challenge, it may indicate a dialog message
to prompt the user for a response.

Multiple @attr{Reply-Message} attributes may be included, and if any
are displayed, they must be displayed in the same order as they
appear in the packet.

@comment **************************************************************
@node Service-Type
@subsection @attr{Service-Type}
@atindex Service-Type

@defattr{Service-Type,6,integer,LR,-R,LR,Replace,Yes}

@smallexample
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Service-Type Authenticate-Only 8
VALUE Service-Type Call-Check 10
@end smallexample

This attribute indicates the type of service the user has
requested, or the type of service to be provided. It may be used
in both Access-Request and Access-Accept packets.

When used in an Access-Request, the service type represents a
hint to the Radius server that the @NAS{} has reason to believe the user
would prefer the kind of service indicated.

When used in an Access-Accept, the service type is an indication
to the @NAS{} that the user must be provided this type of service.

The meaning of the various service types is as follows:

@table @code
@item Login-User
The user should be connected to a host.

@item Framed-User
A framed protocol, such as PPP or SLIP, should be started for the user.
The @attr{Framed-IP-Address} attribute (@pxref{Framed-IP-Address}) will
supply the IP to be used.

@item Callback-Login-User
The user should be disconnected and called back, then connected to a host.

@item Callback-Framed-User
The user should be disconnected and called back; then a framed
protocol, such as PPP or SLIP,
should be started for the user.

@item Outbound-User
The user should be granted access to outgoing devices.

@item Administrative-User
The user should be granted access to the administrative interface
to the @NAS{}, from which privileged commands can be executed.

@item NAS-Prompt-User
The user should be provided a command prompt on the @NAS{}, from which
nonprivileged commands can be executed.

@item Authenticate-Only
Only authentication is requested, and no authorization information needs
to be returned in the Access-Accept.

@item Call-Check
@itemx Callback-NAS-Prompt
The user should be disconnected and called back, then provided a command
prompt on the @NAS{}, from which nonprivileged commands can be executed.
@end table

@comment **************************************************************
@node Session-Timeout
@subsection @attr{Session-Timeout}
@atindex Session-Timeout

@defattr{Session-Timeout,27,integer,-R,--,--,Replace,Yes}

This attribute sets the maximum number of seconds of service to be
provided to the user before termination of the session or prompt.
The server may send this attribute to the client in an Access-Accept
or Access-Challenge.

@comment **************************************************************
@node State
@subsection @attr{State}
@atindex State

@defattr{State,24,string,LR,LR,LR,Append,No}

This attribute is available to be sent by the server to the client
in an Access-Challenge and @strong{must} be sent unmodified from the client
to the server in the new Access-Request reply to that challenge,
if any.

This attribute is available to be sent by the server to the client
in an Access-Accept that also includes a @attr{Termination-Action}
attribute with the value @code{RADIUS-Request}. If the @NAS{} performs
the termination action by sending a new Access-Request upon
termination of the current session, it @strong{must} include the @attr{State}
attribute unchanged in that Access-Request.

In either usage, no interpretation by the client should be made.
A packet may have only one @attr{State} attribute.

@comment **************************************************************
@node Termination-Action
@subsection @attr{Termination-Action}
@atindex Termination-Action

@defattr{Termination-Action,29,integer,LR,-R,-R,Replace,No}

@smallexample
VALUE Termination-Action Default 0
VALUE Termination-Action RADIUS-Request 1
@end smallexample

This attribute indicates what action the @NAS{} should take when the
specified service is completed. It is only used in Access-Accept
packets.

@comment **************************************************************
@node User-Name
@subsection @attr{User-Name}
@atindex User-Name

@defattr{User-Name,1,string,LR,-R,LR,Replace,Yes}

This attribute indicates the name of the user to be authenticated or
accounted. It is used in Access-Request and Accounting-Request packets.
The length of the user name is usually limited by some arbitrary value.
By default, Radius supports user names up to 32 characters long. This
value can be modified by redefining the @code{RUT_USERNAME} macro in the
@file{include/radutmp.h} file in the distribution directory and recompiling the
program.

Some @NAS{}es have peculiarities about sending long user names. For
example, the Specialix Jetstream 8500 24-port access server inserts a
@samp{/} character after the 10th character if the user name is longer than
10 characters. In such cases, we recommend applying rewrite functions
in order to bring the user name to its normal form (@pxref{rewrite file}).


@comment **************************************************************
@node User-Password
@subsection @attr{User-Password}
@atindex User-Password

@defattr{User-Password,2,string,L-,--,--,@acronym{N/A},No}

This attribute indicates the password of the user to be
authenticated, or the user's input following an Access-Challenge.
It is only used in Access-Request packets.

On transmission, the password is hidden. The password is first
padded at the end with nulls to a multiple of 16 octets. A one-way
MD5 hash is calculated over a stream of octets consisting of
the shared secret followed by the request authenticator. This
value is @sc{xor}ed with the first 16 octet segment of the password and
placed in the first 16 octets of the String field of the User-Password
attribute.

If the password is longer than 16 characters, a second one-way MD5
hash is calculated over a stream of octets consisting of the
shared secret followed by the result of the first @sc{xor}. That hash
is @sc{xor}ed with the second 16 octet segment of the password and
placed in the second 16 octets of the String field of the
User-Password attribute.
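The hiding procedure described above, carried through to the general chained case for passwords of any permitted length, as an added example that is not part of GNU Radius. The shared secret, request authenticator and password values in the demonstration are constructed; the server-side @code{unhide_password} is included so the round trip can be checked.

```python
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password the way the NAS does before transmission.

    The password is padded with nulls to a multiple of 16 octets. Each
    16-octet segment is XORed with MD5(secret + prev), where prev is the
    16-octet request authenticator for the first segment and the previous
    XOR result (the already-hidden segment) for every later one.
    """
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be between 1 and 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        segment = bytes(p ^ k for p, k in zip(padded[off:off + 16], key))
        hidden += segment
        prev = segment          # chain on the XOR result, not on the plaintext
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password(); trailing null padding is removed.

    Padding nulls cannot be told apart from null octets belonging to the
    password itself, so a password ending in nulls is not recovered exactly
    (a property of the protocol, not of this code).
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be exactly 16 octets")
    plain = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        segment = hidden[off:off + 16]
        plain += bytes(c ^ k for c, k in zip(segment, key))
        prev = segment
    return bytes(plain).rstrip(b"\x00")


def segment_count(password: bytes) -> int:
    """Number of 16-octet segments (and so MD5 rounds) a password needs."""
    return (len(password) + 15) // 16


if __name__ == "__main__":
    # Constructed demo values: a random authenticator, as a NAS would generate
    # for each request, and a made-up shared secret.
    secret = b"example-shared-secret"
    authenticator = os.urandom(16)
    pw = b"correct horse battery staple"      # 28 octets, so two segments
    hidden = hide_password(pw, secret, authenticator)
    print("segments:", segment_count(pw), "hidden:", hidden.hex())
    print("recovered:", unhide_password(hidden, secret, authenticator))
    # With a different shared secret only garbage comes back: the hiding is
    # exactly as strong as the secrecy of the shared secret.
    print("wrong secret:", unhide_password(hidden, b"wrong", authenticator))
```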

If necessary, this operation is repeated, with each @sc{xor} result
being used along with the shared secret to generate the next hash
to @sc{xor} the next segment of the password, up to no more than 128
characters.

@comment **************************************************************
@node Vendor-Specific
@subsection @attr{Vendor-Specific}
@atindex Vendor-Specific
@UNREVISED{}

@defattr{Vendor-Specific,26,string,LR,-R,-R,Append,No}

This attribute is available to allow vendors to support their own
extended attributes not suitable for general usage. @FIXME{some more detail over the VSAs? How does GNU Radius handle unknown VSAs?}

@comment **************************************************************
@node Accounting Attributes
@section Accounting Attributes

These are attributes the @NAS{} sends along with accounting requests.
These attributes cannot be used in matching rules.

@menu
* Acct-Authentic::
* Acct-Delay-Time::
* Acct-Input-Octets::
* Acct-Input-Packets::
* Acct-Output-Octets::
* Acct-Output-Packets::
* Acct-Session-Id::
* Acct-Session-Time::
* Acct-Status-Type::
* Acct-Terminate-Cause::
@end menu

@comment **************************************************************
@node Acct-Authentic
@subsection @attr{Acct-Authentic}
@atindex Acct-Authentic

@defattr{Acct-Authentic,45,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

@smallexample
VALUE Acct-Authentic RADIUS 1
VALUE Acct-Authentic Local 2
VALUE Acct-Authentic Remote 3
@end smallexample

This attribute may be included in an Accounting-Request to
indicate how the user was authenticated, whether by Radius, the
@NAS{} itself, or another remote authentication protocol. Users who
are delivered service without being authenticated should not
generate accounting records.

@comment **************************************************************
@node Acct-Delay-Time
@subsection @attr{Acct-Delay-Time}
@atindex Acct-Delay-Time

@defattr{Acct-Delay-Time,41,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute indicates how many seconds the client has been
trying to send this record for, and can be subtracted from the
time of arrival on the server to find the approximate time of the
event generating this Accounting-Request. (Network transit time
is ignored.)

@comment **************************************************************
@node Acct-Input-Octets
@subsection @attr{Acct-Input-Octets}
@atindex Acct-Input-Octets

@defattr{Acct-Input-Octets,42,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute indicates how many octets have been received from
the port over the course of this service being provided, and can
only be present in Accounting-Request records where
@code{Acct-Status-Type} is set to @code{Stop}.

@comment **************************************************************
@node Acct-Input-Packets
@subsection @attr{Acct-Input-Packets}
@atindex Acct-Input-Packets

@defattr{Acct-Input-Packets,47,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute indicates how many packets have been received from
the port over the course of this service being provided to a
framed user, and can only be present in Accounting-Request records
where @code{Acct-Status-Type} is set to @code{Stop}.

@comment **************************************************************
@node Acct-Output-Octets
@subsection @attr{Acct-Output-Octets}
@atindex Acct-Output-Octets

@defattr{Acct-Output-Octets,43,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute indicates how many octets have been sent to the
port in the course of delivering this service, and can only be
present in Accounting-Request records where @code{Acct-Status-Type}
is set to @code{Stop}.

@comment **************************************************************
@node Acct-Output-Packets
@subsection @attr{Acct-Output-Packets}
@atindex Acct-Output-Packets

@defattr{Acct-Output-Packets,48,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute indicates how many packets have been sent to the
port in the course of delivering this service to a framed user,
and can only be present in Accounting-Request records where
@code{Acct-Status-Type} is set to @code{Stop}.

@comment **************************************************************
@node Acct-Session-Id
@subsection @attr{Acct-Session-Id}
@atindex Acct-Session-Id

@defattr{Acct-Session-Id,44,string,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute is a unique accounting @sc{id} to make it easy to match
start and stop records in a log file. The start and stop records
for a given session must have the same @code{Acct-Session-Id}. An
Accounting-Request packet must have an @code{Acct-Session-Id}. An
Access-Request packet may have an @code{Acct-Session-Id}; if it does,
then the @NAS{} must use the same @code{Acct-Session-Id} in the
Accounting-Request packets for that session.

@comment **************************************************************
@node Acct-Session-Time
@subsection @attr{Acct-Session-Time}
@atindex Acct-Session-Time

@defattr{Acct-Session-Time,46,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

This attribute indicates how many seconds the user has received
service for, and can only be present in Accounting-Request records
where @code{Acct-Status-Type} is set to @code{Stop}.

@comment **************************************************************
@node Acct-Status-Type
@subsection @attr{Acct-Status-Type}
@atindex Acct-Status-Type

@defattr{Acct-Status-Type,40,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

@smallexample
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Alive 3
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8
@end smallexample

This attribute indicates whether this Accounting-Request marks the
beginning of the user service (@code{Start}) or the end (@code{Stop}).

It may also be used to mark the start of accounting (for example,
upon booting) by specifying @code{Accounting-On} and to mark the end of
accounting (for example, just before a scheduled reboot) by specifying
@code{Accounting-Off}.

A special value @code{Alive} or @code{Interim-Update} indicates the packet that
contains some additional data to the initial @code{Start} record or to the
last @code{Alive} record.

@comment **************************************************************
@node Acct-Terminate-Cause
@subsection @attr{Acct-Terminate-Cause}
@atindex Acct-Terminate-Cause

@defattr{Acct-Terminate-Cause,49,integer,--,--,--,@acronym{N/A},@acronym{N/A}}

@smallexample
VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18
@end smallexample

This attribute indicates how the session was terminated, and can
only be present in Accounting-Request records where
@code{Acct-Status-Type} is set to @code{Stop}.

@comment **************************************************************
@node Radius Internal Attributes
@section Radius Internal Attributes

These are attributes used by GNU Radius during the processing
of a request. They are never returned to the @NAS{}. Mostly, they are
used in matching rules.

@menu
* Acct-Ext-Program::
* Acct-Type::
* Auth-Data::
* Auth-Failure-Trigger::
* Auth-Type::
* Crypt-Password::
* Exec-Program-Wait::
* Exec-Program::
* Fall-Through::
* Group::
* Hint::
* Huntgroup-Name::
* Log-Mode-Mask::
* Login-Time::
* Match-Profile::
* Menu::
* Pam-Auth::
* Prefix::
* Proxy-Replied::
* Realm-Name::
* Replace-User-Name::
* Rewrite-Function::
* Scheme-Acct-Procedure::
* Scheme-Procedure::
* Simultaneous-Use::
* Strip-User-Name::
* Suffix::
* Termination-Menu::
@end menu

@comment **************************************************************
@node Acct-Ext-Program
@subsection @attr{Acct-Ext-Program}
@atindex Acct-Ext-Program

@defattr{Acct-Ext-Program,2008,string,--,-R,--,Replace,@acronym{N/A}}

The @attr{Acct-Ext-Program} attribute can be used in the @RHS{} of a
@file{raddb/hints} entry to require the execution of an external accounting
program or filter. If the attribute value starts with a vertical bar
(@samp{|}), then the attribute specifies the filter program to be used.
If it starts with a slash (@samp{/}), then it is understood as
the full pathname and arguments for the external program to be executed.
Using any other character as the start of this string results in an error.

The command line can reference any attributes from both check and reply
pairlists using attribute macros (@pxref{Macro Substitution}).

Before the execution of the program, @command{radiusd} switches to the
uid and gid of the user @code{daemon} and the group @code{daemon}. You can
override these defaults by setting the variables @code{exec-program-user}
and @code{exec-program-group} in the configuration file to proper values
(@pxref{option,, The option statement}).

The accounting program must exit with status 0 to indicate successful
accounting.

@node Acct-Type
@subsection @attr{Acct-Type}
@atindex Acct-Type

@defattr{Acct-Type,2003,integer,L-,-R,-R,Append,@acronym{N/A}}

@smallexample
VALUE Acct-Type None 0
VALUE Acct-Type System 1
VALUE Acct-Type Detail 2
VALUE Acct-Type SQL 3
@end smallexample

The @attr{Acct-Type} attribute allows one to control which accounting methods
must be used for a given user or group of users. In the absence
of this attribute, all currently enabled accounting types are used.
@xref{Accounting}, for more information about accounting types.

@comment **************************************************************
@node Auth-Failure-Trigger
@subsection @attr{Auth-Failure-Trigger}
@atindex Auth-Failure-Trigger

This attribute specifies an external program or a Scheme expression to
be run upon an authentication failure. The handling of this attribute
depends upon its value:

If the value of @attr{Auth-Failure-Trigger} begins with @samp{/}, it
is taken to contain a command line for invoking an external
program. In this case @command{radiusd} invokes the program much the
same way it does when handling the @attr{Exec-Program} attribute, i.e. the
program is invoked with standard input closed, its standard output and
standard error are captured and redirected to the
@file{@var{radlog}/radius.stderr} file, and the return value of the
program is ignored.

If the value of @attr{Auth-Failure-Trigger} begins with @samp{(}, it
is executed as a @code{Scheme} expression. The return value of the
expression is ignored.

This attribute is designed as a means to provide special handling for
authentication failures. It can be used, for example, to increase
failure counters and to block accounts after a specified number of
authentication failures occur. @xref{Auth Probing}, for the detailed
discussion of its usage.

@FIXME{There is no corresponding @attr{Auth-Success-Trigger}...
@attr{Exec-Program} or @attr{Scheme-Procedure} may be used for the
purpose; the latter, however, is not able to execute @emph{s-exps}. At
the time of this writing the release 1.3 is being prepared, so I do
not want to introduce any possibly destabilizing changes. This will be
fixed in future releases.}

@comment **************************************************************
@node Auth-Data
@subsection @attr{Auth-Data}
@atindex Auth-Data

@defattr{Auth-Data,2006,string,L-,-R,-R,Replace,@acronym{N/A}}

The @attr{Auth-Data} attribute can be used to pass additional data to the
authentication methods that need them. In version @value{VERSION}
of GNU Radius, this attribute may be used in conjunction with the
@code{SQL} and @code{Pam} authentication types. When used with the
@code{Pam} authentication type, this attribute holds the name
of the PAM service to use. This attribute is temporarily
appended to the authentication request, so its value can be
referenced as @code{%C@{Auth-Data@}}.
@xref{Authentication Server Parameters}, for an example
of using the @attr{Auth-Data} attribute in @file{raddb/sqlserver}.

@comment **************************************************************
@node Auth-Type
@subsection @attr{Auth-Type}
@atindex Auth-Type

@defattr{Auth-Type,1000,integer,L-,-R,-R,Append,No}

@smallexample
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
VALUE Auth-Type SQL 252
VALUE Auth-Type Pam 253
VALUE Auth-Type Accept 254
@end smallexample

This attribute tells the server which type of authentication
to apply to a particular user. It can be used in the @LHS{} of
the user's profile (@pxref{Authentication}).

Radius interprets the values of the @attr{Auth-Type} attribute as follows:

@table @code
@item Local
The value of the @attr{User-Password} attribute from the record is taken
as a cleartext password and is compared against the @attr{User-Password} value
from the input packet.

@item System
This means that the user's password is stored in the system's password
database. Radius queries the operating system to determine whether the
user name and password supplied in the incoming packet are correct.

@item Crypt-Local
The value of the @attr{User-Password} attribute from the record is taken
as an MD5 hash of the user's password. Radius generates an MD5 hash
of the supplied @attr{User-Password} value and compares the two strings.

@item Reject
Authentication fails.

@item Accept
Authentication succeeds.

@item SQL
@itemx Mysql
The MD5-encrypted user's password is queried from the @sc{sql} database
(@ref{SQL Auth}). @code{Mysql} is an alias maintained for compatibility
with other versions of Radius.

@item Pam
The user-name--password combination is checked using PAM.

@end table

@comment **************************************************************
@node Crypt-Password
@subsection @attr{Crypt-Password}
@atindex Crypt-Password

@defattr{Crypt-Password,1006,string,L-,--,--,Append,No}

This attribute is intended to be used in the user's profile @LHS{}.
It specifies the MD5 hash of the user's password. When this attribute
is present, @code{Auth-Type = Crypt-Local} is assumed. If both @attr{Auth-Type}
and @attr{Crypt-Password} are present, the value of @attr{Auth-Type} is
ignored.

@xref{Auth-Type}.

@comment **************************************************************
@node Exec-Program-Wait
@subsection @attr{Exec-Program-Wait}
@atindex Exec-Program-Wait

@defattr{Exec-Program-Wait,1039,string,-R,-R,--,Replace,No}

When present in the @RHS{}, the @attr{Exec-Program-Wait} attribute specifies
the program to be executed when the entry matches. If the attribute
value string starts with a vertical bar (@samp{|}), then the attribute
specifies the filter program to be used. If it starts with a
slash (@samp{/}), then it is understood as the full
pathname and arguments for the external program to be executed. Using
any other character as the start of this string results in an error.

@menu
* Running External Program::
* Using External Filter::
@end menu

@comment **************************************************************
@node Running External Program
@subsubsection Running an External Program

The command line can reference any attributes from both check and reply
pairlists using attribute macros (@pxref{Macro Substitution}).

Before the execution of the program, @command{radiusd} switches to the
uid and gid of the user @code{daemon} and the group @code{daemon}. You can
override these defaults by setting the variable @code{exec-program-user}
in the configuration file to a proper value.
@xref{option,, The option statement}.

The daemon will wait until the program terminates. The return value
of its execution determines whether the entry matches. If the program
exits with a nonzero code, then the match fails. If it exits with a
zero code, the match succeeds. In this case the standard output of the
program is read and parsed as if it were a pairlist. The attributes
thus obtained are added to the entry's reply attributes.

@subheading Example.

Suppose the @file{users} file contains the following entry:

@smallexample
DEFAULT Auth-Type = System,
        Simultaneous-Use = 1
        Exec-Program-Wait = "/usr/local/sbin/telauth \
                             %C@{User-Name@} \
                             %C@{Calling-Station-Id@}"
@end smallexample

@noindent
Then, upon successful matching, the program
@file{/usr/local/sbin/telauth} will be executed. It will get as its
arguments the values of the @attr{User-Name} and @attr{Calling-Station-Id}
attributes from the request pairs.

The @file{/usr/local/sbin/telauth} can, for example, contain the
following:

@smallexample
#! /bin/sh

DB=/var/db/userlist

# Look for an exact "username:caller-id" line.  -q keeps the matched
# line off standard output, which radiusd parses as a pairlist.
if grep -qxF -- "$1:$2" "$DB"; then
        echo "Service-Type = Login,"
        echo "Session-Timeout = 1200"
        exit 0
else
        echo "Reply-Message = \
\"You are not authorized to log in\""
        exit 1
fi
@end smallexample

@noindent
It is assumed that @file{/var/db/userlist} contains a list of
@code{username}:@code{caller-id} pairs for those users that are
authorized to use the login service.

@comment **************************************************************
@node Using External Filter
@subsubsection Using an External Filter

If the value of the @attr{Exec-Program-Wait} attribute begins with @samp{|},
@command{radiusd} strips this character from the value and uses the
resulting string as the name of a predefined external filter. Such a
filter must be declared in @file{raddb/config} (@pxref{filters}).

@subheading Example.
Let the @file{users} file contain the following entry:

@smallexample
DEFAULT Auth-Type = System,
        Simultaneous-Use = 1
        Exec-Program-Wait = "|myfilter"
@end smallexample

@noindent
and let the @file{raddb/config} contain the following
@footnote{In this example the @code{input-format} statement has been
split on two lines to fit the page width.
It must occupy a @emph{single line}
in the real configuration file.}:

@smallexample
filters @{
        filter myfilter @{
                exec-path "/usr/libexec/myfilter";
                error-log "myfilter.log";
                auth @{
                        input-format "%C@{User-Name@}
                                      %C@{Calling-Station-Id@}";
                        wait-reply yes;
                @};
        @};
@};
@end smallexample
@noindent
Then, upon successful authentication, the program
@command{/usr/libexec/myfilter} will be invoked, if it hasn't already been
started for this thread. Any output it sends to its standard error
will be redirected to the file @file{myfilter.log} in the current
logging directory. A string consisting of the user's login name and
his calling station @sc{id} followed by a newline will be sent to the
program.

The following is a sample @command{/usr/libexec/myfilter} written
in the shell:

@smallexample
#! /bin/sh

DB=/var/db/userlist

# Each request arrives on one line: "user-name calling-station-id".
while read -r NAME CLID
do
        if grep -qxF -- "$NAME:$CLID" "$DB"; then
                echo "0 Service-Type = Login, Session-Timeout = 1200"
        else
                echo "1 Reply-Message = \
\"You are not authorized to log in\""
        fi
done
@end smallexample

@comment **************************************************************
@node Exec-Program
@subsection @attr{Exec-Program}
@atindex Exec-Program

@defattr{Exec-Program,1038,string,-R,--,--,Replace,No}

When present in the @RHS{}, the @attr{Exec-Program} attribute specifies
the full pathname and arguments for the program to be executed when the
entry matches.

The command line can reference any attributes from both check and reply
pairlists, using attribute macros (@pxref{Macro Substitution}).

Before the execution of the program, @command{radiusd} switches to the
uid and gid of the user @code{daemon} and the group @code{daemon}.
You can
override these defaults by setting the variables @code{exec-program-user}
and @code{exec-program-group} in the configuration file to proper values
(@pxref{option,, The option statement}).

The daemon does not wait for the process to terminate.

@subheading Example

Suppose the @file{users} file contains the following entry:

@smallexample
DEFAULT Auth-Type = System,
        Simultaneous-Use = 1
        Exec-Program = "/usr/local/sbin/logauth \
                        %C@{User-Name@} \
                        %C@{Calling-Station-Id@}"
@end smallexample

@noindent
Then, upon successful matching, the program
@file{/usr/local/sbin/logauth} will be executed. It will get as its
arguments the values of the @attr{User-Name} and @attr{Calling-Station-Id}
attributes from the request pairs.

@comment **************************************************************
@node Fall-Through
@subsection @attr{Fall-Through}
@atindex Fall-Through

@defattr{Fall-Through,1036,integer,LR,LR,--,Append,No}

@smallexample
VALUE Fall-Through No 0
VALUE Fall-Through Yes 1
@end smallexample

The @attr{Fall-Through} attribute should be used in the reply list.
If its value is set to @code{Yes} in a particular record, that
tells Radius to continue looking up other records
even when the record at hand matches the request. It can be used to provide
default values for several profiles.

Consider the following example.
Let's suppose the @file{users} file
contains the following:

@smallexample

johns   Auth-Type = SQL
        Framed-IP-Address = 11.10.10.251,
        Fall-Through = Yes

smith   Auth-Type = SQL
        Framed-IP-Address = 11.10.10.252,
        Fall-Through = Yes

DEFAULT NAS-IP-Address = 11.10.10.1
        Service-Type = Framed-User,
        Framed-Protocol = PPP

@end smallexample

@noindent
Then after successful matching of a particular user's record,
the matching will continue until it finds the @code{DEFAULT} entry,
which will add its @RHS{} to the reply pairs for
this request. The effect is that, if user @samp{johns} authenticates
successfully, she gets the following reply pairs:

@smallexample
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 11.10.10.251
@end smallexample

@noindent
whereas user @samp{smith} gets

@smallexample
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 11.10.10.252
@end smallexample

@noindent
Note that the attribute @attr{Fall-Through} itself
is never returned to the @NAS{}.

@comment **************************************************************
@node Group
@subsection @attr{Group}
@atindex Group

@defattr{Group,1005,string,L-,L-,LR,Append,No}

@comment **************************************************************
@node Hint
@subsection @attr{Hint}
@atindex Hint

@defattr{Hint,1040,string,L-,-R,-R,Append,No}

Use the @attr{Hint} attribute to specify additional matching criteria
depending on the hint (@pxref{hints file}).

Let the @file{hints} file contain

@smallexample
DEFAULT Prefix = "S", Strip-User-Name = No
        Hint = "SLIP"
@end smallexample

@noindent
and the @file{users} file contain

@smallexample
DEFAULT Hint = "SLIP",
        NAS-IP-Address = 11.10.10.12,
        Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = SLIP
@end smallexample

@noindent
Then any user having a valid system account and coming from @NAS{}
@samp{11.10.10.12} will be provided SLIP service if his user name
starts with @samp{S}.

@comment **************************************************************
@node Huntgroup-Name
@subsection @attr{Huntgroup-Name}
@atindex Huntgroup-Name

@defattr{Huntgroup-Name,221,string,L-,-R,LR,Append,No}

The @attr{Huntgroup-Name} attribute can be used either in the @LHS{} of a
@file{users} file record or in the @RHS{} of a @file{huntgroups}
file record.

When encountered in the @LHS{} of a particular @file{users} profile,
this attribute indicates the huntgroup name to be matched. Radius looks
up the corresponding record in the @file{huntgroups} file. If such a
record is found, each @AVP{} from its reply list is compared against
the corresponding pair from the request being processed. The request
matches only if it contains all the attributes from the specified
huntgroup, and their values satisfy the conditions listed in the
huntgroup pairs.

For example, suppose that the authentication request contains the
following attributes:

@smallexample
User-Name = "john",
User-Password = "guess",
NAS-IP-Address = 10.11.11.1,
NAS-Port-Id = 24
@end smallexample

@noindent
Let us further suppose that the @file{users} file contains the following
entry:

@smallexample
john    Huntgroup-Name = "users_group",
        Auth-Type = System
        Service-Type = Login
@end smallexample

@noindent
and, finally, @file{huntgroups} contains the following entry:

@smallexample
users_group NAS-IP-Address = 10.11.11.1
        NAS-Port-Id < 32
@end smallexample

@noindent
Then the authentication request will succeed, since it contains the
@attr{NAS-Port-Id} attribute and its value is less than 32.

@xref{huntgroups file}.

@comment **************************************************************
@node Log-Mode-Mask
@subsection @attr{Log-Mode-Mask}
@atindex Log-Mode-Mask

@defattr{Log-Mode-Mask,2007,integer,L-,-R,-R,Append,@acronym{N/A}}

@smallexample
VALUE Log-Mode-Mask Log-Auth 1
VALUE Log-Mode-Mask Log-Auth-Pass 2
VALUE Log-Mode-Mask Log-Failed-Pass 4
VALUE Log-Mode-Mask Log-Pass 6
VALUE Log-Mode-Mask Log-All 7
@end smallexample

@attr{Log-Mode-Mask} is used to control the verbosity of authentication
log messages for a given user or class of users. The meaning of its
values is:

@table @code
@item Log-Auth
Do not log successful authentications.
@item Log-Auth-Pass
Do not show the password with the log message from a successful authentication.
@item Log-Failed-Pass
Do not show a failed password.
@item Log-Pass
Do not show a plaintext password, either failed or succeeded.
@item Log-All
Do not log authentications at all.
@end table

Technical details: after authentication, the server collects all
@attr{Log-Mode-Mask} attributes from the incoming request and the @LHS{}
of the user's entry. The values of these attributes @sc{or}ed together
form a mask, which is applied via an @sc{xor} operation to the current log
mode. The value thus obtained is used as the effective log mode.

@comment **************************************************************
@node Login-Time
@subsection @attr{Login-Time}
@atindex Login-Time

@defattr{Login-Time,1042,string,L-,--,--,Append,No}

The @attr{Login-Time} attribute specifies the time range over which the user
is allowed to log in. The attribute should be specified in the @LHS{}.

The format of the @attr{Login-Time} string is the same as that of UUCP
time ranges. The following description of the time range format is
adopted from the documentation for the Taylor UUCP package:

A time string may be a list of simple time strings separated with
vertical bars @samp{|} or commas @samp{,}.

Each simple time string must begin either with a day-of-week abbreviation
(one of @samp{Su}, @samp{Mo}, @samp{Tu}, @samp{We}, @samp{Th},
@samp{Fr}, @samp{Sa}), or @samp{Wk} for any day from Monday to
Friday inclusive, or @samp{Any} or @samp{Al} for any day.

Following the day may be a range of hours separated with a hyphen, using
24-hour time. The range of hours may cross 0; for example
@samp{2300-0700} means any time except 7 AM to 11 PM. If no time is
given, calls may be made at any time on the specified day(s).

The time string may also be the single word @samp{Never}, which does not
match any time.

Here are a few sample time strings with an explanation of what they
mean.

@table @samp

@item Wk2305-0855,Sa,Su2305-1655

This means weekdays before 8:55 AM or after 11:05 PM, any time Saturday,
or Sunday before 4:55 PM or after 11:05 PM. These are approximately the
times during which night rates apply to phone calls in the U.S.A. Note
that this time string uses, for example, @samp{2305} rather than
@samp{2300}; this will ensure a cheap rate even if the
computer clock is running up to five minutes ahead of the real time.

@item Wk0905-2255,Su1705-2255

This means weekdays from 9:05 AM to 10:55 PM, or Sunday from 5:05 PM to
10:55 PM. This is approximately the opposite of the previous example.

@item Any

This means any day. Since no time is specified, it means any time on
any day.

@end table

@comment **************************************************************
@node Match-Profile
@subsection @attr{Match-Profile}
@atindex Match-Profile

@defattr{Match-Profile,2004,string,LR,-R,-R,Append,No}

The @attr{Match-Profile} attribute can be used in the @LHS{} and @RHS{} lists of a
user profile. Its value is the name of another user's profile (the target
profile). When @attr{Match-Profile} is used in the @LHS{}, the incoming
packet will match this profile only if it also matches the target profile.
In this case the reply pairs will be formed by concatenating the @RHS{}
lists from both profiles.
When used in the @RHS{}, this attribute causes the reply pairs
from the target profile to be appended to the reply from the current
profile if the target profile matches the incoming request.

For example:

@smallexample
IPPOOL  NAS-IP-Address = 10.10.10.1
        Framed-Protocol = PPP,
        Framed-IP-Address = "10.10.10.2"

IPPOOL  NAS-IP-Address = 10.10.11.1
        Framed-Protocol = PPP,
        Framed-IP-Address = "10.10.11.2"

guest   Auth-Type = SQL
        Service-Type = Framed-User,
        Match-Profile = IPPOOL
@end smallexample

In this example, when user @code{guest} comes from @NAS{}
@code{10.10.10.1}, he is
assigned IP @code{10.10.10.2}; otherwise, if he is coming from @NAS{}
@code{10.10.11.1}, he is assigned IP @code{10.10.11.2}.

@comment **************************************************************
@node Menu
@subsection @attr{Menu}
@atindex Menu

@defattr{Menu,1001,string,-R,--,--,Replace,No}

This attribute should be used in the @RHS{}. If it is used, it should
be the only reply item.

The @attr{Menu} attribute specifies the name of the menu to be presented
to the user. The corresponding menu code is looked up in the
@file{RADIUS_DIR/menus/} directory (@pxref{menus directory}).

@comment **************************************************************
@node Pam-Auth
@subsection @attr{Pam-Auth}
@atindex Pam-Auth

@defattr{Pam-Auth,1041,string,L-,-R,-R,Append,No}

The @attr{Pam-Auth} attribute can be used in conjunction with

@smallexample
Auth-Type = Pam
@end smallexample

@noindent
to supply the PAM service name instead of the default @samp{radius}.
It is ignored if the @attr{Auth-Type} attribute is not set to @code{Pam}.
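The @attr{Login-Time} time-range format described above, as an added Python example that is not part of the GNU Radius manual or its sources: it parses a UUCP-style time string and decides whether a given timestamp falls inside it. It assumes that several day abbreviations may be concatenated (@samp{SaSu}) as in Taylor UUCP, that the start of an hour range is inclusive and its end exclusive, and that a malformed string is an error rather than a permission.

```python
import re
from datetime import datetime

# datetime.weekday() numbering: Monday = 0 ... Sunday = 6
_DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_WEEKDAYS = frozenset(range(5))          # Wk: Monday to Friday inclusive
_ALL_DAYS = frozenset(range(7))          # Any / Al
_DAY_TOKEN = re.compile(r"Any|Al|Wk|Mo|Tu|We|Th|Fr|Sa|Su")
_HOUR_RANGE = re.compile(r"^(\d{4})-(\d{4})$")


def _hhmm_to_minutes(text):
    """Convert a 24-hour HHMM field to minutes since midnight (2400 = end of day)."""
    hours, minutes = int(text[:2]), int(text[2:])
    if minutes > 59 or hours > 24 or (hours == 24 and minutes != 0):
        raise ValueError("bad time of day: %s" % text)
    return hours * 60 + minutes


def parse_simple_time(simple):
    """Parse one simple time string, e.g. 'Wk2305-0855', into (days, start, end).

    days is a set of weekday numbers; start and end are minutes since
    midnight, or both None when no hour range follows the day(s).
    Concatenated day abbreviations ('SaSu') are an assumption taken
    from Taylor UUCP, not something this page states.
    """
    days, pos = set(), 0
    while True:
        m = _DAY_TOKEN.match(simple, pos)
        if m is None:
            break
        token = m.group(0)
        if token in ("Any", "Al"):
            days |= _ALL_DAYS
        elif token == "Wk":
            days |= _WEEKDAYS
        else:
            days.add(_DAY_CODES[token])
        pos = m.end()
    if pos == 0:
        raise ValueError("simple time string must start with a day: %r" % simple)
    rest = simple[pos:]
    if rest == "":
        return days, None, None
    m = _HOUR_RANGE.match(rest)
    if m is None:
        raise ValueError("bad hour range in %r" % simple)
    return days, _hhmm_to_minutes(m.group(1)), _hhmm_to_minutes(m.group(2))


def login_time_allows(spec, when):
    """Return True if the datetime `when` falls inside the Login-Time string `spec`.

    The start of a range is inclusive and the end exclusive (assumption).
    A range whose end is lower than its start wraps through midnight, so
    '2300-0700' covers 23:00-23:59 and 00:00-06:59.  The weekday test is
    applied to the timestamp itself, so 'Su2305-1655' admits Sunday 00:30.
    """
    spec = spec.strip()
    if spec == "Never":
        return False
    minute = when.hour * 60 + when.minute
    for simple in re.split(r"[|,]", spec):
        days, start, end = parse_simple_time(simple.strip())
        if when.weekday() not in days:
            continue
        if start is None:
            return True
        if start <= end:
            inside = start <= minute < end
        else:
            inside = minute >= start or minute < end
        if inside:
            return True
    return False


def login_time_allows_at(spec, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 timestamp such as '2024-01-01T08:00'."""
    return login_time_allows(spec, datetime.fromisoformat(iso_timestamp))
```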

@comment **************************************************************
@node Prefix
@subsection @attr{Prefix}
@atindex Prefix

@defattr{Prefix,1003,string,L-,L-,LR,Append,No}

The @attr{Prefix} attribute indicates the prefix that the user name
should contain in order for a particular record in the profile
to be matched. This attribute should be specified in the @LHS{}
of the @file{users} or @file{hints} file.

For example, if the @file{users} file contained

@smallexample
DEFAULT Prefix = "U", Auth-Type = System
        Service-Type = Login-User
@end smallexample

@noindent
then the user names @samp{Ugray} and @samp{Uyoda} would match this record,
whereas @samp{gray} and @samp{yoda} would not.

Both @attr{Prefix} and @attr{Suffix} attributes may be specified in
a profile. In this case the record is matched only if the user name
contains both the prefix and the suffix specified.

@xref{Suffix}, and
@ref{Strip-User-Name}.

@comment **************************************************************
@node Proxy-Replied
@subsection @attr{Proxy-Replied}
@atindex Proxy-Replied

@defattr{Proxy-Replied,2012,integer,L-,L-,L-,Replace,@acronym{N/A}}

@smallexample
VALUE Proxy-Replied No 0
VALUE Proxy-Replied Yes 1
@end smallexample

@command{radiusd} adds this attribute to the incoming request if it
was already processed by a remote radius server.

@comment **************************************************************
@node Realm-Name
@subsection @attr{Realm-Name}
@atindex Realm-Name
@UNREVISED{}

@defattr{Realm-Name,2013,string,L-,L-,L-,Append,No}

@FIXME{This is an @samp{internal attribute}. It keeps the realm name
of the user. The @attr{Realm-Name} attribute is added to the proxied
request after receiving a reply from the realm server.
@xref{Proxy-Replied}.}

@comment **************************************************************
@node Replace-User-Name
@subsection @attr{Replace-User-Name}
@atindex Replace-User-Name

@defattr{Replace-User-Name,2001,string,LR,LR,--,Append,No}

@smallexample
VALUE Replace-User-Name No 0
VALUE Replace-User-Name Yes 1
@end smallexample

Use this attribute to modify the user name from the incoming packet. The
@attr{Replace-User-Name} value can reference any attributes from both @LHS{}
and @RHS{} pairlists using attribute macros (@pxref{Macro Substitution}).

For example, the @file{users} entry

@smallexample
guest   NAS-IP-Address = 11.10.10.11,
        Calling-Station-Id != ""
        Auth-Type = Accept
        Replace-User-Name = "guest#%C@{Calling-Station-Id@}",
        Service-Type = Framed-User,
        Framed-Protocol = PPP
@end smallexample

@noindent
allows the use of the PPP service for user name @code{guest}, coming from @NAS{}
@samp{11.10.10.11} with a nonempty @attr{Calling-Station-Id} attribute.
A string consisting of a @samp{#} character followed by the
@attr{Calling-Station-Id} value is appended to the user name.

@comment **************************************************************
@node Rewrite-Function
@subsection @attr{Rewrite-Function}
@atindex Rewrite-Function

@defattr{Rewrite-Function,2004,string,LR,LR,LR,Append,No}

The @attr{Rewrite-Function} attribute specifies the name of the
rewriting function to be applied to the request. The attribute
may be specified in either pairlist in the entries of
the @file{hints} or @file{huntgroups} configuration file.

The corresponding function should be defined in @file{rewrite} as

@smallexample
integer @var{name}()
@end smallexample

@noindent
i.e., it should return an integer value and should not take any arguments.

@xref{rewrite file,, Packet rewriting rules},
@ref{hints file}, and
@ref{huntgroups file}.

@comment **************************************************************
@node Scheme-Acct-Procedure
@subsection @attr{Scheme-Acct-Procedure}
@atindex Scheme-Acct-Procedure

@defattr{Scheme-Acct-Procedure,2010,string,--,-R,--,Replace,@acronym{N/A}}

The @attr{Scheme-Acct-Procedure} attribute is used to set the name
of the Scheme accounting procedure. @xref{Accounting with Scheme}, for
information about how to write Scheme accounting procedures.

@comment **************************************************************
@node Scheme-Procedure
@subsection @attr{Scheme-Procedure}
@atindex Scheme-Procedure

@defattr{Scheme-Procedure,2009,string,-R,-R,--,Append,@acronym{N/A}}

The @attr{Scheme-Procedure} attribute is used to set the name
of the Scheme authentication procedure. @xref{Authentication with Scheme}, for
information about how to write Scheme authentication procedures.

@comment **************************************************************
@node Simultaneous-Use
@subsection @attr{Simultaneous-Use}
@atindex Simultaneous-Use

@defattr{Simultaneous-Use,1034,integer,L-,-R,-R,Append,No}

This attribute specifies the maximum number of simultaneous logins
a given user is permitted to have. When the user is logged in this
number of times, any further attempts to log in are rejected.

@xref{Multiple Login Checking}.

@comment **************************************************************
@node Strip-User-Name
@subsection @attr{Strip-User-Name}
@atindex Strip-User-Name

@defattr{Strip-User-Name,1035,integer,LR,LR,-R,Append,No}

@smallexample
VALUE Strip-User-Name No 0
VALUE Strip-User-Name Yes 1
@end smallexample

The value of @attr{Strip-User-Name} indicates whether Radius should
strip any prefixes/suffixes specified in the user's profile from the
user name. When it is set to @code{Yes}, user names will be logged and
accounted without any prefixes or suffixes.

A user may have several user names for different kinds of services. In
this case differentiating the user names by their prefixes and stripping
them off before accounting helps keep accounting records
consistent.

For example, let's suppose the @file{users} file contains

@smallexample
DEFAULT Suffix = ".ppp",
        Strip-User-Name = Yes,
        Auth-Type = SQL
        Service-Type = Framed-User,
        Framed-Protocol = PPP

DEFAULT Suffix = ".slip",
        Strip-User-Name = Yes,
        Auth-Type = SQL
        Service-Type = Framed-User,
        Framed-Protocol = SLIP
@end smallexample

@noindent
Now, user @samp{johns}, having a valid account in the @sc{sql} database,
logs in as @samp{johns.ppp}. She is then provided the PPP service,
and her PPP session is accounted under user name @samp{johns}.
Later on, she logs in as @samp{johns.slip}. In this case she is
provided the SLIP service and again her session is accounted
under her real user name @samp{johns}.
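The @attr{Prefix}, @attr{Suffix} and @attr{Strip-User-Name} rules described above, as an added Python example that is not part of the GNU Radius manual or its sources: it checks a user name against the name-related check pairs of a list of constructed profiles, picks the first matching one, and derives the name under which the session would be accounted. The profile tuples mirror the example entries; only @attr{Prefix}, @attr{Suffix} and @attr{Strip-User-Name} are evaluated, and a name too short to hold both prefix and suffix without overlap is treated as a non-match (assumption).

```python
def name_matches(user_name, prefix="", suffix=""):
    """True if user_name carries both the given prefix and the given suffix.

    Both must fit inside the name without overlapping: with Prefix = "Up"
    and Suffix = "p" the name "Up" starts and ends correctly, yet it is too
    short to contain both, so it must not match (assumption).
    """
    if len(user_name) < len(prefix) + len(suffix):
        return False
    return user_name.startswith(prefix) and user_name.endswith(suffix)


def stripped_name(user_name, prefix="", suffix=""):
    """The name used for logging and accounting when Strip-User-Name = Yes."""
    return user_name[len(prefix):len(user_name) - len(suffix)]


def select_profile(user_name, profiles):
    """Return (reply_pairs, accounting_name) for the first profile whose
    Prefix/Suffix check pairs match user_name, or (None, None) if none does.

    Each profile is a constructed (check_pairs, reply_pairs) pair of dicts
    standing in for one users-file entry; other check pairs such as
    Auth-Type are carried along but not evaluated here.
    """
    for check, reply in profiles:
        prefix = check.get("Prefix", "")
        suffix = check.get("Suffix", "")
        if not name_matches(user_name, prefix, suffix):
            continue
        if check.get("Strip-User-Name", "No") == "Yes":
            acct_name = stripped_name(user_name, prefix, suffix)
        else:
            acct_name = user_name
        return dict(reply), acct_name
    return None, None


# Constructed profiles mirroring the Strip-User-Name and Prefix examples.
PROFILES = [
    ({"Suffix": ".ppp", "Strip-User-Name": "Yes", "Auth-Type": "SQL"},
     {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}),
    ({"Suffix": ".slip", "Strip-User-Name": "Yes", "Auth-Type": "SQL"},
     {"Service-Type": "Framed-User", "Framed-Protocol": "SLIP"}),
    ({"Prefix": "U", "Auth-Type": "System"},
     {"Service-Type": "Login-User"}),
]
```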

@comment **************************************************************
@node Suffix
@subsection @attr{Suffix}
@atindex Suffix

@defattr{Suffix,1004,string,L-,L-,LR,Append,No}

The @attr{Suffix} attribute indicates the suffix that the user name
should contain in order for a particular record in the profile
to be matched. This attribute should be specified in the @LHS{}
of the @file{users} or @file{hints} file.

For example, if the @file{users} file contained

@smallexample
DEFAULT Suffix = ".ppp", Auth-Type = System,
        Strip-User-Name = Yes
        Service-Type = Framed-User,
        Framed-Protocol = PPP
@end smallexample

@noindent
then the user names @samp{gray.ppp} and @samp{yoda.ppp} would match this record,
whereas @samp{gray} and @samp{yoda} would not.

Both @attr{Prefix} and @attr{Suffix} attributes may be specified in
a profile. In this case the record is matched only if the user name
contains both the prefix and the suffix specified.

@xref{Prefix}, and
@ref{Strip-User-Name}.

@comment **************************************************************
@node Termination-Menu
@subsection @attr{Termination-Menu}
@atindex Termination-Menu

@defattr{Termination-Menu,1002,string,-R,--,--,Replace,No}

This attribute should be used in the @RHS{}. If it is used, it should
be the only reply item.

The @attr{Termination-Menu} attribute specifies the name of the menu file to be
presented to the user after finishing his session. The corresponding
menu code is looked up in the @file{RADIUS_DIR/menus/} directory
(@pxref{menus directory}).