RADIUS, Remote Authentication Dial-In User Service

Description Glossary RFCs Publications Obsolete RFCs

Description:

Protocol suite: TCP/IP.
Protocol type:Application layer protocol.
Ports: 1646 (UDP) obsolete.
1812 (UDP) server.
1813 (UDP) accounting.
2083 (TCP) over TLS.
3799 (TCP) dynamic authorization.
SNMP MIBs: iso.org.dod.internet.mgmt.mib-2.radiusMIB (1.3.6.1.2.1.67).
Working groups: aaa, Authentication, Authorization and Accounting.
radext, RADIUS Extensions.
IANA: RADIUS types.
Links: 

MAC header IP header UDP header RADIUS header Data :::

RADIUS header:

0001020304050607 0809101112131415 1617181920212223 2425262728293031
Code Identifier Length
Authenticator
-
-
-
Attributes :::

Code. 8 bits.
Identifies the type of RADIUS packet. If a packet is received with an invalid Code field, it is silently discarded.

CodeDescriptionReferences
1Access-Request. RFC 2865
2Access-Accept. RFC 2865
3Access-Reject. RFC 2865
4Accounting-Request. RFC 2865
5Accounting-Response. RFC 2865
6Accounting-Status, Interim Accounting. RFC 2882
7Password-Request. RFC 2882
8Password-Ack. RFC 2882
9Password-Reject. RFC 2882
10Accounting-Message RFC 2882
11Access-Challenge. RFC 2865
12Status-Server (experimental). RFC 2865
13Status-Client (experimental). RFC 2865
14
-
20
  
21Resource-Free-Request RFC 2882
22Resource-Free-Response RFC 2882
23Resource-Query-Request. RFC 2882
24Resource-Query-Response RFC 2882
25Alternate-Resource- Reclaim-Request. RFC 2882
26NAS-Reboot-Request RFC 2882
27NAS-Reboot-Response RFC 2882
28  
29Next-Passcode. RFC 2882
30New-Pin. RFC 2882
31Terminate-Session. RFC 2882
32Password-Expired. RFC 2882
33Event-Request. RFC 2882
34Event-Response. RFC 2882
35
-
39
  
40Disconnect-Request. RFC 2882
41Disconnect-ACK. RFC 2882
42Disconnect-NAK. RFC 2882
43CoA-Request. RFC 2882
44CoA-ACK. RFC 2882
45CoA-NAK. RFC 2882
46
-
49
  
50IP-Address-Allocate. RFC 2882
51IP-Address-Release. RFC 2882
52
-
249
  
250
-
253
Experimental use. 
254reserved. 
255reserved. RFC 2865

Identifier. 8 bits.
Used to match RADIUS request and reply packets.

Length. 16 bits. 20 to 4096.
Indicates the length of the packet including the RADIUS header and Attribute fields. Bytes outside the range of the Length field should be treated as padding and should be ignored on reception. If the packet is shorter than the indicated length, it should be silently discarded.

Authenticator. 16 bytes.
Used to authenticate the reply from the RADIUS server and is used in the password hiding algorithm.

Attributes. Variable length.
RADIUS Attributes carry the specific authentication, authorization and accounting details for the request and response. Some attributes MAY be included more than once. The effect of this is attribute specific, and is specified in each attribute description. The end of the list of attributes is indicated by the Length of the RADIUS packet.

Type Length Value :::

Type. 8 bits.

Length. 8 bits.
Indicates the length of this attribute including the Type, Length and Value fields. If an attribute is received in an Accounting-Request packet with an invalid Length, the entire request should be silently discarded.

Value. Variable.
Contains information specific to the attribute. The format and length of this field is determined by the Type and Length fields. The format of the field can be one of the following data types:

The valid attributes are:

TypeLengthDescriptionReferences
0   
1>= 3User-Name. RFC 2865
218 to 130User-Password. RFC 2865
319CHAP-Password. RFC 2865
46NAS-IP-Address. RFC 2865
56NAS-Port. RFC 2865
66Service-Type. RFC 2865
76Framed-Protocol. RFC 2865
86Framed-IP-Address. RFC 2865
96Framed-IP-Netmask. RFC 2865
106Framed-Routing. RFC 2865
11>= 3Filter-Id. RFC 2865
126Framed-MTU. RFC 2865
136Framed-Compression. RFC 2865
146Login-IP-Host. RFC 2865
156Login-Service. RFC 2865
166Login-TCP-Port. RFC 2865
17   
18>= 3Reply-Message. RFC 2865
19>= 3Callback-Number. RFC 2865
20>= 3Callback-Id. RFC 2865
21   
22>= 3Framed-Route. RFC 2865
236Framed-IPX-Network. RFC 2865
24>= 3State. RFC 2865
25>= 3Class. RFC 2865
26>= 7Vendor-Specific. RFC 2865
276Session-Timeout. RFC 2865
286Idle-Timeout. RFC 2865
296Termination-Action. RFC 2865
30>= 3Called-Station-Id. RFC 2865
31>= 3Calling-Station-Id. RFC 2865
32>= 3NAS-Identifier. RFC 2865
33>= 3Proxy-State. RFC 2865
34>= 3Login-LAT-Service. RFC 2865
35>= 3Login-LAT-Node. RFC 2865
3634Login-LAT-Group. RFC 2865
376Framed-AppleTalk-Link. RFC 2865
386Framed-AppleTalk-Network. RFC 2865
39>= 3Framed-AppleTalk-Zone. RFC 2865
40 6 Acct-Status-Type. RFC 2866
41 6 Acct-Delay-Time. RFC 2866
42 6 Acct-Input-Octets. RFC 2866
43 6 Acct-Output-Octets. RFC 2866
44 >= 3 Acct-Session-Id RFC 2866
45 6 Acct-Authentic. RFC 2866
46 6 Acct-Session-Time. RFC 2866
47 6 Acct-Input-Packets. RFC 2866
48 6 Acct-Output-Packets. RFC 2866
49 6 Acct-Terminate-Cause. RFC 2866
50 >= 3 Acct-Multi-Session-Id. RFC 2866
51 6 Acct-Link-Count. RFC 2866
52 6 Acct-Input-Gigawords. RFC 2869
53 6 Acct-Output-Gigawords. RFC 2869
54      
55 6 Event-Timestamp. RFC 2869
56 Egress-VLANID.RFC 4675
57   Ingress-Filters. RFC 4675
58   Egress-VLAN-Name. RFC 4675
59   User-Priority-Table. RFC 4675
60 >= 7 CHAP-Challenge. RFC 2865
61 6 NAS-Port-Type. RFC 2865
62 6 Port-Limit. RFC 2865
63 >= 3 Login-LAT-Port. RFC 2865
64 6 Tunnel-Type. RFC 2868
65 6 Tunnel-Medium-Type. RFC 2868
66 >= 3 Tunnel-Client-Endpoint. RFC 2868
67

>= 3

Tunnel-Server-Endpoint. RFC 2868
68   Acct-Tunnel-Connection. RFC 2867
69

>= 5

Tunnel-Password. RFC 2868
70

18

ARAP-Password. RFC 2869
71

16

ARAP-Features. RFC 2869
72

6

ARAP-Zone-Access. RFC 2869
73

6

ARAP-Security. RFC 2869
74

>= 3

ARAP-Security-Data. RFC 2869
756Password-Retry. RFC 2869
766Prompt. RFC 2869
77>= 3Connect-Info. RFC 2869
78>= 3Configuration-Token. RFC 2869
79>= 3EAP-Message. RFC 2869, RFC 3579
8018Message-Authenticator. RFC 2869, RFC 3579
81>= 3Tunnel-Private-Group-ID. RFC 2868
82>= 3Tunnel-Assignment-ID. RFC 2868
836Tunnel-Preference. RFC 2868
8410ARAP-Challenge-Response. RFC 2869
856Acct-Interim-Interval. RFC 2869
86 Acct-Tunnel-Packets-Lost.RFC 2867
87>= 3NAS-Port-Id. RFC 2869
88>= 3Framed-Pool. RFC 2869
89>= 3CUI, Chargeable User Identity. RFC 4372
90>= 3Tunnel-Client-Auth-ID. RFC 2868
91>= 3Tunnel-Server-Auth-ID. RFC 2868
92 NAS-Filter-Rule. RFC 4849
93   
94 Originating-Line-Info. RFC 3162, RFC4005
9518NAS-IPv6-Address. RFC 3162
9610Framed-Interface-Id. RFC 3162
974 to 20Framed-IPv6-Prefix. RFC 3162
9818Login-IPv6-Host. RFC 3162
99>= 3Framed-IPv6-Route. RFC 3162
100>= 3Framed-IPv6-Pool. RFC 3162
101 Error-Cause Attribute.RFC 3576
102 EAP-Key-Name. RFC 4072
103 Digest-Response.RFC 4590
104 Digest-Realm.RFC 4590
105 Digest-Nonce.RFC 4590
106 Digest-Nextnonce.RFC 4590
107 Digest-Response-Auth.RFC 4590
108 Digest-Method.RFC 4590
109 Digest-URI.RFC 4590
110 Digest-Qop.RFC 4590
111 Digest-Algorithm.RFC 4590
112 Digest-Entity-Body-Hash.RFC 4590
113 Digest-CNonce.RFC 4590
114 Digest-Nonce-Count.RFC 4590
115 Digest-Username.RFC 4590
116 Digest-Opaque.RFC 4590
117 Digest-Auth-Param.RFC 4590
118 Digest-AKA-Auts.RFC 4590
119 Digest-Domain.RFC 4590
120 Digest-Stale.RFC 4590
121 Digest-HA1.RFC 4590
122 SIP-AOR.RFC 4590
123 Delegated-IPv6-Prefix.RFC 4818
124 MIP6-Feature-Vector. RFC 5447
125 MIP6-Home-Link-Prefix. RFC 5447
126 Operator-Name.RFC 5580
127 Location-Information.RFC 5580
128 Location-Data.RFC 5580
129 Basic-Location-Policy-Rules.RFC 5580
130 Extended-Location-Policy-Rules.RFC 5580
131 Location-Capable.RFC 5580
132 Requested-Location-Info.RFC 5580
133 Framed-Management-Protocol.RFC 5607
134 Management-Transport-Protection.RFC 5607
135 Management-Policy-Id.RFC 5607
136 Management-Privilege-Level.RFC 5607
137 PKM-SS-Cert.RFC 5904
138 PKM-CA-Cert.RFC 5904
139 PKM-Auth-Wait-Timeout.RFC 5904
140 PKM-Cryptosuite-List.RFC 5904
141 PKM-SAID.RFC 5904
142 PKM-SA-Descriptor.RFC 5904
143 PKM-Auth-Key.RFC 5904
144 DS-Lite-Tunnel-Name.RFC 6519
145 Mobile-Node-Identifier. 
146 Service-Selection. 
147 PMIP6-Home-LMA-IPv6-Address. 
148 PMIP6-Visited-LMA-IPv6-Address. 
149 PMIP6-Home-LMA-IPv4-Address. 
150 PMIP6-Visited-LMA-IPv4-Address. 
151 PMIP6-Home-HN-Prefix. 
152 PMIP6-Visited-HN-Prefix. 
153 PMIP6-Home-Interface-ID. 
154 PMIP6-Visited-Interface-ID. 
155 PMIP6-Home-IPv4-HoA. 
156 PMIP6-Visited-IPv4-HoA. 
157 PMIP6-Home-DHCP4-Server-Address. 
158 PMIP6-Visited-DHCP4-Server-Address. 
159 PMIP6-Home-DHCP6-Server-Address. 
160 PMIP6-Visited-DHCP6-Server-Address. 
161
-
191
   
192
-
223
 experimental. RFC 2058, RFC 3575
224
-
240
 Implementation specific. RFC 2058, RFC 3575
241
-
255
 reserved. RFC 2058, RFC 3575

Glossary:

NAS, Network Access Server.
(RFC 2139) Operates as a client of the RADIUS accounting server. The client is responsible for passing user accounting information to a designated RADIUS accounting server.

Service.
(RFC 2139) The NAS provides a service to the dial-in user, such as PPP or Telnet.

Session.
(RFC 2139) Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that, with each session generating a separate start and stop accounting record with its own Acct-Session-Id.

Silently discard.
(RFC 2139) This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter.


RFCs:

[RFC 2548] Microsoft Vendor-specific RADIUS Attributes.

[RFC 2618] RADIUS Authentication Client MIB.

[RFC 2619] RADIUS Authentication Server MIB.

[RFC 2620] RADIUS Accounting Client MIB.

[RFC 2621] RADIUS Accounting Server MIB.

[RFC 2809] Implementation of L2TP Compulsory Tunneling via RADIUS.

[RFC 2865] Remote Authentication Dial In User Service (RADIUS).

[RFC 2866] RADIUS Accounting.

[RFC 2867] RADIUS Accounting Modifications for Tunnel Protocol Support.

[RFC 2868] RADIUS Attributes for Tunnel Protocol Support.

[RFC 2869] RADIUS Extensions.

[RFC 2882] Network Access Servers Requirements: Extended RADIUS Practices.

[RFC 2888] Secure Remote Access with L2TP.

[RFC 2924] Accounting Attributes and Record Formats.

[RFC 2975] Introduction to Accounting Management.

[RFC 3127] Authentication, Authorization, and Accounting: Protocol Evaluation.

[RFC 3162] RADIUS and IPv6.

[RFC 3575] IANA Considerations for RADIUS (Remote Authentication Dial In User Service).

[RFC 3576] Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).

[RFC 3579] RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP).

[RFC 3580] IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.

[RFC 4072] Diameter Extensible Authentication Protocol (EAP) Application.

[RFC 4372] Chargeable User Identity.

[RFC 5447] Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction.

[RFC 6709] Design Considerations for Protocol Extensions.


Publications:


Obsolete RFCs:

[RFC 2058] Remote Authentication Dial In User Service (RADIUS).

[RFC 2059] RADIUS Accounting.

[RFC 2138] Remote Authentication Dial In User Service (RADIUS).

[RFC 2139] RADIUS Accounting.


Description Glossary RFCs Publications Obsolete RFCs