RADIUS AVPs and VSAs

This topic describes RADIUS Attribute Value Pairs (AVPs) and Vendor-Specific Attributes (VSAs).

AVPs

RADIUS packets carry a set of AVPs that convey information about the user, their location, and other details. The IETF defined a set of 255 standard attributes, which are well known and take the form Type, Length, Value (for more details, refer to RFC 2865). Of the 255 standard attributes, the FortiGate sends the following:

| RADIUS attribute number | Name | Description |
| --- | --- | --- |
| 1 | User-Name | Name of the user being authenticated by the RADIUS server. |
| 4 | NAS-IP-Address | IP address of the network access server (NAS) that is requesting authentication. The NAS is the FortiGate. |
| 8 | Framed-IP-Address | IP address to be configured for the user; the user's IP address is sent to the RADIUS server in the Access-Request packet. |
| 25 | Class | Used in accounting packets and requests for firewall, WiFi, and proxy authentication. The attribute is returned in the Access-Accept message and is added to all accounting packets. |
| 26 | Fortinet-VSA | See VSAs. |
| 32 | NAS-Identifier | Identifier or IP address of the NAS that is requesting authentication. The NAS is the FortiGate. |
| 42 | Acct-Input-Octets | Number of octets received from the port over the course of this service being provided. Used to charge the user for the amount of traffic they used. |
| 43 | Acct-Output-Octets | Number of octets sent to the port while delivering this service. Used to charge the user for the amount of traffic they used. |
| 44 | Acct-Session-Id | Unique number assigned to each start and stop record to make it easy to match them, and to eliminate duplicate records. |
| 55 | Event-Timestamp | Records the time that the event occurred on the NAS. The timestamp is measured in seconds since January 1, 1970 00:00 UTC. Before the Event-Timestamp attribute can be sent in a packet, make sure that the correct time is set on the FortiGate. |

VSAs

Some vendors want or need to send attributes that do not match any of the defined IETF attributes. This can be accomplished by using RADIUS attribute type 26, which allows a vendor to encapsulate their own specific attributes in this standard AVP.

In order to support VSAs, the RADIUS server requires a dictionary to define the VSAs. This dictionary is typically supplied by the client or server vendor.

The Fortinet RADIUS vendor ID is 12356. Fortinet defines the following attributes under this vendor ID:

| Attribute name | Attribute number | Attribute value format |
| --- | --- | --- |
| Fortinet-Group-Name | 1 | String |
| Fortinet-Client-IP-Address | 2 | IP address |
| Fortinet-Vdom-Name* | 3 | String |
| Fortinet-Client-IPv6-Address | 4 | Octets |
| Fortinet-Interface-Name | 5 | String |
| Fortinet-Access-Profile | 6 | String |
| Fortinet-SSID | 7 | String |
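
To show how the Type, Length, Value form and the type 26 encapsulation fit together, the following added example (not Fortinet code) walks a RADIUS attribute buffer and decodes the Fortinet VSAs listed above, rejecting malformed lengths. It assumes the VSA payload uses the vendor type, vendor length, value layout recommended by RFC 2865; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress

FORTINET_VENDOR_ID = 12356
FORTINET_PREFIX = FORTINET_VENDOR_ID.to_bytes(4, "big")  # 4-byte Vendor-Id field
# Attribute numbers and value formats from the Fortinet VSA table on this page.
FORTINET_VSAS = {
    1: ("Fortinet-Group-Name", "string"),
    2: ("Fortinet-Client-IP-Address", "ipaddr"),
    3: ("Fortinet-Vdom-Name", "string"),
    4: ("Fortinet-Client-IPv6-Address", "octets"),
    5: ("Fortinet-Interface-Name", "string"),
    6: ("Fortinet-Access-Profile", "string"),
    7: ("Fortinet-SSID", "string"),
}

def tlv(a_type, value):
    """Encode one Type/Length/Value record; Length counts the 2-byte header."""
    return bytes([a_type, len(value) + 2]) + value

def walk_tlvs(buf):
    """Yield (type, value) pairs, rejecting lengths that underrun or overrun buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError(f"bad length {a_len} in attribute {a_type}")
        yield a_type, buf[pos + 2:pos + a_len]
        pos += a_len

def fortinet_vsas(attributes):
    """Return [(name, value)] for Fortinet VSAs inside type-26 attributes."""
    found = []
    for a_type, value in walk_tlvs(attributes):
        if a_type != 26 or value[:4] != FORTINET_PREFIX:
            continue  # not a VSA, or another vendor's VSA
        for v_type, raw in walk_tlvs(value[4:]):
            name, fmt = FORTINET_VSAS.get(v_type, (f"Fortinet-Unknown-{v_type}", "octets"))
            if fmt == "string":
                raw = raw.decode("utf-8", errors="replace")
            elif fmt == "ipaddr":
                raw = str(ipaddress.IPv4Address(raw))  # raises ValueError unless 4 bytes
            found.append((name, raw))
    return found

# Constructed sample: User-Name plus two Fortinet VSAs (not captured traffic).
SAMPLE = (tlv(1, b"alice")
          + tlv(26, FORTINET_PREFIX + tlv(1, b"admins"))
          + tlv(26, FORTINET_PREFIX + tlv(2, bytes([192, 0, 2, 10]))))
```

The function returns a list rather than a dictionary so that repeated attributes in one packet are all kept.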