
Administration Guide

Appendix B: Supported attributes for RADIUS CoA and RSSO


Attributes sent from the FortiSwitch unit to the RADIUS server during MAB (Access-Request)

| Attribute | AVP Type | Type | Description |
|---|---|---|---|
| NAS-Identifier | 32 | text | Host name of switch |
| User-Name | 1 | alphanumeric | User name of supplicant or MAC address |
| User-Password | 2 | string | User password of supplicant |
| Service-Type | 6 | enum | Optional. The following settings are available:<br>- administrative—The user is granted access to the administrative interface.<br>- authenticate-only—Authentication is requested, and no authentication information needs to be returned.<br>- call-check—This setting is used by the NAS in an Access-Request packet or Access-Accept packet to answer the call.<br>- callback-administrative—The user disconnected, called back, and is granted access to the administrative interface.<br>- callback-framed—The user disconnected and called back and then used a Framed-Protocol attribute.<br>- callback-login—The user disconnected and called back.<br>- callback-nas-prompt—The user disconnected and called back and then provided a command prompt.<br>- framed—The user used a Framed-Protocol attribute.<br>- login—The user should be connected to a host.<br>- nas-prompt—The user provided a command prompt on the NAS.<br>- none—Disable the Service-Type AVP.<br>- outbound—The user is granted access to outgoing devices.<br>The default is none for 802.1X authentication. MAC Authentication Bypass (MAB) always uses the call-check setting, no matter what is configured. |
| Framed-MTU | 12 | integer | Configurable (size in bytes). The range of values is 600-1500. The default value is 1500. |
| NAS-Port-Id | 87 | text | Port connected to supplicant |
| NAS-Port | 5 | integer | Value of port ID; for example, 12 means port12 |
| NAS-Port-Type | 61 | enum | Ethernet (15) |
| Calling-Station-ID | 31 | text | MAC address of supplicant |
| Message-Authenticator | 80 | string | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |
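
The Message-Authenticator check described in the table above, as an added example (not Fortinet code): per RFC 2869 the value is HMAC-MD5 over the whole packet with the attribute's 16 octets zeroed, keyed with the shared secret. The packet is constructed from the page's sample values and omits User-Password; the shared secret and all function names are assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1            # RADIUS packet code
# AVP type numbers as listed in the table above
USER_NAME, NAS_PORT, SERVICE_TYPE = 1, 5, 6
CALLING_STATION_ID, NAS_IDENTIFIER = 31, 32
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
CALL_CHECK = 10               # RFC 2865 Service-Type value used for MAB
ETHERNET = 15                 # NAS-Port-Type value from the table


def avp(avp_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", avp_type, len(value) + 2) + value


def parse_avps(packet):
    """Return [(type, value_offset, value)], rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        # Strict on purpose: a length field that disagrees with the
        # datagram size is treated as malformed rather than padded.
        raise ValueError("length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        avp_type, avp_len = packet[pos], packet[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("AVP length out of bounds")
        avps.append((avp_type, pos + 2, packet[pos + 2:pos + avp_len]))
        pos += avp_len
    return avps


def verify_message_authenticator(packet, secret):
    """True only if exactly one well-formed Message-Authenticator matches."""
    found = [(off, val) for t, off, val in parse_avps(packet)
             if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, received = found[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)   # constant-time compare


def build_mab_access_request(secret, mac, nas_id, port):
    """Constructed MAB Access-Request using attributes from the table."""
    body = b"".join([
        avp(USER_NAME, mac.encode()),
        avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
        avp(NAS_IDENTIFIER, nas_id.encode()),
        avp(NAS_PORT, struct.pack("!I", port)),
        avp(NAS_PORT_TYPE, struct.pack("!I", ETHERNET)),
        avp(CALLING_STATION_ID, mac.encode()),
        avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16),    # placeholder, filled below
    ])
    request_authenticator = bytes(range(16))         # constructed, not random
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body))
    packet = bytearray(header + request_authenticator + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


if __name__ == "__main__":
    secret = b"example-shared-secret"                # constructed value
    pkt = build_mab_access_request(
        secret, "00-12-01-00-00-01", "S148EP591900009", 48)
    print("valid secret:", verify_message_authenticator(pkt, secret))
    print("wrong secret:", verify_message_authenticator(pkt, b"other"))
    tampered = bytearray(pkt)
    tampered[24] ^= 0x01                             # flip one bit in User-Name
    print("tampered    :", verify_message_authenticator(bytes(tampered), secret))
```
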

Attributes sent from the FortiSwitch unit to the RADIUS server during 802.1X authentication (Access-Request)

| Attribute | AVP Type | Type | Description |
|---|---|---|---|
| NAS-Identifier | 32 | text | Host name of switch |
| User-Name | 1 | alphanumeric | User name of supplicant or MAC address |
| EAP-Message | 79 | concat | Include EAP content |
| Framed-MTU | 12 | integer | Configurable (size in bytes). The range of values is 600-1500. The default value is 1500. |
| NAS-Port-Id | 87 | text | Port connected to supplicant |
| NAS-Port | 5 | integer | Value of port ID; for example, 12 means port12 |
| NAS-Port-Type | 61 | enum | Ethernet (15) |
| Calling-Station-ID | 31 | text | MAC address of supplicant |
| Message-Authenticator | 80 | string | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |
| Service-Type | 6 | enum | Optional. The following settings are available:<br>- administrative—The user is granted access to the administrative interface.<br>- authenticate-only—Authentication is requested, and no authentication information needs to be returned.<br>- call-check—This setting is used by the NAS in an Access-Request packet or Access-Accept packet to answer the call.<br>- callback-administrative—The user disconnected, called back, and is granted access to the administrative interface.<br>- callback-framed—The user disconnected and called back and then used a Framed-Protocol attribute.<br>- callback-login—The user disconnected and called back.<br>- callback-nas-prompt—The user disconnected and called back and then provided a command prompt.<br>- framed—The user used a Framed-Protocol attribute.<br>- login—The user should be connected to a host.<br>- nas-prompt—The user provided a command prompt on the NAS.<br>- none—Disable the Service-Type AVP.<br>- outbound—The user is granted access to outgoing devices.<br>The default is none for 802.1X authentication. MAC Authentication Bypass (MAB) always uses the call-check setting, no matter what is configured. |

Attributes sent from the RADIUS server to the FortiSwitch unit during 802.1X authentication (Access-Accept)

| Attribute | AVP Type | Type | Description |
|---|---|---|---|
| User-Name | 1 | alphanumeric | User name of supplicant (MAC address of host in MAB) |
| Class | 25 | string | Whatever the server returns |
| Tunnel-Type | 64 | enum | Optional. Set to 13 for VLAN. |
| Tunnel-Medium-Type | 65 | vsa | Optional. Set to 6 for IEEE-802. |
| Tunnel-Private-Group-ID | 81 | text | VLAN number or VLAN name |
| Egress-VLANID | 56 | integer | Provides the VLAN identifier and controls whether egress packets are tagged. |
| Egress-VLAN-Name | 58 | text | Provides the VLAN name and controls whether egress packets are tagged. |
| Ingress-Filters | 57 | enum | Enables (1) the use of ingress filters. The use of ingress filters cannot be disabled. |
| Vendor-Specific | 26 | vsa | Fortinet-Group-Name |
| Filter-Id | 11 | text | Relayed from the server |
| Session-Timeout | 27 | integer | How many seconds before the session times out |

RADIUS attributes in the Accounting Start message

| Attribute | AVP Type | Description |
|---|---|---|
| Acct-Status-Type | 40 | 1 for Start |
| Acct-Session-Id | 44 | 802.1X or MAB session ID generated by the switch. For example: 0000004b |
| User-Name | 1 | Host login name or MAC address. For example: host01 |
| Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. The minimum value is 1; the maximum value is 1. |
| NAS-Identifier | 32 | For example, S148EP591900009 for the host name of the switch. |
| Framed-IP-Address | 8 | This value is the host IP address if it is found in the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3 |
| NAS-Port-Id | 87 | This value is a text string that identifies the port of the NAS connected to the host. For example: port48 |
| NAS-Port | 5 | This value indicates the physical port number of the NAS. For example: 48 |
| NAS-Port-Type | 61 | 0 for asynchronous |
| Called-Station-Id | 30 | MAC address of the 802.1X port. For example: E8-1C-BA-8E-81-46 |
| Calling-Station-Id | 31 | MAC address of host. For example: 00-12-01-00-00-01 |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Filter-Id | 11 | Relayed from the server |
| Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match. |
| Class | 25 | Whatever the server returns |

RADIUS attributes in the Accounting Interim Update message

| Attribute | AVP Type | Description |
|---|---|---|
| Acct-Status-Type | 40 | 3 for Interim-Update |
| Acct-Session-Id | 44 | 802.1X or MAB session ID generated by the switch. For example: 0000004b |
| User-Name | 1 | Host login name or MAC address. For example: host01 |
| Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. |
| Acct-Link-Count | 51 | 2 for two sessions on the port. This attribute is only valid for MAC mode. |
| NAS-Identifier | 32 | For example, S148EP591900009 for the host name of the switch. |
| Framed-IP-Address | 8 | This value is the host IP address if it is found in the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3 |
| NAS-Port-Id | 87 | This value is a text string that identifies the port of the NAS connected to the host. For example: port48 |
| NAS-Port | 5 | This value indicates the physical port number of the NAS. For example: 48 |
| NAS-Port-Type | 61 | 15 for Ethernet |
| Called-Station-Id | 30 | MAC address of the 802.1X port. For example: E8-1C-BA-8E-81-46 |
| Calling-Station-Id | 31 | MAC address of host. For example: 00-12-01-00-00-01 |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Filter-Id | 11 | Eng-Group. If Filter-Id is received during authentication, it is included in accounting. |
| Class | 25 | Whatever the server returns |
| Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match. |

RADIUS attributes in the Accounting Stop message

| Attribute | AVP Type | Description |
|---|---|---|
| Acct-Status-Type | 40 | 2 for Stop |
| Acct-Session-Id | 44 | 802.1X or MAB session ID generated by the switch. For example: 0000004b |
| User-Name | 1 | Host login name or MAC address. For example: host01 |
| Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. |
| Acct-Link-Count | 51 | 2 for two sessions on the port |
| NAS-Identifier | 32 | For example, S148EP591900009 for the host name of the switch. |
| Framed-IP-Address | 8 | This value is the host IP address if it is found in the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3 |
| NAS-Port-Id | 87 | This value is a text string that identifies the port of the NAS connected to the host. For example: port48 |
| NAS-Port | 5 | This value indicates the physical port number of the NAS. For example: 48 |
| NAS-Port-Type | 61 | 15 for Ethernet |
| Called-Station-Id | 30 | MAC address of the 802.1X port. For example: E8-1C-BA-8E-81-46 |
| Calling-Station-Id | 31 | MAC address of host. For example: 00-12-01-00-00-01 |
| Acct-Input-Octets | 42 | 3200 |
| Acct-Output-Octets | 43 | 16050448 |
| Acct-Input-Packets | 47 | 20 |
| Acct-Output-Packets | 48 | 93606 |
| Acct-Terminate-Cause | 49 | 6 for Admin-Reset |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Filter-Id | 11 | Eng-Group. If Filter-Id is received during authentication, it is included in accounting. |
| Class | 25 | Whatever the server returns |
| Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match. |

RADIUS attributes in the Disconnect-Request message

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of host |
| Framed-IP-Address | 8 | IP address of host |
| User-Name | 1 | Host login name |
| NAS-IP-Address | 4 | NAS IP address |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |

RADIUS attributes in the Disconnect-ACK message

| Attribute | AVP Type | Description |
|---|---|---|
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |

RADIUS attributes in the Disconnect-NAK message

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of host |
| NAS-Port | 5 | Port that the host is connected to |
| Acct-Session-Id | 44 | 802.1X or MAB session identifier generated by the switch |
| Framed-IP-Address | 8 | IP address of host |
| User-Name | 1 | Host login name |
| Error-Cause | 101 | Refer to the “Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages” table in this appendix for a listing of error causes, error codes, and descriptions. |

RADIUS attributes in the CoA-Request message (reauth-port)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of host |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |
| Vendor-Specific | 26 | Fortinet-Group-Name |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| User-Name | 1 | Host login name |

RADIUS attributes in the CoA-Request message (disable-port)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of host |
| User-Name | 1 | Host login name |
| NAS-IP-Address | 4 | NAS IP address |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |
| Vendor-Specific | 26 | Fortinet-Group-Name |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Class | 25 | Whatever the server returns |
| Filter-Id | 11 | Relayed from the server |

RADIUS attributes in the CoA-Request message (bounce-port)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of host |
| User-Name | 1 | Host login name |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |
| Vendor-Specific | 26 | Fortinet-Group-Name |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Class | 25 | Whatever the server returns |
| Filter-Id | 11 | Relayed from the server |

RADIUS attributes in the CoA-Request message (session-timeout)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of host |
| NAS-Port | 5 | Port that the host is connected to |
| Acct-Session-Id | 44 | 802.1X or MAB session identifier generated by the switch |
| Framed-IP-Address | 8 | IP address of host |
| User-Name | 1 | Host login name |

RADIUS attributes in the CoA-ACK message

| Attribute | AVP Type | Description |
|---|---|---|
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |

RADIUS attributes in the CoA-NAK message

| Attribute | AVP Type | Description |
|---|---|---|
| Error-Cause | 101 | Refer to the “Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages” table in this appendix for a listing of error causes, error codes, and descriptions. |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Message-Authenticator | 80 | The Message-Authenticator attribute is a checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field; the shared secret is used as the key. |

Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages

| Error Cause | Error Code | Description |
|---|---|---|
| Unsupported Attribute | 401 | This error is a fatal error, which is sent if a request contains an attribute that is not supported. |
| NAS Identification Mismatch | 403 | This error is a fatal error, which is sent if one or more NAS-Identifier attributes do not match the identity of the NAS receiving the request. |
| Invalid Attribute Value | 407 | This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value. |
| Session Context Not Found | 503 | This error is a fatal error, which is sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS. |

Stop error codes for RADIUS accounting

| Error Message | Error Code | Description |
|---|---|---|
| ACCT_TERM_CAUSE_IDLE_TIMEOUT | 4 | The system has been idle for too long. |
| ACCT_TERM_CAUSE_USER_REQUEST | 1 | The user requested the service to be stopped. |
| ACCT_TERM_CAUSE_SESSION_TIMEOUT | 5 | The session has timed out. |
| ACCT_TERM_CAUSE_ADMIN_RESET | 6 | The administrator has reset the session or port. |
