Appendix B: Supported attributes for RADIUS CoA and RSSO
Attributes sent from the FortiSwitch unit to the RADIUS server during MAB (Access-Request)

| Attribute | AVP Type | Type | Description |
|---|---|---|---|
| NAS-Identifier | 32 | text | Host name of the switch |
| User-Name | 1 | alphanumeric | User name of the supplicant or its MAC address |
| User-Password | 2 | string | User password of the supplicant |
| Service-Type | 6 | enum | Optional. The following settings are available: administrative (the user is granted access to the administrative interface); authenticate-only (authentication is requested, and no authentication information needs to be returned); call-check (used by the NAS in an Access-Request packet or Access-Accept packet to answer the call); callback-administrative (the user disconnected, called back, and was granted access to the administrative interface); callback-framed (the user disconnected, called back, and then used a Framed-Protocol attribute); callback-login (the user disconnected and called back); callback-nas-prompt (the user disconnected, called back, and was then provided a command prompt); framed (the user used a Framed-Protocol attribute); login (the user should be connected to a host); nas-prompt (the user is provided a command prompt on the NAS); none (disables the Service-Type AVP); outbound (the user is granted access to outgoing devices). The default is |
| Framed-MTU | 12 | integer | Configurable (size in bytes). The range of values is 600-1500. The default value is 1500. |
| NAS-Port-Id | 87 | text | Port connected to the supplicant |
| NAS-Port | 5 | integer | Numeric port ID; for example, 12 means port12 |
| NAS-Port-Type | 61 | enum | Ethernet (15) |
| Calling-Station-ID | 31 | text | MAC address of the supplicant |
| Message-Authenticator | 80 | string | A checksum of the entire Access-Request packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
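As an added example (not FortiSwitch code), the following Python builds the MAB Access-Request from the table above and shows the server-side check of Message-Authenticator: the HMAC-MD5 over the whole packet, keyed with the shared secret, that the table describes. The Service-Type value 10 for call-check is assumed from the RADIUS standard, and the switch name, port, MAC address and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST = 1  # RADIUS packet code for Access-Request
# Attribute type numbers from the MAB Access-Request table
NAS_IDENTIFIER, USER_NAME, SERVICE_TYPE, FRAMED_MTU, NAS_PORT_ID = 32, 1, 6, 12, 87
NAS_PORT, NAS_PORT_TYPE, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 5, 61, 31, 80
SERVICE_TYPE_CALL_CHECK = 10  # standard enum value for call-check (assumed, not in the table)
NAS_PORT_TYPE_ETHERNET = 15   # Ethernet (15), as in the table

def avp(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return bytes([attr_type, len(value) + 2]) + value

def build_mab_access_request(secret, ident, mac, switch_name, port):
    """Build a MAB Access-Request whose Message-Authenticator covers the whole packet."""
    attrs = b"".join([
        avp(NAS_IDENTIFIER, switch_name),
        avp(USER_NAME, mac),  # MAB sends the supplicant MAC address as the user name
        avp(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK),
        avp(FRAMED_MTU, 1500),
        avp(NAS_PORT_ID, "port%d" % port),
        avp(NAS_PORT, port),
        avp(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET),
        avp(CALLING_STATION_ID, mac),
        avp(MESSAGE_AUTHENTICATOR, bytes(16)),  # 16 zero octets while the HMAC is computed
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # random 16-octet Request Authenticator
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + digest  # Message-Authenticator is the last attribute, so replace its value

def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC-MD5 with the attribute value zeroed and compare."""
    pos = 20  # attributes start after Code, ID, Length and the 16-octet Authenticator
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute length: reject the packet
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False  # attribute absent: treat the request as unauthenticated
```

A packet with a wrong secret, a modified attribute, or no Message-Authenticator at all fails the check, which is what a server enforcing the attribute relies on.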
Attributes sent from the FortiSwitch unit to the RADIUS server during 802.1X authentication (Access-Request)

| Attribute | AVP Type | Type | Description |
|---|---|---|---|
| NAS-Identifier | 32 | text | Host name of the switch |
| User-Name | 1 | alphanumeric | User name of the supplicant or its MAC address |
| EAP-Message | 79 | concat | Carries the EAP content |
| Framed-MTU | 12 | integer | Configurable (size in bytes). The range of values is 600-1500. The default value is 1500. |
| NAS-Port-Id | 87 | text | Port connected to the supplicant |
| NAS-Port | 5 | integer | Numeric port ID; for example, 12 means port12 |
| NAS-Port-Type | 61 | enum | Ethernet (15) |
| Calling-Station-ID | 31 | text | MAC address of the supplicant |
| Message-Authenticator | 80 | string | A checksum of the entire Access-Request packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
| Service-Type | 6 | enum | Optional. The following settings are available: administrative (the user is granted access to the administrative interface); authenticate-only (authentication is requested, and no authentication information needs to be returned); call-check (used by the NAS in an Access-Request packet or Access-Accept packet to answer the call); callback-administrative (the user disconnected, called back, and was granted access to the administrative interface); callback-framed (the user disconnected, called back, and then used a Framed-Protocol attribute); callback-login (the user disconnected and called back); callback-nas-prompt (the user disconnected, called back, and was then provided a command prompt); framed (the user used a Framed-Protocol attribute); login (the user should be connected to a host); nas-prompt (the user is provided a command prompt on the NAS); none (disables the Service-Type AVP); outbound (the user is granted access to outgoing devices). The default is |
Attributes sent from the RADIUS server to the FortiSwitch unit during 802.1X authentication (Access-Accept)

| Attribute | AVP Type | Type | Description |
|---|---|---|---|
| User-Name | 1 | alphanumeric | User name of the supplicant (MAC address of the host in MAB) |
| Class | 25 | string | Whatever the server returns |
| Tunnel-Type | 64 | enum | Optional. Set to 13 for VLAN. |
| Tunnel-Medium-Type | 65 | vsa | Optional. Set to 6 for IEEE-802. |
| Tunnel-Private-Group-ID | 81 | text | VLAN number or VLAN name |
| Egress-VLANID | 56 | integer | Provides the VLAN identifier and controls whether egress packets are tagged. |
| Egress-VLAN-Name | 58 | text | Provides the VLAN name and controls whether egress packets are tagged. |
| Ingress-Filters | 57 | enum | Enables (1) the use of ingress filters. The use of ingress filters cannot be disabled. |
| Vendor-Specific | 26 | vsa | Fortinet-Group-Name |
| Filter-Id | 11 | text | Relayed from the server |
| Session-Timeout | 27 | integer | Number of seconds before the session times out |
RADIUS attributes in the Accounting Start message

| Attribute | AVP Type | Description |
|---|---|---|
| Acct-Status-Type | 40 | 1 for Start |
| Acct-Session-Id | 44 | 802.1X or MAB session ID generated by the switch. For example: 0000004b |
| User-Name | 1 | Host login name or MAC address. For example: host01 |
| Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. The minimum value is 1; the maximum value is 1. |
| NAS-Identifier | 32 | Host name of the switch. For example: S148EP591900009 |
| Framed-IP-Address | 8 | The host IP address, if it is known to the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3 |
| NAS-Port-Id | 87 | A text string that identifies the port of the NAS connected to the host. For example: port48 |
| NAS-Port | 5 | The physical port number of the NAS. For example: 48 |
| NAS-Port-Type | 61 | 0 for asynchronous |
| Called-Station-Id | 30 | MAC address of the 802.1X port. For example: E8-1C-BA-8E-81-46 |
| Calling-Station-Id | 31 | MAC address of the host. For example: 00-12-01-00-00-01 |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Filter-Id | 11 | Relayed from the server |
| Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match. |
| Class | 25 | Whatever the server returns |
RADIUS attributes in the Accounting Interim Update message

| Attribute | AVP Type | Description |
|---|---|---|
| Acct-Status-Type | 40 | 3 for Interim-Update |
| Acct-Session-Id | 44 | 802.1X or MAB session ID generated by the switch. For example: 0000004b |
| User-Name | 1 | Host login name or MAC address. For example: host01 |
| Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. |
| Acct-Link-Count | 51 | 2 for two sessions on the port. This attribute is only valid in MAC mode. |
| NAS-Identifier | 32 | Host name of the switch. For example: S148EP591900009 |
| Framed-IP-Address | 8 | The host IP address, if it is known to the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3 |
| NAS-Port-Id | 87 | A text string that identifies the port of the NAS connected to the host. For example: port48 |
| NAS-Port | 5 | The physical port number of the NAS. For example: 48 |
| NAS-Port-Type | 61 | 15 for Ethernet |
| Called-Station-Id | 30 | MAC address of the 802.1X port. For example: E8-1C-BA-8E-81-46 |
| Calling-Station-Id | 31 | MAC address of the host. For example: 00-12-01-00-00-01 |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Filter-Id | 11 | For example: Eng-Group. If Filter-Id is received during authentication, it is included in accounting. |
| Class | 25 | Whatever the server returns |
| Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match. |
RADIUS attributes in the Accounting Stop message

| Attribute | AVP Type | Description |
|---|---|---|
| Acct-Status-Type | 40 | 2 for Stop |
| Acct-Session-Id | 44 | 802.1X or MAB session ID generated by the switch. For example: 0000004b |
| User-Name | 1 | Host login name or MAC address. For example: host01 |
| Acct-Multi-Session-Id | 50 | For example, e81cba8e8146 in MAC mode. This attribute cannot be used in port mode. |
| Acct-Link-Count | 51 | 2 for two sessions on the port |
| NAS-Identifier | 32 | Host name of the switch. For example: S148EP591900009 |
| Framed-IP-Address | 8 | The host IP address, if it is known to the switch; otherwise, the switch does not send this attribute. For example: 100.1.0.3 |
| NAS-Port-Id | 87 | A text string that identifies the port of the NAS connected to the host. For example: port48 |
| NAS-Port | 5 | The physical port number of the NAS. For example: 48 |
| NAS-Port-Type | 61 | 15 for Ethernet |
| Called-Station-Id | 30 | MAC address of the 802.1X port. For example: E8-1C-BA-8E-81-46 |
| Calling-Station-Id | 31 | MAC address of the host. For example: 00-12-01-00-00-01 |
| Acct-Input-Octets | 42 | Octets received from the host. For example: 3200 |
| Acct-Output-Octets | 43 | Octets sent to the host. For example: 16050448 |
| Acct-Input-Packets | 47 | Packets received from the host. For example: 20 |
| Acct-Output-Packets | 48 | Packets sent to the host. For example: 93606 |
| Acct-Terminate-Cause | 49 | 6 for Admin-Reset |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Filter-Id | 11 | For example: Eng-Group. If Filter-Id is received during authentication, it is included in accounting. |
| Class | 25 | Whatever the server returns |
| Vendor-Specific | 26 | Fortinet-Group-Name. Authentication fails if this value does not match. |
RADIUS attributes in the Disconnect-Request message

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of the host |
| Framed-IP-Address | 8 | IP address of the host |
| User-Name | 1 | Host login name |
| NAS-IP-Address | 4 | NAS IP address |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
RADIUS attributes in the Disconnect-ACK message

| Attribute | AVP Type | Description |
|---|---|---|
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
RADIUS attributes in the Disconnect-NAK message

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of the host |
| NAS-Port | 5 | Port that the host is connected to |
| Acct-Session-Id | 44 | 802.1X or MAB session identifier generated by the switch |
| Framed-IP-Address | 8 | IP address of the host |
| User-Name | 1 | Host login name |
| Error-Cause | 101 | Refer to the “Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages” table in this appendix for a listing of error causes, error codes, and descriptions. |
RADIUS attributes in the CoA-Request message (reauth-port)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of the host |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
| Vendor-Specific | 26 | Fortinet-Group-Name |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| User-Name | 1 | Host login name |
RADIUS attributes in the CoA-Request message (disable-port)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of the host |
| User-Name | 1 | Host login name |
| NAS-IP-Address | 4 | NAS IP address |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
| Vendor-Specific | 26 | Fortinet-Group-Name |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Class | 25 | Whatever the server returns |
| Filter-Id | 11 | Relayed from the server |
RADIUS attributes in the CoA-Request message (bounce-port)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of the host |
| User-Name | 1 | Host login name |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
| Vendor-Specific | 26 | Fortinet-Group-Name |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Class | 25 | Whatever the server returns |
| Filter-Id | 11 | Relayed from the server |
RADIUS attributes in the CoA-Request message (session-timeout)

| Attribute | AVP Type | Description |
|---|---|---|
| Calling-Station-ID | 31 | MAC address of the host |
| NAS-Port | 5 | Port that the host is connected to |
| Acct-Session-Id | 44 | 802.1X or MAB session identifier generated by the switch |
| Framed-IP-Address | 8 | IP address of the host |
| User-Name | 1 | Host login name |
RADIUS attributes in the CoA-ACK message

| Attribute | AVP Type | Description |
|---|---|---|
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
RADIUS attributes in the CoA-NAK message

| Attribute | AVP Type | Description |
|---|---|---|
| Error-Cause | 101 | Refer to the “Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages” table in this appendix for a listing of error causes, error codes, and descriptions. |
| Event-Timestamp | 55 | Time when the event occurred. For example: May 31, 2019 12:25:03.00000000 Pacific Daylight Time |
| Message-Authenticator | 80 | A checksum of the entire packet, including the Type, ID, Length, and Authenticator fields, computed with the shared secret as the key. |
Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages

| Error Cause | Error Code | Description |
|---|---|---|
| Unsupported Attribute | 401 | Fatal error, sent if a request contains an attribute that is not supported. |
| NAS Identification Mismatch | 403 | Fatal error, sent if one or more NAS-Identifier attributes do not match the identity of the NAS receiving the request. |
| Invalid Attribute Value | 407 | Fatal error, sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value. |
| Session Context Not Found | 503 | Fatal error, sent if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS. |
Stop error codes for RADIUS accounting

| Error Message | Error Code | Description |
|---|---|---|
| ACCT_TERM_CAUSE_IDLE_TIMEOUT | 4 | The system has been idle for too long. |
| ACCT_TERM_CAUSE_USER_REQUEST | 1 | The user requested that the service be stopped. |
| ACCT_TERM_CAUSE_SESSION_TIMEOUT | 5 | The session has timed out. |
| ACCT_TERM_CAUSE_ADMIN_RESET | 6 | The administrator has reset the session or port. |