RFC relevance of indicate

As per Relevance of the word indicate, we have this rfc below:

Network Working Group C.
Request for Comments: 2865 S.
Obsoletes: 2138
Category: Standards Track A.

W.

June 2000

Remote Authentication Dial In User Service (RADIUS

Status of this

This document specifies an Internet standards track protocol for
Internet community, and requests discussion and suggestions
improvements. Please refer to the current edition of the "
Official Protocol Standards" (STD 1) for the standardization
and status of this protocol. Distribution of this memo is unlimited

Copyright

Copyright (C) The Internet Society (2000). All Rights Reserved

IESG Note

This protocol is widely implemented and used. Experience has
that it can suffer degraded performance and lost data when used
large scale systems, in part because it does not include
for congestion control. Readers of this document may find
beneficial to track the progress of the IETF's AAA working group
which may develop a successor protocol that better addresses
scaling and congestion control issues

This document describes a protocol for carrying authentication
authorization, and configuration information between a Network
Server which desires to authenticate its links and a
Authentication Server

Implementation

This memo documents the RADIUS protocol. The early deployment
RADIUS was done using UDP port number 1645, which conflicts with
"datametrics" service. The officially assigned port number
RADIUS is 1812.

Rigney, et al. Standards Track [Page 1]

RFC 2865 RADIUS June 2000

Table of

1. Introduction .......................................... 3
1.1 Specification of Requirements ................... 4
1.2 Terminology ..................................... 5
2. Operation ............................................. 5
2.1 Challenge/Response .............................. 7
2.2 Interoperation with PAP and CHAP ................ 8
2.3 Proxy ........................................... 8
2.4 Why UDP? ........................................ 11
2.5 Retransmission Hints ............................ 12
2.6 Keep-Alives Considered Harmful .................. 13
3. Packet Format ......................................... 13
4. Packet Types .......................................... 17
4.1 Access-Request .................................. 17
4.2 Access-Accept ................................... 18
4.3 Access-Reject ................................... 20
4.4 Access-Challenge ................................ 21
5. Attributes ............................................ 22
5.1 User-Name ....................................... 26
5.2 User-Password ................................... 27
5.3 CHAP-Password ................................... 28
5.4 NAS-IP-Address .................................. 29
5.5 NAS-Port ........................................ 30
5.6 Service-Type .................................... 31
5.7 Framed-Protocol ................................. 33
5.8 Framed-IP-Address ............................... 34
5.9 Framed-IP-Netmask ............................... 34
5.10 Framed-Routing .................................. 35
5.11 Filter-Id ....................................... 36
5.12 Framed-MTU ...................................... 37
5.13 Framed-Compression .............................. 37
5.14 Login-IP-Host ................................... 38
5.15 Login-Service ................................... 39
5.16 Login-TCP-Port .................................. 40
5.17 (unassigned) .................................... 41
5.18 Reply-Message ................................... 41
5.19 Callback-Number ................................. 42
5.20 Callback-Id ..................................... 42
5.21 (unassigned) .................................... 43
5.22 Framed-Route .................................... 43
5.23 Framed-IPX-Network .............................. 44
5.24 State ........................................... 45
5.25 Class ........................................... 46
5.26 Vendor-Specific ................................. 47
5.27 Session-Timeout ................................. 48
5.28 Idle-Timeout .................................... 49
5.29 Termination-Action .............................. 49

Rigney, et al. Standards Track [Page 2]

RFC 2865 RADIUS June 2000

5.30 Called-Station-Id ............................... 50
5.31 Calling-Station-Id .............................. 51
5.32 NAS-Identifier .................................. 52
5.33 Proxy-State ..................................... 53
5.34 Login-LAT-Service ............................... 54
5.35 Login-LAT-Node .................................. 55
5.36 Login-LAT-Group ................................. 56
5.37 Framed-AppleTalk-Link ........................... 57
5.38 Framed-AppleTalk-Network ........................ 58
5.39 Framed-AppleTalk-Zone ........................... 58
5.40 CHAP-Challenge .................................. 59
5.41 NAS-Port-Type ................................... 60
5.42 Port-Limit ...................................... 61
5.43 Login-LAT-Port .................................. 62
5.44 Table of Attributes ............................. 63
6. IANA Considerations ................................... 64
6.1 Definition of Terms ............................. 64
6.2 Recommended Registration Policies ............... 65
7. Examples .............................................. 66
7.1 User Telnet to Specified Host ................... 66
7.2 Framed User Authenticating with CHAP ............ 67
7.3 User with Challenge-Response card ............... 68
8. Security Considerations ............................... 71
9. Change Log ............................................ 71
10. References ............................................ 73
11. Acknowledgements ...................................... 74
12. Chair's Address ....................................... 74
13. Authors' Addresses .................................... 75
14. Full Copyright Statement .............................. 76

1.

This document obsoletes RFC 2138 [1]. A summary of the
between this document and RFC 2138 is available in the "Change Log
appendix

Managing dispersed serial line and modem pools for large numbers
users can create the need for significant administrative support
Since modem pools are by definition a link to the outside world,
require careful attention to security, authorization and accounting
This can be best achieved by managing a single "database" of users
which allows for authentication (verifying user name and password)
well as configuration information detailing the type of service
deliver to the user (for example, SLIP, PPP, telnet, rlogin).

Rigney, et al. Standards Track [Page 3]

RFC 2865 RADIUS June 2000

Key features of RADIUS are

Client/Server

A Network Access Server (NAS) operates as a client of RADIUS.
client is responsible for passing user information to
RADIUS servers, and then acting on the response which is returned

RADIUS servers are responsible for receiving user
requests, authenticating the user, and then returning
configuration information necessary for the client to
service to the user

A RADIUS server can act as a proxy client to other RADIUS
or other kinds of authentication servers

Network

Transactions between the client and RADIUS server
authenticated through the use of a shared secret, which is
sent over the network. In addition, any user passwords are
encrypted between the client and RADIUS server, to eliminate
possibility that someone snooping on an unsecure network
determine a user's password

Flexible Authentication

The RADIUS server can support a variety of methods to
a user. When it is provided with the user name and
password given by the user, it can support PPP PAP or CHAP,
login, and other authentication mechanisms

Extensible

All transactions are comprised of variable length Attribute
Length-Value 3-tuples. New attribute values can be added
disturbing existing implementations of the protocol

1.1. Specification of

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
document are to be interpreted as described in BCP 14 [2]. These
words mean the same thing whether capitalized or not

An implementation is not compliant if it fails to satisfy one or
of the must or must not requirements for the protocols it implements
An implementation that satisfies all the must, must not, should

Rigney, et al. Standards Track [Page 4]

RFC 2865 RADIUS June 2000

should not requirements for its protocols is said to
"unconditionally compliant"; one that satisfies all the must and
not requirements but not all the should or should not
for its protocols is said to be "conditionally compliant".

A NAS that does not implement a given service MUST NOT implement
RADIUS attributes for that service. For example, a NAS that
unable to offer ARAP service MUST NOT implement the RADIUS
for ARAP. A NAS MUST treat a RADIUS access-accept authorizing
unavailable service as an access-reject instead

1.2.

This document frequently uses the following terms

service The NAS provides a service to the dial-in user, such as
or Telnet

session Each service provided by the NAS to a dial-in
constitutes a session, with the beginning of the
defined as the point where service is first provided
the end of the session defined as the point where
is ended. A user may have multiple sessions in parallel
series if the NAS supports that

silently
This means the implementation discards the packet
further processing. The implementation SHOULD provide
capability of logging the error, including the contents
the silently discarded packet, and SHOULD record the
in a statistics counter

2.

When a client is configured to use RADIUS, any user of the
presents authentication information to the client. This might
with a customizable login prompt, where the user is expected to
their username and password. Alternatively, the user might use
link framing protocol such as the Point-to-Point Protocol (PPP),
which has authentication packets which carry this information

Once the client has obtained such information, it may choose
authenticate using RADIUS. To do so, the client creates an "Access
Request" containing such Attributes as the user's name, the user'
password, the ID of the client and the Port ID which the user
accessing. When a password is present, it is hidden using a
based on the RSA Message Digest Algorithm MD5 [3].

Rigney, et al. Standards Track [Page 5]

RFC 2865 RADIUS June 2000

The Access-Request is submitted to the RADIUS server via the network
If no response is returned within a length of time, the request
re-sent a number of times. The client can also forward requests
an alternate server or servers in the event that the primary
is down or unreachable. An alternate server can be used either
a number of tries to the primary server fail, or in a round-
fashion. Retry and fallback algorithms are the topic of
research and are not specified in detail in this document

Once the RADIUS server receives the request, it validates the
client. A request from a client for which the RADIUS server does
have a shared secret MUST be silently discarded. If the client
valid, the RADIUS server consults a database of users to find
user whose name matches the request. The user entry in the
contains a list of requirements which must be met to allow access
the user. This always includes verification of the password, but
also specify the client(s) or port(s) to which the user is
access

The RADIUS server MAY make requests of other servers in order
satisfy the request, in which case it acts as a client

If any Proxy-State attributes were present in the Access-Request
they MUST be copied unmodified and in order into the response packet
Other Attributes can be placed before, after, or even between
Proxy-State attributes

If any condition is not met, the RADIUS server sends an "Access
Reject" response indicating that this user request is invalid.
desired, the server MAY include a text message in the Access-
which MAY be displayed by the client to the user. No
Attributes (except Proxy-State) are permitted in an Access-Reject

If all conditions are met and the RADIUS server wishes to issue
challenge to which the user must respond, the RADIUS server sends
"Access-Challenge" response. It MAY include a text message to
displayed by the client to the user prompting for a response to
challenge, and MAY include a State attribute

If the client receives an Access-Challenge and
challenge/response it MAY display the text message, if any, to
user, and then prompt the user for a response. The client then re
submits its original Access-Request with a new request ID, with
User-Password Attribute replaced by the response (encrypted),
including the State Attribute from the Access-Challenge, if any
Only 0 or 1 instances of the State Attribute SHOULD

Rigney, et al. Standards Track [Page 6]

RFC 2865 RADIUS June 2000

present in a request. The server can respond to this new Access
Request with either an Access-Accept, an Access-Reject, or
Access-Challenge

If all conditions are met, the list of configuration values for
user are placed into an "Access-Accept" response. These
include the type of service (for example: SLIP, PPP, Login User)
all necessary values to deliver the desired service. For SLIP
PPP, this may include values such as IP address, subnet mask, MTU
desired compression, and desired packet filter identifiers.
character mode users, this may include values such as
protocol and host

2.1. Challenge/

In challenge/response authentication, the user is given
unpredictable number and challenged to encrypt it and give back
result. Authorized users are equipped with special devices such
smart cards or software that facilitate calculation of the
response with ease. Unauthorized users, lacking the
device or software and lacking knowledge of the secret key
to emulate such a device or software, can only guess at the response

The Access-Challenge packet typically contains a Reply-
including a challenge to be displayed to the user, such as a
value unlikely ever to be repeated. Typically this is obtained
an external server that knows what type of authenticator is in
possession of the authorized user and can therefore choose a
or non-repeating pseudorandom number of an appropriate radix
length

The user then enters the challenge into his device (or software)
it calculates a response, which the user enters into the client
forwards it to the RADIUS server via a second Access-Request. If
response matches the expected response the RADIUS server replies
an Access-Accept, otherwise an Access-Reject

Example: The NAS sends an Access-Request packet to the RADIUS
with NAS-Identifier, NAS-Port, User-Name, User-Password (which
just be a fixed string like "challenge" or ignored). The
sends back an Access-Challenge packet with State and a Reply-
along the lines of "Challenge 12345678, enter your response at
prompt" which the NAS displays. The NAS prompts for the response
sends a NEW Access-Request to the server (with a new ID) with NAS
Identifier, NAS-Port, User-Name, User-Password (the response
entered by the user, encrypted), and the same State Attribute

Rigney, et al. Standards Track [Page 7]

RFC 2865 RADIUS June 2000

came with the Access-Challenge. The server then sends back either
Access-Accept or Access-Reject based on whether the response
the required value, or it can even send another Access-Challenge

2.2. Interoperation with PAP and

For PAP, the NAS takes the PAP ID and password and sends them in
Access-Request packet as the User-Name and User-Password. The NAS
include the Attributes Service-Type = Framed-User and Framed-
= PPP as a hint to the RADIUS server that PPP service is expected

For CHAP, the NAS generates a random challenge (preferably 16 octets
and sends it to the user, who returns a CHAP response along with
CHAP ID and CHAP username. The NAS then sends an Access-
packet to the RADIUS server with the CHAP username as the User-
and with the CHAP ID and CHAP response as the CHAP-
(Attribute 3). The random challenge can either be included in
CHAP-Challenge attribute or, if it is 16 octets long, it can
placed in the Request Authenticator field of the Access-
packet. The NAS MAY include the Attributes Service-Type = Framed
User and Framed-Protocol = PPP as a hint to the RADIUS server
PPP service is expected

The RADIUS server looks up a password based on the User-Name
encrypts the challenge using MD5 on the CHAP ID octet, that password
and the CHAP challenge (from the CHAP-Challenge attribute if present
otherwise from the Request Authenticator), and compares that
to the CHAP-Password. If they match, the server sends back
Access-Accept, otherwise it sends back an Access-Reject

If the RADIUS server is unable to perform the
authentication it MUST return an Access-Reject. For example,
requires that the user's password be available in cleartext to
server so that it can encrypt the CHAP challenge and compare that
the CHAP response. If the password is not available in cleartext
the RADIUS server then the server MUST send an Access-Reject to
client

2.3.

With proxy RADIUS, one RADIUS server receives an authentication (
accounting) request from a RADIUS client (such as a NAS),
the request to a remote RADIUS server, receives the reply from
remote server, and sends that reply to the client, possibly
changes to reflect local administrative policy. A common use
proxy RADIUS is roaming. Roaming permits two or more
entities to allow each other's users to dial in to either entity'
network for service

Rigney, et al. Standards Track [Page 8]

RFC 2865 RADIUS June 2000

The NAS sends its RADIUS access-request to the "forwarding server
which forwards it to the "remote server". The remote server sends
response (Access-Accept, Access-Reject, or Access-Challenge) back
the forwarding server, which sends it back to the NAS. The User-
attribute MAY contain a Network Access Identifier [8] for
Proxy operations. The choice of which server receives the
request SHOULD be based on the authentication "realm".
authentication realm MAY be the realm part of a Network
Identifier (a "named realm"). Alternatively, the choice of
server receives the forwarded request MAY be based on whatever
criteria the forwarding server is configured to use, such as Called
Station-Id (a "numbered realm").

A RADIUS server can function as both a forwarding server and a
server, serving as a forwarding server for some realms and a
server for other realms. One forwarding server can act as
forwarder for any number of remote servers. A remote server can
any number of servers forwarding to it and can provide
for any number of realms. One forwarding server can forward
another forwarding server to create a chain of proxies, although
must be taken to avoid introducing loops

The following scenario illustrates a proxy RADIUS
between a NAS and the forwarding and remote RADIUS servers

1. A NAS sends its access-request to the forwarding server

2. The forwarding server forwards the access-request to the
server

3. The remote server sends an access-accept, access-reject
access-challenge back to the forwarding server. For this example
an access-accept is sent

4. The forwarding server sends the access-accept to the NAS

The forwarding server MUST treat any Proxy-State attributes
in the packet as opaque data. Its operation MUST NOT depend on
content of Proxy-State attributes added by previous servers

If there are any Proxy-State attributes in the request received
the client, the forwarding server MUST include those Proxy-
attributes in its reply to the client. The forwarding server
include the Proxy-State attributes in the access-request when
forwards the request, or MAY omit them in the forwarded request.
the forwarding server omits the Proxy-State attributes in
forwarded access-request, it MUST attach them to the response
sending it to the client

Rigney, et al. Standards Track [Page 9]

RFC 2865 RADIUS June 2000

We now examine each step in more detail

1. A NAS sends its access-request to the forwarding server.
forwarding server decrypts the User-Password, if present,
the shared secret it knows for the NAS. If a CHAP-
attribute is present in the packet and no CHAP-Challenge
is present, the forwarding server MUST leave the Request
Authenticator untouched or copy it to a CHAP-Challenge attribute

'' The forwarding server MAY add one Proxy-State attribute to
packet. (It MUST NOT add more than one.) If it adds a Proxy
State, the Proxy-State MUST appear after any other Proxy-States
the packet. The forwarding server MUST NOT modify any
Proxy-States that were in the packet (it may choose not to
them, but it MUST NOT change their contents). The
server MUST NOT change the order of any attributes of the
type, including Proxy-State

2. The forwarding server encrypts the User-Password, if present
using the secret it shares with the remote server, sets
Identifier as needed, and forwards the access-request to
remote server

3. The remote server (if the final destination) verifies the
using User-Password, CHAP-Password, or such method as
extensions may dictate, and returns an access-accept, access
reject or access-challenge back to the forwarding server.
this example, an access-accept is sent. The remote server
copy all Proxy-State attributes (and only the Proxy-
attributes) in order from the access-request to the
packet, without modifying them

4. The forwarding server verifies the Response Authenticator
the secret it shares with the remote server, and silently
the packet if it fails verification. If the packet
verification, the forwarding server removes the last Proxy-
(if it attached one), signs the Response Authenticator using
secret it shares with the NAS, restores the Identifier to
the one in the original request by the NAS, and sends the access
accept to the NAS

A forwarding server MAY need to modify attributes to enforce
policy. Such policy is outside the scope of this document, with
following restrictions. A forwarding server MUST not modify
Proxy-State, State, or Class attributes present in the packet

Rigney, et al. Standards Track [Page 10]

RFC 2865 RADIUS June 2000

Implementers of forwarding servers should consider carefully
values it is willing to accept for Service-Type.
consideration must be given to the effects of passing along Service
Types of NAS-Prompt or Administrative in a proxied Access-Accept,
implementers may wish to provide mechanisms to block those or
service types, or other attributes. Such mechanisms are outside
scope of this document

2.4. Why UDP

A frequently asked question is why RADIUS uses UDP instead of TCP
a transport protocol. UDP was chosen for strictly technical reasons

There are a number of issues which must be understood. RADIUS is
transaction based protocol which has several
characteristics

1. If the request to a primary Authentication server fails,
secondary server must be queried

To meet this requirement, a copy of the request must be kept
the transport layer to allow for alternate transmission.
means that retransmission timers are still required

2. The timing requirements of this particular protocol
significantly different than TCP provides

At one extreme, RADIUS does not require a "responsive"
of lost data. The user is willing to wait several seconds for
authentication to complete. The generally aggressive
retransmission (based on average round trip time) is not required
nor is the acknowledgement overhead of TCP

At the other extreme, the user is not willing to wait
minutes for authentication. Therefore the reliable delivery
TCP data two minutes later is not useful. The faster use of
alternate server allows the user to gain access before giving up

3. The stateless nature of this protocol simplifies the use of UDP

Clients and servers come and go. Systems are rebooted, or
power cycled independently. Generally this does not cause
problem and with creative timeouts and detection of lost
connections, code can be written to handle anomalous events.
however completely eliminates any of this special handling.
client and server can open their UDP transport just once and
it open through all types of failure events on the network

Rigney, et al. Standards Track [Page 11]

RFC 2865 RADIUS June 2000

4. UDP simplifies the server implementation

In the earliest implementations of RADIUS, the server was
threaded. This means that a single request was received
processed, and returned. This was found to be unmanageable
environments where the back-end security mechanism took real
(1 or more seconds). The server request queue would fill and
environments where hundreds of people were being
every minute, the request turn-around time increased to
than users were willing to wait (this was especially severe when
specific lookup in a database or over DNS took 30 or
seconds). The obvious solution was to make the server multi
threaded. Achieving this was simple with UDP. Separate
were spawned to serve each request and these processes
respond directly to the client NAS with a simple UDP packet to
original transport of the client

It's not all a panacea. As noted, using UDP requires one thing
is built into TCP: with UDP we must artificially
retransmission timers to the same server, although they don't
the same attention to timing provided by TCP. This one penalty is
small price to pay for the advantages of UDP in this protocol

Without TCP we would still probably be using tin cans connected
string. But for this particular protocol, UDP is a better choice

2.5. Retransmission

If the RADIUS server and alternate RADIUS server share the
shared secret, it is OK to retransmit the packet to the
RADIUS server with the same ID and Request Authenticator, because
content of the attributes haven't changed. If you want to use a
Request Authenticator when sending to the alternate server, you may

If you change the contents of the User-Password attribute (or
other attribute), you need a new Request Authenticator and
a new ID

If the NAS is retransmitting a RADIUS request to the same server
before, and the attributes haven't changed, you MUST use the
Request Authenticator, ID, and source port. If any attributes
changed, you MUST use a new Request Authenticator and ID

A NAS MAY use the same ID across all servers, or MAY keep track
IDs separately for each server, it is up to the implementer. If
NAS needs more than 256 IDs for outstanding requests, it MAY

Rigney, et al. Standards Track [Page 12]

RFC 2865 RADIUS June 2000

additional source ports to send requests from, and keep track of
for each source port. This allows up to 16 million or so
requests at one time to a single server

2.6. Keep-Alives Considered

Some implementers have adopted the practice of sending test
requests to see if a server is alive. This practice is
discouraged, since it adds to load and harms scalability
providing any additional useful information. Since a RADIUS
is contained in a single datagram, in the time it would take you
send a ping you could just send the RADIUS request, and getting
reply tells you that the RADIUS server is up. If you do not have
RADIUS request to send, it does not matter if the server is up
not, because you are not using it

If you want to monitor your RADIUS server, use SNMP. That's
SNMP is for

3. Packet

Exactly one RADIUS packet is encapsulated in the UDP Data field [4],
where the UDP Destination Port field indicates 1812 (decimal).

When a reply is generated, the source and destination ports
reversed

This memo documents the RADIUS protocol. The early deployment
RADIUS was done using UDP port number 1645, which conflicts with
"datametrics" service. The officially assigned port number
RADIUS is 1812.

Rigney, et al. Standards Track [Page 13]

RFC 2865 RADIUS June 2000

A summary of the RADIUS data format is shown below. The fields
transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

The Code field is one octet, and identifies the type of
packet. When a packet is received with an invalid Code field,
is silently discarded

RADIUS Codes (decimal) are assigned as follows

1 Access-
2 Access-
3 Access-
4 Accounting-
5 Accounting-
11 Access-
12 Status-Server (experimental
13 Status-Client (experimental
255

Codes 4 and 5 are covered in the RADIUS Accounting document [5].
Codes 12 and 13 are reserved for possible use, but are not
mentioned here

The Identifier field is one octet, and aids in matching
and replies. The RADIUS server can detect a duplicate request
it has the same client source IP address and source UDP port
Identifier within a short span of time

Rigney, et al. Standards Track [Page 14]

RFC 2865 RADIUS June 2000

The Length field is two octets. It indicates the length of
packet including the Code, Identifier, Length, Authenticator
Attribute fields. Octets outside the range of the Length
MUST be treated as padding and ignored on reception. If
packet is shorter than the Length field indicates, it MUST
silently discarded. The minimum length is 20 and maximum
is 4096.

The Authenticator field is sixteen (16) octets. The
significant octet is transmitted first. This value is used
authenticate the reply from the RADIUS server, and is used in
password hiding algorithm

Request

In Access-Request Packets, the Authenticator value is a 16
octet random number, called the Request Authenticator.
value SHOULD be unpredictable and unique over the lifetime of
secret (the password shared between the client and the
server), since repetition of a request value in
with the same secret would permit an attacker to reply with
previously intercepted response. Since it is expected that
same secret MAY be used to authenticate with servers
disparate geographic regions, the Request Authenticator
SHOULD exhibit global and temporal uniqueness

The Request Authenticator value in an Access-Request
SHOULD also be unpredictable, lest an attacker trick a
into responding to a predicted future request, and then use
response to masquerade as that server to a future Access
Request

Although protocols such as RADIUS are incapable of
against theft of an authenticated session via realtime
wiretapping attacks, generation of unique
requests can protect against a wide range of active
against authentication

The NAS and RADIUS server share a secret. That shared
followed by the Request Authenticator is put through a one-
MD5 hash to create a 16 octet digest value which is xored
the password entered by the user, and the xored result

Rigney, et al. Standards Track [Page 15]

RFC 2865 RADIUS June 2000

in the User-Password attribute in the Access-Request packet
See the entry for User-Password in the section on
for a more detailed description

Response

The value of the Authenticator field in Access-Accept, Access
Reject, and Access-Challenge packets is called the
Authenticator, and contains a one-way MD5 hash calculated
a stream of octets consisting of: the RADIUS packet,
with the Code field, including the Identifier, the Length,
Request Authenticator field from the Access-Request packet,
the response Attributes, followed by the shared secret.
is, ResponseAuth =
MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where +
denotes concatenation

Administrative

The secret (password shared between the client and the
server) SHOULD be at least as large and unguessable as a well
chosen password. It is preferred that the secret be at least 16
octets. This is to ensure a sufficiently large range for
secret to provide protection against exhaustive search attacks
The secret MUST NOT be empty (length 0) since this would
packets to be trivially forged

A RADIUS server MUST use the source IP address of the RADIUS
packet to decide which shared secret to use, so that
requests can be proxied

When using a forwarding proxy, the proxy must be able to alter
packet as it passes through in each direction - when the
forwards the request, the proxy MAY add a Proxy-State Attribute
and when the proxy forwards a response, it MUST remove its Proxy
State Attribute if it added one. Proxy-State is always added
removed after any other Proxy-States, but no other
regarding its location within the list of attributes can be made
Since Access-Accept and Access-Reject replies are authenticated
the entire packet contents, the stripping of the Proxy-
attribute invalidates the signature in the packet - so the
has to re-sign it

Further details of RADIUS proxy implementation are outside
scope of this document

Rigney, et al. Standards Track [Page 16]

RFC 2865 RADIUS June 2000

4. Packet

The RADIUS Packet type is determined by the Code field in the
octet of the Packet

4.1. Access-

Access-Request packets are sent to a RADIUS server, and
information used to determine whether a user is allowed access
a specific NAS, and any special services requested for that user
An implementation wishing to authenticate a user MUST transmit
RADIUS packet with the Code field set to 1 (Access-Request).

Upon receipt of an Access-Request from a valid client,
appropriate reply MUST be transmitted

An Access-Request SHOULD contain a User-Name attribute. It
contain either a NAS-IP-Address attribute or a NAS-
attribute (or both).

An Access-Request MUST contain either a User-Password or a CHAP
Password or a State. An Access-Request MUST NOT contain both
User-Password and a CHAP-Password. If future extensions
other kinds of authentication information to be conveyed,
attribute for that can be used in an Access-Request instead
User-Password or CHAP-Password

An Access-Request SHOULD contain a NAS-Port or NAS-Port-
attribute or both unless the type of access being requested
not involve a port or the NAS does not distinguish among
ports

An Access-Request MAY contain additional attributes as a hint
the server, but the server is not required to honor the hint

When a User-Password is present, it is hidden using a method
on the RSA Message Digest Algorithm MD5 [3].

Rigney, et al. Standards Track [Page 17]

RFC 2865 RADIUS June 2000

A summary of the Access-Request packet format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Request Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

1 for Access-Request

The Identifier field MUST be changed whenever the content of
Attributes field changes, and whenever a valid reply has
received for a previous request. For retransmissions,
Identifier MUST remain unchanged

Request

The Request Authenticator value MUST be changed each time a
Identifier is used

The Attribute field is variable in length, and contains the
of Attributes that are required for the type of service, as
as any desired optional Attributes

4.2. Access-

Access-Accept packets are sent by the RADIUS server, and
specific configuration information necessary to begin delivery
service to the user. If all Attribute values received in
Access-Request are acceptable then the RADIUS implementation
transmit a packet with the Code field set to 2 (Access-Accept).

Rigney, et al. Standards Track [Page 18]

RFC 2865 RADIUS June 2000

On reception of an Access-Accept, the Identifier field is
with a pending Access-Request. The Response Authenticator
MUST contain the correct response for the pending Access-Request
Invalid packets are silently discarded

A summary of the Access-Accept packet format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Response Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

2 for Access-Accept

The Identifier field is a copy of the Identifier field of
Access-Request which caused this Access-Accept

Response

The Response Authenticator value is calculated from the Access
Request value, as described earlier

The Attribute field is variable in length, and contains a list
zero or more Attributes

Rigney, et al. Standards Track [Page 19]

RFC 2865 RADIUS June 2000

4.3. Access-

If any value of the received Attributes is not acceptable,
the RADIUS server MUST transmit a packet with the Code field
to 3 (Access-Reject). It MAY include one or more Reply-
Attributes with a text message which the NAS MAY display to
user

A summary of the Access-Reject packet format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Response Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

3 for Access-Reject

The Identifier field is a copy of the Identifier field of
Access-Request which caused this Access-Reject

Response

The Response Authenticator value is calculated from the Access
Request value, as described earlier

The Attribute field is variable in length, and contains a list
zero or more Attributes

Rigney, et al. Standards Track [Page 20]

RFC 2865 RADIUS June 2000

4.4. Access-

If the RADIUS server desires to send the user a
requiring a response, then the RADIUS server MUST respond to
Access-Request by transmitting a packet with the Code field set
11 (Access-Challenge).

The Attributes field MAY have one or more Reply-
Attributes, and MAY have a single State Attribute, or none
Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-
attributes MAY also be included. No other Attributes defined
this document are permitted in an Access-Challenge

On receipt of an Access-Challenge, the Identifier field is
with a pending Access-Request. Additionally, the
Authenticator field MUST contain the correct response for
pending Access-Request. Invalid packets are silently discarded

If the NAS does not support challenge/response, it MUST treat
Access-Challenge as though it had received an Access-
instead

If the NAS supports challenge/response, receipt of a
Access-Challenge indicates that a new Access-Request SHOULD
sent. The NAS MAY display the text message, if any, to the user
and then prompt the user for a response. It then sends
original Access-Request with a new request ID and
Authenticator, with the User-Password Attribute replaced by
user's response (encrypted), and including the State
from the Access-Challenge, if any. Only 0 or 1 instances of
State Attribute can be present in an Access-Request

A NAS which supports PAP MAY forward the Reply-Message to
dialing client and accept a PAP response which it can use
though the user had entered the response. If the NAS cannot
so, it MUST treat the Access-Challenge as though it had
an Access-Reject instead

Rigney, et al. Standards Track [Page 21]

RFC 2865 RADIUS June 2000

A summary of the Access-Challenge packet format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Response Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

11 for Access-Challenge

The Identifier field is a copy of the Identifier field of
Access-Request which caused this Access-Challenge

Response

The Response Authenticator value is calculated from the Access
Request value, as described earlier

The Attributes field is variable in length, and contains a list
zero or more Attributes

5.

RADIUS Attributes carry the specific authentication, authorization
information and configuration details for the request and reply

The end of the list of Attributes is indicated by the Length of
RADIUS packet

Some Attributes MAY be included more than once. The effect of
is Attribute specific, and is specified in each
description. A summary table is provided at the end of
"Attributes" section

Rigney, et al. Standards Track [Page 22]

RFC 2865 RADIUS June 2000

If multiple Attributes with the same Type are present, the order
Attributes with the same Type MUST be preserved by any proxies.
order of Attributes of different Types is not required to
preserved. A RADIUS server or client MUST NOT have any
on the order of attributes of different types. A RADIUS server
client MUST NOT require attributes of the same type to be contiguous

Where an Attribute's description limits which kinds of packet it
be contained in, this applies only to the packet types defined
this document, namely Access-Request, Access-Accept, Access-
and Access-Challenge (Codes 1, 2, 3, and 11). Other
defining other packet types may also use Attributes described here
To determine which Attributes are allowed in Accounting-Request
Accounting-Response packets (Codes 4 and 5) refer to the
Accounting document [5].

Likewise where packet types defined here state that only
Attributes are permissible in them, future memos defining
Attributes should indicate which packet types the new Attributes
be present in

A summary of the Attribute format is shown below. The fields
transmitted from left to right

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

The Type field is one octet. Up-to-date values of the RADIUS
field are specified in the most recent "Assigned Numbers" RFC [6].
Values 192-223 are reserved for experimental use, values 224-240
are reserved for implementation-specific use, and values 241-255
are reserved and should not be used

A RADIUS server MAY ignore Attributes with an unknown Type

A RADIUS client MAY ignore Attributes with an unknown Type

Rigney, et al. Standards Track [Page 23]

RFC 2865 RADIUS June 2000

This specification concerns the following values

1 User-
2 User-
3 CHAP-
4 NAS-IP-
5 NAS-
6 Service-
7 Framed-
8 Framed-IP-
9 Framed-IP-
10 Framed-
11 Filter-
12 Framed-
13 Framed-
14 Login-IP-
15 Login-
16 Login-TCP-
17 (unassigned
18 Reply-
19 Callback-
20 Callback-
21 (unassigned
22 Framed-
23 Framed-IPX-
24
25
26 Vendor-
27 Session-
28 Idle-
29 Termination-
30 Called-Station-
31 Calling-Station-
32 NAS-
33 Proxy-
34 Login-LAT-
35 Login-LAT-
36 Login-LAT-
37 Framed-AppleTalk-
38 Framed-AppleTalk-
39 Framed-AppleTalk-
40-59 (reserved for accounting
60 CHAP-
61 NAS-Port-
62 Port-
63 Login-LAT-

Rigney, et al. Standards Track [Page 24]

RFC 2865 RADIUS June 2000

The Length field is one octet, and indicates the length of
Attribute including the Type, Length and Value fields. If
Attribute is received in an Access-Request but with an
Length, an Access-Reject SHOULD be transmitted. If an
is received in an Access-Accept, Access-Reject or Access-
packet with an invalid length, the packet MUST either be
as an Access-Reject or else silently discarded

The Value field is zero or more octets and contains
specific to the Attribute. The format and length of the
field is determined by the Type and Length fields

Note that none of the types in RADIUS terminate with a NUL (
00). In particular, types "text" and "string" in RADIUS do
terminate with a NUL (hex 00). The Attribute has a length
and does not use a terminator. Text contains UTF-8 encoded 10646
[7] characters and String contains 8-bit binary data. Servers
servers and clients MUST be able to deal with embedded nulls
RADIUS implementers using C are cautioned not to use strcpy()
handling strings

The format of the value field is one of five data types.
that type "text" is a subset of type "string".

text 1-253 octets containing UTF-8 encoded 10646 [7]
characters. Text of length zero (0) MUST NOT be sent
omit the entire attribute instead

string 1-253 octets containing binary data (values 0
255 decimal, inclusive). Strings of length zero (0)
MUST NOT be sent; omit the entire attribute instead

address 32 bit value, most significant octet first

integer 32 bit unsigned value, most significant octet first

time 32 bit unsigned value, most significant octet first --
seconds since 00:00:00 UTC, January 1, 1970.
standard Attributes do not use this data type but it
presented here for possible use in future attributes

Rigney, et al. Standards Track [Page 25]

RFC 2865 RADIUS June 2000

5.1. User-

This Attribute indicates the name of the user to be authenticated
It MUST be sent in Access-Request packets if available

It MAY be sent in an Access-Accept packet, in which case
client SHOULD use the name returned in the Access-Accept packet
all Accounting-Request packets for this session. If the Access
Accept includes Service-Type = Rlogin and the User-Name attribute
a NAS MAY use the returned User-Name when performing the
function

A summary of the User-Name Attribute format is shown below.
fields are transmitted from left to right

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

1 for User-Name

>= 3

The String field is one or more octets. The NAS may limit
maximum length of the User-Name but the ability to handle at
63 octets is recommended

The format of the username MAY be one of several forms

text Consisting only of UTF-8 encoded 10646 [7] characters

network access
A Network Access Identifier as described in RFC 2486
[8].

distinguished
A name in ASN.1 form used in Public Key
systems

Rigney, et al. Standards Track [Page 26]

RFC 2865 RADIUS June 2000

5.2. User-

This Attribute indicates the password of the user to
authenticated, or the user's input following an Access-Challenge
It is only used in Access-Request packets

On transmission, the password is hidden. The password is
padded at the end with nulls to a multiple of 16 octets. A one
way MD5 hash is calculated over a stream of octets consisting
the shared secret followed by the Request Authenticator.
value is XORed with the first 16 octet segment of the password
placed in the first 16 octets of the String field of the User
Password Attribute

If the password is longer than 16 characters, a second one-way MD
hash is calculated over a stream of octets consisting of
shared secret followed by the result of the first xor. That
is XORed with the second 16 octet segment of the password
placed in the second 16 octets of the String field of the User
Password Attribute

If necessary, this operation is repeated, with each xor
being used along with the shared secret to generate the next
to xor the next segment of the password, to no more than 128
characters

The method is taken from the book "Network Security" by Kaufman
Perlman and Speciner [9] pages 109-110. A more
explanation of the method follows

Call the shared secret S and the pseudo-random 128-bit
Authenticator RA. Break the password into 16-octet chunks p1, p2,
etc. with the last one padded at the end with nulls to a 16-
boundary. Call the ciphertext blocks c(1), c(2), etc. We'll
intermediate values b1, b2, etc

b1 = MD5(S + RA) c(1) = p1 xor b
b2 = MD5(S + c(1)) c(2) = p2 xor b
. .
. .
. .
bi = MD5(S + c(i-1)) c(i) = pi xor

The String will contain c(1)+c(2)+...+c(i) where +
concatenation

Rigney, et al. Standards Track [Page 27]

RFC 2865 RADIUS June 2000

On receipt, the process is reversed to yield the
password

A summary of the User-Password Attribute format is shown below.
fields are transmitted from left to right

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

2 for User-Password

At least 18 and no larger than 130.

The String field is between 16 and 128 octets long, inclusive

5.3. CHAP-

This Attribute indicates the response value provided by a
Challenge-Handshake Authentication Protocol (CHAP) user
response to the challenge. It is only used in Access-
packets

The CHAP challenge value is found in the CHAP-Challenge
(60) if present in the packet, otherwise in the
Authenticator field

A summary of the CHAP-Password Attribute format is shown below.
fields are transmitted from left to right

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | CHAP Ident | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Rigney, et al. Standards Track [Page 28]

RFC 2865 RADIUS June 2000

3 for CHAP-Password

19

CHAP

This field is one octet, and contains the CHAP Identifier from
user's CHAP Response

The String field is 16 octets, and contains the CHAP Response
the user

5.4. NAS-IP-

This Attribute indicates the identifying IP Address of the
which is requesting authentication of the user, and SHOULD
unique to the NAS within the scope of the RADIUS server. NAS-IP
Address is only used in Access-Request packets. Either NAS-IP
Address or NAS-Identifier MUST be present in an Access-
packet

Note that NAS-IP-Address MUST NOT be used to select the
secret used to authenticate the request. The source IP address
the Access-Request packet MUST be used to select the
secret

A summary of the NAS-IP-Address Attribute format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4 for NAS-IP-Address

Rigney, et al. Standards Track [Page 29]

RFC 2865 RADIUS June 2000

6

The Address field is four octets

5.5. NAS-

This Attribute indicates the physical port number of the NAS
is authenticating the user. It is only used in Access-
packets. Note that this is using "port" in its sense of
physical connection on the NAS, not in the sense of a TCP or
port number. Either NAS-Port or NAS-Port-Type (61) or both
be present in an Access-Request packet, if the NAS
among its ports

A summary of the NAS-Port Attribute format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

5 for NAS-Port

6

The Value field is four octets

Rigney, et al. Standards Track [Page 30]

RFC 2865 RADIUS June 2000

5.6. Service-

This Attribute indicates the type of service the user
requested, or the type of service to be provided. It MAY be
in both Access-Request and Access-Accept packets. A NAS is
required to implement all of these service types, and MUST
unknown or unsupported Service-Types as though an Access-
had been received instead

A summary of the Service-Type Attribute format is shown below.
fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

6 for Service-Type

6

The Value field is four octets

1
2
3 Callback
4 Callback
5
6
7 NAS
8 Authenticate
9 Callback NAS
10 Call
11 Callback

Rigney, et al. Standards Track [Page 31]

RFC 2865 RADIUS June 2000

The service types are defined as follows when used in an Access
Accept. When used in an Access-Request, they MAY be considered
be a hint to the RADIUS server that the NAS has reason to
the user would prefer the kind of service indicated, but
server is not required to honor the hint

Login The user should be connected to a host

Framed A Framed Protocol should be started for
User, such as PPP or SLIP

Callback Login The user should be disconnected and
back, then connected to a host

Callback Framed The user should be disconnected and
back, then a Framed Protocol should be
for the User, such as PPP or SLIP

Outbound The user should be granted access to
devices

Administrative The user should be granted access to
administrative interface to the NAS from
privileged commands can be executed

NAS Prompt The user should be provided a command
on the NAS from which non-privileged
can be executed

Authenticate Only Only Authentication is requested, and
authorization information needs to be
in the Access-Accept (typically used by
servers rather than the NAS itself).

Callback NAS Prompt The user should be disconnected and
back, then provided a command prompt on
NAS from which non-privileged commands can
executed

Call Check Used by the NAS in an Access-Request packet
indicate that a call is being received
that the RADIUS server should send back
Access-Accept to answer the call, or
Access-Reject to not accept the call
typically based on the Called-Station-Id
Calling-Station-Id attributes. It

Rigney, et al. Standards Track [Page 32]

RFC 2865 RADIUS June 2000

recommended that such Access-Requests use
value of Calling-Station-Id as the value
the User-Name

Callback
The user should be disconnected and
back, then granted access to
administrative interface to the NAS from
privileged commands can be executed

5.7. Framed-

This Attribute indicates the framing to be used for framed access
It MAY be used in both Access-Request and Access-Accept packets

A summary of the Framed-Protocol Attribute format is shown below
The fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

7 for Framed-Protocol

6

The Value field is four octets

1
2
3 AppleTalk Remote Access Protocol (ARAP
4 Gandalf proprietary SingleLink/MultiLink
5 Xylogics proprietary IPX/
6 X.75

Rigney, et al. Standards Track [Page 33]

RFC 2865 RADIUS June 2000

5.8. Framed-IP-

This Attribute indicates the address to be configured for
user. It MAY be used in Access-Accept packets. It MAY be used
an Access-Request packet as a hint by the NAS to the server
it would prefer that address, but the server is not required
honor the hint

A summary of the Framed-IP-Address Attribute format is shown below
The fields are transmitted from left to right

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

8 for Framed-IP-Address

6

The Address field is four octets. The value 0xFFFFFFFF
that the NAS Should allow the user to select an address (e.g
Negotiated). The value 0xFFFFFFFE indicates that the NAS
select an address for the user (e.g. Assigned from a pool
addresses kept by the NAS). Other valid values indicate that
NAS should use that value as the user's IP address

5.9. Framed-IP-

This Attribute indicates the IP netmask to be configured for
user when the user is a router to a network. It MAY be used
Access-Accept packets. It MAY be used in an Access-Request
as a hint by the NAS to the server that it would prefer
netmask, but the server is not required to honor the hint

Rigney, et al. Standards Track [Page 34]

RFC 2865 RADIUS