3 # Non Protocol Attributes used by FreeRADIUS
8 # The attributes number ranges are allocates as follows:
11 # server-side attributes which can go in a reply list
13 # These attributes CAN go in the reply item list.
14 ATTRIBUTE Fall-Through 500 integer
15 ATTRIBUTE Exec-Program 502 string
16 ATTRIBUTE Exec-Program-Wait 503 string
18 # These attributes CANNOT go in the reply item list.
22 # Attributes which cannot go in a reply list.
26 # Miscellaneous server attributes.
29 # Non-Protocol Attributes
30 # These attributes are used internally by the server
32 ATTRIBUTE Auth-Type 1000 integer
33 ATTRIBUTE Menu 1001 string
34 ATTRIBUTE Termination-Menu 1002 string
35 ATTRIBUTE Prefix 1003 string
36 ATTRIBUTE Suffix 1004 string
37 ATTRIBUTE Group 1005 string
38 ATTRIBUTE Crypt-Password 1006 string
39 ATTRIBUTE Connect-Rate 1007 integer
40 ATTRIBUTE Add-Prefix 1008 string
41 ATTRIBUTE Add-Suffix 1009 string
42 ATTRIBUTE Expiration 1010 date
43 ATTRIBUTE Autz-Type 1011 integer
44 ATTRIBUTE Acct-Type 1012 integer
45 ATTRIBUTE Session-Type 1013 integer
46 ATTRIBUTE Post-Auth-Type 1014 integer
47 ATTRIBUTE Pre-Proxy-Type 1015 integer
48 ATTRIBUTE Post-Proxy-Type 1016 integer
49 ATTRIBUTE Pre-Acct-Type 1017 integer
52 # This is the EAP type of authentication, which is set
53 # by the EAP module, for informational purposes only.
55 ATTRIBUTE EAP-Type 1018 integer
56 ATTRIBUTE EAP-TLS-Require-Client-Cert 1019 integer
57 ATTRIBUTE EAP-Id 1020 integer
58 ATTRIBUTE EAP-Code 1021 integer
59 # Attribute 1022 unused, was EAP-MD5-Password, which was
60 # used only be radeapclient. It's been replaced by Cleartext-Password
61 ATTRIBUTE PEAP-Version 1023 integer
62 ATTRIBUTE Client-Shortname 1024 string
63 ATTRIBUTE Load-Balance-Key 1025 string
69 ATTRIBUTE TNC-VLAN-Access 1027 string
70 ATTRIBUTE TNC-VLAN-Isolate 1028 string
71 ATTRIBUTE User-Category 1029 string
72 ATTRIBUTE Group-Name 1030 string
73 ATTRIBUTE Huntgroup-Name 1031 string
74 ATTRIBUTE Simultaneous-Use 1034 integer
75 ATTRIBUTE Strip-User-Name 1035 integer
76 ATTRIBUTE Hint 1040 string
77 ATTRIBUTE Pam-Auth 1041 string
78 ATTRIBUTE Login-Time 1042 string
79 ATTRIBUTE Stripped-User-Name 1043 string
80 ATTRIBUTE Current-Time 1044 string
81 ATTRIBUTE Realm 1045 string
82 ATTRIBUTE No-Such-Attribute 1046 string
83 ATTRIBUTE Packet-Type 1047 integer
84 ATTRIBUTE Proxy-To-Realm 1048 string
85 ATTRIBUTE Replicate-To-Realm 1049 string
86 ATTRIBUTE Acct-Session-Start-Time 1050 date
87 ATTRIBUTE Acct-Unique-Session-Id 1051 string
88 ATTRIBUTE Client-IP-Address 1052 ipaddr
89 ATTRIBUTE Ldap-UserDn 1053 string
90 ATTRIBUTE NS-MTA-MD5-Password 1054 string
91 ATTRIBUTE SQL-User-Name 1055 string
92 ATTRIBUTE LM-Password 1057 octets
93 ATTRIBUTE NT-Password 1058 octets
94 ATTRIBUTE SMB-Account-CTRL 1059 integer
95 ATTRIBUTE SMB-Account-CTRL-TEXT 1061 string
96 ATTRIBUTE User-Profile 1062 string
97 ATTRIBUTE Digest-Realm 1063 string
98 ATTRIBUTE Digest-Nonce 1064 string
99 ATTRIBUTE Digest-Method 1065 string
100 ATTRIBUTE Digest-URI 1066 string
101 ATTRIBUTE Digest-QOP 1067 string
102 ATTRIBUTE Digest-Algorithm 1068 string
103 ATTRIBUTE Digest-Body-Digest 1069 string
104 ATTRIBUTE Digest-CNonce 1070 string
105 ATTRIBUTE Digest-Nonce-Count 1071 string
106 ATTRIBUTE Digest-User-Name 1072 string
107 ATTRIBUTE Pool-Name 1073 string
108 ATTRIBUTE Ldap-Group 1074 string
109 ATTRIBUTE Module-Success-Message 1075 string
110 ATTRIBUTE Module-Failure-Message 1076 string
111 # X99-Fast 1077 integer
112 ATTRIBUTE Rewrite-Rule 1078 string
113 ATTRIBUTE Sql-Group 1079 string
114 ATTRIBUTE Response-Packet-Type 1080 integer
115 ATTRIBUTE Digest-HA1 1081 string
116 ATTRIBUTE MS-CHAP-Use-NTLM-Auth 1082 integer
117 ATTRIBUTE NTLM-User-Name 1083 string
118 ATTRIBUTE Packet-Src-IP-Address 1084 ipaddr
119 ATTRIBUTE Packet-Dst-IP-Address 1085 ipaddr
120 ATTRIBUTE Packet-Src-Port 1086 integer
121 ATTRIBUTE Packet-Dst-Port 1087 integer
122 ATTRIBUTE Packet-Authentication-Vector 1088 octets
123 ATTRIBUTE Time-Of-Day 1089 string
124 ATTRIBUTE Request-Processing-Stage 1090 string
125 ATTRIBUTE Cache-No-Caching 1091 string
126 ATTRIBUTE Cache-Delete-Cache 1092 string
127 ATTRIBUTE SHA-Password 1093 octets
128 ATTRIBUTE SSHA-Password 1094 octets
129 ATTRIBUTE SHA1-Password 1093 octets
130 ATTRIBUTE SSHA1-Password 1094 octets
131 ATTRIBUTE MD5-Password 1095 octets
132 ATTRIBUTE SMD5-Password 1096 octets
133 ATTRIBUTE Packet-Src-IPv6-Address 1097 ipv6addr
134 ATTRIBUTE Packet-Dst-IPv6-Address 1098 ipv6addr
135 ATTRIBUTE Virtual-Server 1099 string
136 ATTRIBUTE Cleartext-Password 1100 string
137 ATTRIBUTE Password-With-Header 1101 string
138 ATTRIBUTE Inner-Tunnel-User-Name 1102 string
141 # EAP-IKEv2 is experimental.
143 ATTRIBUTE EAP-IKEv2-IDType 1103 integer
145 VALUE EAP-IKEv2-IDType IPV4_ADDR 1
146 VALUE EAP-IKEv2-IDType FQDN 2
147 VALUE EAP-IKEv2-IDType RFC822_ADDR 3
148 VALUE EAP-IKEv2-IDType IPV6_ADDR 5
149 VALUE EAP-IKEv2-IDType DER_ASN1_DN 9
150 VALUE EAP-IKEv2-IDType DER_ASN1_GN 10
151 VALUE EAP-IKEv2-IDType KEY_ID 11
153 ATTRIBUTE EAP-IKEv2-ID 1104 string
154 ATTRIBUTE EAP-IKEv2-Secret 1105 string
155 ATTRIBUTE EAP-IKEv2-AuthType 1106 string
157 VALUE EAP-IKEv2-AuthType none 0
158 VALUE EAP-IKEv2-AuthType secret 1
159 VALUE EAP-IKEv2-AuthType cert 2
160 VALUE EAP-IKEv2-AuthType both 3
164 # EAP-SIM (and other EAP type) weirdness.
166 # For EAP-SIM, some attribute definitions for database interface
168 ATTRIBUTE EAP-Sim-Subtype 1200 integer
170 ATTRIBUTE EAP-Sim-Rand1 1201 octets
171 ATTRIBUTE EAP-Sim-Rand2 1202 octets
172 ATTRIBUTE EAP-Sim-Rand3 1203 octets
174 ATTRIBUTE EAP-Sim-SRES1 1204 octets
175 ATTRIBUTE EAP-Sim-SRES2 1205 octets
176 ATTRIBUTE EAP-Sim-SRES3 1206 octets
178 VALUE EAP-Sim-Subtype Start 10
179 VALUE EAP-Sim-Subtype Challenge 11
180 VALUE EAP-Sim-Subtype Notification 12
181 VALUE EAP-Sim-Subtype Re-authentication 13
183 # this attribute is used internally by the client code.
184 ATTRIBUTE EAP-Sim-State 1207 integer
186 ATTRIBUTE EAP-Sim-IMSI 1208 string
187 ATTRIBUTE EAP-Sim-HMAC 1209 string
188 ATTRIBUTE EAP-Sim-KEY 1210 octets
189 ATTRIBUTE EAP-Sim-EXTRA 1211 octets
191 ATTRIBUTE EAP-Sim-KC1 1212 octets
192 ATTRIBUTE EAP-Sim-KC2 1213 octets
193 ATTRIBUTE EAP-Sim-KC3 1214 octets
197 # EAP-type specific attributes
200 # these are PW_EAP_X + 1280
201 ATTRIBUTE EAP-Type-Identity 1281 string
202 ATTRIBUTE EAP-Type-Notification 1282 string
203 ATTRIBUTE EAP-Type-NAK 1283 string
204 ATTRIBUTE EAP-Type-MD5 1284 octets
205 ATTRIBUTE EAP-Type-OTP 1285 string
206 ATTRIBUTE EAP-Type-GTC 1286 string
207 ATTRIBUTE EAP-Type-TLS 1297 octets
208 ATTRIBUTE EAP-Type-SIM 1298 octets
209 ATTRIBUTE EAP-Type-LEAP 1301 octets
210 ATTRIBUTE EAP-Type-SIM2 1302 octets
211 ATTRIBUTE EAP-Type-TTLS 1305 octets
212 ATTRIBUTE EAP-Type-PEAP 1309 octets
219 # these are PW_EAP_SIM_X + 1536
220 ATTRIBUTE EAP-Sim-RAND 1537 octets
221 ATTRIBUTE EAP-Sim-PADDING 1542 octets
222 ATTRIBUTE EAP-Sim-NONCE_MT 1543 octets
223 ATTRIBUTE EAP-Sim-PERMANENT_ID_REQ 1546 octets
224 ATTRIBUTE EAP-Sim-MAC 1547 octets
225 ATTRIBUTE EAP-Sim-NOTIFICATION 1548 octets
226 ATTRIBUTE EAP-Sim-ANY_ID_REQ 1549 octets
227 ATTRIBUTE EAP-Sim-IDENTITY 1550 octets
228 ATTRIBUTE EAP-Sim-VERSION_LIST 1551 octets
229 ATTRIBUTE EAP-Sim-SELECTED_VERSION 1552 octets
230 ATTRIBUTE EAP-Sim-FULLAUTH_ID_REQ 1553 octets
231 ATTRIBUTE EAP-Sim-COUNTER 1555 octets
232 ATTRIBUTE EAP-Sim-COUNTER_TOO_SMALL 1556 octets
233 ATTRIBUTE EAP-Sim-NONCE_S 1557 octets
234 ATTRIBUTE EAP-Sim-IV 1665 octets
235 ATTRIBUTE EAP-Sim-ENCR_DATA 1666 octets
236 ATTRIBUTE EAP-Sim-NEXT_PSEUDONUM 1668 octets
237 ATTRIBUTE EAP-Sim-NEXT_REAUTH_ID 1669 octets
238 ATTRIBUTE EAP-Sim-CHECKCODE 1670 octets
242 # Temporary attributes, for local storage.
244 ATTRIBUTE Tmp-String-0 1800 string
245 ATTRIBUTE Tmp-String-1 1801 string
246 ATTRIBUTE Tmp-String-2 1802 string
247 ATTRIBUTE Tmp-String-3 1803 string
248 ATTRIBUTE Tmp-String-4 1804 string
249 ATTRIBUTE Tmp-String-5 1805 string
250 ATTRIBUTE Tmp-String-6 1806 string
251 ATTRIBUTE Tmp-String-7 1807 string
252 ATTRIBUTE Tmp-String-8 1808 string
253 ATTRIBUTE Tmp-String-9 1809 string
255 ATTRIBUTE Tmp-Integer-0 1810 integer
256 ATTRIBUTE Tmp-Integer-1 1811 integer
257 ATTRIBUTE Tmp-Integer-2 1812 integer
258 ATTRIBUTE Tmp-Integer-3 1813 integer
259 ATTRIBUTE Tmp-Integer-4 1814 integer
260 ATTRIBUTE Tmp-Integer-5 1815 integer
261 ATTRIBUTE Tmp-Integer-6 1816 integer
262 ATTRIBUTE Tmp-Integer-7 1817 integer
263 ATTRIBUTE Tmp-Integer-8 1818 integer
264 ATTRIBUTE Tmp-Integer-9 1819 integer
266 ATTRIBUTE Tmp-IP-Address-0 1820 ipaddr
267 ATTRIBUTE Tmp-IP-Address-1 1821 ipaddr
268 ATTRIBUTE Tmp-IP-Address-2 1822 ipaddr
269 ATTRIBUTE Tmp-IP-Address-3 1823 ipaddr
270 ATTRIBUTE Tmp-IP-Address-4 1824 ipaddr
271 ATTRIBUTE Tmp-IP-Address-5 1825 ipaddr
272 ATTRIBUTE Tmp-IP-Address-6 1826 ipaddr
273 ATTRIBUTE Tmp-IP-Address-7 1827 ipaddr
274 ATTRIBUTE Tmp-IP-Address-8 1828 ipaddr
275 ATTRIBUTE Tmp-IP-Address-9 1829 ipaddr
282 # Site-local attributes (see raddb/dictionary.in)
283 # Do NOT define attributes in this range!
289 # Invalid. Don't use.
293 # Non-Protocol Integer Translations
296 VALUE Auth-Type Local 0
297 VALUE Auth-Type System 1
298 VALUE Auth-Type SecurID 2
299 VALUE Auth-Type Crypt-Local 3
300 VALUE Auth-Type Reject 4
301 VALUE Auth-Type ActivCard 5
302 VALUE Auth-Type EAP 6
303 VALUE Auth-Type ARAP 7
306 # FreeRADIUS extensions (most originally from Cistron)
308 VALUE Auth-Type Accept 254
310 VALUE Auth-Type PAP 1024
311 VALUE Auth-Type CHAP 1025
312 # 1026 was LDAP, but we deleted it. Adding it back will break the
314 VALUE Auth-Type PAM 1027
315 VALUE Auth-Type MS-CHAP 1028
316 VALUE Auth-Type MSCHAP 1028
317 VALUE Auth-Type Kerberos 1029
318 VALUE Auth-Type CRAM 1030
319 VALUE Auth-Type NS-MTA-MD5 1031
320 # 1032 is unused (was a duplicate of CRAM)
321 VALUE Auth-Type SMB 1033
324 # Authorization type, too.
326 VALUE Autz-Type Local 0
331 VALUE Acct-Type Local 0
334 # And Session handling
336 VALUE Session-Type Local 0
340 VALUE Post-Auth-Type Local 0
343 # Experimental Non-Protocol Integer Translations for FreeRADIUS
345 VALUE Fall-Through No 0
346 VALUE Fall-Through Yes 1
348 VALUE Strip-User-Name No 0
349 VALUE Strip-User-Name Yes 1
351 VALUE Packet-Type Access-Request 1
352 VALUE Packet-Type Access-Accept 2
353 VALUE Packet-Type Access-Reject 3
354 VALUE Packet-Type Accounting-Request 4
355 VALUE Packet-Type Accounting-Response 5
356 VALUE Packet-Type Accounting-Status 6
357 VALUE Packet-Type Password-Request 7
358 VALUE Packet-Type Password-Accept 8
359 VALUE Packet-Type Password-Reject 9
360 VALUE Packet-Type Accounting-Message 10
361 VALUE Packet-Type Access-Challenge 11
362 VALUE Packet-Type Status-Server 12
363 VALUE Packet-Type Status-Client 13
366 # The following packet types are described in RFC 2882,
367 # but they are NOT part of the RADIUS standard. Instead,
368 # they are informational about vendor-specific extensions
369 # to the RADIUS standard.
371 VALUE Packet-Type Resource-Free-Request 21
372 VALUE Packet-Type Resource-Free-Response 22
373 VALUE Packet-Type Resource-Query-Request 23
374 VALUE Packet-Type Resource-Query-Response 24
375 VALUE Packet-Type Alternate-Resource-Reclaim-Request 25
376 VALUE Packet-Type NAS-Reboot-Request 26
377 VALUE Packet-Type NAS-Reboot-Response 27
378 VALUE Packet-Type Next-Passcode 29
379 VALUE Packet-Type New-Pin 30
380 VALUE Packet-Type Terminate-Session 31
381 VALUE Packet-Type Password-Expired 32
382 VALUE Packet-Type Event-Request 33
383 VALUE Packet-Type Event-Response 34
385 # RFC 3576 allocates packet types 40-45
387 VALUE Packet-Type Disconnect-Request 40
388 VALUE Packet-Type Disconnect-ACK 41
389 VALUE Packet-Type Disconnect-NAK 42
390 VALUE Packet-Type CoA-Request 43
391 VALUE Packet-Type CoA-ACK 44
392 VALUE Packet-Type CoA-NAK 45
394 VALUE Packet-Type IP-Address-Allocate 50
395 VALUE Packet-Type IP-Address-Release 51
397 VALUE Response-Packet-Type Access-Request 1
398 VALUE Response-Packet-Type Access-Accept 2
399 VALUE Response-Packet-Type Access-Reject 3
400 VALUE Response-Packet-Type Accounting-Request 4
401 VALUE Response-Packet-Type Accounting-Response 5
402 VALUE Response-Packet-Type Accounting-Status 6
403 VALUE Response-Packet-Type Password-Request 7
404 VALUE Response-Packet-Type Password-Accept 8
405 VALUE Response-Packet-Type Password-Reject 9
406 VALUE Response-Packet-Type Accounting-Message 10
407 VALUE Response-Packet-Type Access-Challenge 11
408 VALUE Response-Packet-Type Status-Server 12
409 VALUE Response-Packet-Type Status-Client 13
414 VALUE Response-Packet-Type Do-Not-Respond 256
417 # EAP Sub-types, inside of Request and Response packets
419 # http://www.iana.org/assignments/ppp-numbers
420 # "PPP EAP REQUEST/RESPONSE TYPES"
423 # See dictionary.microsoft, MS-Acct-EAP-Type for similar definitions
425 VALUE EAP-Type None 0
426 VALUE EAP-Type Identity 1
427 VALUE EAP-Type Notification 2
429 VALUE EAP-Type MD5-Challenge 4
430 VALUE EAP-Type One-Time-Password 5
431 VALUE EAP-Type Generic-Token-Card 6
432 VALUE EAP-Type RSA-Public-Key 9
433 VALUE EAP-Type DSS-Unilateral 10
434 VALUE EAP-Type KEA 11
435 VALUE EAP-Type KEA-Validate 12
436 VALUE EAP-Type EAP-TLS 13
437 VALUE EAP-Type Defender-Token 14
438 VALUE EAP-Type RSA-SecurID-EAP 15
439 VALUE EAP-Type Arcot-Systems-EAP 16
440 VALUE EAP-Type Cisco-LEAP 17
441 VALUE EAP-Type Nokia-IP-Smart-Card 18
442 VALUE EAP-Type SIM 18
443 VALUE EAP-Type SRP-SHA1-Part-1 19
444 VALUE EAP-Type SRP-SHA1-Part-2 20
445 VALUE EAP-Type EAP-TTLS 21
446 VALUE EAP-Type Remote-Access-Service 22
447 VALUE EAP-Type UMTS 23
448 VALUE EAP-Type EAP-3Com-Wireless 24
449 VALUE EAP-Type PEAP 25
450 VALUE EAP-Type MS-EAP-Authentication 26
451 VALUE EAP-Type MAKE 27
452 VALUE EAP-Type CRYPTOCard 28
453 VALUE EAP-Type EAP-MSCHAP-V2 29
454 VALUE EAP-Type DynamID 30
455 VALUE EAP-Type Rob-EAP 31
456 VALUE EAP-Type SecurID-EAP 32
457 VALUE EAP-Type MS-Authentication-TLV 33
458 VALUE EAP-Type SentriNET 34
459 VALUE EAP-Type EAP-Actiontec-Wireless 35
460 VALUE EAP-Type Cogent-Biomentric-EAP 36
461 VALUE EAP-Type AirFortress-EAP 37
462 VALUE EAP-Type EAP-HTTP-Digest 38
463 VALUE EAP-Type SecuriSuite-EAP 39
464 VALUE EAP-Type DeviceConnect-EAP 40
465 VALUE EAP-Type EAP-SPEKE 41
466 VALUE EAP-Type EAP-MOBAC 42
469 # These are duplicate values, to get around the problem of
470 # having two MS-CHAPv2 EAP types.
472 VALUE EAP-Type Microsoft-MS-CHAPv2 26
473 VALUE EAP-Type Cisco-MS-CHAPv2 29
476 # And this is what most people mean by MS-CHAPv2
478 VALUE EAP-Type MS-CHAP-V2 26
481 # This says TLS, but it's only valid for TTLS & PEAP.
482 # EAP-TLS *always* requires a client certificate.
484 VALUE EAP-TLS-Require-Client-Cert No 0
485 VALUE EAP-TLS-Require-Client-Cert Yes 1
488 # These are the EAP-Code values.
490 VALUE EAP-Code Request 1
491 VALUE EAP-Code Response 2
492 VALUE EAP-Code Success 3
493 VALUE EAP-Code Failure 4
496 # For MS-CHAP, do we run ntlm_auth, or not.
498 VALUE MS-CHAP-Use-NTLM-Auth No 0
499 VALUE MS-CHAP-Use-NTLM-Auth Yes 1