1

User-Name

Refers to the user to be authenticated in the Access-Request. The format for IPoE/PPPoE hosts depends on configuration parameters pppoe-access-method, ppp-user-name or user-name-format in the CLI context configure subscriber-mgmt authentication-policy name. The format for ARP-hosts is not configurable and always the host IPv4-address. The RADIUS User-Name specified in an Access-Accept or CoA is reflected in the corresponding accounting messages. The attribute is included in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute user-name.

2

User-Password

The password of the user to be authenticated, or the user's input following an Access-Challenge. For PPPoE users it indirectly maps to the password provided by a PPPoE PAP user in response to the PAP Authenticate-Request. For IPoE/ARP hosts it indirectly maps to a preconfigured password (configure subscriber-mgmt authentication-policy name password password or configure aaa isa-radius-policy name password password).

3

CHAP-Password

Provided by a PPPoE CHAP user in response to the CHAP challenge. The CHAP challenge sent by the NAS to a PPPoE CHAP user is part of the CHAP authentication sequence RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP), (Challenge, Response, Success, Failure). The user generated CHAP password length is equal to the defined Limits and contains a one byte CHAP-Identifier from the user's CHAP Response followed by the CHAP Response from the user.

4

NAS-IP-Address

The identifying IP Address of the NAS requesting the Authentication or Accounting. Included when the RADIUS server is reachable via IPv4. The address is determined by the routing instance through which the RADIUS server can be reached:

The address can be overwritten with the configured source-address (configure aaa radius-server-policy policy-name servers source-address ip-address).

5

NAS-Port

The physical access-circuit on the NAS which is used for the Authentication or Accounting of the user. The format of this attribute is configurable on the NAS as a fixed 32 bit value or a parameterized 32 bit value. The parameters can be a combination of outer-vlan-id(o), inner-vlan-id(i), slot number(s), MDA number(m), port number or lag-id(p), ATM VPI(v) and ATM VCI(c), fixed bit values zero (0) or one (1) but cannot exceed 32 bit. The format can be configured for following applications: configure aaa l2tp-accounting-policy name include-radius-attribute nas-port, configure router l2tp cisco-nas-port, configure service vprn service-id l2tp cisco-nas-port, configure subscriber-mgmt authentication-policy name include-radius-attribute nas-port, configure subscriber-mgmt radius-accounting-policy name include-radius-attribute nas-port.

6

Service-Type

The type of service the PPPoE user has requested, or the type of service to be provided for the PPPoE user. Optional in RADIUS-Accept and CoA. Treated as a session setup failure if different from Framed-User.

7

Framed-Protocol

The framing to be used for framed access in case of PPPoE users. Optional in RADIUS-Accept and CoA. Treated as a session setup failure if different from PPP.

8

Framed-IP-Address

The IPv4 address to be configured for the host via DHCPv4 (RADIUS proxy), IPCP (PPPoE), or data-triggered subscriber management. Simultaneously returned [88] Framed-Pool and [8] Framed-IP-Address (RADIUS Access-Accept) attributes are handled as host setup failures. Attribute is also used in CoA and Disconnect messages (part of the ESM or AA user identification key). Attribute can be omitted in accounting via the configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no framed-ip-addr command.

9

Framed-IP-Netmask

The IP netmask to be configured for the user when the user is a router to a network. For DHCPv4 users, the attribute maps to DHCPv4 option [1] Subnet mask and is mandatory if [8] Framed-IP-Address is also returned. For PPPoE residential access, the attribute should be set to 255.255.255.255 (also the default value if the attribute is omitted). For PPPoE business access, the attribute maps to PPPoE IPCP option [144] Subnet-Mask only when the user requests this option and if the node parameter configure subscriber-mgmt ppp-policy ppp-policy-name ipcp-subnet-negotiation is set. Attribute is omitted in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no framed-ip-netmask.

18

Reply-Message

Text that may be displayed to the user by a PPPoE client as a success, failure or dialogue message. It is mapped to the message field from the PAP/CHAP authentication replies to the user. Omitting this attribute results in standard reply messages: login ok and login incorrect for PAP, CHAP authentication success and CHAP authentication failure for CHAP. String length greater than the defined Limits are accepted but truncated at this boundary.

22

Framed-Route

Routing information (IPv4 managed route) to be configured on the NAS for a host (DHCP, PPPoE, ARP, or data-triggered) that operates as a router without NAT (routed subscriber host). The route included in the Framed-Route attribute is accepted as a managed route only if its next-hop points to the hosts ip-address, if the next-hop address equals 0.0.0.0, or if the included route is a valid classful network, in which case the subnet-mask is omitted. If neither is applicable, this specific framed-route attribute is ignored and the host is instantiated without this specific managed route installed. A Framed-Route attribute is also ignored if the SAP does not have anti-spoof configured to nh-mac (the host is installed as a standalone host without a managed route). Any routes above the configured Limits are silently ignored. Optionally, a metric, tag or protocol preference can be specified for the managed route. If the metrics are not specified, specified in a wrong format, or specified with out-of-range values, then the default values are used for all metrics: metric=0, no tag and preference=0.

If an identical managed route is associated with different routed subscriber hosts in the context of the same IES/VPRN service up to max-ecmp-routes managed routes are installed in the routing table (configured as ecmp max-ecmp-routes in the routing instance). Candidate ECMP Framed-Routes have identical prefix, equal lowest preference and equal lowest metric. The “lowest ip next-hop” is the tie breaker if more candidate ECMP Framed-Routes are available than the configured max-ecmp-routes. Other identical managed routes are shadowed (not installed in the routing table) and an event is logged. An alternative to RADIUS managed routes are managed routes via host dynamic BGP peering.

Valid RADIUS learned managed routes can be included in RADIUS accounting messages with following configuration: configure subscriber-mgmt radius-accounting-policy name include-radius-attribute framed-route. Associated managed routes for an instantiated routed subscriber host are included in RADIUS accounting messages independent of the state of the managed route (Installed, Shadowed or HostInactive).

25

Class

Attribute sent by the RADIUS server to the NAS in an Access-Accept or CoA and is sent unmodified by the NAS to the Accounting server as part of the Accounting-Request packet. Strings with a length longer than the defined Limits are accepted but truncated to this boundary.

27

Session-Timeout

Sets the maximum number of seconds of service to be provided to the user (IPoEv4 host, PPPoE or IPoE session) before termination of the session. The attribute equals [26.6527.160] Alc-Relative-Session-Timeout when received in Access-Accept since current session time portion is then equal to zero. Value zero sets the session-timeout to infinite (no session-timeout). The attribute is CoA NAK'd if its value is smaller than the current-session time. Simultaneous received [27] Session-Timeout and [26.6527.160] Alc-Relative-Session-Timeout are treated as an error condition (setup failure if received via Access-Accept and NAK’d if received via CoA). With IPoE session disabled for IPoEv4 radius proxy and CoA create-host scenarios, [27] Session-Timeout is interpreted as lease-time instead of session-time if [26.6527.174] Alc-Lease-Time is omitted.

For WLAN-GW group interfaces, the interpretation of the Session-Timeout attribute is configured with: configure service ies | vprn service-id subscriber-interface ip-int-name group-interface ip-int-name wlangw ipoe-session radius-session-timeout {backwards-compatible | ignore | absolute}.

28

Idle-Timeout

Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session (IPoE/PPPoE) or a connectivity check is triggered (IPoE). Values outside the allowed Limits are accepted but rounded to these boundaries. A value of zero is treated as an infinite idle-timeout. The idle-timeout handling on the node is implemented via category-maps (configure subscriber-mgmt category-map category-map-name and configure subscriber-mgmt sla-profile sla-profile-name category-map category-map-name).

30

Called-Station-Id

Allows the NAS to send in an Access Request and/or Accounting Request information with respect to the user called. Attribute is omitted in authentication/accounting via: configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute no called-station-id.

Supported applications:

31

Calling-Station-Id

Allows the NAS to send unique information identifying the user who requested the service. This format is driven by configuration (configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute calling-station-id <llid | mac | remote-id | sap-id | sap-string>). The LLID (logical link identifier) is the mapping from a physical to logical identification of a subscriber line and supplied by a RADIUS llid-server. The sap-string maps to configure service ies | vprn service-id subscriber-interface ip-int-name group-interface ip-int-name sap sap-id calling-station-id sap-string. A [31] Calling-Station-Id attribute value longer than the allowed maximum is treated as a setup failure. The attribute is omitted in authentication/accounting via configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute no calling-station-id.

32

NAS-Identifier

A string (configure system name system-name) identifying the NAS originating the Authentication or Accounting requests and sent when nas-identifier is included for the corresponding application: include-radius-attribute nas-identifier in configure subscriber-mgmt authentication-policy (ESM authentication), configure subscriber-mgmt radius-accounting-policy (ESM accounting), configure aaa isa-radius-policy (LSN accounting, WLAN-GW) and configure aaa l2tp-accounting-policy (L2TP accounting).

44

Acct-Session-Id

A unique identifier that represents the subscriber host or session that is authenticated. This attribute can be used as CoA or Disconnect Message key to target the host or session and is reflected in the accounting messages for this host or session. The attribute is included or excluded based on configure subscriber-mgmt authentication-policy name include-radius-attribute acct-session-id [host | session]. For PPPoE, either the host acct-session-id (default) or the session acct-session-id is included.

60

CHAP-Challenge

The CHAP challenge sent by the NAS to a PPPoE CHAP user as part of the chap authentication sequence RFC 1994 (Challenge, Response, Success, Failure). The generated challenge length for each new pppoe session is by default a random value from 32 to 64 bytes unless configured different under configure subscriber-mgmt ppp-policy ppp-policy-name ppp-chap-challenge-length [8 to 64] or configure service vprn service-id | router l2tp group tunnel-group-name ppp chap-challenge-length [8 to 64] for LNS (the command can also be specified at the tunnel level). The CHAP challenge value is copied into the request-authenticator field of the RADIUS Access-Request message if the minimum and maximum value is configured at exact 16 (RFC 2865, Remote Authentication Dial In User Service (RADIUS), section 2.2, Interoperation with PAP and CHAP). Attribute CHAP-Password is provided by a PPPoE CHAP user in response to the [60] CHAP-challenge.

61

NAS-Port-Type

The type of the physical port of the NAS which is authenticating the user and value automatically determined from subscriber SAP encapsulation. It can be overruled by configuration. Included only if include-radius-attribute nas-port-type is added per application: configure subscriber-mgmt authentication-policy (ESM authentication), configure subscriber-mgmt radius-accounting-policy (ESM accounting), configure aaa isa-radius-policy (LSN accounting, WLAN-GW) and configure aaa l2tp-accounting-policy (L2TP accounting). Checked for correctness if returned in CoA.

The NAS-Port-Type attribute is always included when the Nas-Port-Id is also included.

85

Acct-Interim-Interval

The interval, in seconds, at which Acct-Interim-Update messages should be generated for the first RADIUS Accounting Policy in the subscriber profile. Overrides the local configured update-interval value in the RADIUS accounting policy. This only takes effect if interim-updates are enabled for one of the accounting modes in the RADIUS Accounting Policy.

An attribute value of 0 disables the generation of Acct-Interim-Update messages.

Attribute [85] Acct-Interim-Interval takes precedence over [26.6527.232] Alc-Acct-Interim-IvI with tag 1 when both are included. Attribute values outside the allowed limits are accepted but are rounded to the minimum or maximum limit.

87

NAS-Port-Id

A text string which identifies the physical/logical port of the NAS which is authenticating the user and/or reported for accounting. Attribute is also used in CoA and Disconnect Message (part of the user identification-key). See [87] NAS-Port-Id Attribute Details for a detailed description of the attribute format.

The NAS-Port-Id can have an optional prefix-string (max 8 chars) and suffix-string (max 64 chars) added for Authentication and Accounting (configure subscriber-mgmt radius-accounting-policy | authentication-policy name include-radius-attribute nas-port-id [prefix-string string] [suffix circuit-id|remote-id]).

Included only if include-radius-attribute nas-port-id is added per application: configure subscriber-mgmt authentication-policy (ESM authentication), configure subscriber-mgmt radius-accounting-policy (ESM accounting), configure aaa isa-radius-policy (LSN accounting, WLAN-GW) and configure aaa l2tp-accounting-policy (L2TP accounting). For a capture-sap, the nas-port-id attribute is always included in authentication requests.

88

Framed-Pool

The name of one address pool or the name of a primary and secondary address pool separated with a one character configurable delimiter (configure router/service vprn service-id dhcp local-dhcp-server server-name use-pool-from-client delimiter delimiter) that should be used to assign an address for the user and maps to either:

1) dhcpv4 option [82] vendor-specific-option [9] sub-option [13] dhcpPool if option is enabled on the node (configure service ies/vprn service-id subscriber-interface ip-int-name group-interface ip-int-name dhcp option vendor-specific-option pool-name) or

2) used directly as pool-name in the local configured dhcp server when local-address-assignment is used and client-application is ppp-v4 (configure service ies/vprn service-id subscriber-interface ip-int-name group-interface ip-int-name local-address-assignment). Alternative to [26.2352.36] Ip-Address-Pool-Name and [26.4874.2] ERX-Address-Pool-Name. Framed-Pool names longer than the allowed maximum are treated as host setup failures. Simultaneous returned attributes [88] Framed-Pool and [8] Framed-IP-Address are also handled as host setup failures.

95

NAS-IPv6-Address

The identifying IP Address of the NAS requesting the Authentication or Accounting. Included when the RADIUS server is reachable via IPv6.

The address is determined by the routing instance through which the RADIUS server can be reached:

“Management” — The active IPv6 address in the Boot Options File (bof address ipv6-address).

“Base” or “VPRN” — The IPv6 address of the system interface (configure router interface system ipv6 address ipv6-address).

The address can be overwritten with the configured ipv6-source-address (configure aaa radius-server-policy policy-name servers ipv6-source-address ipv6-address).

97

Framed-IPv6-Prefix

The IPv6 prefix or prefix length to be configured via SLAAC (Router Advertisement) to the WAN side of the user. Any non /64 prefix-length for SLAAC host creation is treated as a session setup failure for this host. This attribute is an alternative to [100] Framed-IPv6-Pool and [26.6527.99] Alc-IPv6-Address, which assigns IPv6 addressing to the wan-side of a host via DHCPv6 IA-NA. Attribute is also used in CoA and Disconnect Message (part of the ESM or AA user identification-key). Attribute is omitted in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no framed-ipv6-prefix.

99

Framed-IPv6-Route

Routing information (IPv6 managed route) to be configured on the NAS for an IPv6 WAN host (IPoE or PPPoE) that operates as a router. The functionality is comparable with offering multiple PD prefixes for a single host. The route included in the Framed-IPv6-Route attribute is accepted as a managed route only if its next hop is a WAN host (DHCPv6 IA-NA, SLAAC, or /128 data-triggered). Therefore, Framed-IPv6-Routes with an explicitly configured gateway prefix of a pd-host (DHCPv6 IA-PD) will not be installed. A Framed-Route attribute is also ignored if the SAP does not have anti-spoof configured to nh-mac (the host is installed as a standalone host without managed route). Any routes above the configured limits are silently ignored.

Optionally, a metric, tag, or protocol preference can be specified for the managed route. If the metrics are not specified, specified in a wrong format, or specified with out-of-range values, then the following default values are used for all metrics: metric=0, no tag, and preference=0.

If an identical managed route is associated with different routed subscriber hosts in the context of the same IES or VPRN service, up to max-ecmp-routes managed routes are installed in the routing table (configured as ecmp max-ecmp-routes in the routing instance). Candidate ECMP Framed-IPv6-Routes have an identical prefix, equal lowest preference, and equal lowest metric. The lowest IP next hop is the tie breaker if more candidate ECMP Framed-IPv6-Routes are available than the configured max-ecmp-routes. Other identical managed routes are shadowed (not installed in the routing table) and an event is logged. Valid RADIUS-learned managed routes can be included in RADIUS accounting messages with the following configuration: configure subscriber-mgmt radius-accounting-policy name include-radius-attribute framed-ipv6-route. Associated managed routes for an instantiated routed subscriber host are included in RADIUS accounting messages independent of the state of the managed route (Installed, Shadowed or HostInactive).

100

Framed-IPv6-Pool

The name of an assigned pool that should be used to assign an IPv6 address via DHCPv6 (IA-NA) to the WAN side of the user (IPoE, PPPoE). Maps to DHCPv6 vendor-option [17], sub-option [1] wan-pool. Framed-IPv6-Pool names longer than the allowed maximum are treated as host setup failures. This attribute is an alternative to [97] Framed-IPv6-Prefix and [26.6527.99] Alc-IPv6-Address, that also assigns IPv6 addressing to the WAN side of a host via SLAAC or DHCPv6 IA-NA.

101

Error-Cause

The Error-Cause Attribute provides more detail on the cause of the problem if the NAS cannot honor Disconnect-Request or CoA-Request messages for some reason. It may be included within Disconnect-ACK, Disconnect-NAK and CoA-NAK messages. The Error-Causes are divided in 5 blocks. Range [400-499] is used for fatal errors committed by the RADIUS server. Range [500-599] is used for fatal errors occurring on a NAS or RADIUS proxy. Ranges [000-199 reserved], [300-399 reserved] and [200-299 used for successful completion in disconnect-ack/coa-ack] are not implemented.

123

Delegated-IPv6-Prefix

The attribute that carries the prefix (IPv6 prefix or prefix length) to be delegated via DHCPv6 (IA-PD) for the LAN side of the user (IPoE, PPPoE). Maps to DHCPv6 option IA-PD [25] sub-option IA-Prefix [26] Prefix. An exact Delegated-prefix-Length [DPL] match with configure service ies | vprn service-id subscriber-interface ip-int-name ipv6 delegated-prefix-length [48 to 64] is required with the received attribute prefix-length unless a variable DPL is configured (configure service ies | vprn service-id subscriber-interface ip-int-name ipv6 delegated-prefix-length variable). In the latter case, multiple hosts for the same group-interface having different prefix-length [48 to 64] per host are supported. Simultaneous returned attributes [123] Delegated-IPv6-Prefix and [26.6527.131] Alc-Delegated-IPv6-Pool are handled as host setup failures. Attribute is also used in CoA and Disconnect Message (part of the ESM or AA user identification-key). This attribute is omitted in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no delegated-ipv6-prefix.

For data-triggered subscriber host authentication, an Access-Accept message can include this attribute to specify the prefix to create an IPv6 prefix host.

26.2352.1

Client-DNS-Pri

The IPv4 address of the primary DNS server for this subscriber’s connection and maps to PPPoE IPCP option 129 Primary DNS Server address or DHCPv4 option 6 Domain Server. Is an alternative for 26.4874.4 ERX-Primary-Dns or 26.6527.9 Alc-Primary-Dns.

26.2352.2

Client-DNS-Sec

A IPv4 address of the secondary DNS server for this subscriber’s connection and maps to 'PPPoE IPCP option 131 Secondary DNS Server address or DHCPv4 option 6 Domain Server. Is an alternative for 26.4874.5 ERX-Secondary-Dns or 26.6527.10 Alc-Secondary-Dns.

26.2352.36

Ip-Address-Pool-Name

The name of an assigned address pool that should be used to assign an address for the user and maps to DHCPv4 option [82] vendor-specific-option [9] sub-option [13] dhcpPool if option is enabled on the node (configure service ies | vprn service-id subscriber-interface ip-int-name group-interface ip-int-name dhcp option vendor-specific-option pool-name). Alternative to [88] Pool-Name and [26.4874.2] ERX-Address-Pool-Name. Framed-Pool names longer than the allowed maximum are treated as host setup failures. Simultaneous returned attributes Pool-Names [8] and Framed-IP-Address are also handled as host setup failures.

26.2352.99

RB-Client-NBNS-Pri

The IPv4 address of the primary NetBios Name Server (NBNS) for this subscriber’s connection and maps to PPPoE IPCP option 130 Primary DNS Server address or DHCPv4 option44 NETBIOS name server. Is an alternative for 26.4874.6 ERX-Primary-Wins or 26.6527.29 Alc-Primary-Nbns.

26.2352.100

RB-Client-NBNS-Sec

The IPv4 address of the secondary NetBios Name Server (NBNS) for this subscriber’s connection and maps to PPPoE IPCP option 132 Primary DNS Server address or DHCPv4 option44 NETBIOS name server. This attribute is an alternative for 26.4874.7 ERX-Secondary-Wins or 26.6527.30 Alc-Secondary-Nbns.

26.3561.1

Agent-Circuit-Id

Information describing the subscriber agent circuit identifier corresponding to the logical access loop port of the Access Node or DSLAM from which a subscriber's requests are initiated. Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute circuit-id.

For data-triggered subscriber host authentication, this attribute in the Access-Request message contains the source IPv4 or IPv6 address of the data-trigger. The Access-Accept message can include this attribute to specify the circuit ID of the IPoE session if the configure subscriber-management ipoe-session-policy name circuit-id-from-auth command is configured.

26.3561.2

Agent-Remote-Id

An operator-specific, statically configured string that uniquely identifies the subscriber on the associated access loop of the Access Node or DSLAM. Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute remote-id.

26.3561.129

Actual-Data-Rate-Upstream

The actual upstream train rate (coded in bits per second) of a subscriber's synchronized DSL link and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.130

Actual-Data-Rate-Downstream

Actual downstream train rate (coded in bits per second) of a subscriber's synchronized DSL link and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.131

Minimum-Data-Rate-Upstream

The subscriber's operator-configured minimum upstream data rate (coded in bits per second) and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.132

Minimum-Data-Rate-Downstream

The subscriber's operator-configured minimum downstream data rate (coded in bits per second) and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.133

Attainable-Data-Rate-Upstream

The subscriber's attainable upstream data rate (coded in bits per second) and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.134

Attainable-Data-Rate-Downstream

The subscriber's attainable downstream data rate (coded in bits per second) and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.135

Maximum-Data-Rate-Upstream

The subscriber's maximum upstream data rate (coded in bits per second), as configured by the operator and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.136

Maximum-Data-Rate-Downstream

The subscriber's maximum downstream data rate (coded in bits per second), as configured by the operator and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.137

Minimum-Data-Rate-Upstream-Low-Power

The subscriber's minimum upstream data rate (coded in bits per second) in low power state, as configured by the operator and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.138

Minimum-Data-Rate-Downstream-Low-Power

The subscriber's minimum downstream data rate (coded in bits per second) in low power state, as configured by the operator and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.139

Maximum-Interleaving-Delay-Upstream

The subscriber's maximum one-way upstream interleaving delay in milliseconds, as configured by the operator and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.140

Actual-Interleaving-Delay-Upstream

The subscriber's actual one-way upstream interleaving delay in milliseconds and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.141

Maximum-Interleaving-Delay-Downstream

The subscriber’s maximum one-way downstream interleaving delay in milliseconds, as configured by the operator and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.142

Actual-Interleaving-Delay-Downstream

The subscriber's actual one-way downstream interleaving delay in milliseconds and maps to values received during PPPoE discovery (tag 0x0105) or DHCP (opt-82). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.3561.144

Access-Loop-Encapsulation

The last mile encapsulation used by the subscriber on the DSL access loop and maps to values received during PPPoE discovery Tags (tag 0x0105) or DHCP Tags (opt-82). Attribute is included or excluded in RADIUS/Accounting-Request based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options. Last mile encapsulation information can be used to adjust automatically the egress aggregate rate for this subscriber. Preconfigured encapsulation types are used if PPP or IPoE access loop information (tags) is not available (configure subscriber-mgmt sub-profile subscriber-profile-name egress encap-offset type type or configure subscriber-mgmt local-user-db local-user-db-name ppp host access-loop encap-offset type). [26.6527.133] Alc-Access-Loop-Encap-Offset when returned in Access-Accept is taken into account (overrules received tags and preconfigured encapsulation types) for ALE adjust (last mile aware shaping) but is not reflected in access-loop-options send to RADIUS. Alc-Access-Loop-Encap from ANCP are currently not taken into account for ALE adjust.

26.3561.254

IWF-Session

The presence of this Attribute indicates that the IWF has been performed with respect to the subscriber's session. IWF is utilized to enable the carriage of PPP over ATM (PPPoA) traffic over PPPoE. The Access Node inserts the PPPoE Tag 0x0105, vendor-id 0x0de9 with sub-option code 0xFE, length field is set to 0x00 into the PPPoE Discovery packets when it is performing an IWF functionality. Attribute is included/excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.4874.2

ERX-Address-Pool-Name

The name of an assigned address pool that should be used to assign an address for the user and maps to dhcpv4 option[82] vendor-specific-option [9] sub-option [13] dhcpPool if option is enabled on the node (configure service ies | vprn service-id subscriber-interface ip-int-name group-interface ip-int-name dhcp option vendor-specific-option pool-name). Alternative to [88] Pool-Name and [26.2352.36] Ip-Address-Pool-Name. Framed-Pool names longer than the allowed maximum are treated as host setup failures. Simultaneous returned attributes Pool-Names [8] and Framed-IP-Address are also handled as host setup failures.

26.4874.4

ERX-Primary-Dns

The IPv4 address of the primary DNS server for this subscriber’s connection and maps to PPPoE IPCP option 129 Primary DNS Server address or DHCPv4 option 6 Domain Server. Is an alternative for 26.2352.1 Client-DNS-Pri or 26.6527.9 Alc-Primary-Dns.

Applicable in proxy scenarios only for IPoE.

26.4874.5

ERX-Secondary-Dns

The IPv4 address of the secondary DNS server for this subscriber’s connection and maps to PPPoE IPCP option 131 Secondary DNS Server address or DHCPv4 option 6 Domain Server. Is an alternative for 26.2352.2 Client-DNS-Sec or 26.6527.10 Alc-Secondary-Dns.

Applicable in proxy scenarios only for IPoE.

26.4874.6

ERX-Primary-Wins

The IPv4 address of the primary NetBios Name Server (NBNS) for this subscriber’s connection and maps to PPPoE IPCP option 130 Primary DNS Server address or DHCPv4 option44 NETBIOS name server. Is an alternative for 26.2352.99 RB-Client-NBNS-Pri or 26.6527.29 Alc-Primary-Nbns.

26.4874.7

ERX-Secondary-Wins

The IPv4 address of the secondary NetBios Name Server (NBNS) for this subscriber’s connection and maps to PPPoE IPCP option 132 Primary DNS Server address or DHCPv4 option44 NETBIOS name server. Is an alternative for 26.2352.100 RB-Client-NBNS-Sec or 26.6527.30 Alc-Secondary-Nbns.

26.4874.47

ERX-Ipv6-Primary-Dns

The IPv6 address of the primary DNSv6 server for this subscriber’s connection and maps to DNS Recursive Name Server option 23 (RFC 3646) in DHCPv6.Is an alternative for 26.6527.105 Alc-Ipv6-Primary-Dns.

Applicable in proxy scenarios only.

26.4874.48

ERX-Ipv6-Secondary-Dns

The IPv6 address of the secondary DNSv6 server for this subscriber’s connection and maps to DNS Recursive Name Server option 23 (RFC 3646) in DHCPv6.Is an alternative for 26.6527.106 Alc-Ipv6-Secondary-Dns.

Applicable in proxy scenarios only.

26.6527.9

Alc-Primary-Dns

The IPv4 address of the primary DNS server for this subscriber’s connection and maps to PPPoE IPCP option 129 Primary DNS Server address or DHCPv4 option 6 Domain Server. Is an alternative for 26.2352.1 Client-DNS-Pri or 26.4874.4 ERX-Primary-Dns.

Applicable in proxy scenarios only for IPoE.

26.6527.10

Alc-Secondary-Dns

The IPv4 address of the secondary DNS server for this subscriber’s connection and maps to PPPoE IPCP option 131 Secondary DNS Server address or DHCPv4 option 6 Domain Server. Is an alternative for 26.2352.2 Client-DNS-Sec or 26.4874.5 ERX-Secondary-Dns.

Applicable in proxy scenarios only for IPoE.

26.6527.11

Alc-Subsc-ID-Str

A subscriber is a collection of subscriber-hosts (typically represented by IP-MAC combination) and is uniquely identified by a subscriber string. Subscriber-hosts queues or policers belonging to the same subscriber (residing on the same forwarding complex) can be treated under one aggregate scheduling QoS mechanism. Fallback to preconfigured values if attribute is omitted. Attribute values longer than the allowed string value are treated as setup failures. Can be used as key in CoA and Disconnect Message. Attribute is omitted in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no subscriber-id.

26.6527.12

Alc-Subsc-Prof-Str

The subscriber profile is a template that contains settings (accounting, IGMP, HQoS, and so on) that apply to all hosts belonging to the same subscriber where [26.6527.12] Alc-Subsc-Prof-Str is the string that maps (configure subscriber-mgmt sub-ident-policy sub-ident-policy-name sub-profile-map) to such an subscriber profile (configure subscriber-mgmt sub-profile subscriber-profile-name). Strings longer than the allowed maximum are treated as setup failures. Unreferenced strings (where the string does not map to a policy) are silently ignored and a fallback to preconfigured defaults is done. This attribute is omitted in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no sub-profile.

26.6527.13

Alc-SLA-Prof-Str

The SLA profile is a template which contains settings (filter, QoS, host-limit, and so on) which are applicable to individual hosts were [26.6527.13] Alc-SLA-Prof-Str is the string that maps (configure subscriber-mgmt sub-ident-policy sub-ident-policy-name sla-profile-map) to such a sla profile (configure subscriber-mgmt sla-profile sla-profile-name). Strings longer than the allowed maximum are treated as setup failures. Unreferenced strings (where the string does not map to a policy) are silently ignored and a fallback to preconfigured defaults is done. This attribute is omitted in accounting via configure subscriber-mgmt radius-accounting-policy name include-radius-attribute no sla-profile.

26.6527.16

Alc-ANCP-Str

Information describing the subscriber agent circuit identifier corresponding to the logical access loop port of the Access Node or DSLAM from which a subscriber's requests are initiated and used to associate the ANCP Circuit-Id (info received via ANCP Port Up and Port Down) with the PPPoE/IPoE Circuit-Id (info received via [26.6527.16] Alc-ANCP-Str and [26.3561.1] Agent-Circuit-Id). A subscriber is associated with ANCP when both strings are equal. For associated subscribers, the ingress and egress ANCP QoS rules apply (configure subscriber-mgmt ancp ancp-policy policy-name and configure subscriber-mgmt sub-profile ancp ancp-policy policy-name.

26.6527.18

Alc-Default-Router

Maps to an DHCP offer or ACK message option [3] default-router for a DHCPv4 RADIUS proxy scenario and defines the default gateway for the user. This attribute is silently ignored if the NAS is using DHCPv4 relay. In the latter case, the default-router is part of the DHCPv4 server configuration.

26.6527.27

Alc-Client-Hardware-Addr

MAC address from a user that requests a service and included in CoA, Authentication or Accounting (configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute mac-address).

26.6527.28

Alc-Int-Dest-Id-Str

A string representing an aggregation point (example, Access Node) and interpreted as the intermediate destination ID. Subscribers connected to the same aggregation point receives the same int-dest-id string assigned. The int-dest-id is used in MC ring access redundancy to identify subscribers behind a ring node (configure redundancy multi-chassis peer ip-address mc-ring ring/l3-ring name ring-node ring-node-name). The int-dest-id can be used in QoS to shape the egress traffic of a group of subscribers to an aggregate rate using Vports (configure port port-id ethernet access egress vport name host-match dest destination-string) or secondary shapers on HS-MDAv2 (configure port port-id ethernet egress exp-secondary-shaper secondary-shaper-name). For egress policed subscriber traffic, the int-dest-id can be used to select the egress queue-group for forwarding (configure port port-id ethernet access egress queue-group name host-match dest destination-string). Strings longer than the allowed maximum are treated as setup failures.

26.6527.29

Alc-Primary-Nbns

The IPv4 address of the primary NetBios Name Server (NBNS) for this subscriber’s connection and maps to PPPoE IPCP option 130 Primary DNS Server address or DHCPv4 option44 NETBIOS name server. Is an alternative for 26.2352.99 RB-Client-NBNS-Pri or 26.4874.6 ERX-Primary-Wins.

26.6527.30

Alc-Secondary-Nbns

The IPv4 address of the secondary NetBios Name Server (NBNS) for this subscriber’s connection and maps to PPPoE IPCP option 132 Primary DNS Server address or DHCPv4 option44 NETBIOS name server. Is an alternative for 26.2352.100 RB-Client-NBNS-Sec or 26.4874.7 ERX-Secondary-Wins.

26.6527.34

Alc-PPPoE-PADO-Delay

Specifies the number in deciseconds that the PPPoE protocol stack on the NAS waits before sending a PADO packet in response to a PADI request. In dual homed topologies, you may want to designate a primary NAS and a backup NAS for handling a particular service request. In such a scenario, you can configure a delay for the backup NAS to allow sufficient time for the primary NAS to respond to the client with a PADO packet. If the primary NAS does not send the PADO packet within this delay period, then the backup NAS sends the PADO packet after the delay period expires. This attribute is only applicable if RADIUS PADI authentication is used (configure subscriber-mgmt authentication-policy name pppoe-access-method padi). Values above the allowed Limits are truncated at the Limits boundary. There is no PADO delay if the attribute is omitted or if the attribute is received with a value of zero.

26.6527.35

Alc-PPPoE-Service-Name

Maps to PADI field PPPoE tags [0x0101] service-name and is sent in the Access-Request if enabled under configure subscriber-mgmt authentication-policy name include-radius-attribute pppoe-service-name. A PPPoE-Service-Name above the allowed maximum length is handled as a PPPoE session setup failure.

26.6527.36

Alc-DHCP-Vendor-Class-Id

Initiated by DHCP clients via option [60] Vendor Class Identifier and reflected in Authentication. (configure subscriber-mgmt authentication-policy name include-radius-attribute dhcp-vendor-class-id or configure aaa isa-radius-policy name auth-include-attributes dhcp-vendor-class-id). DHCP option [60] Vendor Class Identifier can also be used as User-name in RADIUS requests. (configure subscriber-mgmt authentication-policy name user-name-format dhcp-client-vendor-opts).

26.6527.45

Alc-App-Prof-Str

Application Assurance for residential, business, or transit-AA subscribers is enabled through the assignment of an application profile as part of either enhanced subscriber management or static configuration. [26.6527.45] Alc-App-Prof-Str is a string that maps (configure subscriber-mgmt sub-ident-policy sub-ident-policy-name app-profile-map) to such an application profile (configure application-assurance group aa-group-id:partition-id policy app-profile app-profile-name). This attribute is used in access-accept to assign an application profile during esm host creation and in CoA to change the application profile of a AA-subscriber or to create transit AA-subscriber. Strings longer than the allowed maximum are treated as setup failures. Unreferenced strings (strings not mapping to an application profile) silently triggers a fallback to preconfigured default values if allowed. If no default value is preconfigured, the subscriber's application profile is silently disabled for esm AA-subscriber; in case of a transit AA-subscriber creation, the CoA is rejected. The change of an application profile to one configured under a different group or partition or the modification of the application profile of a static AA-subscriber is not allowed and is treated as setup failures.

26.6527.99

Alc-Ipv6-Address

The IPv6 address to be configured to the WAN side of the user (IPoE,PPPoE) via DHCPv6 (IA-NA). Maps to DHCPv6 option IA-NA[3] sub-option IA-Address[5] address. This attribute is an alternative to [97] Framed-IPv6-Prefix and [100] Framed-IPv6-Pool, which also assigns IPv6 addressing to the wan-side of a host via SLAAC or DHCPv6 IA-NA. Attribute is also used in CoA and Disconnect Message (part of the ESM or AA user identification-key).

For data-triggered subscriber host creation in the Enhanced Subscriber Management (ESM) context, the attribute can be included in an Access-Accept message to specify the IPv6 address to create a /128 IPv6 host.

For data-triggered authentication of an IPv6 UE in Distributed Subscriber Management (DSM) context, this attribute contains the IPv6 address that triggered the request. Inclusion of this attribute is configured under configure aaa isa-radius-policy policy-name auth-include-attributes ipv6-address.

For data-triggered subscriber host creation, an Access-Accept message can contain this attribute to specify the IPv6 address to create an IPv6 /128 host.

26.6527.100

Alc-Serv-Id

Applies to GTP access hosts only.

This VSA refers to a the service where the GTP sessions will be terminated (configure service {vprn | ies} service-id). This overrides a potential default configured under configure subscriber-mgmt gtp apn-policy policy-name apn apn defaults group-interface interface-name svc-id service-id. This VSA must be accompanied with a valid Alc-Interface VSA.

26.6527.101

Alc-Interface

Applies to GTP access hosts only.

This VSA refers to a group-interface of type gtp where the GTP sessions will be terminated (configure service {vprn | ies} subscriber-interface ip-int-name group-interface ip-int-name gtp). This overrides a potential default configured under configure subscriber-mgmt gtp apn-policy policy-name apn apn defaults group-interface interface-name svc-id service-id. If neither a default or a radius-specified interface is provided, session setup will fail.

26.6527.102

Alc-ToServer-Dhcp-Options

Send to RADIUS all DHCPv4 options received in a DHCPv4 message triggering authentication. The DHCPv4 options are concatenated in the attribute up to maximum length per attribute. If more space is needed, an additional attribute is included. If the total dhcp options space requires more than the total maximum length, then no attributes are included. (configure subscriber-mgmt authentication-policy name include-radius-attribute dhcp-options, or configure aaa isa-radius-policy name auth-include-attributes dhcp-options).

26.6527.103

Alc-ToClient-Dhcp-Options

Copy the content of the attribute value in dhcpv4 options for dhcpv4 messages towards the client. It is not required to send each option in a different VSA; concatenation is allowed. Attributes outside the defined limits result in a setup failure.

26.6527.105

Alc-Ipv6-Primary-Dns

The IPv6 address of the primary DNSv6 server for this subscriber’s connection. Maps to DNS Recursive Name Server option 23 (RFC 3646) in DHCPv6 and Recursive DNS Server Option type 25 (RFC 6106) for SLAAC RA. This attribute is an alternative for [26.4874.47] ERX-Ipv6-Primary-Dns.

Applicable in proxy scenarios only.

26.6527.106

Alc-Ipv6-Secondary-Dns

The IPv6 address of the secondary DNSv6 server for this subscriber’s connection. Maps to DNS Recursive Name Server option 23 (RFC 3646) in DHCPv6 and Recursive DNS Server Option type 25 (RFC 6106) for SLAAC RA. This attribute is an alternative for [26.4874.48] ERX- Ipv6-Secondary-Dns.

Applicable in proxy scenarios only.

26.6527.126

Alc-Subscriber-QoS-Override

Used to override queue or policer parameters (CIR, PIR, CBS, MBS) and HQoS parameters (aggregate rate, scheduler rate or root arbiter rate) configured at sla-profile and sub-profile context. Enables per subscriber or host customization. Each set of Alc-Subscriber-QoS-Override attributes in a RADIUS message replaces the set of Alc-Subscriber-QoS-Override attributes from a previous message. Hence the SLA profile or subscriber profile QoS configuration is always used as the base config. To undo a previously enabled RADIUS QoS-override and return to the base config, send a CoA with at least one Alc-Subscriber-QoS-Override attribute. The value part of each Alc-Subscriber-QoS-Override attribute must be empty (for example, Alc-Subscriber-QoS-Override += i:q:2:). Incorrectly formatted attributes or too many attributes are treated as a setup failure or result in a CoA NAK.

26.6527.128

Alc-ATM-Ingress-TD-Profile

The ATM Traffic Descriptor override for a PPPoA or PPPoEoA host and refers to the preconfigured traffic description QoS profile applied on the ingress ATM Virtual Circuit (configure qos atm-td-profile traffic-desc-profile-id). All subscriber hosts on a given ATM VC must have same ATM traffic descriptors and this attribute is ignored if it specifies an ATM Traffic Descriptor override while it has already specified another one for another host on the same ATM Virtual Circuit. A preconfigured description profile per ATM Virtual Circuit is used when this attribute is omitted. (configure subscriber-mgmt msap-policy msap-policy-name atm egress/ingress traffic-desc or configure service vprn service-id subscriber-interface ip-int-name group-interface ip-int-name sap sap-id atm egress/ingress traffic-desc). A Traffic Descriptor profile above the Limit is treated as a setup failure. Unreferenced Traffic Descriptor profiles within the Limit, or a Traffic Descriptor profile for a non ATM host are silently ignored.

26.6527.129

Alc-ATM-Egress-TD-Profile

The ATM Traffic Descriptor override for a PPPoA or PPPoEoA host and refers to the preconfigured traffic description QoS profile applied on the egress ATM Virtual Circuit (configure qos atm-td-profile traffic-desc-profile-id). All subscriber hosts on a given ATM VC must have same ATM traffic descriptors and this attribute is ignored if it specifies an ATM Traffic Descriptor override while it has already specified another one for another host on the same ATM Virtual Circuit. A preconfigured description profile per ATM Virtual Circuit is used when this attribute is omitted (configure subscriber-mgmt msap-policy atm egress/ingress traffic-desc or configure service vprn service-id subscriber-interface ip-int-name group-interface ip-int-name sap sap-id atm egress/ingress traffic-desc). A Traffic Descriptor profile above the Limits is treated as a setup failure. Unreferenced Traffic Descriptor profiles within the Limits, or a Traffic Descriptor profile for a non ATM host are silently ignored.

26.6527.131

Alc-Delegated-IPv6-Pool

The name of an assigned pool that should be used to assign an IPv6 prefix via DHCPv6(IA-PD) to the LAN side of the user (IPoE, PPPoE). Maps to DHCPv6 vendor-option[17],sub-option[2] pfx-pool. Alc-Delegated-ipv6-pool names longer than the allowed maximum are treated as host setup failures. Alternative method for [123] Delegated-IPv6-Prefix so simultaneous returned attributes [123] Delegated-IPv6-Prefix and [26.6527.131] Alc-Delegated-IPv6-Pool are handled as host setup failures. The length information [DPL] can be supplied via [26.6527.161] Alc-Delegated-IPv6-Prefix-Length along with the pool name. The [26.6527.161] Alc-Delegated-IPv6-Prefix-Length has priority over other possible sources of DPL. (As a fixed [48 to 64] DPL or variable DPL under configure service ies | vprn service-id subscriber-interface ipv6 delegated-prefix-length or on the dhcpv6 server configure router dhcp6 local-dhcp-server server-name pool pool-name delegated-prefix-length).

26.6527.132

Alc-Access-Loop-Rate-Down

The actual downstream rate (coded in kb/s) of a PPPoE subscriber's synchronized DSL link and competes with the value received from alternative sources (dsl-forum tags, LUDB, ANCP). Values outside the limits are treated as setup failures. This attribute is silently ignored for non-MLPPP sessions or IPoE sessions.

26.6527.133

Alc-Access-Loop-Encap-Offset

The last mile encapsulation representing the subscriber’s DSL access loop encapsulation. When returned in RADIUS-Accept (PTA or LAC), it is taken into account for ALE adjust (last mile aware shaping) but not reflected in [26.3561.144] Access-Loop-Encapsulation (access-loop-options) send to Accounting. For LAC, this attributes maps to LTP AVP [3561-144] Access-Loop-Encapsulation.

26.6527.135

Alc-PPP-Force-IPv6CP

Forces IPv6CP negotiation in conditions where no IPv6 related attributes (such as v6 pool, v6 prefix, v6 address, DNSv6) are obtained via authentication (Access Accept, local user database, and so on). Without these IPv6 related attributes, the NAS cannot detect that this is a dual-stack PPPoE user and therefore it will not start IPv6CP negotiation.

An attribute value other than 0 (zero) forces IPv6CP negotiation to start when no IPv6 attributes are obtained in authentication.

An attribute value of 0 (zero) is treated the same as not sending the attribute.

26.6527.136

Alc-Onetime-Http-Redirection-Filter-Id

The preconfigured IPv4 filter with HTTP redirection rules. Via this host- specific filter only the first HTTP request from the host is redirected to a configured URL with specified parameters. There is no HTTP redirection for subsequent HTTP requests which is useful in cases where service providers need to push a web page of advertisement or announcements to broadband users.

26.6527.146

Alc-Wlan-APN-Name

This VSA contains the Access Point Name string as signaled in the incoming GTP-C message for GTP Access hosts.

Inclusion of this attribute can be configured via configure subscriber-mgmt authentication-policy name include-radius-attribute apn.

26.6527.147

Alc-MsIsdn

This VSA contains the MSISDN (telephone number) as signaled in the incoming GTP-C message for GTP Access hosts. If the corresponding GTP-C IE is not present the VSA will not be included.

Inclusion of this attribute can be configured via configure subscriber-mgmt authentication-policy name include-radius-attribute msisdn.

26.6527.160

Alc-Relative-Session-Timeout

Sets or resets the IPoE or PPPoE session timeout to a relative value (current session time + newly received Alc-Relative-Session-Timeout). Attribute equals to [27] Session-Timeout if received in Access-Accept since current session time portion is than zero. A value of zero sets or resets the session-timeout to infinite (no session-timeout). Simultaneous received [27] Session-Timeout and [26.6527.160] Alc-Relative-Session-Timeout are treated as a setup failure (setup failure if received in Access-Accept or CoA rejected (NAK) with error cause = Invalid Request).

26.6527.161

Alc-Delegated-IPv6-Prefix-Length

Defines the IA-PD length information [DPL] and only applicable together with [26.6527.131] Alc-Delegated-IPv6-Pool (silently ignored if received in RADIUS Accept without Alc-Delegated-IPv6-Pool). Maps to DHCPv6 vendor-option[17], sub-option[3] pfx-len. The [26.6527.161] Alc-Delegated-IPv6-Prefix-Length has priority over other possible sources of DPL. (As a fixed [48 to 64] DPL or variable DPL under configure service ies |vprn service-id subscriber-interface ip-int-name ipv6 delegated-prefix-length or on the dhcpv6 server configure router dhcp6 local-dhcp-server server-name pool pool-name delegated-prefix-length). DPL values outside the limits are treated as setup failures.

26.6527.174

Alc-Lease-Time

Defines the lease-time in seconds for RADIUS proxy and create-host-CoA scenarios only. The [27] Session-Timeout is interpreted and used as IPoE lease-time if [26.6527.174] Alc-lease-Time is omitted. Returning attribute [26.6527.174] Alc-Lease-Time in other scenarios than radius-proxy and create-host-CoA are treated as setup failures.

26.6527.175

Alc-DSL-Line-State

Status of the DSL line obtained via ANCP can be one of three value: SHOWTIME (the modem is ready to transfer data), IDLE (line is idle) or SILENT (line is silent). Attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.6527.176

Alc-DSL-Type

Type of the DSL line (ADSL1, ADSL2, ADSL2PLUS, VDSL1, VDSL2, SDSL, other) obtained via ANCP.

This attribute is included or excluded based on configure subscriber-mgmt authentication-policy/radius-accounting-policy name include-radius-attribute access-loop-options.

26.6527.177

Alc-Portal-Url

The URL to which traffic matching the host’s IPv4 filter entry with HTTP redirect action is redirected. The URL overrides the configured URL in the redirect filter. RADIUS overrides must explicitly be enabled: configure filter ip-filter filter-id entry entry-id action http-redirect rdr-url-string allow-radius-override.

26.6527.178

Alc-Ipv6-Portal-Url

The URL to which traffic matching the host’s IPv6 filter entry with HTTP redirect action is redirected. The URL overrides the configured URL in the redirect filter. RADIUS overrides must explicitly be enabled: configure filter ipv6-filter filter-id entry entry-id action http-redirect rdr-url-string allow-radius-override.

26.6527.180

Alc-SAP-Session-Index

Per SAP, this is a unique PPPoE or IPoE session index that can be included in RADIUS Access Request messages. The lowest free index is assigned to a new PPPoE or IPoE session. Attribute is included or excluded based on configure subscriber-mgmt authentication-policy name include-radius-attribute sap-session-index.

26.6527.181

Alc-SLAAC-IPv6-Pool

A pool name that can be used in local address assignment to assign an IPv6 SLAAC prefix via a Router Advertisement to the WAN side of the IPoE or PPPoE user.

Alc-SLAAC-IPv6-Pool names longer than the allowed maximum are treated as host setup failures. If local-address-assignment is not enabled on the group-interface for ipv6 client-application ppp-slaac, then the PPP session is terminated. If local-address-assignment is not enabled on the group-interface for ipv6 client-application ipoe-slaac, then the IPoE host is not instantiated.

26.6527.183

Alc-WPP-Error-Code

This attribute specifies the value of the ErrCode that the system should use in a WPP ACK_AUTH packet. This attribute can only be included in a RADIUS Access-Reject packet.

26.6527.185

Alc-Onetime-Http-Redirect-Reactivate

An indication to reactivate a onetime HTTP redirect filter for the host.

When received in a RADIUS CoA message, the filter with the value indicated by [26.6527.136] Alc-Onetime-Http-Redirection-Filter-Id is activated.

If [26.6527.136] Alc-Onetime-Http-Redirection-Filter-Id contains the value 0, then the existing onetime http redirect filter id associated with the host is removed.

If no [26.6527.136] Alc-Onetime-Http-Redirection-Filter-Id VSA is provided in the RADIUS CoA message, then the existing onetime http redirect filter id associated with the host is applied.

The value of the [26.6527.185] Alc-Onetime-Http-Redirect-Reactivate VSA is opaque. It is the presence of the VSA in a RADIUS CoA that triggers the action.

26.6527.191

Alc-ToServer-Dhcp6-Options

This attribute contains DHCPv6 client options present in a DHCPv6 Solicit or Request message to be passed to RADIUS in an Access-Request. Up to two attributes are included in the Access-Request message when the length of the DHCPv6 options exceeds the maximum length of a single attribute. No attributes are included if the total length of the DHCPv6 options exceeds 494 bytes.

When the DHCPv6 solicit or request message is encapsulated in a Relay-Forward message, only the inner DHCPv6 client options are copied in the Alc-ToServer-Dhcp6-Options attribute. Options inserted by a Relay Agent are ignored.

Attribute is included or excluded based on configure subscriber-mgmt authentication-policy name include-radius-attribute dhcp6-options.

For DHCPv6 triggered authentication in a Distribute Subscriber Management (DSM) context, this attribute contains the DHCPv6 client options as sent to the WLAN-GW. Inclusion of this attribute is configured via configure aaa isa-radius-policy policy-name auth-include-attributes dhcp6-options.

26.6527.192

Alc-ToClient-Dhcp6-Options

The value of this attribute represents DHCPv6 options encoded in a hexadecimal format. DHCPv6 options originated by RADIUS are appended to the options already present in the DHCPv6 Advertise and Reply messages towards the client.

Passing the RADIUS obtained DHCPv6 options to the client is supported for both DHCPv6 proxy and relay.

Attributes outside the defined limits result in a setup failure.

26.6527.200

Alc-v6-Preferred-Lifetime

An IPv6 address or prefix preferred lifetime is the length of time that a valid address or prefix is preferred (for example, the time until deprecation). When the preferred lifetime expires, the address or prefix becomes deprecated (it can still be used in existing communications but should not be used as a source in new communications).

This attribute is applicable only when an IPv6 address or prefix is assigned via RADIUS (DHCPv6 proxy). It overrides the dhcp6 proxy-server preferred-lifetime configuration on the group-interface.

The attribute value is expressed in seconds. Values outside the allowed range result in a setup failure.

If, for the final determined values from the different sources (LUDB, RADIUS, defaults), the following rule is violated:

renew timer 7705 SAR-8 rebind timer <= preferred lifetime <= valid lifetime

then the default timers are used: renew-timer = 30 min, rebind-timer = 48 min, preferred-lifetime = 1hr, valid-lifetime = 1 day.

Note that only a single value can be specified that applies to both IA-NA address and IA-PD prefix.

26.6527.201

Alc-v6-Valid-Lifetime

The IPv6 address or prefix valid lifetime is the length of time an address or prefix remains in the valid state (for example, the time until invalidation). When the valid lifetime expires, the address or prefix becomes invalid and must no longer be used in communications. This attribute is used as the DHCPv6 lease time.

This attribute is applicable only when an IPv6 address or prefix is assigned via RADIUS (DHCPv6 proxy). Overrides the dhcp6 proxy-server valid-lifetime configuration on the group-interface.

The attribute value is expressed in seconds. Values outside the allowed range result in a setup failure.

If, for the final determined values from the different sources (LUDB, RADIUS, defaults), the following rule is violated:

renew timer <= rebind timer <= preferred lifetime <= valid lifetime

then the default timers are used: renew-timer = 30 min, rebind-timer = 48 min, preferred-lifetime = 1hr, valid-lifetime = 1 day.

Note that only a single value can be specified that applies to both IA-NA address and IA-PD prefix.

26.6527.202

Alc-Dhcp6-Renew-Time

The attribute value represents the DHCPv6 lease renew time (T1). T1 is the time at which the client contacts the addressing authority to extend the lifetimes of the DHCPv6 leases (addresses or prefixes).

This attribute is applicable only when an IPv6 address or prefix is assigned via RADIUS (DHCPv6 proxy). Overrides the dhcp6 proxy-server renew-timer configuration on the group interface.

The attribute value is expressed in seconds. Values outside the allowed range result in a setup failure.

If, for the final determined values from the different sources (LUDB, RADIUS, defaults), the following rule is violated:

renew timer <= rebind timer <= preferred lifetime <= valid lifetime

then the default timers are used: renew-timer = 30 min, rebind-timer = 48 min, preferred-lifetime = 1hr, valid-lifetime = 1 day.

Note that only a single value can be specified that applies to both IA-NA address and IA-PD prefix.

26.6527.203

Alc-Dhcp6-Rebind-Time

The attribute value represents the DHCPv6 lease rebind time (T2). T2 is the time at which the client contacts any available addressing authority to extend the lifetimes of DHCPv6 leases.

This attribute is applicable only when an IPv6 address or prefix is assigned via RADIUS (DHCPv6 proxy). The attribute overrides the dhcp6 proxy-server rebind-timer configuration on the group interface

The attribute value is expressed in seconds. Values outside the allowed range result in a setup failure.

If, for the final determined values from the different sources (LUDB, RADIUS, defaults), the following rule is violated:

renew timer <= rebind timer <= preferred lifetime <= valid lifetime

then the default timers are used: renew-timer = 30 min, rebind-timer = 48 min, preferred-lifetime = 1hr, valid-lifetime = 1 day.

Note that only a single value can be specified that applies to both IA-NA address and IA-PD prefix.

26.6527.217

Alc-UPnP-Sub-Override-Policy

Specifies the UPnP policy to use for this L2-Aware subscriber. The policy must be configured in configure service upnp upnp-policy policy-name.

Overrides the configured policy in the sub-profile for the subscriber: configure subscriber-mgmt sub-profile name upnp-policy policy-name.

The value “_tmnx_no_override” removes any existing override and installs the upnp-policy configured in the sub-profile instead.

The value “_tmnx_disabled” creates a special override that disables UPnP for this subscriber.

Specifying a non-existing policy results in a host or session setup failure or in a CoA Reject.

All hosts belonging to the subscriber are affected by a UPnP policy override.

Changing the UPnP policy clears all existing UPnP mappings.

26.6527.228

Alc-Trigger-Acct-Interim

When included in a CoA message an accounting interim update is generated for all accounting modes that have interim-updates enabled. The Alc-Trigger-Acct-Interim attribute with free formatted string value is echoed in the CoA triggered accounting interim update message. The [26.6527.163] Alc-Acct-Triggered- Reason attribute in the interim update is set to 18 (CoA-Triggered).

26.6527.232

Alc-Acct-Interim-IvI

Tagged Attribute.

The interval in seconds at which Acct-Interim-Update messages should be generated. Overrides the local configured update-interval value in the RADIUS accounting policy. Only takes effect if interim-updates are enabled for one of the accounting modes in the RADIUS accounting policy.

With attribute value=0, the interim accounting is switched off.

The tag value (1 to 5) indicates which RADIUS accounting policy in the subscriber profile is updated.

To change the update interval of the first accounting policy, attribute [85] Acct-Interim-Interval takes precedence over [26.6527.232] Alc-Acct-Interim-Ivl with tag 1 when both are included.

26.6527.234

Alc-DNAT-Override

A composite RADIUS attribute used to modify DNAT function for L2-Aware NAT subscribers:

After the DNAT configuration is modified via CoA (by enabling or disabling DNAT or changing the DNAT IP address), the existing flows remain active for five more seconds while the new flows are being created in accordance with the new configuration. After a five-second timeout, the stale flows are cleared from the system.

If multiple Alc-DNAT-Override attributes with conflicting actions are received in the same CoA or Access-Accept, the last one takes precedence.

26.6527.238

Alc-Remove-Override

This attribute, when included in a CoA, removes the override installed with or deactivates the action triggered by the referenced attribute ID.

26.6527.242

Alc-Radius-Py

A free format attribute reserved for use in combination with a RADIUS Python script. SR OS ignores the attribute when received in an access accept or CoA and will not generate the attribute.

The primary purpose for this attribute is to interact with RADIUS servers that do not support RFC 6929 extended and long extended vendor specific attribute types. This attribute can be used between the RADIUS server and the Python script. The Python script should convert the attribute value in an RFC 6929 compliant attribute format.

26.6527.244

Alc-Force-DHCP-Relay

When this attribute is included in an Access Accept message at the authentication of a data triggered subscriber hosts IPoE session, then a DHCP relay is performed when the subscriber host in the session is promoted to a DHCP host at renew or rebind.

The IP and/or IPv6 address/prefix origin is set to DHCP or DHCP6 for the data triggered subscriber host that is promoted to a DHCP host.

The IP address/prefix for all IP stacks of the subscribers IPoE session must also be included in the Access Accept.

Attributes with invalid value are ignored.

241.26.6527.16

Alc-IPv6-Router-Adv-Policy

This attribute specifies the Router Advertisement policy to be used for this subscriber host or session. The Router Advertisement policy is configured in configure subscriber-mgmt router-advertisement-policy name. The Router Advertisement policy overrides the default Router Advertisement parameters configured in the ipv6 router-advertisements CLI context at the group interface or subscriber interface (wholesale or retail).

Referencing a non-existing policy results in a subscriber host or session setup failure or a CoA reject.

241.26.6527.17

Alc-Nat-Outside-IPs

This attribute allows to specify an outside NAT IP address from AAA instead of allocating an address from the local NAT pools. An IP address can be provided for each policy.

241.26.6527.18

Alc-Mld-Import-Policy

This attribute overrides the subscriber’s current list of dynamic MLD import policies. The order in which the policies were added can be checked with show router [router-instance] mld hosts host ipv6-address detail. Note that the configured MLD import policy (configure subscriber-mgmt mld-policy mld-policy-name import policy-name) cannot be overridden and is always applied as the last policy in the MLD import policies list. As the import policies are evaluated in the applied order using a match and exit, it is good practice to only include a default-action in the configured MLD import policy.

Access-Accept fails and CoA is rejected if more than 14 attributes are present.

241.26.6527.24

Alc-IPv6-DMZ-Enabled

This attribute applies to vRGW only. When present, this VSA determines if the corresponding session should be treated as part of a demilitarized zone in an IPv6 firewall or not. This attribute is ignored if the session is not part of a subscriber with firewall enabled.

241.26.6527.27

Alc-IPv6-Sub-If-Prefix

This attribute installs a subscriber interface IPv6 prefix of type pd, wan-host or both. This is similar to a statically configured IPv6 prefix on a subscriber interface. The prefix is part of the subscriber host or session state. The prefix is removed from the system when the subscriber host or session disconnects. An invalid prefix, such as when overlapping with a static provisioned prefix, results in a subscriber host or session setup failure.

241.26.6527.35

Alc-Mld-Import-Policy-Modif

This attribute modifies the subscriber’s dynamic MLD import policy list. The command can either add or delete an MLD import policy to or from the list.

The CoA is rejected if more than the allowed number of attributes are included or if the number of resulting dynamic MLD import policies is more than 14.

241.26.6527.37

Alc-VAS-IPv4-Filter

(l2-aware NAT subscriber only).

This VSA enables IPv4 service chaining for an l2-aware NAT subscriber using the named Value Added Services (VAS) filter configured under configure subscriber-mgmt isa-service-chaining vas-filter.

241.26.6527.38

Alc-VAS-NSH-IPv4-Opaque-Meta-Data

(l2-aware NAT subscriber only).

For Value Added Services (VAS) enabled sessions this VSA specifies the Network Services Header (NSH) context header data for MD type 1. This value will override insert-subscriber-id or opaque-data configured under configure subscriber-mgmt isa-service-chaining vas-filter filter-name entry id action {downstream | upstream} insert-nsh meta-data. An NSH header with this context data will only be inserted if svc-path is correctly configured under configure subscriber-mgmt isa-service-chaining vas-filter filter-name entry id action {downstream | upstream} insert-nsh.

241.26.6527.39

Alc-Static-Port-Forward

Static port forwards to be installed for layer-2 aware NAT subscribers using external address assignment.

241.26.6527.40

Alc-IPv6-Slaac-Replacement-Prefix

Override the current host SLAAC prefix with the one specified in the VSA. The host address origin is not changed. Three subsequent Router Advertisements are sent to the SLAAC host respecting the configured advertisement intervals. The Router Advertisements contain both the current and new SLAAC prefixes: the valid and preferred lifetime for the current prefix are set to zero and for the new prefix the values are either specified in the router advertisement policy or the group interface configuration. Because of the prefix change, all traffic send using the old SLAAC prefix as source address is dropped in the BNG when anti-spoof is set to IP + MAC.

Note that the prefix change results in a SLAAC host delete and create.

241.26.6527.47

Alc-SPI-Sharing-Id

Sets or overrides the SLA Profile Instance (SPI) sharing method for this subscriber session to SPI sharing per group or to the default SPI sharing method (per SAP or per session) as specified in the SLA profile (configure subscriber-mgmt sla-profile sla-profile-name def-instance-sharing spi-sharing-type).

For SPI sharing per group, the group is identified with an integer group identifier (for example, the SPI sharing id). An SPI is shared by all subscriber sessions with the same subscriber id, SAP, SLA profile and group id.

Setting this attribute for an IPoE host with IPoE session disabled on the group interface results in a setup failure.

Unsupported values result in a subscriber session setup failure

26.10415.5

3GPP-GPRS-Negotiated-QoS-Profile

This VSA contains the QoS values signaled in the incoming GTP-C message for GTP Access hosts.

Inclusion of this attribute can be configured via configure subscriber-mgmt authentication-policy name include-radius-attribute gprs-negotiated-qos-profile.

26.10415.20

3GPP-IMEISV

This VSA contains the International Mobile Equipment Identity and its software version as signaled in the incoming GTP-C message for GTP Access hosts. If the corresponding GTP-C IE is not present the VSA will not be included.

Inclusion of this attribute can be configured via configure subscriber-mgmt authentication-policy name include-radius-attribute imei.

26.10415.21

3GPP-RAT-Type

This VSA contains the Radio Access Type as signaled in the incoming GTP-C message for GTP Access hosts.

Inclusion of this attribute can be configured via configure subscriber-mgmt authentication-policy name include-radius-attribute rat-type.

26.10415.22

3GPP-User-Location-Info

This VSA contains the User Location Information as signaled in the incoming GTP-C message for GTP Access hosts.

Inclusion of this attribute can be configured via configure subscriber-mgmt authentication-policy name include-radius-attribute uli.

1

User-Name

string

253 chars

Form depends on authentication method and configuration.

For example: User-Name user1@domain1.com

2

User-Password

string

64 bytes

Encrypted password

For example: User-Password 4ec1b7bea6f2892fa466b461c6accc00

3

CHAP-Password

octets

16+1 bytes

Users CHAP identifier 1 followed by the Encrypted password

For example: CHAP-Password 01ef8ddc7237f4adcd991ac4c277d312e9

4

NAS-IP-Address

ipaddr

4 bytes

# ipv4 address

For example: NAS-IP-Address=192.0.2.1

5

NAS-Port

integer

4 bytes

nas-port <binary-spec>

<binary-spec> = <bit-specification> <binary-spec>

<bit-specification> = 0 | 1 | <bit-origin>

<bit-origin> = *<number-of-bits><origin>

<number-of-bits> = [1 to 32]

<origin> = o (outer VLAN ID), i (inner VLAN ID), s (slot number), m (MDA number), p (port number or lag-id), v (ATM VPI), c (ATM VCI)

For example: # configured nas-port *12o*10i*3s*2m*5p for SAP 2/2/4:221.7 corresponds to 000011011101 0000000111 010 10 00100

NAS-Port = 231742788

6

Service-Type

integer

2 (mandatory value)

PPPoE and PPPoL2TP hosts only

For example: Service-Type = Framed-User

7

Framed-Protocol

integer

1 (fixed value)

PPPoE and PPPoL2TP hosts only

For example: Service-Type = PPP

8

Framed-IP-Address

ipaddr

4 bytes

For example: # ip-address 10.11.12.13

Framed-IP-Address 0a0b0c0d

9

Framed-IP-Netmask

ipaddr

4 bytes

For example: Framed-IP-Netmask = 255.255.255.255 #PPPoE residential

Framed-IP-Netmask = 255.255.255.0 #PPPoE Business with IPCP option 144 support

Framed-IP-Netmask = 255.255.255.0 # IPoE

18

Reply-Message

string

253 chars

For example: Reply-Message MyCustomizedReplyMessage

22

Framed-Route

string

max 16 Framed-Routes attributes

"<ip-prefix>[/<prefix-length>] <space> <gateway-address> [<space> <metric>] [<space> tag <space> <tag-value>] [<space> pref <space> <preference-value>]"

where:

<space> is a white space or blank character

<ip-prefix>[/prefix-length] is the managed route to be associated with the routed subscriber host. The prefix-length is optional and if not specified, a class-full class A,B or C subnet is assumed.

<gateway-address> must be the routed subscriber host IP address. “0.0.0.0” is automatically interpreted as the host IPv4 address.

[<metric>] (Optional) Installed in the routing table as the metric of the managed route. If not specified, metric zero is used. Value = [0 to 65535]

[tag <tag-value>] (Optional) The managed route is tagged for use in routing policies. If not specified or tag-value=0, then the route is not tagged. Value = [0 to 4294967295]

[pref <preference-value>] (Optional) Installed in the routing table as protocol preference for this managed route. If not specified, preference zero is used. Value = [0 to 255]

For example:

Framed-Route = "192.168.1.0/24 0.0.0.0" where 0.0.0.0 is replaced by host address. Default metrics are used (metric=0, preference=0 and no tag)

Framed-Route = "192.168.1.0 0.0.0.0" where 192.168.1.0 is a class-C network /24 and 0.0.0.0 is replaced host address. Default metrics are used.

(Continued on next page)

22 (cont.)

Framed-Route (cont.)

Framed-Route = "192.168.1.0/24 192.168.1.1" where 192.168.1.1 is the host address. Default metrics are used.

Framed-Route = "192.168.1.0 0.0.0.0 10 tag 3 pref 100" installs a managed route with metric=10, protocol preference = 100 and tagged with tag=3

25

Class

octets

Up to 6 attributes. Max. value length for each attribute is 253 chars

For example:

Class += My Class1

Class += MyClass2

27

Session-Timeout

integer

[0 to 2147483647]

seconds

# 0 = infinite (no session-timeout)

# [0 to 2147483647] in seconds

For example: Session-Timeout = 3600

28

Idle-Timeout

integer

[60 to 15552000] seconds

# 0 = infinite (no idle-timeout)

# [60 to 15552000] in seconds

For example: Idle-Timeout = 3600

30

Called-Station-Id

string

64 chars

# LNS: L2TP Called Number AVP21 from LAC

For example: Called-Station-Id = 4441212

31

Calling-Station-Id

string

64 chars

# llid | mac | remote-id | sap-id | sap-string (64 char. string configured at sap-level)

For example: include-radius-attribute calling-station-id sap-id

Calling-Station-Id = 1/1/2:1.1

32

NAS-Identifier

string

32 chars

For example: NAS-Identifier = PE1-Antwerp

44

Acct-Session-Id

string

22 bytes

Internally generated 22 bytes number.

For example:

Acct-Session-Id = 241AFF0000003250B5F750

60

CHAP-Challenge

octets

[8 to 64] bytes

random length

For example: 20 bytes CHAP-Challenge 0xa9710d2386c3e1771b8a3ea3d4e53f2a1c7024fb

61

NAS-Port-Type

integer

4 bytes

Values [0 to 255]

Values as defined in rfc-2865 and rfc-4603

For LNS, the value is set to virtual (5)

For example: NAS-Port-Type = PPPoEoQinQ (34)

85

Acct-Interim-Interval

integer

0, [300 to 15552000]

A value of 0 (zero) disables the generation of interim update messages.

A value of 1 to 299 is rounded to 300s (minimum CLI value).

A value of 300 to 15552000 specifies the Acct-Interim-Update message interval in seconds.

A value greater than 15552000 is rounded to 15552000 (maximum CLI value).

For example: 1 hour interval for interim updates

Acct-Interim-Interval = 3600

87

NAS-Port-Id

string

253 bytes in Access-Request and Accounting Request messages.

128 bytes in CoA

See [87] NAS-Port-Id Attribute Details for a detailed description of the attribute format.

For example:

NAS-Port-Id = 1/1/4:501.1001

NAS-Port-Id = LNS rtr-2#lip-203.0.113.1#rip-198.51.100.1#ltid-11381#rtid-1285#lsid-30067#rsid-19151#347

88

Framed-Pool

string

32 chars per pool name

65 chars in total (primary pool, delimiter, secondary pool)

For example:

Framed-Pool = "MyPoolname"

Framed-Pool = "Pool-1#Pool-2"

95

NAS-IPv6-Address

ipv6addr

16 bytes

# ipv6 address

For example: NAS-IPv6-Address = 2001:db8::1

97

Framed-IPv6-Prefix

ipv6prefix

max. 16 bytes for prefix + 1 byte for length

PPPoE SLAAC wan-host

<ipv6-prefix/prefix-length> with prefix-length 64

For example: Framed-IPv6-Prefix 2001:db8:FFF3:1::/64

99

Framed-IPv6-Route

string

max. 16 Framed-IPv6-Route attributes

"<ip-prefix>/<prefix-length> <space> <gateway-address> [<space> <metric>] [<space> tag <space> <tag-value>] [<space> pref <space> <preference-value>]"

where:

<space> is a white space or blank character

<ip-prefix>/<prefix-length> is the managed route to be associated with the routed subscriber host.

<gateway-address> must be the routed subscriber host IP address. “::” and “0:0:0:0:0:0:0:0” are automatically interpreted as the wan-host IPv6 address.

[<metric>] (Optional) Installed in the routing table as the metric of the managed route. If not specified, metric zero is used. Value = [0 to 65535]

[tag <tag-value>] (Optional) The managed route is tagged for use in routing policies. If not specified or tag-value=0, then the route is not tagged. Value = [0 to 4294967295]

[pref <preference-value>] (Optional) Installed in the routing table as protocol preference for this managed route. If not specified, preference zero is used. Value = [0 to 255]

99 (continued)

Framed-IPv6-Route

string

max. 16 Framed-IPv6-Route attributes

For example:

Framed-IPv6-Route = "2001:db8:1::/48 ::" where :: resolves in the wan-host. Default metrics are used (metric=0, preference=0 and no tag)

Framed-IPv6-Route = "2001:db8:2::/48 0:0:0:0:0:0:0:0" where 0:0:0:0:0:0:0:0 resolves in the wan-host. Default metrics are used.

Framed-IPv6-Route = "2001:db8:3::/48 0::0" where 0::0 resolves in the wan-host. Default metrics are used.

Framed-IPv6-Route = "2001:db8:3::/48 2001:db8:aa:1::1" where 2001:db8:aa:1::1 is the wan-host. Default metrics are used.

Framed-IPv6-Route = "2001:db8:1::/48 :: 10 tag 3 pref 100" installs a managed route with metric = 10, protocol preference = 100 and tagged with tag = 3

Framed-IPv6-Route = "2001:db8:1::/48 :: tag 5" installs a managed route with metric = 0 (default), protocol preference = 0 (default) and tagged with tag = 5

100

Framed-IPv6-Pool

string

32 chars

For example: Framed-IPv6-Pool MyWanPoolnameIANA

101

Error-Cause

octets

4 bytes

Current supported causes are: Missing Attribute[402], NAS Identification Mismatch[403], Invalid Request[404], Unsupported Service[405], Invalid Attribute Value[407], Administratively Prohibited [501], Session Context Not Found [503], Resources Unavailable[506]

For example: Error-Cause = Invalid Request

123

Delegated-IPv6-Prefix

ipv6prefix

max. 16 bytes for prefix + 1 Byte for length

<ipv6-prefix/prefix-length> with prefix-length [48 to 64]

For example: Delegated-IPv6-Prefix 2001:DB8:173A:100::/56

26.2352.1

Client-DNS-Pri

ipaddr

4 bytes

For example: Client-DNS-Pri = 198.51.100.1

26.2352.2

Client-DNS-Sec

ipaddr

4 bytes

For example: Client-DNS-Sec = 198.51.100.2

26.2352.36

Ip-Address-Pool-Name

string

65 chars

For example: Ip-Address-Pool-Name = Address_Pool_1

26.2352.99

RB-Client-NBNS-Pri

ipaddr

4 bytes

For example: RB-Client-NBNS-Pri = 198.51.100.1

26.2352.100

RB-Client-NBNS-Sec

ipaddr

4 bytes

For example: RB-Client-NBNS-Sec = 198.51.100.2

26.3561.1

Agent-Circuit-Id

string

247 chars

format see also RFC4679

# ATM/DSL <Access-Node-Identifier><atm slot/port:vpi.vci>

# Ethernet/DSL <Access-Node-Identifier><eth slot/port[:vlan-id]>

For example: ethernet dslam1 slot 2 port 1 vlan 100 Agent-Circuit-Id = dslam1 eth 2/1:100

26.3561.2

Agent-Remote-Id

string

247 chars

Format see also RFC 4679

For example: Agent-Remote-Id = MyRemoteId

26.3561.129

Actual-Data-Rate-Upstream

integer

4294967295

b/s

For example: # 1Mb/s

Actual-Data-Rate-Upstream = 1000000

26.3561.130

Actual-Data-Rate-Downstream

integer

4294967295

b/s

For example: # 5Mb/s

Actual-Data-Rate-Downstream = 5000000

26.3561.131

Minimum-Data-Rate-Upstream

integer

4294967295

b/s

For example: Minimum-Data-Rate-Upstream = 1000

26.3561.132

Minimum-Data-Rate-Downstream

integer

4294967295

b/s

For example: Minimum-Data-Rate-Downstream = 1000

26.3561.133

Attainable-Data-Rate-Upstream

integer

4294967295

b/s

For example: Attainable-Data-Rate-Downstream = 1000

26.3561.134

Attainable-Data-Rate-Downstream

integer

4294967295

b/s

For example: Minimum-Data-Rate-Upstream = 1000

26.3561.135

Maximum-Data-Rate-Upstream

integer

4294967295

b/s

For example: Maximum-Data-Rate-Upstream = 1000

26.3561.136

Maximum-Data-Rate-Downstream

integer

4294967295

b/s

For example: Maximum-Data-Rate-Downstream = 1000

26.3561.137

Minimum-Data-Rate-Upstream-Low-Power

integer

4294967295

b/s

For example: Minimum-Data-Rate-Upstream-Low-Power = 1000

26.3561.138

Minimum-Data-Rate-Downstream-Low-Power

integer

4294967295

b/s

For example: Minimum-Data-Rate-Downstream-Low-Power = 1000

26.3561.139

Maximum-Interleaving-Delay-Upstream

integer

4294967295 ms

For example: Maximum-Interleaving-Delay-Upstream = 10

26.3561.140

Actual-Interleaving-Delay-Upstream

integer

4294967295 ms

For example: Actual-Interleaving-Delay-Upstream = 10

26.3561.141

Maximum-Interleaving-Delay-Downstream

integer

4294967295 ms

For example: Maximum-Interleaving-Delay-Downstream = 10

26.3561.142

Actual-Interleaving-Delay-Downstream

integer

4294967295 ms

For example: Actual-Interleaving-Delay-Downstream = 10

26.3561.144

Access-Loop-Encapsulation

octets

3 bytes

<Data Link><Encaps-1><Encaps-2>

<Data Link>: AAL5(1), Ethernet(2)

<Encaps 1>: NotAvailable(0), Untagged Ethernet(1), Single-Tagged Ethernet(2)

<Encaps 2>: Not Available(0), PPPoA LLC(1), PPPoA Null(2), IPoA LLC(3), IPoA Null(4), Ethernet over AAL5 LLC w FCS(5), Ethernet over AAL5 LLC without FCS(6), Ethernet over AAL5 Null w FCS(7), Ethernet over AAL5 Null without FCS(8)

For example: Ethernet, Single-Tagged Ethernet, Ethernet over AAL5 LLC w FCS

Access-Loop-Encapsulation = 020205

26.3561.254

IWF-Session

octets

len 0

For example: IWF-Session

26.4874.2

ERX-Address-Pool-Name

string

65 chars

For example: ERX-Address-Pool-Name = MyPoolname

26.4874.4

ERX-Primary-Dns

ipaddr

4 bytes

For example: ERX-Primary-Dns = 198.51.100.1

26.4874.5

ERX-Secondary-Dns

ipaddr

4 bytes

For example: ERX-Secondary-Dns = 198.51.100.2

26.4874.6

ERX-Primary-Wins

ipaddr

4 bytes

For example: ERX-Primary-Wins = 198.51.100.1

26.4874.7

ERX-Secondary-Wins

ipaddr

4 bytes

For example: ERX-Ipv6-Primary-Dns = 198.51.100.2

26.4874.47

ERX-Ipv6-Primary-Dns

ipv6addr

16 bytes

For example: ERX-Secondary-Wins = 2001:db8:1::1

26.4874.48

ERX-Ipv6-Secondary-Dns

ipv6addr

16 bytes

For example: ERX-Ipv6-Secondary-Dns = 2001:db8:2::1

26.6527.9

Alc-Primary-Dns

ipaddr

4 bytes

For example: Alc-Primary-Dns = 198.51.100.1

26.6527.10

Alc-Secondary-Dns

ipaddr

4 bytes

For example: Alc-Secondary-Dns = 1198.51.100.2

26.6527.11

Alc-Subsc-ID-Str

string

32 chars

For example: Alc-Subsc-ID-Str = MySubscriberId

26.6527.12

Alc-Subsc-Prof-Str

string

16 chars

For example: Alc-Subsc-Prof-Str = MySubProfile

26.6527.13

Alc-SLA-Prof-Str

string

16 chars

For example: Alc-SLA-Prof-Str = MySlaProfile

26.6527.16

Alc-ANCP-Str

string

63 chars

format see also RFC4679

# ATM/DSL <Access-Node-Identifier><atm slot/port:vpi.vci>

# Ethernet/DSL <Access-Node-Identifier><eth slot/port[:vlan-id]>

For example: If [26.3561.1] Agent-Circuit-Id = dslam1 eth 2/1:100 then put Alc-ANCP-Str = dslam1 eth 2/1:100

26.6527.18

Alc-Default-Router

ipaddr

4 bytes

For example: Alc-Default-Router = 10.0.255.254

26.6527.27

Alc-Client-Hardware-Addr

string

6 bytes

For example: Alc-Client-Hardware-Addr = 00:00:00:00:00:01

26.6527.28

Alc-Int-Dest-Id-Str

string

32 chars

For example: Alc-Int-Dest-Id-Str= AccessNode1

26.6527.29

Alc-Primary-Nbns

ipaddr

4 bytes

For example: Alc-Primary-Nbns = 198.51.100.1

26.6527.30

Alc-Secondary-Nbns

ipaddr

4 bytes

For example: Alc-Secondary-Nbns = 198.51.100.2

26.6527.34

Alc-PPPoE-PADO-Delay

integer

[0 to 30] deci-seconds

For example: 3 seconds pado-delay

Alc-PPPoE-PADO-Delay = 30

26.6527.35

Alc-PPPoE-Service-Name

string

247 chars

For example: Alc-PPPoE-Service-Name = MyServiceName

26.6527.36

Alc-DHCP-Vendor-Class-Id

string

247 chars

For example: Alc-DHCP-Vendor-Class-Id = My-DHCP-VendorClassId

26.6527.45

Alc-App-Prof-Str

string

16 bytes

For example: Alc-App-Prof-Str = MyAppProfile

26.6527.99

Alc-Ipv6-Address

ipv6addr

16 bytes

For example: Alc-Ipv6-Address 2001:db8:FFF5::1

26.6527.100

Alc-Serv-Id

integer

2147483647

id

For example: Alc-Serv-Id = 100

26.6527.101

Alc-Interface

string

32 chars

For example: Alc-Interface = myGTPgroupinterface

26.6527.102

Alc-ToServer-Dhcp-Options

octets

2 attributes

247 bytes/attribute

494 bytes total

For example: DHCPv4 Discover , option-60 [Class-identifier-option] = DHCP-VendorClassId ; Agent-Circuit-Id = circuit10;Agent-Remote-Id = remote10

Alc-ToServer-Dhcp-Options = 66313501013c12444843502d56656e646f72436c617373496452150109636972637569743130020872656d6f74653130

26.6527.103

Alc-ToClient-Dhcp-Options

octets

8 attributes

247 bytes/attribute

494 bytes total

For example: Insert DHCP Option 121, length=7, 16.192.168 10.1.255.254

# Classless Static Route: 192.168.0.0/16 10.1.255.254

Alc-ToClient-Dhcp-Options = 0x790710C0A80A01FFFE

26.6527.105

Alc-Ipv6-Primary-Dns

ipv6addr

16 bytes

For example: Alc-Ipv6-Primary-Dns = 2001:db8:1::1

26.6527.106

Alc-Ipv6-Secondary-Dns

ipv6addr

16 bytes

For example: Alc-Ipv6-Secondary-Dns = 2001:db8:2::1

26.6527.126

Alc-Subscriber-

QoS-Override

string

18 attributes

<direction>:<QoS object>:[<id or name>:][<parameter>=value,...]

[iIeE]:[qQ]:<queue-id>:(pir|cir|mbs|cbs)

[eE]:[qQ]:<queue-id>:(wrr_weight|class_weight)

[iIeE]:[pP]:<policer-id>:(pir|cir|mbs|cbs)

[eE]:[rR]:(rate)

[eE]:[lL]:(rate)

[eE]:[gG]:<wrr-group-id>:(rate|class-weight)

[iIeE]:[aA]:root:(rate)

[iIeE]:[sS]:<scheduler-name>:(rate|cir)

See [26.6527.126] Alc-Subscriber-QoS-Override Attribute Details for a detailed description of the attribute format.

For example: ingress queue 1 pir, cir, mbs, cbs and egress aggregate rate overrides

Alc-Subscriber-QoS-Override += i:q:1:pir=40000,cir=20000,mbs=32000,cbs=16 000, Alc-Subscriber-QoS-Override += e:r:rate=800000

26.6527.128

Alc-ATM-Ingress-TD-Profile

integer

[1 to 1000] id

For example: Alc-ATM-Ingress-TD-Profile = 10

26.6527.129

Alc-ATM-Egress-TD-Profile

integer

[1 to 1000] id

For example: Alc-ATM-Egress-TD-Profile = 10

26.6527.131

Alc-Delegated-IPv6-Pool

string

32 chars

For example: Alc-Delegated-IPv6-Pool = MyLanPoolnameIAPD

26.6527.132

Alc-Access-Loop-Rate-Down

integer

[1 to 100000] kb/s

For example: rate 4M b/s

Alc-Access-Loop-Rate-Down = 4000

26.6527.133

Alc-Access-Loop-Encap-Offset

octets

3 bytes

<Data Link><Encaps-1><Encaps-2>

<Data Link>: AAL5(0), Ethernet(1)

<Encaps 1>: NotAvailable(0), Untagged Ethernet(1), Single-Tagged Ethernet(2)

<Encaps 2>: Not Available(0), PPPoA LLC(1), PPPoA Null(2), IPoA LLC(3), IPoA Null(4), Ethernet over AAL5 LLC w FCS(5), Ethernet over AAL5 LLC without FCS(6), Ethernet over AAL5 Null with FCS(7), Ethernet over AAL5 Null without FCS(8)

For example: # pppoe-tagged -> 01,02,00

Alc-Access-Loop-Encap-Offset = 0x010200

# pppoeoa-llc -> 00,01,06

Alc-Access-Loop-Encap-Offset = 0x000106

# pppoa-llc -> 00 00 01

Alc-Access-Loop-Encap-Offset = 0x000001

26.6527.135

Alc-PPP-Force-IPv6CP

integer

[0 to 4294967295]

0 : False - start IPv6CP negotiation only when IPv6 attributes are obtained in authentication

>0 : True - also start IPv6CP negotiation when no IPv6 attributes are obtained in authentication

For example: Alc-PPP-Force-IPv6CP = 1

26.6527.136

Alc-Onetime-Http-Redirection-Filter-Id

string

249 bytes

“Ingr-v4:<number>”

[1 to 65535] = apply this filter-id as one-time-http-redirect-filter

0 = Remove the current redirection filter and replace it with sla-profile ingress filter

For example: Alc-Onetime-Http-Redirection-Filter-Id = Ingr-v4:1000

26.6527.146

Alc-Wlan-APN- Name

string

247 bytes

The APN is directly reflected as present in the incoming GTP-C message.

For example: Alc-Wlan-APN-Name = demo.mnc001.mcc001.gprs

26.6527.147

Alc-MsIsdn

string

9 to 15 digits

Textual representation of the MSISDN in decimal format.

For example: Alc-MsIsdn = 13109976224

26.6527.160

Alc-Relative-Session-Timeout

integer

[0 to 2147483647] seconds

0 = infinite (no session-timeout)

[0 to 2147483647] in seconds

For example: Alc-Relative-Session-Timeout = 3600

26.6527.161

Alc-Delegated-IPv6-Prefix-Length

integer

[48 to 64] DPL length

For example: Alc-Delegated-IPv6-Prefix-Length = 48

26.6527.174

Alc-Lease-Time

integer

[0 to 4294967295] seconds

0 : fallback to the default lease-time of 7 days.

The maximum value 4294967295 corresponds with a lease-time > 9999 days (24855d 03h).

[1 to 4294967295] lease-time in seconds

For example: Alc-Lease-Time = 3600

26.6527.175

Alc-DSL-Line-State

integer

4 bytes

1=showtime, 2-idle, 3=silent

For example:

Alc-DSL-Line-State = SHOWTIME

26.6527.176

Alc-DSL-Type

integer

4 bytes

0=other, 1=ADSL1, 2=ADSL2, 3=ADSL2PLUS, 4=VDSL1, 5=VDSL2, 6=SDSL

For example:

Alc-DSL-Type = VDSL2

26.6527.177

Alc-Portal-Url

string

247 chars

URL string. An empty string removes the override.

For example:

Alc-Portal-Url = “http://portal.com/welcome/sub=$SUB”

26.6527.178

Alc-Ipv6-Portal-Url

string

247 chars

URL string. An empty string removes the override.

For example:

Alc-IPv6-Portal-Url = “http://portal.com/welcome/sub=$SUB”

26.6527.180

Alc-SAP-Session-Index

integer

4 bytes

For example:

Alc-SAP-Session-Index = 5

26.6527.181

Alc-SLAAC-IPv6-Pool

string

32 chars

DHCPv6 server pool name.

Pool name "_tmnx_auto" indicates that the pool is automatically selected by the system, for example for use with IPv6 firewall.

For example:

Alc-SLAAC-IPv6-Pool = "MySlaacPoolname"

26.6527.183

Alc-WPP-Error-Code

integer

4 bytes

A non-zero unsigned integer. Valid values are 1, 2, or 4

26.6527.185

Alc-Onetime-Http-Redirect-Reactivate

string

247 chars

The value of the attribute is opaque. Its presence in a RADIUS CoA triggers the action.

26.6527.191

Alc-ToServer-Dhcp6-Options

octets

2 attributes

247 bytes/

attribute

494 bytes total

For example, when the DHCPv6 solicit contains following options:

Option : ELAPSED_TIME (8), Length : 2

Time : 0 seconds

Option : CLIENTID (1), Length : 10

LL : HwTyp=0001,LL=005100000002

00030001005100000002

Option : ORO (6), Length : 4

Requested Option : IA_NA (3)

Requested Option : IA_PD (25)

Option : IA_NA (3), Length : 12

IAID : 0

Time1: 0 seconds

Time2: 0 seconds

Option : IA_PD (25), Length : 12

IAID : 1

Time1: 0 seconds

Time2: 0 seconds

Alc-ToServer-Dhcp6-Options = 0x0008000200000001000a0003000100510000000200060004000300190003000c0000000000000000000000000019000c000000010000000000000000

26.6527.192

Alc-ToClient-Dhcp6-Options

octets

8 attributes

247 bytes/

attribute

494 bytes total

For example, to insert following option:

Option: Simple Network Time Protocol Server (31)

Length: 32

Value:

SNTP servers address: 2001:db8:cafe:1::1

SNTP servers address: 2001:db8:cafe:2::1

Alc-ToClient-Dhcp6-Options = 0x001F002020010DB8CAFE0001000000000000000120010DB8CAFE00020000000000000001

26.6527.200

Alc-v6-Preferred-Lifetime

integer

[300 to 315446399] seconds

For example:

Alc-v6-Preferred-Lifetime = 3600

26.6527.201

Alc-v6-Valid-Lifetime

integer

[300 to 315446399] seconds

For example:

Alc-v6-Valid-Lifetime = 86400

26.6527.202

Alc-Dhcp6-Renew-Time

integer

[0 to 604800] seconds

For example:

Alc-Dhcp6-Renew-Time = 1800

26.6527.203

Alc-Dhcp6-Rebind-Time

integer

[0 to 1209600] seconds

For example:

Alc-Dhcp6-Rebind-Time = 2880

26.6527.217

Alc-UPnP-Sub-Override-Policy

string

32 chars

UPnP policy name or special values “_tmnx_no_override” or “_tmnx_disabled”.

For example:

Alc-UPnP-Sub-Override-Policy = “my-UPnP-policy”

26.6527.228

Alc-Trigger-Acct-Interim

string

247 chars

Free formatted string that is echoed in the triggered interim update message.

For example:

Alc-Trigger-Acct-Interim = "CoA - Filter update"

26.6527.232

Alc-Acct-Interim-IvI

integer

1 VSA per tag per message Max. tag 1- 5 Value [300 to 15552000]

Tagged attribute

A value of 0 (zero) disables the generation of interim update messages.

A value [1 to 299] seconds is rounded to 300s (min. CLI value) and a value > 15552000 seconds (max. CLI value) is rounded to the max. CLI value.

An untagged attribute or tag value of 0 (zero) and tag values greater than 5 are not supported and result in a host setup failure or CoA Reject.

A tag value of [1 to 5] changes the update interval of the corresponding accounting policy specified in the subscriber profile.

For example:

Alc-Acct-Interim-lvl:1 += 300

Alc-Acct-Interim-lvl:2 += 600

26.6527.234

Alc-DNAT-Override

string

247 chars

{DNAT-state | DNAT-ip-addr}[,nat-policy-name]

DNAT state = none | disable

DNAT-ip-addr = IPv4 address in dotted format (a.b.c.d)

DNAT-state and DNAT-ip-addr parameters are mutually exclusive

nat-policy-name = name of the nat-policy. This is an optional parameter and if not specified then the default nat-policy is assumed.

If two parameters are present simultaneously within the Alc-DNAT-Override attribute, then they are separated by a comma with no white spaces used as delimiter.

For example:

Alc-DNAT-Override=none

This re-enables DNAT functionality in the default nat-policy, assuming that DNAT was previously disabled via the Alc-DNAT-Override=disable attribute submitted either in Access-Accept or in a previous CoA. If the none value was received at the time when the DNAT is already enabled, a CoA ACK is sent back to the originator.

This negates any previous DNAT-related override in the default nat-policy. The DNAT functionality is set as originally defined in the default nat-policy. If the DNAT classifier is not present in the default nat-policy when this CoA is received, an error log message is raised.

26.6527.234

For example:

Alc-DNAT-Override =198.51.100.1, nat-pol-1

This changes the default DNAT IP address to 198.51.100.1 in the specified nat-policy with name nat-pol-1. DNAT is implicitly enabled in case that it was disabled before this CoA was received.

For example:

Alc-DNAT-Override = none, 198.51.100.1

DNAT-state and DNAT-ip-addr parameters are mutually exclusive within the same Alc-DNAT-Override attribute. A CoA ACK is returned to the RADIUS server and an error event is logged.

26.6527.238

Alc-Remove- Override

string

Single attribute identifier per attribute

Multiple attributes per message

[<action><space>]<attribute identifier>

See [26.6527.238] Alc-Remove-Override Attribute Details for a detailed description of the attribute format and its possible values

For example:

To deactivate an ESM L2TP steering profile: Alc-Remove-Override = "deactivate 241.26.6527.25”

26.6527.242

Alc-Radius-Py

octets

247 bytes

Free formatted attribute value for use with a corresponding RADIUS Python script.

26.6527.244

Alc-Force-DHCP-Relay

string

max. 2 attributes

fixed values

Fixed values:

“relay-ipv4” – sets the lease origin to DHCP

“relay-ipv6” – sets the lease origin to DHCP6

For example:

Alc-Force-DHCP-Relay = “relay-ipv4”

241.26.6527.16

Alc-IPv6-Router-Adv-Policy

string

32 chars

The Router Advertisement policy name.

For example:

Alc-IPv6-Router-Adv-Policy = “RA-policy-01”

241.26.6527.17

Alc-Nat-Outside-IPs

string

max. 4 attributes

<outside IP address>;<NAT policy name>

For example:

Alc-Nat-Outside-IPs += 192.0.2.1;nat-policy-1

Alc-Nat-Outside-IPs += 198.51.100.1;nat-policy-2

241.26.6527.18

Alc-Mld-Import-Policy

string

32 chars

Up to 14 attributes

The MLD import policy name.

A subscriber can have a list of up to 14 MLD import policies associated from Radius. Each MLD policy must be included in a separate attribute.

For example:

Alc-Mld-Import-Policy=”ch-lineup-01”

241.26.6527.24

Alc-IPv6-DMZ-Enabled

Integer

[0..1]

0: DMZ disabled

1: DMZ enabled

For example: DMZ enabled

Alc-IPv6-DMZ-Enabled = 1

241.26.6527.27

Alc-IPv6-Sub-If-Prefix

string

127 chars

Max. 1 attribute

<IPv6 prefix>/<prefix length><space><type>

Where <type> is either pd, wan-host, or wan-host pd. When not specified, pd is assumed.

A maximum of one prefix per subscriber host or session can be specified and up to 24 prefixes per system or per subscriber interface.

For example:

Alc-IPv6-Sub-If-Prefix = “2001:db8::/32 pd”

Alc-IPv6-Sub-If-Prefix = “2001:db8::/32 wan-host pd”

Alc-IPv6-Sub-If-Prefix = “2001:db8::/32”

241.26.6527.35

Alc-Mld-Import-Policy-Modif

string

34 chars

Max. 5 attribute

<action>:<MLD policy name>

where <action> is

a — Adds the MLD policy to the list of import policies.

s – Subtracts (removes) the MLD policy from the list of import policies.

For example:

Alc-Mld-Import-Policy-Modif=”a:ch-lineup-01”

Alc-Mld-Import-Policy-Modif=”s:ch-lineup-02”

241.26.6527.37

Alc-VAS-IPv4-Filter

string

1..32 characters

Name of a VAS filter as defined under configure subscriber-mgmt isa-service-chaining vas-filter

For example:

Alc-VAS-IPv4-Filter="vas_filter_1"

241.26.6527.38

Alc-VAS-NSH-IPv4-Opaque-Meta-Data

octets

16 bytes

Opaque data in network order to send in NSH. This will only be applicable if insert-nsh is correctly configured and will override insert-subscriber-id or opaque data configured under configure subscriber-mgmt isa-service-chaining vas-filter filter-name entry id action {downstream|upstream} insert-nsh meta-data.

241.26.6527.39

Alc-Static-Port-Forward

string

64 SPFs

See [241.26.6527.39] Alc-Static-Port-Forward Attribute Details for a detailed description of the attribute format and its possible values

For example:

Add an l2-aware NAT SPF to open up TCP port 80 (HTTP) on the outside and forward it to port 8080 on ip 10.1.0.1 on the inside:

Alc-Static-Port-Forward = "c tcp 10.1.0.1 8080->80"

241.26.6527.40

Alc-IPv6-Slaac-Replacement-Prefix

ipv6prefix

Max. 16 Bytes for prefix + 1 Byte for length

<ipv6-prefix/prefix-length> with prefix-length 64

For example:

Alc-IPv6-Slaac-Replacement-Prefix = 2001:db8:FFF3:1::/64

241.26.6527.47

Alc-SPI-Sharing-Id

string

Max. 247 chars

To set or override the SLA Profile Instance

(SPI) sharing to SPI sharing per group:

     "group:<group id>"

where <group id> is an unsigned integer value in the range [0..65535]

For example:

Alc-SPI-Sharing-Id = "group:100"

To set or override the SLA Profile Instance (SPI) sharing to the default SPI sharing method as specified in the SLA profile def-instance-sharing:

     "default"

For example:

Alc-SPI-Sharing-Id = "default"

26.10415.5

3GPP-GPRS-Negotiated-QoS- Profile

string

length as defined in the 3GPP TS

29.061

Specified in TS 29.061 version 8.5.0 Release 8 section 16.4.7.2

For example:

3GPP-GPRS-Negotiated-QoS-Profile = 08- 4D020000002710000000138800000001f40000000bb8

26.10415.20

3GPP-IMEISV

string

14 to 16 digits

3GPP vendor specific attribute as defined in TS 29.061

26.10415.21

3GPP-RAT-Type

octets

1 octet

[0..255]

Specifies the Radio Access Technology type, see 3GPP 29.061 section 16.4.7.2. for more details

For example (E-UTRAN RAT Type):

3GPP-RAT-Type = 0x06

26.10415.22

3GPP-User- Location-Info

octets

247 bytes

3GPP vendor specific attribute as defined in TS 29.061

1

User-Name

1

0-1

0-1

2

User-Password

0-1

0

0

3

CHAP-Password

0-1

0

0

4

NAS-IP-Address

0-1

0

0

5

NAS-Port

0-1

0

0

6

Service-Type

0-1

0-1

0-1

7

Framed-Protocol

0-1

0-1

0-1

8

Framed-IP-Address

0

0-1

0-1 1

9

Framed-IP-Netmask

0

0-1

0

18

Reply-Message

0

0-1

0

22

Framed-Route

0

0+

0

25

Class

0

0+

0+

27

Session-Timeout

0

0-1

0-1

28

Idle-Timeout

0

0-1

0-1

30

Called-Station-Id

0-1

0

0-1

31

Calling-Station-Id

0-1

0-1

0-1

32

NAS-Identifier

0-1

0

0

44

Acct-Session-Id

0-1

0

0-1 1

60

CHAP-Challenge

0-1

0

0

61

NAS-Port-Type

0-1

0

0-1

85

Acct-Interim-Interval

0

0-1

0-1

87

NAS-Port-Id

0-1

0

0-1 1

88

Framed-Pool

0

0-1

0

95

NAS-IPv6-Address

0-1

0

0

97

Framed-IPv6-Prefix

0

0-1

0-1 1

99

Framed-IPv6-Route

0

0+

0

100

Framed-IPv6-Pool

0

0-1

0

101

Error-Cause

0

0

0-1

123

Delegated-IPv6-Prefix

0

0-1

0-1 1

26.2352.1

Client-DNS-Pri

0

0-1

0

26.2352.2

Client-DNS-Sec

0

0-1

0

26.2352.36

Ip-Address-Pool-Name

0

0-1

0

26.2352.99

RB-Client-NBNS-Pri

0

0-1

0

26.2352.100

RB-Client-NBNS-Sec

0

0-1

0

26.3561.1

Agent-Circuit-Id

0-1

0-1

0

26.3561.2

Agent-Remote-Id

0-1

0

0

26.3561.129

Actual-Data-Rate-Upstream

0-1

0

0

26.3561.130

Actual-Data-Rate-Downstream

0-1

0

0

26.3561.131

Minimum-Data-Rate-Upstream

0-1

0

0

26.3561.132

Minimum-Data-Rate-Downstream

0-1

0

0

26.3561.133

Attainable-Data-Rate-Upstream

0-1

0

0

26.3561.134

Attainable-Data-Rate-Downstream

0-1

0

0

26.3561.135

Maximum-Data-Rate-Upstream

0-1

0

0

26.3561.136

Maximum-Data-Rate-Downstream

0-1

0

0

26.3561.137

Minimum-Data-Rate-Upstream-Low-Power

0-1

0

0

26.3561.138

Minimum-Data-Rate-Downstream-Low-Power

0-1

0

0

26.3561.139

Maximum-Interleaving-Delay-Upstream

0-1

0

0

26.3561.140

Actual-Interleaving-Delay-Upstream

0-1

0

0

26.3561.141

Maximum-Interleaving-Delay-Downstream

0-1

0

0

26.3561.142

Actual-Interleaving-Delay-Downstream

0-1

0

0

26.3561.144

Access-Loop-Encapsulation

0-1

0

0

26.3561.254

IWF-Session

0-1

0-1

0

26.4874.2

ERX-Address-Pool-Name

0

0-1

0

26.4874.4

ERX-Primary-Dns

0

0-1

0

26.4874.5

ERX-Secondary-Dns

0

0-1

0

26.4874.6

ERX-Primary-Wins

0

0-1

0

26.4874.7

ERX-Secondary-Wins

0

0-1

0

26.4874.47

ERX-Ipv6-Primary-Dns

0

0-1

0-1

26.4874.48

ERX-Ipv6-Secondary-Dns

0

0-1

0-1

26.6527.9

Alc-Primary-Dns

0

0-1

0

26.6527.10

Alc-Secondary-Dns

0

0-1

0

26.6527.11

Alc-Subsc-ID-Str

0

0-1

0-1 1

26.6527.12

Alc-Subsc-Prof-Str

0

0-1

0-1

26.6527.13

Alc-SLA-Prof-Str

0

0-1

0-1

26.6527.16

Alc-ANCP-Str

0

0-1

0-1

26.6527.18

Alc-Default-Router

0

0-1

0

26.6527.27

Alc-Client-Hardware-Addr

0-1

0-1

0-1

26.6527.28

Alc-Int-Dest-Id-Str

0

0-1

0-1

26.6527.29

Alc-Primary-Nbns

0

0-1

0

26.6527.30

Alc-Secondary-Nbns

0

0-1

0

26.6527.34

Alc-PPPoE-PADO-Delay

0

0-1

0

26.6527.35

Alc-PPPoE-Service-Name

0-1

0

0

26.6527.36

Alc-DHCP-Vendor-Class-Id

0-1

0

0

26.6527.45

Alc-App-Prof-Str

0

0-1

0-1

26.6527.99

Alc-Ipv6-Address

0

0-1

0-1 1

26.6527.100

Alc-Serv-Id

0

0-1

0

26.6527.101

Alc-Interface

0

0-1

0

26.6527.102

Alc-ToServer-Dhcp-Options

0+

0

0

26.6527.103

Alc-ToClient-Dhcp-Options

0

0+

0

26.6527.105

Alc-Ipv6-Primary-Dns

0

0-1

0-1

26.6527.106

Alc-Ipv6-Secondary-Dns

0

0-1

0-1

26.6527.126

Alc-Subscriber-QoS-Override

0

0-1

0-1

26.6527.128

Alc-ATM-Ingress-TD-Profile

0

0-1

0

26.6527.129

Alc-ATM-Egress-TD-Profile

0

0-1

0

26.6527.131

Alc-Delegated-IPv6-Pool

0

0-1

0

26.6527.132

Alc-Access-Loop-Rate-Down

0

0-1

0-1

26.6527.133

Alc-Access-Loop-Encap-Offset

0

0-1

0

26.6527.135

Alc-PPP-Force-IPv6CP

0

0-1

0

26.6527.136

Alc-Onetime-Http-Redirection-Filter-Id

0

0-1

0-1

26.6527.146

Alc-Wlan-APN-Name

0-1

0

0

26.6527.147

Alc-MsIsdn

0-1

0

0

26.6527.160

Alc-Relative-Session-Timeout

0

0-1

0-1

26.6527.161

Alc-Delegated-IPv6-Prefix-Length

0

0-1

0

26.6527.174

Alc-Lease-Time

0

0-1

0

26.6527.175

Alc-DSL-Line-State

0-1

0

0

26.6527.176

Alc-DSL-Type

0-1

0

0

26.6527.177

Alc-Portal-Url

0

0-1

0-1

26.6527.178

Alc-Ipv6-Portal-Url

0

0-1

0-1

26.6527.180

Alc-SAP-Session-Index

0-1

0

0

26.6527.181

Alc-SLAAC-IPv6-Pool

0

0-1

0

26.6527.183

Alc-WPP-Error-Code

0

0

(Access-Reject only)

0

26.6527.185

Alc-Onetime-Http-Redirect-Reactivate

0

0

0-1

26.6527.191

Alc-ToServer-Dhcp6-Options

0+

0

0

26.6527.192

Alc-ToClient-Dhcp6-Options

0

0+

0

26.6527.200

Alc-v6-Preferred-Lifetime

0

0-1

0

26.6527.201

Alc-v6-Valid-Lifetime

0

0-1

0

26.6527.202

Alc-Dhcp6-Renew-Time

0

0-1

0

26.6527.203

Alc-Dhcp6-Rebind-Time

0

0-1

0

26.6527.217

Alc-UPnP-Sub-Override-Policy

0

0-1

0-1

26.6527.228

Alc-Trigger-Acct-Interim

0

0

0-1

26.6527.232

Alc-Acct-Interim-IvI

0

0+

0+

26.6527.234

Alc-DNAT-Override

0

0+

0+

26.6527.238

Alc-Remove-Override

0

0

0+

26.6527.242

Alc-Radius-Py

0+

0+

0+

26.6527.244

Alc-Force-DHCP-Relay

0

0+

0

241.26.6527.16

Alc-IPv6-Router-Adv-Policy

0

0-1

0-1

241.26.6527.17

Alc-Nat-Outside-IPs

0

0+

0+

241.26.6527.18

Alc-Mld-Import-Policy

0

0+

0+

241.26.6527.19

Alc-Bonding-Id  2

0

0-1

0

241.26.6527.22

Alc-Bonding-Reference-Rate

0

0-1

0-1

241.26.6527.27

Alc-IPv6-Sub-If-Prefix

0

0-1

0

241.26.6527.35

Alc-Mld-Import-Policy-Modif

0

0

0+

241.26.6527.37

Alc-VAS-IPv4-Filter

0

0-1

0-1

241.26.6527.38

Alc-VAS-NSH-IPv4-Opaque-Meta-Data

0

0-1

0-1

241.26.6527.39

Alc-Static-Port-Forward

0

0+

0+

241.26.6527.40

Alc-IPv6-Slaac-Replacement-Prefix

0

0

0-1

241.26.6527.47

Alc-SPI-Sharing-Id

0

0-1

0-1

26.10415.5

3GPP-GPRS-Negotiated-QoS-Profile

0-1

0-1

0

26.10415.20

3GPP-IMEISV

0-1

0

0

26.10415.21

3GPP-RAT-Type

0-1

0

0

26.10415.22

3GPP-User-Location-Info

0-1

0

0

26.6527.17

Alc-Retail-Serv-Id

The service ID of the retailer to which this subscriber host belongs. (configure service ies | vprn retail-service-id subscriber-interface retail-interface-name fwd-service wholesale-service-id fwd-subscriber-interface wholesale-interface-name). Returning an IES service ID for an IPoEv4 host is treated as a session setup failure.

This attribute must be included together with NAS-Port-Id and an IP-address or prefix attribute in a CoA targeting a subscriber host in a retail service.

26.6527.31

Alc-MSAP-Serv-Id

The service ID where Managed SAPs are created. (configure service ies/vprn service-id). If this attribute is omitted, use msap defaults created under ludb or capture VPLS. (configure subscriber-mgmt local-user-db local-user-db-name ppp/ipoe host msap-defaults service service-id or configure service vpls service-id sap sap-id msap-defaults service service-id). This omitted attribute without explicitly created msap-defaults is treated as a setup failure.

26.6527.32

Alc-MSAP-Policy

Managed sap policy-name used to create managed SAPs and refers to the CLI context configure subscriber-mgmt msap-policy msap-policy-name). The policy contains similar parameters that would be configured for a regular subscriber SAP. If this attribute is omitted, then the MSAP default configured in ludb or capture-sap is used (configure subscriber-mgmt local-user-db ppp/ipoe host host-name msap-defaults policy msap-policy-name or configure service vpls service-id sap sap-id msap-defaults policy msap-policy-name).This omitted attribute without explicitly created MSAP defaults is treated as a setup failure.

26.6527.33

Alc-MSAP-Interface

The group interface name where managed SAPs are created and refers to CLI context configure service ies | vprn service -id subscriber-interface ip-int-name group-interface ip-int-name. If this attribute is omitted, the MSAP defaults configured in the ludb or capture-sap are used. (configure subscriber-mgmt local-user-db local-user-db-name ppp/ipoe host host-name msap-defaults group-interface ip-int-name or configure service vpls service-id sap sap-id msap-defaults group-interface ip-int-name). Strings above the limits and an omitted attribute without explicitly created MSAP defaults are treated as setup failures.

26.6527.17

Alc-Retail-Serv-Id

integer

2147483647 id

For example: Alc-Retail-Serv-Id = 10

26.6527.31

Alc-MSAP-Serv-Id

integer

2147483647 id

For example: Alc-MSAP-Serv-Id = 20

26.6527.32

Alc-MSAP-Policy

string

32 chars

Policy may start with a letter or number

For example: Alc-MSAP-Policy = 1-Policy-business

26.6527.33

Alc-MSAP-Interface

string

32 chars

Interface-name must start with a letter

For example: Alc-MSAP-Interface = group-1

26.6527.17

Alc-Retail-Serv-Id

0

0-1

0-1

26.6527.31

Alc-MSAP-Serv-Id

0

0-1

0

26.6527.32

Alc-MSAP-Policy

0

0-1

0

26.6527.33

Alc-MSAP-Interface

0

0-1

0

64

Tunnel-Type

The tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator). This attribute is mandatory on LAC Access-Accept and needs to be L2TP. The same attribute is included on LNS in the Access-Request and Acct-Request if the CLI RADIUS policy include-radius-attribute tunnel-server-attrs is enabled on a 7750 SR LNS. For L2TP Tunnel or Link Accounting, this attribute is always included on LAC and LNS.

65

Tunnel-Medium-Type

The transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. This attribute is mandatory on LAC Access-Accept and needs to be IP or IPv4.The same attribute is included on LNS in the Access-Request and Acct-Request if the CLI RADIUS policy include-radius-attribute tunnel-server-attrs is enabled on a 7750 SR LNS. For L2TP Tunnel or Link Accounting, this attribute is always included on LAC and LNS.

66

Tunnel-Client-Endpoint

The dotted-decimal IP address of the initiator end of the tunnel. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp local-address). If omitted in Access Accept on LAC and no local-address configured, then the address is taken from the interface with name system. This attribute is included on LNS in the Access-Request and Acct-Request only if the CLI RADIUS policy include-radius-attribute tunnel-server-attrs is enabled on a 7750 SR LNS. For L2TP Tunnel or Link Accounting, this attribute is always included on LAC and LNS as untagged.

67

Tunnel-Server-Endpoint

The dotted-decimal IP address of the server end of the tunnel is also on the LAC the destination IP for all L2TP packets for that tunnel.

To support more than 31 tunnels in a single RADIUS Access-Accept message, multiple Tunnel-Server-Endpoint attributes with the same tag can be inserted. All tunnels specified by Tunnel-Sever-Endpoint attributes with a given tag uses the tunnel parameters specified by the other Tunnel attributes having the same tag value.

69

Tunnel-Password

A shared, salt-encrypted secret used for tunnel authentication and AVP-hiding. The usage of tunnel-authentication is indicated by attribute [26.6527.97] Alc-Tunnel-Challenge and the usage of AVP-hiding is indicated by attribute [26.6527.54] Alc-Tunnel-AVP-Hiding. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp password). There is no default password. Received passwords longer than the maximum character limit are truncated at that limit.

81

Tunnel-Private-Group-ID

The group ID for a particular tunneled session. This RADIUS attribute is copied by a 7750 SR LAC in AVP 37 - Private Group ID (ICCN) and is used by the LAC to indicate that this call is to be associated with a particular customer group. The 7750 SR LNS ignores AVP 37 when received from LAC. The value with tag 0 is used as default for the tunnels where the value is not specified. String lengths above the maximum value are treated as setup failures.

82

Tunnel-Assignment-ID

Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as PPTP and L2TP, allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel, and also for a given session to utilize its own dedicated tunnel. Tag-0 Tunnel-Assignment-ID:0 string, has a special meaning and the string becomes the tunnel group name that can hold up to maximum 31 tunnels with the name Tunnel-Assignment-ID-[1 to 31] string. A tunnel group with the name default_radius_group is created on the LAC when this attribute with tag-0 is omitted. This attribute is not the same as attribute [26.4874.64] ERX-Tunnel-Group or [26.6527.46] Alc-Tunnel-Group since these attributes both refer to a tunnel group name created in CLI context. When not specified, the default value for Tunnel-Assignment-ID-[1 to 31] string is unnamed. String lengths above the limits are treated as a setup failure.

83

Tunnel-Preference

Indicates the relative preference assigned to each tunnel if more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator. 0x0 (zero) being the lowest and 0x0FFFFFF(16777215) being the highest numerical value. The tunnel having the numerically lowest value in the Value field of this Attribute is given the highest preference. Other tunnel selection criteria are used if preference values from different tunnels are equal. Preference 50 is used when attribute is omitted. Values above the Limits wrap around by Freeradius before send to the NAS (start again from zero until the Limits).

90

Tunnel-Client-Auth-ID

Used during the authentication phase of tunnel establishment and copied by the LAC in L2TP SCCRQ AVP 7 Host Name. Reported in L2TP Tunnel or Link accounting when length is different from zero. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when the attribute is omitted (configure router/service vprn service-id l2tp local-name). The Node system-name is copied in AVP Host Name if this attribute is omitted and no local-name is configured.

91

Tunnel-Server-Auth-ID

Used during the authentication phase of tunnel establishment and reported in L2TP Tunnel or Link accounting when length is different from zero. For authentication the value of this attribute is compared with the value of AVP 7 Host Name from the received LNS SCCRP. Authentication from LAC point of view passes if both attributes are the same. This authentication check is not performed if the RADIUS attribute is omitted.

26.2352.21

Tunnel-Max-sessions

The maximum number of sessions allowed per tunnel group (untagged attribute only). This attribute has the same function as attribute 26.6527.48 Alc-Tunnel-Max-Sessions:0. No sessions are setup above the limits. Preconfigured values configure router/service vprn service-id l2tp session-limit are used when attribute is omitted.

26.4874.33

ERX-Tunnel-Maximum-Sessions

The maximum number of sessions allowed per tunnel group (untagged attribute only). This attribute has the same meaning as attribute 26.6527.48 Alc-Tunnel-Max-Sessions:0. No sessions are setup above the limits. Preconfigured values (configure router/service vprn service-id l2tp session-limit) are used when attribute is omitted.

26.4874.64

ERX-Tunnel-Group

The name of the tunnel group that refers to the CLI-created tunnel-group-name context configure router/service vprn service-id l2tp group tunnel-group-name. Any other RADIUS returned L2TP parameter is ignored and other required info to setup the tunnel should come from the CLI-created context. Strings above the limits are treated as a setup failure.

26.6527.46

Alc-Tunnel-Group

The tunnel-group-name that refers to the CLI-created tunnel-group-name context configure router/service vprn service-id l2tp group tunnel-group-name. Any other RADIUS returned L2TP parameter is ignored and other required info to setup the tunnel should come from the CLI-created context. Strings above the limits are treated as a setup failure.

26.6527.47

Alc-Tunnel-Algorithm

Describes how new sessions are assigned (weighted-access, weighted-random or existing-first) to one of the set of suitable tunnels that are available or could be made available. A preconfigured algorithm (configure router/service vprn service-id l2tp session-assign-method) is used when this attribute is omitted.

Attribute value existing-first specifies that the first suitable tunnel is used or set up for the first session and re-used for all subsequent sessions.

The weighted-access attribute value (session-assign-method weighted) specifies that the sessions are equally distributed over the available tunnels; new tunnels are set up until the maximum number is reached; the distribution aims at an equal ratio of the actual number of sessions to the maximum number of sessions. When there are multiple tunnels with an equal number of sessions (equal weight), LAC selects the first tunnel from the candidate list.

The weighted-random attribute value enhances the weighted-access algorithm such that when there are multiple tunnels with an equal number of sessions (equal weight), LAC randomly selects a tunnel.

The maximum number of sessions per tunnel is retrieved via attribute 26.6527.48 Alc-Tunnel-Max-Sessions or set to a preconfigured value if Alc-Tunnel-Max-Sessions is omitted. Values outside the limits are treated as a setup failure.

26.6527.48

Alc-Tunnel-Max-Sessions

The maximum number of sessions allowed per tunnel (if tag is 1 to 31) or per tunnel group (if tag is 0).This attribute has the same meaning as attribute 26.2352.21 Tunnel-Max-sessions and 26.4874.33 ERX-Tunnel-Maximum-Sessions with the only difference that these latter attributes refers to the tunnel group only (untagged attributed). No sessions are setup above the Limits. Preconfigured values (configure router/service vprn service-id l2tp session-limit) are used when attribute is omitted.

26.6527.49

Alc-Tunnel-Idle-Timeout

The period in seconds that an established tunnel with no active sessions (Established-Idle) persists before being disconnected. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp idle-timeout). The tunnel is not disconnected (infinite) without local configured idle-timeout or if the attribute has value -1 (16777215). Values above the Limits are treated as setup failures.

26.6527.50

Alc-Tunnel-Hello-Interval

The time interval in seconds between two consecutive tunnel Hello messages. A value of -1 specifies that the keepalive function is disabled. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp hello-interval). Values outside the limits are treated as a setup failure.

26.6527.51

Alc-Tunnel-Destruct-Timeout

The time in seconds that operational data of a disconnected tunnel persists on the node before being removed. Availability of the data after tunnel disconnection allows better troubleshooting. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp destruct-timeout). Values outside the limits are treated as a setup failure.

26.6527.52

Alc-Tunnel-Max-Retries-Estab

The number of retries allowed for established tunnels before their control connection goes down. An exponential back-off mechanism is used for the retransmission interval: the first retransmission occurs after 1 second, the next after 2 seconds, then 4 seconds up to a maximum interval of 8 seconds (1,2,4,8,8,8,8). The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp max-retries-estab). Values outside the limits are treated as a setup failure.

26.6527.53

Alc-Tunnel-Max-Retries-Not-Estab

The number of retries allowed for unestablished tunnels before their control connection goes down. An exponential back-off mechanism is used for the retransmission interval: the first retransmission occurs after 1 second, the next after 2 seconds, then 4 seconds up to a maximum interval of 8 seconds (1,2,4,8,8,8,8). The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp max-retries-not-estab). Values outside the limits are treated as a setup failure.

26.6527.54

Alc-Tunnel-AVP-Hiding

Indicates if data is hidden in the Attribute Value field of an L2TP AVP. The H bit in the header of each L2TP AVP provides a mechanism to indicate to the receiving peer whether the contents of the AVP are hidden or present in cleartext. This feature can be used to hide sensitive control message data such as user passwords or user IDs. All L2TP AVPs are passed in cleartext if the attribute is omitted and corresponds with the nothing value. The sensitive-only value specifies that the H bit is only set for AVPs containing sensitive information. The all value specifies that the H bit is set for all AVPs where it is allowed. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when the attribute is omitted configure router/service vprn service-id l2tp avp-hiding. AVP hiding uses the shared LAC-LNS secret defined in attribute [69] Tunnel-Password or in configuration. If no password is specified, the tunnel setup fails for sensitive-only and all values. Values outside the Limits are treated as a setup failure.

26.6527.97

Alc-Tunnel-Challenge

Indicates whether the tunnel authentication (challenge-response) is to be used. L2TP tunnel-authentication is based on RFC 1994 CHAP authentication and requires the shared-secret defined in attribute [69] Tunnel-Password. The value with tag 0 is used as default for the tunnels where the value is not specified. When the attribute is omitted and no [69] Tunnel-Password attribute is specified, a preconfigured value is used (configure router/service vprn service-id l2tp challenge). When the attribute is omitted and a [69] Tunnel-Password attribute is specified, then the always value is used. When the attribute has the always value, no [69] Tunnel-Password attribute is specified and no preconfigured value exists for the password, then the tunnel setup fails. Values outside the limits are treated as a setup failure.

26.6527.100

Alc-Serv-Id

The service ID on the LNS node where the PPP sessions are established (configure service ies/vprn service-id subscriber-interface ip-int-name group-interface ip-int-name). Preconfigured values are used if attribute is omitted (configure subscriber-mgmt local-user-db local-user-db-name ppp host host-name interface ip-int-name service-id service-id or configure router/service vprn service-id l2tp group ppp default-group-interface ip-int-name service-id service-id). Values above the limits or unreferenced are treated as a setup failure.

26.6527.101

Alc-Interface

Refers to the group interface ip-int-name on LNS node only where the PPP sessions are established (configure service ies/vprn service-id subscriber-interface ip-int-name group-interface ip-int-name lns). Preconfigured values are used if the attribute is omitted (configure subscriber-mgmt local-user-db local-user-db-name ppp host host-name interface ip-int-name service-id service-id or configure router/service vprn service-id l2tp group ppp default-group-interface ip-int-name service-id service-id). Alc-interface names longer than the maximum allowed value are treated as session setup failures.

26.6527.104

Alc-Tunnel-Serv-Id

The service ID from which the tunnel should be established, enables the tunnel origin to be in a VPRN (VRF). The default value equals Base. Values above the limits or unreferenced are treated as a setup failure.

26.6527.120

Alc-Tunnel-Rx-Window-Size

The initial receive window size being offered to the remote peer. This attribute is copied in the AVP 10 L2TP Receive Window Size. The remote peer may send the specified number of control messages before it must wait for an acknowledgment. The value with tag 0 is used as default for the tunnels where the value is not specified. A preconfigured value is used when the attribute is omitted (configure router/service vprn service-id l2tp receive-window-size). Values outside the allowed limits are treated as a setup failure.

26.6527.144

Alc-Tunnel-Acct-Policy

Refers to a preconfigured L2TP tunnel accounting policy name (configure aaa l2tp-accounting-policy policy-name). L2TP tunnel accounting (RFC 2867) can collect usage data based either on L2TP tunnel and L2TP sessions and send these accounting data to a RADIUS server. Different RADIUS attributes such as [66] Tunnel-Client-Endpoint, [67] Tunnel-Server-Endpoint, [68] Acct-Tunnel-Connection, [82] Tunnel-Assignment-ID can be used to identify the tunnel or session. The value with tag 0 is used as default for the tunnels where the value is not specified. Preconfigured values are used when the attribute is omitted (configure router/service vprn service-id l2tp radius-accounting-policy). Unreferenced policy names or policy names longer than the allowed maximum are treated as host setup failures.

26.6527.204

Alc-Tunnel-DF-bit

This attribute is used on an L2TP LAC only. By default, a LAC does not allow L2TP packet fragmentation by sending L2TP towards the LNS with the Do not Fragment (DF) bit set to 1. This DF bit can be set to 0 to allow downstream routers to fragment the L2TP packets. The LAC itself will not fragment L2TP packets. Packets sent with MTU bigger than the allowed size on the LAC egress port are dropped. This attribute is silently ignored if RADIUS returns an Alc-Tunnel-Group attribute. In that case, the tunnel level, group level, or as last resort, the root level configuration is used instead.

26.6527.214

Alc-Tunnel-Recovery-Method

Sets the L2TP LAC failover recovery method to be used for this tunnel: MCS or recovery tunnel (RFC 4951). Preconfigured values are used when the attribute is omitted (configure router/service vprn service-id l2tp failover recovery-method).

When the tunnel recovery method is set to recovery-tunnel but LNS does not support this capability, then the system automatically falls back to mcs.

Values outside the limits are treated as a setup failure.

26.6527.215

Alc-Tunnel-Recovery-Time

Only applicable when the L2TP LAC failover recovery-method is set to recovery-tunnel. Sets the L2TP LAC failover recovery-time to be negotiated with LNS via L2TP failover extensions (RFC 4951). It indicates to the LNS how long it needs to extend its protocol retry timeout before declaring the control channel down. Preconfigured values are used when attribute is omitted (configure router/service vprn service-id l2tp failover recovery-time).

Values outside the limits are treated as a setup failure.

241.26.6527.25

Alc-Steering-Profile

The steering profile that should be applied to perform traffic steering on L2TP LAC. The steering profile is configured in the following CLI context: configure subscriber-mgmt steering-profile name. An L2TP LAC session is successfully set up when a non-existent steering profile name is referenced in an Access-Accept. A CoA containing a non-existent steering profile is rejected. In both cases, the non-existent steering profile is stored in the L2TP LAC session information and becomes active when the profile is configured at a later stage.

To deactivate traffic steering on L2TP LAC, the [26.6527.238] Alc-Remove-Override attribute must be used.

64

Tunnel-Type

integer

3 (mandatory value)

Mandatory 3=L2TP

For example: Tunnel-Type = L2TP

65

Tunnel-Medium-Type

integer

1 (mandatory value)

Mandatory 1=IP or IPv4

For example: Tunnel-Medium-Type = IP

66

Tunnel-Client-Endpoint

string

Max. length = 15 bytes (untagged) or 16 bytes (tagged)

<tag field><dotted-decimal IP address used on LAC as L2TP src-ip>

If the tag field is greater than 0x1F, it is interpreted as the first byte of the following string field

For example:

# untagged Tunnel-Client-Endpoint = 3139382e35312e3130302e31

Tunnel-Client-Endpoint = 198.51.100.1

# tagged 0 Tunnel-Client-Endpoint = 003139382e35312e3130302e31

Tunnel-Client-Endpoint:0 = 198.51.100.1

# tagged 1 Tunnel-Client-Endpoint = 013139382e35312e3130302e31

Tunnel-Client-Endpoint:1 = 198.51.100.1

67

Tunnel-Server-Endpoint

string

Max. length = 15 bytes (untagged) or 16 bytes (tagged)

Max. 451 attributes or limited by RADIUS message size

<tag field><dotted-decimal IP address used on LAC as L2TP dst-ip>

If Tag field is greater than 0x1F, it is interpreted as the first byte of the following string field

For example: # tagged 1 Tunnel-Server-Endpoint = 013230332e302e3131332e31

Tunnel-Server-Endpoint:1 = 203.0.113.1

69

Tunnel-Password

string

64 chars

For example: Tunnel-Password:1 = password

81

Tunnel-Private-Group-ID

string

32 chars

For example: Tunnel-Private-Group-ID:1 = MyPrivateTunnelGroup

82

Tunnel-Assignment-ID

string

32 chars

Tag 0x00 tunnel-group

Tag 0x01-0x01f individual tunnels within this tunnel-group

For example:

Tunnel-Assignment-ID:0 += LNS-ALU

Tunnel-Assignment-ID:1 += Tunnel-1

Tunnel-Assignment-ID:2 += Tunnel-2

83

Tunnel-Preference

integer

16777215

Default preference 50

For example: Tunnel 1 and 2 same preference and first selected

Tunnel-Preference:1 += 10

Tunnel-Preference:2 += 10

Tunnel-Preference:3 += 20

90

Tunnel-Client-Auth-ID

string

64 chars

For example: Tunnel-Client-Auth-Id:0 = LAC-Antwerp-1

91

Tunnel-Server-Auth-ID

string

64 chars

For example: Tunnel-Server-Auth-ID:0 = LNS-Antwerp-1

26.2352.21

Tunnel-Max-sessions

integer

131071

max sessions per group with default=131071

default=131071

For example: Tunnel-Max-sessions:0 = 1000

26.4874.33

ERX-Tunnel-Maximum-Sessions

integer

131071

max sessions per group with default=131071

For example: ERX-Tunnel-Maximum-Sessions:0 = 1000

26.4874.64

ERX-Tunnel-Group

string

32 chars

node preconfigured tunnel-group

For example: ERX-Tunnel-Group:0 = MyCliTunnelGroupName

26.6527.46

Alc-Tunnel-Group

string

32 chars

node preconfigured tunnel-group

For example: Alc-Tunnel-Group = MyCliTunnelGroupName

26.6527.47

Alc-Tunnel-Algorithm

integer

values [1 to 3]

1=weighted-access, 2=existing-first, 3=weighted-random

default=existing-first For example: Alc-Tunnel-Algorithm:0 = weighted-access

26.6527.48

Alc-Tunnel-Max-Sessions

integer

131071

max sessions per group or tunnel with default=131071

For example: # 10000 for the group and individual settings per tunnel

Alc-Tunnel-Max-Sessions:0 += 10000

Alc-Tunnel-Max-Sessions:1 += 2000

Alc-Tunnel-Max-Sessions:2 += 1000

26.6527.49

Alc-Tunnel-Idle-Timeout

integer

3600 seconds

infinite = -1 or [0 to 3600] seconds with default= infinite

For example: # don't disconnect tunnel1

Alc-Tunnel-Idle-Timeout :1 += 16777215

# disconnect tunnel2 after 1 minute

Alc-Tunnel-Idle-Timeout :2 += 60

# disconnect tunnel3 immediately

Alc-Tunnel-Idle-Timeout :3 += 0

26.6527.50

Alc-Tunnel-Hello-Interval

integer

[60 to 3600] seconds

no keepalive = -1 or [60 to 3600] seconds with default= 300 seconds

For example: # tunnel 1 keepalive 120 seconds

Alc-Tunnel-Hello-Interval:1 += 120

26.6527.51

Alc-Tunnel-Destruct-Timeout

integer

[60 to 86400] seconds

[60 to 86400] seconds with default= 60 seconds

For example: # tunnel 1 tunnel destruct timer 120 seconds

Alc-Tunnel-Destruct-Timeout:1 += 120

26.6527.52

Alc-Tunnel-Max-Retries-Estab

integer

[2 to 7]

default 5

For example: # retry 2 times for all tunnels in tunnel group

Alc-Tunnel-Max-Retries-Estab:0 = 2

26.6527.53

Alc-Tunnel-Max-Retries-Not-Estab

integer

[2 to 7]

default 5

For example: # retry 2 times for all tunnels in tunnel group

Alc-Tunnel-Max-Retries-Not-Estab:0 = 2

26.6527.54

Alc-Tunnel-AVP-Hiding

integer

values [1 to 3]

1=nothing,2=sensitive-only,3=all; default nothing

1=nothing: All L2TP AVPs in clear text

2=sensitive-only: AVP 11-Challenge, 13-Response, 14-Assigned Session ID, 21-Called-number, 22-Calling-number, 26-Initial Received LCP Confreq, 27-Last Sent LCP Confreq,28-Last Received LCP Confreq, 29-Proxy Authen Type, 30-Proxy Authen Name, 31-Proxy Authen Challenge, 32-Proxy Authen ID, 33-Proxy Authen Response

3=all: All AVPs that, according RFC 2661 can be hidden, are hidden.

For example: # Best common practices

Alc-Tunnel-AVP-Hiding:0 = sensitive-only

26.6527.97

Alc-Tunnel-Challenge

integer

values [1 to 2]

1=never, 2=always; default never

For example: Alc-Tunnel-Max-Retries-Estab:0 = always

26.6527.100

Alc-Serv-Id

integer

2147483647 id

For example: Alc-Serv-Id = 100

26.6527.101

Alc-Interface

string

32 chars

For example: Alc-Interface = MyGroupInterface

26.6527.104

Alc-Tunnel-Serv-Id

integer

2147483647 id

default = 'Base' router

For example: # vprn service 100

Alc-Tunnel-Serv-Id = 100

26.6527.120

Alc-Tunnel-Rx-Window-Size

integer

[4 to 1024]

Tag 0 = default when not specified (all tunnels)

Tag 1 to 31 = specific tunnel

default 64

For example: Alc-Tunnel-Rx-Window-Size = 1000

26.6527.144

Alc-Tunnel-Acct-Policy

string

32 chars

For example: Alc-Tunnel-Acct-Policy = MyL2TPTunnelPolicy

26.6527.204

Alc-Tunnel-DF-bit

integer

values [0 to 1]

0=clr-lac-data, 1=set-lac-data; default = 1

For example: Alc-Tunnel-DF-bit:0 = clr-lac-data

26.6527.214

Alc-Tunnel-Recovery-Method

integer

values [0 to 1]

0=recovery-tunnel, 1=mcs; default = 0

For example: Alc-Tunnel-Recovery-Method:1 = recovery-tunnel

26.6527.215

Alc-Tunnel-Recovery-Time

integer

[0 to 900] seconds

[0 to 900] in seconds; default = 0

For example: Alc-Tunnel-Recovery-Time = 180

241.26.6527.25

Alc-Steering-Profile

string

32 chars

Steering profile name

For example:

Alc-Steering-Profile = “steering-profile-1”

64

Tunnel-Type

0-1

1

0

N

Y

31

65

Tunnel-Medium-Type

0-1

1

0

N

Y

31

66

Tunnel-Client-Endpoint

0-1

0-1

0

N

Y

31

67

Tunnel-Server-Endpoint

0-1

1

0

N

Y

31

69

Tunnel-Password

0

0-1

0

Y

Y

31

81

Tunnel-Private-Group-ID

0-1

0-1

0

N

Y

31

82

Tunnel-Assignment-ID

0

0-1

0

N

Y

31

83

Tunnel-Preference

0

0-1

0

N

Y

31

90

Tunnel-Client-Auth-ID

0-1

0-1

0

N

Y

31

91

Tunnel-Server-Auth-ID

0-1

0-1

0

N

Y

31

26.2352.21

Tunnel-Max-sessions

0

0-1

0

N

N

N/A

26.4874.33

ERX-Tunnel-Maximum-Sessions

0

0-1

0

N

N

N/A

26.4874.64

ERX-Tunnel-Group

0

0-1

0

N

N

N/A

26.6527.46

Alc-Tunnel-Group

0

0-1

0

N

N

N/A

26.6527.47

Alc-Tunnel-Algorithm

0

0-1

0

N

N

N/A

26.6527.48

Alc-Tunnel-Max-Sessions

0

0-1

0

N

Y

31

26.6527.49

Alc-Tunnel-Idle-Timeout

0

0-1

0

N

Y

31

26.6527.50

Alc-Tunnel-Hello-Interval

0

0-1

0

N

Y

31

26.6527.51

Alc-Tunnel-Destruct-Timeout

0

0-1

0

N

Y

31

26.6527.52

Alc-Tunnel-Max-Retries-Estab

0

0-1

0

N

Y

31

26.6527.53

Alc-Tunnel-Max-Retries-Not-Estab

0

0-1

0

N

Y

31

26.6527.54

Alc-Tunnel-AVP-Hiding

0

0-1

0

N

Y

31

26.6527.97

Alc-Tunnel-Challenge

0

0-1

0

N

Y

31

26.6527.100

Alc-Serv-Id

0

0-1

0

N

N

N/A

26.6527.101

Alc-Interface

0

0-1

0

N

N

N/A

26.6527.104

Alc-Tunnel-Serv-Id

0

0-1

0

N

N

N/A

26.6527.120

Alc-Tunnel-Rx-Window-Size

0

0-1

0

N

Y

31

26.6527.144

Alc-Tunnel-Acct-Policy

0

0-1

0

N

Y

31 (untag-ged)

26.6527.204

Alc-Tunnel-DF-bit

0

0-1

0

N

Y

31

26.6527.214

Alc-Tunnel-Recovery-Method

0

0-1

0

N

Y

31

26.6527.215

Alc-Tunnel-Recovery-Time

0

0-1

0

N

Y

31

241.26.6527.25

Alc-Steering-Profile

0

0-1

0-1

N

N

N/A

22

Framed-Route

Routing information (IPv4 managed route) to be configured on the NAS for a host (DHCP, PPPoE, ARP) that operates as a router without NAT (so called routed subscriber host). The route included in the Framed-Route attribute is accepted as a managed route only if the next-hop points to the host’s IP address if the next-hop address equals 0.0.0.0, or if the included route is a valid classful network in case the subnet-mask is omitted. If neither is applicable, this specific framed-route attribute is ignored and the host is instantiated without this specific managed route installed. A Framed-Route attribute is also ignored if the SAP does not have anti-spoof configured to NH-MAC (the host is installed as a standalone host without managed route). The number of routes above limits are silently ignored. Optionally, a metric, tag, and protocol preference can be specified for the managed route. If the metrics are not specified, are specified in a wrong format, or specified with out-of-range values, then default values are used for all metrics: metric=0, no tag and preference=0. If an identical managed route is associated with different routed subscriber hosts in the context of the same IES/VPRN service, up to max-ecmp-routes managed routes are installed in the routing table (configured as ecmp max-ecmp-routes in the routing instance). Candidate ECMP Framed-Routes have identical prefix, equal lowest preference, and equal lowest metric. The lowest IP next-hop” is the tie breaker if more candidate ECMP Framed-Routes are available than the configured max-ecmp-routes. Other identical managed routes are shadowed (not installed in the routing table) and an event is logged. An alternative to RADIUS managed routes are managed routes via host dynamic BGP peering.

Valid RADIUS-learned managed routes can be included in RADIUS accounting messages with the configure subscriber-mgmt radius-accounting-policy name include-radius-attribute framed-route configuration. Associated managed routes for an instantiated routed subscriber host are included in RADIUS accounting messages independent of the state of the managed route (Installed, Shadowed or HostInactive).

99

Framed-IPv6-Route

Routing information (IPv6 managed route) to be configured on the NAS for a v6 WAN host (IPoE or PPPoE) that operates as a router. The functionality is comparable with offering multiple PD prefixes for a single host. The route included in the Framed-IPv6-Route attribute is accepted as a managed route only if its next-hop is a WAN host (DHCPv6 IA-NA or SLAAC) or if the next-hop address equals ::. As a consequence, Framed-IPv6-Routes with explicit configured gateway prefix of a pd-host (DHCPv6 IA-PD) will not be installed. A Framed-Route attribute is also ignored if the SAP does not have anti-spoof configured to NH-MAC (the host is installed as a standalone host without a managed route). The number of routes above limits are silently ignored. Optionally, a metric, tag, or protocol preference can be specified for the managed route. If the metrics are not specified, specified in a wrong format, or specified with out-of-range values, then default values are used for all metrics: metric=0, no tag and preference=0. If an identical managed route is associated with different routed subscriber hosts in the context of the same IES or VPRN service up to max-ecmp-routes managed routes are installed in the routing table (configured as ecmp max-ecmp-routes in the routing instance). Candidate ECMP Framed-IPv6-Routes have identical prefix, equal lowest preference and equal lowest metric. The lowest IP next-hop is the tie breaker if more candidate ECMP Framed-IPv6-Routes are available than the configured max-ecmp-routes. Other identical managed routes are shadowed (not installed in the routing table) and an event is logged. Valid RADIUS learned managed routes can be included in RADIUS accounting messages with following configuration: configure subscriber-mgmt radius-accounting-policy name include-radius-attribute framed-ipv6-route. Associated managed routes for an instantiated routed subscriber host are included in RADIUS accounting messages independent of the state of the managed route (Installed, Shadowed or HostInactive).

26.6527.55

Alc-BGP-Policy

Refers to a preconfigured policy under configure subscriber-mgmt bgp- peering-policy policy-name. Mandatory attribute for dynamic BGPv4 peering. The referenced policy contains all required parameters to setup the dynamic BGPv4 peer. Peer-AS, MD5 key, Authentication-Keychain and import and export policies can be overridden by optional RADIUS attributes. Dynamic BGPv4 peering related attributes are ignored if the session or host does not terminate in a VPRN. Host setup is successful, but without BGPv4 peering if a non-existing policy-name is received or if the SAP anti-spoof type is different from nh-mac. Policy names above the maximum length result in a host setup failure.

26.6527.56

Alc-BGP-Auth-Keychain

Optional attribute for dynamic BGPv4 peering. Refers to the keychain parameters (configure system security keychain keychain-name) used to sign or authenticate the BGP protocol stream via the TCP enhanced authentication option (draft-bonica-tcp-auth). Host setup is successful, but without BGPv4 peering if a non-existing keychain name is received. Keychain names above the maximum length result in a host setup failure. Alternative for [26.6527.57] Alc-BGP-Auth-Key.

26.6527.57

Alc-BGP-Auth-Key

Optional attribute for dynamic BGPv4 peering. Indicates the authentication key used between BGPv4 peers before establishing sessions. Authentication is done using the MD5 message based digest protocol. Authentication keys are truncated at 247 Bytes and are not encrypted.

26.6527.58

Alc-BGP-Export-Policy

Optional attribute for dynamic BGPv4 peering. This refers to a preconfigured BGP export policy (configure router policy-options policy-statement name). The RADIUS received policy is appended to the list of export policies configured in the peering policy (configure subscriber-mgmt bgp-peering-policy policy-name export policy-name) if there are fewer than 15 preconfigured policies or replaces the fifteenth policy. Host setup is successful, but without export policy applied if a non-existing policy-name is received. Policy names above the maximum length result in a host setup failure.

26.6527.59

Alc-BGP-Import-Policy

Optional attribute for dynamic BGPv4 peering. Refers to a preconfigured BGP import policy (configure router policy-options policy-statement name). The RADIUS received policy is appended to the peer (if preconfigured policies for peer are smaller than 15) or replaces the fifteenth policy (if preconfigured policies for peer are exact 15). Host setup is successful but without import policy applied if a non-existing policy-name is received. Policy names above the maximum length result in a host setup failure.

26.6527.60

Alc-BGP-PeerAS

Optional attribute for dynamic BGPv4 peering. Specifies the Autonomous System number for the remote BGPv4 peer.

26.6527.207

Alc-RIP-Policy

Refers to the preconfigured policy under configure subscriber-mgmt rip-policy policy-name and enables the BNG to listen to RIPv1 or RIPv2 messages from the host (master SRRP node only in case of a dual-homed BNG). The referenced policy contains the authentication type and authentication key used to establish a RIP neighbor with this host. Host setup is successful, but the RIP message from the host are ignored if a non-existing policy name is received or if the SAP anti-spoof type is different from NH-MAC. Policy names exceeding the maximum length result in a host setup failure.

26.6527.208

Alc-BGP-IPv6-Policy

Refers to a preconfigured policy under configure subscriber-mgmt bgp- peering-policy policy-name. Mandatory attribute for dynamic BGPv6 peering. The referenced policy contains all required parameters to setup the dynamic BGPv6 peer. Peer-AS, MD5 key, Authentication-Keychain and import or export policies can be overridden by optional RADIUS attributes. Dynamic BGPv6 peering related attributes are ignored if the session or host does not terminate in a VPRN. Host setup is successful, but without BGPv6 peering if a non-existing policy name is received or if the SAP anti-spoof type is different from nh-mac. Policy names above the maximum length result in a host setup failure.

Note that unlike the ESMv4 case, there is no IPv6 interface address associated with a subscriber interface. The peering address for CPE devices can be any routable IPv6 interface address in the same routing instance as the host (example a loopback interface). This requires multi-hop BGPv6 capability on the CPE.

26.6527.209

Alc-BGP-IPv6-Auth-Keychain

Optional attribute for dynamic BGPv6 peering. Refers to the keychain parameters (configure system security keychain keychain-name) used to sign or authenticate the BGPv6 protocol stream via the TCP enhanced authentication option (draft-bonica-tcp-auth). Host setup is successful, but without BGPv6 peering if a non-existing keychain name is received. Keychain names above the maximum length result in a host setup failure. Alternative for [26.6527.201] Alc-BGP-IPv6-Auth-Key.

26.6527.210

Alc-BGP-IPv6-Auth-Key

Optional attribute for dynamic BGPv6 peering. Indicates the authentication key used between BGPv6 peers before establishing sessions. Authentication is performed using the MD5 message based digest protocol. Authentication keys are truncated at 247 bytes and are not encrypted.

26.6527.211

Alc-BGP-IPv6-Export-Policy

Optional attribute for dynamic BGPv6 peering. Refers to a preconfigured BGP export policy (configure router policy-options policy-statement name). The RADIUS received policy is appended to the peer (if there are fewer than 15) or replaces the fifteenth policy. Host setup is successful, but without export policy applied if a non-existing policy name is received. Policy names above the maximum length result in a host setup failure.

26.6527.212

Alc-BGP-IPv6-Import-Policy

Optional attribute for dynamic BGPv6 peering. Refers to a preconfigured BGP import policy (configure router policy-options policy-statement name). The RADIUS received policy is appended to the peer (if there are fewer than 15) or if the received policy replaces the fifteenth policy. Host setup is successful, but without import policy applied if a non-existing policy name is received. Policy names above the maximum length result in a host setup failure.

26.6527.213

Alc-BGP-IPv6-PeerAS

Optional attribute for dynamic BGPv6 peering. Specifies the Autonomous System number for the remote BGPv6 peer.

22

Framed-Route

string

max. 16 Framed-Route attributes

"<ip-prefix>[/<prefix-length>] <space> <gateway-address> [<space> <metric>] [<space> tag <space> <tag-value>] [<space> pref <space> <preference-value>]”

where:

<space> is a white space or blank character

<ip-prefix>[/prefix-length] is the managed route to be associated with the routed subscriber host. The prefix-length is optional and if not specified, a class-full class A,B or C subnet is assumed.

<gateway-address> must be the routed subscriber host IP address. “0.0.0.0” is automatically interpreted as the host IPv4 address.

[<metric>] (Optional) Installed in the routing table as the metric of the managed route. If not specified, metric zero is used. Value = [0 to 65535]

[tag <tag-value>] (Optional) The managed route is tagged for use in routing policies. If not specified or tag-value=0, then the route is not tagged. Value = [0 to 4294967295]

[pref <preference-value>] (Optional) Installed in the routing table as protocol preference for this managed route. If not specified, preference zero is used. Value = [0 to 255]

22 (continued)

Framed-Route

string

max. 16 Framed-Route attributes

For example:

Framed-Route = "192.168.1.0/24 0.0.0.0" where 0.0.0.0 is replaced by host address. Default metrics are used (metric=0, preference=0 and no tag)

Framed-Route = "192.168.1.0 0.0.0.0" where 192.168.1.0 is a class-C network /24 and 0.0.0.0 is replaced host address. Default metrics are used.

Framed-Route = "192.168.1.0/24 192.168.1.1" where 192.168.1.1 is the host address. Default metrics are used.

Framed-Route = "192.168.1.0 0.0.0.0 10 tag 3 pref 100" installs a managed route with metric=10, protocol preference = 100 and tagged with tag=3

Framed-Route = "192.168.1.0 0.0.0.0 tag 5" installs a managed route with metric=0 (default), protocol preference = 0 (default) and tagged with tag=5"

99

Framed-IPv6-Route

string

max. 16 Framed-IPv6-Route attributes

<ip-prefix>/<prefix-length> <space> <gateway-address> [<space> <metric>] [<space> tag <space> <tag-value>] [<space> pref <space> <preference-value>]”

where:

<space> is a white space or blank character

<ip-prefix>/<prefix-length> is the managed route to be associated with the routed subscriber host.

<gateway-address> must be the routed subscriber host IP address. “::” and “0:0:0:0:0:0:0:0” are automatically interpreted as the wan-host IPv6 address.

[<metric>] (Optional) Installed in the routing table as the metric of the managed route. If not specified, metric zero is used. Value = [0 to 65535]

[tag <tag-value>] (Optional) The managed route is tagged for use in routing policies. If not specified or tag-value=0, then the route is not tagged. Value = [0 to 4294967295]

[pref <preference-value>] (Optional) Installed in the routing table as protocol preference for this managed route. If not specified, preference zero is used. Value = [0 to 255]

99 (continued)

Framed-IPv6-Route

string

max. 16 Framed-IPv6-Route attributes

For example:

Framed-IPv6-Route = "2001:db8:1::/48 ::" where :: resolves in the wan-host. Default metrics are used (metric=0, preference=0 and no tag)

Framed-IPv6-Route = "2001:db8:2::/48 0:0:0:0:0:0:0:0" where 0:0:0:0:0:0:0:0 resolves in the wan-host. Default metrics are used.

Framed-IPv6-Route = "2001:db8:3::/48 0::0" where 0::0 resolves in the wan-host. Default metrics are used.

Framed-IPv6-Route = "2001:db8:3::/48 2001:db8:aa::1" where 2021:1::1 is the wan-host. Default metrics are used.

Framed-IPv6-Route = "2001:db8:1::/48 :: 10 tag 3 pref 100" installs a managed route with metric = 10, protocol preference = 100 and tagged with tag = 3

Framed-IPv6-Route = "2001:db8:1::/48 :: tag 5" installs a managed route with metric = 0 (default), protocol preference = 0 (default) and tagged with tag = 5

26.6527.55

Alc-BGP-Policy

string

32 chars

For example: Alc-BGP-Policy = MyBGPPolicy

26.6527.56

Alc-BGP-Auth-Keychain

string

32 chars

For example: Alc-BGP-Auth-Keychain = MyKeychainPolicy

26.6527.57

Alc-BGP-Auth-Key

octets

247 bytes

For example: Alc-BGP-Auth-Key = "SecuredBGP"

26.6527.58

Alc-BGP-Export-Policy

string

32 chars

For example: Alc-BGP-Export-Policy = to_dynamic_bgp_peer

26.6527.59

Alc-BGP-Import-Policy

string

32 chars

For example: Alc-BGP-Import-Policy = from_dynamic_bgp_peer

26.6527.60

Alc-BGP-PeerAS

integer

[1 to 4294967294]

For example: Alc-BGP-PeerAS = 64500

26.6527.207

Alc-RIP-Policy

string

32 chars

For example: Alc-RIP-Policy = MyRIPPolicy

26.6527.208

Alc-BGP-IPv6-Policy

string

32 chars

For example: Alc-BGP-IPv6-Policy = MyBGPPolicy

26.6527.209

Alc-BGP-IPv6-Auth-Keychain

string

32 chars

For example: Alc-BGP-IPv6-Auth-Keychain = MyKeychain

26.6527.210

Alc-BGP-IPv6-Auth-Key

octets

247 bytes

For example: Alc-BGP-IPv6-Auth-Key = “SecuredBGPv6”

26.6527.211

Alc-BGP-IPv6-Export-Policy

string

32 chars

For example: Alc-BGP-IPv6-Export-Policy = to_dynamic_bgpv6_peer

26.6527.212

Alc-BGP-IPv6-Import-Policy

string

32 chars

For example: Alc-BGP-IPv6-Import-Policy = from_dynamic_bgpv6_peer

26.6527.213

Alc-BGP-IPv6-PeerAS

integer

[1 to 4294967294]

For example: Alc-BGP-IPv6-PeerAS = 64500

22

Framed-Route

0

0+

0

99

Framed-IPv6-Route

0

0+

0

26.6527.55

Alc-BGP-Policy

0

0-1

0

26.6527.56

Alc-BGP-Auth-Keychain

0

0-1

0

26.6527.57

Alc-BGP-Auth-Key

0

0-1

0

26.6527.58

Alc-BGP-Export-Policy

0

0-1

0

26.6527.59

Alc-BGP-Import-Policy

0

0-1

0

26.6527.60

Alc-BGP-PeerAS

0

0-1

0

26.6527.207

Alc-RIP-Policy

0

0-1

0

26.6527.208

Alc-BGP-IPv6-Policy

0

0-1

0

26.6527.209

Alc-BGP-IPv6-Auth-Keychain

0

0-1

0

26.6527.210

Alc-BGP-IPv6-Auth-Key

0

0-1

0

26.6527.211

Alc-BGP-IPv6-Export-Policy

0

0-1

0

26.6527.212

Alc-BGP-IPv6-Import-Policy

0

0-1

0

26.6527.213

Alc-BGP-IPv6-PeerAS

0

0-1

0

26.6527.95

Alc-Credit-Control-CategoryMap

Refers to a preconfigured category-map (configure subscriber-mgmt category-map category-map-name) that contains credit control information for up to 16 predefined categories The category-map-name can also be assigned via the LUDB, or credit-control-policy if the attribute is omitted. This attribute is ignored if the host has no credit-control-policy defined in its SLA profile instance. Strings with lengths above the limits are treated as a setup failure.

26.6527.96

Alc-Credit-Control-Quota

Defines a volume and time quota per category. Either volume or time monitoring is supported and the operational credit-type (volume or time) is taken from the category map if both volume and time-quota in this attribute are non-zero. The operational credit-type becomes time if the volume-quota is zero and volume if the time-quota is zero. The Credit Expired becomes true and the corresponding Out Of Credit Action is triggered if both time and volume-quota are zero in the initial Authentication-Accept or CoA. Value zero for both time and volume-quota in additional Authentication Accepts (triggered by credit refresh or re-authentication) are interpreted as no extra credit granted and does not influence the current available credit, were non-zero values reset the current available credit. For CoA requests both Alc-Credit-Control-CategoryMap and Alc-Credit-Control-Quota attributes needs to be included. For RADIUS-Access Accepts this is not mandatory and either both or one of the two attributes can come from pre-defined values from the node. Volume quota values outside the defined limits are treated as an error condition. Time quota values above the defined limits are accepted and capped at maximum value. If more attributes are present than allowed by the limits, it is treated as a setup failure.

26.6527.95

Alc-Credit-Control-CategoryMap

string

32 chars

For example: Alc-Credit-Control-CategoryMap = MyCatMap

26.6527.96

Alc-Credit-Control-Quota

string

(2^64 - 1) volume value

(2^32 - 1) time value

16 attributes

volume-value volume-units|time-value time- units|category-name

<volume-value>: converted in bytes and stored in 64 bit counter

- value '0' = no volume credit

- value between 1 Byte and (2^64 - 1 / 18446744073709551615) Bytes

<time-value>: converted in seconds and stored in 32 bit counter

- value '0' = no time credit

- value between 1 second and (2^32 - 1 / 4294967295) seconds

<volume-units>:

- in byte (B or units omitted), kilobyte (K or KB), megabyte (M or MB), gigabyte (G or GB)

- a combination (10GB200MB20KB|) of different volume units is not allowed.

<time-units>:

- in seconds (s or units omitted), in minutes (m), in hours (h), in days (d)

- a combination of different time units is allowed with some restrictions: 15m30s is accepted while 15m60s is not.

For example: 500 Mbytes volume credit for category cat1 and 1 day, 2 hours, 3 minutes and 4 seconds time credit for category cat2

Alc-Credit-Control-Quota += 500MB|0|cat1,

Alc-Credit-Control-Quota += 0|1d2h3m4s|cat2

26.6527.95

Alc-Credit-Control-CategoryMap

0

0-1

0-1

26.6527.96

Alc-Credit-Control-Quota

0+

0+

0+

92

NAS-Filter-Rule

Subscriber host specific filter entry. The match criteria are automatically extended with the subscriber host IP or IPv6 address as source (ingress) or destination (egress) IP. They represent a per-host customization of a generic filter policy: only traffic to or from the subscriber host matches against these entries.

A range of entries must be reserved for subscriber host specific entries in a filter policy: configure filter ip-filter/ipv6-filter filter-id sub-insert-radius

Subscriber host specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or ip filter policy override) and if the new filter policy contains enough free reserved entries.

When the subscriber host session terminates or is disconnected, then the corresponding subscriber host-specific filter entries are also deleted.

The function of the attribute is identical to [26.6527.159] Alc-Ascend-Data-Filter-Host-Spec but it has a different format. The format used to specify host specific filter entries (NAS-Filter-Rule format or Alc-Ascend-Data-Filter-Host-Spec format) cannot change during the lifetime of the subscriber host.

Mixing formats in a single RADIUS message results in a failure.

26.529.242

Ascend-Data-Filter

A local configured filter policy can be extended with shared dynamic filter entries. A dynamic copy of the base filter (the filter associated to the host via SLA profile or host filter override) is made and extended with the set of filter rules per type (IPv4 or IPv6) and direction (ingress or egress) in the RADIUS message. If a dynamic copy with the same set of rules already exists, no new copy is made, but the existing copy is associated with the host or session. If after host or session disconnection, no hosts or sessions are associated with the dynamic filter copy, then the dynamic copy is removed.

Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries.

A range of entries must be reserved for shared entries in a filter policy: configure filter ip-filter/ipv6 filter filter-id sub-insert-shared-radius.

The function of the attribute is identical to [26.6527.158] Alc-Nas-Filter-Rule-Shared but it has a different format. The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host.

Mixing formats in a single RADIUS message results in a failure.

Shared filter entries should only be used if many hosts share the same set of filter rules that need to be controlled from RADIUS.

26.6527.134

Alc-Subscriber-Filter

Subscriber host preconfigured IP or IPv6 ingress and egress filters to be used instead of the filters defined in the SLA profile. Non-relevant fields are ignored (for example, IPv4 filters for an IPv6 host).

The scope of the local preconfigured filter should be set to template for correct operation (configure filter ip-filter/ipv6-filter filter-id scope template). This is not enforced. For a RADIUS CoA message, if the ingress or egress field is missing in the VSA, there is no change for that direction. For a RADIUS Access-Accept message, if the ingress or egress field is missing in the VSA, then the IP filters as specified in the SLA profile is active for that direction Applicable to all dynamic host types, including L2TP LNS but excluding L2TP LAC.

26.6527.158

Alc-Nas-Filter-Rule-Shared

A local configured filter policy can be extended with shared dynamic filter entries. A dynamic copy of the base filter (the filter associated to the host via SLA profile or host filter override) is made and extended with the set of filter rules per type (IPv4 or IPv6) and direction (ingress or egress) in the RADIUS message. If a dynamic copy with the same set of rules already exists, no new copy is made, but the existing copy is associated with the host or session. If after host or session disconnection, no hosts or sessions are associated with the dynamic filter copy, then the dynamic copy is removed. Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries. A range of entries must be reserved for shared entries in a filter policy: configure filter ip-filter|ipv6-filter filter-id sub-insert-shared-radius The function of the attribute is identical to [26.529.242] Ascend-Data-Filter but it has a different format. The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure.

Shared filter entries should only be used if many hosts share the same set of filter rules that need to be controlled from RADIUS.

26.6527.159

Alc-Ascend-Data-Filter-Host-Spec

Subscriber host specific filter entry. The match criteria is automatically extended with the subscriber host IP address or IPv6 address as source (ingress) or destination (egress) IP. They represent a per host customization of a generic filter policy: only traffic to or from the subscriber host matches against these entries. A range of entries must be reserved for subscriber host specific entries in a filter policy: configure filter ip-filter/ipv6-filter filter-id sub-insert-radius. Subscriber host specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries. When the subscriber host session terminates or is disconnected, then the corresponding subscriber host specific filter entries are also deleted. The function of the attribute is identical to [92] Nas-Filter-Rule but it has a different format. The format used to specify host-specific filter entries (NAS-Filer-Rule format or Alc-Ascend-Data-Filter-Host-Spec format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure.

92

NAS-Filter-Rule

string

max. 10 attributes per message or max. 10 filter entries per message

The format of a NAS-Filter-Rule is defined in RFC 3588, Diameter Base Protocol, section-4.3, Derived AVP Data Formats. A single filter rule is a string of format <action> <direction> <protocol> from <source> to <destination> <options> Multiple rules should be separated by a NUL (0x00). A NAS-Filter-Rule attribute may contain a partial rule, one rule, or more than one rule. Filter rules may be continued across attribute boundaries.

A RADIUS message with NAS-Filter-Rule attribute value equal to 0x00 or “ “ (a space) removes all host specific filter entries for that host.

See also IP Filter Attribute Details.

For example: Nas-Filter-Rule = permit in ip from any to 10.1.1.1/32

26.529.242

Ascend-Data-Filter

Octets

multiple attributes per RADIUS message allowed.

min. length 22 bytes (IPv4), 46 bytes (IPv6)

max. length: 110 bytes (IPv4), 140 bytes (IPv6)