Attribute ID | Attribute name | Description |
---|---|---|
1 | User-Name | The name of the user requesting Authentication, Authorization, and Accounting. Usernames longer than the allowed maximum limit are treated as an authentication failure. |
2 | User-Password | The password of the user requesting Authentication, Authorization, and Accounting. It is always encrypted in a fixed length. |
4 | NAS-IP-Address | The identifying IP address of the NAS requesting the Authentication or Accounting. Included when the RADIUS server is reachable using IPv4. The address is determined by the routing instance through which the RADIUS server can be reached: "Management": the active IPv4 address in the Boot Options File (bof address ipv4-address); "Base": the IPv4 address of the system interface (configure router interface system address address). The address can be overwritten with the configured source-address (configure system security source-address application radius ip-int-name \| ip-address). |
18 | Reply-Message | The attribute received in the Access-Challenge message for challenge-response interactive authentication. The content of the Reply-Message attribute is displayed to the user. The user is prompted for a response. |
24 | State | The attribute received in the Access-Challenge message for challenge-response interactive authentication and sent unmodified in the new Access-Request. |
27 | Session-Timeout | The attribute received in the Access-Challenge message for challenge-response interactive authentication. The maximum number of seconds in which the user should provide the response. After this time, the prompt is terminated. |
28 | Idle-Timeout | The attribute received in the Access-Challenge message for challenge-response interactive authentication. The number of seconds after which the prompt is terminated when no user activity is detected. |
31 | Calling-Station-Id | The IP address (coded in hex) of the user that requests Authentication, Authorization, Accounting, or "CONSOLE" when requesting access from the serial port (Console). |
44 | Acct-Session-Id | A unique generated number, without inherent meaning, per authenticated user. It is reported in all accounting messages and used to correlate CLI commands (accounting data) from the same user. |
61 | NAS-Port-Type | Mandatory. Included as type Virtual (5) for Telnet/SSH or Async (0) for Console. |
95 | NAS-IPv6-Address | The identifying IP address of the NAS requesting the Authentication or Accounting. Included when the RADIUS server is reachable using IPv6. The address is determined by the routing instance through which the RADIUS server can be reached: "Management": the active IPv6 address in the Boot Options File (bof address ipv6-address); "Base": the IPv6 address of the system interface (configure router interface system ipv6 address ipv6-address). The address can be overwritten with the configured ipv6-source-address (configure system security source-address application6 radius ipv6-address). |
26.6527.1 | Timetra-Access | Specifies the allowed management interfaces for the user: ftp, console (serial, Telnet, SSH), netconf and grpc. |
26.6527.2 | Timetra-Home-Directory | Specifies the local home directory for the user for console and FTP access. It is enforced with attribute [26.6527.3] Timetra-Restrict-To-Home. The home directory is not enforced if [26.6527.3] Timetra-Restrict-To-Home is omitted. The local home directory is entered from the moment when the authenticated user enters the file CLI command. |
26.6527.3 | Timetra-Restrict-To-Home | When the value is true, the user is not allowed to navigate to directories above the home directory for file access. The home directory is specified in [26.6527.2] Timetra-Home-Directory and is root if [26.6527.2] Timetra-Home-Directory is omitted. |
26.6527.4 | Timetra-Profile | The user profiles that the user has access to. The attribute refers to preconfigured user-profile-names (configure system security profile user-profile-name). These preconfigured profiles hold a default-action, a match command-string and an action. Unreferenced profile names are silently ignored. If the maximum number of profile strings is violated, or if a string is too long, processing the input is stopped but authorization continues, and the too-long profile string and all strings that follow it are ignored. Each user can have multiple profiles and the order is important. The first user profile has highest precedence, followed by the second and so on. Note that for each authenticated RADIUS user a temporary profile with name [1] User-Name is always created (show system security profile) and executed as the last profile. This temporary profile is built from the mandatory attribute [26.6527.5] Timetra-Default-Action and optional attributes [26.6527.6] Timetra-Cmd, [26.6527.7] Timetra-Action. |
26.6527.5 | Timetra-Default-Action | Specifies the default action (permit-all, deny-all or none) when the user has entered a command and none of the command strings in [26.6527.6] Timetra-Cmd resulted in a match condition. The attribute is mandatory and required even if the [26.6527.6] Timetra-Cmd attributes are not used. |
26.6527.6 | Timetra-Cmd | Command string, subtree command string, or a list of command strings as scope for the match condition for user authorization. Multiple command strings in the same attribute are delimited with the ";" character. Additional command strings are encoded in multiple attributes. If the maximum number of command strings is violated, or if a string is too long, processing the input is stopped but authorization continues. Therefore, if the RADIUS server is configured to have five command strings of which the third is too long, only the first two entries are used and the rest are ignored. Each [26.6527.6] Timetra-Cmd attribute is followed in sequence by a [26.6527.7] Timetra-Action. (A missing Timetra-Action results in a deny.) Note that for each authenticated RADIUS user, a temporary profile with name [1] User-Name is always created (show system security profile) and executed as the last profile. This temporary profile is built from the mandatory attribute [26.6527.5] Timetra-Default-Action and optional attributes [26.6527.6] Timetra-Cmd, [26.6527.7] Timetra-Action. |
26.6527.7 | Timetra-Action | Action to be used when a user's command matches the commands specified in the [26.6527.6] Timetra-Cmd attribute. Action deny is used if the attribute is omitted, and the [26.6527.5] Timetra-Default-Action is used when no match is found. Note the following: |
26.6527.8 | Timetra-Exec-File | Specifies the file that is executed whenever the user is successfully authenticated. |

Attribute ID | Attribute name | Type | Limits | SR OS format |
---|---|---|---|---|
1 | User-Name | string | 32 chars | For example: User-Name = "admin" |
2 | User-Password | string | 16 chars fixed | Encrypted password. For example: User-Password 4ec1b7bea6f2892fa466b461c6accc00 |
4 | NAS-IP-Address | ipaddr | 4 bytes | # ip-address. For example: NAS-IP-Address = "192.0.2.1" |
18 | Reply-Message | string | — | For example: Reply-Message = "Please enter your response for challenge: 4598 2441 ?" |
24 | State | string | — | For example: State = "Challenge-Response" |
27 | Session-Timeout | integer | — | For example: Session-Timeout = 180 |
28 | Idle-Timeout | integer | — | For example: Idle-Timeout = 90 |
31 | Calling-Station-Id | string | 64 bytes | # user's IP address or "CONSOLE". For example: Calling-Station-Id = "192.0.2.2" or Calling-Station-Id = "2001:db8::2" |
44 | Acct-Session-Id | string | 22 bytes | For example: Acct-Session-Id = "2128463592102512113409" |
61 | NAS-Port-Type | integer | 4 bytes value 5 fixed | Fixed set to value Virtual (5) for SSH/Telnet and Async (0) for console. For example: NAS-Port-Type 00000005 |
95 | NAS-IPv6-Address | ipv6addr | 16 bytes | # ipv6 address. For example: NAS-IPv6-Address = 2001:db8::1 |
26.6527.1 | Timetra-Access | integer | 1..15 | The sum of the values of the allowed management interfaces: 1=ftp, 2=console (serial port, Telnet and SSH(SCP)), 3=both FTP and console, 4=netconf, 8=grpc. For example: Enable SSH access: Timetra-Access = console; Enable FTP, SSH and NETCONF access: Timetra-Access = 7 |
26.6527.2 | Timetra-Home-Directory | string | 190 chars | For example: Timetra-Home-Directory = cf3:/7750/configs/ |
26.6527.3 | Timetra-Restrict-To-Home | integer | 1,2 (false, true) | 1=true, 2=false. For example: Timetra-Restrict-To-Home = true |
26.6527.4 | Timetra-Profile | string | 16 attributes, 32 chars/attribute | For example: Timetra-Profile += administrative1; Timetra-Profile += administrative2 |
26.6527.5 | Timetra-Default-Action | integer | 1,2,3 | 1=permit-all, 2=deny-all, 3=none. For example: Timetra-Default-Action = none |
26.6527.6 | Timetra-Cmd | string | 25 attributes, 247 chars/attribute | For example: Timetra-Cmd += configure router isis;show subscriber-mgmt sub-profile and Timetra-Cmd += show router |
26.6527.7 | Timetra-Action | integer | 25 attributes | # 1=permit, 2=deny. For example: Timetra-Action = permit |
26.6527.8 | Timetra-Exec-File | string | 200 chars | Timetra-Exec-File = <local-url>\|<remote-url>; # local-url : [<cflash-id>/][<file-path>]; # remote-url : {ftp://\|tftp://}<login>:<pswd>@<remote-locn>/<file-path>. For example: Timetra-Exec-File = cf3:/MyScript or Timetra-Exec-File = ftp://root:root@192.168.0.10/home/configs/MyScript.cfg |

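
The Access-Accept rules described in the tables above (the Timetra-Access sum, the Timetra-Cmd limits, the Timetra-Cmd/Timetra-Action pairing and the mandatory Timetra-Default-Action), modelled as an added Python example that is not Nokia code. The function names and the sample reply are constructed for illustration, and the 247-character limit is assumed to apply to each attribute value.

```python
# Added example (not Nokia code); limits are taken from the tables above.
MAX_CMD_ATTRS = 25   # Timetra-Cmd: 25 attributes
MAX_CMD_LEN = 247    # Timetra-Cmd: 247 chars/attribute (assumed per attribute)
ACCESS_BITS = {1: "ftp", 2: "console", 4: "netconf", 8: "grpc"}

def decode_access(value):
    """Split the Timetra-Access sum (1..15) into management interfaces."""
    if not 1 <= value <= 15:
        raise ValueError("Timetra-Access must be in 1..15")
    return [name for bit, name in ACCESS_BITS.items() if value & bit]

def effective_profile(reply):
    """reply: ordered (attribute, value) pairs from an Access-Accept.
    Returns (default_action, rules, findings); rules are (command, action)."""
    default, rules, findings = None, [], []
    seen = kept = 0
    stopped = False
    for i, (attr, value) in enumerate(reply):
        if attr == "Timetra-Default-Action":
            default = value
        elif attr == "Timetra-Cmd":
            seen += 1
            # A limit violation stops processing: this and later strings are ignored.
            stopped = stopped or seen > MAX_CMD_ATTRS or len(value) > MAX_CMD_LEN
            if stopped:
                continue
            kept += 1
            nxt = reply[i + 1] if i + 1 < len(reply) else (None, None)
            if nxt[0] == "Timetra-Action":
                action = nxt[1]
            else:  # a missing Timetra-Action results in a deny
                action = "deny"
                findings.append(f"Timetra-Cmd #{seen}: no Timetra-Action, deny applied")
            rules += [(c.strip(), action) for c in value.split(";") if c.strip()]
    if default not in ("permit-all", "deny-all", "none"):
        findings.append("Timetra-Default-Action missing or invalid (mandatory)")
    if seen > kept:
        findings.append(f"{seen - kept} Timetra-Cmd attribute(s) ignored after limit violation")
        if default == "permit-all":
            findings.append("ignored rules fall through to permit-all")
    return default, rules, findings

# Constructed sample reply: the third Timetra-Cmd exceeds 247 characters.
SAMPLE = [
    ("Timetra-Default-Action", "permit-all"),
    ("Timetra-Cmd", "show router"), ("Timetra-Action", "permit"),
    ("Timetra-Cmd", "configure router isis;show subscriber-mgmt sub-profile"),
    ("Timetra-Cmd", "admin " + "x" * 250), ("Timetra-Action", "deny"),
    ("Timetra-Cmd", "configure system security"), ("Timetra-Action", "deny"),
]
```

Calling `effective_profile(SAMPLE)` keeps only the first two Timetra-Cmd attributes; the two deny rules after the over-long string are dropped, so with a permit-all default those commands are no longer blocked.
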

Attribute ID | Attribute name | Access-Request 1 | Access-Challenge 1 | Access-Request 2 | Access-Accept 1 or 2 |
---|---|---|---|---|---|
1 | User-Name | 1 | 0 | 1 | 0 |
2 | User-Password | 1 | 0 | 1 | 0 |
4 | NAS-IP-Address | 0-1 | 0 | 0-1 | 0 |
18 | Reply-Message | 0 | 1+ | 0 | 0 |
24 | State | 0 | 0-1 | 0-1 | 0 |
27 | Session-Timeout | 0 | 0-1 | 0 | 0 |
28 | Idle-Timeout | 0 | 0-1 | 0 | 0 |
31 | Calling-Station-Id | 1 | 0 | 1 | 0 |
44 | Acct-Session-Id | 0 | 0 | 0 | 0 |
61 | NAS-Port-Type | 1 | 0 | 1 | 0 |
95 | NAS-IPv6-Address | 0-1 | 0 | 0-1 | 0 |
26.6527.1 | Timetra-Access | 0 | 0 | 0 | 1 |
26.6527.2 | Timetra-Home-Directory | 0 | 0 | 0 | 1 |
26.6527.3 | Timetra-Restrict-To-Home | 0 | 0 | 0 | 1 |
26.6527.4 | Timetra-Profile | 0 | 0 | 0 | 0+ |
26.6527.5 | Timetra-Default-Action | 0 | 0 | 0 | 1 |
26.6527.6 | Timetra-Cmd | 0 | 0 | 0 | 0+ |
26.6527.7 | Timetra-Action | 0 | 0 | 0 | 0-1 |
26.6527.8 | Timetra-Exec-File | 0 | 0 | 0 | 0-1 |