Attribute ID | Attribute name | Description |
---|---|---|
1 | User-Name | For an IKEv1 remote-access tunnel, the XAuth username. For an IKEv2 remote-access tunnel, the identity of the peer: the value of User-Name is the IDi received in the IKEv2 exchange. |
2 | User-Password | For an IKEv1 remote-access tunnel, the XAuth password. For an IKEv2 remote-access tunnel using the psk-radius authentication method, the pre-shared key of the ipsec-gw or ipsec-tunnel (configure service ies/vprn service-id interface ip-int-name sap sap-id ipsec-gw gw-name pre-shared-key, or configure service vprn service-id interface ip-int-name sap sap-id ipsec-tunnel tnl-name dynamic-keying pre-shared-key). For an IKEv2 remote-access tunnel using any authentication method other than psk-radius, the password configured in the IPsec radius-authentication-policy (configure ipsec radius-authentication-policy name password). |
4 | NAS-IP-Address | The IP address identifying the NAS that requests the authentication. Inclusion is controlled with configure ipsec radius-authentication-policy name include-radius-attribute nas-ip-addr. The address is determined by the routing instance through which the RADIUS server is reached: Management, the active IPv4 address in the Boot Options File (bof address ipv4-address); Base or VPRN, the IPv4 address of the system interface (configure router interface system address address). The address can be overridden with a configured source address (configure aaa radius-server-policy policy-name servers source-address ip-address). |
8 | Framed-IP-Address | The IPv4 address assigned to the IKEv1/v2 remote-access tunnel client through the configuration payload attribute INTERNAL_IP4_ADDRESS. |
9 | Framed-IP-Netmask | The IPv4 netmask assigned to the IKEv1/v2 remote-access tunnel client through the configuration payload attribute INTERNAL_IP4_NETMASK. |
30 | Called-Station-Id | The local gateway address of the IKEv2 remote-access tunnel. Inclusion is controlled with configure ipsec radius-authentication-policy name include-radius-attribute called-station-id. |
31 | Calling-Station-Id | The peer's address and port of the IKEv2 remote-access tunnel. Inclusion is controlled with configure ipsec radius-authentication-policy name include-radius-attribute calling-station-id. |
32 | NAS-Identifier | A string (configure system name system-name) identifying the NAS that originates the authentication requests. Inclusion is controlled with configure ipsec radius-authentication-policy name include-radius-attribute nas-identifier. |
44 | Acct-Session-Id | A unique identifier for the IKEv2 remote-access tunnel session being authenticated. The same Acct-Session-Id is included in both the Access-Request and the Accounting-Request, so the two records can be correlated. |
79 | EAP-Message | Encapsulates the EAP payload received from the IKEv2 peer in the Access-Request. |
80 | Message-Authenticator | Used with EAP authentication; provides integrity verification of the RADIUS message (an HMAC-MD5 over the packet, keyed with the RADIUS shared secret). |
87 | Nas-Port-Id | The public SAP ID of the IKEv2 remote-access tunnel. Inclusion is controlled with configure ipsec radius-authentication-policy name include-radius-attribute nas-port-id. |
88 | Framed-Pool | The name of one IPv4 address pool, or the names of a primary and a secondary IPv4 address pool separated by a configurable one-character delimiter (configure router or configure service vprn service-id, then dhcp local-dhcp-server server-name use-pool-from-client delimiter delimiter), to be used for local address assignment during IKEv2 remote-access tunnel setup. A RADIUS server can include the attribute in an Access-Accept; its value overrides the locally configured value in the ipsec-gw local-address-assignment ipv4 context of the interface SAP. |
97 | Framed-IPv6-Prefix | The IPv6 address assigned to the IKEv2 remote-access tunnel client through the IKEv2 configuration payload attribute INTERNAL_IP6_ADDRESS. The prefix and prefix length of Framed-IPv6-Prefix are carried in the corresponding fields of INTERNAL_IP6_ADDRESS. |
100 | Framed-IPv6-Pool | The name of the IPv6 address pool used for local address assignment during IKEv2 remote-access tunnel setup. Its value overrides the locally configured value in the ipsec-gw local-address-assignment ipv6 context of the interface SAP. |
26.311.16 | MS-MPPE-Send-Key | Together with MS-MPPE-Recv-Key (26.311.17), carries the Master Session Key (MSK) derived by the EAP authentication. It is expected in the Access-Accept when EAP authentication succeeds with an EAP method that derives keying material. |
26.311.17 | MS-MPPE-Recv-Key | Together with MS-MPPE-Send-Key (26.311.16), carries the Master Session Key (MSK) derived by the EAP authentication. It is expected in the Access-Accept when EAP authentication succeeds with an EAP method that derives keying material. |
26.6527.9 | Alc-Primary-Dns | The IPv4 DNS server address assigned to an IKEv1/v2 remote-access tunnel client through the configuration payload attribute INTERNAL_IP4_DNS. For IKEv2, up to four DNS server addresses can be returned to a client, in any combination of Alc-Primary-Dns, Alc-Secondary-Dns, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns. |
26.6527.10 | Alc-Secondary-Dns | The IPv4 DNS server address assigned to an IKEv2 remote-access tunnel client through the IKEv2 configuration payload attribute INTERNAL_IP4_DNS. Up to four DNS server addresses can be returned to a client, in any combination of Alc-Primary-Dns, Alc-Secondary-Dns, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns. |
26.6527.61 | Alc-IPsec-Serv-Id | The IPsec private service ID used by the IKEv1/v2 remote-access tunnel; it refers to the preconfigured VPRN in which the IPsec tunnel terminates (configure service vprn service-id). When the attribute is omitted, the default private service is used (configure service vprn interface sap ipsec-gw default-secure-service). Tunnel setup fails if the returned service ID does not exist, is outside the allowed range, or exists but is not a VPRN service. |
26.6527.62 | Alc-IPsec-Interface | The private IPsec interface name used by the IKEv1/v2 remote-access tunnel; it refers to the preconfigured private IPsec interface on which the tunnel terminates (config>service>vprn>interface ip-int-name tunnel). When the attribute is omitted, the default private interface is used (config>service>ies/vprn>if>sap>ipsec-gw>default-secure-service service-id interface ip-int-name). The maximum length is 32 bytes. Tunnel setup fails if the returned interface does not exist, exceeds the maximum length, or exists but is not a private IPsec interface. |
26.6527.63 | Alc-IPsec-Tunnel-Template-Id | The IPsec tunnel-template ID used by the IKEv1/v2 remote-access tunnel; it refers to a preconfigured tunnel template (configure ipsec tunnel-template ipsec template identifier). When the attribute is omitted, the default tunnel template is used (config>service>vprn>if>sap>ipsec-gw>default-tunnel-template template-id). Tunnel setup fails if the returned template does not exist or is outside the allowed range. |
26.6527.64 | Alc-IPsec-SA-Lifetime | The IPsec phase 2 SA lifetime in seconds, used by the IKEv1/v2 remote-access tunnel. When the attribute is omitted, the preconfigured value is used (configure ipsec ike-policy policy-id ipsec-lifetime ipsec-lifetime). A value outside the Limits causes tunnel setup to fail. |
26.6527.65 | Alc-IPsec-SA-PFS-Group | The IPsec PFS Diffie-Hellman group ID, used by the IKEv1/v2 remote-access tunnel. When the attribute is omitted, the PFS group of the ike-policy is used (configure ipsec ike-policy policy-id pfs dh-group grp-id). Tunnel setup fails if the returned value is not one of the allowed values. |
26.6527.66 | Alc-IPsec-SA-Encr-Algorithm | The IPsec phase 2 SA encryption algorithm, used by the IKEv1/v2 remote-access tunnel. When the attribute is omitted, the esp-encryption-algorithm of the ipsec-transform is used (configure ipsec ipsec-transform transform-id esp-encryption-algorithm algo). This attribute must be sent together with Alc-IPsec-SA-Auth-Algorithm; if it is sent alone, tunnel setup fails. A value outside the Limits also causes tunnel setup to fail. |
26.6527.67 | Alc-IPsec-SA-Auth-Algorithm | The IPsec phase 2 SA authentication algorithm, used by the IKEv1/v2 remote-access tunnel. When the attribute is omitted, the esp-auth-algorithm of the ipsec-transform is used (configure ipsec ipsec-transform transform-id esp-auth-algorithm algo). A value outside the Limits causes tunnel setup to fail. This attribute must be sent together with Alc-IPsec-SA-Encr-Algorithm; if it is sent alone, tunnel setup fails. |
26.6527.68 | Alc-IPsec-SA-Replay-Window | The IPsec anti-replay window size, used by the IKEv1/v2 remote-access tunnel. When the attribute is omitted, the replay-window size of the tunnel template is used (configure ipsec tunnel-template ipsec template identifier replay-window size). A value outside the Limits causes tunnel setup to fail. |
26.6527.105 | Alc-Ipv6-Primary-Dns | The IPv6 DNS server address assigned to an IKEv2 remote-access tunnel client through the IKEv2 configuration payload attribute INTERNAL_IP6_DNS. Up to four DNS server addresses can be returned to a client, in any combination of Alc-Primary-Dns, Alc-Secondary-Dns, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns. |
26.6527.106 | Alc-Ipv6-Secondary-Dns | The IPv6 DNS server address assigned to an IKEv2 remote-access tunnel client through the IKEv2 configuration payload attribute INTERNAL_IP6_DNS. Up to four DNS server addresses can be returned to a client, in any combination of Alc-Primary-Dns, Alc-Secondary-Dns, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns. |
26.6527.229 | Alc-IPsec-Ts-Override | The name of the ts-list to be used during IKEv2 tunnel setup. It overrides the value configured with the ts-negotiation CLI command. |
26.6527.237 | Alc-Subject-Key-Identifier | The binary value of the Subject Key Identifier in the peer's certificate. Inclusion is controlled with configure ipsec radius-authentication-policy name include-radius-attribute client-cert-subject-key-id. |
241.26.6527.50 | Alc-IPsec-LAA-IPv4-Svr-Name | The name of the local DHCPv4 server used for IKEv2 remote-access tunnel local address assignment. When the attribute is omitted, the local-dhcp4-svr-name of the address-source configuration is used (configure service ies or vprn service-id interface ip-int-name sap sap-id ipsec-gw name local-address-assignment ipv4 address-source router router-instance dhcp-server local-dhcp4-svr-name pool dhcp4-server-pool [secondary-pool pool-name], pool names 32 characters max). |
241.26.6527.51 | Alc-IPsec-LAA-IPv6-Svr-Name | The name of the local DHCPv6 server used for IKEv2 remote-access tunnel local address assignment. When the attribute is omitted, the local-dhcp6-svr-name of the address-source configuration is used (configure service ies or vprn service-id interface ip-int-name sap sap-id ipsec-gw name local-address-assignment ipv6 address-source router router-instance dhcp-server local-dhcp6-svr-name pool dhcp6-server-pool [secondary-pool pool-name], pool names 32 characters max). |
241.26.6527.52 | Alc-IPsec-LAA-IPv4-Svc-Name | The name of the service in which the local DHCPv4 server used for IKEv2 remote-access tunnel local address assignment resides. When the attribute is omitted, the router-instance of the address-source configuration is used (configure service ies or vprn service-id interface ip-int-name sap sap-id ipsec-gw name local-address-assignment ipv4 address-source router router-instance dhcp-server local-dhcp4-svr-name pool dhcp4-server-pool [secondary-pool pool-name], pool names 32 characters max). |
241.26.6527.53 | Alc-IPsec-LAA-IPv6-Svc-Name | The name of the service in which the local DHCPv6 server used for IKEv2 remote-access tunnel local address assignment resides. When the attribute is omitted, the router-instance of the address-source configuration is used (configure service ies or vprn service-id interface ip-int-name sap sap-id ipsec-gw name local-address-assignment ipv6 address-source router router-instance dhcp-server local-dhcp6-svr-name pool dhcp6-server-pool [secondary-pool pool-name], pool names 32 characters max). |
Attribute ID | Attribute name | Type | Limits | SR OS format |
---|---|---|---|---|
1 | User-Name | string | 253 bytes | Format depends on the IDi format. For example: User-Name = "user1@domain1.com" |
2 | User-Password | string | 64 bytes | (none) |
4 | NAS-IP-Address | ipaddr | 4 bytes | For example: NAS-IP-Address = 192.0.2.1 |
8 | Framed-IP-Address | ipaddr | 4 bytes | For example: Framed-IP-Address = 192.168.10.100 |
9 | Framed-IP-Netmask | ipaddr | 4 bytes | For example: Framed-IP-Netmask = 255.255.255.0 |
30 | Called-Station-Id | string | 253 bytes | Local gateway address of the IKEv2 remote-access tunnel. For example: Called-Station-Id = "172.16.100.1" |
31 | Calling-Station-Id | string | 253 bytes | peer-address:port. For example: Calling-Station-Id = "192.168.5.100:500" |
32 | NAS-Identifier | string | 64 chars | For example: NAS-Identifier = "pe1" |
44 | Acct-Session-Id | string | 147 bytes | local_gw_ip-remote_ip:remote_port-time_stamp. For example: Acct-Session-Id = 172.16.100.1-192.168.5.100:500-1365016423 |
79 | EAP-Message | string | 253 bytes | Binary string |
80 | Message-Authenticator | string | 16 bytes | Binary string |
87 | Nas-Port-Id | string | 44 bytes | SAP ID. For example: Nas-Port-Id = "tunnel-1.public:100" |
88 | Framed-Pool | string | 32 chars per pool name | For example: Framed-Pool = "MyPoolname" |
97 | Framed-IPv6-Prefix | ipv6prefix | max. 16 bytes for the prefix + 1 byte for the length | For example: Framed-IPv6-Prefix = 2001:DB8:CAFE:1::100/128 |
100 | Framed-IPv6-Pool | string | 32 chars | For example: Framed-IPv6-Pool = "MyV6Poolname" |
26.311.16 | MS-MPPE-Send-Key | string | 254 bytes | Binary string |
26.311.17 | MS-MPPE-Recv-Key | string | 254 bytes | Binary string |
26.6527.9 | Alc-Primary-Dns | ipaddr | Up to 4 attributes (4 bytes per attribute) | For example: Alc-Primary-Dns = 192.168.1.1 |
26.6527.10 | Alc-Secondary-Dns | ipaddr | Up to 4 attributes (4 bytes per attribute) | For example: Alc-Secondary-Dns = 192.168.2.1 |
26.6527.61 | Alc-IPsec-Serv-Id | integer | 1 to 2147483647 | For example: Alc-IPsec-Serv-Id = 100 |
26.6527.62 | Alc-IPsec-Interface | string | 32 chars | For example: Alc-IPsec-Interface = IPsec-Priv |
26.6527.63 | Alc-IPsec-Tunnel-Template-Id | integer | 1 to 2048 | For example: Alc-IPsec-Tunnel-Template-Id = 200 |
26.6527.64 | Alc-IPsec-SA-Lifetime | integer | 1200 to 172800 seconds | For example: Alc-IPsec-SA-Lifetime = 2400 |
26.6527.65 | Alc-IPsec-SA-PFS-Group | integer | 1, 2, 5, 14, 15, 19, 20, 21 | 1=group1, 2=group2, 5=group5, and so on. For example: Alc-IPsec-SA-PFS-Group = 2 |
26.6527.66 | Alc-IPsec-SA-Encr-Algorithm | integer | 1 to 18 | 1=null, 2=des, 3=3des, 4=aes128, 5=aes192, 6=aes256, 7=aes128gcm8, 8=aes128gcm12, 9=aes128gcm16, 10=aes192gcm8, 11=aes192gcm12, 12=aes192gcm16, 13=aes256gcm8, 14=aes256gcm12, 15=aes256gcm16, 16=aes128gmac, 17=aes192gmac, 18=aes256gmac. For example: Alc-IPsec-SA-Encr-Algorithm = 3 |
26.6527.67 | Alc-IPsec-SA-Auth-Algorithm | integer | 1 to 8 | 1=null, 2=md5, 3=sha1, 4=sha256, 5=sha384, 6=sha512, 7=aesXcbc, 8=authencrypt. For example: Alc-IPsec-SA-Auth-Algorithm = 3 |
26.6527.68 | Alc-IPsec-SA-Replay-Window | integer | 32, 64, 128, 256, 512 | For example: Alc-IPsec-SA-Replay-Window = 128 |
26.6527.105 | Alc-Ipv6-Primary-Dns | ipv6addr | Up to 4 attributes (16 bytes per attribute) | For example: Alc-Ipv6-Primary-Dns = 2001:DB8:1::1 |
26.6527.106 | Alc-Ipv6-Secondary-Dns | ipv6addr | Up to 4 attributes (16 bytes per attribute) | For example: Alc-Ipv6-Secondary-Dns = 2001:DB8:2::1 |
26.6527.229 | Alc-IPsec-Ts-Override | string | 32 bytes | For example: Alc-IPsec-Ts-Override = "ikev2-ts-list-1" |
26.6527.237 | Alc-Subject-Key-Identifier | integer64 | 8 bytes | The least significant 8 bytes of the Subject Key Identifier in the peer's certificate. |
241.26.6527.50 | Alc-IPsec-LAA-IPv4-Svr-Name | string | 32 bytes | For example: Alc-IPsec-LAA-IPv4-Svr-Name = "dhcpv4-svr-1" |
241.26.6527.51 | Alc-IPsec-LAA-IPv6-Svr-Name | string | 32 bytes | For example: Alc-IPsec-LAA-IPv6-Svr-Name = "dhcpv6-svr-1" |
241.26.6527.52 | Alc-IPsec-LAA-IPv4-Svc-Name | string | 32 bytes | For example: Alc-IPsec-LAA-IPv4-Svc-Name = "svc-1" |
241.26.6527.53 | Alc-IPsec-LAA-IPv6-Svc-Name | string | 32 bytes | For example: Alc-IPsec-LAA-IPv6-Svc-Name = "svc-2" |
The message table gives the number of occurrences of each attribute per RADIUS message: 0 = not present, 1 = exactly once, 0-1 = at most once, 0+ = zero or more.

Attribute ID | Attribute name | Access Request | Access Accept | Access Challenge |
---|---|---|---|---|
1 | User-Name | 1 | 0-1 | 0 |
2 | User-Password | 1 | 0 | 0 |
4 | NAS-IP-Address | 0-1 | 0 | 0 |
8 | Framed-IP-Address | 0 | 1 | 0 |
9 | Framed-IP-Netmask | 0 | 0-1 | 0 |
30 | Called-Station-Id | 0-1 | 0 | 0 |
31 | Calling-Station-Id | 0-1 | 0 | 0 |
32 | NAS-Identifier | 0-1 | 0 | 0 |
44 | Acct-Session-Id | 1 | 0 | 0 |
79 | EAP-Message | 0+ | 0+ | 0+ |
80 | Message-Authenticator | 0-1 | 0-1 | 0-1 |
87 | Nas-Port-Id | 0-1 | 0 | 0 |
88 | Framed-Pool | 0 | 0-1 | 0 |
97 | Framed-IPv6-Prefix | 0 | 0-1 | 0 |
100 | Framed-IPv6-Pool | 0 | 0-1 | 0 |
26.311.16 | MS-MPPE-Send-Key | 0 | 0-1 | 0 |
26.311.17 | MS-MPPE-Recv-Key | 0 | 0-1 | 0 |
26.6527.9 | Alc-Primary-Dns | 0 | 0+ | 0 |
26.6527.10 | Alc-Secondary-Dns | 0 | 0+ | 0 |
26.6527.61 | Alc-IPsec-Serv-Id | 0 | 0-1 | 0 |
26.6527.62 | Alc-IPsec-Interface | 0 | 0-1 | 0 |
26.6527.63 | Alc-IPsec-Tunnel-Template-Id | 0 | 0-1 | 0 |
26.6527.64 | Alc-IPsec-SA-Lifetime | 0 | 0-1 | 0 |
26.6527.65 | Alc-IPsec-SA-PFS-Group | 0 | 0-1 | 0 |
26.6527.66 | Alc-IPsec-SA-Encr-Algorithm | 0 | 0-1 | 0 |
26.6527.67 | Alc-IPsec-SA-Auth-Algorithm | 0 | 0-1 | 0 |
26.6527.68 | Alc-IPsec-SA-Replay-Window | 0 | 0-1 | 0 |
26.6527.105 | Alc-Ipv6-Primary-Dns | 0 | 0+ | 0 |
26.6527.106 | Alc-Ipv6-Secondary-Dns | 0 | 0+ | 0 |
26.6527.229 | Alc-IPsec-Ts-Override | 0 | 0-1 | 0 |
26.6527.237 | Alc-Subject-Key-Identifier | 0-1 | 0 | 0 |
241.26.6527.50 | Alc-IPsec-LAA-IPv4-Svr-Name | 0 | 0-1 | 0 |
241.26.6527.51 | Alc-IPsec-LAA-IPv6-Svr-Name | 0 | 0-1 | 0 |
241.26.6527.52 | Alc-IPsec-LAA-IPv4-Svc-Name | 0 | 0-1 | 0 |
241.26.6527.53 | Alc-IPsec-LAA-IPv6-Svc-Name | 0 | 0-1 | 0 |
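The Limits table and the message table together define what a usable Access-Accept looks like: which attributes may appear, how often, and which values the gateway rejects with a tunnel setup failure. The following Python is an added example, not SR OS or Nokia code, serving both tables: it encodes the Alc-* attributes as RFC 2865 Vendor-Specific (26.6527.x) and RFC 6929 Extended-Vendor-Specific-1 (241.26.6527.x) attributes, decodes an attribute list back to the dotted IDs these tables use, and validates a reply against the constraints the tables state (integer ranges and sets, string lengths, the Encr/Auth pairing, at most four DNS servers in total, exactly one Framed-IP-Address, no request-only attributes). The good Access-Accept is built from the example values in the Limits table; the bad reply is constructed to trip three checks.

```python
"""Encode Alc-* attributes for an IKEv2 remote-access Access-Accept and check the reply against
the Limits and message tables above. Added example, not SR OS or Nokia code."""
import ipaddress
import struct
from collections import Counter
from typing import Dict, List, Tuple

ALU, VSA_T, EXT1_T = 6527, 26, 241  # Nokia/Alcatel-Lucent vendor ID; Vendor-Specific; RFC 6929 Extended-Type-1

def tlv(t: int, v: bytes) -> bytes:
    """Plain RFC 2865 attribute: Type | Length | Value (struct.error if Length would exceed 255)."""
    return struct.pack("!BB", t, len(v) + 2) + v

def vsa(vt: int, v: bytes, vendor: int = ALU) -> bytes:
    """Vendor-Specific 26.<vendor>.<vt>: 26 | Len | Vendor-Id(4) | Vendor-Type | Vendor-Len | Value."""
    return tlv(VSA_T, struct.pack("!IBB", vendor, vt, len(v) + 2) + v)

def evsa(vt: int, v: bytes, vendor: int = ALU) -> bytes:
    """Extended-Vendor-Specific-1 241.26.<vendor>.<vt> (RFC 6929): 241 | Len | 26 | Vendor-Id(4) | Vendor-Type | Value."""
    return tlv(EXT1_T, struct.pack("!BIB", VSA_T, vendor, vt) + v)

def decode(attrs: bytes) -> List[Tuple[str, bytes]]:
    """Return (dotted ID, value) pairs such as ('26.6527.61', b'\\x00\\x00\\x00d') for an attribute list."""
    out, pos = [], 0
    while pos < len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError(f"malformed attribute at offset {pos}")
        v = attrs[pos + 2:pos + length]
        if t == VSA_T:
            vendor, vt, vlen = struct.unpack("!IBB", v[:6])
            out.append((f"{t}.{vendor}.{vt}", v[6:4 + vlen]))
        elif t == EXT1_T and v[0] == VSA_T:
            vendor, vt = struct.unpack("!IB", v[1:6])
            out.append((f"{t}.{VSA_T}.{vendor}.{vt}", v[6:]))
        else:
            out.append((str(t), v))
        pos += length
    return out

# Value checks from the Limits table: name, kind, allowed integer values or maximum string length.
RULES: Dict[str, Tuple[str, str, object]] = {
    "26.6527.61": ("Alc-IPsec-Serv-Id", "integer", range(1, 2147483648)),
    "26.6527.62": ("Alc-IPsec-Interface", "string", 32),
    "26.6527.63": ("Alc-IPsec-Tunnel-Template-Id", "integer", range(1, 2049)),
    "26.6527.64": ("Alc-IPsec-SA-Lifetime", "integer", range(1200, 172801)),
    "26.6527.65": ("Alc-IPsec-SA-PFS-Group", "integer", {1, 2, 5, 14, 15, 19, 20, 21}),
    "26.6527.66": ("Alc-IPsec-SA-Encr-Algorithm", "integer", range(1, 19)),
    "26.6527.67": ("Alc-IPsec-SA-Auth-Algorithm", "integer", range(1, 9)),
    "26.6527.68": ("Alc-IPsec-SA-Replay-Window", "integer", {32, 64, 128, 256, 512}),
    "26.6527.229": ("Alc-IPsec-Ts-Override", "string", 32),
    "241.26.6527.50": ("Alc-IPsec-LAA-IPv4-Svr-Name", "string", 32),
    "241.26.6527.51": ("Alc-IPsec-LAA-IPv6-Svr-Name", "string", 32),
    "241.26.6527.52": ("Alc-IPsec-LAA-IPv4-Svc-Name", "string", 32),
    "241.26.6527.53": ("Alc-IPsec-LAA-IPv6-Svc-Name", "string", 32),
}
DNS_IDS = ("26.6527.9", "26.6527.10", "26.6527.105", "26.6527.106")  # 0+ each, 4 in total
# Everything else the message table allows in an Access-Accept (0-1 each; EAP-Message 0+).
ALLOWED_UNCHECKED = {"1", "8", "9", "79", "80", "88", "97", "100", "26.311.16", "26.311.17", *DNS_IDS}
MULTI_OK = {"79", *DNS_IDS}

def validate_access_accept(attrs: bytes) -> List[str]:
    """Return the problems that would fail tunnel setup or that the message table forbids; [] means usable."""
    decoded = decode(attrs)
    counts = Counter(aid for aid, _ in decoded)
    problems: List[str] = []
    for aid, n in counts.items():
        if aid not in RULES and aid not in ALLOWED_UNCHECKED:
            problems.append(f"{aid}: not permitted in an Access-Accept")
        elif n > 1 and aid not in MULTI_OK:
            problems.append(f"{aid}: appears {n} times, max 1")
    for aid, value in decoded:
        if aid not in RULES:
            continue
        name, kind, limit = RULES[aid]
        if kind == "integer":
            n = struct.unpack("!I", value)[0] if len(value) == 4 else None
            if n is None or n not in limit:
                problems.append(f"{name}: value {value.hex()} outside limits")
        elif len(value) > limit:  # string
            problems.append(f"{name}: {len(value)} bytes exceeds {limit}")
    if counts["8"] != 1:
        problems.append("Framed-IP-Address: required exactly once in an Access-Accept")
    if ("26.6527.66" in counts) != ("26.6527.67" in counts):
        problems.append("Alc-IPsec-SA-Encr-Algorithm and Alc-IPsec-SA-Auth-Algorithm must be sent together")
    if sum(counts[d] for d in DNS_IDS) > 4:
        problems.append("more than four DNS server addresses returned")
    return problems

def u32(n: int) -> bytes:
    return struct.pack("!I", n)

def ip4(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed

# Constructed Access-Accept built from the example values in the Limits table.
GOOD_ACCEPT = b"".join([
    tlv(8, ip4("192.168.10.100")), tlv(9, ip4("255.255.255.0")), vsa(9, ip4("192.168.1.1")),
    vsa(61, u32(100)), vsa(63, u32(200)), vsa(64, u32(2400)), vsa(65, u32(2)), vsa(66, u32(3)),
    vsa(67, u32(3)), vsa(68, u32(128)), vsa(229, b"ikev2-ts-list-1"), evsa(50, b"dhcpv4-svr-1"),
    evsa(52, b"svc-1")])
# Constructed bad reply: lifetime below 1200 s, encryption algorithm without its authentication
# algorithm, and a request-only attribute (Calling-Station-Id) echoed back.
BAD_ACCEPT = b"".join([tlv(8, ip4("192.168.10.100")), vsa(64, u32(600)), vsa(66, u32(6)),
                       tlv(31, b"192.168.5.100:500")])
```

The validator enforces only what the two tables state: the Framed-IP-Address rule implements the 1 in the Access Accept column, and the length limits of User-Name, Framed-Pool and the MS-MPPE keys are left unchecked. Running it against a RADIUS server's reply profile before rollout catches the two failure modes the Limits table warns about, an out-of-range value and an encryption algorithm returned without its authentication algorithm, each of which the gateway reports only as a tunnel setup failure.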