01. How do RADIUS attributes work?

This is first entry in our blog. We will talk about some general terms found in business of Internet Service Providers, namely the RADIUS packets and attributes. We hope this text will be easy to understand even to non technical personnel. But please keep in mind, we will not talk here about what RADIUS protocol is or how it works.

One of the most important part of RADIUS protocol is how is communication made between Network Access Servers (NAS) and RADIUS server. Not going into details of how it is done using UDP protocol, what interests us is what is in packet sent over network.

Here comes in RADIUS packet. Or in a nutshell - glorified configuration file sent as 100 or more bytes in UDP packet. Each packet is little more than zero or more name = value pairs, each containing attribute name and a attribute value that describe what is going on and what are we trying to accomplish.

There are many types of RADIUS packets that are used in separate, exactly defined situations. Some of them are sent only by NAS server, some of them only by RADIUS server. What is important is that all of them may contain zero, one or many attributes per RADIUS packet, though some packet types really do not have to. And there are clear specifications which attribute may go in which type of packet and how many times. It is rare but possible for a same attribute to be present more than once in a packet, so think of them as unique per packet.

For an example, when client is trying to authenticate, RADIUS receives auth request packet from NAS server that contains attributes like this :

User-Name = johndoe@example.com
User-Password = 0x3827fe085adf987ca9b8210
Nas-Identifier = hotspot_12
NAS-IP-Address =

In example packet you see some common attributes. They are all defined as standard RADIUS attributes and are described in special textual files called RADIUS dictionaries. Standard attributes are understood and used by most, if not all NAS server types you may find (Cisco, MikroTik etc.). Part of its standard dictionary is:

ATTRIBUTE   User-Name       1   string
ATTRIBUTE   User-Password       2   string
ATTRIBUTE   CHAP-Password       3   octets
ATTRIBUTE   NAS-IP-Address      4   ipaddr
ATTRIBUTE   NAS-Port        5   integer
ATTRIBUTE   Service-Type        6   integer
ATTRIBUTE   Framed-Protocol     7   integer
ATTRIBUTE   Framed-IP-Address   8   ipaddr
ATTRIBUTE   Framed-IP-Netmask   9   ipaddr
ATTRIBUTE   Framed-Routing      10  integer
ATTRIBUTE   Filter-Id       11  string
ATTRIBUTE   Framed-MTU      12  integer
ATTRIBUTE   Framed-Compression  13  integer
ATTRIBUTE   Login-IP-Host       14  ipaddr
ATTRIBUTE   Login-Service       15  integer

As you can see, each attribute is defined with specific type. There are string, ipaddr, integer types and some other, not so common ones. They are more just than a clue for you what type of information goes with attribute - they are instructions for RADIUS and NAS servers on how to build packets on byte level.

Going back to our auth request example. Attributes in that packet provide enough information for RADIUS server so it can decide what to do with that request. If RADIUS decides it is valid, then access accept packet will be sent back containing:

Framed-IP-Address =
Session-Timeout = 86400
Mikrotik-Recv-Limit = 100000

Again, all standard RADIUS attributes present, except the last one. Each NAS server type may have specific attributes it can understand, and they are called vendor specific attributes. They are defined same as standard attributes in a separate dictionaries provided with NAS server. Purpose of them is to inform RADIUS of specific and unique features that NAS server type has to offer. Keep in mind that nothing will happen if you use these attributes with different NAS servers. They all by default ignore attributes they do not understand.

So if you are using MikroTik as NAS server, then it would be a smart move to read about MikroTik specific attributes and how you can use them. You might find some new cool thing to play with.

By here you have basic understanding of what RADIUS packets and attributes are and how they work. There are a lot more things to learn and we will soon cover questions like:

If you are using BlissRADIUS, then you may have already found out that configuring RADIUS attributes using admin portal is easy as writing them down as you see them in examples here. You might have already found out that BlissRADIUS uses rather advanced inheritance rules. You can override attributes depending on which NAS server or account type request is coming.

BlissRADIUS Embedded™ 1.13 is released with new fixes and features.
BlissRADIUS Embedded™ 1.12 is out with new features.
Volume discount for monthly BlissRADIUS™ licenses is available now.
BlissRADIUS Embedded™ 1.11 is released. This version will focus on incremental security and performance improvements.
BlissRADIUS Embedded™ 1.10 is out with incremental improvements.
BlissRADIUS Embedded™ 1.9 brings new features and performance improvements.
BlissRADIUS Embedded™ 1.8 is out with performance enhancements.
BlissRADIUS Embedded™ 1.7 maintenance release is out.
BlissRADIUS Embedded™ 1.6 is out with incremental improvements and new usability features.