RADIUS, Remote Authentication Dial-In User Service

Protocol suite:	TCP/IP.
Protocol type:	Application layer protocol.
Ports:	1646 (UDP) obsolete. 1812 (UDP) server. 1813 (UDP) accounting. 3799 dynamic authorization.
SNMP MIBs:	iso.org.dod.internet.mgmt.mib-2.radiusMIB (1.3.6.1.2.1.67).
Working groups:	aaa, Authentication, Authorization and Accounting. radext, RADIUS Extensions.
Links:	IANA: Radius types.

MAC header

IP header

UDP header

RADIUS header

Data :::

RADIUS header:

00	08	16
Code	Identifier	Length
Authenticator - - -
Attributes :::

Code. 8 bits.
Identifies the type of RADIUS packet. If a packet is received with an invalid Code field, it is silently discarded.

Code	Description	References
1	Access-Request.	RFC 2865
2	Access-Accept.	RFC 2865
3	Access-Reject.	RFC 2865
4	Accounting-Request.	RFC 2865
5	Accounting-Response.	RFC 2865
6	Accounting-Status, Interim Accounting.	RFC 2882
7	Password-Request.	RFC 2882
8	Password-Ack.	RFC 2882
9	Password-Reject.	RFC 2882
10	Accounting-Message	RFC 2882
11	Access-Challenge.	RFC 2865
12	Status-Server (experimental).	RFC 2865
13	Status-Client (experimental).	RFC 2865
14 - 20
21	Resource-Free-Request	RFC 2882
22	Resource-Free-Response	RFC 2882
23	Resource-Query-Request.	RFC 2882
24	Resource-Query-Response	RFC 2882
25	Alternate-Resource- Reclaim-Request.	RFC 2882
26	NAS-Reboot-Request	RFC 2882
27	NAS-Reboot-Response	RFC 2882
28
29	Next-Passcode.	RFC 2882
30	New-Pin.	RFC 2882
31	Terminate-Session.	RFC 2882
32	Password-Expired.	RFC 2882
33	Event-Request.	RFC 2882
34	Event-Response.	RFC 2882
35 - 39
40	Disconnect-Request.	RFC 2882
41	Disconnect-ACK.	RFC 2882
42	Disconnect-NAK.	RFC 2882
43	CoA-Request.	RFC 2882
44	CoA-ACK.	RFC 2882
45	CoA-NAK.	RFC 2882
46 - 49
50	IP-Address-Allocate.	RFC 2882
51	IP-Address-Release.	RFC 2882
52 - 249
250 - 253	Experimental use.
254	reserved.
255	reserved.	RFC 2865

Identifier. 8 bits.
Used to match RADIUS request and reply packets.

Length. 16 bits. 20 to 4096.
Indicates the length of the packet including the RADIUS header and Attribute fields. Bytes outside the range of the Length field should be treated as padding and should be ignored on reception. If the packet is shorter than the indicated length, it should be silently discarded.

Authenticator. 16 bytes.
Used to authenticate the reply from the RADIUS server and is used in the password hiding algorithm.

Attributes. Variable length.
RADIUS Attributes carry the specific authentication, authorization and accounting details for the request and response. Some attributes MAY be included more than once. The effect of this is attribute specific, and is specified in each attribute description. The end of the list of attributes is indicated by the Length of the RADIUS packet.

Type Length Value :::

Type. 8 bits.

Length. 8 bits.
Indicates the length of this attribute including the Type, Length and Value fields. If an attribute is received in an Accounting-Request packet with an invalid Length, the entire request should be silently discarded.

Value. Variable.
Contains information specific to the attribute. The format and length of this field is determined by the Type and Length fields. The format of the field can be one of the following data types:

String. 0 to 253 bytes.

Address. 32 bits, MSB.

Integer. 32 bits, MSB.

Time. 32 bits. Seconds since 00:00:00 GMT, January 1, 1970.

The valid attributes are:

Type	Length	Description	References
0
1	>= 3	User-Name.	RFC 2865
2	18 to 130	User-Password.	RFC 2865
3	19	CHAP-Password.	RFC 2865
4	6	NAS-IP-Address.	RFC 2865
5	6	NAS-Port.	RFC 2865
6	6	Service-Type.	RFC 2865
7	6	Framed-Protocol.	RFC 2865
8	6	Framed-IP-Address.	RFC 2865
9	6	Framed-IP-Netmask.	RFC 2865
10	6	Framed-Routing.	RFC 2865
11	>= 3	Filter-Id.	RFC 2865
12	6	Framed-MTU.	RFC 2865
13	6	Framed-Compression.	RFC 2865
14	6	Login-IP-Host.	RFC 2865
15	6	Login-Service.	RFC 2865
16	6	Login-TCP-Port.	RFC 2865
17
18	>= 3	Reply-Message.	RFC 2865
19	>= 3	Callback-Number.	RFC 2865
20	>= 3	Callback-Id.	RFC 2865
21
22	>= 3	Framed-Route.	RFC 2865
23	6	Framed-IPX-Network.	RFC 2865
24	>= 3	State.	RFC 2865
25	>= 3	Class.	RFC 2865
26	>= 7	Vendor-Specific.	RFC 2865
27	6	Session-Timeout.	RFC 2865
28	6	Idle-Timeout.	RFC 2865
29	6	Termination-Action.	RFC 2865
30	>= 3	Called-Station-Id.	RFC 2865
31	>= 3	Calling-Station-Id.	RFC 2865
32	>= 3	NAS-Identifier.	RFC 2865
33	>= 3	Proxy-State.	RFC 2865
34	>= 3	Login-LAT-Service.	RFC 2865
35	>= 3	Login-LAT-Node.	RFC 2865
36	34	Login-LAT-Group.	RFC 2865
37	6	Framed-AppleTalk-Link.	RFC 2865
38	6	Framed-AppleTalk-Network.	RFC 2865
39	>= 3	Framed-AppleTalk-Zone.	RFC 2865
40	6	Acct-Status-Type.	RFC 2866
41	6	Acct-Delay-Time.	RFC 2866
42	6	Acct-Input-Octets.	RFC 2866
43	6	Acct-Output-Octets.	RFC 2866
44	>= 3	Acct-Session-Id	RFC 2866
45	6	Acct-Authentic.	RFC 2866
46	6	Acct-Session-Time.	RFC 2866
47	6	Acct-Input-Packets.	RFC 2866
48	6	Acct-Output-Packets.	RFC 2866
49	6	Acct-Terminate-Cause.	RFC 2866
50	>= 3	Acct-Multi-Session-Id.	RFC 2866
51	6	Acct-Link-Count.	RFC 2866
52	6	Acct-Input-Gigawords.	RFC 2869
53	6	Acct-Output-Gigawords.	RFC 2869
54
55	6	Event-Timestamp.	RFC 2869
56		Egress-VLANID.	RFC 4675
57		Ingress-Filters.	RFC 4675
58		Egress-VLAN-Name.	RFC 4675
59		User-Priority-Table.	RFC 4675
60	>= 7	CHAP-Challenge.	RFC 2865
61	6	NAS-Port-Type.	RFC 2865
62	6	Port-Limit.	RFC 2865
63	>= 3	Login-LAT-Port.	RFC 2865
64	6	Tunnel-Type.	RFC 2868
65	6	Tunnel-Medium-Type.	RFC 2868
66	>= 3	Tunnel-Client-Endpoint.	RFC 2868
67	>= 3	Tunnel-Server-Endpoint.	RFC 2868
68		Acct-Tunnel-Connection.	RFC 2867
69	>= 5	Tunnel-Password.	RFC 2868
70	18	ARAP-Password.	RFC 2869
71	16	ARAP-Features.	RFC 2869
72	6	ARAP-Zone-Access.	RFC 2869
73	6	ARAP-Security.	RFC 2869
74	>= 3	ARAP-Security-Data.	RFC 2869
75	6	Password-Retry.	RFC 2869
76	6	Prompt.	RFC 2869
77	>= 3	Connect-Info.	RFC 2869
78	>= 3	Configuration-Token.	RFC 2869
79	>= 3	EAP-Message.	RFC 2869, RFC 3579
80	18	Message-Authenticator.	RFC 2869, RFC 3579
81	>= 3	Tunnel-Private-Group-ID.	RFC 2868
82	>= 3	Tunnel-Assignment-ID.	RFC 2868
83	6	Tunnel-Preference.	RFC 2868
84	10	ARAP-Challenge-Response.	RFC 2869
85	6	Acct-Interim-Interval.	RFC 2869
86		Acct-Tunnel-Packets-Lost.	RFC 2867
87	>= 3	NAS-Port-Id.	RFC 2869
88	>= 3	Framed-Pool.	RFC 2869
89	>= 3	CUI, Chargeable User Identity.	RFC 4372
90	>= 3	Tunnel-Client-Auth-ID.	RFC 2868
91	>= 3	Tunnel-Server-Auth-ID.	RFC 2868
92		NAS-Filter-Rule.	RFC 4849
93
94		Originating-Line-Info.	RFC 3162, RFC4005
95	18	NAS-IPv6-Address.	RFC 3162
96	10	Framed-Interface-Id.	RFC 3162
97	4 to 20	Framed-IPv6-Prefix.	RFC 3162
98	18	Login-IPv6-Host.	RFC 3162
99	>= 3	Framed-IPv6-Route.	RFC 3162
100	>= 3	Framed-IPv6-Pool.	RFC 3162
101		Error-Cause Attribute.	RFC 3576
102		EAP-Key-Name.	RFC 4072
103		Digest-Response.	RFC 4590
104		Digest-Realm.	RFC 4590
105		Digest-Nonce.	RFC 4590
106		Digest-Nextnonce.	RFC 4590
107		Digest-Response-Auth.	RFC 4590
108		Digest-Method.	RFC 4590
109		Digest-URI.	RFC 4590
110		Digest-Qop.	RFC 4590
111		Digest-Algorithm.	RFC 4590
112		Digest-Entity-Body-Hash.	RFC 4590
113		Digest-CNonce.	RFC 4590
114		Digest-Nonce-Count.	RFC 4590
115		Digest-Username.	RFC 4590
116		Digest-Opaque.	RFC 4590
117		Digest-Auth-Param.	RFC 4590
118		Digest-AKA-Auts.	RFC 4590
119		Digest-Domain.	RFC 4590
120		Digest-Stale.	RFC 4590
121		Digest-HA1.	RFC 4590
122		SIP-AOR.	RFC 4590
123		Delegated-IPv6-Prefix.	RFC 4818
124		MIP6-Feature-Vector.	RFC 5447
125		MIP6-Home-Link-Prefix.	RFC 5447
126		Operator-Name.	RFC 5580
127		Location-Information.	RFC 5580
128		Location-Data.	RFC 5580
129		Basic-Location-Policy-Rules.	RFC 5580
130		Extended-Location-Policy-Rules.	RFC 5580
131		Location-Capable.	RFC 5580
132		Requested-Location-Info.	RFC 5580
133		Framed-Management-Protocol.	RFC 5607
134		Management-Transport-Protection.	RFC 5607
135		Management-Policy-Id.	RFC 5607
136		Management-Privilege-Level.	RFC 5607
137		PKM-SS-Cert.
138		PKM-CA-Cert.
139		PKM-Auth-Wait-Timeout.
140		PKM-Cryptosuite-List.
141		PKM-SAID.
142		PKM-SA-Descriptor.
143		PKM-Auth-Key.
144 - 191
192 - 223		experimental.	RFC 2058, RFC 3575
224 - 240		Implementation specific.	RFC 2058, RFC 3575
241 - 255		reserved.	RFC 2058, RFC 3575

Glossary:

NAS, Network Access Server.
(RFC 2139) Operates as a client of the RADIUS accounting server. The client is responsible for passing user accounting information to a designated RADIUS accounting server.

Service.
(RFC 2139) The NAS provides a service to the dial-in user, such as PPP or Telnet.

Session.
(RFC 2139) Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that, with each session generating a separate start and stop accounting record with its own Acct-Session-Id.

Silently discard.
(RFC 2139) This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter.

RFCs:

[RFC 2548] Microsoft Vendor-specific RADIUS Attributes.

Category: Informational.

[RFC 2618] RADIUS Authentication Client MIB.

Category: Standards Track.
Defines SNMP MIB iso.org.dod.internet.mgmt.mib-2.radiusMIB (1.3.6.1.2.1.67).

[RFC 2619] RADIUS Authentication Server MIB.

Category: Standards Track.
Defines SNMP MIB iso.org.dod.internet.mgmt.mib-2.radiusMIB (1.3.6.1.2.1.67).

[RFC 2620] RADIUS Accounting Client MIB.

Category: Informational.
Defines SNMP MIB iso.org.dod.internet.mgmt.mib-2.radiusMIB (1.3.6.1.2.1.67).

[RFC 2621] RADIUS Accounting Server MIB.

Category: Informational.
Defines SNMP MIB iso.org.dod.internet.mgmt.mib-2.radiusMIB (1.3.6.1.2.1.67).

[RFC 2809] Implementation of L2TP Compulsory Tunneling via RADIUS.

Category: Informational.

[RFC 2865] Remote Authentication Dial In User Service (RADIUS).

Category: Standards Track.
Obsoletes:
RFC 2138.

[RFC 2866] RADIUS Accounting.

Category: Informational.

[RFC 2867] RADIUS Accounting Modifications for Tunnel Protocol Support.

Category: Informational.
Updates:
RFC 2866.

[RFC 2868] RADIUS Attributes for Tunnel Protocol Support.

Category: Informational.
Updates:
RFC 2865.

[RFC 2869] RADIUS Extensions.

Category: Informational.
Updated by:
RFC 3579.

[RFC 2882] Network Access Servers Requirements: Extended RADIUS Practices.

Category: Informational.

[RFC 2888] Secure Remote Access with L2TP.

Category: Informational.

[RFC 2924] Accounting Attributes and Record Formats.

Category: Informational.

[RFC 2975] Introduction to Accounting Management.

Category: Informational.

[RFC 3127] Authentication, Authorization, and Accounting: Protocol Evaluation.

Category: Informational.

[RFC 3162] RADIUS and IPv6.

Category: Standards Track.

[RFC 3575] IANA Considerations for RADIUS (Remote Authentication Dial In User Service).

Category: Standard Track.
Updates:
RFC 2865.

[RFC 3576] Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).

Category: Informational.

[RFC 3579] RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP).

Category: Informational.
Defines RADIUS attributes 79 (EAP-Message) and 80 for (Message-Authenticator).
Updates:
RFC 2869.

[RFC 3580] IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.

Category: Informational.

[RFC 4072] Diameter Extensible Authentication Protocol (EAP) Application.

Category: Standards Track.
Defines Diameter command code 268.
Defines Diameter AVP codes 462 - 465.
Defines RADIUS AVP code 102 (EAP-Key-Name).

[RFC 4372] Chargeable User Identity.

Category: Standards Track.
Defines RADIUS attribute 89 (Chargeable User Identity).

Publications:

Obsolete RFCs:

[RFC 2058] Remote Authentication Dial In User Service (RADIUS).

Category: Standards Track.
Obsoleted by:
RFC 2138.

[RFC 2059] RADIUS Accounting.

Category: Informational.
Obsoleted by:
RFC 2139.

[RFC 2138] Remote Authentication Dial In User Service (RADIUS).

Category: Standards Track.
Obsoleted by:
RFC 2865.
Obsoletes:
RFC 2058.

[RFC 2139] RADIUS Accounting.

Category: Informational.
Obsoleted by:
RFC 2866.
Obsoletes:
RFC 2059.