|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?注册
×
routeros支持的radius Attributes全部在这里Supported RADIUS Attributes
Description
MikroTik RADIUS Dictionaries
Here you can download MikroTik reference dictionary, which incorporates all the needed RADIUS attributes. This dictionary is the minimal dictionary, which is enough to support all features of MikroTik RouterOS. It is designed for FreeRADIUS, but may also be used with many other UNIX RADIUS servers (eg. XTRadius).
Note that it may conflict with the default configuration files of RADIUS server, which have references to the Attributes, absent in this dictionary. Please correct the configuration files, not the dictionary, as no other Attributes are supported by MikroTik Routeros.
There is also dictionary.mikrotik that can be included in an existing dictionary to support MikroTik vendor-specific Attributes.
Definitions
PPPs - PPP, PPTP, PPPoE and ISDN
default configuration - settings in default profile (for PPPs) or HotSpot server settings (for HotSpot)
Access-Request
Service-Type - always is "Framed" (only for PPPs)
Framed-Protocol - always is "PPP" (only for PPPs)
NAS-Identifier - router identity
NAS-IP-Address - IP address of the router itself
NAS-Port - unique session ID
NAS-Port-Type - async PPP - "Async"; PPTP and L2TP - "Virtual"; PPPoE - "Ethernet"; ISDN - "ISDN Sync"; HotSpot - "Ethernet | Cable | Wireless-802.11" (according to the value of nas-port-type parameter in /ip hotspot profile
Calling-Station-Id - PPPoE - client MAC address in capital letters; PPTP and L2TP - client public IP address; HotSpot - MAC address of the client if it is known, or IP address of the client if MAC address is unknown; ISDN - client MSN
Called-Station-Id - PPPoE - service name; PPTP and L2TP - server IP address; ISDN - interface MSN; HotSpot - MAC of the hotspot interface (if known), else IP of hotspot interface specified in hotspot menu (if set), else attribute not present
NAS-Port-Id - async PPP - serial port name; PPPoE - ethernet interface name on which server is running; HotSpot - name of the hotspot interface (if known), otherwise - not present; not present for ISDN, PPTP and L2TP
Framed-IP-Address - IP address of HotSpot client after Universal Client translation
Host-IP - IP address of HotSpot client before Universal Client translation (the original IP address of the client)
User-Name - client login name
MS-CHAP-Domain - User domain, if present
Realm - If it is set in /radius menu, it is included in every RADIUS request as Mikrotik-Realm attribute. If it is not set, the same value is sent as in MS-CHAP-Domain attribute (if MS-CHAP-Domain is missing, Realm is not included neither)
Depending on authentication methods (NOTE: HotSpot uses CHAP by default and may use also PAP if unencrypted passwords are enabled, it can not use MSCHAP):
User-Password - encrypted password (used with PAP authentication)
CHAP-Password, CHAP-Challenge - encrypted password and challenge (used with CHAP authentication)
MS-CHAP-Response, MS-CHAP-Challenge - encrypted password and challenge (used with MS-CHAPv1 authentication)
MS-CHAP2-Response, MS-CHAP-Challenge - encrypted password and challenge (used with MS-CHAPv2 authentication)
Access-Accept
Framed-IP-Address - IP address given to client. PPPs - if address belongs to 127.0.0.0/8 or 224.0.0.0/3 networks, IP pool is used from the default profile to allocate client IP address. HotSpot - used only for dhcp-pool login method (ignored for enabled-address method), if address is 255.255.255.254, IP pool is used from HotSpot settings; if Framed-IP-Address is specified, Framed-Pool is ignored
Framed-IP-Netmask - client netmask. PPPs - if specified, a route will be created to the network Framed-IP-Address belongs to via the Framed-IP-Address gateway; HotSpot - ignored by HotSpot
Framed-Pool - IP pool name (on the router) from which to get IP address for the client. If specified, overrides Framed-IP-Address
NOTE: if Framed-IP-Address or Framed-Pool is specified it overrides remote-address in default configuration
Idle-Timeout - overrides idle-timeout in the default configuration
Session-Timeout - overrides session-timeout in the default configuration
Max-Session-Time - maximum session length (uptime) the user is allowed to
Class - cookie, will be included in Accounting-Request unchanged
Framed-Route - routes to add on the server. Format is specified in RFC2865 (Ch. 5.22), can be specified as many times as needed
Filter-Id - firewall filter chain name. It is used to make a dynamic firewall rule. Firewall chain name can have suffix .in or .out, that will install rule only for incoming or outgoing traffic. Multiple Filter-id can be provided, but only last ones for incoming and outgoing is used. For PPPs - filter rules in ppp chain that will jump to the specified chain, if a packet has come to/from the client (that means that you should first create a ppp chain and make jump rules that would put actual traffic to this chain). The same applies for HotSpot, but the rules will be created in hotspot chain
Mark-Id - firewall mangle chain name (HotSpot only). The MikroTik RADIUS client upon receiving this attribute creates a dynamic firewall mangle rule with action=jump chain=hotspot and jump-target equal to the atribute value. Mangle chain name can have suffixes .in or .out, that will install rule only for incoming or outgoing traffic. Multiple Mark-id attributes can be provided, but only last ones for incoming and outgoing is used.
Acct-Interim-Interval - interim-update for RADIUS client, if 0 uses the one specified in RADIUS client
MS-MPPE-Encryption-Policy - require-encryption property (PPPs only)
MS-MPPE-Encryption-Types - use-encryption property, non-zero value means to use encryption (PPPs only)
Ascend-Data-Rate - tx/rx data rate limitation if multiple attributes are provided, first limits tx data rate, second - rx data rate. If used together with Ascend-Xmit-Rate, specifies rx rate. 0 if unlimited
Ascend-Xmit-Rate - tx data rate limitation. It may be used to specify tx limit only instead of sending two sequental Ascend-Data-Rate attributes (in that case Ascend-Data-Rate will specify the receive rate). 0 if unlimited
MS-CHAP2-Success - auth. response if MS-CHAPv2 was used (for PPPs only)
MS-MPPE-Send-Key, MS-MPPE-Recv-Key - encryption keys for encrypted PPPs provided by RADIUS server only is MS-CHAPv2 was used as authentication (for PPPs only)
Ascend-Client-Gateway - client gateway for DHCP-pool HotSpot login method (HotSpot only)
Recv-Limit - total receive limit in bytes for the client
Xmit-Limit - total transmit limit in bytes for the client
Wireless-Forward - not forward the client's frames back to the wireless infrastructure if this attribute is set to "0" (Wireless only)
Wireless-Skip-Dot1x - disable 802.1x authentication for the particulat wireless client if set to non-zero value (Wireless only)
Wireless-Enc-Algo - WEP encryption algorithm: 0 - no encryption, 1 - 40-bit WEP, 2 - 104-bit WEP (Wireless only)
Wireless-Enc-Key - WEP encruption key for the client (Wireless only)
Rate-Limit - Datarate limitation for clients. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest. If rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values.
Group - Router local user group name (defines in /user group) for local users. HotSpot default profile for HotSpot users.
Advertise-URL - URL of the page with advertisements that should be displayed to clients. If this attribute is specified, advertisements are enabled automatically, including transparent proxy, even if they were explicitly disabled in the corresponding user profile. Multiple attribute instances may be send by RADIUS server to specify additional URLs which are choosen in round robin fashion.
Advertise-Interval - Time interval between two adjacent advertisements. Multiple attribute instances may be send by RADIUS server to specify additional intervals. All interval values are threated as a list and are taken one-by-one for each successful advertisement. If end of list is reached, the last value is continued to be used.
Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from RADIUS server, the default one is to be used.
Here are some Rate-Limit examples:
128k - rx-rate=128000, tx-rate=128000 (no bursts)
64k/128M - rx-rate=64000, tx-rate=128000000
64k 256k - rx/tx-rate=64000, rx/tx-burst-rate=256000, rx/tx-burst-threshold=64000, rx/tx-burst-time=1s
64k/64k 256k/256k 128k/128k 10/10 - rx/tx-rate=64000, rx/tx-burst-rate=256000, rx/tx-burst-threshold=128000, rx/tx-burst-time=10s
Accounting-Request
Acct-Status-Type - Start, Stop, or Interim-Update
Acct-Session-Id - accounting session ID
Service-Type - same as in request (PPPs only)
Framed-Protocol - same as in request (PPPs only)
NAS-Identifier - same as in request
NAS-IP-Address - same as in request
User-Name - same as in request
MS-CHAP-Domain - same as in request (only for PPPs)
NAS-Port-Type - same as in request
NAS-Port - same as in request
NAS-Port-Id - same as in request
Calling-Station-Id - same as in request
Called-Station-Id - same as in request
Acct-Authentic - either authenticated by the RADIUS or Local authority (PPPs only)
Framed-IP-Address - IP address given to the user
Framed-IP-Netmask - same as in RADIUS reply
Class - RADIUS server cookie (PPPs only)
Acct-Delay-Time - how long does the router try to send this Accounting-Request packet
Stop and Interim-Update Accounting-Request
Acct-Session-Time - connection uptime in seconds
Acct-Input-Octets - bytes received from the client
Acct-Input-Gigawords - 4G (2^32) bytes received from the client (bits 32..63, when bits 0..31 are delivered in Acct-Input-Octets) (HotSpot only)
Acct-Input-Packets - nubmer of packets received from the client
Acct-Output-Octets - bytes sent to the client
Acct-Output-Gigawords - 4G (2^32) bytes sent to the client (bits 32..63, when bits 0..31 are delivered in Acct-Output-Octets) (HotSpot only)
Acct-Output-Packets - number of packets sent to the client
Stop Accounting-Request
These packets can additionally have:
Acct-Terminate-Cause - session termination cause (see RFC2866 ch. 5.10)
Attribute Numeric Values Name VendorID Value RFC where it is defined
Acct-Authentic 45 RFC2866
Acct-Delay-Time 41 RFC2866
Acct-Input-Gigawords 52 RFC2869
Acct-Input-Octets 42 RFC2866
Acct-Input-Packets 47 RFC2866
Acct-Interim-Interval 85 RFC2869
Acct-Output-Gigawords 53 RFC2869
Acct-Output-Octets 43 RFC2866
Acct-Output-Packets 48 RFC2866
Acct-Session-Id 44 RFC2866
Acct-Session-Time 46 RFC2866
Acct-Status-Type 40 RFC2866
Acct-Terminate-Cause 49 RFC2866
Ascend-Client-Gateway 529 132
Ascend-Data-Rate 529 197
Ascend-Xmit-Rate 529 255
Called-Station-Id 30 RFC2865
Calling-Station-Id 31 RFC2865
CHAP-Challenge 60 RFC2866
CHAP-Password 3 RFC2865
Class 25 RFC2865
Filter-Id 11 RFC2865
Framed-IP-Address 8 RFC2865
Framed-IP-Netmask 9 RFC2865
Framed-Pool 88 RFC2869
Framed-Protocol 7 RFC2865
Framed-Route 22 RFC2865
Group 14988 3
Idle-Timeout 28 RFC2865
MS-CHAP-Challenge 311 11 RFC2548
MS-CHAP-Domain 311 10 RFC2548
MS-CHAP-Response 311 1 RFC2548
MS-CHAP2-Response 311 25 RFC2548
MS-CHAP2-Success 311 26 RFC2548
MS-MPPE-Encryption-Policy 311 7 RFC2548
MS-MPPE-Encryption-Types 311 8 RFC2548
MS-MPPE-Recv-Key 311 17 RFC2548
MS-MPPE-Send-Key 311 16 RFC2548
NAS-Identifier 32 RFC2865
NAS-Port 5 RFC2865
NAS-Port-Id 87 RFC2869
NAS-Port-Type 61 RFC2865
Rate-Limit 14988 8
Realm 14988 9
Recv-Limit 14988 1
Service-Type 6 RFC2865
Session-Timeout 27 RFC2865
User-Name 1 RFC2865
User-Password 2 RFC2865
Wireless-Enc-Algo 14988 6
Wireless-Enc-Key 14988 7
Wireless-Forward 14988 4
Wireless-Skip-Dot1x 14988 5
Xmit-Limit 14988 2 |
|