= RFCs and Attributes
-The RFCs have several issues and ambiguities. The proposed standard, https://datatracker.ietf.org/doc/html/rfc5080[RFC 5080] *Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes*, resolves some of these discrepencies. When creating new RADIUS standards, follow the guidelines in the https://datatracker.ietf.org/doc/html/rfc6158[RFC 6158] *RADIUS Design Guidelines* document. To review a list of all the standard RADIUS attributes, navigate to the xref:rfc_attributelist.adoc[Attribute Definitions] section below.
-
-However, these documents do not cover all the known issues with RADIUS. The RFCs are unclear in some areas, and some things are not explicitly allowed or forbidden. Developers should not assume something is allowed just because it is not prohibited. After 20 years of RADIUS deployments, new behaviours could conflict with current practices. We recommend that you follow the RFC specifications closely for the best results.
-
-The https://www.freeradius.org/rfc/issues.html[open issues] page lists the problems we know about and our suggested solutions.
+The standard RADIUS attributes are listed in the
+xref:rfc_attributelist.adoc[Attribute Definitions] section below.
+
+When creating new RADIUS dictionaries or standards, you must follow
+the *RADIUS Design Guidelines* document
+(https://datatracker.ietf.org/doc/html/rfc6158[RFC 6158]), and the
+*Data Types in RADIUS* document
+(https://datatracker.ietf.org/doc/html/rfc8044[RFC 8044]).
+
+Unfortunately, the RFCs are imperfect, and they have many issues and
+ambiguities. The *Common Remote Authentication Dial In User Service
+(RADIUS) Implementation Issues and Suggested Fixes* document
+(https://datatracker.ietf.org/doc/html/rfc5080[RFC 5080]), resolves
+some of these discrepencies.
+
+However, that document does not cover all the known issues with
+RADIUS. The RFCs are unclear in some areas, and does not always
+explicitly allowed or forbid behavior. Developers should not assume
+something is allowed just because it is not prohibited. Any new
+behavior that you invent is likely to conflict with After 20 years of
+RADIUS deployments. We recommend that you follow the RFC
+specifications closely for the best results. If you're unsure about
+the RFCs, follow existing best practices, or ask on the
+freeradius-users mailing list.
+
+Additional problems with the RADIUS standards and implementations are listed on the
+https://github.com/radext-wg/issues-and-fixes-2/wiki/[IETF RADEXT
+Wiki], and in the https://www.freeradius.org/rfc/issues.html[open
+issues] page.
.RFCs
include::partial$rfc_radius.adoc[]
-
.Related Documents (old RFCs, information, etc)
include::partial$rfc_related.adoc[]
https://www.inkbridgenetworks.com/blog/blog-10/the-freeradius-auth-type-attribute-103[The FreeRADIUS Auth-Type attribute]
-https://www.inkbridgenetworks.com/blog/blog-10/radius-standards-compliance-from-rfc-to-wifi-alliance-135[RADIUS standards compliance: from RFC to WiFI Alliance]
-
+https://www.inkbridgenetworks.com/blog/blog-10/radius-standards-compliance-from-rfc-to-wifi-alliance-135[RADIUS standards compliance: from RFC to WiFi Alliance]
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
= Attribute Definitions
-In FreeRADIUS v4, following the RFC definitions is critical. The modular codespace allows RADIUS to function as a plug-in protocol, like DHCP or DNS. Standardization enables devices from different manufacturers to communicate using shared protocols and frameworks. RFC-compliant systems show clear behaviours to prevent security issues in authentication or authorisation.
+This page contains a list of RADIUS attribute definitions, with links
+to the relevant standards.
-If non-standard attribute numbers or types are used, a NAS might ignore some authorisation instructions. FreeRADIUS v4 depends on the strict data types defined in https://datatracker.ietf.org/doc/html/rfc8044[RFC 8044] ensure that attributes are parsed the correct data type and interpreted accurately. This prevents "garbled" data or session crashes when dealing with complex attributes. Standard Logic: Many core modules depend on certain RFC attributes and formats. For example, State (RFC 5080) helps link many requests into one session. Re-defining these flows can lead to failed authentications or replay attacks.
+It is critical that all vendors and administrators follow the RFC
+definitions of attributes. Standardization enables devices from
+different manufacturers to communicate using shared protocols and
+frameworks. RFC-compliant systems have consistent behaviour, which
+prevents interoperability issues that can cause problems in production
+networks.
-RADIUS has a finite range (0–255) available for standard attributes. Defining a custom attribute with a number already used by an RFC can cause a collision. The server might apply the wrong policy to a packet. This can lead to unauthorised access or accounting errors. FreeRADIUS v4 supports Extended Attributes (IDs > 255). Ignoring RFC formats can break the server's ability to manage longer or fragmented attributes.
+In addition to interoperability issues, FreeRADIUS depends on the data
+types which are defined in
+https://datatracker.ietf.org/doc/html/rfc8044[RFC 8044]. Many modules
+in the server use specific RFC attributes, and rely on using their
+defined data types. Changing the definitions of those attributes in
+the dictionaries _will_ cause problems. Since the server needs a
+specific definition for these attributes, it will detect edits to the
+dictionaries, and refuse to start if the dictionary definitions for
+standard attributes have been modified.
-Use Internal Attributes (defined with the DEFINE keyword) for local logic. These attributes are never sent over the network, eliminating interoperability issues.
+RADIUS also has a finite range (1-255) available for standard
+attributes. Defining a custom attribute with a number already used by
+an RFC can cause a collision. Vendors who need custom attributes
+*must* use
+https://datatracker.ietf.org/doc/html/rfc6929#section-4[Vendor-Specific]
+attributes.
+
+For local site policy, administrators can define local attributes in
+the xref:reference:raddb/dictionary.adoc[local dictionary]. These
+attributes should use the
+xref:reference:dictionary/define.adoc[DEFINE] keyword, which avoids
+all issues with assigning attribute numbers. Policies in `unlang` can
+also use xref:reference:unlang/local.adoc[local variables]. All of
+these local attributes are never sent over the network.
== Attribute RFCs and Definitions
-The following tables list the relevant attributes used in RADIUS development. Each attribute includes a brief explanation and a direct link to its definition. All RADIUS attribute information is available this documentation.
+The following tables list the RADIUS attributes which are defined in
+the RFCs. Each attribute includes a brief explanation and a direct
+link to its definition in the RFCs.
== A
include::partial$a_attributelist.adoc[]
== V
include::partial$v_attributelist.adoc[]
-
-
-
-
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
= RFC Compliance
-RADIUS (Remote Authentication Dial-In User Service) RFC compliance is critical for ensuring that network access control systems are secure, interoperable, and scalable in 2026. Adhering to these IETF standards provides a common language for diverse networking hardware and software to communicate reliably.
-The importance of RADIUS RFC compliance centers on four key areas:
+RADIUS (Remote Authentication Dial-In User Service) RFC compliance is
+critical for ensuring that network access control systems are secure,
+interoperable, and scalable in 2026. Adhering to these IETF standards
+provides a common language for diverse networking hardware and
+software to communicate reliably. The importance of RADIUS RFC
+compliance centers on four key areas:
== Interoperability in Multi-Vendor Environments
-* De Facto Standard: RADIUS is the industry standard for centralizing Authentication, Authorization, and Accounting (AAA). Compliance ensures that a RADIUS server can communicate with network access servers (NAS) like Wi-Fi access points, VPN gateways, and switches from different manufacturers (e.g., Cisco, Aruba, Fortinet).
+* De Facto Standard: RADIUS is the industry standard for centralizing
+ Authentication, Authorization, and Accounting (AAA). Compliance
+ ensures that a RADIUS server can communicate with network access
+ servers (NAS) like Wi-Fi access points, VPN gateways, and switches
+ from different manufacturers (e.g., Cisco, Aruba, Fortinet).
-* Consistent Behavior: RFCs provide documented, predictable behavior, reducing unexpected issues when integrating new equipment into an existing infrastructure.
+* Consistent Behavior: RFCs provide documented, predictable behavior,
+ reducing unexpected issues when integrating new equipment into an
+ existing infrastructure.
-* Standardized Attributes: Standards like https://datatracker.ietf.org/doc/html/rfc2865[RFC 2865] and https://datatracker.ietf.org/doc/html/rfc2868[RFC 2868] define how user attributes (e.g., VLAN assignments, tunnel protocols) are formatted, ensuring they are correctly interpreted across the network.
+* Standardized Attributes: Standards like
+ https://datatracker.ietf.org/doc/html/rfc2865[RFC 2865] and
+ https://datatracker.ietf.org/doc/html/rfc2868[RFC 2868] define how
+ user attributes (e.g., VLAN assignments, tunnel protocols) are
+ formatted, ensuring they are correctly interpreted across the
+ network.
== Security and Vulnerability Mitigation
-* Addressing Cryptographic Weaknesses: Legacy RADIUS (RFC 2865) relies on MD5 hashing, which is now considered insecure. Recent critical vulnerabilities like BlastRADIUS (identified in 2024) exploit these MD5 weaknesses to forge authentication responses.
+* Addressing Cryptographic Weaknesses: Legacy RADIUS (RFC 2865) relies
+ on MD5 hashing, which is now considered insecure. Recent critical
+ vulnerabilities like BlastRADIUS (identified in 2024) exploit these
+ MD5 weaknesses to forge authentication responses.
-* Protocol Evolution: Modern compliance often requires moving toward newer standards like RadSec (RADIUS over TLS, RFC 6614), which replaces unencrypted UDP transport with encrypted TLS. This protects sensitive data, such as usernames and location information, from eavesdropping and tampering.
+* Protocol Evolution: Modern compliance often requires moving toward
+ newer standards like RadSec (RADIUS over TLS, RFC 6614), which
+ replaces unencrypted UDP transport with encrypted TLS. This protects
+ sensitive data, such as usernames and location information, from
+ eavesdropping and tampering.
-* Mandatory Integrity Checks: Updated standards mandate features like the Message-Authenticator attribute to prevent packet forgery attacks that were previously optional.
+* Mandatory Integrity Checks: Updated standards mandate features like
+ the Message-Authenticator attribute to prevent packet forgery
+ attacks that were previously optional.
== Scalability and Reliability
-* Centralised Management: Compliance allows organizations to manage millions of users from a single point, making it suitable for large ISPs and global enterprises.
+* Centralised Management: Compliance allows organizations to manage
+ millions of users from a single point, making it suitable for large
+ ISPs and global enterprises.
-* Backward Compatibility: RFC-compliant systems are designed to evolve while maintaining connections with older infrastructure, allowing for gradual network upgrades without total system overhauls.
+* Backward Compatibility: RFC-compliant systems are designed to evolve
+ while maintaining connections with older infrastructure, allowing
+ for gradual network upgrades without total system overhauls.
-The following is a comprehensive set of tables that list all the RADIUS and related RFCs that are required reading. Depending on the section or feature that you are delveloping, will determine which documents you need to review.
+The following is a comprehensive set of tables that list all the
+RADIUS and related RFCs that are required reading. Depending on the
+section or feature that you are delveloping, will determine which
+documents you need to review.
.RADIUS Related
[options=header,cols="20,~",autowidth]
|====
-|RFC |Description
+|RFC |Description
|https://datatracker.ietf.org/doc/html/rfc2865[RFC 2865] |Remote Authentication Dial In User Service (RADIUS) (Obsoletes https://datatracker.ietf.org/doc/html/rfc2138[RFC 2138] and https://datatracker.ietf.org/doc/html/rfc2058[RFC 2058]).
|https://datatracker.ietf.org/doc/html/rfc2869[RFC 2869] |RADIUS Extensions
-|https://datatracker.ietf.org/doc/html/rfc3576[RFC 3576] |Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
+|https://datatracker.ietf.org/doc/html/rfc3576[RFC 3576] |Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
-|https://datatracker.ietf.org/doc/html/rfc3580[RFC 3580] |IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
+|https://datatracker.ietf.org/doc/html/rfc3580[RFC 3580] |IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
-|https://datatracker.ietf.org/doc/html/rfc4072[RFC 4072] |Diameter Extensible Authentication Protocol (EAP) Application
+|https://datatracker.ietf.org/doc/html/rfc4072[RFC 4072] |Diameter Extensible Authentication Protocol (EAP) Application
-|https://datatracker.ietf.org/doc/html/rfc4372[RFC 4372] |Chargeable User Identity
+|https://datatracker.ietf.org/doc/html/rfc4372[RFC 4372] |Chargeable User Identity
-|https://datatracker.ietf.org/doc/html/rfc4603[RFC 4603] |Additional Values for the NAS-Port-Type Attribute
+|https://datatracker.ietf.org/doc/html/rfc4603[RFC 4603] |Additional Values for the NAS-Port-Type Attribute
-|https://datatracker.ietf.org/doc/html/rfc4675[RFC 4675] |RADIUS Attributes for Virtual LAN and Priority Support
+|https://datatracker.ietf.org/doc/html/rfc4675[RFC 4675] |RADIUS Attributes for Virtual LAN and Priority Support
|https://datatracker.ietf.org/doc/html/rfc4849[RFC 4849] |RADIUS Filter Rule Attribute.
-|https://datatracker.ietf.org/doc/html/rfc5090[RFC 5090] |RADIUS Extension for Digest Authentication.
+|https://datatracker.ietf.org/doc/html/rfc5090[RFC 5090] |RADIUS Extension for Digest Authentication.
|https://datatracker.ietf.org/doc/html/rfc5176[RFC 5176] |Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).
|https://datatracker.ietf.org/doc/html/rfc5607[RFC 5607] |Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management.
-|https://datatracker.ietf.org/doc/html/rfc6929[RFC 6929] |Remote Authentication Dial In User Service (RADIUS) Protocol Extensions
+|https://datatracker.ietf.org/doc/html/rfc6929[RFC 6929] |Remote Authentication Dial In User Service (RADIUS) Protocol Extensions
|====
.Authentication
|RADIUS accounting for SIP servers.
|====
-// Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
+// Copyright (C) 2026 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
|https://datatracker.ietf.org/doc/rfc2548/[RFC 2548] |Microsoft Vendor-specific RADIUS Attributes (attributes)
-|https://datatracker.ietf.org/doc/rfc809/[RFC 2809] |Implementation of L2TP Compulsory Tunneling via RADIUS (information )
+|https://datatracker.ietf.org/doc/rfc809/[RFC 2809] |Implementation of L2TP Compulsory Tunneling via RADIUS (information )
|https://datatracker.ietf.org/doc/rfc2865/[RFC 2865] |Remote Authentication Dial In User Service (RADIUS) (attributes)
|https://datatracker.ietf.org/doc/rfc4818/[RFC 4818] |RADIUS Delegated-IPv6-Prefix Attribute (attributes)
-|https://datatracker.ietf.org/doc/rfc4849/[RFC 4849] |RADIUS Filter Rule Attribute (attributes)
+|https://datatracker.ietf.org/doc/rfc4849/[RFC 4849] |RADIUS Filter Rule Attribute (attributes)
|https://datatracker.ietf.org/doc/rfc5080/[RFC 5080] |Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes (information)
-|https://datatracker.ietf.org/doc/rfc5997/[RFC 5997] |Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol (information)
+|https://datatracker.ietf.org/doc/rfc5997/[RFC 5997] |Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol (information)
|====
[options=header,cols="20,~",autowidth]
-|====
+| ====
-|RFC |Description
+| RFC | Description
-|https://datatracker.ietf.org/doc/rfc1157/[RFC 1157] |A Simple Network Management Protocol (SNMP)
+| https://datatracker.ietf.org/doc/rfc1157/[RFC 1157] | A Simple Network Management Protocol (SNMP)
-|https://datatracker.ietf.org/doc/rfc1227/[RFC 1227] |SNMP MUX Protocol and MIB
+| https://datatracker.ietf.org/doc/rfc1227/[RFC 1227] | SNMP MUX Protocol and MIB
-|https://datatracker.ietf.org/doc/rfc1448/[RFC 1448] |Protocol Operations for version 2 of the Simple Network Management Protocol (SNMPv2)
+| https://datatracker.ietf.org/doc/rfc1448/[RFC 1448] | Protocol Operations for version 2 of the Simple Network Management Protocol (SNMPv2)
-|https://datatracker.ietf.org/doc/rfc1901/[RFC 1901] |Introduction to Community-based SNMPv2
+| https://datatracker.ietf.org/doc/rfc1901/[RFC 1901] | Introduction to Community-based SNMPv2
-|https://datatracker.ietf.org/doc/rfc1905/[RFC 1905] |Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)
+| https://datatracker.ietf.org/doc/rfc1905/[RFC 1905] | Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)
-|https://datatracker.ietf.org/doc/rfc2058/[RFC 2058] |Remote Authentication Dial In User Service (RADIUS)
+| https://datatracker.ietf.org/doc/rfc2058/[RFC 2058] | Remote Authentication Dial In User Service (RADIUS)
-|https://datatracker.ietf.org/doc/rfc2059/[RFC 2059] |RADIUS Accounting
+| https://datatracker.ietf.org/doc/rfc2059/[RFC 2059] | RADIUS Accounting
-|https://datatracker.ietf.org/doc/rfc2138/[RFC 2138] |Remote Authentication Dial In User Service (RADIUS)
+| https://datatracker.ietf.org/doc/rfc2138/[RFC 2138] | Remote Authentication Dial In User Service (RADIUS)
-|https://datatracker.ietf.org/doc/rfc2139/[RFC 2139] |RADIUS Accounting
+| https://datatracker.ietf.org/doc/rfc2139/[RFC 2139] | RADIUS Accounting
-|https://datatracker.ietf.org/doc/rfc2243/[RFC 2243] |OTP Extended Responses
+| https://datatracker.ietf.org/doc/rfc2243/[RFC 2243] | OTP Extended Responses
-|https://datatracker.ietf.org/doc/rfc2289/[RFC 2289] |A One-Time Password System
+| https://datatracker.ietf.org/doc/rfc2289/[RFC 2289] | A One-Time Password System
-|https://datatracker.ietf.org/doc/rfc2433/[RFC 2433] |Microsoft PPP CHAP Extensions
+| https://datatracker.ietf.org/doc/rfc2433/[RFC 2433] | Microsoft PPP CHAP Extensions
-|https://datatracker.ietf.org/doc/rfc2607/[RFC 2607] |Proxy Chaining and Policy Implementation in Roaming
+| https://datatracker.ietf.org/doc/rfc2607/[RFC 2607] | Proxy Chaining and Policy Implementation in Roaming
-|https://datatracker.ietf.org/doc/rfc2618/[RFC 2618] |RADIUS Authentication Client MIB
+| https://datatracker.ietf.org/doc/rfc2618/[RFC 2618] | RADIUS Authentication Client MIB
-|https://datatracker.ietf.org/doc/rfc2619/[RFC 2619] |RADIUS Authentication Server MIB
+| https://datatracker.ietf.org/doc/rfc2619/[RFC 2619] | RADIUS Authentication Server MIB
-|https://datatracker.ietf.org/doc/rfc2620/[RFC 2620] |RADIUS Accounting Client MIB
+| https://datatracker.ietf.org/doc/rfc2620/[RFC 2620] | RADIUS Accounting Client MIB
-|https://datatracker.ietf.org/doc/rfc2621/[RFC 2621] |RADIUS Accounting Server MIB
+| https://datatracker.ietf.org/doc/rfc2621/[RFC 2621] | RADIUS Accounting Server MIB
-|https://datatracker.ietf.org/doc/rfc2716/[RFC 2716] |PPP EAP TLS Authentication Protocol
+| https://datatracker.ietf.org/doc/rfc2716/[RFC 2716] | PPP EAP TLS Authentication Protocol
-|https://datatracker.ietf.org/doc/rfc2759/[RFC 2759] |Microsoft PPP CHAP Extensions, Version 2
+| https://datatracker.ietf.org/doc/rfc2759/[RFC 2759] | Microsoft PPP CHAP Extensions, Version 2
-|https://datatracker.ietf.org/doc/rfc2924/[RFC 2924] |Accounting Attributes and Record Formats
+| https://datatracker.ietf.org/doc/rfc2924/[RFC 2924] | Accounting Attributes and Record Formats
-|https://datatracker.ietf.org/doc/rfc3575/[RFC 3575] |IANA Considerations for RADIUS (Remote Authentication Dial In User Service)
+| https://datatracker.ietf.org/doc/rfc3575/[RFC 3575] | IANA Considerations for RADIUS (Remote Authentication Dial In User Service)
-|https://datatracker.ietf.org/doc/rfc3748/[RFC 3748] |Extensible Authentication Protocol (EAP)
+| https://datatracker.ietf.org/doc/rfc3748/[RFC 3748] | Extensible Authentication Protocol (EAP)
-|====
+| ====
projects / thirdparty / freeradius-server.git / commitdiff
