Skip to content

Background Introduction

Bamboo Cloud IDaaS provides Radius Server capabilities, supporting various enterprise devices such as VPNs (SANGFOR, Huawei, Netentsec, etc.) and cloud desktops (Huawei) to authenticate through the Radius protocol after configuration.

This section introduces device mapping definitions and RADIUS attributes and other related information.

Device Mapping Definition

The device mapping definition of Bamboo Cloud IDaaS mainly returns the attributes required by the vendor device to the vendor under the vendor device's authentication success/failure/challenge code status.

Therefore, in the mapping definition selection, the device attribute names come from the vendor, and each device vendor has different attributes. This article mainly lists the currently supported vendor attributes for your configuration. The mapping definition mapping type is the same as in other parts of the product.

IDaaS can choose to return different attributes under different authentication statuses, determined by the Applicable Scenario. Access-Accept (success), Access-Reject (failure), and Access-Challenge (challenge code) mean that attributes can only be returned under the corresponding authentication packet scenario.

Mapping TypeDescription
User AttributeYou can select attributes available on the user attribute
Fixed Attribute ValueFixed text
Dynamic ScriptThe script syntax can refer to Dynamic Script in Development Mapping Definition. Note that the script object for devices is only the User Object

RADIUS Attributes

Protocols RFC2865, RFC2866, and RFC3576 define the following RADIUS standard attributes, which are basically supported by all mainstream device vendors. The RADIUS protocol has good scalability. The Vendor-Specific attribute (attribute number 26) defined in protocol (RFC2865) is used by device vendors to extend RADIUS to implement functions not defined by standard RADIUS.

RADIUS attributes do not always have return values in authentication packets; it depends on the attribute itself and the configuration in IDaaS. RADIUS authentication packet attributes have four states in total: Access-Request (request), Access-Accept (success), Access-Reject (failure), and Access-Challenge (challenge code).

The following introduces the vendor attributes supported by IDaaS.

Attribute NameCodeAttribute Description
User-Name1Username for authentication
User-Password2User password for authentication, valid only for PAP authentication
Challenge-Password3User password for authentication, valid only for CHAP authentication
NAS-IP-Address4Device IP address. If the RADIUS server group is bound to an interface address, the bound interface address is used. Otherwise, the interface address that sends the packet is used
NAS-Port5User access port, in the format "4-digit slot number + 2-digit card number + 5-digit port number + 21-digit VLAN"
Service-Type6User service type. Access user is 2, operation user is 6
Framed-Protocol7Fixed at 1, indicating PPP type
Framed-IP-Address8IP address assigned to the user by the RADIUS server. 0xFFFFFFFE means the RADIUS server does not assign an address, and the device assigns an IP address to the user
Framed-Netmask9IP address mask assigned to the user by the RADIUS server
Filter-ID11Indicates the user group
Login-IP-Host14Host IP address of the Login connection
Login-Service15Login service type----Telnet, Rlogin, TCP Clear, PortMaster (proprietary), LAT
Reply-Message18Authentication success or rejection message
Callback-Number19Information passed by the authentication server that can be displayed to the user, such as mobile phone number, etc.
State24If the access challenge packet sent by the RADIUS server to the device contains this value, the device must include the same value in subsequent access request packets
Class25If the authentication accept packet sent by the RADIUS server to the device contains this value, the device must include the same value in subsequent accounting request packets; for standard RADIUS servers, the device can use the Class attribute to represent CAR parameters
Session-Timeout27Remaining time available to the user, in seconds; in EAP challenge packets, it serves as the user's re-authentication duration
Idle-Timeout28User idle disconnect time, in seconds
Termination-Action29Specified service termination method, re-authentication or forced user logout, etc.
Called-Station-Id30Allows NAS to send called number
Calling-Station-Id31Allows NAS to send calling number
NAS-Identifier32Device host name
Acct-Status-Type40Accounting packet type. 1 indicates start accounting packet, 2 indicates stop accounting packet, 3 indicates interim accounting packet
Acct-Delay-Time41Time spent generating the accounting packet, in seconds
Acct-Input-Octets42Uplink bytes, in Byte, kbyte, Mbyte, Gbyte. The specific unit can be configured through commands
Acct-Output-Octets43Downlink bytes, in Byte, kbyte, Mbyte, Gbyte. The specific unit can be configured through commands
Acct-Session-Id44Accounting connection number. For start, interim, and stop accounting packets of the same connection, the connection number must be the same
Acct-Authentic45User authentication mode. 1 indicates RADIUS authentication, 2 indicates local authentication
Acct-Session-Time46User online time, in seconds
Acct-Input-Packets47Uplink packet count
Acct-Output-Packets48Downlink packet count
Acct-Terminate-Cause49Reason for user connection interruption
Acct-Multi-Session-ID50Multi-session ID, used to identify related sessions in logs
Acct-Input-Gigawords52Indicates how many times the uplink bytes are of 4G(232)Byte, kbyte, Mbyte, Gbyte (the unit is determined by command configuration)
Acct-Output-Gigawords53Indicates how many times the downlink bytes are of 4G(232)Byte, kbyte, Mbyte, Gbyte (the unit is determined by command configuration)
Event-Timestamp55Time when the accounting packet is generated, in seconds, representing the absolute number of seconds since 00:00:00 on January 1, 1970
CHAP-Challenge60CHAP authentication challenge word, used only for CHAP authentication
NAS-Port-Type61NAS port type, configurable in BAS interface view
Tunnel-Type64Tunnel protocol type, fixed at 3, indicating L2TP tunnel
Tunnel-Medium-Type65Tunnel medium type, fixed at 1, indicating IPv4
Tunnel-Server-Endpoint67IP address of the tunnel server end
Tunnel-Password69Tunnel verification password. The first two bytes are SALT, and the following 16 bytes are the encrypted password
Tunnel-Private-Group-ID81Tunnel group name
Tunnel-Assignment-ID82Tunnel identifier name
Tunnel-Preference83Tunnel priority
Acct-Interim-Interval85Interim accounting interval, in seconds
NAS-Port-Id87User access port number, in the format "slot=XX;subslot=XX;port=XXX;VLANID=XXXX;" or "slot=XX;subslot=XX;port=XXX;VPI=XXX;VCI=XXXX"
Framed-Pool88Address pool name and address segment number, valid only when assigning IP addresses to PPP from the device's local address pool, in the format "address pool name#address segment number"
Tunnel-Client-Auth-ID90Local username passed in tunnel authentication
Tunnel_Server_Auth_id91Server-side username passed in tunnel authentication

BambooCloud IDaaS Open Platform