From 4d67eaf70e3dd076b72d06cd28a888878b53b567 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C3=BA=C5=A1=20B=C3=A1r=C3=A1ny?=
Date: Mon, 1 Jul 2024 10:04:55 +0200
Subject: [PATCH 1/6] feat: more attributes from rfc
---
src/Enums/Attribute.php | 515 ++++++++++++++++++++++++++++++---
src/Language/en/FreeRadius.php | 219 +++++++++++---
2 files changed, 660 insertions(+), 74 deletions(-)
diff --git a/src/Enums/Attribute.php b/src/Enums/Attribute.php
index 73e4a4c..789e068 100644
--- a/src/Enums/Attribute.php
+++ b/src/Enums/Attribute.php
@@ -21,32 +21,184 @@ public static function getDropdownValues(): array public function toDescription(): string { return match ($this) { - self::NasIpAddress => lang('FreeRadius.attributeDescription.nasIpAddress'), - self::CleartextPassword => lang('FreeRadius.attributeDescription.cleartextPassword'), - self::FallThrough => lang('FreeRadius.attributeDescription.fallThrough'), - self::SimultaneousUse => lang('FreeRadius.attributeDescription.simultaneousUse'), - self::ServiceType => lang('FreeRadius.attributeDescription.serviceType'), - self::FramedIPAddress => lang('FreeRadius.attributeDescription.framedIPAddress'), - self::FramedIPNetmask => lang('FreeRadius.attributeDescription.framedIPNetmask'), - self::FramedProtocol => lang('FreeRadius.attributeDescription.framedProtocol'), - self::FramedMTU => lang('FreeRadius.attributeDescription.framedMTU'), - self::CiscoAVPair => lang('FreeRadius.attributeDescription.ciscoAVPair'), - self::CiscoNASPort => lang('FreeRadius.attributeDescription.ciscoNASPort'), - self::CiscoFramedRoute => lang('FreeRadius.attributeDescription.ciscoFramedRoute'), - self::AcctAuthentic => lang('FreeRadius.attributeDescription.acctAuthentic'), - self::AcctTerminateCause => lang('FreeRadius.attributeDescription.acctTerminateCause'), - self::AcctOutputOctets => lang('FreeRadius.attributeDescription.acctOutputOctets'), - self::AcctInterval => lang('FreeRadius.attributeDescription.acctInterval'), - self::AcctSessionId => lang('FreeRadius.attributeDescription.acctSessionId'), - self::AcctUniqueId => lang('FreeRadius.attributeDescription.acctUniqueId'), - self::AcctStartTime => lang('FreeRadius.attributeDescription.acctStartTime'), - self::AcctUpdateTime => lang('FreeRadius.attributeDescription.acctUpdateTime'), - self::AcctStopTime => lang('FreeRadius.attributeDescription.acctStopTime'), - self::AcctSessionTime => lang('FreeRadius.attributeDescription.acctSessionTime'), - self::NasPortId => lang('FreeRadius.attributeDescription.nasPortId'), - 
self::NasPortType => lang('FreeRadius.attributeDescription.nasPortType'), - self::AcctInputOctets => lang('FreeRadius.attributeDescription.acctInputOctets'), - self::CiscoServiceInfo => lang('FreeRadius.attributeDescription.ciscoServiceInfo'), + self::NasIpAddress => lang('FreeRadius.attributeDescription.NAS-Ip-Address'), + self::CleartextPassword => lang('FreeRadius.attributeDescription.cleartextPassword'), + self::FallThrough => lang('FreeRadius.attributeDescription.fallThrough'), + self::SimultaneousUse => lang('FreeRadius.attributeDescription.simultaneousUse'), + self::ServiceType => lang('FreeRadius.attributeDescription.serviceType'), + self::FramedIPAddress => lang('FreeRadius.attributeDescription.Framed-IP-Address'), + self::FramedIPNetmask => lang('FreeRadius.attributeDescription.Framed-IP-Netmask'), + self::FramedProtocol => lang('FreeRadius.attributeDescription.Framed-Protocol'), + self::FramedMTU => lang('FreeRadius.attributeDescription.Framed-MTU'), + self::CiscoAVPair => lang('FreeRadius.attributeDescription.ciscoAVPair'), + self::CiscoNASPort => lang('FreeRadius.attributeDescription.ciscoNASPort'), + self::CiscoFramedRoute => lang('FreeRadius.attributeDescription.ciscoFramedRoute'), + self::AcctAuthentic => lang('FreeRadius.attributeDescription.Acct-Authentic'), + self::AcctTerminateCause => lang('FreeRadius.attributeDescription.Acct-TerminateCause'), + self::AcctOutputOctets => lang('FreeRadius.attributeDescription.Acct-OutputOctets'), + self::AcctInterval => lang('FreeRadius.attributeDescription.Acct-Interval'), + self::AcctSessionId => lang('FreeRadius.attributeDescription.Acct-SessionId'), + self::AcctUniqueId => lang('FreeRadius.attributeDescription.Acct-UniqueId'), + self::AcctStartTime => lang('FreeRadius.attributeDescription.Acct-StartTime'), + self::AcctUpdateTime => lang('FreeRadius.attributeDescription.Acct-UpdateTime'), + self::AcctStopTime => lang('FreeRadius.attributeDescription.Acct-StopTime'), + self::AcctSessionTime => 
lang('FreeRadius.attributeDescription.Acct-SessionTime'), + self::NasPortId => lang('FreeRadius.attributeDescription.NAS-PortId'), + self::NasPortType => lang('FreeRadius.attributeDescription.Nas-PortType'), + self::AcctInputOctets => lang('FreeRadius.attributeDescription.Acct-InputOctets'), + self::UserPassword => lang('FreeRadius.attribute.User-Password'), + self::UserName => lang('FreeRadius.attribute.User-Name'), + self::TunnelType => lang('FreeRadius.attribute.Tunnel-Type'), + self::TunnelReject => lang('FreeRadius.attribute.Tunnel-Reject'), + self::TunnelStop => lang('FreeRadius.attribute.Tunnel-Stop'), + self::TunnelStart => lang('FreeRadius.attribute.Tunnel-Start'), + self::TunnelServerEndpoint => lang('FreeRadius.attribute.Tunnel-Server-Endpoint'), + self::TunnelServerAuthID => lang('FreeRadius.attribute.Tunnel-Server-Auth-ID'), + self::TunnelPrivateGroupID => lang('FreeRadius.attribute.Tunnel-Private-Group-ID'), + self::TunnelPreference => lang('FreeRadius.attribute.Tunnel-Preference'), + self::TunnelPassword => lang('FreeRadius.attribute.Tunnel-Password'), + self::TunnelMediumType => lang('FreeRadius.attribute.Tunnel-Medium-Type'), + self::TunnelLinkStop => lang('FreeRadius.attribute.Tunnel-Link-Stop'), + self::TunnelLinkStart => lang('FreeRadius.attribute.Tunnel-Link-Start'), + self::TunnelLinkReject => lang('FreeRadius.attribute.Tunnel-Link-Reject'), + self::TunnelClientEndpoint => lang('FreeRadius.attribute.Tunnel-Client-Endpoint'), + self::TunnelClientAuthID => lang('FreeRadius.attribute.Tunnel-Client-Auth-ID'), + self::TunnelAssignmentID => lang('FreeRadius.attribute.Tunnel-Assignment-ID'), + self::TerminationAction => lang('FreeRadius.attribute.Termination-Action'), + self::StatefulIPv6AddressPool => lang('FreeRadius.attribute.Stateful-IPv6-Address-Pool'), + self::State => lang('FreeRadius.attribute.State'), + self::SessionTimeout => lang('FreeRadius.attribute.Session-Timeout'), + self::ServiceSelection => 
lang('FreeRadius.attribute.Service-Selection'), + self::RouteIPv6Information => lang('FreeRadius.attribute.Route-IPv6-Information'), + self::ReplyMessage => lang('FreeRadius.attribute.Reply-Message'), + self::ProxyState => lang('FreeRadius.attribute.Proxy-State'), + self::PortLimit => lang('FreeRadius.attribute.Port-Limit'), + self::PasswordRetry => lang('FreeRadius.attribute.Password-Retry'), + self::PKMSSCert => lang('FreeRadius.attribute.PKM-SS-Cert'), + self::PKMSAID => lang('FreeRadius.attribute.PKM-SAID'), + self::PKMSADescriptor => lang('FreeRadius.attribute.PKM-SA-Descriptor'), + self::PKMCryptosuiteList => lang('FreeRadius.attribute.PKM-Cryptosuite-List'), + self::PKMConfigSettings => lang('FreeRadius.attribute.PKM-Config-Settings'), + self::PKMCACert => lang('FreeRadius.attribute.PKM-CA-Cert'), + self::PKMAUTHKey => lang('FreeRadius.attribute.PKM-MA-Key'), + self::NASPort => lang('FreeRadius.attribute.NAS-Port'), + self::NASIdentifier => lang('FreeRadius.attribute.NAS-Identifier'), + self::NASIPv6Address => lang('FreeRadius.attribute.NAS-IPv6-Address'), + self::MobileNodeIdentifier => lang('FreeRadius.attribute.Mobile-Node-Identifier'), + self::MSARAPChallenge => lang('FreeRadius.attribute.MS-ARAP-Challenge'), + self::MSARAPPasswordChangeReason => lang('FreeRadius.attribute.MS-ARAP-Password-Change-Reason'), + self::MSAcctAuthType => lang('FreeRadius.attribute.MS-Acct-Auth-Type'), + self::MSAcctEAPType => lang('FreeRadius.attribute.MS-Acct-EAP-Type'), + self::MSBAPUsage => lang('FreeRadius.attribute.MS-BAP-Usage'), + self::MSCHAPCPW1 => lang('FreeRadius.attribute.MS-CHAP-CPW-1'), + self::MSCHAPCPW2 => lang('FreeRadius.attribute.MS-CHAP-CPW-2'), + self::MSCHAPChallenge => lang('FreeRadius.attribute.MS-CHAP-Challenge'), + self::MSCHAPDomain => lang('FreeRadius.attribute.MS-CHAP-Domain'), + self::MSCHAPError => lang('FreeRadius.attribute.MS-CHAP-Error'), + self::MSCHAPLMEncPW => lang('FreeRadius.attribute.MS-CHAP-LM-Enc-PW'), + self::MSCHAPMPPEKeys => 
lang('FreeRadius.attribute.MS-CHAP-MPPE-Keys'), + self::MSCHAPNTEncPW => lang('FreeRadius.attribute.MS-CHAP-NT-Enc-PW'), + self::MSCHAPResponse => lang('FreeRadius.attribute.MS-CHAP-Response'), + self::MSCHAP2CPW => lang('FreeRadius.attribute.MS-CHAP2-CPW'), + self::MSCHAP2Response => lang('FreeRadius.attribute.MS-CHAP2-Response'), + self::MSCHAP2Success => lang('FreeRadius.attribute.MS-CHAP2-Success'), + self::MSFilter => lang('FreeRadius.attribute.MS-Filter'), + self::MSLinkDropTimeLimit => lang('FreeRadius.attribute.MS-Link-Drop-Time-Limit'), + self::MSLinkUtilizationThreshold => lang('FreeRadius.attribute.MS-Link-Utilization-Threshold'), + self::MSMPPEEncryptionPolicy => lang('FreeRadius.attribute.MS-MPPE-Encryption-Policy'), + self::MSMPPEEncryptionTypes => lang('FreeRadius.attribute.MS-MPPE-Encryption-Types'), + self::MSMPPERecvKey => lang('FreeRadius.attribute.MS-MPPE-Recv-Key'), + self::MSMPPESendKey => lang('FreeRadius.attribute.MS-MPPE-Send-Key'), + self::MSNewARAPPassword => lang('FreeRadius.attribute.MS-New-ARAP-Password'), + self::MSOldARAPPassword => lang('FreeRadius.attribute.MS-Old-ARAP-Password'), + self::MSPrimaryDNSServer => lang('FreeRadius.attribute.MS-Primary-DNS-Server'), + self::MSPrimaryNBNSServer => lang('FreeRadius.attribute.MS-Primary-NBNS-Server'), + self::MSRASVendor => lang('FreeRadius.attribute.MS-RAS-Vendor'), + self::MSRASVersion => lang('FreeRadius.attribute.MS-RAS-Version'), + self::MSSecondaryDNSServer => lang('FreeRadius.attribute.MS-Secondary-DNS-Server'), + self::MSSecondaryNBNSServer => lang('FreeRadius.attribute.MS-Secondary-NBNS-Server'), + self::MSAcctAuthType => lang('FreeRadius.attribute.MS-Acct-Auth-Type'), + self::MSARAPPasswordChangeReason => lang('FreeRadius.attribute.MS-ARAP-Password-Change-Reason'), + self::MSARAPChallenge => lang('FreeRadius.attribute.MS-ARAP-Challenge'), + self::LongExtendedType2 => lang('FreeRadius.attribute.Long-Extended-Type2'), + self::LongExtendedType1 => 
lang('FreeRadius.attribute.Long-Extended-Type1'), + self::LoginTCPPort => lang('FreeRadius.attribute.Login-TCP-Port'), + self::LoginService => lang('FreeRadius.attribute.Login-Service'), + self::LoginLATService => lang('FreeRadius.attribute.Login-LAT-Service'), + self::LoginLATPort => lang('FreeRadius.attribute.Login-LAT-Port'), + self::LoginLATNode => lang('FreeRadius.attribute.Login-LAT-Node'), + self::LoginLATGroup => lang('FreeRadius.attribute.Login-LAT-Group'), + self::LoginIPv6Host => lang('FreeRadius.attribute.Login-IPv6-Host'), + self::LoginIPHost => lang('FreeRadius.attribute.Login-IP-Host'), + self::IdleTimeout => lang('FreeRadius.attribute.Idle-Timeout'), + self::FramedRouting => lang('FreeRadius.attribute.Framed-Routing'), + self::FramedRoute => lang('FreeRadius.attribute.Framed-Route'), + self::FramedPool => lang('FreeRadius.attribute.Framed-Pool'), + self::FramedManagementProtocol => lang('FreeRadius.attribute.Framed-Management-Protocol'), + self::FramedInterfaceId => lang('FreeRadius.attribute.Framed-Interface-Id'), + self::FramedIPv6Route => lang('FreeRadius.attribute.Framed-IPv6-Route'), + self::FramedIPv6Prefix => lang('FreeRadius.attribute.Framed-IPv6-Prefix'), + self::FramedIPv6Pool => lang('FreeRadius.attribute.Framed-IPv6-Pool'), + self::FramedIPv6Address => lang('FreeRadius.attribute.Framed-IPv6-Address'), + self::FramedIPXNetwork => lang('FreeRadius.attribute.Framed-IPX-Network'), + self::FramedCompression => lang('FreeRadius.attribute.Framed-Compression'), + self::FramedAppleTalkZone => lang('FreeRadius.attribute.Framed-AppleTalk-Zone'), + self::FramedAppleTalkNetwork => lang('FreeRadius.attribute.Framed-AppleTalk-Network'), + self::FramedAppleTalkLink => lang('FreeRadius.attribute.Framed-AppleTalk-Link'), + self::FilterId => lang('FreeRadius.attribute.Filter-Id'), + self::FilterID => lang('FreeRadius.attribute.Filter-ID'), + self::ExtendedVendorSpecific6 => lang('FreeRadius.attribute.Extended-Vendor-Specific6'), + 
self::ExtendedVendorSpecific5 => lang('FreeRadius.attribute.Extended-Vendor-Specific5'), + self::ExtendedVendorSpecific4 => lang('FreeRadius.attribute.Extended-Vendor-Specific4'), + self::ExtendedVendorSpecific3 => lang('FreeRadius.attribute.Extended-Vendor-Specific3'), + self::ExtendedVendorSpecific2 => lang('FreeRadius.attribute.Extended-Vendor-Specific2'), + self::ExtendedVendorSpecific1 => lang('FreeRadius.attribute.Extended-Vendor-Specific1'), + self::ExtendedType4 => lang('FreeRadius.attribute.Extended-Type4'), + self::ExtendedType3 => lang('FreeRadius.attribute.Extended-Type3'), + self::ExtendedType2 => lang('FreeRadius.attribute.Extended-Type2'), + self::ExtendedType1 => lang('FreeRadius.attribute.Extended-Type1'), + self::EventTimestamp => lang('FreeRadius.attribute.Event-Timestamp'), + self::ErrorCause => lang('FreeRadius.attribute.Error-Cause'), + self::EAPMessage => lang('FreeRadius.attribute.EAP-Message'), + self::DelegatedIPv6PrefixPool => lang('FreeRadius.attribute.Delegated-IPv6-Prefix-Pool'), + self::DSLiteTunnelName => lang('FreeRadius.attribute.DSLite-Tunnel-Name'), + self::DNSServerIPv6Address => lang('FreeRadius.attribute.DNSServer-IPv6-Address'), + self::ConnectInfo => lang('FreeRadius.attribute.Connect-Info'), + self::ConfigurationToken => lang('FreeRadius.attribute.Configuration-Token'), + self::class => lang('FreeRadius.attribute.Class'), + self::ChargeableUserIdentity => lang('FreeRadius.attribute.Chargeable-User-Identity'), + self::CallingStationId => lang('FreeRadius.attribute.Calling-Station-Id'), + self::CalledStationId => lang('FreeRadius.attribute.Called-Station-Id'), + self::CallbackNumber => lang('FreeRadius.attribute.Callback-Number'), + self::CallbackId => lang('FreeRadius.attribute.Callback-Id'), + self::CHAPPassword => lang('FreeRadius.attribute.CHAP-Password'), + self::CHAPChallenge => lang('FreeRadius.attribute.CHAP-Challenge'), + self::AcctDelayTime => lang('FreeRadius.attribute.Acct-Delay-Time'), + self::AccountingResponse 
=> lang('FreeRadius.attribute.Accounting-Response'), + self::AccountingRequest => lang('FreeRadius.attribute.Accounting-Request'), + self::AccessRequest => lang('FreeRadius.attribute.Access-Request'), + self::AccessReject => lang('FreeRadius.attribute.Access-Reject'), + self::AccessChallenge => lang('FreeRadius.attribute.Access-Challenge'), + self::AccessAccept => lang('FreeRadius.attribute.Access-Accept'), + self::ARAPZoneAccess => lang('FreeRadius.attribute.ARAP-Zone-Access'), + self::ARAPSecurityData => lang('FreeRadius.attribute.ARAP-Security-Data'), + self::ARAPSecurity => lang('FreeRadius.attribute.ARAP-Security'), + self::ARAPPassword => lang('FreeRadius.attribute.ARAP-Password'), + self::ARAPFeatures => lang('FreeRadius.attribute.ARAP-Features'), + self::ARAPChallengeResponse => lang('FreeRadius.attribute.ARAP-Challenge-Response'), + self::AcctSessionId => lang('FreeRadius.attribute.Acct-Session-Id'), + self::AcctUniqueId => lang('FreeRadius.attribute.Acct-Unique-Id'), + self::NasPortId => lang('FreeRadius.attribute.Nas-Port-Id'), + self::NasPortType => lang('FreeRadius.attribute.Nas-Port-Type'), + self::AcctStartTime => lang('FreeRadius.attribute.Acct-Start-Time'), + self::AcctUpdateTime => lang('FreeRadius.attribute.Acct-Update-Time'), + self::AcctStopTime => lang('FreeRadius.attribute.Acct-Stop-Time'), + self::AcctInterval => lang('FreeRadius.attribute.Acct-Interval'), + self::AcctSessionTime => lang('FreeRadius.attribute.Acct-Session-Time'), + self::AcctAuthentic => lang('FreeRadius.attribute.Acct-Authentic'), + self::AcctInputOctets => lang('FreeRadius.attribute.Acct-Input-Octets'), + self::AcctOutputOctets => lang('FreeRadius.attribute.Acct-Output-Octets'), + self::AcctTerminateCause => lang('FreeRadius.attribute.Acct-Terminate-Cause'), }; } 
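Review bot: The arm `self::MSCHAPMPPEKeys => …` refers to a case this patch declares as `MSHAPMPPEKeys` in the case list further down, so once the match reaches that arm it would raise an undefined-constant Error for every case listed after it; one of the two spellings has to change, presumably the declaration to `case MSCHAPMPPEKeys = 'MS-CHAP-MPPE-Keys';`. `self::class => lang('FreeRadius.attribute.Class')` compares against the class-name string, not an enum case, so it can never match. The arms for `MSAcctAuthType`, `MSARAPPasswordChangeReason`, `MSARAPChallenge` and the whole trailing `Acct*`/`NasPort*` block repeat earlier arms; match takes the first hit, so the later `FreeRadius.attribute.*` lookups are dead code and should be removed. The `CiscoServiceInfo` arm is dropped without a replacement, which would end in an UnhandledMatchError if that case still exists outside this hunk.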
@@ -93,19 +245,304 @@ public static function getFramedMtuMax(): int { return 65535; } + case UserPassword = 'User-Password'; + + case UserName = 'User-Name'; + + case TunnelType = 'Tunnel-Type'; + + case TunnelReject = 'Tunnel-Reject'; + + case TunnelStop = 'Tunnel-Stop'; + + case TunnelStart = 'Tunnel-Start'; + + case TunnelServerEndpoint = 'Tunnel-Server-Endpoint'; + + case TunnelServerAuthID = 'Tunnel-Server-Auth-ID'; + + case TunnelPrivateGroupID = 'Tunnel-Private-Group-ID'; + + case TunnelPreference = 'Tunnel-Preference'; + + case TunnelPassword = 'Tunnel-Password'; + + case TunnelMediumType = 'Tunnel-Medium-Type'; + + case TunnelLinkStop = 'Tunnel-Link-Stop'; + + case TunnelLinkStart = 'Tunnel-Link-Start'; + + case TunnelLinkReject = 'Tunnel-Link-Reject'; + + case TunnelClientEndpoint = 'Tunnel-Client-Endpoint'; + + case TunnelClientAuthID = 'Tunnel-Client-Auth-ID'; + + case TunnelAssignmentID = 'Tunnel-Assignment-ID'; + + case TerminationAction = 'Termination-Action'; + + case StatefulIPv6AddressPool = 'Stateful-IPv6-Address-Pool'; + + case State = 'State'; + + case SessionTimeout = 'Session-Timeout'; + + case ServiceSelection = 'Service-Selection'; + + case RouteIPv6Information = 'Route-IPv6-Information'; + + case ReplyMessage = 'Reply-Message'; + + case ProxyState = 'Proxy-State'; + + case PortLimit = 'Port-Limit'; + + case PasswordRetry = 'Password-Retry'; + + case PKMSSCert = 'PKM-SS-Cert'; + + case PKMSAID = 'PKM-SAID'; + + case PKMSADescriptor = 'PKM-SA-Descriptor'; + + case PKMCryptosuiteList = 'PKM-Cryptosuite-List'; + + case PKMConfigSettings = 'PKM-Config-Settings'; + + case PKMCACert = 'PKM-CA-Cert'; + + case PKMAUTHKey = 'PKM-AUTH-Key'; + + case NASPort = 'NAS-Port'; + + case NASIdentifier = 'NAS-Identifier'; + + case NASIPv6Address = 'NAS-IPv6-Address'; + + case MobileNodeIdentifier = 'Mobile-Node-Identifier'; + + case MSCHAPDomain = 'MS-CHAP-Domain'; + + case MSCHAPChallenge = 'MS-CHAP-Challenge'; + + case MSCHAPCPW2 = 'MS-CHAP-CPW-2'; + + case 
MSCHAPCPW1 = 'MS-CHAP-CPW-1'; + + case MSBAPUsage = 'MS-BAP-Usage'; + + case MSCHAPError = 'MS-CHAP-Error'; + + case MSCHAPLMEncPW = 'MS-CHAP-LM-Enc-PW'; + + case MSAcctEAPType = 'MS-Acct-EAP-Type'; + + case MSHAPMPPEKeys = 'MS-CHAP-MPPE-Keys'; + + case MSCHAPNTEncPW = 'MS-CHAP-NT-Enc-PW'; + + case MSCHAPResponse = 'MS-CHAP-Response'; + + case MSCHAP2CPW = 'MS-CHAP2-CPW'; + + case MSCHAP2Response = 'MS-CHAP2-Response'; + + case MSAcctAuthType = 'MS-Acct-Auth-Type'; + + case MSCHAP2Success = 'MS-CHAP2-Success'; + + case MSFilter = 'MS-Filter'; + + case MSMPPEEncryptionPolicy = 'MS-MPPE-Encryption-Policy'; + + case MSMPPEEncryptionTypes = 'MS-MPPE-Encryption-Types'; + + case MSMPPERecvKey = 'MS-MPPE-Recv-Key'; + + case MSMPPESendKey = 'MS-MPPE-Send-Key'; + + case MSNewARAPPassword = 'MS-New-ARAP-Password'; + + case MSOldARAPPassword = 'MS-Old-ARAP-Password'; + + case MSPrimaryDNSServer = 'MS-Primary-DNS-Server'; + + case MSPrimaryNBNSServer = 'MS-Primary-NBNS-Server'; + + case MSRASVendor = 'MS-RAS-Vendor'; + + case MSRASVersion = 'MS-RAS-Version'; + + case MSSecondaryDNSServer = 'MS-Secondary-DNS-Server'; + + case MSSecondaryNBNSServer = 'MS-Secondary-NBNS-Server'; + + case MSLinkDropTimeLimit = 'MS-Link-Drop-Time-Limit'; + + case MSLinkUtilizationThreshold = 'MS-Link-Utilization-Threshold'; + + case MSARAPPasswordChangeReason = 'MS-ARAP-Password-Change-Reason'; + + case MSARAPChallenge = 'MS-ARAP-Challenge'; + + case LongExtendedType2 = 'Long-Extended-Type-2'; + + case LongExtendedType1 = 'Long-Extended-Type-1'; + + case LoginTCPPort = 'Login-TCP-Port'; + + case LoginService = 'Login-Service'; + + case LoginLATService = 'Login-LAT-Service'; + + case LoginLATPort = 'Login-LAT-Port'; + + case LoginLATNode = 'Login-LAT-Node'; + + case LoginLATGroup = 'Login-LAT-Group'; + + case LoginIPv6Host = 'Login-IPv6-Host'; + + case LoginIPHost = 'Login-IP-Host'; + + case IdleTimeout = 'Idle-Timeout'; + + case FramedRouting = 'Framed-Routing'; + + case FramedRoute = 
'Framed-Route'; + + case FramedPool = 'Framed-Pool'; + + case FramedManagementProtocol = 'Framed-Management-Protocol'; + + case FramedInterfaceId = 'Framed-Interface-Id'; + + case FramedIPv6Route = 'Framed-IPv6-Route'; + + case FramedIPv6Prefix = 'Framed-IPv6-Prefix'; + + case FramedIPv6Pool = 'Framed-IPv6-Pool'; + + case FramedIPv6Address = 'Framed-IPv6-Address'; + + case FramedIPXNetwork = 'Framed-IPX-Network'; + + case FramedCompression = 'Framed-Compression'; + + case FramedAppleTalkZone = 'Framed-AppleTalk-Zone'; + + case FramedAppleTalkNetwork = 'Framed-AppleTalk-Network'; + + case FramedAppleTalkLink = 'Framed-AppleTalk-Link'; + + case FilterId = 'Filter-Id'; + + case FilterID = 'Filter-ID'; + + case ExtendedVendorSpecific6 = 'Extended-Vendor-Specific-6'; + + case ExtendedVendorSpecific5 = 'Extended-Vendor-Specific-5'; + + case ExtendedVendorSpecific4 = 'Extended-Vendor-Specific-4'; + + case ExtendedVendorSpecific3 = 'Extended-Vendor-Specific-3'; + + case ExtendedVendorSpecific2 = 'Extended-Vendor-Specific-2'; + + case ExtendedVendorSpecific1 = 'Extended-Vendor-Specific-1'; + + case ExtendedType4 = 'Extended-Type-4'; + + case ExtendedType3 = 'Extended-Type-3'; + + case ExtendedType2 = 'Extended-Type-2'; + + case ExtendedType1 = 'Extended-Type-1'; + + case EventTimestamp = 'Event-Timestamp'; + + case ErrorCause = 'Error-Cause'; + + case EAPMessage = 'EAP-Message'; + + case DelegatedIPv6PrefixPool = 'Delegated-IPv6-Prefix-Pool'; + + case DSLiteTunnelName = 'DS-Lite-Tunnel-Name'; + + case DNSServerIPv6Address = 'DNS-Server-IPv6-Address'; + + case ConnectInfo = 'Connect-Info'; + + case ConfigurationToken = 'Configuration-Token'; + + case Class = 'Class'; + + case ChargeableUserIdentity = 'Chargeable-User-Identity'; + + case CallingStationId = 'Calling-Station-Id'; + + case CalledStationId = 'Called-Station-Id'; + + case CallbackNumber = 'Callback-Number'; + + case CallbackId = 'Callback-Id'; + + case CHAPPassword = 'CHAP-Password'; + + case CHAPChallenge = 
'CHAP-Challenge'; + + case AcctDelayTime = 'Acct-Delay-Time'; + + case AccountingResponse = 'Accounting-Response'; + + case AccountingRequest = 'Accounting-Request'; + + case AccessRequest = 'Access-Request'; + + case AccessReject = 'Access-Reject'; + + case AccessChallenge = 'Access-Challenge'; + + case AccessAccept = 'Access-Accept'; + + case ARAPZoneAccess = 'ARAP-Zone-Access'; + + case ARAPSecurityData = 'ARAP-Security-Data'; + + case ARAPSecurity = 'ARAP-Security'; + + case ARAPPassword = 'ARAP-Password'; + + case ARAPFeatures = 'ARAP-Features'; + + case ARAPChallengeResponse = 'ARAP-Challenge-Response'; + + case AcctSessionId = 'Acct-Session-Id'; + + case AcctUniqueId = 'Acct-Unique-Id'; + + case NasPortId = 'NAS-Port-Id'; + + case NasPortType = 'NAS-Port-Type'; + + case AcctStartTime = 'Acct-Start-Time'; + + case AcctUpdateTime = 'Acct-Update-Time'; + + case AcctStopTime = 'Acct-Stop-Time'; + + case AcctInterval = 'Acct-Interval'; + + case AcctSessionTime = 'Acct-Session-Time'; + + case AcctAuthentic = 'Acct-Authentic'; + + case AcctInputOctets = 'Acct-Input-Octets'; + + case AcctOutputOctets = 'Acct-Output-Octets'; - case AcctSessionId = 'Acct-Session-Id'; - case AcctUniqueId = 'Acct-Unique-Id'; - case NasPortId = 'NAS-Port-Id'; - case NasPortType = 'NAS-Port-Type'; - case AcctStartTime = 'Acct-Start-Time'; - case AcctUpdateTime = 'Acct-Update-Time'; - case AcctStopTime = 'Acct-Stop-Time'; - case AcctInterval = 'Acct-Interval'; - case AcctSessionTime = 'Acct-Session-Time'; - case AcctAuthentic = 'Acct-Authentic'; - case AcctInputOctets = 'Acct-Input-Octets'; - case AcctOutputOctets = 'Acct-Output-Octets'; case AcctTerminateCause = 'Acct-Terminate-Cause'; /** 
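Review bot: `case Class = 'Class';` uses a name PHP reserves (case-insensitively) for class-name fetching, so `Attribute::Class` cannot be referenced as a case and the declaration may be rejected outright; a name such as `case ClassAttribute = 'Class';` avoids the clash. `case FilterId = 'Filter-Id';` and `case FilterID = 'Filter-ID';` differ only in letter case and look like the same attribute entered twice, so one of them should probably go. If getDropdownValues() is built from the full case list (its body is outside this hunk), secret-carrying attributes such as `User-Password`, `Tunnel-Password` and `MS-MPPE-Send-Key` become selectable in the UI as well; confirm that is intended. The enum itself starts and ends outside the hunk.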
@@ -181,7 +618,7 @@ public static function getFramedMtuMax(): int /** * NAS-IP-Address indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret. - * More information: + * More information: https://www.gnu.org/software/radius/manual/html_node/NAS_002dIP_002dAddress.html */ case NasIpAddress = 'NAS-IP-Address'; } diff --git a/src/Language/en/FreeRadius.php b/src/Language/en/FreeRadius.php index f4039d5..693479e 100644 --- a/src/Language/en/FreeRadius.php +++ b/src/Language/en/FreeRadius.php 
@@ -6,40 +6,189 @@ 'accessReject' => 'Access-Reject', ], 'attributeDescription' => [ - 'nasIpAddress' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.', - 'nasPortType' => 'TODO', - 'nasPortId' => 'TODO', - 'cleartextPassword' => 'TODO', - 'fallThrough' => 'The Fall-Through attribute should be used in the reply list. If its value is set to Yes in a particular record, that tells Radius to continue looking up other records even when the record at hand matches the request. It can be used to provide default values for several profiles.', - 'simultaneousUse' => 'This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any further attempts to log in are rejected. ', - 'serviceType' => 'This attribute indicates the type of service the user has requested, or the type of service to be provided. It may be used in both Access-Request and Access-Accept packets. When used in an Access-Request the service type represents a hint to the Radius server that the NAS has reason to believe the user would prefer the kind of service indicated. When used in an Access-Accept, the service type is an indication to the NAS that the user must be provided this type of service. ', - 'framedIPAddress' => 'This attribute indicates the address to be configured for the user. It may be used in Access-Accept packets. 
It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint. The value 0xFFFFFFFF (255.255.255.255) indicates that the NAS should allow the user to select an address. The value 0xFFFFFFFE (255.255.255.254) indicates that the NAS should select an address for the user (e.g. assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user\'s IP. ', - 'framedIPNetmask' => 'This attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It may be used in Access-Accept packets. It may be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.', - 'framedProtocol' => 'This attribute indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. ', - 'framedMTU' => 'This attribute indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It is only used in Access-Accept packets.', - 'ciscoAVPair' => 'Cisco-AVPair allows Vendor-Specific information to be carried in RADIUS packets.', - 'ciscoNASPort' => 'Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command). Each 16-bit number should be viewed as a 5-digit decimal integer.', - 'ciscoFramedRoute' => 'Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the device field is omitted or 0, the peer IP address is used. Metrics are currently ignored. 
This attribute is access-request packets.', - 'ciscoServiceInfo' => 'Cisco-Service-Info provides information about the service parameters for Cisco devices.', - 'acctUniqueId' => 'TODO', - 'acctInterval' => 'TODO', - 'acctStopTime' => 'TODO', - 'acctUpdateTime' => 'TODO', - 'acctStartTime' => 'TODO', - 'acctAuthentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.', - 'acctInputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'acctInputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'acctInterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.', - 'acctLinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.', - 'acctMultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. 
It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.', - 'acctOutputGigawords' => 'TODO', - 'acctOutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'acctOutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'acctSessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.', - 'acctSessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'acctStatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). 
It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.', - 'acctTerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'acctTunnelConnection' => 'TODO', - 'acctTunnelPacketsLost' => 'TODO', + 'NAS-Ip-Address' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.', + 'cleartextPassword' => 'Specifies the user’s password in clear text. This attribute is typically used during authentication processes to verify the user’s identity.', + 'fallThrough' => 'The Fall-Through attribute should be used in the reply list. If its value is set to Yes in a particular record, that tells Radius to continue looking up other records even when the record at hand matches the request. It can be used to provide default values for several profiles.', + 'simultaneousUse' => 'This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. When the user is logged in this number of times, any further attempts to log in are rejected. ', + 'ciscoAVPair' => 'Cisco-AVPair allows Vendor-Specific information to be carried in RADIUS packets.', + 'ciscoNASPort' => 'Indicates the physical port number of the network access server that is authenticating the user. 
The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command). Each 16-bit number should be viewed as a 5-digit decimal integer.',
+ 'ciscoFramedRoute' => 'Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the device field is omitted or 0, the peer IP address is used. Metrics are currently ignored. This attribute is access-request packets.',
+ 'ciscoServiceInfo' => 'Cisco-Service-Info provides information about the service parameters for Cisco devices.',
+
+ 'Acct-DelayTime' => 'This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)',
+ 'Acct-InputGigawords' => 'This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.',
+ 'Acct-Authentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. 
Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.',
+ 'Acct-InputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+ 'Acct-InputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+ 'Acct-InterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.',
+ 'Acct-LinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.',
+ 'Acct-MultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. 
It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.',
+ 'Acct-OutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+ 'Acct-OutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+ 'Acct-SessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.',
+ 'Acct-SessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+ 'Acct-StatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.',
+ 'Acct-TerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.',
+ 'Acct-TunnelConnection' => 'This Attribute indicates the identifier assigned to the tunnel session. 
It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Start, Stop or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel- Server-Endpoint attributes [3], may be used to provide a means to uniquely identify a tunnel session for auditing purposes.',
+
+ 'ARAP-Challenge-Response' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and contains the response to the dial-in client\'s challenge.',
+ 'ARAP-Features' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and includes password information that the NAS should sent to the user in an ARAP "feature flags" packet.',
+ 'ARAP-Password' => ' This attribute is only present in an Access-Request packet containing a Framed-Protocol of ARAP. Only one of User-Password, CHAP-Password, or ARAP-Password needs to be present in an Access-Request',
+ 'ARAP-Security' => 'This attribute identifies the ARAP Security Module to be used in an Access-Challenge packet.',
+ 'ARAP-Security-Data' => 'This attribute contains the actual security module challenge or response, and can be found in Access-Challenge and Access-Request packets.',
+ 'ARAP-Zone-Access' => 'This attribute is included in an Access-Accept packet with Framed-Protocol of ARAP to indicate how the ARAP zone list for the user should be used.',
+
+ 'Access-Accept' => 'Access-Accept packets are sent by the RADIUS server, and provide specific configuration information necessary to begin delivery of service to the user. 
If all Attribute values received in an Access-Request are acceptable then the RADIUS implementation MUST transmit a packet with the Code field set to 2 (Access-Accept).',
+ 'Access-Challenge' => 'If the RADIUS server desires to send the user a challenge requiring a response, then the RADIUS server MUST respond to the Access-Request by transmitting a packet with the Code field set to 11 (Access-Challenge).',
+ 'Access-Reject' => 'If any value of the received Attributes is not acceptable, then the RADIUS server MUST transmit a packet with the Code field set to 3 (Access-Reject). It MAY include one or more Reply-Message Attributes with a text message which the NAS MAY display to the user.',
+ 'Access-Request' => 'Access-Request packets are sent to a RADIUS server, and convey information used to determine whether a user is allowed access to a specific NAS, and any special services requested for that user. An implementation wishing to authenticate a user MUST transmit a RADIUS packet with the Code field set to 1 (Access-Request).',
+ 'Accounting-Request' => 'Accounting-Request packets are sent from a client (typically a Network Access Server or its proxy) to a RADIUS accounting server, and convey information used to provide accounting for a service provided to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request)',
+ 'Accounting-Response' => ' Accounting-Response packets are sent by the RADIUS accountingserver to the client to acknowledge that the Accounting-Requesthas been received and recorded successfully. If the Accounting-Request was recorded successfully then the RADIUS accountingserver MUST transmit a packet with the Code field set to 5(Accounting-Response). On reception of an Accounting-Response bythe client, the Identifier field is matched with a pendingAccounting-Request. The Response Authenticator field MUST containthe correct response for the pending Accounting-Request. 
Invalidpackets are silently discarded',
+ 'CHAP-Challenge' => 'This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets. If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute.',
+ 'CHAP-Password' => 'This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets. The CHAP challenge value is found in the CHAP-Challenge Attribute (60) if present in the packet, otherwise in the Request Authenticator field.',
+ 'Callback-Id' => 'This Attribute indicates the name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets.',
+ 'Callback-Number' => 'This Attribute indicates a dialing string to be used for callback. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.',
+ 'Called-Station-Id' => 'This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.',
+ 'Calling-Station-Id' => 'This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.',
+ 'Chargeable-User-Identity' => 'The Chargeable-User-Identity attribute, or CUI, (Type value 89) is a unique, temporary handle used as means to, for example, correlate authentication, accounting, and bill post-processing for a particular chargeable subscriber. 
The CUI format and use follows guidelines defined by [RFC4372]. In the scope of this document, the CUI attribute MAY be present in the Access-Request. The CUI MAY also be present in the Access- Accept. The CUI MUST be present in the Access-Accept if it was present in the Access-Request. If the use of the Chargeable-User- Identity attribute is supported, then the MAG and/or the LMA commits to include the Chargeable-User-Identity attribute in all subsequent RADIUS Accounting packets they send for the given user.',
+ 'Class' => 'This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.',
+ 'Configuration-Token' => 'This attribute is for use in large distributed authentication networks based on proxy. It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept to indicate a type of user profile to be used. It should not be sent to a NAS.',
+ 'Connect-Info' => 'This attribute is sent from the NAS to indicate the nature of the user\'s connection. The NAS MAY send this attribute in an Access-Request or Accounting-Request to indicate the nature of the user\'s connection.',
+ 'DNS-Server-IPv6-Address' => 'The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a DNS server. This Attribute MAY be included multiple times in Access- Accept packets when the intention is for a NAS to announce more than one DNS server address to an RG/host. The Attribute MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the DNS IPv6 address, but the RADIUS server is not required to honor the hint. The content of this Attribute can be copied to an instance of the DHCPv6 DNS Recursive Name Server Option [RFC3646] or to an IPv6 Router Advertisement Recursive DNS Server Option [RFC6106]. 
If more than one DNS-Server-IPv6-Address Attribute is present in the Access- Accept packet, the addresses from the Attributes SHOULD be copied in the same order as received.',
+ 'DS-Lite-Tunnel-Name' => 'The DS-Lite-Tunnel-Name RADIUS attribute contains an FQDN that refers to the AFTR to which the client is requested to establish a connection. The NAS SHALL use the name returned in the RADIUS DS-Lite-Tunnel-Name attribute to populate the DHCPv6 OPTION_AFTR_NAME option [RFC6334]. This attribute MAY be used in Access-Request packets as a hint to the RADIUS server; for example, if the NAS is pre-configured with a default tunnel name, this name MAY be inserted in the attribute. The RADIUS server MAY ignore the hint sent by the NAS, and it MAY assign a different AFTR tunnel name.',
+ 'Delegated-IPv6-Prefix-Pool' => 'The Delegated-IPv6-Prefix-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 delegated prefix for the user on the NAS. If a NAS does not support prefix pools, the NAS MUST ignore this Attribute. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.',
+ 'EAP-Message' => 'This attribute encapsulates Extended Access Protocol [3] packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol. The NAS places any EAP messages received from the user into one or more EAP attributes and forwards them to the RADIUS Server as part of the Access-Request, which can return EAP messages in Access- Challenge, Access-Accept and Access-Reject packets.',
+ 'Error-Cause' => 'It is possible that a Dynamic Authorization Server cannot honor Disconnect-Request or CoA-Request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. 
It MAY be included within CoA-NAK and Disconnect-NAK packets.',
+ 'Event-Timestamp' => 'This attribute is included in an Accounting-Request packet to record the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC.',
+ 'Extended-Type-1' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 241.{1-255}.',
+ 'Extended-Type-2' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 242.{1-255}.',
+ 'Extended-Type-3' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 243.{1-255}',
+ 'Extended-Type-4' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 244.{1-255}',
+ 'Extended-Vendor-Specific-1' => 'This attribute defines a RADIUS Type Code of 241.26, using the "evs" data type.',
+ 'Extended-Vendor-Specific-2' => 'This attribute defines a RADIUS Type Code of 242.26, using the "evs" data type.',
+ 'Extended-Vendor-Specific-3' => 'This attribute defines a RADIUS Type Code of 243.26, using the "evs" data type.',
+ 'Extended-Vendor-Specific-4' => 'This attribute defines a RADIUS Type Code of 244.26, using the "evs" data type.',
+ 'Extended-Vendor-Specific-5' => 'This attribute defines a RADIUS Type Code of 245.26, using the "evs" data type.',
+ 'Extended-Vendor-Specific-6' => 'This attribute defines a RADIUS Type Code of 246.26, using the "evs" data type.',
+ 'Filter-ID' => 'This attribute indicates the name of the filter list to be applied to the Supplicant\'s session. For use with an IEEE 802.1X Authenticator, it may be used to indicate either layer 2 or layer 3 filters. 
Layer 3 filters are typically only supported on IEEE 802.1X Authenticators that act as layer 3 devices.',
+ 'Framed-MTU' => 'This attribute indicates the maximum size of an IP packet that may be transmitted over the wire between the Supplicant and the Authenticator. IEEE 802.1X Authenticators set this to the value corresponding to the relevant 802 medium, and include it in the RADIUS Access-Request. The RADIUS server may send an EAP packet as large as Framed-MTU minus four (4) octets, taking into account the additional overhead for the IEEE 802.1X Version (1), Type (1) and Body Length (2) fields. For EAP over IEEE 802 media, the Framed-MTU values.',
+ 'Filter-Id' => 'This Attribute indicates the name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.',
+
+ 'Framed-AppleTalk-Link' => 'This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. It is never used when the user is not another router.',
+ 'Framed-AppleTalk-Network' => 'This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified.',
+ 'Framed-AppleTalk-Zone' => 'This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed.',
+ 'Framed-Compression' => 'This Attribute indicates a compression protocol to be used for the link. It MAY be used in Access-Accept packets. 
It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.',
+ 'Framed-IP-Address' => 'This Attribute indicates the address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.',
+ 'Framed-IP-Netmask' => 'This Attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.',
+ 'Framed-IPX-Network' => 'This Attribute indicates the IPX Network number to be configured for the user. It is used in Access-Accept packets.',
+ 'Framed-IPv6-Address' => 'The Framed-IPv6-Address Attribute indicates an IPv6 address that is assigned to the NAS-facing interface of the RG/host. It MAY be used in Access-Accept packets and MAY appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server that it would prefer this IPv6 address, but the RADIUS server is not required to honor the hint. Because it is assumed that the',
+ 'Framed-IPv6-Pool' => 'This Attribute contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute.',
+ 'Framed-IPv6-Prefix' => 'This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint. 
Since it is assumed that the NAS will plumb a route corresponding to the prefix, it is not necessary for the server to also send a Framed-IPv6-Route attribute for the same prefix.',
+ 'Framed-IPv6-Route' => 'This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.',
+ 'Framed-Interface-Id' => 'This Attribute indicates the IPv6 interface identifier to be configured for the user. It MAY be used in Access-Accept packets. If the Interface-Identifier IPv6CP option [11] has been successfully negotiated, this Attribute MUST be included in an Access-Request packet as a hint by the NAS to the server that it would prefer that value. It is recommended, but not required, that the server honor the hint.',
+ 'Framed-Management-Protocol' => 'The Framed-Management-Protocol (133) Attribute indicates the application-layer management protocol to be used for Framed Management access. It MAY be used in both Access-Request and Access- Accept packets. This attribute is used in conjunction with a Service-Type (6) Attribute with the value of Framed-Management (18)',
+ 'Framed-Pool' => 'This Attribute contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS should ignore this Attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.',
+ 'Framed-Protocol' => 'This Attribute indicates the framing to be used for framed access. It MAY be used in both Access-Request and Access-Accept packets.',
+ 'Framed-Route' => 'This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.',
+ 'Framed-Routing' => 'This Attribute indicates the routing method for the user, when the user is a router to a network. 
It is only used in Access-Accept packets.',
+
+ 'Idle-Timeout' => 'This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.',
+ 'Login-IP-Host' => 'This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.',
+ 'Login-IPv6-Host' => 'This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access- Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.',
+ 'Login-LAT-Group' => 'This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access- Accept packets, but only when LAT is specified as the Login- Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'Login-LAT-Node' => 'This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'Login-LAT-Port' => 'This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. 
It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'Login-LAT-Service' => 'This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'Login-Service' => 'This Attribute indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets.',
+ 'Login-TCP-Port' => 'This Attribute indicates the TCP port with which the user is to be connected, when the Login-Service Attribute is also present. It is only used in Access-Accept packets.',
+
+ 'Long-Extended-Type-1' => 'This attribute encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space of 245.{1-255}.',
+ 'Long-Extended-Type-2' => 'This attribute encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space of 246.{1-255}.',
+
+ 'MS-ARAP-Challenge' => 'This attribute is only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP).',
+ 'MS-ARAP-Password-Change-Reason' => 'The MS-ARAP-Password-Change-Reason Attribute is used to indicate reason for a server-initiated password change. It MAY be included in Access-Challenge packets.',
+ 'MS-Acct-Auth-Type' => 'The MS-Acct-Auth-Type Attribute is used to represent the method used to authenticate the dial-up user. It MAY be included in Accounting-Request packets.',
+ 'MS-Acct-EAP-Type' => 'The MS-Acct-EAP-Type Attribute is used to represent the Extensible Authentication Protocol (EAP) [15] type used to authenticate the dial-up user. It MAY be included in Accounting-Request packets.',
+ 'MS-BAP-Usage' => 'This Attribute describes whether the use of BAP is allowed, disallowed or required on new multilink calls. 
It MAY be used in Access-Accept packets.',
+ 'MS-CHAP-CPW-1' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is less than 2.',
+ 'MS-CHAP-CPW-2' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is equal to 2.',
+ 'MS-CHAP-Challenge' => 'This Attribute contains the challenge sent by a NAS to a Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user. It MAY be used in both Access-Request and Access-Challenge packets.',
+ 'MS-CHAP-Domain' => 'The MS-CHAP-Domain Attribute indicates the Windows NT domain in which the user was authenticated. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MS-CHAP-Error' => 'The MS-CHAP-Error Attribute contains error data related to the preceding MS-CHAP exchange. This Attribute may be used in both MS-CHAP-V1 and MS-CHAP-V2 (see below) exchanges. It is only used in Access-Reject packets.',
+ 'MS-CHAP-LM-Enc-PW' => 'This Attribute contains the new Windows NT password encrypted with the old LAN Manager password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum lengtth of a RADIUS attribute, the password must be split into several attibutes for transmission. 
A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.',
+ 'MS-CHAP-MPPE-Keys' => 'The MS-CHAP-MPPE-Keys Attribute contains two session keys for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). This Attribute is only included in Access-Accept packets.',
+ 'MS-CHAP-NT-Enc-PW' => 'This Attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum lengtth of a RADIUS attribute, the password must be split into several attibutes for transmission. A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.',
+ 'MS-CHAP-Response' => 'This Attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. It is only used in Access- Request packets.',
+ 'MS-CHAP2-CPW' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in conjunction with the MS- CHAP-NT-Enc-PW attribute in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is equal to 3.',
+ 'MS-CHAP2-Response' => 'This Attribute contains the response value provided by an MS- CHAP-V2 peer in response to the challenge. It is only used in Access-Request packets.',
+ 'MS-CHAP2-Success' => 'This Attribute contains a 42-octet authenticator response string. This string MUST be included in the Message field of the MS-CHAP- V2 Success packet sent from the NAS to the peer. This Attribute is only used in Access-Accept packets.',
+ 'MS-Filter' => 'The MS-Filter Attribute is used to transmit traffic filters. 
It MAY be included in both Access-Accept and Accounting-Request packets. If multiple MS-Filter Attributes are contained within a packet, they MUST be in order and they MUST be consecutive attributes in the packet.',
+ 'MS-Link-Drop-Time-Limit' => 'The MS-Link-Drop-Time-Limit Attribute indicates the length of time (in seconds) that a link must be underutilized before it is dropped. It MAY only be included in Access-Accept packets.',
+ 'MS-Link-Utilization-Threshold' => 'This Attribute represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. Permissible values for the MS-Link- Utilization-Threshold Attribute are in the range 1-100, inclusive. It is only used in Access-Accept packets.',
+ 'MS-MPPE-Encryption-Policy' => 'The MS-MPPE-Encryption-Policy Attribute may be used to signify whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types Attribute MAY be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types Attribute MAY be used, but at least one MUST be used.',
+ 'MS-MPPE-Encryption-Types' => 'The MS-MPPE-Encryption-Types Attribute is used to signify the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits.',
+ 'MS-MPPE-Recv-Key' => 'The MS-MPPE-Recv-Key Attribute contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). As the name implies, this key is intended for encrypting packets received by the NAS from the remote host. This Attribute is only included in Access-Accept packets.',
+ 'MS-MPPE-Send-Key' => 'The MS-MPPE-Send-Key Attribute contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). 
As the name implies, this key is intended for encrypting packets sent from the NAS to the remote host. This Attribute is only included in Access-Accept packets.',
+ 'MS-New-ARAP-Password' => 'The MS-New-ARAP-Password Attribute is used to transmit the new ARAP password during an ARAP password change operation. It MAY be included in Access-Request packets.',
+ 'MS-Old-ARAP-Password' => 'The MS-Old-ARAP-Password Attribute is used to transmit the old ARAP password during an ARAP password change operation. It MAY be included in Access-Request packets.',
+ 'MS-Primary-DNS-Server' => 'The MS-Primary-DNS-Server Attribute is used to indicate the address of the primary Domain Name Server (DNS) [16, 17] server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MS-Primary-NBNS-Server' => 'The MS-Primary-NBNS-Server Attribute is used to indicate the address of the primary NetBIOS Name Server (NBNS) [18] server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MS-RAS-Vendor' => 'The MS-RAS-Vendor Attribute is used to indicate the manufacturer of the RADIUS client machine. It MAY be included in both Access- Request and Accounting-Request packets.',
+ 'MS-RAS-Version' => 'The MS-RAS-Version Attribute is used to indicate the version of the RADIUS client software. This attribute SHOULD be included in packets containing an MS-RAS-Vendor Attribute; it SHOULD NOT be',
+ 'MS-Secondary-DNS-Server' => 'The MS-Secondary-DNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MS-Secondary-NBNS-Server' => 'The MS-Secondary-NBNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. 
It MAY be included in both Access-Accept and Accounting-Request packets.', + + 'Management-Policy-Id' => 'The Management-Policy-Id (135) Attribute indicates the name of the management access policy for this user. Zero or one Management- Policy-Id (135) Attributes MAY be sent in an Access-Accept packet. Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details.', + 'Management-Privilege-Level' => 'The Management-Privilege-Level (136) Attribute indicates the integer- valued privilege level to be assigned for management access for the authenticated user. Many NASes provide the notion of differentiated management privilege levels denoted by an integer value. The specific access rights conferred by each value are implementation dependent. It MAY be used in both Access-Request and Access-Accept packets.', + 'Management-Transport-Protection' => 'The Management-Transport-Protection (134) Attribute specifies the minimum level of protection that is required for a protected transport used with the Framed or non-Framed Management access session. The protected transport used by the NAS MAY provide a greater level of protection, but MUST NOT provide a lower level of protection.', + 'Message-Authenticator' => 'This attribute MAY be used to sign Access-Requests to prevent spoofing Access-Requests using CHAP, ARAP or EAP authentication methods. It MAY be used in any Access-Request. It MUST be used in any Access-Request, Access-Accept, Access-Reject or Access- Challenge that includes an EAP-Message attribute.', + 'Mobile-Node-Identifier' => 'The Mobile-Node-Identifier attribute (Type value 145) is of type String and contains the mobile node identifier (MN-Identifier), see [RFC5213], in a form of a Network Access Identifier (NAI) [RFC4282]. 
This identifier and the identifier used for access authentication may be different; however, there needs to be a mapping between the two identities as specified in Section 6.6 of [RFC5213]. This attribute is used on the interface between the MAG and the AAA server. The Mobile-Node-Identifier attribute is designed for deployments where the identity used during network access authentication and the identity used for mobility management is decoupled. It may also be the case where the MAG does not have means to find out the MN identity that could be used in subsequent PBU and Proxy Binding Acknowledgement (PBA) exchanges (e.g., due to identity hiding during the network access authentication) or when the HAAA wants to assign periodically changing identities to the MN.', + + 'NAS-IP-Address' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP- Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet.', + 'NAS-IPv6-Address' => 'This Attribute indicates the identifying IPv6 Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS- IPv6-Address is only used in Access-Request packets. NAS-IPv6- Address and/or NAS-IP-Address MAY be present in an Access-Request packet; however, if neither attribute is present then NAS- Identifier MUST be present.', + 'NAS-Identifier' => 'This Attribute contains a string identifying the NAS originating the Access-Request">Access-Request. It is only used in Access-Request">Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. 
The source IP address of the Access-Request packet MUST be used to select the shared secret.', + 'NAS-Port' => 'This Attribute indicates the physical port number of the NAS which is authenticating the user. It is only used in Access-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.', + 'NAS-Port-Id' => 'This Attribute contains a text string which identifies the port of the NAS which is authenticating the user. It is only used in Access-Request and Accounting-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Id SHOULD be present in an Access- Request packet, if the NAS differentiates among its ports. NAS- Port-Id is intended for use by NASes which cannot conveniently number their ports.', + 'NAS-Port-Type' => 'This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.', + + 'PKM-AUTH-Key' => 'The PKM-AUTH-Key Attribute is of type string, 135 octets in length. It consists of 3 fields, described below, which together specify the characteristics of a PKM authorization key. The PKM- AUTH-Key Attribute MAY occur in an Access-Accept message. Any packet that contains an instance of the PKM-AUTH-Key Attribute MUST also contain an instance of the Message-Authenticator Attribute [RFC3579].', + 'PKM-CA-Cert' => 'The PKM-CA-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. 
The Value field is of type string and contains the X.509 certificate [RFC2459] used by the CA to sign the SS certificate carried in the PKM-SS-Cert attribute (Section 3.1) in the same message.', + 'PKM-Config-Settings' => 'The PKM-Config-Settings Attribute is of type string [RFC2865]. It is 30 octets in length and consists of seven independent fields, each of which is conceptually an unsigned integer. Each of the fields contains a timeout value and corresponds to a Type-Length- Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM configuration settings" attribute; for details on the contents of each field, see Section 11.9.19 of [IEEE.802.16-2004]. One instance of the PKM-Config-Settings Attribute MAY be included in the Access-Accept message.', + 'PKM-Cryptosuite-List' => 'The PKM-Cryptosuite-List Attribute is of type string [RFC2865] and is variable length; it corresponds roughly to the "Cryptographic- Suite-List" 802.16 attribute (see Section 11.19.15 of [IEEE.802.16-2004]), the difference being that the RADIUS Attribute contains only the list of 3-octet cryptographic suite identifiers, omitting the IEEE Type and Length fields.', + 'PKM-SA-Descriptor' => 'The PKM-SA-Descriptor Attribute is of type string and is 8 octets in length. It contains three fields, described below, which together specify the characteristics of a PKM security association. One or more instances of the PKM-SA-Descriptor Attribute MAY occur in an Access-Accept message.', + 'PKM-SAID' => 'The PKM-SAID Attribute is of type string [RFC2865]. It is 4 octets in length and contains a PKM Security Association Identifier ([IEEE.802.16-2004], Section 11.9.7). It MAY be included in an Access-Request message.', + 'PKM-SS-Cert' => 'The PKM-SS-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] binding a public key to the identifier of the Subscriber Station. 
The minimum size of an SS certificate exceeds the maximum size of a RADIUS attribute. Therefore, the client MUST encapsulate the certificate in the Value fields of two or more instances of the PKM-SS-Cert Attribute, each (except possibly the last) having a length of 255 octets. These multiple PKM-SS-Cert Attributes MUST appear consecutively and in order within the packet. Upon receipt, the RADIUS server MUST recover the original certificate by concatenating the Value fields of the received PKM-SS-Cert Attributes in order.', + + 'Password-Retry' => 'This attribute MAY be included in an Access-Reject to indicate how many authentication attempts a user may be allowed to attempt before being disconnected. It is primarily intended for use with ARAP authentication.', + 'Port-Limit' => 'This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint.', + 'Proxy-State' => 'This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy- State in the packet) before forwarding the response to the NAS. If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes.', + 'Reply-Message' => 'This Attribute indicates text which MAY be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. 
It MAY indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. Multiple Reply-Message\'s MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.', + 'Route-IPv6-Information' => 'The Route-IPv6-Information Attribute specifies a prefix (and corresponding route) for the user on the NAS, which is to be announced using the Route Information Option defined in "Default Router Preferences and More Specific Routes" [RFC4191], Section 2.3. It is used in the Access-Accept packet and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server, but the RADIUS server is not required to honor the hint. The Route-IPv6-Information Attribute format is depicted below. The format of the prefix is as per [RFC3162].', + 'Service-Selection' => 'The Service-Selection attribute (Type value 146) is of type UTF-8 text and contains the name of the service or the external network with which the mobility service for the particular MN SHOULD be associated [RFC5149]. The identifier MUST be unique within the PMIPv6 Domain when normalized using the selected normalization form [UNF] for the particular PMIPv6 Domain deployment. For instance, [RFC5149] uses the Normalization Form KC (NFKC). The MAG MUST include the Service-Selection attribute in the Access- Request sent to the AAA if the information was acquired, e.g., by operator-specific configuration. The AAA MAY include the Service- Selection attribute in the Access-Accept response message to the MAG even if it was not included in the Access-Request as a means of indicating the MN\'s default service. The Service Selection mobility option defined in [RFC5149] can be used in PBU/PBA messages between the MAG and LMA. 
On the LMA-to-AAA interface, the LMA MAY populate the Service-Selection attribute in the Access-Request message using the service information found in the received PBU, if such a mobility option were included. The Service- Selection identifier should be used to assist the PBU authorization, the assignment of the MN-HNP, and the IPv4-MN-HoA as described in [RFC5149] and [RFC5779].', + 'Service-Type' => 'This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.', + 'Session-Timeout' => 'This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.', + 'State' => 'This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.', + 'Stateful-IPv6-Address-Pool' => 'The Stateful-IPv6-Address-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 address for the user on the NAS. If a NAS does not support address pools, the NAS MUST ignore this Attribute. A summary of the Stateful-IPv6-Address- Pool Attribute format is shown below. It MAY be used in an Access- Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.', + 'Termination-Action' => 'This Attribute indicates what action the NAS should take when the specified service is completed. 
It is only used in Access-Accept packets.', + + 'Tunnel-Assignment-ID' => 'This Attribute is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as PPTP and L2TP, allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to utilize its own dedicated tunnel. This attribute provides a mechanism for RADIUS to be used to inform the tunnel initiator (e.g. PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.', + 'Tunnel-Client-Auth-ID' => 'This Attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. The Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet, and MUST be included in the Access-Accept packet if an authentication name other than the default is desired. This Attribute SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.', + 'Tunnel-Client-Endpoint' => 'This Attribute contains the address of the initiator end of the tunnel. It MAY be included in both Access-Request and Access- Accept packets to indicate the address from which a new tunnel is to be initiated. If the Tunnel-Client-Endpoint Attribute is included in an Access-Request packet, the RADIUS server should take the value as a hint; the server is not obligated to honor the hint, however. This Attribute SHOULD be included in Accounting- Request packets which contain Acct-Status-Type attributes with values of either Start or Stop, in which case it indicates the address from which the tunnel was initiated. 
This Attribute, along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection- ID attributes, may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.', + 'Tunnel-Link-Reject' => 'This value MAY be used to mark the rejection of the establishment of a new link in an existing tunnel. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since in this case the Tunnel-Reject Attribute has the same meaning.', + 'Tunnel-Link-Start' => 'This value MAY be used to mark the creation of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the creation of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Start Attribute will imply the initiation of the (only possible) link.', + 'Tunnel-Link-Stop' => 'This value MAY be used to mark the destruction of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the destruction of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. 
If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Stop Attribute will imply the termination of the (only possible) link.', + 'Tunnel-Medium-Type' => 'The Tunnel-Medium-Type Attribute indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. It MAY be included in both Access-Request and Access-Accept packets; if it is present in an Access-Request packet, it SHOULD be taken as a hint to the RADIUS server as to the tunnel media supported by the tunnel end- point. The RADIUS server MAY ignore the hint, however.', + 'Tunnel-Password' => 'This Attribute may contain a password to be used to authenticate to a remote server. It may only be included in an Access-Accept packet.', + 'Tunnel-Preference' => 'If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this Attribute SHOULD be included in each set to indicate the relative preference assigned to each tunnel. For example, suppose that Attributes describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference Attribute to decide which tunnel should be started. The tunnel having the numerically lowest value in the Value field of this Attribute SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference', + 'Tunnel-Private-Group-ID' => 'This Attribute indicates the group ID for a particular tunneled session. 
The Tunnel-Private-Group-ID Attribute MAY be included in the Access-Request packet if the tunnel initiator can pre- determine the group resulting from a particular connection and SHOULD be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a', + 'Tunnel-Server-Auth-ID' => 'This Attribute specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. The Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet, and MUST be included in the Access-Accept packet if an authentication name other than the default is desired. This Attribute SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.', + 'Tunnel-Server-Endpoint' => 'This Attribute indicates the address of the server end of the tunnel. The Tunnel-Server-Endpoint Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet and MUST be included in the Access-Accept packet if the initiation of a tunnel is desired. It SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session. This Attribute, along with the Tunnel-Client-Endpoint and Acct- Tunnel-Connection-ID Attributes [11], may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.', + 'Tunnel-Start' => 'This value MAY be used to mark the establishment of a tunnel with another node. 
If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', + 'Tunnel-Stop' => 'This value MAY be used to mark the destruction of a tunnel to or from another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', + 'Tunnel-Reject' => 'This value MAY be used to mark the rejection of the establishment of a tunnel with another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', + 'Tunnel-Type' => 'This Attribute indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the the tunneling protocol in use (in the case of a tunnel terminator). It MAY be included in Access-Request, Access-Accept and Accounting-Request packets. If the Tunnel-Type Attribute is present in an Access-Request packet sent from a tunnel initiator, it SHOULD be taken as a hint to the RADIUS server as to the tunnelling protocols supported by the tunnel end-point; the RADIUS server MAY ignore the hint, however. A tunnel initiator is not required to implement any of these tunnel types; if a tunnel initiator receives an Access-Accept packet which contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though an Access-Reject had been received instead. If the Tunnel-Type Attribute is present in an Access-Request packet sent from a tunnel terminator, it SHOULD be taken to signify the tunnelling protocol in use. In this case, if the RADIUS server determines that the use of the communicated protocol is not authorized, it MAY return an Access-Reject packet. If a tunnel terminator receives an Access-Accept packet which contains', + + 'User-Name' => 'This Attribute indicates the name of the user to be authenticated. It MUST be sent in Access-Request packets if available. 
It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session. If the Access- Accept includes Service-Type = Rlogin and the User-Name attribute, a NAS MAY use the returned User-Name when performing the Rlogin function.', + 'User-Password' => 'This Attribute indicates the password of the user to be authenticated, or the user\'s input following an Access-Challenge. It is only used in Access-Request packets. On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one- way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User- Password Attribute.', ], ]; From 7161ae3a90c8b95acd4f1025a3ae5d0f83679527 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=BA=C5=A1=20B=C3=A1r=C3=A1ny?= Date: Mon, 1 Jul 2024 13:42:00 +0200 Subject: [PATCH 2/6] fix: Class to _Class --- src/Enums/Attribute.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Enums/Attribute.php b/src/Enums/Attribute.php index 789e068..424a1af 100644 --- a/src/Enums/Attribute.php +++ b/src/Enums/Attribute.php 
@@ -165,7 +165,7 @@ public function toDescription(): string self::DNSServerIPv6Address => lang('FreeRadius.attribute.DNSServer-IPv6-Address'), self::ConnectInfo => lang('FreeRadius.attribute.Connect-Info'), self::ConfigurationToken => lang('FreeRadius.attribute.Configuration-Token'), - self::class => lang('FreeRadius.attribute.Class'), + self::_Class => lang('FreeRadius.attribute.Class'), self::ChargeableUserIdentity => lang('FreeRadius.attribute.Chargeable-User-Identity'), self::CallingStationId => lang('FreeRadius.attribute.Calling-Station-Id'), self::CalledStationId => lang('FreeRadius.attribute.Called-Station-Id'), @@ -477,7 +477,7 @@ public static function getFramedMtuMax(): int case ConfigurationToken = 'Configuration-Token'; - case Class = 'Class'; + case _Class = 'Class'; case ChargeableUserIdentity = 'Chargeable-User-Identity'; From 7c363ca8e1ddf5ed5633f42f1e60ffebba8bbe13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=BA=C5=A1=20B=C3=A1r=C3=A1ny?= Date: Tue, 2 Jul 2024 13:10:57 +0200 Subject: [PATCH 3/6] fix: remove hyphens --- src/Enums/Attribute.php | 326 +++++++++++++++----------------- src/Language/en/FreeRadius.php | 336 ++++++++++++++++----------------- 2 files changed, 323 insertions(+), 339 deletions(-) diff --git a/src/Enums/Attribute.php b/src/Enums/Attribute.php index 424a1af..f4504ca 100644 --- a/src/Enums/Attribute.php +++ b/src/Enums/Attribute.php 
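Review bot: Nothing in this change guards `toDescription()` against the next dead or missing arm: the replaced `self::class` arm in the first hunk was valid PHP that compared the case with the class-name string, so it could never match and no error pointed at it. A test that loops over the enum's `cases()` and calls `toDescription()` on each would fail on any case the `match` does not cover, assuming there is no `default` arm outside the hunk. The renamed case in the second hunk, `case _Class = 'Class';`, is the only case shown with a leading underscore, so it needs a one-line comment such as `// "Class" cannot be used as a case name: ::class is reserved for class-name resolution`. Both `toDescription()` and the enum body continue outside these hunks.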
@@ -21,184 +21,168 @@ public static function getDropdownValues(): array
 public function toDescription(): string
 {
 return match ($this) {
- self::NasIpAddress => lang('FreeRadius.attributeDescription.NAS-Ip-Address'),
+ self::NasIpAddress => lang('FreeRadius.attributeDescription.NASIpAddress'),
 self::CleartextPassword => lang('FreeRadius.attributeDescription.cleartextPassword'),
 self::FallThrough => lang('FreeRadius.attributeDescription.fallThrough'),
 self::SimultaneousUse => lang('FreeRadius.attributeDescription.simultaneousUse'),
 self::ServiceType => lang('FreeRadius.attributeDescription.serviceType'),
- self::FramedIPAddress => lang('FreeRadius.attributeDescription.Framed-IP-Address'),
- self::FramedIPNetmask => lang('FreeRadius.attributeDescription.Framed-IP-Netmask'),
- self::FramedProtocol => lang('FreeRadius.attributeDescription.Framed-Protocol'),
- self::FramedMTU => lang('FreeRadius.attributeDescription.Framed-MTU'),
+ self::FramedIPAddress => lang('FreeRadius.attributeDescription.FramedIPAddress'),
+ self::FramedIPNetmask => lang('FreeRadius.attributeDescription.FramedIPNetmask'),
+ self::FramedProtocol => lang('FreeRadius.attributeDescription.FramedProtocol'),
+ self::FramedMTU => lang('FreeRadius.attributeDescription.FramedMTU'),
 self::CiscoAVPair => lang('FreeRadius.attributeDescription.ciscoAVPair'),
 self::CiscoNASPort => lang('FreeRadius.attributeDescription.ciscoNASPort'),
 self::CiscoFramedRoute => lang('FreeRadius.attributeDescription.ciscoFramedRoute'),
- self::AcctAuthentic => lang('FreeRadius.attributeDescription.Acct-Authentic'),
- self::AcctTerminateCause => lang('FreeRadius.attributeDescription.Acct-TerminateCause'),
- self::AcctOutputOctets => lang('FreeRadius.attributeDescription.Acct-OutputOctets'),
- self::AcctInterval => lang('FreeRadius.attributeDescription.Acct-Interval'),
- self::AcctSessionId => lang('FreeRadius.attributeDescription.Acct-SessionId'),
- self::AcctUniqueId => lang('FreeRadius.attributeDescription.Acct-UniqueId'),
- self::AcctStartTime => lang('FreeRadius.attributeDescription.Acct-StartTime'),
- self::AcctUpdateTime => lang('FreeRadius.attributeDescription.Acct-UpdateTime'),
- self::AcctStopTime => lang('FreeRadius.attributeDescription.Acct-StopTime'),
- self::AcctSessionTime => lang('FreeRadius.attributeDescription.Acct-SessionTime'),
- self::NasPortId => lang('FreeRadius.attributeDescription.NAS-PortId'),
- self::NasPortType => lang('FreeRadius.attributeDescription.Nas-PortType'),
- self::AcctInputOctets => lang('FreeRadius.attributeDescription.Acct-InputOctets'),
- self::UserPassword => lang('FreeRadius.attribute.User-Password'),
- self::UserName => lang('FreeRadius.attribute.User-Name'),
- self::TunnelType => lang('FreeRadius.attribute.Tunnel-Type'),
- self::TunnelReject => lang('FreeRadius.attribute.Tunnel-Reject'),
- self::TunnelStop => lang('FreeRadius.attribute.Tunnel-Stop'),
- self::TunnelStart => lang('FreeRadius.attribute.Tunnel-Start'),
- self::TunnelServerEndpoint => lang('FreeRadius.attribute.Tunnel-Server-Endpoint'),
- self::TunnelServerAuthID => lang('FreeRadius.attribute.Tunnel-Server-Auth-ID'),
- self::TunnelPrivateGroupID => lang('FreeRadius.attribute.Tunnel-Private-Group-ID'),
- self::TunnelPreference => lang('FreeRadius.attribute.Tunnel-Preference'),
- self::TunnelPassword => lang('FreeRadius.attribute.Tunnel-Password'),
- self::TunnelMediumType => lang('FreeRadius.attribute.Tunnel-Medium-Type'),
- self::TunnelLinkStop => lang('FreeRadius.attribute.Tunnel-Link-Stop'),
- self::TunnelLinkStart => lang('FreeRadius.attribute.Tunnel-Link-Start'),
- self::TunnelLinkReject => lang('FreeRadius.attribute.Tunnel-Link-Reject'),
- self::TunnelClientEndpoint => lang('FreeRadius.attribute.Tunnel-Client-Endpoint'),
- self::TunnelClientAuthID => lang('FreeRadius.attribute.Tunnel-Client-Auth-ID'),
- self::TunnelAssignmentID => lang('FreeRadius.attribute.Tunnel-Assignment-ID'),
- self::TerminationAction => lang('FreeRadius.attribute.Termination-Action'),
- self::StatefulIPv6AddressPool => lang('FreeRadius.attribute.Stateful-IPv6-Address-Pool'),
- self::State => lang('FreeRadius.attribute.State'),
- self::SessionTimeout => lang('FreeRadius.attribute.Session-Timeout'),
- self::ServiceSelection => lang('FreeRadius.attribute.Service-Selection'),
- self::RouteIPv6Information => lang('FreeRadius.attribute.Route-IPv6-Information'),
- self::ReplyMessage => lang('FreeRadius.attribute.Reply-Message'),
- self::ProxyState => lang('FreeRadius.attribute.Proxy-State'),
- self::PortLimit => lang('FreeRadius.attribute.Port-Limit'),
- self::PasswordRetry => lang('FreeRadius.attribute.Password-Retry'),
- self::PKMSSCert => lang('FreeRadius.attribute.PKM-SS-Cert'),
- self::PKMSAID => lang('FreeRadius.attribute.PKM-SAID'),
- self::PKMSADescriptor => lang('FreeRadius.attribute.PKM-SA-Descriptor'),
- self::PKMCryptosuiteList => lang('FreeRadius.attribute.PKM-Cryptosuite-List'),
- self::PKMConfigSettings => lang('FreeRadius.attribute.PKM-Config-Settings'),
- self::PKMCACert => lang('FreeRadius.attribute.PKM-CA-Cert'),
- self::PKMAUTHKey => lang('FreeRadius.attribute.PKM-MA-Key'),
- self::NASPort => lang('FreeRadius.attribute.NAS-Port'),
- self::NASIdentifier => lang('FreeRadius.attribute.NAS-Identifier'),
- self::NASIPv6Address => lang('FreeRadius.attribute.NAS-IPv6-Address'),
- self::MobileNodeIdentifier => lang('FreeRadius.attribute.Mobile-Node-Identifier'),
- self::MSARAPChallenge => lang('FreeRadius.attribute.MS-ARAP-Challenge'),
- self::MSARAPPasswordChangeReason => lang('FreeRadius.attribute.MS-ARAP-Password-Change-Reason'),
- self::MSAcctAuthType => lang('FreeRadius.attribute.MS-Acct-Auth-Type'),
- self::MSAcctEAPType => lang('FreeRadius.attribute.MS-Acct-EAP-Type'),
- self::MSBAPUsage => lang('FreeRadius.attribute.MS-BAP-Usage'),
- self::MSCHAPCPW1 => lang('FreeRadius.attribute.MS-CHAP-CPW-1'),
- self::MSCHAPCPW2 => lang('FreeRadius.attribute.MS-CHAP-CPW-2'),
- self::MSCHAPChallenge => lang('FreeRadius.attribute.MS-CHAP-Challenge'),
- self::MSCHAPDomain => lang('FreeRadius.attribute.MS-CHAP-Domain'),
- self::MSCHAPError => lang('FreeRadius.attribute.MS-CHAP-Error'),
- self::MSCHAPLMEncPW => lang('FreeRadius.attribute.MS-CHAP-LM-Enc-PW'),
- self::MSCHAPMPPEKeys => lang('FreeRadius.attribute.MS-CHAP-MPPE-Keys'),
- self::MSCHAPNTEncPW => lang('FreeRadius.attribute.MS-CHAP-NT-Enc-PW'),
- self::MSCHAPResponse => lang('FreeRadius.attribute.MS-CHAP-Response'),
- self::MSCHAP2CPW => lang('FreeRadius.attribute.MS-CHAP2-CPW'),
- self::MSCHAP2Response => lang('FreeRadius.attribute.MS-CHAP2-Response'),
- self::MSCHAP2Success => lang('FreeRadius.attribute.MS-CHAP2-Success'),
- self::MSFilter => lang('FreeRadius.attribute.MS-Filter'),
- self::MSLinkDropTimeLimit => lang('FreeRadius.attribute.MS-Link-Drop-Time-Limit'),
- self::MSLinkUtilizationThreshold => lang('FreeRadius.attribute.MS-Link-Utilization-Threshold'),
- self::MSMPPEEncryptionPolicy => lang('FreeRadius.attribute.MS-MPPE-Encryption-Policy'),
- self::MSMPPEEncryptionTypes => lang('FreeRadius.attribute.MS-MPPE-Encryption-Types'),
- self::MSMPPERecvKey => lang('FreeRadius.attribute.MS-MPPE-Recv-Key'),
- self::MSMPPESendKey => lang('FreeRadius.attribute.MS-MPPE-Send-Key'),
- self::MSNewARAPPassword => lang('FreeRadius.attribute.MS-New-ARAP-Password'),
- self::MSOldARAPPassword => lang('FreeRadius.attribute.MS-Old-ARAP-Password'),
- self::MSPrimaryDNSServer => lang('FreeRadius.attribute.MS-Primary-DNS-Server'),
- self::MSPrimaryNBNSServer => lang('FreeRadius.attribute.MS-Primary-NBNS-Server'),
- self::MSRASVendor => lang('FreeRadius.attribute.MS-RAS-Vendor'),
- self::MSRASVersion => lang('FreeRadius.attribute.MS-RAS-Version'),
- self::MSSecondaryDNSServer => lang('FreeRadius.attribute.MS-Secondary-DNS-Server'),
- self::MSSecondaryNBNSServer => lang('FreeRadius.attribute.MS-Secondary-NBNS-Server'),
- self::MSAcctAuthType => lang('FreeRadius.attribute.MS-Acct-Auth-Type'),
- self::MSARAPPasswordChangeReason => lang('FreeRadius.attribute.MS-ARAP-Password-Change-Reason'),
- self::MSARAPChallenge => lang('FreeRadius.attribute.MS-ARAP-Challenge'),
- self::LongExtendedType2 => lang('FreeRadius.attribute.Long-Extended-Type2'),
- self::LongExtendedType1 => lang('FreeRadius.attribute.Long-Extended-Type1'),
- self::LoginTCPPort => lang('FreeRadius.attribute.Login-TCP-Port'),
- self::LoginService => lang('FreeRadius.attribute.Login-Service'),
- self::LoginLATService => lang('FreeRadius.attribute.Login-LAT-Service'),
- self::LoginLATPort => lang('FreeRadius.attribute.Login-LAT-Port'),
- self::LoginLATNode => lang('FreeRadius.attribute.Login-LAT-Node'),
- self::LoginLATGroup => lang('FreeRadius.attribute.Login-LAT-Group'),
- self::LoginIPv6Host => lang('FreeRadius.attribute.Login-IPv6-Host'),
- self::LoginIPHost => lang('FreeRadius.attribute.Login-IP-Host'),
- self::IdleTimeout => lang('FreeRadius.attribute.Idle-Timeout'),
- self::FramedRouting => lang('FreeRadius.attribute.Framed-Routing'),
- self::FramedRoute => lang('FreeRadius.attribute.Framed-Route'),
- self::FramedPool => lang('FreeRadius.attribute.Framed-Pool'),
- self::FramedManagementProtocol => lang('FreeRadius.attribute.Framed-Management-Protocol'),
- self::FramedInterfaceId => lang('FreeRadius.attribute.Framed-Interface-Id'),
- self::FramedIPv6Route => lang('FreeRadius.attribute.Framed-IPv6-Route'),
- self::FramedIPv6Prefix => lang('FreeRadius.attribute.Framed-IPv6-Prefix'),
- self::FramedIPv6Pool => lang('FreeRadius.attribute.Framed-IPv6-Pool'),
- self::FramedIPv6Address => lang('FreeRadius.attribute.Framed-IPv6-Address'),
- self::FramedIPXNetwork => lang('FreeRadius.attribute.Framed-IPX-Network'),
- self::FramedCompression => lang('FreeRadius.attribute.Framed-Compression'),
- self::FramedAppleTalkZone => lang('FreeRadius.attribute.Framed-AppleTalk-Zone'),
- self::FramedAppleTalkNetwork => lang('FreeRadius.attribute.Framed-AppleTalk-Network'),
- self::FramedAppleTalkLink => lang('FreeRadius.attribute.Framed-AppleTalk-Link'),
- self::FilterId => lang('FreeRadius.attribute.Filter-Id'),
- self::FilterID => lang('FreeRadius.attribute.Filter-ID'),
- self::ExtendedVendorSpecific6 => lang('FreeRadius.attribute.Extended-Vendor-Specific6'),
- self::ExtendedVendorSpecific5 => lang('FreeRadius.attribute.Extended-Vendor-Specific5'),
- self::ExtendedVendorSpecific4 => lang('FreeRadius.attribute.Extended-Vendor-Specific4'),
- self::ExtendedVendorSpecific3 => lang('FreeRadius.attribute.Extended-Vendor-Specific3'),
- self::ExtendedVendorSpecific2 => lang('FreeRadius.attribute.Extended-Vendor-Specific2'),
- self::ExtendedVendorSpecific1 => lang('FreeRadius.attribute.Extended-Vendor-Specific1'),
- self::ExtendedType4 => lang('FreeRadius.attribute.Extended-Type4'),
- self::ExtendedType3 => lang('FreeRadius.attribute.Extended-Type3'),
- self::ExtendedType2 => lang('FreeRadius.attribute.Extended-Type2'),
- self::ExtendedType1 => lang('FreeRadius.attribute.Extended-Type1'),
- self::EventTimestamp => lang('FreeRadius.attribute.Event-Timestamp'),
- self::ErrorCause => lang('FreeRadius.attribute.Error-Cause'),
- self::EAPMessage => lang('FreeRadius.attribute.EAP-Message'),
- self::DelegatedIPv6PrefixPool => lang('FreeRadius.attribute.Delegated-IPv6-Prefix-Pool'),
- self::DSLiteTunnelName => lang('FreeRadius.attribute.DSLite-Tunnel-Name'),
- self::DNSServerIPv6Address => lang('FreeRadius.attribute.DNSServer-IPv6-Address'),
- self::ConnectInfo => lang('FreeRadius.attribute.Connect-Info'),
- self::ConfigurationToken => lang('FreeRadius.attribute.Configuration-Token'),
- self::_Class => lang('FreeRadius.attribute.Class'),
- self::ChargeableUserIdentity => lang('FreeRadius.attribute.Chargeable-User-Identity'),
- self::CallingStationId => lang('FreeRadius.attribute.Calling-Station-Id'),
- self::CalledStationId => lang('FreeRadius.attribute.Called-Station-Id'),
- self::CallbackNumber => lang('FreeRadius.attribute.Callback-Number'),
- self::CallbackId => 
lang('FreeRadius.attribute.Callback-Id'), - self::CHAPPassword => lang('FreeRadius.attribute.CHAP-Password'), - self::CHAPChallenge => lang('FreeRadius.attribute.CHAP-Challenge'), - self::AcctDelayTime => lang('FreeRadius.attribute.Acct-Delay-Time'), - self::AccountingResponse => lang('FreeRadius.attribute.Accounting-Response'), - self::AccountingRequest => lang('FreeRadius.attribute.Accounting-Request'), - self::AccessRequest => lang('FreeRadius.attribute.Access-Request'), - self::AccessReject => lang('FreeRadius.attribute.Access-Reject'), - self::AccessChallenge => lang('FreeRadius.attribute.Access-Challenge'), - self::AccessAccept => lang('FreeRadius.attribute.Access-Accept'), - self::ARAPZoneAccess => lang('FreeRadius.attribute.ARAP-Zone-Access'), - self::ARAPSecurityData => lang('FreeRadius.attribute.ARAP-Security-Data'), - self::ARAPSecurity => lang('FreeRadius.attribute.ARAP-Security'), - self::ARAPPassword => lang('FreeRadius.attribute.ARAP-Password'), - self::ARAPFeatures => lang('FreeRadius.attribute.ARAP-Features'), - self::ARAPChallengeResponse => lang('FreeRadius.attribute.ARAP-Challenge-Response'), - self::AcctSessionId => lang('FreeRadius.attribute.Acct-Session-Id'), - self::AcctUniqueId => lang('FreeRadius.attribute.Acct-Unique-Id'), - self::NasPortId => lang('FreeRadius.attribute.Nas-Port-Id'), - self::NasPortType => lang('FreeRadius.attribute.Nas-Port-Type'), - self::AcctStartTime => lang('FreeRadius.attribute.Acct-Start-Time'), - self::AcctUpdateTime => lang('FreeRadius.attribute.Acct-Update-Time'), - self::AcctStopTime => lang('FreeRadius.attribute.Acct-Stop-Time'), - self::AcctInterval => lang('FreeRadius.attribute.Acct-Interval'), - self::AcctSessionTime => lang('FreeRadius.attribute.Acct-Session-Time'), - self::AcctAuthentic => lang('FreeRadius.attribute.Acct-Authentic'), - self::AcctInputOctets => lang('FreeRadius.attribute.Acct-Input-Octets'), - self::AcctOutputOctets => lang('FreeRadius.attribute.Acct-Output-Octets'), - 
self::AcctTerminateCause => lang('FreeRadius.attribute.Acct-Terminate-Cause'), + self::AcctAuthentic => lang('FreeRadius.attributeDescription.AcctAuthentic'), + self::AcctTerminateCause => lang('FreeRadius.attributeDescription.AcctTerminateCause'), + self::AcctOutputOctets => lang('FreeRadius.attributeDescription.AcctOutputOctets'), + self::AcctInterval => lang('FreeRadius.attributeDescription.AcctInterval'), + self::AcctSessionId => lang('FreeRadius.attributeDescription.AcctSessionId'), + self::AcctUniqueId => lang('FreeRadius.attributeDescription.AcctUniqueId'), + self::AcctStartTime => lang('FreeRadius.attributeDescription.AcctStartTime'), + self::AcctUpdateTime => lang('FreeRadius.attributeDescription.AcctUpdateTime'), + self::AcctStopTime => lang('FreeRadius.attributeDescription.AcctStopTime'), + self::AcctSessionTime => lang('FreeRadius.attributeDescription.AcctSessionTime'), + self::NasPortId => lang('FreeRadius.attributeDescription.NASPortId'), + self::NasPortType => lang('FreeRadius.attributeDescription.NasPortType'), + self::AcctInputOctets => lang('FreeRadius.attributeDescription.AcctInputOctets'), + self::UserPassword => lang('FreeRadius.attributeDescription.UserPassword'), + self::UserName => lang('FreeRadius.attributeDescription.UserName'), + self::TunnelType => lang('FreeRadius.attributeDescription.TunnelType'), + self::TunnelReject => lang('FreeRadius.attributeDescription.TunnelReject'), + self::TunnelStop => lang('FreeRadius.attributeDescription.TunnelStop'), + self::TunnelStart => lang('FreeRadius.attributeDescription.TunnelStart'), + self::TunnelServerEndpoint => lang('FreeRadius.attributeDescription.TunnelServerEndpoint'), + self::TunnelServerAuthID => lang('FreeRadius.attributeDescription.TunnelServerAuthID'), + self::TunnelPrivateGroupID => lang('FreeRadius.attributeDescription.TunnelPrivateGroupID'), + self::TunnelPreference => lang('FreeRadius.attributeDescription.TunnelPreference'), + self::TunnelPassword => 
lang('FreeRadius.attributeDescription.TunnelPassword'), + self::TunnelMediumType => lang('FreeRadius.attributeDescription.TunnelMediumType'), + self::TunnelLinkStop => lang('FreeRadius.attributeDescription.TunnelLinkStop'), + self::TunnelLinkStart => lang('FreeRadius.attributeDescription.TunnelLinkStart'), + self::TunnelLinkReject => lang('FreeRadius.attributeDescription.TunnelLinkReject'), + self::TunnelClientEndpoint => lang('FreeRadius.attributeDescription.TunnelClientEndpoint'), + self::TunnelClientAuthID => lang('FreeRadius.attributeDescription.TunnelClientAuthID'), + self::TunnelAssignmentID => lang('FreeRadius.attributeDescription.TunnelAssignmentID'), + self::TerminationAction => lang('FreeRadius.attributeDescription.TerminationAction'), + self::StatefulIPv6AddressPool => lang('FreeRadius.attributeDescription.StatefulIPv6AddressPool'), + self::State => lang('FreeRadius.attributeDescription.State'), + self::SessionTimeout => lang('FreeRadius.attributeDescription.SessionTimeout'), + self::ServiceSelection => lang('FreeRadius.attributeDescription.ServiceSelection'), + self::RouteIPv6Information => lang('FreeRadius.attributeDescription.RouteIPv6Information'), + self::ReplyMessage => lang('FreeRadius.attributeDescription.ReplyMessage'), + self::ProxyState => lang('FreeRadius.attributeDescription.ProxyState'), + self::PortLimit => lang('FreeRadius.attributeDescription.PortLimit'), + self::PasswordRetry => lang('FreeRadius.attributeDescription.PasswordRetry'), + self::PKMSSCert => lang('FreeRadius.attributeDescription.PKMSSCert'), + self::PKMSAID => lang('FreeRadius.attributeDescription.PKMSAID'), + self::PKMSADescriptor => lang('FreeRadius.attributeDescription.PKMSADescriptor'), + self::PKMCryptosuiteList => lang('FreeRadius.attributeDescription.PKMCryptosuiteList'), + self::PKMConfigSettings => lang('FreeRadius.attributeDescription.PKMConfigSettings'), + self::PKMCACert => lang('FreeRadius.attributeDescription.PKMCACert'), + self::PKMAUTHKey => 
lang('FreeRadius.attributeDescription.PKMMAKey'), + self::NASPort => lang('FreeRadius.attributeDescription.NASPort'), + self::NASIdentifier => lang('FreeRadius.attributeDescription.NASIdentifier'), + self::NASIPv6Address => lang('FreeRadius.attributeDescription.NASIPv6Address'), + self::MobileNodeIdentifier => lang('FreeRadius.attributeDescription.MobileNodeIdentifier'), + self::MSARAPChallenge => lang('FreeRadius.attributeDescription.MSARAPChallenge'), + self::MSARAPPasswordChangeReason => lang('FreeRadius.attributeDescription.MSARAPPasswordChangeReason'), + self::MSAcctAuthType => lang('FreeRadius.attributeDescription.MSAcctAuthType'), + self::MSAcctEAPType => lang('FreeRadius.attributeDescription.MSAcctEAPType'), + self::MSBAPUsage => lang('FreeRadius.attributeDescription.MSBAPUsage'), + self::MSCHAPCPW1 => lang('FreeRadius.attributeDescription.MSCHAPCPW1'), + self::MSCHAPCPW2 => lang('FreeRadius.attributeDescription.MSCHAPCPW2'), + self::MSCHAPChallenge => lang('FreeRadius.attributeDescription.MSCHAPChallenge'), + self::MSCHAPDomain => lang('FreeRadius.attributeDescription.MSCHAPDomain'), + self::MSCHAPError => lang('FreeRadius.attributeDescription.MSCHAPError'), + self::MSCHAPLMEncPW => lang('FreeRadius.attributeDescription.MSCHAPLMEncPW'), + self::MSCHAPMPPEKeys => lang('FreeRadius.attributeDescription.MSCHAPMPPEKeys'), + self::MSCHAPNTEncPW => lang('FreeRadius.attributeDescription.MSCHAPNTEncPW'), + self::MSCHAPResponse => lang('FreeRadius.attributeDescription.MSCHAPResponse'), + self::MSCHAP2CPW => lang('FreeRadius.attributeDescription.MSCHAP2CPW'), + self::MSCHAP2Response => lang('FreeRadius.attributeDescription.MSCHAP2Response'), + self::MSCHAP2Success => lang('FreeRadius.attributeDescription.MSCHAP2Success'), + self::MSFilter => lang('FreeRadius.attributeDescription.MSFilter'), + self::MSLinkDropTimeLimit => lang('FreeRadius.attributeDescription.MSLinkDropTimeLimit'), + self::MSLinkUtilizationThreshold => 
lang('FreeRadius.attributeDescription.MSLinkUtilizationThreshold'), + self::MSMPPEEncryptionPolicy => lang('FreeRadius.attributeDescription.MSMPPEEncryptionPolicy'), + self::MSMPPEEncryptionTypes => lang('FreeRadius.attributeDescription.MSMPPEEncryptionTypes'), + self::MSMPPERecvKey => lang('FreeRadius.attributeDescription.MSMPPERecvKey'), + self::MSMPPESendKey => lang('FreeRadius.attributeDescription.MSMPPESendKey'), + self::MSNewARAPPassword => lang('FreeRadius.attributeDescription.MSNewARAPPassword'), + self::MSOldARAPPassword => lang('FreeRadius.attributeDescription.MSOldARAPPassword'), + self::MSPrimaryDNSServer => lang('FreeRadius.attributeDescription.MSPrimaryDNSServer'), + self::MSPrimaryNBNSServer => lang('FreeRadius.attributeDescription.MSPrimaryNBNSServer'), + self::MSRASVendor => lang('FreeRadius.attributeDescription.MSRASVendor'), + self::MSRASVersion => lang('FreeRadius.attributeDescription.MSRASVersion'), + self::MSSecondaryDNSServer => lang('FreeRadius.attributeDescription.MSSecondaryDNSServer'), + self::MSSecondaryNBNSServer => lang('FreeRadius.attributeDescription.MSSecondaryNBNSServer'), + self::LongExtendedType2 => lang('FreeRadius.attributeDescription.LongExtendedType2'), + self::LongExtendedType1 => lang('FreeRadius.attributeDescription.LongExtendedType1'), + self::LoginTCPPort => lang('FreeRadius.attributeDescription.LoginTCPPort'), + self::LoginService => lang('FreeRadius.attributeDescription.LoginService'), + self::LoginLATService => lang('FreeRadius.attributeDescription.LoginLATService'), + self::LoginLATPort => lang('FreeRadius.attributeDescription.LoginLATPort'), + self::LoginLATNode => lang('FreeRadius.attributeDescription.LoginLATNode'), + self::LoginLATGroup => lang('FreeRadius.attributeDescription.LoginLATGroup'), + self::LoginIPv6Host => lang('FreeRadius.attributeDescription.LoginIPv6Host'), + self::LoginIPHost => lang('FreeRadius.attributeDescription.LoginIPHost'), + self::IdleTimeout => 
lang('FreeRadius.attributeDescription.IdleTimeout'), + self::FramedRouting => lang('FreeRadius.attributeDescription.FramedRouting'), + self::FramedRoute => lang('FreeRadius.attributeDescription.FramedRoute'), + self::FramedPool => lang('FreeRadius.attributeDescription.FramedPool'), + self::FramedManagementProtocol => lang('FreeRadius.attributeDescription.FramedManagementProtocol'), + self::FramedInterfaceId => lang('FreeRadius.attributeDescription.FramedInterfaceId'), + self::FramedIPv6Route => lang('FreeRadius.attributeDescription.FramedIPv6Route'), + self::FramedIPv6Prefix => lang('FreeRadius.attributeDescription.FramedIPv6Prefix'), + self::FramedIPv6Pool => lang('FreeRadius.attributeDescription.FramedIPv6Pool'), + self::FramedIPv6Address => lang('FreeRadius.attributeDescription.FramedIPv6Address'), + self::FramedIPXNetwork => lang('FreeRadius.attributeDescription.FramedIPXNetwork'), + self::FramedCompression => lang('FreeRadius.attributeDescription.FramedCompression'), + self::FramedAppleTalkZone => lang('FreeRadius.attributeDescription.FramedAppleTalkZone'), + self::FramedAppleTalkNetwork => lang('FreeRadius.attributeDescription.FramedAppleTalkNetwork'), + self::FramedAppleTalkLink => lang('FreeRadius.attributeDescription.FramedAppleTalkLink'), + self::FilterId => lang('FreeRadius.attributeDescription.FilterId'), + self::FilterID => lang('FreeRadius.attributeDescription.FilterID'), + self::ExtendedVendorSpecific6 => lang('FreeRadius.attributeDescription.ExtendedVendorSpecific6'), + self::ExtendedVendorSpecific5 => lang('FreeRadius.attributeDescription.ExtendedVendorSpecific5'), + self::ExtendedVendorSpecific4 => lang('FreeRadius.attributeDescription.ExtendedVendorSpecific4'), + self::ExtendedVendorSpecific3 => lang('FreeRadius.attributeDescription.ExtendedVendorSpecific3'), + self::ExtendedVendorSpecific2 => lang('FreeRadius.attributeDescription.ExtendedVendorSpecific2'), + self::ExtendedVendorSpecific1 => 
lang('FreeRadius.attributeDescription.ExtendedVendorSpecific1'), + self::ExtendedType4 => lang('FreeRadius.attributeDescription.ExtendedType4'), + self::ExtendedType3 => lang('FreeRadius.attributeDescription.ExtendedType3'), + self::ExtendedType2 => lang('FreeRadius.attributeDescription.ExtendedType2'), + self::ExtendedType1 => lang('FreeRadius.attributeDescription.ExtendedType1'), + self::EventTimestamp => lang('FreeRadius.attributeDescription.EventTimestamp'), + self::ErrorCause => lang('FreeRadius.attributeDescription.ErrorCause'), + self::EAPMessage => lang('FreeRadius.attributeDescription.EAPMessage'), + self::DelegatedIPv6PrefixPool => lang('FreeRadius.attributeDescription.DelegatedIPv6PrefixPool'), + self::DSLiteTunnelName => lang('FreeRadius.attributeDescription.DSLiteTunnelName'), + self::DNSServerIPv6Address => lang('FreeRadius.attributeDescription.DNSServerIPv6Address'), + self::ConnectInfo => lang('FreeRadius.attributeDescription.ConnectInfo'), + self::ConfigurationToken => lang('FreeRadius.attributeDescription.ConfigurationToken'), + self::_Class => lang('FreeRadius.attributeDescription.Class'), + self::ChargeableUserIdentity => lang('FreeRadius.attributeDescription.ChargeableUserIdentity'), + self::CallingStationId => lang('FreeRadius.attributeDescription.CallingStationId'), + self::CalledStationId => lang('FreeRadius.attributeDescription.CalledStationId'), + self::CallbackNumber => lang('FreeRadius.attributeDescription.CallbackNumber'), + self::CallbackId => lang('FreeRadius.attributeDescription.CallbackId'), + self::CHAPPassword => lang('FreeRadius.attributeDescription.CHAPPassword'), + self::CHAPChallenge => lang('FreeRadius.attributeDescription.CHAPChallenge'), + self::AcctDelayTime => lang('FreeRadius.attributeDescription.AcctDelayTime'), + self::AccountingResponse => lang('FreeRadius.attributeDescription.AccountingResponse'), + self::AccountingRequest => lang('FreeRadius.attributeDescription.AccountingRequest'), + self::AccessRequest => 
lang('FreeRadius.attributeDescription.AccessRequest'), + self::AccessReject => lang('FreeRadius.attributeDescription.AccessReject'), + self::AccessChallenge => lang('FreeRadius.attributeDescription.AccessChallenge'), + self::AccessAccept => lang('FreeRadius.attributeDescription.AccessAccept'), + self::ARAPZoneAccess => lang('FreeRadius.attributeDescription.ARAPZoneAccess'), + self::ARAPSecurityData => lang('FreeRadius.attributeDescription.ARAPSecurityData'), + self::ARAPSecurity => lang('FreeRadius.attributeDescription.ARAPSecurity'), + self::ARAPPassword => lang('FreeRadius.attributeDescription.ARAPPassword'), + self::ARAPFeatures => lang('FreeRadius.attributeDescription.ARAPFeatures'), + self::ARAPChallengeResponse => lang('FreeRadius.attributeDescription.ARAPChallengeResponse'), }; } diff --git a/src/Language/en/FreeRadius.php b/src/Language/en/FreeRadius.php index 693479e..f0c390c 100644 --- a/src/Language/en/FreeRadius.php +++ b/src/Language/en/FreeRadius.php 
@@ -2,193 +2,193 @@ return [ 'radpostauthReplies' => [ - 'accessAccept' => 'Access-Accept', - 'accessReject' => 'Access-Reject', + 'accessAccept' => 'AccessAccept', + 'accessReject' => 'AccessReject', ], 'attributeDescription' => [ - 'NAS-Ip-Address' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.', + 'NASIpAddress' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.', 'cleartextPassword' => 'Specifies the user’s password in clear text. This attribute is typically used during authentication processes to verify the user’s identity.', 'fallThrough' => 'The Fall-Through attribute should be used in the reply list. If its value is set to Yes in a particular record, that tells Radius to continue looking up other records even when the record at hand matches the request. It can be used to provide default values for several profiles.', 'simultaneousUse' => 'This attribute specifies the maximum number of simultaneous logins a given user is permitted to have. 
When the user is logged in this number of times, any further attempts to log in are rejected. ', - 'ciscoAVPair' => 'Cisco-AVPair allows Vendor-Specific information to be carried in RADIUS packets.', + 'ciscoAVPair' => 'CiscoAVPair allows Vendor-Specific information to be carried in RADIUS packets.', 'ciscoNASPort' => 'Indicates the physical port number of the network access server that is authenticating the user. The NAS-Port value (32 bits) consists of one or two 16-bit values (depending on the setting of the radius-server extended-portnames command). Each 16-bit number should be viewed as a 5-digit decimal integer.', 'ciscoFramedRoute' => 'Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the device field is omitted or 0, the peer IP address is used. Metrics are currently ignored. This attribute is access-request packets.', - 'ciscoServiceInfo' => 'Cisco-Service-Info provides information about the service parameters for Cisco devices.', + 'ciscoServiceInfo' => 'CiscoServiceInfo provides information about the service parameters for Cisco devices.', - 'Acct-DelayTime' => 'This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. 
(Network transit time is ignored.)', - 'Acct-InputGigawords' => 'This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.', - 'Acct-Authentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.', - 'Acct-InputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'Acct-InputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'Acct-InterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.', - 'Acct-LinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.', - 'Acct-MultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. 
It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.', - 'Acct-OutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'Acct-OutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'Acct-SessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.', - 'Acct-SessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'Acct-StatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.', - 'Acct-TerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'Acct-TunnelConnection' => 'This Attribute indicates the identifier assigned to the tunnel session. 
It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Start, Stop or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel- Server-Endpoint attributes [3], may be used to provide a means to uniquely identify a tunnel session for auditing purposes.', + 'AcctDelayTime' => 'This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)', + 'AcctInputGigawords' => 'This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.', + 'AcctAuthentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.', + 'AcctInputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctInputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctInterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. 
This value can only appear in the Access-Accept message.', + 'AcctLinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.', + 'AcctMultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.', + 'AcctOutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctOutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctSessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.', + 'AcctSessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctStatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). 
It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.', + 'AcctTerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctTunnelConnection' => 'This Attribute indicates the identifier assigned to the tunnel session. It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Start, Stop or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel- Server-Endpoint attributes [3], may be used to provide a means to uniquely identify a tunnel session for auditing purposes.', - 'ARAP-Challenge-Response' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and contains the response to the dial-in client\'s challenge.', - 'ARAP-Features' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and includes password information that the NAS should sent to the user in an ARAP "feature flags" packet.', - 'ARAP-Password' => ' This attribute is only present in an Access-Request packet containing a Framed-Protocol of ARAP. 
Only one of User-Password, CHAP-Password, or ARAP-Password needs to be present in an Access-Request', - 'ARAP-Security' => 'This attribute identifies the ARAP Security Module to be used in an Access-Challenge packet.', - 'ARAP-Security-Data' => 'This attribute contains the actual security module challenge or response, and can be found in Access-Challenge and Access-Request packets.', - 'ARAP-Zone-Access' => 'This attribute is included in an Access-Accept packet with Framed-Protocol of ARAP to indicate how the ARAP zone list for the user should be used.', + 'ARAPChallengeResponse' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and contains the response to the dial-in client\'s challenge.', + 'ARAPFeatures' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and includes password information that the NAS should sent to the user in an ARAP "feature flags" packet.', + 'ARAPPassword' => ' This attribute is only present in an Access-Request packet containing a Framed-Protocol of ARAP. Only one of User-Password, CHAP-Password, or ARAP-Password needs to be present in an Access-Request', + 'ARAPSecurity' => 'This attribute identifies the ARAP Security Module to be used in an Access-Challenge packet.', + 'ARAPSecurityData' => 'This attribute contains the actual security module challenge or response, and can be found in Access-Challenge and Access-Request packets.', + 'ARAPZoneAccess' => 'This attribute is included in an Access-Accept packet with Framed-Protocol of ARAP to indicate how the ARAP zone list for the user should be used.', - 'Access-Accept' => 'Access-Accept packets are sent by the RADIUS server, and provide specific configuration information necessary to begin delivery of service to the user. 
If all Attribute values received in an Access-Request are acceptable then the RADIUS implementation MUST transmit a packet with the Code field set to 2 (Access-Accept).',
- 'Access-Challenge' => 'If the RADIUS server desires to send the user a challenge requiring a response, then the RADIUS server MUST respond to the Access-Request by transmitting a packet with the Code field set to 11 (Access-Challenge).',
- 'Access-Reject' => 'If any value of the received Attributes is not acceptable, then the RADIUS server MUST transmit a packet with the Code field set to 3 (Access-Reject). It MAY include one or more Reply-Message Attributes with a text message which the NAS MAY display to the user.',
- 'Access-Request' => 'Access-Request packets are sent to a RADIUS server, and convey information used to determine whether a user is allowed access to a specific NAS, and any special services requested for that user. An implementation wishing to authenticate a user MUST transmit a RADIUS packet with the Code field set to 1 (Access-Request).',
- 'Accounting-Request' => 'Accounting-Request packets are sent from a client (typically a Network Access Server or its proxy) to a RADIUS accounting server, and convey information used to provide accounting for a service provided to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request)',
- 'Accounting-Response' => ' Accounting-Response packets are sent by the RADIUS accountingserver to the client to acknowledge that the Accounting-Requesthas been received and recorded successfully. If the Accounting-Request was recorded successfully then the RADIUS accountingserver MUST transmit a packet with the Code field set to 5(Accounting-Response). On reception of an Accounting-Response bythe client, the Identifier field is matched with a pendingAccounting-Request. The Response Authenticator field MUST containthe correct response for the pending Accounting-Request. 
Invalidpackets are silently discarded',
- 'CHAP-Challenge' => 'This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets. If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute.',
- 'CHAP-Password' => 'This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets. The CHAP challenge value is found in the CHAP-Challenge Attribute (60) if present in the packet, otherwise in the Request Authenticator field.',
- 'Callback-Id' => 'This Attribute indicates the name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets.',
- 'Callback-Number' => 'This Attribute indicates a dialing string to be used for callback. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.',
- 'Called-Station-Id' => 'This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.',
- 'Calling-Station-Id' => 'This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.',
- 'Chargeable-User-Identity' => 'The Chargeable-User-Identity attribute, or CUI, (Type value 89) is a unique, temporary handle used as means to, for example, correlate authentication, accounting, and bill post-processing for a particular chargeable subscriber. 
The CUI format and use follows guidelines defined by [RFC4372]. In the scope of this document, the CUI attribute MAY be present in the Access-Request. The CUI MAY also be present in the Access- Accept. The CUI MUST be present in the Access-Accept if it was present in the Access-Request. If the use of the Chargeable-User- Identity attribute is supported, then the MAG and/or the LMA commits to include the Chargeable-User-Identity attribute in all subsequent RADIUS Accounting packets they send for the given user.',
- 'Class' => 'This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.',
- 'Configuration-Token' => 'This attribute is for use in large distributed authentication networks based on proxy. It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept to indicate a type of user profile to be used. It should not be sent to a NAS.',
- 'Connect-Info' => 'This attribute is sent from the NAS to indicate the nature of the user\'s connection. The NAS MAY send this attribute in an Access-Request or Accounting-Request to indicate the nature of the user\'s connection.',
- 'DNS-Server-IPv6-Address' => 'The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a DNS server. This Attribute MAY be included multiple times in Access- Accept packets when the intention is for a NAS to announce more than one DNS server address to an RG/host. The Attribute MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the DNS IPv6 address, but the RADIUS server is not required to honor the hint. The content of this Attribute can be copied to an instance of the DHCPv6 DNS Recursive Name Server Option [RFC3646] or to an IPv6 Router Advertisement Recursive DNS Server Option [RFC6106]. 
If more than one DNS-Server-IPv6-Address Attribute is present in the Access- Accept packet, the addresses from the Attributes SHOULD be copied in the same order as received.',
- 'DS-Lite-Tunnel-Name' => 'The DS-Lite-Tunnel-Name RADIUS attribute contains an FQDN that refers to the AFTR to which the client is requested to establish a connection. The NAS SHALL use the name returned in the RADIUS DS-Lite-Tunnel-Name attribute to populate the DHCPv6 OPTION_AFTR_NAME option [RFC6334]. This attribute MAY be used in Access-Request packets as a hint to the RADIUS server; for example, if the NAS is pre-configured with a default tunnel name, this name MAY be inserted in the attribute. The RADIUS server MAY ignore the hint sent by the NAS, and it MAY assign a different AFTR tunnel name.',
- 'Delegated-IPv6-Prefix-Pool' => 'The Delegated-IPv6-Prefix-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 delegated prefix for the user on the NAS. If a NAS does not support prefix pools, the NAS MUST ignore this Attribute. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.',
- 'EAP-Message' => 'This attribute encapsulates Extended Access Protocol [3] packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol. The NAS places any EAP messages received from the user into one or more EAP attributes and forwards them to the RADIUS Server as part of the Access-Request, which can return EAP messages in Access- Challenge, Access-Accept and Access-Reject packets.',
- 'Error-Cause' => 'It is possible that a Dynamic Authorization Server cannot honor Disconnect-Request or CoA-Request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. 
It MAY be included within CoA-NAK and Disconnect-NAK packets.',
- 'Event-Timestamp' => 'This attribute is included in an Accounting-Request packet to record the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC.',
- 'Extended-Type-1' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 241.{1-255}.',
- 'Extended-Type-2' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 242.{1-255}.',
- 'Extended-Type-3' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 243.{1-255}',
- 'Extended-Type-4' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 244.{1-255}',
- 'Extended-Vendor-Specific-1' => 'This attribute defines a RADIUS Type Code of 241.26, using the "evs" data type.',
- 'Extended-Vendor-Specific-2' => 'This attribute defines a RADIUS Type Code of 242.26, using the "evs" data type.',
- 'Extended-Vendor-Specific-3' => 'This attribute defines a RADIUS Type Code of 243.26, using the "evs" data type.',
- 'Extended-Vendor-Specific-4' => 'This attribute defines a RADIUS Type Code of 244.26, using the "evs" data type.',
- 'Extended-Vendor-Specific-5' => 'This attribute defines a RADIUS Type Code of 245.26, using the "evs" data type.',
- 'Extended-Vendor-Specific-6' => 'This attribute defines a RADIUS Type Code of 246.26, using the "evs" data type.',
- 'Filter-ID' => 'This attribute indicates the name of the filter list to be applied to the Supplicant\'s session. For use with an IEEE 802.1X Authenticator, it may be used to indicate either layer 2 or layer 3 filters. 
Layer 3 filters are typically only supported on IEEE 802.1X Authenticators that act as layer 3 devices.',
- 'Framed-MTU' => 'This attribute indicates the maximum size of an IP packet that may be transmitted over the wire between the Supplicant and the Authenticator. IEEE 802.1X Authenticators set this to the value corresponding to the relevant 802 medium, and include it in the RADIUS Access-Request. The RADIUS server may send an EAP packet as large as Framed-MTU minus four (4) octets, taking into account the additional overhead for the IEEE 802.1X Version (1), Type (1) and Body Length (2) fields. For EAP over IEEE 802 media, the Framed-MTU values.',
- 'Filter-Id' => 'This Attribute indicates the name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.',
+ 'AccessAccept' => 'AccessAccept packets are sent by the RADIUS server, and provide specific configuration information necessary to begin delivery of service to the user. If all Attribute values received in an Access-Request are acceptable then the RADIUS implementation MUST transmit a packet with the Code field set to 2 (Access-Accept).',
+ 'AccessChallenge' => 'If the RADIUS server desires to send the user a challenge requiring a response, then the RADIUS server MUST respond to the Access-Request by transmitting a packet with the Code field set to 11 (Access-Challenge).',
+ 'AccessReject' => 'If any value of the received Attributes is not acceptable, then the RADIUS server MUST transmit a packet with the Code field set to 3 (Access-Reject). It MAY include one or more Reply-Message Attributes with a text message which the NAS MAY display to the user.',
+ 'AccessRequest' => 'AccessRequest packets are sent to a RADIUS server, and convey information used to determine whether a user is allowed access to a specific NAS, and any special services requested for that user. 
An implementation wishing to authenticate a user MUST transmit a RADIUS packet with the Code field set to 1 (Access-Request).',
+ 'AccountingRequest' => 'AccountingRequest packets are sent from a client (typically a Network Access Server or its proxy) to a RADIUS accounting server, and convey information used to provide accounting for a service provided to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request)',
+ 'AccountingResponse' => ' Accounting-Response packets are sent by the RADIUS accountingserver to the client to acknowledge that the Accounting-Requesthas been received and recorded successfully. If the Accounting-Request was recorded successfully then the RADIUS accountingserver MUST transmit a packet with the Code field set to 5(Accounting-Response). On reception of an Accounting-Response bythe client, the Identifier field is matched with a pendingAccounting-Request. The Response Authenticator field MUST containthe correct response for the pending Accounting-Request. Invalidpackets are silently discarded',
+ 'CHAPChallenge' => 'This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets. If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute.',
+ 'CHAPPassword' => 'This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets. The CHAP challenge value is found in the CHAP-Challenge Attribute (60) if present in the packet, otherwise in the Request Authenticator field.',
+ 'CallbackId' => 'This Attribute indicates the name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets.',
+ 'CallbackNumber' => 'This Attribute indicates a dialing string to be used for callback. 
It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.',
+ 'CalledStationId' => 'This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.',
+ 'CallingStationId' => 'This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.',
+ 'ChargeableUserIdentity' => 'The Chargeable-User-Identity attribute, or CUI, (Type value 89) is a unique, temporary handle used as means to, for example, correlate authentication, accounting, and bill post-processing for a particular chargeable subscriber. The CUI format and use follows guidelines defined by [RFC4372]. In the scope of this document, the CUI attribute MAY be present in the Access-Request. The CUI MAY also be present in the Access- Accept. The CUI MUST be present in the Access-Accept if it was present in the Access-Request. If the use of the Chargeable-User- Identity attribute is supported, then the MAG and/or the LMA commits to include the Chargeable-User-Identity attribute in all subsequent RADIUS Accounting packets they send for the given user.',
+ 'Class' => 'This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.',
+ 'ConfigurationToken' => 'This attribute is for use in large distributed authentication networks based on proxy. 
It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept to indicate a type of user profile to be used. It should not be sent to a NAS.',
+ 'ConnectInfo' => 'This attribute is sent from the NAS to indicate the nature of the user\'s connection. The NAS MAY send this attribute in an Access-Request or Accounting-Request to indicate the nature of the user\'s connection.',
+ 'DNSServerIPv6Address' => 'The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a DNS server. This Attribute MAY be included multiple times in Access- Accept packets when the intention is for a NAS to announce more than one DNS server address to an RG/host. The Attribute MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the DNS IPv6 address, but the RADIUS server is not required to honor the hint. The content of this Attribute can be copied to an instance of the DHCPv6 DNS Recursive Name Server Option [RFC3646] or to an IPv6 Router Advertisement Recursive DNS Server Option [RFC6106]. If more than one DNS-Server-IPv6-Address Attribute is present in the Access- Accept packet, the addresses from the Attributes SHOULD be copied in the same order as received.',
+ 'DSLiteTunnelName' => 'The DS-Lite-Tunnel-Name RADIUS attribute contains an FQDN that refers to the AFTR to which the client is requested to establish a connection. The NAS SHALL use the name returned in the RADIUS DS-Lite-Tunnel-Name attribute to populate the DHCPv6 OPTION_AFTR_NAME option [RFC6334]. This attribute MAY be used in Access-Request packets as a hint to the RADIUS server; for example, if the NAS is pre-configured with a default tunnel name, this name MAY be inserted in the attribute. 
The RADIUS server MAY ignore the hint sent by the NAS, and it MAY assign a different AFTR tunnel name.',
+ 'DelegatedIPv6PrefixPool' => 'The Delegated-IPv6-Prefix-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 delegated prefix for the user on the NAS. If a NAS does not support prefix pools, the NAS MUST ignore this Attribute. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.',
+ 'EAPMessage' => 'This attribute encapsulates Extended Access Protocol [3] packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol. The NAS places any EAP messages received from the user into one or more EAP attributes and forwards them to the RADIUS Server as part of the Access-Request, which can return EAP messages in Access- Challenge, Access-Accept and Access-Reject packets.',
+ 'ErrorCause' => 'It is possible that a Dynamic Authorization Server cannot honor Disconnect-Request or CoA-Request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. 
It MAY be included within CoA-NAK and Disconnect-NAK packets.',
+ 'EventTimestamp' => 'This attribute is included in an Accounting-Request packet to record the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC.',
+ 'ExtendedType1' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 241.{1-255}.',
+ 'ExtendedType2' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 242.{1-255}.',
+ 'ExtendedType3' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 243.{1-255}',
+ 'ExtendedType4' => 'This attribute encapsulates attributes of the "Extended Type" format, in the RADIUS Attribute Type space of 244.{1-255}',
+ 'ExtendedVendorSpecific1' => 'This attribute defines a RADIUS Type Code of 241.26, using the "evs" data type.',
+ 'ExtendedVendorSpecific2' => 'This attribute defines a RADIUS Type Code of 242.26, using the "evs" data type.',
+ 'ExtendedVendorSpecific3' => 'This attribute defines a RADIUS Type Code of 243.26, using the "evs" data type.',
+ 'ExtendedVendorSpecific4' => 'This attribute defines a RADIUS Type Code of 244.26, using the "evs" data type.',
+ 'ExtendedVendorSpecific5' => 'This attribute defines a RADIUS Type Code of 245.26, using the "evs" data type.',
+ 'ExtendedVendorSpecific6' => 'This attribute defines a RADIUS Type Code of 246.26, using the "evs" data type.',
+ 'FilterID' => 'This attribute indicates the name of the filter list to be applied to the Supplicant\'s session. For use with an IEEE 802.1X Authenticator, it may be used to indicate either layer 2 or layer 3 filters. Layer 3 filters are typically only supported on IEEE 802.1X Authenticators that act as layer 3 devices.',
+ 'FramedMTU' => 'This attribute indicates the maximum size of an IP packet that may be transmitted over the wire between the Supplicant and the Authenticator. 
IEEE 802.1X Authenticators set this to the value corresponding to the relevant 802 medium, and include it in the RADIUS Access-Request. The RADIUS server may send an EAP packet as large as Framed-MTU minus four (4) octets, taking into account the additional overhead for the IEEE 802.1X Version (1), Type (1) and Body Length (2) fields. For EAP over IEEE 802 media, the Framed-MTU values.',
+ 'FilterId' => 'This Attribute indicates the name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.',
- 'Framed-AppleTalk-Link' => 'This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. It is never used when the user is not another router.',
- 'Framed-AppleTalk-Network' => 'This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified.',
- 'Framed-AppleTalk-Zone' => 'This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed.',
- 'Framed-Compression' => 'This Attribute indicates a compression protocol to be used for the link. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.',
- 'Framed-IP-Address' => 'This Attribute indicates the address to be configured for the user. It MAY be used in Access-Accept packets. 
It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.',
- 'Framed-IP-Netmask' => 'This Attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.',
- 'Framed-IPX-Network' => 'This Attribute indicates the IPX Network number to be configured for the user. It is used in Access-Accept packets.',
- 'Framed-IPv6-Address' => 'The Framed-IPv6-Address Attribute indicates an IPv6 address that is assigned to the NAS-facing interface of the RG/host. It MAY be used in Access-Accept packets and MAY appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server that it would prefer this IPv6 address, but the RADIUS server is not required to honor the hint. Because it is assumed that the',
- 'Framed-IPv6-Pool' => 'This Attribute contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute.',
- 'Framed-IPv6-Prefix' => 'This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint. Since it is assumed that the NAS will plumb a route corresponding to the prefix, it is not necessary for the server to also send a Framed-IPv6-Route attribute for the same prefix.',
- 'Framed-IPv6-Route' => 'This Attribute provides routing information to be configured for the user on the NAS. 
It is used in the Access-Accept packet and can appear multiple times.',
- 'Framed-Interface-Id' => 'This Attribute indicates the IPv6 interface identifier to be configured for the user. It MAY be used in Access-Accept packets. If the Interface-Identifier IPv6CP option [11] has been successfully negotiated, this Attribute MUST be included in an Access-Request packet as a hint by the NAS to the server that it would prefer that value. It is recommended, but not required, that the server honor the hint.',
- 'Framed-Management-Protocol' => 'The Framed-Management-Protocol (133) Attribute indicates the application-layer management protocol to be used for Framed Management access. It MAY be used in both Access-Request and Access- Accept packets. This attribute is used in conjunction with a Service-Type (6) Attribute with the value of Framed-Management (18)',
- 'Framed-Pool' => 'This Attribute contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS should ignore this Attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.',
- 'Framed-Protocol' => 'This Attribute indicates the framing to be used for framed access. It MAY be used in both Access-Request and Access-Accept packets.',
- 'Framed-Route' => 'This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.',
- 'Framed-Routing' => 'This Attribute indicates the routing method for the user, when the user is a router to a network. It is only used in Access-Accept packets.',
+ 'FramedAppleTalkLink' => 'This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. 
It is never used when the user is not another router.',
+ 'FramedAppleTalkNetwork' => 'This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified.',
+ 'FramedAppleTalkZone' => 'This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed.',
+ 'FramedCompression' => 'This Attribute indicates a compression protocol to be used for the link. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.',
+ 'FramedIPAddress' => 'This Attribute indicates the address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.',
+ 'FramedIPNetmask' => 'This Attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.',
+ 'FramedIPXNetwork' => 'This Attribute indicates the IPX Network number to be configured for the user. It is used in Access-Accept packets.',
+ 'FramedIPv6Address' => 'The Framed-IPv6-Address Attribute indicates an IPv6 address that is assigned to the NAS-facing interface of the RG/host. It MAY be used in Access-Accept packets and MAY appear multiple times. 
It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server that it would prefer this IPv6 address, but the RADIUS server is not required to honor the hint. Because it is assumed that the',
+ 'FramedIPv6Pool' => 'This Attribute contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute.',
+ 'FramedIPv6Prefix' => 'This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint. Since it is assumed that the NAS will plumb a route corresponding to the prefix, it is not necessary for the server to also send a Framed-IPv6-Route attribute for the same prefix.',
+ 'FramedIPv6Route' => 'This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.',
+ 'FramedInterfaceId' => 'This Attribute indicates the IPv6 interface identifier to be configured for the user. It MAY be used in Access-Accept packets. If the Interface-Identifier IPv6CP option [11] has been successfully negotiated, this Attribute MUST be included in an Access-Request packet as a hint by the NAS to the server that it would prefer that value. It is recommended, but not required, that the server honor the hint.',
+ 'FramedManagementProtocol' => 'The Framed-Management-Protocol (133) Attribute indicates the application-layer management protocol to be used for Framed Management access. It MAY be used in both Access-Request and Access- Accept packets. 
This attribute is used in conjunction with a Service-Type (6) Attribute with the value of Framed-Management (18)',
+ 'FramedPool' => 'This Attribute contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS should ignore this Attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.',
+ 'FramedProtocol' => 'This Attribute indicates the framing to be used for framed access. It MAY be used in both Access-Request and Access-Accept packets.',
+ 'FramedRoute' => 'This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.',
+ 'FramedRouting' => 'This Attribute indicates the routing method for the user, when the user is a router to a network. It is only used in Access-Accept packets.',
- 'Idle-Timeout' => 'This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.',
- 'Login-IP-Host' => 'This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.',
- 'Login-IPv6-Host' => 'This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. 
It MAY be used in an Access- Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.',
- 'Login-LAT-Group' => 'This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access- Accept packets, but only when LAT is specified as the Login- Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
- 'Login-LAT-Node' => 'This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
- 'Login-LAT-Port' => 'This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
- 'Login-LAT-Service' => 'This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
- 'Login-Service' => 'This Attribute indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets.',
- 'Login-TCP-Port' => 'This Attribute indicates the TCP port with which the user is to be connected, when the Login-Service Attribute is also present. It is only used in Access-Accept packets.',
+ 'IdleTimeout' => 'This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. 
This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.',
+ 'LoginIPHost' => 'This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.',
+ 'LoginIPv6Host' => 'This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access- Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.',
+ 'LoginLATGroup' => 'This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access- Accept packets, but only when LAT is specified as the Login- Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'LoginLATNode' => 'This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'LoginLATPort' => 'This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'LoginLATService' => 'This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. 
It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.',
+ 'LoginService' => 'This Attribute indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets.',
+ 'LoginTCPPort' => 'This Attribute indicates the TCP port with which the user is to be connected, when the Login-Service Attribute is also present. It is only used in Access-Accept packets.',
- 'Long-Extended-Type-1' => 'This attribute encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space of 245.{1-255}.',
- 'Long-Extended-Type-2' => 'This attribute encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space of 246.{1-255}.',
+ 'LongExtendedType1' => 'This attribute encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space of 245.{1-255}.',
+ 'LongExtendedType2' => 'This attribute encapsulates attributes of the "Long Extended Type" format, in the RADIUS Attribute Type space of 246.{1-255}.',
- 'MS-ARAP-Challenge' => 'This attribute is only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP).',
- 'MS-ARAP-Password-Change-Reason' => 'The MS-ARAP-Password-Change-Reason Attribute is used to indicate reason for a server-initiated password change. It MAY be included in Access-Challenge packets.',
- 'MS-Acct-Auth-Type' => 'The MS-Acct-Auth-Type Attribute is used to represent the method used to authenticate the dial-up user. It MAY be included in Accounting-Request packets.',
- 'MS-Acct-EAP-Type' => 'The MS-Acct-EAP-Type Attribute is used to represent the Extensible Authentication Protocol (EAP) [15] type used to authenticate the dial-up user. It MAY be included in Accounting-Request packets.',
- 'MS-BAP-Usage' => 'This Attribute describes whether the use of BAP is allowed, disallowed or required on new multilink calls. 
It MAY be used in Access-Accept packets.',
- 'MS-CHAP-CPW-1' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is less than 2.',
- 'MS-CHAP-CPW-2' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is equal to 2.',
- 'MS-CHAP-Challenge' => 'This Attribute contains the challenge sent by a NAS to a Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user. It MAY be used in both Access-Request and Access-Challenge packets.',
- 'MS-CHAP-Domain' => 'The MS-CHAP-Domain Attribute indicates the Windows NT domain in which the user was authenticated. It MAY be included in both Access-Accept and Accounting-Request packets.',
- 'MS-CHAP-Error' => 'The MS-CHAP-Error Attribute contains error data related to the preceding MS-CHAP exchange. This Attribute may be used in both MS-CHAP-V1 and MS-CHAP-V2 (see below) exchanges. It is only used in Access-Reject packets.',
- 'MS-CHAP-LM-Enc-PW' => 'This Attribute contains the new Windows NT password encrypted with the old LAN Manager password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum lengtth of a RADIUS attribute, the password must be split into several attibutes for transmission. 
A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.',
- 'MS-CHAP-MPPE-Keys' => 'The MS-CHAP-MPPE-Keys Attribute contains two session keys for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). This Attribute is only included in Access-Accept packets.',
- 'MS-CHAP-NT-Enc-PW' => 'This Attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum lengtth of a RADIUS attribute, the password must be split into several attibutes for transmission. A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.',
- 'MS-CHAP-Response' => 'This Attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. It is only used in Access- Request packets.',
- 'MS-CHAP2-CPW' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in conjunction with the MS- CHAP-NT-Enc-PW attribute in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is equal to 3.',
- 'MS-CHAP2-Response' => 'This Attribute contains the response value provided by an MS- CHAP-V2 peer in response to the challenge. It is only used in Access-Request packets.',
- 'MS-CHAP2-Success' => 'This Attribute contains a 42-octet authenticator response string. This string MUST be included in the Message field of the MS-CHAP- V2 Success packet sent from the NAS to the peer. This Attribute is only used in Access-Accept packets.',
- 'MS-Filter' => 'The MS-Filter Attribute is used to transmit traffic filters. 
It MAY be included in both Access-Accept and Accounting-Request packets. If multiple MS-Filter Attributes are contained within a packet, they MUST be in order and they MUST be consecutive attributes in the packet.',
- 'MS-Link-Drop-Time-Limit' => 'The MS-Link-Drop-Time-Limit Attribute indicates the length of time (in seconds) that a link must be underutilized before it is dropped. It MAY only be included in Access-Accept packets.',
- 'MS-Link-Utilization-Threshold' => 'This Attribute represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. Permissible values for the MS-Link- Utilization-Threshold Attribute are in the range 1-100, inclusive. It is only used in Access-Accept packets.',
- 'MS-MPPE-Encryption-Policy' => 'The MS-MPPE-Encryption-Policy Attribute may be used to signify whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types Attribute MAY be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types Attribute MAY be used, but at least one MUST be used.',
- 'MS-MPPE-Encryption-Types' => 'The MS-MPPE-Encryption-Types Attribute is used to signify the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits.',
- 'MS-MPPE-Recv-Key' => 'The MS-MPPE-Recv-Key Attribute contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). As the name implies, this key is intended for encrypting packets received by the NAS from the remote host. This Attribute is only included in Access-Accept packets.',
- 'MS-MPPE-Send-Key' => 'The MS-MPPE-Send-Key Attribute contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). 
As the name implies, this key is intended for encrypting packets sent from the NAS to the remote host. This Attribute is only included in Access-Accept packets.',
- 'MS-New-ARAP-Password' => 'The MS-New-ARAP-Password Attribute is used to transmit the new ARAP password during an ARAP password change operation. It MAY be included in Access-Request packets.',
- 'MS-Old-ARAP-Password' => 'The MS-Old-ARAP-Password Attribute is used to transmit the old ARAP password during an ARAP password change operation. It MAY be included in Access-Request packets.',
- 'MS-Primary-DNS-Server' => 'The MS-Primary-DNS-Server Attribute is used to indicate the address of the primary Domain Name Server (DNS) [16, 17] server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
- 'MS-Primary-NBNS-Server' => 'The MS-Primary-NBNS-Server Attribute is used to indicate the address of the primary NetBIOS Name Server (NBNS) [18] server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
- 'MS-RAS-Vendor' => 'The MS-RAS-Vendor Attribute is used to indicate the manufacturer of the RADIUS client machine. It MAY be included in both Access- Request and Accounting-Request packets.',
- 'MS-RAS-Version' => 'The MS-RAS-Version Attribute is used to indicate the version of the RADIUS client software. This attribute SHOULD be included in packets containing an MS-RAS-Vendor Attribute; it SHOULD NOT be',
- 'MS-Secondary-DNS-Server' => 'The MS-Secondary-DNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
- 'MS-Secondary-NBNS-Server' => 'The MS-Secondary-NBNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. 
It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MSARAPChallenge' => 'This attribute is only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP).',
+ 'MSARAPPasswordChangeReason' => 'The MS-ARAP-Password-Change-Reason Attribute is used to indicate reason for a server-initiated password change. It MAY be included in Access-Challenge packets.',
+ 'MSAcctAuthType' => 'The MS-Acct-Auth-Type Attribute is used to represent the method used to authenticate the dial-up user. It MAY be included in Accounting-Request packets.',
+ 'MSAcctEAPType' => 'The MS-Acct-EAP-Type Attribute is used to represent the Extensible Authentication Protocol (EAP) [15] type used to authenticate the dial-up user. It MAY be included in Accounting-Request packets.',
+ 'MSBAPUsage' => 'This Attribute describes whether the use of BAP is allowed, disallowed or required on new multilink calls. It MAY be used in Access-Accept packets.',
+ 'MSCHAPCPW1' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is less than 2.',
+ 'MSCHAPCPW2' => 'This Attribute allows the user to change their password if it has expired. This Attribute is only used in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is equal to 2.',
+ 'MSCHAPChallenge' => 'This Attribute contains the challenge sent by a NAS to a Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user. 
It MAY be used in both Access-Request and Access-Challenge packets.',
+ 'MSCHAPDomain' => 'The MS-CHAP-Domain Attribute indicates the Windows NT domain in which the user was authenticated. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MSCHAPError' => 'The MS-CHAP-Error Attribute contains error data related to the preceding MS-CHAP exchange. This Attribute may be used in both MS-CHAP-V1 and MS-CHAP-V2 (see below) exchanges. It is only used in Access-Reject packets.',
+ 'MSCHAPLMEncPW' => 'This Attribute contains the new Windows NT password encrypted with the old LAN Manager password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum lengtth of a RADIUS attribute, the password must be split into several attibutes for transmission. A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.',
+ 'MSCHAPMPPEKeys' => 'The MS-CHAP-MPPE-Keys Attribute contains two session keys for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). This Attribute is only included in Access-Accept packets.',
+ 'MSCHAPNTEncPW' => 'This Attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum lengtth of a RADIUS attribute, the password must be split into several attibutes for transmission. A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.',
+ 'MSCHAPResponse' => 'This Attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. It is only used in Access- Request packets.',
+ 'MSCHAP2CPW' => 'This Attribute allows the user to change their password if it has expired. 
This Attribute is only used in conjunction with the MS- CHAP-NT-Enc-PW attribute in Access-Request packets, and should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is equal to 3.',
+ 'MSCHAP2Response' => 'This Attribute contains the response value provided by an MS- CHAP-V2 peer in response to the challenge. It is only used in Access-Request packets.',
+ 'MSCHAP2Success' => 'This Attribute contains a 42-octet authenticator response string. This string MUST be included in the Message field of the MS-CHAP- V2 Success packet sent from the NAS to the peer. This Attribute is only used in Access-Accept packets.',
+ 'MSFilter' => 'The MS-Filter Attribute is used to transmit traffic filters. It MAY be included in both Access-Accept and Accounting-Request packets. If multiple MS-Filter Attributes are contained within a packet, they MUST be in order and they MUST be consecutive attributes in the packet.',
+ 'MSLinkDropTimeLimit' => 'The MS-Link-Drop-Time-Limit Attribute indicates the length of time (in seconds) that a link must be underutilized before it is dropped. It MAY only be included in Access-Accept packets.',
+ 'MSLinkUtilizationThreshold' => 'This Attribute represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. Permissible values for the MS-Link- Utilization-Threshold Attribute are in the range 1-100, inclusive. It is only used in Access-Accept packets.',
+ 'MSMPPEEncryptionPolicy' => 'The MS-MPPE-Encryption-Policy Attribute may be used to signify whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types Attribute MAY be used. 
If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types Attribute MAY be used, but at least one MUST be used.',
+ 'MSMPPEEncryptionTypes' => 'The MS-MPPE-Encryption-Types Attribute is used to signify the types of encryption available for use with MPPE. It is a four octet integer that is interpreted as a string of bits.',
+ 'MSMPPERecvKey' => 'The MS-MPPE-Recv-Key Attribute contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). As the name implies, this key is intended for encrypting packets received by the NAS from the remote host. This Attribute is only included in Access-Accept packets.',
+ 'MSMPPESendKey' => 'The MS-MPPE-Send-Key Attribute contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). As the name implies, this key is intended for encrypting packets sent from the NAS to the remote host. This Attribute is only included in Access-Accept packets.',
+ 'MSNewARAPPassword' => 'The MS-New-ARAP-Password Attribute is used to transmit the new ARAP password during an ARAP password change operation. It MAY be included in Access-Request packets.',
+ 'MSOldARAPPassword' => 'The MS-Old-ARAP-Password Attribute is used to transmit the old ARAP password during an ARAP password change operation. It MAY be included in Access-Request packets.',
+ 'MSPrimaryDNSServer' => 'The MS-Primary-DNS-Server Attribute is used to indicate the address of the primary Domain Name Server (DNS) [16, 17] server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MSPrimaryNBNSServer' => 'The MS-Primary-NBNS-Server Attribute is used to indicate the address of the primary NetBIOS Name Server (NBNS) [18] server to be used by the PPP peer. 
It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MSRASVendor' => 'The MS-RAS-Vendor Attribute is used to indicate the manufacturer of the RADIUS client machine. It MAY be included in both Access- Request and Accounting-Request packets.',
+ 'MSRASVersion' => 'The MS-RAS-Version Attribute is used to indicate the version of the RADIUS client software. This attribute SHOULD be included in packets containing an MS-RAS-Vendor Attribute; it SHOULD NOT be',
+ 'MSSecondaryDNSServer' => 'The MS-Secondary-DNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
+ 'MSSecondaryNBNSServer' => 'The MS-Secondary-NBNS-Server Attribute is used to indicate the address of the secondary DNS server to be used by the PPP peer. It MAY be included in both Access-Accept and Accounting-Request packets.',
- 'Management-Policy-Id' => 'The Management-Policy-Id (135) Attribute indicates the name of the management access policy for this user. Zero or one Management- Policy-Id (135) Attributes MAY be sent in an Access-Accept packet. Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details.',
- 'Management-Privilege-Level' => 'The Management-Privilege-Level (136) Attribute indicates the integer- valued privilege level to be assigned for management access for the authenticated user. Many NASes provide the notion of differentiated management privilege levels denoted by an integer value. The specific access rights conferred by each value are implementation dependent. It MAY be used in both Access-Request and Access-Accept packets.',
- 'Management-Transport-Protection' => 'The Management-Transport-Protection (134) Attribute specifies the minimum level of protection that is required for a protected transport used with the Framed or non-Framed Management access session. 
The protected transport used by the NAS MAY provide a greater level of protection, but MUST NOT provide a lower level of protection.',
- 'Message-Authenticator' => 'This attribute MAY be used to sign Access-Requests to prevent spoofing Access-Requests using CHAP, ARAP or EAP authentication methods. It MAY be used in any Access-Request. It MUST be used in any Access-Request, Access-Accept, Access-Reject or Access- Challenge that includes an EAP-Message attribute.',
- 'Mobile-Node-Identifier' => 'The Mobile-Node-Identifier attribute (Type value 145) is of type String and contains the mobile node identifier (MN-Identifier), see [RFC5213], in a form of a Network Access Identifier (NAI) [RFC4282]. This identifier and the identifier used for access authentication may be different; however, there needs to be a mapping between the two identities as specified in Section 6.6 of [RFC5213]. This attribute is used on the interface between the MAG and the AAA server. The Mobile-Node-Identifier attribute is designed for deployments where the identity used during network access authentication and the identity used for mobility management is decoupled. It may also be the case where the MAG does not have means to find out the MN identity that could be used in subsequent PBU and Proxy Binding Acknowledgement (PBA) exchanges (e.g., due to identity hiding during the network access authentication) or when the HAAA wants to assign periodically changing identities to the MN.',
+ 'ManagementPolicyId' => 'The Management-Policy-Id (135) Attribute indicates the name of the management access policy for this user. Zero or one Management- Policy-Id (135) Attributes MAY be sent in an Access-Accept packet. 
Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details.',
+ 'ManagementPrivilegeLevel' => 'The Management-Privilege-Level (136) Attribute indicates the integer- valued privilege level to be assigned for management access for the authenticated user. Many NASes provide the notion of differentiated management privilege levels denoted by an integer value. The specific access rights conferred by each value are implementation dependent. It MAY be used in both Access-Request and Access-Accept packets.',
+ 'ManagementTransportProtection' => 'The Management-Transport-Protection (134) Attribute specifies the minimum level of protection that is required for a protected transport used with the Framed or non-Framed Management access session. The protected transport used by the NAS MAY provide a greater level of protection, but MUST NOT provide a lower level of protection.',
+ 'MessageAuthenticator' => 'This attribute MAY be used to sign Access-Requests to prevent spoofing Access-Requests using CHAP, ARAP or EAP authentication methods. It MAY be used in any Access-Request. It MUST be used in any Access-Request, Access-Accept, Access-Reject or Access- Challenge that includes an EAP-Message attribute.',
+ 'MobileNodeIdentifier' => 'The Mobile-Node-Identifier attribute (Type value 145) is of type String and contains the mobile node identifier (MN-Identifier), see [RFC5213], in a form of a Network Access Identifier (NAI) [RFC4282]. This identifier and the identifier used for access authentication may be different; however, there needs to be a mapping between the two identities as specified in Section 6.6 of [RFC5213]. This attribute is used on the interface between the MAG and the AAA server. The Mobile-Node-Identifier attribute is designed for deployments where the identity used during network access authentication and the identity used for mobility management is decoupled. 
It may also be the case where the MAG does not have means to find out the MN identity that could be used in subsequent PBU and Proxy Binding Acknowledgement (PBA) exchanges (e.g., due to identity hiding during the network access authentication) or when the HAAA wants to assign periodically changing identities to the MN.',
- 'NAS-IP-Address' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP- Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet.',
- 'NAS-IPv6-Address' => 'This Attribute indicates the identifying IPv6 Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS- IPv6-Address is only used in Access-Request packets. NAS-IPv6- Address and/or NAS-IP-Address MAY be present in an Access-Request packet; however, if neither attribute is present then NAS- Identifier MUST be present.',
- 'NAS-Identifier' => 'This Attribute contains a string identifying the NAS originating the Access-Request">Access-Request. It is only used in Access-Request">Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.',
- 'NAS-Port' => 'This Attribute indicates the physical port number of the NAS which is authenticating the user. It is only used in Access-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. 
Either NAS-Port or NAS-Port-Type (61) or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.',
- 'NAS-Port-Id' => 'This Attribute contains a text string which identifies the port of the NAS which is authenticating the user. It is only used in Access-Request and Accounting-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Id SHOULD be present in an Access- Request packet, if the NAS differentiates among its ports. NAS- Port-Id is intended for use by NASes which cannot conveniently number their ports.',
- 'NAS-Port-Type' => 'This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.',
+ 'NASIPAddress' => 'This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP- Address is only used in Access-Request packets. Either NAS-IP- Address or NAS-Identifier MUST be present in an Access-Request packet.',
+ 'NASIPv6Address' => 'This Attribute indicates the identifying IPv6 Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS- IPv6-Address is only used in Access-Request packets. NAS-IPv6- Address and/or NAS-IP-Address MAY be present in an Access-Request packet; however, if neither attribute is present then NAS- Identifier MUST be present.',
+ 'NASIdentifier' => 'This Attribute contains a string identifying the NAS originating the Access-Request">Access-Request. 
It is only used in Access-Request">Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.',
+ 'NASPort' => 'This Attribute indicates the physical port number of the NAS which is authenticating the user. It is only used in Access-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.',
+ 'NASPortId' => 'This Attribute contains a text string which identifies the port of the NAS which is authenticating the user. It is only used in Access-Request and Accounting-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Id SHOULD be present in an Access- Request packet, if the NAS differentiates among its ports. NAS- Port-Id is intended for use by NASes which cannot conveniently number their ports.',
+ 'NASPortType' => 'This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.',
- 'PKM-AUTH-Key' => 'The PKM-AUTH-Key Attribute is of type string, 135 octets in length. It consists of 3 fields, described below, which together specify the characteristics of a PKM authorization key. The PKM- AUTH-Key Attribute MAY occur in an Access-Accept message. 
Any packet that contains an instance of the PKM-AUTH-Key Attribute MUST also contain an instance of the Message-Authenticator Attribute [RFC3579].',
- 'PKM-CA-Cert' => 'The PKM-CA-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] used by the CA to sign the SS certificate carried in the PKM-SS-Cert attribute (Section 3.1) in the same message.',
- 'PKM-Config-Settings' => 'The PKM-Config-Settings Attribute is of type string [RFC2865]. It is 30 octets in length and consists of seven independent fields, each of which is conceptually an unsigned integer. Each of the fields contains a timeout value and corresponds to a Type-Length- Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM configuration settings" attribute; for details on the contents of each field, see Section 11.9.19 of [IEEE.802.16-2004]. One instance of the PKM-Config-Settings Attribute MAY be included in the Access-Accept message.',
- 'PKM-Cryptosuite-List' => 'The PKM-Cryptosuite-List Attribute is of type string [RFC2865] and is variable length; it corresponds roughly to the "Cryptographic- Suite-List" 802.16 attribute (see Section 11.19.15 of [IEEE.802.16-2004]), the difference being that the RADIUS Attribute contains only the list of 3-octet cryptographic suite identifiers, omitting the IEEE Type and Length fields.',
- 'PKM-SA-Descriptor' => 'The PKM-SA-Descriptor Attribute is of type string and is 8 octets in length. It contains three fields, described below, which together specify the characteristics of a PKM security association. One or more instances of the PKM-SA-Descriptor Attribute MAY occur in an Access-Accept message.',
- 'PKM-SAID' => 'The PKM-SAID Attribute is of type string [RFC2865]. It is 4 octets in length and contains a PKM Security Association Identifier ([IEEE.802.16-2004], Section 11.9.7). 
It MAY be included in an Access-Request message.', - 'PKM-SS-Cert' => 'The PKM-SS-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] binding a public key to the identifier of the Subscriber Station. The minimum size of an SS certificate exceeds the maximum size of a RADIUS attribute. Therefore, the client MUST encapsulate the certificate in the Value fields of two or more instances of the PKM-SS-Cert Attribute, each (except possibly the last) having a length of 255 octets. These multiple PKM-SS-Cert Attributes MUST appear consecutively and in order within the packet. Upon receipt, the RADIUS server MUST recover the original certificate by concatenating the Value fields of the received PKM-SS-Cert Attributes in order.', + 'PKMAUTHKey' => 'The PKM-AUTH-Key Attribute is of type string, 135 octets in length. It consists of 3 fields, described below, which together specify the characteristics of a PKM authorization key. The PKM- AUTH-Key Attribute MAY occur in an Access-Accept message. Any packet that contains an instance of the PKM-AUTH-Key Attribute MUST also contain an instance of the Message-Authenticator Attribute [RFC3579].', + 'PKMCACert' => 'The PKM-CA-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] used by the CA to sign the SS certificate carried in the PKM-SS-Cert attribute (Section 3.1) in the same message.', + 'PKMConfigSettings' => 'The PKM-Config-Settings Attribute is of type string [RFC2865]. It is 30 octets in length and consists of seven independent fields, each of which is conceptually an unsigned integer. 
Each of the fields contains a timeout value and corresponds to a Type-Length- Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM configuration settings" attribute; for details on the contents of each field, see Section 11.9.19 of [IEEE.802.16-2004]. One instance of the PKM-Config-Settings Attribute MAY be included in the Access-Accept message.', + 'PKMCryptosuiteList' => 'The PKM-Cryptosuite-List Attribute is of type string [RFC2865] and is variable length; it corresponds roughly to the "Cryptographic- Suite-List" 802.16 attribute (see Section 11.19.15 of [IEEE.802.16-2004]), the difference being that the RADIUS Attribute contains only the list of 3-octet cryptographic suite identifiers, omitting the IEEE Type and Length fields.', + 'PKMSADescriptor' => 'The PKM-SA-Descriptor Attribute is of type string and is 8 octets in length. It contains three fields, described below, which together specify the characteristics of a PKM security association. One or more instances of the PKM-SA-Descriptor Attribute MAY occur in an Access-Accept message.', + 'PKMSAID' => 'The PKM-SAID Attribute is of type string [RFC2865]. It is 4 octets in length and contains a PKM Security Association Identifier ([IEEE.802.16-2004], Section 11.9.7). It MAY be included in an Access-Request message.', + 'PKMSSCert' => 'The PKM-SS-Cert Attribute is variable length and MAY be transmitted in the Access-Request message. The Value field is of type string and contains the X.509 certificate [RFC2459] binding a public key to the identifier of the Subscriber Station. The minimum size of an SS certificate exceeds the maximum size of a RADIUS attribute. Therefore, the client MUST encapsulate the certificate in the Value fields of two or more instances of the PKM-SS-Cert Attribute, each (except possibly the last) having a length of 255 octets. These multiple PKM-SS-Cert Attributes MUST appear consecutively and in order within the packet. 
Upon receipt, the RADIUS server MUST recover the original certificate by concatenating the Value fields of the received PKM-SS-Cert Attributes in order.', - 'Password-Retry' => 'This attribute MAY be included in an Access-Reject to indicate how many authentication attempts a user may be allowed to attempt before being disconnected. It is primarily intended for use with ARAP authentication.', - 'Port-Limit' => 'This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint.', - 'Proxy-State' => 'This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy- State in the packet) before forwarding the response to the NAS. If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes.', - 'Reply-Message' => 'This Attribute indicates text which MAY be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. 
Multiple Reply-Message\'s MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.', - 'Route-IPv6-Information' => 'The Route-IPv6-Information Attribute specifies a prefix (and corresponding route) for the user on the NAS, which is to be announced using the Route Information Option defined in "Default Router Preferences and More Specific Routes" [RFC4191], Section 2.3. It is used in the Access-Accept packet and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server, but the RADIUS server is not required to honor the hint. The Route-IPv6-Information Attribute format is depicted below. The format of the prefix is as per [RFC3162].', - 'Service-Selection' => 'The Service-Selection attribute (Type value 146) is of type UTF-8 text and contains the name of the service or the external network with which the mobility service for the particular MN SHOULD be associated [RFC5149]. The identifier MUST be unique within the PMIPv6 Domain when normalized using the selected normalization form [UNF] for the particular PMIPv6 Domain deployment. For instance, [RFC5149] uses the Normalization Form KC (NFKC). The MAG MUST include the Service-Selection attribute in the Access- Request sent to the AAA if the information was acquired, e.g., by operator-specific configuration. The AAA MAY include the Service- Selection attribute in the Access-Accept response message to the MAG even if it was not included in the Access-Request as a means of indicating the MN\'s default service. The Service Selection mobility option defined in [RFC5149] can be used in PBU/PBA messages between the MAG and LMA. On the LMA-to-AAA interface, the LMA MAY populate the Service-Selection attribute in the Access-Request message using the service information found in the received PBU, if such a mobility option were included. 
The Service- Selection identifier should be used to assist the PBU authorization, the assignment of the MN-HNP, and the IPv4-MN-HoA as described in [RFC5149] and [RFC5779].', - 'Service-Type' => 'This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.', - 'Session-Timeout' => 'This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.', - 'State' => 'This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.', - 'Stateful-IPv6-Address-Pool' => 'The Stateful-IPv6-Address-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 address for the user on the NAS. If a NAS does not support address pools, the NAS MUST ignore this Attribute. A summary of the Stateful-IPv6-Address- Pool Attribute format is shown below. It MAY be used in an Access- Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.', - 'Termination-Action' => 'This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.', + 'PasswordRetry' => 'This attribute MAY be included in an Access-Reject to indicate how many authentication attempts a user may be allowed to attempt before being disconnected. 
It is primarily intended for use with ARAP authentication.', + 'PortLimit' => 'This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint.', + 'ProxyState' => 'This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy- State in the packet) before forwarding the response to the NAS. If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes.', + 'ReplyMessage' => 'This Attribute indicates text which MAY be displayed to the user. When used in an Access-Accept, it is the success message. When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. Multiple Reply-Message\'s MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.', + 'RouteIPv6Information' => 'The Route-IPv6-Information Attribute specifies a prefix (and corresponding route) for the user on the NAS, which is to be announced using the Route Information Option defined in "Default Router Preferences and More Specific Routes" [RFC4191], Section 2.3. It is used in the Access-Accept packet and can appear multiple times. 
It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server, but the RADIUS server is not required to honor the hint. The Route-IPv6-Information Attribute format is depicted below. The format of the prefix is as per [RFC3162].', + 'ServiceSelection' => 'The Service-Selection attribute (Type value 146) is of type UTF-8 text and contains the name of the service or the external network with which the mobility service for the particular MN SHOULD be associated [RFC5149]. The identifier MUST be unique within the PMIPv6 Domain when normalized using the selected normalization form [UNF] for the particular PMIPv6 Domain deployment. For instance, [RFC5149] uses the Normalization Form KC (NFKC). The MAG MUST include the Service-Selection attribute in the Access- Request sent to the AAA if the information was acquired, e.g., by operator-specific configuration. The AAA MAY include the Service- Selection attribute in the Access-Accept response message to the MAG even if it was not included in the Access-Request as a means of indicating the MN\'s default service. The Service Selection mobility option defined in [RFC5149] can be used in PBU/PBA messages between the MAG and LMA. On the LMA-to-AAA interface, the LMA MAY populate the Service-Selection attribute in the Access-Request message using the service information found in the received PBU, if such a mobility option were included. The Service- Selection identifier should be used to assist the PBU authorization, the assignment of the MN-HNP, and the IPv4-MN-HoA as described in [RFC5149] and [RFC5779].', + 'ServiceType' => 'This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. 
A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.', + 'SessionTimeout' => 'This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.', + 'State' => 'This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.', + 'StatefulIPv6AddressPool' => 'The Stateful-IPv6-Address-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 address for the user on the NAS. If a NAS does not support address pools, the NAS MUST ignore this Attribute. A summary of the Stateful-IPv6-Address- Pool Attribute format is shown below. It MAY be used in an Access- Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.', + 'TerminationAction' => 'This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.', - 'Tunnel-Assignment-ID' => 'This Attribute is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as PPTP and L2TP, allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to utilize its own dedicated tunnel. This attribute provides a mechanism for RADIUS to be used to inform the tunnel initiator (e.g. PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. 
Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.', - 'Tunnel-Client-Auth-ID' => 'This Attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. The Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet, and MUST be included in the Access-Accept packet if an authentication name other than the default is desired. This Attribute SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.', - 'Tunnel-Client-Endpoint' => 'This Attribute contains the address of the initiator end of the tunnel. It MAY be included in both Access-Request and Access- Accept packets to indicate the address from which a new tunnel is to be initiated. If the Tunnel-Client-Endpoint Attribute is included in an Access-Request packet, the RADIUS server should take the value as a hint; the server is not obligated to honor the hint, however. This Attribute SHOULD be included in Accounting- Request packets which contain Acct-Status-Type attributes with values of either Start or Stop, in which case it indicates the address from which the tunnel was initiated. This Attribute, along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection- ID attributes, may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.', - 'Tunnel-Link-Reject' => 'This value MAY be used to mark the rejection of the establishment of a new link in an existing tunnel. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. 
If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since in this case the Tunnel-Reject Attribute has the same meaning.', - 'Tunnel-Link-Start' => 'This value MAY be used to mark the creation of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the creation of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Start Attribute will imply the initiation of the (only possible) link.', - 'Tunnel-Link-Stop' => 'This value MAY be used to mark the destruction of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the destruction of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. 
If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Stop Attribute will imply the termination of the (only possible) link.', - 'Tunnel-Medium-Type' => 'The Tunnel-Medium-Type Attribute indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. It MAY be included in both Access-Request and Access-Accept packets; if it is present in an Access-Request packet, it SHOULD be taken as a hint to the RADIUS server as to the tunnel media supported by the tunnel end- point. The RADIUS server MAY ignore the hint, however.', - 'Tunnel-Password' => 'This Attribute may contain a password to be used to authenticate to a remote server. It may only be included in an Access-Accept packet.', - 'Tunnel-Preference' => 'If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this Attribute SHOULD be included in each set to indicate the relative preference assigned to each tunnel. For example, suppose that Attributes describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference Attribute to decide which tunnel should be started. The tunnel having the numerically lowest value in the Value field of this Attribute SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference', - 'Tunnel-Private-Group-ID' => 'This Attribute indicates the group ID for a particular tunneled session. 
The Tunnel-Private-Group-ID Attribute MAY be included in the Access-Request packet if the tunnel initiator can pre- determine the group resulting from a particular connection and SHOULD be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a', - 'Tunnel-Server-Auth-ID' => 'This Attribute specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. The Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet, and MUST be included in the Access-Accept packet if an authentication name other than the default is desired. This Attribute SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.', - 'Tunnel-Server-Endpoint' => 'This Attribute indicates the address of the server end of the tunnel. The Tunnel-Server-Endpoint Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet and MUST be included in the Access-Accept packet if the initiation of a tunnel is desired. It SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session. This Attribute, along with the Tunnel-Client-Endpoint and Acct- Tunnel-Connection-ID Attributes [11], may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.', - 'Tunnel-Start' => 'This value MAY be used to mark the establishment of a tunnel with another node. 
If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', - 'Tunnel-Stop' => 'This value MAY be used to mark the destruction of a tunnel to or from another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', - 'Tunnel-Reject' => 'This value MAY be used to mark the rejection of the establishment of a tunnel with another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', - 'Tunnel-Type' => 'This Attribute indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the the tunneling protocol in use (in the case of a tunnel terminator). It MAY be included in Access-Request, Access-Accept and Accounting-Request packets. If the Tunnel-Type Attribute is present in an Access-Request packet sent from a tunnel initiator, it SHOULD be taken as a hint to the RADIUS server as to the tunnelling protocols supported by the tunnel end-point; the RADIUS server MAY ignore the hint, however. A tunnel initiator is not required to implement any of these tunnel types; if a tunnel initiator receives an Access-Accept packet which contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though an Access-Reject had been received instead. If the Tunnel-Type Attribute is present in an Access-Request packet sent from a tunnel terminator, it SHOULD be taken to signify the tunnelling protocol in use. In this case, if the RADIUS server determines that the use of the communicated protocol is not authorized, it MAY return an Access-Reject packet. If a tunnel terminator receives an Access-Accept packet which contains', + 'TunnelAssignmentID' => 'This Attribute is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. 
Some tunneling protocols, such as PPTP and L2TP, allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to utilize its own dedicated tunnel. This attribute provides a mechanism for RADIUS to be used to inform the tunnel initiator (e.g. PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.', + 'TunnelClientAuthID' => 'This Attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. The Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet, and MUST be included in the Access-Accept packet if an authentication name other than the default is desired. This Attribute SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.', + 'TunnelClientEndpoint' => 'This Attribute contains the address of the initiator end of the tunnel. It MAY be included in both Access-Request and Access- Accept packets to indicate the address from which a new tunnel is to be initiated. If the Tunnel-Client-Endpoint Attribute is included in an Access-Request packet, the RADIUS server should take the value as a hint; the server is not obligated to honor the hint, however. This Attribute SHOULD be included in Accounting- Request packets which contain Acct-Status-Type attributes with values of either Start or Stop, in which case it indicates the address from which the tunnel was initiated. 
This Attribute, along with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection- ID attributes, may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.', + 'TunnelLinkReject' => 'This value MAY be used to mark the rejection of the establishment of a new link in an existing tunnel. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since in this case the Tunnel-Reject Attribute has the same meaning.', + 'TunnelLinkStart' => 'This value MAY be used to mark the creation of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the creation of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Start Attribute will imply the initiation of the (only possible) link.', + 'TunnelLinkStop' => 'This value MAY be used to mark the destruction of a tunnel link. Only some tunnel types (e.g., L2TP) support multiple links per tunnel. This Attribute is intended to mark the destruction of a link within a tunnel that carries multiple links. For example, if a mandatory tunnel were to carry M links over its lifetime, 2(M+1) RADIUS Accounting messages might be sent: one each marking the initiation and destruction of the tunnel itself and one each for the initiation and destruction of each link within the tunnel. 
If only a single link can be carried in a given tunnel (e.g., IPsec in the tunnel mode), this Attribute need not be included in accounting packets, since the presence of the Tunnel-Stop Attribute will imply the termination of the (only possible) link.', + 'TunnelMediumType' => 'The Tunnel-Medium-Type Attribute indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. It MAY be included in both Access-Request and Access-Accept packets; if it is present in an Access-Request packet, it SHOULD be taken as a hint to the RADIUS server as to the tunnel media supported by the tunnel end- point. The RADIUS server MAY ignore the hint, however.', + 'TunnelPassword' => 'This Attribute may contain a password to be used to authenticate to a remote server. It may only be included in an Access-Accept packet.', + 'TunnelPreference' => 'If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this Attribute SHOULD be included in each set to indicate the relative preference assigned to each tunnel. For example, suppose that Attributes describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference Attribute to decide which tunnel should be started. The tunnel having the numerically lowest value in the Value field of this Attribute SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference', + 'TunnelPrivateGroupID' => 'This Attribute indicates the group ID for a particular tunneled session. 
The Tunnel-Private-Group-ID Attribute MAY be included in the Access-Request packet if the tunnel initiator can pre- determine the group resulting from a particular connection and SHOULD be included in the Access-Accept packet if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a', + 'TunnelServerAuthID' => 'This Attribute specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. The Tunnel-Client-Auth-ID Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet, and MUST be included in the Access-Accept packet if an authentication name other than the default is desired. This Attribute SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session.', + 'TunnelServerEndpoint' => 'This Attribute indicates the address of the server end of the tunnel. The Tunnel-Server-Endpoint Attribute MAY be included (as a hint to the RADIUS server) in the Access-Request packet and MUST be included in the Access-Accept packet if the initiation of a tunnel is desired. It SHOULD be included in Accounting-Request packets which contain Acct-Status-Type attributes with values of either Start or Stop and which pertain to a tunneled session. This Attribute, along with the Tunnel-Client-Endpoint and Acct- Tunnel-Connection-ID Attributes [11], may be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.', + 'TunnelStart' => 'This value MAY be used to mark the establishment of a tunnel with another node. 
If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', + 'TunnelStop' => 'This value MAY be used to mark the destruction of a tunnel to or from another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', + 'TunnelReject' => 'This value MAY be used to mark the rejection of the establishment of a tunnel with another node. If this value is used, the following attributes SHOULD also be included in the Accounting-Request packet:', + 'TunnelType' => 'This Attribute indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the the tunneling protocol in use (in the case of a tunnel terminator). It MAY be included in Access-Request, Access-Accept and Accounting-Request packets. If the Tunnel-Type Attribute is present in an Access-Request packet sent from a tunnel initiator, it SHOULD be taken as a hint to the RADIUS server as to the tunnelling protocols supported by the tunnel end-point; the RADIUS server MAY ignore the hint, however. A tunnel initiator is not required to implement any of these tunnel types; if a tunnel initiator receives an Access-Accept packet which contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though an Access-Reject had been received instead. If the Tunnel-Type Attribute is present in an Access-Request packet sent from a tunnel terminator, it SHOULD be taken to signify the tunnelling protocol in use. In this case, if the RADIUS server determines that the use of the communicated protocol is not authorized, it MAY return an Access-Reject packet. If a tunnel terminator receives an Access-Accept packet which contains', - 'User-Name' => 'This Attribute indicates the name of the user to be authenticated. It MUST be sent in Access-Request packets if available. 
It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session. If the Access- Accept includes Service-Type = Rlogin and the User-Name attribute, a NAS MAY use the returned User-Name when performing the Rlogin function.', - 'User-Password' => 'This Attribute indicates the password of the user to be authenticated, or the user\'s input following an Access-Challenge. It is only used in Access-Request packets. On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one- way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User- Password Attribute.', + 'UserName' => 'This Attribute indicates the name of the user to be authenticated. It MUST be sent in Access-Request packets if available. It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session. If the Access- Accept includes Service-Type = Rlogin and the User-Name attribute, a NAS MAY use the returned User-Name when performing the Rlogin function.', + 'UserPassword' => 'This Attribute indicates the password of the user to be authenticated, or the user\'s input following an Access-Challenge. It is only used in Access-Request packets. On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one- way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. 
This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User- Password Attribute.', ], ]; From 092645ed267c46649a4b32a9355ebffe730b84a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=BA=C5=A1=20B=C3=A1r=C3=A1ny?= Date: Tue, 2 Jul 2024 13:14:57 +0200 Subject: [PATCH 4/6] fix: typo --- src/Enums/Attribute.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Enums/Attribute.php b/src/Enums/Attribute.php index f4504ca..b7bb8d0 100644 --- a/src/Enums/Attribute.php +++ b/src/Enums/Attribute.php @@ -229,6 +229,9 @@ public static function getFramedMtuMax(): int { return 65535; } + + case MSCHAPMPPEKeys = 'MS-CHAP-MPPE-Keys'; + case UserPassword = 'User-Password'; case UserName = 'User-Name'; @@ -323,8 +326,6 @@ public static function getFramedMtuMax(): int case MSAcctEAPType = 'MS-Acct-EAP-Type'; - case MSHAPMPPEKeys = 'MS-CHAP-MPPE-Keys'; - case MSCHAPNTEncPW = 'MS-CHAP-NT-Enc-PW'; case MSCHAPResponse = 'MS-CHAP-Response'; From 0ed357362a6da530d3eeddd02a75e7a4b5b5a78a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=BA=C5=A1=20B=C3=A1r=C3=A1ny?= Date: Fri, 16 Aug 2024 15:07:10 +0200 Subject: [PATCH 5/6] feat: add some chatgpt translated slovak attributes description --- src/Language/en/FreeRadius.php | 34 +++++++++++++++++++--------------- src/Language/sk/FreeRadius.php | 22 +++++++++++++++++++++- 2 files changed, 40 insertions(+), 16 deletions(-) diff --git a/src/Language/en/FreeRadius.php b/src/Language/en/FreeRadius.php index f0c390c..0b72a88 100644 --- a/src/Language/en/FreeRadius.php +++ b/src/Language/en/FreeRadius.php 
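Review bot: In PATCH 4/6 the corrected case is re-added at the top of the case list, directly under `getFramedMtuMax()` and above `UserPassword`, rather than where the misspelled `MSHAPMPPEKeys` was removed in the second hunk. Putting `case MSCHAPMPPEKeys = 'MS-CHAP-MPPE-Keys';` back immediately before `case MSCHAPNTEncPW` would keep the MS-CHAP cases together and reduce the fix to a one-line rename. The diffstat covers only these five lines, so any use of the old name outside the hunks (an arm in `toDescription()`, a language key, code that stores case names) would now point at a case that no longer exists; a search for `MSHAPMPPEKeys` before merging would settle it. The enum body starts and ends outside both hunks.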
@@ -15,21 +15,25 @@ 'ciscoFramedRoute' => 'Provides routing information to be configured for the user on this network access server. The RADIUS RFC format (net/bits [router [metric]]) and the old style dotted mask (net mask [router [metric]]) are supported. If the device field is omitted or 0, the peer IP address is used. Metrics are currently ignored. This attribute is access-request packets.', 'ciscoServiceInfo' => 'CiscoServiceInfo provides information about the service parameters for Cisco devices.', - 'AcctDelayTime' => 'This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)', - 'AcctInputGigawords' => 'This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.', - 'AcctAuthentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. 
Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.', - 'AcctInputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'AcctInputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'AcctInterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. This value can only appear in the Access-Accept message.', - 'AcctLinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.', - 'AcctMultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. 
It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.', - 'AcctOutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'AcctOutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'AcctSessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.', - 'AcctSessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'AcctStatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.', - 'AcctTerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', - 'AcctTunnelConnection' => 'This Attribute indicates the identifier assigned to the tunnel session. 
It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Start, Stop or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel- Server-Endpoint attributes [3], may be used to provide a means to uniquely identify a tunnel session for auditing purposes.', + 'AcctDelayTime' => 'This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)', + 'AcctInputGigawords' => 'This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.', + 'AcctAuthentic' => 'This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.', + 'AcctInputOctets' => 'This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctInputPackets' => 'This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctInterimInterval' => 'This attribute indicates the number of seconds between each interim update in seconds for this specific session. 
This value can only appear in the Access-Accept message.', + 'AcctLinkCount' => 'This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.', + 'AcctMultiSessionId' => 'This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.', + 'AcctOutputOctets' => 'This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctOutputPackets' => 'This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctSessionId' => 'This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.', + 'AcctSessionTime' => 'This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctStatusType' => 'This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). 
It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.', + 'AcctTerminateCause' => 'This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.', + 'AcctTunnelConnection' => 'This Attribute indicates the identifier assigned to the tunnel session. It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Start, Stop or any of the values described above. This attribute, along with the Tunnel-Client-Endpoint and Tunnel- Server-Endpoint attributes [3], may be used to provide a means to uniquely identify a tunnel session for auditing purposes.', + 'AcctUniqueId' => 'The acctUniqueId attribute is used to uniquely identify a specific accounting request or session in RADIUS accounting packets. This attribute is particularly useful for tracking and correlating accounting records across multiple systems. It ensures that each accounting request can be uniquely identified and distinguished from others, even if they are part of the same session or originate from the same user. This helps in accurately matching and reconciling accounting data, preventing duplication and ensuring consistent accounting records. The acctUniqueId attribute is typically included in Accounting-Request and Accounting-Response packets.', + 'AcctInterval' => 'The acctInterval attribute specifies the time interval, in seconds, between consecutive accounting records for a particular user session. This attribute helps in defining how frequently accounting updates should be sent to the RADIUS server. 
It is used to manage and control the granularity of accounting information for network access or services.', + 'AcctOutputGigawords' => 'This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.', + 'AcctTunnelPacketsLost' => 'This Attribute indicates the number of packets lost on a given link. It SHOULD be included in Accounting-Request packets which contain an Acct-Status-Type attribute having the value Tunnel-Link-Stop.', 'ARAPChallengeResponse' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and contains the response to the dial-in client\'s challenge.', 'ARAPFeatures' => 'This attribute is sent in an Access-Accept packet with Framed-Protocol of ARAP, and includes password information that the NAS should sent to the user in an ARAP "feature flags" packet.', diff --git a/src/Language/sk/FreeRadius.php b/src/Language/sk/FreeRadius.php index 7d5f518..463a292 100644 --- a/src/Language/sk/FreeRadius.php +++ b/src/Language/sk/FreeRadius.php 
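Review bot: The new `AcctUniqueId` and `AcctInterval` strings make claims that nothing on this page sources, unlike the RFC-worded neighbours. In particular, the closing sentence of `AcctUniqueId`, `The acctUniqueId attribute is typically included in Accounting-Request and Accounting-Response packets.`, should be dropped or backed by a reference, since operators rely on these descriptions when choosing attributes. `AcctInterval` reads almost the same as the existing `AcctInterimInterval` entry in this hunk, so its text should state how the two differ; if, as the names suggest, both new keys are server-side accounting fields rather than wire attributes, the description should say that. Most of the other removed and re-added lines appear to differ only in whitespace, which buries the four real additions; a separate re-indent commit would make this reviewable.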
@@ -6,6 +6,26 @@ 'accessReject' => 'Pristup zamietnutý', ], 'atrributeDescription' => [ - 'nasIpAddress' => 'Tento atribút označuje identifikačnú IP adresu NAS, ktorá žiada o autentifikáciu používateľa, a MALA by byť jedinečná pre NAS v rámci dosahu servera RADIUS. NAS-IP-Adresa sa používa iba v paketoch Access-Request. Buď NAS-IP-Adresa alebo NAS-Identifier MUSÍ byť prítomný v pakete Access-Request. Všimnite si, že NAS-IP-Adresa by NEMALA byť použitá na výber zdieľaného tajomstva použitého na autentifikáciu požiadavky. Zdrojová IP adresa paketu Access-Request MUSÍ byť použitá na výber zdieľaného tajomstva.', + 'NASIpAddress' => 'Tento atribút označuje identifikačnú IP adresu NAS, ktorá žiada autentifikáciu používateľa, a MALA BY byť jedinečná pre NAS v rámci RADIUS servera. NAS-IP-Address sa používa iba v Access-Request paketo. Buď NAS-IP-Address, alebo NAS-Identifier MUSÍ byť prítomný v Access-Request pakete. Upozorňujeme, že NAS-IP-Address NESMIE byť použitá na výber zdieľaného tajomstva používaného na autentifikáciu požiadavky. Na výber zdieľaného tajomstva MUSÍ byť použitá zdrojová IP adresa Access-Request paketu.', + 'cleartextPassword' => 'Špecifikuje používateľské heslo v čistej forme. Tento atribút sa zvyčajne používa počas autentifikačných procesov na overenie identity používateľa.', + 'fallThrough' => 'Atribút Fall-Through by sa mal používať v zozname odpovedí. Ak je jeho hodnota nastavená na Áno v konkrétnom zázname, znamená to, že Radius bude pokračovať v hľadaní ďalších záznamov, aj keď súčasný záznam zodpovedá požiadavke. Môže sa použiť na poskytovanie predvolených hodnôt pre niekoľko profilov', + 'simultaneousUse' => 'Tento atribút špecifikuje maximálny počet súčasných prihlásení, ktoré má používateľ povolené. 
Keď je používateľ prihlásený tento počet krát, všetky ďalšie pokusy o prihlásenie sú zamietnuté,', + 'ciscoAVPair' => 'CiscoAVPair umožňuje prenos informácií špecifických pre výrobcu v paktoch RADIUS.', + 'ciscoNASPort' => 'Ukazuje fyzické číslo portu sieťového prístupového servera, ktorý autentizuje používateľa. Hodnota NAS-Port (32 bitov) pozostáva z jedného alebo dvoch 16-bitových čísel (v závislosti od nastavenia príkazu radius-server extended-portnames). Každé 16-bitové číslo by sa malo považovať za 5-ciferné desatinné číslo.', + 'ciscoFramedRoute' => 'Poskytuje smerovacie informácie na konfiguráciu pre používateľa na tomto sieťovom prístupovom serveri. Podporovaný je formát RFC RADIUS (net/bits [router [metric]]) a starý štýl bodkovanej masky (net mask [router [metric]]). Ak je pole zariadenia vynechané alebo 0, použije sa IP adresa páru. Metódy sa v súčasnosti ignorujú. Tento atribút sa nachádza v Access-Request paketoch.', + 'ciscoServiceInfo' => 'CiscoServiceInfo poskytuje informácie o parametroch služby pre zariadenia Cisco.', + + 'AcctDelayTime' => 'Tento atribút udáva, koľko sekúnd sa klient snažil odoslať tento záznam, a môže byť odpočítaný od času príchodu na server, aby sa zistil približný čas udalosti, ktorá tento Accounting-Request vygenerovala. (Čas sieťového prenosu sa ignoruje.)', + 'AcctInputGigawords' => 'Tento atribút udáva, koľkokrát sa čítač Acct-Input-Octets pretočil okolo hodnoty 2^32 počas poskytovania tejto služby a môže byť prítomný iba v záznamoch Accounting-Request, kde je nastavený typ stavu účtovania (Acct-Status-Type) na Stop alebo Interim-Update.', + 'AcctAuthentic' => 'Tento atribút MÔŽE byť zahrnutý v požiadavke na účtovanie (Accounting-Request), aby naznačil, ako bol používateľ autentifikovaný, či už pomocou RADIUS, samotného NAS, alebo iného vzdialeného autentifikačného protokolu. 
Používatelia, ktorí dostávajú službu bez autentifikácie, by NEMALI generovať záznamy účtovania.', + 'AcctInputOctets' => 'Tento atribút označuje počet oktetov, ktoré boli prijaté z portu počas poskytovania tejto služby, a môže sa objaviť iba v záznamoch účtovania (Accounting-Request), kde je typ stavu účtovania (Acct-Status-Type) nastavený na Stop.', + 'AcctInputPackets' => 'Tento atribút označuje počet paketov, ktoré boli prijaté z portu počas poskytovania tejto služby používateľovi, ktorý je rámcovaný (Framed User), a môže sa objaviť iba v záznamoch účtovania (Accounting-Request), kde je typ stavu účtovania (Acct-Status-Type) nastavený na Stop.', + 'AcctInterimInterval' => 'Tento atribút označuje počet sekúnd medzi každou medzičasovou aktualizáciou pre túto konkrétnu reláciu. Táto hodnota sa môže objaviť iba v správe Access-Accept.', + 'AcctLinkCount' => 'Tento atribút uvádza počet odkazov, ktoré sú známe, že boli v daných viaclinkových reláciách v čase vytvorenia účtovacieho záznamu. NAS MÔŽE zahrnúť atribút Acct-Link-Count do akéhokoľvek Accounting-Request, ktorý môže mať viacero odkazov.', + 'AcctMultiSessionId' => 'Tento atribút je unikátny identifikátor účtovania, ktorý uľahčuje prepojenie viacerých súvisiacich relácií v súboroch s logmi. Každá prepojená relácia bude mať unikátny Acct-Session-Id, ale rovnaký Acct-Multi-Session-Id. Odporúča sa, aby Acct-Multi-Session-Id obsahoval znaky kódované v UTF-8 podľa normy 10646 [7].', + 'AcctOutputOctets' => 'Tento atribút ukazuje, koľko oktetov bolo odoslaných na port počas poskytovania tejto služby a môže byť prítomný iba v záznamoch Accounting-Request, kde je Acct-Status-Type nastavený na Stop.', + + + ], ]; From 2c7404949e9e1dd1387c4461328b3c9db319e193 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=BA=C5=A1=20B=C3=A1r=C3=A1ny?= Date: Fri, 16 Aug 2024 15:09:07 +0200 Subject: [PATCH 6/6] fix: attributeDescription typo --- src/Language/sk/FreeRadius.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/Language/sk/FreeRadius.php b/src/Language/sk/FreeRadius.php
index 463a292..c5b6070 100644
--- a/src/Language/sk/FreeRadius.php
+++ b/src/Language/sk/FreeRadius.php
@@ -5,7 +5,7 @@
 'accessAccept' => 'Pristup schválený',
 'accessReject' => 'Pristup zamietnutý',
 ],
- 'atrributeDescription' => [
+ 'attributeDescription' => [
 'NASIpAddress' => 'Tento atribút označuje identifikačnú IP adresu NAS, ktorá žiada autentifikáciu používateľa, a MALA BY byť jedinečná pre NAS v rámci RADIUS servera. NAS-IP-Address sa používa iba v Access-Request paketo. Buď NAS-IP-Address, alebo NAS-Identifier MUSÍ byť prítomný v Access-Request pakete. Upozorňujeme, že NAS-IP-Address NESMIE byť použitá na výber zdieľaného tajomstva používaného na autentifikáciu požiadavky. Na výber zdieľaného tajomstva MUSÍ byť použitá zdrojová IP adresa Access-Request paketu.',
 'cleartextPassword' => 'Špecifikuje používateľské heslo v čistej forme. Tento atribút sa zvyčajne používa počas autentifikačných procesov na overenie identity používateľa.',
 'fallThrough' => 'Atribút Fall-Through by sa mal používať v zozname odpovedí. Ak je jeho hodnota nastavená na Áno v konkrétnom zázname, znamená to, že Radius bude pokračovať v hľadaní ďalších záznamov, aj keď súčasný záznam zodpovedá požiadavke. Môže sa použiť na poskytovanie predvolených hodnôt pre niekoľko profilov',