: Supported RADIUS Attribute Value Pairs (AVPs)
Focus
Focus

Supported RADIUS Attribute Value Pairs (AVPs)

Table of Contents

Supported RADIUS Attribute Value Pairs (AVPs)

Learn about the supported RADIUS server attribute value pairs.
Where Can I Use This?What Do I Need?
  • Prisma SD-WAN
  • Active Prisma SD-WAN license
RADIUS packets include a set of AVPs to identify information about the user and other attributes. You can override certain configurations from RADIUS server using the user policy. Supported AVPs are:
  • Dynamic VLAN
    You can choose to place different clients on different VLANs to limit the broadcast domain by configuring appropriate VLAN in each user profile. RFC 3580 defines the following Attribute Value Pairs (AVPs) to support dynamic VLAN.
    Tunnel-Type=VLAN (13) Tunnel-Medium-Type=802 Tunnel-Private-Group-ID=VLANID
    The VLAN ID must be pre-programmed on the ION device prior to receiving the AVP by creating the corresponding SVI. If the received dynamic VLAN is pre-configured, the switch port allows the traffic. If the received dynamic VLAN is not pre-configured, then the ION device raises an alarm. Until the issue is resolved, the port remains unauthorized and client traffic is blocked.
  • Re-authentication Timeout
    • The ION device authenticates or reinitializes the client after a session timeout based on the value of the Termination-Action.
    • The value RADIUS-Request (1) indicates that authentication occurs on expiration of the Session-Time.
    • The value Default (0) indicates that the session will terminate.
  • Idle Timeout
    On receiving the Idle Timeout AVP from the RADIUS server, the ION device does one of the following:
    • If the timeout value in the received Idle Timeout AVP is 0, then ION device adds the client as a static client, that is, the client will never age. If re-auth timer is configured, then the client is forced to re-authenticate when the timer expires.
    • If the timeout value is non-zero, then the ION device adds the client as a dynamic entry which will age based on the switch global aging timer. The Idle Timeout AVP value is discarded due to the switch limitation which cannot age clients differently.
    • If the Idle Timeout AVP is not present, then the ION device adds the client as a static client and the client will never age. If re-auth timer is configured, then the client is forced to re-authenticate when the timer expires.