Skip to main contentSkip to search
Skip to main content

Attributes

RADIUS attributes are name-value pairs defined by the RADIUS protocol (RFC 2865) that carry authentication, authorization, and accounting information between a network access server and a RADIUS server. They control how users connect to a network by specifying settings such as bandwidth limits, VLAN assignments, session timeouts, and time-based access restrictions.

Use attributes in IronWiFi to set bandwidth limits, assign VLANs, enforce session timeouts, and restrict access based on time or usage.

Attribute Types

Check Attributes

Check attributes are evaluated during authentication. The RADIUS server compares received values against pre-defined values.

Use cases:

  • Password verification
  • Time-based access control
  • Session limits

Reply Attributes

Reply attributes are sent back to the NAS/Controller when authentication succeeds.

Use cases:

  • Bandwidth limits
  • VLAN assignment
  • Session timeouts

Common Attributes

Authentication

AttributeTypeDescription
Cleartext-Password
checkUser's password in clear text
User-Password
checkEncrypted password
NT-Password
checkNTLM hash for MS-CHAPv2
Auth-Type
checkAuthentication method to use

Session Control

AttributeTypeValueDescription
Session-Timeout
replysecondsMaximum session duration
Idle-Timeout
replysecondsDisconnect after idle time
Acct-Interim-Interval
replysecondsAccounting update interval
Simultaneous-Use
checknumberMax concurrent sessions

Bandwidth Control

AttributeTypeValueDescription
WISPr-Bandwidth-Max-Down
replybpsMaximum download speed
WISPr-Bandwidth-Max-Up
replybpsMaximum upload speed
Mikrotik-Rate-Limit
replystringMikroTik-specific rate limit

VLAN Assignment

AttributeTypeValueDescription
Tunnel-Type
replyVLANSet to VLAN for VLAN assignment
Tunnel-Medium-Type
replyIEEE-802Medium type
Tunnel-Private-Group-Id
replyVLAN IDThe VLAN to assign

Time Restrictions

AttributeTypeValueDescription
Login-Time
checktime specWhen user can authenticate

Time specification format:

  • Wk0900-1700
    - Weekdays 9 AM to 5 PM
  • Sa,Su
    - Weekends only
  • Al
    or 
    Any
    - All times

Operators

OperatorSymbolDescription
Attribute
=
Match exactly
Add
+=
Add to list
Assign
:=
Assign (overwrite)
Equal
==
Comparison equality
Not Equal
!=
Not equal
Less Than
<
Less than
Greater Than
>
Greater than
Less or Equal
<=
Less than or equal
Greater or Equal
>=
Greater than or equal
Regex Match
=~
Regular expression match
Regex Not Match
!~
Regex doesn't match

Vendor-Specific Attributes (VSA)

IronWiFi supports VSAs for many vendors:

Cisco

  • Cisco-AVPair
  • Cisco-Command

Microsoft

  • MS-MPPE-Send-Key
  • MS-MPPE-Recv-Key

MikroTik

  • Mikrotik-Rate-Limit
  • Mikrotik-Group
  • Mikrotik-Wireless-PSK

Ubiquiti

Ubiquiti uses standard attributes but may require specific configurations.

Adding Attributes

To a User

  1. Navigate to Users > select user
  2. Click Add Attribute
  3. Search or browse for the attribute
  4. Select table (check or reply)
  5. Choose operator
  6. Enter value
  7. Click Save

IronWiFi Console add attribute dialog with table and operator selection

To a Group

  1. Navigate to Users > Groups > select group
  2. Click Add Attribute
  3. Configure as above

IronWiFi Console attribute configuration on a group

Best Practices

  1. Start simple - Begin with basic attributes and add complexity as needed
  2. Test thoroughly - Verify attributes work with your specific hardware
  3. Use groups - Apply common attributes via groups rather than individually
  4. Document - Keep notes on what each attribute configuration achieves
  5. Check vendor docs - Some attributes are vendor-specific

Troubleshooting

Attributes Not Applied

  1. Verify the attribute is supported by your hardware
  2. Check the operator is correct
  3. Ensure the attribute is in the reply table (not check)
  4. Review group priority if using multiple groups

Conflicting Attributes

When multiple attributes of the same type exist:

  • Last-applied typically wins
  • Group priority determines order
  • User-level attributes override group attributes

Was this page helpful?