Skip to main content
The RADIUS attribute picker is driven by a curated dictionary that the UI fetches from the RADIUS service. It includes standard RFC attributes, common vendor-specific attributes, and Altostrat system attributes used for quota behavior. Use the picker in the UI as the source of truth. It shows the current attribute name, vendor, description, tags, input type, select options, validation type, and allowed operators.

Dictionary Coverage

The current dictionary exposes 51 attributes across these vendors:
VendorCountCommon uses
Standard25Session timers, IP assignment, framed routes, service type, VLAN assignment, passwords, access control, and reply messages.
MikroTik4Rate limits, address lists, MikroTik groups, and delegated IPv6 pools.
WISPr2Bandwidth limits for wireless and hotspot environments.
Ubiquiti1Egress VLAN assignment.
Cisco1Cisco AVPair policy values.
Aruba3User role, user VLAN, and captive portal URL.
Ruckus3SSID and uplink/downlink rate limits.
Juniper5Local usernames, DNS, ingress policy, and egress policy.
Microsoft2Primary and secondary DNS server attributes.
System5Altostrat quota attributes.

Standard Attributes

Standard attributes include:
  • Session-Timeout
  • Idle-Timeout
  • Acct-Interim-Interval
  • Termination-Action
  • Framed-IP-Address
  • Framed-IP-Netmask
  • Framed-Route
  • Framed-Pool
  • Delegated-IPv6-Prefix
  • Framed-Protocol
  • Framed-MTU
  • Service-Type
  • NAS-Port-Type
  • Port-Limit
  • Tunnel-Private-Group-Id
  • Tunnel-Type
  • Tunnel-Medium-Type
  • Filter-Id
  • Reply-Message
  • Class
  • Login-LAT-Service
  • User-Password
  • CHAP-Password
  • Cleartext-Password
  • Code
Code is a response-control attribute used by the platform response flow. Most customer policy work uses the session, IP, service, VLAN, filtering, and vendor-specific attributes rather than editing Code directly.

Vendor Attributes

VendorAttributes
MikroTikMikrotik-Rate-Limit, Mikrotik-Address-List, Mikrotik-Group, Mikrotik-Delegated-IPv6-Pool
WISPrWISPr-Bandwidth-Max-Down, WISPr-Bandwidth-Max-Up
UbiquitiEgress-VLANID
CiscoCisco-AVPair
ArubaAruba-User-Role, Aruba-User-Vlan, Aruba-Captive-Portal-URL
RuckusRuckus-SSID, Ruckus-Downlink-Rate-Limit, Ruckus-Uplink-Rate-Limit
JuniperJuniper-Local-User-Name, Juniper-Primary-DNS, Juniper-Secondary-DNS, Juniper-Ingress-Policy-Name, Juniper-Egress-Policy-Name
MicrosoftMS-Primary-DNS-Server, MS-Secondary-DNS-Server

System Quota Attributes

Altostrat system attributes are used for quota-aware policy:
  • X-Octet-Quota
  • X-Quota-TTL
  • X-Quota-Reset-After
  • X-Quota-Carry-Over-Cycles
  • X-Quota-Expire-TTL
Quota attributes belong on groups, not individual users. The quota service reads group attributes, uses the lowest quota when multiple groups define one, and applies top-ups when calculating the effective allowance.
AttributePurpose
X-Octet-QuotaData quota in bytes.
X-Quota-TTLHours after which a quota resets.
X-Quota-Reset-AfterCron expression for the quota reset schedule.
X-Quota-Carry-Over-CyclesNumber of cycles unused quota can carry over.
X-Quota-Expire-TTLHours after usage begins before the quota expires entirely.

Operators

The UI supports these RADIUS operators where allowed by the selected attribute:
OperatorTypical meaning
:=Set or replace the attribute value.
==Match the request attribute value.
+=Add another value for multi-value attributes.
!=Match when a value is not equal.
>Match greater-than values.
>=Match greater-than-or-equal values.
<Match less-than values.
<=Match less-than-or-equal values.
The picker limits the operator list to what the selected attribute supports.

Input Types

Attributes render with an input type that matches their expected value:
  • Text.
  • Number.
  • Password.
  • IP address.
  • Select dropdown.
  • Duration in seconds.
  • Bandwidth in bps or kbps.
  • Storage in bytes.
  • URL.
For enumerated attributes such as Service-Type, NAS-Port-Type, Tunnel-Type, and Tunnel-Medium-Type, the UI shows friendly labels while storing the configured value.

Validation Limits

The picker and API enforce type checks and selected range checks. Current notable limits include:
AttributeAccepted range
Session-Timeout60 to 604800 seconds.
Idle-Timeout60 to 7200 seconds.
WISPr-Bandwidth-Max-Up and WISPr-Bandwidth-Max-Down8000 to 1000000000 bps.
Ruckus-Uplink-Rate-Limit and Ruckus-Downlink-Rate-Limit8 to 1000000 kbps.
Tunnel-Private-Group-Id, Aruba-User-Vlan, and Egress-VLANIDVLAN ID 1 to 4094.
X-Octet-Quota0 to 10995116277760 bytes.
X-Quota-TTL and X-Quota-Expire-TTL1 to 8760 hours.
X-Quota-Carry-Over-Cycles0 to 12 cycles.

Tags

Attributes are tagged for filtering and discovery. Current tags include session, accounting, ISP, IP, DHCP, routing, IPv6, network, service, authentication, NAS, access, limitation, Wi-Fi, VLAN, filtering, user experience, bandwidth, policy, firewall, hotspot, QoS, DNS, and quota.

Attribute Validation

The API validates attributes before saving users or groups. If an attribute is not in the supported dictionary, uses an unsupported operator, or has a value that does not match the expected type, the save request is rejected. Password-related attributes are supported for RADIUS protocol compatibility, but normal user credential changes should use the credential fields and reset flows in the UI. Do not use metadata or ad hoc attributes as a shared secret store.
When translating an existing FreeRADIUS deployment, create one group per reusable policy first. Then use the picker to recreate the check and reply attributes with the correct vendor dictionary and operator.