Attributes

Attributes are RADIUS protocol settings that control user sessions and instruct your network equipment. Use attributes to set bandwidth limits, assign VLANs, enforce session timeouts, and restrict access based on time or usage.

Attribute Types

Check Attributes

Check attributes are evaluated during authentication. The RADIUS server compares received values against pre-defined values.

Use cases:

Password verification
Time-based access control
Session limits

Reply Attributes

Reply attributes are sent back to the NAS/Controller when authentication succeeds.

Use cases:

Bandwidth limits
VLAN assignment
Session timeouts

Common Attributes

Authentication

Attribute	Type	Description
`Cleartext-Password`	check	User's password in clear text
`User-Password`	check	Encrypted password
`NT-Password`	check	NTLM hash for MS-CHAPv2
`Auth-Type`	check	Authentication method to use

Session Control

Attribute	Type	Value	Description
`Session-Timeout`	reply	seconds	Maximum session duration
`Idle-Timeout`	reply	seconds	Disconnect after idle time
`Acct-Interim-Interval`	reply	seconds	Accounting update interval
`Simultaneous-Use`	check	number	Max concurrent sessions

Bandwidth Control

Attribute	Type	Value	Description
`WISPr-Bandwidth-Max-Down`	reply	bps	Maximum download speed
`WISPr-Bandwidth-Max-Up`	reply	bps	Maximum upload speed
`Mikrotik-Rate-Limit`	reply	string	MikroTik-specific rate limit

VLAN Assignment

Attribute	Type	Value	Description
`Tunnel-Type`	reply	VLAN	Set to VLAN for VLAN assignment
`Tunnel-Medium-Type`	reply	IEEE-802	Medium type
`Tunnel-Private-Group-Id`	reply	VLAN ID	The VLAN to assign

Time Restrictions

Attribute	Type	Value	Description
`Login-Time`	check	time spec	When user can authenticate

Time specification format:

Wk0900-1700 - Weekdays 9 AM to 5 PM
Sa,Su - Weekends only
Al or Any - All times

Operators

Operator	Symbol	Description
Attribute	`=`	Match exactly
Add	`+=`	Add to list
Assign	`:=`	Assign (overwrite)
Equal	`==`	Comparison equality
Not Equal	`!=`	Not equal
Less Than	`<`	Less than
Greater Than	`>`	Greater than
Less or Equal	`<=`	Less than or equal
Greater or Equal	`>=`	Greater than or equal
Regex Match	`=~`	Regular expression match
Regex Not Match	`!~`	Regex doesn't match

Vendor-Specific Attributes (VSA)

IronWifi supports VSAs for many vendors:

Cisco

Cisco-AVPair
Cisco-Command

Microsoft

MS-MPPE-Send-Key
MS-MPPE-Recv-Key

MikroTik

Mikrotik-Rate-Limit
Mikrotik-Group
Mikrotik-Wireless-PSK

Ubiquiti

Ubiquiti uses standard attributes but may require specific configurations.

Adding Attributes

To a User

Navigate to Users > select user
Click Add Attribute
Search or browse for the attribute
Select table (check or reply)
Choose operator
Enter value
Click Save

To a Group

Navigate to Users > Groups > select group
Click Add Attribute
Configure as above

Best Practices

Start simple - Begin with basic attributes and add complexity as needed
Test thoroughly - Verify attributes work with your specific hardware
Use groups - Apply common attributes via groups rather than individually
Document - Keep notes on what each attribute configuration achieves
Check vendor docs - Some attributes are vendor-specific

Troubleshooting

Attributes Not Applied

Verify the attribute is supported by your hardware
Check the operator is correct
Ensure the attribute is in the reply table (not check)
Review group priority if using multiple groups

Conflicting Attributes

When multiple attributes of the same type exist:

Last-applied typically wins
Group priority determines order
User-level attributes override group attributes

Attribute Types​

Check Attributes​

Reply Attributes​

Common Attributes​

Authentication​

Session Control​

Bandwidth Control​

VLAN Assignment​

Time Restrictions​

Operators​

Vendor-Specific Attributes (VSA)​

Cisco​

Microsoft​

MikroTik​

Ubiquiti​

Adding Attributes​

To a User​

To a Group​

Best Practices​

Troubleshooting​

Attributes Not Applied​

Conflicting Attributes​