Use of Service type attribute

Phil Mayers p.mayers at
Wed Apr 26 11:04:50 CEST 2006

Chandra mohan wrote:
> Hi,
> I am developing a RADIUS client for our embedded
> product. I would like the Radius client implementation
> to support the association of privilege level with
> individual accounts, e.g. the account "normal_user"
> has a privilege that allows read-only access while
> account "admin_user" has a privilege that allows
> read-write access(can changes our system
> configuration). 
> Is it possible to use "Service-Type" attribute for
> this purpose, with "Login" value for normal_user and
> "Administrative" for admin_user. Please clarify.

Yes it is possible, but it is wrong. RFC2865 states:

5.6.  Service-Type

        1      Login
        2      Framed
        3      Callback Login
        4      Callback Framed
        5      Outbound
        6      Administrative
        7      NAS Prompt
        8      Authenticate Only
        9      Callback NAS Prompt
       10      Call Check
       11      Callback Administrative


   Login               The user should be connected to a host.

   Administrative      The user should be granted access to the
                       administrative interface to the NAS from which
                       privileged commands can be executed.

   NAS Prompt          The user should be provided a command prompt
                       on the NAS from which non-privileged commands
                       can be executed.

So you should actually use "NAS Prompt" for read-only and 
"Administrative" for read-write. "Login" is something else entirely.

More information about the Freeradius-Users mailing list