How to get vendor-specific attribute value pairs

Arran Cudbard-Bell a.cudbardb at
Wed Jul 10 14:14:46 CEST 2013

On 10 Jul 2013, at 12:46, Mathieu Simon <mathieu.sim at> wrote:

> G'day list
> I have been tinkering with some Netgear managed L2/L3 switching stuff  and got the
> login working via freeradius (actually quite simple compared to EAP stuff for wireless).
> But when issuing "enable" after login, going into what they call "Privileged EXEC" mode
> it will - very similar to Cisco - send a request for a user $enab15$ to the radius server
> when FR doesn't send Cisco own attribute value pair for privileges.
> At leat defining such a user leads to working elevation to this privileged mode 
> but requires it instead of using the network admin's own password.
> In general a lot of commands on these Netgears are (very much) simiar to Cisco IOS
> where one can use "shell:priv-lvl=15" avpair during authentication so the Cisco switch/router 
> know privilege level of the logged in user and thus won't ask for a $enab15$ user.
> FreeRADIUS doesn't have a dictionnary for Netgear stuff yet, I don't think Netgear 
> copied Cisco's own AVpair use, but in case they do have own AV pairs, how do 
> you guys generally identify them?

By asking Netgear.

There's no way to query the NAS to determine which attributes it supports. Or to decode unknown VSAs into meaningful data. This is not a limitation of FreeRADIUS, but a limitation of the protocol.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list