Server-side Attributes

Server-side attributes are attributes that control the server’s behavior. It is frequently necessary to define these server-side attributes, while ensuring that information pertaining to server-side attributes never gets sent through the network in a RADIUS message. Server-side attributes should not be included in RADIUS messages, since these attributes are internal to server implementation.

Definitions for server-side attributes may vary by server vendor, or may vary even from one version of the same server to another. Only FreeRADIUS definitions for internal attributes are referenced in this document. Those definitions are generally the same across all versions of the server, but other vendors may have different implementations.

Information such as "use LDAP server X", or "remember that the user is in group Y" should be used to create local policy. This information should be stored in server-side attributes (also known as "non-protocol attributes").

Server-side attributes are presented using the same format as standard or vendor RADIUS attributes. This format gives the administrator the same control over internal aspects of the server behavior as over the server external responses. The server-side attribute information can be retrieved as part of one policy and checked later as part of another policy. For example, the policy can say "use LDAP server X for this request" and "respond with attribute X, value Y".

With the exception of certain VSAs, all attribute numbers have to be between 1 and 255. There are attributes, defined by the server, that exist outside of this range; these attributes are called server-side attributes, to emphasize that they exist solely on the server. These server-side attributes exist in a file called dictionary.freeradius.internal. These attributes are never seen in a request or sent in a response.

Server-side attributes add convenience in the form of the ability to refer to additional, non-RADIUS information exactly as if they were normal attributes. This convenience makes configuration file editing and parsing much easier, as concepts such as "now" or "user expiration time" can be referred to in the same way as "user name" or "password".

Since these attributes are server-side only, they have no meaning outside of the particular version of the server that has been installed. They cannot go into a RADIUS packet that the server sends, and they will never be seen in a packet that the server receives. Further, editing the attributes will create significant problems for the server, as the server binary contains hard-coded references to those attributes. Changing the server-side attributes in the dictionary file requires that the server source code be edited and recompiled as well.