| Attribute | Type | Value type | Vendor | Vendor type | Description |
| User-Name | 1 | RADSTR | | | Indicates the name of the user to be authenticated. |
| User-Password | 2 | RADSTR | | | Indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. |
| CHAP-Password | 3 | RADSTR | | | Indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. |
| NAS-IP-Address | 4 | RADIP | | | Indicates the identifying IP Address of the NAS which is requesting authentication of the user. |
| NAS-Port | 5 | RADINT | | | Indicates the physical port number of the NAS which is authenticating the user. |
| Service-Type | 6 | RADINT | | | Indicates the type of service the user has requested, or the type of service to be provided. |
| Framed-Protocol | 7 | RADINT | | | Indicates the framing to be used for framed access. |
| Framed-IP-Address | 8 | RADIP | | | Indicates the address to be configured for the user. |
| Framed-IP-Netmask | 9 | RADIP | | | Indicates the IP netmask to be configured for the user when the user is a router to a network. |
| Framed-Routing | 10 | RADINT | | | Indicates the routing method for the user, when the user is a router to a network. |
| Filter-Id | 11 | RADTXT | | | Indicates the name of the filter list for this user. |
| Framed-MTU | 12 | RADINT | | | Indicates the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). |
| Framed-Compression | 13 | RADINT | | | Indicates a compression protocol to be used for the link. |
| Login-IP-Host | 14 | RADIP | | | Indicates the system with which to connect the user,
when the Login-Service Attribute is included. |
| Login-Service | 15 | RADINT | | | Indicates the service to use to connect the user to the login host. |
| Login-TCP-Port | 16 | RADINT | | | Indicates the TCP port with which the user is to be connected, when the Login-Service Attribute is also present. |
| Reply-Message | 18 | RADTXT | | | Indicates text which may be displayed to the user. |
| Callback-Number | 19 | RADSTR | | | Indicates a dialing string to be used for callback. |
| Callback-Id | 20 | RADSTR | | | Indicates the name of a place to be called, to be interpreted by the NAS. |
| Framed-Route | 22 | RADTXT | | | Provides routing information to be configured for the user on the NAS. |
| Framed-IPX-Network | 23 | RADSTR | | | Indicates the IPX Network number to be configured for the user. |
| State | 24 | RADSTR | | | Is available to be sent by the server to the client
in an Access-Challenge and must be sent unmodified from the client
to the server in the new Access-Request reply to that challenge, if
any. |
| Class | 25 | RADSTR | | | Is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. |
| Session-Timeout | 27 | RADINT | | | Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. |
| Idle-Timeout | 28 | RADINT | | | Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. |
| Termination-Action | 29 | RADINT | | | Indicates what action the NAS should take when the specified service is completed. |
| Called-Station-Id | 30 | RADSTR | | | Allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. |
| Calling-Station-Id | 31 | RADSTR | | | Allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. |
| NAS-Identifier | 32 | RADSTR | | | Contains a string identifying the NAS originating the Access-Request. |
| Proxy-State | 33 | RADSTR | | | Is available to be sent by a proxy server to another server when forwarding an Access-Request and must be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. |
| Login-LAT-Service | 34 | RADSTR | | | Indicates the system with which the user is to be connected by LAT. |
| Login-LAT-Node | 35 | RADSTR | | | Indicates the Node with which the user is to be automatically connected by LAT. |
| Login-LAT-Group | 36 | RADSTR | | | Contains a string identifying the LAT group codes which this user is authorized to use. |
| Framed-AppleTalk-Link | 37 | RADINT | | | Indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. |
| Framed-AppleTalk-Network | 38 | RADINT | | | Indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. |
| Framed-AppleTalk-Zone | 39 | RADSTR | | | Indicates the AppleTalk Default Zone to be used for this user. |
| Acct-Status-Type | 40 | RADINT | | | Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). |
| Acct-Delay-Time | 41 | RADINT | | | Indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. |
| Acct-Input-Octets | 42 | RADINT | | | Indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
| Acct-Output-Octets | 43 | RADINT | | | Indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
| Acct-Session-Id | 44 | RADTXT | | | Is a unique Accounting ID to make it easy to match start and stop records in a log file. |
| Acct-Authentic | 45 | RADINT | | | May be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. |
| Acct-Session-Time | 46 | RADINT | | | Indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
| Acct-Input-Packets | 47 | RADINT | | | Indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
| Acct-Output-Packets | 48 | RADINT | | | Indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
| Acct-Termination-Cause | 49 | RADINT | | | Indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop. |
| Acct-Multi-Session-Id | 50 | RADSTR | | | Is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. |
| Acct-Link-Count | 51 | RADINT | | | Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. |
| Acct-Input-Gigawords | 52 | RADINT | | | Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. |
| Acct-Output-Gigawords | 53 | RADINT | | | Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. |
| Event-Timestamp | 55 | RADDATE | | | Is included in an Accounting-Request packet to record the time that this event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC. |
| CHAP-Challenge | 60 | RADSTR | | | Contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. |
| NAS-Port-Type | 61 | RADINT | | | Indicates the type of the physical port of the NAS which is authenticating the user. |
| Port-Limit | 62 | RADINT | | | Sets the maximum number of ports to be provided to the user by the NAS. |
| Login-LAT-Port | 63 | RADSTR | | | Indicates the Port with which the user is to be connected by LAT. |
| Tunnel-Type | 64 | RADINT | | | Indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the the tunneling protocol in use (in the case of a tunnel terminator). |
| Tunnel-Medium-Type | 65 | RADINT | | | Indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. |
| Tunnel-Client-Endpoint | 66 | RADSTR | | | Contains the address of the initiator end of the tunnel. |
| Tunnel-Server-Endpoint | 67 | RADSTR | | | Indicates the address of the server end of the tunnel. |
| Acct-Tunnel-Connection | 68 | RADSTR | | | Indicates the identifier assigned to the tunnel session. |
| Tunnel-Password | 69 | RADSTR | | | May contain a password to be used to authenticate to a remote server. |
| ARAP-Password | 70 | RADSTR | | | Contains a 16 octet string, used to carry the dial-in user's response to the NAS challenge and the client's own challenge to the NAS. |
| ARAP-Features | 71 | RADSTR | | | Includes password information that the NAS should sent to the user in an ARAP "feature flags" packet. |
| ARAP-Zone-Access | 72 | RADINT | | | Indicates how the ARAP zone list for the user should be used. |
| ARAP-Security | 73 | RADINT | | | Identifies the ARAP Security Module to be used in an Access-Challenge packet. |
| ARAP-Security-Data | 74 | RADSTR | | | Contains the actual security module challenge or response. |
| Password-Retry | 75 | RADINT | | | May be included in an Access-Reject to indicate how many authentication attempts a user may be allowed to attempt before being disconnected. |
| Prompt | 76 | RADINT | | | Indicates to the NAS whether it should echo the user's response as it is entered, or not echo it. |
| Connect-Info | 77 | RADTXT | | | Is sent from the NAS to indicate the nature of the user's connection. |
| Configuration-Token | 78 | RADSTR | | | Is for use in large distributed authentication networks based on proxy. It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept to indicate a type of user profile to be used. |
| EAP-Message | 79 | RADSTR | | | Encapsulates Extended Access Protocol packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol. |
| Message-Authenticator | 80 | RADSTR | | | May be used to sign Access-Requests to prevent spoofing Access-Requests using CHAP, ARAP or EAP authentication methods. |
| Tunnel-Private-Group-ID | 81 | RADSTR | | | Indicates the group ID for a particular tunneled session. |
| Tunnel-Assignment-ID | 82 | RADSTR | | | Is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. |
| Tunnel-Preference | 83 | RADINT | | | If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator, this attribute should be included in each set to indicate the relative preference assigned to each tunnel. |
| ARAP-Challenge-Response | 84 | RADSTR | | | Contains the response to the dial-in client's challenge. |
| Acct-Interim-Interval | 85 | RADINT | | | Indicates the number of seconds between each interim update in seconds for this specific session. |
| Acct-Tunnel-Packets-Lost | 86 | RADINT | | | Indicates the number of packets lost on a given link. |
| NAS-Port-ID | 87 | RADTXT | | | Contains a text string which identifies the port of the NAS which is authenticating the user. |
| Framed-Pool | 88 | RADSTR | | | Contains the name of an assigned address pool that should be used to assign an address for the user. |
| Tunnel-Client-Auth-ID | 90 | RADSTR | | | Specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. |
| Tunnel-Server-Auth-ID | 91 | RADSTR | | | Specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. |
| NAS-IPv6-Address | 95 | RADSTR | | | Indicates the identifying IPv6 Address of the NAS which is requesting authentication of the user. |
| Framed-Interface-Id | 96 | RADSTR | | | Indicates the IPv6 interface identifier to be configured for the user. |
| Framed-IPv6-Prefix | 97 | RADSTR | | | Indicates an IPv6 prefix (and corresponding route) to be configured for the user. |
| Login-IPv6-Host | 98 | RADSTR | | | Indicates the system with which to connect the user, when the Login-Service Attribute is included. |
| Framed-IPv6-Route | 99 | RADTXT | | | Provides routing information to be configured for the user on the NAS. |
| Framed-IPv6-Pool | 100 | RADSTR | | | Contains the name of an assigned pool that should be used to assign an IPv6 prefix for the user. |
| MS-CHAP-Response | 26 | RADSTR | Microsoft | 1 | Contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. |
| MS-CHAP-Error | 26 | RADSTR | Microsoft | 2 | Contains error data related to the preceding MS-CHAP exchange. |
| MS-CHAP-CPW-1 | 26 | RADSTR | Microsoft | 3 | Allows the user to change their password if it has expired. |
| MS-CHAP-CPW-2 | 26 | RADSTR | Microsoft | 4 | Allows the user to change their password if it has expired. |
| MS-CHAP-LM-Enc-PW | 26 | RADSTR | Microsoft | 5 | Contains the new Windows NT password encrypted with the old LAN Manager password hash. |
| MS-CHAP-NT-Enc-PW | 26 | RADSTR | Microsoft | 6 | Contains the new Windows NT password encrypted with the old Windows NT password hash. |
| MS-MPPE-Encryption-Policy | 26 | RADINT | Microsoft | 7 | May be used to signify whether the use of encryption is allowed or required. |
| MS-MPPE-Encryption-Type | 26 | RADSTR | Microsoft | 8 | Is used to signify the types of encryption available for use with MPPE. |
| MS-RAS-Vendor | 26 | RADINT | Microsoft | 9 | Is used to indicate the manufacturer of the RADIUS client machine. |
| MS-CHAP-Domain | 26 | RADSTR | Microsoft | 10 | Indicates the Windows NT domain in which the user was authenticated. |
| MS-CHAP-Challenge | 26 | RADSTR | Microsoft | 11 | Contains the challenge sent by a NAS to a Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user. |
| MS-CHAP-MPPE-Keys | 26 | RADSTR | Microsoft | 12 | Contains two session keys for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). |
| MS-BAP-Usage | 26 | RADINT | Microsoft | 13 | Describes whether the use of BAP is allowed, disallowed or required on new multilink calls. |
| MS-Link-Utilization-Threshold | 26 | RADINT | Microsoft | 14 | Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. |
| MS-Link-Drop-Time-Limit | 26 | RADINT | Microsoft | 15 | Indicates the length of time (in seconds) that a link must be underutilized before it is dropped. |
| MS-MPPE-Send-Key | 26 | RADSTR | Microsoft | 16 | Contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). |
| MS-MPPE-Recv-Key | 26 | RADSTR | Microsoft | 17 | Contains a session key for use by the Microsoft Point-to-Point Encryption Protocol (MPPE). |
| MS-RAS-Version | 26 | RADSTR | Microsoft | 18 | Is used to indicate the version of the RADIUS client software. |
| MS-Old-ARAP-Password | 26 | RADSTR | Microsoft | 19 | Is used to transmit the old ARAP password during an ARAP password change operation. |
| MS-New-ARAP-Password | 26 | RADSTR | Microsoft | 20 | Is used to transmit the new ARAP password during an ARAP password change operation. |
| MS-ARAP-PW-Change-Reason | 26 | RADINT | Microsoft | 21 | Is used to indicate reason for a server-initiated password change. |
| MS-Filter | 26 | RADSTR | Microsoft | 22 | Is used to transmit traffic filters. |
| MS-Acct-Auth-Type | 26 | RADINT | Microsoft | 23 | Is used to represent the method used to authenticate the dial-up user. |
| MS-Acct-EAP-Type | 26 | RADINT | Microsoft | 24 | is used to represent the Extensible Authentication Protocol (EAP) type used to authenticate the dial-up user. |
| MS-CHAP2-Response | 26 | RADSTR | Microsoft | 25 | Contains the response value provided by an MS-CHAP-V2 peer in response to the challenge. |
| MS-CHAP2-Success | 26 | RADSTR | Microsoft | 26 | Contains a 42-octet authenticator response string. |
| MS-CHAP2-CPW | 26 | RADSTR | Microsoft | 27 | Allows the user to change their password if it has expired. |
| MS-Primary-DNS-Server | 26 | RADIP | Microsoft | 28 | Is used to indicate the address of the primary Domain Name Server (DNS) server to be used by the PPP peer. |
| MS-Secondary-DNS-Server | 26 | RADIP | Microsoft | 29 | Is used to indicate the address of the secondary DNS server to be used by the PPP peer. |
| MS-Primary-NDNS-Server | 26 | RADIP | Microsoft | 30 | is used to indicate the address of the primary NetBIOS Name Server (NBNS) server to be used by the PPP peer. |
| MS-Secondary-NBNS-Server | 26 | RADIP | Microsoft | 31 | Is used to indicate the address of the secondary DNS server to be used by the PPP peer. |
| MS-ARAP-Challenge | 26 | RADSTR | Microsoft | 33 | Contains the challenge (as two 4-octet quantities) sent by the NAS to the peer. |