radius

Configures RADIUS dictionary within the dictionary block.

Example configuration

One or more filename entries can be specified. When multiple files are specified, they are loaded in the order listed and merged together. If no dictionary is specified there will not be a dictionary. There is no automatic loading of default dictionary.

Single dictionary file:

radius {
    filename "dictionary/dictionary";
}

Multiple dictionary files:

radius {
    filename "/opt/radiator/server/dictionary";
    filename "/etc/radiator/conf.d/dictionary.vendor";
    filename "/etc/radiator/conf.d/dictionary.custom";
}

Dictionary File Format

The RADIUS dictionary is an ASCII text file where each definition occupies one line. A hash mark # marks the beginning of a comment. Comment and blank lines are ignored.

Example dictionary file content:

# Standard RADIUS attributes
ATTRIBUTE User-Name           1  string
ATTRIBUTE User-Password       2  binary encrypt=1
ATTRIBUTE NAS-IP-Address      4  ipaddr
ATTRIBUTE Service-Type        6  integer
ATTRIBUTE Framed-IP-Address   8  ipaddr

# Attribute values
VALUE Service-Type Login-User          1
VALUE Service-Type Framed-User         2
VALUE Service-Type Administrative-User 6

# Vendor-specific attributes
VENDOR Cisco 9

VENDORATTR 9 Cisco-AVPair 1 string

Supported Data Types

The following data types are supported for attribute definitions:

Integer Types (Fully Supported):

  • integer - Unsigned 32-bit integer
  • integer64 - 64-bit integer
  • uint32 - Unsigned 32-bit integer (alias for integer)
  • uint64 - Unsigned 64-bit integer (alias for integer64)
  • enum - Enumerated 32-bit integer (with VALUE definitions)

Integer Types (Limited Support - Treated as Binary):

The following integer types are FreeRADIUS extensions (not defined in RADIUS RFCs) and are accepted for dictionary compatibility. They are parsed but not decoded as integers at runtime - instead they are stored and logged as raw binary data (hex strings):

  • byte - 8-bit value
  • short - 16-bit value
  • integer8 - 8-bit integer
  • integer16 - 16-bit integer
  • signed - Signed 32-bit integer
  • signed-integer - Signed 32-bit integer (alias for signed)

Note: These types are rarely used in practice. Standard RADIUS (RFC 2865, RFC 2866) only defines 32-bit integers, with 64-bit integers added in RFC 6929. These smaller types exist mainly for FreeRADIUS dictionary completeness.

String and Binary Types:

  • string - Variable-length UTF-8 string
  • string[N] - Fixed-length string (N bytes)
  • binary - Binary data
  • octets - Binary octets
  • octets[N] - Fixed-length binary (N bytes)
  • abinary - Ascend binary format (treated as binary)
  • hexadecimal - Hexadecimal string (treated as binary)

Network Address Types (Fully Supported):

  • ipaddr - IPv4 address
  • ipv4prefix - IPv4 prefix (address/mask)
  • ipv6addr - IPv6 address
  • ipv6prefix - IPv6 prefix
  • ifid - Interface identifier (64-bit)

Network Address Types (Limited Support - Treated as Binary):

The following network types are FreeRADIUS extensions (not defined in RADIUS RFCs) and are accepted for dictionary compatibility. They are parsed but not decoded as network addresses at runtime - instead they are stored and logged as raw binary data (hex strings):

  • combo-ip - IPv4 or IPv6 address (length-dependent)
  • ipaddrv4v6 - IPv4 or IPv6 address (alias for combo-ip)
  • ether - Ethernet MAC address

Note: These types are rarely used in practice. Standard RADIUS (RFC 2865) defines ipaddr for IPv4 addresses. IPv6 support was added later in RFC 3162 with ipv6addr and ipv6prefix as distinct types. The RADIUS RFCs do not define MAC address or dual-stack address types.

Time Types:

  • date - Unix timestamp (seconds since 1970-01-01 00:00:00 GMT)
  • time_delta - Time interval (treated as binary)
  • boolean - Boolean value (treated as binary)

Structure Types:

  • tlv - Type-Length-Value container
  • vsa - Vendor-Specific Attribute
  • evs - Extended-Vendor-Specific
  • struct - Structured attribute (MEMBER declarations accepted but ignored, treated as binary)

Tagged Types:

  • tagged-integer - Integer with RFC 2868 tag field
  • tagged-string - String with RFC 2868 tag field
  • tagged-enum - Enumerated value with RFC 2868 tag field

Other:

  • group - Group reference (treated as binary)

Attribute Flags

Attributes can have optional flags specified as a comma-separated list after the data type. These flags modify how the attribute is processed:

Encryption Flags:

  • encrypt=1 - User-Password style encryption (RFC 2865)
  • encrypt=2 - Tunnel-Password style encryption (RFC 2868)
  • encrypt=3 - Ascend-Send-Secret style encryption

Processing Flags:

  • array - Multiple values are packed into one attribute
  • concat - Multiple attributes should be concatenated together
  • has_tag - Attribute can have an RFC 2868 style tag
  • virtual - Attribute is server-internal and special

Extended Attribute Flags:

  • extended - Extended attribute type
  • long-extended - Long extended attribute type

Binary Format:

  • abinary - Ascend binary format

Example with flags:

ATTRIBUTE User-Password 2 binary encrypt=1
ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2
ATTRIBUTE Custom-Array-Attr 100 integer array

Practical Usage Example

The dictionary enables you to reference RADIUS attributes and their values by name in your configuration, making logs and policy rules more readable.

Dictionary definitions:

ATTRIBUTE Service-Type 6 integer
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2

Without dictionary - you must reference raw attribute numbers:

log "AUTH" {
    json {
        "service-type-raw" radius.request.attr.6;  # Attribute number: outputs "2"
    }
}

With dictionary - you can use readable names and format strings for translation:

log "AUTH" {
    json {
        "service-type" radius.request.attr.Service-Type;           # 2 (numeric value)
        "service-type-name" "%{radius.request.attr.Service-Type}"; # "Framed-User" (translated)
        "service-type-value" radius.dict.Service-Type.Framed-User; # 2 (constant lookup)
    }
}

The dictionary provides:

  • Name-based access: Use Service-Type instead of memorizing number 6
  • Value translation: Use format strings "%{...}" to convert numeric values to readable strings like "Framed-User"
  • Constants: Access enumeration values as constants (radius.dict.Service-Type.Framed-User = 2)

Without a dictionary, you only see raw numbers in logs. With a dictionary, Radiator automatically translates them to human-readable strings while still allowing numeric access when needed.

This is especially valuable with vendor-specific attributes where attribute numbers can be difficult to remember.

FreeRADIUS Dictionary Format Support

Radiator supports FreeRADIUS dictionary format, allowing you to use FreeRADIUS dictionary files directly. The file parser is format-agnostic and just parses whatever dictionary syntax it finds. Supported features include:

  • ATTRIBUTE - Define standard attributes
  • VALUE - Define enumeration values for attributes
  • VENDOR - Define vendor identifiers
  • VENDORATTR - Define vendor-specific attributes
  • BEGIN-VENDOR / END-VENDOR - Vendor attribute blocks
  • BEGIN-TLV / END-TLV - Type-Length-Value structured attributes
  • $INCLUDE - Include other dictionary files (processed inline)
  • Various vendor formats: format=1,1, format=2,1, format=2,2, format=4,0, format=1,1,c
  • Attribute flags: encrypt=1, encrypt=2, encrypt=3, has_tag, array, concat

Not currently supported:

  • ALIAS - Attribute aliasing (parsed but ignored)
  • STRUCT / MEMBER - Structured data types (parsed but not implemented)
  • PROTOCOL / BEGIN-PROTOCOL / END-PROTOCOL - Protocol namespace blocks (parsed but ignored)
  • $INCLUDE-DIR - Directory inclusion
Navigation
Home