Attribute Number



3 or more octets



Allowed in: Access-Request, Access-Accept

Prohibited in: Access-Reject, Access-Challenge

Presence in Packet: Not required

Maximum Iterations


This attribute carries the distinguished name of the client requesting access to services on the network. Since usernames come in all sizes and flavors, there is no specified maximum length for this value. The RADIUS committee and those who follow its proceedings recommend that implementations support a larger username space (up to 64 bytes in length) so that the implementation-specific RADIUS client gear can perform its own compliance and validity checking. This lets each administrator customize the requirements for a valid username without having a standard dictate how usernames are constructed.

There are no specific requirements for the format in which these usernames must be represented, but there are a number of common ways in which usernames are passed in the User-Name attribute. Monolithic, or alphanumeric, usernames consist of all letters and numbers. UTF-8 characters are also supported. Additionally, usernames can be passed that conform to the Network Access Identifier (NAI) ASN.1 format (this is often known as the “distinguished name”) or some other format common to both the client and the RADIUS implementation. Because of this flexibility, administrators have a wide realm of possibilities ...
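The properties above can be enforced when a server or inspection tool parses a packet. The following is an added example, not code from the book: it walks the attribute list and applies the length, packet-type and UTF-8 checks to User-Name. The attribute type 1 and the packet codes are taken from RFC 2865 rather than from this page, the 64-byte ceiling is used here as an assumed local policy value, and `build` only constructs sample packets.

```python
import struct

USER_NAME = 1  # attribute type per RFC 2865 (not stated on this page)
# RADIUS packet codes per RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ALLOWED_IN = {ACCESS_REQUEST, ACCESS_ACCEPT}

class RadiusError(ValueError):
    pass

def iter_attributes(packet: bytes):
    """Yield (code, type, value) for each attribute after the 20-byte header."""
    if len(packet) < 20:
        raise RadiusError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise RadiusError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise RadiusError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise RadiusError("attribute length out of bounds")
        yield code, a_type, packet[pos + 2:pos + a_len]
        pos += a_len

def extract_user_name(packet: bytes, max_len: int = 64):
    """Return the User-Name as str, or None if absent (presence is not required)."""
    for code, a_type, value in iter_attributes(packet):
        if a_type != USER_NAME:
            continue
        if code not in ALLOWED_IN:
            raise RadiusError("User-Name prohibited in this packet type")
        if len(value) < 1:        # whole attribute must be 3 or more octets
            raise RadiusError("User-Name shorter than 3 octets")
        if len(value) > max_len:  # assumed local policy ceiling, not a protocol limit
            raise RadiusError("User-Name exceeds local policy length")
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise RadiusError("User-Name is not valid UTF-8") from exc
    return None

def build(code: int, attrs) -> bytes:
    """Constructed sample packet: zeroed authenticator, attrs = [(type, value)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

Rejecting a malformed or out-of-policy User-Name before it reaches the authentication backend or the logs keeps the per-site validity rules in one place.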
