Attribute Number



18 to 130 octets



Allowed in


Prohibited in

Access-Accept, Access-Reject, Access-Challenge

Presence in Packet

Required, unless CHAP-Password is present

Maximum Iterations


This attribute is designed to carry authentication information that a user provides in order to gain access to network services. Primarily, the content of this value will be an encrypted password, but sometimes it can be the response from an Access-Challenge packet sent to the client from the RADIUS server. Most commonly, the length of the value is 16 octets, which is the RFC minimum, but the RFC also permits the value of this attribute to span as long as 130 octets.

As mentioned in Chapter 1 and Chapter 2, the presence of the User-Password attribute typically indicates that the given transaction will use PAP authentication in lieu of CHAP. Refer to Chapter 2 for an explanation of the hiding and encrypting process used in PAP authentication.

Get RADIUS now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.