RADIUS attribute from rfc7268
The Allowed-Called-Station-Id Attribute allows the RADIUS server
to specify the authenticator MAC addresses and/or networks to
which the user is allowed to connect. One or more Allowed-Called-
Station-Id Attributes MAY be included in an Access-Accept, CoA-
Request, or Accounting-Request packet.
The Allowed-Called-Station-Id Attribute can be useful in
situations where pre-authentication is supported (e.g., IEEE
802.11 pre-authentication). In these scenarios, a Called-Station-
Id Attribute typically will not be included within the Access-
Request so that the RADIUS server will not know the network that
the user is attempting to access. The Allowed-Called-Station-Id
enables the RADIUS server to restrict the networks and attachment
points to which the user can subsequently connect.
A summary of the Allowed-Called-Station-Id Attribute format is
shown below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
| Type | Length | String...
The String field is one or more octets, specifying a Called-
Station-Id that the user MAY connect to; if the Called-Station-Id
that the user connects to does not match one of the Allowed-
Called-Station-Id Attributes, the Network Access Server (NAS) MUST
NOT permit the user to access the network.In the case of IEEE 802, the Allowed-Called-Station-Id Attribute
is used to store the Medium Access Control (MAC) address,
represented as an uppercase ASCII character string in Canonical
format and with octet values separated by a "-", for example,
"00-10-A4-23-19-C0". Where restrictions on both the network and
authenticator MAC address usage are intended, the network name
MUST be appended to the authenticator MAC address, separated from
the MAC address with a ":", for example, "00-10-A4-23-19-C0:AP1".
Where no MAC address restriction is intended, the MAC address
field MUST be omitted, but ":" and the network name field MUST be
included, for example, ":AP1".
Within IEEE 802.11 , the Service Set Identifier
(SSID) constitutes the network name; within IEEE 802.1X
wired networks, the Network-Id Name (NID-Name)
constitutes the network name. Since a NID-Name can be up to 253
octets in length, when used with wired networks,
there may not be sufficient room within the Allowed-Called-
Station-Id Attribute to include both a MAC address and a network
name. However, as the Allowed-Called-Station-Id Attribute is
expected to be used largely in wireless access scenarios, this
restriction is not considered serious.