RADIUS attribute from rfc3576
Error-Cause
It is possible that the NAS cannot honor Disconnect-Request or
CoA-Request messages for some reason. The Error-Cause Attribute
provides more detail on the cause of the problem. It MAY be
included within Disconnect-ACK, Disconnect-NAK and CoA-NAK
messages.
A summary of the Error-Cause Attribute format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
101 for Error-Cause
Length
6
Value
The Value field is four octets, containing an integer specifying
the cause of the error. Values 0-199 and 300-399 are reserved.
Values 200-299 represent successful completion, so that these
values may only be sent within Disconnect-ACK or CoA-ACK message
and MUST NOT be sent within a Disconnect-NAK or CoA-NAK. Values400-499 represent fatal errors committed by the RADIUS server, so
that they MAY be sent within CoA-NAK or Disconnect-NAK messages,
and MUST NOT be sent within CoA-ACK or Disconnect-ACK messages.
Values 500-599 represent fatal errors occurring on a NAS or RADIUS
proxy, so that they MAY be sent within CoA-NAK and Disconnect-NAK
messages, and MUST NOT be sent within CoA-ACK or Disconnect-ACK
messages. Error-Cause values SHOULD be logged by the RADIUS
server. Error-Code values (expressed in decimal) include:
# Value
--- -----
201 Residual Session Context Removed
202 Invalid EAP Packet (Ignored)
401 Unsupported Attribute
402 Missing Attribute
403 NAS Identification Mismatch
404 Invalid Request
405 Unsupported Service
406 Unsupported Extension
501 Administratively Prohibited
502 Request Not Routable (Proxy)
503 Session Context Not Found
504 Session Context Not Removable
505 Other Proxy Processing Error
506 Resources Unavailable
507 Request Initiated
"Residual Session Context Removed" is sent in response to a
Disconnect-Request if the user session is no longer active, but
residual session context was found and successfully removed. This
value is only sent within a Disconnect-ACK and MUST NOT be sent
within a CoA-ACK, Disconnect-NAK or CoA-NAK.
"Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT be
sent by implementations of this specification.
"Unsupported Attribute" is a fatal error sent if a Request contains
an attribute (such as a Vendor-Specific or EAP-Message Attribute)
that is not supported.
"Missing Attribute" is a fatal error sent if critical attributes
(such as NAS or session identification attributes) are missing from a
Request.
"NAS Identification Mismatch" is a fatal error sent if one or more
NAS identification attributes (see.) do not match the
identity of the NAS receiving the Request."Invalid Request" is a fatal error sent if some other aspect of the
Request is invalid, such as if one or more attributes (such as EAP-
Message Attribute(s)) are not formatted properly.
"Unsupported Service" is a fatal error sent if a Service-Type
Attribute included with the Request is sent with an invalid or
unsupported value.
"Unsupported Extension" is a fatal error sent due to lack of support
for an extension such as Disconnect and/or CoA messages. This will
typically be sent by a proxy receiving an ICMP port unreachable
message after attempting to forward a Request to the NAS.
"Administratively Prohibited" is a fatal error sent if the NAS is
configured to prohibit honoring of Request messages for the specified
session.
"Request Not Routable" is a fatal error which MAY be sent by a RADIUS
proxy and MUST NOT be sent by a NAS. It indicates that the RADIUS
proxy was unable to determine how to route the Request to the NAS.
For example, this can occur if the required entries are not present
in the proxy's realm routing table.
"Session Context Not Found" is a fatal error sent if the session
context identified in the Request does not exist on the NAS.
"Session Context Not Removable" is a fatal error sent in response to
a Disconnect-Request if the NAS was able to locate the session
context, but could not remove it for some reason. It MUST NOT be
sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a
Disconnect-NAK.
"Other Proxy Processing Error" is a fatal error sent in response to a
Request that could not be processed by a proxy, for reasons other
than routing.
"Resources Unavailable" is a fatal error sent when a Request could
not be honored due to lack of available NAS resources (memory, non-
volatile storage, etc.).
"Request Initiated" is a fatal error sent in response to a Request
including a Service-Type Attribute with a value of "Authorize Only".
It indicates that the Disconnect-Request or CoA-Request has not been
honored, but that a RADIUS Access-Request including a Service-Type
Attribute with value "Authorize Only" is being sent to the RADIUS
server.
FreeRADIUS Vendor-Specific dictionary values:
201 - Residual-Context-Removed
202 - Invalid-EAP-Packet
401 - Unsupported-Attribute
402 - Missing-Attribute
403 - NAS-Identification-Mismatch
404 - Invalid-Request
405 - Unsupported-Service
406 - Unsupported-Extension
501 - Administratively-Prohibited
502 - Proxy-Request-Not-Routable
503 - Session-Context-Not-Found
504 - Session-Context-Not-Removable
505 - Proxy-Processing-Error
506 - Resources-Unavailable
507 - Request-Initiated
407 - Invalid-Attribute-Value
508 - Multiple-Session-Selection-Unsupported
601 - Response-Too-Big