Request Demo
Features Use Cases About Documentation Contact Request Demo

Response Attributes

Configure RADIUS attributes returned on successful authentication

What Are Response Attributes?

When a user successfully authenticates, Warden sends a RADIUS Access-Accept message back to the network device. This message can include attributes that tell the device how to handle the user's connection:

  • Which VLAN to put them on
  • How long their session can last
  • Bandwidth limits or QoS settings
  • ACLs or firewall policies to apply
  • Vendor-specific configurations

Common Attributes

VLAN Assignment

Dynamic VLAN assignment is one of the most common uses of response attributes. Users land on different VLANs based on their group membership or other criteria.

Tunnel-Type
VLAN (13)
Required for VLAN assignment
Tunnel-Medium-Type
IEEE-802 (6)
Required for VLAN assignment
Tunnel-Private-Group-ID
Your VLAN ID
The VLAN to assign (e.g., "100")

All three required: You need all three Tunnel-* attributes for VLAN assignment to work. Missing any one will cause the assignment to fail.

Session Control

Session-Timeout
Seconds
Max session duration before re-auth required
Idle-Timeout
Seconds
Disconnect after inactivity
Termination-Action
RADIUS-Request (1)
Request re-auth instead of disconnect

Access Control

Filter-Id
ACL name
Named ACL to apply on the network device
Framed-IP-Address
IP address
Assign a specific IP (VPN scenarios)
Service-Type
Type code
Level of access (Login, Admin, etc.)

Vendor-Specific Attributes (VSAs)

Beyond standard RADIUS attributes, vendors define their own attributes for features specific to their equipment.

Cisco

Cisco-AVPair
Various
Flexible key-value pairs for Cisco devices

Example: shell:priv-lvl=15 for full admin access

Aruba

Aruba-User-Role
Role name
Assign a user role defined on controller
Aruba-User-Vlan
VLAN ID
VLAN assignment (Aruba-specific)

Meraki

Airespace-Interface-Name
Interface name
Assign to specific wireless interface

Meraki also uses standard Tunnel-* attributes for VLAN

Check your vendor docs: VSAs vary by vendor and even by firmware version. Always verify the exact attribute format your equipment expects.

Configuring Response Attributes

Response attributes can be configured at multiple levels:

Policy Level

Applies to all users matching this policy. Good for session timeouts and base settings.

Group Level

Applies to all users in a group. Perfect for VLAN assignments by department.

User Level

Applies to a specific user. Use for exceptions or special cases.

More specific levels override less specific ones. User settings override Group, which overrides Policy.

Dynamic Attributes

Some attribute values can be dynamic, pulling from user or request data:

%{User-Name}
The authenticated username
%{Calling-Station-Id}
Client MAC address
%{NAS-IP-Address}
IP of the network device
%{User-Group}
User's primary group

Example: Reply-Message = "Welcome, %{User-Name}!"

Group-Based VLAN Example

A common setup is assigning VLANs based on user groups:

Groups Configuration

Group
VLAN
Attributes
Engineering
100
Tunnel-*: 13, 6, "100"
Sales
200
Tunnel-*: 13, 6, "200"
Guests
300
Tunnel-*: 13, 6, "300", Session-Timeout: 3600

When an engineer authenticates, they automatically get VLAN 100. Sales users get VLAN 200, and guests get VLAN 300 with a 1-hour session timeout.

Testing Attributes

After configuring attributes, verify they're returned correctly:

  1. Authenticate a test user
  2. Check NAC Tracer - it shows all returned attributes
  3. Verify on the network device (many show assigned VLAN in logs)
  4. Test actual network access to confirm VLAN routing works

Debug tip: Use radtest or a similar tool to see exactly what Warden returns. The raw RADIUS response shows all attributes.

What's Next?

Back to Policies Overview