| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
The term request refers to both the authentication/accounting request packet from a NAS to a RADIUS server and the response packet that the server sends back to the NAS.
Each request contains the following fields:
The code field identifies the type of the request.
The number in the range 0–255 used to match the request with the reply.
The length of the request packet.
The 16-byte hash value used to authenticate the packet.
The list of attribute-value pairs carrying actual information about the request.
| 2.2.1 Authentication Requests | ||
| 2.2.2 Accounting Requests |
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
A NAS sends authentication requests (packets with code field set to Access-Request) to a RADIUS server when a user is trying to connect to that NAS. Such requests convey information used to determine whether a user is allowed access to the NAS, and whether any special services are requested for that user.
An Access-Request must contain a User-Name attribute
User-Name. This packet should contain a NAS-IP-Address
attribute, a NAS-Identifier attribute, or both. It
also must contain either a User-Password attribute or a
CHAP-Password attribute. These attributes are passed after
being encoded
using a method based on the RSA Message Digest Algorithm MD5.
The Access-Request should contain a NAS-Port or NAS-Port-Type
attribute or both, unless the type of access being requested does
not involve a port or the NAS does not distinguish among its
ports.
Upon receiving an Access-Request packet for a particular user and authenticating that user, the RADIUS server replies to the NAS that has sent the packet with any one of the following packets:
GNU Radius replies with an Access-Accept packet when it has successfully authenticated the user. Such a reply packet provides the configuration information necessary to begin delivery of service to the user.
GNU Radius replies with an Access-Reject packet when it is unable to
authenticate the user. Such a packet may contain a descriptive text
encapsulated in one or more Reply-Message attributes. The
NAS may display this text along with its response to the user.
GNU Radius replies with an Access-Challenge packet when it needs to obtain more information from the user in order to determine the user's authenticity or to determine the kind of service to be provided to the user.
An Access-Challenge packet may include one or more
Reply-Message attributes, and it may or may not include a
single State attribute. No other attributes are permitted in an
Access-Challenge packet.
Upon receipt of an Access-Challenge, the Identifier field is matched with a pending Access-Request. Additionally, the Response Authenticator field must contain the correct response for the pending Access-Request. In the event of an invalid packet, GNU Radius discards the offending packet and issues the appropriate log message.
If the NAS does not support challenge/response, it treats an
Access-Challenge as though it had received an Access-Reject instead.
Otherwise, upon receipt of a valid Access-Challenge the NAS prompts
the user for a response, possibly displaying the text message provided
in the Reply-Message attributes of the request. It then sends its
original Access-Request with a new request ID and request
authenticator, along with the User-Password attribute replaced
by the encrypted user's response, and including the State
attribute from the Access-Challenge, if any.
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
Accounting-Request packets are sent from a NAS to a RADIUS server to allow for accounting of a service provided to a user.
Upon receipt of an Accounting-Request packet, the server attempts to record it (see section Accounting), and if it succeeds in doing so, it replies with an Accounting-Response packet. Otherwise, it sends no reply, which then causes the NAS to retransmit its request within a preconfigured interval of time. Such retransmits will continue until either the server responds with an Accounting-Response packet or a preconfigured number of retransmits is reached, whichever occurs first.
Any attribute valid in an Access-Request or Access-Accept packet is also valid in an Accounting-Request packet, except the following attributes, which are never present in any Accounting-Request packet:
User-Password
CHAP-Password
Reply-Message
State
Either a NAS-IP-Address or a NAS-Identifier must be
present in an Accounting-Request packet. It should contain either a
NAS-Port or a NAS-Port-Type attribute (or both),
unless the service does not involve a port or the NAS
does not distinguish among its ports.
If the Accounting-Request packet includes a Framed-IP-Address,
that attribute must contain the actual IP of the user.
There are five types of accounting packets, differentiated by the
value of the Acct-Status-Type attribute. These are:
The session start packet is sent after the user has successfully passed the authentication and has started to receive the requested service. It must contain at least following attributes:
Acct-Status-Type = Start
User-Name
Acct-Session-Id
NAS-IP-Address
NAS-Port-Id
The session stop packet is sent after the user has disconnected. It conveys the information about the duration of the session, number of octets transferred, etc. It must contain at least the following attributes:
Acct-Status-Type = Stop
User-Name
NAS-IP-Address
Acct-Session-Id
The last three of them are used to find the corresponding session start packet.
The keepalive packet is sent by the NAS when it obtains some new information about the user's session, e.g. it has determined its IP or has changed the connection speed. The packet must contain at least the following attributes:
Acct-Status-Type = Alive
User-Name
NAS-IP-Address
Acct-Session-Id
By sending this packet, the NAS requests that radiusd mark all
sessions registered from this particular NAS as finished. Receiving
this packet usually means that the NAS is to be shut down, or is
about to change its configuration in a way that requires all currently
opened sessions to be closed. The packet must contain at least the
following attributes:
Acct-Status-Type = Accounting-Off
NAS-IP-Address
By sending this packet, the NAS informs radiusd that it is ready
to accept the incoming connections. Usually this packet is sent after
startup, or after a major reconfiguration of the NAS. It must
contain at least the following attributes:
Acct-Status-Type = Accounting-On
NAS-IP-Address
| [ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] |
This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.