Attribute values – RSA Security 6.1 User Manual
About RSA RADIUS Server
September 2005
During authentication, RSA RADIUS Server filters the checklist based on the
dictionary for the RADIUS client that sent the authentication request. The server
ignores any checklist attribute that is not valid for this device.
Return List Attributes
A return list is a list of attributes that RSA RADIUS Server must return to the RAS
after authentication succeeds. The return list usually provides additional
parameters that the RAS needs to complete the connection, typically as part of
PPP negotiations. Return list attributes can be “authorization configuration
parameters.”
By including appropriate attributes in the return list, you can create a variety of
connection policies. Specific users can be assigned particular IP addresses or IPX
network numbers; IP header compression can be turned on or off; or a time limit
can be assigned to the connection.
You create a return list by choosing attributes from a list of all RADIUS attributes
known to the RSA RADIUS Server. This list can include a variety of
vendor-specific attributes.
During authentication, RSA RADIUS Server filters the return list based on the
dictionary for the specific RADIUS client that sent the authentication request.
The server omits any return list attribute that is not valid for this device.
Attribute Values
The value of each RADIUS attribute has a well-defined data type: numeric, string,
IP or IPX address, time, or hexadecimal. For example, Callback-Number is of type
string and contains a telephone number. RAS-Port-Type is an item from a list, and
can be Sync, Async, and so forth.
Multi-Valued Attributes
Attributes can be single- or multi-valued. Single-valued attributes appear at most
once in the checklist or return list; multi-valued attributes might appear several
times.
If an attribute appears more than once in the checklist, this means that any one of
the values is valid. For example, you can set up a checklist to include both Sync
and Async values for attribute RAS-Port-Type. This means that the user can
dial into a Sync port or an Async port, but not one of the ISDN ports.
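The following simplified model of the behaviour described above is an added example, not RSA RADIUS Server code. It shows that a checklist restriction is only enforced for RADIUS clients whose dictionary contains the attribute, which is worth auditing per client. The two dictionaries, the Vendor-X-Filter attribute, the sample values, and the rule that a checklist attribute must be present in the request with a listed value are assumptions made for illustration.

```python
# Simplified model of checklist / return-list handling; not RSA's code.
# Dictionaries, Vendor-X-Filter and all sample values are constructed.

def filter_by_dictionary(attr_list, dictionary):
    """Keep only (name, value) pairs whose attribute the client dictionary knows."""
    return [(n, v) for n, v in attr_list if n in dictionary]

def checklist_passes(checklist, request, dictionary):
    """Assumed rule: each remaining checklist attribute must appear in the
    request; if it is listed several times, any one of its values is valid."""
    allowed = {}
    for name, value in filter_by_dictionary(checklist, dictionary):
        allowed.setdefault(name, set()).add(value)
    return all(request.get(name) in values for name, values in allowed.items())

def authorize(profile, request, dictionary):
    """Return the filtered return list on success, or None on rejection."""
    if not checklist_passes(profile["checklist"], request, dictionary):
        return None
    return filter_by_dictionary(profile["return_list"], dictionary)

def dropped_checks(checklist, dictionary):
    """Audit helper: checklist attributes this client dictionary ignores."""
    return sorted({n for n, _ in checklist if n not in dictionary})

# Constructed sample profile: Sync or Async ports only.
PROFILE = {
    "checklist": [("RAS-Port-Type", "Sync"), ("RAS-Port-Type", "Async")],
    "return_list": [("Callback-Number", "555-0100"), ("Vendor-X-Filter", "guest")],
}
DICT_FULL = {"RAS-Port-Type", "Callback-Number", "Vendor-X-Filter"}
DICT_MINIMAL = {"Callback-Number"}  # hypothetical client lacking RAS-Port-Type

if __name__ == "__main__":
    for label, d in (("full", DICT_FULL), ("minimal", DICT_MINIMAL)):
        for port in ("Async", "ISDN"):
            print(label, port, authorize(PROFILE, {"RAS-Port-Type": port}, d))
        print(label, "ignored:", dropped_checks(PROFILE["checklist"], d))
```

Running dropped_checks for every profile and client dictionary pair lists the restrictions that a given device will never have applied to it.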
If an attribute appears more than once in the return list, each value of the
attribute is sent as part of the response packet. For example, to enable both IP
and IPX header compression for a user, you would configure the