Radius packets – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
RADIUS Introduction and Configuration
Software Reference for x310 Series Switches
C613-50046-01 REV A
AlliedWare Plus™ Operating System - Version 5.4.4C
Figure 46-1: Example showing a User to a NAS to a RADIUS Server network connection
RADIUS Packets
The RADIUS RFCs define the RADIUS packet types and attributes. RADIUS authentication is
defined by RFC2058, RFC2138, RFC2865, and RFC2868. RADIUS accounting is defined by
RFC2059, RFC2139, RFC2866, and RFC2867. These RADIUS RFCs define over fifty attributes
and six packet types (Access-Request, Access-Accept, Access-Reject,
Accounting-Request, Accounting-Response, Access-Challenge).
A RADIUS exchange is initiated by the NAS when a user requests access to the NAS. The
NAS obtains the user authentication data, adds it to a RADIUS Access-Request packet,
and sends the Access-Request packet to the RADIUS Server.
■ If the RADIUS Server has not been configured to accept authentication requests from
a NAS, it silently discards any Access-Request packet from that NAS.
■ If the RADIUS Server accepts the request from the NAS, it considers the authentication
data provided in the Access-Request packet. The RADIUS Server may verify the
user from its own database or it may connect to other servers to verify.
■ If the RADIUS Server decides that the user is not allowed access to the NAS, it responds
to the NAS with an Access-Reject packet and the NAS will block the user.
■ If the RADIUS Server decides that the user is valid but needs more information to
verify that the user is not an imposter, it may send an Access-Challenge packet
to the NAS, which the NAS forwards to the user. The NAS then forwards the user's
response to the Access-Challenge in a new Access-Request packet to the RADIUS
Server, which accepts or rejects it to allow or deny the user access to the NAS.
■ If the RADIUS Server rejects the user, it sends an Access-Reject packet to the NAS.
■ If the RADIUS Server accepts the user, it sends an Access-Accept packet to the
NAS. The Access-Accept packet contains attributes that the NAS can apply.
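The NAS side of the exchange above, as an added example that is not part of the manual or of AlliedWare Plus: it maps each reply type to the NAS action and goes beyond the page by first checking the RFC 2865 Response Authenticator, so a reply that was not built with the shared secret for this request is discarded. The function names, the action strings and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Packet type codes from RFC 2865 / RFC 2866 (the six types named above).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# What the NAS does with each valid reply to an Access-Request (labels are ours).
NAS_ACTION = {"Access-Accept": "allow", "Access-Reject": "block",
              "Access-Challenge": "prompt-user"}

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: build a reply bound to one specific Access-Request."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def nas_handle_reply(packet, ident, request_auth, secret):
    """NAS side: validate a reply and return the action, or 'discard'."""
    if len(packet) < 20:                      # shorter than the fixed header
        return "discard"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet) or rid != ident:
        return "discard"                      # bad length or not our request
    attrs = packet[20:length]
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "discard"                      # wrong secret or modified reply
    # Valid replies of any other type (e.g. accounting) are not acted on here.
    return NAS_ACTION.get(CODES.get(code, ""), "discard")

# Constructed sample values (not from the manual).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))                   # fixed so the demo is reproducible
REPLY_MSG = bytes([18, 10]) + b"Welcome!"     # attribute 18 = Reply-Message

if __name__ == "__main__":
    for code in (2, 3, 11):
        pkt = build_reply(code, 7, REQ_AUTH, REPLY_MSG, SECRET)
        print(CODES[code], "->", nas_handle_reply(pkt, 7, REQ_AUTH, SECRET))
```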
[Figure 46-1 labels: User, NAS (Authenticator), Network, RADIUS server]