Radius attributes – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual
RADIUS Introduction and Configuration
Software Reference for x310 Series Switches
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
Figure 46-2: Example showing an exchange from a Requestor to a NAS to a RADIUS Server
RADIUS Attributes
Each attribute is identified by its RFC-defined name, followed by its attribute ID in
parentheses.
■ User-name(1)
User-names are strings of at least three characters and have a maximum of 253
characters, which is the upper limit on all RADIUS attributes.
■ User-password(2)
User-passwords are encrypted using an MD5 hash of the password, the NAS's shared
secret with the RADIUS Server, and a request authenticator value. User-passwords can
either be used at the initial authentication attempt or in response to an
Access-Challenge packet type from the RADIUS Server to the NAS.
■ CHAP-password(3)
CHAP-passwords are used if the NAS is using CHAP to authenticate the user, and
doesn't receive the user's password but sends the CHAP response to the
RADIUS Server instead. The CHAP password is an encrypted string that is an MD5 hash
of the password and challenge value sent by the user.
■ Framed-IP-Address(8)
Used for dial-in users making PPP connections to the NAS who are dynamically
allocated an IP address that they can use for the duration of their connection. The
RADIUS Server sends the Framed-IP-Address to the NAS to allocate.
■ Service-Type(6)
Used when the NAS is authenticating a user who wants to open a management
session on the NAS, and is sent by the RADIUS Server back to the NAS in an
Access-Accept type packet to indicate the level of access the NAS gives a user.
Service-Type(6) is mapped to a Privileged management session for AlliedWare Plus.
■ NAS-Port-Type(61)
Identifies the type of port on which the user is accessing the NAS. The
NAS-Port-Type(61) attribute is sent by the NAS to the RADIUS Server in Access-Request type
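[Figure 46-2 diagram labels: Requestor, NAS, Server. The Requestor gives authentication credentials (username/password, and possibly other information) to the NAS, which sends an Access-Request to the Server. The Server may reply with an Access-Challenge; the NAS passes on the challenge data, and the response to the challenge goes back in an Access-Request containing the challenge response in the password field (repeated 0 or more times). The Server decides the user is valid (Access-Accept) OR decides the user is invalid (Access-Reject).]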
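How the User-password(2) and CHAP-password(3) values listed above are computed on the NAS and checked on the server, following RFC 2865 section 5.2 and the CHAP response of RFC 1994. This is an added example, not code from the Allied Telesis manual; the function names, shared secret, authenticator and password are constructed sample values.

```python
import hashlib
import hmac

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: build the User-Password(2) value (RFC 2865 section 5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16-octet blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()       # keystream for this block
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev                                      # ciphertext chains into next mask
    return out

def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding using the same shared secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 octets, a multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")                           # drop the null padding

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password(3) value: ident octet + MD5(ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def verify_chap(attr: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from the stored password and compare."""
    if len(attr) != 17:
        return False
    return hmac.compare_digest(attr, chap_password(attr[0], password, challenge))

# Constructed sample values (assumptions, not from the manual).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery"      # 21 octets, padded to 32 before hiding
HIDDEN = hide_user_password(PASSWORD, SECRET, REQUEST_AUTH)
```

The only key material protecting User-password(2) on the wire is the shared secret, so its length and randomness determine how well the password is protected between the NAS and the RADIUS Server.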