The attribute dictionary, Proxy servers – Cisco Cisco Access Registrar 3.5 User Manual
Page 16
1-4
Cisco Access Registrar 3.5 Concepts and Reference Guide
OL-2683-02
Chapter 1 Overview
RADIUS Protocol
The Attribute Dictionary
The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting
attributes that can be part of a client’s or user’s configuration. The dictionary entries translate an attribute
into a value Cisco Access Registrar uses to parse incoming requests and generate responses. Attributes
have a human-readable name and an enumerated equivalent from 1-255.
Sixty three standard attributes exist, which are defined in RFCs 2865, 2866, 2867, 2868, and 2869. There
also are additional vendor-specific attributes that depend on the particular NAS you are using.
Some sample attributes include:
•
User-Name—the name of the user
•
User-Password—the user’s password
•
NAS-IP-Address—the IP address of the NAS
•
NAS-Port—the NAS port the user is dialed in to
•
Framed Protocol—such as SLIP or PPP
•
Framed-IP-Address—the IP address the client uses for the session
•
Filter-ID—vendor-specific; identifies a set of filters configured in the NAS
•
Callback-Number—the actual callback number.
Proxy Servers
Any one or all of the RADIUS server’s three functions: authentication, authorization, or accounting can
be subcontracted to another RADIUS server. Cisco Access Registrar then becomes a proxy server.
Proxying to other servers enables you to delegate some of the RADIUS server’s functions to other
servers.
You can use Cisco Access Registrar to “proxy” to an LDAP server for access to directory information
about users in order to authenticate them.
shows user
joe
initiating a request, the Cisco
Access Registrar server proxying the authentication to the LDAP server, and then performing the
authorization and accounting processing in order to enable
joe
to log in.
Authenticator
Contains a value for a Request Authenticator or a Response
Authenticator. The Request Authenticator is included in a client’s
Access-Request. The value is unpredictable and unique, and is
added to the client/server shared secret so the combination can be
run through a one-way algorithm. The NAS then uses the result in
conjunction with the shared secret to encrypt the user’s password.
Attribute(s)
Depends on the type of message being sent. The number of
attribute/value pairs included in the packet’s attribute field is
variable, including those required or optional for the type of service
requested.
Table 1-1
RADIUS Packet Fields (continued)
Fields
Description