beautypg.com

The attribute dictionary, Proxy servers – Cisco Cisco Access Registrar 3.5 User Manual

Page 16

background image

1-4

Cisco Access Registrar 3.5 Concepts and Reference Guide

OL-2683-02

Chapter 1 Overview

RADIUS Protocol

The Attribute Dictionary

The Attribute dictionary contains a list of preconfigured authentication, authorization, and accounting
attributes that can be part of a client’s or user’s configuration. The dictionary entries translate an attribute
into a value Cisco Access Registrar uses to parse incoming requests and generate responses. Attributes
have a human-readable name and an enumerated equivalent from 1-255.

Sixty three standard attributes exist, which are defined in RFCs 2865, 2866, 2867, 2868, and 2869. There
also are additional vendor-specific attributes that depend on the particular NAS you are using.

Some sample attributes include:

User-Name—the name of the user

User-Password—the user’s password

NAS-IP-Address—the IP address of the NAS

NAS-Port—the NAS port the user is dialed in to

Framed Protocol—such as SLIP or PPP

Framed-IP-Address—the IP address the client uses for the session

Filter-ID—vendor-specific; identifies a set of filters configured in the NAS

Callback-Number—the actual callback number.

Proxy Servers

Any one or all of the RADIUS server’s three functions: authentication, authorization, or accounting can
be subcontracted to another RADIUS server. Cisco Access Registrar then becomes a proxy server.
Proxying to other servers enables you to delegate some of the RADIUS server’s functions to other
servers.

You can use Cisco Access Registrar to “proxy” to an LDAP server for access to directory information
about users in order to authenticate them.

Figure 1-2

shows user

joe

initiating a request, the Cisco

Access Registrar server proxying the authentication to the LDAP server, and then performing the
authorization and accounting processing in order to enable

joe

to log in.

Authenticator

Contains a value for a Request Authenticator or a Response
Authenticator. The Request Authenticator is included in a client’s
Access-Request. The value is unpredictable and unique, and is
added to the client/server shared secret so the combination can be
run through a one-way algorithm. The NAS then uses the result in
conjunction with the shared secret to encrypt the user’s password.

Attribute(s)

Depends on the type of message being sent. The number of
attribute/value pairs included in the packet’s attribute field is
variable, including those required or optional for the type of service
requested.

Table 1-1

RADIUS Packet Fields (continued)

Fields

Description