1.
Once the RADIUS server receives the request, it validates the sending
client. A request from a client for which the RADIUS server does not
have a shared secret MUST be silently discarded. If the client is
valid, the RADIUS server consults a database of users to find the
user whose name matches the request. The user entry in the database
contains a list of requirements which must be met to allow access for
the user. This always includes verification of the password, but can
also specify the client(s) or port(s) to which the user is allowed
access.
2.
If any Proxy-State attributes were present in the Access-Request,
they MUST be copied unmodified and in order into the response packet.
Other Attributes can be placed before, after, or even between the
Proxy-State attributes.
3.挑战应答模式
例如:NAS给RADIUS服务器发送了一个携带NAS-Identifier,NAS-Port,
User-Name和User-Password(可能只是一个固定字符串"challenge"或者不携
带)属性的接入请求报文,服务器回应一个携带State和Reply-Message属性的
接入挑战报文,Reply-Message属性包含字符串"Challenge 12345678, enter
your response at the prompt",这个字符串由NAS上显示,NAS接收到回应,
向服务器发送一个新的携带NAS-Identifier,NAS-Port,User-Name,
User-Password(正是用户输入的用户密码,已经被加密)以及被接入挑战报文
带来的State属性的接入请求报文,服务器判断回应是否和想要的回应相匹配,
然后返回接入成功回应报文或者接入拒绝回应报文。或者甚至再发送一个接入
挑战报文。
Example: The NAS sends an Access-Request packet to the RADIUS Server
with NAS-Identifier, NAS-Port, User-Name, User-Password (which may
just be a fixed string like "challenge" or ignored). The server
sends back an Access-Challenge packet with State and a Reply-Message
along the lines of "Challenge 12345678, enter your response at the
prompt" which the NAS displays. The NAS prompts for the response and
sends a NEW Access-Request to the server (with a new ID) with NAS-
Identifier, NAS-Port, User-Name, User-Password (the response just
entered by the user, encrypted), and the same State Attribute that
came with the Access-Challenge. The server then sends back either an
Access-Accept or Access-Reject based on whether the response matches
the required value, or it can even send another Access-Challenge.
4.PAP CHAP
For PAP, the NAS takes the PAP ID and password and sends them in an
Access-Request packet as the User-Name and User-Password. The NAS MAY
include the Attributes Service-Type = Framed-User and Framed-Protocol
= PPP as a hint to the RADIUS server that PPP service is expected.
For CHAP, the NAS generates a random challenge (preferably 16 octets)
and sends it to the user, who returns a CHAP response along with a
CHAP ID and CHAP username. The NAS then sends an Access-Request
packet to the RADIUS server with the CHAP username as the User-Name
and with the CHAP ID and CHAP response as the CHAP-Password
(Attribute 3). The random challenge can either be included in the
CHAP-Challenge attribute or, if it is 16 octets long, it can be
placed in the Request Authenticator field of the Access-Request
packet. The NAS MAY include the Attributes Service-Type = Framed-
User and Framed-Protocol = PPP as a hint to the RADIUS server that
PPP service is expected.
5.代理转发
The following scenario illustrates a proxy RADIUS communication
between a NAS and the forwarding and remote RADIUS servers:
1. A NAS sends its access-request to the forwarding server.
2. The forwarding server forwards the access-request to the remote
server.
3. The remote server sends an access-accept, access-reject or
access-challenge back to the forwarding server. For this example,
an access-accept is sent.
4. The forwarding server sends the access-accept to the NAS.
6
round trip time回环时间
come and go存在还是不存在
Keep-Alives心跳
Authenticator认证字
text message文本消息
padded 填充
Vendor-Specific厂商指定
7.
RADIUS服务器必须(MUST)根据RADIUS的UDP报文的源IP地址决定使用哪个
共享密钥,因此,RADIUS请求才可以被代理。
1399
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
