IETF RFC 2865 PDF
RADIUS Internet Engineering Task Force (IETF) attributes are the original set of standard attributes. Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management: it carries authentication, authorization, and configuration information between a Network Access Server and a shared authentication server. Authentication and authorization are defined in one RFC, while accounting is described by another. The RADIUS protocol is currently defined in the following IETF RFC documents.
Network Working Group
P. Congdon
Request for Comments:
Smith, Trapeze Networks
G. Zorn, Cisco Systems
J.

It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

In situations where it is desirable to centrally manage authentication, authorization and accounting (AAA) for IEEE networks, deployment of a backend authentication and accounting server is desirable.
In such situations, it is expected that IEEE

Terminology

This document uses the following terms:

Access Point (AP): A Station that provides access to the distribution services via the wireless medium for associated Stations.
Authenticator: An Authenticator is an entity that requires authentication from the Supplicant. The Authenticator may be connected to the Supplicant at the other end of a point-to-point LAN segment or

This service verifies, from the credentials provided by the Supplicant, the claim of identity made by the Supplicant.

A given PAE may support the protocol functionality associated with the Authenticator, Supplicant or both.

Supplicant: A Supplicant is an entity that is being authenticated by an Authenticator.
The Supplicant may be connected to the Authenticator at one end of a point-to-point LAN segment or

Requirements Language

In this document, several words are used to signify the requirements of the specification. These words are often capitalized.

Attributes requiring more discussion include:

A Lost Carrier (2) termination cause indicates session termination due to loss of physical connectivity for reasons other than roaming between Access Points.
For example, if the Supplicant disconnects a point-to-point LAN connection, or moves out of range of an Access Point, this termination cause is used. A Supplicant Restart (19) termination cause indicates re-initialization of the Supplicant state machines.

Within [IEEE], periodic re-authentication may be useful in preventing reuse of an initialization vector with a given key. Since successful re-authentication does not result in termination of the session, accounting packets are not sent as a result of re-authentication unless the status of the session changes.

The session is terminated due to re-authentication failure. In this case the Reauthentication Failure (20) termination cause is used.

The authorizations are changed as a result of a successful re-authentication. In this case, the Service Unavailable (15) termination cause is used. For accounting purposes, the portion of the session after the authorization change is treated as a separate session. An Admin Reset (6) termination cause indicates that the Port has been administratively forced into the unauthorized state.

A Port Administratively Disabled (22) termination cause indicates that the Port has been administratively disabled.

Acct-Multi-Session-Id

The purpose of this attribute is to make it possible to link together multiple related sessions. Where supported by the Access Points, the Acct-Multi-Session-Id attribute can be used to link together the multiple related sessions of a roaming Supplicant.
In such a situation, if the session context is transferred between Access Points, accounting packets MAY be sent without a corresponding authentication and authorization exchange.

Congdon, et al.

If the Acct-Multi-Session-Id were not unique between Access Points, then it is possible that the chosen Acct-Multi-Session-Id will overlap with an existing value in use on that Access Point, and the Accounting Server would therefore be unable to distinguish a roaming session from a multi-link session. In order to provide this uniqueness, it is suggested that the Acct-Multi-Session-Id be of the form:

Since the NTP timestamp does not wrap on reboot, there is no possibility that a rebooted Access Point could choose an Acct-Multi-Session-Id that could be confused with that of a previous session.
Acct-Link-Count

The Acct-Link-Count attribute may be used to account for the number of ports that have been aggregated.

Alternatively, as discussed in [RFC] Section 2.

If the IEEE

While an Access Point does not have physical ports, a unique "association ID" is assigned to every mobile Station upon a successful association exchange.

As a result, for an Access Point, if the association exchange has been completed prior to authentication, the NAS-Port attribute will contain the association ID, which is a bit unsigned integer.

A Service-Type of Framed indicates that appropriate framing should be used for the connection. A Service-Type of Authenticate Only (8) indicates that no authorization information needs to be returned in the Access-Accept.

As described in [RFC], a

Typically this capability is supported by layer 3 devices.
It is therefore only relevant for IEEE

Filter-ID

This attribute indicates the name of the filter list to be applied to the Supplicant's session. For use with an IEEE

Layer 3 filters are typically only supported on IEEE

Framed-MTU

This attribute indicates the maximum size of an IP packet that may be transmitted over the wire between the Supplicant and the Authenticator.

Displayable Messages

The Reply-Message attribute, defined in section 5.

As noted in [RFC], Section 2.

These attributes are therefore only relevant for IEEE

Session-Timeout

When sent along in an Access-Accept without a Termination-Action attribute or with a Termination-Action attribute set to Default, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to session termination.

In this case, the Session-Timeout attribute is used to load the reAuthPeriod constant within the Reauthentication Timer state machine of

When sent with a Termination-Action value of RADIUS-Request, a Session-Timeout value of zero indicates the desire to perform another authentication (possibly of a different type) immediately after the first authentication has successfully completed.

For IEEE media other than

It is possible for a wireless device to wander out of range of all Access Points. In this case, the Idle-Timeout attribute indicates the maximum time that a wireless device may remain idle.

Termination-Action

This attribute indicates what action should be taken when the service is completed. The value Default (0) indicates that the session should terminate.

Thus this attribute does not make sense for IEEE

Connect-Info

This attribute is sent by a bridge or Access Point to indicate the nature of the Supplicant's connection. When sent in the Access-Request it is recommended that this attribute contain information on the speed of the Supplicant's connection. If sent in the Accounting STOP, this attribute may be used to summarize statistics relating to session quality. For example, in IEEE

The exact format of this attribute is implementation specific.
Where IEEE

This can be used, for example, to allow a wireless host to remain on the same VLAN as it moves within a campus network.

However, the IEEE

For use in VLAN assignment, the following tunnel attributes are used:

When Tunnel attributes are sent, it is necessary to fill in the Tag field. As noted in [RFC], section 3.

The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive.

Unless alternative tunnel types are provided, e.g.

For example, within

The key is the same for all Stations within a broadcast domain. If it is lost, then the Supplicant and Authenticator will not have the same keying material, and communication will fail. If this occurs, the problem is typically addressed by re-running the authentication.
It may also be used to refresh the key-mapping key.
Where keys are required, an EAP method that derives keys is typically used.

Packet Type: The Packet Type field is one octet, and determines the type of packet being transmitted.

Key Length: The Key Length field is two octets.

From the Supplicant point of reference, the terms are reversed.

Replay Counter: The Replay Counter field is 8 octets. It does not repeat within the life of the keying material used to encrypt the Key field and compute the Key Signature field.

F: The Key flag (F) is a single bit, describing the type of key that is included in the Key field.

Key Signature: The Key Signature field is 16 octets.

This yields a 48 octet RC4 key (384 bits).

Security issues with RADIUS include:

Packet modification or forgery
Dictionary attacks
Known plaintext attacks
Replay
Outcome mismatches

As described in [RFC], Section 3.

As a result, when used with IEEE

In addition, as described in [RFC], Section 4.

In order to decrease the level of vulnerability, [RFC], Section 3 recommends: It is preferred that the secret be at least 16 octets. Since the User-Password is known, the key stream corresponding to a given Request Authenticator can be determined and stored.
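The following Python is an added example, not text from the RFC or from this page: it implements the User-Password hiding of RFC 2865 section 5.2 that the passage above refers to, and exposes the first key-stream block to show that it depends only on the shared secret and the Request Authenticator, which is why a known password reveals the key stream for that Request Authenticator and why the secret should be at least 16 octets. The secret, password and Request Authenticator values are constructed samples.

```python
import hashlib
import os


def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 octets; chunk p_i is XORed
    with b_i = MD5(secret || c_(i-1)), where c_0 is the 16-octet Request
    Authenticator and c_i is the previous ciphertext chunk.
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Reverse the hiding on the server side and strip the NUL padding."""
    plain, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def first_block_keystream(secret: bytes, req_auth: bytes) -> bytes:
    """Key stream applied to the first chunk: MD5(secret || Request Authenticator).

    It depends on nothing else, so a party that knows one password hidden under
    a given Request Authenticator learns this value by XOR, and every other
    password sent under the same Request Authenticator is exposed. Hence the
    Request Authenticator must be fresh per request and the secret long.
    """
    return hashlib.md5(secret + req_auth).digest()


if __name__ == "__main__":
    secret = b"constructed-sample-secret-16+"  # constructed; >= 16 octets as RFC 2865 prefers
    req_auth = os.urandom(16)                  # fresh for every Access-Request
    wire = radius_hide_password(b"constructed-pw", secret, req_auth)
    print("hidden User-Password:", wire.hex())
```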