Wednesday, June 14, 2006

How RADIUS works

A sneak peak on how RADIUS works

  • client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing.

  • When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5

  • If no response is returned within a length of time, the request is re-sent a number of times,

  • Once the RADIUS server receives the request, it validates the sending client.

  • A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded

  • If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request

  • The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access.

  • The RADIUS server MAY make requests of other servers in order to satisfy the request, in which case it acts as a client.

  • If any Proxy-State attributes were present in the Access-Request, they MUST be copied unmodified and in order into the response packet.

  • Other Attributes can be placed before, after, or even between the Proxy-State attributes.

  • If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid.

  • If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It MAY include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute.

  • If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re- submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted)

  • If all conditions are met, the list of configuration values for the user are placed into an "Access-Accept" response.

  • These values include the type of service (for example: SLIP, PPP, Login User) and all necessary values to deliver the desired service.


    Reference

    http://www.faqs.org/rfcs/rfc2865.html
    • Posted by at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)