Bay Networks RADIUS Reference Manual

RADIUS Attributes
Reference
Marketing Version Number 5.1
Part No. 119347-A Rev. A
September 1997



Summary of Contents for Bay Networks RADIUS

  • Page 1 RADIUS Attributes Reference Marketing Version Number 5.1 Part No. 119347-A Rev. A September 1997...
  • Page 2 4401 Great America Parkway Santa Clara, CA 95054 Copyright © 1997 Bay Networks, Inc. Trademarks Restricted Rights Legend Statement of Conditions Remote Access Concentrator Software Reference All rights reserved. Printed in the USA. September 1997. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
  • Page 3 SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
  • Page 4 Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.
  • Page 5 ...from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse.
  • Page 6 ...agrees to notify Bay Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks. 7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Bay Networks’...
  • Page 7 Revision Level History. Revision / Description: Initial Release.
  • Page 8 Revision Level History (continued).
  • Page 9: Table Of Contents

    RADIUS Authentication Attributes
  • Page 10 RADIUS Accounting Attributes
  • Page 11: About This Guide

    If you are responsible for configuring and/or managing RADIUS security on any of the following platforms, you need to read this guide. For the sake of brevity, this document usually refers to all of the above as RACs. For information on...
  • Page 12: Conventions

    Conventions used in this guide: special type (in examples, indicates system output), bold special type (indicates user input), <cr> (in command examples, indicates that pressing the Return key enters the default value), lowercase bold, and lowercase italics.
  • Page 13: Acronyms

    CCITT: International Telegraph and Telephone Consultative Committee (now ITU-T). CSMA/CD: Carrier Sense Multiple Access with Collision Detection. DLCMI: Data Link Control Management Interface. erpcd: expedited remote procedure call daemon. FTP: File Transfer Protocol. GUI: Graphical User Interface. IP: Internet Protocol.
  • Page 14 ISDN: Integrated Services Digital Network. ISO: International Organization for Standardization. ITU-T: International Telecommunications Union–Telecommunications (formerly CCITT). LAN: local area network. MAC: media access control. MAU: media access unit. MMP: Multisystem Multilink PPP. MP: Multilink PPP. Also listed: MDI-X, NBMA, RADIUS, SMDS, SNMP, TCP/IP, Telnet, TFTP...
  • Page 15: Ordering Bay Networks Publications

    FAX--U.S./Canada and International: 510-498-2609. Telephone number 800-2LANWAN; then enter Express Routing Code (ERC) 290, when prompted, to purchase or renew a service contract. Other telephone numbers listed: 508-916-8880 (direct), 33-4-92-96-69-66, 61-2-9927-8888, 561-988-7661. Fax numbers listed: 508-916-3514, 33-4-92-96-69-96, 61-2-9927-8899, 561-988-7550...
  • Page 16: How To Get Help

    If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Centers: Billerica, MA; Santa Clara, CA; Valbonne, France; Sydney, Australia; Tokyo, Japan. Telephone and fax numbers listed include 800-2LANWAN / 508-916-3514, 800-2LANWAN / 408-495-1188, 33-4-92-96-69-68...
  • Page 17: Radius Attributes

    Bay Networks vendor-specific attributes (VSAs) and vendor-specific enumerations of attributes (VSEs). This document lists all the RADIUS attributes in numerical order, indicating which attributes the RAC supports and which it does not. Supported attributes are described, with each description containing: •...
  • Page 18: Radius Authentication Attributes

    Specifies either the password of the user attempting access or the password entered by the user in response to an Access-Challenge. The password is hidden when transmitted to the RADIUS server: per RFC 2138 (now RFC 2865) it is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator. This is obfuscation, not strong encryption, so the protection of the password rests entirely on the strength and secrecy of the shared secret. Usage: This can be a fixed password (such as a PAP password) or a one-time password (such as a SecurID password).
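The hiding step described above, as an added example that is not code from the Bay Networks manual: a Python implementation of the RFC 2138/2865 User-Password algorithm, with the reveal function a RADIUS server runs, and a function that shows why a Request Authenticator must never be reused. The secret, password and authenticator values are constructed for the demonstration.

```python
import hashlib
import os

# RFC 2138 / RFC 2865 section 5.2: the User-Password value is the cleartext
# password, NUL-padded to a multiple of 16 octets, XORed block by block with
# b1 = MD5(secret + RequestAuthenticator), b2 = MD5(secret + c1), ... where
# c(i) is the previous 16-octet ciphertext block. Only the shared secret
# protects the password: this is obfuscation, not authenticated encryption,
# and reuse of a (secret, authenticator) pair leaks the XOR of two passwords.


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password (2) value as placed in an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets long")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # the next keystream block is chained on this ciphertext
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password from the hidden value, as the RADIUS server does."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Padding is NUL and RADIUS passwords are printable text, so strip it.
    return bytes(plain).rstrip(b"\x00")


def keystream_reuse_leak(pw_a: bytes, pw_b: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """XOR of two hidden values sent under the same secret and authenticator.

    The first 16 octets equal (padded) pw_a XOR pw_b: an observer learns the
    relation between the two passwords without knowing the secret. The NAS
    must therefore use a fresh, unpredictable Request Authenticator per request.
    """
    ha = hide_password(pw_a, secret, authenticator)
    hb = hide_password(pw_b, secret, authenticator)
    return bytes(x ^ y for x, y in zip(ha[:16], hb[:16]))


def demo() -> dict:
    """Constructed values for the demonstration (not from the manual)."""
    secret = b"rac-shared-secret"
    authenticator = os.urandom(16)  # random per request, as a NAS should do
    password = b"correct horse battery staple"  # 28 octets -> two 16-octet blocks
    hidden = hide_password(password, secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "round_trip": reveal_password(hidden, secret, authenticator) == password,
        "wrong_secret": reveal_password(hidden, b"guess", authenticator) == password,
    }
```

Because the keystream is MD5 of the secret and a value visible on the wire, anyone who captures an Access-Request can test candidate shared secrets offline; the secret, not the algorithm, is the whole defence.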
  • Page 19: Chap-Password (3)

    NAS-IP-Address (4) Specifies the RAC’s IP address as a form of identification. Usage: This attribute cannot be used by the server to look up the RADIUS secret; the IP header must be used for that purpose. Multiple Instances Allowed: No.
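The CHAP-Password (3) check a RADIUS server performs for a RAC user, as an added example that is not code from the Bay Networks manual. The attribute value is one octet of CHAP Identifier followed by the 16-octet CHAP response MD5(Identifier || password || challenge) (RFC 1994); the challenge is CHAP-Challenge (60) when present, otherwise the Request Authenticator. Passwords and challenges below are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Compute the CHAP response the dial-in client produces."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of CHAP-Password (3) as the RAC forwards it to the server."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap_password(chap_password: bytes, request_authenticator: bytes,
                         stored_password: bytes,
                         chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check. The server must hold the user's cleartext
    password to recompute the response; that is the operational cost of
    CHAP over RADIUS and the reason the user database needs protecting."""
    if len(chap_password) != 17:
        return False  # 1 octet Identifier + 16 octet MD5 response
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(chap_password: bytes, challenge: bytes, candidates: list) -> Optional[bytes]:
    """Why a captured Access-Request matters: Identifier, challenge and
    response are all on the wire, so password guesses can be tested offline
    at MD5 speed without talking to the server."""
    for candidate in candidates:
        if verify_chap_password(chap_password, challenge, candidate):
            return candidate
    return None
```

Note that the shared secret plays no part in the CHAP check itself; it only protects the Access-Accept/Reject via the Response Authenticator, so a weak user password is exposed to offline guessing by anyone who can capture the request.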
  • Page 20: Nas-Port (5)

    For example, if two users are connected via FTP at the same time, the port number of the first user to connect is 2001, and the port number of the second user is 2002.
  • Page 21 When NAS-Port-Type (41) is Virtual [5], the port number is represented as base + port_index, where the base depends on the virtual device type: VCLI and FTP, 200+port_index; Dialout, 300+port_index; Ethernet (en0), 400+port_index; VPN (for MMP links), 500+port_index; MP bundle, 600+port_index. Multiple Instances Allowed: No. Dependencies: Used only in Access-Request and Accounting-Request packets.
  • Page 22: Service-Type (6)

    RAC rejects the user. (If no service type is returned from the server, the RAC allows the user any type of access.) • Login [1] - The user is connected to a host via a terminal service protocol.
  • Page 23 Login-IP-Host (14) or Login-LAT-Node (35) has been specified, the user is prompted for a target host. Table 1 shows the relationship between the authorized Service-Type (6) and the current connection type.
  • Page 24 Table 1. RAC Action by Connection Type/Service Type. Rows (Service Type): Unspecified, Framed, Login, NAS-Prompt, Outbound, Administrative, Authenticate-Only, Callback-Login, Callback-NAS-Prompt, Callback-Framed. Columns (Connection Type) begin with VCLI; each cell is one of accept, convert, match, or reject.
  • Page 25: Framed-Protocol (7)

    When the user is already running a framed protocol (that is, Service-Type (6) is Framed [2]), the RAC sends the Framed-Protocol attribute value in the Access-Request as a hint to the RADIUS server. The server returns the authorized framed service in the Access-Accept. If the returned value does not match the protocol in use, the RAC rejects the user.
  • Page 26: Framed-Ip-Address (8)

    Usage: Used in both Access-Request and Access-Accept packets. If the RAC configuration parameter address_origin is set to auth_server and the RADIUS server specifies a Framed-IP-Address (8) in the Access-Accept packet, the RAC uses that framed address as the IP network address of the remote user.
  • Page 27: Framed-Ip-Netmask (9)

    Framed-Routing (10) values (continued): • Send [1] - The RAC sends routing packets but does not listen for them. • Listen [2] - The RAC listens for routing packets but does not send them. This is the RADIUS default. • Send-And-Listen [3] - The RAC sends and listens for routing packets.
  • Page 28: Filter-Id (11)

    In creating filters, the server must follow the rules defined for the filter keyword in the RAC’s acp_userinfo file. See Managing the Remote Access Concentrator Using Command Line Interfaces. Multiple Instances Allowed: No. Dependencies: Only IP packets are filtered.
  • Page 29: Framed-Mtu (12)

    Framed-Compression (13): Multiple Instances Allowed: Yes. Dependencies: The value of this attribute supersedes the value of the RAC port parameters do_compression and allow_compression. Both parameters are treated as Y if VJ TCP/IP [1] is specified and N if None [0] is specified.
  • Page 30: Login-Ip-Host (14)

    The RAC handles this attribute as follows: • If the attribute is specified when Service-Type (6) is Login and Login-Service (15) is Telnet or Rlogin, a terminal service connection is started for the user immediately after login. Multiple Instances Allowed: No. Dependencies: The session is terminated upon logout.
  • Page 31: Login-Service (15)

    If it is not, the RAC prompts the user for a target host. • If the value is LAT [4], the Login-LAT-Node (35) attribute must be specified. If it is not, the RAC prompts the user for a target host.
  • Page 32: Login-Tcp-Port (16)

    Multiple Instances Allowed: No. Dependencies: The RAC ignores this attribute for connection types other than Telnet or Rlogin. Unassigned (17) RADIUS has not assigned Attribute 17. Reply-Message (18) Contains the text of a prompt or a message. Usage: •...
  • Page 33: Callback-Number (19)

    Callback-Id (20) Specifies the name of a location to be called back. Usage: The RAC does not support this attribute. Instead, it supports Callback-Number (19). Multiple Instances Allowed: No. Dependencies: The RAC ignores this attribute for connection types other than callback.
  • Page 34: Unassigned (21)

    Framed-Route (22) Specifies a static IP route to be added to the RAC routing table. This route applies only to IP Framed [2] or Callback-Framed [4] services, and exists only for the duration of the RADIUS session. Usage: The route specification should use the format:...
  • Page 35: Framed-Ipx-Network (23)

    Class (25) Usage: One or more of these attributes are sent in an Access-Accept from the server to the RAC, then held in the session and passed on in RADIUS Accounting-Request messages for logging. The server can use this attribute to pass on any sort of user information desired.
  • Page 36: Vendor-Specific (26)

    Session-Timeout (27) Specifies the number of seconds that the user can be dialed into the RAC before the RAC terminates the session. Usage: This optional attribute is used to restrict the duration of a user’s session. Multiple Instances Allowed: No. Dependencies: This attribute applies to all types of RAC sessions.
  • Page 37: Idle-Timeout (28)

    Termination-Action (29) (continued): ...Annex-CLI-Command (VSA Bay Networks 29), to script the user’s session. The default terminates the entire user session. Multiple Instances Allowed: No. Dependencies: Framed protocol sessions, including those originally started at the CLI, are not affected by this attribute.
  • Page 38: Called-Station-Id (30)

    Usage: The RAC sends this information, when available, in Access-Request and Accounting-Request packets. Multiple Instances Allowed: No. Dependencies: Applicable to digital service only. NAS-Identifier (32) Uniquely specifies the NAS. Usage: Not supported; NAS-IP-Address (4) is used instead. Multiple Instances Allowed: No. Dependencies: None.
  • Page 39: Proxy-State (33)

    This attribute is sent by a proxy server to another RADIUS server to maintain the proxy’s status until an Access-Accept packet arrives. Usage: Ignored; the RAC is not a proxy RADIUS server. Multiple Instances Allowed: Yes.
  • Page 40: Login-Lat-Node (35)

    ...AppleTalk router. Usage: Not supported. Multiple Instances Allowed: No. Framed-AppleTalk-Network (38) Specifies the AppleTalk Network number to be probed in order to allocate an AppleTalk node number. Usage: Not supported. Multiple Instances Allowed: No.
  • Page 41: Framed-Appletalk-Zone (39)

    NAS-Port-Type (41) values (continued): • ISDN Sync [2] • ISDN Async V.120 [3] • ISDN Async V.110 [4] • Virtual [5] -- NAS-Port (5) further encodes the type of virtual RAC port as described on page 4. Multiple Instances Allowed: No.
  • Page 42: Port-Limit (42)

    Login-LAT-Port (63) Specifies the LAT port to which a reverse LAT connection is to be made. Usage: This optional attribute is used to further specify LAT connections. Multiple Instances Allowed: No. Dependencies: This attribute is meaningful for LAT Login-Service connections only. The RAC ignores it for other connection types.
  • Page 43: Radius Accounting Attributes

    Acct-Status-Type (40) values (continued): • Call-Start [4] -- The user dialed in. • Call-Stop [5] -- The user hung up. • Accounting-On [7] -- The RAC began RADIUS accounting. This occurs after the RAC is rebooted. • Accounting-Off [8] -- The RAC stopped RADIUS accounting.
  • Page 44 • Accounting-Restart [VSE Bay Networks 10389030] -- The RAC administrator has enabled security after previously disabling it (by using the enable_security parameter and then issuing the na or admin command reset annex security). Multiple Instances Allowed: No.
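An Accounting-Request carrying these attributes, built as the RAC would build it and verified as the server would, as an added example that is not code from the Bay Networks manual. It also applies the NAS-IP-Address (4) rule from page 19: the shared secret is selected by the UDP source address, never by the NAS-IP-Address value inside the packet. The client table, secrets, addresses and session identifier are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2139 / RFC 2866)

# Attribute type numbers as listed in this reference.
NAS_IP_ADDRESS = 4
NAS_PORT = 5
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_AUTHENTIC = 45

ACCT_STATUS_START = 1      # Acct-Status-Type Start [1]
ACCT_AUTHENTIC_RADIUS = 1  # Acct-Authentic RADIUS [1]


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must fit in 253 octets")
    return bytes([atype, len(value) + 2]) + value


def int_attribute(atype: int, value: int) -> bytes:
    return attribute(atype, struct.pack("!I", value))


def ipv4_attribute(atype: int, addr: str) -> bytes:
    return attribute(atype, ipaddress.IPv4Address(addr).packed)


def build_accounting_request(identifier: int, secret: bytes, attributes: bytes) -> bytes:
    """Build the packet the RAC sends. For an Accounting-Request the Request
    Authenticator is MD5 over Code, Identifier, Length, 16 zero octets, the
    attributes and the shared secret, so the server can check integrity."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check that the packet came from a holder of `secret`
    and was not modified in transit."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and ignored
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(expected, received)


# Constructed client table for the demonstration. Secrets are keyed by the
# source address in the IP header; NAS-IP-Address (4) inside the packet is
# data chosen by whoever sent the packet and must not select the secret.
CLIENTS = {"192.0.2.10": b"rac-east-secret", "192.0.2.11": b"rac-west-secret"}


def handle_accounting_request(source_ip: str, packet: bytes) -> str:
    secret: Optional[bytes] = CLIENTS.get(source_ip)
    if secret is None:
        return "drop: unknown client address"
    if not verify_accounting_request(packet, secret):
        return "drop: bad Request Authenticator"
    return "accept"


def sample_start_record() -> bytes:
    """Constructed Start record such as a RAC might send for a new session."""
    attrs = (ipv4_attribute(NAS_IP_ADDRESS, "192.0.2.10")
             + int_attribute(NAS_PORT, 3)
             + int_attribute(ACCT_STATUS_TYPE, ACCT_STATUS_START)
             + attribute(ACCT_SESSION_ID, b"00000A1F")
             + int_attribute(ACCT_AUTHENTIC, ACCT_AUTHENTIC_RADIUS))
    return build_accounting_request(0x2A, CLIENTS["192.0.2.10"], attrs)
```

The authenticator covers the whole attribute list, so a forged or altered Start/Stop record from a host that does not hold the secret for its source address is dropped before any accounting is written; that is the only integrity protection accounting records get, and it is keyed MD5 rather than an HMAC, so the secret per client should be long and unique.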
  • Page 45: Acct-Delay-Time (41)

    Acct-Output-Octets (43) Indicates the number of output octets for this session. Usage: Used at the end of a session (that is, when Acct-Status-Type (40) is Stop [2]). Multiple Instances Allowed: No. Dependencies: Available only for physical or tunneled connections.
  • Page 46: Acct-Session-Id (44)

    Multiple Instances Allowed: No. Acct-Authentic (45) Indicates the user authentication method. Usage: For RADIUS users, the method indicated is always RADIUS [1]. Multiple Instances Allowed: No. Dependencies: This is recorded in each Accounting-Request packet when Acct-Status-Type (40) = Start [1].
  • Page 47: Acct-Input-Packets (47)

    Acct-Output-Packets (48) Indicates the number of output packets for the user session. Multiple Instances Allowed: No. Dependencies: Recorded only at the end of a session (that is, when Acct-Status-Type (40) is Stop [2]). Applies only to physical or tunneled connections.
  • Page 48: Acct-Terminate-Cause (49)

    Usage: The reasons are: • User-Request [1] - The user logged out. • Lost-Carrier [2] - A carrier loss occurred. Multiple Instances Allowed: No. Dependencies: Recorded only at the end of a session (that is, when Acct-Status-Type (40) is Stop [2]).
  • Page 49: Acct-Multi-Session-Id (50)

    Acct-Link-Count (51) Indicates the current count of links for a multilink session. Usage: This optional attribute can appear in any Accounting-Request message for a session with multiple links. Multiple Instances Allowed: No. Dependencies: Meaningful only for MP connections.
  • Page 50: Bay Networks Vendor-Specific Attributes

    ...Administrator’s Guide that applies to the Remote Annex you are using. Multiple Instances Allowed: Yes. Each filter must be specified in a separate attribute. Dependencies: This attribute is meaningful only for framed IP connections. The RAC ignores it for other connection types.
  • Page 51: Annex-Cli-Command (Vsa Bay Networks 29)

    CLI command name. Commands are executed in the order received. Each command must be in a separate RADIUS attribute. If the RAC detects an error, the error is syslogged, the remaining commands are ignored, and the session is terminated.
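Extracting Annex-CLI-Command instances from an Access-Accept and applying the ordering and stop-on-error rule described above, as an added example that is not code from the Bay Networks manual. Vendor-Specific (26) is parsed in the RFC 2865 layout (4-octet Vendor-Id, then vendor type, vendor length, data). Assumptions not on this page: the Bay Networks IANA enterprise number 1584, the allow-list of CLI command names, and a Python list standing in for syslog.

```python
import struct

VENDOR_SPECIFIC = 26
# IANA enterprise number used for Bay Networks VSAs. Assumption: the page
# gives only the vendor type numbers, not the enterprise number.
BAY_NETWORKS_VENDOR_ID = 1584
ANNEX_CLI_COMMAND = 29  # Annex-CLI-Command (VSA Bay Networks 29)


def parse_attributes(attributes: bytes):
    """Yield (type, value) pairs; reject lengths that would run off the buffer."""
    i = 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, attributes[i + 2:i + alen]
        i += alen


def parse_vendor_specific(value: bytes):
    """Yield (vendor_id, vendor_type, data) from one Vendor-Specific (26)
    value: Vendor-Id(4) followed by Vendor-Type, Vendor-Length, data."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    i = 4
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError(f"bad vendor length {vlen} for vendor type {vtype}")
        yield vendor_id, vtype, value[i + 2:i + vlen]
        i += vlen


def encode_bay_vsa(vendor_type: int, data: bytes) -> bytes:
    """Encode one Bay Networks VSA as a Vendor-Specific (26) attribute."""
    inner = bytes([vendor_type, len(data) + 2]) + data
    value = struct.pack("!I", BAY_NETWORKS_VENDOR_ID) + inner
    return bytes([VENDOR_SPECIFIC, len(value) + 2]) + value


def annex_cli_commands(attributes: bytes) -> list:
    """Commands in the order received; each command arrives in its own
    attribute. Non-ASCII data raises, which rejects the whole reply."""
    commands = []
    for atype, value in parse_attributes(attributes):
        if atype != VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in parse_vendor_specific(value):
            if vendor_id == BAY_NETWORKS_VENDOR_ID and vtype == ANNEX_CLI_COMMAND:
                commands.append(data.decode("ascii"))
    return commands


# Constructed allow-list standing in for the RAC's CLI command table.
KNOWN_COMMANDS = {"telnet", "rlogin", "ppp", "hangup"}


def run_session_script(attributes: bytes, syslog: list) -> tuple:
    """Execute in order; on the first error log it, ignore the remaining
    commands and terminate the session. Returns (executed, session_alive)."""
    executed = []
    for command in annex_cli_commands(attributes):
        words = command.split()
        if not words or words[0] not in KNOWN_COMMANDS:
            syslog.append(f"Annex-CLI-Command failed: {command!r}")
            return executed, False
        executed.append(command)
    return executed, True
```

The length checks matter: an attribute list from the server is parsed before the user has any access, so a malformed Vendor-Length must be rejected rather than read past the end of the packet, and a VSA from a different Vendor-Id is ignored even when its vendor type number happens to be 29.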
  • Page 52: Annex-Host-Restrict (Vsa Bay Networks 31)

    Dependencies: This attribute applies to Service-Type NAS-Prompt [7] (CLI) sessions only. • The first string of characters specifies the dotted decimal IP address of the host whose access is to be restricted. A zero in one address component matches any value;...
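The address-matching rule above (a zero component matches any value), as an added example that is not code from the Bay Networks manual. Only the address part of the attribute string is modelled, because the text after the address is not preserved in this extract; it is assumed that Annex-Host-Allow (VSA Bay Networks 32) uses the same address syntax, and no precedence between Allow and Restrict is modelled since the page does not state one. Patterns and hosts are constructed for the demonstration.

```python
import ipaddress

# Annex-Host-Restrict carries a dotted-decimal host address in which an
# octet of 0 is a wildcard. Assumption: Annex-Host-Allow uses the same
# address syntax; precedence between the two is not modelled here.


def parse_host_pattern(pattern: str) -> tuple:
    """Validate 'a.b.c.d' and return four ints, 0 meaning wildcard."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"host pattern must have four components: {pattern!r}")
    octets = []
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad address component {part!r} in {pattern!r}")
        octets.append(int(part))
    return tuple(octets)


def host_matches(pattern: str, host: str) -> bool:
    """True if `host` (a concrete IPv4 address) falls under `pattern`."""
    want = parse_host_pattern(pattern)
    have = ipaddress.IPv4Address(host).packed  # raises on a non-address
    return all(w == 0 or w == h for w, h in zip(want, have))


def restricted_by(host: str, restrict_patterns: list) -> list:
    """All Annex-Host-Restrict patterns (one per attribute instance) that
    cover `host`; an empty list means no restriction applies."""
    return [p for p in restrict_patterns if host_matches(p, host)]


def exact_match_possible(pattern: str) -> bool:
    """A pattern with a 0 octet can never mean 'only this host': the
    address 10.0.5.1 written as a pattern also matches 10.7.5.1, 10.9.5.1
    and so on. Check this before relying on an entry for one specific host."""
    return 0 not in parse_host_pattern(pattern)
```

The practical consequence of the wildcard rule is the last function: a host whose real address contains a zero octet cannot be named exactly, and 0.0.0.0 restricts (or allows) every host, so entries are worth validating when the server builds them.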
  • Page 53: Annex-Host-Allow (Vsa Bay Networks 32)

    Identifies the type of RAC or Remote Annex in use. Usage: Contains one of the following product names: RA2000, RA4000, RA6100, RA6300, 5390, 5391, 5399, or 8000. Multiple Instances Allowed: No. Dependencies: Always included in Access-Request and Accounting-Request packets.
  • Page 54: Annex-Sw-Version (Vsa Bay Networks 34)

    (interface). If the attribute is not specified, or if address_origin is local, the IP address defaults to the value specified by the na or admin port parameter local_address. RADIUS defines two special values for this attribute: Multiple Instances Allowed: No. Dependencies: This attribute is meaningful only for framed IP connections.
  • Page 55: Annex-Tunnel-Type (Vsa Bay Networks 36)

    Usage: The RAC supports the value IP [1]. Multiple Instances Allowed: No. Dependencies: This attribute is used to define the type of address that is used in the Annex-Tunnel-Client-Endpoint (VSA Bay Networks 38) and Annex-Tunnel-Server-Endpoint (VSA Bay Networks 39) attributes.
  • Page 56: Annex-Tunnel-Client-Endpoint (Vsa Bay Networks 38)

    The arguments are: • n.n.n.n is the IP address of the server in dotted decimal notation. •... Multiple Instances Allowed: No. Dependencies: The format of this attribute depends upon the value of the Annex-Tunnel-Medium-Type (VSA Bay Networks 37) attribute.
  • Page 57: Annex-Tunnel-Id (Vsa Bay Networks 40)

    ...39), and Annex-Tunnel-Id (VSA Bay Networks 40) attributes to specify a tunnel uniquely. Multiple Instances Allowed: No. Dependencies: The format of this attribute depends upon the value of the Annex-Tunnel-Type (VSA Bay Networks 36) attribute. For L2TP [3], this is the 16-bit Tunnel ID.
  • Page 58: Annex-Callback-Port-List (Vsa Bay Networks 42)

    Dependencies: This attribute is meaningful only when Service-Type (6) is Callback-Login [3], Callback-Framed [4], or Callback-NAS-Prompt [9]. The attribute is primarily useful for Remote Annex Models 2000, 4000, and 6100, on which there are numbered physical ports.
