SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.
RADIUS Attributes Reference from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no charge if it is returned to Bay Networks during the warranty period along with proof of the date of shipment. This warranty does not apply if the media has been damaged as a result of accident, misuse, or abuse.
Remote Access Concentrator Software Reference agrees to notify Bay Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Bay Networks’...
If you are responsible for configuring and/or managing RADIUS security on any of the following platforms, you need to read this guide. For the sake of brevity, this document usually refers to all of the above as RACs. For information on...
Conventions used in this guide:
special type         In examples, special type indicates system output.
bold special type    Bold special type indicates user input.
<cr>                 In command examples, this notation indicates that pressing the Return key enters the default value.
lowercase bold
lowercase italics
International Telegraph and Telephone Consultative Committee (now ITU-T); Carrier Sense Multiple Access with Collision Detection; Data Link Control Management Interface; expedited remote procedure call daemon; File Transfer Protocol; Graphical User Interface; Internet Protocol...
Abbreviations: ITU-T, MDI-X, NBMA, RADIUS, SMDS, SNMP, TCP/IP, Telnet, TFTP.
Expansions: Integrated Services Digital Network; International Organization for Standardization; International Telecommunications Union–Telecommunications (formerly CCITT); local area network; media access control; media access unit; Multisystem Multilink PPP; Multilink PPP...
FAX--U.S./Canada and International: 510-498-2609.
Telephone number: 800-2LANWAN; then enter Express Routing Code (ERC) 290, when prompted, to purchase or renew a service contract; 508-916-8880 (direct); 33-4-92-96-69-66; 61-2-9927-8888; 561-988-7661.
Fax number: 508-916-3514; 33-4-92-96-69-96; 61-2-9927-8899; 561-988-7550...
If you purchased a Bay Networks service program, call one of the following Bay Networks Technical Solutions Centers:
Technical Solutions Center    Telephone number    Fax number
Billerica, MA                 800-2LANWAN         508-916-3514
Santa Clara, CA               800-2LANWAN         408-495-1188
Valbonne, France              33-4-92-96-69-68...
Sydney, Australia
Tokyo, Japan
Bay Networks vendor-specific attributes (VSAs) and vendor-specific enumerations of attributes (VSEs). This document lists all the RADIUS attributes in numerical order, indicating which attributes the RAC supports and which it does not. Supported attributes are described, with each description containing: •...
Specifies either the password of the user attempting access or the password entered by the user in response to an Access-Challenge. The password is encrypted when transmitted to the RADIUS server. Usage: This can be a fixed password (such as a PAP password) or a one-time password (such as a SecurID password).
NAS-IP-Address (4) Specifies the RAC’s IP address as a form of identification. Usage: This attribute cannot be used by the server to look up the RADIUS secret; the IP header must be used for that purpose. Multiple Instances Allowed: No.
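The two points made above, that User-Password is hidden on the wire and that the server must pick the shared secret from the IP header rather than from NAS-IP-Address (4), worked through in Python. This is an added example, not code from the Bay Networks reference: the hiding routine is the one RFC 2865 section 5.2 defines for User-Password, the client table, addresses and secret are constructed values, and nas_ip_matches_source is a hypothetical consistency check a server might log, not something the page describes.

```python
import hashlib
import os

# Constructed table of RADIUS clients, keyed by the source address taken from
# the IP header of the received packet (hypothetical values).
CLIENT_SECRETS = {
    "192.0.2.10": b"example-shared-secret",
}


def lookup_secret(ip_header_source: str) -> bytes:
    """Return the shared secret for the client that sent the packet.

    The key is the source address from the IP header, as the reference requires.
    NAS-IP-Address (4) is never consulted here: it is payload chosen by the
    sender, and nothing in the packet can be verified until the secret is known.
    """
    return CLIENT_SECRETS[ip_header_source]


def nas_ip_matches_source(ip_header_source: str, nas_ip_address_attr: str) -> bool:
    """Hypothetical consistency check for server logs: for a directly connected
    RAC the attribute should equal the IP header source, and a mismatch is a
    reason to look harder at that packet before trusting anything else in it."""
    return ip_header_source == nas_ip_address_attr


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """User-Password hiding as specified in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte chunk is
    XORed with MD5(secret + previous ciphertext chunk), seeded with the 16-byte
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    authenticated encryption, which is why the secret must be strong and
    per-client.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it.

    Trailing NUL padding is stripped, so a password that itself ends in NUL
    bytes cannot be told apart from padding (a limitation of the RFC scheme).
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        clear += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return bytes(clear).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed request: the RAC at 192.0.2.10 sends an Access-Request.
    authenticator = os.urandom(16)
    secret = lookup_secret("192.0.2.10")
    wire = hide_user_password(b"one-time-123456", secret, authenticator)
    print("on the wire:", wire.hex())
    print("recovered:", reveal_user_password(wire, secret, authenticator))
```

The server side of this is the order of operations: take the UDP source address, look up the secret, and only then unhide the password and verify the rest of the packet; a lookup keyed on NAS-IP-Address would let any client claim any other client's secret context.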
For example, if two users are connected via FTP at the same time, the port number of the first user to connect is 2001, and the port number of the second user is 2002.
Virtual [5], the port number is represented as:
Virtual Device Type      Port Number
VCLI and FTP             200+port_index
Dialout                  300+port_index
Ethernet (en0)           400+port_index
VPN (for MMP links)      500+port_index
MP bundle...             600+port_index
Multiple Instances Allowed: No.
Dependencies: Used only in Access-Request and Accounting-Request packets.
RAC rejects the user. (If no service type is returned from the server, the RAC allows the user any type of access.)
• Login [1] - The user is connected to a host via a terminal service protocol.
Login-IP-Host (14) or Login-LAT-Node (35) has been specified, the user is prompted for a target host. Table 1 shows the relationship between the authorized Service-Type (6) and the current connection type.
Table 1. RAC Action by Connection Type/Service Type
Service Type (columns): Unspecified, Framed, Login, NAS-Prompt, Outbound, Administrative, Authenticate-Only, Callback-Login, Callback-NAS-Prompt, Callback-Framed
Connection Type (rows), VCLI: accept, accept, accept, convert, reject, match, accept, accept, reject, accept, accept, reject...
When the user is already running a framed protocol (that is, Service-Type (6) is Framed [2]), the RAC sends the Framed-Protocol attribute value in the Access-Request as a hint to the RADIUS server. The server returns the authorized framed service in the Access-Response. If the returned value does not match the protocol in use, the RAC rejects the user.
Usage: Used in both Access-Request and Access-Accept packets. If the RAC configuration parameter address_origin is set to auth_server and the RADIUS server specifies a Framed-IP-Address (8) in the Access-Accept packet, the RAC uses that framed address as the IP network address of the remote user.
• Send [1] - The RAC sends routing packets but does not listen for them.
• Listen [2] - The RAC listens for routing packets but does not send them. This is the RADIUS default.
• Send-And-Listen [3] - The RAC sends and listens for routing packets.
In creating filters, the server must follow the rules defined for the filter keyword in the RAC’s acp_userinfo file. See Managing the Remote Access Concentrator Using Command Line Interfaces.
Multiple Instances Allowed: No.
Dependencies: Only IP packets are filtered.
Multiple Instances Allowed: Yes.
Dependencies: The value of this attribute supersedes the value of the RAC port parameters do_compression and allow_compression. Both parameters are treated as Y if VJ TCP/IP [1] is specified and N if None [0] is specified.
The RAC handles this attribute as follows:
• If the attribute is specified when Service-Type (6) is Login and Login-Service (15) is Telnet or Rlogin, a terminal service connection is started for the user immediately after login.
Multiple Instances Allowed: No.
Dependencies: The session is terminated upon logout.
If it is not, the RAC prompts the user for a target host.
• If the value is LAT [4], the Login-LAT-Node (35) attribute must be specified. If it is not, the RAC prompts the user for a target host.
Multiple Instances Allowed: No.
Dependencies: The RAC ignores this attribute for connection types other than Telnet or Rlogin.
Unassigned (17)
RADIUS has not assigned Attribute 17.
Reply-Message (18)
Contains the text of a prompt or a message.
Usage:
•...
Specifies the name of a location to be called back.
Usage: The RAC does not support this attribute. Instead, it supports Callback-Number (19).
Multiple Instances Allowed: No.
Dependencies: The RAC ignores this attribute for connection types other than callback.
Specifies a static IP route to be added to the RAC routing table. This route applies only to IP Framed [3] or Callback-Framed [4] services, and exists only for the duration of the RADIUS session. Usage: The route specification should use the format:...
Usage: One or more of these attributes are sent in an Access-Accept from the server to the RAC, then held in the session and passed on in RADIUS Accounting-Request messages for logging. The server can use this attribute to pass on any sort of user information desired.
Specifies the number of seconds that the user can be dialed into the RAC before the RAC terminates the session.
Usage: This optional attribute is used to restrict the duration of a user’s session.
Multiple Instances Allowed: No.
Dependencies: This attribute applies to all types of RAC sessions.
Annex-CLI-Command (VSA Bay Networks 29), to script the user’s session. The default terminates the entire user session.
Multiple Instances Allowed: No.
Dependencies: Framed protocol sessions, including those originally started at the CLI, are not affected by this attribute.
Usage: The RAC sends this information, when available, in Access-Request and Accounting-Request packets.
Multiple Instances Allowed: No.
Dependencies: Applicable to digital service only.
NAS-Identifier (32)
Uniquely specifies the NAS.
Usage: Not supported; NAS-IP-Address (4) is used instead.
Multiple Instances Allowed: No.
Dependencies: None.
Proxy-State (33)
This attribute is sent by a proxy server to another RADIUS server to maintain the proxy’s status until an Access-Accept packet arrives.
Usage: Ignored; the RAC is not a proxy RADIUS server.
Multiple Instances Allowed: Yes.
AppleTalk router.
Usage: Not supported.
Multiple Instances Allowed: No.
Framed-AppleTalk-Network (38)
Specifies the AppleTalk Network number to be probed in order to allocate an AppleTalk node number.
Usage: Not supported.
Multiple Instances Allowed: No.
Specifies the LAT port to which a reverse LAT connection is to be made.
Usage: This optional attribute is used to further specify LAT connections.
Multiple Instances Allowed: No.
Dependencies: This attribute is meaningful for LAT Login-Service connections only. The RAC ignores it for other connection types.
• Call-Start [4] -- The user dialed in.
• Call-Stop [5] -- The user hung up.
• Accounting-On [7] -- The RAC began RADIUS accounting. This occurs after the RAC is rebooted.
• Accounting-Off [8] -- The RAC stopped RADIUS accounting.
• Accounting-Restart [VSE Bay Networks 10389030] -- The RAC administrator has enabled security after previously disabling it (by using the enable_security parameter and then issuing the na or admin command reset annex security).
Multiple Instances Allowed: No.
Indicates the number of output octets for this session.
Usage: Used at the end of a session (that is, when Acct-Status-Type (41) is Stop [2]).
Multiple Instances Allowed: No.
Dependencies: Available only for physical or tunneled connections.
Multiple Instances Allowed: No.
Acct-Authentic (45)
Indicates the user authentication method.
Usage: For RADIUS users, the method indicated is always RADIUS [1].
Multiple Instances Allowed: No.
Dependencies: This is recorded in each Accounting-Request packet when Acct-Status-Type (40) = Start [1].
Indicates the number of output packets for the user session.
Multiple Instances Allowed: No.
Dependencies: Recorded only at the end of a session (that is, when Acct-Status-Type (41) is Stop [2]). Applies only to physical or tunneled connections.
Usage: The reasons are:
• User-Request [1] - The user logged out.
• Lost-Carrier [2] - A carrier loss occurred.
Multiple Instances Allowed: No.
Dependencies: Recorded only at the end of a session (that is, when Acct-Status-Type (41) is Stop [2]).
Acct-Link-Count (51)
Indicates the current count of links for a multilink session.
Usage: This optional attribute can appear in any Accounting-Request message for a session with multiple links.
Multiple Instances Allowed: No.
Dependencies: Meaningful only for MP connections.
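Accounting records of the kind the entries above describe (Acct-Status-Type Start, Stop and Accounting-On, Acct-Terminate-Cause, Acct-Output-Octets) correlated into sessions, as an added example that is not part of the reference and not Bay Networks code. It assumes each record carries Acct-Session-Id, the standard RFC 2866 session identifier, which this page does not discuss, and the records themselves are constructed. It reports sessions that were still open when an Accounting-On arrived after a reboot, Stop records with no matching Start, and Lost-Carrier terminations, which is what an operator looking for abnormal disconnects or gaps in the accounting trail wants to see.

```python
# Acct-Status-Type values named in the reference (RFC 2866 numbering)
START, STOP, CALL_START, CALL_STOP, ACCOUNTING_ON, ACCOUNTING_OFF = 1, 2, 4, 5, 7, 8
# Acct-Terminate-Cause values named in the reference
USER_REQUEST, LOST_CARRIER = 1, 2

# Constructed Accounting-Request records in arrival order, one dict per packet.
# Acct-Session-Id is assumed: the standard RFC 2866 session identifier.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": ACCOUNTING_ON, "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": START, "Acct-Session-Id": "A1", "User-Name": "alice",
     "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": START, "Acct-Session-Id": "B2", "User-Name": "bob",
     "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "A1", "User-Name": "alice",
     "NAS-IP-Address": "192.0.2.10", "Acct-Terminate-Cause": LOST_CARRIER,
     "Acct-Output-Octets": 5120},
    # the RAC reboots: Accounting-On follows, and bob's session never gets a Stop
    {"Acct-Status-Type": ACCOUNTING_ON, "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "C3", "User-Name": "carol",
     "NAS-IP-Address": "192.0.2.10", "Acct-Terminate-Cause": USER_REQUEST,
     "Acct-Output-Octets": 10},
]


def correlate_accounting(records):
    """Pair Start and Stop records per Acct-Session-Id and report anomalies.

    Returns a dict with closed sessions, sessions orphaned by a reboot (still
    open when Accounting-On arrived from the same NAS), Stop records with no
    matching Start, Lost-Carrier terminations, and sessions still open.
    """
    open_sessions = {}
    result = {"closed": {}, "orphaned": [], "unmatched_stop": [], "lost_carrier": []}
    for rec in records:
        status = rec["Acct-Status-Type"]
        if status == ACCOUNTING_ON:
            # Accounting-On is sent after the RAC is rebooted: any session still
            # open on that NAS was cut off without a Stop and must not be counted
            # as active or billed as if it were still running.
            nas = rec["NAS-IP-Address"]
            for sid in [s for s, r in open_sessions.items() if r["NAS-IP-Address"] == nas]:
                result["orphaned"].append(sid)
                del open_sessions[sid]
        elif status == START:
            open_sessions[rec["Acct-Session-Id"]] = rec
        elif status == STOP:
            sid = rec["Acct-Session-Id"]
            start = open_sessions.pop(sid, None)
            if start is None:
                # a Stop with no Start: lost packet, or a session that began
                # before accounting was enabled; either way worth a log line
                result["unmatched_stop"].append(sid)
            else:
                result["closed"][sid] = {
                    "user": start["User-Name"],
                    "output_octets": rec.get("Acct-Output-Octets", 0),
                    "cause": rec.get("Acct-Terminate-Cause"),
                }
            if rec.get("Acct-Terminate-Cause") == LOST_CARRIER:
                result["lost_carrier"].append(sid)
        # Call-Start, Call-Stop and Accounting-Off carry no per-session state here
    result["still_open"] = sorted(open_sessions)
    return result


if __name__ == "__main__":
    summary = correlate_accounting(SAMPLE_RECORDS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Octet and packet counters are only present on Stop records, as the entries above state, so per-session volume can only be computed once the Stop arrives; sessions orphaned by a reboot have no volume figure at all, which is a second reason to list them separately.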
Administrator’s Guide that applies to the Remote Annex you are using.
Multiple Instances Allowed: Yes. Each filter must be specified in a separate attribute.
Dependencies: This attribute is meaningful only for framed IP connections. The RAC ignores it for other connection types.
CLI command name. Commands are executed in the order received. Each command must be in a separate RADIUS attribute. If the RAC detects an error, the error is syslogged, the remaining commands are ignored, and the session is terminated.
Dependencies: This attribute applies to Service-Type NAS-Prompt [7] (CLI) sessions only.
• The first string of characters specifies the dotted decimal IP address of the host whose access is to be restricted. A zero in one address component matches any value;...
Identifies the type of RAC or Remote Annex in use.
Usage: Contains one of the following product names: RA2000, RA4000, RA6100, RA6300, 5390, 5391, 5399, or 8000.
Multiple Instances Allowed: No.
Dependencies: Always included in Access-Request and Accounting-Request packets.
(interface). If the attribute is not specified, or if address_origin is local, the IP address defaults to the value specified by the na or admin port parameter local_address. RADIUS defines two special values for this attribute: Multiple Instances Allowed: No. Dependencies: This attribute is meaningful only for framed IP connections.
Usage: The RAC supports the value IP [1].
Multiple Instances Allowed: No.
Dependencies: This attribute is used to define the type of address that is used in the Annex-Tunnel-Client-Endpoint (VSA Bay Networks 38) and Annex-Tunnel-Server-Endpoint (VSA Bay Networks 39) attributes.
The arguments are:
• n.n.n.n is the IP address of the server in dotted decimal notation.
• ...
Multiple Instances Allowed: No.
Dependencies: The format of this attribute depends upon the value of the Annex-Tunnel-Medium-Type (VSA Bay Networks 37) attribute.
39), and Annex-Tunnel-Id (VSA Bay Networks 40) attributes to specify a tunnel uniquely.
Multiple Instances Allowed: No.
Dependencies: The format of this attribute depends upon the value of the Annex-Tunnel-Type (VSA Bay Networks 36) attribute. For L2TP [3], this is the 16-bit Tunnel ID.
Dependencies: This attribute is meaningful only when Service-Type (6) is Callback-Login [3], Callback-Framed [4], or Callback-NAS-Prompt [9]. The attribute is primarily useful for Remote Annex Models 2000, 4000, and 6100, on which there are numbered physical ports.