3Com 3C13636 Configuration Manual page 1005

3Com Router 3000 Ethernet Family
Configuration Guide
Having received the username and password, the RADIUS client sends the
authentication request (Access-Request) to the RADIUS server.
2) The RADIUS server compares the received user information against that in the
Users database. If the authentication succeeds, it sends back an authentication
response (Access-Accept) containing the information of user's right. If the
authentication fails, it returns an Access-Reject message.
3) The RADIUS client acts on the returned authentication result to accept or deny the
user. If it is allowed to accept the user, the RADIUS client sends an accounting
start request (Accounting-Request) to the RADIUS server, with the value of
Status-Type being "start".
4) The RADIUS server returns a start-accounting response (Accounting-Response).
5) The RADIUS client sends a stop-accounting request (Accounting-Request) to the
RADIUS server, with the value of Status-Type being "stop".
6) The RADIUS server returns a stop-accounting response (Accounting-Response).
III. RADIUS packet structure
RADIUS uses UDP to transmit messages; with timer management, retransmission, and
slave server mechanisms, it ensures the smooth message exchange between the
RADIUS server and the client. The following figure shows the RADIUS packet
structure.
Code
Figure 2-3 RADIUS packet structure
The Identifier field is used for matching request packets and response packets. It varies
with the Attribute field and the received valid response packets, but keeps unchanged
during retransmission. The 16-byte Authenticator field is used to authenticate the
request transmitted by the RADIUS server, and it also applies to the password hidden
algorithm. There are two kinds of authenticators: Request and Response.
Request Authenticator is the random code of 16 bytes in length.
Response Authenticator is the result of applying the MD5 algorithm to Code,
Identifier, Request Authenticator, Length, Attribute and shared-key.
1) The Code field decides the type of a RADIUS packet, as shown in the following
table.
Identifier Length
Authenticator
Attribute
3Com Corporation
2-4
Chapter 2 AAA and RADIUS/HWTACACS Protocol
Configuration