Saturday 8 August 2015

Radius Access-Request packet


The RADIUS client sends an Access-Request packet to the RADIUS server. The Access-Request packet looks like the following.
Code field
The Code field must have the value 1 for an Access-Request packet.

Identifier field
The Identifier field is 8 bits long and is used to match requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address, source UDP port and Identifier within a short span of time.

For retransmissions, the Identifier MUST remain unchanged. The Identifier field MUST be changed whenever the content of the Attributes field changes, and whenever a valid reply has been received for a previous request.

Request Authenticator
It is a 16-octet random number in Access-Request packets. It is used in the password-hiding algorithm. The Request Authenticator value MUST be changed each time a new Identifier is used.

Attributes field
The length of this field is not fixed; it can vary. The following are the attributes that an Access-Request contains.

| Attribute | Description |
|---|---|
| User-Name | Specifies the name of the user to be authenticated. |
| NAS-IP-Address | Specifies the IP address of the RADIUS client. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. |
| NAS-Identifier | This Attribute contains a string identifying the RADIUS client originating the Access-Request. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet. |
| User-Password | This Attribute specifies the password of the user to be authenticated, or the user's input following an Access-Challenge. An Access-Request MUST contain either a User-Password or a CHAP-Password or a State. |
| CHAP-Password | This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. An Access-Request MUST contain either a User-Password or a CHAP-Password or a State. |
| State | A packet must have only zero or one State Attribute. This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. An Access-Request MUST contain either a User-Password or a CHAP-Password or a State. |
| NAS-Port | Specifies the physical port number of the RADIUS client that is authenticating the user. |
| NAS-Port-Type | This Attribute indicates the type of the physical port of the RADIUS client that is authenticating the user. |

Go through the following link for more details.

Additional attributes
An Access-Request MAY contain additional attributes as a hint to the server, but the server is not required to honor the hint.
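
The field layout and the MUST rules from the attribute table can be checked mechanically. The following Python sketch is an added example, not code from the original post: it parses an Access-Request and reports which of those rules a packet violates. The attribute type numbers, the 2-octet Length field and the 20-octet header size come from RFC 2865 rather than from this page, and the function names and sample packet are constructed for illustration.

```python
import struct

# Attribute type numbers from RFC 2865 (the page gives only the names).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
STATE, NAS_IDENTIFIER = 24, 32

def parse_access_request(packet):
    """Return (identifier, authenticator, attrs); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError(f"Code is {code}, an Access-Request requires 1")
    if not 20 <= length <= min(len(packet), 4096):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:  # octets past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return identifier, packet[4:20], attrs

def check_must_rules(attrs):
    """Return the MUST rules from the attribute table that are violated."""
    types = [t for t, _ in attrs]
    problems = []
    if NAS_IP_ADDRESS not in types and NAS_IDENTIFIER not in types:
        problems.append("missing NAS-IP-Address or NAS-Identifier")
    if not {USER_PASSWORD, CHAP_PASSWORD, STATE} & set(types):
        problems.append("missing User-Password, CHAP-Password or State")
    if types.count(STATE) > 1:
        problems.append("more than one State attribute")
    return problems

def build(attrs, identifier=7):
    """Build a constructed sample packet (hypothetical helper for the demo)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # All-zero authenticator keeps the sample reproducible; real clients use 16 random octets.
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body

# Constructed sample: User-Name "alice", a 16-octet hidden password, NAS-IP 192.0.2.10.
SAMPLE = build([(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16)),
                (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
if __name__ == "__main__":
    print(check_must_rules(parse_access_request(SAMPLE)[2]))
```
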

