The following figure shows the RADIUS packet format.

Code field

The Code field is 8 bits in size and identifies the type of RADIUS packet (Access-Request, Access-Accept, and so on). A packet received with an invalid Code field is silently ignored.
Code | Type of Packet
-----|-----------------------------
1    | Access-Request
2    | Access-Accept
3    | Access-Reject
4    | Accounting-Request
5    | Accounting-Response
11   | Access-Challenge
12   | Status-Server (experimental)
13   | Status-Client (experimental)
255  | Reserved
Identifier field

The Identifier field is 8 bits in size and is used to match requests with replies. The RADIUS server can detect a duplicate request if it arrives with the same client source IP address, source UDP port and Identifier within a short span of time.
Length field

The Length field is 16 bits in size. It specifies the length of the packet including the Code, Identifier, Length, Authenticator and Attribute fields. The minimum packet length is 20 and the maximum is 4096. If the packet is shorter than the Length field indicates, it is silently ignored. Data outside the range of the Length field must be treated as padding and ignored on reception.
Authenticator field

The Authenticator field is 16 octets in size. There are two categories of authenticators:
1. Request Authenticator
2. Response Authenticator

Request Authenticator

It is a 16-octet random number carried in Access-Request packets. It is used in the password-hiding algorithm.
How is the password hidden?

a. The RADIUS client and server share a secret.
b. A 16-octet digest value is created over the shared secret followed by the Request Authenticator (the 16-octet random number).
c. The digest value is XORed with the password provided by the user.
d. The XORed result is placed in the User-Password attribute in the Access-Request packet.
Response Authenticator

It is a 16-octet number carried in Access-Accept, Access-Reject and Access-Challenge packets. The Response Authenticator value is computed with the following logic:

ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)

where '+' denotes concatenation.
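The password-hiding steps a-d and the Response Authenticator formula above, worked through as an added Python example (not code from the original post). It assumes the 16-octet digest is MD5 as in RFC 2865 and, for passwords longer than 16 octets, extends the same construction to chained blocks the way the RFC does; the secret, Request Authenticator and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Steps a-d above (RFC 2865 section 5.2). Block 1 is MD5(secret + RequestAuth)
    XOR p1; each later block is keyed on the previous hidden block instead."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a 16-octet multiple
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse hide_password and strip the NUL padding."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")

def build_response(code: int, ident: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: apply the Length rules, then recompute the Response
    Authenticator over the received octets and compare it in constant time."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or len(packet) < length:
        return False  # shorter than Length says: silently discard
    body = packet[:length]  # octets beyond Length are padding and ignored
    expected = hashlib.md5(body[:4] + request_auth + body[20:] + secret).digest()
    return hmac.compare_digest(expected, body[4:20])
```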