   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-


   Code

      1 for Access-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions, the
      Identifier MUST remain unchanged.

   Request Authenticator

      The Request Authenticator value MUST be changed each time a new
      Identifier is used.





Rigney, et. al.              Informational                     [Page 13]

RFC 2058                         RADIUS                     January 1997


   Attributes

      The Attribute field is variable in length, and contains the list
      of Attributes that are required for the type of service, as well
      as any desired optional Attributes.

4.2.  Access-Accept

   Description

     Access-Accept packets are sent by the RADIUS server, and provide
     specific configuration information necessary to begin delivery of
     service to the user.  If all Attribute values received in an
     Access-Request are acceptable then the RADIUS implementation MUST
     transmit a packet with the Code field set to 2 (Access-Accept).  On
     reception of an Access-Accept, the Identifier field is matched with
     a pending Access-Request.  Additionally, the Response Authenticator
     field MUST contain the correct response for the pending Access-
     Request.  Invalid packets are silently discarded.

   A summary of the Access-Accept packet format is shown below.  The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Response Authenticator                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-


   Code

      2 for Access-Accept.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Access-Request which caused this Access-Accept.






   Response Authenticator

      The Response Authenticator value is calculated from the Access-
      Request value, as described earlier.

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

4.3.  Access-Reject

   Description

     If any value of the received Attributes is not acceptable, then the
     RADIUS server MUST transmit a packet with the Code field set to 3
     (Access-Reject).  It MAY include one or more Reply-Message
     Attributes with a text message which the NAS MAY display to the
     user.

   A summary of the Access-Reject packet format is shown below.  The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Response Authenticator                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-


   Code

      3 for Access-Reject.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Access-Request which caused this Access-Reject.






   Response Authenticator

      The Response Authenticator value is calculated from the Access-
      Request value, as described earlier.

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

4.4.  Access-Challenge

   Description

     If the RADIUS server desires to send the user a challenge requiring
     a response, then the RADIUS server MUST respond to the Access-
     Request by transmitting a packet with the Code field set to 11
     (Access-Challenge).

     The Attributes field MAY have one or more Reply-Message Attributes,
     and MAY have a single State Attribute, or none.  No other
     Attributes are permitted in an Access-Challenge.

     On receipt of an Access-Challenge, the Identifier field is matched
     with a pending Access-Request.  Additionally, the Response
     Authenticator field MUST contain the correct response for the
     pending Access-Request.  Invalid packets are silently discarded.

     If the NAS does not support challenge/response, it MUST treat an
     Access-Challenge as though it had received an Access-Reject
     instead.

     If the NAS supports challenge/response, receipt of a valid Access-
     Challenge indicates that a new Access-Request SHOULD be sent.  The
     NAS MAY display the text message, if any, to the user, and then
     prompt the user for a response.  It then sends its original
     Access-Request with a new request ID and Request Authenticator,
     with the User-Password Attribute replaced by the user's response
     (encrypted), and including the State Attribute from the Access-
     Challenge, if any.  Only 0 or 1 instances of the State Attribute
     can be present in an Access-Request.

     A NAS which supports PAP MAY forward the Reply-Message to the
     dialin client and accept a PAP response which it can use as though
     the user had entered the response.  If the NAS cannot do so, it
     should treat the Access-Challenge as though it had received an
     Access-Reject instead.




   A summary of the Access-Challenge packet format is shown below.  The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Response Authenticator                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      11 for Access-Challenge.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Access-Request which caused this Access-Challenge.

   Response Authenticator

      The Response Authenticator value is calculated from the Access-
      Request value, as described earlier.

   Attributes

      The Attributes field is variable in length, and contains a list of
      zero or more Attributes.
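
   The client-side checks that sections 4.2 to 4.4 require before a reply
   is acted on, as an added example that is not part of the RFC text.
   The authenticator formula and the handling of the packet Length field
   come from the earlier sections of the RFC that this text refers to;
   the `pending` table, the function names and the sample secret are
   assumptions of the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply packet (used here to make sample input)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs

def validate_reply(datagram, pending, secret):
    """Return (code, attribute_octets) for a valid reply, else None (discard).

    pending maps the Identifier of each outstanding Access-Request to its
    Request Authenticator (hypothetical table); a valid reply removes its entry.
    """
    if len(datagram) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return None
    if length < HEADER_LEN or length > len(datagram):
        return None  # datagram is shorter than its own Length field says
    request_auth = pending.get(ident)
    if request_auth is None:
        return None  # no pending Access-Request with this Identifier
    attrs = datagram[HEADER_LEN:length]  # octets past Length are padding
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, datagram[4:HEADER_LEN]):
        return None  # wrong shared secret, or packet altered in transit
    del pending[ident]  # a second copy of the same reply is now discarded
    return code, attrs

if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))  # constructed values
    reply = build_reply(ACCESS_ACCEPT, 42, bytes([18, 4]) + b"ok", req_auth, secret)
    print(validate_reply(reply, {42: req_auth}, secret))
    print(validate_reply(reply, {7: req_auth}, secret))
```

   A NAS that talks to more than one server would key the pending table
   by server address as well as Identifier.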

5.  Attributes

   RADIUS Attributes carry the specific authentication, authorization,
   information and configuration details for the request and reply.

   Some Attributes MAY be included more than once.  The effect of this
   is Attribute specific, and is specified in each Attribute
   description.

   The end of the list of Attributes is indicated by the Length of the
   RADIUS packet.





   A summary of the Attribute format is shown below.  The fields are
   transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type

      The Type field is one octet.  Up-to-date values of the RADIUS Type
      field are specified in the most recent "Assigned Numbers" RFC [3].
      Values 192-223 are reserved for experimental use, values 224-240
      are reserved for implementation-specific use, and values 241-255
      are reserved and should not be used.

      A RADIUS server MAY ignore Attributes with an unknown Type.

      A RADIUS client MAY ignore Attributes with an unknown Type.

      This specification concerns the following values:

          1      User-Name
          2      User-Password
          3      CHAP-Password
          4      NAS-IP-Address
          5      NAS-Port
          6      Service-Type
          7      Framed-Protocol
          8      Framed-IP-Address
          9      Framed-IP-Netmask
         10      Framed-Routing
         11      Filter-Id
         12      Framed-MTU
         13      Framed-Compression
         14      Login-IP-Host
         15      Login-Service
         16      Login-TCP-Port
         17      (unassigned)
         18      Reply-Message
         19      Callback-Number
         20      Callback-Id
         21      (unassigned)
         22      Framed-Route
         23      Framed-IPX-Network
         24      State
         25      Class
         26      Vendor-Specific
         27      Session-Timeout
         28      Idle-Timeout
         29      Termination-Action
         30      Called-Station-Id
         31      Calling-Station-Id
         32      NAS-Identifier
         33      Proxy-State
         34      Login-LAT-Service
         35      Login-LAT-Node
         36      Login-LAT-Group
         37      Framed-AppleTalk-Link
         38      Framed-AppleTalk-Network
         39      Framed-AppleTalk-Zone
         40-59   (reserved for accounting)
         60      CHAP-Challenge
         61      NAS-Port-Type
         62      Port-Limit
         63      Login-LAT-Port

   Length

     The Length field is one octet, and indicates the length of this
     Attribute including the Type, Length and Value fields.  If an
     Attribute is received in an Access-Request but with an invalid
     Length, an Access-Reject SHOULD be transmitted.  If an Attribute is
     received in an Access-Accept, Access-Reject or Access-Challenge
     packet with an invalid length, the packet MUST either be treated as
     an Access-Reject or else silently discarded.

   Value

     The Value field is zero or more octets and contains information
     specific to the Attribute.  The format and length of the Value
     field is determined by the Type and Length fields.

     Note that a "string" in RADIUS does not require termination by an
     ASCII NUL because the Attribute already has a length field.
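
     A parser for the Type/Length/Value layout above that rejects every
     invalid Attribute Length, together with the Access-Challenge
     attribute restriction from section 4.4; this is an added example,
     not part of the RFC text.  The function and exception names are
     assumptions of the example, and the sample octets in the usage
     note are constructed.

```python
REPLY_MESSAGE, STATE = 18, 24  # Type values from the table in section 5


class InvalidAttribute(ValueError):
    """An Attribute whose Length field cannot be honoured."""


def parse_attributes(attr_octets):
    """Split the Attributes field into a list of (type, value) pairs.

    attr_octets is everything after the 20-octet header, already cut to the
    packet Length, since that Length is what marks the end of the list.
    """
    attrs, offset, end = [], 0, len(attr_octets)
    while offset < end:
        if end - offset < 2:
            raise InvalidAttribute("no room for Type and Length at %d" % offset)
        attr_type, attr_len = attr_octets[offset], attr_octets[offset + 1]
        if attr_len < 2:
            # Length covers Type and Length themselves; 0 or 1 would also
            # stop the offset from advancing and loop forever.
            raise InvalidAttribute("Length %d < 2 at %d" % (attr_len, offset))
        if offset + attr_len > end:
            raise InvalidAttribute("Attribute at %d overruns the packet" % offset)
        # The value is raw octets: no NUL terminator is expected or stripped.
        attrs.append((attr_type, attr_octets[offset + 2:offset + attr_len]))
        offset += attr_len
    return attrs


def challenge_attributes_ok(attrs):
    """Access-Challenge: Reply-Message any number of times, State at most once."""
    types = [attr_type for attr_type, _ in attrs]
    if any(t not in (REPLY_MESSAGE, STATE) for t in types):
        return False
    return types.count(STATE) <= 1
```

     With the constructed input `bytes([18, 6]) + b"PIN?" + bytes([24, 4,
     0xAA, 0xBB])` the parser returns a Reply-Message and one State.  On
     InvalidAttribute a server answers an Access-Request with an
     Access-Reject, and a NAS treats the reply as an Access-Reject or
     discards it.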

     The format of the value field is one of four data types.
