operation.texi

gnu 的radius服务器很好用的

@c This is part of the GNU Radius manual.
@c Copyright (C) 2003 Free Software Foundation
@c See file radius.texi for copying conditions.
@comment *******************************************************************
@node Operation, Invocation, Naming Conventions, Top
@chapter How Radius Operates
@cindex @sc{nas}
@cindex Network Access Server

The main purpose of GNU Radius is to centralize authentication of
users coming from various network stations, pursuant to the @RADIUS{}
specification. Its primary usage is for dial-in users, though it can
be used for any kind of network connection.  

@menu
* Attributes::                  Attributes.
* Requests::                    @RADIUS{} requests.
* Matching Rule::               Rules for request processing.
* Request processing::          How GNU Radius processes incoming requests.
@end menu

@comment *L2****************************************************************
@node Attributes
@section Attributes
@cindex Attribute
@cindex Attribute-value pair
@cindex A/V pair
@cindex Additivity of an attribute
@cindex Propagation of an attribute
@cindex Properties of an attribute

Information carried by @RADIUS{} requests is stored as a list of
@dfn{attribute-value pairs}. Each pair consists of an @dfn{attribute
number} and an @dfn{attribute value}. The @dfn{attribute number} identifies
the type of information the pair carries, and the @dfn{attribute value}
keeps the actual data.

The value part of an attribute can contain data of one of the
following types:

@table @asis
@item Integer
A 32-bit unsigned integer value.
@item IP-number
An IPv4 IP-number.
@item String
A character string up to 253 characters long.
@end table

For convenience, the attributes and the values of some frequently used
integer attributes are given symbolic names. These names are assigned to
attributes and values in the dictionary file (@pxref{dictionary file}).

Attribute numbers range from 1 to 255. Attributes with numbers
greater than 255 are used internally by the server and cannot be sent to
the @NAS{}.

The @dfn{vendor-specific} attribute number 26 is special, allowing
vendors of the @NAS{} hardware or software to support their own extended
attributes. @ref{Vendor-Specific, vendor-specific attribute}.

Each attribute has a set of properties associated with it. The
properties are:

@table @dfn
@item Usage flags
These flags determine the usage of the attribute in the configuration
files @file{huntgroups}, @file{hints}, and @file{users}.
@item Propagation
When a @RADIUS{} server functions in proxy mode, it uses the @dfn{propagation
flag} to determine which attributes from the reply packet should be passed
back to the requesting @NAS{} (@pxref{Proxy Service}).
@item additivity
Some configuration rules may cause the addition of new @AVP{}s to the
incoming request. Before the addition of a new pair, @radiusd{}
scans the request to see if it already contains a pair with the same
attribute. If it does, the value of the @dfn{additivity} determines the
following additional actions:
@table @asis
@item None
The old pair is retained in the request; the new pair is not added to
it.
@item Replace
The old pair is retained in the request, but its value is replaced with
that of the new pair.
@item Append
The new pair is appended to the end of the pair list.
@end table
@end table

Attributes are declared in the @file{raddb/dictionary} file. For a
detailed description, see @ref{ATTRIBUTE}.
For information about particular attributes, see @ref{Attribute List}.

@comment *L2****************************************************************
@node Requests
@section @RADIUS{} Requests
@cindex Request

The term @dfn{request} refers to both the authentication/accounting
request packet from a @NAS{} to a @RADIUS{} server and the response
packet that the server sends back to the @NAS{}.

Each request contains the following fields:

@table @samp

@item Code
The code field identifies the type of the request. 

@item Identifier
The number in the range 0--255 used to match the request with the reply.

@item Length
The length of the request packet.

@item Authenticator
The 16-byte hash value used to authenticate the packet.

@item Attributes

The list of attribute-value pairs carrying actual information about the
request. 

@end table

@menu
* Authentication Requests::
* Accounting Requests::
@end menu

@comment **L3***************************************************************
@node Authentication Requests
@subsection Authentication Requests
@cindex Authentication requests
@cindex Requests, authentication

A @NAS{} sends authentication requests (packets with code field set to
Access-Request) to a @RADIUS{} server when a user is trying to connect
to that @NAS{}. Such requests convey information used to determine
whether a user is allowed access to the @NAS{}, and whether any
special services are requested for that user.

An Access-Request must contain a @attr{User-Name} attribute
@ref{User-Name}. This packet should contain a @attr{NAS-IP-Address}
attribute, a @attr{NAS-Identifier} attribute, or both.  It
also must contain either a @attr{User-Password} attribute or a
@attr{CHAP-Password} attribute. These attributes are passed after
being encoded
using a method based on the RSA Message Digest Algorithm MD5.

The Access-Request should contain a @attr{NAS-Port} or @attr{NAS-Port-Type}
attribute or both, unless the type of access being requested does
not involve a port or the @NAS{} does not distinguish among its
ports.

Upon receiving an Access-Request packet for a particular user and
authenticating that user, the @RADIUS{} server replies to the @NAS{} that
has sent the packet with any one of the following packets:

@itemize @bullet
@item Access-Accept
@item Access-Reject
@item Access-Challenge
@end itemize

GNU Radius replies with an Access-Accept packet when it has successfully
authenticated the user. Such a reply packet provides the
configuration information necessary to begin delivery of service to
the user.

GNU Radius replies with an Access-Reject packet when it is unable to
authenticate the user. Such a packet may contain a descriptive text
encapsulated in one or more @attr{Reply-Message} attributes.  The
@NAS{} may display this text along with its response to the user.

GNU Radius replies with an Access-Challenge packet when it needs to
obtain more information from the user in order to determine the user's
authenticity or to determine the kind of service to be provided to the
user.

An Access-Challenge packet may include one or more
@attr{Reply-Message} attributes, and it may or may not include a
single @attr{State} attribute. No other attributes are permitted in an
Access-Challenge packet.

Upon receipt of an Access-Challenge, the Identifier field is matched
with a pending Access-Request. Additionally, the Response
Authenticator field must contain the correct response for the pending
Access-Request.  In the event of an invalid packet, GNU Radius
discards the offending packet and issues the appropriate log message.

If the @NAS{} does not support challenge/response, it treats an
Access-Challenge as though it had received an Access-Reject instead.
Otherwise, upon receipt of a valid Access-Challenge the @NAS{} prompts
the user for a response, possibly displaying the text message provided
in the @attr{Reply-Message} attributes of the request. It then sends its
original Access-Request with a new request @sc{id} and request
authenticator, along with the @attr{User-Password} attribute replaced
by the encrypted user's response, and including the @attr{State}
attribute from the Access-Challenge, if any.

@comment **L3***************************************************************
@node Accounting Requests
@subsection Accounting Requests
@cindex Accounting requests
@cindex Requests, accounting

Accounting-Request packets are sent from a @NAS{} to a @RADIUS{}
server to allow for accounting of a service provided to a user.

Upon receipt of an Accounting-Request packet, the server attempts to record
it (@pxref{Accounting}), and if it succeeds in doing
so, it replies with an Accounting-Response packet. Otherwise, it sends
no reply, which then causes the @NAS{} to retransmit its request
within a preconfigured interval of time. Such retransmits will
continue until either the server responds with an Accounting-Response
packet or a preconfigured number of retransmits is reached, whichever
occurs first.

Any attribute valid in an Access-Request or Access-Accept packet is
also valid in an Accounting-Request packet, except the following
attributes, which are never present in any Accounting-Request packet:

@itemize @bullet
@item @attr{User-Password}
@item @attr{CHAP-Password}
@item @attr{Reply-Message}
@item @attr{State}
@end itemize

Either a @attr{NAS-IP-Address} or a @attr{NAS-Identifier} must be
present in an Accounting-Request packet.  It should contain either a
@attr{NAS-Port} or a @attr{NAS-Port-Type} attribute (or both),
unless the service does not involve a port or the @NAS{}
does not distinguish among its ports.

If the Accounting-Request packet includes a @attr{Framed-IP-Address},
that attribute @emph{must} contain the actual IP of the user.

There are five types of accounting packets, differentiated by the
value of the @attr{Acct-Status-Type} attribute. These are:

@table @dfn
@item Session Start Packet
The session start packet is sent after the user has successfully
passed the authentication and has started to receive the requested
service. It must contain at least following attributes:

@itemize @bullet
@item @attr{Acct-Status-Type = Start}
@item @attr{User-Name}
@item @attr{Acct-Session-Id}
@item @attr{NAS-IP-Address}
@item @attr{NAS-Port-Id}
@end itemize

@item Session Stop Packet
The session stop packet is sent after the user has disconnected. It
conveys the information about the duration of the session, number of
octets transferred, etc. It must contain at least the following
attributes:

@itemize @bullet
@item @attr{Acct-Status-Type = Stop}
@item @attr{User-Name}
@item @attr{NAS-IP-Address}
@item @attr{Acct-Session-Id}
@end itemize

The last three of them are used to find the corresponding session
start packet.

@item Keepalive Packet
The keepalive packet is sent by the @NAS{} when it obtains some new
information about the user's session, e.g. it has determined its IP
or has changed the connection speed. The packet must contain at
least the following attributes:

@itemize @bullet
@item @attr{Acct-Status-Type = Alive}
@item @attr{User-Name}
@item @attr{NAS-IP-Address}
@item @attr{Acct-Session-Id}
@end itemize

@item Accounting-Off Packet
By sending this packet, the @NAS{} requests that @radiusd{} mark all
sessions registered from this particular @NAS{} as finished. Receiving
this packet usually means that the @NAS{} is to be shut down, or is
about to change its configuration in a way that requires all currently
opened sessions to be closed. The packet must contain at least the
following attributes:

@itemize @bullet
@item @attr{Acct-Status-Type = Accounting-Off}
@item @attr{NAS-IP-Address}
@end itemize

@item Accounting-On Packet
By sending this packet, the @NAS{} informs @radiusd{} that it is ready
to accept the incoming connections. Usually this packet is sent after
startup, or after a major reconfiguration of the @NAS{}. It must
contain at least the following attributes:

@itemize @bullet
@item @attr{Acct-Status-Type = Accounting-On}
@item @attr{NAS-IP-Address}
@end itemize
@end table

@comment *L2****************************************************************
@node Matching Rule
@section Matching Rule
@cindex Matching Rule
@cindex Label, Matching Rule
@cindex LHS, Matching Rule
@cindex RHS, Matching Rule

A record in the GNU Radius database describing a particular rule for
matching an incoming request is called a @dfn{matching rule}. Each
such rule defines an action to be taken when the match occurs.

The matching rule consists of three distinct parts:

@table @dfn
@item Label
This is used to identify the rule. The special usernames
@code{DEFAULT} and @code{BEGIN} are reserved. These will be described