📄 rfc4590.txt
         authenticate. In Access-Challenge packets, the RADIUS server puts the expected realm value into this attribute.

3.3.  Digest-Nonce Attribute

   Description
         This attribute holds a nonce to be used in the HTTP Digest calculation. If the Access-Request had a Digest-Method and a Digest-URI but no Digest-Nonce attribute, the RADIUS server MUST put a Digest-Nonce attribute into its Access-Challenge packet. This attribute MUST only be used in Access-Request and Access-Challenge packets.
   Type
         105 for Digest-Nonce
   Length
         >=3
   Text
         In Access-Requests, the RADIUS client takes the value of the nonce directive (nonce-value in [RFC2617]) without surrounding quotes from the HTTP-style request it wants to authenticate. In Access-Challenge packets, the attribute contains the nonce selected by the RADIUS server.

Sterman, et al.             Standards Track                    [Page 13]
RFC 4590              RADIUS Digest Authentication             July 2006

3.4.  Digest-Response-Auth Attribute

   Description
         This attribute enables the RADIUS server to prove possession of the password. If the previously received Digest-Qop attribute was 'auth-int' (without surrounding quotes), the RADIUS server MUST send a Digest-HA1 attribute instead of a Digest-Response-Auth attribute. The Digest-Response-Auth attribute MUST only be used in Access-Accept packets. The RADIUS client puts the attribute value without surrounding quotes into the rspauth directive of the Authentication-Info header.
   Type
         106 for Digest-Response-Auth.
   Length
         >= 3
   Text
         The RADIUS server calculates a digest according to section 3.2.3 of [RFC2617] and copies the result into this attribute. Digest algorithms other than the one defined in [RFC2617] MAY define digest lengths other than 32.

3.5.  Digest-Nextnonce Attribute

   This attribute holds a nonce to be used in the HTTP Digest calculation.

   Description
         The RADIUS server MAY put a Digest-Nextnonce attribute into an Access-Accept packet. If this attribute is present, the RADIUS client MUST put the contents of this attribute into the nextnonce directive of an Authentication-Info header in its HTTP-style response. This attribute MUST only be used in Access-Accept packets.
   Type
         107 for Digest-Nextnonce
   Length
         >=3
   Text
         It is recommended that this text be base64 or hexadecimal data.

3.6.  Digest-Method Attribute

   Description
         This attribute holds the method value to be used in the HTTP Digest calculation. This attribute MUST only be used in Access-Request packets.
   Type
         108 for Digest-Method
   Length
         >=3
   Text
         In Access-Requests, the RADIUS client takes the value of the request method from the HTTP-style request it wants to authenticate.

3.7.  Digest-URI Attribute

   Description
         This attribute is used to transport the contents of the digest-uri directive or the URI of the HTTP-style request. It MUST only be used in Access-Request packets.
   Type
         109 for Digest-URI
   Length
         >=3
   Text
         If the HTTP-style request has an Authorization header, the RADIUS client puts the value of the "uri" directive found in the HTTP-style request Authorization header (known as "digest-uri-value" in section 3.2.2 of [RFC2617]) without surrounding quotes into this attribute. If there is no Authorization header, the RADIUS client takes the value of the request URI from the HTTP-style request it wants to authenticate.

3.8.  Digest-Qop Attribute

   Description
         This attribute holds the Quality of Protection parameter that influences the HTTP Digest calculation. This attribute MUST only be used in Access-Request and Access-Challenge packets. A RADIUS client SHOULD insert one of the Digest-Qop attributes it has received in a previous Access-Challenge packet. RADIUS servers SHOULD insert at least one Digest-Qop attribute in an Access-Challenge packet. Digest-Qop is optional in order to preserve backward compatibility with a minimal implementation of [RFC2069].
   Type
         110 for Digest-Qop
   Length
         >=3
   Text
         In Access-Requests, the RADIUS client takes the value of the qop directive (qop-value as described in [RFC2617]) from the HTTP-style request it wants to authenticate. In Access-Challenge packets, the RADIUS server puts a desired qop-value into this attribute. If the RADIUS server supports more than one "quality of protection" value, it puts each qop-value into a separate Digest-Qop attribute.

3.9.  Digest-Algorithm Attribute

   Description
         This attribute holds the algorithm parameter that influences the HTTP Digest calculation. It MUST only be used in Access-Request and Access-Challenge packets. If this attribute is missing, MD5 is assumed.
   Type
         111 for Digest-Algorithm
   Length
         >=3
   Text
         In Access-Requests, the RADIUS client takes the value of the algorithm directive (as described in [RFC2617], section 3.2.1) from the HTTP-style request it wants to authenticate. In Access-Challenge packets, the RADIUS server SHOULD put the desired algorithm into this attribute.

3.10.  Digest-Entity-Body-Hash Attribute

   Description
         When using the qop-level 'auth-int', a hash of the HTTP-style message body's contents is required for digest calculation. Instead of sending the complete body of the message, only its hash value is sent. This hash value can be used directly in the digest calculation.

         The clarifications described in section 22.4 of [RFC3261] about the hash of empty entity bodies apply to the Digest-Entity-Body-Hash attribute. This attribute MUST only be sent in Access-Request packets.
   Type
         112 for Digest-Entity-Body-Hash
   Length
         >=3
   Text
         The attribute holds the hexadecimal representation of H(entity-body). This hash is required by certain authentication mechanisms, such as HTTP Digest with quality of protection set to "auth-int". RADIUS clients MUST use this attribute to transport the hash of the entity body when HTTP Digest is the authentication mechanism and the RADIUS server requires that the integrity of the entity body (e.g., qop parameter set to "auth-int") be verified. Extensions to this document may define support for authentication mechanisms other than HTTP Digest.

3.11.  Digest-CNonce Attribute

   Description
         This attribute holds the client nonce parameter that is used in the HTTP Digest calculation. It MUST only be used in Access-Request packets.
   Type
         113 for Digest-CNonce
   Length
         >=3
   Text
         This attribute includes the value of the cnonce-value [RFC2617] without surrounding quotes, taken from the HTTP-style request.

3.12.  Digest-Nonce-Count Attribute

   Description
         This attribute includes the nonce count parameter that is used to detect replay attacks. The attribute MUST only be used in Access-Request packets.
   Type
         114 for Digest-Nonce-Count
   Length
         10
   Text
         In Access-Requests, the RADIUS client takes the value of the nc directive (nc-value according to [RFC2617]) without surrounding quotes from the HTTP-style request it wants to authenticate.

3.13.  Digest-Username Attribute

   Description
         This attribute holds the user name used in the HTTP Digest calculation. The RADIUS server MUST use this attribute only for the purposes of calculating the digest. In order to determine the appropriate user credentials, the RADIUS server MUST use the User-Name (1) attribute, and MUST NOT use the Digest-Username attribute. This attribute MUST only be used in Access-Request packets.
   Type
         115 for Digest-Username
   Length
         >= 3
   Text
         In Access-Requests, the RADIUS client takes the value of the username directive (username-value according to [RFC2617]) without surrounding quotes from the HTTP-style request it wants to authenticate.

3.14.  Digest-Opaque Attribute

   Description
         This attribute holds the opaque parameter that is passed to the HTTP-style client. The HTTP-style client will pass this value back to the server (i.e., the RADIUS client) without modification. This attribute MUST only be used in Access-Request and Access-Challenge packets.
   Type
         116 for Digest-Opaque
   Length
         >=3
   Text
         In Access-Requests, the RADIUS client takes the value of the opaque directive (opaque-value according to [RFC2617]) without surrounding quotes from the HTTP-style request it wants to authenticate and puts it into this attribute. In Access-Challenge packets, the RADIUS server MAY include this attribute.

3.15.  Digest-Auth-Param Attribute

   Description
         This attribute is a placeholder for future extensions and corresponds to the "auth-param" parameter defined in section 3.2.1 of [RFC2617]. The Digest-Auth-Param is the mechanism whereby the RADIUS client and RADIUS server can exchange auth-param extension parameters contained within Digest headers that are not understood by the RADIUS client and for which there are no corresponding stand-alone attributes.

         Unlike the previously listed Digest-* attributes, the Digest-Auth-Param contains not only the value but also the parameter name, since the parameter name is unknown to the RADIUS client. If the Digest header contains several unknown parameters, then the RADIUS implementation MUST repeat this attribute and each instance MUST contain one different unknown Digest parameter/value combination. This attribute MUST ONLY be used in Access-Request, Access-Challenge, or Access-Accept packets.
   Type
         117 for Digest-Auth-Param
   Length
         >=3
   Text
         The text consists of the whole parameter, including its name and the equal sign ('=') and quotes.

3.16.  Digest-AKA-Auts Attribute

   Description
         This attribute holds the auts parameter that is used in the Digest AKA ([RFC3310]) calculation. It is only used if the algorithm of the digest-response denotes a version of AKA Digest [RFC3310]. This attribute MUST only be used in Access-Request packets.
   Type
         118 for Digest-AKA-Auts
   Length
         >=3
   Text
         In Access-Requests, the RADIUS client takes the value of the auts directive (auts-param according to section 3.4 of [RFC3310]) without surrounding quotes from the HTTP-style request it wants to authenticate.

3.17.  Digest-Domain Attribute

   Description
         When a RADIUS client has asked for a nonce, the RADIUS server MAY send one or more Digest-Domain attributes in its Access-Challenge packet. The RADIUS client puts them into the quoted, space-separated list of URIs of the 'domain' directive of a WWW-Authenticate header. Together with Digest-Realm, the URIs in the list define the protection space (see [RFC2617], section 3.2.1) for some HTTP-style protocols. This attribute MUST only be used in Access-Challenge packets.
   Type
         119 for Digest-Domain
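
The "MUST only be used in ..." and Length rules of sections 3.3 to 3.17 can be checked mechanically on received packets. The following is an added example, not part of the RFC text: the function names are hypothetical, the packet codes and the type/length/value layout are those of RADIUS (RFC 2865), and Digest-Realm is left out because its placement rule is not on this page.

```python
REQ, ACC, CHAL = 1, 2, 11  # Access-Request, Access-Accept, Access-Challenge (RFC 2865)

# attribute type -> (name, packet codes in which sections 3.3-3.17 allow it)
RULES = {
    105: ("Digest-Nonce", {REQ, CHAL}),
    106: ("Digest-Response-Auth", {ACC}),
    107: ("Digest-Nextnonce", {ACC}),
    108: ("Digest-Method", {REQ}),
    109: ("Digest-URI", {REQ}),
    110: ("Digest-Qop", {REQ, CHAL}),
    111: ("Digest-Algorithm", {REQ, CHAL}),
    112: ("Digest-Entity-Body-Hash", {REQ}),
    113: ("Digest-CNonce", {REQ}),
    114: ("Digest-Nonce-Count", {REQ}),
    115: ("Digest-Username", {REQ}),
    116: ("Digest-Opaque", {REQ, CHAL}),
    117: ("Digest-Auth-Param", {REQ, CHAL, ACC}),
    118: ("Digest-AKA-Auts", {REQ}),
    119: ("Digest-Domain", {CHAL}),
}

def encode_attr(attr_type, text):
    """Build one attribute: type octet, length octet (header included), text."""
    value = text.encode("ascii")
    return bytes([attr_type, len(value) + 2]) + value

def check_digest_attrs(code, attrs):
    """Walk the attribute bytes of one packet and return a list of violations."""
    problems, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return problems + ["truncated attribute header at offset %d" % pos]
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return problems + ["bad length %d at offset %d" % (length, pos)]
        if attr_type in RULES:
            name, allowed = RULES[attr_type]
            if code not in allowed:
                problems.append("%s not allowed in packet code %d" % (name, code))
            if length < 3:
                problems.append("%s has empty text" % name)
            if attr_type == 114 and length != 10:
                problems.append("Digest-Nonce-Count length %d, expected 10" % length)
        pos += length
    return problems

# Constructed sample: an Access-Accept that wrongly carries request-only attributes.
SAMPLE_ACCEPT = encode_attr(106, "0" * 32) + encode_attr(108, "INVITE") + encode_attr(114, "1")
SAMPLE_PROBLEMS = check_digest_attrs(ACC, SAMPLE_ACCEPT)
```

Attribute types outside 105 to 119 are skipped, so the check can run over the complete attribute section of a packet.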
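
Section 3.4 has the RADIUS server compute the rspauth value "according to section 3.2.3 of [RFC2617]", or send Digest-HA1 instead when the qop was 'auth-int'. The following added example (not part of the RFC text; function names are hypothetical, MD5 is assumed as in section 3.9) shows that calculation next to the request digest, using the sample values from the worked example in RFC 2617, section 3.5.

```python
import hashlib

def H(text):
    """MD5 hex digest, the algorithm assumed when Digest-Algorithm is missing."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest(ha1, nonce, nc, cnonce, qop, a2):
    """KD(H(A1), ...) of RFC 2617; without a qop this is the RFC 2069 form."""
    if qop:
        return H(":".join([ha1, nonce, nc, cnonce, qop, H(a2)]))
    return H(":".join([ha1, nonce, H(a2)]))

def request_digest(ha1, method, uri, nonce, nc="", cnonce="", qop=""):
    """Value the HTTP-style client sends in its 'response' directive (qop auth or none)."""
    return digest(ha1, nonce, nc, cnonce, qop, method + ":" + uri)

def accept_attribute(ha1, uri, nonce, nc="", cnonce="", qop=""):
    """Return (attribute name, text) for the Access-Accept, following section 3.4."""
    if qop == "auth-int":
        # Section 3.4: with auth-int the server sends Digest-HA1 instead.
        return ("Digest-HA1", ha1)
    # RFC 2617 section 3.2.3: same calculation, but A2 is ":" digest-uri-value.
    return ("Digest-Response-Auth", digest(ha1, nonce, nc, cnonce, qop, ":" + uri))

# Sample values from the worked example in RFC 2617, section 3.5.
HA1 = H("Mufasa:testrealm@host.com:Circle Of Life")
URI = "/dir/index.html"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

if __name__ == "__main__":
    print("response:", request_digest(HA1, "GET", URI, NONCE, NC, CNONCE, "auth"))
    print(accept_attribute(HA1, URI, NONCE, NC, CNONCE, "auth"))
```

Because the method part of A2 is empty in the rspauth calculation, the value differs from the client's own response and cannot be produced by echoing it back.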