Network Working Group
Request for Comments: 2865
Obsoletes: 2138
Category: Standards Track
C. Rigney, Livingston
S. Willens, Livingston
A. Rubens, Merit
W. Simpson, Daydreamer
June 2000
Remote Authentication Dial In User Service (RADIUS)
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
IESG Note:
This protocol is widely implemented and used. Experience has shown that it can suffer degraded performance and lost data when used in large scale systems, in part because it does not include provisions for congestion control. Readers of this document may find it beneficial to track the progress of the IETF's AAA working group, which may develop a successor protocol that better addresses the scaling and congestion control issues.
Abstract
This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server.
Implementation Note
This memo documents the RADIUS protocol. The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812.
Table of Contents
1. Introduction
   1.1 Specification of Requirements
   1.2 Terminology
2. Operation
   2.1 Challenge/Response
   2.2 Interoperation with PAP and CHAP
   2.3 Proxy
   2.4 Why UDP?
   2.5 Retransmission Hints
   2.6 Keep-Alives Considered Harmful
3. Packet Format
4. Packet Types
   4.1 Access-Request
   4.2 Access-Accept
   4.3 Access-Reject
   4.4 Access-Challenge
5. Attributes
   5.1 User-Name
   5.2 User-Password
   5.3 CHAP-Password
   5.4 NAS-IP-Address
   5.5 NAS-Port
   5.6 Service-Type
   5.7 Framed-Protocol
   5.8 Framed-IP-Address
   5.9 Framed-IP-Netmask
   5.10 Framed-Routing
   5.11 Filter-Id
   5.12 Framed-MTU
   5.13 Framed-Compression
   5.14 Login-IP-Host
   5.15 Login-Service
   5.16 Login-TCP-Port
   5.17 (unassigned)
   5.18 Reply-Message
   5.19 Callback-Number
   5.20 Callback-Id
   5.21 (unassigned)
   5.22 Framed-Route
   5.23 Framed-IPX-Network
   5.24 State
   5.25 Class
   5.26 Vendor-Specific
   5.27 Session-Timeout
   5.28 Idle-Timeout
   5.29 Termination-Action
   5.30 Called-Station-Id
   5.31 Calling-Station-Id
   5.32 NAS-Identifier
   5.33 Proxy-State
   5.34 Login-LAT-Service
   5.35 Login-LAT-Node
   5.36 Login-LAT-Group
   5.37 Framed-AppleTalk-Link
   5.38 Framed-AppleTalk-Network
   5.39 Framed-AppleTalk-Zone
   5.40 CHAP-Challenge
   5.41 NAS-Port-Type
   5.42 Port-Limit
   5.43 Login-LAT-Port
   5.44 Table of Attributes
6. IANA Considerations
   6.1 Definition of Terms
   6.2 Recommended Registration Policies
7. Examples
   7.1 User Telnet to Specified Host
   7.2 Framed User Authenticating with CHAP
   7.3 User with Challenge-Response card
8. Security Considerations
9. Change Log
10. References
11. Acknowledgements
12. Chair's Address
13. Authors' Addresses
14. Full Copyright Statement
1. Introduction

This document obsoletes RFC 2138 [1]. A summary of the changes between this document and RFC 2138 is available in the "Change Log" appendix.
Managing dispersed serial line and modem pools for large numbers of users can create the need for significant administrative support. Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This can be best achieved by managing a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin).
Key features of RADIUS are:
Client/Server Model
A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned.
RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Network Security
Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.
Flexible Authentication Mechanisms
The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
Extensible Protocol
All transactions are comprised of variable length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
1.1 Specification of Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [2]. These key words mean the same thing whether capitalized or not.
An implementation is not compliant if it fails to satisfy one or more of the must or must not requirements for the protocols it implements. An implementation that satisfies all the must, must not, should and should not requirements for its protocols is said to be "unconditionally compliant"; one that satisfies all the must and must not requirements but not all the should or should not requirements for its protocols is said to be "conditionally compliant".
A NAS that does not implement a given service MUST NOT implement the RADIUS attributes for that service. For example, a NAS that is unable to offer ARAP service MUST NOT implement the RADIUS attributes for ARAP. A NAS MUST treat a RADIUS access-accept authorizing an unavailable service as an access-reject instead.
1.2 Terminology

This document frequently uses the following terms:
service
    The NAS provides a service to the dial-in user, such as PPP or Telnet.
session
    Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that.
silently discard
    This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter.
2. Operation

When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be with a customizable login prompt, where the user is expected to enter their username and password. Alternatively, the user might use a link framing protocol such as the Point-to-Point Protocol (PPP), which has authentication packets which carry this information.
Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5 [3].
The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. Retry and fallback algorithms are the topic of current research and are not specified in detail in this document.
Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access.
The RADIUS server MAY make requests of other servers in order to satisfy the request, in which case it acts as a client.
If any Proxy-State attributes were present in the Access-Request, they MUST be copied unmodified and in order into the response packet. Other Attributes can be placed before, after, or even between the Proxy-State attributes.
If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server MAY include a text message in the Access-Reject which MAY be displayed by the client to the user. No other Attributes (except Proxy-State) are permitted in an Access-Reject.
If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It MAY include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute.
If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State Attribute SHOULD be present in a request. The server can respond to this new Access-Request with either an Access-Accept, an Access-Reject, or another Access-Challenge.
If all conditions are met, the list of configuration values for the user are placed into an "Access-Accept" response. These values include the type of service (for example: SLIP, PPP, Login User) and all necessary values to deliver the desired service. For SLIP and PPP, this may include values such as IP address, subnet mask, MTU, desired compression, and desired packet filter identifiers. For character mode users, this may include values such as desired protocol and host.
2.1 Challenge/Response

In challenge/response authentication, the user is given an unpredictable number and challenged to encrypt it and give back the result. Authorized users are equipped with special devices such as smart cards or software that facilitate calculation of the correct response with ease. Unauthorized users, lacking the appropriate device or software and lacking knowledge of the secret key necessary to emulate such a device or software, can only guess at the response.
The Access-Challenge packet typically contains a Reply-Message including a challenge to be displayed to the user, such as a numeric value unlikely ever to be repeated. Typically this is obtained from an external server that knows what type of authenticator is in the possession of the authorized user and can therefore choose a random or non-repeating pseudorandom number of an appropriate radix and length.
The user then enters the challenge into his device (or software) and it calculates a response, which the user enters into the client which forwards it to the RADIUS server via a second Access-Request. If the response matches the expected response the RADIUS server replies with an Access-Accept, otherwise an Access-Reject.
Example: The NAS sends an Access-Request packet to the RADIUS Server with NAS-Identifier, NAS-Port, User-Name, User-Password (which may just be a fixed string like "challenge" or ignored). The server sends back an Access-Challenge packet with State and a Reply-Message along the lines of "Challenge 12345678, enter your response at the prompt" which the NAS displays. The NAS prompts for the response and sends a NEW Access-Request to the server (with a new ID) with NAS-Identifier, NAS-Port, User-Name, User-Password (the response just entered by the user, encrypted), and the same State Attribute that came with the Access-Challenge. The server then sends back either an Access-Accept or Access-Reject based on whether the response matches the required value, or it can even send another Access-Challenge.
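The exchange above, as an added example that is not part of the RFC: a simulated server that issues an Access-Challenge carrying a Reply-Message and an opaque State, then checks the second Access-Request. It assumes the packet layer has already un-hidden User-Password, and `token_response` is a constructed stand-in for the user's device.

```python
import hmac
import secrets

# Attribute type numbers and packet codes from RFC 2865 (sections 4 and 5).
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11


def token_response(token_secret: bytes, challenge: str) -> str:
    """Stand-in for the user's challenge/response device (assumption: HMAC-MD5
    truncated to 8 hex digits; real tokens use their own scheme)."""
    return hmac.new(token_secret, challenge.encode(), "md5").hexdigest()[:8]


class ChallengeResponseServer:
    """Server side of the section 2.1 exchange. Assumption: User-Password
    arrives already un-hidden, i.e. as the cleartext the user typed."""

    def __init__(self, token_secrets: dict):
        self.token_secrets = token_secrets  # user name -> token secret (constructed data)
        self.outstanding = {}               # State value -> (user name, challenge)

    def handle(self, attrs: list) -> tuple:
        """Takes Access-Request attributes as (type, value) pairs; returns
        (packet code, reply attributes)."""
        names = [v for t, v in attrs if t == USER_NAME]
        states = [v for t, v in attrs if t == STATE]
        if len(names) != 1 or len(states) > 1:   # 0 or 1 State instances SHOULD be present
            return ACCESS_REJECT, []
        user = names[0].decode(errors="replace")
        if user not in self.token_secrets:
            return ACCESS_REJECT, []
        if not states:
            # First request: User-Password is ignored; issue an unpredictable
            # challenge plus an opaque State that ties the follow-up to it.
            challenge = f"{secrets.randbelow(10**8):08d}"
            state = secrets.token_bytes(16)
            self.outstanding[state] = (user, challenge)
            prompt = f"Challenge {challenge}, enter your response at the prompt".encode()
            return ACCESS_CHALLENGE, [(REPLY_MESSAGE, prompt), (STATE, state)]
        # Second request: State must match a challenge issued for this user.
        # It is consumed here, so a wrong answer or a replay needs a new challenge.
        entry = self.outstanding.pop(states[0], None)
        if entry is None or entry[0] != user:
            return ACCESS_REJECT, [(REPLY_MESSAGE, b"Unknown or expired challenge")]
        responses = [v for t, v in attrs if t == USER_PASSWORD]
        expected = token_response(self.token_secrets[user], entry[1]).encode()
        if len(responses) == 1 and hmac.compare_digest(responses[0], expected):
            return ACCESS_ACCEPT, []
        return ACCESS_REJECT, [(REPLY_MESSAGE, b"Response did not match")]


def challenge_from_prompt(reply_message: bytes) -> str:
    """NAS/user side of the demo: pulls the number out of
    'Challenge 12345678, enter your response at the prompt'."""
    return reply_message.decode().split()[1].rstrip(",")
```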
2.2 Interoperation with PAP and CHAP

For PAP, the NAS takes the PAP ID and password and sends them in an Access-Request packet as the User-Name and User-Password. The NAS MAY include the Attributes Service-Type = Framed-User and Framed-Protocol = PPP as a hint to the RADIUS server that PPP service is expected.
For CHAP, the NAS generates a random challenge (preferably 16 octets) and sends it to the user, who returns a CHAP response along with a CHAP ID and CHAP username. The NAS then sends an Access-Request packet to the RADIUS server with the CHAP username as the User-Name and with the CHAP ID and CHAP response as the CHAP-Password (Attribute 3). The random challenge can either be included in the CHAP-Challenge attribute or, if it is 16 octets long, it can be placed in the Request Authenticator field of the Access-Request packet. The NAS MAY include the Attributes Service-Type = Framed-User and Framed-Protocol = PPP as a hint to the RADIUS server that PPP service is expected.
The RADIUS server looks up a password based on the User-Name, encrypts the challenge using MD5 on the CHAP ID octet, that password, and the CHAP challenge (from the CHAP-Challenge attribute if present, otherwise from the Request Authenticator), and compares that result to the CHAP-Password. If they match, the server sends back an Access-Accept, otherwise it sends back an Access-Reject.
If the RADIUS server is unable to perform the requested authentication it MUST return an Access-Reject. For example, CHAP requires that the user's password be available in cleartext to the server so that it can encrypt the CHAP challenge and compare that to the CHAP response. If the password is not available in cleartext to the RADIUS server then the server MUST send an Access-Reject to the client.
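The CHAP handling described above, as an added example (not code from the RFC): the NAS builds CHAP-Password and, when the challenge is not the 16-octet Request Authenticator, CHAP-Challenge; the server recomputes MD5(ID, password, challenge), takes the challenge from whichever place it was sent, and rejects when the password is not held in cleartext. The user database is constructed test data.

```python
import hashlib
import hmac

# Attribute type numbers and packet codes from RFC 2865.
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """The CHAP calculation both sides perform: MD5 over the CHAP ID octet,
    the cleartext password and the challenge, in that order."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_chap_attrs(user_name: bytes, chap_id: int, response: bytes,
                   challenge: bytes, request_authenticator: bytes) -> list:
    """NAS side. CHAP-Password is the CHAP ID octet followed by the 16-octet
    response. A 16-octet challenge that was used as the Request Authenticator
    needs no CHAP-Challenge attribute; any other challenge is sent explicitly."""
    attrs = [(USER_NAME, user_name), (CHAP_PASSWORD, bytes([chap_id]) + response)]
    if challenge != request_authenticator:
        attrs.append((CHAP_CHALLENGE, challenge))
    return attrs


def server_verify_chap(cleartext_passwords: dict, attrs: list,
                       request_authenticator: bytes) -> int:
    """RADIUS server side. cleartext_passwords maps user name -> cleartext
    password, or None when only a hash is stored; then CHAP cannot be
    verified and the server MUST return Access-Reject."""
    names = [v for t, v in attrs if t == USER_NAME]
    chap_pw = [v for t, v in attrs if t == CHAP_PASSWORD]
    if len(names) != 1 or len(chap_pw) != 1 or len(chap_pw[0]) != 17:
        return ACCESS_REJECT   # malformed: CHAP-Password is 1 ID octet + 16 response octets
    password = cleartext_passwords.get(names[0].decode(errors="replace"))
    if password is None:
        return ACCESS_REJECT   # unknown user, or password not available in cleartext
    chap_id, response = chap_pw[0][0], chap_pw[0][1:]
    challenges = [v for t, v in attrs if t == CHAP_CHALLENGE]
    challenge = challenges[0] if challenges else request_authenticator
    expected = chap_response(chap_id, password, challenge)
    # Constant-time comparison so timing does not reveal how many octets matched.
    return ACCESS_ACCEPT if hmac.compare_digest(expected, response) else ACCESS_REJECT
```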
2.3 Proxy

With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy. A common use for proxy RADIUS is roaming. Roaming permits two or more administrative entities to allow each other's users to dial in to either entity's network for service.
The NAS sends its RADIUS access-request to the "forwarding server" which forwards it to the "remote server". The remote server sends a response (Access-Accept, Access-Reject, or Access-Challenge) back to the forwarding server, which sends it back to the NAS. The User-Name attribute MAY contain a Network Access Identifier [8] for RADIUS Proxy operations. The choice of which server receives the forwarded request SHOULD be based on the authentication "realm". The authentication realm MAY be the realm part of a Network Access Identifier (a "named realm"). Alternatively, the choice of which server receives the forwarded request MAY be based on whatever other criteria the forwarding server is configured to use, such as Called-Station-Id (a "numbered realm").
A RADIUS server can function as both a forwarding server and a remote server, serving as a forwarding server for some realms and a remote server for other realms. One forwarding server can act as a forwarder for any number of remote servers. A remote server can have any number of servers forwarding to it and can provide authentication for any number of realms. One forwarding server can forward to another forwarding server to create a chain of proxies, although care must be taken to avoid introducing loops.
The following scenario illustrates a proxy RADIUS communication between a NAS and the forwarding and remote RADIUS servers:
1. A NAS sends its access-request to the forwarding server.
2. The forwarding server forwards the access-request to the remote server.
3. The remote server sends an access-accept, access-reject or access-challenge back to the forwarding server. For this example, an access-accept is sent.
4. The forwarding server sends the access-accept to the NAS.
The forwarding server MUST treat any Proxy-State attributes already in the packet as opaque data. Its operation MUST NOT depend on the content of Proxy-State attributes added by previous servers.
If there are any Proxy-State attributes in the request received from the client, the forwarding server MUST include those Proxy-State attributes in its reply to the client. The forwarding server MAY include the Proxy-State attributes in the access-request when it forwards the request, or MAY omit them in the forwarded request. If the forwarding server omits the Proxy-State attributes in the forwarded access-request, it MUST attach them to the response before sending it to the client.
We now examine each step in more detail.
1. A NAS sends its access-request to the forwarding server. The forwarding server decrypts the User-Password, if present, using the shared secret it knows for the NAS. If a CHAP-Password attribute is present in the packet and no CHAP-Challenge attribute is present, the forwarding server MUST leave the Request-Authenticator untouched or copy it to a CHAP-Challenge attribute.
The forwarding server MAY add one Proxy-State attribute to the packet. (It MUST NOT add more than one.) If it adds a Proxy-State, the Proxy-State MUST appear after any other Proxy-States in the packet. The forwarding server MUST NOT modify any other Proxy-States that were in the packet (it may choose not to forward them, but it MUST NOT change their contents). The forwarding server MUST NOT change the order of any attributes of the same type, including Proxy-State.
2. The forwarding server encrypts the User-Password, if present, using the secret it shares with the remote server, sets the Identifier as needed, and forwards the access-request to the remote server.
3. The remote server (if the final destination) verifies the user using User-Password, CHAP-Password, or such method as future extensions may dictate, and returns an access-accept, access-reject or access-challenge back to the forwarding server. For this example, an access-accept is sent. The remote server MUST copy all Proxy-State attributes (and only the Proxy-State attributes) in order from the access-request to the response packet, without modifying them.
4. The forwarding server verifies the Response Authenticator using the secret it shares with the remote server, and silently discards the packet if it fails verification. If the packet passes verification, the forwarding server removes the last Proxy-State (if it attached one), signs the Response Authenticator using the secret it shares with the NAS, restores the Identifier to match the one in the original request by the NAS, and sends the access-accept to the NAS.
A forwarding server MAY need to modify attributes to enforce local policy. Such policy is outside the scope of this document, with the following restrictions. A forwarding server MUST not modify existing Proxy-State, State, or Class attributes present in the packet.
Implementers of forwarding servers should consider carefully which values they are willing to accept for Service-Type. Careful consideration must be given to the effects of passing along Service-Types of NAS-Prompt or Administrative in a proxied Access-Accept, and implementers may wish to provide mechanisms to block those or other service types, or other attributes. Such mechanisms are outside the scope of this document.
A frequently asked question is why RADIUS uses UDP instead of TCP as a transport protocol. UDP was chosen for strictly technical reasons.
There are a number of issues which must be understood. RADIUS is a transaction based protocol which has several interesting characteristics:
1. If the request to a primary Authentication server fails, a secondary server must be queried.
To meet this requirement, a copy of the request must be kept above the transport layer to allow for alternate transmission. This means that retransmission timers are still required.
2. The timing requirements of this particular protocol are significantly different than TCP provides.
At one extreme, RADIUS does not require a "responsive" detection of lost data. The user is willing to wait several seconds for the authentication to complete. The generally aggressive TCP retransmission (based on average round trip time) is not required, nor is the acknowledgement overhead of TCP.
At the other extreme, the user is not willing to wait several minutes for authentication. Therefore the reliable delivery of TCP data two minutes later is not useful. The faster use of an alternate server allows the user to gain access before giving up.
3. The stateless nature of this protocol simplifies the use of UDP.
Clients and servers come and go. Systems are rebooted, or are power cycled independently. Generally this does not cause a problem and with creative timeouts and detection of lost TCP connections, code can be written to handle anomalous events. UDP however completely eliminates any of this special handling. Each client and server can open their UDP transport just once and leave it open through all types of failure events on the network.
4. UDP simplifies the server implementation.
In the earliest implementations of RADIUS, the server was single threaded. This means that a single request was received, processed, and returned. This was found to be unmanageable in environments where the back-end security mechanism took real time (1 or more seconds). The server request queue would fill and in environments where hundreds of people were being authenticated every minute, the request turn-around time increased to longer than users were willing to wait (this was especially severe when a specific lookup in a database or over DNS took 30 or more seconds). The obvious solution was to make the server multi-threaded. Achieving this was simple with UDP. Separate processes were spawned to serve each request and these processes could respond directly to the client NAS with a simple UDP packet to the original transport of the client.
It's not all a panacea. As noted, using UDP requires one thing which is built into TCP: with UDP we must artificially manage retransmission timers to the same server, although they don't require the same attention to timing provided by TCP. This one penalty is a small price to pay for the advantages of UDP in this protocol.
Without TCP we would still probably be using tin cans connected by string. But for this particular protocol, UDP is a better choice.
If the RADIUS server and alternate RADIUS server share the same shared secret, it is OK to retransmit the packet to the alternate RADIUS server with the same ID and Request Authenticator, because the content of the attributes haven't changed. If you want to use a new Request Authenticator when sending to the alternate server, you may.
If you change the contents of the User-Password attribute (or any other attribute), you need a new Request Authenticator and therefore a new ID.
If the NAS is retransmitting a RADIUS request to the same server as before, and the attributes haven't changed, you MUST use the same Request Authenticator, ID, and source port. If any attributes have changed, you MUST use a new Request Authenticator and ID.
A NAS MAY use the same ID across all servers, or MAY keep track of IDs separately for each server; it is up to the implementer. If a NAS needs more than 256 IDs for outstanding requests, it MAY use additional source ports to send requests from, and keep track of IDs for each source port. This allows up to 16 million or so outstanding requests at one time to a single server.
Some implementers have adopted the practice of sending test RADIUS requests to see if a server is alive. This practice is strongly discouraged, since it adds to load and harms scalability without providing any additional useful information. Since a RADIUS request is contained in a single datagram, in the time it would take you to send a ping you could just send the RADIUS request, and getting a reply tells you that the RADIUS server is up. If you do not have a RADIUS request to send, it does not matter if the server is up or not, because you are not using it.
If you want to monitor your RADIUS server, use SNMP. That's what SNMP is for.
Exactly one RADIUS packet is encapsulated in the UDP Data field [4], where the UDP Destination Port field indicates 1812 (decimal).
When a reply is generated, the source and destination ports are reversed.
This memo documents the RADIUS protocol. The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812.
A summary of the RADIUS data format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
The Code field is one octet, and identifies the type of RADIUS packet. When a packet is received with an invalid Code field, it is silently discarded.
RADIUS Codes (decimal) are assigned as follows:
       1       Access-Request
       2       Access-Accept
       3       Access-Reject
       4       Accounting-Request
       5       Accounting-Response
      11       Access-Challenge
      12       Status-Server (experimental)
      13       Status-Client (experimental)
     255       Reserved
Codes 4 and 5 are covered in the RADIUS Accounting document [5]. Codes 12 and 13 are reserved for possible use, but are not further mentioned here.
Identifier
The Identifier field is one octet, and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
Length
The Length field is two octets. It indicates the length of the packet including the Code, Identifier, Length, Authenticator and Attribute fields. Octets outside the range of the Length field MUST be treated as padding and ignored on reception. If the packet is shorter than the Length field indicates, it MUST be silently discarded. The minimum length is 20 and maximum length is 4096.
Authenticator
The Authenticator field is sixteen (16) octets. The most significant octet is transmitted first. This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm.
Request Authenticator
In Access-Request Packets, the Authenticator value is a 16 octet random number, called the Request Authenticator. The value SHOULD be unpredictable and unique over the lifetime of a secret (the password shared between the client and the RADIUS server), since repetition of a request value in conjunction with the same secret would permit an attacker to reply with a previously intercepted response. Since it is expected that the same secret MAY be used to authenticate with servers in disparate geographic regions, the Request Authenticator field SHOULD exhibit global and temporal uniqueness.
The Request Authenticator value in an Access-Request packet SHOULD also be unpredictable, lest an attacker trick a server into responding to a predicted future request, and then use the response to masquerade as that server to a future Access-Request.
Although protocols such as RADIUS are incapable of protecting against theft of an authenticated session via realtime active wiretapping attacks, generation of unique unpredictable requests can protect against a wide range of active attacks against authentication.
The NAS and RADIUS server share a secret. That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet. See the entry for User-Password in the section on Attributes for a more detailed description.
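As an added example (not RFC 2865 text), this Python hides a User-Password as described above, XORing it with MD5(secret + Request Authenticator), and goes beyond the single 16-octet block described here by chaining further blocks the way the full RFC 2865 User-Password algorithm does (NUL padding to a multiple of 16 octets, each later block keyed by MD5(secret + previous hidden block)). It also shows the forwarding-server step from the proxy procedure above: recover the password with the NAS secret and hide it again under the remote server's secret. Secrets, passwords and the Request Authenticator are constructed.

```python
"""Added example, not RFC 2865 text: User-Password hiding and proxy re-hiding.
Secrets, passwords and Request Authenticators below are constructed."""
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Return the User-Password attribute value: a multiple of 16 octets, at most 128
    (the 1..128 octet bound is the one RFC 2865 section 5.2 gives for the password)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets before padding")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    # Pad with NULs to a multiple of 16 octets; the receiver strips them afterwards.
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = request_auth                      # first block: b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], key)
        out += block
        prev = block                         # later blocks: b(n) = MD5(S + c(n-1))
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; raises on a malformed attribute length."""
    if len(hidden) == 0 or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 octets, multiple of 16")
    out = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], key)
        prev = hidden[i:i + 16]              # chain on the hidden block, not the plaintext
    # Padding NULs are removed; a password that itself ends in NUL cannot be distinguished.
    return out.rstrip(b"\x00")


def rehide_for_remote(hidden: bytes, nas_secret: bytes, remote_secret: bytes,
                      request_auth: bytes) -> bytes:
    """Forwarding-server step: decrypt with the secret shared with the NAS, then
    encrypt again with the secret shared with the remote server. The same Request
    Authenticator is reused here; a proxy that picks a new one must hide under that."""
    plain = reveal_password(hidden, nas_secret, request_auth)
    return hide_password(plain, remote_secret, request_auth)


def demo() -> bytes:
    """Round trip NAS -> forwarding server -> remote server with constructed values."""
    nas_secret, remote_secret = b"nas-secret-16-oct", b"remote-secret-xyz"
    request_auth = os.urandom(16)            # unpredictable, as the document requires
    from_nas = hide_password(b"correct horse battery staple", nas_secret, request_auth)
    forwarded = rehide_for_remote(from_nas, nas_secret, remote_secret, request_auth)
    return reveal_password(forwarded, remote_secret, request_auth)
```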
Response Authenticator
The value of the Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of: the RADIUS packet, beginning with the Code field, including the Identifier, the Length, the Request Authenticator field from the Access-Request packet, and the response Attributes, followed by the shared secret. That is, ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where + denotes concatenation.
Administrative Note
The secret (password shared between the client and the RADIUS server) SHOULD be at least as large and unguessable as a well-chosen password. It is preferred that the secret be at least 16 octets. This is to ensure a sufficiently large range for the secret to provide protection against exhaustive search attacks. The secret MUST NOT be empty (length 0) since this would allow packets to be trivially forged.
A RADIUS server MUST use the source IP address of the RADIUS UDP packet to decide which shared secret to use, so that RADIUS requests can be proxied.
When using a forwarding proxy, the proxy must be able to alter the packet as it passes through in each direction - when the proxy forwards the request, the proxy MAY add a Proxy-State Attribute, and when the proxy forwards a response, it MUST remove its Proxy-State Attribute if it added one. Proxy-State is always added or removed after any other Proxy-States, but no other assumptions regarding its location within the list of attributes can be made. Since Access-Accept and Access-Reject replies are authenticated on the entire packet contents, the stripping of the Proxy-State attribute invalidates the signature in the packet - so the proxy has to re-sign it.
Further details of RADIUS proxy implementation are outside the scope of this document.
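As an added example (not RFC 2865 text), the following Python builds RADIUS replies, computes the Response Authenticator defined above, and traces the forwarding-proxy case just described: once the proxy strips its Proxy-State and restores the NAS Identifier, the remote server's digest no longer matches, so the proxy must re-sign with the secret it shares with the NAS. Secrets, Identifiers and attribute values are constructed; attribute type numbers are the ones tabulated in this document.

```python
"""Added example, not RFC 2865 text: Response Authenticator and proxy re-signing.
Secrets, Identifiers and attribute values below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, REPLY_MESSAGE, PROXY_STATE = 1, 18, 33   # attribute types from this document


def encode_attributes(attrs):
    """Serialise (type, value) pairs as Type|Length|Value; Length includes the 2 header octets."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def header(code, ident, attrs_bytes):
    """Code, Identifier and Length; Length counts the 20-octet header plus Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header(code, ident, attrs_bytes) + request_auth
                       + attrs_bytes + secret).digest()


def build_request(ident, request_auth, attrs):
    """Access-Request: the Authenticator field carries the random Request Authenticator."""
    attrs_bytes = encode_attributes(attrs)
    return header(ACCESS_REQUEST, ident, attrs_bytes) + request_auth + attrs_bytes


def build_response(code, ident, attrs, request_auth, secret):
    """Access-Accept/Reject/Challenge: the Authenticator field carries the Response Authenticator."""
    attrs_bytes = encode_attributes(attrs)
    auth = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return header(code, ident, attrs_bytes) + auth + attrs_bytes


def verify_response(packet, request_auth, secret):
    """Recompute the digest for a reply matched to a pending request; a mismatch means discard."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or len(packet) < length:
        return False
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def proxy_demo():
    """Trace the proxied Access-Accept from the forwarding-server procedure."""
    nas_secret = b"nas-side-shared-secret"       # constructed
    remote_secret = b"remote-side-secret-xyz"    # constructed
    request_auth = os.urandom(16)                # unpredictable, chosen by the NAS
    nas_ident, proxy_ident = 7, 200              # proxy sets the Identifier as needed
    proxy_state = b"fwd1:" + bytes([nas_ident])  # constructed Proxy-State value

    # Forwarding server appends its Proxy-State after any existing ones and forwards
    # the request (this demo reuses the NAS's Request Authenticator toward the remote).
    build_request(proxy_ident, request_auth, [(USER_NAME, b"alice"), (PROXY_STATE, proxy_state)])

    # Remote server accepts, copies the Proxy-State back unchanged, signs with its secret.
    remote_reply = build_response(ACCESS_ACCEPT, proxy_ident,
                                  [(REPLY_MESSAGE, b"Welcome"), (PROXY_STATE, proxy_state)],
                                  request_auth, remote_secret)
    remote_ok = verify_response(remote_reply, request_auth, remote_secret)

    # Wrong: strip Proxy-State and restore the NAS Identifier but keep the old digest.
    stripped = encode_attributes([(REPLY_MESSAGE, b"Welcome")])
    naive = header(ACCESS_ACCEPT, nas_ident, stripped) + remote_reply[4:20] + stripped
    naive_ok = verify_response(naive, request_auth, nas_secret)

    # Right: re-sign the modified reply with the secret shared with the NAS.
    resigned = build_response(ACCESS_ACCEPT, nas_ident, [(REPLY_MESSAGE, b"Welcome")],
                              request_auth, nas_secret)
    resigned_ok = verify_response(resigned, request_auth, nas_secret)
    return {"remote_verifies": remote_ok, "naive_forward_verifies": naive_ok,
            "resigned_verifies": resigned_ok}
```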
The RADIUS Packet type is determined by the Code field in the first octet of the Packet.
Access-Request

Description
Access-Request packets are sent to a RADIUS server, and convey information used to determine whether a user is allowed access to a specific NAS, and any special services requested for that user. An implementation wishing to authenticate a user MUST transmit a RADIUS packet with the Code field set to 1 (Access-Request).
Upon receipt of an Access-Request from a valid client, an appropriate reply MUST be transmitted.
An Access-Request SHOULD contain a User-Name attribute. It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both).
An Access-Request MUST contain either a User-Password or a CHAP-Password or a State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password. If future extensions allow other kinds of authentication information to be conveyed, the attribute for that can be used in an Access-Request instead of User-Password or CHAP-Password.
An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type attribute or both unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports.
An Access-Request MAY contain additional attributes as a hint to the server, but the server is not required to honor the hint.
When a User-Password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5 [3].
A summary of the Access-Request packet format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Request Authenticator                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
1 for Access-Request.
Identifier
The Identifier field MUST be changed whenever the content of the Attributes field changes, and whenever a valid reply has been received for a previous request. For retransmissions, the Identifier MUST remain unchanged.
Request Authenticator
The Request Authenticator value MUST be changed each time a new Identifier is used.
Attributes
The Attribute field is variable in length, and contains the list of Attributes that are required for the type of service, as well as any desired optional Attributes.
Access-Accept

Description
Access-Accept packets are sent by the RADIUS server, and provide specific configuration information necessary to begin delivery of service to the user. If all Attribute values received in an Access-Request are acceptable then the RADIUS implementation MUST transmit a packet with the Code field set to 2 (Access-Accept).
On reception of an Access-Accept, the Identifier field is matched with a pending Access-Request. The Response Authenticator field MUST contain the correct response for the pending Access-Request. Invalid packets are silently discarded.
A summary of the Access-Accept packet format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Response Authenticator                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
2 for Access-Accept.
Identifier
The Identifier field is a copy of the Identifier field of the Access-Request which caused this Access-Accept.
Response Authenticator
The Response Authenticator value is calculated from the Access-Request value, as described earlier.
Attributes
The Attribute field is variable in length, and contains a list of zero or more Attributes.
Access-Reject

Description
If any value of the received Attributes is not acceptable, then the RADIUS server MUST transmit a packet with the Code field set to 3 (Access-Reject). It MAY include one or more Reply-Message Attributes with a text message which the NAS MAY display to the user.
A summary of the Access-Reject packet format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Response Authenticator                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
3 for Access-Reject.
Identifier
The Identifier field is a copy of the Identifier field of the Access-Request which caused this Access-Reject.
Response Authenticator
The Response Authenticator value is calculated from the Access-Request value, as described earlier.
Attributes
The Attribute field is variable in length, and contains a list of zero or more Attributes.
Access-Challenge

Description
If the RADIUS server desires to send the user a challenge requiring a response, then the RADIUS server MUST respond to the Access-Request by transmitting a packet with the Code field set to 11 (Access-Challenge).
The Attributes field MAY have one or more Reply-Message Attributes, and MAY have a single State Attribute, or none. Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State attributes MAY also be included. No other Attributes defined in this document are permitted in an Access-Challenge.
On receipt of an Access-Challenge, the Identifier field is matched with a pending Access-Request. Additionally, the Response Authenticator field MUST contain the correct response for the pending Access-Request. Invalid packets are silently discarded.
If the NAS does not support challenge/response, it MUST treat an Access-Challenge as though it had received an Access-Reject instead.
If the NAS supports challenge/response, receipt of a valid Access-Challenge indicates that a new Access-Request SHOULD be sent. The NAS MAY display the text message, if any, to the user, and then prompt the user for a response. It then sends its original Access-Request with a new request ID and Request Authenticator, with the User-Password Attribute replaced by the user's response (encrypted), and including the State Attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State Attribute can be present in an Access-Request.
A NAS which supports PAP MAY forward the Reply-Message to the dialing client and accept a PAP response which it can use as though the user had entered the response. If the NAS cannot do so, it MUST treat the Access-Challenge as though it had received an Access-Reject instead.
A summary of the Access-Challenge packet format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Response Authenticator                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
11 for Access-Challenge.
Identifier
The Identifier field is a copy of the Identifier field of the Access-Request which caused this Access-Challenge.
Response Authenticator
The Response Authenticator value is calculated from the Access-Request value, as described earlier.
Attributes
The Attributes field is variable in length, and contains a list of zero or more Attributes.
RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.
The end of the list of Attributes is indicated by the Length of the RADIUS packet.
Some Attributes MAY be included more than once. The effect of this is Attribute specific, and is specified in each Attribute description. A summary table is provided at the end of the "Attributes" section.
If multiple Attributes with the same Type are present, the order of Attributes with the same Type MUST be preserved by any proxies. The order of Attributes of different Types is not required to be preserved. A RADIUS server or client MUST NOT have any dependencies on the order of attributes of different types. A RADIUS server or client MUST NOT require attributes of the same type to be contiguous.
Where an Attribute's description limits which kinds of packet it can be contained in, this applies only to the packet types defined in this document, namely Access-Request, Access-Accept, Access-Reject and Access-Challenge (Codes 1, 2, 3, and 11). Other documents defining other packet types may also use Attributes described here. To determine which Attributes are allowed in Accounting-Request and Accounting-Response packets (Codes 4 and 5) refer to the RADIUS Accounting document [5].
Likewise where packet types defined here state that only certain Attributes are permissible in them, future memos defining new Attributes should indicate which packet types the new Attributes may be present in.
A summary of the Attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
The Type field is one octet. Up-to-date values of the RADIUS Type field are specified in the most recent "Assigned Numbers" RFC [6]. Values 192-223 are reserved for experimental use, values 224-240 are reserved for implementation-specific use, and values 241-255 are reserved and should not be used.
A RADIUS server MAY ignore Attributes with an unknown Type.
A RADIUS client MAY ignore Attributes with an unknown Type.
This specification concerns the following values:
       1      User-Name
       2      User-Password
       3      CHAP-Password
       4      NAS-IP-Address
       5      NAS-Port
       6      Service-Type
       7      Framed-Protocol
       8      Framed-IP-Address
       9      Framed-IP-Netmask
      10      Framed-Routing
      11      Filter-Id
      12      Framed-MTU
      13      Framed-Compression
      14      Login-IP-Host
      15      Login-Service
      16      Login-TCP-Port
      17      (unassigned)
      18      Reply-Message
      19      Callback-Number
      20      Callback-Id
      21      (unassigned)
      22      Framed-Route
      23      Framed-IPX-Network
      24      State
      25      Class
      26      Vendor-Specific
      27      Session-Timeout
      28      Idle-Timeout
      29      Termination-Action
      30      Called-Station-Id
      31      Calling-Station-Id
      32      NAS-Identifier
      33      Proxy-State
      34      Login-LAT-Service
      35      Login-LAT-Node
      36      Login-LAT-Group
      37      Framed-AppleTalk-Link
      38      Framed-AppleTalk-Network
      39      Framed-AppleTalk-Zone
   40-59      (reserved for accounting)
      60      CHAP-Challenge
      61      NAS-Port-Type
      62      Port-Limit
      63      Login-LAT-Port
Length
The Length field is one octet, and indicates the length of this Attribute including the Type, Length and Value fields. If an Attribute is received in an Access-Request but with an invalid Length, an Access-Reject SHOULD be transmitted. If an Attribute is received in an Access-Accept, Access-Reject or Access-Challenge packet with an invalid length, the packet MUST either be treated as an Access-Reject or else silently discarded.
Value
The Value field is zero or more octets and contains information specific to the Attribute. The format and length of the Value field is determined by the Type and Length fields.
Note that none of the types in RADIUS terminate with a NUL (hex 00). In particular, types "text" and "string" in RADIUS do not terminate with a NUL (hex 00). The Attribute has a length field and does not use a terminator. Text contains UTF-8 encoded 10646 [7] characters and String contains 8-bit binary data. Servers and clients MUST be able to deal with embedded nulls. RADIUS implementers using C are cautioned not to use strcpy() when handling strings.
The format of the value field is one of five data types. Note that type "text" is a subset of type "string".
text 1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead.
文本1-253个八位字节,包含UTF-8编码的10646[7]个字符。不得发送长度为零(0)的文本;而忽略整个属性。
string 1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.
字符串1-253个八位字节,包含二进制数据(0到255个十进制值,含)。不得发送长度为零(0)的字符串;而忽略整个属性。
address 32 bit value, most significant octet first.
地址32位值,最重要的八位位组在前。
integer 32 bit unsigned value, most significant octet first.
整数32位无符号值,最高有效八位位组在先。
time 32 bit unsigned value, most significant octet first -- seconds since 00:00:00 UTC, January 1, 1970. The standard Attributes do not use this data type but it is presented here for possible use in future attributes.
时间32位无符号值,最高有效八位组第一位--自1970年1月1日UTC 00:00:00以来的秒数。标准属性不使用此数据类型,但此处提供此数据类型以供将来的属性使用。
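The attribute encoding described above (one-octet Type, one-octet Length that counts all three fields, a Value bounded only by Length and never NUL-terminated) as a small parser. This is an added example written for this page, not code from the RFC or from any RADIUS implementation. The type codes come from the table above; the Python names, the InvalidAttribute exception, the DATA_TYPES map and the sample attribute list are the example's own constructions.

```python
"""Parse a RADIUS attribute list the way the Length/Value text above requires.

Type (1 octet) | Length (1 octet, = 2 + len(Value)) | Value (0..253 octets).
No terminator: the Length field alone bounds the Value, and text/string
values may carry embedded NUL bytes that a strcpy()-style copy would cut off.
"""
import struct
from dataclasses import dataclass
from typing import List, Union

# Type codes from the attribute table; the data types are the five listed above.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, REPLY_MESSAGE = 1, 2, 4, 6, 18
DATA_TYPES = {
    USER_NAME: "text",
    USER_PASSWORD: "string",
    NAS_IP_ADDRESS: "address",
    SERVICE_TYPE: "integer",
    REPLY_MESSAGE: "text",
}


class InvalidAttribute(ValueError):
    """Hypothetical exception: a malformed Length. The caller answers an
    Access-Request with Access-Reject, or treats a response as Access-Reject
    or discards it, as the Length text above requires."""


@dataclass
class Attribute:
    type: int
    value: bytes


def parse_attributes(body: bytes) -> List[Attribute]:
    """Walk the list; a Length below 2 or one that runs past the body is invalid."""
    attrs, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 2:
            raise InvalidAttribute("truncated attribute header at offset %d" % offset)
        atype, alen = body[offset], body[offset + 1]
        if alen < 2:
            raise InvalidAttribute("attribute %d has Length %d < 2" % (atype, alen))
        if offset + alen > len(body):
            raise InvalidAttribute("attribute %d Length %d overruns the packet" % (atype, alen))
        attrs.append(Attribute(atype, body[offset + 2:offset + alen]))
        offset += alen
    return attrs


def decode_value(attr: Attribute) -> Union[str, bytes, int]:
    """Decode by data type. text -> str, string -> bytes (both keep embedded
    NULs); address -> dotted quad; integer/time -> unsigned 32-bit big-endian."""
    kind = DATA_TYPES.get(attr.type, "string")   # unknown types: opaque octets
    if kind in ("text", "string"):
        if not attr.value:
            raise InvalidAttribute("zero-length %s attribute %d" % (kind, attr.type))
        return attr.value.decode("utf-8") if kind == "text" else attr.value
    if len(attr.value) != 4:
        raise InvalidAttribute("%s attribute %d must be 4 octets" % (kind, attr.type))
    if kind == "address":
        return ".".join(str(b) for b in attr.value)
    return struct.unpack("!I", attr.value)[0]


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Build one attribute; Value is at most 253 octets so Length fits one octet."""
    if not 0 <= len(value) <= 253:
        raise ValueError("Value must be 0..253 octets")
    return bytes([atype, len(value) + 2]) + value


# Constructed sample, not a capture: a User-Name with an embedded NUL,
# NAS-IP-Address 192.0.2.10 and Service-Type 2 (Framed).
SAMPLE = (
    encode_attribute(USER_NAME, b"bob\x00admin")
    + encode_attribute(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
    + encode_attribute(SERVICE_TYPE, struct.pack("!I", 2))
)
# Same list with the first Length field pointing past the end of the body.
MALFORMED = bytes([USER_NAME, 200]) + SAMPLE[2:]


def demo():
    """Returns the decoded sample, what a NUL-terminated copy would have seen,
    and whether the overrunning Length was rejected."""
    decoded = [(a.type, decode_value(a)) for a in parse_attributes(SAMPLE)]
    strcpy_view = decoded[0][1].split("\x00")[0]     # "bob": the rest is silently lost
    try:
        parse_attributes(MALFORMED)
        rejected = False
    except InvalidAttribute:
        rejected = True
    return decoded, strcpy_view, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the MALFORMED case is that a server which trusts the Length field without checking it against the remaining packet reads past the datagram; the point of the NUL case is that "bob" and "bob\x00admin" are different User-Names on the wire and must stay different in the server.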
5.1. User-Name

Description

This Attribute indicates the name of the user to be authenticated. It MUST be sent in Access-Request packets if available.

It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all Accounting-Request packets for this session. If the Access-Accept includes Service-Type = Rlogin and the User-Name attribute, a NAS MAY use the returned User-Name when performing the Rlogin function.

A summary of the User-Name Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

1 for User-Name.

Length

>= 3

String

The String field is one or more octets. The NAS may limit the maximum length of the User-Name but the ability to handle at least 63 octets is recommended.

The format of the username MAY be one of several forms:

   text                        Consisting only of UTF-8 encoded 10646 [7] characters.

   network access identifier   A Network Access Identifier as described in RFC 2486 [8].

   distinguished name          A name in ASN.1 form used in Public Key authentication systems.
5.2. User-Password

Description

This Attribute indicates the password of the user to be authenticated, or the user's input following an Access-Challenge. It is only used in Access-Request packets.

On transmission, the password is hidden. The password is first padded at the end with nulls to a multiple of 16 octets. A one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the Request Authenticator. This value is XORed with the first 16 octet segment of the password and placed in the first 16 octets of the String field of the User-Password Attribute.

If the password is longer than 16 characters, a second one-way MD5 hash is calculated over a stream of octets consisting of the shared secret followed by the result of the first xor. That hash is XORed with the second 16 octet segment of the password and placed in the second 16 octets of the String field of the User-Password Attribute.

If necessary, this operation is repeated, with each xor result being used along with the shared secret to generate the next hash to xor the next segment of the password, to no more than 128 characters.

The method is taken from the book "Network Security" by Kaufman, Perlman and Speciner [9] pages 109-110. A more precise explanation of the method follows:

Call the shared secret S and the pseudo-random 128-bit Request Authenticator RA. Break the password into 16-octet chunks p1, p2, etc. with the last one padded at the end with nulls to a 16-octet boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need intermediate values b1, b2, etc.

      b1 = MD5(S + RA)       c(1) = p1 xor b1
      b2 = MD5(S + c(1))     c(2) = p2 xor b2
               .                      .
               .                      .
               .                      .
      bi = MD5(S + c(i-1))   c(i) = pi xor bi

The String will contain c(1)+c(2)+...+c(i) where + denotes concatenation.

On receipt, the process is reversed to yield the original password.

A summary of the User-Password Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

2 for User-Password.

Length

At least 18 and no larger than 130.

String

The String field is between 16 and 128 octets long, inclusive.
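The User-Password hiding chain above, carried through in code so that both directions and the consequences of the construction can be checked. This is an added example for this page, not code from the RFC. It uses the RFC's own notation (S, RA, p(i), b(i), c(i)); the function names, SAMPLE_SECRET and SAMPLE_RA are the example's own constructed values, and guess_shared_secret is an illustration of the offline test that the formula b1 = MD5(S + RA) permits, not anything the text prescribes.

```python
"""User-Password hiding (RFC 2865 section 5.2) with the text's notation:
S = shared secret, RA = 16-octet Request Authenticator, p(i) = NUL-padded
password blocks, b(i) = MD5 keystream blocks, c(i) = String field blocks.
"""
import hashlib

BLOCK = 16
MAX_STRING = 128                                   # String is 16..128 octets (Length 18..130)

SAMPLE_SECRET = b"constructed-shared-secret"       # constructed for the example, not a real secret
SAMPLE_RA = bytes(range(16))                       # constructed; a real RA is random per request


def keystream_block(secret: bytes, prev: bytes) -> bytes:
    """b(i) = MD5(S + c(i-1)); for the first block, c(0) is the Request Authenticator."""
    return hashlib.md5(secret + prev).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, ra: bytes) -> bytes:
    """Build the String field: c(i) = p(i) xor b(i), chaining on the ciphertext."""
    if len(ra) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_STRING:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)   # NUL-pad to a 16-octet boundary
    out, prev = bytearray(), ra
    for i in range(0, len(padded), BLOCK):
        c = xor_bytes(padded[i:i + BLOCK], keystream_block(secret, prev))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, ra: bytes) -> bytes:
    """Reverse the process on receipt, then strip the NUL padding. Because the
    padding is NUL, a password that itself ends in NUL cannot be carried."""
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= MAX_STRING:
        raise ValueError("String field must be 16..128 octets and a multiple of 16")
    out, prev = bytearray(), ra
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += xor_bytes(c, keystream_block(secret, prev))
        prev = c
    return bytes(out).rstrip(b"\x00")


def guess_shared_secret(candidates, ra: bytes, hidden: bytes, known_password: bytes):
    """Offline test the construction permits: whoever captures one Access-Request
    and knows that user's password learns b1 = c(1) xor p1 = MD5(S + RA), and
    can then check candidate secrets at MD5 speed. Returns the match or None."""
    b1 = xor_bytes(hidden[:BLOCK], known_password[:BLOCK].ljust(BLOCK, b"\x00"))
    for cand in candidates:
        if keystream_block(cand, ra) == b1:
            return cand
    return None


if __name__ == "__main__":
    hidden = hide_password(b"correct horse battery staple", SAMPLE_SECRET, SAMPLE_RA)
    print(hidden.hex(), reveal_password(hidden, SAMPLE_SECRET, SAMPLE_RA))
    print(guess_shared_secret([b"password", b"radius", SAMPLE_SECRET], SAMPLE_RA,
                              hidden, b"correct horse battery staple"))
```

Two properties follow directly from the formulas and are worth checking against the code: the keystream for the first block depends only on S and RA, so two requests that reuse an RA leak c_a(1) xor c_b(1) = p_a(1) xor p_b(1); and anyone holding one (RA, c(1), p1) triple can test guesses of S offline, which is why the shared secret has to be long and random rather than a word.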
5.3. CHAP-Password

Description

This Attribute indicates the response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge. It is only used in Access-Request packets.

The CHAP challenge value is found in the CHAP-Challenge Attribute (60) if present in the packet, otherwise in the Request Authenticator field.

A summary of the CHAP-Password Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  CHAP Ident   |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

3 for CHAP-Password.

Length

19

CHAP Ident

This field is one octet, and contains the CHAP Identifier from the user's CHAP Response.

String

The String field is 16 octets, and contains the CHAP Response from the user.
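The server-side check of a CHAP-Password, including the rule above for where the challenge comes from. This is an added example for this page, not code from the RFC. The MD5 response formula MD5(Identifier || secret || Challenge) is PPP CHAP's (RFC 1994); the attribute layout is the one just described; the function names, the Type-to-Value dictionary used to stand in for a parsed packet, and all sample values are the example's own constructions.

```python
"""Verify a CHAP-Password (Type 3) on the RADIUS server side.

The NAS relays the peer's CHAP Identifier and 16-octet MD5 response; the server
recomputes the response from the user's cleartext password and the challenge,
which is the CHAP-Challenge attribute (60) when present, else the Request
Authenticator. A packet is modelled here as a dict of Type -> Value.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """PPP CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, response: bytes) -> bytes:
    """Encode the attribute: Type 3, Length 19, CHAP Ident, 16-octet String."""
    if not 0 <= ident <= 255 or len(response) != 16:
        raise ValueError("ident must be one octet and the response 16 octets")
    return bytes([CHAP_PASSWORD, 19, ident]) + response


def nas_build_request(ident: int, password: bytes, ra: bytes,
                      challenge: Optional[bytes] = None) -> Dict[int, bytes]:
    """What a NAS would put in the Access-Request. With no explicit challenge the
    NAS challenged the peer with the Request Authenticator itself and sends no
    attribute 60; otherwise it sends the challenge it used in CHAP-Challenge."""
    attrs: Dict[int, bytes] = {}
    used = ra if challenge is None else challenge
    if challenge is not None:
        attrs[CHAP_CHALLENGE] = challenge
    attrs[CHAP_PASSWORD] = build_chap_password(ident, chap_response(ident, password, used))[2:]
    return attrs


def verify_chap(attrs: Dict[int, bytes], ra: bytes, password: bytes) -> bool:
    """Server side. Needs the cleartext password: CHAP cannot be verified against
    a one-way password hash, which is the operational cost of this method."""
    value = attrs.get(CHAP_PASSWORD)
    if value is None or len(value) != 17:          # Length 19 = Type + Length + Ident + 16
        return False
    ident, response = value[0], value[1:]
    challenge = attrs.get(CHAP_CHALLENGE, ra)      # attribute 60 wins when present
    if not challenge:
        return False
    expected = chap_response(ident, password, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


if __name__ == "__main__":
    ra = os.urandom(16)
    req = nas_build_request(ident=7, password=b"s3cret-pw", ra=ra)
    print(verify_chap(req, ra, b"s3cret-pw"), verify_chap(req, ra, b"wrong"))
```

The fourth assertion in the check below is the case that bites real deployments: if a NAS includes CHAP-Challenge but the peer actually answered the Request Authenticator (or the server ignores attribute 60), the response cannot match, so the precedence rule in the text has to be implemented exactly.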
5.4. NAS-IP-Address

Description

This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

Note that NAS-IP-Address MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

A summary of the NAS-IP-Address Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

4 for NAS-IP-Address.

Length

6

Address

The Address field is four octets.
5.5. NAS-Port

Description

This Attribute indicates the physical port number of the NAS which is authenticating the user. It is only used in Access-Request packets. Note that this is using "port" in its sense of a physical connection on the NAS, not in the sense of a TCP or UDP port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.

A summary of the NAS-Port Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

5 for NAS-Port.

Length

6

Value

The Value field is four octets.
5.6. Service-Type

Description

This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.

A summary of the Service-Type Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

6 for Service-Type.

Length

6

Value

The Value field is four octets.

       1      Login
       2      Framed
       3      Callback Login
       4      Callback Framed
       5      Outbound
       6      Administrative
       7      NAS Prompt
       8      Authenticate Only
       9      Callback NAS Prompt
      10      Call Check
      11      Callback Administrative

The service types are defined as follows when used in an Access-Accept. When used in an Access-Request, they MAY be considered to be a hint to the RADIUS server that the NAS has reason to believe the user would prefer the kind of service indicated, but the server is not required to honor the hint.

   Login                    The user should be connected to a host.

   Framed                   A Framed Protocol should be started for the User, such as PPP or SLIP.

   Callback Login           The user should be disconnected and called back, then connected to a host.

   Callback Framed          The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP.

   Outbound                 The user should be granted access to outgoing devices.

   Administrative           The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.

   NAS Prompt               The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.

   Authenticate Only        Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).

   Callback NAS Prompt      The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed.

   Call Check               Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name.

   Callback Administrative  The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed.
5.7. Framed-Protocol

Description

This Attribute indicates the framing to be used for framed access. It MAY be used in both Access-Request and Access-Accept packets.

A summary of the Framed-Protocol Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

7 for Framed-Protocol.

Length

6

Value

The Value field is four octets.

       1      PPP
       2      SLIP
       3      AppleTalk Remote Access Protocol (ARAP)
       4      Gandalf proprietary SingleLink/MultiLink protocol
       5      Xylogics proprietary IPX/SLIP
       6      X.75 Synchronous
5.8. Framed-IP-Address

Description

This Attribute indicates the address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.

A summary of the Framed-IP-Address Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

8 for Framed-IP-Address.

Length

6

Address

The Address field is four octets. The value 0xFFFFFFFF indicates that the NAS SHOULD allow the user to select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g. Assigned from a pool of addresses kept by the NAS). Other valid values indicate that the NAS should use that value as the user's IP address.
5.9. Framed-IP-Netmask

Description

This Attribute indicates the IP netmask to be configured for the user when the user is a router to a network. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that netmask, but the server is not required to honor the hint.

A summary of the Framed-IP-Netmask Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

9 for Framed-IP-Netmask.

Length

6

Address

The Address field is four octets specifying the IP netmask of the user.
5.10. Framed-Routing

Description

This Attribute indicates the routing method for the user, when the user is a router to a network. It is only used in Access-Accept packets.

A summary of the Framed-Routing Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

10 for Framed-Routing.

Length

6

Value

The Value field is four octets.

       0      None
       1      Send routing packets
       2      Listen for routing packets
       3      Send and Listen
5.11. Filter-Id

Description

This Attribute indicates the name of the filter list for this user. Zero or more Filter-Id attributes MAY be sent in an Access-Accept packet.

Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details.

A summary of the Filter-Id Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

11 for Filter-Id.

Length

>= 3

Text

The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [7] characters.
5.12. Framed-MTU

Description

This Attribute indicates the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that value, but the server is not required to honor the hint.

A summary of the Framed-MTU Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

12 for Framed-MTU.

Length

6

Value

The Value field is four octets. Despite the size of the field, values range from 64 to 65535.
5.13. Framed-Compression

Description

This Attribute indicates a compression protocol to be used for the link. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that compression, but the server is not required to honor the hint.

More than one compression protocol Attribute MAY be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.

A summary of the Framed-Compression Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

13 for Framed-Compression.

Length

6

Value

The Value field is four octets.

       0      None
       1      VJ TCP/IP header compression [10]
       2      IPX header compression
       3      Stac-LZS compression
5.14. Login-IP-Host

Description

This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.

A summary of the Login-IP-Host Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

14 for Login-IP-Host.

Length

6

Address

The Address field is four octets. The value 0xFFFFFFFF indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to. Other values indicate the address the NAS SHOULD connect the user to.
5.15. Login-Service

Description

This Attribute indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets.

A summary of the Login-Service Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

15 for Login-Service.

Length

6

Value

The Value field is four octets.

       0      Telnet
       1      Rlogin
       2      TCP Clear
       3      PortMaster (proprietary)
       4      LAT
       5      X25-PAD
       6      X25-T3POS
       8      TCP Clear Quiet (suppresses any NAS-generated connect string)
5.16. Login-TCP-Port

Description

This Attribute indicates the TCP port with which the user is to be connected, when the Login-Service Attribute is also present. It is only used in Access-Accept packets.

A summary of the Login-TCP-Port Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

16 for Login-TCP-Port.

Length

6

Value

The Value field is four octets. Despite the size of the field, values range from 0 to 65535.
5.17. (unassigned)

Description

ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED.
5.18. Reply-Message

Description

This Attribute indicates text which MAY be displayed to the user.

When used in an Access-Accept, it is the success message.

When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt.

When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response.

Multiple Reply-Messages MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the packet.

A summary of the Reply-Message Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

18 for Reply-Message.

Length

>= 3

Text

The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [7] characters.
5.19. Callback-Number

Description

This Attribute indicates a dialing string to be used for callback. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that a Callback service is desired, but the server is not required to honor the hint.

A summary of the Callback-Number Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

19 for Callback-Number.

Length

>= 3

String

The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

The codification of the range of allowed usage of this field is outside the scope of this specification.
5.20. Callback-Id

Description

This Attribute indicates the name of a place to be called, to be interpreted by the NAS. It MAY be used in Access-Accept packets.

A summary of the Callback-Id Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

20 for Callback-Id.

Length

>= 3

String

The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

The codification of the range of allowed usage of this field is outside the scope of this specification.
5.21. (unassigned)

Description

ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED.
Description

   This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.

   A summary of the Framed-Route Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   22 for Framed-Route.

Length

   >= 3

Text

   The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [7] characters.

   For IP routes, it SHOULD contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high order bits of the prefix to use. That is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces. For example, "192.168.1.0/24 192.168.1.1 1 2 -1 3 400". The length specifier may be omitted, in which case it defaults to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24 bits for class C prefixes. For example, "192.168.1.0 192.168.1.1 1".

   Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.
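Parsing the Framed-Route text form described above, as an added example that is not part of RFC 2865: the parser applies the classful default prefix lengths and the "0.0.0.0" gateway substitution, and rejects malformed text rather than guessing, since a NAS installs whatever route it accepts. The function names and the sample route strings are constructed for this example.

```python
import ipaddress
from typing import Optional

FRAMED_ROUTE = 22  # RADIUS attribute Type for Framed-Route


def default_prefix_length(dotted_quad: str) -> int:
    """Classful default used when the "/len" specifier is omitted.

    The attribute text only defines defaults for class A, B and C prefixes,
    so anything from 224.0.0.0 upwards is rejected rather than guessed.
    """
    first_octet = int(dotted_quad.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"no classful default for prefix {dotted_quad}; a /len is required")


def parse_framed_route(text: str, user_ip: Optional[str] = None) -> dict:
    """Parse one Framed-Route Text value (hypothetical helper name).

    Returns {"prefix": IPv4Network, "gateway": IPv4Address, "metrics": [int, ...]}.
    A gateway of 0.0.0.0 is replaced by the user's own IP address when it is known.
    """
    parts = text.split()
    if len(parts) < 3:
        raise ValueError("Framed-Route needs a prefix, a gateway and at least one metric")
    dest, gateway, *metric_text = parts

    if "/" in dest:
        addr, length = dest.split("/", 1)
        if not length.isdigit():
            raise ValueError(f"bad prefix length {length!r}")
        prefix_len = int(length)
    else:
        addr, prefix_len = dest, default_prefix_length(dest)
    # strict=False tolerates host bits in the prefix; the network is still masked.
    prefix = ipaddress.IPv4Network((addr, prefix_len), strict=False)

    gw = ipaddress.IPv4Address(gateway)  # raises on anything that is not a dotted quad
    if gw == ipaddress.IPv4Address("0.0.0.0"):
        if user_ip is None:
            raise ValueError("gateway 0.0.0.0 requires the user's assigned IP address")
        gw = ipaddress.IPv4Address(user_ip)

    metrics = []
    for m in metric_text:
        try:
            metrics.append(int(m, 10))
        except ValueError:
            raise ValueError(f"metric {m!r} is not a decimal integer") from None
    return {"prefix": prefix, "gateway": gw, "metrics": metrics}


def encode_framed_route(text: str) -> bytes:
    """Wrap validated text in the Type / Length / Text attribute layout."""
    # Validate before sending; the placeholder user_ip lets a 0.0.0.0 gateway pass.
    parse_framed_route(text, user_ip="0.0.0.0")
    data = text.encode("utf-8")
    length = 2 + len(data)
    if length < 3 or length > 255:
        raise ValueError("Framed-Route Length must be 3..255")
    return bytes((FRAMED_ROUTE, length)) + data
```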
Description

   This Attribute indicates the IPX Network number to be configured for the user. It is used in Access-Accept packets.

   A summary of the Framed-IPX-Network Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   23 for Framed-IPX-Network.

Length

   6

Value

   The Value field is four octets. The value 0xFFFFFFFE indicates that the NAS should select an IPX network for the user (e.g. assigned from a pool of one or more IPX networks kept by the NAS). Other values should be used as the IPX network for the link to the user.
Description

   This Attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

   This Attribute is available to be sent by the server to the client in an Access-Accept that also includes a Termination-Action Attribute with the value of RADIUS-Request. If the NAS performs the Termination-Action by sending a new Access-Request upon termination of the current session, it MUST include the State attribute unchanged in that Access-Request.

   In either usage, the client MUST NOT interpret the attribute locally. A packet must have only zero or one State Attribute. Usage of the State Attribute is implementation dependent.

   A summary of the State Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   24 for State.

Length

   >= 3

String

   The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute is available to be sent by the server to the client in an Access-Accept and SHOULD be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The client MUST NOT interpret the attribute locally.

   A summary of the Class Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   25 for Class.

Length

   >= 3

String

   The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute is available to allow vendors to support their own extended Attributes not suitable for general usage. It MUST not affect the operation of the RADIUS protocol.

   Servers not equipped to interpret the vendor-specific information sent by a client MUST ignore it (although it may be reported). Clients which do not receive desired vendor-specific information SHOULD make an attempt to operate without it, although they may do so (and report they are doing so) in a degraded mode.

   A summary of the Vendor-Specific Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Vendor-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Vendor-Id (cont)           |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   26 for Vendor-Specific.

Length

   >= 7

Vendor-Id

   The high-order octet is 0 and the low-order 3 octets are the SMI Network Management Private Enterprise Code of the Vendor in network byte order, as defined in the "Assigned Numbers" RFC [6].

String

   The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.

   It SHOULD be encoded as a sequence of vendor type / vendor length / value fields, as follows. The Attribute-Specific field is dependent on the vendor's definition of that attribute. An example encoding of the Vendor-Specific attribute using this method follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Vendor-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Vendor-Id (cont)           |  Vendor type  | Vendor length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Attribute-Specific...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Multiple subattributes MAY be encoded within a single Vendor-Specific attribute, although they do not have to be.
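Encoding and decoding the Vendor-Specific attribute with the recommended vendor type / vendor length / value layout, as an added example that is neither RFC nor vendor code. The Vendor-Id 32473 is used only as a placeholder enterprise number, the sub-attribute values are constructed, and the decoder treats every length inconsistency as an error instead of reading past the attribute, which is where careless VSA parsers fail.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute Type
DOC_VENDOR_ID = 32473      # placeholder enterprise number, assumed for this example


def encode_subattrs(subattrs) -> bytes:
    """Serialise (vendor type, value) pairs as vendor type / vendor length / value.

    Like the outer Length, the vendor length counts its own two header octets.
    """
    out = bytearray()
    for vtype, value in subattrs:
        if not 0 <= vtype <= 255:
            raise ValueError("vendor type must be one octet")
        if len(value) > 253:
            raise ValueError("value too long for a one-octet vendor length")
        out += bytes((vtype, 2 + len(value))) + bytes(value)
    return bytes(out)


def encode_vsa(vendor_id: int, string: bytes) -> bytes:
    """Build a Vendor-Specific attribute around an already encoded String field."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("Vendor-Id is 3 octets; the high-order octet is always 0")
    length = 2 + 4 + len(string)       # Type, Length, Vendor-Id, String
    if length < 7 or length > 255:
        raise ValueError("Vendor-Specific Length must be 7..255")
    return struct.pack("!BBI", VENDOR_SPECIFIC, length, vendor_id) + string


def decode_vsa(attr: bytes):
    """Split one Vendor-Specific attribute into (vendor_id, string).

    A server that cannot interpret the vendor data MUST ignore it, but a bad
    Length must never be allowed to drive an out-of-bounds read, so every
    inconsistency raises here.
    """
    if len(attr) < 7:
        raise ValueError("shorter than the minimum Length of 7")
    atype, length, vendor_id = struct.unpack("!BBI", attr[:6])
    if atype != VENDOR_SPECIFIC:
        raise ValueError(f"Type {atype} is not Vendor-Specific")
    if length != len(attr):
        raise ValueError("Length field does not match the octets received")
    if vendor_id >> 24:
        raise ValueError("high-order octet of Vendor-Id must be 0")
    return vendor_id, bytes(attr[6:])


def split_subattrs(string: bytes):
    """Walk the recommended vendor type / vendor length / value encoding.

    Returns a list of (vendor type, value). Vendors are not obliged to use this
    layout, so a caller that gets ValueError should fall back to treating the
    String as undistinguished octets rather than rejecting the packet.
    """
    items, pos = [], 0
    while pos < len(string):
        if len(string) - pos < 2:
            raise ValueError("truncated vendor type/length header")
        vtype, vlen = string[pos], string[pos + 1]
        if vlen < 2 or pos + vlen > len(string):
            raise ValueError(f"vendor length {vlen} at offset {pos} runs past the end")
        items.append((vtype, bytes(string[pos + 2:pos + vlen])))
        pos += vlen
    return items
```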
Description

   This Attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.

   A summary of the Session-Timeout Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   27 for Session-Timeout.

Length

   6

Value

   The field is 4 octets, containing a 32-bit unsigned integer with the maximum number of seconds this user should be allowed to remain connected by the NAS.
Description

   This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge.

   A summary of the Idle-Timeout Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   28 for Idle-Timeout.

Length

   6

Value

   The field is 4 octets, containing a 32-bit unsigned integer with the maximum number of consecutive seconds of idle time this user should be permitted before being disconnected by the NAS.
Description

   This Attribute indicates what action the NAS should take when the specified service is completed. It is only used in Access-Accept packets.

   A summary of the Termination-Action Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   29 for Termination-Action.

Length

   6

Value

   The Value field is four octets.

      0  Default
      1  RADIUS-Request

   If the Value is set to RADIUS-Request, upon termination of the specified service the NAS MAY send a new Access-Request to the RADIUS server, including the State attribute if any.
Description

   This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.

   A summary of the Called-Station-Id Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   30 for Called-Station-Id.

Length

   >= 3

String

   The String field is one or more octets, containing the phone number that the user's call came in on.

   The actual format of the information is site or application specific. UTF-8 encoded 10646 [7] characters are recommended, but a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

   A summary of the Calling-Station-Id Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   31 for Calling-Station-Id.

Length

   >= 3

String

   The String field is one or more octets, containing the phone number that the user placed the call from.

   The actual format of the information is site or application specific. UTF-8 encoded 10646 [7] characters are recommended, but a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

   Note that NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

   A summary of the NAS-Identifier Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   32 for NAS-Identifier.

Length

   >= 3

String

   The String field is one or more octets, and should be unique to the NAS within the scope of the RADIUS server. For example, a fully qualified domain name would be suitable as a NAS-Identifier.

   The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute is available to be sent by a proxy server to another server when forwarding an Access-Request and MUST be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge. When the proxy server receives the response to its request, it MUST remove its own Proxy-State (the last Proxy-State in the packet) before forwarding the response to the NAS.

   If a Proxy-State Attribute is added to a packet when forwarding the packet, the Proxy-State Attribute MUST be added after any existing Proxy-State attributes.

   The content of any Proxy-State other than the one added by the current server should be treated as opaque octets and MUST NOT affect operation of the protocol.

   Usage of the Proxy-State Attribute is implementation dependent. A description of its function is outside the scope of this specification.

   A summary of the Proxy-State Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   33 for Proxy-State.

Length

   >= 3

String

   The String field is one or more octets. The actual format of the information is site or application specific, and a robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
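The Proxy-State rules above (and the zero-or-one State rule from the State attribute) worked through as an added example that is not RFC code, over a simplified attribute list of (Type, value) pairs with the TLV bytes elided: each proxy appends its Proxy-State after any existing ones, the server echoes them unmodified, and each proxy strips only the last one on the way back, first checking that it is the token it added. The function names and the tokens are constructed for this example.

```python
from typing import Callable, List, Tuple

Attr = Tuple[int, bytes]   # (Type, value) in packet order
STATE = 24
PROXY_STATE = 33


def count_state(attrs: List[Attr]) -> int:
    """A packet must carry zero or one State Attribute; more is malformed."""
    n = sum(1 for t, _ in attrs if t == STATE)
    if n > 1:
        raise ValueError(f"{n} State attributes in one packet")
    return n


def proxy_forward(attrs: List[Attr], own_token: bytes) -> List[Attr]:
    """Proxy, request direction: add our Proxy-State after any existing ones.

    Appending at the end satisfies the ordering rule whatever is already present.
    """
    if not 1 <= len(own_token) <= 253:
        raise ValueError("Proxy-State String must be 1..253 octets")
    return attrs + [(PROXY_STATE, own_token)]


def server_respond(request: List[Attr], reply_attrs: List[Attr]) -> List[Attr]:
    """Server: return every Proxy-State unmodified and in the order received.

    Other proxies' Proxy-State values are opaque octets to us; we never inspect them.
    """
    count_state(request)
    echoed = [a for a in request if a[0] == PROXY_STATE]
    return reply_attrs + echoed


def proxy_unwind(response: List[Attr], own_token: bytes) -> List[Attr]:
    """Proxy, response direction: remove only the last Proxy-State, which must be ours.

    If the last Proxy-State is not the token we added, the response was not produced
    for our request (mis-delivered, replayed or altered) and must not be relayed.
    """
    idx = [i for i, (t, _) in enumerate(response) if t == PROXY_STATE]
    if not idx:
        raise ValueError("response carries no Proxy-State")
    last = idx[-1]
    if response[last][1] != own_token:
        raise ValueError("last Proxy-State is not ours; not forwarding")
    return response[:last] + response[last + 1:]


def round_trip(request: List[Attr], proxy_tokens: List[bytes],
               handler: Callable[[List[Attr]], List[Attr]]) -> List[Attr]:
    """Run a request through a chain of proxies to the handler and back to the NAS.

    proxy_tokens lists the proxies in the order the request traverses them; the
    handler produces the server's own reply attributes for the forwarded request.
    """
    for tok in proxy_tokens:
        request = proxy_forward(request, tok)
    response = server_respond(request, handler(request))
    for tok in reversed(proxy_tokens):
        response = proxy_unwind(response, tok)
    return response
```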
Description

   This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

   Administrators use the service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In such an environment several different time sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Alternately, some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

   A summary of the Login-LAT-Service Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   34 for Login-LAT-Service.

Length

   >= 3

String

   The String field is one or more octets, and contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [11]. All LAT string comparisons are case insensitive.
Description

   This Attribute indicates the Node with which the user is to be automatically connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

   A summary of the Login-LAT-Node Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   35 for Login-LAT-Node.

Length

   >= 3

String

   The String field is one or more octets, and contains the identity of the LAT Node to connect the user to. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension. All LAT string comparisons are case insensitive.
Description

   This Attribute contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.

   LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap.

   Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bit map. The administrators assign a bitmap of authorized group codes to each user; LAT gets these from the operating system, and uses these in its requests to the service providers.

   A summary of the Login-LAT-Group Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   36 for Login-LAT-Group.

Length

   34

String

   The String field is a 32 octet bit map, most significant octet first. A robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute indicates the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. It is only used in Access-Accept packets. It is never used when the user is not another router.

   A summary of the Framed-AppleTalk-Link Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   37 for Framed-AppleTalk-Link.

Length

   6

Value

   The Value field is four octets. Despite the size of the field, values range from 0 to 65535. The special value of 0 indicates that this is an unnumbered serial link. A value of 1-65535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.
Description

   This Attribute indicates the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. It is only used in Access-Accept packets. It is never used when the user is another router. Multiple instances of this Attribute indicate that the NAS may probe using any of the network numbers specified.

   A summary of the Framed-AppleTalk-Network Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   38 for Framed-AppleTalk-Network.

Length

   6

Value

   The Value field is four octets. Despite the size of the field, values range from 0 to 65535. The special value 0 indicates that the NAS should assign a network for the user, using its default cable range. A value between 1 and 65535 (inclusive) indicates the AppleTalk Network the NAS should probe to find an address for the user.
Description

   This Attribute indicates the AppleTalk Default Zone to be used for this user. It is only used in Access-Accept packets. Multiple instances of this attribute in the same packet are not allowed.

   A summary of the Framed-AppleTalk-Zone Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   39 for Framed-AppleTalk-Zone.

Length

   >= 3

String

   The name of the Default AppleTalk Zone to be used for this user. A robust implementation SHOULD support the field as undistinguished octets.

   The codification of the range of allowed usage of this field is outside the scope of this specification.
Description

   This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets.

   If the CHAP challenge value is 16 octets long it MAY be placed in the Request Authenticator field instead of using this attribute.

   A summary of the CHAP-Challenge Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

   60 for CHAP-Challenge.

Length

   >= 7

String

   The String field contains the CHAP Challenge.
Description

   This Attribute indicates the type of the physical port of the NAS which is authenticating the user. It can be used instead of or in addition to the NAS-Port (5) attribute. It is only used in Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or both SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports.

   A summary of the NAS-Port-Type Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   61 for NAS-Port-Type.

Length

   6

Value

   The Value field is four octets. "Virtual" refers to a connection to the NAS via some transport protocol, instead of through a physical port. For example, if a user telnetted into a NAS to authenticate himself as an Outbound-User, the Access-Request might include NAS-Port-Type = Virtual as a hint to the RADIUS server that the user was not on a physical port.

      0  Async
      1  Sync
      2  ISDN Sync
      3  ISDN Async V.120
      4  ISDN Async V.110
      5  Virtual
      6  PIAFS
      7  HDLC Clear Channel
      8  X.25
      9  X.75
     10  G.3 Fax
     11  SDSL - Symmetric DSL
     12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation
     13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
     14  IDSL - ISDN Digital Subscriber Line
     15  Ethernet
     16  xDSL - Digital Subscriber Line of unknown type
     17  Cable
     18  Wireless - Other
     19  Wireless - IEEE 802.11

   PIAFS is a form of wireless ISDN commonly used in Japan, and stands for PHS (Personal Handyphone System) Internet Access Forum Standard (PIAFS).
5.42. Port-Limit
Description
This Attribute sets the maximum number of ports to be provided to the user by the NAS. This Attribute MAY be sent by the server to the client in an Access-Accept packet. It is intended for use in conjunction with Multilink PPP [12] or similar uses. It MAY also be sent by the NAS to the server as a hint that that many ports are desired for use, but the server is not required to honor the hint.
A summary of the Port-Limit Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
62 for Port-Limit.
Length
6
Value
The field is 4 octets, containing a 32-bit unsigned integer with the maximum number of ports this user should be allowed to connect to on the NAS.
5.43. Login-LAT-Port
Description
This Attribute indicates the Port with which the user is to be connected by LAT. It MAY be used in Access-Accept packets, but only when LAT is specified as the Login-Service. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint.
A summary of the Login-LAT-Port Attribute format is shown below. The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
63 for Login-LAT-Port.
Length
>= 3
String
The String field is one or more octets, and contains the identity of the LAT port to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension. All LAT string comparisons are case insensitive.
5.44. Table of Attributes
The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.

   Request   Accept   Reject   Challenge   #    Attribute
   0-1       0-1      0        0            1   User-Name
   0-1       0        0        0            2   User-Password [Note 1]
   0-1       0        0        0            3   CHAP-Password [Note 1]
   0-1       0        0        0            4   NAS-IP-Address [Note 2]
   0-1       0        0        0            5   NAS-Port
   0-1       0-1      0        0            6   Service-Type
   0-1       0-1      0        0            7   Framed-Protocol
   0-1       0-1      0        0            8   Framed-IP-Address
   0-1       0-1      0        0            9   Framed-IP-Netmask
   0         0-1      0        0           10   Framed-Routing
   0         0+       0        0           11   Filter-Id
   0-1       0-1      0        0           12   Framed-MTU
   0+        0+       0        0           13   Framed-Compression
   0+        0+       0        0           14   Login-IP-Host
   0         0-1      0        0           15   Login-Service
   0         0-1      0        0           16   Login-TCP-Port
   0         0+       0+       0+          18   Reply-Message
   0-1       0-1      0        0           19   Callback-Number
   0         0-1      0        0           20   Callback-Id
   0         0+       0        0           22   Framed-Route
   0         0-1      0        0           23   Framed-IPX-Network
   0-1       0-1      0        0-1         24   State [Note 1]
   0         0+       0        0           25   Class
   0+        0+       0        0+          26   Vendor-Specific
   0         0-1      0        0-1         27   Session-Timeout
   0         0-1      0        0-1         28   Idle-Timeout
   0         0-1      0        0           29   Termination-Action
   0-1       0        0        0           30   Called-Station-Id
   0-1       0        0        0           31   Calling-Station-Id
   0-1       0        0        0           32   NAS-Identifier [Note 2]
   0+        0+       0+       0+          33   Proxy-State
   0-1       0-1      0        0           34   Login-LAT-Service
   0-1       0-1      0        0           35   Login-LAT-Node
   0-1       0-1      0        0           36   Login-LAT-Group
   0         0-1      0        0           37   Framed-AppleTalk-Link
   0         0+       0        0           38   Framed-AppleTalk-Network
   0         0-1      0        0           39   Framed-AppleTalk-Zone
   0-1       0        0        0           60   CHAP-Challenge
   0-1       0        0        0           61   NAS-Port-Type
   0-1       0-1      0        0           62   Port-Limit
   0-1       0-1      0        0           63   Login-LAT-Port
   Request   Accept   Reject   Challenge   #    Attribute

[Note 1] An Access-Request MUST contain either a User-Password or a CHAP-Password or State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password. If future extensions allow other kinds of authentication information to be conveyed, the attribute for that can be used in an Access-Request instead of User-Password or CHAP-Password.
[Note 2] An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both).
The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in packet.
   0+    Zero or more instances of this attribute MAY be present in packet.
   0-1   Zero or one instance of this attribute MAY be present in packet.
   1     Exactly one instance of this attribute MUST be present in packet.
6. IANA Considerations
This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of values related to the RADIUS protocol, in accordance with BCP 26 [13].
There are three name spaces in RADIUS that require registration: Packet Type Codes, Attribute Types, and Attribute Values (for certain Attributes).
RADIUS is not intended as a general-purpose Network Access Server (NAS) management protocol, and allocations should not be made for purposes unrelated to Authentication, Authorization or Accounting.
The following terms are used here with the meanings defined in BCP 26: "name space", "assigned value", "registration".
The following policies are used here with the meanings defined in BCP 26: "Private Use", "First Come First Served", "Expert Review", "Specification Required", "IETF Consensus", "Standards Action".
For registration requests where a Designated Expert should be consulted, the IESG Area Director for Operations should appoint the Designated Expert.
For registration requests requiring Expert Review, the ietf-radius mailing list should be consulted.
Packet Type Codes have a range from 1 to 254, of which 1-5, 11-13 have been allocated. Because a new Packet Type has considerable impact on interoperability, a new Packet Type Code requires Standards Action, and should be allocated starting at 14.
Attribute Types have a range from 1 to 255, and are the scarcest resource in RADIUS, thus must be allocated with care. Attributes 1-53, 55, 60-88, 90-91 have been allocated, with 17 and 21 available for re-use. Attributes 17, 21, 54, 56-59, 89, 92-191 may be allocated following Expert Review, with Specification Required. Release of blocks of Attribute Types (more than 3 at a time for a given purpose) should require IETF Consensus. It is recommended that attributes 17 and 21 be used only after all others are exhausted.
Note that RADIUS defines a mechanism for Vendor-Specific extensions (Attribute 26) and the use of that should be encouraged instead of allocation of global attribute types, for functions specific only to one vendor's implementation of RADIUS, where no interoperability is deemed useful.
As stated in the "Attributes" section above:
"[Attribute Type] Values 192-223 are reserved for experimental use, values 224-240 are reserved for implementation-specific use, and values 241-255 are reserved and should not be used."
Therefore Attribute values 192-240 are considered Private Use, and values 241-255 require Standards Action.
Certain attributes (for example, NAS-Port-Type) in RADIUS define a list of values to correspond with various meanings. There can be 4 billion (2^32) values for each attribute. Adding additional values to the list can be done on a First Come, First Served basis by the IANA.
7. Examples
A few examples are presented to illustrate the flow of packets and use of typical attributes. These examples are not intended to be exhaustive; many others are possible. Hexadecimal dumps of the example packets are given in network byte order, using the shared secret "xyzzy5461".
7.1. User Telnet to Specified Host
The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named nemo logging in on port 3 with password "arctangent".
The Request Authenticator is a 16 octet random number generated by the NAS.
The User-Password is 16 octets of password padded at end with nulls, XORed with MD5(shared secret|Request Authenticator).

      01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a
      01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f
      78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03

      1 Code = Access-Request (1)
      1 ID = 0
      2 Length = 56
     16 Request Authenticator

   Attributes:
      6  User-Name = "nemo"
     18  User-Password
      6  NAS-IP-Address = 192.168.1.16
      6  NAS-Port = 3

The RADIUS server authenticates nemo, and sends an Access-Accept UDP packet to the NAS telling it to telnet nemo to host 192.168.1.3.
The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the Request Authenticator from above, the attributes in this reply, and the shared secret.

      02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2
      06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03

      1 Code = Access-Accept (2)
      1 ID = 0 (same as in Access-Request)
      2 Length = 38
     16 Response Authenticator

   Attributes:
      6  Service-Type (6) = Login (1)
      6  Login-Service (15) = Telnet (0)
      6  Login-IP-Host (14) = 192.168.1.3
7.2. Framed User Authenticating with CHAP
The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named flopsy logging in on port 20 with PPP, authenticating using CHAP. The NAS sends along the Service-Type and Framed-Protocol attributes as a hint to the RADIUS server that this user is looking for PPP, although the NAS is not required to do so.
The Request Authenticator is a 16 octet random number generated by the NAS, and is also used as the CHAP Challenge.
The CHAP-Password consists of a 1 octet CHAP ID, in this case 22, followed by the 16 octet CHAP response.

      01 01 00 47 2a ee 86 f0 8d 0d 55 96 9c a5 97 8e 0d 33 67 a2
      01 08 66 6c 6f 70 73 79 03 13 16 e9 75 57 c3 16 18 58 95 f2
      93 ff 63 44 07 72 75 04 06 c0 a8 01 10 05 06 00 00 00 14 06
      06 00 00 00 02 07 06 00 00 00 01

      1 Code = 1 (Access-Request)
      1 ID = 1
      2 Length = 71
     16 Request Authenticator

   Attributes:
      8  User-Name (1) = "flopsy"
     19  CHAP-Password (3)
      6  NAS-IP-Address (4) = 192.168.1.16
      6  NAS-Port (5) = 20
      6  Service-Type (6) = Framed (2)
      6  Framed-Protocol (7) = PPP (1)

The RADIUS server authenticates flopsy, and sends an Access-Accept UDP packet to the NAS telling it to start PPP service and assign an address for the user out of its dynamic address pool.
The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (1), Length (56), the Request Authenticator from above, the attributes in this reply, and the shared secret.

      02 01 00 38 15 ef bc 7d ab 26 cf a3 dc 34 d9 c0 3c 86 01 a4
      06 06 00 00 00 02 07 06 00 00 00 01 08 06 ff ff ff fe 0a 06
      00 00 00 02 0d 06 00 00 00 01 0c 06 00 00 05 dc

      1 Code = Access-Accept (2)
      1 ID = 1 (same as in Access-Request)
      2 Length = 56
     16 Response Authenticator

   Attributes:
      6  Service-Type (6) = Framed (2)
      6  Framed-Protocol (7) = PPP (1)
      6  Framed-IP-Address (8) = 255.255.255.254
      6  Framed-Routing (10) = None (0)
      6  Framed-Compression (13) = VJ TCP/IP Header Compression (1)
      6  Framed-MTU (12) = 1500
7.3. User with Challenge-Response card
The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named mopsy logging in on port 7. The user enters the dummy password "challenge" in this example. The challenge and response generated by the smart card for this example are "32769430" and "99101462".
The Request Authenticator is a 16 octet random number generated by the NAS.
The User-Password is 16 octets of password, in this case "challenge", padded at the end with nulls, XORed with MD5(shared secret|Request Authenticator).

      01 02 00 39 f3 a4 7a 1f 6a 6d 76 71 0b 94 7a b9 30 41 a0 39
      01 07 6d 6f 70 73 79 02 12 33 65 75 73 77 82 89 b5 70 88 5e
      15 08 48 25 c5 04 06 c0 a8 01 10 05 06 00 00 00 07

      1 Code = Access-Request (1)
      1 ID = 2
      2 Length = 57
     16 Request Authenticator

   Attributes:
      7  User-Name (1) = "mopsy"
     18  User-Password (2)
      6  NAS-IP-Address (4) = 192.168.1.16
      6  NAS-Port (5) = 7

The RADIUS server decides to challenge mopsy, sending back a challenge string and looking for a response. The RADIUS server therefore sends an Access-Challenge UDP packet to the NAS.
The Response Authenticator is a 16-octet MD5 checksum of the code (11), id (2), length (78), the Request Authenticator from above, the attributes in this reply, and the shared secret.
The Reply-Message is "Challenge 32769430. Enter response at prompt."
The State is a magic cookie to be returned along with the user's response; in this example 8 octets of data (33 32 37 36 39 34 33 30 in hex).

      0b 02 00 4e 36 f3 c8 76 4a e8 c7 11 57 40 3c 0c 71 ff 9c 45
      12 30 43 68 61 6c 6c 65 6e 67 65 20 33 32 37 36 39 34 33 30
      2e 20 20 45 6e 74 65 72 20 72 65 73 70 6f 6e 73 65 20 61 74
      20 70 72 6f 6d 70 74 2e 18 0a 33 32 37 36 39 34 33 30

      1 Code = Access-Challenge (11)
      1 ID = 2 (same as in Access-Request)
      2 Length = 78
     16 Response Authenticator

   Attributes:
     48  Reply-Message (18)
     10  State (24)

The user enters his response, and the NAS sends a new Access-Request with that response, and includes the State Attribute.
The Request Authenticator is a new 16 octet random number.
The User-Password is 16 octets of the user's response, in this case "99101462", padded at the end with nulls, XORed with MD5(shared secret|Request Authenticator).
The State is the magic cookie from the Access-Challenge packet, unchanged.

      01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07 c4 57 ec f0
      01 07 6d 6f 70 73 79 02 12 69 2c 1f 20 5f c0 81 b9 19 b9 51
      95 f5 61 a5 81 04 06 c0 a8 01 10 05 06 00 00 00 07 18 10 33
      32 37 36 39 34 33 30

      1 Code = Access-Request (1)
      1 ID = 3 (Note that this changes.)
      2 Length = 67
     16 Request Authenticator

   Attributes:
      7  User-Name = "mopsy"
     18  User-Password
      6  NAS-IP-Address (4) = 192.168.1.16
      6  NAS-Port (5) = 7
     10  State (24)

The Response was incorrect (for the sake of example), so the RADIUS server tells the NAS to reject the login attempt.
The Response Authenticator is a 16 octet MD5 checksum of the code (3), id (3), length (20), the Request Authenticator from above, the attributes in this reply (in this case, none), and the shared secret.

      03 03 00 14 a4 2f 4f ca 45 91 6c 4e 09 c8 34 0f 9e 74 6a a0

      1 Code = Access-Reject (3)
      1 ID = 3 (same as in Access-Request)
      2 Length = 20
     16 Response Authenticator

   Attributes:
      (none, although a Reply-Message could be sent)
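The packet flow above, worked in code as an added example that is not part of RFC 2865 or of any RADIUS implementation: it parses the Section 7.1 Access-Request and Access-Accept dumps, applies the Access-Request rules from the Table of Attributes ([Note 1], [Note 2] and the 0-1 columns), unhides the User-Password with the page's secret "xyzzy5461" (the page states it is "arctangent"), and recomputes the Response Authenticator. The hide/unhide routines carry the page's single-block case through to the chained multi-block form of Section 5.2; the constant names, function names and constructed test values are this example's own.

```python
# Added example (not from RFC 2865 or any RADIUS implementation): parse the
# Section 7.1 dumps, apply the Access-Request rules from the Table of
# Attributes, and work the User-Password hiding and Response Authenticator.
import hashlib
import hmac
from collections import Counter

USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
NAS_PORT, STATE, NAS_IDENTIFIER, CHAP_CHALLENGE = 5, 24, 32, 60
SECRET = b"xyzzy5461"  # shared secret stated in the page's Examples section

# Access-Request and Access-Accept for user "nemo", copied from Section 7.1.
NEMO_REQUEST = bytes.fromhex(
    "01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a"
    "01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f"
    "78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03")
NEMO_ACCEPT = bytes.fromhex(
    "02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2"
    "06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03")

def parse_packet(raw):
    """Return (code, identifier, authenticator, [(type, value), ...]) in
    wire order; proxies must keep the order of same-type attributes."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-octet header")
    length = int.from_bytes(raw[2:4], "big")
    if length < 20 or length > len(raw):
        raise ValueError("Length %d inconsistent with datagram" % length)
    attrs, pos = [], 20
    while pos < length:  # octets beyond Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d: bad length %d" % (atype, alen))
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return raw[0], raw[1], raw[4:20], attrs

def check_access_request(attrs):
    """List violations of [Note 1], [Note 2] and the 0-1 columns."""
    counts = Counter(atype for atype, _ in attrs)
    problems = []
    if not (counts[USER_PASSWORD] or counts[CHAP_PASSWORD] or counts[STATE]):
        problems.append("needs User-Password, CHAP-Password or State")
    if counts[USER_PASSWORD] and counts[CHAP_PASSWORD]:
        problems.append("User-Password and CHAP-Password both present")
    if not (counts[NAS_IP_ADDRESS] or counts[NAS_IDENTIFIER]):
        problems.append("needs NAS-IP-Address or NAS-Identifier")
    for atype in (USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS,
                  NAS_PORT, STATE, NAS_IDENTIFIER, CHAP_CHALLENGE):
        if counts[atype] > 1:
            problems.append("attribute %d repeated (0-1 allowed)" % atype)
    return problems

def hide_user_password(password, secret, request_authenticator):
    """Section 5.2 hiding: pad to 16n octets, XOR block i with MD5(secret|prev),
    prev being the Request Authenticator, then the previous hidden block."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password; strips the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code|ID|Length|Request Authenticator|Attributes|Secret)."""
    body = b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)
    header = bytes((code, ident)) + (20 + len(body)).to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + body + secret).digest()

def decode_nemo():
    """Decode the Section 7.1 request and check the reply against it."""
    code, ident, req_auth, attrs = parse_packet(NEMO_REQUEST)
    acode, aident, resp_auth, aattrs = parse_packet(NEMO_ACCEPT)
    fields = dict(attrs)  # safe: check_access_request reports no repeats
    want = response_authenticator(acode, aident, aattrs, req_auth, SECRET)
    return {"code": code, "id": ident, "problems": check_access_request(attrs),
            "user_name": fields[USER_NAME].decode(),
            "password": unhide_user_password(fields[USER_PASSWORD], SECRET, req_auth),
            "nas_ip": ".".join(str(b) for b in fields[NAS_IP_ADDRESS]),
            "nas_port": int.from_bytes(fields[NAS_PORT], "big"),
            "accept_ok": aident == ident and hmac.compare_digest(want, resp_auth)}
```

A server that rejects a reply whose Identifier does not match the outstanding request, as decode_nemo does, also defeats a stale reply being matched to a newer request.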
8. Security Considerations
Security issues are the primary topic of this document.
In practice, within or associated with each RADIUS server, there is a database which associates "user" names with authentication information ("secrets"). It is not anticipated that a particular named user would be authenticated by multiple methods. This would make the user vulnerable to attacks which negotiate the least secure method from among a set. Instead, for each named user there should be an indication of exactly one method used to authenticate that user name. If a user needs to make use of different authentication methods under different circumstances, then distinct user names SHOULD be employed, each of which identifies exactly one authentication method.
Passwords and other secrets should be stored at the respective ends such that access to them is as limited as possible. Ideally, the secrets should only be accessible to the process requiring access in order to perform the authentication.
The secrets should be distributed with a mechanism that limits the number of entities that handle (and thus gain knowledge of) the secret. Ideally, no unauthorized person should ever gain knowledge of the secrets. It is possible to achieve this with SNMP Security Protocols [14], but such a mechanism is outside the scope of this specification.
Other distribution methods are currently undergoing research and experimentation. The SNMP Security document [14] also has an excellent overview of threats to network protocols.
The User-Password hiding mechanism described in Section 5.2 has not been subjected to significant amounts of cryptanalysis in the published literature. Some in the IETF community are concerned that this method might not provide sufficient confidentiality protection [15] to passwords transmitted using RADIUS. Users should evaluate their threat environment and consider whether additional security mechanisms should be employed.
9. Change Log
The following changes have been made from RFC 2138:
Strings should use UTF-8 instead of US-ASCII and should be handled as 8-bit data.
Integers and dates are now defined as 32 bit unsigned values.
Updated list of attributes that can be included in Access-Challenge to be consistent with the table of attributes.
User-Name mentions Network Access Identifiers.
User-Name may now be sent in Access-Accept for use with accounting and Rlogin.
Values added for Service-Type, Login-Service, Framed-Protocol, Framed-Compression, and NAS-Port-Type.
NAS-Port can now use all 32 bits.
Examples now include hexadecimal displays of the packets.
Source UDP port must be used in conjunction with the Request Identifier when identifying duplicates.
Multiple subattributes may be allowed in a Vendor-Specific attribute.
An Access-Request is now required to contain either a NAS-IP-Address or NAS-Identifier (or may contain both).
Added notes under "Operations" with more information on proxy, retransmissions, and keep-alives.
If multiple Attributes with the same Type are present, the order of Attributes with the same Type MUST be preserved by any proxies.
Clarified Proxy-State.
Clarified that Attributes must not depend on position within the packet, as long as Attributes of the same type are kept in order.
Added IANA Considerations section.
Updated section on "Proxy" under "Operations".
Framed-MTU can now be sent in Access-Request as a hint.
Updated Security Considerations.
Text strings identified as a subset of string, to clarify use of UTF-8.
10. References
[1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
[5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
[8] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.
[9] Kaufman, C., Perlman, R. and M. Speciner, "Network Security: Private Communications in a Public World", Prentice Hall, March 1995, ISBN 0-13-061466-1.
[10] Jacobson, V., "Compressing TCP/IP headers for low-speed serial links", RFC 1144, February 1990.
[11] ISO 8859. International Standard -- Information Processing -- 8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.
[12] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990, August 1996.
[13] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[14] Galvin, J., McCloghrie, K. and J. Davin, "SNMP Security Protocols", RFC 1352, July 1992.
[15] Dobbertin, H., "The Status of MD5 After a Recent Attack", CryptoBytes Vol. 2 No. 2, Summer 1996.
11. Acknowledgements
RADIUS was originally developed by Steve Willens of Livingston Enterprises for their PortMaster series of Network Access Servers.
12. Chair's Address
The working group can be contacted via the current chair:

   Carl Rigney
   Livingston Enterprises
   4464 Willow Road
   Pleasanton, California 94588

   Phone: +1 925 737 2100
   EMail: cdr@telemancy.com

13. Authors' Addresses
Questions about this memo can also be directed to:

   Carl Rigney
   Livingston Enterprises
   4464 Willow Road
   Pleasanton, California 94588

   Phone: +1 925 737 2100
   EMail: cdr@telemancy.com

   Allan C. Rubens
   Merit Network, Inc.
   4251 Plymouth Road
   Ann Arbor, Michigan 48105-2785

   EMail: acr@merit.edu

   William Allen Simpson
   Daydreamer
   Computer Systems Consulting Services
   1384 Fontaine
   Madison Heights, Michigan 48071

   EMail: wsimpson@greendragon.com

   Steve Willens
   Livingston Enterprises
   4464 Willow Road
   Pleasanton, California 94588

   EMail: steve@livingston.com
14. Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.