Network Working Group                                          C. Rigney
Request for Comments: 2866                                    Livingston
Category: Informational                                        June 2000
Obsoletes: 2139
RADIUS Accounting
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server.
Implementation Note
This memo documents the RADIUS Accounting protocol. The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is 1813.
Table of Contents
1.  Introduction
   1.1  Specification of Requirements
   1.2  Terminology
2.  Operation
   2.1  Proxy
3.  Packet Format
4.  Packet Types
   4.1  Accounting-Request
   4.2  Accounting-Response
5.  Attributes
   5.1  Acct-Status-Type
   5.2  Acct-Delay-Time
   5.3  Acct-Input-Octets
   5.4  Acct-Output-Octets
   5.5  Acct-Session-Id
   5.6  Acct-Authentic
   5.7  Acct-Session-Time
   5.8  Acct-Input-Packets
   5.9  Acct-Output-Packets
   5.10 Acct-Terminate-Cause
   5.11 Acct-Multi-Session-Id
   5.12 Acct-Link-Count
   5.13 Table of Attributes
6.  IANA Considerations
7.  Security Considerations
8.  Change Log
9.  References
10. Acknowledgements
11. Chair's Address
12. Author's Address
13. Full Copyright Statement
Managing dispersed serial line and modem pools for large numbers of users can create the need for significant administrative support. Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This can be best achieved by managing a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin).
The RADIUS (Remote Authentication Dial In User Service) document [2] specifies the RADIUS protocol used for Authentication and Authorization. This memo extends the use of the RADIUS protocol to cover delivery of accounting information from the Network Access Server (NAS) to a RADIUS accounting server.
This document obsoletes RFC 2139 [1]. A summary of the changes between this document and RFC 2139 is available in the "Change Log" appendix.
Key features of RADIUS Accounting are:
Client/Server Model
A Network Access Server (NAS) operates as a client of the RADIUS accounting server. The client is responsible for passing user accounting information to a designated RADIUS accounting server.
The RADIUS accounting server is responsible for receiving the accounting request and returning a response to the client indicating that it has successfully received the request.
The RADIUS accounting server can act as a proxy client to other kinds of accounting servers.
Network Security
Transactions between the client and RADIUS accounting server are authenticated through the use of a shared secret, which is never sent over the network.
Extensible Protocol
All transactions are comprised of variable length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [3]. These key words mean the same thing whether capitalized or not.
This document uses the following terms:
service
The NAS provides a service to the dial-in user, such as PPP or Telnet.
session
Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that, with each session generating a separate start and stop accounting record with its own Acct-Session-Id.
silently discard
This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter.
When a client is configured to use RADIUS Accounting, at the start of service delivery it will generate an Accounting Start packet describing the type of service being delivered and the user it is being delivered to, and will send that to the RADIUS Accounting server, which will send back an acknowledgement that the packet has been received. At the end of service delivery the client will generate an Accounting Stop packet describing the type of service that was delivered and optionally statistics such as elapsed time, input and output octets, or input and output packets. It will send that to the RADIUS Accounting server, which will send back an acknowledgement that the packet has been received.
The Accounting-Request (whether for Start or Stop) is submitted to the RADIUS accounting server via the network. It is recommended that the client continue attempting to send the Accounting-Request packet until it receives an acknowledgement, using some form of backoff. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. Retry and fallback algorithms are the topic of current research and are not specified in detail in this document.
The RADIUS accounting server MAY make requests of other servers in order to satisfy the request, in which case it acts as a client.
If the RADIUS accounting server is unable to successfully record the accounting packet it MUST NOT send an Accounting-Response acknowledgment to the client.
See the "RADIUS" RFC [2] for information on Proxy RADIUS. Proxy Accounting RADIUS works the same way, as illustrated by the following example.
1. The NAS sends an accounting-request to the forwarding server.
2. The forwarding server logs the accounting-request (if desired), adds its Proxy-State (if desired) after any other Proxy-State attributes, updates the Request Authenticator, and forwards the request to the remote server.
3. The remote server logs the accounting-request (if desired), copies all Proxy-State attributes in order and unmodified from the request to the response packet, and sends the accounting-response to the forwarding server.
4. The forwarding server strips the last Proxy-State (if it added one in step 2), updates the Response Authenticator and sends the accounting-response to the NAS.
A forwarding server MUST not modify existing Proxy-State or Class attributes present in the packet.
A forwarding server may either perform its forwarding function in a pass through manner, where it sends retransmissions on as soon as it gets them, or it may take responsibility for retransmissions, for example in cases where the network link between forwarding and remote server has very different characteristics than the link between NAS and forwarding server.
Extreme care should be used when implementing a proxy server that takes responsibility for retransmissions so that its retransmission policy is robust and scalable.
Exactly one RADIUS Accounting packet is encapsulated in the UDP Data field [4], where the UDP Destination Port field indicates 1813 (decimal).
When a reply is generated, the source and destination ports are reversed.
This memo documents the RADIUS Accounting protocol. The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is 1813.
A summary of the RADIUS data format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
The Code field is one octet, and identifies the type of RADIUS packet. When a packet is received with an invalid Code field, it is silently discarded.
RADIUS Accounting Codes (decimal) are assigned as follows:
   4       Accounting-Request
   5       Accounting-Response
Identifier
The Identifier field is one octet, and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
Length
The Length field is two octets. It indicates the length of the packet including the Code, Identifier, Length, Authenticator and Attribute fields. Octets outside the range of the Length field MUST be treated as padding and ignored on reception. If the packet is shorter than the Length field indicates, it MUST be silently discarded. The minimum length is 20 and maximum length is 4095.
Authenticator
The Authenticator field is sixteen (16) octets. The most significant octet is transmitted first. This value is used to authenticate the messages between the client and RADIUS accounting server.
Request Authenticator
In Accounting-Request Packets, the Authenticator value is a 16 octet MD5 [5] checksum, called the Request Authenticator.
The NAS and RADIUS accounting server share a secret. The Request Authenticator field in Accounting-Request packets contains a one-way MD5 hash calculated over a stream of octets consisting of the Code + Identifier + Length + 16 zero octets + request attributes + shared secret (where + indicates concatenation). The 16 octet MD5 hash value is stored in the Authenticator field of the Accounting-Request packet.
Note that the Request Authenticator of an Accounting-Request can not be done the same way as the Request Authenticator of a RADIUS Access-Request, because there is no User-Password attribute in an Accounting-Request.
Response Authenticator
The Authenticator field in an Accounting-Response packet is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of the Accounting-Response Code, Identifier, Length, the Request Authenticator field from the Accounting-Request packet being replied to, and the response attributes if any, followed by the shared secret. The resulting 16 octet MD5 hash value is stored in the Authenticator field of the Accounting-Response packet.
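The two authenticator calculations described above, as an added example that is not part of the RFC text: Python code that builds an Accounting-Request, verifies it on the server side, and builds and verifies the matching Accounting-Response. The shared secret, sample attribute values and all function names are constructed for illustration; NAS-Identifier is attribute type 32 as assigned in the RADIUS document [2].

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
HEADER_LEN, MAX_LEN = 20, 4095


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute; its Length covers Type, Length and Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def split_packet(packet: bytes, code: int):
    """Return (header, authenticator, attributes), or None to discard."""
    if len(packet) < HEADER_LEN or packet[0] != code:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if not HEADER_LEN <= length <= MAX_LEN or len(packet) < length:
        return None
    # Octets beyond Length are padding and take no part in the hash.
    return packet[:4], packet[4:20], packet[20:length]


def build_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code + Identifier + Length
    + 16 zero octets + request attributes + shared secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         HEADER_LEN + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the hash with the Authenticator field zeroed."""
    parts = split_packet(packet, ACCOUNTING_REQUEST)
    if parts is None:
        return False
    header, auth, attributes = parts
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(expected, auth)  # constant-time comparison


def build_response(request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + Identifier + Length
    + Request Authenticator + response attributes + shared secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1],
                         HEADER_LEN + len(attributes))
    auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + auth + attributes


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the reply must match the pending request's Identifier
    and be bound to that request's Request Authenticator."""
    parts = split_packet(response, ACCOUNTING_RESPONSE)
    if parts is None or response[1] != request[1]:
        return False
    header, auth, attributes = parts
    expected = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return hmac.compare_digest(expected, auth)


# Constructed sample data (not taken from the RFC).
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = (encode_attr(40, struct.pack("!I", 1))    # Acct-Status-Type = Start
                + encode_attr(44, b"0A000001")           # Acct-Session-Id
                + encode_attr(32, b"nas.example"))       # NAS-Identifier
OTHER_ATTRS = (encode_attr(40, struct.pack("!I", 2))     # Acct-Status-Type = Stop
               + encode_attr(44, b"0A000001")
               + encode_attr(32, b"nas.example"))

if __name__ == "__main__":
    req = build_request(7, SAMPLE_ATTRS, SECRET)
    resp = build_response(req, SECRET)
    print("request accepted:", verify_request(req, SECRET))
    print("response accepted:", verify_response(resp, req, SECRET))
    print("wrong secret accepted:", verify_request(req, b"other-secret"))
```

Because the secret is only ever an input to the hash, it never appears on the wire; a receiver that holds a different secret, or a packet altered in transit, produces a mismatching digest and the packet is discarded.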
Attributes
Attributes may have multiple instances, in such a case the order of attributes of the same type SHOULD be preserved. The order of attributes of different types is not required to be preserved.
The RADIUS packet type is determined by the Code field in the first octet of the packet.
Description
Accounting-Request packets are sent from a client (typically a Network Access Server or its proxy) to a RADIUS accounting server, and convey information used to provide accounting for a service provided to a user. The client transmits a RADIUS packet with the Code field set to 4 (Accounting-Request).
Upon receipt of an Accounting-Request, the server MUST transmit an Accounting-Response reply if it successfully records the accounting packet, and MUST NOT transmit any reply if it fails to record the accounting packet.
Any attribute valid in a RADIUS Access-Request or Access-Accept packet is valid in a RADIUS Accounting-Request packet, except that the following attributes MUST NOT be present in an Accounting-Request: User-Password, CHAP-Password, Reply-Message, State. Either NAS-IP-Address or NAS-Identifier MUST be present in a RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS-Port-Type attribute or both unless the service does not involve a port or the NAS does not distinguish among its ports.
If the Accounting-Request packet includes a Framed-IP-Address, that attribute MUST contain the IP address of the user. If the Access-Accept used the special values for Framed-IP-Address telling the NAS to assign or negotiate an IP address for the user, the Framed-IP-Address (if any) in the Accounting-Request MUST contain the actual IP address assigned or negotiated.
A summary of the Accounting-Request packet format is shown below.
The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Request Authenticator                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
4 for Accounting-Request.
Identifier
The Identifier field MUST be changed whenever the content of the Attributes field changes, and whenever a valid reply has been received for a previous request. For retransmissions where the contents are identical, the Identifier MUST remain unchanged.
Note that if Acct-Delay-Time is included in the attributes of an Accounting-Request then the Acct-Delay-Time value will be updated when the packet is retransmitted, changing the content of the Attributes field and requiring a new Identifier and Request Authenticator.
Request Authenticator
The Request Authenticator of an Accounting-Request contains a 16-octet MD5 hash value calculated according to the method described in "Request Authenticator" above.
Attributes
The Attributes field is variable in length, and contains a list of Attributes.
Description
Accounting-Response packets are sent by the RADIUS accounting server to the client to acknowledge that the Accounting-Request has been received and recorded successfully. If the Accounting-Request was recorded successfully then the RADIUS accounting server MUST transmit a packet with the Code field set to 5 (Accounting-Response). On reception of an Accounting-Response by the client, the Identifier field is matched with a pending Accounting-Request. The Response Authenticator field MUST contain the correct response for the pending Accounting-Request. Invalid packets are silently discarded.
A RADIUS Accounting-Response is not required to have any attributes in it.
A summary of the Accounting-Response packet format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Response Authenticator                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
Code
5 for Accounting-Response.
Identifier
The Identifier field is a copy of the Identifier field of the Accounting-Request which caused this Accounting-Response.
Response Authenticator
The Response Authenticator of an Accounting-Response contains a 16-octet MD5 hash value calculated according to the method described in "Response Authenticator" above.
Attributes
The Attributes field is variable in length, and contains a list of zero or more Attributes.
RADIUS Attributes carry the specific authentication, authorization and accounting details for the request and response.
Some attributes MAY be included more than once. The effect of this is attribute specific, and is specified in each attribute description.
The end of the list of attributes is indicated by the Length of the RADIUS packet.
A summary of the attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
The Type field is one octet. Up-to-date values of the RADIUS Type field are specified in the most recent "Assigned Numbers" RFC [6]. Values 192-223 are reserved for experimental use, values 224-240 are reserved for implementation-specific use, and values 241-255 are reserved and should not be used. This specification concerns the following values:
   1-39    (refer to RADIUS document [2])
   40      Acct-Status-Type
   41      Acct-Delay-Time
   42      Acct-Input-Octets
   43      Acct-Output-Octets
   44      Acct-Session-Id
   45      Acct-Authentic
   46      Acct-Session-Time
   47      Acct-Input-Packets
   48      Acct-Output-Packets
   49      Acct-Terminate-Cause
   50      Acct-Multi-Session-Id
   51      Acct-Link-Count
   60+     (refer to RADIUS document [2])
Length
The Length field is one octet, and indicates the length of this attribute including the Type, Length and Value fields. If an attribute is received in an Accounting-Request with an invalid Length, the entire request MUST be silently discarded.
Value
The Value field is zero or more octets and contains information specific to the attribute. The format and length of the Value field is determined by the Type and Length fields.
Note that none of the types in RADIUS terminate with a NUL (hex 00). In particular, types "text" and "string" in RADIUS do not terminate with a NUL (hex 00). The Attribute has a length field and does not use a terminator. Text contains UTF-8 encoded 10646 [7] characters and String contains 8-bit binary data. Servers and clients MUST be able to deal with embedded nulls. RADIUS implementers using C are cautioned not to use strcpy() when handling strings.
The format of the value field is one of five data types. Note that type "text" is a subset of type "string."
text
1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead.
string
1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.
address
32 bit value, most significant octet first.
integer
32 bit unsigned value, most significant octet first.
time
32 bit unsigned value, most significant octet first -- seconds since 00:00:00 UTC, January 1, 1970. The standard Attributes do not use this data type but it is presented here for possible use in future attributes.
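The reception rules for the packet Length field, the attribute Length field and embedded NULs, as an added example that is not part of the RFC text: a Python parser that returns None wherever the memo calls for a silent discard and counts each discard by reason. Function names, the discard-reason labels and the sample datagrams are constructed; the authenticator is not checked here, and reporting a missing Acct-Session-Id in a "violations" list is an assumption, since the memo does not say how a receiver handles that case.

```python
import struct
from collections import Counter

CODES = {4: "Accounting-Request", 5: "Accounting-Response"}
INTEGER_ATTRS = {40: "Acct-Status-Type", 41: "Acct-Delay-Time",
                 42: "Acct-Input-Octets", 43: "Acct-Output-Octets"}
ACCT_SESSION_ID = 44
discards = Counter()  # statistics counter for silently discarded packets


def _discard(reason):
    """Record the discard (a real server would also log the packet)."""
    discards[reason] += 1
    return None


def parse_attributes(data):
    """Walk Type/Length/Value triples; None means an invalid Length."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            return None                      # no room for Type + Length
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            return None                      # too small, or overruns packet
        value = data[offset + 2:offset + attr_len]
        if attr_type in INTEGER_ATTRS:
            if attr_len != 6:
                return None                  # integer attributes are 6 octets
            value = struct.unpack("!I", value)[0]
        # Other values stay as length-delimited bytes: nothing is cut at
        # an embedded NUL, unlike a strcpy()-style copy.
        attrs.append((attr_type, value))
        offset += attr_len
    return attrs


def parse_packet(datagram):
    """Return a dict describing the packet, or None if it is discarded."""
    if len(datagram) < 20:
        return _discard("short-header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if code not in CODES:
        return _discard("invalid-code")
    if not 20 <= length <= 4095:
        return _discard("length-out-of-range")
    if len(datagram) < length:
        return _discard("truncated")
    # Octets past Length are padding and are ignored.
    attrs = parse_attributes(datagram[20:length])
    if attrs is None:
        return _discard("invalid-attribute-length")
    violations = []
    if code == 4 and not any(t == ACCT_SESSION_ID for t, _ in attrs):
        violations.append("missing Acct-Session-Id")
    return {"code": CODES[code], "identifier": identifier,
            "authenticator": datagram[4:20], "attributes": attrs,
            "violations": violations}


def sample_request(attrs, pad=b"", code=4):
    """Constructed datagram with an all-zero (unverified) authenticator."""
    return struct.pack("!BBH", code, 7, 20 + len(attrs)) + bytes(16) + attrs + pad


# Constructed sample attributes.
START = bytes([40, 6, 0, 0, 0, 1])          # Acct-Status-Type = 1 (Start)
SESSION = bytes([44, 7]) + b"AB\x00CD"      # Acct-Session-Id with embedded NUL

if __name__ == "__main__":
    print(parse_packet(sample_request(START + SESSION, pad=b"\xff\xff")))
    print(parse_packet(sample_request(START + SESSION)[:-3]))    # truncated
    print(parse_packet(sample_request(START + bytes([44, 1]))))  # bad Length
    print(dict(discards))
```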
Description
This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop).
It MAY be used by the client to mark the start of accounting (for example, upon booting) by specifying Accounting-On and to mark the end of accounting (for example, just before a scheduled reboot) by specifying Accounting-Off.
A summary of the Acct-Status-Type attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
40 for Acct-Status-Type.
Length
6
Value
The Value field is four octets.
   1       Start
   2       Stop
   3       Interim-Update
   7       Accounting-On
   8       Accounting-Off
   9-14    Reserved for Tunnel Accounting
   15      Reserved for Failed
Description
This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)
Note that changing the Acct-Delay-Time causes the Identifier to change; see the discussion under Identifier above.
A summary of the Acct-Delay-Time attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
41 for Acct-Delay-Time.
Length
6
Value
The Value field is four octets.
Description
This attribute indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
A summary of the Acct-Input-Octets attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
42 for Acct-Input-Octets.
Length
6
Value
The Value field is four octets.
Description
This attribute indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
A summary of the Acct-Output-Octets attribute format is shown below. The fields are transmitted from left to right.
Acct输出八位字节属性格式的摘要如下所示。字段从左向右传输。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
43 for Acct-Output-Octets.
43用于Acct输出八位字节。
Length
长
6
6.
Value
价值
The Value field is four octets.
值字段是四个八位字节。
Description
描述
This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session.
The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters.
For example, one implementation uses a string with an 8-digit upper case hexadecimal number, the first two digits increment on each reboot (wrapping every 256 reboots) and the next 6 digits counting from 0 for the first person logging in after a reboot up to 2^24-1, about 16 million. Other encodings are possible.
A summary of the Acct-Session-Id attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
44 for Acct-Session-Id.
Length
>= 3
String
The String field SHOULD be a string of UTF-8 encoded 10646 [7] characters.
Description
This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.
A summary of the Acct-Authentic attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
45 for Acct-Authentic.
Length
6
Value
The Value field is four octets.
1       RADIUS
2       Local
3       Remote
Description
This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
A summary of the Acct-Session-Time attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
46 for Acct-Session-Time.
Length
6
Value
The Value field is four octets.
Description
This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
A summary of the Acct-Input-Packets attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
47 for Acct-Input-Packets.
Length
6
Value
The Value field is four octets.
Description
This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
A summary of the Acct-Output-Packets attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
48 for Acct-Output-Packets.
Length
6
Value
The Value field is four octets.
Description
This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.
A summary of the Acct-Terminate-Cause attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
49 for Acct-Terminate-Cause
Length
6
Value
The Value field is four octets, containing an integer specifying the cause of session termination, as follows:
1       User Request
2       Lost Carrier
3       Lost Service
4       Idle Timeout
5       Session Timeout
6       Admin Reset
7       Admin Reboot
8       Port Error
9       NAS Error
10      NAS Request
11      NAS Reboot
12      Port Unneeded
13      Port Preempted
14      Port Suspended
15      Service Unavailable
16      Callback
17      User Error
18      Host Request
The termination causes are as follows:
User Request         User requested termination of service, for example with LCP Terminate or by logging out.
Lost Carrier         DCD was dropped on the port.
Lost Service         Service can no longer be provided; for example, user's connection to a host was interrupted.
Idle Timeout         Idle timer expired.
Session Timeout      Maximum session length timer expired.
Admin Reset          Administrator reset the port or session.
Admin Reboot         Administrator is ending service on the NAS, for example prior to rebooting the NAS.
Port Error           NAS detected an error on the port which required ending the session.
NAS Error            NAS detected some error (other than on the port) which required ending the session.
NAS Request          NAS ended session for a non-error reason not otherwise listed here.
NAS Reboot           The NAS ended the session in order to reboot non-administratively ("crash").
Port Unneeded        NAS ended session because resource usage fell below low-water mark (for example, if a bandwidth-on-demand algorithm decided that the port was no longer needed).
Port Preempted       NAS ended session in order to allocate the port to a higher priority use.
Port Suspended       NAS ended session to suspend a virtual session.
Service Unavailable  NAS was unable to provide requested service.
Callback             NAS is terminating current session in order to perform callback for a new session.
User Error           Input from user is in error, causing termination of session.
Host Request         Login Host terminated session normally.
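The Type/Length/Value layouts above translate directly into a strict parser. The following is an added example, not code from the RFC or from any RADIUS implementation: it walks the attribute octets of an Accounting-Request, enforces the Length rules stated in the summaries, names the Acct-Terminate-Cause, and flags attributes that the memo allows only in Stop records. The function names and sample records are hypothetical and constructed; the Acct-Status-Type numbers (Type 40, Stop = 2) are taken from section 5.1 of the memo.

```python
import struct

# Type numbers and lengths as given in the attribute summaries of this memo;
# Acct-Status-Type (Type 40, Length 6, Stop = 2) is from its section 5.1.
INTEGER_ATTRS = {
    40: "Acct-Status-Type", 41: "Acct-Delay-Time", 42: "Acct-Input-Octets",
    43: "Acct-Output-Octets", 45: "Acct-Authentic", 46: "Acct-Session-Time",
    47: "Acct-Input-Packets", 48: "Acct-Output-Packets",
    49: "Acct-Terminate-Cause", 51: "Acct-Link-Count",
}
STRING_ATTRS = {44: "Acct-Session-Id", 50: "Acct-Multi-Session-Id"}
STOP_ONLY = {42, 43, 46, 47, 48, 49}   # "only ... where Acct-Status-Type is Stop"
TERMINATE_CAUSE = dict(enumerate([
    "User Request", "Lost Carrier", "Lost Service", "Idle Timeout",
    "Session Timeout", "Admin Reset", "Admin Reboot", "Port Error",
    "NAS Error", "NAS Request", "NAS Reboot", "Port Unneeded",
    "Port Preempted", "Port Suspended", "Service Unavailable", "Callback",
    "User Error", "Host Request"], start=1))

def parse_attributes(buf):
    """Split the attribute octets of a packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        a_type, a_len = buf[pos], buf[pos + 1]
        # Length counts the Type and Length octets themselves, so it is never
        # below 2, and it must not run past the end of the buffer.
        if a_len < 2 or pos + a_len > len(buf):
            raise ValueError("bad Length %d for type %d" % (a_len, a_type))
        if a_type in INTEGER_ATTRS and a_len != 6:
            raise ValueError("%s must have Length 6" % INTEGER_ATTRS[a_type])
        if a_type in STRING_ATTRS and a_len < 3:
            raise ValueError("%s must have Length >= 3" % STRING_ATTRS[a_type])
        attrs.append((a_type, bytes(buf[pos + 2:pos + a_len])))
        pos += a_len
    return attrs

def decode(attrs):
    """Map the accounting attributes to names and decoded values."""
    out = {}
    for a_type, value in attrs:
        if a_type in INTEGER_ATTRS:
            number = struct.unpack("!I", value)[0]   # four octets, big-endian
            if a_type == 49:
                number = TERMINATE_CAUSE.get(number, "Unknown (%d)" % number)
            out[INTEGER_ATTRS[a_type]] = number
        elif a_type in STRING_ATTRS:
            out[STRING_ATTRS[a_type]] = value.decode("utf-8", errors="replace")
    return out

def stop_only_violations(attrs):
    """Names of Stop-only attributes present in a record that is not a Stop."""
    status = [struct.unpack("!I", v)[0] for t, v in attrs if t == 40]
    if status == [2]:
        return []
    return sorted(INTEGER_ATTRS[t] for t, _ in attrs if t in STOP_ONLY)

def tlv(a_type, value):
    """Build one attribute; used only for the constructed samples below."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample records, not captured traffic.
STOP_RECORD = (tlv(40, struct.pack("!I", 2)) + tlv(44, b"35000004")
               + tlv(46, struct.pack("!I", 300)) + tlv(49, struct.pack("!I", 4)))
START_WITH_COUNTER = tlv(40, struct.pack("!I", 1)) + tlv(42, struct.pack("!I", 9))
```

The parser checks attribute structure only; it does not verify the packet's authenticator.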
Description
This attribute is a unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id. It is strongly recommended that the Acct-Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.
A summary of the Acct-Session-Id attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
50 for Acct-Multi-Session-Id.
Length
>= 3
String
The String field SHOULD contain UTF-8 encoded 10646 [7] characters.
Description
This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The NAS MAY include the Acct-Link-Count attribute in any Accounting-Request which might have multiple links.
A summary of the Acct-Link-Count attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
51 for Acct-Link-Count.
Length
6
Value
The Value field is four octets, and contains the number of links seen so far in this Multilink Session.
It may be used to make it easier for an accounting server to know when it has all the records for a given Multilink session. When the number of Accounting-Requests received with Acct-Status-Type = Stop and the same Acct-Multi-Session-Id and unique Acct-Session-Id's equals the largest value of Acct-Link-Count seen in those Accounting-Requests, all Stop Accounting-Requests for that Multilink Session have been received.
An example showing 8 Accounting-Requests should make things clearer. For clarity only the relevant attributes are shown, but additional attributes containing accounting information will also be present in the Accounting-Request.
Multi-Session-Id   Session-Id   Status-Type   Link-Count
"10"               "10"         Start         1
"10"               "11"         Start         2
"10"               "11"         Stop          2
"10"               "12"         Start         3
"10"               "13"         Start         4
"10"               "12"         Stop          4
"10"               "13"         Stop          4
"10"               "10"         Stop          4
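The completion rule for Acct-Link-Count can be run over the eight requests of the example. This is an added example, not code from the RFC: the class and function names are hypothetical, and the records are the table rows above. It counts Stop records by unique Acct-Session-Id, so a retransmitted Stop is not counted twice, and compares that count with the largest Acct-Link-Count seen in those Stops.

```python
from collections import defaultdict

# The eight Accounting-Requests of the example table, in arrival order:
# (Acct-Multi-Session-Id, Acct-Session-Id, Acct-Status-Type, Acct-Link-Count)
EXAMPLE_REQUESTS = [
    ("10", "10", "Start", 1),
    ("10", "11", "Start", 2),
    ("10", "11", "Stop", 2),
    ("10", "12", "Start", 3),
    ("10", "13", "Start", 4),
    ("10", "12", "Stop", 4),
    ("10", "13", "Stop", 4),
    ("10", "10", "Stop", 4),
]


class MultilinkTracker:
    """Tracks Stop records per Acct-Multi-Session-Id (hypothetical name)."""

    def __init__(self):
        self.stopped = defaultdict(set)    # multi id -> Session-Ids seen in a Stop
        self.max_links = defaultdict(int)  # multi id -> largest Link-Count in a Stop

    def record(self, multi_id, session_id, status, link_count):
        """Feed one request; return True once every Stop has been received."""
        if status == "Stop":
            # A set keeps a retransmitted Stop from being counted twice.
            self.stopped[multi_id].add(session_id)
            self.max_links[multi_id] = max(self.max_links[multi_id], link_count)
        return self.is_complete(multi_id)

    def is_complete(self, multi_id):
        """Number of unique Stops equals the largest Link-Count seen in them."""
        stops = len(self.stopped[multi_id])
        return stops > 0 and stops == self.max_links[multi_id]

    def outstanding(self, multi_id):
        """How many Stop records are still expected for this Multilink Session."""
        return max(self.max_links[multi_id] - len(self.stopped[multi_id]), 0)


def completion_after_each(requests):
    """Return the completion state after each request, in order."""
    tracker = MultilinkTracker()
    return [tracker.record(*request) for request in requests]


if __name__ == "__main__":
    print(completion_after_each(EXAMPLE_REQUESTS))
```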
The following table provides a guide to which attributes may be found in Accounting-Request packets. No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific.
#     Attribute
0-1   User-Name
0     User-Password
0     CHAP-Password
0-1   NAS-IP-Address [Note 1]
0-1   NAS-Port
0-1   Service-Type
0-1   Framed-Protocol
0-1   Framed-IP-Address
0-1   Framed-IP-Netmask
0-1   Framed-Routing
0+    Filter-Id
0-1   Framed-MTU
0+    Framed-Compression
0+    Login-IP-Host
0-1   Login-Service
0-1   Login-TCP-Port
0     Reply-Message
0-1   Callback-Number
0-1   Callback-Id
0+    Framed-Route
0-1   Framed-IPX-Network
0     State
0+    Class
0+    Vendor-Specific
0-1   Session-Timeout
0-1   Idle-Timeout
0-1   Termination-Action
0-1   Called-Station-Id
0-1   Calling-Station-Id
0-1   NAS-Identifier [Note 1]
0+    Proxy-State
0-1   Login-LAT-Service
0-1   Login-LAT-Node
0-1   Login-LAT-Group
0-1   Framed-AppleTalk-Link
0-1   Framed-AppleTalk-Network
0-1   Framed-AppleTalk-Zone
1     Acct-Status-Type
0-1   Acct-Delay-Time
0-1   Acct-Input-Octets
0-1   Acct-Output-Octets
1     Acct-Session-Id
0-1   Acct-Authentic
0-1   Acct-Session-Time
0-1   Acct-Input-Packets
0-1   Acct-Output-Packets
0-1   Acct-Terminate-Cause
0+    Acct-Multi-Session-Id
0+    Acct-Link-Count
0     CHAP-Challenge
0-1   NAS-Port-Type
0-1   Port-Limit
0-1   Login-LAT-Port
[Note 1] An Accounting-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both).
The following table defines the above table entries.
0     This attribute MUST NOT be present
0+    Zero or more instances of this attribute MAY be present.
0-1   Zero or one instance of this attribute MAY be present.
1     Exactly one instance of this attribute MUST be present.
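The occurrence table can be applied as a receive-side check, for instance to catch a NAS that places User-Password in its accounting stream. This is an added example, not code from the RFC: the function names and sample attribute lists are hypothetical and constructed, and it works on attribute names that have already been parsed. Attribute names that are not in the table are left unchecked.

```python
from collections import Counter

# Occurrence rules transcribed from the Accounting-Request attribute table.
FORBIDDEN = set("User-Password CHAP-Password Reply-Message State "
                "CHAP-Challenge".split())                      # marked "0"
EXACTLY_ONCE = {"Acct-Status-Type", "Acct-Session-Id"}         # marked "1"
AT_MOST_ONCE = set("""
    User-Name NAS-IP-Address NAS-Port Service-Type Framed-Protocol
    Framed-IP-Address Framed-IP-Netmask Framed-Routing Framed-MTU
    Login-Service Login-TCP-Port Callback-Number Callback-Id
    Framed-IPX-Network Session-Timeout Idle-Timeout Termination-Action
    Called-Station-Id Calling-Station-Id NAS-Identifier Login-LAT-Service
    Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link
    Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Delay-Time
    Acct-Input-Octets Acct-Output-Octets Acct-Authentic Acct-Session-Time
    Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause
    NAS-Port-Type Port-Limit Login-LAT-Port
""".split())                                                   # marked "0-1"
# Attributes marked "0+" may repeat freely, so they need no rule here.
RESPONSE_ALLOWED = {"Proxy-State", "Vendor-Specific"}


def check_request(names):
    """Return the table violations for one Accounting-Request."""
    counts = Counter(names)
    problems = ["%s MUST NOT be present" % n
                for n in sorted(FORBIDDEN) if counts[n]]
    problems += ["%s MUST be present exactly once (found %d)" % (n, counts[n])
                 for n in sorted(EXACTLY_ONCE) if counts[n] != 1]
    problems += ["%s MAY be present at most once (found %d)" % (n, counts[n])
                 for n in sorted(AT_MOST_ONCE) if counts[n] > 1]
    # [Note 1]: NAS-IP-Address or NAS-Identifier (or both) is required.
    if not (counts["NAS-IP-Address"] or counts["NAS-Identifier"]):
        problems.append("NAS-IP-Address or NAS-Identifier MUST be present")
    return problems


def check_response(names):
    """Attributes that should not be found in an Accounting-Response."""
    return sorted(set(names) - RESPONSE_ALLOWED)


# Constructed attribute lists, not captured traffic.
GOOD_REQUEST = ["User-Name", "NAS-IP-Address", "NAS-Port", "Acct-Status-Type",
                "Acct-Session-Id", "Acct-Session-Time", "Class", "Class"]
BAD_REQUEST = ["User-Name", "User-Password", "Acct-Status-Type",
               "Acct-Session-Id", "Acct-Session-Id", "Framed-MTU", "Framed-MTU"]

if __name__ == "__main__":
    for problem in check_request(BAD_REQUEST):
        print(problem)
```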
The Packet Type Codes, Attribute Types, and Attribute Values defined in this document are registered by the Internet Assigned Numbers Authority (IANA) from the RADIUS name spaces as described in the "IANA Considerations" section of RFC 2865 [2], in accordance with BCP 26 [8].
Security issues are discussed in sections concerning the authenticator included in accounting requests and responses, using a shared secret which is never sent over the network.
US-ASCII replaced by UTF-8.
Added notes on Proxy.
Framed-IP-Address should contain the actual IP address of the user.
If Acct-Session-ID was sent in an access-request, it must be used in the accounting-request for that session.
New values added to Acct-Status-Type.
Added an IANA Considerations section.
Updated references.
Text strings identified as a subset of string, to clarify use of UTF-8.
[1] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
[2] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
[5] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
[8] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
RADIUS and RADIUS Accounting were originally developed by Steve Willens of Livingston Enterprises for their PortMaster series of Network Access Servers.
The RADIUS working group can be contacted via the current chair:
Carl Rigney
Livingston Enterprises
4464 Willow Road
Pleasanton, California 94588
Phone: +1 925 737 2100
EMail: cdr@telemancy.com
Questions about this memo can also be directed to:
Carl Rigney
Livingston Enterprises
4464 Willow Road
Pleasanton, California 94588
EMail: cdr@telemancy.com
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.