A NAS sends authentication requests (packets with code Access-Request) to a RADIUS server when a user is trying to connect to that NAS. Such requests convey information used to determine whether a user is allowed access to the NAS, and any special services requested for that user.
An Access-Request must contain a User-Name attribute (see section User-Name). It should contain either a NAS-IP-Address attribute or a NAS-Identifier attribute, or both of them.

It also must contain either a Password attribute or a CHAP-Password attribute. Neither carries the password in clear. The Password attribute is hidden by XORing it, in 16-byte blocks, with a keystream derived from the MD5 digest of the shared secret and the Request Authenticator (the first block uses the Request Authenticator, each following block the previous ciphertext block). The CHAP-Password attribute carries the CHAP response, which is itself an MD5 digest over the CHAP identifier, the user's password and the CHAP challenge. Note that this hides the password from a passive observer but does not authenticate the request: anyone who knows the shared secret, or who recovers it offline from a captured request and its reply, can read the password. A strong, per-NAS shared secret is therefore essential.

The Access-Request should contain a NAS-Port or NAS-Port-Type attribute, or both, unless the type of access being requested does not involve a port or the NAS does not distinguish among its ports.
Upon receiving an Access-Request packet for a particular user and attempting to authenticate that user, the RADIUS server replies to the NAS that sent the packet with one of the following packets:

Radius replies with an Access-Accept packet when it has successfully authenticated the user. Such a reply packet provides the specific configuration information necessary to begin delivery of service to the user.

Radius replies with an Access-Reject packet when it was unable to authenticate the user. Such a packet may contain descriptive text encapsulated in one or more Reply-Message attributes. The NAS may display this text along with its response to the user.

Radius replies with an Access-Challenge packet when it needs to obtain more information from the user, either to determine the user's authenticity or to determine the kind of service to be provided to the user. An Access-Challenge packet may include one or more Reply-Message attributes, and may also include a single State attribute, or none. No other attributes are permitted in an Access-Challenge.
On receipt of an Access-Challenge, the NAS matches the Identifier field against a pending Access-Request. Additionally, the Response Authenticator field must contain the correct response for that pending Access-Request: the MD5 digest over the reply's Code, Identifier, Length, the Request Authenticator of the pending request, the reply's attributes and the shared secret. Packets that fail either check are invalid; the NAS discards them and issues an appropriate log message.

If the NAS does not support challenge/response, it treats an Access-Challenge as though it had received an Access-Reject instead. Otherwise, upon receipt of a valid Access-Challenge the NAS prompts the user for a response, possibly displaying the text message provided in the Reply-Message attributes of the challenge. It then sends its original Access-Request with a new request Identifier and a new Request Authenticator, with the Password attribute replaced by the user's response, hidden in the same way as a password, and including the State attribute from the Access-Challenge, if any. The State is opaque to the NAS; it exists so the server can tie the second request to the challenge it issued.
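The following is an added example that is not part of this manual or of any RADIUS implementation. It models both ends of the exchange described above (the Access-Request with its required attributes and hidden Password, the server's Access-Challenge carrying Reply-Message and State, the NAS's Identifier and Response Authenticator checks, and the second Access-Request with a new Identifier, new Request Authenticator and the copied State) using only the standard library. The shared secret, the user database, the `otp_for` challenge-response function and all packet contents are constructed for the example; a real server would delegate the challenge to whatever token or OTP scheme it uses.

```python
"""Constructed RADIUS challenge/response exchange (example code, not GNU Radius).
Packet layout per RFC 2865: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, STATE = 1, 2, 4, 5, 18, 24

def encode_attrs(attrs):                      # [(type, value)] -> type(1) length(1) value ...
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):                       # TLV bytes -> [(type, value)], rejecting bad lengths
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad length")
    return code, ident, raw[4:20], decode_attrs(raw[20:])

def hide_password(password, secret, req_auth):
    """Pad to a 16-byte multiple; XOR block i with MD5(secret + previous ciphertext block),
    the first block using the Request Authenticator. Obfuscation, not authenticated encryption."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def nas_access_request(ident, secret, user, password, nas_ip, nas_port, state=None):
    """Access-Request with User-Name, Password, NAS-IP-Address and NAS-Port, plus the State
    copied from an Access-Challenge on the second round. Fresh Request Authenticator every time."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))), (NAS_PORT, struct.pack("!I", nas_port))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_reply(request_raw, secret, code, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request_raw)
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def otp_for(state, user):                     # constructed challenge-response function known to both sides
    return hashlib.sha256(state + user).hexdigest()[:8].encode()

def server_handle(request_raw, secret, users, sessions):
    code, ident, req_auth, attrs = parse_packet(request_raw)
    a = dict(attrs)
    user, pw, state = a.get(USER_NAME), unhide_password(a[USER_PASSWORD], secret, req_auth), a.get(STATE)
    if state is None:                         # first round: check static password, then challenge
        if user not in users or not hmac.compare_digest(users[user], pw):
            return server_reply(request_raw, secret, ACCESS_REJECT, [(REPLY_MESSAGE, b"Login incorrect")])
        state = os.urandom(8); sessions[state] = user
        return server_reply(request_raw, secret, ACCESS_CHALLENGE,
                            [(REPLY_MESSAGE, b"Challenge " + state.hex().encode()), (STATE, state)])
    if sessions.pop(state, None) != user or not hmac.compare_digest(otp_for(state, user), pw):
        return server_reply(request_raw, secret, ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad response")])
    return server_reply(request_raw, secret, ACCESS_ACCEPT, [])

def nas_check_reply(reply_raw, pending_raw, secret):
    """Identifier must match the pending Access-Request and the Response Authenticator must
    verify against that request's Request Authenticator; anything else is discarded (None)."""
    try:
        code, ident, resp_auth, attrs = parse_packet(reply_raw)
    except (ValueError, struct.error):
        return None
    _, pend_ident, req_auth, _ = parse_packet(pending_raw)
    if ident != pend_ident:
        return None
    expected = hashlib.md5(reply_raw[:4] + req_auth + reply_raw[20:] + secret).digest()
    return (code, attrs) if hmac.compare_digest(expected, resp_auth) else None

def run_exchange(password=b"hunter2", supports_challenge=True):
    """Full NAS <-> server flow; returns the list of reply codes the NAS acted on."""
    secret, users, sessions, codes = b"s3cr3t-shared", {b"alice": b"hunter2"}, {}, []
    req1 = nas_access_request(1, secret, b"alice", password, "192.0.2.10", 7)
    code, attrs = nas_check_reply(server_handle(req1, secret, users, sessions), req1, secret)
    codes.append(code)
    if code != ACCESS_CHALLENGE:
        return codes
    if not supports_challenge:                # a NAS without challenge/response treats it as a reject
        codes[-1] = ACCESS_REJECT
        return codes
    state = dict(attrs)[STATE]
    response = otp_for(state, b"alice")       # what the user types after seeing the Reply-Message
    req2 = nas_access_request(2, secret, b"alice", response, "192.0.2.10", 7, state=state)
    codes.append(nas_check_reply(server_handle(req2, secret, users, sessions), req2, secret)[0])
    return codes
```

`run_exchange()` walks the happy path (Access-Challenge, then Access-Accept); passing a wrong password or `supports_challenge=False` ends in an Access-Reject. Because `nas_check_reply` recomputes the Response Authenticator over the bytes actually received, a reply with a flipped byte or a stale Identifier is dropped rather than acted on, which is the check the text requires of the NAS.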