Bay Networks RADIUS, Reference Manual

Page 1: ...Part No 119347 A Rev A September 1997 Marketing Version Number 5 1 RADIUS Attributes Reference ...

Page 2: ...s Government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 Notwithstanding any other license agreement that may pertain to or accompany the delivery of this computer software the rights of the United States Government regarding its use reproduction and disclosure are as set forth in the Commercial C...

Page 3: ...UDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE In addition the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure that may incorporate by reference certain limitations and notices imposed by third parties ...

Page 4: ...ensors retain all title and ownership in both the Software and user manuals including any revisions made by Bay Networks or its licensors The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals Licensee may not modify translate decompile disassemble use for any competitive analysis reverse engineer distribute or create derivative works from...

Page 5: ...ftware to reconstruct lost or altered files data or programs 4 Limitation of liability IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT SPECIAL INDIRECT INCIDENTAL OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE EVEN IF BAY NET...

Page 6: ...and approvals required by the U S Government i export re export transfer or divert any such Software or technical data or any direct product thereof to any country to which such exports or re exports are restricted or embargoed under United States export control laws and regulations or to any national or resident of such restricted or embargoed countries or ii provide the Software or related techn...

Page 7: ...vii RADIUS Attributes Reference Revision Level History Revision Description A Initial Release ...

Page 8: ...RADIUS Attributes Reference Revision Level History viii ...

Page 9: ... 11 Framed Routing 10 11 Filter Id 11 12 Framed MTU 12 13 Framed Compression 13 13 Login IP Host 14 14 Login Service 15 15 Login TCP Port 16 16 Unassigned 17 16 Reply Message 18 16 Callback Number 19 17 Callback Id 20 17 Unassigned 21 18 Framed Route 22 18 Framed IPX Network 23 19 State 24 19 Class 25 19 Vendor Specific 26 20 Session Timeout 27 20 Idle Timeout 28 21 Termination Action 29 21 Called...

Page 10: ...tributes 34 Annex Filter VSA Bay Networks 28 34 Annex CLI Command VSA Bay Networks 29 35 Annex CLI Filter VSA Bay Networks 30 35 Annex Host Restrict VSA Bay Networks 31 36 Annex Host Allow VSA Bay Networks 32 37 Annex Product Name VSA Bay Networks 33 37 Annex SW Version VSA Bay Networks 34 38 Annex Local IP Address VSA Bay Networks 35 38 Annex Tunnel Type VSA Bay Networks 36 39 Annex Tunnel Medium...

Page 11: ...umustcompletethefollowingprocedures For a new RAC or Annex Install the hardware and boot the unit as described in the appropriate hardware installation manual for example for the Model 8000 RAC this is the Bay Networks publication Installing the Model 8000 Remote Access Concentrator Install the software Make sure that the unit is operational Have a RADIUS server available on your network Change an...

Page 12: ...dicates that pressing the Return key enters the default value lowercase bold Lowercase bold indicates commands pathnames or filenames that must be entered as displayed lowercase italics In the context of commands and command syntax lowercase italics indicate variables for which the user supplies a value In command dialogue square brackets indicate default values Pressing the Return key selects thi...

Page 13: ...nit Interface BFS Block File Server BootP Bootstrap Protocol BRI Basic Rate Interface CAS Channel Associated Signalling CCITT International Telegraph and Telephone Consultative Committee now ITU T CSMA CD Carrier Sense Multiple Access with Collision Detection DLCMI Data Link Control Management Interface erpcd expedited remote procedure call daemon FTP File Transfer Protocol GUI Graphical User Inte...

Page 14: ...pendent interface with crossover NBMA nonbroadcast multi access OSI Open Systems Interconnection PPP Point to Point Protocol PRI Primary Rate ISDN RIP Routing Information Protocol RAC Bay Networks Remote Access Concentrator RADIUS Remote Authentication Dial In User Service SMDS Switched Multimegabit Data Service SNMP Simple Network Management Protocol TCP IP Transmission Control Protocol Internet ...

Page 15: ... tpubs Bay Networks Customer Service You can purchase a support contract from your Bay Networks distributor or authorized reseller or directly from Bay Networks Services For information about or to purchase a Bay Networks service contract call either your local Bay Networks field sales office or one of the following numbers Information about customer service is also available on the World Wide Web...

Page 16: ...tributor or reseller for assistance If you purchased a Bay Networks service program call one of the following Bay Networks Technical Solutions Centers Technical Solutions Center Telephone number Fax number Billerica MA 800 2LANWAN 508 916 3514 Santa Clara CA 800 2LANWAN 408 495 1188 Valbonne France 33 4 92 96 69 68 33 4 92 96 69 98 Sydney Australia 61 2 9927 8800 61 2 9927 8811 Tokyo Japan 81 3 54...

Page 17: ...e attribute are allowed in the same packet Dependencies if appropriate In the descriptions that follow Attribute numbers are enclosed in parentheses for example Service Type 6 Enumeration numbers are enclosed in square brackets for example Login 1 To use RADIUS you must set the RAC auth_protocol parameter to radius which is not the default Once auth_protocol is set to radius all RADIUS attribute a...

Page 18: ...ackets User Password 2 Specifies either the password of the user attempting access or the password entered by the user in response to an Access Challenge The password is encrypted when transmitted to the RADIUS server Usage This can be a fixed password such as a PAP password or a one time password such as a SecurID password It is a string of 1 through 128 characters Multiple Instances Allowed No D...

Page 19: ...owed No Dependencies Used in Access Request packets only Must be present if User Password 2 is not NAS IP Address 4 Specifies the RAC s IP address as a form of identification Usage This attribute cannot be used by the server to look up the RADIUS secret the IP header must be used for that purpose Multiple Instances Allowed No Dependencies Required in Access Request and Accounting Request packets ...

Page 20: ... number from 1 through the total number of possible RAC ports of a given type as defined by NAS Port Type 61 If NAS Port Type 61 Virtual 5 NAS Port 5 indicates the RAC virtual port number which is represented as follows For example if two users are connected via FTP at the same time the port number of the first user to connect is 2001 and the port number of the second user is 2002 Port Number Virt...

Page 21: ...cc is the channel For example the first ISDN channel used on WAN 2 would be reported as 10201 If radius_port_encoding is set to channel and the NAS Port Type 61 is Virtual 5 the port number is represented as Multiple Instances Allowed No Dependencies Used only in Access Request and Accounting Request packets Port Number Virtual Device Type 200 port_index VCLI and FTP 300 port_index Dialout 400 por...

Page 22: ...RAC starts a framed protocol session Framed protocol users are permitted asynchronous CLI access to the RAC They are prompted for login information and converted to the specified protocol service after authentication Callback Login 3 The user is disconnected and dialed back then connected to a host via a terminal service protocol Callback Framed 4 The same as Framed 2 except that the RAC terminate...

Page 23: ...ce type allows the user to connect either to a given framed protocol or to the CLI After authorization the RAC converts the CLI session to a SLIP PPP or ARAP session Service types Login 1 and NAS Prompt 7 require that the user has not connected via a framed protocol such as PPP If the service type is Login 1 and a Login Service 15 has not been specified the user is placed at the CLI If the service...

Page 24: ... reject reject reject NAS Prompt accept accept reject reject reject reject reject Outbound reject reject reject reject reject accept reject Administrative accept accept reject reject reject reject accept Authenticate Only accept accept accept accept accept accept reject Callback Login accept accept reject reject reject reject reject Callback NAS Prompt accept accept reject reject reject reject rej...

Page 25: ...st as a hint to the RADIUS server The server returns the authorized framed service in the Access Response If the returned value does not match the protocol in use the RAC rejects the user When the user is running a framed protocol and the server does not return the Framed Protocol attribute the RAC allows the use of any framed protocol However if this attribute is not returned when the user is con...

Page 26: ...formation about remote_address and address_origin see the Remote Access Concentrator Software Reference or the Remote Annex Administrator s Guide for the platform you are using RADIUS defines two special values for Framed IP Address 8 255 255 255 255 which indicates that the RAC allows the remote user to negotiate the address 255 255 255 254 which indicates that the RAC uses DHCP to assign an addr...

Page 27: ...gful only for framed IP connections The RAC ignores it for other connection types Framed Routing 10 Specifies the routing method that the RAC uses for a framed IP connection Usage None 0 The RAC neither sends nor listens for routing packets Send 1 The RAC sends routing packets but does not listen for them Listen 2 The RAC listens for routing packets but does not send them This is the RADIUS defaul...

Page 28: ...RAC issues a new Access Request using the value of the returned Filter Id 11 attribute for User Name 2 and the special value Filter Id for User Password 2 The RAC then waits for an Access Accept that contains the actual list of filters to be used The filter list is a series of Annex Filter VSA Bay Networks 28 attributes each of which is a filter In creating filters the server must follow the rules...

Page 29: ...ic and 599 bytes for AppleTalk traffic Multiple Instances Allowed No Dependencies Overridden for PPP if the RAC receives an MTU value from the remote peer Framed Compression 13 Specifies the type of compression if any to be used on the connection Usage The RAC supports values of None 0 and VJ TCP IP 1 The default is None 0 Multiple Instances Allowed Yes Dependencies The value of this attribute sup...

Page 30: ...n Service 15 is Telnet or Rlogin a terminal service connection is started for the user immediately after login If the attribute is not specified for a Login Service 5 user the RAC displays the CLI prompt If the value of the attribute is 255 255 255 255 the user is allowed to select an IP address The RAC prompts the user for this address and then issues the appropriate CLI command If the value of t...

Page 31: ...If Service Type 6 is Login 1 and this attribute is omitted the RAC places the user at the CLI Multiple Instances Allowed No Dependencies The RAC ignores this attribute if Service Type 6 is anything other than Login 1 The attribute value is handled as follows If the value is Telnet 0 or Rlogin 1 the Login IP Host 14 attribute must be specified If it is not the RAC prompts the user for a target host...

Page 32: ...lnet and 513 for Rlogin Multiple Instances Allowed No Dependencies The RAC ignores this attribute for connection types other than Telnet or Rlogin Unassigned 17 RADIUS has not assigned Attribute 17 Reply Message 18 Contains the text of a prompt or a message Usage In Access Accept packets this message is displayed to a terminal service user after login and authentication In Access Reject messages t...

Page 33: ...ed only when Service Type 6 is Callback Login 3 or Callback Framed 4 If specified this attribute indicates the number for the RAC to dial If the attribute is omitted the RAC prompts the user for the telephone number Multiple Instances Allowed No Dependencies The RAC ignores this attribute for connection types other than callback Callback Id 20 Specifies the name of a location to be called back Usa...

Page 34: ... of the destination optional mask specifies the subnet mask for the destination address Enter this as the number of 1 bits in the subnet mask from left to right For example 24 indicates a subnet mask of 255 255 255 0 gateway is the IP address in dotted decimal notation of the gateway the RAC uses as the next hop to the destination If 0 0 0 0 is specified for gateway the RAC uses the remote user s ...

Page 35: ... the RADIUS server Usage This server sends this attribute in an Access Challenge and the RAC echoes it in the subsequent Access Request packet The information in the attribute depends on the server Multiple Instances Allowed Yes Class 25 Contains information from the authorization database to be used for accounting purposes Usage One or more of these attributes are sent in anAccess Accept from the...

Page 36: ...ceofBayNetworksvendor specificattributes The attributes supported are described in Bay Networks Vendor Specific Attributes on page 34 Multiple Instances Allowed Yes Session Timeout 27 Specifies the number of seconds that the user can be dialed into the RAC before the RAC terminates the session Usage This optional attribute is used to restrict the duration of a user s session Multiple Instances All...

Page 37: ...stances Allowed No Dependencies This attribute applies to all types of RAC sessions Termination Action 29 Specifies theaction that the RAC takes upon termination of a CLI session Usage This optional attribute can be used in conjunction with other attributes such as Annex CLI Command VSA Bay Networks 29 to script the user s session The default terminates the entire user session Multiple Instances A...

Page 38: ...lowed No Dependencies Applicable to digital service only Calling Station Id 31 Specifies the telephone number from which the user called Usage The RAC sends this information when available in Access Request and Accounting Request packets Multiple Instances Allowed No Dependencies Applicable to digital service only NAS Identifier 32 Uniquely specifies the NAS Usage Not supported NAS IP Address 4 is...

Page 39: ...ne Login LAT Service 34 Specifies the name of the LAT service to which the RAC connects the user via the CLI connect command Usage This attribute is used when Login Service 15 is LAT 4 to restrict the user to a LAT service pool If Login Service 15 is LAT 4 and Login LAT Service 34 is not specified the RAC puts the user in CLI command mode Multiple Instances Allowed No Dependencies This attribute i...

Page 40: ...contains a node name Multiple Instances Allowed No Dependencies This attribute is meaningful only for LAT Login Service connections The RAC ignores it for other connection types Framed AppleTalk Link 37 Indicates the AppleTalk Network number which should be used for the link to another AppleTalk router Usage Not supported Multiple Instances Allowed No Framed AppleTalk Network 38 Specifies the Appl...

Page 41: ...equest packets only Multiple Instances Allowed No Dependencies 16 byte challenges can be specified in the Request Authenticator field instead of as an attribute NAS Port Type 41 Specifies the hardware type of the RAC port to which the user is connected Usage The following values are supported Async 0 Sync 1 ISDN Sync 2 ISDN Async V 120 3 ISDN Async V 110 4 Virtual 5 NAS Port 5 further encodes the ...

Page 42: ...wed No Dependencies This attribute is meaningful only for PPP Framed connections The RAC ignores it for other connection types Login LAT Port 43 Specifies the LAT port to which a reverse LAT connection is to be made Usage This optional attribute is used to further specify LAT connections Multiple Instances Allowed No Dependencies This attribute is meaningful for LAT Login Service connections only ...

Page 43: ...ng Off 8 The RAC stopped RADIUS accounting This is recorded when the RAC reboots it indicates that all sessions have been terminated User Reject VSE Bay Networks 10389025 The user was authenticated but not authorized to start a session Call Reject VSE Bay Networks 10389026 The call was rejected before user authentication IPCP Start VSE Bay Networks 10389027 IPCP has come up The log contains the ne...

Page 44: ...after previously enabling it by using the enable_security parameter and then issuing the na or admin command reset annex security Tunnel Start VSE Bay Networks 10389032 A Layer 2 or Layer 3 tunnel was established Tunnel Stop VSE Bay Networks 10389034 A Layer 2 or Layer 3 tunnel was destroyed Tunnel Reject VSE Bay Networks 10389035 A Layer 2 or Layer 3 tunnel failed peer authentication MP Start VSE...

Page 45: ...ting request Multiple Instances Allowed No Dependencies None Acct Input Octets 42 Indicates the number of input octets for the session Usage Used only at the end of a session that is whenAcct Status Type 41 is Stop 2 Multiple Instances Allowed No Dependencies Available only for physical or tunneled connections Acct Output Octets 43 Indicates the number of output octets for this session Usage Used ...

Page 46: ...t session the RAC increments the previous session identifier by 1 Multiple Instances Allowed No Acct Authentic 45 Indicates the user authentication method Usage For RADIUS users the method indicated is always RADIUS 1 Multiple Instances Allowed No Dependencies This is recorded in each Accounting Request packet when Acct Status Type 40 Start 1 Acct Session Time 46 Indicates the duration of the user...

Page 47: ...orded at the end of a session that is when Acct Status Type 41 is Stop 2 Applies only to physical or tunneled connections Acct Output Packets 48 Indicates the number of output packets for the user session Multiple Instances Allowed No Dependencies Recorded only at the end of a session that is when Acct Status Type 41 is Stop 2 Applies only to physical or tunneled connections ...

Page 48: ...er or net_inactivity Session Timeout 5 The maximum connect time was exceeded The na or admin configuration parameter max_logon defines this maximum Admin Reset 6 The administrator reset the connection by using for example the na or admin reset port command Port Error 8 A port error such as a failed dialin attempt or a modem failure occurred Callback 16 The RAC terminated the session in order to di...

Page 49: ...ultisession identifiers Usage Used in Accounting Request messages Multiple Instances Allowed No Dependencies Meaningful only for MP connections Acct Link Count 51 Indicates the current count of links for a multilink session Usage This optional attribute can appear in any Accounting Request message for a session with multiple links Multiple Instances Allowed No Dependencies Meaningful only for MP c...

Page 50: ...format as that used for the filter keyword in the acp_userinfo file except that the filter and end keywords are omitted For example the following defines a filter that discards any outbound IP packets destined for address 132 245 4 33 output include dst_address 132 245 4 33 discard For complete information on filter formats seeManaging Remote Access Concentrators Using Command Line Interfaces or t...

Page 51: ...DIUS attribute If the RAC detects an error the error is syslogged the remaining commands are ignored and the session is terminated Multiple Instances Allowed Yes Each attribute is treated as a separate CLI command Dependencies This attribute applies to Service Type NAS Prompt 7 CLI sessions only Annex CLI Filter VSA Bay Networks 30 Specifies aCLI command that the RAC does not allow the user to exe...

Page 52: ...cifies the dotted decimal IP address of the host whose access is to be restricted A zero in one address component matches any value for example 132 254 9 0 matches any host on subnet 9 One space must separate the host address and the port numbers if any The subsequent characters specify the TCP or UDP ports on the host to which access is to be restricted Use commas to specify multiple ports and a ...

Page 53: ...ong with Annex Host Allow VSA Bay Networks 32 attributes are processed in the order in which they appear on a first match basis The format for this attribute is the same as that for Annex Host Restrict VSA Bay Networks 31 Multiple Instances Allowed Yes Each attribute is treated as a separate host and port specification Dependencies This attribute applies to Service Type 6 NAS Prompt 7 or Login 1 A...

Page 54: ... uses the attribute value as the IP network address of the local RAC port interface If the attribute is not specified or if address_origin is local the IP address defaults to the value specified by the na or admin port parameter local_address RADIUS defines two special values for this attribute 255 255 255 255 which indicates that the RAC allows the remote peer to negotiate the address 255 255 255...

Page 55: ...iated Multiple Instances Allowed No Dependencies This attribute is meaningful only for tunneled applications Annex Tunnel Medium Type VSA Bay Networks 37 Indicates to the RAC the medium over which a tunneling protocol is to run Usage The RAC supports the value IP 1 Multiple Instances Allowed No Dependencies This attribute is used to define the type of address that is used in the Annex Tunnel Clien...

Page 56: ...a network tunnel Usage This is a string attribute with the following format n n n n port type DCLI The arguments are n n n n is the IP address of the server in dotted decimal notation port type optional is the type of connection Valid values which must be preceded by a space are none sl ppp and fr DCLI optional is the circuit identifier for frame relay circuits It must be specified as a hexadecima...

Page 57: ...of the Annex Tunnel Type VSA Bay Networks 36 attribute For L2TP 3 this is the 16 bit Tunnel ID Annex Tunnel Connection Id VSA Bay Networks 41 Specifies a tunnel connection identifier that is unique among all connections in that tunnel Usage This is a character string It can be used with the Annex Tunnel Type VSA Bay Networks 36 Annex Tunnel Medium Type VSA Bay Networks 37 Annex Tunnel Client Endpo...

Page 58: ...bit mask for asynchronous ports Each bit corresponds to a port for example the fortieth bit is for port 40 Multiple Instances Allowed No Dependencies This attribute is meaningful only when Service Type 6 is Callback Login 3 Callback Framed 4 or Callback NAS Prompt 9 The attribute is primarily useful for Remote Annex Models 2000 4000 and 6100 on which there are numbered physical ports ...