Name
Access-Request
Synopsis
Request | Response
Code | 1
Identifier | Unique per request
Length | Header length plus all additional attribute data
Authenticator | Request
Attribute Data | 2 or more
The Access-Request packet is used by the service consumer when it is requesting a particular service from a network. The client sends a Request packet to the RADIUS server with a list of the requested services. The key factor in this transmission is the code field in the packet header: it must be set to 1, the unique value of the Request packet. The RFC states that replies must be sent to all valid Request packets, whether the reply is an authorization or a rejection.
The payload of the Access-Request packet should include the username attribute to identify the person attempting to gain access to the network resource. The payload is required to contain the IP address or canonical name of the network equipment from which it is requesting service. It also has to contain a user password, a CHAP-based password, or a state identifier, but not both types of passwords. The user password must be hashed using MD5.
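The checks described above, as an added Python example (not code from the book): `check_access_request` applies the code, length and attribute rules to a raw packet, and `hide_password` shows the MD5-based User-Password hiding defined in RFC 2865. The function names, shared secret, authenticator and addresses are constructed for illustration; the attribute numbers are those assigned in RFC 2865.

```python
import hashlib
import struct
# Attribute type numbers as assigned in RFC 2865.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, STATE, NAS_IDENTIFIER = 1, 2, 3, 4, 24, 32

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()     # MD5(secret + previous block)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(ident: int, authenticator: bytes, attrs, code: int = 1) -> bytes:
    """Assemble header (code, identifier, length, authenticator) plus TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body

def check_access_request(packet: bytes) -> list:
    """Return the rule violations found in a packet; an empty list means none."""
    if len(packet) < 20:
        return ["shorter than the 20-byte header"]
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    problems = [] if code == 1 else ["code field is not 1"]
    if length < 20 or length > len(packet):
        return problems + ["length field is below 20 or exceeds the data received"]
    seen, pos = set(), 20
    while pos < length:                               # walk type/length/value triples
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return problems + ["malformed attribute"]
        seen.add(packet[pos])
        pos += packet[pos + 1]
    if USER_NAME not in seen:
        problems.append("no User-Name (recommended)")
    if not seen & {NAS_IP_ADDRESS, NAS_IDENTIFIER}:
        problems.append("no NAS-IP-Address or NAS-Identifier")
    if not seen & {USER_PASSWORD, CHAP_PASSWORD, STATE}:
        problems.append("no User-Password, CHAP-Password or State")
    if {USER_PASSWORD, CHAP_PASSWORD} <= seen:
        problems.append("both User-Password and CHAP-Password present")
    return problems

# Constructed sample values, not taken from the book.
SECRET, AUTH = b"example-secret", bytes(range(16))
NAS = (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))
GOOD = build_request(7, AUTH, [(USER_NAME, b"alice"),
                               (USER_PASSWORD, hide_password(b"pw", SECRET, AUTH)), NAS])
```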
How do these rules apply to RADIUS proxy chains? Basically, new packets need to be created whenever attributes are changed, since identifying information is changed. Attributes with shared secrets, which are covered in detail later in this chapter, need to be reversed by the proxy server (to obtain the original payload information) and then encrypted again with the secret ...