RADIUS

This guide serves as a protocol implementation conformance statement for the RADIUS protocol.

Topics in this document:

RADIUS Protocol

This section describes how AAA Gateway maps RADIUS access-control messages for the RADIUS protocol defined in RFC-2865 and RFC-2869.

Section Conformance

Table 1-1 below lists the conformance information for the sections of the RADIUS protocol in RFC-2865.

Table 1-1: RFC-2865 Section Conformance

| Section number | Section | Status | Notes |
|---|---|---|---|
| 1 | Introduction | Not applicable | - |
| 1.1 | Specification of Requirements | Not applicable | - |
| 1.2 | Terminology | Not applicable | - |
| 2 | Operation | Partially supported | - |
| 2.1 | Challenge/Response | Supported | - |
| 2.2 | Interoperation with PAP and CHAP | Not supported | - |
| 2.3 | Proxy | Not applicable | - |
| 2.4 | Why UDP? | Not applicable | - |
| 2.5 | Retransmission Hints | Supported | - |
| 2.6 | Keep-Alives Considered Harmful | Supported | - |
| 3 | Packet Format | Supported | - |
| 4 | Packet Types | Supported | - |
| 4.1 | Access-Request | Supported | - |
| 4.2 | Access-Accept | Supported | - |
| 4.3 | Access-Reject | Supported | - |
| 4.4 | Access-Challenge | Supported | - |
| 5 | Attributes | Supported | - |
| 5.1 | User-Name | Supported | - |
| 5.2 | User-Password | Supported | - |
| 5.3 | CHAP-Password | Supported | - |
| 5.4 | NAS-IP-Address | Supported | - |
| 5.5 | NAS-Port | Supported | - |
| 5.6 | Service-Type | Supported | - |
| 5.7 | Framed-Protocol | Supported | - |
| 5.8 | Framed-IP-Address | Supported | - |
| 5.9 | Framed-IP-Netmask | Supported | - |
| 5.10 | Framed-Routing | Supported | - |
| 5.11 | Filter-Id | Supported | - |
| 5.12 | Framed-MTU | Supported | - |
| 5.13 | Framed-Compression | Supported | - |
| 5.14 | Login-IP-Host | Supported | - |
| 5.15 | Login-Service | Supported | - |
| 5.16 | Login-TCP-Port | Supported | - |
| 5.17 | (unassigned) | Supported | - |
| 5.18 | Reply-Message | Supported | - |
| 5.19 | Callback-Number | Supported | - |
| 5.20 | Callback-Id | Supported | - |
| 5.21 | (unassigned) | Supported | - |
| 5.22 | Framed-Route | Supported | - |
| 5.23 | Framed-IPX-Network | Supported | - |
| 5.24 | State | Supported | - |
| 5.25 | Class | Supported | - |
| 5.26 | Vendor-Specific | Supported | - |
| 5.27 | Session-Timeout | Supported | - |
| 5.28 | Idle-Timeout | Supported | - |
| 5.29 | Termination-Action | Supported | - |
| 5.30 | Called-Station-Id | Supported | - |
| 5.31 | Calling-Station-Id | Supported | - |
| 5.32 | NAS-Identifier | Supported | - |
| 5.33 | Proxy-State | Supported | - |
| 5.34 | Login-LAT-Service | Supported | - |
| 5.35 | Login-LAT-Node | Supported | - |
| 5.36 | Login-LAT-Group | Supported | - |
| 5.37 | Framed-AppleTalk-Link | Supported | - |
| 5.38 | Framed-AppleTalk-Network | Supported | - |
| 5.39 | Framed-AppleTalk-Zone | Supported | - |
| 5.40 | CHAP-Challenge | Supported | - |
| 5.41 | NAS-Port-Type | Supported | - |
| 5.42 | Port-Limit | Supported | - |
| 5.43 | Login-LAT-Port | Supported | - |
| 5.44 | Table of Attributes | Supported | - |
| 6 | IANA Considerations | No requirement | - |
| 6.1 | Definition of Terms | No requirement | - |
| 6.2 | Recommended Registration Policies | No requirement | - |
| 7 | Examples | Supported | - |
| 7.1 | User Telnet to Specified Host | Supported | - |
| 7.2 | Framed User Authenticating with CHAP | Supported | - |
| 7.3 | User with Challenge-Response card | Not supported | - |
| 8 | Security Considerations | Not supported | - |
| 9 | Change Log | No requirement | - |
| 10 | References | No requirement | - |
| 11 | Acknowledgements | No requirement | - |
| 12 | Chair’s Address | No requirement | - |
| 13 | Authors’ Addresses | No requirement | - |
| 14 | Full Copyright Statement | No requirement | - |

Table 1-2 below lists the conformance information for the sections of the RADIUS protocol in RFC-2869.

Table 1-2: RFC-2869 Section Conformance

| Section number | Section | Status | Notes |
|---|---|---|---|
| 1 | Introduction | Not applicable | - |
| 1.1 | Specification of Requirements | Not applicable | - |
| 1.2 | Terminology | Not applicable | - |
| 2 | Operation | Partially supported | - |
| 2.1 | RADIUS support for Interim Accounting Updates | Not supported | - |
| 2.2 | RADIUS support for Apple Remote Access Protocol | Not supported | - |
| 2.3 | RADIUS Support for Extensible Authentication Protocol (EAP) | Supported | - |
| 2.3.1 | Protocol Overview | Supported | - |
| 2.3.2 | Retransmission | Supported | - |
| 2.3.3 | Fragmentation | Not supported | - |
| 2.3.4 | Examples | Supported | - |
| 2.3.5 | Alternative Uses | Supported | - |
| 3 | Packet Format | Supported | - |
| 4 | Packet Types | Supported | - |
| 5 | Attributes | Partially supported | - |
| 5.1 | Acct-Input-Gigawords | Not supported | - |
| 5.2 | Acct-Output-Gigawords | Not supported | - |
| 5.3 | Event-Timestamp | Not supported | - |
| 5.4 | ARAP-Password | Not supported | - |
| 5.5 | ARAP-Features | Not supported | - |
| 5.6 | ARAP-Zone-Access | Not supported | - |
| 5.7 | ARAP-Security | Not supported | - |
| 5.8 | ARAP-Security-Data | Not supported | - |
| 5.9 | Password-Retry | Not supported | - |
| 5.10 | Prompt | Not supported | - |
| 5.11 | Connect-Info | Not supported | - |
| 5.12 | Configuration-Token | Not supported | - |
| 5.13 | EAP-Message | Supported | - |
| 5.14 | Message-Authenticator | Supported | - |
| 5.15 | ARAP-Challenge-Response | Not supported | - |
| 5.16 | Acct-Interim-Interval | Not supported | - |
| 5.17 | NAS-Port-Id | Supported | - |
| 5.18 | Framed-Pool | Not supported | - |
| 5.19 | Table of Attributes | Not supported | - |
| 6 | IANA Considerations | No requirement | - |
| 7 | Security Considerations | Supported | - |
| 7.1 | Message-Authenticator Security | Supported | - |
| 7.2 | EAP Security | Supported | - |
| 7.2.1 | Separation of EAP server and PPP authenticator | Not supported | - |
| 7.2.2 | Connection hijacking | Not supported | - |
| 7.2.3 | Man in the middle attacks | Not supported | - |
| 7.2.4 | Multiple databases | Not supported | - |
| 7.2.5 | Negotiation attacks | Not supported | - |
| 8 | References | No requirement | - |
| 9 | Acknowledgements | No requirement | - |
| 10 | Chair’s Address | No requirement | - |
| 11 | Authors’ Addresses | No requirement | - |
| 12 | Full Copyright Statement | No requirement | - |

Access-Request AVPs

Table 1-3 lists the conformance information for the Access-Request attribute-value pairs (AVPs).

Table 1-3: Access-Request AVPs

| RADIUS AVP | Status | Notes |
|---|---|---|
| User-Name | Supported | - |
| User-Password | Supported | - |
| CHAP-Password | Supported | - |
| CHAP-Challenge | Supported | - |
| NAS-IP-Address | Supported | - |
| NAS-Port | Supported | - |
| NAS-Port-Type | Supported | - |
| NAS-Identifier | Supported | - |
| Service-Type | Supported | - |
| Framed-Protocol | Supported | - |
| Framed-IP-Address | Supported | - |
| Framed-IP-Netmask | Supported | - |
| Framed-MTU | Supported | - |
| Framed-Compression | Supported | - |
| Login-IP-Host | Supported | - |
| Callback-Number | Supported | - |
| Called-Station-Id | Supported | - |
| Calling-Station-Id | Supported | - |
| State | Supported | - |
| Proxy-State | Supported | - |
| Login-LAT-Service | Supported | - |
| Login-LAT-Node | Supported | - |
| Login-LAT-Group | Supported | - |
| Login-LAT-Port | Supported | - |
| Vendor-Specific | Supported | - |
| EAP-Message | Supported | - |
| Message-Authenticator | Supported | - |

Access-Accept AVPs

The conformance information for the Access-Accept AVPs is shown below.

Table 1-4: Access-Accept AVPs

| RADIUS AVP | Status | Notes |
|---|---|---|
| User-Name | Supported | - |
| Service-Type | Supported | - |
| Framed-Protocol | Supported | - |
| Framed-IP-Address | Supported | - |
| Framed-IP-Netmask | Supported | - |
| Framed-Routing | Supported | - |
| Framed-Route | Supported | - |
| Framed-IPX-Network | Supported | - |
| Framed-AppleTalk-Link | Supported | - |
| Framed-AppleTalk-Network | Supported | - |
| Framed-AppleTalk-Zone | Supported | - |
| Filter-Id | Supported | - |
| Framed-MTU | Supported | - |
| Framed-Compression | Supported | - |
| Login-IP-Host | Supported | - |
| Login-Service | Supported | - |
| Login-TCP-Port | Supported | - |
| Reply-Message | Supported | - |
| Callback-Number | Supported | - |
| Callback-Id | Supported | - |
| Class | Supported | - |
| Session-Timeout | Supported | - |
| Idle-Timeout | Supported | - |
| Termination-Action | Supported | - |
| State | Supported | - |
| Proxy-State | Supported | - |
| Login-LAT-Service | Supported | - |
| Login-LAT-Node | Supported | - |
| Login-LAT-Group | Supported | - |
| Login-LAT-Port | Supported | - |
| Port-Limit | Supported | - |
| Vendor-Specific | Supported | - |
| Acct-Session-Id | Supported | - |
| EAP-Message | Supported | - |
| Message-Authenticator | Supported | - |

Access-Reject AVPs

Table 1-5 lists the conformance information for the Access-Reject AVPs.

Table 1-5: Access-Reject AVPs

| RADIUS AVP | Status | Notes |
|---|---|---|
| User-Name | Supported | - |
| Reply-Message | Supported | - |
| Class | Supported | - |
| Proxy-State | Supported | - |
| Vendor-Specific | Supported | - |
| Acct-Session-Id | Supported | - |
| EAP-Message | Supported | - |
| Message-Authenticator | Supported | - |

Access-Challenge AVPs

Table 1-6 contains the conformance information for the Access-Challenge AVPs.

Table 1-6: Access-Challenge AVPs

| RADIUS AVP | Status | Notes |
|---|---|---|
| Reply-Message | Supported | - |
| Session-Timeout | Supported | - |
| Idle-Timeout | Supported | - |
| State | Supported | - |
| Proxy-State | Supported | - |
| Vendor-Specific | Supported | - |
| EAP-Message | Supported | - |
| Message-Authenticator | Supported | - |

RADIUS Accounting Protocol

This section provides details on how AAA Gateway maps RADIUS accounting messages for the RADIUS protocol defined in RFC-2866.

Section Conformance

The conformance information for the sections of the RADIUS accounting protocol in RFC-2866 is listed below.

Table 2-1: RFC-2866 Section Conformance

| Section number | Section | Status | Notes |
|---|---|---|---|
| 1 | Introduction | Not applicable | - |
| 1.1 | Specification of Requirement | Not applicable | - |
| 1.2 | Terminology | Not applicable | - |
| 2 | Operation | Supported | - |
| 2.1 | Proxy | Not supported | - |
| 3 | Packet Format | Supported | - |
| 4 | Packet Types | Supported | - |
| 4.1 | Accounting-Request | Supported | - |
| 4.2 | Accounting-Response | Supported | - |
| 5 | Attributes | Supported | - |
| 5.1 | Acct-Status-Type | Supported | - |
| 5.2 | Acct-Delay-Time | Supported | - |
| 5.3 | Acct-Input-Octets | Supported | - |
| 5.4 | Acct-Output-Octets | Supported | - |
| 5.5 | Acct-Session-Id | Supported | - |
| 5.6 | Acct-Authentic | Supported | - |
| 5.7 | Acct-Session-Time | Supported | - |
| 5.8 | Acct-Input-Packets | Supported | - |
| 5.9 | Acct-Output-Packets | Supported | - |
| 5.10 | Acct-Terminate-Cause | Supported | - |
| 5.11 | Acct-Multi-Session-Id | Supported | - |
| 5.12 | Acct-Link-Count | Supported | - |
| 5.13 | Table of Attributes | Supported | - |
| 6 | IANA Considerations | Supported | - |
| 7 | Security Considerations | Supported | - |
| 8 | Change Log | Not applicable | - |
| 9 | References | No requirement | - |
| 10 | Acknowledgements | No requirement | - |

Accounting-Request AVPs

The following table describes how ECE supports the Accounting-Request attribute-value pairs (AVPs).

Table 2-2: Accounting-Request AVPs

| RADIUS accounting AVP | Status | Notes |
|---|---|---|
| User-Name | Supported | This is a mandatory AVP. |
| NAS-IP-Address | Supported | This is a mandatory AVP. |
| NAS-Identifier | Supported | This is a mandatory AVP. |
| NAS-Port-Type | Supported | - |
| Class | Supported | - |
| Service-Type | Supported | - |
| Framed-Protocol | Supported | - |
| Framed-IP-Address | Supported | - |
| Framed-IP-Netmask | Supported | - |
| Framed-MTU | Supported | - |
| Framed-Compression | Supported | - |
| Login-IP-Host | Supported | - |
| Callback-Number | Supported | - |
| Called-Station-Id | Supported | - |
| Calling-Station-Id | Supported | - |
| Proxy-State | Supported | - |
| Login-LAT-Service | Supported | - |
| Login-LAT-Node | Supported | - |
| Login-LAT-Group | Supported | - |
| Login-LAT-Port | Supported | - |
| CHAP-Challenge | Supported | - |
| Acct-Status-Type | Supported | This is a mandatory AVP. |
| Acct-Delay-Time | Supported | - |
| Acct-Input-Octets | Supported | - |
| Acct-Output-Octets | Supported | - |
| Acct-Session-Id | Supported | This is a mandatory AVP. |
| Acct-Authentic | Supported | - |
| Acct-Session-Time | Supported | - |
| Acct-Input-Packets | Supported | - |
| Acct-Output-Packets | Supported | - |
| Acct-Terminate-Cause | Supported | - |
| Acct-Multi-Session-Id | Supported | - |
| Acct-Link-Count | Supported | - |
| Vendor-Specific | Supported | - |

Accounting-Response AVPs

The Accounting-Response message does not have any AVPs.

RADIUS Disconnect Protocol

This section describes how AAA Gateway maps RADIUS disconnect messages for the RADIUS protocol defined in RFC-3576.

Section Conformance

The conformance information for the sections of the RADIUS disconnect protocol in RFC-3576 is shown below.

Table 3-1: RFC-3576 Section Conformance

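| Section number | Section | Status | Notes |
|---|---|---|---|
| 1 | Introduction | - | - |
| 1.1 | Applicability | - | - |
| 1.2 | Requirements Language | - | - |
| 1.3 | Terminology | - | - |
| 2 | Overview | - | - |
| 2.1 | Disconnect Messages (DM) | - | - |
| 2.2 | Change-of-Authorization Messages (CoA) | - | - |
| 2.3 | Packet Format | - | - |
| 3 | Attributes | - | - |
| 3.1 | Error-Cause | - | - |
| 3.2 | Table of Attributes | - | - |
| 4 | IANA Considerations | - | - |
| 5 | Security Considerations | - | - |
| 5.1 | Authorization Issues | - | - |
| 5.2 | Impersonation | - | - |
| 5.3 | IPsec Usage Guidelines | - | - |
| 5.4 | Replay Protection | - | - |
| 6 | Example Traces | - | - |
| 7 | References | - | - |
| 7.1 | Normative References | - | - |
| 7.2 | Informative References | - | - |
| 8 | Intellectual Property Statement | - | - |
| 9 | Acknowledgements | - | - |
| 10 | Author’s Addresses | - | - |
| 11 | Full Copyright Statement | - | - |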

Disconnect-Request AVPs

Table 3-2 below lists the conformance information for the Disconnect-Request AVPs.

Table 3-2: Disconnect-Request AVPs

| RADIUS AVP | Status | Notes |
|---|---|---|
| User-Name | Supported | - |
| User-Password | Supported | - |
| CHAP-Password | Supported | - |
| CHAP-Challenge | Supported | - |
| NAS-IP-Address | Supported | - |
| NAS-Port | Supported | - |
| NAS-Port-Type | Supported | - |
| NAS-Identifier | Supported | - |
| Service-Type | Supported | - |
| Framed-Protocol | Supported | - |
| Framed-IP-Address | Supported | - |
| Framed-IP-Netmask | Supported | - |
| Framed-MTU | Supported | - |
| Framed-Compression | Supported | - |
| Login-IP-Host | Supported | - |
| Callback-Number | Supported | - |
| Called-Station-Id | Supported | - |
| Calling-Station-Id | Supported | - |
| State | Supported | - |
| Proxy-State | Supported | - |
| Login-LAT-Service | Supported | - |
| Login-LAT-Node | Supported | - |
| Login-LAT-Group | Supported | - |
| Login-LAT-Port | Supported | - |
| Vendor-Specific | Supported | - |
| EAP-Message | Supported | - |
| Message-Authenticator | Supported | - |

Disconnect-Response AVPs

The Disconnect-Response message has no AVPs.