3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

26 CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
response (Access-Accept) containing the information of user’s right. If the
authentication fails, it returns an Access-Reject message.
4 The RADIUS client acts on the returned authentication result to accept or deny the
user. If it is allowed to accept the user, the RADIUS client sends an accounting start
request (Accounting-Request) to the RADIUS server, with the value of Status-Type
being "start".
5 The RADIUS server returns a start-accounting response (Accounting-Response).
6 The RADIUS client sends a stop-accounting request (Accounting-Request) to the
RADIUS server, with the value of Status-Type being "stop".
7 The RADIUS server returns a stop-accounting response (Accounting-Response).
RADIUS packet structure
RADIUS transmits messages over UDP; timer management, retransmission, and
slave (backup) server mechanisms ensure reliable message exchange between the
RADIUS server and the client. The following figure shows the RADIUS packet
structure.
Figure 5 RADIUS packet structure
The Identifier field is used to match request packets with response packets. Its
value changes whenever the Attribute field changes or a valid response has been
received, but it stays unchanged across retransmissions of the same request. The
16-byte Authenticator field is used to authenticate the request transmitted by
the RADIUS server, and it is also used by the password hiding algorithm. There
are two kinds of authenticators: Request and Response.
Request Authenticator: a random value 16 bytes in length.
Response Authenticator: the result of applying the MD5 algorithm to Code,
Identifier, Request Authenticator, Length, Attribute, and the shared key.
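Added example, not code from the 3Com guide: a standard-library Python check of the Response Authenticator described above, run over a constructed Access-Request/Access-Accept pair. The MD5 input is taken in on-the-wire order (Code, Identifier, Length, Request Authenticator, Attributes, shared key); attribute types 1 (User-Name) and 18 (Reply-Message), the identifier value, and the secret are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Fixed 20-byte header: Code (1), Identifier (1), Length (2), Authenticator (16)
HEADER = struct.Struct("!BBH16s")


def attr(attr_type, value):
    """Encode one attribute as Type | Length | Value (length covers all three)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, identifier, authenticator, attributes):
    """Return header + raw attribute bytes; Length counts the whole packet."""
    length = HEADER.size + len(attributes)
    return HEADER.pack(code, identifier, length, authenticator) + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """MD5(Code + Identifier + Length + RequestAuth + Attributes + shared key)."""
    length = HEADER.size + len(attributes)
    body = struct.pack("!BBH", code, identifier, length) + request_auth + attributes
    return hashlib.md5(body + secret).digest()


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, attributes).

    Rejects truncated packets and a Length field that is shorter than the
    header or longer than the datagram; bytes past Length are ignored padding.
    """
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length, authenticator = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("Length field outside packet bounds")
    return code, identifier, authenticator, data[HEADER.size:length]


def verify_response(response, request, secret):
    """True only if Identifier matches the request and the MD5 check passes."""
    r_code, r_id, r_auth, r_attrs = parse_packet(response)
    _, q_id, q_auth, _ = parse_packet(request)
    if r_id != q_id:  # Identifier pairs a response with its request
        return False
    expected = response_authenticator(r_code, r_id, q_auth, r_attrs, secret)
    return hmac.compare_digest(expected, r_auth)  # constant-time compare
```

A client that skips this check will accept any Access-Accept carrying the right Identifier, so the shared key check is what ties the reply to the server.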
1 The Code field decides the type of a RADIUS packet, as shown in the following
table.
(Figure 5 fields, in order: Code | Identifier | Length | Authenticator | Attribute)
Table 10 Code values

Code  Packet type     Description
1     Access-Request  The packet carries user information and is transmitted by
                      the client to the server to help the client determine
                      whether the user can access the network. The packet carries
                      the required attribute of User-Name and some other options,
                      such as NAS-IP-Address, User-Password, and NAS-Port.
2     Access-Accept   The packet is transmitted by the server to the client. If
                      all the attribute values carried in the Access-Request are
                      acceptable, the server allows the user to pass
                      authentication and sends back an Access-Accept response.