Raritan Computer IPR-TR364 用户手册
C
HAPTER
4:
A
DMINISTRATIVE
F
UNCTIONS
59
Returning User Group Information via RADIUS
When a RADIUS authentication attempt succeeds, IP-Reach determines the permissions for a given user
based on the permissions of the user’s group.
When a RADIUS authentication attempt succeeds, IP-Reach determines the permissions for a given user
based on the permissions of the user’s group.
Your remote RADIUS server can provide these user group names by returning an attribute, implemented as
a RADIUS FILTER-ID. The FILTER-ID should be formatted as follows:
a RADIUS FILTER-ID. The FILTER-ID should be formatted as follows:
Raritan:G{GROUP_NAME}
where
GROUP_NAME
is a string, denoting the name of the group to which the user belongs.
RADIUS Communication Exchange Specifications
IP-Reach sends the following information to RADIUS server in an authentication query:
A
TTRIBUTE
D
ATA
USER-NAME
The user name entered at the login screen.
USER-PASSWORD
In PAP mode, the encrypted password entered at the login screen.
CHAP-PASSWORD
In CHAP mode, the CHAP protocol response computed from the password and
the CHAP challenge data.
the CHAP challenge data.
NAS-IP-ADDRESS IP-Reach’s
IP
Address
NAS-IDENTIFIER
The IP-Reach unit name as configured in “Network Configuration” (see previous
section).
section).
NAS-PORT-TYPE
The value ASYNC (0) for modem connections and ETHERNET (15) for network
connections.
connections.
NAS-PORT Always
0.
STATE
If this request is in response to an ACCESS-CHALLENGE, the state data from the
ACCESS-CHALLENGE packet will be returned.
ACCESS-CHALLENGE packet will be returned.
PROXY-STATE
If this request is in response to an ACCESS-CHALLENGE, the proxy state data
from the ACCESS-CHALLENGE packet will be returned.
from the ACCESS-CHALLENGE packet will be returned.
IP-Reach sends the following RADIUS attributes to the RADIUS server with each accounting request:
A
TTRIBUTE
D
ATA
SESSION-TYPE
Either START (1) for log in or STOP (2) for log out.
SESSION-ID
A string containing a unique session name. The name is in the format of “<NAS-
IDENTIFIER>:<user IP address>:<unique session number>”
Example: “IP-Reach:192.168.1.100:122”
IDENTIFIER>:<user IP address>:<unique session number>”
Example: “IP-Reach:192.168.1.100:122”
USER-NAME As
above.
NAS-IP-ADDRESS As
above.
NAS-IDENTIFIER As
above.
NAS-PORT-TYPE As
above.
NAS-PORT As
above.
FILTER-ID
Any FILTER-ID attributes returned by the RADIUS server during authentication
will be sent in each accounting request.
will be sent in each accounting request.
CLASS
Any CLASS attributes returned by the RADIUS server during authentication will be
sent in each accounting request.
sent in each accounting request.
ACCT-
AUTHENTIC
AUTHENTIC
How the user was authenticated. Either RADIUS (1) if the user was authenticated by
the RADIUS server or LOCAL (2) if the user was authenticated by IP-Reach’s built-
in user name database.
the RADIUS server or LOCAL (2) if the user was authenticated by IP-Reach’s built-
in user name database.
TERMINATE-
CAUSE
CAUSE
If this is a STOP request, the reason the user was terminated. Either
USER_REQUEST (1), LOST_SERVICE (3), SESSION_TIMEOUT (5), or
ADMIN_RESET (6).
USER_REQUEST (1), LOST_SERVICE (3), SESSION_TIMEOUT (5), or
ADMIN_RESET (6).