1. Radius Attributes报文结构
在radius请求或者回复报文中或者在radius 计费报文中都会携带radius 属性,radius属性中会包含一些特定的认证或者授权信息。一次radius请求或者回复报文中可能会包含多个radius属性。
Radius属性报文格式如下,包含三个部分,Type + Length + Value:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type字段,一个字节(8 bit),值的范围是:0 – 255,具体详见radius type表,其中值 192-223 保留用于实验用途,值 224-240 保留用于特定实现的用途,值 241-255 保留且不应使用。
Length字段,一个字节(8 bit),表示radius属性的长度(包含type、length、value字段),如果在Access-Request 中接收到一个radius属性,但长度无效,则应该发送一个 Access-Reject。
Vaule字段,0 – 8个字节(0-64 bit),包含该Radius 属性Type的内容。Vaule字段的数据类型取决于Type,Value的长度取决于Length。Value的数据类型格式有五种,分别是text、string、address、integer、time。
参考:RFC 2865
2. 常见的标准Radius Attributes
常见标准radius属性值如下(这里只列出了看1-63),完整radius标准属性详见附件:radius standard attributes types ,标准radius属性是每个厂商都通用的。
| Value | Description | Data Type | Reference |
| 1 | User-Name | text | [RFC2865] |
| 2 | User-Password | string | [RFC2865] |
| 3 | CHAP-Password | string | [RFC2865] |
| 4 | NAS-IP-Address | ipv4addr | [RFC2865] |
| 5 | NAS-Port | integer | [RFC2865] |
| 6 | Service-Type | enum | [RFC2865] |
| 7 | Framed-Protocol | enum | [RFC2865] |
| 8 | Framed-IP-Address | ipv4addr | [RFC2865] |
| 9 | Framed-IP-Netmask | ipv4addr | [RFC2865] |
| 10 | Framed-Routing | enum | [RFC2865] |
| 11 | Filter-Id | text | [RFC2865] |
| 12 | Framed-MTU | integer | [RFC2865] |
| 13 | Framed-Compression | enum | [RFC2865] |
| 14 | Login-IP-Host | ipv4addr | [RFC2865] |
| 15 | Login-Service | enum | [RFC2865] |
| 16 | Login-TCP-Port | integer | [RFC2865] |
| 17 | Unassigned | ||
| 18 | Reply-Message | text | [RFC2865] |
| 19 | Callback-Number | text | [RFC2865] |
| 20 | Callback-Id | text | [RFC2865] |
| 21 | Unassigned | ||
| 22 | Framed-Route | text | [RFC2865] |
| 23 | Framed-IPX-Network | ipv4addr | [RFC2865] |
| 24 | State | string | [RFC2865] |
| 25 | Class | string | [RFC2865] |
| 26 | Vendor-Specific | vsa | [RFC2865] |
| 27 | Session-Timeout | integer | [RFC2865] |
| 28 | Idle-Timeout | integer | [RFC2865] |
| 29 | Termination-Action | enum | [RFC2865] |
| 30 | Called-Station-Id | text | [RFC2865] |
| 31 | Calling-Station-Id | text | [RFC2865] |
| 32 | NAS-Identifier | text | [RFC2865] |
| 33 | Proxy-State | string | [RFC2865] |
| 34 | Login-LAT-Service | text | [RFC2865] |
| 35 | Login-LAT-Node | text | [RFC2865] |
| 36 | Login-LAT-Group | string | [RFC2865] |
| 37 | Framed-AppleTalk-Link | integer | [RFC2865] |
| 38 | Framed-AppleTalk-Network | integer | [RFC2865] |
| 39 | Framed-AppleTalk-Zone | text | [RFC2865] |
| 40 | Acct-Status-Type | enum | [RFC2866] |
| 41 | Acct-Delay-Time | integer | [RFC2866] |
| 42 | Acct-Input-Octets | integer | [RFC2866] |
| 43 | Acct-Output-Octets | integer | [RFC2866] |
| 44 | Acct-Session-Id | text | [RFC2866] |
| 45 | Acct-Authentic | enum | [RFC2866] |
| 46 | Acct-Session-Time | integer | [RFC2866] |
| 47 | Acct-Input-Packets | integer | [RFC2866] |
| 48 | Acct-Output-Packets | integer | [RFC2866] |
| 49 | Acct-Terminate-Cause | enum | [RFC2866] |
| 50 | Acct-Multi-Session-Id | text | [RFC2866] |
| 51 | Acct-Link-Count | integer | [RFC2866] |
| 52 | Acct-Input-Gigawords | integer | [RFC2869] |
| 53 | Acct-Output-Gigawords | integer | [RFC2869] |
| 54 | Unassigned | ||
| 55 | Event-Timestamp | time | [RFC2869] |
| 56 | Egress-VLANID | integer | [RFC4675] |
| 57 | Ingress-Filters | enum | [RFC4675] |
| 58 | Egress-VLAN-Name | text | [RFC4675] |
| 59 | User-Priority-Table | string | [RFC4675] |
| 60 | CHAP-Challenge | string | [RFC2865] |
| 61 | NAS-Port-Type | enum | [RFC2865] |
| 62 | Port-Limit | integer | [RFC2865] |
| 63 | Login-LAT-Port | text | [RFC2865] |
3. 常见的Aruba Radius Attributes
在radius属性里 type为26的属性是每个厂商自定义的radius属性(vendor -specific),每个radius报文里的vendor-specific属性可能会有多个。
厂商自定义radius属性的报文格式如下:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type字段,所有的VSA属性的Type都是固定值:26
Length字段,大于7
Vendor-Id字段,4字节(32 bit),每个厂商对应固定的值,例如Aruba的Vendor-ID为14823
String字段, 是vendor-specific属性的内容,格式如下:Vendor Type + Vendor Length + Attribute-Specific
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Aruba Vendor- Specific属性如下表所示:
| Value | VSA | Data Type | Description |
| 1 | Aruba-User-Role | String | This VSA returns the role, to be assigned to the user post authentication. The user will be granted access based on the role attributes defined in the role. |
| 2 | Aruba-User-Vlan | Integer | This VSA is used to return the VLAN to be used by the client. The range for this VSA value is 1 – 4094, inclusive. |
| 3 | Aruba-Priv-Admin-User | Integer | If this VSA is set in the RADIUS accept message, the user can bypass the enable prompt. |
| 4 | Aruba-Admin-Role | String | This VSA returns the management role to be assigned to the user post management authentication. This role can be seen using the command show mgmt-role in the command-line interface. |
| 5 | Aruba-Essid-Name | String | String that identifies the name of the ESSID |
| 6 | Aruba-Location-Id | String | String that identifies the name of the AP location. |
| 7 | Aruba-Port-Id | String | String that identifies the Port ID. |
| 8 | Aruba-Template-User | String | String that identifies the name of an Aruba user template. |
| 9 | Aruba-Named-User-Vlan | String | This VSA returns a VLAN name for a user. This vlan name on a controllercould be mapped to user-defined name or or multiple VLAN IDs. |
| 10 | Aruba-AP-Group | String | String that identifies the name of an Aruba AP Group. |
| 11 | Aruba-Framed-IPv6-Address | String | This attribute is used for RADIUS accounting for IPv6 users. |
| 12 | Aruba-Device-Type | String | String that identifies an Aruba device on the network. |
| 14 | Aruba-No-DHCP-Fingerprint | Integer | This VSA prevents the controllerfrom deriving a role and VLAN based on DHCP finger printing. |
| 15 | Aruba-Mdps-Device-Udid | String | UDID is unique device identifier which is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the ClearPass Policy Manager (CPPM). The UDID is used to check against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 16 | Aruba-Mdps-Device-Imei | String | IMEI is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. IMEI checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 17 | Aruba-Mdps-Device-Iccid | String | ICCID is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. ICCID checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 18 | Aruba-Mdps-Max-Devices | String | Used by Onboard as a way to define and enforce the maximum number of devices that can be provisioned by a given user. |
| 19 | Aruba-Mdps-Device-Name | String | The device name is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device name checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 20 | Aruba-Mdps-Device-Product | String | The device product is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Product checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 21 | Aruba-Mdps-Device-Version | String | The device version is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Version checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 22 | Aruba-Mdps-Device-Serial | String | The device serial number is used as input attribute by the Onboard application while performing the device authorization to the internal RADIUS server within the CPPM. Device Serial checks against role mappings or enforcement policies to determine if the device is authorized to be onboarded. |
| 24 | Aruba-AirGroup-User-Name | String | A device owner or username associated with the device. |
| 25 | Aruba-AirGroup-Shared-User | String | This VSA contains a comma separated list of user names with whom the device is shared. |
| 26 | Aruba-AirGroup-Shared-Role | String | This VSA contains a comma separated list of user roles with whom the device is shared. |
| 27 | Aruba-AirGroup-Device-Type | Integer | A value of 1 for this VSA indicates that the device authenticating on the network is a personal device and a value of 2 indicates that it is a shared device. |
| 28 | Aruba-Auth-Survivability | String | This VSA is used by the Instant AP Auth survivability feature to indicate that the CPPM server sends the Aruba-AS-User-Name and Aruba-AS-Credential-Hash values. This attribute is just used as a flag and no specific value is required. |
| 29 | Aruba-AS-User-Name | String | This VSA is used by Auth survivability feature for Instant APs. The CPPM sends the actual user name to the Instant AP which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable. |
| 30 | Aruba-AS-Credential-Hash | String | This VSA is used by Auth survivability feature for Instant APs. The CPPM sends the NT hash of the password to the Instant AP which can be used by the Instant AP to authenticate the user if the CPPM server is not reachable. |
| 31 | Aruba-WorkSpace-App-Name | String | This VSA identifies an application supported by Aruba WorkSpace. |
| 32 | Aruba-Mdps-Provisioning-Settings | String | Used as part of the ClearPass Onboard technology, this attribute allows the CPPM to signal back to the onboard process the context of the device provisioning settings that should be applied to the device based on applied role mappings. |
| 33 | Aruba-Mdps-Device-Profile | String | Used as part of the ClearPass Onboard technology, this attribute allows CPPM to signal back to the onboard process the device profile that should be applied to the device based on applied role mappings. |
802.1X 認證后AC收到了access-accpect,上面有session-timeout的時間,但超過時間AC沒有發送accounting-stop給radius,請問是什麽問題,PS:portal認證可以收到,就802.1X不行
请教个问题,aruba控制器上某个VAP认证配置成802.1x认证(终结在radius服务器上)终端请求是username和password,但是控制器发给radius server的radius报文没有password属性是什么问题?
802.1X的加密是ms chap v2,看不到的。