Introduction to RADIUS Attributes

1.     Structure of a RADIUS Attribute

RADIUS request and reply packets, as well as RADIUS accounting packets, carry RADIUS attributes; each attribute holds a specific piece of authentication or authorization information. A single RADIUS request or reply packet may contain several attributes.

The attribute format is shown below. It has three parts: Type + Length + Value.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type field: one byte (8 bits), with values in the range 0 – 255; see the RADIUS attribute type table for details. Values 192-223 are reserved for experimental use, values 224-240 are reserved for implementation-specific use, and values 241-255 are reserved and should not be used.

Length field: one byte (8 bits), giving the length of the whole attribute (Type, Length and Value fields together). If an attribute with an invalid Length is received in an Access-Request, an Access-Reject should be sent.

Value field: 0 – 8 bytes (0-64 bits), holding the content of the attribute identified by Type. The data type of the Value field depends on Type, and its length depends on Length. There are five data type formats for Value: text, string, address, integer and time.

Reference: RFC 2865

2.     Common Standard RADIUS Attributes

The common standard RADIUS attribute values are listed below (only 1-63 are shown here); the full list of standard RADIUS attribute types is in the attachment: radius standard attributes types. Standard RADIUS attributes are common to every vendor.

| Value | Description | Data Type | Reference |
|---|---|---|---|
| 1 | User-Name | text | [RFC2865] |
| 2 | User-Password | string | [RFC2865] |
| 3 | CHAP-Password | string | [RFC2865] |
| 4 | NAS-IP-Address | ipv4addr | [RFC2865] |
| 5 | NAS-Port | integer | [RFC2865] |
| 6 | Service-Type | enum | [RFC2865] |
| 7 | Framed-Protocol | enum | [RFC2865] |
| 8 | Framed-IP-Address | ipv4addr | [RFC2865] |
| 9 | Framed-IP-Netmask | ipv4addr | [RFC2865] |
| 10 | Framed-Routing | enum | [RFC2865] |
| 11 | Filter-Id | text | [RFC2865] |
| 12 | Framed-MTU | integer | [RFC2865] |
| 13 | Framed-Compression | enum | [RFC2865] |
| 14 | Login-IP-Host | ipv4addr | [RFC2865] |
| 15 | Login-Service | enum | [RFC2865] |
| 16 | Login-TCP-Port | integer | [RFC2865] |
| 17 | Unassigned | | |
| 18 | Reply-Message | text | [RFC2865] |
| 19 | Callback-Number | text | [RFC2865] |
| 20 | Callback-Id | text | [RFC2865] |
| 21 | Unassigned | | |
| 22 | Framed-Route | text | [RFC2865] |
| 23 | Framed-IPX-Network | ipv4addr | [RFC2865] |
| 24 | State | string | [RFC2865] |
| 25 | Class | string | [RFC2865] |
| 26 | Vendor-Specific | vsa | [RFC2865] |
| 27 | Session-Timeout | integer | [RFC2865] |
| 28 | Idle-Timeout | integer | [RFC2865] |
| 29 | Termination-Action | enum | [RFC2865] |
| 30 | Called-Station-Id | text | [RFC2865] |
| 31 | Calling-Station-Id | text | [RFC2865] |
| 32 | NAS-Identifier | text | [RFC2865] |
| 33 | Proxy-State | string | [RFC2865] |
| 34 | Login-LAT-Service | text | [RFC2865] |
| 35 | Login-LAT-Node | text | [RFC2865] |
| 36 | Login-LAT-Group | string | [RFC2865] |
| 37 | Framed-AppleTalk-Link | integer | [RFC2865] |
| 38 | Framed-AppleTalk-Network | integer | [RFC2865] |
| 39 | Framed-AppleTalk-Zone | text | [RFC2865] |
| 40 | Acct-Status-Type | enum | [RFC2866] |
| 41 | Acct-Delay-Time | integer | [RFC2866] |
| 42 | Acct-Input-Octets | integer | [RFC2866] |
| 43 | Acct-Output-Octets | integer | [RFC2866] |
| 44 | Acct-Session-Id | text | [RFC2866] |
| 45 | Acct-Authentic | enum | [RFC2866] |
| 46 | Acct-Session-Time | integer | [RFC2866] |
| 47 | Acct-Input-Packets | integer | [RFC2866] |
| 48 | Acct-Output-Packets | integer | [RFC2866] |
| 49 | Acct-Terminate-Cause | enum | [RFC2866] |
| 50 | Acct-Multi-Session-Id | text | [RFC2866] |
| 51 | Acct-Link-Count | integer | [RFC2866] |
| 52 | Acct-Input-Gigawords | integer | [RFC2869] |
| 53 | Acct-Output-Gigawords | integer | [RFC2869] |
| 54 | Unassigned | | |
| 55 | Event-Timestamp | time | [RFC2869] |
| 56 | Egress-VLANID | integer | [RFC4675] |
| 57 | Ingress-Filters | enum | [RFC4675] |
| 58 | Egress-VLAN-Name | text | [RFC4675] |
| 59 | User-Priority-Table | string | [RFC4675] |
| 60 | CHAP-Challenge | string | [RFC2865] |
| 61 | NAS-Port-Type | enum | [RFC2865] |
| 62 | Port-Limit | integer | [RFC2865] |
| 63 | Login-LAT-Port | text | [RFC2865] |

3.     Common Aruba RADIUS Attributes

Among the RADIUS attributes, Type 26 is the attribute each vendor defines for itself (Vendor-Specific). A single RADIUS packet may carry several Vendor-Specific attributes.

The format of a vendor-specific attribute is as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |  Length       |            Vendor-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Vendor-Id (cont)           |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type field: the Type of every VSA is the fixed value 26.

Length field: greater than 7.

Vendor-Id field: 4 bytes (32 bits); each vendor has its own fixed value, for example Aruba's Vendor-Id is 14823.

String field: the content of the vendor-specific attribute, laid out as Vendor Type + Vendor Length + Attribute-Specific:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |  Length       |            Vendor-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Vendor-Id (cont)           | Vendor type   | Vendor length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Attribute-Specific...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+
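As an added example (not code from the original post or from Aruba), the following Python walks a RADIUS attribute list as described in sections 1 and 3: it follows the Type/Length/Value chain, rejects any invalid Length (the condition under which an Access-Reject should be sent), and unpacks a Type 26 attribute into its Vendor-Id plus Vendor type/Vendor length sub-attributes. The sample bytes are constructed here and carry Aruba's Vendor-Id 14823 with vendor types 1 (Aruba-User-Role) and 2 (Aruba-User-Vlan).

```python
import struct

VENDOR_SPECIFIC = 26       # Type shared by every vendor-specific attribute (RFC 2865)
ARUBA_VENDOR_ID = 14823    # Aruba's Vendor-Id, as given in the page

def build_vsa(vendor_id, sub_attrs):
    """Encode one Type 26 attribute: Vendor-Id, then (Vendor type, Vendor length, value) triples."""
    string = struct.pack("!I", vendor_id)
    for vtype, val in sub_attrs:
        string += struct.pack("!BB", vtype, 2 + len(val)) + val
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(string)) + string

def parse_vsa(value):
    """Split the String field of a VSA into (Vendor-Id, [(Vendor type, Attribute-Specific), ...])."""
    if len(value) < 6:  # Length must exceed 7: header + Vendor-Id + at least one sub-attribute header
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"invalid Vendor length {vlen} for Vendor type {vtype}")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

def parse_attributes(data):
    """Walk the Type/Length/Value list; an invalid Length raises ValueError (the Access-Reject case)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        # Length counts Type, Length and Value, so it can never be below 2 or overrun the buffer.
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"invalid Length {alen} for Type {atype}")
        value = data[pos + 2:pos + alen]
        attrs.append((atype, parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return attrs

# Constructed sample: User-Name (Type 1) "alice", then one Aruba VSA carrying
# Aruba-User-Role (vendor type 1) "employee" and Aruba-User-Vlan (vendor type 2) 100.
SAMPLE = (struct.pack("!BB", 1, 2 + 5) + b"alice"
          + build_vsa(ARUBA_VENDOR_ID, [(1, b"employee"), (2, struct.pack("!I", 100))]))
# Same bytes with the VSA's Length byte (offset 8) overwritten to claim more data than exists.
BAD_SAMPLE = SAMPLE[:8] + bytes([200]) + SAMPLE[9:]
```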

The Aruba Vendor-Specific attributes are listed in the following table:

| Value | VSA | Data Type | Description |
|---|---|---|---|
| 1 | Aruba-User-Role | String | This VSA returns the role to be assigned to the user after authentication. The user is granted access based on the role attributes defined in that role. |
| 2 | Aruba-User-Vlan | Integer | This VSA returns the VLAN to be used by the client. The range for this VSA value is 1 – 4094, inclusive. |
| 3 | Aruba-Priv-Admin-User | Integer | If this VSA is set in the RADIUS accept message, the user can bypass the enable prompt. |
| 4 | Aruba-Admin-Role | String | This VSA returns the management role to be assigned to the user after management authentication. This role can be viewed with the command show mgmt-role in the command-line interface. |
| 5 | Aruba-Essid-Name | String | String that identifies the name of the ESSID. |
| 6 | Aruba-Location-Id | String | String that identifies the name of the AP location. |
| 7 | Aruba-Port-Id | String | String that identifies the Port ID. |
| 8 | Aruba-Template-User | String | String that identifies the name of an Aruba user template. |
| 9 | Aruba-Named-User-Vlan | String | This VSA returns a VLAN name for a user. On a controller this VLAN name can be mapped to a user-defined name or to multiple VLAN IDs. |
| 10 | Aruba-AP-Group | String | String that identifies the name of an Aruba AP Group. |
| 11 | Aruba-Framed-IPv6-Address | String | This attribute is used for RADIUS accounting for IPv6 users. |
| 12 | Aruba-Device-Type | String | String that identifies an Aruba device on the network. |
| 14 | Aruba-No-DHCP-Fingerprint | Integer | This VSA prevents the controller from deriving a role and VLAN based on DHCP fingerprinting. |
| 15 | Aruba-Mdps-Device-Udid | String | UDID is a unique device identifier used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the ClearPass Policy Manager (CPPM). The UDID is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 16 | Aruba-Mdps-Device-Imei | String | IMEI is used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the CPPM. IMEI is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 17 | Aruba-Mdps-Device-Iccid | String | ICCID is used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the CPPM. ICCID is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 18 | Aruba-Mdps-Max-Devices | String | Used by Onboard to define and enforce the maximum number of devices that can be provisioned by a given user. |
| 19 | Aruba-Mdps-Device-Name | String | The device name is used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the CPPM. Device name is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 20 | Aruba-Mdps-Device-Product | String | The device product is used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the CPPM. Device Product is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 21 | Aruba-Mdps-Device-Version | String | The device version is used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the CPPM. Device Version is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 22 | Aruba-Mdps-Device-Serial | String | The device serial number is used as an input attribute by the Onboard application while performing device authorization against the internal RADIUS server within the CPPM. Device Serial is checked against role mappings or enforcement policies to determine whether the device is authorized to be onboarded. |
| 24 | Aruba-AirGroup-User-Name | String | A device owner or username associated with the device. |
| 25 | Aruba-AirGroup-Shared-User | String | This VSA contains a comma-separated list of user names with whom the device is shared. |
| 26 | Aruba-AirGroup-Shared-Role | String | This VSA contains a comma-separated list of user roles with whom the device is shared. |
| 27 | Aruba-AirGroup-Device-Type | Integer | A value of 1 for this VSA indicates that the device authenticating on the network is a personal device; a value of 2 indicates that it is a shared device. |
| 28 | Aruba-Auth-Survivability | String | This VSA is used by the Instant AP Auth survivability feature to indicate that the CPPM server sends the Aruba-AS-User-Name and Aruba-AS-Credential-Hash values. This attribute is used only as a flag and no specific value is required. |
| 29 | Aruba-AS-User-Name | String | This VSA is used by the Auth survivability feature for Instant APs. The CPPM sends the actual user name to the Instant AP, which the Instant AP can use to authenticate the user if the CPPM server is not reachable. |
| 30 | Aruba-AS-Credential-Hash | String | This VSA is used by the Auth survivability feature for Instant APs. The CPPM sends the NT hash of the password to the Instant AP, which the Instant AP can use to authenticate the user if the CPPM server is not reachable. |
| 31 | Aruba-WorkSpace-App-Name | String | This VSA identifies an application supported by Aruba WorkSpace. |
| 32 | Aruba-Mdps-Provisioning-Settings | String | Used as part of the ClearPass Onboard technology, this attribute allows the CPPM to signal back to the onboard process the device provisioning settings that should be applied to the device based on the applied role mappings. |
| 33 | Aruba-Mdps-Device-Profile | String | Used as part of the ClearPass Onboard technology, this attribute allows the CPPM to signal back to the onboard process the device profile that should be applied to the device based on the applied role mappings. |

This Post Has 3 Comments

  1. After 802.1X authentication the AC received an Access-Accept carrying a Session-Timeout value, but once that time expired the AC did not send an Accounting-Stop to the RADIUS server. What could the problem be? PS: with portal authentication it is received; only 802.1X does not work.

  2. A question: on an Aruba controller a VAP is configured for 802.1X authentication (terminated on the RADIUS server). The client submits a username and password, but the RADIUS packet the controller sends to the RADIUS server contains no password attribute. What is the cause?
