
WiNG RADIUS Attributes

RADIUS Authentication Attributes:

The RADIUS protocol follows a client-server architecture and uses the User Datagram Protocol (UDP) as described in RFC 2865. The RF Switch sends user information to the RADIUS server in an Access-Request message and, after receiving a reply from the server, acts according to the returned information. The RADIUS server receives the access request from the client, attempts to authenticate the user, and returns configuration information and policies to the client. The RADIUS server may be configured to authenticate an Access-Request locally or against SQL, Kerberos, LDAP, or Active Directory.


During authentication the RADIUS server returns one of three responses to the NAS (the RF Switch):
1)  Access-Reject – The user is unconditionally denied access to the requested network resource. Failure reasons may include invalid credentials or an inactive account.
2)  Access-Challenge – Requests additional information from the user such as a secondary password, PIN, token or card. Access-Challenge is also used in more complex authentication in which a secure tunnel is established between the user and the RADIUS server, such as authentication using the Extensible Authentication Protocol (EAP).
3)  Access-Accept – The user is permitted access. The Access-Request often includes additional configuration information for the user using return attributes.

RADIUS services can be enabled on the RF Switch for management user authentication as well as WLAN user authentication. RADIUS services are required for WLANs implementing 802.1X EAP and Hotspot services but may also be enabled for MAC-based authentication.
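As an added example (not code from the WiNG documentation or the RF Switch firmware), the following Python builds an RFC 2865 Access-Request the way a NAS would, hides the User-Password with the shared secret and Request Authenticator, and verifies the Response Authenticator on the reply before acting on it. The shared secret, user name, password and NAS address are constructed values, and the reply is a constructed Access-Accept rather than one produced by a real server.

```python
# Added example, not from the WiNG documentation or the RF Switch firmware:
# an RFC 2865 Access-Request as a NAS would build it, User-Password hiding
# with the shared secret, and the Response Authenticator check a NAS must
# apply to the reply. Secret, credentials and NAS address are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 27

def encode_attr(attr_type, value):
    """Attribute TLV: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code, ident, authenticator, attrs):
    """Header: Code, Identifier, Length (whole packet), 16-octet Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is keyed obfuscation, not strong encryption, which is
    one reason WLAN deployments tunnel credentials inside EAP instead."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, as the RADIUS server applies it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip):
    """Returns (packet, request_authenticator); the NAS keeps the latter to
    verify the reply. It must be unpredictable and unique per request."""
    req_auth = os.urandom(16)
    attrs = (encode_attr(USER_NAME, username)
             + encode_attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(reply, req_auth, secret, expected_ident):
    """Check a reply against the outstanding request before acting on it. A NAS
    that skips this would honour an Access-Accept from any host able to reach it."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != expected_ident or length != len(reply):
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = response_authenticator(code, ident, reply[20:], req_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)

def demo():
    """Constructed exchange: one genuine Access-Accept and one forged with the
    right identifier but no knowledge of the shared secret."""
    secret = b"constructed-shared-secret"
    request, req_auth = build_access_request(7, b"alice", b"constructed-pw", secret, "192.0.2.10")
    attrs = encode_attr(SESSION_TIMEOUT, struct.pack("!I", 3600))  # a return attribute
    auth = response_authenticator(ACCESS_ACCEPT, 7, attrs, req_auth, secret)
    genuine = build_packet(ACCESS_ACCEPT, 7, auth, attrs)
    forged = build_packet(ACCESS_ACCEPT, 7, os.urandom(16), attrs)
    return verify_response(genuine, req_auth, secret, 7), verify_response(forged, req_auth, secret, 7)
```

`demo()` returns `(True, False)`: the genuine reply verifies, the forged one is discarded. The check rests entirely on the shared secret and the per-request authenticator, which is why a weak or reused secret, or a NAS that reuses Request Authenticators, undermines the whole exchange.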

RADIUS Accounting Attributes:
RADIUS accounting is used to send accounting information about an authenticated session to the RADIUS accounting server. Accounting information is sent to the server when a user connects to and disconnects from a WLAN and may also be forwarded periodically during the session.

RADIUS accounting information can be used to track an individual user's network usage for billing purposes and as a tool for gathering statistics for general network monitoring.

When network access is granted to the user by the RF Switch, an Accounting-Request message with the Acct-Status-Type field set to Start is forwarded by the RF Switch to the RADIUS server to signal the start of the user's network access. Start records typically contain the user's identification, network address, point of attachment and a unique session identifier.

Optionally, periodic Accounting-Request messages with the Acct-Status-Type field set to Interim-Update may be sent by the RF Switch to the RADIUS server to update it on the status of an active session. Interim records typically convey the current session duration and information on current data usage.

When the user's session is closed, the RF Switch forwards an Accounting-Request message with the Acct-Status-Type field set to Stop. This provides information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.

RADIUS accounting can be enabled or disabled on the RF Switch for each WLAN profile, and administrators can select how the RF Switch forwards accounting information to the RADIUS server. For each WLAN profile the following accounting configurations are supported:
1)  Start-Stop – The RF Switch will forward Accounting-Requests at the start and end of the user sessions.
2)  Stop-Only – The RF Switch will forward Accounting-Requests at the end of the user sessions.
3)  Start-Interim-Stop – The RF Switch will forward Accounting-Requests at the start and end of the user sessions as well as periodically during the lifetime of the sessions.

Dynamic Authorization Extensions:
The RADIUS authentication protocol does not support unsolicited messages sent from the RADIUS server to the RF Switch. However, there are many instances in which it is desirable for changes to be made to session characteristics without requiring the RF Switch to initiate the exchange.

To overcome these limitations several vendors have implemented additional RADIUS extensions that support unsolicited messages sent from the RADIUS server to an RF Switch. These extensions support Disconnect and Change-of-Authorization (CoA) messages that can be used to terminate an active user session or change the characteristics of an active session.
1)  Disconnect-Request – Causes a user session to be terminated. The Disconnect-Request packet identifies the NAS as well as the user session to be terminated by including the identification attributes shown in table 3.0.
2)  CoA-Request – Causes session information to be dynamically updated on the RF Switch. Currently a CoA-Request packet may only be used to change the session-timeout and the idle-timeout of a user.

The following table outlines the dynamic authorization extension attributes that have been implemented on the RF Switch in accordance with RFC 3576.
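The accounting section above and the dynamic authorization section share one mechanism: an Accounting-Request (RFC 2866), a Disconnect-Request and a CoA-Request (RFC 3576) all carry a Request Authenticator computed as MD5 over the packet with sixteen zero octets in place of the authenticator, followed by the shared secret. The following Python is an added example, not code from the WiNG documentation or the RF Switch firmware, showing the NAS side of both: it verifies that authenticator before recording a Start/Interim-Update/Stop record or honouring a Disconnect or CoA, and it NAKs a CoA that tries to change anything other than the session-timeout and idle-timeout, which is the restriction the text states for the RF Switch. The shared secret, session identifier, user name and the Tunnel-Type attribute used as an example of an unsupported change are constructed values.

```python
# Added example, not from the WiNG documentation or the RF Switch firmware:
# NAS-side handling of Accounting-Request (RFC 2866), Disconnect-Request and
# CoA-Request (RFC 3576), which share one Request Authenticator formula.
# The shared secret, session id and user name are constructed values.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 4, 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, FRAMED_IP_ADDRESS, SESSION_TIMEOUT, IDLE_TIMEOUT = 1, 8, 27, 28
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID, TUNNEL_TYPE = 31, 40, 44, 64
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # Acct-Status-Type values
SESSION_ID_ATTRS = {USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID}
COA_CHANGEABLE = {SESSION_TIMEOUT, IDLE_TIMEOUT}  # all the RF Switch lets a CoA change

def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 2866/3576."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs

def parse_attrs(data):
    """Walk the TLV list, refusing lengths that would read past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def verify_request(packet, secret):
    """Return (code, ident, attrs), or None if the packet does not verify. An
    unverifiable Disconnect/CoA-Request is silently dropped (RFC 3576), never
    NAKed, so the sender of a spoofed request learns nothing about the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    code, ident = packet[0], packet[1]
    if not hmac.compare_digest(packet[4:20], request_authenticator(code, ident, packet[20:], secret)):
        return None
    try:
        return code, ident, parse_attrs(packet[20:])
    except ValueError:
        return None

def record_accounting(packet, secret, ledger):
    """Append (Acct-Session-Id, status name) for a verified Accounting-Request; a
    Stop with no earlier Start, or a Start never closed by a Stop, is worth an alert."""
    parsed = verify_request(packet, secret)
    if parsed is None or parsed[0] != ACCOUNTING_REQUEST:
        return False
    by_type = dict(parsed[2])
    status = struct.unpack("!I", by_type[ACCT_STATUS_TYPE])[0]
    ledger.append((by_type[ACCT_SESSION_ID], STATUS_NAMES.get(status, "unknown")))
    return True

def handle_dynamic_authorization(packet, secret, active_sessions):
    """Return the reply code the NAS would send, or None to drop the packet.
    active_sessions maps Acct-Session-Id -> mutable session state."""
    parsed = verify_request(packet, secret)
    if parsed is None:
        return None
    code, _ident, attrs = parsed
    sid = dict(attrs).get(ACCT_SESSION_ID)
    session = active_sessions.get(sid)
    if code == DISCONNECT_REQUEST:
        if session is None:
            return DISCONNECT_NAK  # would carry Error-Cause 503, Session Context Not Found
        del active_sessions[sid]
        return DISCONNECT_ACK
    if code == COA_REQUEST:
        changes = {t: v for t, v in attrs if t not in SESSION_ID_ATTRS}
        if session is None or not changes or not changes.keys() <= COA_CHANGEABLE:
            return COA_NAK  # unknown session, or an attribute this NAS will not change
        for t, v in changes.items():
            session["session_timeout" if t == SESSION_TIMEOUT else "idle_timeout"] = struct.unpack("!I", v)[0]
        return COA_ACK
    return None

def demo():
    """Constructed exchange: Start record, valid CoA, CoA with an unsupported
    attribute, Disconnect signed with the wrong secret, then a valid Disconnect."""
    secret, sid = b"constructed-shared-secret", b"0000A1B2"
    sessions = {sid: {"user": "alice", "session_timeout": 3600, "idle_timeout": 300}}
    ledger, u32 = [], lambda n: struct.pack("!I", n)
    start = encode_attr(ACCT_STATUS_TYPE, u32(1)) + encode_attr(ACCT_SESSION_ID, sid)
    record_accounting(build_request(ACCOUNTING_REQUEST, 1, start, secret), secret, ledger)
    who = encode_attr(USER_NAME, b"alice") + encode_attr(ACCT_SESSION_ID, sid)
    coa = build_request(COA_REQUEST, 2, who + encode_attr(IDLE_TIMEOUT, u32(120)), secret)
    vlan_coa = build_request(COA_REQUEST, 3, who + encode_attr(TUNNEL_TYPE, u32(13)), secret)
    spoofed = build_request(DISCONNECT_REQUEST, 4, who, b"guessed-secret")
    disconnect = build_request(DISCONNECT_REQUEST, 5, who, secret)
    handle = lambda p: handle_dynamic_authorization(p, secret, sessions)
    return (handle(coa), sessions[sid]["idle_timeout"], handle(vlan_coa),
            handle(spoofed), handle(disconnect), sid in sessions, ledger)
```

`demo()` returns `(44, 120, 45, None, 41, False, [(b"0000A1B2", "Start")])`: the valid CoA is ACKed and lowers the idle timeout, the CoA carrying Tunnel-Type is NAKed, the Disconnect built with the wrong secret is dropped without any reply, and the genuine Disconnect is ACKed and removes the session. In a deployment the same verification is what separates an authorised change-of-authorization from a spoofed UDP datagram, so the secret used for the dynamic authorization port deserves the same care as the authentication secret.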



Reference Documentation:
