HP (Hewlett-Packard) T1428-90026 Server User Manual


 
Introduction to AAA Server
RADIUS Overview
If all conditions are met, the server will send an Access-Accept packet to
the client; otherwise, the server will send an Access-Reject. An
Access-Accept data packet often includes authorization information that
specifies what services the user can access and other session
information, such as a timeout value that will indicate when the user
should be disconnected from the system.
When the client receives an Access-Accept packet, it will generate an
Accounting-Request to start the session and send the request to the
server. The Accounting-Request data packet describes the type of service
being delivered and the user that will use the service. The server will
respond with an Accounting-Response to acknowledge that the request
was successfully received and recorded. The user’s session will end when
the client generates an Accounting-Request—triggered by the user, by
the client, or an interruption in service—to stop the session. Again, the
server will acknowledge the Accounting-Request with an
Accounting-Response.
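The exchange described above, sketched as an added Python example (not taken from the HP manual or the HP-UX AAA Server): it authenticates an Access-Accept before reading its timeout attribute, then builds and verifies the Accounting-Request/Accounting-Response pair. The authenticator formulas and attribute numbers are taken from RFC 2865 and RFC 2866, not from this page; the shared secret, user name, session ID and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_ACCEPT, ACCT_REQUEST, ACCT_RESPONSE = 2, 4, 5               # RADIUS codes
USER_NAME, SESSION_TIMEOUT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 27, 40, 44
START, STOP = 1, 2                                                   # Acct-Status-Type values

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build(code, ident, attrs, secret, req_auth=bytes(16)):
    """Authenticator = MD5(code | id | length | req_auth | attrs | secret).
    req_auth is 16 zero octets for an Accounting-Request and the request's
    own authenticator for any reply."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify(packet, secret, req_auth=bytes(16)):
    """Recompute the authenticator and compare in constant time."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Return {type: value}, rejecting truncated or malformed attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def demo(secret=b"constructed-shared-secret"):
    req_auth = os.urandom(16)  # stands in for the Access-Request authenticator
    # Server: Access-Accept carrying a one-hour Session-Timeout.
    accept = build(ACCESS_ACCEPT, 7, attr(SESSION_TIMEOUT, struct.pack("!I", 3600)), secret, req_auth)
    # Client: authenticate the reply before trusting its authorization data.
    if not verify(accept, secret, req_auth):
        raise ValueError("Access-Accept failed authentication")
    timeout = struct.unpack("!I", parse_attrs(accept)[SESSION_TIMEOUT])[0]
    # Client: Accounting-Request that starts the session.
    start = build(ACCT_REQUEST, 8, attr(USER_NAME, b"alice") + attr(ACCT_STATUS_TYPE,
                  struct.pack("!I", START)) + attr(ACCT_SESSION_ID, b"0001"), secret)
    # Server: verify and acknowledge; client: verify the Accounting-Response.
    response = build(ACCT_RESPONSE, 8, b"", secret, start[4:20])
    return timeout, verify(start, secret), verify(response, secret, start[4:20])
```

A reply whose authenticator does not verify should be dropped without acting on its attributes, since the Session-Timeout and other authorization data are only as trustworthy as that check.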
Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA
Server supports:
Password Authentication Protocol (PAP) is not a strong
authentication method to establish a connection; passwords are sent
in clear text between the user and client. When used with RADIUS
for authentication, the messages exchanged between the client and
server to establish a PPP connection correspond to Figure 1-2. This
authentication method is most appropriately used where a plaintext
password must be available to simulate a login at a remote host. In
such use, this method provides a similar level of security to the usual
user login at the remote host.
Challenge-Handshake Authentication Protocol (CHAP) is a
stronger authentication protocol to establish a connection. When
used with RADIUS for authentication, the messages exchanged
between the client and server to establish a PPP connection are
similar to Figure 1-2. One difference, however, is that a challenge
occurs between the user and NAS before the NAS sends an
Access-Request. The user must respond by encrypting the challenge
(usually a random number) and returning the result. Authorized
users are equipped with special devices, like smart cards or software,