CHAPTER 4: ADMINISTRATIVE FUNCTIONS 59
Returning User Group Information via RADIUS
When a RADIUS authentication attempt succeeds, IP-Reach determines the permissions for a given user
based on the permissions of the user’s group.
Your remote RADIUS server can provide these user group names by returning an attribute, implemented as
a RADIUS FILTER-ID. The FILTER-ID should be formatted as follows:
Raritan:G{GROUP_NAME}
where GROUP_NAME is a string, denoting the name of the group to which the user belongs.
RADIUS Communication Exchange Specifications
IP-Reach sends the following information to the RADIUS server in an authentication query:
ATTRIBUTE        DATA
USER-NAME        The user name entered at the login screen.
USER-PASSWORD    In PAP mode, the encrypted password entered at the login screen.
CHAP-PASSWORD    In CHAP mode, the CHAP protocol response computed from the password and the CHAP challenge data.
NAS-IP-ADDRESS   IP-Reach’s IP Address
NAS-IDENTIFIER   The IP-Reach unit name as configured in “Network Configuration” (see previous section).
NAS-PORT-TYPE    The value ASYNC (0) for modem connections and ETHERNET (15) for network connections.
NAS-PORT         Always 0.
STATE            If this request is in response to an ACCESS-CHALLENGE, the state data from the ACCESS-CHALLENGE packet will be returned.
PROXY-STATE      If this request is in response to an ACCESS-CHALLENGE, the proxy state data from the ACCESS-CHALLENGE packet will be returned.
IP-Reach sends the following RADIUS attributes to the RADIUS server with each accounting request:
ATTRIBUTE        DATA
SESSION-TYPE     Either START (1) for log in or STOP (2) for log out.
SESSION-ID       A string containing a unique session name. The name is in the format of “<NAS-IDENTIFIER>:<user IP address>:<unique session number>”. Example: “IP-Reach:192.168.1.100:122”
USER-NAME        As above.
NAS-IP-ADDRESS   As above.
NAS-IDENTIFIER   As above.
NAS-PORT-TYPE    As above.
NAS-PORT         As above.
FILTER-ID        Any FILTER-ID attributes returned by the RADIUS server during authentication will be sent in each accounting request.
CLASS            Any CLASS attributes returned by the RADIUS server during authentication will be sent in each accounting request.
ACCT-AUTHENTIC   How the user was authenticated. Either RADIUS (1) if the user was authenticated by the RADIUS server or LOCAL (2) if the user was authenticated by IP-Reach’s built-in user name database.
TERMINATE-CAUSE  If this is a STOP request, the reason the user was terminated. Either USER_REQUEST (1), LOST_SERVICE (3), SESSION_TIMEOUT (5), or ADMIN_RESET (6).
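The accounting attributes above are enough to audit IP-Reach logins on the RADIUS side. The following Python sketch is an added example, not Raritan code: it extracts group names from FILTER-ID values, parses SESSION-ID strings, and pairs START and STOP records to flag sessions worth a second look. It assumes the braces in Raritan:G{GROUP_NAME} are literal, that user addresses are IPv4 as in the example above, and that accounting records have already been decoded into dictionaries keyed by the attribute names in the table; the function names, the group "Admin" and the sample records are constructed for illustration.

```python
import re

# Assumption: the braces in "Raritan:G{GROUP_NAME}" are literal characters.
FILTER_ID_RE = re.compile(r"^Raritan:G\{([^{}]+)\}$")
# "<NAS-IDENTIFIER>:<user IP address>:<unique session number>" (IPv4 assumed)
SESSION_ID_RE = re.compile(r"^(.+):(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
START, STOP = 1, 2              # SESSION-TYPE values from the table
AUTH_RADIUS, AUTH_LOCAL = 1, 2  # ACCT-AUTHENTIC values from the table
TERMINATE_CAUSE = {1: "USER_REQUEST", 3: "LOST_SERVICE",
                   5: "SESSION_TIMEOUT", 6: "ADMIN_RESET"}

def groups_from_filter_ids(filter_ids):
    """Extract group names; FILTER-ID values in any other format are ignored."""
    return [m.group(1) for m in map(FILTER_ID_RE.match, filter_ids) if m]

def parse_session_id(session_id):
    """Split a SESSION-ID into (NAS identifier, user IP, session number)."""
    m = SESSION_ID_RE.match(session_id)
    if m is None:
        raise ValueError(f"unexpected SESSION-ID format: {session_id!r}")
    return m.group(1), m.group(2), int(m.group(3))

def review(records):
    """Pair START/STOP records and return (session_id, finding) tuples."""
    findings, open_sessions = [], {}
    for rec in records:
        sid = rec["SESSION-ID"]
        parse_session_id(sid)  # reject malformed identifiers early
        if rec["SESSION-TYPE"] == START:
            open_sessions[sid] = rec
            if rec["ACCT-AUTHENTIC"] == AUTH_LOCAL:
                findings.append((sid, "authenticated LOCAL, not by RADIUS"))
        elif rec["SESSION-TYPE"] == STOP:
            if open_sessions.pop(sid, None) is None:
                findings.append((sid, "STOP without matching START"))
            cause = TERMINATE_CAUSE.get(rec.get("TERMINATE-CAUSE"), "UNKNOWN")
            if cause == "ADMIN_RESET":
                findings.append((sid, "terminated by ADMIN_RESET"))
    findings += [(sid, "START without STOP") for sid in open_sessions]
    return findings

# Constructed sample records (not captured from a real device).
SAMPLE = [
    {"SESSION-TYPE": START, "SESSION-ID": "IP-Reach:192.168.1.100:122", "USER-NAME": "alice",
     "ACCT-AUTHENTIC": AUTH_RADIUS, "FILTER-ID": ["Raritan:G{Admin}"]},
    {"SESSION-TYPE": STOP, "SESSION-ID": "IP-Reach:192.168.1.100:122", "USER-NAME": "alice",
     "ACCT-AUTHENTIC": AUTH_RADIUS, "TERMINATE-CAUSE": 1},
    {"SESSION-TYPE": START, "SESSION-ID": "IP-Reach:192.168.1.101:123", "USER-NAME": "bob",
     "ACCT-AUTHENTIC": AUTH_LOCAL, "FILTER-ID": []},
    {"SESSION-TYPE": STOP, "SESSION-ID": "IP-Reach:192.168.1.102:90", "USER-NAME": "carol",
     "ACCT-AUTHENTIC": AUTH_RADIUS, "TERMINATE-CAUSE": 6},
]
```

Calling review(SAMPLE) returns four findings: the LOCAL login and its missing STOP for session 123, and the unmatched STOP and ADMIN_RESET termination for session 90.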