Support User Manuals

Raritan Computer TR361 Switch User Manual

Open as PDF

of 84

CHAPTER 4: ADMINISTRATIVE FUNCTIONS 59

Returning User Group Information via RADIUS

When a RADIUS authentication attempt succeeds, IP-Reach determines the permissions for a given user

based on the permissions of the user’s group.

Your remote RADIUS server can provide these user group names by returning an attribute, implemented as

a RADIUS FILTER-ID. The FILTER-ID should be formatted as follows:

Raritan:G{GROUP_NAME}

where GROUP_NAME is a string, denoting the name of the group to which the user belongs.

RADIUS Communication Exchange Specifications

IP-Reach sends the following information to RADIUS server in an authentication query:

ATTRIBUTE DATA

USER-NAME The user name entered at the login screen.

USER-PASSWORD In PAP mode, the encrypted password entered at the login screen.

CHAP-PASSWORD In CHAP mode, the CHAP protocol response computed from the password and

the CHAP challenge data.

NAS-IP-ADDRESS IP-Reach’s IP Address

NAS-IDENTIFIER The IP-Reach unit name as configured in “Network Configuration” (see previous

section).

NAS-PORT-TYPE The value ASYNC (0) for modem connections and ETHERNET (15) for network

connections.

NAS-PORT Always 0.

STATE If this request is in response to an ACCESS-CHALLENGE, the state data from the

ACCESS-CHALLENGE packet will be returned.

PROXY-STATE If this request is in response to an ACCESS-CHALLENGE, the proxy state data

from the ACCESS-CHALLENGE packet will be returned.

IP-Reach sends the following RADIUS attributes to the RADIUS server with each accounting request:

ATTRIBUTE DATA

SESSION-TYPE Either START (1) for log in or STOP (2) for log out.

SESSION-ID A string containing a unique session name. The name is in the format of “<NAS-

IDENTIFIER>:<user IP address>:<unique session number>”

Example: “IP-Reach:192.168.1.100:122”

USER-NAME As above.

NAS-IP-ADDRESS As above.

NAS-IDENTIFIER As above.

NAS-PORT-TYPE As above.

NAS-PORT As above.

FILTER-ID Any FILTER-ID attributes returned by the RADIUS server during authentication

will be sent in each accounting request.

CLASS Any CLASS attributes returned by the RADIUS server during authentication will be

sent in each accounting request.

ACCT-

AUTHENTIC

How the user was authenticated. Either RADIUS (1) if the user was authenticated by

the RADIUS server or LOCAL (2) if the user was authenticated by IP-Reach’s built-

in user name database.

TERMINATE-

CAUSE

If this is a STOP request, the reason the user was terminated. Either

USER_REQUEST (1), LOST_SERVICE (3), SESSION_TIMEOUT (5), or

ADMIN_RESET (6).

previous next