01. How do RADIUS attributes work?
This is the first entry in our blog. We will talk about some general terms found in the Internet Service Provider business, namely RADIUS packets and attributes. We hope this text will be easy to understand even for non-technical staff. Keep in mind, however, that we will not cover here what the RADIUS protocol is or how it works.
One of the most important parts of the RADIUS protocol is how communication takes place between Network Access Servers (NAS) and the RADIUS server. Without going into the details of how this is carried over UDP, what interests us is what is inside the packet sent over the network.
This is where the RADIUS packet comes in. In a nutshell, it is a glorified configuration file sent as a UDP packet of 100 or more bytes. Each packet is little more than zero or more name = value pairs, each containing an attribute name and an attribute value that together describe what is going on and what we are trying to accomplish.
There are many types of RADIUS packets, each used in a separate, exactly defined situation. Some are sent only by the NAS, some only by the RADIUS server. What matters is that all of them may carry zero, one or many attributes, though some packet types do not really need any. There are also clear specifications of which attribute may go in which packet type and how many times. It is rare but possible for the same attribute to be present more than once in a packet, so as a rule think of them as unique per packet.
For example, when a client is trying to authenticate, the RADIUS server receives an authentication request packet from the NAS that contains attributes like these:
    User-Name = firstname.lastname@example.org
    User-Password = 0x3827fe085adf987ca9b8210
    Nas-Identifier = hotspot_12
    NAS-IP-Address = 192.168.0.1
In the example packet you see some common attributes. They are all defined as standard RADIUS attributes and are described in special text files called RADIUS dictionaries. Standard attributes are understood and used by most, if not all, NAS types you may come across (Cisco, MikroTik etc.). Part of the standard dictionary is:
    ATTRIBUTE User-Name            1  string
    ATTRIBUTE User-Password        2  string
    ATTRIBUTE CHAP-Password        3  octets
    ATTRIBUTE NAS-IP-Address       4  ipaddr
    ATTRIBUTE NAS-Port             5  integer
    ATTRIBUTE Service-Type         6  integer
    ATTRIBUTE Framed-Protocol      7  integer
    ATTRIBUTE Framed-IP-Address    8  ipaddr
    ATTRIBUTE Framed-IP-Netmask    9  ipaddr
    ATTRIBUTE Framed-Routing       10 integer
    ATTRIBUTE Filter-Id            11 string
    ATTRIBUTE Framed-MTU           12 integer
    ATTRIBUTE Framed-Compression   13 integer
    ATTRIBUTE Login-IP-Host        14 ipaddr
    ATTRIBUTE Login-Service        15 integer
As you can see, each attribute is defined with a specific type. There are string, ipaddr and integer types, and some other, less common ones. They are more than just a clue to you about what kind of information goes with an attribute: they are instructions for the RADIUS and NAS servers on how to build packets at the byte level.
Going back to our authentication request example: the attributes in that packet give the RADIUS server enough information to decide what to do with the request. If RADIUS decides it is valid, an access accept packet is sent back containing:
    Framed-IP-Address = 188.8.131.52
    Session-Timeout = 86400
    Mikrotik-Recv-Limit = 100000
Again, all standard RADIUS attributes are present, except the last one. Each NAS type may have specific attributes it can understand; these are called vendor specific attributes. They are defined in the same way as standard attributes, in separate dictionaries provided with the NAS. Their purpose is to inform RADIUS of the specific and unique features that NAS type has to offer. Keep in mind that nothing will happen if you use these attributes with a different NAS type: by default they all ignore attributes they do not understand.
By now you have a basic understanding of what RADIUS packets and attributes are and how they work. There is a lot more to learn, and we will soon cover questions like:
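To make the two points above concrete (dictionary types decide the byte layout, and a vendor specific attribute is a standard attribute wrapping a vendor's own TLV), here is an added Python example that is not part of this post or of BlissRADIUS. The mini dictionary is constructed from the attributes used above; the vendor id 14988 and vendor-type 1 for Mikrotik-Recv-Limit are assumptions to verify against the dictionary shipped with your NAS.

```python
import struct
import ipaddress
# Constructed mini dictionary: name -> (type code, data type), codes per RFC 2865.
# Mikrotik-Recv-Limit is ASSUMED to be vendor 14988, vendor-type 1; verify this
# against the vendor dictionary shipped with your NAS before relying on it.
DICT = {"User-Name": (1, "string"), "NAS-IP-Address": (4, "ipaddr"),
        "Framed-IP-Address": (8, "ipaddr"), "Session-Timeout": (27, "integer")}
VSA_DICT = {"Mikrotik-Recv-Limit": (14988, 1, "integer")}
BY_CODE = {c: (n, t) for n, (c, t) in DICT.items()}
BY_VENDOR = {(v, c): (n, t) for n, (v, c, t) in VSA_DICT.items()}
VENDOR_SPECIFIC = 26
# The dictionary type tells both ends how the value is laid out on the wire.
ENC = {"string": str.encode, "integer": lambda v: struct.pack("!I", v),
       "ipaddr": lambda v: ipaddress.IPv4Address(v).packed, "octets": bytes}
DEC = {"string": bytes.decode, "integer": lambda b: struct.unpack("!I", b)[0],
       "ipaddr": lambda b: str(ipaddress.IPv4Address(b)), "octets": bytes}

def encode_avp(name, value):
    """One attribute as Type(1) Length(1) Value; a VSA wraps Vendor-Id + inner TLV."""
    if name in VSA_DICT:
        vendor, vtype, dtype = VSA_DICT[name]
        data = ENC[dtype](value)
        body = struct.pack("!IBB", vendor, vtype, 2 + len(data)) + data
        return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body
    code, dtype = DICT[name]
    data = ENC[dtype](value)
    if len(data) > 253:  # Length is a single byte, so a value is at most 253 bytes
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, 2 + len(data)) + data

def decode_avps(buf):
    """Parse a run of AVPs; attributes not in the dictionary are kept, not dropped."""
    out, pos = [], 0
    while pos < len(buf):
        # A Length below 2 or past the end of the buffer is malformed: reject it
        # rather than looping forever or reading past the packet.
        if len(buf) - pos < 2 or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        code, length = buf[pos], buf[pos + 1]
        data = buf[pos + 2:pos + length]
        if code == VENDOR_SPECIFIC and len(data) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
            name, dtype = BY_VENDOR.get((vendor, vtype), (f"Vendor-{vendor}-{vtype}", "octets"))
            out.append((name, DEC[dtype](data[6:4 + vlen])))
        elif code in BY_CODE:
            name, dtype = BY_CODE[code]
            out.append((name, DEC[dtype](data)))
        else:
            out.append((f"Unknown-{code}", data))  # what a NAS does: ignore, not fail
        pos += length
    return out
```

Encoding the access accept from above and decoding it back yields the same three name = value pairs, with the MikroTik attribute travelling inside a standard type 26 Vendor-Specific attribute.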
- What types of packets exist and when are they used?
- What standard and vendor specific attributes are there and how to use them?
If you are using BlissRADIUS, you may have already found out that configuring RADIUS attributes in the admin portal is as easy as writing them down the way you see them in the examples here. You might also have noticed that BlissRADIUS uses rather advanced inheritance rules: you can override attributes depending on which NAS or account type the request is coming from.
Copyright © 2014 - 2021 LightBulb Software™ All Rights Reserved.