Internet Authentication Service
The following section provides information that might be useful for the following:
RADIUS packets sent to the RADIUS server are sent as User Datagram Protocol (UDP) messages using UDP port 1812 for RADIUS authentication messages and UDP port 1813 for RADIUS accounting messages. Some older network access servers use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. IAS supports the receiving of RADIUS messages on both sets of UDP ports. Exactly one RADIUS packet is encapsulated in the UDP payload.
Figure 8.1 shows the general structure of a RADIUS packet.
Figure 8.1 General Structure of RADIUS Packet
The Code field is 1 byte long and indicates the type of RADIUS packet. A packet with an invalid Code field is silently discarded. The defined values for the RADIUS Code field are listed in Table 8.1.
Table 8.1 Values for the RADIUS Code Field
Codes (Decimal) | Packets |
---|---|
1 | Access-Request |
2 | Access-Accept |
3 | Access-Reject |
4 | Accounting-Request |
5 | Accounting-Response |
11 | Access-Challenge |
12 | Status-Server (experimental) |
13 | Status-Client (experimental) |
255 | Reserved |
The Identifier field is 1 byte long and is used to match a request with its corresponding response.
The Length field is two octets long and indicates the entire length of the packet and RADIUS message, including the Code, Identifier, Length, and Authenticator fields, and the RADIUS Attributes. The Length field can vary from 20 to 4,096 bytes.
The Authenticator field is sixteen octets long and contains the information that the RADIUS client and server use to authenticate each other.
The Attributes section of the RADIUS packet contains one or more RADIUS attributes, which carry the specific authentication, authorization, information, and configuration details for RADIUS packets. For attributes that have multiple instances, the order of the attributes must be preserved. Otherwise, attribute types do not have to have their order preserved.
Figure 8.2 shows the structure of each RADIUS attribute. RADIUS attributes use the common Type-Length-Value format used by other protocols.
Figure 8.2 RADIUS Attribute Structure
The Type field is 1 byte long and indicates the specific type of RADIUS attribute. For information about the most recent RADIUS attributes, see the Radius Types link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
Some of the attributes are listed in Table 8.2. For information about other RADIUS attributes and their use, see RFCs 2138 and 2139.
Table 8.2 RADIUS Attribute Types
Type Values | Description |
---|---|
1 | User-Name |
2 | User-Password |
3 | CHAP-Password |
4 | NAS-IP-Address |
5 | NAS-Port |
6 | Service-Type |
7 | Framed-Protocol |
8 | Framed-IP-Address |
9 | Framed-IP-Netmask |
10 | Framed-Routing |
11 | Filter-ID |
12 | Framed-MTU |
13 | Framed-Compression |
19 | Reply-Message |
24 | State |
25 | Class |
26 | Vendor-Specific |
27 | Session-Timeout |
28 | Idle-Timeout |
29 | Termination-Action |
32 | NAS-Identifier |
61 | NAS-Port-Type |
62 | Port-Limit |
Type values 192 through 223 are reserved for experimental use, values 224 through 240 are reserved for implementation-specific use, and values 241 through 255 are reserved and must not be used. Value 26 is reserved for vendor-specific attributes (VSAs).
The Length field indicates the length of the attribute, including the Type, Length, and Value fields.
The Value field is zero or more octets and contains information specific to the Attribute. The format and length of the Value field is based on the type of RADIUS attribute.
VSAs are available to allow vendors to support their own proprietary attributes that are not covered by RFC 2138. IAS includes VSAs from a number of vendors in its multivendor dictionary. However, this list evolves over time and new attributes and vendors are always being added.
To accommodate attributes that are not in the IAS multivendor dictionary, IAS allows you to add them as Vendor-Specific (attribute type 26) in the Advanced tab of a remote access policy profile. To use attribute type 26, an administrator needs to know the VSA format, as well as the exact information to enter. The VSA formats are documented in the following section. For information about what to enter, see your NAS documentation.
The structure of the vendor-specific attribute is shown in Figure 8.3.
Figure 8.3 Vendor-Specific Attribute Structure
The Type value is set to 26 (0x1A) to indicate a VSA.
The Length value is set to the number of bytes in the VSA.
The Vendor-ID field is 4 octets long. Its high-order octet is 0 (0x00), and its low-order 3 octets are the Structure and Identification of Management Information (SMI) Network Management Private Enterprise Code of the vendor.
The String field is the VSA consisting of one or more octets. To conform with the recommendation of RFC 2138, the String field should consist of the fields as shown in Figure 8.4.
Figure 8.4 Structure of the String Field
The Vendor-Type value is used to indicate a specific VSA for the vendor.
The Vendor-Length value is set to the number of bytes in the String field.
The Attribute-Specific field contains the data for the specific vendor attribute.
Vendors that do not conform to RFC 2138 use the attribute type 26 to identify a vendor-specific attribute but do not use the Vendor Type, Vendor Length, and Attribute-Specific fields within the String field. In this case, the vendor-specific attribute format appears as shown in Figure 8.4.
When adding a VSA for a particular NAS as type 26, you need to know whether the attribute conforms to RFC 2138. For information about whether your NAS uses the VSA format documented in Figure 8.4, see your NAS documentation.
VSAs are configured from the Vendor-Specific Attribute Information dialog box when adding a Vendor-Specific Attribute from the Advanced tab of a remote access policy profile. If the VSA format conforms to RFC 2138, select the "Yes. It conforms." option and configure the attribute with the vendor-assigned attribute number, attribute format, and attribute value as defined in NAS documentation. If the VSA format does not conform to RFC 2138, choose "No. It does not conform." and configure the attribute with the hexadecimal attribute value, which includes the string of the VSA format (everything after Vendor-ID) as defined in NAS documentation. For more information about configuring vendor-specific attributes, see "IAS Authorization" later in this chapter.
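The packet layout of Figures 8.1 and 8.2 and the VSA layout of Figures 8.3 and 8.4, as an added example that is not part of the original chapter or of IAS: a small parser that applies the discard rules stated above (invalid Code, Length outside 20 to 4,096 or beyond the UDP payload, an attribute that does not fit, a Vendor-ID whose high-order octet is not 0) and decodes the String field both in the RFC 2138-conforming form and in the raw non-conforming form. The sample packet is constructed to resemble the Access-Request trace later in this section; the vendor type 18 used for the MSRASV5.00 string is an assumption.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",   # Table 8.1
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
VENDOR_SPECIFIC = 26                                                    # Figure 8.3

def decode_vsa_string(s: bytes) -> dict:
    # Figure 8.4 sub-attribute if its Vendor-Length spans the String, else raw (non-conforming)
    if len(s) >= 2 and s[1] == len(s):
        return {"vendor_type": s[0], "data": s[2:]}
    return {"raw": s}

def parse_radius(packet: bytes):
    # None means "silently discard": bad Code, Length outside 20..4096 or payload, bad attribute
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or not 20 <= length <= min(4096, len(packet)):
        return None
    attrs, pos = [], 20
    while pos < length:                             # octets past Length are ignored
        atype, alen = packet[pos], (packet[pos + 1] if length - pos >= 2 else 0)
        if alen < 2 or pos + alen > length:         # attribute Length counts Type and Length
            return None
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4 or value[0] != 0:     # Vendor-ID: high-order octet must be 0
                return None
            attrs.append((atype, struct.unpack("!I", value[:4])[0], decode_vsa_string(value[4:])))
        else:
            attrs.append((atype, value))
        pos += alen
    return {"code": CODES[code], "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value

def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    sub = bytes([vendor_type, 2 + len(data)]) + data          # RFC 2138-conforming String
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

# Constructed sample modelled on the Access-Request trace, not the captured bytes;
# vendor type 18 for the MSRASV5.00 string is an assumption (MS-RAS-Version, RFC 2548)
SAMPLE = build_packet(1, 2, bytes(range(16)), [
    build_attr(4, bytes([10, 10, 210, 13])),                  # NAS-IP-Address, length 6
    build_attr(1, b"NTRESKIT\\johndoe"),                       # User-Name, length 18
    build_vsa(311, 18, b"MSRASV5.00"),                          # Vendor-Specific, length 18
])
```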
A Windows 2000 PPTP client attempts a remote access connection to a Windows 2000 VPN server. The VPN server is at the IP address 10.10.210.13, and the IAS server is at the IP address 10.10.210.12.
The following Network Monitor trace shows the Access-Request packet sent by the VPN server to the IAS server.
+ IP: ID = 0x850; Proto = UDP; Len: 248
+ UDP: Src Port: Unknown, (1327); Dst Port: Unknown (1812); Length = 228 (0xE4)
RADIUS: Message Type: Access Request(1)
RADIUS: Message Type = Access Request
RADIUS: Identifier = 2 (0x2)
RADIUS: Length = 220 (0xDC)
RADIUS: Authenticator = 8A 6F DC 03 23 5F 4B 62 CA 40 92 38 DC 75 CB 74
RADIUS: Attribute Type: NAS IP Address(4)
RADIUS: Attribute type = NAS IP Address
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS IP address = 10.10.210.13
RADIUS: Attribute Type: Service Type(6)
RADIUS: Attribute type = Service Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Service type = Framed
RADIUS: Attribute Type: Framed Protocol(7)
RADIUS: Attribute type = Framed Protocol
RADIUS: Attribute length = 6 (0x6)
RADIUS: Framed protocol = PPP
RADIUS: Attribute Type: NAS Port(5)
RADIUS: Attribute type = NAS Port
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS port = 32 (0x20)
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 12 (0xC)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 18 (0x12)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = MSRASV5.00
RADIUS: Attribute Type: NAS Port Type(61)
RADIUS: Attribute type = NAS Port Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS port type = Virtual
RADIUS: Attribute Type: Tunnel Type(64)
RADIUS: Attribute type = Tunnel Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Tag = 0 (0x0)
RADIUS: Tunnel type = Point-to-Point Tunneling Protocol(PPTP)
RADIUS: Attribute Type: Tunnel Media Type(65)
RADIUS: Attribute type = Tunnel Media Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Tag = 0 (0x0)
RADIUS: Tunnel media type = IP (IP version 4)
RADIUS: Attribute Type: Calling Station ID(31)
RADIUS: Attribute type = Calling Station ID
RADIUS: Attribute length = 14 (0xE)
RADIUS: Calling station ID = 10.10.14.226
RADIUS: Attribute Type: Tunnel Client Endpoint(66)
RADIUS: Attribute type = Tunnel Client Endpoint
RADIUS: Attribute length = 14 (0xE)
RADIUS: Tunnel client endpoint = 10.10.14.226
RADIUS: Attribute Type: User Name(1)
RADIUS: Attribute type = User Name
RADIUS: Attribute length = 18 (0x12)
RADIUS: User name = NTRESKIT\johndoe
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 24 (0x18)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _¦ì1/2+-_¦e_$+fN<åN
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 58 (0x3A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _4
The RADIUS attributes sent by the VPN server include the user name, the service types, the framed protocol, various tunnel attributes for the PPTP connection, and a series of vendor-specific attributes for
The following Network Monitor trace shows the Access-Accept packet sent by the IAS server to the VPN server.
+ IP: ID = 0xB18; Proto = UDP; Len: 248
+ UDP: Src Port: Unknown, (1812); Dst Port: Unknown (1327); Length = 228 (0xE4)
RADIUS: Message Type: Access Accept(2)
RADIUS: Message Type = Access Accept
RADIUS: Identifier = 2 (0x2)
RADIUS: Length = 220 (0xDC)
RADIUS: Authenticator = 52 E2 19 98 2E F8 E2 D3 B7 3B E1 24 5B 72 55 9E
RADIUS: Attribute Type: Framed Protocol(7)
RADIUS: Attribute type = Framed Protocol
RADIUS: Attribute length = 6 (0x6)
RADIUS: Framed protocol = PPP
RADIUS: Attribute Type: Service Type(6)
RADIUS: Attribute type = Service Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Service type = Framed
RADIUS: Attribute Type: Class(25)
RADIUS: Attribute type = Class
RADIUS: Attribute length = 32 (0x20)
RADIUS: Class = <$_@
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 42 (0x2A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _$Ç_DZ¦,S¯c7__æ:+RW_tÖ-qxF¦ (-+¦%p6
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 42 (0x2A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _$Ç_
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 51 (0x33)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _-
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 21 (0x15)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string =
The RADIUS attributes sent by the IAS server include the user name, the service type, the framed protocol, the service class, and a series of vendor-specific attributes for