124
Figure 4-1: RADIUS Topology
The server can authenticate the user itself or make use of a back-end device to ascertain authenticity. In
either case a response may or may not be forthcoming to the client. If the server accepts the user, it
returns a positive result with attributes containing configuration information. If the server rejects the user,
it returns a negative result. If the server rejects the client or the shared secrets differ, the server returns no
result. If the server requires additional verification from the user, it returns a challenge, and the request
process begins again.
If you use a RADIUS server to authenticate users, you must configure user attributes in the user database
on the RADIUS server. The user attributes include the user name, password, and privilege level.
4.1.1.1. RADIUS Dynamic Authorization
The RADIUS Dynamic Authorization feature implements part of the Dynamic Authorization Server (DAS)
functionality defined in RFC 5176 (Dynamic Authorization Extensions to Remote Authentication Dial In User
Services). This feature enables a RADIUS server or any other external server to send messages to a Network
Access Server (NAS) to terminate a user’s session. This is desirable when a device or user session is causing
problems in normal network operation.
RFC 5176 defines the DAS and Dynamic Authorization Client (DAC) and the following types of messages:
Disconnect messages—This message from the DAC may result in terminating a user's session.
Change of Authorization messages—This message from a DAC results in changing
authorization status of the session.
As of current QNOS release, the DAS implementation handles Disconnect message only.
When QNOS DAS receives Disconnect Message from DAC, it looks for NAS identification and User Identity
attributes available in the Disconnect Message. If the match for the NAS attribute and user's identify is
found then it disconnect matching sessions and when successful, sends an ACK to DAC. The DAS sends a
NAK with “Acct-Terminate-Cause” attribute (49) with value set to 6 if the user's session is not available or
one or more sessions could not be disconnected by DAS.
The following example configures dynamic authorization on a DAC and server host.
To Next Page
Loading...
Need help?
General