Bay Networks Radius Bedienungsanleitung PDF herunterladen (Seite 7)

Following authentication in the AAA

transaction is authorization.Along with the

authentication information that the user

includes as part of a

RADIUS request,the

RAS also passes information about the type

of connection the user is trying to establish.

The

RADIUS server uses this information

either to further authorize the user and issue

an accept,or to deny access based upon

disallowed conditions and issue a reject.

Authorization is controlled by the user’s

profile residing in the

RADIUS server’s data-

base.Each profile lists two types of

RADIUS-

standard attributes:check-list attributes and

return-list attributes.Vendor-Specific

Attributes are commonly used variants of

RADIUS-standard check-list and return-list

attributes and represent proprietary vendor

extensions to the

RADIUS protocol.

Check-list Attributes

Check-list attributes define a set of require-

ments for the connection.During the

authentication transaction,the

RAS must

send attributes to the

RADIUS server that

match the check-list; if they don’t match,the

RADIUS server will issue a reject even if the

user can be authenticated.By including

appropriate attributes in the check-list,a

variety of rules could be enforced.For exam-

ple,only certain users might be permitted

to either use

ISDN connections,or to dial in

to a particular

RAS.Or,Caller ID could be

used to validate a user against a list of legal,

originating phone numbers.

Return-list Attributes

Return-list attributes are attributes that the

RADIUS server sends back to the RAS once

authentication is successful.The return-list

defines additional parameters that the

RAS

should assign to the connection,typically as

part of

PPP negotiations.

For example,specific users could be

assigned either a particular

IP addresses,an

IP address from a dynamically allocated pool

of

IP addresses,or IPX network numbers.

Other attributes could include

IP header

compression enabling/disabling,or a time

limit could be assigned to the connection.

Vendor-Specific Attributes

A

RADIUS server may use Dictionary files

to establish vendor-specific check-list and

return list attribute values in environments

where the remote access equipment is

from a variety of vendors.The Dictionary file

contains vendor-specific,proprietary items

which may be set for a particular vendor’s

RAS equipment.The RADIUS server differ-

entiates between various vendors’

RAS

equipment.Its Dictionary files provide

communications between various makes

of remote access servers.This provides an

open and adaptive solution,embracing

whatever

RAS products the subscriber has

implemented,while allowing the subscriber

to fulfill application needs where the

RADIUS

standard does not yet provide coverage.

RADIUS Authorization

3Com

ACC

ADC Kentrox

Ascend

Bay Networks

Check Point

Cisco

Compatible Systems

Digi International

DEC

Gandalf

IBM

Lantronix

LeeMah

Livingston

Motorola

Kasten Chase

Penril

Perle

Raptor Systems

Secure Computing

Shiva

US Robotics

Xyplex

Table 1 Vendors Supporting RADIUS

Table 1: RADIUS provides full support to remote

access equipment from vendors which conform

to the RADIUS standard.

6 White Paper RADIUS Security Technology

1 2 3 4 5 6 7 8 9 10

Kommentare zu diesen Handbüchern

Keine Kommentare