
1. RADIUS packet format

A RADIUS packet is carried in the data field of a UDP datagram.

The RADIUS packet layout is shown below; the fields are transmitted in order from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

Code

The Code field is one octet long and identifies the type of the RADIUS packet. A packet whose Code is not a valid type is discarded.

Code takes the following values (decimal):

          1       Access-Request
          2       Access-Accept
          3       Access-Reject
          4       Accounting-Request
          5       Accounting-Response
         11       Access-Challenge
         12       Status-Server (experimental)
         13       Status-Client (experimental)
        255       Reserved

Identifier

The Identifier field is one octet long and is used to match RADIUS requests with their replies.

Length

The Length field is two octets long and gives the length of the whole RADIUS packet, including the Code, Identifier, Length, Authenticator and Attributes fields. The minimum value is 20 and the maximum is 4096. A RADIUS implementation discards packets shorter than 20 octets; for packets longer than 4096 octets the excess is discarded and only the valid part is processed (the excess is treated as padding).
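The header rules above (one-octet Code and Identifier, two-octet big-endian Length, 16-octet Authenticator, drop unknown Codes, drop Length outside 20..4096, ignore octets beyond Length as padding) are enough to write a defensive parser for the fixed part of the packet. The following is an added example, not code from the original page; the sample datagram and the fixed authenticator in it are constructed for the example.

```python
import struct

# RADIUS packet Code values, decimal, as listed on the page.
CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
    12: "Status-Server",
    13: "Status-Client",
}

HEADER_LEN = 20   # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
MAX_LEN = 4096    # largest Length value the page allows


def parse_radius_header(datagram: bytes):
    """Split a UDP payload into the fixed RADIUS header and the Attributes bytes.

    Returns a dict, or None when the page's rules say the packet is dropped:
    datagram shorter than 20 octets, unknown Code, Length outside 20..4096,
    or a datagram shorter than its own Length field claims. Octets beyond
    Length are treated as padding and are not handed to the attribute parser.
    """
    if len(datagram) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if code not in CODES:
        return None
    if length < HEADER_LEN or length > MAX_LEN:
        return None
    if len(datagram) < length:
        return None
    return {
        "code": code,
        "type": CODES[code],
        "identifier": identifier,
        "length": length,
        "authenticator": datagram[4:HEADER_LEN],
        "attributes": datagram[HEADER_LEN:length],
        "padding": len(datagram) - length,
    }


# Constructed sample datagram: an Access-Request (Code 1, Identifier 42) whose
# Length is 25, carrying one User-Name attribute (Type 1, Length 5, value "bob")
# and followed by 3 octets that lie outside Length and must be ignored.
SAMPLE_DATAGRAM = (
    bytes([1, 42]) + (25).to_bytes(2, "big")
    + bytes(range(16))            # fixed 16-octet authenticator, for the example only
    + bytes([1, 5]) + b"bob"
    + b"\x00\x00\x00"
)

if __name__ == "__main__":
    print(parse_radius_header(SAMPLE_DATAGRAM))
    print(parse_radius_header(SAMPLE_DATAGRAM[:10]))   # too short: None
```

The check `len(datagram) < length` is the one most often forgotten: a Length field that claims more octets than arrived must cause a drop, otherwise the attribute parser reads past the buffer.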

Authenticator

The Authenticator field is 16 octets long. The security checks rest on this field, so it is the most important one. It serves two purposes: it authenticates the reply returned by the RADIUS server, and it is a parameter of the algorithm that hides the user password.

There are two kinds of Authenticator:

1) Request Authenticator

It appears in Access-Request packets and is a random 16-octet binary string. The layout is:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Request Authenticator                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

The RADIUS protocol recommends that the Request Authenticator be unpredictable and unique over its whole lifetime. This is a measure against an attacker impersonating one of the two parties. The RADIUS client (NAS) uses the Request Authenticator to hide the user password; conversely, the RADIUS server uses it to recover the user password and to generate the Authenticator of the reply (the Response Authenticator). If the Request Authenticator is not unique, a network eavesdropper can forge RADIUS server replies, because the Response Authenticator would then be computed from the same parameters (see below).

The user password is hidden with:

enpassword = password XOR MD5(secret + Request Authenticator)

where + denotes concatenation.

2) Response Authenticator

It appears in Access-Accept, Access-Reject, Access-Challenge and Accounting-Response packets. The layout is:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Response Authenticator                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

The Response Authenticator is computed as:

Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)

where + denotes concatenation, Code, ID, Length and Attributes are taken from the reply packet itself, and Request Authenticator is the one carried in the request being answered.
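The two formulas above (password hiding from the Request Authenticator section and the Response Authenticator from this one) are short enough to implement and check end to end. The following is an added example, not code from the original page: it builds an Access-Request with a hidden User-Password, builds a reply, and verifies the reply the way a client should. It generalises the page's one-block password formula to the chained form RFC 2865 uses for passwords longer than 16 octets. The shared secret and the fixed Request Authenticator used in the tests are constructed values.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 20


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password as the RADIUS client (NAS) does.

    The page gives the one-block case, enpassword = password XOR
    MD5(secret + Request Authenticator). For passwords longer than 16 octets
    RFC 2865 chains the blocks: the password is null-padded to a multiple of
    16, block 1 is XORed with MD5(secret + Request Authenticator) and each
    later block with MD5(secret + previous hidden block).
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the password as the server does; trailing null padding is dropped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Access-Request carrying User-Name (Type 1) and a hidden User-Password (Type 2).

    The Request Authenticator is drawn from os.urandom, which gives the
    unpredictable, unique value the page calls for; a caller passes one
    explicitly only for deterministic tests.
    """
    if request_auth is None:
        request_auth = os.urandom(16)
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def build_reply(code, identifier, attributes, request_auth, secret):
    """Reply packet (Access-Accept etc.) with its Response Authenticator filled in."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return header + auth + attributes


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: recompute the Response Authenticator from the reply and
    the Request Authenticator we sent, and compare it in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:length],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed, not a deployment value
    req, ra = build_access_request(7, b"bob", b"hunter2", secret)
    reply = build_reply(2, 7, b"", ra, secret)  # Access-Accept with no attributes
    print(verify_reply(reply, ra, secret))       # True
    print(verify_reply(reply, ra, b"other"))     # False
```

Two points the code makes concrete: the client must keep the Request Authenticator it sent, because a reply cannot be verified without it, and the comparison uses `hmac.compare_digest` so that a forged reply is rejected in constant time rather than leaking how many leading octets matched.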

Attributes

RADIUS packets carry authentication, authorization and accounting information, all of it represented by the Attribute data structure. The Attributes field holds zero or more Attributes.

2. Attribute format

An Attribute has the same basic format in request and reply packets; the fields are transmitted in order from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type

The Type field is one octet long. Values 192-223 are reserved for experimental use, values 224-240 are reserved for special-purpose use, and values 241-255 should not be used. RADIUS servers and clients may ignore Attributes with an unknown Type. The defined values are:

     #       attribute                   value-type
     -----   -------------------------   ----------
     1       User-Name                   string
     2       User-Password               string
     3       CHAP-Password               string
     4       NAS-IP-Address              address
     5       NAS-Port                    string
     6       Service-Type                integer
     7       Framed-Protocol             integer
     8       Framed-IP-Address           address
     9       Framed-IP-Netmask           address
     10      Framed-Routing              integer
     11      Filter-Id                   string
     12      Framed-MTU                  integer
     13      Framed-Compression          integer
     14      Login-IP-Host               address
     15      Login-Service               integer
     16      Login-TCP-Port              integer
     17      (unassigned)
     18      Reply-Message               string
     19      Callback-Number             string
     20      Callback-Id                 string
     21      (unassigned)
     22      Framed-Route                integer
     23      Framed-IPX-Network          integer
     24      State                       string
     25      Class                       string
     26      Vendor-Specific             string
     27      Session-Timeout             integer
     28      Idle-Timeout                integer
     29      Termination-Action          integer
     30      Called-Station-Id           string
     31      Calling-Station-Id          string
     32      NAS-Identifier              string
     33      Proxy-State                 string
     34      Login-LAT-Service           string
     35      Login-LAT-Node              string
     36      Login-LAT-Group             string
     37      Framed-AppleTalk-Link       integer
     38      Framed-AppleTalk-Network    integer
     39      Framed-AppleTalk-Zone       string
     40      Acct-Status-Type            integer
     41      Acct-Delay-Time             integer
     42      Acct-Input-Octets           integer
     43      Acct-Output-Octets          integer
     44      Acct-Session-Id             string
     45      Acct-Authentic              integer
     46      Acct-Session-Time           integer
     47      Acct-Input-Packets          integer
     48      Acct-Output-Packets         integer
     49      Acct-Terminate-Cause        integer
     50      Acct-Multi-Session-Id       string
     51      Acct-Link-Count             integer
     52-59   (unassigned)
     60      CHAP-Challenge              string
     61      NAS-Port-Type               integer
     62      Port-Limit                  integer
     63      Login-LAT-Port              string
     70      ARAP-Password               string
     71      ARAP-Features               string
     72      ARAP-Zone-Access            integer
     73      ARAP-Security               integer
     74      ARAP-Security-Data          string
     75      Password-Retry              integer
     76      Prompt                      integer
     77      Connect-Info                string
     78      Configuration-Token         string
     79      EAP-Message                 string
     80      Message-Authenticator       string # 18 octets
     84      ARAP-Challenge-Response     string # 10 octets
     85      Acct-Interim-Interval       integer
     87      NAS-Port-Id                 string
     88      Framed-Pool                 string

Length

The Length field is one octet long and gives the total length of the Attribute, including the Type, Length and Value fields.

Value

The Value field is zero or more octets long and holds the value defined for the Attribute. Its format and length are determined by the Type and Length fields.

Value has four data formats:

      string    0-253 octets, does not require termination by an ASCII null.

      address   32 bit value, most significant octet first.

      integer   32 bit value, most significant octet first.

      time      32 bit value, most significant octet first — seconds
                since 00:00:00 GMT, January 1, 1970.  The standard
                Attributes do not use this data type but it is presented
                here for possible use within Vendor-Specific attributes.
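The Type, Length and Value descriptions above, together with the four value formats, give everything needed to walk the Attributes field safely. The following is an added example, not code from the original page: it parses the Type/Length/Value sequence, rejects the malformed cases (Length below 2, an Attribute running past the end of the field, a fixed-size value of the wrong length) and decodes values by their format. The attribute table in it is a constructed subset of the page's Type table, and the sample Attributes field is constructed.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# Subset of the page's Type table with its value-type column (constructed
# subset; the full table has the same shape). Vendor-Specific is kept raw here.
ATTRIBUTE_TYPES = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "address"),
    6: ("Service-Type", "integer"),
    8: ("Framed-IP-Address", "address"),
    26: ("Vendor-Specific", "string"),
    27: ("Session-Timeout", "integer"),
    32: ("NAS-Identifier", "string"),
}


def decode_value(value_type: str, raw: bytes):
    """Decode a Value according to the four formats the page lists."""
    if value_type == "string":
        return raw                        # 0-253 octets, no terminating null
    if len(raw) != 4:                     # address, integer and time are all 32 bits
        raise ValueError(f"{value_type} value must be 4 octets, got {len(raw)}")
    if value_type == "address":
        return str(ipaddress.IPv4Address(raw))
    number = struct.unpack("!I", raw)[0]  # most significant octet first
    if value_type == "integer":
        return number
    if value_type == "time":              # seconds since 1970-01-01 00:00:00 GMT
        return datetime.fromtimestamp(number, tz=timezone.utc)
    raise ValueError(f"unknown value type {value_type!r}")


def parse_attributes(data: bytes):
    """Walk the Attributes field as a sequence of Type / Length / Value triples.

    Length counts the Type, Length and Value octets, so a Length below 2 is
    malformed, as is an Attribute that runs past the end of the field or a
    fixed-size Value of the wrong length. Any of these returns None so the
    caller drops the whole packet. Unknown Types are kept with a raw value so
    the caller can ignore them, as the page says servers and clients may.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            return None
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            return None
        raw = data[pos + 2:pos + alen]
        name, vtype = ATTRIBUTE_TYPES.get(atype, (f"Unknown-{atype}", "string"))
        try:
            value = decode_value(vtype, raw)
        except ValueError:
            return None
        attrs.append((atype, name, value))
        pos += alen
    return attrs


# Constructed sample Attributes field: User-Name "bob", NAS-IP-Address
# 192.0.2.10, Service-Type 2 and Session-Timeout 3600.
SAMPLE_ATTRIBUTES = (
    bytes([1, 5]) + b"bob"
    + bytes([4, 6]) + bytes([192, 0, 2, 10])
    + bytes([6, 6]) + (2).to_bytes(4, "big")
    + bytes([27, 6]) + (3600).to_bytes(4, "big")
)

if __name__ == "__main__":
    for attr in parse_attributes(SAMPLE_ATTRIBUTES):
        print(attr)
```

A Length of 0 or 1 deserves the explicit check: without it the loop would never advance (`pos += 0`) or would step into the middle of the next Attribute, and an attacker-controlled datagram is exactly where such a value shows up.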


3. Attribute requirements in authentication packets

The following table shows the requirements on each Attribute in RADIUS authentication packets:

   Request   Accept   Reject   Challenge   #    Attribute
   1         0        0        0            1   User-Name
   0-1       0        0        0            2   User-Password [Note 1]
   0-1       0        0        0            3   CHAP-Password [Note 1]
   0-1       0        0        0            4   NAS-IP-Address
   0-1       0        0        0            5   NAS-Port
   0-1       0-1      0        0            6   Service-Type
   0-1       0-1      0        0            7   Framed-Protocol
   0-1       0-1      0        0            8   Framed-IP-Address
   0-1       0-1      0        0            9   Framed-IP-Netmask
   0         0-1      0        0           10   Framed-Routing
   0         0        0        0           11   Filter-Id
   0         0-1      0        0           12   Framed-MTU
   0         0        0        0           13   Framed-Compression
   0         0        0        0           14   Login-IP-Host
   0         0-1      0        0           15   Login-Service
   0         0-1      0        0           16   Login-TCP-Port
   0         0        0        0           18   Reply-Message
   0-1       0-1      0        0           19   Callback-Number
   0         0-1      0        0           20   Callback-Id
   0         0        0        0           22   Framed-Route
   0         0-1      0        0           23   Framed-IPX-Network
   0-1       0-1      0        0-1         24   State
   0         0        0        0           25   Class
   0         0        0        0           26   Vendor-Specific
   0         0-1      0        0-1         27   Session-Timeout
   0         0-1      0        0-1         28   Idle-Timeout
   0         0-1      0        0           29   Termination-Action
   0-1       0        0        0           30   Called-Station-Id
   0-1       0        0        0           31   Calling-Station-Id
   0-1       0        0        0           32   NAS-Identifier
   0         0        0        0           33   Proxy-State
   0-1       0-1      0        0           34   Login-LAT-Service
   0-1       0-1      0        0           35   Login-LAT-Node
   0-1       0-1      0        0           36   Login-LAT-Group
   0         0-1      0        0           37   Framed-AppleTalk-Link
   0         0        0        0           38   Framed-AppleTalk-Network
   0         0-1      0        0           39   Framed-AppleTalk-Zone
   0-1       0        0        0           60   CHAP-Challenge
   0-1       0        0        0           61   NAS-Port-Type
   0-1       0-1      0        0           62   Port-Limit
   0-1       0-1      0        0           63   Login-LAT-Port

Note 1: An Access-Request must contain one, and only one, of User-Password and CHAP-Password.

The numbers in the table mean:

    0     This Attribute must not be present in the packet.
    0+    Zero or more instances of this Attribute may be present in the packet.
    0-1   Zero or one instance of this Attribute may be present in the packet.
    1     Exactly one instance of this Attribute must be present in the packet.

4. Attribute requirements in accounting packets

The RADIUS specification says an Accounting-Response packet should not carry any Attributes. The following table shows the requirements on each Attribute in the RADIUS accounting packet Accounting-Request:

   #     Attribute
   0-1   User-Name
   0     User-Password
   0     CHAP-Password
   0-1   NAS-IP-Address [Note 1]
   0-1   NAS-Port
   0-1   Service-Type
   0-1   Framed-Protocol
   0-1   Framed-IP-Address
   0-1   Framed-IP-Netmask
   0-1   Framed-Routing
   0     Filter-Id
   0-1   Framed-MTU
   0     Framed-Compression
   0     Login-IP-Host
   0-1   Login-Service
   0-1   Login-TCP-Port
   0     Reply-Message
   0-1   Callback-Number
   0-1   Callback-Id
   0     Framed-Route
   0-1   Framed-IPX-Network
   0     State
   0     Class
   0     Vendor-Specific
   0-1   Session-Timeout
   0-1   Idle-Timeout
   0-1   Termination-Action
   0-1   Called-Station-Id
   0-1   Calling-Station-Id
   0-1   NAS-Identifier [Note 1]
   0     Proxy-State
   0-1   Login-LAT-Service
   0-1   Login-LAT-Node
   0-1   Login-LAT-Group
   0-1   Framed-AppleTalk-Link
   0-1   Framed-AppleTalk-Network
   0-1   Framed-AppleTalk-Zone
   1     Acct-Status-Type
   0-1   Acct-Delay-Time
   0-1   Acct-Input-Octets
   0-1   Acct-Output-Octets
   1     Acct-Session-Id
   0-1   Acct-Authentic
   0-1   Acct-Session-Time
   0-1   Acct-Input-Packets
   0-1   Acct-Output-Packets
   0-1   Acct-Terminate-Cause
   0     Acct-Multi-Session-Id
   0     Acct-Link-Count
   0     CHAP-Challenge
   0-1   NAS-Port-Type
   0-1   Port-Limit
   0-1   Login-LAT-Port

Note 1: An Accounting-Request must contain at least one of NAS-IP-Address and NAS-Identifier; it may contain both, but this is not recommended.

The numbers in the table mean:

    0     This Attribute must not be present in the packet.
    0+    Zero or more instances of this Attribute may be present in the packet.
    0-1   Zero or one instance of this Attribute may be present in the packet.
    1     Exactly one instance of this Attribute must be present in the packet.
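The occurrence tables in sections 3 and 4, plus their two notes, are the kind of rule a server should enforce before it acts on a request. The following is an added example, not code from the original page: it encodes the legend's four occurrence codes and checks a packet's list of Attribute Type values against the Access-Request column of the section 3 table and the section 4 table, including the "exactly one password form" and "NAS-IP-Address or NAS-Identifier" notes. The rule tables are a constructed subset of the page's rows; Attributes not listed are not checked.

```python
from collections import Counter


def allowed(rule: str, n: int) -> bool:
    """Occurrence codes from the page's legend, applied to a count n."""
    return {"0": n == 0, "0+": True, "0-1": n <= 1, "1": n == 1}[rule]


# Subset of the section 3 table, Access-Request column (constructed subset).
ACCESS_REQUEST_RULES = {
    1: ("User-Name", "1"),
    2: ("User-Password", "0-1"),
    3: ("CHAP-Password", "0-1"),
    4: ("NAS-IP-Address", "0-1"),
    5: ("NAS-Port", "0-1"),
    10: ("Framed-Routing", "0"),
    24: ("State", "0-1"),
    27: ("Session-Timeout", "0"),
    32: ("NAS-Identifier", "0-1"),
}

# Subset of the section 4 table for Accounting-Request (constructed subset).
ACCOUNTING_REQUEST_RULES = {
    1: ("User-Name", "0-1"),
    2: ("User-Password", "0"),
    3: ("CHAP-Password", "0"),
    4: ("NAS-IP-Address", "0-1"),
    32: ("NAS-Identifier", "0-1"),
    40: ("Acct-Status-Type", "1"),
    44: ("Acct-Session-Id", "1"),
    45: ("Acct-Authentic", "0-1"),
}


def check_occurrences(rules, attr_types):
    """Compare the Type counts of a packet with a rule table; return the violations."""
    counts = Counter(attr_types)
    problems = []
    for atype, (name, rule) in rules.items():
        n = counts.get(atype, 0)
        if not allowed(rule, n):
            problems.append(f"{name} appears {n} time(s), rule is {rule}")
    return problems


def check_access_request(attr_types):
    """Section 3 rules for an Access-Request; returns (errors, warnings)."""
    errors = check_occurrences(ACCESS_REQUEST_RULES, attr_types)
    counts = Counter(attr_types)
    # Note 1 of section 3: one, and only one, of User-Password (2) or CHAP-Password (3).
    if counts[2] + counts[3] != 1:
        errors.append("exactly one of User-Password or CHAP-Password is required")
    return errors, []


def check_accounting_request(attr_types):
    """Section 4 rules for an Accounting-Request; returns (errors, warnings)."""
    errors = check_occurrences(ACCOUNTING_REQUEST_RULES, attr_types)
    warnings = []
    counts = Counter(attr_types)
    # Note 1 of section 4: NAS-IP-Address (4) or NAS-Identifier (32) is required;
    # carrying both is allowed but not recommended, so that is only a warning.
    if counts[4] + counts[32] == 0:
        errors.append("NAS-IP-Address or NAS-Identifier is required")
    elif counts[4] and counts[32]:
        warnings.append("both NAS-IP-Address and NAS-Identifier present; not recommended")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: Type codes of an Access-Request carrying User-Name,
    # User-Password, NAS-IP-Address, NAS-Port and NAS-Port-Type.
    print(check_access_request([1, 2, 4, 5, 61]))      # ([], [])
    print(check_access_request([1, 2, 3, 4]))          # both password forms present
    print(check_accounting_request([40, 44, 4, 32]))   # warns about both NAS attributes
```

Running this before the password and authenticator checks is cheap and turns a malformed or contradictory request (two password forms, no session identifier in an accounting record) into a clean reject with a reason instead of undefined behaviour further down.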