Table 1. RADIUS Authentication Messages and Attributes (Continued)

| Message Conditions | Purpose of Message Attributes |
| --- | --- |
| When a RADIUS server authenticates a connection request, it returns a RADIUS Access-Accept to the RAS. | Allow the RAS to complete access negotiations. Configure connection details such as providing the RAS with an IP address it can assign to the user. Enforce time limits and other “class of service” restrictions on the connection. |
| When a RADIUS server is unable to authenticate a connection request, it returns an Access-Reject to the RAS. | Terminate access negotiations. Identify the reason for the authorization failure. |
| If initial authentication conditions are met, but additional input is needed from the user, the RADIUS server returns an Access-Challenge to the RAS. | Enable the RAS to prompt the user for more authentication data. Complete the current Access-Request, so the RAS can issue a new one. |

Accounting

To understand the RSA RADIUS Server accounting sequence, you need an overview of RADIUS accounting messages. Table 2 describes the conditions under which each type of message is issued, and the purpose of any RADIUS attributes that a message contains.

Table 2. Message Conditions and Attributes

Message Conditions

Purpose of Message Attributes

Accounting data is sent from client to server using an Accounting-Request message. The client manufacturer decides which types of accounting requests are sent, and under which conditions. This table describes the most typical conditions.

The client ensures that the server receives accounting requests. Most clients retry periodically until the server responds.

Depending on the value of the Acct-Status-Type attribute, the message type is considered to be Start, Stop, Interim-Acct, Accounting-On, or Accounting-Off.
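
The classification by Acct-Status-Type described above, as an added example that is not part of the RSA guide or the RSA RADIUS Server code: it checks the Request Authenticator before trusting any attribute, then maps the Acct-Status-Type value to a message type. The attribute number, value codes and authenticator formula are taken from RFC 2866 rather than from this page; the function names, shared secret and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code for Accounting-Request (RFC 2866)
ACCT_STATUS_TYPE = 40    # attribute type for Acct-Status-Type
# RFC 2866 values; names follow the guide (the RFC calls 3 "Interim-Update").
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Acct",
                7: "Accounting-On", 8: "Accounting-Off"}


def _authenticator(header, attrs, secret):
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """Build a constructed sample packet from (type, value-bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body


def classify_accounting_request(packet, secret):
    """Return the message type name; raise ValueError if malformed or unauthentic."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]  # octets past Length are padding and ignored
    expected = _authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == ACCT_STATUS_TYPE:
            if alen != 6:
                raise ValueError("Acct-Status-Type must be 6 octets")
            value = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            return STATUS_NAMES.get(value, f"Unknown({value})")
        pos += alen
    raise ValueError("Acct-Status-Type attribute missing")
```

A packet whose authenticator does not match the shared secret is rejected before its attributes are read, so an altered Acct-Status-Type is never recorded as a Start or Stop.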

RSA RADIUS Server 6.1 Administrator’s Guide

About RSA RADIUS Server
