
The RADIUS protocol and an Access-Request without a password

In http://tools.ietf.org/html/rfc2865, section 5.44, Table of Attributes, it says:

[Note 1] An Access-Request MUST contain either a User-Password or a
   CHAP-Password or State.  An Access-Request MUST NOT contain both a
   User-Password and a CHAP-Password.  If future extensions allow other
   kinds of authentication information to be conveyed, the attribute for
   that can be used in an Access-Request instead of User-Password or
   CHAP-Password.

Section 5.24 describes the State attribute.

Questions:

1. So it turns out that the first Access-Request must carry either a User-Password or a CHAP-Password;

2. Do RADIUS servers accept an Access-Request without a password;

3. How do I configure FreeRadius, if it is possible, so that it accepts an Access-Request without a password?

Additional questions will be asked along the way.


I found something more.

RFC5080 has a lot to say about State:

   The only permissible values for a State attribute are values provided
   in an Access-Accept, Access-Challenge, CoA-Request or Disconnect-
   Request packet.  A RADIUS client MUST use only those values for the
   State attribute that it has previously received from a server.  An
   Access-Request sent as a result of a new or restarted authentication
   run MUST NOT include the State attribute, even if a State attribute
   has previously been received in an Access-Challenge for the same user
   and port.

   Access-Request packets that contain a Service-Type attribute with the
   value Authorize Only (17) MUST contain a State attribute.  Access-
   Request packets that contain a Service-Type attribute with value Call
   Check (10) SHOULD NOT contain a State attribute.  Any other Access-
   Request packet that performs authorization checks MUST contain a
   State attribute.  This last requirement often means that an Access-
   Accept needs to contain a State attribute, which can then be used in
   a later Access-Request that performs authorization checks.

That is, in our case the State attribute is absent anyway, because my Service-Type = Call Check (10).

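An added example, not part of the original posts and not FreeRADIUS code: a Python check that parses an Access-Request and reports which of the rules quoted above (RFC 2865 Note 1 and the RFC 5080 State rules) it does not meet. The function names, finding strings and the sample packet are constructed for illustration; attribute numbers are the standard ones (User-Password 2, CHAP-Password 3, Service-Type 6, State 24).

```python
import struct

ACCESS_REQUEST = 1                      # RADIUS packet code
USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE, STATE = 2, 3, 6, 24
CALL_CHECK, AUTHORIZE_ONLY = 10, 17     # Service-Type values

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [values]} for an Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not an Access-Request or bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def check_access_request(packet: bytes) -> list:
    """List the quoted RFC 2865 / RFC 5080 rules the packet does not meet."""
    attrs = parse_attributes(packet)
    has_pw, has_chap, has_state = (t in attrs for t in (USER_PASSWORD, CHAP_PASSWORD, STATE))
    svc = None
    if len(attrs.get(SERVICE_TYPE, [b""])[0]) == 4:
        svc = struct.unpack("!I", attrs[SERVICE_TYPE][0])[0]
    findings = []
    if not (has_pw or has_chap or has_state):
        findings.append("2865-note1: no User-Password, CHAP-Password or State")
    if has_pw and has_chap:
        findings.append("2865-note1: both User-Password and CHAP-Password")
    if svc == AUTHORIZE_ONLY and not has_state:
        findings.append("5080: Authorize Only MUST contain State")
    if svc == CALL_CHECK and has_state:
        findings.append("5080: Call Check SHOULD NOT contain State")
    return findings

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample mirroring the thread: Call Check, no password, no State.
CALL_CHECK_REQ = build_request([(1, b"0015551234"), (SERVICE_TYPE, struct.pack("!I", CALL_CHECK))])

if __name__ == "__main__":
    print(check_access_request(CALL_CHECK_REQ))
```

For the constructed Call Check request, the only finding is the RFC 2865 Note 1 one, which is the case the thread asks about.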
