Posted

In http://tools.ietf.org/html/rfc2865, section 5.44, Table of Attributes, it says:

[Note 1] An Access-Request MUST contain either a User-Password or a
   CHAP-Password or State.  An Access-Request MUST NOT contain both a
   User-Password and a CHAP-Password.  If future extensions allow other
   kinds of authentication information to be conveyed, the attribute for
   that can be used in an Access-Request instead of User-Password or
   CHAP-Password.

Section 5.24 describes the State attribute.

 

Questions:

1. so it turns out that the first Access-Request must necessarily carry either a User-Password or a CHAP-Password;

2. do RADIUS servers accept an Access-Request without a password;

3. how can FreeRadius be configured, if that is possible, so that it accepts an Access-Request without a password?

Additional questions will be asked along the way.

 

 

Posted

I found something more.

RFC5080 has a lot to say about State:

   The only permissible values for a State attribute are values provided
   in an Access-Accept, Access-Challenge, CoA-Request or Disconnect-
   Request packet.  A RADIUS client MUST use only those values for the
   State attribute that it has previously received from a server.  An
   Access-Request sent as a result of a new or restarted authentication
   run MUST NOT include the State attribute, even if a State attribute
   has previously been received in an Access-Challenge for the same user
   and port.

   Access-Request packets that contain a Service-Type attribute with the
   value Authorize Only (17) MUST contain a State attribute.  Access-
   Request packets that contain a Service-Type attribute with value Call
   Check (10) SHOULD NOT contain a State attribute.  Any other Access-
   Request packet that performs authorization checks MUST contain a
   State attribute.  This last requirement often means that an Access-
   Accept needs to contain a State attribute, which can then be used in
   a later Access-Request that performs authorization checks.

That is, in our case the State attribute is absent in any event, since my Service-Type = Call Check (10).
