[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: IPv6
Alan DeKok [mailto://aland@deployingradius.com] writes:
> Wojciech Dec (wdec) wrote:
> > Guess someone forgot to add a character encoding set limitation to
> the
> > definition of "string" above. Without it, any sequence of 1-253
> octets
> > falls neatly under the "a string".
>
> Is this a joke?
>
> Here's a short explanation, as it's clear you are completely
> unfamiliar with RADIUS.
Well, _someone_ is...
>
> RADIUS attributes are typed.
In your mind, perhaps; in the real world (where RFC 2865 exists), one may
read page after page without ever seeing an attribute "typed". A brief
example:
5.4. NAS-IP-Address
Description
This Attribute indicates the identifying IP Address of the NAS
which is requesting authentication of the user, and SHOULD be
unique to the NAS within the scope of the RADIUS server. NAS-IP-
Address is only used in Access-Request packets. Either NAS-IP-
Address or NAS-Identifier MUST be present in an Access-Request
packet.
Note that NAS-IP-Address MUST NOT be used to select the shared
secret used to authenticate the request. The source IP address of
the Access-Request packet MUST be used to select the shared
secret.
A summary of the NAS-IP-Address Attribute format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
4 for NAS-IP-Address.
Length
6
Address
The Address field is four octets.
5.5. NAS-Port
Description
This Attribute indicates the physical port number of the NAS which
is authenticating the user. It is only used in Access-Request
packets. Note that this is using "port" in its sense of a
physical connection on the NAS, not in the sense of a TCP or UDP
port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD
be present in an Access-Request packet, if the NAS differentiates
among its ports.
A summary of the NAS-Port Attribute format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
5 for NAS-Port.
Length
6
Value
The Value field is four octets.
5.6. Service-Type
Description
This Attribute indicates the type of service the user has
requested, or the type of service to be provided. It MAY be used
in both Access-Request and Access-Accept packets. A NAS is not
required to implement all of these service types, and MUST treat
unknown or unsupported Service-Types as though an Access-Reject
had been received instead.
A summary of the Service-Type Attribute format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
6 for Service-Type.
Length
6
Value
The Value field is four octets.
1 Login
2 Framed
3 Callback Login
4 Callback Framed
5 Outbound
6 Administrative
7 NAS Prompt
8 Authenticate Only
9 Callback NAS Prompt
10 Call Check
11 Callback Administrative
The service types are defined as follows when used in an Access-
Accept. When used in an Access-Request, they MAY be considered to
be a hint to the RADIUS server that the NAS has reason to believe
the user would prefer the kind of service indicated, but the
server is not required to honor the hint.
Login The user should be connected to a host.
Framed A Framed Protocol should be started for the
User, such as PPP or SLIP.
Callback Login The user should be disconnected and called
back, then connected to a host.
Callback Framed The user should be disconnected and called
back, then a Framed Protocol should be started
for the User, such as PPP or SLIP.
Outbound The user should be granted access to outgoing
devices.
Administrative The user should be granted access to the
administrative interface to the NAS from which
privileged commands can be executed.
NAS Prompt The user should be provided a command prompt
on the NAS from which non-privileged commands
can be executed.
Authenticate Only Only Authentication is requested, and no
authorization information needs to be returned
in the Access-Accept (typically used by proxy
servers rather than the NAS itself).
Callback NAS Prompt The user should be disconnected and called
back, then provided a command prompt on the
NAS from which non-privileged commands can be
executed.
Call Check Used by the NAS in an Access-Request packet to
indicate that a call is being received and
that the RADIUS server should send back an
Access-Accept to answer the call, or an
Access-Reject to not accept the call,
typically based on the Called-Station-Id or
Calling-Station-Id attributes. It is
recommended that such Access-Requests use the
value of Calling-Station-Id as the value of
the User-Name.
Callback Administrative
The user should be disconnected and called
back, then granted access to the
administrative interface to the NAS from which
privileged commands can be executed.
5.7. Framed-Protocol
Description
This Attribute indicates the framing to be used for framed access.
It MAY be used in both Access-Request and Access-Accept packets.
A summary of the Framed-Protocol Attribute format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
7 for Framed-Protocol.
Length
6
Value
The Value field is four octets.
1 PPP
2 SLIP
3 AppleTalk Remote Access Protocol (ARAP)
4 Gandalf proprietary SingleLink/MultiLink protocol
5 Xylogics proprietary IPX/SLIP
6 X.75 Synchronous
5.8. Framed-IP-Address
Description
This Attribute indicates the address to be configured for the
user. It MAY be used in Access-Accept packets. It MAY be used in
an Access-Request packet as a hint by the NAS to the server that
it would prefer that address, but the server is not required to
honor the hint.
A summary of the Framed-IP-Address Attribute format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
8 for Framed-IP-Address.
Length
6
Address
The Address field is four octets. The value 0xFFFFFFFF indicates
that the NAS Should allow the user to select an address (e.g.
Negotiated). The value 0xFFFFFFFE indicates that the NAS should
select an address for the user (e.g. Assigned from a pool of
addresses kept by the NAS). Other valid values indicate that the
NAS should use that value as the user's IP address.
> The list of types is small. Each type
> is statically defined in an RFC.
In what RFC is the "8-bit Tag + 24-bit Integer" "data type" defined? That's
easy, none. The fact that some implementations _treat_ it as a "data type"
doesn't make it so, since there are other ways to implement a tag.
> RADIUS implementations use these
> definitions to determine how to manipulate the attributes (parse,
> print,
> wire-encode, wire-decode). The types cannot be changed, because they
> have existing definitions. Defining new encoding/decode means defining
> new types... because you can't encode the OLD type in a NEW way, and
> you
> can't encode the NEW type in the OLD way.
>
> Otherwise... please suggest how implementations can do the
> impossible,
> and encode these new attributes using a novel format, without adding a
> new encoding method.
>
> > That said, rfc 3162 clearly already
> > has a "call it whatever you want" data-type for "Framed-IPv6-Prefix",
> > which happens to be the same type of data as in the IPv6-Prefix in
> > draft-lourdelet.
>
> Absolute nonsense. Framed-IPv6-Prefix has a different on-the-wire
> format than IPv6-prefix. Therefore, they are different data types.
Alan, who's spouting nonsense here? Are you claiming that entire attributes
are "data types" now?
> > The odd one out is probably the IPv6-Route-Option-Preference in
> > draft-lourdelet, which has an rfc4191 derived 2 bit signed integer.
> No
> > problem in changing that to a simple signed integer, while
> restricting
> > the values.
>
> RADIUS has no support for signed integers. See:
>
> http://tools.ietf.org/html/draft-ietf-radext-design-08
>
> I suggest reading the document before posting any more confusion
> about
> data types in RADIUS. It describes the
DeKok
> data model, along with
> supported and not-supported data types.
...
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
- Follow-Ups:
- Re: IPv6
- From: Alan DeKok <aland@deployingradius.com>
- References:
- Re: IPv6
- From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: IPv6
- From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: IPv6
- From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: IPv6
- From: Bernard Aboba <bernard_aboba@hotmail.com>
- Re: IPv6
- From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- Re: IPv6
- From: Alan DeKok <aland@deployingradius.com>
- RE: IPv6
- From: Bernard Aboba <bernard_aboba@hotmail.com>
- RE: IPv6
- From: "Wojciech Dec (wdec)" <wdec@cisco.com>
- Re: IPv6
- From: Alan DeKok <aland@deployingradius.com>
- RE: IPv6
- From: "Wojciech Dec (wdec)" <wdec@cisco.com>
- Re: IPv6
- From: Alan DeKok <aland@deployingradius.com>
- RE: IPv6
- From: "Wojciech Dec (wdec)" <wdec@cisco.com>
- Re: IPv6
- From: Alan DeKok <aland@deployingradius.com>