Appendix B - The RADIUS Protocol
An understanding of the RADIUS protocol is helpful in doing the following:
Interpreting a Network Monitor capture.
Understanding the different packet formats when analyzing the accounting log.
Entering vendor-specific attribute numbers.
RADIUS packets sent to the RADIUS server are carried as User Datagram Protocol (UDP) messages, using UDP port 1812 for RADIUS authentication messages and UDP port 1813 for RADIUS accounting messages. Some earlier network access servers use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, IAS listens for RADIUS messages on both sets of UDP ports. Exactly one RADIUS packet is encapsulated in each UDP payload.
General Packet Structure
Figure 27 shows the general structure of a RADIUS packet:
Figure 27: The General Structure of a RADIUS Packet
Code
The Code field is one byte long and indicates the RADIUS packet type. A packet with an invalid Code field is silently discarded. The defined values for the RADIUS Code field are listed in Table 4.
Table 4 - Values for the RADIUS Code Field

Codes (decimal)   Packets
1                 Access-Request
2                 Access-Accept
3                 Access-Reject
4                 Accounting-Request
5                 Accounting-Response
11                Access-Challenge
12                Status-Server (experimental)
13                Status-Client (experimental)
255               Reserved
Identifier
The Identifier field is one byte long and is used to match a request with its corresponding response.
Length
The Length field is two octets long and indicates the total length of the RADIUS message, including the Code, Identifier, Length, and Authenticator fields and the RADIUS attributes. The Length field can vary from 20 through 4,096 bytes.
Authenticator
The Authenticator field is 16 octets long and contains the information that the RADIUS client and server use to authenticate each other.
Attributes
The Attributes section of the RADIUS packet contains one or more RADIUS attributes, which carry the specific authentication, authorization, information, and configuration details for RADIUS packets. For attributes that have multiple instances, the order of the attributes must be preserved. Otherwise, attribute types do not need to have their order preserved.
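As an added example (not code from this document or from IAS), the following Python parses the 20-byte header described above, applying the discard rules the text gives (invalid Code, or a Length outside 20 through 4,096 or longer than the datagram), and then shows what the Authenticator field is used for on a reply: the Response Authenticator of RFC 2865 section 3, which a RADIUS client recomputes with the shared secret before trusting an Access-Accept. The shared secret, the Request Authenticator, and the attribute bytes are constructed for the example; the Identifier value 2 follows the page's trace.

```python
import hashlib
import hmac
import struct

# Code values from Table 4 (RFC 2865 / RFC 2866); 255 is reserved and not accepted.
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    12: "Status-Server", 13: "Status-Client",
}
HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MIN_LEN, MAX_LEN = 20, 4096


def parse_header(datagram: bytes):
    """Return (code, identifier, length, authenticator, attributes), or None.

    None stands for the silent discard the page describes for an invalid Code;
    the same treatment is given to a Length outside 20..4096 or beyond the
    bytes actually received. Bytes after Length are padding and are ignored.
    """
    if len(datagram) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    authenticator = datagram[4:HEADER_LEN]
    if code not in RADIUS_CODES:
        return None
    if length < MIN_LEN or length > MAX_LEN or length > len(datagram):
        return None
    return code, identifier, length, authenticator, datagram[HEADER_LEN:length]


def response_authenticator(code, identifier, length, request_auth, attributes, secret):
    """Response Authenticator as defined in RFC 2865 section 3:
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """True only if `response` answers `request` (same Identifier) and its
    Authenticator was computed with the shared secret over this request's
    Authenticator; a reply that fails this check must be discarded."""
    req, rsp = parse_header(request), parse_header(response)
    if req is None or rsp is None or req[1] != rsp[1]:
        return False
    code, identifier, length, auth, attrs = rsp
    expected = response_authenticator(code, identifier, length, req[3], attrs, secret)
    return hmac.compare_digest(expected, auth)


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS message; Length covers the header and the attributes."""
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


# --- Constructed sample (not the page's trace): a shared secret and a Request
# Authenticator chosen for the example, a User-Name attribute (Type 1,
# Length 2 + 5) on the request, and a Service-Type = Framed attribute on the
# Access-Accept. Identifier 2 matches the page's example.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_REQUEST = build_packet(1, 2, REQUEST_AUTH, bytes([1, 7]) + b"user1")

ACCEPT_ATTRS = bytes([6, 6]) + struct.pack("!I", 2)   # Service-Type (6) = Framed (2)
ACCESS_ACCEPT = build_packet(
    2, 2,
    response_authenticator(2, 2, HEADER_LEN + len(ACCEPT_ATTRS),
                           REQUEST_AUTH, ACCEPT_ATTRS, SECRET),
    ACCEPT_ATTRS,
)

if __name__ == "__main__":
    print(parse_header(ACCESS_REQUEST))
    print("accept verifies:", verify_response(ACCESS_REQUEST, ACCESS_ACCEPT, SECRET))
    print("wrong secret:", verify_response(ACCESS_REQUEST, ACCESS_ACCEPT, b"other"))
```

The Identifier comparison and the Response Authenticator check together are what let a NAS pair a reply with its outstanding request and reject a reply produced without the shared secret; this is why the Identifier must be unique among requests in flight and why the secret must never be shared between a NAS and any server other than its RADIUS server.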
RADIUS Attributes
Figure 28 shows the structure of each RADIUS attribute. RADIUS attributes use the common Type-Length-Value format used by other protocols:
Figure 28: The RADIUS Attribute Structure
Type
The Type field is one byte long and indicates the specific type of RADIUS attribute. Some of the attributes are listed in Table 5. For information about other RADIUS attributes and their use, see RFCs 2138 and 2139.
Table 5 - RADIUS Attribute Types

Type Values   Description
1             User-Name
2             User-Password
3             CHAP-Password
4             NAS-IP-Address
5             NAS-Port
6             Service-Type
7             Framed-Protocol
8             Framed-IP-Address
9             Framed-IP-Netmask
10            Framed-Routing
11            Filter-ID
12            Framed-MTU
13            Framed-Compression
19            Reply-Message
24            State
25            Class
26            Vendor-Specific
27            Session-Timeout
28            Idle-Timeout
29            Termination-Action
32            NAS-Identifier
61            NAS-Port-Type
62            Port-Limit
Type values 192 through 223 are reserved for experimental use, values 224 through 240 are reserved for implementation-specific use, and values 241 through 255 are reserved and must not be used. Value 26 is reserved for vendor-specific attributes (VSAs).
Length
The Length field indicates the length of the attribute, including the Type, Length, and Value fields.
Value
The Value field is zero or more octets and contains information specific to the attribute. The format and length of the Value field is based on the type of RADIUS attribute.
Vendor-Specific Attributes
VSAs are available to allow vendors to support their own proprietary attributes that are not covered by RFC 2138. IAS includes VSAs from a number of vendors in its multi-vendor dictionary. This list evolves over time, and new attributes and vendors are always being added.
To accommodate attributes that are not in the IAS multi-vendor dictionary, you can add them through IAS as Vendor-Specific (attribute type 26) in the Advanced tab of a remote access policy profile. To use attribute type 26, you need to know the VSA format and other required information. The VSA formats are documented in the following section. For the other required information, see your NAS documentation.
The structure of the vendor-specific attribute is shown in Figure 29:
Figure 29: The Vendor-Specific Attribute Structure
Type
The Type value is set to 26 (0x1A) to indicate a VSA.
Length
The Length value is set to the number of bytes in the VSA.
Vendor ID
The vendor ID is four octets long. The high-order octet is 0 (0x00), and the low-order three octets are the Structure and Identification of Management Information (SMI) Network Management Private Enterprise Code of the vendor.
String
The String field is the VSA, consisting of one or more octets. To conform to RFC 2138, the String field should consist of the fields shown in Figure 30:
Figure 30: The String Field Structure
Vendor Type
The Vendor Type value identifies a specific VSA of that vendor.
Vendor Length
The Vendor Length value is set to the number of bytes in the string.
Attribute-Specific
The Attribute-Specific field contains the data for the specific vendor attribute.
Vendors that do not conform to RFC 2138 use the attribute type 26 to identify a vendor-specific attribute, but do not use the Vendor Type, Vendor Length, and Attribute-Specific fields within the String field. In this case, the vendor-specific attribute format appears as shown in Figure 29.
When adding a VSA for a specific NAS as type 26, you need to know whether the attribute conforms to RFC 2138. For information about whether your NAS uses the VSA format documented in Figure 30, see your NAS documentation.
VSAs are configured from the Vendor-Specific Attribute Information dialog box when adding a Vendor-Specific Attribute from the Advanced tab of a remote access policy profile. If the VSA format conforms to RFC 2138, you can configure the attribute with the vendor-assigned attribute number, format, and value, as defined in NAS documentation. If the VSA format does not conform to RFC 2138, you can configure the attribute with the hexadecimal attribute value, which includes the string of the VSA format (everything after Vendor-ID) as defined in NAS documentation.
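As an added example serving both the RADIUS Attributes section (Type-Length-Value parsing, Figure 28) and the vendor-specific attribute layout just described (Figures 29 and 30), the Python below splits an Attributes section into attributes and decodes a type 26 attribute in either of the two forms the text distinguishes: the RFC-conformant String (Vendor Type, Vendor Length, Attribute-Specific) and the raw String used by vendors that do not follow that layout. This code is not from this document or from IAS. The sample bytes are constructed to resemble the page's trace (User-Name, Service-Type, and a Microsoft VSA, vendor ID 311, carrying "MSRASV5.00"); the vendor type number 18 in the sample is an assumed value, not one the page gives. Vendor Length is treated as counting the Vendor Type and Vendor Length octets, which is the RFC 2865 definition and is consistent with the trace's attribute length of 18 for a 10-byte string.

```python
import struct

VENDOR_SPECIFIC = 26   # attribute type reserved for VSAs (Table 5)


def parse_attributes(data: bytes):
    """Split an Attributes section into (type, value) pairs in wire order.

    Each attribute is Type(1) Length(1) Value; Length counts the Type and
    Length octets too, so any legal Length is at least 2. A malformed
    attribute (Length below 2, or one that runs past the end of the data)
    raises rather than being guessed at, since a lenient parser is what lets
    a crafted attribute desynchronise the rest of the packet.
    """
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def decode_vsa(value: bytes, rfc_conformant: bool = True):
    """Decode the Value of a type 26 attribute into (vendor_id, sub-attributes).

    Vendor ID is four octets with the high-order octet 0 and the SMI Private
    Enterprise Code in the low three (Figure 29). For the RFC-conformant
    layout (Figure 30) the String is split into (Vendor Type, Attribute-
    Specific) pairs; for a vendor that does not follow that layout the raw
    String is returned as a single (None, string) entry.
    """
    if len(value) < 4:
        raise ValueError("VSA shorter than the 4-octet Vendor ID")
    if value[0] != 0:
        raise ValueError("high-order octet of Vendor ID must be 0")
    vendor_id = struct.unpack("!I", value[:4])[0] & 0xFFFFFF
    string = value[4:]
    if not rfc_conformant:
        return vendor_id, [(None, string)]
    subattrs = []
    pos = 0
    while pos < len(string):
        if len(string) - pos < 2:
            raise ValueError("truncated vendor sub-attribute at offset %d" % pos)
        vtype, vlen = string[pos], string[pos + 1]
        # Vendor Length counts the Vendor Type and Vendor Length octets (RFC 2865).
        if vlen < 2 or pos + vlen > len(string):
            raise ValueError("bad vendor length %d at offset %d" % (vlen, pos))
        subattrs.append((vtype, string[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs


def build_attr(atype, value):
    """Encode one attribute: Type, Length (2 + len(value)), Value."""
    return bytes([atype, 2 + len(value)]) + value


def build_vsa(vendor_id, vendor_type, data):
    """Encode an RFC-conformant VSA: Type 26, Vendor ID, then the Figure 30 String."""
    string = bytes([vendor_type, 2 + len(data)]) + data
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + string)


# --- Constructed sample Attributes section modelled on the page's Access-Request
# trace: User-Name (1), Service-Type (6) = Framed (2), and a Microsoft VSA
# (vendor ID 311) carrying "MSRASV5.00". Vendor type 18 is an assumed value.
SAMPLE_ATTRIBUTES = (
    build_attr(1, b"NTRESKIT\\user1")
    + build_attr(6, struct.pack("!I", 2))
    + build_vsa(311, 18, b"MSRASV5.00")
)

if __name__ == "__main__":
    for atype, value in parse_attributes(SAMPLE_ATTRIBUTES):
        if atype == VENDOR_SPECIFIC:
            print(atype, decode_vsa(value))
        else:
            print(atype, value)
```

The VSA in the sample encodes to an attribute length of 18, the same value the page's trace shows for the MSRASV5.00 attribute, because 2 (Type, Length) + 4 (Vendor ID) + 2 (Vendor Type, Vendor Length) + 10 (string) = 18. When entering a non-conformant VSA as a hexadecimal value in IAS, the bytes to supply are exactly what `decode_vsa(value, rfc_conformant=False)` returns as the string: everything after the Vendor ID.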
RADIUS Packet Example
A Windows 2000 PPTP client attempts a remote access connection to a Windows 2000 VPN server. The VPN server has an IP address of 10.10.210.13 and the IAS server has an IP address of 10.10.210.12.
Access-Request Packet
The following Network Monitor trace shows the Access-Request packet sent by the VPN server to the IAS server.
RADIUS: Message Type: Access Request(1)
RADIUS: Message Type = Access Request
RADIUS: Identifier = 2 (0x2)
RADIUS: Length = 220 (0xDC)
RADIUS: Authenticator = 8A 6F DC 03 23 5F 4B 62 CA 40 92 38 DC 75 CB 74
RADIUS: Attribute Type: NAS IP Address(4)
RADIUS: Attribute type = NAS IP Address
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS IP address = 10.10.210.13
RADIUS: Attribute Type: Service Type(6)
RADIUS: Attribute type = Service Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Service type = Framed
RADIUS: Attribute Type: Framed Protocol(7)
RADIUS: Attribute type = Framed Protocol
RADIUS: Attribute length = 6 (0x6)
RADIUS: Framed protocol = PPP
RADIUS: Attribute Type: NAS Port(5)
RADIUS: Attribute type = NAS Port
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS port = 32 (0x20)
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 12 (0xC)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string =
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 18 (0x12)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = MSRASV5.00
RADIUS: Attribute Type: NAS Port Type(61)
RADIUS: Attribute type = NAS Port Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS port type = Virtual
RADIUS: Attribute Type: Tunnel Type(64)
RADIUS: Attribute type = Tunnel Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Tag = 0 (0x0)
RADIUS: Tunnel type = Point-to-Point Tunneling Protocol(PPTP)
RADIUS: Attribute Type: Tunnel Media Type(65)
RADIUS: Attribute type = Tunnel Media Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Tag = 0 (0x0)
RADIUS: Tunnel media type = IP (IP version 4)
RADIUS: Attribute Type: Calling Station ID(31)
RADIUS: Attribute type = Calling Station ID
RADIUS: Attribute length = 14 (0xE)
RADIUS: Calling station ID = 10.10.14.226
RADIUS: Attribute Type: Tunnel Client Endpoint(66)
RADIUS: Attribute type = Tunnel Client Endpoint
RADIUS: Attribute length = 14 (0xE)
RADIUS: Tunnel client endpoint = 10.10.14.226
RADIUS: Attribute Type: User Name(1)
RADIUS: Attribute type = User Name
RADIUS: Attribute length = 18 (0x12)
RADIUS: User name = NTRESKIT\user1
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 24 (0x18)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = ¦ì½+-_¦e $+fN<åN
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 58 (0x3A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = 4
The RADIUS attributes sent by the VPN server include the user name, the service type, the framed protocol, various tunnel attributes for the PPTP connection, and a series of vendor-specific attributes for MS-CHAP authentication. For more information about Microsoft VSAs, see RFC 2548.
Access-Accept Packet
The following Network Monitor trace shows the Access-Accept packet sent by the IAS server to the VPN server.
+ IP: ID = 0xB18; Proto = UDP; Len: 248
+ UDP: Src Port: Unknown, (1812); Dst Port: Unknown (1327); Length = 228 (0xE4)
RADIUS: Message Type: Access Accept(2)
RADIUS: Message Type = Access Accept
RADIUS: Identifier = 2 (0x2)
RADIUS: Length = 220 (0xDC)
RADIUS: Authenticator = 52 E2 19 98 2E F8 E2 D3 B7 3B E1 24 5B 72 55 9E
RADIUS: Attribute Type: Framed Protocol(7)
RADIUS: Attribute type = Framed Protocol
RADIUS: Attribute length = 6 (0x6)
RADIUS: Framed protocol = PPP
RADIUS: Attribute Type: Service Type(6)
RADIUS: Attribute type = Service Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Service type = Framed
RADIUS: Attribute Type: Class(25)
RADIUS: Attribute type = Class
RADIUS: Attribute length = 32 (0x20)
RADIUS: Class = <$ @
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 42 (0x2A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = $Ç DZ¦,S¯c7 _æ:+RW_tÖ-qxF¦ (-+¦%p6
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 42 (0x2A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = $Ç
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 51 (0x33)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = -
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 21 (0x15)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string =
The RADIUS attributes sent by the IAS server include the user name, the service type, the framed protocol, the service class, and a series of vendor-specific attributes for MS-CHAP authentication.