Differences

en:syces:nasrequirements [2014/09/22 10:07]
tf
en:syces:nasrequirements [2014/09/22 10:55] (current)
tf
Line 7: Line 7:
  
 ===== Captive Portal ===== ===== Captive Portal =====
-A captive portal (CP) redirects unauthenticated users to a login form. Two different types (internal, external) of CPs may be implemented. At least one CP should be configurable per Gateway. In enterprise environments it should be possible to define multiple CPs and assign them to SSIDs (wireless) or VLANs (wired)+A captive portal (CP) redirects unauthenticated users to a login form. Two different types (internal, external) of CPs may be implemented. At least one CP should be configurable per Gateway. In enterprise environments it should be possible to define multiple CPs and assign them to SSIDs (wireless)VLANs (wired) or physical interfaces.
  
 ==== Common Requirements ==== ==== Common Requirements ====
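Review bot: the revised sentence at Line 7 drops the comma after "SSIDs (wireless)", so the list reads "SSIDs (wireless)VLANs (wired) or physical interfaces"; it should read "SSIDs (wireless), VLANs (wired) or physical interfaces." (the trailing period is also missing). Since "physical interfaces" is the new assignment target added by this revision, it would help to say whether a CP bound to a physical interface applies to all VLANs on that interface or only to untagged traffic, as the Common Requirements below do not cover that case.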
Line 43: Line 43:
 ==== Radius Authentication  ==== ==== Radius Authentication  ====
 === Access Request === === Access Request ===
 +The access-request packet  sent by the NAS needs the folllowing attributes :
 +  * User-Name (RFC 2865 5.1)\\ A maximum of 30 characters plus '@' plus a maximum of 19 characters for the domain (<username>@<domain>), makes a total of maximal 50 characters. Treated as case-insensitive.
 +  * User-Password (RFC 2865 5.2)\\ 1 to 25 characters 
 +  * NAS-IP-Address (RFC 2865 5.4)\\ External NAS IP-Address 
 +  * NAS-Identifier\\ Name of NAS. Used for limit accounts to specific hosts
 +  * NAS-Port (RFC 2865 5.5)\\ physical port number
 +  * NAS-Port-Type (RFC 2865 5.41)\\ e.g\\ 15 : Ethernet\\ 19 : Wireless - IEEE 802.11\\ see RFC
 +Any other attributes will currently be ignored.
 === Access Accept === === Access Accept ===
 +In case of a successful authentication the radius server sends an acces-accept packet that may contain the following attributes::
 +  * Session-Timeout (RFC 2865 5.27)\\ session limit in seconds
 +  * Reply-Message (RFC 2865 5.18)\\ - XYM -volume limit  in MiB
 +
 +The NAS should use one of the following method:
 +  - Either use the received attributes to find out when to stop the session\\ or
 +  - the NAS regularly retries to get users authenticated and stops the session when this fails 
 +The manufacturer may decide which method to chose. The first one produces less traffic, but doesn't keep up to the frontend functionalities like a volume check. The second one is more flexible.
 +The NAS can't rely on receiving one of the above attributes (see RFC2865  4.2. Access Accept).
 +Other attributes are currently not used.
 +
 === Access Reject === === Access Reject ===
  
 ==== Radius Accounting  ==== ==== Radius Accounting  ====
 === Accounting Start === === Accounting Start ===
 +The  Accounting-Start packet needs to be generated right after a successful authentication.
 +
 +It consists of an Accounting-Request (RFC 2866 4.1) with the following atttributes:
 +  * Acct-Status-Type (RFC 2866 5.1)\\ "Start" 
 +  * User-Name (RFC 2865 5.1)\\ A maximum of 30 characters plus '@' plus a maximum of 19 characters for the domain (<username>@<domain>), makes a total of maximal 50 characters. Treated as case-insensitive.
 +  * NAS-IP-Address (RFC 2865 5.4)\\ External NAS IP-Address
 +  * NAS-Port (RFC 2865 5.5)\\ physical port number
 +  * NAS-Port-Type (RFC 2865 5.41) (optional)\\ e.g\\ 15 : Ethernet\\ 19 : Wireless - IEEE 802.11\\ see RFC
 +  * Framed-IP-Address (RFC 2865 5.8)\\ User IP address (Client).
 +  * Acct-Session-Id (RFC 2866 5.5)\\ Unique Session-ID to identity the current session and update the counters
 +  * Called-Station-Id (RFC 2865 5.30)\\ other than in RFC:  MAC address of gateway or wireless controller
 +  * Calling-Station-Id (RFC 2865 5.31)\\ other than in RFC: MAC address of client 
 +Apart from the attributes marked as optional all other attributes have to be implemented due to §113 TKG.
 +
 === Interim Update === === Interim Update ===
 +With Interim Updates volume based accounts can be handled. They are optional, but recommended.
 +With UDP protocol it is possible that packets get lost, therefore it is recommended to always send interim-update packets.
 +And it is possible to contiunally inform the user about the reamining volume and time. 
 +
 +In an Accounting-Update packet the following attributes have to be sent:
 +  * Acct-Status-Type (RFC 2866 5.1)\\ "Interim-Update"
 +  * User-Name (RFC 2865 5.1)\\ A maximum of 30 characters plus '@' plus a maximum of 19 characters for the domain (<username>@<domain>), makes a total of maximal 50 characters. Treated as case-insensitive.
 +  * NAS-IP-Address (RFC 2865 5.4)\\ External NAS IP-Address
 +  * Acct-Input-Octets (RFC 2866 5.3)\\ Input volume in bytes within a user session.. According to RFC this should only be sent with a Stop-Packet, but SyCes also takes it into account in Interim-Update packets. NAS must always send the total volume from the beginning of the session, not only the volume since the last interim-update. 
 +  * Acct-Output-Octets (RFC 2866 5.4)\\ Output volume in bytes within a user session.. According to RFC this should only be sent with a Stop-Packet, but SyCes also takes it into account in Interim-Update packets. NAS must always send the total volume from the beginning of the  session, not only the volume since the last interim-update. 
 +  * Acct-Session-Id (RFC 2866 5.5)\\ Unique Session-ID to identity the current session and update the counters
 +  * Acct-Session-Time (RFC 2866 5.7)\\ Duration of session in seconds. According to RFC this should only be sent with a Stop-Packet, but SyCes also takes it into account in Interim-Update packets. NAS must always send the total duration from the beginning of the session, not only the duration since the last interim-update. 
 +  * Called-Station-Id (RFC 2865 5.30)\\ other than in RFC:  MAC address of gateway or wireless controller
 +  * Calling-Station-Id (RFC 2865 5.31)\\ other than in RFC: MAC address of client  
 +  * Framed-IP-Address (RFC 2865 5.8)\\ user IP address (Client).
 +  * Vendor-Specific (RFC 2865 5.26)\\ When this attribute is NOT sent the RADIUS-Server assumes that Acct-Session-Time, Acct-Output-Octets und Acct-Input-Octets contain deltas other to RFC.
 +
 === Accounting Stop === === Accounting Stop ===
- +The  Accounting-Stop-Paket must be sent directly after session end. 
 +It consists of an accounting-Request (RFC 2866 4.1) with the following attributes: 
 +  * Acct-Status-Type (RFC 2866 5.1)\\ "Stop" 
 +  * User-Name (RFC 2865 5.1)\\ A maximum of 30 characters plus '@' plus a maximum of 19 characters for the domain (<username>@<domain>), makes a total of maximal 50 characters. Treated as case-insensitive. 
 +  * NAS-IP-Address (RFC 2865 5.4)\\ External NAS IP-Address 
 +  * Acct-Input-Octets (RFC 2866 5.3)\\ input volume in bytes within a session 
 +  * Acct-Output-Octets (RFC 2866 5.4)\\ output volume in bytes within a session 
 +  * Acct-Session-Id (RFC 2866 5.5)\\ Unique Session-ID to identity the current session and update the counters 
 +  * Acct-Session-Time (RFC 2866 5.7)\\ duration in seconds 
 +  * Acct-Terminate-Cause (RFC 2866 5.10) (optional)\\ Cause of session termination. 
 +  * Called-Station-Id (RFC 2865 5.30)\\ other than in RFC:  MAC address of gateway or wireless controller 
 +  * Calling-Station-Id (RFC 2865 5.31)\\ other than in RFC: MAC address of client  
 +  * Framed-IP-Address (RFC 2865 5.8)\\ user IP address (Client). 
 +Apart from the attributes marked as optional all other attributes have to be implemented due to §113 TKG.
  
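Review bot: the Vendor-Specific bullet in the Interim Update list is underspecified and contradicts the counter bullets above it. No Vendor-Id, vendor type or value is given, so an implementer cannot construct the attribute, and the sentence "When this attribute is NOT sent the RADIUS-Server assumes that Acct-Session-Time, Acct-Output-Octets und Acct-Input-Octets contain deltas" conflicts with the Acct-Input-Octets, Acct-Output-Octets and Acct-Session-Time bullets, which already require the NAS to "always send the total volume from the beginning of the session". Suggest stating one rule (cumulative counters in every Interim-Update and Stop packet) and, if the VSA is kept as a signal, documenting its exact Vendor-Id, type and value. Related points in the same hunk: the Reply-Message value in Access Accept ("- XYM -volume limit in MiB") does not give the string format the NAS has to parse, which matters because the NAS is told it cannot rely on the attribute being present; the Accounting Stop list omits NAS-Port, which the Start list marks mandatory under §113 TKG; and "identity the current session" should be "identify", "und" should be "and", plus the spellings "folllowing", "acces-accept", "atttributes", "contiunally", "reamining" and "Accounting-Stop-Paket".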