5.2. Authentication Modes
Additional message types have been added to negotiate passcode
changes for token card servers.
- Next Passcode
- New PIN
- Password Expired
They allow the NAS or RADIUS server to negotiate passcode changes with
an external security server.
5.3. Menus
At least two vendors have built menuing interaction systems for use
with terminal dial-ins.
One implementation uses the Reply-Message string as the menu text to
be displayed, and the State attribute to keep track of the place in
the menu. The menu is displayed using the Access-Challenge message.
The response is encoded in the User-Password field like an ordinary
challenge sequence would.
Some RADIUS clients have problems with this because they cannot
handle long or multiple Reply-Message attributes that may have
embedded carriage returns and line-feeds. The new Echo attribute
should also control echo behavior on the menu response. Use of the
State attribute to keep track of a Challenge sequence is also
standard behavior.
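
The menu exchange described above, as an added example (not part of
the RFC or of any vendor's code): a server-side builder that spreads
menu text across several Reply-Message attributes, and a client-side
parser that checks the RFC 2865 Response Authenticator, rejoins the
fragments in order and returns the State value to echo back. The
function names, the UTF-8 encoding and the sample menu are assumptions
made for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11            # RFC 2865 packet code
REPLY_MESSAGE, STATE = 18, 24    # RFC 2865 attribute types
MAX_VALUE = 253                  # 255-octet attribute minus 2-octet header

def _response_auth(header4, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header4 + request_auth + attrs + secret).digest()

def build_menu_challenge(ident, menu_text, state, request_auth, secret):
    """Server side: one Reply-Message per 253-octet slice, then State."""
    data = menu_text.encode("utf-8")
    attrs = b""
    for i in range(0, len(data), MAX_VALUE):
        chunk = data[i:i + MAX_VALUE]
        attrs += bytes([REPLY_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([STATE, len(state) + 2]) + state
    header4 = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    return header4 + _response_auth(header4, request_auth, attrs, secret) + attrs

def parse_menu_challenge(packet, request_auth, secret):
    """Client side: return (menu_text, state); fragments are joined before decoding."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_CHALLENGE or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Challenge")
    attrs = packet[20:length]
    expected = _response_auth(packet[:4], request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    pos, parts, state = 0, [], None
    while pos < len(attrs):
        alen = attrs[pos + 1] if pos + 2 <= len(attrs) else 0
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        atype, value = attrs[pos], attrs[pos + 2:pos + alen]
        if atype == REPLY_MESSAGE:
            parts.append(value)      # keep wire order; CR/LF are ordinary bytes
        elif atype == STATE:
            state = value            # opaque token, echoed back unmodified
        pos += alen
    return b"".join(parts).decode("utf-8", errors="replace"), state

# Constructed sample: a menu with CR/LF that is longer than one attribute.
SAMPLE_MENU = "Select a service:\r\n" + "".join(f"{n:2d}) host-{n:02d}\r\n" for n in range(1, 31))
```
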
Another implementation uses two vendor attributes (VSA-Menu-Item, and
VSA-Menu-Selector as well as VSA-Third-Prompt) to convey this
information. This implementation is vendor specific.
Mitton Informational [Page 8]
RFC 2882 Extended RADIUS Practices July 2000
5.4. Pseudo Users
One client implementation takes advantage of your vanilla RADIUS
server's ability to be used as a remote database server. By using
some well-known, implementation specific, strings for Username and
Password attributes, the NAS can request information from the server,
such as: Static IP routes, Static IPX routes, or the Message of the
Day.
These are called pseudo-user requests, because they use a user entry
with this manufactured name, for purposes other than authentication.
Another client also uses a pseudo-user technique for resolving
unknown Filter-ID(11) values. An Access-Request message is sent to
the RADIUS server with the Filter-ID as the Username value, the
password is a known string, and the Service-Type is
VSE-Authorization-Only. The response must also be of the same
Service-Type, or the response will be ignored. The responding profile
should contain the IP-Filter VSA attributes that will define the
desired filter.
It should be noticed that pseudo-user profiles could be a security
problem if a specific or operationally invalid Service-Type is not