Symantec Access Management

Policy Server :: Radius : Service-Type

  • 1.  Policy Server :: Radius : Service-Type

    Broadcom Employee
    Posted Dec 15, 2014 03:08 AM

    When running Policy Server as Radius Server, does the Policy Server
    expect a specific value for the Service-Type attribute?

     

    The Radius server should not send the attribute
    for which the value is unknown. Following RFC 2865,
    if the Radius Server receives an attribute for which
    the value is unknown, it should reply with Access-Reject,
    as for example in a network trace:

     

    The Policy Server receives these attributes:

     

        AVP: l=6 t=Service-Type(6): Unknown(134217728)
        AVP: l=6 t=NAS-Port(5): 0
        AVP: l=6 t=NAS-IP-Address(4): 10.1.1.10

     

    and it should send back:

     

        Code: Access-Reject (3)
        AVP: l=14 t=Reply-Message(18): Packet Error

     

    From https://tools.ietf.org/html/rfc2865:

     

        A NAS that does not implement a given service MUST
        NOT implement the RADIUS attributes for that service.
        For example, a NAS that is unable to offer ARAP
        service MUST NOT implement the RADIUS attributes
        for ARAP.  A NAS MUST treat a RADIUS access-accept
        authorizing an unavailable service as an
        access-reject instead.

     

    [...]

     

    1.2.  Terminology

     

    service   The NAS provides a service to the dial-in user,
       such as PPP or Telnet.

     

    [...]

     

    5.6.  Service-Type

     

       Description

     

          This Attribute indicates the type of service the
          user has requested, or the type of service to be
          provided. It MAY be used in both Access-Request
          and Access-Accept packets.  A NAS is not required
          to implement all of these service types, and MUST
          treat unknown or unsupported Service-Types as
          though an Access-Reject had been received instead.

     

          [...]

     

          6 Administrative

     

    Usually, the Service-Type value is defined in the Agent Type for
    the Agent. It might also be set by a response. You might check both
    in the configuration of the Agent and Policy.
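
To reproduce the check from the trace above when troubleshooting a capture, the following added example (not part of the original post and not Policy Server code) parses the attribute bytes and tests Service-Type against the RFC 2865 section 5.6 value list. The function names, the `SAMPLE` bytes and the byte-reversal hint are assumptions for illustration; the hint only reports arithmetic on the received value and says nothing about why a given NAS sent it.

```python
import struct

# Service-Type values defined in RFC 2865 section 5.6
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
    8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
    11: "Callback Administrative",
}
SERVICE_TYPE = 6  # attribute type code, as shown in the trace


def parse_avps(data: bytes):
    """Split attributes: type (1 byte), length (1 byte, header included), value."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        avps.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return avps


def check_service_type(avps):
    """Return (decision, detail) for the Service-Type attribute, if present."""
    for a_type, value in avps:
        if a_type != SERVICE_TYPE:
            continue
        if len(value) != 4:
            return "Access-Reject", "Service-Type must carry a 4-byte value"
        (number,) = struct.unpack("!I", value)  # network byte order
        if number in SERVICE_TYPES:
            return "continue", SERVICE_TYPES[number]
        detail = f"Unknown({number}) = 0x{number:08X}"
        # Diagnostic hint only: does the byte-reversed value name a known type?
        (swapped,) = struct.unpack("<I", value)
        if swapped in SERVICE_TYPES:
            detail += f"; byte-reversed it is {swapped} ({SERVICE_TYPES[swapped]})"
        return "Access-Reject", detail
    return "continue", "no Service-Type present"


# Constructed sample: the three attributes listed in the trace above
SAMPLE = (struct.pack("!BBI", 6, 6, 134217728) + struct.pack("!BBI", 5, 6, 0)
          + bytes([4, 6, 10, 1, 1, 10]))
```

Running `check_service_type(parse_avps(SAMPLE))` returns the reject decision together with the hexadecimal form of the value, which is often the quickest way to spot an encoding problem on the sending side.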