This section describes the RADIUS schema. It lists the object classes and attributes that are required to use the RADIUS service. The RADIUS schema is automatically added to the directory server schema when you run the RADIUS initialization script, setup_rad, as described in "Initializing RADIUS".
RADIUS Object Classes
RADIUS object classes are defined in the radius.oc.conf file. This file is located in the /opt/SUNWconn/ldap/default/schema directory.
The RADIUS service includes the following specific object classes:
nas
Description: Defines a Network Access Server used in the context of RADIUS authentication.
Superior object class: device
Mandatory attributes: iphostNumber, sharedKey
Optional attributes: acctattrFile, dictionaryFile
remoteUser
Description: In the context of RADIUS authentication, used to define remote users who access the network through a Network Access Server (NAS). The remoteUser object class is an auxiliary object class. This means that it can be used with any structural object class, for example the person or organizational person object class. The uid attribute is mandatory because it is always passed in the connection request transmitted by the NAS to the RADIUS server. It is the key attribute used in the search filter applied by the RADIUS server to look for the remote user's entry in the directory. The optional attributes are the LDAP translation of the RADIUS attributes. They define all the possible connection parameters that can be passed in a connection request transmitted by the NAS to the RADIUS server.
Superior object class: top
Mandatory attribute: uid (userid)
Optional attributes: acctAuthentic, acctDelayTime, acctInputOctet, acctInputPacket, acctOutputOctet, acctOutputPacket, acctSessionId, acctSessionTime, acctStatusType, acctTerminateCause, authCalledStationId, authCallingStationId, authFilterId, authHostPortNumber, authHostPortType, authLoginService, authNASidentifier, authPortLimit, authPrefixName, authReplyMessage, authServiceProtocol, authType, authStartMenuId, authState, authStopMenuId, authSuffixName, authTerminationAction, chapPassword, cn (commonName), dynamicSessionCounter, dynamicSessionId, dynamicIPAddress, dynamicIPaddrBinding, expirationDate, framedCompression, framedIPAddress, framedMTU, framedRoute, framedRouting, framedProtocol, grpCheckInfo, grpReplyInfo, idleTimeoutNumber, ipHostNumber, ipLoginHost, ipLoginPort, ipNetmaskNumber, ipxNetworkNumber, pamServiceName, radiusLoginProfile, radiusPppProfile, radiusSlipProfile, radiusAuthFailedAccess, radiusLoginExpiration, radiusLoginPasswd, radiusPppExpiration, radiusPppPasswd, radiusSlipExpiration, radiusSlipPasswd, sessionTimeoutNumber, userCallbackId, userCallbackNumber, userPassword.
radiusServer
Description: This object class is reserved for future use.
Superior object class: applicationProcess
Mandatory attributes: host, sharedKey
Optional attributes: dictionaryFile, acctattrFile, authHostPortNumber, acctHostPortNumber, radiusServerRealm, radiusServerFlags
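The following is an added example, not code from the Sun Directory Services documentation or product. It encodes the three object classes described above in a small table and checks constructed entries against it (mandatory attributes present, single-valued attributes not repeated, remoteUser combined with a structural class, unknown attributes rejected) before rendering them as LDIF. Attributes contributed by the superior classes (device, applicationProcess, top) and by the structural class that carries remoteUser are not modelled; that simplification, the sample DNs and all sample values are assumptions of the example.

```python
"""Schema-conformance checks for RADIUS directory entries (added example).

Encodes the nas, remoteUser and radiusServer object classes described in the
RADIUS schema section; superior and structural classes are not modelled
(assumption).
"""
import base64


def names(text):
    """Lower-case a whitespace-separated list: LDAP names match case-insensitively."""
    return {n.lower() for n in text.split()}


# Optional attributes of remoteUser, as listed in the object class description.
REMOTE_USER_MAY = names("""
acctAuthentic acctDelayTime acctInputOctet acctInputPacket acctOutputOctet
acctOutputPacket acctSessionId acctSessionTime acctStatusType acctTerminateCause
authCalledStationId authCallingStationId authFilterId authHostPortNumber
authHostPortType authLoginService authNASidentifier authPortLimit authPrefixName
authReplyMessage authServiceProtocol authType authStartMenuId authState
authStopMenuId authSuffixName authTerminationAction chapPassword cn
dynamicSessionCounter dynamicSessionId dynamicIPAddress dynamicIPaddrBinding
expirationDate framedCompression framedIPAddress framedMTU framedRoute
framedRouting framedProtocol grpCheckInfo grpReplyInfo idleTimeoutNumber
ipHostNumber ipLoginHost ipLoginPort ipNetmaskNumber ipxNetworkNumber
pamServiceName radiusLoginProfile radiusPppProfile radiusSlipProfile
radiusAuthFailedAccess radiusLoginExpiration radiusLoginPasswd
radiusPppExpiration radiusPppPasswd radiusSlipExpiration radiusSlipPasswd
sessionTimeoutNumber userCallbackId userCallbackNumber userPassword""")

RADIUS_CLASSES = {  # object class -> mandatory and optional attribute sets
    "nas": {"must": names("ipHostNumber sharedKey"), "may": names("acctattrFile dictionaryFile")},
    "remoteuser": {"must": names("uid"), "may": REMOTE_USER_MAY},
    "radiusserver": {"must": names("host sharedKey"),
                     "may": names("dictionaryFile acctattrFile authHostPortNumber "
                                  "acctHostPortNumber radiusServerRealm radiusServerFlags")},
}
KNOWN_CLASSES = set(RADIUS_CLASSES)
# Attributes the attribute descriptions mark as single-valued.
SINGLE_VALUED = names("""authState chapPassword dynamicSessionCounter expirationDate
pamServiceName radiusAuthFailedAccess radiusLoginExpiration radiusLoginPasswd
radiusLoginProfile radiusPppExpiration radiusPppPasswd radiusPppProfile
radiusSlipExpiration radiusSlipPasswd radiusSlipProfile sharedKey""")


def validate_entry(entry):
    """Return the list of schema violations (empty when the entry conforms).
    entry maps attribute names to lists of values and must carry objectClass."""
    attrs = {name.lower(): list(values) for name, values in entry.items()}
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    radius_classes = classes & KNOWN_CLASSES
    if not radius_classes:
        return ["entry carries none of the RADIUS object classes"]
    # Attributes of classes this table does not describe (device, person, ...)
    # cannot be checked, so unknown names are reported only for pure RADIUS entries.
    foreign = classes - KNOWN_CLASSES - {"top"}
    problems = []
    if "remoteuser" in classes and not foreign:
        problems.append("remoteUser is auxiliary: add a structural class such as person")
    allowed = set()
    for cls in sorted(radius_classes):
        allowed |= RADIUS_CLASSES[cls]["must"] | RADIUS_CLASSES[cls]["may"]
        for must in sorted(RADIUS_CLASSES[cls]["must"]):
            if not attrs.get(must):
                problems.append(f"{cls}: mandatory attribute {must} is missing")
    for name, values in attrs.items():
        if name == "objectclass":
            continue
        if name in SINGLE_VALUED and len(values) > 1:
            problems.append(f"{name}: single-valued attribute has {len(values)} values")
        if not foreign and name not in allowed:
            problems.append(f"{name}: not permitted by {', '.join(sorted(radius_classes))}")
    return problems


def ldif_line(name, value):
    """One LDIF attribute line; values LDIF cannot carry literally are base64-encoded."""
    if not value.isascii() or value.startswith((" ", ":", "<")) or value.endswith(" "):
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def to_ldif(dn, entry):
    """Render one entry as an LDIF record."""
    lines = [f"dn: {dn}"] + [ldif_line(n, v) for n, vs in entry.items() for v in vs]
    return "\n".join(lines) + "\n"


# Constructed sample entries (host, secret and user name are made up).
NAS_ENTRY = {"objectClass": ["top", "device", "nas"], "cn": ["nas1"],
             "ipHostNumber": ["192.0.2.10"], "sharedKey": ["constructed-shared-secret"]}
USER_ENTRY = {"objectClass": ["top", "person", "remoteUser"], "cn": ["Jane Smith"],
              "sn": ["Smith"], "uid": ["jsmith"], "radiusPppProfile": ["1"],
              "radiusPppPasswd": ["constructed-secret"]}

if __name__ == "__main__":
    for dn, entry in [("cn=nas1,ou=NAS,dc=example,dc=com", NAS_ENTRY),
                      ("uid=jsmith,ou=People,dc=example,dc=com", USER_ENTRY)]:
        print(to_ldif(dn, entry), validate_entry(entry) or "conforms", sep="")
```

Running a check like this over LDIF before ldapadd catches the two mistakes that most often keep a NAS from authenticating at all: a missing sharedKey and a remoteUser entry without the uid the server searches on.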
RADIUS Attributes
RADIUS attributes are defined in the radius.at.conf file. This file is located in the /opt/SUNWconn/ldap/default/schema directory.
All attributes defined in the RADIUS schema have one of the following syntaxes: ces (case-exact string), cis (case-insensitive string), or int (integer).
The following list of attributes in the RADIUS schema gives each attribute's syntax and any alternative names, and explains how the attribute is used.
acctattrFile
Description: Specifies the name of the dynamic accounting attributes file to be used to interpret the dynamic accounting information received from the NAS described by the entry.
Syntax: ces
Contained in object classes: nas, radiusServer
acctAuthentic
Description: Used in RADIUS accounting requests to indicate how the user described by the entry was authenticated.
Syntax: ces
Contained in object class: remoteUser
acctDelayTime
Description: Used in RADIUS accounting requests to indicate for how long the NAS has been trying to send an accounting report. The delay is deducted from the time of arrival of the report to determine the actual time at which the event occurred.
Syntax: ces
Contained in object class: remoteUser
acctInputOctet
Description: Used in RADIUS accounting requests to indicate the number of octets received during the provision of service.
Syntax: ces
Contained in object class: remoteUser
acctInputPacket
Description: Used in RADIUS accounting requests to indicate the number of packets received during the provision of service.
Syntax: ces
Contained in object class: remoteUser
acctOutputOctet
Description: Used in RADIUS accounting requests to indicate the number of octets sent during the provision of service.
Syntax: ces
Contained in object class: remoteUser
acctOutputPacket
Description: Used in RADIUS accounting requests to indicate the number of packets sent during the provision of service.
Syntax: ces
Contained in object class: remoteUser
acctSessionId
Description: Used in RADIUS accounting to provide a unique accounting ID. It is used to match start and stop records for the same session.
Syntax: ces
Contained in object class: remoteUser
acctSessionTime
Description: Used in RADIUS accounting to indicate the number of seconds during which the user described by the entry has received service.
Syntax: ces
Contained in object class: remoteUser
acctStatusType
Description: Used in RADIUS accounting to indicate whether the current report marks the beginning of service (start) or the end (stop).
Syntax: ces
Contained in object class: remoteUser
acctTerminateCause
Description: Used in RADIUS accounting to indicate how a session was terminated.
Syntax: ces
Contained in object class: remoteUser
authCalledStationId
Description: Indicates the phone number called by the user to request access through a NAS.
Syntax: ces
Contained in object class: remoteUser
authCallingStationId
Description: Indicates the phone number from which the user called to request access through a NAS.
Syntax: ces
Contained in object class: remoteUser
authFilterId
Description: Indicates the name of the filter list for the user described by the entry.
Syntax: ces
Contained in object class: remoteUser
authHostPortNumber
Description: Indicates the physical port number of the NAS that is authenticating the user.
Syntax: ces
Contained in object classes: remoteUser, radiusServer
authHostPortType
Description: Indicates the type of physical port number of the NAS that is authenticating the user.
Syntax: ces
Contained in object class: remoteUser
authLoginService
Description: Indicates the service that should be used to connect the user to the login host.
Syntax: ces
Contained in object class: remoteUser
authNASidentifier
Description: Contains a string that identifies the NAS that transmitted an access request.
Syntax: ces
Contained in object class: remoteUser
authPortLimit
Description: Sets the maximum number of ports to be provided by the NAS to the user.
Syntax: ces
Contained in object class: remoteUser
authPrefixName
Description: Used internally by the RADIUS server to distinguish between the user name to be processed for authentication and a possible prefix. In some cases, the connection protocol can add a prefix to the user's name, for example, ppp%jsmith.
Syntax: ces
Contained in object class: remoteUser
authReplyMessage
Description: Contains text that the NAS can display to the user.
Syntax: cis
Contained in object class: remoteUser
authServiceProtocol
Description: Indicates the type of service requested by the user.
Syntax: ces
Contained in object class: remoteUser
authStartMenuId
Description: This attribute is used internally by the RADIUS server.
Syntax: ces
Contained in object class: remoteUser
authState
Description: A state attribute sent by the RADIUS server to the NAS. The NAS must send it back unchanged in the reply to the server. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
authStopMenuId
Description: Used internally by the RADIUS server.
Syntax: ces
Contained in object class: remoteUser
authType
Description: Indicates to the RADIUS server how passwords are stored, so that the password supplied by the user can be compared correctly against the password stored under the user's entry in the directory. Possible values for this attribute are:
Syntax: ces
Contained in object class: remoteUser
authSuffixName
Description: Used internally by the RADIUS server to distinguish between the user name to process for authentication and a possible suffix. In some cases, the domain name can be added to the user's name, for example, jsmith@eng.xyz.com.
Syntax: ces
Contained in object class: remoteUser
authTerminationAction
Description: Indicates the action to perform by the NAS when the service session is finished.
Syntax: ces
Contained in object class: remoteUser
chapPassword
Description: Contains the response value provided by a PPP Challenge Handshake Authentication Protocol (CHAP) user in response to a challenge. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
dictionaryFile
Description: Specifies the dictionary to be used by the RADIUS server when it receives a request from the NAS described by the entry.
Syntax: ces
Contained in object classes: nas, radiusServer
dynamicIPaddressBinding
Description: When RADIUS accounting is activated, associates the dynamicIPAddress and the dynamicSessionId assigned to the remote user.
Syntax: cis
Contained in object class: remoteUser
dynamicIPaddress
Description: When RADIUS accounting is activated, the IP address assigned to the remote user is recorded in the user's entry using this attribute. This attribute is created when the session begins, and removed when the session ends.
Syntax: cis
Contained in object class: remoteUser
dynamicSessionCounter
Description: When RADIUS accounting is activated, the number of concurrent open sessions for a remote user is recorded in the user's entry using this attribute. This attribute is removed when the user ends the last session. This attribute is single-valued.
Syntax: int
Contained in object class: remoteUser
dynamicSessionId
Description: When RADIUS accounting is activated, the session identifier assigned to the remote user for a particular session is recorded in the user's entry using this attribute. This identifier is used to open and close the accounting report for the session.
Syntax: cis
Contained in object class: remoteUser
expirationDate
Description: Indicates the expiration date for the password stored in the userPassword attribute. The expirationDate attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
framedCompression
Description: Indicates a compression protocol to be used for the link.
Syntax: ces
Contained in object class: remoteUser
framedIPAddress
Description: Indicates the address to be configured for the user.
Syntax: ces
Contained in object class: remoteUser
framedMTU
Description: Indicates the maximum transmission unit (MTU) to be configured for the user, when it is not negotiated by some other means (such as PPP).
Syntax: ces
Contained in object class: remoteUser
framedProtocol
Description: Indicates the framing to be used for framed access.
Syntax: ces
Contained in object class: remoteUser
framedRoute
Description: Provides routing information to be configured for the user on the NAS. Not to be confused with the framedRouting attribute.
Syntax: ces
Contained in object class: remoteUser
framedRouting
Description: Indicates the routing method for the user, when the user is a router to a network. Not to be confused with the framedRoute attribute.
Syntax: ces
Contained in object class: remoteUser
grpCheckInfo
Description: Contains a list of attributes (except uid) that must be checked by the RADIUS server against the information supplied by the remote user. If this attribute is not present, then access is denied. This attribute is used internally by the server.
Syntax: ces
Contained in object class: remoteUser
grpReplyInfo
Description: Contains a list of attributes returned by the RADIUS server with an access-accept or access-reject response. It can contain connection parameters such as a PPP or SLIP profile. If this attribute is not present, the remote user can connect from any host or IP address, and through any connection protocol. This attribute is used internally by the server.
Syntax: ces
Contained in object class: remoteUser
idleTimeoutNumber
Description: Sets the maximum number of consecutive seconds that the connection can remain idle before the session is terminated.
Syntax: ces
Contained in object class: remoteUser
ipLoginHost
Description: Indicates the system with which to connect the user, when the authLoginService attribute is included in the connection request.
Syntax: cis
Contained in object class: remoteUser
ipLoginPort
Description: Indicates the TCP port with which the user is to be connected, when the authLoginService attribute is included in the connection request.
Syntax: cis
Contained in object class: remoteUser
ipxNetworkNumber
Description: Indicates the IPX network number to be configured for the user.
Syntax: cis
Contained in object class: remoteUser
pamServiceName
Description: Specifies the name of the service that provides the PAM module. If you want to use PAM authentication with the RADIUS server, set the value of this attribute to be radius. You must also add pamServiceName to the list of attributes in the grpCheckInfo attribute. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusAuthFailedAccess
Description: Created dynamically in a remote user's entry when an access request is rejected. This counter is incremented by 1 at each failed attempt. The user account is blocked when this counter reaches the blocking value specified in the configuration (by default, 4). This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusLoginExpiration
Description: Indicates the expiration date for the password stored in the radiusLoginPasswd attribute. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusLoginPasswd
Description: Password provided by the remote user to gain access to the network through the LOGIN protocol. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusLoginProfile
Description: Flag with value 0 or 1. Value 1 enables checking of the password supplied by the user against the password stored in the radiusLoginPasswd attribute. Value 0 disables this check. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusPppExpiration
Description: Indicates the expiration date for the password stored in the radiusPppPasswd attribute. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusPppPasswd
Description: Password provided by the remote user to gain access to the network through the PPP protocol. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusPppProfile
Description: Flag with value 0 or 1. Value 1 enables checking of the password supplied by the user against the password stored in the radiusPppPasswd attribute. Value 0 disables this check. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusServerFlags
Description: Reserved for future use.
Syntax: ces
Contained in object class: radiusServer
radiusServerRealm
Description: Reserved for future use.
Syntax: ces
Contained in object class: radiusServer
radiusSlipExpiration
Description: Indicates the expiration date for the password stored in the radiusSlipPasswd attribute. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusSlipPasswd
Description: Password provided by the remote user to gain access to the network through the SLIP protocol. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
radiusSlipProfile
Description: Flag with value 0 or 1. Value 1 enables checking of the password supplied by the user against the password stored in the radiusSlipPasswd attribute. Value 0 disables this check. This attribute is single-valued.
Syntax: ces
Contained in object class: remoteUser
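The following is an added example, not the RADIUS server's own code. It models how the attributes described above combine into one access decision for a remote user: grpCheckInfo (absent means deny), the per-protocol profile flag selecting radiusLoginPasswd, radiusPppPasswd or radiusSlipPasswd together with its expiration attribute, and the radiusAuthFailedAccess counter that is created on the first rejection, incremented on each failure and blocks the account at the configured value (4 by default). Everything the page does not state is an assumption of the example: expiration dates are written as ISO 8601 (YYYY-MM-DD), each grpCheckInfo value names one attribute that the request must match exactly, how the server authenticates when a profile flag is 0 (authType, userPassword) is not modelled, and nothing resets the counter.

```python
"""Model of the per-user RADIUS checks implied by the remoteUser attributes.

Added example, not product code. Assumptions: ISO 8601 expiration dates, one
attribute name per grpCheckInfo value, no counter reset, and no modelling of
the authType/userPassword path used when a profile flag is 0.
"""
import hmac
from datetime import date

# Protocol -> (profile flag, password attribute, expiration attribute)
PROTOCOL_ATTRS = {
    "LOGIN": ("radiusLoginProfile", "radiusLoginPasswd", "radiusLoginExpiration"),
    "PPP": ("radiusPppProfile", "radiusPppPasswd", "radiusPppExpiration"),
    "SLIP": ("radiusSlipProfile", "radiusSlipPasswd", "radiusSlipExpiration"),
}
DEFAULT_BLOCKING_VALUE = 4          # the configuration default named on the page
SAMPLE_TODAY = date(2024, 1, 15)    # constructed "current date" for the sample run


def single(entry, name):
    """First value of a single-valued attribute, or None when it is absent."""
    values = entry.get(name) or []
    return values[0] if values else None


def is_blocked(entry, blocking_value=DEFAULT_BLOCKING_VALUE):
    count = single(entry, "radiusAuthFailedAccess")
    return count is not None and int(count) >= blocking_value


def record_failure(entry):
    """Create radiusAuthFailedAccess on the first rejection, then increment it."""
    count = int(single(entry, "radiusAuthFailedAccess") or 0) + 1
    entry["radiusAuthFailedAccess"] = [str(count)]
    return count


def group_check_passes(entry, request):
    """grpCheckInfo lists attributes the request must match; absent means deny."""
    names = entry.get("grpCheckInfo") or []
    if not names:
        return False
    for name in names:
        if name.lower() == "uid":       # uid is the search key, never listed here
            continue
        if request.get(name) not in (entry.get(name) or []):
            return False
    return True


def authorize(entry, request, protocol, today, blocking_value=DEFAULT_BLOCKING_VALUE):
    """Return (accepted, reason); every rejection bumps the failure counter."""
    def reject(reason):
        record_failure(entry)
        return False, reason

    if is_blocked(entry, blocking_value):
        return reject("account blocked by radiusAuthFailedAccess")
    if not group_check_passes(entry, request):
        return reject("grpCheckInfo missing or request attributes do not match")
    flag_attr, pw_attr, exp_attr = PROTOCOL_ATTRS[protocol]
    if single(entry, flag_attr) == "1":         # value 1 enables the password check
        stored = single(entry, pw_attr)
        if stored is None:
            return reject(f"{pw_attr} not set although {flag_attr} is 1")
        expires = single(entry, exp_attr)
        if expires is not None and date.fromisoformat(expires) < today:
            return reject(f"{pw_attr} expired on {expires}")
        # Constant-time comparison so response timing does not leak the stored value.
        if not hmac.compare_digest(stored.encode(), request.get("password", "").encode()):
            return reject("password mismatch")
    return True, "accepted"


def sample_user():
    """Constructed remoteUser entry (user name, NAS name, secret and date are made up)."""
    return {"uid": ["jsmith"], "authNASidentifier": ["nas1"],
            "grpCheckInfo": ["authNASidentifier"], "radiusPppProfile": ["1"],
            "radiusPppPasswd": ["constructed-secret"], "radiusPppExpiration": ["2030-06-30"]}


if __name__ == "__main__":
    user = sample_user()
    good = {"uid": "jsmith", "password": "constructed-secret", "authNASidentifier": "nas1"}
    print(authorize(user, good, "PPP", SAMPLE_TODAY))
    for _ in range(DEFAULT_BLOCKING_VALUE):
        print(authorize(user, dict(good, password="wrong"), "PPP", SAMPLE_TODAY),
              user["radiusAuthFailedAccess"])
    print(authorize(user, good, "PPP", SAMPLE_TODAY))      # rejected: account is blocked
```

Because the counter lives in the user's directory entry, a periodic search for entries whose radiusAuthFailedAccess has reached the blocking value is a simple way to spot accounts under repeated failed attempts and to find users who need to be unblocked.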
sessionTimeoutNumber
Description: Sets the maximum number of seconds of service to be provided to the user described in the entry before the session is shut down.
Syntax: ces
Contained in object class: remoteUser
sharedKey
Description: Specifies the shared secret used by the network access server (NAS) described by the entry during RADIUS authentication. This attribute is single-valued.
Syntax: ces
Contained in object classes: nas, radiusServer
userCallbackId
Description: Indicates a name of a place to be called. This attribute is interpreted by the NAS.
Syntax: ces
Contained in object class: remoteUser
userCallbackNumber
Description: Indicates a dialing string to use for callback to provide service to the user.
Syntax: ces
Contained in object class: remoteUser
userid
Description: The uid, or userid (mandatory), is always passed in the connection request transmitted by the NAS to the RADIUS server. It is the key attribute used in the search filter applied by the RADIUS server to look for the remote user's entry in the directory.
Syntax: cis
Contained in object class: remoteUser
userPassword
Description: The password that the user described by the entry uses to gain access to the entry. This password is automatically encrypted by the directory server.
Contained in object class: remoteUser