Basic Authentication and Authorization – Cisco Access Registrar 3.5 User Manual

Cisco Access Registrar 3.5 Concepts and Reference Guide

OL-2683-02

Chapter 1 Overview

Figure 1-2 Proxying to an LDAP Server for Authentication

Basic Authentication and Authorization

This section provides basic information about how Cisco Access Registrar performs the basic RADIUS
functions of authentication and authorization as defined in Internet RFC 2865.

Authentication—determining the identity of a user of a client NAS through user identification and
password validation and deciding whether to grant access

Authorization—determining the level of network services available to authenticated users after a
connection has been established

The Cisco Access Registrar (AR) server provides authentication and authorization service to its clients,
which are network access servers (NASs). The following steps describe how a connection is processed.

1. The process begins when a user dials into the NAS and enters a user name and a password. The NAS
   creates an Access-Request containing attributes such as the user's name, the user's password, the ID
   of the client, and the Port ID the user is accessing.

2. The Cisco AR server determines which hardware (client NAS) sent the request, parses the packet,
   and determines whether to accept the request.

   The Cisco AR server checks to see if the client's IP address is listed in
   /Radius/Clients/<Name>/<IPAddress>.

3. After accepting the request, the Cisco AR server does the following:

   - Sets up the Request Dictionary based on the packet information.

   - Runs any incoming scripts (user-written extensions to Cisco Access Registrar).

     An incoming script can examine and change the attributes of the request packet or the
     environment variables, either of which can affect subsequent processing.

   - Based on default values or scripts, chooses a service to authenticate and authorize the user.

     The Cisco AR server directs the request to the appropriate service, which then performs
     authentication and/or authorization according to the type specified in
     /Radius/Services/<Name>/<Type>.

   - Performs session management, directing the request to the appropriate Session Manager.
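The three steps above, as an added example that is not part of the Cisco guide or the Access Registrar product: a NAS side that builds an RFC 2865 Access-Request (User-Name, User-Password, NAS-IP-Address, NAS-Port) and a server side that identifies the client by source address against a constructed client table standing in for /Radius/Clients/<Name>/<IPAddress>, parses the packet, recovers the password with the shared secret and Request Authenticator, authenticates against a constructed local-users service, and builds the reply with its Response Authenticator. All IP addresses, secrets, names and user records here are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

# Constructed client table (plays the role of /Radius/Clients/<Name>/<IPAddress>).
CLIENTS = {"192.0.2.10": {"name": "nas-lab-1", "secret": b"constructed-secret"}}
# Constructed local-users service; a real server would pick the service by config or script.
USERS = {"joe": "xyz"}


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad with NULs to a multiple of 16 (at least 16), then XOR each
    block with MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def decode_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password: the chaining value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], digest))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, user: str, password: str,
                         nas_ip: str, nas_port: int) -> bytes:
    """Step 1: the NAS builds an Access-Request with a fresh 16-octet Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(payload: bytes) -> dict:
    """Walk the TLV list, rejecting lengths that would run past the packet."""
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def handle_request(packet: bytes, src_ip: str) -> tuple:
    """Steps 2 and 3: look the client up by source IP, parse, decode the password, and
    authenticate against the chosen service. Returns (reply code, reason, reply bytes or None)."""
    client = CLIENTS.get(src_ip)
    if client is None:
        return (0, "discarded: unknown client", None)  # RFC 2865 s.4.1: no reply is sent
    if len(packet) < 20:
        return (0, "discarded: short packet", None)
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return (0, "discarded: malformed packet", None)
    request_auth = packet[4:20]
    try:
        attrs = parse_attributes(packet[20:length])
    except ValueError as exc:
        return (0, f"discarded: {exc}", None)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    secret = client["secret"]
    pw = decode_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = USERS.get(user, "").encode()
    # Constant-time compare so the reject path does not leak how much of the password matched.
    if user in USERS and hmac.compare_digest(pw, expected):
        return (ACCESS_ACCEPT, f"{user} authenticated via {client['name']}",
                build_reply(ACCESS_ACCEPT, ident, request_auth, secret))
    return (ACCESS_REJECT, "bad credentials", build_reply(ACCESS_REJECT, ident, request_auth, secret))
```

The unknown-client branch returns no reply at all, matching the RFC's instruction to discard silently rather than reveal which source addresses the server will talk to; the malformed-length checks are what protects the attribute walk from a truncated or padded packet.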

[Figure 1-2 diagram: NAS, Access Registrar and LDAP server; labels user=joe, password=xyz, request, response, steps 1 through 6, Authentication, Authorization, accounting]