Policy Server :: Radius : Service-Type

Discussion created by Patrick-Dussault Employee on Dec 15, 2014

When running Policy Server as a RADIUS server, does the Policy Server expect a specific value for the Service-Type attribute?

The RADIUS server should not send an attribute for which the value is unknown. Following RFC 2865, if the RADIUS server receives an attribute for which the value is unknown, it should reply with Access-Reject, as for example in this network trace:

The Policy Server receives attributes:

    AVP: l=6 t=Service-Type(6): Unknown(134217728)
    AVP: l=6 t=NAS-Port(5): 0
    AVP: l=6 t=NAS-IP-Address(4): 10.1.1.10

and it should send back:

    Code: Access-Reject (3)
    AVP: l=14 t=Reply-Message(18): Packet Error

 

From https://tools.ietf.org/html/rfc2865

    A NAS that does not implement a given service MUST
    NOT implement the RADIUS attributes for that service.
    For example, a NAS that is unable to offer ARAP
    service MUST NOT implement the RADIUS attributes
    for ARAP.  A NAS MUST treat a RADIUS access-accept
    authorizing an unavailable service as an
    access-reject instead.

[...]

1.2.  Terminology

service   The NAS provides a service to the dial-in user,
   such as PPP or Telnet.

[...]

5.6.  Service-Type

   Description

      This Attribute indicates the type of service the
      user has requested, or the type of service to be
      provided. It MAY be used in both Access-Request
      and Access-Accept packets.  A NAS is not required
      to implement all of these service types, and MUST
      treat unknown or unsupported Service-Types as
      though an Access-Reject had been received instead.

      [...]

      6 Administrative

 

Usually, the Service-Type value is defined in the Agent Type for the Agent. It might also be set by a response. You might check both in the configuration of the Agent and the Policy.
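
As an added illustration (not part of the original post and not Policy Server code), the following Python example parses the attributes of a constructed Access-Request carrying the three AVPs from the trace above and reports a Service-Type that is not one of the values listed in RFC 2865 section 5.6. The function names, the identifier and the all-zero authenticator are assumptions made for the example.

```python
import socket
import struct

# Service-Type values defined in RFC 2865 section 5.6.
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
    8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
    11: "Callback Administrative",
}
NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 4, 5, 6  # attribute type codes

def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs, rejecting inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def service_type_problem(packet: bytes):
    """Return a rejection reason for the Service-Type AVP, or None if fine."""
    for a_type, value in parse_attributes(packet):
        if a_type != SERVICE_TYPE:
            continue
        if len(value) != 4:
            return "Service-Type value must be 4 octets"
        number = struct.unpack("!I", value)[0]
        if number not in SERVICE_TYPES:
            return f"unknown Service-Type {number} (0x{number:08x})"
    return None

def build_request(service_type: int) -> bytes:
    """Constructed Access-Request (code 1); identifier 1 and the zeroed
    authenticator are placeholders, the AVPs mirror the trace."""
    attrs = (struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
             + struct.pack("!BBI", NAS_PORT, 6, 0)
             + struct.pack("!BB", NAS_IP_ADDRESS, 6) + socket.inet_aton("10.1.1.10"))
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs
```

The value 134217728 from the trace is 0x08000000, so the four value octets on the wire are 08 00 00 00.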
