Upon receiving a request, Radius applies a number of checks to it to
determine whether the request comes from an authorized source. If these
checks succeed, the request is processed and answered. Otherwise, the
request is dropped and a corresponding error message is issued (see section Logging).
The following checks are performed:
- Check if the username is supplied
  If the packet lacks the User-Name attribute, it is not processed.
- Check if the NAS is allowed to speak
  The source IP address of the machine that sent the packet is looked
  up in the `clients' file (see section Clients List -- `raddb/clients'). If no match is found,
  the request is rejected.
- Compute the encryption key
  Using the data from the packet and the shared key value from the `clients'
  file, Radius computes the MD5 encryption key that will be used to decrypt
  the value of the Password attribute.
- Process user-name hints.
  User-name hints are special rules that modify the request
  depending on the user name and the user's credentials. These rules make it
  possible to divide users into distinct groups, each group having its own
  authentication and/or accounting methods. The user-name hints are stored in
  `raddb/hints' (see section Request Processing Hints -- `raddb/hints').
- Process huntgroup rules.
  Huntgroup rules make it possible to segregate incoming requests depending
  on the NAS and/or port number they came from. These rules are stored in
  `raddb/huntgroups' (see section Huntgroups -- `raddb/huntgroups').
- Determine whether the request must be proxied to another radius server
  Requests pertaining to another realm are immediately forwarded
  to the remote radius server for further processing. See section Proxying
  for the description of this process.
- Process individual user profiles.
  This step applies only to authentication requests.
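
The first three checks above (User-Name present, sender listed in `clients', MD5 key computed to decode Password) are sketched below as an added example; it is not GNU Radius source code. It assumes the packet layout and User-Password hiding scheme of RFC 2865; the function names, the `CLIENTS` table, the address and the shared key are all constructed for illustration.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2  # attribute type codes from RFC 2865
CLIENTS = {"192.0.2.10": b"example-shared-key"}  # constructed stand-in for raddb/clients

def hide(secret, authenticator, data, decode):
    """XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decode else out[i:i + 16]
    return out

def parse(packet):
    """Return (request authenticator, {attribute type: value})."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return packet[4:20], attrs

def check_request(src_ip, packet):
    """Run the first three checks; return (user, password) or a reason string."""
    authenticator, attrs = parse(packet)
    if USER_NAME not in attrs:
        return "dropped: no User-Name"
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return "rejected: unknown client"
    hidden = attrs.get(USER_PASSWORD, b"")
    if len(hidden) % 16:
        return "dropped: malformed Password"
    clear = hide(secret, authenticator, hidden, decode=True).rstrip(b"\0")
    return attrs[USER_NAME].decode("utf-8", "replace"), clear

def sample_request(user, password, secret, ra=bytes(range(16))):
    """Constructed Access-Request with the password hidden as a NAS would."""
    hidden = hide(secret, ra, password + b"\0" * (-len(password) % 16), False)
    pairs = ((USER_NAME, user), (USER_PASSWORD, hidden))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + ra + body
```

A request hidden with a key other than the one stored for its source address still decodes, but to bytes that do not match the user's password, so it fails later at the user-profile step rather than here.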