2.4 Processing Requests

Upon receiving a request, radiusd applies to it a number of checks to determine whether the request comes from an authorized source. If these checks succeed, the request is processed and answered. Otherwise, the request is dropped and corresponding error message is issued (see section Logging).

The following checks are performed:

Check if the username is supplied.

If the packet lacks the User-Name attribute, it is not processed.

Check if the NAS is allowed to speak.

The source IP of the machine that sent the packet is looked up in the ‘clients’ file (see section Clients List — ‘raddb/clients’). If no match is found, the request is rejected.

Compute the encryption key.

Using the data from the packet and the shared key value from the ‘clients’ file, Radius computes the MD5 encryption key that will be used to decrypt the value of the User-Password attribute.

Process user-name hints.

User-name hints are special rules that modify the request depending on the user's name and her credentials. These rules allow an administrator to divide users into distinct groups, each group having its own authentication and/or accounting methods. The user-name hints are stored in ‘raddb/hints’ (see section Request Processing Hints — ‘raddb/hints’).

Process huntgroup rules.

Huntgroup rules allow an administrator to segregate incoming requests depending on the NAS and/or port number they came from. These rules are stored in ‘raddb/huntgroups’ (see section Huntgroups — ‘raddb/huntgroups’).

Determine whether the request must be proxied to another RADIUS server.

The requests pertaining to another realm are immediately forwarded to the remote RADIUS server for further processing. See section Proxying, for the description of this process.

Process individual user profiles

This step applies only to authentication requests.

This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.