Example of RADIUS Packet Transactions
A few examples taken from RFC 2865 are presented
to illustrate the flow of packets and the use of typical attributes.
These examples are not intended to be exhaustive; many others are
possible.
User Telnet to Specified Host
The NAS at 192.168.1.16 sends an Access-Request UDP packet to
the RADIUS Server for a user named nemo logging in on port 3 with
password "arctangent".
The User-Password is 16 octets of password padded at the end with
nulls, XORed with MD5(shared secret|Request Authenticator).
1 Code = Access-Request (1)
1 ID = 0
2 Length = 56
16 Request Authenticator
Attributes:
6 User-Name = "nemo"
18 User-Password
6 NAS-IP-Address = 192.168.1.16
6 NAS-Port = 3
The RADIUS server authenticates nemo, and sends an Access-Accept
UDP packet to the NAS telling it to telnet nemo to host
192.168.1.3.
The Response Authenticator is a 16-octet MD5 checksum of the
code (2), id (0), Length (38), the Request Authenticator from
above, the attributes in this reply, and the shared secret.
1 Code = Access-Accept (2)
1 ID = 0 (same as in Access-Request)
2 Length = 38
16 Response Authenticator
Attributes:
6 Service-Type (6) = Login (1)
6 Login-Service (15) = Telnet (0)
6 Login-IP-Host (14) = 192.168.1.3
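The following Python is an added example, not text or code from RFC 2865 or from the page's author. It builds the two packets of this exchange, hides the User-Password exactly as described above (padded to 16 octets, XORed with MD5(shared secret|Request Authenticator); the same hiding applies to the "challenge" and "99101462" User-Passwords in the later examples), computes the Response Authenticator of the Access-Accept, and shows the check a NAS must perform on every reply: recompute the Response Authenticator and discard the packet if it does not match. The shared secret and the Request Authenticator value are constructed placeholders; the RFC does not give them. The hiding routine handles passwords longer than 16 octets too (each further block is XORed with MD5(secret|previous ciphertext block)), which the page does not show.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

SHARED_SECRET = b"example-shared-secret"   # constructed placeholder, not from the RFC

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, LOGIN_IP_HOST, LOGIN_SERVICE = 6, 14, 15


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-octet header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 User-Password hiding: pad with NULs to a multiple of 16 (minimum 16),
    then XOR each 16-octet block with MD5(secret | previous block), where the
    'previous block' of the first block is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as the server recovers the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Assemble Code, ID, Length, Authenticator and attributes; Length is the whole packet."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """MD5(Code | ID | Length | Request Authenticator | Attributes | Shared Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def build_access_request(secret, request_authenticator):
    """The NAS's Access-Request for nemo on port 3 (Length 56 on the page)."""
    attrs = [
        attr(USER_NAME, b"nemo"),
        attr(USER_PASSWORD, hide_password(b"arctangent", secret, request_authenticator)),
        attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.16").packed),
        attr(NAS_PORT, struct.pack("!I", 3)),
    ]
    return packet(ACCESS_REQUEST, 0, request_authenticator, attrs)


def build_access_accept(secret, request_authenticator):
    """The server's Access-Accept telling the NAS to telnet nemo to 192.168.1.3 (Length 38)."""
    attrs = [
        attr(SERVICE_TYPE, struct.pack("!I", 1)),    # Login (1)
        attr(LOGIN_SERVICE, struct.pack("!I", 0)),   # Telnet (0)
        attr(LOGIN_IP_HOST, ipaddress.IPv4Address("192.168.1.3").packed),
    ]
    auth = response_authenticator(ACCESS_ACCEPT, 0, request_authenticator, attrs, secret)
    return packet(ACCESS_ACCEPT, 0, auth, attrs)


def verify_reply(reply, request_authenticator, secret):
    """NAS-side check: recompute the Response Authenticator over the received reply
    with the Request Authenticator of the outstanding request; a mismatch means the
    reply must be silently discarded."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    ra = os.urandom(16)                      # the NAS's random Request Authenticator
    req = build_access_request(SHARED_SECRET, ra)
    rep = build_access_accept(SHARED_SECRET, ra)
    print(len(req), len(rep), verify_reply(rep, ra, SHARED_SECRET))
```

Because the Response Authenticator covers the Request Authenticator, the NAS must keep the Request Authenticator of each outstanding request until the reply arrives; a reply computed against any other Request Authenticator, or with a different shared secret, fails the check.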
Framed User Authenticating with CHAP
The NAS at 192.168.1.16 sends an Access-Request UDP packet to
the RADIUS Server for a user named flopsy logging in on port 20
with PPP, authenticating using CHAP. The NAS sends along the
Service-Type and Framed-Protocol attributes as a hint to the RADIUS
server that this user is looking for PPP, although the NAS is not
required to do so.
The Request Authenticator is a 16 octet random number generated
by the NAS, and is also used as the CHAP Challenge.
The CHAP-Password consists of a 1 octet CHAP ID, in this case
22, followed by the 16 octet CHAP response.
1 Code = 1 (Access-Request)
1 ID = 1
2 Length = 71
16 Request Authenticator
Attributes:
8 User-Name (1) = "flopsy"
19 CHAP-Password (3)
6 NAS-IP-Address (4) = 192.168.1.16
6 NAS-Port (5) = 20
6 Service-Type (6) = Framed (2)
6 Framed-Protocol (7) = PPP (1)
The RADIUS server authenticates flopsy, and sends an
Access-Accept UDP packet to the NAS telling it to start PPP service
and assign an address for the user out of its dynamic address
pool.
The Response Authenticator is a 16-octet MD5 checksum of the
code (2), id (1), Length (56), the Request Authenticator from
above, the attributes in this reply, and the shared secret.
1 Code = Access-Accept (2)
1 ID = 1 (same as in Access-Request)
2 Length = 56
16 Response Authenticator
Attributes:
6 Service-Type (6) = Framed (2)
6 Framed-Protocol (7) = PPP (1)
6 Framed-IP-Address (8) = 255.255.255.254
6 Framed-Routing (10) = None (0)
6 Framed-Compression (13) = VJ TCP/IP Header Compression (1)
6 Framed-MTU (12) = 1500
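As an added example (not code from RFC 2865 or from the page), the Python below shows the two sides of the CHAP-Password attribute in this exchange: the NAS forms the 16-octet response as MD5(CHAP ID | user password | CHAP challenge), the form RFC 1994 defines and RFC 2865 section 5.3 relies on, using the Request Authenticator as the challenge; the server recovers the CHAP ID and response from the 19-octet attribute, recomputes the expected response from its stored cleartext password, and compares in constant time. The user password and the Request Authenticator value are constructed placeholders. The last function reproduces the page's Length of 71 from the attribute sizes.

```python
import hashlib
import hmac
import os
import struct

CHAP_PASSWORD = 3                            # attribute type CHAP-Password (3)
FLOPSY_PASSWORD = b"example-user-password"   # constructed placeholder, not from the RFC


def chap_response(chap_id, password, challenge):
    """CHAP response: MD5(CHAP ID | user password | CHAP challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_chap_password_attribute(chap_id, password, request_authenticator):
    """What the NAS sends as CHAP-Password: 1 octet CHAP ID followed by the 16-octet
    response. The Request Authenticator doubles as the CHAP challenge, so the
    19-octet attribute carries no separate CHAP-Challenge."""
    value = bytes([chap_id]) + chap_response(chap_id, password, request_authenticator)
    return struct.pack("!BB", CHAP_PASSWORD, 2 + len(value)) + value


def server_check_chap(chap_password_attr, request_authenticator, stored_password):
    """Server side: validate the attribute shape, then recompute the response with the
    stored cleartext password and the challenge (the Request Authenticator)."""
    if len(chap_password_attr) != 19:
        return False
    atype, alen = chap_password_attr[0], chap_password_attr[1]
    if atype != CHAP_PASSWORD or alen != 19:
        return False
    chap_id, response = chap_password_attr[2], chap_password_attr[3:19]
    expected = chap_response(chap_id, stored_password, request_authenticator)
    return hmac.compare_digest(expected, response)


def flopsy_access_request_length(chap_password_attr):
    """Length of the Access-Request on the page: 20-octet header plus six attributes."""
    user_name = 2 + len(b"flopsy")   # 8 octets
    four_byte_attrs = 4 * 6          # NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol
    return 20 + user_name + len(chap_password_attr) + four_byte_attrs


if __name__ == "__main__":
    ra = os.urandom(16)              # the NAS's random Request Authenticator / CHAP challenge
    a = nas_chap_password_attribute(22, FLOPSY_PASSWORD, ra)
    print(len(a), server_check_chap(a, ra, FLOPSY_PASSWORD), flopsy_access_request_length(a))
```

Because the server has to recompute MD5 over the user's password, CHAP authentication requires the server to hold the cleartext password, and a response is only valid for the challenge it was computed against, which is why a fresh, unpredictable Request Authenticator per request matters.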
User with Challenge-Response Card
The NAS at 192.168.1.16 sends an Access-Request UDP packet to
the RADIUS Server for a user named mopsy logging in on port 7. The
user enters the dummy password "challenge" in this example. The
challenge and response generated by the smart card for this example
are "32769430" and "99101462".
The Request Authenticator is a 16 octet random number generated
by the NAS.
The User-Password is 16 octets of password, in this case
"challenge", padded at the end with nulls, XORed with MD5(shared
secret|Request Authenticator).
1 Code = Access-Request (1)
1 ID = 2
2 Length = 57
16 Request Authenticator
Attributes:
7 User-Name (1) = "mopsy"
18 User-Password (2)
6 NAS-IP-Address (4) = 192.168.1.16
6 NAS-Port (5) = 7
The RADIUS server decides to challenge mopsy, sending back a
challenge string and looking for a response. The RADIUS server
therefore sends an Access-Challenge UDP packet to the NAS.
The Response Authenticator is a 16-octet MD5 checksum of the
code (11), id (2), length (78), the Request Authenticator from
above, the attributes in this reply, and the shared secret.
The Reply-Message is "Challenge 32769430. Enter response at
prompt."
The State is a magic cookie to be returned along with user's
response.
1 Code = Access-Challenge (11)
1 ID = 2 (same as in Access-Request)
2 Length = 78
16 Response Authenticator
Attributes:
48 Reply-Message (18)
10 State (24)
The user enters his response, and the NAS sends a new
Access-Request with that response, and includes the State
Attribute.
The Request Authenticator is a new 16 octet random number.
The User-Password is 16 octets of the user's response, in this
case "99101462", padded at the end with nulls, XORed with
MD5(shared secret|Request Authenticator).
The state is the magic cookie from the Access-Challenge packet,
unchanged.
1 Code = Access-Request (1)
1 ID = 3 (Note that this changes.)
2 Length = 67
16 Request Authenticator
Attributes:
7 User-Name = "mopsy"
18 User-Password
6 NAS-IP-Address (4) = 192.168.1.16
6 NAS-Port (5) = 7
10 State (24)
The Response was incorrect (for the sake of example), so the
RADIUS server tells the NAS to reject the login attempt.
The Response Authenticator is a 16-octet MD5 checksum of the
code (3), id (3), length (20), the Request Authenticator from above,
the attributes in this reply (in this case, none), and the shared
secret.
1 Code = Access-Reject (3)
1 ID = 3 (same as in Access-Request)
2 Length = 20
16 Response Authenticator
Attributes:
(none, although a Reply-Message could be sent)
© 2001-2007 XPerience Technologies. www.xperiencetech.com