A Network Access Server (NAS) operates as a
client of the server that supports the RADIUS
protocol. The server that supports the RADIUS
protocol is generally referred to as the RADIUS
server. The RADIUS client, that is, the NAS,
passes user information to designated RADIUS
servers, and then acts on the response that the
servers return. The request sent by the client
to the server in order to authenticate the user
is generally called an "authentication request."
The NAS also sends information to designated
RADIUS servers when the user logs on and logs
off. The requests
sent by the client to the server to record
logon/logoff and usage information are generally
called "accounting requests." The RADIUS Interim
Accounting Draft published by the Internet
Engineering Task Force (IETF) also allows the
NAS to send usage information on a periodic
basis while the session is in progress.
RADIUS servers receive connection requests from
remote users. For each user, the RADIUS server
authenticates the user, and returns
configuration information to the NAS so that it
can provide network service to the user. This
configuration information is composed of
"authorizations". The RADIUS server also
collects a variety of information sent by the
NAS that can be used for accounting and for
reporting on network activity.
A RADIUS server can act as a proxy client to
other RADIUS servers. In these cases, the RADIUS
server contacted by the NAS passes the
authentication request to another RADIUS server
that actually performs the authentication.
While the RADIUS server is processing the
authentication request, it can also perform
authorization checks, such as verifying the
user's telephone number or checking whether the
user already has a session in progress; the
latter check is made by contacting a state
server.
This section describes how to implement DLLs
to extend the Internet Authentication Service (IAS).
It describes the interaction between IAS and the
DLLs, and presents some design considerations
regarding the DLLs.
IAS provides two "plug-in" points, one for
authentication and the other for authorization.
Authentication refers to verifying the identity
of the user. Authorization refers to determining
what services the network should provide to the
user. The two plug-in points correspond to
Extension DLLs and Authorization DLLs.
(Authorization DLLs are supported only on
Windows 2000 and later systems.) Each plug-in
point can support multiple DLLs.
IAS provides both authentication and
authorization services. Extension DLLs are
called by IAS before its built-in authentication
and authorization, so they see the incoming
request but not yet its outcome. Authorization
DLLs are called after IAS authentication and
authorization have completed, so they see the
result and the attributes IAS intends to return.
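The following is an added example, not IAS code or anything from the original page, that ties the two halves of this section together: it builds the NAS-to-server exchange described above (an Access-Request with a hidden User-Password, the server's Access-Accept/Reject carrying the granted attributes, and an Accounting-Request Start) using the RFC 2865/2866 wire format, and models the two IAS plug-in points as plain callables invoked before and after the built-in authentication and authorization. The shared secret, the user table, the hook policies, and every function name are assumptions made for the example; the per-packet authenticator checks show why the RADIUS shared secret, not the transport, is what stops a forged reply or a replayed accounting record.

```python
"""Constructed example, not IAS or Microsoft code: a NAS <-> RADIUS server
exchange per RFC 2865/2866, with the two IAS-style plug-in points modelled
as plain callables. The user table, secret and hook policies are assumptions."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 2, 8, 31, 40
ACCT_START = b"\x00\x00\x00\x01"
ZERO16 = b"\x00" * 16

def encode_attrs(attrs):
    # Attribute TLV: Type(1) Length(1, counts the 2 header bytes) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):   # reject malformed TLVs
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build(code, ident, auth16, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth16 + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def xor_blocks(secret, seed, data, chain_on_input):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    # Hiding chains on its output, revealing chains on its input.
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if chain_on_input else result)
    return out

def hide_password(secret, req_auth, pw):
    return xor_blocks(secret, req_auth, pw + b"\x00" * (-len(pw) % 16), False)

def reveal_password(secret, req_auth, hidden):
    return xor_blocks(secret, req_auth, hidden, True).rstrip(b"\x00")

def authenticator(secret, code, ident, auth16, body):
    # Response Authenticator (RFC 2865 s3) and Accounting-Request Authenticator
    # (RFC 2866 s3, auth16 = 16 zero octets): MD5(Code+ID+Length+auth16+Attrs+Secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + auth16 + body + secret).digest()

# --- NAS (RADIUS client) side ---
def nas_access_request(secret, ident, user, pw, caller):
    req_auth = os.urandom(16)                        # must be unpredictable
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(secret, req_auth, pw)),
             (CALLING_STATION_ID, caller)]
    return build(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def nas_accounting_request(secret, ident, user, status):
    attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, status)]
    auth = authenticator(secret, ACCT_REQUEST, ident, ZERO16, encode_attrs(attrs))
    return build(ACCT_REQUEST, ident, auth, attrs)

def nas_check_response(secret, resp, req_auth):
    code, ident, resp_auth, attrs = parse(resp)
    if resp_auth != authenticator(secret, code, ident, req_auth, encode_attrs(attrs)):
        raise ValueError("response authenticator mismatch: forged reply or wrong secret")
    return code, attrs

# --- RADIUS server side ---
USERS = {b"alice": (b"hunter2", [(FRAMED_IP, bytes([10, 0, 0, 7]))])}   # assumed table

def extension_hook(attrs):
    """Extension-DLL point: runs before built-in auth, may only veto (assumed policy)."""
    return dict(attrs).get(CALLING_STATION_ID, b"").startswith(b"+1")

def authorization_hook(attrs, granted):
    """Authorization-DLL point: runs after built-in auth/authz and sees the
    granted attributes; here it strips static IPs (assumed policy)."""
    return [a for a in granted if a[0] != FRAMED_IP]

def server_handle(secret, pkt):
    code, ident, req_auth, attrs = parse(pkt)
    body = encode_attrs(attrs)
    if code == ACCT_REQUEST:
        if req_auth != authenticator(secret, code, ident, ZERO16, body):
            return None                              # RFC 2866: silently discard
        return build(ACCT_RESPONSE, ident, authenticator(secret, ACCT_RESPONSE, ident, req_auth, b""), [])
    a = dict(attrs)
    reply, granted = ACCESS_REJECT, []
    if extension_hook(attrs):
        entry = USERS.get(a.get(USER_NAME))
        if entry and reveal_password(secret, req_auth, a.get(USER_PASSWORD, b"")) == entry[0]:
            reply, granted = ACCESS_ACCEPT, authorization_hook(attrs, entry[1])
    return build(reply, ident, authenticator(secret, reply, ident, req_auth, encode_attrs(granted)), granted)

def demo(secret=b"s3cret"):
    req, ra = nas_access_request(secret, 7, b"alice", b"hunter2", b"+15551234567")
    code, granted = nas_check_response(secret, server_handle(secret, req), ra)
    acct = nas_accounting_request(secret, 8, b"alice", ACCT_START)
    acct_code, _ = nas_check_response(secret, server_handle(secret, acct), parse(acct)[2])
    return code, granted, acct_code
```

Run `demo()` to see an accepted login whose Framed-IP-Address was removed by the post-authorization hook, followed by an acknowledged accounting Start. Note what the design does and does not give you: the Response Authenticator lets the NAS reject an Access-Accept from anyone who lacks the secret, and the accounting authenticator lets the server drop forged usage records, but the User-Password hiding is only an MD5 keystream keyed by the secret and the Request Authenticator, so a weak or reused secret, or a predictable authenticator, exposes every password on the wire.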