Background Introduction
Bamboo Cloud IDaaS provides Radius Server capabilities, supporting various enterprise devices such as VPNs (SANGFOR, Huawei, Netentsec, etc.) and cloud desktops (Huawei) to authenticate through the Radius protocol after configuration.
This section introduces device mapping definitions and RADIUS attributes and other related information.
Device Mapping Definition
The device mapping definition of Bamboo Cloud IDaaS mainly returns the attributes required by the vendor device to the vendor under the vendor device's authentication success/failure/challenge code status.
Therefore, in the mapping definition selection, the device attribute names come from the vendor, and each device vendor has different attributes. This article mainly lists the currently supported vendor attributes for your configuration. The mapping definition mapping type is the same as in other parts of the product.
IDaaS can choose to return different attributes under different authentication statuses, determined by the Applicable Scenario. Access-Accept (success), Access-Reject (failure), and Access-Challenge (challenge code) mean that attributes can only be returned under the corresponding authentication packet scenario.
| Mapping Type | Description |
|---|---|
| User Attribute | You can select attributes available on the user attribute |
| Fixed Attribute Value | Fixed text |
| Dynamic Script | The script syntax can refer to Dynamic Script in Development Mapping Definition. Note that the script object for devices is only the User Object |
RADIUS Attributes
Protocols RFC2865, RFC2866, and RFC3576 define the following RADIUS standard attributes, which are basically supported by all mainstream device vendors. The RADIUS protocol has good scalability. The Vendor-Specific attribute (attribute number 26) defined in protocol (RFC2865) is used by device vendors to extend RADIUS to implement functions not defined by standard RADIUS.
RADIUS attributes do not always have return values in authentication packets; it depends on the attribute itself and the configuration in IDaaS. RADIUS authentication packet attributes have four states in total: Access-Request (request), Access-Accept (success), Access-Reject (failure), and Access-Challenge (challenge code).
The following introduces the vendor attributes supported by IDaaS.
| Attribute Name | Code | Attribute Description |
|---|---|---|
| User-Name | 1 | Username for authentication |
| User-Password | 2 | User password for authentication, valid only for PAP authentication |
| Challenge-Password | 3 | User password for authentication, valid only for CHAP authentication |
| NAS-IP-Address | 4 | Device IP address. If the RADIUS server group is bound to an interface address, the bound interface address is used. Otherwise, the interface address that sends the packet is used |
| NAS-Port | 5 | User access port, in the format "4-digit slot number + 2-digit card number + 5-digit port number + 21-digit VLAN" |
| Service-Type | 6 | User service type. Access user is 2, operation user is 6 |
| Framed-Protocol | 7 | Fixed at 1, indicating PPP type |
| Framed-IP-Address | 8 | IP address assigned to the user by the RADIUS server. 0xFFFFFFFE means the RADIUS server does not assign an address, and the device assigns an IP address to the user |
| Framed-Netmask | 9 | IP address mask assigned to the user by the RADIUS server |
| Filter-ID | 11 | Indicates the user group |
| Login-IP-Host | 14 | Host IP address of the Login connection |
| Login-Service | 15 | Login service type----Telnet, Rlogin, TCP Clear, PortMaster (proprietary), LAT |
| Reply-Message | 18 | Authentication success or rejection message |
| Callback-Number | 19 | Information passed by the authentication server that can be displayed to the user, such as mobile phone number, etc. |
| State | 24 | If the access challenge packet sent by the RADIUS server to the device contains this value, the device must include the same value in subsequent access request packets |
| Class | 25 | If the authentication accept packet sent by the RADIUS server to the device contains this value, the device must include the same value in subsequent accounting request packets; for standard RADIUS servers, the device can use the Class attribute to represent CAR parameters |
| Session-Timeout | 27 | Remaining time available to the user, in seconds; in EAP challenge packets, it serves as the user's re-authentication duration |
| Idle-Timeout | 28 | User idle disconnect time, in seconds |
| Termination-Action | 29 | Specified service termination method, re-authentication or forced user logout, etc. |
| Called-Station-Id | 30 | Allows NAS to send called number |
| Calling-Station-Id | 31 | Allows NAS to send calling number |
| NAS-Identifier | 32 | Device host name |
| Acct-Status-Type | 40 | Accounting packet type. 1 indicates start accounting packet, 2 indicates stop accounting packet, 3 indicates interim accounting packet |
| Acct-Delay-Time | 41 | Time spent generating the accounting packet, in seconds |
| Acct-Input-Octets | 42 | Uplink bytes, in Byte, kbyte, Mbyte, Gbyte. The specific unit can be configured through commands |
| Acct-Output-Octets | 43 | Downlink bytes, in Byte, kbyte, Mbyte, Gbyte. The specific unit can be configured through commands |
| Acct-Session-Id | 44 | Accounting connection number. For start, interim, and stop accounting packets of the same connection, the connection number must be the same |
| Acct-Authentic | 45 | User authentication mode. 1 indicates RADIUS authentication, 2 indicates local authentication |
| Acct-Session-Time | 46 | User online time, in seconds |
| Acct-Input-Packets | 47 | Uplink packet count |
| Acct-Output-Packets | 48 | Downlink packet count |
| Acct-Terminate-Cause | 49 | Reason for user connection interruption |
| Acct-Multi-Session-ID | 50 | Multi-session ID, used to identify related sessions in logs |
| Acct-Input-Gigawords | 52 | Indicates how many times the uplink bytes are of 4G(232)Byte, kbyte, Mbyte, Gbyte (the unit is determined by command configuration) |
| Acct-Output-Gigawords | 53 | Indicates how many times the downlink bytes are of 4G(232)Byte, kbyte, Mbyte, Gbyte (the unit is determined by command configuration) |
| Event-Timestamp | 55 | Time when the accounting packet is generated, in seconds, representing the absolute number of seconds since 00:00:00 on January 1, 1970 |
| CHAP-Challenge | 60 | CHAP authentication challenge word, used only for CHAP authentication |
| NAS-Port-Type | 61 | NAS port type, configurable in BAS interface view |
| Tunnel-Type | 64 | Tunnel protocol type, fixed at 3, indicating L2TP tunnel |
| Tunnel-Medium-Type | 65 | Tunnel medium type, fixed at 1, indicating IPv4 |
| Tunnel-Server-Endpoint | 67 | IP address of the tunnel server end |
| Tunnel-Password | 69 | Tunnel verification password. The first two bytes are SALT, and the following 16 bytes are the encrypted password |
| Tunnel-Private-Group-ID | 81 | Tunnel group name |
| Tunnel-Assignment-ID | 82 | Tunnel identifier name |
| Tunnel-Preference | 83 | Tunnel priority |
| Acct-Interim-Interval | 85 | Interim accounting interval, in seconds |
| NAS-Port-Id | 87 | User access port number, in the format "slot=XX;subslot=XX;port=XXX;VLANID=XXXX;" or "slot=XX;subslot=XX;port=XXX;VPI=XXX;VCI=XXXX" |
| Framed-Pool | 88 | Address pool name and address segment number, valid only when assigning IP addresses to PPP from the device's local address pool, in the format "address pool name#address segment number" |
| Tunnel-Client-Auth-ID | 90 | Local username passed in tunnel authentication |
| Tunnel_Server_Auth_id | 91 | Server-side username passed in tunnel authentication |