A RADIUS session tracks the life of a user session through a series
of message exchanges. RADIUS sessions are used to limit simultaneous access
to a resource for users sharing the same credential, and to manage
the allocation and release of IP addresses acquired on behalf of the
user by the AAA server. Figure 1-2 illustrates the details of the transaction
between a RADIUS AAA server and a client:

When the user's device connects to the client, the client
sends a RADIUS Access-Request to the AAA server. When the server
receives the request, it validates the sending client. If the client
is permitted to send requests to the server, the server will then
take information from the Access-Request and attempt to match the
request to a user profile. If all conditions are met, the server
sends an Access-Accept packet to the client; otherwise, the server
sends an Access-Reject packet. An Access-Accept data packet often
includes authorization information that specifies the services the
user can access and other session information, such as a timeout
value that indicates when the user must be disconnected from the
system.

When the client receives an Access-Accept packet, it generates
an Accounting-Request to start the session and sends the request
to the server. The Accounting-Request data packet describes the
type of service being delivered and the user of the service. The
server then responds with an Accounting-Response to acknowledge
that the request was successfully received and recorded. The user's
session ends when the client generates an Accounting-Request (triggered
by the user, by the client, or by an interruption in service) to stop
the session. The server then acknowledges the Accounting-Request
with an Accounting-Response.
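
The exchange above, modeled as server-side session state in an added example (not code from the original page): Access-Accept reserves an address and counts toward the per-user limit, Accounting Start binds it to a session, and Accounting Stop releases both. The class name, the sample client, user and address pool, and the plaintext password comparison are assumptions; no RADIUS packet encoding or shared-secret handling is implemented.

```python
import hmac
import ipaddress

class SessionTracker:  # hypothetical, simplified model of AAA-server session state
    def __init__(self, clients, profiles, pool):
        self.clients = set(clients)   # client addresses allowed to send requests
        self.profiles = profiles      # user -> password, max_sessions, timeout
        self.free_ips = [str(ip) for ip in ipaddress.ip_network(pool).hosts()]
        self.reserved = {}            # ip -> user, set by Access-Accept
        self.active = {}              # Acct-Session-Id -> (user, ip)

    def _in_use(self, user):
        held = list(self.reserved.values()) + [u for u, _ in self.active.values()]
        return held.count(user)

    def access_request(self, client, user, password):
        if client not in self.clients:
            return None               # unknown client: silently discarded (RFC 2865)
        prof = self.profiles.get(user)
        if prof is None or not hmac.compare_digest(
                prof["password"].encode(), password.encode()):
            return {"code": "Access-Reject"}
        if self._in_use(user) >= prof["max_sessions"] or not self.free_ips:
            return {"code": "Access-Reject"}   # simultaneous-use limit or pool empty
        ip = self.free_ips.pop(0)
        self.reserved[ip] = user
        return {"code": "Access-Accept", "Framed-IP-Address": ip,
                "Session-Timeout": prof["timeout"]}

    def accounting_request(self, client, status, session_id, ip=None):
        if client not in self.clients:
            return None
        if status == "Start" and ip in self.reserved:
            self.active[session_id] = (self.reserved.pop(ip), ip)
        elif status == "Stop" and session_id in self.active:
            _, held_ip = self.active.pop(session_id)
            self.free_ips.append(held_ip)   # a retransmitted Stop frees nothing twice
        return {"code": "Accounting-Response"}

def demo():
    # Constructed sample data: one client, one user limited to a single session.
    t = SessionTracker({"10.0.0.1"}, {"alice": {"password": "pw",
                       "max_sessions": 1, "timeout": 3600}}, "192.0.2.0/30")
    first = t.access_request("10.0.0.1", "alice", "pw")
    t.accounting_request("10.0.0.1", "Start", "s1", first["Framed-IP-Address"])
    second = t.access_request("10.0.0.1", "alice", "pw")   # limit reached
    t.accounting_request("10.0.0.1", "Stop", "s1")
    third = t.access_request("10.0.0.1", "alice", "pw")    # slot and IP released
    return [first["code"], second["code"], third["code"]]
```

A reservation whose Accounting Start never arrives stays held in this model, so a server built this way also needs an expiry for unconfirmed reservations.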