Background Introduction
# Overview
BambooCloud IDaaS provides RADIUS server capabilities, so enterprise devices such as VPNs (Sangfor, Huawei, Wangyu, etc.) and cloud desktops (Huawei) can authenticate against it once they are configured to use the RADIUS protocol.
This section introduces device mapping definitions and related information about RADIUS attributes.
# Device Mapping Definition
The primary purpose of a device mapping definition in BambooCloud IDaaS is to return the attributes the vendor's device requires when an authentication from that device succeeds, fails, or results in a challenge code.

Therefore, when selecting mapping definitions, the device attribute names come from the vendor, and the attributes differ for each device vendor. This document mainly lists the vendor attributes currently supported for configuration. The mapping types for mapping definitions are the same as those in other parts of the product.
IDaaS can return different attributes in different authentication states. This is determined by the 【Applicable Scenario】: Access-Accept (success), Access-Reject (failure), or Access-Challenge (challenge code). An attribute is returned only in the authentication message of its corresponding scenario.
| Mapping Type | Description |
|---|---|
| User Attribute | Select an attribute that exists on the user |
| Fixed Attribute Value | Fixed text |
| Dynamic Script | For script syntax, refer to Dynamic Script in Development Mapping Definition. Note that the script objects available for devices include only the User object |
# RADIUS Attributes
RFC 2865, RFC 2866, and RFC 3576 define the following RADIUS standard attributes, which are supported by essentially all mainstream device vendors. The RADIUS protocol is designed to be extensible: attribute 26 (Vendor-Specific), defined in RFC 2865, lets device vendors extend RADIUS with functions that standard RADIUS does not define.
Attributes in RADIUS authentication messages are not returned in all situations; it depends on the attribute itself and its configuration in IDaaS. There are four states for attributes in RADIUS authentication messages: Access-Request (request), Access-Accept (success), Access-Reject (failure), Access-Challenge (challenge code).
The following introduces the vendor attributes supported by IDaaS.
| Attribute Name | Code | Attribute Description |
|---|---|---|
| User-Name | 1 | Username for authentication |
| User-Password | 2 | User password for authentication, only valid for PAP authentication |
| Challenge-Password | 3 | User password for authentication, only valid for CHAP authentication |
| NAS-IP-Address | 4 | Device IP address. If the RADIUS server group is bound to an interface address, the bound interface address is used; otherwise, the interface address from which the message is sent is used. |
| NAS-Port | 5 | User access port, format is "4-bit slot number + 2-bit card number + 5-bit port number + 21-bit VLAN" |
| Service-Type | 6 | User service type, 2 for access users, 6 for operation users |
| Framed-Protocol | 7 | Fixed as 1, indicating PPP type |
| Framed-IP-Address | 8 | IP address assigned by the RADIUS server to the user. 0xFFFFFFFE indicates the RADIUS server does not assign an address, and the device assigns the IP address to the user. |
| Framed-Netmask | 9 | IP address subnet mask assigned by the RADIUS server to the user. |
| Filter-ID | 11 | Represents user group |
| Login-IP-Host | 14 | Host IP address of the Login connection user. |
| Login-Service | 15 | Login service type: Telnet, Rlogin, TCP Clear, PortMaster (proprietary), LAT |
| Reply-Message | 18 | Authentication success or rejection message. |
| Callback-Number | 19 | Information passed from the authentication server that can be displayed to the user, such as mobile phone number, etc. |
| State | 24 | If the value is included in the access challenge message sent by the RADIUS server to the device, the device must include the same value in subsequent access request messages. |
| Class | 25 | If the value is included in the authentication accept message sent by the RADIUS server to the device, the device must include the same value in subsequent accounting request messages; for standard RADIUS servers, the device can use the Class attribute to represent CAR parameters. |
| Session-Timeout | 27 | Remaining time available to the user, in seconds; in EAP challenge messages, used as the user's re-authentication duration. |
| Idle-Timeout | 28 | User idle timeout time, in seconds. |
| Termination-Action | 29 | Specified service termination method, such as re-authentication or forced user logout, etc. |
| Called-Station-Id | 30 | Allows NAS to send the called number. |
| Calling-Station-Id | 31 | Allows NAS to send the calling number. |
| NAS-Identifier | 32 | Device hostname. |
| Acct-Status-Type | 40 | Accounting message type: 1 for start accounting message, 2 for stop accounting message, 3 for interim accounting message. |
| Acct-Delay-Time | 41 | Time taken to generate the accounting message, in seconds. |
| Acct-Input-Octets | 42 | Uplink byte count, unit is Byte, kbyte, Mbyte, Gbyte. The specific unit used can be configured via command. |
| Acct-Output-Octets | 43 | Downlink byte count, unit is Byte, kbyte, Mbyte, Gbyte. The specific unit used can be configured via command. |
| Acct-Session-Id | 44 | Accounting session ID. For the start, interim, and stop accounting messages of the same session, the session ID must be the same. |
| Acct-Authentic | 45 | User authentication mode: 1 for RADIUS authentication, 2 for local authentication. |
| Acct-Session-Time | 46 | User online time, in seconds. |
| Acct-Input-Packets | 47 | Uplink packet count. |
| Acct-Output-Packets | 48 | Downlink packet count. |
| Acct-Terminate-Cause | 49 | Reason for user connection interruption. |
| Acct-Multi-Session-ID | 50 | Multi-session ID, used to identify related sessions in logs. |
| Acct-Input-Gigawords | 52 | Number of whole multiples of 4G (2^32) Byte, kbyte, Mbyte, or Gbyte in the uplink byte count (the unit depends on command configuration). |
| Acct-Output-Gigawords | 53 | Number of whole multiples of 4G (2^32) Byte, kbyte, Mbyte, or Gbyte in the downlink byte count (the unit depends on command configuration). |
| Event-Timestamp | 55 | Time when the accounting message was generated, in seconds, representing the absolute number of seconds since 00:00:00 on January 1, 1970. |
| CHAP-Challenge | 60 | CHAP authentication challenge string, only used for CHAP authentication. |
| NAS-Port-Type | 61 | NAS port type, can be configured under the BAS interface view. |
| Tunnel-Type | 64 | Tunnel protocol type, fixed as 3, indicating L2TP tunnel. |
| Tunnel-Medium-Type | 65 | Tunnel medium type, fixed as 1, indicating IPv4. |
| Tunnel-Server-Endpoint | 67 | Tunnel server endpoint IP address. |
| Tunnel-Password | 69 | Tunnel authentication password. The first two bytes are SALT, and the last 16 bytes are the encrypted password. |
| Tunnel-Private-Group-ID | 81 | Tunnel group name. |
| Tunnel-Assignment-ID | 82 | Tunnel assignment ID. |
| Tunnel-Preference | 83 | Tunnel priority. |
| Acct-Interim-Interval | 85 | Interim accounting interval, in seconds. |
| NAS-Port-Id | 87 | User access port number, format is "slot=XX;subslot=XX;port=XXX;VLANID=XXXX;" or "slot=XX;subslot=XX;port=XXX;VPI=XXX;VCI=XXXX" |
| Framed-Pool | 88 | Address pool name and address segment number, only valid for assigning IP addresses from the device's local address pool for PPP, format is "address_pool_name#address_segment_number". |
| Tunnel-Client-Auth-ID | 90 | Local username passed in tunnel authentication. |
| Tunnel-Server-Auth-ID | 91 | Server-side username passed in tunnel authentication. |
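
As an added example (not BambooCloud code), the parser below walks the type/length/value attributes of a RADIUS packet as RFC 2865 lays them out, rejects inconsistent lengths, and splits NAS-Port using the bit layout from the table. It assumes the 4/2/5/21-bit fields are listed from the most significant bit; the user name, addresses and vendor id 99999 are constructed sample values.

```python
import socket
import struct
# Names and codes copied from the attribute table above (subset).
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         18: "Reply-Message", 26: "Vendor-Specific", 27: "Session-Timeout"}

def decode_nas_port(value):
    """Split NAS-Port per the table's 4/2/5/21-bit layout (assumed MSB first)."""
    return {"slot": value >> 28, "card": (value >> 26) & 0x3,
            "port": (value >> 21) & 0x1F, "vlan": value & 0x1FFFFF}

def parse_attributes(packet):
    """Return [(name, value)] for one RADIUS packet; raise on bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with received bytes")
    out, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype}: invalid length {alen}")
        raw = packet[pos + 2:pos + alen]
        if atype in (5, 27) and len(raw) == 4:      # 32-bit integers
            value = struct.unpack("!I", raw)[0]
        elif atype == 4 and len(raw) == 4:          # IPv4 address
            value = socket.inet_ntoa(raw)
        elif atype == 26 and len(raw) >= 4:         # vendor id + vendor data
            value = (struct.unpack("!I", raw[:4])[0], raw[4:])
        elif atype in (1, 18):                      # text
            value = raw.decode("utf-8", "replace")
        else:
            value = raw                             # opaque bytes
        out.append((NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return out

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_sample():
    """Constructed Access-Request (code 1); authenticator zeroed, not valid."""
    nas_port = (3 << 28) | (1 << 26) | (7 << 21) | 100
    body = (attr(1, b"alice") + attr(4, socket.inet_aton("192.0.2.10"))
            + attr(5, struct.pack("!I", nas_port))
            + attr(26, struct.pack("!I", 99999) + b"\x01\x06demo"))  # placeholder vendor
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + bytes(16) + body
```

The length checks matter on the server side: an attribute length below 2 or one that runs past the packet's length field must be treated as a malformed packet, not parsed on a best-effort basis.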