4.4 Access-Challenge

Description

  If the RADIUS server desires to send the user a challenge
requiring a response, then the RADIUS server MUST respond to the
Access-Request by transmitting a packet with the Code field set to
11 (Access-Challenge).

The Attributes field MAY have one or more Reply-Message
Attributes, and MAY have a single State Attribute, or none.
Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State
attributes MAY also be included. No other Attributes defined in
this document are permitted in an Access-Challenge.

On receipt of an Access-Challenge, the Identifier field is matched
with a pending Access-Request. Additionally, the Response
Authenticator field MUST contain the correct response for the
pending Access-Request. Invalid packets are silently discarded.

If the NAS does not support challenge/response, it MUST treat an
Access-Challenge as though it had received an Access-Reject
instead.

If the NAS supports challenge/response, receipt of a valid
Access-Challenge indicates that a new Access-Request SHOULD be
sent. The NAS MAY display the text message, if any, to the user,
and then prompt the user for a response. It then sends its
original Access-Request with a new request ID and Request
Authenticator, with the User-Password Attribute replaced by the
user's response (encrypted), and including the State Attribute
from the Access-Challenge, if any. Only 0 or 1 instances of the
State Attribute can be present in an Access-Request.

A NAS which supports PAP MAY forward the Reply-Message to the
dialing client and accept a PAP response which it can use as
though the user had entered the response. If the NAS cannot do
so, it MUST treat the Access-Challenge as though it had received
an Access-Reject instead.

A summary of the Access-Challenge packet format is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |         Response Authenticator                                |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

Code

  11 for Access-Challenge.

Identifier

  The Identifier field is a copy of the Identifier field of the
Access-Request which caused this Access-Challenge.

Response Authenticator

  The Response Authenticator value is calculated from the
Access-Request value, as described earlier.

Attributes

  The Attributes field is variable in length, and contains a list of
zero or more Attributes.
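As an added example, not part of RFC 2865 or any RADIUS implementation, the NAS-side handling described above in Python: checking a received Access-Challenge against its pending Access-Request (Identifier, Length, Response Authenticator), enforcing this section's attribute rules, and building the follow-up Access-Request with a new Identifier and Request Authenticator, the user's response as a hidden User-Password, and the State attribute copied in. The shared secret, identifiers and attribute values are constructed for illustration; the Response Authenticator formula and the User-Password hiding come from sections 3 and 5.2 of the RFC.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_PASSWORD, REPLY_MESSAGE, STATE = 2, 18, 24
# Reply-Message, State, Vendor-Specific, Session-Timeout, Idle-Timeout, Proxy-State
CHALLENGE_ALLOWED = {18, 24, 26, 27, 28, 33}

def parse_attrs(data):
    """Split an Attributes field into (type, value) pairs; None if any TLV is malformed."""
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            return None
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def response_authenticator(header, request_auth, body, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    return hashlib.md5(header + request_auth + body + secret).digest()

def validate_challenge(pkt, pending_id, request_auth, secret):
    """NAS side: (state, reply_messages) for a valid Access-Challenge, else None (silent discard)."""
    if not 20 <= len(pkt) <= 4096 or pkt[:4] != struct.pack("!BBH", ACCESS_CHALLENGE, pending_id, len(pkt)):
        return None  # wrong Code, Identifier not matching the pending request, or bad Length
    if not hmac.compare_digest(response_authenticator(pkt[:4], request_auth, pkt[20:], secret), pkt[4:20]):
        return None  # Response Authenticator is not the correct response for the pending request
    attrs = parse_attrs(pkt[20:])
    if attrs is None or sum(t == STATE for t, _ in attrs) > 1 or any(t not in CHALLENGE_ALLOWED for t, _ in attrs):
        return None  # malformed TLV, more than one State, or an attribute this section does not permit
    return next((v for t, v in attrs if t == STATE), None), [v for t, v in attrs if t == REPLY_MESSAGE]

def hide_password(password, secret, request_auth):
    """User-Password hiding, RFC 2865 section 5.2: block_i = plain_i XOR MD5(secret + block_i-1)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")  # null-pad to 16n
    hidden, prev = b"", request_auth  # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += prev
    return hidden

def build_followup(orig_attrs, response, state, secret, new_ident, new_auth):
    """Resend the Access-Request with a new ID and Request Authenticator, User-Password
    replaced by the user's hidden response, and the challenge's State (if any) copied in."""
    attrs = [(t, v) for t, v in orig_attrs if t not in (USER_PASSWORD, STATE)]
    attrs += [(USER_PASSWORD, hide_password(response, secret, new_auth))] + ([(STATE, state)] if state is not None else [])
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)  # TLV encode
    return struct.pack("!BBH", ACCESS_REQUEST, new_ident, 20 + len(body)) + new_auth + body
```

A NAS that does not support challenge/response would skip the follow-up and treat a valid challenge as an Access-Reject, as the text above requires.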