The following customized finite state machine tables are available in /opt/aaa/examples/config/:

xas.fsm - Supports authentication, but not accounting.
las.fsm - Supports LAS policy and logs accounting stop messages in Merit-style session logs.
default.fsm - Supports all that las.fsm does, plus LDAP policy and check/deny/reply items.
2-stage_wireless.fsm - Template file that enables EAP authentication for user profiles stored on an LDAP or Oracle server.
logall.fsm - The default .fsm; supports all that check+policy+las.fsm does and logs all accounting messages.
proxyacct.fsm - Template file that allows all accounting messages to be logged at a remote proxy server.
DNIS.fsm - Template file that adds an example of DNIS routing to check+policy+las-logstop.fsm.
DAC.fsm - Template file that adds an example of dynamic access control (DAC) to check+policy+las-logstop.fsm.
To use any of the above predefined state tables with AAA Server, copy the required .fsm file to /etc/opt/aaa/radius.fsm and start AAA Server. The default state table installed as radius.fsm is logall.fsm.
Figure 14-1 “Default FSM State Transitions” illustrates the state transitions that a request, whether received directly from a NAS or from a proxy, causes in a finite state machine that uses the default state table. Events appear on the left of the arrows and actions on the right.
The Start state in this state table is the starting point for several different events. The starting event is determined by the value of the Interlink-Proxy-Action attribute, which can be one of the following event names: AUTHEN, AUTH_ONLY, AUTHENTICATE, ACCT, or MGT_POLL. The AAA server assigns this value according to the type of request received (Access-Accept or Accounting-Request) and where the request is received from (a NAS or a forwarding proxy server).
Because a starting event has no last action, the Interlink-Proxy-Action attribute value, prefixed with a +, replaces the Last-action placeholder and so determines the first action to call. For example, the *.+AUTHEN.ACK event is an Access-Request from a NAS, the *.+AUTHENTICATE.ACK event is an Access-Request from a proxy server, and *.ACCT.ACK is an Accounting-Request.
If the Interlink-Proxy-Action attribute value for the request is AUTHEN or AUTHENTICATE, the FSM calls the AUTHENTICATE action and then transitions to the Authen state with the returned event name of ACK, ACC_CHALL, or NAK. If the value is ACCT, the FSM calls the LAS_ACCT action and transitions to the ACCTwait state with the returned event name of ACK or ACCT_DUP.
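The Start-state dispatch just described (starting event formed from Interlink-Proxy-Action, the + standing in for the Last-action placeholder, AUTHENTICATE leading to Authen and LAS_ACCT leading to ACCTwait) can be traced with a small model. The following Python is an added example written for this page; it is not AAA Server code and does not reproduce the syntax of the radius.fsm files. It keeps the event, action and state names from the text; the transition table, the user table, the request dictionaries and the bodies of the two stand-in actions are all constructed assumptions.

```python
"""Toy model of the Start-state dispatch described in the text.

Constructed illustration, not the AAA Server's code and not the syntax of its
radius.fsm files. Event names follow the page's '<state>.<last-action>.<result>'
shape (e.g. '*.+AUTHEN.ACK'); everything else here is an assumption.
"""
from dataclasses import dataclass, field

# Constructed transition table: (state, event) -> (action to call, next state).
# Only the Start-state rows the page describes are modelled.
TRANSITIONS = {
    ("Start", "*.+AUTHEN.ACK"):       ("AUTHENTICATE", "Authen"),   # Access-Request from a NAS
    ("Start", "*.+AUTHENTICATE.ACK"): ("AUTHENTICATE", "Authen"),   # Access-Request from a proxy
    ("Start", "*.ACCT.ACK"):          ("LAS_ACCT", "ACCTwait"),     # Accounting-Request
}


def starting_event(proxy_action):
    """Build the Start-state event from the Interlink-Proxy-Action value.

    The '+' prefix stands in for the Last-action placeholder. The page writes
    the accounting event without the '+', so both spellings are tried (the
    order is an assumption). Returns None when the table has no such event.
    """
    for candidate in (f"*.+{proxy_action}.ACK", f"*.{proxy_action}.ACK"):
        if ("Start", candidate) in TRANSITIONS:
            return candidate
    return None


@dataclass
class StartState:
    users: dict                                    # constructed: name -> {"password": str, "challenge": bool}
    seen_sessions: set = field(default_factory=set)

    def authenticate(self, request):
        """Stand-in AUTHENTICATE action: returns ACK, ACC_CHALL or NAK."""
        profile = self.users.get(request.get("User-Name"))
        if profile is None:
            return "NAK"
        # A challenge-based user gets ACC_CHALL until the client answers with a State attribute.
        if profile.get("challenge") and "State" not in request:
            return "ACC_CHALL"
        return "ACK" if request.get("User-Password") == profile["password"] else "NAK"

    def las_acct(self, request):
        """Stand-in LAS_ACCT action: ACK for a new session, ACCT_DUP for a repeat."""
        session_id = request.get("Acct-Session-Id")
        if session_id in self.seen_sessions:
            return "ACCT_DUP"
        self.seen_sessions.add(session_id)
        return "ACK"

    def dispatch(self, request):
        """Run one request through the Start state.

        Returns (event, action, returned_event, next_state). A request whose
        Interlink-Proxy-Action maps to no table row stays in Start with no
        action run; treating that as a drop is an assumption of this model.
        """
        event = starting_event(request.get("Interlink-Proxy-Action", ""))
        if event is None:
            return (None, None, None, "Start")
        action, next_state = TRANSITIONS[("Start", event)]
        handler = {"AUTHENTICATE": self.authenticate, "LAS_ACCT": self.las_acct}[action]
        return (event, action, handler(request), next_state)


# Constructed sample data for the demonstration.
SAMPLE_USERS = {
    "alice": {"password": "s3cret", "challenge": False},
    "bob":   {"password": "otp",    "challenge": True},
}


def demo():
    """Feed a constructed sequence of requests through the Start state."""
    fsm = StartState(users=SAMPLE_USERS)
    requests = [
        {"Interlink-Proxy-Action": "AUTHEN", "User-Name": "alice", "User-Password": "s3cret"},
        {"Interlink-Proxy-Action": "AUTHENTICATE", "User-Name": "alice", "User-Password": "wrong"},
        {"Interlink-Proxy-Action": "AUTHEN", "User-Name": "bob"},
        {"Interlink-Proxy-Action": "ACCT", "Acct-Session-Id": "0001"},
        {"Interlink-Proxy-Action": "ACCT", "Acct-Session-Id": "0001"},   # same session again
        {"Interlink-Proxy-Action": "MGT_POLL"},                           # no row in the constructed table
    ]
    return [fsm.dispatch(r) for r in requests]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the block prints one tuple per request: the two authentications of alice end in Authen with ACK and NAK, bob's request is answered with ACC_CHALL, the first accounting message reaches ACCTwait with ACK and its repeat with ACCT_DUP, and the MGT_POLL request finds no row in the constructed table and is left in Start.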
After an Access-Request is authenticated, the POLICY AATV by default evaluates any policy for users that belong to a realm configured for the ProLDAP authentication type. Session control based on policy can be accomplished through the POLICY AATV and defined decision groups. These policy-based decisions, however, require modifications to the state table and configuration of the policy.
After policy has been evaluated, the LAS AATV is called to perform session control operations. Session control through the LAS can be based on either individual users or realms. To control sessions based on realm, you may need to add one or more realm entries to the authfile and add service and realm entries to the las.conf configuration file.