radius.fsm man page on BSDOS




RADIUS.FSM(5)					    RADIUS.FSM(5)

NAME
       radius.fsm - Merit AAA server finite state machine
       configuration file

SYNOPSIS
       ../raddb/radius.fsm

DESCRIPTION
       The radius.fsm file resides in the ../raddb directory.  It
       contains an entry for each state in the Merit AAA server
       finite state machine (FSM) table.  This file is optional
       and is used to modify the built-in (default) sequence of
       actions performed by the Merit AAA server.  Comments are
       indicated by leading pound sign ('#') characters.  All
       such comment lines are ignored (as are blank lines).

       Each state consists of one or more entries described
       below.  Each state starts with a line containing just the
       name of the state followed by a colon (':') character.
       Subsequent lines have three required, and two optional,
       white-space delimited fields.  There is one line of the
       following form for each expected event this state should
       handle:

              <event>  <action>  <next-state>  [<name=value>]  [<name=string>]

       For example:

              Start:
                   *.*.AUTHEN                AUTHENTICATE   Await
              Await:
                   Start.AUTHENTICATE.ACK    REPLY          Hold
              Hold:
                   *.*.TIMEOUT               NULL           End

       The <event> field describes an event which has occurred
       and upon which the current state may be able to act.  The
       event field consists of three sub-fields separated by the
       period ('.') character.  The first sub-field is the name
       of the state from which the event was generated.  This
       field may contain the "*" character to indicate a wild
       card state which matches any state.  The second sub-field
       is the name of the action which generated the event.  This
       field may contain the "*" character to indicate a wild
       card action which matches any action.  This action is the
       name of an Authentication/Authorization Transfer Vector
       (AATV, see below).  The third sub-field is the name of an
       event from the list found in the include file, radius.h,
       for the Merit AAA server.  The current list of these
       events is:

              ACK        acknowledgment of the previous action
              NAK        negative acknowledgment of the previous action
              WAIT       the previous action generated a pending event
              ERROR      the previous action generated an error
              FATAL      the previous action generated a fatal error
              DUP        the incoming request is a duplicate
              TIMER      the timer value has expired
              TIMEOUT    the request has timed out due to inactivity
              AUTHEN     the incoming request is an Access-Request
              ACCT       the incoming request is an Accounting-Request
              PASSWD     the incoming request is a Passwd-Request
              REACCESS   the incoming request is an Access-Request with State
              ACC_CHAL   the incoming request is an Access-Challenge
              MGT_POLL   the incoming request is a Status-Server
              AUTH_ONLY  the incoming request is for Authentication-Only
              RC1        general purpose return code of one
              RC2        general purpose return code of two
              RC3        general purpose return code of three
              RC4        general purpose return code of four
              RC5        general purpose return code of five
              RC6        general purpose return code of six
              RC7        general purpose return code of seven
              RC8        general purpose return code of eight
              RC9        general purpose return code of nine
              RC10       general purpose return code of ten
              RC11       general purpose return code of eleven
              RC12       general purpose return code of twelve

       The <action> field is the name of an AATV action function
       to invoke when the associated <event> occurs.  The current
       list of these AATVs is:

              ACCT          the AATV for Accounting requests
              ACK           utility AATV used to always signify success
              AKERB         the AATV for AFS Kerberos Authentication
              AUTHENTICATE  the AATV for Authentication requests
              CLEANUP       utility AATV used to exit the FSM
              FILE          the AATV for FILE Authentication.  The FILE
                            type is available only with the enhanced
                            Merit AAA server.
              KCHAP         the AATV for KCHAP Authentication
              KILL          utility AATV used to unconditionally remove
                            pending events
              LOG           utility AATV used to log some error
              MKERB         the AATV for MIT Kerberos Authentication
              NULL          utility NULL AATV
              PASSWD        the AATV used to handle Passwd-Requests
              PENDING       utility AATV used to test for pending events
              RAD2RAD       the AATV used to send RADIUS proxy requests
              RADDNS        the AATV for resolving DNS names
              RADIUS        the main AATV in the Merit AAA server
              REALM         the AATV for handling realm based Authentication
              REDO          utility AATV used to re-invoke an action
              REPLY         utility AATV used to send a RADIUS reply
              SRV_STATUS    the AATV for Status-Server requests
              TACACS        the AATV for TACACS Authentication
              TIMEOUT       utility AATV used to do timeout logging
              TIMER         utility AATV used to initialize the timeout value
              UNIX-PW       the AATV for UNIX password file Authentication


       The <next-state> field indicates which state the FSM
       should enter following the completion of the <action>,
       even if that <action> was deferred in one of several ways
       allowed for an AATV.  Each such state must appear in the
       configuration file alone on a line and followed by a colon
       (':') character.

       The optional <name=value> and <name=string> fields are
       simple keyword/value pairs which allow any AATV to be
       given an arbitrary integer or string value (or both) as
       configured in the FSM table.  The name for integer values
       is XVALUE and the name for string values is XSTRING.

       NOTE: Only one action may result from entering any state
       and this from the first entry which matches the given
       event.
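
       Added example (not part of the Merit distribution): a Python
       check that parses the entry syntax described above, reports
       <next-state> names that have no state line of their own, and
       resolves an event with the first-match rule.  The sample table
       and the names parse_fsm, undefined_states and dispatch are
       constructed for illustration; patterns are compared literally
       apart from the "*" wild card.

```python
# Constructed sample in the radius.fsm syntax described above (not a shipped file).
SAMPLE = """\
# comment lines and blank lines are ignored
Start:
    *.*.AUTHEN              AUTHENTICATE  Await
Await:
    Start.AUTHENTICATE.ACK  REPLY         Hold
    *.*.NAK                 REPLY         Hold   XVALUE=1 XSTRING=denied
Hold:
    *.*.TIMEOUT             NULL          End
End:
"""

def parse_fsm(text):
    """Return {state: [(event, action, next_state, extras), ...]} in file order."""
    table, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines are ignored
        fields = line.split()
        if len(fields) == 1 and line.endswith(":"):
            current = line[:-1]           # a state line: just "Name:"
            table.setdefault(current, [])
            continue
        if current is None or not 3 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: malformed entry: {line!r}")
        event, action, nxt = fields[:3]
        if event.count(".") != 2:
            raise ValueError(f"line {lineno}: event needs three sub-fields")
        extras = dict(f.split("=", 1) for f in fields[3:])  # XVALUE / XSTRING
        table[current].append((event, action, nxt, extras))
    return table

def undefined_states(table):
    """Next-states that never appear as a 'Name:' line in the file."""
    targets = {entry[2] for entries in table.values() for entry in entries}
    return sorted(targets - set(table))

def dispatch(table, state, event):
    """First matching entry wins; '*' matches any state or action sub-field."""
    src, act, name = event.split(".")
    for pattern, action, nxt, _ in table[state]:
        p_src, p_act, p_name = pattern.split(".")
        if p_src in ("*", src) and p_act in ("*", act) and p_name == name:
            return action, nxt
    return None                           # no entry handles this event
```

       Running undefined_states() on a candidate file before sending
       radiusd a HUP catches transitions into states that were never
       declared.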

       If the file radius.fsm does not exist, the server will use
       the following built-in FSM table:

              Start:
                   *.+AUTHEN.ACK       AUTHENTICATE   REPLYhold
                   *.+AUTH_ONLY.ACK    AUTHENTICATE   REPLYhold
                   *.+ACCT.ACK         ACCT           REPLYhold
                   *.+MGT_POLL.ACK     SRV_STATUS     REPLYhold
                   *.*.NAK             REPLY          End
              REPLYhold:
                   *.*.ACK             REPLY          Hold
                   *.*.NAK             REPLY          Hold
                   *.*.ACC_CHAL        REPLY          Hold
              Hold:
                   *.*.TIMEOUT         NULL           End
              End:

       The radius.fsm file is read by radiusd upon startup, or
       when a HUP signal is received by radiusd.  The Merit AAA
       server detects any out-of-date configuration files upon
       receipt of a Status-Server (or Management-Poll) request
       and re-reads all the configuration files.  This file is
       maintained by the system administrator using a text
       editor.

FILES
       ../raddb/radius.fsm
	      finite state machine configuration file
       ../src/radius.h
	      the main Merit AAA server include file

SEE ALSO
       signal(3), radiusd(8)

			   5 March 1997				3
