Hi Mike,
right on your question:
1. regarding the attributes – no they should be not the same.
In Access-Request the NAS is sending to the Radius-server a set of attributes (like Username, Password, NAS-port, port-type, Service-Type, Calling-Station-ID and etc), by which
The Radius server should decide wether or not to allow access to the customer. In example, it will allow only customers with valid user&pass, who are asking for Service-Type = Login, or who are logging in only to NAS = x.x.x.x.
On Access-Accept, the Radius server is sending to the NAS (along with the instruction to let this user in) a set of instructions and rules against that user, like:
Session-Timeout = how many seconds this customer is allowed to stay;
What kind of MTU to set on the customer’s interface, wether or not to apply some kind of filter/access-list against the customer (set in the “Filter-ID” attribute).
The “Identifier” field at “Access-Accept” must match with the one sent with “Access-Request” (this is how NAS knows that this reply “Accept” is related to the same “Access-Request”).
Length is the calculated length of the message.
You should send this:
MD5(
Code=2 (Access Accept)
Identifier (It remains the same as in Access-Request)
… ..
Attributes – the attributes in Access-Accept
….
..
)
that is