Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to the RADIUS protocol. All Rights Reserved © Alcatel-Lucent 2007 2 | RADIUS protocol Overview Module Objetives Identify the elements and.

Similar presentations


Presentation on theme: "Introduction to the RADIUS protocol. All Rights Reserved © Alcatel-Lucent 2007 2 | RADIUS protocol Overview Module Objetives Identify the elements and."— Presentation transcript:

1 Introduction to the RADIUS protocol

2 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Module Objetives Identify the elements and architecture of remote access to networks Understand the way the RADIUS protocol works Get to know the attributes that control different type of access technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc) Way to code attributes and RADIUS packets, and the sense of a dictionary Cover the standard statistical information provided over SNMP View the extensions added to the RADIUS protocol

3 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview AAA A A uthentication Verify that a user really is who (s)he claims to be: Password, Token Cards, Calling number, X.509 digital certificate, SIM card, etc. A A uthorization Check that the user can access the service (s)he is trying to: Checking against a database, a file, etc. what the user can do, and restrict his/her access to the network A A ccounting Write down what the user has done during his connection Connection time, bytes sent/received, access service, etc. To get statistics about user accesses, billing, etc

4 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Switched connection diagram PPPIP Web Server ISP Modem User NAS / RAS ROUTER RADIUS AAA SERVER USER DB POP (Point of Presence) Internet PSTN

5 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Different ways for the AAA Local accounts in the NAS/RAS Only valid for small number of users Not valid if any user can connect at any NAS We would have to provision all users in all NAS's Proprietary software between NAS and an external server RADIUS Protocol RADIUS for a NAS to ask the server with centralized information about all users Or its evolution: Diameter NASREQ application Protocol TACACS (tacacs, tacacs+, xtacacs) Not widely implemented, apart from Cisco

6 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview RADIUS: Basic Principles RADIUS is not the server itself, but the protocol to exchange information Protocol to communicate between: a RADIUS client Typically the NAS (= Network Access Server) a remote AAA server Standarized by the IETF (Internet Engineering Task Force) by several RFCs: 2865 & 2866 And enhanced in RFCs: 2867, 2868 & 2869, Adopted by all vendors of access devices, as almost the only standard for AAA RADIUS stands-up for: Remote Authentication Dial-In User Service

7 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Users Database NAS User dials modem pool and establishes connection UserID: bob Password: ge55gep Framed- Address= Internet RADIUS Server Internet PPP connection established Access-Request User-Name: bob Password: ge55gep NAS-IP: Bob password=ge55gep Timeout = 3600 [other attributes] Select UserID=bob Access-Accept Framed-IP- Address= Session-Timeout=3600 [other attributes] Authentication DataFlow

8 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview ISP Accounting Database NAS Account-Request Acct-Status-Type = Start User-Name = bob Framed-Address = … Sun May 10 20:47: Acct-Status-Type = Start User-Name = bob Framed- Address= … Internet RADIUS Server PPP session Acknowledgement The Accounting Start Record Accounting DataFlow (Start)

9 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview ISP Accounting Database NAS Internet RADIUS server Account-Request Acct-Status-Type = Stop User-Name = bob Acct-Session-Time = 1432 Sun May 10 20:50: Acct-Status-Type = Stop User-Name = bob Acct-Session-Time = 1432 …... Acknowledgement The Accounting Stop Record The user disconnects Accounting DataFlow (Stop)

10 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Fault Tolerance Radius Servers List Authentication Accounting Auth_Timer Acct_Timer 1) ) ) The NAS selects the first RADIUS server on the list The first RADIUS server replies but the router drops the reply The NAS selects the second RADIUS server The request does not get to the RADIUS server The NAS selects the third RADIUS server The reply is received and the transaction ends * The retransmission strategy is not standardized: * some NASs fail over to another RADIUS server as soon as a timeout occurs * some NASs retry 1 or 2 times to the same RADIUS server before failing over Based on retransmissions by the Radius Client

11 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Information from NAS -> server for authentication Information related to RADIUS client (NAS) NAS-Ip-Address, or unique identification (NAS-Id) Information to authenticate the user connecting: User-Name & Password Information about the connection itself (for authorization): Calling number, called number (or APN for GPRS/UMTS), Modem/port taking the connection (NAS-Port) Type of session (PPP, SLIP,...) Type of connection (POTS, ISDN, ADSL, UMTS, GPRS, etc.)

12 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Authentication process in the server (I) 1.- Decode the user's password (it travels encrypted) Using the "shared secret key", known both by client and server 2.- Search the user connection profile in: Plain text file External SQL database LDAP server /etc/passwd file in UNIX User accounts in Windows Domains Etc. 3.- Authenticate the user

13 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Authentication process in the server (& II) 4.- Optionally, check extra data (check-items) Type of connection (POTS, ISDN, ADSL, cable, UMTS, etc.) Time of day Calling number, called number etc. 5.- Send Accept/Reject to the NAS with the right attibutes for this user session (reply-items) Idle and session timeout IP filters for this user Indication of IP address to assign to user For ISDN, max. number of channels to bond together (MLPPP) etc.

14 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Communication UDP ports Communication between client and server is done over UDP/IP RADIUS authentication and accounting servers are listening on 2 different ports Servers can listen on any port, but it is advisable to use the standard ones (defined in RFC's) RADIUS clients can send requests on any source UDP port they have available. Not limited in RFC's All requests need not come from same port, and usually don´t Though NAS's can be configured to send all request with the same source UDP port Only advisable for firewall restrictions UDP Ports UDP PortsNewOld Authentication Accounting

15 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview ¿Why UDP? In RADIUS it is not necessary the retransmision feature provided by TCP If client doesn´t get an answer, it sends another one to a secondary server The response to a retransmitted TCP request, could arrive too late Simplifies server implementation Specially for multi-threaded servers Reduces network traffic UDP has less overhead than TCP UDP needs not establish a session before sending data RFC2865

16 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview PPP overview and traditional authentication methods This Point-to-Point Protocol (PPP) allows sending several protocols above its headers The establishment of the PPP link requires certain handshaking. LCP - Link Control Messages To determine MLPPP, the MTU and decide the authentication algorithm for the user Authentication - It will depend on the protocol used: PAP, CHAP, MS- CHAPv2, EAP During this stage, the RADIUS server is contacted by the NAS NCP - Network Control Protocol, to negotiate extra parameters IPCP, the IP address assigned to the user CCP, if the data is going to be compressed ECP, if the data is going to be encrypted

17 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Password Authentication Protocol (PAP) The password travels in the clear (unencrypted) The password can be stored hashed in the RADIUS server Users credentials are verified only once At the beginning of the connection Initiator Responder PAP-Auth-Request #1 ( Name=jsmith, Passwd=red ) PAP-Auth- Success #1 (Message="00") PAP-Auth-Failure #1 (Message="Incorrect Password") Access-Request User-Name =jsmith User-Password =red Access-Accept Access-Reject RADIUS server

18 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Challenge Handshake Authentication Protocol (CHAP) User password is hashed using MD5 and a random challenge generated by the NAS (PPP responder) The password cannot be stored hashed in the RADIUS server Optionally, the user can be authenticated several times during the lifetime of the session Initiator Responder CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value= 0c7d a8, Name= tnt2 ) Auth-Response #1 (Chall. Length=16, Challenge Value= 016b , Name= john ) CHAP-Auth-Success #1 (Message="00") CHAP-Auth-Failure #1 (Message="Incorrect Password") Access-Request User-Name =john CHAP-Password =016b [CHAP-Challenge* =0c7d203...a8] Access-Accept Access-Reject RADIUS server

19 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview LCP handshaking In the LCP handshaking, the user and the NAS determine the authentication protocol to use: The user may accept the proposal from the server The user may reject the server proposal, and expect to receive a new proposal Initiator Responder Authenticator Config-Request #1 (MRU=1524, auth=PAP,...) Config-Reject #1 ( auth=PAP ) Config-Request #2 (MRU=1524, auth=CHAP/MD5 ) Config-Ack #2 (MRU=1524, auth=CHAP/MD5 ) Config-Ack #2 (MRU=1524, auth=PAP,...) Config-Request #1 (MRU=1524, auth=PAP,...)

20 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Hashing of password The user password can only be hashed once (MD5, SHA1, etc) either at database storage or when the user transmits it As the hash algorithms are not reversible However, passwords can be stored encrypted (3DES, AES, …) Stored in the users database (text file, SQL, LDAP, etc) In the clearHashed (MD5, SHA1) Auth. algorithm used PAP, telnet/SSH... {User-Password(2)} OK CHAP, Eap-MD5... {Chap-Password(3),...} OK X User password typed in this connection attempt User password provisioned for this user Sent from NAS Read from database, text file,....PAP | CHAP

21 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview RADIUS packet format Identifier TypeLength Authenticator Attributes bytes Identifies the packet, along with source IP address and UDP port. Used to detect duplicate packets - In auth requests: to encrypt user password using the shared secret key (usually a random value) - In replies and accounting: to authenticate the message itself. Similar to a digital signature Length of RADIUS packet 20 < length < 4096 bytes *

22 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview RADIUS packet types Access-Request (1) Access-Request (1) - Authentication requests from NAS to server Access-Accept (2) Access-Accept (2) - Response from server to NAS accepting the user session Access-Reject (3) Access-Reject (3) - Response from server to NAS rejecting the user session Access-Challenge (11) Access-Challenge (11) - Request form server to NAS, asking for additional info from the user Used in token/crypto cards, and for EAP Account-Request (4) Account-Request (4) - The NAS sends accounting information to the server Account-Response (5) Account-Response (5) - The server ACKs the acct packet to the NAS RFC2865

23 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Authenticator field in auth The Authenticator field serves to 2 purposes depending if it is a request or an accept/reject Encryption of some attributes: User-Password Server authentication Random num. Shared key Hash MD5 PAP Passwd(clear text) XOR Authenticator field Attrib. User-Password Shared key Hash MD5 XOR Clear Passwd ClientServer Access-Request Request Authenticator Shared key Hash MD5 Authenticator Field Access-Accept/Reject Match? Server Authenticated X Discard packet Request Authenticator Shared key Response packet (without authenticator) Hash MD5 Response packet (without authenticator)

24 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Authenticator field in acct For accounting the authenticator only provides: Authentication of client and server –Similar to a digital signature Shared key Hash MD5 Authenticator field ClientServer Account-Request Request Authenticator Shared key Hash MD5 Authenticator field Account-Response Match? Authenticated X Discard packet Request Authenticator Shared key Acct packet (without authenticator) Hash MD5 Acct packet (without authenticator) Shared key Hash MD5 Match? X Discard Client Authenticated

25 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of successful auth: Dial-in user with PAP POTS Modem PSTN RADIUS server RADIUS client - NAS- IP Access-Request (1) - ID=1 User-Name (1) = pepe" User-Password (2) = 5E%&gn)8 NAS-IP-Address (4) = NAS-Port (5) = 20 Service-Type (6) = Framed (2) Framed-Protocol (7) = PPP (1) NAS-Port-Type (61) = Async (0) Called-Station-Id (30) = Calling-Station-Id (31) = Access-Accept (2) - ID=1 Service-Type (6) = Framed (2) Framed-Protocol (7) = PPP (1) Framed-IP-Address (8) = Framed-IP-Netmask (9) = Framed-Routing (10) = None (0) Framed-Compression (13) = VJ TCP/IP (1) Framed-MTU (12) = 1500 Session-Timeout (27) = 7200 *

26 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of an PPPoA (ADSL) connection RADIUS server IP Access-Request (1) - ID=1 User-Name = CHAP-Password = "\0011\266…\303" CHAP-Challenge = "e\241\…\000" NAS-IP-Address = NAS-Port = 3329 Ascend-NAS-Port-Format = 2_4_5_5 NAS-Port-Type = Sync Service-Type = Framed-User Framed-Protocol = PPP Acct-Session-Id = " " Access-Accept (2) - ID=1 Service-Type = Framed-User Framed-Protocol = PPP Ascend-Source-IP-Check = Source-IP-Check-Yes Ascend-IP-Source-If = "sip100" Framed-Pool = 1 Filter-Id=Foo Ascend-Filter-Required=Required-Yes * RADIUS client -BRAS- For ADSL with PPPoA, there is no Called-Station-Id or Calling-Station Id. For PPPoE, they represent the Ethernet MAC addresses For ADSL with PPPoA, there is no Called-Station-Id or Calling-Station Id. For PPPoE, they represent the Ethernet MAC addresses DSLAM ATM ADSL line PPPoA Client

27 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of an UMTS/GPRS connection RADIUS server IP * SGSN RNC Node B RADIUS client -GGSN- The APN is sent in Called-Station-Id. It is used for the user to select the GGSN The APN is sent in Called-Station-Id. It is used for the user to select the GGSN Access-Request (1) - ID=1 NAS identifier(32) = "B-CER1N-GGSN2" User Name(1) = "WAPTM" User Password(2) ="§oà\009KFÏ\020#\145+\146®îf" NAS Port Type(61) = Virtual (5) Calling Station Id(31) = " " Called Station Id(30) "wap.movistar.es" Acct Session Id(44) ="646704d51e069701" Access-Accept (2) - ID=1 Service-Type (6) = Framed (2) Framed-Protocol (7) = PPP (1) Framed-IP-Address (8) = Framed-IP-Netmask (9) = Session-Timeout (27) = 7200 Idle-Timeout (28) = 3600

28 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example for CDMA2000 1xEVDO (HRPD) AN-AAA (A12 interface) The A12 interface (AN – AAA) is used: to perform access authentication (with CHAP) of the AT device by the AN The User-Name is the IMSI for the SIM card (MCC, MNC, MN_ID) to return the MN ID (e.g: IMSI) that is used on A8/A9 and A10/A11 interfaces This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and cdma2000 systems. Is-878 RNC/PCF (BS Controller) BS (Base Station) AT (Access Terminal) PDSN (Packet Data Serving Node) PPP A10/A11 A8/A9 Access-Request User-Name = CHAP-Password = "\0011\266…\303" CHAP-Challenge = "e\241\…\000 NAS-IP-Address = GPP2-HRPD-Access- Authentication=True 3GPP2-AT-Hardware-Id=012…9012 Access-Accept (2) Callback-Id (20) = *

29 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example for CDMA2000 1xEVDO (HRPD) PDSN-AAA for Simple IP The PDSN is the classical PPP server The AAA server might return 1 IPv4 and/or 1 IPv6 address for the user to choose, or the PDSN will select it from a local pool New Access-Requests are sent when the AT hands-off between PCFs It is correlated to the current session with the 3GPP2-Correlation-Id AVP Is-835 RNC/PCF (BS Controller) BS (Base Station) AT (Access Terminal) PDSN (Packet Data Serving Node) PPP A10/A11 Access-Request User-Name = CHAP-Password = "\0011\266…\303" CHAP-Challenge = "e\241\…\000 NAS-IP-Address = Nas-Port-Type= Wireless-1X-EV 3GPP2-Correlation-Id=1234 Calling-Station-Id Access-Accept [Framed-IP-Address = ] Session-Timeout = 7200 *

30 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of pre-auth followed by PPP negotiation The pre-auth is done before the NAS takes the call off-hook Requires ISDN signalling (Q.931) or SS7 with Softwswitch (MGC) The server decides to allow/refuse taking the call off-hook based on calling-number (CLID) or called-number (DNIS) For PPP users, normally they must also do PPP authentication (PAP, CHAP, etc) later PSTN IP Access-Accept (2) - ID=127 Ascend-Require-Auth (26->529(201)) = Require-Auth (1) Access-Request (1) - ID=127 User-Name (1) = " User-Password (2) = Ascend-DNIS NAS-IP-Address (4) = NAS-Port (5) = 20 NAS-Port-Type (61) = Async (0) Service-Type (6) = Call-Check (10) Called-Station-Id (30) = Calling-Station-Id (31) =

31 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of pre-auth for dataphones (PoS) The RADIUS server instructs the NAS how to handle this call, and even what modulation to use Before taking the call off-hook PSTN Access-Accept (2) - ID=10 User-Name = "PoS", Service-Type = Login Login-Service = TCP-clear, Login-IP-Host = , Login-TCP-Port = 8419 Ascend-AT-Answer-String ="&t4s18=15+MS=1 &g2S220=11S221=50S10=3" The bank system has a X.25 network PAD IP X.25 RADIUS server Bank X NAS Access-Request (1) - ID=10 User-Name (1) = 090" User-Password (2) = Ascend-DNIS NAS-IP-Address (4) = NAS-Port (5) = 20 NAS-Port-Type (61) = Async (0) Service-Type (6) = Call-Check (10) Called-Station-Id (30) = 090 Calling-Station-Id (31) = *

32 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of proxy-radius A RADIUS server redirects the request to a remote server, based on Called- Station-Id or user realm IP IP Forwarding Server Remote Server Access-Request (1) - ID=100 User-Name(1) = User-Password(2) = 5E%&gn)8 NAS-IP-Address(4)= NAS-Port (5) = 27 1 Access-Request (1) - ID=200 User-Name (1) = User-Password (2) = NAS-IP-Address(4)= NAS-Port (5) = 27 [Proxy-State(33) = ] 2 Access-Accept (2) - ID=200 Service-Type (6) = Framed (2) Framed-Protocol (7) = PPP (1) [Proxy-State(33) = ] 3 Access-Accept (2) - ID=100 Service-Type (6) = Framed (2) Framed-Protocol (7) = PPP (1) Framed-IP-Address(8)= Framed-IP-Netmask(9)= Session-Timeout (27) =

33 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of PPP tunneling Attribute coding as in RFC 2868 (tagged) POTS Modem POTS Public RADIUS server RADIUS client Tunnel client (LAC) Public IP network Access-Request (1) - ID=8 User-Name (1) = CHAP-Password (3) = 5E%&gn)8 CHAP-Challenge (60) = A0B NAS-IP-Address (4) = NAS-Port (5) = 20 Service-Type (6) = Framed (2) Framed-Protocol (7) = PPP (1) NAS-Port-Type (61) = Async (0) Called-Station-Id (30) = Calling-Station-Id (31) = Access-Accept (2) - ID=8 Tunnel-Type(64)=L2TP : 1, Tunnel-Medium-Type(65) = IPv4, Tunnel-Server-Endpoint(67)= : 1, Tunnel-Password(69)=loloaqic : 1, Tunnel-Type(64)=PPTP : 2, Tunnel-Server-Endpoint(67)= : 2, Tunnel-Password(69)=itsAsecret : 2 Tunnel server (LNS) Intranet Corporate RADIUS server * Tunnel server (LNS)

34 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example for Ipsec authentication X-auth over IKE with Lucent Brick-LSMS Example with IKE authentication tunnel endpoints with pre-shared key User authentication with X-auth with login/password Ipsec client = user Ipsec server (Lucent Brick) X-auth in IKE Access-Request (1) - ID=150 User-Name (1) = usu1" User-Password (2) = 5E%&gn)8 NAS-IP-Address (4) = Called-Station-Id (30) = Service-Type (6) = Authenticate-Only (8) NAS-Port-Type (61) = Virtual (5) RADIUS client (LSMS) Access-Accept (2) - ID=150 Session-Timeout (27) = Idle-Timeout (28) = 3600 [Connect-Info (77)] = user_group1 [Framed-IP-Address (8) = ] * RADIUS server

35 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Authentication for device administration Example with Lucent TAOS IP RADIUS server telnet TNT2 Access-Request (1) - ID=10 User-Name (1) = amdinuser" User-Password (2) = 5E%&gn)8 NAS-IP-Address (4) = NAS-Port (5) = 0 NAS-Port-Type (61) = Virtual (5) Service-Type (6) = Administrative (6) [Calling-Station-Id= ] Access-Accept (2) - ID=10 Service-Type (6) = Administrative (6) Ascend-Telnet-Profile (26->529:91) = Admin

36 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of failed authentication: Crypto-Card (Challenge-Response) PSTN IP Access-Request (1) - ID=2 User-Name (1) = mycard" User-Password (2) = NAS-IP-Address (4) = NAS-Port (5) = 27 1 Access-Challenge (11) - ID=2 Reply-Message (18) =Challenge: State (24) = Prompt (76) = Echo (1) Session-Timeout (27) = Challenge: Response: Access-Request (1) - ID=3 User-Name (1) = mycard" User-Password (2) = NAS-IP-Address (4) = NAS-Port (5) = 27 State (24) = Access-Reject (3) - ID=3 Reply-Message (18) =Invalid Credentials 8 Token Card Server Proprietary protocol 2 3

37 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Digest Authentication for HTTP/SIP (I) Example to authenticate&authorize every VoIP call (INVITE) The authentication could also be done only during registration RFC4590 users database Access-Request User-Name=123 NAS-IP-Address = NAS-Port-Type = Virtual Digest-Method = INVITE Digest-URI = Message-Authenticator = 08…8043 Access-Challenge Digest-Nonce = 3bada1a0 Digest-Realm = example.com Digest-Qop = auth Digest-Algorithm = MD5 Message-Authenticator = f8…da40 State=27 SIP proxy server RADIUS Client INVITE From: To: SIP UA AOR: RADIUS server SIP UA AOR: 100 TRYING 407 Proxy Authentication Required Proxy-Authenticate: - Digest realm="example.com", - nonce="3bada1a0", - qop=auth, - algorithm=MD5 Content-Length: 0 ACK

38 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Digest Authentication for HTTP/SIP (II) RFC4590 users database Access-Request User-Name=123 NAS-IP-Address = NAS-Port-Type = Virtual Digest-Method = INVITE Digest-URI = SIP-AOR = Digest-Username = 123 Digest-Realm = example.com Digest-Response = f3c…97a4 Digest-Cnonce=0a7e75c4 Digest-Nonce-Count=1 Digest-Algorithm = md5 Digest-Nonce = 3bada1a0 Digest-Qop = auth Message-Authenticator = ff…e0ff State=27 Access-Accept Digest-Response-Auth = 63…e954 Digest-Nextnonce=fd0a…8765 Message-Authenticator = 75…aaf1 SIP proxy server RADIUS Client INVITE From: To: Proxy-Authorization: - username="123", - realm=" example.com ", - response="f3c…97a4" - Digest algorithm="md5", - nonce="3bada1a0", - - qop=auth, - algorithm=MD5 SIP UA AOR: RADIUS server SIP UA AOR: * NOTE: The next authentication for this user could save a round-trip if the radius client uses the Digest- Nextnonce to challenge the user

39 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Main attributes (I) User-Name (1) - Mandatory in Access-Request & Acct-Request The server may send it back in the Access-Accept, so that the NAS sends this new User-Name in Acct-Request packets User-Password (2) - Encrypted password with PAP authentication Minimum length: 16 bytes (due to the encryption algorithm) Only in Access-Request Also contains the characters introduced by user after an Access-Challenge CHAP-Password (3) - Encrypted password with CHAP authentication ID. attribAttrib. length.Attrib. value RFC2865

40 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Main attributes (II) CHAP-Challenge (60) - Challenge sent from the NAS to the user for CHAP authentication Optionally, this CHAP challenge can be sent in the authenticator field NAS-IP-Address (4) - IP address of the RADIUS client NAS-Port (5) - Physical port (modem) in the NAS processing the connection If there is not a physical modem, this number is virtual (sequence) Service-Type (6) - Type of service the user is requesting (Access- Request), or (s)he is allowed to have (Access-Accept): Login(1): The user is doing a telnet (TCP connection) to a host Framed(2): Usually, a PPP session with an IP address Callback Login(3), Callback Framed(4): Administrative(6): to manage a NAS via telnet Call-Check(10): for pre-authentication RFC2865

41 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Main attributes (III) Framed-Protocol (7): when service-type=framed PPP (1), SLIP (2), etc Framed-IP-Address (8): IP address to assign to the user. Can be: Regular IP address Special addresses meaning: = The NAS assigns dynamically one from any pool = The user may choose his/her IP address Framed-IP-Netmask (9): Usually, (1 IP address) Framed-Routing (10): Used for modem-routers talking RIP: None(0), Send routing packets (1), Listen for routing packets (2), Send and Listen (3) Filter-Id (11) - Name of the filter to apply to the user This filter name must be defined in the NAS or with a VSA RFC2865

42 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Main attributes (IV) Framed-MTU (12) - Maximum Transmission Unit for layer 2 Framed-Compression (13): VJ TCP/IP header compression for PPP (1) Login-IP-Host (14): In the Access-Accept the server instructs the NAS the IP address of a host to establish a TCP connection to Used when IP Service-Type=Login, Login-Service (15) – When Service-Type=Login: Telnet (0), Rlogin (1), TCP Clear (2), etc Reply-Message (18) – For an Access-Challenge, the message to show to the user. For an Access-Reject, may contain the cause to reject the connection RFC2865

43 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Main attributes (V) Vendor-Specific (26) - Specific attributes for this device, not defined by IETF but by the vendor who made the device (NAS) Session-Timeout (27) - Max. Connection time (sec.) Idle-Timeout (28) - Max. idle time (sec.) Called-Station-Id (30) - Also called DNIS In GPRS/UMTS: APN Calling-Station-Id (31) - Also called CLID 26Length.Vendor ID. VSA1 ID VSA1 Length VSA1 Value ID. VSA2 Long. VSA2 Valor VSA2 RFC (or 2)1 1

44 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Main attributes (& VI) NAS-Id (32) - Alternative to the attrib. NAS-IP-Address to identify the NAS sending the requests Proxy-State (33) - May be used when a server is acting as proxy-RADIUS. The NAS never receives this attribute NAS-Port-Type (61) - Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4) = Mobile Virtual (5): ie, access via telnet xDSL (16), Cable (17) GPRS (18), Wi-Fi= (19), CDMA2000 (22), UMTS (23) Port-Limit (62) - To limit the max. number of calls that can be bonded together with MP (Multilink-Protocol), or concurrent sessions with the same User-Name RFC2865

45 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Protocol enhancement: RFCs 2867->2869 In RFCs 2867 and 2868 new attributes are defined for tunneled connections (mainly L2TP) RFC 2869 defines some general user attributes: Prompt (76) - In a Challenge-Response to tell the NAS if it has to echo user response Connect-Info (77) - May show info about user connection and speed. The format is NAS/vendor dependant: Ej: "28800 V42BIS/LAPM", "52000/31200 V90", "9600 V110/ISDN" Acct-Interim-Interval (85) - The RADIUS server can order the NAS to send Interim acct packets with a certain periodicity Framed-Pool (88) - In the Access-Accept, to tell the NAS what pool to use for user IP address assignment This pool must be defined locally in NAS RFCs2867->9

46 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview f 40 3f bd 83 d5 cb 98 f4 22 7a e 65 6d 6f d be 70 8d 93 d4 13 ce e4 3f 78 2a 0a ee c0 a Packet coding Message Type=Access-Request(1) Packet ID = 1 Length=56 Request Authenticator Attrib ID= User-Name(1) Length = 6 Value = nemo ID = User-Password(2) Length = 18 Encrypted password using authenticator field Attrib= NAS-IP-Address(4) Length = 6 Value = Attrib= NAS-Port(5) Length = 6 Value = 3

47 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Accounting special attibutes (I) Acct-Status-Type (40) - Type of accounting packet: Start (1), Stop (2), Interim-Update (3), etc. Accounting-On (7), Accounting-Off (8) The NAS is going to be/has been rebooted and won't send the Stop packets of users connected in that moment Acct-Delay-Time (41) - # of seconds between the acct event time and the generation of this packet Used mainly in retransmissions with a value != 0 Acct-Input-Octets (42) - In Stop/interim, bytes tx by the user (input bytes for the NAS) from the beginning of the session = Upstream Acct-Output-Octets (43) - Bytes received by the user = Downstream Acct-Input-Packets (47) - Acct-Output-Packets (48) -

48 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Accounting special attibutes (& II) Acct-Session-Id (44) - Identifies a session in a unique manner in the NAS This attribute may also be sent in the Access-Request packet (auth) The value must be the same in Start, Stop and Interim (and in auth) Acct-Authentic (45) - The way the user got authenticated RADIUS (1), Local (2), Remote (3) Acct-Session-Time (46) - How long (in seconds) the user was connected (Stop), has been connected up to the moment (interim) Acct-Terminate-Cause (49) - General cause User Request(1), Lost Carrier(2), Idle Timeout (4), Callback(16)… Acct-Multi-Session-Id (50) - For MLPPP sessions, each call will have a different Acct-Session-Id, but the same Acct-Multi-Session-Id Acct-Link-Count (51) - In MLPPP, the max number of channels that have been bonded together

49 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of acct START packet TAOS 9.x Tue Ago 28 11:15: User-Name = user1_basic NAS-IP-Address = NAS-Port = 31 Ascend-NAS-Port-Format = 2_4_5_5 Acct-Status-Type = Start Acct-Delay-Time = 0 Acct-Session-Id = Acct-Authentic = RADIUS Calling-Station-Id = Called-Station-Id = Framed-Protocol = PPP Framed-IP-Address = Service-Type = Framed-User NAS-Port-Type = Async Ascend-Modem-PortNo = 6 Ascend-Modem-SlotNo = 2 Ascend-Modem-ShelfNo = 1 Tue Ago 28 11:15: User-Name = user1_basic NAS-IP-Address = NAS-Port = 31 Ascend-NAS-Port-Format = 2_4_5_5 Acct-Status-Type = Start Acct-Delay-Time = 0 Acct-Session-Id = Acct-Authentic = RADIUS Calling-Station-Id = Called-Station-Id = Framed-Protocol = PPP Framed-IP-Address = Service-Type = Framed-User NAS-Port-Type = Async Ascend-Modem-PortNo = 6 Ascend-Modem-SlotNo = 2 Ascend-Modem-ShelfNo = 1 *

50 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Tue Ago 28 11:16: User-Name = user1_basico NAS-IP-Address = NAS-Port = 31 Ascend-NAS-Port-Format = 2_4_5_5 Service-Type = Framed-User NAS-Port-Type = Async Acct-Status-Type = Stop Acct-Delay-Time = 0 Acct-Session-Id = Acct-Authentic = RADIUS Acct-Session-Time = 74 Acct-Input-Octets = Acct-Output-Octets = Calling-Station-Id = Called-Station-Id = Tue Ago 28 11:16: User-Name = user1_basico NAS-IP-Address = NAS-Port = 31 Ascend-NAS-Port-Format = 2_4_5_5 Service-Type = Framed-User NAS-Port-Type = Async Acct-Status-Type = Stop Acct-Delay-Time = 0 Acct-Session-Id = Acct-Authentic = RADIUS Acct-Session-Time = 74 Acct-Input-Octets = Acct-Output-Octets = Calling-Station-Id = Called-Station-Id = Example of acct STOP packet (I) TAOS 9.x *

51 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example of acct STOP packet (& II) TAOS 9.x * Ascend-Data-Rate = Ascend-Xmit-Rate = Ascend-Disconnect-Cause = 185 Ascend-Connect-Progress = LAN-session-is-up Ascend-PreSession-Time = 0 Ascend-First-Dest = Ascend-Pre-Input-Octets = 174 Ascend-Pre-Output-Octets = 204 Ascend-Pre-Input-Packets = 7 Ascend-Pre-Output-Packets = 8 Ascend-Modem-PortNo = 6 Ascend-Modem-SlotNo = 2 Ascend-Modem-ShelfNo = 1 Framed-Protocol = PPP Framed-IP-Address = Ascend-Data-Rate = Ascend-Xmit-Rate = Ascend-Disconnect-Cause = 185 Ascend-Connect-Progress = LAN-session-is-up Ascend-PreSession-Time = 0 Ascend-First-Dest = Ascend-Pre-Input-Octets = 174 Ascend-Pre-Output-Octets = 204 Ascend-Pre-Input-Packets = 7 Ascend-Pre-Output-Packets = 8 Ascend-Modem-PortNo = 6 Ascend-Modem-SlotNo = 2 Ascend-Modem-ShelfNo = 1 Framed-Protocol = PPP Framed-IP-Address =

52 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Message flow for a connection Access-Request Access-Accept Accounting-Request (START) Accounting-Response Accounting-Request (STOP) Accounting-Response The user successfully starts the session The user hangs-up PSTN Access-Request Access-Accept Because of signalling the NAS is aware it has an incoming call. Optionally, it asks the RADIUS server before taking the call off-hook (pre- auth) After taking the call off-hook, a "regular" auth packet is sent (User- Name/Password) Accounting-Request (INTERIM) Accounting-Response Accounting-Request (INTERIM) Accounting-Response Optionally, the NAS informs the server periodically the session is still up NAS RADIUS Server

53 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Accounting-Off example An Accounting-Off packet MAY be sent when the NAS ends sending accounting packets for users, because of: a reset, or the RADIUS feature has been disabled RADIUS server RADIUS client - NAS- IP Acct-Request (4) - ID=27 NAS-IP-Address (4) = Acct-Status-Type (40) = Accounting-Off (8) Acct-Delay-Time (41) = 10 Acct-Session-Id (44) = Acct-Response (5) - ID=27

54 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Files in the server Clients Contains information about the RADIUS clients IP address or FQDN Shared secret key Optionally, type of NAS, to know what dictionary it uses Dictionary Definition of all RADIUS attributes and their numeric coding In text format: a person can read and edit that file Type of attribute: Text, String, Integer, IP Address, Date Possible values for enumeration attributes

55 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Dictionary #Keyword Attribute Name Attr.Num Attr.Type ATTRIBUTE User-Name 1 string ATTRIBUTE Password 2 string ATTRIBUTE CHAP-Password 3 string ATTRIBUTE NAS-IP-Address 4 ipaddr... # TAOS specific attributes (Ascend 0-255) ATTRIBUTE Ascend-IP-Pool-Chaining 85 integer Ascend ATTRIBUTE Ascend-IP-TOS 87 integer Ascend ATTRIBUTE Ascend-IP-TOS-Precedence 88 integer Ascend... # RFC Attribute Values VALUE Service-Type Login-User 1 VALUE Service-Type Framed-User 2 VALUE Service-Type Callback-Login-User 3... # Vendor codes VENDOR base 0 VENDOR livingston 307 VENDOR Ascend 529 VENDOR Lucent #Keyword Attribute Name Attr.Num Attr.Type ATTRIBUTE User-Name 1 string ATTRIBUTE Password 2 string ATTRIBUTE CHAP-Password 3 string ATTRIBUTE NAS-IP-Address 4 ipaddr... # TAOS specific attributes (Ascend 0-255) ATTRIBUTE Ascend-IP-Pool-Chaining 85 integer Ascend ATTRIBUTE Ascend-IP-TOS 87 integer Ascend ATTRIBUTE Ascend-IP-TOS-Precedence 88 integer Ascend... # RFC Attribute Values VALUE Service-Type Login-User 1 VALUE Service-Type Framed-User 2 VALUE Service-Type Callback-Login-User 3... # Vendor codes VENDOR base 0 VENDOR livingston 307 VENDOR Ascend 529 VENDOR Lucent

56 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Dictionary File Decoding ATTRIBUTE VALUE Attribute Number RADIUS Request...|6|6|0| Attribute Length (in bytes) Attribute Value 6 2 integer RADIUS Dictionary Service-Type Framed-User Service-Type Framed-User2 6 Service-Type = Framed-User 0|0|2|

57 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Dictionary VSAs # Name Number Type [Vendor] [(Modifiers)] VENDOR Ascend 529 ATTRIBUTE Ascend-Send-Secret 214 string Ascend (asecret,hidden) Example Dictionary entry: | Attr. Number | Total Attr. Length | Vendor ID | data | VSA Attr.Number | VSA Attr. Length | VSA Attr. data

58 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Device configuration via RADIUS (I) Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.) have the capability of asking a RADIUS server about certain configuration parameters This configuration is based on certain Pseudo-Users with pre-defined User-Names The TAOS device will send an Access-Request (1) to the server with Service- Type=Outbound-User Example of pseudo-users in TAOS: banner - To configure a message for Terminal Server pools- - To define address pools for each device route-n - To define static routes and connections (Frame Relay, ATM, outgoing calls with PPP, etc.) For other vendors, the pseudo-users may be different or even non-existent

59 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview IP RADIUS server Access-Request (1) - ID=12 User-Name (1) = pools-TNT2" User-Password (3) = ascend NAS-IP-Address (4) = Service-Type (6) = Outbound-User (5) Access-Accept (2) - ID=12 Ascend-IP-Pool-Definition = " " Ascend-IP-Pool-Definition = " " Device configuration via RADIUS (II)

60 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview RADIUS extensions for NAS's Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.) can receive RADIUS packets for reconfiguration on already connected users In this case, the NAS can be considered as a server, as it receives requests, and must send a response The main actions a NAS may obey are: Disconnection of users Updating user filters on-the-fly These instructions are coded using a special RADIUS packet code 40 & 41 | 42= Disconnect-Request & ACK | NAK 43 & 44 | 45= Change-Filter-Request & ACK | NAK The NAS should be listening for requests on UDP port 3799 RFC2882,3576

61 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Example to disconnect a user PSTN RADIUS client - NAS- RADIUS server IP Disconnect-Request (40) - ID=1 User-Name(1) Framed-IP-Address(8) = Acct-Session-Id(44) = Nas-IP-Address = Disconnect-Ack (41) - ID=1 2 Disconnect-Nak (42)- ID=1 Error-Cause(101) = Residual Session Context Removed (201) 2B NOTE: The RADIUS client should know to which IP address it must send the request to. It will be different to the NAS-IP-Address if: - Nas-Id attribute is used - There is a proxy RADIUS in between *

62 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview SNMP MIBs for RADIUS It is standarized that the RADIUS servers and the clients should offer some statistical information via SNMP Defined in RFCs The new ones also support IPv6 A proxy-RADIUS behaves at the same time as a server and a client Should support both MIBs The OIDs are a branch of MIB-2 All of the OID are read-only, as they are statistical data Except for the reset of counters RFCsAuthAcct Client Server

63 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Auth Server MIB (I) The SNMP agent must store statistics for every client, as well as the aggregate statistics Index Client Address Client ID Access Req Duplic Req Access Accept Access Reject RAS … N GGSN TOTAL Serv Ident Serv UpTime Serv ResetTime NR

64 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Auth Server MIB (II) RFC2619 (.1) Mib-2 (.67) radiusMIB (.1) radiusAuthentication (.1) radiusAuthServMIB (.1) radiusAuthServMIBObjects (.1) radiusAuthServ (.1) radiusAuthServIdent[SnmpAdminString] (.2) radiusAuthServUpTime[TimeTicks] (.3) radiusAuthServResetTime [TimeTicks] (.4) radiusAuthServConfigReset [integer] VALUES: {other(1),reset(2),initializing(3), running(4)} (.5) radiusAuthServTotalAccessRequests [Counter32] (.6) radiusAuthServTotalInvalidRequests [Counter32] (.7) radiusAuthServTotalDupAccessRequests [Counter32] (.8) radiusAuthServTotalAccessAccepts [Counter32] (.9) radiusAuthServTotalAccessRejects [Counter32] (.10) radiusAuthServTotalAccessChallenges[Counter32] (.11) radiusAuthServTotalMalformedAccessRequests [Counter32] (.12) radiusAuthServTotalBadAuthenticators [Counter32] (.13) radiusAuthServTotalPacketsDropped [Counter32] (.14) radiusAuthServTotalUnknownTypes [Counter32] (.1) Mib-2 (.67) radiusMIB (.1) radiusAuthentication (.1) radiusAuthServMIB (.1) radiusAuthServMIBObjects (.1) radiusAuthServ (.1) radiusAuthServIdent[SnmpAdminString] (.2) radiusAuthServUpTime[TimeTicks] (.3) radiusAuthServResetTime [TimeTicks] (.4) radiusAuthServConfigReset [integer] VALUES: {other(1),reset(2),initializing(3), running(4)} (.5) radiusAuthServTotalAccessRequests [Counter32] (.6) radiusAuthServTotalInvalidRequests [Counter32] (.7) radiusAuthServTotalDupAccessRequests [Counter32] (.8) radiusAuthServTotalAccessAccepts [Counter32] (.9) radiusAuthServTotalAccessRejects [Counter32] (.10) radiusAuthServTotalAccessChallenges[Counter32] (.11) radiusAuthServTotalMalformedAccessRequests [Counter32] (.12) radiusAuthServTotalBadAuthenticators [Counter32] (.13) radiusAuthServTotalPacketsDropped [Counter32] (.14) radiusAuthServTotalUnknownTypes [Counter32] * Responses = AccessAccepts + AccessRejects + AccessChallenges * Pending = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped - Responses * entries logged = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped * Responses = AccessAccepts + AccessRejects + AccessChallenges * Pending = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped - Responses * entries logged = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped *

65 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Auth Server MIB (III) RFC2619 (.67) radiusMIB (.1) radiusAuthentication (.1) radiusAuthServMIB (.1) radiusAuthServMIBObjects (.1) radiusAuthServ (.15) radiusAuthClientTable [ Sequence ] (.1) radiusAuthClientEntry [Entry] (.1) radiusAuthClient Index [Integer32] (.2) radiusAuthClientAddress [IpAddress] (.3) radiusAuthClientID [SnmpAdminString] (.4) radiusAuthServAccessRequests [Counter32] (.5) radiusAuthServDupAccessRequests [Counter32] (.6) radiusAuthServAccessAccepts [Counter32] (.7) radiusAuthServAccessRejects [Counter32] (.8) radiusAuthServAccessChallenges [Counter32] (.9) radiusAuthServMalformedAccessRequests [Counter32] (.10) radiusAuthServBadAuthenticators [Counter32] (.11) radiusAuthServPacketsDropped [Counter32] (.12) radiusAuthServUnknownTypes [Counter32] (.2) radiusAuthServMIBConformance (.1) radiusAuthServMIBCompliances (.2) radiusAuthServMIBGroups (.67) radiusMIB (.1) radiusAuthentication (.1) radiusAuthServMIB (.1) radiusAuthServMIBObjects (.1) radiusAuthServ (.15) radiusAuthClientTable [ Sequence ] (.1) radiusAuthClientEntry [Entry] (.1) radiusAuthClient Index [Integer32] (.2) radiusAuthClientAddress [IpAddress] (.3) radiusAuthClientID [SnmpAdminString] (.4) radiusAuthServAccessRequests [Counter32] (.5) radiusAuthServDupAccessRequests [Counter32] (.6) radiusAuthServAccessAccepts [Counter32] (.7) radiusAuthServAccessRejects [Counter32] (.8) radiusAuthServAccessChallenges [Counter32] (.9) radiusAuthServMalformedAccessRequests [Counter32] (.10) radiusAuthServBadAuthenticators [Counter32] (.11) radiusAuthServPacketsDropped [Counter32] (.12) radiusAuthServUnknownTypes [Counter32] (.2) radiusAuthServMIBConformance (.1) radiusAuthServMIBCompliances (.2) radiusAuthServMIBGroups

66 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview Acct Client MIB RFC2620 (.67) radiusMIB (.2) radiusAccounting (.2) radiusAccClientMIB (.1) radiusAccClientMIBObjects (.1) radiusAccClient (.1) radiusAccClientInvalidServerAddresses [Counter32] (.2) radiusAccClientIdentifier [SnmpAdminString] (.3) radiusAccServerTable [Sequence] (.1) radiusAccServerEntry [Entry] (.1) radiusAccServerIndex [Integer32] (.2) radiusAccServerAddress [IpAddress] (.3) radiusAccClientServerPortNumber [Integer32] (.4) radiusAccClientRoundTripTime [TimeTicks] (.5) radiusAccClientRequests [Counter32] (.6) radiusAccClientRetransmissions [Counter32] (.7) radiusAccClientResponses [Counter32] (.8) radiusAccClientMalformedResponses [Counter32] (.9) radiusAccClientBadAuthenticators [Counter32] (.10) radiusAccClientPendingRequests [Gauge32] (.11) radiusAccClientTimeouts [Counter32] (.12) radiusAccClientUnknownTypes [Counter32] (.13) radiusAccClientPacketsDropped [Counter32] (.67) radiusMIB (.2) radiusAccounting (.2) radiusAccClientMIB (.1) radiusAccClientMIBObjects (.1) radiusAccClient (.1) radiusAccClientInvalidServerAddresses [Counter32] (.2) radiusAccClientIdentifier [SnmpAdminString] (.3) radiusAccServerTable [Sequence] (.1) radiusAccServerEntry [Entry] (.1) radiusAccServerIndex [Integer32] (.2) radiusAccServerAddress [IpAddress] (.3) radiusAccClientServerPortNumber [Integer32] (.4) radiusAccClientRoundTripTime [TimeTicks] (.5) radiusAccClientRequests [Counter32] (.6) radiusAccClientRetransmissions [Counter32] (.7) radiusAccClientResponses [Counter32] (.8) radiusAccClientMalformedResponses [Counter32] (.9) radiusAccClientBadAuthenticators [Counter32] (.10) radiusAccClientPendingRequests [Gauge32] (.11) radiusAccClientTimeouts [Counter32] (.12) radiusAccClientUnknownTypes [Counter32] (.13) radiusAccClientPacketsDropped [Counter32] * Requests = Responses + PendingRequests + ClientTimeouts * Successfully received = Responses - MalformedResponses - BadAuthenticators - UnknownTypes - PacketsDropped * Requests = Responses + PendingRequests + ClientTimeouts * Successfully received = Responses - MalformedResponses - BadAuthenticators - UnknownTypes - PacketsDropped

67 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview List of standard attributes (I) (*) An Access-Request MUST contain either a User-Password or a CHAP- Password or State. An Access-Request MUST NOT contain both a User-Password and a CHAP- Password (**) An Access-Request and an Account-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both) No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific ones.

68 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview List of standard attributes (II) (***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attribute MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP- Message attribute it MUST also contain a Message-Authenticator.

69 All Rights Reserved © Alcatel-Lucent | RADIUS protocol Overview (****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access- Request packet, if the NAS differentiates among its ports. NAS- Port-Id is intended for use by NASes which cannot conveniently number their ports. (-) Can be included in packet type 42=Disconnect-Nak or 45= CoA-Nak Access- Request Access- Accept Access- Reject Access- Chall. Acct- Request # AttributeRFC's ARAP-Challenge-Response Acct-Interim-Interval Acct-Tunnel-Packets-Lost NAS-Port-Id (****) Framed-Pool Chargeable-User-Id Tunnel-Client-Auth-ID Tunnel-Server-Auth-ID Nas-Filter-Rule NAS-IPv6-Address Framed-Interface-Id Framed-IPv6-Prefix Login-IPv6-Host Framed-IPv6-Route Framed-IPv6-Pool Error Cause Digest-Response Digest-Realm Digest-Nonce Digest-Response-Auth Digest-Nextnonce Digest-Method Digest-URI Digest-Qop Digest-Algorithm Digest-Entity-Body-Hash Digest-CNonce Digest-Nonce-Count Digest-Username Digest-Opaque Digest-Auth-Param Digest-AKA-Auts Digest-Domain Digest-Stale Digest-HA SIP-AOR Delegated-IPv6-Prefix4818


Download ppt "Introduction to the RADIUS protocol. All Rights Reserved © Alcatel-Lucent 2007 2 | RADIUS protocol Overview Module Objetives Identify the elements and."

Similar presentations


Ads by Google