
1 Introduction to the RADIUS protocol

2 Module Objectives
All Rights Reserved © Alcatel-Lucent 2007 | RADIUS protocol Overview
- Identify the elements and architecture of remote access to networks
- Understand the way the RADIUS protocol works
- Get to know the attributes that control different types of access technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc.)
- Learn how attributes and RADIUS packets are coded, and the purpose of a dictionary
- Cover the standard statistical information provided over SNMP
- View the extensions added to the RADIUS protocol

3 AAA
- Authentication: verify that a user really is who (s)he claims to be
  - Password, token cards, calling number, X.509 digital certificate, SIM card, etc.
- Authorization: check that the user can access the service (s)he is trying to use
  - Checking against a database, a file, etc. what the user can do, and restricting his/her access to the network
- Accounting: write down what the user has done during his connection
  - Connection time, bytes sent/received, access service, etc.
  - To get statistics about user accesses, billing, etc.

4 Switched connection diagram
[Diagram: User, Modem, PSTN, NAS/RAS, Router, Internet and Web Server; the NAS/RAS sits at the ISP POP (Point of Presence) and talks to the RADIUS AAA server, which is backed by the user DB. Protocol layers shown: PPP (user to NAS) and IP.]

5 Different ways for the AAA
- Local accounts in the NAS/RAS
  - Only valid for a small number of users
  - Not valid if any user can connect at any NAS: we would have to provision all users in all NASs
- Proprietary software between the NAS and an external server
- RADIUS protocol
  - RADIUS lets a NAS ask a server that holds centralized information about all users
  - Or its evolution: Diameter NASREQ application
- TACACS protocol (TACACS, TACACS+, XTACACS)
  - Not widely implemented, apart from Cisco

6 RADIUS: Basic Principles
- RADIUS is not the server itself, but the protocol to exchange information
- Protocol to communicate between:
  - a RADIUS client, typically the NAS (= Network Access Server)
  - a remote AAA server
- Standardized by the IETF (Internet Engineering Task Force) in several RFCs: 2865 & 2866
  - And enhanced in RFCs 2867, 2868 & 2869, 3576...
- Adopted by all vendors of access devices, as almost the only standard for AAA
- RADIUS stands for: Remote Authentication Dial-In User Service

7 Authentication DataFlow
[Diagram: the user dials the modem pool and establishes a connection to the NAS (UserID: bob, Password: ge55gep); the NAS queries the RADIUS server, which looks the user up in the users database; the PPP connection is then established with Framed-Address=217.213.21.5.]
- NAS -> RADIUS server: Access-Request
  User-Name: bob
  Password: ge55gep
  NAS-IP: 207.12.4.1
- RADIUS server -> Users Database: Select UserID=bob
  Record returned: Bob, password=ge55gep, Timeout = 3600, [other attributes]
- RADIUS server -> NAS: Access-Accept
  Framed-IP-Address=217.213.21.5
  Session-Timeout=3600
  [other attributes]

8 Accounting DataFlow (Start)
[Diagram: NAS, RADIUS server and ISP accounting database; the PPP session is up.]
- NAS -> RADIUS server: Account-Request
  Acct-Status-Type = Start
  User-Name = bob
  Framed-Address = 217.213.21.5
  …
- RADIUS server -> NAS: Acknowledgement
- The Accounting Start Record, as written in the ISP accounting database:
  Sun May 10 20:47:41 1998
  Acct-Status-Type = Start
  User-Name = bob
  Framed-Address = 217.213.21.5
  …

9 Accounting DataFlow (Stop)
[Diagram: NAS, RADIUS server and ISP accounting database; the user disconnects.]
- NAS -> RADIUS server: Account-Request
  Acct-Status-Type = Stop
  User-Name = bob
  Acct-Session-Time = 1432
  …
- RADIUS server -> NAS: Acknowledgement
- The Accounting Stop Record, as written in the ISP accounting database:
  Sun May 10 20:50:49 1998
  Acct-Status-Type = Stop
  User-Name = bob
  Acct-Session-Time = 1432
  …

10 Fault Tolerance
- Based on retransmissions by the RADIUS client

RADIUS servers list in the NAS:
  #   Authentication  Accounting  Auth_Timer  Acct_Timer
  1)  10.0.1.1        10.0.1.3    3           10
  2)  10.0.1.2        10.0.1.4    3           10
  3)  10.0.1.3        10.0.1.5    3           10

[Diagram: the NAS tries 10.0.1.1, 10.0.1.2 and 10.0.1.3 in turn.]
1. The NAS selects the first RADIUS server on the list
2. The first RADIUS server replies, but the router drops the reply
3. The NAS selects the second RADIUS server
4. The request does not get to the RADIUS server
5. The NAS selects the third RADIUS server
6. The reply is received and the transaction ends

* The retransmission strategy is not standardized:
  * some NASs fail over to another RADIUS server as soon as a timeout occurs
  * some NASs retry 1 or 2 times to the same RADIUS server before failing over

11 Information from NAS -> server for authentication
- Information related to the RADIUS client (NAS): NAS-IP-Address, or a unique identification (NAS-Id)
- Information to authenticate the connecting user: User-Name & Password
- Information about the connection itself (for authorization):
  - Calling number, called number (or APN for GPRS/UMTS)
  - Modem/port taking the connection (NAS-Port)
  - Type of session (PPP, SLIP, ...)
  - Type of connection (POTS, ISDN, ADSL, UMTS, GPRS, etc.)

12 Authentication process in the server (I)
1.- Decode the user's password (it travels encrypted), using the "shared secret key" known by both client and server
2.- Search the user connection profile in:
  - Plain text file
  - External SQL database
  - LDAP server
  - /etc/passwd file in UNIX
  - User accounts in Windows Domains
  - Etc.
3.- Authenticate the user

13 Authentication process in the server (& II)
4.- Optionally, check extra data (check-items):
  - Type of connection (POTS, ISDN, ADSL, cable, UMTS, etc.)
  - Time of day
  - Calling number, called number
  - etc.
5.- Send Accept/Reject to the NAS with the right attributes for this user session (reply-items):
  - Idle and session timeout
  - IP filters for this user
  - Indication of the IP address to assign to the user
  - For ISDN, max. number of channels to bond together (MLPPP)
  - etc.

14 Communication UDP ports
- Communication between client and server is done over UDP/IP
- RADIUS authentication and accounting servers listen on 2 different ports
  - Servers can listen on any port, but it is advisable to use the standard ones (defined in the RFCs)
- RADIUS clients can send requests from any source UDP port they have available; this is not limited in the RFCs
  - All requests need not come from the same port, and usually don't
  - Though NASs can be configured to send all requests with the same source UDP port; only advisable for firewall restrictions

UDP Ports        New   Old
Authentication   1812  1645
Accounting       1813  1646

15 Why UDP? (RFC 2865)
- In RADIUS the retransmission feature provided by TCP is not necessary
  - If the client doesn't get an answer, it sends another request to a secondary server
  - The response to a retransmitted TCP request could arrive too late
- Simplifies server implementation, especially for multi-threaded servers
- Reduces network traffic
  - UDP has less overhead than TCP
  - UDP need not establish a session before sending data

16 PPP overview and traditional authentication methods
- The Point-to-Point Protocol (PPP) allows sending several protocols above its headers
- The establishment of the PPP link requires certain handshaking:
  - LCP - Link Control messages: to determine MLPPP, the MTU, and to decide the authentication algorithm for the user
  - Authentication - It will depend on the protocol used: PAP, CHAP, MS-CHAPv2, EAP. During this stage, the RADIUS server is contacted by the NAS
  - NCP - Network Control Protocol, to negotiate extra parameters:
    - IPCP, the IP address assigned to the user
    - CCP, if the data is going to be compressed
    - ECP, if the data is going to be encrypted

17 Password Authentication Protocol (PAP)
- The password travels in the clear (unencrypted)
- The password can be stored hashed in the RADIUS server
- User credentials are verified only once, at the beginning of the connection

Message flow (Initiator = user, Responder = NAS):
  Initiator -> Responder: PAP-Auth-Request #1 (Name=jsmith, Passwd=red)
  Responder -> RADIUS server: Access-Request (User-Name=jsmith, User-Password=red)
  RADIUS server -> Responder: Access-Accept or Access-Reject
  Responder -> Initiator: PAP-Auth-Success #1 (Message="00") or PAP-Auth-Failure #1 (Message="Incorrect Password")

18 Challenge Handshake Authentication Protocol (CHAP)
- The user password is hashed using MD5 together with a random challenge generated by the NAS (PPP responder)
- The password cannot be stored hashed in the RADIUS server
- Optionally, the user can be authenticated several times during the lifetime of the session

Message flow (Initiator = user, Responder = NAS):
  Responder -> Initiator: CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value=0c7d203....a8, Name=tnt2)
  Initiator -> Responder: Auth-Response #1 (Chall. Length=16, Value=016b89....91, Name=john)
  Responder -> RADIUS server: Access-Request (User-Name=john, CHAP-Password=016b89..91, [CHAP-Challenge*=0c7d203...a8])
  RADIUS server -> Responder: Access-Accept or Access-Reject
  Responder -> Initiator: CHAP-Auth-Success #1 (Message="00") or CHAP-Auth-Failure #1 (Message="Incorrect Password")

19 LCP handshaking
- In the LCP handshaking, the user and the NAS determine the authentication protocol to use:
  - The user may accept the proposal from the server
  - The user may reject the server proposal, and expect to receive a new proposal

Message flow between Initiator and Responder/Authenticator, proposal rejected:
  Config-Request #1 (MRU=1524, auth=PAP, ...)
  Config-Reject #1 (auth=PAP)
  Config-Request #2 (MRU=1524, auth=CHAP/MD5)
  Config-Ack #2 (MRU=1524, auth=CHAP/MD5)
Proposal accepted:
  Config-Request #1 (MRU=1524, auth=PAP, ...)
  Config-Ack #2 (MRU=1524, auth=PAP, ...)

20 Hashing of password
- The user password can only be hashed once (MD5, SHA1, etc.), either at database storage or when the user transmits it, as the hash algorithms are not reversible
- However, passwords can be stored encrypted (3DES, AES, …)

Which combinations work (rows: password typed in this connection attempt, sent from the NAS; columns: password provisioned for this user, read from the database, text file, ...):

  Auth. algorithm used                      | Stored in the users database (text file, SQL, LDAP, etc.)
                                            | In the clear | Hashed (MD5, SHA1)
  PAP, telnet/SSH... {User-Password(2)}     | OK           | OK
  CHAP, EAP-MD5... {CHAP-Password(3), ...}  | OK           | X

21 RADIUS packet format
  Bytes    Field
  1        Type (code)
  2        Identifier
  3-4      Length
  5-20     Authenticator
  21-...   Attributes

- Identifier: identifies the packet, along with the source IP address and UDP port. Used to detect duplicate packets
- Authenticator:
  - In auth requests: to encrypt the user password using the shared secret key (usually a random value)
  - In replies and accounting: to authenticate the message itself. Similar to a digital signature
- Length: length of the RADIUS packet, 20 < length < 4096 bytes

22 RADIUS packet types (RFC 2865)
- Access-Request (1) - Authentication requests from the NAS to the server
- Access-Accept (2) - Response from the server to the NAS accepting the user session
- Access-Reject (3) - Response from the server to the NAS rejecting the user session
- Access-Challenge (11) - Request from the server to the NAS, asking for additional info from the user. Used with token/crypto cards, and for EAP
- Account-Request (4) - The NAS sends accounting information to the server
- Account-Response (5) - The server ACKs the acct packet to the NAS

23 Authenticator field in auth
- The Authenticator field serves 2 purposes, depending on whether the packet is a request or an accept/reject:
  - Encryption of some attributes: User-Password
  - Server authentication
[Diagram, Access-Request: the client takes a random number as the Request Authenticator, hashes (MD5) the shared key together with it and XORs the result with the clear-text PAP password to produce the User-Password attribute. The server hashes (MD5) the shared key with the received Request Authenticator and XORs the result with User-Password to recover the clear password.]
[Diagram, Access-Accept/Reject: the server hashes (MD5) the response packet (without authenticator), the Request Authenticator and the shared key, and puts the result in the Authenticator field. The client computes the same hash. Match? Server authenticated. No match? Discard the packet.]

24 Authenticator field in acct
- For accounting the authenticator only provides authentication of client and server, similar to a digital signature
[Diagram, Account-Request: the client hashes (MD5) the acct packet (without authenticator) with the shared key and puts the result in the Authenticator field. The server recomputes the hash. Match? Client authenticated. No match? Discard the packet.]
[Diagram, Account-Response: the server hashes (MD5) the acct response packet (without authenticator), the Request Authenticator and the shared key. The client recomputes the hash. Match? Authenticated. No match? Discard the packet.]
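The arithmetic behind slides 23 and 24, written out as an added example (not code from the original presentation): RFC 2865 User-Password hiding and Response Authenticator checking, and the RFC 2866 Account-Request authenticator. The shared secret, identifiers, attribute values and the fixed Request Authenticator are constructed for the demo; a real NAS draws the Request Authenticator at random for every request.

```python
# Authenticator arithmetic from slides 23 and 24 (RFC 2865 / RFC 2866).
# Added example, not part of the original presentation. SECRET and the fixed
# REQ_AUTH are constructed for the demo; a real NAS draws REQ_AUTH at random.
import hashlib
import hmac
import struct

SECRET = b"demo-shared-secret"   # constructed
REQ_AUTH = bytes(range(16))      # constructed; 16 random bytes in practice


def build_packet(code: int, ident: int, authenticator: bytes, attributes) -> bytes:
    """Slide 21 layout: Code, Identifier, Length, 16-byte Authenticator, then
    type/length/value attributes (slide 39 layout; length counts its 2 header bytes)."""
    if len(authenticator) != 16:
        raise ValueError("Authenticator must be 16 bytes")
    body = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value must fit in 253 octets")
        body += bytes([attr_type, len(value) + 2]) + value
    if 20 + len(body) > 4096:
        raise ValueError("RADIUS packets are limited to 4096 octets")
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Slide 23, request side: pad the clear PAP password to a multiple of 16 and
    XOR each block with MD5(secret + previous block), the first 'previous block'
    being the Request Authenticator. Hence User-Password is >= 16 bytes (slide 39)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    padded = password + bytes(-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                      # chain on the ciphertext block
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Slide 23, server side: regenerate the keystream and XOR back. NUL padding is
    stripped, so a password ending in NUL bytes cannot be told apart from padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Slide 23, Access-Accept/Reject: MD5(Code+ID+Length, Request Authenticator, attributes, secret)."""
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()

def acct_request_authenticator(acct_req: bytes, secret: bytes) -> bytes:
    """Slide 24, Account-Request: same construction with 16 zero bytes in the authenticator slot."""
    return hashlib.md5(acct_req[:4] + bytes(16) + acct_req[20:] + secret).digest()

def sign_reply(code, ident, attributes, request_auth: bytes, secret: bytes) -> bytes:
    draft = build_packet(code, ident, bytes(16), attributes)
    return draft[:4] + response_authenticator(draft, request_auth, secret) + draft[20:]

def sign_acct_request(ident, attributes, secret: bytes) -> bytes:
    draft = build_packet(4, ident, bytes(16), attributes)
    return draft[:4] + acct_request_authenticator(draft, secret) + draft[20:]

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side 'Match?' of slide 23: constant-time compare; False means discard."""
    if len(reply) < 20:
        return False
    return hmac.compare_digest(reply[4:20], response_authenticator(reply, request_auth, secret))

def verify_acct_request(acct_req: bytes, secret: bytes) -> bool:
    """Server-side 'Match?' of slide 24 for an Account-Request (code 4)."""
    if len(acct_req) < 20 or acct_req[0] != 4:
        return False
    return hmac.compare_digest(acct_req[4:20], acct_request_authenticator(acct_req, secret))

def demo() -> dict:
    """The slide-7 exchange for user bob, plus a tampered reply and a wrong-secret case."""
    hidden = hide_password(b"ge55gep", SECRET, REQ_AUTH)
    request = build_packet(1, 1, REQ_AUTH, [(1, b"bob"), (2, hidden)])
    accept = sign_reply(2, 1, [(27, struct.pack("!I", 3600))], REQ_AUTH, SECRET)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # flip a bit of Session-Timeout
    acct = sign_acct_request(7, [(40, struct.pack("!I", 1)), (1, b"bob")], SECRET)
    return {"request_len": len(request),
            "revealed": reveal_password(hidden, SECRET, REQ_AUTH),
            "accept_ok": verify_reply(accept, REQ_AUTH, SECRET),
            "tampered_ok": verify_reply(tampered, REQ_AUTH, SECRET),
            "acct_ok": verify_acct_request(acct, SECRET),
            "acct_wrong_secret_ok": verify_acct_request(acct, b"other-secret")}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A NAS that skips the `verify_reply` step accepts any Access-Accept a spoofer can send to its UDP port, which is why the "Discard packet" box on slide 23 matters as much as the password hiding.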

25 Example of successful auth: Dial-in user with PAP
[Diagram: POTS modem -> PSTN -> RADIUS client (NAS) -> IP -> RADIUS server]
Access-Request (1) - ID=1
  User-Name (1) = "pepe"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 255.255.255.254
  Framed-IP-Netmask (9) = 255.255.255.255
  Framed-Routing (10) = None (0)
  Framed-Compression (13) = VJ TCP/IP (1)
  Framed-MTU (12) = 1500
  Session-Timeout (27) = 7200

26 Example of a PPPoA (ADSL) connection
[Diagram: PPPoA client -> ADSL line -> DSLAM -> ATM -> RADIUS client (BRAS) -> IP -> RADIUS server]
Access-Request (1) - ID=1
  User-Name = "user11@aunadsl"
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 1.2.3.4
  NAS-Port = 3329
  Ascend-NAS-Port-Format = 2_4_5_5
  NAS-Port-Type = Sync
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Session-Id = "483015958"
Access-Accept (2) - ID=1
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Ascend-Source-IP-Check = Source-IP-Check-Yes
  Ascend-IP-Source-If = "sip100"
  Framed-Pool = 1
  Filter-Id = Foo
  Ascend-Filter-Required = Required-Yes
Note: for ADSL with PPPoA, there is no Called-Station-Id or Calling-Station-Id. For PPPoE, they carry the Ethernet MAC addresses.

27 Example of a UMTS/GPRS connection
[Diagram: Node B -> RNC -> SGSN -> RADIUS client (GGSN) -> IP -> RADIUS server]
Note: the APN is sent in Called-Station-Id. It is used for the user to select the GGSN.
Access-Request (1) - ID=1
  NAS-Identifier (32) = "B-CER1N-GGSN2"
  User-Name (1) = "WAPTM"
  User-Password (2) = "§oà\009KFÏ\020#\145+\146®îf"
  NAS-Port-Type (61) = Virtual (5)
  Calling-Station-Id (31) = "34679912214"
  Called-Station-Id (30) = "wap.movistar.es"
  Acct-Session-Id (44) = "646704d51e069701"
Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 10.11.12.13
  Framed-IP-Netmask (9) = 255.255.255.255
  Session-Timeout (27) = 7200
  Idle-Timeout (28) = 3600

28 Example for CDMA2000 1xEVDO (HRPD): AN-AAA (A12 interface)
- The A12 interface (AN - AAA) is used:
  - to perform access authentication (with CHAP) of the AT device by the AN. The User-Name is the IMSI of the SIM card (MCC, MNC, MN_ID)
  - to return the MN ID (e.g. IMSI) that is used on the A8/A9 and A10/A11 interfaces. This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and cdma2000 systems
- Reference: IS-878
[Diagram: AT (Access Terminal) -> BS (Base Station) -> RNC/PCF (BS Controller) -> A8/A9, A10/A11 -> PDSN (Packet Data Serving Node); PPP runs between AT and PDSN]
Access-Request
  User-Name = 260071234567890@cdma1.com
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 192.168.20.2
  3GPP2-HRPD-Access-Authentication = True
  3GPP2-AT-Hardware-Id = 012…9012
Access-Accept (2)
  Callback-Id (20) = 0260071234567890

29 Example for CDMA2000 1xEVDO (HRPD): PDSN-AAA for Simple IP
- The PDSN is the classical PPP server
- The AAA server might return 1 IPv4 and/or 1 IPv6 address for the user to choose, or the PDSN will select one from a local pool
- New Access-Requests are sent when the AT hands off between PCFs; they are correlated to the current session with the 3GPP2-Correlation-Id AVP
- Reference: IS-835
[Diagram: AT (Access Terminal) -> BS (Base Station) -> RNC/PCF (BS Controller) -> A10/A11 -> PDSN (Packet Data Serving Node); PPP runs between AT and PDSN]
Access-Request
  User-Name = john@cdma1.com
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 192.168.30.3
  NAS-Port-Type = Wireless-1X-EV
  3GPP2-Correlation-Id = 1234
  Calling-Station-Id = 0260071234567890
Access-Accept
  [Framed-IP-Address = 10.1.2.3]
  Session-Timeout = 7200

30 Example of pre-auth followed by PPP negotiation
- The pre-auth is done before the NAS takes the call off-hook
  - Requires ISDN signalling (Q.931), or SS7 with a Softswitch (MGC)
- The server decides whether to allow or refuse taking the call off-hook based on the calling number (CLID) or the called number (DNIS)
- PPP users normally must also do PPP authentication (PAP, CHAP, etc.) later
[Diagram: PSTN -> NAS -> IP -> RADIUS server]
Access-Request (1) - ID=127
  User-Name (1) = "909390390"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 909390390
  Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=127
  Ascend-Require-Auth (26->529(201)) = Require-Auth (1)

31 Example of pre-auth for dataphones (PoS)
- The RADIUS server instructs the NAS how to handle this call, and even what modulation to use, before taking the call off-hook
- The bank system has an X.25 network
[Diagram: PSTN -> NAS -> IP -> RADIUS server; NAS -> PAD -> X.25 -> Bank]
Access-Request (1) - ID=10
  User-Name (1) = "090"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 090
  Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=10
  User-Name = "PoS"
  Service-Type = Login
  Login-Service = TCP-clear
  Login-IP-Host = 192.168.20.4
  Login-TCP-Port = 8419
  Ascend-AT-Answer-String = "&t4s18=15+MS=1 &g2S220=11S221=50S10=3"

32 Example of proxy-radius
- A RADIUS server redirects the request to a remote server, based on Called-Station-Id or the user realm
[Diagram: NAS -> IP -> Forwarding Server -> IP -> Remote Server]
1. NAS -> Forwarding Server: Access-Request (1) - ID=100
  User-Name (1) = "pepe@realm1"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 27
2. Forwarding Server -> Remote Server: Access-Request (1) - ID=200
  User-Name (1) = "pepe@realm1"
  User-Password (2) =
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 27
  [Proxy-State (33) = 11379994]
3. Remote Server -> Forwarding Server: Access-Accept (2) - ID=200
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  [Proxy-State (33) = 11379994]
4. Forwarding Server -> NAS: Access-Accept (2) - ID=100
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 198.197.196.195
  Framed-IP-Netmask (9) = 255.255.255.255
  Session-Timeout (27) = 36000

33 Example of PPP tunneling
- Attribute coding as in RFC 2868 (tagged)
[Diagram: POTS modem -> POTS -> RADIUS client / Tunnel client (LAC) -> public IP network -> Tunnel servers (LNS) at 1.1.1.1 and 2.2.2.2 -> Intranet with the corporate RADIUS server; the LAC queries the public RADIUS server]
Access-Request (1) - ID=8
  User-Name (1) = "pepe@tunnel"
  CHAP-Password (3) = 5E%&gn)8
  CHAP-Challenge (60) = A0B1...23
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=8
  Tunnel-Type (64) = L2TP : 1
  Tunnel-Medium-Type (65) = IPv4
  Tunnel-Server-Endpoint (67) = 1.1.1.1 : 1
  Tunnel-Password (69) = loloaqic : 1
  Tunnel-Type (64) = PPTP : 2
  Tunnel-Server-Endpoint (67) = 2.2.2.2 : 2
  Tunnel-Password (69) = itsAsecret : 2

34 Example for IPsec authentication: X-auth over IKE with Lucent Brick-LSMS
- Example with IKE authentication of the tunnel endpoints with a pre-shared key
- User authentication with X-auth, using login/password
[Diagram: IPsec client (= user) -> X-auth in IKE -> IPsec server (Lucent Brick) 135.88.101.91; RADIUS client (LSMS) 135.88.101.111 -> RADIUS server]
Access-Request (1) - ID=150
  User-Name (1) = "usu1"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 135.88.101.111
  Called-Station-Id (30) = 135.88.101.91
  Service-Type (6) = Authenticate-Only (8)
  NAS-Port-Type (61) = Virtual (5)
Access-Accept (2) - ID=150
  Session-Timeout (27) = 86400
  Idle-Timeout (28) = 3600
  [Connect-Info (77) = user_group1]
  [Framed-IP-Address (8) = 135.88.101.222]

35 Authentication for device administration
- Example with Lucent TAOS
[Diagram: administrator host 1.2.3.4 -> telnet -> TNT2 -> IP -> RADIUS server]
Access-Request (1) - ID=10
  User-Name (1) = "amdinuser"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 0
  NAS-Port-Type (61) = Virtual (5)
  Service-Type (6) = Administrative (6)
  [Calling-Station-Id = 1.2.3.4]
Access-Accept (2) - ID=10
  Service-Type (6) = Administrative (6)
  Ascend-Telnet-Profile (26->529:91) = Admin

36 Example of failed authentication: Crypto-Card (Challenge-Response)
[Diagram: user -> PSTN -> NAS -> IP -> RADIUS server; the RADIUS server talks to the Token Card Server over a proprietary protocol (steps 2 and 3)]
1. NAS -> RADIUS server: Access-Request (1) - ID=2
  User-Name (1) = "mycard"
  User-Password (2) =
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 27
2.-3. RADIUS server <-> Token Card Server (proprietary protocol)
4. RADIUS server -> NAS: Access-Challenge (11) - ID=2
  Reply-Message (18) = Challenge:12345678
  State (24) = 13579
  Prompt (76) = Echo (1)
  Session-Timeout (27) = 120
5. NAS -> user: Challenge: 12345678
6. User -> NAS: Response: 24058419
7. NAS -> RADIUS server: Access-Request (1) - ID=3
  User-Name (1) = "mycard"
  User-Password (2) = 24058419
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 27
  State (24) = 13579
8. RADIUS server -> NAS: Access-Reject (3) - ID=3
  Reply-Message (18) = Invalid Credentials

37 Digest Authentication for HTTP/SIP (I) (RFC 4590)
- Example to authenticate & authorize every VoIP call (INVITE)
- The authentication could also be done only during registration
[Diagram: SIP UA (AOR: 123@example.com) -> SIP proxy server (RADIUS client) -> RADIUS server with users database; called SIP UA (AOR: 987@example.com)]
SIP UA -> SIP proxy: INVITE (From: / To: headers)
SIP proxy -> SIP UA: 100 TRYING
SIP proxy -> RADIUS server: Access-Request
  User-Name = 123
  NAS-IP-Address = 192.0.2.38
  NAS-Port-Type = Virtual
  Digest-Method = INVITE
  Digest-URI = sip:987@example.com
  Message-Authenticator = 08…8043
RADIUS server -> SIP proxy: Access-Challenge
  Digest-Nonce = 3bada1a0
  Digest-Realm = example.com
  Digest-Qop = auth
  Digest-Algorithm = MD5
  Message-Authenticator = f8…da40
  State = 27
SIP proxy -> SIP UA: 407 Proxy Authentication Required
  Proxy-Authenticate: Digest realm="example.com", nonce="3bada1a0", qop=auth, algorithm=MD5
  Content-Length: 0
SIP UA -> SIP proxy: ACK

38 Digest Authentication for HTTP/SIP (II) (RFC 4590)
SIP UA -> SIP proxy: INVITE (From: / To: headers)
  Proxy-Authorization: Digest username="123", realm="example.com", response="f3c…97a4", algorithm="md5", nonce="3bada1a0", uri="sip:987@example.com", qop=auth, algorithm=MD5
SIP proxy -> RADIUS server: Access-Request
  User-Name = 123
  NAS-IP-Address = 192.0.2.38
  NAS-Port-Type = Virtual
  Digest-Method = INVITE
  Digest-URI = sip:987@example.com
  SIP-AOR = sip:123@example.com
  Digest-Username = 123
  Digest-Realm = example.com
  Digest-Response = f3c…97a4
  Digest-Cnonce = 0a7e75c4
  Digest-Nonce-Count = 1
  Digest-Algorithm = md5
  Digest-Nonce = 3bada1a0
  Digest-Qop = auth
  Message-Authenticator = ff…e0ff
  State = 27
RADIUS server -> SIP proxy: Access-Accept
  Digest-Response-Auth = 63…e954
  Digest-Nextnonce = fd0a…8765
  Message-Authenticator = 75…aaf1
* NOTE: the next authentication for this user could save a round-trip if the RADIUS client uses the Digest-Nextnonce to challenge the user
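The check the RADIUS server performs on the slide-38 Access-Request, as an added example that is not part of the original presentation. RFC 4590 carries the RFC 2617 digest parameters as attributes, so the server recomputes the Digest-Response from its stored H(A1) and, on success, returns Digest-Response-Auth. All values except the password are taken from slides 37 and 38; the password is constructed, so the computed response is not the slide's "f3c…97a4", and the list of checks (own nonce, own realm, qop/algorithm as challenged, Digest-Username matching User-Name) is this example's own policy.

```python
# Digest verification behind slide 38 (RFC 4590 attributes, RFC 2617 arithmetic).
# Added example, not part of the original presentation. Only the password is
# constructed; nonce, cnonce, realm, URI and method are the slide's values.
import hashlib
import hmac
from typing import Optional

REALM = "example.com"
ISSUED_NONCE = "3bada1a0"          # sent in the slide-37 Access-Challenge, tied to State=27
DEMO_PASSWORD = "correct-horse"    # constructed; not on the slide


def _md5_hex(*parts: str) -> str:
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password); the users database can hold this
    value instead of the clear password."""
    return _md5_hex(username, realm, password)

def digest_response(h_a1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617, qop=auth: MD5(H(A1):nonce:nc:cnonce:qop:H(A2)), H(A2) = MD5(method:uri)."""
    return _md5_hex(h_a1, nonce, nc, cnonce, qop, _md5_hex(method, uri))

def digest_response_auth(h_a1: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Digest-Response-Auth ('rspauth') for the Access-Accept: same formula with an
    empty method, H(A2) = MD5(:uri), so the UA can check the server in turn."""
    return _md5_hex(h_a1, nonce, nc, cnonce, qop, _md5_hex("", uri))

def ua_request(password: str, nonce: str = ISSUED_NONCE) -> dict:
    """The slide-38 Access-Request as relayed by the SIP proxy after the UA answered
    the 407; only Digest-Response is computed here, from the UA's password."""
    nc = "00000001"                    # the slide prints Digest-Nonce-Count as 1
    attrs = {
        "User-Name": "123", "NAS-IP-Address": "192.0.2.38", "NAS-Port-Type": "Virtual",
        "Digest-Method": "INVITE", "Digest-URI": "sip:987@example.com",
        "SIP-AOR": "sip:123@example.com", "Digest-Username": "123",
        "Digest-Realm": REALM, "Digest-Cnonce": "0a7e75c4", "Digest-Nonce-Count": nc,
        "Digest-Algorithm": "md5", "Digest-Nonce": nonce, "Digest-Qop": "auth",
    }
    attrs["Digest-Response"] = digest_response(
        ha1("123", REALM, password), "INVITE", attrs["Digest-URI"], nonce, nc, attrs["Digest-Cnonce"])
    return attrs

def verify_request(attrs: dict, stored_ha1: str, issued_nonce: str) -> Optional[dict]:
    """RADIUS-server side: the Access-Accept digest attributes, or None for an Access-Reject."""
    required = ("Digest-Username", "Digest-Realm", "Digest-Method", "Digest-URI", "Digest-Nonce",
                "Digest-Nonce-Count", "Digest-Cnonce", "Digest-Qop", "Digest-Response")
    if any(k not in attrs for k in required):
        return None
    # Accept only the nonce this server issued (State links challenge and answer), our
    # realm, and the qop/algorithm we challenged with; anything else is a reject.
    if attrs["Digest-Nonce"] != issued_nonce or attrs["Digest-Realm"] != REALM:
        return None
    if attrs["Digest-Qop"] != "auth" or attrs.get("Digest-Algorithm", "md5").lower() != "md5":
        return None
    if attrs["Digest-Username"] != attrs.get("User-Name"):   # both are 123 on the slide
        return None
    nonce, nc, cnonce, uri = (attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
                              attrs["Digest-Cnonce"], attrs["Digest-URI"])
    expected = digest_response(stored_ha1, attrs["Digest-Method"], uri, nonce, nc, cnonce)
    if not hmac.compare_digest(expected, attrs["Digest-Response"].lower()):
        return None
    return {"Digest-Response-Auth": digest_response_auth(stored_ha1, uri, nonce, nc, cnonce)}

def demo() -> dict:
    stored = ha1("123", REALM, DEMO_PASSWORD)        # what the users database holds
    return {
        "good": verify_request(ua_request(DEMO_PASSWORD), stored, ISSUED_NONCE),
        "wrong_password": verify_request(ua_request("guess"), stored, ISSUED_NONCE),
        "stale_nonce": verify_request(ua_request(DEMO_PASSWORD, nonce="deadbeef"), stored, ISSUED_NONCE),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'Access-Accept ' + str(result) if result else 'Access-Reject'}")
```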

39 Main attributes (I) (RFC 2865)
Attribute layout: Attrib. ID (1 byte) | Attrib. length (1 byte) | Attrib. value (...)
- User-Name (1) - Mandatory in Access-Request & Acct-Request
  - The server may send it back in the Access-Accept, so that the NAS uses this new User-Name in Acct-Request packets
- User-Password (2) - Encrypted password with PAP authentication
  - Minimum length: 16 bytes (due to the encryption algorithm)
  - Only in Access-Request
  - Also carries the characters typed by the user after an Access-Challenge
- CHAP-Password (3) - Encrypted password with CHAP authentication

40 Main attributes (II) (RFC 2865)
- CHAP-Challenge (60) - Challenge sent from the NAS to the user for CHAP authentication
  - Optionally, this CHAP challenge can be sent in the authenticator field
- NAS-IP-Address (4) - IP address of the RADIUS client
- NAS-Port (5) - Physical port (modem) in the NAS processing the connection
  - If there is no physical modem, this number is virtual (a sequence number)
- Service-Type (6) - Type of service the user is requesting (Access-Request), or (s)he is allowed to have (Access-Accept):
  - Login (1): the user is doing a telnet (TCP connection) to a host
  - Framed (2): usually, a PPP session with an IP address
  - Callback Login (3), Callback Framed (4)
  - Administrative (6): to manage a NAS via telnet
  - Call-Check (10): for pre-authentication

41 Main attributes (III) (RFC 2865)
- Framed-Protocol (7): when Service-Type=Framed: PPP (1), SLIP (2), etc.
- Framed-IP-Address (8): IP address to assign to the user. Can be:
  - A regular IP address
  - Special addresses meaning:
    - 255.255.255.254 = the NAS dynamically assigns one from any pool
    - 255.255.255.255 = the user may choose his/her IP address
- Framed-IP-Netmask (9): usually 255.255.255.255 (1 IP address)
- Framed-Routing (10): used for modem-routers talking RIP: None (0), Send routing packets (1), Listen for routing packets (2), Send and Listen (3)
- Filter-Id (11) - Name of the filter to apply to the user
  - This filter name must be defined in the NAS or with a VSA

42 Main attributes (IV) (RFC 2865)
- Framed-MTU (12) - Maximum Transmission Unit for layer 2
- Framed-Compression (13): VJ TCP/IP header compression for PPP (1)
- Login-IP-Host (14): in the Access-Accept, the server tells the NAS the IP address of the host to establish a TCP connection to. Used when Service-Type=Login
- Login-Service (15) - When Service-Type=Login: Telnet (0), Rlogin (1), TCP Clear (2), etc.
- Reply-Message (18) - For an Access-Challenge, the message to show to the user. For an Access-Reject, may contain the cause for rejecting the connection

43 Main attributes (V) (RFC 2865)
- Vendor-Specific (26) - Specific attributes for this device, not defined by the IETF but by the vendor who made the device (NAS)
  Layout: Type=26 (1 byte) | Length (1 byte) | Vendor ID (4 bytes) | VSA1 ID (1, or 2, bytes) | VSA1 Length (1 byte) | VSA1 Value | VSA2 ID | VSA2 Length | VSA2 Value | ...
- Session-Timeout (27) - Max. connection time (sec.)
- Idle-Timeout (28) - Max. idle time (sec.)
- Called-Station-Id (30) - Also called DNIS. In GPRS/UMTS: APN
- Calling-Station-Id (31) - Also called CLID

44 Main attributes (& VI) (RFC 2865)
- NAS-Id (32) - Alternative to the attribute NAS-IP-Address to identify the NAS sending the requests
- Proxy-State (33) - May be used when a server is acting as proxy-RADIUS. The NAS never receives this attribute
- NAS-Port-Type (61) - Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4)
  - Virtual (5): i.e. access via telnet
  - xDSL (16), Cable (17)
  - Mobile: GPRS (18), Wi-Fi=802.11 (19), CDMA2000 (22), UMTS (23)
- Port-Limit (62) - To limit the max. number of calls that can be bonded together with MP (Multilink Protocol), or of concurrent sessions with the same User-Name

45 Protocol enhancement: RFCs 2867->2869
- RFCs 2867 and 2868 define new attributes for tunneled connections (mainly L2TP)
- RFC 2869 defines some general user attributes:
  - Prompt (76) - In a Challenge-Response, tells the NAS whether it has to echo the user response
  - Connect-Info (77) - May show info about the user connection and speed. The format is NAS/vendor dependent. E.g.: "28800 V42BIS/LAPM", "52000/31200 V90", "9600 V110/ISDN"
  - Acct-Interim-Interval (85) - The RADIUS server can order the NAS to send Interim acct packets with a certain periodicity
  - Framed-Pool (88) - In the Access-Accept, tells the NAS what pool to use for user IP address assignment. This pool must be defined locally in the NAS

46 Packet coding
Hex dump of an Access-Request:
  01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a
  01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f
  78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03

Decoding:
  01                        Message Type = Access-Request (1)
  01                        Packet ID = 1
  00 38                     Length = 56
  0f 40 3f 94 ... 22 7a     Request Authenticator (16 bytes)
  01 06 6e 65 6d 6f         Attrib ID = User-Name (1), Length = 6, Value = nemo
  02 12 0d be ... 0a ee     Attrib ID = User-Password (2), Length = 18, encrypted password using the authenticator field
  04 06 c0 a8 01 10         Attrib ID = NAS-IP-Address (4), Length = 6, Value = 192.168.1.16
  05 06 00 00 00 03         Attrib ID = NAS-Port (5), Length = 6, Value = 3
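A decoder for the hex dump on slide 46, as an added example that is not part of the original presentation. It applies the slide-21 framing (Code, Identifier, Length, Authenticator, then type/length/value attributes), refuses inconsistent lengths rather than reading past them, and also unpacks the Vendor-Specific (26) layout from slide 43. The shared secret is unknown, so User-Password is reported as 16 bytes of ciphertext; the vendor-specific test packet and the attribute names beyond those on the slide are constructed for the example.

```python
# Decode the Access-Request dumped on slide 46 (RFC 2865 framing).
# Added example, not part of the original presentation. The bytes are the ones
# printed on the slide; the shared secret is not known, so User-Password stays opaque.
import socket
import struct

# Hex dump copied from slide 46 (56 bytes).
SLIDE_46_HEX = (
    "01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a "
    "01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f "
    "78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03"
)

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Account-Request", 5: "Account-Response", 11: "Access-Challenge"}


def _uint32(value: bytes) -> int:
    if len(value) != 4:
        raise ValueError("integer attribute must be exactly 4 octets")
    return struct.unpack("!I", value)[0]

def _ipv4(value: bytes) -> str:
    if len(value) != 4:
        raise ValueError("address attribute must be exactly 4 octets")
    return socket.inet_ntoa(value)

def _vendor_specific(value: bytes) -> dict:
    """Slide 43 layout: 4-byte Vendor ID, then (id, length, value) sub-attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific needs a 4-octet Vendor ID")
    vendor_id = _uint32(value[:4])
    subs, off = [], 4
    while off < len(value):
        if off + 2 > len(value):
            raise ValueError("truncated VSA header")
        sub_id, sub_len = value[off], value[off + 1]
        if sub_len < 2 or off + sub_len > len(value):
            raise ValueError("bad VSA length")
        subs.append((sub_id, value[off + 2:off + sub_len]))
        off += sub_len
    return {"vendor_id": vendor_id, "attributes": subs}

# Decoders for the attributes this deck discusses; unknown types stay raw bytes.
ATTRIBUTES = {
    1: ("User-Name", lambda v: v.decode("utf-8", errors="replace")),
    2: ("User-Password", bytes),          # ciphertext; needs the shared secret
    3: ("CHAP-Password", bytes),
    4: ("NAS-IP-Address", _ipv4),
    5: ("NAS-Port", _uint32),
    6: ("Service-Type", _uint32),
    8: ("Framed-IP-Address", _ipv4),
    26: ("Vendor-Specific", _vendor_specific),
    27: ("Session-Timeout", _uint32),
    61: ("NAS-Port-Type", _uint32),
}

def parse_packet(data: bytes) -> dict:
    """Split a datagram into header and attributes, rejecting inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096:
        raise ValueError(f"Length field {length} outside 20..4096")
    if length > len(data):
        raise ValueError("datagram shorter than its Length field")
    attributes, off = [], 20
    while off < length:                        # octets past Length are padding
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[off], data[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError(f"attribute {attr_type} has bad length {attr_len}")
        name, decode = ATTRIBUTES.get(attr_type, (f"Attribute-{attr_type}", bytes))
        attributes.append((name, decode(data[off + 2:off + attr_len])))
        off += attr_len
    return {"code": CODES.get(code, f"Code-{code}"), "identifier": ident,
            "length": length, "authenticator": data[4:20].hex(),
            "attributes": attributes}

def parse_slide_46() -> dict:
    return parse_packet(bytes.fromhex(SLIDE_46_HEX))

if __name__ == "__main__":
    pkt = parse_slide_46()
    print(pkt["code"], "id", pkt["identifier"], "len", pkt["length"])
    for name, value in pkt["attributes"]:
        print(f"  {name} = {value!r}")
```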

47 Accounting special attributes (I)
- Acct-Status-Type (40) - Type of accounting packet: Start (1), Stop (2), Interim-Update (3), etc.
  - Accounting-On (7), Accounting-Off (8): the NAS is going to be / has been rebooted and won't send the Stop packets of the users connected at that moment
- Acct-Delay-Time (41) - Number of seconds between the acct event time and the generation of this packet. Used mainly in retransmissions, with a value != 0
- Acct-Input-Octets (42) - In Stop/Interim, bytes transmitted by the user (input bytes for the NAS) from the beginning of the session = Upstream
- Acct-Output-Octets (43) - Bytes received by the user = Downstream
- Acct-Input-Packets (47), Acct-Output-Packets (48)

48 Accounting special attributes (& II)
- Acct-Session-Id (44) - Identifies a session in a unique manner in the NAS
  - This attribute may also be sent in the Access-Request packet (auth)
  - The value must be the same in Start, Stop and Interim (and in auth)
- Acct-Authentic (45) - The way the user got authenticated: RADIUS (1), Local (2), Remote (3)
- Acct-Session-Time (46) - How long (in seconds) the user was connected (Stop), or has been connected up to the moment (Interim)
- Acct-Terminate-Cause (49) - General cause: User Request (1), Lost Carrier (2), Idle Timeout (4), Callback (16)…
- Acct-Multi-Session-Id (50) - For MLPPP sessions, each call will have a different Acct-Session-Id, but the same Acct-Multi-Session-Id
- Acct-Link-Count (51) - In MLPPP, the max. number of channels that have been bonded together

49 Example of acct START packet (TAOS 9.x)

Tue Ago 28 11:15:45 2001
  User-Name = user1_basic
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Acct-Status-Type = Start
  Acct-Delay-Time = 0
  Acct-Session-Id = 262282375
  Acct-Authentic = RADIUS
  Calling-Station-Id = 917410029
  Called-Station-Id = 917434000
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1

50 Example of acct STOP packet (I) (TAOS 9.x)

Tue Ago 28 11:16:59 2001
  User-Name = user1_basico
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Acct-Status-Type = Stop
  Acct-Delay-Time = 0
  Acct-Session-Id = 262282375
  Acct-Authentic = RADIUS
  Acct-Session-Time = 74
  Acct-Input-Octets = 459078
  Acct-Output-Octets = 4440286
  Calling-Station-Id = 917410029
  Called-Station-Id = 917434000

51 Example of acct STOP packet (& II) (TAOS 9.x)

  Ascend-Data-Rate = 31200
  Ascend-Xmit-Rate = 48000
  Ascend-Disconnect-Cause = 185
  Ascend-Connect-Progress = LAN-session-is-up
  Ascend-PreSession-Time = 0
  Ascend-First-Dest = 10.81.44.111
  Ascend-Pre-Input-Octets = 174
  Ascend-Pre-Output-Octets = 204
  Ascend-Pre-Input-Packets = 7
  Ascend-Pre-Output-Packets = 8
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19

52 Message flow for a connection (NAS <-> RADIUS server)

Because of signalling on the PSTN side, the NAS is aware it has an incoming call.
NAS -> server: Access-Request; server -> NAS: Access-Accept
  Optionally, the NAS asks the RADIUS server before taking the call off-hook (pre-auth)
NAS -> server: Access-Request; server -> NAS: Access-Accept
  After taking the call off-hook, a "regular" auth packet is sent (User-Name/Password)
NAS -> server: Accounting-Request (START); server -> NAS: Accounting-Response
  The user successfully starts the session
NAS -> server: Accounting-Request (INTERIM); server -> NAS: Accounting-Response
NAS -> server: Accounting-Request (INTERIM); server -> NAS: Accounting-Response
  Optionally, the NAS periodically informs the server that the session is still up
NAS -> server: Accounting-Request (STOP); server -> NAS: Accounting-Response
  The user hangs up

53 Accounting-Off example

An Accounting-Off packet MAY be sent when the NAS stops sending accounting packets for users, because of a reset or because the RADIUS feature has been disabled.

RADIUS client (NAS) -> RADIUS server, over IP:
  Acct-Request (4) - ID=27
    NAS-IP-Address (4) = 192.168.20.2
    Acct-Status-Type (40) = Accounting-Off (8)
    Acct-Delay-Time (41) = 10
    Acct-Session-Id (44) = 891236709
RADIUS server -> RADIUS client (NAS):
  Acct-Response (5) - ID=27

54 Files in the server

Clients
  Contains information about the RADIUS clients: IP address or FQDN, shared secret key, and optionally the type of NAS, to know which dictionary it uses
Dictionary
  Definition of all RADIUS attributes and their numeric coding
  In text format: a person can read and edit the file
  Type of attribute: Text, String, Integer, IP Address, Date
  Possible values for enumeration attributes

55 Dictionary

#Keyword   Attribute Name   Attr.Num   Attr.Type
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
...
# TAOS specific attributes (Ascend 0-255)
ATTRIBUTE Ascend-IP-Pool-Chaining 85 integer Ascend
ATTRIBUTE Ascend-IP-TOS 87 integer Ascend
ATTRIBUTE Ascend-IP-TOS-Precedence 88 integer Ascend
...
# RFC Attribute Values
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
...
# Vendor codes
VENDOR base 0
VENDOR livingston 307
VENDOR Ascend 529
VENDOR Lucent1751 1751

56 Dictionary File Decoding

RADIUS Request: ... | 6 | 6 | 0 | 0 | 0 | 2 | ...
  Attribute Number = 6, Attribute Length (in bytes) = 6, Attribute Value = 2
RADIUS Dictionary:
  ATTRIBUTE Service-Type 6 integer
  VALUE Service-Type Framed-User 2
Decoded: Service-Type = Framed-User

57 Dictionary VSAs

Example dictionary entry:
  # Name   Number   Type   [Vendor]   [(Modifiers)]
  VENDOR Ascend 529
  ATTRIBUTE Ascend-Send-Secret 214 string Ascend (asecret,hidden)

On the wire:
  | Attr. Number = 26 | Total Attr. Length | Vendor ID = 529 | data |
  where data = | VSA Attr. Number = 214 | VSA Attr. Length | VSA Attr. data |
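Slides 55 to 57 together describe how a server turns raw attribute bytes into names and values through its dictionary file. The following is an added example, not code from the presentation or from any TAOS or RADIUS server: it parses ATTRIBUTE, VALUE and VENDOR lines in the slide 55 format, decodes the Service-Type bytes drawn on slide 56, and opens up a Vendor-Specific attribute laid out as on slide 57. The dictionary text is a subset of slide 55 plus the Ascend-Send-Secret line of slide 57; the VSA bytes are constructed here, and the `hidden` modifier is honoured only by leaving the value as hex, since decoding it would need the shared secret.

```python
"""Dictionary-driven decoding of RADIUS attributes, including a VSA.

Added example, not taken from the presentation. The dictionary text is a
subset of slide 55 plus slide 57's Ascend-Send-Secret entry; the
Service-Type bytes are those of slide 56; the VSA bytes are constructed.
"""
import ipaddress
import struct

DICTIONARY_TEXT = """
#Keyword   Attribute Name        Attr.Num  Attr.Type  [Vendor]  [(Modifiers)]
ATTRIBUTE  User-Name             1         string
ATTRIBUTE  NAS-IP-Address        4         ipaddr
ATTRIBUTE  Service-Type          6         integer
ATTRIBUTE  Ascend-IP-TOS         87        integer    Ascend
ATTRIBUTE  Ascend-Send-Secret    214       string     Ascend    (asecret,hidden)
VALUE      Service-Type          Login-User   1
VALUE      Service-Type          Framed-User  2
VENDOR     Ascend                529
"""

VENDOR_SPECIFIC = 26


def load_dictionary(text: str) -> dict:
    """Parse ATTRIBUTE / VALUE / VENDOR lines. Vendor attributes are resolved in
    a second pass because, as on slide 55, VENDOR lines may come last."""
    vendors, values, pending = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        keyword = parts[0].upper()
        if keyword == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif keyword == "ATTRIBUTE":
            name, number, atype, rest = parts[1], int(parts[2]), parts[3].lower(), parts[4:]
            vendor = rest[0] if rest and not rest[0].startswith("(") else None
            mods = [m for m in rest if m.startswith("(")]
            modifiers = set(mods[0].strip("()").split(",")) if mods else set()
            pending.append((vendor, number, name, atype, modifiers))
        elif keyword == "VALUE":
            values[(parts[1], int(parts[3]))] = parts[2]
    attrs = {}
    for vendor, number, name, atype, modifiers in pending:
        vendor_id = vendors[vendor] if vendor else None  # KeyError = undefined VENDOR
        attrs[(vendor_id, number)] = (name, atype, modifiers)
    return {"attrs": attrs, "values": values, "vendors": vendors}


def decode_value(dictionary: dict, name: str, atype: str, raw: bytes):
    """Interpret raw bytes according to the dictionary type; enum names win over numbers."""
    if atype == "integer":
        if len(raw) != 4:
            raise ValueError(f"{name}: integer attribute must be 4 bytes, got {len(raw)}")
        number = struct.unpack("!I", raw)[0]
        return dictionary["values"].get((name, number), number)
    if atype == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    if atype == "string":
        return raw.decode("utf-8", errors="replace")
    return raw.hex()


def lookup(dictionary: dict, vendor_id, number: int, raw: bytes) -> tuple:
    """Resolve one (vendor, number); unknown or hidden attributes are kept as hex."""
    entry = dictionary["attrs"].get((vendor_id, number))
    if entry is None:
        label = f"Vendor-{vendor_id}-Attr-{number}" if vendor_id is not None else f"Attr-{number}"
        return (label, raw.hex())
    name, atype, modifiers = entry
    if "hidden" in modifiers:
        return (name, raw.hex())  # obscured with the shared secret; not decoded here
    return (name, decode_value(dictionary, name, atype, raw))


def decode_tlv(dictionary: dict, tlv: bytes) -> list:
    """Decode one Type | Length | Value attribute (slide 56). A Vendor-Specific
    attribute (slide 57) yields one result per vendor sub-attribute."""
    if len(tlv) < 2 or tlv[1] != len(tlv) or tlv[1] < 2:
        raise ValueError("attribute Length does not match the bytes given")
    atype, value = tlv[0], tlv[2:]
    if atype != VENDOR_SPECIFIC:
        return [lookup(dictionary, None, atype, value)]
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("malformed vendor sub-attribute")
        vnum, vlen = value[pos], value[pos + 1]
        out.append(lookup(dictionary, vendor_id, vnum, value[pos + 2:pos + vlen]))
        pos += vlen
    return out


DICT = load_dictionary(DICTIONARY_TEXT)

# Service-Type attribute exactly as drawn on slide 56: |6|6|0|0|0|2|
SERVICE_TYPE_TLV = bytes.fromhex("06 06 00 00 00 02")

# Constructed VSA in the slide 57 layout: 26 | len | Vendor ID 529 | sub-attributes.
SAMPLE_VSA = (
    bytes([VENDOR_SPECIFIC, 30]) + struct.pack("!I", 529)
    + bytes([87, 6]) + struct.pack("!I", 4)     # Ascend-IP-TOS = 4
    + bytes([214, 18]) + bytes(range(16))       # Ascend-Send-Secret, stays hidden
)
```

Attributes absent from the dictionary are returned as `Attr-N` with a hex value rather than dropped, so a NAS sending an unexpected or unknown-vendor attribute still shows up in the decoded output.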

58 Device configuration via RADIUS (I)

Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), can ask a RADIUS server for certain configuration parameters.
This configuration is based on pseudo-users with pre-defined User-Names.
The TAOS device sends an Access-Request (1) to the server with Service-Type = Outbound-User.
Examples of pseudo-users in TAOS:
  banner - To configure a message for the Terminal Server
  pools- - To define address pools for each device
  route-n - To define static routes and connections (Frame Relay, ATM, outgoing calls with PPP, etc.)
For other vendors, the pseudo-users may be different or even non-existent.

59 Device configuration via RADIUS (II)

TAOS device -> RADIUS server, over IP:
  Access-Request (1) - ID=12
    User-Name (1) = "pools-TNT2"
    User-Password (3) = ascend
    NAS-IP-Address (4) = 192.168.20.2
    Service-Type (6) = Outbound-User (5)
RADIUS server -> TAOS device:
  Access-Accept (2) - ID=12
    Ascend-IP-Pool-Definition = "1 10.1.0.1 7"
    Ascend-IP-Pool-Definition = "2 10.2.0.1 48"

60 RADIUS extensions for NAS's

Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), can receive RADIUS packets to reconfigure already connected users.
In this case the NAS can be considered a server, as it receives requests and must send a response.
The main actions a NAS may obey are:
  Disconnection of users
  Updating user filters on-the-fly
These instructions are coded using special RADIUS packet codes:
  40 = Disconnect-Request, 41 = Disconnect-ACK, 42 = Disconnect-NAK
  43 = Change-Filter-Request, 44 = Change-Filter-ACK, 45 = Change-Filter-NAK
The NAS should be listening for requests on UDP port 3799 (RFC 2882, RFC 3576)

61 Example to disconnect a user

RADIUS server -> RADIUS client (NAS), over IP:
  1. Disconnect-Request (40) - ID=1
       User-Name (1) = pepe@terra
       Framed-IP-Address (8) = 193.168.1.2
       Acct-Session-Id (44) = 262282375
       Nas-IP-Address = 192.168.20.2
RADIUS client (NAS) -> RADIUS server:
  2.  Disconnect-Ack (41) - ID=1
  2B. Disconnect-Nak (42) - ID=1
       Error-Cause (101) = Residual Session Context Removed (201)

NOTE: The RADIUS client should know to which IP address it must send the request. It will differ from the NAS-IP-Address if:
  - the Nas-Id attribute is used
  - there is a proxy RADIUS in between
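The Accounting-Off request of slide 53 and the Disconnect-Request exchange of this slide, built and checked in code, as an added example that is not part of the presentation. Both packet types share one property the slides do not spell out: the Request Authenticator is an MD5 hash over the packet (with the authenticator field zeroed) and the shared secret, per RFC 2866 for accounting and RFC 3576 for disconnect, and the response is hashed over the request's authenticator and the secret. That is what lets a NAS drop a Disconnect-Request from anyone who does not hold the secret, and lets a server ignore an accounting packet altered in transit. Attribute values are the ones printed on the two slides; the shared secret is constructed, and `tamper` is a helper added only to show the check failing.

```python
"""Accounting-Off (slide 53) and Disconnect-Request (slide 61) with their
RFC 2866 / RFC 3576 authenticators.

Added example, not taken from the presentation. Attribute values are the
slides' own; the shared secret is constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42


def tlv(atype: int, value) -> bytes:
    """Encode one attribute: int -> 4-byte integer, str -> text, bytes as given."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def ipv4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_request(code: int, ident: int, attrs: list, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side: recompute the hash with the authenticator field zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs: list, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + Request Authenticator + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Sender side: the ID must match the outstanding request and the hash must bind it."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def accounting_off_exchange(secret: bytes) -> tuple:
    """Slide 53: Acct-Request (4) ID=27 with Accounting-Off, answered by Acct-Response (5)."""
    request = build_request(ACCOUNTING_REQUEST, 27, [
        tlv(4, ipv4("192.168.20.2")),   # NAS-IP-Address
        tlv(40, 8),                     # Acct-Status-Type = Accounting-Off
        tlv(41, 10),                    # Acct-Delay-Time
        tlv(44, "891236709"),           # Acct-Session-Id
    ], secret)
    return request, build_response(ACCOUNTING_RESPONSE, request, [], secret)


def disconnect_exchange(secret: bytes, ack: bool) -> tuple:
    """Slide 61: Disconnect-Request (40) ID=1, answered by Disconnect-Ack (41) or by
    Disconnect-Nak (42) carrying Error-Cause (101) = 201 as printed on the slide."""
    request = build_request(DISCONNECT_REQUEST, 1, [
        tlv(1, "pepe@terra"),           # User-Name
        tlv(8, ipv4("193.168.1.2")),    # Framed-IP-Address
        tlv(44, "262282375"),           # Acct-Session-Id
        tlv(4, ipv4("192.168.20.2")),   # NAS-IP-Address
    ], secret)
    if ack:
        return request, build_response(DISCONNECT_ACK, request, [], secret)
    return request, build_response(DISCONNECT_NAK, request, [tlv(101, 201)], secret)


def tamper(packet: bytes) -> bytes:
    """Helper for the demonstration: flip one bit in the first attribute value."""
    data = bytearray(packet)
    data[22] ^= 0x01
    return bytes(data)
```

`hmac.compare_digest` is used for the comparison so that verification time does not depend on how many leading bytes of a forged authenticator happen to match.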

62 SNMP MIBs for RADIUS

It is standardized that RADIUS servers and clients should offer some statistical information via SNMP.
Defined in RFCs; the new ones also support IPv6.
A proxy RADIUS behaves at the same time as a server and a client, so it should support both MIBs.
The OIDs are a branch of MIB-2.
All of the OIDs are read-only, as they are statistical data, except for the reset of counters.

RFCs     Auth   Acct
Client   4668   4670
Server   4669   4671

63 Auth Server MIB (I)

The SNMP agent must store statistics for every client, as well as the aggregate statistics.

Index | Client Address | Client ID | Access Req, Duplic Req, Access Accept, Access Reject, ...
1     | 172.16.1.2     | RAS1      | 271252 ...
2     | 172.1.2.3      |           | 12093 ...
...
N     | 192.18.1.2     | GGSN1     | 109819100098 5720305520200 ...
TOTAL |

Serv Ident | Serv UpTime | Serv ResetTime
NR1        | 36010600

64 Auth Server MIB (II) RFC2619

(.1) Mib-2
  (.67) radiusMIB
    (.1) radiusAuthentication
      (.1) radiusAuthServMIB
        (.1) radiusAuthServMIBObjects
          (.1) radiusAuthServ
            (.1) radiusAuthServIdent [SnmpAdminString]
            (.2) radiusAuthServUpTime [TimeTicks]
            (.3) radiusAuthServResetTime [TimeTicks]
            (.4) radiusAuthServConfigReset [integer] VALUES: {other(1), reset(2), initializing(3), running(4)}
            (.5) radiusAuthServTotalAccessRequests [Counter32]
            (.6) radiusAuthServTotalInvalidRequests [Counter32]
            (.7) radiusAuthServTotalDupAccessRequests [Counter32]
            (.8) radiusAuthServTotalAccessAccepts [Counter32]
            (.9) radiusAuthServTotalAccessRejects [Counter32]
            (.10) radiusAuthServTotalAccessChallenges [Counter32]
            (.11) radiusAuthServTotalMalformedAccessRequests [Counter32]
            (.12) radiusAuthServTotalBadAuthenticators [Counter32]
            (.13) radiusAuthServTotalPacketsDropped [Counter32]
            (.14) radiusAuthServTotalUnknownTypes [Counter32]

* Responses = AccessAccepts + AccessRejects + AccessChallenges
* Pending = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped - Responses
* Entries logged = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped

65 Auth Server MIB (III) RFC2619

(.67) radiusMIB
  (.1) radiusAuthentication
    (.1) radiusAuthServMIB
      (.1) radiusAuthServMIBObjects
        (.1) radiusAuthServ
          (.15) radiusAuthClientTable [Sequence]
            (.1) radiusAuthClientEntry [Entry]
              (.1) radiusAuthClientIndex [Integer32]
              (.2) radiusAuthClientAddress [IpAddress]
              (.3) radiusAuthClientID [SnmpAdminString]
              (.4) radiusAuthServAccessRequests [Counter32]
              (.5) radiusAuthServDupAccessRequests [Counter32]
              (.6) radiusAuthServAccessAccepts [Counter32]
              (.7) radiusAuthServAccessRejects [Counter32]
              (.8) radiusAuthServAccessChallenges [Counter32]
              (.9) radiusAuthServMalformedAccessRequests [Counter32]
              (.10) radiusAuthServBadAuthenticators [Counter32]
              (.11) radiusAuthServPacketsDropped [Counter32]
              (.12) radiusAuthServUnknownTypes [Counter32]
      (.2) radiusAuthServMIBConformance
        (.1) radiusAuthServMIBCompliances
        (.2) radiusAuthServMIBGroups

66 Acct Client MIB RFC2620

(.67) radiusMIB
  (.2) radiusAccounting
    (.2) radiusAccClientMIB
      (.1) radiusAccClientMIBObjects
        (.1) radiusAccClient
          (.1) radiusAccClientInvalidServerAddresses [Counter32]
          (.2) radiusAccClientIdentifier [SnmpAdminString]
          (.3) radiusAccServerTable [Sequence]
            (.1) radiusAccServerEntry [Entry]
              (.1) radiusAccServerIndex [Integer32]
              (.2) radiusAccServerAddress [IpAddress]
              (.3) radiusAccClientServerPortNumber [Integer32]
              (.4) radiusAccClientRoundTripTime [TimeTicks]
              (.5) radiusAccClientRequests [Counter32]
              (.6) radiusAccClientRetransmissions [Counter32]
              (.7) radiusAccClientResponses [Counter32]
              (.8) radiusAccClientMalformedResponses [Counter32]
              (.9) radiusAccClientBadAuthenticators [Counter32]
              (.10) radiusAccClientPendingRequests [Gauge32]
              (.11) radiusAccClientTimeouts [Counter32]
              (.12) radiusAccClientUnknownTypes [Counter32]
              (.13) radiusAccClientPacketsDropped [Counter32]

* Requests = Responses + PendingRequests + ClientTimeouts
* Successfully received = Responses - MalformedResponses - BadAuthenticators - UnknownTypes - PacketsDropped
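The formulas at the foot of slides 64 and 66 applied to polled counters, as an added example that is not part of the presentation. Beyond computing the derived values, it compares two successive polls of the authentication server objects and flags the changes a defender watches for: a burst of bad authenticators (a client with a wrong shared secret, or a sender that never had it), malformed Access-Requests, and a pending count that keeps growing. The object names are the ones listed on the two slides; the counter snapshots are constructed, and the alert threshold is an assumption.

```python
"""Derived values and sanity checks for the RADIUS SNMP counters of slides 64
(RFC 2619 authentication server MIB) and 66 (RFC 2620 accounting client MIB).

Added example, not taken from the presentation. Object names and formulas
are the slides'; the snapshots are constructed and the threshold is assumed.
"""


def auth_server_derived(c: dict) -> dict:
    """Slide 64 formulas applied to one snapshot of the radiusAuthServTotal* objects."""
    responses = (c["radiusAuthServTotalAccessAccepts"]
                 + c["radiusAuthServTotalAccessRejects"]
                 + c["radiusAuthServTotalAccessChallenges"])
    logged = (c["radiusAuthServTotalAccessRequests"]
              - c["radiusAuthServTotalDupAccessRequests"]
              - c["radiusAuthServTotalBadAuthenticators"]
              - c["radiusAuthServTotalMalformedAccessRequests"]
              - c["radiusAuthServTotalUnknownTypes"]
              - c["radiusAuthServTotalPacketsDropped"])
    return {"Responses": responses, "Pending": logged - responses, "EntriesLogged": logged}


def acct_client_derived(c: dict) -> dict:
    """Slide 66 formulas applied to one row of radiusAccServerTable."""
    consistent = (c["radiusAccClientRequests"]
                  == c["radiusAccClientResponses"]
                  + c["radiusAccClientPendingRequests"]
                  + c["radiusAccClientTimeouts"])
    received = (c["radiusAccClientResponses"]
                - c["radiusAccClientMalformedResponses"]
                - c["radiusAccClientBadAuthenticators"]
                - c["radiusAccClientUnknownTypes"]
                - c["radiusAccClientPacketsDropped"])
    return {"RequestsConsistent": consistent, "SuccessfullyReceived": received}


def auth_server_alerts(previous: dict, current: dict, bad_auth_threshold: int = 10) -> list:
    """Compare two polls of the auth server counters and name what changed for the worse."""
    def delta(key):
        return current[key] - previous[key]

    alerts = []
    if delta("radiusAuthServTotalBadAuthenticators") > bad_auth_threshold:
        alerts.append("bad authenticators: shared-secret mismatch or sender without the secret")
    if delta("radiusAuthServTotalMalformedAccessRequests") > 0:
        alerts.append("malformed Access-Requests received")
    if auth_server_derived(current)["Pending"] > auth_server_derived(previous)["Pending"]:
        alerts.append("pending requests growing: server falling behind")
    return alerts


# Constructed snapshots, keyed by the MIB object names of slides 64 and 66.
AUTH_POLL_1 = {
    "radiusAuthServTotalAccessRequests": 1000,
    "radiusAuthServTotalDupAccessRequests": 10,
    "radiusAuthServTotalBadAuthenticators": 2,
    "radiusAuthServTotalMalformedAccessRequests": 1,
    "radiusAuthServTotalUnknownTypes": 0,
    "radiusAuthServTotalPacketsDropped": 3,
    "radiusAuthServTotalAccessAccepts": 900,
    "radiusAuthServTotalAccessRejects": 70,
    "radiusAuthServTotalAccessChallenges": 5,
}
# Second poll: 100 more requests, 50 more bad authenticators, only 40 more accepts.
AUTH_POLL_2 = dict(AUTH_POLL_1,
                   radiusAuthServTotalAccessRequests=1100,
                   radiusAuthServTotalBadAuthenticators=52,
                   radiusAuthServTotalAccessAccepts=940)
ACCT_ROW = {
    "radiusAccClientRequests": 500,
    "radiusAccClientResponses": 480,
    "radiusAccClientPendingRequests": 15,
    "radiusAccClientTimeouts": 5,
    "radiusAccClientMalformedResponses": 1,
    "radiusAccClientBadAuthenticators": 2,
    "radiusAccClientUnknownTypes": 0,
    "radiusAccClientPacketsDropped": 1,
}
```

The Counter32 objects wrap at 2^32, so a production poller would also have to handle a delta that goes negative; the snapshots here stay well below that.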

67 List of standard attributes (I)

(*) An Access-Request MUST contain either a User-Password or a CHAP-Password or State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password.
(**) An Access-Request and an Accounting-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both).
No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific ones.

68 List of standard attributes (II)

(***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.

69

(****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.
(-) Can be included in packet type 42 = Disconnect-Nak or 45 = CoA-Nak

Access-Request | Access-Accept | Access-Reject | Access-Chall. | Acct-Request | # | Attribute | RFC's
00-10 0     | 84  | ARAP-Challenge-Response | 2869
00-1000     | 85  | Acct-Interim-Interval | 2869
00000-1     | 86  | Acct-Tunnel-Packets-Lost | 2867
0-1000      | 87  | NAS-Port-Id (****) | 2869
00-100      | 88  | Framed-Pool | 2869
0-1 00      | 89  | Chargeable-User-Id | 4372
0+ 000-1    | 90  | Tunnel-Client-Auth-ID | 2868
0+ 000-1    | 91  | Tunnel-Server-Auth-ID | 2868
00+00       | 92  | Nas-Filter-Rule | 4849
0-1000      | 95  | NAS-IPv6-Address | 3162
0-1 00      | 96  | Framed-Interface-Id | 3162
0+ 00       | 97  | Framed-IPv6-Prefix | 3162
0+ 00       | 98  | Login-IPv6-Host | 3162
00+00       | 99  | Framed-IPv6-Route | 3162
00-100      | 100 | Framed-IPv6-Pool | 3162
00000       | 101 | Error-Cause | 3576
0-10000     | 103 | Digest-Response | 4590
0-10010     | 104 | Digest-Realm | 4590
0-10010     | 105 | Digest-Nonce | 4590
0 0-1000    | 106 | Digest-Response-Auth | 4590
0 0-1000    | 107 | Digest-Nextnonce | 4590
0-10000     | 108 | Digest-Method | 4590
0-10000     | 109 | Digest-URI | 4590
0-100 0+0   | 110 | Digest-Qop | 4590
0-100 0     | 111 | Digest-Algorithm | 4590
0-10000     | 112 | Digest-Entity-Body-Hash | 4590
0-10000     | 113 | Digest-CNonce | 4590
0-10000     | 114 | Digest-Nonce-Count | 4590
0-10000     | 115 | Digest-Username | 4590
0-100 0     | 116 | Digest-Opaque | 4590
0+ 0 0      | 117 | Digest-Auth-Param | 4590
0-10000     | 118 | Digest-AKA-Auts | 4590
000 0+0     | 119 | Digest-Domain | 4590
000 0-10    | 120 | Digest-Stale | 4590
0 0-1000    | 121 | Digest-HA1 | 4590
0-10000     | 122 | SIP-AOR | 4590
0+ 00       | 123 | Delegated-IPv6-Prefix | 4818

