Presentation is loading. Please wait.

Presentation is loading. Please wait.

RADIUS Messages RADIUS Message Structure RADIUS Attributes Vendor-Specific Attributes RADIUS Message Exchanges Authentication of Network Access Accounting.

Similar presentations


Presentation on theme: "RADIUS Messages RADIUS Message Structure RADIUS Attributes Vendor-Specific Attributes RADIUS Message Exchanges Authentication of Network Access Accounting."— Presentation transcript:

1 RADIUS Messages RADIUS Message Structure RADIUS Attributes Vendor-Specific Attributes RADIUS Message Exchanges Authentication of Network Access Accounting of Network Access RADIUS Proxy Forwarding Summary

2 Access-Request Access-Challenge Access-Accept Access-Reject Accounting-Request Accounting-Response

3

4 RADIUS attributes carry data values that are used in the authentication, authorization, and accounting functions carried out by RADIUS clients, servers, and proxies. These attributes can appear in network access and accounting requests and in response messages. An attribute represents a specific data item, such as a user name or the tunneling protocol in use, sent between the RADIUS client and server. Some attributes can be included more than once, the effect of which is dependent on the specific attribute. When used as RADIUS proxy, NPS preserves the order of the attributes received from the client in messages transmitted to a RADIUS server. There are two types of RADIUS attributes: standard attributes and vendor-specific attributes (VSAs). Standard attributes are defined in RFCs 2865 through 2869 and are used by all RADIUS clients and servers. VSAs are proprietary. Not all RADIUS clients and servers imple-ment all VSAs. For more information, see the section “Vendor-Specific Attributes” later in this chapter.

5

6 Vendor Type Value Attribute NameDescription 1MS-CHAP-Response จะถูกส่งในการตรวจสอบ CHAP Response ซึ่งได้รับจาก Access Client 9MS-RAS-Vendor จะถูกส่งในการตรวจสอบเพื่อระบุ Vendor (Microsoft) 10MS-CHAP-Domain จะสามารถ Access-Accept และ Access-Response Message ระบุ Domain ในที่ผู้ใช้จะได้รับสิทธิ์ 11MS-CHAP-Challenge CHAP-Challenge ที่ใช้ในการตรวจสอบ CHAP, Microsoft CHAP (MS-CHAP) หรือ MS-CHAP v2 16MS-MPPE-Send-Key จะถือ key session เพื่อใช้สำหรับ Microsoft point-to-point encryption (MPPE) คีย์นี้สำหรับเข้ารหัสข้อความที่ส่งมา จาก NAS ถึง Access Client และถูกส่งเฉพาะใน Access- Accept Message ได้รับการเข้ารหัสโดย RADIUS shared secret 17MS-MPPE-Recv-Key จะเป็น key session สำหรับ MPPE จะใช้สำหรับการเข้ารหัส ของแพ็กเก็จ ที่ได้รับ NAS จาก Access-Client และใช้ เฉพาะใน Access-Accept Message 18MS-RAS-Version เป็น Version ของ Routing และ Remote Access ที่เป็นของ RADIUS Message การส่งนี้จะอยู่ใน Access-Request และ Accounting-Request Message 25MS-CHAP2-Response เพื่อตรวจสอบ MS-CHAP v2 ตอบรับจาก Access Client 26MS-CHAP2-Success เพื่อตรวจสอบ MS-CHAP v2 เพื่อบอกว่าการตรวจสอบ สำเร็จ Table 17-3 Common Vendor-Specific Attributes

7 This section describes common RADIUS message exchanges for the following: ■ Authentication of network access ■ Accounting of network access ■ RADIUS proxy forwarding

8 ■ Access-Request followed by Access-Accept ■ Access-Request followed by Access-Reject ■ Access-Request followed by Access- Challenge

9 Frame: + Ethernet: Etype = Internet IP (IPv4) + Ipv4: Next Protocol = UDP, Packet ID = 30882, Total IP Length = Udp: SrcPort = 3065, DstPort = 1812, Length = 257 SourcePort: 3065, 3065(0xbf9) DestinationPort: 1812, 1812(0x714) TotalLength: 257 (0x101) Checksum: (0xA751) - Radius: Access Request, Id = 12, Length = 249 MessageType: Access Request, 1(0x01) Identifier: 12 (0xC) AllLength: 249 (0xF9) Authenticator: DB A 2B FF 75 F1 1D 19 2C 1A 7F + AttributeNasIPAddress: AttributeServiceType: Framed, 2(0x2) + AttributeFramedProtocol: PPP, 1(0x1)

10 + AttributeNasPort: AttributeVendorSpecific: + AttributeRadiusNASPortType: Virtual, 5(0x5) + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1) + AttributeTunnelMediumType: IPv4, 1(0x1) + AttributeStationID: AttributeTunnelClientEndpoint: + AttributeVendorSpecific: + AttributeUserName: KAPOHO\tfl + AttributeVendorSpecific:

11 Frame: + Ethernet: Etype = Internet IP (IPv4) + Ipv4: Next Protocol = UDP, Packet ID = 39615, Total IP Length = Udp: SrcPort = 1812, DstPort = 3065, Length = Radius: Access Accept, Id = 12, Length = 214 MessageType: Access Accept, 2(0x02) Identifier: 12 (0xC) AllLength: 214 (0xD6) Authenticator: 5F C EA 31 7A A3 4F 82 B1 FA DE AttributeFramedProtocol: PPP, 1(0x1) + AttributeServiceType: Framed, 2(0x2) + AttributeClass: + AttributeVendorSpecific:

12 Frame: + Ethernet: Etype = Internet IP (IPv4) + Ipv4: Next Protocol = UDP, Packet ID = 30899, Total IP Length = Udp: SrcPort = 3066, DstPort = 1813, Length = Radius: Accounting Request, Id = 3, Length = 275 MessageType: Accounting Request, 4(0x04) Identifier: 3 (0x3) AllLength: 275 (0x113) Authenticator: EA BB 33 E2 85 8D F8 D5 A6 5C AttributeAcctStatusType: Start, 1(0x1) + AttributeAcctDelayTime: 0 + AttributeNasIPAddress: AttributeServiceType: Framed, 2(0x2) + AttributeFramedProtocol: PPP, 1(0x1) An example of an Accounting-Request/Accounting-Response message exchange is Capture (Frame 1)

13 + AttributeNasPort: AttributeVendorSpecific: + AttributeRadiusNASPortType: Virtual, 5(0x5) + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP),1(0x1) + AttributeTunnelMediumType: IPv4, 1(0x1) + AttributeStationID: AttributeTunnelClientEndpoint: + AttributeVendorSpecific: + AttributeClass: + AttributeVendorSpecific: + AttributeAcctSessionID: 4 + AttributeUserName: KAPOHO\tfl + AttributeFramedIPAddress: AttributeFramedMTU: AttributeAcctMultiSessionID: 27 + AttributeAcctLinkCount: 1 + AttributeEventTimestamp: AttributeAcctAuthentic: RADIUS, 1(0x1) + AttributeVendorSpecific:

14 Frame: + Ethernet: Etype = Internet IP (IPv4) + Ipv4: Next Protocol = UDP, Packet ID = 40023, Total IP Length = 48 + Udp: SrcPort = 1813, DstPort = 3066, Length = 28 - Radius: Accounting Response, Id = 3, Length = 20 MessageType: Accounting Response, 5(0x05) Identifier: 3 (0x3) AllLength: 20 (0x14) Authenticator: F0 A D B 7E C7 8A 83 E4 B

15 An example of an Access-Request message that is forwarded by a RADIUS proxy is Capture (Frame 1) Frame: + Ethernet: Etype = Internet IP (IPv4) - Ipv4: Next Protocol = UDP, Packet ID = 7567, Total IP Length = Versions: IPv4, Internet Protocol; Header Length = 20 + DifferentiatedServicesField: DSCP: 0, ECN: 0 TotalLength: 278 (0x116) Identification: 7567 (0x1D8F) + FragmentFlags: 0 (0x0) TimeToLive: 128 (0x80) NextProtocol: UDP, 17(0x11) Checksum: 1238 (0x4D6) SourceAddress: DestinationAddress: Udp: SrcPort = 1711, DstPort = 1812, Length = 258

16 - Radius: Access Request, Id = 8, Length = 250 MessageType: Access Request, 1(0x01) Identifier: 8 (0x8) AllLength: 250 (0xFA) Authenticator: B2 3F 8A F4 14 4C E 34 5A AttributeNasIPAddress: AttributeServiceType: Framed, 2(0x2) + AttributeFramedProtocol: PPP, 1(0x1) + AttributeNasPort: AttributeVendorSpecific: + AttributeRadiusNASPortType: Virtual, 5(0x5) + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1) + AttributeTunnelMediumType: IPv4, 1(0x1) + AttributeStationID: AttributeTunnelClientEndpoint: + AttributeVendorSpecific: + AttributeUserName: TCP1\rebecca + AttributeVendorSpecific:

17 Frame: + Ethernet: Etype = Internet IP (IPv4) - Ipv4: Next Protocol = UDP, Packet ID = 2894, Total IP Length = Versions: IPv4, Internet Protocol; Header Length = 20 + DifferentiatedServicesField: DSCP: 0, ECN: 0 TotalLength: 288 (0x120) Identification: 2894 (0xB4E) + FragmentFlags: 0 (0x0) TimeToLive: 128 (0x80) NextProtocol: UDP, 17(0x11) Checksum: 0 (0x0) SourceAddress: DestinationAddress: Udp: SrcPort = 2203, DstPort = 1812, Length = Radius: Access Request, Id = 2, Length = 260 MessageType: Access Request, 1(0x01) Identifier: 2 (0x2) AllLength: 260 (0x104)

18 Authenticator: B2 3F 8A F4 14 4C E 34 5A AttributeNasIPAddress: AttributeServiceType: Framed, 2(0x2) + AttributeFramedProtocol: PPP, 1(0x1) + AttributeNasPort: AttributeRadiusNASPortType: Virtual, 5(0x5) + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1) + AttributeTunnelMediumType: IPv4, 1(0x1) + AttributeStationID: AttributeTunnelClientEndpoint: + AttributeUserName: TCP1\ rebecca + AttributeVendorSpecific: - AttributeProxyState: Type: Proxy State, 33(0x21) Length: 10 (0xA) ProxyState: Binary Large Object (8 Bytes)

19 RADIUS messages have a common structure consisting of a fixed-size portion and a variable-size portion. The fixed-size portion contains fields common to all RADIUS messages. The variable-size portion contains RADIUS attributes, which can be standard attributes or VSAs. RADIUS attributes carry data values that are used in authentication, authorization, and accounting of network access. An authentication exchange is one of the following: Access-Request/Access-Accept for a successful authentication and authorization, Access-Request/Access-Reject for an unsuccessful authentication or authorization, or Access-Request/Access-Challenge when the RADIUS server needs more information to evaluate authentication and authorization. An accounting exchange consists of an Accounting-Request and an Accounting-Response. When RADIUS proxies are between RADIUS clients and RADIUS servers, they modify RADIUS messages by adding or removing a Proxy-State attribute.

20 นางสาว ภาวิณี แก้วสุข รหัส กลุ่ม 51346CPE


Download ppt "RADIUS Messages RADIUS Message Structure RADIUS Attributes Vendor-Specific Attributes RADIUS Message Exchanges Authentication of Network Access Accounting."

Similar presentations


Ads by Google