Presentation is loading. Please wait.

Presentation is loading. Please wait.

RADIUS Protocol Sowjanya Talasila Shilpa Pamidimukkala.

Published byGwen Williams Modified over 8 years ago

Similar presentations

Presentation on theme: "RADIUS Protocol Sowjanya Talasila Shilpa Pamidimukkala."— Presentation transcript:

1 RADIUS Protocol Sowjanya Talasila Shilpa Pamidimukkala

2 Outline Introduction Features of RADIUS Protocol Overview Proxy Server Operations of RADIUS Packet format Vulnerabilities Conclusion References

3 Introduction Remote Authentication Dial In User Service AAA protocol (Authentication, Authorization and Accounting) Supports applications such as Network access IP mobility Used in embedded network devices such as modems servers, routers, switches Works in both local and roaming situations

4 Network Topology

5 Features of RADIUS Client-server Model Network Security Flexible Authentication Mechanisms Extensible Protocol

6 Protocol Overview RADIUS client sends a message to a RADIUS server RADIUS server authenticates and authorizes requests and sends back a response message Client and server use a pre-shared secret key Accounting messages sent from clients to severs, and acknowledged by servers

7 Logical System View PPPIP Remote Server Information Provider WorkstationModem Customer NAS / RAS ROUTER RADIUS AAA SERVER USER DB ISP POP PSTN Internet

8 RADIUS Details RADIUS uses UDP instead of TCP as a transport protocol The following are some of the reasons for using UDP: 1. User can wait for only few seconds. It can’t wait for several minutes 2. No special handling for rebooting or offline clients and servers

9 RADIUS Details Contd.. Reasons for using UDP: 3. Stateless protocol 4. Easy to implement multi-threaded server to service multiple client requests

10 Advantages Facilitates Centralized user administration Provides certain level of protection against sniffing and active attackers Omni present support Current standard for remote authentication Current versions of RADIUS protocol: RFC 2865 (RADIUS) RFC 2866 (RADIUS Accounting)

11 Access and Accounting Details Access to a network includes both authentication and authorization RFC 2865 protocol helps for carrying access Port 1812 Accounting RFC 2866 protocol used The assigned port number for RADIUS accounting is 1813

12 Access Messages Access-Request : authentication and authorization for a connection attempt by a RADIUS client Possible responses from the server to the client: Access-Accept : connection attempt is authenticated and authorized provides specific configuration information necessary to begin the delivery of service to the user

13 Access messages Contd.. Responses from the server Access-Reject : issued by the server when unacceptable attributes are received Access-Challenge : demands challenge response and causes access deny for subscribers

14 Accounting messages Accounting-Request : sent by the RADIUS client to specify accounting information for the connection accepted Accounting-Response : acknowledges the successful receipt and processing of Accounting- Request message

15 Client-server Transaction

16 RADIUS Clients Theorem (for Java) Livingstone (for c, unix) Radiusclient (for c, unix) Vopcom (for VC++)

17 RADIUS Server Cistron freeRADIUS ICRADIUS YARD RADIUS GNU-radius

18 RADIUS Proxying The proxy feature forwards authentication (and accounting) to another server Used for Carriers Roaming users Applications where different organizations use shared resources

19 Proxy Setup

20 RADIUS Proxy Servers Client sends access request to forwarding server Gets forwarded to remote server Remote server sends access-accept Forwarding server sends the access accept to the client

21 RADIUS Operations

22 Operations Authentication Accounting

23 Subscriber PSTN Data Store User Information Access Accept Access Request The Authentication Process Access Request Access Accept User Information RADIUS Server the Internet

24 When a client is configured to use RADIUS, any user of the client presents authentication information to the client. Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access- Request“ containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. The Access-Request is submitted to the RADIUS server via the network. Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded.

25 Authentication Flow

26 If any condition is not met, the RADIUS server sends an "Access- Reject" response indicating that this user request is invalid. If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re- submits its original Access-Request with a new request ID. If all conditions are met, the list of configuration values for the user are placed into an "Access-Accept" response.

27 RADIUS: Basics Authentication Data Flow ISP User Database ISP Modem Pool User dials modem pool and establishes connection UserID: bob Password: ge55gep UserID: bob Password: ge55gep NAS-ID: 207.12.4.1 Select UserID=bob Bob password=ge55gep Timeout=3600 [other attributes] Access-Accept User-Name=bob [other attributes] Framed-Address=217.213.21.5 The Internet ISP RADIUS Server Internet PPP connection established

28 Accounting Process At the start of service delivery it will generate an Accounting Start packet describing the type of service being delivered and the user it is being delivered to, and will send that to the RADIUS Accounting server, which will send back an acknowledgement that the packet has been received. The Accounting-Request (whether for Start or Stop) is submitted to the RADIUS accounting server via the network. It is recommended that the client continue attempting to send the Accounting-Request packet until it receives an acknowledgement, using some form of backoff.

29 RADIUS: Basics Accounting Data Flow ISP Accounting Database ISP Modem Pool Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 …... Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 …... The Internet ISP RADIUS Server Internet PPP connection established Acknowledgement The Accounting “Start” Record

30 RADIUS: Basics Accounting Data Flow ISP Accounting Database ISP Modem Pool The Internet ISP RADIUS Server Internet PPP connection established Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 …... Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 …... Acknowledgement The Accounting “Stop” Record User Disconnects

31 RADIUS Packet Format

32 RADIUS Packet

33 Packet Details Code (8 bits) indicates the type of RADIUS packet The table shows the codes assigned to packet types 255 is reserved for future use Packet with invalid code is discarded

34 Packet Details Identifier (8 bits) helps in matching requests and response Server can use identifier to detect duplicate requests from the same client IP address Identifiers must be reused frequently

35 Packet Details Length (16 bits) indicates the entire length of the RADIUS packet If packet received was shorter than Length, then it is dropped The extra bits are ignored, if packet is longer than Length Minimum length is 20 bits and maximum is 4096 bits

36 Packet Details Authenticator (16 bytes) used to authenticate the reply from the RADIUS server Different for both access and accounting requests and responses Request Authenticator: The value should be unique and unpredictable random number over the entire lifetime of the secret key

37 Packet Details Request Authenticator: Secret key followed by Request Authenticator is put through MD5 hash, then XORed with user password Result is placed in the password attribute Response Authenticator: The values of authentication fields in all access responses indicate Response Authenticator

38 Packet Details Response Authenticator: MD5 hash over concatenated fields Code + ID + Length + Request Authenticator + Attributes + Secret key Accounting Authenticator: Request Authenticator: MD5 hash over concatenated fields Code + ID + Length +Request Authenticator + Response attributes + shared secret

39 Packet Details Accounting Authentication: Response Authenticator: MD5 hash over Response code + ID + Length + Request Authenticator +Response attributes +shared secret Attributes ( variable length) contains the list of attributes that are required for the type of service

40 Vulnerability RADIUS hiding method ( MD5 hash and stream cipher) may not be adequate. Client Access-Request message is not authenticated. Request Authenticators may be poorly implemented. Administrators may choose the RADIUS shared secrets poorly. Multiple clients sharing the same secret make the key easier to discover.

41 Conclusion RADIUS is Commonly used in embedded systems (routers, switches, etc), which cannot handle large numbers of users with distinct authentication information. Facilitates centralized user administration (useful for ISPs) Other alternatives have less security. Widely implemented by hardware vendors.

42 Questions What are the possible responses to an Access- Request packet? Access-Accept, Access-Reject, Access-Challenge Explain the unique timing requirements of RADIUS (i.e. why is UPD used rather than TCP).  User can wait a few seconds to be authenticated, no ack overhead and aggressive packet retransmission required.  Users don’t want to wait several minutes, so a reliable delivery 2 minutes later is unacceptable. Send request to alternate server instead.

43 Questions What are the 2 primary concerns or best practices for a RADIUS installation?  High “information entropy” (randomness) in the shared secret.  Unpredictable and unique random numbers are generated for Request Authentication.

44 References http://www.zvon.org/tmRFC/RFC2138/Output/ http://www.untruth.org/~josh/security/radius/radius- auth.html http://www.untruth.org/~josh/security/radius/radius- auth.html http://docs.hp.com/en/T1428- 90056/ch01s01.html#d0e382 http://docs.hp.com/en/T1428- 90056/ch01s01.html#d0e382 Richard Perlman For CEENet #9 Budapest, Hungary Richard Perlman For CEENet #9 Budapest, Hungary

Download ppt "RADIUS Protocol Sowjanya Talasila Shilpa Pamidimukkala."

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.

Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.

PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.
Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.

Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Radius Dave Grizzanti Steve Curti. What is RADIUS? Remote Authentication Dial-In User Service (RADIUS) is a protocol for remote user authentication and.

Radius Dave Grizzanti Steve Curti. What is RADIUS? Remote Authentication Dial-In User Service (RADIUS) is a protocol for remote user authentication and.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.

RADIUS Server PAP & CHAP Protocols. Computer Security  In computer security, AAA protocol commonly stands for authentication, authorization and accounting.
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 20 RADIUS and Internet Authentication Service.

Similar presentations

Ads by Google