Security
AAA/RADIUS/HWTACACS
AAA Overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management.
The network security mentioned here refers to access control and includes these
problems:
I. Authentication
AAA supports the following authentication methods:
II. Authorization
AAA supports the following authorization methods:
Direct authorization: All users are trusted and authorized. A user gets the default rights of the system.
Local authorization: Users are authorized according to the attributes configured for them on the device.
only in this case that the RADIUS authorization process works. The authentication
information is carried in the RADIUS authentication response.
III. Accounting
AAA supports the following accounting methods:
No accounting: The system does not keep accounts on the users.
Local accounting: Local accounting is for controlling the number of local user connections and collecting statistics on the number of users; it does not provide statistics on the charges of users. Note that controlling the local user connections does not affect local authentication and authorization.
AAA usually uses a client/server model, where the client runs on the device that controls user access and the server stores user information. The framework of AAA thus allows for excellent scalability and centralized user information management.
Being a management framework, AAA can be implemented through multiple protocols. Currently, AAA is implemented based on RADIUS or HWTACACS.
RADIUS Overview
As described previously, AAA is a management framework and can be implemented
through multiple protocols. However, RADIUS is usually used in practice.
I. What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol in the client/server model. RADIUS protects the network from disruption by unauthorized access and is often used in network environments where both high security and remote user access are required. For example, it is often used for managing a large number of geographically dispersed dial-in users that use modems.
Protocol: Based on UDP. RFC 2865 and RFC 2866 define the RADIUS frame format and the message transfer mechanism, and use port 1812 for authentication and port 1813 for accounting.
Server: The RADIUS server runs on a central computer or workstation, and maintains information for user authentication and network service access.
Client: The RADIUS client runs on the NASs located throughout the network.
In the client/server model of RADIUS, the client, a router or a switch, passes user information to the designated RADIUS server and acts on the response of the server (such as connecting/disconnecting users). The RADIUS server receives user connection requests, authenticates users, and returns the required information to the client.
In general, the RADIUS server maintains three databases, namely, Users, Clients, and
Dictionary, as shown in Figure 1:
Clients: Stores information about RADIUS clients such as the shared key.
Dictionary: Stores the information for interpreting RADIUS protocol attributes and their values.
Figure 1 RADIUS server databases (Users, Clients, Dictionary)
Figure: basic RADIUS message exchange among the host, the RADIUS client, and the RADIUS server
2) Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information with that in the Users database. If the authentication succeeds, it sends back an Access-Accept message containing the user's rights. If the authentication fails, it returns an Access-Reject message.
4) The RADIUS client accepts or denies the user according to the returned authentication result. If it accepts the user, it sends an accounting start request (Accounting-Request) to the RADIUS server, with the value of Status-Type being start.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6)
7)
8)
9)
Figure: RADIUS packet format (Code, Identifier, Length, Authenticator, and Attribute fields; bit positions 7, 15, and 31 marked)
The Code field (1-byte long) is for indicating the type of the RADIUS packet. Table 1 gives the possible values and their meanings.
Table 1 Packet types indicated by the Code field
Code    Packet type            Description
        Access-Request
        Access-Accept
        Access-Reject
        Accounting-Request
        Accounting-Response
2)
The Identifier field (1-byte long) is for matching request packets and response packets. It changes whenever the Attribute field changes or a valid response has been received, but remains unchanged during retransmission.
3)
The Length field (2-byte long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. Bytes beyond the length are considered padding and are ignored on receipt. If the length of a packet is less than that indicated by the Length field, the packet is dropped.
4)
The Authenticator field (16-byte long) is used to authenticate the reply from the RADIUS server, and is also used in the password hiding algorithm. There are two kinds of authenticators: Request and Response.
5)
The Attribute field carries information about the configuration details of a request or response. This field is represented in triplets of Type, Length, and Value.
Type: One byte, in the range 1 to 255. It is for indicating the type of the attribute. Commonly used attributes for RADIUS authentication and authorization are listed in Table 2.
Length: One byte for indicating the length of the attribute in bytes, including the
Table 2 Commonly used RADIUS attributes
Type  Attribute type         Type   Attribute type
1     User-Name              23     Framed-IPX-Network
2     User-Password          24     State
3     CHAP-Password          25     Class
4     NAS-IP-Address         26     Vendor-Specific
5     NAS-Port               27     Session-Timeout
6     Service-Type           28     Idle-Timeout
7     Framed-Protocol        29     Termination-Action
8     Framed-IP-Address      30     Called-Station-Id
9     Framed-IP-Netmask      31     Calling-Station-Id
10    Framed-Routing         32     NAS-Identifier
11    Filter-ID              33     Proxy-State
12    Framed-MTU             34     Login-LAT-Service
13    Framed-Compression     35     Login-LAT-Node
14    Login-IP-Host          36     Login-LAT-Group
15    Login-Service          37     Framed-AppleTalk-Link
16    Login-TCP-Port         38     Framed-AppleTalk-Network
17    (unassigned)           39     Framed-AppleTalk-Zone
18    Reply-Message          40-59
19    Callback-Number        60     CHAP-Challenge
20    Callback-ID            61     NAS-Port-Type
21    (unassigned)           62     Port-Limit
22    Framed-Route           63     Login-LAT-Port
Figure: format of the Vendor-Specific attribute (Type, Length, Vendor-ID, Type (vendor specified), Length (vendor specified); bit positions 0, 7, 15, and 31 marked)
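Added example (not code from the page or from the vendor): a small Python parser for the packet layout above. It applies the Length rules (bytes beyond Length are padding, a datagram shorter than Length is dropped), walks the Type/Length/Value attribute triplets, and performs the client-side check the Authenticator field exists for, verifying the Response Authenticator of an Access-Accept (the step 3 reply in the message exchange described earlier) against the Request Authenticator and shared secret. Code values and the MD5 construction are from RFC 2865; the secret, Request Authenticator, and Access-Accept below are constructed sample values.

```python
import hashlib, hmac, struct

# Code values from RFC 2865/2866 (the page lists only the packet-type names)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

def parse_attributes(data):
    """Walk the Type/Length/Value triplets; Length counts Type+Length+Value."""
    attrs, pos = [], 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_packet(datagram):
    """Length rules: datagram shorter than Length -> drop; longer -> padding."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(datagram)
    if length < HEADER.size or len(datagram) < length:
        raise ValueError("datagram shorter than its Length field: drop")
    return {"code": code, "type": CODES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": auth,
            "attributes": parse_attributes(datagram[HEADER.size:length])}

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs

def verify_response(datagram, request_auth, secret):
    # Client-side check that the reply was produced by a holder of the secret
    pkt = parse_packet(datagram)
    body = datagram[HEADER.size:pkt["length"]]
    expected = response_authenticator(pkt["code"], pkt["id"], body,
                                      request_auth, secret)
    return hmac.compare_digest(expected, pkt["authenticator"])

SECRET = b"constructed-shared-secret"  # constructed sample values, not real
REQUEST_AUTH = bytes(range(16))        # Request Authenticator the client sent
ATTRS = (bytes([18, 9]) + b"Welcome"                  # Reply-Message (18)
         + bytes([27, 6]) + struct.pack("!I", 3600))  # Session-Timeout (27)
ACCEPT = build_response(2, 7, ATTRS, REQUEST_AUTH, SECRET)
```

A reply whose authenticator does not verify, or whose datagram is shorter than its Length field, is discarded by the client rather than acted on.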
HWTACACS Overview
I. What is HWTACACS
Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses the server/client model to implement AAA for the access of different types of users, such as Point-to-Point Protocol (PPP), Virtual Private Dial-up Network (VPDN), and login users.
Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 3 lists the primary differences between HWTACACS and RADIUS.
Table 3 Primary differences between HWTACACS and RADIUS
HWTACACS            RADIUS
                    Uses UDP
In a typical HWTACACS application, a terminal user needs to log onto the device for operations. Working as the HWTACACS client, the device sends the username and password to the HWTACACS server for authentication. After passing authentication and being authorized, the user can log onto the device to perform operations, as shown in Figure 5.
Figure 5 Network diagram for a typical HWTACACS application (host, HWTACACS client, HWTACACS server)
Figure: HWTACACS message exchange among the user, the HWTACACS client, and the HWTACACS server (user login and authorization)
A user requests to access the NAS. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
After receiving the username from the user, the HWTACACS client sends to the server an authentication continuance packet carrying the username.
After receiving the login password, the HWTACACS client sends to the HWTACACS server an authentication continuance packet carrying the login password.
The HWTACACS client sends the user authorization packet to the HWTACACS server.
The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the router or switch to the user.
The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
When the user logs off, the HWTACACS client sends a stop-accounting request to the HWTACACS server.
The HWTACACS server sends back a stop-accounting packet, indicating that the stop-accounting request has been received.