RADIUS protocol
Module Objectives
Identify the elements and architecture of remote access to networks
Understand the way the RADIUS protocol works
Get to know the attributes that control different types of access
technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc.)
See how attributes and RADIUS packets are coded, and the purpose of a
dictionary
Cover the standard statistical information provided over SNMP
View the extensions added to the RADIUS protocol
Authorization
Check that the user can access the service (s)he is trying to:
checking against a database, a file, etc. what the user may do, and restricting his/her
access to the network accordingly
Accounting
Record what the user has done during the connection:
connection time, bytes sent/received, access service, etc.
Used to get statistics about user accesses, billing, etc.
Figure: remote-access architecture. User - Modem - PSTN - NAS/RAS (PPP, IP) at the ISP POP (Point of Presence) - Router - Internet (Web); the NAS queries the RADIUS / AAA server, which checks the user DB.
Adopted by all vendors of access devices, as almost the only standard for
AAA.
RADIUS stands for:
Remote Authentication Dial-In User Service
Figure: authentication of user Bob (UserID: bob, Password: ge55gep).
The NAS (NAS-IP: 207.12.4.1) sends an Access-Request with User-Name: bob, Password: ge55gep.
The RADIUS server selects UserID=bob from the Users database: password=ge55gep, Timeout = 3600, Framed-IP-Address=217.213.21.5, [other attributes].
The server answers with an Access-Accept carrying Framed-IP-Address=217.213.21.5, Session-Timeout=3600, [other attributes], and the PPP session to the Internet is established.
5.- Send Accept/Reject to the NAS with the right attributes for this user
session (reply-items):
Idle and session timeout
IP filters for this user
Indication of the IP address to assign to the user
For ISDN, max. number of channels to bond together (MLPPP)
etc.
RADIUS clients can send requests from any source UDP port they have
available; the RFCs do not restrict it.
All requests need not come from the same port, and usually don't,
though NASs can be configured to send all requests with the same source UDP
port.
Only advisable for firewall restrictions.
Figure: how the RADIUS result is carried back to the user over PPP.
PAP: Access-Accept -> PAP-Auth-Success #1 (Message="00"); Access-Reject -> PAP-Auth-Failure #1 (Message="Incorrect Password")
CHAP (Initiator / Responder, with the RADIUS server): CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value=0c7d203....a8, Name=tnt2); Auth-Response #1 (Chall. Length=16, Challenge Value=016b89....91, Name=john); the NAS then sends an Access-Request with User-Name=john, CHAP-Password=016b89..91, [CHAP-Challenge=0c7d203...a8]
LCP (Initiator / Authenticator): Config-Request #1 (MRU=1524, auth=PAP, ...); Config-Ack #2 (MRU=1524, auth=PAP, ...)
The user password can only be hashed once (MD5, SHA1, etc.),
either at database storage or when the user transmits it,
as hash algorithms are not reversible.
However, passwords can be stored encrypted (3DES, AES, ...).
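An added example (not from the original slides) of why this matters for CHAP: the RADIUS server verifies the CHAP-Password it receives by recomputing MD5 over the CHAP identifier, the password and the CHAP-Challenge, so it needs the clear-text (or reversibly encrypted) password; the password, challenge and identifier used below are constructed values.

```python
import hashlib
import hmac

# Added example (not from the slides): why the point above matters for CHAP.
# The NAS relays the PPP CHAP challenge and response to the RADIUS server as
# CHAP-Challenge and CHAP-Password (RFC 2865 section 5.3). To check them the
# server must recompute MD5(id + password + challenge), so it needs the
# clear-text password (or a reversibly encrypted one), never a one-way hash.
# Password and challenge values below are constructed sample values.

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """PPP CHAP response (RFC 1994): MD5 over identifier, secret, challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_password_attribute(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value as the NAS sends it: 1 octet CHAP ident + 16 octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)

def verify_chap(chap_password: bytes, chap_challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response from the password kept in the user database."""
    if len(chap_password) != 17:          # anything but ident + 16-octet digest is malformed
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_password, chap_challenge)
    return hmac.compare_digest(response, expected)

def demo():
    """Verification succeeds with the clear password and fails with a stored hash of it."""
    challenge = bytes.fromhex("0c7d2030" * 4)                  # constructed 16-octet challenge
    attr = chap_password_attribute(7, b"ge55gep", challenge)   # what the NAS would send
    with_clear = verify_chap(attr, challenge, b"ge55gep")
    with_hash = verify_chap(attr, challenge, hashlib.md5(b"ge55gep").digest())
    return with_clear, with_hash
```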
Octets 5-20: Authenticator
Octets 21-...: Attributes
Access-Challenge (11): request from the server to the NAS, asking for additional information
from the user. Used with token/crypto cards, and for EAP. (RFC 2865)
Accounting-Request (4): the NAS sends accounting information to the server
Accounting-Response (5): the server ACKs the accounting packet to the NAS
Figure: User-Password hiding in an Access-Request.
Client: a random number fills the Authenticator field; MD5 (shared key + Authenticator) is XORed with the clear-text PAP password to produce the User-Password attribute.
Server: recomputes MD5 (shared key + Authenticator) from the received packet and XORs it with User-Password to recover the clear password.
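The hiding scheme in the figure, as an added Python example (not the slides' own code), following RFC 2865 section 5.2 including the chaining used for passwords longer than 16 octets; the shared secret and password values are constructed.

```python
import hashlib
import os

# Added example (not from the slides): the User-Password hiding scheme the
# figure above depicts, as defined in RFC 2865 section 5.2. Passwords longer
# than 16 octets are chained: each chunk is XORed with MD5(secret + previous
# ciphertext chunk). Shared secret and password values are constructed.
BLOCK = 16   # MD5 digest size; the password is processed in 16-octet chunks

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """NAS side: clear-text PAP password -> User-Password attribute value."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + bytes(-len(password) % BLOCK)   # NUL-pad to a 16-octet multiple
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()        # b1 = MD5(S + RA), bi = MD5(S + c(i-1))
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += chunk
        prev = chunk
    return bytes(out)

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: User-Password attribute value -> clear-text password."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk                                      # the ciphertext chunk feeds the next key
    return bytes(out).rstrip(b"\x00")

if __name__ == "__main__":
    secret = b"example-shared-secret"                     # constructed
    authenticator = os.urandom(BLOCK)                     # the NAS picks a fresh random value per request
    hidden = hide_password(secret, authenticator, b"ge55gep")
    print(hidden.hex(), reveal_password(secret, authenticator, hidden))
```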
Figure: Accounting-Request authentication.
Client: MD5 over the accounting packet (with the Authenticator field zeroed) plus the shared key fills the Authenticator field of the Account-Request.
Server: computes the same hash over the received packet and the shared key and compares it with the Authenticator field. Match: client authenticated. No match: discard.
Figure: Accounting-Response authentication.
Server: MD5 over the response packet (with the Request Authenticator in place of the Authenticator field) plus the shared key fills the Authenticator field of the Account-Response.
Client: recomputes the hash with its own Request Authenticator and the shared key and compares. Match: response authenticated. No match: discard packet.
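Both figures as an added Python example (not the slides' code): the Request Authenticator of an Accounting-Request and the Response Authenticator of the Accounting-Response, with the check each side performs; the packet contents and the shared secret are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not from the slides): the Accounting-Request / Accounting-
# Response authentication the two figures above depict (RFC 2866 section 3).
# The shared secret and the packet contents are constructed for the example.
ACCT_REQUEST, ACCT_RESPONSE = 4, 5

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (value + 2-octet header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def request_authenticator(code, ident, attrs, secret) -> bytes:
    """MD5 over the packet with a zeroed Authenticator field, then the shared secret."""
    return hashlib.md5(build_packet(code, ident, b"\x00" * 16, attrs) + secret).digest()

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """Same hash, but the Request Authenticator sits in the Authenticator field."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()

def _ident(packet: bytes, expected_code: int):
    """Identifier of a well-formed packet of the expected code, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return ident if code == expected_code and length == len(packet) else None

def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Server side: a request whose Authenticator does not match is silently discarded."""
    ident = _ident(packet, ACCT_REQUEST)
    return ident is not None and hmac.compare_digest(
        packet[4:20], request_authenticator(ACCT_REQUEST, ident, packet[20:], secret))

def verify_acct_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: the response must be bound to the Request Authenticator it answers."""
    ident = _ident(packet, ACCT_RESPONSE)
    return ident is not None and hmac.compare_digest(
        packet[4:20], response_authenticator(ACCT_RESPONSE, ident, packet[20:], request_auth, secret))

def demo(secret: bytes = b"example-secret"):
    """Constructed Accounting-Request (Start) from NAS 192.168.20.2 and its response."""
    attrs = (attr(40, struct.pack("!I", 1))          # Acct-Status-Type = Start (1)
             + attr(44, b"891236709")                # Acct-Session-Id
             + attr(4, bytes([192, 168, 20, 2])))    # NAS-IP-Address
    req_auth = request_authenticator(ACCT_REQUEST, 27, attrs, secret)
    request = build_packet(ACCT_REQUEST, 27, req_auth, attrs)
    resp_auth = response_authenticator(ACCT_RESPONSE, 27, b"", req_auth, secret)
    return request, build_packet(ACCT_RESPONSE, 27, resp_auth, b""), req_auth
```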
All Rights Reserved Alcatel-Lucent 2007
Example of successful auth:
Dial-in user with PAP (figure: Modem - POTS/PSTN - NAS (RADIUS client) - IP - RADIUS server)
Access-Request (1) - ID=1
User-Name (1) = "pepe"
User-Password (2) = 5E%&gn)8
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 20
Service-Type (6) = Framed (2)
Framed-Protocol (7) = PPP (1)
NAS-Port-Type (61) = Async (0)
Called-Station-Id (30) = 917529000
Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=1
Service-Type (6) = Framed (2)
Framed-Protocol (7) = PPP (1)
Framed-IP-Address (8) = 255.255.255.254
Framed-IP-Netmask (9) = 255.255.255.255
Framed-Routing (10) = None (0)
Framed-Compression (13) = VJ TCP/IP (1)
Framed-MTU (12) = 1500
Session-Timeout (27) = 7200
Example of a PPPoA (ADSL) connection
For ADSL with PPPoA, there is no Called-Station-Id or Calling-Station-Id.
For PPPoE, they represent the Ethernet MAC addresses.
Figure: PPPoA client - ADSL line - DSLAM - ATM - BRAS (RADIUS client) - IP - RADIUS server
Access-Request (1) - ID=1
User-Name = "user11@aunadsl"
CHAP-Password = "\0011\266\303"
CHAP-Challenge = "e\241\\000"
NAS-IP-Address = 1.2.3.4
NAS-Port = 3329
Ascend-NAS-Port-Format = 2_4_5_5
NAS-Port-Type = Sync
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Session-Id = "483015958"
Access-Accept (2) - ID=1
Service-Type = Framed-User
Framed-Protocol = PPP
Ascend-Source-IP-Check = Source-IP-Check-Yes
Ascend-IP-Source-If = "sip100"
Framed-Pool = 1
Filter-Id=Foo
Ascend-Filter-Required=Required-Yes
Example of a UMTS/GPRS connection
The APN is sent in Called-Station-Id. It is used for the user to select the GGSN.
Figure: Node B - RNC - SGSN - GGSN (RADIUS client) - IP - RADIUS server
Access-Request (1) - ID=1
NAS-Identifier (32) = "B-CER1N-GGSN2"
User-Name (1) = "WAPTM"
User-Password (2) = "o\009KF\020#\145+\146f"
NAS-Port-Type (61) = Virtual (5)
Calling-Station-Id (31) = "34679912214"
Called-Station-Id (30) = "wap.movistar.es"
Acct-Session-Id (44) = "646704d51e069701"
Access-Accept (2) - ID=1
Service-Type (6) = Framed (2)
Framed-Protocol (7) = PPP (1)
Framed-IP-Address (8) = 10.11.12.13
Framed-IP-Netmask (9) = 255.255.255.255
Session-Timeout (27) = 7200
Idle-Timeout (28) = 3600
Example for CDMA2000 1xEVDO (HRPD)
AN-AAA (A12 interface)
The A12 interface (AN AAA) is used:
to perform access authentication (with CHAP) of the AT device by the AN.
The User-Name is the IMSI of the SIM card (MCC, MNC, MN_ID)
to return the MN ID (e.g. IMSI) that is used on the A8/A9 and A10/A11 interfaces.
This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and cdma2000
systems.
Figure: AT (Access Terminal) - BS (Base Station) - RNC/PCF (BS Controller) - A8/A9 - PDSN (Packet Data Serving Node) - A10/A11 - PPP; the RNC/PCF reaches the AN-AAA over A12 (IS-878)
Access-Request
User-Name = 260071234567890@cdma1.com
CHAP-Password = "\0011\266\303"
CHAP-Challenge = "e\241\\000"
NAS-IP-Address = 192.168.20.2
3GPP2-HRPD-Access-Authentication=True
3GPP2-AT-Hardware-Id=0129012
Access-Accept (2)
Callback-Id (20) = 0260071234567890
Example for CDMA2000 1xEVDO (HRPD)
PDSN-AAA for Simple IP
The PDSN is the classical PPP server.
The AAA server might return 1 IPv4 and/or 1 IPv6 address for the user to
choose, or the PDSN will select it from a local pool.
New Access-Requests are sent when the AT hands off between PCFs.
They are correlated to the current session with the 3GPP2-Correlation-Id AVP.
Figure: AT (Access Terminal) - BS (Base Station) - RNC/PCF (BS Controller) - A10/A11 - PDSN (Packet Data Serving Node) - PPP; the PDSN reaches the AAA server (IS-835)
Access-Request
User-Name = john@cdma1.com
CHAP-Password = "\0011\266\303"
CHAP-Challenge = "e\241\\000"
NAS-IP-Address = 192.168.30.3
NAS-Port-Type = Wireless-1X-EV
3GPP2-Correlation-Id = 1234
Calling-Station-Id = 0260071234567890
Access-Accept
[Framed-IP-Address = 10.1.2.3]
Session-Timeout = 7200
Example of pre-auth followed by PPP negotiation
The pre-auth is done before the NAS takes the call off-hook.
Requires ISDN signalling (Q.931) or SS7 with a Softswitch (MGC).
Figure: PSTN - NAS - IP - RADIUS server; the bank system has an X.25 network, reached through a PAD.
Access-Request (1) - ID=10
User-Name (1) = "090"
User-Password (2) = Ascend-DNIS
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 20
NAS-Port-Type (61) = Async (0)
Service-Type (6) = Call-Check (10)
Called-Station-Id (30) = 090
Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=10
User-Name = "PoS",
Service-Type = Login
Login-Service = TCP-clear,
Login-IP-Host = 192.168.20.4,
Login-TCP-Port = 8419
Ascend-AT-Answer-String="&t4s18=15+MS=1
&g2S220=11S221=50S10=3"
Figure: IPsec client (= user) - IPsec server (Lucent Brick) - RADIUS client (LSMS) 135.88.101.111 - RADIUS server 135.88.101.91; the user is authenticated with X-auth in IKE.
Access-Accept (2) - ID=150
Session-Timeout (27) = 86400
Idle-Timeout (28) = 3600
[Connect-Info (77)] = user_group1
[Framed-IP-Address (8) = 135.88.101.222]
Authentication for device administration
Example with Lucent TAOS
Figure: telnet from 1.2.3.4 to the TNT2 (RADIUS client) - IP - RADIUS server
Access-Request (1) - ID=10
User-Name (1) = "adminuser"
User-Password (2) = 5E%&gn)8
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 0
NAS-Port-Type (61) = Virtual (5)
Service-Type (6) = Administrative (6)
[Calling-Station-Id=1.2.3.4]
Access-Accept (2) - ID=10
Service-Type (6) = Administrative (6)
Ascend-Telnet-Profile (26->529:91) = Admin
SIP INVITE with Proxy-Authorization (Digest authentication, RFC 4590):
From: <sip:123@example.com>
To: <sip:987@example.com>
Proxy-Authorization:
- username="123",
- realm="example.com",
- response="f3c97a4"
- Digest algorithm="md5",
- nonce="3bada1a0",
- uri="sip:987@example.com",
- qop=auth,
- algorithm=MD5
Access-Request
User-Name=123
NAS-IP-Address = 192.0.2.38
NAS-Port-Type = Virtual
Digest-Method = INVITE
Digest-URI = sip:987@example.com
SIP-AOR = sip:123@example.com
Digest-Username = 123
Digest-Realm = example.com
Digest-Response = f3c97a4
Digest-Cnonce=0a7e75c4
Digest-Nonce-Count=1
Digest-Algorithm = md5
Digest-Nonce = 3bada1a0
Digest-Qop = auth
Message-Authenticator = ffe0ff
State=27
Access-Accept
Digest-Response-Auth = 63e954
Digest-Nextnonce=fd0a8765
Message-Authenticator = 75aaf1
NOTE: The next authentication for this user could save a round-trip if the RADIUS client uses the Digest-Nextnonce to challenge the user.
Main attributes (I)
Attribute layout: ID. attrib (1 octet) | Attrib. length (1 octet) | Attrib. value (...)
User-Name (1) -
Mandatory in Access-Request & Acct-Request.
The server may send it back in the Access-Accept, so that the NAS sends this
new User-Name in Acct-Request packets. (RFC 2865)
Login-IP-Host (14): In the Access-Accept the server tells the NAS the
IP address of a host to establish a TCP connection to.
Used when Service-Type=Login. (RFC 2865)
Login-Service (15): When Service-Type=Login:
Telnet (0), Rlogin (1), TCP Clear (2), etc. (RFC 2865)
Reply-Message (18)
For an Access-Challenge, the message to show to the user.
For an Access-Reject, may contain the cause to reject the connection.
Vendor-Specific (26) layout: 26 (1 octet) | Length (1 octet) | Vendor ID (4 octets) | VSA1 ID (1 or 2 octets) | VSA1 Length (1 octet) | VSA1 Value | VSA2 ID | VSA2 Length | VSA2 Value
NAS-Port-Type (61) -
Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4) = Mobile
Virtual (5): i.e., access via telnet
xDSL (16), Cable (17)
GPRS (18), Wi-Fi=802.11 (19), CDMA2000 (22), UMTS (23) (RFC 2865)
Port-Limit (62) - To limit the max. number of calls that can be bonded
together with MP (Multilink-Protocol), or concurrent sessions with the
same User-Name
Message Type = Access-Request (1), Packet ID = 1, Length = 56, followed by the 16-octet Request Authenticator:
01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb
98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d
93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8
01 10 05 06 00 00 00 03
Attributes in the dump:
Attrib ID = User-Name (1), Length = 6, Value = nemo
Attrib ID = User-Password (2), Length = 18, Value = password encrypted using the authenticator field
Attrib ID = NAS-IP-Address (4), Length = 6, Value = 192.168.1.16
Attrib ID = NAS-Port (5), Length = 6, Value = 3
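An added Python example (not the slides' code) that parses the dump above into its header fields and attributes, using a small dictionary of the four attribute numbers it contains and rejecting truncated packets and malformed attribute lengths.

```python
import ipaddress
import struct

# Added example (not from the slides): a minimal RADIUS packet parser run over
# the Access-Request hex dump above. The tiny dictionary maps the attribute
# numbers used in that dump to a name and a data type, as a RADIUS dictionary
# file does for every attribute.
DICT = {
    1: ("User-Name", "string"),
    2: ("User-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
}

PACKET_HEX = (  # the Access-Request shown above: ID=1, Length=56
    "01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb "
    "98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d "
    "93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 "
    "01 10 05 06 00 00 00 03"
)

def decode_value(dtype: str, raw: bytes):
    """Decode an attribute value according to its dictionary type."""
    if dtype in ("integer", "ipaddr") and len(raw) != 4:
        raise ValueError(f"{dtype} attribute must be 4 octets, got {len(raw)}")
    if dtype == "integer":
        return struct.unpack("!I", raw)[0]
    if dtype == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    if dtype == "string":
        return raw.decode("utf-8", errors="replace")
    return raw   # octets: User-Password stays hidden until the shared secret is applied

def parse_packet(data: bytes) -> dict:
    """Parse header and attributes; reject truncated or malformed input."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with the received data")
    attrs, pos = [], 20
    while pos < length:                      # octets beyond Length are padding, ignored
        if pos + 2 > length:
            raise ValueError("attribute header runs past the packet end")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:  # Length < 2 or an overlong TLV is malformed
            raise ValueError(f"bad length {alen} for attribute {atype}")
        name, dtype = DICT.get(atype, (f"Attr-{atype}", "octets"))
        attrs.append((name, decode_value(dtype, data[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attributes": attrs}

PARSED = parse_packet(bytes.fromhex(PACKET_HEX))
```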
Acct-Session-Time (46) - How long (in seconds) the user was connected
(Stop), or has been connected up to the moment (Interim)
Acct-Terminate-Cause (49) - General cause:
User Request (1), Lost Carrier (2), Idle Timeout (4), Callback (16)
Example of acct STOP packet (& II)
TAOS 9.x
Ascend-Data-Rate == 31200
Ascend-Xmit-Rate == 48000
Ascend-Disconnect-Cause == 185
Ascend-Connect-Progress == LAN-session-is-up
Ascend-PreSession-Time == 00
Ascend-First-Dest == 10.81.44.111
Ascend-Pre-Input-Octets == 174
Ascend-Pre-Output-Octets == 204
Ascend-Pre-Input-Packets == 77
Ascend-Pre-Output-Packets == 88
Ascend-Modem-PortNo == 66
Ascend-Modem-SlotNo == 22
Ascend-Modem-ShelfNo == 11
Framed-Protocol == PPP
Framed-IP-Address == 91.87.84.19
Message flow for a connection
Figure: PSTN - NAS - RADIUS Server
Access-Request / Access-Accept (pre-auth): because of signalling the NAS is
aware it has an incoming call. Optionally, it asks the RADIUS server
before taking the call off-hook (pre-auth).
Access-Request / Access-Accept: after taking the call off-hook, a
"regular" auth packet is sent (User-Name/Password).
Accounting-Request (START) / Accounting-Response: the user successfully
starts the session.
Accounting-Request (INTERIM) / Accounting-Response, repeated: optionally, the NAS informs the
server periodically that the session is still up.
Accounting-Request (STOP) / Accounting-Response: the user hangs up.
Accounting-Off example
Figure: NAS (RADIUS client) - IP - RADIUS server
Acct-Request (4) - ID=27
NAS-IP-Address (4) = 192.168.20.2
Acct-Status-Type (40) = Accounting-Off (8)
Acct-Delay-Time (41) = 10
Acct-Session-Id (44) = 891236709
Acct-Response (5) - ID=27
Dictionary
Definition of all RADIUS attributes and their numeric coding.
In text format: a person can read and edit that file.
Type of attribute: Text, String, Integer, IP Address, Date.
Possible values for enumeration attributes.
Attribute layout: Attribute Number | Attribute Length (in bytes) | Attribute Value
RADIUS Dictionary entry: ATTRIBUTE Service-Type 6 integer
Figure: NAS (RADIUS client) - IP - RADIUS server
Access-Request (1) - ID=12
User-Name (1) = "pools-TNT2"
User-Password (2) = ascend
NAS-IP-Address (4) = 192.168.20.2
Service-Type (6) = Outbound-User (5)
Access-Accept (2) - ID=12
Ascend-IP-Pool-Definition = "1 10.1.0.1 7"
Ascend-IP-Pool-Definition = "2 10.2.0.1 48"
Figure: RADIUS server - IP - NAS (RADIUS client) - PSTN; the NAS answers the server's disconnect request with one of:
Disconnect-Ack (41) - ID=1
Disconnect-Nak (42) - ID=1
Error-Cause (101) = Residual Session Context Removed (201)
List of standard attributes (II)
Access-   Access-   Access-   Access-   Acct-
Request   Accept    Reject    Chall.    Request   #    Attribute                    RFC's
0         0         0         0         0-1       42   Acct-Input-Octets            2866
0         0         0         0         0-1       43   Acct-Output-Octets           2866
0-1       0-1       0         0         1         44   Acct-Session-Id              2866
0         0         0         0         0-1       45   Acct-Authentic               2866
0         0         0         0         0-1       46   Acct-Session-Time            2866
0         0         0         0         0-1       47   Acct-Input-Packets           2866
0         0         0         0         0-1       48   Acct-Output-Packets          2866
0         0         0         0         0-1       49   Acct-Terminate-Cause         2866
0         0         0         0         0+        50   Acct-Multi-Session-Id        2866
0         0         0         0         0+        51   Acct-Link-Count              2866
0         0         0         0         0-1       52   Acct-Input-Gigawords         2869
0         0         0         0         0-1       53   Acct-Output-Gigawords        2869
0         0         0         0         0-1       55   Event-Timestamp              2869
0+        0+        0         0         0+        56   Egress-VLANID                4675
0-1       0-1       0         0         0-1       57   Ingress-Filters              4675
0+        0+        0         0         0+        58   Egress-VLAN-Name             4675
0         0-1       0         0         0         59   User-Priority-Table          4675
0-1       0         0         0         0         60   CHAP-Challenge               2865, 2866
0-1       0         0         0         0-1       61   NAS-Port-Type                2865, 2866
0-1       0-1       0         0         0-1       62   Port-Limit                   2865, 2866
0-1       0-1       0         0         0-1       63   Login-LAT-Port               2865, 2866
0+        0+        0         0         0-1       64   Tunnel-Type                  2867, 2868
0+        0+        0         0         0-1       65   Tunnel-Medium-Type           2867, 2868
0+        0+        0         0         0-1       66   Tunnel-Client-Endpoint       2867, 2868
0+        0+        0         0         0-1       67   Tunnel-Server-Endpoint       2867, 2868
0         0+        0         0         0         69   Tunnel-Password              2867, 2868
0-1       0         0         0         0         70   ARAP-Password (***)          2869
0         0-1       0         0-1       0         71   ARAP-Features                2869
0         0-1       0         0         0         72   ARAP-Zone-Access             2869
0-1       0         0         0-1       0         73   ARAP-Security                2869
0+        0         0         0+        0         74   ARAP-Security-Data           2869
0         0         0-1       0         0         75   Password-Retry               2869
0         0         0         0-1       0         76   Prompt                       2869
0-1       0         0         0         0-1       77   Connect-Info                 2869
0         0+        0         0         0         78   Configuration-Token          2869
0+        0+        0+        0+        0         79   EAP-Message (***)            2869
0-1       0-1       0-1       0-1       0         80   Message-Authenticator (***)  2869
0+        0+        0         0         0-1       81   Tunnel-Private-Group-ID      2867, 2868
0         0+        0         0         0-1       82   Tunnel-Assignment-ID         2867, 2868
0+        0+        0         0         0         83   Tunnel-Preference            2867, 2868
0         0-1       0         0-1       0         84   ARAP-Challenge-Response      2869
0         0-1       0         0         0         85   Acct-Interim-Interval        2869
0         0         0         0         0-1       86   Acct-Tunnel-Packets-Lost     2867
0-1       0         0         0         0-1       87   NAS-Port-Id (****)           2869
0         0-1       0         0                   88   Framed-Pool                  2869
0-1       0-1       0         0         0-1       89   Chargeable-User-Id           4372
0+        0+        0         0         0-1       90   Tunnel-Client-Auth-ID        2868
0+        0+        0         0         0-1       91   Tunnel-Server-Auth-ID        2868
0         0+        0         0         0+        92   Nas-Filter-Rule              4849
0-1       0         0         0         0-1       95   NAS-IPv6-Address             3162
0-1       0-1       0         0         0-1       96   Framed-Interface-Id          3162
0+        0+        0         0         0+        97   Framed-IPv6-Prefix           3162
0+        0+        0         0         0+        98   Login-IPv6-Host              3162
0         0+        0         0         0+        99   Framed-IPv6-Route            3162
0         0-1       0         0         0-1       100  Framed-IPv6-Pool             3162
0         0         0         0         0         101  Error-Cause (-)              3576
0-1       0         0         0         0         103  Digest-Response              4590
0-1       0         0         1         0         104  Digest-Realm                 4590
0-1       0         0         1         0         105  Digest-Nonce                 4590
0         0-1       0         0         0         106  Digest-Response-Auth         4590
0         0-1       0         0         0         107  Digest-Nextnonce             4590
0-1       0         0         0         0         108  Digest-Method                4590
0-1       0         0         0         0         109  Digest-URI                   4590
0-1       0         0         0+        0         110  Digest-Qop                   4590
0-1       0         0         0-1       0         111  Digest-Algorithm             4590
0-1       0         0         0         0         112  Digest-Entity-Body-Hash      4590
0-1       0         0         0         0         113  Digest-CNonce                4590
0-1       0         0         0         0         114  Digest-Nonce-Count           4590
0-1       0         0         0         0         115  Digest-Username              4590
0-1       0         0         0-1       0         116  Digest-Opaque                4590
0+        0+        0         0+        0         117  Digest-Auth-Param            4590
0-1       0         0         0         0         118  Digest-AKA-Auts              4590
0         0         0         0+        0         119  Digest-Domain                4590
0         0         0         0-1       0         120  Digest-Stale                 4590
0         0-1       0         0         0         121  Digest-HA1                   4590
0-1       0         0         0         0         122  SIP-AOR                      4590
0+        0+        0         0         0+        123  Delegated-IPv6-Prefix        4818
Notes:
(***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.
(****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.
(-) Can be included in packet type 42=Disconnect-Nak or 45=CoA-Nak.
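The (***) rules as an added Python example (not the slides' code): a server-side check that an Access-Request carries at most one credential type, has a Message-Authenticator when the rules require one, and that the Message-Authenticator (HMAC-MD5 over the packet with its own value zeroed, per RFC 2869) verifies; packet contents and the shared secret are constructed values.

```python
import hashlib
import hmac
import struct

# Added example (not from the slides): a server-side check of the (***) rules
# quoted beside the table, plus the Message-Authenticator (80) computation of
# RFC 2869 section 5.14 needed to verify that attribute. Packet contents and
# the shared secret are constructed values.
CREDENTIAL_TYPES = {2, 3, 70, 79}   # User-Password, CHAP-Password, ARAP-Password, EAP-Message
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def attributes(packet: bytes):
    """Yield (type, offset, value) for each TLV after the 20-octet header."""
    pos = 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], pos, packet[pos + 2:pos + alen]
        pos += alen

def message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the whole request with the Message-Authenticator value zeroed."""
    buf = bytearray(packet)
    for atype, pos, value in attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            buf[pos + 2:pos + 2 + len(value)] = bytes(len(value))
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def check_access_request(packet: bytes, secret: bytes) -> list:
    """Return the rule violations found; an empty list means the request passes."""
    present = {}
    for atype, _, value in attributes(packet):
        present.setdefault(atype, []).append(value)
    problems, creds, ma = [], CREDENTIAL_TYPES & set(present), present.get(MESSAGE_AUTHENTICATOR)
    if len(creds) > 1:
        problems.append("more than one of User-Password, CHAP-Password, ARAP-Password, EAP-Message")
    if not creds and not ma:
        problems.append("no credential attribute and no Message-Authenticator")
    if EAP_MESSAGE in present and not ma:
        problems.append("EAP-Message without Message-Authenticator")
    if ma and (len(ma) != 1 or len(ma[0]) != 16):
        problems.append("Message-Authenticator must appear once with a 16-octet value")
    elif ma and not hmac.compare_digest(ma[0], message_authenticator(packet, secret)):
        problems.append("Message-Authenticator does not verify")
    return problems

def build_request(ident: int, attrs: list, secret: bytes, sign: bool = False) -> bytes:
    """Constructed Access-Request; a fixed Request Authenticator keeps the example deterministic."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:   # Message-Authenticator goes last, value zeroed, then filled in
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(range(16)) + body
    return pkt[:-16] + message_authenticator(pkt, secret) if sign else pkt
```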