AAA Support by the RADIUS and the Diameter Protocol
Ahana Mallik
Department of Informatics – University of Zurich
May 26, 2016
Overview
1. Authentication, Authorization and Accounting (AAA).
2. AAA Services, Protocols and Architecture.
3. RADIUS Protocol.
4. Diameter Protocol.
5. Comparison of RADIUS and Diameter Protocol.
6. Applications of RADIUS and Diameter Protocol.
7. Summary.
8. Discussion Topic.
Importance of Authentication, Authorization and Accounting (AAA)
Authentication
Controls user identity.
Credentials are provided by the user to prove his/her identity.
Examples of credentials:
1. Passwords.
2. One-time tokens.
3. Digital certificates.
4. Any other information related to the identity (e.g. biometric parameters).
Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf
Authorization
The process of verifying whether a particular user is allowed to access network resources.
Only legitimate users are allowed to access the network; malicious users are denied access to network resources.
Examples:
1. IP address filtering.
2. IP address assignment.
3. Route assignment.
4. Encryption.
Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf
Accounting
Tracking of the consumption of network resources by users.
Typical information gathered in an accounting report:
1. User ID.
2. Service description.
3. Session duration.
Useful for management, planning and billing.
Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf
Authentication in Proxy Appliance
1. The user sends a request (e.g. www.yahoo.com) to the proxy appliance.
2. The proxy appliance (the ProxySG product of Blue Coat) initiates the authentication process: the ProxySG appliance sends a credential challenge to the user.
3. The user then sends the credential information.
4. The user data is sent to the authentication server for verification.
5. After the verification succeeds, the user is identified in the network.
6. The user requests the required website from the internet.
7. The user gets the response from the internet.
8. The user gets the response and is able to access the desired resource.
Authentication in Proxy Appliance contd……
Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
AAA Mechanism
Authentication-based mechanisms: the user's authentication information is used as a precondition for the authorization process.
Credential-based mechanisms: this method uses credential information, which is important and trustworthy information for the purpose of authorization.
The accounting system performs the following essential tasks:
1. The system gathers or aggregates all data from the metering systems.
2. The system then stores this data in the accounting system.
AAA Protocols
RADIUS: this protocol carries AAA information between a RADIUS client and a RADIUS server. It is based on the client/server model and supports a wide range of users.
Diameter: this peer-to-peer protocol carries AAA information in a reliable manner. It is more secure and reliable than RADIUS. It is the successor of the RADIUS protocol and overcomes many of its limitations.
COPS: Common Open Policy Service. This protocol deals with policy information.
SNMP: Simple Network Management Protocol. The accounting records are all transferred to the MIB (Management Information Base), where they are sorted or classified and finally stored.
AAA Services
In the context of AAA services we have an AAA server, which is located in an administrative domain.
Distributed servers:
1. The goal of distributed servers is to provide authentication, authorization and accounting.
2. The server provides the authorization service by deciding whether to grant or deny a request sent by the user.
3. If it grants access to the user, it sets up an authorization session and logs the session data.
AAA Architecture
The architectural components and their roles
There is an ASM (Application Specific Module) in the architectural framework of AAA.
The primary task of the ASM is to enforce the policy actions.
The ASM accordingly configures the SE (Service Equipment) in order to provide the necessary service.
The goal of the AAA server is to evaluate and decide on user requests based on the set of policies.
The policies used by the AAA server are all stored in the PR (Policy Repository).
AAA Architecture contd…
In order to evaluate a policy condition the AAA server sometimes needs to consult other AAA servers.
This can be achieved either by sending requests to other AAA servers or with the help of the ASM.
Depending on the predefined policies a server can accordingly act as an agent.
AAA Architecture contd…
Remote Authentication Dial-In User Service (RADIUS)
It is a well known protocol and is widely practiced.
It is based on the client/server model.
Some of the important functions of RADIUS are
1. centralized management
2. security.
The process of authentication is based on the server and client concept.
The user sends a request to the server and the server authenticates the user against a central database.
If the authentication is successful then the user is granted access to the network, else the user is denied.
RADIUS contd….
Source Url: https://www.rivier.edu/journal/ROAJ-Fall-2009/J286-RADIUS-Sood.pdf
RADIUS Client/Server Architecture
The RADIUS protocol is based on the client/server architecture.
There are two different RADIUS servers available:
1. RADIUS authentication server
2. RADIUS accounting server.
The RADIUS authentication server is responsible for the necessary security and stores the security data.
The RADIUS accounting server takes care of statistical data.
RADIUS Client/Server Architecture Contd….
The Network Access Server (NAS) resides inside the RADIUS client.
The NAS helps remote users access the desired network resources.
The NAS can reach a local RADIUS server as well as a remote RADIUS server over the WAN.
The RADIUS clients at times use alternate servers for redundancy and fault tolerance.
RADIUS Client/Server Architecture Contd….
Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
RADIUS Services
RADIUS supports multiple authentication protocols:
1. Password Authentication Protocol (PAP)
2. Challenge Handshake Authentication Protocol (CHAP).
The user initially establishes a connection with the Network Access Server (NAS). Step 1 in the figure in slide no: 23.
The NAS wants to authenticate the user on the network, so it requests the user ID or username and password. Step 2 in the figure in slide no: 23.
The user provides his/her credential information (user ID or username and password). Step 3 in the figure in slide no: 23.
The NAS then sends an Authentication Request packet to the RADIUS server for the purpose of authentication. Step 4 in the figure in slide no: 23.
RADIUS Services Contd.
The server then validates the user and sends an Authentication Acknowledgement. Step 5 in the figure in slide no: 23.
The server can either allow the user to access the desired network resource or deny the user access to it.
Authorization: the RADIUS server is responsible for providing services and privileges only to legitimate users. Protocols which help in authorization:
1. PPP
2. Telnet
RADIUS Services Contd.
Accounting: this process is concerned with aggregating and storing statistical information. The accounting data consists of
1. time duration.
2. packets and bytes sent and received.
The RADIUS client sends a request to the accounting server and the server responds accordingly with statistical data.
RADIUS Services Contd.
Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
RADIUS Standards
RADIUS was first introduced in January 1997 by Lucent Technologies.
It is one of the IETF (Internet Engineering Task Force) standards.
The second generation of the RADIUS standard (RFC 2138 and RFC 2139) was developed in April 1997.
In June 2000 the third generation of RADIUS came to market (RFC 2865 and RFC 2866).
RADIUS Security
The user identification and passwords sent during the authentication process from the NAS to the RADIUS server are always encrypted. This encryption is achieved using hashing algorithms such as MD5.
It is very important to have this security, else confidential information about users will be revealed and malicious users will be able to access the network resources by extracting this confidential information.
Diameter Protocol
The Diameter protocol is a strong, reliable and secure protocol which provides Authentication, Authorization and Accounting for computer networks.
The Diameter protocol provides functionalities such as error handling, capability negotiation and maintaining user sessions and accounting.
The data delivered by this protocol is always in the form of AVPs (Attribute Value Pairs). An AVP carries the AAA information that needs to go from server to client.
The AVPs also play an important role in routing and redirecting Diameter messages.
The Diameter protocol provides secure data transfer without packet loss. This is achieved through reliable TCP.
Diameter Protocol Contd..
The Diameter protocol supports several agents such as relays, proxies etc.
The relay agents are responsible for routing the Diameter messages, which contain user information, from one node to another.
The Diameter protocol helps to establish and maintain a session between the server and the client at the application level.
In the Diameter protocol the servers and the clients are able to learn each other's capabilities.
Protocol Description
The Diameter packet consists of a header part and several AVPs.
The Version field indicates the version of the Diameter protocol.
The Flags field has several flags, each of which has a specific meaning and functionality:
1. R bit, which stands for request bit. If it is set the message is a request sent from client to server; if it is clear the message is an answer.
2. P bit: if this bit is set then the message may be redirected or routed, else the message is locally processed.
3. E bit: if this bit is set then there is a protocol error in the message, and such messages are referred to as error messages.
4. T bit: if this bit is set it indicates a duplicate (retransmitted) request.
Protocol Description Contd..
AVP: Attribute Value Pair
Source url: https://en.wikipedia.org/wiki/Diameter_(protocol)
Session Management
The Diameter protocol establishes or initiates a session with the help of a message which has Auth-Session-State set to STATE_MAINTAINED.
When the server receives this message it does not release any resources from the network until the session terminates.
The server also maintains the state of the session.
The messages transmitted from client to server must carry a unique session ID, and all messages belonging to one particular session must carry the same session ID.
A particular session can also initiate a child session, also referred to as a sub-session, and in the same manner a multi-session can also be established.
Session Management Contd..
There are two types of Diameter session:
1. The authorization session: this is used for authentication and authorization.
2. The accounting session: this is used for accounting purposes.
A Diameter session can be a stateful session or a stateless session.
This depends heavily on the application, whether it wants to maintain the session for a certain duration or not.
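As an added example (not code from the slides), an encoder and a length-checked decoder for the Diameter header and AVP layout from the Protocol Description slides, covering the R, P, E and T command flags, plus the Session-Id and Auth-Session-State AVPs that the Session Management slides describe. Flag bit positions, AVP codes and the STATE_MAINTAINED value follow RFC 6733; the command code, identifiers and session ID string in the test are constructed sample values.

```python
import struct
# Flag bits and AVP codes from RFC 6733; the code is a constructed example, not the slides' own.
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
AVP_M = 0x40                                  # AVP 'Mandatory' flag
SESSION_ID, AUTH_SESSION_STATE = 263, 277
STATE_MAINTAINED, NO_STATE_MAINTAINED = 0, 1

def encode_avp(code, data, flags=AVP_M):
    # AVP = Code(4) Flags(1) Length(3, header+data, padding excluded) Data, padded to 4.
    head = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return head + data + b"\x00" * (-len(data) % 4)

def encode_message(cmd_code, app_id, hop_by_hop, end_to_end, flags, avps):
    # Header = Version(1) Length(3) Flags(1) Command Code(3) App-ID(4) HbH(4) E2E(4).
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)

def decode_message(raw):
    # Returns header fields, the four command flags decoded, and (code, data) AVPs;
    # every length is checked against the buffer before it is used.
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length > len(raw) or length % 4:
        raise ValueError("bad message length")
    flags, cmd = raw[4], int.from_bytes(raw[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", raw[8:20])
    avps, pos = [], 20
    while pos < length:
        if pos + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", raw[pos:pos + 5])
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & 0x80 else 8          # V bit set: Vendor-ID present
        if alen < hdr or pos + alen > length:
            raise ValueError("bad AVP length")
        avps.append((code, raw[pos + hdr:pos + alen]))
        pos += alen + (-alen % 4)                 # skip padding to a 4-byte boundary
    return {"command": cmd, "application": app_id, "hop_by_hop": hbh, "end_to_end": e2e,
            "request": bool(flags & FLAG_R), "proxiable": bool(flags & FLAG_P),
            "error": bool(flags & FLAG_E), "retransmit": bool(flags & FLAG_T), "avps": avps}

def session_state(avps):
    # Session Management slide: Auth-Session-State = STATE_MAINTAINED obliges the
    # server to keep session state until the session terminates.
    states = [int.from_bytes(d, "big") for c, d in avps if c == AUTH_SESSION_STATE]
    return "stateful" if states and states[-1] == STATE_MAINTAINED else "stateless"
```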
Comparison of RADIUS and Diameter Protocol
1. RADIUS: the server cannot initiate messages.
   Diameter: the server can initiate messages.
2. RADIUS: uses UDP for packet transfer, less secure.
   Diameter: uses TCP for data transmission, more secure.
3. RADIUS: scalability is lower.
   Diameter: scalability is higher compared to RADIUS.
4. RADIUS: does not support capability negotiation.
   Diameter: supports capability negotiation.
5. RADIUS: poor performance in the context of version compatibility.
   Diameter: nodes are able to learn each other's version number.
6. RADIUS: the server cannot demand reauthentication or reauthorization.
   Diameter: the server can demand reauthentication or reauthorization.
7. RADIUS: less reliable.
   Diameter: more reliable.
Comparison of RADIUS and Diameter Protocol contd…
8. RADIUS: does not provide end-to-end authentication.
   Diameter: provides end-to-end authentication.
9. RADIUS: has offline states; no state information is maintained.
   Diameter: has authentication and authorization states.
Applications of RADIUS and Diameter
RADIUS Protocol
1. ISP.
2. Email services.
3. VPN (Virtual Private Network).
4. DSL.
5. Web servers.
6. Modems.
Diameter Protocol
1. Credit Control application.
2. Mobile IPv4 application.
3. Network Access Server application.
Summary
Usage of AAA.
The RADIUS protocol implements AAA to provide security to RADIUS clients and servers.
The Diameter protocol is a much more robust, secure and reliable protocol which implements AAA.
Diameter is a peer-to-peer protocol which maintains session states and has capability negotiation and error handling mechanisms.
Discussion Topic
1. The necessity of Authentication, Authorization and Accounting?
2. Does AAA serve perfectly? If there are limitations, what are they?
3. Which protocol is preferable among RADIUS and Diameter?
Thank You