AAA Support by the RADIUS and the Diameter Protocol Ahana Mallik Department of Informatics University of Zurich May 26, 2016


Page 1: AAA Support by the RADIUS and the Diameter Protocol · Diameter Protocol Contd.. ¾ The Diameter protocol supports several agents like relays, proxies etc. ¾ The relay agents are

AAA Support by the RADIUS and

the Diameter Protocol

Ahana Mallik

Department of Informatics – University of Zurich

May 26, 2016

Page 2:

Overview

1. Authentication, Authorization and Accounting (AAA).

2. AAA Services, Protocols and Architecture.

3. RADIUS Protocol.

4. Diameter Protocol.

5. Comparison of RADIUS and Diameter Protocol.

6. Applications of RADIUS and Diameter Protocol.

7. Summary.

8. Discussion Topic.

Page 3:

Importance of Authentication, Authorization and Accounting (AAA)

Page 4:

Authentication

Controls the user's identity: the user presents credentials to prove who he/she is.

Examples of credentials:

1. passwords
2. one-time tokens
3. digital certificates
4. any other information tied to the identity (e.g. biometric parameters)

Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf

Page 5:

Authorization

The process of deciding whether a particular (already authenticated) user is allowed to access a given network resource.

Only legitimate users are allowed onto the network; requests from unauthorised or malicious users are denied.

Examples of authorization decisions and parameters:

1. IP address filtering
2. IP address assignment
3. Route assignment
4. Encryption

Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf

Page 6:

Accounting

Tracking the consumption of network resources by users.

Typical information gathered in an accounting record:

1. User Id
2. Service description
3. Session duration

Useful for management, capacity planning and billing.

Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf

Page 7:

Authentication in a Proxy Appliance

1. The user sends a request (e.g. for www.yahoo.com) to the proxy appliance.

2. The proxy appliance (the ProxySG product of Blue Coat) initiates the authentication process and sends a credential challenge to the user.

3. The user sends his/her credentials in response.

4. The proxy forwards the user's credentials to the authentication server for verification.

5. Once verification succeeds, the user is identified on the network.

6. The proxy forwards the user's request for the desired website to the Internet.

7. The proxy receives the response from the Internet.

8. The user receives the response and can access the desired resource.

Page 8:

Authentication in a Proxy Appliance contd.

Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf

Page 9:

AAA Mechanism

Authentication-based mechanisms: the result of the user's authentication is used as a precondition for the authorization process.

Credential-based mechanisms: authorization is based on credential information, i.e. trustworthy statements about the user on which the authorization decision can rely.

The accounting system performs the following essential tasks:

1. It gathers and aggregates the data collected by the metering systems.

2. It stores this data in the accounting database.

Page 10:

AAA Protocols

RADIUS: carries AAA information between a RADIUS client (typically a NAS) and a RADIUS server. The protocol follows a client/server model and is supported by a very wide range of equipment.

Diameter: a peer-to-peer protocol that carries AAA information over a reliable transport. It is the successor of RADIUS, overcomes many of its limitations and offers stronger security and reliability.

COPS: the Common Open Policy Service. This protocol carries policy information between a policy server and its clients.

SNMP: the Simple Network Management Protocol. Accounting records are exposed through the MIB (Management Information Base), where they are organised and from where they are collected and stored.

Page 11:

AAA Services

In the context of AAA services there is an AAA server located in each administrative domain.

Distributed servers:

1. The goal of the distributed servers is to provide authentication, authorization and accounting.

2. The server provides the authorization service by deciding whether to grant or deny a request sent by the user.

3. If it grants access to the user, it sets up an authorization session and logs the session data.

Page 12:

AAA Architecture

The architectural components and their roles

The AAA architectural framework contains an ASM (Application Specific Module).

The primary task of the ASM is to enforce the policy decisions.

The ASM accordingly configures the SE (Service Equipment) to provide the requested service.

The AAA server evaluates user requests against a set of policies.

The policies used by the AAA server are stored in the PR (Policy Repository).

Page 13:

AAA Architecture contd.

To evaluate a policy condition the AAA server sometimes needs to consult other AAA servers.

This is achieved either by sending requests to the other AAA servers directly or with the help of the ASM.

Depending on the predefined policies, a server can also act as an agent, forwarding the request on the user's behalf instead of deciding itself.

Page 14:

AAA Architecture contd.

Page 15:

Remote Authentication Dial-In User Service (RADIUS)

It is a well-known protocol and is widely deployed.

It is based on the client/server model.

Two of its important functions are

1. centralized management of users

2. security of the authentication exchange.

Authentication follows the server/client concept: the client forwards the user's request to the server, and the server authenticates the user against a central database.

If authentication succeeds the user is granted access to the network, otherwise access is denied.

Page 16:

RADIUS contd.

Source Url: https://www.rivier.edu/journal/ROAJ-Fall-2009/J286-RADIUS-Sood.pdf

Page 17:

RADIUS Client/Server Architecture

The RADIUS protocol is based on a client/server architecture.

Two different RADIUS server roles exist (usually on separate UDP ports, 1812 and 1813):

1. the RADIUS authentication server

2. the RADIUS accounting server.

The RADIUS authentication server is responsible for the security decisions and stores the security data (user credentials and authorization attributes).

The RADIUS accounting server takes care of the statistical (usage) data.

Page 18:

RADIUS Client/Server Architecture contd.

The Network Access Server (NAS) is the RADIUS client.

The NAS gives remote users access to the desired network resources.

The NAS can reach a local RADIUS server as well as a remote RADIUS server across the WAN.

RADIUS clients are usually configured with alternate servers to provide redundancy and fault tolerance.

Page 19:

RADIUS Client/Server Architecture contd.

Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf

Page 20:

RADIUS Services

RADIUS supports multiple authentication protocols, e.g.

1. Password Authentication Protocol (PAP)

2. Challenge Handshake Authentication Protocol (CHAP).

The user initially establishes a connection with the Network Access Server (NAS). Step 1 in the figure in slide no: 23.

The NAS wants to authenticate the user on the network, so it prompts for a user id (username) and password. Step 2 in the figure in slide no: 23.

The user provides his/her credentials (username and password). Step 3 in the figure in slide no: 23.

The NAS then sends an Access-Request (authentication request) packet to the RADIUS server. Step 4 in the figure in slide no: 23.

Page 21:

RADIUS Services contd.

The server then validates the user and answers with an Access-Accept (authentication acknowledgement) or an Access-Reject. Step 5 in the figure in slide no: 23.

The server can thus either allow the user to access the desired network resource or deny access.

Authorization: the RADIUS server grants services and privileges only to legitimate users. The authorization attributes carried in the Access-Accept describe the kind of service the user may use, for example

1. PPP (a framed network connection)

2. Telnet (a login session)

Page 22:

RADIUS Services contd.

Accounting: this process aggregates and stores statistical information. The accounting data includes

1. session duration

2. packets and bytes sent and received.

The RADIUS client sends Accounting-Request packets (at session start and stop) carrying these statistics to the accounting server, and the server acknowledges each one with an Accounting-Response.

Page 23:

RADIUS Services contd.

Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf

Page 24:

RADIUS Standards

RADIUS was originally developed by Livingston Enterprises (later acquired by Lucent Technologies) and was first published as IETF (Internet Engineering Task Force) standards RFC 2058 and RFC 2059 in January 1997.

The second generation of the RADIUS standard (RFC 2138 and RFC 2139) was published in April 1997.

In June 2000 the third generation of RADIUS followed (RFC 2865 and RFC 2866), which is the version in use today.

Page 25:

RADIUS Security

Only the user's password (the User-Password attribute) is hidden when the NAS sends it to the RADIUS server, and it is not encrypted with a cipher: it is XORed with a key stream built from MD5 hashes of the shared secret and the per-request Request Authenticator (RFC 2865, section 5.2). The user name and all other attributes travel in clear text over UDP, and a reply is only tied to its request by the MD5-based Response Authenticator (plus the optional HMAC-MD5 Message-Authenticator attribute).

This protection rests entirely on the strength and secrecy of the shared secret. A weak or reused secret lets anyone who captures the UDP traffic recover user passwords offline and forge replies, so confidential information about users would be revealed and malicious users could gain access to network resources. RADIUS is therefore normally run only on a trusted network or inside an IPsec or TLS tunnel (RADIUS over TLS, RFC 6614).
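As an added example (not from the slides or any of the cited sources), the following Python implements the User-Password hiding of RFC 2865 and the Response Authenticator check, and builds the Access-Request / Access-Accept exchange of slides 20 and 21, so that the difference between the clear-text User-Name and the hidden User-Password is visible on the wire. The shared secret, user name and password are constructed values.

```python
"""RFC 2865 User-Password hiding and Response Authenticator check.
Constructed example: the secret, user and password below are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2     # attribute types
SHARED_SECRET = b"testing123"                 # constructed; a weak secret like this is exactly the risk


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator.
    This is an XOR stream keyed by an MD5 hash, not a cipher."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                              # chaining uses the hidden (ciphertext) block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the secret and a captured packet can do this."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: Access-Request with User-Name in clear and User-Password hidden."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable for every request
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header; reject malformed lengths."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_response(code, request, secret):
    """Server side: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = b""                                   # an Access-Accept may carry no attributes
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side: recompute the Response Authenticator using the outstanding request's authenticator."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:                 # identifier must match the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"correct horse", SHARED_SECRET)
    a = parse_attributes(req)
    print("User-Name on the wire:", a[ATTR_USER_NAME])          # clear text
    print("User-Password on the wire:", a[ATTR_USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_password(a[ATTR_USER_PASSWORD], SHARED_SECRET, req[4:20]))
    resp = build_response(ACCESS_ACCEPT, req, SHARED_SECRET)
    print("genuine Access-Accept verifies:", verify_response(resp, req, SHARED_SECRET))
    forged = resp[:4] + os.urandom(16) + resp[20:]
    print("forged Access-Accept verifies:", verify_response(forged, req, SHARED_SECRET))
```

The `reveal_password` function is the attacker's view as much as the server's: with a captured Access-Request and a guessed secret, the only check needed is whether the recovered bytes look like a password, which is why dictionary attacks on the shared secret work offline.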

Page 26:

Diameter Protocol

The Diameter protocol is a robust, reliable and secure protocol which provides Authentication, Authorization and Accounting for computer networks.

The Diameter protocol provides error handling, capability negotiation, user session management and accounting.

All data carried by the protocol is encoded as AVPs (Attribute Value Pairs). AVPs carry the AAA information exchanged between client and server.

AVPs also play an important role in routing and redirecting Diameter messages (e.g. Destination-Realm and Destination-Host).

Diameter runs over a reliable transport, TCP or SCTP, so messages are not lost the way UDP datagrams can be. Confidentiality and integrity of the data come from TLS (or DTLS) or IPsec underneath Diameter, not from TCP itself.

Page 27:

Diameter Protocol contd.

The Diameter protocol supports several kinds of agents: relays, proxies, redirect agents and translation agents.

Relay agents route Diameter messages containing user information from one node to the next, based on the routing AVPs, without modifying their content.

The Diameter protocol establishes and maintains sessions between server and client at the application level.

Diameter peers learn each other's capabilities (supported applications and security mechanisms) during the capabilities exchange when the connection is set up.

Page 28:

Protocol Description

A Diameter message consists of a 20-byte header followed by one or more AVPs.

The Version field indicates the version of the Diameter protocol (currently 1).

The Flags field has several bits, each with a specific meaning:

1. R (Request) bit: if set the message is a request, if clear the message is an answer.

2. P (Proxiable) bit: if set the message may be proxied, relayed or redirected; if clear it must be processed locally.

3. E (Error) bit: set in an answer to signal a protocol error; such messages are called error messages. It must never be set in a request.

4. T (Potentially re-transmitted) bit: set when a request is re-sent after a link failover, so that the receiver can detect duplicates. It must not be set in answers.

Page 29:

Protocol Description contd.

AVP: Attribute Value Pair

Source url: https://en.wikipedia.org/wiki/Diameter_(protocol)
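As an added example (not part of the slides or the cited Wikipedia page), the following Python encodes and parses the Diameter header described on the previous slide and the AVPs on this one, enforcing the rules on the R, E and T bits, on AVP padding and on the M (mandatory) bit. The peer host name and realm in the constructed Capabilities-Exchange-Request are made up.

```python
"""Diameter (RFC 6733) header and AVP encode/decode with flag checks.
Constructed example: the host and realm below are made up."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10   # header command flags
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20                     # AVP flags
CMD_CER = 257                                              # Capabilities-Exchange-Request/Answer
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 264, 296


def u24(n: int) -> bytes:
    """3-octet big-endian field as used for Message Length, Command Code and AVP Length."""
    return struct.pack("!I", n)[1:]


@dataclass
class Header:
    version: int
    length: int
    flags: int
    command: int
    app_id: int
    hop_by_hop: int
    end_to_end: int

    def is_request(self) -> bool:
        return bool(self.flags & FLAG_R)

    def is_proxiable(self) -> bool:
        return bool(self.flags & FLAG_P)


@dataclass
class Avp:
    code: int
    flags: int
    vendor_id: Optional[int]
    data: bytes


def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id: Optional[int] = None) -> bytes:
    """AVP Length excludes the padding that brings the AVP to a 4-octet boundary."""
    flags = (AVP_M if mandatory else 0) | (AVP_V if vendor_id is not None else 0)
    vendor = struct.pack("!I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vendor) + len(data)
    return struct.pack("!I", code) + bytes([flags]) + u24(length) + vendor + data + b"\x00" * (-len(data) % 4)


def encode_message(command: int, flags: int, app_id: int, hop: int, end: int, avps: List[bytes]) -> bytes:
    body = b"".join(avps)
    return bytes([1]) + u24(20 + len(body)) + bytes([flags]) + u24(command) + struct.pack("!III", app_id, hop, end) + body


def check_flags(h: Header) -> None:
    """RFC 6733 s3: E only in answers, T only in requests, the four reserved bits zero."""
    if h.flags & FLAG_E and h.flags & FLAG_R:
        raise ValueError("E bit set on a request")
    if h.flags & FLAG_T and not h.flags & FLAG_R:
        raise ValueError("T bit set on an answer")
    if h.flags & 0x0F:
        raise ValueError("reserved flag bits set")


def parse_header(buf: bytes) -> Header:
    if len(buf) < 20:
        raise ValueError("short header")
    version, length, flags = buf[0], int.from_bytes(buf[1:4], "big"), buf[4]
    command = int.from_bytes(buf[5:8], "big")
    app_id, hop, end = struct.unpack("!III", buf[8:20])
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length != len(buf) or length % 4:          # Message Length covers padded AVPs, so a multiple of 4
        raise ValueError("message length mismatch")
    hdr = Header(version, length, flags, command, app_id, hop, end)
    check_flags(hdr)
    return hdr


def parse_avps(buf: bytes) -> List[Avp]:
    avps, i = [], 0
    while i < len(buf):
        if i + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[i:i + 4])[0]
        flags, length = buf[i + 4], int.from_bytes(buf[i + 5:i + 8], "big")
        hdr_len = 12 if flags & AVP_V else 8
        if length < hdr_len or i + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack("!I", buf[i + 8:i + 12])[0] if flags & AVP_V else None
        avps.append(Avp(code, flags, vendor, buf[i + hdr_len:i + length]))
        i += length + (-length % 4)               # skip the padding the length does not count
    if i != len(buf):
        raise ValueError("missing AVP padding")
    return avps


def parse_message(buf: bytes) -> Tuple[Header, List[Avp]]:
    hdr = parse_header(buf)
    return hdr, parse_avps(buf[20:hdr.length])


def unknown_mandatory(avps: List[Avp], known: set) -> List[Avp]:
    """AVPs with the M bit that the receiver does not understand must make it reject the message."""
    return [a for a in avps if a.flags & AVP_M and (a.vendor_id, a.code) not in known]


def build_cer(hop: int, end: int) -> bytes:
    """Constructed CER: request bit set, base application 0, two mandatory AVPs."""
    return encode_message(CMD_CER, FLAG_R, 0, hop, end, [
        encode_avp(AVP_ORIGIN_HOST, b"nas1.example.net"),
        encode_avp(AVP_ORIGIN_REALM, b"example.net"),
    ])


if __name__ == "__main__":
    hdr, avps = parse_message(build_cer(0x1234, 0x5678))
    print(hdr)
    for a in avps:
        print(a.code, "M" if a.flags & AVP_M else "-", a.data)
```

Rejecting a request that carries the E bit, or an answer that carries the T bit, before the message reaches application code is cheap and removes a class of confusion bugs where a crafted error answer is routed as if it were a request.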

Page 30:

Session Management

The Diameter protocol starts a session with a request whose Auth-Session-State AVP is set to STATE_MAINTAINED.

When the server receives such a message it keeps the state of the session and does not release the associated network resources until the session terminates.

Every message belonging to one session, in either direction, carries the same Session-Id AVP, and that Session-Id must be globally unique.

A session can also create child sessions (sub-sessions), and in the same manner several sessions can be established for one user.

Page 31:

Session Management contd.

There are two types of Diameter session.

1. The authorization session, used for authentication and authorization.

2. The accounting session, used for accounting.

A Diameter session can be stateful or stateless. This depends on the application, i.e. on whether the application wants to maintain session state for a certain duration or not.

Page 32:

Comparison of RADIUS and Diameter Protocol

1. RADIUS: the server cannot initiate messages.
   Diameter: the server can initiate messages.

2. RADIUS: uses UDP, an unreliable transport, and relies solely on the shared secret for security.
   Diameter: uses TCP or SCTP, a reliable transport, with TLS or IPsec for security.

3. RADIUS: limited scalability.
   Diameter: more scalable than RADIUS.

4. RADIUS: does not support capability negotiation.
   Diameter: supports capability negotiation.

5. RADIUS: poor version compatibility.
   Diameter: nodes learn each other's version number.

6. RADIUS: the server cannot demand re-authentication or re-authorization.
   Diameter: the server can demand re-authentication or re-authorization.

7. RADIUS: less reliable.
   Diameter: more reliable.

Page 33:

Comparison of RADIUS and Diameter Protocol contd.

8. RADIUS: provides no end-to-end authentication; security is hop by hop between NAS and server.
   Diameter: provides for end-to-end authentication.

9. RADIUS: stateless; no session state is maintained on the server.
   Diameter: maintains authentication and authorization session state.

Page 34:

Applications of RADIUS and Diameter

RADIUS Protocol

1. ISP
2. Email services
3. VPN (Virtual Private Network)
4. DSL
5. Web servers
6. Modems

Diameter Protocol

1. Credit Control application
2. Mobile IPv4 application
3. Network Access Server application

Page 35:

Summary

Usage of AAA.

The RADIUS protocol implements AAA to provide security for RADIUS clients and servers.

The Diameter protocol is a much more robust, secure and reliable protocol which implements AAA.

Diameter is a peer-to-peer protocol which maintains session state and has capability negotiation and error handling mechanisms.

Page 36:

Discussion Topic

Page 37:

Discussion Topic 1

1. The necessity of Authentication, Authorization and Accounting?

Page 38:

Discussion Topic 2

2. Does AAA serve perfectly? If there are limitations, what are they?

Page 39:

Discussion Topic 3

3. Which protocol is preferable, RADIUS or Diameter?

Page 40:

Thank You