Introduction to the RADIUS protocol
2 | RADIUS protocol Overview All Rights Reserved © Alcatel-Lucent 2007
Module Objectives
- Identify the elements and architecture of remote access to networks
- Understand the way the RADIUS protocol works
- Get to know the attributes that control different types of access technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc.)
- Learn how attributes and RADIUS packets are coded, and the purpose of a dictionary
- Cover the standard statistical information provided over SNMP
- View the extensions added to the RADIUS protocol
AAA
- Authentication: verify that a user really is who (s)he claims to be. Means: password, token cards, calling number, X.509 digital certificate, SIM card, etc.
- Authorization: check that the user can access the service (s)he is trying to. The server checks against a database, a file, etc. what the user can do, and restricts his/her access to the network.
- Accounting: write down what the user has done during his connection: connection time, bytes sent/received, access service, etc. Used to get statistics about user accesses, billing, etc.
Switched connection diagram
(Figure: User -> Modem -> PSTN -> NAS / RAS at the ISP POP (Point of Presence) -> Router -> Internet -> WebServer. PPP runs between the user and the NAS, with IP on top. The NAS / RAS queries the RADIUS AAA server, which consults the user DB.)
Different ways to do the AAA
- Local accounts in the NAS/RAS: only valid for a small number of users. Not valid if any user can connect at any NAS, since we would have to provision all users in all NASs.
- Proprietary software between the NAS and an external server.
- The RADIUS protocol: a NAS asks a server that holds centralized information about all users. Or its evolution: the Diameter NASREQ application.
- The TACACS protocol (tacacs, tacacs+, xtacacs): not widely implemented, apart from Cisco.
RADIUS: Basic Principles
- RADIUS is not the server itself, but the protocol used to exchange information.
- It is the protocol to communicate between a RADIUS client (typically the NAS = Network Access Server) and a remote AAA server.
- Standardized by the IETF (Internet Engineering Task Force) in several RFCs: 2865 & 2866, and enhanced in RFCs 2867, 2868 & 2869, 3576...
- Adopted by all vendors of access devices, as almost the only standard for AAA.
- RADIUS stands for: Remote Authentication Dial-In User Service.
Authentication DataFlow
(Figure: User -> NAS -> Internet; NAS <-> RADIUS Server <-> Users Database)
1. The user dials the modem pool and establishes a connection (UserID: bob, Password: ge55gep).
2. The NAS sends an Access-Request to the RADIUS server: User-Name: bob, Password: ge55gep, NAS-IP: 207.12.4.1.
3. The RADIUS server looks up the user in the users database ("Select UserID=bob"). The stored profile holds: password=ge55gep, Timeout = 3600, [other attributes].
4. The server returns an Access-Accept: Framed-IP-Address=217.213.21.5, Session-Timeout=3600, [other attributes].
5. The NAS applies the profile (Framed-Address=217.213.21.5) and the Internet PPP connection is established.
Accounting DataFlow (Start)
(Figure: User -> NAS -> Internet; NAS <-> RADIUS Server <-> ISP Accounting Database)
1. The PPP session comes up.
2. The NAS sends an Account-Request to the RADIUS server: Acct-Status-Type = Start, User-Name = bob, Framed-Address = 217.213.21.5, ...
3. The server writes the accounting "Start" record in the ISP accounting database:
   Sun May 10 20:47:41 1998 Acct-Status-Type = Start User-Name = bob Framed-Address=217.213.21.5 ...
4. The server returns an Acknowledgement to the NAS.
Accounting DataFlow (Stop)
(Figure: User -> NAS -> Internet; NAS <-> RADIUS server <-> ISP Accounting Database)
1. The user disconnects.
2. The NAS sends an Account-Request to the RADIUS server: Acct-Status-Type = Stop, User-Name = bob, Acct-Session-Time = 1432, ...
3. The server writes the accounting "Stop" record in the ISP accounting database:
   Sun May 10 20:50:49 1998 Acct-Status-Type = Stop User-Name = bob Acct-Session-Time = 1432 ...
4. The server returns an Acknowledgement to the NAS.
Fault Tolerance
Based on retransmissions by the RADIUS client.

RADIUS servers list in the NAS:
  #   Authentication  Accounting  Auth_Timer  Acct_Timer
  1)  10.0.1.1        10.0.1.3    3           10
  2)  10.0.1.2        10.0.1.4    3           10
  3)  10.0.1.3        10.0.1.5    3           10

Sequence (figure):
1. The NAS selects the first RADIUS server on the list (10.0.1.1).
2. The first RADIUS server replies, but the router drops the reply.
3. The NAS selects the second RADIUS server (10.0.1.2). The request does not get to the RADIUS server.
4. The NAS selects the third RADIUS server (10.0.1.3).
5. The reply is received and the transaction ends.

Note: the retransmission strategy is not standardized: some NASs fail over to another RADIUS server as soon as a timeout occurs; some NASs retry 1 or 2 times to the same RADIUS server before failing over.
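The failover walk described above, written out as an added example (this is not code from the deck or from any NAS vendor). It uses the server list and timers from the slide, injects the transport so it runs offline, and exposes the non-standardized part, how many times to retry one server before moving on, as a parameter. The `worst_case_delay` helper is an assumption of this example: it sums the timers to show how long the access side may have to wait when no server answers.

```python
"""NAS-side failover across the slide's RADIUS server list. Added example; not code
from the deck. The transport is injected (a fake one is provided) so it runs offline,
and retries_per_server models the part the RFCs leave to each NAS."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class RadiusServer:
    auth_ip: str
    acct_ip: str
    auth_timer: float   # seconds to wait for an Access-* reply
    acct_timer: float   # seconds to wait for an Accounting-Response


# The list from the slide
SERVER_LIST = [
    RadiusServer("10.0.1.1", "10.0.1.3", 3, 10),
    RadiusServer("10.0.1.2", "10.0.1.4", 3, 10),
    RadiusServer("10.0.1.3", "10.0.1.5", 3, 10),
]

Transport = Callable[[str, float, bytes], Optional[bytes]]


def send_with_failover(servers, request: bytes, transport: Transport,
                       retries_per_server: int = 1, accounting: bool = False):
    """Walk the list in order. For each server send up to retries_per_server
    times, waiting its timer each time; fail over when every try times out.
    Returns (reply or None, list of (ip, attempt_no, answered))."""
    attempts = []
    for srv in servers:
        ip = srv.acct_ip if accounting else srv.auth_ip
        timer = srv.acct_timer if accounting else srv.auth_timer
        for n in range(1, retries_per_server + 1):
            # A retransmission of the same request to the same server keeps the
            # same Identifier and Request Authenticator, so the server's duplicate
            # detection (Identifier + source IP/port) can recognise it.
            reply = transport(ip, timer, request)
            attempts.append((ip, n, reply is not None))
            if reply is not None:
                return reply, attempts
    return None, attempts


def worst_case_delay(servers, retries_per_server: int = 1, accounting: bool = False) -> float:
    """Seconds before the NAS gives up when nothing answers: what the PPP
    authentication phase on the access side has to tolerate."""
    timers = (s.acct_timer if accounting else s.auth_timer for s in servers)
    return sum(timers) * retries_per_server


def make_fake_transport(behaviour: dict):
    """Offline stand-in for a UDP socket. behaviour maps ip -> 'ok' |
    'reply-dropped' | 'unreachable'; from the NAS's point of view the last two
    are the same thing (a timeout), which is what the slide shows. No real wait."""
    log = []

    def transport(ip, timer, request):
        log.append(ip)
        return b"Access-Accept" if behaviour.get(ip) == "ok" else None

    transport.log = log
    return transport


def slide_scenario(retries_per_server: int = 1):
    """The slide's sequence: server 1 answers but the reply is dropped by the
    router, server 2 never receives the request, server 3 answers."""
    transport = make_fake_transport({"10.0.1.1": "reply-dropped",
                                     "10.0.1.2": "unreachable",
                                     "10.0.1.3": "ok"})
    reply, attempts = send_with_failover(SERVER_LIST, b"Access-Request", transport,
                                         retries_per_server)
    return reply, attempts


if __name__ == "__main__":
    reply, attempts = slide_scenario()
    print(reply, attempts)
    print("worst case, auth, 1 try per server:", worst_case_delay(SERVER_LIST), "s")
    print("worst case, acct, 2 tries per server:", worst_case_delay(SERVER_LIST, 2, True), "s")
```

With one try per server the slide's scenario costs two full Auth_Timer periods (6 s) before the third server answers; with the "retry 1 or 2 times" policy the same outage costs 12 or 18 s, which is why the timers in the list are short for authentication and longer for accounting.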
Information from NAS -> server for authentication
- Information related to the RADIUS client (NAS): NAS-IP-Address, or a unique identification (NAS-Id).
- Information to authenticate the user connecting: User-Name & Password.
- Information about the connection itself (for authorization): calling number, called number (or APN for GPRS/UMTS); modem/port taking the connection (NAS-Port); type of session (PPP, SLIP, ...); type of connection (POTS, ISDN, ADSL, UMTS, GPRS, etc.).
Authentication process in the server (I)
1. Decode the user's password (it travels encrypted), using the "shared secret key" known by both client and server.
2. Search for the user's connection profile in: a plain text file, an external SQL database, an LDAP server, the /etc/passwd file in UNIX, user accounts in Windows Domains, etc.
3. Authenticate the user.
Authentication process in the server (& II)
4. Optionally, check extra data (check-items): type of connection (POTS, ISDN, ADSL, cable, UMTS, etc.), time of day, calling number, called number, etc.
5. Send Accept/Reject to the NAS with the right attributes for this user session (reply-items): idle and session timeout, IP filters for this user, indication of the IP address to assign to the user, for ISDN the max. number of channels to bond together (MLPPP), etc.
Communication UDP ports
- Communication between client and server is done over UDP/IP.
- RADIUS authentication and accounting servers listen on 2 different ports. Servers can listen on any port, but it is advisable to use the standard ones (defined in the RFCs).
- RADIUS clients can send requests from any source UDP port they have available; this is not limited by the RFCs. All requests need not come from the same port, and usually don't, though NASs can be configured to send all requests from the same source UDP port. This is only advisable because of firewall restrictions.

  UDP Ports        New    Old
  Authentication   1812   1645
  Accounting       1813   1646
Why UDP? (RFC 2865)
- In RADIUS the retransmission feature provided by TCP is not necessary: if the client doesn't get an answer, it sends another request to a secondary server. The response to a retransmitted TCP request could arrive too late.
- It simplifies server implementation, especially for multi-threaded servers.
- It reduces network traffic: UDP has less overhead than TCP, and UDP need not establish a session before sending data.
PPP overview and traditional authentication methods
- The Point-to-Point Protocol (PPP) allows sending several protocols above its headers.
- The establishment of the PPP link requires certain handshaking:
  - LCP (Link Control Protocol) messages: to determine MLPPP, the MTU, and to decide the authentication algorithm for the user.
  - Authentication: depends on the protocol used (PAP, CHAP, MS-CHAPv2, EAP). During this stage the RADIUS server is contacted by the NAS.
  - NCP (Network Control Protocol): to negotiate extra parameters. IPCP: the IP address assigned to the user; CCP: whether the data is going to be compressed; ECP: whether the data is going to be encrypted.
Password Authentication Protocol (PAP)
- The password travels in the clear (unencrypted) over the PPP link.
- The password can be stored hashed in the RADIUS server.
- User credentials are verified only once, at the beginning of the connection.

Exchange (figure), Initiator (user) / Responder (NAS) / RADIUS server:
  Initiator -> Responder: PAP-Auth-Request #1 (Name=jsmith, Passwd=red)
  NAS -> RADIUS server:   Access-Request, User-Name=jsmith, User-Password=red
  RADIUS server -> NAS:   Access-Accept  -> Responder -> Initiator: PAP-Auth-Success #1 (Message="00")
  RADIUS server -> NAS:   Access-Reject  -> Responder -> Initiator: PAP-Auth-Failure #1 (Message="Incorrect Password")
Challenge Handshake Authentication Protocol (CHAP)
- The user password is hashed using MD5 together with a random challenge generated by the NAS (PPP responder).
- The password cannot be stored hashed in the RADIUS server.
- Optionally, the user can be authenticated several times during the lifetime of the session.

Exchange (figure), Initiator (user) / Responder (NAS) / RADIUS server:
  Responder -> Initiator: CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value=0c7d203....a8, Name=tnt2)
  Initiator -> Responder: CHAP-Auth-Response #1 (Chall. Length=16, Challenge Value=016b89....91, Name=john)
  NAS -> RADIUS server:   Access-Request, User-Name=john, CHAP-Password=016b89..91, [CHAP-Challenge=0c7d203...a8] (* the challenge may travel in the Authenticator field instead)
  RADIUS server -> NAS:   Access-Accept  -> Responder -> Initiator: CHAP-Auth-Success #1 (Message="00")
  RADIUS server -> NAS:   Access-Reject  -> Responder -> Initiator: CHAP-Auth-Failure #1 (Message="Incorrect Password")
LCP handshaking
In the LCP handshaking, the user and the NAS determine the authentication protocol to use: the user may accept the proposal from the server (the NAS), or may reject the server's proposal and expect to receive a new proposal.

Exchange (figure), Authenticator = Responder (NAS), Initiator = user:
  Rejecting the proposal:
    NAS  -> user: Config-Request #1 (MRU=1524, auth=PAP, ...)
    user -> NAS:  Config-Reject #1 (auth=PAP)
    NAS  -> user: Config-Request #2 (MRU=1524, auth=CHAP/MD5)
    user -> NAS:  Config-Ack #2 (MRU=1524, auth=CHAP/MD5)
  Accepting the proposal:
    NAS  -> user: Config-Request #1 (MRU=1524, auth=PAP, ...)
    user -> NAS:  Config-Ack #2 (MRU=1524, auth=PAP, ...)
Hashing of password
- The user password can only be hashed once (MD5, SHA1, etc.), either at database storage or when the user transmits it, as the hash algorithms are not reversible.
- However, passwords can be stored encrypted (3DES, AES, ...).

Which combinations work (table): the user password typed in this connection attempt (sent from the NAS) against the user password provisioned for this user (read from the database, text file, ...), stored either in the clear or hashed (MD5, SHA1):

  Auth. algorithm used                      | Stored in the clear | Stored hashed (MD5, SHA1)
  PAP, telnet/SSH... {User-Password(2)}     | OK                  | OK
  CHAP, EAP-MD5... {CHAP-Password(3), ...}  | OK                  | X
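The CHAP check from slide 18 and the PAP/CHAP rows of the table above, as an added example (not code from the deck): the server recomputes the CHAP response from the stored password, so a one-way hash in the database cannot stand in for the clear text, while the PAP path works against a hash because the server holds the clear password for that one request. The CHAP identifier, challenge, passwords and the SHA-256 choice for the stored hash are this example's own assumptions.

```python
"""CHAP check as the RADIUS server performs it (CHAP-Password(3) + CHAP-Challenge(60)),
beside the PAP check, to show why only PAP works against a hashed password store.
Added example for slides 18 and 20; not code from the deck. The CHAP identifier,
challenge and passwords are constructed."""
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(Identifier + secret + challenge). The PPP initiator
    computes this; the server must recompute it, so it needs the clear password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of CHAP-Password(3): one octet CHAP Ident followed by the 16-octet
    response, as the NAS copies it into the Access-Request."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side. stored_password must be the clear text (or decrypted from
    3DES/AES storage); a one-way hash in its place can never match."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


def password_hash(password: bytes) -> str:
    """DB-side one-way hash (SHA-256 chosen here; the slide lists MD5, SHA1)."""
    return hashlib.sha256(password).hexdigest()


def verify_pap(clear_password: bytes, stored_hash: str) -> bool:
    """Server side for PAP (after un-hiding User-Password): the server sees the
    clear text for this one request, so hashing it and comparing works."""
    return hmac.compare_digest(password_hash(clear_password), stored_hash)


if __name__ == "__main__":
    challenge = bytes(range(16))                       # constructed NAS challenge
    attr = build_chap_password(7, b"red", challenge)   # what the NAS sends
    print("CHAP vs clear password :", verify_chap(attr, challenge, b"red"))
    print("CHAP vs stored hash    :", verify_chap(attr, challenge, bytes.fromhex(password_hash(b"red"))))
    print("PAP vs stored hash     :", verify_pap(b"red", password_hash(b"red")))
```

The second print is the "X" cell of the table: the server has only `password_hash(b"red")` and cannot get back to `b"red"` to feed `chap_response`. Storing the password encrypted (3DES, AES) keeps CHAP working because the server can decrypt before calling `verify_chap`.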
RADIUS packet format

  Bytes    Field
  1        Type (code)
  2        Identifier
  3-4      Length
  5-20     Authenticator
  21-...   Attributes

- Identifier: identifies the packet, along with the source IP address and UDP port. Used to detect duplicate packets.
- Authenticator: in auth requests, used to encrypt the user password using the shared secret key (usually a random value); in replies and accounting, used to authenticate the message itself, similar to a digital signature.
- Length: length of the RADIUS packet, between 20 and 4096 bytes.
RADIUS packet types (RFC 2865)
- Access-Request (1): authentication requests from NAS to server
- Access-Accept (2): response from server to NAS accepting the user session
- Access-Reject (3): response from server to NAS rejecting the user session
- Access-Challenge (11): request from server to NAS, asking for additional info from the user. Used in token/crypto cards, and for EAP
- Account-Request (4): the NAS sends accounting information to the server
- Account-Response (5): the server ACKs the acct packet to the NAS
Authenticator field in auth
The 'Authenticator' field serves 2 purposes, depending on whether it is a request or an accept/reject:
- Encryption of some attributes (User-Password) in the Access-Request. Client side: a random number is placed in the Authenticator field; the MD5 hash of the shared key and that random number is XORed with the PAP password (clear text) to produce the User-Password attribute. Server side: the same MD5 hash of the shared key and the received Request Authenticator is XORed with the User-Password attribute to recover the clear password.
- Server authentication in the Access-Accept/Reject. Server side: the MD5 hash of the response packet (without authenticator), the Request Authenticator and the shared key is placed in the Authenticator field. Client side: the client computes the same MD5 hash from the response packet (without authenticator), the Request Authenticator it sent and the shared key. Match? Then the server is authenticated; otherwise the packet is discarded.
Authenticator field in acct
For accounting the authenticator only provides authentication of client and server, similar to a digital signature:
- Account-Request. Client side: the MD5 hash of the acct packet (without authenticator, i.e. with the field zeroed) and the shared key is placed in the Authenticator field (Request Authenticator). Server side: the server recomputes the same MD5 hash. Match? Then the client is authenticated; otherwise the packet is discarded.
- Account-Response. Server side: the MD5 hash of the response packet (without authenticator), the Request Authenticator and the shared key is placed in the Authenticator field. Client side: the client recomputes it. Match? Then the server is authenticated; otherwise the packet is discarded.
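The three uses of the Authenticator from this slide and the previous one, as an added example (not code from the deck): hiding and recovering User-Password, computing and checking the Response Authenticator of an Access-Accept/Reject, and computing and checking the Request Authenticator of an Account-Request. The shared secret, Request Authenticator and attribute bytes are constructed for the demonstration.

```python
"""RADIUS Authenticator arithmetic (RFC 2865 for Access-*, RFC 2866 for accounting).

Added example for slides 23 and 24; it is not code from the deck. The shared
secret, Request Authenticator and attribute bytes used below are constructed.
"""
import hashlib
import hmac
import os
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side (RFC 2865 5.2). Pad with NULs to a multiple of 16 (minimum 16,
    which is why the deck says User-Password is at least 16 bytes), then XOR
    every 16-byte block with MD5(secret + previous ciphertext block); the first
    "previous block" is the random Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password carries at most 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same key stream, XORed back; NUL padding is stripped (so a
    password that itself ends in NUL bytes cannot be carried this way)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password length must be a non-zero multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes(...)"""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Server side, RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret). The client recomputes this to authenticate the server."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), request_auth, attrs, secret)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side check of an Access-Accept/Reject/Challenge: recompute and
    compare; on mismatch the packet is discarded (the slide's "X Discard packet")."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def accounting_request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Client side, RFC 2866 section 3: MD5 over the Accounting-Request with the
    Authenticator field set to 16 zero octets, followed by the secret."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), b"\x00" * 16, attrs, secret)


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side check that the Account-Request came from a client that holds
    the secret; an Access-Request, by contrast, carries no such check."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        return False
    expected = accounting_request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed
    req_auth = os.urandom(16)                      # the NAS picks this at random
    hidden = hide_user_password(b"ge55gep", secret, req_auth)
    print("User-Password attribute value:", hidden.hex())
    print("recovered by the server:", reveal_user_password(hidden, secret, req_auth))
    attrs = b"\x1b\x06\x00\x00\x1c\x20"            # Session-Timeout(27) = 7200
    accept = build_packet(2, 1, response_authenticator(2, 1, attrs, req_auth, secret), attrs)
    print("Access-Accept verifies:", verify_response(accept, req_auth, secret))
    print("with the wrong secret:", verify_response(accept, req_auth, b"wrong"))
```

Two things the code makes visible: the User-Password hiding is a key stream derived from the secret and the Request Authenticator, so the randomness of that 16-byte field is what keeps two requests with the same password from looking alike; and only replies and accounting requests are authenticated, which is what the Message-Authenticator attribute in the Digest slides later adds for Access-Requests.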
Example of successful auth: dial-in user with PAP
(Figure: user on POTS -> Modem -> PSTN -> RADIUS client (NAS) -> IP -> RADIUS server)

Access-Request (1) - ID=1
  User-Name (1) = "pepe"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 255.255.255.254
  Framed-IP-Netmask (9) = 255.255.255.255
  Framed-Routing (10) = None (0)
  Framed-Compression (13) = VJ TCP/IP (1)
  Framed-MTU (12) = 1500
  Session-Timeout (27) = 7200
Example of a PPPoA (ADSL) connection
(Figure: PPPoA client -> ADSL line -> DSLAM -> ATM -> RADIUS client (BRAS) -> IP -> RADIUS server)

Access-Request (1) - ID=1
  User-Name = "user11@aunadsl"
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 1.2.3.4
  NAS-Port = 3329
  Ascend-NAS-Port-Format = 2_4_5_5
  NAS-Port-Type = Sync
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Session-Id = "483015958"

Access-Accept (2) - ID=1
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Ascend-Source-IP-Check = Source-IP-Check-Yes
  Ascend-IP-Source-If = "sip100"
  Framed-Pool = 1
  Filter-Id = Foo
  Ascend-Filter-Required = Required-Yes

Note: for ADSL with PPPoA, there is no Called-Station-Id or Calling-Station-Id. For PPPoE, they represent the Ethernet MAC addresses.
Example of a UMTS/GPRS connection
(Figure: Node B -> RNC -> SGSN -> RADIUS client (GGSN) -> IP -> RADIUS server)
The APN is sent in Called-Station-Id. It is used for the user to select the GGSN.

Access-Request (1) - ID=1
  NAS-Identifier (32) = "B-CER1N-GGSN2"
  User-Name (1) = "WAPTM"
  User-Password (2) = "§oà\009KFÏ\020#\145+\146®îf"
  NAS-Port-Type (61) = Virtual (5)
  Calling-Station-Id (31) = "34679912214"
  Called-Station-Id (30) = "wap.movistar.es"
  Acct-Session-Id (44) = "646704d51e069701"

Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 10.11.12.13
  Framed-IP-Netmask (9) = 255.255.255.255
  Session-Timeout (27) = 7200
  Idle-Timeout (28) = 3600
Example for CDMA2000 1xEVDO (HRPD): AN-AAA (A12 interface) (IS-878)
(Figure: AT (Access Terminal) -> BS (Base Station) -> RNC/PCF (BS Controller) -> PDSN (Packet Data Serving Node) over A8/A9 and A10/A11; PPP runs between AT and PDSN; the RNC/PCF is the RADIUS client towards the AN-AAA)
The A12 interface (AN - AAA) is used:
- to perform access authentication (with CHAP) of the AT device by the AN. The User-Name is the IMSI of the SIM card (MCC, MNC, MN_ID).
- to return the MN ID (e.g. the IMSI) that is used on the A8/A9 and A10/A11 interfaces. This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and cdma2000 systems.

Access-Request
  User-Name = [email protected]
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 192.168.20.2
  3GPP2-HRPD-Access-Authentication = True
  3GPP2-AT-Hardware-Id = 012…9012

Access-Accept (2)
  Callback-Id (20) = 0260071234567890
Example for CDMA2000 1xEVDO (HRPD): PDSN-AAA for Simple IP (IS-835)
(Figure: AT (Access Terminal) -> BS (Base Station) -> RNC/PCF (BS Controller) -> A10/A11 -> PDSN (Packet Data Serving Node), which is the RADIUS client; PPP runs between AT and PDSN)
- The PDSN is the "classical" PPP server. The AAA server might return 1 IPv4 and/or 1 IPv6 address for the user to choose, or the PDSN will select it from a local pool.
- New Access-Requests are sent when the AT hands off between PCFs. Each is correlated to the current session with the 3GPP2-Correlation-Id AVP.

Access-Request
  User-Name = [email protected]
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 192.168.30.3
  NAS-Port-Type = Wireless-1X-EV
  3GPP2-Correlation-Id = 1234
  Calling-Station-Id = 0260071234567890

Access-Accept
  [Framed-IP-Address = 10.1.2.3]
  Session-Timeout = 7200
Example of pre-auth followed by PPP negotiation
(Figure: PSTN -> NAS -> IP -> RADIUS server)
- The pre-auth is done before the NAS takes the call off-hook. It requires ISDN signalling (Q.931) or SS7 with a softswitch (MGC).
- The server decides to allow/refuse taking the call off-hook based on the calling number (CLID) or the called number (DNIS).
- PPP users normally must also do PPP authentication (PAP, CHAP, etc.) later.

Access-Request (1) - ID=127
  User-Name (1) = "909390390"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 909390390
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=127
  Ascend-Require-Auth (26->529(201)) = Require-Auth (1)
Example of pre-auth for dataphones (PoS)
(Figure: dataphone -> PSTN -> NAS -> PAD -> X.25 -> Bank X; the NAS is the RADIUS client of the RADIUS server)
The RADIUS server instructs the NAS how to handle this call, and even what modulation to use, before taking the call off-hook. The bank system has an X.25 network.

Access-Request (1) - ID=10
  User-Name (1) = "090"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 090
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=10
  User-Name = "PoS"
  Service-Type = Login
  Login-Service = TCP-clear
  Login-IP-Host = 192.168.20.4
  Login-TCP-Port = 8419
  Ascend-AT-Answer-String = "&t4s18=15+MS=1&g2S220=11S221=50S10=3"
Example of proxy-RADIUS
(Figure: NAS -> IP -> Forwarding Server -> IP -> Remote Server)
A RADIUS server redirects the request to a remote server, based on Called-Station-Id or on the user realm.

1. NAS -> Forwarding Server: Access-Request (1) - ID=100
     User-Name (1) = "pepe@realm1"
     User-Password (2) = 5E%&gn)8
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
2. Forwarding Server -> Remote Server: Access-Request (1) - ID=200
     User-Name (1) = "pepe@realm1"
     User-Password (2) =
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
     [Proxy-State (33) = 11379994]
3. Remote Server -> Forwarding Server: Access-Accept (2) - ID=200
     Service-Type (6) = Framed (2)
     Framed-Protocol (7) = PPP (1)
     [Proxy-State (33) = 11379994]
4. Forwarding Server -> NAS: Access-Accept (2) - ID=100
     Service-Type (6) = Framed (2)
     Framed-Protocol (7) = PPP (1)
     Framed-IP-Address (8) = 198.197.196.195
     Framed-IP-Netmask (9) = 255.255.255.255
     Session-Timeout (27) = 36000
Example of PPP tunneling: attribute coding as in RFC 2868 (tagged)
(Figure: user on POTS -> Modem -> POTS -> RADIUS client / Tunnel client (LAC) -> Public IP network -> Tunnel server (LNS) 1.1.1.1 and Tunnel server (LNS) 2.2.2.2 -> Intranet with a corporate RADIUS server; the LAC talks to the public RADIUS server)

Access-Request (1) - ID=8
  User-Name (1) = "pepe@tunnel"
  CHAP-Password (3) = 5E%&gn)8
  CHAP-Challenge (60) = A0B1...23
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=8
  Tunnel-Type (64) = L2TP : 1
  Tunnel-Medium-Type (65) = IPv4
  Tunnel-Server-Endpoint (67) = 1.1.1.1 : 1
  Tunnel-Password (69) = loloaqic : 1
  Tunnel-Type (64) = PPTP : 2
  Tunnel-Server-Endpoint (67) = 2.2.2.2 : 2
  Tunnel-Password (69) = itsAsecret : 2
(The ": 1" / ": 2" suffix is the tag that groups the attributes of each tunnel alternative.)
Example for IPsec authentication: X-auth over IKE with Lucent Brick-LSMS
(Figure: IPsec client = user <-> X-auth in IKE <-> IPsec server (Lucent Brick) 135.88.101.91; RADIUS client (LSMS) 135.88.101.111 <-> RADIUS server)
- Example with IKE authentication of the tunnel endpoints with a pre-shared key.
- User authentication with X-auth, with login/password.

Access-Request (1) - ID=150
  User-Name (1) = "usu1"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 135.88.101.111
  Called-Station-Id (30) = 135.88.101.91
  Service-Type (6) = Authenticate-Only (8)
  NAS-Port-Type (61) = Virtual (5)

Access-Accept (2) - ID=150
  Session-Timeout (27) = 86400
  Idle-Timeout (28) = 3600
  [Connect-Info (77) = user_group1]
  [Framed-IP-Address (8) = 135.88.101.222]
Authentication for device administration: example with Lucent TAOS
(Figure: administrator at 1.2.3.4 -> telnet -> TNT2 -> IP -> RADIUS server)

Access-Request (1) - ID=10
  User-Name (1) = "amdinuser"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 0
  NAS-Port-Type (61) = Virtual (5)
  Service-Type (6) = Administrative (6)
  [Calling-Station-Id = 1.2.3.4]

Access-Accept (2) - ID=10
  Service-Type (6) = Administrative (6)
  Ascend-Telnet-Profile (26->529:91) = "Admin"
Example of failed authentication: Crypto-Card (Challenge-Response)
(Figure: user -> PSTN -> NAS -> IP -> RADIUS server -> proprietary protocol -> Token Card Server)
1. NAS -> RADIUS server: Access-Request (1) - ID=2
     User-Name (1) = "mycard"
     User-Password (2) =
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
2. & 3. The RADIUS server asks the Token Card Server for a challenge (proprietary protocol).
4. RADIUS server -> NAS: Access-Challenge (11) - ID=2
     Reply-Message (18) = "Challenge:12345678"
     State (24) = "13579"
     Prompt (76) = Echo (1)
     Session-Timeout (27) = 120
5. The NAS shows the user: Challenge: 12345678
6. The user types: Response: 24058419
7. NAS -> RADIUS server: Access-Request (1) - ID=3
     User-Name (1) = "mycard"
     User-Password (2) = 24058419
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
     State (24) = "13579"
8. RADIUS server -> NAS: Access-Reject (3) - ID=3
     Reply-Message (18) = "Invalid Credentials"
Digest Authentication for HTTP/SIP (I) (RFC 4590)
Example to authenticate & authorize every VoIP call (INVITE). The authentication could also be done only during registration.
(Figure: SIP UA (AOR: [email protected]) -> SIP proxy server (RADIUS client) -> RADIUS server with users' database; callee SIP UA (AOR: [email protected]))

1. SIP UA -> SIP proxy: INVITE
     From: <sip:[email protected]>
     To: <sip:[email protected]>
2. SIP proxy -> SIP UA: 100 TRYING
3. SIP proxy -> RADIUS server: Access-Request
     User-Name = 123
     NAS-IP-Address = 192.0.2.38
     NAS-Port-Type = Virtual
     Digest-Method = INVITE
     Digest-URI = sip:[email protected]
     Message-Authenticator = 08…8043
4. RADIUS server -> SIP proxy: Access-Challenge
     Digest-Nonce = 3bada1a0
     Digest-Realm = example.com
     Digest-Qop = auth
     Digest-Algorithm = MD5
     Message-Authenticator = f8…da40
     State = 27
5. SIP proxy -> SIP UA: 407 Proxy Authentication Required
     Proxy-Authenticate: Digest realm="example.com", nonce="3bada1a0", qop=auth, algorithm=MD5
     Content-Length: 0
6. SIP UA -> SIP proxy: ACK
Digest Authentication for HTTP/SIP (II) (RFC 4590)
(Figure: SIP UA (AOR: [email protected]) -> SIP proxy server (RADIUS client) -> RADIUS server with users' database; callee SIP UA (AOR: [email protected]))

1. SIP UA -> SIP proxy: INVITE
     From: <sip:[email protected]>
     To: <sip:[email protected]>
     Proxy-Authorization: Digest username="123", realm="example.com", response="f3c…97a4", algorithm="md5", nonce="3bada1a0", uri="sip:[email protected]", qop=auth, algorithm=MD5
2. SIP proxy -> RADIUS server: Access-Request
     User-Name = 123
     NAS-IP-Address = 192.0.2.38
     NAS-Port-Type = Virtual
     Digest-Method = INVITE
     Digest-URI = sip:[email protected]
     SIP-AOR = sip:[email protected]
     Digest-Username = 123
     Digest-Realm = example.com
     Digest-Response = f3c…97a4
     Digest-Cnonce = 0a7e75c4
     Digest-Nonce-Count = 1
     Digest-Algorithm = md5
     Digest-Nonce = 3bada1a0
     Digest-Qop = auth
     Message-Authenticator = ff…e0ff
     State = 27
3. RADIUS server -> SIP proxy: Access-Accept
     Digest-Response-Auth = 63…e954
     Digest-Nextnonce = fd0a…8765
     Message-Authenticator = 75…aaf1

NOTE: the next authentication for this user could save a round-trip if the RADIUS client uses the Digest-Nextnonce to challenge the user.
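The arithmetic behind the two Digest slides, as an added example (not code from the deck): how the UA derives Digest-Response from the challenge, and how the RADIUS server verifies it against the users' database and produces Digest-Response-Auth and a Digest-Nextnonce. The nonce, realm and username are the slide's; the password, cnonce, callee URI and the nonce bookkeeping keyed by State are this example's own assumptions. The known-answer check uses the worked example from RFC 2617 section 3.5.

```python
"""Digest computation and verification behind RFC 4590's Digest-* attributes.
Added example; not code from the deck. Realm, nonce and username follow the slide;
password, cnonce and callee URI are constructed."""
import hashlib
import hmac
import secrets


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri). nc is the 8-hex-digit
    nonce count exactly as it appears in the SIP header."""
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response_auth(username, realm, password, uri, nonce, nc, cnonce, qop="auth"):
    """rspauth, returned as Digest-Response-Auth: same formula with an empty
    method in HA2, so the proxy/UA can check the server knew the password too."""
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f":{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_selfcheck() -> bool:
    """Known-answer test: the worked example of RFC 2617 section 3.5 (GET)."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b") == "6629fae49393a05397450978507c4ef1"


# The Access-Challenge of slide 37, as attribute name -> value
SLIDE_CHALLENGE = {"Digest-Nonce": "3bada1a0", "Digest-Realm": "example.com",
                   "Digest-Qop": "auth", "Digest-Algorithm": "MD5", "State": "27"}


def ua_answer(challenge: dict, username: str, password: str, method: str, uri: str,
              cnonce: str, nc: int = 1) -> dict:
    """What the SIP UA computes for Proxy-Authorization, mapped to the Digest-*
    attributes the proxy copies into the second Access-Request (slide 38)."""
    nc_hex = f"{nc:08x}"
    realm, nonce, qop = challenge["Digest-Realm"], challenge["Digest-Nonce"], challenge["Digest-Qop"]
    return {"Digest-Username": username, "Digest-Realm": realm, "Digest-Nonce": nonce,
            "Digest-Method": method, "Digest-URI": uri, "Digest-Qop": qop,
            "Digest-CNonce": cnonce, "Digest-Nonce-Count": nc_hex, "Digest-Algorithm": "MD5",
            "Digest-Response": digest_response(username, realm, password, method, uri,
                                               nonce, nc_hex, cnonce, qop),
            "State": challenge["State"]}


def server_verify(req: dict, issued_nonces: dict, stored_password: str):
    """RADIUS server side. issued_nonces maps State -> nonce we handed out, so a
    nonce we never issued (or one re-used under another State) is rejected before
    any hashing. Returns the Access-Accept attributes, or None for Access-Reject."""
    if issued_nonces.get(req.get("State")) != req.get("Digest-Nonce"):
        return None
    args = (req["Digest-Username"], req["Digest-Realm"], stored_password)
    tail = (req["Digest-Nonce"], req["Digest-Nonce-Count"], req["Digest-CNonce"], req["Digest-Qop"])
    expected = digest_response(*args, req["Digest-Method"], req["Digest-URI"], *tail)
    if not hmac.compare_digest(expected, req["Digest-Response"]):
        return None
    return {"Digest-Response-Auth": digest_response_auth(*args, req["Digest-URI"], *tail),
            "Digest-Nextnonce": secrets.token_hex(8)}


if __name__ == "__main__":
    print("RFC 2617 vector ok:", rfc2617_selfcheck())
    req = ua_answer(SLIDE_CHALLENGE, "123", "constructed-pw", "INVITE",
                    "sip:callee@example.com", "0a7e75c4")
    print(server_verify(req, {"27": "3bada1a0"}, "constructed-pw"))
```

The `State` attribute is what lets the server tie the second Access-Request to the nonce it issued in the Access-Challenge; without that check any value in Digest-Nonce would be accepted as long as the client hashed consistently with it.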
Main attributes (I) (RFC 2865)
- User-Name (1): mandatory in Access-Request & Acct-Request. The server may send it back in the Access-Accept, so that the NAS sends this new User-Name in Acct-Request packets.
- User-Password (2): encrypted password with PAP authentication. Minimum length: 16 bytes (due to the encryption algorithm). Only in Access-Request. Also contains the characters introduced by the user after an Access-Challenge.
- CHAP-Password (3): encrypted password with CHAP authentication.

Attribute coding:
  Attrib. ID (1 byte) | Attrib. length (1 byte) | Attrib. value (...)
Main attributes (II) (RFC 2865)
- CHAP-Challenge (60): challenge sent from the NAS to the user for CHAP authentication. Optionally, this CHAP challenge can be sent in the authenticator field.
- NAS-IP-Address (4): IP address of the RADIUS client.
- NAS-Port (5): physical port (modem) in the NAS processing the connection. If there is not a physical modem, this number is virtual (a sequence).
- Service-Type (6): type of service the user is requesting (Access-Request), or (s)he is allowed to have (Access-Accept): Login (1): the user is doing a telnet (TCP connection) to a host; Framed (2): usually, a PPP session with an IP address; Callback Login (3), Callback Framed (4); Administrative (6): to manage a NAS via telnet; Call-Check (10): for pre-authentication.
Main attributes (III) (RFC 2865)
- Framed-Protocol (7): when Service-Type=Framed: PPP (1), SLIP (2), etc.
- Framed-IP-Address (8): IP address to assign to the user. Can be a regular IP address, or one of the special addresses meaning: 255.255.255.254 = the NAS assigns dynamically one from any pool; 255.255.255.255 = the user may choose his/her IP address.
- Framed-IP-Netmask (9): usually 255.255.255.255 (1 IP address).
- Framed-Routing (10): used for modem-routers talking RIP: None (0), Send routing packets (1), Listen for routing packets (2), Send and Listen (3).
- Filter-Id (11): name of the filter to apply to the user. This filter name must be defined in the NAS or with a VSA.
Main attributes (IV) (RFC 2865)
- Framed-MTU (12): 'Maximum Transmission Unit' for layer 2.
- Framed-Compression (13): VJ TCP/IP header compression for PPP (1).
- Login-IP-Host (14): in the Access-Accept, the server tells the NAS the IP address of a host to establish a TCP connection to. Used when Service-Type=Login.
- Login-Service (15): when Service-Type=Login: Telnet (0), Rlogin (1), TCP Clear (2), etc.
- Reply-Message (18): for an Access-Challenge, the message to show to the user. For an Access-Reject, may contain the cause for rejecting the connection.
Main attributes (V) (RFC 2865)
- Vendor-Specific (26): specific attributes for this device, not defined by the IETF but by the vendor who made the device (NAS).
- Session-Timeout (27): max. connection time (sec.).
- Idle-Timeout (28): max. idle time (sec.).
- Called-Station-Id (30): also called DNIS. In GPRS/UMTS: the APN.
- Calling-Station-Id (31): also called CLID.

Vendor-Specific coding:
  26 (1 byte) | Length (1 byte) | Vendor ID (4 bytes) | VSA1 ID (1, or 2, bytes) | VSA1 Length (1 byte) | VSA1 Value | VSA2 ID | VSA2 Length | VSA2 Value | ...
Main attributes (& VI) (RFC 2865)
- NAS-Id (32): alternative to the attribute NAS-IP-Address to identify the NAS sending the requests.
- Proxy-State (33): may be used when a server is acting as proxy-RADIUS. The NAS never receives this attribute.
- NAS-Port-Type (61): Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4) = Mobile, Virtual (5): i.e. access via telnet, xDSL (16), Cable (17), GPRS (18), Wi-Fi=802.11 (19), CDMA2000 (22), UMTS (23).
- Port-Limit (62): to limit the max. number of calls that can be bonded together with MP (Multilink-Protocol), or of concurrent sessions with the same User-Name.
Protocol enhancement: RFCs 2867->2869
- In RFCs 2867 and 2868 new attributes are defined for tunneled connections (mainly L2TP).
- RFC 2869 defines some general user attributes:
  - Prompt (76): in a Challenge-Response, to tell the NAS whether it has to echo the user response.
  - Connect-Info (77): may show info about the user connection and speed. The format is NAS/vendor dependent, e.g. "28800 V42BIS/LAPM", "52000/31200 V90", "9600 V110/ISDN".
  - Acct-Interim-Interval (85): the RADIUS server can order the NAS to send Interim acct packets with a certain periodicity.
  - Framed-Pool (88): in the Access-Accept, to tell the NAS what pool to use for user IP address assignment. This pool must be defined locally in the NAS.
Packet coding

  01 01 00 38                                              Message Type = Access-Request (1), Packet ID = 1, Length = 56
  0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a          Request Authenticator
  01 06 6e 65 6d 6f                                        Attrib ID = User-Name (1), Length = 6, Value = nemo
  02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee    ID = User-Password (2), Length = 18, password encrypted using the authenticator field
  04 06 c0 a8 01 10                                        Attrib = NAS-IP-Address (4), Length = 6, Value = 192.168.1.16
  05 06 00 00 00 03                                        Attrib = NAS-Port (5), Length = 6, Value = 3
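A decoder that walks the bytes above, as an added example covering the packet format of slide 21, the Vendor-Specific layout of slide 43 and this slide (not code from the deck): it checks the header Length against the datagram, rejects attributes whose Length field would run past the packet, and looks the numbers up in a small dictionary, which is what the deck means when it says a dictionary is needed. The attribute dictionary is a constructed subset; the `SLIDE_PACKET_HEX` bytes are the slide's own (they are also the worked example packet in RFC 2865 section 7.1). Vendor sub-attributes are assumed to use 1-byte ids.

```python
"""Decoder for the RADIUS packet on the slide, following the packet layout of slide 21
and the Vendor-Specific(26) layout of slide 43. Added example; not code from the deck.
The attribute dictionary is a constructed subset."""
import ipaddress
import struct

PACKET_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Why a dictionary is needed: the wire carries only numbers; names and types come from here.
ATTRIBUTES = {
    1: ("User-Name", "string"), 2: ("User-Password", "octets"), 3: ("CHAP-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"), 5: ("NAS-Port", "integer"), 6: ("Service-Type", "integer"),
    7: ("Framed-Protocol", "integer"), 8: ("Framed-IP-Address", "ipaddr"),
    26: ("Vendor-Specific", "vsa"), 27: ("Session-Timeout", "integer"),
    40: ("Acct-Status-Type", "integer"), 44: ("Acct-Session-Id", "string"),
}

SLIDE_PACKET_HEX = (
    "01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a "
    "01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee "
    "04 06 c0 a8 01 10 05 06 00 00 00 03"
)


def decode_value(typ: str, data: bytes):
    if typ == "string":
        return data.decode("utf-8", "replace")
    if typ == "integer" and len(data) == 4:
        return struct.unpack("!I", data)[0]
    if typ == "ipaddr" and len(data) == 4:
        return str(ipaddress.IPv4Address(data))
    return data  # octets, or a malformed length: keep the raw bytes rather than guess


def parse_vsa(data: bytes):
    """Vendor-Specific value: 4-byte Vendor-Id, then (id, length, value) sub-attributes
    with the same 1/1/n layout as top-level attributes (1-byte ids assumed here)."""
    if len(data) < 4:
        raise ValueError("Vendor-Specific shorter than Vendor-Id")
    vendor = struct.unpack("!I", data[:4])[0]
    subs, pos = [], 4
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated vendor sub-attribute header")
        sid, slen = data[pos], data[pos + 1]
        if slen < 2 or pos + slen > len(data):
            raise ValueError(f"bad vendor sub-attribute length {slen}")
        subs.append((sid, data[pos + 2:pos + slen]))
        pos += slen
    return vendor, subs


def parse_attributes(data: bytes):
    """Attribute = Type(1) Length(1) Value(Length-2). Length covers the 2-byte header,
    so anything below 2 or past the end of the packet is malformed and rejected."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        name, typ = ATTRIBUTES.get(atype, (f"Attr-{atype}", "octets"))
        attrs.append((atype, name, parse_vsa(value) if typ == "vsa" else decode_value(typ, value)))
        pos += alen
    return attrs


def parse_packet(raw: bytes) -> dict:
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16). Length must be
    20..4096 and must not exceed the datagram; octets beyond Length are ignored."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= 4096 or length > len(raw):
        raise ValueError(f"invalid Length {length} for a {len(raw)}-byte datagram")
    return {"code": code, "type": PACKET_CODES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": raw[4:20].hex(),
            "attributes": parse_attributes(raw[20:length])}


if __name__ == "__main__":
    for key, val in parse_packet(bytes.fromhex(SLIDE_PACKET_HEX)).items():
        print(f"{key}: {val}")
```

The length checks are the part worth keeping in any real receiver: an attribute Length of 0 or 1 would otherwise loop forever, and a Length larger than the remaining bytes would read past the datagram.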
Accounting special attributes (I)
- Acct-Status-Type (40): type of accounting packet: Start (1), Stop (2), Interim-Update (3), etc. Accounting-On (7), Accounting-Off (8): the NAS is going to be / has been rebooted and won't send the Stop packets of the users connected at that moment.
- Acct-Delay-Time (41): number of seconds between the acct event time and the generation of this packet. Used mainly in retransmissions, with a value != 0.
- Acct-Input-Octets (42): in Stop/Interim, bytes transmitted by the user (input bytes for the NAS) from the beginning of the session = upstream.
- Acct-Output-Octets (43): bytes received by the user = downstream.
- Acct-Input-Packets (47), Acct-Output-Packets (48): the same counters, in packets.
Accounting special attributes (& II)
- Acct-Session-Id (44): identifies a session in a unique manner in the NAS. This attribute may also be sent in the Access-Request packet (auth). The value must be the same in Start, Stop and Interim (and in auth).
- Acct-Authentic (45): the way the user got authenticated: RADIUS (1), Local (2), Remote (3).
- Acct-Session-Time (46): how long (in seconds) the user was connected (Stop), or has been connected up to this moment (Interim).
- Acct-Terminate-Cause (49): general cause: User Request (1), Lost Carrier (2), Idle Timeout (4), Callback (16), ...
- Acct-Multi-Session-Id (50): for MLPPP sessions, each call will have a different Acct-Session-Id, but the same Acct-Multi-Session-Id.
- Acct-Link-Count (51): in MLPPP, the max. number of channels that have been bonded together.
Example of acct START packet, TAOS 9.x
Tue Ago 28 11:15:45 2001
  User-Name = "user1_basic"
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Acct-Status-Type = Start
  Acct-Delay-Time = 0
  Acct-Session-Id = "262282375"
  Acct-Authentic = RADIUS
  Calling-Station-Id = "917410029"
  Called-Station-Id = "917434000"
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1
Example of acct STOP packet (I) TAOS 9.x
Tue Ago 28 11:16:59 2001
  User-Name = "user1_basico"
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Acct-Status-Type = Stop
  Acct-Delay-Time = 0
  Acct-Session-Id = "262282375"
  Acct-Authentic = RADIUS
  Acct-Session-Time = 74
  Acct-Input-Octets = 459078
  Acct-Output-Octets = 4440286
  Calling-Station-Id = "917410029"
  Called-Station-Id = "917434000"
Example of acct STOP packet (& II) TAOS 9.x
  Ascend-Data-Rate = 31200
  Ascend-Xmit-Rate = 48000
  Ascend-Disconnect-Cause = 185
  Ascend-Connect-Progress = LAN-session-is-up
  Ascend-PreSession-Time = 0
  Ascend-First-Dest = 10.81.44.111
  Ascend-Pre-Input-Octets = 174
  Ascend-Pre-Output-Octets = 204
  Ascend-Pre-Input-Packets = 7
  Ascend-Pre-Output-Packets = 8
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19
Message flow for a connection (NAS <-> RADIUS server; the user reaches the NAS over the PSTN)
1. Because of signalling, the NAS is aware it has an incoming call. Optionally, it asks the RADIUS server before taking the call off-hook (pre-auth):
   NAS -> server: Access-Request
   server -> NAS: Access-Accept
2. After taking the call off-hook, a "regular" auth packet is sent (User-Name/Password):
   NAS -> server: Access-Request
   server -> NAS: Access-Accept
3. The user successfully starts the session:
   NAS -> server: Accounting-Request (START)
   server -> NAS: Accounting-Response
4. Optionally, the NAS informs the server periodically that the session is still up:
   NAS -> server: Accounting-Request (INTERIM)
   server -> NAS: Accounting-Response
   (repeated while the session lasts)
5. The user hangs up:
   NAS -> server: Accounting-Request (STOP)
   server -> NAS: Accounting-Response
Accounting-Off example
An Accounting-Off packet MAY be sent when the NAS stops sending accounting packets for users, because of a reset, or because the RADIUS feature has been disabled
RADIUS client (NAS) -> RADIUS server, over IP:
  Acct-Request (4) - ID=27
    NAS-IP-Address (4) = 192.168.20.2
    Acct-Status-Type (40) = Accounting-Off (8)
    Acct-Delay-Time (41) = 10
    Acct-Session-Id (44) = 891236709
RADIUS server -> RADIUS client (NAS):
  Acct-Response (5) - ID=27
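Added example (Python, not code from the deck or from TAOS): a small reconciler for accounting records in the "Attribute = value" detail format of the START/STOP slides. It keys sessions by (NAS-IP-Address, Acct-Session-Id), subtracts Acct-Delay-Time (41) to recover the event time, closes a session on Stop with its Acct-Session-Time and upstream/downstream octets, and, as the Accounting-On/Off slide explains, closes every open session of a NAS when Accounting-On/Off arrives because no Stop will follow. The records below are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed detail-file records (timestamp line, then "Attribute = value" lines,
# blank line between records), modelled on the START/STOP slides above.
SAMPLE_DETAIL = """\
Tue Aug 28 11:15:45 2001
 NAS-IP-Address = 192.168.10.1
 Acct-Status-Type = Start
 Acct-Session-Id = "262282375"
 User-Name = "user1_basic"

Tue Aug 28 11:16:59 2001
 NAS-IP-Address = 192.168.10.1
 Acct-Status-Type = Stop
 Acct-Session-Id = "262282375"
 Acct-Session-Time = 74
 Acct-Input-Octets = 459078
 Acct-Output-Octets = 4440286

Tue Aug 28 11:20:00 2001
 NAS-IP-Address = 192.168.10.1
 Acct-Status-Type = Start
 Acct-Session-Id = "262282399"
 User-Name = "user2"

Tue Aug 28 11:30:10 2001
 NAS-IP-Address = 192.168.10.1
 Acct-Status-Type = Accounting-Off
 Acct-Delay-Time = 10
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_detail(text):
    """Yield (event_time, attrs) per record; event_time = log time minus Acct-Delay-Time (41)."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        logged = datetime.strptime(lines[0].strip(), TIME_FMT)
        attrs = {}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        yield logged - timedelta(seconds=int(attrs.get("Acct-Delay-Time", 0))), attrs


def reconcile(text):
    """Return (closed, still_open); sessions are keyed by (NAS-IP-Address, Acct-Session-Id)."""
    open_sessions, closed = {}, []
    for when, a in parse_detail(text):
        nas, status = a.get("NAS-IP-Address"), a.get("Acct-Status-Type")
        key = (nas, a.get("Acct-Session-Id"))
        if status == "Start":
            open_sessions[key] = {"nas": nas, "session_id": key[1],
                                  "user": a.get("User-Name"), "start": when}
        elif status == "Stop" and key in open_sessions:
            s = open_sessions.pop(key)
            s.update(end=when, cause="Stop",
                     session_time=int(a.get("Acct-Session-Time", 0)),
                     upstream=int(a.get("Acct-Input-Octets", 0)),     # bytes sent by the user
                     downstream=int(a.get("Acct-Output-Octets", 0)))  # bytes received by the user
            closed.append(s)
        elif status in ("Accounting-On", "Accounting-Off"):
            # The NAS reset or stopped accounting: no Stop will ever arrive for its
            # sessions, so close all of them at this (delay-corrected) event time.
            for k in [k for k in open_sessions if k[0] == nas]:
                s = open_sessions.pop(k)
                s.update(end=when, cause=status, session_time=None,
                         upstream=None, downstream=None)
                closed.append(s)
    return closed, open_sessions
```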
Files in the server
Clients - Contains information about the RADIUS clients:
  IP address or FQDN
  Shared secret key
  Optionally, type of NAS, to know what dictionary it uses
Dictionary - Definition of all RADIUS attributes and their numeric coding:
  In text format: a person can read and edit that file
  Type of attribute: Text, String, Integer, IP Address, Date
  Possible values for enumeration attributes
Dictionary
#Keyword Attribute Name Attr.Num Attr.Type
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
...
# TAOS specific attributes (Ascend 0-255)
ATTRIBUTE Ascend-IP-Pool-Chaining 85 integer Ascend
ATTRIBUTE Ascend-IP-TOS 87 integer Ascend
ATTRIBUTE Ascend-IP-TOS-Precedence 88 integer Ascend
...
# RFC Attribute Values
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
...
# Vendor codes
VENDOR base 0
VENDOR livingston 307
VENDOR Ascend 529
VENDOR Lucent1751 1751
Dictionary File Decoding
RADIUS Request: ... | 6 | 6 | 0 | 0 | 0 | 2 | ...
  Attribute Number = 6
  Attribute Length (in bytes) = 6
  Attribute Value = 0 0 0 2
RADIUS Dictionary:
  ATTRIBUTE Service-Type 6 integer   (attribute number 6 is Service-Type, of type integer)
  VALUE Service-Type Framed-User 2   (value 2 of Service-Type is Framed-User)
Decoded attribute: Service-Type = Framed-User
Dictionary VSAs
Example Dictionary entry:
# Name Number Type [Vendor] [(Modifiers)]
VENDOR Ascend 529
ATTRIBUTE Ascend-Send-Secret 214 string Ascend (asecret,hidden)
Encoding on the wire:
| Attr. Number = 26 | Total Attr. Length | Vendor ID = 529 | data |
data = | VSA Attr. Number = 214 | VSA Attr. Length | VSA Attr. data |
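Added example (Python, not from the deck or from any RADIUS server product), serving both the Dictionary File Decoding slide and the VSA slide: it loads a dictionary in the ATTRIBUTE / VALUE / VENDOR text format, then walks attribute bytes as Type | Length | Value, resolving 6 | 6 | 0 0 0 2 to Service-Type = Framed-User and unwrapping a Vendor-Specific (26) attribute with Vendor ID 529 (Ascend) into its inner attribute. The dictionary excerpt and the byte string are constructed; every length field is checked before use, since a bad length is the usual way a malformed packet breaks a decoder.

```python
import struct
import ipaddress

# Constructed dictionary in the slides' text format; real server dictionaries are much larger.
DICTIONARY = """\
# Keyword  Attribute Name     Attr.Num  Attr.Type  [Vendor]
ATTRIBUTE  NAS-IP-Address     4         ipaddr
ATTRIBUTE  Service-Type       6         integer
ATTRIBUTE  Ascend-IP-TOS      87        integer    Ascend
ATTRIBUTE  Ascend-Send-Secret 214       string     Ascend
VALUE      Service-Type  Login-User   1
VALUE      Service-Type  Framed-User  2
VENDOR     Ascend  529
"""


def load_dictionary(text):
    """Parse ATTRIBUTE / VALUE / VENDOR lines into lookup tables."""
    attrs, vsas, values, vendors = {}, {}, {}, {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()        # strip comments, split on whitespace
        if not f:
            continue
        if f[0] == "ATTRIBUTE" and len(f) > 4:   # vendor-specific: keyed by vendor name
            vsas[(f[4], int(f[2]))] = (f[1], f[3])
        elif f[0] == "ATTRIBUTE":
            attrs[int(f[2])] = (f[1], f[3])
        elif f[0] == "VALUE":                    # VALUE <attr> <label> <number>
            values[(f[1], int(f[3]))] = f[2]
        elif f[0] == "VENDOR":                   # VENDOR <name> <id>; may follow its ATTRIBUTEs
            vendors[int(f[2])] = f[1]
    return attrs, vsas, values, vendors


def decode_value(name, typ, raw, values):
    """Render raw bytes per the dictionary type, resolving VALUE labels for integers."""
    if typ == "integer":
        n = struct.unpack("!I", raw)[0]
        return values.get((name, n), n)
    if typ == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    return raw.decode("utf-8", "replace")


def decode_attributes(data, dictionary):
    """Walk Type|Length|Value triples; Length counts the 2-byte header, so < 2 is malformed."""
    attrs, vsas, values, vendors = dictionary
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        raw = data[pos + 2:pos + length]
        if typ == 26:
            # VSA layout from the slide: | Vendor ID (4) | VSA Attr.Number | VSA Attr.Length | data |
            if len(raw) < 6 or raw[5] < 2 or 4 + raw[5] > len(raw):
                raise ValueError("bad VSA at offset %d" % pos)
            vendor_id, vtype, vlen = struct.unpack("!I", raw[:4])[0], raw[4], raw[5]
            name, vtyp = vsas.get((vendors.get(vendor_id), vtype),
                                  ("Vendor-%d-Attr-%d" % (vendor_id, vtype), "string"))
            out.append((name, decode_value(name, vtyp, raw[6:4 + vlen], values)))
        else:
            name, atyp = attrs.get(typ, ("Attr-%d" % typ, "string"))
            out.append((name, decode_value(name, atyp, raw, values)))
        pos += length
    return out


# Constructed attribute bytes: Service-Type = Framed-User exactly as drawn on the decoding
# slide (6 | 6 | 0 0 0 2), NAS-IP-Address, then Vendor-Specific (26) carrying Ascend-IP-TOS.
SAMPLE_ATTRS = (bytes([6, 6, 0, 0, 0, 2]) + bytes([4, 6, 192, 168, 10, 1])
                + bytes([26, 12]) + struct.pack("!I", 529) + bytes([87, 6]) + struct.pack("!I", 1))
```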
Device configuration via RADIUS (I)
Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.) have the capability of asking a RADIUS server about certain configuration parameters
This configuration is based on certain Pseudo-Users with pre-defined User-Names
The TAOS device will send an Access-Request (1) to the server with Service-Type=Outbound-User
Example of pseudo-users in TAOS:
  banner - To configure a message for Terminal Server
  pools-<device_name> - To define address pools for each device
  route-n - To define static routes and connections (Frame Relay, ATM, outgoing calls with PPP, etc.)
For other vendors, the pseudo-users may be different or even non-existent
Device configuration via RADIUS (II)
TAOS device -> RADIUS server, over IP:
  Access-Request (1) - ID=12
    User-Name (1) = "pools-TNT2"
    User-Password (3) = ascend
    NAS-IP-Address (4) = 192.168.20.2
    Service-Type (6) = Outbound-User (5)
RADIUS server -> TAOS device:
  Access-Accept (2) - ID=12
    Ascend-IP-Pool-Definition = "1 10.1.0.1 7"
    Ascend-IP-Pool-Definition = "2 10.2.0.1 48"
RADIUS extensions for NAS's
Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.) can receive RADIUS packets for reconfiguration of already connected users. In this case, the NAS can be considered as a server, as it receives requests and must send a response
The main actions a NAS may obey are:
  Disconnection of users
  Updating user filters on-the-fly
These instructions are coded using special RADIUS packet codes:
  40 & 41 | 42 = Disconnect-Request & ACK | NAK
  43 & 44 | 45 = Change-Filter-Request & ACK | NAK
The NAS should be listening for requests on UDP port 3799
RFC 2882, 3576
Example to disconnect a user
RADIUS server -> RADIUS client (NAS), over IP; the user is connected to the NAS over the PSTN:
1. Disconnect-Request (40) - ID=1
     User-Name (1) = pepe@terra
     Framed-IP-Address (8) = 193.168.1.2
     Acct-Session-Id (44) = 262282375
     Nas-IP-Address = 192.168.20.2
RADIUS client (NAS) -> RADIUS server, one of:
2A. Disconnect-Ack (41) - ID=1
2B. Disconnect-Nak (42) - ID=1
     Error-Cause (101) = Residual Session Context Removed (201)
NOTE: The RADIUS "client" should know to which IP address it must send the request. It will be different from the NAS-IP-Address if:
  - the Nas-Id attribute is used
  - there is a proxy RADIUS in between
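Added example (Python, not from the deck or from any vendor's TAOS code): what a NAS listening on UDP 3799 should do with a Disconnect-Request (40) before obeying it. Per RFC 3576 the Request Authenticator is MD5 over Code | Identifier | Length | 16 zero octets | attributes | shared secret, a packet that fails that check is silently discarded, and the Disconnect-Ack/Nak (41/42) carries a Response Authenticator computed with the request's authenticator in place. The shared secret, the session table and the Error-Cause value used for an unknown session (503, Session Context Not Found, from RFC 3576) are assumptions of the example.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ERROR_CAUSE = 101                    # Error-Cause attribute (RFC 3576)
SESSION_CONTEXT_NOT_FOUND = 503      # RFC 3576 cause for an unknown session; 201 (Residual
                                     # Session Context Removed) is an Ack-only cause in that RFC
SECRET = b"constructed-shared-secret"  # constructed for the example


def attr(num, value):
    """Encode one Type|Length|Value triple; an int value is sent as a 4-byte integer."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([num, 2 + len(value)]) + value


def build_packet(code, ident, attributes, secret, request_auth=None):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|attributes|secret);
    a response instead hashes with the request's authenticator in that field."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    seed = bytes(16) if request_auth is None else request_auth
    return header + hashlib.md5(header + seed + attributes + secret).digest() + attributes


def verify_request(packet, secret):
    """NAS side: accept only a packet whose Request Authenticator matches the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """Client side: the Response Authenticator is computed over the request's authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def nas_handle_disconnect(packet, secret, active_sessions):
    """Verify, then tear down the session named by Acct-Session-Id (44) and answer
    Disconnect-Ack, or Disconnect-Nak with Error-Cause. Returns (response, sessions)."""
    if not verify_request(packet, secret):
        return None, active_sessions          # silently discard, as RFC 3576 requires
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], packet[20:]
    session_id, pos = None, 0
    while pos + 2 <= len(attrs):              # minimal TLV walk
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            return None, active_sessions      # malformed attribute list
        if t == 44:
            session_id = attrs[pos + 2:pos + l].decode("ascii", "replace")
        pos += l
    if code == DISCONNECT_REQUEST and session_id in active_sessions:
        ack = build_packet(DISCONNECT_ACK, ident, b"", secret, request_auth)
        return ack, active_sessions - {session_id}
    nak = build_packet(DISCONNECT_NAK, ident, attr(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND),
                       secret, request_auth)
    return nak, active_sessions


def sample_request(session_id, ident=1):
    """Constructed Disconnect-Request carrying the slide's attributes."""
    attrs = (attr(1, b"pepe@terra") + attr(8, bytes([193, 168, 1, 2]))
             + attr(44, session_id.encode()) + attr(4, bytes([192, 168, 20, 2])))
    return build_packet(DISCONNECT_REQUEST, ident, attrs, SECRET)
```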
SNMP MIBs for RADIUS
It is standardized that the RADIUS servers and the clients should offer some statistical information via SNMP. Defined in RFCs; the new ones also support IPv6
A proxy-RADIUS behaves at the same time as a server and a client, so it should support both MIBs
The OIDs are a branch of MIB-2
All of the OIDs are read-only, as they are statistical data, except for the reset of counters
RFCs:  | Auth | Acct
Client | 4668 | 4670
Server | 4669 | 4671
Auth Server MIB (I)
The SNMP agent must store statistics for every client, as well as the aggregate statistics
Index | Client Address | Client ID | Access Req | Duplic Req | Access Accept | Access Reject | ...
1 | 172.16.1.2 | RAS1 | 27 | 1 | 25 | 2 | ...
2 | 172.1.2.3 | | 12 | 0 | 9 | 3 | ...
... | ... | | | | | |
N | 192.18.1.2 | GGSN1 | 1098 | 19 | 1000 | 98 | ...
TOTAL | | | 5720 | 30 | 5520 | 200 | ...
Serv Ident | Serv UpTime | Serv ResetTime
NR1 | 36010 | 600
Auth Server MIB (II)
RFC 2619
(.1) Mib-2
  (.67) radiusMIB
    (.1) radiusAuthentication
      (.1) radiusAuthServMIB
        (.1) radiusAuthServMIBObjects
          (.1) radiusAuthServ
            (.1) radiusAuthServIdent [SnmpAdminString]
            (.2) radiusAuthServUpTime [TimeTicks]
            (.3) radiusAuthServResetTime [TimeTicks]
            (.4) radiusAuthServConfigReset [integer]  VALUES: {other(1), reset(2), initializing(3), running(4)}
            (.5) radiusAuthServTotalAccessRequests [Counter32]
            (.6) radiusAuthServTotalInvalidRequests [Counter32]
            (.7) radiusAuthServTotalDupAccessRequests [Counter32]
            (.8) radiusAuthServTotalAccessAccepts [Counter32]
            (.9) radiusAuthServTotalAccessRejects [Counter32]
            (.10) radiusAuthServTotalAccessChallenges [Counter32]
            (.11) radiusAuthServTotalMalformedAccessRequests [Counter32]
            (.12) radiusAuthServTotalBadAuthenticators [Counter32]
            (.13) radiusAuthServTotalPacketsDropped [Counter32]
            (.14) radiusAuthServTotalUnknownTypes [Counter32]
* Responses = AccessAccepts + AccessRejects + AccessChallenges
* Pending = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped - Responses
* Entries logged = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped
Auth Server MIB (III)
RFC 2619
(.67) radiusMIB
  (.1) radiusAuthentication
    (.1) radiusAuthServMIB
      (.1) radiusAuthServMIBObjects
        (.1) radiusAuthServ
          (.15) radiusAuthClientTable [Sequence]
            (.1) radiusAuthClientEntry [Entry]
              (.1) radiusAuthClientIndex [Integer32]
              (.2) radiusAuthClientAddress [IpAddress]
              (.3) radiusAuthClientID [SnmpAdminString]
              (.4) radiusAuthServAccessRequests [Counter32]
              (.5) radiusAuthServDupAccessRequests [Counter32]
              (.6) radiusAuthServAccessAccepts [Counter32]
              (.7) radiusAuthServAccessRejects [Counter32]
              (.8) radiusAuthServAccessChallenges [Counter32]
              (.9) radiusAuthServMalformedAccessRequests [Counter32]
              (.10) radiusAuthServBadAuthenticators [Counter32]
              (.11) radiusAuthServPacketsDropped [Counter32]
              (.12) radiusAuthServUnknownTypes [Counter32]
      (.2) radiusAuthServMIBConformance
        (.1) radiusAuthServMIBCompliances
        (.2) radiusAuthServMIBGroups
Acct Client MIB
RFC 2620
(.67) radiusMIB
  (.2) radiusAccounting
    (.2) radiusAccClientMIB
      (.1) radiusAccClientMIBObjects
        (.1) radiusAccClient
          (.1) radiusAccClientInvalidServerAddresses [Counter32]
          (.2) radiusAccClientIdentifier [SnmpAdminString]
          (.3) radiusAccServerTable [Sequence]
            (.1) radiusAccServerEntry [Entry]
              (.1) radiusAccServerIndex [Integer32]
              (.2) radiusAccServerAddress [IpAddress]
              (.3) radiusAccClientServerPortNumber [Integer32]
              (.4) radiusAccClientRoundTripTime [TimeTicks]
              (.5) radiusAccClientRequests [Counter32]
              (.6) radiusAccClientRetransmissions [Counter32]
              (.7) radiusAccClientResponses [Counter32]
              (.8) radiusAccClientMalformedResponses [Counter32]
              (.9) radiusAccClientBadAuthenticators [Counter32]
              (.10) radiusAccClientPendingRequests [Gauge32]
              (.11) radiusAccClientTimeouts [Counter32]
              (.12) radiusAccClientUnknownTypes [Counter32]
              (.13) radiusAccClientPacketsDropped [Counter32]
* Requests = Responses + PendingRequests + ClientTimeouts
* Successfully received = Responses - MalformedResponses - BadAuthenticators - UnknownTypes - PacketsDropped
List of standard attributes (I)
Access-Request | Access-Accept | Access-Reject | Access-Chall. | Acct-Request | # | Attribute | RFC's
0-1 | 0-1 | 0 | 0 | 0-1 | 1 | User-Name | 2865, 2866
0-1 | 0 | 0 | 0 | 0 | 2 | User-Password (*) | 2865, 2866
0-1 | 0 | 0 | 0 | 0 | 3 | CHAP-Password (*) | 2865, 2866
0-1 | 0 | 0 | 0 | 0-1 | 4 | NAS-IP-Address (**) | 2865, 2866
0-1 | 0 | 0 | 0 | 0-1 | 5 | NAS-Port (****) | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 6 | Service-Type | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 7 | Framed-Protocol | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 8 | Framed-IP-Address | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 9 | Framed-IP-Netmask | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 10 | Framed-Routing | 2865, 2866
0 | 0+ | 0 | 0 | 0+ | 11 | Filter-Id | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 12 | Framed-MTU | 2865, 2866
0+ | 0+ | 0 | 0 | 0+ | 13 | Framed-Compression | 2865, 2866
0+ | 0+ | 0 | 0 | 0+ | 14 | Login-IP-Host | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 15 | Login-Service | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 16 | Login-TCP-Port | 2865, 2866
0 | 0+ | 0+ | 0+ | 0 | 18 | Reply-Message | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 19 | Callback-Number | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 20 | Callback-Id | 2865, 2866
0 | 0+ | 0 | 0 | 0+ | 22 | Framed-Route | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 23 | Framed-IPX-Network | 2865, 2866
0-1 | 0-1 | 0 | 0-1 | 0 | 24 | State (*) | 2865, 2866
0 | 0+ | 0 | 0 | 0+ | 25 | Class | 2865, 2866
0+ | 0+ | 0 | 0+ | 0+ | 26 | Vendor-Specific | 2865, 2866
0 | 0-1 | 0 | 0-1 | 0-1 | 27 | Session-Timeout | 2865, 2866
0 | 0-1 | 0 | 0-1 | 0-1 | 28 | Idle-Timeout | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 29 | Termination-Action | 2865, 2866
0-1 | 0 | 0 | 0 | 0-1 | 30 | Called-Station-Id | 2865, 2866
0-1 | 0 | 0 | 0 | 0-1 | 31 | Calling-Station-Id | 2865, 2866
0-1 | 0 | 0 | 0 | 0-1 | 32 | NAS-Identifier (**) | 2865, 2866
0+ | 0+ | 0+ | 0+ | 0+ | 33 | Proxy-State | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 34 | Login-LAT-Service | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 35 | Login-LAT-Node | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 36 | Login-LAT-Group | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 37 | Framed-AppleTalk-Link | 2865, 2866
0 | 0+ | 0 | 0 | 0-1 | 38 | Framed-AppleTalk-Network | 2865, 2866
0 | 0-1 | 0 | 0 | 0-1 | 39 | Framed-AppleTalk-Zone | 2865, 2866
0 | 0 | 0 | 0 | 1 | 40 | Acct-Status-Type | 2866
0 | 0 | 0 | 0 | 0-1 | 41 | Acct-Delay-Time | 2866
(*) An Access-Request MUST contain either a User-Password or a CHAP-Password or State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password
(**) An Access-Request and an Account-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both)
No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific ones.
List of standard attributes (II)
Access-Request | Access-Accept | Access-Reject | Access-Chall. | Acct-Request | # | Attribute | RFC's
0 | 0 | 0 | 0 | 0-1 | 42 | Acct-Input-Octets | 2866
0 | 0 | 0 | 0 | 0-1 | 43 | Acct-Output-Octets | 2866
0-1 | 0-1 | 0 | 0 | 1 | 44 | Acct-Session-Id | 2866
0 | 0 | 0 | 0 | 0-1 | 45 | Acct-Authentic | 2866
0 | 0 | 0 | 0 | 0-1 | 46 | Acct-Session-Time | 2866
0 | 0 | 0 | 0 | 0-1 | 47 | Acct-Input-Packets | 2866
0 | 0 | 0 | 0 | 0-1 | 48 | Acct-Output-Packets | 2866
0 | 0 | 0 | 0 | 0-1 | 49 | Acct-Terminate-Cause | 2866
0 | 0 | 0 | 0 | 0+ | 50 | Acct-Multi-Session-Id | 2866
0 | 0 | 0 | 0 | 0+ | 51 | Acct-Link-Count | 2866
0 | 0 | 0 | 0 | 0-1 | 52 | Acct-Input-Gigawords | 2869
0 | 0 | 0 | 0 | 0-1 | 53 | Acct-Output-Gigawords | 2869
0 | 0 | 0 | 0 | 0-1 | 55 | Event-Timestamp | 2869
0+ | 0+ | 0 | 0 | 0+ | 56 | Egress-VLANID | 4675
0-1 | 0-1 | 0 | 0 | 0-1 | 57 | Ingress-Filters | 4675
0+ | 0+ | 0 | 0 | 0+ | 58 | Egress-VLAN-Name | 4675
0 | 0-1 | 0 | 0 | 0 | 59 | User-Priority-Table | 4675
0-1 | 0 | 0 | 0 | 0 | 60 | CHAP-Challenge | 2865, 2866
0-1 | 0 | 0 | 0 | 0-1 | 61 | NAS-Port-Type | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 62 | Port-Limit | 2865, 2866
0-1 | 0-1 | 0 | 0 | 0-1 | 63 | Login-LAT-Port | 2865, 2866
0+ | 0+ | 0 | 0 | 0-1 | 64 | Tunnel-Type | 2867, 2868
0+ | 0+ | 0 | 0 | 0-1 | 65 | Tunnel-Medium-Type | 2867, 2868
0+ | 0+ | 0 | 0 | 0-1 | 66 | Tunnel-Client-Endpoint | 2867, 2868
0+ | 0+ | 0 | 0 | 0-1 | 67 | Tunnel-Server-Endpoint | 2867, 2868
0 | 0+ | 0 | 0 | 0 | 69 | Tunnel-Password | 2867, 2868
0-1 | 0 | 0 | 0 | 0 | 70 | ARAP-Password (***) | 2869
0 | 0-1 | 0 | 0-1 | 0 | 71 | ARAP-Features | 2869
0 | 0-1 | 0 | 0 | 0 | 72 | ARAP-Zone-Access | 2869
0-1 | 0 | 0 | 0-1 | 0 | 73 | ARAP-Security | 2869
0+ | 0 | 0 | 0+ | 0 | 74 | ARAP-Security-Data | 2869
0 | 0 | 0-1 | 0 | 0 | 75 | Password-Retry | 2869
0 | 0 | 0 | 0-1 | 0 | 76 | Prompt | 2869
0-1 | 0 | 0 | 0 | 0-1 | 77 | Connect-Info | 2869
0 | 0+ | 0 | 0 | 0 | 78 | Configuration-Token | 2869
0+ | 0+ | 0+ | 0+ | 0 | 79 | EAP-Message (***) | 2869
0-1 | 0-1 | 0-1 | 0-1 | 0 | 80 | Message-Authenticator (***) | 2869
0+ | 0+ | 0 | 0 | 0-1 | 81 | Tunnel-Private-Group-ID | 2867, 2868
0 | 0+ | 0 | 0 | 0-1 | 82 | Tunnel-Assignment-ID | 2867, 2868
0+ | 0+ | 0 | 0 | 0 | 83 | Tunnel-Preference | 2867, 2868
(***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.
Access-Request | Access-Accept | Access-Reject | Access-Chall. | Acct-Request | # | Attribute | RFC's
0 | 0-1 | 0 | 0-1 | 0 | 84 | ARAP-Challenge-Response | 2869
0 | 0-1 | 0 | 0 | 0 | 85 | Acct-Interim-Interval | 2869
0 | 0 | 0 | 0 | 0-1 | 86 | Acct-Tunnel-Packets-Lost | 2867
0-1 | 0 | 0 | 0 | 0-1 | 87 | NAS-Port-Id (****) | 2869
0 | 0-1 | 0 | 0 | | 88 | Framed-Pool | 2869
0-1 | 0-1 | 0 | 0 | 0-1 | 89 | Chargeable-User-Id | 4372
0+ | 0+ | 0 | 0 | 0-1 | 90 | Tunnel-Client-Auth-ID | 2868
0+ | 0+ | 0 | 0 | 0-1 | 91 | Tunnel-Server-Auth-ID | 2868
0 | 0+ | 0 | 0 | 0+ | 92 | Nas-Filter-Rule | 4849
0-1 | 0 | 0 | 0 | 0-1 | 95 | NAS-IPv6-Address | 3162
0-1 | 0-1 | 0 | 0 | 0-1 | 96 | Framed-Interface-Id | 3162
0+ | 0+ | 0 | 0 | 0+ | 97 | Framed-IPv6-Prefix |3162
0+ | 0+ | 0 | 0 | 0+ | 98 | Login-IPv6-Host | 3162
0 | 0+ | 0 | 0 | 0+ | 99 | Framed-IPv6-Route | 3162
0 | 0-1 | 0 | 0 | 0-1 | 100 | Framed-IPv6-Pool | 3162
0 | 0 | 0 | 0 | 0 | 101 | Error-Cause (-) | 3576
0-1 | 0 | 0 | 0 | 0 | 103 | Digest-Response | 4590
0-1 | 0 | 0 | 1 | 0 | 104 | Digest-Realm | 4590
0-1 | 0 | 0 | 1 | 0 | 105 | Digest-Nonce | 4590
0 | 0-1 | 0 | 0 | 0 | 106 | Digest-Response-Auth | 4590
0 | 0-1 | 0 | 0 | 0 | 107 | Digest-Nextnonce | 4590
0-1 | 0 | 0 | 0 | 0 | 108 | Digest-Method | 4590
0-1 | 0 | 0 | 0 | 0 | 109 | Digest-URI | 4590
0-1 | 0 | 0 | 0+ | 0 | 110 | Digest-Qop | 4590
0-1 | 0 | 0 | 0-1 | 0 | 111 | Digest-Algorithm | 4590
0-1 | 0 | 0 | 0 | 0 | 112 | Digest-Entity-Body-Hash | 4590
0-1 | 0 | 0 | 0 | 0 | 113 | Digest-CNonce | 4590
0-1 | 0 | 0 | 0 | 0 | 114 | Digest-Nonce-Count | 4590
0-1 | 0 | 0 | 0 | 0 | 115 | Digest-Username | 4590
0-1 | 0 | 0 | 0-1 | 0 | 116 | Digest-Opaque | 4590
0+ | 0+ | 0 | 0+ | 0 | 117 | Digest-Auth-Param | 4590
0-1 | 0 | 0 | 0 | 0 | 118 | Digest-AKA-Auts | 4590
0 | 0 | 0 | 0+ | 0 | 119 | Digest-Domain | 4590
0 | 0 | 0 | 0-1 | 0 | 120 | Digest-Stale | 4590
0 | 0-1 | 0 | 0 | 0 | 121 | Digest-HA1 | 4590
0-1 | 0 | 0 | 0 | 0 | 122 | SIP-AOR | 4590
0+ | 0+ | 0 | 0 | 0+ | 123 | Delegated-IPv6-Prefix | 4818
(****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.
(-) Can be included in packet type 42=Disconnect-Nak or 45=CoA-Nak