RADIUS is an Internet Engineering Task Force (IETF) standard that is used for AAA. It is also a client/server model. This means the AAA client sends user information to the AAA server, in this case via the RADIUS protocol, and the RADIUS server responds with all the information that is needed for the AAA client to provide connectivity and service to the end user. The AAA client acts in response to the reply it receives from the RADIUS server. For network authentication, a shared secret key authenticates messages between the AAA/RADIUS server and the AAA client. The shared secret key is never actually sent across the wire, so the integrity of the key is maintained. When RADIUS authenticates users, numerous authentication methods can be used. RADIUS supports authentication via Point-to-Point Protocol Challenge Handshake Authentication Protocol (PPP CHAP) and PPP Password Authentication Protocol (PAP), as well as others. In addition to these features, RADIUS is an extensible protocol that allows vendors to add new attribute values without creating a problem for existing attribute values. A major difference between TACACS+ and RADIUS is that RADIUS does not separate authentication and authorization. RADIUS also provides for better accounting. In this section, you see the operation and functionality of RADIUS.

NOTE

Note that in June 1996, draft 5 of the RADIUS protocol specification was submitted to the Internet Engineering Task Force (IETF). The RADIUS specification (RFC 2058) and RADIUS accounting standard (RFC 2059) are now proposed standard protocols. The text of the IETF proposed standards can be found at the following URLs:

http://www.ietf.org/rfc/rfc2058.txt?number=2058
http://www.ietf.org/rfc/rfc2059.txt?number=2059

RADIUS operates under the UDP protocol. RADIUS uses ports 1645 and 1812 for authentication and 1646 and 1813 for accounting. The ports 1812 and 1813 are seen in newer RADIUS implementations. The use of RADIUS port 1645 in early implementations conflicts with the "datametrics" service. Therefore, the officially assigned port is 1812. Generally, the RADIUS protocol is considered to be a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than by the transport protocol. This functionality differs from TACACS+, where the reliability of the protocol depends on the TCP protocol.

RADIUS Operation

The following is the process used in a RADIUS-managed login:
The Access-Request packet contains the username, encrypted password, IP address of the AAA client, and port. The format of the request also provides information on the type of session that the user wants to initiate. The format of the RADIUS packet is seen in Figure 2-5.

Figure 2-5. RADIUS Packet Format

Each RADIUS packet contains the following information:
The attributes that are seen in Figure 2-5 are RADIUS AV pairs. These specific attributes and corresponding values are discussed in Appendix A, "RADIUS Attribute Tables."

RADIUS Encryption

Encryption in RADIUS differs from that of TACACS+ because RADIUS encrypts only the password; the rest of the packet is sent in clear text. The process of encrypting the password in RADIUS is as follows:
RADIUS Authentication and Authorization

When an AAA server running RADIUS receives the Access-Request from the AAA client, it searches a database for the username listed. If the username does not exist in the database, either a default profile is loaded, or the RADIUS server immediately sends an Access-Reject message. This Access-Reject message can be accompanied by an optional text message, which could indicate the reason for the refusal. If the username is found and the password is correct, the RADIUS server returns an Access-Accept response, including a list of Attribute-Value pairs that describe the parameters to be used for this session. Typical parameters include service type (shell or framed), protocol type, IP address to assign the user (static or dynamic), access list to apply, or a static route to install in the AAA client's routing table. The configuration information in the RADIUS server defines what is installed on the AAA client. Optionally, the AAA server can send an Access-Challenge request to the AAA client to request a new password. Figure 2-6 demonstrates a RADIUS exchange between an AAA client and AAA server.

Figure 2-6. A RADIUS Exchange

Authorization within RADIUS is done in conjunction with authentication. As a server returns an Access-Accept message, it also includes the list of AV pairs that the user is authorized for. Table 2-3 lists the RADIUS AV pairs (nonproprietary) supported in Cisco IOS up to version 12.2. These AV pairs are discussed in further detail in Appendix A.
RADIUS Accounting

RADIUS accounting is performed by sending messages at the start and the stop of a session. These messages include information about the session, such as time, packets, bytes, and so on. These messages are sent using UDP port 1813. The accounting process for RADIUS is seen in RFC 2866. The messages that are sent between the AAA server and the AAA client are Accounting-Request and Accounting-Response. The basic process of RADIUS accounting is seen in Figure 2-7.

Figure 2-7. RADIUS Accounting

During this process, the accounting information is also sent via AV pairs. The RADIUS AV pairs supported in Cisco IOS up to version 12.2 are also included in Table 2-3.
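The packet format, password hiding, Access-Accept and Accounting-Request steps described in the preceding sections, worked through in code. This is an added example written for this page, not code from the book or from Cisco IOS; it follows the wire formats in RFC 2865 and RFC 2866 (the successors of RFC 2058 and RFC 2059), and the shared secret, username and NAS address are constructed sample values. It shows the two points a defender cares about: only User-Password is hidden (everything else, including the username and the Request Authenticator, travels in the clear), and the Authenticator field is what lets the client reject a reply, and the server reject an Accounting-Request, that was not produced with the shared secret.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865, RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
# Attribute types used here (RFC 2865, RFC 2866)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, ACCT_STATUS_TYPE = 1, 2, 4, 5, 6, 40
SERVICE_FRAMED, ACCT_START = 2, 1


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    Request Authenticator. Nothing else in the packet is hidden."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: regenerate the same MD5 keystream and strip NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Each AV pair is Type(1) Length(1, header included) Value(<=253 octets)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then AV pairs."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field inconsistent with datagram")
    return code, identifier, packet[4:20], decode_attrs(packet[20:length])


def sign_packet(code, identifier, seed, attrs, secret):
    """Authenticator = MD5(Code+ID+Length + seed + Attributes + Secret).
    seed is the Request Authenticator for a response (RFC 2865 section 3)
    and 16 zero octets for an Accounting-Request (RFC 2866 section 3)."""
    unsigned = build_packet(code, identifier, seed, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_signed(packet, seed, secret):
    """Recompute the keyed Authenticator and compare in constant time."""
    _, _, received, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + seed + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, received)


def demo(secret=b"constructed-shared-secret", password=b"constructed-pass"):
    """One Access-Request / Access-Accept / Accounting-Request exchange."""
    req_auth = os.urandom(16)  # fresh per request; sent in the clear
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address
        (NAS_PORT, struct.pack("!I", 3)),
    ])
    # Server: recover the password, reply with Access-Accept keyed to req_auth
    _, ident, auth, attrs = parse_packet(request)
    recovered = reveal_password(dict(attrs)[USER_PASSWORD], secret, auth)
    accept = sign_packet(ACCESS_ACCEPT, ident, auth,
                         [(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED))], secret)
    # Client: only a reply produced with the shared secret verifies
    reply_ok = verify_signed(accept, req_auth, secret)
    acct = sign_packet(ACCOUNTING_REQUEST, 8, b"\x00" * 16,
                       [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))], secret)
    return recovered, reply_ok, verify_signed(acct, b"\x00" * 16, secret)


if __name__ == "__main__":
    print(demo())
```

The password hiding is a reversible MD5-based stream, not an integrity mechanism: anyone holding the shared secret can recover the password from a captured Access-Request, and a weak or reused secret is therefore the weak point of the whole scheme. The Access-Request itself carries no keyed Authenticator (its Request Authenticator is just a random value), which is why the server's only check on a request is the recovered password; the response and accounting directions do get the MD5-over-secret check that `verify_signed` performs.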