RADIUS in Detail


RADIUS is an Internet Engineering Task Force (IETF) standard that is used for AAA. It uses a client/server model: the AAA client (the network access server, or NAS) sends user information to the AAA server via the RADIUS protocol, and the RADIUS server responds with all the information the AAA client needs to provide connectivity and service to the end user. The AAA client acts on the reply it receives from the RADIUS server.

For network authentication, a shared secret key authenticates messages between the AAA/RADIUS server and the AAA client. The shared secret itself is never sent across the wire; it is used only as input to the MD5 computations that hide the user's password and authenticate the server's reply, so a sniffer on the path does not see it.

When RADIUS authenticates users, numerous authentication methods can be used. RADIUS supports authentication via Point-to-Point Protocol Challenge Handshake Authentication Protocol (PPP CHAP) and PPP Password Authentication Protocol (PAP), as well as others.

In addition to these features, RADIUS is an extensible protocol: vendors can add new attributes and values (through the Vendor-Specific attribute) without disturbing the existing attributes and values.

A major difference between TACACS+ and RADIUS is that RADIUS does not separate authentication and authorization: the authorization AV pairs are returned in the same Access-Accept that reports successful authentication. RADIUS also provides more extensive accounting than TACACS+. The rest of this section covers the operation and functionality of RADIUS.

NOTE

In June 1996, draft 5 of the RADIUS protocol specification was submitted to the Internet Engineering Task Force (IETF). The RADIUS specification (RFC 2058) and the RADIUS accounting specification (RFC 2059) were published as proposed standards in 1997. Both have since been revised; the current versions are RFC 2865 (RADIUS) and RFC 2866 (RADIUS Accounting). The text of the original proposed standards can be found at the following URLs:

http://www.ietf.org/rfc/rfc2058.txt?number=2058

http://www.ietf.org/rfc/rfc2059.txt?number=2059


RADIUS runs over UDP. Authentication uses UDP port 1812 (1645 in early implementations), and accounting uses UDP port 1813 (1646 in early implementations). Port 1645 conflicts with the previously assigned "datametrics" service, so the officially assigned ports are 1812 and 1813; the older pair is still seen in older deployments, and a server is often configured to listen on both.

RADIUS is a connectionless service: server availability, retransmission, and timeouts are handled by the RADIUS-enabled device itself rather than by the transport protocol. This differs from TACACS+, whose reliability comes from TCP.

RADIUS Operation

The following is the process used in a RADIUS managed login:

Step 1.

A user login generates a query (Access-Request) from the AAA client to the RADIUS server.

Step 2.

A corresponding response (Access-Accept, Access-Reject, or, when more information is needed from the user, Access-Challenge) is returned by the server.

The Access-Request packet contains the username, the password (hidden with the shared secret, as described in the "RADIUS Encryption" section), the IP address of the AAA client (NAS-IP-Address), and the port (NAS-Port). Further attributes in the request, such as Service-Type and Framed-Protocol, tell the server what type of session the user wants to initiate.

The format of the RADIUS packet is seen in Figure 2-5.

Figure 2-5. RADIUS Packet Format


Each RADIUS packet contains the following information:

  • Code The code field is one octet; it identifies the type of RADIUS packet. A packet with an unknown code is silently discarded. The codes are as follows:

    - Access-Request (1)

    - Access-Accept (2)

    - Access-Reject (3)

    - Accounting-Request (4)

    - Accounting-Response (5)

    - Access-Challenge (11)

    - Status-Server (12)

    - Status-Client (13)

    - Reserved (255)

    NOTE

    Status-Server and Status-Client are experimental.


  • Identifier The identifier field is one octet; it lets the AAA client match replies to its outstanding requests and lets the RADIUS server detect duplicate (retransmitted) requests, which carry the same Identifier as the original.

  • Length The length field is two octets; it specifies the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields (minimum 20, maximum 4096 octets). Octets received beyond the Length are treated as padding and ignored, and a packet shorter than its Length field is silently discarded.

  • Authenticator The authenticator field is 16 octets, transmitted most significant octet first. It authenticates the reply from the RADIUS server and is also the starting value for hiding the password. It takes one of two forms:

    - Request Authenticator Carried in Access-Request and Accounting-Request packets. In an Access-Request it is a random, unpredictable value chosen by the AAA client; in an Accounting-Request it is an MD5 hash computed over the packet and the shared secret.

    - Response Authenticator Carried in Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response packets. It is MD5(Code + Identifier + Length + Request Authenticator + Attributes + shared secret), so the AAA client can check that the reply came from a server holding the secret and belongs to the request it sent.

The attributes that are seen in Figure 2-5 are RADIUS AV pairs. These specific attributes and corresponding values are discussed in Appendix A, "RADIUS Attribute Tables."

RADIUS Encryption

Encryption in RADIUS differs from that of TACACS+ (which encrypts the entire packet body): RADIUS hides only the password, carried in the User-Password attribute, and the rest of the packet, including the username and all other attributes, is sent in clear text. Note also that an Access-Request carries no hash over its own contents, so the server cannot distinguish a genuine request from a forged one unless the request also carries a Message-Authenticator attribute (attribute 80 in Table 2-3).

The process of hiding the password in RADIUS is as follows:

Step 1.

A RADIUS Access-Request includes an Authenticator field, as seen in Figure 2-5. In a request, this field contains a 16-octet random number called the Request Authenticator.

Step 2.

The AAA client concatenates the pre-shared key (shared secret) and the Request Authenticator, in that order, and runs the result through the MD5 hash algorithm. This derives a 16-octet hash. For this example, this is called HASH_A. Therefore, HASH_A = MD5(pre-shared key + Request Authenticator).

Step 3.

The user-provided password is padded with null octets to a multiple of 16 octets, so a password of 16 octets or less becomes exactly 16 octets.

Step 4.

HASH_A is then XORed with the first 16 octets of the padded password, and that generates the cipher text that is transmitted, in the User-Password attribute, to the AAA server running RADIUS. If the padded password is longer than 16 octets, each further 16-octet block is XORed with MD5(pre-shared key + previous cipher-text block), so the blocks are chained together.

Step 5.

The AAA server, which knows the pre-shared key and reads the Request Authenticator from the packet, calculates HASH_A on its own and XORs it with the received cipher text to get the padded user-provided password back in clear text; it then removes the null padding.

This is an MD5-based keystream rather than a modern cipher: the secrecy of the password rests entirely on the pre-shared key being strong and on the Request Authenticator being unpredictable. A captured exchange lets an attacker test guesses of the shared secret offline against the Response Authenticator and, once the secret is found, recover every password hidden with it.

RADIUS Authentication and Authorization

When an AAA server running RADIUS receives the Access-Request from the AAA client, it searches its database for the username listed. If the username does not exist in the database, either a default profile is loaded or the RADIUS server immediately sends an Access-Reject message. An Access-Reject can carry an optional text message (the Reply-Message attribute) that indicates the reason for the refusal.

If the username is found and the password is correct, the RADIUS server returns an Access-Accept response, including a list of Attribute-Value pairs that describe the parameters to be used for this session. Typical parameters include service type (shell or framed), protocol type, IP address to assign the user (static or dynamic), access list to apply, or a static route to install in the AAA client's routing table. The configuration information in the RADIUS server defines what is installed on the AAA client.

Optionally, the AAA server can answer with an Access-Challenge instead, asking the user for additional information such as the response to a challenge (for example, a one-time password from a token). The AAA client prompts the user and sends a new Access-Request carrying the response, together with any State attribute received in the challenge, and the server then replies with Access-Accept or Access-Reject.

Figure 2-6 demonstrates a RADIUS exchange between an AAA client and AAA server.

Figure 2-6. A RADIUS Exchange


Authorization within RADIUS is done in conjunction with authentication: when the server returns an Access-Accept, it also includes the list of AV pairs that define what the user is authorized for. Table 2-3 lists the RADIUS AV pairs (nonproprietary, that is, the IETF-defined attributes) supported in Cisco IOS up to version 12.2; the column headings 11.1 through 12.2 are Cisco IOS releases, and yes means the attribute is supported in that release. These AV pairs are discussed in further detail in Appendix A.
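The exchange described in this section and the preceding two, as an added example written for this page (it is not the book's code or Cisco's): a Python model of the Access-Request/Access-Accept/Access-Reject round trip that builds the packet header and AV pairs of Figure 2-5, hides the User-Password with the MD5/XOR procedure of the "RADIUS Encryption" section (including the block chaining used for passwords longer than 16 octets), checks it against a hypothetical user table, returns the authorization AV pairs or a Reply-Message, and has the AAA client verify the Response Authenticator before trusting the reply. The shared secret, username, addresses, and ACL number are made up, and no network I/O is performed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_IP_ADDRESS, FILTER_ID, REPLY_MESSAGE = 6, 8, 11, 18
SERVICE_TYPE_FRAMED = 2  # Service-Type value "Framed" (RFC 2865)

def avp(attr_type, value):
    """One attribute: Type (1 octet) | Length (1 octet, includes header) | Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def parse_avps(data):
    """Decode a run of attributes into {type: value}; rejects bad lengths."""
    out, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[i + 2:i + ln]
        i += ln
    return out

def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))

def packet(code, ident, authenticator, attrs):
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad with NULs to a multiple of 16 octets, then per block
    c(i) = p(i) XOR MD5(secret + c(i-1)), where c(0) is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()  # HASH_A for the first block
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server side; each keystream block depends only on received cipher text."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, keystream))
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, username, password, secret, nas_ip, nas_port):
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, request_auth))
             + avp(NAS_IP_ADDRESS, ip4(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

# Hypothetical user database: the password plus the authorization AV pairs to return.
USERS = {b"alice": {"password": b"correct horse battery staple",
                    "ip": "10.1.1.50", "acl": b"102"}}

def handle_access_request(req, secret):
    """Server side: recover and check the password, then answer Accept (with the
    session's AV pairs) or Reject (with a Reply-Message)."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(req):
        raise ValueError("not a well-formed Access-Request")
    request_auth = req[4:20]
    attrs = parse_avps(req[20:length])  # octets beyond Length are padding
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    entry = USERS.get(attrs.get(USER_NAME))
    if entry is None or not hmac.compare_digest(password, entry["password"]):
        code, reply_attrs = ACCESS_REJECT, avp(REPLY_MESSAGE, b"Authentication failure")
    else:
        code = ACCESS_ACCEPT
        reply_attrs = (avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
                       + avp(FRAMED_IP_ADDRESS, ip4(entry["ip"]))
                       + avp(FILTER_ID, entry["acl"]))
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return packet(code, ident, auth, reply_attrs)

def verify_reply(req, reply, secret):
    """Client side: match the Identifier and recompute the Response Authenticator
    before trusting the Code or any AV pair; None means forged, altered, or not ours."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != req[1] or length < 20 or length > len(reply):
        return None
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, req[4:20], attrs, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code, parse_avps(attrs)
```

The client-side check in verify_reply is the one that matters operationally: without recomputing the Response Authenticator, anyone who can spoof a UDP datagram from the server's address could turn an Access-Reject into an Access-Accept, since the Code is sent in clear text.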

Table 2-3. RADIUS AV Pairs (Nonproprietary)

Number  IETF Attribute             11.1  11.2  11.3  11.3AA  11.3T  12.0  12.1  12.2
1       User-Name                  yes   yes   yes   yes     yes    yes   yes   yes
2       User-Password              yes   yes   yes   yes     yes    yes   yes   yes
3       CHAP-Password              yes   yes   yes   yes     yes    yes   yes   yes
4       NAS-IP-Address             yes   yes   yes   yes     yes    yes   yes   yes
5       NAS-Port                   yes   yes   yes   yes     yes    yes   yes   yes
6       Service-Type               yes   yes   yes   yes     yes    yes   yes   yes
7       Framed-Protocol            yes   yes   yes   yes     yes    yes   yes   yes
8       Framed-IP-Address          yes   yes   yes   yes     yes    yes   yes   yes
9       Framed-IP-Netmask          yes   yes   yes   yes     yes    yes   yes   yes
10      Framed-Routing             yes   yes   yes   yes     yes    yes   yes   yes
11      Filter-Id                  yes   yes   yes   yes     yes    yes   yes   yes
12      Framed-MTU                 yes   yes   yes   yes     yes    yes   yes   yes
13      Framed-Compression         yes   yes   yes   yes     yes    yes   yes   yes
14      Login-IP-Host              yes   yes   yes   yes     yes    yes   yes   yes
15      Login-Service              yes   yes   yes   yes     yes    yes   yes   yes
16      Login-TCP-Port             yes   yes   yes   yes     yes    yes   yes   yes
18      Reply-Message              yes   yes   yes   yes     yes    yes   yes   yes
19      Callback-Number            no    no    no    no      no     no    yes   yes
20      Callback-ID                no    no    no    no      no     no    no    no
22      Framed-Route               yes   yes   yes   yes     yes    yes   yes   yes
23      Framed-IPX-Network         no    no    no    no      no     no    no    no
24      State                      yes   yes   yes   yes     yes    yes   yes   yes
25      Class                      yes   yes   yes   yes     yes    yes   yes   yes
26      Vendor-Specific            yes   yes   yes   yes     yes    yes   yes   yes
27      Session-Timeout            yes   yes   yes   yes     yes    yes   yes   yes
28      Idle-Timeout               yes   yes   yes   yes     yes    yes   yes   yes
29      Termination-Action         no    no    no    no      no     no    no    no
30      Called-Station-Id          yes   yes   yes   yes     yes    yes   yes   yes
31      Calling-Station-Id         yes   yes   yes   yes     yes    yes   yes   yes
32      NAS-Identifier             no    no    no    no      no     no    no    yes
33      Proxy-State                no    no    no    no      no     no    no    no
34      Login-LAT-Service          yes   yes   yes   yes     yes    yes   yes   yes
35      Login-LAT-Node             no    no    no    no      no     no    no    yes
36      Login-LAT-Group            no    no    no    no      no     no    no    no
37      Framed-AppleTalk-Link      no    no    no    no      no     no    no    no
38      Framed-AppleTalk-Network   no    no    no    no      no     no    no    no
39      Framed-AppleTalk-Zone      no    no    no    no      no     no    no    no
40      Acct-Status-Type           yes   yes   yes   yes     yes    yes   yes   yes
41      Acct-Delay-Time            yes   yes   yes   yes     yes    yes   yes   yes
42      Acct-Input-Octets          yes   yes   yes   yes     yes    yes   yes   yes
43      Acct-Output-Octets         yes   yes   yes   yes     yes    yes   yes   yes
44      Acct-Session-Id            yes   yes   yes   yes     yes    yes   yes   yes
45      Acct-Authentic             yes   yes   yes   yes     yes    yes   yes   yes
46      Acct-Session-Time          yes   yes   yes   yes     yes    yes   yes   yes
47      Acct-Input-Packets         yes   yes   yes   yes     yes    yes   yes   yes
48      Acct-Output-Packets        yes   yes   yes   yes     yes    yes   yes   yes
49      Acct-Terminate-Cause       no    no    no    yes     yes    yes   yes   yes
50      Acct-Multi-Session-Id      no    yes   yes   yes     yes    yes   yes   yes
51      Acct-Link-Count            no    yes   yes   yes     yes    yes   yes   yes
52      Acct-Input-Gigawords       no    no    no    no      no     no    no    no
53      Acct-Output-Gigawords      no    no    no    no      no     no    no    no
55      Event-Timestamp            no    no    no    no      no     no    no    yes
60      CHAP-Challenge             yes   yes   yes   yes     yes    yes   yes   yes
61      NAS-Port-Type              yes   yes   yes   yes     yes    yes   yes   yes
62      Port-Limit                 yes   yes   yes   yes     yes    yes   yes   yes
63      Login-LAT-Port             no    no    no    no      no     no    no    no
64      Tunnel-Type                no    no    no    no      no     no    yes   yes
65      Tunnel-Medium-Type         no    no    no    no      no     no    yes   yes
66      Tunnel-Client-Endpoint     no    no    no    no      no     no    yes   yes
67      Tunnel-Server-Endpoint     no    no    no    no      no     no    yes   yes
68      Acct-Tunnel-Connection-ID  no    no    no    no      no     no    yes   yes
69      Tunnel-Password            no    no    no    no      no     no    yes   yes
70      ARAP-Password              no    no    no    no      no     no    no    no
71      ARAP-Features              no    no    no    no      no     no    no    no
72      ARAP-Zone-Access           no    no    no    no      no     no    no    no
73      ARAP-Security              no    no    no    no      no     no    no    no
74      ARAP-Security-Data         no    no    no    no      no     no    no    no
75      Password-Retry             no    no    no    no      no     no    no    no
76      Prompt                     no    no    no    no      no     no    yes   yes
77      Connect-Info               no    no    no    no      no     no    no    yes
78      Configuration-Token        no    no    no    no      no     no    no    no
79      EAP-Message                no    no    no    no      no     no    no    no
80      Message-Authenticator      no    no    no    no      no     no    no    no
81      Tunnel-Private-Group-ID    no    no    no    no      no     no    no    no
82      Tunnel-Assignment-ID       no    no    no    no      no     no    yes   yes
83      Tunnel-Preference          no    no    no    no      no     no    no    yes
84      ARAP-Challenge-Response    no    no    no    no      no     no    no    no
85      Acct-Interim-Interval      no    no    no    no      no     no    yes   yes
86      Acct-Tunnel-Packets-Lost   no    no    no    no      no     no    no    no
87      NAS-Port-ID                no    no    no    no      no     no    no    no
88      Framed-Pool                no    no    no    no      no     no    no    no
90      Tunnel-Client-Auth-ID      no    no    no    no      no     no    no    yes
91      Tunnel-Server-Auth-ID      no    no    no    no      no     no    no    yes
200     IETF-Token-Immediate       no    no    no    no      no     no    no    no


RADIUS Accounting

RADIUS accounting is performed by sending messages at the start and the stop of a session (an Accounting-Request whose Acct-Status-Type is Start or Stop). These messages carry information about the session, such as elapsed time, packet counts, and byte counts. They are sent to UDP port 1813 (1646 in older implementations). The accounting process for RADIUS is defined in RFC 2866. The messages exchanged between the AAA client and the AAA server are Accounting-Request and Accounting-Response; because RADIUS runs over UDP, the AAA client retransmits an Accounting-Request until it receives the Accounting-Response or gives up after its configured number of retries. The basic process of RADIUS accounting is seen in Figure 2-7.

Figure 2-7. RADIUS Accounting


During this process, the accounting information is also sent via AV pairs (for example, Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, and the Acct-Input-Octets and Acct-Output-Octets counters). The RADIUS accounting AV pairs supported in Cisco IOS up to version 12.2 are included in Table 2-3.
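RADIUS accounting, as an added example written for this page (not the book's or Cisco's code): a Python model of the Start and Stop Accounting-Request messages and the Accounting-Response, using the authenticator rule of RFC 2866, in which the Request Authenticator is an MD5 hash over the packet and the shared secret rather than a random value. The attribute encoder is repeated here in minimal form so the block runs on its own. The shared secret, NAS address, username, session ID, and counters are made up; the AccountingServer class is hypothetical and shows the two checks a receiver needs: dropping requests whose authenticator does not verify, and acknowledging a retransmitted request again without counting the session twice.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 1, 4, 40, 41
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 42, 43, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
START, STOP = 1, 2  # Acct-Status-Type values
NAS_IP = bytes([192, 0, 2, 10])  # made-up AAA client address

def avp(attr_type, value):  # Type | Length (includes header) | Value
    return bytes([attr_type, len(value) + 2]) + value

def u32(n):
    return struct.pack("!I", n)

def accounting_request(ident, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret). Unlike an Access-Request, the request itself is
    authenticated, so a server must drop one whose value does not verify."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def verify_accounting_request(pkt, secret):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def accounting_response(req, secret):
    """No attributes; authenticator = MD5(Code + ID + Length + RequestAuth + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, req[1], 20)
    return header + hashlib.md5(header + req[4:20] + secret).digest()

def start_record(ident, user, session_id, secret):
    attrs = (avp(ACCT_STATUS_TYPE, u32(START)) + avp(USER_NAME, user)
             + avp(NAS_IP_ADDRESS, NAS_IP) + avp(ACCT_SESSION_ID, session_id)
             + avp(ACCT_DELAY_TIME, u32(0)))
    return accounting_request(ident, attrs, secret)

def stop_record(ident, user, session_id, seconds, octets_in, octets_out, cause, secret):
    attrs = (avp(ACCT_STATUS_TYPE, u32(STOP)) + avp(USER_NAME, user)
             + avp(NAS_IP_ADDRESS, NAS_IP) + avp(ACCT_SESSION_ID, session_id)
             + avp(ACCT_SESSION_TIME, u32(seconds))
             + avp(ACCT_INPUT_OCTETS, u32(octets_in))
             + avp(ACCT_OUTPUT_OCTETS, u32(octets_out))
             + avp(ACCT_TERMINATE_CAUSE, u32(cause)) + avp(ACCT_DELAY_TIME, u32(0)))
    return accounting_request(ident, attrs, secret)

class AccountingServer:
    """Hypothetical receiver: pairs Start and Stop records by Acct-Session-Id,
    drops requests that fail the authenticator check, and acknowledges a
    retransmitted request again without counting the session twice."""

    def __init__(self, secret):
        self.secret, self.sessions, self.seen = secret, {}, set()

    def handle(self, pkt):
        if not verify_accounting_request(pkt, self.secret):
            return None  # RFC 2866: silently discard
        attrs, i = {}, 20
        while i < len(pkt):
            t, ln = pkt[i], pkt[i + 1]
            if ln < 2 or i + ln > len(pkt):
                return None
            attrs[t] = pkt[i + 2:i + ln]
            i += ln
        sid = attrs[ACCT_SESSION_ID]
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        if (sid, status) not in self.seen:  # first copy of this record
            self.seen.add((sid, status))
            if status == START:
                self.sessions[sid] = {"user": attrs[USER_NAME], "open": True}
            elif status == STOP and sid in self.sessions:
                self.sessions[sid].update(
                    open=False,
                    seconds=struct.unpack("!I", attrs[ACCT_SESSION_TIME])[0],
                    octets_in=struct.unpack("!I", attrs[ACCT_INPUT_OCTETS])[0],
                    octets_out=struct.unpack("!I", attrs[ACCT_OUTPUT_OCTETS])[0])
        return accounting_response(pkt, self.secret)
```

Because the client keeps retransmitting until it sees an Accounting-Response, the server must always answer a valid duplicate; what it must not do is open or close the session a second time, which is why the (session, status) pair is remembered.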




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173