SlideShare a Scribd company logo

Radius Protocol

Netwax Lab
Netwax Lab

RADIUS is a protocol for carrying information related to authentication, authorization, and configuration between a Network Access Server that desires to authenticate its links and a shared Authentication Server.  RADIUS stands for Remote Authentication Dial In User Service.  RADIUS is an AAA protocol for applications such as Network Access or IP Mobility  It works in both situations, Local and Mobile.  It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.  It look in text file, LDAP Servers, Database for authentication.

Technology
1 of 9
Download to read offline
RADIUS Protocol RADIUS is a protocol for carrying information related to authentication, authorization, and configuration between a Network Access Server that desires to authenticate its links and a shared Authentication Server.  RADIUS stands for Remote Authentication Dial In User Service.  RADIUS is an AAA protocol for applications such as Network Access or IP Mobility  It works in both situations, Local and Mobile.  It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.  It look in text file, LDAP Servers, Database for authentication.  After authentication services parameters passed back to NAS.  It notifies when a session starts and stop. This data is used for Billing or Statistics purposes.  SNMP is used for remote monitoring.  It can be used as a proxy.  RADIUS is a client/server protocol that runs in the application layer, using UDP as transport.  The Remote Access Server, the Virtual Private Network server, the Network switch with port- based authentication, and the Network Access Server (NAS), are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server.  RADIUS is often the backend of choice for 802.1X authentication as well.  RADIUS server is usually a background process running on a UNIX or Microsoft Windows server.  RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866).  The RADIUS specification RFC 2865 obsoletes RFC 2138. The RADIUS accounting standard RFC 2866 obsoletes RFC 2139. Figure 1 Simple Network Diagram of Radius
RADIUS Protocol Client/Server Model Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than the transmission protocol. RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. 1. User initiates PPP authentication to the NAS. 2. NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]). 3. User replies. 4. RADIUS client sends username and encrypted password to the RADIUS server. 5. RADIUS server responds with Accept, Reject, or Challenge. 6. The RADIUS client acts upon services and services parameters bundled with Accept or Reject. Network Security  Transactions between a client and a server are authenticated through the use of a shared key. This key is never sent over the network.  Password is encrypted before sending it over the network. Flexible Authentication Mechanisms Radius supports the following protocols for authentication purpose:  Point-to-Point Protocol - PPP Figure 2 Shows the interaction between a dial-in user and the RADIUS Client and Server
RADIUS Protocol  Password Authentication Protocol - PAP  Challenge Handshake Authentication Protocol - CHAP  Simple UNIX Login Extensible Protocol  Radius is extensible; most vendors of Radius hardware and software implement their own dialects.  Stateless protocol, using UDP, runs at port 1812. Before the Client starts communicating with the Radius Server, it is required that the secret key is shared between the Client and the Server and the Client must be configured to use Radius server to get service. Radius Codes (decimal) are assigned as follows:  1 Access-Request  2 Access-Accept  3 Access-Reject  4 Accounting-Request  5 Accounting-Response  11 Access-Challenge  12 Status-Server (experimental)  13 Status-Client (experimental)  255 Reserved  No Keep Alive concept - Good or Bad?? Codes 4 and 5 are related to Radius Accounting Functionality. Codes 12 and 13 are reserved for possible use. The packet format of Radius is as shown below: Figure 3 RADIUS Packet Format
RADIUS Protocol  Code: This is 1 Octet (1 byte) long and identifies various types of packets. Normally 1 Octet means 1 Byte.  Identifier: This is again 1 Octet long and aids in matching responses with requests.  Length: This is 2 Octets long and specifies the length of the packet including code, identifier, length, and authenticator. (Min packet is 20 Octets and max is 4096 Octets).  Authenticator: This is 16 Octets long and filled up in case of some requests and responses.  List of Attributes: There is a list of 63+ attributes and a Radius attribute will also have a defined format which is described in next chapter. A Radius attribute consists of the following three parts:  Type: 1 Octet long, identifies various types of attributes. It is an attribute code listed below.  Length: 1 Octet long, length of the attribute including Type.  Value: 0 or more Octets long, contains information specific to attribute. Radius Request Example Let us have a look into a Radius Request example:  The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named Nemo logging in on port 3 with password "arctangent".  The Request Authenticator is a 16 octet random number generated by the NAS.  The User-Password is 16 octets padded at end with nulls, XORed with D5 (Shared Secret|Request Authenticator).  01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03  1 Code = Access-Request (1) o 1 Identifier = 0 o 2 Length = 56 o 16 Request Authenticator  Attribute List o 6 User-Name = "Nemo" o 18 User-Password o 6 NAS-IP-Address = 192.168.1.16 o 6 NAS-Port = 3 Radius Response Example Here is an example of Response Packets:  The Radius server authenticates Nemo and sends an Access-Accept UDP packet to the NAS telling it to telnet Nemo to host 192.168.1.3
RADIUS Protocol  The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the Request Authenticator from above, the attributes in this reply, and the shared secret.  02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03  1 Code = Access-Accept (2) o 1 Identifier = 0 (same as in Access-Request) o 2 Length = 38 o 16 Response Authenticator Attribute List  6 Service-Type (6) = Login (1)  6 Login-Service (15) = Telnet (0)  6 Login-IP-Host (14) = 192.168.1.3 DIAMETER Diameter is a planned replacement of RADIUS. It is an AAA protocol for applications such as network access and IP mobility. Listed below are a few points that you need to know about Diameter:  It is intended to work in both local and roaming AAA situations.  Diameter is just twice the predecessor protocol Radius.  It uses TCP or SCTP and not UDP.  It uses transport level security (IPSEC or TLS).  It has 32 bit identifier instead of 8 bit.  It supports stateless as well as stateful mode.  It supports application layer acknowledgement, define failover.  It offers better roaming support.  It uses AVPs.  Diameter allows to define new commands and attributes. It is easy to extend. RADIUS Infrastructure Components The following components are part of the RADIUS authentication, authorization, and accounting infrastructure:  Access clients An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or LAN clients connected to a switch.
RADIUS Protocol  Access servers (RADIUS clients) An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server. The following are examples of access servers: o Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running Windows Server® 2003 and the Routing and Remote Access service and providing either traditional dial-up or virtual private network (VPN) services to an organization's intranet. o Wireless access points that provide physical layer access to an organization's network, using wireless-based transmission and reception technologies. o Switches that provide physical layer access to an organization's network, using traditional LAN technologies, such as Ethernet.  RADIUS Proxies A RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS clients (and RADIUS proxies) and RADIUS servers (or RADIUS proxies). The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Figure 4 RADIUS Infrastructure Components
RADIUS Protocol Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server. A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations.  RADIUS Servers A RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. Based on a set of rules and the information in the user account database, the RADIUS server either authenticates and authorizes the connection and sends back an Access-Accept message or sends back an Access-Reject message. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.  User Account Databases The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information. The user account databases that NPS can use are the local Security Accounts Manager (SAM), a Microsoft Windows NT 4.0 domain, or Active Directory® Domain Services (AD DS). For AD DS, NPS can provide authentication and authorization for user or computer accounts in the domain in which the NPS server is a member, two-way trusted domains, and trusted forests with domain controllers running Windows Server® 2008; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. Different databases for AD DS include untrusted forests, untrusted domains, or one-way trusted domains. Roaming RADIUS is commonly used to facilitate roaming between ISPs, for example:  by companies which provide a single global set of credentials that are usable on many public networks;
RADIUS Protocol  by independent, but collaborating, institutions issuing their own credentials to their own users, that allow a visitor from one to another to be authenticated by their home institution, such as in eduroam. RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.  Realms A realm is commonly appended to a user's user name and delimited with an '@' sign, resembling an email address domain name. This is known as postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using '' as a delimiter. Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice '@' and '' are usually used. Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example: somedomain.comusername@anotherdomain.com could be a valid username with two realms.  Proxy Operations When a RADIUS server receives an AAA request for a user name containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that domain. The behavior of the proxying server regarding the removal of the realm from the request ("stripping") is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests when they are proxied over time again. Figure 5 Roaming using a proxy RADIUS AAA Server
RADIUS Protocol  Security Roaming with RADIUS exposes the users to various security and privacy concerns. More generally, some roaming partners establish a secure tunnel between the RADIUS servers to ensure that users' credentials cannot be intercepted while being proxied across the internet. This is a concern as the MD5 hash built into RADIUS is considered insecure.

Recommended

Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Radius1
Radius1Radius1
Radius1balamurugan.k Kalibalamurugan
 
Tacacs
TacacsTacacs
Tacacs1 2d
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS ProtocolNetwax Lab
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 

Recommended

Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Radius1
Radius1Radius1
Radius1balamurugan.k Kalibalamurugan
 
Tacacs
TacacsTacacs
Tacacs1 2d
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS ProtocolNetwax Lab
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCPHameda Hurmat
 
Aruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba, a Hewlett Packard Enterprise company
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
session initiation protocol - SIP
session initiation protocol - SIPsession initiation protocol - SIP
session initiation protocol - SIPMahmoud Abudaqa
 
LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
CCNA ppt
CCNA pptCCNA ppt
CCNA pptSumant Garg
 
OSI layer by cisco
OSI layer by ciscoOSI layer by cisco
OSI layer by ciscoSMKN 3 Kota Tangerang
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptxsyedasadraza13
 
Ospf
OspfOspf
OspfAlp isik
 
SNMP
SNMPSNMP
SNMPOECLIB Odisha Electronics Control Library
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocolsJUW Jinnah University for Women
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesAruba, a Hewlett Packard Enterprise company
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH ConfigurationVinod Gour
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter PresentationBeny Haddad
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authenticationAlberto Rivai
 
Remote access service
Remote access serviceRemote access service
Remote access serviceApoorw Pandey
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshellMohamed Daif
 

More Related Content

What's hot

6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCPHameda Hurmat
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
session initiation protocol - SIP
session initiation protocol - SIPsession initiation protocol - SIP
session initiation protocol - SIPMahmoud Abudaqa
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptxsyedasadraza13
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH ConfigurationVinod Gour
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter PresentationBeny Haddad
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authenticationAlberto Rivai
 

What's hot (20)

6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCP
 
Aruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentals
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
session initiation protocol - SIP
session initiation protocol - SIPsession initiation protocol - SIP
session initiation protocol - SIP
 
LDAP
LDAPLDAP
LDAP
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
CCNA ppt
CCNA pptCCNA ppt
CCNA ppt
 
OSI layer by cisco
OSI layer by ciscoOSI layer by cisco
OSI layer by cisco
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
 
Active Directory Domain Services.pptx
Active Directory Domain Services.pptxActive Directory Domain Services.pptx
Active Directory Domain Services.pptx
 
Ospf
OspfOspf
Ospf
 
SNMP
SNMPSNMP
SNMP
 
Application layer protocols
Application layer protocolsApplication layer protocols
Application layer protocols
 
Optimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming DevicesOptimizing Aruba WLANs for Roaming Devices
Optimizing Aruba WLANs for Roaming Devices
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH Configuration
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter Presentation
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
Palo Alto Networks authentication
Palo Alto Networks authenticationPalo Alto Networks authentication
Palo Alto Networks authentication
 

Similar to Radius Protocol

Remote access service
Remote access serviceRemote access service
Remote access serviceApoorw Pandey
 
Introduction to DIAMETER
Introduction to DIAMETERIntroduction to DIAMETER
Introduction to DIAMETERHossein Yavari
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best PracticesSagar Gor
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotikAdi Utami
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyKarri Huhtanen
 
Radius client
Radius clientRadius client
Radius clientdhenis1
 
Dcn Networking Between Server And Client Machine
Dcn Networking Between Server And Client MachineDcn Networking Between Server And Client Machine
Dcn Networking Between Server And Client MachineRohan Bhatkar
 
RADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxRADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxacarolyn
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guideWilson Ospina
 
lec3_10.ppt
lec3_10.pptlec3_10.ppt
lec3_10.pptImXaib
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005FNian
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)Karri Huhtanen
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficTal Lavian Ph.D.
 

Similar to Radius Protocol (20)

Remote access service
Remote access serviceRemote access service
Remote access service
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
AAA server
AAA serverAAA server
AAA server
 
Introduction to DIAMETER
Introduction to DIAMETERIntroduction to DIAMETER
Introduction to DIAMETER
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
 
Introduction to Diameter Protocol - Part1
Introduction to Diameter Protocol - Part1Introduction to Diameter Protocol - Part1
Introduction to Diameter Protocol - Part1
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotik
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
 
Radius client
Radius clientRadius client
Radius client
 
Dcn Networking Between Server And Client Machine
Dcn Networking Between Server And Client MachineDcn Networking Between Server And Client Machine
Dcn Networking Between Server And Client Machine
 
Unit 6 : Application Layer
Unit 6 : Application LayerUnit 6 : Application Layer
Unit 6 : Application Layer
 
STUN protocol
STUN protocolSTUN protocol
STUN protocol
 
RADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxRADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docx
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
lec3_10.ppt
lec3_10.pptlec3_10.ppt
lec3_10.ppt
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
4 vpn s
4 vpn s4 vpn s
4 vpn s
 
Method and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport trafficMethod and apparatus for classifying remote procedure call transport traffic
Method and apparatus for classifying remote procedure call transport traffic
 

More from Netwax Lab

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeNetwax Lab
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Netwax Lab
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionNetwax Lab
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionNetwax Lab
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewallNetwax Lab
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access listNetwax Lab
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNetwax Lab
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunkingNetwax Lab
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Netwax Lab
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting Netwax Lab
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNetwax Lab
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNetwax Lab
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Netwax Lab
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cliNetwax Lab
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failoverNetwax Lab
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iiiNetwax Lab
 

More from Netwax Lab (20)

Eincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static routeEincop Netwax Lab: Lab 1 static route
Eincop Netwax Lab: Lab 1 static route
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
 
Eincop Netwax Lab: Redistribution
Eincop Netwax Lab: RedistributionEincop Netwax Lab: Redistribution
Eincop Netwax Lab: Redistribution
 
Eincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route RedistributionEincop Netwax Lab: Route Redistribution
Eincop Netwax Lab: Route Redistribution
 
Nxll12 zone based firewall
Nxll12 zone based firewallNxll12 zone based firewall
Nxll12 zone based firewall
 
Nxll11 bgp
Nxll11 bgpNxll11 bgp
Nxll11 bgp
 
Nxll09 access list
Nxll09 access listNxll09 access list
Nxll09 access list
 
Nxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarizationNxll21 ospf filtering & summarization
Nxll21 ospf filtering & summarization
 
Nxll10 v lan and trunking
Nxll10 v lan and trunkingNxll10 v lan and trunking
Nxll10 v lan and trunking
 
Nxll16 basic asa v8.2
Nxll16 basic asa v8.2Nxll16 basic asa v8.2
Nxll16 basic asa v8.2
 
Nxll20 na ting
Nxll20 na ting Nxll20 na ting
Nxll20 na ting
 
Nxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asaNxll14 cut through-proxy on asa
Nxll14 cut through-proxy on asa
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asa
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)Nxll19 vrrp (virtual router redundancy protocol)
Nxll19 vrrp (virtual router redundancy protocol)
 
Nxll22 role based cli
Nxll22 role based cliNxll22 role based cli
Nxll22 role based cli
 
Nxll25 hsrp with failover
Nxll25 hsrp with failoverNxll25 hsrp with failover
Nxll25 hsrp with failover
 
Nxll26 bgp ii
Nxll26 bgp iiNxll26 bgp ii
Nxll26 bgp ii
 
Nxll28 ospf iii
Nxll28 ospf iiiNxll28 ospf iii
Nxll28 ospf iii
 
Nxll23 i pv6
Nxll23 i pv6Nxll23 i pv6
Nxll23 i pv6
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Radius Protocol

  • 1. RADIUS Protocol RADIUS is a protocol for carrying information related to authentication, authorization, and configuration between a Network Access Server that desires to authenticate its links and a shared Authentication Server.  RADIUS stands for Remote Authentication Dial In User Service.  RADIUS is an AAA protocol for applications such as Network Access or IP Mobility  It works in both situations, Local and Mobile.  It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.  It look in text file, LDAP Servers, Database for authentication.  After authentication services parameters passed back to NAS.  It notifies when a session starts and stop. This data is used for Billing or Statistics purposes.  SNMP is used for remote monitoring.  It can be used as a proxy.  RADIUS is a client/server protocol that runs in the application layer, using UDP as transport.  The Remote Access Server, the Virtual Private Network server, the Network switch with port- based authentication, and the Network Access Server (NAS), are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server.  RADIUS is often the backend of choice for 802.1X authentication as well.  RADIUS server is usually a background process running on a UNIX or Microsoft Windows server.  RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866).  The RADIUS specification RFC 2865 obsoletes RFC 2138. The RADIUS accounting standard RFC 2866 obsoletes RFC 2139. Figure 1 Simple Network Diagram of Radius
  • 2. RADIUS Protocol Client/Server Model Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than the transmission protocol. RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. 1. User initiates PPP authentication to the NAS. 2. NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]). 3. User replies. 4. RADIUS client sends username and encrypted password to the RADIUS server. 5. RADIUS server responds with Accept, Reject, or Challenge. 6. The RADIUS client acts upon services and services parameters bundled with Accept or Reject. Network Security  Transactions between a client and a server are authenticated through the use of a shared key. This key is never sent over the network.  Password is encrypted before sending it over the network. Flexible Authentication Mechanisms Radius supports the following protocols for authentication purpose:  Point-to-Point Protocol - PPP Figure 2 Shows the interaction between a dial-in user and the RADIUS Client and Server
  • 3. RADIUS Protocol  Password Authentication Protocol - PAP  Challenge Handshake Authentication Protocol - CHAP  Simple UNIX Login Extensible Protocol  Radius is extensible; most vendors of Radius hardware and software implement their own dialects.  Stateless protocol, using UDP, runs at port 1812. Before the Client starts communicating with the Radius Server, it is required that the secret key is shared between the Client and the Server and the Client must be configured to use Radius server to get service. Radius Codes (decimal) are assigned as follows:  1 Access-Request  2 Access-Accept  3 Access-Reject  4 Accounting-Request  5 Accounting-Response  11 Access-Challenge  12 Status-Server (experimental)  13 Status-Client (experimental)  255 Reserved  No Keep Alive concept - Good or Bad?? Codes 4 and 5 are related to Radius Accounting Functionality. Codes 12 and 13 are reserved for possible use. The packet format of Radius is as shown below: Figure 3 RADIUS Packet Format
  • 4. RADIUS Protocol  Code: This is 1 Octet (1 byte) long and identifies various types of packets. Normally 1 Octet means 1 Byte.  Identifier: This is again 1 Octet long and aids in matching responses with requests.  Length: This is 2 Octets long and specifies the length of the packet including code, identifier, length, and authenticator. (Min packet is 20 Octets and max is 4096 Octets).  Authenticator: This is 16 Octets long and filled up in case of some requests and responses.  List of Attributes: There is a list of 63+ attributes and a Radius attribute will also have a defined format which is described in next chapter. A Radius attribute consists of the following three parts:  Type: 1 Octet long, identifies various types of attributes. It is an attribute code listed below.  Length: 1 Octet long, length of the attribute including Type.  Value: 0 or more Octets long, contains information specific to attribute. Radius Request Example Let us have a look into a Radius Request example:  The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named Nemo logging in on port 3 with password "arctangent".  The Request Authenticator is a 16 octet random number generated by the NAS.  The User-Password is 16 octets padded at end with nulls, XORed with D5 (Shared Secret|Request Authenticator).  01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03  1 Code = Access-Request (1) o 1 Identifier = 0 o 2 Length = 56 o 16 Request Authenticator  Attribute List o 6 User-Name = "Nemo" o 18 User-Password o 6 NAS-IP-Address = 192.168.1.16 o 6 NAS-Port = 3 Radius Response Example Here is an example of Response Packets:  The Radius server authenticates Nemo and sends an Access-Accept UDP packet to the NAS telling it to telnet Nemo to host 192.168.1.3
  • 5. RADIUS Protocol  The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the Request Authenticator from above, the attributes in this reply, and the shared secret.  02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03  1 Code = Access-Accept (2) o 1 Identifier = 0 (same as in Access-Request) o 2 Length = 38 o 16 Response Authenticator Attribute List  6 Service-Type (6) = Login (1)  6 Login-Service (15) = Telnet (0)  6 Login-IP-Host (14) = 192.168.1.3 DIAMETER Diameter is a planned replacement of RADIUS. It is an AAA protocol for applications such as network access and IP mobility. Listed below are a few points that you need to know about Diameter:  It is intended to work in both local and roaming AAA situations.  Diameter is just twice the predecessor protocol Radius.  It uses TCP or SCTP and not UDP.  It uses transport level security (IPSEC or TLS).  It has 32 bit identifier instead of 8 bit.  It supports stateless as well as stateful mode.  It supports application layer acknowledgement, define failover.  It offers better roaming support.  It uses AVPs.  Diameter allows to define new commands and attributes. It is easy to extend. RADIUS Infrastructure Components The following components are part of the RADIUS authentication, authorization, and accounting infrastructure:  Access clients An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or LAN clients connected to a switch.
  • 6. RADIUS Protocol  Access servers (RADIUS clients) An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server. The following are examples of access servers: o Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running Windows Server® 2003 and the Routing and Remote Access service and providing either traditional dial-up or virtual private network (VPN) services to an organization's intranet. o Wireless access points that provide physical layer access to an organization's network, using wireless-based transmission and reception technologies. o Switches that provide physical layer access to an organization's network, using traditional LAN technologies, such as Ethernet.  RADIUS Proxies A RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS clients (and RADIUS proxies) and RADIUS servers (or RADIUS proxies). The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Figure 4 RADIUS Infrastructure Components
  • 7. RADIUS Protocol Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server. A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations.  RADIUS Servers A RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. Based on a set of rules and the information in the user account database, the RADIUS server either authenticates and authorizes the connection and sends back an Access-Accept message or sends back an Access-Reject message. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.  User Account Databases The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information. The user account databases that NPS can use are the local Security Accounts Manager (SAM), a Microsoft Windows NT 4.0 domain, or Active Directory® Domain Services (AD DS). For AD DS, NPS can provide authentication and authorization for user or computer accounts in the domain in which the NPS server is a member, two-way trusted domains, and trusted forests with domain controllers running Windows Server® 2008; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. Different databases for AD DS include untrusted forests, untrusted domains, or one-way trusted domains. Roaming RADIUS is commonly used to facilitate roaming between ISPs, for example:  by companies which provide a single global set of credentials that are usable on many public networks;
  • 8. RADIUS Protocol  by independent, but collaborating, institutions issuing their own credentials to their own users, that allow a visitor from one to another to be authenticated by their home institution, such as in eduroam. RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.  Realms A realm is commonly appended to a user's user name and delimited with an '@' sign, resembling an email address domain name. This is known as postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using '' as a delimiter. Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice '@' and '' are usually used. Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example: somedomain.comusername@anotherdomain.com could be a valid username with two realms.  Proxy Operations When a RADIUS server receives an AAA request for a user name containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that domain. The behavior of the proxying server regarding the removal of the realm from the request ("stripping") is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests when they are proxied over time again. Figure 5 Roaming using a proxy RADIUS AAA Server
  • 9. RADIUS Protocol  Security Roaming with RADIUS exposes the users to various security and privacy concerns. More generally, some roaming partners establish a secure tunnel between the RADIUS servers to ensure that users' credentials cannot be intercepted while being proxied across the internet. This is a concern as the MD5 hash built into RADIUS is considered insecure.