SlideShare a Scribd company logo

AAA & RADIUS Protocols

Peter R. Egli
Peter R. Egli

Short overview of AAA and the RADIUS protocol. The term AAA (say triple A) subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. AAA stands for Authentication (is the user authentic?), Authorization (what is the user allowed to do?) and Accounting (track resource usage by the user). AAA is typically employed at network ingress points to control user's access to the network and resources. The most prominent protocol for AAA is RADIUS (Remote Authentication Dial In User Service) which defines messages for opening and closing a network session and counting network usage (packet and byte count). RADIUS usually works in conjunction with an LDAP server that stores the policies and user authorizations in a central repository.

Technology
1 of 12
Download to read offline
© Peter R. Egli 2015 1/12 Rev. 2.70 AAA / RADIUS indigoo.com Peter R. Egli INDIGOO.COM INTRODUCTION TO RADIUS, A PROTOCOL FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICES AAA / RADIUS REMOTE AUTHENTICATION DIAL IN USER SERVICE
© Peter R. Egli 2015 2/12 Rev. 2.70 AAA / RADIUS indigoo.com Contents 1. AAA - Access Control 2. RADIUS architectures 3. RADIUS RFC2865 protocol 4. RADIUS transaction 5. RADIUS accounting RFC2866 6. RADIUS applications
© Peter R. Egli 2015 3/12 Rev. 2.70 AAA / RADIUS indigoo.com NAS / RAS User Internet / Intranet AAA server (authentication, authorization accounting) 1. AAA - Access Control (1/2) What is AAA? The term AAA (say "triple A") subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. Authentication: Is the one I‘m talking to the one he pretends to be (is a user authentic)? Authorization: Find out what the user is allowed to do (and what not). Accounting: Log the user‘s activity to charge him accordingly. Accounting information may be used to track the user's usage for charging but also for auditing purposes. AAA is used in scenarios where a NAS (network access server) or a RAS (remote access server) acts like a switch granting or denying access to the Internet or Intranet for a user based on AAA authentication and authorization.
© Peter R. Egli 2015 4/12 Rev. 2.70 AAA / RADIUS indigoo.com 1. AAA - Access Control (2/2) Most important AAA protocols: 1. RADIUS RFC2865: Remote Authentication Dial In User Service. 2. TACACS+ RFC1492: Terminal Access Controller Access Control System by Cisco. 3. Diameter RFC3588: Diameter is not an acronym. Diameter is a successor to RADIUS that should fix some of the shortcomings of RADIUS. Diameter uses reliable transport connections, i.e. runs on TCP or SCTP (Stream Control Transmission Protocol).  Nota Bene: RADIUS (and TACACS+) are AAA access control protocols, but do not define a policy (who is granted access, what is the user allowed to do etc.). These protocols merely provide a means to transport such information between a client and an authentication server. The policy is implemented as an application on the RADIUS server (possibly doing LDAP/SQL lookups to obtain access rules).
© Peter R. Egli 2015 5/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (1/2) Scenario 1: In this scenario, a front-end NAS (network access server) or RAS (remote access server) performs authentication of a user with a backend RADIUS server. The NAS/RAS sends user information (credentials) to the RADIUS server carried in RADIUS packets. The RADIUS server implements the access policy (who is granted access with what authorizations) or may retrieve policies from a database through LDAP (Lightweight Directory Access Protocol). RADIUS Server RADIUS LDAP/SQL RADIUS server may optionally contain policy DB LDAP SQL NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
© Peter R. Egli 2015 6/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (2/2) Scenario 2: In this scenario, a first RADIUS server does not perform authentication but acts as a proxy that routes RADIUS requests to the appropriate home RADIUS server. The routing is based on username and realm. The home RADIUS server performs the actual authentication by accessing a user DB. A concurrency RADIUS server may be employed to make sure that a user is not logged in more than once, e.g. in scenarios with multiple RADIUS servers for redundancy / load balancing. RADIUS Proxy Server RADIUS RADIUS Server #1 Home RADIUS Server RADIUS Server #2 Concurrency RADIUS Server RADIUS NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
© Peter R. Egli 2015 7/12 Rev. 2.70 AAA / RADIUS indigoo.com 3. RADIUS RFC2865 protocol RADIUS uses UDP (port 1842) since it is a simple ‚Request-Reply‘ protocol (Accept/Request). RADIUS packet format: Code field: Defines the packet type (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response). Identifier: ID to match requests and replies. Length: Length of packet. Authenticator: Used to authenticate the RADIUS transaction itself. The authenticator authenticates the reply from the server. The RADIUS client sends a challenge in the Access-Request packet and the RADIUS server returns a challenge-response in the Authenticator field (shared secret between NAS and RADIUS server). Attributes: AAA-information such as username, password, CHAP-Password, callback-phone-# etc. The attribute encoding is as follows: Byte 0 Byte 1 Byte 3 Code LengthIdentifier Authenticator List of attributes Byte 2 Type Length Value
© Peter R. Egli 2015 8/12 Rev. 2.70 AAA / RADIUS indigoo.com 4. RADIUS transaction A RADIUS transaction typically starts with an Access-Request carrying user credentials followed by a RADIUS server response with a grant or denial of access. User NAS Access-Request with username and hashed password (RSA MD5) User data packet Access-Reject DB Lookup credentials for authorization 'Wrong credentials' RADIUS server Reject access Access-Request with username and hashed password (RSA MD5) User data packet Access-Accept Lookup credentials for authorization. Create session record. 'Correct credentials' Grant access Auth.failureAuth.success
© Peter R. Egli 2015 9/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (1/2) Once a network session is up and running (successful authentication), the NAS may request to start counting network usage of the user. User NAS DBRADIUS server Accounting-Request (Start) User data packet Accounting-Response Start counting resource usage (e.g. online time) End of network session Accounting-Request (Stop) Accounting-Response Stop counting resource usage
© Peter R. Egli 2015 10/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (2/2) Accounting with RADIUS is specified in a separate RFC (RFC2866). A set of special accounting RADIUS attributes (attribute values 40 – 59) are used to transfer accounting data between the RADIUS client (NAS) and server. Value Type Description 40 Acct-Status-Type Indicates start or stop of accounting. 41 Acct-Delay-Time Delay between event causing accounting request and server response (used to compensate for processing delay time). 42 Acct-Input-Octets Used by client to report number of received octets to server. 43 Acct-Output-Octets Used by client to report number of transmitted octets to server. 44 Acct-Session-Id Used by client to identify user session to server. 45 Acct-Authentic Used by client to report authentication method to server, e.g. user autenticated by NAS itself, user authenticated by RADIUS or user authenticated by external protocol. 46 Acct-Session-Time Used by client to report to server how many seconds the user session is running. 47 Acct-Input-Packets Used by client to report number of packets received by a user. 48 Acct-Output-Packets Used by client to report number of packets sent by a user. 49 Acct-Terminate-Cause Used by client to report cause of service termination (e.g. error, termination upon user request, timeout). 50 Acct-Multi-Session-Id Similar to Acct-Session-Id, but used to link multiple sessions to one for correlation in log file. 51 Acct-Link-Count Used by client to report number of links used by user.
© Peter R. Egli 2015 11/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (1/2) NAS network access (ISP): A user dials in on a NAS server run by the Internet provider. Prior to granting access to the Internet, the NAS authenticates the user with RADIUS. RAS Intranet access (enterprise dial-in): This application is similar to the NAS scenario. The RAS (Remote Access Server) sits at the edge of the company network and authenticates a user prior to granting access to the network. RADIUS NAS Access Line (e.g. PPP) RADIUS Server Internet User DB NAS RADIUS Server Internet / Intranet User DB Intranet / company network RADIUS
© Peter R. Egli 2015 12/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (2/2) 802.1X backend control for Ethernet and WLAN network access: IEEE 802.1X is a generic protocol for authentication and authorization in IEEE 802 based networks. The 802.1X supplicant ('the user') sends an EAPOL (Extensible Authentication Protocol Over LAN) message to the 802.1X authenticator (switch, access point). The switch or access point enables the Ethernet or WiFi port if the backend authentication based on credentials provided via 802.1X is successful. Using a central server for authentication (username and password storage) eases administration in large networks. * 802.1X capable Ethernet switch * 802.1X authenticator * RADIUS client Ethernet with 802.1X EAPOL 802.11 WLAN with 802.1X EAPOL RADIUSRADIUS 802.1X Supplicant RADIUS Server * 802.11 Access point * 802.1X authenticator * RADIUS client PDA LAN

Recommended

Radius1
Radius1Radius1
Radius1balamurugan.k Kalibalamurugan
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS ProtocolNetwax Lab
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA ImplementationAhmad El Tawil
 
RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 

Recommended

Radius1
Radius1Radius1
Radius1balamurugan.k Kalibalamurugan
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS ProtocolNetwax Lab
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA ImplementationAhmad El Tawil
 
RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Tacacs
TacacsTacacs
Tacacs1 2d
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA FirewallsBryley Systems Inc.
 
Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCPHameda Hurmat
 
Wireless Networking Security
Wireless Networking SecurityWireless Networking Security
Wireless Networking SecurityAnshuman Biswal
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
802.1x
802.1x802.1x
802.1xakruthi k
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 
Dhcp presentation 01
Dhcp presentation 01Dhcp presentation 01
Dhcp presentation 01maverick4489
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter PresentationBeny Haddad
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Acl
AclAcl
AclRaghu Kiran
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPMEMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPMAruba, a Hewlett Packard Enterprise company
 
AAA server
AAA serverAAA server
AAA serverhetvi naik
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshellMohamed Daif
 

More Related Content

What's hot

Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Tacacs
TacacsTacacs
Tacacs1 2d
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCPHameda Hurmat
 
Wireless Networking Security
Wireless Networking SecurityWireless Networking Security
Wireless Networking SecurityAnshuman Biswal
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its TypesNetwax Lab
 
Dhcp presentation 01
Dhcp presentation 01Dhcp presentation 01
Dhcp presentation 01maverick4489
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter PresentationBeny Haddad
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAAdkaya
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA FirepowerAnwesh Dixit
 

What's hot (20)

Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
 
Tacacs
TacacsTacacs
Tacacs
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap Protocol
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
LDAP
LDAPLDAP
LDAP
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Ldap intro
Ldap introLdap intro
Ldap intro
 
6 understanding DHCP
6 understanding DHCP6 understanding DHCP
6 understanding DHCP
 
Wireless Networking Security
Wireless Networking SecurityWireless Networking Security
Wireless Networking Security
 
Access Control List & its Types
Access Control List & its TypesAccess Control List & its Types
Access Control List & its Types
 
802.1x
802.1x802.1x
802.1x
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Dhcp presentation 01
Dhcp presentation 01Dhcp presentation 01
Dhcp presentation 01
 
Diameter Presentation
Diameter PresentationDiameter Presentation
Diameter Presentation
 
Implementing Cisco AAA
Implementing Cisco AAAImplementing Cisco AAA
Implementing Cisco AAA
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
 
Acl
AclAcl
Acl
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPMEMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
 

Similar to AAA & RADIUS Protocols

8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guideWilson Ospina
 
CCNP Switching Chapter 7
CCNP Switching Chapter 7CCNP Switching Chapter 7
CCNP Switching Chapter 7Chaing Ravuth
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best PracticesSagar Gor
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyKarri Huhtanen
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005FNian
 
Radius client
Radius clientRadius client
Radius clientdhenis1
 
RADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxRADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxacarolyn
 
TekRADIUS Datasheet
TekRADIUS DatasheetTekRADIUS Datasheet
TekRADIUS DatasheetYasin KAPLAN
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleMariaDB plc
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotikAdi Utami
 
ARPMiner Datasheet
ARPMiner DatasheetARPMiner Datasheet
ARPMiner DatasheetYasin KAPLAN
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...Radiator Software
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)Karri Huhtanen
 
Integrated server
Integrated serverIntegrated server
Integrated serverfebru
 
MariaDB MaxScale
MariaDB MaxScaleMariaDB MaxScale
MariaDB MaxScaleMariaDB plc
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 

Similar to AAA & RADIUS Protocols (20)

AAA server
AAA serverAAA server
AAA server
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
CCNP Switching Chapter 7
CCNP Switching Chapter 7CCNP Switching Chapter 7
CCNP Switching Chapter 7
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
 
Radius client
Radius clientRadius client
Radius client
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 
RADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxRADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docx
 
TekRADIUS Datasheet
TekRADIUS DatasheetTekRADIUS Datasheet
TekRADIUS Datasheet
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScale
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotik
 
ARPMiner Datasheet
ARPMiner DatasheetARPMiner Datasheet
ARPMiner Datasheet
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
Integrated server
Integrated serverIntegrated server
Integrated server
 
MariaDB MaxScale
MariaDB MaxScaleMariaDB MaxScale
MariaDB MaxScale
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 

More from Peter R. Egli

LPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M ScenariosLPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M ScenariosPeter R. Egli
 
Data Networking Concepts
Data Networking ConceptsData Networking Concepts
Data Networking ConceptsPeter R. Egli
 
Communication middleware
Communication middlewareCommunication middleware
Communication middlewarePeter R. Egli
 
Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)Peter R. Egli
 
Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)Peter R. Egli
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET PlatformPeter R. Egli
 
Overview of Cloud Computing
Overview of Cloud ComputingOverview of Cloud Computing
Overview of Cloud ComputingPeter R. Egli
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Enterprise Application Integration Technologies
Enterprise Application Integration TechnologiesEnterprise Application Integration Technologies
Enterprise Application Integration TechnologiesPeter R. Egli
 
Overview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technologyOverview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technologyPeter R. Egli
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development KitPeter R. Egli
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)Peter R. Egli
 
MSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message QueueingMSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message QueueingPeter R. Egli
 
Common Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBACommon Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBAPeter R. Egli
 
Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)Peter R. Egli
 
JMS - Java Messaging Service
JMS - Java Messaging ServiceJMS - Java Messaging Service
JMS - Java Messaging ServicePeter R. Egli
 
Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Peter R. Egli
 

More from Peter R. Egli (20)

LPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M ScenariosLPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
 
Data Networking Concepts
Data Networking ConceptsData Networking Concepts
Data Networking Concepts
 
Communication middleware
Communication middlewareCommunication middleware
Communication middleware
 
Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)
 
Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET Platform
 
Overview of Cloud Computing
Overview of Cloud ComputingOverview of Cloud Computing
Overview of Cloud Computing
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message Queueing
 
Enterprise Application Integration Technologies
Enterprise Application Integration TechnologiesEnterprise Application Integration Technologies
Enterprise Application Integration Technologies
 
Overview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technologyOverview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technology
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development Kit
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)
 
Web services
Web servicesWeb services
Web services
 
Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)
 
MSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message QueueingMSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message Queueing
 
Common Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBACommon Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBA
 
Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)
 
JMS - Java Messaging Service
JMS - Java Messaging ServiceJMS - Java Messaging Service
JMS - Java Messaging Service
 
Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)
 

Recently uploaded

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Recently uploaded (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

AAA & RADIUS Protocols

  • 1. © Peter R. Egli 2015 1/12 Rev. 2.70 AAA / RADIUS indigoo.com Peter R. Egli INDIGOO.COM INTRODUCTION TO RADIUS, A PROTOCOL FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICES AAA / RADIUS REMOTE AUTHENTICATION DIAL IN USER SERVICE
  • 2. © Peter R. Egli 2015 2/12 Rev. 2.70 AAA / RADIUS indigoo.com Contents 1. AAA - Access Control 2. RADIUS architectures 3. RADIUS RFC2865 protocol 4. RADIUS transaction 5. RADIUS accounting RFC2866 6. RADIUS applications
  • 3. © Peter R. Egli 2015 3/12 Rev. 2.70 AAA / RADIUS indigoo.com NAS / RAS User Internet / Intranet AAA server (authentication, authorization accounting) 1. AAA - Access Control (1/2) What is AAA? The term AAA (say "triple A") subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. Authentication: Is the one I‘m talking to the one he pretends to be (is a user authentic)? Authorization: Find out what the user is allowed to do (and what not). Accounting: Log the user‘s activity to charge him accordingly. Accounting information may be used to track the user's usage for charging but also for auditing purposes. AAA is used in scenarios where a NAS (network access server) or a RAS (remote access server) acts like a switch granting or denying access to the Internet or Intranet for a user based on AAA authentication and authorization.
  • 4. © Peter R. Egli 2015 4/12 Rev. 2.70 AAA / RADIUS indigoo.com 1. AAA - Access Control (2/2) Most important AAA protocols: 1. RADIUS RFC2865: Remote Authentication Dial In User Service. 2. TACACS+ RFC1492: Terminal Access Controller Access Control System by Cisco. 3. Diameter RFC3588: Diameter is not an acronym. Diameter is a successor to RADIUS that should fix some of the shortcomings of RADIUS. Diameter uses reliable transport connections, i.e. runs on TCP or SCTP (Stream Control Transmission Protocol).  Nota Bene: RADIUS (and TACACS+) are AAA access control protocols, but do not define a policy (who is granted access, what is the user allowed to do etc.). These protocols merely provide a means to transport such information between a client and an authentication server. The policy is implemented as an application on the RADIUS server (possibly doing LDAP/SQL lookups to obtain access rules).
  • 5. © Peter R. Egli 2015 5/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (1/2) Scenario 1: In this scenario, a front-end NAS (network access server) or RAS (remote access server) performs authentication of a user with a backend RADIUS server. The NAS/RAS sends user information (credentials) to the RADIUS server carried in RADIUS packets. The RADIUS server implements the access policy (who is granted access with what authorizations) or may retrieve policies from a database through LDAP (Lightweight Directory Access Protocol). RADIUS Server RADIUS LDAP/SQL RADIUS server may optionally contain policy DB LDAP SQL NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
  • 6. © Peter R. Egli 2015 6/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (2/2) Scenario 2: In this scenario, a first RADIUS server does not perform authentication but acts as a proxy that routes RADIUS requests to the appropriate home RADIUS server. The routing is based on username and realm. The home RADIUS server performs the actual authentication by accessing a user DB. A concurrency RADIUS server may be employed to make sure that a user is not logged in more than once, e.g. in scenarios with multiple RADIUS servers for redundancy / load balancing. RADIUS Proxy Server RADIUS RADIUS Server #1 Home RADIUS Server RADIUS Server #2 Concurrency RADIUS Server RADIUS NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
  • 7. © Peter R. Egli 2015 7/12 Rev. 2.70 AAA / RADIUS indigoo.com 3. RADIUS RFC2865 protocol RADIUS uses UDP (port 1842) since it is a simple ‚Request-Reply‘ protocol (Accept/Request). RADIUS packet format: Code field: Defines the packet type (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response). Identifier: ID to match requests and replies. Length: Length of packet. Authenticator: Used to authenticate the RADIUS transaction itself. The authenticator authenticates the reply from the server. The RADIUS client sends a challenge in the Access-Request packet and the RADIUS server returns a challenge-response in the Authenticator field (shared secret between NAS and RADIUS server). Attributes: AAA-information such as username, password, CHAP-Password, callback-phone-# etc. The attribute encoding is as follows: Byte 0 Byte 1 Byte 3 Code LengthIdentifier Authenticator List of attributes Byte 2 Type Length Value
  • 8. © Peter R. Egli 2015 8/12 Rev. 2.70 AAA / RADIUS indigoo.com 4. RADIUS transaction A RADIUS transaction typically starts with an Access-Request carrying user credentials followed by a RADIUS server response with a grant or denial of access. User NAS Access-Request with username and hashed password (RSA MD5) User data packet Access-Reject DB Lookup credentials for authorization 'Wrong credentials' RADIUS server Reject access Access-Request with username and hashed password (RSA MD5) User data packet Access-Accept Lookup credentials for authorization. Create session record. 'Correct credentials' Grant access Auth.failureAuth.success
  • 9. © Peter R. Egli 2015 9/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (1/2) Once a network session is up and running (successful authentication), the NAS may request to start counting network usage of the user. User NAS DBRADIUS server Accounting-Request (Start) User data packet Accounting-Response Start counting resource usage (e.g. online time) End of network session Accounting-Request (Stop) Accounting-Response Stop counting resource usage
  • 10. © Peter R. Egli 2015 10/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (2/2) Accounting with RADIUS is specified in a separate RFC (RFC2866). A set of special accounting RADIUS attributes (attribute values 40 – 59) are used to transfer accounting data between the RADIUS client (NAS) and server. Value Type Description 40 Acct-Status-Type Indicates start or stop of accounting. 41 Acct-Delay-Time Delay between event causing accounting request and server response (used to compensate for processing delay time). 42 Acct-Input-Octets Used by client to report number of received octets to server. 43 Acct-Output-Octets Used by client to report number of transmitted octets to server. 44 Acct-Session-Id Used by client to identify user session to server. 45 Acct-Authentic Used by client to report authentication method to server, e.g. user autenticated by NAS itself, user authenticated by RADIUS or user authenticated by external protocol. 46 Acct-Session-Time Used by client to report to server how many seconds the user session is running. 47 Acct-Input-Packets Used by client to report number of packets received by a user. 48 Acct-Output-Packets Used by client to report number of packets sent by a user. 49 Acct-Terminate-Cause Used by client to report cause of service termination (e.g. error, termination upon user request, timeout). 50 Acct-Multi-Session-Id Similar to Acct-Session-Id, but used to link multiple sessions to one for correlation in log file. 51 Acct-Link-Count Used by client to report number of links used by user.
  • 11. © Peter R. Egli 2015 11/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (1/2) NAS network access (ISP): A user dials in on a NAS server run by the Internet provider. Prior to granting access to the Internet, the NAS authenticates the user with RADIUS. RAS Intranet access (enterprise dial-in): This application is similar to the NAS scenario. The RAS (Remote Access Server) sits at the edge of the company network and authenticates a user prior to granting access to the network. RADIUS NAS Access Line (e.g. PPP) RADIUS Server Internet User DB NAS RADIUS Server Internet / Intranet User DB Intranet / company network RADIUS
  • 12. © Peter R. Egli 2015 12/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (2/2) 802.1X backend control for Ethernet and WLAN network access: IEEE 802.1X is a generic protocol for authentication and authorization in IEEE 802 based networks. The 802.1X supplicant ('the user') sends an EAPOL (Extensible Authentication Protocol Over LAN) message to the 802.1X authenticator (switch, access point). The switch or access point enables the Ethernet or WiFi port if the backend authentication based on credentials provided via 802.1X is successful. Using a central server for authentication (username and password storage) eases administration in large networks. * 802.1X capable Ethernet switch * 802.1X authenticator * RADIUS client Ethernet with 802.1X EAPOL 802.11 WLAN with 802.1X EAPOL RADIUSRADIUS 802.1X Supplicant RADIUS Server * 802.11 Access point * 802.1X authenticator * RADIUS client PDA LAN