SlideShare a Scribd company logo

AAA & RADIUS Protocols

Peter R. Egli
Peter R. Egli

Short overview of AAA and the RADIUS protocol. The term AAA (say triple A) subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. AAA stands for Authentication (is the user authentic?), Authorization (what is the user allowed to do?) and Accounting (track resource usage by the user). AAA is typically employed at network ingress points to control user's access to the network and resources. The most prominent protocol for AAA is RADIUS (Remote Authentication Dial In User Service) which defines messages for opening and closing a network session and counting network usage (packet and byte count). RADIUS usually works in conjunction with an LDAP server that stores the policies and user authorizations in a central repository.

Technology
1 of 12
Download to read offline
© Peter R. Egli 2015 1/12 Rev. 2.70 AAA / RADIUS indigoo.com Peter R. Egli INDIGOO.COM INTRODUCTION TO RADIUS, A PROTOCOL FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICES AAA / RADIUS REMOTE AUTHENTICATION DIAL IN USER SERVICE
© Peter R. Egli 2015 2/12 Rev. 2.70 AAA / RADIUS indigoo.com Contents 1. AAA - Access Control 2. RADIUS architectures 3. RADIUS RFC2865 protocol 4. RADIUS transaction 5. RADIUS accounting RFC2866 6. RADIUS applications
© Peter R. Egli 2015 3/12 Rev. 2.70 AAA / RADIUS indigoo.com NAS / RAS User Internet / Intranet AAA server (authentication, authorization accounting) 1. AAA - Access Control (1/2) What is AAA? The term AAA (say "triple A") subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. Authentication: Is the one I‘m talking to the one he pretends to be (is a user authentic)? Authorization: Find out what the user is allowed to do (and what not). Accounting: Log the user‘s activity to charge him accordingly. Accounting information may be used to track the user's usage for charging but also for auditing purposes. AAA is used in scenarios where a NAS (network access server) or a RAS (remote access server) acts like a switch granting or denying access to the Internet or Intranet for a user based on AAA authentication and authorization.
© Peter R. Egli 2015 4/12 Rev. 2.70 AAA / RADIUS indigoo.com 1. AAA - Access Control (2/2) Most important AAA protocols: 1. RADIUS RFC2865: Remote Authentication Dial In User Service. 2. TACACS+ RFC1492: Terminal Access Controller Access Control System by Cisco. 3. Diameter RFC3588: Diameter is not an acronym. Diameter is a successor to RADIUS that should fix some of the shortcomings of RADIUS. Diameter uses reliable transport connections, i.e. runs on TCP or SCTP (Stream Control Transmission Protocol).  Nota Bene: RADIUS (and TACACS+) are AAA access control protocols, but do not define a policy (who is granted access, what is the user allowed to do etc.). These protocols merely provide a means to transport such information between a client and an authentication server. The policy is implemented as an application on the RADIUS server (possibly doing LDAP/SQL lookups to obtain access rules).
© Peter R. Egli 2015 5/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (1/2) Scenario 1: In this scenario, a front-end NAS (network access server) or RAS (remote access server) performs authentication of a user with a backend RADIUS server. The NAS/RAS sends user information (credentials) to the RADIUS server carried in RADIUS packets. The RADIUS server implements the access policy (who is granted access with what authorizations) or may retrieve policies from a database through LDAP (Lightweight Directory Access Protocol). RADIUS Server RADIUS LDAP/SQL RADIUS server may optionally contain policy DB LDAP SQL NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
© Peter R. Egli 2015 6/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (2/2) Scenario 2: In this scenario, a first RADIUS server does not perform authentication but acts as a proxy that routes RADIUS requests to the appropriate home RADIUS server. The routing is based on username and realm. The home RADIUS server performs the actual authentication by accessing a user DB. A concurrency RADIUS server may be employed to make sure that a user is not logged in more than once, e.g. in scenarios with multiple RADIUS servers for redundancy / load balancing. RADIUS Proxy Server RADIUS RADIUS Server #1 Home RADIUS Server RADIUS Server #2 Concurrency RADIUS Server RADIUS NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
© Peter R. Egli 2015 7/12 Rev. 2.70 AAA / RADIUS indigoo.com 3. RADIUS RFC2865 protocol RADIUS uses UDP (port 1842) since it is a simple ‚Request-Reply‘ protocol (Accept/Request). RADIUS packet format: Code field: Defines the packet type (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response). Identifier: ID to match requests and replies. Length: Length of packet. Authenticator: Used to authenticate the RADIUS transaction itself. The authenticator authenticates the reply from the server. The RADIUS client sends a challenge in the Access-Request packet and the RADIUS server returns a challenge-response in the Authenticator field (shared secret between NAS and RADIUS server). Attributes: AAA-information such as username, password, CHAP-Password, callback-phone-# etc. The attribute encoding is as follows: Byte 0 Byte 1 Byte 3 Code LengthIdentifier Authenticator List of attributes Byte 2 Type Length Value
© Peter R. Egli 2015 8/12 Rev. 2.70 AAA / RADIUS indigoo.com 4. RADIUS transaction A RADIUS transaction typically starts with an Access-Request carrying user credentials followed by a RADIUS server response with a grant or denial of access. User NAS Access-Request with username and hashed password (RSA MD5) User data packet Access-Reject DB Lookup credentials for authorization 'Wrong credentials' RADIUS server Reject access Access-Request with username and hashed password (RSA MD5) User data packet Access-Accept Lookup credentials for authorization. Create session record. 'Correct credentials' Grant access Auth.failureAuth.success
© Peter R. Egli 2015 9/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (1/2) Once a network session is up and running (successful authentication), the NAS may request to start counting network usage of the user. User NAS DBRADIUS server Accounting-Request (Start) User data packet Accounting-Response Start counting resource usage (e.g. online time) End of network session Accounting-Request (Stop) Accounting-Response Stop counting resource usage
© Peter R. Egli 2015 10/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (2/2) Accounting with RADIUS is specified in a separate RFC (RFC2866). A set of special accounting RADIUS attributes (attribute values 40 – 59) are used to transfer accounting data between the RADIUS client (NAS) and server. Value Type Description 40 Acct-Status-Type Indicates start or stop of accounting. 41 Acct-Delay-Time Delay between event causing accounting request and server response (used to compensate for processing delay time). 42 Acct-Input-Octets Used by client to report number of received octets to server. 43 Acct-Output-Octets Used by client to report number of transmitted octets to server. 44 Acct-Session-Id Used by client to identify user session to server. 45 Acct-Authentic Used by client to report authentication method to server, e.g. user autenticated by NAS itself, user authenticated by RADIUS or user authenticated by external protocol. 46 Acct-Session-Time Used by client to report to server how many seconds the user session is running. 47 Acct-Input-Packets Used by client to report number of packets received by a user. 48 Acct-Output-Packets Used by client to report number of packets sent by a user. 49 Acct-Terminate-Cause Used by client to report cause of service termination (e.g. error, termination upon user request, timeout). 50 Acct-Multi-Session-Id Similar to Acct-Session-Id, but used to link multiple sessions to one for correlation in log file. 51 Acct-Link-Count Used by client to report number of links used by user.
© Peter R. Egli 2015 11/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (1/2) NAS network access (ISP): A user dials in on a NAS server run by the Internet provider. Prior to granting access to the Internet, the NAS authenticates the user with RADIUS. RAS Intranet access (enterprise dial-in): This application is similar to the NAS scenario. The RAS (Remote Access Server) sits at the edge of the company network and authenticates a user prior to granting access to the network. RADIUS NAS Access Line (e.g. PPP) RADIUS Server Internet User DB NAS RADIUS Server Internet / Intranet User DB Intranet / company network RADIUS
© Peter R. Egli 2015 12/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (2/2) 802.1X backend control for Ethernet and WLAN network access: IEEE 802.1X is a generic protocol for authentication and authorization in IEEE 802 based networks. The 802.1X supplicant ('the user') sends an EAPOL (Extensible Authentication Protocol Over LAN) message to the 802.1X authenticator (switch, access point). The switch or access point enables the Ethernet or WiFi port if the backend authentication based on credentials provided via 802.1X is successful. Using a central server for authentication (username and password storage) eases administration in large networks. * 802.1X capable Ethernet switch * 802.1X authenticator * RADIUS client Ethernet with 802.1X EAPOL 802.11 WLAN with 802.1X EAPOL RADIUSRADIUS 802.1X Supplicant RADIUS Server * 802.11 Access point * 802.1X authenticator * RADIUS client PDA LAN

Recommended

RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Radius1
Radius1Radius1
Radius1balamurugan.k Kalibalamurugan
 
WPA2
WPA2WPA2
WPA2Mshari Alabdulkarim
 
Tacacs
TacacsTacacs
Tacacs1 2d
 

Recommended

RADIUS
RADIUSRADIUS
RADIUSamogh_ubale
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius ProtocolNetwax Lab
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsDhananjay Aloorkar
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+Netwax Lab
 
Radius1
Radius1Radius1
Radius1balamurugan.k Kalibalamurugan
 
WPA2
WPA2WPA2
WPA2Mshari Alabdulkarim
 
Tacacs
TacacsTacacs
Tacacs1 2d
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
SSL
SSLSSL
SSLBadrul Alam bulon
 
Kerberos
KerberosKerberos
KerberosSutanu Paul
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Kerberos
KerberosKerberos
KerberosSparkbit
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerNishant Pahad
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS ProtocolNetwax Lab
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS Ghanshyam Patel
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail securityDr.Florence Dayana
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Veritis Group, Inc
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Digital certificates
Digital certificatesDigital certificates
Digital certificatesBuddhika Karunanayaka
 
SSL intro
SSL introSSL intro
SSL introThree Lee
 
AAA server
AAA serverAAA server
AAA serverhetvi naik
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshellMohamed Daif
 

More Related Content

What's hot

Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesrahul kundu
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS ProtocolNetwax Lab
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Veritis Group, Inc
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 

What's hot (20)

Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
SSL
SSLSSL
SSL
 
Kerberos
KerberosKerberos
Kerberos
 
Authentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slidesAuthentication, authorization, accounting(aaa) slides
Authentication, authorization, accounting(aaa) slides
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorization
 
Kerberos
KerberosKerberos
Kerberos
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
TACACS Protocol
TACACS ProtocolTACACS Protocol
TACACS Protocol
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices 
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
IP Security
IP SecurityIP Security
IP Security
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Digital certificates
Digital certificatesDigital certificates
Digital certificates
 
SSL intro
SSL introSSL intro
SSL intro
 

Similar to AAA & RADIUS Protocols

8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guideWilson Ospina
 
CCNP Switching Chapter 7
CCNP Switching Chapter 7CCNP Switching Chapter 7
CCNP Switching Chapter 7Chaing Ravuth
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best PracticesSagar Gor
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyKarri Huhtanen
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005FNian
 
Radius client
Radius clientRadius client
Radius clientdhenis1
 
RADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxRADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxacarolyn
 
TekRADIUS Datasheet
TekRADIUS DatasheetTekRADIUS Datasheet
TekRADIUS DatasheetYasin KAPLAN
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleMariaDB plc
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotikAdi Utami
 
ARPMiner Datasheet
ARPMiner DatasheetARPMiner Datasheet
ARPMiner DatasheetYasin KAPLAN
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...Radiator Software
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)Karri Huhtanen
 
Integrated server
Integrated serverIntegrated server
Integrated serverfebru
 
MariaDB MaxScale
MariaDB MaxScaleMariaDB MaxScale
MariaDB MaxScaleMariaDB plc
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 

Similar to AAA & RADIUS Protocols (20)

AAA server
AAA serverAAA server
AAA server
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
8021x feature config_guide
8021x feature config_guide8021x feature config_guide
8021x feature config_guide
 
CCNP Switching Chapter 7
CCNP Switching Chapter 7CCNP Switching Chapter 7
CCNP Switching Chapter 7
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and PrivacyDisobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
 
Radius client
Radius clientRadius client
Radius client
 
AAA Protocol
AAA ProtocolAAA Protocol
AAA Protocol
 
RADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docxRADIUS provides three services- authentication- authorization- and acc.docx
RADIUS provides three services- authentication- authorization- and acc.docx
 
TekRADIUS Datasheet
TekRADIUS DatasheetTekRADIUS Datasheet
TekRADIUS Datasheet
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScale
 
Tutorial radius client mikrotik
Tutorial radius client mikrotikTutorial radius client mikrotik
Tutorial radius client mikrotik
 
ARPMiner Datasheet
ARPMiner DatasheetARPMiner Datasheet
ARPMiner Datasheet
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
 
EAP-TLS (extended version)
EAP-TLS (extended version)EAP-TLS (extended version)
EAP-TLS (extended version)
 
Integrated server
Integrated serverIntegrated server
Integrated server
 
MariaDB MaxScale
MariaDB MaxScaleMariaDB MaxScale
MariaDB MaxScale
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 

More from Peter R. Egli

LPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M ScenariosLPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M ScenariosPeter R. Egli
 
Data Networking Concepts
Data Networking ConceptsData Networking Concepts
Data Networking ConceptsPeter R. Egli
 
Communication middleware
Communication middlewareCommunication middleware
Communication middlewarePeter R. Egli
 
Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)Peter R. Egli
 
Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)Peter R. Egli
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET PlatformPeter R. Egli
 
Overview of Cloud Computing
Overview of Cloud ComputingOverview of Cloud Computing
Overview of Cloud ComputingPeter R. Egli
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Enterprise Application Integration Technologies
Enterprise Application Integration TechnologiesEnterprise Application Integration Technologies
Enterprise Application Integration TechnologiesPeter R. Egli
 
Overview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technologyOverview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technologyPeter R. Egli
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development KitPeter R. Egli
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)Peter R. Egli
 
MSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message QueueingMSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message QueueingPeter R. Egli
 
Common Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBACommon Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBAPeter R. Egli
 
Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)Peter R. Egli
 
JMS - Java Messaging Service
JMS - Java Messaging ServiceJMS - Java Messaging Service
JMS - Java Messaging ServicePeter R. Egli
 
Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Peter R. Egli
 

More from Peter R. Egli (20)

LPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M ScenariosLPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
LPWAN Technologies for Internet of Things (IoT) and M2M Scenarios
 
Data Networking Concepts
Data Networking ConceptsData Networking Concepts
Data Networking Concepts
 
Communication middleware
Communication middlewareCommunication middleware
Communication middleware
 
Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)Transaction Processing Monitors (TPM)
Transaction Processing Monitors (TPM)
 
Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)Business Process Model and Notation (BPMN)
Business Process Model and Notation (BPMN)
 
Microsoft .NET Platform
Microsoft .NET PlatformMicrosoft .NET Platform
Microsoft .NET Platform
 
Overview of Cloud Computing
Overview of Cloud ComputingOverview of Cloud Computing
Overview of Cloud Computing
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message Queueing
 
Enterprise Application Integration Technologies
Enterprise Application Integration TechnologiesEnterprise Application Integration Technologies
Enterprise Application Integration Technologies
 
Overview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technologyOverview of Microsoft .Net Remoting technology
Overview of Microsoft .Net Remoting technology
 
Android Native Development Kit
Android Native Development KitAndroid Native Development Kit
Android Native Development Kit
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)
 
Web services
Web servicesWeb services
Web services
 
Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)Overview of Spanning Tree Protocol (STP & RSTP)
Overview of Spanning Tree Protocol (STP & RSTP)
 
MSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message QueueingMSMQ - Microsoft Message Queueing
MSMQ - Microsoft Message Queueing
 
Common Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBACommon Object Request Broker Architecture - CORBA
Common Object Request Broker Architecture - CORBA
 
Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)Component Object Model (COM, DCOM, COM+)
Component Object Model (COM, DCOM, COM+)
 
JMS - Java Messaging Service
JMS - Java Messaging ServiceJMS - Java Messaging Service
JMS - Java Messaging Service
 
Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)Web Services (SOAP, WSDL, UDDI)
Web Services (SOAP, WSDL, UDDI)
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 

AAA & RADIUS Protocols

  • 1. © Peter R. Egli 2015 1/12 Rev. 2.70 AAA / RADIUS indigoo.com Peter R. Egli INDIGOO.COM INTRODUCTION TO RADIUS, A PROTOCOL FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICES AAA / RADIUS REMOTE AUTHENTICATION DIAL IN USER SERVICE
  • 2. © Peter R. Egli 2015 2/12 Rev. 2.70 AAA / RADIUS indigoo.com Contents 1. AAA - Access Control 2. RADIUS architectures 3. RADIUS RFC2865 protocol 4. RADIUS transaction 5. RADIUS accounting RFC2866 6. RADIUS applications
  • 3. © Peter R. Egli 2015 3/12 Rev. 2.70 AAA / RADIUS indigoo.com NAS / RAS User Internet / Intranet AAA server (authentication, authorization accounting) 1. AAA - Access Control (1/2) What is AAA? The term AAA (say "triple A") subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. Authentication: Is the one I‘m talking to the one he pretends to be (is a user authentic)? Authorization: Find out what the user is allowed to do (and what not). Accounting: Log the user‘s activity to charge him accordingly. Accounting information may be used to track the user's usage for charging but also for auditing purposes. AAA is used in scenarios where a NAS (network access server) or a RAS (remote access server) acts like a switch granting or denying access to the Internet or Intranet for a user based on AAA authentication and authorization.
  • 4. © Peter R. Egli 2015 4/12 Rev. 2.70 AAA / RADIUS indigoo.com 1. AAA - Access Control (2/2) Most important AAA protocols: 1. RADIUS RFC2865: Remote Authentication Dial In User Service. 2. TACACS+ RFC1492: Terminal Access Controller Access Control System by Cisco. 3. Diameter RFC3588: Diameter is not an acronym. Diameter is a successor to RADIUS that should fix some of the shortcomings of RADIUS. Diameter uses reliable transport connections, i.e. runs on TCP or SCTP (Stream Control Transmission Protocol).  Nota Bene: RADIUS (and TACACS+) are AAA access control protocols, but do not define a policy (who is granted access, what is the user allowed to do etc.). These protocols merely provide a means to transport such information between a client and an authentication server. The policy is implemented as an application on the RADIUS server (possibly doing LDAP/SQL lookups to obtain access rules).
  • 5. © Peter R. Egli 2015 5/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (1/2) Scenario 1: In this scenario, a front-end NAS (network access server) or RAS (remote access server) performs authentication of a user with a backend RADIUS server. The NAS/RAS sends user information (credentials) to the RADIUS server carried in RADIUS packets. The RADIUS server implements the access policy (who is granted access with what authorizations) or may retrieve policies from a database through LDAP (Lightweight Directory Access Protocol). RADIUS Server RADIUS LDAP/SQL RADIUS server may optionally contain policy DB LDAP SQL NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
  • 6. © Peter R. Egli 2015 6/12 Rev. 2.70 AAA / RADIUS indigoo.com 2. RADIUS architectures (2/2) Scenario 2: In this scenario, a first RADIUS server does not perform authentication but acts as a proxy that routes RADIUS requests to the appropriate home RADIUS server. The routing is based on username and realm. The home RADIUS server performs the actual authentication by accessing a user DB. A concurrency RADIUS server may be employed to make sure that a user is not logged in more than once, e.g. in scenarios with multiple RADIUS servers for redundancy / load balancing. RADIUS Proxy Server RADIUS RADIUS Server #1 Home RADIUS Server RADIUS Server #2 Concurrency RADIUS Server RADIUS NAS / RAS Towards the InternetAccess Line (e.g. PPP) User
  • 7. © Peter R. Egli 2015 7/12 Rev. 2.70 AAA / RADIUS indigoo.com 3. RADIUS RFC2865 protocol RADIUS uses UDP (port 1842) since it is a simple ‚Request-Reply‘ protocol (Accept/Request). RADIUS packet format: Code field: Defines the packet type (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response). Identifier: ID to match requests and replies. Length: Length of packet. Authenticator: Used to authenticate the RADIUS transaction itself. The authenticator authenticates the reply from the server. The RADIUS client sends a challenge in the Access-Request packet and the RADIUS server returns a challenge-response in the Authenticator field (shared secret between NAS and RADIUS server). Attributes: AAA-information such as username, password, CHAP-Password, callback-phone-# etc. The attribute encoding is as follows: Byte 0 Byte 1 Byte 3 Code LengthIdentifier Authenticator List of attributes Byte 2 Type Length Value
  • 8. © Peter R. Egli 2015 8/12 Rev. 2.70 AAA / RADIUS indigoo.com 4. RADIUS transaction A RADIUS transaction typically starts with an Access-Request carrying user credentials followed by a RADIUS server response with a grant or denial of access. User NAS Access-Request with username and hashed password (RSA MD5) User data packet Access-Reject DB Lookup credentials for authorization 'Wrong credentials' RADIUS server Reject access Access-Request with username and hashed password (RSA MD5) User data packet Access-Accept Lookup credentials for authorization. Create session record. 'Correct credentials' Grant access Auth.failureAuth.success
  • 9. © Peter R. Egli 2015 9/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (1/2) Once a network session is up and running (successful authentication), the NAS may request to start counting network usage of the user. User NAS DBRADIUS server Accounting-Request (Start) User data packet Accounting-Response Start counting resource usage (e.g. online time) End of network session Accounting-Request (Stop) Accounting-Response Stop counting resource usage
  • 10. © Peter R. Egli 2015 10/12 Rev. 2.70 AAA / RADIUS indigoo.com 5. RADIUS accounting RFC2866 (2/2) Accounting with RADIUS is specified in a separate RFC (RFC2866). A set of special accounting RADIUS attributes (attribute values 40 – 59) are used to transfer accounting data between the RADIUS client (NAS) and server. Value Type Description 40 Acct-Status-Type Indicates start or stop of accounting. 41 Acct-Delay-Time Delay between event causing accounting request and server response (used to compensate for processing delay time). 42 Acct-Input-Octets Used by client to report number of received octets to server. 43 Acct-Output-Octets Used by client to report number of transmitted octets to server. 44 Acct-Session-Id Used by client to identify user session to server. 45 Acct-Authentic Used by client to report authentication method to server, e.g. user autenticated by NAS itself, user authenticated by RADIUS or user authenticated by external protocol. 46 Acct-Session-Time Used by client to report to server how many seconds the user session is running. 47 Acct-Input-Packets Used by client to report number of packets received by a user. 48 Acct-Output-Packets Used by client to report number of packets sent by a user. 49 Acct-Terminate-Cause Used by client to report cause of service termination (e.g. error, termination upon user request, timeout). 50 Acct-Multi-Session-Id Similar to Acct-Session-Id, but used to link multiple sessions to one for correlation in log file. 51 Acct-Link-Count Used by client to report number of links used by user.
  • 11. © Peter R. Egli 2015 11/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (1/2) NAS network access (ISP): A user dials in on a NAS server run by the Internet provider. Prior to granting access to the Internet, the NAS authenticates the user with RADIUS. RAS Intranet access (enterprise dial-in): This application is similar to the NAS scenario. The RAS (Remote Access Server) sits at the edge of the company network and authenticates a user prior to granting access to the network. RADIUS NAS Access Line (e.g. PPP) RADIUS Server Internet User DB NAS RADIUS Server Internet / Intranet User DB Intranet / company network RADIUS
  • 12. © Peter R. Egli 2015 12/12 Rev. 2.70 AAA / RADIUS indigoo.com 6. RADIUS applications (2/2) 802.1X backend control for Ethernet and WLAN network access: IEEE 802.1X is a generic protocol for authentication and authorization in IEEE 802 based networks. The 802.1X supplicant ('the user') sends an EAPOL (Extensible Authentication Protocol Over LAN) message to the 802.1X authenticator (switch, access point). The switch or access point enables the Ethernet or WiFi port if the backend authentication based on credentials provided via 802.1X is successful. Using a central server for authentication (username and password storage) eases administration in large networks. * 802.1X capable Ethernet switch * 802.1X authenticator * RADIUS client Ethernet with 802.1X EAPOL 802.11 WLAN with 802.1X EAPOL RADIUSRADIUS 802.1X Supplicant RADIUS Server * 802.11 Access point * 802.1X authenticator * RADIUS client PDA LAN