Examples of credentials include passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization
Accounting
The AAA server provides all the above services to its clients.

AAA Protocols
Radius is an AAA protocol for applications such as Network Access or IP Mobility. Besides Radius, we have the following protocols in AAA:

Terminal Access Controller Access Control System (TACACS)
TACACS is a remote authentication protocol that is used to communicate with an authentication server, commonly used in Unix networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

TACACS+
TACACS+ provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. It uses TCP and provides separate authentication, authorization, and accounting services. It works on port 49.

DIAMETER
Diameter is a planned replacement of Radius.

What is a Network Access Server?
The Network Access Server (NAS) is a service element that clients dial in order to get access to the network. A NAS is a device having interfaces both to the backbone and to the POTS or ISDN, and it receives calls from hosts that want to access the backbone by dialup services. A NAS is located at an Internet provider's point of presence to provide Internet access to its customers. A Network Access Server is:
Examples include:
The following figure shows a basic architecture of Radius. RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server.
Simple RADIUS Network Diagram

Here is a list of all the key features of Radius:

Client/Server Model
Network Security
Flexible Authentication Mechanisms
Radius supports the following protocols for authentication purposes:

Extensible Protocol
Radius is extensible; most vendors of Radius hardware and software implement their own dialects.

Radius is a stateless protocol that uses UDP and runs on port 1812.

RADIUS Operations
Here is the detail of RADIUS operations. Before the client starts communicating with the RADIUS server, a shared secret must be configured on both the client and the server, and the client must be configured to use the RADIUS server to get service. Once the client is configured properly:
RADIUS Codes (decimal) are assigned as follows:
Codes 4 and 5 are related to RADIUS Accounting functionality. Codes 12 and 13 are reserved for possible use, but are not further mentioned here.

The packet format of Radius is as shown below:

Code: This is 1 Octet (1 byte) long and identifies the various types of packets. Normally 1 Octet means 1 Byte.
Identifier: This is again 1 Octet long and aids in matching responses with requests.
Length: This is 2 Octets long and specifies the length of the packet including code, identifier, length, and authenticator. (The minimum packet is 20 Octets and the maximum is 4096 Octets.)
Authenticator: This is 16 Octets long and is filled in for some requests and responses.
List of Attributes: There is a list of 63+ attributes, and a Radius attribute also has a defined format, which is described in the next chapter. A Radius attribute consists of the following three parts:
RADIUS Attributes List

Code   Attribute
1      User-Name
2      User-Password
3      CHAP-Password
4      NAS-IP-Address
5      NAS-Port
6      Service-Type
7      Framed-Protocol
8      Framed-IP-Address
9      Framed-IP-Netmask
10     Framed-Routing
11     Filter-Id
12     Framed-MTU
13     Framed-Compression
14     Login-IP-Host
15     Login-Service
16     Login-TCP-Port
17     (unassigned)
18     Reply-Message
19     Callback-Number
20     Callback-Id
21     (unassigned)
22     Framed-Route
23     Framed-IPX-Network
24     State
25     Class
26     Vendor-Specific
27     Session-Timeout
28     Idle-Timeout
29     Termination-Action
30     Called-Station-Id
31     Calling-Station-Id
32     NAS-Identifier
33     Proxy-State
34     Login-LAT-Service
35     Login-LAT-Node
36     Login-LAT-Group
37     Framed-AppleTalk-Link
38     Framed-AppleTalk-Network
39     Framed-AppleTalk-Zone
40-59  (reserved for accounting)
60     CHAP-Challenge
61     NAS-Port-Type
62     Port-Limit
63     Login-LAT-Port

Radius Request Example
Let us have a look into a Radius Request example:
Radius Response Example
Here is an example of Response Packets:
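As an added example (not code from the original page or any RADIUS implementation), the following Python builds the Access-Request/Access-Accept exchange described in the operations and packet-format sections above, parses the 20-octet header plus Type/Length/Value attributes with the bounds checks a receiver needs, and verifies the Response Authenticator using the shared secret as RFC 2865 specifies it. The code and attribute tables, the secret, and all sample values are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 2865/2866 and a subset of the attribute table above (assumed, not page code).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 18: "Reply-Message", 24: "State"}

def build_packet(code, ident, authenticator, attrs):
    """Serialize header + TLV attributes; the Length field covers the whole packet."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Parse a datagram: 20-octet header, then Type/Length/Value attributes."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet minimum")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError(f"bad Length field {length}")
    attrs, pos = [], 20
    while pos < length:                      # octets past Length are padding and are ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:  # malformed TLV: reject instead of over-reading
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((ATTRS.get(atype, f"Attr-{atype}"), data[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "auth": data[4:20], "attrs": attrs}

def response_authenticator(response, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret) of the response."""
    length = struct.unpack("!H", response[2:4])[0]
    return hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()

def verify_response(response, request_auth, secret):
    """Client-side check that the reply was produced by a server holding the shared secret."""
    return hmac.compare_digest(response_authenticator(response, request_auth, secret), response[4:20])

# Constructed exchange: the NAS's Access-Request and the server's Access-Accept.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))              # constructed; a real client uses unpredictable octets
REQUEST = build_packet(1, 7, REQ_AUTH, [(1, b"alice"), (4, bytes([192, 0, 2, 1])), (5, b"\x00\x00\x00\x03")])
ACCEPT_BODY = build_packet(2, 7, bytes(16), [(18, b"Welcome")])   # placeholder authenticator
ACCEPT = ACCEPT_BODY[:4] + response_authenticator(ACCEPT_BODY, REQ_AUTH, SECRET) + ACCEPT_BODY[20:]
```

A reply whose Code is altered in transit, or one sent by a party that does not know the secret, fails `verify_response`, which is why the client must keep the request's Authenticator until the matching Identifier comes back.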
Diameter is a planned replacement of RADIUS. It is an AAA protocol for applications such as network access and IP mobility. Listed below are a few points that you need to know about Diameter:
What is Next?
Now you have a basic understanding of Radius and Diameter. To gain more knowledge about these protocols, you need to go through the various RFCs and other resources mentioned in the Resources section.

What is the primary purpose of RADIUS?
RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers.

Which of the following protocols can be used to centralize remote access authentication?

RADIUS is primarily used for what purpose?
Managing access to a network over a VPN.
What are the main advantages of RADIUS?
The Pros of RADIUS
Added security benefits: RADIUS allows for unique credentials for each user, which lessens the threat of hackers infiltrating a network (e.g. WiFi) since there is no unified password shared among a number of people.
What are the three major functions of RADIUS?
The RADIUS server then returns one of three responses to the NAS: 1) Access-Reject, 2) Access-Challenge, or 3) Access-Accept. With Access-Reject, the user is unconditionally denied access to all requested network resources.
How does RADIUS work?
The RADIUS server authenticates a user by verifying their credentials against a database. The RADIUS client sends the credentials to the RADIUS server, which then authenticates them against an authentication database. If the credentials are valid, authorization information is returned to the client.