SJSU CS 265 - Radius


RADIUS Protocol

Presented to
Dr. Mark Stamp
Department of Computer Science
San Jose State University

Submitted By
Hiral Shah
Varsha Mahalingappa

April 04, 2004

RADIUS PROTOCOL – CS265 SP2004 Hiral Shah Varsha Mahalingappa

Table of Contents

1. INTRODUCTION
2. KEY FEATURES OF RADIUS
3. TERMINOLOGY
4. OVERVIEW
5. DETAILED WORKING OF RADIUS
6. PACKET FORMAT
7. LIMITATIONS
8. CONCLUSION
9. REFERENCES

1. Introduction:

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol. Network administrators have to guard their modems against break-ins in order to maintain the security of the network. The strategy for verifying the identity of, granting access to, and tracking the actions of remote users is known as Authentication, Authorization and Accounting (AAA).

RADIUS uses UDP as the transport protocol. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 for the authenticating messages. RADIUS utilizes the MD5 algorithm for secure password hashing. RADIUS is a fully open protocol, distributed in source code format, which can be modified to work with any security system currently available on the market.

2. Key features of RADIUS:

- Client Server Model
A NAS operates as a RADIUS client. The client passes user information to the RADIUS server and then acts on the response returned. RADIUS servers receive user connection requests, authenticate the user and return all the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

- Network Security
Transactions between the client and the RADIUS server are authenticated using a shared secret, which is never sent over the network. Also, any user passwords sent between the client and the RADIUS server are encrypted, to prevent someone snooping on an insecure network from determining a user's password.

- Flexible Authentication Mechanism
The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and password, it can support Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP) or Challenge-Handshake Authentication Protocol (CHAP), UNIX login and other authentication mechanisms.

- Extensible Protocol
All transactions are comprised of variable length attribute-length-value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.

3. Terminology

Service: NAS provides a service to the dial-in user.

Session: Each service provided by the NAS to the dial-in user constitutes a session.

Silently discard: The packet is discarded without further processing.

Access-Request: Sent by a RADIUS client to request authentication and authorization for a network access connection attempt.

Access-Accept: Sent by a RADIUS server in response to an Access-Request message. This message informs the RADIUS client that the connection attempt is authenticated and authorized.

Access-Reject: Sent by a RADIUS server in response to an Access-Request message. This message informs the RADIUS client that the connection attempt is rejected. A RADIUS server sends this message if either the credentials are not authentic or the connection attempt is not authorized.

Access-Challenge: Sent by a RADIUS server in response to an Access-Request message. This message is a challenge to the RADIUS client that requires a response.

Accounting-Request: Sent by a RADIUS client to specify accounting information for a connection that was accepted.

Accounting-Response: Sent by the RADIUS server in response to the Accounting-Request message. This message acknowledges the successful receipt and processing of the Accounting-Request message.

4. Overview

The user connects to a server through a modem pool and, once the connection is made, the server prompts the user for his name and password. The RADIUS client receives these details from the user and encrypts his password. The authentication request is then received by the RADIUS server, which validates the request and decrypts the data. The user's name and password are sent to the security system for verification, and then (if the data is correct) the server sends an Authentication Acknowledgment, which includes data about the user's network system and service requirements. The authentication process limits specific users to the specific network resources they are allowed to use. Once the server receives all the information, the user receives network services, which are customized for his needs. While the user is connected to the server, the RADIUS client sends the server accounting data used for billing.

5. Detailed working of RADIUS

Authentication and Authorization:

Any user of a RADIUS configured client should present authentication information (for example, username and password). The client creates an Access-Request frame containing the username, password, ID of the client and the port ID that the user is accessing. This frame is submitted to the RADIUS server via the
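
The Access-Request described in section 5, and the shared-secret and password protection described under Network Security in section 2, as an added example that is not part of the original paper. It follows the RFC 2865 packet layout and MD5-based User-Password hiding; the function names are illustrative, NAS-Identifier stands in for the "ID of the client", and all sample values in the comments are constructed.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                     # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_PORT, NAS_IDENTIFIER = 1, 2, 5, 32  # attribute types

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """Client side: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def recover_password(hidden, secret, request_auth):
    """Server side: regenerate the same MD5 keystream from the shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value  # type, length, value

def build_access_request(ident, user, password, secret, nas_id, port, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # fresh random value per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id) + attr(NAS_PORT, struct.pack("!I", port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:  # walk the type-length-value attributes
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))  # reply header
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```

The shared secret only ever enters MD5 and never appears in the packet, so the strength of both the hidden password and the reply check rests on the secret's entropy and on the request authenticator being unpredictable.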

