1 / 10

Chapter 18 RADIUS

Chapter 18 RADIUS. RADIUS. Remote Authentication Dial-In User Service Protocol used for communication between NAS and AAA server Supports authentication, authorization, and accounting Defined in RFC 2865. Features of RADIUS. Client/Server model

maja
Download Presentation

Chapter 18 RADIUS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 18 RADIUS

  2. RADIUS • Remote Authentication Dial-In User Service • Protocol used for communication between NAS and AAA server • Supports authentication, authorization, and accounting • Defined in RFC 2865

  3. Features of RADIUS • Client/Server model • NAS operates as a RADIUS client by passing user info to RADIUS server and acting on response from server • RADIUS server receives connection requests, authenticates user, and provides configuration settings to client • RADIUS server can act as a proxy client to other authentication servers • Flexible authentication mechanisms • Can support PPP PAP or CHAP, Unix login, and other authentication mechanisms • Extensible • All transactions con attribute/value tuples • New attributes can be added to existing protocol

  4. RADIUS Architecture • Defined in RFC 2865 • Uses UDP port 1645 or 1812 • Communication between RADIUS server and client is in clear-text except for passwords

  5. RADIUS Packet Format • Code field used to identify type of packet: access-request, access-accept, access-reject, accounting-request, accounting-response, access-challenge • Identifier field used to match requests with replies • Authenticator field contains a 16-byte random number used to authenticate the reply from the RADIUS server and to hide the password

  6. Password Encryption • Encrypted password transmitted is equal to (Hash_A) XOR (padded user password) Where Hash_A = MD5 { request authenticator, preshared secret} • Receiver calculates Hash_A on its own and XORs it with the encrypted password to get the padded password back in clear-text

  7. RADIUS Authentication • NAS sends Access-Request message to RADIUS server containing username, encrypted password, IP address of NAS, and type of service • RADIUS server replies with Access-Accept, Access-Reject, or Access-Challenge message

  8. RADIUS Authentication

  9. RADIUS Accounting • Start/Stop records sent at start/end of sessions using UDP port 1646 or 1813 • RFC 2866

  10. RADIUS Authorization • Authorization data in Accept message lists user authorized services (eg. telnet, rlogin, PPP) and client IP address

More Related