Chapter 17 Remote Authentication Dial-In User Service (RADIUS)

Outline:
• RADIUS Messages
• RADIUS Message Structure
• RADIUS Attributes
• Vendor-Specific Attributes
• RADIUS Message Exchanges
• Authentication of Network Access
• Accounting of Network Access
• RADIUS Proxy Forwarding
• Summary
RADIUS Messages
• Access-Request
• Access-Challenge
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
RADIUS Attributes
RADIUS attributes carry the data values used in the authentication, authorization, and accounting functions carried out by RADIUS clients, servers, and proxies. These attributes can appear in network access and accounting requests and in response messages. An attribute represents a specific data item, such as a user name or the tunneling protocol in use, sent between the RADIUS client and server. Some attributes can be included more than once; the effect depends on the specific attribute. When used as a RADIUS proxy, NPS preserves the order of the attributes received from the client in the messages it transmits to a RADIUS server. There are two types of RADIUS attributes: standard attributes and vendor-specific attributes (VSAs). Standard attributes are defined in RFCs 2865 through 2869 and are used by all RADIUS clients and servers. VSAs are proprietary, and not all RADIUS clients and servers implement all VSAs. For more information, see the section "Vendor-Specific Attributes" later in this chapter.
RADIUS Message Exchanges
This section describes common RADIUS message exchanges for the following:
■ Authentication of network access
■ Accounting of network access
■ RADIUS proxy forwarding
Authentication of Network Access
■ Access-Request followed by Access-Accept
■ Access-Request followed by Access-Reject
■ Access-Request followed by Access-Challenge
An example of an Access-Request/Access-Accept message exchange is Capture 17-01. Frame 1 is the Access-Request message:

Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = UDP, Packet ID = 30882, Total IP Length = 277
- Udp: SrcPort = 3065, DstPort = 1812, Length = 257
    SourcePort: 3065, 3065(0xbf9)
    DestinationPort: 1812, 1812(0x714)
    TotalLength: 257 (0x101)
    Checksum: 42833 (0xA751)
- Radius: Access Request, Id = 12, Length = 249
    MessageType: Access Request, 1(0x01)
    Identifier: 12 (0xC)
    AllLength: 249 (0xF9)
    Authenticator: DB 60 44 6A 2B 19 83 57 FF 75 F1 1D 19 2C 1A 7F
    + AttributeNasIPAddress: 10.10.1.150
    + AttributeServiceType: Framed, 2(0x2)
    + AttributeFramedProtocol: PPP, 1(0x1)
    + AttributeNasPort: 128
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeRadiusNASPortType: Virtual, 5(0x5)
    + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1)
    + AttributeTunnelMediumType: IPv4, 1(0x1)
    + AttributeStationID: 10.10.1.62
    + AttributeTunnelClientEndpoint:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeUserName: KAPOHO\tfl
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
The corresponding Access-Accept message from Capture 17-01 (Frame 2):

Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = UDP, Packet ID = 39615, Total IP Length = 242
+ Udp: SrcPort = 1812, DstPort = 3065, Length = 222
- Radius: Access Accept, Id = 12, Length = 214
    MessageType: Access Accept, 2(0x02)
    Identifier: 12 (0xC)
    AllLength: 214 (0xD6)
    Authenticator: 5F C7 93 40 22 EA 31 7A A3 4F 82 B1 FA DE 15 77
    + AttributeFramedProtocol: PPP, 1(0x1)
    + AttributeServiceType: Framed, 2(0x2)
    + AttributeClass:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
Accounting of Network Access
An example of an Accounting-Request/Accounting-Response message exchange is Capture 17-03. Frame 1 is the Accounting-Request message:

Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = UDP, Packet ID = 30899, Total IP Length = 303
+ Udp: SrcPort = 3066, DstPort = 1813, Length = 283
- Radius: Accounting Request, Id = 3, Length = 275
    MessageType: Accounting Request, 4(0x04)
    Identifier: 3 (0x3)
    AllLength: 275 (0x113)
    Authenticator: EA BB 33 E2 85 8D F8 D5 A6 5C 40 76 54 73 49 09
    + AttributeAcctStatusType: Start, 1(0x1)
    + AttributeAcctDelayTime: 0
    + AttributeNasIPAddress: 10.10.1.150
    + AttributeServiceType: Framed, 2(0x2)
    + AttributeFramedProtocol: PPP, 1(0x1)
    + AttributeNasPort: 128
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeRadiusNASPortType: Virtual, 5(0x5)
    + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1)
    + AttributeTunnelMediumType: IPv4, 1(0x1)
    + AttributeStationID: 10.10.1.62
    + AttributeTunnelClientEndpoint:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeClass:
    + AttributeVendorSpecific:
    + AttributeAcctSessionID: 4
    + AttributeUserName: KAPOHO\tfl
    + AttributeFramedIPAddress: 10.10.1.177
    + AttributeFramedMTU: 1400
    + AttributeAcctMultiSessionID: 27
    + AttributeAcctLinkCount: 1
    + AttributeEventTimestamp: 1010156648
    + AttributeAcctAuthentic: RADIUS, 1(0x1)
    + AttributeVendorSpecific:
The corresponding Accounting-Response message from Capture 17-03 (Frame 2):

Frame:
+ Ethernet: Etype = Internet IP (IPv4)
+ Ipv4: Next Protocol = UDP, Packet ID = 40023, Total IP Length = 48
+ Udp: SrcPort = 1813, DstPort = 3066, Length = 28
- Radius: Accounting Response, Id = 3, Length = 20
    MessageType: Accounting Response, 5(0x05)
    Identifier: 3 (0x3)
    AllLength: 20 (0x14)
    Authenticator: F0 A9 27 34 0D 42 36 4B 7E C7 8A 83 E4 B6 98 41
RADIUS Proxy Forwarding
An example of an Access-Request message that is forwarded by a RADIUS proxy is Capture 17-04. Frame 1 is the Access-Request as sent by the RADIUS client to the proxy:

Frame:
+ Ethernet: Etype = Internet IP (IPv4)
- Ipv4: Next Protocol = UDP, Packet ID = 7567, Total IP Length = 278
    + Versions: IPv4, Internet Protocol; Header Length = 20
    + DifferentiatedServicesField: DSCP: 0, ECN: 0
    TotalLength: 278 (0x116)
    Identification: 7567 (0x1D8F)
    + FragmentFlags: 0 (0x0)
    TimeToLive: 128 (0x80)
    NextProtocol: UDP, 17(0x11)
    Checksum: 1238 (0x4D6)
    SourceAddress: 10.10.1.150
    DestinationAddress: 10.10.1.201
+ Udp: SrcPort = 1711, DstPort = 1812, Length = 258
- Radius: Access Request, Id = 8, Length = 250
    MessageType: Access Request, 1(0x01)
    Identifier: 8 (0x8)
    AllLength: 250 (0xFA)
    Authenticator: B2 3F 8A 21 54 25 F4 14 4C 30 08 4E 34 5A 82 27
    + AttributeNasIPAddress: 10.10.1.150
    + AttributeServiceType: Framed, 2(0x2)
    + AttributeFramedProtocol: PPP, 1(0x1)
    + AttributeNasPort: 128
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeRadiusNASPortType: Virtual, 5(0x5)
    + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1)
    + AttributeTunnelMediumType: IPv4, 1(0x1)
    + AttributeStationID: 10.10.1.62
    + AttributeTunnelClientEndpoint:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeUserName: TCP1\rebecca
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
The Access-Request message as forwarded by the RADIUS proxy to a RADIUS server (at the IP address 10.10.1.151), from Capture 17-04 (Frame 2). Note that the Identifier changes, the Authenticator is carried unchanged, and a Proxy-State attribute is appended:

Frame:
+ Ethernet: Etype = Internet IP (IPv4)
- Ipv4: Next Protocol = UDP, Packet ID = 2894, Total IP Length = 288
    + Versions: IPv4, Internet Protocol; Header Length = 20
    + DifferentiatedServicesField: DSCP: 0, ECN: 0
    TotalLength: 288 (0x120)
    Identification: 2894 (0xB4E)
    + FragmentFlags: 0 (0x0)
    TimeToLive: 128 (0x80)
    NextProtocol: UDP, 17(0x11)
    Checksum: 0 (0x0)
    SourceAddress: 10.10.1.201
    DestinationAddress: 10.10.1.151
+ Udp: SrcPort = 2203, DstPort = 1812, Length = 268
- Radius: Access Request, Id = 2, Length = 260
    MessageType: Access Request, 1(0x01)
    Identifier: 2 (0x2)
    AllLength: 260 (0x104)
    Authenticator: B2 3F 8A 21 54 25 F4 14 4C 30 08 4E 34 5A 82 27
    + AttributeNasIPAddress: 10.10.1.150
    + AttributeServiceType: Framed, 2(0x2)
    + AttributeFramedProtocol: PPP, 1(0x1)
    + AttributeNasPort: 128
    + AttributeRadiusNASPortType: Virtual, 5(0x5)
    + AttributeTunnelType: Point-to-Point Tunneling Protocol (PPTP), 1(0x1)
    + AttributeTunnelMediumType: IPv4, 1(0x1)
    + AttributeStationID: 10.10.1.62
    + AttributeTunnelClientEndpoint:
    + AttributeUserName: TCP1\rebecca
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    + AttributeVendorSpecific:
    - AttributeProxyState:
        Type: Proxy State, 33(0x21)
        Length: 10 (0xA)
        ProxyState: Binary Large Object (8 Bytes)
Summary RADIUS messages have a common structure consisting of a fixed-size portion and a variable-size portion. The fixed-size portion contains fields common to all RADIUS messages. The variable-size portion contains RADIUS attributes, which can be standard attributes or VSAs. RADIUS attributes carry data values that are used in authentication, authorization, and accounting of network access. An authentication exchange is one of the following: Access-Request/Access-Accept for a successful authentication and authorization, Access-Request/Access-Reject for an unsuccessful authentication or authorization, or Access-Request/Access-Challenge when the RADIUS server needs more information to evaluate authentication and authorization. An accounting exchange consists of an Accounting-Request and an Accounting-Response. When RADIUS proxies are between RADIUS clients and RADIUS servers, they modify RADIUS messages by adding or removing a Proxy-State attribute.
Prepared by Miss Pawinee Kaewsuk (ภาวิณี แก้วสุข), student ID 115130462031-3, group 51346CPE