RADIUS

This section takes a few steps to describe the basic principles of the AAA methodology, which is considered to be the fundamental structure behind the Remote Authentication Dial-In User Service (RADIUS). Additionally we briefly identify the functionality and principles of the RADIUS protocol. In the middle of the section we go through the steps required to install, configure, maintain, and monitor your RADIUS services. We conclude with practical implementations of the RADIUS protocol in relation to user authentication on wireless networks, as well as suggest useful software that will assist with your day-to-day use and administration of RADIUS servers for wireless user authentication.

Basics of AAA Framework

Authentication, authorization, and accounting (AAA) can be interpreted as a structure for controlling access to computer resources, enforcing policies, analyzing usage of resources, and providing the information necessary to charge for this service. These processes are considered vital for efficient and effective network management and security enforcement.

Even though the RADIUS protocol was developed before the existence of the AAA framework, it gives a good example of its implementation in practice. The AAA model outlines the three basic aspects of user access control, namely authentication, authorization, and accounting. These specifications are described next.

Authentication

Authentication is the process that provides a method of identifying users by requesting and comparing a valid set of credentials. The authentication is based on each user having a unique criteria for gaining access. The AAA-compliant server compares the user's authentication references with the database-stored information. If the credentials match, the user is granted access to the requested network resources; otherwise, the authentication process fails and network access is denied.

Authorization

Authorization follows authentication and is the process of determining whether the user is approved to request or use certain tasks, network resources, or operations. Usually, authorization occurs within the context of authentication and once the client is approved, he or she can use the requested resources. Therefore, authorization is a vital aspect of a healthy policy administration.

Accounting

The final aspect of the AAA structure is accounting, and it is best described as the process of measuring and recording the consumption of network resources. This allows the monitoring and reporting of events and usage for various purposes, including billing, trend analysis, resource utilization, capacity planning, and ongoing policy maintenance.

An Overview of the RADIUS Protocol

RADIUS is a widely used protocol implemented in many network environments. RADIUS can be defined as a security protocol that uses a client/server approach to authenticate remote users. This is carried out through a series of challenges and responses that the client relays between the Network Access Server (NAS) and the enduser. The RADIUS protocol has been composed because of the emerging demand for a method of authenticating, authorizing, and accounting for users who needed access to heterogeneous computing environments.

Unfortunately, the scope of this book does not allow us to go deeply into RADIUS, but we intend to cover enough aspects of this protocol to enable the reader to understand the practical implications of RADIUS in relation to wireless network authentication. If required, the complete description of the protocol and accounting procedures can be found in RFCs 2138 and 2139, which can be downloaded from http://www.ietf.org/rfc/rfc2138.txt and http://www.ietf.org/rfc/rfc2139.txt, respectively.

RADIUS Features

The RFC 2138 identifies the following key features of the RADIUS protocol:

Client/server model. A NAS operates as a client of RADIUS. The client is responsible for transferring user information to designated RADIUS servers and then acting on the received response. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all the configuration details necessary for the client to deliver services to the user. Additionally the RADIUS server can act as a proxy client to other RADIUS servers or similar authentication servers.
Network security. Communication between the client and the RADIUS server is authenticated through the use of a shared secret that is never sent over the network in clear text. Also, the user passwords are sent encrypted between the client and the RADIUS server to eliminate the possibility of a sniffing attack.
Flexible authentication mechanisms. The RADIUS server allows for a variety of methods of authenticating a user. When it is provided with the username and original password given by the user, it can support PAP or CHAP, UNIX login, and other authentication methods such as PAM, LDAP, SQL, and so on.
Extensible protocol. All transactions are comprised of variable length Attribute–Length–Value (ALV) 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol, thus making the protocol more flexible and dynamic to support new implementations.

Packet Formats

The RADIUS packet is encapsulated in a stateless UDP data stream that is addressed with the destination ports 1812, 1813, and 1814, representing access, accounting, and proxying, respectively. For compatibility and historical values, some servers are still erroneously running over ports 1645 and 1646. This dates from the early stages of the development of RADIUS and now actually conflicts with the "datametrics" service.

The RFC specifies that RADIUS uses an expected packet structure for the communication process, depicted in Figure 13-1.

Figure 13.1. RADIUS packet structure.

[View full size image]

The elements of the RADIUS packet are described next.

Code. The Code field is one octet in length and identifies the type of RADIUS packet. When a server receives a packet with an invalid Code field, it ignores it without further notification. The packet types are examined in the next section.
Identifier. The identifier is a one-octet value that allows the RADIUS client to match a RADIUS response with the correct outstanding request.
Length. The Length field is two octets. It indicates the length of the RADIUS message and represents the corresponding sum of the Code, Identifier, Length, Authenticator, and Attribute fields.
Authenticator. This value is 16 octets long and is used to authenticate and verify the reply from the RADIUS server, and it is also used as the password hiding mechanism. The two types of values are the Request and Response authenticators. The former type should be a random and unique value used with Access and Accounting Request packets. The latter type is used in Access-Accept, Access-Reject, and Access-Challenge packets and contains a one-way MD5 hash calculated from a stream of values consisting of the Code, Identifier, Length, and Request Authenticator fields and the response Attributes, followed by the shared secret.
Attributes. The Attributes section of the packet classifies various characteristics and behavior patterns of the service, which usually announces a particular feature of the offered or requested service type. The six attribute types and their possible values are shown in Table 13-1.

Table 13.1. RADIUS Attribute Types
Attribute Value
Length in Octets
Size (Bits)
Examples
INT (Integer)
4
32
256

65536
ENUM (Enumerated)
4
32
1 = user name

2 = user password

13 = framed compression

26 = vendor-specific
STRING (String)
1–253
Varies
"Any-string"

"192.168.111.111"

"www.arhont.com"
IPADDR (IP address)
4
32
0xFFFFFF

0x00000A
DATE (Date)
4
32
0xFFFFFF

0x00000A
BINARY (Binary)
1
1
0

Packet Types

The RADIUS server identifies the message types by the Code field in the RADIUS packet. The description of the codes can be found in Table 13-2. This section does not go into details of each of the RADIUS codes, as we consider them to be self-explanatory. However, if you require more details, please look at the Packet Types section of RFC 2138.

Table 13.2. RADIUS Packet Codes
RADIUS Code
Description
1
Access-Request
2
Access-Accept
3
Access-Reject
4
Accounting-Request
5
Accounting-Response
11
Access-Challenge
12
Status-Server (experimental)
13
Status-Client (experimental)
255
Reserved

< Day Day Up >