Remote Authentication Dial-In User Service

Protocol used for communication between NAS and AAA server

Supports authentication, authorization, and accounting

Defined in RFC 2865

Client/Server model

NAS operates as a RADIUS client by passing user info to RADIUS server and acting on response from server

RADIUS server receives connection requests, authenticates user, and provides configuration settings to client

RADIUS server can act as a proxy client to other authentication servers

Flexible authentication mechanisms

Can support PPP PAP or CHAP, Unix login, and other authentication mechanisms

Extensible

All transactions consist of attribute/value tuples

New attributes can be added to existing protocol

Defined in RFC 2865

Uses UDP port 1645 or 1812

Communication between RADIUS server and client is in clear-text except for passwords

Code field used to identify type of packet: access-request, access-accept, access-reject, accounting-request, accounting-response, access-challenge

Identifier field used to match requests with replies

Authenticator field contains a 16-byte random number used to authenticate the reply from the RADIUS server and to hide the password

Encrypted password transmitted is equal to

(Hash_A) XOR (padded user password)

where Hash_A = MD5 { request authenticator, preshared secret }

NAS sends Access-Request message to RADIUS server containing username, encrypted password, IP address of NAS, and type of service

RADIUS server replies with Access-Accept, Access-Reject, or Access-Challenge message

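Added example, not part of the original slides: a Python implementation of the Access-Request/Access-Accept exchange described above, built from the packet header fields (Code, Identifier, Length, Authenticator), the User-Password hiding formula (RFC 2865 feeds MD5 with the shared secret followed by the Request Authenticator, and chains on the previous ciphertext chunk for passwords longer than 16 bytes), and the Response Authenticator the NAS uses to check that a reply really came from a server holding the secret. The shared secret, user database, NAS address and packet identifiers are constructed sample values.

```python
import hashlib
import os
import struct

# Packet codes from RFC 2865 / RFC 2866
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11

# Attribute types used in this example
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_FRAMED = 2  # "Framed" service, i.e. PPP-style access


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then per chunk
    c_i = p_i XOR MD5(secret || prev), prev = Request Authenticator for the
    first chunk and the previous ciphertext chunk afterwards."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        hash_a = hashlib.md5(secret + prev).digest()   # Hash_A for this chunk
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hash_a))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same MD5 keystream, XOR, strip padding."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        hash_a = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hash_a))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1, counting these two bytes) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    """Header = Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_header(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, length, pkt[4:20], pkt[20:length]


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """NAS side: username, hidden password, NAS IP address and service type."""
    request_auth = request_auth or os.urandom(16)   # fresh 16-byte Request Authenticator
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.pack("!H", 20 + len(attrs))
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def server_handle(request, secret, users):
    """Toy RADIUS server: reveal and check the password, reply Accept or Reject."""
    _, ident, _, request_auth, attr_data = parse_header(request)
    attrs = parse_attrs(attr_data)
    ok = users.get(attrs[USER_NAME]) == reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)) if ok else b""
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return packet(reply_code, ident, auth, reply_attrs)


def client_check_reply(reply, request_auth, secret, expect_ident):
    """NAS side: Identifier must match the request and the Response
    Authenticator must verify; otherwise the reply is discarded."""
    code, ident, _, auth, attr_data = parse_header(reply)
    if ident != expect_ident:
        return None
    if auth != response_authenticator(code, ident, attr_data, request_auth, secret):
        return None
    return code


def demo():
    secret = b"constructed-shared-secret"                   # constructed sample secret
    users = {b"alice": b"correct horse battery staple!"}    # 29 bytes: two 16-byte chunks
    req, ra = build_access_request(secret, 7, b"alice", users[b"alice"], "10.0.0.5")
    good = client_check_reply(server_handle(req, secret, users), ra, secret, 7)
    bad_req, ra2 = build_access_request(secret, 8, b"alice", b"wrong", "10.0.0.5")
    bad = client_check_reply(server_handle(bad_req, secret, users), ra2, secret, 8)
    # A reply built without the real secret fails the Response Authenticator check
    forged = client_check_reply(server_handle(req, b"other-secret", users), ra, secret, 7)
    return good, bad, forged


if __name__ == "__main__":
    print(demo())  # (2, 3, None): Access-Accept, Access-Reject, reply discarded
```

Two points the slides state and the code makes concrete: the reply is only trusted after the Response Authenticator matches, which is the entire protection against a forged Access-Accept on a clear-text UDP exchange, and the password hiding is just an XOR with an MD5 keystream derived from the secret and the Request Authenticator, so the Request Authenticator must be fresh and unpredictable for every request or the keystream repeats.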
Start/Stop records sent at start/end of sessions using UDP port 1646 or 1813

RFC 2866

Authorization data in Accept message lists user authorized services (e.g. telnet, rlogin, PPP) and client IP address