
Introduction to the RADIUS protocol
Module Objectives
Identify the elements and architecture of remote access to networks
Understand the way the RADIUS protocol works
Get to know the attributes that control the different types of access
technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc.)
See how attributes and RADIUS packets are coded, and what a dictionary is for
Cover the standard statistical information provided over SNMP
View the extensions added to the RADIUS protocol

2 | RADIUS protocol
Overview All Rights Reserved Alcatel-Lucent 2007
AAA
Authentication
  Verify that a user really is who (s)he claims to be:
  Password, token cards, calling number, X.509 digital certificate, SIM card, etc.

Authorization
  Check that the user may access the service (s)he is trying to reach:
  Look up in a database, a file, etc. what the user is allowed to do, and restrict his/her
  access to the network accordingly

Accounting
  Record what the user has done during the connection:
  Connection time, bytes sent/received, access service, etc.
  Used for statistics about user accesses, billing, etc.

Switched connection diagram
(Figure: User -> Modem -> PSTN -> NAS/RAS at the ISP POP (Point of Presence) -> Router -> Internet (web).
The user runs PPP over the switched link and IP on top of it; the NAS/RAS consults the RADIUS (AAA)
server, which reads the user DB.)

Different ways to do AAA
Local accounts in the NAS/RAS
  Only valid for a small number of users
  Not valid if any user can connect to any NAS: we would have to provision all users in all NASs

Proprietary software between the NAS and an external server

The RADIUS protocol, for a NAS to query a server holding centralized information about
all users
  Or its evolution: the Diameter NASREQ application
The TACACS protocol family (TACACS, TACACS+, XTACACS)
  Not widely implemented, apart from Cisco

RADIUS: Basic Principles
RADIUS is not the server itself, but the protocol used to exchange information
Protocol to communicate between:
  a RADIUS client, typically the NAS (= Network Access Server)
  a remote AAA server

Standardized by the IETF (Internet Engineering Task Force) in several RFCs:
  RFCs 2865 & 2866
  Enhanced in RFCs 2867, 2868 & 2869, 3576, ...

Adopted by all vendors of access devices, as almost the only standard for AAA
RADIUS stands for: Remote Authentication Dial-In User Service

Authentication DataFlow
1) Bob dials the modem pool and establishes a connection to the NAS.
2) The NAS sends an Access-Request to the RADIUS server:
     User-Name: bob
     Password: ge55gep
     NAS-IP: 207.12.4.1
3) The RADIUS server looks the user up in the users database (Select UserID=bob), which holds:
     password=ge55gep
     Timeout = 3600
     Framed-Address=217.213.21.5
     [other attributes]
4) The RADIUS server answers with an Access-Accept:
     Framed-IP-Address=217.213.21.5
     Session-Timeout=3600
     [other attributes]
5) The PPP connection is established and Bob has Internet access.
Accounting DataFlow (Start)
Once the PPP session is up, the NAS sends an Accounting-Request to the RADIUS server
(Sun May 10 20:47:41 1998):
  Acct-Status-Type = Start
  User-Name = bob
  Framed-Address = 217.213.21.5
The RADIUS server writes the Accounting Start record to the ISP accounting database and returns an
acknowledgement (Accounting-Response) to the NAS.

Accounting DataFlow (Stop)
When the user disconnects, the NAS sends another Accounting-Request (Sun May 10 20:50:49 1998):
  Acct-Status-Type = Stop
  User-Name = bob
  Acct-Session-Time = 1432
  ...
The RADIUS server writes the Accounting Stop record to the accounting database and returns an
acknowledgement (Accounting-Response) to the NAS.

Fault Tolerance
Based on retransmissions by the RADIUS client.
Example with a NAS holding a list of three RADIUS servers:
  1) The NAS selects the first RADIUS server on the list (10.0.1.1).
  2) The first RADIUS server replies, but the router drops the reply.
  3) The NAS selects the second RADIUS server (10.0.1.2).
  4) The request does not get to the RADIUS server.
  5) The NAS selects the third RADIUS server (10.0.1.3).
  6) The reply is received and the transaction ends.

The retransmission strategy is not standardized:
  * some NASs fail over to another RADIUS server as soon as a timeout occurs
  * some NASs retry 1 or 2 times to the same RADIUS server before failing over

RADIUS servers list configured in the NAS:
     Authentication   Accounting   Auth_Timer   Acct_Timer
  1) 10.0.1.1         10.0.1.3     3            10
  2) 10.0.1.2         10.0.1.4     3            10
  3) 10.0.1.3         10.0.1.5     3            10
Information from NAS -> server for authentication
Information related to the RADIUS client (NAS):
  NAS-IP-Address, or a unique identification (NAS-Id)

Information to authenticate the connecting user:
  User-Name & password

Information about the connection itself (for authorization):
  Calling number, called number (or APN for GPRS/UMTS)
  Modem/port taking the connection (NAS-Port)
  Type of session (PPP, SLIP, ...)
  Type of connection (POTS, ISDN, ADSL, UMTS, GPRS, etc.)

Authentication process in the server (I)
1.- Decode the user's password (it travels encrypted)
  Using the "shared secret key", known by both client and server

2.- Search for the user's connection profile in:
  A plain text file
  An external SQL database
  An LDAP server
  The /etc/passwd file in UNIX
  User accounts in Windows domains
  Etc.

3.- Authenticate the user

Authentication process in the server (& II)
4.- Optionally, check extra data (check-items):
  Type of connection (POTS, ISDN, ADSL, cable, UMTS, etc.)
  Time of day
  Calling number, called number
  etc.

5.- Send Accept/Reject to the NAS with the right attributes for this user
session (reply-items):
  Idle and session timeout
  IP filters for this user
  Indication of the IP address to assign to the user
  For ISDN, max. number of channels to bond together (MLPPP)
  etc.

Communication UDP ports
Communication between client and server is done over UDP/IP

RADIUS authentication and accounting servers listen on 2 different ports
Servers can listen on any port, but it is advisable to use the standard ones
(defined in the RFCs)

UDP ports          New    Old
Authentication     1812   1645
Accounting         1813   1646

RADIUS clients can send requests from any source UDP port they have
available; this is not limited by the RFCs
  All requests need not come from the same port, and usually don't
  Though NASs can be configured to send all requests from the same source UDP
  port; only advisable to satisfy firewall restrictions

Why UDP? (RFC 2865)
RADIUS does not need the retransmission feature provided by TCP
  If the client does not get an answer, it sends another request to a secondary server
  The response to a retransmitted TCP request could arrive too late

Simplifies server implementation
  Especially for multi-threaded servers

Reduces network traffic
  UDP has less overhead than TCP
  UDP need not establish a session before sending data

PPP overview and traditional authentication methods
The Point-to-Point Protocol (PPP) allows carrying several protocols above its headers
The establishment of the PPP link requires a certain handshake:
  LCP - Link Control Protocol
    To determine MLPPP, the MTU, and to decide the authentication algorithm for the user
  Authentication - It will depend on the protocol negotiated: PAP, CHAP, MS-CHAPv2, EAP
    During this stage, the RADIUS server is contacted by the NAS
  NCP - Network Control Protocol, to negotiate extra parameters
    IPCP, the IP address assigned to the user
    CCP, if the data is going to be compressed
    ECP, if the data is going to be encrypted

Password Authentication Protocol (PAP)
The password travels in the clear (unencrypted) over the PPP link
The password can be stored hashed in the RADIUS server
User credentials are verified only once, at the beginning of the connection

Message flow (Initiator = user, Responder = NAS):
  Initiator -> Responder:        PAP-Auth-Request #1 (Name=jsmith, Passwd=red)
  Responder -> RADIUS server:    Access-Request (User-Name=jsmith, User-Password=red)
  RADIUS server -> Responder:    Access-Accept
    Responder -> Initiator:      PAP-Auth-Success #1 (Message="00")
  or RADIUS server -> Responder: Access-Reject
    Responder -> Initiator:      PAP-Auth-Failure #1 (Message="Incorrect Password")
(On the RADIUS leg the User-Password attribute is encrypted with the shared secret; see the Authenticator slides.)
Challenge Handshake Authentication Protocol (CHAP)
The user password is hashed with MD5 together with a random challenge
generated by the NAS (PPP responder); only the hash travels over the link
The password cannot be stored hashed in the RADIUS server
Optionally, the user can be re-authenticated several times during the
lifetime of the session

Message flow (Initiator = user, Responder = NAS):
  Responder -> Initiator:        CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value=0c7d203...a8, Name=tnt2)
  Initiator -> Responder:        CHAP-Auth-Response #1 (Length=16, Value=016b89...91, Name=john)
  Responder -> RADIUS server:    Access-Request (User-Name=john, CHAP-Password=016b89..91, [CHAP-Challenge*=0c7d203...a8])
  RADIUS server -> Responder:    Access-Accept
    Responder -> Initiator:      CHAP-Auth-Success #1 (Message="00")
  or RADIUS server -> Responder: Access-Reject
    Responder -> Initiator:      CHAP-Auth-Failure #1 (Message="Incorrect Password")
(*) The CHAP challenge may be carried in the Request Authenticator field instead of the CHAP-Challenge attribute (see Main attributes).
LCP handshaking
In the LCP handshake, the user and the NAS determine the authentication protocol to use:
  The user may accept the proposal from the NAS (authenticator)
  The user may reject the proposal from the NAS, and expect to receive a new one

Case 1 (Initiator = user, Responder = NAS/authenticator):
  Responder -> Initiator: Config-Request #1 (MRU=1524, auth=PAP, ...)
  Initiator -> Responder: Config-Ack #1 (MRU=1524, auth=PAP, ...)

Case 2:
  Responder -> Initiator: Config-Request #1 (MRU=1524, auth=PAP, ...)
  Initiator -> Responder: Config-Reject #1 (auth=PAP)
  Responder -> Initiator: Config-Request #2 (MRU=1524, auth=CHAP/MD5)
  Initiator -> Responder: Config-Ack #2 (MRU=1524, auth=CHAP/MD5)


Hashing of password
The user password can only be hashed once (MD5, SHA1, etc.), either at database storage
or when the user transmits it, as the hash algorithms are not reversible.
However, passwords can be stored encrypted (3DES, AES, ...).

Which combinations work:

Auth. algorithm used                  Password typed in this      Password provisioned for this user, read from
                                      connection attempt          the users database (text file, SQL, LDAP, etc.)
                                      (sent from NAS)             In the clear      Hashed (MD5, SHA1)
PAP, telnet/SSH...  {User-Password(2)}   In the clear             OK                OK
CHAP, EAP-MD5...    {CHAP-Password(3),...}  Hashed                OK                X
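As an added example (not part of the original deck), the following Python shows the server-side check for both rows of the table: PAP, where the server receives the clear-text password and can compare it against a stored salted hash, and CHAP, where the server has to recompute the RFC 1994 value MD5(ID + password + challenge) and therefore needs the clear-text (or reversibly encrypted) password. The user database, the salt, the PBKDF2 storage scheme and the challenge are constructed for the example.

```python
import hashlib
import hmac


def hash_password(password: str, salt: bytes) -> bytes:
    """Stored form for PAP users: salted PBKDF2-SHA256 (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # fixed so the example is reproducible
USERS = {
    "pap_user":  {"hash": hash_password("red", SALT), "salt": SALT},   # hashed at storage
    "chap_user": {"clear": "red"},                                      # must stay recoverable
}


def verify_pap(user: str, clear_password: str) -> bool:
    """PAP / User-Password(2): the server receives the clear password (after
    removing the shared-secret obfuscation), so it can be checked against a
    stored hash or a stored clear password: both 'OK' columns of the table."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if "hash" in rec:
        return hmac.compare_digest(hash_password(clear_password, rec["salt"]), rec["hash"])
    return hmac.compare_digest(clear_password.encode(), rec["clear"].encode())


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """What the PPP initiator computes (RFC 1994): MD5(ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_chap(user: str, chap_password: bytes, challenge: bytes) -> bool:
    """CHAP-Password(3) = 1-octet CHAP ID + 16-octet MD5 response; the challenge
    comes from CHAP-Challenge(60) or the Request Authenticator. The server has
    to recompute the same MD5, which needs the clear-text password: a stored
    hash cannot be used, the 'X' in the table."""
    rec = USERS.get(user)
    if rec is None or len(chap_password) != 17:
        return False
    if "clear" not in rec:
        raise ValueError("CHAP needs the clear-text (or reversibly encrypted) password")
    chap_id, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(chap_id, rec["clear"], challenge), response)
```

The comparison is done with hmac.compare_digest in both paths so that a wrong guess takes the same time as a near miss; the ValueError for a CHAP user stored only as a hash is the operational consequence of the table's "X".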
RADIUS packet format
Bytes 1-4:    Code (packet type, 1 byte) | Identifier (1 byte) | Length (2 bytes)
Bytes 5-20:   Authenticator (16 bytes)
Bytes 21-...: Attributes

Identifier: identifies the packet; together with the source IP address and UDP
port it is used to detect duplicate packets
Length: length of the whole RADIUS packet, 20 <= length <= 4096 bytes
Authenticator:
  - In auth requests: used to encrypt the user password with the shared secret
    key (usually a random value)
  - In replies and accounting: used to authenticate the message itself, similar
    to a digital signature
RADIUS packet types (RFC 2865)
Access-Request (1) - Authentication request from NAS to server
Access-Accept (2) - Response from server to NAS accepting the user session
Access-Reject (3) - Response from server to NAS rejecting the user session
Access-Challenge (11) - Request from server to NAS, asking for additional info
from the user
  Used with token/crypto cards, and for EAP

Accounting-Request (4) - The NAS sends accounting information to the server
Accounting-Response (5) - The server ACKs the accounting packet to the NAS
Authenticator field in auth
The Authenticator field serves two purposes, depending on whether the packet is a
request or an accept/reject:
  Encryption of some attributes: User-Password
  Server authentication

Access-Request:
  Client: picks a random number as Request Authenticator; computes MD5(shared key + Request
  Authenticator) and XORs it with the clear-text PAP password to obtain the User-Password
  attribute, which travels in the Access-Request together with the Request Authenticator.
  Server: computes the same MD5(shared key + Request Authenticator) and XORs it with
  User-Password to recover the clear password.

Access-Accept/Reject:
  Server: Authenticator field = MD5(response packet without authenticator + Request
  Authenticator + shared key)
  Client: recomputes the same MD5 over the received response packet, the Request
  Authenticator it sent and the shared key, and compares it with the Authenticator field:
  Match? -> Server authenticated; otherwise -> Discard packet
Authenticator field in acct
For accounting the authenticator only provides:
  Authentication of client and server
  Similar to a digital signature

Accounting-Request:
  Client: Authenticator field = MD5(acct packet with the authenticator set to zeros + shared key)
  Server: recomputes the same MD5 over the received packet and the shared key and compares:
  Match? -> Client authenticated; otherwise -> Discard

Accounting-Response:
  Server: Authenticator field = MD5(acct response without authenticator + Request
  Authenticator + shared key)
  Client: recomputes and compares with the Authenticator field:
  Match? -> Authenticated; otherwise -> Discard packet
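The two previous slides as runnable Python (an added example, not code from the deck): the RFC 2865 section 5.2 User-Password obfuscation (encode and decode, including passwords longer than 16 octets), the Response Authenticator of Access-Accept/Reject and Accounting-Response, and the Accounting-Request authenticator with its zeroed field. The test values come from the Access-Request hex dump shown later on the "Packet coding" slide, which has the layout of the RFC 2865 section 7.1 example; the shared secret "xyzzy5461" and the password "arctangent" are taken from that RFC, not from the slide, and the reply and accounting attributes are constructed.

```python
import hashlib
import hmac
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets and
    XOR each 16-octet block with MD5(secret + previous block), where the
    'previous block' of the first one is the Request Authenticator. The output
    is therefore at least 16 octets, the minimum attribute length."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream and XOR it with the ciphertext."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, _md5(secret, prev))), block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept/Reject/Challenge and Accounting-Response (RFC 2865 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), request_auth, attrs, secret)


def accounting_request_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request (RFC 2866 3): the same hash with the 16-octet
    Authenticator field set to zeros, since there is no Request Authenticator."""
    return response_authenticator(4, ident, attrs, b"\x00" * 16, secret)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def verify_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The 'Match?' box on the slides: recompute the hash over the received
    packet and compare it in constant time with the Authenticator field.
    For an Accounting-Request pass 16 zero octets as request_auth."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Everything here keys off a single MD5 of the shared secret, which is why the secret must be long and random and why the NAS must bind replies to the Request Authenticator it actually sent: a reply whose hash does not match is discarded, not retried. Per-packet integrity of Access-Request itself is not provided by this scheme; that is what the Message-Authenticator attribute seen on the Digest slides (RFC 2869, HMAC-MD5) adds.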


Example of successful auth: Dial-in user with PAP
(Figure: user with a POTS modem -> PSTN -> NAS (RADIUS client) -> IP -> RADIUS server)

Access-Request (1) - ID=1
  User-Name (1) = "pepe"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 255.255.255.254
  Framed-IP-Netmask (9) = 255.255.255.255
  Framed-Routing (10) = None (0)
  Framed-Compression (13) = VJ TCP/IP (1)
  Framed-MTU (12) = 1500
  Session-Timeout (27) = 7200
Example of a PPPoA (ADSL) connection
(Figure: PPPoA client -> ADSL line -> DSLAM -> ATM -> BRAS (RADIUS client) -> IP -> RADIUS server)
For ADSL with PPPoA, there is no Called-Station-Id or Calling-Station-Id.
For PPPoE, they carry the Ethernet MAC addresses.

Access-Request (1) - ID=1
  User-Name = "user11@aunadsl"
  CHAP-Password = "\0011\266\303"
  CHAP-Challenge = "e\241\\000"
  NAS-IP-Address = 1.2.3.4
  NAS-Port = 3329
  Ascend-NAS-Port-Format = 2_4_5_5
  NAS-Port-Type = Sync
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Session-Id = "483015958"

Access-Accept (2) - ID=1
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Ascend-Source-IP-Check = Source-IP-Check-Yes
  Ascend-IP-Source-If = "sip100"
  Framed-Pool = 1
  Filter-Id = Foo
  Ascend-Filter-Required = Required-Yes
Example of a UMTS/GPRS connection
(Figure: mobile -> Node B -> RNC -> SGSN -> GGSN (RADIUS client) -> IP -> RADIUS server)
The APN is sent in Called-Station-Id. It is used by the user to select the GGSN.

Access-Request (1) - ID=1
  NAS-Identifier (32) = "B-CER1N-GGSN2"
  User-Name (1) = "WAPTM"
  User-Password (2) = "o\009KF\020#\145+\146f"
  NAS-Port-Type (61) = Virtual (5)
  Calling-Station-Id (31) = "34679912214"
  Called-Station-Id (30) = "wap.movistar.es"
  Acct-Session-Id (44) = "646704d51e069701"

Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 10.11.12.13
  Framed-IP-Netmask (9) = 255.255.255.255
  Session-Timeout (27) = 7200
  Idle-Timeout (28) = 3600
Example for CDMA2000 1xEV-DO (HRPD): AN-AAA (A12 interface)
(Figure: AT (Access Terminal) -> BS (Base Station) -> RNC/PCF (BS Controller) -> PDSN (Packet Data
Serving Node) over A8/A9 and A10/A11; the AN queries the AN-AAA RADIUS server over A12 (IS-878).)
The A12 interface (AN-AAA) is used:
  to perform access authentication (with CHAP) of the AT device by the AN
    The User-Name is the IMSI of the SIM card (MCC, MNC, MN_ID)
  to return the MN ID (e.g. IMSI) that is used on the A8/A9 and A10/A11 interfaces
    This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and
    cdma2000 systems.

Access-Request
  User-Name = 260071234567890@cdma1.com
  CHAP-Password = "\0011\266\303"
  CHAP-Challenge = "e\241\\000"
  NAS-IP-Address = 192.168.20.2
  3GPP2-HRPD-Access-Authentication = True
  3GPP2-AT-Hardware-Id = 0129012

Access-Accept (2)
  Callback-Id (20) = 0260071234567890
Example for CDMA2000 1xEV-DO (HRPD): PDSN-AAA for Simple IP (IS-835)
(Figure: AT -> BS -> RNC/PCF -> A10/A11 -> PDSN (RADIUS client, PPP peer) -> RADIUS server)
The PDSN is the classical PPP server
The AAA server may return 1 IPv4 and/or 1 IPv6 address for the user to
choose, or the PDSN will select one from a local pool
New Access-Requests are sent when the AT hands off between PCFs
  They are correlated to the current session with the 3GPP2-Correlation-Id AVP

Access-Request
  User-Name = john@cdma1.com
  CHAP-Password = "\0011\266\303"
  CHAP-Challenge = "e\241\\000"
  NAS-IP-Address = 192.168.30.3
  NAS-Port-Type = Wireless-1X-EV
  3GPP2-Correlation-Id = 1234
  Calling-Station-Id = 0260071234567890

Access-Accept
  [Framed-IP-Address = 10.1.2.3]
  Session-Timeout = 7200
Example of pre-auth followed by PPP negotiation
The pre-auth is done before the NAS takes the call off-hook
  Requires ISDN signalling (Q.931) or SS7 with a Softswitch (MGC)

The server decides whether to allow/refuse taking the call off-hook based on the
calling number (CLID) or the called number (DNIS)
For PPP users, normally they must also do PPP authentication (PAP,
CHAP, etc.) later

Access-Request (1) - ID=127
  User-Name (1) = "909390390"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 909390390
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=127
  Ascend-Require-Auth (26->529(201)) = Require-Auth (1)
Example of pre-auth for dataphones (PoS)
The RADIUS server instructs the NAS how to handle this call, and even
what modulation to use, before taking the call off-hook
(Figure: PoS dataphone -> PSTN -> NAS -> IP -> RADIUS server; the NAS then opens a TCP
connection to a PAD in front of Bank X, whose system sits on an X.25 network)

Access-Request (1) - ID=10
  User-Name (1) = "090"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 090
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=10
  User-Name = "PoS"
  Service-Type = Login
  Login-Service = TCP-Clear
  Login-IP-Host = 192.168.20.4
  Login-TCP-Port = 8419
  Ascend-AT-Answer-String = "&t4s18=15+MS=1&g2S220=11S221=50S10=3"
Example of proxy-RADIUS
A RADIUS server (forwarding server) redirects the request to a remote server, based on
Called-Station-Id or on the user realm

1) NAS -> Forwarding server: Access-Request (1) - ID=100
     User-Name (1) = "pepe@realm1"
     User-Password (2) = 5E%&gn)8
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
2) Forwarding server -> Remote server: Access-Request (1) - ID=200
     User-Name (1) = "pepe@realm1"
     User-Password (2) = (re-encrypted with the remote server's shared secret)
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
     [Proxy-State (33) = 11379994]
3) Remote server -> Forwarding server: Access-Accept (2) - ID=200
     Service-Type (6) = Framed (2)
     Framed-Protocol (7) = PPP (1)
     [Proxy-State (33) = 11379994]
4) Forwarding server -> NAS: Access-Accept (2) - ID=100
     Service-Type (6) = Framed (2)
     Framed-Protocol (7) = PPP (1)
     Framed-IP-Address (8) = 198.197.196.195
     Framed-IP-Netmask (9) = 255.255.255.255
     Session-Timeout (27) = 36000
Example of PPP tunneling
Attribute coding as in RFC 2868 (tagged attributes)
(Figure: user with POTS modem -> PSTN -> LAC (tunnel client, RADIUS client) -> public IP network ->
tunnel servers (LNS) 1.1.1.1 and 2.2.2.2 in the corporate intranet, which has its own RADIUS server;
the LAC queries the public RADIUS server)

Access-Request (1) - ID=8
  User-Name (1) = "pepe@tunnel"
  CHAP-Password (3) = 5E%&gn)8
  CHAP-Challenge (60) = A0B1...23
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=8
  Tunnel-Type (64) = L2TP : 1
  Tunnel-Medium-Type (65) = IPv4
  Tunnel-Server-Endpoint (67) = 1.1.1.1 : 1
  Tunnel-Password (69) = loloaqic : 1
  Tunnel-Type (64) = PPTP : 2
  Tunnel-Server-Endpoint (67) = 2.2.2.2 : 2
  Tunnel-Password (69) = itsAsecret : 2
(The ":n" suffix is the RFC 2868 tag that groups the attributes belonging to one tunnel.)
Example for IPsec authentication: XAUTH over IKE with Lucent Brick-LSMS
Example with IKE authentication of the tunnel endpoints with a pre-shared key
User authentication with XAUTH (login/password), carried in IKE
(Figure: IPsec client (user) -> IPsec server (Lucent Brick, 135.88.101.91) -> LSMS (RADIUS client,
135.88.101.111) -> RADIUS server)

Access-Request (1) - ID=150
  User-Name (1) = "usu1"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 135.88.101.111
  Called-Station-Id (30) = 135.88.101.91
  Service-Type (6) = Authenticate-Only (8)
  NAS-Port-Type (61) = Virtual (5)

Access-Accept (2) - ID=150
  Session-Timeout (27) = 86400
  Idle-Timeout (28) = 3600
  [Connect-Info (77) = user_group1]
  [Framed-IP-Address (8) = 135.88.101.222]
Authentication for device administration
Example with Lucent TAOS
(Figure: administrator at 1.2.3.4 -> telnet -> TNT2 (RADIUS client) -> IP -> RADIUS server)

Access-Request (1) - ID=10
  User-Name (1) = "adminuser"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 0
  NAS-Port-Type (61) = Virtual (5)
  Service-Type (6) = Administrative (6)
  [Calling-Station-Id = 1.2.3.4]

Access-Accept (2) - ID=10
  Service-Type (6) = Administrative (6)
  Ascend-Telnet-Profile (26->529:91) = Admin
Example of failed authentication: Crypto-Card (Challenge-Response)
(Figure: user with modem -> PSTN -> NAS -> IP -> RADIUS server, which talks a proprietary
protocol to the Token Card server)

1) NAS -> RADIUS server: Access-Request (1) - ID=2
     User-Name (1) = "mycard"
     User-Password (2) =
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
2)-3) RADIUS server <-> Token Card server: exchange over the proprietary protocol to obtain the challenge
4) RADIUS server -> NAS: Access-Challenge (11) - ID=2
     Reply-Message (18) = Challenge:12345678
     State (24) = 13579
     Prompt (76) = Echo (1)
     Session-Timeout (27) = 120
5) The NAS shows the user: Challenge: 12345678
6) The user types the response computed by the card: 24058419
7) NAS -> RADIUS server: Access-Request (1) - ID=3
     User-Name (1) = "mycard"
     User-Password (2) = 24058419
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
     State (24) = 13579
8) RADIUS server -> NAS: Access-Reject (3) - ID=3
     Reply-Message (18) = Invalid Credentials
Digest Authentication for HTTP/SIP (I) (RFC 4590)
Example authenticating and authorizing every VoIP call (INVITE)
The authentication could also be done only during registration
(Participants: SIP UA with AOR 123@example.com, SIP proxy server acting as RADIUS client,
RADIUS server with its users database, SIP UA with AOR 987@example.com)

1) SIP UA -> SIP proxy: INVITE
     From: <sip:123@example.com>
     To: <sip:987@example.com>
   SIP proxy -> SIP UA: 100 TRYING
2) SIP proxy -> RADIUS server: Access-Request
     User-Name = 123
     NAS-IP-Address = 192.0.2.38
     NAS-Port-Type = Virtual
     Digest-Method = INVITE
     Digest-URI = sip:987@example.com
     Message-Authenticator = f8da40
3) RADIUS server -> SIP proxy: Access-Challenge
     Digest-Nonce = 3bada1a0
     Digest-Realm = example.com
     Digest-Qop = auth
     Digest-Algorithm = MD5
     Message-Authenticator = 088043
     State = 27
4) SIP proxy -> SIP UA: 407 Proxy Authentication Required
     Proxy-Authenticate: Digest realm="example.com", nonce="3bada1a0", qop=auth, algorithm=MD5
     Content-Length: 0
   SIP UA -> SIP proxy: ACK
Digest Authentication for HTTP/SIP (II) (RFC 4590)
5) SIP UA -> SIP proxy: INVITE
     From: <sip:123@example.com>
     To: <sip:987@example.com>
     Proxy-Authorization: Digest username="123", realm="example.com", nonce="3bada1a0",
       uri="sip:987@example.com", qop=auth, algorithm=MD5, response="f3c97a4"
6) SIP proxy -> RADIUS server: Access-Request
     User-Name = 123
     NAS-IP-Address = 192.0.2.38
     NAS-Port-Type = Virtual
     Digest-Method = INVITE
     Digest-URI = sip:987@example.com
     SIP-AOR = sip:123@example.com
     Digest-Username = 123
     Digest-Realm = example.com
     Digest-Response = f3c97a4
     Digest-Cnonce = 0a7e75c4
     Digest-Nonce-Count = 1
     Digest-Algorithm = md5
     Digest-Nonce = 3bada1a0
     Digest-Qop = auth
     Message-Authenticator = ffe0ff
     State = 27
7) RADIUS server -> SIP proxy: Access-Accept
     Digest-Response-Auth = 63e954
     Digest-Nextnonce = fd0a8765
     Message-Authenticator = 75aaf1
NOTE: The next authentication for this user could save a round-trip if the RADIUS client
uses the Digest-Nextnonce to challenge the user.
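An added Python example (not from the deck) of the server side of slide (II): it computes the RFC 2617 request-digest the UA puts in response=, checks it against the Digest-* attributes of the Access-Request, rejects stale or replayed nonces by tracking the nonce count, and on success returns Digest-Response-Auth (the rspauth value, computed with the method left out of A2) and a fresh Digest-Nextnonce. Nonce values, the user password and the 8-hex-digit nonce-count are assumptions; the deck only shows abbreviated values. The nonce table below never expires entries, which a real server must do.

```python
import hashlib
import hmac
import secrets


def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm MD5; a server may store this instead of the password."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest for qop=auth: the value the UA sends in response=
    and the proxy copies into Digest-Response."""
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rspauth(h1: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Authentication-Info rspauth: same formula, but A2 has no method. Returned
    in Digest-Response-Auth so the UA can see the server knew the password too."""
    ha2 = _h(f":{uri}")
    return _h(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_challenge(realm: str, nonces: dict, state: str = "27") -> dict:
    """Access-Challenge of slide (I). nonces maps nonce -> highest nonce-count accepted."""
    nonce = secrets.token_hex(4)
    nonces[nonce] = 0
    return {"code": "Access-Challenge", "Digest-Nonce": nonce, "Digest-Realm": realm,
            "Digest-Qop": "auth", "Digest-Algorithm": "MD5", "State": state}


def handle_access_request(req: dict, users: dict, nonces: dict) -> dict:
    """Server side of slide (II). req holds the Digest-* attributes copied from the
    SIP Proxy-Authorization header; users maps (username, realm) -> password."""
    nonce, nc_str = req["Digest-Nonce"], req["Digest-Nonce-Count"]
    nc = int(nc_str, 16)
    if nonce not in nonces or nc <= nonces[nonce]:      # unknown nonce, or nc did not increase
        return {"code": "Access-Reject", "Reply-Message": "stale or replayed nonce"}
    user, realm = req["Digest-Username"], req["Digest-Realm"]
    password = users.get((user, realm))
    if password is None:
        return {"code": "Access-Reject", "Reply-Message": "unknown user"}
    h1 = ha1(user, realm, password)
    expected = digest_response(h1, req["Digest-Method"], req["Digest-URI"], nonce, nc_str,
                               req["Digest-Cnonce"], req["Digest-Qop"])
    if not hmac.compare_digest(expected, req["Digest-Response"]):
        return {"code": "Access-Reject", "Reply-Message": "bad digest"}
    nonces[nonce] = nc                                   # this (nonce, nc) cannot be replayed
    next_nonce = secrets.token_hex(4)
    nonces[next_nonce] = 0
    return {"code": "Access-Accept",
            "Digest-Response-Auth": rspauth(h1, req["Digest-URI"], nonce, nc_str,
                                            req["Digest-Cnonce"], req["Digest-Qop"]),
            "Digest-Nextnonce": next_nonce}
```

The nonce-count check is what turns a captured Access-Request into something the attacker cannot simply resend to the RADIUS server; without it the MD5 digest alone proves nothing about freshness.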
Main attributes (I) (RFC 2865)
Attribute layout: Attribute ID (1 byte) | Attribute length (1 byte) | Attribute value (...)

User-Name (1) -
  Mandatory in Access-Request & Accounting-Request
  The server may send it back in the Access-Accept, so that the NAS uses this
  new User-Name in Accounting-Request packets

User-Password (2) - Encrypted password with PAP authentication
  Minimum length: 16 bytes (due to the encryption algorithm)
  Only in Access-Request
  Also carries the characters typed by the user after an Access-Challenge

CHAP-Password (3) - CHAP identifier plus the MD5 response (hashed password) with CHAP authentication
Main attributes (II)
CHAP-Challenge (60) - Challenge sent from the NAS to the user for CHAP authentication
  Optionally, if it is 16 bytes long, the CHAP challenge can be sent in the Request Authenticator field instead
NAS-IP-Address (4) - IP address of the RADIUS client
NAS-Port (5) - Physical port (modem) in the NAS processing the connection
  If there is no physical modem, this number is virtual (a sequence number)
Service-Type (6) - Type of service the user is requesting (Access-Request),
or (s)he is allowed to have (Access-Accept):
  Login (1): the user is doing a telnet (TCP connection) to a host
  Framed (2): usually, a PPP session with an IP address
  Callback Login (3), Callback Framed (4)
  Administrative (6): to manage a NAS via telnet
  Call-Check (10): for pre-authentication
Main attributes (III)
Framed-Protocol (7): when Service-Type = Framed
  PPP (1), SLIP (2), etc.

Framed-IP-Address (8): IP address to assign to the user. Can be:
  A regular IP address
  Special addresses meaning:
    255.255.255.254 = the NAS dynamically assigns one from a pool
    255.255.255.255 = the user may choose his/her own IP address

Framed-IP-Netmask (9): usually 255.255.255.255 (1 IP address)

Framed-Routing (10): used for modem-routers talking RIP:
  None (0), Send routing packets (1), Listen for routing packets (2), Send and
  Listen (3)
Filter-Id (11) - Name of the filter to apply to the user
  This filter name must be defined in the NAS or with a VSA
Main attributes (IV)
Framed-MTU (12) - Maximum Transmission Unit for layer 2
Framed-Compression (13):
  VJ TCP/IP header compression for PPP (1)

Login-IP-Host (14): in the Access-Accept the server tells the NAS the
IP address of the host to establish a TCP connection to
  Used when Service-Type = Login
Login-Service (15): when Service-Type = Login:
  Telnet (0), Rlogin (1), TCP Clear (2), etc.

Reply-Message (18)
  In an Access-Challenge, the message to show to the user
  In an Access-Reject, may contain the reason for rejecting the connection
Main attributes (V)
Vendor-Specific attribute layout:
  Type = 26 (1 byte) | Length (1 byte) | Vendor ID (4 bytes) | VSA1 ID (1 byte) | VSA1 Length (1 or 2 bytes) | VSA1 Value | VSA2 ID | VSA2 Length | VSA2 Value | ...

Vendor-Specific (26) - Attributes specific to this device, not defined
by the IETF but by the vendor who made the device (NAS)
Session-Timeout (27) - Max. connection time (sec.)
Idle-Timeout (28) - Max. idle time (sec.)
Called-Station-Id (30) - Also called DNIS
  In GPRS/UMTS: the APN
Calling-Station-Id (31) - Also called CLID
Main attributes (& VI)
NAS-Identifier (32) - Alternative to the NAS-IP-Address attribute to identify the
NAS sending the requests
Proxy-State (33) - May be used when a server is acting as proxy-RADIUS.
The NAS never receives this attribute

NAS-Port-Type (61) -
  Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4)
  Virtual (5): e.g. access via telnet
  xDSL (16), Cable (17)
  Mobile: GPRS (18), Wireless-802.11 (19), CDMA2000 (22), UMTS (23)

Port-Limit (62) - To limit the max. number of calls that can be bonded
together with MP (Multilink Protocol), or concurrent sessions with the
same User-Name
Protocol enhancements: RFCs 2867 to 2869
In RFCs 2867 and 2868 new attributes are defined for tunneled
connections (mainly L2TP)
RFC 2869 defines some general user attributes:
  Prompt (76) - In a Challenge-Response, tells the NAS whether it has to echo the user's response
  Connect-Info (77) - May carry info about the user connection and speed. The
  format is NAS/vendor dependent:
    E.g.: "28800 V42BIS/LAPM", "52000/31200 V90", "9600 V110/ISDN"
  Acct-Interim-Interval (85) - The RADIUS server can order the NAS to send
  Interim accounting packets with a certain periodicity
  Framed-Pool (88) - In the Access-Accept, tells the NAS what pool to use for
  user IP address assignment
    This pool must be defined locally in the NAS
Packet coding
Access-Request hex dump (56 bytes):

01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb
98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d
93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8
01 10 05 06 00 00 00 03

Decoded:
  01                      Message Type = Access-Request (1)
  01                      Packet ID = 1
  00 38                   Length = 56
  0f 40 3f 94 ... 22 7a   Request Authenticator (16 bytes)
  01 06 6e 65 6d 6f       Attribute ID = User-Name (1), Length = 6, Value = "nemo"
  02 12 0d be ... 0a ee   Attribute ID = User-Password (2), Length = 18, 16 bytes of password
                          encrypted using the authenticator field
  04 06 c0 a8 01 10       Attribute = NAS-IP-Address (4), Length = 6, Value = 192.168.1.16
  05 06 00 00 00 03       Attribute = NAS-Port (5), Length = 6, Value = 3
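The hex dump above decoded by code: an added Python example (not from the deck) that parses the RADIUS header and the attribute chain with the length checks a server must apply before trusting any field, decodes Vendor-Specific (26) into Vendor-Id plus sub-attributes and RFC 2868 tagged attributes as shown on the Main attributes and PPP tunneling slides, and keeps the duplicate-detection key from the packet format slide. The small attribute dictionary, the constructed Access-Accept used to exercise VSA and tagged decoding (Ascend vendor 529 and the L2TP values are taken from the slides, the rest is invented) and the source address are assumptions; the User-Password is left as its 16 encrypted octets because decoding it needs the shared secret.

```python
import ipaddress
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# A minimal attribute dictionary with the types used here (assumed subset;
# a real server loads a full dictionary file).
ATTRIBUTES = {
    1: ("User-Name", "string"), 2: ("User-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"), 5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"), 7: ("Framed-Protocol", "integer"),
    8: ("Framed-IP-Address", "ipaddr"), 26: ("Vendor-Specific", "vsa"),
    64: ("Tunnel-Type", "tagged-integer"), 65: ("Tunnel-Medium-Type", "tagged-integer"),
    67: ("Tunnel-Server-Endpoint", "tagged-string"),
}


def parse_packet(data: bytes) -> dict:
    """Header plus attribute chain: 20 <= Length <= 4096, Length not beyond the
    datagram, every attribute Length >= 2 and inside the packet."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError(f"bad Length field {length}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        attrs.append(decode_attribute(atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": data[4:20], "attributes": attrs}


def decode_attribute(atype: int, value: bytes) -> tuple:
    name, kind = ATTRIBUTES.get(atype, (f"Attr-{atype}", "octets"))
    if kind == "string":
        return name, value.decode("utf-8", "replace")
    if kind == "integer" and len(value) == 4:
        return name, struct.unpack("!I", value)[0]
    if kind == "ipaddr" and len(value) == 4:
        return name, str(ipaddress.IPv4Address(value))
    if kind == "vsa":
        return name, decode_vsa(value)
    if kind == "tagged-integer" and len(value) == 4:   # RFC 2868: 1-octet tag + 3-octet value
        return name, {"tag": value[0], "value": int.from_bytes(value[1:], "big")}
    if kind == "tagged-string":                         # tag present only if first octet <= 0x1F
        if value and value[0] <= 0x1F:
            return name, {"tag": value[0], "value": value[1:].decode("utf-8", "replace")}
        return name, {"tag": 0, "value": value.decode("utf-8", "replace")}
    return name, value   # unknown type or malformed length: keep the raw octets


def decode_vsa(value: bytes) -> dict:
    """Vendor-Specific (26): 4-octet Vendor-Id followed by sub-attributes in the
    common 1-octet type / 1-octet length / value form (the Ascend VSAs use it)."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific shorter than the Vendor-Id")
    vendor = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2 or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("bad vendor sub-attribute")
        subs.append((value[pos], value[pos + 2:pos + value[pos + 1]]))
        pos += value[pos + 1]
    return {"vendor": vendor, "subattrs": subs}


def is_duplicate(seen: dict, src_ip: str, src_port: int, data: bytes) -> bool:
    """Duplicate detection from the packet format slide: (source IP, source UDP
    port, Identifier); the Request Authenticator is added to the key so that a
    new request reusing an Identifier is not dropped as a retransmission."""
    key = (src_ip, src_port, data[1], data[4:20])
    if key in seen:
        return True
    seen[key] = True
    return False


# The Access-Request from the slide above.
PAGE_HEX = ("01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 6e 65 6d 6f "
            "02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03")


def constructed_accept() -> bytes:
    """A constructed Access-Accept (not from the deck) carrying the attribute
    forms of the Main attributes (V) and PPP tunneling slides: an Ascend
    (vendor 529) VSA, Tunnel-Type = L2TP (3) with tag 1 and a tagged endpoint.
    The Authenticator is left as zeros; only parsing is exercised here."""
    vsa = struct.pack("!I", 529) + bytes([91, 7]) + b"Admin"
    attrs = (bytes([26, 2 + len(vsa)]) + vsa
             + bytes([64, 6, 1, 0, 0, 3])
             + bytes([67, 10, 1]) + b"1.1.1.1")
    return struct.pack("!BBH", 2, 8, 20 + len(attrs)) + b"\x00" * 16 + attrs
```

The length checks are the point: an attribute Length of 0 or 1 would loop forever or walk backwards, and a Length field larger than the datagram would read past the buffer in a C implementation, so every one of them is validated before the value is touched.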
Accounting special attributes (I)
Acct-Status-Type (40) - Type of accounting packet:
  Start (1), Stop (2), Interim-Update (3), etc.
  Accounting-On (7), Accounting-Off (8)
    The NAS is going to be / has been rebooted and will not send the Stop packets of the users
    connected at that moment

Acct-Delay-Time (41) - Number of seconds between the accounting event and
the generation of this packet
  Used mainly in retransmissions, with a value != 0
Acct-Input-Octets (42) - In Stop/Interim, bytes transmitted by the user (input
bytes for the NAS) since the beginning of the session = upstream
Acct-Output-Octets (43) - Bytes received by the user = downstream
Acct-Input-Packets (47) - Same as Acct-Input-Octets, counted in packets
Acct-Output-Packets (48) - Same as Acct-Output-Octets, counted in packets
Accounting special attributes (& II)
Acct-Session-Id (44) - Identifies a session uniquely within the NAS
  This attribute may also be sent in the Access-Request packet (auth)
  The value must be the same in Start, Stop and Interim (and in auth)

Acct-Authentic (45) - How the user was authenticated
  RADIUS (1), Local (2), Remote (3)

Acct-Session-Time (46) - How long (in seconds) the user was connected
(Stop), or has been connected so far (Interim)
Acct-Terminate-Cause (49) - General cause
  User Request (1), Lost Carrier (2), Idle Timeout (4), Callback (16)

Acct-Multi-Session-Id (50) - For MLPPP sessions, each call will have a
different Acct-Session-Id, but the same Acct-Multi-Session-Id
Acct-Link-Count (51) - In MLPPP, the max. number of channels that have
been bonded together
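An added Python example (not from the deck) of what an accounting server does with these attributes: it correlates Start, Interim-Update and Stop by (NAS-IP-Address, Acct-Session-Id), uses Acct-Delay-Time to recover the real event time of a retransmitted Stop, ignores a duplicate Stop, opens a session from a Stop whose Start was lost, and closes every open session of a NAS when that NAS sends Accounting-On. The records are constructed; the first session reuses the values of the Start/Stop packets on the following slides, the others are invented.

```python
from dataclasses import dataclass


@dataclass
class Session:
    nas: str
    session_id: str
    user: str
    start: int              # event time of the Start (or derived from the Stop)
    ip: str = ""
    session_time: int = 0
    input_octets: int = 0   # upstream, as Acct-Input-Octets
    output_octets: int = 0  # downstream, as Acct-Output-Octets
    closed: bool = False
    terminate_cause: str = ""


def process_accounting(records: list) -> dict:
    """Correlate accounting packets into sessions keyed by
    (NAS-IP-Address, Acct-Session-Id). 'ts' is the time the server received
    the packet; Acct-Delay-Time is subtracted to get the real event time."""
    sessions = {}
    for r in records:
        nas, status = r["NAS-IP-Address"], r["Acct-Status-Type"]
        event_time = r["ts"] - r.get("Acct-Delay-Time", 0)
        if status in ("Accounting-On", "Accounting-Off"):
            # The NAS (re)booted: no Stop will ever come for its open sessions
            for s in sessions.values():
                if s.nas == nas and not s.closed:
                    s.closed, s.terminate_cause = True, "NAS-Reboot"
            continue
        key = (nas, r["Acct-Session-Id"])
        s = sessions.get(key)
        if status == "Start":
            if s is None:
                sessions[key] = Session(nas, key[1], r.get("User-Name", ""), event_time,
                                        r.get("Framed-IP-Address", ""))
            continue   # a duplicate Start changes nothing
        if s is None:
            # Interim/Stop whose Start was lost: derive the start time
            s = sessions[key] = Session(nas, key[1], r.get("User-Name", ""),
                                        event_time - r.get("Acct-Session-Time", 0),
                                        r.get("Framed-IP-Address", ""))
        if s.closed:
            continue   # retransmitted Stop after the session was already closed
        s.session_time = r.get("Acct-Session-Time", s.session_time)
        s.input_octets = r.get("Acct-Input-Octets", s.input_octets)
        s.output_octets = r.get("Acct-Output-Octets", s.output_octets)
        if status == "Stop":
            s.closed = True
            s.terminate_cause = r.get("Acct-Terminate-Cause", "")
    return sessions


# Constructed records (ts = seconds since an arbitrary epoch). Session 262282375
# reuses the values of the Start/Stop packets shown on the next slides.
NAS = "192.168.10.1"
RECORDS = [
    {"ts": 0, "NAS-IP-Address": NAS, "Acct-Status-Type": "Start", "Acct-Session-Id": "262282375",
     "User-Name": "user1_basic", "Framed-IP-Address": "91.87.84.19", "Acct-Delay-Time": 0},
    {"ts": 5, "NAS-IP-Address": NAS, "Acct-Status-Type": "Start", "Acct-Session-Id": "111",
     "User-Name": "user2"},                                   # never gets a Stop
    {"ts": 40, "NAS-IP-Address": NAS, "Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "262282375",
     "Acct-Session-Time": 40, "Acct-Input-Octets": 100000, "Acct-Output-Octets": 2000000},
    {"ts": 79, "NAS-IP-Address": NAS, "Acct-Status-Type": "Stop", "Acct-Session-Id": "262282375",
     "Acct-Session-Time": 74, "Acct-Input-Octets": 459078, "Acct-Output-Octets": 4440286,
     "Acct-Terminate-Cause": "User-Request", "Acct-Delay-Time": 5},   # first Stop lost, resent 5 s later
    {"ts": 80, "NAS-IP-Address": NAS, "Acct-Status-Type": "Stop", "Acct-Session-Id": "262282375",
     "Acct-Session-Time": 74, "Acct-Input-Octets": 459078, "Acct-Output-Octets": 4440286,
     "Acct-Terminate-Cause": "User-Request", "Acct-Delay-Time": 6},   # duplicate, ignored
    {"ts": 300, "NAS-IP-Address": NAS, "Acct-Status-Type": "Accounting-On"},
    {"ts": 500, "NAS-IP-Address": NAS, "Acct-Status-Type": "Stop", "Acct-Session-Id": "222",
     "User-Name": "user3", "Acct-Session-Time": 100},          # Stop without Start
]
```

For billing, the session is charged from the Stop's Acct-Session-Time and octet counters, never from wall-clock differences between packets: the 5-second Acct-Delay-Time on the retransmitted Stop is exactly the kind of skew that would otherwise be billed to the user.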
Example of acct START packet (TAOS 9.x)
Tue Aug 28 11:15:45 2001
  User-Name = user1_basic
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Acct-Status-Type = Start
  Acct-Delay-Time = 0
  Acct-Session-Id = 262282375
  Acct-Authentic = RADIUS
  Calling-Station-Id = 917410029
  Called-Station-Id = 917434000
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1


Example of acct STOP packet (I)
TAOS 9.x

Tue Ago 28 11:16:59 2001
    User-Name = user1_basico
    NAS-IP-Address = 192.168.10.1
    NAS-Port = 31
    Ascend-NAS-Port-Format = 2_4_5_5
    Service-Type = Framed-User
    NAS-Port-Type = Async
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Id = 262282375
    Acct-Authentic = RADIUS
    Acct-Session-Time = 74
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286
    Calling-Station-Id = 917410029
    Called-Station-Id = 917434000

Example of acct STOP packet (& II)
TAOS 9.x

    Ascend-Data-Rate = 31200
    Ascend-Xmit-Rate = 48000
    Ascend-Disconnect-Cause = 185
    Ascend-Connect-Progress = LAN-session-is-up
    Ascend-PreSession-Time = 0
    Ascend-First-Dest = 10.81.44.111
    Ascend-Pre-Input-Octets = 174
    Ascend-Pre-Output-Octets = 204
    Ascend-Pre-Input-Packets = 7
    Ascend-Pre-Output-Packets = 8
    Ascend-Modem-PortNo = 6
    Ascend-Modem-SlotNo = 2
    Ascend-Modem-ShelfNo = 1
    Framed-Protocol = PPP
    Framed-IP-Address = 91.87.84.19

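As an added illustration of how these accounting records get used (this is not part of the original slides), here is a Python reconciliation pass over detail-file records modelled on the START/STOP examples above: it pairs Start and Stop by Acct-Session-Id, checks Acct-Session-Time against the two timestamps after subtracting Acct-Delay-Time, and marks the sessions a NAS leaves open when it sends Accounting-On/Off. The log text, the second user and the Accounting-Off record are constructed.

```python
from datetime import datetime

# Constructed detail-file records in the layout of the slides (a timestamp line,
# then indented "Attribute = value" lines); the first two reuse the START/STOP values.
DETAIL_LOG = """\
Tue Aug 28 11:15:45 2001
    User-Name = user1_basic
    NAS-IP-Address = 192.168.10.1
    Acct-Status-Type = Start
    Acct-Session-Id = 262282375

Tue Aug 28 11:16:59 2001
    User-Name = user1_basic
    NAS-IP-Address = 192.168.10.1
    Acct-Status-Type = Stop
    Acct-Session-Id = 262282375
    Acct-Session-Time = 74
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286

Tue Aug 28 11:20:10 2001
    User-Name = user2
    NAS-IP-Address = 192.168.10.1
    Acct-Status-Type = Start
    Acct-Session-Id = 262282380

Tue Aug 28 11:30:00 2001
    NAS-IP-Address = 192.168.10.1
    Acct-Status-Type = Accounting-Off
    Acct-Delay-Time = 10
"""

def parse_detail(text):
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                    # an unindented line is a timestamp
            current = {"_time": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")}
            records.append(current)
        else:
            key, _, value = line.strip().partition(" = ")
            current[key] = value
    return records

def reconcile(records):
    """Pair Start/Stop by Acct-Session-Id, check Acct-Session-Time against the
    timestamps, and flag sessions whose NAS sent Accounting-On/Off (no Stop will come)."""
    sessions, findings = {}, []
    for rec in records:
        status = rec.get("Acct-Status-Type")
        # the NAS held the packet Acct-Delay-Time seconds, so the event was that much earlier
        event_time = rec["_time"].timestamp() - int(rec.get("Acct-Delay-Time", 0))
        if status in ("Accounting-On", "Accounting-Off"):
            for sid, s in sessions.items():
                if s["nas"] == rec["NAS-IP-Address"] and "stop" not in s:
                    s["orphaned"] = True
                    findings.append("%s: NAS %s sent %s, no Stop will follow" % (sid, s["nas"], status))
            continue
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, {"nas": rec["NAS-IP-Address"], "user": rec.get("User-Name")})
        if status == "Start":
            s["start"] = event_time
        elif status == "Stop":
            s["stop"] = event_time
            s["upstream"] = int(rec.get("Acct-Input-Octets", 0))    # bytes sent by the user
            s["downstream"] = int(rec.get("Acct-Output-Octets", 0)) # bytes received by the user
            reported = int(rec.get("Acct-Session-Time", 0))
            if "start" not in s:
                findings.append("%s: Stop without Start" % sid)
            elif abs((s["stop"] - s["start"]) - reported) > 2:      # allow a little rounding
                findings.append("%s: Acct-Session-Time %d disagrees with timestamps" % (sid, reported))
    return sessions, findings

def reconcile_sample():
    return reconcile(parse_detail(DETAIL_LOG))
```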
Message flow for a connection

Because of signalling, the NAS is aware it has an incoming call. Optionally, it asks the RADIUS server before taking the call off-hook (pre-auth):
  NAS -> RADIUS Server: Access-Request
  RADIUS Server -> NAS: Access-Accept
After taking the call off-hook, a "regular" auth packet is sent (User-Name/Password):
  NAS -> RADIUS Server: Access-Request
  RADIUS Server -> NAS: Access-Accept
The user successfully starts the session:
  NAS -> RADIUS Server: Accounting-Request (START)
  RADIUS Server -> NAS: Accounting-Response
Optionally, the NAS informs the server periodically that the session is still up:
  NAS -> RADIUS Server: Accounting-Request (INTERIM)
  RADIUS Server -> NAS: Accounting-Response
  NAS -> RADIUS Server: Accounting-Request (INTERIM)
  RADIUS Server -> NAS: Accounting-Response
The user hangs up:
  NAS -> RADIUS Server: Accounting-Request (STOP)
  RADIUS Server -> NAS: Accounting-Response
Accounting-Off example
RADIUS client (NAS) -> RADIUS server:
  Acct-Request (4) - ID=27
    NAS-IP-Address (4) = 192.168.20.2
    Acct-Status-Type (40) = Accounting-Off (8)
    Acct-Delay-Time (41) = 10
    Acct-Session-Id (44) = 891236709
RADIUS server -> RADIUS client (NAS):
  Acct-Response (5) - ID=27

An Accounting-Off packet MAY be sent when the NAS ends sending accounting packets for users, because of:
  a reset, or
  the RADIUS feature has been disabled
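Added example, not from the slides: the Accounting-Off packet above rebuilt in Python, together with the authenticator checks each side runs on it. RFC 2866 defines the Request Authenticator of an Accounting-Request as an MD5 over the packet with 16 zero octets in the authenticator field plus the shared secret, and the Response Authenticator as an MD5 over the response with the request's authenticator in place; a record whose authenticator does not verify is discarded rather than logged. The shared secret is a constructed placeholder.

```python
import hashlib
import hmac
import struct

# Constructed secret; in practice it comes from this NAS's entry in the clients file.
SHARED_SECRET = b"example-shared-secret"

def attr(atype, data):
    """One Type-Length-Value attribute; Length counts the 2-byte header as well."""
    return bytes([atype, 2 + len(data)]) + data

def build_accounting_request(ident, attributes, secret):
    """Accounting-Request (code 4). Its Request Authenticator is not random like the
    Access-Request one: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes

def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator before trusting the record. A
    mismatch means a wrong secret or a packet altered in transit; RFC 2866 says to
    discard it silently (the server MIB counts it under BadAuthenticators)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_accounting_response(request, secret):
    """Accounting-Response (code 5) echoing the request ID and carrying no attributes.
    Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", 5, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_accounting_response(response, request, secret):
    """Client side: the NAS checks the response the same way before clearing its
    pending request (the Acct Client MIB counts failures as BadAuthenticators)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def accounting_off_example():
    """Rebuild the slide's Accounting-Off packet (ID 27) and run both checks, plus
    two failure cases: a byte flipped in transit and a mismatched secret."""
    attributes = (
        attr(4, bytes([192, 168, 20, 2]))       # NAS-IP-Address
        + attr(40, struct.pack("!I", 8))        # Acct-Status-Type = Accounting-Off (8)
        + attr(41, struct.pack("!I", 10))       # Acct-Delay-Time = 10
        + attr(44, b"891236709")                # Acct-Session-Id
    )
    request = build_accounting_request(27, attributes, SHARED_SECRET)
    tampered = bytearray(request)
    tampered[37] ^= 0x01                        # last byte of Acct-Delay-Time (offset 20+6+6+5)
    response = build_accounting_response(request, SHARED_SECRET)
    return {
        "length": len(request),
        "request_ok": verify_accounting_request(request, SHARED_SECRET),
        "tampered_ok": verify_accounting_request(bytes(tampered), SHARED_SECRET),
        "wrong_secret_ok": verify_accounting_request(request, b"other-secret"),
        "response_code": response[0],
        "response_id": response[1],
        "response_ok": verify_accounting_response(response, request, SHARED_SECRET),
    }
```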
Files in the server
Clients
Contains information about the RADIUS clients
IP address or FQDN
Shared secret key
Optionally, type of NAS, to know what dictionary it uses

Dictionary
Definition of all RADIUS attributes and their numeric coding
In text format: a person can read and edit that file
Type of attribute: Text, String, Integer, IP Address, Date
Possible values for enumeration attributes

Dictionary
#Keyword   Attribute Name              Attr.Num  Attr.Type
ATTRIBUTE  User-Name                   1         string
ATTRIBUTE  Password                    2         string
ATTRIBUTE  CHAP-Password               3         string
ATTRIBUTE  NAS-IP-Address              4         ipaddr
...
# TAOS specific attributes (Ascend 0-255)
ATTRIBUTE  Ascend-IP-Pool-Chaining     85        integer   Ascend
ATTRIBUTE  Ascend-IP-TOS               87        integer   Ascend
ATTRIBUTE  Ascend-IP-TOS-Precedence    88        integer   Ascend
...
# RFC Attribute Values
VALUE      Service-Type   Login-User            1
VALUE      Service-Type   Framed-User           2
VALUE      Service-Type   Callback-Login-User   3
...
# Vendor codes
VENDOR     base           0
VENDOR     livingston     307
VENDOR     Ascend         529
VENDOR     Lucent1751     1751
Dictionary File Decoding
Service-Type = Framed-User

RADIUS Request (attribute bytes):
... | 6 | 6 | 0 | 0 | 0 | 2 | ...
      ^   ^   ^-------------^
      |   |   Attribute Value
      |   Attribute Length (in bytes)
      Attribute Number

RADIUS Dictionary:
ATTRIBUTE Service-Type 6 integer
VALUE Service-Type Framed-User 2

Dictionary VSAs
Example Dictionary entry:
# Name Number Type [Vendor] [(Modifiers)]

VENDOR Ascend 529

ATTRIBUTE Ascend-Send-Secret 214 string Ascend (asecret,hidden)

Encoding on the wire:
| Attr. Number = 26 | Total Attr. Length | Vendor ID = 529 | data |

where data = | VSA Attr. Number = 214 | VSA Attr. Length | VSA Attr. data |
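Added example (not part of the slides): a Python decoder that reads a dictionary in the format shown above and walks the Type-Length-Value list of a packet body, opening Vendor-Specific (26) into its Vendor-Id and sub-attributes exactly as the layout above lays them out. The dictionary excerpt and the packet bytes are constructed from the slides' values; an attribute whose Length runs past the payload is reported as malformed instead of being read past the buffer.

```python
import struct

# Constructed dictionary excerpt in the layout the slides show (not a vendor's
# real dictionary file); the numbers follow RFC 2865 and the slides above.
DICTIONARY_TEXT = """
#Keyword   Attribute Name       Attr.Num  Attr.Type  [Vendor]  [(Modifiers)]
ATTRIBUTE  NAS-IP-Address       4         ipaddr
ATTRIBUTE  Service-Type         6         integer
ATTRIBUTE  Ascend-IP-TOS        87        integer    Ascend
ATTRIBUTE  Ascend-Send-Secret   214       string     Ascend    (asecret,hidden)
VALUE      Service-Type         Framed-User   2
VENDOR     Ascend               529
"""

def parse_dictionary(text):
    """attrs[(vendor_id, number)] -> (name, type); values[(name, int)] -> label. Vendor 0 = RFC space."""
    attrs, values, vendors, pending = {}, {}, {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()        # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif fields[0] == "ATTRIBUTE":
            vendor = fields[4] if len(fields) > 4 and not fields[4].startswith("(") else None
            pending.append((fields[1], int(fields[2]), fields[3], vendor))
        elif fields[0] == "VALUE":
            values[(fields[1], int(fields[3]))] = fields[2]
    for name, number, typ, vendor in pending:         # VENDOR lines may appear last in the file
        attrs[(vendors[vendor] if vendor else 0, number)] = (name, typ)
    return attrs, values

def decode_value(typ, data, name, values):
    if typ in ("integer", "ipaddr") and len(data) != 4:
        raise ValueError("%s: %s needs 4 bytes, got %d" % (name, typ, len(data)))
    if typ == "integer":
        n = struct.unpack("!I", data)[0]
        return values.get((name, n), n)               # symbolic label when the dictionary has one
    if typ == "ipaddr":
        return ".".join(str(b) for b in data)
    return data.decode("latin-1")                     # string/text

def decode_attributes(payload, attrs, values, vendor_id=0):
    """Walk a Type-Length-Value list. Vendor-Specific (26) holds a 4-byte Vendor-Id
    followed by sub-attributes in the same TLV shape: recurse with that vendor's namespace."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):     # Length includes the 2-byte header
            raise ValueError("bad length %d for attribute %d at offset %d" % (alen, atype, pos))
        data = payload[pos + 2:pos + alen]
        if vendor_id == 0 and atype == 26:
            if len(data) < 6:
                raise ValueError("Vendor-Specific too short for a sub-attribute")
            out.extend(decode_attributes(data[4:], attrs, values, struct.unpack("!I", data[:4])[0]))
        else:
            name, typ = attrs.get((vendor_id, atype), ("Unknown-%d/%d" % (vendor_id, atype), "string"))
            out.append((name, decode_value(typ, data, name, values)))
        pos += alen
    return out

# Constructed packet body: the slide's Service-Type bytes (6 6 0 0 0 2), a NAS-IP-Address
# and an Ascend VSA (Vendor-Id 529 wrapping sub-attribute 87 = Ascend-IP-TOS).
SAMPLE_BODY = (
    bytes([6, 6, 0, 0, 0, 2])                                    # Service-Type = Framed-User
    + bytes([4, 6, 192, 168, 10, 1])                             # NAS-IP-Address
    + bytes([26, 12]) + (529).to_bytes(4, "big") + bytes([87, 6, 0, 0, 0, 5])  # Ascend-IP-TOS = 5
)

def decode_packet_body(body):
    """Decode with the constructed dictionary; malformed input yields None, which a
    server would count as MalformedRequests rather than crash on."""
    attrs, values = parse_dictionary(DICTIONARY_TEXT)
    try:
        return decode_attributes(body, attrs, values)
    except ValueError:
        return None
```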

Device configuration via RADIUS (I)
Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), have the capability of asking a RADIUS server about certain configuration parameters
This configuration is based on certain Pseudo-Users with pre-defined User-Names
The TAOS device will send an Access-Request (1) to the server with Service-Type=Outbound-User

Example of pseudo-users in TAOS:
  banner - To configure a message for Terminal Server
  pools-<device_name> - To define address pools for each device
  route-n - To define static routes and connections (Frame Relay, ATM, outgoing calls with PPP, etc.)

For other vendors, the pseudo-users may be different or even non-existent

Device configuration via RADIUS (II)
TAOS device -> RADIUS server:
  Access-Request (1) - ID=12
    User-Name (1) = "pools-TNT2"
    User-Password (3) = ascend
    NAS-IP-Address (4) = 192.168.20.2
    Service-Type (6) = Outbound-User (5)
RADIUS server -> TAOS device:
  Access-Accept (2) - ID=12
    Ascend-IP-Pool-Definition = "1 10.1.0.1 7"
    Ascend-IP-Pool-Definition = "2 10.2.0.1 48"

RADIUS extensions for NAS's
RFC 2882, 3576
Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), can receive RADIUS packets for reconfiguration of already connected users
In this case, the NAS can be considered as a server, as it receives requests and must send a response

The main actions a NAS may obey are:
  Disconnection of users
  Updating user filters on-the-fly

These instructions are coded using a special RADIUS packet code:
  40 & 41 | 42 = Disconnect-Request & ACK | NAK
  43 & 44 | 45 = Change-Filter-Request & ACK | NAK

The NAS should be listening for requests on UDP port 3799

Example to disconnect a user
RADIUS server -> RADIUS client (NAS):
  1.  Disconnect-Request (40) - ID=1
        User-Name (1) = pepe@terra
        Framed-IP-Address (8) = 193.168.1.2
        Acct-Session-Id (44) = 262282375
        NAS-IP-Address = 192.168.20.2
RADIUS client (NAS) -> RADIUS server, either:
  2.  Disconnect-Ack (41) - ID=1
or:
  2B. Disconnect-Nak (42) - ID=1
        Error-Cause (101) = Residual Session Context Removed (201)

NOTE: The RADIUS client should know which IP address it must send the request to. It will be different from the NAS-IP-Address if:
- the NAS-Id attribute is used
- there is a proxy RADIUS in between

SNMP MIBs for RADIUS
It is standardized that RADIUS servers and clients should offer some statistical information via SNMP
Defined in RFCs (the new ones also support IPv6):
          Auth   Acct
  Client  4668   4670
  Server  4669   4671
A proxy-RADIUS behaves at the same time as a server and a client: it should support both MIBs

The OIDs are a branch of MIB-2

All of the OIDs are read-only, as they are statistical data, except for the reset of counters

Auth Server MIB (I)
The SNMP agent must store statistics for every client, as well as the aggregate statistics

Index  Client Address  Client ID  Access Req  Duplic Req  Access Accept  Access Reject  .......
1      172.16.1.2      RAS1       27          1           25             2              ..
2      172.1.2.3                  12          0           9              3              .....
...                                                                                     ..
N      192.18.1.2      GGSN1      1098        19          1000           98
TOTAL                             5720        30          5520           200            ......

Serv Ident  Serv UpTime  Serv ResetTime
NR1         36010        600
Auth Server MIB (II)
RFC 2619

* Responses = AccessAccepts + AccessRejects + AccessChallenges
* Pending = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped - Responses
* entries logged = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped

(.1) Mib-2
  (.67) radiusMIB
    (.1) radiusAuthentication
      (.1) radiusAuthServMIB
        (.1) radiusAuthServMIBObjects
          (.1) radiusAuthServ
            (.1) radiusAuthServIdent [SnmpAdminString]
            (.2) radiusAuthServUpTime [TimeTicks]
            (.3) radiusAuthServResetTime [TimeTicks]
            (.4) radiusAuthServConfigReset [integer]
                 VALUES: {other(1), reset(2), initializing(3), running(4)}
            (.5) radiusAuthServTotalAccessRequests [Counter32]
            (.6) radiusAuthServTotalInvalidRequests [Counter32]
            (.7) radiusAuthServTotalDupAccessRequests [Counter32]
            (.8) radiusAuthServTotalAccessAccepts [Counter32]
            (.9) radiusAuthServTotalAccessRejects [Counter32]
            (.10) radiusAuthServTotalAccessChallenges [Counter32]
            (.11) radiusAuthServTotalMalformedAccessRequests [Counter32]
            (.12) radiusAuthServTotalBadAuthenticators [Counter32]
            (.13) radiusAuthServTotalPacketsDropped [Counter32]
            (.14) radiusAuthServTotalUnknownTypes [Counter32]

Auth Server MIB (III)
RFC 2619

(.67) radiusMIB
  (.1) radiusAuthentication
    (.1) radiusAuthServMIB
      (.1) radiusAuthServMIBObjects
        (.1) radiusAuthServ
          (.15) radiusAuthClientTable [Sequence]
            (.1) radiusAuthClientEntry [Entry]
              (.1) radiusAuthClientIndex [Integer32]
              (.2) radiusAuthClientAddress [IpAddress]
              (.3) radiusAuthClientID [SnmpAdminString]
              (.4) radiusAuthServAccessRequests [Counter32]
              (.5) radiusAuthServDupAccessRequests [Counter32]
              (.6) radiusAuthServAccessAccepts [Counter32]
              (.7) radiusAuthServAccessRejects [Counter32]
              (.8) radiusAuthServAccessChallenges [Counter32]
              (.9) radiusAuthServMalformedAccessRequests [Counter32]
              (.10) radiusAuthServBadAuthenticators [Counter32]
              (.11) radiusAuthServPacketsDropped [Counter32]
              (.12) radiusAuthServUnknownTypes [Counter32]
      (.2) radiusAuthServMIBConformance
        (.1) radiusAuthServMIBCompliances
        (.2) radiusAuthServMIBGroups

Acct Client MIB
RFC 2620

* Requests = Responses + PendingRequests + ClientTimeouts
* Successfully received = Responses - MalformedResponses - BadAuthenticators - UnknownTypes - PacketsDropped

(.67) radiusMIB
  (.2) radiusAccounting
    (.2) radiusAccClientMIB
      (.1) radiusAccClientMIBObjects
        (.1) radiusAccClient
          (.1) radiusAccClientInvalidServerAddresses [Counter32]
          (.2) radiusAccClientIdentifier [SnmpAdminString]
          (.3) radiusAccServerTable [Sequence]
            (.1) radiusAccServerEntry [Entry]
              (.1) radiusAccServerIndex [Integer32]
              (.2) radiusAccServerAddress [IpAddress]
              (.3) radiusAccClientServerPortNumber [Integer32]
              (.4) radiusAccClientRoundTripTime [TimeTicks]
              (.5) radiusAccClientRequests [Counter32]
              (.6) radiusAccClientRetransmissions [Counter32]
              (.7) radiusAccClientResponses [Counter32]
              (.8) radiusAccClientMalformedResponses [Counter32]
              (.9) radiusAccClientBadAuthenticators [Counter32]
              (.10) radiusAccClientPendingRequests [Gauge32]
              (.11) radiusAccClientTimeouts [Counter32]
              (.12) radiusAccClientUnknownTypes [Counter32]
              (.13) radiusAccClientPacketsDropped [Counter32]

List of standard attributes (I)

Access-  Access-  Access-  Access-  Acct-
Request  Accept   Reject   Chall.   Request  #    Attribute                     RFC's
0-1      0-1      0        0        0-1      1    User-Name                     2865, 2866
0-1      0        0        0        0        2    User-Password (*)             2865, 2866
0-1      0        0        0        0        3    CHAP-Password (*)             2865, 2866
0-1      0        0        0        0-1      4    NAS-IP-Address (**)           2865, 2866
0-1      0        0        0        0-1      5    NAS-Port (****)               2865, 2866
0-1      0-1      0        0        0-1      6    Service-Type                  2865, 2866
0-1      0-1      0        0        0-1      7    Framed-Protocol               2865, 2866
0-1      0-1      0        0        0-1      8    Framed-IP-Address             2865, 2866
0-1      0-1      0        0        0-1      9    Framed-IP-Netmask             2865, 2866
0        0-1      0        0        0-1      10   Framed-Routing                2865, 2866
0        0+       0        0        0+       11   Filter-Id                     2865, 2866
0-1      0-1      0        0        0-1      12   Framed-MTU                    2865, 2866
0+       0+       0        0        0+       13   Framed-Compression            2865, 2866
0+       0+       0        0        0+       14   Login-IP-Host                 2865, 2866
0        0-1      0        0        0-1      15   Login-Service                 2865, 2866
0        0-1      0        0        0-1      16   Login-TCP-Port                2865, 2866
0        0+       0+       0+       0        18   Reply-Message                 2865, 2866
0-1      0-1      0        0        0-1      19   Callback-Number               2865, 2866
0        0-1      0        0        0-1      20   Callback-Id                   2865, 2866
0        0+       0        0        0+       22   Framed-Route                  2865, 2866
0        0-1      0        0        0-1      23   Framed-IPX-Network            2865, 2866
0-1      0-1      0        0-1      0        24   State (*)                     2865, 2866
0        0+       0        0        0+       25   Class                         2865, 2866
0+       0+       0        0+       0+       26   Vendor-Specific               2865, 2866
0        0-1      0        0-1      0-1      27   Session-Timeout               2865, 2866
0        0-1      0        0-1      0-1      28   Idle-Timeout                  2865, 2866
0        0-1      0        0        0-1      29   Termination-Action            2865, 2866
0-1      0        0        0        0-1      30   Called-Station-Id             2865, 2866
0-1      0        0        0        0-1      31   Calling-Station-Id            2865, 2866
0-1      0        0        0        0-1      32   NAS-Identifier (**)           2865, 2866
0+       0+       0+       0+       0+       33   Proxy-State                   2865, 2866
0-1      0-1      0        0        0-1      34   Login-LAT-Service             2865, 2866
0-1      0-1      0        0        0-1      35   Login-LAT-Node                2865, 2866
0-1      0-1      0        0        0-1      36   Login-LAT-Group               2865, 2866
0        0-1      0        0        0-1      37   Framed-AppleTalk-Link         2865, 2866
0        0+       0        0        0-1      38   Framed-AppleTalk-Network      2865, 2866
0        0-1      0        0        0-1      39   Framed-AppleTalk-Zone         2865, 2866
0        0        0        0        1        40   Acct-Status-Type              2866
0        0        0        0        0-1      41   Acct-Delay-Time               2866

No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific ones.
(*) An Access-Request MUST contain either a User-Password or a CHAP-Password or State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password.
(**) An Access-Request and an Account-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both).

List of standard attributes (II)

Access-  Access-  Access-  Access-  Acct-
Request  Accept   Reject   Chall.   Request  #    Attribute                     RFC's
0        0        0        0        0-1      42   Acct-Input-Octets             2866
0        0        0        0        0-1      43   Acct-Output-Octets            2866
0-1      0-1      0        0        1        44   Acct-Session-Id               2866
0        0        0        0        0-1      45   Acct-Authentic                2866
0        0        0        0        0-1      46   Acct-Session-Time             2866
0        0        0        0        0-1      47   Acct-Input-Packets            2866
0        0        0        0        0-1      48   Acct-Output-Packets           2866
0        0        0        0        0-1      49   Acct-Terminate-Cause          2866
0        0        0        0        0+       50   Acct-Multi-Session-Id         2866
0        0        0        0        0+       51   Acct-Link-Count               2866
0        0        0        0        0-1      52   Acct-Input-Gigawords          2869
0        0        0        0        0-1      53   Acct-Output-Gigawords         2869
0        0        0        0        0-1      55   Event-Timestamp               2869
0+       0+       0        0        0+       56   Egress-VLANID                 4675
0-1      0-1      0        0        0-1      57   Ingress-Filters               4675
0+       0+       0        0        0+       58   Egress-VLAN-Name              4675
0        0-1      0        0        0        59   User-Priority-Table           4675
0-1      0        0        0        0        60   CHAP-Challenge                2865, 2866
0-1      0        0        0        0-1      61   NAS-Port-Type                 2865, 2866
0-1      0-1      0        0        0-1      62   Port-Limit                    2865, 2866
0-1      0-1      0        0        0-1      63   Login-LAT-Port                2865, 2866
0+       0+       0        0        0-1      64   Tunnel-Type                   2867, 2868
0+       0+       0        0        0-1      65   Tunnel-Medium-Type            2867, 2868
0+       0+       0        0        0-1      66   Tunnel-Client-Endpoint        2867, 2868
0+       0+       0        0        0-1      67   Tunnel-Server-Endpoint        2867, 2868
0        0+       0        0        0        69   Tunnel-Password               2867, 2868
0-1      0        0        0        0        70   ARAP-Password (***)           2869
0        0-1      0        0-1      0        71   ARAP-Features                 2869
0        0-1      0        0        0        72   ARAP-Zone-Access              2869
0-1      0        0        0-1      0        73   ARAP-Security                 2869
0+       0        0        0+       0        74   ARAP-Security-Data            2869
0        0        0-1      0        0        75   Password-Retry                2869
0        0        0        0-1      0        76   Prompt                        2869
0-1      0        0        0        0-1      77   Connect-Info                  2869
0        0+       0        0        0        78   Configuration-Token           2869
0+       0+       0+       0+       0        79   EAP-Message (***)             2869
0-1      0-1      0-1      0-1      0        80   Message-Authenticator (***)   2869
0+       0+       0        0        0-1      81   Tunnel-Private-Group-ID       2867, 2868
0        0+       0        0        0-1      82   Tunnel-Assignment-ID          2867, 2868
0+       0+       0        0        0        83   Tunnel-Preference             2867, 2868

(***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.

List of standard attributes (III)

Access-  Access-  Access-  Access-  Acct-
Request  Accept   Reject   Chall.   Request  #    Attribute                     RFC's
0        0-1      0        0-1      0        84   ARAP-Challenge-Response       2869
0        0-1      0        0        0        85   Acct-Interim-Interval         2869
0        0        0        0        0-1      86   Acct-Tunnel-Packets-Lost      2867
0-1      0        0        0        0-1      87   NAS-Port-Id (****)            2869
0        0-1      0        0                 88   Framed-Pool                   2869
0-1      0-1      0        0        0-1      89   Chargeable-User-Id            4372
0+       0+       0        0        0-1      90   Tunnel-Client-Auth-ID         2868
0+       0+       0        0        0-1      91   Tunnel-Server-Auth-ID         2868
0        0+       0        0        0+       92   Nas-Filter-Rule               4849
0-1      0        0        0        0-1      95   NAS-IPv6-Address              3162
0-1      0-1      0        0        0-1      96   Framed-Interface-Id           3162
0+       0+       0        0        0+       97   Framed-IPv6-Prefix            3162
0+       0+       0        0        0+       98   Login-IPv6-Host               3162
0        0+       0        0        0+       99   Framed-IPv6-Route             3162
0        0-1      0        0        0-1      100  Framed-IPv6-Pool              3162
0        0        0        0        0        101  Error-Cause (-)               3576
0-1      0        0        0        0        103  Digest-Response               4590
0-1      0        0        1        0        104  Digest-Realm                  4590
0-1      0        0        1        0        105  Digest-Nonce                  4590
0        0-1      0        0        0        106  Digest-Response-Auth          4590
0        0-1      0        0        0        107  Digest-Nextnonce              4590
0-1      0        0        0        0        108  Digest-Method                 4590
0-1      0        0        0        0        109  Digest-URI                    4590
0-1      0        0        0+       0        110  Digest-Qop                    4590
0-1      0        0        0-1      0        111  Digest-Algorithm              4590
0-1      0        0        0        0        112  Digest-Entity-Body-Hash       4590
0-1      0        0        0        0        113  Digest-CNonce                 4590
0-1      0        0        0        0        114  Digest-Nonce-Count            4590
0-1      0        0        0        0        115  Digest-Username               4590
0-1      0        0        0-1      0        116  Digest-Opaque                 4590
0+       0+       0        0+       0        117  Digest-Auth-Param             4590
0-1      0        0        0        0        118  Digest-AKA-Auts               4590
0        0        0        0+       0        119  Digest-Domain                 4590
0        0        0        0-1      0        120  Digest-Stale                  4590
0        0-1      0        0        0        121  Digest-HA1                    4590
0-1      0        0        0        0        122  SIP-AOR                       4590
0+       0+       0        0        0+       123  Delegated-IPv6-Prefix         4818

(****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.
(-) Can be included in packet type 42=Disconnect-Nak or 45=CoA-Nak.