RADIUS protocol
Module Objectives
Identify the elements and architecture of remote access to networks
Understand how the RADIUS protocol works
Get to know the attributes that control the different types of access technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc.)
How attributes and RADIUS packets are encoded, and the purpose of a dictionary
Cover the standard statistical information provided over SNMP
View the extensions added to the RADIUS protocol
2 | RADIUS protocol
Overview All Rights Reserved Alcatel-Lucent 2007
AAA
Authentication
Verify that a user really is who (s)he claims to be:
Password, token cards, calling number, X.509 digital certificate, SIM card, etc.
Authorization
Check that the user may access the service (s)he is trying to use:
Look up in a database, a file, etc. what the user is allowed to do, and restrict his/her access to the network accordingly
Accounting
Record what the user has done during the connection:
Connection time, bytes sent/received, access service, etc.
Used to get statistics about user accesses, billing, etc.
Switched connection diagram (figure): User -> Modem -> PSTN -> NAS/RAS at the ISP POP (Point of Presence) -> Router -> Internet (Web). The user runs PPP/IP to the NAS; the NAS is the RADIUS client of the RADIUS (AAA) server, which holds the user DB.
Different ways to do AAA
Local accounts in the NAS/RAS:
Only valid for a small number of users
Not valid if any user may connect to any NAS: we would have to provision all users in all NASs
RADIUS: Basic Principles
RADIUS is not the server itself, but the protocol used to exchange the AAA information
Protocol to communicate between:
a RADIUS client, typically the NAS (= Network Access Server)
a remote AAA server
Adopted by all vendors of access devices, as almost the only standard for AAA
RADIUS stands for: Remote Authentication Dial-In User Service
Authentication Data Flow (figure)
Bob dials in (UserID: bob, Password: ge55gep) and the NAS sends an Access-Request to the RADIUS server: User-Name: bob, Password: ge55gep, NAS-IP: 207.12.4.1
The RADIUS server selects UserID=bob from the users database and gets back password=ge55gep, Timeout = 3600, [other attributes]
The server answers with an Access-Accept: Framed-IP-Address=217.213.21.5, Session-Timeout=3600, [other attributes]
The NAS applies those attributes to the PPP session that carries the user to the Internet
Authentication process in the server (I)
1.- Decode the user's password (it travels encrypted), using the "shared secret key" known both by client and server
Authentication process in the server (& II)
4.- Optionally, check extra data (check-items):
Type of connection (POTS, ISDN, ADSL, cable, UMTS, etc.)
Time of day
Calling number, called number
etc.
5.- Send Accept/Reject to the NAS with the right attributes for this user session (reply-items):
Idle and session timeout
IP filters for this user
Indication of the IP address to assign to the user
For ISDN, max. number of channels to bond together (MLPPP)
etc.
Communication UDP ports
RADIUS clients can send requests from any source UDP port they have available; the RFCs do not limit it
All requests need not come from the same port, and usually don't
Though NASs can be configured to send all requests with the same source UDP port
Only advisable for firewall restrictions
Why UDP?
RADIUS does not need the retransmission feature provided by TCP
If the client doesn't get an answer, it sends the request again, to a secondary server
The response to a retransmitted TCP request could arrive too late
PPP overview and traditional authentication methods
The Point-to-Point Protocol (PPP) allows carrying several protocols above its headers
The establishment of the PPP link requires certain handshaking:
LCP - Link Control Protocol messages: to negotiate MLPPP, the MTU and the authentication protocol to use with the user
Authentication - depends on the protocol negotiated: PAP, CHAP, MS-CHAPv2, EAP
During this stage, the RADIUS server is contacted by the NAS
NCP - Network Control Protocol, to negotiate extra parameters:
IPCP, the IP address assigned to the user
CCP, if the data is going to be compressed
ECP, if the data is going to be encrypted
Password Authentication Protocol (PAP)
The password travels in the clear (unencrypted)
The password can be stored hashed in the RADIUS server
The user's credentials are verified only once, at the beginning of the connection
PPP exchange (figure): on Access-Accept the NAS answers PAP-Auth-Success #1 (Message="00"); on Access-Reject, PAP-Auth-Failure #1 (Message="Incorrect Password")
Challenge Handshake Authentication Protocol (CHAP)
The user password is hashed using MD5 together with a random challenge generated by the NAS (PPP responder)
The password cannot be stored hashed in the RADIUS server
Optionally, the user can be authenticated several times during the lifetime of the session
PPP exchange (figure), between the responder (NAS) and the initiator (user), then on to the RADIUS server:
CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value= 0c7d203....a8, Name= tnt2)
CHAP-Auth-Response #1 (Chall. Length=16, Challenge Value= 016b89....91, Name= john)
Access-Request: User-Name=john, CHAP-Password=016b89..91, [CHAP-Challenge*=0c7d203...a8]
LCP negotiation preceding it (figure): Config-Request #1 (MRU=1524, auth=PAP, ...) from the initiator, Config-Ack #2 (MRU=1524, auth=PAP, ...) from the authenticator
The user password can only be hashed once (MD5, SHA1, etc.), either at database storage or when the user transmits it, as the hash algorithms are not reversible
However, passwords can be stored encrypted (3DES, AES, ...)
Table row fragment: CHAP, EAP-MD5, ... {Chap-Password(3), ...}: OK / X
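The following Python example is added here and is not part of the course slides; it shows the server-side check behind the two bullets above: with PAP the server can keep only a salted hash of the password, while CHAP forces it to recompute MD5(ident | password | challenge) from the clear-text password, using the 17-byte CHAP-Password attribute (CHAP ident followed by the 16-byte response). The credentials, challenge and helper names are constructed for the example.

```python
"""PAP versus CHAP verification on the RADIUS server side, and what each needs stored."""
import hashlib
import hmac
import os

# Constructed credential for the example (the password shown in the data-flow slide).
USER_PASSWORD = "ge55gep"


def pap_store(password: str) -> bytes:
    """PAP: the password arrives in clear, so the server can keep only a salted slow hash."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def pap_verify(record: bytes, password: str) -> bool:
    """Recompute the salted hash of the presented password and compare in constant time."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """What the PPP peer sends: CHAP ident followed by MD5(ident | password | challenge).
    The NAS forwards exactly these 17 bytes as the CHAP-Password attribute (RFC 2865 section 5.3)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, cleartext_password: str) -> bool:
    """Server side: the hash can only be recomputed from the clear password, so the user
    database must hold it in clear or reversibly encrypted, never as a one-way hash."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = hashlib.md5(bytes([ident]) + cleartext_password.encode() + challenge).digest()
    return hmac.compare_digest(response, expected)


def demo() -> dict:
    """Run both checks with good and bad inputs; the challenge is generated per authentication, as the NAS does."""
    record = pap_store(USER_PASSWORD)
    challenge = os.urandom(16)
    chap_password = chap_response(1, USER_PASSWORD, challenge)
    return {
        "pap_ok": pap_verify(record, USER_PASSWORD),
        "pap_wrong": pap_verify(record, "wrong"),
        "chap_ok": chap_verify(chap_password, challenge, USER_PASSWORD),
        "chap_wrong_password": chap_verify(chap_password, challenge, "wrong"),
        # an old response is useless against a fresh challenge: that is what the challenge buys
        "chap_old_response_new_challenge": chap_verify(chap_password, os.urandom(16), USER_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last entry shows why CHAP may be repeated during the session: every challenge produces a different response, so a captured response does not serve again.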
RADIUS packet format
Bytes   Field
1-4     Code (Type), Identifier, Length (1 + 1 + 2 bytes)
5-20    Authenticator
21-...  Attributes
Packet types (RFC 2865):
Access-Reject (3) - Response from server to NAS rejecting the user session
Access-Challenge (11) - Request from server to NAS, asking for additional info from the user; used in token/crypto cards, and for EAP
Accounting-Request (4) - The NAS sends accounting information to the server
Accounting-Response (5) - The server ACKs the acct packet to the NAS
Authenticator field in auth (figure)
Access-Request (PAP): the client generates a random number as the Authenticator field, hashes it with MD5 together with the shared key, and XORs the result with the clear-text PAP password to produce the User-Password attribute. The server computes the same MD5 of shared key and Authenticator field and XORs it with User-Password to recover the clear password.
Accounting-Request: the client hashes with MD5 the acct packet (with the authenticator field filled with zeros) plus the shared key, and places the result in the Authenticator field. The server recomputes the same MD5; if it matches, the client is authenticated, otherwise the packet is discarded.
Accounting-Response: the server hashes with MD5 the acct response packet (with the Request Authenticator in the authenticator field) plus the shared key. The client recomputes it with the Request Authenticator it sent; if it matches, the response is authenticated, otherwise the packet is discarded.
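As an added example (not code from the slides), the accounting half of the figure above in Python: the Request Authenticator of an Accounting-Request is MD5 over the packet with the authenticator field zeroed plus the shared secret, and the Response Authenticator is MD5 over the response with the Request Authenticator in place plus the shared secret, which binds the response to that request. The shared secret, identifiers and attribute values are constructed here; the Acct-Session-Id value is the one shown in the UMTS slide. An Access-Request's Request Authenticator is random, so the server has no such check on it.

```python
"""Request/Response Authenticator computation and checks for RADIUS accounting (RFC 2866, RFC 2865 section 3)."""
import hashlib
import hmac
import struct

SHARED_SECRET = b"example-shared-secret"   # constructed; never a real deployment value
ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # packet codes


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (length covers the two header bytes)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request: authenticator = MD5(Code | ID | Length | 16 zero bytes | Attributes | Secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute with the authenticator field zeroed and compare in constant time."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def build_response(request: bytes, code: int, attrs: bytes, secret: bytes) -> bytes:
    """Any response: authenticator = MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the response must carry our Identifier and be bound to our Request Authenticator."""
    if response[1] != request[1]:
        return False
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Build a Start packet and its response, then show which forgeries the checks catch."""
    start = (attr(40, struct.pack("!I", 1))            # Acct-Status-Type = Start
             + attr(44, b"646704d51e069701")           # Acct-Session-Id (value from the UMTS slide)
             + attr(4, bytes([192, 168, 20, 2]))        # NAS-IP-Address (constructed)
             + attr(1, b"bob"))                         # User-Name (constructed), last 3 bytes of the packet
    request = build_acct_request(27, start, SHARED_SECRET)
    response = build_response(request, ACCT_RESPONSE, b"", SHARED_SECRET)
    modified = request[:-3] + b"eve"                    # User-Name changed in transit: must be detected
    other_request = build_acct_request(28, start, SHARED_SECRET)
    return {
        "request_ok": verify_acct_request(request, SHARED_SECRET),
        "request_wrong_secret": verify_acct_request(request, b"other-secret"),
        "request_modified": verify_acct_request(modified, SHARED_SECRET),
        "response_ok": verify_response(response, request, SHARED_SECRET),
        "response_for_other_request": verify_response(response, other_request, SHARED_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The accounting check only proves that the sender knows the shared secret; it is MD5-based and not a replay protection, which is why a server also keys its state on Identifier and Acct-Session-Id.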
ADSL example (figure): the ADSL line enters a DSLAM, which carries the user's PPPoA over ATM to the BRAS (RADIUS client); the BRAS talks over IP to the RADIUS server.
Access-Accept (2) - ID=1
Service-Type = Framed-User
Framed-Protocol = PPP
Ascend-Source-IP-Check = Source-IP-Check-Yes
Ascend-IP-Source-If = "sip100"
Framed-Pool = 1
Filter-Id = Foo
Ascend-Filter-Required = Required-Yes
Example of an UMTS/GPRS connection
The APN is sent in Called-Station-Id. It is used for the user to select the GGSN.
Path (figure): Node B -> RNC -> SGSN -> GGSN (RADIUS client) -> RADIUS server over IP
Access-Request (1) - ID=1
NAS-Identifier (32) = "B-CER1N-GGSN2"
User-Name (1) = "WAPTM"
User-Password (2) = "o\009KF\020#\145+\146f"
NAS-Port-Type (61) = Virtual (5)
Calling-Station-Id (31) = "34679912214"
Called-Station-Id (30) = "wap.movistar.es"
Acct-Session-Id (44) = "646704d51e069701"
Access-Accept (2) - ID=1
Service-Type (6) = Framed (2)
Framed-Protocol (7) = PPP (1)
Framed-IP-Address (8) = 10.11.12.13
Framed-IP-Netmask (9) = 255.255.255.255
Session-Timeout (27) = 7200
Idle-Timeout (28) = 3600
Example for CDMA2000 1xEVDO (HRPD)
AN-AAA (A12 interface)
The A12 interface (AN AAA) is used:
to perform access authentication (with CHAP) of the AT device by the AN
The User-Name is the IMSI of the SIM card (MCC, MNC, MN_ID)
to return the MN ID (e.g. IMSI) that is used on the A8/A9 and A10/A11 interfaces
This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and cdma2000 systems.
Network elements (figure, IS-878): AT (Access Terminal) - BS (Base Station) - RNC/PCF (BS Controller) - PDSN (Packet Data Serving Node), with the A8/A9 and A10/A11 interfaces between PCF and PDSN; PPP runs between AT and PDSN.
Access-Request
User-Name = 260071234567890@cdma1.com
CHAP-Password = "\0011\266\303"
CHAP-Challenge = "e\241\\000
NAS-IP-Address = 192.168.20.2
3GPP2-HRPD-Access-Authentication = True
3GPP2-AT-Hardware-Id = 0129012
Access-Accept (2)
Callback-Id (20) = 0260071234567890
Example for CDMA2000 1xEVDO (HRPD)
PDSN-AAA for Simple IP
The PDSN is the classical PPP server
The AAA server might return one IPv4 and/or one IPv6 address for the user to choose, or the PDSN will select it from a local pool
New Access-Requests are sent when the AT hands off between PCFs
They are correlated to the current session with the 3GPP2-Correlation-Id AVP
Network elements (figure, IS-835): AT (Access Terminal) - BS (Base Station) - RNC/PCF (BS Controller) - PDSN (Packet Data Serving Node), A10/A11 between PCF and PDSN; PPP runs between AT and PDSN.
Access-Request
User-Name = john@cdma1.com
CHAP-Password = "\0011\266\303"
CHAP-Challenge = "e\241\\000
NAS-IP-Address = 192.168.30.3
NAS-Port-Type = Wireless-1X-EV
3GPP2-Correlation-Id = 1234
Calling-Station-Id = 0260071234567890
Access-Accept
[Framed-IP-Address = 10.1.2.3]
Session-Timeout = 7200
Example of pre-auth followed by PPP negotiation
The pre-auth is done before the NAS takes the call off-hook
Requires ISDN signalling (Q.931) or SS7 with a Softswitch (MGC)
Setup (figure): the caller on the PSTN reaches the NAS, which queries the RADIUS server over IP; the bank system has an X.25 network reached through a PAD.
Access-Request (1) - ID=10
User-Name (1) = "090"
User-Password (2) = Ascend-DNIS
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 20
NAS-Port-Type (61) = Async (0)
Service-Type (6) = Call-Check (10)
Called-Station-Id (30) = 090
Calling-Station-Id (31) = 918078419
Access-Accept (2) - ID=10
User-Name = "PoS",
Service-Type = Login,
Login-Service = TCP-clear,
Login-IP-Host = 192.168.20.4,
Login-TCP-Port = 8419
Ascend-AT-Answer-String = "&t4s18=15+MS=1&g2S220=11S221=50S10=3"
Example of proxy-radius (figure)
An IPsec client (Lucent Brick) authenticates the user with X-auth in IKE against the IPsec server; the RADIUS client (LSMS, 135.88.101.111) forwards the request to the RADIUS server at 135.88.101.91.
Access-Accept (2) - ID=150
Session-Timeout (27) = 86400
Idle-Timeout (28) = 3600
[Connect-Info (77)] = user_group1
[Framed-IP-Address (8) = 135.88.101.222]
Authentication for device administration
Example with Lucent TAOS
Setup (figure): an administrator telnets from 1.2.3.4 to the TNT2, which sends the Access-Request over IP to the RADIUS server.
Access-Request (1) - ID=10
User-Name (1) = "amdinuser"
User-Password (2) = 5E%&gn)8
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 0
NAS-Port-Type (61) = Virtual (5)
Service-Type (6) = Administrative (6)
[Calling-Station-Id = 1.2.3.4]
Access-Accept (2) - ID=10
Service-Type (6) = Administrative (6)
Ascend-Telnet-Profile (26->529:91) = Admin
Example of failed authentication: Crypto-Card (Challenge-Response)
Sequence (figure): the user calls over the PSTN; the NAS talks over IP to the RADIUS server, which talks to the Token Card Server with a proprietary protocol.
1 - Access-Request (1) - ID=2
User-Name (1) = "mycard"
User-Password (2) =
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 27
2, 3 - The RADIUS server obtains a challenge from the Token Card Server (proprietary protocol)
4 - Access-Challenge (11) - ID=2
Reply-Message (18) = Challenge:12345678
State (24) = 13579
Prompt (76) = Echo (1)
Session-Timeout (27) = 120
5 - The user is shown "Challenge: 12345678"
6 - Response: 24058419
7 - Access-Request (1) - ID=3
User-Name (1) = "mycard"
User-Password (2) = 24058419
NAS-IP-Address (4) = 192.168.20.2
NAS-Port (5) = 27
State (24) = 13579
8 - Access-Reject (3) - ID=3
Reply-Message (18) = Invalid Credentials
Digest Authentication for HTTP/SIP (I)
Example to authenticate & authorize every VoIP call (INVITE); the authentication could also be done only during registration (RFC 4590)
INVITE
From: <sip:123@example.com>
To: <sip:987@example.com>
Proxy-Authorization: Digest
- username="123",
- realm="example.com",
- response="f3c97a4",
- nonce="3bada1a0",
- uri="sip:987@example.com",
- qop=auth,
- algorithm=MD5
Access-Request
User-Name = 123
NAS-IP-Address = 192.0.2.38
NAS-Port-Type = Virtual
Digest-Method = INVITE
Digest-URI = sip:987@example.com
SIP-AOR = sip:123@example.com
Digest-Username = 123
Digest-Realm = example.com
Digest-Response = f3c97a4
Digest-Cnonce = 0a7e75c4
Digest-Nonce-Count = 1
Digest-Algorithm = md5
Digest-Nonce = 3bada1a0
Access-Accept
Digest-Response-Auth = 63e954
Digest-Nextnonce = fd0a8765
Message-Authenticator = 75aaf1
[State = 27]
NOTE: The next authentication for this user could save a round-trip if the RADIUS client uses the Digest-
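Added example (not from the slides): how a RADIUS server verifies the Digest-* attributes of an Access-Request like the one above and produces Digest-Response-Auth for the Access-Accept, following the RFC 2617 formulas with qop=auth. The password and the password_lookup helper are constructed (the slide does not show the user's password); nonce, cnonce, URI and realm values are taken from the slide, and Digest-Nonce-Count is written as the 8-digit nc value the attribute actually carries rather than the abbreviated "1" of the slide.

```python
"""Verify a SIP Digest credential carried in RADIUS Digest-* attributes (RFC 4590) and compute Digest-Response-Auth."""
import hashlib
import hmac

# Constructed user database: (username, realm) -> clear password. Digest needs HA1 at least,
# so, like CHAP, it cannot be verified from a one-way hash of the password.
USERS = {("123", "example.com"): "constructed-password"}


def md5hex(*parts: str) -> str:
    """MD5 of the colon-joined parts, as a lowercase hex string (the Digest convention)."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = md5hex(username, realm, password)
    ha2 = md5hex(method, uri)
    return md5hex(ha1, nonce, nc, cnonce, qop, ha2)


def password_lookup(username: str, realm: str):
    """Constructed stand-in for the server's user database query."""
    return USERS.get((username, realm))


def verify_access_request(attrs: dict, lookup=password_lookup):
    """Return the Digest attributes for an Access-Accept, or None when the credential does not verify."""
    user, realm = attrs["Digest-Username"], attrs["Digest-Realm"]
    password = lookup(user, realm)
    if password is None:
        return None
    qop = attrs.get("Digest-Qop", "auth")
    expected = digest_response(user, realm, password, attrs["Digest-Method"], attrs["Digest-URI"],
                               attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"], qop)
    if not hmac.compare_digest(expected, attrs["Digest-Response"].lower()):
        return None
    # Digest-Response-Auth (rspauth) lets the SIP client authenticate the server:
    # same formula, but HA2 is MD5(":" + uri), i.e. the method is empty.
    ha1 = md5hex(user, realm, password)
    rspauth = md5hex(ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"], attrs["Digest-CNonce"], qop,
                     md5hex("", attrs["Digest-URI"]))
    return {"Digest-Response-Auth": rspauth}


def build_request(response: str) -> dict:
    """Access-Request attributes as on the slide, with a caller-supplied Digest-Response."""
    return {"Digest-Username": "123", "Digest-Realm": "example.com", "Digest-Method": "INVITE",
            "Digest-URI": "sip:987@example.com", "Digest-Nonce": "3bada1a0", "Digest-Nonce-Count": "00000001",
            "Digest-CNonce": "0a7e75c4", "Digest-Qop": "auth", "Digest-Algorithm": "MD5",
            "Digest-Response": response}


def demo():
    """Good credential, wrong credential, and a good credential presented with a different nonce count."""
    good = digest_response("123", "example.com", "constructed-password", "INVITE",
                           "sip:987@example.com", "3bada1a0", "00000001", "0a7e75c4")
    accept = verify_access_request(build_request(good))
    reject = verify_access_request(build_request("0" * 32))
    reused = verify_access_request(dict(build_request(good), **{"Digest-Nonce-Count": "00000002"}))
    return accept, reject, reused


if __name__ == "__main__":
    print(demo())
```

Because nc and nonce enter the hash, a response computed for one (nonce, nc) pair does not verify for another; the server still has to track which nonce counts it has already seen, since the formula alone cannot tell a first use from a repeat.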
Main attributes (I) (RFC 2865)
Attribute layout: 1 byte attribute ID, 1 byte attribute length, then the attribute value (length - 2 bytes)
User-Name (1) -
Mandatory in Access-Request & Acct-Request
The server may send it back in the Access-Accept, so that the NAS sends this new User-Name in Acct-Request packets
Main attributes (II) (RFC 2865)
CHAP-Challenge (60) - Challenge sent from the NAS to the user for CHAP authentication
Optionally, this CHAP challenge can be sent in the authenticator field
NAS-IP-Address (4) - IP address of the RADIUS client
NAS-Port (5) - Physical port (modem) in the NAS processing the connection
If there is no physical modem, this number is virtual (a sequence number)
Service-Type (6) - Type of service the user is requesting (Access-Request), or (s)he is allowed to have (Access-Accept):
Login (1): the user is doing a telnet (TCP connection) to a host
Framed (2): usually, a PPP session with an IP address
Callback Login (3), Callback Framed (4)
Administrative (6): to manage a NAS via telnet
Call-Check (10): for pre-authentication
Main attributes (III) (RFC 2865)
Framed-Protocol (7): when Service-Type=Framed
PPP (1), SLIP (2), etc.
Login-IP-Host (14): in the Access-Accept the server tells the NAS the IP address of the host to establish a TCP connection to
Used when Service-Type=Login
Login-Service (15): when Service-Type=Login
Telnet (0), Rlogin (1), TCP Clear (2), etc.
Reply-Message (18)
For an Access-Challenge, the message to show to the user
For an Access-Reject, may contain the cause for rejecting the connection
Main attributes (V)
Vendor-Specific (26) layout: 1 byte attribute ID (26), 1 byte length, 4 bytes Vendor ID, then one or more vendor attributes, each with 1 byte VSA ID, 1 (or 2) bytes VSA length and the VSA value: VSA1 ID, VSA1 Length, VSA1 Value, VSA2 ID, VSA2 Length, VSA2 Value, ...
Main attributes (& VI)
NAS-Id (32) - Alternative to the NAS-IP-Address attribute to identify the NAS sending the requests
Proxy-State (33) - May be used when a server is acting as proxy-RADIUS. The NAS never receives this attribute
NAS-Port-Type (61) -
Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4), ... Mobile
Port-Limit (62) - To limit the max. number of calls that can be bonded together with MP (Multilink Protocol), or of concurrent sessions with the same User-Name
Protocol enhancement: RFCs 2867->2869
In RFCs 2867 and 2868 new attributes are defined for tunneled connections (mainly L2TP)
RFC 2869 defines some general user attributes:
Prompt (76) - In a Challenge-Response, to tell the NAS whether it has to echo the user response
Connect-Info (77) - May show info about the user connection and speed. The format is NAS/vendor dependent:
E.g.: "28800 V42BIS/LAPM", "52000/31200 V90", "9600 V110/ISDN"
Acct-Interim-Interval (85) - The RADIUS server can order the NAS to send Interim acct packets with a certain periodicity
Framed-Pool (88) - In the Access-Accept, to tell the NAS what pool to use for user IP address assignment -> this pool must be defined locally in the NAS
Packet coding
Example Access-Request, 56 bytes (hex dump, then the decoded fields):
01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb
98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d
93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8
01 10 05 06 00 00 00 03
Message Type = Access-Request (1): 01
Packet ID = 1: 01
Length = 56: 00 38
Request Authenticator (16 bytes): 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a
Attrib ID = User-Name (1), Length = 6, Value = nemo: 01 06 6e 65 6d 6f
Attrib ID = User-Password (2), Length = 18, Value = password encrypted using the authenticator field: 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee
Attrib ID = NAS-IP-Address (4), Length = 6, Value = 192.168.1.16: 04 06 c0 a8 01 10
Attrib ID = NAS-Port (5), Length = 6, Value = 3: 05 06 00 00 00 03
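Added example, not code from the slides: a Python decoder for the dump above. It splits the header and the attribute TLVs, and unhides User-Password with the RFC 2865 section 5.2 scheme described in the "Authentication process in the server" and "Authenticator field" slides (MD5 of shared secret and Request Authenticator, XORed block by block, each further block keyed by the previous hidden block). The bytes are those printed on the slide, which are the same packet as the example in RFC 2865 section 7.1; that example's shared secret, "xyzzy5461", is not printed on the slide and is taken from the RFC. hide_password is included so the round trip can be checked with a constructed secret.

```python
"""Decode the Access-Request of the packet-coding slide and unhide its User-Password (RFC 2865 section 5.2)."""
import hashlib
import ipaddress
import struct

# Bytes exactly as printed on the slide (same packet as RFC 2865 section 7.1).
PACKET_HEX = (
    "01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb "
    "98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d "
    "93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 "
    "01 10 05 06 00 00 00 03"
)
RFC_EXAMPLE_SECRET = b"xyzzy5461"   # shared secret of the RFC 2865 section 7 examples, not on the slide


def parse_packet(raw: bytes):
    """Split Code | Identifier | Length | Authenticator | attribute TLVs; reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field inconsistent with datagram")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, raw[4:20], attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to 16-byte blocks; block i is XORed with MD5(secret | previous hidden block),
    block 0 with MD5(secret | Request Authenticator)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream; the chaining value is the received (hidden) block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def decode_access_request(raw: bytes, secret: bytes) -> dict:
    """Return the header fields and the four attributes used in the slide's packet."""
    code, ident, length, authenticator, attrs = parse_packet(raw)
    fields = {"code": code, "id": ident, "length": length}
    for atype, value in attrs:
        if atype == 1:
            fields["User-Name"] = value.decode()
        elif atype == 2:
            fields["User-Password"] = unhide_password(value, secret, authenticator).decode()
        elif atype == 4:
            fields["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == 5:
            fields["NAS-Port"] = struct.unpack("!I", value)[0]
    return fields


def round_trip(password: bytes, secret: bytes = b"constructed-secret") -> bool:
    """Check that hide and unhide agree, with a fixed (constructed) authenticator so the check is repeatable."""
    auth = hashlib.md5(b"constructed-authenticator").digest()
    return unhide_password(hide_password(password, secret, auth), secret, auth) == password


if __name__ == "__main__":
    print(decode_access_request(bytes.fromhex(PACKET_HEX), RFC_EXAMPLE_SECRET))
```

The length checks in parse_packet matter on a server: the Length field and each attribute length come from the peer, and an implementation that trusts them reads past the datagram.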
Accounting special attributes (I)
Acct-Status-Type (40) - Type of accounting packet:
Start (1), Stop (2), Interim-Update (3), etc.
Accounting-On (7), Accounting-Off (8):
The NAS is going to be / has been rebooted and won't send the Stop packets of the users connected at that moment
Accounting special attributes (& II)
Acct-Session-Id (44) - Identifies a session uniquely within the NAS
This attribute may also be sent in the Access-Request packet (auth)
The value must be the same in Start, Stop and Interim (and in auth)
Acct-Session-Time (46) - How long (in seconds) the user was connected (Stop), or has been connected up to the moment (Interim)
Acct-Terminate-Cause (49) - General cause:
User Request (1), Lost Carrier (2), Idle Timeout (4), Callback (16)
Example of acct STOP packet (& II)
TAOS 9.x
Ascend-Data-Rate == 31200
Ascend-Xmit-Rate == 48000
Ascend-Disconnect-Cause == 185
Ascend-Connect-Progress == LAN-session-is-up
Ascend-PreSession-Time == 00
Ascend-First-Dest == 10.81.44.111
Ascend-Pre-Input-Octets == 174
Ascend-Pre-Output-Octets == 204
Ascend-Pre-Input-Packets == 77
Ascend-Pre-Output-Packets == 88
Ascend-Modem-PortNo == 66
Ascend-Modem-SlotNo == 22
Ascend-Modem-ShelfNo == 11
Framed-Protocol == PPP
Framed-IP-Address == 91.87.84.19
Message flow for a connection (figure: PSTN - NAS - RADIUS server)
Access-Request / Access-Accept: because of signalling the NAS is aware it has an incoming call. Optionally, it asks the RADIUS server before taking the call off-hook (pre-auth)
Access-Request / Access-Accept: after taking the call off-hook, a "regular" auth packet is sent (User-Name/Password)
Accounting-Request (START) / Accounting-Response: the user successfully starts the session
Accounting-Request (INTERIM) / Accounting-Response, repeated: optionally, the NAS informs the server periodically that the session is still up
Accounting-Request (STOP) / Accounting-Response: the user hangs up
Accounting-Off example (figure: NAS = RADIUS client, RADIUS server, over IP)
Acct-Request (4) - ID=27
NAS-IP-Address (4) = 192.168.20.2
Acct-Status-Type (40) = Accounting-Off (8)
Acct-Delay-Time (41) = 10
Acct-Session-Id (44) = 891236709
Acct-Response (5) - ID=27
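Added example (not from the slides): a small session tracker in Python showing what an accounting server must do with the packet above and with the Start/Interim/Stop flow of the previous slides. Start, Interim and Stop update or close one session keyed by NAS-IP-Address and Acct-Session-Id; Accounting-On/Off closes every session still open for that NAS, since no Stop will ever come for them; Acct-Delay-Time is subtracted from the receive time to date the event. The attribute dictionaries, user names and timestamps are constructed; the NAS address, Acct-Session-Id and Acct-Delay-Time values are those of the slide.

```python
"""Track NAS sessions from Accounting-Request packets, including the Accounting-On/Off case where Stop packets never arrive."""
from dataclasses import dataclass
from typing import Optional

START, STOP, INTERIM, ACCT_ON, ACCT_OFF = 1, 2, 3, 7, 8   # Acct-Status-Type values from the slides


@dataclass
class Session:
    nas_ip: str
    session_id: str
    user: str
    started_at: int
    last_seen: int
    input_octets: int = 0
    output_octets: int = 0
    session_time: Optional[int] = None
    terminate_cause: Optional[str] = None


class AccountingTracker:
    def __init__(self):
        self.open = {}      # (NAS-IP-Address, Acct-Session-Id) -> Session
        self.closed = []    # finished sessions, in closing order

    def handle(self, received_at: int, attrs: dict) -> None:
        """attrs is the decoded attribute set of one Accounting-Request (constructed dicts in the demo).
        Acct-Delay-Time says how long the NAS held the packet, so the event happened that much earlier."""
        event_time = received_at - attrs.get("Acct-Delay-Time", 0)
        nas = attrs["NAS-IP-Address"]
        status = attrs["Acct-Status-Type"]
        if status in (ACCT_ON, ACCT_OFF):
            # The NAS is rebooting or has rebooted: every session it still had open is gone and
            # no Stop will ever arrive for it, so close them all with a synthetic cause.
            for key in [k for k in self.open if k[0] == nas]:
                self._close(key, event_time, "NAS-Reboot")
            return
        key = (nas, attrs["Acct-Session-Id"])
        if status == START:
            self.open.setdefault(key, Session(nas, key[1], attrs["User-Name"], event_time, event_time))
        elif status == INTERIM:
            s = self.open.get(key)
            if s is None:   # the Start was lost: rebuild the session from the interim so it is still billed
                started = event_time - attrs.get("Acct-Session-Time", 0)
                s = self.open[key] = Session(nas, key[1], attrs["User-Name"], started, event_time)
            s.last_seen = event_time
            s.input_octets = attrs.get("Acct-Input-Octets", s.input_octets)
            s.output_octets = attrs.get("Acct-Output-Octets", s.output_octets)
        elif status == STOP and key in self.open:
            s = self.open[key]
            s.input_octets = attrs.get("Acct-Input-Octets", s.input_octets)
            s.output_octets = attrs.get("Acct-Output-Octets", s.output_octets)
            s.session_time = attrs.get("Acct-Session-Time", event_time - s.started_at)
            self._close(key, event_time, attrs.get("Acct-Terminate-Cause", "Unknown"))

    def _close(self, key, when: int, cause: str) -> None:
        s = self.open.pop(key)
        s.last_seen = when
        if s.session_time is None:      # no Stop told us: bill up to the last known event
            s.session_time = when - s.started_at
        s.terminate_cause = cause
        self.closed.append(s)


def demo() -> AccountingTracker:
    """Two sessions on the NAS of the slide, one on another NAS, then the slide's Accounting-Off and a normal Stop."""
    t = AccountingTracker()
    a, b = "192.168.20.2", "192.168.30.3"
    t.handle(1000, {"NAS-IP-Address": a, "Acct-Status-Type": START, "Acct-Session-Id": "891236709", "User-Name": "bob"})
    t.handle(1010, {"NAS-IP-Address": a, "Acct-Status-Type": START, "Acct-Session-Id": "891236710", "User-Name": "alice"})
    t.handle(1020, {"NAS-IP-Address": b, "Acct-Status-Type": START, "Acct-Session-Id": "777", "User-Name": "john"})
    t.handle(1600, {"NAS-IP-Address": b, "Acct-Status-Type": INTERIM, "Acct-Session-Id": "777", "User-Name": "john",
                    "Acct-Input-Octets": 5000})
    # Accounting-Off from the slide: received at 1910 with Acct-Delay-Time 10, so the reboot is dated 1900
    t.handle(1910, {"NAS-IP-Address": a, "Acct-Status-Type": ACCT_OFF, "Acct-Delay-Time": 10, "Acct-Session-Id": "891236709"})
    t.handle(2220, {"NAS-IP-Address": b, "Acct-Status-Type": STOP, "Acct-Session-Id": "777", "User-Name": "john",
                    "Acct-Session-Time": 1200, "Acct-Terminate-Cause": "User-Request", "Acct-Input-Octets": 9000})
    return t


if __name__ == "__main__":
    for s in demo().closed:
        print(s)
```

Sessions closed by Accounting-Off carry the synthetic cause "NAS-Reboot" and a session time computed from the last known times, so billing can tell them apart from sessions closed by a real Stop.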
Dictionary
Definition of all RADIUS attributes and their numeric coding
In text format: a person can read and edit that file
Type of each attribute: Text, String, Integer, IP Address, Date
Possible values for enumerated attributes
Dictionary
#Keyword   Attribute Name             Attr.Num  Attr.Type
ATTRIBUTE  User-Name                  1         string
ATTRIBUTE  Password                   2         string
ATTRIBUTE  CHAP-Password              3         string
ATTRIBUTE  NAS-IP-Address             4         ipaddr
...
## TAOS specific attributes (Ascend 0-255)
ATTRIBUTE  Ascend-IP-Pool-Chaining    85        integer   Ascend
ATTRIBUTE  Ascend-IP-TOS              87        integer   Ascend
ATTRIBUTE  Ascend-IP-TOS-Precedence   88        integer   Ascend
...
## RFC Attribute Values
VALUE      Service-Type               Login-User            1
VALUE      Service-Type               Framed-User           2
VALUE      Service-Type               Callback-Login-User   3
...
## Vendor codes
VENDOR     base         0
VENDOR     livingston   307
VENDOR     Ascend       529
VENDOR     Lucent1751   1751
Dictionary File Decoding
RADIUS Request bytes: ... | 6 | 6 | 0 | 0 | 0 | 2 | ...
Attribute Number = 6, Attribute Length (in bytes) = 6, Attribute Value = 0 0 0 2
RADIUS Dictionary: ATTRIBUTE Service-Type 6 integer, with VALUE Service-Type Framed-User 2
Decoded: Service-Type = Framed-User
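Added example, not the course's or any product's code: a Python parser for a dictionary in the format of the slides, used to decode the Service-Type bytes above together with a NAS-IP-Address and a Vendor-Specific attribute laid out as in Main attributes (V) (type 26, length, 4-byte Vendor ID, then nested VSA ID/length/value triples). The dictionary text and the attribute bytes are constructed; Ascend-Telnet-Profile (vendor 529, id 91) is the VSA from the device-administration example.

```python
"""Decode RADIUS attributes, including a vendor-specific one, through a text dictionary in the slide's format."""
import ipaddress
import struct

# Constructed dictionary: ATTRIBUTE name number type [vendor]; VALUE attribute name number; VENDOR name id.
DICTIONARY_TEXT = """
#Keyword   Attribute Name          Attr.Num  Attr.Type
ATTRIBUTE  User-Name               1         string
ATTRIBUTE  NAS-IP-Address          4         ipaddr
ATTRIBUTE  Service-Type            6         integer
ATTRIBUTE  Ascend-Telnet-Profile   91        string    Ascend
VALUE      Service-Type            Login-User            1
VALUE      Service-Type            Framed-User           2
VALUE      Service-Type            Administrative-User   6
VENDOR     Ascend                  529
"""

# Constructed attribute bytes: the slide's Service-Type, a NAS-IP-Address, and one VSA.
SAMPLE_ATTRIBUTES = bytes.fromhex(
    "06 06 00 00 00 02 "                         # Service-Type = Framed-User (bytes shown on the slide)
    "04 06 c0 a8 14 02 "                         # NAS-IP-Address = 192.168.20.2
    "1a 0d 00 00 02 11 5b 07 41 64 6d 69 6e"     # type 26, len 13, vendor 529, VSA 91 len 7 "Admin"
)


class Dictionary:
    def __init__(self, text: str):
        self.attrs = {}    # (vendor id or None, attribute number) -> (name, type)
        self.values = {}   # (attribute name, number) -> value name
        self.vendors = {}  # vendor name -> vendor id
        pending = []
        for line in text.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0] == "VENDOR":
                self.vendors[parts[1]] = int(parts[2])
            elif parts[0] == "ATTRIBUTE":
                pending.append(parts[1:])   # vendors may be declared after their attributes, as on the slide
            elif parts[0] == "VALUE":
                self.values[(parts[1], int(parts[3]))] = parts[2]
        for name, number, atype, *vendor in pending:
            vid = self.vendors[vendor[0]] if vendor else None
            self.attrs[(vid, int(number))] = (name, atype)

    def decode_value(self, name: str, atype: str, raw: bytes):
        """integer -> enumerated name when the dictionary has one, else the number; ipaddr -> dotted quad."""
        if atype == "integer":
            number = struct.unpack("!I", raw)[0]
            return self.values.get((name, number), number)
        if atype == "ipaddr":
            return str(ipaddress.IPv4Address(raw))
        return raw.decode("utf-8", "replace")

    def decode(self, raw: bytes, vendor_id=None) -> list:
        """Walk Type|Length|Value triples; type 26 carries Vendor-Id(4) followed by nested vendor triples."""
        out, pos = [], 0
        while pos < len(raw):
            atype, alen = raw[pos], raw[pos + 1]
            if alen < 2 or pos + alen > len(raw):
                raise ValueError("bad attribute length at offset %d" % pos)
            value = raw[pos + 2:pos + alen]
            pos += alen
            if atype == 26 and vendor_id is None:
                vid = struct.unpack("!I", value[:4])[0]
                out.extend(self.decode(value[4:], vendor_id=vid))
                continue
            entry = self.attrs.get((vendor_id, atype))
            if entry is None:   # unknown attribute: keep it visible as hex rather than dropping it
                label = "Unknown-%s:%d" % (vendor_id, atype) if vendor_id else "Unknown-%d" % atype
                out.append((label, value.hex()))
                continue
            name, vtype = entry
            out.append((name, self.decode_value(name, vtype, value)))
        return out


def decode_sample() -> list:
    return Dictionary(DICTIONARY_TEXT).decode(SAMPLE_ATTRIBUTES)


def is_malformed(raw: bytes) -> bool:
    """True when the attribute lengths do not fit the buffer (the check a server must make before trusting them)."""
    try:
        Dictionary(DICTIONARY_TEXT).decode(raw)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, value in decode_sample():
        print(f"{name} = {value}")
```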
Device configuration via RADIUS (I)
Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), can ask a RADIUS server for certain configuration parameters
This configuration is based on certain pseudo-users with pre-defined User-Names
The TAOS device sends an Access-Request (1) to the server with Service-Type=Outbound-User
Device configuration via RADIUS (II) (figure: TAOS device and RADIUS server over IP)
Access-Request (1) - ID=12
User-Name (1) = "pools-TNT2"
User-Password (3) = ascend
NAS-IP-Address (4) = 192.168.20.2
Service-Type (6) = Outbound-User (5)
Access-Accept (2) - ID=12
Ascend-IP-Pool-Definition = "1 10.1.0.1 7"
Ascend-IP-Pool-Definition = "2 10.2.0.1 48"
RADIUS extensions for NASs
Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), can receive RADIUS packets to reconfigure already connected users
In this case, the NAS can be considered a server, as it receives requests and must send a response
Example to disconnect a user (figure: RADIUS server -> NAS, the NAS answering)
1 - Disconnect-Request (40) - ID=1, from the RADIUS server to the NAS
User-Name (1) = pepe@terra
Framed-IP-Address (8) = 193.168.1.2
Acct-Session-Id (44) = 262282375
NAS-IP-Address = 192.168.20.2
2 - Disconnect-Ack (41) - ID=1
2B - Disconnect-Nak (42) - ID=1
Error-Cause (101) = Residual Session Context Removed (201)
NOTE: The RADIUS client should know which IP address it must send the request to. It will be different from the NAS-IP-Address if:
- the NAS-Id attribute is used
- there is a proxy RADIUS in between
SNMP MIBs for RADIUS
It is standardized that RADIUS servers and clients should offer some statistical information via SNMP
Defined in RFCs (the new ones also support IPv6):
          Auth   Acct
Client    4668   4670
Server    4669   4671
A proxy-RADIUS behaves at the same time as a server and a client, so it should support both MIBs
Auth Server MIB (I)
The SNMP agent must store statistics for every client, as well as the
aggregate statistics
List of standard attributes (II)
Columns: number of occurrences allowed in Access-Request, Access-Accept, Access-Reject, Access-Challenge and Accounting-Request (0, 0-1, 1, 0+), attribute number, attribute name and defining RFCs.
Req   Acc   Rej   Chall  Acct   #    Attribute                    RFCs
0     0-1   0     0      0-1    39   Framed-AppleTalk-Zone        2865, 2866
0     0     0     0      1      40   Acct-Status-Type             2866
0     0     0     0      0-1    41   Acct-Delay-Time              2866
0     0     0     0      0-1    42   Acct-Input-Octets            2866
0     0     0     0      0-1    43   Acct-Output-Octets           2866
0-1   0-1   0     0      1      44   Acct-Session-Id              2866
0     0     0     0      0-1    45   Acct-Authentic               2866
0     0     0     0      0-1    46   Acct-Session-Time            2866
0     0     0     0      0-1    47   Acct-Input-Packets           2866
0     0     0     0      0-1    48   Acct-Output-Packets          2866
0     0     0     0      0-1    49   Acct-Terminate-Cause         2866
0     0     0     0      0+     50   Acct-Multi-Session-Id        2866
0     0     0     0      0+     51   Acct-Link-Count              2866
0     0     0     0      0-1    52   Acct-Input-Gigawords         2869
0     0     0     0      0-1    53   Acct-Output-Gigawords        2869
0     0     0     0      0-1    55   Event-Timestamp              2869
0+    0+    0     0      0+     56   Egress-VLANID                4675
0-1   0-1   0     0      0-1    57   Ingress-Filters              4675
0+    0+    0     0      0+     58   Egress-VLAN-Name             4675
0     0-1   0     0      0      59   User-Priority-Table          4675
0-1   0     0     0      0      60   CHAP-Challenge               2865, 2866
0-1   0     0     0      0-1    61   NAS-Port-Type                2865, 2866
0-1   0-1   0     0      0-1    62   Port-Limit                   2865, 2866
0-1   0-1   0     0      0-1    63   Login-LAT-Port               2865, 2866
0+    0+    0     0      0-1    64   Tunnel-Type                  2867, 2868
0+    0+    0     0      0-1    65   Tunnel-Medium-Type           2867, 2868
0+    0+    0     0      0-1    66   Tunnel-Client-Endpoint       2867, 2868
0+    0+    0     0      0-1    67   Tunnel-Server-Endpoint       2867, 2868
0     0+    0     0      0      69   Tunnel-Password              2867, 2868
0-1   0     0     0      0      70   ARAP-Password (***)          2869
0     0-1   0     0-1    0      71   ARAP-Features                2869
0     0-1   0     0      0      72   ARAP-Zone-Access             2869
0-1   0     0     0-1    0      73   ARAP-Security                2869
0+    0     0     0+     0      74   ARAP-Security-Data           2869
0     0     0-1   0      0      75   Password-Retry               2869
0     0     0     0-1    0      76   Prompt                       2869
0-1   0     0     0      0-1    77   Connect-Info                 2869
0     0+    0     0      0      78   Configuration-Token          2869
0+    0+    0+    0+     0      79   EAP-Message (***)            2869
0-1   0-1   0-1   0-1    0      80   Message-Authenticator (***)  2869
0+    0+    0     0      0-1    81   Tunnel-Private-Group-ID      2867, 2868
0     0+    0     0      0-1    82   Tunnel-Assignment-ID         2867, 2868
0+    0+    0     0      0      83   Tunnel-Preference            2867, 2868
0     0-1   0     0-1    0      84   ARAP-Challenge-Response      2869
0     0-1   0     0      0      85   Acct-Interim-Interval        2869
0     0     0     0      0-1    86   Acct-Tunnel-Packets-Lost     2867
0-1   0     0     0      0-1    87   NAS-Port-Id (****)           2869
0     0-1   0     0             88   Framed-Pool                  2869
0-1   0-1   0     0      0-1    89   Chargeable-User-Id           4372
0+    0+    0     0      0-1    90   Tunnel-Client-Auth-ID        2868
0+    0+    0     0      0-1    91   Tunnel-Server-Auth-ID        2868
0     0+    0     0      0+     92   NAS-Filter-Rule              4849
0-1   0     0     0      0-1    95   NAS-IPv6-Address             3162
0-1   0-1   0     0      0-1    96   Framed-Interface-Id          3162
0+    0+    0     0      0+     97   Framed-IPv6-Prefix           3162
0+    0+    0     0      0+     98   Login-IPv6-Host              3162
0     0+    0     0      0+     99   Framed-IPv6-Route            3162
0     0-1   0     0      0-1    100  Framed-IPv6-Pool             3162
0     0     0     0      0      101  Error-Cause (-)              3576
0-1   0     0     0      0      103  Digest-Response              4590
0-1   0     0     1      0      104  Digest-Realm                 4590
0-1   0     0     1      0      105  Digest-Nonce                 4590
0     0-1   0     0      0      106  Digest-Response-Auth         4590
0     0-1   0     0      0      107  Digest-Nextnonce             4590
0-1   0     0     0      0      108  Digest-Method                4590
0-1   0     0     0      0      109  Digest-URI                   4590
0-1   0     0     0+     0      110  Digest-Qop                   4590
0-1   0     0     0-1    0      111  Digest-Algorithm             4590
0-1   0     0     0      0      112  Digest-Entity-Body-Hash      4590
0-1   0     0     0      0      113  Digest-CNonce                4590
0-1   0     0     0      0      114  Digest-Nonce-Count           4590
0-1   0     0     0      0      115  Digest-Username              4590
0-1   0     0     0-1    0      116  Digest-Opaque                4590
0+    0+    0     0+     0      117  Digest-Auth-Param            4590
0-1   0     0     0      0      118  Digest-AKA-Auts              4590
0     0     0     0+     0      119  Digest-Domain                4590
0     0     0     0-1    0      120  Digest-Stale                 4590
0     0-1   0     0      0      121  Digest-HA1                   4590
0-1   0     0     0      0      122  SIP-AOR                      4590
0+    0+    0     0      0+     123  Delegated-IPv6-Prefix        4818
(***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.
(****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.
(-) Can be included in packet type 42 = Disconnect-Nak or 45 = CoA-Nak.