 RADIUS SBR in a nutshell


8/16/2019 aaainanutshell-131022170019-phpapp02

http://slidepdf.com/reader/full/aaainanutshell-131022170019-phpapp02 1/18

 


Outline

● AAA.

● Radius Key Features.

● Radius Operation.

● Accounting.

● SBR.

● Future.


AAA

● Architecture.

● Distributed Systems.

● Authentication, Authorization and Accounting.

● Radius, Diameter.


Radius Operation

● User presents auth info to client.

● Client sends "message" to Server.

● Can load-balance servers.

● Server validates the shared secret.

● Radius server consults DB when receiving the request.

● Server can "accept", "reject", "challenge" the user.

● If all conditions are met, server sends a list of configuration values (like IP address, MTU, .. etc) to the user in the response.

Challenge

● Used with devices such as smart cards.

● Unpredictable number to the user, encryption, giving back the result.


Proxy

With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy. A common use for proxy RADIUS is roaming. The choice of which server receives the forwarded request SHOULD be based on the authentication "realm".


Radius Packet


Radius Packet - Code Field

The Code field is one octet, and identifies the type of RADIUS packet.

RADIUS Codes (decimal) are assigned as follows:

  1 Access-Request

  2 Access-Accept

  3 Access-Reject

  4 Accounting-Request

  5 Accounting-Response

  11 Access-Challenge

  12 Status-Server (experimental)

  13 Status-Client (experimental)

  255 Reserved


Radius Packet - Authenticator Field

● This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm.

● Request Authenticator and Response Authenticator.


Radius Packet - Attributes

● RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.

 1 User-Name

 2 User-Password

 3 CHAP-Password

 4 NAS-IP-Address

 5 NAS-Port

 6 Service-Type

….
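
The Code, Authenticator and Attributes fields described above, as an added Python example that is not part of the original slides: it builds and parses the RFC 2865 packet layout, hides User-Password with the Request Authenticator, and verifies a reply's Response Authenticator. The shared secret and the fixed Request Authenticator are constructed sample values; function names are this example's own.

```python
import hashlib
import hmac
import struct

SECRET = b"example-shared-secret"  # constructed sample value (assumption)
REQUEST_AUTH = bytes(range(16))    # fixed for the demo; must be random per request

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865): XOR 16-octet blocks with MD5 output."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_packet(code, ident, authenticator, attrs):
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, id, authenticator, attrs); reject inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        alen = data[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def make_reply(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(header+RequestAuth+attrs+secret)."""
    unsigned = build_packet(code, ident, request_auth, attrs)
    return build_packet(code, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def reply_is_authentic(reply, ident, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare."""
    _, rid, resp_auth, _ = parse_packet(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return rid == ident and hmac.compare_digest(digest, resp_auth)
```

Because the only key material is the shared secret fed through MD5, a reply is only as trustworthy as that secret is strong and private, which is the context for the per-packet confidentiality shortcoming listed later in the deck.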


Radius Accounting

● Client generates an Accounting start packet to accounting server.

● Server acknowledges reception of the packet.

● At the end of the service, client generates a stop packet.

● Server acknowledges reception of the packet.


Radius shortcomings

● Doesn't define fail-over mechanisms.

● Does not provide support for per-packet confidentiality.

● In Accounting it assumes that replay protection is provided by the backend server, not the protocol.

● Doesn't define re-transmission (UDP), which is a major issue in accounting.

● Does not provide for explicit support for agents, including proxies, redirects, and relays.

● Server-initiated messages are optional.

● RADIUS does not support error messages, capability negotiation, or a mandatory/non-mandatory flag for attributes.


Diameter

● It evolved from and replaces the RADIUS protocol.

● Ability to exchange messages and deliver AVPs.

● Capabilities negotiation.

● Error notification.

● Extensibility, required in [RFC2989], through addition of new applications, commands, and AVPs.

● Basic services necessary for applications, such as the handling of user sessions or accounting.


SBR - Features

● Centralized management of user access control and security simplifies access administration.

● Powerful proxy RADIUS features enable you to easily distribute authentication and accounting requests to the appropriate RADIUS server for processing.

● External authentication features enable you to authenticate against multiple, redundant Structured Query Language (SQL) or Lightweight Directory Access Protocol (LDAP) databases according to configurable load balancing and retry strategies.

● Support for a wide variety of 802.1X-compliant access points and other network access servers.

● You can define users' allowed access hours.

● Multiple management interfaces (GUI, LCI, CLI, XML/HTTPS, SNMP).

● 3GPP support facilitates the management of mobile sessions and their associated resources.