RADIUS and DIAMETER

Jun 10, 2009 9:33 PM

Remote Authentication Dial-In User Service (RADIUS).

What is RADIUS?

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server.

  •     RADIUS stands for Remote Authentication Dial In User Service.

  •     RADIUS is an AAA (authentication, authorization, and accounting) protocol for applications such as network access or IP mobility.

  •     Works in both local and mobile (roaming) situations.

  •     Uses PAP, CHAP or EAP to authenticate users.

  •     Looks up user credentials in text files, LDAP servers, or databases for authentication.

  •     After authentication, the service parameters are passed back to the NAS.

  •     Is notified when a session starts and stops; this data is used for billing or statistics purposes.

  •     SNMP is used for remote monitoring.

[Figure: radius-arch.gif, RADIUS architecture diagram]

FEATURES of RADIUS Server:

Here is the list of key features of RADIUS:

Client/Server Model:

  • The NAS acts as a client of the RADIUS server.
  • RADIUS server is responsible for getting user connection requests, authenticating the user and then returning all configuration information necessary for the client to deliver service to the user.
  • A RADIUS server can act as a proxy client to other RADIUS servers.

Network Security:

  • Transactions between client and server are authenticated through the use of a shared secret, and this secret is never sent over the network.
  • The user's password is encrypted before it is sent over the network.

Flexible Authentication Mechanisms:

RADIUS supports the following protocols for authentication:

  • Point-to-Point Protocol - PPP
  • Password authentication protocol - PAP
  • Challenge-handshake authentication protocol - CHAP
  • Simple UNIX Login

Extensible Protocol:

RADIUS is extensible; most vendors of RADIUS hardware and software implement their own dialects.

RADIUS is a stateless protocol; it runs over UDP on port 1812.

Operation of RADIUS Server:

Here are the details of RADIUS operation. Before a client starts communicating with the RADIUS server, the shared secret must be configured on both the client and the server, and the client must be configured to use the RADIUS server to obtain service.

Once the client is configured properly:

  • The client starts with an Access-Request.
  • The server replies with Access-Accept, Access-Reject or Access-Challenge.
  • An Access-Accept carries all the attributes required to provide the service to the user.

RADIUS Codes (decimal) are assigned as follows:

  •     1 Access-Request
  •     2 Access-Accept
  •     3 Access-Reject
  •     4 Accounting-Request
  •     5 Accounting-Response
  •     11 Access-Challenge
  •     12 Status-Server (experimental)
  •     13 Status-Client (experimental)
  •     255 Reserved
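As an added example (not part of the original document), the following Python script walks through the exchange just described and through the Network Security feature listed earlier: the NAS builds an Access-Request whose User-Password attribute is hidden under the shared secret and a random Request Authenticator (RFC 2865 section 5.2), a toy in-memory server reveals the password and answers with Access-Accept or Access-Reject, and the NAS checks the Response Authenticator under the same secret before trusting the answer. The packet layout, attribute encoding and MD5 constructions follow RFC 2865; the secret, the user table and the Framed-IP-Address value are constructed for the example, and the server is a stand-in rather than any real RADIUS implementation.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from the list above (RFC 2865 / RFC 2866).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8  # attribute types, RFC 2865 section 5

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), the first block with
    MD5(secret + Request Authenticator). Keyed obfuscation, not modern encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; what the server does before checking the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attribute = Type(1) Length(1) Value, with Length counting all three fields."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(identifier, secret, username, password):
    request_auth = os.urandom(16)  # fresh random value per request; it keys the hiding
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body

def response_authenticator(code, identifier, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, request, secret, attrs):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, request[1], request[4:20], body, secret)
    return struct.pack("!BBH", code, request[1], 20 + len(body)) + auth + body

def verify_response(response, request, secret):
    """NAS-side check: the identifier must match the outstanding request and the
    Response Authenticator must verify under the shared secret; otherwise discard."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def handle_access_request(packet, secret, users):
    """Toy server (constructed for this example): reveal the password, check it
    against an in-memory table, answer Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    attrs = dict(decode_attrs(packet[20:]))
    user, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    if user in users and hidden is not None and hmac.compare_digest(
            users[user], reveal_password(hidden, secret, packet[4:20])):
        return build_response(ACCESS_ACCEPT, packet, secret,
                              [(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 7]))])
    return build_response(ACCESS_REJECT, packet, secret, [])

def demo():
    """One exchange: NAS sends Access-Request, server answers, NAS verifies the answer."""
    secret = b"example-shared-secret"      # constructed; configured out of band, never sent
    users = {b"alice": b"correct horse"}   # constructed user table
    request = build_access_request(7, secret, b"alice", b"correct horse")
    response = handle_access_request(request, secret, users)
    return CODES[response[0]], verify_response(response, request, secret)

if __name__ == "__main__":
    print(demo())  # ('Access-Accept', True)
```

Two points worth noticing from the code: the base RFC 2865 Access-Request carries no integrity check of its own (the Message-Authenticator attribute of RFC 2869 adds one), and the password hiding is MD5 keyed by the shared secret, so the protection the "Network Security" feature offers rests on the quality of that secret and on keeping RADIUS traffic on a trusted path. The 8-bit identifier also limits a NAS to 256 outstanding requests per server address, which is one reason DIAMETER widened it.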

What is the updated version of RADIUS?

The successor to RADIUS is DIAMETER.

Features of DIAMETER:

  • DIAMETER is an AAA protocol for applications such as network access and IP mobility.
  • Intended to work in both local and roaming AAA situations.
  • The name is a play on its predecessor: a diameter is twice a radius.
  • Uses TCP or SCTP, not UDP.
  • Uses transport-level security (IPsec or TLS).
  • Uses a 32-bit identifier instead of an 8-bit one.
  • Both stateless and stateful modes are supported.
  • Supports application-layer acknowledgements and defines failover.
  • Better roaming support.
  • Easy to extend; new commands and attributes can be defined.
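As an added example (not from the original document), the following Python encodes and parses the Diameter message header and AVPs as laid out in RFC 6733, to show two of the listed features concretely: the 32-bit Hop-by-Hop and End-to-End identifiers that replace RADIUS's 8-bit identifier, and the application-layer answer that echoes those identifiers so a peer can match it to an outstanding request (the basis of acknowledgement and failover). The AA-Request command code 265 and NASREQ application id 1 (RFC 7155), the User-Name AVP (code 1) and the Result-Code AVP (code 268) with DIAMETER_SUCCESS (2001) are used only as sample values; the TCP/SCTP transport and TLS/IPsec protection are outside the example.

```python
import struct

# Diameter header, RFC 6733 section 3 (20 bytes, big-endian):
#   Version(1) | Message Length(3) | Command Flags(1) | Command Code(3)
#   Application-ID(4) | Hop-by-Hop Identifier(4) | End-to-End Identifier(4)
VERSION = 1
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR = 0x80, 0x40, 0x20
AVP_VENDOR, AVP_MANDATORY = 0x80, 0x40
USER_NAME, RESULT_CODE, DIAMETER_SUCCESS = 1, 268, 2001   # RFC 6733 AVP codes / value
AA_REQUEST_CODE, NASREQ_APP_ID = 265, 1                   # RFC 7155, sample values only

def encode_avp(code, data, vendor_id=None, mandatory=True):
    """AVP = Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, padded to a 4-byte
    boundary; the Length field excludes the padding."""
    flags, vendor = (AVP_MANDATORY if mandatory else 0), b""
    if vendor_id is not None:
        flags |= AVP_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * (-len(data) % 4))

def decode_avps(data):
    """Return a list of (code, vendor_id or None, data) tuples."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", data[i:i + 4])[0]
        flags = data[i + 4]
        length = int.from_bytes(data[i + 5:i + 8], "big")
        off, vendor_id = i + 8, None
        if flags & AVP_VENDOR:
            vendor_id = struct.unpack("!I", data[off:off + 4])[0]
            off += 4
        if length < off - i or i + length > len(data):
            raise ValueError("malformed AVP length")
        avps.append((code, vendor_id, data[off:i + length]))
        i += length + (-length % 4)   # skip the padding too
    return avps

def build_message(command_code, app_id, hop_by_hop, end_to_end, avps, flags):
    body = b"".join(encode_avp(code, data) for code, data in avps)
    header = (bytes([VERSION]) + (20 + len(body)).to_bytes(3, "big")
              + bytes([flags]) + command_code.to_bytes(3, "big")
              + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body

def parse_message(msg):
    if len(msg) < 20 or msg[0] != VERSION:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("message length mismatch")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    return {"request": bool(msg[4] & FLAG_REQUEST), "error": bool(msg[4] & FLAG_ERROR),
            "command_code": int.from_bytes(msg[5:8], "big"), "app_id": app_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": decode_avps(msg[20:])}

def answer_for(request, result_code):
    """An answer clears the R flag and echoes the request's Hop-by-Hop and
    End-to-End identifiers, which is how the peer matches it to an outstanding
    request and notices when one never gets answered."""
    r = parse_message(request)
    flags = FLAG_PROXIABLE if request[4] & FLAG_PROXIABLE else 0
    return build_message(r["command_code"], r["app_id"], r["hop_by_hop"], r["end_to_end"],
                         [(RESULT_CODE, struct.pack("!I", result_code))], flags)

def matches(request, answer):
    """The check a sender runs on an incoming answer before accepting it."""
    q, a = parse_message(request), parse_message(answer)
    return (q["request"] and not a["request"] and q["command_code"] == a["command_code"]
            and q["hop_by_hop"] == a["hop_by_hop"] and q["end_to_end"] == a["end_to_end"])

def demo():
    # Constructed AA-Request carrying a User-Name AVP. The identifiers are 32-bit,
    # so 0xDEADBEEF is a legal Hop-by-Hop Id where RADIUS allows only 0..255.
    request = build_message(AA_REQUEST_CODE, NASREQ_APP_ID, 0xDEADBEEF, 0x00C0FFEE,
                            [(USER_NAME, b"alice")], FLAG_REQUEST | FLAG_PROXIABLE)
    answer = answer_for(request, DIAMETER_SUCCESS)
    result = struct.unpack("!I", parse_message(answer)["avps"][0][2])[0]
    return matches(request, answer), result

if __name__ == "__main__":
    print(demo())  # (True, 2001)
```

The length checks in parse_message and decode_avps are the part a defender cares about: both the message length and each AVP length come from the wire, so an implementation that trusts them without bounding them against the buffer is the classic parser weakness in AAA stacks, and the example rejects such input rather than reading past it.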

Comments

pengfang Sun, 11/01/2009 - 12:21

Hi, where can I find an instruction document on how to use the cisco av-pair attribute? I can find some samples only, but I am not sure about the syntax and what attributes are available.
