Radius: Protocol Dependencies

RADIUS
From FreeRADIUS Wiki
RADIUS is a protocol for remote user Authentication, Authorization and Accounting (AAA). Its primary use is by Internet Service Providers, though it may be used on any network that needs a centralised authentication and/or accounting service for its users. RADIUS is often used in larger Wi-Fi (wireless) networks for authentication, replacing simple shared-key methods, which become unmanageable once a network reaches a certain size. The protocol was originally designed by the terminal server manufacturer Livingston for use with their PortMaster series of terminal servers. Since then it has been implemented by hundreds of other vendors and has become a standards-track IETF RFC (RFC 2865). The Diameter protocol is the designated successor, but RADIUS is still commonly used today. Every NAS and the RADIUS server share a secret that never crosses the wire: it hides the User-Password attribute in requests and authenticates the server's responses, so the security of the protocol rests on that secret being strong and unique per client.

Protocol dependencies
UDP: RADIUS uses UDP as its transport. The registered UDP port for RADIUS authentication traffic is 1812; early deployments used UDP port 1645, which conflicted with the "datametrics" service. When RADIUS is used for accounting rather than authentication and configuration, the registered UDP port is 1813; early deployments used port 1646, which conflicted with the "sa-msg-port" service. Some older NAS still default to the old ports, so servers are often configured to listen on both pairs. Because the transport is plain UDP there is no transport-layer protection and the client (NAS) is responsible for retransmission on timeout; a server answers only clients whose source address has a configured shared secret, and the RADIUS ports should be reachable only from those addresses.
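An added illustration of the exchange these ports carry, written for this page rather than taken from FreeRADIUS: a NAS builds an Access-Request with a PAP password hidden under the shared secret, the server recovers and checks the password, and the NAS accepts the reply only if its Response Authenticator matches (RFC 2865). The shared secret, user name, password and NAS address are assumed values, and the UDP socket is left out; the bytes produced are what would go into the datagram to port 1812.

```python
# Added illustration of an Access-Request / Access-Accept exchange (RFC 2865), not FreeRADIUS
# code. Assumed values: shared secret b"testing123", user b"bob", password b"hello", NAS 192.0.2.10.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

def pack_attrs(attrs):
    # Attribute TLV: 1-octet type, 1-octet length (including these two octets), value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def unpack_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: NUL-pad to a multiple of 16 octets (at least 16); XOR each block with
    # MD5(secret + previous block), the first "previous block" being the Request Authenticator.
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden, secret, request_auth):
    # The key stream chains on the hidden blocks, so undo them in order.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")  # strip padding; a password ending in NUL would be ambiguous

def build_packet(code, ident, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], unpack_attrs(pkt[20:length])  # octets past Length are padding

def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def client_request(user, password, secret, ident=7):
    request_auth = os.urandom(16)  # unpredictable and unique per request
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(pkt, secret, users):
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    stored = users.get(a.get(USER_NAME))
    ok = code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(
        recover_password(a.get(USER_PASSWORD, b""), secret, request_auth), stored)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"Welcome" if ok else b"Bad credentials")]
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_verify(reply, request_auth, secret):
    # Drop any reply whose Response Authenticator does not match: a forged or altered
    # Access-Accept must never grant service. Returns the reply code, or None if dropped.
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return code if hmac.compare_digest(auth, expected) else None

def run(user, password, secret, users, server_secret=None):
    # Full round trip; server_secret lets a NAS/server secret mismatch be modelled.
    req, request_auth = client_request(user, password, secret)
    reply = server_handle(req, server_secret or secret, users)
    return client_verify(reply, request_auth, secret)

if __name__ == "__main__":
    print(run(b"bob", b"hello", b"testing123", {b"bob": b"hello"}))  # 2 (Access-Accept)
```

Note that the Access-Request itself carries no authenticator the server can check; only the User-Password attribute is bound to the secret. That is why a wrong secret on either side shows up as a rejected password on the server and an unverifiable reply on the NAS, rather than as an explicit error.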

External links
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
RFC 2866 RADIUS Accounting
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
RFC 2868 RADIUS Attributes for Tunnel Protocol Support
RFC 2869 RADIUS Extensions
RADIUS attributes and packet type codes

See Also
FreeRADIUS
RADIUS Clients
Other RADIUS Servers

Authorization
From FreeRADIUS Wiki
Authorization refers to the granting of specific types of service (including "no service") to a user, based on their authentication, the services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service granted to a user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, QoS/differential services, bandwidth control/traffic management, compulsory tunnelling to a specific endpoint, and encryption.

Authorization methods
The following authorization methods are supported by FreeRADIUS:
- Local files
- Local DB/DBM database
- LDAP database
  - Novell eDirectory
  - Sun ONE Directory Server
  - OpenLDAP
  - Any LDAPv3 compliant directory
- A locally executed program (like a CGI program)
- Perl program
- Python program
- Java program
- SQL database
  - Oracle
  - MySQL
  - PostgreSQL
  - Sybase
  - IBM DB2
  - Any iODBC or unixODBC supported database

See Also
Supported Attributes
RFC 2865
AAA
AAAA

Authentication
From FreeRADIUS Wiki
Authentication refers to confirming that a user requesting services is a valid user of the network services requested. Authentication is accomplished by presenting an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authentication methods
The following authentication types are some of the methods supported by the server:
- Clear-text password in local configuration file (PAP)
- Encrypted (crypt-style hashed) password in local configuration file
- CHAP
- MS-CHAP
- MS-CHAPv2
- Windows Domain Controller authentication (via ntlm_auth and winbind)
- Proxy to another RADIUS server
- System authentication (usually through /etc/passwd)
- PAM (Pluggable Authentication Modules) (PAP only)
- LDAP (PAP only)
- CRAM
- Perl program
- Python program
- Java as a JRadius handler
- SIP Digest (Cisco VoIP boxes, SER)
- A locally executed program (like a CGI program)
- Netscape-MTA-MD5 encrypted passwords
- Kerberos authentication
- X9.9 authentication token (e.g. CRYPTOCard)
- EAP wireless with embedded authentication methods
  - EAP-MD5
  - Cisco LEAP
  - EAP-MSCHAP-V2 (as implemented by Microsoft)
  - EAP-GTC
  - EAP-SIM
  - EAP-TLS
  - EAP-TTLS (with any authentication protocol inside the TLS tunnel)
  - EAP-PEAP (with tunnelled EAP)

"PAP only" means the back end can only check a clear-text password presented by the user (for example by attempting an LDAP bind with it, or handing it to PAM). Challenge-response methods such as CHAP, MS-CHAP and EAP-MSCHAPv2 instead require the server itself to hold the user's clear-text password (or, for MS-CHAP, its NT hash) so that it can recompute the response; choosing a method therefore also decides what the password store must contain.
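The difference between the PAP-only back ends and the challenge-response methods in the list comes down to what the server must store. The following is an added example, not FreeRADIUS code, of CHAP verification as RFC 2865 section 5.3 describes it, placed beside a PAP check against a salted hash; the CHAP identifier, challenge, salt and password are constructed values.

```python
# Added example of CHAP verification on the server side (RFC 2865 5.3, RFC 1994), not FreeRADIUS
# code. The CHAP identifier, challenge, salt and password b"hello" are constructed values.
import hashlib
import hmac

def nas_chap_attributes(ident, password, challenge):
    # What the NAS puts in the Access-Request: CHAP-Password is the one-octet CHAP identifier
    # followed by MD5(identifier + password + challenge); CHAP-Challenge carries the challenge.
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return {"CHAP-Password": bytes([ident]) + digest, "CHAP-Challenge": challenge}

def verify_chap(chap_password, request_authenticator, stored_cleartext, chap_challenge=None):
    # The server must recompute the digest, so it needs the user's clear-text password.
    # RFC 2865 5.3: if the NAS omitted CHAP-Challenge, the Request Authenticator is the challenge.
    if len(chap_password) != 17:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = hashlib.md5(chap_password[:1] + stored_cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])

def pap_store(password, salt):
    # Server-side storage sufficient for PAP: a salted one-way hash, no clear text kept.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_pap(supplied_cleartext, salt, stored_hash):
    # With PAP the clear text reaches the server (hidden in transit by the shared secret),
    # so a one-way hash is enough to check it. The same stored hash is useless for CHAP.
    return hmac.compare_digest(pap_store(supplied_cleartext, salt), stored_hash)
```

Feeding the PAP hash into verify_chap as if it were the password always fails, which is the concrete reason an LDAP or PAM back end cannot serve CHAP clients.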

See Also

RFC 2865
AAA
AAAA

Accounting
From FreeRADIUS Wiki
Accounting refers to tracking the consumption of NAS resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information delivered concurrently with the consumption of the resources; batch accounting refers to accounting information saved and delivered at a later time. Typical information gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
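Added example, not FreeRADIUS code, of how RFC 2866 protects these records. Unlike an Access-Request, whose authenticator is random, an Accounting-Request's Request Authenticator is MD5 over the packet (with the authenticator field zeroed) and the shared secret, so a server can reject a record that was forged, or altered in transit, before it is logged or billed. The secret, NAS address and session values are constructed.

```python
# Added example of Accounting-Request integrity checking (RFC 2866 section 3), not FreeRADIUS
# code. Shared secret b"testing123", NAS 192.0.2.10 and the session values are constructed.
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
START, STOP = 1, 2

def pack_attrs(attrs):
    # Attribute TLV: 1-octet type, 1-octet length (including these two octets), value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def u32(n):
    return struct.pack("!I", n)

def accounting_request(ident, attrs, secret):
    # RFC 2866 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body

def verify_accounting_request(pkt, secret):
    # Recompute with the authenticator field zeroed. Any change to header or attributes,
    # or a record built without the secret, fails here and must be silently discarded.
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def accounting_response(request, secret):
    # Accounting-Response with no attributes: MD5(Code + ID + Length + RequestAuth + Secret).
    # The NAS retransmits its record until it sees this, so the server must reply only
    # after the record has been stored.
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def session_records(user, session_id, seconds, in_octets, out_octets, secret):
    # Constructed Start and Stop records for one session; usage is carried on the Stop.
    common = [(USER_NAME, user), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
              (ACCT_SESSION_ID, session_id)]
    start = accounting_request(1, [(ACCT_STATUS_TYPE, u32(START))] + common, secret)
    stop = accounting_request(2, [(ACCT_STATUS_TYPE, u32(STOP))] + common + [
        (ACCT_SESSION_TIME, u32(seconds)), (ACCT_INPUT_OCTETS, u32(in_octets)),
        (ACCT_OUTPUT_OCTETS, u32(out_octets))], secret)
    return start, stop

def rewrite_attr(pkt, attr_type, new_value):
    # Replace a same-length attribute value in place without touching the authenticator,
    # i.e. what an on-path party that does not know the secret can do to a captured record.
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if t == attr_type and length == len(new_value) + 2:
            return pkt[:off + 2] + new_value + pkt[off + length:]
        off += length
    raise ValueError("attribute not found")
```

The same check does not exist for Access-Requests, whose authenticator is a random value; there the shared secret is only bound to the User-Password attribute, so an accounting server that also proxies authentication should not assume the two request types give it the same assurance about the sender.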

See Also
RFC 2866
AAA
AAAA

Network Access Server



Overview
A Network Access Server (NAS) is a system that provides access to a network; in some contexts it is also called a Terminal Server or Remote Access Server (RAS). The NAS acts as a gateway guarding access to a protected resource, which can be anything from a telephone network to printers to the Internet. The client connects to the NAS, and the NAS asks another system whether the client's supplied credentials are valid; based on that answer it allows or denies access to the protected resource. The NAS itself holds no information about which clients may connect or which credentials are valid: it forwards the credentials the client supplied to a system that does know how to process them, and enforces the decision it receives. In RADIUS terms the NAS is the RADIUS client and the RADIUS server is the system making the decision.

Examples
The above translates into different implementations for different uses. Here are some examples. The most common use is access to the Internet. A user opens their browser. The NAS detects that the user is not currently authorized to access the Internet, so it prompts the user for their username and password. The user supplies them to the NAS. The NAS then uses RADIUS to contact an AAA server (in this case running FreeRADIUS) and passes the username and password to it. The FreeRADIUS server searches its configured sources, finds that the credentials are valid, and notifies the NAS that they are valid. The NAS then grants the user access to the Internet. Another use of a NAS is VoIP. Instead of a username and password, a phone number or IP address is often used: if the phone number belongs to a valid customer the call can be completed. Authorization may also depend on whether the number has long-distance access or, for a calling card, whether it has minutes left.

Associated Protocols
Although not required, NAS are almost always deployed with AAA servers. Of the AAA protocols available, RADIUS is the most widely used. Diameter is a newer protocol that extends RADIUS with error handling and inter-domain communication and is starting to be implemented in some high-end NAS.

See Also
RFC 2881 (Network Access Server Requirements Next Generation NAS Model, July 2000)
RFC 2882 (Network Access Servers Requirements: Extended RADIUS Practices, July 2000)
