2-Aug-2007 RADIUS. BRAS Recap Aggregates user sessions, and allows the ISP to apply policy and QOS...
2-Aug-2007
RADIUS
BRAS Recap
Aggregates user sessions, and allows the ISP to apply policy and QOS
Interfaces with RADIUS (AAA)
Introduction to RADIUS
Remote Authentication Dial In User Service
Provides Authentication, Authorisation & Accounting (AAA)
RFC2058 & RFC2059; later updated to RFC2865 & RFC2866
UDP ports 1645 & 1646 or 1812 & 1813
AAA
Authentication, Authorization and Accounting
AAA Protocols: RADIUS, DIAMETER, TACACS, TACACS+
RADIUS Authentication
(Diagram: end client, NAS acting as RADIUS Client, and the RADIUS server in the core; NAS and RADIUS server hold a shared secret)
1: LLP connection established between end client and NAS
2: Access request: User authentication credentials passed to RADIUS server
3: Access reply: Accept / Deny; may include framed parameters
4: Service initiated. Accounting start: request and accept
Other: Accounting interim updates, Accounting stop
RADIUS Proxy
(Diagram: several NAS (RADIUS Client) devices send to a RADIUS Proxy in the core, which forwards to a RADIUS End Authenticator or to a Non-RADIUS End Authenticator)
RADIUS Packet
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
RADIUS Attributes
Attribute format
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     |  Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Sample Attribute Types
1 User-Name
2 User-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
26 Vendor-Specific
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
64 Tunnel-Type
87 NAS-Port-Id
88 Framed-Pool
Attribute 26: VSAs
Vendor-Specific Attributes
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |            Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Vendor-Id (cont)           |  Sub-Attribute(s)...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
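The authentication exchange, the packet layout, the attribute TLV and the VSA format above, together with the role of the shared secret, worked through in Python as an added example (not code from the deck or from any RADIUS implementation). The NAS side builds an Access-Request whose User-Password is hidden the way RFC 2865 section 5.2 specifies, the server side parses it and answers with an Access-Accept carrying Framed-IP-Address and a Vendor-Specific attribute, and the NAS then verifies the Response Authenticator, which is MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the secret. The shared secret, the user table, identifier 7, the framed address 10.0.0.42, vendor id 12345 and its sub-attribute 1 are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Constructed for the example: the secret, the user table and vendor id 12345 /
# sub-attribute 1 are placeholders, not real assignments.
SECRET = b"example-shared-secret"
USERS = {b"alice": b"s3cret"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 8, 26
EXAMPLE_VENDOR_ID, EXAMPLE_SUB_TYPE = 12345, 1


def encode_attr(atype, value):
    """Type (1) | Length (1, header included) | Value (at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id, sub_type, value):
    """Attribute 26: 4-byte Vendor-Id followed by a sub-attribute in the same TLV form."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + encode_attr(sub_type, value))


def password_transform(data, secret, request_auth, hide):
    """RFC 2865 s5.2 User-Password hiding (hide=True) and its inverse: 16-byte blocks XORed
    with MD5(secret + previous block), chained from the Request Authenticator. Keyed
    obfuscation, not modern encryption; trailing NUL padding is stripped on reveal."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hide else data[i:i + 16]  # chaining always uses the wire (hidden) block
    return out if hide else out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs_bytes):
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value)]); a VSA value is unpacked
    to (vendor_id, sub_type, sub_value). Every length is bounds-checked before use."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("bad Vendor-Specific attribute")
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]])
        attrs.append((atype, value))
        pos += alen
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the secret never goes on
    the wire, and a reply whose value does not match the expected one must be discarded."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def verify_response(response, request_auth, secret):
    code, ident, auth, _ = parse_packet(response)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, response[20:], secret))


def exchange(username, password, nas_ip):
    """Steps 2 and 3 of the flow: NAS sends an Access-Request, the server replies, and the
    NAS acts on the reply only if its Response Authenticator checks out."""
    request_auth = os.urandom(16)  # NAS: fresh random Request Authenticator per request
    request = build_packet(ACCESS_REQUEST, 7, request_auth,
                           encode_attr(USER_NAME, username)
                           + encode_attr(USER_PASSWORD, password_transform(password, SECRET, request_auth, True))
                           + encode_attr(NAS_IP_ADDRESS, bytes(map(int, nas_ip.split(".")))))
    code, ident, req_auth, attrs = parse_packet(request)  # server side from here
    fields = dict(attrs)
    user = fields.get(USER_NAME)
    ok = user in USERS and hmac.compare_digest(
        password_transform(fields[USER_PASSWORD], SECRET, req_auth, False), USERS[user])
    if ok:  # an Accept may carry framed parameters and vendor-specific profile names
        reply_code = ACCESS_ACCEPT
        reply_attrs = (encode_attr(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 42]))
                       + encode_vsa(EXAMPLE_VENDOR_ID, EXAMPLE_SUB_TYPE, b"profile=gold"))
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, SECRET)
    reply = build_packet(reply_code, ident, auth, reply_attrs)
    return reply_code, verify_response(reply, request_auth, SECRET), dict(parse_packet(reply)[3])
```

Calling exchange(b"alice", b"s3cret", "192.0.2.1") returns the Accept code, True from the authenticator check, and the decoded reply attributes; a wrong password returns a Reject. The check in verify_response is what stops a forged or altered reply from being acted on, and because the password hiding is only MD5 keyed by the shared secret, the secret has to be long and random and the NAS-to-server path kept trusted.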
RADIUS Dictionaries
Dictionary Example
# Cisco 6510 SSG v1.1 RADIUS dictionary
#
# This dictionary is designed for and only intended to be
# used with the Cisco 6510 Service Selection Gateway
# Version 1.0. It contains a minimal set of RADIUS
# Attribute Value Pair definitions which is not sufficient
# for use with a typical Network Access Server.
#
# This file can be used as a dictionary file replacement for
# a shareware/freeware RADIUS AAA Server when the RADIUS
# client is the Cisco 6510 Service Selection Gateway version 1.0.
#
# It is important to note that if you decide to use a Freeware
# RADIUS Server with the 6510 Service Selection Gateway, it must
# support Vendor Specific Attributes in both Access-Requests and
# Accounting-Requests.
#
ATTRIBUTE User-Name 1 string
ATTRIBUTE User-Password 2 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Class 25 string
ATTRIBUTE Vendor-Specific 26 string
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Acct-Status-Type 40 integer
ATTRIBUTE Acct-Input-Octets 42 integer
ATTRIBUTE Acct-Output-Octets 43 integer
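An added example, not part of the deck and not any vendor's or server's dictionary code, of what a RADIUS server does with a dictionary in the ATTRIBUTE form shown above: it parses the ATTRIBUTE lines into a number-to-(name, type) table and then uses the type to decode raw attribute values, rejecting an ipaddr or integer value that is not exactly 4 bytes rather than misreading it, and reporting attribute numbers the dictionary lacks instead of dropping them. The dictionary excerpt and the attribute bytes are constructed for the example.

```python
import ipaddress
import struct

# Constructed excerpt in the deck's ATTRIBUTE <name> <number> <type> form (not a vendor file).
DICTIONARY = """\
# constructed excerpt for the example
ATTRIBUTE User-Name 1 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Acct-Status-Type 40 integer
"""


def _fixed(size, fn):
    """Wrap a decoder so a value of the wrong size is rejected instead of misparsed."""
    def decode(value):
        if len(value) != size:
            raise ValueError(f"expected {size}-byte value, got {len(value)}")
        return fn(value)
    return decode


DECODERS = {
    "string": lambda v: v.decode("utf-8", errors="replace"),
    "ipaddr": _fixed(4, lambda v: str(ipaddress.IPv4Address(v))),
    "integer": _fixed(4, lambda v: struct.unpack("!I", v)[0]),
    "octets": lambda v: v.hex(),  # fallback for attribute numbers the dictionary lacks
}


def parse_dictionary(text):
    """Return {number: (name, type)} from ATTRIBUTE lines. '#' comments and blank lines are
    skipped; anything else raises rather than silently leaving an attribute undecodable."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ATTRIBUTE" or parts[3] not in DECODERS:
            raise ValueError(f"line {lineno}: unsupported dictionary entry {raw!r}")
        table[int(parts[2])] = (parts[1], parts[3])
    return table


def decode_attributes(blob, table):
    """Walk Type | Length | Value records and return [(name, decoded value)]. Unknown
    types are kept as Attr-<n> with hex octets so they show up instead of vanishing."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError(f"bad attribute length at offset {pos}")
        atype, alen = blob[pos], blob[pos + 1]
        name, dtype = table.get(atype, (f"Attr-{atype}", "octets"))
        out.append((name, DECODERS[dtype](blob[pos + 2:pos + alen])))
        pos += alen
    return out


# Constructed attribute bytes (the part of a packet that follows the 20-byte header).
SAMPLE_ATTRIBUTES = bytes.fromhex(
    "01 07 61 6c 69 63 65"  # User-Name "alice"
    "04 06 c0 00 02 01"     # NAS-IP-Address 192.0.2.1
    "06 06 00 00 00 02"     # Service-Type 2
    "08 06 0a 00 00 2a"     # Framed-IP-Address 10.0.0.42
    "1b 06 00 00 0e 10"     # Session-Timeout 3600
)

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE_ATTRIBUTES, parse_dictionary(DICTIONARY)):
        print(f"{name} = {value}")
```

The strict size check matters because a server that accepts a 3-byte "integer" or a 5-byte "ipaddr" from a misbehaving or hostile client has already mis-parsed the packet before any policy runs; failing closed on the malformed attribute is the safer default.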
RADIUS Issues
IESG Note: This protocol is widely implemented and used. Experience has shown that it can suffer degraded performance and lost data when used in large scale systems, in part because it does not include provisions for congestion control.
Source: RFC2865: http://www.ietf.org/rfc/rfc2865.txt
QOS recap
Quality of Service
Prioritisation of network traffic to ensure important or sensitive traffic traverses the network rapidly
Dynamic Profile Assignment
Profiles are configured at (in) the BRAS
RADIUS accept includes profile names
BRAS applies profiles as per RADIUS
Profile types may include: Rate-limit profiles, QoS profiles, Filters