Introduction to the RADIUS protocol. All Rights Reserved © Alcatel-Lucent 2007


Page 1

Introduction to the RADIUS protocol

Page 2

2 | RADIUS protocol Overview All Rights Reserved © Alcatel-Lucent 2007

Module Objectives

- Identify the elements and architecture of remote access to networks
- Understand the way the RADIUS protocol works
- Get to know the attributes that control different types of access technologies (dial-up, ADSL, GPRS/UMTS, CDMA2000, etc.)
- Learn how attributes and RADIUS packets are coded, and the purpose of a dictionary
- Cover the standard statistical information provided over SNMP
- View the extensions added to the RADIUS protocol

Page 3

AAA

- Authentication: verify that a user really is who (s)he claims to be.
  Password, token cards, calling number, X.509 digital certificate, SIM card, etc.
- Authorization: check that the user can access the service (s)he is trying to reach.
  Checking against a database, a file, etc. what the user can do, and restricting his/her access to the network.
- Accounting: write down what the user has done during the connection.
  Connection time, bytes sent/received, access service, etc., to get statistics about user accesses, billing, etc.

Page 4

Switched connection diagram

(Diagram) The user's PC connects through a modem over the PSTN to the ISP's POP (Point of Presence). The NAS / RAS in the POP terminates the PPP connection and carries IP; it consults the RADIUS AAA server, which is backed by a user DB. A router connects the POP to the Internet, where the web server sits.

Page 5

Different ways for the AAA

- Local accounts in the NAS/RAS
  Only valid for a small number of users. Not valid if any user can connect at any NAS: we would have to provision all users in all NASs.
- Proprietary software between the NAS and an external server
- RADIUS protocol, for a NAS to ask a server with centralized information about all users. Or its evolution: the Diameter NASREQ application.
- TACACS protocol (tacacs, tacacs+, xtacacs). Not widely implemented, apart from Cisco.

Page 6

RADIUS: Basic Principles

- RADIUS is not the server itself, but the protocol to exchange information.
- Protocol to communicate between a RADIUS client, typically the NAS (= Network Access Server), and a remote AAA server.
- Standardized by the IETF (Internet Engineering Task Force) in several RFCs: 2865 & 2866. Enhanced in RFCs 2867, 2868 & 2869, 3576...
- Adopted by all vendors of access devices, as almost the only standard for AAA.
- RADIUS stands for: Remote Authentication Dial-In User Service

Page 7

Authentication Data Flow

(Diagram) Elements: user, NAS, RADIUS server, users database, Internet.

1. The user dials the modem pool and establishes the connection, presenting UserID: bob, Password: ge55gep.
2. NAS -> RADIUS server: Access-Request
   User-Name: bob
   Password: ge55gep
   NAS-IP: 207.12.4.1
3. RADIUS server -> users database: Select UserID=bob
   The database returns: bob, password=ge55gep, Timeout = 3600, [other attributes]
4. RADIUS server -> NAS: Access-Accept
   Framed-IP-Address=217.213.21.5
   Session-Timeout=3600
   [other attributes]
5. Internet PPP connection established, with Framed-Address=217.213.21.5

Page 8

Accounting Data Flow (Start)

(Diagram) Elements: NAS, RADIUS server, ISP accounting database, Internet.

1. The PPP session is established.
2. NAS -> RADIUS server: Account-Request
   Acct-Status-Type = Start
   User-Name = bob
   Framed-Address = 217.213.21.5
   …
3. The RADIUS server writes the accounting "Start" record to the ISP accounting database:
   Sun May 10 20:47:41 1998 Acct-Status-Type = Start User-Name = bob Framed-Address=217.213.21.5 …
4. RADIUS server -> NAS: Acknowledgement

Page 9

Accounting Data Flow (Stop)

(Diagram) Elements: NAS, RADIUS server, ISP accounting database, Internet.

1. The user disconnects.
2. NAS -> RADIUS server: Account-Request
   Acct-Status-Type = Stop
   User-Name = bob
   Acct-Session-Time = 1432
   …
3. The RADIUS server writes the accounting "Stop" record to the ISP accounting database:
   Sun May 10 20:50:49 1998 Acct-Status-Type = Stop User-Name = bob Acct-Session-Time = 1432 …
4. RADIUS server -> NAS: Acknowledgement

Page 10

Fault Tolerance

Based on retransmissions by the RADIUS client.

Radius Servers List
  #   Authentication   Accounting   Auth_Timer   Acct_Timer
  1)  10.0.1.1         10.0.1.3     3            10
  2)  10.0.1.2         10.0.1.4     3            10
  3)  10.0.1.3         10.0.1.5     3            10

(Diagram) NAS, router and the authentication servers 10.0.1.1, 10.0.1.2, 10.0.1.3:
1. The NAS selects the first RADIUS server on the list.
2. The first RADIUS server replies, but the router drops the reply.
3. The NAS selects the second RADIUS server.
4. The request does not get to the RADIUS server.
5. The NAS selects the third RADIUS server.
6. The reply is received and the transaction ends.

* The retransmission strategy is not standardized:
  * some NASs fail over to another RADIUS server as soon as a timeout occurs
  * some NASs retry 1 or 2 times to the same RADIUS server before failing over

Page 11

Information from NAS -> server for authentication

- Information related to the RADIUS client (NAS): NAS-IP-Address, or a unique identification (NAS-Id)
- Information to authenticate the user connecting: User-Name & Password
- Information about the connection itself (for authorization):
  - Calling number, called number (or APN for GPRS/UMTS)
  - Modem/port taking the connection (NAS-Port)
  - Type of session (PPP, SLIP, ...)
  - Type of connection (POTS, ISDN, ADSL, UMTS, GPRS, etc.)

Page 12

Authentication process in the server (I)

1. Decode the user's password (it travels encrypted), using the "shared secret key", known by both client and server.
2. Search for the user connection profile in:
   - a plain text file
   - an external SQL database
   - an LDAP server
   - the /etc/passwd file in UNIX
   - user accounts in Windows domains
   - etc.
3. Authenticate the user.

Page 13

Authentication process in the server (& II)

4. Optionally, check extra data (check-items):
   - type of connection (POTS, ISDN, ADSL, cable, UMTS, etc.)
   - time of day
   - calling number, called number
   - etc.
5. Send Accept/Reject to the NAS with the right attributes for this user session (reply-items):
   - idle and session timeout
   - IP filters for this user
   - indication of the IP address to assign to the user
   - for ISDN, max. number of channels to bond together (MLPPP)
   - etc.

Page 14

Communication UDP ports

- Communication between client and server is done over UDP/IP.
- RADIUS authentication and accounting servers listen on 2 different ports.
- Servers can listen on any port, but it is advisable to use the standard ones (defined in the RFCs).
- RADIUS clients can send requests from any source UDP port they have available; this is not limited in the RFCs. All requests need not come from the same port, and usually don't. NASs can be configured to send all requests with the same source UDP port, but this is only advisable for firewall restrictions.

UDP Ports        New    Old
Authentication   1812   1645
Accounting       1813   1646

Page 15

Why UDP? (RFC 2865)

- In RADIUS the retransmission feature provided by TCP is not necessary: if the client doesn't get an answer, it sends another request to a secondary server. The response to a retransmitted TCP request could arrive too late.
- Simplifies server implementation, especially for multi-threaded servers.
- Reduces network traffic: UDP has less overhead than TCP, and UDP need not establish a session before sending data.

Page 16

PPP overview and traditional authentication methods

- The Point-to-Point Protocol (PPP) allows sending several protocols above its headers.
- The establishment of the PPP link requires certain handshaking:
  - LCP - Link Control Protocol messages, to determine MLPPP, the MTU, and to decide the authentication algorithm for the user
  - Authentication - depends on the protocol used: PAP, CHAP, MS-CHAPv2, EAP. During this stage, the RADIUS server is contacted by the NAS.
  - NCP - Network Control Protocol, to negotiate extra parameters: IPCP, the IP address assigned to the user; CCP, if the data is going to be compressed; ECP, if the data is going to be encrypted.

Page 17

Password Authentication Protocol (PAP)

- The password travels in the clear (unencrypted).
- The password can be stored hashed in the RADIUS server.
- User credentials are verified only once, at the beginning of the connection.

(Diagram) PPP initiator (user), PPP responder (NAS) and RADIUS server:
  Initiator -> Responder: PAP-Auth-Request #1 (Name=jsmith, Passwd=red)
  Responder -> RADIUS server: Access-Request (User-Name=jsmith, User-Password=red)
  RADIUS server -> Responder: Access-Accept, or Access-Reject
  Responder -> Initiator: PAP-Auth-Success #1 (Message="00"), or PAP-Auth-Failure #1 (Message="Incorrect Password")

Page 18

Challenge Handshake Authentication Protocol (CHAP)

- The user password is hashed using MD5 and a random challenge generated by the NAS (PPP responder).
- The password cannot be stored hashed in the RADIUS server.
- Optionally, the user can be authenticated several times during the lifetime of the session.

(Diagram) PPP initiator (user), PPP responder (NAS) and RADIUS server:
  Responder -> Initiator: CHAP-Auth-Challenge #1 (Chall. Length=16, Challenge Value=0c7d203....a8, Name=tnt2)
  Initiator -> Responder: Auth-Response #1 (Chall. Length=16, Challenge Value=016b89....91, Name=john)
  Responder -> RADIUS server: Access-Request (User-Name=john, CHAP-Password=016b89..91, [CHAP-Challenge*=0c7d203...a8])
  RADIUS server -> Responder: Access-Accept, or Access-Reject
  Responder -> Initiator: CHAP-Auth-Success #1 (Message="00"), or CHAP-Auth-Failure #1 (Message="Incorrect Password")

Page 19

LCP handshaking

In the LCP handshaking, the user and the NAS determine the authentication protocol to use:
- The user may accept the proposal from the server.
- The user may reject the server proposal, and expect to receive a new proposal.

(Diagram) Authenticator (responder) and initiator. Rejected proposal:
  Responder -> Initiator: Config-Request #1 (MRU=1524, auth=PAP, ...)
  Initiator -> Responder: Config-Reject #1 (auth=PAP)
  Responder -> Initiator: Config-Request #2 (MRU=1524, auth=CHAP/MD5)
  Initiator -> Responder: Config-Ack #2 (MRU=1524, auth=CHAP/MD5)
Accepted proposal:
  Responder -> Initiator: Config-Request #1 (MRU=1524, auth=PAP, ...)
  Initiator -> Responder: Config-Ack #2 (MRU=1524, auth=PAP, ...)

Page 20

Hashing of password

- The user password can only be hashed once (MD5, SHA1, etc.), either at database storage or when the user transmits it, as the hash algorithms are not reversible.
- However, passwords can be stored encrypted (3DES, AES, …).

Which combinations work (OK) and which do not (X). "Sent from NAS" is the user password typed in this connection attempt; "Stored" is the user password provisioned for this user, read from the users' database (text file, SQL, LDAP, ...):

  Auth. algorithm used | Sent from NAS          | Stored in the clear | Stored hashed (MD5, SHA1)
  PAP, telnet/SSH...   | {User-Password(2)}     | OK                  | OK
  CHAP, EAP-MD5...     | {CHAP-Password(3),...} | OK                  | X
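To make the PAP/CHAP rows of the table concrete, here is an added example (not part of the original slides) of how a RADIUS server checks both credential types against a constructed users' database; the user names john and jsmith and the password red are taken from the earlier diagrams, and storing jsmith as a SHA-1 hash is an assumption for the example.

```python
import hashlib
import hmac
import os

# Constructed users' database: john is provisioned in the clear, jsmith only as a
# SHA-1 hash (the storage format is an assumption for this example).
USERS = {
    "john": {"clear": "red"},
    "jsmith": {"sha1": hashlib.sha1(b"red").hexdigest()},
}

def pap_check(username, user_password):
    """PAP: the server has the cleartext password (recovered from User-Password),
    so it can hash it itself and compare with either storage form."""
    rec = USERS.get(username)
    if rec is None:
        return False
    if "clear" in rec:
        return hmac.compare_digest(rec["clear"], user_password)
    return hmac.compare_digest(rec["sha1"], hashlib.sha1(user_password.encode()).hexdigest())

def chap_response(chap_id, password, challenge):
    """PPP CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def chap_check(username, chap_password, chap_challenge):
    """CHAP: CHAP-Password(3) = CHAP Identifier (1 byte) + 16-byte response.
    The server must recompute the response from the cleartext password; with a
    hash-only record there is nothing to feed into MD5 (the X in the table)."""
    if len(chap_password) != 17:
        return False
    rec = USERS.get(username)
    if rec is None or "clear" not in rec:
        return False
    expected = chap_response(chap_password[0], rec["clear"], chap_challenge)
    return hmac.compare_digest(expected, chap_password[1:])

def demo():
    """Same password 'red' for both users; only the storage format differs."""
    challenge = os.urandom(16)                 # random challenge generated by the NAS
    chap_pw = bytes([1]) + chap_response(1, "red", challenge)
    return {
        "pap_clear": pap_check("john", "red"),
        "pap_hashed": pap_check("jsmith", "red"),
        "chap_clear": chap_check("john", chap_pw, challenge),
        "chap_hashed": chap_check("jsmith", chap_pw, challenge),
    }
```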

Page 21

RADIUS packet format

  Bytes   Field
  1-4     Type (byte 1), Identifier (byte 2), Length (bytes 3-4)
  5-20    Authenticator
  21-...  Attributes

- Identifier: identifies the packet, along with the source IP address and UDP port. Used to detect duplicate packets.
- Length: length of the RADIUS packet, 20 < length < 4096 bytes.
- Authenticator:
  - In auth requests: to encrypt the user password using the shared secret key (usually a random value).
  - In replies and accounting: to authenticate the message itself. Similar to a digital signature.

Page 22

RADIUS packet types (RFC 2865)

- Access-Request (1) - Authentication requests from NAS to server
- Access-Accept (2) - Response from server to NAS accepting the user session
- Access-Reject (3) - Response from server to NAS rejecting the user session
- Access-Challenge (11) - Request from server to NAS, asking for additional info from the user. Used in token/crypto cards, and for EAP
- Account-Request (4) - The NAS sends accounting information to the server
- Account-Response (5) - The server ACKs the acct packet to the NAS

Page 23

Authenticator field in auth

The 'Authenticator' field serves 2 purposes, depending on whether it is a request or an accept/reject:
- Encryption of some attributes: User-Password
- Server authentication

(Diagram) Access-Request, client side: a random number becomes the Authenticator field. The MD5 hash of (shared key, Authenticator field) is XORed with the PAP password (clear text) to produce the User-Password attribute.
Server side: the MD5 hash of (shared key, Request Authenticator) XORed with the User-Password attribute recovers the clear password.

(Diagram) Access-Accept/Reject, server side: the MD5 hash of (response packet without authenticator, Request Authenticator, shared key) becomes the Authenticator field.
Client side: recomputes the same MD5 hash over (response packet without authenticator, Request Authenticator, shared key) and compares it with the received Authenticator field. Match? -> server authenticated. No match (X) -> discard packet.

Page 24

Authenticator field in acct

For accounting the authenticator only provides authentication of client and server, similar to a digital signature.

(Diagram) Account-Request, client side: the MD5 hash of (acct packet without authenticator, shared key) becomes the Authenticator field.
Server side: recomputes the MD5 hash over (acct packet without authenticator, shared key) and compares. Match? -> client authenticated. No match (X) -> discard.

(Diagram) Account-Response, server side: the MD5 hash of (acct response packet without authenticator, Request Authenticator, shared key) becomes the Authenticator field.
Client side: recomputes the hash over (acct response packet without authenticator, Request Authenticator, shared key) and compares. Match? -> authenticated. No match (X) -> discard packet.
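As an added example that is not part of the original course material, the following Python code implements the three authenticator uses from the packet-format and authenticator slides as specified in RFC 2865 and RFC 2866: hiding User-Password with MD5(shared secret || Request Authenticator), computing and checking the Response Authenticator, and the accounting Request Authenticator. The shared secret, the accounting attributes and the altered Session-Timeout are constructed values; bob / ge55gep / 207.12.4.1 / 217.213.21.5 come from the data-flow slide.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
FRAMED_IP_ADDRESS, SESSION_TIMEOUT, ACCT_STATUS_TYPE = 8, 27, 40

def encode_attrs(attrs):
    """Attribute = Type (1 byte) | Length (1 byte, header included) | Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def _keystream_xor(data, secret, request_auth, feed_back_output):
    """b_i = MD5(secret || c_{i-1}) with c_0 = Request Authenticator; XOR 16-byte chunks."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out += c
        prev = c if feed_back_output else data[i:i + 16]   # c_{i-1} is always the ciphertext
    return out

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: zero-pad to a multiple of 16 bytes (so at least 16)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    return _keystream_xor(padded, secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    """Server side; strip the padding (a password with trailing NULs is ambiguous)."""
    return _keystream_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def packet(code, ident, authenticator, attrs_bytes):
    length = 20 + len(attrs_bytes)
    if length > 4096:
        raise ValueError("RADIUS packet longer than 4096 bytes")
    return struct.pack("!BBH", code, ident, length) + authenticator + attrs_bytes

def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(hdr + request_auth + attrs_bytes + secret).digest()

def acct_request_authenticator(code, ident, attrs_bytes, secret):
    """RFC 2866 3: the same hash, with 16 zero octets where the Request Authenticator goes."""
    return response_authenticator(code, ident, attrs_bytes, b"\x00" * 16, secret)

def verify(pkt, secret, request_auth=None):
    """Recompute the authenticator of a reply (request_auth given) or of an
    Accounting-Request (request_auth None). A mismatch means: discard the packet."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    auth = request_auth if request_auth is not None else b"\x00" * 16
    expected = response_authenticator(code, ident, pkt[20:], auth, secret)
    return hmac.compare_digest(expected, pkt[4:20])

def demo(secret=b"constructed-shared-secret"):
    """Constructed round trip with bob / ge55gep / 207.12.4.1 from the data-flow slide."""
    req_auth = os.urandom(16)                       # random Request Authenticator
    req_attrs = encode_attrs([(USER_NAME, b"bob"),
                              (USER_PASSWORD, hide_password(b"ge55gep", secret, req_auth)),
                              (NAS_IP_ADDRESS, bytes([207, 12, 4, 1]))])
    req = packet(ACCESS_REQUEST, 1, req_auth, req_attrs)
    got = dict(decode_attrs(req[20:]))              # server decodes the TLVs
    recovered = reveal_password(got[USER_PASSWORD], secret, req[4:20])
    acc_attrs = encode_attrs([(FRAMED_IP_ADDRESS, bytes([217, 213, 21, 5])),
                              (SESSION_TIMEOUT, struct.pack("!I", 3600))])
    accept = packet(ACCESS_ACCEPT, 1,
                    response_authenticator(ACCESS_ACCEPT, 1, acc_attrs, req_auth, secret), acc_attrs)
    modified = accept[:-4] + struct.pack("!I", 36000)   # Session-Timeout altered in transit
    acct_attrs = encode_attrs([(ACCT_STATUS_TYPE, struct.pack("!I", 1)), (USER_NAME, b"bob")])
    acct = packet(ACCOUNTING_REQUEST, 2,
                  acct_request_authenticator(ACCOUNTING_REQUEST, 2, acct_attrs, secret), acct_attrs)
    return {"hidden_len": len(got[USER_PASSWORD]),    # 16: a short password is padded up
            "recovered": recovered,
            "accept_ok": verify(accept, secret, req_auth),
            "modified_ok": verify(modified, secret, req_auth),
            "acct_ok": verify(acct, secret),
            "acct_wrong_secret": verify(acct, b"wrong-secret")}
```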

Page 25

Example of successful auth: Dial-in user with PAP

(Diagram) User PC - POTS - Modem - PSTN - RADIUS client (NAS) - IP - RADIUS server

Access-Request (1) - ID=1
  User-Name (1) = "pepe"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 255.255.255.254
  Framed-IP-Netmask (9) = 255.255.255.255
  Framed-Routing (10) = None (0)
  Framed-Compression (13) = VJ TCP/IP (1)
  Framed-MTU (12) = 1500
  Session-Timeout (27) = 7200

Page 26

Example of a PPPoA (ADSL) connection

(Diagram) PPPoA client - ADSL line - DSLAM - ATM - RADIUS client (BRAS) - IP - RADIUS server

Access-Request (1) - ID=1
  User-Name = "user11@aunadsl"
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 1.2.3.4
  NAS-Port = 3329
  Ascend-NAS-Port-Format = 2_4_5_5
  NAS-Port-Type = Sync
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Acct-Session-Id = "483015958"

Access-Accept (2) - ID=1
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Ascend-Source-IP-Check = Source-IP-Check-Yes
  Ascend-IP-Source-If = "sip100"
  Framed-Pool = 1
  Filter-Id = Foo
  Ascend-Filter-Required = Required-Yes

For ADSL with PPPoA, there is no Called-Station-Id or Calling-Station-Id. For PPPoE, they represent the Ethernet MAC addresses.

Page 27

Example of a UMTS/GPRS connection

(Diagram) Mobile - Node B - RNC - SGSN - RADIUS client (GGSN) - IP - RADIUS server

The APN is sent in Called-Station-Id. It is used for the user to select the GGSN.

Access-Request (1) - ID=1
  NAS-Identifier (32) = "B-CER1N-GGSN2"
  User-Name (1) = "WAPTM"
  User-Password (2) = "§oà\009KFÏ\020#\145+\146®îf"
  NAS-Port-Type (61) = Virtual (5)
  Calling-Station-Id (31) = "34679912214"
  Called-Station-Id (30) = "wap.movistar.es"
  Acct-Session-Id (44) = "646704d51e069701"

Access-Accept (2) - ID=1
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  Framed-IP-Address (8) = 10.11.12.13
  Framed-IP-Netmask (9) = 255.255.255.255
  Session-Timeout (27) = 7200
  Idle-Timeout (28) = 3600

Page 28

Example for CDMA2000 1xEVDO (HRPD): AN-AAA (A12 interface) (IS-878)

The A12 interface (AN-AAA) is used:
- to perform access authentication (with CHAP) of the AT device by the AN. The User-Name is the IMSI of the SIM card (MCC, MNC, MN_ID).
- to return the MN ID (e.g. IMSI) that is used on the A8/A9 and A10/A11 interfaces. This ID permits handoffs of PDSN packet data sessions between ANs and between HRPD and cdma2000 systems.

(Diagram) AT (Access Terminal) - BS (Base Station) - RNC/PCF (BS Controller) - A8/A9 - A10/A11 - PDSN (Packet Data Serving Node); PPP runs between the AT and the PDSN.

Access-Request
  User-Name = [email protected]
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 192.168.20.2
  3GPP2-HRPD-Access-Authentication = True
  3GPP2-AT-Hardware-Id = 012…9012

Access-Accept (2)
  Callback-Id (20) = 0260071234567890

Page 29

Example for CDMA2000 1xEVDO (HRPD): PDSN-AAA for Simple IP (IS-835)

- The PDSN is the "classical" PPP server.
- The AAA server might return 1 IPv4 and/or 1 IPv6 address for the user to choose, or the PDSN will select it from a local pool.
- New Access-Requests are sent when the AT hands off between PCFs. They are correlated to the current session with the 3GPP2-Correlation-Id AVP.

(Diagram) AT (Access Terminal) - BS (Base Station) - RNC/PCF (BS Controller) - A10/A11 - PDSN (Packet Data Serving Node); PPP runs between the AT and the PDSN.

Access-Request
  User-Name = [email protected]
  CHAP-Password = "\0011\266…\303"
  CHAP-Challenge = "e\241\…\000"
  NAS-IP-Address = 192.168.30.3
  NAS-Port-Type = Wireless-1X-EV
  3GPP2-Correlation-Id = 1234
  Calling-Station-Id = 0260071234567890

Access-Accept
  [Framed-IP-Address = 10.1.2.3]
  Session-Timeout = 7200

Page 30

Example of pre-auth followed by PPP negotiation

- The pre-auth is done before the NAS takes the call off-hook. Requires ISDN signalling (Q.931) or SS7 with a Softswitch (MGC).
- The server decides to allow/refuse taking the call off-hook based on the calling number (CLID) or the called number (DNIS).
- PPP users normally must also do PPP authentication (PAP, CHAP, etc.) later.

(Diagram) PSTN - NAS - IP - RADIUS server

Access-Request (1) - ID=127
  User-Name (1) = "909390390"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 909390390
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=127
  Ascend-Require-Auth (26->529(201)) = Require-Auth (1)

Page 31

Example of pre-auth for dataphones (PoS)

The RADIUS server instructs the NAS how to handle this call, and even what modulation to use, before taking the call off-hook. The bank system has an X.25 network.

(Diagram) Dataphone - PSTN - NAS - IP - RADIUS server; the NAS also reaches a PAD on the X.25 network of Bank X.

Access-Request (1) - ID=10
  User-Name (1) = "090"
  User-Password (2) = Ascend-DNIS
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  NAS-Port-Type (61) = Async (0)
  Service-Type (6) = Call-Check (10)
  Called-Station-Id (30) = 090
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=10
  User-Name = "PoS"
  Service-Type = Login
  Login-Service = TCP-clear
  Login-IP-Host = 192.168.20.4
  Login-TCP-Port = 8419
  Ascend-AT-Answer-String = "&t4s18=15+MS=1&g2S220=11S221=50S10=3"

Page 32

Example of proxy-radius

A RADIUS server redirects the request to a remote server, based on Called-Station-Id or the user realm.

(Diagram) NAS - IP - Forwarding Server - IP - Remote Server

1. NAS -> Forwarding Server: Access-Request (1) - ID=100
     User-Name (1) = "pepe@realm1"
     User-Password (2) = 5E%&gn)8
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
2. Forwarding Server -> Remote Server: Access-Request (1) - ID=200
     User-Name (1) = "pepe@realm1"
     User-Password (2) =
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
     [Proxy-State (33) = 11379994]
3. Remote Server -> Forwarding Server: Access-Accept (2) - ID=200
     Service-Type (6) = Framed (2)
     Framed-Protocol (7) = PPP (1)
     [Proxy-State (33) = 11379994]
4. Forwarding Server -> NAS: Access-Accept (2) - ID=100
     Service-Type (6) = Framed (2)
     Framed-Protocol (7) = PPP (1)
     Framed-IP-Address (8) = 198.197.196.195
     Framed-IP-Netmask (9) = 255.255.255.255
     Session-Timeout (27) = 36000

Page 33

Example of PPP tunneling. Attribute coding as in RFC 2868 (tagged)

(Diagram) User - POTS - Modem - POTS - RADIUS client / tunnel client (LAC) - Public IP network - Public RADIUS server. Tunnel server (LNS) 1.1.1.1 and Tunnel server (LNS) 2.2.2.2 sit in front of the Intranet and the corporate RADIUS server.

Access-Request (1) - ID=8
  User-Name (1) = "pepe@tunnel"
  CHAP-Password (3) = 5E%&gn)8
  CHAP-Challenge (60) = A0B1...23
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 20
  Service-Type (6) = Framed (2)
  Framed-Protocol (7) = PPP (1)
  NAS-Port-Type (61) = Async (0)
  Called-Station-Id (30) = 917529000
  Calling-Station-Id (31) = 918078419

Access-Accept (2) - ID=8
  Tunnel-Type (64) = L2TP : 1
  Tunnel-Medium-Type (65) = IPv4
  Tunnel-Server-Endpoint (67) = 1.1.1.1 : 1
  Tunnel-Password (69) = loloaqic : 1
  Tunnel-Type (64) = PPTP : 2
  Tunnel-Server-Endpoint (67) = 2.2.2.2 : 2
  Tunnel-Password (69) = itsAsecret : 2

Page 34

Example for IPsec authentication: X-auth over IKE with Lucent Brick-LSMS

- Example with IKE authentication of the tunnel endpoints with a pre-shared key.
- User authentication with X-auth, with login/password.

(Diagram) IPsec client (= user) - X-auth in IKE - IPsec server (Lucent Brick, 135.88.101.91) - RADIUS client (LSMS, 135.88.101.111) - RADIUS server

Access-Request (1) - ID=150
  User-Name (1) = "usu1"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 135.88.101.111
  Called-Station-Id (30) = 135.88.101.91
  Service-Type (6) = Authenticate-Only (8)
  NAS-Port-Type (61) = Virtual (5)

Access-Accept (2) - ID=150
  Session-Timeout (27) = 86400
  Idle-Timeout (28) = 3600
  [Connect-Info (77) = user_group1]
  [Framed-IP-Address (8) = 135.88.101.222]

Page 35

Authentication for device administration. Example with Lucent TAOS

(Diagram) Administrator host 1.2.3.4 - telnet - TNT2 - IP - RADIUS server

Access-Request (1) - ID=10
  User-Name (1) = "amdinuser"
  User-Password (2) = 5E%&gn)8
  NAS-IP-Address (4) = 192.168.20.2
  NAS-Port (5) = 0
  NAS-Port-Type (61) = Virtual (5)
  Service-Type (6) = Administrative (6)
  [Calling-Station-Id = 1.2.3.4]

Access-Accept (2) - ID=10
  Service-Type (6) = Administrative (6)
  Ascend-Telnet-Profile (26->529:91) = "Admin"

Page 36

Example of failed authentication: Crypto-Card (Challenge-Response)

(Diagram) User - PSTN - NAS - IP - RADIUS server - proprietary protocol - Token Card Server

1. NAS -> RADIUS server: Access-Request (1) - ID=2
     User-Name (1) = "mycard"
     User-Password (2) =
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
2, 3. RADIUS server <-> Token Card Server: proprietary protocol
4. RADIUS server -> NAS: Access-Challenge (11) - ID=2
     Reply-Message (18) = "Challenge:12345678"
     State (24) = "13579"
     Prompt (76) = Echo (1)
     Session-Timeout (27) = 120
5. NAS -> user: Challenge: 12345678
6. User -> NAS: Response: 24058419
7. NAS -> RADIUS server: Access-Request (1) - ID=3
     User-Name (1) = "mycard"
     User-Password (2) = 24058419
     NAS-IP-Address (4) = 192.168.20.2
     NAS-Port (5) = 27
     State (24) = "13579"
8. RADIUS server -> NAS: Access-Reject (3) - ID=3
     Reply-Message (18) = "Invalid Credentials"

Page 37

Digest Authentication for HTTP/SIP (I) (RFC 4590)

Example to authenticate & authorize every VoIP call (INVITE). The authentication could also be done only during registration.

(Diagram) Calling SIP UA (AOR: [email protected]) - SIP proxy server (RADIUS client) - RADIUS server with users' database; called SIP UA (AOR: [email protected])

1. SIP UA -> SIP proxy: INVITE
     From: <sip:[email protected]>
     To: <sip:[email protected]>
2. SIP proxy -> SIP UA: 100 TRYING
3. SIP proxy -> RADIUS server: Access-Request
     User-Name = 123
     NAS-IP-Address = 192.0.2.38
     NAS-Port-Type = Virtual
     Digest-Method = INVITE
     Digest-URI = sip:[email protected]
     Message-Authenticator = 08…8043
4. RADIUS server -> SIP proxy: Access-Challenge
     Digest-Nonce = 3bada1a0
     Digest-Realm = example.com
     Digest-Qop = auth
     Digest-Algorithm = MD5
     Message-Authenticator = f8…da40
     State = 27
5. SIP proxy -> SIP UA: 407 Proxy Authentication Required
     Proxy-Authenticate: Digest realm="example.com", nonce="3bada1a0", qop=auth, algorithm=MD5
     Content-Length: 0
6. SIP UA -> SIP proxy: ACK

Page 38

Digest Authentication for HTTP/SIP (II) (RFC 4590)

(Diagram) Calling SIP UA (AOR: [email protected]) - SIP proxy server (RADIUS client) - RADIUS server with users' database; called SIP UA (AOR: [email protected])

1. SIP UA -> SIP proxy: INVITE
     From: <sip:[email protected]>
     To: <sip:[email protected]>
     Proxy-Authorization: Digest username="123", realm="example.com", response="f3c…97a4", algorithm="md5", nonce="3bada1a0", uri="sip:[email protected]", qop=auth, algorithm=MD5
2. SIP proxy -> RADIUS server: Access-Request
     User-Name = 123
     NAS-IP-Address = 192.0.2.38
     NAS-Port-Type = Virtual
     Digest-Method = INVITE
     Digest-URI = sip:[email protected]
     SIP-AOR = sip:[email protected]
     Digest-Username = 123
     Digest-Realm = example.com
     Digest-Response = f3c…97a4
     Digest-Cnonce = 0a7e75c4
     Digest-Nonce-Count = 1
     Digest-Algorithm = md5
     Digest-Nonce = 3bada1a0
     Digest-Qop = auth
     Message-Authenticator = ff…e0ff
     State = 27
3. RADIUS server -> SIP proxy: Access-Accept
     Digest-Response-Auth = 63…e954
     Digest-Nextnonce = fd0a…8765
     Message-Authenticator = 75…aaf1

NOTE: The next authentication for this user could save a round-trip if the RADIUS client uses the Digest-Nextnonce to challenge the user.
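The RADIUS server's side of the exchange on these two slides, as an added example that is not part of the original course material: it recomputes the RFC 2617 digest from the Digest-* attributes the SIP proxy copies out of Proxy-Authorization, rejects a nonce it never issued or a wrong response, and returns Digest-Response-Auth and a fresh Digest-Nextnonce. The user's password, the callee URI and the users' database are constructed; username 123, realm example.com, nonce 3bada1a0 and cnonce 0a7e75c4 are the slide's values.

```python
import hashlib
import hmac
import secrets

def _md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the only step that needs the password."""
    return _md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_rspauth(ha1, uri, nonce, nc, cnonce, qop):
    """Digest-Response-Auth: same formula, but HA2 = MD5(':' uri), i.e. without the method."""
    ha2 = _md5hex(f":{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(attrs, users, issued_nonces):
    """RADIUS server side of RFC 4590: check the Digest-* attributes of the
    Access-Request. Returns (accept, reply attributes)."""
    nonce = attrs.get("Digest-Nonce")
    if nonce not in issued_nonces:
        return False, {}                     # nonce this server never issued: reject
    if attrs.get("Digest-Qop") != "auth" or attrs.get("Digest-Algorithm", "MD5").upper() != "MD5":
        return False, {}                     # only qop=auth with MD5 is handled here
    password = users.get(attrs.get("Digest-Username"))
    if password is None:
        return False, {}
    nc = f"{int(attrs['Digest-Nonce-Count'], 16):08x}"   # normalise "1" -> "00000001"
    ha1 = digest_ha1(attrs["Digest-Username"], attrs["Digest-Realm"], password)
    expected = digest_response(ha1, attrs["Digest-Method"], attrs["Digest-URI"],
                               nonce, nc, attrs["Digest-Cnonce"], "auth")
    if not hmac.compare_digest(expected, attrs["Digest-Response"].lower()):
        return False, {}
    nextnonce = secrets.token_hex(4)         # offered for the next request (saves a round trip)
    issued_nonces.add(nextnonce)
    rspauth = digest_rspauth(ha1, attrs["Digest-URI"], nonce, nc, attrs["Digest-Cnonce"], "auth")
    return True, {"Digest-Response-Auth": rspauth, "Digest-Nextnonce": nextnonce}

def demo():
    users = {"123": "constructed-password"}  # constructed users' database
    issued = {"3bada1a0"}                    # nonce sent in the Access-Challenge on the slide
    uri = "sip:callee@example.com"           # constructed callee URI
    # What the UA computes and the proxy copies into the Digest-* attributes:
    ha1 = digest_ha1("123", "example.com", users["123"])
    attrs = {"Digest-Username": "123", "Digest-Realm": "example.com",
             "Digest-Method": "INVITE", "Digest-URI": uri,
             "Digest-Nonce": "3bada1a0", "Digest-Nonce-Count": "1",
             "Digest-Cnonce": "0a7e75c4", "Digest-Qop": "auth", "Digest-Algorithm": "md5"}
    attrs["Digest-Response"] = digest_response(ha1, "INVITE", uri, "3bada1a0", "00000001", "0a7e75c4", "auth")
    ok, reply = server_verify(attrs, users, issued)
    replayed = dict(attrs, **{"Digest-Nonce": "ffffffff"})       # nonce never issued
    ok_replay, _ = server_verify(replayed, users, issued)
    wrong = dict(attrs, **{"Digest-Response": "0" * 32})        # wrong password or tampering
    ok_wrong, _ = server_verify(wrong, users, issued)
    return ok, reply, ok_replay, ok_wrong
```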

Page 39

Main attributes (I) (RFC 2865)

Attribute format: attribute ID (1 byte), attribute length (1 byte), attribute value (...).

- User-Name (1) - Mandatory in Access-Request & Acct-Request. The server may send it back in the Access-Accept, so that the NAS sends this new User-Name in Acct-Request packets.
- User-Password (2) - Encrypted password with PAP authentication. Minimum length: 16 bytes (due to the encryption algorithm). Only in Access-Request. Also contains the characters introduced by the user after an Access-Challenge.
- CHAP-Password (3) - Encrypted password with CHAP authentication.

Main attributes (II)

CHAP-Challenge (60) - Challenge sent from the NAS to the user for CHAP authentication
  Optionally, this CHAP challenge can be sent in the authenticator field

NAS-IP-Address (4) - IP address of the RADIUS client

NAS-Port (5) - Physical port (modem) in the NAS processing the connection
  If there is no physical modem, this number is virtual (a sequence number)

Service-Type (6) - Type of service the user is requesting (Access-Request), or (s)he is allowed to have (Access-Accept):
  Login (1): The user is doing a telnet (TCP connection) to a host
  Framed (2): Usually, a PPP session with an IP address
  Callback Login (3), Callback Framed (4)
  Administrative (6): to manage a NAS via telnet
  Call-Check (10): for pre-authentication

RFC 2865

Main attributes (III)

Framed-Protocol (7): when Service-Type=Framed
  PPP (1), SLIP (2), etc.

Framed-IP-Address (8): IP address to assign to the user. Can be:
  A regular IP address
  A special address with a meaning:
    255.255.255.254 = The NAS dynamically assigns one from any pool
    255.255.255.255 = The user may choose his/her IP address

Framed-IP-Netmask (9): Usually 255.255.255.255 (1 IP address)

Framed-Routing (10): Used for modem-routers talking RIP: None (0), Send routing packets (1), Listen for routing packets (2), Send and Listen (3)

Filter-Id (11) - Name of the filter to apply to the user
  This filter name must be defined in the NAS or with a VSA

RFC 2865

Main attributes (IV)

Framed-MTU (12) - 'Maximum Transmission Unit' for layer 2

Framed-Compression (13): VJ TCP/IP header compression for PPP (1)

Login-IP-Host (14): In the Access-Accept, the server tells the NAS the IP address of the host to establish a TCP connection to. Used when Service-Type=Login

Login-Service (15) - When Service-Type=Login: Telnet (0), Rlogin (1), TCP Clear (2), etc.

Reply-Message (18) - For an Access-Challenge, the message to show to the user.
  For an Access-Reject, it may contain the reason for rejecting the connection

RFC 2865

Main attributes (V)

Vendor-Specific (26) - Specific attributes for this device, not defined by the IETF but by the vendor who made the device (NAS)

Session-Timeout (27) - Max. connection time (sec.)

Idle-Timeout (28) - Max. idle time (sec.)

Called-Station-Id (30) - Also called DNIS. In GPRS/UMTS: APN

Calling-Station-Id (31) - Also called CLID

Vendor-Specific attribute layout (figure; field sizes in bytes):
  ID=26 (1) | Length (1) | Vendor ID (4) | VSA1 ID (1 or 2) | VSA1 Length (1) | VSA1 Value | VSA2 ID | VSA2 Length | VSA2 Value | ...

RFC 2865

Main attributes (& VI)

NAS-Id (32) - Alternative to the NAS-IP-Address attribute to identify the NAS sending the requests

Proxy-State (33) - May be used when a server is acting as proxy-RADIUS. The NAS never receives this attribute

NAS-Port-Type (61) - Async/POTS (0), Sync (1), ISDN Sync (2), ISDN Async V.120 (3), ISDN Async V.110 (4) = Mobile
  Virtual (5): i.e., access via telnet
  xDSL (16), Cable (17)
  GPRS (18), Wi-Fi=802.11 (19), CDMA2000 (22), UMTS (23)

Port-Limit (62) - To limit the max. number of calls that can be bonded together with MP (Multilink Protocol), or of concurrent sessions with the same User-Name

RFC 2865

Protocol enhancement: RFC's 2867->2869

In RFC's 2867 and 2868 new attributes are defined for tunneled connections (mainly L2TP)

RFC 2869 defines some general user attributes:

Prompt (76) - In a Challenge-Response, to tell the NAS whether it has to echo the user response

Connect-Info (77) - May show info about the user connection and speed. The format is NAS/vendor dependent. E.g.: "28800 V42BIS/LAPM", "52000/31200 V90", "9600 V110/ISDN"

Acct-Interim-Interval (85) - The RADIUS server can order the NAS to send Interim acct packets with a certain periodicity

Framed-Pool (88) - In the Access-Accept, to tell the NAS what pool to use for user IP address assignment. This pool must be defined locally in the NAS

RFC's 2867->9

Packet coding

01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03

Message Type = Access-Request (1)                         -> 01
Packet ID = 1                                             -> 01
Length = 56                                               -> 00 38
Request Authenticator (16 bytes)                          -> 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a
Attrib ID = User-Name (1), Length = 6, Value = nemo       -> 01 06 6e 65 6d 6f
Attrib ID = User-Password (2), Length = 18, Value = password encrypted using the authenticator field -> 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee
Attrib ID = NAS-IP-Address (4), Length = 6, Value = 192.168.1.16 -> 04 06 c0 a8 01 10
Attrib ID = NAS-Port (5), Length = 6, Value = 3           -> 05 06 00 00 00 03
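As an added example (not the deck's own code), the following parses this hex dump into the fields the slide labels, with the length checks a receiver needs, and implements the User-Password hiding of RFC 2865 section 5.2 that slide 39 alludes to when it says the attribute is at least 16 bytes long. RFC 2865 section 7.1 presents this same packet and states that it was built with the shared secret xyzzy5461; that secret is only used in the stand-alone demonstration at the bottom, the parsing itself needs none. The tiny attribute dictionary is limited to the four attributes in the packet.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Hex dump from the slide (RFC 2865 section 7.1 shows the same packet).
SLIDE_PACKET_HEX = (
    "01 01 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a "
    "01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f "
    "78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03"
)

# Minimal dictionary: only the codes and attributes that occur in this packet.
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port"}


def parse_packet(raw: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes.
    Bounds checks follow RFC 2865 section 3: Length must cover at least the
    20-byte header and no more than the datagram; each attribute needs a length
    of at least 2 and must end inside the packet."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError(f"Length field {length} does not fit {len(raw)} received bytes")
    attributes, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attributes.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": raw[4:20], "attributes": attributes}


def decode_value(atype: int, value: bytes):
    """Decode the attribute types used in the slide: text, ipaddr, integer.
    User-Password stays opaque: it can only be unhidden with the shared secret."""
    if atype == 1:
        return value.decode("utf-8")
    if atype == 4:
        return str(IPv4Address(value))
    if atype == 5:
        return struct.unpack("!I", value)[0]
    return value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each 16-byte chunk with MD5(secret + previous ciphertext chunk), the
    first chunk using the Request Authenticator. The padding is why the attribute
    value is at least 16 bytes long."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does), stripping the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")


def describe_slide_packet() -> dict:
    """Parse the slide's hex dump into the labelled fields the slide shows."""
    pkt = parse_packet(bytes.fromhex(SLIDE_PACKET_HEX))
    fields = {"Message Type": CODE_NAMES.get(pkt["code"], pkt["code"]),
              "Packet ID": pkt["id"], "Length": pkt["length"]}
    for atype, value in pkt["attributes"]:
        fields[ATTR_NAMES.get(atype, f"Attr-{atype}")] = decode_value(atype, value)
    return fields


if __name__ == "__main__":
    pkt = parse_packet(bytes.fromhex(SLIDE_PACKET_HEX))
    for name, value in describe_slide_packet().items():
        print(f"{name} = {value!r}")
    hidden = dict(pkt["attributes"])[2]
    # With the secret RFC 2865 used for this packet the cleartext comes back;
    # with any other secret the result is 16 bytes of garbage, not an error.
    print("User-Password (unhidden) =", unhide_password(hidden, b"xyzzy5461", pkt["authenticator"]))
```

Note that unhiding with a wrong secret yields no error, just noise: the scheme is an MD5 keystream XOR, which offers no integrity and is only as strong as the shared secret, so the secret must be long and random and User-Password must never travel without a Message-Authenticator or a protected transport.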

Accounting special attributes (I)

Acct-Status-Type (40) - Type of accounting packet:
  Start (1), Stop (2), Interim-Update (3), etc.
  Accounting-On (7), Accounting-Off (8): The NAS is going to be/has been rebooted and won't send the Stop packets of the users connected at that moment

Acct-Delay-Time (41) - Number of seconds between the acct event time and the generation of this packet. Used mainly in retransmissions, with a value != 0

Acct-Input-Octets (42) - In Stop/Interim, bytes transmitted by the user (input bytes for the NAS) since the beginning of the session = Upstream

Acct-Output-Octets (43) - Bytes received by the user = Downstream

Acct-Input-Packets (47), Acct-Output-Packets (48) - The same counters, in packets instead of bytes

Accounting special attributes (& II)

Acct-Session-Id (44) - Identifies a session uniquely within the NAS
  This attribute may also be sent in the Access-Request packet (auth)
  The value must be the same in Start, Stop and Interim (and in auth)

Acct-Authentic (45) - How the user got authenticated: RADIUS (1), Local (2), Remote (3)

Acct-Session-Time (46) - How long (in seconds) the user was connected (Stop), or has been connected up to now (Interim)

Acct-Terminate-Cause (49) - General cause: User Request (1), Lost Carrier (2), Idle Timeout (4), Callback (16)…

Acct-Multi-Session-Id (50) - For MLPPP sessions, each call will have a different Acct-Session-Id, but the same Acct-Multi-Session-Id

Acct-Link-Count (51) - In MLPPP, the max number of channels that have been bonded together

Example of acct START packet (TAOS 9.x)

Tue Ago 28 11:15:45 2001
  User-Name = "user1_basic"
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Acct-Status-Type = Start
  Acct-Delay-Time = 0
  Acct-Session-Id = "262282375"
  Acct-Authentic = RADIUS
  Calling-Station-Id = "917410029"
  Called-Station-Id = "917434000"
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1

Example of acct STOP packet (I) (TAOS 9.x)

Tue Ago 28 11:16:59 2001
  User-Name = "user1_basico"
  NAS-IP-Address = 192.168.10.1
  NAS-Port = 31
  Ascend-NAS-Port-Format = 2_4_5_5
  Service-Type = Framed-User
  NAS-Port-Type = Async
  Acct-Status-Type = Stop
  Acct-Delay-Time = 0
  Acct-Session-Id = "262282375"
  Acct-Authentic = RADIUS
  Acct-Session-Time = 74
  Acct-Input-Octets = 459078
  Acct-Output-Octets = 4440286
  Calling-Station-Id = "917410029"
  Called-Station-Id = "917434000"

Example of acct STOP packet (& II) (TAOS 9.x)

  Ascend-Data-Rate = 31200
  Ascend-Xmit-Rate = 48000
  Ascend-Disconnect-Cause = 185
  Ascend-Connect-Progress = LAN-session-is-up
  Ascend-PreSession-Time = 0
  Ascend-First-Dest = 10.81.44.111
  Ascend-Pre-Input-Octets = 174
  Ascend-Pre-Output-Octets = 204
  Ascend-Pre-Input-Packets = 7
  Ascend-Pre-Output-Packets = 8
  Ascend-Modem-PortNo = 6
  Ascend-Modem-SlotNo = 2
  Ascend-Modem-ShelfNo = 1
  Framed-Protocol = PPP
  Framed-IP-Address = 91.87.84.19

Message flow for a connection

Participants: the user (over the PSTN), the NAS, and the RADIUS Server. Packets from NAS to Server are requests; the Server answers each one.

1. Access-Request (NAS -> Server) / Access-Accept (Server -> NAS)
   Because of the signalling, the NAS is aware it has an incoming call. Optionally, it asks the RADIUS server before taking the call off-hook (pre-auth)

2. Access-Request (NAS -> Server) / Access-Accept (Server -> NAS)
   After taking the call off-hook, a "regular" auth packet is sent (User-Name/Password)

3. Accounting-Request (START) (NAS -> Server) / Accounting-Response (Server -> NAS)
   The user successfully starts the session

4. Accounting-Request (INTERIM) / Accounting-Response, repeated
   Optionally, the NAS informs the server periodically that the session is still up

5. Accounting-Request (STOP) (NAS -> Server) / Accounting-Response (Server -> NAS)
   The user hangs up

Accounting-Off example

An Accounting-Off packet MAY be sent when the NAS stops sending accounting packets for users, because of a reset, or because the RADIUS feature has been disabled

RADIUS client (NAS) -> RADIUS server, over IP:
  Acct-Request (4) - ID=27
    NAS-IP-Address (4) = 192.168.20.2
    Acct-Status-Type (40) = Accounting-Off (8)
    Acct-Delay-Time (41) = 10
    Acct-Session-Id (44) = 891236709

RADIUS server -> RADIUS client (NAS):
  Acct-Response (5) - ID=27
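A server-side consumer of the accounting stream described on slides 47 to 53, as an added example that is not part of the deck: it keys sessions by (NAS-IP-Address, Acct-Session-Id), folds Interim-Update counters in, combines the octet counters with their Gigawords, backdates each event by Acct-Delay-Time, and closes every open session of a NAS when an Accounting-On/Off arrives, since their Stop packets will never come. The records are constructed in the attribute = value form the slides use; the session id, user and addresses of the first session are the slide's, the rest is invented.

```python
GIGAWORD = 2 ** 32

# Constructed accounting records as (seconds when received, attributes). The first
# session reuses the slide's NAS, Acct-Session-Id, user and address; the second
# session, the stray Stop and the Accounting-Off are invented for the example.
SAMPLE_RECORDS = [
    (1000, {"NAS-IP-Address": "192.168.10.1", "Acct-Status-Type": "Start",
            "Acct-Session-Id": "262282375", "User-Name": "user1_basic",
            "Framed-IP-Address": "91.87.84.19", "Acct-Delay-Time": 0}),
    (1030, {"NAS-IP-Address": "192.168.10.1", "Acct-Status-Type": "Interim-Update",
            "Acct-Session-Id": "262282375", "Acct-Session-Time": 30,
            "Acct-Input-Octets": 120000, "Acct-Output-Octets": 900000}),
    (1040, {"NAS-IP-Address": "192.168.10.1", "Acct-Status-Type": "Start",
            "Acct-Session-Id": "262282376", "User-Name": "user2",
            "Framed-IP-Address": "91.87.84.20"}),
    (1079, {"NAS-IP-Address": "192.168.10.1", "Acct-Status-Type": "Stop",
            "Acct-Session-Id": "262282375", "Acct-Session-Time": 74,
            "Acct-Input-Octets": 459078, "Acct-Output-Octets": 4440286,
            "Acct-Output-Gigawords": 1, "Acct-Terminate-Cause": "User-Request",
            "Acct-Delay-Time": 5}),                        # retransmitted 5 s late
    (1090, {"NAS-IP-Address": "192.168.10.1", "Acct-Status-Type": "Stop",
            "Acct-Session-Id": "999999999", "Acct-Session-Time": 3}),
    (1200, {"NAS-IP-Address": "192.168.10.1", "Acct-Status-Type": "Accounting-Off",
            "Acct-Session-Id": "891236709", "Acct-Delay-Time": 10}),
]


def total_octets(rec: dict, direction: str) -> int:
    """Acct-*-Octets is a 32-bit counter; RFC 2869 adds Acct-*-Gigawords as the
    high-order word (the number of times the octet counter wrapped)."""
    return (rec.get(f"Acct-{direction}-Gigawords", 0) * GIGAWORD
            + rec.get(f"Acct-{direction}-Octets", 0))


class SessionTracker:
    """Rebuilds sessions from Start / Interim-Update / Stop / Accounting-On|Off records."""

    def __init__(self):
        self.sessions = {}   # (NAS-IP-Address, Acct-Session-Id) -> session dict
        self.alerts = []     # orphan packets, sessions closed without a Stop, duplicate Starts

    def feed(self, received_at: int, rec: dict) -> None:
        nas, status = rec["NAS-IP-Address"], rec["Acct-Status-Type"]
        # Slide 47: Acct-Delay-Time is the delay between the event and this packet
        event_time = received_at - rec.get("Acct-Delay-Time", 0)
        if status in ("Accounting-On", "Accounting-Off"):
            # The NAS rebooted or stopped accounting: Stop packets for its open
            # sessions will never arrive, so close them here (RFC 2866 cause NAS-Reboot)
            for (s_nas, sid), s in self.sessions.items():
                if s_nas == nas and s["state"] == "open":
                    s.update(state="closed", stop_time=event_time, terminate_cause="NAS-Reboot")
                    self.alerts.append(f"{nas}: session {sid} closed by {status}, no Stop received")
            return
        key = (nas, rec["Acct-Session-Id"])
        if status == "Start":
            if key in self.sessions:
                self.alerts.append(f"{nas}: duplicate Start for Acct-Session-Id {key[1]}")
                return
            self.sessions[key] = {"state": "open", "user": rec.get("User-Name"),
                                  "ip": rec.get("Framed-IP-Address"), "start_time": event_time,
                                  "in": 0, "out": 0, "duration": 0,
                                  "stop_time": None, "terminate_cause": None}
            return
        session = self.sessions.get(key)
        if session is None:
            self.alerts.append(f"{nas}: {status} for unknown Acct-Session-Id {key[1]}")
            return
        # Interim and Stop both carry cumulative counters since the session began
        session["in"], session["out"] = total_octets(rec, "Input"), total_octets(rec, "Output")
        session["duration"] = rec.get("Acct-Session-Time", session["duration"])
        if status == "Stop":
            session.update(state="closed", stop_time=event_time,
                           terminate_cause=rec.get("Acct-Terminate-Cause"))

    def open_sessions(self, nas: str) -> list:
        return [sid for (s_nas, sid), s in self.sessions.items()
                if s_nas == nas and s["state"] == "open"]


def run_sample() -> SessionTracker:
    tracker = SessionTracker()
    for received_at, rec in SAMPLE_RECORDS:
        tracker.feed(received_at, rec)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for key, s in t.sessions.items():
        print(key, s)
    print("\n".join(t.alerts))
```

Sessions closed by an Accounting-Off keep the counters of their last Interim-Update, which is the reason for asking the NAS for interim records (Acct-Interim-Interval, slide 45) when billing depends on them.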

Files in the server

Clients
  Contains information about the RADIUS clients: IP address or FQDN
  Shared secret key
  Optionally, the type of NAS, to know what dictionary it uses

Dictionary
  Definition of all RADIUS attributes and their numeric coding
  In text format: a person can read and edit that file
  Type of attribute: Text, String, Integer, IP Address, Date
  Possible values for enumeration attributes

Dictionary

#Keyword   Attribute Name             Attr.Num  Attr.Type
ATTRIBUTE  User-Name                  1         string
ATTRIBUTE  Password                   2         string
ATTRIBUTE  CHAP-Password              3         string
ATTRIBUTE  NAS-IP-Address             4         ipaddr
...
# TAOS specific attributes (Ascend 0-255)
ATTRIBUTE  Ascend-IP-Pool-Chaining    85        integer    Ascend
ATTRIBUTE  Ascend-IP-TOS              87        integer    Ascend
ATTRIBUTE  Ascend-IP-TOS-Precedence   88        integer    Ascend
...
# RFC Attribute Values
VALUE      Service-Type  Login-User            1
VALUE      Service-Type  Framed-User           2
VALUE      Service-Type  Callback-Login-User   3
...
# Vendor codes
VENDOR     base        0
VENDOR     livingston  307
VENDOR     Ascend      529
VENDOR     Lucent1751  1751

Dictionary File Decoding

RADIUS Request (bytes): ... | 6 | 6 | 0 | 0 | 0 | 2 | ...
  Attribute Number = 6
  Attribute Length (in bytes) = 6
  Attribute Value = 0 0 0 2 (the integer 2)

RADIUS Dictionary:
  ATTRIBUTE  Service-Type  6  integer       -> attribute number 6 is "Service-Type", of type integer
  VALUE      Service-Type  Framed-User  2   -> value 2 of Service-Type is "Framed-User"

Decoded attribute: Service-Type = Framed-User

Dictionary VSAs

Example dictionary entry:

# Name                Number  Type    [Vendor]  [(Modifiers)]
VENDOR    Ascend              529
ATTRIBUTE Ascend-Send-Secret  214     string  Ascend    (asecret,hidden)

On the wire (figure):
| Attr. Number = 26 | Total Attr. Length | Vendor ID = 529 | data |
  where data = | VSA Attr. Number = 214 | VSA Attr. Length | VSA Attr. data |
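Decoding with such a dictionary, as an added example (not the deck's code): a parser for the ATTRIBUTE / VALUE / VENDOR lines shown on the Dictionary slides and a decoder that applies it to raw attribute bytes, unwrapping Vendor-Specific (26) into its Vendor ID and sub-attributes as in the figure above, and resolving integer values through VALUE lines as in the Service-Type example. The dictionary text is constructed from the slides' entries; the Ascend-Send-Secret value is invented, and the syntax handled is the simple one on the slide (one vendor column, modifiers in parentheses), not any particular server's.

```python
import struct
from ipaddress import IPv4Address

# Dictionary text constructed from the entries on the slides, same syntax:
# Keyword  Name  Number  Type  [Vendor]  [(Modifiers)]
DICTIONARY_TEXT = """
#Keyword   Attribute Name             Attr.Num  Attr.Type  [Vendor]  [(Modifiers)]
ATTRIBUTE  User-Name                  1         string
ATTRIBUTE  Password                   2         string
ATTRIBUTE  NAS-IP-Address             4         ipaddr
ATTRIBUTE  Service-Type               6         integer
ATTRIBUTE  Vendor-Specific            26        string
# TAOS specific attributes (Ascend 0-255)
ATTRIBUTE  Ascend-IP-Pool-Chaining    85        integer    Ascend
ATTRIBUTE  Ascend-Send-Secret         214       string     Ascend    (asecret,hidden)
# RFC Attribute Values
VALUE      Service-Type  Login-User           1
VALUE      Service-Type  Framed-User          2
VALUE      Service-Type  Callback-Login-User  3
# Vendor codes
VENDOR     base        0
VENDOR     livingston  307
VENDOR     Ascend      529
"""


def parse_dictionary(text: str) -> dict:
    """Parse ATTRIBUTE / VALUE / VENDOR lines into the tables a decoder needs:
    attributes keyed by (vendor id, number) and enumeration names keyed by
    (attribute name, integer). ATTRIBUTE lines are resolved after all VENDOR
    lines have been read, so their order in the file does not matter."""
    vendors, attributes, values, attr_lines = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].upper()
        if keyword == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif keyword == "VALUE":
            values[(fields[1], int(fields[3]))] = fields[2]
        elif keyword == "ATTRIBUTE":
            attr_lines.append(fields)
    for fields in attr_lines:
        name, number, atype = fields[1], int(fields[2]), fields[3]
        extra = fields[4:]
        vendor = extra[0] if extra and not extra[0].startswith("(") else None
        modifiers = {m for f in extra if f.startswith("(") for m in f.strip("()").split(",") if m}
        vendor_id = vendors[vendor] if vendor else 0   # KeyError: vendor never declared
        attributes[(vendor_id, number)] = (name, atype, modifiers)
    return {"vendors": vendors, "attributes": attributes, "values": values}


def decode_attribute(dictionary: dict, atype: int, value: bytes, vendor_id: int = 0) -> list:
    """Render one attribute as 'Name = value' strings. Vendor-Specific (26) is
    unwrapped as in the figure: 4-byte Vendor ID, then vendor type/length/value
    triples (one VSA attribute may carry several sub-attributes), each decoded
    against the vendor's part of the dictionary."""
    if vendor_id == 0 and atype == 26:
        if len(value) < 6:
            raise ValueError("Vendor-Specific needs a Vendor ID and one sub-attribute")
        vid = struct.unpack("!I", value[:4])[0]
        decoded, pos = [], 4
        while pos < len(value):
            if len(value) - pos < 2:
                raise ValueError("truncated VSA sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError(f"VSA sub-attribute {vtype} has invalid length {vlen}")
            decoded += decode_attribute(dictionary, vtype, value[pos + 2:pos + vlen], vid)
            pos += vlen
        return decoded
    name, kind, modifiers = dictionary["attributes"].get(
        (vendor_id, atype), (f"Attr-{vendor_id}-{atype}", "string", set()))
    if kind == "integer":
        number = struct.unpack("!I", value)[0]
        shown = dictionary["values"].get((name, number), number)    # VALUE lookup
    elif kind == "ipaddr":
        shown = str(IPv4Address(value))
    elif "hidden" in modifiers:
        shown = "<hidden: needs the shared secret to decode>"
    else:
        shown = value.decode("utf-8", "replace")
    return [f"{name} = {shown}"]


def sample_decode() -> list:
    """Decode the Service-Type bytes of the decoding slide and a constructed Ascend
    VSA carrying two sub-attributes (214 Ascend-Send-Secret, 85 Ascend-IP-Pool-Chaining)."""
    dictionary = parse_dictionary(DICTIONARY_TEXT)
    service_type = bytes.fromhex("00000002")      # the | 6 | 6 | 0 0 0 2 | of the slide
    send_secret = b"s3cr3t-example"               # constructed value
    vsa = (struct.pack("!I", 529)
           + bytes([214, 2 + len(send_secret)]) + send_secret
           + bytes([85, 6]) + struct.pack("!I", 1))
    return decode_attribute(dictionary, 6, service_type) + decode_attribute(dictionary, 26, vsa)


if __name__ == "__main__":
    print("\n".join(sample_decode()))
```

The "hidden" modifier is honoured by refusing to print the value: attributes flagged that way are encrypted with the shared secret (the same scheme as User-Password), so a decoder without the secret can only show that a value is present.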

Device configuration via RADIUS (I)

Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), have the capability of asking a RADIUS server for certain configuration parameters

This configuration is based on certain pseudo-users with pre-defined User-Names

The TAOS device will send an Access-Request (1) to the server with Service-Type=Outbound-User

Example of pseudo-users in TAOS:
  banner - To configure a message for the Terminal Server
  pools-<device_name> - To define address pools for each device
  route-n - To define static routes and connections (Frame Relay, ATM, outgoing calls with PPP, etc.)

For other vendors, the pseudo-users may be different or even non-existent

Device configuration via RADIUS (II)

TAOS device (RADIUS client) -> RADIUS server, over IP:
  Access-Request (1) - ID=12
    User-Name (1) = "pools-TNT2"
    User-Password (3) = ascend
    NAS-IP-Address (4) = 192.168.20.2
    Service-Type (6) = Outbound-User (5)

RADIUS server -> TAOS device:
  Access-Accept (2) - ID=12
    Ascend-IP-Pool-Definition = "1 10.1.0.1 7"
    Ascend-IP-Pool-Definition = "2 10.2.0.1 48"

RADIUS extensions for NAS's

Some devices, such as Lucent-Ascend's with TAOS (TNT, APX, Stinger, etc.), can receive RADIUS packets to reconfigure already connected users

In this case, the NAS can be considered a server, as it receives requests and must send a response

The main actions a NAS may obey are:
  Disconnection of users
  Updating user filters on-the-fly

These instructions are coded using special RADIUS packet codes:
  40 & 41 | 42 = Disconnect-Request & ACK | NAK
  43 & 44 | 45 = Change-Filter-Request & ACK | NAK

The NAS should be listening for requests on UDP port 3799

RFC 2882, 3576

Example to disconnect a user

RADIUS server -> RADIUS client (NAS), over IP; the user is connected through the PSTN:

1.  Disconnect-Request (40) - ID=1
      User-Name (1) = pepe@terra
      Framed-IP-Address (8) = 193.168.1.2
      Acct-Session-Id (44) = 262282375
      Nas-IP-Address = 192.168.20.2

2A. Disconnect-Ack (41) - ID=1

2B. Disconnect-Nak (42) - ID=1
      Error-Cause (101) = Residual Session Context Removed (201)

NOTE: The RADIUS "client" should know to which IP address it must send the request. It will be different from the NAS-IP-Address if:
  - the Nas-Id attribute is used
  - there is a proxy RADIUS in between
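How a NAS can tell a legitimate Disconnect-Request from a forged one, as an added example (not the deck's or any NAS vendor's code): the request's authenticator is an MD5 over the packet with the shared secret, as specified in RFC 5176 (the successor of the RFC 3576 cited on the previous slide), so the NAS recomputes it before tearing anything down and then answers Disconnect-Ack or Disconnect-Nak with the Identifier copied from the request and a Response Authenticator the client verifies in turn. The packet built is the one in the figure; the secret and the active-session set are constructed, and the Nak uses Error-Cause 503 "Session Context Not Found" from RFC 5176 rather than the slide's 201.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 8, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503     # Error-Cause value defined in RFC 5176


def encode_attributes(attrs) -> bytes:
    """Serialise (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attributes(body: bytes) -> dict:
    """Inverse of encode_attributes, with the usual bounds checks."""
    attrs, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs


def build_request(code: int, ident: int, attrs, secret: bytes) -> bytes:
    """RFC 5176 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + request attributes + secret).
    Unlike an Access-Request, this authenticator is not random: it is the
    sender's proof of knowing the shared secret."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS (listening on UDP 3799) must do before acting on a request.
    A mismatch means the sender does not know the secret or the packet was
    altered; RFC 5176 says such packets are silently discarded."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + attributes + secret),
    with the Identifier copied from the request so the client can match them."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: check the ACK/NAK really comes from the NAS that got our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nas_handle_disconnect(packet: bytes, secret: bytes, active_sessions: set):
    """NAS side of the slide: validate, look the session up by Acct-Session-Id,
    tear it down and answer Disconnect-Ack, or Disconnect-Nak plus Error-Cause.
    Returns None when the packet must be discarded without any reply."""
    if not verify_request(packet, secret) or packet[0] != DISCONNECT_REQUEST:
        return None
    attrs = decode_attributes(packet[20:])
    session_id = attrs.get(ACCT_SESSION_ID, b"").decode("ascii", "replace")
    if session_id in active_sessions:
        active_sessions.discard(session_id)      # the actual hang-up happens here
        return build_response(DISCONNECT_ACK, packet, [], secret)
    return build_response(DISCONNECT_NAK, packet,
                          [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))], secret)


def slide_disconnect_request(secret: bytes) -> bytes:
    """The Disconnect-Request of the figure (ID=1, same four attributes)."""
    return build_request(DISCONNECT_REQUEST, 1, [
        (USER_NAME, b"pepe@terra"),
        (FRAMED_IP_ADDRESS, bytes([193, 168, 1, 2])),
        (ACCT_SESSION_ID, b"262282375"),
        (NAS_IP_ADDRESS, bytes([192, 168, 20, 2])),
    ], secret)


if __name__ == "__main__":
    secret, sessions = b"example-secret", {"262282375"}
    request = slide_disconnect_request(secret)
    reply = nas_handle_disconnect(request, secret, sessions)
    print("reply code", reply[0], "verified", verify_response(reply, request, secret), "sessions", sessions)
```

Because the request carries no nonce, the same Disconnect-Request could be replayed later; RFC 5176 relies on the Identifier plus the NAS's session state (a second copy finds no session and gets a Nak) and recommends Event-Timestamp for replay detection, so a NAS implementation should track Event-Timestamp as well as verifying the authenticator.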

SNMP MIBs for RADIUS

It is standardized that the RADIUS servers and the clients should offer some statistical information via SNMP
  Defined in RFCs
  The new ones also support IPv6

A proxy-RADIUS behaves at the same time as a server and a client
  Should support both MIBs

The OIDs are a branch of MIB-2

All of the OIDs are read-only, as they are statistical data
  Except for the reset of counters

RFC's    Auth   Acct
Client   4668   4670
Server   4669   4671

Auth Server MIB (I)

The SNMP agent must store statistics for every client, as well as the aggregate statistics

Index  Client Address  Client ID  Access Req  Duplic Req  Access Accept  Access Reject  .......
1      172.16.1.2      RAS1       27          1           25             2              …..
2      172.1.2.3                  12          0           9              3              .....
...    ..
N      192.18.1.2      GGSN1      1098        19          1000           98
TOTAL                             5720        30          5520           200            ......

Serv Ident  Serv UpTime  Serv ResetTime
NR1         36010        600

Auth Server MIB (II)

RFC 2619

(.1) Mib-2
  (.67) radiusMIB
    (.1) radiusAuthentication
      (.1) radiusAuthServMIB
        (.1) radiusAuthServMIBObjects
          (.1) radiusAuthServ
            (.1) radiusAuthServIdent [SnmpAdminString]
            (.2) radiusAuthServUpTime [TimeTicks]
            (.3) radiusAuthServResetTime [TimeTicks]
            (.4) radiusAuthServConfigReset [integer] VALUES: {other(1), reset(2), initializing(3), running(4)}
            (.5) radiusAuthServTotalAccessRequests [Counter32]
            (.6) radiusAuthServTotalInvalidRequests [Counter32]
            (.7) radiusAuthServTotalDupAccessRequests [Counter32]
            (.8) radiusAuthServTotalAccessAccepts [Counter32]
            (.9) radiusAuthServTotalAccessRejects [Counter32]
            (.10) radiusAuthServTotalAccessChallenges [Counter32]
            (.11) radiusAuthServTotalMalformedAccessRequests [Counter32]
            (.12) radiusAuthServTotalBadAuthenticators [Counter32]
            (.13) radiusAuthServTotalPacketsDropped [Counter32]
            (.14) radiusAuthServTotalUnknownTypes [Counter32]

* Responses = AccessAccepts + AccessRejects + AccessChallenges
* Pending = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped - Responses
* Entries logged = Requests - DupRequests - BadAuthenticators - MalformedRequests - UnknownTypes - PacketsDropped

Auth Server MIB (III)

RFC 2619

(.67) radiusMIB
  (.1) radiusAuthentication
    (.1) radiusAuthServMIB
      (.1) radiusAuthServMIBObjects
        (.1) radiusAuthServ
          (.15) radiusAuthClientTable [Sequence]
            (.1) radiusAuthClientEntry [Entry]
              (.1) radiusAuthClientIndex [Integer32]
              (.2) radiusAuthClientAddress [IpAddress]
              (.3) radiusAuthClientID [SnmpAdminString]
              (.4) radiusAuthServAccessRequests [Counter32]
              (.5) radiusAuthServDupAccessRequests [Counter32]
              (.6) radiusAuthServAccessAccepts [Counter32]
              (.7) radiusAuthServAccessRejects [Counter32]
              (.8) radiusAuthServAccessChallenges [Counter32]
              (.9) radiusAuthServMalformedAccessRequests [Counter32]
              (.10) radiusAuthServBadAuthenticators [Counter32]
              (.11) radiusAuthServPacketsDropped [Counter32]
              (.12) radiusAuthServUnknownTypes [Counter32]
      (.2) radiusAuthServMIBConformance
        (.1) radiusAuthServMIBCompliances
        (.2) radiusAuthServMIBGroups

Acct Client MIB

RFC 2620

(.67) radiusMIB
  (.2) radiusAccounting
    (.2) radiusAccClientMIB
      (.1) radiusAccClientMIBObjects
        (.1) radiusAccClient
          (.1) radiusAccClientInvalidServerAddresses [Counter32]
          (.2) radiusAccClientIdentifier [SnmpAdminString]
          (.3) radiusAccServerTable [Sequence]
            (.1) radiusAccServerEntry [Entry]
              (.1) radiusAccServerIndex [Integer32]
              (.2) radiusAccServerAddress [IpAddress]
              (.3) radiusAccClientServerPortNumber [Integer32]
              (.4) radiusAccClientRoundTripTime [TimeTicks]
              (.5) radiusAccClientRequests [Counter32]
              (.6) radiusAccClientRetransmissions [Counter32]
              (.7) radiusAccClientResponses [Counter32]
              (.8) radiusAccClientMalformedResponses [Counter32]
              (.9) radiusAccClientBadAuthenticators [Counter32]
              (.10) radiusAccClientPendingRequests [Gauge32]
              (.11) radiusAccClientTimeouts [Counter32]
              (.12) radiusAccClientUnknownTypes [Counter32]
              (.13) radiusAccClientPacketsDropped [Counter32]

* Requests = Responses + PendingRequests + ClientTimeouts
* Successfully received = Responses - MalformedResponses - BadAuthenticators - UnknownTypes - PacketsDropped
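Putting the starred formulas of the Auth Server MIB (II) and Acct Client MIB slides to work, as an added example that is not part of the deck: derived values from one poll of the radiusAuthServ counters and of one radiusAccServerTable row, plus a between-polls check that allows for Counter32 wrap, notices a counter reset through radiusAuthServResetTime, and flags growth in BadAuthenticators (Access-Requests whose Message-Authenticator did not verify, i.e. a client configured with the wrong shared secret, or forged packets). All poll snapshots are constructed; the keys are the object names without their radiusAuthServTotal / radiusAccClient prefixes, and the thresholds are example defaults.

```python
COUNTER32_MOD = 2 ** 32

# Two constructed polls of the radiusAuthServ scalars, keyed by the object name
# without its "radiusAuthServTotal" prefix (ResetTime = radiusAuthServResetTime).
POLL_T0 = {"ResetTime": 600, "AccessRequests": 5720, "DupAccessRequests": 30,
           "AccessAccepts": 5490, "AccessRejects": 200, "AccessChallenges": 0,
           "MalformedAccessRequests": 0, "BadAuthenticators": 0,
           "PacketsDropped": 0, "UnknownTypes": 0}
POLL_T1 = {"ResetTime": 600, "AccessRequests": 6320, "DupAccessRequests": 32,
           "AccessAccepts": 5900, "AccessRejects": 210, "AccessChallenges": 0,
           "MalformedAccessRequests": 1, "BadAuthenticators": 150,
           "PacketsDropped": 0, "UnknownTypes": 0}

# One constructed row of a client's radiusAccServerTable, same naming rule.
ACC_CLIENT_ROW = {"Requests": 1200, "Retransmissions": 40, "Responses": 1150,
                  "MalformedResponses": 2, "BadAuthenticators": 3, "UnknownTypes": 0,
                  "PacketsDropped": 1, "PendingRequests": 10, "Timeouts": 40}


def auth_server_derived(c: dict) -> dict:
    """The three starred formulas of the Auth Server MIB slide, from one poll."""
    responses = c["AccessAccepts"] + c["AccessRejects"] + c["AccessChallenges"]
    discarded = (c["DupAccessRequests"] + c["BadAuthenticators"] + c["MalformedAccessRequests"]
                 + c["UnknownTypes"] + c["PacketsDropped"])
    logged = c["AccessRequests"] - discarded
    return {"responses": responses, "entries_logged": logged, "pending": logged - responses}


def acct_client_derived(c: dict) -> dict:
    """The two starred formulas of the Acct Client MIB slide, for one server row."""
    good = (c["Responses"] - c["MalformedResponses"] - c["BadAuthenticators"]
            - c["UnknownTypes"] - c["PacketsDropped"])
    balanced = c["Requests"] == c["Responses"] + c["PendingRequests"] + c["Timeouts"]
    return {"successfully_received": good, "balanced": balanced}


def counter_delta(old: int, new: int) -> int:
    """Growth of a Counter32 between two polls, allowing for the wrap at 2^32."""
    return (new - old) % COUNTER32_MOD


def check_auth_server_polls(prev: dict, cur: dict, max_bad_auth: int = 0,
                            max_malformed: int = 0, max_pending: int = 100) -> list:
    """Findings a monitoring job would raise between two polls of the same server."""
    if cur["ResetTime"] != prev["ResetTime"]:
        # Counters restarted (ConfigReset or server restart): deltas are meaningless
        return ["counters were reset between polls (radiusAuthServResetTime changed); deltas skipped"]
    findings = []
    bad = counter_delta(prev["BadAuthenticators"], cur["BadAuthenticators"])
    if bad > max_bad_auth:
        findings.append(f"{bad} Access-Requests with an invalid Message-Authenticator: "
                        "a client configured with the wrong shared secret, or forged packets")
    malformed = counter_delta(prev["MalformedAccessRequests"], cur["MalformedAccessRequests"])
    if malformed > max_malformed:
        findings.append(f"{malformed} malformed Access-Requests received")
    derived = auth_server_derived(cur)
    if derived["pending"] < 0:
        findings.append("inconsistent counters: more responses than logged requests")
    elif derived["pending"] > max_pending:
        findings.append(f"{derived['pending']} requests pending: the server is falling behind")
    return findings


if __name__ == "__main__":
    print(auth_server_derived(POLL_T1))
    print(acct_client_derived(ACC_CLIENT_ROW))
    print("\n".join(check_auth_server_polls(POLL_T0, POLL_T1)))
```

The per-client table of the Auth Server MIB (III) slide carries the same counters per NAS, so the same check run per row tells which client is sending the bad authenticators rather than only that someone is.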

List of standard attributes (I)

Access-Request  Access-Accept  Access-Reject  Access-Chall.  Acct-Request  #    Attribute                    RFC's
0-1             0-1            0              0              0-1           1    User-Name                    2865, 2866
0-1             0              0              0              0             2    User-Password (*)            2865, 2866
0-1             0              0              0              0             3    CHAP-Password (*)            2865, 2866
0-1             0              0              0              0-1           4    NAS-IP-Address (**)          2865, 2866
0-1             0              0              0              0-1           5    NAS-Port (****)              2865, 2866
0-1             0-1            0              0              0-1           6    Service-Type                 2865, 2866
0-1             0-1            0              0              0-1           7    Framed-Protocol              2865, 2866
0-1             0-1            0              0              0-1           8    Framed-IP-Address            2865, 2866
0-1             0-1            0              0              0-1           9    Framed-IP-Netmask            2865, 2866
0               0-1            0              0              0-1           10   Framed-Routing               2865, 2866
0               0+             0              0              0+            11   Filter-Id                    2865, 2866
0-1             0-1            0              0              0-1           12   Framed-MTU                   2865, 2866
0+              0+             0              0              0+            13   Framed-Compression           2865, 2866
0+              0+             0              0              0+            14   Login-IP-Host                2865, 2866
0               0-1            0              0              0-1           15   Login-Service                2865, 2866
0               0-1            0              0              0-1           16   Login-TCP-Port               2865, 2866
0               0+             0+             0+             0             18   Reply-Message                2865, 2866
0-1             0-1            0              0              0-1           19   Callback-Number              2865, 2866
0               0-1            0              0              0-1           20   Callback-Id                  2865, 2866
0               0+             0              0              0+            22   Framed-Route                 2865, 2866
0               0-1            0              0              0-1           23   Framed-IPX-Network           2865, 2866
0-1             0-1            0              0-1            0             24   State (*)                    2865, 2866
0               0+             0              0              0+            25   Class                        2865, 2866
0+              0+             0              0+             0+            26   Vendor-Specific              2865, 2866
0               0-1            0              0-1            0-1           27   Session-Timeout              2865, 2866
0               0-1            0              0-1            0-1           28   Idle-Timeout                 2865, 2866
0               0-1            0              0              0-1           29   Termination-Action           2865, 2866
0-1             0              0              0              0-1           30   Called-Station-Id            2865, 2866
0-1             0              0              0              0-1           31   Calling-Station-Id           2865, 2866
0-1             0              0              0              0-1           32   NAS-Identifier (**)          2865, 2866
0+              0+             0+             0+             0+            33   Proxy-State                  2865, 2866
0-1             0-1            0              0              0-1           34   Login-LAT-Service            2865, 2866
0-1             0-1            0              0              0-1           35   Login-LAT-Node               2865, 2866
0-1             0-1            0              0              0-1           36   Login-LAT-Group              2865, 2866
0               0-1            0              0              0-1           37   Framed-AppleTalk-Link        2865, 2866
0               0+             0              0              0-1           38   Framed-AppleTalk-Network     2865, 2866
0               0-1            0              0              0-1           39   Framed-AppleTalk-Zone        2865, 2866
0               0              0              0              1             40   Acct-Status-Type             2866
0               0              0              0              0-1           41   Acct-Delay-Time              2866

(*) An Access-Request MUST contain either a User-Password or a CHAP-Password or State. An Access-Request MUST NOT contain both a User-Password and a CHAP-Password

(**) An Access-Request and an Accounting-Request MUST contain either a NAS-IP-Address or a NAS-Identifier (or both)

No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific ones.

List of standard attributes (II)

(***) An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes. If it does not contain any of those four attributes, it SHOULD contain a Message-Authenticator. If any packet type contains an EAP-Message attribute it MUST also contain a Message-Authenticator.

Access-Request  Access-Accept  Access-Reject  Access-Chall.  Acct-Request  #    Attribute                    RFC's
0               0              0              0              0-1           42   Acct-Input-Octets            2866
0               0              0              0              0-1           43   Acct-Output-Octets           2866
0-1             0-1            0              0              1             44   Acct-Session-Id              2866
0               0              0              0              0-1           45   Acct-Authentic               2866
0               0              0              0              0-1           46   Acct-Session-Time            2866
0               0              0              0              0-1           47   Acct-Input-Packets           2866
0               0              0              0              0-1           48   Acct-Output-Packets          2866
0               0              0              0              0-1           49   Acct-Terminate-Cause         2866
0               0              0              0              0+            50   Acct-Multi-Session-Id        2866
0               0              0              0              0+            51   Acct-Link-Count              2866
0               0              0              0              0-1           52   Acct-Input-Gigawords         2869
0               0              0              0              0-1           53   Acct-Output-Gigawords        2869
0               0              0              0              0-1           55   Event-Timestamp              2869
0+              0+             0              0              0+            56   Egress-VLANID                4675
0-1             0-1            0              0              0-1           57   Ingress-Filters              4675
0+              0+             0              0              0+            58   Egress-VLAN-Name             4675
0               0-1            0              0              0             59   User-Priority-Table          4675
0-1             0              0              0              0             60   CHAP-Challenge               2865, 2866
0-1             0              0              0              0-1           61   NAS-Port-Type                2865, 2866
0-1             0-1            0              0              0-1           62   Port-Limit                   2865, 2866
0-1             0-1            0              0              0-1           63   Login-LAT-Port               2865, 2866
0+              0+             0              0              0-1           64   Tunnel-Type                  2867, 2868
0+              0+             0              0              0-1           65   Tunnel-Medium-Type           2867, 2868
0+              0+             0              0              0-1           66   Tunnel-Client-Endpoint       2867, 2868
0+              0+             0              0              0-1           67   Tunnel-Server-Endpoint       2867, 2868
0               0+             0              0              0             69   Tunnel-Password              2867, 2868
0-1             0              0              0              0             70   ARAP-Password (***)          2869
0               0-1            0              0-1            0             71   ARAP-Features                2869
0               0-1            0              0              0             72   ARAP-Zone-Access             2869
0-1             0              0              0-1            0             73   ARAP-Security                2869
0+              0              0              0+             0             74   ARAP-Security-Data           2869
0               0              0-1            0              0             75   Password-Retry               2869
0               0              0              0-1            0             76   Prompt                       2869
0-1             0              0              0              0-1           77   Connect-Info                 2869
0               0+             0              0              0             78   Configuration-Token          2869
0+              0+             0+             0+             0             79   EAP-Message (***)            2869
0-1             0-1            0-1            0-1            0             80   Message-Authenticator (***)  2869
0+              0+             0              0              0-1           81   Tunnel-Private-Group-ID      2867, 2868
0               0+             0              0              0-1           82   Tunnel-Assignment-ID         2867, 2868
0+              0+             0              0              0             83   Tunnel-Preference            2867, 2868


(****) Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-Request packet, if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.

(-) Can be included in packet type 42=Disconnect-Nak or 45=CoA-Nak

Access-Request | Access-Accept | Access-Reject | Access-Challenge | Acct-Request | # | Attribute | RFC's
---------------|---------------|---------------|------------------|--------------|---|-----------|------
0 | 0-1 | 0 | 0-1 | 0 | 84 | ARAP-Challenge-Response | 2869
0 | 0-1 | 0 | 0 | 0 | 85 | Acct-Interim-Interval | 2869
0 | 0 | 0 | 0 | 0-1 | 86 | Acct-Tunnel-Packets-Lost | 2867
0-1 | 0 | 0 | 0 | 0-1 | 87 | NAS-Port-Id (****) | 2869
0 | 0-1 | 0 | 0 |  | 88 | Framed-Pool | 2869
0-1 | 0-1 | 0 | 0 | 0-1 | 89 | Chargeable-User-Id | 4372
0+ | 0+ | 0 | 0 | 0-1 | 90 | Tunnel-Client-Auth-ID | 2868
0+ | 0+ | 0 | 0 | 0-1 | 91 | Tunnel-Server-Auth-ID | 2868
0 | 0+ | 0 | 0 | 0+ | 92 | NAS-Filter-Rule | 4849
0-1 | 0 | 0 | 0 | 0-1 | 95 | NAS-IPv6-Address | 3162
0-1 | 0-1 | 0 | 0 | 0-1 | 96 | Framed-Interface-Id | 3162
0+ | 0+ | 0 | 0 | 0+ | 97 | Framed-IPv6-Prefix | 3162
0+ | 0+ | 0 | 0 | 0+ | 98 | Login-IPv6-Host | 3162
0 | 0+ | 0 | 0 | 0+ | 99 | Framed-IPv6-Route | 3162
0 | 0-1 | 0 | 0 | 0-1 | 100 | Framed-IPv6-Pool | 3162
0 | 0 | 0 | 0 | 0 | 101 | Error-Cause | 3576
0-1 | 0 | 0 | 0 | 0 | 103 | Digest-Response | 4590
0-1 | 0 | 0 | 1 | 0 | 104 | Digest-Realm | 4590
0-1 | 0 | 0 | 1 | 0 | 105 | Digest-Nonce | 4590
0 | 0-1 | 0 | 0 | 0 | 106 | Digest-Response-Auth | 4590
0 | 0-1 | 0 | 0 | 0 | 107 | Digest-Nextnonce | 4590
0-1 | 0 | 0 | 0 | 0 | 108 | Digest-Method | 4590
0-1 | 0 | 0 | 0 | 0 | 109 | Digest-URI | 4590
0-1 | 0 | 0 | 0+ | 0 | 110 | Digest-Qop | 4590
0-1 | 0 | 0 | 0-1 | 0 | 111 | Digest-Algorithm | 4590
0-1 | 0 | 0 | 0 | 0 | 112 | Digest-Entity-Body-Hash | 4590
0-1 | 0 | 0 | 0 | 0 | 113 | Digest-CNonce | 4590
0-1 | 0 | 0 | 0 | 0 | 114 | Digest-Nonce-Count | 4590
0-1 | 0 | 0 | 0 | 0 | 115 | Digest-Username | 4590
0-1 | 0 | 0 | 0-1 | 0 | 116 | Digest-Opaque | 4590
0+ | 0+ | 0 | 0+ | 0 | 117 | Digest-Auth-Param | 4590
0-1 | 0 | 0 | 0 | 0 | 118 | Digest-AKA-Auts | 4590
0 | 0 | 0 | 0+ | 0 | 119 | Digest-Domain | 4590
0 | 0 | 0 | 0-1 | 0 | 120 | Digest-Stale | 4590
0 | 0-1 | 0 | 0 | 0 | 121 | Digest-HA1 | 4590
0-1 | 0 | 0 | 0 | 0 | 122 | SIP-AOR | 4590
0+ | 0+ | 0 | 0 | 0+ | 123 | Delegated-IPv6-Prefix | 4818
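The (***) rule from the previous slide and the (****) rule above, as an added Python example that is not part of the original deck: a checker that TLV-parses a RADIUS packet, applies both rules using the attribute numbers from the table (User-Password 2, CHAP-Password 3 and NAS-Port 5 are the standard RFC 2865 numbers the notes refer to), and verifies Message-Authenticator as HMAC-MD5 over the packet with its value zeroed, as RFC 2869 defines. The shared secret and packets used to exercise it are constructed values.

```python
import hashlib
import hmac
import struct
# Numbers from the table above plus the standard User-Password (2), CHAP-Password (3), NAS-Port (5).
USER_PASSWORD, CHAP_PASSWORD, NAS_PORT = 2, 3, 5
ARAP_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 70, 79, 80, 87
CREDENTIAL_TYPES = {USER_PASSWORD, CHAP_PASSWORD, ARAP_PASSWORD, EAP_MESSAGE}

def build_packet(code, ident, authenticator, attrs, secret=None):
    """TLV-encode attrs; with a secret, append Message-Authenticator = HMAC-MD5(secret,
    whole packet with the 16 value bytes zeroed), as RFC 2869 section 5.14 defines."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    if secret is not None:  # placeholder value, replaced once the whole packet exists
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt if secret is None else pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_attributes(packet):
    """Return (code, [(type, value, offset), ...]); reject inconsistent lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute header")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]], pos))
        pos += packet[pos + 1]
    return code, attrs

def check_access_request(packet, secret):
    """Apply the (***) and (****) rules to one packet; return the violation codes found."""
    code, attrs = parse_attributes(packet)
    present = {t for t, _, _ in attrs}
    problems = [] if code == 1 else ["NOT-ACCESS-REQUEST"]  # Access-Request has code 1
    creds = present & CREDENTIAL_TYPES
    if len(creds) > 1:
        problems.append("MULTIPLE-CREDENTIAL-TYPES")  # MUST NOT
    if not creds and MESSAGE_AUTHENTICATOR not in present:
        problems.append("NO-CREDENTIAL-NO-MESSAGE-AUTHENTICATOR")  # SHOULD
    if EAP_MESSAGE in present and MESSAGE_AUTHENTICATOR not in present:
        problems.append("EAP-WITHOUT-MESSAGE-AUTHENTICATOR")  # MUST
    if not present & {NAS_PORT, NAS_PORT_ID}:
        problems.append("NO-NAS-PORT-OR-NAS-PORT-ID")  # SHOULD, if the NAS has ports
    for atype, value, off in attrs:  # verify the HMAC over the packet with its value zeroed
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
                problems.append("MESSAGE-AUTHENTICATOR-MISMATCH")
    return problems
```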