
AAA Support by the RADIUS and the Diameter Protocol


Ahana Mallik

Department of Informatics University of Zurich

May 26, 2016


Overview

1. Authentication, Authorization and Accounting (AAA).

2. AAA Services, Protocols and Architecture.

3. RADIUS Protocol.

4. Diameter Protocol.

5. Comparison of RADIUS and Diameter Protocol.

6. Applications of RADIUS and Diameter Protocol.

7. Summary.

8. Discussion Topic.

Importance of Authentication, Authorization and Accounting (AAA)

Authentication

Controls the user's identity.

Credentials are provided by the user to prove his/her identity.

Examples of credentials:
1. Passwords.
2. One-time tokens.
3. Digital certificates.
4. Any other information related to the identity (e.g. biometric parameters).

Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf


Authorization

The process of verifying whether a particular user is allowed to access network resources.

Only legitimate users are allowed to access the network.

Malicious users are denied access to network resources.

Examples:
1. IP address filtering.
2. IP address assignment.
3. Route assignment.
4. Encryption.

Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf


Accounting

Tracking of the consumption of network resources by users.

Typical information gathered in an accounting report:

1. User id.
2. Service description.
3. Session duration.

Useful for management, planning and billing.

Source Url: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf


Authentication in Proxy Appliance

1. The user sends a request (e.g. www.yahoo.com) to the proxy appliance.

2. The proxy appliance (the ProxySG product of BlueCoat) initiates the authentication process. The ProxySG appliance sends a credential challenge to the user.

3. The user then sends the credential information.

4. The user data is sent to the authentication server for verification.

5. After the verification succeeds, the user is identified in the network.

6. The user requests the required website from the internet.

7. The user gets the response from the internet.

8. The user receives the response and is able to access the desired resource.

Authentication in Proxy Appliance contd.

Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
AAA Mechanism

Authentication-based mechanisms:
The user authentication information is used as a precondition for the authorization process.

Credential-based mechanisms:
This method uses credential information, which is important and trustworthy information for the purpose of authorization.

The accounting system performs the following essential tasks:

1. The system gathers or aggregates all data from the metering systems.
2. The system then stores this data in the accounting system.
AAA Protocols

RADIUS: The protocol carries AAA information between a RADIUS server and a RADIUS client. It is based on the client/server model and supports a wide range of users.

Diameter: This peer-to-peer protocol carries AAA information in a reliable manner. It is more secure and reliable than RADIUS. It is the successor of the RADIUS protocol and overcomes many of its limitations.

COPS: This stands for Common Open Policy Service. This protocol deals with policy information.

SNMP: This stands for Simple Network Management Protocol. The accounting records are all transferred to the MIB (Management Information Base), where they are sorted or classified and finally stored.
AAA Services

In the context of AAA services we have an AAA server which is located in an administrative domain.

Distributed Servers:
1. The goal of distributed servers is to provide authentication, authorization and accounting.

2. The server provides the authorization service by deciding whether to grant or deny a request sent by the user.

3. In case it grants access to the user, it sets up an authorization session and logs the session data.
AAA Architecture

The Architectural Components and their roles

There is an ASM (Application Specific Module) present in the architectural framework of AAA.

The primary task of the ASM is to enforce the policy actions.

The ASM accordingly configures the SE (Service Equipment) in order to provide the necessary service.

The goal of the AAA server is to evaluate and decide user requests based on the set of policies.

The policies used by the AAA server are all stored in the PR (Policy Repository).

AAA Architecture contd.

In order to evaluate the policy conditions, the AAA server sometimes needs to consult other AAA servers.

This can be achieved either by sending requests to other AAA servers or with the help of the ASM.

Depending on different predefined policies, a server can accordingly act as an agent.

AAA Architecture contd.
Remote Authentication Dial-In User Service (RADIUS)

It is a well-known protocol and is widely used.

It is based on the client/server model.

Some of the important functions of RADIUS are:

1. Centralized management.
2. Security.

The process of authentication is based on the server and client concept.

The users send requests to the server, and the server authenticates the user against a central database.

If the authentication is successful, the user is granted access to the network; otherwise the user is denied.

RADIUS contd.

Source Url: https://www.rivier.edu/journal/ROAJ-Fall-2009/J286-RADIUS-Sood.pdf
RADIUS Client/Server Architecture

The RADIUS protocol is based on the client/server architecture.

There are two different RADIUS servers available:

1. RADIUS Authentication server.
2. RADIUS Accounting server.

The RADIUS Authentication server is responsible for the necessary security and stores the security data.

The RADIUS Accounting server takes care of the statistical data.

RADIUS Client/Server Architecture contd.

The Network Access Server (NAS) resides inside the RADIUS client.

The NAS helps remote users to access the desired network resources.

The NAS can access a local RADIUS server as well as a remote RADIUS server over the WAN.

The RADIUS clients at times use alternate servers for redundancy and fault tolerance.

RADIUS Client/Server Architecture contd.

Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
RADIUS Services

RADIUS supports multiple authentication protocols:

1. Password Authentication Protocol (PAP).
2. Challenge Handshake Authentication Protocol (CHAP).

The user initially establishes a connection with the Network Access Server (NAS). (Step 1 in the figure on slide 23.)

The NAS wants to authenticate the user on the network, so it requests the user id or username and password. (Step 2 in the figure on slide 23.)

The user provides his/her credential information (user id or username and password). (Step 3 in the figure on slide 23.)

The NAS then sends an Authentication Request packet to the RADIUS server for authentication. (Step 4 in the figure on slide 23.)

RADIUS Services contd.

The server then validates the user and sends an Authentication Acknowledgement. (Step 5 in the figure on slide 23.)

The server can either allow the user to access the desired network resource or deny the user access to it.

Authorization: The RADIUS server is responsible for providing services and privileges only to legitimate users. Protocols which help in authorization:

1. PPP
2. Telnet

RADIUS Services contd.

Accounting: This process is concerned with aggregating and storing statistical information. The accounting data consists of:

1. Time duration.
2. Packets and bytes sent and received.

The RADIUS client sends a request to the accounting server, and the server responds accordingly with statistical data.

RADIUS Services contd.

Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
RADIUS Standards

RADIUS initially came into the picture in January 1997 by Lucent Technologies.

It is one of the IETF (Internet Engineering Task Force) standards.

The second generation of the RADIUS standard (RFC 2138 and RFC 2139) was developed in April 1997.

In June 2000 the third generation of RADIUS came into the market (RFC 2865 and RFC 2866).
RADIUS Security

The user identification and passwords sent from the NAS to the RADIUS server during the authentication process are always encrypted. This encryption is achieved using hashing algorithms such as MD5.

Security is essential: otherwise confidential information about users would be revealed, and malicious users could extract it to gain access to network resources.
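Added example (not from the slides): how the MD5-based hiding of the User-Password attribute and the Response Authenticator of RFC 2865 work, so that a defender can see exactly what the shared secret protects. The shared secret and the Request Authenticator are constructed sample values; a real NAS picks a fresh, unpredictable authenticator per request.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the shared secret and a fixed 16-octet Request
# Authenticator (a real NAS draws the authenticator fresh and unpredictably per request).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

def _pad16(data: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16 octets (at least one block)."""
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-octet block is XORed with MD5(secret + previous cipher
    block); the first block is keyed by the Request Authenticator. Only the
    User-Password attribute is hidden this way (the User-Name travels in the clear),
    and it is an MD5-derived keystream, not authenticated encryption."""
    padded, out, prev = _pad16(password), b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, chaining on the received cipher blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip the padding (a password cannot end in NUL)

def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret) (RFC 2865 section 3), so a reply only verifies against the
    request it answers and the shared secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: check the Length field, then recompute the Response Authenticator
    and compare it in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

Anyone holding the shared secret and observing the Request Authenticator can run reveal_password, which is why the secret and the NAS-to-server path need protecting.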
Diameter Protocol

The Diameter protocol is a strong, reliable and secure protocol which provides Authentication, Authorization and Accounting for computer networks.

The Diameter protocol provides functionalities like error handling, capability negotiation, and maintaining user sessions and accounting.

The data delivered by this protocol is always in the form of AVPs (Attribute Value Pairs). An AVP carries the AAA information which needs to go from server to client.

The AVPs also play an important role in routing and redirecting Diameter messages.

The Diameter protocol provides secure data transfer without packet loss. This is achieved through reliable TCP.

Diameter Protocol contd.

The Diameter protocol supports several agents like relays, proxies etc.

The relay agents are responsible for routing the Diameter messages which contain user information from one node to another.

The Diameter protocol helps to establish and maintain a session between the server and the client at the application level.

In the case of the Diameter protocol, the servers and the clients are able to know each other's capabilities.
Protocol Description

The Diameter packet consists of a header part and several AVPs.

The Version field indicates the version of the Diameter protocol.

The Flags field has several flags, each of which has a specific meaning and functionality:

1. R bit, which stands for request bit. If it is set, the message is a request sent from client to server; if it is clear, the message is an answer.

2. P bit: if this bit is set, the message may be redirected or routed; otherwise the message is locally processed.

3. E bit: if this bit is set, there is a protocol error in the message, and such messages are referred to as error messages.

4. T bit: if this bit is set, it indicates a duplicate request.

Protocol Description contd.

Source url: https://en.wikipedia.org/wiki/Diameter_(protocol)

AVP: Attribute Value Pair

Session Management

The Diameter protocol establishes or initiates a session with the help of a message which has Auth-Session-State set to STATE-MAINTAINED.

When the server receives this message it does not release any resources from the network until the session terminates. The server also maintains the state of the session.

The messages transmitted from client to server should have a unique session id, and all messages of one particular session must carry the same session id.

A particular session can initiate a child session, also referred to as a sub-session, and in the same manner a multi-session can also be established.

Session Management contd.

There are two types of Diameter session:

1. The authorization session: this is used for authentication and authorization.

2. The accounting session: this is used for accounting purposes.

A Diameter session can be a stateful session or a stateless session.

This depends on the application, i.e. whether the application wants to maintain the session for a certain duration or not.
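Added example (not from the slides): a small Python encoder/decoder for the Diameter header flags from the Protocol Description slide and for the AVPs that carry the Session-Id and Auth-Session-State discussed under Session Management, with the bounds checks a receiver needs before trusting the length fields. The command code, application id, hop-by-hop and end-to-end identifiers and the Session-Id string are constructed sample values.

```python
import struct

# Header command flags (RFC 6733 section 3), AVP flags (section 4.1), and the
# base-protocol AVP codes Session-Id (263) and Auth-Session-State (277, value 0 = STATE_MAINTAINED).
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
AVP_V, AVP_M = 0x80, 0x40
SESSION_ID, AUTH_SESSION_STATE, STATE_MAINTAINED = 263, 277, 0

def build_avp(code: int, data: bytes, flags: int = AVP_M) -> bytes:
    """AVP header (code, flags, 3-byte length incl. header) + data, padded to 4 octets."""
    hdr = struct.pack("!I", code) + bytes([flags]) + (8 + len(data)).to_bytes(3, "big")
    return hdr + data + b"\x00" * (-len(data) % 4)

def build_message(cmd: int, app_id: int, flags: int, hbh: int, e2e: int, avps: bytes) -> bytes:
    """20-octet Diameter header (version 1, 3-byte length, flags, 3-byte code) + AVPs."""
    return (bytes([1]) + (20 + len(avps)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + avps)

def parse_header(buf: bytes) -> dict:
    """Decode the header and the R/P/E/T flags; reject length mismatches up front."""
    if len(buf) < 20 or buf[0] != 1 or int.from_bytes(buf[1:4], "big") != len(buf) or len(buf) % 4:
        raise ValueError("malformed Diameter header")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    return {"command": cmd, "app_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e,
            "request": bool(flags & FLAG_R), "proxiable": bool(flags & FLAG_P),
            "error": bool(flags & FLAG_E), "retransmit": bool(flags & FLAG_T)}

def parse_avps(buf: bytes) -> list:
    """Walk the AVPs after the header, bounds-checking every length before slicing."""
    avps, pos = [], 20
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[pos:pos + 4])[0]
        flags, length = buf[pos + 4], int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr_len = 12 if flags & AVP_V else 8       # Vendor-ID present when V is set
        if length < hdr_len or pos + length > len(buf):
            raise ValueError("AVP length out of bounds")
        avps.append({"code": code, "mandatory": bool(flags & AVP_M),
                     "data": buf[pos + hdr_len:pos + length]})
        pos += length + (-length % 4)              # step over the padding
    return avps

# Constructed sample: an AA-Request (command code 265, NASREQ application id 1)
# opening a stateful session, i.e. Auth-Session-State = STATE_MAINTAINED.
SAMPLE = build_message(265, 1, FLAG_R | FLAG_P, 0x1234, 0x5678,
                       build_avp(SESSION_ID, b"nas.example.org;1463000000;42")
                       + build_avp(AUTH_SESSION_STATE, struct.pack("!I", STATE_MAINTAINED)))
```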
Comparison of RADIUS and Diameter Protocol

RADIUS Protocol | Diameter Protocol
1. The RADIUS server cannot initiate messages. | 1. The Diameter server can initiate messages.
2. RADIUS uses UDP for packet transfer; less secure. | 2. Diameter uses TCP for data transmission; more secure.
3. Scalability is lower. | 3. Scalability is higher compared to RADIUS.
4. This protocol does not support capability negotiation. | 4. This protocol supports capability negotiation.
5. In terms of version compatibility, RADIUS performs poorly. | 5. Diameter nodes are able to know each other's version number.
6. The RADIUS server cannot demand re-authentication or re-authorization. | 6. The Diameter server can demand re-authentication or re-authorization.
7. RADIUS is less reliable. | 7. Diameter is more reliable.

Comparison of RADIUS and Diameter Protocol contd.

RADIUS Protocol | Diameter Protocol
8. This protocol does not provide end-to-end authentication. | 8. Diameter provides end-to-end authentication.
9. RADIUS has offline states; no state information is maintained. | 9. Diameter has authentication and authorization states.
Applications of RADIUS and Diameter

RADIUS Protocol | Diameter Protocol
1. ISP. | 1. Credit Control application.
2. Email services. | 2. Mobile IPv4 application.
3. VPN (Virtual Private Network). | 3. Network Access Server application.
4. DSL. |
5. Web servers. |
6. Modems. |
Summary

Usage of AAA.

RADIUS protocol: it implements AAA to provide security to RADIUS clients and servers.

Diameter protocol: a much more robust, secure and reliable protocol which implements AAA.

Diameter is a peer-to-peer protocol which maintains session states and has capability negotiation and error handling mechanisms.
Discussion Topic

Discussion Topic 1

1. The necessity of Authentication, Authorization and Accounting?

Discussion Topic 2

2. Does AAA serve perfectly? If there are limitations, what are they?

Discussion Topic 3

3. Which protocol is preferable among RADIUS and Diameter?

Thank You