
RADIUS

RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. It provides AAA (Authentication, Authorization, Accounting):

1. to authenticate users or devices before granting them access to a network (server side),
2. to authorize those users or devices for certain network services (server side for client side), and
3. to account for usage of those services.

The RADIUS server checks that the information sent by the client to authenticate itself is correct, using authentication schemes such as PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) or EAP (Extensible Authentication Protocol).

The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can still do this, or can refer to external sources (commonly SQL, Kerberos, LDAP, or Active Directory servers) to verify the user's credentials.

AAA Protocols

- Terminal Access Controller Access Control System (TACACS):
  TACACS is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. The Unix daemon is TACACSD and runs on port 49. It uses TCP.

- TACACS+:
  TACACS+ is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. It uses TCP and provides separate authentication, authorization and accounting services. The port is 49.

- RADIUS

- DIAMETER

Network Access Server (NAS)

The Network Access Server (NAS) is a service element that clients dial in order to get access to the network. A Network Access Server is a device which usually has interfaces both to the backbone and to the telco (POTS or ISDN) and receives calls from hosts that want to access the backbone by dialup services. A Network Access Server (NAS) is:
- A single point of access to a remote resource
- A Remote Access Server, because it allows remote access to a network
- An initial entry point to a network
- A gateway to guard access to a protected resource

A few examples are:
- Internet access verification using User ID and Password
- VoIP, FoIP and VMoIP, which require a valid Phone Number or IP Address
- Telephone prepaid cards, which use a Prepaid Card Number

RADIUS OPERATION:

1. User initiates PPP authentication to the NAS.
2. NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]).
3. User replies.
4. RADIUS client sends username and encrypted password to the RADIUS server.
5. RADIUS server responds with Accept, Reject, or Challenge.
6. The RADIUS client acts upon the services and service parameters bundled with Accept or Reject.

Before the client starts communicating with the RADIUS server, a shared secret must be configured on both client and server, and the client must be configured to use the RADIUS server to get service. Once the client is configured properly:
- The client starts with an Access-Request.
- The server sends either Access-Accept, Access-Reject or Access-Challenge.
- Access-Accept carries all the attributes required to provide a service to the user.
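The Access-Request / Access-Accept exchange above, built by hand as an added example (not code from the original notes). It follows RFC 2865: the client hides the User-Password with an MD5 keystream derived from the shared secret and a random Request Authenticator, and the server's reply carries a Response Authenticator that the client must verify before trusting the result. The shared secret, the user database and the user names are constructed sample values; `hmac.compare_digest` is used for the comparisons so that neither side leaks timing information.

```python
"""Hand-built RADIUS Access-Request / Access-Accept exchange (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then
    XOR each block with MD5(secret + previous ciphertext block). The first
    'previous block' is the 16-octet Request Authenticator chosen by the client."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream over the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): lets the
    client check that the reply came from a holder of the shared secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def client_access_request(user, password, secret, ident=0x42):
    request_auth = os.urandom(16)           # fresh random authenticator per request
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, secret, user_db):
    """user_db is a constructed {username: password} mapping standing in for
    the flat file / SQL / LDAP back end mentioned in the notes."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[HEADER_LEN:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(user)
    ok = expected is not None and hmac.compare_digest(expected, password)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""                        # a real Access-Accept carries service attributes here
    auth = response_authenticator(resp_code, ident, resp_attrs, request_auth, secret)
    return packet(resp_code, ident, auth, resp_attrs)


def client_verify_response(response, request_auth, secret):
    """Return the response code only if the Response Authenticator checks out;
    a forged or tampered reply yields None and must not be acted on."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return code if hmac.compare_digest(response[4:HEADER_LEN], expected) else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    users = {b"alice": b"correct horse battery staple"}
    req, ra = client_access_request(b"alice", users[b"alice"], secret)
    print("server replied with code", client_verify_response(server_handle(req, secret, users), ra, secret))
```

The point a practitioner should take from the verification step: the Response Authenticator is the only thing tying an Access-Accept to the shared secret, so a NAS that skips that check will happily honour a spoofed reply, and the password hiding itself is MD5-based and offers no protection beyond the secrecy of the shared secret, which is why the Diameter section below insists on IPsec or TLS underneath.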

Cisco:
RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
PAP: Password Authentication Protocol
CHAP: Challenge Handshake Authentication Protocol
RADIUS Port: 1812
Software is available for RADIUS.

DIAMETER:

Diameter is an authentication, authorization and accounting protocol for computer networks, and a successor to RADIUS. Diameter Applications extend the base protocol by adding new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP). Diameter is not directly backwards compatible, but provides an upgrade path for RADIUS. Main differences:

- Reliable transport protocols (TCP or SCTP (Stream Control Transmission Protocol), not UDP)
- Network or transport layer security (IPsec or TLS)
- Both stateful and stateless models can be used
- Error notification
- Better roaming support

RADIUS had issues with reliability, scalability, security and flexibility. RADIUS cannot deal effectively with remote access, IP mobility and policy control. The Diameter protocol defines a policy protocol used by clients to perform Policy, AAA and Resource Control. This allows a single server to handle policies for many services.

Comparison: RADIUS operates in a pure client-server paradigm, where the NAS acts as client. The RADIUS server does not initiate any messages, but only replies to the messages sent by the clients. Diameter operation resembles that of RADIUS, as NASes act as Diameter clients to the Diameter server. However, with Diameter any node can initiate a request, which makes Diameter more of a peer-to-peer protocol. Diameter also maintains more state information than RADIUS. The cost of using UDP is that RADIUS implementations have to create and manage retransmission timers themselves, as UDP provides no retransmission strategy.

Both RADIUS and Diameter allow additional nodes on the path between the communicating client and server. With RADIUS these nodes are generally referred to as proxies. [1] With Diameter the term agent is used, because Diameter specifies several agent types, of which "proxy" is one type. Diameter defines four kinds of agents, which provide relay, proxy, redirect or translation services.

Reauthentication: With RADIUS only clients can make reauthentication requests, by simply sending a new authentication request to the server. The server cannot demand reauthentication, as it cannot initiate messages (for server-initiated messages see Sec. 2.3). [1] Diameter instead specifies two message types, Re-Auth-Request and Re-Auth-Answer, which also allow server-initiated reauthentication.

Error handling: RADIUS does not support error messages. When faults occur, RADIUS simply silently discards packets, i.e. drops them without further processing. Diameter has an error reporting mechanism; Diameter messages are silently discarded only when that is the most suitable way to handle the problem. For example, received duplicate answers are still silently discarded.

Compatibility: Different RADIUS versions will work together only as long as they use the same code and type information. Diameter is also designed to be backward compatible with RADIUS.

Failover: When a RADIUS client finds the server to be down or unreachable, it can forward its request to an alternate server, but its reliability depends on the particular implementation and varies accordingly. Diameter nodes maintain a pending message queue, which contains sent messages that have not yet received an answer. After detecting a transport failure, messages in the queue are sent to an alternate agent.

Scalability: As the Identifier field of RADIUS is eight bits long, RADIUS can in principle have only 256 pending requests at the same time. For Diameter, with its 32-bit field, the theoretical maximum is over 4 billion.

RADIUS has no provisions for congestion control. That is one reason why RADIUS may not be suitable for large-scale systems, as it may suffer degraded performance and lose data. Diameter does not have any application-level support for congestion control either. However, it runs over TCP or SCTP, both of which are reliable transport protocols and able to self-clock. Both RADIUS and Diameter fully meet the requirements of running over IPv4 and IPv6.
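To make the failover and scalability points concrete, here is an added example (not code from the original notes) that encodes and decodes the Diameter header from RFC 6733 (version, 3-byte length, flags, 3-byte command code, Application-ID, and the 32-bit Hop-by-Hop and End-to-End identifiers), keeps a pending queue keyed by Hop-by-Hop identifier that is re-sent to an alternate peer on transport failure, discards duplicate answers silently, and, for contrast, exhausts the one-octet RADIUS Identifier space at 256 outstanding requests. The command code 258 is the Re-Auth-Request/Answer code from RFC 6733; the peer names and the `transport` callback are constructed stand-ins for a real connection, and End-to-End is set equal to Hop-by-Hop only to keep the example short.

```python
"""Added example: Diameter header (RFC 6733), pending-queue failover, and the
256-request cap imposed by the 8-bit RADIUS Identifier."""
import struct

DIAMETER_VERSION = 1
CMD_RE_AUTH = 258        # Re-Auth-Request / Re-Auth-Answer command code (RFC 6733)
FLAG_REQUEST = 0x80      # 'R' bit: set on requests, clear on answers
HEADER_LEN = 20


def build_header(command_code, application_id, hop_by_hop, end_to_end,
                 flags=FLAG_REQUEST, payload_len=0):
    """version(1) length(3) flags(1) command-code(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    length = HEADER_LEN + payload_len
    return (bytes([DIAMETER_VERSION]) + length.to_bytes(3, "big")
            + bytes([flags]) + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end))


def parse_header(buf):
    if len(buf) < HEADER_LEN or buf[0] != DIAMETER_VERSION:
        raise ValueError("not a Diameter version 1 header")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    return {
        "length": int.from_bytes(buf[1:4], "big"),
        "is_request": bool(buf[4] & FLAG_REQUEST),
        "command_code": int.from_bytes(buf[5:8], "big"),
        "application_id": app_id,
        "hop_by_hop": hbh,
        "end_to_end": e2e,
    }


class RadiusIdentifierPool:
    """The RADIUS Identifier is one octet, so at most 256 requests can be
    outstanding towards one server from one source address and port."""

    def __init__(self):
        self.pending = set()

    def allocate(self):
        for ident in range(256):
            if ident not in self.pending:
                self.pending.add(ident)
                return ident
        raise RuntimeError("RADIUS identifier space exhausted: 256 requests pending")

    def release(self, ident):
        self.pending.discard(ident)


class DiameterPendingQueue:
    """Tracks each sent request by Hop-by-Hop Identifier until its answer
    arrives; on transport failure the whole queue is re-sent to the next peer."""

    def __init__(self, peers, transport):
        self.peers = list(peers)        # constructed peer names, e.g. ["peer-a", "peer-b"]
        self.transport = transport      # constructed callable(peer, message_bytes)
        self.next_hbh = 1
        self.pending = {}               # hop-by-hop id -> (peer, message bytes)
        self.active = 0

    def send_request(self, command_code, application_id, payload=b""):
        hbh = self.next_hbh
        self.next_hbh = (self.next_hbh + 1) & 0xFFFFFFFF   # 32-bit wraparound
        msg = build_header(command_code, application_id, hbh, hbh,
                           payload_len=len(payload)) + payload
        self.pending[hbh] = (self.peers[self.active], msg)
        self.transport(self.peers[self.active], msg)
        return hbh

    def on_answer(self, answer):
        """Answers are matched to requests by Hop-by-Hop Identifier alone.
        An answer with no pending request (a duplicate) is silently dropped."""
        hdr = parse_header(answer)
        if hdr["is_request"]:
            raise ValueError("expected an answer, got a request")
        return self.pending.pop(hdr["hop_by_hop"], None) is not None

    def on_transport_failure(self):
        """Switch to the alternate peer and re-send everything still unanswered."""
        self.active = (self.active + 1) % len(self.peers)
        for hbh, (_, msg) in list(self.pending.items()):
            self.pending[hbh] = (self.peers[self.active], msg)
            self.transport(self.peers[self.active], msg)
        return self.peers[self.active], len(self.pending)
```

The `RadiusIdentifierPool` is the practical form of the "256 pending requests" figure: a busy NAS that does not recycle identifiers (or that talks to one server from a single source port) stalls exactly there, whereas the Diameter queue simply keeps counting. The failover method is also where a monitoring hook belongs, since a burst of re-sent requests to the alternate peer is the visible symptom of the transport outage described above.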

Security: All Diameter clients must support IPsec and may support TLS (Transport Layer Security), and Diameter servers must support both. Diameter implementations must always use some kind of transmission-level security. Diameter also has a separate end-to-end security framework, the "Diameter CMS Security application", which provides many security services. It offers wider protection than mere transport-layer IPsec or TLS do, because it covers the message across intermediate agents rather than only hop by hop.
