Radius Details
Content
Text-only version
This is Google's cache of http://www.ceenet.org/workshops/lecture98/richard/radius1a.htm. It is a snapshot of the page as it appeared on 13 Mar 2011 02:40:48 GMT. The
current page could have changed in the meantime. Learn more
Radius
Remote Authentication Dial In User Service
This article can be found at: http://www.squashduck.com/~roundman/radius/
Group #1
Bob Full
Mike Roderick
Michele Clark
Jeff Vian
Radius: A Brief Introduction
Radius is an authentication server which can be modified to different kinds of networks. Radius is not yet considered a standard by the IETF (Internet Engineering Task Force),
but an RFC Draft has been submitted to them for approval, and it will no doubt soon become an industry standard. Radius is rapidly gaining popularity because of the open
protocol it utilizes (covered in detail later) which makes it easy and efficient to interface with networks which have large modem pools. The presence of a large modem pool
(Internet Provider Services , Universities, etc.) always increases network security problems, because there are more "holes" or opportunities for people to break in or abuse
access privileges. This paper will begin with a history and description of Radius and some recent improvements, then give a detailed overview of the entire authentication process
(using a flowchart), and also outline the functional specifications Radius requires and why it works the way it does. It will also discuss the increasing needs for Network Security,
and how Radius is handling these needs.
Radius: What is It?
Radius is a distributed security system developed by Livingston Enterprises which uses an authentication server to solve the security problems associated with remote computing.
Distributed security separates user authentication and authorization from the communications process and creates a single, central location for user authentication data. Livingston
originally built the server around a model of distributed security previously defined by the IETF. Recently, Merit* has improved the Radius system and it is now a fully open
protocol with a scalable client/server security system. Radius is prov ided free of charge to customers and it supports the Radius client protocols in the PortMaster family of
communication servers. Early systems were built and tested on the PDP-11 around 1989. Obviously, the entire security system has come a long way since then. Now new
security technologies can be added to the network without Livingston or Merit supporting them. The customer can ad d new features to the server, or have an outside resource
add them. This is one of the aspects which Radius' extensible architecture will support. One Radius server can support up to tens of thousands of users, making it a very practical
service for rapi dly growing networks.
What is a Distributed Security System?
Distributed security is a client/server approach which allows a number of communication servers, or clients, to authenticatea dial-in user's identity through a single, central
database, or Authentication Server, which stores all information about users, t heir passwords, and access privileges. Distributed Security is better than other types of security
because of the central location for authentication data which makes it more secure than scattering information on different devices throughout a network. It is also scalable, which
makes it conform to customers' client needs, and it is easier to manage with all the data in one, secure place.
Why Do We Need This Network Security?
Network Security has always been an issue in the field of computing. However, it is relatively new to personal computing. Accessing a network with a pc is a wonderful new
opportunity but it also creates a huge security risk with the sheer volume of users that are doing so. Every remote login brings with it a new chance of a security breach. In the
past, large mainframes used very high-level security measures to protect sensitive data, and most office computers were stand-alone CPU's which posed no securit y threat.
Today, stand-alones are basically extinct and the entire system has been replaced with LAN's or WAN's. Now everyone can communicate over the Network, but hackers see
this as an opportunity to wreak havoc with the system and bring it down. A more serious concern is the possibility of confidential information being stolen and misused or
destroyed.
How Does Radius Work?
Radius authenticates users through a series of communications between the client and the server. Once a user is authenticated, the client provides theuser with access to the
appropriate network services. Following this section is a detailed flow chart tra cing the path of the client/server interaction of Radius. The user dials in via modem to a modem
connected to a PortMaster Communications Server. Once the modem connection is completed, the PortMaster prompts the user for a name and password. Now the
PortMaster creates a data packet from this information called the authentication request. This packet includes information identifying the specific PortMaster sending the
authentication request, the port that is being used for the modem connection, and the user name and password. For protection from eavesdropping hackers, the PortMaster,
actin g as the Radius client, encrypts the password before it is sent on its journey to the Radius server. The Authentication Request is sent over the network from the Radius client
to the Radius server. This communication can be done over a LAN or WAN, allowing network managers to locate Radius clients remotely from the Radius server. If the Radius
server can't be reached, the Radius client can route the request to an alternate server. When an Authentication Request is received, the Authentication Server validates the
request and then decrypts the data packet to access the user name and password information. This information is passed on to the appropriate security system being supported.
This could be UNIX password files, Kerberos, a commercially available securit y system or even a custom developed security system. If the user name and password are
correct, the server sends an Authentication Acknowledgement that includes information on the user's network system and service requirements. For example, the Radius server
will tell the PortMaster that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol) or that the user needs SLIP (Serial Line InterNet Protocol) to connect to
the network. the acknowledgement can even contain filtering information to limit a user's access to specific resourced on the net work. If at any point in this log-in process
conditions are not met, the Radius server send an Authentication Reject to the PortMaster and the useris denied access to the network. To ensure that requests are not
responded to by unauthorized hackers on the network, the Radius server send an authentication key, or signature, identifying itself to the Radius client. Once this information is
17-03-2011 Radius Details
…googleusercontent.com/search?q=ca… 1/5
received by the PortMaster, it enable sthe n ecessary configuration to deliver the right network services to the user. Flow Chart Functional Details of the Radius Server
Details/Functionality
Why UDP? Why two ports? Supported Features Protocols
Why UDP?
When a authentication request to a primary server fails, a request can be made to a secondary server. To do this, there needs to be a copy of the request kept above the
transport layer. This need lends itself to UDP.
The user of a radius product will wait a few seconds for retransmission, however most users will not be willing to wait much longer like TCP would expect them to wait under
non-prime conditions.
UDP implementation of RADIUS is simplified by it's stateless nature.
The use of UDP makes the implementation of the RADIUS server much simplier; using a multi-threaded implementaion.
"Without TCP we would still probably be using tin cans connected by string. But for this particular protocol, UDP is a better choice." Quote from draft RFC version 04.
Why two ports?
PORT 1645: Used for authentication requests, replies, and challenges.
PORT 1646: Used for accounting purposes.
Supported Features:
Client/Server Model: The NAS(ie: a Livingston Portmaster acts as the client in this protocol. Also there ususally is a authentication server running some form of a RADIUS
server(either the Livingston version or the newest Merit AAA Server version). Usually the RADIUS server is run on a UNIX machine. A good example of a practicle in-use
version of this system is the internet service provider : TerraWorld.
Also, RADIUS servers can act as clients to other kinds of authentication servers.
RADIUS is a open protocol, so the server can be modified to meet each site's individual needs.
All transactions between the client and the RADIUS server are encrypted with a shared secret, which should NEVER be sent over the network.
RADIUS supports several authentication techniques including PPP, PAP or CHAP, UNIX login, and other authentication mechanisms.
RADIUS's use of the variable length Attrib-Length-Value 3-tuples allows new attribute values can be added without disturbing the existing implementation.
The availibility of RADIUS's source code allows the RADIUS protocol to be enhanced faster because each person does not have to re-invent the wheel.
Radius Protocol:
Packet Format:
Exactly one RADIUS packet is encapsulated in a single UDP packet.
The RADIUS packet includes 5 seperate packet-fields
0 1 ...
0 1 2 3 6 ... 01234567890123456789012345678901234 ... 890123 ... CCCCCCCCIIIIIIIILLLLLLLLLLLLLLLLAAA ... AAAttt ...
Where the following key holds:
C = Code octet of packet.
I = Identifier octet of packet.
L = Length octet pair of packet.
A = Authenticator group of 16 octets of packet.
t = Attributes or parameters of the code.
Code
The code is a single octet which identifies the type of RADIUS packet. If a RADIUS server recieves a packet with an invalid code, the server will silently discard or simply read
and forget about the packet.
Valid RADIUS codes are:
1 Access-Request 2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server 13 Status-Client 255 Reserved
17-03-2011 Radius Details
…googleusercontent.com/search?q=ca… 2/5
NOTE: Codes 4 and 5 are sent to port 1646 instead of 1645 for accounting purposes;
and 12 and 13 are experimental codes at this point
Identifier
The Identifier is a single octet used to match requests and replies.
Length
The Length is two octets that determine the overall length of the packet; ie: the sum of the length of the Code, Identifier, Length, Authenticator, and the Attribute fields.
NOTE: Starting with the (Length+1)th octet, the extra, or over length octets are considered padding and silently discarded!
Authenticator
The Authenticator field a sixteen octet field transmitted most significant octet first which is used by the RADIUS client to determine the validity of the RADIUS server response;
and used by the RADIUS server for password hiding.
Access-Request packets:
The authenticator should be a sixteen octet random number which demonstrates not only unpredictability, but also both temporal and global uniqueness. The shared secret (or
key) held by both the RADIUS server and RADI S US client is fed into a one-way MD5 hash followed by this Authenticator to create a sixteen octet value which is xored with
the User-Password in the Access-Request packet.
Access-Response packets (Including Access-Accept, Access-Reject, and Access-Challenge):
The authenticator of a response packet is obtained by pumping the Code, Identifier, the Length, and the Authenticator fields from the Access-Request packet with the response
attributes and finally the shared secret through a one-way MD5 hash to obtain the response sixteen octet Authenticator.
Attributes
0 1 2 ...
012345678901234567890 ...
TTTTTTTTLLLLLLLLVVVVV ...
Where the following key holds:
T Attribute type
L Length
V Value
Type
The type field is a single octet which is one of the following:
Type Description Attribute Length
1 User-Name =3
2 User-Password =18
3 CHAP-Password =19
4 NAS-IP-Address 6
5 NAS-Port 6
6 Service-Type 6
7 Framed-Protocol 6
8 Framed-IP-Address 6
9 Framed-IP-Netmask 6
10 Framed-Routing 6
11 Filter-Id =3
12 Framed-MTU 6
13 Framed-Compression 6
14 Login-IP-Host 6
15 Login-Service 6
16 Login-Port 6
17 (unassigned) N/A
18 Reply-Message =3
19 Login-Callback-Number =3
20 Framed-Callback-Id =3
21 (unassigned) N/A
22 Framed-Route =3
17-03-2011 Radius Details
…googleusercontent.com/search?q=ca… 3/5
22 Framed-Route =3
23 Framed-IPX-Network 6
24 State =3
25 Class =3
26 Vendor-Specific =7
27 Session-Timeout 6
28 Idle-Timeout 6
29 Termination-Action 6
30 Client-Port-DNIS =3
31 Caller-ID =3
32 NAS-Identifier =3
33 Proxy-State =3
34 Login-LAT-Service =3
35 Login-LAT-Node =3
36 Login-LAT-Group 34
37 Framed-AppleTalk-Link 6
38 Framed-AppleTalk-Network 6
39 Framed-AppleTalk-Zone =3
40 Acct-Status-Type 6
41 Acct-Delay-Time 6
42 Acct-Input-Octets 6
43 Acct-Output-Octets 6
44 Acct-Session-Id =3
45 Acct-Authentic 6
46 Acct-Session-Time 6
47 Acct-Input-Packets 6
48 Acct-Output-Packets 6
49 (reserved for future accounting) N/A
192 - 223 (reserved for experimental use) N/A
224 - 240 (reserved for implemention-specific use) N/A
241 - 255 (reserved: DO NOT USE) N/A
Length
The length field of the attributes is a single octet which specifies the length of the attribute including the type, length, and value.
NOTE: If a RADIUS server receives a Access-Request packet with attributes which specify the wrong length, the server should reject the request!
Value
The value field is a number of octets between zero and two hundred fifty-three. The Type and Length fields can be used to determine the length, because the length is type
dependent, and some types stil have variable lengths. The four types of value are:
string 0-253 octets
address 4 octets most significant octet first
integer 4 octets most significant octet first
time 4 octets most significant octet first which contains the number of seconds since Midnight, 1/1/70
NOTE: In the event of multiple attributes with the same type, the attributes should maintain their order, however if only one type of any attribute is in a packet, the order does not need to be
maintained.
Benefits
Benefits of Using Radius Radius is a versatile, inexpensive, and effective security system for networks which are growing rapidly. The distributed security system makes it a
practical option for companies who need to protect their networks while allowing their employees easy acce ss to areas in which they have approved access. Centralizing all the
security information makes it easier to modify the system and also makes security breaches easier to find. The architecture of the server supports increasing the number of users
without disturbing the effciency of the system, decreasing the amount of "down" time on the network. Because of it's network-friendly features Radius is rapidly becoming the
standard for Network security systems. The RFC Draft which has been presented to the IETF will no doubt soon be approved and confirm the status of Radius as the best
security system for networks in the computing industry. .
References
Merit AAA Server FAQ http://www.merit.edu/aaa/documentation.html
Livingston Whitepaper http://www.livingston.com/Marketing/Whitepapers/radius_paper.shtml
Livingston http://www.livingston.com/
17-03-2011 Radius Details
…googleusercontent.com/search?q=ca… 4/5
Merit AAA Server http://www.merit.edu/aaa/
17-03-2011 Radius Details
…googleusercontent.com/search?q=ca… 5/5
