AAA Support by the RADIUS and the Diameter Protocol
Ahana Mallik
Department of Informatics – University of Zurich
May 26, 2016

Overview
1. Authentication, Authorization and Accounting (AAA)
2. AAA Services, Protocols and Architecture
3. RADIUS Protocol
4. Diameter Protocol
5. Comparison of RADIUS and Diameter Protocol
6. Applications of RADIUS and Diameter Protocol
7. Summary
8. Discussion Topic
Importance of Authentication, Authorization and Accounting (AAA)
Authentication
Controls user identity: the credentials provided by the user prove his/her identity.
Examples of credentials:
1. passwords
2. one-time tokens
3. digital certificates
4. any other information related to the identity (e.g. biometric parameters)
Source URL: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf

Authorization
The process of verifying whether a particular user is allowed to access network resources. Only legitimate users are allowed to access the network; malicious users are denied access to network resources.
Examples:
1. IP address filtering
2. IP address assignment
3. Route assignment
4. Encryption
Source URL: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf

Accounting
Tracking of the consumption of network resources by users.
Typical information gathered in an accounting report:
1. User ID
2. Service description
3. Session duration
Useful for management, planning and billing.
Source URL: https://www.ietf.org/edu/tutorials/IETF89-Tutorial-AAA.pdf
Authentication in Proxy Appliance
1. The user sends a request (e.g. www.yahoo.com) to the proxy appliance.
2. The proxy appliance (the ProxySG product of Blue Coat) initiates the authentication process and sends a credential challenge to the user.
3. The user then sends the credential information.
4. The user data is sent to the authentication server for verification.
5. After the verification succeeds, the user is identified in the network.
6. The user requests the required website from the internet.
7. The user gets the response from the internet.
8. The user receives the response and is able to access the desired resource.

Authentication in Proxy Appliance contd.
Source URL: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
AAA Mechanism
Authentication-based mechanisms: the user's authentication information is used as a precondition for the authorization process.
Credential-based mechanisms: this method uses credential information, which is important and trustworthy information for the purpose of authorization.
The accounting system performs the following essential tasks:
1. The system gathers or aggregates all data from the metering systems.
2. The system then stores this data in the accounting system.

AAA Protocols
RADIUS: carries AAA information between a RADIUS client and a RADIUS server. The protocol is based on the client/server model and supports a wide range of users.
Diameter: a peer-to-peer protocol that carries AAA information in a reliable manner. It is more secure and reliable than RADIUS; it is the successor of the RADIUS protocol and overcomes many of its limitations.
COPS: the Common Open Policy Service. This protocol deals with policy information.
SNMP: the Simple Network Management Protocol. The accounting information or records are all transferred to the MIB (Management Information Base), where they are sorted or classified and finally stored.

AAA Services
In the context of AAA services there is an AAA server located in an administrative domain.
Distributed servers:
1. The goal of distributed servers is to provide authentication, authorization and accounting.
2. The server provides the authorization service by deciding whether to grant or deny a request sent by the user.
3. If it grants access to the user, it sets up an authorization session and logs the session data.
AAA Architecture
The architectural components and their roles:
There is an ASM (Application Specific Module) in the architectural framework of AAA. The primary task of the ASM is to enforce the policy actions. The ASM accordingly configures the SE (Service Equipment) in order to provide the necessary service. The goal of the AAA server is to evaluate and decide user requests based on the set of policies. The policies used by the AAA server are all stored in the PR (Policy Repository).

AAA Architecture contd.
In order to evaluate a policy condition the AAA server sometimes needs to consult other AAA servers. This can be achieved either by sending requests to the other AAA servers or with the help of the ASM. Depending on the predefined policies, a server can accordingly act as an agent.
AAA Architecture contd…
Remote Authentication Dial-In User Service (RADIUS)
It is a well-known and widely deployed protocol based on the client/server model.
Some of the important functions of RADIUS are:
1. centralized management
2. security
The authentication process is based on the server and client concept: the user sends a request to the server and the server authenticates the user against a central database. If the authentication is successful the user is granted access to the network, otherwise the user is denied.

RADIUS contd.
Source URL: https://www.rivier.edu/journal/ROAJ-Fall-2009/J286-RADIUS-Sood.pdf

RADIUS Client/Server Architecture
The RADIUS protocol is based on a client/server architecture. There are two different kinds of RADIUS server:
1. RADIUS Authentication server
2. RADIUS Accounting server
The RADIUS Authentication server is responsible for the necessary security and stores security data. The RADIUS Accounting server takes care of statistical data.

RADIUS Client/Server Architecture contd.
The Network Access Server (NAS) acts as the RADIUS client. The NAS helps remote users to access the desired network resources. The NAS can reach a local RADIUS server as well as a remote RADIUS server over the WAN. RADIUS clients at times use alternate servers for redundancy and fault tolerance.

RADIUS Client/Server Architecture contd.
Source URL: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
RADIUS Services
RADIUS supports multiple authentication protocols:
1. Password Authentication Protocol (PAP)
2. Challenge Handshake Authentication Protocol (CHAP)
Authentication (the step numbers refer to the figure on slide 23):
1. The user initially establishes a connection with the Network Access Server (NAS). (Step 1)
2. The NAS wants to authenticate the user on the network, so it asks for a user ID or username and password. (Step 2)
3. The user provides his/her credential information (user ID or username and password). (Step 3)
4. The NAS then sends an Authentication Request packet to the RADIUS server for the purpose of authentication. (Step 4)

RADIUS Services contd.
5. The server then validates the user and sends an Authentication Acknowledgement. (Step 5) The server can either allow the user to access the desired network resource or deny the user access to it.
Authorization: the RADIUS server is responsible for providing services and privileges only to legitimate users. Protocols which help in authorization:
1. PPP
2. Telnet

RADIUS Services contd.
Accounting: this process is concerned with aggregating and storing statistical information. The accounting data consists of:
1. time duration
2. packets and bytes sent and received
The RADIUS client sends requests to the Accounting server and the server responds with the statistical data accordingly.

RADIUS Services contd.
Source URL: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_Authorization,_and_Accounting.4.pdf
RADIUS Standards
RADIUS first appeared in January 1997 from Lucent Technologies. It is an IETF (Internet Engineering Task Force) standard. The second generation of the RADIUS standard (RFC 2138 and RFC 2139) was developed in April 1997. In June 2000 the third generation of RADIUS came out (RFC 2865 and RFC 2866).

RADIUS Security
The user identification and passwords sent from the NAS to the RADIUS server during the authentication process are always encrypted; this encryption is achieved with the MD5 hashing algorithm. Security here is essential: otherwise confidential information about users would be revealed, and malicious users could access network resources by extracting this confidential information.
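The authentication exchange from the RADIUS Services slides (Authentication Request from the NAS, Accept or Reject from the server) together with the MD5-based password protection described on this slide, as an added example in Python; it is not code from the slides nor from any RADIUS implementation. It follows RFC 2865: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the per-request Request Authenticator, and the server's reply carries a Response Authenticator that the NAS verifies before trusting the verdict. The shared secret, the user table and the fixed Request Authenticator used for testing are constructed values.

```python
"""RADIUS Access-Request/Accept exchange with RFC 2865 User-Password hiding and
Response Authenticator checks.  Added example; secret and users are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), chain seeded by the Request Authenticator.
    Reversible obfuscation keyed by the shared secret, not real encryption."""
    size = max(16, -(-len(password) // 16) * 16)
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        block = _xor(password.ljust(size, b"\x00")[i:i + 16],
                     hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password; NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Type(1) Length(1, header included) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A forged Access-Accept cannot carry a valid value without the secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def client_access_request(ident, username, password, secret, request_auth=None):
    """NAS side (steps 3-4 on the slides): hide the password, send Access-Request."""
    request_auth = request_auth or os.urandom(16)   # fresh and unpredictable per request
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(pkt, secret, users):
    """Server side (step 5): recover the password, check it, answer Accept/Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    name = a.get(USER_NAME, b"")
    password = unhide_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    ok = (code == ACCESS_REQUEST and name in users
          and hmac.compare_digest(users[name], password))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident,
                        response_authenticator(reply, ident, request_auth, [], secret), [])


def client_verify_reply(reply, request_pkt, secret):
    """NAS checks the Response Authenticator before trusting the verdict.
    Returns the reply code, or None if the reply is spoofed or tampered."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    _, req_ident, request_auth, _ = parse_packet(request_pkt)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if ident != req_ident or not hmac.compare_digest(resp_auth, expected):
        return None
    return code


SECRET = b"constructed-shared-secret"            # constructed sample data
USERS = {b"alice": b"correct horse battery"}

if __name__ == "__main__":
    req = client_access_request(7, b"alice", b"correct horse battery", SECRET)
    print(client_verify_reply(server_handle(req, SECRET, USERS), req, SECRET))  # 2
```

Two points a defender should take from the code: the password hiding is a reversible XOR keystream, so its strength rests entirely on the shared secret and on a fresh, unpredictable Request Authenticator per request; and a reply whose Response Authenticator does not verify (for example a Reject rewritten into an Accept) must be discarded rather than acted on, which is what client_verify_reply enforces.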