RADIUS
RADIUS is an authentication, authorization and accounting (AAA) client-server
protocol. The client is a Network Access Server (NAS) that wants to authenticate
its links; the server is a host with access to a user database containing the
authentication information. The protocol was developed by Livingston Enterprises
around 1989 and further improved by Merit (University of Michigan). The RFCs
accepted at the IETF in 1997 are listed under References below ([RFC2138], [RFC2139]).
The protocol is supported and used by many terminal server vendors, such
as Cisco, Ascend, Livingston and others.
It is a client/server protocol in which a client (the Network Access Server)
sends a request that is answered by the server (the RADIUS server). The
protocol runs over UDP. The main reason for using UDP instead of the more
reliable TCP is failover: when a RADIUS server fails, TCP takes too much time
to detect this and switch to a secondary server. With UDP the client can
implement its own retransmission scheme, which detects a failed RADIUS server
at an earlier stage.
Data between client and server are exchanged in RADIUS packets. Exactly
one RADIUS packet is encapsulated in the data field of a UDP datagram. Every
packet contains the following information:
Figure 1: RADIUS Packet Format.
The fields in a RADIUS packet are:
- Code - An octet containing the RADIUS command/response.
- Identifier - An octet used to match the command and response.
- Length - The length of the packet (2 octets).
- Authenticator - Value used to authenticate the reply from the RADIUS server;
it is also used in the password hiding algorithm.
- Attributes - The data belonging to the command or response.
RADIUS communication uses the request-response paradigm: requests are issued by the client and
sent to the server, responses are issued by the server and sent to the client. The possible
request-response pairs are:
- access-request, (client->server), requests access for a user with certain services.
The possible responses to this command are:
- access-accept, (server->client), positive response to an access-request
from a client.
- access-reject, (server->client), negative response to an access-request
from a client.
- access-challenge, (server->client), response to an access-request
where the server expects a reply from the client, encapsulated in a new
access-request.
- accounting-request, (client->server), request to store the accounting data
carried in the packet on the server. The response to this command is:
- accounting-response, (server->client), response to the client when the accounting
data has successfully been stored on the server.
Below is a sequence diagram of a user accessing the network through the
Network Access Server and disconnecting again.
Figure 2: RADIUS Message Flow.
- The Network Access Server gets the username/password pair from the remote user, encrypts
this information with the shared secret key and sends it in an 'Access-request'
to the RADIUS Server (Authentication phase).
- When the username and password combination is valid, the RADIUS Server
sends an 'Access-accept' with extra information (for example: IP address,
network mask, allowed session time, etc.) to the Network Access Server
(Authorization phase).
- The Network Access Server sends an 'Accounting-request (Start)' to indicate
that the user is logged onto the network (Accounting phase).
- The RADIUS Server responds with an 'Accounting-response' when the accounting
information has been stored.
- When the user logs out, the Network Access Server sends an 'Accounting-request
(Stop)' with the following information:
- Delay time, how long the Network Access Server has been trying to send this message.
- Input octets, the number of octets received by the user.
- Output octets, the number of octets sent by the user.
- Session time, the number of seconds the user was logged on.
- Input packets, the number of packets received by the user.
- Output packets, the number of packets sent by the user.
- Reason, the reason why the user was disconnected from the network.
- The RADIUS Server responds with an 'Accounting-response' when the accounting
information has been stored.
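The packet layout described under Packet Format and the message flow of Figure 2, as an added example that is not code from the original page or from any of the products listed on it: a small encoder/decoder for the fixed header and the type/length/value attributes, with the length-consistency checks that make a receiver discard a malformed datagram, followed by an in-process walk through the Access-Request, Accounting-Request (Start) and Accounting-Request (Stop) exchanges with both the NAS and the server side constructed here. Packet codes and attribute numbers are the values assigned in RFC 2138/2139; the user name, addresses, counters and the Request Authenticator are constructed sample values.

```python
import struct
from dataclasses import dataclass, field

# Packet codes and attribute numbers are the values assigned in RFC 2138/2139.
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 41, 42, 43
ACCT_SESSION_TIME, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS, ACCT_TERMINATE_CAUSE = 46, 47, 48, 49
ACCT_START, ACCT_STOP = 1, 2          # Acct-Status-Type values
HEADER = struct.Struct("!BBH16s")     # Code, Identifier, Length, Authenticator


@dataclass
class Packet:
    code: int
    identifier: int
    authenticator: bytes
    attributes: list = field(default_factory=list)   # (type, value-bytes) pairs, in order


def encode(pkt):
    """Serialise: fixed header, then each attribute as Type, Length (counting its own
    two header octets) and Value."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pkt.attributes)
    return HEADER.pack(pkt.code, pkt.identifier, HEADER.size + len(body), pkt.authenticator) + body


def decode(data):
    """Parse a datagram payload into a Packet, applying the consistency checks of
    RFC 2138. A receiver silently discards anything that fails them; here that is
    signalled with ValueError so a caller can log the discard."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than the fixed header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("Length field inconsistent with the datagram size")
    if code not in CODE_NAMES:
        raise ValueError("unknown Code %d" % code)
    attrs, pos = [], HEADER.size
    while pos < length:                      # octets beyond Length are padding and ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:  # Type and Length octets must fit, and so must the Value
            raise ValueError("attribute length %d runs outside the packet" % alen)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return Packet(code, ident, auth, attrs)


def u32(n):
    """Integer-valued attributes carry a 4-octet big-endian value."""
    return struct.pack("!I", n)


def simulate_session(session_secs, in_octets, out_octets):
    """Walk the message flow of Figure 2 with NAS and server both in-process.
    Returns (trace, access_accept): the ordered (sender, message) list and the
    decoded Access-Accept the NAS received."""
    req_auth = bytes(range(16))   # constructed placeholder; a real NAS uses a fresh random value
    trace = []

    def server(raw):              # the RADIUS server's side of each exchange
        req = decode(raw)
        trace.append(("NAS", CODE_NAMES[req.code]))
        reply_code = {1: 2, 4: 5}[req.code]   # Access-Request -> Accept, Accounting-Request -> Response
        # A real server writes the MD5-based Response Authenticator into this field.
        reply = Packet(reply_code, req.identifier, req.authenticator)
        if reply_code == 2:       # authorization data handed back to the NAS
            reply.attributes.append((FRAMED_IP_ADDRESS, bytes([10, 0, 0, 42])))
        trace.append(("server", CODE_NAMES[reply_code]))
        return encode(reply)

    # Authentication and authorization phases
    access = Packet(1, 7, req_auth, [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))])
    accept = decode(server(encode(access)))
    # Accounting phase: Start when the user is logged on ...
    start = Packet(4, 8, req_auth, [(ACCT_STATUS_TYPE, u32(ACCT_START)), (USER_NAME, b"alice")])
    decode(server(encode(start)))
    # ... and Stop, carrying the counters listed above, when the user logs out
    # (packet counts are constructed from the octet counts for the sample).
    stop = Packet(4, 9, req_auth, [
        (ACCT_STATUS_TYPE, u32(ACCT_STOP)), (ACCT_DELAY_TIME, u32(0)),
        (ACCT_INPUT_OCTETS, u32(in_octets)), (ACCT_OUTPUT_OCTETS, u32(out_octets)),
        (ACCT_SESSION_TIME, u32(session_secs)), (ACCT_INPUT_PACKETS, u32(in_octets // 500)),
        (ACCT_OUTPUT_PACKETS, u32(out_octets // 500)), (ACCT_TERMINATE_CAUSE, u32(1)),  # 1 = User-Request
    ])
    decode(server(encode(stop)))
    return trace, accept


if __name__ == "__main__":
    for sender, message in simulate_session(3600, 123456, 654321)[0]:
        print("%-6s %s" % (sender, message))
```

The decoder trusts nothing but the datagram it was handed: the Length field is checked against the fixed header and the actual datagram size, every attribute's Length must stay inside the packet, and an unknown Code is rejected rather than guessed at. Those are the checks that turn a truncated or oversized datagram into a logged discard instead of an out-of-bounds read.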
| Protocol used for | Authentication, Authorization and Accounting |
| Transport protocol used | UDP |
| Message traffic | Request/response from client to server |
| Hop-by-hop security | Encryption of the passwords with a shared secret (MD5 Message-Digest Algorithm [RFC1321]) |
| End-to-end security (for use through proxies) | Not available |
| Message size | Header size (12 bytes) + NrOfAttributes (0..N) * Attribute (3..255 bytes) |
| Total number of different Attributes | 256 |
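The hop-by-hop security mechanism from the table above, as an added example that is not part of the original page or of any listed product: the User-Password hiding of RFC 2138 section 5.2 as performed by the NAS and reversed by the server, and the Response Authenticator that the client recomputes over every reply before accepting it (with 16 zero octets in place of the Request Authenticator the same formula yields the Accounting-Request authenticator of RFC 2139). The shared secret, Request Authenticator and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def _keystream_xor(data, secret, request_authenticator, chain_on_output):
    """Shared core of hiding and unhiding: XOR each 16-octet chunk with
    MD5(secret + previous chunk), the first 'previous chunk' being the Request
    Authenticator. Hiding chains on the ciphertext it produces, unhiding on the
    ciphertext it consumes, so both sides derive the same keystream."""
    out, prev = b"", request_authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ k for x, k in zip(chunk, key))
        out += result
        prev = result if chain_on_output else chunk
    return out


def hide_password(password, secret, request_authenticator):
    """NAS side (RFC 2138 section 5.2): pad the password with NULs to a multiple of
    16 octets, then apply the MD5 keystream seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, request_authenticator, chain_on_output=True)


def unhide_password(hidden, secret, request_authenticator):
    """Server side: regenerate the keystream from the received ciphertext, XOR it
    back and strip the NUL padding (the scheme cannot distinguish padding from a
    password that itself ends in NUL octets)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    return _keystream_xor(hidden, secret, request_authenticator, chain_on_output=False).rstrip(b"\x00")


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    With request_authenticator = 16 zero octets this is also the Accounting-Request
    authenticator of RFC 2139."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_reply(code, identifier, attributes, request_authenticator, secret):
    """Server side: emit a reply whose Authenticator field is the Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_reply(raw, request_authenticator, secret):
    """Client side: recompute the Response Authenticator over the received reply and
    compare it (in constant time) with the 16 octets carried in the packet. A reply
    that fails this check is discarded, just like one with an unexpected Identifier."""
    if len(raw) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < HEADER_LEN or length > len(raw):
        return False
    expected = response_authenticator(code, identifier, raw[HEADER_LEN:length],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, raw[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"example-shared-secret"
    req_auth = bytes(range(16))
    hidden = hide_password(b"hunter2", secret, req_auth)
    print("hidden:", hidden.hex(), "->", unhide_password(hidden, secret, req_auth))
    reply = build_reply(2, 7, b"\x08\x06\x0a\x00\x00\x2a", req_auth, secret)  # Framed-IP-Address 10.0.0.42
    print("reply verifies:", verify_reply(reply, req_auth, secret))
```

Both mechanisms are keyed only by the shared secret of one client-server pair: the password is XORed with an MD5 keystream rather than encrypted with a cipher, and the Response Authenticator is a plain hash with the secret appended. That is why the table above records end-to-end security as "Not available" through proxies: each proxy hop unhides and re-hides the password with its own secret and re-authenticates the reply itself.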
Within the IETF there is a working group,
"Remote Authentication Dial-In User Service (RADIUS)", which works on
the RADIUS protocol and its extensions.
Many drafts have been produced for possible extensions of the RADIUS
protocol. A few vendors have produced drafts specifying their own
attributes, used in their particular implementation of RADIUS.
| [RFC2138] | Rigney, C., Rubens, A., Simpson, W. and Willens, S.; Remote Authentication Dial In User Service (RADIUS), RFC 2138, January 1997 |
| [RFC2139] | Rigney, C.; RADIUS Accounting, RFC 2139, January 1997 |
| [RFC1321] | Rivest, R.; The MD5 Message-Digest Algorithm, RFC 1321, April 1992 |
| Product (Company) | Platform | Supported protocols |
| NTX Access (Internet Transaction Services) | NT | RADIUS, XTACACS |
| DTC Radius ver. 2.03 (Digital Technologies Corporation) | UNIX, NT | RADIUS |
| RADIATOR Radius server (Open System Consultants Pty. Ltd.) | UNIX, WIN95/98, NT | RADIUS, TACACS+ |
| Freeware Radius server (Lucent Technologies) | UNIX, NT | RADIUS |
| PortAuthority (Lucent Technologies) | JAVA | RADIUS |
| NavisRadius (Lucent Technologies) | UNIX, NT | RADIUS |
| Authentication, Authorization and Accounting Server (Merit) | UNIX | RADIUS |
| Cistron Radius Server (Cistron) | UNIX | RADIUS |
| Proxy & Roaming Radius Server (PRRS) (Vircom) | NT | RADIUS |
| RadiusNT (IEA Software, Inc) | NT | RADIUS |
| Total Control Management Software (3COM) | --- | RADIUS |
| Radtac Manager Server 4.2.1 (Media Online Italia s.r.l.) | WIN98, NT | RADIUS, TACACS |
| Steel-belted radius (Funk software) | UNIX, NT | RADIUS |
| Shiva Access Manager (Shiva) | UNIX, WIN95/98, NT | RADIUS, TACACS, XTACACS, TACACS+ |
| RADIUS-VMS (DLS Internet services, Inc.) | OpenVMS | RADIUS |
| DRAS (Digital Equipment Corporation) | OpenVMS, UNIX, NT | RADIUS |
| Extent (Extent technologies) | UNIX, NT | RADIUS |
| NTTacplus release 2.0 (NTTacplus) | WIN95/98, NT | RADIUS, TACACS+ |
| Internet Authentication Service (Microsoft) | WIN2000, NT | RADIUS |
| Jam-Radius (Dynamic Network Technologies) | JAVA | RADIUS |
| RaDial (Dotstar) | NT | RADIUS |
| MacRadius (Cyno) | MacOs | RADIUS |
| PerlRadius | Perl | RADIUS |
| FreeRadius | UNIX, OS/2 | RADIUS |
| IcRadius | UNIX | RADIUS |
| ESVA and N2H2 Radius | UNIX | RADIUS |
| IMS 3.1 (Bellesystems) | UNIX | RADIUS |