ClearBox Server v1.2 User's Guide
RADIUS (Remote Authentication Dial In User Service) is a standardized method of information exchange between a device that provides network access to users (the "RADIUS client") and a device that contains authentication information for those users (the "RADIUS server"). The RADIUS protocol is widely used in network environments to provide AAA services (authentication, authorization and accounting) to embedded routers, modem servers, software, and wireless applications. It provides centralized authentication and administration (including configuration) for thousands and sometimes millions of entities. In addition, it offers roaming and distributed authentication/accounting through its ability to proxy requests to other servers regardless of the originating client's location.
The RADIUS protocol provides good protection against common attacks (sniffing and replay), better than LDAP (which has no protection against sniffing) and TACACS+ (which has some subtle security flaws).
The RADIUS protocol is the de facto standard for authentication by hardware and is uniformly supported as a standard. Changes to the RADIUS protocol generally have minimal (if any) effect on older RADIUS clients and servers. No other protocol has nearly the same support that RADIUS enjoys.
The RADIUS-based remote access environment has three major components: Access Client, Network Access Server, and RADIUS Server.
The Access Client may be a person dialing into a Service Provider network to connect to various Internet sites (the traditional User role). Alternatively, the Access Client may be a device; it may be an ISDN router or a dial-on-demand router that provides network access to multiple users at a small office/home office.
A Network Access Server (NAS) is a device that can recognize and handle connection requests from outside the network "edge". When the NAS receives a user's connection request, it may perform an initial access negotiation with the user (PPP or SLIP). This negotiation will establish certain data (username, password, NAS device identifier, NAS port number, and so on). The NAS will then pass this data to the RADIUS server and request authentication.
The RADIUS server will authenticate the request, and will authorize services over the connection. The RADIUS server does this by matching data from the NAS's request with entries in some well-known, trusted database.
If a match can be found, the RADIUS server will accept the user. Otherwise, it will reject the user. Based on this response from the RADIUS server, the NAS will decide whether to establish the user's connection ("accept packet" or "accept user") or terminate the user's connection attempt ("reject packet" or "reject user"). Finally, the NAS issues accounting data to the RADIUS server to document the transaction; the RADIUS server may store or forward this data as needed to support billing for the services provided.
These behaviors, together with the basic components described above, are similar to TACACS+ concepts.
A RADIUS client and RADIUS server communicate by means of RADIUS packets. RADIUS packets are formatted using conventions outlined in RFC 2865 "Remote Authentication Dial In User Service (RADIUS)" and RFC 2866 "RADIUS Accounting."
To configure ClearBox Server, the essential information you'll need about RADIUS packets is the following:
RADIUS defines 6 standard packet types:
Besides these types, ClearBox Server may support additional packet types not covered in RFC 2865 (such as Disconnect Request, Disconnect Ack, ... See RFC 2882 "Network Access Servers Requirements: Extended RADIUS Practices" for more
The RADIUS "shared secret" is used to validate RADIUS communications between two devices. The shared secret may be any alphanumeric string. Each shared secret must be configured on both client and server sides.
IMPORTANT: Upper- and lowercase letters make a difference!
During an authentication transaction, password information must be transmitted securely between the RADIUS client and the RADIUS server. Password security may be addressed using a variety of protocols such as PAP, CHAP, or MS-CHAP. When PAP is used, the password is encrypted and decrypted using the authentication shared secret.
No encryption is involved in transmitting accounting data between a RADIUS client and RADIUS server. However, the accounting shared secret is used by each device to verify that it can "trust" any RADIUS communications it receives from the other device. Accounting packets may be "signed" by a key different from the key used for authentication packets.
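The two uses of the shared secret described above (hiding a PAP User-Password with the authentication secret, and signing Accounting-Request packets with the accounting secret) follow RFC 2865 section 5.2 and RFC 2866 section 3. The following Python is an added illustration, not ClearBox Server code; the secret and Request Authenticator values are constructed samples, and the server-side checks show why a secret that differs only in letter case fails.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the guide): secret and Request Authenticator.
SECRET = b"s3cret"
REQUEST_AUTH = bytes(range(16))

def _blocks(data):
    return (data[i:i + 16] for i in range(0, len(data), 16))

def hide_user_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block), starting from the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for block in _blocks(padded):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(block, key))
        out += prev
    return out

def unhide_user_password(hidden, secret, request_auth):
    """Server side: the same (case-sensitive) secret recovers the password;
    a different secret yields garbage. Trailing NULs are the padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out, prev = b"", request_auth
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def accounting_request(identifier, attributes, secret):
    """RFC 2866 s3: Request Authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", 4, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes

def accounting_request_is_authentic(packet, secret):
    """Server-side check: recompute the authenticator with the field zeroed.
    A mismatch means wrong secret or tampering; RFC 2866 says discard silently."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)
```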
How shared secrets are stored depends on the server extension, since different extensions may require them in different forms. See the ICommonExtender interface description.
When the RADIUS standard was first written, the standard ports to use for RADIUS authentication and accounting packets were 1645 and 1646, respectively. Then it emerged that these ports had been assigned to another standard. The RADIUS standards group responded by changing the port assignments to 1812 and 1813, but many organizations still use the old assignments.
As with the RADIUS shared secret, any two devices that exchange RADIUS packets must use compatible UDP port numbers. That is, if you are configuring a NAS to exchange authentication packets with a RADIUS server, you must find out which port the server uses to receive authentication packets from its clients (1812, for example). You must then configure the NAS to send authentication packets on the same port (1812). The same is true for RADIUS accounting.
ClearBox Server uses default port assignments of 1812 and 1813 for authentication and accounting, respectively. If you wish to reassign ports, you may do so with the Server Manager utility.
© 2001-2003 XPerience Technologies. www.xperiencetech.com