RADIUS [Remote Authentication Dial In User Service]

Radius is a protocol for carrying information related to authentication, authorization, and

configuration between a Network Access Server (NAS) that desires to authenticate its links and
a shared Authentication Server.

This below explanation starts with an overview of Radius followed by its features, operations,
packet format, and attributes. Subsequently provides a few examples of Radius request and
response, and terminates with a brief introduction to Diameter, a planned replacement of
Radius.

Before we start learning about Radius, it is important that we understand:

What is AAA?

What is NAS?

So let us first have a basic idea about these two topics.

WHAT IS AAA?
AAA stands for Authentication, Authorization, and Accounting.

Authentication:

Refers to confirmation that a user who is requesting a service is a valid user.

Accomplished via the presentation of an identity and credentials.

Examples of credentials include passwords, one-time tokens, digital certificates, and phone numbers
(calling/called).

AUTHORIZATION:
Refers to the granting of specific types of service (including "no service") to the users based on their
authentication.

May be based on restrictions, for example, time-of-day restrictions, or physical location restrictions, or
restrictions against multiple logins by the same user.

Examples of services include, IP address filtering, address assignment, route assignment, encryption,
QoS/differential services, bandwidth control/traffic management, etc.

ACCOUNTING:
Refers to the tracking of the consumption of network resources by users.

Typical information that is gathered in accounting include the identity of the user, the nature of the
service delivered, when the service began, and when it ended.
 May be used for management, planning, billing, etc.

AAA server provides all the above services to its clients.

AAA PROTOCOLS
Radius is an AAA protocol for applications such as Network Access or IP Mobility. Besides
Radius, we have the following protocols in AAA:

Terminal Access Controller Access Control System (TACACS) :

TACACS is a remote authentication protocol that is used to communicate with an authentication
server commonly used in Unix networks. TACACS allows a remote access server to
communicate with an authentication server in order to determine if the user has access to the
network.

TACACS+ :
TACACS+ provides access control for routers, network access servers, and other networked
computing devices via one or more centralized servers. It uses TCP and provides separate
authentication, authorization, and accounting services. It works on port 49.

DIAMETER :Diameter is a planned replacement of Radius.

WHAT IS NETWORK ACCESS SERVER?

The Network Access Server (NAS) is a service element that clients dial in order to get access to
the network. An NAS is a device having interfaces both to the backbone and to the POTS or
ISDN, and receives calls from hosts that want to access the backbone by dialup services. NAS
is located at an Internet provider's point of presence to provide Internet access to its customers.

A Network Access Server is:

A single point of access to a remote resource.

A Remote Access Server, because it allows remote access to a network.

An Initial Entry Point to a network.

A Gateway to guard to protected resource.

Examples include:
 Internet Access Verification using User ID and Password.

VoIP, FoIP, and VMoIP require a valid Phone Number or IP Address.

Telephone Prepaid Card uses Prepaid Card Number.

The following figure shows a basic architecture of Radius.

RADIUS - Overview
 RADIUS is a protocol for carrying information related to authentication, authorization,
and configuration between a Network Access Server that desires to authenticate its
links and a shared Authentication Server.

RADIUS stands for Remote Authentication Dial In User Service.

RADIUS is an AAA protocol for applications such as Network Access or IP Mobility

It works in both situations, Local and Mobile.

It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol

(CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.

It look in text file, LDAP Servers, Database for authentication.

After authentication services parameters passed back to NAS.

It notifies when a session starts and stop. This data is used for Billing or Statistics purposes.

SNMP is used for remote monitoring.

It can be used as a proxy.

Here is a Simple Network Diagram of Radius:

 RADIUS - Features
Here is a list of all the key features of Radius:

CLIENT/SERVER MODEL
NAS works as a client for the Radius server.

Radius server is responsible for getting user connection requests, authenticating the user, and then
returning all the configuration information necessary for the client to deliver service to the user.

A Radius server can act as a proxy client to other Radius servers.

NETWORK SECURITY
Transactions between a client and a server are authenticated through the use of a shared key. This
key is never sent over the network.

Password is encrypted before sending it over the network.

FLEXIBLE AUTHENTICATION MECHANISMS

Radius supports the following protocols for authentication purpose:

Point-to-Point Protocal - PPP

Password Authentication Protocol - PAP

Challenge Handshake Authentication Protocol - CHAP

Simple UNIX Login

EXTENSIBLE PROTOCOL
Radius is extensible; most vendors of Radius hardware and software implement their own
dialects.

Stateless protocol, using UDP, runs at port 1812.

 RADIUS - Operations
Before the Client starts communicating with the Radius Server, it is required that the
secret key is shared between the Client and the Server and the Client must be
configured to use Radius server to get service.

Once Client is configured properly then:

The Client starts with Access-Request.

The Server sends either Access-Accept, Access-Reject, or Access-Challenge.

Access-Accept keeps all the required attributes to provide service to the user.

Radius Codes (decimal) are assigned as follows:

1 Access-Request

2 Access-Accept

3 Access-Reject

4 Accounting-Request

5 Accounting-Response

11 Access-Challenge

12 Status-Server (experimental)

13 Status-Client (experimental)

255 Reserved

No Keep Alive concept - Good or Bad??

Codes 4 and 5 are related to Radius Accounting Functionality. Codes 12 and 13 are
reserved for possible use.

RADIUS - Packet Format

The packet format of Radius is as shown below:
 Code: This is 1 Octet (1 byte) long and identifies various types of packets. Normally 1
Octet means 1 Byte.

Identifier: This is again 1 Octet long and aids in matching responses with requests.

Length: This is 2 Octets long and specifies the length of the packet including code,
identifier, length, and authenticator. (Min packet is 20 Octets and max is 4096 Octets).

Authenticator: This is 16 Octets long and filled up in case of some requests and
responses.

List of Attributes: There is a list of 63+ attributes and a Radius attribute will also have
a defined format which is described in next chapter

RADIUS - Attributes Format

A Radius attribute consists of the following three parts:

Type: 1 Octet long, identifies various types of attributes. It is an attribute code listed below.

Length: 1 Octet long, length of the attribute including Type.

Value: 0 or more Octets long, contains information specific to attribute.

RADIUS Attributes List
Code Attributes

1 User-Name

2 User-Password

3 CHAP-Password

4 NAS-IP-Address

5 NAS-Port

6 Service-Type

7 Framed-Protocol

8 Framed-IP-Address

9 Framed-IP-Netmask

10 Framed-Routing

11 Filter-Id

12 Framed-MTU

13 Framed-Compression

14 Login-IP-Host

15 Login-Service

16 Login-TCP-Port

17 (unassigned)
18 Reply-Message

19 Callback-Number

20 Callback-Id

21 (unassigned)

22 Framed-Route

23 Framed-IPX-Network

24 State

25 Class

26 Vendor-Specific

27 Session-Timeout

28 Idle-Timeout

29 Termination-Action

30 Called-Station-Id

31 Calling-Station-Id

32 NAS-Identifier

33 Proxy-State

34 Login-LAT-Service

35 Login-LAT-Node 3

36 Login-LAT-Group
 37 Framed-AppleTalk-Link

38 Framed-AppleTalk-Network

39 Framed-AppleTalk-Zone

40-59 (reserved for accounting)

60 CHAP-Challenge

61 NAS-Port-Type

62 Port-Limit

63 Login-LAT-Port

RADIUS REQUEST EXAMPLE

Let us have a look into a Radius Request example:

The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user
named Nemo logging in on port 3 with password "arctangent".

The Request Authenticator is a 16 octet random number generated by the NAS.

The User-Password is 16 octets padded at end with nulls, XORed with D5 (Shared Secret|Request
Authenticator).

01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d 93
d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03

1 Code = Access-Request (1)

1 Identifier = 0

2 Length = 56

16 Request Authenticator

Attribute List
 6 User-Name = "Nemo"

18 User-Password

6 NAS-IP-Address = 192.168.1.16

6 NAS-Port = 3

RADIUS RESPONSE EXAMPLE

Here is an example of Response Packets:

The Radius server authenticates Nemo and sends an Access-Accept UDP packet to the NAS telling it
to telnet Nemo to host 192.168.1.3

The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the
Request Authenticator from above, the attributes in this reply, and the shared secret.

02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00 0e
06 c0 a8 01 03

1 Code = Access-Accept (2)

1 Identifier = 0 (same as in Access-Request)

2 Length = 38

16 Response Authenticator

Attribute List:

6 Service-Type (6) = Login (1)

6 Login-Service (15) = Telnet (0)

6 Login-IP-Host (14) = 192.168.1.3

What is DIAMETER
 Diameter is a planned replacement of RADIUS. It is an AAA protocol for applications such as
network access and IP mobility. Listed below are a few points that you need to know about
Diameter:

It is intended to work in both local and roaming AAA situations.

Diameter is just twice the predecessor protocol Radius.

It uses TCP or SCTP and not UDP.

It uses transport level security (IPSEC or TLS).

It has 32 bit identifier instead of 8 bit.

It supports stateless as well as stateful mode.

It supports application layer acknowledgement, define failover.

It offers better roaming support.

It uses AVPs.

Diameter allows to define new commands and attributes. It is easy to extend.

USEFUL LINKS ON RADIUS

Wiki - Wikipedia reference for RADIUS

RFC 2865 Remote Authentication Dial In User Service (RADIUS)

RFC 2866 RADIUS Accounting

RFC 3162 RADIUS Extensions

RFC 2903 Generic AAA Architecture

RFC 4004 Diameter Mobile IPv4 Application