AAA (Authentication, Authorization Accounting) With Radius

What is AAA?

AAA is a security architecture for distributed systems that enables control over which users are allowed access to which services, and that keeps tabs on what resources they have used.
Authentication

This is the process by which an entity's identity is authenticated, typically by providing evidence that it holds a specific digital identity, such as an identifier and the corresponding credentials.

Examples of credential types are passwords, one-time tokens, digital certificates, and digital signatures.
Authorization

This function determines whether a particular entity is authorized to perform a given activity; the decision is typically inherited from authentication when logging on to an application or service.

Authorization may be determined based on a range of restrictions.
Accounting

This is the tracking of network resource consumption by users for the purpose of capacity and trend analysis, cost allocation, and billing.

In addition, it may record events such as authentication and authorization failures, and it provides audit functionality: verifying, from the accounting data, that the correct procedures were carried out.
RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect to and use a network service.
RADIUS

Remote Authentication Dial-In User Service

Protocol used for communication between a Network Access Server (NAS) and an AAA server

Supports authentication, authorization, and accounting
Features of RADIUS

Client/Server model

The NAS operates as a RADIUS client: it passes user information to the RADIUS server and acts on the server's response.

The RADIUS server receives connection requests, authenticates the user, and returns configuration settings to the client.

A RADIUS server can act as a proxy client to other authentication servers.

Flexible authentication mechanisms

Can support PPP PAP or CHAP, Unix login, and other authentication mechanisms.

Extensible

All transactions contain attribute/value tuples.

New attributes can be added to the existing protocol.
RADIUS Architecture

Uses UDP port 1645 or 1812

Communication between the RADIUS server and client is in clear-text, except for passwords
RADIUS Packet Format

Code field: identifies the type of packet: Access-Request, Access-Accept, Access-Reject, Accounting-Request, Accounting-Response, Access-Challenge

Identifier field: used to match requests with replies

Authenticator field: contains a 16-byte random number used to authenticate the reply from the RADIUS server and to hide the password
Password Encryption

The encrypted password that is transmitted is equal to

  (Hash_A) XOR (padded user password)

where Hash_A = MD5 { request authenticator, preshared secret }

The receiver calculates Hash_A on its own and XORs it with the encrypted password to get the padded password back in clear-text.
RADIUS Authentication

The NAS sends an Access-Request message to the RADIUS server containing the username, the encrypted password, the IP address of the NAS, and the type of service.

The RADIUS server replies with an Access-Accept, Access-Reject, or Access-Challenge message.
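The packet format, password hiding and Access-Request/Access-Accept exchange described on the preceding slides, as an added worked example in Python. This is not code from the slide deck; it is written to RFC 2865, so it concatenates the shared secret followed by the Request Authenticator before hashing (the slide lists the two inputs in the other order) and chains the MD5 blocks for passwords longer than 16 bytes. It also shows the check the slides only imply: the NAS verifying the reply's Response Authenticator against the shared secret. The identifier value, the NAS address 192.0.2.10, the user database and the secret are constructed sample values.

```python
# Added example (not from the slide deck): a minimal RADIUS Access-Request
# round trip following RFC 2865. All sample values are constructed.
import hashlib
import hmac
import os
import socket
import struct

# Packet codes carried in the Code field (RFC 2865 / RFC 2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used in this example.
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_FRAMED_USER = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s.5.2): pad to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator, later ones are the previous ciphertext block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ h for p, h in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: recompute the same MD5 stream, XOR it back, strip the padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ h for c, h in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type/Length/Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Code=1, Identifier, Length, random 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):      # octets beyond Length are ignored padding
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:20], attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """Reply Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, identifier, request_auth, attrs, secret):
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, request_auth, attrs, secret) + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: accept the reply only if it was produced with the shared secret."""
    code, identifier, auth, _ = parse_packet(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    expected = response_authenticator(code, identifier, request_auth, reply[20:length], secret)
    return hmac.compare_digest(auth, expected)


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy RADIUS server: reveal the password, check the user, answer Accept or Reject."""
    code, identifier, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(user_db.get(attrs.get(ATTR_USER_NAME, b""), b"\x00"), password)
    reply_attrs = attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER)) if ok else b""
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, reply_attrs, secret)


def authenticate(username: bytes, password: bytes, secret: bytes, user_db: dict) -> int:
    """In-process NAS <-> server round trip; returns the reply Code (2 accept, 3 reject)."""
    request_auth = os.urandom(16)
    request = build_access_request(7, username, password, secret, "192.0.2.10", request_auth)
    reply = server_handle(request, secret, user_db)
    if not verify_reply(reply, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply forged or secrets differ")
    return parse_packet(reply)[0]


if __name__ == "__main__":
    db = {b"alice": b"correct horse battery staple"}   # constructed sample user database
    print(authenticate(b"alice", b"correct horse battery staple", b"s3cr3t", db))  # 2
    print(authenticate(b"alice", b"wrong", b"s3cr3t", db))                          # 3
```

Two points the code makes concrete: only the User-Password value is hidden, while the username, NAS address and every other attribute travel in clear-text exactly as the architecture slide says; and the hiding is an MD5-derived XOR keyed by the preshared secret, so its strength is entirely that of the secret and of the Request Authenticator being fresh for every request.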
RADIUS Accounting

Start/Stop records are sent at the start/end of sessions using UDP port 1646 or 1813

RFC 2866
RADIUS Authorization

The authorization data in the Access-Accept message lists the services the user is authorized to use (e.g. telnet, rlogin, PPP) and the client IP address.
