Download 5. Detailed working of RADIUS - Department of Computer Science

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
Document related concepts

Distributed firewall wikipedia , lookup

Deep packet inspection wikipedia , lookup

Cross-site scripting wikipedia , lookup

Proxy server wikipedia , lookup

Mobile security wikipedia , lookup

Security and safety features new to Windows Vista wikipedia , lookup

Wireless security wikipedia , lookup

Authentication wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Unix security wikipedia , lookup

Electronic authentication wikipedia , lookup

3-D Secure wikipedia , lookup

Transcript 
RADIUS Protocol
Presented to
Dr. Mark Stamp
Department of Computer Science
San Jose State University
Submitted By
Hiral Shah
Varsha Mahalingappa
April 04, 2004
Table of Contents
1. INTRODUCTION..................................................................................... 2
2. KEY FEATURES OF RADIUS ............................................................... 2
3. TERMINOLOGY ..................................................................................... 3
4. OVERVIEW .............................................................................................. 4
5. DETAILED WORKING OF RADIUS ................................................... 4
6. PACKET FORMAT ...………………………………………………… 5
7. LIMITATIONS ......................................................................................... 6
8. CONCLUSION ......................................................................................... 6
9. REFERENCES .......................................................................................... 7
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
1
1. Introduction:
Remote Authentication Dial-In User Service (RADIUS) is a Client/Server Protocol.
Network administrators have to guard their modems against break-ins in order to
maintain the security of the network. The strategy for verifying the identity of, granting
access to, and tracking the actions of remote users is known as Authentication,
Authorization and Accounting (AAA)
RADIUS uses UDP as the Transport Protocol. UDP port 1812 is used for RADIUS
authentication messages and UDP port 1813 for the authenticating messages. RADIUS
utilizes MD5 algorithm for secure password hashing. RADIUS is a fully open protocol,
distributed in source code format, which can be modified to work with any security
system currently available on the market.
2. Key features of RADIUS:
 Client Server Model
A NAS operates as a RADIUS client. The client passes user information to the RADIUS
server and then acts on the response returned. Radius servers receive user connection
requests, authenticate the user and return all the configuration information necessary for
the client to deliver service to the user. A RADIUS server can act as a proxy client to
other RADIUS server or other kinds of authentication servers.

Network Security
Transactions between the client and the RADIUS server are authenticated using a shared
secret, which is never sent over the network. Also, any user password sent between the
client and the RADIUS server are encrypted to eliminate someone snooping on an
insecure network from determining a user’s password.

Flexible Authentication Mechanism
The RADIUS server can support a variety of methods to authenticate a user. When it is
provided with the username and password, it can support Point-to-Point Protocol (PPP),
Password Authentication Protocol (PAP) or Challenge-Handshake Authentication
Protocol (CHAP), UNIX login and other authentication mechanisms.
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
2

Extensible Protocol
All transactions are comprised of variable length attribute-length-value 3-tuples. New
attribute values can be added without disturbing existing implementation of the protocol.
3. Terminology
Service:
NAS provides a service to the dial-in user.
Session:
Each service provided by the NAS to the dial in user constitutes a
Session.
Silently discard:
The packet is discarded without further processing.
Access-Request:
Sent by a RADIUS client to request authentication and
authorization for a network access connection attempt.
Access-Accept:
Sent by a RADIUS server in response to an Access-Request
message. This message informs the RADIUS client that the
connection attempt is authenticated and authorized.
Access-Reject:
Sent by a RADIUS server in response to an Access-Request
message. This message informs the RADIUS client that the
connection attempt is rejected. A RADIUS server sends this
message if either the credentials are not authentic or the connection
attempt is not authorized.
Access-Challenge:
Sent by a RADIUS server in response to an Access-Request
message. This message is a challenge to the RADIUS client that
requires a response.
Accounting-Request: Sent by a RADIUS client to specify accounting information for a
connection that was accepted.
Accounting-Response: Sent by the RADIUS server in response to the AccountingRequest message. This message acknowledges the successful receipt and processing of
the Accounting-Request message
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
3
4. Overview
The user connects a server through a modem pool and once the connection is made, the
server will prompt the user for his name and password. The RADIUS client will receive
the detail from the user and will encrypt his password. Then, the authentication request
will be received by the RADIUS server, which will validate the request and decrypt the
data. The user’s name and password will be sent for verification by the security system,
and then (if the data is correct) the server will send Authentication Acknowledgment,
which includes data about the user’s network system and service requirements. The
authentication process will limit specific users to the specific network resources it is
allowed to use. Once the server receives all the information, the user will receive network
service, which are customized for his needs. While the user is connected to the server, the
RADIUS client will send the server data for Accounting used for billings.
5. Detailed working of RADIUS
Authentication and Authorization:
Any user of a RADIUS configured client should present authentication information (for
example, username and password). The client creates an Access-Request frame
containing the username, password, ID of the client and the port ID that the user is
accessing. This frame is submitted to the RADIUS server via the network. If there is no
response from the server within a certain length of time, then the request is resent a
number of times. The client can also forward requests to an alternate server or servers if
the primary server cannot be reached. Once the RADIUS server receives a request, it
validates the sending client. If the server recognizes the client as a valid one, it consults a
database of users to find the user whose name matches the request. If the client is not
recognized, the request is ignored. The user entry in the database contains a list of
requirements, which have to be satisfied to allow access for the users. The RADIUS
server can send back an Access-Reject, an Access-Challenge or an Access-Accept.
RADIUS server uses Challenge-Response authentication to check exclusively authorized
users. Here the user is given an unpredictable number and challenged to encrypt it and
give the result back. Authorized users have special devices that can calculate the correct
response with ease.
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
4
Accounting:
At the beginning of a transaction, the client always sends a RADIUS accounting packet
consisting of the destination user and the type of service that occurs in this transaction to
the RADIUS accounting server. On receiving the packet, the server immediately sends an
acknowledgement that the packet has been received. The Accounting–Request must be
sent by the client until an Accounting-Response is received. At the end of the transaction,
the client sends to the RADIUS accounting server an Accounting Stop packet stating that
the transaction is over. It can also send some optional data such as the type of service that
was delivered and the elapsed time.
6. Packet Format
0
Code
78
Identifier
Authenticator
Attributes
15 16
Length
31
Identifier:
The Identifier field is one octet, and aids in matching requests and replies. The RADIUS
server can detect a duplicate request if it has the same client source IP address and source
UDP port and Identifier within a short span of time.
Length:
The Length field is two octets. It indicates the length of the packet including the Code,
Identifier, Length, Authenticator and Attribute fields. Octets outside the range of the
Length field MUST be treated as padding and ignored on reception. If the packet is
shorter than the Length field indicates, it MUST be silently discarded. The minimum
length is 20 and maximum length is 4096.
Authenticator:
The Authenticator field is sixteen (16) octets. The most significant octet is transmitted
first. This value is used to authenticate the reply from the RADIUS server, and is used in
the password-hiding algorithm. In Access-Request Packets, the Authenticator value is a
16 octet random number, called the Request Authenticator. The value of the
Authenticator field in Access-Accept, Access- Reject, and Access-Challenge packets is
called the Response Authenticator.
Attributes:
The Attribute field is variable in length, and contains a list of zero or more Attributes.
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
5
7. Limitations
The protocol can suffer degraded performance and lost data when used in large-scale
Systems, maybe because in part because it does not include provisions for congestion
control.









Response Authenticator Based Shared Secret Attack
User-Password Attribute Cipher Design Comments
User-Password Attribute Based Shared Secret Attack
User-Password Based Password Attack
Request Authenticator Based Attacks
Passive User-Password Compromise Through Repeated Request Authenticators
Active User-Password Compromise through Repeated Request Authenticators
Replay of Server Responses through Repeated Request Authenticators
Shared Secret Hygiene
8. Conclusion
The RADIUS protocol has several interesting issues that arise from its design. The design
and policy characteristics that seem to be principally responsible for the security
problems are as follows:

The User-Password protection technique is flawed in many ways. It should not
use a stream cipher
 The Response Authenticator is a good, but its not implemented well
 The Access-Request packet is not authenticated at all.
 Many client implementations do not create Request Authenticators that are
sufficiently random.
The solution for this is being worked on in the industry for a while. The Protocol that
would eventually replace RADIUS is known as DIAMETER. The Protocol would
include a fail-over strategy, use of TCP for reliable transport (instead of UDP, as in
RADIUS), and more general support for transmission-level security using IPSEC.
DIAMETER is not fully ready as yet in terms of standard vendor support or market
acceptance to merit consideration for near-term implementation.
Radius can be downloaded from http://ftp.gnu.org/gnu/radius/
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
6
REFERENCES
http://www.panasia.org.sg/conf/pan/c001p028.htm
http://www.ietf.org/rfc/rfc2865.txt
http://www.ietf.org/rfc/rfc2866.txt
http://www.gnu.org/software/radius/radius.html
http://www2.rad.com/networks/2000/radius/home.htm
http://www.microsoft.com/windows2000/techinfo/administration/radius.asp
RADIUS PROTOCOL – CS265 SP2004
Hiral Shah
Varsha Mahalingappa
7
Related documents
Physics 111
Physics 111
notesfunctions1
notesfunctions1
PHYS 196 Class Problem 1
PHYS 196 Class Problem 1
A jewelry maker has total revenue for her necklaces given by R(x
A jewelry maker has total revenue for her necklaces given by R(x
Solutions to Graded Problems Math 200 Homework 1 September 10
Solutions to Graded Problems Math 200 Homework 1 September 10
The Sun: center of the Solar System
The Sun: center of the Solar System
Quiz Suppose a particle of mass m is attracted to the origin with a
Quiz Suppose a particle of mass m is attracted to the origin with a
Practice - Circular Motion
Practice - Circular Motion
The Periodic Table - Newburyport High School
The Periodic Table - Newburyport High School
Name Unit 4 Vectors
Name Unit 4 Vectors
1. A bar magnet is broken in half. Each half is broken in half again
1. A bar magnet is broken in half. Each half is broken in half again