Overview of Nomadix’
RADIUS Implementation
Solution Outline
Confidential
Copyright © 2003 Nomadix, Inc. All Rights Reserved.
Monday, July 21, 2003
31355 Agoura Road
Westlake Village, CA 91361, USA
www.nomadix.com
White Paper
Executive Summary
RADIUS is a proven carrier-class protocol to perform accurate time and volume-based billing.
Coming from the traditional dial-up Internet access world, this mature protocol has been adapted
to perform the same tasks in modern broadband environments, both for public access and
residential solutions. The core RADIUS client implementation of the Nomadix family of gateway
products is being used in carrier networks every day by hundreds of thousands of users
worldwide, providing accurate authentication and accounting information in conjunction with
virtually all major RADIUS servers (e.g. Lucent, Funk, Microsoft and Cisco).
Nomadix’ RADIUS client implementation is characterized not only by carrier-class redundancy,
but also by an innovative implementation of new features improving:
• authentication security (e.g. SSL and EAP);
• authentication accuracy (e.g. MAC address transmission);
• accounting accuracy (e.g. accurate time stamps and bytes sent/received information even
during network maintenance);
• accounting flexibility (interim accounting messages);
• user convenience to maximize revenues (e.g. ability to dynamically change service plan and
update accounting records in real time).
This document is intended for an audience that is familiar with the core features of the RADIUS
protocol (RFCs 2865 and 2866). It is also intended as a discussion basis to help determine any
specific areas that you would like to explore in more detail.
Introduction
Objective of this document
This document aims to provide a visual description of the RADIUS-based authentication,
authorization and accounting (AAA) process used in the Nomadix family of public access
gateway products to ensure accurate, carrier-class time and volume-based billing. Additionally,
this document describes unique Nomadix implementations for automatic RADIUS retransmissions, ‘Remember Me’ cookies (especially for PDA-based access), dynamic service plan
upgrades and RADIUS interim accounting messages.
Most emerging providers of public access broadband networks are interested in creating the
largest possible customer ‘funnel’ to ensure a speedy ROI on the network infrastructure. To
achieve this ‘open user group’ objective, both plug-n-play technologies (to also ensure low call
center support costs) as well as support for additional payment mechanisms are needed. Nomadix
has tailored its solutions to simultaneously support the widest range of alternative RADIUS-based
AAA mechanisms (e.g. paysafecard, Smart Clients) as well as support for pre-paid methods that
are preferred by temporary ‘out-of-town’ users (e.g. Credit Card), or are specific to high density
points of potential customers (e.g. hotel PMS system for USGII and HSG product lines). Should
the interest exist, Nomadix would be happy to outline these additional payment mechanisms in a
separate document.
Caveats:
Nomadix reserves the right to change its implementation without notice in future releases.
Information about these changes will be contained in the README accompanying the release of
the gateway product.
RADIUS time-based billing
RADIUS Messages and RADIUS attributes
The Nomadix wireless gateway RADIUS functionality can be broken down into the following
categories:
- Access-Request
- Access-Accept Parsing
- Acct-Request
Access-Request Attributes
- Username.
- Password.
- Service-Type.
- NAS-Port (port number).
- NAS-Identifier.
- Framed-IP.
- Called-Station-Id.
- Calling-Station-Id.
- NAS-IP.
- NAS-Port-Type.
- Acct-Session-ID.
- State.
Nomadix Vendor Specific Attributes:
- Log-Off-URL (string)
Access-Accept Parsing
- Reply-Message.
- State.
- Class.
- Session-Timeout.
- Idle-Timeout.
- Acct-Interim-Interval.
Nomadix Vendor Specific Attributes:
- Nomadix-Bw-Up (integer)
- Nomadix-Bw-Down (integer)
- Nomadix-URL-Redirection (string)
- Nomadix-Expiration (string)
- Nomadix-MaxBytesUp (integer)
- Nomadix-MaxBytesDown (integer)
- Nomadix-Session-Terminate-End-Of-Day (integer)
Acct-Request
- Username.
- Called-Station-Id.
- Calling-Station-Id.
- Acct-Status-Type (Start/Stop).
- Acct-Session-ID.
- Acct-Output-Octets.
- Acct-Input-Octets.
- Acct-Output-Packets.
- Acct-Input-Packets.
- Class.
- Acct-Session-Time (Stop).
- Terminate-Cause (Stop).
- NAS-IP.
- NAS-Port-Type.
- NAS-Port.
- Framed-IP.
- Acct-Delay-Time.
The Nomadix wireless gateway will also wait for the receipt of an Accounting Reply message. If
no reply is received, the accounting request will be sent to the secondary server.
Definitions
The following definitions refer to the diagrams below.
Event:
‘Event’ is defined as one of three things:
- action by a user
- packet transmission initiated by a user
- packet transmission initiated by a network device
Client:
‘Client’ refers to the PC or PDA the user employs to gain access to the network.
Nomadix Wireless gateway:
“Nomadix Wireless gateway” refers to a device from the Nomadix family of public access
gateway devices. This device acts as the RADIUS Network Access Server (NAS). We assume
that the Nomadix Wireless gateway also acts as the local DHCP server.
RADIUS Server:
“RADIUS server” refers to any RFC-compliant RADIUS server. The RADIUS server can also be
a proxy server relaying requests to a home RADIUS server (as defined in the Nomadix Wireless
ISP roaming model). We assume that the RADIUS authentication and the RADIUS accounting
function are being undertaken by the same server/IP address. Some providers prefer to use
separate servers (e.g. for performance and security reasons). Nomadix’ RADIUS client
implementation fully supports carrier-class RADIUS server redundancy (i.e. separate
Authentication and Accounting servers, separate Primary and Secondary servers).
Unique Nomadix RADIUS client features
In addition to the RADIUS VSA’s outlined above, the Nomadix wireless gateway also provides a
number of unique RADIUS-driven features that improve the customer experience and can be
effectively used to increase revenues for you.
Dynamic Service Plan change via intelligent JAVA-applet
The Nomadix Wireless gateway allows the end-user to dynamically change his service plan
without contacting you. The billing records are kept up-to-date via a real time RADIUS
accounting request message. This feature allows you to upsell a premium service plan at zero cost
to the company for premium users. For example, a user may be synchronizing his email at a train
station when he notices that a customer has sent him a 20 MByte presentation. Since the user only
subscribes to the most cost effective plan at 256kbit/s, it may mean that he has to miss his train
because he cannot exceed this speed. With the Nomadix wireless gateway, the user can simply
choose a faster plan and only get billed for the time he is using the plan.
Another example would be if the user wishes to increase his bandwidth to follow a live video
stream of the 2006 Soccer World Cup final game of Spain beating Holland 2:0.
The JAVA applet also contains a ‘logout’ button that allows the end-user to terminate a session
(explicit logout). Upon pressing the logout button and confirming the explicit session termination
attempt in an additional pop-up window, the JAVA applet will send an XML command to the
Nomadix wireless gateway. The Nomadix wireless gateway will then immediately send an
Accounting Stop message to the RADIUS server. Alternatively, the user can also type in 1.1.1.1
into his browser to initiate a session termination. An appropriate confirmation message will be
shown in the user’s browser to confirm the explicit session termination.
‘Automatic Re-transmission’ and ‘Remember Me’
Most network operators consider it important to implement short idle timeouts to improve
network efficiency. Idle-timeouts can be effectively used to ensure accurate billing for users that
either turn off their laptop or lose network access for any other reason (e.g. AP becomes
inoperable). Alternatively, in many Wi-Fi networks, environmentally caused radio interferences
are not uncommon. In either case, this means that the user will have to login again after a period
of inactivity. PDA users are particularly affected by this fact since it is still cumbersome to enter a
user name and password into a small screen browser. The Nomadix wireless gateway contains
two features to improve the user experience: RADIUS re-authentication and ‘Remember Me’.
Both features allow the user to seamlessly re-authenticate upon entering the network again
without having to type in the user name and password.
Data volume information transmission (bytes sent/received)
The Nomadix RADIUS client implementation allows you to accurately track the exact number of
bytes sent and received by:
- username
- IP address (Framed IP)
- MAC address of the user (Calling Station ID)
As shown in the sample below, the byte counts are sent in the Accounting ‘Alive’ and
Accounting ‘Stop’ messages. As mentioned before, Accounting ‘Stop’ messages can be generated
by:
- an explicit customer logout (via JAVA applet or by typing 1.1.1.1);
- session time-out;
- idle time-out;
- deleting the user from the ‘Current’ screen in the Nomadix wireless gateway.
The message will indicate the type of action that initiated the Accounting ‘Stop’.
To ensure accuracy, the Nomadix wireless gateway will temporarily save the Accounting
information per user in case of an administrator reboot. An administrator reboot may need to be
initiated when network maintenance is performed (e.g. change of DHCP pool size).
Location-based billing
As shown in the sample RADIUS accounting log below, one of the parameters sent by the
Nomadix wireless gateway is the “Location ID”. For the network operator, this means that
location-based billing can be flexibly implemented. For example, it is possible to create three
service plans with three different geographic coverage areas. Details of such a service plan
scheme can be found below:
1) Service Plan A “Local” – geographic coverage: all hotspots with Location ID ‘Madrid’
– cost: EURO 10 per month – target audience: local students
2) Service Plan B “National” – geographic coverage: all hotspots with Location ID ‘Spain’
etc. – cost: EURO 20 per month – target audience: national business travelers
3) Service Plan C “Global” – geographic coverage: n/a – cost: EURO 30 per month – target
audience: global business travelers
Depending on the capabilities of the RADIUS server, it is also possible to start charging a
premium for users that roam outside their Service Plan (similar to mobile phone billing schemes).
Conclusions
RADIUS time-based billing for Wi-Fi networks is a proven technology to accurately and
transparently account for network usage by clearly defining an unambiguous start and stop time
of the accounting period. In addition, it offers the flexibility to generate additional revenues as
well as improve the network access for increasingly popular devices such as PDAs.
Suggested additional areas for discussion:
This document makes reference to a number of additional Nomadix features that may be suitable
for your network.
• Alternative RADIUS implementations such as Smart Clients and paysafecards
• Credit Card
Appendix:
Sample RADIUS transmissions
Actual Authentication and Accounting log with all attributes turned on in the Nomadix
wireless gateway.
Authentication Request Message
Authentication Request
Received From: ip=208.50.30.135 port=1025
Packet : Code = 0x1 ID = 0xaf
Client Name = 208.50.30.135 Dictonary Name = nomadix.dct
Vector =
000: c6410000 7e160000 81270000 6b440000 |.A..~....'..kD..|
Parsed Packet =
User-Name : String Value = everything
User-Password : Value =
000: ee15e6f9 abc1658a 49b590a7 240ac052 |......e.I...$..R|
NAS-IP-Address : IPAddress = 208.50.30.135
NAS-Port : Integer Value = 7
Service-Type : Integer Value = 1
Acct-Session-Id : String Value = 50000001
Called-Station-Id : String Value = 00-50-E8-01-02-9D
Calling-Station-Id : String Value = 00-04-AC-25-EB-2D
Unknown type : Value =
000: 00000ced 0a106874 74703a2f 2f312e31 |......http://1.1|
010: 2e312e31                            |.1.1            |
NAS-Identifier : String Value = USG_1000
NAS-Port-Type : Integer Value = 19
Framed-IP-Address : IPAddress = 55.56.57.58
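The "Unknown type" entry in this log is a Vendor-Specific attribute carrying the Log-Off-URL VSA listed under the Access-Request attributes above: the dump decodes to Vendor-Id 3309 and the string http://1.1.1.1, the logout address the text describes. The following Python is an added example, not code from the paper or from Nomadix; it decodes that dump with the length checks a RADIUS server needs before trusting any Vendor-Specific attribute. The vendor-type numbers in its table are an assumption, since the paper names the attributes but not their numbers.

```python
import struct

# Vendor-Id 3309 (0x00000ced) is what the dump above carries.  The vendor-type
# numbers are assumed (from the published Nomadix dictionary); the paper itself
# names the attributes but not their numbers.
NOMADIX_VENDOR_ID = 3309
NOMADIX_ATTRS = {
    1: ("Nomadix-Bw-Up", "integer"), 2: ("Nomadix-Bw-Down", "integer"),
    3: ("Nomadix-URL-Redirection", "string"), 4: ("Nomadix-IP-Upsell", "integer"),
    5: ("Nomadix-Expiration", "string"), 7: ("Nomadix-MaxBytesUp", "integer"),
    8: ("Nomadix-MaxBytesDown", "integer"), 10: ("Log-Off-URL", "string"),
}
# Constructed from the "Unknown type" dump in the authentication log above.
DUMP = """000: 00000ced 0a106874 74703a2f 2f312e31 |......http://1.1|
010: 2e312e31 |.1.1|"""

def bytes_from_dump(dump):
    """Turn 'offset: hexwords |ascii|' dump lines back into the raw bytes."""
    words = [line.split("|", 1)[0].split(":", 1)[1] for line in dump.splitlines()]
    return bytes.fromhex("".join(words).replace(" ", ""))

def parse_vsa_value(payload):
    """Parse one Vendor-Specific (type 26) attribute value into
    (vendor_id, [(vendor_type, value_bytes), ...]).  RFC 2865 s5.26 layout:
    4-byte Vendor-Id, then Vendor-Type (1) | Vendor-Length (1) | value, repeated.
    Every length is checked before use so malformed input cannot hang or overread."""
    if len(payload) < 4:
        raise ValueError("VSA shorter than its Vendor-Id field")
    vendor_id = struct.unpack("!I", payload[:4])[0]
    subs, pos = [], 4
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = payload[pos], payload[pos + 1]
        # Vendor-Length counts its two header bytes; below 3 is malformed (0 never advances).
        if vlen < 3 or pos + vlen > len(payload):
            raise ValueError(f"bad Vendor-Length {vlen} at offset {pos}")
        subs.append((vtype, payload[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

def decode_nomadix(payload):
    """Name and decode the sub-attributes; returns [(name, value), ...]."""
    vendor_id, subs = parse_vsa_value(payload)
    if vendor_id != NOMADIX_VENDOR_ID:
        raise ValueError(f"not a Nomadix VSA (vendor {vendor_id})")
    out = []
    for vtype, value in subs:
        name, kind = NOMADIX_ATTRS.get(vtype, (f"Nomadix-Unknown-{vtype}", "string"))
        if kind == "integer" and len(value) == 4:
            value = struct.unpack("!I", value)[0]
        else:
            value = value.decode("ascii", "replace")
        out.append((name, value))
    return out
```

A sub-attribute whose Vendor-Length is 0, 1 or 2, or that claims more bytes than the packet holds, is rejected instead of being skipped, which is the check a naive `pos += vlen` loop lacks.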
Accounting Start Message
Wed Apr 02 09:09:39 2003
User-Name = "everything"
NAS-IP-Address = 208.50.30.98
NAS-Port = 0
Acct-Status-Type = Start
Acct-Session-Id = "08000002"
Class = "USG testing"
Called-Station-Id = "00-50-E8-01-04-98"
Calling-Station-Id = "00-04-AC-C5-0E-72"
NAS-Identifier = "HSG"
NAS-Port-Type = Async
Framed-IP-Address = 10.0.0.12
Nomadix-URL-Redirection = "http://www.fruit.com"
Acct-Delay-Time = 0
Accounting Interim Message
Wed Apr 02 09:16:26 2003
User-Name = "everything"
NAS-IP-Address = 208.50.30.98
NAS-Port = 0
Acct-Status-Type = Alive
Acct-Session-Id = "08000002"
Acct-Output-Octets = 8748
Acct-Input-Octets = 210711
Acct-Output-Packets = 81
Acct-Input-Packets = 259
Class = "USG testing"
Nomadix-Bw-Up = 1024
Nomadix-Bw-Down = 1024
Nomadix-MaxBytesUp = 20000000
Nomadix-MaxBytesDown = 20000000
Called-Station-Id = "00-50-E8-01-04-98"
Calling-Station-Id = "00-04-AC-C5-0E-72"
Acct-Session-Time = 393
NAS-Identifier = "HSG"
NAS-Port-Type = Async
Framed-IP-Address = 10.0.0.12
Nomadix-URL-Redirection = "http://www.fruit.com"
Acct-Delay-Time = 0
Accounting Stop Message
Wed Apr 02 09:25:22 2003
User-Name = "everything"
NAS-IP-Address = 208.50.30.98
NAS-Port = 0
Acct-Status-Type = Stop
Acct-Session-Id = "08000002"
Acct-Output-Octets = 28651
Acct-Input-Octets = 307058
Acct-Output-Packets = 245
Acct-Input-Packets = 440
Class = "USG testing"
Nomadix-Bw-Up = 1024
Nomadix-Bw-Down = 1024
Nomadix-MaxBytesUp = 20000000
Nomadix-MaxBytesDown = 20000000
Called-Station-Id = "00-50-E8-01-04-98"
Calling-Station-Id = "00-04-AC-C5-0E-72"
Acct-Session-Time = 943
Acct-Terminate-Cause = User-Request
NAS-Identifier = "HSG"
NAS-Port-Type = Async
Framed-IP-Address = 10.0.0.12
Nomadix-URL-Redirection = "http://www.fruit.com"
Acct-Delay-Time = 0
Selected descriptions of RADIUS attributes
Acct-Session-ID
The Acct-Session-ID is created when the RADIUS authentication request is built. It is transmitted
in both the Access-Request and the Accounting-Request.
Session Timeout
If the Radius server does not send a Session-Timeout, the USG will set the subscriber expiration
time to 0, which means indefinite access.
Idle Timeout
The management interface of the Nomadix wireless gateway allows the setting of a default
timeout. If the Radius server does not send an Idle-Timeout in the Radius Access-Accept, the
USG will use the default one to disconnect subscribers. “0” means indefinite.
Subscriber Session Duration
Acct-Session-Time is calculated the following way (for each transmitted/retransmitted Acct-Stop): Acct-Session-Time = time of last sent packet – subscriber login time.
Interim Accounting Updates
The Nomadix wireless gateway parses the attribute Acct-Interim-Interval in an Access-Accept. If
this attribute is present, the device tries every [Acct-Interim-Interval] seconds to send a Radius
Accounting Interim message for the specific subscriber. If this attribute is not present or equal to
0, no Interim message is sent.
The precision is 2 minutes, i.e. the device will not send Interim messages more frequently than
every 2 minutes.
Packet Count Attributes in Acct-Request
The Nomadix Wireless gateway sends the following attributes in an Accounting-Stop:
- Acct-Output-Packets: number of packets sent by subscriber.
- Acct-Input-Packets: number of packets received by subscriber.
Upon a device reboot that was initiated by an administrator, these 2 attributes are saved in the
device flash the same way as for Acct-Input-Octets and Acct-Output-Octets. This is important since
it ensures data and billing accuracy while allowing the network administrator to perform
necessary network maintenance (e.g. change the DHCP pool size).
Nomadix Vendor Specific Attributes
Nomadix-Bw-Up
This attribute value (in Kbps) restricts the speed at which uploads are performed.
Nomadix-Bw-Down
This attribute value (in Kbps) restricts the speed at which downloads are performed.
Nomadix-URL-Redirection
This attribute allows the administrator to redirect the user to a page of the administrator’s choice
after every successful login.
Nomadix-IP-Upsell
This attribute allows the user to receive a public address from a different DHCP pool when the
USG has the IP-Upsell feature enabled.
Nomadix-Expiration
This attribute defines a fixed time and date at which a session will be terminated. This feature can
be used to cut off access to a certain profile for a defined user group at a specific time.
Nomadix-MaxBytesUp
This attribute defines the maximum number of packets the user can send through the Nomadix
wireless gateway. Therefore, this attribute constitutes the upstream volume-based session
timeout.
Nomadix-MaxBytesDown
This attribute defines the maximum number of packets the user can receive through the Nomadix
wireless gateway. Therefore, this attribute constitutes the downstream volume-based session
timeout.
Nomadix-Session-Terminate-End-Of-Day
This attribute defines a session timeout at midnight every day.
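The accounting records in the appendix, the Acct-Session-Time definition (time of last sent packet minus login time) and the Nomadix-MaxBytes caps above can be cross-checked mechanically, which is how a billing or SOC team would spot lost counters or records that do not belong to the session they claim. The following Python is an added example, not code from the paper or from Nomadix; its input is the Start, Alive and Stop records for session 08000002 from the appendix log, constructed here and abridged to the attributes it checks.

```python
import re
from datetime import datetime

# Constructed sample: the Start, Alive and Stop records of session 08000002 from
# the accounting log in the appendix, cut down to the attributes checked below.
SAMPLE_LOG = """\
Wed Apr 02 09:09:39 2003
Acct-Status-Type = Start
Wed Apr 02 09:16:26 2003
Acct-Status-Type = Alive
Acct-Output-Octets = 8748
Acct-Input-Octets = 210711
Acct-Session-Time = 393
Wed Apr 02 09:25:22 2003
Acct-Status-Type = Stop
Acct-Output-Octets = 28651
Acct-Input-Octets = 307058
Nomadix-MaxBytesDown = 20000000
Acct-Session-Time = 943
"""

def parse_acct_log(text):
    """Return one dict per record: {'ts': datetime, attribute: value, ...}."""
    msgs = []
    for line in text.splitlines():
        m = re.match(r"^(\S+) = (.*)$", line)
        if m is None:  # not 'attr = value': it is the record's timestamp line
            msgs.append({"ts": datetime.strptime(line, "%a %b %d %H:%M:%S %Y")})
        else:
            key, raw = m.groups()
            msgs[-1][key] = int(raw) if raw.isdigit() else raw.strip('"')
    return msgs

def reconcile(msgs, max_drift=60):
    """Cross-check one session's records and return a list of findings.
    Acct-Session-Time is defined in the text as (time of last sent packet -
    login time) and should track (record time - Start time) within max_drift s.
    Octet counters must not go backwards; the text defines Acct-Input-* as
    traffic received by the subscriber, so it is held to Nomadix-MaxBytesDown."""
    start = next(m for m in msgs if m["Acct-Status-Type"] == "Start")
    findings, prev_in, prev_out = [], 0, 0
    for m in msgs:
        kind = m["Acct-Status-Type"]
        if kind == "Start":
            continue
        drift = int((m["ts"] - start["ts"]).total_seconds()) - m["Acct-Session-Time"]
        if abs(drift) > max_drift:
            findings.append(f"{kind}: Acct-Session-Time off by {drift}s")
        if m["Acct-Input-Octets"] < prev_in or m["Acct-Output-Octets"] < prev_out:
            findings.append(f"{kind}: octet counter went backwards")
        if m["Acct-Input-Octets"] > m.get("Nomadix-MaxBytesDown", float("inf")):
            findings.append(f"{kind}: downstream volume cap exceeded")
        prev_in, prev_out = m["Acct-Input-Octets"], m["Acct-Output-Octets"]
    return findings
```

On the appendix records the Stop's Acct-Session-Time of 943 s equals the Start-to-Stop wall-clock gap exactly, and the Alive record is 14 s behind its wall-clock gap, within tolerance, so no findings are raised.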