Overview of Nomadix' RADIUS Implementation Solution Outline

White Paper
Confidential. Copyright © 2003 Nomadix, Inc. All Rights Reserved.
Monday, July 21, 2003
31355 Agoura Road, Westlake Village, CA 91361, USA
www.nomadix.com

Executive Summary

RADIUS is a proven carrier-class protocol for accurate time- and volume-based billing. Coming from the traditional dial-up Internet access world, this mature protocol has been adapted to perform the same tasks in modern broadband environments, both for public access and residential solutions. The core RADIUS client implementation of the Nomadix family of gateway products is used in carrier networks every day by hundreds of thousands of users worldwide, providing authentication and accounting information in conjunction with virtually all major RADIUS servers (e.g. Lucent, Funk, Microsoft and Cisco).

Nomadix' RADIUS client implementation is characterized not only by carrier-class redundancy, but also by an innovative implementation of new features improving:

• authentication security (e.g. SSL and EAP);
• authentication accuracy (e.g. MAC address transmission);
• accounting accuracy (e.g. accurate time stamps and bytes sent/received information even during network maintenance);
• accounting flexibility (interim accounting messages);
• user convenience to maximize revenues (e.g. the ability to dynamically change service plan and update accounting records in real time).

This document is intended for an audience that is familiar with the core features of the RADIUS protocol (RFCs 2865 and 2866). It is also intended as a discussion basis to help determine any specific areas that you would like to explore in more detail.
Introduction

Objective of this document

This document aims to provide a visual description of the RADIUS-based authentication, authorization and accounting (AAA) process used in the Nomadix family of public access gateway products to ensure accurate, carrier-class time- and volume-based billing. Additionally, this document describes Nomadix-specific implementations of automatic RADIUS retransmission, 'Remember Me' cookies (especially for PDA-based access), dynamic service plan upgrades and RADIUS interim accounting messages.

Most emerging providers of public access broadband networks are interested in creating the largest possible customer 'funnel' to ensure a speedy ROI on the network infrastructure. To achieve this 'open user group' objective, both plug-and-play technologies (which also keep call center support costs low) and support for additional payment mechanisms are needed. Nomadix has tailored its solutions to simultaneously support the widest range of alternative RADIUS-based AAA mechanisms (e.g. paysafecard, Smart Clients) as well as pre-paid methods that are preferred by temporary 'out-of-town' users (e.g. credit card) or are specific to high-density points of potential customers (e.g. hotel PMS systems for the USGII and HSG product lines). Should the interest exist, Nomadix would be happy to outline these additional payment mechanisms in a separate document.

Caveats: Nomadix reserves the right to change its implementation without notice in future releases. Information about these changes will be contained in the README accompanying the release of the gateway product.

RADIUS time-based billing

RADIUS Messages and RADIUS attributes

The Nomadix wireless gateway RADIUS functionality can be broken down into the following categories:
- Access-Request
- Access-Accept Parsing
- Acct-Request

Access-Request Attributes
- Username.
- Password.
- Service-Type.
- NAS-Port (port number).
- NAS-Identifier.
- Framed-IP.
- Called-Station-Id.
- Calling-Station-Id.
- NAS-IP.
- NAS-Port-Type.
- Acct-Session-ID.
- State.

Nomadix Vendor Specific Attributes:
- Log-Off-URL (string)

Access-Accept Parsing
- Reply-Message.
- State.
- Class.
- Session-Timeout.
- Idle-Timeout.
- Acct-Interim-Interval.

Nomadix Vendor Specific Attributes:
- Nomadix-Bw-Up (integer)
- Nomadix-Bw-Down (integer)
- Nomadix-URL-Redirection (string)
- Nomadix-Expiration (string)
- Nomadix-MaxBytesUp (integer)
- Nomadix-MaxBytesDown (integer)
- Nomadix-Session-Terminate-End-Of-Day (integer)

Acct-Request
- Username.
- Called-Station-Id.
- Calling-Station-Id.
- Acct-Status-Type (Start/Stop).
- Acct-Session-ID.
- Acct-Output-Octets.
- Acct-Input-Octets.
- Acct-Output-Packets.
- Acct-Input-Packets.
- Class.
- Acct-Session-Time (Stop).
- Terminate-Cause (Stop).
- NAS-IP.
- NAS-Port-Type.
- NAS-Port.
- Framed-IP.
- Acct-Delay-Time.

The Nomadix wireless gateway also waits for the receipt of an Accounting-Response (RFC 2866) message. If no response is received, the accounting request is sent to the secondary server.

Definitions

The following definitions refer to the diagrams below.

Event: 'Event' is defined as one of three things:
- an action by a user
- a packet transmission initiated by a user
- a packet transmission initiated by a network device

Client: 'Client' refers to the PC or PDA the user employs to gain access to the network.

Nomadix Wireless gateway: 'Nomadix Wireless gateway' refers to a device from the Nomadix family of public access gateway devices. This device acts as the RADIUS Network Access Server (NAS). We assume that the Nomadix Wireless gateway also acts as the local DHCP server.

RADIUS Server: 'RADIUS server' refers to any RFC-compliant RADIUS server. The RADIUS server can also be a proxy server relaying requests to a home RADIUS server (as defined in the Nomadix Wireless ISP roaming model).
We assume that the RADIUS authentication and the RADIUS accounting functions are undertaken by the same server/IP address. Some providers prefer to use separate servers (e.g. for performance and security reasons). Nomadix' RADIUS client implementation fully supports carrier-class RADIUS server redundancy (i.e. separate authentication and accounting servers, and separate primary and secondary servers).

[Diagram: RADIUS AAA message flow between Client, Nomadix Wireless gateway and RADIUS server; not reproduced in this transcript.]

Unique Nomadix RADIUS client features

In addition to the RADIUS VSAs outlined above, the Nomadix wireless gateway also provides a number of RADIUS-driven features that improve the customer experience and can be used to increase revenues for you.

Dynamic Service Plan change via intelligent JAVA applet

The Nomadix Wireless gateway allows the end-user to dynamically change his service plan without contacting you. The billing records are kept up to date via a real-time RADIUS accounting request message. This feature allows you to upsell a premium service plan at zero cost to the company. For example, a user may be synchronizing his email at a train station when he notices that a customer has sent him a 20 MByte presentation. Since the user only subscribes to the most cost-effective plan at 256 kbit/s, he may have to miss his train because he cannot exceed this speed. With the Nomadix wireless gateway, the user can simply choose a faster plan and is only billed for the time he uses that plan. Another example would be a user who wishes to increase his bandwidth to follow a live video stream of a Soccer World Cup final.

Logout

The JAVA applet also contains a 'logout' button that allows the end-user to terminate a session (explicit logout).
Upon pressing the logout button and confirming the explicit session termination in an additional pop-up window, the JAVA applet sends an XML command to the Nomadix wireless gateway, which then immediately sends an Accounting Stop message to the RADIUS server. Alternatively, the user can type 1.1.1.1 into his browser to initiate a session termination (this is the Log-Off-URL the gateway sends in the Access-Request, see the appendix; since 1.1.1.1 is a publicly routable address, make sure the gateway, not the Internet, answers it). A confirmation message is shown in the user's browser to confirm the explicit session termination.

'Automatic Re-transmission' and 'Remember Me'

Most network operators consider it important to implement short idle timeouts to improve network efficiency. Idle timeouts can be used effectively to ensure accurate billing for users that either turn off their laptop or lose network access for any other reason (e.g. the AP becomes inoperable). In many Wi-Fi networks, environmentally caused radio interference is also not uncommon. In either case, the user has to log in again after a period of inactivity. PDA users are particularly affected, since it is still cumbersome to enter a user name and password into a small-screen browser. The Nomadix wireless gateway contains two features to improve the user experience: RADIUS re-authentication and 'Remember Me'. Both allow the user to seamlessly re-authenticate upon entering the network again without having to type in the user name and password. Because both re-authenticate without user interaction, the stored credential or cookie is effectively a bearer token for the account; its lifetime and its binding to the client device deserve review when the feature is enabled.

Data volume information transmission (bytes sent/received)

The Nomadix RADIUS client implementation allows you to accurately track the exact number of bytes sent and received, keyed by:
- username
- IP address (Framed-IP-Address)
- MAC address of the user (Calling-Station-Id)

As shown in the sample in the appendix, the byte counts are sent in the Accounting 'Alive' (interim) and Accounting 'Stop' messages.
As mentioned before, Accounting 'Stop' messages can be generated by:
- an explicit customer logout (via the JAVA applet or by typing 1.1.1.1);
- a session time-out;
- an idle time-out;
- deleting the user from the 'Current' screen in the Nomadix wireless gateway.

The message indicates the type of action that initiated the Accounting 'Stop' (Acct-Terminate-Cause).

To ensure accuracy, the Nomadix wireless gateway temporarily saves the accounting information per user in case of an administrator reboot. An administrator reboot may need to be initiated when network maintenance is performed (e.g. a change of DHCP pool size).

Location-based billing

As shown in the sample RADIUS accounting log in the appendix, one of the parameters sent by the Nomadix wireless gateway is the 'Location ID'. (The appendix sample carries no attribute of that exact name; confirm which attribute, e.g. NAS-Identifier or Called-Station-Id, carries it in your deployment before building plans on it.) For the network operator, this means that location-based billing can be implemented flexibly. For example, it is possible to create three service plans with three different geographic coverage areas:

1) Service Plan A 'Local'. Geographic coverage: all hotspots with Location ID 'Madrid'. Cost: EUR 10 per month. Target audience: local students.
2) Service Plan B 'National'. Geographic coverage: all hotspots with Location ID 'Spain' etc. Cost: EUR 20 per month. Target audience: national business travelers.
3) Service Plan C 'Global'. Geographic coverage: n/a. Cost: EUR 30 per month. Target audience: global business travelers.

Depending on the capabilities of the RADIUS server, it is also possible to charge a premium for users that roam outside their service plan (similar to mobile phone billing schemes).

Conclusions

RADIUS time-based billing for Wi-Fi networks is a proven technology to account accurately and transparently for network usage by clearly defining an unambiguous start and stop time of the accounting period.
In addition, it offers the flexibility to generate additional revenues as well as improve network access for increasingly popular devices such as PDAs.

Suggested additional areas for discussion: This document makes reference to a number of additional Nomadix features that may be suitable for your network.
• Alternative RADIUS implementations such as Smart Clients and paysafecards
• Credit Card

Appendix: Sample RADIUS transmissions

Actual authentication and accounting log with all attributes turned on in the Nomadix wireless gateway.

Authentication Request Message

Authentication Request Received From: ip=208.50.30.135 port=1025
Packet : Code = 0x1 ID = 0xaf
Client Name = 208.50.30.135
Dictionary Name = nomadix.dct
Vector = 000: c6410000 7e160000 81270000 6b440000 |.A..~....'..kD..|
Parsed Packet =
User-Name : String Value = everything
User-Password : Value = 000: ee15e6f9 abc1658a 49b590a7 240ac052 |......e.I...$..R|
NAS-IP-Address : IPAddress = 208.50.30.135
NAS-Port : Integer Value = 7
Service-Type : Integer Value = 1
Acct-Session-Id : String Value = 50000001
Called-Station-Id : String Value = 00-50-E8-01-02-9D
Calling-Station-Id : String Value = 00-04-AC-25-EB-2D
Unknown type : Value = 000: 00000ced 0a106874 74703a2f 2f312e31 |......http://1.1|
                       010: 2e312e31 |.1.1 |
NAS-Identifier : String Value = USG_1000
NAS-Port-Type : Integer Value = 19
Framed-IP-Address : IPAddress = 55.56.57.58

Reading the dump: 'Vector' is the Request Authenticator, and User-Password is shown in its hidden (MD5/XOR) form, which depends on that authenticator and the shared secret, so it cannot be read back from the log alone. 'Unknown type' is the Vendor-Specific attribute (type 26) that the server dictionary did not resolve: Vendor-Id 0x00000ced = 3309, vendor type 0x0a, vendor length 0x10, value "http://1.1.1.1", i.e. the Log-Off-URL listed above for the Access-Request. NAS-Port-Type 19 is Wireless-IEEE 802.11.

Accounting Start Message

Wed Apr 02 09:09:39 2003
User-Name = "everything"
NAS-IP-Address = 208.50.30.98
NAS-Port = 0
Acct-Status-Type = Start
Acct-Session-Id = "08000002"
Class = "USG testing"
Called-Station-Id = "00-50-E8-01-04-98"
Calling-Station-Id = "00-04-AC-C5-0E-72"
NAS-Identifier = "HSG"
NAS-Port-Type = Async
Framed-IP-Address = 10.0.0.12
Nomadix-URL-Redirection = "http://www.fruit.com"
Acct-Delay-Time = 0

Accounting Interim Message

Wed Apr 02 09:16:26 2003
User-Name = "everything"
NAS-IP-Address = 208.50.30.98
NAS-Port = 0
Acct-Status-Type = Alive
Acct-Session-Id = "08000002"
Acct-Output-Octets = 8748
Acct-Input-Octets = 210711
Acct-Output-Packets = 81
Acct-Input-Packets = 259
Class = "USG testing"
Nomadix-Bw-Up = 1024
Nomadix-Bw-Down = 1024
Nomadix-MaxBytesUp = 20000000
Nomadix-MaxBytesDown = 20000000
Called-Station-Id = "00-50-E8-01-04-98"
Calling-Station-Id = "00-04-AC-C5-0E-72"
Acct-Session-Time = 393
NAS-Identifier = "HSG"
NAS-Port-Type = Async
Framed-IP-Address = 10.0.0.12
Nomadix-URL-Redirection = "http://www.fruit.com"
Acct-Delay-Time = 0

Accounting Stop Message

Wed Apr 02 09:25:22 2003
User-Name = "everything"
NAS-IP-Address = 208.50.30.98
NAS-Port = 0
Acct-Status-Type = Stop
Acct-Session-Id = "08000002"
Acct-Output-Octets = 28651
Acct-Input-Octets = 307058
Acct-Output-Packets = 245
Acct-Input-Packets = 440
Class = "USG testing"
Nomadix-Bw-Up = 1024
Nomadix-Bw-Down = 1024
Nomadix-MaxBytesUp = 20000000
Nomadix-MaxBytesDown = 20000000
Called-Station-Id = "00-50-E8-01-04-98"
Calling-Station-Id = "00-04-AC-C5-0E-72"
Acct-Session-Time = 943
Acct-Terminate-Cause = User-Request
NAS-Identifier = "HSG"
NAS-Port-Type = Async
Framed-IP-Address = 10.0.0.12
Nomadix-URL-Redirection = "http://www.fruit.com"
Acct-Delay-Time = 0

Selected descriptions of RADIUS attributes

Acct-Session-ID
The Acct-Session-ID is created when the RADIUS authentication request is built. It is transmitted in both the Access-Request and the Accounting-Request, which is what lets the server tie the accounting records to the authenticated session.

Session-Timeout
If the RADIUS server does not send a Session-Timeout, the USG sets the subscriber expiration time to 0, which means indefinite access. For time-billed plans the RADIUS profile should therefore always return a Session-Timeout; a profile that omits it grants unlimited access.

Idle-Timeout
The management interface of the Nomadix wireless gateway allows the setting of a default idle timeout. If the RADIUS server does not send an Idle-Timeout in the Access-Accept, the USG uses the default one to disconnect subscribers. '0' means indefinite.
Subscriber Session Duration
Acct-Session-Time is calculated as follows (for each transmitted/retransmitted Acct-Stop):
Acct-Session-Time = time of last sent packet - subscriber login time.
It therefore never exceeds the wall-clock time between the Start and the Stop, and it is smaller when the subscriber was idle before the Stop was triggered.

Interim Accounting Updates
The Nomadix wireless gateway parses the attribute Acct-Interim-Interval in an Access-Accept. If this attribute is present, the device tries every [Acct-Interim-Interval] seconds to send a RADIUS Accounting Interim message for the specific subscriber. If this attribute is not present or equal to 0, no Interim message is sent. The precision is 2 minutes, i.e. the device will not send Interim messages more frequently than every 2 minutes.

Packet Count Attributes in Acct-Request
The Nomadix Wireless gateway sends the following attributes in an Accounting-Stop:
- Acct-Output-Packets: number of packets sent by the subscriber.
- Acct-Input-Packets: number of packets received by the subscriber.
Note that RFC 2866 defines Acct-Input-* as the count received from the port (i.e. sent by the subscriber) and Acct-Output-* as the count sent to the port, the reverse of the description above; confirm the direction against your server's records before mapping these counters onto billing or onto the Nomadix-MaxBytesUp/Down caps.

Upon a device reboot that was initiated by an administrator, these two attributes are saved in the device flash in the same way as Acct-Input-Octets and Acct-Output-Octets. This is important since it ensures data and billing accuracy while allowing the network administrator to perform necessary network maintenance (e.g. change the DHCP pool size).

Nomadix Vendor Specific Attributes

Nomadix-Bw-Up
This attribute value (in Kbps) restricts the speed at which uploads are performed.

Nomadix-Bw-Down
This attribute value (in Kbps) restricts the speed at which downloads are performed.

Nomadix-URL-Redirection
This attribute allows the administrator to redirect the user to a page of the administrator's choice after every successful login.

Nomadix-IP-Upsell
This attribute allows the user to receive a public address from a different DHCP pool when the USG has the IP-Upsell feature enabled.

Nomadix-Expiration
This attribute defines a fixed time and date at which a session will be terminated.
This feature can be used to cut off access to a certain profile for a defined user group at a specific time.

Nomadix-MaxBytesUp
This attribute defines the maximum number of bytes the user can send through the Nomadix wireless gateway. Therefore, this attribute constitutes the upstream volume-based session timeout.

Nomadix-MaxBytesDown
This attribute defines the maximum number of bytes the user can receive through the Nomadix wireless gateway. Therefore, this attribute constitutes the downstream volume-based session timeout.

Nomadix-Session-Terminate-End-Of-Day
This attribute defines a session timeout at midnight every day.
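As an added example (not Nomadix code and not part of the white paper), the following Python turns the definitions above, Acct-Session-Time as last-packet time minus login time, the 2-minute floor on Acct-Interim-Interval, and the Nomadix-MaxBytesUp/Down volume caps, into consistency checks over a Start/Alive/Stop sequence. The records are a subset of the appendix sample, copied inline so the script runs offline. The mapping of Acct-Output-Octets to upstream and Acct-Input-Octets to downstream follows the page's own description, which is the reverse of RFC 2866; the code comment says so. Treating an interval below the 2-minute floor as 2 minutes is an assumption about how the floor is applied.

```python
"""Added example (not Nomadix code): offline consistency checks over a Start/Alive/Stop
accounting sequence of the kind shown in the appendix."""
import re
from datetime import datetime, timedelta

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')
INTERIM_FLOOR = 120  # the page: Interim messages are never sent more often than every 2 minutes

# Records copied from the appendix sample, reduced to the attributes the checks below use.
SAMPLE_LOG = """\
Wed Apr 02 09:09:39 2003
User-Name = "everything"
Acct-Status-Type = Start
Acct-Session-Id = "08000002"

Wed Apr 02 09:16:26 2003
User-Name = "everything"
Acct-Status-Type = Alive
Acct-Session-Id = "08000002"
Acct-Output-Octets = 8748
Acct-Input-Octets = 210711
Acct-Session-Time = 393

Wed Apr 02 09:25:22 2003
User-Name = "everything"
Acct-Status-Type = Stop
Acct-Session-Id = "08000002"
Acct-Output-Octets = 28651
Acct-Input-Octets = 307058
Nomadix-MaxBytesUp = 20000000
Nomadix-MaxBytesDown = 20000000
Acct-Session-Time = 943
Acct-Terminate-Cause = User-Request
Acct-Delay-Time = 0"""


def parse_log(text):
    """One record per blank-line-separated block: a timestamp line, then Name = Value lines.
    Quoted values stay strings (Acct-Session-Id keeps its leading zero); bare digits become ints."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"timestamp": datetime.strptime(lines[0].strip(), TS_FORMAT)}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"unparseable line: {line!r}")
            key, quoted, bare = m.groups()
            rec[key] = quoted if quoted is not None else (int(bare) if bare.isdigit() else bare)
        records.append(rec)
    return records

def effective_interim_interval(value):
    """Absent or 0: no Interim messages. Otherwise at least the 2-minute floor (assumption:
    the floor clamps smaller values rather than disabling them)."""
    return None if not value else max(int(value), INTERIM_FLOOR)

def sent_at(rec):
    """Acct-Delay-Time is how long the NAS held the packet, so on a retransmission the event
    happened that much earlier than the server's receive timestamp."""
    return rec["timestamp"] - timedelta(seconds=rec.get("Acct-Delay-Time", 0))

def check_session(records):
    """Return findings (empty means consistent) for one Acct-Session-Id's records, in order."""
    if not records:
        return ["no records"]
    findings, start = [], records[0]
    if start.get("Acct-Status-Type") != "Start":
        findings.append("first record is not a Start")
    if records[-1].get("Acct-Status-Type") != "Stop":
        findings.append("no Stop record: session still open or the Stop was lost")
    identity = (start.get("Acct-Session-Id"), start.get("User-Name"))
    login, prev_up, prev_down, prev_time = sent_at(start), 0, 0, 0
    for i, rec in enumerate(records[1:], 1):
        tag = f"record {i} ({rec.get('Acct-Status-Type')})"
        if (rec.get("Acct-Session-Id"), rec.get("User-Name")) != identity:
            findings.append(f"{tag}: Acct-Session-Id/User-Name differ from the Start")
        # Direction as the page describes it: Output = sent by the subscriber (upstream),
        # Input = received by the subscriber (downstream). RFC 2866 defines the pair the
        # other way round, so confirm against your server's records before billing on it.
        up, down = rec.get("Acct-Output-Octets", 0), rec.get("Acct-Input-Octets", 0)
        if up < prev_up or down < prev_down:
            findings.append(f"{tag}: octet counters went backwards")
        if up > rec.get("Nomadix-MaxBytesUp", float("inf")):
            findings.append(f"{tag}: upstream {up} bytes exceeds Nomadix-MaxBytesUp")
        if down > rec.get("Nomadix-MaxBytesDown", float("inf")):
            findings.append(f"{tag}: downstream {down} bytes exceeds Nomadix-MaxBytesDown")
        prev_up, prev_down = up, down
        session = rec.get("Acct-Session-Time")
        if session is not None:
            wall = (sent_at(rec) - login).total_seconds()
            if session < prev_time:
                findings.append(f"{tag}: Acct-Session-Time decreased")
            if session > wall:  # last-packet time minus login time cannot exceed wall clock
                findings.append(f"{tag}: Acct-Session-Time {session}s exceeds elapsed {wall:.0f}s")
            prev_time = session
        if rec.get("Acct-Status-Type") == "Stop" and "Acct-Terminate-Cause" not in rec:
            findings.append(f"{tag}: Stop without Acct-Terminate-Cause")
    return findings
```

`check_session(parse_log(SAMPLE_LOG))` returns no findings for the appendix records: the Stop's Acct-Session-Time of 943 s equals the 15 min 43 s between the two timestamps, and the Alive's 393 s is 14 s short of its 407 s of wall clock, as the last-packet definition allows. Run one Acct-Session-Id at a time over a server's detail file, the same checks catch a lost Stop, counters that ran backwards after a reboot, or a session that overran its volume cap.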