8/14/2019 Prasadadiga Seminar
1/7
ABSTRACT
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization and accounting (AAA) management for people or computers that connect to and use a network service. When a person or device connects to a network, authentication is often required. Networks or services that do not require authentication are said to be anonymous or open. RADIUS is a common authentication protocol used by the IEEE 802.1X security standard (often used in wireless networks). Although RADIUS was not originally intended as a wireless security authentication method, it improves on the WEP encryption key standard when used in conjunction with other security methods such as EAP-PEAP.
INTRODUCTION
Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. Originally developed for dial-up remote access, RADIUS is now supported by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types. RADIUS is described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)" (IETF Draft Standard), and RFC 2866, "RADIUS Accounting" (Informational). A RADIUS client (typically an access server such as a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS clients, RADIUS servers, and other RADIUS proxies. RADIUS messages are never sent between the access client and the access server. RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some access servers
might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
Managing dispersed serial line and modem pools for large numbers of users can create the need for significant administrative support. Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This is best achieved by managing a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin).
Packet Format
Code - The message type, as follows:
o 1 Access-Request
o 2 Access-Accept
o 3 Access-Reject
o 4 Accounting-Request
o 5 Accounting-Response
o 11 Access-Challenge
o 12 Status-Server (experimental)
o 13 Status-Client (experimental)
o 255 Reserved
Identifier - The identifier matches requests and replies.
Length - The message length, including the header.
Authenticator - A field used to authenticate the reply from the RADIUS server and in the password hiding algorithm.
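The following is an added example, not code from the seminar report, showing how the packet format described above is encoded and decoded: a 20-octet header (Code, Identifier, Length, Authenticator) followed by the Attribute-Length-Value triples that the "Extensible Protocol" feature below refers to. The code, attribute type numbers and the 4096-octet limit come from RFC 2865 (type 80 from RFC 2869); the user name, NAS address and fixed authenticator are constructed sample values. The parser rejects the malformed datagrams that RFC 2865 says a receiver must silently discard, and ignores trailing padding past the Length field.

```python
"""Added example (not from the seminar report): build and parse RADIUS packets
as laid out in RFC 2865. Sample values are constructed for illustration."""
import struct

# Message codes listed in the report (RFC 2865 / RFC 2866).
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    12: "Status-Server", 13: "Status-Client", 255: "Reserved",
}
# A few standard attribute types (RFC 2865; type 80 is from RFC 2869).
ATTRIBUTES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
              4: "NAS-IP-Address", 5: "NAS-Port", 18: "Reply-Message",
              80: "Message-Authenticator"}
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
MAX_LENGTH = 4096                    # RFC 2865 section 3


def build_packet(code, identifier, authenticator, attributes):
    """Encode a packet; attributes is a list of (type, value_bytes)."""
    if len(authenticator) != 16:
        raise ValueError("Authenticator must be 16 octets")
    body = bytearray()
    for attr_type, value in attributes:
        # The attribute Length octet counts Type + Length + Value, so a
        # value is at most 253 octets; RFC 2865 requires at least one.
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    length = HEADER.size + len(body)
    if length > MAX_LENGTH:
        raise ValueError("packet exceeds 4096 octets")
    return HEADER.pack(code, identifier, length, authenticator) + bytes(body)


def parse_packet(data):
    """Decode a datagram. Raises ValueError for the malformed cases that
    RFC 2865 section 3 tells a receiver to silently discard."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than the 20-octet header")
    code, identifier, length, authenticator = HEADER.unpack_from(data)
    if length < HEADER.size or length > MAX_LENGTH:
        raise ValueError("Length field outside 20..4096")
    if len(data) < length:
        raise ValueError("datagram shorter than its Length field")
    # Octets past Length are padding and are ignored.
    attrs = []
    offset = HEADER.size
    while offset < length:
        if length - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("attribute Length out of bounds")
        attrs.append((attr_type, bytes(data[offset + 2:offset + attr_len])))
        offset += attr_len
    return {"code": code, "name": CODES.get(code, "Unknown"),
            "identifier": identifier, "authenticator": authenticator,
            "attributes": attrs}


def is_well_formed(data):
    """True if parse_packet accepts the datagram, False if it would be discarded."""
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def describe(parsed):
    """Attribute names for a parsed packet, for display."""
    return [(ATTRIBUTES.get(t, "Attr-%d" % t), v) for t, v in parsed["attributes"]]


def demo():
    """Round-trip a constructed Access-Request. The authenticator is fixed
    here for reproducibility; a real NAS fills it with 16 random octets."""
    request_authenticator = bytes(range(16))
    packet = build_packet(1, 42, request_authenticator,
                          [(1, b"alice"), (4, bytes([10, 0, 0, 1]))])
    return parse_packet(packet)


if __name__ == "__main__":
    for name, value in describe(demo()):
        print(name, value)
```

A server that skips the bounds checks in parse_packet would read attribute values past the end of the datagram; the checks mirror the "silently discard" rules of RFC 2865 so that a truncated or oversized Length never reaches attribute handling.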
Key features of RADIUS are
Client/Server Model
A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
Network Security
Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecured network could determine a user's password.
Flexible Authentication Mechanisms
The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and the original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
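The following added example (not the report's own code) shows the three checks behind the "Network Security" and "Flexible Authentication Mechanisms" features: recovering a PAP User-Password hidden with the shared secret and the Request Authenticator (RFC 2865 section 5.2), verifying a CHAP-Password response (section 5.3), and validating the Response Authenticator that lets a client detect a forged or altered reply (section 3). The shared secret, passwords, CHAP identifier and Reply-Message are constructed sample values, and the Request Authenticator is fixed instead of random so that the run is reproducible.

```python
"""Added example (not from the seminar report): RADIUS checks that depend on
the shared secret and the Authenticator, per RFC 2865. All secrets, passwords
and attributes below are constructed sample values."""
import hashlib
import hmac
import struct


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                  # chaining uses the hidden block
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Server side inverse of hide_password. Trailing NUL padding is removed,
    so a password that itself ends in NUL octets cannot be carried."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 octets, 16-aligned")
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """CHAP-Password value: Ident octet + MD5(Ident + password + challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()


def verify_chap(chap_attr, password, challenge):
    """Server side: recompute the response from the stored clear password."""
    if len(chap_attr) != 17:
        raise ValueError("CHAP-Password is 1 Ident octet + 16 response octets")
    expected = chap_password(chap_attr[0], password, challenge)
    return hmac.compare_digest(expected, chap_attr)


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Reply whose Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(head + request_authenticator + attributes + secret).digest()
    return head + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Client side: a reply from a party without the secret, or one modified
    in transit, fails this check."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or len(packet) < length:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator
                           + packet[20:length] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))          # fixed here; random in practice
    # PAP: the NAS hides the password, the server recovers it.
    hidden = hide_password(b"correct horse battery staple", secret, request_auth)
    pap_ok = reveal_password(hidden, secret, request_auth) == b"correct horse battery staple"
    # CHAP: the NAS sends Ident + response, the server recomputes it.
    chap_ok = verify_chap(chap_password(9, b"hunter2", request_auth), b"hunter2", request_auth)
    # Reply: an Access-Accept with a Reply-Message (type 18), then a tampered copy.
    reply = build_response(2, 42, request_auth, b"\x12\x09Welcome", secret)
    tampered = reply[:-1] + b"!"
    return {"pap": pap_ok, "chap": chap_ok,
            "reply": verify_response(reply, request_auth, secret),
            "tampered": verify_response(tampered, request_auth, secret)}


if __name__ == "__main__":
    print(demo())
```

The comparisons use hmac.compare_digest so that verification time does not depend on where a wrong response first differs. Note that the User-Password hiding keys an MD5 stream off the shared secret and a 16-octet Request Authenticator, which is why the conclusion below asks for strong secrets, cryptographic-quality Request Authenticator values and IPsec for confidentiality.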
Extensible Protocol
All transactions are composed of variable-length Attribute-Length-Value 3-tuples.
CONCLUSION
This report provides an overview of both RADIUS and EAP and describes how RADIUS security issues are addressed or minimized using implementation and deployment best practices. These practices include using strong shared secrets, the Message-Authenticator attribute, cryptographic-quality values for the Request Authenticator, different shared secrets for each RADIUS client/server pair, and IPsec to provide data confidentiality for RADIUS messages.
REFERENCES
IEEE Transactions, volume 5, issue 12, 2006
http://www.wikipedia.org
http://www.howstuffworks.com
http://www.erodov.com
http://ieeexplore.org
[1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 2007.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC 1321, April 2002.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
[5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2006.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 2004.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 2008.