Lecture 3.1: Handling Remote Access: RADIUS Motivation
Giuseppe Bianchi<br />
<strong>RADIUS</strong><br />
Provides centralized AAA functionalities<br />
Authentication<br />
are you really the one you claim to be?<br />
Authorization<br />
Do you have permissions to access a service?<br />
Accounting<br />
what are you currently doing/using/paying?<br />
» Transmitted bytes, billing, etc<br />
Client-Server protocol<br />
NAS acts as <strong>RADIUS</strong> client<br />
1 primary server (0+ secondary servers - replicated)<br />
Management of replicated servers implementation dependent<br />
Server may in turn act as a proxy<br />
Based on UDP/IP<br />
Server port 1812 (client port ephemeral, as usual in C/S)<br />
<strong>RADIUS</strong> architecture<br />
<strong>RADIUS</strong> Server application<br />
Registered User Database<br />
For each entry (user_name), contains (at least):<br />
Authentication information (secrets)<br />
Authentication Method<br />
» One per user! Otherwise an attacker could negotiate the least<br />
secure method from among a set<br />
» If multiple authentication methods are provided, it is much better to use<br />
distinct user names!<br />
Authorization attributes (access profile per each user)<br />
Client database<br />
Clients which are entitled to communicate with the server<br />
Accounting Database<br />
When RADIUS is used for accounting<br />
Frequently used only for authentication<br />
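The slide's server-side databases and the "one authentication method per user" rule, as an added illustration that is not part of the lecture material: a minimal Access-Request decision core with a constructed client database and registered user database. User names, addresses, secrets and attributes are made up; the CHAP check follows RFC 1994 (MD5 over identifier, secret and challenge), and packet-level details such as the shared secret and Request Authenticator are left out.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Client database (constructed): NAS addresses entitled to talk to this server.
CLIENT_DB = frozenset({"192.0.2.10"})


@dataclass
class UserEntry:
    secret: bytes            # authentication information
    method: str              # exactly one authentication method per user
    attributes: dict = field(default_factory=dict)  # authorization profile


# Registered user database (constructed sample entries).
USER_DB = {
    "alice": UserEntry(b"alice-pw", "CHAP",
                       {"Service-Type": "Framed-User", "Session-Timeout": 3600}),
    "bob": UserEntry(b"bob-pw", "PAP", {"Service-Type": "Login-User"}),
}


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response as the client computes it: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def handle_access_request(nas_addr, user_name, method, credential,
                          challenge=b"", chap_id=0):
    """Return ("Discard", {}), ("Access-Reject", {}) or ("Access-Accept", attrs)."""
    if nas_addr not in CLIENT_DB:
        # Requests from NASes not in the client database are silently discarded.
        return ("Discard", {})
    user = USER_DB.get(user_name)
    if user is None:
        return ("Access-Reject", {})
    if method != user.method:
        # The request never gets to pick a different (possibly weaker) method
        # than the one registered for this user, even with a valid credential.
        return ("Access-Reject", {})
    if method == "PAP":
        ok = hmac.compare_digest(credential, user.secret)
    elif method == "CHAP":
        ok = hmac.compare_digest(
            credential, chap_response(chap_id, user.secret, challenge))
    else:
        ok = False
    # On success the user's authorization attributes form the access profile.
    return ("Access-Accept", dict(user.attributes)) if ok else ("Access-Reject", {})
```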