|< Day Day Up >|
This section takes a few steps to describe the basic principles of the AAA methodology, which is considered to be the fundamental structure behind the Remote Authentication Dial-In User Service (RADIUS). Additionally we briefly identify the functionality and principles of the RADIUS protocol. In the middle of the section we go through the steps required to install, configure, maintain, and monitor your RADIUS services. We conclude with practical implementations of the RADIUS protocol in relation to user authentication on wireless networks, as well as suggest useful software that will assist with your day-to-day use and administration of RADIUS servers for wireless user authentication.
Basics of AAA Framework
Authentication, authorization, and accounting (AAA) can be interpreted as a structure for controlling access to computer resources, enforcing policies, analyzing usage of resources, and providing the information necessary to charge for this service. These processes are considered vital for efficient and effective network management and security enforcement.
Even though the RADIUS protocol was developed before the existence of the AAA framework, it gives a good example of its implementation in practice. The AAA model outlines the three basic aspects of user access control, namely authentication, authorization, and accounting. These specifications are described next.
Authentication is the process that provides a method of identifying users by requesting and comparing a valid set of credentials. The authentication is based on each user having a unique criteria for gaining access. The AAA-compliant server compares the user's authentication references with the database-stored information. If the credentials match, the user is granted access to the requested network resources; otherwise, the authentication process fails and network access is denied.
Authorization follows authentication and is the process of determining whether the user is approved to request or use certain tasks, network resources, or operations. Usually, authorization occurs within the context of authentication and once the client is approved, he or she can use the requested resources. Therefore, authorization is a vital aspect of a healthy policy administration.
The final aspect of the AAA structure is accounting, and it is best described as the process of measuring and recording the consumption of network resources. This allows the monitoring and reporting of events and usage for various purposes, including billing, trend analysis, resource utilization, capacity planning, and ongoing policy maintenance.
An Overview of the RADIUS Protocol
RADIUS is a widely used protocol implemented in many network environments. RADIUS can be defined as a security protocol that uses a client/server approach to authenticate remote users. This is carried out through a series of challenges and responses that the client relays between the Network Access Server (NAS) and the enduser. The RADIUS protocol has been composed because of the emerging demand for a method of authenticating, authorizing, and accounting for users who needed access to heterogeneous computing environments.
Unfortunately, the scope of this book does not allow us to go deeply into RADIUS, but we intend to cover enough aspects of this protocol to enable the reader to understand the practical implications of RADIUS in relation to wireless network authentication. If required, the complete description of the protocol and accounting procedures can be found in RFCs 2138 and 2139, which can be downloaded from http://www.ietf.org/rfc/rfc2138.txt and http://www.ietf.org/rfc/rfc2139.txt, respectively.
The RFC 2138 identifies the following key features of the RADIUS protocol:
The RADIUS packet is encapsulated in a stateless UDP data stream that is addressed with the destination ports 1812, 1813, and 1814, representing access, accounting, and proxying, respectively. For compatibility and historical values, some servers are still erroneously running over ports 1645 and 1646. This dates from the early stages of the development of RADIUS and now actually conflicts with the "datametrics" service.
The RFC specifies that RADIUS uses an expected packet structure for the communication process, depicted in Figure 13-1.
Figure 13.1. RADIUS packet structure.
The elements of the RADIUS packet are described next.
The RADIUS server identifies the message types by the Code field in the RADIUS packet. The description of the codes can be found in Table 13-2. This section does not go into details of each of the RADIUS codes, as we consider them to be self-explanatory. However, if you require more details, please look at the Packet Types section of RFC 2138.
|< Day Day Up >|