Remote Authentication Dial In User Service RADIUS - PowerPoint PPT Presentation

1
Remote Authentication Dial In User Service
(RADIUS)
  • RFC 2865
  • Yi-Fang, Lee

2
Outline
  • Introduction.
  • Operation.
  • Packet format.
  • Packet type.
  • Attributes.
  • Example.

3
Introduction
  • RADIUS is a client/server protocol and software
    that enables remote access servers to communicate
    with a central server to authenticate dial-in
    users and authorize their access to the requested
    system or service.

4
Introduction(cont.)
  • Key features of RADIUS
    • Client/Server Model: the client is a Network Access Server (NAS); the
      server holds the user database.
    • Network Security: transactions between client and server are
      authenticated through the use of a shared secret, which is never sent
      over the network.
    • Flexible Authentication Mechanisms: PPP PAP or CHAP, UNIX login, and
      other mechanisms.
    • Extensible Protocol: attributes are Type-Length-Value triples, so new
      values can be added without disturbing existing implementations.

5
Operation
  • How the NAS obtains authentication information from the user
    • With a customizable login prompt, where the user is expected to enter a
      username and password.
    • Through a link framing protocol such as PPP, which has its own
      authentication packets.
  • Once the NAS has this information it can authenticate using RADIUS. When a
    password is present, it is hidden using a method based on the RSA Message
    Digest Algorithm MD5.

6
Operation(cont.)
  • Access-Request
    • On receiving the request, the server first validates the sending client.
    • No shared secret configured for that client: the request is silently
      discarded.
    • Shared secret present: the server consults its database to find the
      user's information.
7
Operation(cont.)
  • Access-Reject
    • Sent if any condition is not met.
    • A NAS that does not implement a given service MUST NOT implement the
      RADIUS attributes for that service. A NAS MUST treat an Access-Accept
      authorizing an unavailable service as an Access-Reject instead.

8
Operation(cont.)
  • Access-Challenge
    • Sent if all conditions are met and the RADIUS server wishes to issue a
      challenge to which the user must respond.
    • The client re-submits its original Access-Request with a new request ID,
      with the User-Password Attribute replaced by the (encrypted) response,
      and including the State Attribute from the Access-Challenge, if any.

9
Operation(cont.)
  • Access-accept
  • All conditions are met.
  • Contain the list of configuration values for the
    user.
  • These values include the type of service and all
    necessary values to deliver the desired service.

10
Challenge / Response
  • The user is given an unpredictable number and challenged to encrypt it and
    give back the result.
  • Authorized users are equipped with special devices such as smart cards or
    software that calculates the response.
  • After calculating the response to the challenge, the user sends a second
    Access-Request.

11
Challenge / Response(cont.)
  • Example

    NAS (client)                                    RADIUS server
    Access-Request (NAS-ID, NAS-Port, User-Name,
      User-Password)                           -->
                                               <--  Access-Challenge (challenge "12345678",
                                                    "enter your response at the prompt")
    Access-Request with a new Identifier
      (NAS-ID, NAS-Port, User-Name, encrypted
      response in User-Password, State echoed) -->
                                               <--  Access-Accept or Access-Reject or
                                                    another Access-Challenge
12
Interoperation with PAP and CHAP
  • For PAP
    • User-Name = PAP ID
    • User-Password = PAP password
    • Attributes
      • Service-Type = Framed-User
      • Framed-Protocol = PPP

13
Interoperation with PAP and CHAP
  • For CHAP
    • The NAS generates a random challenge to the user, who returns a CHAP
      response along with a CHAP ID and CHAP username.
    • User-Name = CHAP username
    • CHAP-Password = CHAP ID and CHAP response
    • CHAP-Challenge = the challenge the NAS sent (or it is carried in the
      Request Authenticator)
    • Attributes
      • Service-Type = Framed-User
      • Framed-Protocol = PPP

14
Proxy
  • A proxy RADIUS server receives an authentication request from a RADIUS
    client (such as a NAS), forwards the request to a remote RADIUS server, and
    forwards the reply back to the client.
  • A common use for proxy RADIUS is roaming.
  • The choice of which server receives the forwarded request should be based
    on the authentication realm.

15
UDP
  • UDP port 1812 (early deployments used 1645; 1812 is the officially
    assigned port).
  • Why UDP
    • If the request to a primary authentication server fails, a secondary
      server must be queried, so a copy of the request must be kept above the
      transport layer anyway.
    • The timing requirements of this particular protocol are significantly
      different from those TCP provides.
    • The stateless nature of this protocol simplifies the use of UDP.
    • UDP simplifies the server implementation.

16
UDP(cont.)
  • UDP is not a panacea. With UDP we must artificially manage retransmission
    timers to the same server, although they do not require the same attention
    to timing that TCP provides.

17
Retransmission
  • If the RADIUS server and an alternate RADIUS server share the same shared
    secret, the same ID and Request Authenticator may be used when the request
    is sent to the alternate.
  • If retransmitting to the same server as before and the attributes have not
    changed, the same Request Authenticator, ID and source port MUST be used.

18
Retransmission (cont.)
  • If any content of the attributes changes, a new Request Authenticator and
    a new ID are required.
  • The Identifier is one octet, so a NAS has 256 IDs per source UDP port;
    using the source port together with the ID allows up to 16 million or so
    outstanding requests at one time to a single server.

19
Packet format
  • RADIUS data format (bit offsets 0 to 31)

     0        7 8       15 16              31
    +---------+---------+-----------------+
    |  Code   | Identif.|     Length      |
    +---------+---------+-----------------+
    |            Authenticator            |
    |             (16 octets)             |
    +-------------------------------------+
    |  Attributes ...
    +-------------------------------------+
20
Packet format (cont.)
  • Codes
  • 1 Access-Request
  • 2 Access-Accept
  • 3 Access-Reject
  • 4 Accounting-Request
  • 5 Accounting-Response
  • 11 Access-Challenge
  • 12 Status-Server
  • 13 Status-Client
  • 255 Reserved

21
Packet format (cont.)
  • Identifier
  • Aids in matching requests and replies.
  • The RADIUS server can detect a duplicate request
    if it has the same client source IP address and
    source UDP port and Identifier within a short
    span of time.
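The following is an added example, not code from the slides or a reference implementation, that models the retransmission rules on slides 17-18 and the duplicate-detection rule on slide 21. The NAS side keeps one record per outstanding request and reuses its Identifier and Request Authenticator only while the attributes are unchanged; the server side keys its cache on (client IP, source UDP port, Identifier) and answers a duplicate from the cache instead of evaluating it twice. The 5-second window is an assumption; RFC 2865 only says "a short span of time".

```python
import os

# Added example, not from the slides. One-octet Identifier times 16-bit source
# port space: the "16 million or so" outstanding requests on slide 18.
MAX_OUTSTANDING = 256 * 65536


class OutstandingRequest:
    """NAS-side record of one Access-Request still awaiting a reply."""

    def __init__(self, source_port: int, ident: int, attributes: dict):
        self.source_port = source_port
        self.ident = ident & 0xFF
        self.attributes = dict(attributes)
        self.request_authenticator = os.urandom(16)  # unpredictable and unique

    def retransmit(self, attributes: dict, next_ident: int) -> tuple:
        """Return (source_port, ident, request_authenticator) for the wire.

        Unchanged attributes: reuse all three, so the server can recognise the
        copy. Any change: new Identifier and new Request Authenticator, because
        the hidden User-Password is keyed on the Authenticator and must not be
        reused with new content."""
        if attributes != self.attributes:
            self.attributes = dict(attributes)
            self.ident = next_ident & 0xFF
            self.request_authenticator = os.urandom(16)
        return self.source_port, self.ident, self.request_authenticator


class DuplicateDetector:
    """Server side: a request with the same client IP, source UDP port and
    Identifier inside the window is a retransmission; replay the cached reply."""

    def __init__(self, window_seconds: float = 5.0):
        self.window = window_seconds  # assumed; RFC 2865 says "a short span of time"
        self.seen = {}                # (client_ip, port, ident) -> (time, reply)

    def lookup(self, client_ip: str, source_port: int, ident: int, now: float):
        """Return the cached reply for a duplicate, or None for a new request."""
        hit = self.seen.get((client_ip, source_port, ident))
        if hit is not None and now - hit[0] <= self.window:
            return hit[1]
        return None

    def remember(self, client_ip: str, source_port: int, ident: int,
                 reply: bytes, now: float) -> None:
        """Cache the reply sent for this request so a retransmission gets the same one."""
        self.seen[(client_ip, source_port, ident)] = (now, reply)


if __name__ == "__main__":
    req = OutstandingRequest(50000, 7, {"User-Name": "nemo"})
    print(req.retransmit({"User-Name": "nemo"}, 8)[:2])   # same port and ID
    print(req.retransmit({"User-Name": "root"}, 8)[:2])   # new ID
```

The `now` parameter is passed in explicitly rather than read from the clock so the window logic is deterministic and can be exercised with constructed timestamps.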

22
Packet format (cont.)
  • Length
    • Indicates the length of the packet including the Code, Identifier,
      Length, Authenticator and Attribute fields.
    • Octets beyond the Length are treated as padding and ignored on
      reception.
    • A packet shorter than its Length field indicates is silently discarded.
    • Minimum length is 20, maximum length is 4096.

23
Packet format (cont.)
  • Authenticator (sixteen octets)
    • Request Authenticator
      • In Access-Request packets the Authenticator value is a 16-octet random
        number.
      • The value should be unpredictable and unique over the lifetime of a
        shared secret.
    • Response Authenticator
      • ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
        where + denotes concatenation.

24
Packet type
  • Determined by the Code field.
  • Access-Request.
  • Access-Accept.
  • Access-Reject.
  • Access-challenge.

25
Access-Request
  • Used to determine whether a user is allowed
    access to a specific NAS, and any special
    services requested for that user.
  • Should contain
  • 1. User-Name attribute.
  • 2. NAS-Port or NAS-Port-Type attribute or both.

26
Access-Request(cont.)
  • Must contain
  • 1. NAS-IP-Address attribute or NAS-Identifier attribute or both.
  • 2. User-Password or CHAP-Password or State attribute.
  • Code 1
  • Request Authenticator
  • Must be changed each time a new Identifier is
    used.

27
Access-Accept
  • Sent when all Attribute values received in the Access-Request are
    acceptable.
  • Provides the specific configuration information necessary to begin
    delivery of service to the user.
  • Code 2
  • Identifier a copy of the Identifier field of the
    Access-Request.

28
Access-Reject
  • Sent when any value of the received Attributes is not acceptable.
  • It may include one or more Reply-Message
    Attributes with a text message.
  • Code 3

29
Access-Challenge
  • If the NAS does not support challenge / response,
    it must treat an Access-Challenge as though it
    had received an Access-Reject instead.
  • Code 11

30
Attributes
  • RADIUS Attributes carry the specific authentication, authorization,
    information and configuration details for the request and reply.
  • The end of the list of Attributes is indicated by the Length of the RADIUS
    packet.
  • Attribute format (Type, Length, Value; the Length octet counts all three
    fields)

     0        7 8       15 16
    +---------+---------+---------------
    |  Type   | Length  |  Value ...
    +---------+---------+---------------
31
Example
  • User telnets to a specified host.
  • Shared secret = "xyzzy5461"
  • The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS
    server for a user named "nemo" logging in on port 3 with password
    "arctangent".
  • User-Password is 16 octets of password padded at the end with nulls, XORed
    with MD5(shared secret | Request Authenticator).

32
Example (cont.)
  • Packet (octets, field)
    •  1  Code = Access-Request (1)
    •  1  ID = 0
    •  2  Length = 56
    • 16  Request Authenticator = a random number generated by the NAS
  • Attributes
    •  6  User-Name = "nemo"
    • 18  User-Password (hidden)
    •  6  NAS-IP-Address = 192.168.1.16
    •  6  NAS-Port = 3
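The following is an added example, not code from the slides or from RFC 2865, that works through this packet end to end and also serves the packet-format slides 19-23: it parses the header and Type-Length-Value attributes with the Length rules of slide 22, recovers the hidden User-Password with the MD5 XOR scheme of slide 31, re-encodes the request from its fields, and checks a Response Authenticator as defined on slide 23. The two byte strings are the ones RFC 2865 section 7.1 prints for exactly this exchange (the slides describe the packet but do not show its bytes); the attribute type numbers are the RFC assignments. The tampered Access-Accept is constructed here to show a forged reply failing the check.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example, not code from the slides. The two datagrams are the bytes that
# RFC 2865 section 7.1 gives for the exchange on slides 31-32: shared secret
# "xyzzy5461", user "nemo", password "arctangent", NAS 192.168.1.16, NAS-Port 3.
SECRET = b"xyzzy5461"
ACCESS_REQUEST = bytes.fromhex(
    "01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 "
    "6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee "
    "04 06 c0 a8 01 10 05 06 00 00 00 03")
ACCESS_ACCEPT = bytes.fromhex(
    "02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 "
    "00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03")
ACCESS_REQUEST_CODE = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RFC 2865 types


def parse(datagram: bytes) -> dict:
    """Header fields plus a list of (type, value) attributes, applying the slide 22
    Length rules: shorter than Length is discarded, octets beyond Length are padding."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-octet header: discard")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= 4096 or len(datagram) < length:
        raise ValueError("bad Length field: discard")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or datagram[pos + 1] < 2 or pos + datagram[pos + 1] > length:
            raise ValueError("malformed attribute: discard")
        atype, alen = datagram[pos], datagram[pos + 1]
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": datagram[4:20], "attributes": attrs}


def build(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Encode header plus Type/Length/Value attributes; Length counts all of it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    Reusing an Authenticator under the same secret reuses this key stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: regenerate the MD5 stream and XOR it back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the NUL padding


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Slide 23: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The Identifier must match the outstanding request, otherwise the reply is not ours."""
    if reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def decode_rfc_request() -> dict:
    """Recover the cleartext fields of the RFC 2865 Access-Request above."""
    pkt = parse(ACCESS_REQUEST)
    attrs = dict(pkt["attributes"])
    password = reveal_password(attrs[USER_PASSWORD], SECRET, pkt["authenticator"])
    return {"code": pkt["code"], "id": pkt["id"], "length": pkt["length"],
            "user": attrs[USER_NAME].decode(), "password": password.decode(),
            "nas_ip": str(IPv4Address(attrs[NAS_IP_ADDRESS])),
            "nas_port": struct.unpack("!I", attrs[NAS_PORT])[0]}


def rebuild_rfc_request() -> bytes:
    """Re-encode the request from its fields; it must reproduce the RFC bytes exactly."""
    req_auth = ACCESS_REQUEST[4:20]  # the NAS's random Request Authenticator
    return build(ACCESS_REQUEST_CODE, 0, req_auth, [
        (USER_NAME, b"nemo"),
        (USER_PASSWORD, hide_password(b"arctangent", SECRET, req_auth)),
        (NAS_IP_ADDRESS, IPv4Address("192.168.1.16").packed),
        (NAS_PORT, struct.pack("!I", 3))])


if __name__ == "__main__":
    print(decode_rfc_request())
    print("rebuilt == RFC bytes:", rebuild_rfc_request() == ACCESS_REQUEST)
    print("Access-Accept authentic:", verify_reply(ACCESS_ACCEPT, ACCESS_REQUEST, SECRET))
    # constructed forgery: Login-IP-Host changed from 192.168.1.3 to 192.168.1.4
    print("tampered reply authentic:",
          verify_reply(ACCESS_ACCEPT[:-1] + b"\x04", ACCESS_REQUEST, SECRET))
```

Two points worth noting from running it. The Response Authenticator is compared with `hmac.compare_digest` rather than `==`, so a forger cannot time the comparison octet by octet. And `verify_reply` rejects a reply whose Identifier does not match the request even before hashing, which is what lets the NAS match replies to requests (slide 21) and what stops a captured Access-Accept for one request from being replayed against another.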