Remote Authentication Dial In User Service (RADIUS)

zhaozj2021-02-16  88


Translation provided by Http://91mail.51.net for learning purposes only.

Do not use it for any other purpose; you do so at your own risk.

Abstract: This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server that wishes to authenticate its links and a shared Authentication Server.

Implementation note: This memo documents the RADIUS protocol. Early RADIUS implementations used UDP port 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812.

1. Introduction

This document obsoletes RFC 2138 [1]. A summary of the changes from RFC 2138 can be found in the "Change Log" appendix.

Managing dispersed serial lines and modem pools for large numbers of users creates a significant need for administrative support. Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This is best achieved by managing a single database of users, which covers authentication (verifying user name and password) as well as the configuration information detailing the type of service to deliver to the user, for example the Serial Line Internet Protocol (SLIP), the Point-to-Point Protocol (PPP), telnet, or remote login (rlogin).

Client/Server Model

A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to the designated RADIUS servers, and then acting on the response which is returned.

RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Network Security

Transactions between the client and the RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and the RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password.

Flexible Authentication Mechanisms

The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and the original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.

Extensible Protocol

All transactions are comprised of variable-length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.

1.1 Specification of Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "MAY" and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [2]. These key words mean the same thing whether or not they are capitalized.

An implementation is not compliant if it fails to satisfy one or more of the MUST or MUST NOT requirements for the protocols it implements. An implementation that satisfies all the MUST, MUST NOT, SHOULD and SHOULD NOT requirements for its protocols is said to be "unconditionally compliant"; one that satisfies all the MUST and MUST NOT requirements but not all the SHOULD or SHOULD NOT requirements for its protocols is said to be "conditionally compliant". A NAS that does not implement a given service MUST NOT implement the RADIUS attributes for that service. For example, a NAS that is unable to offer the AppleTalk Remote Access Protocol (ARAP) service MUST NOT implement the RADIUS attributes for ARAP. A NAS MUST treat an Access-Accept that authorizes an unavailable service as if it were an Access-Reject instead.

1.2 Terminology

This document frequently uses the following terms:

service

The NAS provides a service to the dial-in user, for example PPP or Telnet.

session

Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or in series if the NAS supports that.

silently discard

This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter.

2. Operation

When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be through a customizable login prompt, where the user is expected to enter their username and password. Alternatively, the user might use a link framing protocol such as the Point-to-Point Protocol (PPP), which has authentication packets that carry this information.

Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such attributes as the user's name, the user's password, the ID of the client and the port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5 [3].

The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. Retry and fallback algorithms are the topic of current research and are not specified in detail in this document.

Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access.

The RADIUS server MAY make requests of other servers in order to satisfy the request, in which case it acts as a client.

If any Proxy-State attributes were present in the Access-Request, they MUST be copied unmodified and in order into the response packet. Other attributes can be placed before, after, or even between the Proxy-State attributes. If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that this user request is invalid. If desired, the server MAY include a text message in the Access-Reject which MAY be displayed by the client to the user. No other attributes (except Proxy-State) are permitted in an Access-Reject.

If all conditions are met and the RADIUS server wishes to send a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It MAY include a text message to be displayed by the client to the user, prompting for a response to the challenge, and MAY include a State attribute.

If the client receives an Access-Challenge and supports challenge/response, it MAY display the text message, if any, to the user and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password attribute replaced by the response (encrypted), and including the State attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State attribute SHOULD be present in a request. The server can respond to this new Access-Request with either an Access-Accept, an Access-Reject, or another Access-Challenge.

If all conditions are met, the list of configuration values for the user is placed into an "Access-Accept" response. These values include the type of service (for example: SLIP, PPP, Login User) and all necessary values to deliver the desired service. For SLIP and PPP, this may include values such as IP address, subnet mask, MTU, desired compression, and desired packet filter identifiers. For character mode users, this may include values such as the desired protocol and host.

2.1 Challenge/Response

In challenge/response authentication, the user is given an unpredictable number and challenged to encrypt it and give back the result. Authorized users are equipped with special devices such as smart cards or software that facilitate calculation of the correct response with ease. Unauthorized users, lacking the appropriate device or software and lacking knowledge of the secret key necessary to emulate such a device or software, can only guess at the response.

The Access-Challenge packet typically contains a Reply-Message including a challenge to be displayed to the user, such as a numeric value unlikely ever to be repeated. Typically this is obtained from an external server that knows what type of authenticator is in the possession of the authorized user and can therefore choose a random or non-repeating pseudorandom number of an appropriate radix and length.

The user then enters the challenge into his device (or software), which encrypts it and gives back a response; the user enters this response into the client, which forwards it to the RADIUS server in a second Access-Request. If the response matches the response expected by the RADIUS server, the server replies with an Access-Accept, otherwise with an Access-Reject.

Example: The NAS sends an Access-Request packet to the RADIUS server with NAS-Identifier, NAS-Port, User-Name, and User-Password (which may just be a fixed string like "challenge", or may be ignored). The server sends back an Access-Challenge packet with State and a Reply-Message along the lines of "Challenge 12345678, enter your response at the prompt", which the NAS displays to the user. The NAS prompts for the response and sends a new Access-Request to the server (with a new ID) with NAS-Identifier, NAS-Port, User-Name, User-Password (the response just entered by the user, now encrypted), and the same State attribute that came with the Access-Challenge. The server then sends back either an Access-Accept or an Access-Reject depending on whether the response matches the required value, or it can even send another Access-Challenge.

2.2 Interoperation with PAP and CHAP

For PAP (Password Authentication Protocol), the NAS takes the PAP ID and password and sends them in an Access-Request packet as the User-Name and User-Password. The NAS MAY include the attributes Service-Type = Framed-User and Framed-Protocol = PPP as a hint to the RADIUS server that PPP service is expected.

For CHAP (Challenge Handshake Authentication Protocol), the NAS generates a random challenge (preferably 16 octets) and sends it to the user, who returns a CHAP response along with a CHAP ID and CHAP username. The NAS then sends an Access-Request packet to the RADIUS server with the CHAP username as the User-Name and with the CHAP ID and CHAP response as the CHAP-Password (attribute 3). The random challenge can either be included in the CHAP-Challenge attribute or, if it is 16 octets long, it can be placed in the Request Authenticator field of the Access-Request packet. The NAS MAY include the attributes Service-Type = Framed-User and Framed-Protocol = PPP as a hint to the RADIUS server that PPP service is expected.

The RADIUS server looks up the password based on the User-Name, encrypts the challenge by applying MD5 to the CHAP ID octet, that password, and the CHAP challenge (taken from the CHAP-Challenge attribute if present, otherwise from the Request Authenticator), and compares the result with the CHAP-Password. If they match, the server sends back an Access-Accept, otherwise it sends back an Access-Reject.

If the RADIUS server is unable to perform the requested authentication, it MUST return an Access-Reject. For example, CHAP requires that the user's password be available in cleartext to the server so that it can encrypt the CHAP challenge and compare that with the CHAP response. If the password is not available in cleartext to the RADIUS server, then the server MUST send an Access-Reject to the client.
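Server-side checks for the two cases above, as an added example (not code from the page or from any RADIUS implementation): hiding and recovering the PAP User-Password with the MD5 method of RFC 2865 section 5.2, and the CHAP comparison MD5(CHAP ID + password + challenge) with the challenge taken from CHAP-Challenge or, failing that, from the Request Authenticator. The shared secret, password and user database are constructed sample values.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-secret"            # constructed NAS/server shared secret
USER_DB = {b"alice": b"s3cretpass"}       # constructed user database (cleartext, as CHAP needs)

def hide_user_password(password, secret, request_auth):
    """NAS side: hide a PAP password into the User-Password attribute value.
    RFC 2865 s5.2: pad to a 16-octet multiple, then c1 = p1 XOR MD5(S + RA),
    ci = pi XOR MD5(S + c(i-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)

def unhide_user_password(hidden, secret, request_auth):
    """Server side: reverse the hiding and strip the NUL padding."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]            # the next block keys on the previous ciphertext
    return bytes(out).rstrip(b"\x00")

def verify_pap(user_password_attr, stored_password, secret, request_auth):
    """PAP: recover the password from the attribute and compare it in constant time."""
    recovered = unhide_user_password(user_password_attr, secret, request_auth)
    return hmac.compare_digest(recovered, stored_password)

def chap_response(chap_id, password, challenge):
    """What the PPP peer computes: MD5(CHAP ID octet + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_chap(chap_password_attr, request_auth, stored_password, chap_challenge_attr=None):
    """CHAP-Password (attribute 3) = CHAP ID (1 octet) + 16-octet response. The
    challenge comes from CHAP-Challenge if present, else from the Request Authenticator.
    Without a cleartext password the server cannot check and must Access-Reject."""
    if stored_password is None or len(chap_password_attr) != 17:
        return False
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    challenge = chap_challenge_attr if chap_challenge_attr is not None else request_auth
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)

def demo():
    """PAP and CHAP for user alice: (pap_ok, chap_ok, chap_with_wrong_password)."""
    ra = os.urandom(16)                                   # Request Authenticator
    pap_attr = hide_user_password(b"s3cretpass", SECRET, ra)
    pap_ok = verify_pap(pap_attr, USER_DB[b"alice"], SECRET, ra)
    chap_attr = bytes([42]) + chap_response(42, b"s3cretpass", ra)   # challenge carried in RA
    chap_ok = verify_chap(chap_attr, ra, USER_DB[b"alice"])
    chap_bad = verify_chap(chap_attr, ra, b"wrong-password")
    return pap_ok, chap_ok, chap_bad
```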

2.3 Proxy

With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy. A common use for proxy RADIUS is roaming. Roaming permits two or more administrative entities to allow each other's users to dial in to either entity's network for service.

The NAS sends its RADIUS access-request to the "forwarding server", which forwards it to the "remote server". The remote server sends a response (access-accept, access-reject, or access-challenge) back to the forwarding server, which sends it back to the NAS. The User-Name attribute MAY contain a Network Access Identifier [8] for RADIUS proxy operations. The choice of which server receives the forwarded request is determined based on the authentication "realm". The authentication realm MAY be the realm part of a Network Access Identifier (a "named realm"). Alternatively, the choice of which server receives the forwarded request MAY be based on whatever other criteria the forwarding server is configured to use, such as Called-Station-Id.

A RADIUS server can function as both a forwarding server and a remote server, serving as a forwarding server for some realms and a remote server for other realms. One forwarding server can act as a forwarder for any number of remote servers. A remote server can have any number of servers forwarding to it and can provide authentication for any number of realms. One forwarding server can forward to another forwarding server to create a chain of proxies, but care must be taken to avoid introducing loops.

The following scenario illustrates a proxy RADIUS communication between a NAS, a forwarding server and a remote server.

1. A NAS sends its access-request to the forwarding server.

2. The forwarding server forwards the access-request to the remote server.

3. The remote server sends an access-accept, access-reject or access-challenge back to the forwarding server. For this example, an access-accept is sent.

4. The forwarding server sends the access-accept to the NAS.

The forwarding server MUST treat any Proxy-State attributes already in the packet as opaque data. Its operation MUST NOT depend on the content of Proxy-State attributes added by previous servers.

If there are any Proxy-State attributes in the request received from the client, the forwarding server MUST include those Proxy-State attributes in its reply to the client. The forwarding server MAY include the Proxy-State attributes in the access-request when it forwards the request, or MAY omit them in the forwarded request. If the forwarding server omits the Proxy-State attributes in the forwarded access-request, it MUST attach them to the response before sending it to the client.

We now examine each step in more detail.

1. A NAS sends its access-request to the forwarding server. The forwarding server decrypts the User-Password, if present, using the shared secret it knows for the NAS. If a CHAP-Password attribute is present in the packet and no CHAP-Challenge attribute is present, the forwarding server MUST leave the Request Authenticator untouched or copy it to a CHAP-Challenge attribute.

The forwarding server MAY add one Proxy-State attribute to the packet (it MUST NOT add more than one). If it adds a Proxy-State, that Proxy-State MUST appear after any other Proxy-State attributes in the packet. The forwarding server MUST NOT modify any other Proxy-State attributes that were in the packet (it may choose not to forward them, but it MUST NOT change their contents). The forwarding server MUST NOT change the order of any attributes of the same type, including Proxy-State.

2. The forwarding server encrypts the User-Password, if present, using the secret it shares with the remote server, sets the Identifier as needed, and forwards the access-request to the remote server.

3. The remote server (if it is the final destination) verifies the user using the User-Password, the CHAP-Password, or such future methods as may be specified, and returns an access-accept, access-reject or access-challenge to the forwarding server. For this example, an access-accept is sent. The remote server MUST copy all Proxy-State attributes, in order and without modification, from the access-request into the response packet.

4. The forwarding server verifies the Response Authenticator using the secret it shares with the remote server, and silently discards the packet if verification fails. If the packet passes verification, the forwarding server removes the last Proxy-State (if it attached one), signs the Response Authenticator using the secret it shares with the NAS, restores the Identifier to match the one in the original request from the NAS, and sends the access-accept to the NAS.

A forwarding server MAY need to modify attributes to enforce local policy. Such policy is outside the scope of this document, subject to the following restriction: the forwarding server MUST NOT modify existing Proxy-State, State, or Class attributes present in the packet.
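The Proxy-State rules from the four steps above, as an added model that is not code from the page or from any real proxy: attributes are (type, value) lists, each hop is a plain function, and a two-forwarder chain is walked out to the remote server and back. The realm table, server names and state tokens are constructed.

```python
PROXY_STATE = 33    # RFC 2865 attribute type for Proxy-State
USER_NAME = 1
REALMS = {b"example.net": {b"alice@example.net"}}   # constructed realm -> known users

def forwarding_server_out(request_attrs, own_state):
    """Step 1: append exactly one Proxy-State after any existing ones; the
    others are opaque data and keep their contents and relative order."""
    forwarded = list(request_attrs)                  # copy, never edit in place
    forwarded.append((PROXY_STATE, own_state))
    return forwarded

def remote_server(request_attrs, realms):
    """Step 3: authenticate by realm, then copy every Proxy-State, in order
    and unmodified, into the reply (and nothing else from the request)."""
    user = next((v for t, v in request_attrs if t == USER_NAME), b"")
    realm = user.split(b"@", 1)[1] if b"@" in user else b""
    code = "Access-Accept" if user in realms.get(realm, set()) else "Access-Reject"
    reply_attrs = [(t, v) for t, v in request_attrs if t == PROXY_STATE]
    return code, reply_attrs

def forwarding_server_back(reply_attrs, own_state):
    """Step 4: remove only the last Proxy-State, the one this server attached.
    If it is missing or not last, something upstream broke the rules: discard."""
    idx = [i for i, (t, _) in enumerate(reply_attrs) if t == PROXY_STATE]
    if not idx or reply_attrs[idx[-1]][1] != own_state:
        raise ValueError("own Proxy-State missing or out of order; discard reply")
    return reply_attrs[:idx[-1]] + reply_attrs[idx[-1] + 1:]

def proxy_chain(request_attrs, chain_states, realms):
    """Walk a chain of forwarding servers out to the remote server and back;
    chain_states are the constructed Proxy-State values each forwarder uses."""
    attrs = request_attrs
    for state in chain_states:                        # outbound, each forwarder appends
        attrs = forwarding_server_out(attrs, state)
    code, reply = remote_server(attrs, realms)
    for state in reversed(chain_states):              # inbound, each strips its own
        reply = forwarding_server_back(reply, state)
    return code, reply

def demo():
    """An upstream token already in the request survives the whole round trip."""
    request = [(USER_NAME, b"alice@example.net"), (PROXY_STATE, b"upstream-token")]
    return proxy_chain(request, [b"fwd-A", b"fwd-B"], REALMS)
```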

2.4 Why UDP?

A frequently asked question is why RADIUS uses UDP instead of TCP as its transport protocol. UDP was chosen for strictly technical reasons.

There are a number of issues which must be understood. RADIUS is a transaction based protocol which has several interesting characteristics:

1. If the request to a primary authentication server fails, a secondary server must be queried.

To meet this requirement, a copy of the request must be kept above the transport layer to allow for alternate transmission. This means that retransmission timers are still required.

2. The timing requirements of this particular protocol are significantly different from those TCP provides.

At one extreme, RADIUS does not require a "responsive" detection of lost data. The user is willing to wait several seconds for the authentication to complete. The generally aggressive TCP retransmission (based on average round trip time) is not required, nor is the acknowledgement overhead of TCP.

At the other extreme, the user is not willing to wait several minutes for authentication. Therefore the reliable delivery of TCP data two minutes later is not useful. The faster use of an alternate server allows the user to gain access before giving up.

3. The stateless nature of this protocol simplifies the use of UDP.

Clients and servers come and go. Systems are rebooted, or are power cycled independently. Generally this does not cause a problem.

With TCP it does cause timeouts and the detection of broken connections, which can be handled with careful programming, but UDP completely eliminates this special handling. Each client and server opens its UDP transport just once and leaves it open through all types of failure events on the network.

4. UDP simplifies the server implementation.

In the earliest implementations of RADIUS, the server was single threaded. This means that a single request was received, processed, and returned. This was found to be unmanageable in environments where the back-end security mechanism took real time (1 second or more). The server request queue would fill and, in environments where a hundred thousand users were waiting to be authenticated, the request turn-around time grew long (this was especially severe when a particular database lookup or DNS query took more than 30 seconds). The obvious solution was to make the server multi-threaded. Achieving this was simple with UDP: a separate process is spawned to serve each request, and each process can respond directly to the client NAS with a simple UDP packet to the client's original transport.

UDP is not a panacea. It should be noted that using UDP requires one thing which is built into TCP: with UDP we must artificially manage retransmission timers to the same server, though we do not require the same attention to timing that TCP provides. This small cost is exchanged for the many advantages of UDP in this protocol. Without TCP we would probably still be communicating with tin cans connected by wire, but for this particular protocol UDP is the better choice.

2.5 Retransmission Hints

If the RADIUS server and the alternate RADIUS server share the same shared secret, it is acceptable to retransmit the packet to the alternate RADIUS server with the same ID and Request Authenticator, because the contents of the attributes have not changed. It is also acceptable to send the request to the alternate server with a new Request Authenticator.

If you change the contents of the User-Password attribute (or any other attribute), you need a new Request Authenticator, and therefore a new ID.

If the NAS is retransmitting a RADIUS request to the same server as before, and the attributes have not changed, you MUST use the same Request Authenticator, ID, and source port. If any attributes have changed, you MUST use a new Request Authenticator and ID.

A NAS MAY use the same ID across all servers, or may keep track of IDs separately for each server; this is up to the implementer. If a NAS needs more than 256 IDs for outstanding requests, it MAY use additional source ports to send requests from, and keep track of IDs for each source port. This allows approximately 16,000,000 outstanding requests at one time to a single server.
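A NAS-side tracker applying the rules in this section, as an added example (not code from the page): a retransmission with unchanged attributes reuses the port, ID and Request Authenticator; changed attributes get a fresh ID and authenticator; when all 256 IDs of a source port are outstanding the next request moves to another port; and failover to an alternate server with the same shared secret keeps ID and authenticator. The port numbers and server names are constructed.

```python
import os

FIRST_PORT = 40000    # constructed first source port; a real NAS picks its own

class RequestTracker:
    """Outstanding Access-Requests keyed by (server, source port, ID)."""
    def __init__(self):
        self.outstanding = {}     # (server, port, id) -> (attribute bytes, Request Authenticator)

    def _allocate(self, server):
        """First free ID on the lowest port; a port with all 256 IDs busy is skipped."""
        port = FIRST_PORT
        while True:
            for ident in range(256):
                if (server, port, ident) not in self.outstanding:
                    return port, ident
            port += 1

    def send(self, server, attrs_bytes, previous=None):
        """Return (port, id, authenticator) for this transmission. previous is the
        (port, id) of an earlier try of the same request, if this is a resend."""
        if previous is not None:
            old_attrs, old_auth = self.outstanding[(server, *previous)]
            if old_attrs == attrs_bytes:
                return previous[0], previous[1], old_auth    # unchanged: reuse all three
            # Attributes changed: the old entry stays until complete() so its ID is
            # not handed out again while a late reply to it could still arrive.
        port, ident = self._allocate(server)
        auth = os.urandom(16)                                # fresh Request Authenticator
        self.outstanding[(server, port, ident)] = (attrs_bytes, auth)
        return port, ident, auth

    def failover(self, server, alt_server, previous, same_secret, rehidden_attrs=None):
        """Resend to an alternate server. With the same shared secret the attribute
        contents are unchanged, so ID and authenticator may be reused; with a different
        secret the hidden User-Password differs, so the caller passes the re-hidden
        attributes and a new ID and authenticator are allocated."""
        attrs, auth = self.outstanding[(server, *previous)]
        key = (alt_server, *previous)
        if same_secret and key not in self.outstanding:
            self.outstanding[key] = (attrs, auth)
            return previous[0], previous[1], auth
        return self.send(alt_server, rehidden_attrs if rehidden_attrs is not None else attrs)

    def complete(self, server, port, ident):
        """A reply arrived (or the request was abandoned): free the ID."""
        self.outstanding.pop((server, port, ident), None)
```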

2.6 Keep-Alives Considered Harmful

Some implementers have adopted the practice of sending test RADIUS requests to see if a server is alive. This practice is strongly discouraged, since it adds to load and harms scalability without providing any additional useful information. Since a RADIUS request is contained in a single datagram, in the time it would take you to send a ping you could just send the RADIUS request, and getting a response tells you that the RADIUS server is up. If you do not have a RADIUS request to send, it does not matter whether the server is up or not, because you are not using it.

If you want to monitor your RADIUS server, use the Simple Network Management Protocol (SNMP). That is what SNMP is for.

Please cite the original source when reposting: https://www.9cbs.com/read-13572.html
