RADIUS: the golden key to authentication and billing for streaming media services

xiaoxiao 2021-03-06

Enterprises want only authorized users to reach their internal networks; the education network bills by traffic volume; a video-on-demand (VOD) system charges by viewing time; and so on. These very common network applications all face the same question: how do we authenticate users and bill them? A widely used authentication and accounting protocol, RADIUS, can help solve these problems.

RADIUS protocol: authentication and accounting

The RADIUS (Remote Authentication Dial In User Service) protocol was originally proposed by Livingston Enterprises; its original purpose was to authenticate and bill dial-up users. After many later improvements it became a general-purpose authentication and accounting protocol (standardized by the IETF as RFC 2865 for authentication and RFC 2866 for accounting).

RADIUS is a client/server protocol. The client was originally the NAS (Network Access Server); today any computer running RADIUS client software can act as a RADIUS client. The protocol's authentication mechanism is flexible and can work with PAP, CHAP or UNIX login authentication. RADIUS is an extensible protocol: everything it carries is encoded as attributes in type-length-value form, so new attributes can be added without changing the packet format.

The basic working principle of RADIUS is as follows. A user connects to the NAS. The NAS sends the RADIUS server an Access-Request carrying the user's information, such as User-Name and User-Password. The password is not sent in the clear: it is hidden by XORing it with MD5 digests derived from the shared secret and the random Request Authenticator in the packet. The shared secret is configured on both sides in advance and is never transmitted. The RADIUS server checks whether the user name and password are valid; if necessary it can return an Access-Challenge asking the user for further proof, or challenge the NAS in a similar way. If the credentials are valid it returns an Access-Accept packet, allowing the NAS to proceed; otherwise it returns Access-Reject and the user is refused. Once access is granted, the NAS sends an Accounting-Request to the RADIUS server, the server answers with an Accounting-Response, accounting for the user's session begins, and the user can carry out their own operations. Note that only the password is hidden; the rest of the packet travels in plaintext, and the only thing that authenticates the server's reply is the MD5 Response Authenticator computed with the shared secret.
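The exchange described above, written out as an added example rather than code from the original page or from the Tsinghua system it describes: a NAS builds an Access-Request with the User-Password hidden as in RFC 2865 section 5.2, a toy server recovers the password and answers with a Response Authenticator, the NAS verifies that reply, and an Accounting-Request carries the RFC 2866 Request Authenticator so the server can detect altered billing records. The shared secret, user name, password and session values are constructed for the example; the packet codes and attribute numbers are the standard ones.

```python
"""RADIUS Access-Request / Access-Accept and Accounting-Request by hand (RFC 2865, RFC 2866)."""
import hashlib
import hmac
import secrets
import struct

SECRET = b"example-shared-secret"  # constructed; shared out of band, never sent on the wire

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD = 1, 2
ACCT_STATUS_TYPE, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 43, 44, 46
ACCT_START, ACCT_STOP = 1, 2

def attr(atype, value):
    # One Type-Length-Value attribute; Length covers the 2-byte header, so value <= 253 bytes.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    # Walk the TLV list; a zero or over-long Length would otherwise loop forever or over-read.
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16 bytes, XOR block i with MD5(secret + previous *hidden* block),
    # seeded with the Request Authenticator. This is obfuscation keyed on the secret, not real encryption.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    # Server side of 5.2; the chaining value is the received (hidden) block. Padding nulls are stripped.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(identifier, username, password, secret):
    # NAS -> server. The random Request Authenticator must be kept to verify the reply.
    ra = secrets.token_bytes(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body, ra

def response_auth(code, identifier, request_auth, body, secret):
    # RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret) binds the reply
    # to this specific request and to the shared secret.
    hdr = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()

def server_handle_access(pkt, secret, users):
    # Toy server: recover the password, check it, answer Access-Accept or Access-Reject.
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = pkt[4:20], dict(parse_attrs(pkt[20:]))
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = attrs.get(USER_NAME) in users and hmac.compare_digest(users[attrs[USER_NAME]], pw)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", reply, identifier, 20) + response_auth(reply, identifier, ra, b"", secret)

def check_response(pkt, identifier, request_auth, secret):
    # NAS side: drop replies whose Identifier or Response Authenticator does not match.
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20 or ident != identifier:
        raise ValueError("length or Identifier mismatch: not a reply to our request")
    if not hmac.compare_digest(pkt[4:20], response_auth(code, ident, request_auth, pkt[20:], secret)):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code, parse_attrs(pkt[20:])

def accounting_request(identifier, session_id, status, secret, session_time=0, output_octets=0):
    # RFC 2866 3: the Request Authenticator is MD5 over the packet with 16 zero bytes in its slot,
    # followed by the secret, so the server can detect forged or altered billing records.
    body = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status)) + attr(ACCT_SESSION_ID, session_id)
            + attr(ACCT_SESSION_TIME, struct.pack("!I", session_time))
            + attr(ACCT_OUTPUT_OCTETS, struct.pack("!I", output_octets)))
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(pkt, secret):
    # Server side: recompute the accounting authenticator before writing the record to the bill.
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return len(pkt) >= 20 and hmac.compare_digest(pkt[4:20], expected)
```

The two checks a practitioner should never skip are in check_response and verify_accounting_request: a reply that is not bound to our Request Authenticator, or an accounting record whose authenticator does not verify, is discarded rather than acted on. Note that nothing here protects attributes other than the password in an Access-Request from being read or modified in transit; that is the weakness the later section on Diameter alludes to.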

RADIUS also supports proxying and roaming. Simply put, a proxy is a RADIUS server that acts on behalf of other RADIUS servers, forwarding authentication and accounting packets to them. Roaming is a particular use of proxying: it lets a user be authenticated through a RADIUS server that originally had no relationship with that user, by forwarding the request to the user's home server.

The RADIUS server and the NAS communicate over UDP: port 1812 on the RADIUS server handles authentication and port 1813 handles accounting (older deployments used 1645 and 1646). UDP was chosen mainly because the NAS and RADIUS server usually sit on the same LAN, where UDP is faster and simpler; the cost is that UDP gives no delivery guarantee, so the protocol has to provide its own retransmission.

The RADIUS protocol therefore also specifies a retransmission mechanism. If the NAS sends a request to a RADIUS server and receives no reply, it can retransmit the request, possibly to a backup RADIUS server. Because there may be several backup servers, the NAS can go through them in round-robin fashion when retransmitting. If a backup server uses a different shared secret, the request cannot simply be resent as-is: the hidden password and the authenticator depend on the secret, so the request has to be regenerated for that server.

RADIUS is used very widely, including for ordinary telephone dial-up, online billing, and VPN support, where users arriving through different dial-in servers can be given different permissions. More recently the IEEE proposed the 802.1X standard, a port-based access control standard used for wireless network access authentication, which relies on RADIUS on the authentication side.

Common authentication and accounting mechanisms and systems:

The currently common authentication mechanisms are the following:

● DCE/Kerberos-based authentication;

● public key-based authentication;

● challenge/response-based authentication.

The currently common billing systems are the following:

● IP telephony billing: billing is done with the RADIUS protocol with relatively small changes to the protocol itself. Since RADIUS was originally an authentication and accounting service for dial-up users, it is basically adequate for the IP telephony business.

● Traffic-based billing: in many universities, campus network users are billed this way. Its characteristic is that billing has no real-time requirement and the time granularity is coarse and uniform.

Many problems met in real streaming media on-demand services challenge the existing billing protocols and solutions. As access networks speed up further, broadband IP networks will carry rich data, voice, image and other integrated multimedia services. A user management and billing system serving as the support platform for streaming media has its own new business characteristics, such as billing by time, billing by traffic, multiple billing rules and multiple media formats, and will place higher demands on selectivity, efficiency, real-time operation, reliability and security than the user management and billing systems of telecommunications services do. One of the most important points is that streaming supports many media formats and many bit rates, and may even adapt the bit rate to network conditions during transmission; this makes real-time traffic billing difficult, and the current protocol does not support real-time traffic information.

For user authentication and billing in streaming media on-demand systems, the management experience of existing telecommunications systems is worth drawing on, but simply transplanting the user management and billing system of the telecommunications business onto a streaming media system is not advisable. Building on the mature experience of telecommunications systems and tailoring the user management and billing system to the particular characteristics of the streaming business yields an effective support platform for streaming media value-added services, makes streaming a viable business, and helps operators in fierce competition.

Tsinghua University's Broadband Network Research Center has developed a user authentication and billing system based on the RADIUS protocol. It runs on Linux and can handle several user types and several accounting strategies.

The core of the billing system is a relational database (Oracle/MySQL) in which user classification, the different billing rates and the billing strategies are implemented. The core of the communication is the RADIUS protocol. Authentication and billing are implemented on two servers. The front-end server mainly performs authentication and talks RADIUS with the Linux streaming server. The front end's other job is to act as a RADIUS proxy and forward the accounting packets it receives on to the back-end server. Since the RADIUS protocol says little about the content of billing and authentication, its core being the packet format and the shared-secret protection of those packets, the RADIUS communication part of the program was written with ordinary socket programming.

Because multiple users are handled concurrently, multiple child processes are needed, and the information about users currently logged in is kept together so that each login is handled by one process only. If a login packet arrives with the same IP address and session ID as one already seen, the RADIUS server should compare the Attributes of the two packets; if they are identical the packet is filtered out, which prevents the same request from being processed twice.
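Two pieces of the retransmission handling described on this page, as an added example that is not the Tsinghua system's code or the original page's: the NAS-side failover from the earlier paragraph on retransmission, and the server-side duplicate filtering from this paragraph. The failover rebuilds the packet per server because the hidden password and Request Authenticator depend on that server's shared secret; the duplicate filter applies the RFC 2865 section 3 rule (same client address and Identifier with the same Request Authenticator is a retransmission to be answered from cache, while the same Identifier with a different Request Authenticator is a new request). The server addresses, the send callback, the clock and the cache TTL are assumptions for the example.

```python
"""NAS-side retransmission with failover, and server-side duplicate detection (RFC 2865 section 3)."""
import hmac
import time


def send_with_failover(servers, build, send, retries=3, timeout=2.0):
    # Round-robin over the configured servers, `retries` rounds in total. `build(server)` returns a
    # freshly generated packet for that server (its secret may differ, so the packet cannot be reused);
    # `send(server, pkt, timeout)` returns the reply bytes, or None when no reply arrived in time.
    for _round in range(retries):
        for server in servers:
            reply = send(server, build(server), timeout)
            if reply is not None:
                return server, reply
    return None, None


class DuplicateFilter:
    """Cache of recently answered requests keyed on (client address, Identifier).

    A retransmission carries the same Request Authenticator, so the cached reply is resent
    instead of re-running authentication or re-writing an accounting record. A request with
    the same Identifier but a different Request Authenticator is new, so the entry is replaced.
    Entries expire after `ttl` seconds, since a NAS reuses its 8-bit Identifier space quickly.
    """

    def __init__(self, ttl=30.0, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self.cache = {}  # (src, identifier) -> (request_auth, reply, stored_at)

    def lookup(self, src, identifier, request_auth):
        # Returns ("duplicate", cached_reply) or ("new", None).
        key = (src, identifier)
        entry = self.cache.get(key)
        if entry is not None and self.clock() - entry[2] > self.ttl:
            del self.cache[key]
            entry = None
        if entry is not None and hmac.compare_digest(entry[0], request_auth):
            return "duplicate", entry[1]
        return "new", None

    def remember(self, src, identifier, request_auth, reply):
        # Called after the request has been processed once, so a retransmission gets the same answer.
        self.cache[(src, identifier)] = (request_auth, reply, self.clock())
```

In a real server the lookup runs before any database access, which is exactly the expensive step the two-server split in this system is trying to protect; answering a retransmitted Accounting-Request from the cache also avoids recording the same session twice.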

The other task of the front end is forwarding accounting packets to the back end, which mainly uses RADIUS proxying. The basic reason for splitting the front and back ends across two servers is that the back-end server has to bill some users in real time, which means accessing the database, and database access consumes a lot of system resources. To improve system performance the two functions are therefore placed on separate servers.

The back-end billing server can implement different billing strategies. By user type, users are divided into ordinary (postpaid) and prepaid users, and within each type they are further divided into levels according to their consumption. Programs can be billed by traffic or per on-demand request, and can be charged according to the program content, with each program having its own rate.

RADIUS protocol: continuous improvement

RADIUS is one of the most commonly used authentication and accounting protocols. It is simple and reasonably secure, easy to manage and readily extensible, so it is very widely deployed. However, defects of the protocol itself, such as its reliance on UDP, its simplistic handling of packet loss, the absence of further provisions beyond basic retransmission, and the lack of a centralized accounting service, make it a poor fit for the development of today's networks, and it needs further improvement.

The IETF has set up a dedicated working group to discuss authentication, authorization and accounting (AAA). In its view a good AAA protocol must have the following characteristics:

● The protocol must clearly define the requirements for the typical information exchanged and for the interaction between the parties.

● The protocol must define categories of error information and be able to return the correct error according to its category; the categories must cover all operational errors.

● The accounting operation model must cover all network access methods.

● The protocol must run correctly over IPv6.

● The protocol should handle congestion during transmission correctly.

● It must support proxies.

● It must be compatible with RADIUS.

● The protocol should define lightweight data objects so that it is easy to implement on a NAS.

● The protocol should separate the protocol itself from its data model logically, and support more data types.

● A MIB must be defined, supporting both IPv4 and IPv6 operation.

Based on these requirements, the IETF AAA Working Group put forward a draft authentication and accounting protocol called Diameter in March 2002. Diameter supports authentication, authorization and accounting for Mobile IP, NAS requests and mobile agents. Its design resembles RADIUS, in that it also carries its data as attribute-value pairs (AVPs, each with a code, flags, length and value), but it runs over TCP or SCTP rather than UDP and specifies error handling in detail.

Please credit the original source when reposting: https://www.9cbs.com/read-39587.html
