AAA and RADIUS Protocol Configuration

AaaAnd RADIUS Protocol Configuration

I. Introduction to AAA and radius protocols
1. AAA Functions
AAA is short for authentication, authorization, and accounting. It provides three security functions: authentication, authorization, and billing. The details are as follows:
A. Authentication: whether users can obtain access and determine which users can access the network.
B. Authorization: services that can be used by authorized users.
C. Billing: records the usage of network resources.
AAA generally adopts the Client/Server structure. The client runs on the managed resource side, and the server stores user information in a centralized manner. This structure not only has good scalability, but also facilitates centralized management of user information.
Billing gateway uses the authentication function in AAA to authenticate end users.
2. RADIUS protocol
(1) radius Overview
Radius is short for Remote Authentication Dial-In User Service (Remote Authentication dialing user service). It was initially developed by Livingston enterprise as a distributed client/server system, provides AAA functions. Radius technology protects the network from unauthorized access, it is often used in a variety of network environments that require high security and remote user access (for example, to manage a large number of scattered dial-up users using serial ports and modem ).
The RADIUS service consists of three components:
A. Protocols: rfc2865 and 2866 define the radius frame format and message transmission mechanism based on the UDP/IP layer, and define 1812 as the authentication port and 1813 as the billing port.
B. SERVER: the RADIUS server runs on a central computer or workstation and contains user authentication and Network Service access information.
C. Client: the client is located on the Network Access Server (NAS) and can be deployed throughout the network.
Radius is based on the customer/server model. As a radius client, NAS (such as a router) transmits user information to the specified RADIUS server, then, process the information returned from the slave server (for example, the user is connected or hung up ). The RADIUS server is responsible for receiving user connection requests, authenticating users, and then returning all required information to NAs.
The RADIUS server usually maintains three databases: the first database "users" is used to store user information (such as user names, passwords, protocols used, IP addresses, and other configurations ), the second database "clients" is used to store information about the radius client (such as shared keys), and the third Database "Dictionary" is used to explain the meaning of attributes and attribute values in the RADIUS protocol. As shown in:

Figure 5-1 Composition of the RADIUS server
In addition, the RADIUS server can also perform proxy authentication or billing as clients of other AAA servers. The RADIUS server supports multiple authentication methods, such as PPP-based Pap, CHAP authentication, and UNIX-based login.
(2) Basic message interaction process of Radius
The authentication process of the RADIUS server to users usually requires the proxy authentication function of the NAS and other devices. The radius client and the RADIUS server communicate with each other through the shared key authentication, user passwords are transmitted over the network in ciphertext mode, enhancing security. The RADIUS protocol combines authentication and authorization processes, that is, the Response Message carries the authorization information. The flowchart and steps are as follows:

Figure 5-2 basic message interaction process of Radius
The basic interaction steps are as follows:
A. Enter the user name and password;
B. The radius client sends an access-request packet to the RADIUS server based on the obtained user name and password ).
C. The RADIUS server compares the user information with the users database information. If the authentication succeeds, the user's permission information is sent to the radius client using the authentication response packet (access-accept; if the authentication fails, the access-reject response packet is returned.
D. The radius client accesses/rejects users based on the received authentication results. If users can be accessed, the radius client sends a billing start request packet (accounting-request) to the RADIUS server ), the value of status-type is start;
E. The RADIUS server returns the billing start response packet (accounting-response );
F. The radius client sends a billing stop request packet (accounting-request) to the RADIUS server. The value of status-type is stop;
G. The RADIUS server returns the billing end response packet (accounting-response ).
(3) packet structure of RADIUS protocol
Radius uses UDP to transmit messages. It uses the timer management mechanism, retransmission mechanism, and backup server mechanism to ensure that the interactive messages between the RADIUS server and the client are correctly sent and received. The radius packet structure is as follows:

Figure 5-3 radius packet structure
The Identifier Field is used to match request packets and response packets. The field changes with the attribute field and receives valid response packets, but remains unchanged during re-transmission. The Authenticator domain (16 bytes) is used to verify the request sent back from the RADIUS server and to hide the password. Algorithm Request authenticator and response authenticator.
A. Request authenticator uses a 16-byte random code.
B. Response authenticator is the result of MD5 Algorithm for code identifier, request authenticator, length, attribute, and shared key.
The type of radius packet is determined by the Code domain, mainly including:
Table 5-8 description of main values of code fields

The attribute field carries special authentication, authorization, and billing information to provide configuration details for request and response packets. This field is provided in the form of three tuples (type, length, value, the standard attribute fields defined in RFC generally include:
Table 5-9 description of main values of attribute Fields

The RADIUS protocol has good scalability. The attribute No. 26 (vender-specific) defined in the Protocol can be easily extended to support custom extended attributes. The packet structure is shown in:

Figure 5-4 radius packet segment with extended attributes
(4) radius features
Radius uses UDP as the transmission protocol and has good real-time performance. It also supports retransmission and backup server mechanisms to ensure better reliability. The implementation of radius is relatively simple and suitable for the multi-thread structure on the server side when the number of users is large. Because of this, the RADIUS protocol has been widely used.
(5) Configure AAA and radius
The AAA configuration of the billing gateway includes the following three parts:
A. Enable aaa
B. Configure the Authentication Scheme
C. Configure the Application Authentication Solution
Enable aaa
You can use the various commands provided by AAA to configure AAA only when you use AAA.
Perform the following configuration in the System View.
Table 5-10 enable or disable aaa

AAA is disabled by default.
3. Configure the Authentication Scheme
The configuration authentication scheme includes the following Configuration:
A. Configure the user authentication Solution
B. Configure local priority Authentication
(1) configure the user authentication Solution
The billing gateway user refers to the login user. Here, login refers to logging on to the billing gateway through FTP or telnet, and terminal service (such as the Aux port of the Console port) go to the billing gateway for configuration. It is different from the PPP users connected to the server.
Perform the following configuration in the System View.
Table 5-11 AAA login authentication solution configuration


Here, method is the authentication method, which can be a combination of the following:
A, none
B. Local
C. Radius
D. radius none
E. radius local
F. template server-template-name none
G. template server-template-name local
FTP, terminal, and SSH are not the standard attribute values of the RADIUS protocol. You need to modify the attributes of the RADIUS server and add two values in the attribute login-Service (Standard attribute 15:
Login-Service (50) = FTP
Login-Service (51) = Terminal
Login-Service (52) = SSH
After modification, start the RADIUS server.
(2) Configure local priority authentication for AAA
Local priority authentication configuration is optional. If local priority authentication is not configured, RADIUS Authentication is performed on the user first.
Perform the following configuration in the System View and radius template configuration view.
Table 5-12 local priority authentication configuration for AAA

Local priority authentication is disabled by default.
When you use local priority authentication, you must first perform local authentication. If the authentication fails, you must use the method in the configured authentication scheme for authentication.
4. Application Authentication Solution
The Application Authentication solution is to configure the user authentication method in the user interface view. For details, see 5.2.1 configure the user authentication method.
5. Configure the RADIUS server
If you select the RADIUS Authentication Method in the authentication scheme, you need to configure the RADIUS server to include the following Configuration:
A. Configure the RADIUS server template (optional)
B. Configure the RADIUS server
C. Configure the RADIUS server specified by the user (optional)
D. Configure the radius key (optional)
E. Configure the radius response timeout (optional)
F. Configure the number of radius retransmission times (optional)
G. Configure the recovery time after the RADIUS server is down (optional)
H. Configure the radius real-time billing package sending interval (optional)
You can configure the RADIUS server in the System View and server template view. To configure a RADIUS server template, you must first create a RADIUS server template and enter the RADIUS server template view.
The RADIUS server configuration includes configuring the server address and listening port, and other attributes related to the radius protocol, this includes the shared key, retransmission count, timeout retransmission interval, specifying the authentication server service for PPP users, and the recovery time after the server is down.
(1) configure the RADIUS server Template
The RADIUS server template is a set of RADIUS servers. Before configuring servers in the RADIUS server template, you must create a RADIUS server template. When creating a RADIUS server template, if the specified RADIUS server template does not exist, add a new RADIUS server template and enter the radius template view. In the radius template view, you can configure the RADIUS server and its attributes for this RADIUS server template.
Perform the following configuration in the System View.
Table 5-13 configure the RADIUS server Template

(2) configure the RADIUS server
Perform the following operations to specify the address and listening port number of the RADIUS server. You can configure multiple RADIUS servers. A maximum of 15 RADIUS servers can be configured in the System View, and a maximum of five RADIUS servers can be configured in a radiustemplate.
Each radius template can only be configured with one master RADIUS Authentication Server and one master radius billing server. When configuring the radius master server, if there is already a master RADIUS server in the radius template, the newly configured RADIUS server will be used as the master server, and the original master server will no longer be used as the master server.
If the master RADIUS server is not specified, the system selects the RADIUS server based on the configuration time. When a server fails, the system automatically selects the next server.
After the master RADIUS server is configured, the master RADIUS server is preferred to implement AAA. When the master RADIUS server does not work normally, use other RADIUS servers and try again at a certain time to check whether the master RADIUS server can work normally, if it is found that it can work normally, the master RADIUS server will be restored immediately.
Perform the following configuration in the System View and radius template view.
Table 5-14 configure the RADIUS server

The default value of the authentication port number is 1812. If it is set to 0, the current server is not used as the authentication server.
The default value of the billing port number is 1813. If it is set to 0, the current server is not used as the billing server.
Use auth-primary to configure the RADIUS server as the master authentication server. Use Acct-primary to configure the RADIUS server as the primary billing server.
(3) configure the RADIUS server specified by the user
Users can specify the RADIUS server to authenticate users.
① This function requires the username to be in the form of "userid @ server", where userid is the username and server is the RADIUS server used.
② This function should be used together with the authentication solution on the interface. The configuration takes effect only when the first authentication method configured on the interface is the radius method.
When users are authenticated, they will try to use the RADIUS server specified by the user. When the RADIUS server cannot work normally, they will then use other RADIUS servers for authentication.
If you want to recover to a RADIUS server that is not specified by the user, run the rundo radius appoint-authentication command.
Perform the following configuration in the System View and radius template view.
Table 5-15 configure the RADIUS server specified by the user

Restricted indicates that only the specified RADIUS server can be used to authenticate users. After this option is configured, the user request is rejected if the specified RADIUS server does not exist or cannot work.
(4) configure the radius key
The accesskey is used to encrypt user passwords and generate response authenticator ).
Perform the following configuration in the System View and radius template view.
Table 5-16 configure the radius key

The configured key must be the same as the key set in the RADIUS server.
(5) configure the radius response timeout time
For packets sent from the radius client (billing gateway), if you need a RADIUS server response, you need to set a timeout timer. If you do not receive a response from the RADIUS server within the specified time, the radius client resends the message.
Perform the following configuration in the System View and radius template view.
Table 5-17 configure radius response timeout

The default radius response timeout is 5 seconds.
(6) configure the number of radius retransmission times
When the radius client (billing gateway) sends an AAA request to the RADIUS server and fails to receive a response from the RADIUS server within the specified timeout period, the client will re-Send the AAA request. After the maximum number of retransmission requests is exceeded, the server cannot work properly.
Perform the following configuration in the System View and radius template view.
Table 5-18 configure radius retransmission times

The default retransmission count is 3.
(7) configure the interval between detection and recovery after the RADIUS server goes down
The default recovery time of the radius client (billing gateway) after the RADIUS server is down is 5 minutes.
Perform the following configuration in the System View and radius template view.
Table 5-19 configure the recovery time after the RADIUS server is down

(8) configure the radius real-time billing package sending Interval
After the user passes authentication, NAS sends the user's real-time billing information to the RADIUS server at the configured interval. If the real-time billing request fails, the user will be processed based on the configuration of the AAA accounting-scheme optional command. If the user configures AAA accounting-scheme optional, NAS will allow the user to continue to use the network service, otherwise, NAS will stop the user.
By default, real-time billing is not used.
Perform the following configuration in the System View and radius template view.
Table 5-20 configure the radius real-time billing package sending Interval

Ii. AAA and radius display and debugging
After completing the preceding configuration, execute the display command in all views to display the running status of AAA and radius after the configuration, and view the effect of the Information Authentication configuration.
Run the debugging command to debug AAA and radius.
Table 5-21 AAA and radius display and debugging