Bas/bras/radius Introduction

Source: Internet
Author: User

Tags: Java, RADIUS protocol, Linux, RADIUS authentication server. Reposted from: http://blog.csdn.net/sun93732/article/details/5999274

RADIUS, defined in RFC 2865 and RFC 2866, is currently the most widely used AAA (authentication, authorization and accounting) protocol.
The RADIUS protocol was originally proposed by Livingston Corporation and was first designed to authenticate and bill dial-up users. After several revisions it became a general-purpose authentication and accounting protocol.
Merit Network, Inc., founded in 1966, is a nonprofit company at the University of Michigan whose business is to operate and maintain the university's Internet-connected network, MichNet. In 1987 Merit won the bid from the U.S. NSF (National Science Foundation) for the contract to operate NSFNet, the predecessor of the Internet. Because NSFNet was an IP-based network while MichNet ran on proprietary network protocols, Merit faced the problem of evolving MichNet's proprietary protocols to IP, and of porting the large number of dial-up services on MichNet, together with their associated proprietary protocols, to IP networks.
In 1991 Merit decided to solicit bids for a dial-up server supplier. A few months later a company called Livingston submitted a proposal, named RADIUS, and won the contract.
In the fall of 1992 the IETF NASREQ working group was established, and RADIUS was subsequently submitted to it as a draft. RADIUS soon became the de facto network access standard, and almost all network access server vendors implemented the protocol.
In 1997 RADIUS RFC 2039 was released, followed by RFC 2138; the latest RADIUS RFC, RFC 2865, was published in June 2000.
RADIUS is a client/server protocol. Its client was initially a NAS (Network Access Server); today any computer running RADIUS client software can be a RADIUS client. The RADIUS authentication mechanism is flexible and supports many methods, such as PAP, CHAP or UNIX login authentication. RADIUS is an extensible protocol: all of its work is based on attribute-length-value vectors, and RADIUS also supports vendor-specific proprietary attributes.
The basic working principle of RADIUS is as follows. The user connects to the NAS, and the NAS submits the user's information (user name, password and other related attributes) to the RADIUS server in an Access-Request packet. The user password is hidden with MD5 using a shared secret known to both sides; the secret itself is never transmitted over the network. The RADIUS server verifies the user name and password and may issue a challenge if necessary, requiring further authentication from the user (or similar authentication from the NAS). If the credentials are valid it returns an Access-Accept packet to the NAS, allowing the user to proceed; otherwise it returns an Access-Reject packet and the user is denied access. If access is granted, the NAS sends an Accounting-Request to the RADIUS server, the server replies with an Accounting-Response, and billing of the user begins while the user carries out their own operations.
RADIUS also supports proxying and roaming. Simply put, a proxy is a RADIUS server that acts on behalf of other RADIUS servers and is responsible for forwarding RADIUS authentication and accounting packets. Roaming is a specific application of proxying: it allows a user to be authenticated through a RADIUS server unrelated to the user's home server, so that a user in the territory of a non-home operator can still obtain service, and virtual operators can be implemented as well.
The RADIUS server and the NAS communicate over UDP: port 1812 of the RADIUS server handles authentication and port 1813 handles accounting. The basic reasoning behind using UDP is that the NAS and the RADIUS server are usually on the same LAN, and UDP is faster and simpler to use.
The RADIUS protocol also provides for retransmission. If the NAS submits a request to a RADIUS server and receives no reply, it can retransmit the request to a backup RADIUS server. Because there may be several backup RADIUS servers, the NAS can poll them in turn when retransmitting. If the backup server's shared key differs from the previous server's key, the request must be re-authenticated with the backup server's key.
Because the RADIUS protocol is simple, clear and extensible, it has been widely adopted, including for ordinary telephone dial-up Internet, ADSL Internet, residential broadband Internet, IP telephony, VPDN (Virtual Private Dialup Network, a virtual private dial-up network service for dial-up users), mobile phone prepaid billing and other services. Recently the IEEE has proposed the 802.1X standard, a port-based standard for wireless network access authentication, which uses the RADIUS protocol for authentication.
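The exchange described above, as an added example that is not part of the original post or the CSDN author's code: how the User-Password is hidden with MD5 and the shared secret, how the Access-Request is laid out as attribute-length-value triples, and how the NAS verifies the Response Authenticator on an Access-Accept so that a reply not computed with the shared secret is discarded. The secret, authenticator and credentials are constructed sample values; packet codes and attribute numbers are taken from RFC 2865.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865 (from the RFC, not this page).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is chained to
    the Request Authenticator. The secret itself never goes on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """One attribute-length-value triple: Type(1) Length(1, incl. header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_accepts(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Response Authenticator with the NAS's own
    secret and the saved Request Authenticator. A reply produced without the
    secret, or altered in transit, fails this check and must be discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return code == ACCESS_ACCEPT and hmac.compare_digest(reply[4:20], expected)
```

Note that the Request Authenticator must be a fresh random 16-byte value per request; a predictable or reused authenticator weakens the password hiding shown here.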

===============================================

Bas/bras/radius Introduction

The basic function of a BAS is to implement the management and service initiation functions for broadband users, including user identification, authentication, billing, IP address management, security management and so on.
The Broadband Remote Access Server (BRAS) is a new access gateway for broadband network applications. Located at the edge layer of the backbone network, it completes the data access of user bandwidth to the IP/ATM network (current access means are mainly xDSL, cable modem, high-speed Ethernet (LAN), wireless broadband data access (WLAN) and so on), providing broadband Internet access for commercial buildings and residential communities, IP VPN services based on IPSec (IP Security Protocol), intranets within enterprises, support for ISPs wholesaling services to users, and other applications. The BRAS mainly performs two kinds of function. The first is the network carrying function: it terminates users' PPPoE (Point-to-Point Protocol over Ethernet, a way of carrying PPP sessions over Ethernet) connections and aggregates user traffic. The second is the control function: together with the authentication system, the accounting system, the customer management system and the service policy control system, it implements the authentication, billing and management functions for user access.

The RADIUS (Remote Authentication Dial In User Service) protocol was originally proposed by Livingston Corporation and was first designed to authenticate and bill dial-up users. After several revisions it became a general-purpose authentication and accounting protocol.


The RADIUS protocol has a wide range of applications, including ordinary telephone dial-up, Internet service billing, and VPN support, which can give users of different dial-in servers different permissions. Recently the IEEE has proposed the 802.1X standard, a port-based standard for wireless network access authentication, which uses the RADIUS protocol for authentication.
