Article Title: Building a RADIUS server in Linux (1 ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Author: He qijun
RADIUS is used to authorize and authenticate the remote dial-in user. It can only use a single "Database" to authenticate users (verify the user name and password ). It mainly targets remote logon types such as SLIP, PPP, telnet, and rlogin.
Its main features include:
1. Client/Server (C/S) Mode
A Network Access Server (NAS) serves as a RADIUS client. It is responsible for transmitting user information to the RADIUS server and then taking corresponding actions according to the different responses of the RADIUS server. In addition, the RADIUS server can act as a proxy customer of another RADIUS server or another type of authentication server.
2. Network Security)
The transaction information exchange between the NAS and the RADIUS server is encrypted by the keys shared by the two, and the information is not leaked between the two.
3. Flexible Authentication mechanism)
The RADIUS server supports multiple authentication mechanisms. It can verify the validity of user information from logon to PPP, PAP, CHAP, and UNIX systems.
4. Extensible Protocol)
All authentication protocols are composed of three elements: "Attribute-length-attribute value. Therefore, the Protocol is very convenient to expand. In many later versions of Linux, they all include the RADIUS installer in the system source code. In this way, we can easily learn the principles and applications of RADIUS authorization and Authentication through the free Linux system.
RADIUS protocol Principle
To find out why the RADIUS protocol implements authorization and authentication, we must understand the RADIUS protocol in four aspects: Basic Principles of the protocol, data packet structure, data packet type, and Protocol attributes. Next we will introduce these contents in detail.
Basic Principles
There may be many types of services that NAS provides to users. For example, when using telnet, the user provides the user name and password information, while when using PPP, the user sends data packets with authentication information.
Once NAS obtains this information, it creates and sends an "Access-Request" packet to the RADIUS server, which contains the user name and password (based on MD5 encryption) the ID of the NAS instance and the port number accessed by the user.
If the RADIUS server does not respond within a specified period of time, NAS will resend the preceding data packet. If there are multiple RADIUS servers, after the NAS fails to attempt the master RADIUS server repeatedly, other RADIUS servers will be used instead.
The RADIUS server directly discards requests without the "Shared Secret" and does not respond. If the data packet is valid, the RADIUS server accesses the authenticated database to check whether the user exists. If yes, the user information list is extracted, including the user password, access port, and access permission.
When a RADIUS server cannot meet your needs, it will turn to other RADIUS servers, which act as a client.
If the user information is denied, the RADIUS server sends an "Access-Reject" packet to the client, indicating that the user is illegal. If necessary, the RADIUS server also adds a text message containing the error information to the packet, so that the client can feedback the error information to the user.
On the contrary, if the user is confirmed, the RADIUS server sends an "Access-Challenge" packet to the client, and adds the information that the client sends to the user in the packet, including the status attribute. Next, the client prompts the user to respond to provide further information. After the client obtains the information, it submits the "Access-Request" packet with the new Request ID to the RADIUS server again, what is different from the original "Access-Request" packet content is: at first, the "user name/password" information in the "Access-Request" packet is replaced with the current response information of this user (encrypted ), the data packet also contains the status attribute (expressed as 0 or 1) in "Access-Challenge ). In this case, the RADIUS server may have three reactions to the new "Access-Request": "Access-Accept", "Access-Reject", or "Access-Challenge ".
If all the requirements are valid, RADIUS returns an "Access-Accept" response, including the service type (SLIP, PPP, Login User, etc.) and its ancillary information. For example, for SLIP and PPP, The response includes IP addresses, subnet masks, MTU, and packet filtering information.
Data Packet Structure
The RADIUS packet is encapsulated in the Data field of the UDP datagram, And the destination port is 1812. The specific data packet structure is shown in table 1.
· The length of the Code field is 8 bits. The specific values are shown in table 2. Among them, 1, 2, 3 are used for user authentication, while 4 and 5 are used for traffic statistics, 12 and 13 are used for the test phase, and 255 are reserved.
· The length of the Identifier domain is 8 bits. It is mainly used to match request and response data packets, that is, the number of data packets.
· Length is 16 bits, value range (20 <= Length <= 4096 ), this Length includes the total Length of the five data fields Code, Identifier, Length, Authenticator, and Attribute (Code, Identifier, Length, Authenticator is set to a fixed Length, Attribute is variable Length ). Data out of the range will be considered as additional data (Padding) or directly ignored.
· The Authenticator consists of 16 bytes (128 bits) and is mainly used to Authenticator responses from the RADIUS server. It is also used to encrypt user passwords.
(1) Request Authenticator
In an "Access-Request" packet, Authenticator is a 16-byte random number called "Request Authenticator ". It is unique throughout the entire life cycle of data transmission between the NAS and the RADIUS server through the "secret.
(2) Response Authenticator
The Authenticator domain in "Access-Accept", "Access-Reject", and "Access-Challenge" is called "Response Authenticator ".
The RADIUS data packet type is specified by its Code field (the first 8 bits.
· Access-Request (Access-Request)
The "Access-Request" packet is sent by the NAS and received by the RADIUS server.
The "User-Password" or "CHAP-Password" attribute values are encrypted by MD5 by default.
The data packet structure is shown in table 5.
8-bit, 8-bit, 16-bit
Code = 1 Identifier-the Length remains unchanged when the Value of Attributes changes.
Authenticator (128-bit)-changed based on Identifier changes
Attributes... (Not long)
Attributes should include the following Attributes:
"Access-Accept" is sent by the RADIUS server and returned to the NAS. Indicates that the user information is valid. It includes necessary configuration information for the next step to provide services to users. The data packet structure is shown in table 6.
8-bit, 8-bit, 16-bit
Code = 2 Identifier-the same Length as the "Access-Request" Identifier
Authenticator (128 bits)-belongs to Response Authenticator and is calculated by Formula 1.
Attributes... (Not long)
Access-Reject "Access-Reject" is sent by the RADIUS server and returned to the NAS. Indicates that the user information is invalid. It should include one or more "Reply-messages" (Reply messages, including some error messages that are convenient for NAS to return to users ). The data packet structure is shown in table 7.
8-bit, 8-bit, 16-bit
Code = 3 Identifier-the same Length as the "Access-Request" Identifier
Authenticator (128 bits)-belonging to the Response Authenticator, calculated by Formula 1
Attributes... (Not long)
Attribute
The attributes are shown in table 8. Here, the Length calculation method is: Type + Length + Value.
8-bit 8-bit length (0 or multiple bytes)
Type Length Value...
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
