The Remote Authentication Dial In User Service (RADIUS) protocol was initially proposed by Livingston to provide authentication and billing for dial-up users. After many improvements it gradually became a common network authentication and billing protocol, and it is defined in the IETF documents RFC 2865 and RFC 2866. RADIUS works in client/server mode: the client is the Network Access Server (NAS), which submits authentication, billing and other information to the RADIUS server; the RADIUS server processes the information and returns the result to the NAS.
The RADIUS protocol is widely used in the authentication and billing systems of mobile, data and intelligent networks. In the 802.1X authentication framework for wireless LANs, RADIUS is also the recommended protocol on the authentication end.
This article discusses the principles of the RADIUS protocol and its application and implementation in a WLAN.
2 RADIUS protocol
2.1 WLAN Network Model
For a commercial wireless LAN, LAN switches can be used to implement the port control of the 802.1X authentication protocol. To ensure network security, a firewall is added at the egress and at the authentication end of the wireless LAN. The RADIUS servers and databases can also adopt a master-slave structure to ensure the robustness of the network.
Figure 1 shows the network model:
Figure 1 Wireless LAN Network Model
The authentication end of the wireless LAN consists of the RADIUS server, the network access server (NAS) and the database, where:
NAS: acts as the client of the RADIUS server and forwards the user's authentication information to the RADIUS server. Once the user has been authenticated, the NAS sends the billing information to the RADIUS server.
RADIUS server: the central server of the authentication system, connected to both the NAS and the database. It accepts the information submitted by the NAS, performs the corresponding operations on the database, and returns the processing result to the NAS.
Database: stores all user information, billing information and other information. User information is added to the database by the network administrator; billing information comes from the RADIUS server; other information includes log records.
2.2 RADIUS packet structure
RADIUS is an application-layer protocol. At the transport layer its packets are carried in UDP datagrams, which are in turn encapsulated in IP packets. UDP port 1812 is used for RADIUS authentication and port 1813 for billing.
The packet structure after RADIUS encapsulation on Ethernet is shown in the figure.
A RADIUS packet is divided into five parts:
1) Code: 1 byte, used to distinguish the type of RADIUS packet. Common types are:
Access-Request, Code = 1; Access-Accept, Code = 2; Access-Reject, Code = 3; Accounting-Request, Code = 4.
2) Identifier: 1 byte, used to match requests with their response packets.
3) Length: 2 bytes, giving the length in bytes of the RADIUS data area, including the Code, Identifier, Length, Authenticator and Attributes fields. The minimum value is 20 and the maximum value is 4096.
4) Authenticator: 16 bytes, used to verify the server's response and also used to hide the user password. The Shared Secret configured on both the RADIUS server and the NAS, together with the Request Authenticator and the Response Authenticator, provides integrity protection and authentication for sent and received packets. In addition, the user password must not be transmitted in plain text between the NAS and the RADIUS server; it is generally hidden by combining it, through the MD5 hash algorithm, with the Shared Secret and the Authenticator.
5) Attributes: variable length, minimum 0 bytes. The attributes of the RADIUS protocol, such as the user name, password and IP address, are carried in this segment.
2.3 RADIUS Authentication and billing process
Based on the network model in Figure 1, the process is as follows:
1) When the applicant logs on to the network, the NAS displays a user-defined login prompt asking the applicant to enter a user name and password. The applicant enters the authentication information and waits for the authentication result.
2) After obtaining the user information, the NAS sends an Access-Request packet to the RADIUS server in the RADIUS packet format. The packet generally includes the following RADIUS attributes: user name, user password, access server ID and access port ID.
3) When the RADIUS server receives the Access-Request packet, it first verifies that the shared secret of the NAS is consistent with the one preset in the RADIUS server, to confirm that the NAS is one of its RADIUS clients. Having checked that the packet is valid, the RADIUS server looks up the user name from the packet in the user database. If the user information does not match, an Access-Reject packet is sent to the NAS. On receiving the reject packet, the NAS immediately stops serving the user's connection port, and the user is forced to log out.
4) If all the user information is correct, the server sends an Access-Challenge packet to the NAS for further verification. The challenge can ask for the user's password, the IP address used to log on to the server and the physical port number used to log on to the server. On receiving the Access-Challenge packet, the NAS displays the message to the user and asks the user to confirm the login request further. After the user confirms the request again, the RADIUS server compares the information in the second request and decides how to respond to the user (Access-Accept, Access-Reject or another Access-Challenge).
5) After all the verification conditions and handshake sessions have passed, the RADIUS server places the user's configuration information from the database in an Access-Accept packet and returns it to the NAS, which restricts the user's network access according to the configuration in the packet. This includes the service type (SLIP, PPP, Login User, Rlogin, Framed or Callback) and configuration information related to that service type, such as the IP address and time limit.
6) After authentication and authorization are complete, the controlled port of the LAN switch is opened and the user can access the network through the switch. At the same time, the NAS sends an Accounting-Request Start packet to the RADIUS server to notify it to start billing. When the user goes offline, the NAS sends an Accounting-Request Stop packet to the RADIUS server. The RADIUS server calculates the network usage fee based on the information in the billing packets.
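The following Python example is added here to make both section 2.2 (the packet layout, the Length limits and the role of the Authenticator) and the authentication and billing process of section 2.3 concrete; it is not code from the article or from any RADIUS implementation. It encodes and parses the 20-byte header and the attribute TLVs, hides and unhides the User-Password with the MD5 method of RFC 2865, computes and checks the Response Authenticator, and then runs the NAS and server sides of an Access-Request / Access-Accept exchange followed by an Accounting-Request Start in one process instead of over UDP ports 1812 and 1813. The user database, the shared secret, the NAS address 192.0.2.10 and the session id are constructed sample values, and the function names are this example's own.

```python
import hashlib
import os
import struct
# Packet codes and attribute types from RFC 2865 / RFC 2866 that this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 4, 5, 40, 44
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator: the fixed 20-byte header
# Constructed sample data for this example (not from the article): one user, one shared secret
USER_DB = {b"alice": b"correct-horse"}
SECRET = b"example-shared-secret"

def encode_attrs(attrs):
    """Serialize [(type, value)] as TLVs: Type, Length (value + 2-byte header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse the attribute area; a truncated TLV or a Length below 2 is rejected (it would loop forever)."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, body):
    if HEADER.size + len(body) > 4096:
        raise ValueError("packet exceeds 4096 bytes")
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def parse_packet(raw):
    """Split a datagram into (code, ident, authenticator, attrs) under the RFC 2865 length rules."""
    if len(raw) < HEADER.size:
        raise ValueError("shorter than the 20-byte minimum")
    code, ident, length, auth = HEADER.unpack_from(raw)
    if not HEADER.size <= length <= min(len(raw), 4096):
        raise ValueError("invalid Length field")
    return code, ident, auth, decode_attrs(raw[HEADER.size:length])  # bytes past Length are padding

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server before comparing with the stored password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, mask))
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def nas_build_request(username, password, secret, ident):
    """Step 2: User-Name, hidden User-Password, NAS-IP-Address and NAS-Port in an Access-Request."""
    req_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator for every request
    body = encode_attrs([(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)),
                         (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])), (NAS_PORT, struct.pack("!I", 3))])
    return build_packet(ACCESS_REQUEST, ident, req_auth, body), req_auth

def server_handle(raw, secret, user_db):
    """Steps 3-5: unhide the password, answer Access-Accept or Access-Reject (a wrong NAS secret yields garbage)."""
    code, ident, req_auth, attrs = parse_packet(raw)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and USER_NAME in a and USER_PASSWORD in a
          and user_db.get(a[USER_NAME]) == unhide_password(a[USER_PASSWORD], secret, req_auth))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, b"", req_auth, secret), b"")

def nas_check_reply(reply, ident, req_auth, secret):
    """Return the reply code, or None when Identifier or Response Authenticator fail: such replies are discarded."""
    code, rid, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rid, encode_attrs(attrs), req_auth, secret)
    return code if rid == ident and resp_auth == expected else None

def accounting_request(ident, secret, username, status, session_id=b"0001"):
    """Step 6: Accounting-Request, Acct-Status-Type 1 = Start, 2 = Stop; RFC 2866 hashes the packet with a zeroed authenticator."""
    body = encode_attrs([(USER_NAME, username), (ACCT_STATUS_TYPE, struct.pack("!I", status)),
                         (ACCT_SESSION_ID, session_id)])
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER.size + len(body))
    return build_packet(ACCOUNTING_REQUEST, ident, hashlib.md5(head + bytes(16) + body + secret).digest(), body)

def login(username, password, nas_secret, server_secret, user_db, ident=7):
    """Whole exchange in-process (stand-in for UDP/1812 and UDP/1813): (accepted, Accounting-Request Start or None)."""
    request, req_auth = nas_build_request(username, password, nas_secret, ident)
    code = nas_check_reply(server_handle(request, server_secret, user_db), ident, req_auth, nas_secret)
    if code != ACCESS_ACCEPT:
        return False, None
    return True, accounting_request((ident + 1) % 256, nas_secret, username, 1)
```

`login(b"alice", b"correct-horse", SECRET, SECRET, USER_DB)` returns `(True, <Accounting-Request Start bytes>)`; a wrong password, an unknown user, or a NAS and server configured with different shared secrets all end in `(False, None)`, the last case because the NAS cannot validate the Response Authenticator and must drop the reply. The parser's checks on Length (20 to 4096, never beyond the datagram) and on each attribute's Length field are the minimum a receiver needs so that a malformed datagram is rejected rather than mis-parsed. Note that the MD5-based password hiding and Response Authenticator of RFC 2865 are weak by current standards; deployments should additionally require the Message-Authenticator attribute of RFC 2869 and protect the NAS-to-server path at the network layer.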