RADIUS is the abbreviation of Remote Authentication Dial-In User Service. It was originally designed to authenticate and bill dial-up users. After several revisions it became a general authentication and accounting protocol that carries authentication, authorization, accounting (billing) and configuration information between the network access device and the authentication server. RADIUS is a client/server (C/S) protocol. The client was originally a NAS (network access server); today any computer running RADIUS client software can act as a RADIUS client.
RADIUS fundamentals: the user connects to the NAS, and the NAS submits the user's information (user name, password and other related attributes) to the RADIUS server in an Access-Request packet. The user password is hidden using MD5 together with the shared secret configured on both sides; the secret itself is never sent over the network. The RADIUS server checks that the user name and password are valid. If necessary it can issue a challenge, requiring further authentication from the user (or a similar authentication of the NAS). If the user is valid, the server returns an Access-Accept packet to the NAS and the user may proceed; otherwise it returns an Access-Reject packet and the user is denied access. If access is allowed, the NAS sends an Accounting-Request to the RADIUS server, the server responds with an Accounting-Response, and accounting for the user begins. At the same time the user can carry out their own operations.
The RADIUS protocol has the following characteristics:
- client/server structure;
- a shared secret is used to secure network transmission;
- good extensibility;
- a flexible authentication mechanism.
The RADIUS protocol is carried over UDP; the official port numbers are 1812 for authentication and authorization and 1813 for accounting. The RADIUS protocol is defined in RFC 2865 and RFC 2866. Communication between the Ruijie Rg-sam system and the NAS uses the RADIUS protocol. Thanks to the good extensibility of RADIUS, many manufacturers have extended it, and our company has extended it as well. Be aware when using it that different vendors' RADIUS extensions are not fully compatible with one another.
2 RADIUS Protocol Message Structure
2.1 RADIUS Protocol Message Format
The RADIUS message format is shown below; the fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
2.2 Code Field
The Code field is 1 byte long and indicates the type of RADIUS packet. If the Code field contains an invalid value, the message is silently discarded. The valid values of the RADIUS Code field are as follows:
Code=1 Access-Request
Code=2 Access-Accept
Code=3 Access-Reject
Code=4 Accounting-Request
Code=5 Accounting-Response
Code=11 Access-Challenge
Code=12 Status-Server (experimental)
Code=13 Status-Client (experimental)
Code=65 Business modification request message
Code=66 Business modification request response message
Code=67 Business modification request response reject message
Code=255 Reserved
Of these, the experimental and reserved values 12, 13 and 255 are not normally encountered; 1, 2, 3, 4, 5 and 11 are the common ones, meaning authentication request, authentication accept, authentication reject, accounting request, accounting response (accounting success) and access challenge respectively.
2.3 Identifier Field
The Identifier field is 1 byte long and is used to match responses to requests. If the RADIUS server receives, within a short time, a message with the same source IP address, the same source UDP port and the same Identifier as an earlier one, it treats it as a duplicate request.
2.4 Length Field
The Length field is 2 bytes long and gives the effective length of the whole message. Bytes received beyond the Length value are treated as padding and are ignored on receipt. If the received message is shorter than the value in the Length field, the whole message is discarded. The valid range of the Length field is 20 to 4096.
2.5 Authenticator
The Authenticator field is 16 bytes long. It is used to verify the validity of messages between the RADIUS client and server, and it is also an input to the password-hiding algorithm.
Access-Request Authenticator
The Authenticator in an Access-Request packet is a 16-byte random number called the Request Authenticator. Its value must be unpredictable and unique over the lifetime of a shared secret.
Access Response Authenticator
The Authenticator in Access-Accept, Access-Reject and Access-Challenge packets is called the Response Authenticator. Its value is defined as MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret), where RequestAuth is the Request Authenticator of the Access-Request being answered.
Accounting-Request Authenticator
In an Accounting-Request packet the Authenticator field is called the Accounting Request Authenticator. It is a 16-byte MD5 checksum whose value is defined as MD5(Code + Identifier + Length + 16 zero octets + request attributes + shared secret).
Accounting-Response Authenticator
The Authenticator field in an Accounting-Response message is called the Accounting Response Authenticator. Its value is defined as MD5(Accounting-Response Code + Identifier + Length + the RequestAuthenticator field from the Accounting-Request packet being replied to + the response attributes + shared secret).
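As an added example (not code from the original page or from Ruijie), the following Python computes the Request, Response and Accounting-Request Authenticators defined above together with the User-Password hiding mentioned in the fundamentals section, and shows the check a client should perform on a response before trusting it; the shared secret and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4  # Code values, section 2.2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password (RFC 2865 5.2): XOR each 16-byte block of the null-padded
    password with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the trailing padding nulls are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Encode (type, value) pairs as Type | Length | Value, Length covering all three."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code | Identifier | Length | Authenticator(16) | Attributes; Length is the whole packet."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret), section 2.5."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def accounting_request_authenticator(ident, attrs, secret) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret), section 2.5."""
    return hashlib.md5(build_packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check before acting on Access-Accept/Reject/Challenge: recompute the
    Response Authenticator over the received bytes and compare in constant time."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

A NAS that skips verify_response will accept a forged Access-Accept from anyone who can spoof the server's UDP source address, which is why the Request Authenticator must be random and the secret must stay off the wire.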
2.6 Attributes Field
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
The Attributes field is variable in length: it is a chain of attributes made up of the required and optional attributes for the message type. Each attribute consists of the following three parts:
2.6.1 Type field
The Type field is 1 byte long. A RADIUS server or client may ignore an attribute whose Type it does not recognise. Commonly used attribute types are listed in RFC 2865 and RFC 2866.
2.6.2 Length Field
The Length field is 1 byte long and gives the total length of the attribute, including the Type, Length and Value fields. If an authentication request message carries an attribute with an invalid Length, an Access-Reject message must be sent in response; if an access response message contains an attribute with an invalid Length, the message must either be discarded or treated as an Access-Reject.
2.6.3 Value Field
The Value field consists of zero or more bytes carrying the attribute's detailed information; its format is determined by the attribute's Type and Length. Note that no RADIUS value type is terminated by a null (hex 00): there is no terminator in the Value field, and both server and client must be able to handle embedded nulls.
The data type of the Value field is one of the following five types; the "text" type is a subset of the "string" type:
- text: 1-253 bytes long
- string: 1-253 bytes long; may contain binary data
- address: 4 bytes, most significant octet first
- integer: 4-byte unsigned number, most significant octet first
- time: 4-byte unsigned number, most significant octet first, giving the number of seconds since 00:00:00 UTC on 1 January 1970
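As an added example (not from the original page or the Rg-sam product), this Python parser applies the rules from sections 2.2 to 2.6 to a received datagram: an invalid Code or Length causes a discard, bytes beyond Length are ignored, an attribute with an invalid Length raises an error the caller can turn into an Access-Reject, embedded nulls in text values are preserved, and the five Value data types are decoded. The attribute table is a small constructed subset of RFC 2865.

```python
import ipaddress
import struct
from datetime import datetime, timezone

VALID_CODES = {1, 2, 3, 4, 5, 11, 12, 13, 65, 66, 67, 255}  # Code values, section 2.2
# Constructed subset of RFC 2865 attribute types with their Value data types (section 2.6.3)
ATTR_TYPES = {1: ("User-Name", "text"), 2: ("User-Password", "string"),
              4: ("NAS-IP-Address", "address"), 5: ("NAS-Port", "integer"),
              55: ("Event-Timestamp", "time")}


class RadiusFormatError(ValueError):
    """The packet must be discarded (or, for a request, answered with Access-Reject)."""


def decode_value(kind: str, raw: bytes):
    if kind == "address":  # 4 bytes, most significant octet first
        return str(ipaddress.IPv4Address(raw))
    if kind == "integer":  # 4-byte unsigned, most significant octet first
        return struct.unpack("!I", raw)[0]
    if kind == "time":  # seconds since 00:00:00 UTC, 1 January 1970
        return datetime.fromtimestamp(struct.unpack("!I", raw)[0], tz=timezone.utc)
    if kind == "text":  # embedded nulls are legal and are kept as-is
        return raw.decode("utf-8")
    return raw


def parse_packet(datagram: bytes) -> dict:
    """Parse one UDP datagram, applying the checks from sections 2.2 to 2.6."""
    if len(datagram) < 20:
        raise RadiusFormatError("shorter than the 20-byte header: discard")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in VALID_CODES:
        raise RadiusFormatError(f"invalid Code {code}: discard")
    if not 20 <= length <= 4096:
        raise RadiusFormatError(f"Length {length} outside 20..4096: discard")
    if len(datagram) < length:
        raise RadiusFormatError("datagram shorter than its Length field: discard")
    body, attrs, pos = datagram[20:length], [], 0  # bytes past Length are padding
    while pos < len(body):
        # Attribute Length must be at least 2 and must not run past the message
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise RadiusFormatError(f"invalid attribute Length at offset {pos}")
        a_type, a_len = body[pos], body[pos + 1]
        name, kind = ATTR_TYPES.get(a_type, (f"Unknown-{a_type}", "string"))
        raw = body[pos + 2:pos + a_len]
        if kind in ("address", "integer", "time") and len(raw) != 4:
            raise RadiusFormatError(f"{name} Value must be 4 bytes, got {len(raw)}")
        attrs.append((name, decode_value(kind, raw)))
        pos += a_len
    return {"code": code, "identifier": ident, "length": length,
            "authenticator": datagram[4:20], "attributes": attrs}
```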
RADIUS Message Parsing