SlideShare a Scribd company logo

AAA in a nutshell

Mohamed Daif, profile picture
Mohamed Daif

This document discusses RADIUS, a protocol for authentication, authorization, and accounting. It describes key RADIUS features like its client/server model and extensibility. It explains how RADIUS operates, including how clients authenticate users and how servers can accept, reject, or challenge requests. The document also covers RADIUS accounting, shortcomings like lack of failover support, and how Diameter evolved from RADIUS to address some of these issues. It introduces SBR as a Juniper RADIUS product and describes its modular design and features like centralized management, proxy support, and 3GPP integration.

Technology
1 of 18
Downloaded 123 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
RADIUS SBR in a nutshell
Outline ● AAA. ● Radius Key Features. ● Radius Operation. ● Accounting. ● SBR. ● Future.
AAA ● Architecture. ● Distributed Systems. ● ● Authentication, Authorization and Accounting. Radius, Diameter.
Radius – Key Features ● Client/Server Model. ● Network Security. ● Extensibility (TLVs). ● Flexible Authentication.
Radius Operation ● User presents auth info to client. ● Client sends “message” to Server. ● Can load-balance servers. ● Server validates the shared secret. ● ● ● Radius server consults DB when receiving the request. Server can “accept”, “reject”, “challenge” the user. If all conditions are met, server sends a list of configuration values (like IP address, MTU, .. etc) to the user in the response.
Challenge ● ● Used with devices such as smart cards. Unpredictable number to the user, encryption, giving back the result.
Proxy With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy.  A common use for proxy RADIUS is roaming. The choice of which server receives the forwarded request SHOULD be based on the authentication "realm". 
UDP ● ● ● ● Retransmission timers are required. The timing requirements of this particular protocol are significantly different than TCP provides. The stateless nature of this protocol simplifies the use of UDP. UDP simplifies the server implementation.
Radius Packet
Radius Packet – Code Field The Code field is one octet, and identifies the type of RADIUS packet. RADIUS Codes (decimal) are assigned as follows: 1 Access-Request 2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server (experimental) 13 Status-Client (experimental) 255 Reserved
Radius Packet – Identifier Field ● ● Aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
Radius Packet – Authenticator Field ● This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm. ● Request Authenticator and Response Authenticator.
Radius Packet – Attributes ● RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply. 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type ….
Radius Accounting ● ● ● ● Client generates an Accounting start packet to accounting server. Server acknowledges reception of the packet. At the end of the service, client generates a stop packet. Server acknowledges reception of the packet.
Radius shortcomings ● Doesn't define fail-over mechanisms. ● Does not provide support for per-packet confidentiality. ● ● ● ● ● In Accounting it assumes that replay protection is provided by the backend server not the protocol. Doesn't Define re-transmission (UDP), which is a major issue in accounting. does not provide for explicit support for agents, including proxies, redirects, and relays. Server-initiated messages are optional. RADIUS does not support error messages, capability negotiation, or a mandatory/non-mandatory flag for attributes.
Diameter ● It evolved from and replaces RADIUS protocol. ● Ability to exchange messages and deliver AVPs. ● Capabilities negotiation. ● Error notification. ● ● Extensibility, required in [RFC2989], through addition of new applications, commands, and AVPs Basic services necessary for applications, such as the handling of user sessions or accounting
SBR ● ● ● ● A Juniper Radius product. Delivers a total authentication, authorization, and accounting (AAA) solution on the scale required by Internet service providers and carriers. Provides data services for wireline, wireless carriers. Modular design that supports add-on functionality to meet your specific site requirements (SIM, CDMA, WiMAX, Session Control Module).
SBR - Features ● ● ● ● Centralized management of user access control and security simplifies access administration. powerful proxy RADIUS features enable to easily distribute authentication and accounting requests to the appropriate RADIUS server for processing. External authentication features enable you to authenticate against multiple, redundant Structured Query Language (SQL) or Lightweight Directory Access Protocol (LDAP) databases according to configurable load balancing and retry strategies. ● Support for a wide variety of 802.1X-compliant access points and other network access servers. ● You can define user’s allowed access hours ● Multiple management interfaces (GUI, LCI, CLI, XML/HTTPS, SNMP). ● 3GPP support facilitates the management of mobile sessions and their associated resources

More Related Content

PPT
RADIUS
amogh_ubale
 
PPT
Implementing Cisco AAA
dkaya
 
PPTX
Radius server,PAP and CHAP Protocols
Dhananjay Aloorkar
 
PDF
AAA & RADIUS Protocols
Peter R. Egli
 
PPT
Radiojungle AAA RADIUS introduction
smoscato
 
PPT
Radius1
balamurugan.k Kalibalamurugan
 
PDF
The Three Musketeers (Authentication, Authorization, Accounting)
Sarah Conway
 
PDF
radius dhcp dot1.x (802.1x)
rinnocente
 
RADIUS
amogh_ubale
 
Implementing Cisco AAA
dkaya
 
Radius server,PAP and CHAP Protocols
Dhananjay Aloorkar
 
AAA & RADIUS Protocols
Peter R. Egli
 
Radiojungle AAA RADIUS introduction
smoscato
 
Radius1
balamurugan.k Kalibalamurugan
 
The Three Musketeers (Authentication, Authorization, Accounting)
Sarah Conway
 
radius dhcp dot1.x (802.1x)
rinnocente
 

What's hot (20)

PDF
Radius Protocol
Netwax Lab
 
PDF
AAA Protocol
Netwax Lab
 
PDF
Cisco acs configuration guide
RichardsCCNA
 
PDF
Radius vs. Tacacs+
Netwax Lab
 
PDF
TACACS Protocol
Netwax Lab
 
PPT
Design and Performance Optimization of Authentication, Authorization, and Acc...
saidzaghloul
 
PDF
Tacacs
1 2d
 
PDF
EAP-TLS
Karri Huhtanen
 
PDF
Routing host certificates in eduroam/govroam
Karri Huhtanen
 
PPT
Implementing 802.1x Authentication
dkaya
 
PDF
EAP-TLS (extended version)
Karri Huhtanen
 
PDF
TLS and Certificates
Karri Huhtanen
 
PPT
10215 A 14
Juanchi_43
 
PDF
Security issues in RADIUS based Wi-Fi AAA
Karri Huhtanen
 
PDF
At8000 s configurando_8021x
NetPlus
 
PPTX
Security
Akram Salih
 
PDF
Managing HotSpot Clients With FreeRadius
Dashamir Hoxha
 
PPTX
802.1x Authentication Standard
Dan Miller
 
PDF
802.1x Implementation Plan for Seacoast
Sithideth Banavong
 
PPTX
PIW ISE best practices
Sergey Kucherenko
 
Radius Protocol
Netwax Lab
 
AAA Protocol
Netwax Lab
 
Cisco acs configuration guide
RichardsCCNA
 
Radius vs. Tacacs+
Netwax Lab
 
TACACS Protocol
Netwax Lab
 
Design and Performance Optimization of Authentication, Authorization, and Acc...
saidzaghloul
 
Tacacs
1 2d
 
EAP-TLS
Karri Huhtanen
 
Routing host certificates in eduroam/govroam
Karri Huhtanen
 
Implementing 802.1x Authentication
dkaya
 
EAP-TLS (extended version)
Karri Huhtanen
 
TLS and Certificates
Karri Huhtanen
 
10215 A 14
Juanchi_43
 
Security issues in RADIUS based Wi-Fi AAA
Karri Huhtanen
 
At8000 s configurando_8021x
NetPlus
 
Security
Akram Salih
 
Managing HotSpot Clients With FreeRadius
Dashamir Hoxha
 
802.1x Authentication Standard
Dan Miller
 
802.1x Implementation Plan for Seacoast
Sithideth Banavong
 
PIW ISE best practices
Sergey Kucherenko
 
Ad

Viewers also liked (18)

PPTX
Authentication, authorization, accounting(aaa) slides
rahul kundu
 
PPTX
Authentication and Authorization in Asp.Net
Shivanand Arur
 
PPT
CCNA Security 06- AAA
Ahmed Habib
 
PPTX
Introduction to Diameter Protocol - Part1
Basim Aly (JNCIP-SP, JNCIP-ENT)
 
PPTX
Diameter Presentation
Beny Haddad
 
PPT
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
gueste4e93e3
 
PPT
Granite Introduction 11
tnorenberg
 
PPTX
Stylish Bathroom Accessories
Business Services Week
 
PPTX
NoSQL Databases for Implementing Data Services – Should I Care?
Guido Schmutz
 
PPT
Acit Mumbai - understanding vpns
Sleek International
 
PPT
Telecordia Ims Presentation Expections And Challenges
Jeanne Rog
 
PPTX
Capturing Network Traffic into Database
Tigran Tsaturyan
 
PPT
CCNA Security 07-Securing the local area network
Ahmed Habib
 
PPTX
Wireshar training
Luke Luo
 
PPTX
Convert Wireshark PCAP Files to Sequence Diagrams
EventHelix.com Inc.
 
PDF
Identity Services Engine Overview and Update
Cisco Canada
 
PDF
Demystifying TrustSec, Identity, NAC and ISE
Cisco Canada
 
PPT
CCNA Security - Chapter 3
Irsandi Hasan
 
Authentication, authorization, accounting(aaa) slides
rahul kundu
 
Authentication and Authorization in Asp.Net
Shivanand Arur
 
CCNA Security 06- AAA
Ahmed Habib
 
Introduction to Diameter Protocol - Part1
Basim Aly (JNCIP-SP, JNCIP-ENT)
 
Diameter Presentation
Beny Haddad
 
The Future of Identity in the Cloud: Requirements, Risks and Opportunities - ...
gueste4e93e3
 
Granite Introduction 11
tnorenberg
 
Stylish Bathroom Accessories
Business Services Week
 
NoSQL Databases for Implementing Data Services – Should I Care?
Guido Schmutz
 
Acit Mumbai - understanding vpns
Sleek International
 
Telecordia Ims Presentation Expections And Challenges
Jeanne Rog
 
Capturing Network Traffic into Database
Tigran Tsaturyan
 
CCNA Security 07-Securing the local area network
Ahmed Habib
 
Wireshar training
Luke Luo
 
Convert Wireshark PCAP Files to Sequence Diagrams
EventHelix.com Inc.
 
Identity Services Engine Overview and Update
Cisco Canada
 
Demystifying TrustSec, Identity, NAC and ISE
Cisco Canada
 
CCNA Security - Chapter 3
Irsandi Hasan
 
Ad

Similar to AAA in a nutshell (20)

PPTX
08 WLAN Network Admission Control (NAC).pptx
VannakSovannroth
 
PDF
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
Karri Huhtanen
 
PDF
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
Radiator Software
 
DOC
Tutorial radius client mikrotik
Adi Utami
 
PDF
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
Radiator Software
 
DOCX
AAA server
hetvi naik
 
PDF
SIM Authentication Architectures and Interfaces
Radiator Software
 
PDF
Introduction to DIAMETER
Hossein Yavari
 
PDF
SIM Authentication Architectures and Interfaces
Karri Huhtanen
 
PPTX
AAA Best Practices
Sagar Gor
 
DOCX
RADIUS provides three services- authentication- authorization- and acc.docx
acarolyn
 
PDF
Radius client
dhenis1
 
PPT
RSASecureID.ppt
PepeMartin23
 
PPT
RSASecureID (2).ppt
PepeMartin23
 
PPTX
TekRADIUS
Yasin KAPLAN
 
PPTX
TekRADIUS
Yasin KAPLAN
 
PDF
Les fonctionnalites mariadb
lemugfr
 
PDF
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Karri Huhtanen
 
PPTX
WiFi Hotspot Password
Maryam Namira
 
PPTX
Adapting to evolving user, security, and business needs with aruba clear pass
Aruba, a Hewlett Packard Enterprise company
 
08 WLAN Network Admission Control (NAC).pptx
VannakSovannroth
 
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
Karri Huhtanen
 
RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure
Radiator Software
 
Tutorial radius client mikrotik
Adi Utami
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
Radiator Software
 
AAA server
hetvi naik
 
SIM Authentication Architectures and Interfaces
Radiator Software
 
Introduction to DIAMETER
Hossein Yavari
 
SIM Authentication Architectures and Interfaces
Karri Huhtanen
 
AAA Best Practices
Sagar Gor
 
RADIUS provides three services- authentication- authorization- and acc.docx
acarolyn
 
Radius client
dhenis1
 
RSASecureID.ppt
PepeMartin23
 
RSASecureID (2).ppt
PepeMartin23
 
TekRADIUS
Yasin KAPLAN
 
TekRADIUS
Yasin KAPLAN
 
Les fonctionnalites mariadb
lemugfr
 
Disobey 2024: Karri Huhtanen: Wi-Fi Roaming Security and Privacy
Karri Huhtanen
 
WiFi Hotspot Password
Maryam Namira
 
Adapting to evolving user, security, and business needs with aruba clear pass
Aruba, a Hewlett Packard Enterprise company
 

Recently uploaded (20)

PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Teaching material agriculture food technology
LiaRayya
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Approach and Philosophy of On baking technology
30anthuong17
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KodekX | Application Modernization Development
KodekX
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 

AAA in a nutshell

  • 1. RADIUS SBR in a nutshell
  • 2. Outline ● AAA. ● Radius Key Features. ● Radius Operation. ● Accounting. ● SBR. ● Future.
  • 4. Radius – Key Features ● Client/Server Model. ● Network Security. ● Extensibility (TLVs). ● Flexible Authentication.
  • 5. Radius Operation ● User presents auth info to client. ● Client sends “message” to Server. ● Can load-balance servers. ● Server validates the shared secret. ● ● ● Radius server consults DB when receiving the request. Server can “accept”, “reject”, “challenge” the user. If all conditions are met, server sends a list of configuration values (like IP address, MTU, .. etc) to the user in the response.
  • 6. Challenge ● ● Used with devices such as smart cards. Unpredictable number to the user, encryption, giving back the result.
  • 7. Proxy With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy.  A common use for proxy RADIUS is roaming. The choice of which server receives the forwarded request SHOULD be based on the authentication "realm". 
  • 8. UDP ● ● ● ● Retransmission timers are required. The timing requirements of this particular protocol are significantly different than TCP provides. The stateless nature of this protocol simplifies the use of UDP. UDP simplifies the server implementation.
  • 10. Radius Packet – Code Field The Code field is one octet, and identifies the type of RADIUS packet. RADIUS Codes (decimal) are assigned as follows: 1 Access-Request 2 Access-Accept 3 Access-Reject 4 Accounting-Request 5 Accounting-Response 11 Access-Challenge 12 Status-Server (experimental) 13 Status-Client (experimental) 255 Reserved
  • 11. Radius Packet – Identifier Field ● ● Aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
  • 12. Radius Packet – Authenticator Field ● This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm. ● Request Authenticator and Response Authenticator.
  • 13. Radius Packet – Attributes ● RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply. 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type ….
  • 14. Radius Accounting ● ● ● ● Client generates an Accounting start packet to accounting server. Server acknowledges reception of the packet. At the end of the service, client generates a stop packet. Server acknowledges reception of the packet.
  • 15. Radius shortcomings ● Doesn't define fail-over mechanisms. ● Does not provide support for per-packet confidentiality. ● ● ● ● ● In Accounting it assumes that replay protection is provided by the backend server not the protocol. Doesn't Define re-transmission (UDP), which is a major issue in accounting. does not provide for explicit support for agents, including proxies, redirects, and relays. Server-initiated messages are optional. RADIUS does not support error messages, capability negotiation, or a mandatory/non-mandatory flag for attributes.
  • 16. Diameter ● It evolved from and replaces RADIUS protocol. ● Ability to exchange messages and deliver AVPs. ● Capabilities negotiation. ● Error notification. ● ● Extensibility, required in [RFC2989], through addition of new applications, commands, and AVPs Basic services necessary for applications, such as the handling of user sessions or accounting
  • 17. SBR ● ● ● ● A Juniper Radius product. Delivers a total authentication, authorization, and accounting (AAA) solution on the scale required by Internet service providers and carriers. Provides data services for wireline, wireless carriers. Modular design that supports add-on functionality to meet your specific site requirements (SIM, CDMA, WiMAX, Session Control Module).
  • 18. SBR - Features ● ● ● ● Centralized management of user access control and security simplifies access administration. powerful proxy RADIUS features enable to easily distribute authentication and accounting requests to the appropriate RADIUS server for processing. External authentication features enable you to authenticate against multiple, redundant Structured Query Language (SQL) or Lightweight Directory Access Protocol (LDAP) databases according to configurable load balancing and retry strategies. ● Support for a wide variety of 802.1X-compliant access points and other network access servers. ● You can define user’s allowed access hours ● Multiple management interfaces (GUI, LCI, CLI, XML/HTTPS, SNMP). ● 3GPP support facilitates the management of mobile sessions and their associated resources