RADIUS presentation by Sunil Vallamkonda, Oct. 25, 2006


Upload: adrian-preston

Post on 23-Dec-2015

RADIUS

Sunil Vallamkonda

Oct. 25, 2006

What is AAA?

• Authentication

• Authorization

• Accounting

Authentication

• Verify a person’s or machine’s declared identity.

• Mechanisms: passwords, PKI.

• Key aspect is Trust relationships between servers.

Authorization

• Rules or templates on what an authenticated user can do on a system.

• Dial up user requests can be one link or multiple.

Accounting

• Measures and tracks resources a user accesses.

• Includes time, amount of data, session statistics, resource utilization, etc.

• Logs sent and analyzed for billing, security servers.

Properties

• Client/server model

• UDP based

• Hop by hop security

• Stateless

• Uses MD5 for password hiding.

• A-V pairs

• PAP/CHAP via PPP

Packet format

• ACCESS-REQUEST (1)

• ACCESS-RESPONSE (2)

• ACCESS-REJECT (3)

• ACCESS-CHALLENGE (11)

• ACCOUNTING-REQUEST (4)

• ACCOUNTING-RESPONSE (5)

• STATUS-SERVER (12)

• STATUS-CLIENT (13)

RADIUS Packet

• Header: Code (1), Identifier (1), Length (2), Authenticator (16), payload

• Code: as above

• Identifier: used to perform auto linking of initial requests and subsequent replies.

• Length: valid range: 20 – 4096.

• Authenticator: used to conceal passwords using one way MD5. Request (random number) / Response authenticators.
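
The header layout above, as an added example that is not part of the original slides: Python code that parses the 20-octet header, enforces the 20-4096 Length range, and checks a reply's Response Authenticator as defined in RFC 2865 (which names code 2 Access-Accept). The shared secret, Identifier and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MIN_LEN, MAX_LEN = 20, 4096  # valid Length range given on the slide


def parse_header(datagram: bytes):
    """Return (code, identifier, authenticator, attributes) or raise ValueError."""
    if len(datagram) < MIN_LEN:
        raise ValueError("datagram shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"Length field {length} outside 20-4096")
    if length > len(datagram):
        raise ValueError("Length field exceeds the received datagram")
    # Octets past Length are padding and are ignored (RFC 2865, section 3).
    return code, ident, datagram[4:20], datagram[20:length]


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, MIN_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply whose Authenticator binds it to the request."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, MIN_LEN + len(attrs)) + auth + attrs


def verify_reply(datagram, sent_ident, request_auth, secret):
    """Client side: accept a reply only if Identifier and Authenticator match."""
    try:
        code, ident, auth, attrs = parse_header(datagram)
    except ValueError:
        return False
    if ident != sent_ident:
        return False
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from the slides.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # use os.urandom(16) for a real request
    reply = build_reply(2, 7, b"", request_auth, secret)  # code 2, Identifier 7
    print(verify_reply(reply, 7, request_auth, secret))
    # Flipping the code to 3 (reject) without the secret breaks the Authenticator.
    print(verify_reply(bytes([3]) + reply[1:], 7, request_auth, secret))
```

A client that skips this check accepts any datagram that arrives on the right port with the right Identifier, which is why the Request Authenticator must be unpredictable.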

Packet formats

Packet formats

Access-Request/Accept Packet

Access-Reject

Authentication methods

• PAP: Password Authentication Protocol (MD5/XOR).

• CHAP: Challenge Access protocol: password is never sent on wire.

• PAP is preferred sometimes in cases where authorization must travel outside the realm of control
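
PAP hiding and the CHAP check as they are carried in RADIUS, as an added example that is not part of the original slides: User-Password hiding follows RFC 2865 section 5.2 and the CHAP response follows RFC 1994. The secret, challenge and passwords are constructed, and the function names are illustrative.

```python
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """PAP: XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth                  # first mask uses the Request Authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same masks recover the cleartext password."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password value must be 16-128 octets, multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")                     # strip the NUL padding


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP: MD5(identifier + password + challenge); the password never crosses the wire."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """CHAP-Password value is 1 octet of CHAP identifier plus the 16-octet response."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(chap_password[1:], expected)


if __name__ == "__main__":
    # Constructed values for illustration only.
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))
    hidden = hide_password(b"correct horse battery", secret, request_auth)
    print(len(hidden), reveal_password(hidden, secret, request_auth))
    challenge = bytes(range(16, 32))
    attr = bytes([5]) + chap_response(5, b"correct horse battery", challenge)
    print(verify_chap(attr, challenge, b"correct horse battery"))
```

The two functions show the trade-off: with PAP the server recovers the cleartext and can compare it against any stored form, while CHAP requires the server to hold the password itself in order to recompute the digest.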

The CHAP 3-way handshake

CHAP Security

Using RADIUS and CHAP

Realm

• Identifiers placed before or after values normally contained in User-Name attribute for server to identify which server to contact.

• Examples: prefix realm such as @, \,/ as CSI\john.

• Suffix realms as: james@itmm

Hints

• RADIUS can be set up to handle service authorizations based on hints.

• To control resources needed to provision service for client

• Example: specific IP address, IP pool.

• If NAS cannot allocate, service is disconnected.

• Can be temporary, optional or extra characteristics.

Attributes

• Describe a property of type of service.

• RADIUS attributes vs VSA.

• RADIUS attribute types (RFC):

– INT (4, 32 bit unsigned), ENUM (4, 32 bit unsigned), IPADDR (4, 32-bit), STRING (1-253, variable), DATE (4, 32-bit unsigned), BINARY (1, 1 bit).

• Examples:

– INT: 6, 256

– ENUM: 3 = callback-login, 4 = callback-Framed.

– STRING: “Charlotte”, “San Jose”

– IPADDR: 0x1954ff8e

– DATE: 0x00000a

– BINARY: 1

Attributes - example

Standard: Example – call back-number

Number: 19

Length: 3 or more octets

Value: String

Allowed in: Access-Request, Access-Accept

Prohibited in: Access-Reject, Access-Challenge

Maximum Iterations: 1

Presence in packet: not required

Dictionary

• Server machines have a way of relating which attribute corresponds to which attribute number and expected type.

• Example:

– Attribute-Name: User-Name, Type: String

– Attribute-Name: NAS-IP-ADDR, Type: IPADDR

– Attribute-Name: Service-Type, Type: ENUM
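
A dictionary-driven attribute decoder for the attribute types and dictionary entries described above, as an added example that is not part of the original slides. The mini-dictionary is constructed (attribute numbers follow RFC 2865), the sample payload is constructed from values on the slides, and the function names are illustrative.

```python
import ipaddress
import struct

# Constructed mini-dictionary: attribute number -> (name, type).
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    6: ("Service-Type", "enum"),
    19: ("Callback-Number", "string"),
}
ENUMS = {"Service-Type": {3: "Callback-Login", 4: "Callback-Framed"}}


def decode_value(name: str, kind: str, raw: bytes):
    """Decode one value according to its dictionary type, checking its size."""
    if kind == "string":
        if not 1 <= len(raw) <= 253:
            raise ValueError(f"{name}: string must be 1-253 octets")
        return raw.decode("utf-8", errors="replace")
    if len(raw) != 4:
        raise ValueError(f"{name}: {kind} must be exactly 4 octets")
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    number = struct.unpack("!I", raw)[0]
    if kind == "enum":
        return ENUMS.get(name, {}).get(number, number)
    return number  # integer and date are both 32-bit unsigned


def parse_attributes(attrs: bytes):
    """Walk Type/Length/Value triples; Length counts its own 2 header octets."""
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        # Reject empty values and lengths that run past the end of the packet.
        if a_len < 3 or pos + a_len > len(attrs):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        raw = attrs[pos + 2:pos + a_len]
        name, kind = DICTIONARY.get(a_type, (f"Attr-{a_type}", "octets"))
        # Attributes missing from the dictionary are kept as raw octets.
        out.append((name, raw if kind == "octets" else decode_value(name, kind, raw)))
        pos += a_len
    return out


def avp(a_type: int, value: bytes) -> bytes:
    """Encode one attribute (helper for building the constructed sample)."""
    return bytes([a_type, len(value) + 2]) + value


# Constructed sample payload using values that appear on the slides.
SAMPLE = (
    avp(1, b"james@itmm")
    + avp(4, bytes.fromhex("1954ff8e"))
    + avp(6, struct.pack("!I", 3))
    + avp(19, b"5550100")
    + avp(250, b"\x01\x02")
)

if __name__ == "__main__":
    for name, value in parse_attributes(SAMPLE):
        print(f"{name} = {value!r}")
```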

AVP pattern

Accounting

• Client/Server model.

• Extensible: proxy, defined and qualified by AVPs.

• Packet: Accounting-Request Start/Stop.

• Accounting-Response.

Ports

• Authentication: udp/1812

• Accounting: udp/1813

Implementations

• Livingston

• GNU

• FreeRADIUS

• Cistron

• Radiator

• Alepo

• Juniper: Steel Belt.

Performance

• Logons per second

• Logoffs per second

• Rejects per second

• Reject cause threshold

• Total packets per second per interface

• Load average

• Memory, disk usage

EAP

• Extensible Authentication Protocol

• Used over links running on PPP

• Authentication schemes such as public key, smart cards, OTP, Kerberos etc. are supported over PPP when EAP is used.

• RADIUS includes 2 new attributes: EAP-Message and Message-Authenticator.

EAP architecture

User EAP Authentication Protocol (PAP, CHAP, MS-CHAP, etc.)

EAP

Inner Application Extension to TLS

TLS

EAP - TTLS

Carrier Protocol (PPP, EAPOL, RADIUS, etc)

User protocol : EAP layering

User EAP Authentication Protocol (MD-Challenge, etc.)

EAP

Inner Application extension to TLS

TLS

EAP - TTLS

EAP

Carrier Protocol (PPP, EAPOL, RADIUS, Diameter, etc)

802.1x

Port based authentication

• Why is it called "port"-based authentication? The Authenticator deals with controlled and uncontrolled ports. Both the controlled and the uncontrolled port are logical entities (virtual ports), but use the same physical connection to the LAN (same point of attachment).

Port based Auth

contd

• Figure port: The authorization state of the controlled port.

• Before authentication, only the uncontrolled port is "open". The only traffic allowed is EAPOL; see Authenticator System 1 on figure port. After the Supplicant has been authenticated, the controlled port is opened, and access to other LAN resources is granted; see Authenticator System 2 on figure port.

• 802.1X plays a major role in the new IEEE wireless standard 802.11i.

WEP

• Wired Equivalent Privacy (WEP), which is part of the original 802.11 standard, should provide confidentiality. Unfortunately WEP is poorly designed and easily cracked. There is no authentication mechanism, only a weak form of access control (must have the shared key to communicate).

• As a response to WEP's broken security, IEEE has come up with a new wireless security standard named 802.11i. 802.1X plays a major role in this new standard.

802.11

• The new security standard, 802.11i, which was ratified in June 2004, fixes all WEP weaknesses. It is divided into three main categories:

• Temporal Key Integrity Protocol (TKIP) is a short-term solution that fixes all WEP weaknesses. TKIP can be used with old 802.11 equipment (after a driver/firmware upgrade) and provides integrity and confidentiality.

• Counter Mode with CBC-MAC Protocol (CCMP) [RFC2610] is a new protocol, designed from the ground up. It uses AES [FIPS 197] as its cryptographic algorithm, and, since this is more CPU intensive than RC4 (used in WEP and TKIP), new 802.11 hardware may be required. Some drivers can implement CCMP in software. CCMP provides integrity and confidentiality.

• 802.1X Port-Based Network Access Control: Either when using TKIP or CCMP, 802.1X is used for authentication.

• In addition, an optional encryption method called "Wireless Robust Authentication Protocol" (WRAP) may be used instead of CCMP. WRAP was the original AES-based proposal for 802.11i, but was replaced by CCMP since it became plagued by property encumbrances. Support for WRAP is optional, but CCMP support is mandatory in 802.11i.

• 802.11i also has an extended key derivation/management.

802.1x

• 802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN.

• 802.1X authentication for wireless LANs has three main components: The supplicant (usually the client software); the authenticator (usually the access point); and the authentication server (usually a Remote Authentication Dial-In User Service server, although RADIUS is not specifically required by 802.1X).

802.1X and RADIUS

• Remote Authentication Dial-In User Service (RADIUS) is defined in [RFC2865] (with friends), and was primarily used by ISPs who authenticated username and password before the user got authorized to use the ISP's network.

• 802.1X does not specify what kind of back-end authentication server must be present, but RADIUS is the "de-facto" back-end authentication server used in 802.1X.

• There are not many AAA protocols available, but both RADIUS and DIAMETER [RFC3588] (including their extensions) conform to full AAA support. AAA stands for Authentication, Authorization, and Accounting (IETF's AAA Working Group

EAP methods

• EAP-MD5: MD5-Challenge requires username/password, and is equivalent to the PPP CHAP protocol [RFC1994]. This method does not provide dictionary attack resistance, mutual authentication, or key derivation, and has therefore little use in a wireless authentication environment.

• Lightweight EAP (LEAP): A username/password combination is sent to an Authentication Server (RADIUS) for authentication. LEAP is a proprietary protocol developed by Cisco, and is not considered secure. Cisco is phasing out LEAP in favor of PEAP. Ref: http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html

EAP- methods (contd)

• EAP-TLS: Creates a TLS session within EAP, between the Supplicant and the Authentication Server. Both the server and the client(s) need a valid (x509) certificate, and therefore a PKI. This method provides authentication both ways. EAP-TLS is described in [RFC2716].

• EAP-TTLS: Sets up an encrypted TLS-tunnel for safe transport of authentication data. Within the TLS tunnel, (any) other authentication methods may be used. Developed by Funk Software and Meetinghouse, and is currently an IETF draft.

Methods (contd)

• Protected EAP (PEAP): Uses, as EAP-TTLS, an encrypted TLS-tunnel. Supplicant certificates for both EAP-TTLS and EAP-PEAP are optional, but server (AS) certificates are required. Developed by Microsoft, Cisco, and RSA Security, and is currently an IETF draft.

• EAP-MSCHAPv2: Requires username/password, and is basically an EAP encapsulation of MS-CHAP-v2 [RFC2759]. Usually used inside of a PEAP-encrypted tunnel. Developed by Microsoft, and is currently an IETF draft.

Authentication methods

• The following authentication types are some of the methods which are supported by the server:

• Clear-text password in local configuration file (PAP)

• Encrypted password in local configuration file

• CHAP

• MS-CHAP

• MS-CHAPv2

• authentication to a Windows Domain Controller (via ntlm_auth and winbindd)

• Proxy to another RADIUS server

• System authentication. (usually through /etc/passwd )

• PAM (Pluggable Authentication Modules)

• LDAP (PAP only)

• PAM (PAP only)

• CRAM

• Perl program

• Python program

• SIP Digest (Cisco VOIP boxes)

Contd (methods)

• A locally executed program. (like a CGI program.)

• Netscape-MTA-MD5 encrypted passwords

• Kerberos authentication

• X9.9 authentication token (e.g. CRYPTOCard)

• EAP, with embedded authentication methods

– EAP-MD5,

– Cisco LEAP,

– EAP-MSCHAP-V2 (as implemented by Microsoft),

– EAP-GTC,

– EAP-SIM,

– EAP-TLS,

– EAP-TTLS, with any authentication protocol inside of the TLS tunnel,

– EAP-PEAP, with tunneled EAP

server attributes

• Append attributes to the request

• Re-write any attribute of the request

• Proxy or replicate the request to another RADIUS server, based on any criteria, not just '@realm'.

• Choose an authentication method to use for this user.

• Administer users by groups

• Implement time of day access restrictions

• Execute a local program

• Limit the number of simultaneous logins by the user

Typical server configuration

• Attributes which have a given value

• Attributes which do not have a given value

• Attributes which are in the request (independent of their value)

• Attributes which are not in the request

• String attributes which match a regular expression

• Integer attributes which match a range (e.g. <, >, <=, >=)

• Source IP address of the request. This can be different than the NAS-IP-Address attribute

• Group of NAS boxes. (These may be grouped based on Source IP address, NAS-IP-Address, or any other configuration)

• User-Name

• a DEFAULT configuration

• multiple DEFAULT configurations

Databases

• Oracle

• Informix

• Sybase

• mSQL

• MySQL

• Microsoft SQL including versions 6.5, 7 and 2000

• ODBC

• Interbase

• SAP

• PostgreSQL

• SQLite

Authorization methods

• Local files

• Local DB/DBM database

• LDAP

• A locally executed program. (like a CGI program.)

• Perl program

• Python program

• MySQL DB

• PostgreSQL DB

• Oracle SQL DB

• any IODBC SQL DB

• IBM's DB2

Accounting methods

• Local 'detail' files

• Local 'wtmp' and 'utmp' files

• Proxy to another RADIUS server

• Replicate to one or more RADIUS servers

• SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

Tools

• Users in LDAP database

• Users and Groups in SQL database (MySQL or PostgreSQL)

• Create, test, delete, change personal information, check accounting and change dialup settings for a user

• Accounting Report Generator

• Bad Users facility to keep a record of users creating problems

• Online finger facility, Test radius server

• Online Usage Statistics

• Perl, Python

• Configuration GUI

Other features

• Can optionally act as a TACACS+ server, converting TACACS+ requests into RADIUS requests

• Optional tunnelling of Radius requests using SOAP over HTTP or HTTPS for improved security.

• SNMP support for the IETF Radius Server MIB: gather server stats with SNMP

Features (contd)

• Web reports for usage analysis and user session details. Allows your administrators and customers to see usage information on a web page and drill down to connection details.

• Block authentication according to time of day and day of week, and force disconnection at the end of valid time blocks.

Token based

• Encotone telID

• RSA SecurID

• Safeword

• VASCO Digipass

Platforms

• Solaris

• Unix including Linux (Red Hat, Debian, Mandrake, SuSE, Lindows, Slackware, Ubuntu etc on Intel, Sparc, PPC, HP-PA etc), Solaris (Intel and Sparc), FreeBSD, NetBSD, SunOS, AIX, IRIX, SCO Open Server, Digital, HP-UX, etc

• Windows 95, 98, NT, 2000, ME, XP, 2003, etc.

• Mac OS9, Mac OS X.

• Novell Open Enterprise Server (NetWare) 6.5

• VMS

Third-party

• Billing packages: Platypus, Emerald, Billmax, interbiller, Jet-ISP billing, Optigold ISP.

• NAS: Alcatel DANA

• Altiga

• Apple AirPort

• Ascend (all models)

• Assured Access X1000

• Bay including RAC8000 and Annex Server 5399

• Breezecom

• Cisco routers and NAS's

• Cisco Aironet AP340 and AP350 wireless Access Points

• Cisco SSG and SESM

• Computone

• Enterasys SS2200, SSR8000 SSR8600

• Ericsson ACC

• Ericsson GSN

• GRIC AimTraveler

VSA

• USR/3COM

• Cisco (including VOIP)

• Nortel CVX 4-byte Vendor Specific Attributes, including the Vendor Specific boolean data type.

• Ascend

• Breezecom with broken VSA's

• Bay

• Shiva

• ACC

• Microsoft

• Shasta

• Springtide

• Altiga

• Redcreek

• Unisphere

• Extreme

• KarlNet

• Colubris

• Level3

• 3GPP2

• DTag (Deutsche Telekom)

• Nomadix

• Redback 64bit integers

References

• 2139/2866 (accounting)

• 2138/2865 (RADIUS)

• 2548 (MS-VSA)

• 2882 (NAS)

• 2869 (Extensions)

• 3162 (v6)

• 3579 (EAP)

• 3580 (802.1x)

References (contd)

• http://tools.ietf.org/wg/eap/draft-funk-eap-ttls-v1-01.txt

• http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx

• http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html

• http://www.wi-fiplanet.com/tutorials/article.php/3073201

Future

• Diameter: RFC3588

• IPv6 and RADIUS: RFC3162
