The document discusses AAA (authentication, authorization, and accounting) support provided by the RADIUS and Diameter protocols. RADIUS is a client-server protocol that allows centralization of AAA management and provides security. It uses passwords or one-time tokens to authenticate users. Diameter is the successor to RADIUS and is more secure and reliable with peer-to-peer capabilities. Both protocols are used to authenticate users, authorize access to resources, and track resource usage for billing purposes.
The document discusses AAA (authentication, authorization, and accounting) support provided by the RADIUS and Diameter protocols. RADIUS is a client-server protocol that allows centralization of AAA management and provides security. It uses passwords or one-time tokens to authenticate users. Diameter is the successor to RADIUS and is more secure and reliable with peer-to-peer capabilities. Both protocols are used to authenticate users, authorize access to resources, and track resource usage for billing purposes.
The document discusses AAA (authentication, authorization, and accounting) support provided by the RADIUS and Diameter protocols. RADIUS is a client-server protocol that allows centralization of AAA management and provides security. It uses passwords or one-time tokens to authenticate users. Diameter is the successor to RADIUS and is more secure and reliable with peer-to-peer capabilities. Both protocols are used to authenticate users, authorize access to resources, and track resource usage for billing purposes.
The document discusses AAA (authentication, authorization, and accounting) support provided by the RADIUS and Diameter protocols. RADIUS is a client-server protocol that allows centralization of AAA management and provides security. It uses passwords or one-time tokens to authenticate users. Diameter is the successor to RADIUS and is more secure and reliable with peer-to-peer capabilities. Both protocols are used to authenticate users, authorize access to resources, and track resource usage for billing purposes.
1. Authentication, Authorization and Accounting (AAA).
2. AAA Services, Protocols and Architecture.
3. RADIUS Protocol.
4. Diameter Protocol.
5. Comparison of RADIUS and Diameter Protocol.
6. Applications of RADIUS and Diameter Protocol.
7. Summary.
8. Discussion Topic. Importance of Authentication, Authorization and Accounting (AAA) Authentication
Control user Identity
Credentials provided by the user to
prove his/her Id
Examples of credentials: 1.passwords. 2.one-time token. 3.digital certificates, 4.Or any other information related to the identity (e.g. biometric parameters.)
Authentication in Proxy Appliance 1. The User sends request (eg: www.yahoo.com) to Proxy Appliance.
2. The Proxy appliance (ProxySG Product of BlueCoat) initiates the process of
Authentication. The ProxySG appliance sends a credential challenge response to the user.
3. The user then sends the credential information.
4. The user data is sent to the Authentication Server for the purpose of verification.
5. After the verification process is successful, the user is then identified in the network.
6. The user request for the required website from internet.
7. The user gets response from the internet.
8. The gets the response and is able to access the desired resource. Authentication in Proxy Appliance contd
Source Url: https://www.bluecoat.com/sites/default/files/documents/files/Authentication,_ Authorization,_and_Accounting.4.pdf AAA Mechanism Authentication-based mechanisms : The user authentication information is used as precondition for the authorization process
Credential-based mechanisms: This method uses credential information which is a important and trustworthy information for the purpose of authorization.
The Accounting system performs the following essential tasks:
1. The system gathers or aggregates all data or information from
metering systems. 2. The system then stores this data in accounting system. AAA Protocols
RADIUS : The protocol carries AAA Information which helps to determine a
RADIUS Server and a RADIUS Client. This protocol is based on Client/Server Model and supports a wide range of users.
Diameter: This peer to peer protocol carries AAA information in a reliable
manner. This is more secured and reliable than Radius. This is a successor of Radius protocol and overcomes many limitations of Radius.
COPS: This stands for The Common Open Policy Service. This protocol deals with policy information.
SNMP: This stands for Simple Network Management Protocol. The accounting information or records are all transferred to MIB (Management Information Base) and it is sorted or classified there and finally stored. AAA Services
In the context of AAA services we have AAA server which is located
in an administrative domain.
Distributed Servers: 1. The goal of distributed servers is to provide authentication, authorization and accounting.
2.The server provides the authorization service by deciding
whether to grant or deny a request sent by the user
3. In case it grants access to the user, then it sets up a
authorization session and logs the session data. AAA Architecture The Architectural Components and their roles
There is an ASM (Application Specific Module) present in the architectural
framework of AAA.
The primary task of ASM is to enforce the policy actions.
The ASM accordingly configure the SE (Service Equipment) in order to
provide the necessary service .
The goal of the AAA server is to evaluate and determine the user requests based on the set of policies.
The policies which are used by the AAA server are all stored in the PR (Policy Repository). AAA Architecture contd
In order to determine the policy condition the AAA server sometimes
need to consult the other AAA servers.
This can be achieved by either sending requests to other AAA servers
or with the help of ASM.
Depending on different predefined policies a server can accordingly act
as an agent. AAA Architecture contd Remote Authentication Dial-in-User Service (RADIUS) It is a well know protocol and is widely practiced.
It is based on client/server model.
Some of the important functions of RADIUS are
1. centralized management 2. security.
The process of authentication is based on Server and Client concept.
The users send request to the server and the server authenticates the user against a central database.
If the authentication is successful then the user is granted access to the
The user initially establishes a connection with the Network Access Server (NAS). Step 1 in the figure in slide no: 23.
The NAS wants to authenticate the user on the network so it requests for user id or username and password. Step 2 in the figure in slide no: 23.
The user provides his/her credential information (User id or username and
password). Step 3 in the figure in slide no: 23.
The NAS then sends a Authentication Request Packet to the RADIUS Server for the purpose of authentication. Step 4 in the figure in slide no: 23. RADIUS Services Contd.
The Server then validates the user and sends a Authentication
Acknowledgement. Step 5 in the figure in slide no: 23.
The Server can either allow the user to access the desired network resource or deny the user from accessing the network resource.
Authorization: The RADIUS server is responsible for providing services
and privileges to only legitimate users. Protocols which help in authorization.
1. PPP 2. Telnet RADIUS Services Contd.
Accounting: This process is concerned with aggregating and storing
statistical information. The Accounting data consists of
1.time duration. 2. packet and bytes send and received.
The Radius Clients sends request to Accounting Server and accordingly
the server responds with statistic data. RADIUS Services Contd.
Authorization,_and_Accounting.4.pdf RADIUS Standards RADIUS initially came into picture in January 1997 by the Lucent Technologies.
It is one of the IETF (Internet Engineering Task Force) standard.
The second generation of RADIUS standard (Standards RFC2138 and
RFC 2139) was developed in the year April 1997.
In June 2000 the third generation of RADIUS came into the market (standards- RFC2865 and RFC2866) RADIUS Security
The user identification and passwords which are sent during
the authentication process from the NAS to the RADIUS Server are always encrypted. This encryption is achieved by using several hashing algorithms like MD5
It is very important to have security else confidential
information about users will be revealed and malicious users will be able to access the network resources by extracting these confidential information. Diameter Protocol The Diameter protocol is strong, reliable and secured protocol which provides Authentication, Authorization and Accounting for computer networks.
The Diameter protocol provides functionalities like Error Handling,
Capability Negotiation and maintaining user sessions and accounting.
The data which is delivered by this protocol is always in form of AVP
(Attribute Value Pair). AVP carries AAA information which is needed to from Server to Client.
The AVP also plays an important role in routing and redirecting the Diameter messages.
The Diameter protocol provides secured data transfer without packet
loss. This is achieved through the reliable TCP Diameter Protocol Contd..
The Diameter protocol supports several agents like relays, proxies etc.
The relay agents are responsible for routing the diameter messages which contain user information from one node to another
The Diameter protocol helps to establish and maintain session between the server and the client at the application level.
In case of Diameter protocol the servers and the clients have the authority to know each others capability Protocol Description The Diameter packet consists of header part and several AVPs.
Version field indicates the version of the Diameter protocol.
Flag field has several flags each of them have a specific meaning and functionality.
1. R bit which stands for request bit. If it is set the message is a request send from client to server and if it is off then the message is an answer.
2.There is P bit, if this bit is set then the message is either redirected or routed else the message is locally processed.
3. E bit ,if this particular bit is set then there is protocol error in message and these messages are then referred as error messages.
4. T bit ,if this bit is set it indicates duplicate requests.
The Diameter protocol establishes or initiates a session with
the help of a message which has Auth-Session-State set to STATE-MAINTAINED.
The server when receives this message it does not release
any resources from the network until the session terminates. The server also maintains the state of the session.
The messages which are transmitted from client to server
should have a unique session id and must have the same session id for one particular session.
A particular session can initiate a child session also referred
as sub session and in the same manner a multi session can also be established. Session Management Contd..
There are two types of Diameter session.
1. The authorization session: This is used for The former is used
for authentication and authorization.
2. Accounting session. This is used for accounting purpose.
The Diameter session can be stateful session or a stateless session.
This highly depends on the application, whether the application wants to
maintain the session for a certain duration or not. Comparison of RADIUS and Diameter Protocol RADIUS Protocol Diameter Protocol
1. Radius Server can not initiate 1.The Diameter Server can initiate message. messages. 2.Radius uses UDP for packet 2. Diameter uses TCP for data transfer,less secure. transmission,more secured. 3.The scalability is less. 3.The scalability is more compared to Radius. 4.This protocol do not support 4.This Protocol supports capability capability negotiation. negotiation. 5.In context of version compatibility 5.The Diameter nodes are capable to the Radius has poor performance. know each others version number. 6.The Radius Server can not demand 6.The Diameter server can demand for for reauthentication or reauthorization. reauthentication or reauthorizatio. 7.The Radius is less reliable. 7.The Diameter is more reliable. Comparison of RADIUS and Diameter Protocol contd
RADIUS Protocol Diameter Protocol
8. This protocol do not provide end to 8.The Diameter provides end to end end authentication. authentication. 9.Radius has offline states.No state 9.The Diameter has authentication information is maintained. and authorization states. Applications of RADIUS and Diameter RADIUS Protocol Diameter Protocol
1.Credit Control application.
1. ISP.
2.Email Services. 2.Mobile IPV4 application.
3.VPN (Virtual Private
Network). 3.Network Access Server application. 4.DSL.
5.Web servers.
6.Modems. Summary Usage of AAA.
RADIUS protocol, it implements AAA to provide security to RADIUS
clients and servers.
Diameter protocol to be much more robust, secure and reliable
protocol which implements the AAA.
The Diameter is a peer to peer protocol which maintains session
states, has capability negotiation and error handling mechanism. Discussion Topic Discussion Topic 1
1. The Necessity of Authentication, Authorization and Accounting?
Discussion Topic 2
2. Do AAA serves perfectly? If Limitations then what are the limitation?
Discussion Topic 3
3. Which Protocol is preferable among RADIUS and Diameter?
