Authentication,
Authorization,
Accounting (AAA)
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
Audio/Video recordings of this lecture are available at:
http://www.cse.wustl.edu/~jain/cse571-09/
Washington University in St. Louis CSE571S ©2009 Raj Jain
18-1
Overview
RADIUS
Authentication Protocols: PAP, CHAP, MS-CHAP
Extensible Authentication Protocol (EAP)
EAP Upper Layer Protocols
802.1X
RADIUS
Remote Authentication Dial-In User Service
Central point for Authentication, Authorization, and Accounting data
⇒ AAA server
Network Access Servers (NAS) forward the user's credentials to the
RADIUS server and act on its accept/reject decision
Allows RADIUS Proxy Servers ⇒ ISP roaming alliances
Uses UDP: in case of server failure, the request must be re-sent
to a backup server ⇒ application-level retransmission (timeouts
and retries) required; TCP would take too long to indicate failure
[Figure: Remote User → Customer Access Network → Network Access Server → RADIUS Proxy Server → ISP Net → RADIUS Server]
RADIUS Messages
Network Access Server                         Authentication Server
  Username   --- Access-Request --->
             <-- Access-Challenge ---         Challenge
  Response   --- Access-Request --->
             <-- Access-Accept ----           OK
Four Core Messages: Request, Challenge, Accept, Reject.
Message Format: Code is the message type.
Identifier is used to match request/response.
Length covers the whole packet; Authenticator is a random value in
requests and an MD5 digest over the reply plus the shared secret in
responses; Attributes are type-length-value fields.
Code | Identifier | Length | Authenticator | Attributes
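The packet layout and the four-message exchange on this slide, as an added example that is not part of the lecture: a minimal RADIUS Access-Request / Access-Challenge / Access-Accept round trip in Python following RFC 2865 (User-Password hiding with MD5, Response Authenticator check, Identifier matching). The shared secret, the user database, the State value and the reply strings are constructed for the example; the toy server only accepts a password in the round that follows its own Challenge.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed sample data (not from the lecture): shared secret and user database.
SECRET = b"s3cr3t-shared"
USER_DB = {b"alice": b"correct horse battery"}


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): pad to a 16-byte multiple, XOR each
    chunk with MD5(secret + previous ciphertext chunk). The first chunk is keyed
    by the Request Authenticator, which is why that value must be unpredictable."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; trailing NUL padding is dropped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, counts type+length+value) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):  # a zero length would loop forever; a long one overruns
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; Length is the whole packet."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    attr_bytes = pkt[20:length]  # octets beyond Length are padding and are ignored
    return code, identifier, pkt[4:20], attr_bytes, decode_attrs(attr_bytes)


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def make_access_request(identifier, attrs, rand=os.urandom):
    """NAS side: fresh random Request Authenticator per request; passwords are hidden under it."""
    request_auth = rand(16)
    hidden = [(t, hide_password(v, SECRET, request_auth) if t == USER_PASSWORD else v) for t, v in attrs]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, encode_attrs(hidden)), request_auth


def server_handle(pkt):
    """Toy server: no password yet -> Access-Challenge carrying State; password with the
    echoed State -> Accept or Reject. Every reply is signed with the Response Authenticator."""
    code, identifier, request_auth, _, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("server only handles Access-Request")
    a = dict(attrs)
    if USER_PASSWORD not in a:
        rcode, rattrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Password:"), (STATE, b"round-2")]
    elif a.get(STATE) == b"round-2" and USER_DB.get(a.get(USER_NAME)) == reveal_password(
            a[USER_PASSWORD], SECRET, request_auth):
        rcode, rattrs = ACCESS_ACCEPT, [(REPLY_MESSAGE, b"Welcome")]
    else:
        rcode, rattrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Denied")]
    rattrs = encode_attrs(rattrs)
    auth = response_authenticator(rcode, identifier, request_auth, rattrs, SECRET)
    return build_packet(rcode, identifier, auth, rattrs)


def client_verify(reply, identifier, request_auth):
    """NAS side: Identifier must match the outstanding request and the Response Authenticator
    must verify (constant-time compare). Returns (code, attrs) or None for a bogus reply."""
    code, rid, resp_auth, attr_bytes, attrs = parse_packet(reply)
    if rid != identifier:
        return None
    expected = response_authenticator(code, rid, request_auth, attr_bytes, SECRET)
    if not hmac.compare_digest(resp_auth, expected):
        return None
    return code, dict(attrs)


def challenge_flow(username, password, rand=os.urandom):
    """Walk the exchange from the slide (Username -> Challenge -> Response -> OK); returns reply codes."""
    codes = []
    pkt, ra = make_access_request(1, [(USER_NAME, username)], rand)
    code, attrs = client_verify(server_handle(pkt), 1, ra)
    codes.append(code)
    if code == ACCESS_CHALLENGE:  # State from the Challenge is returned unmodified
        pkt, ra = make_access_request(
            2, [(USER_NAME, username), (USER_PASSWORD, password), (STATE, attrs[STATE])], rand)
        code, _ = client_verify(server_handle(pkt), 2, ra)
        codes.append(code)
    return codes
```

Two points a practitioner should take from this: the Response Authenticator lets the NAS detect a forged or tampered Accept only because both sides share the secret, so a NAS that skips the check (or matches on Identifier alone) will accept any spoofed UDP reply; and nothing in a plain Access-Request authenticates the request itself, so in deployments the secret and the MD5-based hiding are usually backed by transport protection between NAS and server rather than trusted on their own.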