RADIUS SBR in a nutshell

Outline
● AAA.
● Radius Key Features.
● Radius Operation.
● Accounting.
● SBR.
● Future.

AAA
● Architecture.
● Distributed Systems.
● Authentication, Authorization and Accounting.
● Radius, Diameter.

Radius – Key Features
● Client/Server Model.
● Network Security.
● Extensibility (TLVs).
● Flexible Authentication.

Radius Operation
● User presents auth info to client.
● Client sends “message” to Server.
● Can load-balance servers.
● Server validates the shared secret.
● Radius server consults DB when receiving the request.
● Server can “accept”, “reject” or “challenge” the user.
● If all conditions are met, server sends a list of configuration values (such as IP address, MTU, etc.) to the user in the response.

Challenge
● Used with devices such as smart cards.
● The server sends an unpredictable number to the user, who encrypts it and gives back the result.

Proxy

With proxy RADIUS, one RADIUS server receives an authentication
(or accounting) request from a RADIUS client (such as a NAS),
forwards the request to a remote RADIUS server, receives the reply
from the remote server, and sends that reply to the client, possibly with
changes to reflect local administrative policy.


A common use for proxy RADIUS is roaming.
The choice of which server receives the forwarded request SHOULD
be based on the authentication "realm".

UDP
● Retransmission timers are required.
● The timing requirements of this particular protocol are significantly different than TCP provides.
● The stateless nature of this protocol simplifies the use of UDP.
● UDP simplifies the server implementation.

Radius Packet
Radius Packet – Code Field
The Code field is one octet, and identifies the type of RADIUS packet.
RADIUS Codes (decimal) are assigned as follows:

    1    Access-Request
    2    Access-Accept
    3    Access-Reject
    4    Accounting-Request
    5    Accounting-Response
   11    Access-Challenge
   12    Status-Server (experimental)
   13    Status-Client (experimental)
  255    Reserved

Radius Packet – Identifier Field
● Aids in matching requests and replies.
● The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.

Radius Packet – Authenticator Field
● This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm.
● Request Authenticator and Response Authenticator.

Radius Packet – Attributes
● RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.

    1    User-Name
    2    User-Password
    3    CHAP-Password
    4    NAS-IP-Address
    5    NAS-Port
    6    Service-Type
    ….

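The four Radius Packet slides above (Code, Identifier, Authenticator, Attributes) worked through as an added Python example that is not part of the original deck: it encodes and parses a packet, hides and recovers User-Password, and has the client check the Response Authenticator and Identifier of a reply. It follows RFC 2865; the shared secret, user name, password and addresses are constructed sample values, and Framed-IP-Address (8) and Framed-MTU (12) are RFC 2865 attribute types not listed on the slide.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 (types 1-6 are listed on the slide).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, FRAMED_MTU = 1, 2, 8, 12
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def hide_password(password, secret, request_auth):
    """User-Password hiding: XOR 16-octet blocks with MD5(secret + previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password; chaining uses the ciphertext blocks."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 octets, multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")  # padding is NUL octets


def build_packet(code, identifier, authenticator, attrs):
    """Encode the header plus attributes as Type, Length, Value triples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(data):
    """Return (code, identifier, authenticator, attrs); ValueError if malformed."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 20-octet header")
    code, identifier, length, auth = HEADER.unpack_from(data)
    if not HEADER.size <= length <= min(len(data), 4096):
        raise ValueError("bad Length field")
    attrs, pos = [], HEADER.size
    while pos < length:  # octets past Length are padding and ignored
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, auth, attrs


def sign_reply(code, identifier, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    unsigned = build_packet(code, identifier, request_auth, attrs)
    return build_packet(code, identifier, hashlib.md5(unsigned + secret).digest(), attrs)


def verify_reply(reply, identifier, request_auth, secret):
    """Client side: accept a reply only if Identifier and authenticator match."""
    try:
        _, reply_id, auth, _ = parse_packet(reply)
    except ValueError:
        return False
    length = struct.unpack_from("!H", reply, 2)[0]
    unsigned = reply[:4] + request_auth + reply[HEADER.size:length]
    expected = hashlib.md5(unsigned + secret).digest()
    return reply_id == identifier and hmac.compare_digest(auth, expected)


def demo():
    secret = b"constructed-shared-secret"  # sample value, not from the slides
    request_auth = os.urandom(16)  # must be unpredictable and unique per request
    hidden = hide_password(b"correct horse battery", secret, request_auth)
    request = build_packet(ACCESS_REQUEST, 42, request_auth,
                           [(USER_NAME, b"alice"), (USER_PASSWORD, hidden)])
    _, ident, req_auth, attrs = parse_packet(request)  # server side from here
    password = reveal_password(dict(attrs)[USER_PASSWORD], secret, req_auth)
    accept = sign_reply(ACCESS_ACCEPT, ident, [
        (FRAMED_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (FRAMED_MTU, struct.pack("!I", 1500)),
    ], req_auth, secret)
    tampered = bytes([ACCESS_REJECT]) + accept[1:]  # Code altered after signing
    return {
        "password": password,
        "genuine": verify_reply(accept, 42, request_auth, secret),
        "tampered": verify_reply(tampered, 42, request_auth, secret),
        "wrong_id": verify_reply(accept, 43, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Only the reply is authenticated this way; the Access-Request itself carries no integrity check beyond the hidden password, so the strength of the whole exchange rests on the shared secret and on the Request Authenticator never repeating.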
Radius Accounting
● Client generates an Accounting start packet to accounting server.
● Server acknowledges reception of the packet.
● At the end of the service, client generates a stop packet.
● Server acknowledges reception of the packet.

Radius shortcomings
● Doesn't define fail-over mechanisms.
● Does not provide support for per-packet confidentiality.
● In Accounting it assumes that replay protection is provided by the backend server, not the protocol.
● Doesn't define re-transmission (UDP), which is a major issue in accounting.
● Does not provide explicit support for agents, including proxies, redirects, and relays.
● Server-initiated messages are optional.
● RADIUS does not support error messages, capability negotiation, or a mandatory/non-mandatory flag for attributes.

Diameter
● It evolved from and replaces the RADIUS protocol.
● Ability to exchange messages and deliver AVPs.
● Capabilities negotiation.
● Error notification.
● Extensibility, required in [RFC2989], through addition of new applications, commands, and AVPs.
● Basic services necessary for applications, such as the handling of user sessions or accounting.

SBR
● A Juniper Radius product.
● Delivers a total authentication, authorization, and accounting (AAA) solution on the scale required by Internet service providers and carriers.
● Provides data services for wireline, wireless carriers.
● Modular design that supports add-on functionality to meet your specific site requirements (SIM, CDMA, WiMAX, Session Control Module).

SBR - Features
● Centralized management of user access control and security simplifies access administration.
● Powerful proxy RADIUS features enable you to easily distribute authentication and accounting requests to the appropriate RADIUS server for processing.
● External authentication features enable you to authenticate against multiple, redundant Structured Query Language (SQL) or Lightweight Directory Access Protocol (LDAP) databases according to configurable load balancing and retry strategies.
● Support for a wide variety of 802.1X-compliant access points and other network access servers.
● You can define a user’s allowed access hours.
● Multiple management interfaces (GUI, LCI, CLI, XML/HTTPS, SNMP).
● 3GPP support facilitates the management of mobile sessions and their associated resources.

AAA in a nutshell

  • 1. RADIUS SBR in a nutshell
  • 2. Outline
    ● AAA.
    ● Radius Key Features.
    ● Radius Operation.
    ● Accounting.
    ● SBR.
    ● Future.
  • 4. Radius – Key Features
    ● Client/Server Model.
    ● Network Security.
    ● Extensibility (TLVs).
    ● Flexible Authentication.
  • 5. Radius Operation
    ● User presents auth info to client.
    ● Client sends “message” to Server.
    ● Can load-balance servers.
    ● Server validates the shared secret.
    ● Radius server consults DB when receiving the request.
    ● Server can “accept”, “reject”, “challenge” the user.
    ● If all conditions are met, server sends a list of configuration values (like IP address, MTU, etc.) to the user in the response.
  • 6. Challenge
    ● Used with devices such as smart cards.
    ● Unpredictable number to the user, encryption, giving back the result.
  • 7. Proxy
    With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy.
    A common use for proxy RADIUS is roaming. The choice of which server receives the forwarded request SHOULD be based on the authentication "realm".
  • 8. UDP
    ● Retransmission timers are required.
    ● The timing requirements of this particular protocol are significantly different than TCP provides.
    ● The stateless nature of this protocol simplifies the use of UDP.
    ● UDP simplifies the server implementation.
  • 10. Radius Packet – Code Field
    The Code field is one octet, and identifies the type of RADIUS packet. RADIUS Codes (decimal) are assigned as follows:
    1 Access-Request
    2 Access-Accept
    3 Access-Reject
    4 Accounting-Request
    5 Accounting-Response
    11 Access-Challenge
    12 Status-Server (experimental)
    13 Status-Client (experimental)
    255 Reserved
  • 11. Radius Packet – Identifier Field
    ● Aids in matching requests and replies.
    ● The RADIUS server can detect a duplicate request if it has the same client source IP address and source UDP port and Identifier within a short span of time.
  • 12. Radius Packet – Authenticator Field
    ● This value is used to authenticate the reply from the RADIUS server, and is used in the password hiding algorithm.
    ● Request Authenticator and Response Authenticator.
  • 13. Radius Packet – Attributes
    ● RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.
    1 User-Name
    2 User-Password
    3 CHAP-Password
    4 NAS-IP-Address
    5 NAS-Port
    6 Service-Type
    ….
  • 14. Radius Accounting
    ● Client generates an Accounting start packet to accounting server.
    ● Server acknowledges reception of the packet.
    ● At the end of the service, client generates a stop packet.
    ● Server acknowledges reception of the packet.
  • 15. Radius shortcomings
    ● Doesn't define fail-over mechanisms.
    ● Does not provide support for per-packet confidentiality.
    ● In Accounting it assumes that replay protection is provided by the backend server, not the protocol.
    ● Doesn't define re-transmission (UDP), which is a major issue in accounting.
    ● Does not provide explicit support for agents, including proxies, redirects, and relays.
    ● Server-initiated messages are optional.
    ● RADIUS does not support error messages, capability negotiation, or a mandatory/non-mandatory flag for attributes.
  • 16. Diameter
    ● It evolved from and replaces the RADIUS protocol.
    ● Ability to exchange messages and deliver AVPs.
    ● Capabilities negotiation.
    ● Error notification.
    ● Extensibility, required in [RFC2989], through addition of new applications, commands, and AVPs.
    ● Basic services necessary for applications, such as the handling of user sessions or accounting.
  • 17. SBR
    ● A Juniper Radius product.
    ● Delivers a total authentication, authorization, and accounting (AAA) solution on the scale required by Internet service providers and carriers.
    ● Provides data services for wireline and wireless carriers.
    ● Modular design that supports add-on functionality to meet your specific site requirements (SIM, CDMA, WiMAX, Session Control Module).
  • 18. SBR - Features
    ● Centralized management of user access control and security simplifies access administration.
    ● Powerful proxy RADIUS features make it easy to distribute authentication and accounting requests to the appropriate RADIUS server for processing.
    ● External authentication features enable you to authenticate against multiple, redundant Structured Query Language (SQL) or Lightweight Directory Access Protocol (LDAP) databases according to configurable load balancing and retry strategies.
    ● Support for a wide variety of 802.1X-compliant access points and other network access servers.
    ● You can define users' allowed access hours.
    ● Multiple management interfaces (GUI, LCI, CLI, XML/HTTPS, SNMP).
    ● 3GPP support facilitates the management of mobile sessions and their associated resources.
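
The packet fields from slides 10 to 13 (Code, Identifier, Authenticator, attribute TLVs), worked through as an added example that is not part of the original slides: it follows RFC 2865 for User-Password hiding and the Response Authenticator check a client performs on a reply. The function names, the shared secret and the sample exchange are constructed for illustration.

```python
import hashlib, hmac, struct

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("Length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute TLV")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def sign_reply(code, ident, req_auth, attrs, secret):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = build_packet(code, ident, req_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_reply(reply, sent_ident, req_auth, secret):
    """Client: accept only if the Identifier matches and the authenticator checks out."""
    _, ident, auth, _ = parse_packet(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return ident == sent_ident and hmac.compare_digest(auth, expected)

def demo():
    """Constructed exchange: Access-Request (1), Access-Accept (2), and a tampered reply."""
    secret, req_auth = b"constructed-secret", bytes(range(16))  # constructed sample values
    request = build_packet(1, 7, req_auth, [(1, b"alice"), (2, hide_password(b"pw", secret, req_auth))])
    reply = sign_reply(2, 7, req_auth, [(6, struct.pack("!I", 2))], secret)
    tampered = reply[:-1] + bytes([reply[-1] ^ 1])  # one attribute bit flipped in transit
    return parse_packet(request), verify_reply(reply, 7, req_auth, secret), verify_reply(tampered, 7, req_auth, secret)
```

Only the User-Password value is hidden; every other attribute, including User-Name, crosses the wire in clear text, which is the missing per-packet confidentiality listed on slide 15.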