work tcchualogics and platforms. In practice, an AAA sewcr with a database of user profiles and configuration data comniunicatcs with AAA clicnts resid- ing on network componeuts, such as NAS and routers, to provide distrib- utrd AAA services. A closcr look at thc individual pieccs is the besl way to understarid tlic scrvices providcd within thc AAA framework. Authentication iuvolver validating tlic cud users' identity prior to permitting them network acccss. This proccss keys on thc uotion that the cnd-user possesses a uniquc pirce AAA PROTOCOLS: of information-a usernamelpass- word combination, a sccret key, or perhaps biometric data (fingerprints. Authentication, for exatnpk-that serves as unam- biguous identification crrdrntials. The AAA server cuniparcs thc user- Authorization, supplicd authentication data with tl~c uscr-associaicd data stored in its data- base, and if tlic crcdcntials match, thc and Accounting user is grauted network access. Anon- match rcsults in an authentication failure and a dcnial of nctwork access. for the Internet AuthorizaiiorJ dcfincs what rights and services thc end user is allowed Christopher Meb Cisco Systems chmeizBcrsco cm once ncrworI< ~CCCSSis grantcd. This might iiidudt. providing an IP addrcss, invoking a filtrr to detcrmine which Interim scrvicc pruviden (ISPs) ofh- call. ~1,~~must protcct against theft- applicatiim or protocols are supported, ing dial-up access and purveyors of of-scrvicc attacks by unscrupulous and so 011. Authentication and autho- enterprise nctworks supporting individuals with excess frcc time; they rization are usually performed togcthcr tclecominuters face somc difficult chal- must vcrify subscribers' lcvcls of in an AAA-managcd environment. lenges. Ever-increasing rrsidential dial- acccss authorization; and for cmst Accounting, the third 'X," provides up subscribcrs dcmand avai1:ihlc rccovcry, billing, and rcsource plan- rhc mcthoclology Cor collecting infor- modcm (or ISDN) por~s,or thrcatcn ning puqnscs, thcy may need to mation about thc end user's rcsourcc to take thcir busincss elsewhere. To inictcr the conneciion time to thc net- consumption, which can then bc mcct this detnand, ISPs (dial pruviders) work. l'urthcrmore, to provide maxi- processed for billing, auditing, and are dcplaying a large number of coni- mum coverage to a growing roaming capacity-planning purposes. plex, port-dense ncnvorli access semers and mobile suhscribet basc, thcy may Pigurc 1 illustratcs tlic compouenLs (NAS) to handle thousands of individ- choose to pool their NAS rcsourccs of an AAA solution. Tlic AAA scrv- ual dial-up connccrions. wliilc retaining contrul ovrr their cr--multiple scrvcrs can be uscd for At the same tirnc, the miniaturiza- subscribcrs' acccss, usage, arid billing rcesilicncy-is attached to the uetwork tion of statiunary office csscntials, information. All thcsc scrviccs requirc and servcs as a central repository for such as the laptop computer and cel- coordination brtween thc various storing and distributing AMinforma- lular telephone, has coupled with tlic administrative systems supported hy tion. Thc device acting as the point of nerd for maximum customer face ihc dial providrrs in partnership with entry into the nrtwork is typically a time to create a workforcc in pcrpct- each other, NAS (although it could also be a ual motion. Thcse "road warriors'' routcr, a teriniiial server, or perhaps rcquirc secure and rcliable access toe- AAA Framework another host) that contains an AAA mail and Web resources from hutcls, Meeting these ch:illcngcs in a sirnpliGcd client funcrion. AAA processing can airports, and virtual offices around and scalable manner lies at thc heart of he summarizcd in the following steps: the world. Authentication, Authorization. and But dial providers must do more Accounting. AAA rssentially dcfincs a End user cotinects to thc point-of- than simply offer an avdahlc modcm fiamcwork for coordinating rhcsr: indi- cntry dcvicc and rcqucsrs accrss to port at thc other end of a telephone vidual disciplines across multiple net- thc nctwork.
Ittf lNlERNE1 COMPUIING http:llcomputer.orglinternet/ NOVEMBER * DECEMBER I999 75 COLUMN
basic functions and message formats are documentcd in RFC 2138.3 Its functional attributes cousist of
Client-server-based operations. A RADIUS clicnt resides on the NAS and communicates over the network with a RADIUS server running on a host computer. Network Additionally, a RADIUS server may serve as a proxy client for another RADIUS or authentica- tion servcr. Network security. All communica- 9 tions between a RADIUS clicnt and server are authenticated by virtue of a shared secret key that is never sent over the network. In addition, user passwords con- tained in RADIUS messages are encrypted to prevent hackers from LJ reading them by snooping the c network. End user w Flexible authentication. 1WDIUS Figure 1. AAA architecture. The AAA client ot the network point of entry (NAS) can support multiple authentica- communicates with the AAA server to provide AAA services. tion mechanisms, including PAP I and CHAP. w Attributehlue pairs. RADIUS rn NAS AAA client functioii collccts the many cnd-user connections. mcssages carry AAA information and forwards the end user's cre- A single AAA server can act as a encoded in type-length-value dentials to the AAA server. centralized administrative control fields, callcd attributes (or w AAA server processes the data and point for multiple AAA clients coli- attributelvalue pairs). Common returns an accept or reject tained within different vendor- examples of attributes include response and othcr relevant data sourced NAS and network compo- User-Name, User-Password, to the AAA client. nents. Thus, AAA functions can be Framed-Protocol (such as PPP), rn AAA client on the NAS notifies added to the server, and incrementally Framed-IP-Address (IP address for the end user that access is granted to the client, without disrupting exist- elid user), and so on. RFC 2138 or denied for the specified ing network functions. There is no and vendor-specific documcnta- resources. need to incur the operational burden tion contain more complete lists of placing AAA information on the of RADIUS attributes supported 'The NAS may also send an account- NAS itself. The AAA Working Group by servers and clients. ing message to the AAA server during within the IETF is also currently connection setup and termination for developing a set of requirements to Figure 2 illustrates a typical configu- record collection and storage. support AAA across dial, roaming, ration employing RADIUS authenti- and mobile IP environments.' cation. An cnd-user dials into a NAS AAA Computing Needs that supports a RADIUS client. One of this architecture's benefits is RADIUS Using a prompt, or pcrhaps PP1' that the AAA scrvei can be housed on The best-known and most widely frames, the NAS collects the user- a general-purpose computing system, deployed AAA protocol is name and password from the end which can typically be found at a RADIUS-a clever acronym for the user, It then USCS UDPIIP to forward good pricc-to-performancc ratio, rather ordinary-sounding Rcmote an encrypted Acccss-Request message offering higlwolume disk storage and Access Dial-In User Service. It was over the network to the RADIUS optimized datahasc administration. developed in the mid-1990s by server. The messagc may also contain This gives dial providers thc horse- Livingston Enterprises (since acquired attributes such as the NAS port ID power needed to proccss bursts of by 1.ucent) to providc authentication and IP address. AAA requests from the inany port- and accounting scrvices to their NAS The RADIUS scrver then checks densc NAS devices as well as the stnr- devices. The IETF formalized that the User-Name attribute for a match- age capacity needed to record effort in 1996 with the RADIUS ing entry stored in its databasc. If accounting information on each of Working Group2 and the protocol's there is no match, then the server ON THE WIRE
returns an Access-Reject message to the NAS along with an optional text message indicating the reason for the failure. The NAS, in turn, notifies the end user of the authentication failure. If a match is found and the password is corrcct, then the RADIUS server retiirns an Access-Accept message to the NAS along with any additional configuration information required to complete the connection, such as an NAS IP address for the end user or a filter .I_-_ that limits them to a specific protocol hm*.~- type, like Teliiet or HTTl? End user
RADIUS Tunnels. RADIUS is also Figure 2. The RADIUS client on the NAS forwards the end user's credentials in an important for provisioning compulsory Access-Request message to the RADIUS server. After validating the end user's cre- tunnels in a dial-up virtual private net- dentials, the RADIUS server returns an Access-Accept message to the client. work (dial VPN) environment.4 A compulsory tunnel between the NAS and the corporate network gateway both ends and assists in provisioning dial VPN services to other ISPs while extends the dial end-user's PPP conoec- the tunnel by supplying configuration retaining strict control over the AAA tion all the way to the corporate net- parameters to the NAS in the form of process. The only requirements are for work so that it appears to be directly RADIUS attributes. The Access- the ISP to maintain a RADIUS proxy attached. Tunneling protocols, like the Accept message from the proxy server server that contains iuformation on Layer 2 Tunneling Protocol (LZTP), to the NAS may also contain tunuel the corporate dial end-user communi- are used to create the 11' tunnels that attributes such as the tunnel-type ty and for the master to be able to carry PPP connections through IP net- (LZTP, for instance) and tunnel end- reach it. works.5 The tuunel is compulsory point IP addresses. The NAS then (mandatory) because the end user has establishes an LZTP tnnuel to the cor- RADIUS Accounting. In addition to no choice in the matter: Any packets porate network (home) gateway, and authentication and authorization, destined for the corporate network will the end user is reauthenticated by the RADIUS was extended to provide a flow through the tunnel between the same master RADIUS server that was technique for collecting accounting NAS and corporate network gateway. used by the NAS (via proxy) during information specific to the end user's Figure 3 illustrates how RADIUS the initial authentication. communication session and storing it supports dial VPN compulsory tun- Using RADIUS to authenticate on an accounting server. If the NAS is neling. The end user dials into a and provision dial VPN compulsory configured for RADIUS accounting, NAS, and is authenticated by a tunnels enhances network security by it forwards an Accounting-Start mes- RADIUS proxy server (thr master offering dual authentication from the sage to the accounting server as soon RADIUS server is maintained inside same corporate-maintained RADIUS as the connection is established and the corporate network). RADIUS server. Further, this approach enables then collects information about the provides authentication services at corporate nenvorlu to nutsource their session, including iuput and output
1- 1- PPP connection -1 Figure 3. LZTP tunnel establishment using RADIUS. A proxy RADIUS server and master RADIUS server provide AAA services far end-users "tunneling" through an IP network and facilitate L2TP tunnel establishment.
IBE INIERNET COMPUllNG http~ll~ompufer.org/internel/ NOVEMBER. DECEMBERI999 77 COLUMN
octcts, input and output packeis, scs- a transport whereas RADIUS uscs Visited lS1' RADILJS proxy servers sinn duration, and termination C~USC UDl! support AAA services in a distributed (such as uscr request or idle timc- Pucket encryption. TA(:ACS+ will fashion, and thc home El' inaiiitains out). When the scssion is tcrminaicd, encrypt tlie entire packet paylnatl a master RADIUS server for its sub- the NAS sends an Accounting-Stop whereas RADIUS encrypts only scribcr base to support access control message ro the server indicating that the user password. and billing. A third-party servcr or thc session is over. RADIUS account- Authentication and authorization. "broker" could also hr used to scale ing is described in RFC 2139.& TACACS+ permits scparatc this approach and reducc configura- authcntication and authorization rioo requireincnts on the visited TACACS+ solutions whercas RADIUS con- proxy sc~vers.In that scciiario, AAA Another protocol that provides AAA bines the two. data cxchangos bctween the visited services is the Terminal Access and homr 1L4DIUS scrvcrs would bc Controller Access Control Systciiis Roaming fiinneled tlirough thc broker. protocol. Originally described in KFC 'l'he significant role pcrrormed by In addition to the dial VI" for 1492,' it has bccrr reenginccred uvcr AAA protocols in enabling global corporate networks, other caiididatcs the ycars by Cisco and is supported Intemct connectivity cannot bc over- for roaming scivice includc rcgional or on many terminal scrvcrs, routers, statcd. For cxamplr, they will be national ISl's looking to form consor- and NAS devices found in cliterprise used to facilitate conncctivity for the tium to provide broader covcragc to a networks today The current version is scrvicr known as roaming. Roaming constituency in diffcrcnt geographic called 'TACACS+, which reflects thc is a gcneralization of thc dial VPN areas. One such group is the Global many cnhanccments made to the coiiccpt in which remote rnd-users Rcach Intcrnct Consortium (GRIC), original TA(:ACS protocol. coiinrct to, and arc authrnticatcd hy, which offcts roaming Internet coiuiec- TACACS+ is a client-scrvcr AAA a local (visited) ISP tliar is cliffcrenr tivity and services to its collectivc sub- protocol and orCers many of the same from their home ISI! Koaming ser- scribers. I-Pass is another that offcrcrs its AAA services as IIADIUS. The prima- vice will offcr traveling end users fast, ISI' mcinbers a roaming authcntic:i- ry differences arc in convenient, and incxpcnsivc local tion and clcaringhousc service. access tu the lntcmct honi anywhere In borh cases, a distrihuied AAA 7i.ansport. 'I'ACACS+ uses TC1' as in thc world. approach enablcs ihe home ISP tu inaincain ~CCCSScontrol while provid- ing enhanced coniicctivity scrviccs. Roaming ciistomcrs can access the AAA Protocol Activity netwtirk through visited ISPs. l'he IETF has also forincd the ROAMOPS Working Group to furthcr study the IETF Mobile IP Working Group requireincars and solutions for roan- http://www.ietf.org/ht&ho;ters/mobileip-charter. html ing lntcrnct operations.'
IETF Network Access Server Requirements Working Group Diameter Protocol http://www.ietf.org/html.charters/nasreq-charter. html RADIUS and TACACS+ coiitinuc to cnjoy widcspread support amang IS1' Lucent Technologies' RADIUS Server and entcrprisc network managcrs. http://www.livingston.com:80/marketing/products/radius. html Roth protocols, Iiowcver, wcre origi- nally enginccrcd fbr sidlnetwork Nortel RADIUS Server devices supporting just a fcw end- http://www.nortelnetworks,com/products/O 1 /presidepolicy/i ndex.html uscrs requiring simplc server-based authentication Dial providers must TACACS Authentication Protocols now provide AAA services for hun- http://www.cisco.com/worp/pu blic/480/4.html#tacacst dreds and thousaids of concurrent cnd uscrs accessing network scrvices Global Reach Internet Consortium (GRIC) over a variety of technologics. They http://www.gric.net/ must also support AAA services across IS1' boundarics in a seciirc and scal- I-Pass able maimer. This is hrginning to http://w.ipass.com/ placc a Iwrden on the functional capabilities of the existing AAA proto- Merit Network RADIUS-based AAA server cols. Thercfore, thc IETF has undrr- http://w.merit.edu/aaa/ taken an effort to develop a ncxt-gcn- ctation AAA protocol.'
78 NOVEMBIR * PICEMBIR 1999 http:llcompu~er.orglinierneti ItttlNliRHIl COMPUllNG ON 1HI WIRE
A New Foundation. Diameter is a lightwciglit, pecr-based AAA proto- broker col designed to offer a scalable foun- dation for introducing new pnlicy and AAA services over existing (PPP) and emerging (roaming, mobile IP) network technol~gies.'~It employs many of the same mechanisms as RADIUS, including UDI' transport, Mobile node '-J Visited network encoded attributelvaluc pairs, and 0 proxy server support." Diameter also attempts to corrcct limitations inherent in thr RADIUS protocol. For example, a RADIUS attrihutc value cannot cxcccd 255 bytes, which may be too small in somc cases, and a RADIUS compo- Figure 4. Roaming/mobile IP AAA with Diameter. Diameter brokers AAA informo- nent can only have 255 messages nut- tion between AAA servers on the visited and home nehvorks. standing before an acknowlcdgment is necessary. For a server or NAS deal- ing with thousands of iodividnal coli- peer with thr broker to execute AAA 3. C. Kigncy cc al., "l