Remote Authentication Dial-In User Service (RADIUS) is a client/server network application protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users of a network service. It is defined in RFC2865 and RFC2866.
- Network Access Server (NAS): the RADIUS client, responsible for passing user authentication and accounting information to the RADIUS Server or the Accounting Server.
```
+------+            +-----+            +----------+        +------------+
| User |            | NAS |            |  RADIUS  |        |   RADIUS   |
|      |            |     |            |  Server  |        | Accounting |
+--+---+            +--+--+            +----+-----+        +------+-----+
   | Connect request   |                    |                     |
   | (username, password)                   |                     |
   |------------------>| Access-Request     |                     |
   |                   |------------------->|                     |
   |                   | Access-Accept      |                     |
   | Connect notice    |<-------------------|                     |
   |<------------------|                    |                     |
   |                   | Accounting-Request start                 |
   |                   |----------------------------------------->|
   |                   | Accounting-Response                      |
   |                   |<-----------------------------------------|
   /                   /                    /                     /
   | Disconnect request|                    |                     |
   |------------------>| Accounting-Request stop                  |
   |                   |----------------------------------------->|
   |                   | Accounting-Response                      |
   | Disconnect notice |<-----------------------------------------|
   |<------------------|                                          |
```
The RADIUS Server uses UDP port 1812; the earlier port, UDP 1645, conflicted with the "datametrics" service. The RADIUS Accounting Server uses UDP port 1813; the earlier port, UDP 1646, conflicted with "sa-msg-port".
Packet format
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                           16 octets                           |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
```
- Code: the type of RADIUS packet
  - 1 = Access-Request
  - 2 = Access-Accept
  - 3 = Access-Reject
  - 4 = Accounting-Request
  - 5 = Accounting-Response: the server replies only after it has successfully recorded the Accounting-Request; otherwise it does not respond at all.
  - 11 = Access-Challenge
  - 12 = Status-Server (experimental)
  - 13 = Status-Client (experimental)
  - invalid Code: silently discarded.
- Identifier: used to detect retransmissions and to match a response with its request. Each new Access-Request or Accounting-Request uses a new Identifier; a retransmission reuses the original one. Access-Accept, Access-Reject, and Access-Challenge carry the Identifier of the Access-Request; Accounting-Response carries the Identifier of the Accounting-Request.
- Length: the length from Code through the last Attribute, 20 to 4095. If the packet is shorter than Length, it is silently discarded.
- Authenticator: authenticates messages between Client and Server.
  - In an Access-Request...
  - In an Accounting-Request it is the MD5 checksum of Code, Identifier, Length, 16 zero octets, the attributes, and the shared secret. The NAS and the RADIUS accounting server share a secret.
  - In a response it is the MD5 hash of Code, Identifier, Length, the request's Authenticator, the attributes, and the shared secret.
- Attributes: attributes may have multiple instances; in such a case the order of attributes of the same type SHOULD be preserved. The order of attributes of different types is not required to be preserved.
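The exchange in the sequence diagram above and the two authenticator rules (Request Authenticator over 16 zero octets, Response Authenticator over the request's Authenticator) worked through in code. This is an added example, not code from the original post or from any RADIUS implementation: the shared secret, the NAS address 192.0.2.1 and the session id are constructed sample values, and only the Accounting-Request / Accounting-Response pair is modelled.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Attribute types used by the sample packet
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def attr(attr_type, value):
    """Encode one attribute as Type | Length | Value; Length counts all three fields."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1-253 octets")
    return bytes([attr_type, 2 + len(value)]) + value


def header(code, identifier, attributes):
    """Code (1) | Identifier (1) | Length (2, network order); Length = 20 + attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes))


def request_authenticator(code, identifier, attributes, secret):
    """Accounting-Request: MD5(Code | Identifier | Length | 16 zero octets | Attributes | secret)."""
    return hashlib.md5(header(code, identifier, attributes) + bytes(16) + attributes + secret).digest()


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """Any response: MD5(Code | Identifier | Length | RequestAuth | Attributes | secret)."""
    return hashlib.md5(header(code, identifier, attributes) + request_auth + attributes + secret).digest()


def parse_packet(datagram):
    """Return (code, identifier, authenticator, attributes), or None when the datagram
    must be silently discarded (Length outside 20..4095, or datagram shorter than Length).
    Octets beyond Length are padding and are dropped."""
    if len(datagram) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if length < 20 or length > 4095 or len(datagram) < length:
        return None
    return code, identifier, datagram[4:20], datagram[20:length]


def nas_build_accounting_start(identifier, secret):
    """NAS side: an Accounting-Request with Acct-Status-Type = Start (constructed sample values)."""
    attributes = (
        attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
        + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))   # constructed NAS address
        + attr(ACCT_SESSION_ID, b"0000A1B2")             # constructed session id
    )
    auth = request_authenticator(ACCOUNTING_REQUEST, identifier, attributes, secret)
    return header(ACCOUNTING_REQUEST, identifier, attributes) + auth + attributes


def server_handle_accounting(datagram, secret):
    """Accounting server side: verify the Request Authenticator and answer with an
    Accounting-Response that reuses the request's Identifier. Returns None (no reply
    at all) whenever a check fails, which is what "silently discard" means on the wire."""
    parsed = parse_packet(datagram)
    if parsed is None:
        return None
    code, identifier, auth, attributes = parsed
    if code != ACCOUNTING_REQUEST:
        return None
    if not hmac.compare_digest(auth, request_authenticator(code, identifier, attributes, secret)):
        return None  # wrong shared secret, or the packet was modified in transit
    resp_attributes = b""  # an Accounting-Response may carry no attributes
    resp_auth = response_authenticator(ACCOUNTING_RESPONSE, identifier, resp_attributes, auth, secret)
    return header(ACCOUNTING_RESPONSE, identifier, resp_attributes) + resp_auth + resp_attributes


def nas_verify_response(request, response, secret):
    """NAS side: accept a response only if its Identifier matches the outstanding
    request and its Response Authenticator validates under the shared secret."""
    req, resp = parse_packet(request), parse_packet(response)
    if req is None or resp is None:
        return False
    _, req_id, req_auth, _ = req
    code, resp_id, resp_auth, resp_attributes = resp
    if code != ACCOUNTING_RESPONSE or resp_id != req_id:
        return False
    expected = response_authenticator(code, resp_id, resp_attributes, req_auth, secret)
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request = nas_build_accounting_start(0x2A, secret)
    response = server_handle_accounting(request, secret)
    print("NAS accepts the Accounting-Response:", nas_verify_response(request, response, secret))
```

The server never answers a packet whose authenticator does not verify, so a client with the wrong secret sees only timeouts; the NAS side, in turn, drops responses whose Identifier does not match an outstanding request, which is what keeps a stale or replayed response from being paired with the wrong record.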
```
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |  Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
The Length value covers Type, Length, and Value, so its minimum is 2. The format and length of Value are determined by Type and Length; the complete Type list is maintained by IANA. Value has the following types:
- string: 1-253 octets of binary data (0-255), not necessarily NUL-terminated. Note: at least 1 octet.
- text: 1-253 octets of UTF-8 encoded ISO 10646 characters, not necessarily NUL-terminated; a subset of string. Note: at least 1 octet.
- address: 32-bit value, most significant octet first.
- integer: 32-bit unsigned value, most significant octet first.
- time: 32-bit unsigned value, most significant octet first; seconds since 1970 UTC.
| # | type | len | value | Description |
|---|---|---|---|---|
| 5 | NAS-Port | 6 | integer | Number of the interface the user is using. |
| 26 | Vendor-Specific | ≥7 | vsa | 4-byte Vendor-Id + string. Vendor-Id is the vendor's SMI Network Management Private Enterprise Code. The string is defined by the vendor, for example 1-octet vendor type + 1-octet length + value. |
| 40 | Acct-Status-Type | 6 | enum | Whether the Accounting-Request marks the start or end of accounting: 1=Start 2=Stop 3=Interim-Update 7=Accounting-On 8=Accounting-Off 9-14=Reserved for Tunnel Accounting 15=Reserved for Failed |
| 41 | Acct-Delay-Time | 6 | integer | Number of seconds the sending of this record was delayed. |
| 42 | Acct-Input-Octets | 6 | integer | |
| 43 | Acct-Output-Octets | 6 | integer | |
| 44 | Acct-Session-Id | ≥3 | text | For convenience. |
| 45 | Acct-Authentic | 6 | enum | Indicates in the Accounting-Request how the user was authenticated. |
| 46 | Acct-Session-Time | 6 | integer | Seconds of service; reported when the Accounting-Request has Acct-Status-Type=Stop. |
| 47 | Acct-Input-Packets | 6 | integer | |
| 48 | Acct-Output-Packets | 6 | integer | |
| 49 | Acct-Terminate-Cause | 6 | enum | |
| 50 | Acct-Multi-Session-Id | ≥3 | text | |
| 51 | Acct-Link-Count | 6 | integer | |
| 61 | NAS-Port-Type | 6 | enum | Type of interface the user is using: 0=Async 1=Sync 2=ISDN Sync 3=ISDN Async V.120 4=ISDN Async V.110 5=Virtual 6=PIAFS 7=HDLC Clear Channel 8=X.25 9=X.75 10=G.3 Fax 11=SDSL 12=ADSL-CAP 13=ADSL-DMT 14=IDSL 15=Ethernet 16=xDSL 17=Cable 18=Wireless - Other 19=Wireless - IEEE 802.11 |
| 87 | NAS-Port-Id | ≥3 | text | Describes the interface the user is using, for example "ISDN 7/2:D:1". |
Authentication and authorization
Accounting
- Service start: send Accounting Start (the type of service being delivered and the user it is being delivered to) to the RADIUS Accounting server.
- Service end: send Accounting Stop (the type of service that was delivered and, optionally, statistics such as elapsed time, input and output octets, or input and output packets) to the RADIUS Accounting server.
- If the Accounting-Request (whether for Start or Stop) succeeds, the RADIUS Accounting server replies with an Accounting-Response acknowledgment.
- The client is advised to continue attempting to send the Accounting-Request until it receives an acknowledgement, using some form of backoff, and may use an alternate server (after a number of tries to the primary server fail, or in a round-robin fashion).
Attributes of an Accounting-Request:
- Must contain: NAS-IP-Address or NAS-Identifier.
- Should contain: the NAS-Port or NAS-Port-Type attribute or both, unless the service does not involve a port or the NAS does not distinguish among its ports.
- If Framed-IP-Address is present, it must contain the user's IP address, which may have been assigned or negotiated through the Access-Accept.
- Must not contain: User-Password, CHAP-Password, Reply-Message, State.
If an Accounting-Request has an invalid Length, the entire request MUST be silently discarded.
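An added example that serves both the attribute table above (the Type/Length/Value rule, the Vendor-Specific layout) and the Accounting-Request rules just listed: it parses an attribute section, decodes a VSA in the vendor-type/vendor-length/value layout the table describes, and reports which MUST / MUST NOT / SHOULD rules a request breaks. This is not code from the original post or from any RADIUS server; the attribute bytes are a constructed sample Stop record, and the VSA uses Vendor-Id 9 (Cisco's enterprise number) with a made-up sub-attribute text.

```python
import struct

# Attribute type numbers from RFC 2865 / RFC 2866
USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 2, 3, 4, 5
REPLY_MESSAGE, STATE, VENDOR_SPECIFIC, NAS_IDENTIFIER = 18, 24, 26, 32
ACCT_STATUS_TYPE, ACCT_SESSION_TIME, NAS_PORT_TYPE = 40, 46, 61
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}

# Constructed sample: the attribute section of an Accounting-Request stop record.
SAMPLE_STOP_ATTRIBUTES = (
    b"\x28\x06\x00\x00\x00\x02"   # Acct-Status-Type (40), len 6, value 2 = Stop
    b"\x04\x06\xc0\x00\x02\x01"   # NAS-IP-Address (4), len 6, 192.0.2.1
    b"\x05\x06\x00\x00\x00\x07"   # NAS-Port (5), len 6, port 7
    b"\x2e\x06\x00\x00\x0e\x10"   # Acct-Session-Time (46), len 6, 3600 seconds
    # Vendor-Specific (26), len 25: Vendor-Id 9, then one sub-attribute
    # (vendor type 1, vendor length 19, constructed text)
    b"\x1a\x19\x00\x00\x00\x09\x01\x13example-key=value"
)


def parse_attributes(data):
    """Decode Type | Length | Value triples in order. Returns None if any attribute is
    malformed (Length < 2, or Length running past the end of the data), which is the
    "invalid Length" case the page says must be silently discarded."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            return None
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            return None
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_vsa(value):
    """Vendor-Specific value: 4-octet Vendor-Id followed by a vendor-defined string.
    The sub-attribute layout assumed here (vendor type, vendor length counting itself
    and the type octet, value) is the example format from the table, so the same TLV
    parser applies; other vendors may define the string differently."""
    if len(value) < 5:
        return None
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, parse_attributes(value[4:])


def acct_status_name(attrs):
    """Name of the Acct-Status-Type value, or None if absent or malformed."""
    for attr_type, value in attrs:
        if attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            return ACCT_STATUS_NAMES.get(struct.unpack("!I", value)[0], "unknown")
    return None


def check_accounting_request(attrs):
    """Apply the Accounting-Request attribute rules. Returns (errors, warnings):
    errors are MUST / MUST NOT violations, warnings are SHOULD rules not met."""
    present = {attr_type for attr_type, _ in attrs}
    errors, warnings = [], []
    if not present & {NAS_IP_ADDRESS, NAS_IDENTIFIER}:
        errors.append("must contain NAS-IP-Address or NAS-Identifier")
    for attr_type, name in ((USER_PASSWORD, "User-Password"), (CHAP_PASSWORD, "CHAP-Password"),
                            (REPLY_MESSAGE, "Reply-Message"), (STATE, "State")):
        if attr_type in present:
            errors.append(f"must not contain {name}")
    if not present & {NAS_PORT, NAS_PORT_TYPE}:
        warnings.append("should contain NAS-Port or NAS-Port-Type")
    return errors, warnings


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STOP_ATTRIBUTES)
    print("status:", acct_status_name(attrs))
    print("vsa:", parse_vsa(dict(attrs)[VENDOR_SPECIFIC]))
    print("rule check:", check_accounting_request(attrs))
```

A collector that logs accounting records is the natural place for `check_accounting_request`: a record carrying User-Password or CHAP-Password is a configuration error on the NAS that would otherwise put credentials into the accounting log, and a malformed attribute list is the case where dropping the whole request, rather than salvaging the attributes parsed so far, is the behaviour the RFC asks for.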
References
- https://en.wikipedia.org/wiki/RADIUS
- 802.1X
- RADIUS Server: FreeRadius
- CDR configuration with RADIUS Accounting: Cisco devices send only the Accounting-Request stop as the CDR; either standard RADIUS attributes or Cisco VSA attributes can be used.