IP Network - Security - RADIUS

RADIUS stands for Remote Authentication Dial-In User Service. It is a kind of AAA (Authentication, Authorization, and Accounting) protocol used by many kinds of network access equipment, such as modems, DSL, access points, VPNs, network ports, and web servers. It normally runs as a client-server protocol over UDP, and it is also commonly used as the authentication back end for 802.1X.


The following is the overall RADIUS procedure when RADIUS is used for 802.1X authentication.

(1) Beacon


This belongs to the 802.11 protocol. The details of this step are out of the scope of this page. If you want to know the details of this step, refer to step (1) in the WLAN Protocol page.


(2) SSID Selection


Once the UE (WiFi device) decodes the Beacon, it shows all the SSIDs it has detected. Then you can select a specific SSID manually, or the device automatically selects an SSID in the order you have configured.


(3) 802.11


This belongs to the 802.11 protocol. The details of this step are out of the scope of this page. If you want to know the details of this step, refer to steps (2)~(7) in the WLAN Protocol page.


(5.a) RADIUS-Access-Request


Radius Protocol

    Code: Access-Request (1)

    Packet identifier: 0x24 (36)

    Length: 237

    Authenticator: bdecb10e7c41855a9ded31a368a9fb21

    [The response to this request is in frame 34]

    Attribute Value Pairs

        AVP: l=53 t=User-Name(1): 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org

            User-Name: 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org

        AVP: l=6 t=Framed-MTU(12): 1400

            Framed-MTU: 1400

        AVP: l=30 t=Called-Station-Id(30): AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST

            Called-Station-Id: AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST

        AVP: l=19 t=Calling-Station-Id(31): FF-EE-DD-CC-BB-AA

            Calling-Station-Id: FF-EE-DD-CC-BB-AA

        AVP: l=6 t=Service-Type(6): Login(1)

            Service-Type: Login (1)

        AVP: l=18 t=Message-Authenticator(80): a87015020fd7285494ccc90ab264a8b6

            Message-Authenticator: a87015020fd7285494ccc90ab264a8b6

        AVP: l=58 t=EAP-Message(79) Last Segment[1]

            EAP fragment

            Extensible Authentication Protocol

                Code: Response (2)

                Id: 1

                Length: 56

                Type: Identity (1)

                Identity: 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org

        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)

            NAS-Port-Type: Wireless-802.11 (19)

        AVP: l=6 t=NAS-Port(5): 298

            NAS-Port: 298

        AVP: l=5 t=NAS-Port-Id(87): 298

            NAS-Port-Id: 298

        AVP: l=6 t=NAS-IP-Address(4): 192.168.0.100

            NAS-IP-Address: 192.168.0.100 (192.168.0.100)

        AVP: l=4 t=NAS-Identifier(32): ap

            NAS-Identifier: ap


(5.b) RADIUS-Access-Challenge


Radius Protocol

    Code: Access-Challenge (11)

    Packet identifier: 0x24 (36)

    Length: 126

    Authenticator: 900430bc6361e3f7e457d1895753ca95

    [This is a response to a request in frame 31]

    [Time from request: 0.005006000 seconds]

    Attribute Value Pairs

        AVP: l=18 t=State(24): 0123456789abcdeffedcba9876543210

            State: 0123456789abcdeffedcba9876543210

        AVP: l=70 t=EAP-Message(79) Last Segment[1]

            EAP fragment

            Extensible Authentication Protocol

                Code: Request (1)

                Id: 2

                Length: 68

                Type: UMTS Authentication and Key Agreement EAP (EAP-AKA) (23)

                EAP-AKA Subtype: AKA-Challenge (1)

                EAP-AKA Reserved: 0x0000

                EAP-AKA Attribute: AT_RAND (1)

                    EAP-AKA Type: AT_RAND (1)

                    EAP-AKA Length: 5

                    EAP-AKA Value: 000094d89d270744eb83324d05e7d4653000

                EAP-AKA Attribute: AT_AUTN (2)

                    EAP-AKA Type: AT_AUTN (2)

                    EAP-AKA Length: 5

                    EAP-AKA Value: 00001443118df4ba000094c9bf1443118df4

                EAP-AKA Attribute: AT_MAC (11)

                    EAP-AKA Type: AT_MAC (11)

                    EAP-AKA Length: 5

                    EAP-AKA Value: 00005bb41b500656ad412eba489db5defdf0

        AVP: l=18 t=Message-Authenticator(80): 1473c48d5490b3f0dbed210c7ff28f68

            Message-Authenticator: 1473c48d5490b3f0dbed210c7ff28f68

(5.c) RADIUS-Access-Request


Radius Protocol

    Code: Access-Request (1)

    Packet identifier: 0x25 (37)

    Length: 251

    Authenticator: 0142218b21804f05e70010072fa6bde0

    [The response to this request is in frame 40]

    Attribute Value Pairs

        AVP: l=53 t=User-Name(1): 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org

            User-Name: 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org

        AVP: l=6 t=Framed-MTU(12): 1400

            Framed-MTU: 1400

        AVP: l=30 t=Called-Station-Id(30): AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST

            Called-Station-Id: AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST

        AVP: l=19 t=Calling-Station-Id(31): FF-EE-DD-CC-BB-AA

            Calling-Station-Id: FF-EE-DD-CC-BB-AA

        AVP: l=6 t=Service-Type(6): Login(1)

            Service-Type: Login (1)

        AVP: l=18 t=Message-Authenticator(80): 156a8ee61ae68696e68802b869d8d82f

            Message-Authenticator: 156a8ee61ae68696e68802b869d8d82f

        AVP: l=54 t=EAP-Message(79) Last Segment[1]

            EAP fragment

            Extensible Authentication Protocol

                Code: Response (2)

                Id: 2

                Length: 52

                Type: UMTS Authentication and Key Agreement EAP (EAP-AKA) (23)

                EAP-AKA Subtype: AKA-Challenge (1)

                EAP-AKA Reserved: 0x0000

                EAP-AKA Attribute: AT_RES (3)

                    EAP-AKA Type: AT_RES (3)

                    EAP-AKA Length: 5

                    EAP-AKA Value: 008094c9bf1443118df4bad4af5c18b8deff

                EAP-AKA Attribute: AT_CHECKCODE (134)

                    EAP-AKA Type: AT_CHECKCODE (134)

                    EAP-AKA Length: 1

                    EAP-AKA Value: 0000

                EAP-AKA Attribute: AT_MAC (11)

                    EAP-AKA Type: AT_MAC (11)

                    EAP-AKA Length: 5

                    EAP-AKA Value: 0000a77ceba33d9fa47b193fe520939357be

        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)

            NAS-Port-Type: Wireless-802.11 (19)

        AVP: l=6 t=NAS-Port(5): 298

            NAS-Port: 298

        AVP: l=5 t=NAS-Port-Id(87): 298

            NAS-Port-Id: 298

        AVP: l=18 t=State(24): 0123456789abcdeffedcba9876543210

            State: 0123456789abcdeffedcba9876543210

        AVP: l=6 t=NAS-IP-Address(4): 192.168.0.100

            NAS-IP-Address: 192.168.0.100 (192.168.0.100)

        AVP: l=4 t=NAS-Identifier(32): ap

            NAS-Identifier: ap

(5.d) RADIUS-Access-Accept


Radius Protocol

    Code: Access-Accept (2)

    Packet identifier: 0x25 (37)

    Length: 172

    Authenticator: 91b6be9b253920873621b38558f4a263

    [This is a response to a request in frame 39]

    [Time from request: 0.005842000 seconds]

    Attribute Value Pairs

        AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

            VSA: l=52 t=MS-MPPE-Recv-Key(17): 9eacf45ef6473fde1c98b31c9eea1cd746afff158dc2350c...

                MS-MPPE-Recv-Key: 9eacf45ef6473fde1c98b31c9eea1cd746afff158dc2350c...

        AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

            VSA: l=52 t=MS-MPPE-Send-Key(16): a3bf190301febc71c4f132442df2b5c74df5d2d0ed5ceb0b...

                MS-MPPE-Send-Key: a3bf190301febc71c4f132442df2b5c74df5d2d0ed5ceb0b...

        AVP: l=6 t=EAP-Message(79) Last Segment[1]

            EAP fragment

            Extensible Authentication Protocol

                Code: Success (3)

                Id: 2

                Length: 4

        AVP: l=18 t=Message-Authenticator(80): 07e1b2faa24d8a98b6aff9e2ed0c8616

            Message-Authenticator: 07e1b2faa24d8a98b6aff9e2ed0c8616

        AVP: l=6 t=Idle-Timeout(28): 600

            Idle-Timeout: 600

        AVP: l=6 t=Session-Timeout(27): 86400

            Session-Timeout: 86400
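The Authenticator and Message-Authenticator fields seen in the four packets above are what let the RADIUS server and the AP detect a forged or modified packet on the AP-to-server hop, which matters because the EAP-AKA exchange is carried inside those packets. The Python below is an added example, not code from the original page; it builds and checks both fields the way RFC 2865 and RFC 2869 define them (Message-Authenticator is HMAC-MD5 over the packet with a shared secret, the Response Authenticator is MD5 over Code+ID+Length+RequestAuth+Attributes+Secret). The shared secret is constructed for the example; the User-Name value and attribute numbers are taken from the dumps above.

```python
import hashlib, hmac, struct
MSG_AUTH = 80                         # Message-Authenticator attribute type (RFC 2869)
SECRET = b"example-shared-secret"     # constructed for this example only

def parse_avps(data):
    """Return [(type, value)] from a RADIUS attribute list, rejecting bad lengths."""
    avps, off = [], 0
    while off < len(data):
        t, ln = data[off], data[off + 1]
        if ln < 2 or off + ln > len(data):
            raise ValueError("malformed AVP at offset %d" % off)
        avps.append((t, data[off + 2:off + ln]))
        off += ln
    return avps

def build_packet(code, ident, authenticator, avps):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_request(code, ident, authenticator, avps, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    draft = build_packet(code, ident, authenticator, avps + [(MSG_AUTH, bytes(16))])
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    return build_packet(code, ident, authenticator, avps + [(MSG_AUTH, mac)])

def build_response(code, ident, request_authenticator, avps, secret):
    """Access-Challenge/Accept: the HMAC is keyed on the Request Authenticator, then the
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) is filled in."""
    signed = sign_request(code, ident, request_authenticator, avps, secret)
    resp_auth = hashlib.md5(signed[:4] + request_authenticator + signed[20:] + secret).digest()
    return signed[:4] + resp_auth + signed[20:]

def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """Recompute the HMAC; for a response pass the Request Authenticator of the matching request."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        return False
    avps = parse_avps(pkt[20:])
    received = [v for t, v in avps if t == MSG_AUTH]
    if len(received) != 1 or len(received[0]) != 16:
        return False                  # missing or duplicated attribute: treat as unsigned
    hmac_auth = pkt[4:20] if request_authenticator is None else request_authenticator
    zeroed = [(t, bytes(16) if t == MSG_AUTH else v) for t, v in avps]
    expected = hmac.new(secret, build_packet(code, ident, hmac_auth, zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])

def verify_response_authenticator(pkt, request_authenticator, secret):
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])
```

A server that drops an Access-Request carrying an EAP-Message without a valid Message-Authenticator, and an AP that checks both fields on the Access-Challenge and Access-Accept, are what tie the EAP-AKA result to the shared secret rather than to the source IP alone.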


(6) After the completion of RADIUS, the UE needs to get an IP address in order to exchange IP packets. If the UE already has a static IP assigned (manual setting), it does not need this step and jumps to step (7). However, if the UE has no IP assigned yet, it initiates a dynamic IP assignment procedure. Which dynamic IP allocation procedure it triggers is up to the UE implementation. It may use DHCP (for IPv4), DHCPv6 (for IPv6), or IPv6 NDP to get the IP dynamically.