Security - RADIUS
RADIUS stands for Remote Authentication Dial-In User Service. It is a kind of Triple A (AAA: Authentication, Authorization, and Accounting) protocol used by many kinds of network access equipment, such as modems, DSL, access points, VPNs, network ports, and web servers. It normally runs as a client-server protocol over UDP, and it is also commonly used as the back end of 802.1X authentication.
The following is the overall RADIUS procedure as used in 802.1X authentication.
(1) Beacon
This belongs to the 802.11 protocol. The details of this step are out of the scope of this page; if you want to know them, refer to step (1) in the WLAN Protocol page.
(2) SSID Selection
Once the UE (WiFi device) decodes the Beacon, it shows all the SSIDs it detected. You can then select a specific SSID manually, or the device selects an SSID automatically in the order you have configured.
(3) 802.11
This belongs to the 802.11 protocol. The details of this step are out of the scope of this page; if you want to know them, refer to steps (2)~(7) in the WLAN Protocol page.
(5.a) RADIUS-Access-Request
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x24 (36)
    Length: 237
    Authenticator: bdecb10e7c41855a9ded31a368a9fb21
    [The response to this request is in frame 34]
    Attribute Value Pairs
        AVP: l=53 t=User-Name(1): 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org
            User-Name: 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org
        AVP: l=6 t=Framed-MTU(12): 1400
            Framed-MTU: 1400
        AVP: l=30 t=Called-Station-Id(30): AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST
            Called-Station-Id: AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST
        AVP: l=19 t=Calling-Station-Id(31): FF-EE-DD-CC-BB-AA
            Calling-Station-Id: FF-EE-DD-CC-BB-AA
        AVP: l=6 t=Service-Type(6): Login(1)
            Service-Type: Login (1)
        AVP: l=18 t=Message-Authenticator(80): a87015020fd7285494ccc90ab264a8b6
            Message-Authenticator: a87015020fd7285494ccc90ab264a8b6
        AVP: l=58 t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 1
                Length: 56
                Type: Identity (1)
                Identity: 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
            NAS-Port-Type: Wireless-802.11 (19)
        AVP: l=6 t=NAS-Port(5): 298
            NAS-Port: 298
        AVP: l=5 t=NAS-Port-Id(87): 298
            NAS-Port-Id: 298
        AVP: l=6 t=NAS-IP-Address(4): 192.168.0.100
            NAS-IP-Address: 192.168.0.100 (192.168.0.100)
        AVP: l=4 t=NAS-Identifier(32): ap
            NAS-Identifier: ap
(5.b) RADIUS-Access-Challenge
Radius Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x24 (36)
    Length: 126
    Authenticator: 900430bc6361e3f7e457d1895753ca95
    [This is a response to a request in frame 31]
    [Time from request: 0.005006000 seconds]
    Attribute Value Pairs
        AVP: l=18 t=State(24): 0123456789abcdeffedcba9876543210
            State: 0123456789abcdeffedcba9876543210
        AVP: l=70 t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 2
                Length: 68
                Type: UMTS Authentication and Key Agreement EAP (EAP-AKA) (23)
                EAP-AKA Subtype: AKA-Challenge (1)
                EAP-AKA Reserved: 0x0000
                EAP-AKA Attribute: AT_RAND (1)
                    EAP-AKA Type: AT_RAND (1)
                    EAP-AKA Length: 5
                    EAP-AKA Value: 000094d89d270744eb83324d05e7d4653000
                EAP-AKA Attribute: AT_AUTN (2)
                    EAP-AKA Type: AT_AUTN (2)
                    EAP-AKA Length: 5
                    EAP-AKA Value: 00001443118df4ba000094c9bf1443118df4
                EAP-AKA Attribute: AT_MAC (11)
                    EAP-AKA Type: AT_MAC (11)
                    EAP-AKA Length: 5
                    EAP-AKA Value: 00005bb41b500656ad412eba489db5defdf0
        AVP: l=18 t=Message-Authenticator(80): 1473c48d5490b3f0dbed210c7ff28f68
            Message-Authenticator: 1473c48d5490b3f0dbed210c7ff28f68
(5.c) RADIUS-Access-Request
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x25 (37)
    Length: 251
    Authenticator: 0142218b21804f05e70010072fa6bde0
    [The response to this request is in frame 40]
    Attribute Value Pairs
        AVP: l=53 t=User-Name(1): 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org
            User-Name: 0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org
        AVP: l=6 t=Framed-MTU(12): 1400
            Framed-MTU: 1400
        AVP: l=30 t=Called-Station-Id(30): AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST
            Called-Station-Id: AA-BB-CC-DD-EE-FF:WLAN_SSID_TEST
        AVP: l=19 t=Calling-Station-Id(31): FF-EE-DD-CC-BB-AA
            Calling-Station-Id: FF-EE-DD-CC-BB-AA
        AVP: l=6 t=Service-Type(6): Login(1)
            Service-Type: Login (1)
        AVP: l=18 t=Message-Authenticator(80): 156a8ee61ae68696e68802b869d8d82f
            Message-Authenticator: 156a8ee61ae68696e68802b869d8d82f
        AVP: l=54 t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 2
                Length: 52
                Type: UMTS Authentication and Key Agreement EAP (EAP-AKA) (23)
                EAP-AKA Subtype: AKA-Challenge (1)
                EAP-AKA Reserved: 0x0000
                EAP-AKA Attribute: AT_RES (3)
                    EAP-AKA Type: AT_RES (3)
                    EAP-AKA Length: 5
                    EAP-AKA Value: 008094c9bf1443118df4bad4af5c18b8deff
                EAP-AKA Attribute: AT_CHECKCODE (134)
                    EAP-AKA Type: AT_CHECKCODE (134)
                    EAP-AKA Length: 1
                    EAP-AKA Value: 0000
                EAP-AKA Attribute: AT_MAC (11)
                    EAP-AKA Type: AT_MAC (11)
                    EAP-AKA Length: 5
                    EAP-AKA Value: 0000a77ceba33d9fa47b193fe520939357be
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
            NAS-Port-Type: Wireless-802.11 (19)
        AVP: l=6 t=NAS-Port(5): 298
            NAS-Port: 298
        AVP: l=5 t=NAS-Port-Id(87): 298
            NAS-Port-Id: 298
        AVP: l=18 t=State(24): 0123456789abcdeffedcba9876543210
            State: 0123456789abcdeffedcba9876543210
        AVP: l=6 t=NAS-IP-Address(4): 192.168.0.100
            NAS-IP-Address: 192.168.0.100 (192.168.0.100)
        AVP: l=4 t=NAS-Identifier(32): ap
            NAS-Identifier: ap
(5.d) RADIUS-Access-Accept
Radius Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x25 (37)
    Length: 172
    Authenticator: 91b6be9b253920873621b38558f4a263
    [This is a response to a request in frame 39]
    [Time from request: 0.005842000 seconds]
    Attribute Value Pairs
        AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=52 t=MS-MPPE-Recv-Key(17): 9eacf45ef6473fde1c98b31c9eea1cd746afff158dc2350c...
                MS-MPPE-Recv-Key: 9eacf45ef6473fde1c98b31c9eea1cd746afff158dc2350c...
        AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
            VSA: l=52 t=MS-MPPE-Send-Key(16): a3bf190301febc71c4f132442df2b5c74df5d2d0ed5ceb0b...
                MS-MPPE-Send-Key: a3bf190301febc71c4f132442df2b5c74df5d2d0ed5ceb0b...
        AVP: l=6 t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Success (3)
                Id: 2
                Length: 4
        AVP: l=18 t=Message-Authenticator(80): 07e1b2faa24d8a98b6aff9e2ed0c8616
            Message-Authenticator: 07e1b2faa24d8a98b6aff9e2ed0c8616
        AVP: l=6 t=Idle-Timeout(28): 600
            Idle-Timeout: 600
        AVP: l=6 t=Session-Timeout(27): 86400
            Session-Timeout: 86400
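As an added example (not code from the original page), the following Python builds and checks packets of the kind shown in (5.a) to (5.d): it encodes and decodes the type/length/value AVPs, computes and verifies the Message-Authenticator (HMAC-MD5 over the packet with the field zeroed, RFC 2869) and the Response Authenticator that binds an Access-Challenge or Access-Accept to the Access-Request it answers (MD5 over Code, ID, Length, Request Authenticator, attributes and the shared secret, RFC 2865), and parses the EAP header and EAP-AKA attributes carried inside EAP-Message. The shared secret, Request Authenticator and demo values are constructed test data; the captures above cannot be re-verified without the NAS/server shared secret.

```python
# Added example (not from the original page): build, parse and verify RADIUS
# packets like those in (5.a)-(5.d). Secret, Request Authenticator and other
# sample values are constructed test data, not taken from the capture.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, NAS_IP_ADDRESS, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 24, 79, 80

def encode_avps(avps):
    # RADIUS TLV: 1-byte type, 1-byte length covering type+length+value.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)

def decode_avps(data):
    # Reject lengths that would run past the buffer instead of reading garbage.
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed AVP length %d at offset %d" % (l, i))
        avps.append((t, data[i + 2:i + l]))
        i += l
    return avps

def _header_and_body(code, ident, auth_for_mac, secret, avps):
    # Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over Code, ID, Length,
    # Request Authenticator and attributes, with its own 16 octets zeroed.
    body = encode_avps(list(avps) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + auth_for_mac + body, hashlib.md5).digest()
    return header, body[:-16] + mac

def build_access_request(ident, request_auth, secret, avps):
    header, body = _header_and_body(ACCESS_REQUEST, ident, request_auth, secret, avps)
    return header + request_auth + body

def build_response(code, ident, request_auth, secret, avps):
    # Response Authenticator (RFC 2865 3):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header, body = _header_and_body(code, ident, request_auth, secret, avps)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response_authenticator(packet, request_auth, secret):
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def verify_message_authenticator(packet, secret, request_auth=None):
    # Requests: HMAC keyed over the packet's own Authenticator. Responses:
    # over the Request Authenticator of the request being answered.
    length = struct.unpack("!H", packet[2:4])[0]
    auth = packet[4:20] if request_auth is None else request_auth
    i = 20
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:4] + auth + packet[20:i + 2] + bytes(16) + packet[i + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[i + 2:i + 18], expected)
        i += max(l, 2)
    return False  # absent: treat an EAP-carrying packet as unauthenticated

def parse_eap(data):
    # EAP header (RFC 3748): Code, Id, Length, then Type and type-data.
    code, ident, length = struct.unpack("!BBH", data[:4])
    msg = {"code": code, "id": ident, "length": length}
    if length > 4:
        msg["type"], msg["data"] = data[4], data[5:length]
    return msg

def parse_eap_aka(type_data):
    # EAP-AKA (RFC 4187): Subtype, 2 reserved octets, then attributes whose
    # Length counts 4-octet units (AT_RAND length 5 = 20 octets, as in 5.b).
    subtype, attrs, i = type_data[0], [], 3
    while i < len(type_data):
        t, l = type_data[i], type_data[i + 1] * 4
        if l < 4 or i + l > len(type_data):
            raise ValueError("malformed EAP-AKA attribute")
        attrs.append((t, type_data[i + 2:i + l]))
        i += l
    return subtype, attrs

# Constructed demo values (secret and Request Authenticator are not from the capture).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
IDENTITY = b"0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY

def demo():
    # An Access-Request shaped like (5.a) and the Access-Challenge answering it.
    req = build_access_request(0x24, REQ_AUTH, SECRET, [
        (USER_NAME, IDENTITY), (NAS_IP_ADDRESS, bytes([192, 168, 0, 100])),
        (EAP_MESSAGE, EAP_IDENTITY)])
    chal = build_response(ACCESS_CHALLENGE, 0x24, REQ_AUTH, SECRET,
                          [(STATE, bytes.fromhex("0123456789abcdeffedcba9876543210"))])
    return req, chal
```

Two points are worth noting from a defender's side. First, the Response Authenticator is keyed by the Request Authenticator, which is why the challenge in (5.b) reuses packet identifier 0x24 from (5.a): a server response only verifies against the request it answers. Second, `verify_message_authenticator` returns False when the attribute is missing; for EAP traffic, where RFC 3579 requires Message-Authenticator in every Access-Request carrying EAP-Message, silently accepting a packet without it would let any host that can reach UDP/1812 inject attributes the NAS never sent.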
(6) After RADIUS completes, the UE needs to get an IP address before it can exchange IP packets. If the UE already has a static IP assigned (manual setting), it does not need this step and jumps to step (7). If no IP has been assigned yet, it initiates a dynamic IP assignment procedure. Which dynamic allocation procedure is triggered is up to the UE implementation: it may use DHCP (for IPv4), DHCPv6 (for IPv6), or IPv6 NDP to obtain the IP dynamically.