AAA Session
Introduction
RADIUS(AAA)
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service. RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. RADIUS servers use the AAA concept to manage network access in a two-step process, also known as an "AAA transaction". AAA stands for authentication, authorization and accounting.

Policy/portal server: A policy/portal server is the network element that provides the service control that allows services to be managed and modified in real time.

Billing server: The billing server maintains user account information, including the amount of credit remaining for prepaid services. When a user initiates services, the ISG contacts the billing server to determine whether the user has credit available.

AAA server: In IP deployments, the network uses a single authentication, authorization, and accounting (AAA) server. The AAA server maintains user authentication information and information about the services available to users. When the ISG receives a username and password, it forwards them to the AAA server for authentication. When a user activates a service, the ISG contacts the AAA server, which replies to the ISG with information on the service.
CPE: The customer premises equipment (CPE) router is a small router, such as a Cisco 800 series router, that is used either as a bridge or to initiate IP connections from the customer PC to the ISG.

BRAS: A broadband remote access server (BRAS, B-RAS or BBRAS) routes traffic to and from broadband remote access devices, such as digital subscriber line access multiplexers (DSLAM), on an Internet service provider's (ISP) network. A BRAS can also be referred to as a Broadband Network Gateway (BNG). The BRAS sits at the core of an ISP's network and aggregates user sessions from the access network. It is at the BRAS that an ISP can inject policy management and IP Quality of Service (QoS).
Access models
One of the decisions to be made when running a BRAS is the type of access that is preferred. There are two key options: PPPoE (PPP over Ethernet) and IPoE. PPPoE sessions are triggered by the reception of a PADI, and IP sessions are created by using DHCP as the session trigger.
Flow 1: A DHCP DISCOVER message is initiated by the subscriber. An intermediate device (DSLAM or switch) inserts DHCP Option 82 information to identify the subscriber's physical location. The ISG interface is configured to start a new session on DHCP control traffic. On session start, the policy activates the default service and authorizes the session based on network identifiers.
Flow 2: The ISG issues an Access-Request to authorize the session at the AAA server. The request includes the DHCP Option 82 information and carries the client's MAC address as the username.
Flow 3: On successful identity verification, the AAA server responds with an Access-Accept, which includes the user profile and the services to be activated. If the AAA server sends an Access-Reject instead, user authorization failed; the L4 Redirect service is activated and the subscriber is forced to log into the account.
Flow 4: If the services to be activated for the session are not already cached on the ISG, the ISG sends an Access-Request to the AAA server to download the service definition.
Flow 5: TAL (transparent auto logon) succeeds, and the DHCP module sends a DHCP OFFER message to the DHCP client.
Flow 6: An Accounting Start record is sent for the parent session and for the service.
Flow 7: The ISG assigns an IP address to the client.
RADIUS Attribute Value Pairs (AVPs) carry the data in both the request and the response of the authentication, authorization, and accounting transactions. Each AVP is encoded as Type, Length and Value; the Length field of the RADIUS packet header, not the size of the received datagram, determines where the AVPs end.
AVP    Assignment
1      User-Name
2      User-Password
3      CHAP-Password
4      NAS-IP-Address
5      NAS-Port
6      Service-Type
7      Framed-Protocol
8      Framed-IP-Address
9      Framed-IP-Netmask
10     Framed-Routing
11     Filter-Id
12     Framed-MTU
13     Framed-Compression
14     Login-IP-Host
15     Login-Service
16     Login-TCP-Port
17     (unassigned)
18     Reply-Message
19     Callback-Number
20     Callback-Id
21     (unassigned)
22     Framed-Route
23     Framed-IPX-Network
24     State
25     Class
26     Vendor-Specific
27     Session-Timeout
28     Idle-Timeout
29     Termination-Action
30     Called-Station-Id
31     Calling-Station-Id
32     NAS-Identifier
33     Proxy-State
34     Login-LAT-Service
35     Login-LAT-Node
36     Login-LAT-Group
37     Framed-AppleTalk-Link
38     Framed-AppleTalk-Network
39     Framed-AppleTalk-Zone
40     Acct-Status-Type
41     Acct-Delay-Time
42     Acct-Input-Octets
43     Acct-Output-Octets
44     Acct-Session-Id
45     Acct-Authentic
46     Acct-Session-Time
47     Acct-Input-Packets
48     Acct-Output-Packets
49     Acct-Terminate-Cause
50     Acct-Multi-Session-Id
51     Acct-Link-Count
52-59  (reserved for accounting)
60     CHAP-Challenge
61     NAS-Port-Type
62     Port-Limit
63     Login-LAT-Port
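As an added example (not code from the original page), the following Python builds a Flow 2 style Access-Request that carries the client's MAC address as User-Name, then parses the AVPs back, bounding the walk by the header Length field and rejecting attribute lengths that are too short or run past the packet. The attribute numbers are a subset of the table above; the MAC address, NAS address and NAS port are constructed values, and User-Password is left out because it needs the shared-secret hiding step that this example does not cover.

```python
import os
import socket
import struct

# Subset of the attribute numbers from the table above (RFC 2865/2866).
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              31: "Calling-Station-Id", 61: "NAS-Port-Type"}
ACCESS_REQUEST = 1  # Code value of an Access-Request

def build_packet(code, identifier, authenticator, avps):
    """20-byte header (Code, Identifier, Length, Authenticator) then Type/Length/Value AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def parse_avps(packet):
    """Walk the AVPs; the header Length field, not the datagram size, bounds the walk."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field %d is inconsistent with the datagram" % length)
    avps, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        # RFC 2865: an AVP Length is at least 2, and the AVP must end inside the packet.
        if l < 2 or pos + l > length:
            raise ValueError("attribute %d has bad length %d at offset %d" % (t, l, pos))
        avps.append((ATTR_NAMES.get(t, "Attr-%d" % t), packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, avps

def flow2_access_request(client_mac, nas_ip, nas_port, identifier=7):
    """Access-Request as in Flow 2: the client's MAC address is sent as the User-Name.
    The Request Authenticator is 16 random bytes, as RFC 2865 requires."""
    avps = [(1, client_mac.encode()), (4, socket.inet_aton(nas_ip)),
            (5, struct.pack("!I", nas_port)), (31, client_mac.encode())]
    return build_packet(ACCESS_REQUEST, identifier, os.urandom(16), avps)

if __name__ == "__main__":
    pkt = flow2_access_request("0011.2233.4455", "192.0.2.10", 72)  # constructed values
    print(parse_avps(pkt + b"\x00" * 4))  # bytes past the header Length are ignored
```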
The following is the "debug aaa authentication" output from the router.
User Access Verification
Username:
Jun 3 12:13:01.422 EDT: AAA: parse name=tty72 idb type=-1 tty=-1
Jun 3 12:13:01.422 EDT: AAA: name=tty72 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=72 channel=0
Jun 3 12:13:01.422 EDT: AAA/MEMORY: create_user (0x82A1CA18) user='NULL' ruser='NULL' ds0=0 port='tty72' rem_addr='10.20.1.1' authen_type=ASCII service=LOGIN priv=15 initial_task_id='0'
Jun 3 12:13:01.422 EDT: AAA/AUTHEN/START (4245677897): port='tty72' list='' action=LOGIN service=LOGIN
Jun 3 12:13:01.422 EDT: AAA/AUTHEN/START (4245677897): using "default" list
Jun 3 12:13:01.426 EDT: AAA/AUTHEN/START (4245677897): Method=tacacs+ (tacacs+)te
Jun 3 12:13:01.426 EDT: TAC+: send AUTHEN/START packet ver=192 id=4245677897
Jun 3 12:13:01.638 EDT: TAC+: ver=192 id=4245677897 received AUTHEN status = GETUSER
Jun 3 12:13:01.638 EDT: AAA/AUTHEN (4245677897): status = GETUSERst1
Password:
Jun 3 12:13:03.746 EDT: AAA/AUTHEN/CONT (4245677897): continue_login (user='(undef)')
Jun 3 12:13:03.746 EDT: AAA/AUTHEN (4245677897): status = GETUSER
Jun 3 12:13:03.746 EDT: AAA/AUTHEN (4245677897): Method=tacacs+ (tacacs+)
Jun 3 12:13:03.746 EDT: TAC+: send AUTHEN/CONT packet id=4245677897
Jun 3 12:13:03.950 EDT: TAC+: ver=192 id=4245677897 received AUTHEN status = GETPASS
Jun 3 12:13:03.950 EDT: AAA/AUTHEN (4245677897): status = GETPASS
Jun 3 12:13:06.318 EDT: AAA/AUTHEN/CONT (4245677897): continue_login (user='test1')
Jun 3 12:13:06.318 EDT: AAA/AUTHEN (4245677897): status = GETPASS
Jun 3 12:13:06.322 EDT: AAA/AUTHEN (4245677897): Method=tacacs+ (tacacs+)
Jun 3 12:13:06.322 EDT: TAC+: send AUTHEN/CONT packet id=4245677897
Jun 3 12:13:06.523 EDT: TAC+: ver=192 id=4245677897 received AUTHEN status = PASS
Jun 3 12:13:06.523 EDT: AAA/AUTHEN (4245677897): status = PASS
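To show how this debug output can be consumed by monitoring, here is an added Python example (not from the original page) that groups the AAA/AUTHEN lines by transaction id, records the port and username, tracks the GETUSER, GETPASS and PASS/FAIL status transitions, and reports the transactions that ended in a failed login. The sample log is constructed in the same format as the output above; the second transaction (id 4245677898, user 'admin', port tty73) and its FAIL outcome are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug aaa authentication" output above:
# the transaction from the page that passes, and an invented one that fails.
SAMPLE = """\
Jun 3 12:13:01.422 EDT: AAA/AUTHEN/START (4245677897): port='tty72' list='' action=LOGIN service=LOGIN
Jun 3 12:13:01.638 EDT: AAA/AUTHEN (4245677897): status = GETUSER
Jun 3 12:13:03.746 EDT: AAA/AUTHEN/CONT (4245677897): continue_login (user='(undef)')
Jun 3 12:13:06.318 EDT: AAA/AUTHEN/CONT (4245677897): continue_login (user='test1')
Jun 3 12:13:06.318 EDT: AAA/AUTHEN (4245677897): status = GETPASS
Jun 3 12:13:06.523 EDT: AAA/AUTHEN (4245677897): status = PASS
Jun 3 12:14:10.001 EDT: AAA/AUTHEN/START (4245677898): port='tty73' list='' action=LOGIN service=LOGIN
Jun 3 12:14:12.004 EDT: AAA/AUTHEN/CONT (4245677898): continue_login (user='admin')
Jun 3 12:14:12.004 EDT: AAA/AUTHEN (4245677898): status = GETPASS
Jun 3 12:14:14.300 EDT: AAA/AUTHEN (4245677898): status = FAIL
"""

# Timestamp, optional START/CONT phase, transaction id in parentheses, then the payload.
LINE = re.compile(r"^(?P<ts>\w+ +\d+ [\d:.]+ \w+): AAA/AUTHEN(?:/(?P<phase>START|CONT))? "
                  r"\((?P<id>\d+)\): (?P<rest>.*)$")
USER = re.compile(r"user='([^']*)'")
PORT = re.compile(r"port='([^']*)'")
STATUS = re.compile(r"status = (\w+)")

def summarize_authen(log_text):
    """Per transaction id: port, last real username, ordered statuses, final outcome."""
    tx = defaultdict(lambda: {"port": None, "user": None, "statuses": [], "outcome": "INCOMPLETE"})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # TAC+, AAA/MEMORY and keystroke-interleaved lines are not needed here
        rec, rest = tx[m["id"]], m["rest"]
        if m["phase"] == "START" and (p := PORT.search(rest)):
            rec["port"] = p.group(1)
        if (u := USER.search(rest)) and u.group(1) != "(undef)":
            rec["user"] = u.group(1)  # '(undef)' means the name has not been entered yet
        if s := STATUS.search(rest):
            rec["statuses"].append(s.group(1))
            if s.group(1) in ("PASS", "FAIL", "ERROR"):
                rec["outcome"] = s.group(1)
    return dict(tx)

def failed_logins(log_text):
    """(transaction id, username, port) for every transaction that ended in FAIL or ERROR."""
    return [(i, r["user"], r["port"]) for i, r in summarize_authen(log_text).items()
            if r["outcome"] in ("FAIL", "ERROR")]

if __name__ == "__main__":
    print(failed_logins(SAMPLE))
```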