Radius Server 1205
VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY
UNIVERSITY OF SCIENCE
FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS

PROJECT REPORT
Course: Network Technology
Group members: Nguyen Van Quoc Bao (0820005), Nguyen Quoc Hung, Nguyen Tien Hoang, Truong Quang Thang (student IDs 0820073, 0820061, 0820165)
Class 08VT1
October 2011

Work log: group discussion and exchange of ideas (24 Sept to 29 Sept). Drew lots for the presentation slot with group 2. Revised the content and prepared slides to send to the lecturer. Outlined the presentation and prepared the slides. Rehearsal presentation (30 Sept to 12 Oct).
Table of Contents

Part I. The RADIUS protocol
  1. Overview of the RADIUS protocol
  2. Introduction
  3. Properties of RADIUS
  4. RADIUS protocol 1
     4.1. Operation
     4.2. Packet format
     4.3. Packet types
  5. RADIUS protocol 2
     5.1. Operation
     5.2. Packet format
  6. Encryption and decryption method
Part II. RADIUS server
  1. Overview
  2. Authentication, authorization and accounting
  3. Security and extensibility
  4. Applying RADIUS to a WLAN
  5. Additional options
References
Part I. The RADIUS protocol

1. Overview of the RADIUS protocol

The Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 2865. It provides centralised authentication, authorization and accounting (AAA) for SLIP and PPP dial-up sessions, and most Internet service providers (ISPs) rely on it to authenticate users when they access the Internet. Instead of every Network Access Server (NAS) keeping its own list of usernames and passwords for authorization, a RADIUS Access-Request carries the credentials to an authentication server, which is normally an AAA server (Authentication, Authorization and Accounting). Architecturally this concentrates user data and access policy at a single point while still serving a large installed base of NASs.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA server carrying the username and password, the port the user connected on, a NAS identifier and a message Authenticator. On receipt, the AAA server uses the NAS identifier and the Authenticator to check that this NAS is allowed to send it requests. If it is, the server looks up the username and password the user presented in its database. If they match, the server takes the remaining information in the Access-Request into account to decide whether the user's access is accepted. Once authentication is under way, the AAA server may return a RADIUS Access-Challenge carrying a random number; the NAS forwards it to the remote user (in this example using CHAP). The user must answer the challenge correctly (with CHAP, by returning a response computed from the password), and the NAS then sends the AAA server a new RADIUS Access-Request. If the server is fully satisfied with the user's information it permits the service and returns a RADIUS Access-Accept message. Otherwise it returns a RADIUS Access-Reject and the NAS disconnects the user.

When an Access-Accept has been received and RADIUS accounting is configured, the NAS sends a RADIUS Accounting-Request (Start) to the AAA server. The server appends the information to its log file, so that it records when the NAS allowed the user's session to begin and when it ended. RADIUS accounting thus keeps a record of the user's authenticated session in the system; when the session ends the NAS sends a RADIUS Accounting-Request (Stop).
RADIUS is a widely used protocol that provides centralised authentication, authorization and accounting for network access. It was originally developed for dial-up connections; today RADIUS also supports VPN servers, wireless access points, authenticating Ethernet switches, DSL access and other kinds of network access. RADIUS is described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)" (IETF Draft Standard), and RFC 2866, "RADIUS Accounting" (Informational).

2. Introduction

Two RADIUS protocols are described:

RADIUS protocol 1 carries authentication, authorization and configuration information between a Network Access Server (NAS) that has requests to authenticate and a shared authentication server.

RADIUS protocol 2 carries accounting information between the NAS and a shared accounting server.

3. Properties of RADIUS

RADIUS is a transaction-oriented protocol built on UDP, with the following main properties.

If a request to the primary authentication server fails, the request must be sent to a secondary server. To do this, a copy of the request must be kept above the transport layer so that it can be retransmitted to the alternate server; this means there must be timers for retransmission.

RADIUS's timing requirements are very different from TCP's. On one hand, RADIUS does not need responsive detection of lost data: the user is willing to wait several seconds for authentication to complete, so the aggressive TCP retransmission scheme based on average round-trip time is unnecessary, as is the overhead of acknowledgements. On the other hand, the user cannot wait many minutes for authentication; waiting that long is pointless. Switching quickly to an alternate server lets the user get onto the network before giving up.

The stateless nature of RADIUS simplifies the use of UDP. Clients and servers come and go on the network; systems reboot for any number of reasons, such as loss of power. Such abnormal events would generally not be harmful given good timeouts and detection of broken TCP connections, but UDP avoids this special handling entirely: clients and servers can send UDP datagrams immediately and let them take their natural course through the network in the face of whatever events occur.

UDP also simplifies the server implementation. In earlier versions the server was single-threaded, meaning only one request at a time was received, processed and answered. This is unmanageable when the back-end security mechanism takes real time to respond: the server's request queue fills, and in an environment with hundreds of people authenticating every minute the turnaround time becomes far longer than users will wait. The solution chosen was a multi-threaded server over UDP: a separate process is spawned on the server for each request, and each replies directly to the client NAS with a UDP packet to the client's original transport-layer port.
4. RADIUS protocol 1

4.1. Operation

When a client (NAS) is configured to use RADIUS, any user of the client presents authentication information to it. This may be a login prompt at which the user is asked to enter a username and password, or the user may use a link-framing protocol such as PPP, which carries this information in authentication packets. Once the client has obtained such information it may choose to authenticate using RADIUS. To do so, the client creates an Access-Request containing attributes such as the user's name and password, the client's identifier and the identifier of the port the user is accessing. The password is hidden using a method based on the RSA Message Digest Algorithm MD5 (see section 6).

The Access-Request is sent to the RADIUS server over the network. If no response is returned within an agreed period of time the request is resent. The client can also forward requests to alternate servers in case the primary server is down or unreachable, or can use a round-robin arrangement. Whenever the RADIUS server receives a request it validates the sending client; requests from clients that do not share a secret with the RADIUS server are silently discarded. If the client is valid, the RADIUS server looks up the user named in the request in its database. The user's entry in the database holds the list of requirements that must be met to allow the user access. RADIUS always checks the user's password and may also check the client identifier and the port identifier the user is allowed to access. The RADIUS server may ask other servers to validate the request, in which case it acts as a client itself.

If any condition is not met, the RADIUS server sends an Access-Reject response indicating that the user's request is invalid. The server may include a text message in the Access-Reject for the client to display to the user. No other attributes (apart from Proxy-State) are permitted in an Access-Reject.

If all conditions are met and the RADIUS server wishes to issue a challenge that the user must answer, it sends an Access-Challenge response. This may carry a text message for the client to display to the user and a State attribute. If the client receives an Access-Challenge and supports challenge/response, it displays the message and prompts the user for a reply. The client then re-submits its original Access-Request with a new request ID, with the User-Password attribute replaced by the (hidden) reply just entered, and with the State attribute from the Access-Challenge included. The RADIUS server may answer this Access-Request with an Access-Accept, an Access-Reject or another Access-Challenge.

If in the end all conditions are met, the list of configuration values for the user is placed in the Access-Accept response. These values include the type of service (for example SLIP, PPP or Login) and the values needed to deliver that service. For SLIP and PPP they may include an IP address, subnet mask, MTU, compression method and packet filter identifier; in character mode they may include the protocol and host name.

4.2. Packet format

Exactly one RADIUS packet is encapsulated in the Data field of a UDP packet, whose destination port number is 1812. When a reply is generated, the source and destination ports are reversed. A RADIUS packet is laid out as follows (fields are transmitted from left to right).
Figure I-1: Packet format (Code, Identifier, Length, Authenticator, Attributes)

Code: The Code field is one octet and identifies the type of RADIUS packet. A packet with an invalid Code is silently discarded. RADIUS codes (decimal) are assigned as follows:

1    Access-Request
2    Access-Accept
3    Access-Reject
4    Accounting-Request
5    Accounting-Response
11   Access-Challenge
12   Status-Server (experimental)
13   Status-Client (experimental)
255  Reserved

Codes 4 and 5 are covered in the RADIUS Accounting document (RFC 2866). Codes 12 and 13 are reserved for experimental use and are not discussed further here.

Identifier
The Identifier field is one octet and aids in matching requests and replies. The RADIUS server can detect a duplicate request if it has the same client source IP address, source UDP port and Identifier within a short span of time.

Length: The Length field is two octets. It indicates the length of the packet including the Code, Identifier, Length, Authenticator and Attribute fields. Octets outside the range given by the Length field are treated as padding and ignored on reception. If the packet is shorter than the Length field indicates, it is silently discarded. The minimum length is 20 and the maximum is 4096.

Authenticator: The Authenticator field is 16 octets, the most significant octet transmitted first. This value is used to authenticate the reply from the RADIUS server and is used in the password hiding algorithm.

Request Authenticator: In Access-Request packets the Authenticator value is a 16-octet random number called the Request Authenticator. The value must be unpredictable and unique over the lifetime of a secret (the password shared between the client and the RADIUS server), because a repeated value used with the same secret would let an attacker replay a previous response without involving the RADIUS server at all. The Request Authenticator should therefore be globally and temporally unique. Although the protocol cannot protect against on-line observation of the authentication exchange, generating unpredictable values for the Request Authenticator severely limits what an eavesdropper can do. The NAS and the RADIUS server share a secret. That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16-octet value, which is XORed with the password entered by the user; the result is placed in the User-Password attribute of the Access-Request packet.
Response Authenticator: The Authenticator value in Access-Accept, Access-Reject and Access-Challenge packets is called the Response Authenticator. It is the one-way MD5 hash computed over a stream of octets consisting of the Code, Identifier and Length of the response, the Request Authenticator from the Access-Request, the response Attributes and the shared secret:

ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)

where + denotes concatenation.

Administrative note: The secret (the password shared between the client and the RADIUS server) should be at least as large and unguessable as a well-chosen password. It is preferred that the secret be at least 16 octets; this leaves enough room to provide a reasonable defence against exhaustive search attacks.

4.3. Packet types

The packet type is determined by the Code field, the first octet of the RADIUS packet.

Access-Request: Access-Request packets are sent to a RADIUS server and convey the information used to determine whether a user is allowed access to a specific NAS and to the network services requested. The Code field must be 1. An Access-Request should contain a User-Name attribute and must contain either a User-Password or a CHAP-Password attribute, but not both. It must contain a NAS-IP-Address or a NAS-Identifier attribute (or both) and should contain a NAS-Port or NAS-Port-Type attribute. The Identifier field must be changed whenever the content of the Attributes field changes or when a valid reply to the previous request has been received; when a packet is retransmitted unchanged, the Identifier stays the same.
Figure I-2: Access-Request packet format

Access-Accept: Access-Accept packets are sent by the RADIUS server when all attribute values in the Access-Request are acceptable. They provide the configuration information needed to deliver the service to the user. The Code field must be 2. On reception, the NAS must check that the Identifier matches a pending Access-Request and that the Response Authenticator is correct under the shared secret; a packet failing either check is silently discarded.

Figure I-3: Access-Accept packet format

Access-Reject: Access-Reject packets are sent by the RADIUS server if any attribute value is not acceptable. The Code field must be 3. The packet may contain one or more Reply-Message attributes with a text message that the NAS displays to the user. The Identifier field of an Access-Reject is a copy of the Identifier of the corresponding Access-Request.

Figure I-4: Access-Reject packet format

Access-Challenge: The RADIUS server sends an Access-Challenge to demand additional information that the user must supply. The Code field must be 11. The packet may contain one or more Reply-Message attributes and at most one State attribute; apart from Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State, no other attributes are permitted in an Access-Challenge. The Identifier must match the pending Access-Request and the Authenticator field must be correct under the shared secret; otherwise the packet is silently discarded. If the NAS does not support challenge/response, it treats the Access-Challenge as an Access-Reject. If it does, and the Access-Challenge is valid, the NAS displays the message and prompts the user for the information the RADIUS server asked for. The NAS then sends its original Access-Request with a new request ID and a new Request Authenticator, with the User-Password attribute replaced by the user's (hidden) response, and including the State attribute from the Access-Challenge, if one was present.
Figure I-5: Access-Challenge packet format

Attributes: RADIUS attributes carry the authentication, authorization and configuration details in request and reply packets. The end of the list of attributes is indicated by the Length field of the RADIUS packet. An attribute has the following format:
Figure I-6: Attribute format (Type, Length, Value)

Type: The Type field is one octet. Values 192 to 223 are reserved for experimental use, values 224 to 240 for implementation-specific use, and values 241 to 255 are reserved and should not be used. A RADIUS server may ignore attributes of unknown type, and so may a RADIUS client. The defined values are:

1   User-Name
2   User-Password
3   CHAP-Password
4   NAS-IP-Address
5   NAS-Port
6   Service-Type
7   Framed-Protocol
8   Framed-IP-Address
9   Framed-IP-Netmask
10  Framed-Routing
11  Filter-Id
12  Framed-MTU
13  Framed-Compression
14  Login-IP-Host
15  Login-Service
16  Login-TCP-Port
17  (unassigned)
18  Reply-Message
19  Callback-Number
20  Callback-Id
21  (unassigned)
22  Framed-Route
23  Framed-IPX-Network
24  State
25  Class
26  Vendor-Specific
27  Session-Timeout
28  Idle-Timeout
29  Termination-Action
30  Called-Station-Id
31  Calling-Station-Id
32  NAS-Identifier
33  Proxy-State
34  Login-LAT-Service
35  Login-LAT-Node
36  Login-LAT-Group
37  Framed-AppleTalk-Link
38  Framed-AppleTalk-Network
39  Framed-AppleTalk-Zone
40-59  (reserved for accounting)
60  CHAP-Challenge
61  NAS-Port-Type
62  Port-Limit
63  Login-LAT-Port

Length
The Length field indicates the length of the attribute including the Type, Length and Value fields. If an attribute with an invalid length is received in an Access-Request, the RADIUS server should respond with an Access-Reject. If an attribute with an invalid length is received in an Access-Accept, Access-Reject or Access-Challenge, the NAS must either treat the packet as an Access-Reject or silently discard it.

Value

The format and length of the Value field are determined by the Type and Length fields. The Value field takes one of the following data types (RFC 2865, section 5):

text: 1 to 253 octets containing UTF-8 encoded ISO 10646 characters. Text of length zero must not be sent; the entire attribute is omitted instead.

string: 1 to 253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero must not be sent; the entire attribute is omitted instead.

address: a 32-bit value, most significant octet first.

integer: a 32-bit unsigned value, most significant octet first.

time: a 32-bit unsigned value, most significant octet first, counting seconds since 00:00:00 UTC, 1 January 1970. The standard attributes do not use this data type, but it is presented here for possible use in future attributes.
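The packet and attribute rules above (Length between 20 and 4096, a datagram shorter than its Length discarded, octets beyond Length ignored, an attribute Length that counts Type and Length and therefore can never be below 3, no zero-length values) as an added Python example; this is not code from the report. The attribute table it decodes is a subset of the RFC 2865 list above, the sample datagram is constructed, and the DiscardPacket exception and the helper names are this example's own.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct(">BBH16s")    # Code | Identifier | Length | Authenticator
MIN_LENGTH, MAX_LENGTH = 20, 4096

# Type number -> (name, data type) for the attributes this example decodes (subset of RFC 2865).
ATTRIBUTES = {
    1: ("User-Name", "text"), 4: ("NAS-IP-Address", "address"),
    5: ("NAS-Port", "integer"), 6: ("Service-Type", "integer"),
    8: ("Framed-IP-Address", "address"), 18: ("Reply-Message", "text"),
    24: ("State", "string"), 27: ("Session-Timeout", "integer"),
}


class DiscardPacket(ValueError):
    """Raised where the text says the receiver must silently discard (or reject)."""


def decode_value(dtype: str, raw: bytes):
    if dtype in ("integer", "address") and len(raw) != 4:
        raise DiscardPacket(f"{dtype} value must be 4 octets, got {len(raw)}")
    if dtype == "integer":
        return struct.unpack(">I", raw)[0]          # most significant octet first
    if dtype == "address":
        return str(IPv4Address(raw))                # 4 packed octets -> dotted quad
    if dtype == "text":
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise DiscardPacket("text attribute is not valid UTF-8") from exc
    return raw                                      # string: opaque octets, returned as-is


def parse_attributes(data: bytes):
    """Walk Type|Length|Value triples. Length counts all three fields, so the smallest
    legal value is 3 (empty values are never sent: the whole attribute is omitted),
    and no attribute may run past the end of the packet."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise DiscardPacket("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > len(data):
            raise DiscardPacket(f"attribute type {atype} has invalid length {alen}")
        raw = data[pos + 2:pos + alen]
        name, dtype = ATTRIBUTES.get(atype, (f"Attribute-{atype}", "string"))
        out.append((name, decode_value(dtype, raw)))   # unknown types are kept, not rejected
        pos += alen
    return out


def parse_packet(datagram: bytes):
    """Packet-level rules: at least 20 octets, Length within 20..4096, the datagram
    not shorter than Length, and anything beyond Length treated as padding."""
    if len(datagram) < HEADER.size:
        raise DiscardPacket("datagram shorter than the 20-octet header")
    code, ident, length, authenticator = HEADER.unpack_from(datagram)
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise DiscardPacket(f"Length {length} outside 20..4096")
    if length > len(datagram):
        raise DiscardPacket("datagram shorter than its Length field")
    attrs = parse_attributes(datagram[HEADER.size:length])
    return {"code": code, "identifier": ident, "authenticator": authenticator, "attributes": attrs}


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Encoder used only to construct the sample packet below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


# Constructed Access-Request: Identifier 5, user "bob" on NAS 10.0.0.1 port 3, a State
# blob, then three octets that lie outside Length and must be ignored by the receiver.
SAMPLE = encode(1, 5, bytes(range(16)), [
    (1, b"bob"), (4, bytes([10, 0, 0, 1])), (5, struct.pack(">I", 3)), (24, b"\xde\xad"),
]) + b"\xff\xff\xff"


if __name__ == "__main__":
    print(parse_packet(SAMPLE))
```

The two length checks are deliberately different: a bad packet Length makes the whole datagram disappear, while a bad attribute Length is what the text says should turn into an Access-Reject (on the server) or a discard (on the NAS), so the parser surfaces it as an exception for the caller to map to the right action.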
5. RADIUS protocol 2

5.1. Operation

When a client is configured to use RADIUS accounting, at the start of service delivery it generates an Accounting Start packet describing the type of service being delivered and the user it is being delivered to, and sends it to the RADIUS accounting server, which returns an acknowledgement that the packet has been received. At the end of service delivery the client generates an Accounting Stop packet describing the type of service that was delivered and, optionally, statistics such as elapsed time, input and output octets, and input and output packets; it sends this to the RADIUS accounting server, which again acknowledges receipt.

Accounting-Request packets of both kinds (Start and Stop) are sent to the RADIUS accounting server over the network. The client continues to retransmit an Accounting-Request at intervals until it receives an acknowledgement. The client may also forward requests to alternate servers in case the primary server is down or unreachable. When a RADIUS accounting server forwards a request on to another server, it acts as a client.

5.2. Packet format

Like RADIUS protocol 1, RADIUS protocol 2 uses the same fields (Code, Identifier, Length, Authenticator and Attributes); only their contents differ. The Code field takes only the values 4 and 5, for the two packet types Accounting-Request and Accounting-Response. Any attribute valid in a RADIUS Access-Request or Access-Accept is valid in an Accounting-Request, except for User-Password, CHAP-Password, Reply-Message and State, which must not be present. Either NAS-IP-Address or NAS-Identifier must be present in an Accounting-Request, and NAS-Port or NAS-Port-Type should be present. Further details can be found at:

http://www.faqs.org/rfcs/rfc2865.html
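An added Python example, not code from the report, covering the two authenticator checks a practitioner has to implement from sections 4.2 and 4.3 (the NAS verifying the Identifier and Response Authenticator of a reply) and from section 5.2 (the accounting server verifying an Accounting-Request before it logs anything). The accounting Request Authenticator, which the report does not quote, is taken from RFC 2866 section 3: the same MD5 construction with 16 zero octets in place of the Request Authenticator. The shared secret, addresses, session values, attribute numbers beyond those listed above (Acct-Status-Type 40, Acct-Input-Octets 42, Acct-Output-Octets 43, Acct-Session-Id 44, Acct-Session-Time 46, from RFC 2866) and the helper names are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCT_REQUEST = 1, 2, 4
HEADER = struct.Struct(">BBH16s")                    # Code | Identifier | Length | Authenticator
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6       # RFC 2865
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43  # RFC 2866
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_START, ACCT_STOP = 44, 46, 1, 2

def attr(atype: int, value: bytes) -> bytes:
    """Type | Length | Value; Length counts all three fields."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([atype, len(value) + 2]) + value

def uint32(n: int) -> bytes:
    return struct.pack(">I", n)

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs

def digest(code: int, ident: int, attrs: bytes, auth_input: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + auth_input + Attributes + Secret): the shape of every RADIUS
    authenticator; only the 16 octets placed in the Authenticator position differ."""
    return hashlib.md5(HEADER.pack(code, ident, HEADER.size + len(attrs), auth_input)
                       + attrs + secret).digest()

def split(pkt: bytes):
    """(code, ident, authenticator, attribute octets inside Length), or None when the
    datagram is shorter than its Length field and must be silently discarded."""
    if len(pkt) < HEADER.size:
        return None
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt):
        return None
    return code, ident, auth, pkt[HEADER.size:length]

# Access exchange: the server signs its reply with the Request Authenticator it was sent.
def access_request(ident: int, attrs: bytes) -> bytes:
    return packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)   # fresh random RA each time

def access_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    _, ident, _, request_auth = HEADER.unpack_from(request)
    return packet(code, ident, digest(code, ident, attrs, request_auth, secret), attrs)

def nas_accepts_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Honour a reply only if its Identifier matches the outstanding request and its
    Response Authenticator recomputes under the shared secret."""
    parsed = split(reply)
    if parsed is None:
        return False
    code, ident, auth, attrs = parsed
    _, req_ident, _, request_auth = HEADER.unpack_from(request)
    if ident != req_ident:
        return False
    return hmac.compare_digest(auth, digest(code, ident, attrs, request_auth, secret))

# Accounting: the NAS signs the request itself, with 16 zero octets in the Authenticator
# position (RFC 2866), so the server can drop forged Start/Stop records before logging them.
def accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    return packet(ACCT_REQUEST, ident, digest(ACCT_REQUEST, ident, attrs, bytes(16), secret), attrs)

def server_accepts_accounting(pkt: bytes, secret: bytes) -> bool:
    parsed = split(pkt)
    if parsed is None or parsed[0] != ACCT_REQUEST:
        return False
    _, ident, auth, attrs = parsed
    return hmac.compare_digest(auth, digest(ACCT_REQUEST, ident, attrs, bytes(16), secret))

def demo():
    """Constructed exchange: one login, then Start and Stop records for the session.
    Returns (accept ok, tampered accept ok, wrong-secret accept ok,
             start ok, stop ok, wrong-secret stop ok)."""
    secret = b"example-secret-with-16+-octets"        # constructed; at least 16 octets as advised above
    nas = attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10])) + attr(NAS_PORT, uint32(3))
    request = access_request(42, attr(USER_NAME, b"alice") + nas)   # User-Password hiding is section 6
    service = attr(SERVICE_TYPE, uint32(2))
    accept = access_reply(ACCESS_ACCEPT, request, service, secret)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])            # flip one attribute octet in flight
    forged_accept = access_reply(ACCESS_ACCEPT, request, service, b"guessed-secret")
    session = nas + attr(ACCT_SESSION_ID, b"0000A1B2")
    start = accounting_request(7, attr(ACCT_STATUS_TYPE, uint32(ACCT_START)) + session, secret)
    stop_attrs = (attr(ACCT_STATUS_TYPE, uint32(ACCT_STOP)) + session
                  + attr(ACCT_SESSION_TIME, uint32(1800))
                  + attr(ACCT_INPUT_OCTETS, uint32(123456))
                  + attr(ACCT_OUTPUT_OCTETS, uint32(654321)))
    stop = accounting_request(8, stop_attrs, secret)
    forged_stop = accounting_request(9, stop_attrs, b"guessed-secret")
    return (nas_accepts_reply(accept, request, secret),
            nas_accepts_reply(tampered, request, secret),
            nas_accepts_reply(forged_accept, request, secret),
            server_accepts_accounting(start, secret),
            server_accepts_accounting(stop, secret),
            server_accepts_accounting(forged_stop, secret))

if __name__ == "__main__":
    print(demo())
```

Both verifications use a constant-time comparison and treat a datagram shorter than its Length as absent, exactly as the text requires; octets after Length are ignored, so a padded but otherwise valid reply still verifies. Note that the accounting check only proves the sender knew the secret: it says nothing about whether the session described actually happened, which is why an accounting server should also correlate Start and Stop records by Acct-Session-Id.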
6. Encryption and decryption method

The User-Password attribute, carried in Access-Request packets (including the re-submitted request that answers an Access-Challenge), represents the user's password and is hidden on its way to the RADIUS server. The password is first padded at the end with NUL characters to a multiple of 16 octets. A one-way MD5 hash is computed over the stream of octets consisting of the shared secret (between the NAS and the RADIUS server) followed by the Request Authenticator. The resulting value is XORed with the first 16-octet segment of the password, and the result is placed in the first 16 octets of the Value field of the User-Password attribute. If the password is longer than 16 characters, a second hash is computed over the shared secret followed by the result of the previous XOR. That hash is XORed with the next 16-octet segment of the password, and the result is placed in the next 16 octets of the String value of the User-Password attribute. This continues until all segments of the password have been processed (the password is at most 128 characters). See RFC 2865 for further details.

Let the shared secret be S and the 128-bit Request Authenticator be RA. Break the password, padded with NULs if necessary, into 16-octet chunks p1, p2, ... Call the ciphertext blocks c(1), c(2), ... and the intermediate values b1, b2, ... The + sign denotes concatenation.

b1 = MD5(S + RA)        c(1) = p1 xor b1
b2 = MD5(S + c(1))      c(2) = p2 xor b2
        .                        .
        .                        .
bi = MD5(S + c(i-1))    c(i) = pi xor bi

The String will contain c(1)+c(2)+...+c(i), where + denotes concatenation.
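The hiding algorithm above as an added Python example (not the report's code): hide_password implements the chain c(i) = pi xor MD5(S + c(i-1)) with c(0) = RA, reveal_password inverts it on the server side, and first_block_leak shows concretely why section 4.2 insists that the Request Authenticator never repeat under a secret. The secret, password and authenticator values are constructed for the example.

```python
import hashlib
import os

BLOCK = 16           # MD5 output size and the segment size of the algorithm
MAX_PASSWORD = 128   # RFC 2865: longer passwords cannot be carried in User-Password


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: c(i) = p(i) XOR MD5(S + c(i-1)), with c(0) = RA.
    Returns the String value of the User-Password attribute (a multiple of 16 octets)."""
    if not 1 <= len(password) <= MAX_PASSWORD:
        raise ValueError("password must be 1..128 octets")
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)   # NUL-pad up to a multiple of 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + BLOCK], b)
        out += c
        prev = c                    # the chaining input is the previous *ciphertext* block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream is derived from values the server holds
    (S, RA and the received ciphertext blocks), then the NUL padding is stripped.
    A password that itself ends in a NUL octet cannot be carried by this scheme."""
    if len(hidden) % BLOCK or not BLOCK <= len(hidden) <= MAX_PASSWORD:
        raise ValueError("User-Password value must be 16..128 octets, a multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(out).rstrip(b"\x00")


def first_block_leak(pw1: bytes, pw2: bytes, secret: bytes, request_auth: bytes) -> bool:
    """If a NAS reuses RA under the same secret, both first blocks are XORed with the same
    MD5(S + RA), so an eavesdropper who knows (or guesses) one password learns the other
    without ever learning the secret: c1 XOR c1' == p1 XOR p1'."""
    c1 = hide_password(pw1, secret, request_auth)[:BLOCK]
    c2 = hide_password(pw2, secret, request_auth)[:BLOCK]
    p1 = (pw1 + b"\x00" * BLOCK)[:BLOCK]
    p2 = (pw2 +
          b"\x00" * BLOCK)[:BLOCK]
    return _xor(c1, c2) == _xor(p1, p2)


if __name__ == "__main__":
    S, RA = b"example-shared-secret", os.urandom(16)       # constructed values
    hidden = hide_password(b"correct horse battery staple", S, RA)
    print(len(hidden), reveal_password(hidden, S, RA))
```

Two practical consequences follow from the code: the scheme is a stream cipher keyed by MD5(S + RA), so its whole strength rests on the secret being long and the Request Authenticator being fresh, and the NUL padding means the server sees the password's length only rounded up to 16 octets, but a password ending in NUL is silently truncated on recovery.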
Part II. RADIUS server

1. Overview

Figure II-1: Authentication model using a RADIUS server

2. Authentication, authorization and accounting

The RADIUS protocol, defined in RFC 2865, provides centralised authentication, authorization and accounting (AAA) for SLIP and PPP dial-up sessions, and Internet service providers (ISPs) rely on it to authenticate users when they access the Internet. Instead of every NAS keeping its own list of usernames and passwords for authorization, the RADIUS Access-Request carries the credentials to an authentication server, normally an AAA server. Architecturally this concentrates user data and access control at a single point while still serving a large installed base of NASs.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA server carrying the username, password, UDP port, NAS identifier and an Authenticator. On receipt, the AAA server uses the NAS identifier and the Authenticator to check whether this NAS is permitted to send requests. If it is, the AAA server checks the username and password the user presented against its database. If they match, it takes the remaining information in the Access-Request into account in deciding whether the user's access is accepted. Once authentication is under way, the AAA server may return a RADIUS Access-Challenge carrying a random number; the NAS forwards it to the remote user. The user must answer the challenge correctly, after which the NAS sends the AAA server a new RADIUS Access-Request. If the AAA server is fully satisfied with the user's information it permits the service and returns a RADIUS Access-Accept message; otherwise it returns a RADIUS Access-Reject and the NAS terminates the service.

When the Access-Accept has been received and RADIUS accounting is configured, the NAS sends a RADIUS Accounting-Request to the AAA server. The server appends the information to its log file, recording when the NAS allowed the user's session to begin and when it ended. RADIUS accounting thus records the user's authenticated session in the system; when the session ends the NAS sends another RADIUS Accounting-Request.

3. Security and extensibility

All RADIUS messages are encapsulated in UDP datagrams. Each contains a message type (the Code), a sequence number (the Identifier), a Length, an Authenticator and a series of attribute-value pairs, as described above.
4. Applying RADIUS to a WLAN

In a WLAN using IEEE 802.1X port-based access control, the wireless stations play the role of the remote access clients and the wireless access point (AP) acts as the NAS. Instead of connecting to the NAS over a dial-up link with PPP, the wireless station connects to the AP using the 802.11 protocol. To begin the process, the station sends an EAP-Start (EAPOL-Start) to the AP. The AP asks the station for its identity and forwards it to the AAA server in a RADIUS Access-Request carrying the User-Name attribute. The AAA server and the wireless station then complete the authentication by exchanging RADIUS Access-Challenge and Access-Request messages through the AP; depending on the EAP method chosen, this exchange is carried inside an encrypted TLS tunnel. If the AAA server sends an Access-Accept, the AP and the station complete the association and the session proceeds with WEP or TKIP encrypting the data. At that point the AP unblocks the port and the station can send and receive traffic on the network normally. Note that the data encryption between the wireless station and the AP is separate from the protection of the exchange between the AP and the AAA server.

If the AAA server sends an Access-Reject, the AP disconnects the wireless station. The station may retry authentication, but the AP keeps it from sending packets into the network through its port. Note that the station can still listen to the data transmitted by other stations, since the data travel over radio; this is why data on a wireless network must be encrypted in transit.

Attribute-value pairs in the RADIUS messages can also be used by the AAA server to control the session between the AP and the wireless station, for example Session-Timeout or a VLAN tag (Tunnel-Type=VLAN, Tunnel-Private-Group-ID=TAG). Exactly which additional information can be used depends on the AAA server, the AP and the wireless station you are using.

5. Additional options

Once you understand the role of RADIUS in WLAN authentication, you need to set up an AAA server that supports this interaction. If your AAA server is a RADIUS server that already supports 802.1X authentication and offers a choice of EAP methods, the next step is simply how to enable that feature. If you have a RADIUS server that does not support 802.1X, or does not support the EAP method you need, you can either upgrade the server software to a newer version or install a new server. If you install a new server that supports 802.1X authentication, you can use RADIUS proxying to build a chain of servers sharing one central database: the RADIUS proxy forwards authentication requests to the servers capable of 802.1X authentication. If you have no RADIUS server at all, you will need to install one for WLAN authentication; choosing that installation is an interesting task.

With a central database, using RADIUS for a WLAN matters because if your network has many APs, configuring security on each AP separately is hard to manage: users could authenticate at many different APs, and that is not really secure. Using RADIUS for the WLAN is highly convenient: it provides authentication for the whole multi-AP system and allows smarter solutions.