
VIETNAM NATIONAL UNIVERSITY HO CHI MINH CITY - UNIVERSITY OF SCIENCE - FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS

PROJECT REPORT
Course: Network Technology

A Study of Radius Server

Supervising lecturer: CH. Nguyen Viet Ha

Team members: Nguyen Van Quoc Bao 0820005, Nguyen Quoc Hung, Nguyen Tien Hoang, Truong Quang Thang (0820073, 0820061, 0820165)

Class 08VT1

- October 2011 -

Project timeline:

Overview study of Radius Server, week 1 (16-9 ==> 23-9)

Discussion and exchange of ideas (24-9 ==> 29-9). Drew lots for the presentation order with group 2. Revised the content and prepared slides to send to the lecturer. Drafted the presentation outline and made the slides. Rehearsed the presentation. (30-9 ==> 12/10)

Table of Contents

Part I. The RADIUS protocol
  1. Overview of the RADIUS protocol
  2. Introduction
  3. Properties of RADIUS
  4. RADIUS protocol 1
    4.1. Operation
    4.2. Packet format
    4.3. Packet type
  5. RADIUS protocol 2
    5.1. Operation
    5.2. Packet Format
  6. Encryption and decryption method
Part II. RADIUS SERVER
  1. Overview
  2. Authentication, authorization and accounting
  3. Security and extensibility
  4. Applying RADIUS to a WLAN
  5. Additional options
References

Part I. The RADIUS protocol


1. Overview of the RADIUS protocol (Authentication, Authorization, and Accounting)

The Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 2865. It provides centralized authentication, authorization and access control (Authentication, Authorization and Access Control, AAA) for SLIP and PPP dial-up sessions; Internet service providers (ISPs) rely on this protocol to authenticate users when they access the Internet. Every Network Access Server (NAS) that works with a list of usernames and passwords for authorization needs it: the RADIUS Access-Request carries the information to an Authentication Server, usually an AAA Server (AAA: Authentication, Authorization and Accounting). Within the system architecture this makes it possible to centralize user data and access conditions at a single point, while still serving a large system with many NASs.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA server, carrying information such as the username and password, via a defined port, the NAS identifier and a message Authenticator. On receiving it, the AAA server uses the supplied values, the NAS identifier and the Authenticator, to verify that this NAS is permitted to send such requests. If it is, the AAA server looks up the username and password the user presented in its database. If the check succeeds, it decides, based on the Access-Request, that the user's access is accepted. Once authentication is under way, the AAA server may return a RADIUS Access-Challenge carrying a random number. The NAS forwards it to the remote user (this example uses CHAP). The user must then answer the challenge correctly (in this example, by producing the encrypted password), after which the NAS sends the AAA server a RADIUS Access-Request. If the AAA server finds the user's information fully satisfactory it allows use of the service and returns a RADIUS Access-Accept message. Otherwise the AAA server returns a RADIUS Access-Reject and the NAS disconnects the user.

When an Access-Accept has been received and RADIUS Accounting is configured, the NAS sends a RADIUS Accounting-Request (Start) packet to the AAA server. The server adds this information to its log file, recording when the NAS allowed the user's session to start and when it ends. RADIUS Accounting records the user's authentication history in the system, and when the session ends the NAS sends a RADIUS Accounting-Request (Stop).
RADIUS is a widely used protocol that provides centralized authentication, authorization and accounting for network access. It was originally developed for remote dial-up connections. Radius now also supports VPN servers, wireless access points, Internet switch authentication, DSL access and other kinds of network access. RADIUS is described in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)" (IETF Draft Standard), and RFC 2866, "RADIUS Accounting" (Informational).

2. Introduction

There are 2 RADIUS protocols, describing:

RADIUS protocol 1: authentication, authorization and configuration information between a Network Access Server (NAS), which has requests that need to be authenticated, and a shared authentication server.

RADIUS protocol 2: accounting information between the NAS and a shared accounting server.

3. Properties of RADIUS

RADIUS is essentially a transaction-based protocol with the following main properties:

If a request sent to the primary authentication server fails, the request must be sent to a secondary server. To allow this, a copy of the request must be kept above the transport layer so that it can be sent to the alternate server. This means that retransmission timers are needed.

The timing requirements of RADIUS are very different from those of TCP. On the one hand, RADIUS does not require responsive detection of lost data. The user is willing to wait several seconds for authentication to complete. The aggressive retransmission that TCP performs based on the average round-trip time is not needed, nor is the overhead of acknowledging replies. On the other hand, the user cannot wait for many minutes for authentication; waiting that long is of no use. Quickly switching to an alternate server lets the user get onto the network before giving up.

The stateless nature of RADIUS simplifies the use of UDP. Clients and servers come and go on the network. Systems reboot for some reason, for example a power failure. These unusual events are generally not harmful if there are good timeouts and broken TCP connections are detected. UDP, however, avoids these special cases entirely: clients and servers can open their UDP transport immediately and let it carry traffic on a network where such events may occur.

UDP simplifies the server implementation. In earlier versions the server was single-threaded, meaning that only one request at a time was received, processed and answered. This is unmanageable in an environment where the back-end security mechanism operates in real time. The server's request queue would fill up, and in an environment with hundreds of users requesting authentication every minute the turnaround time of a request would be far longer than a user is willing to wait. The chosen solution is therefore to implement the server in multi-threaded mode with UDP. Separate processes are spawned on the server for each request, and these processes reply directly to the client NAS with a UDP packet to the client's original transport endpoint.

4. RADIUS protocol 1

4.1. Operation

When a client is configured to use RADIUS, any user of that client presents authentication information to the client. This may be a network login prompt asking the user to enter a username and password. Alternatively the user may use a suitable link-framing protocol such as PPP to present this information in data packets.

Once the client has obtained such information, it may choose to authenticate using RADIUS. The client creates an access request containing attributes such as the user's password, the client's ID and the ID of the port the user is accessing through. The password entered is hidden (RSA or MD5 encryption). The access request is sent to the RADIUS server over the network. If no reply is returned within an agreed period, the request is re-sent. The client may forward the request to backup servers if the primary server is down or unreachable, or operate in round-robin fashion.

Each time the RADIUS server receives a request, it validates the sending client. Requests from clients that do not share a secret with the RADIUS server are silently discarded without a reply. If the client is valid, the RADIUS server looks up the user named in the request in its database. The user's entry in the database contains the list of requirements that must be met to allow the user access to the network. RADIUS always verifies the user's password, and may also verify the client ID and the port ID the user is permitted to use.

The RADIUS server may ask other servers to verify the request; in that case RADIUS acts as a client.

If any condition is not met, the RADIUS server sends an access-reject reply indicating that the user's request is invalid. The server may include a text message in the access-reject for the client to display to the user. No other attributes are permitted in the access-reject.

If all conditions are met and the RADIUS server wishes to issue a challenge the user must answer, it sends an access-challenge reply, which may contain a text message to be displayed to the user by the client, or a state attribute. The client receives the access-challenge and, if it supports challenge/response, displays the message prompting the user to answer. The client then re-submits the original access-request with a new request ID, with the username and password attributes taken from the newly entered information, and including the state attribute from the access-challenge. The RADIUS server may respond to an access-request with an access-accept, an access-reject or another access-challenge.

If in the end all of the above conditions are met, the list of configuration values for the user is placed in the access-accept reply. These values include the type of service (SLIP, PPP, Login, ...) and the values needed to deliver that service. For SLIP or PPP, for example, these may be the IP address, subnet mask, MTU, compression method and packet filter identifier. In character mode they may be the protocol and host name.

4.2. Packet format

Precisely, a RADIUS packet is encapsulated in the data field of a UDP datagram, and the destination port number is 1812. When a reply is generated, the source and destination port numbers are preserved. A RADIUS packet is laid out as follows (fields are transmitted from left to right).

Figure I-1 Packet Format

Code: The Code field is one octet and identifies the type of RADIUS packet. A packet with an invalid Code is silently discarded. RADIUS codes (decimal) are assigned as follows:

  1    Access-Request
  2    Access-Accept
  3    Access-Reject
  4    Accounting-Request
  5    Accounting-Response
  11   Access-Challenge
  12   Status-Server (experimental)
  13   Status-Client (experimental)
  255  Reserved

Codes 4 and 5 are covered in the RADIUS accounting document [5]. Codes 12 and 13 are reserved for possible use but are not discussed here.

Identifier

The Identifier field is one octet and is used to match requests with replies. The RADIUS server can detect a duplicate request if it has the same client source IP address, source UDP port and Identifier within a short span of time.

Length

The Length field is two octets and covers the Code, Identifier, Length, Authenticator and Attribute fields. Bytes outside the range given by Length are treated as padding and ignored on reception. If the packet is shorter than the Length field indicates, it is silently discarded. The minimum value of the Length field is 20 and the maximum is 4096.

Authenticator

The Authenticator field is 16 octets, most significant octet first. This value is used to authenticate replies from the RADIUS server and is used in the password hiding algorithm.

Request Authenticator: In access-request packets the value of the Authenticator field is a 16-byte random number called the Request Authenticator. The value must be unpredictable and unique over the lifetime of the secret (the password shared between the client and the RADIUS server), because a repeated value would let an attacker answer the request without the RADIUS server's involvement. The Request Authenticator should therefore be globally and temporally unique. Although the RADIUS protocol cannot prevent eavesdropping on the authentication exchange on the wire, generating unpredictable Request Authenticator values greatly limits what such eavesdropping yields.

The NAS and the RADIUS server share a secret. This shared secret, followed by the Request Authenticator, is hashed with MD5 to produce a 16-byte value. That value is XORed with the password the user entered, and the result is placed in the User-Password attribute of the access-accept packet.

Response Authenticator: The value of the Authenticator field in access-request, access-reject and access-challenge packets is called the Response Authenticator. It is computed as the MD5 hash over the byte sequence of the Code field, Identifier, Length, the Request Authenticator of the access-request, followed by the reply attributes and the shared secret:

ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)

where + denotes concatenation.

Administrative note

The secret (the password shared between the client and the RADIUS server) should be at least as large and unguessable as a well-chosen password. A preferred minimum is 16 octets. This gives a large enough space to protect against exhaustive search attacks.

4.3. Packet type

The packet type is determined by the Code field, which occupies the first byte of the RADIUS packet.

Access-Request

The access-request packet is sent to the RADIUS server. It carries the information used to decide whether the user is allowed access to the NAS and to the specified services. The Code field of the packet must be 1. An access-request must contain the User-Name attribute and either User-Password or CHAP-Password, and may contain NAS-IP-Address, NAS-Identifier, NAS-Port and NAS-Port-Type. The Identifier field must change whenever the content of the Attributes field changes or a valid reply to the previous request has been received. When a packet is retransmitted, the Identifier is unchanged.

Figure I-2 Access-request Packet Format

Access-Accept

The access-accept packet is returned by the RADIUS server when all attribute values in the access-request are acceptable. It provides the configuration information needed to deliver services to the user. The Code field must be 2. An access-accept received by the NAS must have an Identifier matching the corresponding access-request sent earlier, and its Response Authenticator must be correct for the shared secret.

Figure I-3 Access-accept Packet Format

Access-Reject

The access-reject packet is returned by the RADIUS server when some attribute value is not acceptable. Its Code field must be 3. The packet may contain one or more Reply-Message attributes carrying a text message that the NAS displays to the user. The Identifier field of the access-reject is a copy of that in the corresponding access-request.

Figure I-4 Access-reject packet format

Access-Challenge

The access-challenge packet is sent by the RADIUS server to the user to request additional information that the user must supply. The Code field of the packet must be 11. The packet may contain one or more Reply-Message attributes and may contain one State attribute. No other attributes may appear in an access-challenge. The Identifier field of the access-challenge must match the corresponding access-request sent earlier, and its Authenticator field must be correct for the shared secret. If the NAS does not support challenge/response, a received access-challenge is treated as an access-reject. If the NAS supports challenge/response and the received access-challenge is valid, the NAS displays the message and prompts the user for the information the RADIUS server asked for. The NAS then sends the original access-request again, but with a new request ID and a new Request Authenticator, with the User-Password attribute replaced by the user's (encrypted) answer, and possibly including the State attribute from the access-challenge.

Figure I-5 Access-challenge packet format

Attributes

RADIUS attributes, carried in request and reply packets, convey the authentication, authorization and configuration information needed to deliver services to the user. The Length field of the RADIUS packet determines where the attributes in the packet end. An attribute has the following form:

Figure I-6 Attribute format

o Type

The Type field is one octet. Values 192-223 are reserved for experimental use, values 224-240 for implementation-specific use, and 241-255 are reserved and should not be used. A RADIUS server may ignore attributes of an unknown Type, and a RADIUS client may likewise ignore attributes of an unknown Type. The following values are of interest:

  1    User-Name
  2    User-Password
  3    CHAP-Password
  4    NAS-IP-Address
  5    NAS-Port
  6    Service-Type
  7    Framed-Protocol
  8    Framed-IP-Address
  9    Framed-IP-Netmask
  10   Framed-Routing
  11   Filter-Id
  12   Framed-MTU
  13   Framed-Compression
  14   Login-IP-Host
  15   Login-Service
  16   Login-TCP-Port
  17   (unassigned)
  18   Reply-Message
  19   Callback-Number
  20   Callback-Id
  21   (unassigned)
  22   Framed-Route
  23   Framed-IPX-Network
  24   State
  25   Class
  26   Vendor-Specific
  27   Session-Timeout
  28   Idle-Timeout
  29   Termination-Action
  30   Called-Station-Id
  31   Calling-Station-Id
  32   NAS-Identifier
  33   Proxy-State
  34   Login-LAT-Service
  35   Login-LAT-Node
  36   Login-LAT-Group
  37   Framed-AppleTalk-Link
  38   Framed-AppleTalk-Network
  39   Framed-AppleTalk-Zone
  40-59 (reserved for accounting)
  60   CHAP-Challenge
  61   NAS-Port-Type
  62   Port-Limit
  63   Login-LAT-Port

o Length

Indicates the length of the attribute including the Type, Length and Value fields. If an attribute in an access-request has an invalid Length, the RADIUS server replies with an access-reject. If an attribute in an access-reject, access-accept or access-challenge has an invalid Length, the NAS client either treats the packet as an access-reject or silently discards it.

o Value

The format and length of the Value field are determined by the Type field and the Length field. There are 4 data types for the Value field, as follows:

Text: 1-253 octets containing UTF-8 encoded 10646 [7] characters. Text of length zero (0) MUST NOT be sent; omit the entire attribute instead.

String: 1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead.

Address: 32 bit value, most significant octet first.

Integer: 32 bit unsigned value, most significant octet first.

Time: 32 bit unsigned value, most significant octet first - seconds since 00:00:00 UTC, January 1, 1970. The standard Attributes do not use this data type but it is presented here for possible use in future attributes.
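As an added example (not code from the report or from any RADIUS implementation), the packet layout and attribute rules of sections 4.2 and 4.3 in Python: the NAS builds an Access-Request, the server seals an Access-Challenge with ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), and the NAS verifies it; the shared secret, user name and addresses are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (report section 4.2) and attribute types used below (section 4.3
# table); all values are from RFC 2865.
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, STATE = 1, 4, 5, 18, 24

def encode_attrs(attrs):
    # Type(1) | Length(1) | Value; Length counts all three fields (2..255)
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:  # zero-length values must be omitted
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):  # invalid Length -> reject/discard
            raise ValueError("invalid attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def build_packet(code, ident, authenticator, attrs):
    # Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes
    body = encode_attrs(attrs)
    if 20 + len(body) > 4096:
        raise ValueError("packet exceeds 4096 octets")
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    # Length rules: <20 or >4096 invalid, shorter-than-Length discarded, extra octets ignored
    if len(pkt) < 20:
        raise ValueError("packet shorter than 20 octets")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > 4096 or len(pkt) < length:
        raise ValueError("Length field invalid for this datagram")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, request_auth, attrs, secret):
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def verify_reply(reply_pkt, request_pkt, secret):
    # NAS side: Identifier must match and the authenticator must recompute under the secret
    _, req_ident, request_auth, _ = parse_packet(request_pkt)
    code, ident, auth, attrs = parse_packet(reply_pkt)
    if ident != req_ident:
        return False
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)  # constant-time compare

def demo():
    # Constructed exchange: a good challenge, a corrupted one, and a wrong secret
    secret = b"constructed-shared-secret-1"  # constructed; >= 16 octets as advised
    request = build_packet(ACCESS_REQUEST, 7, os.urandom(16),
                           [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 168, 1, 10])),
                            (NAS_PORT, struct.pack("!I", 3))])
    reply_attrs = [(REPLY_MESSAGE, b"Enter token"), (STATE, b"s1")]
    auth = response_authenticator(ACCESS_CHALLENGE, 7, request[4:20], reply_attrs, secret)
    challenge = build_packet(ACCESS_CHALLENGE, 7, auth, reply_attrs)
    tampered = bytearray(challenge)
    tampered[4] ^= 0xFF  # flip one authenticator byte
    return (verify_reply(challenge, request, secret),
            verify_reply(bytes(tampered), request, secret),
            verify_reply(challenge, request, b"wrong-secret"))
```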

5. RADIUS protocol 2

5.1. Operation

When a client is configured to use RADIUS Accounting, at the start of service delivery it generates an Accounting Start packet describing the type of service being delivered and the user it is delivered to, and sends this packet to the RADIUS accounting server, which in turn returns an acknowledgement that the packet was received. At the end of service delivery the client generates an Accounting Stop packet describing the type of service delivered and optional statistics such as elapsed time, input/output bytes and input/output packets, and sends it to the RADIUS accounting server, which again returns an acknowledgement that the packet was received.

Accounting-request packets of both kinds, Start and Stop, are sent to the RADIUS accounting server over the network. The client normally keeps retransmitting the accounting-request at a fixed interval until it receives an acknowledgement (ACK). The client may forward the request to other servers if the primary server is off or broken. In this case the RADIUS accounting server acts as a client.

5.2. Packet Format

Like RADIUS protocol 1, RADIUS protocol 2 has the same 4 fields, code, identifier, length, authenticator and attributes, and differs only in their content. The Code field takes only the two values 4 and 5, for the two packet types accounting-request and accounting-response. Attributes that are valid in access-request and access-accept packets are valid in accounting-request packets, except for a few that must not appear: User-Password, CHAP-Password, Reply-Message and State. Some attributes must always be present in an accounting-request, such as NAS-IP-Address and NAS-Identifier, and others should be present, such as NAS-Port and NAS-Port-Type. For further details see:

http://www.faqs.org/rfcs/rfc2865.html

6. Encryption and decryption method

The User-Password attribute carried in access-request or access-challenge packets, representing the user's password, is hidden in transit to the RADIUS server. The password is padded with NUL characters so that its length is a multiple of 16 bytes. A one-way MD5 hash is computed over the byte sequence of the secret shared between the NAS and the RADIUS server followed by the Request Authenticator. The resulting value is XORed with the first 16 bytes of the password, and the result is placed in the first 16 bytes of the Value field of the User-Password attribute. If the password is longer than 16 characters, a second hash is computed over the shared secret followed by the result of the previous XOR. That hash is XORed with the next 16 bytes of the password, and the result is placed in the next 16 bytes of the String value of the User-Password attribute. The process continues until all segments of the password have been processed (at most 128 characters). See RFC 2865 for more details.

Let the shared secret be S and the 128-bit Request Authenticator be RA. Break the password, padded with NUL characters if needed, into 16-byte chunks p1, p2, .... Call the ciphertext blocks c(1), c(2), ... and the intermediate values b1, b2, .... The + sign denotes concatenation.

    b1 = MD5(S + RA)        c(1) = p1 xor b1
    b2 = MD5(S + c(1))      c(2) = p2 xor b2
    .   .   .
    bi = MD5(S + c(i-1))    c(i) = pi xor bi

The String will contain c(1)+c(2)+...+c(i) where + denotes concatenation.

When the RADIUS packet is received, the same process is run in reverse to recover the password.
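The hiding procedure of section 6, as an added Python example that is not part of the report: hide_password implements b(i) = MD5(S + c(i-1)), c(i) = p(i) xor b(i), unhide_password runs it in reverse, and authenticator_reuse_leaks shows why section 4.2 requires the Request Authenticator to be unique. The secret and passwords are constructed values.

```python
import hashlib
import os

def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    # c(i) = p(i) xor MD5(S + c(i-1)), with c(0) = RA; b(i) in the report is the MD5 term
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b_i = hashlib.md5(secret + prev).digest()
        c_i = _xor16(padded[i:i + 16], b_i)
        hidden += c_i
        prev = c_i  # the next block is chained on this ciphertext block
    return hidden

def unhide_password(hidden, secret, request_auth):
    # Server side: same chain, XOR the other way, then strip the NUL padding
    # (a password that itself ends in NUL bytes cannot be distinguished from padding)
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password value must be 16..128 octets, a multiple of 16")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b_i = hashlib.md5(secret + prev).digest()
        c_i = hidden[i:i + 16]
        plain += _xor16(c_i, b_i)
        prev = c_i
    return plain.rstrip(b"\x00")

def authenticator_reuse_leaks(p1, p2, secret, request_auth):
    # Why RA must never repeat under one secret: both first blocks are XORed with the
    # same b1, so XORing the two hidden values cancels b1 and leaves p1 xor p2, which
    # an observer obtains without knowing the secret. Returns True if the leak holds.
    h1 = hide_password(p1, secret, request_auth)[:16]
    h2 = hide_password(p2, secret, request_auth)[:16]
    pad = lambda p: (p + b"\x00" * 16)[:16]
    return _xor16(h1, h2) == _xor16(pad(p1), pad(p2))

def demo():
    secret = b"constructed-shared-secret"  # constructed, not a deployment value
    ra = os.urandom(16)                    # fresh and unpredictable per request
    pw = b"correct horse battery staple"   # 28 octets -> two 16-octet blocks
    hidden = hide_password(pw, secret, ra)
    return (len(hidden), unhide_password(hidden, secret, ra) == pw,
            authenticator_reuse_leaks(b"hunter2", b"letmein!", secret, ra))
```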

Part II. RADIUS SERVER


1. Overview

WLAN security uses the 802.11x standard combined with user authentication at the AP. A server that performs authentication on the RADIUS platform may be the best solution for providing authentication for the 802.11x standard.

Figure II-1 Authentication model using a RADIUS Server

2. Authentication, authorization and accounting

The RADIUS protocol is defined in RFC 2865 as follows: it provides centralized authentication, authorization and access control (Authentication, Authorization and Accounting, AAA) for SLIP and PPP dial-up sessions. Internet service providers (ISPs) rely on this protocol to authenticate users when they access the Internet. It is needed in NASs that work with a list of usernames and passwords for authorization: the RADIUS Access-request carries the information to an Authentication Server, usually an AAA Server. Within the system architecture this makes it possible to centralize user data, user information and access control at a single point, while still serving a large system with many NASs.

When a user connects, the NAS sends a RADIUS Access-request message to the AAA server carrying information such as the Username, Password, UDP port, NAS identifier and an Authentication message. On receiving it, the AAA server uses the supplied values, the NAS identifier and the Authenticator, to verify that this NAS is permitted to send such requests. If it is, the AAA server checks the username and password the user presented against its database. If the check succeeds, it decides, based on the Access-request, that the user's access is accepted. Once authentication is under way, the AAA server may return a RADIUS Access-Challenge carrying a random number. The NAS forwards it to the remote user. The user must answer the challenge correctly, after which the NAS sends the AAA server a RADIUS Access-Request. If the AAA server finds the user's information fully satisfactory it allows use of the service and returns a RADIUS Access-accept message. Otherwise the AAA server returns a RADIUS Access-reject and the NAS terminates the service. When an Access-accept has been received and RADIUS Accounting is configured, the NAS sends a RADIUS Accounting-request packet to the AAA server. The server adds this information to its log file, recording when the NAS allowed the user's session to start and when it ends. RADIUS Accounting records the user's authentication history in the system, and when the session ends the NAS sends a RADIUS Accounting-request.

3. Security and extensibility

All RADIUS messages are encapsulated in UDP datagrams and contain the fields message type, sequence number, length, authenticator and a series of attribute values, as studied above.

4. Applying RADIUS to a WLAN

In a WLAN using 802.11x port access control, the wireless stations play the role of Remote Access clients and the Wireless Access Point works as a NAS (Network Access Server). Instead of connecting to the NAS by dial-up with the PPP protocol, the wireless station connects to the AP using the 802.11 protocol.

The process runs as follows: the wireless station sends an EAP-Start to the AP. The AP asks the station to identify itself and forwards that information to an AAA server in a RADIUS Access-request carrying the User-Name attribute. The AAA server and the wireless station complete the exchange by passing RADIUS Access-challenge and Access-request messages through the AP. Depending on the EAP type chosen above, this information is carried inside an encrypted TLS tunnel. If the AAA server sends an Access-accept message, the AP and the wireless station complete the connection and the session setup, using WEP or TKIP to encrypt data. At that point the AP unblocks the port and the wireless station can send and receive data on the network normally. Note that the data encryption between the wireless station and the AP is distinct from the encryption between the AP and the AAA server. If the AAA server sends an Access-reject message, the AP disconnects the wireless station. The wireless station may retry the authentication, but the AP prevents this station from sending UDP packets to nearby APs. Note that this station can still listen to the data transmitted by other stations: in practice the data travels over radio waves, which is why data must be encrypted on a wireless network.

The attribute-value pairs included in RADIUS messages can be used by the AAA server to decide the session between the AP and the wireless station, such as Session-Timeout or a VLAN tag (Tunnel-Type=VLAN, Tunnel-Private-Group-ID=TAG). Exactly what additional information

can be added depends on the AAA server, the AP and the wireless station you are using.

5. Additional options

First of all you must understand the role of RADIUS in the WLAN authentication process; you need to set up an AAA server that supports this interaction. If an AAA server is called RADIUS, it is ready to support authentication for the 802.11x standard and allows a choice of EAP types. If so, the next step is how to set up this feature. If you have a RADIUS server that supports 802.11x but not the EAP type you want, you can choose to update the server to a newer software version, or install a new server. If you install a new server that supports authentication for the 802.11x standard, you can use the RADIUS proxy feature to set up a chain of servers sharing one central database; the RADIUS proxy can be used to forward authentication requests to the servers capable of 802.11x authentication. If you have no RADIUS server, you must install one for WLAN authentication, and choosing this installation is an interesting task.

With a central base, the solution of using RADIUS for a WLAN is very important: if your network has many APs, configuring security for each of them separately is hard to manage, users can authenticate from many different APs and that is not really secure. Using RADIUS for the WLAN is very convenient: it authenticates for the whole multi-AP system and provides smarter solutions.

References


[1] Wikipedia.org
[2] RFC 2059, 2865
[3] www.nhatnghe.com/forum
[4] www.netpro.com.vn
