3Com 10014298 manual Radius

216CHAPTER 9: AAA AND RADIUS OPERATION

The network security mentioned here refers to access control, including:

■Which user can access the network server

■Which service can the authorized user enjoy

■How to keep accounts for the user who is using network resource

AAA provides the following services:

■Authenticates whether the user can access the network server.

■Authorizes the user with specified services.

■Accounts for network resources that are consumed by the user.

Generally, by applying client/server architecture, AAA framework boasts the following advantages:

■Good scalability.

■Ability to use standard authentication schemes.

■Easy control, and convenient for centralized management of user information.

■Ability to use multiple-level backup systems to enhance the security of the whole framework.

As mentioned above, AAA is a management framework, so it can be implemented by some protocols. RADIUS is frequently used.

Remote Authentication Dial-In User Service (RADIUS) is distributed information switching protocol in Client/Server architecture. RADIUS can prevent the network from an interruption by unauthorized access, and it is often used in the network environments requiring both high security and remote user access. For example, it is often used for managing a large number of scattering dial-in users who use serial ports and modems. RADIUS system is the important auxiliary part of Network Access Server (NAS).

After the RADIUS system is started, if the user wants to access other networks or use network resources through connection to NAS (dial-in access server in PSTN environment or Ethernet switch with access function in Ethernet environment), the RADIUS client transmits the user's AAA request to the RADIUS server. The RADIUS server has a user database recording all user authentication and network services information. On receiving the user's request from NAS, the RADIUS server performs AAA through user database query and update, and returns the configuration information and accounting data to NAS. NAS then controls supplicant and corresponding connections, while the RADIUS protocol regulates how to transmit configuration and accounting information between NAS and

RADIUS.

NAS and RADIUS exchange the information with UDP packets. During the interaction, both sides encrypt the packets with keys before uploading user configuration information (like password etc.) to avoid being intercepted or stolen.