Tunneled Accounting

During authentication, a user is typically identified by attributes such as User-Name (in the authentication request) and Class (in the authentication accept response). Standard RADIUS accounting requests typically include these attributes in messages flagging Start, Interim, and Stop events so that the user’s identity can be recorded for accounting and auditing purposes.

When an organization uses a tunneled authentication protocol such as EAP/TTLS or EAP/PEAP, the identity of a user requesting authentication might be concealed from the RAS; the User-Name attribute carried by the outer authentication protocol is typically a nonunique value such as anonymous. As a result, the outer User-Name value included in accounting requests might not be sufficient to determine a user’s identity. Class attributes provided by an authentication server cannot be included in cleartext in an outer Access-Accept message because they might contain clues about the user’s identity, thereby defeating the identity-hiding feature of the tunneled protocol.

Tunneled accounting enables RSA RADIUS Server to pass user identity information to accounting processes without exposing user identities to a RAS or AP that should not see them. When tunneled accounting is enabled, RADIUS attributes are encrypted and encapsulated in a Class attribute. If the information for a Class attribute exceeds the attribute payload size (253 octets), RSA RADIUS Server returns more than one Class attribute for a user.

Tunneled accounting works as follows:

1. The RSA RADIUS Server acting as the tunnel endpoint for EAP/TTLS or EAP/PEAP encrypts a user’s inner User-Name and Class attributes when it authenticates the user.

2. The server returns the encrypted information to the RAS or AP encapsulated in a Class attribute in the outer Access-Accept message. The RAS or AP associates this encapsulated identity attribute with the user, and echoes the encapsulated identity attribute whenever it generates an accounting request for the user.

3. When the RSA RADIUS Server receives an accounting request from a RAS or Access Point, the server scans the request for an encapsulated identity attribute.

4. If the server finds an encapsulated identity attribute, it decapsulates and decrypts the attributes to reconstitute the original inner User-Name and Class attributes.

5. The server substitutes the decrypted attributes for the ones returned from the RAS or AP.
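The five steps above as a round trip in Python, added here as an illustration rather than RSA RADIUS Server's own code: the cipher (an HMAC-SHA256 keystream with encrypt-then-MAC), the `TACCT1` marker used to recognize an encapsulated identity attribute, and the JSON packing of the inner attributes are assumptions standing in for the product's unspecified format; the 253-octet split across several Class attributes and the substitution into the accounting request follow the text.

```python
"""Tunneled-accounting round trip: seal the inner identity into Class attribute(s)
for the outer Access-Accept, then reconstitute it from the Class attribute(s) the
RAS/AP echoes in an accounting request. Constructed example; the wire format and
cipher below are assumptions, not RSA RADIUS Server's."""
import hashlib, hmac, json, os

MAX_ATTR_VALUE = 253   # RADIUS attribute payload limit cited on the page
MARKER = b"TACCT1"     # assumed prefix identifying an encapsulated identity attribute

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for the product's real cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, inner: dict) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag; the tag covers nonce and ciphertext.
    pt = json.dumps(inner, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("encapsulated identity attribute failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def class_attrs_for_accept(key: bytes, inner_user: str, inner_class: list) -> list:
    """Steps 1-2: the Class attribute value(s) the tunnel endpoint puts in the
    outer Access-Accept; the RAS/AP stores and echoes them opaquely."""
    blob = MARKER + seal(key, {"User-Name": inner_user, "Class": inner_class})
    # Split into several Class attributes when the blob exceeds 253 octets.
    return [blob[i:i + MAX_ATTR_VALUE] for i in range(0, len(blob), MAX_ATTR_VALUE)]

def reconstitute(key: bytes, acct: dict) -> dict:
    """Steps 3-5: scan an accounting request for an encapsulated identity
    attribute, decapsulate and decrypt it, and substitute the inner values."""
    blob = b"".join(acct.get("Class", []))   # RADIUS keeps same-type attributes in order
    if not blob.startswith(MARKER):
        return acct                          # nothing encapsulated; keep RAS-supplied values
    inner = unseal(key, blob[len(MARKER):])
    return {**acct, "User-Name": inner["User-Name"], "Class": inner["Class"]}

if __name__ == "__main__":
    k = os.urandom(32)
    echoed = class_attrs_for_accept(k, "alice@example.com", ["group=staff"])
    start = {"User-Name": "anonymous", "Acct-Status-Type": "Start", "Class": echoed}
    print(reconstitute(k, start)["User-Name"])   # the inner identity, not "anonymous"
```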

RSA RADIUS Server 6.1 Administrator’s Guide

About RSA RADIUS Server
