RADIUS, Diameter, and TACACS+ are three protocols for carrying Authentication, Authorization, and Accounting (AAA) information between a Network Access Server (NAS) that wants to authenticate its links or end users and a shared authentication server. The end user connects to the NAS, which in turn becomes a AAA client trying to authenticate the end user to the AAA server.
This section concentrates on the last "A" of AAA (even though most of the time AAA is not primarily used for billing, but for authentication and authorization). However, when binding the accounting information with the authentication informs, the AAA protocols offer an interesting advantage for billing: the authenticated username.
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol developed by the IETF. The RADIUS client is typically a NAS, and the RADIUS server is usually a daemon process running on a UNIX or Windows server.
The RADIUS client (that is, the NAS) passes user information to designated RADIUS servers and acts on the returned response. RADIUS servers receive user connection requests via the NAS, authenticate the user, and then provide the NAS with configuration information necessary for it to deliver a specific service to the user.
Transactions between the RADIUS client and RADIUS server are authenticated with a shared secret key, which is never sent over the network. In addition, user passwords are sent encrypted between the RADIUS client and RADIUS server to eliminate the possibility that someone snooping on an insecure network could determine a user's password.
The accounting features of the RADIUS protocol can be used independently of RADIUS authentication or authorization. The NAS, which provides a service to the dial-in user (such as PPP or Telnet) is responsible for passing user accounting information to a designated RADIUS accounting server. At the start of service delivery, the NAS generates an "Accounting Start" packet describing the type of service being delivered and the user accessing the service. This packet is sent to the RADIUS accounting server, which returns an acknowledgment (the Accounting-Response) to the NAS, acknowledging that the "Accounting Start" packet has been received. At the end of the service delivery, the NAS client generates an "Accounting Stop" packet, describing the type of service that was delivered and session statistics such as elapsed time, input and output octets, and input and output packets. Here is the complete list of RADIUS accounting attributes, as described in RFC 2866: Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, and Acct-Link-Count. If the RADIUS server returns no response to the RADIUS client within a defined timeout, the request is resent a number of times. The RADIUS client can also forward requests to an alternate RADIUS server or servers in case the primary server is down or unreachable.
The UDP transport is a major issue in RADIUS accounting, where packet loss may translate directly into revenue loss.
For further references on RADIUS, refer to Table 3-9, which mainly focuses on the RADIUS accounting references. Note, for completeness, that other RADIUS RFCs are available: 2548, 2618, 2619, 2809, 2882, 3162, 3575, 3576, 3579, and 3580.
RFC | Status | Title | Description |
---|---|---|---|
2620 | Informational | RADIUS Accounting Client MIB | Managed objects used to manage RADIUS accounting clients |
2621 | Informational | RADIUS Accounting Server MIB | Managed objects used to manage RADIUS accounting servers |
2865 | Standard | Remote Authentication Dial-In User Service (RADIUS) | Protocol specifications for authentication, authorization, and configuration information |
2866 | Standard | RADIUS Accounting | Specifies the RADIUS Accounting protocol |
2867 | Informational | RADIUS Accounting Modifications for Tunnel Protocol Support | Defines new RADIUS Accounting attributes and new values for tunneling in dialup networks |
2868 | Informational | RADIUS Attributes for Tunnel Protocol Support | RADIUS attributes designed to support the provision of compulsory tunneling in dialup networks |
2869 | Informational | RADIUS Extensions | Attributes for carrying authentication, authorization, and accounting information |
Note that the IETF RADIUS Extensions Working Group currently is focusing on extensions to the RADIUS protocol required to enable its use in applications such as IP telephony and local-area network AAA. To keep backward compatibility, the working group decided not to define new transports (such as TCP and SCTP).
Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco-proprietary AAA protocol. Even though it's proprietary, TACACS+ is well-known across the industry. It is recommended for rich feature support because it allows command authorization and accounting. The biggest difference compared to RADIUS is that TACACS+ runs on the top of TCP and encrypts the full packet, not just the password section.
The Diameter protocol, standardized by the IETF Authentication, Authorization and Accounting working group, is the successor to the RADIUS protocol and was developed to overcome several limitations of RADIUS.
AAA protocols such as TACACS+ and RADIUS were initially deployed to provide dialup Point-to-Point Protocol (PPP) and terminal server access. Over time, with the growth of the Internet and the introduction of new access technologies, including wireless, DSL, Mobile IP, and Ethernet, routers and network access servers (NAS) have increased in complexity and density, putting new demands on AAA protocols.
Diameter introduced a couple of improvements compared to RADIUS:
Application-layer acknowledgments and failover algorithms
Mandatory IPsec and optional TLS supports
Reliable transport mechanisms (TCP, SCTP)
Support for server-initiated messages
Data object security is supported but not mandatory
Capability negotiation between clients and servers
Peer discovery and configuration
Table 3-10 lists the Diameter references.
RFC | Status | Title | Description |
---|---|---|---|
3588 | Standard | Diameter Base Protocol | Protocol description |
3589 | Informational | Diameter Command Codes for Third Generation Partnership Project | Managed objects used to manage RADIUS accounting clients |
For completeness, RFC 3589 also deals with Diameter, but not with accounting. Note also that several Diameter IETF drafts currently are in progress.