RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Tuesday, September 4, 2007

802.1X Terminology and the RADIUS Server

Many networking terms such as client and server have become overloaded, leading to confusion. To clear up some of it, here are the basic terms frequently used in 802.1X discussions and how each of them relates to the RADIUS Server.

802.1X

The IEEE 802.1X standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. The 802.1X specification includes a number of features aimed specifically at supporting the use of Port Access Control in IEEE 802.11 Wireless LANs (WLANs). These include the ability for a WLAN Access Point to distribute or obtain global key information to/from attached stations, following successful authentication.

Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP), originally specified in RFC 2284 and now defined by RFC 3748, which obsoletes it, is a method of conducting an authentication conversation between a Supplicant and an Authentication Server. Intermediate devices such as Access Points and proxy servers do not take part in the conversation; their role is to relay EAP messages, unchanged, between the parties performing the authentication. EAP messages are transported between a wireless station and an 802.1X Authenticator using EAPOL (EAP over LAN, Ethertype 0x888E), and between an 802.1X Authenticator and the Authentication Server using RADIUS, where they are carried in EAP-Message attributes as specified in RFC 3579. The EAP framework supports the definition of Authentication Methods. Currently implemented EAP Authentication Methods include MD5, TLS, TTLS, PEAP, and Cisco's LEAP. Not all of them are suitable for WLAN use: EAP-MD5 provides neither mutual authentication nor key derivation, so it cannot supply the session keys an 802.11 Authenticator needs, and LEAP's MS-CHAP-style exchange is exposed to offline dictionary attacks. The tunnelled methods (TLS, TTLS, PEAP) protect the inner exchange and derive keying material.

Supplicant

The Supplicant is the client authentication software/firmware. It runs on the station seeking WLAN access and conducts an authentication conversation with the Authentication Server (RADIUS Server) using EAP. Until authenticated, the only traffic the Supplicant can get through the controlled port is EAPOL, which the Authenticator relays to the Authentication (RADIUS) Server; everything else is discarded.

Authenticator

An Authenticator performs port-based access control on a Network Access Server such as a Wireless Access Point. During authentication it relays EAP messages between the Supplicant and Authentication (RADIUS) Server and discards all other traffic from the Supplicant.

Once notified of successful authentication by the Authentication (RADIUS) Server (an Access-Accept rather than an Access-Reject), the Authenticator opens the port and provides network access to the Supplicant, using any session key material the Authentication (RADIUS) Server delivers with that Access-Accept; for 802.11 this becomes the Pairwise Master Key from which the Access Point and station derive their per-session keys.

Authentication Server (RADIUS Server)

The Authentication Server (typically a RADIUS Server) provides authentication services to the Authenticator. The Authenticator is a RADIUS client of the Authentication Server: the two share a secret that authenticates the RADIUS messages between them, which is why that (usually wired) leg of the path is treated as trusted. The Authentication (RADIUS) Server conducts an authentication conversation with the Supplicant using EAP, relayed through the Authenticator. It authenticates the Supplicant based upon a user profile that can be maintained either locally or remotely. The Authentication (RADIUS) Server may also perform authorization, collect accounting, and provide session keys to the Authenticator.
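The three roles described above relay one EAP conversation across two transports. The following is an added example, not code from this blog or from the RAD-Series server, that walks a single EAP-Request/Identity and its Response through all three parties: the Supplicant wraps its Response in EAPOL, the Authenticator strips the EAPOL header and copies the EAP packet untouched into a RADIUS Access-Request protected by a Message-Authenticator, and the Authentication Server checks that HMAC against the shared secret before it reads the identity. The identity, the RADIUS identifiers and the shared secret are constructed for the example; the wire formats follow RFC 3748, IEEE 802.1X and RFC 3579.

```python
"""Added example: one EAP Identity exchange across the three 802.1X roles.
Formats: RFC 3748 (EAP), IEEE 802.1X (EAPOL), RFC 3579 (EAP over RADIUS).
The identity and shared secret used below are constructed for this example."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1
EAPOL_VERSION, EAPOL_EAP_PACKET = 1, 0
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def eap_packet(code, identifier, eap_type, data=b""):
    """RFC 3748 s4.1: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type, type_data); Success/Failure carry no Type."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("EAP Length field does not match packet")
    return code, identifier, (pkt[4] if length > 4 else None), pkt[5:]


# --- Supplicant <-> Authenticator: EAP inside EAPOL (IEEE 802.1X) -----------
def eapol_frame(eap):
    """EAPOL PDU: Version(1) Packet-Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def eapol_body(frame):
    _, ptype, blen = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet")
    return frame[4:4 + blen]


def supplicant_identity_response(eapol_request, identity):
    """Supplicant: answer EAP-Request/Identity, echoing the Identifier."""
    code, ident, etype, _ = parse_eap(eapol_body(eapol_request))
    if (code, etype) != (EAP_REQUEST, EAP_TYPE_IDENTITY):
        raise ValueError("expected EAP-Request/Identity")
    return eapol_frame(eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode()))


# --- Authenticator <-> Authentication Server: EAP inside RADIUS (RFC 3579) --
def radius_attr(atype, value):
    """RADIUS TLV: Type(1) Length(1, counts the header) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def authenticator_access_request(eapol, radius_id, secret):
    """Authenticator: relay the EAP payload unchanged inside a signed Access-Request."""
    eap = eapol_body(eapol)
    code, _, etype, data = parse_eap(eap)
    user_name = data if (code, etype) == (EAP_RESPONSE, EAP_TYPE_IDENTITY) else b""
    attrs = (radius_attr(ATTR_USER_NAME, user_name)
             + radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + radius_attr(ATTR_EAP_MESSAGE, eap)
             + radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zero while signing
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()  # RFC 3579 s3.2
    return header + attrs[:-16] + mac


def parse_radius_attrs(packet):
    """(type, value_offset, value) for each attribute after the 20-byte header."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, i + 2, packet[i + 2:i + alen]))
        i += alen
    return out


def server_identity(packet, secret):
    """Server: verify Message-Authenticator, then read the EAP Identity; None on failure."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        return None
    attrs = parse_radius_attrs(packet)
    macs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return None  # EAP-Message requires exactly one Message-Authenticator
    off, received = macs[0]
    expected = hmac.new(secret, packet[:off] + bytes(16) + packet[off + 16:], hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return None  # wrong shared secret or tampered packet: silently discard
    eap = b"".join(val for t, _, val in attrs if t == ATTR_EAP_MESSAGE)  # fragments join in order
    code, _, etype, data = parse_eap(eap)
    return data.decode() if (code, etype) == (EAP_RESPONSE, EAP_TYPE_IDENTITY) else None


def identity_round_trip(identity, secret, server_secret=None):
    """Drive one Identity exchange: Authenticator -> Supplicant -> Authenticator -> Server."""
    request = eapol_frame(eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    response = supplicant_identity_response(request, identity)
    access_request = authenticator_access_request(response, 7, secret)
    return server_identity(access_request, server_secret or secret)


if __name__ == "__main__":
    print(identity_round_trip("alice@example.com", b"s3cret"))           # alice@example.com
    print(identity_round_trip("alice@example.com", b"s3cret", b"wrong"))  # None
```

The second call shows what "trusted relationship" means in practice: an Access-Request whose Message-Authenticator does not verify under the server's copy of the shared secret is dropped without a reply, so an Authenticator that has not been provisioned with the secret cannot get an EAP exchange started at all. A real deployment continues from here with the method-specific EAP rounds and ends in an Access-Accept or Access-Reject; this example stops at the Identity step.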
