RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Monday, September 17, 2007

High Performance RADIUS Server

The RAD-Series RADIUS Server is the high-end, high-performance RADIUS server specifically designed for Carrier, Service Provider and OEM applications that require high throughput and carrier-class reliability. Interlink Networks' RADIUS server delivers well over 2000 authentications per second on Intel-based Linux platforms and Sun Solaris platforms.

Network Computing's independent Real-World Labs tested the RAD-Series RADIUS Server against four other popular RADIUS Server products: Cisco ACS, Lucent NavisRadius, Funk Steel-Belted Radius and IEA running on a common hardware platform. In Network Computing's words, Interlink's RADIUS Server delivered a "jaw-dropping" 1900 authentication and accounting transactions per second, compared to between 170 and 320 transactions per second from each of the other RADIUS servers. Their test results are shown below.

RADIUS Server                         Performance
Interlink RAD-Series RADIUS Server    1900 trans/sec
IEA RadiusNT RADIUS Server             170 trans/sec
Lucent NavisRadius RADIUS Server       170 trans/sec
Cisco ACS RADIUS Server                170 trans/sec
Funk Steel-Belted Radius Server        320 trans/sec

Interlink's RADIUS Server outperformed Funk Steel-Belted Radius by a factor of almost 6 to 1, and Cisco ACS and Lucent NavisRadius by more than 10 to 1. These tests were run by Network Computing in their Real-World Labs on Dell PowerEdge 2450 servers with 1 GB of RAM, 25-GB SCSI hard drives and dual 993-MHz processors, authenticating against Windows Active Directory.

The RAD-Series RADIUS Server delivers similar performance on Sun Solaris: running on a Sun V240 with a 1.2 GHz CPU against an LDAP directory server, it delivers over 2400 authentications per second.

Of course, performance is both hardware and application dependent, varying on factors that include hardware platform, software configuration and the data store interface.


Tuesday, August 28, 2007

A Primer on Using Interlink’s Powerful RADIUS Server Software Developer’s Kit (RADIUS SDK)

Interlink’s RADIUS Server SDK is ideal for customers wishing to customize and enhance the RAD-Series RADIUS Server to meet their specific application requirements. The RADIUS Server SDK provides a set of easy-to-implement, modular tools to develop extensions to the core RADIUS architecture. The tool kit provides APIs (Application Program Interfaces) that make it easy to build custom modules for unique RADIUS authentication, authorization, or accounting methods; modify the internal RADIUS processing engine; set user-based policy; and to customize user interfaces.

With the SDK, you can write capabilities to:

  • Authenticate users stored in any data source, including off-the-shelf and proprietary databases
  • Track and control usage based on unique billing systems
  • Implement highly customized authorization schemes
  • Add support for unique network access hardware

RADIUS plug-in modules allow feature enhancements without editing, recompiling, and retesting all of the server code, providing for speedy development of additional functionality. The RADIUS Server SDK functions follow standard ANSI C, so there is no specialized programming or scripting language to learn.

Major system integrators and mobile communications companies throughout the world have used our RADIUS SDK to customize their RADIUS server to meet their specific application needs.


Wednesday, August 1, 2007

Achieving Ease of Use in RADIUS Management While Maintaining Network Security

The need for ease of use in network management has never been greater. The ever-increasing pace of technical innovation has made it impractical for even the most technical IT personnel to keep up with the innumerable configuration options and syntaxes. This has led to the widespread use of Graphical User Interfaces (GUIs), which let the user navigate through a sequence of configuration screens and choose from a list of options, instead of having to remember which configuration details are required and how to type the corresponding commands at the console prompt. Everyone is familiar with this style of interface on their desktop computer. The same ease of use has been extended to remote network devices through web-based graphical interfaces and the HyperText Transfer Protocol (HTTP).

With this ease of use come a number of security problems.

  1. HTTP is clear text, so administrative passwords (and the session cookies issued after login) can be read by anyone who can observe the traffic.
  2. Default passwords for well-known applications become "back doors" to the system if they are not changed or disabled.
  3. Well-known port numbers for administrative interfaces make them easy to find with a port scan and therefore a ready target for attack.
  4. Managing security becomes more difficult when each device must be managed through its own independent interface, because settings drift and a weak configuration on one device is easily overlooked.

Keeping network devices such as a RADIUS Server behind a firewall does not solve the problem. Not all employees are intended to have administrative access to network resources, so security must be applied inside the organization as well as at its perimeter. In addition, anyone who does get through the firewall can then reach every device behind it, and each weakly protected management interface becomes another hole.

Interlink Networks RAD-Series RADIUS Server Manager

The RAD-Series RADIUS Server Manager addresses all of the above security issues.

  1. The RADIUS Server Manager is easily configured to use HTTPS instead of HTTP. This is the same protocol used by commercial web sites to provide encrypted communications for sensitive information like credit card numbers, and it keeps the administrative password off the wire in the clear.
  2. Unlike many administrative interfaces, the RADIUS Server Manager requires an administrative username in addition to a password. To further protect against a default password being used as a back door, the RADIUS Server Manager installer prompts for the Administrator's login name and password instead of always starting with a default.
  3. The RADIUS Server Manager is easily configured to use any desired port number rather than being limited to a fixed default port. Moving the port keeps the interface out of casual scans, but it does not replace HTTPS and strong credentials; it is an addition to them.
  4. A single Server Manager can manage multiple RAD-Series RADIUS Servers. This contributes to ease of use and to the assurance that all servers are managed in a consistent and secure fashion. Communication between the RADIUS Server Manager and the servers is further secured through the use of a shared secret.

Ease of use and secure operations are both important goals in managing the corporate network. With the RAD-Series RADIUS Server Manager, both of these goals can be achieved without diminishing the other.


Wednesday, June 6, 2007

Protecting AAA RADIUS Accounting Information

The third A of AAA, RADIUS Accounting, often does not get as much attention as Authentication and Authorization, but it is vitally important. The RADIUS server accounting session logs provide usage information for billing in commercial applications and an audit trail in all cases. Because RADIUS is transported by UDP, a datagram protocol that does not guarantee delivery, it is possible for valuable accounting information to be lost in the network. In particular, the loss of RADIUS Accounting-Stops creates several problems, including:

1) Incomplete billing information for metered services resulting in lost revenue.

2) Valid users are locked out where Simultaneous Session Control is implemented because the end of their last session was not received. This results in unhappy customers and increased customer support overhead.

3) Incomplete audit trails.

These are important problems. The RAD-Series RADIUS Server cannot always know when a RADIUS Accounting-Stop has been lost in the network but there are several steps that can be taken to improve the situation.

1) Probably the first and most important thing to do is to find out where and why the RADIUS Accounting-Stops are being lost and then fix the root cause of the problem. Do you have problems with NASs crashing? Do you have infrastructure problems where the NAS loses contact with the RADIUS Server for long periods of time? Do you have network congestion problems where packets are lost? Is the machine where the RADIUS Server runs overloaded and running behind?

Check the RADIUS Server logfile to see if it is discarding accounting messages because the queue is full. If it is, then you need to address the overload by either getting a faster machine/disk or by implementing another RAD-Series RADIUS Server. If these are only momentary overloads, then another option is to increase the size of the RADIUS accounting request queue in engine.config from its default value of 2000:

global_acct_q.limit=3000

2) If the packet loss is out of your control or cannot be quickly fixed, then the next step is to configure the NASs to retransmit more effectively. In RADIUS the client is responsible for retransmitting requests for which it receives no reply. Most NASs have parameters to configure the timeout between retransmissions and the number of retransmissions to attempt.

Increasing the retry limit improves the chances of a request getting through. The overall time attempting to get the request through is also increased, giving congestion due to traffic spikes a chance to clear.

Increasing the timeout before retransmitting also increases the overall time attempting to get the request through. Additionally, it has the advantage that by waiting longer to retransmit, the NAS is not contributing as much to the congestion.
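The retransmission contract described above, as an added example that is not code from this post or from Interlink: a NAS-side sender that retransmits an Accounting-Request until it is acknowledged, and a server that verifies the RFC 2866 Request Authenticator and writes a retransmitted record to the log only once. Per RFC 2866, Acct-Delay-Time carries the seconds the NAS has spent trying to send the record (so the server can recover the real event time), and because that changes the packet contents, the Identifier changes on each retry; the server therefore suppresses duplicates by Acct-Session-Id and Acct-Status-Type, not by Identifier. The shared secret, attribute values and loss pattern are constructed.

```python
"""Constructed RADIUS accounting exchange (RFC 2866 framing) with NAS-side
retransmission and server-side duplicate suppression. Example code, not
RAD-Series code. Shared secret, attribute values and loss pattern are made up."""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
USER_NAME, NAS_PORT, ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 1, 5, 40, 41, 44
START, STOP, INTERIM_UPDATE = 1, 2, 3
INTEGER_ATTRS = {NAS_PORT, ACCT_STATUS_TYPE, ACCT_DELAY_TIME}
SECRET = b"example-shared-secret"   # assumption: the NAS/server shared secret


def encode_attrs(avps):
    """Attribute-Value Pairs: Type (1 octet), Length (1 octet, incl. header), Value."""
    out = b""
    for attr_type, value in avps:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out


def request_authenticator(code, identifier, body, secret):
    """RFC 2866 s.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(head + bytes(16) + body + secret).digest()


def build_acct_request(identifier, avps, secret=SECRET):
    body = encode_attrs(avps)
    auth = request_authenticator(ACCT_REQUEST, identifier, body, secret)
    return struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body)) + auth + body


def parse(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    auth, body = packet[4:20], packet[20:length]
    avps, i = {}, 0
    while i < len(body):
        attr_type, attr_len = body[i], body[i + 1]
        value = body[i + 2:i + attr_len]
        avps[attr_type] = struct.unpack("!I", value)[0] if attr_type in INTEGER_ATTRS else value
        i += attr_len
    return code, identifier, auth, avps, body


def verify_request(packet, secret=SECRET):
    code, identifier, auth, _, body = parse(packet)
    return hmac.compare_digest(auth, request_authenticator(code, identifier, body, secret))


class AcctServer:
    """Server side: packets with a bad authenticator are silently discarded
    (RFC 2866 s.3); a retransmitted record is acknowledged but logged only once."""

    def __init__(self):
        self.seen = set()      # (Acct-Session-Id, Acct-Status-Type) already logged
        self.log = []          # (session id, status type, estimated event time)
        self.discarded = 0

    def receive(self, packet, now):
        if not verify_request(packet):
            self.discarded += 1
            return False                      # no response, so the NAS will retry
        _, _, _, avps, _ = parse(packet)
        key = (avps[ACCT_SESSION_ID], avps[ACCT_STATUS_TYPE])
        if key not in self.seen:
            self.seen.add(key)
            # Acct-Delay-Time backs the retransmission delay out of the arrival time.
            self.log.append((key[0], key[1], now - avps.get(ACCT_DELAY_TIME, 0)))
        return True                           # an Accounting-Response would go out here


def send_with_retries(server, session_id, status, lost_requests=(), lost_replies=(),
                      timeout=3, retries=5, start_time=1000):
    """NAS side. lost_requests / lost_replies are the attempt numbers the simulated
    network drops. Returns (acknowledged, attempts_used)."""
    identifier, delay = 7, 0
    for attempt in range(1, retries + 2):
        avps = [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, status),
                (ACCT_SESSION_ID, session_id), (NAS_PORT, 3),
                (ACCT_DELAY_TIME, delay)]       # seconds spent trying to send this record
        packet = build_acct_request(identifier, avps)
        delivered = attempt not in lost_requests and server.receive(packet, now=start_time + delay)
        if delivered and attempt not in lost_replies:
            return True, attempt
        delay += timeout
        identifier = (identifier + 1) % 256    # contents changed, so the Identifier must change
    return False, retries + 1


if __name__ == "__main__":
    srv = AcctServer()
    print(send_with_retries(srv, b"sess-0001", STOP, lost_requests={1, 2}), srv.log)
```

The two loss cases matter separately: when the request is lost the server never sees it and the retry is the only copy; when only the reply is lost the server has already logged the record, and without the duplicate check the retry would produce a second Stop for the same session.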

3) Configure the NASs to send RADIUS Accounting Interim-Updates. This has two advantages:

a) If the RADIUS Accounting-Stop at the end of the session is lost, then you at least have the accounting information up to the point of the last Accounting-Interim-Update.

b) If the RAD-Series RADIUS Server has received at least one Accounting-Interim-Update, but has not received one within the last 15 minutes + 15 seconds, then the server will move that session to the "suspended" state. If a session is in the suspended state, then it will not count toward the simultaneous session limit and the user should be able to reconnect.

Before enabling RADIUS Accounting-Interim-Updates, be sure to check that your accounting software can handle them correctly. Accounting-Interim-Updates report the cumulative session totals, not incremental amounts. To bill accurately, the accounting software must process only the RADIUS Accounting-Stop or the last RADIUS Accounting-Interim-Update for any given session.

Also note that enabling this RADIUS Accounting-Interim-Updates message will increase the traffic between the NASs and the RADIUS Server.

To log RADIUS Accounting-Interim-Updates, the RAD-Series RADIUS Server's finite state machine table must be modified at state ACCTlog from:

ACCTlog:
    *.*.ACCT_START   REPLY       Hold
    *.*.ACCT_STOP    LOG REPLY   Hold
    *.*.ACCT_ALIVE   REPLY       Hold

to:

ACCTlog:
    *.*.ACCT_START   REPLY       Hold
    *.*.ACCT_STOP    LOG REPLY   Hold
    *.*.ACCT_ALIVE   LOG REPLY   Hold

4) Set the Session-Timeout attribute as a reply item in the user profile. If the RADIUS Server has not received the RADIUS Accounting-Stop by the end of the Session-Timeout period (plus a delay factor), then it will move the session to the suspended state, where it will not count toward the Simultaneous Session Control limit.

5) Configure your NAS/telco to hunt in a round-robin fashion instead of filling the first available port. If the RADIUS Server sees a new session connected to the same port, it will close out the old session. Configuring your NAS to hunt round robin ensures that all of your ports get reused instead of the first ports getting most of the calls, so stale sessions are cleaned up sooner.
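The measures in steps 3 to 5, as an added example rather than the server's own code: a small session table that keeps the cumulative counters from interim updates (overwriting, never summing, as the caveat in step 3 requires), suspends a session after the 15 minutes + 15 seconds interim gap or after Session-Timeout plus a delay factor, leaves suspended sessions out of Simultaneous Session Control, and closes whatever was on a NAS port when a new Start arrives on it. The delay-factor value, the revival of a suspended session by a later update, and the accounting records (plain dictionaries keyed by attribute name) are assumptions and constructed input, not RAD-Series behaviour.

```python
"""Constructed model of the accounting-side measures in steps 3 to 5: cumulative
interim counters, suspension of sessions whose Stop is presumed lost, Simultaneous
Session Control that ignores suspended sessions, and port-reuse cleanup.
Example code, not RAD-Series code; STOP_DELAY is an assumed value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERIM_GRACE = 15 * 60 + 15   # 15 minutes + 15 seconds, the gap quoted in the post
STOP_DELAY = 60                # assumed "delay factor" added to Session-Timeout


@dataclass
class Session:
    session_id: str
    user: str
    nas: str
    port: int
    started: int
    last_seen: int
    octets_in: int = 0
    octets_out: int = 0
    interim_seen: bool = False
    state: str = "active"        # active | suspended | closed


class SessionTable:
    def __init__(self, max_sessions: int = 1, session_timeout: Optional[int] = None):
        self.max_sessions = max_sessions
        self.session_timeout = session_timeout   # the profile's Session-Timeout reply item
        self.sessions: Dict[str, Session] = {}
        self.billing: List[Tuple[str, str, int, int, str]] = []

    def authorize(self, user: str, now: int) -> bool:
        """Simultaneous Session Control: only sessions still active count."""
        self.expire(now)
        live = [s for s in self.sessions.values() if s.user == user and s.state == "active"]
        return len(live) < self.max_sessions

    def accounting(self, rec: dict, now: int) -> None:
        """rec is a constructed Accounting-Request keyed by attribute name."""
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        nas, port = rec["NAS-IP-Address"], rec["NAS-Port"]
        if status == "Start":
            # Step 5: a new session on this NAS port means the old one is over.
            for s in list(self.sessions.values()):
                if (s.nas, s.port) == (nas, port) and s.session_id != sid and s.state != "closed":
                    self._close(s, "port-reused")
            self.sessions[sid] = Session(sid, rec["User-Name"], nas, port, now, now)
        elif status == "Interim-Update":
            s = self.sessions.get(sid)
            if s is None:   # the Start was lost too: rebuild the session from the update
                s = self.sessions[sid] = Session(sid, rec["User-Name"], nas, port, now, now)
            # Acct-*-Octets are cumulative since Start: overwrite, never add (step 3 caveat).
            s.octets_in, s.octets_out = rec["Acct-Input-Octets"], rec["Acct-Output-Octets"]
            s.last_seen, s.interim_seen = now, True
            s.state = "active"   # assumption: a live update revives a suspended session
        elif status == "Stop":
            s = self.sessions.get(sid)
            if s is not None and s.state != "closed":
                s.octets_in, s.octets_out = rec["Acct-Input-Octets"], rec["Acct-Output-Octets"]
                self._close(s, "stop")
        self.expire(now)

    def expire(self, now: int) -> None:
        """Steps 3b and 4: a session whose Stop is presumed lost is suspended, not counted."""
        for s in self.sessions.values():
            if s.state != "active":
                continue
            quiet = s.interim_seen and now - s.last_seen > INTERIM_GRACE
            timed_out = (self.session_timeout is not None
                         and now - s.started > self.session_timeout + STOP_DELAY)
            if quiet or timed_out:
                s.state = "suspended"

    def usage(self, sid: str) -> Tuple[int, int]:
        """Billable usage: the last cumulative figures seen, from the Stop or last update."""
        s = self.sessions[sid]
        return s.octets_in, s.octets_out

    def _close(self, s: Session, reason: str) -> None:
        s.state = "closed"
        self.billing.append((s.session_id, s.user, s.octets_in, s.octets_out, reason))


def acct(status, sid, octets_in=0, octets_out=0, port=3):
    """Constructed Accounting-Request record for user alice on NAS 10.0.0.1."""
    return {"Acct-Status-Type": status, "Acct-Session-Id": sid, "User-Name": "alice",
            "NAS-IP-Address": "10.0.0.1", "NAS-Port": port,
            "Acct-Input-Octets": octets_in, "Acct-Output-Octets": octets_out}
```

Walking a session through the table shows the behaviour the post wants: two interim updates reporting 1000 and then 2500 octets leave 2500 (not 3500) as the billable figure; once the Stop fails to arrive and the interim gap passes, the user can log in again; and the next Start on the same NAS port turns the stale session into a billing record at its last known counters.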

Session logging is a crucial aspect of managing a network. An understanding of both the limitations and capabilities of RADIUS, a good handle on network performance, and a few key NAS and RAD-Series RADIUS Server configuration parameters can put you in control of collecting this network asset.
