RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Monday, September 17, 2007

High Performance RADIUS Server

The RAD-Series RADIUS Server is the high end, high performance RADIUS server specifically designed for Carrier, Service Provider and OEM applications that require high throughput and carrier class reliability. Interlink Networks' RADIUS server delivers well over 2000 authentications per second on the Intel-based Linux platforms and Sun-based Solaris platforms.

Network Computing's independent Real-World Labs tested the RAD-Series RADIUS Server against four other popular RADIUS Server products: Cisco ACS, Lucent NavisRadius, Funk Steel-Belted Radius and IEA running on a common hardware platform. In Network Computing's words, Interlink's RADIUS Server delivered a "jaw-dropping" 1900 authentication and accounting transactions per second, compared to between 170 and 320 transactions per second from each of the other RADIUS servers. Their test results are shown below.

RADIUS Server                          Performance
Interlink RAD-Series RADIUS Server     1900 trans/sec
IEA RadiusNT RADIUS Server              170 trans/sec
Lucent NavisRadius RADIUS Server        170 trans/sec
Cisco ACS RADIUS Server                 170 trans/sec
Funk Steel-Belted Radius Server         320 trans/sec

Interlink's RADIUS Server outperformed Funk Steel-Belted Radius server by a factor of almost 6 to 1. Interlink's RAD-Series outperformed Cisco ACS and Lucent NavisRadius by over 1000%. These tests were run by Network Computing in their Real-World Labs on Dell PowerEdge 2450 PCs with 1 GB of RAM, 25-GB SCSI hard drives and 993-MHz dual processors, running against Windows Active Directory.

The RAD-Series RADIUS Server delivers similar performance on Sun Solaris. Running on a Sun v240 with a 1.2 GHz CPU against an LDAP directory server, the RADIUS server delivers over 2400 authentications per second.

Of course, performance is both hardware and application dependent, varying on factors that include hardware platform, software configuration and the data store interface.


Tuesday, September 4, 2007

802.1X Terminology and the RADIUS Server

Many networking terms such as client and server have become overloaded, leading to confusion. To clear up some of that confusion, here are some of the basic terms frequently used in 802.1X discussions and how they relate to the RADIUS Server.

802.1X

The IEEE 802.1X standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. The 802.1X specification includes a number of features aimed specifically at supporting the use of Port Access Control in IEEE 802.11 Wireless LANs (WLANs). These include the ability for a WLAN Access Point to distribute or obtain global key information to/from attached stations, following successful authentication.

Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP), specified in RFC 2284, is a method of conducting an authentication conversation between a Supplicant and an Authentication Server. Intermediate devices such as Access Points and proxy servers do not take part in the conversation. Their role is to relay EAP messages between the parties performing the authentication. The EAP messages are transported between a wireless station and an 802.1X Authenticator using EAPOL. The EAP messages are transported between an 802.1X Authenticator and the Authentication Server using RADIUS. The EAP framework supports the definition of Authentication Methods. Currently implemented EAP Authentication Methods include MD5, TLS, TTLS, PEAP, and Cisco's LEAP.

Supplicant

The Supplicant is the client authentication software/firmware. It runs on the station seeking WLAN access and conducts an authentication conversation with the Authentication Server (RADIUS Server) using EAP. Until authenticated, the Supplicant can only communicate with the Authentication (RADIUS) Server.

Authenticator

An Authenticator performs port-based access control on a Network Access Server such as a Wireless Access Point. During authentication it relays EAP messages between the Supplicant and Authentication (RADIUS) Server and discards all other traffic from the Supplicant.

Once notified of successful authentication by the Authentication (RADIUS) Server, the Authenticator establishes the session and provides network access to the Supplicant using any session keys provided by the Authentication (RADIUS) Server.

Authentication Server (RADIUS Server)

The Authentication Server (typically a RADIUS Server) provides authentication services to the Authenticator. The Authenticator and Authentication (RADIUS) Server have a trusted (client/server) relationship over the secure (usually wired) portion of the network. The Authentication (RADIUS) Server conducts an authentication conversation with the Supplicant using EAP. The Authentication (RADIUS) Server authenticates the Supplicant based upon a user profile that can be maintained either locally or remotely. The Authentication (RADIUS) Server may also perform authorization, collect accounting, and provide session keys to the Authenticator.


Monday, June 11, 2007

Implementing Simultaneous Session Control in a AAA RADIUS Server

One of the most frequently requested features of the RAD-Series RADIUS Server is simultaneous session control. Service Providers selling low cost flat rate Internet access cannot afford the abuse of users sharing accounts. Simultaneous session control addresses this problem by limiting the number of sessions granted to an account at any given time. The RAD-Series RADIUS Server goes beyond a check box implementation by making the number of simultaneous sessions allowed a configurable item on a per user basis.

As an example, let us look at a small ISP that wants to limit its users to two simultaneous sessions, maintains its user list in a Unix password file, and whose users log on as user@isp.com.

There are four configuration steps to restrict simultaneous session use:

1) Simultaneous session control requires the active session management provided by the LAS (Local Authentication Service). Therefore the realm isp.com must be defined in las.conf as follows:

Realm isp.com
End-Realm

2) The realm must also be configured in the authfile. In this example the realm is configured for Unix password file authentication.

isp.com UNIX-PW

3) The RAD-Series RADIUS Server must load a finite state machine (FSM) table that supports the LAS (has las in its name). If the RADIUS server was installed with the default FSM table, check+policy+las.fsm, then the LAS is already supported.

4) By default, simultaneous use is set to one session when the LAS is enabled. To change this default to two sessions for our example, Simultaneous-Use will be added as a Check-Item to the DEFAULT entry in the users file.

DEFAULT Authentication-Type=Realm, Simultaneous-Use = 2
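The authorization check that these four steps configure, modelled in Python as an added illustration (this is not RAD-Series code and not its LAS): the realm is split from user@isp.com, the limit comes from a constructed table standing in for the users-file Simultaneous-Use check item (realm or per-user entry, default of one as stated above), and Accounting Start/Stop records drive the active session count. The stale-session timeout is an assumption of the example, covering the case where a Stop record is lost.

```python
"""Simulated per-account simultaneous session control for a RADIUS server.

Added illustration only; the limit table, timeout and method names are
constructed for this example and are not the RAD-Series implementation.
"""
from dataclasses import dataclass, field
import time


@dataclass
class SessionLimiter:
    # Simultaneous-Use values keyed by realm ("isp.com") or full user name
    # ("alice@isp.com"); a user entry overrides its realm entry. (constructed)
    limits: dict
    default_limit: int = 1           # default once the LAS is enabled
    stale_after: float = 3600.0      # assumption: forget sessions with a lost Stop
    # user -> {Acct-Session-Id: last accounting timestamp}
    active: dict = field(default_factory=dict)

    @staticmethod
    def split_realm(user):
        """'alice@isp.com' -> ('alice', 'isp.com'); no '@' -> empty realm."""
        name, sep, realm = user.rpartition("@")
        return (name, realm) if sep else (user, "")

    def limit_for(self, user):
        realm = self.split_realm(user)[1]
        return self.limits.get(user, self.limits.get(realm, self.default_limit))

    def _live_sessions(self, user, now):
        """Drop sessions not refreshed within stale_after and return the rest."""
        kept = {sid: t for sid, t in self.active.get(user, {}).items()
                if now - t < self.stale_after}
        self.active[user] = kept
        return kept

    def access_request(self, user, now=None):
        """Authorization step: accept only while active sessions < Simultaneous-Use."""
        now = time.time() if now is None else now
        return len(self._live_sessions(user, now)) < self.limit_for(user)

    def accounting(self, user, status, session_id, now=None):
        """Apply an Accounting-Request; returns the account's live session count.

        A repeated Start for the same Acct-Session-Id refreshes rather than
        double-counts the session.
        """
        now = time.time() if now is None else now
        sessions = self.active.setdefault(user, {})
        if status in ("Start", "Interim-Update"):
            sessions[session_id] = now
        elif status == "Stop":
            sessions.pop(session_id, None)
        return len(self._live_sessions(user, now))
```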

Simultaneous session control is an example of Authorization, the second A in AAA. As illustrated by this simple example, authorization adds value beyond simple authentication by further defining the conditions and limits of authorized use.
