Data Collection Protocols: AAA (RADIUS, Diameter, and TACACS+)


Posted on: July 21, 2010

RADIUS, Diameter, and TACACS+ are three protocols for carrying Authentication, Authorization, and Accounting (AAA) information between a Network Access Server (NAS) that wants to authenticate its links or end users and a shared authentication server. The end user connects to the NAS, which in turn becomes a AAA client trying to authenticate the end user to the AAA server.

This entry concentrates on the last "A" of AAA (even though, most of the time, AAA is not primarily used for billing but for authentication and authorization). However, by binding the accounting information to the authentication information, the AAA protocols offer an interesting advantage for billing: the authenticated username.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol developed by the IETF. The RADIUS client is typically a NAS, and the RADIUS server is usually a daemon process running on a UNIX or Windows server.

The RADIUS client (that is, the NAS) passes user information to designated RADIUS servers and acts on the returned response. RADIUS servers receive user connection requests via the NAS, authenticate the user, and then provide the NAS with configuration information necessary for it to deliver a specific service to the user.

Transactions between the RADIUS client and RADIUS server are authenticated with a shared secret key, which is never sent over the network. In addition, user passwords are sent encrypted between the RADIUS client and RADIUS server to eliminate the possibility that someone snooping on an insecure network could determine a user's password.

The accounting features of the RADIUS protocol can be used independently of RADIUS authentication or authorization. The NAS, which provides a service to the dial-in user (such as PPP or Telnet), is responsible for passing user accounting information to a designated RADIUS accounting server.

At the start of service delivery, the NAS generates an "Accounting Start" packet describing the type of service being delivered and the user accessing the service. This packet is sent to the RADIUS accounting server, which returns an acknowledgment (the Accounting-Response) to the NAS, confirming that the "Accounting Start" packet has been received. At the end of the service delivery, the NAS client generates an "Accounting Stop" packet, describing the type of service that was delivered and session statistics such as elapsed time, input and output octets, and input and output packets.

Here is the complete list of RADIUS accounting attributes, as described in RFC 2866: Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, and Acct-Link-Count.

If the RADIUS server returns no response to the RADIUS client within a defined timeout, the request is resent a number of times. The RADIUS client can also forward requests to an alternate RADIUS server or servers in case the primary server is down or unreachable.

The UDP transport is a major issue in RADIUS accounting, where packet loss may translate directly into revenue loss.
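As an added illustration (not code from the original post), the following Python model shows the Accounting-Request/Accounting-Response exchange described above, with the RFC 2866 authenticator computations that bind both packets to the shared secret: the NAS builds a Start or Stop record, the accounting server verifies it before acting on it, and the NAS verifies that the acknowledgment is tied to its own request. The shared secret, session id and attribute values are constructed sample data; the packet codes and attribute numbers are the standard ones.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # packet codes, RFC 2866
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 1, 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_START, ACCT_STOP = 44, 46, 1, 2
HEADER = struct.Struct("!BBH16s")           # Code, Identifier, Length, Authenticator

def encode_avps(avps):
    """Serialize (type, value) pairs as RADIUS TLVs; ints become 32-bit big-endian."""
    def tlv(atype, value):
        data = struct.pack("!I", value) if isinstance(value, int) else value
        return struct.pack("!BB", atype, len(data) + 2) + data
    return b"".join(tlv(t, v) for t, v in avps)

def decode_avps(blob):
    """Parse an attribute section into (type, raw bytes); bad lengths are rejected."""
    avps, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return avps

def _auth(code, ident, attrs, seed, secret):
    """MD5(Code+ID+Length+seed+attrs+secret); seed is 16 zero octets for a request, RequestAuth for its reply."""
    return hashlib.md5(HEADER.pack(code, ident, HEADER.size + len(attrs), seed) + attrs + secret).digest()

def build_acct_request(ident, secret, avps):
    """NAS side: an Accounting-Request (Start or Stop) keyed to the shared secret."""
    attrs = encode_avps(avps)
    auth = _auth(ACCT_REQUEST, ident, attrs, bytes(16), secret)
    return HEADER.pack(ACCT_REQUEST, ident, HEADER.size + len(attrs), auth) + attrs

def build_acct_response(request, secret):
    _, ident, _, req_auth = HEADER.unpack_from(request)  # the reply is bound to the request's authenticator
    return HEADER.pack(ACCT_RESPONSE, ident, HEADER.size, _auth(ACCT_RESPONSE, ident, b"", req_auth, secret))

def verify(packet, secret, request=None):
    """Validate a request (request=None) or a reply against the request it answers; False means drop it."""
    code, ident, length, auth = HEADER.unpack_from(packet)
    if request is None:
        ok, seed = code == ACCT_REQUEST, bytes(16)
    else:
        _, req_ident, _, seed = HEADER.unpack_from(request)
        ok = code == ACCT_RESPONSE and ident == req_ident
    expected = _auth(code, ident, packet[HEADER.size:], seed, secret)
    return ok and length == len(packet) and hmac.compare_digest(expected, auth)
```

A Stop record is built the same way with Acct-Status-Type set to ACCT_STOP plus the session counters (Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets); a server that skips the verify step will accept and bill records from any host that can reach its UDP port.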

For further references on RADIUS, refer to Table 1, which mainly focuses on the RADIUS accounting references. Note, for completeness, that other RADIUS RFCs are available: 2548, 2618, 2619, 2809, 2882, 3162, 3575, 3576, 3579, and 3580.

Table 1. RADIUS References

  • RFC 2620 (Informational), RADIUS Accounting Client MIB: managed objects used to manage RADIUS accounting clients

  • RFC 2621 (Informational), RADIUS Accounting Server MIB: managed objects used to manage RADIUS accounting servers

  • RFC 2865 (Standard), Remote Authentication Dial-In User Service (RADIUS): protocol specifications for authentication, authorization, and configuration information

  • RFC 2866 (Standard), RADIUS Accounting: specifies the RADIUS Accounting protocol

  • RFC 2867 (Informational), RADIUS Accounting Modifications for Tunnel Protocol Support: defines new RADIUS Accounting attributes and new values for tunneling in dialup networks

  • RFC 2868 (Informational), RADIUS Attributes for Tunnel Protocol Support: RADIUS attributes designed to support the provision of compulsory tunneling in dialup networks

  • RFC 2869 (Informational), RADIUS Extensions: attributes for carrying authentication, authorization, and accounting information

Note that the IETF RADIUS Extensions Working Group currently is focusing on extensions to the RADIUS protocol required to enable its use in applications such as IP telephony and local-area network AAA. To keep backward compatibility, the working group decided not to define new transports (such as TCP and SCTP).

Diameter

The Diameter protocol, standardized by the IETF Authentication, Authorization and Accounting working group, is the successor to the RADIUS protocol and was developed to overcome several limitations of RADIUS.

AAA protocols such as TACACS+ and RADIUS were initially deployed to provide dialup Point-to-Point Protocol (PPP) and terminal server access. Over time, with the growth of the Internet and the introduction of new access technologies, including wireless, DSL, Mobile IP, and Ethernet, routers and network access servers (NAS) have increased in complexity and density, putting new demands on AAA protocols.

Diameter introduced a couple of improvements compared to RADIUS:

  • Application-layer acknowledgments and failover algorithms

  • Mandatory IPsec and optional TLS support

  • Reliable transport mechanisms (TCP, SCTP)

  • Support for server-initiated messages

  • Data object security is supported but not mandatory

  • Capability negotiation between clients and servers

  • Peer discovery and configuration

Table 2. Diameter References

  • RFC 3588 (Standard), Diameter Base Protocol: protocol description

  • RFC 3589 (Informational), Diameter Command Codes for Third Generation Partnership Project: allocates a block of Diameter command codes for use by 3GPP specifications

For completeness, RFC 3589 also deals with Diameter, but not with accounting. Note also that several Diameter IETF drafts currently are in progress.




http://blogs.oracle.com/raulgoy/2010/07/data_collection_protocols_aaa.html