Radius AAA & NAS


Before starting to learn RADIUS, you need to understand the following two important concepts:

  • What is AAA?

  • What is NAS?

So let us first get a basic idea of these two:

What is AAA?

AAA stands for (i) Authentication, (ii) Authorization and (iii) Accounting.

Authentication:

  • Refers to confirming that the user requesting a service is who they claim to be, i.e. a valid user.

  • Is accomplished by presenting an identity together with credentials.

  • Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization:

  • Refers to the granting of specific types of service (including "no service") to a user, based on their authentication.

  • May be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user.

  • Examples of services include, but are not limited to: IP address filtering, address assignment, route assignment, encryption, QoS/differential services, bandwidth control/traffic management.

Accounting:

  • Refers to the tracking of the consumption of network resources by users.

  • Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.

  • May be used for management, planning, billing etc.

An AAA server provides all of the above services to its clients.
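To make the three services concrete over RADIUS, the protocol this page goes on to cover, here is an added example (not code from the page) that simulates one NAS talking to one AAA server in-process: the NAS sends an Access-Request with the User-Password hidden as RFC 2865 specifies (authentication), the server answers with an Access-Accept carrying a Framed-IP-Address and a Session-Timeout (authorization), and the NAS then sends Accounting-Request Start and Stop records that the server verifies and logs (accounting). The shared secret, user database, address pool and ledger are constructed for the example; a real NAS would send these packets over UDP instead of calling the server functions directly.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed example data, not from the page: one NAS and one AAA server.
SECRET = b"example-shared-secret"                       # shared secret configured on both sides
USERS = {"alice": b"correct horse", "bob": b"hunter2"}   # authentication: user database
IP_POOL = {"alice": "10.0.0.11", "bob": "10.0.0.12"}     # authorization: address to assign
LEDGER = []                                              # accounting: (user, session, status, seconds)

# RADIUS packet codes and attribute types from RFC 2865 / RFC 2866
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, FRAMED_IP, SESSION_TIMEOUT = 1, 2, 8, 27
ACCT_STATUS, ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_START, ACCT_STOP = 40, 44, 46, 1, 2


def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    """Parse a packet, rejecting inconsistent lengths instead of reading past the buffer."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def sign(code, ident, auth_field, attrs, secret):
    """MD5(Code + ID + Length + auth_field + Attributes + Secret): the Response Authenticator when
    auth_field is the Request Authenticator (RFC 2865 s3), the Accounting-Request Authenticator
    when auth_field is 16 zero octets (RFC 2866 s3)."""
    return hashlib.md5(encode(code, ident, auth_field, attrs) + secret).digest()

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: NUL-pad to 16-octet blocks, XOR each with MD5(secret + previous output block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: the chaining value is the previous *hidden* block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def server_handle_access(pkt):
    """AAA server: authenticate the user, then authorize (address + session limit) in the Access-Accept."""
    code, ident, req_auth, attrs = decode(pkt)
    f = dict(attrs)
    name = f.get(USER_NAME, b"").decode(errors="replace")
    stored = USERS.get(name)
    password = reveal_password(f.get(USER_PASSWORD, b""), SECRET, req_auth)
    if code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(stored, password):
        reply_code = ACCESS_ACCEPT
        reply = [(FRAMED_IP, socket.inet_aton(IP_POOL[name])), (SESSION_TIMEOUT, struct.pack("!I", 3600))]
    else:
        reply_code, reply = ACCESS_REJECT, []     # "no service" for unknown user or bad credentials
    return encode(reply_code, ident, sign(reply_code, ident, req_auth, reply, SECRET), reply)

def server_handle_acct(pkt):
    """AAA server: verify the Accounting-Request Authenticator, record usage, acknowledge."""
    code, ident, auth, attrs = decode(pkt)
    if code != ACCT_REQUEST or not hmac.compare_digest(auth, sign(code, ident, b"\x00" * 16, attrs, SECRET)):
        return None                               # RFC 2866: silently discard unverifiable requests
    f = dict(attrs)
    seconds = struct.unpack("!I", f.get(ACCT_SESSION_TIME, b"\x00" * 4))[0]
    LEDGER.append((f[USER_NAME].decode(), f[ACCT_SESSION_ID].decode(),
                   struct.unpack("!I", f[ACCT_STATUS])[0], seconds))
    return encode(ACCT_RESPONSE, ident, sign(ACCT_RESPONSE, ident, auth, [], SECRET), [])

def nas_login(name, password, nas_secret=SECRET):
    """NAS: send an Access-Request; trust the reply only if its Response Authenticator verifies."""
    ident, req_auth = 7, os.urandom(16)          # fresh random Request Authenticator per request
    attrs = [(USER_NAME, name.encode()), (USER_PASSWORD, hide_password(password, nas_secret, req_auth))]
    code, rid, auth, rattrs = decode(server_handle_access(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
    if rid != ident or not hmac.compare_digest(auth, sign(code, rid, req_auth, rattrs, nas_secret)):
        return None                               # forged or tampered reply: treat as no reply
    return dict(rattrs) if code == ACCESS_ACCEPT else None

def nas_session(name, session_id, seconds, nas_secret=SECRET):
    """NAS: Accounting-Request Start, then Stop carrying the session time; True if both were acknowledged."""
    for ident, status, extra in ((8, ACCT_START, []),
                                 (9, ACCT_STOP, [(ACCT_SESSION_TIME, struct.pack("!I", seconds))])):
        attrs = [(USER_NAME, name.encode()), (ACCT_SESSION_ID, session_id.encode()),
                 (ACCT_STATUS, struct.pack("!I", status))] + extra
        auth = sign(ACCT_REQUEST, ident, b"\x00" * 16, attrs, nas_secret)
        reply = server_handle_acct(encode(ACCT_REQUEST, ident, auth, attrs))
        if reply is None:
            return False
        code, rid, rauth, rattrs = decode(reply)
        if rid != ident or not hmac.compare_digest(rauth, sign(code, rid, auth, rattrs, nas_secret)):
            return False
    return True
```

Two things worth noticing when you run it: a NAS configured with the wrong shared secret never gets access (the server recovers garbage instead of the password, and the NAS in turn discards the reply because the Response Authenticator does not verify), and an accounting record with a bad authenticator is dropped rather than logged. Also note what the protocol does not do: only the User-Password attribute is hidden, with an MD5 keystream that an observer holding a captured request can attack offline, and nothing else in the packet is confidential, which is why RADIUS is normally confined to a management network or carried over IPsec or TLS.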

AAA Protocols

  • Terminal Access Controller Access Control System (TACACS):

    TACACS is a remote authentication protocol, historically common on UNIX networks, that lets a remote access server consult a central authentication server to determine whether a user may access the network. The Unix daemon is TACACSD and listens on port 49; the original protocol runs over UDP (port 49 is assigned for both UDP and TCP).

  • TACACS+ :

    TACACS+ is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. It uses TCP port 49 and provides separate authentication, authorization and accounting services. Despite the name it is not backward compatible with TACACS. Unlike RADIUS, which hides only the user password, TACACS+ obfuscates the entire packet body with a keystream derived from the shared secret; this is protection against casual observers rather than modern authenticated encryption, so it should still be run over a trusted or IPsec/TLS-protected network.

  • RADIUS :

    Remote Authentication Dial In User Service (RADIUS) is an AAA protocol for applications such as network access or IP mobility. It runs over UDP, using port 1812 for authentication/authorization and 1813 for accounting (legacy deployments used 1645/1646). We will see more about RADIUS in subsequent chapters.

  • DIAMETER :

    Diameter was designed as the successor to RADIUS (the name is a pun: a diameter is twice a radius). It runs over TCP or SCTP rather than UDP, relies on TLS, DTLS or IPsec for transport security, is not backward compatible with RADIUS, and is used mainly in mobile operator core networks.

What is Network Access Server (NAS) ?

The Network Access Server (NAS) is the service element that clients dial into in order to get access to the network. Traditionally it is a device with interfaces both to the backbone and to the telco (POTS or ISDN); it receives calls from hosts that want to reach the backbone over dial-up, and it is located at an Internet provider's point of presence to give customers Internet access. Today the same role is played by VPN concentrators, wireless controllers and access points, and 802.1X-capable switches: whatever the form, the NAS is the RADIUS client and the AAA server is the RADIUS server.

A Network Access Server (NAS) is:

  • A single point of access to a remote resource

  • A Remote Access Server, because it allows remote access to a network

  • The initial entry point to a network

  • A gateway that guards access to a protected resource

A few examples are:

  • Internet access verification using a user ID and password

  • VoIP, FoIP and VMoIP, which require a valid phone number or IP address

  • Telephone prepaid cards, which use the prepaid card number

NAS Architecture