Authentication, Authorization and Accounting (AAA) Protocols


Authentication, Authorization and Accounting (AAA) Protocols. Agent Technologies in Telecommunications (Agententechnologien in der Telekommunikation), summer semester 2009. Babak Shafieian, babak.shafieian@dai-labor.de, 10 June 2009. Course: Agent Technologies in Business Applications and Telecommunications (Agententechnologien in betrieblichen Anwendungen und der Telekommunikation).


Motivation (Why AAA?)
Telecommunications services are a global market worth over US$ 1.5 trillion in revenue. Services that depend on AAA include home entertainment, Voice over IP (VoIP), multimedia conferencing, and messaging/presence.

Authentication (Who is babak.shafieian@dai.de?)
Authentication is the process of verifying a user's identity using credentials such as a username and password or a certificate. If the presented credentials match the credentials stored in the service provider's database, the user is granted access to the network; otherwise access is denied.

Authorization
Authorization is the process of enforcing policies. It determines what types or qualities of network resources, or which specific services, the user is permitted to use. Using the access policy defined for a user, the service provider grants or rejects the user's access requests. Policy can be applied per user or per group.

Accounting
Accounting is the process of keeping track of what the user is doing. It includes:
- the amount of time spent in the network (session duration)
- the number of packets (or bytes) transmitted during a session
- the services accessed during a session
It may be used for billing, trend analysis, capacity planning and resource utilization, and auditing.

History of AAA
1950s/60s: classic login. Terminal logins on mainframes.
1993: TACACS (RFC 1492). The Terminal Access Controller Access-Control System was originally designed to handle access control in the ARPANET. XTACACS is the extended version introduced by Cisco. The current version, TACACS+, is an entirely new protocol and is not compatible with the older versions.
1997: RADIUS (RFC 2058, revised as RFC 2138 in 1997 and RFC 2865 in 2000).
1998: Diameter framework document (Internet Draft).
2003: Diameter Base Protocol (RFC 3588).
2005: Diameter Mobile IPv4 Application (RFC 4004).

IRTF AAA Research Group
The IRTF AAA Architecture Research Group (AAAARCH) focused on developing requirements for authentication, authorization and accounting as applied to network access. Archive: http://www.aaaarch.org/
Major RFCs:
RFC 2903 Generic AAA Architecture
RFC 2904 AAA Authorization Framework
RFC 2905 AAA Authorization Application Examples
RFC 2906 AAA Authorization Requirements


AAA Architecture

AAA Components
End-user: establishes a PPP connection to the NAS and sends credentials to it.
AAA client (the NAS): collects the credentials from the end-user using PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) over PPP and, unless it can authenticate the user against a local database, forwards them to the AAA server using the RADIUS protocol.
AAA server: verifies the credentials against its user store, which may be a database, an LDAP directory or a text file.

Flow of AAA Communication

Flow of AAA Communication
1) To establish a connection with the network, the user sends credentials to the AAA client.
2) The AAA client sends an Access-Request containing the user's credentials to the AAA server.
3) The AAA server verifies the credentials. On success it replies with an Access-Accept, otherwise with an Access-Reject.
4) Accounting data are sent to the AAA server after the user logs in and again after the user logs off. Other service-related information can also be sent to the AAA server.

AAA Failover
For failover the administrator can define an ordered list of AAA servers. If the R1 server answers the authentication request with PASS, access is granted. If the R1 server answers with FAIL, access is rejected; an explicit rejection is final and must not cause the next server to be tried. Only if there is no response at all from the R1 server is the R2 server contacted. If no server in the list responds, the client should deny access (fail closed) unless a deliberate local fallback has been configured.
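The server-list walk described on this slide, as an added example in Python that is not part of the original lecture. The network is replaced by a scripted sender (constructed for the example) so that the three outcomes, PASS, FAIL and silence, can be exercised offline; the point it makes is that a reject never falls through to the next server and that an exhausted list denies rather than grants.

```python
ACCEPT, REJECT, NO_REPLY = "accept", "reject", None


def authenticate(servers, send, retries=3):
    # Walk the ordered AAA server list: PASS grants, FAIL denies, and only silence
    # (after `retries` attempts) moves on to the next server. Running out of servers
    # denies as well, so the NAS fails closed instead of letting the user in.
    dead = []
    for server in servers:
        for attempt in range(1, retries + 1):
            reply = send(server, attempt)
            if reply == ACCEPT:
                return {"granted": True, "server": server, "dead": dead}
            if reply == REJECT:
                return {"granted": False, "server": server, "dead": dead}  # final, no fall-through
        dead.append(server)  # never answered: candidate for dead-time marking
    return {"granted": False, "server": None, "dead": dead}


def scripted_sender(script):
    # Constructed stand-in for the network: `script` maps a server name to the list of
    # replies it gives, one per attempt; a missing entry or a short list means no reply.
    def send(server, attempt):
        replies = script.get(server, [])
        return replies[attempt - 1] if attempt <= len(replies) else NO_REPLY
    return send


if __name__ == "__main__":
    send = scripted_sender({"R1": [None, None, None], "R2": ["accept"]})
    print(authenticate(["R1", "R2"], send))
```

A NAS feature that grants access when every server is silent (a local "none" fallback) turns a RADIUS outage or a blocked UDP port into an authentication bypass; if such a fallback exists it should be an explicit, audited configuration choice, never the default path of this loop.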

Authorization Sequences
There are three types of communication relationships between the AAA components (the single-domain message sequences of RFC 2904):
1) Agent sequence
2) Pull sequence
3) Push sequence

Agent Sequence
1) The user sends a request to the AAA server.
2) The AAA server authenticates the user, verifies that the user is authorized for the service and requests the service from the service provider.
3) The service provider accepts the request.
4) The AAA server tells the user that access to the service is granted.

Pull Sequence
1) The user asks the service provider directly for the service.
2) The service provider forwards the user's credentials to the AAA server, which authenticates the user and checks the authorization.
3) The AAA server sends the result back to the service provider.
4) The service provider provides the service.
This is the arrangement of a NAS talking to a RADIUS server: the service provider pulls the decision from the AAA server.

Push Sequence
1) The user is authenticated directly by the AAA server.
2) The AAA server issues a signed ticket containing the authorization details.
3) The user presents the ticket to the service provider.
4) The service provider verifies the ticket and provides the service.
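Steps 2 to 4 of the push sequence, as an added example in Python that is not part of the original lecture. The ticket format (a JSON body under an HMAC-SHA256 tag, base64-encoded) and the fields in it are this example's own choice, not anything RFC 2904 prescribes; the key is assumed to be shared out of band between the AAA server and the service provider, and the service name "vod" is constructed. The verifier checks the tag before reading the body, then the validity window, then that the ticket was issued for this service, so a ticket for one service cannot be replayed at another.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def unb64(text):
    return base64.urlsafe_b64decode(text)


def issue_ticket(key, user, service, authz, ttl, now=None):
    # AAA server (step 2): after authenticating the user, bind user, target service,
    # the authorization details and a validity window together under an HMAC.
    now = time.time() if now is None else now
    body = {"user": user, "svc": service, "authz": authz,
            "iat": int(now), "exp": int(now) + ttl}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def verify_ticket(key, ticket, service, now=None):
    # Service provider (step 4): check the MAC before trusting a single byte of the
    # payload, then the validity window, then that the ticket targets this service.
    now = time.time() if now is None else now
    try:
        p64, t64 = ticket.split(".", 1)
        payload, tag = unb64(p64), unb64(t64)
    except (ValueError, binascii.Error):
        return None  # not even a well-formed ticket
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None  # forged or tampered
    body = json.loads(payload)
    if body["svc"] != service or not body["iat"] <= now < body["exp"]:
        return None  # wrong audience or outside the validity window
    return body


if __name__ == "__main__":
    key = b"shared-between-aaa-and-service"  # assumed out-of-band shared key
    ticket = issue_ticket(key, "alice", "vod", {"bandwidth": "2Mbit/s"}, ttl=300)
    print(verify_ticket(key, ticket, "vod"))
```

A symmetric MAC works when the AAA server and each service provider share a key; with many providers a signature (so that providers hold only a public key) is the usual choice, and the ticket should then also carry a unique identifier so a provider can refuse replays within the validity window.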


AAA in CDMA

AAA in CDMA
Access Network AAA (AN-AAA): provides authentication and authorization functions at the access network (AN).
Broker AAA (B-AAA): acts as an intermediary that proxies AAA traffic between roaming partner networks (i.e. the home network and the serving network).
Home AAA (H-AAA): plays a role similar to the HLR in voice networks. It stores user profile information, responds to authentication requests and collects accounting information.
Visited AAA (V-AAA): communicates with the H-AAA. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA.


RADIUS History
1991: originally specified by Merit Network to control dial-in access to NSFNET.
1993: first RADIUS server developed by Livingston Enterprises.
1996: the IETF formalized Livingston's work by chartering the RADIUS Working Group.
1997: first RADIUS RFC (RFC 2058).
2001: RADIUS and IPv6 (RFC 3162).
2008: RADIUS extension for Digest authentication (RFC 5090).

RADIUS Functionality
Basics: RADIUS is a client/server protocol in the application layer, using UDP as transport (port 1812 for authentication and 1813 for accounting).
Client/server operation: a RADIUS client resides on a NAS (e.g. a WLAN access point, a Mobile IP foreign agent or a GGSN), collects the user's requests and forwards them to the RADIUS server. The RADIUS server may handle them locally or act as a proxy for another RADIUS server.
Network security: the communication between a RADIUS client and server is authenticated with a shared secret that is never sent over the network. Passwords are obfuscated rather than encrypted: they are XORed with MD5 digests derived from the shared secret and the request authenticator. The whole scheme stands or falls with the secret. An eavesdropper who captures a single request/response pair can test secret guesses offline, and a recovered secret exposes every password hidden under it, so secrets must be long, random and unique per client, and on untrusted networks RADIUS should be carried inside IPsec or TLS (RadSec, RFC 6614).

RADIUS Functionality
Authentication methods: RADIUS supports a range of authentication methods such as PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) and EAP (Extensible Authentication Protocol, carried in the EAP-Message attribute).
Attribute-Value Pairs (AVPs): transport the AAA information in a RADIUS message. New attributes can be added, either as new standard attribute types or as Vendor-Specific Attributes (type 26).

RADIUS Packet
Code (1 byte): determines the type of message.
Identifier (1 byte): matches requests and replies.
Length (2 bytes): the length of the entire RADIUS packet, header included.
Authenticator (16 bytes): in a request, a random value that seeds the password hiding; in a reply, an MD5 digest keyed with the shared secret that lets the client authenticate the response.
Attributes: the AAA information and configuration details of the request or response.
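The flow of AAA communication and the packet layout just described, as an added example in Python that is not part of the original lecture: a NAS builds an Access-Request with the User-Password hidden per RFC 2865 section 5.2, the server unhides it and answers Access-Accept or Access-Reject with a Response Authenticator, and the client checks that authenticator before believing the answer. The last function makes the security caveat above concrete by recovering a weak shared secret from one captured pair. The attribute constants are the RFC 2865 values; the user store, the secret and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3) and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def hide_password(password, secret, req_auth):
    # RFC 2865 section 5.2: NUL-pad to a multiple of 16, XOR each block with
    # MD5(secret + previous block); the first block uses the Request Authenticator.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    # Server side: reverse the XOR chain and strip the NUL padding.
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("value too long for the 1-byte attribute Length")
        out += struct.pack("!BB", t, len(v) + 2) + v  # Length counts Type and Length
    return out


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")  # never trust Length blindly
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], pkt[20:length], decode_attrs(pkt[20:length])


def response_auth(header, attr_bytes, req_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def access_request(ident, user, password, secret):
    # AAA client (NAS), step 2 of the flow: Access-Request with a fresh random authenticator
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(pkt, secret, users):
    # AAA server, step 3: check against `users` (constructed name -> password store)
    code, ident, req_auth, _, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is handled here")
    a = dict(attrs)
    name, hidden = a.get(USER_NAME), a.get(USER_PASSWORD)
    ok = (name in users and hidden is not None
          and hmac.compare_digest(unhide_password(hidden, secret, req_auth), users[name]))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    attrs = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Authentication failed")])
    header = struct.pack("!BBH", reply, ident, 20 + len(attrs))
    return header + response_auth(header, attrs, req_auth, secret) + attrs


def client_verify(request, response, secret):
    # AAA client: a reply counts only if Identifier and Response Authenticator match
    _, req_ident, req_auth, _, _ = parse_packet(request)
    code, ident, auth, attrs, _ = parse_packet(response)
    if ident != req_ident or not hmac.compare_digest(
            auth, response_auth(response[:4], attrs, req_auth, secret)):
        return None  # forged or mismatched: treat as no reply, never as Accept
    return code


def recover_secret(request, response, wordlist):
    # The caveat made concrete: one captured pair lets an eavesdropper test secrets offline
    _, _, req_auth, _, _ = parse_packet(request)
    _, _, auth, attrs, _ = parse_packet(response)
    for guess in wordlist:
        if response_auth(response[:4], attrs, req_auth, guess) == auth:
            return guess
    return None
```

Once recover_secret succeeds, unhide_password with the recovered secret yields the user's password from the same capture, which is why the secret, not MD5, is the only thing protecting PAP over RADIUS.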

Major RADIUS Codes

Attribute-Value Pair (AVP)

RADIUS Example: ISP Dial-In
1) The user initiates PPP authentication to the NAS.
2) The NAS prompts for username and password (PAP) or sends a challenge (CHAP).
3) The user replies.
4) The RADIUS client sends the username and the hidden password (PAP), or the CHAP challenge and response (CHAP), to the server.
5) The RADIUS server responds with Accept, Reject or Challenge.
6) The RADIUS client acts upon the service parameters bundled with the response.


Extensible Authentication Protocol (EAP)
EAP is an authentication framework used in wireless networks and for PPP connections. It is an IETF standard (RFC 3748). It runs directly over data link layers such as PPP or IEEE 802, without requiring IP. EAP is not itself an AAA protocol: it encapsulates the messages of the chosen authentication method within its own packets, so that the peer and the back-end authentication server can run that method without the NAS having to understand it; between the NAS and the AAA server the EAP packets are carried in RADIUS (EAP-Message attribute) or Diameter. It supports a wide range of authentication methods, e.g. TLS, MD5, PSK (Pre-Shared Key), SIM (Subscriber Identity Module) and AKA (Authentication and Key Agreement).
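The EAP message flow for the simplest method, EAP-MD5, as an added example in Python that is not part of the original lecture: Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge and finally Success or Failure, with both the peer (supplicant) and the back-end authentication server driven in memory. The packet layout and code values are those of RFC 3748; the user store and the server name "aaa.example.net" are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and the method types used here (RFC 3748 sections 4 and 5)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE = 1, 3, 4


def eap_pack(code, ident, type_=None, data=b""):
    # Code (1) | Identifier (1) | Length (2) | Type (1) | Type-Data; Success/Failure carry no Type
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP Length")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without Type")
    return code, ident, pkt[4], pkt[5:]


def md5_response(ident, password, challenge):
    # EAP-MD5 (RFC 3748 section 5.4) reuses the CHAP computation: MD5(Identifier | secret | challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def peer_handle(pkt, identity, password):
    # Supplicant side: answer Identity and MD5-Challenge requests, Nak anything else.
    code, ident, type_, data = eap_unpack(pkt)
    if code != REQUEST:
        return None
    if type_ == IDENTITY:
        return eap_pack(RESPONSE, ident, IDENTITY, identity)
    if type_ == MD5_CHALLENGE:
        size = data[0] if data else 0
        if size == 0 or 1 + size > len(data):
            raise ValueError("bad MD5-Challenge Value-Size")
        value = md5_response(ident, password, data[1:1 + size])
        return eap_pack(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + value + identity)
    return eap_pack(RESPONSE, ident, NAK, bytes([MD5_CHALLENGE]))  # the only method we speak


class Md5Authenticator:
    # Back-end authentication server; `users` is a constructed name -> password store.
    def __init__(self, users):
        self.users, self.ident, self.identity, self.challenge = users, 0, None, None

    def start(self):
        self.ident += 1
        return eap_pack(REQUEST, self.ident, IDENTITY)

    def handle(self, pkt):
        code, ident, type_, data = eap_unpack(pkt)
        if code != RESPONSE or ident != self.ident:
            return None  # stale or out-of-order response: discard silently (RFC 3748 section 4.1)
        if type_ == IDENTITY:
            self.identity, self.challenge = data, os.urandom(16)  # Identity is a hint, not proof
            self.ident += 1
            return eap_pack(REQUEST, self.ident, MD5_CHALLENGE,
                            bytes([16]) + self.challenge + b"aaa.example.net")
        if type_ == MD5_CHALLENGE and self.challenge is not None and data:
            value = data[1:1 + data[0]]
            pw = self.users.get(self.identity)
            ok = (pw is not None and len(value) == 16
                  and hmac.compare_digest(value, md5_response(ident, pw, self.challenge)))
            self.challenge = None  # one answer per challenge
            return eap_pack(SUCCESS if ok else FAILURE, ident)
        return eap_pack(FAILURE, ident)


def run_eap_md5(users, identity, password):
    # Drive the whole exchange in memory: Identity round trip, MD5 challenge, Success/Failure.
    server = Md5Authenticator(users)
    pkt = server.start()
    while True:
        pkt = server.handle(peer_handle(pkt, identity, password))
        code = eap_unpack(pkt)[0]
        if code in (SUCCESS, FAILURE):
            return code == SUCCESS
```

EAP-MD5 is a useful teaching method and a poor deployment choice: it authenticates only the peer, derives no keys for the link (so it cannot protect a WLAN), and anyone who sees the challenge and response can run a dictionary attack on the password. Tunnelled methods such as EAP-TLS, PEAP or EAP-TTLS exist to close exactly those gaps.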

EAP Message Flow

EAP Framework


Diameter
Diameter is the successor to RADIUS. It is not backward compatible on the wire; instead, the base protocol provides for translation agents so that RADIUS and Diameter deployments can coexist. It was designed to fix the known RADIUS deficiencies. The Diameter Base Protocol is defined in RFC 3588 (2003). It can be extended with new applications.

New Functionalities
- Reliable message transport over TCP or SCTP.
- The server is able to initiate messages.
- Vendor-specific AVPs can be integrated.
- Accounting information can be sent to servers other than the authentication/authorization server.
- Hop-by-hop security with IPsec or TLS; the base protocol also provides for end-to-end security.
- Larger address space for attribute-value pairs (AVPs).

RADIUS vs. Diameter

Strict limitation of attribute data
RADIUS: only 1 byte is reserved for the length of a data field in its attribute header (max. 255, and that count includes the Type and Length bytes themselves).
Diameter: reserves 3 bytes for the AVP length (max. 2^24 - 1, RFC 3588 section 4.1).

Inefficient retransmission algorithm
RADIUS: only 1 byte serves as the identifier field to recognise retransmissions, which limits the number of requests that can be pending at once (256 identifier values).
Diameter: reserves 4 bytes for this purpose (max. 2^32).

No failover server support
RADIUS: the server has no way of indicating that it is going down or that it is currently running.
Diameter: supports keep-alive messages (Device-Watchdog) and messages that announce that a server is going down for a period of time (Disconnect-Peer).

Hop-by-hop security
RADIUS: supports only hop-by-hop security; every hop can modify information, and the modification cannot be traced to its origin.
Diameter: provides for end-to-end security, so that information cannot be modified without notice.

Packet Format

Diameter Design
Diameter is defined as a base protocol which can be extended by a set of applications.

Diameter Applications
Mobile IPv4 Application: allows a Diameter server to authenticate, authorize and collect accounting information for Mobile IPv4 services rendered to a mobile node.
Network Access Server Application (NASREQ): used for AAA services in the Network Access Server (NAS) environment.
EAP Application: defines the command codes and AVPs needed to carry EAP packets between a NAS and a back-end authentication server.
SIP Application: gives a Diameter client co-located with a SIP server the ability to request user authentication and authorization of SIP resource usage from a Diameter server.

Diameter Nodes
Diameter client: performs access control, e.g. a Network Access Server (NAS) or a Mobile IP foreign agent (FA).
Diameter server: handles authentication, authorization and accounting requests for a particular realm.
Relay agent: forwards Diameter messages based on the routing information they carry; it may insert or remove routing information (e.g. Route-Record) but does not modify any other part of the message.
Proxy agent: forwards Diameter messages and is able to modify their content, e.g. to enforce policy.
Redirect agent: supplies routing information to other nodes instead of forwarding messages itself; acts as a centralized configuration repository for other Diameter nodes.
Translation agent: translates between different AAA protocols, e.g. RADIUS and Diameter.

Message Flows

Commands
Capabilities-Exchange-Request (CER): sent to exchange local capabilities when a transport connection is established.
Capabilities-Exchange-Answer (CEA): sent in response to a CER.
Device-Watchdog-Request (DWR): sent to a peer when no traffic has been exchanged between the two peers for a while, to check that it is still alive.
Device-Watchdog-Answer (DWA): sent in response to a DWR.
Disconnect-Peer-Request (DPR): sent to a peer to announce the intention to shut down the transport connection.
Disconnect-Peer-Answer (DPA): sent in response to a DPR.
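The Diameter header, the AVP format and the CER/CEA exchange described above, as an added example in Python that is not part of the original lecture. It shows the points the comparison table makes in bytes: the 3-byte AVP length, the 4-byte hop-by-hop and end-to-end identifiers that an answer copies back, the R flag that distinguishes request from answer, and the rule that an unknown AVP with the M (mandatory) bit set must be refused rather than ignored. The command and AVP codes are the RFC 3588 values; the host names and addresses are constructed for the example.

```python
import struct

# Command flags and AVP flags (RFC 3588 sections 3 and 4.1)
R_FLAG, P_FLAG, E_FLAG = 0x80, 0x40, 0x20
V_FLAG, M_FLAG = 0x80, 0x40
# Command codes: request and answer share the code; the R flag tells them apart
CER_CEA, DWR_DWA, DPR_DPA = 257, 280, 282
# AVP codes used in a capabilities exchange, and Result-Code values
ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS = 264, 296, 257
VENDOR_ID, PRODUCT_NAME, RESULT_CODE = 266, 269, 268
DIAMETER_SUCCESS, DIAMETER_AVP_UNSUPPORTED = 2001, 5001


def u32(n):
    return struct.pack("!I", n)


def avp(code, data, flags=M_FLAG, vendor=None):
    # Code (4) | Flags (1) | Length (3, header included, padding excluded) | [Vendor-ID (4)] | Data
    if vendor is not None:
        flags |= V_FLAG
    length = (12 if vendor is not None else 8) + len(data)
    out = u32(code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor is not None:
        out += u32(vendor)
    return out + data + b"\x00" * ((-len(data)) % 4)  # data is padded to a 4-byte boundary


def message(cmd, flags, app_id, hbh, e2e, avps):
    # Version (1) | Length (3) | Flags (1) | Command Code (3) | Application-ID (4) | Hop-by-Hop (4) | End-to-End (4)
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + u32(app_id) + u32(hbh) + u32(e2e) + body)


def parse_avps(data):
    avps, pos = [], 0
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", data[pos:pos + 5])
        length = int.from_bytes(data[pos + 5:pos + 8], "big")
        hdr = 12 if flags & V_FLAG else 8
        if length < hdr or pos + length > len(data):
            raise ValueError("malformed AVP Length")
        vendor = struct.unpack("!I", data[pos + 8:pos + 12])[0] if flags & V_FLAG else None
        avps.append((code, flags, vendor, data[pos + hdr:pos + length]))
        pos += length + (-length) % 4  # step over the padding as well
    return avps


def parse_message(pkt):
    if len(pkt) < 20 or pkt[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(pkt[1:4], "big") != len(pkt):
        raise ValueError("Message Length does not match")
    app_id, hbh, e2e = struct.unpack("!III", pkt[8:20])
    return {"cmd": int.from_bytes(pkt[5:8], "big"), "flags": pkt[4], "app": app_id,
            "hbh": hbh, "e2e": e2e, "avps": parse_avps(pkt[20:])}


def identity_avps(host, realm, ipv4):
    # Host-IP-Address is of type Address: 2-byte AddressFamily (1 = IPv4) followed by the address
    return [avp(ORIGIN_HOST, host), avp(ORIGIN_REALM, realm),
            avp(HOST_IP_ADDRESS, struct.pack("!H", 1) + bytes(int(o) for o in ipv4.split("."))),
            avp(VENDOR_ID, u32(0)), avp(PRODUCT_NAME, b"example-diameter-peer", flags=0)]


def build_cer(hbh, e2e, host, realm, ipv4):
    return message(CER_CEA, R_FLAG, 0, hbh, e2e, identity_avps(host, realm, ipv4))


def answer_cer(cer_bytes, host, realm, ipv4):
    cer = parse_message(cer_bytes)
    if cer["cmd"] != CER_CEA or not cer["flags"] & R_FLAG:
        raise ValueError("expected a CER")
    # An AVP we do not understand whose M bit is set may not be ignored (RFC 3588 section 4.1)
    known = {ORIGIN_HOST, ORIGIN_REALM, HOST_IP_ADDRESS, VENDOR_ID, PRODUCT_NAME}
    unsupported = [a for a in cer["avps"] if a[0] not in known and a[1] & M_FLAG]
    result = DIAMETER_AVP_UNSUPPORTED if unsupported else DIAMETER_SUCCESS
    # The answer keeps the request's Hop-by-Hop and End-to-End identifiers and clears the R flag
    return message(CER_CEA, 0, 0, cer["hbh"], cer["e2e"],
                   [avp(RESULT_CODE, u32(result))] + identity_avps(host, realm, ipv4))


def result_code(answer_bytes):
    for code, _, _, data in parse_message(answer_bytes)["avps"]:
        if code == RESULT_CODE:
            return struct.unpack("!I", data)[0]
    return None
```

The same avp and message helpers serve DWR/DWA and DPR/DPA, which differ only in command code and AVP list; a real peer would also refuse a CER from a host whose Origin-Host is not in its peer table, since the capabilities exchange is the first message on a connection and the point at which an unknown peer is turned away.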

Major RFCs
RFC 3588: Diameter Base Protocol (since superseded by RFC 6733, 2012).
RFC 3589: Diameter Command Codes for Third Generation Partnership Project (3GPP).
RFC 4004: Diameter Mobile IPv4 Application.
RFC 4005: Diameter Network Access Server Application.
RFC 4072: Diameter Extensible Authentication Protocol (EAP) Application.
RFC 4740: Diameter Session Initiation Protocol (SIP) Application.
RFC 5431: Diameter ITU-T Rw Policy Enforcement Interface Application.
RFC 5447: Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction.


Real Life Scenario - emobility