
Page 251

Access Control Protocols and Frameworks

Both centralized and decentralized models may support remote users authenticating to local systems. A number of protocols and frameworks may be used to support this need, including RADIUS, Diameter, TACACS/TACACS+, PAP and CHAP, and Microsoft Active Directory.

RADIUS

The Remote Authentication Dial In User Service (RADIUS) protocol is a third-party authentication system. RADIUS is described in RFCs 2865 and 2866, and uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting). RADIUS formerly used the (unofficially assigned) ports of 1645 and 1646 for the same respective purposes; some implementations continue to use those ports.

RADIUS is considered an “AAA” system, made up of three functions: authentication, authorization, and accounting. It authenticates a subject’s credentials against an authentication database. It authorizes by returning, in the Access-Accept, the attributes that govern what the accepted session may do (for example, the service type or filter to apply). It accounts for each session through Accounting-Request messages, in which the network access server (NAS) reports the start, stop, and usage of every RADIUS-authenticated session.

RADIUS request and response data is carried in Attribute Value Pairs (AVPs). Of these, only the User-Password attribute is obfuscated (XORed with an MD5 keystream derived from the shared secret and the request authenticator); every other attribute, including User-Name, travels in cleartext, so both the shared secret and the network path between the NAS and the RADIUS server need protecting. According to RFC 2865 (https://datatracker.ietf.org/doc/html/rfc2865), RADIUS supports the following packet codes:

  • Access-Request (1)
  • Access-Accept (2)
  • Access-Reject (3)
  • Accounting-Request (4)
  • Accounting-Response (5)
  • Access-Challenge (11)
  • Status-Server (12, experimental)
  • Status-Client (13, experimental) [14]
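The following Python example is added here to make the packet layout, the AAA exchange and the code list above concrete; it is illustrative code written for this page, not code from RFC 2865 or from any RADIUS implementation. It builds an Access-Request from a NAS, hides the User-Password exactly as RFC 2865 section 5.2 describes, lets a minimal server decide Access-Accept or Access-Reject, signs the reply with the Response Authenticator and verifies it on the client side. The shared secret, user database, NAS address and all packet contents are constructed sample data; the function names are this example's own.

```python
"""Minimal RADIUS (RFC 2865) packet builder/parser: hypothetical example code."""
import hashlib
import hmac
import secrets
import struct

# Packet codes from RFC 2865 section 3 (accounting codes are detailed in RFC 2866).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
         12: "Status-Server", 13: "Status-Client"}
# Attribute types from RFC 2865 section 5.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18


def code_name(code: int) -> str:
    return CODES.get(code, f"Unknown({code})")


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s.5.2): XOR with an MD5(secret || previous block) keystream."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the server does this before checking the credential."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs; the Length octet counts the Type and Length octets too (RFC 2865 s.5)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):  # reject bogus lengths before slicing
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def get_attr(attrs, atype):
    return next((v for t, v in attrs if t == atype), None)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    """Returns (code, identifier, authenticator, attrs); enforces the RFC's length rules."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096 or length > len(data):
        raise ValueError("invalid Length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])  # octets past Length are padding


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def build_access_request(username, password, secret, ident, req_auth=None):
    req_auth = req_auth or secrets.token_bytes(16)  # must be unpredictable; it keys the password hiding
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])), (NAS_PORT, struct.pack("!I", 7))]
    return build_packet(1, ident, req_auth, attrs)


def handle_access_request(packet, secret, user_db):
    """Server side: recover the credential, decide, and sign the reply with the shared secret."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != 1:
        raise ValueError(f"expected Access-Request, got {code_name(code)}")
    user, hidden = get_attr(attrs, USER_NAME), get_attr(attrs, USER_PASSWORD)
    ok = (user in user_db and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, req_auth), user_db[user]))
    rcode, reply_attrs = (2, [(REPLY_MESSAGE, b"Welcome")]) if ok else (3, [(REPLY_MESSAGE, b"Access denied")])
    return build_packet(rcode, ident, response_authenticator(rcode, ident, req_auth, reply_attrs, secret), reply_attrs)


def verify_response(request, response, secret) -> bool:
    """Client side: the Identifier must match and the Response Authenticator must recompute."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, ident, auth, attrs = parse_packet(response)
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    return ident == req_id and hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    SECRET, USERS = b"shared-secret", {b"alice": b"s3cret!"}  # constructed sample data
    req = build_access_request(b"alice", b"s3cret!", SECRET, ident=42)
    resp = handle_access_request(req, SECRET, USERS)
    print(code_name(parse_packet(resp)[0]), "verified:", verify_response(req, resp, SECRET))
    print("User-Name in cleartext:", b"alice" in req, "| password in cleartext:", b"s3cret!" in req)
```

Running the script shows the point made above: the password is hidden but the User-Name attribute can be read straight out of the datagram, and anyone holding the shared secret can both recover the password and forge a valid Access-Accept. The Length checks in parse_packet and decode_attrs are the minimum a receiver needs; a Length octet smaller than 2, or larger than the remaining data, would otherwise send the loop out of bounds.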