There’s been much talk of AAA and so little of RADIUS. This is largely because RADIUS will not be eternally the access control protocol of choice. In fact, RADIUS was created by a separate working group long before the AAA design and fundamentals were brought to existence. The similarities are, however, remarkable.
AAA is the foundation of the next generation remote access protocol. Developments in creating the next protocol are being made as I write this, so the days of RADIUS being the standard aren’t infinite. But on the same token, RADIUS has an established and well-respected presence in the industry, so it has a definite future.
RADIUS, like most innovative products, was built from a need. In this case, the need was to have a method of authenticating, authorizing, and accounting for users needing access to heterogeneous computing resources. Merit Networks, a big player in creating the Internet as we know it, operated a pool of dial-up resources across California. At the time, authentication methods were peculiar to specific pieces of equipment, which added a lot of overhead and didn’t allow for much in the way of management flexibility and reporting. As the dial-up user group grew, the corporation realized they needed a mechanism more flexible and extensible than remaining with their proprietary, unwieldy equipment and scripts. Merit sent out a request for proposal, and Livingston Enterprises was one of the first respondents. Representatives for Merit and Livingston contacted each other, and after meeting at a conference, a very early version of RADIUS was written. More software was constructed to operate between the service equipment Livingston manufactured and the RADIUS server at Merit, which was operating with Unix. The developer of RADIUS, Steve Willins, still remains on the RFC document. From that point on, Livingston Enterprises became Lucent, and Merit and Lucent took the RADIUS protocol through the steps to formalization and industry acceptance. Both companies now offer a RADIUS server to the public at no charge.
Is a UDP-based connectionless protocol that doesn’t use direct connections
Uses a hop-by-hop security model
Is stateless (more to come on that later)
Supports PAP and CHAP authentication via PPP
Uses MD5 for password-hiding algorithms
Provides over 50 attribute/value pairs with the ability to create vendor-specific pairs
Supports the authentication-authorization-accounting model
In addition, RADIUS enjoys support by virtually every commercially available NAS product, ensuring its future well into the next 10 years.
First, security is an obstacle in some implementations. Despite the irony, if an implementation in which there are several proxy RADIUS servers is used, all hops must view, perform logic on, and pass on all data in the request, hidden or not. This means that all data is available at every hop, which is not the most secure environment in which to place such sensitive data as certificates and passwords.
Second, RADIUS, at least in its most general incarnation, has no support for recalling and deallocating resources after an authorization has been issued. For instance, as mentioned earlier, it’s possible to have a multi-hop proxy RADIUS chain in which the first server grants the request and subsequently contacts the necessary equipment to provision the services. If for some reason the service is not available (possibly because of a time-of-day restriction or an account suspension that the frontline RADIUS server isn’t aware of), there is no provision in the RFC specification to deny and disconnect the service now that a rejection has been made. Some vendors have developed support for subsequent rejections—including knocking a user off at his specific time limit rather than just denying him access the next time he attempts to connect—but there’s not a provision for this in the official specification.
Third, RADIUS is stateless (you heard about this earlier). That is to say, it does not keep track of configuration settings, transaction information, or any other data for the next session. When a program “does not maintain state” (is stateless) or when the infrastructure of a system prevents a program from maintaining state, it cannot take information about the last session into the next, such as settings the user made or conditions that arose during processing. In terms of using RADIUS, this complicates resource and session management solutions like I described previously.
And finally, users of RADIUS have noted that RADIUS has scalability problems. On the first page of the RFC is a note from the IESG: “Experience has shown that [RADIUS] can suffer degraded performance and lost data when used in large scale systems, in part because it does not include provisions for congestion control. Readers of this document may find it beneficial to track the progress of the IETF’s AAA Working Group, which may develop a successor protocol that better addresses the scaling and congestion control issues.”
If you were reading closely, you’d see that even the RADIUS RFC, itself, notes the fact that it’s a limited protocol. Unfortunately, adding the complications of just some of the limitations I presented here can cause problems on a large-scale enterprise level. RADIUS is not always going to be the key authenticator protocol, but its basis on the AAA framework (and your familiarity with its underpinnings, because of this book) makes the transition from RADIUS to the next, more scalable protocol much easier.