
A RADIUS service consists of three components:

  • Protocol: RFC 2865 and RFC 2866 define the RADIUS frame format and message transport on top of UDP/IP, and assign UDP port 1812 to authentication and UDP port 1813 to accounting.
  • Server: the RADIUS server runs on a central computer or workstation and holds the user authentication data and the network-service access information.
  • Client: sits on the NAS (Network Access Server, i.e. the dial-in access server) side and can be distributed throughout the network.

RADIUS follows a client/server model. The NAS (for example a router) acts as the RADIUS client: it forwards user information to the designated RADIUS server and then acts on what the server returns (for example admitting or disconnecting the user). The RADIUS server accepts user connection requests, authenticates the user, and returns to the NAS all the information it needs to deliver service.

A RADIUS server typically maintains three databases: "users" stores user information (user name, password, and per-user configuration such as the protocol to use and the IP address); "clients" stores information about the RADIUS clients (such as the shared secret); and "dictionary" stores the information used to interpret the attributes and attribute values of the RADIUS protocol. This is shown in the figure below:

Authentication on port 1812

  • 10.10.100.34: RADIUS client
  • 10.10.100.250: RADIUS server

Request

Frame 105151: 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits) on interface 0
Ethernet II, Src: Microsof_b3:0a:10 (00:15:5d:b3:0a:10), Dst: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7)
    Destination: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7)
    Source: Microsof_b3:0a:10 (00:15:5d:b3:0a:10)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.10.100.34, Dst: 10.10.100.250
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 154
    Identification: 0x430a (17162)
    Flags: 0x4000, Don't fragment
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x1a19 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.10.100.34
    Destination: 10.10.100.250
User Datagram Protocol, Src Port: 50392, Dst Port: 1812
    Source Port: 50392
    Destination Port: 1812
    Length: 134
    Checksum: 0xb386 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 13]
    [Timestamps]
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x15 (21)
    Length: 126
    Authenticator: d1848b1abab8469701d1dce433274717
    [The response to this request is in frame 105165]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=8 val=hhhhhh
        AVP: t=User-Password(2) l=18 val=Encrypted
        AVP: t=NAS-IP-Address(4) l=6 val=1.1.1.1
        AVP: t=NAS-Port(5) l=6 val=1
        AVP: t=Service-Type(6) l=6 val=Dialout-Framed-User(5)
        AVP: t=Calling-Station-Id(31) l=15 val=10.10.100.212
        AVP: t=NAS-Identifier(32) l=7 val=ceshi
        AVP: t=Acct-Session-Id(44) l=34 val=E3B3505368EC4A823BAA740045216025
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)

Response

Frame 105165: 92 bytes on wire (736 bits), 92 bytes captured (736 bits) on interface 0
Ethernet II, Src: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7), Dst: Microsof_b3:0a:10 (00:15:5d:b3:0a:10)
    Destination: Microsof_b3:0a:10 (00:15:5d:b3:0a:10)
    Source: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.10.100.250, Dst: 10.10.100.34
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 78
    Identification: 0xd34b (54091)
    Flags: 0x4000, Don't fragment
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x8a23 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.10.100.250
    Destination: 10.10.100.34
User Datagram Protocol, Src Port: 1812, Dst Port: 50392
    Source Port: 1812
    Destination Port: 50392
    Length: 58
    Checksum: 0xdd7b [unverified]
    [Checksum Status: Unverified]
    [Stream index: 13]
    [Timestamps]
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x15 (21)
    Length: 50
    Authenticator: 78ecca9332e4d174fefdf455252cef2e
    [This is a response to a request in frame 105151]
    [Time from request: 0.001165000 seconds]
    Attribute Value Pairs
        AVP: t=Service-Type(6) l=6 val=Dialout-Framed-User(5)
        AVP: t=Framed-IP-Address(8) l=6 val=172.0.0.4
            Type: 8
            Length: 6
            Framed-IP-Address: 172.0.0.4
        AVP: t=Framed-IP-Netmask(9) l=6 val=255.255.255.255
            Type: 9
            Length: 6
            Framed-IP-Netmask: 255.255.255.255
        AVP: t=Session-Timeout(27) l=6 val=8177001
            Type: 27
            Length: 6
            Session-Timeout: 8177001
        AVP: t=Acct-Interim-Interval(85) l=6 val=60
            Type: 85
            Length: 6
            Acct-Interim-Interval: 60

Accounting on port 1813

  • 10.10.100.34: RADIUS client
  • 10.10.100.250: RADIUS server

Request

Frame 105235: 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits) on interface 0
Ethernet II, Src: Microsof_b3:0a:10 (00:15:5d:b3:0a:10), Dst: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7)
    Destination: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7)
    Source: Microsof_b3:0a:10 (00:15:5d:b3:0a:10)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.10.100.34, Dst: 10.10.100.250
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 154
    Identification: 0x430b (17163)
    Flags: 0x4000, Don't fragment
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x1a18 [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.10.100.34
    Destination: 10.10.100.250
User Datagram Protocol, Src Port: 45998, Dst Port: 1813
    Source Port: 45998
    Destination Port: 1813
    Length: 134
    Checksum: 0xa869 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 14]
    [Timestamps]
RADIUS Protocol
    Code: Accounting-Request (4)
    Packet identifier: 0x58 (88)
    Length: 126
    Authenticator: 583c4aaf5459896c3b1249fd457d08be
    [The response to this request is in frame 105286]
    Attribute Value Pairs
        AVP: t=User-Name(1) l=8 val=hhhhhh
        AVP: t=NAS-IP-Address(4) l=6 val=1.1.1.1
        AVP: t=NAS-Port(5) l=6 val=1
        AVP: t=Service-Type(6) l=6 val=Dialout-Framed-User(5)
        AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
        AVP: t=Framed-IP-Address(8) l=6 val=172.0.0.26
            Type: 8
            Length: 6
            Framed-IP-Address: 172.0.0.26
        AVP: t=Calling-Station-Id(31) l=15 val=10.10.100.212
        AVP: t=NAS-Identifier(32) l=7 val=ceshi
        AVP: t=Acct-Status-Type(40) l=6 val=Start(1)
        AVP: t=Acct-Session-Id(44) l=34 val=E3B3505368EC4A823BAA740045216025
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)

Response

Frame 105286: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0
Ethernet II, Src: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7), Dst: Microsof_b3:0a:10 (00:15:5d:b3:0a:10)
    Destination: Microsof_b3:0a:10 (00:15:5d:b3:0a:10)
    Source: Vmware_ef:f2:a7 (00:0c:29:ef:f2:a7)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.10.100.250, Dst: 10.10.100.34
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 48
    Identification: 0xd351 (54097)
    Flags: 0x4000, Don't fragment
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x8a3b [validation disabled]
    [Header checksum status: Unverified]
    Source: 10.10.100.250
    Destination: 10.10.100.34
User Datagram Protocol, Src Port: 1813, Dst Port: 45998
    Source Port: 1813
    Destination Port: 45998
    Length: 28
    Checksum: 0xdd5d [unverified]
    [Checksum Status: Unverified]
    [Stream index: 14]
    [Timestamps]
RADIUS Protocol
    Code: Accounting-Response (5)
    Packet identifier: 0x58 (88)
    Length: 20
    Authenticator: fddb9cd9adec1b07881074d34aa6dacb
    [This is a response to a request in frame 105235]
    [Time from request: 0.004600000 seconds]
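As an added example (not part of the original post): a small Python parser for the datagram layout seen in both captures above, together with the two integrity checks a RADIUS peer is expected to perform before trusting such a packet. For the port 1812 exchange, the client must recompute the Access-Accept Response Authenticator from its own Access-Request authenticator (RFC 2865); for the port 1813 exchange, the server must recompute the Accounting-Request authenticator over 16 zero octets (RFC 2866). The shared secret and the packet bytes are constructed here because the capture does not contain them; only the identifiers 0x15 and 0x58 and the AVP types mirror the capture.

```python
import hashlib
import hmac
import struct
SECRET = b"constructed-shared-secret"  # constructed; the lab's real secret is not on the page

def parse_radius(pkt):
    """Split a RADIUS datagram into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS Length field")
    avps, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")
        avps.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], avps

def build_radius(code, ident, authenticator, avps):
    """Serialise header + AVPs; Length covers the whole packet, as in the capture."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def verify_response(request, response, secret):
    """RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, req_id, req_auth, _ = parse_radius(request)
    code, ident, auth, avps = parse_radius(response)
    if ident != req_id:  # a reply must echo the request's Packet identifier
        return False
    expected = hashlib.md5(build_radius(code, ident, req_auth, avps) + secret).digest()
    return hmac.compare_digest(auth, expected)

def verify_accounting_request(request, secret):
    """RFC 2866: RequestAuth = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    code, ident, auth, avps = parse_radius(request)
    if code != 4:  # only Accounting-Request carries this kind of authenticator
        return False
    expected = hashlib.md5(build_radius(code, ident, bytes(16), avps) + secret).digest()
    return hmac.compare_digest(auth, expected)

# Constructed packets mirroring the capture: identifiers 0x15 / 0x58 and AVP types as above.
REQ_AUTH = bytes.fromhex("d1848b1abab8469701d1dce433274717")  # Access-Request authenticator
ACCESS_REQUEST = build_radius(1, 0x15, REQ_AUTH, [(1, b"hhhhhh"), (4, bytes([1, 1, 1, 1]))])
ACCEPT_AVPS = [(6, (5).to_bytes(4, "big")), (8, bytes([172, 0, 0, 4]))]
ACCESS_ACCEPT = build_radius(2, 0x15, hashlib.md5(
    build_radius(2, 0x15, REQ_AUTH, ACCEPT_AVPS) + SECRET).digest(), ACCEPT_AVPS)
ACCT_AVPS = [(1, b"hhhhhh"), (40, (1).to_bytes(4, "big"))]  # Acct-Status-Type = Start
ACCT_REQUEST = build_radius(4, 0x58, hashlib.md5(
    build_radius(4, 0x58, bytes(16), ACCT_AVPS) + SECRET).digest(), ACCT_AVPS)
```

An Access-Accept whose Framed-IP-Address was altered in transit, or one answering with the wrong Packet identifier, fails `verify_response` and should be dropped by the NAS; an Accounting-Request that fails `verify_accounting_request` should be discarded by the server rather than recorded.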
