RADIUS Interface to I2A2
I2A2 provides a protocol converter that can
- Translate the Remote Authentication Dial In User Service (RADIUS) plain text user authentication and authorization protocol to the I2A2 DBM authentication and authorization protocol, bypassing the net daemon I2A2 external protocol;
- Communicate with I2A2 DBMs;
- Return DBM replies converted to RADIUS protocol.
The RADIUS protocol is described in RFC 2865 and related RFCs. An open source server implementation, FreeRADIUS, exists. The I2A2 RADIUS protocol converter is implemented as a custom module of a FreeRADIUS 0.8.1 server.
A client to a RADIUS server is called a Network Access Server (NAS). Often NAS clients are also called terminal servers. A RADIUS
server can provide authentication and authorization services to more than one NAS client, allowing authentication and authorization
tasks to be centralized, and leaving the NAS clients free to concentrate on terminal services to their clients.
I2A2 RADIUS Protocol Converter Addresses
The I2A2 RADIUS protocol converter listens on the I2A2 DBM system whose host address is:
dbm.i2a2.purdue.edu
The standard RADIUS UDP protocol ports, 1812 (authorization and authentication) and 1813 (accounting), are used. Port 1812 sometimes has the "radius" service name; 1813, "radacct" or "radius-acct".
RADIUS service names can be found in the Purdue IT Telecommunications service map.
Shared Secret
A RADIUS server and each of its NAS clients must share a "secret." The secret is used to encrypt authentication data so that it is not
transmitted on the network in plain text.
As a consequence, if you want to use the I2A2 RADIUS Protocol Converter, you must register your NAS client system with
I2A2 Administration and negotiate a shared secret. Your system's network identity and shared
secret will then be added to the I2A2 RADIUS Protocol Converter's configuration files.
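What the shared secret actually protects on the wire, as an added example that is not code from the I2A2 page or from FreeRADIUS: it implements the User-Password hiding of RFC 2865 section 5.2 and the Response Authenticator of RFC 2865 section 3, using a constructed secret, password and Request Authenticator.

```python
"""RFC 2865 shared-secret operations: User-Password hiding and the Response
Authenticator.  Added example; not code from the I2A2 page or from FreeRADIUS.
All sample values (secret, Request Authenticator, password) are constructed."""
import hashlib
import hmac
import os
import struct


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value as a NAS does (RFC 2865 s5.2).

    The password is NUL-padded to a multiple of 16 octets; each 16-octet chunk
    is XORed with MD5(secret + previous ciphertext chunk), where the first
    'previous chunk' is the 16-octet Request Authenticator from the packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block          # chaining: the next mask depends on this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password as the server does; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3.

    Length is the whole packet length: 20 header octets plus the attributes.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def reply_is_authentic(code: int, ident: int, attributes: bytes, received_auth: bytes,
                       request_authenticator: bytes, secret: bytes) -> bool:
    """NAS-side check that a reply really came from a server holding the secret."""
    expected = response_authenticator(code, ident, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received_auth)


def demo() -> bool:
    """Round-trip a constructed password and verify a constructed Access-Accept."""
    secret = b"example-shared-secret"           # constructed, not a real I2A2 secret
    request_auth = os.urandom(16)               # the NAS picks this fresh per request
    password = b"x+y=z!!!"                      # the page's sample password
    hidden = hide_password(password, secret, request_auth)
    assert unhide_password(hidden, secret, request_auth) == password
    # Access-Accept (code 2) carrying no attributes, as the server would sign it.
    auth = response_authenticator(2, 7, b"", request_auth, secret)
    return reply_is_authentic(2, 7, b"", auth, request_auth, secret) and \
        not reply_is_authentic(2, 7, b"", auth, request_auth, b"wrong-secret")


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

Two points worth noting from the code: only the User-Password attribute is hidden; user-name and every other attribute travel in the clear. And the hiding is an MD5 keystream whose entire strength rests on the secret, so the secret negotiated with I2A2 Administration should be long, random, and specific to the registered NAS.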
Supported RADIUS Operations
The I2A2 RADIUS protocol converter currently supports authentication by common plain text password, authentication by the MS-CHAP
version 1 and 2 challenge-response protocols, accounting, and it optionally supports authorization tests tailored to each NAS. The
I2A2 RADIUS protocol converter does not support the CHAP challenge-response authentication protocol.
The I2A2 RADIUS protocol converter support for MS-CHAP versions 1 and 2 includes generation of Microsoft Point-to-Point Encryption
keys.
RADIUS Authorization
RADIUS protocol authorization is optional with the I2A2 RADIUS Protocol Converter. It is performed with
I2A2 characteristic Boolean expressions, tailored
to each NAS. A NAS may have exactly one expression. It is defined and referenced in the I2A2 RADIUS Protocol Converter's
configuration files. Contact I2A2 Administration to register a NAS client, negotiate a
secret, and arrange for an I2A2 characteristic Boolean expression to be assigned to your NAS.
Authorization for the Network Access Systems of Purdue Air Link (PAL) wireless is tested using the PAL Boolean characteristic macro.
Supported RADIUS Attributes
I2A2 RADIUS uses standard RADIUS attributes, which are specific to the authentication protocol used. They include user-name and
password.
I2A2 RADIUS also defines some Purdue-specific attributes for special data management operations related to the Purdue Air Link (PAL)
wireless system. Contact I2A2 Administration if you want to know more about these
attributes.
The user-name Attribute
The user-name attribute may contain a PUID in its formal five-dash-five notation or as a decimal integer with or without leading zeroes -- e.g.,
user-name=00000-00026
user-name=26
Or the user-name attribute may contain the PUID's alias -- e.g.,
user-name=alias
The password Attribute
The password attribute may be used to supply an I2A2 password. If the password is being supplied from a command-line client, such as
the FreeRadius radclient(1) program, you may need to surround the password with quotation marks -- e.g.,
$ radclient <host> auth <secret>
user-name=00000-00000
password="x+y=z!!!"
I2A2 Authentication Realm
The user-name attribute may contain an I2A2 authentication realm name in standard RADIUS notation -- i.e., following an '@' that follows the user-name.
Since the default I2A2 authentication realm name is "purdue," it normally need not be specified. If it were, it would be specified as:
user-name=alias@purdue
user-name=00000-00026@purdue
user-name=26@purdue
Two other authentication realms are used for MS-CHAP authentication, "purdueLM" and "purdueNT". The "purdueLM" realm holds the same password held by the "purdue" realm, but hashed in Microsoft LAN Manager (LanMan) style. The "purdueNT" realm holds the same password held by the "purdue" and "purdueLM" realms, but hashed in the Microsoft NT style. The "purdueLM" and "purdueNT" realm names should not be used in a user-name attribute; they are useful only for MS-CHAP authentication.
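The user-name forms listed above (five-dash-five PUID, decimal PUID with or without leading zeroes, alias, each optionally followed by @realm) and the realm rules in this section, as an added example parser that is not code from the I2A2 project: it normalizes every PUID spelling to the five-dash-five form and rejects the MS-CHAP-only realms. The default realm "purdue" and the forbidden realms come from the page; the canonical 10-digit PUID width and the alias character set are assumptions.

```python
"""Parse and normalize the RADIUS user-name forms the I2A2 converter accepts.
Added example; not code from the I2A2 project.  The accepted forms, the default
realm "purdue", and the rule that "purdueLM"/"purdueNT" belong only to MS-CHAP
come from the page; canonicalizing to five-dash-five, the 10-digit PUID width,
and the alias character set are assumptions made here."""
import re
from dataclasses import dataclass

DEFAULT_REALM = "purdue"
MSCHAP_ONLY_REALMS = frozenset({"purdueLM", "purdueNT"})

PUID_DASHED = re.compile(r"^(\d{5})-(\d{5})$")    # formal five-dash-five notation
PUID_DECIMAL = re.compile(r"^\d{1,10}$")           # integer, leading zeroes optional
ALIAS = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")   # assumed alias syntax


@dataclass(frozen=True)
class UserName:
    kind: str    # "puid" or "alias"
    value: str   # PUID always in canonical five-dash-five form; alias as given
    realm: str


def parse_user_name(raw: str) -> UserName:
    """Split off an optional '@realm' and classify the principal."""
    if "@" in raw:
        principal, realm = raw.rsplit("@", 1)    # realm follows the last '@'
    else:
        principal, realm = raw, DEFAULT_REALM
    if not principal or not realm:
        raise ValueError(f"malformed user-name: {raw!r}")
    if realm in MSCHAP_ONLY_REALMS:
        raise ValueError(f"realm {realm!r} is for MS-CHAP only; it may not appear in user-name")
    m = PUID_DASHED.match(principal)
    if m:
        return UserName("puid", f"{m.group(1)}-{m.group(2)}", realm)
    if PUID_DECIMAL.match(principal):
        digits = f"{int(principal):010d}"          # drop leading zeroes, re-pad to 10
        return UserName("puid", f"{digits[:5]}-{digits[5:]}", realm)
    if ALIAS.match(principal):
        return UserName("alias", principal, realm)
    raise ValueError(f"unrecognized user-name form: {raw!r}")


def is_acceptable_user_name(raw: str) -> bool:
    """Predicate a NAS can apply before sending, so bad forms never reach the server."""
    try:
        parse_user_name(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("00000-00026", "26", "alias", "alias@purdue", "26@purdueNT"):
        print(sample, "->", parse_user_name(sample) if is_acceptable_user_name(sample) else "rejected")
```

Normalizing on the NAS side means the same person always appears under one spelling in logs and accounting records, which makes correlating RADIUS events across the page's three PUID spellings straightforward.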