Bridgewater/Samsung. PANA RADIUS - PowerPoint PPT Presentation

Slides: 12
Provided by: avil
Learn more at: https://www.ietf.org

1
PANA RADIUS draft-lior-pana-radius-00.txt
  • Avi Lior, Bridgewater Systems
    avi_at_bridgewatersystems.com
  • Alper Yegin, Samsung
    alper.yegin_at_samsung.com

2
Introduction
  • PANA RADIUS
  • Mapping of PANA messages and AVPs to RADIUS packets and attributes
  • The draft does not introduce any new attributes but does raise some issues.
  • Relies on the following RFCs/Drafts
    • draft-ietf-pana-pana-07
    • RFC 3579, RADIUS Support For EAP
    • RFC 3576, Dynamic Authorization Ext. for RADIUS
    • Various RADIUS RFCs: 2865, 2866, 2869
    • 802.1x has RFC 3580

3
Architecture
    PaC ----- [ PAA -- RADIUS client ] ------- RADIUS server
    (the bracketed PAA and RADIUS client sit inside the Network Access Server (NAS))

  • Simplifications
    • No RADIUS Proxy Chains
    • EAP Authentication Server is collocated with RADIUS server
  • NAS consists of
    • PAA
    • RADIUS client and
    • PEP.

4
PANA Phases

5
PANA Single Authentication
       PaC                      NAS                    RADIUS Server
  a)    <Discovery and handshake phase>
        <Authentication and Authorization phase>
         PANA-Auth-Request(x)
  b)    <---------------------
         PANA-Auth-Answer(x)
  c)    --------------------->
                                 RADIUS Access-Request
  d)                             ----------------------->
                                 RADIUS Challenge
  e)                             <-----------------------
         PANA-Auth-Request(x1)
  f)    <---------------------
         PANA-Auth-Answer(x1)
  g)    --------------------->
                                 RADIUS Access-Request
  h)                             ----------------------->

  • Triggered by EAP exchange
  • RADIUS messages are typically routed using the NAI in User-Name.
  • EAP is carried in EAP-Message attribute(s)
  • Session start is signaled by Accounting Start

6
PANA Multiple Authentication
  • Same call flow as single authentication, except:
    • May use one or two RADIUS servers
    • We only generate an Accounting Start at the end, when the session starts (PANA-Bind-Answer)
    • One or two Accounting Starts have to be sent out.
  • Issue with Access-Reject (EAP-Failure)
    • PANA: the session may still go on
    • RADIUS: Access-Reject implies No Access!!!

7
Termination
  • Triggered by PaC or PAA
  • Triggered by RADIUS
    • Can send Session-Timeout to specify the length of the session.
    • RADIUS server can send a Disconnect Message (RFC 3576)
    • RADIUS application running on NAS (e.g. Prepaid) can trigger termination.

8
Re-authentication
  • PaC or PAA can trigger
  • RADIUS can send Session-Timeout and
    Terminate-Action RADIUS to set when
    re-authentication should occur.

9
Attribute Mapping
  • User-Name(1)
    • What is needed is the NAI for routing the request; the user's identity is not required.
    • Here we get into the situation of Network Selection
  • PANA Session
    • Map to Acct-Multi-Session-Id(50)
    • Perhaps Acct-Session-Id
    • If I-D.zorn-radius-logoff then Session-Id
  • Session-Timeout <-> Session-Lifetime
    • Session-Lifetime > Session-Timeout
    • Session-Timeout specifies when to reauthenticate.
  • Acct-Terminate-Cause <-> Termination-Cause AVP
    • Good mapping between PANA and RADIUS values.

10
Way Forward
  • Resolve the Access-Reject issue
  • Keep up with PANA
  • Roaming etc
  • Changes to pana-pana
  • Diameter
  • Add to this item or separate document
  • WG Item?
  • Should be done here; RADEXT should review

11
THANK YOU