PANA RADIUS
draft-lior-pana-radius-00.txt

Avi Lior, Bridgewater Systems, avi@bridgewatersystems.com
Alper Yegin, Samsung, alper.yegin@samsung.com

Bridgewater/Samsung
Introduction

• PANA RADIUS
  • Mapping of PANA messages & AVPs to RADIUS packets & Attributes
  • The draft does not introduce any new attributes, but it does raise some issues.
• Relies on the following RFCs/Drafts
  • draft-ietf-pana-pana-07
  • RFC 3579, “RADIUS Support For EAP”
  • RFC 3576, “Dynamic Authorization Ext. for RADIUS”
  • Various RADIUS RFCs: 2865, 2866, 2869
  • 802.1X has RFC 3580
Architecture

          +------------------------------+
+-----+   |  +-----+  +---------------+  |     +---------------+
|     |   |  |     |  |               |  |     |               |
| PaC +---+--+ PAA +--+ RADIUS client |--+-----+ RADIUS server |
|     |   |  |     |  |               |  |     |               |
+-----+   |  +-----+  +---------------+  |     +---------------+
          | Network Access Server(NAS)   |
          +------------------------------+

• Simplifications:
  • No RADIUS Proxy Chains
  • EAP Authentication Server is co-located with the RADIUS server
• NAS consists of
  • PAA;
  • RADIUS client; and
  • PEP.
PANA Phases
PANA Single Authentication

    PaC                    NAS                  RADIUS Server
a)   < Discovery and handshake phase >
     < Authentication Authorization phase >
b)  |PANA-Auth-Request(x)  |                        |
    |<---------------------|                        |
c)  |PANA-Auth-Answer(x)   |                        |
    |--------------------->|                        |
d)  |                      |RADIUS Access-Request   |
    |                      |----------------------->|
e)  |                      |RADIUS Challenge        |
    |                      |<-----------------------|
f)  |PANA-Auth-Request(x+1)|                        |
    |<---------------------|........................|
g)  |PANA-Auth-Answer(x+1) |                        |
    |--------------------->|........................|
h)  |                      |RADIUS Access-Request   |
    |                      |----------------------->|
i)  |                      |RADIUS Access-Accept    |
    |                      |<-----------------------|
j)  |PANA-Bind-Request     |                        |
    |<---------------------|                        |
k)  |PANA-Bind-Answer      |                        |
    |--------------------->|                        |
l)  |                      |RADIUS Accounting(Start)|
    |                      |----------------------->|
     < PANA access phase >

• Triggered by EAP exchange
• RADIUS messages are typically routed using the NAI in User-Name.
• EAP is carried in EAP-Message attribute(s)
• Session start is signaled by Accounting Start
PANA Multiple Authentication

• Same call-flow as single authentication, except:
  • May use one or two RADIUS servers
  • We only generate an Accounting Start at the end, when the session starts (PANA-Bind-Answer)
    • One or two Accounting Starts have to be sent out.
• Issue with Access-Reject (EAP-Failure)
  • In PANA the session may still go on
  • RADIUS Access-Reject implies No Access!!!
Termination

• Triggered by PaC or PAA
• Triggered by RADIUS
  • RADIUS server can send Session-Timeout to specify the length of the session.
  • RADIUS server can send a Disconnect Message (RFC 3576)
  • RADIUS application running on the NAS (e.g. Prepaid) can trigger termination.
Re-authentication

• PaC or PAA can trigger re-authentication
• RADIUS can send Session-Timeout and Terminate-Action = “RADIUS” to set when re-authentication should occur.
Attribute Mapping

• User-Name(1)
  • Needed as the NAI for routing the request; the user’s identity is not required.
  • Here we get into the situation of Network Selection
• PANA Session
  • Map to Acct-Multi-Session-Id(50)
  • Perhaps Acct-Session-Id
  • If I-D.zorn-radius-logoff, then Session-Id
• Session-Timeout / Session-Lifetime
  • Session-Lifetime > Session-Timeout
  • Session-Timeout specifies when to re-authenticate.
• Acct-Terminate-Cause / Termination-Cause AVP
  • Good mapping between PANA and RADIUS values.
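The NAS-side rules spread over the Multiple Authentication, Re-authentication and Attribute Mapping slides, pulled together in one runnable model. This is an added editor's example, not code from the draft or its authors. RADIUS attribute type numbers are the standard ones from RFC 2865/2866/3579; the grace period REAUTH_GRACE_SECONDS (used to keep Session-Lifetime above Session-Timeout), the rule that the smallest Session-Timeout governs when two servers answer, the PanaSession shape, and all server names, NAIs and EAP bytes are assumptions constructed for the example.

```python
"""Editor's model of the PANA-to-RADIUS mapping on these slides (not draft
code). Attribute numbers per RFC 2865/2866/3579; REAUTH_GRACE_SECONDS and the
"smallest timeout wins" rule are assumptions of this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RADIUS attribute types and values (RFC 2865, RFC 2866, RFC 3579).
USER_NAME = 1
SESSION_TIMEOUT = 27
TERMINATE_ACTION = 29
ACCT_STATUS_TYPE = 40
ACCT_MULTI_SESSION_ID = 50
EAP_MESSAGE = 79
TERMINATE_ACTION_RADIUS_REQUEST = 1   # the slide's Terminate-Action = "RADIUS"
ACCT_STATUS_START = 1

# Assumption: Session-Lifetime must outlive the re-authentication trigger
# (slide: Session-Lifetime > Session-Timeout), so add a grace period.
REAUTH_GRACE_SECONDS = 60


@dataclass
class PanaSession:
    session_id: str                    # PANA session id -> Acct-Multi-Session-Id(50)
    lifetime: Optional[int] = None     # PANA Session-Lifetime, seconds
    reauth_at: Optional[int] = None    # seconds until re-authentication, if scheduled
    on_timeout: str = "terminate"      # "terminate" or "reauthenticate"
    bound: bool = False                # set once PANA-Bind-Answer is received
    # (RADIUS server, NAI) per completed EAP run; one or two for multiple auth.
    authentications: List[Tuple[str, str]] = field(default_factory=list)


def build_access_request(session: PanaSession, nai: str, eap_message: bytes) -> dict:
    """Access-Request for one EAP round (steps d/h). User-Name carries the NAI
    for routing only; the PANA session id ties every round together."""
    return {USER_NAME: nai,
            ACCT_MULTI_SESSION_ID: session.session_id,
            EAP_MESSAGE: eap_message}


def apply_access_accept(session: PanaSession, server: str, nai: str, attrs: dict) -> PanaSession:
    """Fold an Access-Accept into PANA state: Session-Timeout plus
    Terminate-Action=RADIUS-Request schedules re-authentication, Session-Timeout
    alone ends the session. With two servers the smallest timeout governs."""
    session.authentications.append((server, nai))
    timeout = attrs.get(SESSION_TIMEOUT)
    if timeout is None:
        return session
    timeout = int(timeout)
    current = session.reauth_at if session.reauth_at is not None else session.lifetime
    if current is not None and timeout >= current:
        return session  # an existing, stricter timeout already governs
    if attrs.get(TERMINATE_ACTION) == TERMINATE_ACTION_RADIUS_REQUEST:
        session.on_timeout = "reauthenticate"
        session.reauth_at = timeout
        session.lifetime = timeout + REAUTH_GRACE_SECONDS
    else:
        session.on_timeout = "terminate"
        session.reauth_at = None
        session.lifetime = timeout
    return session


def lifetime_is_consistent(session: PanaSession) -> bool:
    """The slide's rule: a scheduled re-authentication needs Session-Lifetime
    strictly greater than Session-Timeout."""
    if session.reauth_at is None:
        return True
    return session.lifetime is not None and session.lifetime > session.reauth_at


def build_accounting_starts(session: PanaSession) -> List[dict]:
    """Accounting-Start only once the session starts (PANA-Bind-Answer); one
    per RADIUS server that authenticated the session."""
    if not session.bound:
        return []
    return [{ACCT_STATUS_TYPE: ACCT_STATUS_START,
             USER_NAME: nai,
             ACCT_MULTI_SESSION_ID: session.session_id,
             "server": server}          # delivery target, not a RADIUS attribute
            for server, nai in session.authentications]


if __name__ == "__main__":
    # Constructed walk-through: device auth at server A, user auth at server B.
    s = PanaSession(session_id="pana-sess-0001")
    print(build_access_request(s, "device@example.net", b"\x02\x01\x00\x05\x01"))
    apply_access_accept(s, "radius-a.example.net", "device@example.net",
                        {SESSION_TIMEOUT: 3600, TERMINATE_ACTION: TERMINATE_ACTION_RADIUS_REQUEST})
    apply_access_accept(s, "radius-b.example.net", "user@example.net", {SESSION_TIMEOUT: 7200})
    print(build_accounting_starts(s))   # nothing yet: not bound
    s.bound = True
    print(build_accounting_starts(s))   # two Accounting-Starts, one PANA session
```

The model makes the open Access-Reject question visible by omission: nothing here can express "RADIUS said no but the PANA session continues", which is exactly the conflict the Multiple Authentication slide flags.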
Way Forward

• Resolve the Access-Reject issue
• Keep up with PANA
  • Roaming etc.
  • Changes to pana-pana
• Diameter
  • Add to this item or separate document
• WG Item?
  • Should be done here; RADEXT should review
THANK YOU