1 / 11

PANA RADIUS draft-lior-pana-radius-00.txt

PANA RADIUS draft-lior-pana-radius-00.txt. Avi Lior, Bridgewater Systems avi@bridgewatersystems.com Alper Yegin , Samsung alper.yegin@samsung.com. Introduction. PANA RADIUS Mapping of PANA messages & AVPs to RADIUS packets & Attributes

corin
Télécharger la présentation

PANA RADIUS draft-lior-pana-radius-00.txt

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PANA RADIUSdraft-lior-pana-radius-00.txt Avi Lior,Bridgewater Systemsavi@bridgewatersystems.com Alper Yegin, Samsungalper.yegin@samsung.com Bridgewater/Samsung

  2. Introduction • PANA RADIUS • Mapping of PANA messages & AVPs to RADIUS packets & Attributes • The draft does not introduce any new attributes – does raise some issues. • Relies on the following RFCs/Drafts • draft-ietf-pana-pana-07 • RFC3579, “RADIUS Support For EAP” • RFC3576, “Dynamic Authorization Ext. for RADIUS” • Various RADIUS RFCs: 2865,2866,2869 • 802.1x has RFC 3580 Bridgewater/Samsung

  3. Architecture +------------------------------+ +-----+ | +-----+ +---------------+ | +---------------+ | | | | | | | | | | | PaC +---+--+ PAA +--+ RADIUS client |--+-----+ RADIUS server | | | | | | | | | | | +-----+ | +-----+ +---------------+ | +---------------+ | Network Access Server(NAS) | +------------------------------+ • Simplifications: • No RADIUS Proxy Chains • EAP Authentication Server is collocated with RADIUS server • NAS consists of • PAA; • RADIUS client; and • PEP. Bridgewater/Samsung

  4. PANA Phases Bridgewater/Samsung

  5. PANA Single Authentication PaC NAS RADIUS Server a) < Discovery and handshake phase> | | | < Authentication Authorization phase> |PANA-Auth-Request(x) | | b) |<---------------------| | |PANA-Auth-Answer(x) | | c) |--------------------->| | | |RADIUS Access-Request | d) | |----------------------->| | |RADIUS Challenge | e) | |<-----------------------| |PANA-Auth-Request(x+1)| | f) |<---------------------|........................| |PANA-Auth-Answer(x+1) | | g) |--------------------->|........................| | | RADIUS Access-Request | h) | |----------------------->| | | RADIUS Access-Accept | i) | |<-----------------------| |PANA-Bind-Request | | j) |<---------------------| | |PANA-Bind-Answer | | k) |--------------------->| | | |RADIUS Accounting(Start)| l) | |----------------------->| | | | < PANA access phase > Triggered by EAP exchange RADIUS messages are typically routed using NAI in user-name. EAP is carried in EAP-Message attribute(s) Session starts is signled by Accounting Start Bridgewater/Samsung

  6. PANA Multiple Authentication • Same call-flow as single authentication. Except: • May use one or two RADIUS servers • We only generate an Accounting Start at the end when the session starts (PANA-Bind-Answer) • One or two Accounting Starts have to sent out. • Issue with Access-Reject (EAP-Failure) • PANA the session may still go on • RADIUS Access-Reject implies No Access!!! Bridgewater/Samsung

  7. Termination • Triggered by PAC or PAA • Triggered by RADIUS • can send Session-Timeout to specify the length of the session. • RADIUS server can send a Disconnect Message (RFC 3576) • RADIUS application running on NAS (E.g. Prepaid) can trigger termination. Bridgewater/Samsung

  8. Re-authentication • PaC or PAA can trigger • RADIUS can send Session-Timeout and Terminate-Action = “RADIUS” to set when re-authentication should occur. Bridgewater/Samsung

  9. Attribute Mapping • User-Name(1) • Need is NAI for routing the request. User’s identity is not required. • Here we get into the situation of Network Selection • PANA Session • Map to Acct-Multi-Session-Id(50) • Perhaps Acct-Session-Id • If I-D.zorn-radius-logoff then Session-Id • Session-Timeout  Session-Lifetime • Session-Lifetime > Session-Timeout • Session-Timeout specifies when to reauthenticate. • Acct-Terminate-Cause  Termination-Cause AVP • Good mapping between PANA and RADIUS vals. Bridgewater/Samsung

  10. Way Forward • Resolve the Access-Reject issue • Keep up with PANA • Roaming etc… • Changes to pana-pana • Diameter • Add to this item or separate document • WG Item? • Should be done here – RADEXT should review Bridgewater/Samsung

  11. THANK YOU Bridgewater/Samsung

More Related