RADIUS
Sunil Vallamkonda
Apr. 15, 2008

RADIUS presentation by Sunil Vallamkonda

What is AAA?
• Authentication
• Authorization
• Accounting

Authentication
• Verify a person’s or machine’s declared identity.
• Mechanisms: passwords, PKI.
• Key aspect is trust relationships between servers.

Authorization
• Rules or templates on what an authenticated user can do on a system.
• Dial-up user requests can be one link or multiple.

Accounting
• Measures and tracks resources a user accesses.
• Includes time, amount of data, session statistics, resource utilization, etc.
• Logs sent and analyzed for billing, security servers.

Properties
• Client/server model
• UDP based
• Hop by hop security
• Stateless
• Uses MD5 for password hiding.
• A-V pairs
• PAP/CHAP via PPP

Packet format
• ACCESS-REQUEST (1)
• ACCESS-RESPONSE (2)
• ACCESS-REJECT (3)
• ACCESS-CHALLENGE (11)
• ACCOUNTING-REQUEST (4)
• ACCOUNTING-RESPONSE (5)
• STATUS-SERVER (12)
• STATUS-CLIENT (13)

RADIUS Packet
• Header: Code (1), Identifier (1), Length (2), Authenticator (16), payload
• Code: as above
• Identifier: used to perform auto linking of initial requests and subsequent replies.
• Length: valid range: 20 – 4096.
• Authenticator: used to conceal passwords using one-way MD5. Request (random number) / Response authenticators.
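
The header layout and the two uses of the Authenticator described above, as an added Python example (not code from the presentation): it parses a packet with the 20 to 4096 Length check, hides and recovers User-Password, and verifies a Response Authenticator. The MD5 constructions follow RFC 2865; the function names, shared secret, identifier and password are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
MIN_LEN, MAX_LEN = 20, 4096        # valid Length range from the slide

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(attr_type, value), ...])."""
    if len(data) < MIN_LEN:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length, auth = HEADER.unpack_from(data)
    if not MIN_LEN <= length <= MAX_LEN or length > len(data):
        raise ValueError("Length out of range or larger than the datagram")
    attrs, pos = [], MIN_LEN
    while pos < length:  # octets beyond Length are padding and are ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length overruns the packet")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, auth, attrs

def build_packet(code: int, ident: int, auth: bytes, attrs) -> bytes:
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, MIN_LEN + len(body), auth) + body

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding: XOR each 16-octet block with an MD5 keystream."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def sign_reply(code, ident, request_auth, attrs, secret) -> bytes:
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    unsigned = build_packet(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def reply_is_authentic(reply, request_ident, request_auth, secret) -> bool:
    _, ident, auth, _ = parse_packet(reply)  # rejects malformed replies first
    length = struct.unpack_from("!H", reply, 2)[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return ident == request_ident and hmac.compare_digest(auth, expected)

if __name__ == "__main__":
    # Constructed sample values; a real Request Authenticator is random.
    secret, req_auth = b"constructed-secret", bytes(range(16))
    hidden = hide_password(b"hunter2", secret, req_auth)
    request = build_packet(1, 7, req_auth, [(1, b"user"), (2, hidden)])
    reply = sign_reply(2, 7, req_auth, [], secret)
    print(parse_packet(request)[3], reply_is_authentic(reply, 7, req_auth, secret))
```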

[Figure: Packet formats]
[Figure: Access-Request/Accept Packet]
[Figure: Access-Reject]

Example
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "hp-e-its-dev8021x-sw1"
User-Name = "user"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-14-38-fb-94-3e"
Calling-Station-Id = "00-18-8b-1f-ea-c3"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
EAP-Message = 0x0201000a016163323231
Message-Authenticator = 0x5128a826dfedf51040215eb6fef398df

Authentication methods
• PAP: Password Authentication Protocol (MD5/XOR).
• CHAP: Challenge Access protocol: password is never sent on wire.
• PAP is preferred sometimes in cases where authorization must travel outside the realm of control

[Figure: The CHAP 3-way handshake]
[Figure: CHAP Security]

Protocol Structure - CHAP: Challenge Handshake Authentication Protocol
Configuration Option for CHAP
Bit offsets: 8 | 16 | 32 | 40bit
Fields: Type | Length | Authentication-Protocol | Algorithm
• Type - 3
• Length - 5
• Authentication-Protocol - C223 (Hex) for CHAP
• Algorithm - The Algorithm field is one octet and indicates the authentication method to be used.
One CHAP packet is encapsulated in the Information field of a PPP data link layer frame where the protocol field indicates type hex c223. The structure of the CHAP packet is shown in the following illustration.

Bit offsets: 8 | 16 | 32bit | Variable
Fields: Code | Identifier | Length | Data . . .
• Code - Identifies the type of CHAP packet. CHAP codes are assigned as follows:
  – Challenge
  – Response
  – Success
  – Failure
• Identifier - Aids in matching challenges, responses and replies.
• Length - Length of the CHAP packet including the Code, Identifier, Length and Data fields.
• Data - Zero or more octets, the format of which is determined by the Code field.
• For Success and Failure, the data field contains a variable message field which is implementation dependent.

[Figure: Using RADIUS and CHAP]

Realm
• Identifiers placed before or after values normally contained in User-Name attribute for server to identify which server to contact.
• Examples: prefix realm such as @, \,/ as CSI\john.
• Suffix realms as: james@itmm

Hints
• RADIUS can be set up to handle service authorizations based on hints.
• To control resources needed to provision service for client
• Example: specific IP address, IP pool.
• If NAS cannot allocate, service is disconnected.
• Can be temporary, optional or extra characteristics.

Attributes
• Describe a property of type of service.
• RADIUS attributes vs VSA.
• RADIUS attribute types (RFC): INT (4, 32 bit unsigned), ENUM (4, 32 bit unsigned), IPADDR (4, 32 bit), STRING (1-253, variable), DATE (4, 32-bit unsigned), BINARY (1, 1 bit).
• Examples:
• INT: 6, 256
• ENUM: 3 = callback-login, 4 = callback-Framed.
• STRING: “Charlotte”, “San Jose”
• IPADDR: 0x1954ff8e
• DATE: 0x00000a
• BINARY: 1

Attributes - example
Standard: Example – call back-number
Number: 19
Length: 3 or more octets
Value: String
Allowed in: Access-Request, Access-Accept
Prohibited in: Access-Reject, Access-Challenge
Maximum Iterations: 1
Presence in packet: not required

Dictionary
• Server machines have a way of relating which attribute corresponds to which attribute number and expected type.
• Example:
• Attribute-Name: User-Name, Type: String
• Attribute-Name: NAS-IP-ADDR, Type: IPADDR
• Attribute-Name: Service-Type, Type: ENUM

Vendor-Specific Attribute Format
Byte | Value | Description
1 | 26 | Vendor-specific attribute type per RFC 2865
2 | (4 * sizeof (BYTE)) + (2 * sizeof (DWORD)) | This is the length in bytes of the full attribute specification beginning with attribute type (byte 1), should come out to 12 if each byte size = 1.
3-6 | 5263 | Vendor-ID value.
7 | 1 | Vendor data type; 1 indicates bandwidth kbps value.
8 | (2 * sizeof (BYTE)) + sizeof (DWORD) | This is the length in bytes of the vendor-specific portion of the attribute specification starting with vendor-specific attribute data type, should come out to 6 if each byte size = 1.
9-12 | 9-12 | Actual bandwidth kbps value (ulong).

[Figure: AVP pattern]

Accounting
• Client/Server model.
• Extensible: proxy, defined and qualified by AVPs.
• Packet: Accounting-Request Start/Stop.
• Accounting-Response.
• RFC 2139

Accounting packet
The following example displays two accounting records in a detail file.
Tue Jul 30 14:48:18 1996
Acct-Session-Id = "35000004"
User-Name = "bob"
NAS-IP-Address = 172.16.64.91
NAS-Port = 1
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Login-User
Login-Service = Telnet
Login-IP-Host = 172.16.64.25
Acct-Delay-Time = 0
Timestamp = 838763298
Acct-Input-Octets = 22
Acct-Output-Octets = 187
Acct-Terminate-Cause = Host-Request

RADIUS Access-Request Accounting Packet
Attribute | Description
User-Name | Name entered by the end user to authenticate against the RADIUS server via NAS
User-Password | Password entered by the end user to authenticate against the RADIUS server and access the Internet via NAS.
Acct-Session-ID | The unique Session ID assigned to each NAS end user session. This value is used to identify all authentication and accounting messages generated for a single user session.
NAS-IP-Address | Contains either the IP address of the NAS external NIC or the IP address entered in the WEBconfig Server web page as the NAT IP Address.
NAS-Identifier | Contains the NAS Identifier value entered in the WEBconfig Server web page. If no value is entered in this field, NAS will not include this attribute in the RADIUS Access-Request packet.
NAS-Port | See "NAS-Port Mapping" below.
NAS-Port-Type | 5 indicates Virtual.
Framed-Protocol | 1 indicates PPP.
Framed-IP-Address | IP address of client computer (PC) connecting to the Internet.

RADIUS Accounting Packets
Attribute | Description
Acct-Status-Type | 1: Indicates a Start Accounting-Request packet—Requests that a message be sent when the user gains access. 2: Indicates a Stop Accounting-Request packet—Requests that a message be sent at regular intervals, as configured. 3: Indicates an Interim-Update Accounting-Request packet—Requests that a message be sent when the end user disconnects.
User-Name | Name entered by the end user to authenticate against the RADIUS server and access the Internet via NAS.
Acct-Session-ID | The unique Session ID assigned to each NAS end user session. This value is used to identify all authentication and accounting messages generated for a single user session.
NAS-IP-Address | Contains either the IP address of the NAS external NIC or the IP address entered in the WEBconfig Server web page as the NAT IP Address.
NAS-Identifier | Contains the NAS Identifier value entered in the WEBconfig Server web page. If no value is entered in this field, NAS will not include this attribute in the RADIUS Access-Request packet.
NAS-Port | See "NAS-Port Mapping" below.
NAS-Port-Type | 5: Indicates Virtual.
Framed-Protocol | 1: Indicates PPP.
Framed-IP-Address | IP address of the client (PC) connecting to the Internet through BBSM.
Vendor-Specific | Attribute containing the bandwidth kbps value that the end user selects when requesting Internet access. This attribute is only sent to RADIUS accounting servers if the user-selected bandwidth feature is enabled. See the "Vendor-Specific Attribute Byte Format" section below for information on how this attribute is formatted.
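
The bandwidth Vendor-Specific attribute from the Vendor-Specific Attribute Format table, encoded and decoded in Python as an added example (not code from the presentation or from any vendor). The function names are hypothetical, and network byte order for the 32-bit value is an assumption, since the table only says "ulong".

```python
import struct

VENDOR_SPECIFIC = 26  # byte 1: attribute type per RFC 2865
VENDOR_ID = 5263      # bytes 3-6: Vendor-ID value from the table
BANDWIDTH_KBPS = 1    # byte 7: vendor data type 1 = bandwidth kbps value
LAYOUT = struct.Struct("!BBIBBI")  # 1+1+4+1+1+4 = 12 bytes, no padding

def encode_bandwidth_vsa(kbps: int) -> bytes:
    """Build the 12-byte attribute: outer length 12, inner length 6."""
    if not 0 <= kbps <= 0xFFFFFFFF:
        raise ValueError("bandwidth does not fit in 32 bits")
    return LAYOUT.pack(VENDOR_SPECIFIC, 12, VENDOR_ID, BANDWIDTH_KBPS, 6, kbps)

def decode_bandwidth_vsa(attr: bytes):
    """Return kbps, or None when the attribute belongs to another vendor or type.

    Raises ValueError when the two length fields disagree with each other
    or with the number of bytes actually received.
    """
    if len(attr) < 8:
        raise ValueError("too short for type, length, Vendor-ID and sub-header")
    a_type, a_len, vendor_id, v_type, v_len = struct.unpack_from("!BBIBB", attr)
    if a_type != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific (26) attribute")
    if a_len != len(attr):
        raise ValueError("outer length does not match the bytes received")
    if vendor_id != VENDOR_ID or v_type != BANDWIDTH_KBPS:
        return None  # well-formed so far, but not the bandwidth attribute
    # The inner length counts bytes 7-12, so it must equal outer length - 6.
    if v_len != 6 or a_len != 12:
        raise ValueError("inner/outer lengths are not 6/12 as the table requires")
    return LAYOUT.unpack(attr)[5]

if __name__ == "__main__":
    wire = encode_bandwidth_vsa(512)  # 512 kbps is a constructed sample value
    print(wire.hex(), decode_bandwidth_vsa(wire))
```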

Accounting Start
Acct-Session-Id = "2400020E"
User-Name = "Pbob"
NAS-IP-Address = 172.16.1.21
NAS-Port = 12
NAS-Port-Type = ISDN
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Called-Station-Id = "5551111"
Calling-Station-Id = "5105552222"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 172.16.93.1
Acct-Delay-Time = 0
Timestamp = 838763356

Accounting Stop
Acct-Session-Id = "2400020E"
User-Name = "Pbob"
NAS-IP-Address = 172.16.1.21
NAS-Port = 12
NAS-Port-Type = ISDN
Acct-Status-Type = Stop
Acct-Session-Time = 7177
Acct-Authentic = RADIUS
Acct-Input-Octets = 14994
Acct-Output-Octets = 90862
Called-Station-Id = "5551111"
Calling-Station-Id = "5105552222"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 172.16.93.1
Acct-Delay-Time = 0
Timestamp = 838763378

Ports
• Authentication: udp/1812
• Accounting: udp/1813

Implementations
• Livingston
• GNU
• FreeRADIUS
• Cistron
• Radiator
• Alepo
• Juniper: Steel Belt.

Performance
• Logons per second
• Logoffs per second
• Rejects per second
• Reject cause threshold
• Total packets per second per interface
• Load average
• Memory, disk usage

EAP
• Extensible Authentication Protocol
• Used over links running on PPP
• Authentication schemes such as public key, smart cards, OTP, Kerberos etc. are supported over PPP when EAP is used.
• RADIUS includes 2 new attributes: EAP-Message and Message-Authenticator.

EAP architecture
User EAP Authentication Protocol (PAP, CHAP, MS-CHAP, etc.)
Inner Application Extension to TLS
TLS
EAP-TTLS
EAP
Carrier Protocol (PPP, EAPOL, RADIUS, etc)

User protocol: EAP layering
User EAP Authentication Protocol (MD-Challenge, etc.)
EAP
Inner Application extension to TLS
TLS
EAP-TTLS
EAP
Carrier Protocol (PPP, EAPOL, RADIUS, Diameter, etc)

[Figure: 802.1x]

Port based authentication
• Why is it called "port"-based authentication? The Authenticator deals with controlled and uncontrolled ports. Both the controlled and the uncontrolled port are logical entities (virtual ports), but use the same physical connection to the LAN (same point of attachment).

[Figure: Port based Auth]

contd
• Figure port: The authorization state of the controlled port.
• Before authentication, only the uncontrolled port is "open". The only traffic allowed is EAPOL; see Authenticator System 1 on figure port. After the Supplicant has been authenticated, the controlled port is opened, and access to other LAN resources is granted; see Authenticator System 2 on figure port.
• 802.1X plays a major role in the new IEEE wireless standard 802.11i.

WEP
• Wired Equivalent Privacy (WEP), which is part of the original 802.11 standard, should provide confidentiality. Unfortunately WEP is poorly designed and easily cracked. There is no authentication mechanism, only a weak form of access control (must have the shared key to communicate).
• As a response to WEP's broken security, IEEE has come up with a new wireless security standard named 802.11i. 802.1X plays a major role in this new standard.

802.11
• The new security standard, 802.11i, which was ratified in June 2004, fixes all WEP weaknesses.
It is divided into three main categories:
• Temporary Key Integrity Protocol (TKIP) is a short-term solution that fixes all WEP weaknesses. TKIP can be used with old 802.11 equipment (after a driver/firmware upgrade) and provides integrity and confidentiality.
• Counter Mode with CBC-MAC Protocol (CCMP) [RFC2610] is a new protocol, designed from ground up. It uses AES [FIPS 197] as its cryptographic algorithm, and, since this is more CPU intensive than RC4 (used in WEP and TKIP), new 802.11 hardware may be required. Some drivers can implement CCMP in software. CCMP provides integrity and confidentiality.
• 802.1X Port-Based Network Access Control: Either when using TKIP or CCMP, 802.1X is used for authentication.
In addition, an optional encryption method called "Wireless Robust Authentication Protocol" (WRAP) may be used instead of CCMP. WRAP was the original AES-based proposal for 802.11i, but was replaced by CCMP since it became plagued by property encumbrances. Support for WRAP is optional, but CCMP support is mandatory in 802.11i. 802.11i also has an extended key derivation/management.

802.1x
• 802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN.
• 802.1X authentication for wireless LANs has three main components: The supplicant (usually the client software); the authenticator (usually the access point); and the authentication server (usually a Remote Authentication Dial-In User Service server, although RADIUS is not specifically required by 802.1X).

802.1X and RADIUS
• Remote Authentication Dial-In User Service (RADIUS) is defined in [RFC2865] (with friends), and was primarily used by ISPs who authenticated username and password before the user got authorized to use the ISP's network.
• 802.1X does not specify what kind of back-end authentication server must be present, but RADIUS is the "de-facto" back-end authentication server used in 802.1X.
• There are not many AAA protocols available, but both RADIUS and DIAMETER [RFC3588] (including their extensions) conform to full AAA support. AAA stands for Authentication, Authorization, and Accounting (IETF's AAA Working Group

EAP methods
• EAP-MD5: MD5-Challenge requires username/password, and is equivalent to the PPP CHAP protocol [RFC1994]. This method does not provide dictionary attack resistance, mutual authentication, or key derivation, and has therefore little use in a wireless authentication environment.
• Lightweight EAP (LEAP): A username/password combination is sent to an Authentication Server (RADIUS) for authentication. LEAP is a proprietary protocol developed by Cisco, and is not considered secure. Cisco is phasing out LEAP in favor of PEAP. Ref: http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html

EAP methods (contd)
• EAP-TLS: Creates a TLS session within EAP, between the Supplicant and the Authentication Server. Both the server and the client(s) need a valid (x509) certificate, and therefore a PKI. This method provides authentication both ways. EAP-TLS is described in [RFC2716].
• EAP-TTLS: Sets up an encrypted TLS-tunnel for safe transport of authentication data. Within the TLS tunnel, (any) other authentication methods may be used. Developed by Funk Software and Meetinghouse, and is currently an IETF draft.
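
The Code/Identifier/Length header shared by the CHAP packet slide and EAP, together with the MD5-Challenge check that the EAP-MD5 bullet equates with PPP CHAP, as an added Python example (not code from the presentation). It decodes the EAP-Message value from the Example slide and verifies a response as MD5(Identifier + secret + challenge) per RFC 1994; the function names, secret and challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_eap(packet: bytes) -> dict:
    """Decode Code (1), Identifier (1), Length (2) and, if present, Type + data."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-octet header")
    code, ident, length = struct.unpack_from("!BBH", packet)
    if code not in EAP_CODES:
        raise ValueError("unknown Code")
    if length < 4 or length > len(packet):
        raise ValueError("Length field disagrees with the bytes received")
    out = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type octet and type data
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        out["type"] = EAP_TYPES.get(packet[4], packet[4])
        out["data"] = packet[5:length]
    return out

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # The password itself never crosses the link, only this 16-octet hash.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def md5_challenge_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: EAP Response, Type 4, Value-Size 16, then the hash."""
    value = chap_response(ident, secret, challenge)
    return struct.pack("!BBHBB", 2, ident, 4 + 2 + len(value), 4, len(value)) + value

def verify_md5_challenge(response: bytes, request_id: int,
                         challenge: bytes, secret: bytes) -> bool:
    """Server side: match the Identifier, then compare hashes in constant time."""
    eap = parse_eap(response)
    if (eap["code"], eap.get("type"), eap["id"]) != ("Response", "MD5-Challenge", request_id):
        return False
    data = eap["data"]
    if len(data) < 17 or data[0] != 16:  # Value-Size must be 16 for MD5
        return False
    return hmac.compare_digest(data[1:17], chap_response(request_id, secret, challenge))

if __name__ == "__main__":
    # EAP-Message value copied from the Example slide.
    print(parse_eap(bytes.fromhex("0201000a016163323231")))
    secret, challenge = b"constructed-secret", bytes(range(16))  # constructed values
    resp = md5_challenge_response(7, secret, challenge)
    print(verify_md5_challenge(resp, 7, challenge, secret))
```

Both the challenge and the response are visible to anyone observing the exchange, which is why the slide notes that this method offers no dictionary attack resistance and why the strength of the shared secret matters.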

Methods (contd)
• Protected EAP (PEAP): Uses, as EAP-TTLS, an encrypted TLS-tunnel. Supplicant certificates for both EAP-TTLS and EAP-PEAP are optional, but server (AS) certificates are required. Developed by Microsoft, Cisco, and RSA Security, and is currently an IETF draft.
• EAP-MSCHAPv2: Requires username/password, and is basically an EAP encapsulation of MS-CHAP-v2 [RFC2759]. Usually used inside of a PEAP-encrypted tunnel. Developed by Microsoft, and is currently an IETF draft.

Authentication methods
The following authentication types are some of the methods which are supported by the server
• Clear-text password in local configuration file (PAP)
• Encrypted password in local configuration file
• CHAP
• MS-CHAP
• MS-CHAPv2
• authentication to a Windows Domain Controller (via ntlm_auth and winbindd)
• Proxy to another RADIUS server
• System authentication. (usually through /etc/passwd)
• PAM (Pluggable Authentication Modules)
• LDAP (PAP only)
• PAM (PAP only)
• CRAM
• Perl program
• Python program
• SIP Digest (Cisco VOIP boxes)

Contd (methods)
• A locally executed program. (like a CGI program.)
• Netscape-MTA-MD5 encrypted passwords
• Kerberos authentication
• X9.9 authentication token (e.g. CRYPTOCard)
• EAP, with embedded authentication methods
  – EAP-MD5,
  – Cisco LEAP,
  – EAP-MSCHAP-V2 (as implemented by Microsoft),
  – EAP-GTC,
  – EAP-SIM,
  – EAP-TLS,
  – EAP-TTLS, with any authentication protocol inside of the TLS tunnel,
  – EAP-PEAP, with tunneled EAP

server attributes
• Append attributes to the request
• Re-write any attribute of the request
• Proxy or replicate the request to another RADIUS server, based on any criteria, not just '@realm'.
• Choose an authentication method to use for this user.
• Administer users by groups
• Implement time of day access restrictions
• Execute a local program
• Limit the number of simultaneous logins by the user

Typical server configuration
• Attributes which have a given value
• Attributes which do not have a given value
• Attributes which are in the request (independent of their value)
• Attributes which are not in the request
• String attributes which match a regular expression
• Integer attributes which match a range (e.g. <, >, <=, >=)
• Source IP address of the request. This can be different than the NAS-IP-Address attribute
• Group of NAS boxes. (These may be grouped based on Source IP address, NAS-IP-Address, or any other configuration)
• User-Name
• a DEFAULT configuration
• multiple DEFAULT configurations

Databases
• Oracle
• Informix
• Sybase
• mSQL
• MySQL
• Microsoft SQL including versions 6.5, 7 and 2000
• ODBC
• Interbase
• SAP
• PostgreSQL
• SQLite

Authorization methods
• Local files
• Local DB/DBM database
• LDAP
• A locally executed program. (like a CGI program.)
• Perl program
• Python program
• MySQL DB
• PostgreSQL DB
• Oracle SQL DB
• any IODBC SQL DB
• IBM's DB2

Accounting methods
• Local 'detail' files
• Local 'wtmp' and 'utmp' files
• Proxy to another RADIUS server
• Replicate to one or more RADIUS servers
• SQL (Oracle, MySQL, PostgreSQL, Sybase, IODBC, etc)

Tools
• Users in LDAP database
• Users and Groups in SQL database (MySQL or PostgreSQL)
• Create, test, delete, change personal information, check accounting and change dialup settings for a user
• Accounting Report Generator
• Bad Users facility to keep a record of users creating problems
• Online finger facility, Test radius server
• Online Usage Statistics
• Perl, Python
• Configuration GUI

Other features
• Can optionally act as a TACACS+ server, converting TACACS+ requests into RADIUS requests
• Optional tunnelling of Radius requests using SOAP over HTTP or HTTPS for improved security.
• SNMP support for the IETF Radius Server MIB: gather server stats with SNMP

Features (contd)
• Web reports for usage analysis and user session details. Allows your administrators and customers to see usage information on a web page and drill down to connection details.
• Block authentication according to time of day and day of week, and force disconnection at the end of valid time blocks.

Token based
• Encotone telID
• RSA SecurID
• Safeword
• VASCO Digipass

Platforms
• Solaris
• Unix including Linux (Red Hat, Debian, Mandrake, SuSE, Lindows, Slackware, Ubuntu etc on Intel, Sparc, PPC, HP-PA etc), Solaris (Intel and Sparc), FreeBSD, NetBSD, SunOS, AIX, IRIX, SCO Open Server, Digital, HP-UX, etc
• Windows 95, 98, NT, 2000, ME, XP, 2003, etc.
• Mac OS9, Mac OS X.
• Novell Open Enterprise Server (NetWare) 6.5
• VMS

Third-party
• Billing packages: Platypus, Emerald, Billmax, interbiller, Jet-ISP billing, Optigold ISP.
• NAS:
  – Alcatel DANA
  – Altiga
  – Apple AirPort
  – Ascend (all models)
  – Assured Access X1000
  – Bay including RAC8000 and Annex Server 5399
  – Breezecom
  – Cisco routers and NAS's
  – Cisco Aironet AP340 and AP350 wireless Access Points
  – Cisco SSG and SESM
  – Computone
  – Enterasys SS2200, SSR8000 SSR8600
  – Ericsson ACC
  – Ericsson GSN
  – GRIC AimTraveler

VSA
• USR/3COM
• Cisco (including VOIP)
• Nortel CVX 4-byte Vendor Specific Attributes, including the Vendor Specific boolean data type.
• Ascend
• Breezecom with broken VSA's
• Bay
• Shiva
• ACC
• Microsoft
• Shasta
• Springtide
• Altiga
• Redcreek
• Unisphere
• Extreme
• KarlNet
• Colubris
• Level3
• 3GPP2
• DTag (Deutsche Telekom)
• Nomadix
• Redback 64bit integers

References
• 2139/2866 (accounting)
• 2138/2865 (RADIUS)
• 2548 (MS-VSA)
• 2882 (NAS)
• 2869 (Extensions)
• 3162 (v6)
• 3579 (EAP)
• 3580 (802.1x)

References (contd)
• http://tools.ietf.org/wg/eap/draft-funk-eapttls-v1-01.txt
• http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx
• http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
• http://www.wifiplanet.com/tutorials/article.php/3073201

Future
• Diameter: RFC3588
• IPv6 and RADIUS: RFC3162

Contact: sunil_vall@yahoo.com