2.3. RADIUS Accounting
2.3.1. Overview
Within a network environment containing large numbers of users, it is advantageous to have one or
a cluster of central servers that maintain user account information and are responsible for
authentication and authorization tasks. The central database residing on the dedicated server(s)
contains all user credentials as well as details of connections, significantly reducing administration
complexity. The Remote Authentication Dial-in User Service (RADIUS) is an Authentication,
Authorization and Accounting (AAA) protocol widely used to implement this approach and is used
by NetDefendOS to implement user accounting.
RADIUS Architecture
The RADIUS protocol is based on a client/server architecture. The D-Link Firewall acts as the client
of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS
terminology the firewall acts as the Network Access Server (NAS).
For user authentication, the RADIUS server receives the requests, verifies the user's information by
consulting its database, and returns either an "ACCEPT" or "REJECT" decision to the requested
client. In RFC2866, RADIUS was extended to handle the delivery of accounting information and
this is the standard followed by NetDefendOS for user accounting. The benefits of having
centralized servers are thus extended to user connection accounting. (For details of the usage of
RADIUS for NetDefendOS authentication see Section 8.2, “Authentication Setup”).
2.3.2. RADIUS Accounting Messages
Statistics, such as number of bytes sent and received, and number of packets sent and received are
updated and stored throughout RADIUS sessions. All statistics are updated for an authenticated user
whenever a connection related to an authenticated user is closed.
When a new client session is started by a user establishing a new connection through the D-Link
Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS
server, to record the start of the new session. User account information is also delivered to the
RADIUS server. The server will send back an AccountingResponse message to NetDefendOS,
acknowledging that the message has been received.
When a user is no longer authenticated, for example, after the user logs out or the session time
expires, an AccountingRequest STOP message is sent by NetDefendOS containing the relevant
session statistics. The information included in these statistics is user configurable. The contents of
the START and STOP messages are described in detail below:
START Message Parameters
Parameters included in START messages sent by NetDefendOS are:
•
Type - Marks this AccountingRequest as signalling the beginning of the service (START).
•
ID - A unique identifier to enable matching of an AccountingRequest with Acct-Status-Type set
to STOP.
•
User Name - The user name of the authenticated user.
•
NAS IP Address - The IP address of the D-Link Firewall.
•
NAS Port - The port of the NAS on which the user was authenticated (this is a physical port and
not a TCP or UDP port).
•
User IP Address - The IP address of the authenticated user. This is sent only if specified on the
2.3. RADIUS Accounting
Chapter 2. Management and Maintenance
54
Содержание 800 - DFL 800 - Security Appliance
Страница 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Страница 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Страница 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Страница 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166 ...
Страница 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Страница 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Страница 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Страница 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Страница 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Страница 303: ... Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303 ...
Страница 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Страница 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Страница 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Страница 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Страница 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Страница 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Страница 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...