8.9. RADIUS Accounting
8.9.1. Overview
The Central Database Approach
Within a network environment containing large numbers of users, it is advantageous to have one
or a cluster of central servers that maintain user account information and are responsible for
authentication and authorization tasks. The central database residing on such dedicated servers
contains all user credentials as well as details of connections. This significantly reducing
administration complexity.
The
Remote Authentication Dial-in User Service
(RADIUS) is an
Authentication, Authorization and
Accounting
(AAA) protocol widely used to implement this central database approach and is used
by NetDefendOS to implement user accounting.
RADIUS Architecture
The RADIUS protocol is based on a client/server architecture. The NetDefend Firewall acts as the
client of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS
terminology the firewall acts as the
Network Access Server
(NAS).
For user authentication, the RADIUS server receives the requests, verifies the user's information
by consulting its database, and returns either an "accept" or "reject" reply to the requesting
client.
With the RFC 2866 standard, RADIUS was extended to handle the delivery of accounting
information and this is the standard followed by NetDefendOS for user accounting. In this way,
all the benefits of centralized servers are thus extended to user connection accounting.
The usage of RADIUS for NetDefendOS authentication is discussed in
.
8.9.2. RADIUS Accounting Messages
Message Generation
Statistics, such as number of bytes sent and received, and number of packets sent and received
are updated and stored throughout RADIUS sessions. All statistics are updated for an
authenticated user whenever a connection related to an authenticated user is closed.
When a new client session is started by a user establishing a new connection through the
NetDefend Firewall, NetDefendOS sends an
AccountingRequest
START message to a nominated
RADIUS server, to record the start of the new session. User account information is also delivered
to the RADIUS server. The server will send back an
AccountingResponse
message to
NetDefendOS, acknowledging that the message has been received.
When a user is no longer authenticated, for example, after the user logs out or the session time
expires, an
AccountingRequest
STOP message is sent by NetDefendOS containing the relevant
session statistics. The information included in these statistics is user configurable. The contents
of the START and STOP messages are described in detail below:
START Message Parameters
Chapter 8: User Authentication
659
Содержание NetDefendOS
Страница 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Страница 32: ...Chapter 1 NetDefendOS Overview 32 ...
Страница 144: ...Chapter 2 Management and Maintenance 144 ...
Страница 220: ... Enable DHCP passthrough Enable L2 passthrough for non IP protocols 4 Click OK Chapter 3 Fundamentals 220 ...
Страница 267: ... SourceNetwork lannet DestinationInterface any DestinationNetwork all nets 4 Click OK Chapter 3 Fundamentals 267 ...
Страница 284: ...Chapter 3 Fundamentals 284 ...
Страница 360: ...The ospf command options are fully described in the separate NetDefendOS CLI Reference Guide Chapter 4 Routing 360 ...
Страница 392: ...Chapter 4 Routing 392 ...
Страница 396: ...Web Interface 1 Go to Network Ethernet If1 2 Select Enable DHCP 3 Click OK Chapter 5 DHCP Services 396 ...
Страница 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Страница 420: ...Chapter 5 DHCP Services 420 ...
Страница 424: ...2 Now enter Name lan_Access Action Expect Interface lan Network lannet 3 Click OK Chapter 6 Security Mechanisms 424 ...
Страница 573: ...Chapter 6 Security Mechanisms 573 ...
Страница 575: ...This section describes and provides examples of configuring NAT and SAT rules Chapter 7 Address Translation 575 ...
Страница 607: ...Chapter 7 Address Translation 607 ...
Страница 666: ...Chapter 8 User Authentication 666 ...
Страница 775: ...Chapter 9 VPN 775 ...
Страница 819: ...Chapter 10 Traffic Management 819 ...
Страница 842: ...Chapter 11 High Availability 842 ...
Страница 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Страница 879: ...Chapter 13 Advanced Settings 879 ...