ANUBIS
Authentication, authorization, and accounting are among the most important tasks that anyone providing remote access to network services must perform. Good, solid authentication is clearly necessary, because one needs to ensure that the service is indeed being provided to a legitimate client and not to some impostor. A method must also be provided to grant access to the client once he or she has been properly authenticated. Finally, in order to determine how much a particular client must be billed, and to monitor how much of the service he or she has made use of, a method for accounting for usage of the service must also be developed.
An Internet standard, codified in RFCs 2865 and 2866, provides all of these services in a protocol known as RADIUS, which stands for Remote Authentication Dial-In User Service. RFC 2865 defines a method for providing authentication and authorization by means of authentication servers that hold a database of valid clients and their authentication credentials (e.g. passwords or other secrets); Network Access Servers (NASes) query these servers in order to authorize clients to use a network service. RFC 2866 defines methods for providing accounting. The same NASes that obtained authorization for a client to access the service are also clients of the accounting servers: a NAS sends accounting information at intervals to an accounting server, which stores and processes it to produce, say, a billing statement based on how much usage a particular client has consumed.

As a concrete example, a typical dialup Internet Service Provider setup usually consists of a pool of E1R2 lines that clients dial into. These E1R2 lines are connected to a RADIUS-compliant network access server that presents authentication prompts requesting the user's credentials, for instance a username and password. The NAS encodes these credentials into a RADIUS authentication request that it then sends to the ISP's RADIUS authentication server. The authentication server decodes the credentials, validates them against its database, and sends a reply to the NAS stating whether the credentials it received are valid or not. If the authentication server declares the credentials valid, the NAS grants access to the client, providing an IP address and the other information necessary to establish an Internet connection; otherwise it terminates the client's connection.
After a connection has been established in this way, the NAS sends a RADIUS accounting packet to the accounting server describing the service being delivered, the user account it is being delivered to, and any other auxiliary information the accounting system requires (e.g. the IP address assigned to the user, the NAS port the user connected to, and so on). The accounting server acknowledges receipt of this packet and stores the information. Once the client disconnects from the service, the NAS sends another accounting packet to the server, which acknowledges and records it.

The authentication, authorization, and accounting service defined by the RADIUS protocol is flexible and powerful enough to accommodate nearly any conceivable billing and access scheme. Though designed primarily for dial-in access, as its name implies, it is readily adapted to broadband Internet access (via PPP over Ethernet, for instance) and to authentication for other services, e.g. POP3 mail and virtual private networks. Accounting may be based on the amount of time the user remains connected (as is traditionally done) or on the amount of bandwidth consumed, given the proper routers and other supporting hardware. Prepaid as well as postpaid access may also be readily provided within this framework.

OpenS2 provides a full range of RADIUS authentication, authorization, and accounting services based on GNU/Linux technology, making our solutions both cost-effective and reliable. Our RADIUS authentication and accounting servers are built on the MySQL database and are further hardened against malicious attackers with a multi-tiered system for the prevention and detection of, and response to, compromise attempts. Enterprise-class reliability, availability, and serviceability are provided by a cluster of such servers using MySQL's replication clustering system.
Account maintenance and reporting are handled by software especially customized to suit a particular customer's needs and business requirements. The network access servers used with our system may be any of the many industry-standard NASes available. A NAS of our own, also based on GNU/Linux and Free software, is available as well; it can authorize and generate accounting information for either dialup users or broadband clients over PPPoE.
COPYRIGHT © 2005, OPENS2 CORPORATION. ALL RIGHTS RESERVED. SITE DESIGN BY IMPERIUM TECHNOLOGY, INC.