Purdue University

Identity and Access Management

RADIUS Interface to I2A2

I2A2 provides a protocol converter that can

  • Translate the Remote Authentication Dial In User Service (RADIUS) plain text user authentication and authorization protocol to the I2A2 DBM authentication and authorization protocol, bypassing the I2A2 external protocol of the net daemon;
  • Communicate with I2A2 DBMs;
  • Return DBM replies converted to RADIUS protocol.

The RADIUS protocol is described in RFC 2865 and related RFCs. It has an open source server implementation called FreeRadius. The I2A2 RADIUS protocol converter is implemented as a custom module of a FreeRadius 0.8.1 server.

A client to a RADIUS server is called a Network Access Server (NAS). Often NAS clients are also called terminal servers. A RADIUS server can provide authentication and authorization services to more than one NAS client, allowing authentication and authorization tasks to be centralized, and leaving the NAS clients free to concentrate on terminal services to their clients.

I2A2 RADIUS Protocol Converter Addresses

The I2A2 RADIUS protocol converter listens on the I2A2 DBM system whose host address is:

dbm.i2a2.purdue.edu

The standard RADIUS UDP protocol ports, 1812 (authorization and authentication) and 1813 (accounting), are used. Port 1812 sometimes has the "radius" service name; 1813, "radacct" or "radius-acct".

RADIUS service names can be found in the Purdue IT Telecommunications service map.

Shared Secret

A RADIUS server and each of its NAS clients must share a "secret." The secret is used to encrypt authentication data so that it is not transmitted on the network in plain text.

As a consequence, if you want to use the I2A2 RADIUS Protocol Converter, you must register your NAS client system with I2A2 Administration and negotiate a shared secret. Your system's network identity and shared secret will then be added to the I2A2 RADIUS Protocol Converter's configuration files.
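As an added illustration of what the shared secret protects (not code from this page or the I2A2 converter), here is the User-Password hiding scheme of RFC 2865, section 5.2, that a RADIUS client applies before an Access-Request leaves the NAS; the secret, password and Request Authenticator below are constructed sample values.

```python
import hashlib

def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password attribute as specified in RFC 2865, section 5.2.

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block
    is XORed with MD5(secret + previous block), where the "previous block" for
    the first block is the 16-byte Request Authenticator of the packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next key depends on this hidden block
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it.

    Anyone holding the shared secret and the (plaintext) Request Authenticator
    can undo the hiding, which is why the secret must be strong and known only
    to the server and the registered NAS.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding

# Constructed sample values (not real credentials and not a real I2A2 secret).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_PASSWORD = b"x+y=z!!!"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # a real client draws 16 random bytes per request

if __name__ == "__main__":
    hidden = hide_user_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print(hidden.hex())
    assert reveal_user_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR) == SAMPLE_PASSWORD
```

Note that this is MD5-keyed obfuscation rather than modern authenticated encryption, so limiting which NAS systems know the secret matters as much as the secret's length.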

Supported RADIUS Operations

The I2A2 RADIUS protocol converter currently supports authentication by common plain text password, authentication by the MS-CHAP version 1 and 2 challenge-response protocols, and accounting; it optionally supports authorization tests tailored to each NAS. The I2A2 RADIUS protocol converter does not support the CHAP challenge-response authentication protocol.

The I2A2 RADIUS protocol converter support for MS-CHAP versions 1 and 2 includes generation of Microsoft Point-to-Point Encryption keys.

RADIUS Authorization

RADIUS protocol authorization is optional with the I2A2 RADIUS Protocol Converter. It is performed with I2A2 characteristic Boolean expressions, tailored to each NAS. A NAS may have exactly one expression, which is defined and referenced in the I2A2 RADIUS Protocol Converter's configuration files. Contact I2A2 Administration to register a NAS client, negotiate a secret, and arrange for an I2A2 characteristic Boolean expression to be assigned to your NAS.

Authorization for the Network Access Systems of Purdue Air Link (PAL) wireless is tested using the PAL Boolean characteristic macro.

Supported RADIUS Attributes

I2A2 RADIUS uses standard RADIUS attributes, which are specific to the authentication protocol used. They include user-name and password.

I2A2 RADIUS also defines some Purdue-specific attributes for special data management operations related to the Purdue Air Link (PAL) wireless system. Contact I2A2 Administration if you want to know more about these attributes.

The user-name Attribute

The user-name attribute may contain a PUID in its formal five-dash-five notation or as a decimal integer with or without leading zeroes -- e.g.,

user-name=00000-00026
user-name=26

Or the user-name attribute may contain the PUID's alias -- e.g.,

user-name=alias

The password Attribute

The password attribute may be used to supply an I2A2 password. If the password is being supplied from a command-line client, such as the FreeRadius radclient(1) program, you may need to surround the password with quotation marks -- e.g.,

$ radclient <host> auth <secret>
user-name=00000-00000
password="x+y=z!!!"

I2A2 Authentication Realm

The user-name attribute may contain an I2A2 authentication realm name in standard RADIUS notation -- i.e., following an '@' that follows the user-name.

Since the default I2A2 authentication realm name is "purdue", it normally need not be specified. If it were, it would be specified as:

user-name=alias@purdue
user-name=00000-00026@purdue
user-name=26@purdue

Two other authentication realms are used for MS-CHAP authentication, "purdueLM" and "purdueNT". The "purdueLM" realm holds the same password held by the "purdue" realm, but hashed in Microsoft LAN Manager (LanMan) style. The "purdueNT" realm holds the same password held by the "purdue" and "purdueLM" realms, but hashed in the Microsoft NT style. The "purdueLM" and "purdueNT" realm names should not be used in a user-name attribute; they are useful only for MS-CHAP authentication.
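As an added example (not part of this page or of the I2A2 converter), the following Python normalises the user-name forms described above (five-dash-five PUID, decimal PUID with or without leading zeroes, alias, optional "@realm"), applies the default realm, and rejects the MS-CHAP-only realms; the alias syntax it accepts is an assumption, since the page does not define one.

```python
import re

DEFAULT_REALM = "purdue"
# Realms that exist only so MS-CHAP can look up LanMan/NT hashes; the page
# says they are not to be used in a user-name attribute.
MSCHAP_ONLY_REALMS = {"purdueLM", "purdueNT"}

_PUID_DASHED = re.compile(r"^\d{5}-\d{5}$")        # formal five-dash-five notation
_PUID_DECIMAL = re.compile(r"^\d{1,10}$")          # decimal, leading zeroes optional
_ALIAS = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")  # assumed alias syntax (not from the page)

def parse_user_name(value: str) -> dict:
    """Split a RADIUS user-name into its identity and I2A2 realm.

    Returns {"kind": "puid" | "alias", "identity": ..., "realm": ...}, with a
    PUID normalised to five-dash-five form. Raises ValueError for malformed
    values and for realms that may not appear in user-name.
    """
    ident, sep, realm = value.rpartition("@")
    if not sep:  # no '@': the default realm applies
        ident, realm = value, DEFAULT_REALM
    if not ident or not realm:
        raise ValueError(f"malformed user-name {value!r}")
    if realm in MSCHAP_ONLY_REALMS:
        raise ValueError(f"realm {realm!r} is for MS-CHAP hash lookup only")
    if _PUID_DASHED.match(ident):
        digits = ident.replace("-", "")
    elif _PUID_DECIMAL.match(ident):
        digits = ident.zfill(10)
    elif _ALIAS.match(ident):
        return {"kind": "alias", "identity": ident, "realm": realm}
    else:
        raise ValueError(f"malformed user-name {value!r}")
    return {"kind": "puid", "identity": f"{digits[:5]}-{digits[5:]}", "realm": realm}

def user_name_is_acceptable(value: str) -> bool:
    """True if the user-name would be accepted for an authentication attempt."""
    try:
        parse_user_name(value)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    for v in ("00000-00026", "26", "alias", "alias@purdue", "26@purdue", "alias@purdueNT"):
        print(f"{v:16} -> {parse_user_name(v) if user_name_is_acceptable(v) else 'rejected'}")
```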

Maintained by: IAMO Team

Purdue University, West Lafayette, IN 47907, (765) 494-4600
© 2010 - 2013 Purdue University | An equal access/equal opportunity university | Copyright Complaints