top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Diameter Vs Radius Protocol?

+1 vote
695 views

Diameter and Radius both are used for authentication, authorization, and accounting in network/telecom system. My question here is why someone should use diameter where we already have proven Radius protocol.

posted Apr 4, 2013 by Salil Agrawal

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

Few things I managed to gather

RADIUS

  • RADIUS has a limited command and attribute address space (maximum 256 attributes), and is therefore considered not very extensible.
  • Uses only UDP as transport. Therefore unreliable
  • In case of server failure, the RADIUS client will try to contact a backup RADIUS server. There is no state resynchronization

DIAMETER

  • DIAMETER resolves this limitation by defining a base protocol that can largely be extended with new attributes (AVP address space of 32 bit). Therefore highly extensible for Vendor specific AVPs.
  • TCP as transport. More sophisticated implementations use SCTP (which provides multihoming,reliability etc)
  • DIAMETER uses the Device-Reboot-Ind message, which is used to indicate an imminent reboot together with the Device-Watchdog-Ind message to provide peer failure recovery and a keepalive mechanism
answer Jun 25, 2013 by Chandra Javalkar
Similar Questions
+5 votes

Not sure I am missing something obvious, looking for a method to achieve Radius COA functionality with all possible command codes

Using Diameter. I see, it would be possible with server initiated messages, looking for more details in case any draft talks more about the respected messages.

+2 votes

I just want to covert my radius request as an diameter request for authentication.

So I configured radgw and all mentioned configurations.

But I'm facing below issue
"No suitable candidate to route the message to." and getting access reject

My setup is like below

Started freediameter with radgw support and initiated the radius request by executing radtest.

$ sudo ../../../build/freeDiameterd/freeDiameterd-1.1.4  freeDiameterd-1.1.4 -c freeDiameter-1.conf
libfdproto initialized.
libgnutls '2.12.14' initialized.
Generating fresh Diffie-Hellman parameters of size 1024 (this takes some time)...
Loading : /usr/local/lib/freeDiameter/test_app.fdx
Extension Test_App initialized with configuration: 'doc/test_app1.conf'
------- app_test configuration dump: ---------
 Vendor Id .......... : 999999
 Application Id ..... : 16777215
 Command Id ......... : 16777214
 AVP Id ............. : 16777215
 Mode ............... : Cli
 Destination Realm .. : localdomain
 Destination Host ... : - none -
 Signal ............. : 10
------- /app_test configuration dump ---------
Loading : /usr/local/lib/freeDiameter/dict_nasreq.fdx
Extension 'Dictionary definitions for NASREQ' initialized
Loading : /usr/local/lib/freeDiameter/dict_eap.fdx
Extension 'Dictionary definitions for EAP' initialized
Loading : /usr/local/lib/freeDiameter/app_radgw.fdx
Extension RADIUS Gateway initialized with configuration: 'doc/rgw.conf'
Loading : /usr/local/lib/freeDiameter/app_diameap.fdx
-------- DiamEAP extension : Configuration parameters (Dump) -------------
    -Configuration file.....: doc/app_diameap.conf
    -EAP Application Id.....: 5
    -EAP Application Command: 268
    -EAP Application Vendor.: 0
    -Max invalid EAP packets: 5
    -Multi-Round Timeout....: 30
    -MySQL Database Params..:
        User .......:root
        Server .....:127.0.0.1
        Database....:diameap
    -EAP Method Plugins.....:
         - EAP Identity plugin      [Type: 1, Vendor: 0]  loaded
-------- DiamEAP extension : Configuration parameters (End) ---------------
[DiamEAP extension] Diameter EAP Application Extension started successfully.
All extensions loaded.
-- Configuration :
  Debug trace level ...... : +1
  Configuration file ..... : freeDiameter-1.conf
  Diameter Identity ...... : peer1.localdomain (l:17)
  Diameter Realm ......... : localdomain (l:11)
  Tc Timer ............... : 30
  Tw Timer ............... : 30
  Local port ............. : 3868
  Local secure port ...... : 3869
  Number of SCTP streams . : 30
  Number of server threads : 4
  Local endpoints ........ : Default (use all available)
  Local applications ..... : App: 1    Au--    Vnd: 0
                             App: 3    --Ac    Vnd: 0
                             App: 5    Au--    Vnd: 0
                             App: 16777215    Au--    Vnd: 999999
  Flags : - IP ........... : Enabled
          - IPv6 ......... : Enabled
          - Relay app .... : Enabled
          - TCP .......... : Enabled
          - SCTP ......... : Enabled
          - Pref. proto .. : SCTP
          - TLS method ... : Separate port
  TLS :   - Certificate .. : peer1.cert.pem
          - Private key .. : peer1.key.pem
          - CA (trust) ... : cacert.pem (1 certs)
          - CRL .......... : (none)
          - Priority ..... : (default: 'NORMAL')
          - DH bits ...... : 1024
  Origin-State-Id ........ : **********
freeDiameterd daemon initialized.

------------- RADIUS/Diameter Request Debug -------------
 RADIUS request (0x8887088) DUMP:
 id  : 0xf7, code: 1 (Access-Request [RFC2865])
 auth: 41 f9 0b ae  86 19 2b 6c
       0b 59 1a 79  0f ae db cd
 RADIUS answer: NULL pointer
 Diameter message (0xb5000558) DUMP:
------ Dumping object 0xb5000558 (w)-------
|MSG: 0xb5000558
|   (no model)
|   public: V:1 L:20 fl:RP-- CC:265 A:1 hi:0 ei:ffe00000
|   intern: rwb:(nil) rt:0 cb:(nil)((nil)) qry:(nil) asso:0 sess:(nil) src:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 263 "Session-Id"
 |   public: C:263 fl:-M L:8 V:0  data:@0xb50008ac
 |   value t: 'UTF8String' (OCTETSTRING) v: chris-VirtualBox;**********;1;user;peer1.l
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 283 "Destination-Realm"
 |   public: C:283 fl:-M L:8 V:0  data:@0xb5000764
 |   value t: 'DiameterIdentity' (OCTETSTRING) v: localdomain
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 264 "Origin-Host"
 |   public: C:264 fl:-M L:8 V:0  data:@0xb5000624
 |   value t: 'DiameterIdentity' (OCTETSTRING) v: chris-VirtualBox
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 296 "Origin-Realm"
 |   public: C:296 fl:-M L:8 V:0  data:@0xb500069c
 |   value t: 'DiameterIdentity' (OCTETSTRING) v: localdomain
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,   UNSIGNED32, 258 "Auth-Application-Id"
 |   public: C:258 fl:-M L:12 V:0  data:@0xb500094c
 |   value (UNSIGNED32) v: 1 (0x1)
 |   intern: src:(nil) mf:0 raw:(nil)(0)
 |   model : v/m:-M/VM,    INTEGER32, 274 "Auth-Request-Type"
 |   public: C:274 fl:-M L:12 V:0  data:@0xb50009ac
 |   value t: 'Enumerated(Auth-Request-Type)' (INTEGER32) v: 'AUTHORIZE_AUTHENTICATE' (3 (0x3))
 |   intern: src:(nil) mf:0 raw:(nil)(0)
 |   model : v/m:-M/VM,   UNSIGNED32, 408 "Origin-AAA-Protocol"
 |   public: C:408 fl:-M L:12 V:0  data:@0xb5000a0c
 |   value t: 'Enumerated(Origin-AAA-Protocol)' (UNSIGNED32) v: 'RADIUS' (1 (0x1))
 |   intern: src:(nil) mf:0 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 1 "User-Name"
 |   public: C:1 fl:-M L:8 V:0  data:@0xb5000a6c
 |   value t: 'UTF8String' (OCTETSTRING) v: user
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 2 "User-Password"
 |   public: C:2 fl:-M L:8 V:0  data:@0xb5000adc
 |   value (OCTETSTRING) v: 75 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 4 "NAS-IP-Address"
 |   public: C:4 fl:-M L:8 V:0  data:@0xb5000b54
 |   value (OCTETSTRING) v: C0 A8 38 66
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,   UNSIGNED32, 5 "NAS-Port"
 |   public: C:5 fl:-M L:12 V:0  data:@0xb5000bc4
 |   value (UNSIGNED32) v: 0 (0x0)
 |   intern: src:(nil) mf:0 raw:(nil)(0)
------ /end of object 0xb5000558 -------
 Diameter session: chris-VirtualBox;**********;1;user;peer1.localdomain
===========  Debug complete =============
No suitable candidate to route the message to.
Logged: 05/11/15,08:50:59.543145

 |MSG: 0xb5000558
 |   model : v/m:RP--/RPE-, 265 "AA-Request"
 |   public: V:1 L:20 fl:RP-- CC:265 A:1 hi:0 ei:ffe00000
 |   intern: rwb:(nil) rt:0 cb:0xb4fe7ddb(0xb5001c28) qry:(nil) asso:0 sess:(nil) src:(nil)(0)
[auth.rgwx] Received Diameter answer with error code '3002' from server 'peer1.localdomain', session chris-VirtualBox;**********;1;user;peer1.localdomain, translating into Access-Reject
[auth.rgwx]   Error-Message content: 'No suitable candidate to route the message to'
------------- RADIUS/Diameter Answer Debug -------------
 Diameter message (0x88871b0) DUMP:
------ Dumping object 0x88871b0 (w)-------
|MSG: 0x88871b0
|   model : v/m:-P--/RP--, 265 "AA-Answer"
|   public: V:1 L:20 fl:--E- CC:265 A:1 hi:0 ei:ffe00000
|   intern: rwb:(nil) rt:0 cb:(nil)((nil)) qry:0xb5000558 asso:0 sess:0xb50007f0 src:(nil)(0)
------ /end of object 0x88871b0 -------
 RADIUS answer (0xb4c00508) DUMP:
 id  : 0xf7, code: 3 (Access-Reject [RFC2865])
 auth: 00 00 00 00  00 00 00 00
       00 00 00 00  00 00 00 00
  - len: 47, type:0x12 (Reply-Message )
  - len:  6, type:0x65 (Error-Cause Attribute[RFC3576])
===========  Debug complete =============
ERROR: in '(pthread_mutex_lock( &sess->stlock ))':    Invalid argument
freeDiameterd-1.1.4: /home/chris/diameter/freeDiameter-1.1.4/freeDiameter-1.1.4/libfdproto/sessions.c:626: fd_sess_destroy: Assertion `0' failed.

freediameter conf

# -------- Test configuration ---------

Identity = "peer1.localdomain";
Realm = "localdomain";
# Port = 3868;
# SecPort = 3869;

TLS_Cred = "peer1.cert.pem",
           "peer1.key.pem";
TLS_CA = "cacert.pem";

LoadExtension = "test_app.fdx" : "doc/test_app1.conf";
LoadExtension = "dict_nasreq.fdx":"doc/app_diameap.conf";
LoadExtension = "dict_eap.fdx":"doc/app_diameap.conf";
LoadExtension = "app_radgw.fdx":"doc/rgw.conf";
LoadExtension = "app_diameap.fdx":"doc/app_diameap.conf";

rgw.conf
# Handle some attributes
#RGWX = "echodrop.rgwx" : "doc/echodrop.rgwx.conf";

# Handle Accounting-Request messages received on the correct port
RGWX = "acct.rgwx" : acct : 4;

# Handle Access-Request messages received on the correct port
RGWX = "auth.rgwx" : auth : 1;

# Dump state when loop ends
RGWX = "debug.rgwx";

##################

nas = 192.168.56.101 / "radiusecret" ;
nas = 192.168.56.105 / "radiusecret" ;
nas = 127.0.0.1 / "radiusecret" ;
nas = 192.168.56.102 / "radiusecret" ;

Please help me to proceed further,

+2 votes

I am not able to figure out an use-case where radius authentication is used and also how the credentials are provided, like manually or automatically by UE, in LTE attach procedure?

Please help me with an example?

...