D-Link DFL-260E User Manual for DFL-260E - Page 65
RADIUS Accounting, 2.3.1. Overview, 2.3.2. RADIUS Accounting Messages
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 65 highlights
2.3. RADIUS Accounting Chapter 2. Management and Maintenance 2.3. RADIUS Accounting 2.3.1. Overview The Central Database Approach Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing on such dedicated servers contains all user credentials as well as details of connections. This significantly reducing administration complexity. The Remote Authentication Dial-in User Service (RADIUS) is an Authentication, Authorization and Accounting (AAA) protocol widely used to implement this central database approach and is used by NetDefendOS to implement user accounting. RADIUS Architecture The RADIUS protocol is based on a client/server architecture. The NetDefend Firewall acts as the client of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS terminology the firewall acts as the Network Access Server (NAS). For user authentication, the RADIUS server receives the requests, verifies the user's information by consulting its database, and returns either an "accept" or "reject" reply to the requesting client. With the RFC 2866 standard, RADIUS was extended to handle the delivery of accounting information and this is the standard followed by NetDefendOS for user accounting. In this way, all the benefits of centralized servers are thus extended to user connection accounting. The usage of RADIUS for NetDefendOS authentication is discussed in Section 8.2, "Authentication Setup". 2.3.2. RADIUS Accounting Messages Message Generation Statistics, such as number of bytes sent and received, and number of packets sent and received are updated and stored throughout RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed. When a new client session is started by a user establishing a new connection through the NetDefend Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session. User account information is also delivered to the RADIUS server. The server will send back an AccountingResponse message to NetDefendOS, acknowledging that the message has been received. When a user is no longer authenticated, for example, after the user logs out or the session time expires, an AccountingRequest STOP message is sent by NetDefendOS containing the relevant session statistics. The information included in these statistics is user configurable. The contents of the START and STOP messages are described in detail below: START Message Parameters Parameters included in START messages sent by NetDefendOS are: • Type - Marks this AccountingRequest as signalling the beginning of the service (START). 65