ADSL & PPPoE & RADIUS

ADSL & PPPoE & RADIUS
Seminar paper from Miao,yi WS04/05
11.2004
1

Content
1, Introduction 3
2, Overview 3
3,ADSL 4
3,1 The principle of the signal transmitting 4
3,2 The physical issues of signal transmission 5
3,3 Proposed modulation formats for ADSL 5
3,3,1 The modulation technique 5
3,3,1,1 Frequency modulation 5
3,3,1,2 Amplitude modulation 6
3,3,1,3 Phase modulation 6
3,3,2 Three different modulation of ADSL 6
3,3,2,1 QAM – Quadrature Amplitude modulation 6
3,3,2,2 CAP – Carrierless Amplitude phase 7
3,3,2,3 DMT – Discrete multi tone (multi carrier modulation) 7
3,4 The xDSL 8
4,PPPoE 10
4, 1 Introduction 10
4, 2 Two phases of PPPoE 10
4,2,1 PPPoE Discovery 11
4,2,2 PPPoE session 12
4,3,PPPoE Security Considerations 14
4,4,The data flower 14
4,5 The Experiment of the PPPoE 15
5 RADIUS 16
5,1 Introduce 16
5,1 Operations 17
5,3 RADIUS Security Considerations 18
6 Reference 19
2

1, Introduction
Asymmetric Digital Subscriber Lines (ADSL) is used to deliver high-rate
digital data over existing ordinary phone-lines. This makes it possible for all the
users who use phone line and modem to connect the Internet to get the cheap
and rapid solution. And it also keeps the original familiar operation interface.
There are some inconsistent targets for the modem internet connection: not
only to connect remote multi-users host via a connection device, but also to
provide some functionalities such connection control, fee calculation and
reduce the configuration for the users. The PPPOE Protocol and RADIUS
Protocol are to resolve the issues above. PPPoE (PPP over Ethernet) is a
Point to Point protocol on the Ethernet which is created after 1998. For the
connection control and fee calculation, Remote Authentication Dial In User
Service (RADIUS) will provide.
In the paper,I will describe the relationships among the three parts, the
principle of each part and the running mode of them in detail. I will show an
implementation based on the Point to Point protocol via Ethernet under Linux
OS. And some samples to connect the Internet via ADSL.
2, Overview
Why we use ADSL today? The most cost-effective method to connect
multiple hosts to the customer premise access device is via Ethernet. It is
important to require little or no configuration on the end user side while keeping
the cost of this device as low as possible. By combining two standards,
Ethernet and PPP, into PPP over Ethernet (PPPoE), it is required of the end
user only to set up standard dial-up Internet access. The PPPoE solution uses
existing PC hardware and software, existing Ethernet NICs, and existing
ADSL/DSL modems. It requires no special configuration or additions to the
customer premise modem or ADSL/DSL access network. It requires no special
wire for the high-speed networks and services.
Actually ADSL is fit into the existing equipment and operation system with
little disruption to ongoing subscriber services. A user places a telephone call
to establish physical layer connectivity. The voice signal and the data signal
will be departed via “Splitter”. The “Splitter” will modulate the signal from ADSL
Modem to high frequency signal. In this way, the ADSL and ISBN can be used
with phone at the same time. Using Dial-Up Networking in Windows, the user
makes a connection to the ISP via an ADSL/DSL access device (modem).
ISPs are accustomed to providing consumer Internet access through PPP
sessions. PPP can be easily adapted to broadband services with no changes
to the existing protocol. When the ISPs began to prepare their networks for the
3

introduction of ADSL Internet access services, they preserve the existing dial
ISP model for user authentication, provisioning, and accounting, typically
based on the combination of Point to Point Protocol (PPP) sessions and
RADIUS AAA servers.
Figure 1: The overview of ADSL&PPPoE&RADIUS
In the Figure 1, we can see the overview of the ADSL. An example of ADSL
connection is better for the understanding of the three parts in my paper. On
the PC, user clicks the browser or start the PPPoE-Client-Software, the data
packages will be transmitted to ADSL-Modem via the Ethernet. There these
packages will be parsed and transmitted to the “Splitter”. Then the data will go
to DSLAM (Digital Subscriber Line Access Multiplexer (big Splitter)) via phone
line. The voice signal will be transmitted to the telephone agency continuously
and the data signal will be transmitted to B-RAS (Broadband-Remote Access
Server) via ATM. B-RAS will send a package back via the same line. When the
PPPoE-Client on the PC in home receives the package, it will send back a
feedback package. After the B-RAS receives that feedback package from the
user PPPoE-Client, it will send a package with accounting information to
RADIUS-Server, where the account will be authorized and validated. Then the
related data and status of “OK” will be sent back to the correct IP-Address in
the same session. PPPoE-Client will start to configurate the PPP-Interface of
the PC, and then the PPPoE-Client will set the current B-RAS IP-Address as
the default route in the routing table and store it in the system. This means
from now on all the data packages will be sent to B-RAS via the PPP-Interface
(B-RAS will be treated as an Internet gateway) and continue the routing. At this
point, the user is connected to the service provider (and the Internet).
4

3,ADSL
Figure 2: The ADSL in the OSI seven layer model
The Open Systems Interconnection Reference Model (OSI Model or OSI
Reference Model for short) is a layered abstract description for
communications and computer network protocol in networking. It is also called
the OSI seven layer model.
The ADSL/DSL is in the first layer: physical layer in the OSI seven layer
models. Because the physical layer concerns itself with the transmission of bits,
I will introduce the physical aspects of the signal transmission in the next part.
3,1 The principle of the signal transmission
If the sender wants to send information, it will modulate the information to
signals and transmit them to the receiver via the physical intermediate. The
receiver will demodulate the signals to the original information, which can be
used. The transform is done by a device called “modem”.
3,2 The physical issues of signal transmission
When signal is transmitting in the intermediate, it will be attenuated
because of characteristic of the intermediate. After we know these issues, we
can try our best to reduce attenuation of signals when doing the prophetic
works.
a) Attenuation of signal: With the continuous attenuation and weakening
often signals in the transmitting process, it is possible that the signals
cannot reach the receiver.
b) Disturbance of signal: Because there might be some disturbance in the
transmitting process, such as some other signals from other signal sources,
5

what the receiver received would not be the original signals any more.
3,3 Proposed modulation formats for ADSL
Modulation is a technique that converts the digital signal (binary 0 and 1)
to analogy signal (such as the sine curve). The signal, that is modulated, is
consist of a whole RF carrier. The modulation is the process of varying the
amplitude, frequency, or phase of an RF carrier wave, the process whereby
some characteristic of one wave is varied in accordance with some
characteristic of another wave. The basic types of modulation are angle
modulation, including the special cases of frequency modulation, amplitude
modulation and phase modulation. The next part is the introduction of different
modulation techniques, which are used in ADSL.
3,3,1 The modulation technique
3,3,1,1 Frequency modulation
Frequency modulation is the simplest modulation. The definition of
frequency is that the number of times an electromagnetic signal repeats an
identical cycle (sine curve) in a unit of time, usually one second. The unit of
frequency is Hz. One Hertz (Hz) is one cycle per second.
There is a simple sample: if on a simple 300 band modem, 1070 Hz stands
for binary value 0 and 1270 Hz stands for binary 1. Then we can transmit the
binary values 0 and 1 by using these 2 frequencies. Of course, we can use
more frequencies to transmit more signals. We can use A, B, C, D four
frequencies to stand for 00, 01, 10, 11 four different signals. This makes the
speed of transmit more quick. And we also transmit 3 bit information at same
time when we use different 8 frequencies.
3,3,1,2 Amplitude modulation
After we know the principle of the frequency modulation, it is easier to
understand the amplitude and phase modulation. In the amplitude modulation,
we distinguish the different information via changing the amplitude,which is
the height of the amplitude. The principle is same as the frequency modulation.
3,3,1,3 Phase modulation
To change the phase of cycle (sine curve) in a specific period, then we
should send a new sine curve when stop to send the old sine curve in the
sender. The new sine curve has the same frequency and the amplitude as the
old sine curve. If we stop the old sine curve and start the new sine curve at the
same, then there will not any difference between the new signal and the old
6

one. But if we delay the sending of the new curve, that is to say: the phase of
the sine curve will be changed. We can evaluate the unit of the change: degree.
For the sin curve, 360 degree is a period. Using the different degree value in
the different periods, we have more types to stand for more bits.
3,3,2 Three different modulation of ADSL
If a technique of modulation only uses one carrier, then the modulation
belong to single carrier modulation. Or it is multi carrier modulation.
I will only introduce the three modulations related with ADSL, which are
used frequently: QAM, CAP and DMT.
3,3,2,1 QAM – Quadrature Amplitude modulation
(single carrier modulation)
QAM is the combination of the phase modulation and amplitude modulation
techniques. First it distinguishes the different types on the phase of the base
frequencies. Then it changes the amplitude. This technique can stands for
4bits and can be used on the modems which speed could be 14.4K,28.8K and
33.6K. Now it is no longer used on the 56K modem. But it is still used on the
56K modem to transmit the signals from PC to phone line. See the diagram
below. The diagram is a sample of 16QAM. It uses 12 different phases and
four different amplitudes.
Figure 3: Example of the QAM modulation
3,3,2,2 CAP – Carrierless Amplitude phase
(single carrier modulation)
CAP is the first modulation technique which is used on the ADSL and is
replaced with the DMT. CAP is also a technique that is combined the carrier
7

amplitude with the phase modulation. The efficiency of the single carrier
modulation is low because it is not only treated as the intermediate but also
needs to transmit signals. The next will be the multi carrier modulation.
3,3,2,3 DMT - Discrete multi tone (multi carrier modulation)
Multi carriers modulation uses multiple carriers , which we call as
“subcarriers” On each subcarrier, we can use different single carrier
modulation.
Figure 4: ADSL Frequency Spectra
Now most of the ADSL and VDSL use DMT. The basic idea of DMT is to
split the available bandwidth into a large number of subcarriers. DMT is able to
allocate data so that the throughput of every single subcarrier is maximized. If
some subcarrier can not carry any data, it can be turned off and the use of
available bandwidth is optimised.
First an equal number per tone is transmitted to measure the
characteristics of the line. The processing of the signal takes place in ATU-R,
and the optimised bit distribution information will be delivered for ATU-C by
using the same phone-line at a secure low speed.
ADSL DMT-systems the downstream carriers are divided into 256
4-kHz-wide tones. The upstream channels are divided into 32 subcarriers.
3,4 The xDSL
ADSL is the most popular form of xDSL technology. xDSL (Digital
subscriber line) is technology backed by telephone companies to provide next
generation high bandwidth services to the home and business using the
existing telephone cabling infrastructure. There are of xDSL, each designed for
specific goals and the needs of the marketplace. By using the different
8

modulation techniques,xDSL can be divided to several forms. The most
frequently used are ADSL,HDSL,SDSL and VDSL.
ADSL: Asymmetric DSL, with a larger portion of the capacity downstream,
less upstream POTS (Plain Old Telephone Service). This is the current
existing telecom device. The frequency values that can be used are from
300Hz to 3.4 KHz. Then the ADSL technique has enough space to transmit
signals. When signals are transmitting to home via the phone line, the splitter
will depart the low frequency signals. The signals which frequencies are lower
than 4 KHz are telephone signals. The splitter will transmit these signals to
telephone device. Those signals that are in high frequencies will be passed to
the modem. And the modem will modulate the signals until they become the
binary values what can be used by computer.
The diagram below is the work principle of ADSL. In the diagram, the
upload speed is from 16 to 768kbps and the download speed is from 1.5 to
9Mbps. Because most of the users receive their emails and read the news
when they use Internet, the download speed is more than the upload speed.
Because of the different upload speed and download speed, it is called
Asymmetric DSL. The ADSL cable line must be shorter than 6km.
Figure 5: Detailed ADSL Configuration
The ADSL what uses the CAP modulation technique will use 25-160Khz as the
upload channel and 240kHz-200kHz as download channel. The ADSL what
uses the DMT modulation technique will use 25kHz – 200kHz as the upload
channel and 240kHz – 1.1Mhz as the download channel.
HDSL: High-bit-rate DSL, a technology for the business market. This
technique uses two wire pairs. It was invented in 1980’s and developed for
voice broadcasting first. And later it was used for the data transmitting. The
length of the cable should be 3-4km. The limitation of the cable length is
decided by the physical characteristics of the signal transmission. The HDSL is
9

symmetric, that means the upload speed and download speed are same. If
single wire is used, then the speed is 1.544mbit per second. If both of the wires
are used, then the speed is 2mbit per second. Because of the same speeds
and the dual wires it is more expensive than the ADSL and mostly used in
companies. The HDSL uses the 300 -3.4Hz in the phone lien,so it doesn’t
provide the POTS service like ADSL.
SDSL: Symmetric DSL is a variation of HDSL using only one wire pair. The
name has become more generic over time to refer to symmetric service at a
variety of rates over a single loop.
VDSL: Very high-bit-rate DSL which provides speeds up to 52 Mbps, but
only for rather short distances, highest data rate of all。The intermediate of the
technique are the wire which is consisted of fiber. The limitation of the cable is
from 300m to 1.5km. The upload speed is 1.5-6.4Mbits per second and the
download speed is 13-52Mbits per second。In fact is uses the frequencies
above the voice frequency like ADSL. So it also uses POTS.
The above different DSL are work in the physical layer of OSI, now coming the
point of the network layer. In this layer, ADSL use PPP protocol to transmit the
information packets.
4,PPPoE
PPP, is a communications protocol for transmitting information over
standard telephone lines. It is a member of the TCP/IP suite of network
protocols. TCP/IP by itself cannot be transmitted over a serial link, so that we
use the PPP transmit TCP/IP packets over a serial link. Since PPP was
designed to do things that are not with Ethernet, there may be some confusion
as to use PPP over Ethernet. PPP over Ethernet (PPPoE) is the solution that
let the PPP (designed for serial communications) be adapted to an Ethernet
network.
4, 1 Introduction
By combining the most economical LAN technique and the features of
extensibility and the manageable control of the Ethernet Point to Point protocol,
the network service providers and the telecom agencies can use the reliable
and familiar techniques to speed up the deployment of high-speed internet
service. It makes the service providers easier to support the multi-user
wide-band connection services when they use the ADSL, cable modem or
wireless connection. It also simplifies the configuration for the end users when
they choose these services.
10

PPPoE, defined in RFC 2516 (“A Method for Transmitting PPP over
Ethernet (PPPoE)”) allows PPP transmission over Ethernet. This enables the
provider both the advantages of the well-known Ethernet media and the
advantages of a dial-up connection, in an “always-on” access network.
PPPoE provides the ability to connect a network of hosts over a simple
bridging access device to a remote Access Concentrator (AC). With this model,
each host utilizes it's own PPP stack and the user is presented with a familiar
user interface. PPPoE is easy to use - users accustomed to traditional dial-up
will already be familiar with the PPPoE connection model.
The below is the detail position of the PPPoE protocol in the data flow:
Figure 6: Detailed position of the PPPoE protocol in the data flow
4, 2 Two phases of PPPoE
There are phases to create a session based on the Point to Point protocol
of the Ethernet: PPPoE discovery and PPPoE session. But when a user to
creat the connection using the PPPoE, it is difficult to distinguish this phases.
Because the PPPoE discovery phase is the phase that to creating the
validation of the user connection of and connection contact phase. But the
PPPoE session phase is a normal PPP phase after the connection is built.
4,2,1 PPPoE Discovery
In the phase, a user host will find a correct server, and then build the
connection. The process can be four steps below:
1. At the beginning, the user host broadcast the packages of PPPoE PADI
(PPPoE Active Discovery Initiation) to find all the servers that can be
connected possibly. Until it gets the PADO (PPPoE Active Discovery Offer)
11

packages which were sent by one or more servers (most is one B-RAS).
The user host’s Ethernet target address is the a broadcast address which
is 0xfffffff and CODE field is 0x09,SESSION_ID is 0x0000. The PADI
package should contain one tag of service name (The filed of the tag type
is 0x0101) and the service which is asked for the server. A whole PADI
(including the head of PPPoE) cannot exceed 1484 bytes to remain the
enough for agent devices adding the tag of Relay-Session-Id.
2. When the server receives the package of PADI in its service range it will
send the PADO package to reponse the request. The PADO package
must contain one tag (AC-Name) of connecting device type (The field of
the AC-Name is 0x0102) and one or more tags of service names which
indicates what the service types that can provide to the user hosts are. The
CODE field is 0x07 and SESSION_ID still is 0x0000.
3. The user host could choose one of connection devices after it received the
PADO packages. The rule to choose is according the service name tags
and the content in the tags. The user host chooses that one that the
account is used in the server. Then the user host will send PPPoE PADR
(PPPoE Discovery Request) package to the selected server to build a
connection with the server. The CODE is 0x19 and SESSION_ID is still
0x0000. The PADR package must include one service name tag to confirm
the service type which requests to the connection devices. When the user
host doesn’t receive PADO in specific time, it will send PADI again and
wait double time at the same time. This process could be repeated several
times if necessary.
4. It starts the PPP session when the server received PADR package. After
that it sends a PPPoE PADS package. The field of CODE is 0x65 and
SESSION_ID is a unique session identity which is generated by the server.
The ID is corresponded to the MAC of the server. 0xffff is the remain
resource and cannot be used as SESSION_ID. PADS package must
contains a service name tag to confirm the services provided to the user
host. When the user host received the confirmation package both of them
go into the session phase. If the server cannot recognize the service name
tag which is in the PADR, it wills response a PADS package which
contains service name error. The SESSION_ID is still 0x0000. If the user
host doesn’t receive the PADS in a specific time, it will do the same as not
receiving the PADS package.
There is another package named PPPoE PADT. It can be sent at any time
when the session is created by any part of the server or the user host to
indicate the session is terminated. The PADT package doesn’t need any tags
and the code field is 0xA7 and the SESSION_ID is the session id of the PPP
12

session that needs to be terminated.
If you open software such Ethereal or Packet Sniffer when using the ADSL,
then these packets which are in the 4 steps of PPPoE Discovery can be got.
What should be noticed of the configuration in the PPPoE Discover phase is
the value of MTU (Maximum Transfer Unit). The maximum value of the
Ethernet packet is 1500bytes. But the header of PPPoE needs 8 bytes. That is
to say: when we setting the value of MTU, we have to minus the 8 bytes of the
PPPoE header. So the maximum value of MTU should be 1492 bytes and not
is 1500 bytes.
4,2,2 PPPoE session
Once each side knows the other's Ethernet address and the session
number, the PPP session can begin. This PPP session is just like the normal
PPP protocol.
This phase is also the phase when ADSL user does his login operation at
the ISP and prepares for later data transfer. In PPP phase, LCP (Link Control
Protocol) will be adopted to authenticate by negotiating the appropriate
protocol to proceed validation. LCP will also be adopted to handle some other
properties of point-to-point connection.
Figure 7: PPPoE Session Packets
In order to establish such connection, both side of the communication will
send a LCP packet to each other, which contains all possible options of
connection. A LCP Acknowledge packet will be sent back in the case that both
13

sides agree with these options. Otherwise, a LCP Nak (Not Acknowledge)
packet will be sent back if some options are not accepted and the sender will
keep waiting for the new Request packet. When the connection breaks finally,
both sides should know the broken status. So we can see the importance of a
sniffer program for the error control, because without a sniffer there is no other
way to know why and where the connection is broken.
There are two different ways to validate username and corresponding
password over PPP connection:
A) PAP Password Authentification Protocol
B) CHAP Challenge Handshake Authentification Protocol
PAP is simply sent the information of the username and password as the
plaintext in packet without encryption. Obviously, it is dangerous. Anyone
along the datalink can easily capture such critical information.
So the second way, CHAP, is securer for such sensible information. By
CHAP, sensible information such as password is not sent directly over the
connection. In stead, Server sends to Client a “Challenge” including session ID
and arbitrary challenge string; Client receives the “Challenge”, uses
one-way-hash or MD5 algorithm to encrypt its sensible information and the
received “Challenge” and sends the encrypted data back. Because Server
knows all usernames and their corresponding passwords, it can encrypt the
“challenge” and compares with the received the data. By this way, CHAP
ensures the security over peer-peer connection.
In ADSL technique, the authentication of the user login information is doing
by the RADIUS server via the B-RAS.
4,3,PPPoE Security Considerations
To prevent attack of DOS (Denial of Service),Access Device should be
able to generate a unique value according to the source address of PADR,
which can ensure the reachability of PADI and limit the count of concurrent
connections of this address. Although AC-Cookie is very useful and efficient, it
cannot prevent all attacks of DOS. Some other techniques and methods can
be used to against DOS on Access Device.
4,4,The data flower
The following sample explains the process of data transfer over PPP
connection.
Whenever a user wants to browse a normal webpage, he will input the right
URL address in the web browser like FireFox and press return. The Web
browser encapsulates all necessary information into a request packet
according to HTTP protocol and sends it. These data will normally be
14

transferred directly via TCP/IP stack and then physical layer. Now with PPPOE,
system knows that the net is connected by AC and PPP-Interface. Instead of
being sent to Ethernet Interface, these data will be sent to a virtual PPP
Interface according to PPP protocol format. The purpose of PPPoE is to
simulate a virtual PPP Interface, to encapsulate all received data with PPP
packet format from the virtual Interface into Ethernet packet format, and then
to send out all these encapsulated Ethernet data packet via the real Ethernet
network device.
Figure 8: Pseudo PPP TTY via PPPoE
4,5 The Experiment of the PPPoE
To see how the PPP protocol can work via Ethernet, and to analyze all the
packets of PPPoE, I did the flowing experiment of the PPPoE in the university.
Experimental environment: The university intranet PCs
Operation system:SUSE 9.1
Because the SUSE 9.1 has the PPPD, PPPoE and the PPPoE Server
packages, so that I must not to install them again. If we use other Linux OS,
maybe we should install such packages before.
At first I chose a PC as the PPPoE server
There are many options for the PPPoE Server, I selected the basic options.
>pppoe-server -I etho -F -N 10 noauth
And then I chose a PC to connect that PPPoE Server
>pppd pty‘ppoe -I etho’ noauth
15

At the same time I turn on the Ethereal, and I can catch all the packets of
PPPoE under Ethereal.
If there are many PPPoE Server in the intranet, we can use the useful option:
Server name of the PPPoE Server
>pppoe-server -I etho –N 10 – S servername noauth
>pppd pty‘ppoe -I etho -S servername’ noauth
For the authentication of the PPPoE connection, that is just like in normal
PPP connection.
Figure 9: PPPoE packets in Ethereal
5 RADIUS
PPP can authenticate the user name and password, but many Tele companies
have more than one AC (Access Concentrator) or B-RAS and they also
provide several different services. So it is necessary to maintain a
corresponding login record for each user to each ISP. The RADIUS is a
solution for that. In stead of the PPP protocol work in the network layer of OSI
model, the RADIUS protocol work in the application layer.
5,1 Introduce
16

RADIUS (Remote Authentication Dialin User Service Protocol) implements
centralized authentication, authorization, and accounting for remote dial-up
users in Client/Server mode. A RADIUS Client is typically a Network Access
Server (NAS) and it passes user information to RADIUS Server. The RADIUS
Server authenticates and authorizes the request from RADIUS Client, and
sends back the configuration information of the user. To ensure the security of
data transmission, all data between Client and Server are encrypted by MD5.
There are two different types of communication: Access Request and
Accounting Request.
RADIUS bases on UDP protocol and all RADIUS messages are sent and
received as UDP packets. Authentication Service listens to port 1812 and
Accounting Service listens to port 1813. RADIUS message consists of data
fields as Code, ID, Length, Authenticator and Attributes.
The login record data from user contains the username and password.
Furthermore, some other user information such as surfing time and fee should
also be stored in somewhere. That all of these different kinds of information
should be kept in databases makes it a real challenge to manage. A good
solution is to use central DBMS. So that RADIUS is the solution that widely
used in ADSL systems. RADIUS has two different kinds of databases: one is
for authentication with username and password information. The other is used
to store some other information as time and fee. By this way, RADIUS system
accesses the second database for user’s corresponding data after passing the
authentication.
Client is B-RAS. When establishing a PPP connection, the task of
authentication is passed to RADIUS Server instead of previously local
database. RADIUS Server will perform authentication by checking whether the
given password matches the stored password or not. The B-RAS now takes
over and carries the later actions according to the result of authentication
5,1 Operations
The type of packet is specified by the first byte of the packet.
1) Access-Request
This request is send by a RADIUS Client to Server when requesting
authentication and authorization for a network access connection attempt. The
request consists of username, password and NAS_Port and so on. Server will
check for the corresponding record. When the given data match the stored
data, Access-Accept response packet will be returned, otherwise
Access-Reject.
2) Access-Accept
As mentioned, Server will return Client the Access-Accept response when
the given data are all right, which means that the connection attempt is
17

authenticated and authorized. Some configuration parameters are returned in
the same response packet.
3) Access-Reject
Opposite to Access-Accept, Access-Reject is sent by Server to Client as
the response to failed authentication and authorization, which means that the
connection attempt is rejected.
4) Accounting-Request
This request is Send by the RADIUS Client to specify accounting
information for an accepted connection. There are two kinds of situations. One
is to inform Server to begin accounting when the connection passes
authentication and authorization successfully. The other situation is to inform
Server to stop accounting when the connection is broken. All of these
information are stored for future usage.
5) Accounting-Response
This response is Send by the RADIUS server in response to the
Accounting-Request message which informs the RADIUS Client the
successful receipt and processing of the Accounting-Request message.
5,3 RADIUS Security Considerations
RADIUS actually doesn't send the password via internet. Instead, it
generates a 128 bit random number (termed the "Request Authenticator"),
appends the "shared secret" (the RADIUS password) to the number, and runs
a one-way hash function or MD5 over it. It then takes this number and XORs
the entered password against it, and sticks this in the "Password" attribute of
an "Access-Request" packet.
Because that RADIUS clients stick the random number into the packet, as
the "Authenticator" field of the RADIUS packet, so that if an intruder already
knows the password that the NAS is trying to clear with the RADIUS server,
and the intruder can intercept the Access-Request packet sent by the NAS to
the RADIUS server, the intruder has enough information to launch a dictionary
attack against the RADIUS shared secret.
The other kind of attack is that a remote user can flood a NAS with PPP
requests that contain an invalid password, causing the NAS to turn around and
send an Access-Request to the RADIUS server. While the flooding attack is in
progress, it is reported that the RADIUS will lock up. When the attack stops,
the server reportedly will resume normal operation.
18

6 Reference
R. Stevens, TCP/IP Illustrated Vol. 1
[RFC-2516 ] PPP over Ethernet (PPPoE)
[RFC-1661 ] The Point-to-Point-Protocol (PPP)
[RFC-1334 ] Password Authenti_cation Protocol (PAP)
[RFC-1994 ] Challenge Handshake Authenti_cation Protocol (CHAP)
[RFC-2139 ] RADIUS Accounting
[RFC-2865 ] Remote Authentication Dial In User Service (RADIUS)
http://www.adslguide.org.uk/howitworks/authentication.asp
http://homepage.interaccess.com/~jkristof/xdsl-faq.txt
http://www.ks.uni-freiburg.de/download/inetworkSS04/pdf/inetwork04-11.pdf
http://www.webopedia.com/TERM/R/RADIUS.html
http://www.riverstonenet.com/solutions/802.1x.shtml
19