Network Access Server Requirements              David Mitton
Internet Draft                                  Bay Networks
Expires February 1999                           August 1998



        Network Access Server Requirements Next Generation (NASREQNG)
                        Operational Model
                <draft-mitton-nasreqng-model-00.txt>


Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups.  Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim),
ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

This document is a draft submission to the proposed Network-Access-
Server Requirements Next Generation (NASREQNG) Working Group of the
Internet Engineering Task Force (IETF).  Comments should be submitted
to the mailing list nasreqng@tdmx.rutgers.edu.

Abstract

This document describes the terminology and an operational model of a
typical Network Access Server (NAS).  The purpose of this effort is
to set the reference space for describing and evaluating NAS service
protocols, such as RADIUS (RFC 2138, 2139) and follow-on efforts like
Diameter (draft-calhoun-diameter-04.txt).  These are protocols for
carrying authentication, authorization, and user configuration
information between a Network Access Server, which wishes to
authenticate its calls, and a shared Authentication Server.

Scope

The purpose of this document is to describe a model for evaluating NAS
service protocols, and several tradeoffs are made in doing so.  It
mentions examples of typical NAS hardware and software features, but
these are illustrative of the point under discussion and are not hard
limits of the model.  An important goal of the model is to allow
further development and expansion of NAS capabilities.

As with most IETF projects, the focus is on standardizing the protocol
interaction between the components of the system.  The documents
produced will not address the following areas:

     -    AAA server back-end implementation is abstracted and not
       prescribed.  The actual organization of the data in the server,
       its interfaces, and its capabilities are left to the
       implementation.
     -    NAS front-end call technology is not constrained; alternate and
       new technologies will be accommodated.  The resultant protocol
       specifications must be flexible in design to allow new
       technologies and services to be added with minimal impact on
       existing implementations.


Specific Terminology

The following terms are used in this document in this manner:
     -    Call - the arrival of a telephone call, or initiation of a
       network service request
     -    Session - the provided service to a specific authorized user


Network Access System Equipment Assumptions

A typical hardware-based NAS is implemented in a constrained system.
It is important that the NAS protocols don't assume unlimited
resources on the part of the platform.  The following are typical
constraints:

-    A computer system of minimal to moderate performance
  (example processors: Intel 386 or 486, Motorola 68000)
-    A moderate, but not large, amount of RAM (typically 1MB to 8MB,
  varying with the number of supported ports)
-    Some small amount of non-volatile memory, and/or a way to be
  configured out-of-band
-    No assumption of a local file system or disk storage

A NAS system may consist of a system of interconnected specialized
processor units.  Typically these are circuit boards (or blades)
arrayed in a card cage (or chassis) and referred to by their
position (i.e. slot number).  The interconnection methods are
typically proprietary and will not be addressed here.

A NAS is sometimes referred to as a Remote Access Server (RAS) as it
typically allows remote access to a network.  However, a more general
picture is that of an "Edge Server", where the NAS sits on the edge of
a network of some type, and allows dynamic access to it.

Such systems typically have:
-    At least one LAN or high performance network interface (e.g.
  Ethernet, ATM, FR)
-    At least one, but typically many, serial interface ports, which
  could:
  -    be serial RS232 ports, direct wired or wired to a modem, or
  -    have integral hardware or software modems (V.22bis, V.32, V.34,
     x2, K56flex, V.90, etc.), or
  -    have direct connections to telephone network digital WAN lines
     (ISDN, T1, T3, NFAS, or SS7)

However, a system may perform some of the functions of a NAS without
having these kinds of hardware characteristics.  An example would be an
industry-standard personal computer server with several modem line
connections.  These lines are managed like a dedicated NAS, but the
system itself is a general file server.  Likewise, with the
development of tunneling protocols, tunnel server systems must behave
like a "virtual" NAS, where the calls come from network tunneled
sessions and not hardware ports.


NAS Services:

The core of what a NAS provides is dynamic network services.  What
distinguishes a NAS from a typical routing system is that these
services are provided on a per-user basis, and accounted for.  This
accounting may lead to policies and controls that limit usage to
appropriate levels based on the availability of network bandwidth, or
on service agreements between the user and the provider.

Typical services include:
     -    dial-up or direct-access serial line access; ability to access
       the network using the public telephone network.
     -    dial-out connections; ability to cause the NAS to initiate a
       connection over the public telephone network, typically based on the
       arrival of traffic for a specific network system.
     -    callback (NAS generates call to caller); ability to cause the NAS
       to reverse or initiate a network connection based on the arrival of a
       dial-in call.
     -    asynchronous terminal services (Telnet, Rlogin, LAT, others);
       the NAS implements the network protocol on behalf of the caller, and
       presents a terminal interface.
     -    network access (SLIP, PPP, IPX, NETBEUI, ARAP); the NAS allows
       the caller to access the network directly.
     -    tunneling (from access connection to remote server); the NAS
       transports the caller's network packets over the Internet to a remote
       server using an encapsulation protocol.


Authentication, Authorization and Accounting (AAA) Servers

Because of the need to authenticate and account, and for practical
reasons of implementation, NAS systems have come to depend on external
server systems to implement authentication databases and accounting
recording.

By separating these functions from the NAS equipment, they can be
implemented in general purpose computer systems that may provide
better suited long term storage media and more sophisticated database
software infrastructures.  A centralized server also allows the
coordinated administration of many NAS systems as appropriate (for
example, a server may service an entire POP).

For ease of management, there is a strong desire to piggyback NAS
authentication information with other authentication databases, so
that authentication information can be managed for several services
(such as OS shell login, or Web Server access) from the same provider,
without creating separate passwords and accounts for the user.

Session activity information is stored and processed to produce
accounting usage records.  This is typically done with a long-term
(nightly, weekly or monthly) batch process.

However, as network operations grow in sophistication, there are
requirements to provide real-time monitoring of port and user status,
so that the state information can be used to implement policy
decisions and the ability to possibly terminate access for
administrative reasons.  Typically only the NAS knows the true state
of a session.


Typical NAS Operation Sequence:

The following details a typical NAS operational sequence:
     -    Call arrival on port or network
       -    Port:
          -    auto-detect (or not) type of call
          -    CLI/SLIP: prompt for username and password  (if security set)
          -    PPP: engage LCP, Authentication
          -    Request authentication from AAA server
          -    if okay, proceed to service
          -    may challenge
          -    may ask for password change/update
       -    Network:
          -    activate internal protocol server (telnet, ftp)
          -    engage protocol's authentication technique
          -    confirm authentication information with AAA server

     - Call Management Services
       -    Information from the telephone system arrives indicating that a
          call has been placed
       -    The AAA server is consulted using the information supplied by the
          telephone system (typically Called or Calling number information)
       -    The server indicates whether to respond to the call by answering
          it, or by returning a busy to the caller.
       -    The server may also need to allocate a port to receive a call,
          and route it accordingly.

     -    Dial-out
       -    packet destination matches outbound route pre-configured
       -    find profile information to setup call
       -    Request information from AAA server for call details

     -    VPN/Tunneling (mandatory)
       -    authentication server identifies user as remote
       -    tunnel protocol is invoked to a remote server
       -    authentication information may be forwarded to remote AAA server
       -    if successful, the local link is given a remote identity

     -    Multi-link aggregation
       -    after a new call is authenticated by the AAA server, if MP
          options are present, then other bundles with the same identifying
          information are searched for
       -    bundle searches are performed across multiple systems
       -    calls that match on authentication and originator identity are
          joined as one network addressable data source with a single
          network IP address

     -    Hardwired (non-interactive) services
       -    permanent WAN connections (FR)
       -    permanent serial connections (printers)


Characteristics of systems and sessions:

     Sessions must have a user identifier and authenticator to
     complete the authentication process.
     Accounting starts from the time of the call or service, though
     finer detail is allowed.
     At the end of service, the call may be disconnected or allowed to
     re-authenticate.

     Some systems allow decisions on call handling to be made on
     telephone system information provided before the call is answered
     (e.g. caller id or destination number).
     In such systems, calls may be busied-out or not answered if
     system resources are not ready or available.

     Authorization to run services is supplied and applied after
     authentication.
     A NAS may abort a call if session authorization information
     disagrees with call characteristics.
     Some system resources may be controlled by server driven policies.

     Accounting messages are sent to the accounting server when
     service begins and when it ends.
     Accounting is not a real-time service; the NAS may queue and
     batch-send event records.



Separation of NAS and AAA server functions

As a distributed system, there is a separation of roles between the
NAS and the server:

     -    Server provides authentication services; checks passwords (static
       or dynamic)
     -    Server databases may be organized in any way (only the protocol
       is specified)
     -    Server may use external systems to authenticate (including OS
       user dbs, token cards, one-time-lists, proxy or other means)
     -    Server provides authorization information to NAS
     -    The process of providing a service may lead to requests for
       additional information
     -    Service authorization may require real-time enforcement
       (services may be based on Time of Day, or variable cost debits)
     -    Session accounting information is tallied by the NAS and reported
       to server
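
The division of labor above is what RADIUS (RFC 2138 and RFC 2139,
cited in the Abstract) implements on the wire: the NAS hides the user
password under the shared secret, the server proves it holds the same
secret by signing its reply, and the NAS signs the accounting records
it reports.  The following is an added example, written for this
document and not code from the draft or any NAS product; the shared
secret, user name, addresses and session identifier in it are
constructed test values.

```python
"""RADIUS (RFC 2138 / RFC 2139) exchange between a NAS and an AAA server:
User-Password hiding, Response Authenticator verification, and the
Accounting-Request authenticator.  Added example, not code from the draft;
the shared secret, user name, addresses and session id are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 8, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-octet header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not encryption: anyone
    holding (or guessing) the secret recovers the password from a capture."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password: same keystream, chained on ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, request_auth=None):
    """NAS -> server.  The 16-octet Request Authenticator must be fresh and
    unpredictable per request: reusing it reuses the password keystream."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))   # constructed NAS address
             + attr(NAS_PORT, struct.pack("!I", 3)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server -> NAS.  ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side: the reply must carry the identifier of the outstanding request
    and an authenticator computed with the secret; anything else is dropped,
    so an Access-Accept cannot be forged by a host that lacks the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def build_accounting_request(ident, secret, username, session_id, status):
    """RFC 2139 section 3: the Request Authenticator is MD5 over the packet
    with 16 zero octets in the authenticator field, followed by the secret."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(USER_NAME, username) + attr(ACCT_SESSION_ID, session_id))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest() + attrs


def verify_accounting_request(packet, secret) -> bool:
    """Server side of build_accounting_request; also rejects truncated packets."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

The whole exchange rests on two things the NAS controls: the strength
and secrecy of the shared secret, and a Request Authenticator that is
different for every request.  A NAS that reuses authenticators leaks
the password keystream, and a NAS that accepts replies without
checking the Response Authenticator will take an Access-Accept from
anyone who can reach it.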



Administrative features and Management

The system may have other operational services that are used to run
and control the NAS.  Some users that have "Administrative" privileges
may have access to system configuration tools, or services that affect
the operation and configuration of the system (e.g. loading boot
images, internal file system access, etc.).  Access to these
facilities may be authenticated by the AAA server (provided it is
configured and reachable!) and levels of access authorization may be
provided.

The NAS system is presumed to have a method of configuration that
allows it to know its identity and network parameters at boot time.
Likewise, this configuration information is typically managed using
the standard management protocols (e.g. SNMP).   This will include the
configuration of the parameters necessary to contact the AAA server
itself.   The purpose of the AAA server is not to provide network
management for the NAS, but to authorize and characterize the
individual services for the users.  Therefore any feature that can be
user specific is open to supply from the AAA server.


Authentication Methods

A NAS system typically supports a number of authentication systems.
For async terminal users, these may be as simple as a prompt and input.
For network datalink users, such as PPP, several different
authentication methods will be supported (PAP, CHAP, MS-CHAP).  Some
of these may actually be protocols in and of themselves (EAP,
Kerberos).

Additionally, the content of the authentication exchanges may not be
straightforward.  Hard token card systems, such as SafeWord and
SecurID, may generate one-time passphrases that must be validated
against a proprietary server.  In the case of multi-link support, it
may be necessary to carry a session token or certificate for later
links that could not generate the same authentication information.

In the cases of VPN and mandatory tunneling services, typically a
username is presented that is parsed into a destination network
identifier.  The authentication information may not be validated
locally, but at the remote end of the tunnel service.
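
The parsing step matters because the destination identifier decides
which server receives the user's credentials.  The following added
example (not from the draft) shows one way a NAS can split a presented
username into a user part and a destination network identifier and
then decide whether to validate locally, forward to the realm's remote
AAA server, or refuse.  The "user@realm" form, the realm tables and the
server names are assumptions made for the example.

```python
"""Added example, not part of the draft: split a presented user name into a
user part and a destination network identifier, then route the
authentication exchange.  The "user@realm" form and both tables are
assumptions for illustration."""

LOCAL_REALMS = {"", "isp.example"}          # assumed: realms this NAS validates itself
TUNNEL_REALMS = {                            # assumed: realm -> remote AAA / tunnel endpoint
    "corp.example": "aaa.corp.example",
    "partner.example": "radius.partner.example",
}


def parse_user_name(name: str):
    """Return (user, realm).  The realm is whatever follows the LAST '@'
    (so "a@b@corp.example" routes on corp.example), lower-cased for table
    lookup; the user part is passed through untouched because the remote
    server, not this NAS, owns its meaning.  Control characters and an
    empty user part are rejected here rather than forwarded."""
    if not name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("user name is empty or contains control characters")
    user, sep, realm = name.rpartition("@")
    if not sep:                      # no '@': rpartition leaves everything in realm
        user, realm = realm, ""
    if not user:
        raise ValueError("empty user part")
    return user, realm.lower()


def route_call(name: str):
    """("local", None) when this NAS validates the credentials, ("forward",
    server) when they go to the remote end of the tunnel service, or
    ("reject", reason).  Unknown realms are refused rather than defaulted to
    local, so a caller cannot choose a server by typing an arbitrary suffix."""
    try:
        user, realm = parse_user_name(name)
    except ValueError as err:
        return ("reject", str(err))
    if realm in LOCAL_REALMS:
        return ("local", None)
    if realm in TUNNEL_REALMS:
        return ("forward", TUNNEL_REALMS[realm])
    return ("reject", "unknown realm %r" % realm)
```

Default-deny on unknown realms is the point of the example: a table
lookup, not the caller's input, selects where the password or
challenge response is sent.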


Session Authorization Information

Once a user has been authenticated, there are a number of individual
bits of information that the network management may wish to configure
and authorize for the given user or class of users.

Typical examples include:

     For async terminal users:
     -    banners
     -    custom prompts
     -    menus
     -    CLI macros - which could be used for: shortcuts, compound
       commands, restrictive scripts

     For network users:
     -    addresses, and routes
     -    callback instructions
     -    packet and activity filters
     -    host server addresses

Some services may require dynamic allocation of resources.
Information about the resources required may not be known during the
authentication phase; it may come up later (e.g. IP addresses for
multi-link bundles).  It is also possible that the authorization will
change over the lifetime of the session.  To provide these, there has
to be a division of responsibility between the NAS and the AAA server,
or cooperation using a stateful service.

Such services include:

     -    IP Address management
     -    Concurrent login limitations
     -    Tunnel usage limitations
     -    Real-time account expirations
     -    Call management policies

In the process of resolving resource information, it may be required
that a certain level of service be supplied, and if not available, the
request refused, or corrective action taken.


References:

[1] Rigney, et al., "Remote Authentication Dial In User Service
(RADIUS)", RFC 2138, April 1997

[2] Rigney, et al., "RADIUS Accounting", RFC 2139, April 1997

[3] Aboba, Zorn, "Implementation of PPTP/L2TP Compulsory Tunneling via
RADIUS", draft-ietf-radius-tunnel-imp-03.txt, July 1997

[4] Calhoun, et al., "Extensible Authentication Protocol Support in
RADIUS", draft-ietf-radius-eap-02.txt, May 1997

[5] Aboba, Zorn, "Dialup Roaming Requirements",
draft-ietf-roamops-roamreq-05.txt, July 1997

[6] Zorn, "Yet Another Authentication Protocol (YAAP)",
draft-zorn-yaap-01.txt, 30 June 1996

[7] Calhoun, "Diameter Base Protocol", draft-calhoun-diameter-04.txt,
July 1998


Author's Information:

     David Mitton
     Bay Networks
     Access Division
     8 Federal St. BL8-05
     Billerica, MA 01821

     Phone: 978-916-4570
     Fax: 978-916-4789

     mailto: dmitton@baynetworks.com



     Appendix - Acronyms and Glossary:

     AAA - Authentication, Authorization, Accounting, The three
     primary services required by a NAS server or protocol.
     NAS - Network Access Server, a system that provides access to a
     network.
     CLI - Command Line Interface, an interface to a command line
     service for use with an common asynchronous terminal facility.
     SLIP - Serial Line Internet Protocol, an IP-only predecessor to
     PPP
     IPX - Novell’s NetWare transport protocol
     NETBEUI - A Microsoft/IBM LAN protocol supported by Microsoft
     file services
     ARAP - AppleTalk Remote Access Protocol
     LAT - Local Area Transport, a Digital Equipment LAN protocol for
     terminal services
     VPN - Virtual Private Network, a term for networks that appear to
     be private to the user by the use of tunneling techniques.
     FR - Frame Relay, a synchronous WAN protocol and telephone
     network interconnect service.
     ISDN - Integrated Services Digital Network, a telephone network
     facility for transmitting digital and analog information over a
     digital network connection.  A NAS may have the ability to
     receive the information from the telephone network in digital
     form.
     BRI - Basic Rate Interface, an ISDN interface providing two 64
     kbps bearer channels and one 16 kbps signaling channel (2B+D).
     PRI - Primary Rate Interface, an ISDN interface providing a group
     of 64 kbps bearer channels plus one signaling channel over a T1
     (23B+D) or E1 (30B+D) line.
     T1 - A 1.544 Mbps digital telephone interface which provides 24
     channels of 64 kbps; as ISDN PRI, 23 bearer channels and one
     signaling channel.  The European E1 equivalent provides 30 bearer
     channels and one signaling channel at 2.048 Mbps.
     T3 - A digital telephone interface which provides 28 T1 services.
     Control for the entire connection is provided on a single
     channel.
     NFAS - Non-Facility Associated Signaling, a telephone network
     protocol/service for providing call information on a separate
     wire connection from the call itself.  Used with multiple T1 or
     T3 connections.
     SS7 - A telephone network protocol for communicating call
     information on a separate data network from the voice network.
     POP - Point Of Presence, a geographic location of equipment and
     interconnection to the network.  An ISP typically manages all
     equipment in a single POP in a similar manner.