Radius accounting, Overview, Radius accounting messages – Amer Networks E5Web GUI User Manual

2.3. RADIUS Accounting

2.3.1. Overview

The Central Database Approach

Within a network environment containing large numbers of users, it is advantageous to have one
or a cluster of central servers that maintain user account information and are responsible for
authentication and authorization tasks. The central database residing on such dedicated servers
contains all user credentials as well as details of connections. This significantly reducing
administration complexity.

The Remote Authentication Dial-in User Service (RADIUS) is an Authentication, Authorization and
Accounting (AAA) protocol widely used to implement this central database approach and is used
by cOS Core to implement user accounting.

RADIUS Architecture

The RADIUS protocol is based on a client/server architecture. The Clavister Security Gateway acts
as the client of the RADIUS server, creating and sending requests to a dedicated server(s). In
RADIUS terminology the security gateway acts as the Network Access Server (NAS).

For user authentication, the RADIUS server receives the requests, verifies the user's information
by consulting its database, and returns either an "accept" or "reject" reply to the requesting
client.

With the RFC 2866 standard, RADIUS was extended to handle the delivery of accounting
information and this is the standard followed by cOS Core for user accounting. In this way, all the
benefits of centralized servers are thus extended to user connection accounting.

The usage of RADIUS for cOS Core authentication is discussed in Section 8.2, “Authentication
Setup”.

2.3.2. RADIUS Accounting Messages

Message Generation

Statistics, such as number of bytes sent and received, and number of packets sent and received
are updated and stored throughout RADIUS sessions. All statistics are updated for an
authenticated user whenever a connection related to an authenticated user is closed.

When a new client session is started by a user establishing a new connection through the
Clavister Security Gateway, cOS Core sends an AccountingRequest START message to a
nominated RADIUS server, to record the start of the new session. User account information is also
delivered to the RADIUS server. The server will send back an AccountingResponse message to cOS
Core, acknowledging that the message has been received.

When a user is no longer authenticated, for example, after the user logs out or the session time
expires, an AccountingRequest STOP message is sent by cOS Core containing the relevant session
statistics. The information included in these statistics is user configurable. The contents of the
START and STOP messages are described in detail below:

START Message Parameters

Chapter 2: Management and Maintenance

82