Radius Accounting; Overview; Radius Accounting Messages - D-Link NetDefend DFL-210 User Manual

2.3. RADIUS Accounting

2.3. RADIUS Accounting

2.3.1. Overview

Within a network environment containing large numbers of users, it is advantageous to have one or
a cluster of central servers that maintain user account information and are responsible for authentica-
tion and authorization tasks. The central database residing on the dedicated server(s) contains all
user credentials as well as details of connections, significantly reducing administration complexity.
The Remote Authentication Dial-in User Service (RADIUS) is an Authentication, Authorization and
Accounting (AAA) protocol widely used to implement this approach and is used by NetDefendOS
to implement user accounting.
The RADIUS protocol is based on a client/server architecture. The D-Link Firewall acts as the client
of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS termino-
logy the firewall acts as the Network Access Server (NAS). For user authentication, the RADIUS
server receives the requests, verifies the user's information by consulting its database, and returns
either an "ACCEPT" or "REJECT" decision to the requested client. In RFC2866, RADIUS was ex-
tended to handle the delivery of accounting information and this is the standard followed by NetDe-
fendOS for user accounting. The benefits of having centralized servers are thus extended to user
connection accounting. (For details of the usage of RADIUS for NetDefendOS authentication see
Section 8.2, "Authentication Components").

2.3.2. RADIUS Accounting messages

Statistics, such as number of bytes sent and received, and number of packets sent and received are
updated and stored throughout RADIUS sessions. All statistics are updated for an authenticated user
whenever a connection related to an authenticated user is closed.
When a new client session is started by a user establishing a new connection through the D-Link
Firewall, NetDefendOS sends an AccountingRequest START message to a nominated RADIUS
server, to record the start of the new session. User account information is also delivered to the RA-
DIUS server. The server will send back an AccountingResponse message to NetDefendOS, acknow-
ledging that the message has been received. The diagram below illustrates the message interaction.
When a user is no longer authenticated, for example, after the user logs out or the session time ex-
pires, an AccountingRequest STOP message is sent by NetDefendOS containing the relevant ses-
sion statistics. The information included in these statistics is user configurable. The contents of the
START and STOP messages are described in detail below:
START Message Parameters
Parameters included in START messages sent by NetDefendOS are:
• Type - Marks this AccountingRequest as signaling the beginning of the service (START).
• ID - A unique identifier to enable matching of an AccountingRequest with Acct-Status-Type set
to STOP.
• User Name - The user name of the authenticated user.
• NAS IP Address - The IP address of the D-Link Firewall.
• NAS Port - The port of the NAS on which the user was authenticated (this is a physical port and
not a TCP or UDP port).
• User IP Address - The IP address of the authenticated user. This is sent only if specified on the
authentication server.
• How Authenticated - How the user was authenticated. This is set to either RADIUS if the user
Chapter 2. Operations and Maintenance
24