RSA RADIUS Server 6.1 Administrator’s Guide

About RSA RADIUS Server


Tunneled Accounting

During authentication, a user is typically identified by attributes such as
User-Name (in the Access-Request) and Class (in the Access-Accept response).
Standard RADIUS Accounting-Request messages typically carry these same
attributes for Start, Interim-Update, and Stop events, so that the user's
identity can be recorded for accounting and auditing purposes.

When an organization uses a tunneled authentication protocol such as
EAP/TTLS or EAP/PEAP, the identity of the user requesting authentication may
be concealed from the RAS (remote access server) or AP (access point): the
User-Name attribute carried by the outer authentication protocol is typically
a nonunique value such as anonymous. As a result, the outer User-Name value
that the RAS echoes in its accounting requests may not be sufficient to
determine the user's identity. Nor can the Class attributes supplied by an
authentication server be included in cleartext in the outer Access-Accept
message, because they may contain clues about the user's identity and would
thereby defeat the identity-hiding feature of the tunneled protocol.

Tunneled accounting enables RSA RADIUS Server to pass user identity
information to accounting processes without exposing user identities to a RAS
or AP that should not see them. When tunneled accounting is enabled, the inner
RADIUS attributes are encrypted and encapsulated in a Class attribute. If the
encapsulated data exceeds the maximum attribute payload size (253 octets,
because the one-octet RADIUS Length field also covers the two-octet attribute
header), RSA RADIUS Server returns more than one Class attribute for the user,
each of which the RAS or AP echoes in its accounting requests.

Tunneled accounting works as follows:

1. The RSA RADIUS Server acting as the tunnel endpoint for EAP/TTLS or
   EAP/PEAP encrypts the user's inner User-Name and Class attributes when it
   authenticates the user.

2. The server returns the encrypted information to the RAS or AP encapsulated
   in a Class attribute in the outer Access-Accept message. The RAS or AP
   associates this encapsulated identity attribute with the user and echoes it
   whenever it generates an Accounting-Request for the user.

3. When the RSA RADIUS Server receives an Accounting-Request from a RAS or
   AP, the server scans the request for an encapsulated identity attribute.

4. If the server finds an encapsulated identity attribute, it decapsulates and
   decrypts it to reconstitute the original inner User-Name and Class
   attributes.

5. The server substitutes the decrypted attributes for the outer ones
   returned by the RAS or AP before passing the request to accounting.
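The five steps above, modelled end to end as an added example. This is not RSA's code and the page does not document the product's real cipher or wire framing, so everything below the RFC 2865 constants is an assumption: the MAGIC marker and seq/total header used to recognise and reassemble encapsulated Class values, the inner TLV encoding, and the stand-in cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library). The example also covers the two cases a practitioner cares about: an identity that exceeds 253 octets and so spans two Class attributes, which must reassemble correctly even when the RAS echoes them out of order, and a tampered or incomplete set of Class values, which must be rejected rather than substituted.

```python
"""Illustrative model of tunneled accounting (added example, not RSA code).

Assumed framing of each outer Class value: MAGIC(2) || seq(1) || total(1) || chunk.
The chunks, joined in seq order, form nonce(16) || ciphertext || HMAC tag(32);
the plaintext is a TLV list (type, len, value) of the inner attributes.
Cipher and framing are assumptions; the page does not describe the real ones.
"""
import hashlib
import hmac
import os
import struct

ATTR_USER_NAME = 1        # RFC 2865 attribute types
ATTR_CLASS = 25
ATTR_MAX_VALUE = 253      # one-octet Length covers the 2-octet header: 255 - 2
MAGIC = b"\xd2\xa1"       # hypothetical marker for an encapsulated identity
HEADER = len(MAGIC) + 2   # MAGIC || seq || total
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, n):
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:n])

def seal(key, plaintext, nonce=None):
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("encapsulated identity too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):      # rejects forged or reordered chunks
        raise ValueError("encapsulated identity failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def encode_tlv(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > ATTR_MAX_VALUE:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([t, len(v)]) + v
    return out

def decode_tlv(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated inner attribute")
        t, n = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + 2 + n]))
        i += 2 + n
    return attrs

def is_encapsulated(class_value):
    return class_value.startswith(MAGIC) and len(class_value) >= HEADER

def encapsulate(key, inner_attrs):
    """Steps 1-2: encrypt the inner attributes, split into Class values <= 253 octets."""
    blob = seal(key, encode_tlv(inner_attrs))
    chunk = ATTR_MAX_VALUE - HEADER
    pieces = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return [MAGIC + bytes([seq, len(pieces)]) + p for seq, p in enumerate(pieces)]

def decapsulate(key, class_values):
    """Steps 3-4: find encapsulated Class values, reassemble in seq order, decrypt."""
    parts = {v[2]: (v[3], v[HEADER:]) for v in class_values if is_encapsulated(v)}
    if not parts:
        return None                              # plain accounting request
    total = next(iter(parts.values()))[0]
    if sorted(parts) != list(range(total)):
        raise ValueError("incomplete encapsulated identity")
    return decode_tlv(unseal(key, b"".join(parts[i][1] for i in range(total))))

def rewrite_accounting(key, attrs):
    """Step 5: replace the outer User-Name and encapsulated Class values with the inner ones."""
    inner = decapsulate(key, [v for t, v in attrs if t == ATTR_CLASS])
    if inner is None:
        return list(attrs)
    kept = [(t, v) for t, v in attrs
            if t != ATTR_USER_NAME and not (t == ATTR_CLASS and is_encapsulated(v))]
    return kept + inner
```

A constructed inner identity of `alice@example.com` plus a 200-octet Class value produces a 269-octet sealed blob, which `encapsulate` splits into two Class attributes (253 and 24 octets). `rewrite_accounting` then turns an Accounting-Request carrying `User-Name = anonymous` and those two Class values, in either order, into one carrying the inner User-Name and Class; a flipped byte in either chunk, or a missing chunk, raises instead of silently substituting a wrong identity.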
