- MVE Technical Blog - (index page)
Wm Magill - June 20, 2018
The field of Computer Networking is extensive, complex, pervasive, hidden and largely unknown to the general population.
It is part of the "infrastructure" just like water-mains, electric lines and streets and highways.
Therefore, this series of technical notes covers a lot of material that is likely not part of your everyday conversation if you are not "in the business", but which impacts your use of "the net" every day. And, just to throw some more gasoline on the fire, how you use the net is also changing every day as these technologies change!
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on port 1812 that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards.
The RADIUS protocol is often used by Internet service providers (ISPs) and enterprises, such as MVE, to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, digital Subscriber line (DSL), access points, virtual private networks (VPNs), network ports, web servers, etc.
The Beginnings and History of RADIUS can be read in this paper. (PDF)
Authentication, Authorization, and Accounting
The AAA protocol, "Authentication, Authorization and Accounting", is an access control, policy enforcement and auditing framework for computing systems.
Authentication - The mechanism by which you demonstrate who you really are (a person, a device, or a software process).
As we have enlarged our circle of friends, the idea that you can be known -- with confidence -- by someone with whom you are not in constant daily contact has given rise to many different systems for authenticating your identity.
The concept of "authentication" is relevant to many aspects of everyday life, from art, antiques and anthropology to Banking and Computer Networking.
Many times, in today's Western World and especially here in the Masonic Village at Elizabethtown, authentication is taken for granted or ignored. There are so many different mechanisms for authentication, which have been around for so long, that they are simply accepted as part of everyday life:
In Freemasonry, the use of a sign, password, and counter sign are well established as the means to identify a Brother.
In Walmart, your VISA or MasterCard establishes your right to "charge" your purchases.
You are rarely confronted by an armed guard demanding, "Show me your papers!" But that is why Employees of the Masonic Village have their MV ID cards on display. . . so that you know they are actually an employee - not just some stranger walking in off the street, "pretending."
When you present your MV Photo ID card to Dining Services, you are stating that you are a Resident (Authentication) and eligible to eat in the MV Restaurant (Authorization). "Swiping your card" provides Dining Services with the mechanism to charge you for your meal, while at the same time, providing management a mechanism of tallying the number of diners being served at each meal (Accounting).
In the context of computer networking one normally authenticates one's device by the use of a Userid and a Password.
In the name of Ease of Use or User Friendliness, that Userid and Password is frequently remembered by your device and supplied automatically for you in response to Authentication requests, so that you do not have to do the work.
Two Factor Authentication - (Multi-factor authentication)
At present, MVnet does NOT use Multi-factor Authentication.
Today, many computer related authentications have moved to two-factor-authentication. Two-factor authentication is an extra layer of security for your userid designed to ensure that you're the only person who can access your account, even if someone knows your password, and requires a whole separate article of its own to explain in detail. You may find that your bank or financial instution uses this method. Many on-line services such as Apple's iCloud, Google's Cloud services, Amazon Web Services, Discord, Bilzzard's Battle-net and PayPal use two factor authentication.
Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something they and only they know), possession (something they and only they have), and inherent (something they and only they are).
A typical situation involves something the user knows (Password) and a second factor. An example of a second factor is the user repeating back something that was sent to them through an out-of-band mechanism (i.e. different from the communications channel where the authentication is taking place) - typically a Text Message sent to their prerviously identified Cell Phone. Or the second step might be a 6 digit number generated by an application or device (a token or keyfob) that is common to the user and the authentication system.
Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming a user's claimed identity by utilizing a combination of two different factors, typically:: 1) something they know, 2) something they have.
A good example of two-factor authentication is the withdrawing of money from a ATM; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out.
Authorization - The process that determines what an authenticated client is allowed to do on the network.
Once you have authenticated yourself to the network, the next step is to determine what network resources you are authorized to utilize.
If you consider your Pennsylvania Drivers License -- it may or may not contain an "Endorsement." That endorsement might allow (authorize) you to operate a motorcycle or to drive a truck. Or you may have a Commercial Driver's License (CDL) which allows you to drive vehicles such as busses for hire. And if you want to drive a school bus, that requires yet another authorization!
In the context of MVnet, Authorization means you have signed up and authorized Masonic Village to bill you for using the network.
When you signed up for The Masonic Village's "Triple-play" communications package, which includes MVnet, you received your MVnet Userid and Password, and that information was recorded in the MVnet RADIUS database.
Authorization is accomplished by way of submitting your Userid and Password to the RADIUS processor's database.
This same Userid and Password can be associated with the ability to access certain files or databases. That information can all be maintained in the RADIUS authentication database. This is a primary mechanism used by enterprises (such as MVE) for controlling access to their many and varied computing resources.
A typical use of authorization is to control HOW MANY times a given userid and password (i.e. on unique devices) may be used at the same time.
Accounting - The process of monitoring and recording a client’s use of the network or other resource..
Often simply referred to as logging, accounting can be used for many different purposes.
In the context of MVnet, accounting is used to track your usage of the network primarily for trouble shooting purposes.
Accounting records the logon and logoff time of each user, so it’s possible to correlate network access with malfunctions, security breaches, and other problems. If something untoward happens on a network, RADIUS accounting can show what clients were logged on at the time. Without accounting records, it is not possible to determine what happened after the event has occurred!