Evolution of network access control standards
This article gives a historical overview of how network access control technologies evolved, for dial-in services and for local and metropolitan area networks.
PPP and the Link Control Protocol authentication
The PPP (rfc1134 in 1989) data link protocol was the main technology for connecting terminals to the network over serial cables and phone links. It was the technology that allowed ISPs to implement the dial-up access service.
PPP's Link Control Protocol allowed the negotiation of an authentication protocol (PAP or CHAP) between the two ends of the PPP connection. Authentication on the ISP side required the whole user database to be available to each modem.
RADIUS comes to the rescue
To ease the management of modem pools, and of network access servers (NAS) in general, for a large number of subscribers, the IETF designed the RADIUS protocol (rfc2058 in 1997). RADIUS centralized authentication, authorization and accounting by letting the NAS talk to a back-end database to authenticate users. The NAS, acting as a RADIUS client, forwards the PAP or CHAP login and password information to the RADIUS server, which checks it against the user database. In a sense the NAS impersonates the user: it grants access if the authentication with the RADIUS server succeeds.
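The two legs described above (PAP/CHAP over PPP between peer and NAS, then the RADIUS Access-Request between NAS and server) can be modelled end to end. The following is an added example, not code from the original article: it implements the RFC 1994 CHAP response, the RFC 2865 User-Password hiding and Response Authenticator, and a NAS that forwards either credential and grants the link only on a verified Access-Accept. The shared secret, the user `alice` and her password are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 numbering).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed sample data: the NAS/server shared secret and the user database
# that lives only on the server (CHAP verification needs the cleartext password).
SHARED_SECRET = b"nas-server-secret"      # constructed
USER_DB = {"alice": b"correct horse"}      # constructed


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) MD5 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def hide_password(password: bytes, request_auth: bytes, shared: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to a multiple of 16, XOR each
    block with MD5(shared || previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, request_auth: bytes, shared: bytes) -> bytes:
    """Inverse of hide_password (server side); strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Attribute TLV: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def nas_access_request(user: str, method: str, cred, ident: int = 1) -> bytes:
    """The NAS (RADIUS client) packages what it collected over PPP into an
    Access-Request. cred is the PAP password, or (chap_id, challenge, response)."""
    request_auth = os.urandom(16)               # fresh per request
    attrs = attr(ATTR_USER_NAME, user.encode())
    if method == "pap":
        attrs += attr(ATTR_USER_PASSWORD, hide_password(cred, request_auth, SHARED_SECRET))
    else:
        chap_id, challenge, response = cred
        attrs += attr(ATTR_CHAP_PASSWORD, bytes([chap_id]) + response)
        attrs += attr(ATTR_CHAP_CHALLENGE, challenge)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request: bytes) -> bytes:
    """RADIUS server: check the credentials against USER_DB and answer with a
    Response Authenticator that binds the reply to the request and the secret."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    expected = USER_DB.get(attrs[ATTR_USER_NAME].decode())
    ok = False
    if expected is not None and ATTR_USER_PASSWORD in attrs:
        ok = unhide_password(attrs[ATTR_USER_PASSWORD], request_auth, SHARED_SECRET) == expected
    elif expected is not None and ATTR_CHAP_PASSWORD in attrs:
        chap_id, response = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, request_auth)
        ok = chap_response(chap_id, expected, challenge) == response
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + SHARED_SECRET).digest()


def nas_accepts(request: bytes, reply: bytes) -> bool:
    """NAS grants the link only for an Access-Accept whose Response Authenticator
    and Identifier match the request it sent; it never sees the user database."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + SHARED_SECRET).digest()
    return code == ACCESS_ACCEPT and ident == request[1] and reply[4:20] == expected


def pap_login(user: str, password: bytes) -> bool:
    """Peer sends its password in PAP; the NAS hides it for the RADIUS leg."""
    req = nas_access_request(user, "pap", password)
    return nas_accepts(req, server_handle(req))


def chap_login(user: str, password: bytes) -> bool:
    """NAS challenges the peer; the peer answers with its copy of the password."""
    chap_id, challenge = 7, os.urandom(16)
    req = nas_access_request(user, "chap", (chap_id, challenge, chap_response(chap_id, password, challenge)))
    return nas_accepts(req, server_handle(req))
```

Note what the model makes visible: the NAS holds no user data and only checks that the reply is bound to its own request by the shared secret, which is exactly the "impersonation" the text describes. Both the password hiding and the authenticator rest entirely on MD5 and that shared secret, so the NAS-to-server leg has to run over a trusted path.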
EAP adds extensibility and avoids NAS upgrades
With growing concern about the security of PAP and CHAP, ISPs wanted to use RADIUS with authentication protocols other than the original PAP and CHAP. Rather than specifying new RADIUS attributes for each new authentication protocol (which would also require an update of every NAS), the IETF specified a special authentication protocol, the Extensible Authentication Protocol (rfc2284 in 1998), which negotiates an authentication method and then runs it to authenticate the user. From the NAS point of view, authentication consists of an exchange of EAP messages between the peer and the RADIUS server that terminates with a success or failure indication. The NAS does not see which method was negotiated and used; it merely relays EAP messages between peer and server and only processes the result indications. Thanks to EAP, the NAS does not need to be updated when a new authentication method is deployed: supporting a new method involves upgrading only the peers and the RADIUS servers.
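The pass-through property can be shown in code. The following is an added example, not from the original article: a peer that supports only EAP MD5-Challenge, a server whose preference list starts with a newer method (a constructed type number, 200, standing in for anything deployed later), and a NAS that relays packets while reading nothing but the EAP Code field. The server's first method attempt is refused with a Nak, the server falls back, and the NAS's view of the whole conversation is just Request/Response codes ending in Success or Failure. Packet layout follows RFC 2284/3748; the user and secret are constructed.

```python
import hashlib
import os
import struct

# EAP codes and method types (RFC 2284 / RFC 3748 numbering).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4
TYPE_NEWER_METHOD = 200   # constructed placeholder for a method deployed later


def eap_packet(code: int, ident: int, body: bytes = b"") -> bytes:
    """Code, Identifier, Length (whole packet), then Type + Type-Data."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


class Peer:
    """Dial-in client: answers Identity, supports only MD5-Challenge, Naks the rest."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret, self.methods = identity, secret, [TYPE_MD5_CHALLENGE]

    def handle(self, request: bytes) -> bytes:
        code, ident, body = parse(request)
        if code != REQUEST:
            raise ValueError("peer only answers Requests")
        mtype, data = body[0], body[1:]
        if mtype == TYPE_IDENTITY:
            return eap_packet(RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.identity.encode())
        if mtype not in self.methods:
            # Nak lists the methods the peer does support (RFC 3748 s5.3).
            return eap_packet(RESPONSE, ident, bytes([TYPE_NAK]) + bytes(self.methods))
        # MD5-Challenge: Value-Size, Value = MD5(Identifier || secret || challenge)
        challenge = data[1:1 + data[0]]
        value = hashlib.md5(bytes([ident]) + self.secret + challenge).digest()
        return eap_packet(RESPONSE, ident, bytes([TYPE_MD5_CHALLENGE, len(value)]) + value)


class Server:
    """RADIUS-side EAP server: holds the user database and the method preference list."""
    def __init__(self, users: dict, preferred):
        self.users, self.preferred = users, list(preferred)
        self.ident, self.identity, self.challenge, self.index = 0, None, None, 0

    def start(self) -> bytes:
        self.ident = 1
        return eap_packet(REQUEST, self.ident, bytes([TYPE_IDENTITY]))

    def _request(self, mtype: int) -> bytes:
        self.ident += 1
        if mtype == TYPE_MD5_CHALLENGE:
            self.challenge = os.urandom(16)
            return eap_packet(REQUEST, self.ident, bytes([mtype, 16]) + self.challenge)
        return eap_packet(REQUEST, self.ident, bytes([mtype]))   # constructed method: no type-data

    def handle(self, response: bytes) -> bytes:
        code, ident, body = parse(response)
        if code != RESPONSE or ident != self.ident:           # stale or replayed response
            return eap_packet(FAILURE, self.ident)
        mtype, data = body[0], body[1:]
        if mtype == TYPE_IDENTITY:
            self.identity, self.index = data.decode(), 0
            return self._request(self.preferred[0])
        if mtype == TYPE_NAK:
            # Fall back to the next preferred method the peer says it supports.
            supported, self.index = set(data), self.index + 1
            while self.index < len(self.preferred) and self.preferred[self.index] not in supported:
                self.index += 1
            if self.index == len(self.preferred):
                return eap_packet(FAILURE, ident)
            return self._request(self.preferred[self.index])
        if mtype == TYPE_MD5_CHALLENGE and mtype == self.preferred[self.index]:
            secret = self.users.get(self.identity)
            if secret is not None:
                expected = hashlib.md5(bytes([ident]) + secret + self.challenge).digest()
                if data[1:1 + data[0]] == expected:
                    return eap_packet(SUCCESS, ident)
        return eap_packet(FAILURE, ident)


class NAS:
    """Pass-through authenticator: relays EAP and looks at nothing but the Code."""
    def __init__(self, peer: Peer, server: Server):
        self.peer, self.server, self.codes_seen = peer, server, []

    def authenticate(self, max_rounds: int = 10) -> bool:
        pkt = self.server.start()
        for _ in range(max_rounds):
            self.codes_seen.append(pkt[0])
            if pkt[0] in (SUCCESS, FAILURE):
                return pkt[0] == SUCCESS            # open or drop the PPP link
            reply = self.peer.handle(pkt)           # towards the peer: EAP over PPP
            self.codes_seen.append(reply[0])
            pkt = self.server.handle(reply)         # towards the server: RADIUS EAP-Message in practice
        return False


def run_exchange(peer_secret: bytes):
    """Constructed scenario: server prefers a newer method the peer lacks, falls back to MD5-Challenge."""
    server = Server({"alice": b"correct horse"}, [TYPE_NEWER_METHOD, TYPE_MD5_CHALLENGE])
    nas = NAS(Peer("alice", peer_secret), server)
    granted = nas.authenticate()
    return granted, nas.codes_seen, server.preferred[server.index]
```

Running `run_exchange` with the right secret yields the code sequence Request, Response, Request, Response, Request, Response, Success: the Identity round, the Nak round and the MD5-Challenge round look identical to the NAS, which is why adding another method to `Peer` and `Server` leaves the `NAS` class untouched.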
To be continued.