The Remote Authentication Dial In User Service (RADIUS) protocol provides authentication, authorization, and accounting services between a Network Access Server (NAS) and a AAA server.
The test definition and measurements used in this test system refer to stateful session volumes and rates. Since RADIUS does not support a session as such, the following definitions of session, connect, established, disconnect, and pending apply when testing with RADIUS:
An authentication session consists of a single transaction, and is connected when an Access Request is sent to the SUT and the Access Response is received. It remains established until the test is stopped, or until the end of an iterative test run, when it is disconnected. The number of simultaneous sessions equates to the number of successful authentications. If another iteration will be run, the session enters the pending state when it is disconnected. Disconnecting an authentication session simply means that another Access Request using the same credentials could be sent.
An accounting session is connected when an Accounting Request - Start is sent to the SUT and the Accounting Response is received. It remains established (or started) until an Accounting Request - Stop is sent to the SUT and the Accounting Response is received, and then it is disconnected (or stopped). Accounting Request - Interim Updates can be sent while the session is established, and the number of simultaneous sessions equates to the number of open accounting records on the SUT. A disconnected accounting session cannot be restarted, therefore the pending state does not apply.
The successful establishment of an MN session is governed by the success of the authentication and/or accounting session. The MN session can be established with a successful authentication, but be disconnected if the accounting session fails.
A variety of authentication methods are supported:
PAP
CHAP
MD5 (EAP)
EAP-SIM
EAP-AKA
A subset of the basic RADIUS authentication, authorization, and accounting messages are supported:
Access Request — Sent from the NAS to the AAA server when a mobile user requests service.
Access Accept — Sent from the AAA server to the NAS when a request for service is accepted.
Change of Authorization (CoA) — A AAA server node can optionally send CoA requests to a Content Filtering (CF) or policy server when requests are received from a particular NAS.
Access Reject — Sent from the AAA server to the NAS when a request for service is denied.
Accounting Request — Sent from the NAS to the AAA server to activate or deactivate the accounting function on the AAA server, or to convey information used to start, stop, or update accounting for a service.
Accounting Response — Sent from the AAA server to the NAS in response to an Accounting Request.
Access Challenge — Sent from the AAA server to the NAS when the server wishes to send the mobile user a challenge requiring a response (Access Request). These messages are recognized by the test case, but not acted upon.
All other message types are treated as unknown message types and are discarded.
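The handling rules in the list above can be expressed as a receive-side classifier. This is an added example, not code from the test system. The code numbers and length limits come from RFC 2865, RFC 2866 and RFC 5176, while the function names and the "handle", "ignore" and "discard" labels are assumptions made for illustration.

```python
import struct

# RADIUS packet codes (RFC 2865, RFC 2866, RFC 5176) for the supported subset.
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    11: "Access-Challenge", 43: "CoA-Request",
}
RECOGNIZED_ONLY = {11}          # Access-Challenge: recognized, not acted upon
HEADER_LEN, MAX_LEN = 20, 4096  # code(1) + id(1) + length(2) + authenticator(16)


def classify(datagram: bytes):
    """Return (action, name, identifier) for one UDP payload.

    action is "handle", "ignore" (recognized but not acted upon) or "discard".
    """
    if len(datagram) < HEADER_LEN:
        return ("discard", "truncated", None)
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    # RFC 2865: a datagram shorter than its Length field, or a Length
    # outside 20..4096, is discarded. Octets past Length are padding.
    if not HEADER_LEN <= length <= MAX_LEN or length > len(datagram):
        return ("discard", "bad-length", ident)
    name = CODES.get(code)
    if name is None:
        return ("discard", f"unknown({code})", ident)
    return ("ignore" if code in RECOGNIZED_ONLY else "handle", name, ident)


def build(code: int, ident: int, attrs: bytes = b"") -> bytes:
    """Construct a sample packet with a zeroed 16-octet authenticator."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    # Constructed sample packets; the attribute is User-Name = "alice".
    samples = [
        build(1, 7, b"\x01\x07alice"),               # Access-Request
        build(11, 8),                                # Access-Challenge
        build(255, 9),                               # code outside the subset
        struct.pack("!BBH", 2, 3, 40) + bytes(16),   # Length exceeds datagram
    ]
    for pkt in samples:
        print(classify(pkt))
```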
A simple, successful RADIUS message flow is shown in the example — the exact flow for a particular test depends on the test definition and the configuration. The AAA Server Nodal test case generates the messages from a NAS node to a AAA server SUT, and listens for and responds to the messages received from the AAA server. The AAA Server Node test case listens for and responds to messages received from a NAS SUT.