12. Migration from RADIUS to Diameter

RADIUS offers support for HTTP Digest authentication in the RADIUS Extension for Digest Authentication [RFC4590]. A number of AVPs (the Digest-* AVPs) of this Diameter SIP application are imported from the RADIUS attributes namespace, thus making the migration from RADIUS to Diameter smooth.
Note that the RADIUS Extension for Digest Authentication [RFC4590] provides a more limited scope than this Diameter SIP application. Specifically, the RADIUS extension for Digest Authentication merely provides support for HTTP Digest authentication, whereas the Diameter SIP application provides support for user location, profile downloading and update, etc.
The following sections discuss several configurations in which a gateway translates RADIUS to Diameter and vice versa.
12.1. Gateway from RADIUS Client to Diameter Server

The gateway maps Access-Request messages to MAR requests. If a RADIUS Access-Request message contains at least one Digest-* attribute, the gateway maps all Digest-* attributes to the AVPs of a Diameter SIP-Authorization AVP, constructs a MAR message, and sends it to the Diameter server. If the RADIUS Access-Request message does not contain any Digest-* attribute, then the RADIUS client does not want to apply HTTP Digest authentication, in which case actions at the gateway are outside the scope of this document.
The Diameter server responds with a MAA message. If the MAA message contains a Result-Code AVP set to the value DIAMETER_MULTI_ROUND_AUTH and contains challenge parameters in a SIP-Authenticate AVP, then the gateway translates the AVPs of SIP-Authenticate AVP and puts the resulting RADIUS attributes into an Access-Challenge message. It sends the Access-Challenge message to the RADIUS client.
If the MAA message contains a SIP-Authentication-Info and a Digest-Response AVP, the gateway converts these AVPs to the corresponding RADIUS attributes and constructs a RADIUS message. If the Result-Code AVP is DIAMETER_SUCCESS, an Access-Accept is sent. In all other cases, an Access-Reject is sent.
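The RADIUS-to-Diameter direction described in 12.1, as an added illustration that is not part of this specification: messages are modelled as plain dicts keyed by attribute/AVP name, the Result-Code values are symbolic strings, and the placement of the Digest-Response AVP at the top level of the MAA is a simplification assumed here.

```python
# Constructed model of the 12.1 gateway (not part of the specification).
# RADIUS messages and Diameter messages are dicts; Digest-* attributes and
# Digest-* AVPs share the same names because the AVPs are imported from the
# RADIUS attribute namespace.
MULTI_ROUND_AUTH = "DIAMETER_MULTI_ROUND_AUTH"
SUCCESS = "DIAMETER_SUCCESS"


def digest_only(avps):
    """Keep only Digest-* entries so no unrelated attribute is forwarded."""
    return {k: v for k, v in avps.items() if k.startswith("Digest-")}


def access_request_to_mar(access_request):
    """Map a RADIUS Access-Request to a Diameter MAR.

    Returns None when the request carries no Digest-* attribute: the client
    is not asking for HTTP Digest, and the gateway's behaviour is then out
    of scope of the text above.
    """
    digest = digest_only(access_request)
    if not digest:
        return None
    # The Digest-* AVPs are carried in the SIP-Authorization AVP inside a
    # SIP-Auth-Data-Item AVP (nesting assumed from the surrounding text).
    return {"Command": "MAR",
            "SIP-Auth-Data-Item": {"SIP-Authorization": digest}}


def maa_to_radius(maa):
    """Map a Diameter MAA to the RADIUS reply the gateway sends back."""
    result = maa.get("Result-Code")
    challenge = maa.get("SIP-Authenticate")
    if result == MULTI_ROUND_AUTH and challenge:
        # Challenge round: translate the SIP-Authenticate AVPs into
        # Digest-* attributes of an Access-Challenge.
        return {"Code": "Access-Challenge", **digest_only(challenge)}
    reply = {}
    info = maa.get("SIP-Authentication-Info")
    if info is not None and "Digest-Response" in maa:
        reply.update(digest_only(info))
        reply["Digest-Response"] = maa["Digest-Response"]
    # Only DIAMETER_SUCCESS yields Access-Accept; every other outcome,
    # including MULTI_ROUND_AUTH without a challenge, is an Access-Reject.
    reply["Code"] = "Access-Accept" if result == SUCCESS else "Access-Reject"
    return reply
```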
12.2. Gateway from Diameter Client to RADIUS Server

The Diameter client sends a Diameter MAR message to the gateway. If the MAR message does not contain SIP-Auth-Data-Item AVPs, the gateway constructs an Access-Request message and maps the SIP-AOR and SIP-Method AVPs to RADIUS attributes. The gateway sends the Access-Request message to the RADIUS server, which will respond with an Access-Challenge. The gateway creates a MAA message with a Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH and maps the Digest-* attributes to Diameter AVPs in a SIP-Authenticate AVP. The gateway sends the resulting MAA to the Diameter client, which will respond with a new MAR.
The gateway checks the SIP-Auth-Data-Item AVPs of this MAR for an AVP where the Digest-Realm AVP matches the locally configured realm value. It takes the AVPs from this SIP-Auth-Data-Item AVP, converts them into the corresponding RADIUS attributes and constructs a RADIUS Access-Request message. The gateway sends the Access-Request message to the RADIUS server. If the RADIUS server responds with an Access-Accept message, the gateway converts the RADIUS attributes to Diameter AVPs, constructs a MAA message with a Result-Code AVP set to DIAMETER_SUCCESS and sends this message to the Diameter client. If the RADIUS server responds with an Access-Reject message, the gateway converts the RADIUS attributes to Diameter AVPs, constructs a MAA message with a Result-Code AVP set to DIAMETER_ERROR_IDENTITIES_DONT_MATCH, and sends this message to the Diameter client.
12.3. Known Limitations

As mentioned earlier, there is not a 100% match between the Diameter SIP application and the RADIUS Extension for Digest Authentication [RFC4590]. In particular, the RADIUS Extension for Digest Authentication [RFC4590] does not offer equivalent functionality to the Diameter UAR/UAA, SAR/SAA, LIR/LIA, RTR/RTA, and PPR/PPA messages defined by this specification.