The Research Of EAP Authentication Subsystem In Radius Server

With the Internet seeing an explosive growth in the 21st century, how to provide safe,reliable and extensible user access management services emerges as a key issue that Internet access solution providers must address. AAA refers to authentication, authorization, and accounting, is an access control security management mechanism in network security, which provide AAA services when user access networks. Currently,AAA services usually functions on the basis of the standard Radius protocol. For users, hope Radius server has better security,maintainability and extensibility. Now there is an abundance of free and open-source Radius servers exist online. But they are incompetent in fulfilling commercial purposes, especially in enterprise network where the security,the strong expansibility and variety of authentications poses high demands that open-source Radius products can't perform. EAP protocol can provide a framework that user can use different EAP methods for authentication.To compensate for such disadvantages, this paper, dwelling on a Radius server by my internship company, designed and implemented an EAP system which could better support the performance of current Radius products. It has good expansibility and maintainability. The EAP authentication subsystem consists of four modules, respectively is EAP task modules,EAP processing module, EAP authentication module and EAP public service module.The new EAP system is proved to support five major methods in authentication, namely, EAP_MD5,EAP_MSCHAPv2, EAP_TLS, EAP_PEAP, and EAP_TTLS.Besides, compared with the ordinary PAP and CHAP authentication, EAP authentication has higher safety strength, so the authentication will have higher security; and the five kinds of authentication methods are inherited a public certification base class, both EAP_PEAP and EAP_TTLS authentication method is directly inherited EAP_TLS, can use the TLS tunnel establish method in EAP_TLS authentication method, so after the increase of other EAP authentication methods in this system, you just need to derive from the base class or EAP_TLS, so it boasts the potential to support other possible EAP authentication methods;and with the Radius server log system, EAP authentication subsystem has deploying lots of positioning log, So it has good maintainability.