1. Field of the Invention
The present invention relates to the field of network communications. More specifically, the present invention relates to matching of RADIUS request packets with corresponding RADIUS response packets.
2. The Background
Remote Authentication Dial In User Service (RADIUS) is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server (NAS) and a shared Authentication Server in a computer network. Once a client is configured to use RADIUS, users of the client may present authentication data to the client, such as by using a username and password prompt. When the client has received the authentication data, it may desire to authenticate using RADIUS. In doing so, it must create a RADIUS xe2x80x9cAccess-Requestxe2x80x9d packet containing the authentication data and additional information, such as the port ID the user is accessing.
The RADIUS xe2x80x9cAccess-Requestxe2x80x9d Packet may then be transmitted over the network to a RADIUS server, which validates the sending client. If the client is valid, the RADIUS server consults a user database to find the user whose name matches the request. A corresponding record in the database contains information regarding how much access the user may have and what requirements must be fulfilled before access is granted. The RADIUS server may then compare the authentication data received via the RADIUS xe2x80x9caccess-requestxe2x80x9d packet with this record to determine if the user is authenticated. It may then send an xe2x80x9cAccess-Acceptxe2x80x9d, xe2x80x9cAccess-Rejectxe2x80x9d, or xe2x80x9cAccess-Challengexe2x80x9d response packet back to the client. A similar process may be invoked for accounting requests.
The RADIUS protocol provides for a one-octet identifier in request and response packets. A value is assigned to the identifier when an xe2x80x9caccess-requestxe2x80x9d packet is sent. The RADIUS server then takes this identifier and copies it into whatever response packet is sent, ensuring that corresponding request and response packets have the same identifier and thus may be matched up by the client when the response packet is received.
However, when traffic is heavy, it is possible to have more than two hundred and fifty-six outstanding simultaneous request packets from a single client. Since a one-octet identifier only allows for two hundred and fifty-six unique identifiers, this creates a problem when traffic is heavy.
One solution is to alter the User Datagram Protocol (UDP) source port used for the packets when more than two hundred and fifty-six RADIUS request packets are outstanding. The client may then match both the UDP port and the identifier to correspond RADIUS requests and response packets. Unfortunately, many companies have designed their network hardware to utilize a fixed UDP port. Furthermore, these different companies often use different fixed ports. Thus, using the UDP port as a solution is not effective.
What is needed is a solution which provides for matching RADIUS request packets with corresponding RADIUS response packets when traffic is heavy enough to require more than two hundred and fifty-six simultaneous outstanding RADIUS request packets.
A solution for matching RADIUS request packets with corresponding RADIUS response packets when the number of simultaneous outstanding requests is greater than 256 involves using a sixteen-octet authenticator field in each packet. For each response packet that arrives, the identifier of the packet is compared in turn with the identifier of each outstanding request packet. If the identifiers match, the authenticators are then compared. If the results of the comparison indicate a match, the packet is accepted and no further processing of the outstanding requests is required. Otherwise, a search of the outstanding request packets is continued. This solution allows for more than 256 simultaneous outstanding RADIUS requests and only encounters a mismatch or ambiguous match with a probability of one in 3.4xc3x971038 packets.