Difference Between Diameter and Radius

Diameter and RADIUS (Remote Authentication Dial In User Service) are two protocols used for AAA (Authentication, Authorization, and Accounting) services. The basic operation of the two is similar, since both carry authentication, authorization, and configuration information between a Network Access Server (NAS) and a shared authentication server. Diameter retains much of the functionality of RADIUS because it evolved from RADIUS, but the packet format and the transport mechanisms were improved substantially, and the overall model shifted from client-server towards a peer-to-peer architecture.

What is Diameter?

Diameter is a protocol that provides a basic framework for any kind of service that requires Authentication, Authorization, and Accounting (AAA) or policy support across IP-based networks. It was originally derived from the RADIUS protocol, which likewise provides AAA services so that computers can connect to and use a network. Diameter brings a number of improvements over RADIUS, including an error-handling scheme and reliable message delivery, and it is intended to be the next-generation AAA protocol.

Diameter carries data in the form of AVPs (Attribute-Value Pairs). Most AVPs belong to the particular applications that use Diameter, while some are used by the Diameter base protocol itself. AVPs may be added to a Diameter message in any order, provided that the AVPs the command requires are present and any AVPs the command explicitly excludes are absent; a receiver that encounters an AVP it does not recognise with the mandatory (M) flag set must reject the message. The base protocol uses its own AVPs to support the features it requires.

With Diameter, any host can generally act as either a client or a server, depending on the network infrastructure, because the protocol is designed around a peer-to-peer architecture. The base protocol can also be extended for use in new applications by adding new commands or AVPs. A legacy AAA protocol used by many applications may provide functionality that Diameter does not, so designers who adopt Diameter for new applications have to consider their requirements carefully.

What is Radius?

Similar to Diameter, RADIUS is a protocol designed for carrying authentication, authorization, and configuration information between a Network Access Server (NAS) and a shared authentication server. The NAS operates as a RADIUS client and is responsible for passing user information to the designated RADIUS servers and acting on their responses. The RADIUS servers receive user connection requests, authenticate the user, and return all the configuration information the client needs in order to deliver service to the user.

For example, when a NAS is configured to use RADIUS, its users must present authentication information (a username and password), typically carried over a link-framing protocol such as the Point-to-Point Protocol (PPP). Once the NAS has received this information, it sends an "Access-Request" to the RADIUS server containing the user's username and password. The Internet Assigned Numbers Authority (IANA) has assigned UDP port 1812 to RADIUS authentication and UDP port 1813 to RADIUS accounting. RADIUS mainly uses PAP, CHAP or EAP for user authentication.

A RADIUS packet consists of a fixed-size header followed by a variable number of attributes, also referred to as AVPs (Attribute-Value Pairs). Each attribute consists of a type, a length, and a value. The header consists of four fields: code, identifier, length, and authenticator. The code field identifies the type of RADIUS packet (for example Access-Request or Access-Accept). The identifier field matches requests to replies. The length field gives the length of the entire packet, header and attributes included. The authenticator field carries a random value in requests, which is used both to hide the User-Password attribute and as input to the authenticator the server places in its reply; the client recomputes that reply authenticator with the shared secret to check that the response came from a server holding the same secret.
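The exchange and packet format described in the two preceding paragraphs, as an added example (not code from the original article): the Python below builds an Access-Request with the User-Password hidden under the shared secret and Request Authenticator as RFC 2865 specifies, lets a minimal server recover the password and answer with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply plus the secret, and has the client verify that authenticator. The shared secret, the user database and the hypothetical client name are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865 (only the ones used here)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def encode_attr(attr_type, value):
    """Type, length, value; the 8-bit length covers the 2-byte header, so the value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long for the 8-bit length field")
    return bytes([attr_type, 2 + len(value)]) + value


def decode_attrs(buf):
    """Walk the attribute list, refusing lengths that would run past the buffer."""
    attrs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, buf[off + 2:off + length]))
        off += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous block),
    the first block using the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run on the server; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def parse_packet(pkt):
    code, identifier, length = struct.unpack_from("!BBH", pkt, 0)
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, identifier, pkt[4:20], pkt[20:length]


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client (NAS) side: fresh random Request Authenticator, User-Name and hidden User-Password."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def server_handle(request, secret, users):
    """Server side: recover the password, check it, and answer with an authenticated Accept or Reject."""
    code, identifier, request_auth, attr_bytes = parse_packet(request)
    attrs = dict(decode_attrs(attr_bytes))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(attrs.get(ATTR_USER_NAME))
    if code == ACCESS_REQUEST and expected is not None and hmac.compare_digest(password, expected):
        reply_code, reply_attrs = ACCESS_ACCEPT, encode_attr(ATTR_REPLY_MESSAGE, b"Welcome")
    else:
        reply_code, reply_attrs = ACCESS_REJECT, encode_attr(ATTR_REPLY_MESSAGE, b"Denied")
    auth = response_authenticator(reply_code, identifier, request_auth, reply_attrs, secret)
    return build_packet(reply_code, identifier, auth, reply_attrs)


def client_verify(reply, request, secret):
    """Client side: accept the reply only if its identifier matches the request and its
    Response Authenticator recomputes correctly under the shared secret."""
    code, identifier, reply_auth, attrs = parse_packet(reply)
    _, req_id, request_auth, _ = parse_packet(request)
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    return identifier == req_id and hmac.compare_digest(reply_auth, expected)


if __name__ == "__main__":
    # Constructed sample exchange between a NAS and a RADIUS server sharing the secret below
    secret, users = b"s3cret-between-nas-and-server", {b"alice": b"hunter2"}
    request = build_access_request(7, b"alice", b"hunter2", secret)
    reply = server_handle(request, secret, users)
    print("Access-Accept" if parse_packet(reply)[0] == ACCESS_ACCEPT else "Access-Reject",
          "authentic" if client_verify(reply, request, secret) else "forged")
```

Two things the code makes visible that the prose does not: the password hiding is an MD5 keystream keyed by the shared secret rather than encryption in any modern sense, and the Access-Request itself carries no integrity check at all in RFC 2865 (the Message-Authenticator attribute that adds one is a later extension), which is the kind of weakness that motivated Diameter's requirement for IPsec or TLS.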

Diameter vs Radius

Feature | Diameter | RADIUS
--- | --- | ---
Communication ports | 3868 for the base protocol (TCP or SCTP) | 1812 for authentication and 1813 for accounting (UDP)
Message handling | Server-initiated messages are supported | Server-initiated messages are not supported in the base protocol
Error reporting scheme | Supported | Not supported
Security | Transport-layer security is required between peers: IPsec (with TLS optional) in the original specification, TLS or DTLS in the current one | Shared-secret MD5 scheme; the use of IPsec is defined but not mandatory
Transport methods | SCTP (Stream Control Transmission Protocol) or TCP (Transmission Control Protocol) | UDP (User Datagram Protocol)
Proxies and agents | Four kinds of agents are defined, providing relay, proxy, redirect or translation services | Proxy behaviour is not precisely defined and varies between implementations
Authentication | NAIs (Network Access Identifier), CHAP (Challenge Handshake Authentication Protocol), EAP (Extensible Authentication Protocol) and PAP (Password Authentication Protocol) | NAIs, CHAP, EAP and PAP
Discovering node capabilities | Supported (Capabilities-Exchange) | Not supported
Maximum size of an attribute | 24-bit AVP length field, so up to about 16 MB | 8-bit length field, so 255 bytes including the 2-byte attribute header
Scalability | Good | Poor: UDP with no congestion control, and an 8-bit identifier limits outstanding requests per source port
Reliability | Reliable transmission (TCP or SCTP) | Transmission is not reliable; retransmission is left to the client