Diameter and RADIUS (Remote Authentication Dial In User Service) are two protocols used for AAA (Authentication, Authorization, and Accounting) services. The basic operation of RADIUS and Diameter is similar, since both carry authentication, authorization, and configuration information between a Network Access Server (NAS) and a shared authentication server. Diameter retains much of the functionality of RADIUS because it evolved from RADIUS. In Diameter, however, the packet format has improved dramatically, and the transport mechanisms have also improved, shifting the overall concept from a client-server towards a peer-to-peer architecture.
What is Diameter?
Diameter is a protocol that provides a basic framework for any kind of service that requires Authentication, Authorization, and Accounting (AAA) or policy support across many IP-based networks. It was originally derived from the RADIUS protocol, which also provides AAA services to computers so that they can connect to and use a network. Diameter brings many improvements over RADIUS in different aspects, including enhancements such as error handling and reliable message delivery. Thus, it aims to become the next-generation Authentication, Authorization, and Accounting (AAA) protocol.
Diameter delivers data in the form of AVPs (Attribute-Value Pairs). Most of these AVPs are associated with particular applications that employ Diameter, while some are used by the Diameter protocol itself. AVPs may be added to Diameter messages arbitrarily, so long as the AVPs the message requires are included and those that are explicitly excluded are not. The base Diameter protocol uses these AVPs to support numerous required features.
Generally, with the Diameter protocol any host can be configured as either a client or a server, depending on the network infrastructure, since Diameter is designed for a peer-to-peer architecture. The base protocol can also be extended for use in new applications by adding new commands or AVPs. A legacy AAA protocol used by many applications may provide functionality that Diameter does not, so designers who adopt Diameter for new applications have to consider their requirements carefully.
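As an added example (not code from the original article), the following Python encodes and parses the Diameter message header and AVPs described above, and applies the receiver-side rule from the AVP paragraph: the AVPs a message requires must be present, and an AVP the receiver does not understand is rejected when its sender marked it mandatory. The AVP codes, command flags and Result-Code values are the base-protocol ones from RFC 6733; the sample AA-Request, its hostnames, realm and identifiers are constructed for the example. The 3-byte AVP length field is what gives Diameter the 16 MB attribute limit quoted in the comparison table.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

# AVP flag bits (RFC 6733, section 4.1)
AVP_FLAG_V = 0x80  # Vendor-ID field present
AVP_FLAG_M = 0x40  # mandatory: receiver must understand the AVP or reject the message
# Command flag bits (RFC 6733, section 3)
CMD_FLAG_R = 0x80  # request (clear = answer)
CMD_FLAG_P = 0x40  # proxiable
CMD_FLAG_E = 0x20  # protocol error

# Base-protocol AVP codes and Result-Code values used below (RFC 6733)
SESSION_ID, AUTH_APPLICATION_ID = 263, 258
ORIGIN_HOST, ORIGIN_REALM, DESTINATION_REALM = 264, 296, 283
DIAMETER_SUCCESS, DIAMETER_AVP_UNSUPPORTED, DIAMETER_MISSING_AVP = 2001, 5001, 5005


@dataclass
class AVP:
    code: int
    data: bytes
    mandatory: bool = False
    vendor_id: Optional[int] = None

    def encode(self) -> bytes:
        """Code(4) | Flags(1) | Length(3) | [Vendor-ID(4)] | Data, padded to a 4-byte boundary."""
        flags = (AVP_FLAG_M if self.mandatory else 0) | (AVP_FLAG_V if self.vendor_id is not None else 0)
        vendor = struct.pack("!I", self.vendor_id) if self.vendor_id is not None else b""
        length = 8 + len(vendor) + len(self.data)  # 3-byte field (up to 16 MiB); excludes padding
        return (struct.pack("!I", self.code) + bytes([flags]) + length.to_bytes(3, "big")
                + vendor + self.data + b"\x00" * ((-len(self.data)) % 4))


def parse_avps(buf: bytes) -> List[AVP]:
    """Walk a sequence of AVPs, validating every length against the buffer before slicing."""
    avps, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header at offset %d" % offset)
        code = struct.unpack_from("!I", buf, offset)[0]
        flags = buf[offset + 4]
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        hdr_len = 12 if flags & AVP_FLAG_V else 8
        if length < hdr_len or offset + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, offset))
        vendor_id = struct.unpack_from("!I", buf, offset + 8)[0] if flags & AVP_FLAG_V else None
        avps.append(AVP(code, buf[offset + hdr_len:offset + length], bool(flags & AVP_FLAG_M), vendor_id))
        offset += length + (-length) % 4  # skip the padding that the length field excludes
    return avps


@dataclass
class DiameterMessage:
    command_code: int
    application_id: int
    request: bool
    hop_by_hop: int
    end_to_end: int
    avps: List[AVP] = field(default_factory=list)
    proxiable: bool = True
    error: bool = False

    def encode(self) -> bytes:
        """Version(1)=1 | Length(3) | Flags(1) | Command-Code(3) | App-ID(4) | Hop-by-Hop(4) | End-to-End(4) | AVPs."""
        body = b"".join(avp.encode() for avp in self.avps)
        flags = ((CMD_FLAG_R if self.request else 0) | (CMD_FLAG_P if self.proxiable else 0)
                 | (CMD_FLAG_E if self.error else 0))
        return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
                + self.command_code.to_bytes(3, "big")
                + struct.pack("!III", self.application_id, self.hop_by_hop, self.end_to_end) + body)


def parse_message(buf: bytes) -> DiameterMessage:
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise ValueError("message length %d does not match buffer of %d bytes" % (length, len(buf)))
    flags = buf[4]
    app_id, hop_by_hop, end_to_end = struct.unpack_from("!III", buf, 8)
    return DiameterMessage(int.from_bytes(buf[5:8], "big"), app_id, bool(flags & CMD_FLAG_R),
                           hop_by_hop, end_to_end, parse_avps(buf[20:]),
                           bool(flags & CMD_FLAG_P), bool(flags & CMD_FLAG_E))


def check_avps(msg: DiameterMessage, known: Set[int], required: Set[int]) -> int:
    """Receiver-side AVP policy: an unknown AVP with the M bit set is rejected; required AVPs must be present."""
    for avp in msg.avps:
        if avp.mandatory and avp.code not in known:
            return DIAMETER_AVP_UNSUPPORTED
    if not required <= {avp.code for avp in msg.avps}:
        return DIAMETER_MISSING_AVP
    return DIAMETER_SUCCESS


def build_sample_request() -> DiameterMessage:
    """Constructed sample: an AA-Request (command 265, NASREQ application 1) carrying the base AVPs."""
    return DiameterMessage(265, 1, True, 0x1000, 0x2000, [
        AVP(SESSION_ID, b"nas.example.net;1;1", mandatory=True),
        AVP(ORIGIN_HOST, b"nas.example.net", mandatory=True),
        AVP(ORIGIN_REALM, b"example.net", mandatory=True),
        AVP(DESTINATION_REALM, b"example.net", mandatory=True),
        AVP(AUTH_APPLICATION_ID, struct.pack("!I", 1), mandatory=True),
    ])


BASE_KNOWN = {SESSION_ID, ORIGIN_HOST, ORIGIN_REALM, DESTINATION_REALM, AUTH_APPLICATION_ID}
BASE_REQUIRED = {SESSION_ID, ORIGIN_HOST, ORIGIN_REALM, DESTINATION_REALM}

if __name__ == "__main__":
    wire = build_sample_request().encode()
    print(len(wire), "bytes on the wire; Result-Code", check_avps(parse_message(wire), BASE_KNOWN, BASE_REQUIRED))
```

The parser checks every length field against the buffer before slicing, which is the point at which a hand-written Diameter decoder usually goes wrong; `check_avps` returns the Result-Code the receiver would put in its answer rather than raising, mirroring how a Diameter node reports the error to its peer.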
What is Radius?
Similar to Diameter, RADIUS is a protocol designed for carrying authentication, authorization, and configuration information between a Network Access Server (NAS) and a shared authentication server. The NAS operates as a client of RADIUS and is responsible for passing user information to and from the designated RADIUS servers. RADIUS servers, in turn, receive user connection requests, authenticate the user, and return all the configuration information the client needs in order to deliver service to the user.
For example, when a client is configured to use RADIUS, its users have to present authentication information (a username and password). The user may use a link framing protocol such as the Point-to-Point Protocol (PPP) to carry this information. Once the client has received this information, it sends an “Access-Request” to the RADIUS server containing the user’s username and password. The Internet Assigned Numbers Authority (IANA) has assigned RADIUS UDP port 1812 for authentication and port 1813 for accounting. RADIUS mainly uses the PAP, CHAP or EAP protocols for user authentication.
The RADIUS packet structure consists of a fixed-size header followed by a variable number of attributes, referred to as AVPs (Attribute-Value Pairs). Each AVP consists of an attribute code, a length, and a value. The RADIUS header consists of four fields: code, identifier, length, and authenticator. The code field identifies the message type. The identifier field is used to match requests and replies. The length field gives the length of the entire RADIUS packet, including the header and all attributes. The authenticator field is used to authenticate reply messages from the RADIUS server and in hiding the user password.
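As an added example (not code from the original article), the following Python works through the Access-Request exchange and the packet layout of the two paragraphs above: it builds the header (code, identifier, length, authenticator) and type/length/value attributes, hides the User-Password with the Request Authenticator as RFC 2865 specifies, and on the client side verifies the Response Authenticator of the reply so that a forged or altered Accept is not trusted. The shared secret, user database and NAS address are constructed for the example; the only cryptographic primitive is the MD5 construction RADIUS itself defines. The 1-byte attribute length field is what gives RADIUS the 255-byte limit quoted in the comparison table.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813             # IANA-assigned UDP ports
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3       # Code field values (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4           # attribute types (RFC 2865)


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Each attribute is Type(1) | Length(1) | Value; the 1-byte length caps a value at 253 octets."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value limited to 253 octets")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def parse_attrs(buf: bytes) -> List[Tuple[int, bytes]]:
    attrs, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise ValueError("truncated attribute at offset %d" % offset)
        attr_type, length = buf[offset], buf[offset + 1]
        if length < 2 or offset + length > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        attrs.append((attr_type, buf[offset + 2:offset + length]))
        offset += length
    return attrs


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code(1) | Identifier(1) | Length(2) | Authenticator(16), followed by the attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(buf: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    if len(buf) < 20:
        raise ValueError("datagram shorter than the RADIUS header")
    code, identifier, length = struct.unpack_from("!BBH", buf, 0)
    if length < 20 or length > len(buf):
        raise ValueError("Length field %d inconsistent with datagram" % length)
    return code, identifier, buf[4:20], parse_attrs(buf[20:length])  # octets past Length are ignored


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding (a password that itself ends in NUL would lose it)


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: trust a reply only if its Authenticator matches the one recomputed from our request."""
    if len(resp) < 20:
        return False
    code, identifier, length = struct.unpack_from("!BBH", resp, 0)
    if length < 20 or length > len(resp):
        return False
    expected = response_authenticator(code, identifier, resp[20:length], request_auth, secret)
    return hmac.compare_digest(expected, resp[4:20])


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """NAS side: a fresh random Request Authenticator keys both the password hiding and the reply check."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])  # constructed NAS address
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side (PAP): unhide the password, compare in constant time, answer Accept or Reject."""
    code, identifier, request_auth, attrs = parse_packet(request)
    by_type = dict(attrs)
    user, hidden = by_type.get(USER_NAME), by_type.get(USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and user in users and hidden is not None
          and hmac.compare_digest(unhide_password(hidden, secret, request_auth), users[user]))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real Accept would carry the configuration attributes for the session
    auth = response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret)
    return build_packet(reply_code, identifier, auth, reply_attrs)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req, req_auth = build_access_request(7, b"alice", b"s3cret", secret)
    reply = server_handle(req, secret, {b"alice": b"s3cret"})
    print("reply code", reply[0], "authentic", verify_response(reply, req_auth, secret))
```

Two points worth noticing when reading the code: the Request Authenticator must be fresh and unpredictable per request, because it is the only thing that varies in the password-hiding keystream and in the reply check; and `verify_response` fails closed on any length inconsistency before it touches the MD5, which is the behaviour a RADIUS client needs when replies arrive over UDP from anyone who can spoof the server's address.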
Diameter vs Radius
| Feature | Diameter | RADIUS |
| --- | --- | --- |
| Communication ports | 3868 for the base protocol | 1812 (UDP) for authentication, 1813 for accounting |
| Message handling | Server-initiated messages are not supported | Server-initiated messages are supported |
| Error reporting scheme | Supported | Not supported |
| Security | Diameter clients support IPsec and may support TLS (Transport Layer Security) | RADIUS defines the use of IPsec, but supporting it is not mandatory |
| Transport methods | Either SCTP (Stream Control Transmission Protocol) or TCP (Transmission Control Protocol) | UDP (User Datagram Protocol) |
| Proxies and agents | Diameter defines four kinds of agents, which support relay, proxy, redirect or translation services | RADIUS does not define the behavior of proxies precisely; it can vary between implementations |
| Authentication | NAIs (Network Access Identifier), CHAP (Challenge Handshake Authentication Protocol), EAP (Extensible Authentication Protocol), and PAP (Password Authentication Protocol) | NAIs (Network Access Identifier), CHAP (Challenge Handshake Authentication Protocol), EAP (Extensible Authentication Protocol), and PAP (Password Authentication Protocol) |
| Discovering node capabilities | Supported | Not supported |
| Maximum size of attributes | 16 MB | 255 bytes |
| Scalability | Good | Very poor |
| Reliability | Reliable transmission | Transmission is not reliable |