RADIUS vs. Diameter Protocol: A Detailed Comparison

This article compares the Radius and Diameter protocols, highlighting the differences between them. Both are fundamental for AAA (Authentication, Authorization, and Accounting) servers. ISP roaming is facilitated by RADIUS servers, allowing users to access their registered ISP from various locations.

Both Radius and Diameter serve as AAA protocols, offering these key benefits:

• Simplifying NAS (Network Access Server) functionality.
• Centralizing user administration.
• Enabling user roaming.
• Providing protection against active attackers.

Figure 1: Radius and Diameter Network Architecture

RADIUS Protocol

RADIUS (Remote Authentication Dial-In User Service) is a protocol designed for AAA.

Key features include:

• Client/Server model
• Network security provision
• Flexible authentication methods
• Extensibility

RADIUS operates in the following modes:

• User-Name/Password
• Challenge/Response
• Interoperation with PAP/CHAP
• Proxy

A secret key is shared between the client and server before communication begins.

The following RADIUS packet types are exchanged:

• Access Request: Initiated by the client to the server.
• The server responds with either Access Accept, Access Reject, or Access Challenge.
• Access-Accept messages contain the necessary attributes to provide services to the user.

Figure 2: RADIUS Protocol Packet Header Format

Figure 2 illustrates the RADIUS protocol packet header, comprised of these fields:

• Code: A 1-byte field identifying packet types.
• Identifier: A 1-byte field for matching responses to requests.
• Length: A 2-byte field specifying the total packet length (20 to 4096 octets), including the code, identifier, length, and authenticator fields.
• Authenticator: A 16-octet field used in request/response messages.
• List of Attributes: RADIUS uses over 63 attributes, each consisting of a type, length, and value. Common attributes include User-Name, User-Password, CHAP-Password, NAS-IP-Address, and NAS-Port.

DIAMETER Protocol

Diameter is another AAA protocol offering similar functionalities to RADIUS but with enhanced and additional capabilities.

Key features of the DIAMETER Protocol:

• Capabilities negotiation
• AAA information carried in AVPs (Attribute Value Pairs)
• Error notification
• Extensibility through new commands and AVPs
• Basic services for user sessions, accounting, and session state maintenance
• Hop-by-hop security using IPSec (mandatory) and TLS (optional)
• Diameter clients must support TCP or SCTP, while agents and servers must support both.
• Independent authentication/authorization and accounting session management
• Peer-to-peer protocol

Figure 3: Diameter Protocol Header Format

Figure 3 shows the Diameter protocol header format, including:

• Flags: (13 bits) indicating the command type (request, reply, indication).
• Hop-by-Hop Identifier
• End-To-End Identifier
• Command Code
• AVPs: Encapsulate relevant information to the message

Figure 4: Diameter AVP Format

Figure 4 depicts the Diameter protocol AVP format, composed of:

• AVP Code: Uniquely identifies the attribute.
• AVP Flags: Indicate how the AVP should be handled: r (reserved), P (protected), M (mandatory), V (vendor-specific).

The Diameter base protocol provides a secure transport for messages defined in application-specific extensions. Data objects are encapsulated within Attribute Value Pairs (AVPs).

Radius vs. Diameter: Key Differences

The PDU header formats for Radius and Diameter protocols differ, as illustrated in Figures 2, 3, and 4.

In summary, Diameter offers improved transport, proxying, session control, and security compared to Radius. This is the core difference between the two protocols.