Project Description
A RADIUS authentication service demonstrating extensibility of the Windows Communication Framework. Implements PAP authentication and works with any ASP.NET membership provider for validating user credentials.

Concept
WCF provides an extensible framework that lets developers customize any aspect of its operation: controlling the format and encoding of incoming messages, inspecting incoming messages for compliance and validating header content, and ultimately developing a custom channel that controls every aspect of working with data arriving from the wire. This project explores the architectural thinking behind the extensibility points in the WCF message processing stack using the example of a custom RADIUS server built from the following WCF components:
  • A UDP duplex MEP channel based on the WCF UDP Binding sample released with .NET Framework 3.0;
  • A custom message encoder responsible for converting UDP/RADIUS packets into Message objects for passing up the stack and for serializing server response messages back into binary format. The binary serialization/de-serialization logic uses code from the Clutch.Radius project;
  • A message inspector responsible for ensuring that incoming data complies with the RADIUS specification;
  • A custom RadiusBinding element used to package the commonly used channel settings pertaining to RADIUS; and lastly
  • The authentication service, which performs user authentication based on the provided credentials and is implemented very generically, with little concern for the actual RADIUS protocol specifics.
Note: the custom UDP Duplex Channel will be deprecated with the general release of .NET Framework 4.0, in which the same functionality will be available out of the box.
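As an added illustration of what the encoder, inspector and service described above each have to do on the wire, the following standalone Python (written for this page; it is not the project's C# code nor the Clutch.Radius code) walks a PAP Access-Request through the RFC 2865 framing checks, un-hides the User-Password with the shared secret, consults a membership-provider callback, and builds the Access-Accept/Reject whose Response Authenticator the client checks before trusting the Code. The shared secret "Blah" is the value from the configuration example on this page; the function names, the NAS identifier "lab-nas", the user names and the validator rule that mirrors the test membership provider ("<User name>'s password") are constructed for this example. Two defender-side points it makes concrete: a malformed datagram is silently dropped rather than answered, and a shared-secret mismatch between client and server surfaces as a rejected login plus a Response Authenticator the client cannot verify.

```python
# Added example: RFC 2865 PAP handling split the way the WCF stack above splits it.
# Function names are hypothetical and not taken from the Lab620 or Clutch.Radius projects.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 2, 4, 32
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Request/Response Authenticator


class RadiusFormatError(ValueError):
    pass  # framing or compliance violation; RFC 2865 says to silently discard such packets

def parse_packet(datagram):
    """Encoder step: split a datagram into header fields and a list of (type, value) attributes."""
    if len(datagram) < HEADER.size:
        raise RadiusFormatError("shorter than the 20-octet header")
    code, ident, length, authenticator = HEADER.unpack_from(datagram)
    if not HEADER.size <= length <= 4096 or len(datagram) < length:
        raise RadiusFormatError("Length field invalid or datagram truncated")
    attrs, pos = [], HEADER.size
    while pos < length:  # octets beyond Length are padding and are ignored
        if length - pos < 2 or datagram[pos + 1] < 2 or pos + datagram[pos + 1] > length:
            raise RadiusFormatError("malformed attribute header")
        alen = datagram[pos + 1]
        attrs.append((datagram[pos], datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs

def encode_attrs(attrs):
    # Attribute TLV: Type (1 octet), Length including these two octets (1 octet), Value
    return b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)

def inspect_access_request(code, attrs):
    """Inspector step: RFC 2865 section 4.1 rules a PAP Access-Request must satisfy."""
    types = [t for t, _ in attrs]
    if code != ACCESS_REQUEST:
        raise RadiusFormatError("the authentication service only accepts Access-Request")
    if types.count(ATTR_USER_PASSWORD) != 1 or types.count(ATTR_USER_NAME) > 1:
        raise RadiusFormatError("PAP needs exactly one User-Password and at most one User-Name")
    if ATTR_NAS_IP_ADDRESS not in types and ATTR_NAS_IDENTIFIER not in types:
        raise RadiusFormatError("NAS-IP-Address or NAS-Identifier is required")
    hidden = next(v for t, v in attrs if t == ATTR_USER_PASSWORD)
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise RadiusFormatError("User-Password must be 16..128 octets in 16-octet blocks")

def _pap_xor(secret, authenticator, data, hiding):
    """Section 5.2 chaining: block i is XORed with MD5(secret + previous hidden block)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hiding else block  # the hidden block is the chaining value either way
    return bytes(out)

def hide_password(secret, authenticator, password):
    # Client side: NUL-pad to a 16-octet boundary (at least one block), then hide
    padded = password + b"\0" * ((-len(password) % 16) if password else 16)
    return _pap_xor(secret, authenticator, padded, hiding=True)

def reveal_password(secret, authenticator, hidden):
    """Server side: undo the hiding and drop the NUL padding."""
    return _pap_xor(secret, authenticator, hidden, hiding=False).rstrip(b"\0")

def build_access_request(secret, ident, username, password, authenticator, nas_id=b"lab-nas"):
    """What a NAS (or the nRadius client) sends; a real client draws the 16-octet authenticator at random."""
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password)),
                         (ATTR_NAS_IDENTIFIER, nas_id)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER.size + len(body)) + authenticator + body

def build_response(code, ident, request_authenticator, secret, attrs=()):
    """Encoder step for the reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body

def verify_response(datagram, request_authenticator, secret):
    """Client side: recompute the Response Authenticator before trusting the reply's Code."""
    expected = hashlib.md5(datagram[:4] + request_authenticator + datagram[20:] + secret).digest()
    return hmac.compare_digest(expected, datagram[4:20])

def handle_datagram(datagram, secret, validate_user):
    """Service step: decode, inspect, reveal the PAP password, ask the membership provider, reply."""
    try:
        code, ident, authenticator, attrs = parse_packet(datagram)
        inspect_access_request(code, attrs)
    except RadiusFormatError:
        return None  # silently discard, as RFC 2865 requires
    username = next((v for t, v in attrs if t == ATTR_USER_NAME), b"").decode("utf-8", "replace")
    hidden = next(v for t, v in attrs if t == ATTR_USER_PASSWORD)
    password = reveal_password(secret, authenticator, hidden).decode("utf-8", "replace")
    return build_response(ACCESS_ACCEPT if validate_user(username, password) else ACCESS_REJECT,
                          ident, authenticator, secret)

def lab_membership_validate(username, password):
    """Constructed stand-in for the test membership provider: password is "<User name>'s password"."""
    return password == username + "'s password"
```

The membership-provider callback is the only place the clear-text password exists, which is why the service can stay generic: everything RADIUS-specific (framing, the MD5 chaining keyed by the shared secret, the authenticator of the reply) sits in the encoder and inspector layers, and an ASP.NET membership provider only ever sees a user name and a password string.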

System Integrator’s Rationale
The WCF RADIUS Authentication Service lowers the barrier to entry for implementing a custom authentication scheme based on the RADIUS Authentication protocol in deployments where a fully-fledged commercial or open-source product, such as FreeRADIUS, is not required and the use of PAP authentication between the RADIUS Service and the RADIUS Client (network access point) is acceptable. The Service does not implement any user authorization logic itself and instead relies on a configured ASP.NET Membership Provider to perform authorization. This broadens the system integrator's options in terms of supported user authentication backends, including the Hybrid AD / SQL Authentication Provider.

Provided below is an example of applying the Service in the context of an ISA-based reverse proxy used to secure an ASP.NET membership-aware application and a Java anonymous-profile legacy application, while providing transparent sign-on into the legacy application with the credentials used for the ASP.NET app:

[Figure: WCF Radius.png]

Installation Guide
The service host is currently implemented as a console application. To prepare the Service for use, edit the Lab620.WcfRadiusService.exe.config file to customize the following:
1) Register a type for the membership provider used to authenticate users:

<membership defaultProvider="testProvider">
    <providers>
        <add name="testProvider" type="Lab620.WcfRadiusService.Test.TestMembershipProvider, Lab620.WcfRadiusService"/>
    </providers>
</membership>

2) Set the Shared Secret and the membership provider name configured in step 1 in the RADIUS binding element:

<radiusBinding>
    <binding name="radiusAuthService" sharedSecret="Blah" membershipProvider="testProvider" />
</radiusBinding>

3) Optional: customize the endpoint element to place the service on a port other than the default UDP port 1812 associated with the RADIUS Authentication protocol:

<endpoint address="soap.udp://localhost:1812/" 
            binding="radiusBinding" 
            bindingConfiguration="radiusAuthService"
            contract="Lab620.WcfRadiusService.Contracts.IAuthenticationService" />

Testing
The code was tested with the nRadius Client and ISA 2006. To test with the test membership provider supplied with the project, use the following credentials:
  • User name: <User name>
  • Password: <User name>’s password

Last edited Feb 22, 2009 at 12:22 AM by valorekhov, version 9