Aaa-Radius NTW


AAA Services

• Authentication
• Authorization
• Accounting

2
Authentication

• Verify the user is who he/she claims to be
• Use a password, special token card, Caller-ID, etc.
• May issue an additional ‘challenge’

3
Authorization

• Check that the user may access the services he/she wishes
• Check database or file information about the user

4
Accounting

• Record what the user has done
• Time online, bytes sent/received, services accessed, files downloaded, etc.

5
NAS/RAS
Network Access Server / Remote Access Server

(Diagram: phone lines and modems terminate on the NAS/RAS, which performs
routing and protocol conversion onto the TCP/IP network.)
6
Types of AAA Services

• Local accounts on the NAS/RAS
• Proprietary software between NAS and server
• RADIUS
• TACACS (tacacs, tacacs+, xtacacs)

7
RADIUS Basics

• A protocol for communicating between a Network Access Server (NAS) and a
  remote Authentication/Access/Accounting server
• Not the actual server itself

8
RADIUS Basics

• Defined by IETF standards RFC 2138 and RFC 2139
  http://www.faqs.org/rfcs/rfc2138.html
  http://www.faqs.org/rfcs/rfc2139.html
• Requires clients (normally a NAS) and servers (often called RADIUS servers)

9
RADIUS: Basics
Authentication Data Flow

(Diagram: Bob, with UserID bob and password ge55gep, dials the ISP modem pool
and establishes a connection. The NAS (NAS-ID 207.12.4.1) sends User-Name=bob,
Password=ge55gep and other attributes to the ISP RADIUS server, which runs
"Select UserID=bob" against the ISP user database and replies with
Access-Accept carrying Timeout=3600, Framed-Address=217.213.21.5 and other
attributes. The Internet PPP connection is then established.)

10
RADIUS: Basics
Authentication Data Flow

(Diagram: once the Internet PPP connection is established, the ISP modem pool
sends the accounting record "Sun May 10 20:47:41 1998, Acct-Status-Type=Start,
User-Name=bob, Framed-Address=217.213.21.5, ..." to the ISP RADIUS server,
which stores it in the accounting database and returns an acknowledgement.)

The Accounting “Start” Record


11
RADIUS: Basics
Authentication Data Flow

(Diagram: when the user disconnects the Internet PPP connection, the ISP modem
pool sends the accounting record "Sun May 10 20:50:49 1998,
Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432, ..." to the ISP
RADIUS server, which stores it in the accounting database and returns an
acknowledgement.)

The Accounting “Stop” Record


12
RADIUS: Basics

• Key data for Authentication
  • NAS/Client Info
    • IP name and/or IP address
    • Shared secret key for encryption
  • User Information
    • User-Name & Password
  • Session Information
    • Speed, dialed number, port, NAS ID, etc.

13
RADIUS Basics
The process flow

• Decode packet using the shared secret key

14
RADIUS Basics
Shared Secret Keys

(Diagram: the RADIUS server and each client (e.g. User 1) hold the same shared
secret, used as the session key. Plaintext is encrypted with it into
ciphertext on one side and decrypted with the same shared secret on the other,
in both directions.)
15
RADIUS Basics
The process flow

• Look up users in a local or external database
  • Text file
  • Password file (UNIX)
  • NT Registry / NetWare Directory
  • NIS/NIS+
  • LDAP
  • Etc., etc.

16
RADIUS Basics
The process flow

• Authenticate
  • User-Name, Password, etc.
  • CHAP challenge
  • SecurID token card
  • Etc.

17
RADIUS Basics
The process flow

• Check arbitrary access criteria
  • Type of access (analog, ISDN)
  • Time of day
  • Called or calling number

18
RADIUS Basics
The process flow

• Send Accept/Reject to the NAS with appropriate session attributes
  • Session timers
  • Filters (allow/reject IP addresses)
  • IP address
  • ISDN session parameters
  • Etc.

19
RADIUS: Basics
Process Description

• Using a modem, the user dials in to a modem connected to a NAS. Once the
  modem connection is completed, the NAS attempts to use the CHAP or PAP
  protocol to determine the userID and password. If that fails, the NAS
  prompts the user for the userID and password.

20
RADIUS: Basics
Process Description

• The NAS creates a data packet from this information called the
  authentication request. This packet includes information identifying the
  specific NAS sending the authentication request, the port that is being
  used for the modem connection, and the user name and password. For
  protection from eavesdropping, the NAS, acting as a RADIUS client, encrypts
  the password (using a shared secret key) before it is sent to the RADIUS
  server.

21
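The password encryption described on slide 21 is the User-Password hiding of RFC 2138 section 5.2. The following Python is an added example, not code from the deck; it uses Bob's password and the portmaster1 secret from the deck's clients file, with a constructed Request Authenticator.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2138 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed with
    MD5(secret + previous block), where the 'previous block' of the first block is
    the 16-octet Request Authenticator from the Access-Request header.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next block is keyed by this ciphertext block
    return bytes(hidden)

def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: undo hide_password and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    plain, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")

# Constructed values: Bob's password and the portmaster1 secret from the deck, with a
# fixed Request Authenticator (a real NAS draws 16 fresh random octets per request).
PASSWORD = b"ge55gep"
SECRET = b"wP40cQ0"
REQUEST_AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    print("hidden:", hidden.hex())
    print("reveal:", reveal_password(hidden, SECRET, REQUEST_AUTHENTICATOR))
    # A mismatched secret yields garbage rather than an error: the hiding carries no
    # integrity check of its own, so the server simply sees a password that fails.
    print("wrong :", reveal_password(hidden, b"A3X445A", REQUEST_AUTHENTICATOR))
```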
RADIUS: Basics
Process Description

• The Authentication Request is sent over the network from the RADIUS client
  (i.e. the NAS) to the RADIUS server. This communication can be done over a
  local- or wide-area network, allowing network managers to locate RADIUS
  clients remotely from the RADIUS server. If the RADIUS server cannot be
  reached, the NAS can usually route the request to an alternate server.

22
RADIUS: Basics
Process Description

• When an Authentication Request is received, the RADIUS server validates the
  request and then decrypts the data packet to access the user name and
  password information. This information is passed on to the appropriate
  security system being supported. This could be a text file, UNIX password
  files, NIS, LDAP, a commercially available security system or a custom
  database.

23
RADIUS: Basics
Process Description

• If the user name and password are correct, the server sends an
  Authentication Acknowledgment that includes information on the user's
  network system and service requirements. For example, the RADIUS server
  will tell the NAS that a user needs TCP/IP and/or NetWare using PPP
  (Point-to-Point Protocol) or that the user needs SLIP (Serial Line Internet
  Protocol) to connect to the network. The acknowledgment can even contain
  filtering information to limit a user's access to specific resources on
  the network.

24
RADIUS: Basics
Process Description

• If at any point in this log-in process conditions are not met, the RADIUS
  server sends an Authentication Reject to the NAS and the user is denied
  access to the network.

25
RADIUS: Basics
Process Description

• To ensure that requests are not responded to by unauthorized persons or
  devices on the network, the RADIUS server sends an authentication key, or
  signature, identifying itself to the RADIUS client.

26
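The signature slide 26 refers to is the Response Authenticator of RFC 2138 section 3: an MD5 over the reply and the shared secret that the NAS recomputes before trusting an Access-Accept. This Python is an added example, not the deck's code; it signs the slide-9 Access-Accept with the portmaster1 secret, with the attribute numbers, identifier and Request Authenticator supplied here.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8   # "Framed-Address" in the deck's dictionary
SESSION_TIMEOUT = 27    # the "Timeout=3600" attribute in the slide-9 Access-Accept

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Attribute/Value Pair: Type (1 octet), Length (1 octet, incl. header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side: assemble a reply and fill in its Response Authenticator, which RFC 2138
    section 3 defines as MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes

def verify_response(packet, request_authenticator, secret):
    """NAS side: accept the reply only if its authenticator matches what the shared secret
    and the Request Authenticator of the still-outstanding request produce."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond the Length field are padding
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])  # constant-time comparison

# Constructed exchange: the slide-9 Access-Accept (Framed-Address=217.213.21.5, Timeout=3600)
# signed with the portmaster1 secret from the clients file; the authenticator and ID are fixed
# here but are random per request on a real NAS.
SECRET = b"wP40cQ0"
REQUEST_AUTHENTICATOR = bytes(range(16, 32))
ATTRIBUTES = (avp(FRAMED_IP_ADDRESS, socket.inet_aton("217.213.21.5"))
              + avp(SESSION_TIMEOUT, struct.pack("!I", 3600)))

def demo():
    """Return (genuine reply verifies, reply with Timeout raised to 86400 in transit verifies)."""
    reply = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, ATTRIBUTES, SECRET)
    tampered = reply[:-4] + struct.pack("!I", 86400)
    return (verify_response(reply, REQUEST_AUTHENTICATOR, SECRET),
            verify_response(tampered, REQUEST_AUTHENTICATOR, SECRET))

if __name__ == "__main__":
    print(demo())  # (True, False)
```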
RADIUS: Basics
Process Description

• Once the server information is received and verified by the NAS, it
  enables the necessary configuration to deliver the right network services
  to the user.

27
RADIUS: Basics
Essential Server Data

• Client Information
  • IP name
  • Shared secret key
  • Group assignment
  • Special parameters
  • NAS type

28
RADIUS: Basics
Essential Server Data

• NAS/Client Info
  Stored in a “clients” file or similar data structure:

  # This file contains a list of clients
  # which are allowed to make
  # authentication requests and their
  # encryption key. The first field is a
  # valid hostname for the client.
  # The second field (separated by blanks
  # or tabs) is the encryption key.
  #
  #Client Name    Key
  #----------------------------------
  portmaster1     wP40cQ0
  portmaster2     A3X445A
  192.168.1.2     wer369st

29
RADIUS: Basics
Essential Server Data

• Dictionary
  • Definition of RADIUS attributes
  • Assigns readable names to attribute numbers
  • Value types: string, integer, IP address, date

30
RADIUS: Basics
Essential Server Data

• Dictionary
  Stored in a “dictionary” file or similar data structure:

  # This file contains dictionary
  # translations for parsing requests and
  # generating responses. All transactions
  # are composed of Attribute/Value Pairs.
  # The value of each attribute is specified
  # as one of 4 data types. Valid data types
  # are:
  #   string  - 0-253 octets
  #   ipaddr  - 4 octets in network byte order
  #   integer - 32 bit value (high byte first)
  #   date    - 32 bit value - seconds since
  #             00:00:00 GMT, Jan. 1, 1970

31
RADIUS: Basics
Essential Server Data

• Dictionary

  #                               Attr.  Attr.
  #Keyword    Attribute Name      Num    Type
  ATTRIBUTE   User-Name           1      string
  ATTRIBUTE   Password            2      string
  ATTRIBUTE   CHAP-Password       3      string
  ATTRIBUTE   Client-Id           4      ipaddr
  ATTRIBUTE   Client-Port-Id      5      integer
  ATTRIBUTE   User-Service-Type   6      integer
  ATTRIBUTE   Framed-Protocol     7      integer
  ATTRIBUTE   Framed-Address      8      ipaddr
  ATTRIBUTE   Framed-Netmask      9      ipaddr
  ...

32
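To show how a dictionary in this format drives parsing, here is an added Python example (not from the deck) that reads ATTRIBUTE lines and decodes a raw Attribute/Value Pair list using the four value types from slide 31. The dictionary excerpt and the sample bytes are constructed; the sample carries the values of the slide-37 Start record.

```python
import socket
import struct
from datetime import datetime, timezone
# Constructed excerpt of the deck's dictionary file (slide 32), in its own format.
DICTIONARY_TEXT = """
# Keyword   Attribute Name    Num  Type
ATTRIBUTE   User-Name         1    string
ATTRIBUTE   Client-Id         4    ipaddr
ATTRIBUTE   Client-Port-Id    5    integer
ATTRIBUTE   Framed-Address    8    ipaddr
"""
def parse_dictionary(text):
    """Map attribute number -> (name, type) from ATTRIBUTE lines; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0].upper() == "ATTRIBUTE":
            table[int(fields[2])] = (fields[1], fields[3].lower())
    return table

def decode_value(vtype, raw):
    """Decode one value using the four dictionary types defined on slide 31."""
    if vtype == "string":  # 0-253 octets, shown as text
        return raw.decode("latin-1")
    if len(raw) != 4:  # ipaddr, integer and date are all exactly 4 octets
        raise ValueError(f"{vtype} value must be 4 octets, got {len(raw)}")
    if vtype == "ipaddr":
        return socket.inet_ntoa(raw)
    if vtype == "integer":  # 32-bit value, high byte first
        return struct.unpack("!I", raw)[0]
    if vtype == "date":  # seconds since 00:00:00 GMT, Jan. 1, 1970
        return datetime.fromtimestamp(struct.unpack("!I", raw)[0], tz=timezone.utc)
    raise ValueError(f"unknown dictionary type {vtype!r}")

def decode_avps(data, table):
    """Walk the Type/Length/Value list; a bad Length field is rejected, not trusted."""
    pairs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {pos}")
        attr_type, length = data[pos], data[pos + 1]
        name, vtype = table.get(attr_type, (f"Attr-{attr_type}", None))  # unknown -> hex
        raw = data[pos + 2:pos + length]
        pairs.append((name, decode_value(vtype, raw) if vtype else raw.hex()))
        pos += length
    return pairs
# Constructed attribute bytes carrying the values of the slide-37 Start record.
SAMPLE = (b"\x01\x05bob" + b"\x04\x06" + bytes([206, 171, 153, 11])
          + b"\x05\x06" + (20110).to_bytes(4, "big") + b"\x08\x06" + bytes([209, 79, 145, 46]))
```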
RADIUS: Basics
Essential Server Data

• User Information (“users” file)
  • User-Name
  • Password
  • Authentication method
  • Check attributes
  • Send attributes

33
RADIUS: Basics
Essential Server Data

• User Data (Example 1)

  bob  Password = "ge55ep"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,
       Framed-IP-Address = 255.255.255.254,
       Framed-IP-Netmask = 255.255.255.255,
       Framed-Routing = None,
       Filter-Id = "std.ppp",
       Framed-MTU = 1500

34
RADIUS: Basics
Essential Server Data

• User Data (Example 2)

  bob  Password = "ge55gep",
       NAS-IP-Address = 192.168.1.54,
       NAS-Port-Type = ISDN
       Service-Type = Framed-User,
       Framed-Protocol = PPP

35
RADIUS: Basics
Essential Server Data

• User Data (Example 3)

  bob  Password = "ge55gep",
       Caller-Id = "510-555-1212"
       Service-Type = Callback-Login-User,
       Login-IP-Host = 192.168.1.76,
       Login-Service = Telnet,
       Login-TCP-Port = 23,
       Callback-Number = "9,1-800-555-1234"

36
RADIUS: Basics
Accounting Start Record

Sun May 10 20:47:41 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Start
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282375"
    Acct-Authentic = RADIUS
    Caller-Id = "5105551212"
    Client-Port-DNIS = "5218296"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46

37
RADIUS: Basics
Accounting Stop Record

Sun May 10 20:50:49 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282353"
    Acct-Authentic = RADIUS
    Acct-Session-Time = 4871
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286
    Caller-Id = "5105551212"
    Client-Port-DNIS = "4218296"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46

38
RADIUS: Basics
Proxy Services

• A forwarding or “proxy” server can forward authentication and/or
  accounting requests to another server for handling.
• In order to differentiate between requests that should be handled locally
  and those that should be forwarded, the NAI needs to be specially
  processed.

39
RADIUS: Basics
Proxy Services

• The NAI (Network Access Identifier) is commonly called the userID.
• In proxy and roaming situations the NAI is modified to include both the
  userID and a “realm” identifier.
• The realm is a keyword indicating the server responsible for
  authenticating the userID.

40
RADIUS: Basics
Proxy Services

• The standard way to send a userID and realm in the NAI is to separate
  them with a “@”.
• A typical proxy NAI looks like:
    user@realm
• A proxy RADIUS server looks for the “@” in the NAI to determine if it
  should handle the request or forward it.

41
RADIUS: Basics
Proxy Services

• If no “@” is present, the entire NAI is assumed to be only a userID.
• If a “@” is present, the NAI is split into two tokens (a userID and a
  realm label).

42
RADIUS: Basics
Proxy Services

• The realm label is looked up in a local file or database to find the
  address of the server for the realm and the protocol (typically RADIUS)
  used to connect to it.
• Although the realm label may look like a domain name (e-mail addresses
  are often used as NAIs), it is not safe to assume that.

43
RADIUS: Basics
Proxy Services

An example “realms” file might look like:

  #realm    IP
  #label    Address       Port  Protocol  Secret
  homeco    167.24.12.5   1812  Radius    Don’t3v3rtell
  biginiv   12.123.43.9   1645  Radius    js&yWpnfE2vuR

(A real realms file might contain much more information. Each vendor
implements realm information differently.)

44
RADIUS: Basics
Proxy Services

A typical bilateral proxy model looks like:

(Diagram: the NAS sends an Access-Request with UserID bill@homeco and Password
mypass to the proxy RADIUS server. The proxy consults its realms file, logs the
request and forwards an Access-Request with UserID bill and Password mypass to
the homeco RADIUS server, which checks its user DB and logs the request. The
reply returns from homeco through the proxy to the NAS.)

45
RADIUS: Basics
Proxy Services

• Bilateral relationships, with all the realm information stored in a local
  realms file or table, can be effective with a small number of roaming or
  proxy partners.
• But the files must be changed each time there is a change in a server
  configuration.

46
RADIUS: Basics
Proxy Services

• A consortium, or clearinghouse, solves that problem by having all proxy
  requests forwarded to it first.
• The consortium maintains a list of all the server information for it’

47
RADIUS: Basics
Proxy Services

• In the case of a roaming consortium or clearinghouse it may be necessary
  to add additional information to the NAI.
• This is because each server in the proxy chain might strip off the realm
  before passing the request on to the next server.

48
RADIUS: Basics
Proxy Services

• A common solution is to use the “/” as an additional separator.
• In the case of a consortium called “cons” the NAI would look like:
    cons/user@realm
  An actual NAI might be:
    infonet/rdperl@berkinet.com

49
RADIUS: Basics
Proxy Services

• The first server may now strip off “cons” and forward the remaining two
  tokens:
    rdperl@berkinet.com
• The consortium’s server strips off the remaining realm and forwards the
  userID to the final server:
    rdperl

50
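The NAI splitting and realm lookup of slides 41 to 50 as an added Python example (not the deck's code). The realms file is a constructed one in the slide-44 format with placeholder secrets and a constructed 'cons' entry, and taking the realm as the text after the last '@' is an assumption the deck does not state.

```python
# Constructed realms file in the slide-44 format: the deck's two realms plus a 'cons'
# consortium entry; the 'cons' address and all secrets are placeholders, not the deck's values.
REALMS_TEXT = """
#realm   IP
#label   Address       Port  Protocol  Secret
homeco   167.24.12.5   1812  Radius    <secret-homeco>
biginiv  12.123.43.9   1645  Radius    <secret-biginiv>
cons     10.0.0.10     1812  Radius    <secret-cons>
"""

def parse_realms(text):
    """Map realm label -> (address, port, protocol, secret). Labels are matched as plain
    keywords: slide 43 warns that they are not domain names even when they look like one."""
    realms = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5:
            label, addr, port, proto, secret = fields
            realms[label] = (addr, int(port), proto, secret)
    return realms

def split_nai(nai):
    """Return (consortium, userid, realm); absent parts are None. '/' separates an optional
    consortium token (slide 49) and '@' separates userID from realm (slide 41); with no '@'
    the whole remainder is a userID (slide 42). The realm is taken after the last '@'."""
    consortium, rest = nai.split("/", 1) if "/" in nai else (None, nai)
    userid, realm = rest.rsplit("@", 1) if "@" in rest else (rest, None)
    return consortium, userid, realm

def next_hop(nai, realms):
    """Decide what a proxy does with a request, stripping tokens in the slide-50 order.
    Returns ('local', None, userid), ('forward', (label, realm_entry), nai_to_forward), or
    ('reject', label, None) for a label missing from the realms file (never forward blindly)."""
    consortium, userid, realm = split_nai(nai)
    if consortium is not None:   # first server: strip 'cons', forward user@realm
        label, forwarded = consortium, (f"{userid}@{realm}" if realm is not None else userid)
    elif realm is not None:      # consortium server: strip the realm, forward the bare userID
        label, forwarded = realm, userid
    else:
        return ("local", None, userid)
    if label not in realms:
        return ("reject", label, None)
    return ("forward", (label, realms[label]), forwarded)

if __name__ == "__main__":
    realms = parse_realms(REALMS_TEXT)
    for nai in ("cons/bill@homeco", "bill@homeco", "bill", "bill@nowhere.example"):
        print(nai, "->", next_hop(nai, realms))
```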
RADIUS: Basics
Proxy Services

A consortium proxy model looks like:

(Diagram: the NAS sends an Access-Request with UserID cons/bill@homeco and
Password mypass to the first RADIUS proxy, which consults its realms file, logs
the request and forwards an Access-Request with UserID bill@homeco to the cons
RADIUS proxy. That proxy consults its own realms file, logs the request and
forwards an Access-Request with UserID bill to the homeco RADIUS server, which
checks its user DB and logs the request. Replies return along the same path.)

51
RADIUS: Basics
Proxy Services: Editing Attributes

• A proxy server may add, delete or modify the attributes that it forwards.
• An IP address may be invalid on a given network, the maximum online time
  may be different, local filters may be required, etc.

52
RADIUS: Basics
Proxy Services: Editing Attributes

• In cases where special control of attributes is required, bilateral
  relationships may work best.
• A proxy server may also need to translate attributes intended for one
  brand of NAS into another brand's format (pools, filters, etc.).

53
RADIUS Proxy Servers

• Freeware
  • DTC - Radius 2.0 - NT/UNIX - (Japanese)
    http://www.dtc.co.jp/Radius2.0
• Commercial
  • Shiva - Shiva Access Manager - 95/NT/UNIX
    http://athena.shiva.com/remote/radius
  • Open System Consultants Pty Ltd - Radiator - NT/UNIX
    http://www.open.com.au/radiator/
  • Microsoft - Microsoft Commercial Internet System (MCIS) - NT
    http://www.microsoft.com/mcis/guide/features.asp
  • Funk - Steel-Belted Radius - Netware/NT
    http://www.funk.com/Radius/
  • Vircom - Proxy & Roaming Radius Server (PRRS) - NT
    http://www.vircom.com/info/vprrsrel.htm
  • Novell - BorderManager - Netware
    http://www.novell.com/text/bordermanager/radius.html
  • Ascend Communications - “Access Control” - NT/UNIX
    http://www.ascend.com/324.html
  • Merit - Merit AAA Server - UNIX
    http://www.merit.edu/aaa/

54
Other Authentication Protocols

• TACACS (TACACS+ and XTACACS)
  • Developed by Cisco Systems for military applications. Originally used
    between Cisco terminal servers and a UNIX TACACS server.
  • Mostly replaced by RADIUS since Cisco added RADIUS support to its access
    products.
  • Still used for SecurID lookups since the SecurID (ACE) server supports
    TACACS. However, new releases of SecurID now support RADIUS.

55
Other Authentication Protocols

• SecurID ACE Server
  • Uses a “token” card with a One-Time-Password.
  • Can function as a stand-alone server (RADIUS or TACACS compatible).
  • Can also handle queries from a RADIUS server.
  • ACE server software is available for many platforms.
    http://www.securitydynamics.com/solutions/products/asvrdata.html

56
