Aaa-Radius NTW
AAA Services
Authentication
Authorization
Accounting
NAS/RAS
Network Access Server
Remote Access Server
TCP/IP
Network
Routing
Protocol Conversion
Modems
Phone Lines
Types of AAA Services
Local accounts on the NAS/RAS
Proprietary software between NAS and server
RADIUS
TACACS (TACACS, TACACS+, XTACACS)
RADIUS Basics
RADIUS: Basics
Authentication Data Flow
[Figure: Bob dials the ISP modem pool with UserID bob and password ge55gep. The NAS (NAS-ID 207.12.4.1) forwards the request to the ISP RADIUS server as User-Name=bob, Password=ge55gep and other attributes; the server selects UserID=bob from its database and replies with an Access-Accept carrying Timeout=3600, Framed-Address=217.213.21.5 and other attributes, after which Bob is connected to the Internet.]
RADIUS: Basics
Authentication Data Flow
[Figure (accounting records): once the PPP connection to the Internet is established, the NAS sends the ISP RADIUS server an accounting record (Sun May 10 20:47:41 1998: Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5, ...); the server stores it in the accounting database and returns an acknowledgement. The figure also marks the point where the user disconnects.]
User Information: User-Name & Password
Session Information: Speed, dialed number, port, NAS ID, etc.
RADIUS Basics
The process flow
Shared Secret Keys
[Figure: three parties, one labelled User 1, each holding the shared secret and a session key, with plaintext passing between them.]
Lookup users in local or external database:
Text file
Password file (UNIX)
NT Registry / Netware Directory
NIS/NIS+
LDAP
Etc.
Authenticate:
User-Name, Password, etc.
CHAP challenge
SecurID token card
Etc.
RADIUS: Basics
Process Description
RADIUS: Basics
Essential Server Data
Client Information
IP name
Shared secret key
Group assignment
Special parameters
NAS type
NAS/client info is stored in a “clients” file or similar data structure:
# This file contains a list of clients
# which are allowed to make
# authentication requests and their
# encryption key. The first field is a
# valid hostname for the client.
# The second field (separated by blanks
# or tabs) is the encryption key.
#
#Client Name Key
#----------------------------------
portmaster1 wP40cQ0
portmaster2 A3X445A
192.168.1.2 wer369st
Dictionary
Definition of RADIUS attributes
Assigns readable names to attribute numbers
Data types: string, integer, IP address, date
Stored in a “dictionary” file or similar data structure:
# This file contains dictionary
# translations for parsing requests and
# generating responses. All transactions
# are composed of Attribute/Value Pairs.
# The value of each attribute is specified
# as one of 4 data types. Valid data types
# are:
# string - 0-253 octets
# ipaddr - 4 octets in network byte order
# integer - 32 bit value (high byte first)
# date - 32 bit value - seconds since
# 00:00:00 GMT, Jan. 1, 1970
# Attr. Attr.
#Keyword Attribute Name Num Type
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE Client-Id 4 ipaddr
ATTRIBUTE Client-Port-Id 5 integer
ATTRIBUTE User-Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-Address 8 ipaddr
ATTRIBUTE Framed-Netmask 9 ipaddr
...
RADIUS: Basics
Accounting Start Record
Accounting Stop Record
Proxy Services
The realm label is looked up in a local file or database to find the address of the server for the realm and the protocol (typically RADIUS) used to connect to it. Although the realm label may look like a domain name (e-mail addresses are often used as NAIs), it is not safe to assume that.
(A real realms file might contain much more information. Each vendor implements realm information differently.)
Proxy Services: Editing Attributes
RADIUS Proxy Servers
Freeware
DTC - Radius 2.0 - NT/UNIX - (Japanese)
http://www.dtc.co.jp/Radius2.0
Commercial
Shiva - Shiva Access Manager - 95/NT/UNIX
http://athena.shiva.com/remote/radius
Open System Consultants Pty Ltd - Radiator - NT/UNIX
http://www.open.com.au/radiator/
Microsoft - Microsoft Commercial Internet System (MCIS) - NT
http://www.microsoft.com/mcis/guide/features.asp
Funk - Steel-Belted Radius - Netware/NT
http://www.funk.com/Radius/
Vircom - Proxy & Roaming Radius Server (PRRS) - NT
http://www.vircom.com/info/vprrsrel.htm
Novell - BorderManager - Netware
http://www.novell.com/text/bordermanager/radius.html
Ascend Communications - Access Control - NT/UNIX
http://www.ascend.com/324.html
Merit - Merit AAA Server - UNIX
http://www.merit.edu/aaa/
Other Authentication Protocols
TACACS (TACACS+ and XTACACS)
Developed by Cisco Systems for military applications. Originally used between a Cisco terminal server and a UNIX TACACS server.
Mostly replaced by RADIUS since Cisco added RADIUS support to its access products.
Still used for SecurID lookups, since the SecurID (ACE) server supports TACACS. However, new releases of SecurID now support RADIUS.
SecurID ACE Server
Uses a “token” card with a one-time password.
Can function as a stand-alone server (RADIUS- or TACACS-compatible).
Can also handle queries from a RADIUS server.
ACE server software is available for many platforms.
http://www.securitydynamics.com/solutions/products/asvrdata.html