Transcript RADIUS
RADIUS By: Nicole Cappella Overview Central Authentication Services Definition of RADIUS “AAA Transaction” Roaming Security Issues and How to Minimize Security Issues Central Authentication Service Central Authentication Service (CAS): Single sign-on protocol for the web Permit user to access multiple applications while providing credentials only once Web applications authenticate users without gaining access to user’s security credentials Central Authentication Servers Reason Needed: Employees need access and authorizations for a dozen or more servers Benefits: Reduce costs Consistency in authentication no matter where user or attacker comes into the network Company-wide changes can be made instantly RADIUS Remote Authentication Dial-In User Service Network protocol that provides security to networks against unauthorized access Enables centralized authentication of dial-in users and authorizing their access to use a network service Performs 3 major functions: Authenticates users trying to establish connection to network Authorizes users to access requested network services Accounts for use of those services RADIUS Most widely used standard for central authentication servers Allows company to maintain user profiles in a central database that all remote servers can share Provides better security Easier to track usage for billing and for keeping network statistics “AAA Transaction” • Authentication and Authorization • Request sent to Remote Access Server (RAS) • RAS sends RADIUS Access Request message to RADIUS server • Includes access credentials • RADIUS server checks if info is correct using authentication schemes: • PAP, CHAP, EAP RADIUS Authentication and Authorization Flow “AAA Transaction” RADIUS server returns one of three responses to the RAS 1. Access Reject Denied access to all requested network resources 2. Access Challenge Additional information needed from user 3. Access Accept User granted access “AAA Transaction” • Accounting • Accounting Start • sent by NAS to RADIUS sever to signal start of user’s network access • Interim Update • Update RADIUS server on status of an active session • Accounting Stop • Issued when user’s network access is closed RADIUS Accounting Flow Roaming Commonly used to facilitate roaming between ISPs Provides single global set of credentials to be used on any public network Facilitated by use of realms Realms: Appended to user’s user name and delimited with an ‘@’ Resemble domains, but do not contain real domain names Interaction between a dial-in user and the RADIUS client and server Security Access-Request messages sent by RADIUS clients are not authenticated Radius shared secret can be weak due to poor configuration and limited size Sensitive attributes are encrypted using the Radius hiding mechanism Poor request authenticator values can be used to decrypt encrypted attributes Minimize Security Issues Use strong shared secrets Require the Message-Authenticator attribute in all Access- Request messages Cryptographic-quality values for the Request Authenticator Different shared secrets for each RADIUS client/server pair Internet Protocol Security to provide data confidentiality for RADIUS messages Summary RADIUS stands for Remote Authentication Dial-In User Server RADIUS is the most widely used central authentication servers RADIUS servers use the “AAA Transaction” to manage network access Security issues arise, but if implemented correctly, they can be avoided References Janssen, Cory. "Remote Authentication Dial-in User Service (RADIUS)." Techopedias. N.p., n.d. Web. 02 Dec. 2013. "RADIUS Server." Webopedia. N.p., n.d. Web. 02 Dec. 2013. "RADIUS." Wikipedia. Wikimedia Foundation, 25 Nov. 2013. Web. 02 Dec. 2013.