Implementing RADIUS AAA
Phil & Rick
Content
• Terms and Concepts
  • Access Control
  • What is AAA?
  • Benefits of AAA
  • What is RADIUS?
• Microsoft IAS
  • Overview
  • Installation
  • Management Console
• Case Study
  • IAS Configuration
  • Router Configuration
  • Case Study Summary
  • Resources
Terms and Concepts
Access Control
• Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access.
• Authentication, Authorization, and Accounting (AAA) provide the primary framework through which you set up access control on your router or access server.
What is AAA?
• Authentication, Authorization and Accounting
• Authentication
  • Verifies users before they are allowed access to the network and network services
• Authorization
  • Enables you to limit the services available to a user
• Accounting
  • Enables you to track the services that users are accessing and the amount of network resources they are
Benefits of AAA
• AAA provides the following benefits:
  • Increased flexibility and control of access configuration
  • Scalability
  • Standardized authentication methods such as RADIUS, TACACS+, and Kerberos
  • Multiple backup systems
• AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or
What is RADIUS?
• Remote Access Dial-in User Service (RADIUS)
• Client/Server Protocol
  • Client is typically a NAS
  • Server is usually a daemon process running on a Unix or Windows machine
  • The client passes user information to the designated RADIUS servers, and acts on the response that is returned
  • RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary
Internet Authentication Service
Overview
• Internet Authentication Service
  • Performs centralized AAA of users who connect to the network.
  • Implements the IETF standard RADIUS protocol.
• Implementing IAS Overview
  • Configure your server with a static IP address
    • IP Address: 192.5.5.10/24 (case study)
    • Default Gateway: 192.5.5.1 (case study)
  • Install IAS
  • Create an IAS Management Console (optional)
  • Create users and groups (case study)
  • Edit system log to show IAS events (optional)
  • Configure authentication and accounting ports (optional)
  • Configure IAS log (case study)
  • Add a RADIUS client (case study)
  • Creating Remote Access Policies (case study)
IAS
Installation
IAS Installation
• Installing IAS
  • Start > Settings > Control Panel > Add/Remove Programs
  • Open the Windows Component Wizard by clicking Add/Remove Windows Components
  • Highlight Network Services in the Components box and then click Details
  • Find Internet Authentication Service in the Subcomponents of Networking Services box
  • Check the box to the left of IAS and click OK
  • Click Next
  • Click Finish
IAS Management Console
Creating and Using an IAS Management Console
• Microsoft management consoles centralize IAS administration
• Creating an IAS Management Console
  • Start > Run > mmc
  • In the MMC menu bar click Console > Add/Remove snap-in
• From the Add/Remove snap-in applet
  • Click Add
• Adding a Standalone Snap-in
  • Highlight Internet Authentication Service Standalone Snap-In
  • Click Add
• Select the computer you want the snap-in to manage
  • Select local computer
  • Click Finish
• Add the following standalone snap-ins
  • Event Viewer
  • Local Users and Groups
• The management console should look like the following
• Configuring the System Log to display IAS events (optional)
  • From the IAS Management Console
    • Expand Event Viewer
    • Right click the System Log File > Properties
    • Click the Filter tab in the system log properties
    • Select IAS from the Event source drop-down box
    • Click OK
• Creating Users and Groups in the IAS Management Console
  • Expand Local Users and Groups
  • Creating Groups
    • Expand Groups
    • Click Action > New Group
    • Add the following groups
      • Router_Admins
      • Internet_Users
  • Creating Users
    • Expand Users
    • Click Action > New User
    • Add the following users
      • Administrator member of group Router_Admins
      • I_User member of group
Case Study
Implementing RADIUS AAA
Case Study
You work for a small business and would like to implement AAA for remote users and telnet sessions. Here are the requirements for your design:
• Authenticate remote users who are members of the group Router_Admins and Internet_Users.
• Authorize Router_Admins for EXEC sessions, PPP sessions and telnet.
• Authorize Internet_Users for PPP sessions only.
• Implement accounting for EXEC sessions, PPP sessions, and telnet sessions.
• Objectives
  • Windows 2000 Server Administration
  • Installing Microsoft’s IAS
  • Using the Microsoft Management Console
  • Configuring AAA
  • Viewing IAS accounting log
• Tools/Preparation
  • 1 Windows 2000 Server
  • 1 Cisco 1900 Catalyst
  • 1 Cisco 2600 Router
  • 2 modems and drivers
  • 1 PC running Windows 2000
Topology
(diagram: dial-in topology over the PSTN)
(diagram: Implementing IAS Overview, IAS Installation, IAS Configuration, Remote Access Policies)
IAS Configuration
• Configuring IAS Authentication and Accounting Ports (optional)
  • IAS uses ports 1845, 1645 by default for authentication and 1846, 1646 by default for accounting.
  • This step is optional, but by following it we are only opening 2 ports on our server instead of 4
  • Open the IAS MC or IAS applet > Right click Internet Authentication Service > Click Properties > Click the tab labeled RADIUS
  • Set the Authentication port to 1645 and the Accounting port to 1646 >
• Configuring IAS Accounting
  • Open the IAS MC or IAS applet > click Remote Access Logging > Right click Local File > Properties
  • Local file properties
    • Select the Settings tab > check the following
      • Log Authentication Requests
      • Log Accounting Requests
      • Log Periodic Status
    • Select the Local File tab > check the following
      • Database compatible file format
    • Click OK
  • Note that the log will be saved to C:\winnt\system32\logfiles
• Adding a RADIUS client overview
  • Recall that RADIUS is a client/server protocol.
  • The RADIUS client is typically a NAS or router
  • The RADIUS server is the machine running the RADIUS daemon process, which in our case is the IAS server
  • The RADIUS server needs the following information about the RADIUS client
    • IP Address
    • Security Protocol being used
    • Client-Vendor
    • Shared-Secret (also known as a key)
• Adding a RADIUS client
  • Open the IAS MC or the IAS applet
  • Expand IAS
  • Right click the folder labeled Clients
  • Click New Client
  • Enter the hostname of your router and select the RADIUS protocol
  • Click Next
  • Enter the IP Address of the RADIUS client
  • Select Cisco as the client-vendor
  • Enter a shared-secret (key)
  • Finish
• Remote Access Policies
  • IAS uses remote access policies to authenticate and authorize users
  • Keep in mind that a user may be authenticated but not authorized to use certain network services (PPP, EXEC, telnet).
  • The following is a guide if you are trying to implement the case study and you are having a hard time recreating the Remote Access Policies
  • This does not follow the class demonstration! But you’ll get the same results
• Remote Access Policies
  • Open the IAS applet or IAS MC
  • Expand IAS
  • Click Remote Access Policies
  • Right click and delete the policy on the right
  • Right click Remote Access Policies and click New Remote Access Policy
  • Enter a Policy friendly name
    • In our case we’ll enter “Allow members of the group Internet_Users PPP network services”
  • Click Next
  • Specifying conditions
    • Click Add
    • Highlight Windows-Groups, click Add
    • In the Groups applet click Add
    • Highlight the Internet_Users group and click Add, then OK
    • Add another condition by clicking Add
    • Highlight NAS-Port-Type, click Add
    • Highlight Async (modem), click Add, then click OK
    • Your condition should look similar to the following screen capture
  • Click Next
  • Select Grant remote access permission
  • Click Next
  • Click Edit Profile
    • Click the Authentication tab
    • Only check PAP; uncheck all other authentication methods
    • Click the Advanced tab
    • Service-Type should be Framed
    • Framed-Protocol should be PPP
    • Click OK
  • Ok, now what did we just do?
• Remote Access Policies
  • We created a remote access policy that said: if a user accesses the RADIUS client through an async port and that user is a member of the Windows group Internet_Users, authorize the user to use the framed protocol PPP. Here’s a shortened version of the condition
    • Policy Name
      • Allow members of the group Internet_Users PPP network service.
    • Windows-Groups
      • Internet_Users
    • NAS-Port-Type
      • Async (modem)
    • Service-Type
      • Framed
    • Framed-Protocol
      • PPP
• Remote Access Policies
  • Create the following remote access policies (demo in class)
    • Policy Name
      • Allow members of the group Router_Admins PPP network service and EXEC session.
    • Windows-Groups
      • Router_Admins
    • NAS-Port-Type
      • Async (modem)
    • Service-Type
      • Administrative
    • Framed-Protocol
      • PPP
    • Policy Name
      • Allow members of the group Router_Admins telnet access.
    • Windows-Groups
      • Router_Admins
    • NAS-Port-Type
      • Virtual (VPN)
    • Service-Type
      • Administrative
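The three policy summaries above are easier to reason about when you can run requests against them. The following is an added example, not part of the slides or of IAS itself: a small first-match evaluator in Python that models how IAS walks remote access policies (policies are tried in order, the first one whose conditions all match decides, and a request that fails that policy's profile constraints, here the PAP-only authentication setting, is rejected rather than handed to the next policy). The group memberships, the `auth_method` field and the request dictionaries are constructed for the example.

```python
# Added example (not from the slides): a first-match evaluator for the three
# case-study remote access policies. Names and values mirror the policy
# summaries in the deck; the evaluation rule is the one IAS applies: policies
# are tried in order, the first whose conditions all match decides, and a
# request that fails that policy's profile constraints is rejected.

POLICIES = [
    {"name": "Allow members of the group Internet_Users PPP network service",
     "conditions": {"Windows-Groups": "Internet_Users", "NAS-Port-Type": "Async"},
     "profile": {"Service-Type": "Framed", "Framed-Protocol": "PPP"},
     "auth_methods": {"PAP"}},
    {"name": "Allow members of the group Router_Admins PPP network service and EXEC session",
     "conditions": {"Windows-Groups": "Router_Admins", "NAS-Port-Type": "Async"},
     "profile": {"Service-Type": "Administrative", "Framed-Protocol": "PPP"},
     "auth_methods": {"PAP"}},
    {"name": "Allow members of the group Router_Admins telnet access",
     "conditions": {"Windows-Groups": "Router_Admins", "NAS-Port-Type": "Virtual"},
     "profile": {"Service-Type": "Administrative"},
     "auth_methods": {"PAP"}},
]

# Constructed group membership for the two accounts created earlier in the deck
GROUPS = {"Administrator": {"Router_Admins"}, "I_User": {"Internet_Users"}}


def conditions_match(policy, request):
    """Every condition must hold; Windows-Groups is checked against the user's memberships."""
    for condition, wanted in policy["conditions"].items():
        if condition == "Windows-Groups":
            if wanted not in GROUPS.get(request["user"], set()):
                return False
        elif request.get(condition) != wanted:
            return False
    return True


def evaluate(request):
    """Return (decision, policy name, attributes the server would put in the Access-Accept)."""
    for policy in POLICIES:
        if not conditions_match(policy, request):
            continue
        # First match decides; a disallowed authentication method is a reject, not a fall-through
        if request["auth_method"] not in policy["auth_methods"]:
            return ("reject", policy["name"], {})
        return ("accept", policy["name"], dict(policy["profile"]))
    return ("reject", None, {})  # no policy matched: IAS rejects by default


if __name__ == "__main__":
    # Constructed requests covering the case-study requirements
    for req in [
        {"user": "I_User", "NAS-Port-Type": "Async", "auth_method": "PAP"},
        {"user": "I_User", "NAS-Port-Type": "Virtual", "auth_method": "PAP"},
        {"user": "Administrator", "NAS-Port-Type": "Virtual", "auth_method": "PAP"},
        {"user": "Administrator", "NAS-Port-Type": "Async", "auth_method": "CHAP"},
    ]:
        print(req["user"], req["NAS-Port-Type"], req["auth_method"], "->", evaluate(req))
```

Running it shows the two outcomes the case study requires and the one worth double-checking in a real deployment: I_User gets Framed/PPP on an async port and nothing on a VPN port, while only Router_Admins ever receive Service-Type Administrative, which a Cisco router treats as an EXEC session at the highest privilege level. When auditing policies, order matters as much as conditions: a broad policy placed first would shadow the narrower ones behind it.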
Router Configuration
The RADIUS client
• The router is the RADIUS client.
• It must have the same IP address that was entered in the IAS RADIUS client configuration.
• Here is the router configuration file without AAA
• We need to know what a method list is before we get started with the router configuration
  • Method list
    • Defines the type of AAA to be performed and the sequence in which it will be performed
    • Some types of AAA include authentication login, authorization exec and others
    • An example of a sequence type is checking a server or a local database for user information
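The sequence rule of a method list has a subtlety that matters for the lab: the next method is consulted only when the previous one could not be reached, not when it rejected the user. The following is an added example, not from the slides and not Cisco code: a Python model of a method list equivalent to `aaa authentication login default group radius local`, where the RADIUS and local "databases", the account names and the passwords are all constructed.

```python
# Added example (not from the slides): how a method list such as
# "aaa authentication login default group radius local" is walked. The
# fall-through rule modelled here is the one IOS documents: a later method is
# consulted only when the earlier one returns an ERROR (no server answered),
# never when it returns a FAIL (the server rejected the user).


class MethodError(Exception):
    """Raised when a method cannot be consulted at all (timeout, unreachable server)."""


def radius_method(reachable, users):
    """Constructed stand-in for 'group radius': users is the RADIUS server's database."""
    def method(username, password):
        if not reachable:
            raise MethodError("no RADIUS server responded")
        return users.get(username) == password
    return method


def local_method(users):
    """Stand-in for 'local': users are the router's own 'username ... password' entries."""
    def method(username, password):
        return users.get(username) == password
    return method


def run_method_list(methods, username, password):
    """Walk (name, method) pairs in order. Returns (granted, trace of per-method outcomes)."""
    trace = []
    for name, method in methods:
        try:
            granted = method(username, password)
        except MethodError:
            trace.append((name, "ERROR"))
            continue  # ERROR: try the next method in the list
        trace.append((name, "PASS" if granted else "FAIL"))
        return granted, trace  # PASS or FAIL is final
    trace.append(("end of list", "FAIL"))
    return False, trace


def login_default(radius_reachable):
    """Build the equivalent of 'aaa authentication login default group radius local'."""
    # Constructed credentials: the RADIUS account and a separate local fallback account
    return [("group radius", radius_method(radius_reachable, {"Administrator": "radius-pw"})),
            ("local", local_method({"admin-local": "local-pw"}))]


if __name__ == "__main__":
    for reachable, user, pw in [(True, "Administrator", "radius-pw"), (True, "admin-local", "local-pw"),
                                (False, "admin-local", "local-pw"), (False, "Administrator", "radius-pw")]:
        print("radius reachable:", reachable, user, run_method_list(login_default(reachable), user, pw))
```

The second case is the one to notice: with the RADIUS server up, the local account is never consulted, so a local fallback account is not a second way in while the server is answering. The third case is why the lab router should still have a local account before you point its login method list at the IAS server: if the server is unreachable and the list ends, the result is a FAIL and you are locked out.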
• Here is the final configuration file that was demonstrated.
• Demonstration notes and some accounting database stuff
RADIUS Case Study
Summary
Case Study Summary
• Authentication and Authorization
  1. User initiates PPP authentication to the NAS.
  2. NAS prompts for username and password (if PAP) or challenge (if CHAP).
  3. User replies.
  4. RADIUS client sends username and password to the RADIUS server.
  5. RADIUS server responds with Accept, Reject, or Challenge.
  6. The RADIUS client acts upon service parameters bundled with Accept or Reject.
• Accounting
  • The NAS sends an Accounting-Request start packet to the RADIUS security server
  • The RADIUS security server sends an Accounting-Response packet to acknowledge the receipt of the Accounting-Request start packet.
  • After the NAS has sent all the accounting info it wanted to send, it sends an Accounting-Request stop packet. This stop packet describes the type of service delivered and other optional values.
  • The RADIUS server acknowledges receipt of the Accounting-Request stop packet by sending an Accounting-Response packet.
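To make the two exchanges in this summary concrete, here is an added example that is not part of the slides and not IAS or Cisco code: a Python model of one router-to-server round trip for both authentication (Access-Request answered by Access-Accept carrying Service-Type Framed and Framed-Protocol PPP, as the Internet_Users policy does) and accounting (Accounting-Request start/stop acknowledged by Accounting-Response), encoded the way RFC 2865 and RFC 2866 describe them. It also shows why the shared secret entered when adding the RADIUS client matters on both sides: the User-Password attribute is hidden with it, and the router only trusts a reply whose Response Authenticator was computed with the same secret over the original request. The shared secret, the user database, the session id and the NAS address are constructed for the example.

```python
# Added example (not from the slides): the Access-Request/Accept and
# Accounting-Request/Response exchanges from the summary, encoded as RFC 2865
# and RFC 2866 describe them. Secrets, names and passwords are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
ACCT_STATUS_TYPE, ACCT_SESSION_ID, NAS_PORT_TYPE = 40, 44, 61
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP, NAS_PORT_TYPE_ASYNC, ACCT_START, ACCT_STOP = 2, 1, 0, 1, 2

USERS = {"I_User": "constructed-password"}  # constructed stand-in for the Windows account


def attr(atype, value):
    """One Type-Length-Value attribute; integer attributes are 4 octets big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return struct.pack("BB", atype, len(value) + 2) + value


def header(code, ident, attrs):
    return struct.pack(">BBH", code, ident, 20 + len(attrs))


def parse(pkt):
    """Return (code, identifier, authenticator, {type: value}) for one packet."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)."""
    raw = password.encode()
    padded = raw + b"\x00" * (-len(raw) % 16) if raw else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret just yields garbage, hence the lenient decode."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def response_auth(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()


def acct_request_auth(ident, attrs, secret):
    """RFC 2866 s3: the same hash with 16 zero octets where the authenticator goes."""
    return hashlib.md5(header(ACCOUNTING_REQUEST, ident, attrs) + b"\x00" * 16 + attrs + secret).digest()


def access_exchange(client_secret, server_secret, username, password):
    """Router sends Access-Request, IAS answers, router verifies the reply. Returns a result dict."""
    request_auth = os.urandom(16)
    req_attrs = (attr(USER_NAME, username.encode())
                 + attr(USER_PASSWORD, hide_password(password, client_secret, request_auth))
                 + attr(NAS_IP_ADDRESS, bytes([192, 5, 5, 1])) + attr(NAS_PORT_TYPE, NAS_PORT_TYPE_ASYNC))
    req = header(ACCESS_REQUEST, 1, req_attrs) + request_auth + req_attrs
    # Server side: recover the password with its own copy of the secret and decide
    _, ident, rauth, attrs = parse(req)
    granted = unhide_password(attrs[USER_PASSWORD], server_secret, rauth) == USERS.get(attrs[USER_NAME].decode())
    rep_code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    rep_attrs = attr(SERVICE_TYPE, SERVICE_TYPE_FRAMED) + attr(FRAMED_PROTOCOL, FRAMED_PROTOCOL_PPP) if granted else b""
    rep = header(rep_code, ident, rep_attrs) + response_auth(rep_code, ident, rep_attrs, rauth, server_secret) + rep_attrs
    # Client side: act on the reply only if its authenticator matches the secret and the original request
    code, ident, got_auth, attrs = parse(rep)
    verified = got_auth == response_auth(code, ident, rep[20:], request_auth, client_secret)
    service = struct.unpack(">I", attrs[SERVICE_TYPE])[0] if SERVICE_TYPE in attrs else None
    return {"accepted": code == ACCESS_ACCEPT, "verified": verified, "service_type": service}


def accounting_exchange(secret, session_id, status):
    """Accounting-Request start/stop; the server checks the authenticator before logging, then acknowledges."""
    attrs = attr(ACCT_STATUS_TYPE, status) + attr(ACCT_SESSION_ID, session_id.encode()) + attr(USER_NAME, b"I_User")
    req = header(ACCOUNTING_REQUEST, 2, attrs) + acct_request_auth(2, attrs, secret) + attrs
    _, ident, rauth, _ = parse(req)
    if rauth != acct_request_auth(ident, req[20:], secret):
        return None  # RFC 2866: silently discard a request with a bad authenticator
    rep = header(ACCOUNTING_RESPONSE, ident, b"") + response_auth(ACCOUNTING_RESPONSE, ident, b"", rauth, secret)
    code, ident, got_auth, _ = parse(rep)
    return code == ACCOUNTING_RESPONSE and got_auth == response_auth(code, ident, b"", rauth, secret)


if __name__ == "__main__":
    print(access_exchange(b"constructed-secret", b"constructed-secret", "I_User", "constructed-password"))
    print(accounting_exchange(b"constructed-secret", "0001", ACCT_START))
```

Two observations follow from running it. A mismatched secret on the two ends does not produce an error message: the server recovers a garbage password and rejects, and the router cannot verify the reply, which is exactly the symptom you see in the IAS log when the key typed on the router differs from the one entered in the RADIUS client properties. And the password hiding is an MD5-based stream over the secret, not encryption in the modern sense, which is one reason the PAP-only profile chosen above should stay confined to the dial-in path rather than cross untrusted networks.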
Resources
• http://www.cisco.com
  • Search for:
    • Configuring Authentication
    • Configuring RADIUS
    • Configuring TACACS+
    • Configuring Kerberos
    • Configuring Authorization
    • RADIUS Attributes
    • Configuring Accounting
• http://www.microsoft.com
  • Search for:
    • Dialup Corporate Access
    • Extranet Access for Business Partners
    • Outsourced corporate access through service providers
    • Configuring IAS for dial-up and VPN access
    • Configuring IAS to outsource dial-up access