RADIUS
By: Nicole Cappella
Overview
Central Authentication Services
Definition of RADIUS
“AAA Transaction”
Roaming
Security Issues and How to Minimize Them
Central Authentication Service
Central Authentication Service (CAS):
Single sign-on protocol for the web
Permits a user to access multiple applications while providing credentials only once
Web applications authenticate users without gaining access to the user’s security credentials
Central Authentication Servers
Reason Needed:
Employees need access and authorizations for a dozen or more servers
Benefits:
Reduce costs
Consistency in authentication no matter where a user or attacker comes into the network
Company-wide changes can be made instantly
RADIUS
Remote Authentication Dial-In User Service
Network protocol that protects networks against unauthorized access
Enables centralized authentication of dial-in users and authorization of their access to a network service
Performs 3 major functions:
Authenticates users trying to establish a connection to the network
Authorizes users to access requested network services
Accounts for use of those services
RADIUS
Most widely used standard for central authentication servers
Allows a company to maintain user profiles in a central database that all remote servers can share
Provides better security
Easier to track usage for billing and for keeping network statistics
“AAA Transaction”
Authentication and Authorization
Request sent to Remote Access Server (RAS)
RAS sends RADIUS Access-Request message to RADIUS server
Includes access credentials
RADIUS server checks if the info is correct using authentication schemes: PAP, CHAP, EAP
Figure: RADIUS Authentication and Authorization Flow
“AAA Transaction”
RADIUS server returns one of three responses to the RAS
1. Access-Reject
Denied access to all requested network resources
2. Access-Challenge
Additional information needed from the user
3. Access-Accept
User granted access
“AAA Transaction”
Accounting
Accounting Start: sent by the NAS (Network Access Server) to the RADIUS server to signal the start of the user’s network access
Interim Update: updates the RADIUS server on the status of an active session
Accounting Stop: issued when the user’s network access is closed
Figure: RADIUS Accounting Flow
Roaming
Commonly used to facilitate roaming between ISPs
Provides a single global set of credentials to be used on any public network
Facilitated by the use of realms
Realms:
Appended to the user’s user name and delimited with an ‘@’
Resemble domains, but do not contain real domain names
Figure: Interaction between a dial-in user and the RADIUS client and server
Security
Access-Request messages sent by RADIUS clients are not authenticated
The RADIUS shared secret can be weak due to poor configuration and limited size
Sensitive attributes are encrypted using the RADIUS hiding mechanism
Poor Request Authenticator values can be used to decrypt encrypted attributes
Minimize Security Issues
Use strong shared secrets
Require the Message-Authenticator attribute in all Access-Request messages
Use cryptographic-quality values for the Request Authenticator
Use different shared secrets for each RADIUS client/server pair
Use Internet Protocol Security (IPsec) to provide data confidentiality for RADIUS messages
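The last two slides name the RADIUS hiding mechanism, the Request Authenticator and the Message-Authenticator attribute; the following Python is an added example written for these notes, not code from the slides or from any RADIUS implementation. It assumes the RFC 2865 User-Password hiding scheme and the RFC 2869 Message-Authenticator (HMAC-MD5 over the whole packet with the shared secret as key), builds an Access-Request with a random Request Authenticator, and shows the server-side check that refuses a request whose Message-Authenticator is missing, malformed or wrong.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # RFC 2865/2869 attribute types

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 hiding: XOR 16-byte blocks with MD5(secret + Request Authenticator), then MD5(secret + prior cipher block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    # Client side: random Request Authenticator, hidden password, Message-Authenticator last.
    req_auth = os.urandom(16)  # cryptographic-quality value, never reused
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth  # Code 1 = Access-Request
    return header + attrs[:-16] + hmac.new(secret, header + attrs, hashlib.md5).digest()

def verify_access_request(packet: bytes, secret: bytes) -> bool:
    # Server side: refuse an Access-Request whose Message-Authenticator is missing, malformed or wrong.
    if len(packet) < 20 or packet[0] != 1 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, ma_at = 20, None
    while pos + 2 <= len(packet):  # walk the TLV attribute list, rejecting bad lengths
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet) or (kind == MESSAGE_AUTHENTICATOR and (alen != 18 or ma_at is not None)):
            return False
        if kind == MESSAGE_AUTHENTICATOR:
            ma_at = pos + 2
        pos += alen
    if ma_at is None or pos != len(packet):
        return False
    expected = hmac.new(secret, packet[:ma_at] + b"\x00" * 16 + packet[ma_at + 16:], hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[ma_at:ma_at + 16])
```

The hiding scheme is a keystream derived only from the shared secret and the Request Authenticator, which is why a weak secret or a repeated Request Authenticator undermines it, while the Message-Authenticator is what actually lets the server reject forged or altered Access-Requests.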
Summary
RADIUS stands for Remote Authentication Dial-In User Service
RADIUS is the most widely used standard for central authentication servers
RADIUS servers use the “AAA Transaction” to manage network access
Security issues arise, but if implemented correctly, they can be avoided