RADIUS
By: Nicole Cappella
Overview
- Central Authentication Services
- Definition of RADIUS
- “AAA Transaction”
- Roaming
- Security Issues and How to Minimize Security Issues
Central Authentication Service
- Central Authentication Service (CAS):
  - Single sign-on protocol for the web
  - Permits a user to access multiple applications while providing credentials only once
  - Web applications authenticate users without gaining access to the user’s security credentials
Central Authentication Servers
- Reason needed:
  - Employees need access and authorizations for a dozen or more servers
- Benefits:
  - Reduce costs
  - Consistency in authentication no matter where a user or attacker comes into the network
  - Company-wide changes can be made instantly
RADIUS
- Remote Authentication Dial-In User Service
- Network protocol that protects networks against unauthorized access
- Enables centralized authentication of dial-in users and authorization of their access to a network service
- Performs 3 major functions:
  - Authenticates users trying to establish a connection to the network
  - Authorizes users to access requested network services
  - Accounts for use of those services
RADIUS
- Most widely used standard for central authentication servers
- Allows a company to maintain user profiles in a central database that all remote servers can share
- Provides better security
- Makes it easier to track usage for billing and for keeping network statistics
“AAA Transaction”
- Authentication and Authorization
  - Request sent to the Remote Access Server (RAS)
  - RAS sends a RADIUS Access-Request message to the RADIUS server
  - The message includes the access credentials
  - RADIUS server checks whether the information is correct using one of these authentication schemes: PAP, CHAP, EAP
Figure: RADIUS Authentication and Authorization Flow
“AAA Transaction”
- RADIUS server returns one of three responses to the RAS
  1. Access-Reject
     - User is denied access to all requested network resources
  2. Access-Challenge
     - Additional information is needed from the user
  3. Access-Accept
     - User is granted access
“AAA Transaction”
- Accounting
  - Accounting Start
    - Sent by the NAS to the RADIUS server to signal the start of the user’s network access
  - Interim Update
    - Updates the RADIUS server on the status of an active session
  - Accounting Stop
    - Issued when the user’s network access is closed
Figure: RADIUS Accounting Flow
Roaming
- RADIUS is commonly used to facilitate roaming between ISPs
- Provides a single global set of credentials that can be used on any public network
- Facilitated by the use of realms
- Realms:
  - Appended to the user’s user name and delimited with an ‘@’
  - Resemble domains, but do not contain real domain names
Figure: Interaction between a dial-in user and the RADIUS client and server
Security
- Access-Request messages sent by RADIUS clients are not authenticated
- The RADIUS shared secret can be weak due to poor configuration and limited size
- Sensitive attributes are encrypted using the RADIUS hiding mechanism
- Poor Request Authenticator values can be used to decrypt encrypted attributes
Minimize Security Issues
- Use strong shared secrets
- Require the Message-Authenticator attribute in all Access-Request messages
- Use cryptographic-quality random values for the Request Authenticator
- Use a different shared secret for each RADIUS client/server pair
- Use Internet Protocol Security (IPsec) to provide data confidentiality for RADIUS messages
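To make the two security slides concrete, the following is an added Python example (not from the original presentation or from any RADIUS implementation) that builds an Access-Request using the RFC 2865 User-Password hiding mechanism and the RFC 2869 Message-Authenticator attribute, and shows the server-side check that rejects a request whose Message-Authenticator is missing, tampered with, or computed under a different shared secret. The shared secret, Request Authenticator and credentials used in testing are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 hiding: each 16-byte block of the NUL-padded password is XORed
    with MD5(secret + previous block); block 0 chains from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:  # Type-Length-Value; Length counts itself
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, secret, username, password, request_auth):
    """Access-Request with User-Name, hidden User-Password and Message-Authenticator
    (RFC 2869 5.14): HMAC-MD5 keyed with the shared secret over the whole packet,
    computed with the Message-Authenticator value zeroed. request_auth: 16 random bytes."""
    body = attr(ATTR_USER_NAME, username)
    body += attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    zeroed_ma = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + 18)
    header += request_auth
    mac = hmac.new(secret, header + body + zeroed_ma, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 with the received value zeroed and compare
    in constant time. A request carrying no Message-Authenticator is rejected."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        if kind == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False
```

Calling hide_password twice with the same Request Authenticator yields identical output, which is why the slide calls for cryptographic-quality authenticator values.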
Summary
- RADIUS stands for Remote Authentication Dial-In User Service
- RADIUS is the most widely used standard for central authentication servers
- RADIUS servers use the “AAA Transaction” to manage network access
- Security issues arise, but if RADIUS is implemented correctly, they can be avoided