Using RADIUS as a AAA backbone for Windows networks
Kostas Kalevras, NTUA Network Operations Centre

Today's World
Windows in the end user workstation
Unix/Linux/FreeBSD at the central server

Authentication Infrastructure
Windows authenticates through Active Directory
Unix authenticates through LDAP
Problems faced
Multiple domains; users need to be included in/deleted from each one
Users exist in both AD and LDAP
Passwords are not synchronized

How to solve these problems
Meta-Directory
Replace GINA (Windows authentication) with a custom one

Meta-Directory Problems
Not scalable for multiple domains
Closed protocols, closed products
Complex and hard administration and troubleshooting
No open source solution
Case Study: Greek School Network
5000 domains (schools), central LDAP service
Problems:
No scaling
No deletes
Too much load on the LDAP service
Too much overhead for domain administration

pGina to the rescue
Replace GINA with a highly configurable set of modules
Support for LDAP, RADIUS, SQL
Domain interaction (account creation on domains)
Account caching (AD is queried before the modules)
http://pgina.xpasystems.com/
RADIUS Advantages
Decision point, not just a database
Dynamic expansion, calculated values for returned attributes
Accounting
Delegated administration, multiple user databases available (LDAP, SQL, etc.)
Anonymous user support
Special features: default/group profiles, user time quotas, login-time restrictions

RADIUS Problems
A RADIUS server is needed
RADIUS secret is stored on each workstation
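An added example (Python, not code from the talk or from pGina) of the RFC 2865 mechanics behind the "secret on each workstation" problem: the same shared secret both hides the User-Password attribute and authenticates the server's reply, so a secret extracted from one workstation exposes every password it transports and allows forged replies, which is the gap the EAP-TTLS item in the TODO list addresses. The secret, authenticator and password values below are constructed.

```python
import hashlib
import hmac
import os
import struct

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server reply (code 2 = Access-Accept). Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(secret: bytes, request_auth: bytes, packet: bytes) -> bool:
    """Client-side check that the reply came from a server holding the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = build_response(secret, packet[0], packet[1], request_auth, packet[20:])
    return hmac.compare_digest(expected[4:20], packet[4:20])

if __name__ == "__main__":
    secret = b"constructed-example-secret"   # constructed; the per-workstation secret
    req_auth = os.urandom(16)                # fresh Request Authenticator per request
    hidden = hide_password(secret, req_auth, b"user-password")
    print(reveal_password(secret, req_auth, hidden))   # b'user-password'
    reply = build_response(secret, 2, 1, req_auth)
    print(verify_response(secret, req_auth, reply))    # True
```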
RADIUS vs LDAP
RADIUS is a decision point
RADIUS provides accounting
LDAP access may be restricted with RADIUS as a frontend
Powerful vs simple (LDAP is just a database)
RADIUS is an extra
Team Involvement
pGina code patches mainly by Agis Andreou
A large part of the radius plugin code

TODO List
Add EAP-TTLS support for password transmission

Real Life Usage
Used in the NTUA Library providing authentication to public workstations with positive results
Scheduled to be used in the Greek School Network

Conclusions
RADIUS can be a viable solution to provide (in combination with pGina) the framework for Windows AAA
Secure, scalable, powerful solution

Thank you!
Any questions?