RADIUS
Funk Software, Inc.
222 Third Street
Cambridge, MA 02142 USA
(617) 497-6339
WWW.FUNK.COM
© Copyright Funk Software. All rights reserved.
RADIUS 101
What We Will Cover:
What is RADIUS?
How RADIUS works
RADIUS Messages
What is Proxy RADIUS?
How Proxy RADIUS works
What is Steel-Belted RADIUS?
Enterprise Features
SPE Features
Benefits
RADIUS 101
RADIUS RFCs
“The Internet Engineering Task Force (IETF) is a large open
international community of network designers, operators,
vendors, and researchers concerned with the evolution of the
Internet architecture and the smooth operation of the Internet.”
IETF Process:
– Internet-Draft → RFC: Proposed Standard → Draft Standard → Internet Standard (RFC 2026)
RADIUS Standards:
– RFC2865 - RADIUS Authentication
– RFC2866 - RADIUS Accounting
Other IETF Standards – L2TP, EAP
Internet Engineering Task Force web site http://www.ietf.org
RADIUS 101
What Is RADIUS?
Client/server protocol that lets a remote access server (the RADIUS client: a NAS, VPN gateway or access point) hand a user’s credentials to a central RADIUS server, which authenticates the user and returns the authorization for that session
Standardized method of info exchange between RADIUS Client and Server: UDP messages, with a shared secret configured for each client/server pair
Simply put, a mechanism for delivering information
[Diagram: User ⇄ RADIUS Client (PPP or SLIP negotiation); RADIUS Client ⇄ RADIUS Server (RADIUS Request/Response)]
RADIUS 101
Users
Mobile
Telecommuter
Small-office NAS
Wireless Laptops
PDAs
Cellular Phones
RADIUS 101
RADIUS Clients
PPP Servers
– 3Com Total Control Hub
– Cisco Access Servers
VPN
– 3Com Pathbuilder
– Nortel Extranet Switch
Firewalls
– Check Point FireWall-1
Wireless Lan Access Points
– Cisco Aironet
RADIUS Proxies
Back Office Software
– Oracle 8i, MSSQL
RADIUS 101
Steel-Belted Radius
Central hub for distributed services
– Authentication
– Authorization
– Accounting
RADIUS 101
RADIUS AAA Services
Authentication
– ‘Who are you?’ – prove the identity claimed in the request
– Match username/password (or CHAP response) to the user’s profile
Authorization
– ‘Did you provide enough info to connect?’ and ‘What can you do online?’
– User/Session-specific configuration, returned to the RADIUS Client as attributes in the Access-Accept
– Examples:
• What IP address do you get?
• How long can you connect to the Internet?
Accounting
– Track usage during connection’s lifetime
– Sort, filter, organize attributes
– Send attributes anywhere (logfile, Proxy, SQL)
RADIUS 101
Pre- RADIUS Infrastructure
[Diagram: Boston, Worcester and Springfield sites; 10,000 users; 10 NASs, each NAS device holding its own user database: 10,000 users × 10 NAS devices = 100,000 management tasks]
Multiple locations + multiple devices = management nightmare
RADIUS 101
RADIUS Implementation
[Diagram: the same 10 NAS devices in Boston, Worcester and Springfield, 10,000 users, all authenticating against 1 AAA server (the RADIUS Server)]
10,000 centrally managed objects
Location – no longer an issue
Updates – centrally in one place
RADIUS 101
RADIUS Messages – Authentication Request
1. User logs on to service (Internet, Network) over a PPP/SLIP connection to the RADIUS Client
2. RADIUS Client sends an Access Request packet (username/password) to the RADIUS Server
3. RADIUS Server performs validation / authentication
RADIUS 101
RADIUS Messages – Authentication Response
4. RADIUS Server returns an Access Response packet: ACCEPT, REJECT or CHALLENGE
5. RADIUS Client receives the RADIUS Response Packet
6. User is accepted or rejected (ACCEPT/REJECT)
RADIUS 101
Packet Attributes
What is an attribute?
– Carries info between the RADIUS Client and Server as Type/Length/Value fields
– In a request, this info describes the user and the port; in a response, it contains the instructions that ‘flip the switch’ on the RADIUS Client (address, protocol, filters, timeouts)
– For accounting attributes, this could be statistical info about the user
(type of connection, account type, etc.)
– Defined in RFC 2865 (authentication) and RFC 2866 (accounting)
Types of Attributes:
– Standard – RFC-specific, fixed
– Vendor-Specific Attribute (VSA) – attribute type 26, carrying the vendor’s IANA enterprise number and the vendor’s own sub-attributes; vendor-created, flexible (Ascend, 3Com, Cisco)
RADIUS 101
Packet Attributes - Examples
1. User-Name
2. User-Password
3. CHAP-Password
4. NAS-IP-Address
5. NAS-Port
6. Service-Type
7. Framed-Protocol
8. Framed-IP-Address
9. Framed-IP-Netmask
10. Framed-Routing
(The numbers are the attribute type codes assigned in RFC 2865.)
For a list of private enterprise attribute numbers, visit:
http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
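The exchange on the two message slides and the attributes listed above, carried through in working code. This is an added example, not code from the slides or from Steel-Belted Radius. The client builds an Access-Request with User-Password hidden as RFC 2865 section 5.2 prescribes; the server recovers the password, checks it and answers with an Access-Accept carrying Service-Type, Framed-Protocol and Framed-IP-Address; the client then checks the Response Authenticator before trusting the reply. The shared secret “testing123”, the NAS address 192.0.2.10, the user “sean” and the returned address 10.1.2.3 are constructed test values:

```python
"""RFC 2865 Access-Request / Access-Accept exchange, both sides, end to end.
Added example, not Funk Software / Steel-Belted Radius code. The shared secret,
NAS address, user store and credentials are constructed test values."""
import hashlib
import hmac
import ipaddress
import os
import struct

# Packet codes (RFC 2865 section 3) and attribute types (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
USERS = {b"sean": b"s3cret"}   # constructed user store (a real server asks LDAP, SQL, an NT domain, ...)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (at least 16), XOR each chunk with
    MD5(secret + previous chunk), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain key uses the previous *hidden* chunk."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type(1) Length(1) Value; Length counts the header, so a value is at most 253 octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + req_auth + body + secret).digest()

def build_access_request(secret, ident, username, password, nas_ip, nas_port):
    """Client side (the NAS). The Request Authenticator must be unpredictable: it is
    the password-hiding IV and what binds the reply to this request."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def handle_access_request(packet, secret):
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack_from("!BBH", packet)
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    # constant-time compare, against a dummy for unknown names, so timing does not reveal valid users
    if hmac.compare_digest(USERS.get(attrs.get(USER_NAME), b"\x00" * 16), password):
        code, reply = ACCESS_ACCEPT, [   # authorization comes back as attributes
            (SERVICE_TYPE, struct.pack("!I", 2)),     # 2 = Framed
            (FRAMED_PROTOCOL, struct.pack("!I", 1)),  # 1 = PPP
            (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
        ]
    else:
        code, reply = ACCESS_REJECT, []
    body = encode_attrs(reply)
    auth = response_authenticator(code, ident, req_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def verify_response(packet, req_auth, expected_ident, secret):
    """Client side: accept a reply only if its Identifier matches the outstanding request
    and its Response Authenticator was computed with our secret over our Request Authenticator."""
    code, ident, length = struct.unpack_from("!BBH", packet)
    if ident != expected_ident or length < 20 or length > len(packet):
        return False
    expected = response_authenticator(code, ident, req_auth, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected)

def demo(secret=b"testing123", password=b"s3cret"):
    """Run one exchange; returns (reply code, reply authentic?)."""
    req = build_access_request(secret, 7, b"sean", password, "192.0.2.10", 1)
    resp = handle_access_request(req, secret)
    return resp[0], verify_response(resp, req[4:20], 7, secret)
```

Two things the slides take for granted are visible here. Only User-Password is hidden; every other attribute crosses the wire in clear, and the request itself carries no integrity check, so the shared secret and the unpredictability of the Request Authenticator are all that stand between a RADIUS client and a forged reply. Treat the secret like a password (long, random, one per client) and keep RADIUS traffic on a network an attacker cannot sniff.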
RADIUS 101
What is Proxy RADIUS?
The ability for one RADIUS server to forward Access Requests (and Accounting Requests) to
another server, with a separate shared secret for each hop
Proxy server only knows Realms, not users
Proxy RADIUS is how roaming dial-up services work today
Example:
In a University scenario, the University controls network management,
the individual schools control user level access.
RADIUS 101
What Are Realms?
Refers to an organization containing multiple RADIUS
servers
Two types of Realms:
– Proxy Realm – hands off auth. requests to another server
– Directed Realm – handles auth. locally based on settings in
.dir/.pro files
Supports outsourced ISPs (e.g. Earthlink, Juno)
RADIUS 101
How Proxy Works (Request):
1. User logs on
2. RADIUS Client sends an Access Request (username/password) to the Proxy
3. Proxy forwards the request to the Target server for that realm
4. Target performs verification
RADIUS 101
How Proxy Works (Response):
1. Target sends the Authentication Response to the Proxy
2. Proxy forwards the Response Packet
3. RADIUS Client receives the Response Packet
4. User is accepted/rejected (ACCEPT/REJECT)
RADIUS 101
How Proxy Works (Accounting):
1. User logs on
2. RADIUS Client sends ACCT Start/Stop
3. Proxy forwards the accounting request to the Target
4. Target records it (SQL INSERT statement)
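The accounting leg above at the target server, as an added example that is not Funk Software code: the target verifies the Accounting-Request’s Request Authenticator as RFC 2866 requires, decodes the Start/Stop attributes and writes the record with a parameterised INSERT. The secret, session and user values are constructed, and an in-memory sqlite3 table stands in for the Oracle/MSSQL back end:

```python
"""Accounting-Request (RFC 2866) at the target server: verify, decode, store.
Added example, not Steel-Belted Radius code. The secret, sample Start/Stop records
and table layout are constructed; sqlite3 stands in for the SQL back end."""
import hashlib
import hmac
import sqlite3
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def acct_request_authenticator(ident, body, secret):
    """RFC 2866 section 3: MD5 over the packet with the Authenticator field set to 16
    zero octets, followed by the secret. Unlike an Access-Request, an accounting request
    is integrity-checked; one that fails the check must be silently discarded."""
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_acct_request(secret, ident, attrs):
    """What the NAS, or the proxy on its behalf, sends (constructed for the example)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return hdr + acct_request_authenticator(ident, body, secret) + body

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acct (session_id TEXT, status TEXT, user_name TEXT, nas_ip TEXT,"
               " session_time INTEGER, in_octets INTEGER, out_octets INTEGER)")
    return db

def store_accounting(db, packet, secret):
    """Verify the Request Authenticator, decode the attributes and INSERT the record.
    Returns the stored row, or None when the packet was discarded."""
    code, ident, length = struct.unpack_from("!BBH", packet)
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    body = packet[20:length]
    if not hmac.compare_digest(packet[4:20], acct_request_authenticator(ident, body, secret)):
        return None                       # forged, altered, or sent with the wrong secret: drop
    a = dict(decode_attrs(body))
    def u32(t):
        return struct.unpack("!I", a[t])[0] if t in a and len(a[t]) == 4 else None
    row = (a.get(ACCT_SESSION_ID, b"").decode("latin-1"),
           STATUS.get(u32(ACCT_STATUS_TYPE), "Unknown"),
           a.get(USER_NAME, b"").decode("latin-1"),      # typed by the dialling user
           ".".join(str(b) for b in a.get(NAS_IP_ADDRESS, b"")),
           u32(ACCT_SESSION_TIME), u32(ACCT_INPUT_OCTETS), u32(ACCT_OUTPUT_OCTETS))
    # bound parameters: the user name is attacker-controlled text and is never spliced into SQL
    db.execute("INSERT INTO acct VALUES (?, ?, ?, ?, ?, ?, ?)", row)
    return row

def demo(secret=b"testing123"):
    """Start and Stop for one session, then one tampered packet.
    Returns (rows stored, input octets billed, tampered packet rejected?)."""
    db = open_db()
    common = [(USER_NAME, b"sean'); DROP TABLE acct; --"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
              (ACCT_SESSION_ID, b"0001A2B3")]
    start = build_acct_request(secret, 1, common + [(ACCT_STATUS_TYPE, struct.pack("!I", 1))])
    stop = build_acct_request(secret, 2, common + [
        (ACCT_STATUS_TYPE, struct.pack("!I", 2)), (ACCT_SESSION_TIME, struct.pack("!I", 1800)),
        (ACCT_INPUT_OCTETS, struct.pack("!I", 123456)), (ACCT_OUTPUT_OCTETS, struct.pack("!I", 654321))])
    store_accounting(db, start, secret)
    store_accounting(db, stop, secret)
    # someone on the path rewrites the usage figure but cannot recompute the authenticator
    tampered = stop[:20] + stop[20:].replace(struct.pack("!I", 123456), struct.pack("!I", 1))
    rejected = store_accounting(db, tampered, secret) is None
    n, billed = db.execute("SELECT COUNT(*), SUM(in_octets) FROM acct").fetchone()
    return n, billed, rejected
```

The authenticator check is what stops a host that merely knows the target’s address from padding or zeroing somebody’s usage, and it only holds if the secret is not shared across unrelated clients. The user name in the record is whatever the dialling user typed, which is why the INSERT binds parameters instead of formatting a string. A real target also answers each accepted record with an Accounting-Response (code 5) so the NAS stops retransmitting; that reply is omitted here.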
RADIUS 101
Managed Services and
Proxy RADIUS
[Diagram: remote users of Ford, GM and Chrysler dial in to an outsourced service provider (AT&T Global Services, 300K modems); the provider’s Steel-Belted Radius (SBR) proxies each request over the private network/Internet to the customer’s own SBR, which authenticates the user]
RADIUS 101
Proxy Realm Scenario
[Diagram: a UUNET NAS sends the requests for Sean@Earthlink, Emil@Juno and Mike@NetZero to a Proxy Server, which routes each by realm to the Earthlink, Juno or NetZero AAA servers]
RADIUS 101
RADIUS Administrator’s Burden:
Provide remote access to allowed users
Keep up with different access technologies
Lower costs
Manage other aspects of network
Security!!
RADIUS 101
RADIUS Administrator’s Burden:
Problems:
1. ‘Remote Users’ are a difficult user type
2. Rapidly changing technology (cable, DSL, ISDN, wireless devices,
modems from 2.4 kbps to 128 kbps over 10 years)
3. Costs (buy or outsource?, cost tracking, access vs. risk)
4. Not enough hours in the day
5. Is allowing this access a security risk to the network?
• Is it secure?
• Is it simple?
• Does it work with other access options?
RADIUS 101
The SBR Solution
Saves time on remote access administration
– Without SBR, administrative burden staggering
– Centralized authentication across all gateways
– Don’t have to create and administer separate databases on each RADIUS
Client on the LAN
– Eliminate redundant work
Enhances security
– Common security model for all devices makes network more secure
Consolidates administration of all Intranet, Extranet, and Internet
access security
RADIUS 101
What is Steel-Belted Radius?
Complete implementation of RADIUS standard
Comprehensive feature set, designed for compatibility in
heterogeneous environment
– Multi-platform
– Multi-vendor
– Multiple back-end authentication databases
Multiple product solutions
– Enterprise
– Service Provider Edition
– 3G Mobility Module (formerly Advanced Wireless Edition)
RADIUS 101
Back-End Solution Compatibility
Authentication Server           SBR Product
ODBC/SQL (Oracle, Informix)     SPE
LDAP                            SPE, Enterprise
NT Domains/Hosts                Enterprise
Active Directory                Enterprise
ACE                             Enterprise
TACACS+                         SPE, Enterprise
Proxy RADIUS                    SPE, Enterprise
Netware NDS                     Enterprise
RADIUS 101
SBR Enterprise Features
Multi-vendor client support – PPP, DSL, PPPoE,
wLAN, Firewall, VPN (via vendor-specific attributes)
Multiple authentication types (SQL, LDAP, Tokens,
TACACS+, etc.)
Strong accounting options (SQL/Native)
Tunnel Support
User-friendly interface
RADIUS 101
Enterprise Features (cont’d)
Enterprise Proxy
– Support for ‘simple proxy’ from point A to B
– Makes “distributed authentication” possible (e.g. migrating from a legacy
RADIUS server to SBR)
– No need for redundant authentication databases at each site
High-speed performance
– 400+ transactions per second
– Scalable based on number of processors and amount of memory
Powerful, Flexible, Reliable, Fast
RADIUS 101
Transaction Speed Example
400 transactions/sec:
• × 60 seconds = 24,000 transactions/min
• × 60 minutes = 1.44 million transactions/hour
• × 15 hours ‘uptime’ = 21.6 million transactions/day
• ÷ 3 transactions per completed session (e.g. Access-Request, Accounting Start, Accounting Stop) = 7.2 million sessions/day
• × 2 SBR redundancy = 14.4 million sessions/day
Case in Point:
PricewaterhouseCoopers employs approx. 140,000 people. They average
5 transactions/sec.
RADIUS 101
SBR Administrator Features
“Profiles” to differentiate class of service levels to groups of
similar users
IP / IPX Address Pooling assigns addresses based on user
name or device pool
Tunnel Management
– Return all tunnel set-up attributes based on the make & model of the requesting device
– MS-CHAP / MPPE Key support
Statistics page gives useful information by detailing IP
addresses in use, number of accepts, rejects, etc.
Configuration Page allows selection of multiple authentication
methods, customized reject messaging, etc.
RADIUS 101
Steel-Belted Radius SPE
Carrier-grade feature set
Extended Proxy:
– Flexible user name (name decoration)
– Proxy packet filtering (filter.ini)
– Multiple proxy targets (redundancy)
– Configurable failure action (Fast-fail; .pro file)
– Static Accounting Proxy
– Account Spooling
Directed Realms
– ‘Realms’ refer to multiple RADIUS servers, or an organizational
structure
– Handle hosted authentication (outsourcing AAA services to ISPs
– ‘virtual ISPs’)
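How a proxy decides where a request goes, covering the ‘What Are Realms?’ slide and the Extended Proxy features above (name decoration, multiple targets, fast-fail, directed realms). This is an added example, not Steel-Belted Radius code and not its .pro/.dir configuration format: realm parsing for suffix (user@realm) and prefix (realm/user) decoration, a realm table with proxy and directed realms, redundant targets with hosts marked down skipped, and an explicit reject for realms that are not configured. The realm names, host names and secrets are constructed:

```python
"""Realm routing as a proxy RADIUS server does it before forwarding.
Added example, not Steel-Belted Radius code and not its .pro/.dir file format.
The realm table, host names, secrets and decoration rules are constructed."""

# Constructed realm table. A proxy realm lists its target AAA servers in preference
# order (later ones are redundant fallbacks), each with the shared secret for that hop.
# A directed realm is authenticated locally. The "" entry decides what happens to an
# undecorated user name.
REALMS = {
    "earthlink": {"kind": "proxy", "strip_realm": True,
                  "targets": [("aaa1.earthlink.example", b"secret-el-1"),
                              ("aaa2.earthlink.example", b"secret-el-2")]},
    "juno": {"kind": "proxy", "strip_realm": False,
             "targets": [("aaa.juno.example", b"secret-juno")]},
    "netzero": {"kind": "proxy", "strip_realm": True,
                "targets": [("aaa.netzero.example", b"secret-nz")]},
    "campus": {"kind": "directed", "strip_realm": True, "targets": []},
    "": {"kind": "directed", "strip_realm": True, "targets": []},
}

def split_realm(user_name):
    """Undo name decoration: 'user@realm' (suffix) or 'realm/user' (prefix).
    The last '@' wins, so 'a@b@realm' routes on 'realm'; realms compare case-insensitively."""
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm.lower()
    if "/" in user_name:
        realm, _, user = user_name.partition("/")
        return user, realm.lower()
    return user_name, ""

def route(user_name, down=frozenset()):
    """Routing decision for one Access-Request.

    down: target hosts currently marked unreachable (fast-fail); they are skipped.
    Returns one of:
      ("local", user)                     directed realm: authenticate here
      ("proxy", host, secret, fwd_name)   forward; User-Password must be re-hidden under secret
      ("reject", reason)                  no route: answer Access-Reject
    A realm that is not in the table is rejected rather than tried locally, so a
    stray 'user@otherisp' is never matched against the local user base.
    """
    user, realm = split_realm(user_name)
    entry = REALMS.get(realm)
    if entry is None:
        return ("reject", "unknown realm %r" % realm)
    if entry["kind"] == "directed":
        return ("local", user)
    fwd_name = user if entry["strip_realm"] else user_name   # strip only if the target expects it
    for host, secret in entry["targets"]:
        if host not in down:
            return ("proxy", host, secret, fwd_name)
    return ("reject", "all targets for realm %r are down" % realm)
```

One consequence of the design is worth stating. A forwarding proxy cannot simply relay the bytes: User-Password is hidden under the secret shared with the RADIUS client, so the proxy recovers the clear password and re-hides it under the secret shared with the target. Every proxy in the chain therefore sees every forwarded password and has to be trusted accordingly, and each hop needs its own secret.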
RADIUS 101
Steel-Belted Radius SPE
Service Provider-Specific Features:
Time-of-day restrictions (allowed-access-hours)
SNMP (SPE Solaris only) Traps & Alarms
Auto-restart/Retries (Perl script/bounce.ini)
LDAP Configuration Interface (optional in EE)
Administrative access privileges (access.ini/admin.ini)
Platform for add-on policy servers (PAS, Concurrency)
DHCP Pooling (dhcp.ini, pool.dhc)
Accounting capabilities:
Flexible logging capabilities
Attribute mapping (VSA dictionaries)
RADIUS 101
The Changing Infrastructure
[Diagram: SBR as the hub between the access devices – NAS (Cisco), Firewall (Checkpoint), wLAN (3Com), VPN (Nortel) – and the back-end stores – NT Domain, Token Systems (Ace); labelled Today and Future]