Global InternetIntranet Access Service - PowerPoint PPT Presentation

1 / 58
About This Presentation
Title:

Global InternetIntranet Access Service

Description:

Check that the user may access the services he/she wishes. ... Shiva - Shiva Access Manager - 95/NT/UNIX. http://athena.shiva.com/remote/radius ... – PowerPoint PPT presentation

Number of Views:59
Avg rating:3.0/5.0
Slides: 59
Provided by: Fran199
Category:

less

Transcript and Presenter's Notes

Title: Global InternetIntranet Access Service


1
AAA Services
Richard PerlmanFor CEENET 6Budapest, Hungary
2
AAA Services
  • Authentication
  • Authorization
  • Accounting

3
Authentication
  • Verify the user is who he/she claims to be
  • Use Password, Special Token card, Caller-ID, etc.
  • May issue additional challenge

4
Authorization
  • Check that the user may access the services
    he/she wishes.
  • Check database or file information about the user

5
Accounting
  • Record what the user has done.
  • Time online. Bytes sent/received. Services
    accessed. Files downloaded. Etc.

6
NAS/RASNetwork Access ServerRemote Access Server
Phone Lines
7
Logical System View
8
Types of AAA Services
  • Local accounts on the NAS/RAS
  • Proprietary software between NAS and server
  • RADIUS
  • TACACS (tacacs, tacacs, xtacacs)

9
RADIUS Basics
  • A protocol for communicating between a Network
    Access Server (NAS) and a remote
    Authentication/Access/Accounting server
  • Not the actual server itself

10
RADIUS Basics
  • Defined by IETF standard RFC2138 RFC2139
  • http//www.faqs.org/rfcs/rfc2138.htmlhttp//www.
    faqs.org/rfcs/rfc2139.html
  • Requires Clients (normally a NAS) and servers
    (often called RADIUS servers)

11
The Authentication Process
Access Accept
Access Request
User Information
12
RADIUS BasicsAuthentication Data Flow
ISP User Database
UserID bobPassword ge55gepNAS-ID 207.12.4.1
Select UserIDbob
ISP Modem Pool
Bobpasswordge55gepTimeout3600other
attributes
UserID bobPassword ge55gep
Access-AcceptUser-Namebobother attributes
ISP RADIUS Server
Framed-Address217.213.21.5
The Internet
User dials modem pool and establishes connection
Internet PPP connection established
13
RADIUS BasicsAccounting Data Flow
Sun May 10 204741 1998 Acct-Status-TypeStar
t User-Namebob Framed-Address217.213.21.
5 ...
Acct-Status-TypeStartUser-NamebobFramed-Addres
s217.213.21.5...
ISP Modem Pool
ISP AccountingDatabase
Acknowledgement
ISP RADIUS Server
The Internet
Internet PPP connection established
The Accounting Start Record
14
RADIUS BasicsAccounting Data Flow
Sun May 10 205049 1998 Acct-Status-TypeStop
User-Namebob Acct-Session-Time1432
...
Acct-Status-TypeStopUser-NamebobAcct-Session-T
ime1432...
ISP Modem Pool
ISP AccountingDatabase
Acknowledgement
ISP RADIUS Server
The Internet
User Disconnects
Internet PPP connection established
The Accounting Stop Record
15
RADIUS Basics
  • Key data for Authentication
  • NAS/Client Info
  • IP Name and/or IP Address
  • Shared Secret Key for encryption
  • User Information
  • User-Name Password
  • Session Information
  • Speed, dialed number, port, NAS ID, etc.

16
RADIUS Basics The process flow
  • Decode Packet using shared secret key

17
RADIUS BasicsShared Secret Keys
Shared
Secret
Session Key
Plaintext
Plaintext
Ciphertext
Encryption
Decryption
Shared
Secret
User 1
Session Key
18
RADIUS Basics The process flow
  • Lookup users in local or external database
  • Text File
  • Password file (UNIX)
  • NT Registry/Netware Directory
  • NIS/NIS
  • LDAP
  • Etc., etc.

19
RADIUS Basics The process flow
  • Authenticate
  • User-Name, Password, etc.
  • Chap Challenge
  • SecurID Token card
  • Etc.

20
RADIUS Basics The process flow
  • Check arbitrary access criteria
  • Type of access (analog, ISDN)
  • Time of day
  • Called or Calling number

21
RADIUS Basics The process flow
  • Send Accept/Reject to NAS with appropriate
    session attributes
  • Session timers
  • Filters (allow/reject IP addrs)
  • IP Address
  • ISDN session parameters
  • Etc.

22
RADIUS BasicsProcess Description
  • Using a modem, the user dials-in to a modem
    connected to a NAS. Once the modem connection is
    completed, the NAS attempts to use the CHAP or
    PAP protocol to determine the userID and
    password. If that fails, the NAS prompts the user
    for the userID and password.

23
RADIUS BasicsProcess Description
  • The NAS creates a data packet from this
    information called the authentication request.
    This packet includes information identifying the
    specific NAS sending the authentication request,
    the port that is being used for the modem
    connection, and the user name and password. For
    protection from eavesdropping the NAS, acting as
    a RADIUS client, encrypts (using a shared secret
    key) the password before it is sent to the RADIUS
    server.

24
RADIUS BasicsProcess Description
  • The Authentication Request is sent over the
    network from the RADIUS client (I.e. the NAS) to
    the RADIUS server. This communication can be done
    over a local- or wide-area network, allowing
    network managers to locate RADIUS clients
    remotely from the RADIUS server. If the RADIUS
    server cannot be reached, the NAS can usually
    route the request to an alternate server.

25
RADIUS BasicsProcess Description
  • When an Authentication Request is received, the
    RADIUS Server validates the request and then
    decrypts the data packet to access the user name
    and password information. This information is
    passed on to the appropriate security system
    being supported. This could be a text file, UNIX
    password files, NIS, LDAP, a commercially
    available security system or a custom database.

26
RADIUS BasicsProcess Description
  • If the user name and password are correct, the
    server sends an Authentication Acknowledgment
    that includes information on the user's network
    system and service requirements. For example, the
    RADIUS server will tell the NAS that a user needs
    TCP/IP and/or NetWare using PPP (Point-to-Point
    Protocol) or that the user needs SLIP (Serial
    Line Internet Protocol) to connect to the
    network. The acknowledgment can even contain
    filtering information to limit a user's access to
    specific resources on the network.

27
RADIUS BasicsProcess Description
  • If at any point in this log-in process conditions
    are not met, the RADIUS server sends an
    Authentication Reject to the NAS and the user is
    denied access to the network.

28
RADIUS BasicsProcess Description
  • To ensure that requests are not responded to by
    unauthorized persons or devices on the network,
    the RADIUS server sends an authentication key, or
    signature, identifying itself to the RADIUS
    client.

29
RADIUS BasicsProcess Description
  • Once the server information is received and
    verified by the NAS, it enables the necessary
    configuration to deliver the right network
    services to the user.

30
RADIUS BasicsEssential Server Data
  • Client Information
  • IP Name
  • Shared secret key
  • Group Assignment
  • Special Parameters
  • NAS Type

31
RADIUS BasicsEssential Server Data
  • NAS/Client Info
  • Stored in a clients file or similar data
    structure
  • This file contains a list of clients which
    are allowed to make authentication requests
    and their encryption key. The first field is
    a valid hostname for the client. The second
    field (separated by blanks or tabs) is the
    encryption key. Client Name
    Key ---------------------------------- portmast
    er1 wP40cQ0 portmaster2
    A3X445A 192.168.1.2 wer369st

32
RADIUS BasicsEssential Server Data
  • Dictionary
  • Definition of RADIUS attributes
  • Assign readable names to attribute numbers
  • String, Integer, IP Address, Date

33
RADIUS BasicsEssential Server Data
  • Dictionary
  • Stored in a dictionary file or similar data
    structure
  • This file contains dictionary translations
    for parsing requests and generating responses.
    All transactions are composed of
    Attribute/Value Pairs. The value of each
    attribute is specified as one of 4 data types.
    Valid data types are string - 0-253
    octets ipaddr - 4 octets in network byte
    order integer - 32 bit value (high byte
    first) date - 32 bit value - seconds
    since 000000 GMT, Jan. 1, 1970

34
RADIUS BasicsEssential Server Data
  • Dictionary
  • Attr.
    Attr.Keyword Attribute Name Num Type
    ATTRIBUTE User-Name 1
    stringATTRIBUTE Password 2
    stringATTRIBUTE CHAP-Password 3
    stringATTRIBUTE Client-Id 4
    ipaddrATTRIBUTE Client-Port-Id 5
    integerATTRIBUTE User-Service-Type 6
    integerATTRIBUTE Framed-Protocol 7
    integerATTRIBUTE Framed-Address 8
    ipaddrATTRIBUTE Framed-Netmask 9
    ipaddr... ...

35
Dictionary File Decoding
Service-Type Framed-User
RADIUS Request
...

6

6

0

...
0

0

2

AttributeValue
AttributeNumber
AttributeLength (in bytes)
RADIUS Dictionary
  • ATTRIBUTE
  • VALUE

Service-Type
Service-Type
6
6
integer
2
Service-Type
Framed-User
Service-Type
Framed-User
2
36
Dictionary VSAs
Example Dictionary entry
  • Name
    Number Type Vendor (Modifiers)
  • VENDOR Ascend 529
  • ATTRIBUTE Ascend-Send-Secret 214 string Ascend

Attr. Number Total Attr. Length Vendor ID
data
VSA Attr.Number VSA Attr. Length VSA Attr.
data
37
RADIUS BasicsEssential Server Data
  • User Information (users file)
  • User-Name
  • Password
  • Authentication method
  • Check attributes
  • Send attributes

38
RADIUS BasicsEssential Server Data
  • User Data (Example 1)
  • bob Password "ge55ep Service-Type
    Framed-User, Framed-Protocol
    PPP, Framed-IP-Address 255.255.255.254, Framed
    -IP-Netmask 255.255.255.255, Framed-Routing
    None, Filter-Id "std.ppp", Framed-MTU 1500

39
RADIUS BasicsEssential Server Data
  • User Data (Example 2)
  • bob Password "ge55gep", NAS-IP-Address
    192.168.1.54, NAS-Port-Type
    ISDN Service-Type Framed-User, Framed-Protocol
    PPP

40
RADIUS BasicsEssential Server Data
  • User Data (Example 3)
  • bob Password "ge55gep, Caller-Id
    510-555-1212 Service-Type Callback-Login-User,
    Login-IP-Host 192.168.1.76, Login-Service
    Telnet, Login-TCP-Port 23, Callback-Number
    "9,1-800-555-1234"

41
RADIUS BasicsAccounting Start Record
  • Sun May 10 204741 1998 User-Name
    bob Client-Id 206.171.153.11 Client-Port-Id
    20110 Acct-Status-Type Start Acct-Delay-Time
    0 Acct-Session-Id "262282375 Acct-Authenti
    c RADIUS Caller-Id 5105551212 Client-Port
    -DNIS 5218296 Framed-Protocol
    PPP Framed-Address 209.79.145.46

42
RADIUS BasicsAccounting Stop Record
  • Sun May 10 205049 1998
  • User-Name bob Client-Id 206.171.153.11
    Client-Port-Id 20110 Acct-Status-Type
    Stop Acct-Delay-Time 0 Acct-Session-Id
    "262282353 Acct-Authentic RADIUS
    Acct-Session-Time 4871 Acct-Input-Octets
    459078 Acct-Output-Octets 4440286 Caller-Id
    5105551212 Client-Port-DNIS "4218296
    Framed-Protocol PPP Framed-Address
    209.79.145.46

43
RADIUS BasicsProxy Services
  • A forwarding or proxy server can forward
    authentication and/or accounting requests to
    another server for handling.
  • In order to differentiate between requests that
    should be handled locally and those that should
    be forwarded the NAI needs to be specially
    processed.

44
RADIUS BasicsProxy Services
  • The NAI (Network Access Identifier) is commonly
    called the userID.
  • In proxy and roaming situations the NAI is
    modified to include both the userID and a realm
    identifier.
  • The realm is a keyword indicating the server
    responsible for authenticating the userID.

45
RADIUS BasicsProxy Services
  • The standard way to send a userID and real in the
    NAI is to separate them with a _at_.
  • A typical proxy NAI looks like user_at_realm
  • A proxy RADIUS server looks for the _at_ in the
    NAI to determine if it should handle the request
    or forward it.

46
RADIUS BasicsProxy Services
  • If no _at_ is present, the enter NAI is assumed to
    be only a userID.
  • If a _at_ is present, the NAI is split into two
    tokens (a userID and a realm label).

47
RADIUS BasicsProxy Services
  • The realm label is looked up in a local file or
    database to find the address of the server for
    the realm and the protocol (typically RADIUS)
    used to connect to it.
  • Although the realm label may look like a domain
    name (E-Mail addresses are often used as NAIs) it
    is not safe to assume that.

48
RADIUS BasicsProxy Services
  • An example realms file might look like
  • realm IP
  • label Address Port Protocol
    Secrethomeco 167.24.12.5 1812 Radius
    Dont3v3rtellbiginiv 12.123.43.9 1645 Radius
    jsyWpnfE2vuR
  • (A real realms file might contain much more
    information. Each vendor implements realm
    information differently.)

49
RADIUS BasicsProxy Services
  • A typical bilateral proxy model looks like

Access Request UserID bill_at_homeco Password
mypass
Access Request UserID bill Password mypass
Reply
Reply
DB
50
RADIUS BasicsProxy Services
  • Bilateral relationships, with all the realm
    information stored in a local realms file or
    table can be effective with a small number of
    roaming or proxy partners.
  • But, the files must be changed each time there is
    a change in a server configuration.

51
RADIUS BasicsProxy Services
  • A consortium, or clearinghouse, solves that
    problem by having all proxy requests forwarded to
    it first.
  • The consortium maintains a list of all the server
    information for it

52
RADIUS BasicsProxy Services
  • In the case of a roaming consortium or
    clearinghouse it may be necessary to add
    additional information to the NAI.
  • This is because each server in the proxy chain
    might strip off the realm before passing the
    request on to the next server.

53
RADIUS BasicsProxy Services
  • A common solution is to use the / as an
    additional separator.
  • In the case of a consortium called cons the NAI
    would look like cons/user_at_realmAn actual NAI
    might be infonet/rdperl_at_berkinet.com

54
RADIUS BasicsProxy Services
  • The first server may now strip-off cons and
    forward the remaining two tokens.
  • rdperl_at_berkinet.com
  • The consortiums server strips off the remaining
    realm and forwards the userID to the final
    server
  • rdperl

55
RADIUS BasicsProxy Services
  • A consortium proxy model looks like

Access Request UserID cons/bill_at_homeco Password
mypass
Access Request UserID bill_at_homeco Password
mypass
Access Request UserID billPassword mypass
Reply
Reply
Reply
DB
RealmsFile homeco
56
RADIUS BasicsProxy Services Editing Attributes
  • A proxy server may add, delete or modify the
    attributes that it forwards.
  • An IP Address may be invalid on a given network,
    the maximum online time may be different, local
    filters may be required, etc.

57
RADIUS BasicsProxy Services Editing Attributes
  • In cases where special control of attributes is
    required bi-lateral relationships may work best.
  • A proxy server may also need to translate
    attributes intended for one brand of NAS into
    another brands format (pools, filters, etc.)

58
RADIUS Proxy Servers
  • Freeware
  • DTC - Radius 2.0 - NT/UNIX - (Japanese)
  • http//www.dtc.co.jp/Radius2.0
  • Commercial
  • Lucent Technologiess NavisRADIUS NT/UNIX
  • http//www.livingston.com
  • Shiva - Shiva Access Manager - 95/NT/UNIX
  • http//athena.shiva.com/remote/radius
  • Open System Consultants Pty Ltd - Radiator -
    NT/UNIX
  • http//www.open.com.au/radiator/
  • Microsoft - Microsoft Commercial Internet System
    (MCIS) - NT
  • http//www.microsoft.com/mcis/guide/features.asp
  • Funk - Steel-Belted Radius - Netware/NT
  • http//www.funk.com/Radius/
  • Vircom - Proxy Roaming Radius Server (PRRS) -
    NT
  • http//www.vircom.com/info/vprrsrel.htm
  • Novell - BorderManager - Netware
  • http//www.novell.com/text/bordermanager/radius.ht
    ml
  • Merit - Merit AAA Server - UNIX
Write a Comment
User Comments (0)
About PowerShow.com