Funk Software, Inc.
222 Third Street Cambridge, MA 02142 USA (617) 497-6339 WWW.FUNK.COM
RADIUS
© Copyright Funk Software. All rights reserved.
What We Will Cover:
– What is RADIUS?
– How RADIUS works
– RADIUS Messages
– What is Proxy RADIUS?
– How Proxy RADIUS works
– What is Steel-Belted RADIUS?
– Enterprise Features
– SPE Features
– Benefits
RADIUS 101
RADIUS RFCs
“The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.”
IETF Process:
– Draft, RFC, Proposed Standard, Standard
RADIUS Standards:
– RFC 2865 - RADIUS Authentication
– RFC 2866 - RADIUS Accounting
Other IETF Standards:
– L2TP, EAP
Internet Engineering Task Force web site: http://www.ietf.org
What Is RADIUS?
– Client/Server protocol that enables remote access servers to communicate with a central server to authenticate and authorize users to access that system
– Standardized method of info exchange between RADIUS Client and Server
– Simply put, a mechanism for delivering information
[Diagram: User and RADIUS Client (PPP or SLIP negotiation); RADIUS Client and RADIUS Server (RADIUS Request/Response)]
Users
– Mobile
– Telecommuter
– Small-office NAS
– Wireless Laptops
– PDAs
– Cellular Phones
RADIUS Clients
– PPP Servers
  – 3Com Total Control Hub
  – Cisco Access Servers
– VPN
  – 3Com Pathbuilder
  – Nortel Extranet Switch
– Firewalls
  – Firewall-1 (Checkpoint)
– Wireless LAN Access Points
  – Cisco Aironet
– RADIUS Proxies
– Back Office Software
  – Oracle 8i, MSSQL
Steel-Belted Radius
Central hub for distributed services
– Authentication
– Authorization
– Accounting
RADIUS AAA Services
Authentication
– ‘Who are you and do you have permission to do what you are requesting?’
– Match username/password to profile
Authorization
– ‘Did you provide enough info to connect?’ and ‘What can you do online?’
– User/Session-specific configuration
– Examples:
  • What IP address do you get?
  • How long can you connect to the Internet?
Accounting
– Track usage during connection’s lifetime
– Sort, filter, organize attributes
– Send attributes anywhere (logfile, Proxy, SQL)
Pre-RADIUS Infrastructure
[Diagram: NAS Devices in Boston, Worcester and Springfield; 10,000 Users, 10 NAS’s, 100,000 Management Tasks]
Multiple locations + multiple devices = management nightmare
RADIUS Implementation
[Diagram: NAS Devices in Boston, Worcester and Springfield all served by one RADIUS Server; 10,000 Users, 10 NAS’s, 1 AAA Server, 10,000 Centrally Managed Objects]
– Location – no longer an issue
– Updates – centrally in one place
RADIUS Messages – Authentication Request
1. User: logs on to service (Internet, Network) over a PPP/SLIP connection
2. RADIUS Client: sends Access Request Packet (username/password)
3. RADIUS Server: Validation / Authentication
RADIUS Messages – Authentication Response
4. RADIUS Server: RADIUS Response Packet – Access Response (ACCEPT/REJECT/CHALLENGE)
5. RADIUS Client: ACCEPT/REJECT
6. User
Packet Attributes
What is an attribute?
– Carries info between the RADIUS Client and Server
– This info contains instructions to ‘flip the switch’ on a RADIUS server
– For accounting attributes, this could be statistical info about the user (type of connection, account type, etc.)
– Based on RFC Standards 2865/2866
Types of Attributes:
– Standard – RFC specific, fixed
– Vendor-Specific Attribute (VSA) – Vendor created, flexible (Ascend, 3Com, Cisco)
Packet Attributes - Examples
1. User-Name
2. Password
3. CHAP-Password
4. NAS-IP-Address
5. NAS-Port
6. Service-Type
7. Framed-Protocol
8. Framed-IP-Address
9. Framed-Netmask
10. Framed-Routing
For a list of private enterprise attribute numbers, visit: http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
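The request/response exchange and the attribute layout from the slides above, as an added example that is not part of the original deck and not Funk Software's or Steel-Belted Radius code. It builds an RFC 2865 Access-Request on the client side (User-Name, User-Password hidden with the shared secret and Request Authenticator, NAS-IP-Address, NAS-Port), answers it on the server side with an Access-Accept or Access-Reject carrying a Response Authenticator, and checks that authenticator back on the client; the attribute encoder and decoder also handle a Vendor-Specific Attribute (type 26). The attribute numbers are the RFC's; the shared secret, the user table, the NAS address and the Framed-IP-Address value are constructed for the example.

```python
"""Added example, not Funk Software's or Steel-Belted Radius code: an RFC 2865
Access-Request/Access-Accept exchange with User-Password hiding, VSA encoding
and Response Authenticator checking. Secret, user table and NAS are constructed."""
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 8, 26
USERS = {"sean": ("s3cret", "10.0.0.7")}  # constructed: user -> (password, Framed-IP)

def xor_password(data, secret, authenticator, hide):
    """RFC 2865 5.2: null-pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), chain seeded by the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ k for x, k in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def encode_attrs(attrs):
    """attrs: list of (type, value); a VSA value is (vendor_id, vendor_type, bytes)."""
    out = b""
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC:
            vendor_id, vtype, vval = value
            value = struct.pack("!I", vendor_id) + bytes([vtype, len(vval) + 2]) + vval
        out += bytes([atype, len(value) + 2]) + value  # bytes() rejects lengths > 255
    return out

def decode_attrs(data):
    """Walk the TLVs, refusing any length field that would run past the buffer."""
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[0], data[1]
        value = data[2:alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or not 2 <= value[5] <= len(value) - 4:
                raise ValueError("malformed VSA")
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]])
        attrs.append((atype, value))
        data = data[alen:]
    return attrs

def parse_packet(data):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16); trailing bytes ignored."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad length")
    return code, ident, data[4:20], decode_attrs(data[20:length])

def access_request(secret, ident, user, password, nas_ip, nas_port):
    """Client side; the Request Authenticator must be fresh and unpredictable."""
    ra = os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, xor_password(password.encode(), secret, ra, True)),
                         (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
                         (NAS_PORT, struct.pack("!I", nas_port))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def handle_request(packet, secret):
    """Server side: check the credentials and answer with a signed Accept/Reject."""
    code, ident, ra, attrs = parse_packet(packet)
    got = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in got or USER_PASSWORD not in got:
        raise ValueError("not a usable Access-Request")
    entry = USERS.get(got[USER_NAME].decode(errors="replace"))
    password = xor_password(got[USER_PASSWORD], secret, ra, False)
    if entry and hmac.compare_digest(password, entry[0].encode()):
        reply, reply_attrs = ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, socket.inet_aton(entry[1]))]
    else:
        reply, reply_attrs = ACCESS_REJECT, []
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", reply, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side: drop replies whose Identifier or Response Authenticator do not match."""
    code, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, ra, _ = parse_packet(request)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + ra + response[20:length] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)

def demo(password="s3cret", secret=b"constructed-shared-secret"):
    """One full exchange: returns (reply code, authenticator verified?, reply attributes)."""
    request = access_request(secret, 7, "sean", password, "192.0.2.10", 3)
    response = handle_request(request, secret)
    code, _, _, attrs = parse_packet(response)
    return code, verify_response(response, request, secret), dict(attrs)
```

Two things the slides state and the code makes concrete: only the User-Password attribute is hidden, and only with MD5 of the shared secret, so everything else in the packet (User-Name, NAS addresses, the accept/reject outcome) travels in the clear; and the Response Authenticator is the client's only evidence that the reply came from a holder of the shared secret, so a client that skips `verify_response` will accept any packet with a matching Identifier.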
What is Proxy RADIUS?
– The ability for one RADIUS server to pass Access Requests to another server
– Proxy server only knows Realms, not users
– Proxy RADIUS is how dial-up services work today
– Example: In a University scenario, the University controls network management, the individual schools control user level access.
What Are Realms?
– Refers to an organization containing multiple RADIUS servers
– Two types of Realms:
  – Proxy Realm – hands off auth. requests to another server
  – Directed Realm – handles auth. locally based on settings in .dir/.pro files
– Supports outsourced ISPs (i.e. Earthlink, Juno)
How Proxy Works (Request):
1. User: logs on
2. RADIUS Client: Access Request (username/password)
3. Proxy: Proxy Forward
4. Target: Verification
How Proxy Works (Response):
1. Target: Authentication Response
2. Proxy: Proxy Forward Response Packet
3. RADIUS Client: ACCEPT/REJECT Response Packet
4. User
How Proxy Works (Accounting):
1. User: logs on
2. RADIUS Client: ACCT Start/Stop
3. Proxy: Proxy Forward
4. Target: SQL INSERT Statement
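Step 4 of the accounting flow, and the "send attributes anywhere (logfile, Proxy, SQL)" point from the AAA slide, as an added example that is not part of the deck and not Steel-Belted Radius code. The target server receives Acct-Start and Acct-Stop records (here already decoded into attribute-name to value dicts, a constructed input) and turns each into a parameterized SQL INSERT or UPDATE keyed on Acct-Session-Id. RADIUS accounting runs over UDP and NASes retransmit, so the code also shows the two cases a naive INSERT gets wrong: a retransmitted Start or Stop must not be counted twice, and a Stop whose Start never arrived must still be recorded. The `received` field and the sample sessions are constructed; the attribute names are RFC 2866's.

```python
"""Added example, not Steel-Belted Radius code: the last hop of the accounting
proxy chain, an RFC 2866 Acct-Start/Stop record turned into a parameterized SQL
INSERT or UPDATE. Records below are constructed, already decoded into
attribute-name -> value dicts as a target server would hold them."""
import sqlite3

ACCT_START, ACCT_STOP = 1, 2  # Acct-Status-Type values (RFC 2866)
SCHEMA = """CREATE TABLE IF NOT EXISTS sessions (
    acct_session_id TEXT PRIMARY KEY, user_name TEXT, nas_ip TEXT,
    started INTEGER, stopped INTEGER, session_time INTEGER,
    input_octets INTEGER, output_octets INTEGER)"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def apply_record(conn, rec):
    """Store one accounting record; returns 'inserted', 'updated', 'duplicate' or 'ignored'.
    Acct-Session-Id is the key, so a retransmitted Start or Stop is absorbed rather
    than double-counted, and a Stop with no matching Start is still kept."""
    sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
    if status == ACCT_START:
        cur = conn.execute(
            "INSERT OR IGNORE INTO sessions (acct_session_id, user_name, nas_ip, started) "
            "VALUES (?, ?, ?, ?)",
            (sid, rec.get("User-Name"), rec.get("NAS-IP-Address"), rec["received"]))
        return "inserted" if cur.rowcount == 1 else "duplicate"
    if status == ACCT_STOP:
        usage = (rec["received"], rec.get("Acct-Session-Time"),
                 rec.get("Acct-Input-Octets"), rec.get("Acct-Output-Octets"))
        cur = conn.execute(
            "UPDATE sessions SET stopped = ?, session_time = ?, input_octets = ?, "
            "output_octets = ? WHERE acct_session_id = ? AND stopped IS NULL", usage + (sid,))
        if cur.rowcount == 1:
            return "updated"
        cur = conn.execute(  # orphan Stop: no open session, so insert the usage directly
            "INSERT OR IGNORE INTO sessions (acct_session_id, user_name, nas_ip, stopped, "
            "session_time, input_octets, output_octets) VALUES (?, ?, ?, ?, ?, ?, ?)",
            (sid, rec.get("User-Name"), rec.get("NAS-IP-Address")) + usage)
        return "inserted" if cur.rowcount == 1 else "duplicate"
    return "ignored"  # other Acct-Status-Type values are out of scope here

def usage_by_user(conn):
    """Per-user totals: the 'sort, filter, organize attributes' step over stored rows."""
    rows = conn.execute(
        "SELECT user_name, COUNT(*), COALESCE(SUM(input_octets + output_octets), 0) "
        "FROM sessions GROUP BY user_name ORDER BY user_name").fetchall()
    return [tuple(r) for r in rows]

# Constructed records: one session whose Start and Stop are each received twice,
# plus an orphan Stop whose Start never reached this server.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": ACCT_START, "Acct-Session-Id": "1001", "User-Name": "sean",
     "NAS-IP-Address": "192.0.2.10", "received": 1000},
    {"Acct-Status-Type": ACCT_START, "Acct-Session-Id": "1001", "User-Name": "sean",
     "NAS-IP-Address": "192.0.2.10", "received": 1001},
    {"Acct-Status-Type": ACCT_STOP, "Acct-Session-Id": "1001", "User-Name": "sean",
     "NAS-IP-Address": "192.0.2.10", "Acct-Session-Time": 3600,
     "Acct-Input-Octets": 1024, "Acct-Output-Octets": 2048, "received": 4600},
    {"Acct-Status-Type": ACCT_STOP, "Acct-Session-Id": "1001", "User-Name": "sean",
     "NAS-IP-Address": "192.0.2.10", "Acct-Session-Time": 3600,
     "Acct-Input-Octets": 1024, "Acct-Output-Octets": 2048, "received": 4601},
    {"Acct-Status-Type": ACCT_STOP, "Acct-Session-Id": "2002", "User-Name": "emil",
     "NAS-IP-Address": "192.0.2.11", "Acct-Session-Time": 60,
     "Acct-Input-Octets": 10, "Acct-Output-Octets": 20, "received": 5000},
]

def load(records=SAMPLE_RECORDS):
    """Apply the records in order; returns (per-record outcomes, per-user usage rows)."""
    conn = open_db()
    outcomes = [apply_record(conn, r) for r in records]
    return outcomes, usage_by_user(conn)
```

Every value from the packet reaches the database only through a `?` placeholder; a User-Name chosen by the remote user is exactly the kind of attribute that must never be spliced into SQL text.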
Managed Services and Proxy RADIUS
[Diagram: Remote Users dial into an Outsourced Service Provider (AT&T Global Services, 300K Modems), which reaches Steel-Belted Radius (SBR) servers at Ford, GM and Chrysler over Private Network/Internet]
Proxy Realm Scenario
[Diagram: Sean@Earthlink, Emil@Juno and Mike@NetZero dial into a UUNET NAS; the UUNET Proxy Server forwards each request to the AAA Servers of Earthlink, Juno and NetZero]
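The realm scenario above, together with the Proxy Realm / Directed Realm distinction and the Extended Proxy items listed later for SPE (name decoration, multiple proxy targets, fast-fail, configurable failure action), as an added example that is not part of the deck and not Steel-Belted Radius code. The proxy knows only realms: it splits the decorated user name, looks the realm up in a table, hands a Proxy Realm request to the realm's targets in order (a target that times out is marked down and skipped on later requests), and answers a Directed Realm request from a local user store. Suffix decoration (user@realm) is the form the slides show; prefix decoration (realm/user) is an assumption of this example, as are the realm table, the target addresses and the stand-in transport that never gets a reply from some targets.

```python
"""Added example, not Steel-Belted Radius code: routing by realm at a proxy that
knows only realms. Realm table, targets, users and the fake transport are constructed;
the prefix realm/user decoration is an assumption of this example."""
import hmac

def split_realm(user_name):
    """Return (user, realm-or-None); realm names compare case-insensitively."""
    if "/" in user_name:                     # prefix decoration: realm/user (assumed form)
        realm, user = user_name.split("/", 1)
    elif "@" in user_name:                   # suffix decoration: user@realm
        user, realm = user_name.rsplit("@", 1)
    else:
        return user_name, None
    return user, realm.lower()

class RealmProxy:
    def __init__(self, realms, default_realm, transport, on_failure="reject"):
        self.realms, self.default_realm = realms, default_realm
        self.transport = transport           # transport(target, user, password) -> "accept"/"reject"
        self.on_failure = on_failure         # answer when every target of a realm is down
        self.down = set()                    # fast-fail: targets skipped after a timeout
        self.log = []

    def authenticate(self, user_name, password):
        user, realm = split_realm(user_name)
        cfg = self.realms.get(realm or self.default_realm)
        if cfg is None:                      # unknown realm: nothing to forward to
            self.log.append(f"{user_name}: unknown realm")
            return "reject"
        forwarded = user if cfg.get("strip_realm") else user_name
        if cfg["type"] == "directed":        # Directed Realm: authenticate locally
            stored = cfg["users"].get(forwarded, "")
            return "accept" if hmac.compare_digest(stored.encode(), password.encode()) else "reject"
        for target in cfg["targets"]:        # Proxy Realm: first reachable target wins
            if target in self.down:
                continue
            try:
                result = self.transport(target, forwarded, password)
            except TimeoutError:
                self.down.add(target)
                self.log.append(f"{target}: no reply, marked down")
                continue
            self.log.append(f"{user_name}: forwarded to {target}")
            return result
        return self.on_failure

REALMS = {  # constructed realm table
    "earthlink": {"type": "proxy", "targets": ["198.51.100.10", "198.51.100.11"]},
    "juno": {"type": "proxy", "targets": ["203.0.113.5"], "strip_realm": True},
    "campus": {"type": "directed", "users": {"mike": "pw-mike"}},
}

def fake_transport(target, user, password):
    """Stands in for the UDP round trip; two of the targets never answer."""
    if target in ("198.51.100.10", "203.0.113.5"):
        raise TimeoutError(target)
    return "accept" if (user, password) == ("sean@earthlink", "pw-sean") else "reject"

def demo():
    """Route six requests; returns (results, targets marked down, proxy log)."""
    proxy = RealmProxy(REALMS, "campus", fake_transport)
    results = [proxy.authenticate(u, p) for u, p in [
        ("sean@earthlink", "pw-sean"),  # primary times out, secondary accepts
        ("sean@earthlink", "pw-sean"),  # primary now skipped (fast-fail)
        ("emil@juno", "pw-emil"),       # only target down -> configured failure action
        ("mike", "pw-mike"),            # no decoration -> default Directed Realm
        ("juno/emil", "pw-emil"),       # prefix form reaches the same (down) realm
        ("bob@nowhere", "x"),           # unknown realm
    ]]
    return results, sorted(proxy.down), proxy.log
```

The `on_failure` setting is the part worth thinking about as a defender: answering "reject" tells the NAS immediately that the realm is unavailable, while silently discarding (the RFC's behaviour for an unusable packet) leaves the NAS to retry and time out; either way the proxy's log of marked-down targets is what an operator will need when an entire realm stops authenticating.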
RADIUS Administrator’s Burden:
– Provide remote access to allowed users
– Keep up with different access technologies
– Lower costs
– Manage other aspects of network
– Security!!
RADIUS Administrator’s Burden:
Problems:
1. ‘Remote Users’ – difficult user type
2. Rapidly changing technology (cable, DSL, ISDN, wireless devices, modems 2.4kbps > 128kbs over 10 years)
3. Costs (buy or outsource?, cost tracking, access vs. risk)
4. Not enough hours in the day
5. Is allowing this access a security risk to the network?
   • Is it secure?
   • Is it simple?
   • Does it work with other access options?
The SBR Solution
– Saves time on remote access administration
  – Without SBR, administrative burden staggering
  – Centralized authentication across all gateways
  – Don’t have to create and administer separate databases on each RADIUS Client on the LAN
  – Eliminate redundant work
– Enhances security
  – Common security model for all devices makes network more secure
– Consolidates administration of all Intranet, Extranet, and Internet access security
What is Steel-Belted Radius?
– Complete implementation of RADIUS standard
– Comprehensive feature set, designed for compatibility in heterogeneous environment
  – Multi-platform
  – Multi-vendor
  – Multiple back-end authentication databases
– Multiple product solutions
  – Enterprise
  – Service Provider Edition
  – 3G Mobility Module (formerly Advanced Wireless Edition)
Back-End Solution Compatibility
Authentication Server          SBR Product
ODBC/SQL (Oracle, Informix)    SPE
LDAP                           SPE, Enterprise
NT Domains/Hosts               Enterprise
Active Directory               Enterprise
ACE                            Enterprise
TACACS+                        SPE, Enterprise
Proxy RADIUS                   SPE, Enterprise
Netware NDS                    Enterprise
SBR Enterprise Features
– Multi-vendor Client support – PPP, DSL, PPPoE, wLAN, Firewall, VPN (VSAs)
– Multiple authentication types (SQL, LDAP, Tokens, TACACS+, etc.)
– Strong accounting options (SQL/Native)
– Tunnel Support
– User-friendly interface
Enterprise Features (cont’d)
– Enterprise Proxy
  – Support for ‘simple proxy’ from point A to B
  – Makes “distributed authentication” possible (i.e. migrating from legacy RADIUS server to SBR)
  – Not required to have redundant authentication databases at each site
– High-speed performance
  – 400+ transactions per second
  – Scaleable based on number of processors and amount of memory
Powerful, Flexible, Reliable, Fast
Transaction Speed Example
400 transactions/sec:
• x 60 seconds = 24,000 transactions/min
• x 60 minutes = 1.44 million transactions/hour
• x 15 hours ‘uptime’ = 21.6 million transactions/day
• / 3 completed transactions per cycle = 7.2 mil./day
• x 2 SBR redundancy = 14.4 million transactions/day
Case in Point: PricewaterhouseCoopers employs approx. 140,000 people. They average 5 transactions/sec.
SBR Administrator Features
– “Profiles” to differentiate class of service levels to groups of similar users
– IP / IPX Address Pooling assigns addresses based on user name or device pool
– Tunnel Management
  – Return all tunnel set-up attributes based on make & model of request
  – MS-CHAP / MPPE Key support
– Statistics page gives useful information by detailing IP addresses in use, number of accepts, rejects, etc.
– Configuration Page allows selection of multiple authentication methods, customized reject messaging, etc.
Steel-Belted Radius SPE
– Carrier-grade feature set
– Extended Proxy:
  – Flexible user name (name decoration)
  – Proxy packet filtering (filter.ini)
  – Multiple proxy targets (redundancy)
  – Configurable failure action (Fast-fail; .pro file)
  – Static Accounting Proxy
  – Account Spooling
– Directed Realms
  – ‘Realms’ refer to multiple RADIUS servers, or an organizational structure
  – Handle hosted authentication (outsourcing AAA services to ISPs – ‘virtual ISPs’)
Steel-Belted Radius SPE
Service Provider-Specific Features:
– Time-of-day restrictions (allowed-access-hours)
– SNMP (SPE Solaris only) Traps & Alarms
– Auto-restart/Retries (Perl script/bounce.ini)
– LDAP Configuration Interface (optional in EE)
– Administrative access privileges (access.ini/admin.ini)
– Platform for add-on policy servers (PAS, Concurrency)
– DHCP Pooling (dhcp.ini, pool.dhc)
Accounting capabilities:
– Flexible logging capabilities
– Attribute mapping (VSA dictionaries)
The Changing Infrastructure
[Diagram, panel ‘Today’: Firewall (Checkpoint), NAS (Cisco), wLAN (3Com) and VPN (Nortel) all authenticate through SBR, which uses NT Domain and Token Systems (Ace). Panel ‘Future’.]