No Slide Title


Funk Software, Inc.

222 Third Street, Cambridge, MA 02142 USA, (617) 497-6339, WWW.FUNK.COM

RADIUS

© Copyright Funk Software. All rights reserved.

What We Will Cover:

What is RADIUS?
How RADIUS works
RADIUS Messages
What is Proxy RADIUS?
How Proxy RADIUS works
What is Steel-Belted RADIUS?
Enterprise Features
SPE Features
Benefits


RADIUS 101


RADIUS RFCs

“The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.”
IETF Process:
– Draft -> RFC -> Proposed Standard -> Standard
RADIUS Standards:
– RFC 2865 - RADIUS Authentication
– RFC 2866 - RADIUS Accounting
Other IETF Standards:
– L2TP, EAP
Internet Engineering Task Force web site:

http://www.ietf.org


What Is RADIUS?

Client/Server protocol that enables remote access servers to communicate with a central server to authenticate and authorize users to access that system
Standardized method of info exchange between RADIUS Client and Server
Simply put, a mechanism for delivering information

[Diagram: User <- PPP or SLIP Negotiation -> RADIUS Client <- RADIUS Request/Response -> RADIUS Server]


Users

Mobile
Telecommuter
Small-office NAS
Wireless
Laptops
PDAs
Cellular Phones


RADIUS Clients

PPP Servers
– 3Com Total Control Hub
– Cisco Access Servers
VPN
– 3Com Pathbuilder
– Nortel Extranet Switch
Firewalls
– Firewall-1
– Checkpoint
Wireless LAN Access Points
– Cisco Aironet
RADIUS Proxies
Back Office Software
– Oracle 8i, MSSQL


Steel-Belted Radius

Central hub for distributed services
– Authentication
– Authorization
– Accounting


RADIUS AAA Services

Authentication
– ‘Who are you and do you have permission to do what you are requesting?’
– Match username/password to profile
Authorization
– ‘Did you provide enough info to connect?’ and ‘What can you do online?’
– User/Session-specific configuration
– Examples:
  • What IP address do you get?
  • How long can you connect to the Internet?
Accounting
– Track usage during connection’s lifetime
– Sort, filter, organize attributes
– Send attributes anywhere (logfile, Proxy, SQL)


Pre-RADIUS Infrastructure

[Diagram: Boston, Worcester and Springfield sites, each with its own NAS Devices; 10,000 Users; 10 NAS’s; 100,000 Management Tasks]

Multiple locations + multiple devices = management nightmare


RADIUS Implementation

[Diagram: NAS Devices in Boston, Worcester and Springfield all served by one central RADIUS Server; 10,000 Users; 10 NAS’s; 1 AAA Server; 10,000 Centrally Managed Objects]

Location – no longer an issue
Updates – centrally in one place


RADIUS Messages – Authentication Request

1. User logs on to service (Internet, Network)
2. RADIUS Client sends an Access Request Packet (username/password)
3. RADIUS Server performs validation / authentication

[Diagram: User <- PPP/SLIP connection -> RADIUS Client <- Access Request -> RADIUS Server]


RADIUS Messages – Authentication Response

4. RADIUS Server sends a RADIUS Response Packet (ACCEPT/REJECT/CHALLENGE)
5. RADIUS Client relays the Access Response
6. User receives ACCEPT/REJECT
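The Access-Request / Access-Response exchange of steps 2 through 5, worked through at the packet level as an added example (not code from the deck or from Funk's product): the client hides User-Password as RFC 2865 section 5.2 prescribes, the server signs its reply with the Response Authenticator, and the client checks that authenticator before it trusts an ACCEPT or REJECT. The shared secret, user, password and NAS address below are constructed values.

```python
import hashlib, hmac, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types used here

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block_i = plain_i XOR MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator          # first block is keyed on the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same key chain, keyed on the received cipher blocks; NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user, password, secret, nas_ip, nas_port, ident, authenticator=None):
    """Step 2: the NAS builds the Access-Request with a fresh random Request Authenticator."""
    auth = authenticator or secrets.token_bytes(16)
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, auth))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def response(code, request, secret, body=b""):
    """Step 4: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body

def verify_response(resp, request, secret) -> bool:
    """Step 5: recompute the Response Authenticator; a reply that fails (wrong secret, spoofed,
    tampered code or attributes, mismatched identifier) must be discarded, not acted on."""
    if len(resp) < 20 or resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```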


Packet Attributes

What is an attribute?

– Carries info between the RADIUS Client and Server
– This info contains instructions to ‘flip the switch’ on a RADIUS server
– For accounting attributes, this could be statistical info about the user (type of connection, account type, etc.)
Based on RFC Standard 2865, 66 Types of Attributes:
– Standard – RFC specific, fixed
– Vendor-Specified Attribute (VSA) – Vendor created, flexible (Ascend, 3Com, Cisco)


Packet Attributes - Examples

1. User-Name
2. Password
3. CHAP-Password
4. NAS-IP-Address
5. NAS-Port
6. Service-Type
7. Framed-Protocol
8. Framed-IP-Address
9. Framed-Netmask
10. Framed-Routing

For a list of private enterprise attribute numbers, visit: http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
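Encoding and parsing the two attribute kinds from the slides above (standard TLV attributes and type-26 Vendor-Specific Attributes), as an added example that is not from the deck or from Funk's dictionaries. The enterprise number 9 for Cisco comes from the IANA registry the slide links to; the vendor-type 1 and the AVPair-style string are assumed sample values.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that wraps a Vendor-Specific Attribute
CISCO_PEN = 9          # IANA private enterprise number for Cisco (from the IANA enterprise-numbers list)

def encode_standard(atype: int, value: bytes) -> bytes:
    """Standard attribute: Type (1 octet), Length (1 octet, counts the header), Value (1..253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """VSA: Type 26 wrapping Vendor-Id (4, high octet zero) + Vendor-Type (1) + Vendor-Length (1) + data."""
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    inner = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return encode_standard(VENDOR_SPECIFIC, inner)

def decode_attributes(data: bytes) -> list:
    """Walk the TLV list. Standard attrs -> (type, value); VSAs -> (26, vendor_id, vendor_type, data).
    Every length is checked against the buffer, so a malformed attribute raises instead of mis-parsing."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-attribute header")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:            # one sub-attribute per VSA assumed (the common form)
                raise ValueError("Vendor-Length does not match the VSA payload")
            out.append((VENDOR_SPECIFIC, vendor_id, vtype, value[6:]))
        else:
            out.append((atype, value))
        pos += alen
    return out
```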


What is Proxy RADIUS?

The ability for one RADIUS server to pass Access Requests to another server
Proxy server only knows Realms, not users
Proxy RADIUS is how dial-up services work today
Example: In a University scenario, the University controls network management, the individual schools control user level access.


What Are Realms?

Refers to an organization containing multiple RADIUS servers
Two types of Realms:
– Proxy Realm – hands off auth. requests to another server
– Directed Realm – handles auth. locally based on settings in .dir/.pro files
Supports outsourced ISPs (i.e. Earthlink, Juno)


How Proxy Works (Request):

1. User logs on
2. RADIUS Client sends an Access Request (username/password)
3. Proxy forwards the request (Proxy Forward)
4. Target performs verification


How Proxy Works (Response):

1. Target sends the Authentication Response
2. Proxy forwards the Response Packet (Proxy Forward)
3. RADIUS Client receives the Response Packet
4. User receives ACCEPT/REJECT


How Proxy Works (Accounting):

1. User logs on
2. RADIUS Client sends ACCT Start/Stop
3. Proxy forwards the accounting packet (Proxy Forward)
4. Target stores it (SQL INSERT Statement)
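The realm decision from the "What Are Realms?" slide and step 4 of the accounting flow above, as an added example (not Steel-Belted Radius code): the proxy splits the decorated user name, routes on the realm alone (proxy realm, directed realm, or reject for an unknown realm), and the accounting target writes the forwarded Start/Stop record with a parameterised INSERT because the values come off the wire. The realm table, target host names and the "campus" realm are constructed stand-ins for .pro/.dir files.

```python
import sqlite3

# Constructed realm table standing in for the .pro (proxy) and .dir (directed) realm files.
REALMS = {
    "earthlink": {"type": "proxy", "targets": ["radius1.earthlink.example", "radius2.earthlink.example"]},
    "juno":      {"type": "proxy", "targets": ["radius.juno.example"]},
    "netzero":   {"type": "proxy", "targets": ["radius.netzero.example"]},
    "campus":    {"type": "directed", "auth_method": "local-db"},
}

def split_realm(user_name: str):
    """Name decoration: 'user@realm' -> (user, realm). No '@' means a local, undecorated user."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()

def route_request(user_name: str, realm_table=REALMS):
    """Proxy decision: the proxy knows only realms, never users. Returns (action, user, detail)."""
    user, realm = split_realm(user_name)
    if realm is None:
        return ("local", user, None)
    entry = realm_table.get(realm)
    if entry is None:
        return ("reject", user, realm)                 # unknown realm: never forward blindly
    if entry["type"] == "proxy":
        return ("proxy", user, entry["targets"][0])    # first target; the rest are fail-over
    return ("directed", user, entry["auth_method"])

def new_accounting_db():
    """The accounting target's store (in-memory SQLite here; the deck's target is a SQL database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acct (user TEXT, realm TEXT, status TEXT, session_id TEXT, octets INTEGER)")
    return conn

def record_accounting(conn, user_name: str, status: str, session_id: str, octets: int = 0) -> int:
    """Step 4: INSERT the forwarded Acct Start/Stop record. Attribute values arrive from the
    wire, so they are bound as parameters rather than formatted into the SQL text."""
    if status not in ("Start", "Stop"):
        raise ValueError("Acct-Status-Type must be Start or Stop")
    user, realm = split_realm(user_name)
    conn.execute("INSERT INTO acct VALUES (?, ?, ?, ?, ?)", (user, realm, status, session_id, octets))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM acct WHERE session_id = ?", (session_id,)).fetchone()[0]
```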


Managed Services and Proxy RADIUS

[Diagram: Remote Users -> Outsourced Service Provider (AT&T Global Services, 300K Modems) running Steel-Belted Radius -> Private Network/Internet -> SBR at Ford, GM and Chrysler]


Proxy Realm Scenario

[Diagram: Sean@Earthlink, Emil@Juno and Mike@NetZero dial into a NAS; the UUNET Proxy Server forwards each request by realm to the AAA Servers at Earthlink, Juno and NetZero]


RADIUS Administrator’s Burden:

Provide remote access to allowed users
Keep up with different access technologies
Lower costs
Manage other aspects of network
Security!!


RADIUS Administrator’s Burden:

Problems:
1. ‘Remote Users’ difficult user type
2. Rapidly changing technology (cable, DSL, ISDN, wireless devices, modems 2.4kbps > 128kbs over 10 years)
3. Costs (buy or outsource?, cost tracking, access vs. risk)
4. Not enough hours in the day
5. Is allowing this access a security risk to the network?
   • Is it secure?
   • Is it simple?
   • Does it work with other access options?


The SBR Solution

Saves time on remote access administration
– Without SBR, administrative burden staggering
– Centralized authentication across all gateways
– Don’t have to create and administer separate databases on each RADIUS Client on the LAN
– Eliminate redundant work
Enhances security
– Common security model for all devices makes network more secure
Consolidates administration of all Intranet, Extranet, and Internet access security


What is Steel-Belted Radius?

Complete implementation of RADIUS standard
Comprehensive feature set, designed for compatibility in heterogeneous environment
– Multi-platform
– Multi-vendor
– Multiple back-end authentication databases
Multiple product solutions
– Enterprise
– Service Provider Edition
– 3G Mobility Module (formerly Advanced Wireless Edition)


Back-End Solution Compatibility

Authentication Server          SBR Product
ODBC/SQL (Oracle, Informix)    SPE
LDAP                           SPE, Enterprise
NT Domains/Hosts               Enterprise
Active Directory               Enterprise
ACE                            Enterprise
TACACS+                        SPE, Enterprise
Proxy RADIUS                   SPE, Enterprise
Netware NDS                    Enterprise


SBR Enterprise Features

Multi-vendor Client support – PPP, DSL, PPPoE, wLAN, Firewall, VPN (VSAs)
Multiple authentication types (SQL, LDAP, Tokens, TACACS+, etc.)
Strong accounting options (SQL/Native)
Tunnel Support
User-friendly interface


Enterprise Features (cont’d)

Enterprise Proxy
– Support for ‘simple proxy’ from point A to B
– Makes “distributed authentication” possible (i.e. migrating from legacy RADIUS server to SBR)
– Not required to have redundant authentication databases at each site
High-speed performance
– 400+ transactions per second
– Scalable based on number of processors and amount of memory
Powerful, Flexible, Reliable, Fast


Transaction Speed Example

400 transactions/sec:
• x 60 seconds = 24,000 transactions/min
• x 60 minutes = 1.44 million transactions/hour
• x 15 hours ‘uptime’ = 21.6 million transactions/day
• / 3 completed transactions per cycle = 7.2 mil./day
• x 2 SBR redundancy = 14.4 million transactions/day
Case in Point: PricewaterhouseCoopers employs approx. 140,000 people. They average 5 transactions/sec.


SBR Administrator Features

“Profiles” to differentiate class of service levels to groups of similar users
IP / IPX Address Pooling assigns addresses based on user name or device pool
Tunnel Management
– Return all tunnel set-up attributes based on make & model of request
– MS-CHAP / MPPE Key support
Statistics page gives useful information by detailing IP addresses in use, number of accepts, rejects, etc.
Configuration Page allows selection of multiple authentication methods, customized reject messaging, etc.


Steel-Belted Radius SPE

Carrier-grade feature set
Extended Proxy:
– Flexible user name (name decoration)
– Proxy packet filtering (filter.ini)
– Multiple proxy targets (redundancy)
– Configurable failure action (Fast-fail; .pro file)
– Static Accounting Proxy
– Account Spooling
Directed Realms
– ‘Realms’ refer to multiple RADIUS servers, or an organizational structure
– Handle hosted authentication (outsourcing AAA services to ISPs – ‘virtual ISPs’)


Steel-Belted Radius SPE

Service Provider-Specific Features:

Time-of-day restrictions (allowed-access-hours)
SNMP (SPE Solaris only) Traps & Alarms
Auto-restart/Retries (Perl script/bounce.ini)
LDAP Configuration Interface (optional in EE)
Administrative access privileges (access.ini/admin.ini)
Platform for add-on policy servers (PAS, Concurrency)
DHCP Pooling (dhcp.ini, pool.dhc)

Accounting capabilities:

Flexible logging capabilities
Attribute mapping (VSA dictionaries)


The Changing Infrastructure

[Diagram: Today – Firewall (Checkpoint), NAS (Cisco), wLAN (3Com) and VPN (Nortel) all authenticate through SBR, which is backed by NT Domain and Token Systems (Ace); Future – further access devices added to the same SBR hub]
