Global InternetIntranet Access Service - PowerPoint PPT Presentation

1 / 58

About This Presentation

Title:

Global InternetIntranet Access Service

Description:

Check that the user may access the services he/she wishes. ... Shiva - Shiva Access Manager - 95/NT/UNIX. http://athena.shiva.com/remote/radius ... – PowerPoint PPT presentation

Number of Views:59

Avg rating:3.0/5.0

Slides: 59

Provided by: Fran199

Category:

more less

Transcript and Presenter's Notes

Title: Global InternetIntranet Access Service

1
AAA Services
Richard PerlmanFor CEENET 6Budapest, Hungary
2
AAA Services

Authentication
Authorization
Accounting

3
Authentication

Verify the user is who he/she claims to be
Use Password, Special Token card, Caller-ID, etc.
May issue additional challenge

4
Authorization

Check that the user may access the services
he/she wishes.
Check database or file information about the user

5
Accounting

Record what the user has done.
Time online. Bytes sent/received. Services
accessed. Files downloaded. Etc.

6
NAS/RASNetwork Access ServerRemote Access Server
Phone Lines
7
Logical System View
8
Types of AAA Services

Local accounts on the NAS/RAS
Proprietary software between NAS and server
RADIUS
TACACS (tacacs, tacacs, xtacacs)

9
RADIUS Basics

A protocol for communicating between a Network
Access Server (NAS) and a remote
Authentication/Access/Accounting server
Not the actual server itself

10
RADIUS Basics

Defined by IETF standard RFC2138 RFC2139
http//www.faqs.org/rfcs/rfc2138.htmlhttp//www.
faqs.org/rfcs/rfc2139.html
Requires Clients (normally a NAS) and servers
(often called RADIUS servers)

11
The Authentication Process
Access Accept
Access Request
User Information
12
RADIUS BasicsAuthentication Data Flow
ISP User Database
UserID bobPassword ge55gepNAS-ID 207.12.4.1
Select UserIDbob
ISP Modem Pool
Bobpasswordge55gepTimeout3600other
attributes
UserID bobPassword ge55gep
Access-AcceptUser-Namebobother attributes
ISP RADIUS Server
Framed-Address217.213.21.5
The Internet
User dials modem pool and establishes connection
Internet PPP connection established
13
RADIUS BasicsAccounting Data Flow
Sun May 10 204741 1998 Acct-Status-TypeStar
t User-Namebob Framed-Address217.213.21.
5 ...
Acct-Status-TypeStartUser-NamebobFramed-Addres
s217.213.21.5...
ISP Modem Pool
ISP AccountingDatabase
Acknowledgement
ISP RADIUS Server
The Internet
Internet PPP connection established
The Accounting Start Record
14
RADIUS BasicsAccounting Data Flow
Sun May 10 205049 1998 Acct-Status-TypeStop
User-Namebob Acct-Session-Time1432
...
Acct-Status-TypeStopUser-NamebobAcct-Session-T
ime1432...
ISP Modem Pool
ISP AccountingDatabase
Acknowledgement
ISP RADIUS Server
The Internet
User Disconnects
Internet PPP connection established
The Accounting Stop Record
15
RADIUS Basics

Key data for Authentication
NAS/Client Info
IP Name and/or IP Address
Shared Secret Key for encryption
User Information
User-Name Password
Session Information
Speed, dialed number, port, NAS ID, etc.

16
RADIUS Basics The process flow

Decode Packet using shared secret key

17
RADIUS BasicsShared Secret Keys
Shared
Secret
Session Key
Plaintext
Plaintext
Ciphertext
Encryption
Decryption
Shared
Secret
User 1
Session Key
18
RADIUS Basics The process flow

Lookup users in local or external database
Text File
Password file (UNIX)
NT Registry/Netware Directory
NIS/NIS
LDAP
Etc., etc.

19
RADIUS Basics The process flow

Authenticate
User-Name, Password, etc.
Chap Challenge
SecurID Token card
Etc.

20
RADIUS Basics The process flow

Check arbitrary access criteria
Type of access (analog, ISDN)
Time of day
Called or Calling number

21
RADIUS Basics The process flow

Send Accept/Reject to NAS with appropriate
session attributes
Session timers
Filters (allow/reject IP addrs)
IP Address
ISDN session parameters
Etc.

22
RADIUS BasicsProcess Description

Using a modem, the user dials-in to a modem
connected to a NAS. Once the modem connection is
completed, the NAS attempts to use the CHAP or
PAP protocol to determine the userID and
password. If that fails, the NAS prompts the user
for the userID and password.

23
RADIUS BasicsProcess Description

The NAS creates a data packet from this
information called the authentication request.
This packet includes information identifying the
specific NAS sending the authentication request,
the port that is being used for the modem
connection, and the user name and password. For
protection from eavesdropping the NAS, acting as
a RADIUS client, encrypts (using a shared secret
key) the password before it is sent to the RADIUS
server.

24
RADIUS BasicsProcess Description

The Authentication Request is sent over the
network from the RADIUS client (I.e. the NAS) to
the RADIUS server. This communication can be done
over a local- or wide-area network, allowing
network managers to locate RADIUS clients
remotely from the RADIUS server. If the RADIUS
server cannot be reached, the NAS can usually
route the request to an alternate server.

25
RADIUS BasicsProcess Description

When an Authentication Request is received, the
RADIUS Server validates the request and then
decrypts the data packet to access the user name
and password information. This information is
passed on to the appropriate security system
being supported. This could be a text file, UNIX
password files, NIS, LDAP, a commercially
available security system or a custom database.

26
RADIUS BasicsProcess Description

If the user name and password are correct, the
server sends an Authentication Acknowledgment
that includes information on the user's network
system and service requirements. For example, the
RADIUS server will tell the NAS that a user needs
TCP/IP and/or NetWare using PPP (Point-to-Point
Protocol) or that the user needs SLIP (Serial
Line Internet Protocol) to connect to the
network. The acknowledgment can even contain
filtering information to limit a user's access to
specific resources on the network.

27
RADIUS BasicsProcess Description

If at any point in this log-in process conditions
are not met, the RADIUS server sends an
Authentication Reject to the NAS and the user is
denied access to the network.

28
RADIUS BasicsProcess Description

To ensure that requests are not responded to by
unauthorized persons or devices on the network,
the RADIUS server sends an authentication key, or
signature, identifying itself to the RADIUS
client.

29
RADIUS BasicsProcess Description

Once the server information is received and
verified by the NAS, it enables the necessary
configuration to deliver the right network
services to the user.

30
RADIUS BasicsEssential Server Data

Client Information
IP Name
Shared secret key
Group Assignment
Special Parameters
NAS Type

31
RADIUS BasicsEssential Server Data

NAS/Client Info
Stored in a clients file or similar data
structure
This file contains a list of clients which
are allowed to make authentication requests
and their encryption key. The first field is
a valid hostname for the client. The second
field (separated by blanks or tabs) is the
encryption key. Client Name
Key ---------------------------------- portmast
er1 wP40cQ0 portmaster2
A3X445A 192.168.1.2 wer369st

32
RADIUS BasicsEssential Server Data

Dictionary
Definition of RADIUS attributes
Assign readable names to attribute numbers
String, Integer, IP Address, Date

33
RADIUS BasicsEssential Server Data

Dictionary
Stored in a dictionary file or similar data
structure
This file contains dictionary translations
for parsing requests and generating responses.
All transactions are composed of
Attribute/Value Pairs. The value of each
attribute is specified as one of 4 data types.
Valid data types are string - 0-253
octets ipaddr - 4 octets in network byte
order integer - 32 bit value (high byte
first) date - 32 bit value - seconds
since 000000 GMT, Jan. 1, 1970

34
RADIUS BasicsEssential Server Data

Dictionary
Attr.
Attr.Keyword Attribute Name Num Type
ATTRIBUTE User-Name 1
stringATTRIBUTE Password 2
stringATTRIBUTE CHAP-Password 3
stringATTRIBUTE Client-Id 4
ipaddrATTRIBUTE Client-Port-Id 5
integerATTRIBUTE User-Service-Type 6
integerATTRIBUTE Framed-Protocol 7
integerATTRIBUTE Framed-Address 8
ipaddrATTRIBUTE Framed-Netmask 9
ipaddr... ...

35
Dictionary File Decoding
Service-Type Framed-User
RADIUS Request
...

6

6

0

...
0

0

2

AttributeValue
AttributeNumber
AttributeLength (in bytes)
RADIUS Dictionary

ATTRIBUTE
VALUE

Service-Type
Service-Type
6
6
integer
2
Service-Type
Framed-User
Service-Type
Framed-User
2
36
Dictionary VSAs
Example Dictionary entry

Name
Number Type Vendor (Modifiers)
VENDOR Ascend 529
ATTRIBUTE Ascend-Send-Secret 214 string Ascend

Attr. Number Total Attr. Length Vendor ID
data
VSA Attr.Number VSA Attr. Length VSA Attr.
data
37
RADIUS BasicsEssential Server Data

User Information (users file)
User-Name
Password
Authentication method
Check attributes
Send attributes

38
RADIUS BasicsEssential Server Data

User Data (Example 1)
bob Password "ge55ep Service-Type
Framed-User, Framed-Protocol
PPP, Framed-IP-Address 255.255.255.254, Framed
-IP-Netmask 255.255.255.255, Framed-Routing
None, Filter-Id "std.ppp", Framed-MTU 1500

39
RADIUS BasicsEssential Server Data

User Data (Example 2)
bob Password "ge55gep", NAS-IP-Address
192.168.1.54, NAS-Port-Type
ISDN Service-Type Framed-User, Framed-Protocol
PPP

40
RADIUS BasicsEssential Server Data

User Data (Example 3)
bob Password "ge55gep, Caller-Id
510-555-1212 Service-Type Callback-Login-User,
Login-IP-Host 192.168.1.76, Login-Service
Telnet, Login-TCP-Port 23, Callback-Number
"9,1-800-555-1234"

41
RADIUS BasicsAccounting Start Record

Sun May 10 204741 1998 User-Name
bob Client-Id 206.171.153.11 Client-Port-Id
20110 Acct-Status-Type Start Acct-Delay-Time
0 Acct-Session-Id "262282375 Acct-Authenti
c RADIUS Caller-Id 5105551212 Client-Port
-DNIS 5218296 Framed-Protocol
PPP Framed-Address 209.79.145.46

42
RADIUS BasicsAccounting Stop Record

Sun May 10 205049 1998
User-Name bob Client-Id 206.171.153.11
Client-Port-Id 20110 Acct-Status-Type
Stop Acct-Delay-Time 0 Acct-Session-Id
"262282353 Acct-Authentic RADIUS
Acct-Session-Time 4871 Acct-Input-Octets
459078 Acct-Output-Octets 4440286 Caller-Id
5105551212 Client-Port-DNIS "4218296
Framed-Protocol PPP Framed-Address
209.79.145.46

43
RADIUS BasicsProxy Services

A forwarding or proxy server can forward
authentication and/or accounting requests to
another server for handling.
In order to differentiate between requests that
should be handled locally and those that should
be forwarded the NAI needs to be specially
processed.

44
RADIUS BasicsProxy Services

The NAI (Network Access Identifier) is commonly
called the userID.
In proxy and roaming situations the NAI is
modified to include both the userID and a realm
identifier.
The realm is a keyword indicating the server
responsible for authenticating the userID.

45
RADIUS BasicsProxy Services

The standard way to send a userID and real in the
NAI is to separate them with a _at_.
A typical proxy NAI looks like user_at_realm
A proxy RADIUS server looks for the _at_ in the
NAI to determine if it should handle the request
or forward it.

46
RADIUS BasicsProxy Services

If no _at_ is present, the enter NAI is assumed to
be only a userID.
If a _at_ is present, the NAI is split into two
tokens (a userID and a realm label).

47
RADIUS BasicsProxy Services

The realm label is looked up in a local file or
database to find the address of the server for
the realm and the protocol (typically RADIUS)
used to connect to it.
Although the realm label may look like a domain
name (E-Mail addresses are often used as NAIs) it
is not safe to assume that.

48
RADIUS BasicsProxy Services

An example realms file might look like
realm IP
label Address Port Protocol
Secrethomeco 167.24.12.5 1812 Radius
Dont3v3rtellbiginiv 12.123.43.9 1645 Radius
jsyWpnfE2vuR
(A real realms file might contain much more
information. Each vendor implements realm
information differently.)

49
RADIUS BasicsProxy Services

A typical bilateral proxy model looks like

Access Request UserID bill_at_homeco Password
mypass
Access Request UserID bill Password mypass
Reply
Reply
DB
50
RADIUS BasicsProxy Services

Bilateral relationships, with all the realm
information stored in a local realms file or
table can be effective with a small number of
roaming or proxy partners.
But, the files must be changed each time there is
a change in a server configuration.

51
RADIUS BasicsProxy Services

A consortium, or clearinghouse, solves that
problem by having all proxy requests forwarded to
it first.
The consortium maintains a list of all the server
information for it

52
RADIUS BasicsProxy Services

In the case of a roaming consortium or
clearinghouse it may be necessary to add
additional information to the NAI.
This is because each server in the proxy chain
might strip off the realm before passing the
request on to the next server.

53
RADIUS BasicsProxy Services

A common solution is to use the / as an
additional separator.
In the case of a consortium called cons the NAI
would look like cons/user_at_realmAn actual NAI
might be infonet/rdperl_at_berkinet.com

54
RADIUS BasicsProxy Services

The first server may now strip-off cons and
forward the remaining two tokens.
rdperl_at_berkinet.com
The consortiums server strips off the remaining
realm and forwards the userID to the final
server
rdperl

55
RADIUS BasicsProxy Services

A consortium proxy model looks like

Access Request UserID cons/bill_at_homeco Password
mypass
Access Request UserID bill_at_homeco Password
mypass
Access Request UserID billPassword mypass
Reply
Reply
Reply
DB
RealmsFile homeco
56
RADIUS BasicsProxy Services Editing Attributes

A proxy server may add, delete or modify the
attributes that it forwards.
An IP Address may be invalid on a given network,
the maximum online time may be different, local
filters may be required, etc.

57
RADIUS BasicsProxy Services Editing Attributes

In cases where special control of attributes is
required bi-lateral relationships may work best.
A proxy server may also need to translate
attributes intended for one brand of NAS into
another brands format (pools, filters, etc.)

58
RADIUS Proxy Servers