WISPCON RADIUS Session

1
WISPCON RADIUS Session

• Who Am I?
• What is RADIUS?
• What can RADIUS do?
• Benefits of using RADIUS
• RADIUS Records
• RADIUS Network Diagrams
• Alternatives to using RADIUS
• RADIUS Resources

2
Who Am I?

• http//www.shreve.net
• Northwest Louisiana and East Texas
• 8 sector POP at 350 (2.4GHz)
• 6 sector POP at 350 (5.8GHz)
• 1 sector POP at 65 (2.4GHz)
• Offer T1, DSL, Dialup, Fixed Wireless
• Perspective
• T1 30 users
• Wireless 130 users
• DSL 250 users
• Dialup and ISDN 7,000

3
What is RADIUS?

• RADIUS - Remote Authentication Dial In User
  Service
• RADIUS is a client-server protocol that controls
  authentication, accounting, and access-control in
  a networked, multi-user environment.

4
What is RADIUS? (cont)

• It is used primarily for authentication and
  access-control management by wired Internet
  Service Providers (ISPs) who use NAS/RAS systems
  for dial-up services.
• Typically RADIUS is the "midde-man" between the
  users' system attributes and billing system.

5
What is RADIUS (cont)

• Wireless provides an alternative to wired
  networks, however it also poses new security
  challenges for network and security
  administrators.
• Security for 802.11 networks can be broken down
  into two parts the authentication mechanism and
  algorithm and also encryption. RADIUS can help
  with authentication

6
Examples of RADIUS Servers

• Cistron http//www.radius.cistron.nl (free)
• FreeRADIUS http//www.freeradius.org (free)
• Steel-belted RADIUS http//www.funk.com
• Advanced RADIUS http//advancedradius.com
• RADIATOR http//www.open.com.au/radiator
• Many others

7
Examples of RADIUS Clients

• Most if not all NAS/RAS gear
• Some wireless AP's
• PPoE servers
• EAP/TLS and Cisco LEAP authenticators
• VoIP gateways
• Routers

8
What can RADIUS do?

• Authentication
• Authorization (privileges)
• Accounting
• Non-payment disconnection
• Station and Terminal Identity
• Bandwidth Usage
• Time-of-day blocking
• Session Timeouts

9
Benefits of using RADIUS

• Supports huge range of authentication protocols
• Works reliably in a huge range of environments
• Easy migration from small to large user
  populations
• Easy assimilation of new user populations
• Authenticate different realms in different ways
• Proxy RADIUS
• Fail-over Redundancy

10
RADIUS Server Front-End Protocols

• PPP
• PPoE
• EAP/TLS and EAP-TTLS
• Kerberos
• LDAP
• Many others

11
RADIUS Server Back-End Protocols

• Flat file or unix password file
• SQL or other DBMS
• Other RADIUS servers (Proxy RADIUS)

12
RADIUS Records

• Start Record
• Session ID
• RADIUS server ID
• Terminal ID
• Username
• Session Start Time
• IP Address

13
RADIUS Records (cont)

• Stop Record
• Typically everything in the Start Record plus
• Session End Time (Total Session Time)
• Bytes in and Bytes Out (usage)

14
Using PPPoE with RADIUS
CPE w/PPPoE
Access Point
PPPoE Server
RADIUS Server
DBMS Server
15
Using APs with RADIUS
CPE
RADIUS AP
RADIUS Server
DBMS Server
16
Using 802.1X with RADIUS
CPE w/802.1X
AP auth- enticator
RADIUS Server
DBMS Server
17
Vendor Specific Attributes (VSA)

• Specific to a particular brand/model of gear
• Someday, log items such as
• Speed or Modulation Type
• RSSI
• BER
• MIR/CIR
• Others

18
Alternatives to using RADIUS Authentication

• ESSID (Security through Obscurity)
• MAC/IP policies
• VPN
• Captive Portal or Subscriber Gateway
• http//www.wispfaq.com/subgateways.html

19
Alternatives to using RADIUS Accounting

• Non-SNMP (promiscuous sniffing/counting)
• SNMP (MRTG, PACT, Cricket, etc.)
• http//www.wispfaq.com/accounting.html
• Emulating RADIUS server log files when your AP
  and/or client radios don't support RADIUS. Sample
  Script to build RADIUS Records off of SNMP data
  in a MySQL database
• http//www.shreve.net/wispcon/radius_script.pl

20
RADIUS Resources

• "RADIUS" by Jonathan Hassell (O'Reilly)
• RADIUS Authentication RFC 2865
• RADIUS Accounting RFC 2866
• Obsoletes RFCs 2138 and 2139
• http//www.ietf.org/rfc