PRIMENA INTERNET AUTHENTICATION SERVER-A U RAČUNARSKOJ MREŽI KAMPUSA SREDNJE VELIČINE

Transcription

1 PRIMENA INTERNET AUTHENTICATION SERVER-A U RAČUNARSKOJ MREŽI KAMPUSA SREDNJE VELIČINE THE USAGE OF INTERNET AUTHENTICATION SERVER IN MEDIUM SIZE CAMPUS NETWORK Mladen Trikoš 1, Ass. Professor Dr. Dejan Simić 2, Dejan Savić 3 1 Military Academy, Ministry of Defence, Belgrade 2 Faculty of Organizational Sciences, University of Belgrade 3 Military Academy, Ministry of Defence, Belgrade Sadržaj: - Zajedno sa eksponencijalnim razvojem Interneta, značaj bezbedne mrežne autentifikacije postaje očigledniji nego ikada ranije. Povećanjem broja korisnika i njihovih zahteva za resursima računarske mreže javlja se problem kako da kontrolišemo pristup računarskoj mreži, naročito ako je ona veličine kampusa i prostire se na nekoliko udaljenih objekata. Rešenje smo pronašli u autentifikaciji i autorizaciji korisnika korišćenjem RADIUS servera sa AAA protokolom, Windows 2003 Server-om sa Active Directory, Certification Authority i Internet Authentication Service-om. Ovaj rad prikazuje praktičnu implementaciju tih rešenja. Abstract: - Along with the rapid growth of Internet, the importance of safe network authentication becomes more evident than ever before. Increasing number of users and their demands for resources leads to a problem of how to control access to a computer network, especialy in a campus sized network, where connected computers may expand to a few diffrent buildings. The solution we use to authenticate and authorize user access is to apply RADIUS server with AAA protocol and Windows 2003 server including ActiveDirectory, Certification Authority and Internet Authentication Service. This paper presents a practical implementation of these solutions. 1. INTRODUCTION The area of this research is the implementation of systems to control access to computer networks and resources that networks provide. Modern business of any serious institution at the present is largely relying on the great exchange of information. The need for communication and exchange of information for scientific and research institutions are even greater. Besides the usual clients, there are many "temporary" users who are in need of administrative services, and service dedicated to learning and scientific research. Scientific and research institutions are generally span in more than one building and very often are spatially located in several cities in kilometers distant from one another. The subject of this paper is to present a strong access control to improve the safety and security of computer networks campus, with a RADIUS server. 2. PROBLEM DESCRIPTION Оne of the essential jobs in securing of a computer network is to allow or deny access to basic physical communications medium based on some company rules. The authorized personality can get some services according to company pollicies, while unauthorized can not. In Ethernet LANs, this has long been accomplished by disabling unused RJ-45 jacks and latching Media Access Control (MAC) addresses to Ethernet switch ports. Wireless LANs followed suit by using access control lists (ACLs) to permit associations by known MAC addresses while rejecting all others. MAC ACLs are quite easy to understand and configure. However, these lists are hard to manage, especially in large and dynamic networks, and are easily circumvented by network interface cards (NICs) with programmable addresses. MAC address can be faked in the wired and the wireless networks. In wired networks, if attacker have a physical access to network, one can easily learn a valid MAC address. With simple reconfiguring of his network adapter he can get network access presenting himself as authorized computer. Many companies control access by using firewalls or VPNs (Virtual Private Network), by allowing the passage of packets from known IP (Internet Protocol) address or by requesting the user login before you are allowed to pass through the firewall. Control at higher layers can be very useful, but they are insufficient when used alone. For example: If you assign a static IP address, an attacker can sniff traffic to learn a valid IP address or systematically guess addresses, starting with common private subnets like If the approach is based on an user name and password without encryption, an attacker can listen to traffic and use a variety of tools to break the code.

2 2 Attackers can cause damage to the network without penetrating the firewall/gateway by launching attacks on switches, and peer stations, attempting to break into those systems to steal stored data, or simply flooding the LAN with bogus traffic. Supplicant, Authenticator (NAS), The authentication servers (AS). The combination of access control at the physical level with the controls at the higher layers can minimize these types of threats. If the attacker can't send data through a LAN port, he can't request an IP address from DHCP or systematically guess IPs. Therefore, if you can not receive data from the port then it is not possible to listen to the traffic or to gather passwords. The solution can be found in the access control based on ports and user authentication using a protocol for authentication. This paper show how one can control access to the computer networks and its services in a reliable and flexible system. 3. AAA Considering all aspects of LAN security in campus network, we use widely adopted AAA protocol which stands for authentication, authorization and accounting. The AAA model focuses on the three crucial aspects of user access control: authentication, authorization, and accounting [1]. 3.1 AUTHENTICATION Authentication is a process in which user, computer or both prove their identity usually by providing some sort of credentials. Those credentials could include passwords, tokens, digital certificates etc. 3.2 AUTHORIZATION Autorization is a part of AAA protocol which describes whether a certain type of user or device has a necessary privilage level to gain access to the network. 3.3 ACCOUNTING Accounting refers to the tracking and managing the consumption of network resources by the end user or service. These informations are later usualy used for planning, billing etc. 4. IEEE 802.1X IEEE 802.1X is a widely accepted standard used by network equipment manufacturers for network access control through switch ports or wireless access points. Network device that supports 802.1X can control its ports so that clients are only allowed to communicate through them if they match certain criteria of authentication and authorization. IEEE 802.1X authenticaton process consists of three components (Figure 1) [2]: Figure 1. Primary components of IEEE 802.1X 4.1 SUPPLICANT A supplicant is a client device that needs to be authenticated before being allowed access to the network. Their identity is in question until they can produce valid credentials to the authentication server. In order to be considered as valid supplicant, a typical client device, such as a laptop or IP phone, would need to implement 802.1X and a specific EAP-Method. The supplicant communicates with the authentication server using EAP as the transport and a specific EAP- Method that provides the actual authentication mechanism. The actual communications between the supplicant and the authenticator is accomplished via EAPOL, which is defined by 802.1X. EAPOL delivers (encapsulates) the EAP and EAP-Method frames as data. What makes 802.1X protocol comprehensive is the large number of authentication methods that can be used in the EAP. Currently available types of EAP authentication of users in LAN networks include EAP-MD5, EAP with One-Time Password (EAP-OTP), Generic Token Card (EAP-GTC), EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), EAP-Tunneled TLS (EAP- TTLS), EAP-Subscriber Identity Module (EAP-SIM). It is important to note that the encryption of authentication proccess does not also mean encryption of data sent from and to the client after successful authenticaton. However, together with the 802.1X authentication method, the distribution of encryption keys that clients can use for their traffic can be used. 4.2 AUTHENTICATOR An authenticator is a Layer 2 network device, such as an Ethernet switch. In an enterprise network, all switch ports need to mplement 802.1X in order to support companywide 802.1X port-based authentication. The authenticator

3 3 acts as a security gate between the supplicants and the protected network. The gate (actually, port) stays closed until the authentication system verifies the credentials of the supplicant and deems that the supplicant is authorized to access the protected network. Once the system authenticates the supplicant, the authenticator will open a port so that the supplicant can access the protected network. The authenticator is a translator between the supplicant and the authentication server. As the supplicant and authentication server converse, all communications flow through the authenticator. The supplicant will send its credentials to the authentication server by encapsulating the credentials (based on the specific EAP-Method) in an EAP frame, which is all encapsulated in an EAPOL frame. The EAPOL frame is sent to the authenticator, which then removes the EAP-Method data from the EAPOL frame. RADIUS server uses the AAA concept to manage network access [5]. RADIUS is protocol between the NAS and the AS. It is used to carry authentication, authorization, and accounting messages [6]. IEEE 802.1X protocol, which is used, is EAP. NAS encapsulates EAP content and transmits EAP messages to RADIUS authentication server. RADIUS authentication server reads them and either accepts them or rejects them (Figure 2). NAS, on the basis of instructions received from the RADIUS server, responds with a rejection or acceptance to a clients request to access the network. The authenticator sends the EAP-Method data encapsulated in a RADIUS frame directly to the authentication server. 4.3 AUTHENTICATION SERVER The authenticator and the supplicant have a conversation regarding the authentication. The authentication server, for instance, will at some point request the credentials from the supplicant. The supplicant will then offer the credentials to the authentication server. 5. RADIUS SERVER Figure 2: RADIUS server In case of successful authentication, RADIUS server sends to the NAS configuration options in order to control on which VLAN (virtual LAN) the client is assigned to. Different VLAN's can have different access rights and can be connected to different parts of the campus (Figure 3). RADIUS represents the acronym for Remote Authentication Dail In User Service and is defined by IETF RFC 2865 [3], "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866 [4], "RADIUS Accounting". Radius is a network protocol that provides centralized authentication and authorization of computers which want to access network resources [5]. It was developed by Livingston Enterprise Corporation in 1991 as an access server for authentication and accounting protocol [6]. RADIUS is client/server protocol that runs on the application layer, using UDP protocol. RAS (Remote Access Server), VPN server (Virtual Private Network), network switches with authentication on ports and NAS (Network Access Server) represent the gate that controls access to the network, and they all have the RADIUS client component that communicates with the RADIUS server [5]. RADIUS serves three functions: Figure 3: The structure of the local network Reference [3] and [4] define the following RADIUS message types: Access-Request, Access-Accept, Access- Reject, Access-Challenge, Accounting-Request, and Accounting- Response. Figure. 4 shows a typical sequence diagram of RADIUS protocol when a user accesses the network through NAS and disconnects itself. to authenticate users or devices before granting them access to a network, to authorize those users or devices for certain network services and to account for usage of those services.

4 4 consider the future expansion of network and the introduction of new services. During experiment, a medium size campus network was used. It has access level implemented with Layer 2 switches connected on distribution level via Layer 3 switches. For experiment we used CISCO twentyfour-port switch WS TT-L as access switch and eight-port CISCO switch WS-2960G-8TC-L for distribution level. Figure 4: Typical RADIUS sequence diagram A RADIUS message consists of a RADIUS header and RADIUS attributes. Each RADIUS attribute specifies a piece of information about the connection attempt and is described by variable length attribute-length-value 3- tuples. RADIUS attributes are described in RFCs, 2865[3], 2866[4], 2867[7], 2868[8],2869[9], and 3162[10]. 5.1 SECURITY MESURE OF RADIUS PROTOCOL To provide security for RADIUS messages, the RADIUS client and the RADIUS server are configured with a common shared-secret, which is never sent over the network. The RADIUS protocol adopts Authenticator mechanism. The Authenticator authenticates the reply from the RADIUS server to the NAS and is also used in encryption of User-Password attribute. Two different kinds of Authenticator fields are defined. Request Authenticator is the name of the Authenticator field in Access-Request type packets. It is a random number that the NAS generates in order to be able to authenticate that the reply is intended exactly for the request that the Request Authenticator was generated for. Therefore it must be unique and unpredictable. NAS also uses Request Authenticator when encrypting User- Password attribute. Response Authenticator is the name of the Authenticator field in Access-Accept, Access-Reject and Access- Challenge type packets. Its value is calculated by the RADIUS server. 6. EXPERIMENTAL SETUP At the beginning it is necessary to describe the basic purpose of campus computer network and its characteristics. Test network used during experiment is intended for academic staff in academic institutions, mainly for the use of Internet services and provision of modern forms of teaching supported by computer (Figure 5). Therefore, it has diferent VLANs whose purpose is to provide additional protection, which is achived through adding firewalls and routers. It is also important to The distribution and access switches support the IEEE 802.1X standard, which is disabled by default. To enable authentication, the devices must be running with an AAA protocol. Implementation of NAS devices regarding access switches to work with RADIUS server should be like this [11]: Switch(config)#aaa new-model Switch(config)#radius-server host IP.ADD.RAD.SER key PASSWORD Switch(config)#aaa authentication dot1x default group radius local Switch(config)#dot1x system-auth-control Switch(config)#interface fa0/x Switch(config-if)#switchport mode access Switch(config-if)#dot1x port-control force-authorized The Microsoft's IAS in Windows Server 2003 is used for RADIUS server [12]. A limitation of this solution is the number of NAS's (just 50) that are provided by Windows server 2003 SE, but this is quite enough for a mediumsized campus network. Clients must be added on the IAS for authentication (NAS), and IAS needs to be registered in AD. On the same server the following services must be started: Active Directory (AD), Internet Information Server (IIS), Certificate Authority (CA), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), When the client is connected to a switch port, switch establishes a connection to the IAS server to authenticate the client and check its credentials to access the network. In the process of identifying the switch acts as a device that checks rights of access (authentificator, the 802.1X standard) between the client (supplicant) and the IAS server service (check service). Client and IAS server communicate via EAP (eg. MD5 or PEAP) protocol. If PEAP protocol is used, the certification service (CA) must exist. As a result, ability to access computer network resoruces can be achieved by using Active Directory Group Policy.

5 5 Here we setup policy rights for each computer, user or user groups to determine who is eligible to access apropriate service or application on the network. When the RADIUS server and NAS are configured we must perform certain steps on supplicant computer before any process of authorisation occurs. Firstly, we must obtain user and computer certificate from CA in order to perform their authentication. Secondly, we must create that user and computer in Acitve Directory, and configure their policy rights in Group Policy Organization Unit. After that, we set up computer NIC, to use 802.1x protocol, with appropriate method of authorization and authentification (Figure 5). Figure 5: Campus network By forcing these set of rules in our campus network we have basicly implemented RADIUS server with AAA protocol, and as additional level of security we use digital certificates for authenticating both, user and computer. 7. CONCLUSION RADIUS is commonly used for embedded network devices such as routers, modem servers, switches, etc. RADIUS is currently the de-facto standard for remote authentication and accounting. By implementing RADIUS server, AAA protocol, digital certificates we have provided a secure model for managing all devices on campus network. Therefore, we have exluded posibility of using unauthorized devices on our campus network. In order to authenticate any computer a user must obtain digital certificate to connect to network. Figure 5: Set up computer NIC There are some lacks of using this solution: RADIUS uses UDP protocol (server that uses TCP protocol would be more prefered). Windows 2003 server SE IAS can use only 50 NAS (in case of expanding campus network this can be a significant problem). NAS must be manageable network switch in order to force AAA on switchports. Mangment of digital certificates is somewhat confusing in Windows server 2003 SE. Prior to connecting a computer to campus network, digital certificate for user and computer must be installed.

6 6 We must emphasize that windows 2003 server IAS and AD are not only solution aviable; There is also open source solutions that could be very efficiently used in campus sized networks. This leaves us opportunity to further develop and apply some new ideas as computer networks continue to evolve. REFERENCES [1] J. Hassen, RADIUS, O Reilly & Associates Inc, Sebastopol, [2] J. Geier, Implementing 802.1x Security Solutions for Wired and Wireless Networks, Wiley Publishing Inc, Indianapolis, [3] C. Rigney, A. Rubens, W. Simpson and S. Willens. RFC 2865: Remote Authentication Dail In User Service (RADIUS) [Online]. Available: [4] C. Rigney. RFC 2866: RADIUS Accounting [Online]. Available: [5] RADIUS [Online]. Available: [6] John Vollbrecht, The Beginnings and History of RADIUS, Interlink Networks, [7] G. Zorn, B. Aboba, D. Mitton. RFC 2867: RADIUS Accounting Modications for Tunnel Protocol Support [Online]. [8] G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege, I. Goyret. RFC 2868: RADIUS Attributes for Tunnel Protocol Support [Online]. Available: [9] C. Rigney, W. Willats, P.Calhoun. RFC 2869: RADIUS Extensions [Online]. Available: [10] B. Aboba, G. Zorn, D. Mitton. RFC 3162: RADIUS and Ipv6 [Online]. Available: [11] Cisco System Inc [Online]. Available: [12] Internet Authentication Service [Online]. Available: