TSIN02 - Internetworking


Lecture 11: SNMP and AAA

Literature:
- Forouzan, chapter 21
- "Diameter - next generation's AAA protocol" by Håkan Ventura, sections 2-3.3.6
- RFC2881 (optional extra material)
- RFC2905 (optional extra material)
- RFC2903 (optional extra material)

Outline:
- SNMP
  - Management Information Base (MIB)
  - Structure of Management Information (SMI)
  - SNMP Security and Administration
  - ASN.1
- AAA introduction
- AAA in Network Access Servers
- DIAMETER, an AAA compliant protocol

2004 Image Coding Group, Linköpings Universitet

Complex systems are difficult to manage. Too much happens in too many places. Information has to be pooled to make an overview possible. All large systems need to be managed systematically, for example:
- Industrial chemical processes
- Large organizations
- Electrical power systems

Device management:
- Checking the state of a device
- Changing the configuration of a device
- Activating or turning off a device
- Monitoring software

Network management:
- Shutting down a network interface on a router
- Checking the speed of an Ethernet interface
- Monitoring the temperature on a switch, and sending a warning if it gets too high
- Checking the state of a web server (the software)
- Collecting statistics about link usage
- Properties of the network as a whole

SNMP:
- Managed devices contain objects whose data is gathered into a Management Information Base
- Introduced in 1988, to meet the need for a standard for managing IP devices
- Replaced SGMP (Simple Gateway Management Protocol), which was used for managing Internet routers
- Latest version is v3

Components of SNMP management:
- SMI (Structure of Management Information): the language for defining MIB objects
- MIB (Management Information Base): defines a set of objects, similar to a database
- SNMP: application program that allows the manager to retrieve and store object values in agents, and agents to send alarm messages to the manager
- Security: the main addition from v2 to v3

SNMP naming:
- A tree structure is the basis for SNMP naming
- Each tree node is described by dot-separated numbers/names
[Figure: object identifier tree; node labels not recoverable from the transcription]

ASN.1 (Abstract Syntax Notation One):
- Managed agents are heterogeneous and may represent data in many different ways
- There is a need for a well-defined and machine-independent syntax
- Solution: ASN.1
- Simple datatypes are offered (signed and unsigned integers, strings, etc.)
- Structured types can be built from simple types
[Figure: ASN.1 data type examples; not recoverable from the transcription]
- ISO standard, defines data types in a machine-independent way
- Intermediate format for data type definitions on different machines
[Figure: ASN.1 as intermediate format between machines; not recoverable from the transcription]

Basic Encoding Rules (BER):
- ASN.1 is not enough for transmission, since it only makes an abstract definition of data types
- We need a standardized way of encoding data for transmission
- The solution for this is Basic Encoding Rules
- Encoding is Tag-Length-Value
- Tag class bits: 00 ASN.1, 01 SMI extensions, 10 context-specific, 11 private (vendor specific)
- Tag format bit: 0 simple, 1 structured
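The two slides above (dot-separated object identifiers, and BER Tag-Length-Value with its class and format bits) are easiest to see on real bytes. The following is an added example written for this page, not code from the lecture or from any SNMP implementation. It encodes and decodes the BER types that SNMP messages are built from, and builds one SNMP-style VarBind (SEQUENCE of an OBJECT IDENTIFIER and NULL) for an object under mib-2. It assumes single-octet tag numbers (below 31) and definite lengths only, and the decoder checks every length against the buffer before trusting it, which is the check a receiver of untrusted SNMP packets needs.

```python
# Added example, not from the lecture slides: a minimal BER Tag-Length-Value
# encoder/decoder. Assumptions: tag numbers below 31 and definite lengths only.

# Tag class = the two high bits of the identifier octet (slide: 00 ASN.1,
# 01 SMI extensions, 10 context-specific, 11 private); bit 6 is the format bit.
CLASS_UNIVERSAL, CLASS_APPLICATION, CLASS_CONTEXT, CLASS_PRIVATE = 0b00, 0b01, 0b10, 0b11
PRIMITIVE, CONSTRUCTED = 0, 1          # format bit: 0 simple, 1 structured

# Universal tag numbers used in SNMP messages.
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 2, 4, 5, 6, 16


def identifier(cls: int, form: int, number: int) -> bytes:
    """Identifier octet laid out as cc f nnnnn."""
    if not 0 <= number < 31:
        raise ValueError("multi-octet tag numbers are out of scope here")
    return bytes([(cls << 6) | (form << 5) | number])


def encode_length(n: int) -> bytes:
    """Short form (one octet) below 128; long form is 0x80|count, then count octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(cls: int, form: int, number: int, contents: bytes) -> bytes:
    return identifier(cls, form, number) + encode_length(len(contents)) + contents


def encode_integer(v: int) -> bytes:
    """INTEGER: two's complement in the minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(CLASS_UNIVERSAL, PRIMITIVE, TAG_INTEGER, v.to_bytes(n, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs in
    base 128 with a continuation bit (0x80) on every octet but the last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunks))
    return tlv(CLASS_UNIVERSAL, PRIMITIVE, TAG_OID, bytes(out))


def encode_null() -> bytes:
    return tlv(CLASS_UNIVERSAL, PRIMITIVE, TAG_NULL, b"")


def encode_sequence(*members: bytes) -> bytes:
    """SEQUENCE is a structured type: its contents are other TLVs."""
    return tlv(CLASS_UNIVERSAL, CONSTRUCTED, TAG_SEQUENCE, b"".join(members))


def decode(data: bytes, pos: int = 0):
    """Parse one TLV at pos. Returns ((cls, form, number), value, end); value is
    the raw contents for simple types and a list of (tag, value) children for
    structured ones. Every length is checked against the buffer before use."""
    if pos + 2 > len(data):
        raise ValueError("truncated identifier or length")
    ident = data[pos]
    cls, form, number = ident >> 6, (ident >> 5) & 1, ident & 0x1F
    if number == 31:
        raise ValueError("multi-octet tag numbers are out of scope here")
    length, pos = data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or pos + count > len(data):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    end = pos + length
    if end > len(data):
        raise ValueError("length runs past the end of the buffer")
    if form == CONSTRUCTED:
        children, p = [], pos
        while p < end:
            tag, val, p = decode(data, p)
            children.append((tag, val))
        return (cls, form, number), children, end
    return (cls, form, number), bytes(data[pos:end]), end


def decode_oid(contents: bytes) -> str:
    """Inverse of encode_oid (first arc 0, 1 or 2 with a second arc below 40)."""
    if not contents or contents[-1] & 0x80:
        raise ValueError("empty OID or OID ending inside a multi-octet arc")
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def varbind(oid: str) -> bytes:
    """A VarBind as carried in a GetRequest: SEQUENCE { name OID, value NULL }."""
    return encode_sequence(encode_oid(oid), encode_null())


def varbind_name(data: bytes) -> str:
    """Decode a VarBind and return its object name as dotted text."""
    tag, children, _ = decode(data)
    if tag != (CLASS_UNIVERSAL, CONSTRUCTED, TAG_SEQUENCE) or len(children) != 2:
        raise ValueError("not a VarBind")
    (name_tag, name), _ = children
    if name_tag != (CLASS_UNIVERSAL, PRIMITIVE, TAG_OID):
        raise ValueError("VarBind name is not an OBJECT IDENTIFIER")
    return decode_oid(name)


if __name__ == "__main__":
    vb = varbind("1.3.6.1.2.1.1.1.0")   # sysDescr.0, a leaf under 1.3.6.1.2.1 (mib-2)
    print(vb.hex())                      # 300c06082b060102010101000500
    print(varbind_name(vb))
```

Reading the printed bytes against the slide: 0x30 is class 00 (ASN.1), format bit 1 (structured), tag 16 (SEQUENCE); 0x06 is class 00, simple, tag 6 (OBJECT IDENTIFIER); the first OID content octet 0x2b is 40*1+3 for the arcs "1.3". The context-specific class from the slide is what SNMP uses for its PDU types, for example identifier(CLASS_CONTEXT, CONSTRUCTED, 0) gives 0xA0.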

MIB:
- Each agent has its own MIB: the collection of objects that are managed
- The objects are sorted into the groups under 1.3.6.1.2.1 (mib-2)
- Only leaves in the tree are accessible
- The objects are accessed using SNMP operations
- Lots of standard objects, extended by vendor-specific ones

[Figure slides: UDP; Variables and Tables; SNMP Message Format; Interpretation help: Data types; Interpretation help: MIB2 tree. The diagrams are not recoverable from the transcription.]

[Figure slide: UDP Ports. The diagram is not recoverable from the transcription.]

AAA:
- Authentication: validate user identity.
- Authorization: check which services the user is allowed access to.
- Accounting: store information about use of a service, e.g. for billing purposes.

Authentication:
- Validate the identity of a user
- Used for: access control, authorization decisions, accounting records
- Providing some credential that proves a claimed identity: ID, smart card, SIM, certificate, biometrics, password, public/secret key pair
- Something you have, something you know, something you are
- Example: if A wants to contact B through the Internet, how can A prove his/her identity?

Authorization:
- Allowing access to services to authenticated users
- Based on: policy, identity, current actions, outside state

Accounting:
- Tracking the usage of resources for: billing, management, planning, auditing

AAA protocols: RADIUS, TACACS, COPS, DIAMETER

Network Access Server:
A Network Access Server (NAS) is often the initial entry point to a network. A NAS is a gateway between the users and a network, supplying one or more ways to connect, e.g.:
- Dial-up direct network access (e.g. through SLIP or PPP)
- Asynchronous terminal services (e.g. telnet)
- Tunneling
The NAS contacts an AAA server to see if the user is authorized to access the network. This communication needs a protocol!

Diameter Base Protocol:
The Diameter Base Protocol is intended to provide an Authentication, Authorization and Accounting framework for applications such as network access and IP mobility. The Diameter Base Protocol provides the following facilities:
- Delivery of attribute value pairs (AVPs)
- Capabilities negotiation
- Error notification
- Extendability, through addition of new commands and AVPs
- Basic services necessary for applications, such as handling of user sessions or accounting
The Diameter Base Protocol provides the minimum requirements needed for an AAA protocol, as defined in RFC2989.

Attribute value pairs (AVPs):
All data delivered by the protocol is in the form of an AVP. These are used by the base protocol to support the following features:
- Transporting of user authentication information, for the purpose of enabling the Diameter server to authenticate the user.
- Transporting of service-specific authorization information between clients and servers, allowing the peers to decide whether a user's access should be granted.
- Exchanging resource usage information, which may be used for accounting purposes, capacity planning, etc.
- Relaying, proxying and redirecting of Diameter messages through a server hierarchy.