REMOTE AUTHENTICATION DIAL IN USER SERVICE

Similar documents
Overview. RADIUS Protocol CHAPTER

RADIUS - QUICK GUIDE AAA AND NAS?

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Radius, LDAP, Radius used in Authenticating Users

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Table of Contents 1 AAA Overview AAA Configuration 2-1

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Table of Contents 1 AAA Overview AAA Configuration 2-1

Part II. Raj Jain. Washington University in St. Louis

Application Note. Using RADIUS with G6 Devices

Chapter 4 Configuring 802.1X Port Security

RADIUS Configuration. Overview. Introduction to RADIUS. Client/Server Model

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Network Access Flows APPENDIXB

Operation Manual Security. Table of Contents

TSIN02 - Internetworking

Radius Configuration FSOS

802.1x Configuration. FSOS 802.1X Configuration

Network System Services

Configuring Security Features on an External AAA Server

HP A5820X & A5800 Switch Series Security. Configuration Guide. Abstract

Cisco IOS Firewall Authentication Proxy

Alcatel-Lucent 8950 AAA. Release Enterprise Business Solution User Guide JUNE 2010 ISSUE 1.0

TopGlobal MB8000 Hotspots Solution

HP 5120 SI Switch Series

802.1x Configuration. Page 1 of 11

Configuring Security for the ML-Series Card

TSIN02 - Internetworking

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

Controlled/uncontrolled port and port authorization status

Wireless LAN Controller Web Authentication Configuration Example

Operation Manual 802.1x. Table of Contents

Verify Radius Server Connectivity with Test AAA Radius Command

TSIN02 - Internetworking

Network security session 9-2 Router Security. Network II

AAA Administration. Setting up RADIUS. Information About RADIUS

Network Working Group Request for Comments: 2059 Category: Informational January 1997

ITDUMPS QUESTION & ANSWER. Accurate study guides, High passing rate! IT dumps provides update free of charge in one year!

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Chapter 10 Security Protocols of the Data Link Layer

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Configuring Switch-Based Authentication

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Data Structure Mapping

Cisco Transport Manager Release 9.2 Basic External Authentication

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

HP Unified Wired-WLAN Products

Configuring RADIUS Servers

Configuring Authentication Proxy

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

Diameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Configuring RADIUS and TACACS+

Configuring Authentication Proxy

Configuring Content Authentication and Authorization on Standalone Content Engines

Data Structure Mapping

Implementing ADSL and Deploying Dial Access for IPv6

Data Structure Mapping

Data Structure Mapping

Configuring RADIUS Clients

ISE Primer.

802.1x Port Based Authentication

Elastic Charging Engine 11.3 RADIUS Gateway Protocol Implementation Conformance Statement Release 7.5

PPP Configuration Options

Configuring Request Authentication and Authorization

Configuring Port-Based and Client-Based Access Control (802.1X)

AAA Configuration. Terms you ll need to understand:

Network Working Group Request for Comments: D. Mitton RSA, Security Division of EMC B. Aboba Microsoft Corporation January 2008

Configuring Authentication Proxy

Cisco Prime Optical 9.5 Basic External Authentication

Configuring Local EAP

Data Structure Mapping

CENTRAL AUTHENTICATION USING RADIUS AND 802.1X

Configuring L2TP over IPsec

Data Structure Mapping

Configuring Authorization

Configure Maximum Concurrent User Sessions on ISE 2.2

How to Integrate an External Authentication Server

RADIUS Logical Line ID

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Study Guide. Module Two

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

Examples of Cisco APE Scenarios

With 802.1X port-based authentication, the devices in the network have specific roles.

Configuring IEEE 802.1x Port-Based Authentication

C H A P T E R Overview Cisco Prime Access Registrar 6.0 User Guide OL

Authentication and Security: IEEE 802.1x and protocols EAP based

Cisco Exam Questions & Answers

Table of Contents. Diameter Base Protocol -- Pocket Guide 1

WHITE PAPER: 802.1X PORT AUTHENTICATION WITH MICROSOFT S ACTIVE DIRECTORY

Operation Manual Security. Table of Contents

PT Activity 5.6.1: Packet Tracer Skills Integration Challenge Topology Diagram

Virtual Private Networks (VPNs)

Configuring RADIUS. Finding Feature Information. Prerequisites for RADIUS

Configuring RADIUS. Information About RADIUS. RADIUS Network Environments. Send document comments to

CSN11111 Network Security

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Diameter. Term Paper Seminar in Communication Systems. Author: Christian Schulze Student ID: Date: February 4, 2003 Tutor: Martin Gutbrod

Network Working Group Request for Comments: Category: Standards Track Merit W. Simpson Daydreamer June 2000

Transcription:

AAA / REMOTE AUTHENTICATION DIAL IN USER SERVICE INTRODUCTION TO, A PROTOCOL FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICES Peter R. Egli INDIGOO.COM 1/12

Contents 1. AAA - Access Control 2. architectures 3. RFC2865 protocol 4. transaction 5. accounting RFC2866 6. applications 2/12

1. AAA - Access Control (1/2) What is AAA? The term AAA (say "triple A") subsumes the functions used in network access to allow a user or a computer to access a network and use its resources. Authentication: Is the one I m talking to the one he pretends to be (is a user authentic)? Authorization: Find out what the user is allowed to do (and what not). Accounting: Log the user s activity to charge him accordingly. Accounting information may be used to track the user's usage for charging but also for auditing purposes. AAA is used in scenarios where a NAS (network access server) or a RAS (remote access server) acts like a switch granting or denying access to the Internet or Intranet for a user based on AAA authentication and authorization. AAA server (authentication, authorization accounting) User NAS / RAS Internet / Intranet 3/12

1. AAA - Access Control (2/2) Most important AAA protocols: 1. RFC2865: Remote Authentication Dial In User Service. 2. TACACS+ RFC1492: Terminal Access Controller Access Control System by Cisco. 3. Diameter RFC3588: Diameter is not an acronym. Diameter is a successor to that should fix some of the shortcomings of. Diameter uses reliable transport connections, i.e. runs on TCP or SCTP (Stream Control Transmission Protocol). Nota Bene: (and TACACS+) are AAA access control protocols, but do not define a policy (who is granted access, what is the user allowed to do etc.). These protocols merely provide a means to transport such information between a client and an authentication server. The policy is implemented as an application on the server (possibly doing LDAP/SQL lookups to obtain access rules). 4/12

2. architectures (1/2) Scenario 1: In this scenario, a front-end NAS (network access server) or RAS (remote access server) performs authentication of a user with a backend server. The NAS/RAS sends user information (credentials) to the server carried in packets. The server implements the access policy (who is granted access with what authorizations) or may retrieve policies from a database through LDAP (Lightweight Directory Access Protocol). server may optionally contain policy DB LDAP SQL Server LDAP/SQL User Access Line (e.g. PPP) NAS / RAS Towards the Internet 5/12

2. architectures (2/2) Scenario 2: In this scenario, a first server does not perform authentication but acts as a proxy that routes requests to the appropriate home server. The routing is based on username and realm. The home server performs the actual authentication by accessing a user DB. A concurrency server may be employed to make sure that a user is not logged in more than once, e.g. in scenarios with multiple servers for redundancy / load balancing. Server #2 Concurrency Server Server #1 Home Server Proxy Server User Access Line (e.g. PPP) NAS / RAS Towards the Internet 6/12

3. RFC2865 protocol uses UDP (port 1842) since it is a simple Request-Reply protocol (Accept/Request). packet format: Byte 0 Byte 1 Byte 2 Byte 3 Code Identifier Authenticator List of attributes Length Code field: Identifier: Length: Authenticator: Attributes: Defines the packet type (Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response). ID to match requests and replies. Length of packet. Used to authenticate the transaction itself. The authenticator authenticates the reply from the server. The client sends a challenge in the Access-Request packet and the server returns a challenge-response in the Authenticator field (shared secret between NAS and server). AAA-information such as username, password, CHAP-Password, callback-phone-# etc. The attribute encoding is as follows: Type Length Value 7/12

Auth. success Auth. failure AAA / 4. transaction A transaction typically starts with an Access-Request carrying user credentials followed by a server response with a grant or denial of access. User NAS server DB User data packet Access-Request with username and hashed password (RSA MD5) Lookup credentials for authorization Reject access Access-Reject 'Wrong credentials' User data packet Access-Request with username and hashed password (RSA MD5) Lookup credentials for authorization. Create session record. Grant access Access-Accept 'Correct credentials' 8/12

5. accounting RFC2866 (1/2) Once a network session is up and running (successful authentication), the NAS may request to start counting network usage of the user. User NAS DB server User data packet Accounting-Request (Start) Start counting resource usage (e.g. online time) Accounting-Response End of network session Accounting-Request (Stop) Stop counting resource usage Accounting-Response 9/12

5. accounting RFC2866 (2/2) Accounting with is specified in a separate RFC (RFC2866). A set of special accounting attributes (attribute values 40 59) are used to transfer accounting data between the client (NAS) and server. Value Type Description 40 Acct-Status-Type Indicates start or stop of accounting. 41 Acct-Delay-Time Delay between event causing accounting request and server response (used to compensate for processing delay time). 42 Acct-Input-Octets Used by client to report number of received octets to server. 43 Acct-Output-Octets Used by client to report number of transmitted octets to server. 44 Acct-Session-Id Used by client to identify user session to server. 45 Acct-Authentic Used by client to report authentication method to server, e.g. user autenticated by NAS itself, user authenticated by or user authenticated by external protocol. 46 Acct-Session-Time Used by client to report to server how many seconds the user session is running. 47 Acct-Input-Packets Used by client to report number of packets received by a user. 48 Acct-Output-Packets Used by client to report number of packets sent by a user. 49 Acct-Terminate-Cause 50 Acct-Multi-Session-Id Used by client to report cause of service termination (e.g. error, termination upon user request, timeout). Similar to Acct-Session-Id, but used to link multiple sessions to one for correlation in log file. 51 Acct-Link-Count Used by client to report number of links used by user. 10/12

6. applications (1/2) NAS network access (ISP): A user dials in on a NAS server run by the Internet provider. Prior to granting access to the Internet, the NAS authenticates the user with. DB Server Access Line (e.g. PPP) Internet User NAS RAS Intranet access (enterprise dial-in): This application is similar to the NAS scenario. The RAS (Remote Access Server) sits at the edge of the company network and authenticates a user prior to granting access to the network. DB Server User Internet / Intranet NAS Intranet / company network 11/12

6. applications (2/2) 802.1X backend control for Ethernet and WLAN network access: IEEE 802.1X is a generic protocol for authentication and authorization in IEEE 802 based networks. The 802.1X supplicant ('the user') sends an EAPOL (Extensible Authentication Protocol Over LAN) message to the 802.1X authenticator (switch, access point). The switch or access point enables the Ethernet or WiFi port if the backend authentication based on credentials provided via 802.1X is successful. Using a central server for authentication (username and password storage) eases administration in large networks. Server 802.11 WLAN with 802.1X EAPOL Ethernet with 802.1X EAPOL LAN PDA 802.1X Supplicant * 802.1X capable Ethernet switch * 802.1X authenticator * client * 802.11 Access point * 802.1X authenticator * client 12/12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback