Implementing RADIUS AAA - PowerPoint PPT Presentation

1 / 56

About This Presentation

Title:

Implementing RADIUS AAA

Description:

AAA is designed to enable you to dynamically configure the type of ... Performs centralized AAA of users who connect to the network. ... – PowerPoint PPT presentation

Number of Views:557

Avg rating:3.0/5.0

Slides: 57

Provided by: philipl

Category:

more less

Transcript and Presenter's Notes

Title: Implementing RADIUS AAA

1
Implementing RADIUS AAA

Phil Rick

2
Content

Terms and Concepts
Access Control
What is AAA?
Benefits of AAA
What is RADIUS?
Microsoft IAS
Overview
Installation
Management Console
Case Study
IAS Configuration
Router Configuration
Case Study Summary
Resources

3
Terms and Concepts
4
Access Control

Access control is the way you control who is
allowed access to the network server and what
services they are allowed to use once they have
access.
Authentication, Authorization, and Accounting
(AAA) provide the primary framework through which
you set up access control on your router or
access server.

5
What is AAA?

Authentication, Authorization and Accounting
Authentication
Verifies users before they are allowed access to
the network and network services
Authorization
Enables you to limit the services available to a
user
Accounting
Enables you to track the services that users are
accessing and the amount of network resources
they are consuming

6
Benefits of AAA

AAA provides the following benefits
Increased flexibility and control of access
configuration
Scalability
Standardized authentication methods such as
RADIUS, TACACS, and Kerberos
Multiple backup systems
AAA is designed to enable you to dynamically
configure the type of authentication and
authorization you want on a per-line (per-user)
or per-service (for example, IP, IPX) basis

7
What is RADIUS?

Remote Access Dial-in User Service (RADIUS)
Client/Server Protocol
Client is typically a NAS
Server is usually a daemon process running on a
Unix or Windows machine
The client passes user information to the
designated RADIUS servers, and acts on the
response that is returned
RADIUS servers receive user connection requests,
authenticate the user, and then return the
configuration information necessary for the
client to deliver service to the user

8
Internet Authentication Service

Overview

9
Internet Authentication Service

Internet Authentication Service
Performs centralized AAA of users who connect to
the network.
Implements the IETF standard RADIUS protocol.
Implementing IAS Overview
Configure your server with a static IP address
IP Address 192.5.5.10/24 (case study)
Default Gateway 192.5.5.1 (case study)
Install IAS
Create an IAS Management Console (optional)
Create users and groups (case study)
Edit system log to show IAS events (optional)
Configure authentication and accounting ports
(optional)
Configure IAS log (case study)
Add a RADIUS client (case study)
Creating Remote Access Policies (case study)

10
IAS

Installation

11
IAS Installation

Installing IAS
Start Settings Control Panel Add/Remove
Programs

12
IAS Installation

Open the Windows Component Wizard by clicking
Add/Remove Windows Components

13
IAS Installation

Highlight Network Services in the Components box
and then click details

14
IAS Installation

Find Internet Authentication Service in the
Subcomponents of Networking Services box
Check the box to the left of IAS and click OK

15
IAS Installation

Click Next
Click Finish

16
IAS Management Console

Creating and Using an IAS Management Console

17
IAS Management Console

Microsoft management consoles centralize IAS
administration
Creating an IAS Management Console
Start Run mmc

18
IAS Management Console

In the MMC menu bar click Console Add/Remove
snap-in

19
IAS Management Console

From the Add/Remove snap-in applet
Click Add

20
IAS Management Console

Adding a Standalone Snap-in
Highlight Internet Authentication Service
Standalone Snap-In
Click Add

21
IAS Management Console

Select the computer you want the snap-in to
manage
Select local computer
Click Finish

22
IAS Management Console

Add the following standalone snap-ins
Event Viewer
Local Users and Groups

23
IAS Management Console

The the management console should look like the
following

24
IAS Management Console

Configuring the System Log to display IAS events
(optional)
From the IAS Management Console
Expand Event Viewer
Right Click the System Log File Properties

25
IAS Management Console

Click the filter tab in the system log properties
Select IAS from the event source drop down box
Click OK

26
IAS Management Console

Creating Users and Groups in the IAS Management
Console
Expand Local Users and Groups
Creating Groups
Expand Groups
Click Action New Group
Add the following groups
Router_Admins
Internet_Users
Creating Users
Expand Users
Click Action New User
Add the following users
Administrator member of group Router_Admins
I_User member of group Internet_Users

27
Case Study

Implementing RADIUS AAA

28
Case Study

You work for a small business and would like to
implement AAA for remote users and telnet
sessions. Here are the requirements for your
design
Authenticate remote users who are members of the
group Router_Admins and Internet_Users.
Authorize Router_Admins for EXEC sessions, PPP
sessions and telnet.
Authorize Internet_Users for PPP sessions only.
Implement accounting for EXEC sessions, PPP
sessions, and telnet sessions.

29
Case Study

Objectives
Windows 2000 Server Administration
Installing Microsofts IAS
Using the Microsoft Management Console
Configuring AAA
Viewing IAS accounting log
Tools/Preparation
1 Windows 2000 Server
1 Cisco 1900 Catalyst
1 Cisco 2600 Router
2 modems and drivers
1 PC running Windows 2000

30
Topology
Implementing IAS Overview IAS Configuration IAS
Installation Remote Access Policies IAS
Management Console
31
IAS Configuration
32
IAS Configuration

Configuring IAS Authentication and Accounting
Ports (optional)
IAS uses port 1845, 1645 by default for
authentication and 1846, 1646 by default for
accounting.
Optional step but by following this step we are
only opening 2 ports on our server instead of 4
Open the IAS MC or IAS applet Right Click
Internet Authentication Service Click
Properties Click the tab labeled RADIUS
Set the Authentication port to 1645 and the
Accounting port to 1646 Click OK

33
IAS Configuration

Configuring IAS Accounting
Open the IAS MC or IAS applet click Remote
Access Logging Right click Local File
Properties
Local file properties
Select the settings tab check the following
Log Authentication Requests
Log Accounting Requests
Log Periodic Status
Select the Local File tab check the following
Database compatible file format
Click OK
Note that the log will be saved to
C\winnt\system32\logfiles

34
IAS Configuration

Adding a RADIUS client overview
Recall that RADIUS is a client/server protocol.
The RADIUS client is typically, a NAS or router
The RADIUS server is the machine running the
RADIUS daemon process, which in our case is the
IAS server
The RADIUS server needs the following information
about the RADIUS client
IP Address
Security Protocol being used
Client-Vendor
Shared-Secret (also known as a key)

35
IAS Configuration

Adding a RADIUS client
Open the IAS MC or the IAS applet
Expand IAS
Right click the folder labeled clients
Click new client

36
IAS Configuration

Adding a RADIUS client
Enter the hostname of your router and select the
RADIUS protocol
Click Next

37
IAS Configuration

Adding a RADIUS client
Enter the IP Address of the RADIUS client
Select Cisco as the client-vendor
Enter a shared-secret (key)
Finish

38
IAS Configuration

Remote Access Policies
IAS uses remote access policies to authenticate
and authorize users
Keep in mind that a user may be authenticated but
not authorized to use certain network services
(PPP, EXEC, telnet).
The following is a guide if you trying to
implement the case study and you are having a
hard time recreating the Remote Access Policies
This does not follow the class demonstration!
But youll get the same results

39
IAS Configuration

Remote Access Policies
Open the IAS applet or IAS MC
Expand IAS
Click Remote Access Policies
Right click and delete the policy on the right

40
IAS Configuration

Remote Access Policies
Right click remote access policies and click new
remote access policy

41
IAS Configuration

Remote Access Policies
Enter a Policy friendly name
In our case well enter Allow members of the
group Internet_Users PPP network services
Click next
Specifying conditions
Click Add

42
IAS Configuration

Remote Access Policies
Highlight Windows-Groups click add
In the Groups applet click add
Highlight the Internet_Users group and click add
then OK

43
IAS Configuration

Remote Access Policies
Add another condition by clicking add
Highlight NAS-port-type click add
Highlight async(modem) click add then click OK

44
IAS Configuration

Remote Access Policies
Your condition should look similar to the
following screen capture

45
IAS Configuration

Remote Access Policies
Click Next
Select Grant remote access permission
Click Next
Click Edit Profile
Click the Authentication tab
Only check PAP uncheck all other authentication
methods
Click the Advanced tab
Service-type should be Framed
Framed-Protocol should be PPP
Click OK
Ok, Now what did we just do?

46
IAS Configuration

Remote Access Policies
We created a remote access policy that said if a
user accesses the RADIUS client through an async
port and that user is a member of the windows
group Internet_Users authorize the user to use
the framed protocol PPP. Heres a shorten
version of the condition
Policy Name
Allow members of the group Internet_Users PPP
network service.
Windows-Groups
Internet_Users
NAS-Port-Type
Async(modem)
Service-Type
Framed
Framed Protocol
PPP

47
IAS Configuration

Remote Access Policies
Create the following remote access policies (demo
in class)
Policy Name
Allow members of the group Router_Admins PPP
network service and EXEC session.
Windows-Groups
Router_Admins
NAS-Port-Type
Async(modem)
Service-Type
Administrative
Framed Protocol
PPP

48
IAS Configuration

Remote Access Policies
Policy Name
Allow members of the group Router_Admins telnet
access.
Windows-Groups
Router_Admins
NAS-Port-Type
Virtual(VPN)
Service-Type
Administrative

49
Router Configuration

The RADIUS client

50
Router Configuration

The router is the RADIUS client.
It must have the same IP address that was entered
in the IAS RADIUS client configuration.
Here is the router configuration file without AAA

51
Router Configuration

We need to know what a method list is before we
get started with the router configuration
Method list
Defines the type of AAA to be performed and the
sequence in which it will be performed
Some types of AAA include authentication login,
authorization exec and others
An example of a sequence type is checking a
server or a local database for user information

52
Router Configuration

Here is the final configuration file that was
demonstrated.
Demonstration notes and some accounting database
stuff

53
RADIUS Case Study

Summary

54
Case Study Summary

Authentication and Authorization
User initiates PPP authentication to the NAS.
NAS prompts for username and password (if PAP) or
challenge (if CHAP).
User replies.
RADIUS client sends username and password to the
RADIUS server.
RADIUS server responds with Accept, Reject, or
Challenge.
The RADIUS client acts upon service parameters
bundled with Accept or Reject.

55
Case Study Summary

Accounting
The NAS sends an Accounting-Request start packet
to the RADIUS security server
The RADIUS security server sends an
Accounting-Response packet to acknowledge the
receipt of the Accounting-Request start packet.
After the NAS has sent all the accounting info it
wanted to send, it sends an Accounting-Request
stop packet. This stop packet describes the type
of service delivered and other optional values.
The RADIUS server acknowledges receipt of the
Accounting-Request stop packet by sending an
Accounting-Response packet.

56
Resources