Implementing RADIUS AAA - PowerPoint PPT Presentation

1 / 56
About This Presentation
Title:

Implementing RADIUS AAA

Description:

AAA is designed to enable you to dynamically configure the type of ... Performs centralized AAA of users who connect to the network. ... – PowerPoint PPT presentation

Number of Views:561
Avg rating:3.0/5.0
Slides: 57
Provided by: philipl
Category:
Tags: aaa | radius | aaa | implementing

less

Transcript and Presenter's Notes

Title: Implementing RADIUS AAA


1
Implementing RADIUS AAA
  • Phil Rick

2
Content
  • Terms and Concepts
  • Access Control
  • What is AAA?
  • Benefits of AAA
  • What is RADIUS?
  • Microsoft IAS
  • Overview
  • Installation
  • Management Console
  • Case Study
  • IAS Configuration
  • Router Configuration
  • Case Study Summary
  • Resources

3
Terms and Concepts
4
Access Control
  • Access control is the way you control who is
    allowed access to the network server and what
    services they are allowed to use once they have
    access.
  • Authentication, Authorization, and Accounting
    (AAA) provide the primary framework through which
    you set up access control on your router or
    access server.

5
What is AAA?
  • Authentication, Authorization and Accounting
  • Authentication
  • Verifies users before they are allowed access to
    the network and network services
  • Authorization
  • Enables you to limit the services available to a
    user
  • Accounting
  • Enables you to track the services that users are
    accessing and the amount of network resources
    they are consuming

6
Benefits of AAA
  • AAA provides the following benefits
  • Increased flexibility and control of access
    configuration
  • Scalability
  • Standardized authentication methods such as
    RADIUS, TACACS, and Kerberos
  • Multiple backup systems
  • AAA is designed to enable you to dynamically
    configure the type of authentication and
    authorization you want on a per-line (per-user)
    or per-service (for example, IP, IPX) basis

7
What is RADIUS?
  • Remote Access Dial-in User Service (RADIUS)
  • Client/Server Protocol
  • Client is typically a NAS
  • Server is usually a daemon process running on a
    Unix or Windows machine
  • The client passes user information to the
    designated RADIUS servers, and acts on the
    response that is returned
  • RADIUS servers receive user connection requests,
    authenticate the user, and then return the
    configuration information necessary for the
    client to deliver service to the user

8
Internet Authentication Service
  • Overview

9
Internet Authentication Service
  • Internet Authentication Service
  • Performs centralized AAA of users who connect to
    the network.
  • Implements the IETF standard RADIUS protocol.
  • Implementing IAS Overview
  • Configure your server with a static IP address
  • IP Address 192.5.5.10/24 (case study)
  • Default Gateway 192.5.5.1 (case study)
  • Install IAS
  • Create an IAS Management Console (optional)
  • Create users and groups (case study)
  • Edit system log to show IAS events (optional)
  • Configure authentication and accounting ports
    (optional)
  • Configure IAS log (case study)
  • Add a RADIUS client (case study)
  • Creating Remote Access Policies (case study)

10
IAS
  • Installation

11
IAS Installation
  • Installing IAS
  • Start Settings Control Panel Add/Remove
    Programs

12
IAS Installation
  • Open the Windows Component Wizard by clicking
    Add/Remove Windows Components

13
IAS Installation
  • Highlight Network Services in the Components box
    and then click details

14
IAS Installation
  • Find Internet Authentication Service in the
    Subcomponents of Networking Services box
  • Check the box to the left of IAS and click OK

15
IAS Installation
  • Click Next
  • Click Finish

16
IAS Management Console
  • Creating and Using an IAS Management Console

17
IAS Management Console
  • Microsoft management consoles centralize IAS
    administration
  • Creating an IAS Management Console
  • Start Run mmc

18
IAS Management Console
  • In the MMC menu bar click Console Add/Remove
    snap-in

19
IAS Management Console
  • From the Add/Remove snap-in applet
  • Click Add

20
IAS Management Console
  • Adding a Standalone Snap-in
  • Highlight Internet Authentication Service
    Standalone Snap-In
  • Click Add

21
IAS Management Console
  • Select the computer you want the snap-in to
    manage
  • Select local computer
  • Click Finish

22
IAS Management Console
  • Add the following standalone snap-ins
  • Event Viewer
  • Local Users and Groups

23
IAS Management Console
  • The the management console should look like the
    following

24
IAS Management Console
  • Configuring the System Log to display IAS events
    (optional)
  • From the IAS Management Console
  • Expand Event Viewer
  • Right Click the System Log File Properties

25
IAS Management Console
  • Click the filter tab in the system log properties
  • Select IAS from the event source drop down box
  • Click OK

26
IAS Management Console
  • Creating Users and Groups in the IAS Management
    Console
  • Expand Local Users and Groups
  • Creating Groups
  • Expand Groups
  • Click Action New Group
  • Add the following groups
  • Router_Admins
  • Internet_Users
  • Creating Users
  • Expand Users
  • Click Action New User
  • Add the following users
  • Administrator member of group Router_Admins
  • I_User member of group Internet_Users

27
Case Study
  • Implementing RADIUS AAA

28
Case Study
  • You work for a small business and would like to
    implement AAA for remote users and telnet
    sessions. Here are the requirements for your
    design
  • Authenticate remote users who are members of the
    group Router_Admins and Internet_Users.
  • Authorize Router_Admins for EXEC sessions, PPP
    sessions and telnet.
  • Authorize Internet_Users for PPP sessions only.
  • Implement accounting for EXEC sessions, PPP
    sessions, and telnet sessions.

29
Case Study
  • Objectives
  • Windows 2000 Server Administration
  • Installing Microsofts IAS
  • Using the Microsoft Management Console
  • Configuring AAA
  • Viewing IAS accounting log
  • Tools/Preparation
  • 1 Windows 2000 Server
  • 1 Cisco 1900 Catalyst
  • 1 Cisco 2600 Router
  • 2 modems and drivers
  • 1 PC running Windows 2000

30
Topology
Implementing IAS Overview IAS Configuration IAS
Installation Remote Access Policies IAS
Management Console
31
IAS Configuration
32
IAS Configuration
  • Configuring IAS Authentication and Accounting
    Ports (optional)
  • IAS uses port 1845, 1645 by default for
    authentication and 1846, 1646 by default for
    accounting.
  • Optional step but by following this step we are
    only opening 2 ports on our server instead of 4
  • Open the IAS MC or IAS applet Right Click
    Internet Authentication Service Click
    Properties Click the tab labeled RADIUS
  • Set the Authentication port to 1645 and the
    Accounting port to 1646 Click OK

33
IAS Configuration
  • Configuring IAS Accounting
  • Open the IAS MC or IAS applet click Remote
    Access Logging Right click Local File
    Properties
  • Local file properties
  • Select the settings tab check the following
  • Log Authentication Requests
  • Log Accounting Requests
  • Log Periodic Status
  • Select the Local File tab check the following
  • Database compatible file format
  • Click OK
  • Note that the log will be saved to
    C\winnt\system32\logfiles

34
IAS Configuration
  • Adding a RADIUS client overview
  • Recall that RADIUS is a client/server protocol.
  • The RADIUS client is typically, a NAS or router
  • The RADIUS server is the machine running the
    RADIUS daemon process, which in our case is the
    IAS server
  • The RADIUS server needs the following information
    about the RADIUS client
  • IP Address
  • Security Protocol being used
  • Client-Vendor
  • Shared-Secret (also known as a key)

35
IAS Configuration
  • Adding a RADIUS client
  • Open the IAS MC or the IAS applet
  • Expand IAS
  • Right click the folder labeled clients
  • Click new client

36
IAS Configuration
  • Adding a RADIUS client
  • Enter the hostname of your router and select the
    RADIUS protocol
  • Click Next

37
IAS Configuration
  • Adding a RADIUS client
  • Enter the IP Address of the RADIUS client
  • Select Cisco as the client-vendor
  • Enter a shared-secret (key)
  • Finish

38
IAS Configuration
  • Remote Access Policies
  • IAS uses remote access policies to authenticate
    and authorize users
  • Keep in mind that a user may be authenticated but
    not authorized to use certain network services
    (PPP, EXEC, telnet).
  • The following is a guide if you trying to
    implement the case study and you are having a
    hard time recreating the Remote Access Policies
  • This does not follow the class demonstration!
    But youll get the same results

39
IAS Configuration
  • Remote Access Policies
  • Open the IAS applet or IAS MC
  • Expand IAS
  • Click Remote Access Policies
  • Right click and delete the policy on the right

40
IAS Configuration
  • Remote Access Policies
  • Right click remote access policies and click new
    remote access policy

41
IAS Configuration
  • Remote Access Policies
  • Enter a Policy friendly name
  • In our case well enter Allow members of the
    group Internet_Users PPP network services
  • Click next
  • Specifying conditions
  • Click Add

42
IAS Configuration
  • Remote Access Policies
  • Highlight Windows-Groups click add
  • In the Groups applet click add
  • Highlight the Internet_Users group and click add
    then OK

43
IAS Configuration
  • Remote Access Policies
  • Add another condition by clicking add
  • Highlight NAS-port-type click add
  • Highlight async(modem) click add then click OK

44
IAS Configuration
  • Remote Access Policies
  • Your condition should look similar to the
    following screen capture

45
IAS Configuration
  • Remote Access Policies
  • Click Next
  • Select Grant remote access permission
  • Click Next
  • Click Edit Profile
  • Click the Authentication tab
  • Only check PAP uncheck all other authentication
    methods
  • Click the Advanced tab
  • Service-type should be Framed
  • Framed-Protocol should be PPP
  • Click OK
  • Ok, Now what did we just do?

46
IAS Configuration
  • Remote Access Policies
  • We created a remote access policy that said if a
    user accesses the RADIUS client through an async
    port and that user is a member of the windows
    group Internet_Users authorize the user to use
    the framed protocol PPP. Heres a shorten
    version of the condition
  • Policy Name
  • Allow members of the group Internet_Users PPP
    network service.
  • Windows-Groups
  • Internet_Users
  • NAS-Port-Type
  • Async(modem)
  • Service-Type
  • Framed
  • Framed Protocol
  • PPP

47
IAS Configuration
  • Remote Access Policies
  • Create the following remote access policies (demo
    in class)
  • Policy Name
  • Allow members of the group Router_Admins PPP
    network service and EXEC session.
  • Windows-Groups
  • Router_Admins
  • NAS-Port-Type
  • Async(modem)
  • Service-Type
  • Administrative
  • Framed Protocol
  • PPP

48
IAS Configuration
  • Remote Access Policies
  • Policy Name
  • Allow members of the group Router_Admins telnet
    access.
  • Windows-Groups
  • Router_Admins
  • NAS-Port-Type
  • Virtual(VPN)
  • Service-Type
  • Administrative

49
Router Configuration
  • The RADIUS client

50
Router Configuration
  • The router is the RADIUS client.
  • It must have the same IP address that was entered
    in the IAS RADIUS client configuration.
  • Here is the router configuration file without AAA

51
Router Configuration
  • We need to know what a method list is before we
    get started with the router configuration
  • Method list
  • Defines the type of AAA to be performed and the
    sequence in which it will be performed
  • Some types of AAA include authentication login,
    authorization exec and others
  • An example of a sequence type is checking a
    server or a local database for user information

52
Router Configuration
  • Here is the final configuration file that was
    demonstrated.
  • Demonstration notes and some accounting database
    stuff

53
RADIUS Case Study
  • Summary

54
Case Study Summary
  • Authentication and Authorization
  • User initiates PPP authentication to the NAS.
  • NAS prompts for username and password (if PAP) or
    challenge (if CHAP).
  • User replies.
  • RADIUS client sends username and password to the
    RADIUS server.
  • RADIUS server responds with Accept, Reject, or
    Challenge.
  • The RADIUS client acts upon service parameters
    bundled with Accept or Reject.

55
Case Study Summary
  • Accounting
  • The NAS sends an Accounting-Request start packet
    to the RADIUS security server
  • The RADIUS security server sends an
    Accounting-Response packet to acknowledge the
    receipt of the Accounting-Request start packet.
  • After the NAS has sent all the accounting info it
    wanted to send, it sends an Accounting-Request
    stop packet. This stop packet describes the type
    of service delivered and other optional values.
  • The RADIUS server acknowledges receipt of the
    Accounting-Request stop packet by sending an
    Accounting-Response packet.

56
Resources
  • http//www.cisco.com
  • Search For
  • Configuring Authentication
  • Configuring RADIUS
  • Configuring TACACS
  • Configuring Kerberos
  • Configuring Authorization
  • RADIUS Attributes
  • Configuring Accounting
  • http//www.microsoft.com
  • Search For
  • Dialup Corporate Access
  • Extranet Access for Business Partners
  • Outsourced corporate access through service
    providers
  • Configuring IAS for dial-up and VPN access
  • Configuring IAS to outsource dial-up access
Write a Comment
User Comments (0)
About PowerShow.com