Title: Global Internet/Intranet Access Service
AAA Services
Richard Perlman
AAA Services
- Authentication
- Authorization
- Accounting
Authentication
- Verify the user is who he/she claims to be
- Use Password, Special Token card, Caller-ID, etc.
- May issue additional challenge
Authorization
- Check that the user may access the services he/she wishes.
- Check database or file information about the user.
Accounting
- Record what the user has done.
- Time online, bytes sent/received, services accessed, files downloaded, etc.
NAS/RAS: Network Access Server / Remote Access Server
(Diagram: the NAS sits between the phone lines on one side and the TCP/IP network on the other.)
Types of AAA Services
- Local accounts on the NAS/RAS
- Proprietary software between NAS and server
- RADIUS
- TACACS (TACACS, TACACS+, XTACACS)
RADIUS Basics
- A protocol for communicating between a Network Access Server (NAS) and a remote Authentication/Authorization/Accounting server
- Not the actual server itself
RADIUS Basics
- Defined by IETF standards RFC2138 and RFC2139
  - http://www.faqs.org/rfcs/rfc2138.html
  - http://www.faqs.org/rfcs/rfc2139.html
  - (Both have since been obsoleted by RFC 2865 and RFC 2866, which keep the same packet format.)
- Requires clients (normally a NAS) and servers (often called RADIUS servers)
RADIUS Basics: Authentication Data Flow
(Diagram: the user dials the ISP modem pool and establishes a connection. The NAS sends the ISP RADIUS server an Access-Request with UserID=bob, Password=ge55gep, NAS-ID=207.12.4.1. The server selects UserID=bob from the ISP user database, which returns password=ge55gep, Timeout=3600 and other attributes. The server replies Access-Accept with User-Name=bob, Framed-Address=217.213.21.5 and other attributes, and the NAS brings up the user's PPP connection to the Internet.)
RADIUS Basics: Accounting Data Flow
(Diagram: the Accounting Start record. Once the PPP connection is established, the ISP modem pool/NAS sends the ISP RADIUS server an Accounting-Request with Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5, ...; the server writes "Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 ..." to the ISP accounting database and returns an acknowledgement to the NAS.)
RADIUS Basics: Accounting Data Flow
(Diagram: the Accounting Stop record. When the user disconnects, the NAS sends Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432, ...; the server writes "Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 ..." to the ISP accounting database and returns an acknowledgement to the NAS.)
RADIUS Basics
- Key data for Authentication
  - NAS/Client Info
    - IP name and/or IP address
    - Shared secret key (hides the password and authenticates the server's replies)
  - User Information
    - User-Name, Password
  - Session Information
    - Speed, dialed number, port, NAS ID, etc.
RADIUS Basics: The process flow
- Decode the packet using the shared secret key: look up the sending client, drop the request if it is unknown, then unhide the password with that client's secret
RADIUS Basics: Shared Secret Keys
(Diagram: the NAS and the RADIUS server each hold the same shared secret. For each user session a key derived from that secret turns plaintext into ciphertext at the sending end and back into plaintext at the receiving end, in both directions.)
In RADIUS the per-request key is MD5(shared secret + Request Authenticator), and only the User-Password attribute is hidden with it; the user name, the other attributes and the accounting records travel in the clear. Anyone who learns the shared secret can recover every password sent under it, so the secret deserves the same care as a password.
RADIUS Basics: The process flow
- Look up the user in a local or external database
  - Text file
  - Password file (UNIX)
  - NT Registry/NetWare Directory
  - NIS/NIS+
  - LDAP
  - Etc., etc.
RADIUS Basics: The process flow
- Authenticate
  - User-Name, Password, etc.
  - CHAP challenge
  - SecurID token card
  - Etc.
RADIUS Basics: The process flow
- Check arbitrary access criteria
  - Type of access (analog, ISDN)
  - Time of day
  - Called or calling number
RADIUS Basics: The process flow
- Send Accept/Reject to the NAS with the appropriate session attributes
  - Session timers
  - Filters (allow/reject IP addrs)
  - IP address
  - ISDN session parameters
  - Etc.
RADIUS Basics: Process Description
- Using a modem, the user dials in to a modem connected to a NAS. Once the modem connection is completed, the NAS attempts to use the CHAP or PAP protocol to determine the userID and password. If that fails, the NAS prompts the user for the userID and password.
RADIUS Basics: Process Description
- The NAS creates a data packet from this information called the authentication request (Access-Request). This packet includes information identifying the specific NAS sending the authentication request, the port that is being used for the modem connection, and the user name and password. For protection from eavesdropping the NAS, acting as a RADIUS client, hides the password (using the shared secret and the packet's random Request Authenticator) before it is sent to the RADIUS server. Only the password is hidden; the user name and the other attributes are sent in the clear.
RADIUS Basics: Process Description
- The Authentication Request is sent over the network from the RADIUS client (i.e. the NAS) to the RADIUS server. This communication can be done over a local- or wide-area network, allowing network managers to locate RADIUS clients remotely from the RADIUS server. If the RADIUS server cannot be reached, the NAS can usually route the request to an alternate server.
RADIUS Basics: Process Description
- When an Authentication Request is received, the RADIUS Server validates the request (it must come from a client listed in its clients file) and then unhides the password to recover the user name and password information. This information is passed on to the appropriate security system being supported. This could be a text file, UNIX password files, NIS, LDAP, a commercially available security system or a custom database.
RADIUS Basics: Process Description
- If the user name and password are correct, the server sends an Authentication Acknowledgment (Access-Accept) that includes information on the user's network system and service requirements. For example, the RADIUS server will tell the NAS that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol) or that the user needs SLIP (Serial Line Internet Protocol) to connect to the network. The acknowledgment can even contain filtering information to limit a user's access to specific resources on the network.
RADIUS Basics: Process Description
- If at any point in this log-in process conditions are not met, the RADIUS server sends an Authentication Reject (Access-Reject) to the NAS and the user is denied access to the network.
RADIUS Basics: Process Description
- To ensure that requests are not responded to by unauthorized persons or devices on the network, the RADIUS server signs every reply with a Response Authenticator: an MD5 hash over the reply, the Request Authenticator of the request being answered, and the shared secret. A client that receives a reply whose authenticator does not verify, or whose identifier matches no outstanding request, must discard it.
RADIUS Basics: Process Description
- Once the server information is received and verified by the NAS, it enables the necessary configuration to deliver the right network services to the user.
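The exchange the process-flow and process-description slides describe, written out as an added Python example that is not part of the original presentation and not the code of any RADIUS product. Both sides are shown: the NAS hides the password under the shared secret and a fresh Request Authenticator, the server unhides it, checks the user and signs its reply with a Response Authenticator, and the NAS refuses a reply that does not verify. The user database, NAS address and the "tamper" switch are constructed for the example; the shared secret is the portmaster1 entry from the clients-file slide.

```python
"""RADIUS Access-Request / Access-Accept exchange with password hiding and a
verified reply (RFC 2865 sections 3 and 5.2). Added example; users, NAS
address and the tamper switch are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8

SHARED_SECRET = b"wP40cQ0"   # from the clients-file slide; far shorter than the 16 octets RFC 2865 prefers
USERS = {"bob": {"password": b"ge55gep",   # constructed user database
                 "reply": [(FRAMED_IP_ADDRESS, bytes([217, 213, 21, 5]))]}}


def hide_password(password, secret, request_auth):
    """Pad to a multiple of 16, then XOR each block with MD5(secret + previous
    block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the keystream depends only on ciphertext blocks.
    Trailing NUL padding is stripped, so passwords may not end in NUL."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    """Attribute/Value Pairs: one byte type, one byte total length, then the value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the server's signature."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_access_request(ident, user, password, nas_ip, secret):
    """Client side: fresh random Request Authenticator, hidden password, NAS identity."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(pkt, secret, users=USERS):
    """Server side: unhide the password, check the user, sign the reply."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode(errors="replace")
    given = unhide_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    entry = users.get(name)
    if entry is not None and hmac.compare_digest(entry["password"], given):
        code, reply = ACCESS_ACCEPT, [(USER_NAME, name.encode())] + entry["reply"]
    else:
        code, reply = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return build_packet(code, ident, auth, reply)


def nas_verify_reply(reply_pkt, ident, request_auth, secret):
    """Client side: accept a reply only if its ID matches the outstanding request
    and its Response Authenticator verifies; otherwise return None (discard)."""
    code, rid, auth, attrs = parse_packet(reply_pkt)
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    if rid != ident or not hmac.compare_digest(auth, expected):
        return None
    return code, attrs


def run_exchange(user, password, secret=SHARED_SECRET, tamper=False):
    """Whole exchange; tamper=True flips the reply code in transit to show it is caught."""
    request, request_auth = nas_access_request(7, user, password, "207.12.4.1", secret)
    reply = server_handle(request, secret)
    if tamper:
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    return nas_verify_reply(reply, 7, request_auth, secret)
```

run_exchange("bob", "ge55gep") returns the Access-Accept code with the Framed-IP-Address reply attribute; a wrong password yields Access-Reject; and a Reject rewritten into an Accept on the wire, or a reply produced under a different secret, comes back as None because the Response Authenticator no longer verifies. Note what the code does not protect: anyone who knows the shared secret and sees the request can run unhide_password themselves, which is why the secret's strength matters.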
RADIUS Basics: Essential Server Data
- Client Information
  - IP name
  - Shared secret key
  - Group assignment
  - Special parameters
  - NAS type
RADIUS Basics: Essential Server Data
- NAS/Client Info
  - Stored in a clients file or similar data structure
  - This file contains a list of clients which are allowed to make authentication requests and their encryption key. The first field is a valid hostname for the client. The second field (separated by blanks or tabs) is the encryption key.

    Client Name        Key
    ----------------------------------
    portmaster1        wP40cQ0
    portmaster2        A3X445A
    192.168.1.2        wer369st

  - The key is the shared secret. Requests from an address not in this file should be dropped, and secrets as short as these are weak: RFC 2865 prefers at least 16 octets.
RADIUS Basics: Essential Server Data
- Dictionary
  - Definition of RADIUS attributes
  - Assigns readable names to attribute numbers
  - Types: string, integer, IP address, date
RADIUS Basics: Essential Server Data
- Dictionary
  - Stored in a dictionary file or similar data structure
  - This file contains dictionary translations for parsing requests and generating responses. All transactions are composed of Attribute/Value Pairs. The value of each attribute is specified as one of 4 data types. Valid data types are:
    - string: 0-253 octets
    - ipaddr: 4 octets in network byte order
    - integer: 32 bit value (high byte first)
    - date: 32 bit value, seconds since 00:00:00 GMT, Jan. 1, 1970
RADIUS Basics: Essential Server Data
- Dictionary

  Keyword     Attribute Name      Attr. Num   Attr. Type
  ATTRIBUTE   User-Name           1           string
  ATTRIBUTE   Password            2           string
  ATTRIBUTE   CHAP-Password       3           string
  ATTRIBUTE   Client-Id           4           ipaddr
  ATTRIBUTE   Client-Port-Id      5           integer
  ATTRIBUTE   User-Service-Type   6           integer
  ATTRIBUTE   Framed-Protocol     7           integer
  ATTRIBUTE   Framed-Address      8           ipaddr
  ATTRIBUTE   Framed-Netmask      9           ipaddr
  ...         ...

  (These are the older Livingston names. RFC 2138 calls attribute 2 User-Password, 4 NAS-IP-Address, 5 NAS-Port, 6 Service-Type, 8 Framed-IP-Address and 9 Framed-IP-Netmask; both naming styles appear in the examples that follow.)
RADIUS Basics: Essential Server Data
- User Information (users file)
  - User-Name
  - Password
  - Authentication method
  - Check attributes (the request must match them)
  - Send attributes (returned to the NAS in the Access-Accept)
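How a server uses check and send attributes, as an added Python example that is not code from the presentation or from any RADIUS server. It parses a Livingston-style users file and returns the reply items of the first entry whose check items all match the request. The file text joins the three "bob" entries from the User Data examples on the following slides into one file, with the more specific entries first; that ordering, and first-match-wins, are assumptions made for this example.

```python
"""Match an incoming request against a Livingston-style users file.
Added example; the file joins the slides' three 'bob' entries and the
matching rules (entries tried in order, first full match wins) are assumed."""
import hmac
import re

USERS_FILE = '''\
bob Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN
    Service-Type = Framed-User,
    Framed-Protocol = PPP
bob Password = "ge55gep", Caller-Id = "510-555-1212"
    Service-Type = Callback-Login-User,
    Login-IP-Host = 192.168.1.76,
    Login-Service = Telnet,
    Login-TCP-Port = 23,
    Callback-Number = "9,1-800-555-1234"
bob Password = "ge55gep"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    Framed-IP-Netmask = 255.255.255.255,
    Framed-Routing = None,
    Filter-Id = "std.ppp",
    Framed-MTU = 1500
'''

# "Attribute = value" items separated by commas; quoted values may contain commas.
ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))\s*,?')


def parse_items(text):
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in ITEM_RE.finditer(text)]


def parse_users_file(text):
    """Unindented line: user name followed by check items. Indented lines: reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply items before any user entry")
            entries[-1]["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries


def matches(entry, request):
    """Every check item must equal the corresponding request attribute; a check
    item the request lacks is a mismatch. Password is compared in constant time."""
    if entry["name"] != request.get("User-Name"):
        return False
    for attr, want in entry["check"]:
        got = request.get("User-Password" if attr == "Password" else attr)
        if got is None:
            return False
        if attr == "Password":
            if not hmac.compare_digest(got.encode(), want.encode()):
                return False
        elif got != want:
            return False
    return True


def authorize(request, users_text=USERS_FILE):
    """Reply items for the first matching entry, or None (send Access-Reject)."""
    for entry in parse_users_file(users_text):
        if matches(entry, request):
            return entry["reply"]
    return None
```

A request carrying NAS-IP-Address 192.168.1.54 and NAS-Port-Type ISDN picks the first entry; a call from 510-555-1212 on any other NAS picks the callback entry; a plain request with the right password falls through to the generic PPP entry; a wrong password or unknown user gets None. Because the request attributes (calling number, NAS address, port type) come from the NAS unauthenticated, these checks restrict where bob may log in from, but only as far as the NAS itself is trusted.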
RADIUS Basics: Essential Server Data
- User Data (Example 1)

  bob     Password = "ge55gep"
          Service-Type = Framed-User,
          Framed-Protocol = PPP,
          Framed-IP-Address = 255.255.255.254,
          Framed-IP-Netmask = 255.255.255.255,
          Framed-Routing = None,
          Filter-Id = "std.ppp",
          Framed-MTU = 1500

  (The first line holds the check items the request must match; the indented lines hold the reply items sent in the Access-Accept. Framed-IP-Address 255.255.255.254 tells the NAS to assign an address from its own pool.)
RADIUS Basics: Essential Server Data
- User Data (Example 2)

  bob     Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN
          Service-Type = Framed-User,
          Framed-Protocol = PPP

  (Matches only when bob arrives on an ISDN port of the NAS at 192.168.1.54.)
RADIUS Basics: Essential Server Data
- User Data (Example 3)

  bob     Password = "ge55gep", Caller-Id = "510-555-1212"
          Service-Type = Callback-Login-User,
          Login-IP-Host = 192.168.1.76,
          Login-Service = Telnet,
          Login-TCP-Port = 23,
          Callback-Number = "9,1-800-555-1234"

  (Matches only when the call comes from 510-555-1212; the NAS then hangs up, calls 1-800-555-1234 back and connects the user to telnet on 192.168.1.76.)
RADIUS Basics: Accounting Start Record

  Sun May 10 20:47:41 1998
      User-Name = "bob"
      Client-Id = 206.171.153.11
      Client-Port-Id = 20110
      Acct-Status-Type = Start
      Acct-Delay-Time = 0
      Acct-Session-Id = "262282375"
      Acct-Authentic = RADIUS
      Caller-Id = "5105551212"
      Client-Port-DNIS = "5218296"
      Framed-Protocol = PPP
      Framed-Address = 209.79.145.46
RADIUS Basics: Accounting Stop Record

  Sun May 10 20:50:49 1998
      User-Name = "bob"
      Client-Id = 206.171.153.11
      Client-Port-Id = 20110
      Acct-Status-Type = Stop
      Acct-Delay-Time = 0
      Acct-Session-Id = "262282353"
      Acct-Authentic = RADIUS
      Acct-Session-Time = 4871
      Acct-Input-Octets = 459078
      Acct-Output-Octets = 4440286
      Caller-Id = "5105551212"
      Client-Port-DNIS = "4218296"
      Framed-Protocol = PPP
      Framed-Address = 209.79.145.46
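What an accounting server does with these Start and Stop records, as an added Python example that is not part of the presentation: it parses the detail-file format shown above (a timestamp line, indented Attribute = Value lines, a blank line between records), pairs Start with Stop by Acct-Session-Id and client, and produces the time-online and bytes-transferred totals the Accounting slide lists. The log in the block is constructed for the example: it is modelled on the two slides above but uses matching session ids and a session time that agrees with the timestamps, plus a Stop whose Start was never seen.

```python
"""Parse RADIUS accounting detail records, pair Start/Stop and summarize.
Added example; SAMPLE_LOG is constructed (modelled on the slides' records)."""
from datetime import datetime

SAMPLE_LOG = """\
Sun May 10 20:47:41 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Start
    Acct-Session-Id = "262282375"
    Acct-Authentic = RADIUS
    Caller-Id = "5105551212"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46

Sun May 10 20:50:49 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Stop
    Acct-Session-Id = "262282375"
    Acct-Authentic = RADIUS
    Acct-Session-Time = 188
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286
    Caller-Id = "5105551212"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46

Sun May 10 21:02:10 1998
    User-Name = "alice"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20111
    Acct-Status-Type = Stop
    Acct-Session-Id = "262282380"
    Acct-Session-Time = 60
    Acct-Input-Octets = 10
    Acct-Output-Octets = 20
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_detail(text):
    """One dict per record; the timestamp line is stored under '_time'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if not line[0].isspace():
            current = {"_time": datetime.strptime(line.strip(), TIME_FORMAT)}
            records.append(current)
        else:
            if current is None:
                raise ValueError("attribute line outside a record")
            name, _, value = line.strip().partition("=")
            current[name.strip()] = value.strip().strip('"')
    return records


def summarize(records, tolerance=60):
    """Pair Start/Stop by (Client-Id, Acct-Session-Id). Returns (sessions,
    still_open, orphan_stops). A Stop without a Start, or an Acct-Session-Time
    that disagrees with the wall clock by more than `tolerance` seconds (an
    assumed threshold), deserves a look: lost packets, clock trouble, or
    fabricated records sent to the accounting port."""
    open_starts, sessions, orphans = {}, [], []
    for rec in records:
        key = (rec.get("Client-Id"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_starts[key] = rec
        elif status == "Stop":
            start = open_starts.pop(key, None)
            session = {
                "user": rec.get("User-Name"), "nas": key[0], "session_id": key[1],
                "seconds": int(rec.get("Acct-Session-Time", 0)),
                "in_octets": int(rec.get("Acct-Input-Octets", 0)),
                "out_octets": int(rec.get("Acct-Output-Octets", 0)),
                "start_seen": start is not None, "clock_mismatch": None,
            }
            if start is None:
                orphans.append(key)
            else:
                wall = int((rec["_time"] - start["_time"]).total_seconds())
                session["clock_mismatch"] = abs(wall - session["seconds"]) > tolerance
            sessions.append(session)
    return sessions, sorted(open_starts), orphans


def totals_by_user(sessions):
    """Time online and total octets per user, as the Accounting slide describes."""
    totals = {}
    for s in sessions:
        secs, octets = totals.get(s["user"], (0, 0))
        totals[s["user"]] = (secs + s["seconds"], octets + s["in_octets"] + s["out_octets"])
    return totals
```

On the sample, bob's session pairs cleanly (188 seconds, matching the timestamps) while alice's Stop is reported as an orphan. Accounting-Request packets are authenticated with the shared secret but their contents are whatever the NAS puts in them, so pairing and clock checks like these are the server's only sanity check on the data it bills from.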
RADIUS Basics: Proxy Services
- A forwarding or proxy server can forward authentication and/or accounting requests to another server for handling.
- In order to differentiate between requests that should be handled locally and those that should be forwarded, the NAI needs to be specially processed.
RADIUS Basics: Proxy Services
- The NAI (Network Access Identifier) is commonly called the userID.
- In proxy and roaming situations the NAI is modified to include both the userID and a realm identifier.
- The realm is a keyword indicating the server responsible for authenticating the userID.
RADIUS Basics: Proxy Services
- The standard way to send a userID and realm in the NAI is to separate them with an @.
- A typical proxy NAI looks like user@realm
- A proxy RADIUS server looks for the @ in the NAI to determine if it should handle the request or forward it.
RADIUS Basics: Proxy Services
- If no @ is present, the entire NAI is assumed to be only a userID.
- If an @ is present, the NAI is split into two tokens (a userID and a realm label).
RADIUS Basics: Proxy Services
- The realm label is looked up in a local file or database to find the address of the server for the realm and the protocol (typically RADIUS) used to connect to it.
- Although the realm label may look like a domain name (E-Mail addresses are often used as NAIs) it is not safe to assume that: treat it as an opaque key into the realms table, never as a name to resolve in DNS.
RADIUS Basics: Proxy Services
- An example realms file might look like:

  Realm      IP
  Label      Address         Port   Protocol   Secret
  homeco     167.24.12.5     1812   Radius     Dont3v3rtell
  biginiv    12.123.43.9     1645   Radius     jsyWpnfE2vuR

- (A real realms file might contain much more information. Each vendor implements realm information differently. Port 1812 is the IANA-assigned RADIUS authentication port; 1645 is the older port many servers still use.)
RADIUS Basics: Proxy Services
- A typical bilateral proxy model looks like:
(Diagram: the NAS sends Access-Request UserID=bill@homeco Password=mypass to the local proxy RADIUS server; the proxy forwards Access-Request UserID=bill Password=mypass to the homeco RADIUS server, which checks its user DB; the reply returns to the proxy and then to the NAS.)
RADIUS Basics: Proxy Services
- Bilateral relationships, with all the realm information stored in a local realms file or table, can be effective with a small number of roaming or proxy partners.
- But the files must be changed each time there is a change in a server configuration.
RADIUS Basics: Proxy Services
- A consortium, or clearinghouse, solves that problem by having all proxy requests forwarded to it first.
- The consortium maintains a list of all the server information for its members.
RADIUS Basics: Proxy Services
- In the case of a roaming consortium or clearinghouse it may be necessary to add additional information to the NAI.
- This is because each server in the proxy chain might strip off the realm before passing the request on to the next server.
RADIUS Basics: Proxy Services
- A common solution is to use the / as an additional separator.
- In the case of a consortium called cons the NAI would look like cons/user@realm
- An actual NAI might be infonet/rdperl@berkinet.com
RADIUS Basics: Proxy Services
- The first server may now strip off cons and forward the remaining two tokens:
  - rdperl@berkinet.com
- The consortium's server strips off the remaining realm and forwards the userID to the final server:
  - rdperl
RADIUS Basics: Proxy Services
- A consortium proxy model looks like:
(Diagram: the NAS sends Access-Request UserID=cons/bill@homeco Password=mypass to the local proxy; the proxy strips "cons/" and forwards Access-Request UserID=bill@homeco Password=mypass to the consortium server; the consortium server looks up homeco in its realms file, strips "@homeco" and forwards Access-Request UserID=bill Password=mypass to the homeco server, which checks its user DB; each server passes the reply back toward the NAS.)
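The NAI processing of the proxy slides, as an added Python example that is not code from the presentation or from any proxy product. It strips an optional consortium token before the "/", splits userID and realm at the last "@", looks the label up in a realms table and hands the request to the next hop with that token removed, so a three-server chain behaves as in the consortium diagram above. REALMS copies the slides' example realms file; the access provider's table, the "cons" entry and its next-hop address are constructed.

```python
"""Route a proxied request by its NAI: consortium token, userID, realm.
Added example; REALMS is the slides' realms file, the access provider's
table and the consortium's address are constructed."""

# Realms table from the slides' example realms file: label -> server details.
REALMS = {
    "homeco": {"address": "167.24.12.5", "port": 1812, "protocol": "Radius", "secret": "Dont3v3rtell"},
    "biginiv": {"address": "12.123.43.9", "port": 1645, "protocol": "Radius", "secret": "jsyWpnfE2vuR"},
}
# Constructed: what the first-hop (access provider) server knows about the consortium.
ACCESS_PROVIDER_REALMS = {
    "cons": {"address": "10.0.0.1", "port": 1812, "protocol": "Radius", "secret": "constructed"},
}


def split_nai(nai):
    """Return (consortium, user, realm); consortium and realm are None when absent.
    No '@' means the whole NAI is a plain userID."""
    consortium = None
    if "/" in nai:
        consortium, nai = nai.split("/", 1)
    user, sep, realm = nai.rpartition("@")
    if not sep:
        user, realm = nai, None
    if not user:
        raise ValueError("empty userID in NAI")
    return consortium, user, realm


def route(nai, realms, local_realms=()):
    """One proxy hop's decision: ('local', user), ('reject', nai) or
    ('forward', address, port, nai_for_next_hop)."""
    consortium, user, realm = split_nai(nai)
    if consortium is not None:
        label = consortium
        next_nai = user if realm is None else f"{user}@{realm}"
    elif realm is not None and realm not in local_realms:
        label, next_nai = realm, user
    else:
        return ("local", user)
    # Exact string match: a label is a table key, never a DNS name to resolve.
    hop = realms.get(label)
    if hop is None:
        return ("reject", nai)
    return ("forward", hop["address"], hop["port"], next_nai)


def proxy_chain(nai, servers):
    """Run the NAI through a chain of (realms_table, local_realms) servers and
    return every hop's decision, stopping at the first local answer or reject."""
    trail = []
    for realms, local in servers:
        decision = route(nai, realms, local)
        trail.append(decision)
        if decision[0] != "forward":
            break
        nai = decision[3]
    return trail


# Constructed chain: access provider -> consortium clearinghouse -> homeco's own server.
CHAIN = [(ACCESS_PROVIDER_REALMS, ()), (REALMS, ()), ({}, ("homeco",))]
```

proxy_chain("cons/bill@homeco", CHAIN) yields a forward to the consortium with "bill@homeco", a forward to 167.24.12.5 with "bill", and a local decision at homeco; a bare "bill" is local at the first hop, and "bill@nowhere" is rejected rather than resolved. Each forwarding hop would also have to unhide the User-Password with the incoming secret and re-hide it with the outgoing one, so every server in the chain sees the cleartext password.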
RADIUS Basics: Proxy Services, Editing Attributes
- A proxy server may add, delete or modify the attributes that it forwards.
- An IP Address may be invalid on a given network, the maximum online time may be different, local filters may be required, etc.
- Because the User-Password is hidden hop by hop, a proxy must unhide it with the incoming secret and re-hide it with the outgoing secret, so every proxy in the chain sees the user's cleartext password and has to be trusted accordingly.
RADIUS Basics: Proxy Services, Editing Attributes
- In cases where special control of attributes is required, bilateral relationships may work best.
- A proxy server may also need to translate attributes intended for one brand of NAS into another brand's format (pools, filters, etc.)
RADIUS Proxy Servers
- Freeware
  - DTC - Radius 2.0 - NT/UNIX - (Japanese)
    - http://www.dtc.co.jp/Radius2.0
- Commercial
  - Shiva - Shiva Access Manager - 95/NT/UNIX
    - http://athena.shiva.com/remote/radius
  - Open System Consultants Pty Ltd - Radiator - NT/UNIX
    - http://www.open.com.au/radiator/
  - Microsoft - Microsoft Commercial Internet System (MCIS) - NT
    - http://www.microsoft.com/mcis/guide/features.asp
  - Funk - Steel-Belted Radius - Netware/NT
    - http://www.funk.com/Radius/
  - Vircom - Proxy Roaming Radius Server (PRRS) - NT
    - http://www.vircom.com/info/vprrsrel.htm
  - Novell - BorderManager - Netware
    - http://www.novell.com/text/bordermanager/radius.html
  - Ascend Communications - Access Control - NT/UNIX
    - http://www.ascend.com/324.html
  - Merit - Merit AAA Server - UNIX
Other Authentication Protocols
- TACACS (TACACS and XTACACS)
  - Developed for military applications and extended by Cisco Systems (XTACACS, and later TACACS+). Originally used between a Cisco terminal server and a UNIX TACACS server.
  - Mostly replaced by RADIUS since Cisco added RADIUS support to its access products.
  - Still used for SecurID lookups since the SecurID (ACE) server supports TACACS. However, new releases of SecurID now support RADIUS.
Other Authentication Protocols
- SecurID ACE Server
  - Uses a token card with a One-Time Password.
  - Can function as a stand-alone server (RADIUS or TACACS compatible).
  - Can also handle queries from a RADIUS server.
  - ACE server software is available for many platforms.
  - http://www.securitydynamics.com/solutions/products/asvrdata.html