SBR/SPE Training - PowerPoint PPT Presentation

About This Presentation
Title:

SBR/SPE Training

Description:

Funk Software. www.funk.com. RADIUS RFCs ... Funk Software. www.funk.com. A device that 'supports RADIUS' can receive and send RADIUS messages. ... – PowerPoint PPT presentation

Slides: 4
Provided by: susank80
Category:
Tags: sbr | spe | funk | training


Transcript and Presenter's Notes

Title: SBR/SPE Training


1
Preside Radius
2
Main Menu
  • Introduction and Overview
  • Installation and Configuration
  • Monitoring and Logging
  • External Data Storage
  • LDAP
  • SQL Authentication
  • Accounting
  • Proxy RADIUS
  • Troubleshooting and Logging
  • Other Features
  • LCI

3
Introduction and Overview

4
Funk Software
  • Software Developer Publisher
  • Founded: 1982
  • Headquarters: Cambridge, MA
  • European Operations: Paris, France
  • Product focus
  • Access Security
  • Communications

5
Preside Radius
  • ...the short version
  • 100% fully IETF compliant RADIUS server
  • Easy administration GUI
  • Powerful, flexible accounting
  • Leverages existing SQL/LDAP databases
  • SecurID authentication
  • LDAP configuration interface
  • Load balancing
  • Concurrent access limits

6
RADIUS RFCs
  • Internet Engineering Task Force web site:
    http://www.ietf.org/
  • Began as Request For Comments
  • Status now: Standards Track
  • /rfc/rfc2865.txt - RADIUS Authentication
  • /rfc/rfc2866.txt - RADIUS Accounting
  • All standard attributes defined here
  • Both RFCs are dated June 2000
  • Previous RFCs (2138, 2139) are dated April 1997

7
Basic RADIUS Authentication Transaction
  • Access request
  • RADIUS client
  • RADIUS server

Diagram labels: User, NAS Device, RADIUS Server
8
RADIUS Clients
  • PPP servers
  • Nortel/Ascend
  • Cisco Access Servers
  • VPN
  • Nortel Extranet Switch
  • Firewalls
  • Firewall-1, NetScreen
  • Back Office Software
  • Oracle 8i
  • Wireless
  • PDSN
  • GCSN
  • GSM
  • SGSM

9
RADIUS AAA Services
  • Authentication
  • Are the credentials correct?
  • Match username/password to profile
  • Authorization
  • Which services may be provided?
  • Use profile to validate users request
  • Accounting
  • Track usage during connections lifetime
  • Sort, filter, organize attributes
  • Send attributes anywhere (logfile, Proxy, SQL)

10
RADIUS Messages
  • A device that supports RADIUS can receive and
    send RADIUS messages.
  • RADIUS messages contain RADIUS attributes.
  • Attributes how information is exchanged
  • Messages Types
  • Access-Request
  • Access-Reject
  • Access-Accept
  • Access-Challenge
  • Accounting-Start
  • Accounting-Stop
  • Accounting-Interim
  • Accounting-On
  • Accounting-Off

11
Standard Radius Authentication Attributes
  • Standard RADIUS authentication attributes are
    listed in RFC 2865

User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port,
Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask,
Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host,
Login-Service, Login-TCP-Port, Reply-Message, Callback-Number, Callback-Id,
Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific,
Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id,
Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service,
Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link,
Framed-AppleTalk-Network, Framed-AppleTalk-Zone, CHAP-Challenge,
NAS-Port-Type, Port-Limit, Login-LAT-Port

12
Standard RADIUS Accounting Attributes
  • Standard accounting attributes are defined in RFC
    2866

Framed-AppleTalk-Network, Framed-AppleTalk-Zone, Acct-Status-Type,
Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id,
Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets,
Acct-Terminate-Cause, Acct-Multi-Session-Id, Acct-Link-Count, CHAP-Challenge,
NAS-Port-Type, Port-Limit, Login-LAT-Port, Callback-Number, Callback-Id,
Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific,
Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id,
Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service,
Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, User-Name,
User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type,
Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing,
Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service,
Login-TCP-Port, Reply-Message

13
Vendor Specific Attributes
  • Vendors can create their own attributes that
    allow their devices to perform authorization
    functions and provide information relevant to the
    type of device (ppp, vpn, firewall, etc.)
  • Ascend-Disconnect-Cause
  • Cisco-AVPAIR
  • RB-Context_Name
  • PW_Tunnel_Authentication
  • All VSAs are defined in configurable text files
    (.dct files)
  • VSAs are non-standard (vendor-specific)
    information packaged into a format that is
    standard RADIUS
  • Preside Radius includes comprehensive dictionary
    lists for most devices on the market today

14
The Role of Attributes
  • Checklist attributes are present in the
    access-request message
  • Once the NAS client has obtained such
    information, it may choose to authenticate using
    RADIUS. To do so, the client creates an
    "Access-Request" containing such Attributes as
    the user's name, the user's password, the ID of
    the client and the Port ID which the user is
    accessing. When a password is present, it is
    hidden using a method based on the RSA Message
    Digest Algorithm MD5 (RFC 2865, page 4).
  • Returnlist attributes are present in the
    access-response message
  • If all checklist conditions are met, the list
    of configuration values for the user are placed
    into an "Access-Accept" response. These values
    include the type of service (for example SLIP,
    PPP, Login User) and all necessary values to
    deliver the desired service. RFC 2865 page 6.
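The transaction on slides 7, 10 and 14 worked through in Python: attributes as Type/Length/Value triples, the User-Password hidden with MD5 as RFC 2865 section 5.2 specifies, the server recovering it and matching it to a profile, and the Response Authenticator the client uses to check that an Access-Accept really came from the server holding the shared secret. This is an added example, not code from the presentation or from Funk Software; the shared secret, user, password and NAS values are constructed test inputs, and the attribute type numbers are those RFC 2865 assigns.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types as assigned by RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each 16-byte chunk
    with MD5(secret + previous chunk); the first chunk uses the Request
    Authenticator, so the same password hides differently in every request."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same operation; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value; Length includes the 2-byte header."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Walk the TLVs; a Length below 2 or past the end of the packet is
    rejected rather than trusted, the usual pitfall in hand-written parsers."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length outside packet")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(packet):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("declared Length inconsistent with datagram")
    return code, ident, packet[4:20], decode_attrs(packet[20:length])


def build_access_request(ident, secret, username, password, nas_ip, nas_port):
    request_auth = os.urandom(16)          # fresh and unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", nas_port)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def verify_credentials(packet, secret, user_db):
    """Slide 9's authentication step: recover the password, match it to the profile."""
    _, _, request_auth, attrs = parse_packet(packet)
    fields = dict(attrs)
    user = fields[USER_NAME].decode()
    given = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    return user in user_db and hmac.compare_digest(user_db[user].encode(), given)


def build_response(code, request_packet, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = parse_packet(request_packet)
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response, request_packet, secret):
    """Client-side check: same Identifier, and a digest made with the shared secret."""
    if response[1:2] != request_packet[1:2]:
        return False
    _, _, request_auth, _ = parse_packet(request_packet)
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

The hiding is reversible by anyone who holds the shared secret and sees the packet, which is why the slides insist the secret is configured "on both sides" and why a weak secret on a RAS client matters as much as a weak user password.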

15
Access Services...
Diagram labels: Enterprise or Service Provider, Remote Users, RAS Server,
VPN Router, Firewall
16
Managed Services
Diagram labels: Enterprise LAN (Enterprise or Service Provider), Service
Provider, Remote Users, Preside Radius, RAS, RAS A, Firewall, Private
Network / Internet, Preside Radius, Link to ISP (T1), RAS B, CPE router,
firewall, and/or VPN, RAS C
17
And Wholesale Data Services
Diagram labels: Outsourced Modem Pools (UUNET), Remote Users, Virtual ISPs,
Preside Radius, ISP A, Private Network / Internet, RAS A, ISP B, RAS B,
PROXY, ISP C, RAS C
18
BSAC
  • Fully compliant RADIUS server
  • Easy administration GUI
  • Powerful, flexible accounting log
  • Accounting to SQL databases
  • Authentication against SQL databases
  • Authentication against LDAP directories
  • Authentication against token systems (SecurID,
    TACACS)
  • SecurID token caching
  • Authentication against local O/S
  • Concurrent connection limits
  • Expired NT domain passwords
  • LDAP Configuration Interface available
  • Basic Proxy RADIUS functionality

19
Preside Radius
  • Built on the scale required by ISPs
  • Advanced Proxy RADIUS features
  • Directed authentication, accounting
  • Advanced accounting log features
  • SNMP support (Solaris)
  • perfmon counters and events (Windows NT)
  • SQL, LDAP load balancing
  • Authorization based on time of day
  • Request routing by attribute values
  • Administrative access levels
  • Auto-restart of the server
  • LDAP Configuration Interface built-in
  • Concurrency Server available

20
Preside Radius ISP Features
  • Preside Radius provides many features that help
    ISPs (and others) deliver and bill for services.
  • Time of day
  • Acct-Status-Types
  • Attribute aliasing
  • Configurable accounting log
  • Activity log levels
  • Auto-detect make/model
  • Auto-restart server
  • User-Name validation
  • Administrative access levels
  • Event configuration (NT only)

21
Data Storage Options
22
Preside Radius's Authentication Options
  • Preside Radius
  • Native Database
  • SQL Databases
  • Oracle
  • Informix
  • ODBC-compliant (NT only)
  • Authentication Servers
  • TACACS
  • SecurID
  • Other token systems
  • LDAP Directories
  • Netscape
  • MS Active Directory
  • Merit
  • Host O/S Databases
  • NT Domain
  • NT Host
  • Solaris

23
SQL Authentication
  • Any RADIUS attribute can be retrieved from an SQL
    column
  • Any SQL column can be mapped to a RADIUS
    attribute and returned in the response

Diagram labels: User, SQL Server, NAS, RADIUS Server
  • All data remains in SQL database

24
LDAP Summary
  • Any RADIUS attribute can be part of the LDAP
    query
  • Any LDAP object can be mapped to a RADIUS
    attribute and returned in the response
  • Lightweight Directory Access Protocol standard
  • An example of an off-line directory is the
    phone book or mail-order catalogue.
  • Suited to reference data (read from much more
    often than it is written to).
  • Very flexible, both in looking up data and in
    changing the types of information stored.
  • All data remains in LDAP database

25
SecurID Summary
  • Token card system
  • Generates new credentials each login
  • ACE/Server authenticates credentials
  • Preside Radius can pass-through to ACE/Server
  • Detailed configuration necessary
  • New Pin/Next Token
  • Support of other token systems

26
Host O/S Databases
  • NT Domain Host
  • Solaris Password File NIS
  • Netware NDS Bindery

27
Accounting
  • A billing system requires these fundamental
    attributes
  • Acct-Session-ID
  • Connection's unique identifier
  • Matches STARTs and STOPs
  • Acct-Status-Type
  • Start, Stop, Interim, On, Off
  • Framed-IP-Address
  • IP address of user's connection
  • Authentication, accounting attribute
  • User-Name
  • The account using the network
  • Authentication, accounting attribute
  • Acct-Session-Time
  • For how many seconds did the user receive
    service?
  • TIME = MONEY
  • Acct-Input-Packets, Acct-Output-Packets,
    Acct-Input-Octets, Acct-Output-Octets
  • What was the volume of network traffic generated
    by the user?
  • TRAFFIC = MONEY
  • Other attributes (including VSAs) provide
    additional detail

28
SQL Accounting
  • Preside Radius lets you write to an SQL database
    the specific accounting information that you want
    to maintain
  • INSERT is the query used to write to the database
  • Any RADIUS accounting attribute listed in Preside
    Radius's account.ini file can be used in the
    INSERT statement
  • Preside Radius can write the transaction time,
    full username, NAS name, session time, and record
    type to the database

29
LCI LDAP Command Interface
  • LDAP Schema mapped onto native database
  • Using LCI commands
  • Change passwords, authentication methods
  • Add clients, users, tunnels, IP pools
  • Search current user list
  • Find and modify any aspect of Preside Radius that
    the administrative program provides
  • ldapsearch.exe
  • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius"
    -w radadmin -s sub -T -b "o=radius" "objectclass=*"
  • ldapmodify.exe
  • ldapmodify -c -V 2 -p 667 -D cn=admin,o=radius
    -w radadmin -f <filename>
  • ldapadd.exe
  • ldapadd -c -V 2 -p 667 -D cn=admin,o=radius -w
    radadmin -f <filename>

30
Installation and Configuration
31
Installation Files
  • CD is cross-platform
  • Unix: expand tar file, run install.sh script
  • No compiling. Install script will unpack all
    directories and files, guide you through the
    configuration, and start the radius process.
  • Open web browser to the /radadmin/java/index.html
    to launch admin application.
  • NT: Run the setup.exe file.
  • Setup.exe installs Radius directory, expands
    files, starts the Preside Radius process, and
    launches admin application.

32
Servers Dialog
33
RAS Clients Dialog
  • name
  • IP address
  • shared secret
  • UDP port
  • on both sides, client and server!

34
Make/Model
  • Determining make/model of RADIUS client
  • NAS-IP-Address matches a RAS Client entry OR
  • Auto-detect matches any attribute to make/model
  • Benefits of make/model
  • Identifies correct attribute dictionary
  • Enables vendor-specific configuration help
  • Make/model field in Administrator GUI
  • Profiles and make/model
  • Profiles can reference various VSAs
  • Only the current device's VSAs are used
  • Other VSAs filtered out at request time
  • "- Standard Radius -" is the safe choice for all
    clients

35
Make/Model Examples
  • list box
  • help file
  • dictionary (.dct) files
  • vendor.ini file

36
Attribute Dictionaries
  • dictiona.dcm
  • Inventory of all available attributes
  • Includes all .dct files
  • radius.dct
  • Standard RADIUS attributes AND
  • Funk Radius VSAs
  • .dct
  • Vendor-specific attributes: Name, ID, length,
    type, valid values, usage
  • One file per vendor
  • Each file can be edited
  • New .dct files can be added

37
Users Dialog
  • User type (native vs external)
  • Password
  • Attributes vs Profile
  • Concurrency

38
Types of User
  • Native
  • NT Domain
  • NT Host
  • UNIX User
  • UNIX Group
  • SecurID
  • TACACS

39
RADIUS Attributes
  • Check List (Access-Request)
  • A List of criteria that a user must satisfy, in
    addition to providing a password, before Preside
    Radius will authenticate them
  • Return List (Access-Accept)
  • A list of information that Preside Radius passes
    back to the NAS once the user has been
    authenticated. Return List Attribute
    requirements are defined by the NAS.
  • Accounting (Acct-Request)
  • Additional information sent from the NAS to the
    Preside Radius server for accounting purposes.

40
Profiles Dialog
  • Design a Template for each class of user.

41
Profile Examples
  • Basic Dial-In
  • Advanced Dial-In
  • Free Access
  • Basic Tunnel




42
Proxy Dialog
  • name
  • IP address
  • shared secret
  • UDP port
  • on both sides, target and proxy!

43
Tunnel Dialog
  • Tunnel attribute storage
  • DNIS recognition
  • Tunnel support for specific vendor equipment
    handled through Users Dialog

44
IP/IPX Pools Dialog
  • Configure Multiple Pools
  • Create multiple ranges per pool
  • Associate with users, profiles, or NAS

45
Access Dialog
  • Configure Preside Radius administrators based on
    domain authentication

46
Configuration Dialog
  • Authentication Methods List
  • Activate, Deactivate, Sort
  • Reject Messages
  • Log File Storage
  • Tunnel Name Parsing

47
Statistics Dialog
48
Current Users Dialog
49
Preside Radius Data Portability
  • Import/Export
  • Database Files
  • LDAP Configuration Interface

50
Import/Export
  • In Preside Radius Admin
  • Stores all data configured in Admin GUI
  • Creates RIF File
  • Import ASCII files
  • Cross Platform

51
Database Files
  • Preside Radius NT Netware
  • radads.dat
  • radclnt.dat
  • Preside Radius Solaris
  • radiusdata.d01
  • radiusdata.d02
  • radiusdata.d03
  • radiusdata.dbd
  • radiusdata.k01
  • radiusdata.k02

52
LCI LDAP Command Interface
  • Change Passwords
  • Add clients, users
  • Add tunnels, IP pools
  • Search current user list
  • Find and modify any aspect of Preside Radius that
    the administrative program provides
  • ldapsearch.exe
  • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius"
    -w radadmin -s sub -T -b "o=radius" "objectclass=*"
  • ldapmodify.exe
  • ldapmodify -c -V 2 -p 667 -D cn=admin,o=radius
    -w radadmin -f <filename>
  • ldapadd.exe
  • ldapadd -c -V 2 -p 667 -D cn=admin,o=radius -w
    radadmin -f <filename>

53
Monitoring and Logging
54
Tools
  • Activity Logs
  • Accounting Logs
  • Statistics Dialog
  • Current Users
  • Reporting
  • Windows NT Performance Monitor
  • Windows NT Events
  • SNMP Support
  • Using The LCI For Reporting

55
Activity Log
  • yyyymmdd.log
  • typical entries
  • Sent accept response for user X to client Y
  • Unable to find user X with matching password
  • Sent reject response
  • Shutting down RADIUS Authentication Server
  • Starting RADIUS Authentication Server

56
Activity Log Details
  • All Preside Radius information is in a daily log
    file (yyyymmdd.log)
  • radius.ini controls the level of logging
    detail in its Configuration section
  • LogLevel
  • 0 = production (sparse)
  • 1 = informational (medium)
  • 2 = debug (verbose)
  • TraceLevel
  • 0 = no packet tracing
  • 1 = parsed contents of packets are logged
  • 2 = raw contents of packets are logged
  • Kept for a number of days set in Configuration
    section of radius.ini

57
Accounting Log Details
  • All Preside Radius accounting information is in a
    daily log file (yyyymmdd.act)
  • Accounting transactions are also logged to the
    authentication log file, since accounting start
    and stop messages impact users active sessions
  • account.ini controls the attributes logged
  • Kept for a number of days set in Configuration
    section of radius.ini
  • Comma-separated format for easy importing into
    other databases or spreadsheet applications
  • Date, Time, RAS-Client, Record-Type, Full-Name,
    Auth-Type are built in to native accounting
  • All standard RADIUS attributes are listed next by
    default
  • Depending on the device configured, any VSAs are
    listed after that
  • Edit account.ini to add/remove any accounting
    information logged

58
Log File Errors
  • Errors can be looked at from two perspectives
  • Information contained within a packet may be a
    source of error
  • Information relative to Preside Radius itself and
    its connections may be a source of error
  • Use TraceLevel = 1 or 2 for logging to decode
    packet errors
  • Use LogLevel = 1 or 2 for explanatory Preside
    Radius application errors

59
Statistics Dialog
60
Statistics
  • Authentication Requests
  • Accounting Requests
  • Proxy Requests
  • Transactions, Details, Silent Discards

61
Current Users Dialog
62
Current Users
  • Quick View
  • Username
  • RAS Client
  • Port
  • Time
  • Session-ID
  • IP Address
  • Preside Radius receives an authentication request
  • Generates a phantom record
  • When an accounting message comes in that matches
    the authentication record, the phantom record is
    deleted
  • Match is based on NAS IP address and NAS port

63
Reporting
  • Create an RTF report file composed of the
    selected items.
  • Information is polled from all aspects of Preside
    Radius

64
Performance Monitor
  • Run perfmon.exe on the administrative workstation
  • Add Preside Radius service as an object to the
    chart items
  • Add any of the Preside Radius counters needed
  • Acct-Starts, Auth-Requests, Sessions Online, etc.

65
Windows NT Events
  • Event Service types
  • Core event relating to the functioning of Preside
    Radius itself
  • RADCAT_CORE
  • ID = 1
  • Events relating to the authentication service
  • RADCAT_AUTH
  • ID = 2
  • Events relating to the accounting service
  • RADCAT_ACCT
  • ID = 3

66
Severity of Preside Radius Events
  • Informational Events
  • Service has started
  • Service has stopped
  • Warning Events
  • Count of available threads has dropped below
    nnnn.
  • Amount of free file system space has dropped
    below minimum threshold
  • Error Events
  • Unable to create thread
  • The connection to Accounting Server has failed

67
SNMP Support
  • Requires Solstice Enterprise Agent (SEA)
  • http://www.sun.com/solstice/products/ent.agents/prod_spec.html
  • Preside Radius acts as a subagent
  • Three MIB files that get copied to the SNMP
    Manager
  • rauths.mib, raccs.mib, and fnkradtr.mib
  • Queries are defined in the rauths and raccs mib
    files
  • Traps and alarms are defined in the fnkradtr mib
    file
  • Informational, Warning, and Error messages
  • Similar to Windows NT Events
  • Events.ini configures the reporting options. Can
    dilute (reduce the frequency) reporting of common
    events

68
LCI Reporting Options
  • Use the LCI to report current users by client, IP
    address, Session ID, full name
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions,o=radius
    "client=*"
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions,o=radius
    "ipaddressfrompool=*"
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions,o=radius
    "acct-session-id=*"
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions_by_user,o=radius
    "fullname=*"

69
LDAP

70
LDAP Summary
  • Lightweight Directory Access Protocol
  • A directory is a specialized database
  • An example of an off-line directory is the
    phone book or mail-order catalogue.
  • Suited to reference data (read from much more
    often than it is written to).
  • Very flexible, both in looking up data and in
    changing the types of information stored.

71
LDAP Authentication
  • RADIUS client
  • Preside Radius
  • LDAP database server

Diagram labels: User, LDAP Server, NAS, RADIUS Server
72
LDAP Authentication
  • You have user data in an LDAP database.
  • Create an .aut file that (1) BINDs Preside
    Radius to an LDAP database and (2) issues a
    SEARCH query to retrieve the password, based on
    the username.
  • Name the authentication method
    (InitializationString = <LDAPName>)
  • Stop and restart the Preside Radius server.
  • Enable, disable, and re-order the <LDAPName>
    method in the Preside Radius Administrator,
    Configuration Dialog, Authentication Methods
    list.
  • Reference the <LDAPName> method from a directed
    realm.

73
Secondary LDAP Searches
  • Issue an additional search based on whether a
    search did or did not find the user in the
    initial search base
  • An OnFound section executes a secondary search
    after the first returns found
  • Execute second search based on parameters from
    original search and parameters from original
    access-request message
  • Execute a search for additional parameters in
    another branch of the LDAP directory based on the
    found user
  • An OnNotFound section executes a secondary search
    after the first returns not found
  • Execute a search on a separate branch of the LDAP
    directory in a secondary attempt to validate the
    user

74
Decision Tree Processing
Execute initial search
  • Based on OnFound and OnNotFound portions of an
    LDAP authentication method
  • Develop a process as complex as necessary to suit
    organization's needs

Flowchart labels (slide graphic): DSL subscriber? -> Found? Yes -> Return
DSL Profile -> ACCEPT; Found? No -> Search an alternate branch -> Dial-up
subscriber? -> Found? Yes -> ACCEPT; Found? No -> REJECT
75
Bind vs. BindName
  • Bind
  • Connect to directory as the dial-in user
  • The connection has this user's rights
  • BindName
  • Connect to directory as the same user for all
    filters, for example an administrative account
  • Directory view does not change from transaction
    to transaction
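The OnFound / OnNotFound decision tree of slides 73 and 74 and the Bind versus BindName distinction of slide 75, as an added Python example that is not part of the presentation and not Preside Radius code. A small in-memory list stands in for the directory (an assumption; no LDAP server is contacted), the tree is written as nested sections in the spirit of the .aut file the slides describe, and the DNs, users and passwords are constructed.

```python
import hmac

# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY = [
    {"dn": "uid=ann,ou=dsl,o=isp", "uid": "ann", "userPassword": "ann-pw"},
    {"dn": "uid=bob,ou=dialup,o=isp", "uid": "bob", "userPassword": "bob-pw"},
    {"dn": "cn=radius,o=isp", "uid": "radius", "userPassword": "svc-pw"},
]

# Slide 74's tree as nested OnFound / OnNotFound sections: search the DSL
# branch; if found, return the DSL profile; if not, search the dial-up
# branch; if found there, return that profile; otherwise reject.
METHOD = {
    "Search": {"Base": "ou=dsl,o=isp", "Filter": "uid"},
    "OnFound": {"Profile": "DSL"},
    "OnNotFound": {
        "Search": {"Base": "ou=dialup,o=isp", "Filter": "uid"},
        "OnFound": {"Profile": "DIALUP"},
        "OnNotFound": None,
    },
}


def bind(dn, password):
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    for entry in DIRECTORY:
        if entry["dn"] == dn:
            return hmac.compare_digest(entry["userPassword"], password)
    return False


def search(base, attr, value):
    """Subtree search under base for entries whose attr equals value."""
    return [e for e in DIRECTORY if e["dn"].endswith("," + base) and e.get(attr) == value]


def run_method(method, username, password, mode, bind_name=None, bind_pw=None):
    """Walk the tree.  mode is "Bind" (connect as the dial-in user, so the
    directory itself checks the password and the connection has only that
    user's rights) or "BindName" (connect as one administrative account, read
    the stored credential and compare it here).
    Returns ("ACCEPT", profile) or ("REJECT", reason)."""
    node = method
    while node is not None:
        spec = node["Search"]
        hits = search(spec["Base"], spec["Filter"], username)
        if len(hits) > 1:
            return ("REJECT", "search matched more than one entry")
        if hits:
            entry = hits[0]
            if mode == "Bind":
                ok = bind(entry["dn"], password)
            elif mode == "BindName":
                ok = bind(bind_name, bind_pw) and hmac.compare_digest(
                    entry["userPassword"], password)
            else:
                raise ValueError("mode must be Bind or BindName")
            return ("ACCEPT", node["OnFound"]["Profile"]) if ok else ("REJECT", "bad credentials")
        node = node["OnNotFound"]      # not found here: try the next branch, or give up
    return ("REJECT", "user not found in any branch")
```

A search that matches more than one entry is rejected rather than taking the first hit; with BindName the administrative account can read every user's stored credential, which is the trade-off against Bind that slide 75 points at.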

76
LDAP Bind Example
  • LDAP Bind
  • Standard Netscape schema
  • Same profile (TheUserProfile) for all Accepts
  • Response section could be empty → return no
    attributes in an Accept

77
LDAP BindName Example
  • BindName using an administrative account
  • LDAP Search for user's stored credentials
  • Standard Netscape schema
  • RAS Client is Ascend device
  • DNIS callback number returned with Accept

78
LDAP References
  • Understanding and Deploying LDAP Directory
    Services
  • 1999 - Timothy A. Howes, Mark C. Smith, Gordon
    S. Good
  • Comprehensive
  • Easy to read
  • Defines key terms
  • Openldap.org
  • http://www.openldap.org/
  • Netscape
  • http://developer.netscape.com/software/tools/index.html?content=ldap.html
  • http://www.iplanet.com/downloads/download/index.html

79
SQL Authentication

80
SQL Authentication
  • RADIUS client
  • Preside Radius
  • SQL database server
  • Any RADIUS attribute can be retrieved from SQL
  • Any SQL column can be returned in the response

Diagram labels: User, SQL Server, NAS, RADIUS Server
81
SQL Summary
  • Structured Query Language
  • A way to read from/write to databases
  • Tried and trusted, it's everywhere
  • Suited to fast-changing data (frequent r/w)
  • Inflexible format (rows and columns only)
  • Map SQL columns to any RADIUS attribute

82
SQL Configuration
  • You have user data in a SQL database.
  • Create an .aut file that (1) connects to the SQL
    database and (2) issues a SELECT query to
    retrieve the password, based on the username.
  • Username, password, profile, as well as any
    desired attribute stored in database
  • Execute stored procedures in MSSql, stored
    functions in Oracle
  • Name the authentication method
    (InitializationString = <SQLName>)
  • Enable .aut file (Enable = 1)
  • Stop and restart the Preside Radius server.
  • Activate, deactivate, and re-order the <SQLName>
    method in the Preside Radius Administrator,
    Configuration Dialog, Authentication Methods list.

83
SQL SELECT
  • SELECT is used in the authentication process to
    retrieve information from the database.
  • Preside Radius uses the SELECT statement to
    return the user's password, stored in the
    external database.
  • If the password returned from the external
    database matches the password received in the
    Access-Request for the user, Preside Radius will
    accept the connection.
  • Sample syntax

84
SELECT Examples
  • SQLTable?
  • Retrieve only the password from the database
  • Retrieve password and profile from the database
  • Authenticate user only if user's account is
    paid
  • In each case
  • What if the Access-Request contains the
    credentials Kevin/Test ?
  • What if the Access-Request contains the
    credentials Mel/Test3 ?
  • What if the Access-Request contains the
    credentials Nicole/Test4 ?
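The three SELECT shapes named above (password only, password and profile, paid accounts only) and the stored-procedure style of the next slide, where the comparison happens inside the database, as an added Python example on an in-memory SQLite table. This is not Preside Radius code: the slide's SQLTable is not reproduced on this page, so the rows here are constructed and the outcomes illustrate the queries rather than answer the Kevin/Mel/Nicole questions. Parameter binding takes the place of the server's name/20s substitution, and the trailing-blank handling refers to tech note RD272 on the "Common SQL Tech Notes" slide.

```python
import hmac
import sqlite3


def make_db():
    """Constructed usertable (the slide's SQLTable is not on this page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usertable (username TEXT PRIMARY KEY, "
               "password TEXT, userprofile TEXT, paid INTEGER)")
    db.executemany("INSERT INTO usertable VALUES (?, ?, ?, ?)", [
        ("alice", "Test1", "Basic Dial-In", 1),
        ("bob", "Test2", "Advanced Dial-In", 0),       # account not paid
        ("carol", "Test3", "Free Access", 1),
        ("dave", "Test4   ", "Basic Dial-In", 1),      # blank-padded, as a CHAR column returns it
    ])
    return db


# The three SELECT shapes from the slide; the ? placeholder is a bound
# parameter, which plays the role of %name/20s in an .aut file and keeps a
# crafted User-Name from changing the query.
SELECT_PASSWORD_ONLY = "SELECT password FROM usertable WHERE username = ?"
SELECT_PASSWORD_PROFILE = "SELECT password, userprofile FROM usertable WHERE username = ?"
SELECT_PAID_ONLY = ("SELECT password, userprofile FROM usertable "
                    "WHERE username = ? AND paid = 1")


def authenticate(db, query, username, request_password):
    """SQL SELECT slide flow: the query returns the stored password and the
    RADIUS server compares it with the password from the Access-Request."""
    rows = db.execute(query, (username,)).fetchall()
    if len(rows) != 1:                  # no row (unknown or unpaid) or ambiguous: reject
        return ("REJECT", None)
    stored = rows[0][0].rstrip(" ")     # CHAR padding would otherwise reject (RD272)
    if not hmac.compare_digest(stored, request_password):
        return ("REJECT", None)
    profile = rows[0][1] if len(rows[0]) > 1 else None
    return ("ACCEPT", profile)


def authenticate_in_db(db, username, request_password):
    """Stored-procedure flow: the comparison runs inside the database, as
    authenticate_user does, and only the profile comes back."""
    row = db.execute("SELECT userprofile FROM usertable "
                     "WHERE username = ? AND password = ?",
                     (username, request_password)).fetchone()
    return ("ACCEPT", row[0]) if row else ("REJECT", None)
```

Note the difference in what leaves the database: the SELECT variants hand the stored password to the RADIUS server for every lookup, the stored-procedure variant returns only a profile or nothing.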

85
Stored Procedures Authentication
  • Support of execution of stored procedures in
    MSSql 7
  • Authentication Example
  • SQL=EXECUTE authenticate_user %name/20s,
    %password/20s
  • Returns a profile with the following stored
    procedure:
      CREATE PROCEDURE authenticate_user
        @username varchar(20), @password varchar(20)
      AS SELECT userprofile FROM usertable
        WHERE username = @username
        AND password = @password

86
Stored Procedures Accounting
  • Support of execution of stored procedures in
    MSSql 7
  • Inserts accounting data into accounting table
  • SQL=EXECUTE add_account transactiontime/20s, \
      @user-name/21s, \
      @Acct-Session-ID/12s, \
      @NAS-IP-Address/15s, \
      @NAS-PORT-TYPE/5s, \
      @FRAMED-IP-ADDRESS/15s, \
      @calling-station-id/12s, \
      @called-station-id/12s, \
      TYPE/4s, \
      @ACCT-SESSION-TIME/14s, \
      @ACCT-TERMINATION-CAUSE/12s

87
Stored Functions in Oracle Authentication
  • Support of execution of stored functions in
    Oracle
  • Authentication Example
  • SQL=SELECT authenticate_user(%name/20s,
    %password/20s) FROM DUAL
  • Returns a profile with the following stored
    function:
      CREATE OR REPLACE FUNCTION authenticate_user (un
        IN VARCHAR2, pw IN VARCHAR2) RETURN VARCHAR2 IS
        profile LONG;
      BEGIN
        SELECT userprofile INTO profile FROM usertable
          WHERE username = un AND password = pw;
        RETURN profile;
      END authenticate_user;
      /

88
Stored Functions in Oracle Accounting
  • Support of execution of stored functions in
    Oracle
  • Inserts accounting data into accounting table
  • SQL=SELECT add_account (transactiontime/20s, \
      @user-name/21s, \
      @Acct-Session-ID/12s, \
      @NAS-IP-Address/15s, \
      @NAS-PORT-TYPE/5s, \
      @FRAMED-IP-ADDRESS/15s, \
      @calling-station-id/12s, \
      @called-station-id/12s, \
      TYPE/4s, \
      @ACCT-SESSION-TIME/14s, \
      @ACCT-TERMINATION-CAUSE/12s) FROM DUAL

89
Common SQL Tech Notes
  • RD260: Setting up Steel-Belted Radius-NT ODBC to
    a MS-SQL Server database
    (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/104dab75b858c53f852566b80054d15a?OpenDocument)
  • RD212: Oracle SQL setup for Steel-Belted
    Radius-UNIX 2.10
    (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/b5ef55bf97feb5d185256604006f2251?OpenDocument)
  • RD211: Informix SQL setup for Steel-Belted
    Radius-UNIX 2.10
    (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/7fcd8f3a44905a8285256604006ed591?OpenDocument)
  • RD272: Steel-Belted Radius rejects SQL users when
    the password field is defined as 'char' type
    (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/5ba7f5d40c0981db852566c1001cbb17?OpenDocument)
  • RD298: SQL configuration files database
    connectivity options
    (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/afe3aad0b7908f538525672100598443?OpenDocument)

90
SQL References
  • The Practical SQL Handbook Using Structured
    Query Language
  • 3rd ed. 1996 - Judith S. Bowman, Sandra L.
    Emerson, Marcy Darnovsky
  • Includes sample software on CD-ROM
  • Cross-references different SQL products
  • Oracle
  • http://technet.oracle.com/docs/index.htm
  • Microsoft
  • http://www.microsoft.com/sql/default.htm
  • Generic Introduction to SQL
  • http://w3.one.net/jhoffman/sqltut.htm

91
Accounting

92
SQL Accounting
  • You have billing records in a SQL database.
  • Create an .acc file that (1) connects to the SQL
    database and (2) issues an INSERT query that
    writes accounting data to it.
  • Name the accounting method (InitializationString
    = <SQLName>).
  • Enable the <SQLName> accounting method (Enable =
    1).
  • Stop and restart the Preside Radius server.
  • Optionally, you may reference <SQLName> from a
    directed realm.

93
RADIUS Accounting Attributes
  • What do they tell us? How are they used?
  • On Off
  • These messages tell us about the NAS device.
  • They provide information about the startup or
    shutdown of a RADIUS client.
  • They enable Preside Radius to notify devices and
    management tools on the network about the status
    of the RADIUS client.
  • Start Stop Interim
  • These messages tell us about the user.
  • When a user starts to receive service on the
    network, these messages provide
    type-of-connection and other activity
    information. They give notice when the user has
    stopped using the network.
  • These messages enable us to account for network
    usage and bill for consumptive use.
    (Flat-rate, monthly billing does not require
    accounting.)

94
SQL INSERT
  • Preside Radius lets you write to an SQL database
    the specific accounting information that you want
    to maintain.
  • INSERT is the query used to write to the
    database.
  • Any RADIUS accounting attribute listed in Preside
    Radius's account.ini file can be used in the
    INSERT statement.
  • @AttributeName
  • Preside Radius also can write the transaction
    time, full username, NAS name and record type to
    the database.
  • Value
  • Sample syntax

95
Accounting and Billing
  • A rudimentary billing system requires only these
    attributes
  • Acct-Session-ID
  • Connection's unique identifier
  • Matches STARTs and STOPs
  • Acct-Status-Type
  • Start, Stop, Interim, On, Off
  • Framed-IP-Address
  • IP address of user's connection
  • Authentication, accounting attribute
  • User-Name
  • The account using the network
  • Authentication, accounting attribute
  • Acct-Session-Time
  • For how many seconds did the user receive
    service?
  • TIME = MONEY
  • Acct-Input-Packets, Acct-Output-Packets,
    Acct-Input-Octets, Acct-Output-Octets
  • What was the volume of network traffic generated
    by the user?
  • TRAFFIC = MONEY
  • Other attributes (including VSAs) provide
    additional detail.

96
INSERT Examples
  • SQLTable?
  • A simple INSERT statement might capture
  • The time of the transaction
  • The username
  • The NAS to which the user connected
  • The type of accounting message
  • The total connect time
  • Expect to create complex INSERT statements like
    these

97
Native Accounting Log File
  • yyyymmdd.ACT
  • comma-delimited
  • typical entry (a single line)
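An added Python example (not part of the presentation, not Preside Radius code) that reads records in the comma-separated layout the "Accounting Log Details" slide describes and reconciles them the way the "Accounting" and "RADIUS Accounting Attributes" slides discuss: Start and Stop matched on Acct-Session-Id, Interim updates carrying cumulative counters, an Accounting-Off from a RAS client closing that client's open sessions, and Stops that never had a Start flagged instead of billed. The column subset, session IDs and counter values are constructed; the real file carries every attribute account.ini lists.

```python
import csv
import io

# Constructed sample of a yyyymmdd.ACT file: the six built-in columns from the
# Accounting Log Details slide followed by a subset of the standard attributes.
ACT_LINES = """\
"Date","Time","RAS-Client","Record-Type","Full-Name","Auth-Type","User-Name","Acct-Status-Type","Acct-Session-Id","Acct-Session-Time","Acct-Input-Octets","Acct-Output-Octets","Framed-IP-Address"
"03/14/2001","08:00:01","ras-a","Start","alice","Native","alice","Start","0001A2B3","","","","10.1.1.5"
"03/14/2001","08:00:05","ras-a","Start","bob","Native","bob","Start","0001A2B4","","","","10.1.1.6"
"03/14/2001","08:15:05","ras-a","Interim","bob","Native","bob","Interim","0001A2B4","900","4096","8192","10.1.1.6"
"03/14/2001","08:30:01","ras-a","Stop","alice","Native","alice","Stop","0001A2B3","1800","204800","1048576","10.1.1.5"
"03/14/2001","09:00:00","ras-b","Stop","carol","Native","carol","Stop","0001A2C9","600","1024","2048","10.1.1.9"
"03/14/2001","09:30:00","ras-a","Off","","","","Off","","","","",""
"""


def reconcile(act_text):
    """Pair accounting records by Acct-Session-Id in file order.

    Returns billed sessions (a Start matched by a Stop), sessions still open,
    sessions closed by an Accounting-Off from their RAS client (no Stop, so no
    trustworthy duration), and Stops that never had a Start."""
    open_sessions, billed, closed_by_nas, orphan_stops = {}, {}, {}, []
    for row in csv.DictReader(io.StringIO(act_text)):
        kind, sid, client = row["Acct-Status-Type"], row["Acct-Session-Id"], row["RAS-Client"]
        if kind == "Start":
            open_sessions[sid] = row
        elif kind == "Interim" and sid in open_sessions:
            open_sessions[sid] = row            # counters are cumulative: keep the latest
        elif kind == "Stop":
            if sid not in open_sessions:
                orphan_stops.append(sid)        # Stop without Start: investigate, do not bill
                continue
            start = open_sessions.pop(sid)
            billed[sid] = {
                "user": row["User-Name"],
                "ip": start["Framed-IP-Address"],
                "seconds": int(row["Acct-Session-Time"]),
                "octets": int(row["Acct-Input-Octets"]) + int(row["Acct-Output-Octets"]),
            }
        elif kind == "Off":
            # The NAS went down: every session it still had open ended without a Stop.
            for s in [s for s, r in open_sessions.items() if r["RAS-Client"] == client]:
                closed_by_nas[s] = open_sessions.pop(s)
    return {
        "billed": billed,
        "open": sorted(open_sessions),
        "closed_by_nas": sorted(closed_by_nas),
        "orphan_stops": orphan_stops,
    }


def totals(summary):
    """Billable seconds and octets across all cleanly closed sessions."""
    seconds = sum(s["seconds"] for s in summary["billed"].values())
    octets = sum(s["octets"] for s in summary["billed"].values())
    return seconds, octets
```

The orphan and closed-by-NAS buckets are the ones worth alerting on: a Stop with no Start can mean a lost or spoofed Start, and a session ended by an Off has usage that never reached the log.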

98
Proxy Radius

99
Why Proxy RADIUS?
  • Enables outsourcing
  • Customer info stays @ realm
  • The larger carrier does not get it
  • Customer keeps control of its own data
  • Users of Proxy RADIUS
  • AOL, MSN, Compuserve
  • iPass
  • Any organization looking to sell wholesale
    network access

100
Proxy RADIUS BSAC
  • BSAC Radius receives request (User-Name =
    Carol@Funk)
  • BSAC Radius forwards request to server Funk
  • Target server authenticates request (User-Name =
    Carol)
  • All realms are treated the same way

101
Proxy RADIUS Preside
  • Options, options, options...

102
Proxy RADIUS Preside
  • Preside Radius receives request
  • User-Name = Carol@Funk
  • Preside Radius checks if it is hosting the realm
  • If so, Preside Radius authenticates the request
  • If not, the request is forwarded to realm Funk
    (realm Funk must exist)
  • Various options are applied to the request
  • Request is authenticated with
  • User-Name = Carol, OR
  • User-Name = Carol@Funk

103
Preside Proxy Features
  • Customer requirements not all the same
  • Sense of self
  • Support for wholesaling
  • Hosting RADIUS services
  • Different ways of routing
  • Username prefix and suffix support
  • DNIS routing
  • Routing by any attribute
  • Multiple hops
  • Realm-specific configuration options

104
Preside Proxy Features
  • Customer requirements not all the same
  • Multiple targets
  • Redundancy
  • Load balancing
  • Failure options
  • Username handling
  • First Proxy might not be the final stop
  • Outsourcing by the outsourcer
  • Attribute filters

105
Directed Authentication and Accounting Methods
  • Simplify hosting of RADIUS services
  • Permit prefix, suffix, or DNIS routing
  • Enable individual accounting files for each
    customer
  • Remove requirement for additional RADIUS servers
    (permit a unique RADIUS configuration for each
    customer on the same server)
  • Leverage investment in SQL or LDAP
  • Promote savings on hardware, software,
    support/maintenance, training, and facilities

106
Why Directed Methods?
  • Directed Authentication
  • Carriers can host AAA servers for their customers
  • Each realm
  • Points to a specific auth method only
  • May have specific auth order list
  • @Ford attempted against Ford's database only!
  • Directed Accounting
  • Customer records handled separately in logfiles
    or SQL db
  • Simplifies delivery of accounting information to
    the customer (no Proxy RADIUS needed at customer
    site)

107
Directed Methods Licensing
  • 10 licenses with Preside Radius
  • Each directed method consumes 1 license
  • Authentication, accounting methods are counted
    individually
  • 6 authentication plus 4 accounting = 10
  • 1 accounting plus 9 authentication = 10
  • Additional 5-packs available
  • Add licenses without re-installing Preside Radius

108
Filters
  • When directing messages to and from Preside
    Radius realms, filters can be applied that add
    attribute information to the message or remove
    it from the message
  • filter.ini defines all filter names and filter
    rules
  • Filter names are referenced from realm
    configuration files <realmname>.pro and
    <realmname>.dir

109
Filter Options
  • Create Allow, Exclude, or Add attribute rules in
    filter.ini
  • [filtername]
  • Allow
  • Exclude NAS-Identifier
  • Add Idle-Timeout 60
  • Reference filter names in realm .pro/.dir files
  • [Auth]
  • FilterIn=filtername1
  • FilterOut=filtername2
  • [Acct]
  • FilterIn=filtername3
  • FilterOut=filtername4
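The three rule verbs above, applied to an attribute list, as an added worked example (not Preside Radius code). The evaluation order used here is an assumption for illustration: a bare Allow or Exclude sets the default for attributes no later rule names, a named Allow or Exclude overrides that default for one attribute, and Add appends after filtering. The `[filtername]` section is the slide's own; `[to_partner]` is a constructed outbound filter of the kind you would put on a proxy realm so that an Access-Request leaves your server carrying only what the downstream realm needs. The `;` comment syntax and the sample Access-Request are also assumptions.

```python
# Constructed filter.ini-style text. "[filtername]" is the deck's own example;
# "[to_partner]" is an added outbound proxy filter that strips everything a
# downstream realm does not need before an Access-Request leaves our server.
FILTER_INI = """\
[filtername]
ALLOW
EXCLUDE NAS-Identifier
ADD Idle-Timeout 60

[to_partner]
EXCLUDE
ALLOW User-Name
ALLOW User-Password
ALLOW CHAP-Password
ALLOW CHAP-Challenge
ALLOW NAS-Port-Type
"""


def parse_filter_ini(text):
    """Return {filter_name: [(verb, attribute_or_None, value_or_None), ...]}."""
    filters, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # assumption: ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            filters[current] = []
            continue
        if current is None:
            raise ValueError("rule before any [filter] header: %r" % line)
        parts = line.split(None, 2)
        verb = parts[0].upper()
        if verb == "ADD" and len(parts) == 3:
            filters[current].append(("ADD", parts[1], parts[2]))
        elif verb in ("ALLOW", "EXCLUDE") and len(parts) <= 2:
            filters[current].append((verb, parts[1] if len(parts) == 2 else None, None))
        else:
            raise ValueError("unrecognised filter rule: %r" % line)
    return filters


def apply_filter(rules, attrs):
    """Apply one filter to a list of (attribute, value) pairs.

    A bare ALLOW or EXCLUDE sets the default for attributes not named by a
    rule; a named ALLOW/EXCLUDE overrides it for that attribute; ADD appends
    after filtering. Allow-all is assumed when no bare rule is present.
    """
    allow_by_default, allowed, excluded, adds = True, set(), set(), []
    for verb, name, value in rules:
        if verb == "ADD":
            adds.append((name, value))
        elif name is None:
            allow_by_default = (verb == "ALLOW")
        elif verb == "ALLOW":
            allowed.add(name)
        else:
            excluded.add(name)
    kept = [(n, v) for n, v in attrs
            if n not in excluded and (allow_by_default or n in allowed)]
    return kept + adds


# Constructed Access-Request attribute list as it might arrive from a NAS.
SAMPLE_REQUEST = [
    ("User-Name", "Carol@Funk"),
    ("User-Password", "<encrypted>"),
    ("NAS-Identifier", "nas1"),
    ("NAS-IP-Address", "198.186.160.5"),
    ("Calling-Station-Id", "5085551212"),
    ("NAS-Port-Type", "Async"),
]


def demo():
    """Run every filter in FILTER_INI over the sample request."""
    filters = parse_filter_ini(FILTER_INI)
    return {name: apply_filter(rules, SAMPLE_REQUEST) for name, rules in filters.items()}


if __name__ == "__main__":
    for name, attrs in demo().items():
        print(name, attrs)
```

A default-deny outbound filter like `[to_partner]` is the one to reach for on a wholesale proxy: it keeps your NAS inventory (NAS-Identifier, NAS-IP-Address) and the caller's number out of a partner's logs without you having to enumerate every attribute a NAS might add.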

110
Troubleshooting and Logging
111
Process
  • Find out what happened (logs)
  • Remove Preside Radius from the picture
  • Use configuration checklists
  • Use system tools (perfmon, top, event viewer,
    etc...)

112
Activity Log
  • yyyymmdd.log
  • typical entries
  • Sent accept response for user X to client Y
  • Unable to find user X with matching password
  • Sent reject response
  • Shutting down RADIUS Authentication Server
  • Starting RADIUS Authentication Server

113
Activity Log Details
  • All Preside Radius information is in a daily log
    file (yyyymmdd.log)
  • radius.ini controls the level of logging
    detail in its [Configuration] section
  • LogLevel
  • 0 = production (sparse)
  • 1 = informational (medium)
  • 2 = debug (verbose)
  • TraceLevel
  • 0 = no packet tracing
  • 1 = parsed contents of packets are logged
  • 2 = raw contents of packets are logged
  • Kept for a number of days set in Configuration
    section of radius.ini

114
Accounting Log Details
  • All Preside Radius accounting information is in a
    daily log file (yyyymmdd.act)
  • Accounting transactions are also logged to the
    authentication log file, since accounting start
    and stop messages impact users' active sessions
  • account.ini controls the attributes logged
  • Kept for a number of days set in Configuration
    section of radius.ini
  • Comma-separated format for easy importing into
    other databases or spreadsheet applications
  • Date, Time, RAS-Client, Record-Type, Full-Name,
    Auth-Type are built in to native accounting
  • All standard RADIUS attributes are listed next by
    default
  • Depending on the device configured, any VSAs are
    listed after that
  • Edit account.ini to add/remove any accounting
    information logged

115
Log File Errors
  • Errors can be looked at from two perspectives
  • Information contained within a packet may be a
    source of error
  • Information relative to Preside Radius itself and
    its connections may be a source of error
  • Use TraceLevel = 1 or 2 for logging to decode
    packet errors
  • Use LogLevel = 1 or 2 for explanatory Preside
    Radius application errors

116
Packet Specific Errors
  • Trace packets to decode information that is
    contained within RADIUS messages
  • Determine whether appropriate attributes are
    present in packet
  • Determine whether appropriate attribute values
    are present in packet
  • Determine whether a device is sending valid
    RADIUS packets

117
RADIUS Attributes
  • Standard RADIUS: 08 06 <00..00>
    (ID, Length, Data; here ID 8 = Framed-IP-Address,
    Length 6)
  • Vendor-specific: 1a 0e 000001ad 67 08 <00..00>
    (ID 26, Length 14, Vendor-ID, vendor attribute ID,
    vendor attribute Length, Data)
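A decoder for the two layouts on this slide, as an added example (not code from the deck or from Funk Software). It walks the attribute area of a RADIUS packet per RFC 2865 section 5, unpacks Vendor-Specific (type 26) into Vendor-Id plus vendor sub-attributes per section 5.26, and checks every length field before trusting it. That last point matters when you trace packets from a misbehaving device: a zero or oversized length is exactly the malformed input the slide is asking you to recognise, and a decoder that does not check it either loops forever or reads past the buffer. The data bytes filling the slide's `<00..00>` placeholders are constructed.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26


def parse_attributes(data):
    """Walk the attribute area of a RADIUS packet (RFC 2865 section 5).

    Returns a list of (type, vendor_id, vendor_type, value) tuples; vendor_id
    and vendor_type are None for standard attributes. Every length field is
    checked before use so a malformed packet raises ValueError instead of
    reading past the buffer or looping forever on a zero length.
    """
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad length %d for attribute type %d" % (alen, atype))
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4 + 2:
                raise ValueError("VSA too short to hold Vendor-Id and a sub-attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):          # several sub-attributes may share one VSA
                if len(value) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length %d" % vlen)
                attrs.append((atype, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            attrs.append((atype, None, None, value))
        i += alen
    return attrs


def dotted(value):
    """Render a 4-byte address value (e.g. Framed-IP-Address, type 8)."""
    if len(value) != 4:
        raise ValueError("address attribute must be 4 bytes")
    return ".".join(str(b) for b in value)


# The two byte layouts from the slide, with constructed data bytes filled in
# for the <00..00> placeholders: type 8 Framed-IP-Address = 192.168.1.1, and a
# type 26 VSA for vendor 0x1ad carrying sub-attribute 0x67 with six zero bytes.
SAMPLE = bytes.fromhex("08 06 c0a80101") + bytes.fromhex("1a 0e 000001ad 67 08") + bytes(6)


if __name__ == "__main__":
    for atype, vendor, vtype, value in parse_attributes(SAMPLE):
        if vendor is None:
            print("attr", atype, value.hex())
        else:
            print("vsa vendor", vendor, "type", vtype, value.hex())
```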


118
Preside RadiusLogging Error Messages
  • Preside Radius will log connection attempts to
    any external databases (sql, ldap)
  • Log file will record messages transmitted to and
    from other RADIUS devices
  • Read these to determine if packets are being sent
    to and from other RADIUS clients, servers
  • Configuration issues can be seen here
  • Invalid license strings
  • failure to load configuration files
  • failure to execute SQL SELECT and INSERT
    statements
  • Accept and Reject messages are logged from
    upstream clients and downstream servers

119
Refer to Manual Index
  • Example Which password protocols does Preside
    Radius support?

120
Common Tech Notes
  • Steel-Belted Radius tech notes found in the
    support section of www.funk.com
  • RD124 Realm name appended to username causes
    Steel-Belted Radius reject
  • RD143 NT RAS Dial-in clients failing
    authentication while other dial-in clients are
    authenticated
  • RD162 Setting up a SecurID/ACE Server
  • RD168 How to Disable CHAP Password on a NT RAS
  • RD175 User rights problems when installing on NT
    PC that is NOT Domain Controller
  • RD207 Simple Cisco set up
  • RD208 Native Users works, but pass-through
    authentication doesn't
  • RD219 Need to test Steel-Belted Radius in stand
    alone mode (testrig)
  • RD231 Forgot admin password on Preside Radius
    UNIX
  • RD254 Requirements for persistence mode
    functionality w/ Steel-Belted Radius v 1.5 and
    later
  • RD259 MS-CHAP authentication supports Preside
    Radius
  • RD260 Setting up Steel-Belted Radius NT ODBC to
    a MS SQL server database
  • RD269 How to decode Radius packets
  • RD279 Logging additional attributes to
    Steel-Belted Radius .ACT files
  • RD285 Matching request found in auth. Cache and
    cached response being re-sent log msg

121
Common Tech Notes
  • RD296 NT Trust Issues across multiple domains
    authentication against remote domains
  • RD306 Steel-Belted Radius Database Files
  • RD311 Limiting NAS access for specific users
  • RD334 Definitions for checklist and returnlist
    attributes
  • RD336 Default Ports for Preside Radius
  • RD367 License issue for upgrades, etc. (no
    valid primary license found)
  • RD369 Radius authentication via PAP or CHAP
  • RD371 SQL authentication and accounting for NT
    4.0 using MS Access 97
  • RD376 Importing flat text users/passwords into
    Preside Radius
  • RD407 Sample LDAPSEARCH strings for use with
    LCI
  • RD411 System Requirements for Preside Radius
  • RD414 Windows 2000 Set Up considerations
    install crashes 79 and get 115 error
  • RD417 Recommend Steps for Upgrading Steel-Belted
    Radius
  • RD436 Sample file for authorization against LDAP
    using Bind
  • RD437 Using Bind Name
  • RD447 LDAP EXE Files
  • RD463 NT Expired Password Setting up Profiles
  • RD291 Pipe messages in the Steel-Belted Radius
    daily activity log

122
Other Features
123
Tunnels
  • Preside Radius supports the authentication and
    accounting needs of existing tunnels
  • Can store and pass back information the NAS
    device needs to establish a tunnel connection
  • Track number of tunnels in use and compare to
    maximum number of tunnels allowed

124
Tunnel Process
  • Preside Radius looks for the Called-Station-ID in
    the access-request message and looks for a tunnel
    entry matching this attribute
  • Alternately, Preside Radius looks for a tunnel
    entry matching the username decoration
  • Username<delimiter>tunnelname
  • Tunnelname<delimiter>username
  • Preside Radius can place tunnel-specific
    attributes into the access-accept message that
    will enable the NAS device to establish a tunnel
    connection
  • Ascend-Tunneling-Protocol
  • Tunnel-Assignment-ID
  • Tunnel-Medium-Type
  • Authentication occurs after this point.
    Successful authentication at the enterprise site
    will complete the connection

125
Auto Restart
  • Enables Preside Radius to restart itself whenever
    it experiences a shutdown
  • Disabled by default
  • Stop radius process
  • Edit /etc/rc2.d/S90radius script
  • Uncomment this line
  • RADIUS="$RADIUSDIR/radiusd --server
    $RADIUSDIR/radius"
  • Runs the radius process as a child of radiusd

126
Auto Restart Options
  • The child process is polled based on configuration
    options defined in the radiusd Perl script
  • config
  • ping_interval 5
  • max_pong 17
  • max_startup 60
  • max_shutdown 60
  • debug_mode 0
  • If syslog is available to Perl, all
    informational, warning and debugging messages are
    recorded in syslog
  • Optionally, a specific log file can be specified
  • If not specified, and syslog is not available,
    messages are written to radiusd.log in the radius
    directory

127
Time Of Day Restrictions
  • Using the Allowed-Access-Hours Funk standard
    attribute, time-of-day restrictions can be
    enforced
  • Apply this attribute to a native user, a profile,
    a host OS user/group, or token system user
  • Store this attribute/value in LDAP or SQL, apply
    it to externally authenticated users
  • Time ranges are 24 hour
  • 0800-2200 represents 8 AM to 10 PM
  • Day ranges M, Tu, W, Th, F, Sa, Su
  • M-Th represents Monday through Thursday
    inclusively
  • Day and time ranges can intermix, but there must
    be at least one time range for any day that is
    used
  • Allowed-Access-Hours = M-W 0100-1400 2300-2400
  • Allowed-Access-Hours = Tu,Th-F 0530-1200
    1300-1830
  • Allowed-Access-Hours = Sa-Su 0000-2400
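The Allowed-Access-Hours grammar described on this slide (day tokens, inclusive day ranges, comma-separated day lists, 24-hour HHMM-HHMM ranges, and the rule that every day group needs at least one time range) as an added parser and evaluator. This is illustration code, not Preside Radius's own implementation; the weekday numbering (0 = Monday, matching Python's datetime.weekday) and the treatment of range ends as exclusive (so 0800-2200 admits 21:59 but not 22:00) are assumptions made here.

```python
DAY_TOKENS = ["M", "Tu", "W", "Th", "F", "Sa", "Su"]   # index 0 = Monday, as datetime.weekday()


def _day(tok):
    if tok not in DAY_TOKENS:
        raise ValueError("unknown day token %r" % tok)
    return DAY_TOKENS.index(tok)


def _expand_days(spec):
    """'M-W' -> {0, 1, 2}; 'Tu,Th-F' -> {1, 3, 4}; ranges are inclusive."""
    days = set()
    for part in spec.split(","):
        if "-" in part:
            first, last = (_day(t) for t in part.split("-", 1))
            if last < first:
                raise ValueError("day range %r must run forward" % part)
            days.update(range(first, last + 1))
        else:
            days.add(_day(part))
    return days


def _minutes(hhmm):
    """'0530' -> 330. '2400' is accepted only as an end-of-day bound."""
    if len(hhmm) != 4 or not hhmm.isdigit():
        raise ValueError("time %r must be HHMM" % hhmm)
    h, m = int(hhmm[:2]), int(hhmm[2:])
    if h > 24 or m > 59 or (h == 24 and m != 0):
        raise ValueError("time %r out of range" % hhmm)
    return h * 60 + m


def parse_allowed_access_hours(value):
    """Parse 'M-W 0100-1400 2300-2400 Sa-Su 0000-2400' into
    {weekday: [(start_min, end_min), ...]} with end exclusive. Enforces the
    rule that every day group must be followed by at least one time range."""
    schedule, current_days, have_range = {}, None, False
    for tok in value.split():
        if tok[0].isdigit():                       # a HHMM-HHMM time range
            if current_days is None:
                raise ValueError("time range %r given before any day" % tok)
            bounds = tok.split("-")
            if len(bounds) != 2:
                raise ValueError("time range %r must be HHMM-HHMM" % tok)
            start, end = _minutes(bounds[0]), _minutes(bounds[1])
            if start >= end:
                raise ValueError("time range %r is empty" % tok)
            for d in current_days:
                schedule.setdefault(d, []).append((start, end))
            have_range = True
        else:                                      # a day or day-range list
            if current_days is not None and not have_range:
                raise ValueError("day group before %r has no time range" % tok)
            current_days, have_range = _expand_days(tok), False
    if current_days is None or not have_range:
        raise ValueError("value must end with a day group and a time range")
    return schedule


def is_allowed(schedule, weekday, hour, minute):
    """True if hour:minute on weekday (0 = Monday) falls in an allowed range."""
    now = hour * 60 + minute
    return any(start <= now < end for start, end in schedule.get(weekday, []))


def is_allowed_at(schedule, when):
    """Convenience wrapper taking a datetime."""
    return is_allowed(schedule, when.weekday(), when.hour, when.minute)


if __name__ == "__main__":
    sched = parse_allowed_access_hours("M-W 0100-1400 2300-2400")
    print(sched)
    print(is_allowed(sched, 0, 13, 59), is_allowed(sched, 0, 14, 0))
```

The server clock, not the NAS clock, decides the weekday and hour in this model; when the attribute is stored in LDAP or SQL for externally authenticated users, a value that fails to parse should reject, not silently allow, which is why the parser raises on every malformed form.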

128
IP Resource Management

129
Managing IP Data
  • IP Resources can be managed by
  • Preside Radius
  • Static IP addresses assigned to native users
  • Named Pools of IP addresses that can be
    associated with a user, a profile, or a NAS
    device
  • External Databases
  • Store and return specific IP addresses or names
    of address pools in LDAP or SQL. Preside Radius
    will then return that IP address (or an IP
    address in one of its named IP Pools) in the
    authentication response
  • Enable external applications to manage these data
    stores
  • Existing DHCP Servers
  • Preside Radius can request IP information from a
    DHCP server and pass that information back to the
    NAS device and dial-in client. From then on, the
    client, NAS, and DHCP server negotiate the IP
    lease

130
IP / IPX Pools Dialog
  • Configure Multiple Pools
  • Create multiple ranges per pool
  • Associate with users, profiles, or NAS

131
Static IP Assignment
  • Store static IP addresses in your SQL or LDAP
    database
  • Store static IP addresses with native users in
    Preside Radius
  • Return an IP Address from SQL
  • In the [Settings] section of sqlauth.aut
  • SELECT password, ipaddress FROM usertable WHERE
    username=%name/40
  • Return IP Address from LDAP Directory
  • In the [Response] section of ldap.aut
  • [Response]
  • Framed-IP-Address = ipaddress

132
IP Pool Assignment
  • Store IP Pool names in your SQL or LDAP database.
    Value in database must match existing Preside
    Radius IP Pool name.
  • Return an IP Address Pool Name from SQL
  • In the [Settings] section of sqlauth.aut
  • SELECT password, ipaddresspool FROM usertable
    WHERE username=%name/40
  • In the [Results] section
  • Password=1/48
  • Framed-IP-Address=2/48
  • Return IP Address Pool name from LDAP Directory
  • In the [Response] section of ldap.aut
  • [Response]
  • Framed-IP-Address = ipaddresspool
  • IP Pools can also be associated with an Preside
    Radius-defined profile or a specific NAS device
  • If an IP Pool runs out of addresses, users will
    get rejected

133
DHCP Support
  • Leverage existing DHCP servers to maintain IP
    Address management
  • Configure dhcp.ini and <poolname>.dhc files
  • Return IP Pool name from external source that
    corresponds to a DHCP-defined pool name.
  • RADIUS attributes can be mapped to and from DHCP
    options in the <poolname>.dhc file
  • [Request]
  • 12s = Calling-Station-Id
  • 60s = \x01\x02\x03\x04\x05
  • [Reply]
  • Framed-IP-Netmask = 1ip
  • Framed-MTU = 26n16

134
IP Address Leakage
  • Addresses assigned through Preside Radius may
    leak, or become unavailable for use when
  • An accounting-stop message is not sent from the
    NAS
  • A NAS device shuts down unexpectedly
  • Packet loss occurs
  • Device is not configured correctly i.e. sending
    accounting packets to a secondary RADIUS server
    when primary server is available
  • Mis-matched authentication, accounting messages
  • When phantom and start messages fail to match,
    phantom sessions may not be removed properly
  • When start and stop messages fail to match, start
    sessions may not be removed properly

135
Solutions
  • Leaked addresses will remain so until manually
    deleted from Current Users list or
  • Preside Radius will automatically release address
    when another request comes in from the same NAS
    on the same port
  • Preside Radius assumes that the previous user can
    no longer be using the same NAS/port combination
  • Preside Radius clears out all current users
    associated with a NAS when it receives an
    accounting-on message from that NAS
  • Manually delete remaining sessions
  • Use DHCP leasing to lessen the impact of leaked
    addresses
  • Leased addresses are released back into the pool
    after configurable time periods
  • Stopping Preside Radius, deleting the radads.hst
    file, and restarting Preside Radius will also
    delete all current users.

136
Statistics Dialog
137
Current Users Dialog
138
LCI Reporting Options
  • Use the LCI to report current users by client, IP
    address, Session ID, full name
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions,o=radius
    client=*
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions,o=radius
    ipaddressfrompool=*
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions,o=radius
    acct-session-id=*
  • ldapsearch -V 2 -p 667 -D cn=admin,o=radius -w
    radius -b radiusstatus=sessions_by_user,o=radius
    fullname=*
  • See LCI Schema for more options

139
Wildcards: Strings
  • Use wildcard values in checklist attributes,
    extended proxy, and attribute mapping
  • The expression for any number of variable
    characters in a string is the * character.
  • For any single character, use ?
  • Precede a string with ~ to indicate that it is
    to be treated as a wildcard pattern
  • Example using a checklist attribute
  • Calling-Station-Id = ~508*
  • Allows user dialing in from anywhere within the
    508 area code
  • Set multiple Calling-Station-Id checklist
    attributes to enable more area codes

140
Wildcards: IP Numbers
  • Use IP wildcards to filter checklist attributes
    by network
  • IP Numbers are wildcarded by class notation
  • 198.186.160.0 represents 198.186.160.0 through
    198.186.160.255
  • 140.100.0.0 represents 140.100.0.0 through
    140.100.255.255
  • 75.0.0.0 represents 75.0.0.0 through
    75.255.255.255
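Both wildcard forms from the two preceding slides (string patterns with `*` and `?`, and IP numbers wildcarded by trailing zero octets) as one added checklist matcher. It is illustration code, not Preside Radius's own matcher, and it assumes: the wildcard prefix character is a tilde (`~`), a string without the prefix is compared literally, several checklist entries for the same attribute are alternatives (as the slide's "set multiple Calling-Station-Id checklist attributes" implies), and the IP rule generalises the three class-style cases shown to "the fixed prefix ends at the last non-zero octet". The checklist and request below are constructed.

```python
import re

WILDCARD_PREFIX = "~"      # assumed: tilde marks a checklist string as a wildcard pattern
IP_ATTRIBUTES = {"NAS-IP-Address", "Framed-IP-Address"}   # compared with ip_matches


def string_matches(pattern, value):
    """'*' = any run of characters, '?' = exactly one, but only when the
    pattern starts with the wildcard prefix. Otherwise the comparison is
    literal, so a bare '508*' matches only the four-character string '508*'.
    Matching is anchored at both ends."""
    if not pattern.startswith(WILDCARD_PREFIX):
        return pattern == value
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern[len(WILDCARD_PREFIX):])
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _octets(addr):
    parts = addr.split(".")
    if len(parts) != 4 or not all(x.isdigit() and 0 <= int(x) <= 255 for x in parts):
        raise ValueError("not a dotted IPv4 address: %r" % addr)
    return [int(x) for x in parts]


def ip_matches(pattern, value):
    """Class-style IP wildcard: the fixed prefix is everything up to the last
    non-zero octet, so 198.186.160.0 covers /24, 140.100.0.0 covers /16 and
    75.0.0.0 covers /8. Note that 0.0.0.0 therefore matches every address."""
    p, v = _octets(pattern), _octets(value)
    n = 4
    while n and p[n - 1] == 0:
        n -= 1
    return p[:n] == v[:n]


def checklist_passes(checklist, request):
    """checklist: list of (attribute, pattern) pairs. Several entries for the
    same attribute are alternatives (any one may match); each distinct
    attribute must be present in the request and match one of its patterns."""
    wanted = {}
    for attr, pattern in checklist:
        wanted.setdefault(attr, []).append(pattern)
    for attr, patterns in wanted.items():
        value = request.get(attr)
        if value is None:
            return False
        match = ip_matches if attr in IP_ATTRIBUTES else string_matches
        if not any(match(p, value) for p in patterns):
            return False
    return True


# Constructed checklist and request, after the slide's 508 area-code example.
CHECKLIST = [
    ("Calling-Station-Id", "~508*"),
    ("Calling-Station-Id", "~617*"),
    ("NAS-IP-Address", "198.186.160.0"),
]
REQUEST = {"Calling-Station-Id": "6175550000", "NAS-IP-Address": "198.186.160.5"}


if __name__ == "__main__":
    print(checklist_passes(CHECKLIST, REQUEST))
```

Two caveats for anyone relying on this kind of check: Calling-Station-Id is supplied by the NAS from caller ID and can be absent or blank on some circuits, and the matcher above treats an absent attribute as a failed check rather than a pass; and a pattern that is meant to be literal but happens to contain `*` must not carry the prefix, or it becomes a wildcard.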

141
Blacklisting
  • Automatically reject any user that fits a defined
    profile
  • Create the profile to be blacklisted
  • Add that profile name to blacklist.ini
  • From that point on, an administrator can
    automatically reject an authentication request
    based on any standard RADIUS, Funk-standard, or
    vendor-specific attribute

142
Acco