AAA%20Services

1
AAA Services

2
AAA Services

• Authentication
• Authorization
• Accounting

3
Authentication

• Verify the user is who he/she claims to be
• Use Password, Special Token card, Caller-ID, etc.
• May issue additional challenge

4
Authorization

• Check that the user may access the services
  he/she wishes.
• Check database or file information about the user

5
Accounting

• Record what the user has done.
• Time online. Bytes sent/received. Services
  accessed. Files downloaded. Etc.

6
NAS/RASNetwork Access ServerRemote Access Server
TCP/IP Network
Phone Lines
7
Types of AAA Services

• Local accounts on the NAS/RAS
• Proprietary software between NAS and server
• RADIUS
• TACACS (tacacs, tacacs, xtacacs)

8
RADIUS Basics

• A protocol for communicating between a Network
  Access Server (NAS) and a remote
  Authentication/Access/Accounting server
• Not the actual server itself

9
RADIUS Basics

• Defined by IETF standard RFC2138 RFC2139
• http//www.faqs.org/rfcs/rfc2138.htmlhttp//www.
  faqs.org/rfcs/rfc2139.html
• Requires Clients (normally a NAS) and servers
  (often called RADIUS servers)

10
RADIUS BasicsAuthentication Data Flow
ISP User Database
UserID bobPassword ge55gepNAS-ID 207.12.4.1
Select UserIDbob
ISP Modem Pool
Bobpasswordge55gepTimeout3600other
attributes
UserID bobPassword ge55gep
Access-AcceptUser-Namebobother attributes
ISP RADIUS Server
Framed-Address217.213.21.5
The Internet
User dials modem pool and establishes connection
Internet PPP connection established
11
RADIUS BasicsAuthentication Data Flow
Sun May 10 204741 1998 Acct-Status-TypeStar
t User-Namebob Framed-Address217.213.21.
5 ...
Acct-Status-TypeStartUser-NamebobFramed-Addres
s217.213.21.5...
ISP Modem Pool
ISP AccountingDatabase
Acknowledgement
ISP RADIUS Server
The Internet
Internet PPP connection established
The Accounting Start Record
12
RADIUS BasicsAuthentication Data Flow
Sun May 10 205049 1998 Acct-Status-TypeStop
User-Namebob Acct-Session-Time1432
...
Acct-Status-TypeStopUser-NamebobAcct-Session-T
ime1432...
ISP Modem Pool
ISP AccountingDatabase
Acknowledgement
ISP RADIUS Server
The Internet
User Disconnects
Internet PPP connection established
The Accounting Stop Record
13
RADIUS Basics

• Key data for Authentication
• NAS/Client Info
• IP Name and/or IP Address
• Shared Secret Key for encryption
• User Information
• User-Name Password
• Session Information
• Speed, dialed number, port, NAS ID, etc.

14
RADIUS Basics The process flow

• Decode Packet using shared secret key

15
RADIUS BasicsShared Secret Keys
Shared
Secret
Session Key
Plaintext
Plaintext
Ciphertext
Encryption
Decryption
Shared
Secret
User 1
Session Key
Plaintext
Plaintext
Decryption
Encryption
Ciphertext
Shared
Secret
Session Key
Shared Secret Session Key
16
RADIUS Basics The process flow

• Lookup users in local or external database
• Text File
• Password file (UNIX)
• NT Registry/Netware Directory
• NIS/NIS
• LDAP
• Etc., etc.

17
RADIUS Basics The process flow

• Authenticate
• User-Name, Password, etc.
• Chap Challenge
• SecurID Token card
• Etc.

18
RADIUS Basics The process flow

• Check arbitrary access criteria
• Type of access (analog, ISDN)
• Time of day
• Called or Calling number

19
RADIUS Basics The process flow

• Send Accept/Reject to NAS with appropriate
  session attributes
• Session timers
• Filters (allow/reject IP addrs)
• IP Address
• ISDN session parameters
• Etc.

20
RADIUS BasicsProcess Description

• Using a modem, the user dials-in to a modem
  connected to a NAS. Once the modem connection is
  completed, the NAS attempts to use the CHAP or
  PAP protocol to determine the userID and
  password. If that fails, the NAS prompts the user
  for the userID and password.

21
RADIUS BasicsProcess Description

• The NAS creates a data packet from this
  information called the authentication request.
  This packet includes information identifying the
  specific NAS sending the authentication request,
  the port that is being used for the modem
  connection, and the user name and password. For
  protection from eavesdropping the NAS, acting as
  a RADIUS client, encrypts (using a shared secret
  key) the password before it is sent to the RADIUS
  server.

22
RADIUS BasicsProcess Description

• The Authentication Request is sent over the
  network from the RADIUS client (I.e. the NAS) to
  the RADIUS server. This communication can be done
  over a local- or wide-area network, allowing
  network managers to locate RADIUS clients
  remotely from the RADIUS server. If the RADIUS
  server cannot be reached, the NAS can usually
  route the request to an alternate server.

23
RADIUS BasicsProcess Description

• When an Authentication Request is received, the
  RADIUS Server validates the request and then
  decrypts the data packet to access the user name
  and password information. This information is
  passed on to the appropriate security system
  being supported. This could be a text file, UNIX
  password files, NIS, LDAP, a commercially
  available security system or a custom database.

24
RADIUS BasicsProcess Description

• If the user name and password are correct, the
  server sends an Authentication Acknowledgment
  that includes information on the user's network
  system and service requirements. For example, the
  RADIUS server will tell the NAS that a user needs
  TCP/IP and/or NetWare using PPP (Point-to-Point
  Protocol) or that the user needs SLIP (Serial
  Line Internet Protocol) to connect to the
  network. The acknowledgment can even contain
  filtering information to limit a user's access to
  specific resources on the network.

25
RADIUS BasicsProcess Description

• If at any point in this log-in process conditions
  are not met, the RADIUS server sends an
  Authentication Reject to the NAS and the user is
  denied access to the network.

26
RADIUS BasicsProcess Description

• To ensure that requests are not responded to by
  unauthorized persons or devices on the network,
  the RADIUS server sends an authentication key, or
  signature, identifying itself to the RADIUS
  client.

27
RADIUS BasicsProcess Description

• Once the server information is received and
  verified by the NAS, it enables the necessary
  configuration to deliver the right network
  services to the user.

28
RADIUS BasicsEssential Server Data

• Client Information
• IP Name
• Shared secret key
• Group Assignment
• Special Parameters
• NAS Type

29
RADIUS BasicsEssential Server Data

• NAS/Client Info
• Stored in a clients file or similar data
  structure
• This file contains a list of clients which
  are allowed to make authentication requests
  and their encryption key. The first field is
  a valid hostname for the client. The second
  field (separated by blanks or tabs) is the
  encryption key. Client Name
  Key ---------------------------------- portmast
  er1 wP40cQ0 portmaster2
  A3X445A 192.168.1.2 wer369st

30
RADIUS BasicsEssential Server Data

• Dictionary
• Definition of RADIUS attributes
• Assign readable names to attribute numbers
• String, Integer, IP Address, Date

31
RADIUS BasicsEssential Server Data

• Dictionary
• Stored in a dictionary file or similar data
  structure
• This file contains dictionary translations
  for parsing requests and generating responses.
  All transactions are composed of
  Attribute/Value Pairs. The value of each
  attribute is specified as one of 4 data types.
  Valid data types are string - 0-253
  octets ipaddr - 4 octets in network byte
  order integer - 32 bit value (high byte
  first) date - 32 bit value - seconds
  since 000000 GMT, Jan. 1, 1970

32
RADIUS BasicsEssential Server Data

• Dictionary
• Attr.
  Attr.Keyword Attribute Name Num Type
  ATTRIBUTE User-Name 1
  stringATTRIBUTE Password 2
  stringATTRIBUTE CHAP-Password 3
  stringATTRIBUTE Client-Id 4
  ipaddrATTRIBUTE Client-Port-Id 5
  integerATTRIBUTE User-Service-Type 6
  integerATTRIBUTE Framed-Protocol 7
  integerATTRIBUTE Framed-Address 8
  ipaddrATTRIBUTE Framed-Netmask 9
  ipaddr... ...

33
RADIUS BasicsEssential Server Data

• User Information (users file)
• User-Name
• Password
• Authentication method
• Check attributes
• Send attributes

34
RADIUS BasicsEssential Server Data

• User Data (Example 1)
• bob Password "ge55ep Service-Type
  Framed-User, Framed-Protocol
  PPP, Framed-IP-Address 255.255.255.254, Framed
  -IP-Netmask 255.255.255.255, Framed-Routing
  None, Filter-Id "std.ppp", Framed-MTU 1500

35
RADIUS BasicsEssential Server Data

• User Data (Example 2)
• bob Password "ge55gep", NAS-IP-Address
  192.168.1.54, NAS-Port-Type
  ISDN Service-Type Framed-User, Framed-Protocol
  PPP

36
RADIUS BasicsEssential Server Data

• User Data (Example 3)
• bob Password "ge55gep, Caller-Id
  510-555-1212 Service-Type Callback-Login-User,
  Login-IP-Host 192.168.1.76, Login-Service
  Telnet, Login-TCP-Port 23, Callback-Number
  "9,1-800-555-1234"

37
RADIUS BasicsAccounting Start Record

• Sun May 10 204741 1998 User-Name
  bob Client-Id 206.171.153.11 Client-Port-Id
  20110 Acct-Status-Type Start Acct-Delay-Time
  0 Acct-Session-Id "262282375 Acct-Authenti
  c RADIUS Caller-Id 5105551212 Client-Port
  -DNIS 5218296 Framed-Protocol
  PPP Framed-Address 209.79.145.46

38
RADIUS BasicsAccounting Stop Record

• Sun May 10 205049 1998
• User-Name bob Client-Id 206.171.153.11
  Client-Port-Id 20110 Acct-Status-Type
  Stop Acct-Delay-Time 0 Acct-Session-Id
  "262282353 Acct-Authentic RADIUS
  Acct-Session-Time 4871 Acct-Input-Octets
  459078 Acct-Output-Octets 4440286 Caller-Id
  5105551212 Client-Port-DNIS "4218296
  Framed-Protocol PPP Framed-Address
  209.79.145.46

39
RADIUS BasicsProxy Services

• A forwarding or proxy server can forward
  authentication and/or accounting requests to
  another server for handling.
• In order to differentiate between requests that
  should be handled locally and those that should
  be forwarded the NAI needs to be specially
  processed.

40
RADIUS BasicsProxy Services

• The NAI (Network Access Identifier) is commonly
  called the userID.
• In proxy and roaming situations the NAI is
  modified to include both the userID and a realm
  identifier.
• The realm is a keyword indicating the server
  responsible for authenticating the userID.

41
RADIUS BasicsProxy Services

• The standard way to send a userID and real in the
  NAI is to separate them with a _at_.
• A typical proxy NAI looks like user_at_realm
• A proxy RADIUS server looks for the _at_ in the
  NAI to determine if it should handle the request
  or forward it.

42
RADIUS BasicsProxy Services

• If no _at_ is present, the enter NAI is assumed to
  be only a userID.
• If a _at_ is present, the NAI is split into two
  tokens (a userID and a realm label).

43
RADIUS BasicsProxy Services

• The realm label is looked up in a local file or
  database to find the address of the server for
  the realm and the protocol (typically RADIUS)
  used to connect to it.
• Although the realm label may look like a domain
  name (E-Mail addresses are often used as NAIs) it
  is not safe to assume that.

44
RADIUS BasicsProxy Services

• An example realms file might look like
• realm IP
• label Address Port Protocol
  Secrethomeco 167.24.12.5 1812 Radius
  Dont3v3rtellbiginiv 12.123.43.9 1645 Radius
  jsyWpnfE2vuR
• (A real realms file might contain much more
  information. Each vendor implements realm
  information differently.)

45
RADIUS BasicsProxy Services

• A typical bilateral proxy model looks like

Access Request UserID bill_at_homeco Password
mypass
Access Request UserID bill Password mypass
Reply
Reply
DB
46
RADIUS BasicsProxy Services

• Bilateral relationships, with all the realm
  information stored in a local realms file or
  table can be effective with a small number of
  roaming or proxy partners.
• But, the files must be changed each time there is
  a change in a server configuration.

47
RADIUS BasicsProxy Services

• A consortium, or clearinghouse, solves that
  problem by having all proxy requests forwarded to
  it first.
• The consortium maintains a list of all the server
  information for it

48
RADIUS BasicsProxy Services

• In the case of a roaming consortium or
  clearinghouse it may be necessary to add
  additional information to the NAI.
• This is because each server in the proxy chain
  might strip off the realm before passing the
  request on to the next server.

49
RADIUS BasicsProxy Services

• A common solution is to use the / as an
  additional separator.
• In the case of a consortium called cons the NAI
  would look like cons/user_at_realmAn actual NAI
  might be infonet/rdperl_at_berkinet.com

50
RADIUS BasicsProxy Services

• The first server may now strip-off cons and
  forward the remaining two tokens.
• rdperl_at_berkinet.com
• The consortiums server strips off the remaining
  realm and forwards the userID to the final
  server
• rdperl

51
RADIUS BasicsProxy Services

• A consortium proxy model looks like

Access Request UserID cons/bill_at_homeco Password
mypass
Access Request UserID bill_at_homeco Password
mypass
Access Request UserID billPassword mypass
Reply
Reply
Reply
DB
RealmsFile homeco
52
RADIUS BasicsProxy Services Editing Attributes

• A proxy server may add, delete or modify the
  attributes that it forwards.
• An IP Address may be invalid on a given network,
  the maximum online time may be different, local
  filters may be required, etc.

53
RADIUS BasicsProxy Services Editing Attributes

• In cases where special control of attributes is
  required bi-lateral relationships may work best.
• A proxy server may also need to translate
  attributes intended for one brand of NAS into
  another brands format (pools, filters, etc.)

54
RADIUS Proxy Servers

• Freeware
• DTC - Radius 2.0 - NT/UNIX - (Japanese)
• http//www.dtc.co.jp/Radius2.0
• Commercial
• Shiva - Shiva Access Manager - 95/NT/UNIX
• http//athena.shiva.com/remote/radius
• Open System Consultants Pty Ltd - Radiator -
  NT/UNIX
• http//www.open.com.au/radiator/
• Microsoft - Microsoft Commercial Internet System
  (MCIS) - NT
• http//www.microsoft.com/mcis/guide/features.asp
• Funk - Steel-Belted Radius - Netware/NT
• http//www.funk.com/Radius/
• Vircom - Proxy Roaming Radius Server (PRRS) -
  NT
• http//www.vircom.com/info/vprrsrel.htm
• Novell - BorderManager - Netware
• http//www.novell.com/text/bordermanager/radius.ht
  ml
• Ascend Communications Access Control NT/UNIX
• http//www.ascend.com/324.html
• Merit - Merit AAA Server - UNIX

55
Other Authentication Protocols

• TACACS (TACACS and XTACACS)
• Developed by Cisco Systems for Military
  applications. Originally used between Cisco
  terminal server and a UNIX TACACS server.
• Mostly replaced by RADIUS since Cisco added
  RADIUS support to access products
• Still used for SecurID lookups since SecurID
  (ACE) server support TACACS. However, new
  releases of SecurID now support RADIUS.

56
Other Authentication Protocols

• SecurID ACE Server
• Uses token card with One-Time-Password.
• Can function as stand-alone server (RADIUS or
  TACACS compatible).
• Can also handle queries from a RADIUS server.
• ACE server software available for many platforms.
• http//www.securitydynamics.com/solutions/products
  /asvrdata.html