AAA Services
- Authentication
- Authorization
- Accounting
Authentication

- Verify the user is who he/she claims to be
- Uses a password, a special token card, Caller-ID, etc.
- May issue an additional "challenge"

Authorization

- Check that the user may access the services he/she wishes
- Check database or file information about the user

Accounting

- Record what the user has done: time online, bytes sent/received, services accessed, files downloaded, etc.
NAS/RAS

- Network Access Server / Remote Access Server
- [Diagram: the NAS/RAS sits between the phone lines and the TCP/IP network, providing modems, protocol conversion and routing]

Types of AAA Services

- Local accounts on the NAS/RAS
- Proprietary software between NAS and server
- RADIUS
- TACACS (tacacs, tacacs+, xtacacs)
RADIUS Basics

- A protocol for communicating between a Network Access Server (NAS) and a remote Authentication/Access/Accounting server
- Not the actual server itself
- Defined by IETF standards RFC2138 & RFC
- Requires clients (normally a NAS) and servers (often called RADIUS servers)
RADIUS: Basics - Authentication Data Flow

[Diagram: user -> ISP modem pool (NAS) -> ISP RADIUS server -> ISP user database, with a PPP connection out to the Internet once the user is accepted]

1. The user dials the modem pool and establishes a connection, presenting UserID: bob, Password: ge55gep.
2. The NAS sends the authentication request to the ISP RADIUS server: UserID: bob, Password: ge55gep, NAS-ID:
3. The server looks the user up in the user database ("Select UserID=bob"), which returns: password=ge55gep, Timeout=3600, [other attributes].
4. The server replies with an Access-Accept: User-Name=bob, Framed-Address=, [other attributes].
5. The PPP connection is established.

RADIUS: Basics - Authentication Data Flow: The Accounting "Start" Record

[Diagram: NAS -> ISP RADIUS server -> ISP accounting database]

Once the PPP connection is established, the NAS sends the accounting "Start" record to the RADIUS server, which stores it in the accounting database and returns an acknowledgement:

    Sun May 10 20:47:
    Acct-Status-Type=Start
    User-Name=bob
    Framed-Address=
    ...

RADIUS: Basics - Authentication Data Flow: The Accounting "Stop" Record

[Diagram: NAS -> ISP RADIUS server -> ISP accounting database]

When the user disconnects, the NAS sends the accounting "Stop" record, which the server likewise stores and acknowledges:

    Sun May 10 20:50:
    Acct-Status-Type=Stop
    User-Name=bob
    Acct-Session-Time=1432
    ...
RADIUS: Basics - Key data for Authentication

- NAS/client info
  - IP name and/or IP address
  - Shared secret key for encryption
- User information
  - User-Name & Password
- Session information
  - Speed, dialed number, port, NAS ID, etc.
RADIUS Basics - The process flow

1. Decode the packet using the shared secret key

   [Diagram: the NAS and the RADIUS server each hold the same shared secret; traffic in each direction goes plaintext -> encryption -> ciphertext -> decryption -> plaintext using that "Shared Secret Session Key"]

2. Look up the user in a local or external database
   - Text file
   - Password file (UNIX)
   - NT Registry / NetWare Directory
   - NIS/NIS+
   - LDAP
   - Etc.

3. Authenticate
   - User-Name, Password, etc.
   - CHAP challenge
   - SecurID token card
   - Etc.

4. Check arbitrary access criteria
   - Type of access (analog, ISDN)
   - Time of day
   - Called or calling number

5. Send Accept/Reject to the NAS with appropriate session attributes
   - Session timers
   - Filters (allow/reject IP addresses)
   - IP address
   - ISDN session parameters
   - Etc.
RADIUS: Basics - Process Description

- Using a modem, the user dials in to a modem connected to a NAS. Once the modem connection is completed, the NAS attempts to use the CHAP or PAP protocol to determine the userID and password. If that fails, the NAS prompts the user for the userID and password.
- The NAS creates a data packet from this information called the authentication request. This packet includes information identifying the specific NAS sending the authentication request, the port that is being used for the modem connection, and the user name and password. For protection from eavesdropping the NAS, acting as a RADIUS client, encrypts the password (using a shared secret key) before it is sent to the RADIUS server.
- The authentication request is sent over the network from the RADIUS client (i.e. the NAS) to the RADIUS server. This communication can be done over a local- or wide-area network, allowing network managers to locate RADIUS clients remotely from the RADIUS server. If the RADIUS server cannot be reached, the NAS can usually route the request to an alternate server.
- When an authentication request is received, the RADIUS server validates the request and then decrypts the data packet to access the user name and password information. This information is passed on to the appropriate security system being supported. This could be a text file, UNIX password files, NIS, LDAP, a commercially available security system or a custom database.
- If the user name and password are correct, the server sends an authentication acknowledgment that includes information on the user's network system and service requirements. For example, the RADIUS server will tell the NAS that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol), or that the user needs SLIP (Serial Line Internet Protocol) to connect to the network. The acknowledgment can even contain filtering information to limit a user's access to specific resources on the network.
- If at any point in this log-in process conditions are not met, the RADIUS server sends an authentication reject to the NAS and the user is denied access to the network.
- To ensure that requests are not responded to by unauthorized persons or devices on the network, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.
- Once the server information is received and verified by the NAS, it enables the necessary configuration to deliver the right network services to the user.
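What the "encrypts the password using a shared secret key" and "sends an authentication key, or signature" steps look like on the wire, as an added example that is not part of the original slides: the RFC 2138 User-Password hiding and Response Authenticator computations in Python. The secret and Request Authenticator values are constructed for the demo; a real NAS chooses a fresh random 16-octet Request Authenticator for every request.

```python
import hashlib
import hmac
import struct

# Constructed values for the demo: the shared secret is the portmaster1 key from
# the slides' clients-file example; a real NAS chooses a fresh random 16-octet
# Request Authenticator for every request.
SECRET = b"wP40cQ0"
REQ_AUTH = bytes(range(16))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2138 User-Password hiding, as done by the NAS before sending.
    Pad to a multiple of 16 octets, then XOR each 16-octet chunk with
    b_i = MD5(secret + c_(i-1)), where c_0 is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + c, c  # chaining feeds the ciphertext chunk forward
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR, strip the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """The server's 'signature' on a reply:
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret),
    where Length covers the 20-octet header plus the attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_reply(code: int, ident: int, attrs: bytes, req_auth: bytes,
                 resp_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute with the local copy of the secret. A mismatch means
    the reply did not come from a holder of this secret, or was altered in
    transit, and the NAS must silently discard it."""
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return hmac.compare_digest(expected, resp_auth)
```

Note that the password hiding is only as strong as the shared secret: anyone who learns it can recover every password and forge every reply, which is why the clients file below must be protected like a password file.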
RADIUS: Basics - Essential Server Data

- Client information
  - IP name
  - Shared secret key
  - Group assignment, special parameters, NAS type
- NAS/client info is stored in a "clients" file or similar data structure:

    # This file contains a list of clients
    # which are allowed to make
    # authentication requests and their
    # encryption key. The first field is a
    # valid hostname for the client.
    # The second field (separated by blanks
    # or tabs) is the encryption key.
    #
    #Client Name    Key
    #
    portmaster1     wP40cQ0
    portmaster2     A3X445A
                    wer369st
RADIUS: Basics - Essential Server Data: Dictionary

- Definition of RADIUS attributes
  - Assigns readable names to attribute numbers
  - Types: string, integer, IP address, date
- Stored in a "dictionary" file or similar data structure:

    # This file contains dictionary
    # translations for parsing requests and
    # generating responses. All transactions
    # are composed of Attribute/Value Pairs.
    # The value of each attribute is specified
    # as one of 4 data types. Valid data types
    # are:
    #   string  - octets
    #   ipaddr  - 4 octets in network byte order
    #   integer - 32 bit value (high byte first)
    #   date    - 32 bit value - seconds since
    #             00:00:00 GMT, Jan. 1, 1970
    #
    #                                 Attr.  Attr.
    #Keyword     Attribute Name       Num    Type
    ATTRIBUTE    User-Name            1      string
    ATTRIBUTE    Password             2      string
    ATTRIBUTE    CHAP-Password        3      string
    ATTRIBUTE    Client-Id            4      ipaddr
    ATTRIBUTE    Client-Port-Id       5      integer
    ATTRIBUTE    User-Service-Type    6      integer
    ATTRIBUTE    Framed-Protocol      7      integer
    ATTRIBUTE    Framed-Address       8      ipaddr
    ATTRIBUTE    Framed-Netmask       9      ipaddr
    ...
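What the dictionary is used for, as an added example in Python (not code from the slides): parsing an excerpt in the file format shown above and using it to encode and decode Attribute/Value pairs as the type-length-value triples that travel in a RADIUS packet. The dictionary excerpt and the IP values in the test are constructed for the demo.

```python
import socket
import struct
# Constructed excerpt in the slides' dictionary-file format (numbers and types
# as listed on the slide; not a complete dictionary).
DICTIONARY_TEXT = """
#Keyword   Attribute Name      Num   Type
ATTRIBUTE  User-Name           1     string
ATTRIBUTE  Client-Id           4     ipaddr
ATTRIBUTE  Client-Port-Id      5     integer
ATTRIBUTE  Framed-Address      8     ipaddr
"""
# Wire forms: string = raw octets, ipaddr = 4 octets network order, integer/date = 32-bit big-endian.
U32 = lambda v: struct.pack("!I", v)
ENCODE = {"string": str.encode, "ipaddr": socket.inet_aton, "integer": U32, "date": U32}
DECODE = {"string": lambda b: b.decode(errors="replace"), "ipaddr": socket.inet_ntoa,
          "integer": lambda b: struct.unpack("!I", b)[0], "date": lambda b: struct.unpack("!I", b)[0]}
FIXED4 = {"ipaddr", "integer", "date"}  # types whose value must be exactly 4 octets

def parse_dictionary(text):
    by_name, by_num = {}, {}  # name -> (number, type) and number -> (name, type)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks/tabs
        if len(fields) == 4 and fields[0] == "ATTRIBUTE":
            _, name, num, typ = fields
            by_name[name] = (int(num), typ)
            by_num[int(num)] = (name, typ)
    return by_name, by_num

def encode_avps(pairs, by_name):
    """Attribute/Value pairs -> wire TLVs: Type(1) Length(1, incl. header) Value."""
    out = b""
    for name, value in pairs:
        num, typ = by_name[name]
        raw = ENCODE[typ](value)
        if not 1 <= len(raw) <= 253: raise ValueError(f"{name}: value must be 1..253 octets")
        out += struct.pack("!BB", num, len(raw) + 2) + raw
    return out

def decode_avps(data, by_num):
    """Walk the TLVs; reject any length below 2, past the buffer, or wrong for a 4-octet type."""
    pairs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute length")
        num, length = data[i], data[i + 1]
        name, typ = by_num.get(num, (f"Attr-{num}", "string"))  # unknown attr: keep raw
        raw = data[i + 2:i + length]
        if typ in FIXED4 and len(raw) != 4: raise ValueError(f"{name}: expected 4 octets, got {len(raw)}")
        pairs.append((name, DECODE[typ](raw)))
        i += length
    return pairs
```

The decoder deliberately refuses a Length field that lies about the buffer instead of reading past it; that check is where a receiver's robustness against malformed packets lives.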
RADIUS: Basics - Essential Server Data: User Information ("users" file)

- User-Name
- Password
- Authentication method
- Check attributes
- Send attributes

User data (example 1):

    bob     Password = "ge55gep"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = ,
            Framed-IP-Netmask = ,
            Framed-Routing = None,
            Filter-Id = "std.ppp",
            Framed-MTU = 1500

User data (example 2):

    bob     Password = "ge55gep", NAS-IP-Address = , NAS-Port-Type = ISDN
            Service-Type = Framed-User,
            Framed-Protocol = PPP

User data (example 3):

    bob     Password = "ge55gep", Caller-Id = " "
            Service-Type = Callback-Login-User,
            Login-IP-Host = ,
            Login-Service = Telnet,
            Login-TCP-Port = 23,
            Callback-Number = "9, "
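How a server evaluates users-file entries like the ones above, as an added example (not the slides' own code): every check item on an entry's first line must match the decoded Access-Request before that entry's reply items are returned in the Access-Accept. The entries and request values are constructed, and the request is assumed to have had its password already revealed from the hidden wire form.

```python
import hmac
import re
# Constructed entries in the slides' users-file format: the first line of an
# entry is the user name plus check items, indented lines are reply items.
USERS_TEXT = '''\
bob     Password = "ge55gep", NAS-Port-Type = ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP

bob     Password = "ge55gep"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Filter-Id = "std.ppp",
        Framed-MTU = 1500
'''
ITEM = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')

def parse_items(text):
    """'A = "x", B = y' -> [("A", "x"), ("B", "y")]"""
    return [(k, v.strip('"')) for k, v in ITEM.findall(text)]

def parse_users(text):
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # new entry: name + check items
            parts = line.split(None, 1)
            cur = {"name": parts[0], "reply": [],
                   "check": parse_items(parts[1] if len(parts) > 1 else "")}
            entries.append(cur)
        elif cur is not None:                      # continuation: reply items
            cur["reply"].extend(parse_items(line))
    return entries

def item_matches(name, want, got):
    """Absent check item never matches; password compared in constant time."""
    if got is None:
        return False
    if name == "Password":
        return hmac.compare_digest(str(got).encode(), want.encode())
    return str(got) == want

def authorize(entries, request):
    """Try the user's entries in file order; the first whose check items all
    match the decrypted Access-Request wins and supplies the reply items."""
    for e in entries:
        if e["name"] == request.get("User-Name") and all(
                item_matches(k, want, request.get(k)) for k, want in e["check"]):
            return "Access-Accept", e["reply"]
    return "Access-Reject", []
```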
RADIUS: Basics - Accounting Start Record

    Sun May 10 20:47:
            User-Name = "bob"
            Client-Id =
            Client-Port-Id =
            Acct-Status-Type = Start
            Acct-Delay-Time = 0
            Acct-Session-Id = " "
            Acct-Authentic = RADIUS
            Caller-Id = " "
            Client-Port-DNIS = " "
            Framed-Protocol = PPP
            Framed-Address =

RADIUS: Basics - Accounting Stop Record

    Sun May 10 20:50:
            User-Name = "bob"
            Client-Id =
            Client-Port-Id =
            Acct-Status-Type = Stop
            Acct-Delay-Time = 0
            Acct-Session-Id = " "
            Acct-Authentic = RADIUS
            Acct-Session-Time = 4871
            Acct-Input-Octets =
            Acct-Output-Octets =
            Caller-Id = " "
            Client-Port-DNIS = " "
            Framed-Protocol = PPP
            Framed-Address =
RADIUS: Basics - Proxy Services

- A forwarding or "proxy" server can forward authentication and/or accounting requests to another server for handling.
- In order to differentiate between requests that should be handled locally and those that should be forwarded, the NAI needs to be specially processed.
- The NAI (Network Access Identifier) is commonly called the userID.
- In proxy and roaming situations the NAI is modified to include both the userID and a "realm" identifier.
- The realm is a keyword indicating the server responsible for authenticating the userID.
- The standard way to send a userID and realm in the NAI is to separate them with an "@". A typical proxy NAI looks like:
- A proxy RADIUS server looks for the "@" in the NAI to determine if it should handle the request or forward it.
- If no "@" is present, the entire NAI is assumed to be only a userID.
- If an "@" is present, the NAI is split into two tokens (a userID and a realm label).
- The realm label is looked up in a local file or database to find the address of the server for the realm and the protocol (typically RADIUS) used to connect to it. Although the realm label may look like a domain name (e-mail addresses are often used as NAIs), it is not safe to assume that.
- An example "realms" file might look like:

    #realm      IP
    #label      Address     Port    Protocol    Secret
    homeco                          Radius      Don't3v3rtell
    biginiv                         Radius      js&yWpnfE2vuR

  (A real realms file might contain much more information. Each vendor implements realm information differently.)
A typical bilateral proxy model looks like:

[Diagram: NAS -> RADIUS proxy (realms file containing homeco; log) -> home RADIUS server (user DB; log), with the reply returning along the same path. The NAS sends an Access Request with the realm-qualified UserID and Password: mypass; the proxy strips the realm and forwards an Access Request with UserID: bill, Password: mypass.]
- Bilateral relationships, with all the realm information stored in a local realms file or table, can be effective with a small number of roaming or proxy partners.
- But the files must be changed each time there is a change in a server configuration.
- A consortium, or clearinghouse, solves that problem by having all proxy requests forwarded to it first.
- The consortium maintains a list of all the server information for it’
- In the case of a roaming consortium or clearinghouse it may be necessary to add additional information to the NAI.
- This is because each server in the proxy chain might strip off the realm before passing the request on to the next server.
- A common solution is to use the "/" as an additional separator. In the case of a consortium called "cons" the NAI would look like: An actual NAI might be:
- The first server may now strip off "cons" and forward the remaining two tokens.
- The consortium's server strips off the remaining realm and forwards the userID to the final server: urdperl

A consortium proxy model looks like:

[Diagram: NAS -> RADIUS proxy (realms file containing cons; log) -> consortium RADIUS proxy (realms file containing homeco; log) -> home RADIUS server (user DB; log), with the reply returning along the same path. The first two hops carry Access Requests with the realm-qualified UserID and Password: mypass; the last hop carries UserID: bill, Password: mypass.]
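The bilateral and consortium forwarding just described, as an added Python example that is not part of the slides: NAI splitting at "@", exact-match realm lookup in a local table, and stripping one label per hop. The server names, the per-server realms tables and the "user@outer/inner" ordering of the "/"-separated labels are assumptions made for this example.

```python
# Constructed proxy topology for the consortium model on the slides. Hostnames
# are placeholders; each server has its own realm label and a realms table
# (realm label -> next-hop server), simplified from the realms-file columns.
SERVERS = {
    "proxy.visitedisp.example": ("visitedisp", {"cons": "proxy.cons.example"}),
    "proxy.cons.example": ("cons", {"homeco": "radius.homeco.example",
                                    "biginiv": "radius.biginiv.example"}),
    "radius.homeco.example": ("homeco", {}),
}

def split_nai(nai):
    """userID@realm -> (userID, realm); no '@' means the whole NAI is a userID."""
    if "@" not in nai:
        return nai, None
    user, realm = nai.split("@", 1)
    return user, realm

def route(nai, local_realm, realms):
    """One proxy's decision for an Access-Request carrying this NAI:
    ("local", userID, None), ("forward", new_nai, next_hop) or ("reject", nai, None).
    Realm labels are matched exactly against the local table and are never
    resolved as DNS names, even when they look like one."""
    user, realm = split_nai(nai)
    if realm is None or realm == local_realm:
        return "local", user, None
    # Assumed layout for the consortium case: "user@outer/inner", the leftmost
    # label being the hop to strip first (the slides' own example is not shown).
    head, _, rest = realm.partition("/")
    next_hop = realms.get(head)
    if next_hop is None:
        return "reject", nai, None              # unknown realm: do not guess
    return "forward", (f"{user}@{rest}" if rest else user), next_hop

def proxy_chain(nai, first_hop="proxy.visitedisp.example", max_hops=8):
    """Follow the request hop by hop, recording (server, action, NAI as sent)."""
    hops, server = [], first_hop
    for _ in range(max_hops):                   # bounded walk: no forwarding loops
        if server not in SERVERS:
            hops.append((server, "unreachable", nai))
            return hops
        local_realm, realms = SERVERS[server]
        action, nai, next_hop = route(nai, local_realm, realms)
        hops.append((server, action, nai))
        if action != "forward":
            return hops
        server = next_hop
    hops.append((server, "reject", nai))        # hop limit exceeded
    return hops
```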
RADIUS: Basics - Proxy Services: Editing Attributes

- A proxy server may add, delete or modify the attributes that it forwards.
- An IP address may be invalid on a given network, the maximum online time may be different, local filters may be required, etc.
- In cases where special control of attributes is required, bilateral relationships may work best.
- A proxy server may also need to translate attributes intended for one brand of NAS into another brand's format (pools, filters, etc.).
RADIUS Proxy Servers

- Freeware
  - DTC - Radius NT/UNIX (Japanese)
- Commercial
  - Shiva - Shiva Access Manager - 95/NT/UNIX
  - Open System Consultants Pty Ltd - Radiator - NT/UNIX
  - Microsoft - Microsoft Commercial Internet System (MCIS) - NT
  - Funk - Steel-Belted Radius - Netware/NT
  - Vircom - Proxy & Roaming Radius Server (PRRS) - NT
  - Novell - BorderManager - Netware
  - Ascend Communications - "Access Control" - NT/UNIX
  - Merit - Merit AAA Server - UNIX
Other Authentication Protocols

- TACACS (TACACS+ and XTACACS)
  - Developed by Cisco Systems for military applications. Originally used between a Cisco terminal server and a UNIX TACACS server.
  - Mostly replaced by RADIUS since Cisco added RADIUS support to its access products.
  - Still used for SecurID lookups since the SecurID (ACE) server supports TACACS. However, new releases of SecurID now support RADIUS.
- SecurID ACE Server
  - Uses a "token" card with a one-time password.
  - Can function as a stand-alone server (RADIUS or TACACS compatible).
  - Can also handle queries from a RADIUS server.
  - ACE server software is available for many platforms.