1. RADIUS By: Nicole Cappella

2. Overview  Central Authentication Services  Definition of RADIUS  “AAA Transaction”  Roaming  Security Issues and How to Minimize Security Issues

3. Central Authentication Service  Central Authentication Service (CAS):  Single sign-on protocol for the web  Permit user to access multiple applications while providing credentials only once  Web applications authenticate users without gaining access to user’s security credentials

4. Central Authentication Servers  Reason Needed:  Employees need access and authorizations for a dozen or more servers  Benefits:  Reduce costs  Consistency in authentication no matter where user or attacker comes into the network  Company-wide changes can be made instantly

5. RADIUS  Remote Authentication Dial-In User Service  Network protocol that provides security to networks against unauthorized access  Enables centralized authentication of dial-in users and authorizing their access to use a network service  Performs 3 major functions:  Authenticates users trying to establish connection to network  Authorizes users to access requested network services  Accounts for use of those services

6. RADIUS  Most widely used standard for central authentication servers  Allows company to maintain user profiles in a central database that all remote servers can share  Provides better security  Easier to track usage for billing and for keeping network statistics

7. “AAA Transaction” Authentication and Authorization Request sent to Remote Access Server (RAS) RAS sends RADIUS Access Request message to RADIUS server Includes access credentials RADIUS server checks if info is correct using authentication schemes: PAP, CHAP, EAP RADIUS Authentication and Authorization Flow

8. “AAA Transaction”  RADIUS server returns one of three responses to the RAS  1. Access Reject  Denied access to all requested network resources  2. Access Challenge  Additional information needed from user  3. Access Accept  User granted access

9. “AAA Transaction” Accounting Accounting Start sent by NAS to RADIUS sever to signal start of user’s network access Interim Update Update RADIUS server on status of an active session Accounting Stop Issued when user’s network access is closed RADIUS Accounting Flow

10. Roaming  Commonly used to facilitate roaming between ISPs  Provides single global set of credentials to be used on any public network  Facilitated by use of realms  Realms:  Appended to user’s user name and delimited with an ‘@’  Resemble domains, but do not contain real domain names

11. Interaction between a dial-in user and the RADIUS client and server

12. Security  Access-Request messages sent by RADIUS clients are not authenticated  Radius shared secret can be weak due to poor configuration and limited size  Sensitive attributes are encrypted using the Radius hiding mechanism  Poor request authenticator values can be used to decrypt encrypted attributes

13. Minimize Security Issues  Use strong shared secrets  Require the Message-Authenticator attribute in all Access- Request messages  Cryptographic-quality values for the Request Authenticator  Different shared secrets for each RADIUS client/server pair  Internet Protocol Security to provide data confidentiality for RADIUS messages

14. Summary  RADIUS stands for Remote Authentication Dial-In User Server  RADIUS is the most widely used central authentication servers  RADIUS servers use the “AAA Transaction” to manage network access  Security issues arise, but if implemented correctly, they can be avoided

15. References  Janssen, Cory. "Remote Authentication Dial-in User Service (RADIUS)." Techopedias. N.p., n.d. Web. 02 Dec. 2013.  "RADIUS Server." Webopedia. N.p., n.d. Web. 02 Dec. 2013.  "RADIUS." Wikipedia. Wikimedia Foundation, 25 Nov. 2013. Web. 02 Dec. 2013.