AAA Services: Authentication, Authorization, Accounting
Slide 1: AAA Services
Slide 2: AAA Services
Authentication, Authorization, Accounting
Slide 3: Authentication
Verify the user is who he/she claims to be.
Use a password, special token card, caller-ID, etc.
May issue an additional “challenge”.
Slide 4: Authorization
Check that the user may access the services he/she wishes.
Check database or file information about the user.
Slide 5: Accounting
Record what the user has done: time online, bytes sent/received, services accessed, files downloaded, etc.
Slide 6: NAS/RAS (Network Access Server / Remote Access Server)
(Diagram: the NAS/RAS sits between the phone lines and the TCP/IP network; its labelled components are Modems, Protocol Conversion and Routing.)
Slide 7: Types of AAA Services
Local accounts on the NAS/RAS
Proprietary software between NAS and server
RADIUS
TACACS (tacacs, tacacs+, xtacacs)
Slide 8: RADIUS Basics
A protocol for communicating between a Network Access Server (NAS) and a remote Authentication/Access/Accounting server.
Not the actual server itself.
Slide 9: RADIUS Basics
Defined by IETF standards RFC 2138 and RFC 2139:
http://www.faqs.org/rfcs/rfc2138.html
http://www.faqs.org/rfcs/rfc2139.html
Requires clients (normally a NAS) and servers (often called RADIUS servers).
Slide 10: RADIUS Basics: Authentication Data Flow
(Diagram; actors: User, ISP Modem Pool (the NAS, NAS-ID 207.12.4.1), ISP RADIUS Server, ISP User Database, The Internet. The messages shown, in order:)
1. User dials the modem pool and establishes a connection.
2. User to NAS: UserID: bob, Password: ge55gep.
3. NAS to RADIUS server: UserID: bob, Password: ge55gep, NAS-ID: 207.12.4.1.
4. RADIUS server to user database: Select UserID=bob.
5. User database to RADIUS server: bob, password=ge55gep, Timeout=3600, [other attributes].
6. RADIUS server to NAS: Access-Accept, User-Name=bob, Framed-Address=217.213.21.5, [other attributes].
7. Internet PPP connection established.
Slide 11: RADIUS Basics: Authentication Data Flow (the Accounting “Start” Record)
(Diagram; actors: ISP Modem Pool, ISP RADIUS Server, ISP Accounting Database, The Internet.)
1. Internet PPP connection established.
2. NAS to RADIUS server: Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5, ...
3. RADIUS server writes to the accounting database:
   Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 ...
4. RADIUS server to NAS: Acknowledgement.
Slide 12: RADIUS Basics: Authentication Data Flow (the Accounting “Stop” Record)
(Diagram; actors: ISP Modem Pool, ISP RADIUS Server, ISP Accounting Database, The Internet.)
1. User disconnects (the Internet PPP connection ends).
2. NAS to RADIUS server: Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432, ...
3. RADIUS server writes to the accounting database:
   Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 ...
4. RADIUS server to NAS: Acknowledgement.
Slide 13: RADIUS Basics
Key data for authentication:
NAS/Client info: IP name and/or IP address; shared secret key for encryption.
User information: User-Name and Password.
Session information: speed, dialed number, port, NAS ID, etc.
Slide 14: RADIUS Basics: The Process Flow
Decode the packet using the shared secret key.
Slide 15: RADIUS Basics: Shared Secret Keys
(Diagram: User 1 and the other party each hold the same Shared Secret / Session Key. On one side Plaintext passes through Encryption to give Ciphertext; on the other side the Ciphertext passes through Decryption to recover the Plaintext. The same shared secret is used in both directions.)
Slide 16: RADIUS Basics: The Process Flow
Look up users in a local or external database: text file, password file (UNIX), NT Registry / NetWare Directory, NIS/NIS+, LDAP, etc.
Slide 17: RADIUS Basics: The Process Flow
Authenticate User-Name, Password, etc.: CHAP challenge, SecurID token card, etc.
Slide 18: RADIUS Basics: The Process Flow
Check arbitrary access criteria: type of access (analog, ISDN), time of day, called or calling number.
Slide 19: RADIUS Basics: The Process Flow
Send Accept/Reject to the NAS with the appropriate session attributes: session timers, filters (allow/reject IP addresses), IP address, ISDN session parameters, etc.
Slides 20 to 27: RADIUS Basics: Process Description

Using a modem, the user dials in to a modem connected to a NAS. Once the modem connection is completed, the NAS attempts to use the CHAP or PAP protocol to determine the userID and password. If that fails, the NAS prompts the user for the userID and password.

The NAS creates a data packet from this information called the authentication request. This packet includes information identifying the specific NAS sending the authentication request, the port that is being used for the modem connection, and the user name and password. For protection from eavesdropping, the NAS, acting as a RADIUS client, encrypts the password (using a shared secret key) before it is sent to the RADIUS server.

The Authentication Request is sent over the network from the RADIUS client (i.e. the NAS) to the RADIUS server. This communication can be done over a local- or wide-area network, allowing network managers to locate RADIUS clients remotely from the RADIUS server. If the RADIUS server cannot be reached, the NAS can usually route the request to an alternate server.

When an Authentication Request is received, the RADIUS server validates the request and then decrypts the data packet to access the user name and password information. This information is passed on to the appropriate security system being supported. This could be a text file, UNIX password files, NIS, LDAP, a commercially available security system or a custom database.

If the user name and password are correct, the server sends an Authentication Acknowledgment that includes information on the user's network system and service requirements. For example, the RADIUS server will tell the NAS that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol), or that the user needs SLIP (Serial Line Internet Protocol) to connect to the network. The acknowledgment can even contain filtering information to limit a user's access to specific resources on the network.

If at any point in this log-in process conditions are not met, the RADIUS server sends an Authentication Reject to the NAS and the user is denied access to the network.

To ensure that requests are not responded to by unauthorized persons or devices on the network, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.

Once the server information is received and verified by the NAS, it enables the necessary configuration to deliver the right network services to the user.
Slide 28: RADIUS Basics: Essential Server Data
Client information: IP name, shared secret key, group assignment, special parameters, NAS type.
Slide 29: RADIUS Basics: Essential Server Data
NAS/Client info is stored in a “clients” file or similar data structure:

    # This file contains a list of clients
    # which are allowed to make
    # authentication requests and their
    # encryption key. The first field is a
    # valid hostname for the client.
    # The second field (separated by blanks
    # or tabs) is the encryption key.
    #
    #Client Name        Key
    #----------------------------------
    portmaster1         wP40cQ0
    portmaster2         A3X445A
    192.168.1.2         wer369st
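The following is an added example, not code from the slides: it implements the shared-secret mechanics that the process description (slides 21 and 26) and the “clients” file above refer to, as RFC 2138 specifies them. The password is hidden on the wire by XORing it with an MD5 stream derived from the shared secret and the Request Authenticator, and the server signs its reply with a Response Authenticator that the NAS checks before trusting an Access-Accept. The client names, secrets and packet contents in the example are constructed.

```python
"""Added example (not from the slides): RFC 2138 password hiding and the
Response Authenticator, driven from a constructed "clients" file."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2

# Constructed "clients" file in the layout shown on slide 29.
CLIENTS_FILE = """\
# Client Name       Key
#----------------------------------
portmaster1         wP40cQ0
192.168.1.2         wer369st
"""


def parse_clients(text):
    """Map each client name/address to its shared secret (bytes)."""
    secrets = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, key = line.split(None, 1)
        secrets[name] = key.strip().encode()
    return secrets


def hide_password(password, secret, request_auth):
    """RFC 2138 section 5.2: pad the password with NULs to a multiple of 16 and
    XOR each 16-byte block with MD5(secret + previous block); the first
    "previous block" is the 16-byte Request Authenticator."""
    padded = password.encode()
    padded += b"\x00" * (-len(padded) % 16)
    if not padded:                       # an empty password still fills one block
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block                     # the chain continues from the ciphertext block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of the same operation; the chain value is the received block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00").decode()


def server_handles(secrets, source, hidden, request_auth):
    """A request from a source absent from the clients file is silently
    discarded (returns None); otherwise the password is recovered."""
    secret = secrets.get(source)
    if secret is None:
        return None
    return unhide_password(hidden, secret, request_auth)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2138 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the "signature" with which the server identifies itself to the NAS."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def reply_is_authentic(code, ident, attrs, request_auth, secret, received_auth):
    """NAS-side check of a reply, compared in constant time."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


def demo():
    """One Access-Request / Access-Accept exchange with a known client."""
    secrets = parse_clients(CLIENTS_FILE)
    secret = secrets["portmaster1"]
    request_auth = os.urandom(16)        # the NAS picks a fresh Request Authenticator
    hidden = hide_password("ge55gep", secret, request_auth)

    recovered = server_handles(secrets, "portmaster1", hidden, request_auth)
    unknown = server_handles(secrets, "10.0.0.9", hidden, request_auth)

    attrs = b"\x01\x05bob"               # constructed reply attribute: User-Name = "bob"
    ident = 7
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    genuine = reply_is_authentic(ACCESS_ACCEPT, ident, attrs, request_auth, secret, resp_auth)
    # A reply whose attributes were altered in transit (or forged without the secret) fails.
    altered = reply_is_authentic(ACCESS_ACCEPT, ident, b"\x01\x05eve", request_auth, secret, resp_auth)
    return {"hidden_length": len(hidden), "recovered": recovered, "unknown_dropped": unknown,
            "genuine": genuine, "altered": altered}


if __name__ == "__main__":
    print(demo())
```

Two points the slides state in prose are visible here: the hiding is reversible only with the secret and the Request Authenticator from the same request, and the Response Authenticator binds the reply to that request, so a reply the NAS did not ask for, or one whose attributes were changed, is rejected.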
Slide 30: RADIUS Basics: Essential Server Data
Dictionary: definition of RADIUS attributes.
Assigns readable names to attribute numbers.
Value types: string, integer, IP address, date.
Slide 31: RADIUS Basics: Essential Server Data
The dictionary is stored in a “dictionary” file or similar data structure:

    # This file contains dictionary
    # translations for parsing requests and
    # generating responses. All transactions
    # are composed of Attribute/Value Pairs.
    # The value of each attribute is specified
    # as one of 4 data types. Valid data types
    # are:
    # string  - 0-253 octets
    # ipaddr  - 4 octets in network byte order
    # integer - 32 bit value (high byte first)
    # date    - 32 bit value - seconds since
    #           00:00:00 GMT, Jan. 1, 1970
Slide 32: RADIUS Basics: Essential Server Data
Dictionary:

    #          Attr.              Attr.
    #Keyword   Attribute Name     Num   Type
    ATTRIBUTE  User-Name          1     string
    ATTRIBUTE  Password           2     string
    ATTRIBUTE  CHAP-Password      3     string
    ATTRIBUTE  Client-Id          4     ipaddr
    ATTRIBUTE  Client-Port-Id     5     integer
    ATTRIBUTE  User-Service-Type  6     integer
    ATTRIBUTE  Framed-Protocol    7     integer
    ATTRIBUTE  Framed-Address     8     ipaddr
    ATTRIBUTE  Framed-Netmask     9     ipaddr
    ...        ...
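The following is an added example, not code from the slides: it parses a dictionary in the layout shown above and uses it to encode and decode attribute/value pairs in their wire form (Type, Length, Value, with Length counting the two header octets), handling the four data types the dictionary comments define. The dictionary text is constructed from the slide's entries; the Expiration entry is an added, constructed line used only to exercise the date type. The decoder refuses malformed lengths rather than reading past the buffer, which is the check a server needs before it trusts anything in a packet.

```python
"""Added example (not from the slides): dictionary-driven RADIUS AVP codec."""
import socket
import struct
from datetime import datetime, timezone

DICTIONARY = """\
#          Attr.              Attr.
#Keyword   Attribute Name     Num   Type
ATTRIBUTE  User-Name          1     string
ATTRIBUTE  Password           2     string
ATTRIBUTE  Client-Id          4     ipaddr
ATTRIBUTE  Client-Port-Id     5     integer
ATTRIBUTE  Framed-Address     8     ipaddr
ATTRIBUTE  Expiration         21    date
"""

VALID_TYPES = {"string", "ipaddr", "integer", "date"}


def parse_dictionary(text):
    """Return (by_name, by_number): name -> (number, type) and number -> (name, type)."""
    by_name, by_number = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4 or fields[0] != "ATTRIBUTE":
            continue
        _, name, num, typ = fields
        if typ not in VALID_TYPES:
            raise ValueError("unknown type %r for %s" % (typ, name))
        by_name[name] = (int(num), typ)
        by_number[int(num)] = (name, typ)
    return by_name, by_number


def encode_value(typ, value):
    """Serialize one value according to its dictionary type."""
    if typ == "string":
        data = value.encode()
        if len(data) > 253:                          # string: 0-253 octets
            raise ValueError("string must be 0-253 octets")
        return data
    if typ == "ipaddr":
        return socket.inet_aton(value)               # 4 octets, network byte order
    if typ == "integer":
        return struct.pack("!I", value)              # 32-bit, high byte first
    if typ == "date":                                # seconds since 1970-01-01 00:00 GMT
        secs = value if isinstance(value, int) else int(value.timestamp())
        return struct.pack("!I", secs)
    raise ValueError(typ)


def decode_value(typ, data):
    """Inverse of encode_value; dates come back as UTC datetimes."""
    if typ == "string":
        return data.decode()
    if typ == "ipaddr" and len(data) == 4:
        return socket.inet_ntoa(data)
    if typ in ("integer", "date") and len(data) == 4:
        n = struct.unpack("!I", data)[0]
        return n if typ == "integer" else datetime.fromtimestamp(n, timezone.utc)
    raise ValueError("bad length %d for type %s" % (len(data), typ))


def encode_attrs(by_name, pairs):
    """Encode (name, value) pairs into concatenated Type/Length/Value bytes."""
    out = b""
    for name, value in pairs:
        num, typ = by_name[name]
        data = encode_value(typ, value)
        out += struct.pack("!BB", num, 2 + len(data)) + data
    return out


def decode_attrs(by_number, blob):
    """Decode AVP bytes into (name, value) pairs. A length below 2 or one that
    runs past the buffer is rejected; unknown numbers keep their raw value."""
    pairs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        num, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        data = blob[pos + 2:pos + length]
        if num in by_number:
            name, typ = by_number[num]
            pairs.append((name, decode_value(typ, data)))
        else:
            pairs.append(("Attr-%d" % num, data))
        pos += length
    return pairs


if __name__ == "__main__":
    names, numbers = parse_dictionary(DICTIONARY)
    blob = encode_attrs(names, [("User-Name", "bob"), ("Framed-Address", "217.213.21.5"),
                                ("Client-Port-Id", 20110)])
    print(blob.hex(), decode_attrs(numbers, blob))
```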
Slide 33: RADIUS Basics: Essential Server Data
User information (“users” file): User-Name, Password, authentication method, check attributes, send attributes.
Slide 34: RADIUS Basics: Essential Server Data
User data (Example 1):

    bob     Password = "ge55ep"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            Framed-Routing = None,
            Filter-Id = "std.ppp",
            Framed-MTU = 1500
Slide 35: RADIUS Basics: Essential Server Data
User data (Example 2):

    bob     Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN
            Service-Type = Framed-User,
            Framed-Protocol = PPP
Slide 36: RADIUS Basics: Essential Server Data
User data (Example 3):

    bob     Password = "ge55gep", Caller-Id = "510-555-1212"
            Service-Type = Callback-Login-User,
            Login-IP-Host = 192.168.1.76,
            Login-Service = Telnet,
            Login-TCP-Port = 23,
            Callback-Number = "9,1-800-555-1234"
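The following is an added example, not code from the slides: it parses “users” entries in the layout of slides 33 to 36 and applies them the way slide 33 describes, with check attributes that must all match the request before the send attributes are returned in an Access-Accept. Layout assumption: check items sit on the entry's first line and reply items on the indented continuation lines, the usual convention for this file format. The “bob” entry follows Example 2; “alice” is a constructed entry whose quoted Callback-Number (as in Example 3) shows that commas inside quotes are kept.

```python
"""Added example (not from the slides): "users" file parsing and check-item matching."""
import hmac
import re

USERS_FILE = """\
bob     Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN
        Service-Type = Framed-User,
        Framed-Protocol = PPP
alice   Password = "constructed-pw"
        Service-Type = Callback-Login-User,
        Login-Service = Telnet,
        Callback-Number = "9,1-800-555-1234"
"""

# Attribute = Value; a quoted value may itself contain commas.
ITEM_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')


def parse_items(text):
    """Turn 'A = x, B = "y,z"' into {"A": "x", "B": "y,z"}."""
    items = {}
    for key, value in ITEM_RE.findall(text):
        items[key] = value.strip().strip('"')
    return items


def parse_users(text):
    """Return {user-name: (check_items, reply_items)}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                        # continuation line: reply items
            if current is None:
                raise ValueError("reply items before any user entry")
            users[current][1].update(parse_items(line))
        else:                                        # new entry: name, then check items
            parts = line.split(None, 1)
            current = parts[0]
            users[current] = (parse_items(parts[1] if len(parts) > 1 else ""), {})
    return users


def authorize(users, request):
    """Return ("Access-Accept", reply_items) or ("Access-Reject", reason).
    Every check item must match the request; the password is compared in
    constant time. A check item missing from the request counts as a mismatch,
    so the NAS-IP-Address / NAS-Port-Type restriction of Example 2 holds."""
    entry = users.get(request.get("User-Name"))
    if entry is None:
        return ("Access-Reject", "unknown user")
    check, reply = entry
    for key, wanted in check.items():
        got = request.get(key)
        if key == "Password":
            ok = got is not None and hmac.compare_digest(got, wanted)
        else:
            ok = got == wanted
        if not ok:
            return ("Access-Reject", "check item %s failed" % key)
    return ("Access-Accept", dict(reply))


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    print(authorize(users, {"User-Name": "bob", "Password": "ge55gep",
                            "NAS-IP-Address": "192.168.1.54", "NAS-Port-Type": "ISDN"}))
    print(authorize(users, {"User-Name": "bob", "Password": "ge55gep",
                            "NAS-IP-Address": "10.0.0.1", "NAS-Port-Type": "ISDN"}))
```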
Slide 37: RADIUS Basics: Accounting Start Record

    Sun May 10 20:47:41 1998
            User-Name = "bob"
            Client-Id = 206.171.153.11
            Client-Port-Id = 20110
            Acct-Status-Type = Start
            Acct-Delay-Time = 0
            Acct-Session-Id = "262282375"
            Acct-Authentic = RADIUS
            Caller-Id = "5105551212"
            Client-Port-DNIS = "5218296"
            Framed-Protocol = PPP
            Framed-Address = 209.79.145.46
Slide 38: RADIUS Basics: Accounting Stop Record

    Sun May 10 20:50:49 1998
            User-Name = "bob"
            Client-Id = 206.171.153.11
            Client-Port-Id = 20110
            Acct-Status-Type = Stop
            Acct-Delay-Time = 0
            Acct-Session-Id = "262282353"
            Acct-Authentic = RADIUS
            Acct-Session-Time = 4871
            Acct-Input-Octets = 459078
            Acct-Output-Octets = 4440286
            Caller-Id = "5105551212"
            Client-Port-DNIS = "4218296"
            Framed-Protocol = PPP
            Framed-Address = 209.79.145.46
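The following is an added example, not code from the slides: it parses accounting detail records in the layout of slides 37 and 38, pairs each Stop with its Start by (Client-Id, Client-Port-Id, Acct-Session-Id), and totals the usage the slides list under Accounting (time online, bytes in and out). The records are constructed: bob's session reuses the slide's Acct-Session-Time and octet counts with a Stop timestamp chosen to agree with the Start time, and the other two records show the anomalies an operator looks for in this data, a session with no Stop and a Stop with no Start. It also flags a Stop whose Acct-Session-Time disagrees with the time between the two records by more than Acct-Delay-Time plus a tolerance, which points at a NAS clock problem or a record that did not come from the NAS that sent the Start.

```python
"""Added example (not from the slides): pairing RADIUS accounting Start/Stop records."""
from datetime import datetime

# Constructed detail file in the layout of slides 37 and 38.
DETAIL_LOG = """\
Sun May 10 20:47:41 1998
        User-Name = "bob"
        Client-Id = 206.171.153.11
        Client-Port-Id = 20110
        Acct-Status-Type = Start
        Acct-Session-Id = "262282375"
        Framed-Address = 209.79.145.46

Sun May 10 21:02:13 1998
        User-Name = "alice"
        Client-Id = 206.171.153.11
        Client-Port-Id = 20111
        Acct-Status-Type = Start
        Acct-Session-Id = "262282390"

Sun May 10 22:08:52 1998
        User-Name = "bob"
        Client-Id = 206.171.153.11
        Client-Port-Id = 20110
        Acct-Status-Type = Stop
        Acct-Delay-Time = 0
        Acct-Session-Id = "262282375"
        Acct-Session-Time = 4871
        Acct-Input-Octets = 459078
        Acct-Output-Octets = 4440286

Sun May 10 22:30:00 1998
        User-Name = "carol"
        Client-Id = 206.171.153.11
        Client-Port-Id = 20112
        Acct-Status-Type = Stop
        Acct-Session-Id = "262282353"
        Acct-Session-Time = 60
"""


def parse_records(text):
    """Each record is a timestamp line followed by indented 'Attribute = Value'
    lines; blank lines separate records."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {"timestamp": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")}
            records.append(current)
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return records


def pair_sessions(records, tolerance=60):
    """Match Stop records to Start records and report the anomalies."""
    starts, sessions, stops_without_start = {}, [], []
    for rec in records:
        key = (rec.get("Client-Id"), rec.get("Client-Port-Id"), rec.get("Acct-Session-Id"))
        if rec.get("Acct-Status-Type") == "Start":
            starts[key] = rec
        elif rec.get("Acct-Status-Type") == "Stop":
            start = starts.pop(key, None)
            if start is None:
                stops_without_start.append(rec)
                continue
            reported = int(rec.get("Acct-Session-Time", 0))
            delay = int(rec.get("Acct-Delay-Time", 0))
            observed = (rec["timestamp"] - start["timestamp"]).total_seconds() - delay
            sessions.append({
                "user": rec["User-Name"],
                "session_time": reported,
                "input_octets": int(rec.get("Acct-Input-Octets", 0)),
                "output_octets": int(rec.get("Acct-Output-Octets", 0)),
                "clock_mismatch": abs(observed - reported) > tolerance,
            })
    return {
        "sessions": sessions,
        "open_sessions": [s["User-Name"] for s in starts.values()],    # Start, no Stop
        "stops_without_start": [s["User-Name"] for s in stops_without_start],
    }


def usage_by_user(summary):
    """Total seconds online and octets transferred per user, from paired sessions."""
    totals = {}
    for s in summary["sessions"]:
        t = totals.setdefault(s["user"], {"seconds": 0, "octets": 0})
        t["seconds"] += s["session_time"]
        t["octets"] += s["input_octets"] + s["output_octets"]
    return totals


if __name__ == "__main__":
    summary = pair_sessions(parse_records(DETAIL_LOG))
    print(usage_by_user(summary), summary["open_sessions"], summary["stops_without_start"])
```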
Slide 39: RADIUS Basics: Proxy Services
A forwarding or “proxy” server can forward authentication and/or accounting requests to another server for handling.
In order to differentiate between requests that should be handled locally and those that should be forwarded, the NAI needs to be specially processed.
Slide 40: RADIUS Basics: Proxy Services
The NAI (Network Access Identifier) is commonly called the userID.
In proxy and roaming situations the NAI is modified to include both the userID and a “realm” identifier.
The realm is a keyword indicating the server responsible for authenticating the userID.
Slide 41: RADIUS Basics: Proxy Services
The standard way to send a userID and realm in the NAI is to separate them with an “@”.
A typical proxy NAI looks like: user@realm
A proxy RADIUS server looks for the “@” in the NAI to determine if it should handle the request or forward it.
Slide 42: RADIUS Basics: Proxy Services
If no “@” is present, the entire NAI is assumed to be only a userID.
If an “@” is present, the NAI is split into two tokens (a userID and a realm label).
Slide 43: RADIUS Basics: Proxy Services
The realm label is looked up in a local file or database to find the address of the server for the realm and the protocol (typically RADIUS) used to connect to it.
Although the realm label may look like a domain name (e-mail addresses are often used as NAIs), it is not safe to assume that.
Slide 44: RADIUS Basics: Proxy Services
An example “realms” file might look like:

    #realm    IP
    #label    Address       Port   Protocol   Secret
    homeco    167.24.12.5   1812   Radius     Don't3v3rtell
    biginiv   12.123.43.9   1645   Radius     js&yWpnfE2vuR

(A real realms file might contain much more information. Each vendor implements realm information differently.)
Slide 45: RADIUS Basics: Proxy Services
A typical bilateral proxy model looks like:
(Diagram: NAS -> RADIUS Proxy (Realms File: homeco; Log) -> RADIUS server (DB; Log).)
NAS to proxy: Access Request, UserID: bill@homeco, Password: mypass
Proxy to RADIUS server: Access Request, UserID: bill, Password: mypass
Replies flow back from the RADIUS server to the proxy and from the proxy to the NAS.
Slide 46: RADIUS Basics: Proxy Services
Bilateral relationships, with all the realm information stored in a local realms file or table, can be effective with a small number of roaming or proxy partners.
But the files must be changed each time there is a change in a server configuration.
Slide 47: RADIUS Basics: Proxy Services
A consortium, or clearinghouse, solves that problem by having all proxy requests forwarded to it first.
The consortium maintains a list of all the server information for it’
Slide 48: RADIUS Basics: Proxy Services
In the case of a roaming consortium or clearinghouse it may be necessary to add additional information to the NAI.
This is because each server in the proxy chain might strip off the realm before passing the request on to the next server.
Slide 49: RADIUS Basics: Proxy Services
A common solution is to use the “/” as an additional separator.
In the case of a consortium called “cons” the NAI would look like: cons/user@realm
An actual NAI might be: infonet/[email protected]
Slide 50: RADIUS Basics: Proxy Services
The first server may now strip off “cons” and forward the remaining two tokens: [email protected]
The consortium’s server strips off the remaining realm and forwards the userID to the final server: rdperl
Slide 51: RADIUS Basics: Proxy Services
A consortium proxy model looks like:
(Diagram: NAS -> RADIUS Proxy (Realms File: cons; Log) -> RADIUS Proxy (Realms File: homeco; Log) -> RADIUS server (DB; Log).)
NAS to first proxy: Access Request, UserID: cons/bill@homeco, Password: mypass
First proxy to consortium proxy: Access Request, UserID: bill@homeco, Password: mypass
Consortium proxy to RADIUS server: Access Request, UserID: bill, Password: mypass
Replies flow back along the same path to the NAS.
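The following is an added example, not code from the slides: it implements the NAI handling of slides 39 to 51. Each server in the chain splits the NAI on “/” (a consortium prefix) or, failing that, on “@” (a realm), looks the label up in its own “realms” table, and forwards the remaining tokens; an NAI with neither separator is handled locally. The label is matched exactly and never treated as a DNS name, as slide 43 warns, and an unknown label is rejected rather than guessed. The two realms files are constructed in the layout of slide 44 (the consortium's file reuses the slide's two entries), and the trace reproduces the consortium diagram: cons/bill@homeco -> bill@homeco -> bill.

```python
"""Added example (not from the slides): realm-based routing of an NAI through a proxy chain."""
from collections import namedtuple

Realm = namedtuple("Realm", "address port protocol secret")
Decision = namedtuple("Decision", "action nai realm")

# Realms file of the proxy nearest the NAS: it only knows the consortium (constructed).
EDGE_REALMS = """\
#realm    IP
#label    Address       Port   Protocol   Secret
cons      10.9.9.9      1812   Radius     constructed-secret-1
"""

# Realms file of the consortium server, in the layout of slide 44.
CONSORTIUM_REALMS = """\
#realm    IP
#label    Address       Port   Protocol   Secret
homeco    167.24.12.5   1812   Radius     Don't3v3rtell
biginiv   12.123.43.9   1645   Radius     js&yWpnfE2vuR
"""


def parse_realms(text):
    """Map realm label -> Realm(address, port, protocol, secret)."""
    realms = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        label, address, port, protocol, secret = line.split(None, 4)
        realms[label] = Realm(address, int(port), protocol, secret.strip())
    return realms


def route(nai, realms):
    """What one server does with an NAI: handle it locally, forward the
    remaining tokens to the server for the label, or reject it."""
    if "/" in nai:                                   # consortium prefix (slide 49)
        label, rest = nai.split("/", 1)
    elif "@" in nai:                                 # user@realm (slide 41)
        rest, label = nai.split("@", 1)
    else:                                            # no separator: plain userID (slide 42)
        return Decision("local", nai, None)
    if not label or not rest:                        # "@bob", "bob@", "/bob": malformed
        return Decision("reject", nai, None)
    realm = realms.get(label)                        # exact label match, no DNS guessing
    if realm is None:
        return Decision("reject", nai, None)
    return Decision("forward", rest, realm)


def trace(nai, chain):
    """Follow an NAI through one realms table per hop; returns (action, nai) per hop."""
    steps = []
    for realms in chain:
        d = route(nai, realms)
        steps.append((d.action, d.nai))
        if d.action != "forward":
            break
        nai = d.nai
    return steps


if __name__ == "__main__":
    edge = parse_realms(EDGE_REALMS)
    consortium = parse_realms(CONSORTIUM_REALMS)
    home_server = {}                                 # the final server has no realms to forward to
    print(trace("cons/bill@homeco", [edge, consortium, home_server]))
```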
Slide 52: RADIUS Basics: Proxy Services: Editing Attributes
A proxy server may add, delete or modify the attributes that it forwards.
An IP address may be invalid on a given network, the maximum online time may be different, local filters may be required, etc.
Slide 53: RADIUS Basics: Proxy Services: Editing Attributes
In cases where special control of attributes is required, bilateral relationships may work best.
A proxy server may also need to translate attributes intended for one brand of NAS into another brand’s format (pools, filters, etc.).
Slide 54: RADIUS Proxy Servers
Freeware
    DTC - Radius 2.0 - NT/UNIX - (Japanese) - http://www.dtc.co.jp/Radius2.0
Commercial
    Shiva - Shiva Access Manager - 95/NT/UNIX - http://athena.shiva.com/remote/radius
    Open System Consultants Pty Ltd - Radiator - NT/UNIX - http://www.open.com.au/radiator/
    Microsoft - Microsoft Commercial Internet System (MCIS) - NT - http://www.microsoft.com/mcis/guide/features.asp
    Funk - Steel-Belted Radius - Netware/NT - http://www.funk.com/Radius/
    Vircom - Proxy & Roaming Radius Server (PRRS) - NT - http://www.vircom.com/info/vprrsrel.htm
    Novell - BorderManager - Netware - http://www.novell.com/text/bordermanager/radius.html
    Ascend Communications - “Access Control” - NT/UNIX - http://www.ascend.com/324.html
    Merit - Merit AAA Server - UNIX - http://www.merit.edu/aaa/
Slide 55: Other Authentication Protocols
TACACS (TACACS+ and XTACACS)
Developed by Cisco Systems for military applications. Originally used between a Cisco terminal server and a UNIX TACACS server.
Mostly replaced by RADIUS since Cisco added RADIUS support to its access products.
Still used for SecurID lookups since the SecurID (ACE) server supports TACACS. However, new releases of SecurID now support RADIUS.
Slide 56: Other Authentication Protocols
SecurID ACE Server
Uses a “token” card with a One-Time Password.
Can function as a stand-alone server (RADIUS or TACACS compatible).
Can also handle queries from a RADIUS server.
ACE server software is available for many platforms.
http://www.securitydynamics.com/solutions/products/asvrdata.html