
RADIUS


Presentation Transcript


  1. RADIUS. Sunil Vallamkonda, Oct. 25, 2006. RADIUS presentation by Sunil Vallamkonda.

  2. What is AAA?
  • Authentication
  • Authorization
  • Accounting

  3. Authentication
  • Verify a person's or machine's declared identity.
  • Mechanisms: passwords, PKI.
  • A key aspect is the trust relationships between servers.

  4. Authorization
  • Rules or templates on what an authenticated user can do on a system.
  • Dial-up user requests can be for one link or for multiple links.

  5. Accounting
  • Measures and tracks the resources a user accesses.
  • Includes time, amount of data, session statistics, resource utilization, etc.
  • Logs are sent to and analyzed by billing and security servers.

  6. (image-only slide, no transcript text)

  7. (image-only slide, no transcript text)

  8. (image-only slide, no transcript text)

  9. Properties
  • Client/server model
  • UDP based
  • Hop-by-hop security
  • Stateless
  • Uses MD5 for password hiding.
  • A-V (attribute-value) pairs
  • PAP/CHAP via PPP

  10. Packet format (codes)
  • ACCESS-REQUEST (1)
  • ACCESS-ACCEPT (2)
  • ACCESS-REJECT (3)
  • ACCESS-CHALLENGE (11)
  • ACCOUNTING-REQUEST (4)
  • ACCOUNTING-RESPONSE (5)
  • STATUS-SERVER (12)
  • STATUS-CLIENT (13)

  11. RADIUS Packet
  • Header: Code (1 octet), Identifier (1), Length (2), Authenticator (16), followed by the attribute payload.
  • Code: as on the previous slide.
  • Identifier: used to match replies to the requests they answer.
  • Length: valid range 20 to 4096.
  • Authenticator: used to conceal passwords using one-way MD5. Request (random number) and Response authenticators.

  12. Packet formats
  RADIUS data packet: | Code (1) | ID (1) | Len (2) | Authenticator (16) | AV pairs (payload) |

  13. Packet formats (same layout as slide 12)
  RADIUS data packet: | Code (1) | ID (1) | Len (2) | Authenticator (16) | AV pairs (payload) |

  14. Access-Request / Access-Accept packets
  Access-Request: | Code (1) | ID (q) | Len (header + payload) | Request Authenticator (random) | Attributes: User-Name, NAS-IP-Address, User-Password (MD5-hidden) or CHAP-Password (varies) |
  Access-Accept: | Code (2) | ID (q, same as the request) | Len (header + payload) | Response Authenticator = MD5(Code + ID + Len + Request Authenticator + Attributes + Secret) | Attributes (all optional): services authorized (varies) |

  15. Access-Reject
  | Code (3) | ID (q, per transmission) | Len (header + payload) | Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret) | Attributes (optional) |

  16. Authentication methods
  • PAP: Password Authentication Protocol (the password is hidden with MD5/XOR).
  • CHAP: Challenge Handshake Authentication Protocol; the password is never sent on the wire.
  • PAP is sometimes preferred in cases where the authorization must travel outside the realm of control.
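As an added example (not code from the slides), the PAP password hiding of slides 11, 14 and 16 and the Response Authenticator of slides 14 and 15, implemented per RFC 2865 in Python, together with the client-side check that a reply's authenticator actually recomputes before the reply is trusted. The shared secret, identifier and authenticator values are constructed, not taken from the presentation.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SECRET = b"example-shared-secret"  # constructed value, not from the slides

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-octet blocks; block i is XORed with MD5(secret + c[i-1]),
    # where c[-1] is the Request Authenticator. Returns the on-the-wire value.
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Server side: same keystream, chained on the received ciphertext blocks.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident: int, request_auth: bytes, user: bytes, password: bytes, secret: bytes) -> bytes:
    # User-Name (1) and hidden User-Password (2); Length covers header + payload.
    attrs = avp(1, user) + avp(2, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    # Client side: reject a reply whose Length is invalid or whose Response Authenticator
    # does not recompute; without this check a forged Access-Accept would be trusted.
    if len(reply) < 20:
        return False
    length = struct.unpack("!BBH", reply[:4])[2]
    if length != len(reply) or not 20 <= length <= 4096:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```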

  17. (image-only slide, no transcript text)

  18. The CHAP 3-way handshake (figure)

  19. CHAP Security (figure)

  20. Using RADIUS and CHAP (figure)

  21. (image-only slide, no transcript text)

  22. Realm
  • Identifiers placed before or after the value normally carried in the User-Name attribute, so that the server can identify which server to contact.
  • Examples: prefix realms with separators such as @, \ or /, as in CSI\john.
  • Suffix realms, as in james@itmm.

  23. Hints
  • RADIUS can be set up to handle service authorizations based on hints.
  • Hints control the resources needed to provision the service for the client.
  • Example: a specific IP address, or an IP pool.
  • If the NAS cannot allocate the resource, the service is disconnected.
  • Hints can be temporary, optional or extra characteristics.

  24. Attributes
  • Describe a property of the type of service.
  • Standard RADIUS attributes vs. vendor-specific attributes (VSA).
  • RADIUS attribute types (RFC): INT (4 octets, 32-bit unsigned), ENUM (4, 32-bit unsigned), IPADDR (4, 32-bit), STRING (1-253, variable), DATE (4, 32-bit unsigned), BINARY (1, 1 bit).
  • Examples:
  • INT: 6, 256
  • ENUM: 3 = Callback-Login, 4 = Callback-Framed
  • STRING: "Charlotte", "San Jose"
  • IPADDR: 0x1954ff8e
  • DATE: 0x00000a
  • BINARY: 1

  25. Attributes - example
  Standard attribute example: Callback-Number
  • Number: 19
  • Length: 3 or more octets
  • Value: String
  • Allowed in: Access-Request, Access-Accept
  • Prohibited in: Access-Reject, Access-Challenge
  • Maximum iterations: 1
  • Presence in packet: not required

  26. Dictionary
  • The server has a way of relating each attribute name to its attribute number and expected type.
  • Example:
  • Attribute-Name: User-Name, Type: String
  • Attribute-Name: NAS-IP-ADDR, Type: IPADDR
  • Attribute-Name: Service-Type, Type: ENUM

  27. AVP pattern
  Standard attribute: | Number (1-255) | Len (3 or more) | Value (format depends on the attribute number) |
  Vendor-specific attribute (example): | Num: 26 | Len (X) | Vendor-Id: 262 | Num (47) | Len (X) | value (min. 1) |
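An added example (not code from the slides) covering the attribute types of slide 24, the dictionary of slide 26 and the AVP layout of slide 27: a Python encoder and parser for the type/length/value attribute list, including the Vendor-Specific (26) layout of Vendor-Id followed by a vendor sub-attribute TLV. The dictionary is a constructed subset of the names on slide 26, and the Length checks in the parser are the ones a defender wants before a NAS or server acts on attacker-controlled attribute bytes.

```python
import struct

VENDOR_SPECIFIC = 26
# Constructed dictionary of (name, type) for the attributes named on slide 26
DICTIONARY = {1: ("User-Name", "string"), 4: ("NAS-IP-Address", "ipaddr"), 6: ("Service-Type", "enum")}

def encode_avp(attr_type: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1-253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    # Vendor-Specific (26): 4-octet Vendor-Id followed by one vendor sub-attribute TLV
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def decode_value(kind: str, raw: bytes):
    if kind in ("int", "enum", "date", "ipaddr"):
        if len(raw) != 4:  # fixed 4-octet types: reject, never silently truncate or pad
            raise ValueError(f"{kind} attribute must be 4 octets, got {len(raw)}")
        return ".".join(str(b) for b in raw) if kind == "ipaddr" else struct.unpack("!I", raw)[0]
    return raw  # string/binary stay bytes; never assume valid UTF-8

def parse_tlvs(buf: bytes):
    # Generic TLV walk; the two Length checks are what hand-rolled parsers most often miss
    off, out = 0, []
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError(f"truncated AVP header at offset {off}")
        t, length = buf[off], buf[off + 1]
        if length < 3 or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        out.append((t, buf[off + 2:off + length]))
        off += length
    return out

def parse_avps(payload: bytes):
    # Returns [(name, value)]; a VSA becomes ("Vendor-Specific", (vendor_id, vendor_type, value))
    result = []
    for t, raw in parse_tlvs(payload):
        if t == VENDOR_SPECIFIC:
            if len(raw) < 7:  # Vendor-Id plus a 3-octet minimum sub-attribute (RFC 2865 sub-TLV layout)
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", raw[:4])[0]
            result.extend(("Vendor-Specific", (vendor_id, vt, vv)) for vt, vv in parse_tlvs(raw[4:]))
            continue
        name, kind = DICTIONARY.get(t, (f"Attr-{t}", "binary"))
        result.append((name, decode_value(kind, raw)))
    return result
```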

  28. Accounting
  • Client/server model.
  • Extensible: proxied, defined and qualified by AVPs.
  • Packets: Accounting-Request (Start/Stop) and Accounting-Response.

  29. Ports
  • Authentication: udp/1812
  • Accounting: udp/1813

  30. Implementations
  • Livingston
  • GNU
  • FreeRADIUS
  • Cistron
  • Radiator
  • Alepo
  • Juniper: Steel-Belted Radius

  31. Performance
  • Logons per second
  • Logoffs per second
  • Rejects per second
  • Reject cause threshold
  • Total packets per second per interface
  • Load average
  • Memory, disk usage

  32. EAP
  • Extensible Authentication Protocol.
  • Used over links running PPP.
  • Authentication schemes such as public key, smart cards, OTP, Kerberos, etc. are supported over PPP when EAP is used.
  • RADIUS adds two new attributes for EAP: EAP-Message and Message-Authenticator.

  33. EAP architecture (layers, top to bottom)
  • User EAP Authentication Protocol (PAP, CHAP, MS-CHAP, etc.)
  • Inner Application Extension to TLS
  • TLS
  • EAP-TTLS
  • EAP
  • Carrier Protocol (PPP, EAPOL, RADIUS, etc.)

  34. User protocol: EAP layering (layers, top to bottom)
  • User EAP Authentication Protocol (MD5-Challenge, etc.)
  • EAP
  • Inner Application extension to TLS
  • TLS
  • EAP-TTLS
  • EAP
  • Carrier Protocol (PPP, EAPOL, RADIUS, Diameter, etc.)

  35. 802.1x (figure)

  36. Port based authentication
  • Why is it called "port"-based authentication? The Authenticator deals with controlled and uncontrolled ports. Both the controlled and the uncontrolled port are logical entities (virtual ports), but use the same physical connection to the LAN (same point of attachment).

  37. Port based Auth (figure)

  38. contd
  • Figure port: the authorization state of the controlled port.
  • Before authentication, only the uncontrolled port is "open". The only traffic allowed is EAPOL; see Authenticator System 1 in figure port. After the Supplicant has been authenticated, the controlled port is opened and access to other LAN resources is granted; see Authenticator System 2 in figure port.
  • 802.1X plays a major role in the new IEEE wireless standard 802.11i.

  39. WEP
  • Wired Equivalent Privacy (WEP), part of the original 802.11 standard, was meant to provide confidentiality. Unfortunately WEP is poorly designed and easily cracked. There is no authentication mechanism, only a weak form of access control (one must have the shared key to communicate).
  • In response to WEP's broken security, IEEE has come up with a new wireless security standard named 802.11i. 802.1X plays a major role in this new standard.

  40. 802.11
  • The new security standard, 802.11i, ratified in June 2004, fixes all WEP weaknesses. It is divided into three main categories:
  • Temporal Key Integrity Protocol (TKIP) is a short-term solution that fixes all WEP weaknesses. TKIP can be used with old 802.11 equipment (after a driver/firmware upgrade) and provides integrity and confidentiality.
  • Counter Mode with CBC-MAC Protocol (CCMP) [RFC2610] is a new protocol, designed from the ground up. It uses AES [FIPS 197] as its cryptographic algorithm and, since this is more CPU intensive than RC4 (used in WEP and TKIP), new 802.11 hardware may be required. Some drivers can implement CCMP in software. CCMP provides integrity and confidentiality.
  • 802.1X Port-Based Network Access Control: whether TKIP or CCMP is used, 802.1X is used for authentication.
  • In addition, an optional encryption method called "Wireless Robust Authentication Protocol" (WRAP) may be used instead of CCMP. WRAP was the original AES-based proposal for 802.11i, but was replaced by CCMP after it became plagued by intellectual property encumbrances. Support for WRAP is optional, but CCMP support is mandatory in 802.11i.
  • 802.11i also has extended key derivation/management.

  41. 802.1x
  • 802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN.
  • 802.1X authentication for wireless LANs has three main components: the supplicant (usually the client software); the authenticator (usually the access point); and the authentication server (usually a Remote Authentication Dial-In User Service server, although RADIUS is not specifically required by 802.1X).

  42. (image-only slide, no transcript text)

  43. 802.1X and RADIUS
  • Remote Authentication Dial-In User Service (RADIUS) is defined in [RFC2865] (and its companion RFCs), and was primarily used by ISPs, who authenticated username and password before the user was authorized to use the ISP's network.
  • 802.1X does not specify what kind of back-end authentication server must be present, but RADIUS is the de-facto back-end authentication server used with 802.1X.
  • There are not many AAA protocols available, but both RADIUS and DIAMETER [RFC3588] (including their extensions) provide full AAA support. AAA stands for Authentication, Authorization, and Accounting (IETF's AAA Working Group).

  44. EAP methods
  • EAP-MD5: MD5-Challenge requires username/password and is equivalent to the PPP CHAP protocol [RFC1994]. This method does not provide dictionary attack resistance, mutual authentication or key derivation, and therefore has little use in a wireless authentication environment.
  • Lightweight EAP (LEAP): a username/password combination is sent to an Authentication Server (RADIUS) for authentication. LEAP is a proprietary protocol developed by Cisco and is not considered secure. Cisco is phasing out LEAP in favor of PEAP. Ref: http://lists.cistron.nl/pipermail/cistron-radius/2001-September/002042.html

  45. EAP methods (contd)
  • EAP-TLS: creates a TLS session within EAP, between the Supplicant and the Authentication Server. Both the server and the client(s) need a valid (X.509) certificate, and therefore a PKI. This method provides authentication both ways. EAP-TLS is described in [RFC2716].
  • EAP-TTLS: sets up an encrypted TLS tunnel for safe transport of authentication data. Within the TLS tunnel, (any) other authentication methods may be used. Developed by Funk Software and Meetinghouse, and currently an IETF draft.

  46. Methods (contd)
  • Protected EAP (PEAP): uses, like EAP-TTLS, an encrypted TLS tunnel. Supplicant certificates for both EAP-TTLS and EAP-PEAP are optional, but server (AS) certificates are required. Developed by Microsoft, Cisco and RSA Security, and currently an IETF draft.
  • EAP-MSCHAPv2: requires username/password and is basically an EAP encapsulation of MS-CHAP-v2 [RFC2759]. Usually used inside a PEAP-encrypted tunnel. Developed by Microsoft, and currently an IETF draft.

  47. (image-only slide, no transcript text)

  48. (image-only slide, no transcript text)

  49. Authentication methods
  • The following authentication types are some of the methods supported by the server:
  • Clear-text password in local configuration file (PAP)
  • Encrypted password in local configuration file
  • CHAP
  • MS-CHAP
  • MS-CHAPv2
  • Authentication to a Windows Domain Controller (via ntlm_auth and winbindd)
  • Proxy to another RADIUS server
  • System authentication (usually through /etc/passwd)
  • PAM (Pluggable Authentication Modules)
  • LDAP (PAP only)
  • PAM (PAP only)
  • CRAM
  • Perl program
  • Python program
  • SIP Digest (Cisco VoIP boxes)

  50. Contd (methods)
  • A locally executed program (like a CGI program)
  • Netscape-MTA-MD5 encrypted passwords
  • Kerberos authentication
  • X9.9 authentication token (e.g. CRYPTOCard)
  • EAP, with embedded authentication methods:
    • EAP-MD5
    • Cisco LEAP
    • EAP-MSCHAP-V2 (as implemented by Microsoft)
    • EAP-GTC
    • EAP-SIM
    • EAP-TLS
    • EAP-TTLS, with any authentication protocol inside the TLS tunnel
    • EAP-PEAP, with tunneled EAP
