AAA Services (56 slides)


Page 1: AAA Services

Page 2: AAA Services

Authentication
Authorization
Accounting

Page 3: Authentication

Verify the user is who he/she claims to be.
Use a password, a special token card, Caller-ID, etc.
May issue an additional 'challenge'.

Page 4: Authorization

Check that the user may access the services he/she wishes.
Check database or file information about the user.

Page 5: Accounting

Record what the user has done: time online, bytes sent/received, services accessed, files downloaded, etc.

Page 6: NAS/RAS (Network Access Server / Remote Access Server)

Diagram labels: Phone Lines, Modems, Protocol Conversion, Routing, TCP/IP Network.

Page 7: Types of AAA Services

Local accounts on the NAS/RAS
Proprietary software between NAS and server
RADIUS
TACACS (tacacs, tacacs+, xtacacs)

Page 8: RADIUS Basics

A protocol for communicating between a Network Access Server (NAS) and a remote Authentication/Access/Accounting server.
Not the actual server itself.

Page 9: RADIUS Basics

Defined by IETF standards RFC 2138 and RFC 2139:
http://www.faqs.org/rfcs/rfc2138.html
http://www.faqs.org/rfcs/rfc2139.html
Requires clients (normally a NAS) and servers (often called RADIUS servers).

Page 10: RADIUS Basics: Authentication Data Flow

Diagram (components: ISP Modem Pool, ISP RADIUS Server, ISP User Database, The Internet). The labelled steps are:
User dials modem pool and establishes connection: UserID: bob, Password: ge55gep
NAS to RADIUS server: UserID: bob, Password: ge55gep, NAS-ID: 207.12.4.1
RADIUS server to user database: Select UserID=bob
User database to RADIUS server: bob, password=ge55gep, Timeout=3600, [other attributes]
RADIUS server to NAS: Access-Accept, User-Name=bob, Framed-Address=217.213.21.5, [other attributes]
Internet PPP connection established

Page 11: RADIUS Basics: Authentication Data Flow: The Accounting "Start" Record

Diagram (components: ISP Modem Pool, ISP RADIUS Server, ISP Accounting Database, The Internet). The labelled steps are:
Internet PPP connection established
NAS to RADIUS server: Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5, ...
RADIUS server writes the accounting record: Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 ...
RADIUS server to NAS: Acknowledgement

Page 12: RADIUS Basics: Authentication Data Flow: The Accounting "Stop" Record

Diagram (components: ISP Modem Pool, ISP RADIUS Server, ISP Accounting Database, The Internet). The labelled steps are:
User disconnects
NAS to RADIUS server: Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432, ...
RADIUS server writes the accounting record: Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 ...
RADIUS server to NAS: Acknowledgement

Page 13: RADIUS Basics

Key data for authentication:
NAS/Client info: IP name and/or IP address, shared secret key for encryption
User information: User-Name and Password
Session information: speed, dialed number, port, NAS ID, etc.

Page 14: RADIUS Basics: The Process Flow

Decode the packet using the shared secret key.

Page 15: RADIUS Basics: Shared Secret Keys

Diagram for User 1: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext in one direction, and Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext in the other; every Encryption and Decryption box is keyed by the Shared Secret (session key) held at both ends.

Page 16: RADIUS Basics: The Process Flow

Look up users in a local or external database: text file, password file (UNIX), NT Registry/NetWare Directory, NIS/NIS+, LDAP, etc.

Page 17: RADIUS Basics: The Process Flow

Authenticate User-Name, Password, etc.: CHAP challenge, SecurID token card, etc.

Page 18: RADIUS Basics: The Process Flow

Check arbitrary access criteria: type of access (analog, ISDN), time of day, called or calling number.

Page 19: RADIUS Basics: The Process Flow

Send Accept/Reject to the NAS with the appropriate session attributes: session timers, filters (allow/reject IP addresses), IP address, ISDN session parameters, etc.

Page 20: RADIUS Basics: Process Description

Using a modem, the user dials in to a modem connected to a NAS. Once the modem connection is completed, the NAS attempts to use the CHAP or PAP protocol to determine the userID and password. If that fails, the NAS prompts the user for the userID and password.

Page 21: RADIUS Basics: Process Description

The NAS creates a data packet from this information called the authentication request. This packet includes information identifying the specific NAS sending the authentication request, the port that is being used for the modem connection, and the user name and password. For protection from eavesdropping, the NAS, acting as a RADIUS client, encrypts the password (using a shared secret key) before it is sent to the RADIUS server.

Page 22: RADIUS Basics: Process Description

The Authentication Request is sent over the network from the RADIUS client (i.e. the NAS) to the RADIUS server. This communication can be done over a local- or wide-area network, allowing network managers to locate RADIUS clients remotely from the RADIUS server. If the RADIUS server cannot be reached, the NAS can usually route the request to an alternate server.

Page 23: RADIUS Basics: Process Description

When an Authentication Request is received, the RADIUS server validates the request and then decrypts the data packet to access the user name and password information. This information is passed on to the appropriate security system being supported. This could be a text file, UNIX password files, NIS, LDAP, a commercially available security system or a custom database.

Page 24: RADIUS Basics: Process Description

If the user name and password are correct, the server sends an Authentication Acknowledgment that includes information on the user's network system and service requirements. For example, the RADIUS server will tell the NAS that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol) or that the user needs SLIP (Serial Line Internet Protocol) to connect to the network. The acknowledgment can even contain filtering information to limit a user's access to specific resources on the network.

Page 25: RADIUS Basics: Process Description

If at any point in this log-in process conditions are not met, the RADIUS server sends an Authentication Reject to the NAS and the user is denied access to the network.

Page 26: RADIUS Basics: Process Description

To ensure that requests are not responded to by unauthorized persons or devices on the network, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.

Page 27: RADIUS Basics: Process Description

Once the server information is received and verified by the NAS, it enables the necessary configuration to deliver the right network services to the user.
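Slides 21, 26 and 27 describe the password hidden under the shared secret and the server's signature on its reply. The Python below is an added example, not from the slides or from any RADIUS implementation, showing how RFC 2138 does both: User-Password hiding with MD5 keyed by the shared secret and the Request Authenticator, and the Response Authenticator a NAS recomputes before trusting an Access-Accept. Attribute numbers follow the dictionary slide; the secret, password and addresses are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, PASSWORD, FRAMED_ADDRESS = 1, 2, 8  # attribute numbers from the dictionary slide

def password_xor(data, secret, request_auth, hiding):
    # RFC 2138 5.2 keystream: b1 = MD5(S + RA), b(n) = MD5(S + c(n-1)), XORed 16 octets at a time
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the ciphertext block
    return out

def hide_password(password, secret, request_auth):
    # NAS side: NUL-pad to a multiple of 16 octets (at least one block), then XOR with the keystream
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return password_xor(padded, secret, request_auth, True)

def unhide_password(hidden, secret, request_auth):
    # server side: same keystream, then strip the padding
    return password_xor(hidden, secret, request_auth, False).rstrip(b"\x00")

def attr(num, value):
    return struct.pack("!BB", num, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(user, password, secret, ident=1, request_auth=None):
    # NAS side: a fresh random 16-octet Request Authenticator and a hidden Password (attribute 2)
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the server's "signature" (slide 26)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(request, attrs, secret):
    ident, request_auth = request[1], request[4:20]
    signature = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + signature + attrs

def verify_response(response, request, secret):
    # NAS side (slide 27): reject a reply whose ID, length or Response Authenticator does not match
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return ident == request[1] and length == len(response) and hmac.compare_digest(expected, response[4:20])

def demo():
    secret = b"wP40cQ0"  # constructed value, not the key of any real NAS
    req = build_access_request(b"bob", b"ge55gep", secret)
    recovered = unhide_password(parse_attrs(req[20:])[PASSWORD], secret, req[4:20])
    accept = build_access_accept(req, attr(FRAMED_ADDRESS, bytes([217, 213, 21, 5])), secret)
    forged = accept[:-1] + bytes([accept[-1] ^ 1])  # one attribute octet altered in transit
    return recovered == b"ge55gep" and verify_response(accept, req, secret) and not verify_response(forged, req, secret)
```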

Page 28: RADIUS Basics: Essential Server Data

Client information: IP name, shared secret key, group assignment, special parameters, NAS type.

Page 29: RADIUS Basics: Essential Server Data

NAS/Client info is stored in a "clients" file or similar data structure:

# This file contains a list of clients
# which are allowed to make
# authentication requests and their
# encryption key. The first field is a
# valid hostname for the client.
# The second field (separated by blanks
# or tabs) is the encryption key.
#
#Client Name     Key
#----------------------------------
portmaster1      wP40cQ0
portmaster2      A3X445A
192.168.1.2      wer369st

Page 30: RADIUS Basics: Essential Server Data

Dictionary: definition of RADIUS attributes.
Assigns readable names to attribute numbers.
Types: String, Integer, IP Address, Date.

Page 31: RADIUS Basics: Essential Server Data

The dictionary is stored in a "dictionary" file or similar data structure:

# This file contains dictionary
# translations for parsing requests and
# generating responses. All transactions
# are composed of Attribute/Value Pairs.
# The value of each attribute is specified
# as one of 4 data types. Valid data types
# are:
# string  - 0-253 octets
# ipaddr  - 4 octets in network byte order
# integer - 32 bit value (high byte first)
# date    - 32 bit value - seconds since
#           00:00:00 GMT, Jan. 1, 1970

Page 32: RADIUS Basics: Essential Server Data

Dictionary (continued):

#                             Attr.  Attr.
#Keyword    Attribute Name    Num    Type
ATTRIBUTE   User-Name         1      string
ATTRIBUTE   Password          2      string
ATTRIBUTE   CHAP-Password     3      string
ATTRIBUTE   Client-Id         4      ipaddr
ATTRIBUTE   Client-Port-Id    5      integer
ATTRIBUTE   User-Service-Type 6      integer
ATTRIBUTE   Framed-Protocol   7      integer
ATTRIBUTE   Framed-Address    8      ipaddr
ATTRIBUTE   Framed-Netmask    9      ipaddr
...         ...

Page 33: RADIUS Basics: Essential Server Data

User information ("users" file): User-Name, Password, authentication method, check attributes, send attributes.

Page 34: RADIUS Basics: Essential Server Data

User data (Example 1):

bob   Password = "ge55ep"
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Framed-IP-Address = 255.255.255.254,
      Framed-IP-Netmask = 255.255.255.255,
      Framed-Routing = None,
      Filter-Id = "std.ppp",
      Framed-MTU = 1500

Page 35: RADIUS Basics: Essential Server Data

User data (Example 2):

bob   Password = "ge55gep", NAS-IP-Address = 192.168.1.54, NAS-Port-Type = ISDN
      Service-Type = Framed-User,
      Framed-Protocol = PPP

Page 36: RADIUS Basics: Essential Server Data

User data (Example 3):

bob   Password = "ge55gep", Caller-Id = "510-555-1212"
      Service-Type = Callback-Login-User,
      Login-IP-Host = 192.168.1.76,
      Login-Service = Telnet,
      Login-TCP-Port = 23,
      Callback-Number = "9,1-800-555-1234"

Page 37: RADIUS Basics: Accounting Start Record

Sun May 10 20:47:41 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Start
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282375"
    Acct-Authentic = RADIUS
    Caller-Id = "5105551212"
    Client-Port-DNIS = "5218296"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46

Page 38: RADIUS Basics: Accounting Stop Record

Sun May 10 20:50:49 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282353"
    Acct-Authentic = RADIUS
    Acct-Session-Time = 4871
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286
    Caller-Id = "5105551212"
    Client-Port-DNIS = "4218296"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46
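An added example (not from the slides) that pairs Start and Stop records in the layout shown above by Client-Id and Acct-Session-Id, totals the octets, and flags a Stop with no Start, a session with no Stop, and a session time that disagrees with the log timestamps. The log text is constructed: the alice record and the Stop timestamp are invented, the attribute names are the slides' own.

```python
from datetime import datetime

# Constructed accounting log in the layout of the Start/Stop slides: a timestamp line followed by
# indented attribute lines. The third record is a Stop with no matching Start.
LOG = """\
Sun May 10 20:47:41 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Acct-Status-Type = Start
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282375"

Sun May 10 22:08:52 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282375"
    Acct-Session-Time = 4871
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286

Sun May 10 21:15:00 1998
    User-Name = "alice"
    Client-Id = 206.171.153.11
    Acct-Status-Type = Stop
    Acct-Session-Id = "262282390"
    Acct-Session-Time = 120
"""

def parse_records(text):
    # Each record starts with an unindented timestamp line; attribute values lose their quotes.
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = {"timestamp": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")}
            records.append(current)
        else:
            name, _, value = line.strip().partition(" = ")
            current[name] = value.strip('"')
    return records

def correlate(records, tolerance=5):
    # Pair Start and Stop by (Client-Id, Acct-Session-Id); return per-session summaries and findings.
    sessions, findings = {}, []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        key = (rec["Client-Id"], rec["Acct-Session-Id"])
        session = sessions.setdefault(key, {"user": rec["User-Name"], "start": None, "stop": None})
        session[rec["Acct-Status-Type"].lower()] = rec
    for key, session in sessions.items():
        start, stop = session["start"], session["stop"]
        if start is None:
            findings.append(("stop-without-start", key))  # the Start was lost or never sent
        elif stop is None:
            findings.append(("still-open", key))          # no Stop yet: the user may still be online
        else:
            elapsed = (stop["timestamp"] - start["timestamp"]).total_seconds()
            reported = int(stop["Acct-Session-Time"]) + int(stop.get("Acct-Delay-Time", 0))
            if abs(elapsed - reported) > tolerance:         # NAS session time disagrees with the log clock
                findings.append(("session-time-mismatch", key))
            session["octets"] = int(stop["Acct-Input-Octets"]) + int(stop["Acct-Output-Octets"])
    return sessions, findings
```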

Page 39: RADIUS Basics: Proxy Services

A forwarding or "proxy" server can forward authentication and/or accounting requests to another server for handling.

In order to differentiate between requests that should be handled locally and those that should be forwarded, the NAI needs to be specially processed.

Page 40: RADIUS Basics: Proxy Services

The NAI (Network Access Identifier) is commonly called the userID.

In proxy and roaming situations the NAI is modified to include both the userID and a "realm" identifier.

The realm is a keyword indicating the server responsible for authenticating the userID.

Page 41: RADIUS Basics: Proxy Services

The standard way to send a userID and realm in the NAI is to separate them with an "@".

A typical proxy NAI looks like: user@realm

A proxy RADIUS server looks for the "@" in the NAI to determine whether it should handle the request or forward it.

Page 42: RADIUS Basics: Proxy Services

If no "@" is present, the entire NAI is assumed to be only a userID.

If an "@" is present, the NAI is split into two tokens (a userID and a realm label).

Page 43: RADIUS Basics: Proxy Services

The realm label is looked up in a local file or database to find the address of the server for the realm and the protocol (typically RADIUS) used to connect to it.

Although the realm label may look like a domain name (e-mail addresses are often used as NAIs), it is not safe to assume that.

Page 44: RADIUS Basics: Proxy Services

An example "realms" file might look like:

#realm     IP
#label     Address       Port   Protocol   Secret
homeco     167.24.12.5   1812   Radius     Don’t3v3rtell
biginiv    12.123.43.9   1645   Radius     js&yWpnfE2vuR

(A real realms file might contain much more information. Each vendor implements realm information differently.)

Page 45: RADIUS Basics: Proxy Services

A typical bilateral proxy model looks like:

Diagram: NAS -> RADIUS Proxy (Log; Realms File: homeco) -> RADIUS (Log, DB); replies flow back along the same path.
Access Request, NAS to proxy: UserID: bill@homeco, Password: mypass
Access Request, proxy to home RADIUS: UserID: bill, Password: mypass

Page 46: RADIUS Basics: Proxy Services

Bilateral relationships, with all the realm information stored in a local realms file or table, can be effective with a small number of roaming or proxy partners.

But the files must be changed each time there is a change in a server configuration.

Page 47: RADIUS Basics: Proxy Services

A consortium, or clearinghouse, solves that problem by having all proxy requests forwarded to it first.

The consortium maintains a list of all the server information for it’

Page 48: RADIUS Basics: Proxy Services

In the case of a roaming consortium or clearinghouse it may be necessary to add additional information to the NAI.

This is because each server in the proxy chain might strip off the realm before passing the request on to the next server.

Page 49: RADIUS Basics: Proxy Services

A common solution is to use the "/" as an additional separator.

In the case of a consortium called "cons" the NAI would look like: cons/user@realm

An actual NAI might be: infonet/[email protected]

Page 50: RADIUS Basics: Proxy Services

The first server may now strip off "cons" and forward the remaining two tokens: [email protected]

The consortium's server strips off the remaining realm and forwards the userID to the final server: rdperl
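The realm processing of slides 41 to 50, as an added example (not from the slides or from any vendor's server): one proxy hop strips the leftmost label ("cons/" first, then "@realm"), looks it up in that server's own realms table and forwards the remainder, rejecting rather than guessing when a label is unknown, as slide 43 cautions. The three realms tables, the 192.0.2.10 address and the placeholder secrets are constructed; the homeco and biginiv entries copy the realms-file slide.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RealmEntry:
    # one row of a "realms" file: where the server for a realm label lives and how to reach it
    address: str
    port: int
    protocol: str
    secret: str


@dataclass(frozen=True)
class Decision:
    action: str                        # "local", "forward" or "reject"
    nai: str                           # the NAI the next hop (or the local users file) will see
    target: Optional[RealmEntry] = None
    reason: str = ""


# Constructed realms tables in the shape of the slides' realms file; all secrets are placeholders.
ISP_REALMS = {"cons": RealmEntry("192.0.2.10", 1812, "Radius", "PLACEHOLDER-SECRET")}
CONSORTIUM_REALMS = {"homeco": RealmEntry("167.24.12.5", 1812, "Radius", "PLACEHOLDER-SECRET"),
                     "biginiv": RealmEntry("12.123.43.9", 1645, "Radius", "PLACEHOLDER-SECRET")}
HOME_REALMS = {}  # the home server forwards nothing; it checks "bill" against its own users file


def route(nai, realms):
    # One proxy hop: strip the leftmost label ("cons/" first, then "@realm") and look it up.
    if "/" in nai:                              # consortium prefix: "cons/user@realm"
        label, remainder = nai.split("/", 1)
    elif "@" in nai:                            # bilateral case: "user@realm" (last "@" wins)
        remainder, label = nai.rsplit("@", 1)
    else:                                       # no separator: the whole NAI is a local userID
        return Decision("local", nai)
    if not remainder or not label:
        return Decision("reject", nai, reason="empty userID or realm label")
    entry = realms.get(label.lower())
    if entry is None:                           # slide 43: a realm label is not a DNS name; do not guess
        return Decision("reject", nai, reason="unknown realm label %r" % label)
    return Decision("forward", remainder, entry)


def proxy_chain(nai, hops):
    # Trace one Access-Request through the servers in `hops`, each with its own realms table,
    # and return (action, NAI as seen after that hop) for every server it reaches.
    trace = []
    for realms in hops:
        decision = route(nai, realms)
        trace.append((decision.action, decision.nai))
        if decision.action != "forward":
            break
        nai = decision.nai
    return trace
```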

Page 51: RADIUS Basics: Proxy Services

A consortium proxy model looks like:

Diagram: NAS -> RADIUS Proxy (Log; Realms File: cons) -> RADIUS Proxy (Log; Realms File: homeco) -> RADIUS (Log, DB); replies flow back along the same path.
Access Request, NAS to first proxy: UserID: cons/bill@homeco, Password: mypass
Access Request, first proxy to consortium proxy: UserID: bill@homeco, Password: mypass
Access Request, consortium proxy to home RADIUS: UserID: bill, Password: mypass

Page 52: RADIUS Basics: Proxy Services: Editing Attributes

A proxy server may add, delete or modify the attributes that it forwards.

An IP address may be invalid on a given network, the maximum online time may be different, local filters may be required, etc.

Page 53: RADIUS Basics: Proxy Services: Editing Attributes

In cases where special control of attributes is required, bilateral relationships may work best.

A proxy server may also need to translate attributes intended for one brand of NAS into another brand's format (pools, filters, etc.).

Page 54: RADIUS Proxy Servers

Freeware
DTC - Radius 2.0 - NT/UNIX - (Japanese) http://www.dtc.co.jp/Radius2.0

Commercial
Shiva - Shiva Access Manager - 95/NT/UNIX http://athena.shiva.com/remote/radius
Open System Consultants Pty Ltd - Radiator - NT/UNIX http://www.open.com.au/radiator/
Microsoft - Microsoft Commercial Internet System (MCIS) - NT http://www.microsoft.com/mcis/guide/features.asp
Funk - Steel-Belted Radius - Netware/NT http://www.funk.com/Radius/
Vircom - Proxy & Roaming Radius Server (PRRS) - NT http://www.vircom.com/info/vprrsrel.htm
Novell - BorderManager - Netware http://www.novell.com/text/bordermanager/radius.html
Ascend Communications - "Access Control" - NT/UNIX http://www.ascend.com/324.html
Merit - Merit AAA Server - UNIX http://www.merit.edu/aaa/

Page 55: Other Authentication Protocols

TACACS (TACACS+ and XTACACS)
Developed by Cisco Systems for military applications. Originally used between a Cisco terminal server and a UNIX TACACS server.
Mostly replaced by RADIUS since Cisco added RADIUS support to its access products.
Still used for SecurID lookups since the SecurID (ACE) server supports TACACS. However, new releases of SecurID now support RADIUS.

Page 56: Other Authentication Protocols

SecurID ACE Server
Uses a "token" card with a One-Time-Password.
Can function as a stand-alone server (RADIUS or TACACS compatible).
Can also handle queries from a RADIUS server.
ACE server software is available for many platforms.
http://www.securitydynamics.com/solutions/products/asvrdata.html