SBR/SPE Training
  • Paul Funk is the owner. Funk Software started in 1982 with Sideways, which was bought by Lotus and then IBM. Since then it has developed other communications and networking applications such as Appmeter, Wanderlink, Proxy and Preside Radius (~1995 or 1996?), followed by a feature-rich version of the basic product, Preside Radius (~1998 or 1999?). Funk Software is a privately-owned company growing at a sustained rate, with a strong support and maintenance staff that offers different levels of support service. Support is also provided for evaluation versions of the software.
  • Remote Authentication Dial-In User Service, or RADIUS, is the standard for centralizing the authentication, authorization and accounting of remote access users. Briefly, here's how RADIUS works: When a user dials in to a remote access server, that server communicates with the central RADIUS server to determine if the user is authorized to connect to the LAN. The RADIUS server performs the authentication and responds with the result -- either an accept or a reject. If the user is accepted, the remote access server routes the user onto the network; if not, the RAS will terminate the user's connection. The RADIUS server also provides accounting services, if the remote access server can support this. With RADIUS, a network manager need only maintain a single, central database against which all dial-in authentication happens. This greatly eases the management burden associated with administering large numbers of dial-in users.
  • This means that we communicate using the language specified in these documents. Any RADIUS client or server must communicate using these standards, or they are not compliant. With the new 1.5 release, Preside Radius will be 100% fully compliant with these new standards.
  • A remote user needs to gain access to some aspect of a network. To accomplish this, there are three basic components: the user, the network control device (NAS/RAS), and the authentication/authorization/accounting server. Each of these components can be further broken down into more complex pieces, but this diagram represents the simplified version of each. The user dials in to their local ISP or other service provider. The NAS/RAS device answers the call and begins the username/password challenge process with the user. The user enters username and password information. The NAS/RAS then hands that information, along with any other vendor-specific information it is configured for, to a RADIUS server. The RADIUS server then attempts to authenticate that username/password combination from its list of authentication methods. The RADIUS server sends a message back to the NAS/RAS with an authentication response, either an accept or a reject. The NAS/RAS now knows what services to allow this user access to.
  • A Network Access Server (NAS) is a device that can recognize and handle connection requests from outside the network “edge.” When the NAS receives a user’s connection request, it may perform an initial access negotiation with the user (PPP or SLIP). This negotiation will establish certain data (username, password, NAS device identifier, NAS port number, and so on). The NAS will then pass this data to the RADIUS server and request authentication. Any device that communicates via the RADIUS standards can be considered a RADIUS client. These devices are capable of sending RADIUS packets to RADIUS servers; once they send a RADIUS packet, they wait for a response and then act on it. Preside Radius itself can be both a RADIUS client and a RADIUS server. Out of the box, Preside Radius supports most of the major NAS devices. Is there a new device that needs a special dictionary? Just add that name and dictionary information to the vendor.ini file and you'll have access to it in the make/model section when choosing a NAS device. Supported devices: 3Com; ADC Kentrox Pacesetter; Access Beyond RAM Rack; ACC Tigris and Amazon Servers; Alcatel; Altiga VPN Concentrator; Ascend; Assured Access Technology; Aventail; Bay Networks; BBN Dialinx; Bintec Bianca; Cabletron CyberSWITCH Family; Checkpoint Firewall-1; Cisco; Compaq Series 6000; Compatible Systems; CompuTone PowerRack and IntelliServer; Concentric RemoteLink Service; Digi LANAserver; Gandalf XpressConnect; Indus River Riverworks; Kasten Chase Optiva; Lantronix LRS; LeeMah Bandwagon; Livingston PortMaster; MichNet Shared Dial-in; Microsoft RRAS for Windows NT; New Oak; Nomadix USG; Nortel; Perle 833/833AS; Proteon GT-Secure; RADLINX PASSaPORT; Raptor Eagle; Redback; RedCreek RavlinSoft; Shiva; Stallion; ITK; NetBlazer; US Robotics NETServer; UUNet VIP Service; VPNet VPN Service Unit; Xylan; Zoom; and all "Standard RADIUS" compatible devices.
  • Authentication. How do we know you are who you say you are? Comparing usernames and password combinations against internal or external data stores is how we do it. In the case of Preside Radius, that match may be found: on the RADIUS server itself; on some other type of authentication server (ACE/Server or TACACS+); in an SQL or LDAP database; or on some other RADIUS server for which this server is a “proxy.”
  • Preside Radius is a flexible tool designed to interact with common legacy systems. Preside Radius will work within your existing architecture to leverage existing processes.
  • Standard with Preside Radius, add-on for Preside Radius/Enterprise
  • Java admin gui is also functional on NT. Copy contents of java directory to any other machine and run remotely to administer the UNIX host.
  • Standard with Preside Radius, add-on for Preside Radius/Enterprise
  • Sample .aut file for LDAP authentication: LDAP Bind, standard Netscape schema, profile determined by the IP address of the client NAS device.
  • The primary difference is that Bind uses more bandwidth, as it opens and closes a connection for every LDAP authentication request. BindName makes only one connection on start-up and then issues queries over it for each authentication request, which reduces network usage.
  • In the SQL statement, there needs to be a column named “ipaddress” in the usertable. In the LDAP Directory, there needs to be an attribute labeled “ipaddress” associated with the searched object.
  • Standard with Preside Radius, add-on for Preside Radius/Enterprise

SBR/SPE Training Presentation Transcript

  • Preside Radius
  • Main Menu
    • Introduction and Overview
    • Installation and Configuration
    • Monitoring and Logging
    • External Data Storage
      • LDAP
      • SQL Authentication
      • Accounting
    • Proxy RADIUS
    • Troubleshooting and Logging
    • Other Features
    • LCI
  • Introduction and Overview
  • Funk Software
    • Software Developer & Publisher
    • Founded 1982
    • Headquarter: Cambridge, MA
    • European Operations: Paris, France
    • Product focus
      • Access Security
      • Communications
  • Preside Radius
    • ...the short version
    • 100% fully IETF compliant RADIUS server
    • Easy administration GUI
    • Powerful, flexible accounting
    • Leverages existing SQL/LDAP databases
    • SecurID authentication
    • LDAP configuration interface
    • Load balancing
    • Concurrent access limits
  • RADIUS RFCs
    • Internet Engineering Task Force web site http://www.ietf.org/
    • Began as “Request For Comments”
    • Status now “Standards Track”
      • /rfc/rfc2865.txt - RADIUS Authentication
      • /rfc/rfc2866.txt - RADIUS Accounting
    • All standard attributes defined here
      • Both RFCs are dated June 2000
      • Previous RFCs (2138, 2139) are dated April 1997
  • Basic RADIUS Authentication Transaction
    • Access request
    • RADIUS client
    • RADIUS server
    (Diagram: User → NAS Device → RADIUS Server)
  • RADIUS Clients
    • PPP servers
      • Nortel/Ascend
      • Cisco Access Servers
    • VPN
      • Nortel Extranet Switch
    • Firewalls
      • Firewall-1, NetScreen
    • Back Office Software
      • Oracle 8i
    • Wireless
      • PDSN
      • GGSN
      • GSM
      • SGSN
  • RADIUS AAA Services
    • Authentication
      • Are the credentials correct?
      • Match username/password to profile
    • Authorization
      • Which services may be provided?
      • Use profile to validate user’s request
    • Accounting
      • Track usage during connection’s lifetime
      • Sort, filter, organize attributes
      • Send attributes anywhere (logfile, Proxy, SQL)
    • A device that “supports RADIUS” can receive and send RADIUS messages.
    • RADIUS messages contain RADIUS attributes.
    • Attributes = how information is exchanged
    • Messages Types:
      • Access-Request
      • Access-Reject
      • Access-Accept
      • Access-Challenge
    RADIUS Messages
      • Accounting-Start
      • Accounting-Stop
      • Accounting-Interim
      • Accounting-On
      • Accounting-Off
  • Standard Radius Authentication Attributes
    • Standard RADIUS authentication attributes are listed in RFC 2865
    User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific, Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port
  • Standard RADIUS Accounting Attributes
    • Standard accounting attributes are defined in RFC 2866
    Accounting-specific attributes: Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, Acct-Link-Count. RFC 2865 attributes that may also appear in accounting records: User-Name, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Vendor-Specific, Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port. User-Password, CHAP-Password, Reply-Message and State are authentication-only: RFC 2866 (section 5) says they MUST NOT be present in an Accounting-Request.
  • Vendor Specific Attributes
    • Vendors can create their own attributes that allow their devices to perform authorization functions and provide information relevant to the type of device (ppp, vpn, firewall, etc.)
      • Ascend-Disconnect-Cause
      • Cisco-AVPAIR
      • RB-Context_Name
      • PW_Tunnel_Authentication
    • All VSAs are defined in configurable text files (.dct files)
    • VSAs are non-standard (vendor-specific) information packaged into a format that is standard RADIUS
    • Preside Radius includes comprehensive dictionary lists for most devices on the market today
  • The Role of Attributes
    • Checklist attributes are present in the access-request message
      • “ Once the [nas] client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5” – RFC 2865 page 4.
    • Returnlist attributes are present in the access-response message
      • “ If all [checklist] conditions are met, the list of configuration values for the user are placed into an "Access-Accept" response. These values include the type of service (for example: SLIP, PPP, Login User) and all necessary values to deliver the desired service.” –RFC 2865 page 6.
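The transaction the two RFC quotes describe, as an added Python example (it is not Funk's or Preside Radius's code): the NAS builds an Access-Request with a random Request Authenticator and the RFC 2865 section 5.2 MD5 hiding of User-Password; the server recovers the password, matches it against a constructed native user entry, and answers with an Access-Accept carrying that user's return list, or an Access-Reject carrying a Reply-Message; the NAS then checks the Response Authenticator (RFC 2865 section 3). The shared secret, user, addresses and the Framed-IP-Address return list are constructed for illustration.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, both sides, pure Python (stdlib only)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 5, 8, 18
SECRET = b"s3cr3t-shared-with-nas"  # constructed shared secret; configured on both NAS and server
USERS = {"kevin": ("Test", [(FRAMED_IP_ADDRESS, socket.inet_aton("10.0.0.7"))])}  # constructed native user

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple; XOR each block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the NUL padding (a password ending in NUL is not representable)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    # Attribute = Type(1) Length(1, header included) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def client_access_request(secret, ident, username, password, nas_ip, nas_port):
    """NAS side. A fresh random Request Authenticator per request keeps hidden passwords from repeating."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)), (NAS_PORT, struct.pack("!I", nas_port))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(pkt, secret, users):
    """Server side: recover the password, check the user entry, answer with that entry's return list."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    entry = users.get(a.get(USER_NAME, b"").decode(errors="replace"))
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    if entry is not None and hmac.compare_digest(password, entry[0].encode()):
        code, ret = ACCESS_ACCEPT, entry[1]
    else:
        code, ret = ACCESS_REJECT, [(REPLY_MESSAGE, b"Unable to find user with matching password")]
    body = encode_attrs(ret)
    return build_packet(code, ident, response_authenticator(code, ident, body, req_auth, secret), ret)

def client_verify(resp, req_auth, secret):
    """NAS side: drop any reply whose Response Authenticator was not made with the shared secret."""
    code, ident, resp_auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, encode_attrs(attrs), req_auth, secret)
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: reply forged or altered in transit")
    return code, attrs

def transaction(username, password, secret=SECRET):
    # Full round trip; returns (code, return-list attributes) as the NAS sees them
    req, req_auth = client_access_request(secret, 1, username, password, "192.0.2.10", 3)
    return client_verify(server_handle(req, secret, USERS), req_auth, secret)

def tampered_reply_is_caught():
    # Flip an Accept into a Reject on the wire; the authenticator check must fail
    req, req_auth = client_access_request(SECRET, 2, "kevin", "Test", "192.0.2.10", 3)
    resp = bytearray(server_handle(req, SECRET, USERS))
    resp[0] = ACCESS_REJECT
    try:
        client_verify(bytes(resp), req_auth, SECRET)
    except ValueError:
        return True
    return False
```

The check in client_verify is what stops a host that does not hold the shared secret from answering a NAS with a forged Accept. It also shows why the secret's strength matters: with one captured request/response pair an attacker can test candidate secrets offline against the MD5, so a short or dictionary-word secret on the RAS Clients dialog is recoverable.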
  • Access Services... (diagram: Enterprise or Service Provider; Remote Users reach a RAS Server, VPN Router or Firewall, which queries Preside Radius; back ends Local, SQL, NT, LDAP, TACACS+)
  • Managed Services (diagram: Preside Radius at the Service Provider, linked over a T1 to the ISP, with a second Preside Radius behind the CPE router, firewall and/or VPN on the Enterprise LAN; Remote Users come in through RAS “A”, “B”, “C”; back ends NetWare Bindery, NetWare NDS, NT Domain, NT Host, ACE/Server, Local)
  • And … Wholesale Data Services (diagram: Remote Users dial Outsourced Modem Pools (UUNET) through RAS “A”, “B”, “C”; Preside Radius acts as PROXY to Virtual ISPs “A”, “B”, “C” over the Private Network/Internet; back ends Native, SQL, LDAP, TACACS+, NT Domain)
  • BSAC
    • Fully compliant RADIUS server
    • Easy administration GUI
    • Powerful, flexible accounting log
    • Accounting to SQL databases
    • Authentication against SQL databases
    • Authentication against LDAP directories
    • Authentication against token systems (SecurID, TACACS+)
    • SecurID token caching
    • Authentication against local O/S
    • Concurrent connection limits
    • Expired NT domain passwords
    • LDAP Configuration Interface available
    • Basic Proxy RADIUS functionality
  • Preside Radius
    • Built on the scale required by ISPs
    • Advanced Proxy RADIUS features
    • Directed authentication, accounting
    • Advanced accounting log features
    • SNMP support (Solaris)
    • perfmon counters and events (Windows NT)
    • SQL, LDAP load balancing
    • Authorization based on time of day
    • Request routing by attribute values
    • Administrative access levels
    • Auto-restart of the server
    • LDAP Configuration Interface built-in
    • Concurrency Server available
  • Preside Radius ISP Features
    • Preside Radius provides many features that help ISPs (and others) deliver and bill for services.
    • Time of day
    • Acct-Status-Types
    • Attribute aliasing
    • Configurable accounting log
    • Activity log levels
    • Auto-detect make/model
    • Auto-restart server
    • User-Name validation
    • Administrative access levels
    • Event configuration (NT only)
  • Data Storage Options
  • Preside Radius’s Authentication Options
    • Preside Radius
      • Native Database
    • SQL Databases
      • Oracle
      • Informix
      • ODBC-compliant (NT only)
    • Authentication Servers
      • TACACS+
      • SecurID
      • Other token systems
    • LDAP Directories
      • Netscape
      • MS Active Directory
      • Merit
    • Host O/S Databases
      • NT Domain
      • NT Host
      • Solaris
  • SQL Authentication
    • Any RADIUS attribute can be retrieved from an SQL column
    • Any SQL column can be mapped to a RADIUS attribute and returned in the response
    • All data remains in the SQL database
    (Diagram: User → NAS → RADIUS Server → SQL Server)
  • LDAP Summary
    • Any RADIUS attribute can be part of the LDAP query
    • Any LDAP object can be mapped to a RADIUS attribute and returned in the response
    • Lightweight Directory Access Protocol standard
    • An example of an “off-line” directory is the phone book or mail-order catalogue.
    • Suited to reference data (“read from” much more often than it is “written to”).
    • Very flexible, both in looking up data and in changing the types of information stored.
    • All data remains in LDAP database
  • SecurID Summary
    • Token card system
    • Generates new credentials each login
    • ACE/Server authenticates credentials
    • Preside Radius can pass-through to ACE/Server
    • Detailed configuration necessary
    • New Pin/Next Token
    • Support of other token systems
  • Host O/S Databases
    • NT Domain & Host
    • Solaris Password File & NIS
    • Netware NDS & Bindery
  • Accounting
    • Acct-Session-ID
      • Connection’s unique identifier
      • Matches STARTs and STOPs
    • Acct-Status-Type
      • Start, Stop, Interim, On, Off
    • Framed-IP-Address
      • IP address of user’s connection
      • Authentication, accounting attribute
    • User-Name
      • The account using the network
      • Authentication, accounting attribute
    • Acct-Session-Time
      • For how many seconds did the user receive service?
      • TIME = MONEY
    • Acct-Input-Packets, Acct-Output Packets, Acct-Input-Octets, Acct-Output-Octets
      • What was the volume of network traffic generated by the user?
      • TRAFFIC = MONEY
    • A billing system requires these fundamental attributes:
    • Other attributes (including VSAs) provide additional detail
  • SQL Accounting
    • Preside Radius lets you write to an SQL database the specific accounting information that you want to maintain
    • INSERT is the query used to write to the database
    • Any RADIUS accounting attribute listed in Preside Radius’s account.ini file can be used in the INSERT statement
    • Preside Radius can write the transaction time, full username, NAS name, session time, and record type to the database
  • LCI LDAP Command Interface
    • LDAP Schema mapped onto native database
    • Using LCI commands:
      • Change passwords, authentication methods
      • Add clients, users, tunnels, IP pools
      • Search current user list
    • Find and modify any aspect of Preside Radius that the administrative program provides
      • ldapsearch.exe
        • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
      • ldapmodify.exe
        • ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
      • ldapadd.exe
        • ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
      • Note: -w puts the LCI administrator password on the command line, where other users on the host can read it from process listings and shell history. Restrict who can run these commands and treat that password as an administrative credential.
  • Installation and Configuration
  • Installation Files
    • CD is cross-platform
    • Unix: expand tar file, run install.sh script
      • No compiling. Install script will unpack all directories and files, guide you through the configuration, and start the radius process.
      • Open web browser to the /radadmin/java/index.html to launch admin application.
    • NT: Run the setup.exe file.
      • Setup.exe installs Radius directory, expands files, starts the Preside Radius process, and launches admin application.
  • Servers Dialog
  • RAS Clients Dialog
    • name
    • IP address
    • … on both sides, client and server!
    • shared secret
    • UDP port
  • Make/Model
    • Determining make/model of RADIUS client:
      • NAS-IP-Address matches a RAS Client entry OR
      • Auto-detect matches any attribute to make/model
    • Benefits of make/model
      • Identifies correct attribute dictionary
      • Enables vendor-specific configuration help
    • Make/model field in Administrator GUI
    • Profiles and make/model
      • Profiles can reference various VSAs
      • Only the current device’s VSAs are used
      • “ Other” VSAs filtered out at request time
    • - Standard Radius - safe choice, all clients
  • Make/Model Examples
    • list box
    • help file
    • dictionary (.dct) files
    • vendor.ini file
  • Attribute Dictionaries
    • dictiona.dcm
      • Inventory of all available attributes
      • Includes all *.dct files
    • radius.dct
      • Standard RADIUS attributes AND
      • Funk Radius VSAs
    • *.dct
      • Vendor-specific attributes: Name, ID, length, type, valid values, usage
      • One file per vendor
      • Each file can be edited
      • New *.dct files can be added
  • Users Dialog
    • User type (native vs external)
    • Password
    • Attributes vs Profile
    • Concurrency
  • Types of User
    • Native
    • NT Domain
    • NT Host
    • UNIX User
    • UNIX Group
    • SecurID
    • TACACS+
  • RADIUS Attributes
    • Check List (Access-Request)
      • A List of criteria that a user must satisfy, in addition to providing a password, before Preside Radius will authenticate them
    • Return List (Access-Accept)
      • A list of information that Preside Radius passes back to the NAS once the user has been authenticated. Return List Attribute requirements are defined by the NAS.
    • Accounting (Acct-Request)
      • Additional information sent from the NAS to the Preside Radius server for accounting purposes.
  • Profiles Dialog
    • Design a Template for each class of user.
  • Profile Examples
    • Basic Dial-In
    • Advanced Dial-In
    • Free Access
    • Basic Tunnel
  • Proxy Dialog
    • name
    • IP address
    • … on both sides, target and proxy!
    • shared secret
    • UDP port
  • Tunnel Dialog
    • Tunnel attribute storage
    • DNIS recognition
    • Tunnel support for specific vendor equipment handled through Users Dialog
  • IP/IPX Pools Dialog
    • Configure Multiple Pools
    • Create multiple ranges per pool
    • Associate with users, profiles, or NAS
  • Access Dialog
    • Configure Preside Radius administrators based on domain authentication
  • Configuration Dialog
    • Authentication Methods List
    • Activate, Deactivate, Sort
    • Reject Messages
    • Log File Storage
    • Tunnel Name Parsing
  • Statistics Dialog
  • Current Users Dialog
  • Preside Radius Data Portability
    • Import/Export
    • Database Files
    • LDAP Configuration Interface
  • Import/Export
    • In Preside Radius Admin
    • Stores all data configured in Admin GUI
    • Creates RIF File
    • Import ASCII files
    • Cross Platform
  • Database Files
    • Preside Radius NT & Netware
      • radads.dat
      • radclnt.dat
    • Preside Radius Solaris
      • radiusdata.d01
      • radiusdata.d02
      • radiusdata.d03
      • radiusdata.dbd
      • radiusdata.k01
      • radiusdata.k02
  • LCI LDAP Command Interface
    • Change Passwords
    • Add clients, users
    • Add tunnels, IP pools
    • Search current user list
    • Find and modify any aspect of Preside Radius that the administrative program provides
      • ldapsearch.exe
        • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
      • ldapmodify.exe
        • ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
      • ldapadd.exe
        • ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
  • Monitoring and Logging
  • Tools
    • Activity Logs
    • Accounting Logs
    • Statistics Dialog
    • Current Users
    • Reporting
    • Windows NT Performance Monitor
    • Windows NT Events
    • SNMP Support
    • Using The LCI For Reporting
  • Activity Log
    • yyyymmdd.log
    • typical entries
      • Sent accept response for user X to client Y
      • Unable to find user X with matching password
      • Sent reject response
      • Shutting down RADIUS Authentication Server
      • Starting RADIUS Authentication Server
  • Activity Log Details
    • All Preside Radius information is in a daily log file (yyyymmdd.log)
    • radius.ini controls the level of logging detail in its [Configuration] section
      • LogLevel =
        • 0 = production (sparse)
        • 1 = informational (medium)
        • 2 = debug (verbose)
      • TraceLevel =
        • 0 = no packet tracing
        • 1 = parsed contents of packets are logged
        • 2 = raw contents of packets are logged
    • Kept for a number of days set in [Configuration] section of radius.ini
  • Accounting Log Details
    • All Preside Radius accounting information is in a daily log file (yyyymmdd.act)
    • Accounting transactions are also logged to the authentication log file, since accounting start and stop messages impact users’ active sessions
    • account.ini controls the attributes logged
    • Kept for a number of days set in [Configuration] section of radius.ini
    • Comma-separated format for easy importing into other databases or spreadsheet applications
      • Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type are built in to native accounting
      • All standard RADIUS attributes are listed next by default
      • Depending on the device configured, any VSAs are listed after that
      • Edit account.ini to add/remove any accounting information logged
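The pairing logic the Accounting slide describes (Acct-Session-Id matching STARTs and STOPs, Acct-Session-Time and the octet counters turning into money) run over a comma-separated daily log of the shape described above, as an added Python example. It is not Preside Radius code; the header spellings, sample rows and billing rates are constructed for illustration.

```python
"""Pair Start/Stop records from a daily accounting (.act) log and total billable usage."""
import csv
import io
from datetime import datetime

# Constructed sample of a comma-separated daily accounting log. Column order follows the
# description above (Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type, then RADIUS
# attributes); the exact header spellings are an assumption, not Preside Radius's own.
SAMPLE_ACT = """\
Date,Time,RAS-Client,Record-Type,Full-Name,Auth-Type,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,Acct-Input-Octets,Acct-Output-Octets,User-Name,NAS-IP-Address,NAS-Port,Framed-IP-Address
20000614,09:00:00,ras-a,Start,kevin,Native,Start,3A001,,,,kevin,192.0.2.10,3,10.0.0.7
20000614,09:05:12,ras-a,Start,mel,Native,Start,3A002,,,,mel,192.0.2.10,4,10.0.0.8
20000614,09:30:00,ras-a,Stop,kevin,Native,Stop,3A001,1800,1048576,5242880,kevin,192.0.2.10,3,10.0.0.7
20000614,09:30:03,ras-a,Stop,kevin,Native,Stop,3A001,1800,1048576,5242880,kevin,192.0.2.10,3,10.0.0.7
20000614,09:40:00,ras-a,Stop,nicole,Native,Stop,3A003,600,2048,4096,nicole,192.0.2.10,5,10.0.0.9
20000614,10:00:00,ras-b,Start,pat,Native,Start,3A001,,,,pat,192.0.2.11,1,10.0.1.2
20000614,10:10:00,ras-b,Stop,pat,Native,Stop,3A001,600,512,1024,pat,192.0.2.11,1,10.0.1.2
"""


def parse_act(text):
    return list(csv.DictReader(io.StringIO(text)))


def _stamp(row):
    return datetime.strptime(row["Date"] + row["Time"], "%Y%m%d%H:%M:%S")


def pair_sessions(rows):
    """Match Starts to Stops. The key is (NAS-IP-Address, Acct-Session-Id): the id is only
    unique per NAS, so two devices may legitimately emit the same value (3A001 above)."""
    sessions, duplicates = {}, 0
    for row in rows:
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        s = sessions.setdefault(key, {"user": row["User-Name"], "start": None, "stop": None,
                                      "seconds": 0, "in_octets": 0, "out_octets": 0})
        kind = row["Acct-Status-Type"]
        if kind == "Start" and s["start"] is None:
            s["start"] = _stamp(row)
        elif kind == "Stop" and s["stop"] is None:
            s["stop"] = _stamp(row)
            s["seconds"] = int(row["Acct-Session-Time"] or 0)
            s["in_octets"] = int(row["Acct-Input-Octets"] or 0)
            s["out_octets"] = int(row["Acct-Output-Octets"] or 0)
        elif kind in ("Start", "Stop"):
            duplicates += 1  # NAS retransmitted a record it never saw acknowledged; bill it once
    for s in sessions.values():
        if s["start"] and s["stop"]:
            s["status"] = "closed"
            # Acct-Session-Time should agree with the Start/Stop gap (allowing for Acct-Delay-Time)
            gap = (s["stop"] - s["start"]).total_seconds()
            s["time_mismatch"] = abs(gap - s["seconds"]) > 60
        elif s["start"]:
            s["status"] = "open"  # still online, or the Stop was lost: not billable yet
        else:
            s["status"] = "stop_without_start"  # Start was lost; the Stop alone still carries the usage
    return sessions, duplicates


def bill(sessions, cents_per_minute=2, cents_per_megabyte=5):
    """TIME = MONEY and TRAFFIC = MONEY: per-user totals in cents for sessions that have a Stop."""
    totals = {}
    for s in sessions.values():
        if s["status"] == "open":
            continue
        minutes = s["seconds"] / 60
        megabytes = (s["in_octets"] + s["out_octets"]) / 2 ** 20
        totals[s["user"]] = totals.get(s["user"], 0) + round(minutes * cents_per_minute + megabytes * cents_per_megabyte)
    return totals


def summarize(text=SAMPLE_ACT):
    """Parse the log, pair the records and return (sessions, duplicate_count)."""
    return pair_sessions(parse_act(text))
```

The three failure modes worth watching in a real log are the ones the sample rows exercise: a retransmitted Stop (bill once, not twice), a Start with no Stop (the user is still online or the Stop was lost, so do not bill yet), and a Stop with no Start (the Start was lost, but the Stop still carries the session time and octets).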
  • Log File Errors
    • Errors can be looked at from two perspectives
      • Information contained within a packet may be a source of error
      • Information relative to Preside Radius itself and its connections may be a source of error
    • Use Tracelevel=1 or 2 for logging to decode packet errors
    • Use Loglevel=1 or 2 for explanatory Preside Radius application errors
  • Statistics Dialog
  • Statistics
    • Authentication Requests
    • Accounting Requests
    • Proxy Requests
    • Transactions, Details, Silent Discards
  • Current Users Dialog
  • Current Users
    • Quick View
      • Username
      • RAS Client
      • Port
      • Time
      • Session-ID
      • IP Address
    • Preside Radius receives an authentication request
      • Generates a phantom record
      • When an accounting message comes in that matches the authentication record, the phantom record is deleted
      • Match is based on NAS IP address and NAS port
  • Reporting
    • Create an RTF report file composed of the selected items.
    • Information is polled from all aspects of Preside Radius
  • Performance Monitor
    • Run perfmon.exe on the administrative workstation
    • Add Preside Radius service as an object to the chart items
    • Add any of the Preside Radius counters needed
    • Acct-Starts, Auth-Requests, Sessions Online, etc.
  • Windows NT Events
    • Event Service types:
      • Core event relating to the functioning of Preside Radius itself
        • RADCAT_CORE
        • ID=1
      • Events relating to the authentication service
        • RADCAT_AUTH
        • ID=2
      • Events relating to the accounting service
        • RADCAT_ACCT
        • ID=3
  • Severity of Preside Radius Events
    • Informational Events
      • Service has started
      • Service has stopped
    • Warning Events
      • Count of available threads has dropped below nnnn.
      • Amount of free file system space has dropped below minimum threshold
    • Error Events
      • Unable to create thread
      • The connection to Accounting Server has failed
  • SNMP Support
    • Requires Solstice Enterprise Agent (SEA)
      • http://www.sun.com/solstice/products/ent.agents/prod_spec.html
    • Preside Radius acts as a subagent
    • Three MIB files that get copied to the SNMP Manager
      • rauths.mib, raccs.mib, and fnkradtr.mib
    • Queries are defined in the rauths and raccs mib files
    • Traps and alarms are defined in the fnkradtr mib file
      • Informational, Warning, and Error messages
      • Similar to Windows NT Events
    • Events.ini configures the reporting options. Can dilute (reduce the frequency) reporting of common events
  • LCI Reporting Options
    • Use the LCI to report current users by client, IP address, Session ID, full name:
      • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" client=*
      • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" ipaddressfrompool=*
      • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" acct-session-id=*
      • ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*
  • LDAP
  • LDAP Summary
    • Lightweight Directory Access Protocol
    • A “directory” is a specialized database
    • An example of an “off-line” directory is the phone book or mail-order catalogue.
    • Suited to reference data (“read from” much more often than it is “written to”).
    • Very flexible, both in looking up data and in changing the types of information stored.
  • LDAP Authentication
    • RADIUS client
    • Preside Radius
    • LDAP database server
    (Diagram: User → NAS → RADIUS Server → LDAP Server)
  • LDAP Authentication
    • You have user data in an LDAP database.
    • Create an .aut file that (1) BINDs Preside Radius to an LDAP database and (2) issues a SEARCH query to retrieve the password, based on the username.
    • Name the authentication method (InitializationString = <LDAPName>)
    • Stop and restart the Preside Radius server.
    • Enable, disable, and re-order the <LDAPName> method in the Preside Radius Administrator, Configuration Dialog, Authentication Methods list.
    • Reference the <LDAPName> method from a directed realm.
  • Secondary LDAP Searches
    • Issue an additional search based on whether a search did or did not find the user in the initial search base
    • An OnFound section executes a secondary search after the first returns found
      • Execute second search based on parameters from original search and parameters from original access-request message
      • Execute a search for additional parameters in another branch of the LDAP directory based on the found user
    • An OnNotFound section executes a secondary search after the first returns not found
      • Execute a search on a separate branch of the LDAP directory in a secondary attempt to validate the user
  • Decision Tree Processing
    • Based on OnFound and OnNotFound portions of an LDAP authentication method
    • Develop a process as complex as necessary to suit organization’s needs
    (Decision-tree diagram: Execute initial search → Found? If yes: DSL subscriber? If yes, return DSL profile; if no: Dial-up subscriber? If yes, $ACCEPT; if no, $REJECT. If not found: search an alternate branch → Found? If yes, $ACCEPT; if no, $REJECT.)
  • Bind vs. BindName
    • Bind
      • Connect to directory as the dial-in user
      • The connection has this user’s rights
    • BindName
      • Connect to directory as the same user for all filters; for example an administrative account
      • Directory view does not change from transaction to transaction
  • LDAP Bind Example
    • LDAP Bind
    • Standard Netscape schema
    • Same profile ( TheUserProfile ) for all Accepts
    • [Response] section could be empty: return no attributes in an Accept
  • LDAP BindName Example
    • BindName using an administrative account
    • LDAP Search for user’s stored credentials
    • Standard Netscape schema
    • RAS Client is Ascend device
    • DNIS callback number returned with Accept
  • LDAP References
    • Understanding and Deploying LDAP Directory Services
      • 1999 - Timothy A. Howes, Mark C. Smith, Gordon S. Good
        • Comprehensive
        • Easy to read
        • Defines key terms
    • Openldap.org
      • http://www.openldap.org/
    • Netscape
      • http://developer.netscape.com/software/tools/index.html?content=ldap.html
      • http://www.iplanet.com/downloads/download/index.html
  • SQL Authentication
  • SQL Authentication
    • RADIUS client
    • Preside Radius
    • SQL database server
    • Any RADIUS attribute can be retrieved from SQL
    • Any SQL column can be returned in the response
    (Diagram: User → NAS → RADIUS Server → SQL Server)
  • SQL Summary
    • Structured Query Language
    • A way to read from/write to databases
    • Tried and trusted, it’s everywhere
    • Suited to fast-changing data (frequent r/w )
    • Inflexible format (rows and columns only)
    • Map SQL columns to any RADIUS attribute
  • SQL Configuration
    • You have user data in a SQL database.
    • Create an .aut file that (1) connects to the SQL database and (2) issues a SELECT query to retrieve the password, based on the username.
      • Username, password, profile, as well as any desired attribute stored in database
      • Execute stored procedures in MSSql, stored functions in Oracle
    • Name the authentication method (InitializationString = <SQLName>)
    • Enable the .aut file (Enable = 1)
    • Stop and restart the Preside Radius server.
    • Activate, deactivate, and re-order the <SQLName> method in the Preside Radius Administrator, Configuration Dialog, Authentication Methods list.
  • SQL SELECT
    • SELECT is used in the authentication process to retrieve information from the database.
    • Preside Radius uses the SELECT statement to return the user’s password, stored in the external database.
    • If the password returned from the external database matches the password received in the Access-Request for the user, Preside Radius will accept the connection.
    • Sample syntax:
  • SELECT Examples
    • SQL Table
    • Retrieve only the password from the database:
    • Retrieve password and profile from the database:
    • Authenticate user only if user’s account is paid:
    • In each case:
      • What if the Access-Request contains the credentials Kevin/Test ?
      • What if the Access-Request contains the credentials Mel/Test3 ?
      • What if the Access-Request contains the credentials Nicole/Test4 ?
  • Stored Procedures: Authentication
    • Support of execution of stored procedures in MSSql 7
    • Authentication Example:
      • SQL=EXECUTE authenticate_user %name/20s, %password/20s
    • Returns a profile with the following stored procedure:
        CREATE PROCEDURE authenticate_user
            @username varchar(20), @password varchar(20)
        AS
            SELECT userprofile FROM usertable
            WHERE username = @username
              AND password = @password
  • Stored Procedures: Accounting
    • Support of execution of stored procedures in MSSql 7
    • Inserts accounting data into accounting table:
      • SQL=EXECUTE add_account %transactiontime/20s, @user-name/21s,
            @Acct-Session-ID/12s, @NAS-IP-Address/15s, @NAS-PORT-TYPE/5s,
            @FRAMED-IP-ADDRESS/15s, @calling-station-id/12s, @called-station-id/12s,
            %TYPE/4s, @ACCT-SESSION-TIME/14s, @ACCT-TERMINATION-CAUSE/12s
  • Stored Functions in Oracle: Authentication
    • Support of execution of stored functions in Oracle
    • Authentication Example:
      • SQL=SELECT authenticate_user(%name/20s, %password/20s) FROM DUAL
    • Returns a profile with the following stored function:
        CREATE OR REPLACE FUNCTION authenticate_user (un IN VARCHAR2, pw IN VARCHAR2)
        RETURN VARCHAR2 IS
            profile LONG;
        BEGIN
            SELECT userprofile INTO profile FROM usertable
            WHERE username = un AND password = pw;
            RETURN profile;
        END authenticate_user;
        /
  • Stored Functions in Oracle: Accounting
    • Support of execution of stored functions in Oracle
    • Inserts accounting data into accounting table:
      • SQL=SELECT add_account(%transactiontime/20s, @user-name/21s,
            @Acct-Session-ID/12s, @NAS-IP-Address/15s, @NAS-PORT-TYPE/5s,
            @FRAMED-IP-ADDRESS/15s, @calling-station-id/12s, @called-station-id/12s,
            %TYPE/4s, @ACCT-SESSION-TIME/14s, @ACCT-TERMINATION-CAUSE/12s) FROM DUAL
  • Common SQL Tech Notes
    • RD260: Setting up Steel-Belted Radius-NT ODBC to a MS-SQL Server database (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/104dab75b858c53f852566b80054d15a?OpenDocument)
    • RD212: Oracle SQL setup for Steel-Belted Radius-UNIX 2.10 (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/b5ef55bf97feb5d185256604006f2251?OpenDocument)
    • RD211: Informix SQL setup for Steel-Belted Radius-UNIX 2.10 (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/7fcd8f3a44905a8285256604006ed591?OpenDocument)
    • RD272: Steel-Belted Radius rejects SQL users when the password field is defined as 'char' type (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/5ba7f5d40c0981db852566c1001cbb17?OpenDocument)
    • RD298: SQL configuration files: database connectivity options (http://198.186.160.88/technote.nsf/93d5a611e8cf6ccf8525667f0066e926/afe3aad0b7908f538525672100598443?OpenDocument)
  • SQL References
    • The Practical SQL Handbook: Using Structured Query Language
      • 3rd ed. 1996 - Judith S. Bowman, Sandra L. Emerson, Marcy Darnovsky
      • Includes sample software on CD-ROM
      • Cross-references different SQL products:
    • Oracle
      • http://technet.oracle.com/docs/index.htm
    • Microsoft
      • http://www.microsoft.com/sql/default.htm
    • Generic Introduction to SQL:
      • http://w3.one.net/~jhoffman/sqltut.htm
  • Accounting
  • SQL Accounting
    • You have billing records in a SQL database.
    • Create an .acc file that (1) connects to the SQL database and (2) issues an INSERT query that writes accounting data to it.
    • Name the accounting method (InitializationString = <SQLName>).
    • Enable the <SQLName> accounting method (Enable = 1).
    • Stop and restart the Preside Radius server.
    • Optionally, you may reference <SQLName> from a directed realm.
  • RADIUS Accounting Attributes
    • On • Off
      • These messages tell us about the NAS device.
      • They provide information about the startup or shutdown of a RADIUS client.
      • They enable Preside Radius to notify devices and management tools on the network about the status of the RADIUS client.
    • What do they tell us? How are they used?
    • Start • Stop • Interim
      • These messages tell us about the user.
      • When a user starts to receive service on the network, these messages provide type-of-connection and other activity information. They give “notice” when the user has stopped using the network.
      • These messages enable us to account for network usage and bill for “consumptive” use. (Flat-rate, monthly billing does not require accounting.)
  • SQL INSERT
    • Preside Radius lets you write to an SQL database the specific accounting information that you want to maintain.
    • INSERT is the query used to write to the database.
    • Any RADIUS accounting attribute listed in Preside Radius’s account.ini file can be used in the INSERT statement.
      • @AttributeName
    • Preside Radius also can write the transaction time, full username, NAS name and record type to the database.
      • %Value
    • Sample syntax:
  • Accounting and Billing
    • A rudimentary billing system requires only these attributes:
    • Acct-Session-ID
      • Connection’s unique identifier
      • Matches STARTs and STOPs
    • Acct-Status-Type
      • Start, Stop, Interim, On, Off
    • Framed-IP-Address
      • IP address of user’s connection
      • Authentication, accounting attribute
    • User-Name
      • The account using the network
      • Authentication, accounting attribute
    • Acct-Session-Time
      • For how many seconds did the user receive service?
      • TIME = $MONEY$
    • Acct-Input-Packets, Acct-Output Packets, Acct-Input-Octets, Acct-Output-Octets
      • What was the volume of network traffic generated by the user?
      • TRAFFIC = $MONEY$
    • Other attributes (including VSAs) provide additional detail.
  • INSERT Examples
    • SQL Table
    • A simple INSERT statement might capture:
      • The time of the transaction
      • The username
      • The NAS to which the user connected
      • The type of accounting message
      • The total connect time
    • Expect to create complex INSERT statements like these:
  • Native Accounting Log File
    • yyyymmdd.ACT
    • comma-delimited
    • typical entry (a single line)
  • Proxy Radius
  • Why Proxy RADIUS?
    • Enables outsourcing
    • Customer info stays @ realm
      • The larger carrier does not get it
      • Customer keeps control of its own data
    • Users of Proxy RADIUS
      • AOL, MSN, Compuserve
      • iPass
      • Any organization looking to sell wholesale network access
  • Proxy RADIUS • BSAC
    • BSAC Radius receives request (User-Name = [email_address] )
    • BSAC Radius forwards request to server Funk
    • Target server authenticates request (User-Name = Carol )
    • All realms are treated the same way
  • Proxy RADIUS • Preside
    • Options, options, options...
  • Proxy RADIUS • Preside
    • Preside Radius receives request
      • User-Name = [email_address]
    • Preside Radius checks if it’s hosting the realm
      • If so, Preside Radius authenticates the request
      • If not, the request is forwarded to realm Funk (realm Funk must exist)
    • Various options are applied to request
    • Request is authenticated
      • User-Name = Carol OR
      • User-Name = [email_address]
  • Preside Proxy Features
    • Customer requirements not all the same
    • “Sense of self”
      • Support for wholesaling
      • Hosting RADIUS services
    • Different ways of routing
      • Username prefix and suffix support
      • DNIS routing
      • Routing by any attribute
      • Multiple hops
    • Realm-specific configuration options
  • Preside Proxy Features
    • Customer requirements not all the same
    • Multiple targets
      • Redundancy
      • Load balancing
      • Failure options
    • Username handling
      • First Proxy might not be the final stop
      • Outsourcing by the outsourcer
    • Attribute filters
  • Directed Authentication and Accounting Methods
    • Simplify hosting of RADIUS services
    • Permit prefix, suffix, or DNIS routing
    • Enable individual accounting files for each customer
    • Remove requirement for additional RADIUS servers (permit a unique RADIUS configuration for each customer on the same server)
    • Leverage investment in SQL or LDAP
    • Promote savings on hardware, software, support/maintenance, training, and facilities
  • Why Directed Methods?
    • Directed Authentication
      • Carriers can host AAA servers for their customers
      • Each realm:
        • Points to a specific auth method only
        • May have specific auth order list
      • @Ford attempted against Ford’s database only!
    • Directed Accounting
      • Customer records handled separately in logfiles or SQL db
      • Simplifies delivery of accounting information to the customer (no Proxy RADIUS needed at customer site)
  • Directed Methods Licensing
    • 10 licenses with Preside Radius
    • Each directed method consumes 1 license
    • Authentication, accounting methods are counted individually:
      • 6 authentication plus 4 accounting = 10
      • 1 accounting plus 9 authentication = 10
    • Additional 5-packs available
    • Add licenses without re-installing Preside Radius
  • Filters
    • When directing messages to and from Preside Radius realms, filters can be applied that place or remove attribute information into or from the message
      • filter.ini defines all filter names and filter rules
      • Filter names are referenced from realm configuration files: <realmname>.pro and <realmname>.dir
  • Filter Options
    • Create Allow, Exclude, or Add attribute rules in filter.ini
        [filtername]
        Allow
        Exclude NAS-Identifier
        Add Idle-Timeout 60
    • Reference filter names in realm .pro/.dir files
        [Auth]
        FilterIn=filtername1
        FilterOut=filtername2
        [Acct]
        FilterIn=filtername3
        FilterOut=filtername4
  • Troubleshooting and Logging
  • Process
    • Find out what happened (logs)
    • Remove Preside Radius from the picture
    • Use configuration checklists
    • Use system tools (perfmon, top, event viewer, etc...)
  • Activity Log
    • yyyymmdd.log
    • typical entries
      • Sent accept response for user X to client Y
      • Unable to find user X with matching password
      • Sent reject response
      • Shutting down RADIUS Authentication Server
      • Starting RADIUS Authentication Server
  • Activity Log Details
    • All Preside Radius information is in a daily log file (yyyymmdd.log)
    • radius.ini controls the level of logging detail in its [Configuration] section
      • LogLevel =
        • 0 = production (sparse)
        • 1 = informational (medium)
        • 2 = debug (verbose)
      • TraceLevel =
        • 0 = no packet tracing
        • 1 = parsed contents of packets are logged
        • 2 = raw contents of packets are logged
    • Kept for a number of days set in [Configuration] section of radius.ini
  • Accounting Log Details
    • All Preside Radius accounting information is in a daily log file (yyyymmdd.act)
    • Accounting transactions are also logged to the authentication log file, since accounting start and stop messages impact users’ active sessions
    • account.ini controls the attributes logged
    • Kept for a number of days set in [Configuration] section of radius.ini
    • Comma-separated format for easy importing into other databases or spreadsheet applications
      • Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type are built in to native accounting
      • All standard RADIUS attributes are listed next by default
      • Depending on the device configured, any VSAs are listed after that
      • Edit account.ini to add/remove any accounting information logged
  • Log File Errors
    • Errors can be looked at from two perspectives
      • Information contained within a packet may be a source of error
      • Information relative to Preside Radius itself and its connections may be a source of error
    • Use Tracelevel=1 or 2 for logging to decode packet errors
    • Use Loglevel=1 or 2 for explanatory Preside Radius application errors
  • Packet Specific Errors
    • Trace packets to decode information that is contained within RADIUS messages
      • Determine whether appropriate attributes are present in packet
      • Determine whether appropriate attribute values are present in packet
      • Determine whether a device is sending valid RADIUS packets
  • RADIUS Attributes
    • Standard RADIUS: 08 06 <00..00>
      • ID (08), Length (06), Data (<00..00>)
    • Vendor-specific: 1a 0e 000001ad 67 08 <00..00>
      • ID (1a), Length (0e), VendorID (000001ad), then the vendor's own ID (67), Length (08), Data (<00..00>)
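To show how the byte layouts above are decoded, here is an added example (not Funk Software code) that walks a RADIUS attribute region and splits each standard attribute into ID/Length/Data and each Vendor-Specific attribute (type 26 = 0x1a) into Vendor-Id plus the inner ID/Length/Data. The sample bytes are constructed from the two layouts on the slide, and the code assumes one sub-attribute per VSA, as the slide shows.

```python
"""Decode RADIUS attribute TLVs, including Vendor-Specific (type 26 = 0x1a).

Added example, not Funk Software code.  A standard attribute is
ID (1 byte), Length (1 byte, counting ID and Length too), Data.  A VSA
wraps Vendor-Id (4 bytes) followed by the vendor's own ID, Length, Data.
Assumes one sub-attribute per VSA, which is what the slide shows.
"""
import struct

VENDOR_SPECIFIC = 26

# Minimal name table for the attributes used in the slide's examples
# (constructed; the full list lives in the RADIUS dictionary files).
STANDARD_NAMES = {8: "Framed-IP-Address", 26: "Vendor-Specific"}


def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute region into a list of dicts.

    Raises ValueError on a malformed encoding, the case a packet trace is
    used to catch ("Determine whether a device is sending valid RADIUS
    packets").
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        attr_id, length = data[pos], data[pos + 1]
        if length < 2:
            raise ValueError(f"attribute {attr_id} at offset {pos}: length {length} < 2")
        if pos + length > len(data):
            raise ValueError(f"attribute {attr_id} at offset {pos}: length {length} "
                             f"runs past the end of the data")
        value = data[pos + 2:pos + length]
        attr = {
            "id": attr_id,
            "name": STANDARD_NAMES.get(attr_id, f"Attr-{attr_id}"),
            "length": length,
            "data": value,
        }
        if attr_id == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError(f"VSA at offset {pos} too short for Vendor-Id + header")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_id, sub_len = value[4], value[5]
            if sub_len < 2 or 4 + sub_len != len(value):
                raise ValueError(f"VSA at offset {pos}: inner length {sub_len} "
                                 f"does not match outer length {length}")
            attr.update({
                "vendor_id": vendor_id,
                "vendor_attr_id": sub_id,
                "vendor_length": sub_len,
                "vendor_data": value[6:],
            })
        attrs.append(attr)
        pos += length
    return attrs


def is_well_formed(data: bytes) -> bool:
    """True when every attribute in the region parses cleanly."""
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


def format_data(attr: dict) -> str:
    """Render the Data field the way a trace log would show it."""
    data = attr["data"]
    if attr["id"] == 8 and len(data) == 4:          # Framed-IP-Address
        return ".".join(str(b) for b in data)
    return data.hex()


# Constructed sample: the two layouts from the slide with the <00..00>
# data filled in.  Framed-IP-Address 192.168.1.1, then a VSA for vendor
# 0x1ad (429) carrying vendor attribute 0x67 with six data bytes.
SAMPLE = bytes.fromhex("0806c0a80101") + bytes.fromhex("1a0e000001ad6708") + bytes(6)

if __name__ == "__main__":
    for a in parse_attributes(SAMPLE):
        line = f"{a['name']}: ID={a['id']:02x} Length={a['length']:02x} Data={format_data(a)}"
        if "vendor_id" in a:
            line += (f" -> VendorID={a['vendor_id']:08x} ID={a['vendor_attr_id']:02x}"
                     f" Length={a['vendor_length']:02x} Data={a['vendor_data'].hex()}")
        print(line)
```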
  • Preside Radius Logging Error Messages
    • Preside Radius will log connection attempts to any external databases (sql, ldap)
    • Log file will record messages transmitted to and from other RADIUS devices
      • Read these to determine if packets are being sent to and from other RADIUS clients, servers
    • Configuration issues can be seen here
      • Invalid license strings
      • failure to load configuration files
      • failure to execute SQL SELECT and INSERT statements
    • Accept and Rejection messages are logged from upstream clients and downstream servers
  • Refer to Manual Index
    • Example: “Which password protocols does Preside Radius support?”
  • Common Tech Notes
    • Steel-Belted Radius tech notes found in the support section of www.funk.com
    • RD124: Realm name appended to username causes Steel-Belted Radius reject
    • RD143: NT RAS Dial-in clients failing authentication while other dial-in clients are authenticated
    • RD162: Setting up a SecurID/ACE Server
    • RD168: How to Disable CHAP Password on a NT RAS
    • RD175: User rights problems when installing on NT PC that is NOT Domain Controller
    • RD207: Simple Cisco set up
    • RD208: Native Users works, but pass-through authentication doesn’t
    • RD219: Need to test Steel-Belted Radius in stand alone mode (testrig)
    • RD231: Forgot admin password on Preside Radius UNIX
    • RD254: Requirements for persistence mode functionality w/ Steel-Belted Radius v 1.5 and later
    • RD259: MS-CHAP authentication supports Preside Radius
    • RD260: Setting up Steel-Belted Radius NT ODBC to a MS SQL server database
    • RD269: How to decode Radius packets
    • RD279: Logging additional attributes to Steel-Belted Radius “*.ACT” files
    • RD285: “Matching request found in auth. Cache and cached response being re-sent” log msg
  • Common Tech Notes
    • RD296: NT Trust Issues across multiple domains; authentication against remote domains
    • RD306: Steel-Belted Radius Database Files
    • RD311: Limiting NAS access for specific users
    • RD334: Definitions for checklist and returnlist attributes
    • RD336: Default Ports for Preside Radius
    • RD367: License issue for upgrades, etc. (“no valid primary license found”)
    • RD369: Radius authentication via PAP or CHAP
    • RD371: SQL authentication and accounting for NT 4.0 using MS Access 97
    • RD376: Importing flat text users/passwords into Preside Radius
    • RD407: Sample “LDAPSEARCH” strings for use with LCI
    • RD411: System Requirements for Preside Radius
    • RD414: Windows 2000 Set Up considerations – install crashes 79% and get –115 error
    • RD417: Recommend Steps for Upgrading Steel-Belted Radius
    • RD436: Sample file for authorization against LDAP using Bind
    • RD437: Using Bind Name
    • RD447: LDAP EXE Files
    • RD463: NT Expired Password – Setting up Profiles
    • RD291: “Pipe” messages in the Steel-Belted Radius daily activity log
  • Other Features
  • Tunnels
    • Preside Radius supports the authentication and accounting needs of existing tunnels
    • Can store and pass back information the NAS device needs to establish a tunnel connection
    • Track number of tunnels in use and compare to maximum number of tunnels allowed
  • Tunnel Process
    • Preside Radius looks for the Called-Station-ID in the access-request message and looks for a tunnel entry matching this attribute
    • Alternately, Preside Radius looks for a tunnel entry matching the username decoration:
      • Username<delimiter>tunnelname
      • Tunnelname<delimiter>username
    • Preside Radius can place tunnel-specific attributes into the access-accept message that will enable the NAS device to establish a tunnel connection:
      • Ascend-Tunneling-Protocol
      • Tunnel-Assignment-ID
      • Tunnel-Medium-Type
    • Authentication occurs after this point. Successful authentication at the enterprise site will complete the connection
  • Auto Restart
    • Enables Preside Radius to restart itself whenever it experiences a shutdown
    • Disabled by default
      • Stop radius process
      • Edit /etc/rc2.d/S90radius script
        • Uncomment this line:
          • # RADIUS="$RADIUSDIR/radiusd --server $RADIUSDIR/radius"
    • Runs the radius process as a child of radiusd
  • Auto Restart Options
    • The child process is polled based on configuration options defined in the radiusd Perl script
          # config
          $ping_interval = 5;
          $max_pong = 17;
          $max_startup = 60;
          $max_shutdown = 60;
          $debug_mode = 0;
    • If syslog is available to Perl, all informational, warning and debugging messages are recorded in syslog
      • Optionally, a specific log file can be specified
      • If not specified, and syslog is not available, messages are written to radiusd.log in the radius directory
  • Time Of Day Restrictions
    • Using the “Allowed-Access-Hours” Funk standard attribute, time-of-day restrictions can be enforced
    • Apply this attribute to a native user, a profile, a host OS user/group, or token system user
    • Store this attribute/value in LDAP or SQL, apply it to externally authenticated users
      • Time ranges are 24 hour
        • 0800-2200 represents 8 AM to 10 PM
      • Day ranges: M, Tu, W, Th, F, Sa, Su
        • M-Th represents Monday through Thursday inclusively
      • Day and time ranges can intermix, but there must be at least one time range for any day that is used
        • Allowed-Access-Hours M-W 0100-1400 2300-2400
        • Allowed-Access-Hours Tu,Th-F 0530-1200 1300-1830
        • Allowed-Access-Hours Sa-Su 0000-2400
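An added example (not Funk Software code) that parses Allowed-Access-Hours values in the format above and decides whether a given weekday and time falls inside them. It assumes a time range includes its start and excludes its end (so 0000-2400 covers a whole day) and that a day token appearing after a time range starts a new day group; the slide states neither.

```python
"""Evaluate Funk's Allowed-Access-Hours attribute values.

Added example, not Funk Software code.  Assumptions beyond the slide:
a range HHMM-HHMM includes its start minute and excludes its end minute
(so 0000-2400 is the whole day), and a day token that follows a time
range starts a new day group, which is how intermixing is read here.
"""
import re

DAY_ORDER = ["M", "Tu", "W", "Th", "F", "Sa", "Su"]   # 0 = Monday, as datetime.weekday()
_DAY = r"(?:M|Tu|W|Th|F|Sa|Su)"
_DAY_TOKEN = re.compile(rf"^{_DAY}(?:-{_DAY})?(?:,{_DAY}(?:-{_DAY})?)*$")
_TIME_TOKEN = re.compile(r"^(\d{4})-(\d{4})$")


def _minutes(hhmm: str) -> int:
    """'0830' -> 510.  2400 is accepted only as the end of a range."""
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or mins > 59 or (hours == 24 and mins != 0):
        raise ValueError(f"bad time {hhmm}")
    return hours * 60 + mins


def _expand_days(token: str) -> set:
    """'Tu,Th-F' -> {1, 3, 4}; ranges are inclusive and must run forward."""
    days = set()
    for part in token.split(","):
        first, _, last = part.partition("-")
        lo = DAY_ORDER.index(first)
        hi = DAY_ORDER.index(last) if last else lo
        if lo > hi:
            raise ValueError(f"day range {part} runs backwards")
        days.update(range(lo, hi + 1))
    return days


def parse_allowed_hours(spec: str) -> list:
    """Return [(frozenset_of_weekdays, [(start_min, end_min), ...]), ...].

    Every day group must carry at least one time range, as the slide
    requires; anything else raises ValueError.
    """
    tokens = spec.split()
    if tokens and tokens[0] == "Allowed-Access-Hours":
        tokens = tokens[1:]
    groups, days, times = [], set(), []
    for tok in tokens:
        time_match = _TIME_TOKEN.match(tok)
        if time_match:
            if not days:
                raise ValueError(f"time range {tok} appears before any day")
            start, end = _minutes(time_match.group(1)), _minutes(time_match.group(2))
            if start >= end:
                raise ValueError(f"time range {tok} is empty or reversed")
            times.append((start, end))
        elif _DAY_TOKEN.match(tok):
            if times:                      # a day after time ranges starts a new group
                groups.append((frozenset(days), times))
                days, times = set(), []
            days |= _expand_days(tok)
        else:
            raise ValueError(f"unrecognised token {tok!r}")
    if days and not times:
        raise ValueError("day(s) given without a time range")
    if days:
        groups.append((frozenset(days), times))
    if not groups:
        raise ValueError("empty Allowed-Access-Hours value")
    return groups


def is_allowed(spec: str, weekday: int, hhmm: str) -> bool:
    """True if access is permitted at the given weekday (0 = Monday) and HHMM time."""
    minute = _minutes(hhmm)
    return any(weekday in days and any(s <= minute < e for s, e in times)
               for days, times in parse_allowed_hours(spec))


def is_valid_spec(spec: str) -> bool:
    """True when the value parses under the rules above."""
    try:
        parse_allowed_hours(spec)
        return True
    except ValueError:
        return False
```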
  • IP Resource Management
  • Managing IP Data
    • IP Resources can be managed by:
      • Preside Radius
        • Static IP addresses assigned to native users
        • Named Pools of IP addresses that can be associated with a user, a profile, or a NAS device
      • External Databases
        • Store and return specific IP addresses or names of address pools in LDAP or SQL. Preside Radius will then return that IP address (or an IP address in one of its named IP Pools) in the authentication response
        • Enable external applications to manage these data stores
      • Existing DHCP Servers
        • Preside Radius can request IP information from a DHCP server and pass that information back to the NAS device and dial-in client. From then on, the client, NAS, and DHCP server negotiate the IP lease
  • IP / IPX Pools Dialog
    • Configure Multiple Pools
    • Create multiple ranges per pool
    • Associate with users, profiles, or NAS
  • Static IP Assignment
    • Store static IP addresses in your SQL or LDAP database
    • Store static IP addresses with native users in Preside Radius
    • Return an IP Address from SQL:
      • In [Settings] section of sqlauth.aut:
          SELECT password, ipaddress FROM usertable WHERE username=%name/40
    • Return IP Address from LDAP Directory:
      • In [Response] section of ldap.aut:
          [Response]
          Framed-IP-Address = ipaddress
  • IP Pool Assignment
    • Store IP Pool names in your SQL or LDAP database. Value in database must match existing Preside Radius IP Pool name.
    • Return an IP Address Pool Name from SQL:
      • In [Settings] section of sqlauth.aut:
          SELECT password, ipaddresspool FROM usertable WHERE username=%name/40
      • In [Results] section:
          Password=1/48
          Framed-IP-Address=2/48
    • Return IP Address Pool name from LDAP Directory:
      • In [Response] section of ldap.aut:
          [Response]
          Framed-IP-Address = ipaddresspool
    • IP Pools can also be associated with a Preside Radius-defined profile or a specific NAS device
    • If an IP Pool runs out of addresses, users will get rejected
  • DHCP Support
    • Leverage existing DHCP servers to maintain IP Address management
    • Configure dhcp.ini and <poolname>.dhc files
    • Return an IP Pool name from the external source that corresponds to a DHCP-defined pool name.
    • RADIUS attributes can be mapped to and from DHCP options in the <poolname>.dhc file:
        [Request]
        12s = Calling-Station-ID
        60s = "x01x02x03x04x05"
        [Reply]
        Framed-IP-Netmask = 1ip
        Framed-MTU = 26n16
  • IP Address Leakage
    • Addresses assigned through Preside Radius may ‘leak’, or become unavailable for use when:
      • An accounting-stop message is not sent from the NAS
      • A NAS device shuts down unexpectedly
      • Packet loss occurs
      • Device is not configured correctly: i.e. sending accounting packets to a secondary RADIUS server when primary server is available
      • Mis-matched authentication, accounting messages:
        • When phantom and start messages fail to match, phantom sessions may not be removed properly
        • When start and stop messages fail to match, start sessions may not be removed properly
  • Solutions
    • Leaked addresses will remain so until manually deleted from Current Users list or…
    • Preside Radius will automatically release address when another request comes in from the same NAS on the same port:
      • Preside Radius assumes that the previous user can no longer be using the same NAS/port combination
      • Preside Radius clears out all current users associated with a NAS when it receives an accounting-on message from that NAS
    • Manually delete remaining sessions
    • Use DHCP leasing to lessen the impact of leaked addresses
      • Leased addresses are released back into the pool after configurable time periods
    • Stopping Preside Radius, deleting the radads.hst file, and restarting Preside Radius will also delete all current users.
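As an added example (not Funk Software code) covering both the billing attributes listed under Accounting and Billing and the session-release rules listed under Solutions, the code below reconciles a constructed comma-separated accounting extract: it matches Starts to Stops by Acct-Session-ID to total billable seconds and octets per user, releases a session when a new Start arrives on the same NAS/port, clears a NAS's sessions on an accounting On, and reports the Starts that remain open as leaked. The column layout is constructed for the example and is not the native .ACT column order.

```python
"""Reconcile RADIUS accounting records: bill matched Start/Stop pairs and
flag leaked sessions.

Added example, not Funk Software code.  The CSV layout below is constructed
for the example and is not the native yyyymmdd.ACT column order.
"""
import csv
import io

# Constructed sample extract.  Column names follow the RADIUS attribute
# names; Record-Type carries the Acct-Status-Type value.
SAMPLE_CSV = """\
Date,Time,RAS-Client,Record-Type,User-Name,Acct-Session-Id,Framed-IP-Address,NAS-Port,Acct-Session-Time,Acct-Input-Octets,Acct-Output-Octets
20010314,09:00:01,nas1,Start,kevin,S001,10.0.0.11,1,,,
20010314,09:05:00,nas1,Start,mel,S002,10.0.0.12,2,,,
20010314,09:30:01,nas1,Stop,kevin,S001,10.0.0.11,1,1800,123456,654321
20010314,10:00:00,nas1,Start,nicole,S003,10.0.0.13,2,,,
20010314,10:10:00,nas1,Interim,nicole,S003,10.0.0.13,2,600,400,800
20010314,10:20:00,nas1,Stop,nicole,S003,10.0.0.13,2,1200,1000,2000
20010314,11:00:00,nas2,Start,kevin,S004,10.0.0.21,1,,,
20010314,11:30:00,nas3,Start,mel,S005,10.0.0.31,1,,,
20010314,12:00:00,nas2,On,,,,,,,
"""


def load_records(text: str) -> list:
    """Parse the extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(records: list) -> dict:
    """Walk the records in order and return billing totals plus session state.

    open_sessions is keyed by Acct-Session-Id; nas_port maps (RAS-Client,
    NAS-Port) to the session currently believed to hold that port.
    """
    usage = {}                      # user -> {"seconds": int, "octets": int}
    open_sessions = {}              # session id -> Start record
    nas_port = {}                   # (nas, port) -> session id
    released_by_port_reuse = []
    cleared_by_accounting_on = []
    unmatched_stops = []

    def close(session_id):
        rec = open_sessions.pop(session_id)
        nas_port.pop((rec["RAS-Client"], rec["NAS-Port"]), None)
        return rec

    for rec in records:
        kind = rec["Record-Type"]
        if kind == "Start":
            key = (rec["RAS-Client"], rec["NAS-Port"])
            if key in nas_port:     # same NAS/port again: previous user assumed gone
                released_by_port_reuse.append(close(nas_port[key]))
            open_sessions[rec["Acct-Session-Id"]] = rec
            nas_port[key] = rec["Acct-Session-Id"]
        elif kind == "Stop":
            sid = rec["Acct-Session-Id"]
            if sid in open_sessions:
                close(sid)
            else:
                unmatched_stops.append(rec)   # Stop without a Start: still billable
            user = usage.setdefault(rec["User-Name"], {"seconds": 0, "octets": 0})
            user["seconds"] += int(rec["Acct-Session-Time"] or 0)
            user["octets"] += (int(rec["Acct-Input-Octets"] or 0)
                               + int(rec["Acct-Output-Octets"] or 0))
        elif kind == "On":
            # Accounting On from a NAS: every session on that NAS is cleared
            on_nas = [s for s, r in open_sessions.items() if r["RAS-Client"] == rec["RAS-Client"]]
            for sid in on_nas:
                cleared_by_accounting_on.append(close(sid))
        # Interim and Off records change no state in this example; Interim
        # counters are superseded by the final Stop.

    return {
        "usage": usage,
        "leaked": list(open_sessions.values()),      # Starts that never saw a Stop
        "released_by_port_reuse": released_by_port_reuse,
        "cleared_by_accounting_on": cleared_by_accounting_on,
        "unmatched_stops": unmatched_stops,
    }


def reconcile_text(text: str) -> dict:
    """Convenience wrapper: parse and reconcile in one call."""
    return reconcile(load_records(text))


if __name__ == "__main__":
    result = reconcile_text(SAMPLE_CSV)
    for user, totals in sorted(result["usage"].items()):
        print(f"{user}: {totals['seconds']} s, {totals['octets']} octets")
    for rec in result["leaked"]:
        print(f"leaked: {rec['Acct-Session-Id']} {rec['User-Name']} "
              f"{rec['Framed-IP-Address']} on {rec['RAS-Client']}/{rec['NAS-Port']}")
```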
  • Statistics Dialog
  • Current Users Dialog
  • LCI Reporting Options
    • Use the LCI to report current users by client, IP address, Session ID, full name:
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" client=*
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" ipaddressfrompool=*
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" acct-session-id=*
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*
    • See LCI Schema for more options
  • Wildcards – Strings
    • Use wildcard values in checklist attributes, extended proxy, and attribute mapping
    • The expression for any number of variable characters in a string is the * character.
    • For any single character, use the ?
    • Precede all strings with ^ to indicate that the string be treated for wildcard values
    • Example using a checklist attribute:
      • Calling-Station-Id ^508*
      • Allows user dialing in from anywhere within the 508 area code
      • Set multiple Calling-Station-Id checklist attributes to enable more area codes
  • Wildcards – IP Numbers
    • Use IP wildcards to filter checklist attributes by network
    • IP Numbers are wildcarded by class notation:
      • 198.186.160.0 represents 198.186.160.0 through 198.186.160.255
      • 140.100.0.0 represents 140.100.0.0 through 140.100.255.255
      • 75.0.0.0 represents 75.0.0.0 through 75.255.255.255
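An added example (not Funk Software code) implementing both wildcard rules above in a checklist matcher: strings starting with ^ use * for any run of characters and ? for one character, other strings must match exactly, and dotted-quad patterns treat trailing zero octets as wildcards. It assumes, as the area-code note suggests, that several entries for the same attribute are alternatives while different attributes must all match, and that a pattern is treated as an IP wildcard only when it is a dotted quad.

```python
"""Checklist matching with Funk's string and IP wildcards.

Added example, not Funk Software code.  Assumptions: several checklist
entries for one attribute are alternatives (OR), different attributes all
have to match (AND), and a pattern is treated as an IP wildcard only when
it is a dotted quad.
"""
import re


def string_match(pattern: str, value: str) -> bool:
    """'^508*' style wildcard; without the leading ^ the string must match exactly."""
    if not pattern.startswith("^"):
        return pattern == value
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern[1:])
    return re.fullmatch(regex, value) is not None


def _octets(text: str):
    """Return the four octets of a dotted quad, or None if text is not one."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return [int(p) for p in parts]


def ip_match(pattern: str, value: str) -> bool:
    """Class-style wildcard: 198.186.160.0 covers 198.186.160.0-255, 75.0.0.0 covers 75.*.*.*."""
    pat, val = _octets(pattern), _octets(value)
    if pat is None or val is None:
        return False
    # Trailing zero octets are wildcards; the octets up to the last
    # non-zero one must match exactly.
    significant = 4
    while significant > 0 and pat[significant - 1] == 0:
        significant -= 1
    return pat[:significant] == val[:significant]


def attribute_match(pattern: str, value: str) -> bool:
    """Pick the IP rule for dotted-quad patterns, the string rule otherwise."""
    return ip_match(pattern, value) if _octets(pattern) else string_match(pattern, value)


def checklist_matches(checklist, request) -> bool:
    """checklist: iterable of (attribute, pattern); request: dict attribute -> value.

    Each attribute named in the checklist must be present in the request and
    match at least one of its patterns.
    """
    by_attr = {}
    for attr, pattern in checklist:
        by_attr.setdefault(attr, []).append(pattern)
    for attr, patterns in by_attr.items():
        value = request.get(attr)
        if value is None or not any(attribute_match(p, value) for p in patterns):
            return False
    return True
```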
  • Blacklisting
    • Automatically reject any user that fits a defined profile
    • Create the profile to be blacklisted
    • Add that profile name to blacklist.ini
    • From that point on, an administrator can automatically reject an authentication request based on any standard RADIUS, Funk-standard, or vendor-specific attribute
  • Account Lockout
    • User accounts can be configured to lock after a configurable number of failed attempts
    • Lock is released after either:
      • Configurable time period has elapsed
      • Administrator manually unlocks account
    • All options administered in lockout.ini
  • LCI LDAP Command Interface
  • LCI LDAP Summary
    • Change Passwords
    • Add clients, users
    • Add tunnels, IP pools
    • Search current user list
    • Find and modify any aspect of Preside Radius that the administrative program provides
      • ldapsearch.exe
          ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
      • ldapmodify.exe
          ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
      • ldapadd.exe
          ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
  • LCI Schema (1)
  • LCI Schema (2)
  • LCI Schema (3)
  • ldapsearch Options
    • -V 2
      • The version 2 dialect of LDAP is to be used to communicate with the server
    • -p 354
      • TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the server and the LDAP utilities is used (port 389)
    • -D "cn=oper,o=radius"
      • The command will be authenticated using an administrative account called oper
    • -w radadmin
      • The command is providing an authentication password of radadmin
    • -h 192.168.1.1
      • To search a remote host, insert the host’s IP address after the -h option
    • -s sub
      • Recursion is to be used starting at the base
    • -T
      • To make the output more readable, long output lines are not to be continued on the next line
    • -b "radiusclass=Client,o=radius"
      • This is the base at which the search operation is to begin
    • radiusname=*
      • This is the criteria which matched objects must satisfy
  • ldapmodify, ldapadd Options
    • -c
      • The command is to run in continuous mode; it will not stop on errors
    • -V 2
      • The version 2 dialect of LDAP is to be used to communicate with the server
    • -p 354
      • TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the Preside Radius server and the LDAP utilities is used (port 389)
    • -D "cn=oper,o=radius"
      • The command will be authenticated using an administrative account called oper
    • -w radadmin
      • The command is providing an authentication password of radadmin
    • -h 192.168.1.1
      • To search a remote host, insert the host’s IP address after the -h option
    • -f <filename>
      • This is the input LDIF file to process
  • LCI Reporting Options
    • Use the LCI to report on current users by client, IP address, Session ID, full name:
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" client=*
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_ipaddress,o=radius" framed-ip-address=*
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" acct-session-id=*
        ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*
  • LDIF Example
    • This file will add a proxy target to Preside Radius
    • Store this text as addproxy.ldif
        ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f addproxy.ldif
        dn: radiusname=PROXYTARGET,radiusclass=Proxy,o=radius
        changetype: add
        ip-address: 192.168.1.1
        accounting: both
        retry-count: 3
        retry-timeout: 5000
        shared-secret: testing123
        include-in-auth-list: no
  • LDIF Example
    • This file will add a user to Preside Radius
    • Store this text as adduser.ldif
        ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f adduser.ldif
        dn: radiusname=PASSERVER,radiusclass=Proxy,o=radius
        changetype: add
        ip-address: 192.168.1.1
        accounting: both
        retry-count: 3
        retry-timeout: 5000
        shared-secret: testing123
        include-in-auth-list: no
  • End www.funk.com