Remote Authentication Dial In User Service is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service.
2. Access management in an Enterprise using RADIUS
• Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991 as an access server authentication and accounting protocol and later brought into the IETF standards.
3. What is AAA?
AAA stands for (i) Authentication, (ii) Authorization and (iii) Accounting.
Authentication:
Refers to confirmation that a user who is requesting a service is a valid user.
Accomplished via the presentation of an identity and credentials.
Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
Authorization:
Refers to the granting of specific types of service (including "no service") to a user, based on their authentication.
Accounting:
Refers to the tracking of the consumption of network resources by users.
Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
May be used for management, planning, billing etc. An AAA server provides all the above services to its clients.
4. AAA Protocols
RADIUS:
Remote Authentication Dial In User Service is an AAA protocol for applications such as Network Access or IP Mobility.
Looks up users in a text file, LDAP servers or a database for authentication.
Uses PAP, CHAP or EAP protocols to authenticate users.
After authentication, service parameters are passed back to the NAS.
Is notified when the session starts and stops. This data is used for billing or statistics purposes.
SNMP is used for remote monitoring.
DIAMETER:
Diameter is a planned replacement of RADIUS.
5. NAS
The Network Access Server (NAS) is a service element that clients dial in order to get access to the network. A Network Access Server is a device which usually has interfaces both to the backbone and to the telco (POTS or ISDN) and receives calls from hosts that want to access the backbone by dialup services. A NAS is located at an internet provider's point of presence to give their customers internet access.
7. • Because of the broad support and the ubiquitous nature of the RADIUS protocol it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etc.[2]
8. • RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server, the Virtual Private Network server, the Network switch with port-based authentication, and the Network Access Server are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server. The RADIUS server is usually a background process running on a UNIX or Windows NT machine.[3]
9. • RADIUS serves three functions:
– to authenticate users or devices before granting them access to a network,
– to authorize those users or devices for certain network services and
– to account for usage of those services.
10. Authentication and Authorization
• The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials.
• The credentials are passed to the NAS device via the link-layer protocol - for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers - or posted in an HTTPS secure web form.
• In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.[4]
12. • This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.
• The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources - commonly SQL, Kerberos, LDAP, or Active Directory servers - to verify the user's credentials.
13. • The RADIUS server then returns one of three responses to the NAS: 1) Access Reject, 2) Access Challenge or 3) Access Accept.
• Access Reject - The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
• Access Challenge - Requests additional information from the user such as a secondary password, PIN, token or card. Access Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the NAS.
• Access Accept - The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorised to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source like LDAP or Active Directory.
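The Access-Request / Access-Accept round trip described on slides 10 to 13, worked through in code. This is an added example and not part of the original slides: it builds the PAP-style Access-Request a NAS would send (RFC 2865 packet layout, User-Password hiding with MD5 chained from the Request Authenticator), lets a minimal server decide Accept or Reject against a flat user list, and has the NAS verify the Response Authenticator before trusting the reply. The shared secret, user, password, NAS address and the in-memory user table are constructed sample values; only the standard library is used.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3) and the attribute types used here (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs):
    """Encode (type, value) pairs as Type/Length/Value; Length counts its own 2-byte header."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Walk the attribute list, rejecting lengths that do not fit the packet."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-octet blocks and XOR block i with MD5(secret + previous
    block); for the first block the 'previous block' is the 16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the chained input is the received ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is what lets the NAS tell a genuine Accept/Reject from a spoofed one."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


# NAS (RADIUS client) side
def nas_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Build the Access-Request the NAS sends; request_auth is normally fresh random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def nas_verify_reply(reply, request_auth, secret):
    """Return the reply code only if its Response Authenticator checks out, else None."""
    code, ident, resp_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return code if hmac.compare_digest(resp_auth, expected) else None


# RADIUS server side; user_db is a constructed {username: password-bytes} table
def server_handle(pkt, secret, user_db):
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], pw)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, req_auth, b"", secret)  # no reply attributes
    return build_packet(reply_code, ident, auth, [])
```

The NAS-side check matters because a RADIUS reply carries no other proof of origin: a reply computed with the wrong shared secret fails `nas_verify_reply` even though it is otherwise a well-formed Access-Reject. Access-Challenge and the CHAP/EAP schemes mentioned on slide 12 use the same packet layout but different credential attributes and are not covered here.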
14. Accounting
• When network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "start") is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.[5]
• Periodically, Interim Update records (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "interim-update") may be sent by the NAS to the RADIUS server, to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage.
• Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "stop") to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.
• Typically, the client resends the Accounting-Request packet until it receives an Accounting-Response acknowledgement, using some retry interval.
• The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.
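The Start / Interim-Update / Stop lifecycle and the retry behaviour above, as an added example of the server-side bookkeeping (not code from the original slides). Records are modelled as dictionaries keyed by attribute name; the Acct-Status-Type values are the RFC 2866 ones and the Event-Timestamp attribute (RFC 2869) is assumed to be present so that a retransmitted record can be recognised and acknowledged again without being counted twice. All record contents are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Acct-Status-Type values (RFC 2866 section 5.1)
START, STOP, INTERIM_UPDATE = 1, 2, 3


@dataclass
class Session:
    user: str
    nas_ip: str
    framed_ip: str
    start_time: int
    last_update: int
    session_time: int = 0      # Acct-Session-Time: cumulative seconds as reported by the NAS
    input_octets: int = 0      # Acct-Input-Octets: cumulative total, not a delta
    output_octets: int = 0
    terminate_cause: Optional[int] = None
    closed: bool = False


class AccountingServer:
    """Minimal RADIUS accounting state: one Session per (NAS, Acct-Session-Id)."""

    def __init__(self):
        self.sessions = {}
        self.acked = set()   # records already acknowledged, for retransmission detection

    def handle(self, rec):
        """Process one Accounting-Request. Returns "ack" (send Accounting-Response, state
        updated), "ack-duplicate" (send Accounting-Response again, nothing counted twice)
        or "reject" (no response; log for investigation)."""
        nas, sid = rec["NAS-IP-Address"], rec["Acct-Session-Id"]
        status, ts = rec["Acct-Status-Type"], rec["Event-Timestamp"]
        key = (nas, sid, status, ts)
        if key in self.acked:
            # The NAS retries until it receives an Accounting-Response. If only our reply was
            # lost, the retransmission carries the same Event-Timestamp (only Acct-Delay-Time
            # grows), so re-acknowledge it without touching the session.
            return "ack-duplicate"
        sess = self.sessions.get((nas, sid))
        if status == START:
            if sess is not None:
                return "reject"  # Start for a session id we already know: conflicting or reused id
            self.sessions[(nas, sid)] = Session(
                rec["User-Name"], nas, rec.get("Framed-IP-Address", ""), ts, ts)
        elif status in (INTERIM_UPDATE, STOP):
            if sess is None:
                # The Start record was lost: keep the usage data rather than dropping it and
                # back-date the session start from the reported session time.
                sess = Session(rec["User-Name"], nas, rec.get("Framed-IP-Address", ""),
                               ts - rec.get("Acct-Session-Time", 0), ts)
                self.sessions[(nas, sid)] = sess
            elif sess.closed:
                return "reject"  # update after Stop: late or replayed record
            # Counters are cumulative totals, so assign rather than add.
            sess.session_time = rec.get("Acct-Session-Time", sess.session_time)
            sess.input_octets = rec.get("Acct-Input-Octets", sess.input_octets)
            sess.output_octets = rec.get("Acct-Output-Octets", sess.output_octets)
            sess.last_update = ts
            if status == STOP:
                sess.terminate_cause = rec.get("Acct-Terminate-Cause")
                sess.closed = True
        else:
            return "reject"  # Accounting-On/Off and vendor-specific values are out of scope here
        self.acked.add(key)
        return "ack"

    def usage_report(self):
        """Billing view of closed sessions: session id -> (user, seconds, total octets)."""
        return {sid: (s.user, s.session_time, s.input_octets + s.output_octets)
                for (nas, sid), s in self.sessions.items() if s.closed}

    def stale_sessions(self, now, max_silence):
        """Open sessions silent for more than max_silence seconds: a NAS that went away or a
        lost Stop. Worth alerting on, because such sessions will never close on their own."""
        return [sid for (nas, sid), s in self.sessions.items()
                if not s.closed and now - s.last_update > max_silence]
```

Two points the slide text implies but does not spell out: the octet and time counters in Interim and Stop records are running totals, so a server that adds them up across records overbills; and because the NAS keeps retransmitting until it is acknowledged, a duplicate must still be answered with an Accounting-Response or the NAS will retry forever.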
17. • RADIUS client commands
• In the following example, a wireless access point is added as a RADIUS client to the NPS configuration. This RADIUS client has the name WirelessAP, the IP address 10.0.0.200, an enabled state, and a shared secret of 9vq7822hFsJ8rm.
• netsh nps add client name= WirelessAP address= 10.0.0.200 state=Enable sharedsecret=9vq7822hFsJ8rm napcompatible=Yes
18. • RADIUS client commands
• delete client
• Deletes one or more existing RADIUS clients.
• Syntax: delete client [ name= ] name
• Example: The following is an example of the command usage. In this example, three wireless access points with the friendly names WirelessAP1, WirelessAP2, and WirelessAP3 are removed as RADIUS clients from the NPS configuration.
• delete client WirelessAP1,WirelessAP2,WirelessAP3
19. • RADIUS server commands
• add registeredserver
• delete registeredserver
• dump
• export
• import
• reset config
• reset eventlog
• reset ports
• set eventlog
• set ports
• show config
• show eventlog
• show ports
• show registeredserver
• show vendors
20. • RADIUS server commands
• add registeredserver
• Adds a Network Policy Server (NPS) to the list of registered servers in Active Directory.
• Syntax: add registeredserver [[ domain = ] domain [ server = ] server ]
• Examples: The first example registers the local NPS server in the local domain.
• netsh nps add registeredserver
• netsh nps add registeredserver domain = example.com server = 192.168.0.2
21. • RADIUS server commands
• delete registeredserver
• Deletes an NPS server from the list of registered servers in Active Directory.
• Syntax: delete registeredserver [[ domain = ] domain [ server = ] server ]
• Examples: The first example removes the local NPS server in the local domain.
• netsh nps delete registeredserver
• netsh nps delete registeredserver domain = example.com server = 192.168.0.2
22. • RADIUS server commands
• show registeredserver
• Displays information for a server that is registered in Active Directory.
• Syntax: show registeredserver [[ domain = ] domain [ server = ] server ]
• show ports
• Displays the RADIUS port configuration for the local NPS server.
• Syntax: show ports