ISBN: 9780596003227

RADIUS: Securing Public Access to Private Resources


The subject of security never strays far from the minds of IT workers, for good reason. If a network has even one connection to another network, it needs to be secured. RADIUS, or Remote Authentication Dial-In User Service, is a widely deployed protocol that lets companies authenticate, authorize and account for remote users who want access to a system or service, from a central network server. Originally developed for dial-up remote access, RADIUS is now used by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types. Extensible, easy to implement, supported, and actively developed, RADIUS is currently the de facto standard for remote authentication.

RADIUS provides a complete, detailed guide to the underpinnings of the RADIUS protocol, with particular emphasis on the utility of user accounting. Author Jonathan Hassell draws on his extensive experience in Internet service provider operations to offer practical suggestions and advice for implementing RADIUS. He also provides instructions for using an open-source implementation, FreeRADIUS.

"RADIUS is an extensible protocol that enjoys the support of a wide range of vendors," says Jonathan Hassell. "Coupled with the amazing efforts of the open source development community to extend RADIUS's capabilities to other applications (Web, calling card security, physical device security such as RSA's SecurID), RADIUS is possibly the best protocol with which to ensure only the people that need access to a resource indeed gain that access."

This unique book covers RADIUS completely, from the history and theory of the architecture around which it was designed, to how the protocol and its ancillaries function on a day-to-day basis, to implementing RADIUS-based security in a variety of corporate and service provider environments.
If you are an ISP owner or administrator, corporate IT professional responsible for maintaining mobile user connectivity, or a web presence provider responsible for providing multiple communications resources, you'll want this book to help you master this widely implemented but little understood protocol.

List price: $27.99

Your Price: $22.39

You Save: 20%

 


1. An Overview of RADIUS


In an ideal world, we wouldn't have to use authentication of any type to gain access to anything. But as long as free enterprise exists and access to private resources is sold, authentication will exist.

You may have experienced authentication as recently as an hour ago, when you used a dial-up Internet account to log on and surf the Web for the latest headlines. You may have checked your corporate email on your PalmPilot to see if your biggest client had returned your message about the newest proposal. And this weekend, when you use a VPN to connect to your office network so you can revise that presentation that's due early Monday morning, you'll have to authenticate yourself.

But what goes on behind the scenes when you prove your identity to a computer? After all, the computer has to have a set of processes and protocols to verify that you are indeed who you say you are, find out what you are allowed to access, and finally, tell you all of this. There's one protocol that does all of this: the Remote Authentication Dial-In User Service, or RADIUS.

 

2. RADIUS Specifics


In this chapter, I'll step through the most important sections of the RADIUS RFC and interpret them. Since the RFC is approximately 80 pages long, it's not practical to reproduce every detail here. Some portions of the document are antiquated, seldom used, or simply not important. While formality dictates their presence in the official document, this chapter is meant more as a working reference guide.

A question frequently asked of the RADIUS development team is why the protocol runs over UDP rather than TCP. The choice came from operational requirements: RADIUS requires that a query that gets no answer from the primary authentication server be redirected to a secondary server, and to do that a copy of the original request must be kept above the transport layer. That in turn means the application must run its own retransmission timers, which is exactly what a datagram transport leaves to it.

The protocol bets on the patience of users to wait for a response. It assumes some middle ground between lightning fast and slow as molasses. The RADIUS RFC describes it best: "At one extreme, RADIUS does not require a responsive detection of lost data. The user is willing to wait several seconds for the authentication to complete. The generally aggressive TCP retransmission (based on average round trip time) is not required, nor is the acknowledgment overhead of TCP. At the other extreme, the user is not willing to wait several minutes for authentication. Therefore the reliable delivery of TCP data two minutes later is not useful. The faster use of an alternate server allows the user to gain access before giving up."
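The behaviour these two paragraphs describe, as an added example that is not code from the book: a minimal RFC 2865 Access-Request client that keeps the original packet, retransmits it unchanged when its timer expires, then fails over to the next server, together with an in-process server to answer it. Along the way it shows the attribute Type/Length/Value encoding that the next chapter's reference covers, the User-Password hiding of RFC 2865 section 5.2, and the Response Authenticator check that lets a client discard forged replies. The shared secret, user database and NAS address are constructed for the demonstration.

```python
# Added example (not from the book): a minimal RFC 2865 client that retransmits and
# fails over to a secondary server, plus an in-process server to talk to.
import hashlib, os, socket, struct, threading

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
SECRET, USERS = b"testing123", {b"alice": b"s3cret"}   # constructed secret and user database
NAS_IP = "192.0.2.10"                                   # documentation address standing in for the NAS
_KEEP = []                                              # keeps bound sockets (and their ports) alive

def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1) Value; Length counts the two header octets."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])     # struct.error on a 1-octet tail
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def password_xor(data, secret, req_auth, hide):
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block); the first
    'previous block' is the Request Authenticator and later ones are ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):
    return password_xor(password + b"\0" * (-len(password) % 16), secret, req_auth, True)

def unhide_password(hidden, secret, req_auth):
    return password_xor(hidden, secret, req_auth, False).rstrip(b"\0")

def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def serve(sock, secret, users):
    """Answer Access-Requests until the process exits."""
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            code, ident, length = struct.unpack("!BBH", data[:4])
            req_auth = data[4:20]
            attrs = dict(decode_attrs(data[20:length]))
            password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
        except (struct.error, ValueError):
            continue                                    # malformed: drop silently, as the RFC says
        ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
        rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
        body = encode_attrs([(REPLY_MESSAGE, b"welcome" if ok else b"denied")])
        header = struct.pack("!BBH", rcode, ident, 20 + len(body))
        sock.sendto(header + response_authenticator(rcode, ident, req_auth, body, secret) + body, peer)

def start_server(secret=SECRET, users=USERS, silent=False):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))                         # silent=True: bound but never answers
    _KEEP.append(sock)
    if not silent:
        threading.Thread(target=serve, args=(sock, secret, users), daemon=True).start()
    return sock.getsockname()

def authenticate(servers, username, password, secret=SECRET, timeout=0.2, retries=2):
    """Try servers in order: resend the identical packet on timeout, then fail over."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth)),
                         (NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for server in servers:
            for _ in range(retries):
                sock.sendto(packet, server)             # same Identifier and Request Authenticator
                try:
                    data, _ = sock.recvfrom(4096)
                    code, rid, length = struct.unpack("!BBH", data[:4])
                except (OSError, struct.error):         # timeout, ICMP unreachable, or runt reply
                    continue
                if rid != ident or length > len(data):
                    continue                            # not a reply to this request
                if data[4:20] != response_authenticator(code, rid, req_auth, data[20:length], secret):
                    continue                            # forged reply or wrong secret: discard
                return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unknown"), server
        return "no-response", None
    finally:
        sock.close()
```

With `primary = start_server(silent=True)` and `secondary = start_server()`, `authenticate([primary, secondary], b"alice", b"s3cret")` returns `('accept', secondary)` after the primary's two 0.2-second timeouts. Note that a reply whose Response Authenticator does not verify is discarded rather than reported, which is what RFC 2865 calls for; a wrong shared secret therefore looks exactly like a dead server, a point worth remembering when a "RADIUS outage" turns out to be a configuration mismatch.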

 

3. Standard RADIUS Attributes


In this chapter, I'll look at the full set of standard RADIUS attributes as defined in the RADIUS RFC. The RFC defines 63 attributes that provide support and configuration options for everything from connection type, virtual terminals, and connect/session time limits to packet filtering and caller-return services. This chapter presents the attributes in alphabetical order.

One note: this chapter covers only the attributes based on the authentication and authorization processes of a RADIUS transaction, which are attributes 1-39 and 60-63. Attributes 40-59 are covered in Chapter 4.

Each attribute in this chapter is presented as a separate nugget of information: a quick-reference chart with the attribute's particulars, followed by a discussion of any special considerations in its usage or configuration, how it affects or requires other attributes, its practical applications, and where its use in practice departs from what the RFC implies.

 

4. RADIUS Accounting


ISPs often manage points of presence in several locations, most likely geographically dispersed. All of these points of presence require protection to guard against unauthorized use of the expensive network to which they allow access. Although the front line of defense may (and should) be a robust and extensible form of authentication (to verify a user's declared identity) and authorization (to provide a user with only the services to which he is entitled), much valuable information can be gleaned from data collected about users' activities on the network. Which user logged on? When did she do so? What services was he granted?

The data becomes even more useful when it is compiled to analyze a group of users. What is the average call time for a user? How much data does that user transfer? Do I, as a system administrator, need to set a time limit for a single session so as to protect limited dial-in resources? Do I have users that are abusing an on-demand connection? All of these questions can be answered using information mined from the accounting process.

 

5. Getting Started with FreeRADIUS


Up to this point, I've talked about the theoretical underpinnings of both the authentication-authorization-accounting (AAA) architecture and the specific implementation of AAA that is the RADIUS protocol. I will now focus on practical applications of RADIUS: implementing it, customizing it for your specific needs, and extending its capabilities to meet other needs in your business. First, though, I need a product that talks RADIUS.

Enter FreeRADIUS.

The developers of FreeRADIUS speak on their product and its development, from the FreeRADIUS web site:

FreeRADIUS is one of the most modular and featureful [sic] RADIUS servers available today. It has been written by a team of developers who have more than a decade of collective experience in implementing and deploying RADIUS software, in software engineering, and in Unix package management. The product is the result of synergy between many of the best-known names in free software-based RADIUS implementations, including several developers of the Debian GNU/Linux operating system, and is distributed under the GNU GPL (version 2).

 

6. Advanced FreeRADIUS


Congratulations! Chances are that, by now, you have a base FreeRADIUS system up, running, and tested to be working correctly. But it's probably not an optimal system for your implementation and needs. In this chapter, I'll take a look at some of the more advanced tools and methods you can use to extend the capabilities of FreeRADIUS and better integrate it with your existing environment.

FreeRADIUS supports Pluggable Authentication Modules (PAM), but that support must be enabled at compile time. (A discussion of PAM is beyond the scope of this book; however, an excellent introduction to PAM, with answers to some frequently asked questions, is available at http://www.kernel.org/pub/linux/libs/pam/FAQ.) FreeRADIUS's PAM support is, however, somewhat non-standard. In most RADIUS distributions you enable PAM for a user by entering User-Password = PAM in the users file; FreeRADIUS does not support that. You must instead use Auth-Type = Pam. For example, here is a configuration stanza for a non-specific (that is to say, default) user configured for PAM authentication when he logs in from a specific RADIUS client machine:
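As an added illustration (the book's own stanza is not included in this excerpt), a users-file entry of the kind described, assuming 192.0.2.10 is the address of the RADIUS client in question:

```text
# Added example, not the book's stanza. 192.0.2.10 is an assumed NAS address.
DEFAULT NAS-IP-Address == 192.0.2.10, Auth-Type := Pam
        Service-Type = Framed-User,
        Framed-Protocol = PPP
```

The first line holds the check items: NAS-IP-Address == 192.0.2.10 must match the request, and Auth-Type := Pam forces the PAM module for anyone it matches. The indented lines are reply items sent back to the NAS in the Access-Accept. `:=` is the set operator in FreeRADIUS users-file syntax; writing `Auth-Type = Pam`, as the text does, is also accepted there.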

 

7. Other RADIUS Applications


The previous two chapters have focused on using the FreeRADIUS product as the basis of an authentication/authorization/accounting system for a regular Internet service provider-style setup. In this chapter, I'll cover FreeRADIUS in conjunction with Web, LDAP, and email servers, and will discuss a utility, RadiusReport, for parsing RADIUS accounting files to glean valuable information from them.
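As an added example (not the book's code and not RadiusReport itself), the following parses a constructed FreeRADIUS-style detail accounting file and answers the questions Chapter 4 poses: a user's average session time and traffic, sessions that overrun a time limit, and open sessions that have gone quiet, which interim updates make detectable. The records are made up; the layout (a timestamp line, indented Attribute = value lines, a blank line between records) is the detail-file format.

```python
# Added example (not from the book or from RadiusReport): parse a FreeRADIUS-style
# "detail" accounting file and summarize it per user and per session.
import re
from datetime import datetime

DETAIL_LOG = """\
Tue Mar 12 07:00:00 2002
    Acct-Session-Id = "B"
    User-Name = "bob"
    Acct-Status-Type = Start

Tue Mar 12 08:00:00 2002
    Acct-Session-Id = "A"
    User-Name = "alice"
    Acct-Status-Type = Start

Tue Mar 12 08:10:00 2002
    Acct-Session-Id = "A"
    User-Name = "alice"
    Acct-Status-Type = Interim-Update
    Acct-Session-Time = 600
    Acct-Input-Octets = 400000
    Acct-Output-Octets = 600000

Tue Mar 12 08:30:00 2002
    Acct-Session-Id = "A"
    User-Name = "alice"
    Acct-Status-Type = Stop
    Acct-Session-Time = 1800
    Acct-Input-Octets = 1000000
    Acct-Output-Octets = 2000000

Tue Mar 12 09:00:00 2002
    Acct-Session-Id = "C"
    User-Name = "carol"
    Acct-Status-Type = Start

Tue Mar 12 17:00:00 2002
    Acct-Session-Id = "B"
    User-Name = "bob"
    Acct-Status-Type = Stop
    Acct-Session-Time = 36000
    Acct-Input-Octets = 50000
    Acct-Output-Octets = 70000
"""   # constructed sample; a real file carries many more attributes per record

def parse_detail(text):
    """One dict per record: 'timestamp' plus the attribute/value pairs, quotes removed."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"timestamp": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            rec[name] = value.strip('"')
        records.append(rec)
    return records

def sessions_from(records):
    """Fold records into sessions keyed by (NAS, Acct-Session-Id); the Id alone is only unique per NAS."""
    sessions = {}
    for r in records:
        key = (r.get("NAS-IP-Address"), r["Acct-Session-Id"])
        s = sessions.setdefault(key, {"user": r["User-Name"], "last": r["timestamp"],
                                      "stopped": False, "seconds": 0, "octets": 0})
        s["last"] = max(s["last"], r["timestamp"])
        if r["Acct-Status-Type"] in ("Interim-Update", "Alive", "Stop"):   # Alive: older name for value 3
            s["seconds"] = int(r.get("Acct-Session-Time", 0))
            s["octets"] = int(r.get("Acct-Input-Octets", 0)) + int(r.get("Acct-Output-Octets", 0))
            s["stopped"] = s["stopped"] or r["Acct-Status-Type"] == "Stop"
    return sessions

def report(sessions, now, max_seconds=8 * 3600, interim=600):
    """Per-user totals and averages, sessions over the limit, and open sessions with no
    update for more than two interim intervals (a lost Stop, or a NAS that rebooted)."""
    per_user, over_limit, stale = {}, [], []
    for (_, sid), s in sessions.items():
        u = per_user.setdefault(s["user"], {"sessions": 0, "seconds": 0, "octets": 0})
        u["sessions"] += 1
        u["seconds"] += s["seconds"]
        u["octets"] += s["octets"]
        if s["seconds"] > max_seconds:
            over_limit.append((s["user"], sid))
        if not s["stopped"] and (now - s["last"]).total_seconds() > 2 * interim:
            stale.append((s["user"], sid))
    for u in per_user.values():
        u["avg_seconds"] = u["seconds"] / u["sessions"]
    return per_user, over_limit, stale
```

Running `report(sessions_from(parse_detail(DETAIL_LOG)), now=datetime(2002, 3, 12, 18, 0))` flags bob's ten-hour session B as over an eight-hour limit and carol's session C, which has had no Stop or Interim-Update since 09:00, as stale; alice's totals come from her Stop record, which supersedes the earlier interim figures. Stale detection only works if the NAS actually sends interim updates, which is the operational reason to return Acct-Interim-Interval in the Access-Accept.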

Chances are good that you have an area of your web site that needs to be protected from general public access. If you use the Apache web server, you may be familiar with the various methods by which this can be done: using an .htaccess and .htpasswd combination, setting Unix file system permissions, using Allow and Deny directives inside the Apache configuration file, and others. However, it's now possible to instruct Apache to authenticate against an existing RADIUS database of users, thereby protecting the area of your web site from unknown users and allowing access to those you trust.

 

8. The Security of RADIUS


It's a little ironic that I'm devoting a chapter (albeit a shorter one than the others) to the security shortcomings of the RADIUS protocol, but it's something that needs doing. Unfortunately, RADIUS, a protocol designed from the outset to provide security so that only authorized users can take advantage of resources offered to a large group of people, has security problems, and some of them are quite serious.

What makes these problems so hard to deal with is RADIUS's wide use. It enjoys support from a number of network equipment vendors and is found in nearly all Internet service providers and corporate dial-up implementations. This popularity, however, is a double-edged sword. Security vulnerabilities in the core RADIUS protocol leave thousands upon thousands of systems open to compromise. Further, major changes can't be made to the core protocol, because that would run the risk of breaking compatibility with those same thousands upon thousands of systems that run RADIUS.

In this chapter, I'll discuss these vulnerabilities, offer some workarounds that protect your systems better, and close with a commentary from a security analyst on why users of RADIUS should push for minor protocol changes.
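Two concrete consequences of the authenticator construction in RFC 2865, as an added example (not the book's code, and not its list of findings). Both follow directly from the definitions: the key stream that hides a User-Password is MD5(secret + Request Authenticator), and the Response Authenticator is an MD5 over the reply plus the secret. The secret, passwords and candidate wordlist are constructed; "testing123" is only the well-known FreeRADIUS sample secret.

```python
# Added example (not from the book): what the RFC 2865 MD5 constructions give an
# eavesdropper when a Request Authenticator repeats or the shared secret is guessable.
import hashlib, struct

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_first_block(password, secret, req_auth):
    """RFC 2865 5.2 for passwords of at most 16 octets: NUL-pad, then XOR with
    MD5(secret + Request Authenticator). The key stream depends on nothing else."""
    if len(password) > 16:
        raise ValueError("single-block demonstration only")
    return xor(password.ljust(16, b"\0"), hashlib.md5(secret + req_auth).digest())

def recover_with_reused_authenticator(hidden_known, known_password, hidden_unknown):
    """Two requests to the same server that reuse a Request Authenticator share the key
    stream, so hidden_known XOR hidden_unknown == known XOR unknown: an eavesdropper who
    knows one password (their own account, say) reads the other without the secret."""
    key_stream = xor(hidden_known, known_password.ljust(16, b"\0"))
    return xor(key_stream, hidden_unknown).rstrip(b"\0")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def guess_secret(code, ident, req_auth, attrs, observed, candidates):
    """Offline dictionary attack: one captured request/reply pair lets an eavesdropper test
    secrets at MD5 speed, and nothing in the protocol limits or detects the attempt."""
    for candidate in candidates:
        if response_authenticator(code, ident, req_auth, attrs, candidate) == observed:
            return candidate
    return None

def demo():
    """Constructed scenario: a NAS with a broken RNG reuses one Request Authenticator,
    and its replies are captured along with the requests."""
    secret, req_auth = b"testing123", b"\x11" * 16
    hidden_alice = hide_first_block(b"alicepw", secret, req_auth)
    hidden_bob = hide_first_block(b"bob-pass", secret, req_auth)
    leaked = recover_with_reused_authenticator(hidden_alice, b"alicepw", hidden_bob)
    attrs = b"\x12\x09welcome"   # one Reply-Message attribute: type 18, length 9
    observed = response_authenticator(2, 7, req_auth, attrs, secret)   # Access-Accept, id 7
    found = guess_secret(2, 7, req_auth, attrs, observed, [b"password", b"radius", b"testing123"])
    return leaked, found
```

`demo()` returns `(b'bob-pass', b'testing123')`. The first result is why RFC 2865 requires the Request Authenticator to be unpredictable and unique; the second is why a shared secret has to be long and random enough that no wordlist contains it, chosen per NAS, and why RADIUS traffic belongs on a protected network rather than the open Internet.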

 

9. New RADIUS Developments


Up to this point, I've covered the contents and specifications of the original RADIUS RFC drafts. Since those drafts were approved and published, new advancements in technology have mandated some revisions to those RFCs, particularly in the areas of tunnel support and new security technologies. In this chapter, I'll cover these updates and how they might affect your current implementation or any changes you will make in the future.

RADIUS now includes support for interim accounting updates. Before the RADIUS Extensions RFC was issued in June 2000, accounting records were generated only at the beginning and end of a session, when the server received Accounting-Request packets with an Acct-Status-Type of Start and of Stop from the NAS. Now the server can include the Acct-Interim-Interval attribute in the Access-Accept; its value is the number of seconds the NAS should wait between interim accounting updates for that session. An administrator can also configure a minimum interval locally on the RADIUS client, and that local value always overrides any Acct-Interim-Interval value found in an Access-Accept packet.

 

10. Deployment Techniques


It's the do-or-die moment: it's time to deploy your AAA infrastructure. That infrastructure most likely takes the form of one or more RADIUS servers (otherwise you would probably not be reading this book). This chapter is designed to cover many of the inevitable questions that come up when designing a plan to deploy RADIUS servers.

First, I'll look at configuring the typical services that ISPs and corporations offer their clients, and then broaden that to cover extended services that support other business models. Next, I'll discuss how to maintain the service by designing a secure, highly available network. Following that are two case studies of RADIUS implementation design. Finally, I'll provide information about other RADIUS servers, available documentation, and other resources you can use to support your RADIUS operation.

As you've learned from the chapters on FreeRADIUS, the users that connect through your RADIUS server must be either configured in the users file of the RADIUS server itself or known to a remote system with which the initial RADIUS server can communicate. Anything else falls into the default connection configuration, sometimes known as the catchall. Most implementations have a generic configuration meant for most users and a few user-specific configurations sprinkled about. In the following sections, I will provide examples of both scenarios whenever appropriate.

 

A. Attribute Reference


In this Appendix, the RADIUS standard attributes are listed in order by their attribute number, followed by the official name, the length of the attribute in the packet, and what type of value the attribute supports. Each attribute is then cross-referenced with the main body page explaining the details of the attribute.

Table A-1. The RADIUS standard attributes

Number  Name                Length (octets)  Value       Page
1       User-Name           3+               String      User-Name
2       User-Password       18-130           String      User-Password
3       CHAP-Password       19               String      CHAP-Password
4       NAS-IP-Address      6                IP Address  NAS-IP-Address
5       NAS-Port            6                Integer     NAS-Port
6       Service-Type        6                Enum        Service-Type
7       Framed-Protocol     6                Enum        Framed-Protocol
8       Framed-IP-Address   6                IP Address  Framed-IP-Address
9       Framed-IP-Netmask   6                IP Address  Framed-IP-Netmask
10      Framed-Routing      6                Enum        Framed-Routing
11      Filter-ID           3+               String      Filter-ID
12      Framed-MTU          6                Integer     Framed-MTU
13      Framed-Compression  6                Enum        Framed-Compression
14      Login-IP-Host       6                IP Address  Login-IP-Host
15      Login-Service       6                Enum        Login-Service
16      Login-TCP-Port      6                Integer     Login-TCP-Port
17      (not in service)
18      Reply-Message       3+               String

 

Details

E-book (ePub): ISBN/SKU 9781449395889; not encrypted; printing, copying and read-aloud not allowed.
Slices (ePub): not encrypted; printing, copying and read-aloud allowed; SKU, ISBN and file size are carried in each slice's metadata.