AAA Services
Authentication
Authorization
Accounting

Authentication
Verify the user is who he/she claims to be
Use Password, Special Token card, Caller-ID, etc.
May issue additional ‘challenge’

Authorization
Check that the user may access the services he/she wishes.
Check database or file information about the user

Accounting
Record what the user has done.
Time online. Bytes sent/received. Services accessed. Files downloaded. Etc.

NAS/RAS
Network Access Server
Remote Access Server
(Diagram: Phone Lines and Modems on one side, the TCP/IP Network on the other; the NAS/RAS sits between them, performing Protocol Conversion and Routing.)

Types of AAA Services
Local accounts on the NAS/RAS
Proprietary software between NAS and server
RADIUS
TACACS (tacacs, tacacs+, xtacacs)

RADIUS Basics
A protocol for communicating between a Network Access Server (NAS) and a remote Authentication/Access/Accounting server
Not the actual server itself
Defined by IETF standard RFC2138 & RFC2139
http://www.faqs.org/rfcs/rfc2138.html
http://www.faqs.org/rfcs/rfc2139.html
Requires Clients (normally a NAS) and servers (often called RADIUS servers)

RADIUS: Basics - Authentication Data Flow
(Diagram: ISP Modem Pool, ISP RADIUS Server, ISP User Database, The Internet)
1. User dials modem pool and establishes connection; supplies UserID: bob, Password: ge55gep
2. NAS sends the authentication request to the ISP RADIUS Server: UserID: bob, Password: ge55gep, NAS-ID: 207.12.4.1
3. RADIUS server queries the ISP User Database: Select UserID=bob
4. Database returns: bob, password=ge55gep, Timeout=3600, [other attributes]
5. RADIUS server replies to the NAS: Access-Accept, User-Name=bob, Framed-Address=217.213.21.5, [other attributes]
6. Internet PPP connection established

RADIUS: Basics - Authentication Data Flow: The Accounting “Start” Record
(Diagram: ISP Modem Pool, ISP RADIUS Server, ISP Accounting Database, The Internet)
1. Internet PPP connection established
2. NAS sends the Start record to the ISP RADIUS Server: Acct-Status-Type=Start, User-Name=bob, Framed-Address=217.213.21.5, ...
3. RADIUS server writes it to the ISP Accounting Database: Sun May 10 20:47:41 1998 Acct-Status-Type=Start User-Name=bob Framed-Address=217.213.21.5 ...
4. RADIUS server returns an Acknowledgement to the NAS

RADIUS: Basics - Authentication Data Flow: The Accounting “Stop” Record
(Diagram: ISP Modem Pool, ISP RADIUS Server, ISP Accounting Database, The Internet)
1. User disconnects (Internet PPP connection ends)
2. NAS sends the Stop record to the ISP RADIUS Server: Acct-Status-Type=Stop, User-Name=bob, Acct-Session-Time=1432, ...
3. RADIUS server writes it to the ISP Accounting Database: Sun May 10 20:50:49 1998 Acct-Status-Type=Stop User-Name=bob Acct-Session-Time=1432 ...
4. RADIUS server returns an Acknowledgement to the NAS

RADIUS: Basics - Key data for Authentication
NAS/Client Info: IP Name and/or IP Address; Shared Secret Key for encryption
User Information: User-Name & Password
Session Information: Speed, dialed number, port, NAS ID, etc.

RADIUS Basics - The process flow
1. Decode packet using shared secret key

RADIUS Basics - Shared Secret Keys
(Diagram: Encryption on one side and Decryption on the other, between User 1 and the server: Plaintext is turned into Ciphertext and back into Plaintext; each side holds the SharedSecret and a Session Key.)

RADIUS Basics - The process flow (continued)
2. Lookup users in local or external database: text file, password file (UNIX), NT Registry/Netware Directory, NIS/NIS+, LDAP, etc., etc.
3. Authenticate User-Name, Password, etc.: CHAP challenge, SecurID token card, etc.
4. Check arbitrary access criteria: type of access (analog, ISDN), time of day, called or calling number
5. Send Accept/Reject to NAS with appropriate session attributes: session timers, filters (allow/reject IP addrs), IP address, ISDN session parameters, etc.

RADIUS: Basics - Process Description
Using a modem, the user dials in to a modem connected to a NAS. Once the modem connection is completed, the NAS attempts to use the CHAP or PAP protocol to determine the userID and password. If that fails, the NAS prompts the user for the userID and password.

The NAS creates a data packet from this information called the authentication request. This packet includes information identifying the specific NAS sending the authentication request, the port that is being used for the modem connection, and the user name and password. For protection from eavesdropping, the NAS, acting as a RADIUS client, encrypts the password (using a shared secret key) before it is sent to the RADIUS server.

The Authentication Request is sent over the network from the RADIUS client (i.e. the NAS) to the RADIUS server. This communication can be done over a local- or wide-area network, allowing network managers to locate RADIUS clients remotely from the RADIUS server. If the RADIUS server cannot be reached, the NAS can usually route the request to an alternate server.

When an Authentication Request is received, the RADIUS server validates the request and then decrypts the data packet to access the user name and password information. This information is passed on to the appropriate security system being supported. This could be a text file, UNIX password files, NIS, LDAP, a commercially available security system or a custom database.

If the user name and password are correct, the server sends an Authentication Acknowledgment that includes information on the user's network system and service requirements. For example, the RADIUS server will tell the NAS that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol) or that the user needs SLIP (Serial Line Internet Protocol) to connect to the network. The acknowledgment can even contain filtering information to limit a user's access to specific resources on the network.

If at any point in this log-in process conditions are not met, the RADIUS server sends an Authentication Reject to the NAS and the user is denied access to the network.

To ensure that requests are not responded to by unauthorized persons or devices on the network, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client.

Once the server information is received and verified by the NAS, it enables the necessary configuration to deliver the right network services to the user.
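The shared-secret password encryption in the description above is the User-Password hiding that RFC 2138 (section 5.2) specifies: the NAS XORs each 16-octet block of the NUL-padded password with MD5(secret + previous block), seeded with the 16-octet Request Authenticator from the packet header, and the server reverses it. As an added example (not from the original slides), here it is in Python; the secret is the page's sample key for portmaster1, and the Request Authenticator is generated locally.

```python
import hashlib
import os

# Shared secret taken from the page's sample "clients" file (portmaster1).
SHARED_SECRET = b"wP40cQ0"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password value the way RFC 2138 section 5.2 describes.

    The password is NUL-padded to a multiple of 16 octets. Block i is XORed
    with MD5(secret + c[i-1]); for the first block, c[-1] is the 16-octet
    Request Authenticator that the NAS put in the packet header.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], keystream))
        hidden += block
        prev = block  # chaining: the next keystream depends on this ciphertext
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password from the hidden attribute value.

    The received ciphertext block is the chaining input, so a wrong shared
    secret yields garbage rather than an error; the server only notices when
    the password check against its user database fails.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[off:off + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Strip the NUL padding (a password cannot itself end in NUL under this scheme).
    return bytes(plain).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """A fresh 16-octet random Request Authenticator, as the NAS must send."""
    return os.urandom(16)


if __name__ == "__main__":
    auth = new_request_authenticator()
    hidden = hide_password(b"ge55gep", SHARED_SECRET, auth)
    print(hidden.hex(), reveal_password(hidden, SHARED_SECRET, auth))
```

The keystream is just MD5 over the secret and 16 octets that travel in the clear in the packet header, so the hiding is no stronger than the shared secret itself; a short or reused secret in the clients file is the thing to audit.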

RADIUS: Basics - Essential Server Data
Client Information: IP Name, Shared secret key, Group Assignment, Special Parameters, NAS Type
NAS/Client Info: stored in a “clients” file or similar data structure

```
# This file contains a list of clients
# which are allowed to make
# authentication requests and their
# encryption key. The first field is a
# valid hostname for the client.
# The second field (separated by blanks
# or tabs) is the encryption key.
#
#Client Name      Key
#----------------------------------
portmaster1       wP40cQ0
portmaster2       A3X445A
192.168.1.2       wer369st
```
Dictionary: definition of RADIUS attributes
Assign readable names to attribute numbers
Data types: String, Integer, IP Address, Date

Dictionary: stored in a “dictionary” file or similar data structure

```
# This file contains dictionary
# translations for parsing requests and
# generating responses. All transactions
# are composed of Attribute/Value Pairs.
# The value of each attribute is specified
# as one of 4 data types. Valid data types
# are:
# string  - 0-253 octets
# ipaddr  - 4 octets in network byte order
# integer - 32 bit value (high byte first)
# date    - 32 bit value - seconds since
#           00:00:00 GMT, Jan. 1, 1970
#
#                                 Attr.  Attr.
#Keyword    Attribute Name        Num    Type
ATTRIBUTE   User-Name             1      string
ATTRIBUTE   Password              2      string
ATTRIBUTE   CHAP-Password         3      string
ATTRIBUTE   Client-Id             4      ipaddr
ATTRIBUTE   Client-Port-Id        5      integer
ATTRIBUTE   User-Service-Type     6      integer
ATTRIBUTE   Framed-Protocol       7      integer
ATTRIBUTE   Framed-Address        8      ipaddr
ATTRIBUTE   Framed-Netmask        9      ipaddr
...         ...
```
User Information (“users” file): User-Name, Password, Authentication method, Check attributes, Send attributes
User Data (Example 1)

```
bob   Password = "ge55ep"
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Framed-IP-Address = 255.255.255.254,
      Framed-IP-Netmask = 255.255.255.255,
      Framed-Routing = None,
      Filter-Id = "std.ppp",
      Framed-MTU = 1500
```

User Data (Example 2)

```
bob   Password = "ge55gep",
      NAS-IP-Address = 192.168.1.54,
      NAS-Port-Type = ISDN
      Service-Type = Framed-User,
      Framed-Protocol = PPP
```

User Data (Example 3)

```
bob   Password = "ge55gep",
      Caller-Id = "510-555-1212"
      Service-Type = Callback-Login-User,
      Login-IP-Host = 192.168.1.76,
      Login-Service = Telnet,
      Login-TCP-Port = 23,
      Callback-Number = "9,1-800-555-1234"
```

RADIUS: Basics - Accounting Start Record

```
Sun May 10 20:47:41 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Start
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282375"
    Acct-Authentic = RADIUS
    Caller-Id = "5105551212"
    Client-Port-DNIS = "5218296"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46
```

RADIUS: Basics - Accounting Stop Record

```
Sun May 10 20:50:49 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Client-Port-Id = 20110
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282353"
    Acct-Authentic = RADIUS
    Acct-Session-Time = 4871
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286
    Caller-Id = "5105551212"
    Client-Port-DNIS = "4218296"
    Framed-Protocol = PPP
    Framed-Address = 209.79.145.46
```
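As an added example (not part of the original deck), a small Python reconciliation pass over records in the layout shown above: it pairs Start and Stop records by session id, pulls the byte counts, and flags a Stop with no Start, a Start with no Stop, and a session whose Acct-Session-Time disagrees with its two timestamps. The log it runs on is constructed in the same format; the alice session and all counts are made up.

```python
import re
from datetime import datetime

# Constructed sample accounting log in the layout of the page's Start and Stop
# records: a timestamp line, then "Attribute = value" lines, one blank line
# between records. The alice session and all counts are made up.
ACCT_LOG = """\
Sun May 10 20:47:41 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Acct-Status-Type = Start
    Acct-Session-Id = "262282375"
    Framed-Address = 209.79.145.46

Sun May 10 20:50:49 1998
    User-Name = "bob"
    Client-Id = 206.171.153.11
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Session-Id = "262282375"
    Acct-Session-Time = 188
    Acct-Input-Octets = 459078
    Acct-Output-Octets = 4440286

Sun May 10 21:02:13 1998
    User-Name = "alice"
    Client-Id = 206.171.153.11
    Acct-Status-Type = Stop
    Acct-Session-Id = "262282390"
    Acct-Session-Time = 900
    Acct-Input-Octets = 1024
    Acct-Output-Octets = 2048
"""

TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_records(text):
    """Split a detail log into dicts: {'time': datetime, '<Attribute>': 'value'}."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        rec = {"time": datetime.strptime(lines[0].strip(), TIMESTAMP_FMT)}
        for line in lines[1:]:
            match = ATTR_RE.match(line)
            if match:
                rec[match.group(1)] = match.group(2)
        records.append(rec)
    return records


def reconcile(text, tolerance=5):
    """Pair Start and Stop records by (Client-Id, Acct-Session-Id).

    Returns the closed sessions with their byte counts, plus the two lists
    worth a second look: Stops with no Start (the Start was lost or never
    sent) and Starts with no Stop (still online, or usage never accounted
    for). clock_mismatch is set when Acct-Session-Time disagrees with the
    two timestamps by more than tolerance seconds after Acct-Delay-Time.
    """
    starts, stops = {}, {}
    for rec in parse_records(text):
        key = (rec.get("Client-Id"), rec.get("Acct-Session-Id"))
        (starts if rec.get("Acct-Status-Type") == "Start" else stops)[key] = rec
    sessions = []
    for key, stop in stops.items():
        start = starts.get(key)
        if start is None:
            continue
        reported = int(stop["Acct-Session-Time"])
        elapsed = (stop["time"] - start["time"]).total_seconds()
        elapsed -= int(stop.get("Acct-Delay-Time", 0))
        sessions.append({
            "user": stop["User-Name"],
            "session_id": key[1],
            "session_time": reported,
            "octets_in": int(stop["Acct-Input-Octets"]),
            "octets_out": int(stop["Acct-Output-Octets"]),
            "clock_mismatch": abs(elapsed - reported) > tolerance,
        })
    return {
        "sessions": sessions,
        "stop_without_start": [k[1] for k in stops if k not in starts],
        "start_without_stop": [k[1] for k in starts if k not in stops],
    }
```

Matching on (Client-Id, Acct-Session-Id) rather than the session id alone matters because a session id is only unique per NAS.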

RADIUS: Basics - Proxy Services
A forwarding or “proxy” server can forward authentication and/or accounting requests to another server for handling.
In order to differentiate between requests that should be handled locally and those that should be forwarded, the NAI needs to be specially processed.

The NAI (Network Access Identifier) is commonly called the userID.
In proxy and roaming situations the NAI is modified to include both the userID and a “realm” identifier.
The realm is a keyword indicating the server responsible for authenticating the userID.

The standard way to send a userID and realm in the NAI is to separate them with a “@”.
A typical proxy NAI looks like: user@realm
A proxy RADIUS server looks for the “@” in the NAI to determine if it should handle the request or forward it.

If no “@” is present, the entire NAI is assumed to be only a userID.
If a “@” is present, the NAI is split into two tokens (a userID and a realm label).

The realm label is looked up in a local file or database to find the address of the server for the realm and the protocol (typically RADIUS) used to connect to it.
Although the realm label may look like a domain name (e-mail addresses are often used as NAIs), it is not safe to assume that.
An example “realms” file might look like:

```
#realm   IP
#label   Address       Port   Protocol   Secret
homeco   167.24.12.5   1812   Radius     Don't3v3rtell
biginiv  12.123.43.9   1645   Radius     js&yWpnfE2vuR
```

(A real realms file might contain much more information. Each vendor implements realm information differently.)
A typical bilateral proxy model looks like:
(Diagram: NAS -> RADIUS Proxy (Log; Realms File: homeco) -> RADIUS server for homeco (Log, DB); the Reply travels back along the same path.)
1. NAS -> RADIUS Proxy: Access Request, UserID: bill@homeco, Password: mypass
2. RADIUS Proxy -> RADIUS: Access Request, UserID: bill, Password: mypass
3. Reply: RADIUS -> RADIUS Proxy -> NAS
Bilateral relationships, with all the realm information stored in a local realms file or table, can be effective with a small number of roaming or proxy partners. But the files must be changed each time there is a change in a server configuration.

A consortium, or clearinghouse, solves that problem by having all proxy requests forwarded to it first. The consortium maintains a list of all the server information for it’
In the case of a roaming consortium or clearinghouse it may be necessary to add additional information to the NAI. This is because each server in the proxy chain might strip off the realm before passing the request on to the next server.

A common solution is to use the “/” as an additional separator. In the case of a consortium called “cons” the NAI would look like: cons/user@realm
An actual NAI might be: infonet/[email protected]
The first server may now strip off “cons” and forward the remaining two tokens: [email protected]
The consortium’s server strips off the remaining realm and forwards the userID to the final server: rdperl
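The realm handling described on the last few slides, as an added example in Python (not from the original deck): parse a realms file in the page's layout, split an NAI on “/” and “@”, and decide whether this server handles the request itself, strips one label and forwards the rest, or rejects an unknown label. The homeco and biginiv entries are the page's sample; the “cons” consortium entry and its 192.0.2.10 address are constructed.

```python
from dataclasses import dataclass

# Realms table in the layout of the page's sample "realms" file. The homeco
# and biginiv lines are the page's; the "cons" consortium line and its
# 192.0.2.10 address are constructed for this example.
REALMS_FILE = """\
#realm    IP
#label    Address        Port   Protocol   Secret
homeco    167.24.12.5    1812   Radius     Don't3v3rtell
biginiv   12.123.43.9    1645   Radius     js&yWpnfE2vuR
cons      192.0.2.10     1812   Radius     example-cons-secret
"""


@dataclass(frozen=True)
class Realm:
    label: str
    address: str
    port: int
    protocol: str
    secret: str


def parse_realms(text):
    """Read a realms file: one label per data line, '#' lines are comments."""
    realms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, address, port, protocol, secret = line.split(None, 4)
        # Labels are only keys into this table; they are never resolved as
        # DNS names even when they look like one.
        realms[label.lower()] = Realm(label, address, int(port), protocol, secret)
    return realms


def split_nai(nai):
    """'cons/user@realm' -> (consortium, user, realm); absent parts are None.

    The first '/' ends the consortium prefix and the last '@' starts the
    realm label, so a userID that itself contains '@' keeps it.
    """
    consortium, rest = None, nai
    if "/" in rest:
        consortium, rest = rest.split("/", 1)
    if "@" in rest:
        user, realm = rest.rsplit("@", 1)
    else:
        user, realm = rest, None
    return consortium, user, realm


def route(nai, realms):
    """Decide what this server does with a request carrying the given NAI.

    Each server in the chain strips exactly one label and forwards what is
    left: the consortium prefix first, then the realm. No label left means
    the request is for this server. A label missing from the realms table
    is rejected rather than guessed at from its domain-name-like shape.
    """
    consortium, user, realm = split_nai(nai)
    if consortium is not None:
        label = consortium
        forward_nai = user if realm is None else f"{user}@{realm}"
    elif realm is not None:
        label, forward_nai = realm, user
    else:
        return {"action": "local", "user": user}
    target = realms.get(label.lower())
    if target is None:
        return {"action": "reject", "reason": f"unknown realm label {label!r}"}
    return {"action": "forward", "forward_nai": forward_nai,
            "target": (target.address, target.port), "protocol": target.protocol}
```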
A consortium proxy model looks like:
(Diagram: NAS -> RADIUS Proxy (Log; Realms File: cons) -> consortium RADIUS Proxy (Log; Realms File: homeco) -> RADIUS server (Log, DB); the Reply travels back through both proxies to the NAS.)
1. NAS -> first RADIUS Proxy: Access Request, UserID: cons/bill@homeco, Password: mypass
2. First proxy -> consortium RADIUS Proxy: Access Request, UserID: bill@homeco, Password: mypass
3. Consortium proxy -> RADIUS: Access Request, UserID: bill, Password: mypass
4. Reply: RADIUS -> consortium proxy -> first proxy -> NAS

RADIUS: Basics - Proxy Services: Editing Attributes
A proxy server may add, delete or modify the attributes that it forwards. An IP Address may be invalid on a given network, the maximum online time may be different, local filters may be required, etc.

In cases where special control of attributes is required, bilateral relationships may work best. A proxy server may also need to translate attributes intended for one brand of NAS into another brand's format (pools, filters, etc.).

RADIUS Proxy Servers
Freeware
DTC - Radius 2.0 - NT/UNIX - (Japanese) http://www.dtc.co.jp/Radius2.0
Commercial
Shiva - Shiva Access Manager - 95/NT/UNIX http://athena.shiva.com/remote/radius
Open System Consultants Pty Ltd - Radiator - NT/UNIX http://www.open.com.au/radiator/
Microsoft - Microsoft Commercial Internet System (MCIS) - NT http://www.microsoft.com/mcis/guide/features.asp
Funk - Steel-Belted Radius - Netware/NT http://www.funk.com/Radius/
Vircom - Proxy & Roaming Radius Server (PRRS) - NT http://www.vircom.com/info/vprrsrel.htm
Novell - BorderManager - Netware http://www.novell.com/text/bordermanager/radius.html
Ascend Communications - “Access Control” - NT/UNIX http://www.ascend.com/324.html
Merit - Merit AAA Server - UNIX http://www.merit.edu/aaa/

Other Authentication Protocols
TACACS (TACACS+ and XTACACS)
Developed by Cisco Systems for military applications. Originally used between Cisco terminal server and a UNIX TACACS server.
Mostly replaced by RADIUS since Cisco added RADIUS support to access products.
Still used for SecurID lookups since the SecurID (ACE) server supports TACACS. However, new releases of SecurID now support RADIUS.

Other Authentication Protocols
SecurID ACE Server
Uses “token” card with One-Time-Password.
Can function as stand-alone server (RADIUS or TACACS compatible).
Can also handle queries from a RADIUS server.
ACE server software available for many platforms.
http://www.securitydynamics.com/solutions/products/asvrdata.html