
Topic : RADIUS

H c Bin
0985 196 884
bien.ho@truongtan.edu.vn
CCIE Written, CCNP, CCNA
MCSA, MCITP-EA
Security+, CEH

Pre-RADIUS Infrastructure

Diagram: three sites (Boston, Worcester, Springfield), 10,000 users, 10 NASs (NAS devices), 100,000 management tasks

Multiple locations + multiple devices = management nightmare


http://www.truongtan.edu.vn

RADIUS Implementation

Diagram: the same three sites (Boston, Worcester, Springfield), 10,000 users, 10 NASs (NAS devices), 1 AAA server (RADIUS server), 10,000 centrally managed objects

Location no longer an issue
Updates are made centrally, in one place


What Is RADIUS?
Client/server protocol that enables remote access servers to communicate with a central server to authenticate and authorize users to access that system
Standardized method of information exchange between RADIUS client and RADIUS server
Simply put, a mechanism for delivering information

Diagram: User <- PPP or SLIP negotiation -> RADIUS Client <- RADIUS request/response -> RADIUS Server


RADIUS Clients
PPP servers
VPN
Firewalls
Wireless LAN access points


Steel-Belted Radius
Central hub for distributed services
Authentication
Authorization
Accounting


Server Groups

Diagram: a workstation (AAA client) with two server groups, a RADIUS group (RADIUS_1, RADIUS_2) and a TACACS+ group (TACACS+_1, TACACS+_2)


Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.


Example of Authentication
!
! Local fallback account; "username ... password" stores the string in plain text
! (or reversibly, as type 7, with service password-encryption)
username myuser password secure_password
!
aaa new-model
! PPP sessions: try the RADIUS group, then the TACACS+ group, then the local database
aaa authentication ppp default group radius group tacacs+ local
! Admin logins (applied to the vty lines below) use the local database only
aaa authentication login admin local
!
radius-server host 10.0.1.12 key cisco
tacacs-server host 10.0.1.14 key cisco
!
line vty 0 4
 login authentication admin


Authorization
Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.


Example of Authorization
aaa new-model
aaa authentication login admin local
! "dialins" list: authenticate PPP users against RADIUS, falling back to the local database
aaa authentication ppp dialins group radius local
! "myauth" list: authorize network services (PPP, addressing) via RADIUS, then local
aaa authorization network myauth group radius local
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
!
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin


Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.


Example of Accounting
aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
! "myacct" list: send an accounting Start at session setup and a Stop (with counters) at teardown
aaa accounting network myacct start-stop group radius
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ! apply the "myauth" authorization list defined above
 ppp authorization myauth
 ppp accounting myacct


TACACS+ and RADIUS Comparison

                      TACACS+                               RADIUS
Port Used             49                                    Authentication/Authorization: 1645 and 1812; Accounting: 1646 and 1813
Transport Protocol    TCP                                   UDP
Encryption            Full packet encryption                Encrypts only passwords up to 16 bytes
AAA Architecture      Separate control of each AAA service  AAA combined as one service
Standard/Proprietary  Cisco                                 Industry standard


Configuring AAA Services to Work with an AAA Server

Diagram: NAS with two Cisco Secure ACS servers, ACS1 at 10.0.1.12 and ACS2 at 10.0.1.14

router(config)#
aaa new-model
aaa authentication login default group tacacs+
aaa authorization network default group tacacs+
aaa accounting network myacct start-stop group tacacs+
tacacs-server host 10.0.1.12
tacacs-server host 10.0.1.14
tacacs-server key cisco123
!
! OR: set the key per server instead of globally
tacacs-server host 10.0.1.12 key cisco123


Network Configuration


RADIUS Messages: Authentication Request

1. User: logs on to a service (Internet, network) over a PPP/SLIP connection
2. RADIUS Client: sends an Access-Request packet (username/password)
3. RADIUS Server: validation / authentication


RADIUS Messages: Authentication Response

4. RADIUS Server: sends the Access Response (ACCEPT/REJECT/CHALLENGE)
5. RADIUS Client: receives the RADIUS response packet
6. User: ACCEPT/REJECT


RADIUS Messages: Accounting

1. User: logs on to a service (Internet, network)
2. RADIUS Client: sends ACCT Start/Stop
3. RADIUS Server: receives the RADIUS packets
4. ACCT dB: SQL INSERT statement (or .ACT file)

What happens:
1. User logs on, gets service (ACCT Start)
2. User plays on the Internet (time)
3. User disconnects
4. RADIUS Client generates and sends ACCT Stop with billing data


RADIUS Basics: Shared Secret Keys

Diagram: User 1 and the RADIUS server each hold the same shared secret session key. Plaintext is encrypted with the shared secret into ciphertext on one side and decrypted back to plaintext with the same shared secret on the other.
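Added example, not from the slides: what the shared secret above actually does on the wire in RFC 2865 RADIUS. The NAS hides the User-Password by XORing it, 16 bytes at a time, against MD5(secret || Request Authenticator) (the comparison table's "passwords up to 16 bytes"; this code also shows the block chaining RFC 2865 uses for longer passwords), and the server proves it holds the secret by stamping every reply with a Response Authenticator that the NAS must verify before honouring an Access-Accept. SECRET and REQUEST_AUTH are constructed values for the demo.

```python
import hashlib
import hmac
import struct

# Constructed values for this demonstration, not taken from the slides.
SECRET = b"radiuskey"                 # shared secret known to NAS and RADIUS server
REQUEST_AUTH = bytes(range(16))       # 16-byte Request Authenticator (random per request in real use)

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad with NULs to 16-byte blocks, then XOR each
    block with MD5(secret || previous block). The first block is chained to the
    Request Authenticator, so the same password looks different in every request."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server runs it; NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    so only a holder of the shared secret can produce a valid Access-Accept/Reject."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator against the saved Request
    Authenticator and reject the reply unless it matches (constant-time compare)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)
```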


Cisco Secure ACS

Diagram: Cisco Secure ACS for Windows with an external user database server and an external policy server. AAA clients (NADs): a NAS serving a remote client (dial-up) over the PSTN, a router facing the Internet serving a remote client (VPN client), and a switch serving internal clients.

PSTN = public switched telephone network


Web Interface


Hardware and Software Requirements

Hardware
Pentium 4 processor, 1.8 GHz or faster
1 GB of RAM
At least 1 GB of free disk space
Minimum graphics resolution of 256 colors at 800x600 pixels
CD-ROM drive
100Base-T or faster connection

Software
Microsoft Windows 2000 Server, with SP4 installed
Windows 2000 Advanced Server, with the following conditions:
  With SP4 installed
  Without Microsoft Windows 2000 Cluster Service installed
  Without other features specific to Microsoft Windows 2000 Advanced Server enabled
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition

Demo : Router Authentication


Trust and Identity

Implementing Cisco IBNS

Concepts of Cisco IBNS in Action

Diagram: identity-based authentication in front of the corporate network. An authorized user with valid credentials reaches corporate resources; an unauthorized external wireless user with invalid or no credentials gets no access.


Cisco IBNS
Unified control of user identity for the enterprise

Diagram components: Cisco VPN Concentrators, Cisco IOS Routers, Cisco PIX Firewalls; hard and soft tokens; Cisco Secure ACS; OTP server; Internet, firewall, router; remote offices; VPN clients

Cisco IBNS: Port-Based Access Control

End user (client) -- Cisco Catalyst 2950 Series (switch) -- Authentication server (Cisco Secure ACS/RADIUS)

1. EAPOL-start
2. Login request
3. Login response
4. Check with policy database
5. Policy database confirms ID and grants access
6. Policy database informs switch
7. Switch enables port


IEEE 802.1x

Standard set by the IEEE 802.1 working group
A framework designed to address and provide port-based access control using authentication
Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)
Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
Assumes a secure connection
Actual enforcement is via MAC-based filtering and port-state monitoring


802.1x Components

Supplicant -- EAPOL -- Authenticator -- RADIUS -- Authentication Server


802.1x Operation

For each 802.1x switch port, the switch creates two virtual access points at each port.

The controlled port is open only when the device connected to the port has been authorized by 802.1x.

Diagram: controlled port and uncontrolled port, both carrying EAPOL

The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) traffic and CDP traffic only.

How 802.1x Works

End user (client) -- EAPOL -- Cisco Catalyst 2950 Series switch (NAD) -- RADIUS -- Authentication server (Cisco Secure ACS)

The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.


How 802.1x Works (Cont.)

End user (client) -- Cisco Catalyst 2950 (switch) -- Authentication server (Cisco Secure ACS)

EAPOL-start
EAP Request/Identity
EAP Response/Identity
EAP Auth Exchange (EAP-method dependent) <-> Auth exchange with AAA server
EAP Success / EAP Failure <- Auth Success/Reject
Port authorized (policies)
EAPOL-Logoff
Port unauthorized


What Is EAP?
EAP: the Extensible Authentication Protocol
A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
Typically runs directly over data-link layers such as PPP or IEEE 802 media
Originally specified in RFC 2284, obsoleted by RFC 3748
Supports multiple authentication types


Current Prevalent Authentication Methods

Challenge-response-based
EAP-MD5: uses MD5-based challenge-response for authentication
LEAP: uses username/password authentication
EAP-MS-CHAPv2: uses username/password MS-CHAPv2 challenge-response authentication

Cryptographic-based
EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication

Other
EAP-GTC: generic token and OTP authentication


EAP Methods
EAP-MD5
EAP-TLS
PEAP with EAP-MS-CHAPv2


EAP-MD5

EAPOL (client to switch)            RADIUS (switch to server)
EAPOL-start
EAP Request/Identity
EAP Response/Identity               EAP Response/Identity
EAP Request/Challenge               EAP Request/Challenge
EAP Response/Challenge              EAP Response/Challenge
EAP Success                         EAP Success
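Added example, not from the slides: the EAP-MD5 exchange of the diagram above carried inside EAPOL frames. The frame builders and parser follow the IEEE 802.1X EAPOL and RFC 3748 EAP layouts (Ethernet header and the authenticator's RADIUS relaying omitted), the supplicant answers Request/Identity and Request/MD5-Challenge, and the authentication server checks the response value, MD5 over identifier, password and challenge, before issuing Success or Failure. Identity, password and challenge values used with it are constructed.

```python
import hashlib
import hmac
import struct
EAPOL_EAP_PACKET = 0                                   # 802.1X EAPOL packet type "EAP-Packet"
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_MD5_CHALLENGE = 1, 4

def eapol(body: bytes) -> bytes:
    """EAPOL header: version 1, type EAP-Packet, body length (Ethernet header omitted)."""
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(body)) + body

def eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP header: code, identifier, total length; Success/Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def md5_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 s5.4 (CHAP-style): Response Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def parse_eapol(frame: bytes) -> dict:
    """Unwrap EAPOL, then EAP; for MD5-Challenge also split Value-Size, Value and Name."""
    _version, ptype, blen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + blen]
    if ptype != EAPOL_EAP_PACKET or len(body) != blen:
        raise ValueError("not a complete EAPOL EAP-Packet")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length != len(body):
        raise ValueError("EAP length mismatch")
    p = {"code": code, "ident": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        p["type"] = body[4]
        if body[4] == EAP_MD5_CHALLENGE:
            size = body[5]
            p["value"], p["name"] = body[6:6 + size], body[6 + size:]
    return p

def supplicant_reply(frame: bytes, identity: bytes, password: bytes) -> bytes:
    """Supplicant: answer Request/Identity with its name, Request/MD5-Challenge with the hash."""
    p = parse_eapol(frame)
    if p.get("type") == EAP_IDENTITY:
        return eapol(eap(EAP_RESPONSE, p["ident"], EAP_IDENTITY, identity))
    value = md5_value(p["ident"], password, p["value"])
    return eapol(eap(EAP_RESPONSE, p["ident"], EAP_MD5_CHALLENGE, bytes([16]) + value + identity))

def server_decision(reply: bytes, ident: int, challenge: bytes, password: bytes) -> bytes:
    p = parse_eapol(reply)   # authentication server: identifier must match the outstanding request
    ok = p["ident"] == ident and hmac.compare_digest(p.get("value", b""), md5_value(ident, password, challenge))
    return eapol(eap(EAP_SUCCESS if ok else EAP_FAILURE, ident))
```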


EAP-TLS

EAPOL (client to switch)                              RADIUS (switch to server)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                                 EAP Response/Identity
EAP Request/TLS start                                 EAP Request/TLS start
EAP Response/TLS Client Hello                         EAP Response/TLS Client Hello
EAP Response/TLS Server Hello, Server Cert, Server Key Exchange, Cert Request, Server Hello Done
EAP Response/TLS Client Cert, Client Key Exchange, Cert Verify, Change Cipher Spec, TLS Finished
EAP Request/TLS Change_Cipher_Spec, TLS Finished
EAP Response                                          EAP Response
EAP Success                                           EAP Success
Protected tunnel


PEAP with MS-CHAPv2

Phase 1
EAPOL (client to switch)                              RADIUS (switch to server)
EAPOL-start
EAP Request/Identity
EAP Response/Identity                                 EAP Response/Identity
EAP Request/TLS start                                 EAP Request/TLS start
EAP Response/TLS Client Hello                         EAP Response/TLS Client Hello
EAP Response/TLS Server Hello, Server Cert, Server Key Exchange, Server Hello Done
EAP Response/Cert Verify, Change Cipher Spec
EAP Request/TLS Change_Cipher_Spec [Identity Request]

Phase 2 (protected)
Identity response                                     Identity response
EAP-MS-CHAPv2 Challenge                               EAP-MS-CHAPv2 Challenge
EAP-MS-CHAPv2 Response                                EAP-MS-CHAPv2 Response
EAP Success                                           EAP Success


802.1x and Port Security

Diagram: a hub shared by A = Attacker and B = Legitimate User, connected to a switch port whose authentication server is Cisco Secure ACS/RADIUS. The server's view: "I do not know A, I do know B." Result: port unauthorized. Port security and identity address this case.


Configuring 802.1x in Cisco IOS

1. Enable AAA.
2. Configure 802.1x authentication.
3. Configure RADIUS communications.
4. Enable 802.1x globally.
5. Configure interface and enable 802.1x.
6. Verify 802.1x operation.


Enable AAA

switch(config)#
aaa new-model
Enable AAA

switch(config)#
aaa authentication dot1x [<list name> | default] group radius
Create an IEEE 802.1x authentication method list

switch(config)#
aaa authorization network {default} group radius
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment

Configure RADIUS Communications

switch(config)#
radius-server host [host name | IP address]
Specify the IP address of the RADIUS server

switch(config)#
radius-server key [string]
Specify the authentication and encryption key (the shared secret)

switch(config)#
radius-server vsa send [accounting | authentication]
(Optional) Enable the switch to recognize and use VSAs (vendor-specific attributes)



Enable 802.1x Globally

switch(config)#
dot1x system-auth-control
Enable IEEE 802.1x authentication globally on the switch

switch(config)#
dot1x guest-vlan supplicant
(Optional) Enable the optional guest VLAN behavior globally on the switch


Configure Interface and Enable 802.1x

switch(config-if)#
switchport mode access / no switchport
Configure port as an access port

switch(config-if)#
dot1x port-control [force-authorized | force-unauthorized | auto]
Enable IEEE 802.1x authentication on the port

switch(config-if)#
dot1x host-mode multi-host
(Optional) Allow multiple clients on an IEEE 802.1x-authorized port



Verify 802.1x Operation

switch#
show dot1x
View the operational status of IEEE 802.1x

switch#
show dot1x [all | interface]
View the IEEE 802.1x status for all ports or a specific port


Demo : 802.1X Authentication


Q&A

Email: bien.ho@truongtan.edu.vn
Forum: http://ttgtc.com/forum/

