radius

Upload: vtuan1102
Post on 23-Oct-2014

TRANSCRIPT

Page 1: Radius

Topic: RADIUS

Hồ Đắc Biên
0985 196 884
[email protected]
CCIE Written, CCNP, CCNA
MCSA, MCITP-EA
Security+, CEH

Page 2: Radius

Pre-RADIUS Infrastructure

[Diagram: three sites, Boston (10,000 users), Worcester (10 NASs) and Springfield (100,000 management tasks); the NAS devices at each site are managed separately]

Multiple locations + multiple devices = management nightmare

http://www.truongtan.edu.vn

Page 3: Radius

RADIUS Implementation

[Diagram: the same sites, Boston (10,000 users), Worcester (10 NASs) and Springfield, now served by one RADIUS server (AAA server); the NAS devices become 10,000 centrally managed objects]

Location: no longer an issue
Updates: centrally, in one place

Page 4: Radius

What Is RADIUS?

• Client/server protocol that enables remote access servers to communicate with a central server to authenticate and authorize users to access that system
• Standardized method of information exchange between RADIUS client and server
• Simply put, a mechanism for delivering information

[Diagram: User <-- PPP or SLIP negotiation --> RADIUS Client <-- RADIUS Request/Response --> RADIUS Server]

Page 5: Radius

RADIUS Clients

•PPP Servers

•VPN

•Firewalls

• Wireless LAN access points

Page 6: Radius

Steel-Belted Radius

Central hub for distributed services: Authentication, Authorization, Accounting

Page 7: Radius

Server Groups

[Diagram: a workstation; server group RADIUS containing RADIUS_1 and RADIUS_2; server group TACACS+ containing TACACS+_1 and TACACS+_2]

Page 8: Radius

Authentication

Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption.

Page 9: Radius

Example of Authentication

!
username myuser password secure_password
!
aaa new-model
aaa authentication ppp default group radius group tacacs+ local
aaa authentication login admin local
!
radius-server host 10.0.1.12 key cisco
tacacs-server host 10.0.1.14 key cisco
!
line vty 0 4
 login authentication admin

Page 10: Radius

Authorization

Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

Page 11: Radius

Example of Authorization

aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
!
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin

Page 12: Radius

Accounting

Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

Page 13: Radius

Example of Accounting

aaa new-model
aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
aaa accounting network myacct start-stop group radius
!
username myuser password secure_password
!
radius-server host 10.0.1.12 key radiuskey
!
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
 ppp accounting myacct

Page 14: Radius

TACACS+ and RADIUS Comparison

                       TACACS+                                RADIUS
Port used              49 (authentication, authorization      Authentication/Authorization: 1645 and 1812
                       and accounting)                        Accounting: 1646 and 1813
Transport protocol     TCP                                    UDP
Encryption             Full packet body encryption            Hides only the password (User-Password attribute, in 16-byte blocks)
                                                              in the Access-Request; the rest of the packet is cleartext
AAA architecture       Separate control of each AAA service   AAA combined as one service
Standard/proprietary   Cisco (proprietary)                    Industry standard (RFC 2865/2866)

Page 15: Radius

Configuring AAA Services to Work with an AAA Server

[Diagram: a NAS with two AAA servers, Cisco Secure ACS 1 at 10.0.1.12 and Cisco Secure ACS 2 at 10.0.1.14]

router(config)# aaa new-model
router(config)# aaa authentication login default group tacacs+ enable
router(config)# aaa authorization network default group tacacs+ enable
router(config)# aaa accounting network myacct start-stop group radius
router(config)# tacacs-server host 10.0.1.12
router(config)# tacacs-server host 10.0.1.14
router(config)# tacacs-server key cisco123

OR

router(config)# tacacs-server host 10.0.1.12 key cisco123

Page 16: Radius

Network Configuration

Page 17: Radius

RADIUS Messages – Authentication Request

1. User: logs on to a service (Internet, network) over a PPP/SLIP connection
2. RADIUS Client: sends an Access-Request packet (username/password)
3. RADIUS Server: validation / authentication

Page 18: Radius

RADIUS Messages – Authentication Response

4. RADIUS Server: returns the access response (ACCEPT/REJECT/CHALLENGE)
5. RADIUS Client: receives the RADIUS response packet
6. User: ACCEPT/REJECT

Page 19: Radius

RADIUS Messages – Accounting

1. User: logs on to a service (Internet, network)
2. RADIUS Client: sends ACCT Start/Stop RADIUS packets
3. RADIUS Server: receives the accounting packets
4. ACCT dB: stored through an SQL INSERT statement or in a .ACT file

What happens:
1. User logs on, gets service (ACCT Start)
2. User plays on the Internet (time)
3. User disconnects
4. RADIUS Client generates and sends ACCT Stop with billing data
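The three message slides above describe the Access-Request, the Access-Accept/Reject and the Accounting-Request in prose. The following is an added example, not code from the deck or from any vendor, that builds those packets by hand per RFC 2865/2866 so the role of the shared secret is visible: only the User-Password attribute is hidden (an MD5 keystream XOR seeded by the Request Authenticator), the server proves it knows the secret through the Response Authenticator, and an Accounting-Request replaces the random authenticator with an MD5 over the packet. The secret `radiuskey`, the user `myuser` and the password are sample values taken from the config slides, and the attribute set is reduced to what the demonstration needs.

```python
"""RADIUS Access-Request / Access-Accept / Accounting-Request built by hand.

Added example (not from the slides).  Shows what the shared secret does in
RFC 2865/2866 RADIUS.  Secret, user and password are constructed samples.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 40, 44
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """Type(1) Length(1) Value; Length includes the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(attrs):
    """Walk the TLV list; reject truncated or zero-length attributes."""
    out, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Server-side inverse; strips the zero padding (a password may not end in NUL)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def access_request(ident, user, password, secret):
    """NAS side: fresh random Request Authenticator; User-Name travels in the clear."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def access_response(request, secret, expected_password):
    """Server side: recover the password, decide, sign the reply with the secret."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    hidden = parse_attrs(request[20:length])[USER_PASSWORD]
    ok = reveal_password(hidden, secret, req_auth) == expected_password
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def verify_response(request, response, secret):
    """NAS side: drop replies that do not match our request or were not signed with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def accounting_request(ident, user, session_id, status, secret):
    """RFC 2866 3: Request Authenticator = MD5 over the packet with 16 zero bytes in its place."""
    attrs = (attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(USER_NAME, user) + attr(ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs
```

Two things worth noticing when running it: the username and every attribute other than User-Password appear verbatim in the request bytes, which is what the comparison slide means by RADIUS not encrypting the whole packet, and a reply built with a different secret fails `verify_response`, which is the only thing standing between the NAS and a forged Access-Accept on the UDP path.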

Page 20: Radius

RADIUS Basics: Shared Secret Keys

[Diagram: symmetric encryption between two parties that hold the same shared secret / session key: plaintext -> encryption -> ciphertext -> decryption -> plaintext, in both directions]

The RADIUS client (NAS) and the RADIUS server are configured with the same shared secret; it keys the hiding of the User-Password attribute and the Request/Response Authenticator fields, so a server can only answer a client whose secret it knows.

Page 21: Radius

Cisco Secure ACS for Windows

[Diagram: remote client (dial-up) -> PSTN -> NAS; remote client (VPN client) -> Internet -> Internet router; internal clients -> switch. The NADs (AAA clients) send AAA requests to Cisco Secure ACS, which consults an external user database server and an external policy server]

PSTN = public switched telephone network

Page 22: Radius

Web Interface

Page 23: Radius

Hardware and Software Requirements

Hardware
• Pentium 4 processor, 1.8 GHz or faster
• 1 GB of RAM
• At least 1 GB of free disk space
• Minimum graphics resolution of 256 colors at 800x600 pixels
• CD-ROM drive
• 100Base-T or faster connection

Software
• Microsoft Windows 2000 Server, with SP4 installed
• Windows 2000 Advanced Server, with the following conditions:
  – With SP4 installed
  – Without Microsoft Windows 2000 Cluster Service installed
  – Without other features specific to Microsoft Windows 2000 Advanced Server enabled
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Standard Edition

Page 24: Radius

Demo : Router Authentication


Page 25: Radius

Trust and Identity

Implementing Cisco IBNS

Page 26: Radius

Concepts of Cisco IBNS in Action

[Diagram: identity-based authentication. An authorized user or wireless user with valid credentials (√) reaches the corporate network and corporate resources; an unauthorized external user with invalid/no credentials (X) gets no access]

Page 27: Radius

Cisco IBNS

Unified Control of User Identity for the Enterprise

[Diagram: Cisco Secure ACS with an OTP server (hard and soft tokens) at the center; Cisco VPN Concentrators, Cisco IOS Routers and Cisco PIX Firewalls as AAA clients; remote VPN clients and remote offices reach the router/firewall over the Internet]

Page 28: Radius

Cisco IBNS Port-Based Access Control

End user (client) <-> Cisco Catalyst 2950 Series switch <-> Authentication server (Cisco Secure ACS/RADIUS)

1. EAPOL-Start
2. Login request
3. Login response
4. Check with policy database
5. Policy database confirms ID and grants access
6. Policy database informs switch
7. Switch enables port

Page 29: Radius

IEEE 802.1X

• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily an encapsulation definition for EAP over IEEE 802 media (EAPOL is the key protocol)
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state monitoring

Page 30: Radius

802.1X Components

Supplicant <-- EAPOL --> Authenticator <-- RADIUS --> Authentication Server

Page 31: Radius

802.1X Operation

For each 802.1X switch port, the switch creates two virtual access points at each port: a controlled port and an uncontrolled port.

The controlled port is open only when the device connected to the port has been authorized by 802.1X.

The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only.

Page 32: Radius

How 802.1X Works

End user (client) <-- EAPOL --> Cisco Catalyst 2950 Series switch (NAD) <-- RADIUS --> Authentication server (Cisco Secure ACS)

The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.

Page 33: Radius

How 802.1X Works (Cont.)

End user (client) / Cisco Catalyst 2950 (switch) / Authentication server (Cisco Secure ACS)

Client -> Switch: EAPOL-Start
Switch -> Client: EAP Request/Identity
Client -> Switch: EAP Response/Identity
Switch -> Server: EAP Response/Identity, relayed over RADIUS
Client <-> Server (through the switch): EAP auth exchange with the AAA server, EAP-method dependent
Server -> Switch: Auth Success/Reject
Switch -> Client: EAP Success / EAP Failure
Port authorized; policies applied
Client -> Switch: EAPOL-Logoff
Port unauthorized

Page 34: Radius

What Is EAP?

• EAP: the Extensible Authentication Protocol
• A flexible transport protocol used to carry arbitrary authentication information, not the authentication method itself
• Typically runs directly over data-link layers such as PPP or IEEE 802 media
• Originally specified in RFC 2284, obsoleted by RFC 3748
• Supports multiple "authentication" types

Page 35: Radius

Current Prevalent Authentication Methods

Challenge-response-based
• EAP-MD5: uses MD5-based challenge-response for authentication
• LEAP: uses username/password authentication
• EAP-MS-CHAPv2: uses username/password MS-CHAPv2 challenge-response authentication

Cryptographic-based
• EAP-TLS: uses X.509 v3 PKI certificates and the TLS mechanism for authentication

Other
• EAP-GTC: generic token and OTP authentication

Page 36: Radius

EAP Methods

• EAP-MD5
• EAP-TLS
• PEAP with EAP-MS-CHAPv2

Page 37: Radius

EAP-MD5

Client <-- EAPOL --> Switch <-- RADIUS --> Server

Client -> Switch: EAPOL-Start
Switch -> Client: EAP Request/Identity
Client -> Switch -> Server: EAP Response/Identity
Server -> Switch -> Client: EAP Request/Challenge
Client -> Switch -> Server: EAP Response/Challenge
Server -> Switch -> Client: EAP Success
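The Request/Challenge and Response/Challenge frames in the EAP-MD5 flow above, and the "challenge-response-based" label the methods slide gives EAP-MD5, come down to one computation: the response value is MD5(Identifier || password || challenge). The following added example, not code from the deck, builds both EAP frames per RFC 3748 section 5.4, verifies the response on the server side, and then shows the caveat a practitioner wants: because the exchange travels unprotected on the LAN, anyone who captured the challenge and response can test password guesses offline, which is why this method is only acceptable inside a protected tunnel or not at all. The supplicant name, password and the fixed challenge in the test are constructed sample values.

```python
"""EAP-MD5 challenge/response frames (RFC 3748 5.4).

Added example, not part of the original deck.  Names, password and
challenge values are constructed samples.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4


def eap_packet(code, ident, payload=b""):
    """Code(1) Identifier(1) Length(2) then Type and Type-Data (absent for Success/Failure)."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def md5_challenge_request(ident, challenge, server_name=b"acs"):
    """Authenticator -> supplicant: Type 4, Value-Size, Value (challenge), Name."""
    return eap_packet(EAP_REQUEST, ident,
                      bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + server_name)


def md5_response_value(ident, password, challenge):
    """The 16-byte proof: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_challenge_response(request, password, user_name):
    """Supplicant: parse the request, answer with the same Identifier and our Name."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != EAP_REQUEST or length != len(request) or request[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 request")
    size = request[5]
    challenge = request[6:6 + size]
    value = md5_response_value(ident, password, challenge)
    return eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, 16]) + value + user_name)


def authenticate(response, ident, challenge, password_db):
    """Server: look up the Name, recompute the value, compare; answer Success or Failure."""
    code, r_ident, length = struct.unpack("!BBH", response[:4])
    if (code != EAP_RESPONSE or r_ident != ident or length != len(response)
            or response[4] != EAP_TYPE_MD5 or response[5] != 16):
        return eap_packet(EAP_FAILURE, ident)
    value, name = response[6:22], response[22:length]
    password = password_db.get(name)
    if password is None:
        return eap_packet(EAP_FAILURE, ident)
    if not hmac.compare_digest(value, md5_response_value(ident, password, challenge)):
        return eap_packet(EAP_FAILURE, ident)
    return eap_packet(EAP_SUCCESS, ident)


def offline_guess(ident, challenge, response_value, wordlist):
    """What an eavesdropper does with one captured pair: no further traffic,
    no interaction with the server, just hashing until a guess matches."""
    for guess in wordlist:
        if md5_response_value(ident, guess, challenge) == response_value:
            return guess
    return None
```

The server code mirrors the switch/ACS split on the slide only loosely: in the real exchange the switch relays these EAP packets inside RADIUS EAP-Message attributes and never looks at the value; only the authentication server holds the password database.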

Page 38: Radius

EAP-TLS

Client <-- EAPOL --> Switch <-- RADIUS --> Server

Client -> Switch: EAPOL-Start
Switch -> Client: EAP Request/Identity
Client -> Server: EAP Response/Identity
Server -> Client: EAP Request/TLS Start
Client -> Server: EAP Response/TLS Client Hello
Server -> Client: EAP Request/TLS Server Hello, Server Certificate, Server Key Exchange, Certificate Request, Server Hello Done
Client -> Server: EAP Response/TLS Client Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, TLS Finished
Server -> Client: EAP Request/TLS Change Cipher Spec, TLS Finished
Client -> Server: EAP Response
Server -> Client: EAP Success

Protected tunnel established (messages between client and server are relayed by the switch; frames from the server are EAP Requests, frames from the client are EAP Responses)

Page 39: Radius

PEAP with MS-CHAPv2

Client <-- EAPOL --> Switch <-- RADIUS --> Server

Phase 1 (TLS tunnel establishment, server authenticated by certificate)
Client -> Switch: EAPOL-Start
Switch -> Client: EAP Request/Identity
Client -> Server: EAP Response/Identity
Server -> Client: EAP Request/TLS Start
Client -> Server: EAP Response/TLS Client Hello
Server -> Client: EAP Request/TLS Server Hello, Server Certificate, Server Key Exchange, Server Hello Done
Client -> Server: EAP Response/TLS Client Key Exchange, Change Cipher Spec, TLS Finished
Server -> Client: EAP Request/TLS Change Cipher Spec, TLS Finished [Identity Request]

Phase 2 (protected, carried inside the TLS tunnel)
Client -> Server: Identity response
Server -> Client: EAP-MS-CHAPv2 Challenge
Client -> Server: EAP-MS-CHAPv2 Response
Server -> Client: EAP Success

Page 40: Radius

802.1X and Port Security

[Diagram: legitimate user B and attacker A share a hub plugged into one switch port. The switch, using port security and identity (Cisco Secure ACS/RADIUS), reasons "I do not know A, I do know B" and places the port in the unauthorized state]

A = Attacker
B = Legitimate User

Page 41: Radius

Configuring 802.1X in Cisco IOS

1. Enable AAA.
2. Configure 802.1X authentication.
3. Configure RADIUS communications.
4. Enable 802.1X globally.
5. Configure the interface and enable 802.1X.
6. Verify 802.1X operation.

Page 42: Radius

Enable AAA

switch(config)# aaa new-model
Enable AAA.

switch(config)# aaa authentication dot1x {list-name | default} group radius
Create an IEEE 802.1X authentication method list.

switch(config)# aaa authorization network default group radius
(Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment.

Page 43: Radius

Configure RADIUS Communications

switch(config)# radius-server host {hostname | ip-address}
Specify the IP address of the RADIUS server.

switch(config)# radius-server key string
Specify the authentication and encryption key (the shared secret).

switch(config)# radius-server vsa send [accounting | authentication]
(Optional) Enable the switch to recognize and use VSAs.

Page 44: Radius

Enable 802.1X Globally

switch(config)# dot1x system-auth-control
Enable IEEE 802.1X authentication globally on the switch.

switch(config)# dot1x guest-vlan supplicant
(Optional) Enable the optional guest VLAN behavior globally on the switch.

Page 45: Radius

Configure Interface and Enable 802.1X

switch(config-if)# switchport mode access
Configure the port as an access port.

switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
Enable IEEE 802.1X authentication on the port. Only auto authenticates the client; force-authorized opens the port without authentication and force-unauthorized keeps it closed.

switch(config-if)# dot1x host-mode multi-host
(Optional) Allow multiple clients on an IEEE 802.1X-authorized port.

Page 46: Radius

Verify 802.1X Operation

switch# show dot1x
View the operational status of IEEE 802.1X.

switch# show dot1x {all | interface interface-id}
View the IEEE 802.1X status for all ports or a specific port.
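The six steps above are usually verified by reading a running-config as much as by `show dot1x`. The following added example, not Cisco's tooling and not code from the deck, parses an IOS configuration as text and reports the omissions a reviewer checks for after those steps: the global AAA and `dot1x system-auth-control` lines, a RADIUS server and shared secret, and, per access port, a missing or non-`auto` `dot1x port-control` and the `multi-host` setting. The default method list is assumed (a named list would need its own matching line), and `SAMPLE_CONFIG` is constructed to contain one compliant access port, one force-authorized port, one multi-host port and one trunk.

```python
"""Audit a Cisco IOS configuration for the 802.1X settings of the preceding steps.

Added example, not Cisco's own tooling.  SAMPLE_CONFIG is a constructed config.
"""
import re

# Global commands every 802.1X-enabled switch needs.  The default method list
# is assumed; a named list would need the matching dot1x authentication line.
GLOBAL_REQUIRED = {
    "aaa new-model": "AAA not enabled",
    "aaa authentication dot1x default group radius": "no dot1x authentication method list",
    "dot1x system-auth-control": "802.1X not enabled globally",
}

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.1.12
radius-server key radiuskey
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control force-authorized
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet0/1
 switchport mode trunk
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit(text):
    """Return (scope, message) findings; an empty list means nothing was flagged."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    for cmd, msg in GLOBAL_REQUIRED.items():
        if cmd not in global_cmds:
            findings.append(("global", msg))
    if not any(g.startswith("radius-server host ") for g in global_cmds):
        findings.append(("global", "no RADIUS server configured"))
    # The secret may be global (radius-server key) or per host (... key string).
    has_key = any(g.startswith("radius-server key ") or re.match(r"radius-server host \S+ .*\bkey ", g)
                  for g in global_cmds)
    if not has_key:
        findings.append(("global", "no RADIUS shared secret configured"))
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed uplinks are outside port-based access control
        control = [c for c in cmds if c.startswith("dot1x port-control")]
        if not control:
            findings.append((name, "access port without dot1x port-control"))
        elif control[0] != "dot1x port-control auto":
            findings.append((name, "port-control is %s, not auto" % control[0].split()[-1]))
        if "dot1x host-mode multi-host" in cmds:
            findings.append((name, "multi-host: one authenticated client opens the port for every MAC behind it"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` and only FastEthernet0/2 (force-authorized) and FastEthernet0/3 (multi-host) are reported; remove the `dot1x system-auth-control` line and a global finding appears as well, which matches what an operator sees when `show dot1x` reports the feature disabled despite correct interface commands.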

Page 47: Radius

Demo : 802.1X Authentication


Page 48: Radius

Q & A

Email: [email protected]
Forum: http://ttgtc.com/forum/