RADIUS presentation by Sunil Vallamkonda (Oct. 25, 2006)

TRANSCRIPT

  • Slide 1
  • RADIUS, Sunil Vallamkonda, Oct. 25, 2006
  • Slide 2
  • What is AAA? Authentication, Authorization, Accounting.
  • Slide 3
  • Authentication: verify a person's or a machine's declared identity. Mechanisms: passwords, PKI. A key aspect is the trust relationship between the parties; in RADIUS the NAS (client) and the server trust each other only through a shared secret.
  • Slide 4
  • Authorization: rules or templates that define what an authenticated user may do on a system. A dial-up user's request can be for a single link or for multiple links.
  • Slide 5
  • Accounting: measures and tracks the resources a user accesses, including session time, amount of data transferred, session statistics and resource utilisation. The logs are sent to billing and security servers for analysis.
  • Slide 6
  • (figure only; not transcribed)
  • Slide 7
  • (figure only; not transcribed)
  • Slide 8
  • (figure only; not transcribed)
  • Slide 9
  • Properties: client/server model; UDP based; hop-by-hop security (each NAS-to-server or proxy-to-server hop is protected only by that hop's shared secret, so a proxy sees the attributes in the clear); stateless; uses MD5 for password hiding (the User-Password attribute is XORed with an MD5-derived keystream rather than encrypted with a modern cipher); attribute-value (A-V) pairs; PAP/CHAP carried via PPP.
  • Slide 10
  • Packet codes: Access-Request (1), Access-Accept (2), Access-Reject (3), Accounting-Request (4), Accounting-Response (5), Access-Challenge (11), Status-Server (12), Status-Client (13); the last two are marked experimental in RFC 2865.
  • Slide 11
  • RADIUS packet header: Code (1 octet), Identifier (1), Length (2), Authenticator (16), followed by the attributes. Code: as above. Identifier: matches a reply to the request that produced it and, together with the client's source address and port, lets the server recognise retransmissions. Length: valid range 20 to 4096 octets; a packet shorter than its Length field is silently discarded and octets beyond the Length are ignored. Authenticator: in a request it is the Request Authenticator, 16 random and unpredictable octets that also seed the one-way MD5 hiding of the User-Password; in a reply it is the Response Authenticator, MD5(Code + Identifier + Length + Request Authenticator + Attributes + shared secret), which the client verifies before accepting the reply.
  • Slide 12
  • Packet formats
  • Slide 13
  • Packet formats
  • Slide 14
  • Access-Request/Accept packet
  • Slide 15
  • Access-Reject
  • Slide 16
  • Authentication methods. PAP (Password Authentication Protocol): the password travels in the User-Password attribute, hidden by MD5/XOR with the shared secret. CHAP (Challenge Handshake Authentication Protocol): the password is never sent on the wire; the client sends MD5(ID + password + challenge) and the server, which must hold the cleartext password, recomputes it. PAP is sometimes preferred where authorization must travel outside the realm of control, for example when the request is proxied to a home server that stores only hashed passwords and therefore cannot verify CHAP.
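The header, the Request/Response Authenticators and the PAP password hiding from slides 11 and 16, worked through as an added example (this is not code from the presentation): a NAS builds an Access-Request with a hidden User-Password, the server recovers the password and answers Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the reply. Only the Python standard library is used; the shared secret, user name and password in the usage at the bottom are made-up values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute numbers


def avp(attr_type, value):
    """Type (1 octet), Length (1 octet, includes the 2-octet header), Value (1..253 octets)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Walk the attribute area into [(type, value), ...], rejecting impossible lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to 16-octet blocks, XOR block n with MD5(secret + ciphertext
    block n-1), where "block 0" is the Request Authenticator. MD5 keystream, not a modern cipher."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))   # ciphertext block
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse; the NUL padding is stripped, so a password cannot end in NUL."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    """Code (1), Identifier (1), Length (2), Authenticator (16), then the attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(identifier, username, password, secret):
    """NAS side: fresh random Request Authenticator, User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = avp(USER_NAME, username) + avp(USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_handle(packet, secret, users):
    """Server side: recover the password, compare it, reply with Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or not 20 <= length <= 4096:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    name, hidden = attrs.get(USER_NAME), attrs.get(USER_PASSWORD)
    ok = False
    if name in users and hidden and len(hidden) % 16 == 0:
        ok = hmac.compare_digest(reveal_password(hidden, secret, request_auth), users[name])
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, identifier, request_auth, b"", secret)
    return build_packet(reply, identifier, auth, b"")


def verify_response(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator; a mismatch means a forged or corrupted reply."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or not 20 <= length <= 4096:
        return False
    expected = response_authenticator(code, identifier, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"s3cr3t"                                   # made-up shared secret
    req, req_auth = access_request(7, b"alice", b"hunter2", secret)
    reply = server_handle(req, secret, {b"alice": b"hunter2"})
    print("code", reply[0], "authentic", verify_response(reply, req_auth, secret))
```

The hop-by-hop weakness is visible here: anyone who knows the shared secret and sees the Request Authenticator can run `reveal_password`, and the Response Authenticator is only as strong as MD5 with a secret appended, which is why EAP deployments add Message-Authenticator and why RADIUS should be carried over IPsec or TLS on untrusted networks.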
  • Slide 17
  • (figure only; not transcribed)
  • Slide 18
  • The CHAP 3-way handshake
  • Slide 19
  • CHAP security
  • Slide 20
  • Using RADIUS and CHAP
  • Slide 21
  • (figure only; not transcribed)
  • Slide 22
  • Realm: an identifier placed before or after the value normally carried in User-Name so that a proxy can decide which server to contact. Prefix realms use a delimiter such as "\" or "/" (CSI\john); suffix realms use "@" (james@itmm).
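Realm splitting as a proxy would do it, added here as an example rather than taken from the presentation. The routing table `ROUTES` and the realm names are constructed for the example; the rules that a prefix delimiter wins over the suffix "@", that the last "@" is the realm separator, and that an unknown realm is rejected rather than forwarded are this example's assumptions, not something the slide specifies.

```python
from typing import Optional, Tuple

PREFIX_DELIMITERS = ("\\", "/")   # realm\user or realm/user
SUFFIX_DELIMITER = "@"            # user@realm

# Hypothetical proxy routing table, realm -> (home server, port); constructed for this example.
ROUTES = {
    "local": ("127.0.0.1", 1812),   # handled by this server
    "csi": ("10.0.0.5", 1812),
    "itmm": ("10.0.0.6", 1812),
}


def split_realm(user_name: str, default_realm: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (realm, bare user) for a User-Name value.
    Prefix delimiters are checked first; the suffix form splits on the last '@' so that a
    user part that itself looks like an e-mail address is not mis-split."""
    for delim in PREFIX_DELIMITERS:
        if delim in user_name:
            realm, _, user = user_name.partition(delim)
            return realm.lower(), user
    if SUFFIX_DELIMITER in user_name:
        user, _, realm = user_name.rpartition(SUFFIX_DELIMITER)
        return realm.lower(), user
    return default_realm, user_name


def route(user_name: str, default_realm: Optional[str] = "local") -> Optional[Tuple[str, int, str]]:
    """Decide where a request goes. Returns (host, port, bare user), or None to reject it locally."""
    realm, user = split_realm(user_name, default_realm)
    if not user or not realm:          # '@itmm' or 'csi\' carry no usable identity
        return None
    if realm not in ROUTES:            # never forward to a realm we have no trust relationship with
        return None
    host, port = ROUTES[realm]
    return host, port, user
```

Whether the bare user or the full User-Name is forwarded to the home server is a deployment choice; stripping the realm, as `route` does, is what a proxy does when the home server's user database does not know about realms.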
  • Slide 23
  • Hints: RADIUS can be set up to handle service authorizations based on hints, which control the resources needed to provision a service for the client, for example a specific IP address or an IP pool. If the NAS cannot allocate the requested resource, the service is disconnected. Hints can be temporary, optional, or describe extra characteristics.
  • Slide 24
  • Attributes describe a property of a type of service. Standard RADIUS attributes vs. vendor-specific attributes (VSAs). Attribute value types (RFC 2865): INT (4 octets, 32-bit unsigned), ENUM (4 octets, 32-bit unsigned), IPADDR (4 octets, 32-bit), STRING (1 to 253 octets, variable length), DATE (4 octets, 32-bit unsigned, seconds since 1970), BINARY (1 octet). Examples: INT: 6, 256; ENUM: 3 = Callback-Login, 4 = Callback-Framed; STRING: Charlotte, San Jose; IPADDR: 0x1954ff8e (25.84.255.142); DATE: 0x00000a; BINARY: 1.
  • Slide 25
  • Attributes, example of a standard one: Callback-Number. Number: 19. Length: 3 or more octets. Value: String. Allowed in: Access-Request, Access-Accept. Prohibited in: Access-Reject, Access-Challenge. Maximum occurrences: 1. Presence in packet: not required.
  • Slide 26
  • Dictionary: the server has a way of relating each attribute number to its name and expected type. Example: Attribute-Name: User-Name, Number: 1, Type: String; Attribute-Name: NAS-IP-Address, Number: 4, Type: IPADDR; Attribute-Name: Service-Type, Number: 6, Type: ENUM.
  • Slide 27
  • AVP pattern
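A dictionary-driven attribute decoder covering slides 24 to 27 (attribute types, the Callback-Number example, the dictionary and the AVP pattern), added as an example and not part of the original presentation. The dictionary holds only a handful of RFC 2865 attributes; the sample attribute area is constructed, including a Cisco (vendor id 9) Cisco-AVPair sub-attribute inside Vendor-Specific, and is not a capture. Fixed-size types are length-checked, because an attribute whose Length disagrees with its type is exactly the kind of input that has crashed real servers.

```python
import datetime
import ipaddress
import struct

# Minimal dictionary: attribute number -> (name, value type). Numbers are the RFC 2865 ones.
DICTIONARY = {
    1: ("User-Name", "text"),
    4: ("NAS-IP-Address", "ipaddr"),
    6: ("Service-Type", "integer"),
    19: ("Callback-Number", "text"),
    26: ("Vendor-Specific", "vsa"),
    55: ("Event-Timestamp", "date"),
}
# Enumerated values for Service-Type (RFC 2865 s5.6).
ENUMS = {"Service-Type": {1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed"}}


def walk_tlv(data: bytes):
    """Yield (type, value) for a run of Type/Length/Value attributes, rejecting bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def decode_value(name: str, kind: str, raw: bytes):
    """Convert the raw value octets according to the dictionary type, checking fixed sizes."""
    if kind in ("integer", "date", "ipaddr") and len(raw) != 4:
        raise ValueError("%s: expected 4 octets, got %d" % (name, len(raw)))
    if kind == "integer":
        n = struct.unpack("!I", raw)[0]
        return ENUMS.get(name, {}).get(n, n)          # ENUM is an integer with a name table
    if kind == "date":
        return datetime.datetime.fromtimestamp(struct.unpack("!I", raw)[0], datetime.timezone.utc)
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    if kind == "text":
        return raw.decode("utf-8")
    if kind == "vsa":
        # Vendor-Id (4 octets) followed by vendor sub-attributes in the usual T/L/V shape.
        if len(raw) < 6:
            raise ValueError("%s: too short for a vendor id and one sub-attribute" % name)
        vendor_id = struct.unpack("!I", raw[:4])[0]
        return vendor_id, list(walk_tlv(raw[4:]))
    return raw                                        # opaque "string" (binary) value


def decode_attributes(data: bytes) -> list:
    """Dictionary-driven decode of a RADIUS attribute area into [(name, value), ...]."""
    out = []
    for attr_type, raw in walk_tlv(data):
        name, kind = DICTIONARY.get(attr_type, ("Attr-%d" % attr_type, "string"))
        out.append((name, decode_value(name, kind, raw)))
    return out


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type/Length/Value attribute (Length counts the 2-octet header)."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample attribute area (not a real capture): a Callback-Login request from a NAS
# at 10.0.0.1, stamped 2006-10-25 00:00:00 UTC, carrying a Cisco (vendor 9) AVPair (sub-type 1).
SAMPLE_ATTRS = (
    avp(1, b"james@itmm")
    + avp(4, bytes([10, 0, 0, 1]))
    + avp(6, struct.pack("!I", 3))
    + avp(55, struct.pack("!I", 1161734400))
    + avp(26, struct.pack("!I", 9) + avp(1, b"shell:priv-lvl=15"))
)

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE_ATTRS):
        print(name, "=", value)
```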
  • Slide 28
  • Accounting: client/server model. Extensible: proxied, and defined and qualified by AVPs. Packets: Accounting-Request (Acct-Status-Type Start or Stop) and Accounting-Response, which acknowledges it.
  • Slide 29
  • Ports: authentication udp/1812, accounting udp/1813 (older deployments used udp/1645 and udp/1646).
  • Slide 30
  • Implementations: Livingston, GNU RADIUS, FreeRADIUS, Cistron, Radiator, Alepo, Juniper Steel-Belted Radius.
  • Slide 31
  • Performance metrics: logons per second, logoffs per second, rejects per second, reject-cause threshold, total packets per second per interface, load average, memory and disk usage.
  • Slide 32
  • EAP (Extensible Authentication Protocol): used over links running PPP. Authentication schemes such as public key, smart cards, OTP and Kerberos are supported over PPP when EAP is used. RADIUS support for EAP (RFC 2869) adds two attributes: EAP-Message (79), which carries the EAP packets, and Message-Authenticator (80), an HMAC-MD5 over the RADIUS packet keyed with the shared secret so that EAP traffic cannot be spoofed or modified by someone who only sees the wire.
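How the two attributes are used on an Access-Request carrying EAP, as an added example (not the presenter's code): the EAP packet is split over EAP-Message attributes of at most 253 octets, and Message-Authenticator is HMAC-MD5 over the whole RADIUS packet keyed with the shared secret, computed with the attribute's own value set to zero (RFC 2869, tightened by RFC 3579). The secret and identity are made-up; the validator handles Access-Request only (for replies the Request Authenticator is substituted into the header before hashing).

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RFC 2869 attribute numbers
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1        # EAP code / type (RFC 3748)


def avp(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def walk_tlv(data: bytes):
    """Yield (type, offset_of_value, value) so a caller can locate a value inside the packet."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield data[i], i + 2, data[i + 2:i + data[i + 1]]
        i += data[i + 1]


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response/Identity: Code (1), Identifier (1), Length (2), Type (1), Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_eap_access_request(identifier: int, secret: bytes, eap_packet: bytes,
                             request_auth: bytes = None) -> bytes:
    """NAS side: fragment the EAP packet into EAP-Message attributes, append a zeroed
    Message-Authenticator, HMAC-MD5 the whole packet and write the result into that attribute."""
    request_auth = request_auth or os.urandom(16)
    attrs = b"".join(avp(EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253))
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac      # Message-Authenticator was appended last, so its value is the tail


def validate_eap_request(pkt: bytes, secret: bytes) -> str:
    """Server side. Returns 'ok' or the reason the Access-Request must be silently discarded."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "malformed"
    try:
        attrs = list(walk_tlv(pkt[20:]))
    except ValueError:
        return "malformed"
    has_eap = any(t == EAP_MESSAGE for t, _, _ in attrs)
    mas = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        # RFC 3579 s3.2: an Access-Request with EAP-Message but no Message-Authenticator is dropped.
        return "missing-message-authenticator" if has_eap else "ok"
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return "malformed"
    off, received = mas[0]
    zeroed = pkt[:20 + off] + b"\x00" * 16 + pkt[20 + off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "bad-message-authenticator"


def reassemble_eap(pkt: bytes) -> bytes:
    """Concatenate the EAP-Message values in order to recover the EAP packet."""
    return b"".join(v for t, _, v in walk_tlv(pkt[20:]) if t == EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"s3cr3t"                                   # made-up shared secret
    req = build_eap_access_request(3, secret, eap_response_identity(1, b"alice@example"))
    print(validate_eap_request(req, secret), reassemble_eap(req).hex())
```

Unlike the Response Authenticator, this check also protects the request direction, which is why a server that accepts EAP should be configured to require Message-Authenticator on every Access-Request, not only on those carrying EAP-Message.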
  • Slide 33
  • EAP architecture (layers, top to bottom): user authentication protocol (PAP, CHAP, MS-CHAP, etc.); EAP inner application extension to TLS; TLS; EAP-TTLS; carrier protocol (PPP, EAPOL, RADIUS, etc.).
  • Slide 34
  • User protocol, EAP layering (top to bottom): user authentication protocol (MD5-Challenge, etc.); EAP; inner application extension to TLS; TLS; EAP-TTLS; EAP; carrier protocol (PPP, EAPOL, RADIUS, Diameter, etc.).
  • Slide 35
  • 802.1X
  • Slide 36
  • Port-based authentication. Why is it called "port"-based authentication? The Authenticator deals with a controlled and an uncontrolled port. Both are logical entities (virtual ports) that share the same physical connection to the LAN (the same point of attachment).
  • Slide 37
  • Port-based authentication (figure)
  • Slide 38
  • (continued) The figure shows the authorization state of the controlled port. Before authentication only the uncontrolled port is "open", and the only traffic it allows is EAPOL (Authenticator System 1 in the figure). After the Supplicant has been authenticated the controlled port is opened and access to other LAN resources is granted (Authenticator System 2 in the figure). 802.1X plays a major role in the IEEE wireless security standard 802.11i.
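A small model of the controlled/uncontrolled port decision from slides 36 to 38, added as an example and not from the presentation. The frame representation (an EtherType plus a payload) and the result strings are this example's own; the EAPOL packet types and EAP codes are the IEEE 802.1X and RFC 3748 values. The point it makes concrete is that EAPOL (EtherType 0x888E) is the only thing that crosses the uncontrolled port, and that an EAPOL-Logoff closes the controlled port again.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types (IEEE 802.1X)
EAP_SUCCESS, EAP_FAILURE = 3, 4                         # EAP codes (RFC 3748)


def eapol(ptype: int, body: bytes) -> bytes:
    """EAPOL frame payload: Protocol Version (1), Packet Type (1), Body Length (2), Body."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


class AuthenticatorPort:
    """One physical point of attachment with its two virtual ports.
    The uncontrolled port always passes EAPOL to the Authenticator PAE; the controlled port
    forwards ordinary LAN traffic only while the port is in the Authorized state."""

    def __init__(self):
        self.authorized = False

    def ingress(self, ethertype: int, payload: bytes) -> str:
        """What the Authenticator does with a frame arriving from the supplicant side."""
        if ethertype == EAPOL_ETHERTYPE:
            return self._eapol(payload)          # uncontrolled port: reachable in every state
        if self.authorized:
            return "forward-lan"                 # controlled port open
        return "drop"                            # controlled port closed

    def _eapol(self, payload: bytes) -> str:
        if len(payload) < 4:
            return "drop"
        _version, ptype, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if ptype == EAPOL_LOGOFF:
            self.authorized = False              # supplicant asked to leave: close the port
            return "deauthorized"
        if ptype == EAPOL_START:
            return "send-eap-request-identity"   # PAE begins an EAP conversation
        if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
            return "to-authentication-server"    # relayed to RADIUS inside EAP-Message
        return "drop"

    def server_result(self, eap_code: int) -> None:
        """Apply the EAP Success or Failure that came back from the RADIUS server."""
        self.authorized = eap_code == EAP_SUCCESS


if __name__ == "__main__":
    port = AuthenticatorPort()
    print(port.ingress(0x0800, b"\x45" + b"\x00" * 19))        # IPv4 before auth: drop
    print(port.ingress(EAPOL_ETHERTYPE, eapol(EAPOL_START, b"")))
    port.server_result(EAP_SUCCESS)
    print(port.ingress(0x0800, b"\x45" + b"\x00" * 19))        # after auth: forward-lan
```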
  • Slide 39
  • WEP (Wired Equivalent Privacy), part of the original 802.11 standard, was meant to provide confidentiality. Unfortunately WEP is poorly designed and easily cracked. It has no authentication mechanism, only a weak form of access control (you must hold the shared key to communicate). In response to WEP's broken security the IEEE produced a new wireless security standard, 802.11i, in which 802.1X plays a major role.
  • Slide 40
  • 802.11i, ratified in June 2004, addresses the WEP weaknesses. It has three main parts. Temporal Key Integrity Protocol (TKIP) is a short-term fix for the known WEP flaws that runs on old 802.11 equipment after a driver/firmware upgrade and provides integrity and confidentiality, but it still uses RC4. Counter Mode with CBC-MAC Protocol (CCMP), built on CCM mode [RFC 3610], is a new protocol designed from the ground up; it uses AES [FIPS 197], which is more CPU intensive than the RC4 used in WEP and TKIP, so new 802.11 hardware may be required (some drivers implement CCMP in software). CCMP provides integrity and confidentiality. 802.1X port-based network access control is used for authentication whether TKIP or CCMP is in use. An optional cipher, Wireless Robust Authentication Protocol (WRAP), may be used instead of CCMP; WRAP was the original AES-based proposal for 802.11i but was replaced by CCMP after it became encumbered by intellectual-property claims. WRAP support is optional, CCMP support is mandatory in 802.11i. 802.11i also adds extended key derivation and management.
  • Slide 41
  • 802.1X takes advantage of an existing authentication protocol know