
RADIUS Authentication

The primary function of the RADIUS server is authentication, the first “A” of the AAA transaction process. This section covers basics of authentication:

• What happens during the authentication process
• Types of authentication available
• RADIUS attribute exchange
• RADIUS dictionaries

User authentication at the ISP is a multi-step process. Process steps occur both at the ISP and at the subscriber site (refer to Figure 1):

1. A user dials in to one of several remote access servers at the ISP and PPP negotiation begins.
2. The RAS passes authentication information—username and password—obtained during PPP negotiations to the ISP’s local Proxy RADIUS server.
3. The Proxy RADIUS server parses the user name, e.g., username@companyname. The RADIUS server performs a translation in its database to determine the IP address of the username’s Enterprise RADIUS server for “companyname”. After establishing the proper remote link to the username’s Enterprise network, the username and password are forwarded to the Enterprise’s RADIUS server for further authentication.
4. If the username’s Enterprise RADIUS server is able to authenticate the user, it issues an accept response to the ISP’s Proxy RADIUS server. The Proxy RADIUS server, in turn, issues an accept response to the ISP’s RAS, along with the user profile information obtained from the subscriber’s Enterprise RADIUS server. The RAS requires the profile to set up the connection. If the subscriber’s Enterprise RADIUS server is unable to authenticate the user, it issues a reject response to the ISP’s RAS, along with a text string indicating the reason.
5. Using this information, the RAS completes PPP negotiation with the user: if the ISP’s RAS received an “accept” response, it allows access to the username’s Enterprise network. If the ISP’s RAS received a “reject” response, it terminates the user’s connection. It may pass on the reason for termination so that it can be displayed at the user’s terminal.
Authentication Types

During an authentication transaction, password information is transmitted between the User, RAS and RADIUS server. The password information is always encrypted between the RAS and the RADIUS server using a secret key entered both at the RAS and at the RADIUS server.

The password information originally comes from the user, usually as part of PPP negotiations. The RAS is really just an intermediary. The authentication transaction occurs between the user and the RADIUS server.
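The five-step proxy flow above and the shared-secret protection of the password on the RAS-to-RADIUS leg, as an added worked example in Python (this is not code from the white paper or from any RADIUS product). It encodes Access-Request, Access-Accept and Access-Reject packets in the RFC 2865 wire layout, hides the User-Password with the RAS/RADIUS shared secret exactly as RFC 2865 section 5.2 specifies, splits the User-Name at “@” to route the request to the realm’s Enterprise server, and has the RAS check the Response Authenticator before acting on the reply. The realm table, the shared secret, the user database and the Framed-IP-Address profile value are all constructed for illustration, and the Enterprise server is modelled as an in-process function rather than a second RADIUS hop, so the proxy does not re-hide the password with an Enterprise secret.

```python
"""Added example, not code from the white paper: minimal RADIUS proxy flow.
Packet encoding, User-Password hiding and the Response Authenticator follow
RFC 2865; realms, secrets and users below are constructed for illustration."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3           # packet codes
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 8, 18  # attribute types


def _attrs_bytes(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte length (incl. header), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode_packet(code, ident, authenticator, attrs):
    """Header: code, identifier, total length, 16-byte authenticator, then attributes."""
    body = _attrs_bytes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode_packet(data):
    """Parse a packet; inconsistent lengths are rejected instead of read past."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: pad to a multiple of 16, XOR block i with MD5(secret + c[i-1]),
    where c[0] is the Request Authenticator. Passwords are at most 128 octets."""
    if len(password) > 128:
        raise ValueError("password too long for User-Password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, request_auth, secret):
    """Inverse of hide_password; the key for each block comes from the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(reply header + Request Authenticator + reply attributes + secret)."""
    body = _attrs_bytes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


RAS_PROXY_SECRET = b"constructed-ras-proxy-secret"   # entered at both RAS and proxy
REALMS = {"companyname": "enterprise-radius"}         # constructed realm -> Enterprise server
ENTERPRISE_USERS = {"enterprise-radius": {"alice": (b"s3cret", "10.1.2.3")}}  # constructed


def enterprise_server(server, user, password):
    """Step 4: the Enterprise server checks its own database and returns a verdict plus profile."""
    entry = ENTERPRISE_USERS[server].get(user)
    if entry is None or entry[0] != password:
        return ACCESS_REJECT, [(REPLY_MESSAGE, b"invalid credentials")]
    return ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, bytes(int(o) for o in entry[1].split(".")))]


def proxy_server(request):
    """Step 3: recover the password with the RAS secret, route by realm, sign the reply."""
    code, ident, req_auth, attrs = decode_packet(request)
    a = dict(attrs)
    password = unhide_password(a[USER_PASSWORD], req_auth, RAS_PROXY_SECRET)
    user, _, realm = a[USER_NAME].decode().rpartition("@")
    target = REALMS.get(realm)
    if target is None:
        rcode, rattrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"unknown realm")]
    else:
        rcode, rattrs = enterprise_server(target, user, password)
    auth = response_authenticator(rcode, ident, req_auth, rattrs, RAS_PROXY_SECRET)
    return encode_packet(rcode, ident, auth, rattrs)


def ras_dial_in(user_name, password):
    """Steps 2 and 5: build the Access-Request, verify the reply, then accept or terminate."""
    req_auth = os.urandom(16)                      # fresh Request Authenticator per request
    attrs = [(USER_NAME, user_name.encode()),
             (USER_PASSWORD, hide_password(password, req_auth, RAS_PROXY_SECRET))]
    req = encode_packet(ACCESS_REQUEST, 7, req_auth, attrs)
    code, ident, resp_auth, rattrs = decode_packet(proxy_server(req))
    if ident != 7 or resp_auth != response_authenticator(code, ident, req_auth, rattrs, RAS_PROXY_SECRET):
        return "discard", "reply not authenticated"   # forged or mis-keyed reply: ignore it
    if code == ACCESS_ACCEPT:
        return "accept", ".".join(str(b) for b in dict(rattrs)[FRAMED_IP_ADDRESS])
    return "reject", dict(rattrs)[REPLY_MESSAGE].decode()
```

Two points worth noticing when running it: the hidden User-Password is always a multiple of 16 octets, so the attribute leaks only a coarse length bound, and a reply whose Response Authenticator does not verify under the RAS secret is discarded rather than treated as a reject, which is the check a RAS needs so that an unauthenticated packet cannot decide the outcome of a session.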
Authentication Between the User and RAS

RADIUS supports two types of authentication transactions between a remote access user and a RAS: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP and CHAP are authentication methods used in Point to Point Protocol (PPP).

• PAP is very simple. The user sends his or her password to the RADIUS server, and the RADIUS server validates it either against its own database or against the Microsoft NT Domain or Workgroup, NetWare Bindery or NDS, or the UNIX NIS. Of the two legs of the journey the password takes between user and RADIUS server, the first leg, from the user to the RAS, is usually unencrypted, and the RAS gets the password from the user in clear text. In the second leg, from the RAS to the RADIUS server, the RAS encrypts the password and the RADIUS server decrypts it using a shared secret key. Ultimately, the RADIUS server has the password in clear text form and is able to use it directly for authentication.

• CHAP avoids sending passwords in clear text over any communication link. Using CHAP, the RAS generates a random number, the challenge, and sends it to the user. The user’s PPP client creates a “digest”—a one-way encryption—of the password concatenated with the challenge, and sends this digest to the RAS. Because the digest is a one-way encryption, the RADIUS server cannot recover the password from the digest. Instead, it performs the identical digest operation using its own copy of the user’s password stored in clear text in the RADIUS server’s database along with the same challenge. If the two digests match, the user is authenticated.
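The CHAP exchange described in the second bullet, as an added example in Python that is not code from the white paper. It follows RFC 1994 for the digest (MD5 over the CHAP identifier, the clear-text password and the challenge) and RFC 2865 for how the RADIUS server receives it: the CHAP-Password attribute carries the identifier followed by the 16-byte digest, and when no CHAP-Challenge attribute is present the challenge is the Request Authenticator. The user database and the user name are constructed; `radius_verify` and `verify_access_request` are names chosen here, not a product API.

```python
"""Added example, not code from the white paper: CHAP between PPP client, RAS
and RADIUS server. Digest per RFC 1994, attribute handling per RFC 2865;
the user database below is constructed for illustration."""
import hashlib
import hmac
import os

# Constructed RADIUS server database. CHAP needs the clear-text password on the
# server so that it can repeat the client's digest operation.
USER_DB = {"alice": b"s3cret"}


def chap_digest(identifier, password, challenge):
    """The one-way digest the client sends instead of the password."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def ras_challenge():
    """RAS side: a fresh random challenge and identifier for every attempt."""
    return os.urandom(16), os.urandom(1)[0]


def client_response(identifier, challenge, password):
    """PPP client side: password never leaves the client, only the digest does."""
    return chap_digest(identifier, password, challenge)


def radius_verify(username, identifier, challenge, digest):
    """RADIUS server side: recompute from the stored password and compare in
    constant time. A mismatch yields only 'reject'; nothing about the password leaks."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(chap_digest(identifier, stored, challenge), digest)


def verify_access_request(username, chap_password, request_auth, chap_challenge=None):
    """Unpack the RADIUS attributes: CHAP-Password = identifier || 16-byte digest;
    the challenge is CHAP-Challenge if present, otherwise the Request Authenticator."""
    if len(chap_password) != 17:
        return False                      # malformed attribute: reject, do not guess
    identifier, digest = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_auth
    return radius_verify(username, identifier, challenge, digest)


def chap_login(username, password):
    """One complete round: RAS challenge -> client digest -> RADIUS verdict."""
    challenge, ident = ras_challenge()
    digest = client_response(ident, challenge, password)
    return radius_verify(username, ident, challenge, digest)
```

Because the challenge changes on every attempt, a digest observed on the line is bound to that challenge only; checking a captured digest against a different challenge or identifier fails, which is the property that lets CHAP avoid clear-text passwords on the first leg. The cost, visible in `USER_DB`, is that the RADIUS server must keep passwords recoverable, so that database needs the same protection the shared secret gets.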
White Paper RADIUS Security Technology