Remote Authentication Dial In User Service Security and Accounting Server (RADIUS 2.0)
Product Overview
Lucent's Remote Authentication Dial In User Service (RADIUS 2.0) is the latest version of the
RADIUS Security and Accounting Server. RADIUS 2.0 adds authentication with Security Dynamics,
Inc. (SDI) SecurID cards and ACE/Server, a new scripting language for per-user menus, and
enhanced attribute support.
Key Features and Benefits
RADIUS 2.0 Security Options
RADIUS 2.0 offers many ways to implement security for remote LAN access. These options
include a password database, dial-back, PAP and CHAP, and third-party authentication servers
such as SDI SecurID cards and ACE/Server. Because RADIUS 2.0 maintains a unique profile for
each user, the authentication method is selected on a per-user basis, which makes it the most
flexible approach to remote access security.
Security Dynamics Support
SDI is a third-party authentication system based on token-generating cards and an
authentication server called ACE/Server. At login the remote user enters a Personal
Identification Number (PIN) together with a one-time passcode generated by the card. This is
stronger than a static, remembered password because it is a two-factor process: something the
user knows (the PIN) and a physical token that must be in the user's possession, and a
captured passcode is of no further use once its time window has passed.
How Security Dynamics Works
An example remote LAN access network is shown in Figure 1 and described step by step below.
The components of the network are: a remote laptop user with a modem and a SecurID card, the
PortMaster Communications Server, a RADIUS 2.0 Security and Accounting Server, and the SDI
ACE/Server.
1. A connection is initiated by the remote laptop user dialing into the
PortMaster.
2. The PortMaster prompts the remote user for a login ID and password.
3. The user enters the login ID, keys the private PIN into the SecurID PINPAD card, and types
the card's response as the password.
4. The PortMaster forwards this information to the RADIUS 2.0 Server for authentication.
5. The RADIUS 2.0 server looks into its user database for the profile of the remote user. It
looks to see what type of security should be used, and in this case, finds SecurID as the
authentication method. The RADIUS 2.0 server forwards the login ID name and password
to the ACE/Server for authentication.
6. The ACE/Server performs its own lookup of the remote user, finds the serial number of the
SecurID card assigned to that user, and computes the passcode expected from that card at the
current time. If the value the user entered matches, an acknowledgment is sent to the
RADIUS 2.0 server.
7. The RADIUS 2.0 server then sends an acknowledgment back to the PortMaster.
8. The PortMaster permits access or terminates the call if the remote user is not authorized.
Setting SDI configuration in the RADIUS user profile
One of the main benefits of Lucent's implementation of SDI is that the authentication method
is transparent to the PortMaster: the RADIUS 2.0 user profile, not the communications server,
determines how a remote user's identity is verified. Following is a sample RADIUS 2.0 user
profile for user name kimf configured for SDI authentication.
Sample RADIUS 2.0 user profile
kimf    Auth-Type = SecurID
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 138.16.135.1,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1500
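The following Python program is an added illustration of the eight-step exchange and of the profile above; it is not Lucent or SDI code. It parses a users file in the Livingston layout shown (check items on the name line, indented reply items), finds the caller's profile and dispatches on Auth-Type: SecurID hands the password to a stand-in ACE/Server, anything else is compared against the local Password item. The users file, the ACE records, the 60-second token window and the passcode arithmetic are all constructed for the example; the real SDI protocol and card algorithm are proprietary and not reproduced.

```python
"""Simulated RADIUS 2.0 authentication path (added example, not Lucent code).
Parses a Livingston-style users file, looks up the caller's profile and
dispatches on its Auth-Type.  The ACE/Server and token code are stand-ins."""
import hashlib
import hmac

# Constructed users file.  Check items share the first line with the user
# name; reply items follow, indented and comma-separated, no comma after
# the last one.
USERS_FILE = """\
kimf    Auth-Type = SecurID
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 138.16.135.1,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1500

bob     Password = "ge55gec"
        User-Service-Type = Login-User,
        Login-Host = 138.16.135.10
"""

# Constructed ACE/Server records: PIN and card seed per user (not real SDI data).
ACE_RECORDS = {"kimf": {"pin": "4321", "seed": "card-seed-0001"}}
TOKEN_PERIOD = 60  # seconds; assumed length of one token-code window


def parse_attr(text):
    """'Framed-MTU = 1500,' -> ('Framed-MTU', '1500'); strips quotes."""
    name, _, value = text.strip().rstrip(",").partition("=")
    return name.strip(), value.strip().strip('"')


def parse_users(text):
    """Return {user: (check_items_dict, reply_items_list)}."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                      # reply item for current user
            profiles[current][1].append(parse_attr(line))
            continue
        parts = line.split(None, 1)               # "user  Check = a, Check = b"
        current = parts[0]
        checks = parts[1] if len(parts) > 1 else ""
        profiles[current] = (
            dict(parse_attr(c) for c in checks.split(",") if c.strip()), [])
    return profiles


def passcode_for(user, now):
    """Stand-in for what a PINPAD card shows after the PIN is keyed in: a
    6-digit code derived from seed, PIN and the current time window.
    This is NOT the SecurID algorithm, only a time-windowed placeholder."""
    rec = ACE_RECORDS[user]
    window = int(now) // TOKEN_PERIOD
    digest = hashlib.sha256(f"{rec['seed']}|{rec['pin']}|{window}".encode()).hexdigest()
    return f"{int(digest, 16) % 1_000_000:06d}"


def ace_verify(user, passcode, now):
    """Stand-in ACE/Server (step 6): accept only the code of the current window."""
    if user not in ACE_RECORDS:
        return False
    return hmac.compare_digest(passcode_for(user, now).encode(), passcode.encode())


def authenticate(profiles, user, password, now):
    """Steps 5-7: return ('Access-Accept', reply_items) or ('Access-Reject', [])."""
    if user not in profiles:
        return "Access-Reject", []
    checks, replies = profiles[user]
    auth_type = checks.get("Auth-Type", "Local")
    if auth_type == "SecurID":          # forward to the ACE/Server
        ok = ace_verify(user, password, now)
    elif auth_type == "Local":          # compare against the Password item
        ok = hmac.compare_digest(checks.get("Password", "").encode(), password.encode())
    else:
        ok = False                      # unknown method: fail closed
    return ("Access-Accept", replies) if ok else ("Access-Reject", [])


if __name__ == "__main__":
    profiles = parse_users(USERS_FILE)
    now = 1_000_000                     # fixed clock so the run is repeatable
    code = passcode_for("kimf", now)
    print(authenticate(profiles, "kimf", code, now))                 # accepted
    print(authenticate(profiles, "kimf", code, now + TOKEN_PERIOD))  # replayed: rejected
```

The second call in the usage shows the property the page relies on: a passcode captured on the line is rejected once the token window has moved on, while bob's static Password item would accept a replay indefinitely.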
Scripting Language Support
The scripting language is a front-end facility that simplifies dial-in network access. With
scripts, network administrators can attach simple text-based menus to a user's profile. The
menu appears on the remote user's screen after a successful login to a PortMaster
Communications Server, and the user then selects from a predetermined list of network
functions. Scripts can also send informational messages or serve as a springboard into an
application, for example a menu selection screen.
All scripts are stored on the RADIUS 2.0 server and can be configured on a per-user
basis.
The sample menu script below illustrates how an ISP could use the scripting language to let
users choose between a SLIP session and a dial-back login. The section between "menu" and
"end" is what appears on the remote user's console. The blocks labelled "1", "2" and "3" hold
the attributes applied when the user selects that item, each block ending with a "#" line;
the "DEFAULT" block covers any other input.
Sample Menu Script
menu
*** Thank you for using ACME Internet Service ***
Please select an option:
1. Start SLIP session
2. Start Dial-back login service
3. Quit
Option:
end
1
        Password = "ge55gec"
        User-Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Address = 192.9.200.130,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1006
#
2
        Password = "ge55ged"
        User-Service-Type = Dialback-Login-User,
        Login-Host = 0.0.0.0,
        Dialback-No = "9,5551212",
        Login-Service = Telnet,
        Login-TCP-Port = 23,
        Termination-Menu = "menu3"
#
3
        Menu = "EXIT"
#
DEFAULT
        Menu = "menu3"
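As an added example (not Lucent code), the Python below parses the menu script format shown above and resolves a caller's keystroke to an action. The page gives only the syntax; the rules applied here are this example's reading of it: the input is matched exactly against an option label, DEFAULT is the fallback, Menu = "EXIT" ends the session, and any other Menu value chains to another menu. The per-option Password items are passed through untouched rather than interpreted.

```python
"""Parser and selector for the RADIUS 2.0 menu script format (added example).
Selection semantics below are this example's assumptions, not the product's
documented behaviour."""

# The sample menu from the page, embedded as a constructed string.
MENU_FILE = """\
menu
*** Thank you for using ACME Internet Service ***
Please select an option:
1. Start SLIP session
2. Start Dial-back login service
3. Quit
Option:
end
1
        Password = "ge55gec"
        User-Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Address = 192.9.200.130,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1006
#
2
        Password = "ge55ged"
        User-Service-Type = Dialback-Login-User,
        Login-Host = 0.0.0.0,
        Dialback-No = "9,5551212",
        Login-Service = Telnet,
        Login-TCP-Port = 23,
        Termination-Menu = "menu3"
#
3
        Menu = "EXIT"
#
DEFAULT
        Menu = "menu3"
"""


def parse_attr(text):
    """'Dialback-No = "9,5551212",' -> ('Dialback-No', '9,5551212')."""
    name, _, value = text.strip().rstrip(",").partition("=")
    return name.strip(), value.strip().strip('"')


def parse_menu(text):
    """Return (display_text, {label: [(attribute, value), ...]})."""
    display, options, in_menu, label = [], {}, False, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "menu":
            in_menu = True
        elif stripped == "end":
            in_menu = False
        elif in_menu:
            display.append(line)                  # shown verbatim to the caller
        elif not stripped or stripped == "#":     # '#' closes the current block
            label = None
        elif line[0] not in " \t":                # unindented: a new option label
            label = stripped
            options[label] = []
        elif label is not None:
            options[label].append(parse_attr(line))
    return "\n".join(display), options


def select(options, user_input):
    """Resolve the caller's keystroke to an action.

    Returns ('exit', None), ('menu', next_menu_name) or ('service', attrs).
    The input is only ever compared against the labels read from the script,
    so arbitrary user text cannot reach a file or attribute lookup."""
    attrs = options.get(user_input.strip(), options.get("DEFAULT", []))
    menu = dict(attrs).get("Menu")
    if menu == "EXIT":
        return "exit", None
    if menu is not None:
        return "menu", menu
    return "service", attrs


if __name__ == "__main__":
    display, options = parse_menu(MENU_FILE)
    print(display)
    for keystroke in ("1", "2", "3", "9"):
        print(keystroke, "->", select(options, keystroke))
```

Anything that is not one of the three labels (a typo, an empty line) falls through to the DEFAULT block and re-displays "menu3", so the caller never receives a service by accident.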
builddbm Utility
builddbm is another newly enhanced feature of RADIUS 2.0. The builddbm utility converts the
users file into an indexed UNIX DBM database so that a user profile is looked up directly by
name instead of by scanning the whole file. It is intended mainly for large sites whose users
file contains thousands of user records.
Enhanced Attribute Support
RADIUS 2.0 offers many new features including:
Idle Time-out
Network administrators can now define how long a user's session may remain idle before the
PortMaster automatically terminates the established call. For ISPs who provide time-based
billing, this feature guarantees call termination and eliminates unwarranted client charges.
It also lets network administrators manage dial-in resources more efficiently: any phone
line that has carried no traffic for the defined period is disconnected and returned to the
dial-in pool for other callers. The idle time limit can be set from 2 minutes to 4 hours.
Session Time-out
Session time-out defines the maximum amount of time a user can be on-line before the
PortMaster terminates an established call. ISPs can use the session time-out feature to limit
the duration of dial-in user sessions, which discourages customers from staying on-line
indefinitely. The session time-out is a variable which can be set from two minutes to one
month. Once this limit is reached the PortMaster automatically disconnects the dial-in user.
Port Limit Support
Port Limit Support is a RADIUS attribute which can be used to limit the maximum number
of dial-in ports that are used for ISDN Multilink PPP or ISDN Multilink V.120 sessions.
This feature is useful to ISPs who wish to restrict which users have access to network
services greater than 64 Kbps.
Single User Name
Single User Name takes full advantage of a prefix/suffix naming convention which allows
RADIUS to identify the type of account while maintaining a single user name in the
RADIUS user database.
In the past, a unique profile was created for each individual user. When a service change
affects a large subscriber base, such as a migration to a different protocol or
authentication method, per-user profiles become a logistical burden. To roll out the new
service, the provider must create duplicate profiles with new user names and passwords and
tell every user their new credentials, and each user must remember a second set of
credentials, which adds confusion and support load for the service provider.
For example, an ISP using SLIP-based service and slowly migrating users to PPP may
create a blanket prefix/suffix account profile. As a result, users who have the new service
can simply use their existing name with a prefix or suffix to indicate that they have selected
a new service. The service provider simply creates one default user profile specifying that
when a user logs in using a prefix (for example "P") and their existing user name, their
session will be authorized for PPP instead of SLIP. If they log in with just their existing user
name, they will be authorized for SLIP.
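The Python below is an added example of the prefix/suffix resolution described above; it is not Lucent code, and the page does not give the syntax RADIUS 2.0 uses for such a DEFAULT profile. The account table, the rule list, the ".ppp" suffix and the second account "Pkarl" are constructed for the example; the page describes only the "P" prefix and the SLIP-to-PPP case. The point worth seeing in code is the ordering rule: an exact account name is matched before any prefix or suffix is stripped, and stripping is accepted only if it yields a real account, so a user whose name happens to begin with "P" is not mistaken for someone else requesting PPP.

```python
"""Single User Name resolution (added example, not Lucent code).
Maps logins such as 'Pkimf' or 'kimf.ppp' back to the one account 'kimf'
and picks the service from the prefix or suffix that was used."""
import hmac

# Constructed account table: one record per real user, as the page intends.
# 'Pkarl' is a genuine user name that merely starts with the PPP prefix.
ACCOUNTS = {"kimf": "ge55gec", "Pkarl": "zz91ta"}

# Constructed DEFAULT-style rules, tried in order after an exact match fails.
# The field names are this example's, not a documented RADIUS 2.0 syntax.
RULES = [
    {"prefix": "P", "service": "PPP"},
    {"suffix": ".ppp", "service": "PPP"},
]
DEFAULT_SERVICE = "SLIP"   # a plain user name keeps the existing service


def resolve(login, accounts=ACCOUNTS, rules=RULES):
    """Return (base_user, service), or None if no account matches.

    An exact account name always wins, so a user really called 'Pkarl' is
    never read as 'karl' with a PPP prefix; a prefix or suffix is stripped
    only when what remains is itself an existing account."""
    if login in accounts:
        return login, DEFAULT_SERVICE
    for rule in rules:
        prefix, suffix = rule.get("prefix", ""), rule.get("suffix", "")
        if prefix and login.startswith(prefix) and len(login) > len(prefix):
            base = login[len(prefix):]
        elif suffix and login.endswith(suffix) and len(login) > len(suffix):
            base = login[: -len(suffix)]
        else:
            continue
        if base in accounts:
            return base, rule["service"]
    return None


def authenticate(login, password, accounts=ACCOUNTS, rules=RULES):
    """Check the password of the underlying account; return the service
    the caller is authorized for, or None on any failure."""
    hit = resolve(login, accounts, rules)
    if hit is None:
        return None
    base, service = hit
    if not hmac.compare_digest(accounts[base].encode(), password.encode()):
        return None
    return service


if __name__ == "__main__":
    for login in ("kimf", "Pkimf", "kimf.ppp", "Pkarl", "PPkarl", "Pnobody"):
        print(f"{login:10} -> {resolve(login)}")
```

Because the password is always that of the underlying account, the user keeps one credential while the prefix or suffix selects the service, which is the administrative saving the page describes.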
Port Type Identification
Port type identification is a RADIUS 2.0 attribute that indicates what type of port is being
accessed. This information is extremely useful for network managers who require statistical
usage data for new network or expanding network planning decisions or for ISPs who
charge differently based on access methods (analog modem versus ISDN). The port
identification attribute indicates whether the port is asynchronous, synchronous, ISDN,
ISDN-V.120 or ISDN-V.110.
ISDN Calling Station and Called Station ID
ISDN calling station and called station ID are RADIUS 2.0 accounting attributes which report
the calling party's phone number, the called party's phone number, or both (where the ISDN
network supplies them) for ISDN dial-in calls. These records provide an audit trail for
checking that only authorized customers are connecting.
Input/Output Octets
Input/Output Octets are accounting attributes which measure the amount of data traffic on a
per-call basis. They are useful for network managers who bill user accounts by usage, that
is, by the amount of data sent, received or both, and for capacity planning.
Product Availability and Pricing
RADIUS 2.0 will be included on the Total Access CD-ROM free of charge
for all new Lucent customers.
RADIUS 2.0 will be made available to all Lucent customers at the end of August 1996.