Remote Authentication Dial In User Service Security and Accounting Server
(RADIUS 2.0)


Product Overview

Remote Authentication Dial In User Service version 2.0 (RADIUS 2.0) is the latest release of Lucent's RADIUS Security and Accounting Server. RADIUS 2.0 adds authentication with Security Dynamics, Inc. (SDI) SecurID cards and ACE/Server, a scripting language for per-user login menus, and enhanced attribute support.

Key Features and Benefits

RADIUS 2.0 Security Options

RADIUS 2.0 offers several ways to secure remote LAN access: a local password database, dial-back, PAP and CHAP, and third-party authentication servers such as SDI SecurID cards with ACE/Server. Because RADIUS 2.0 keeps a unique profile for each user, the authentication method is selected per user rather than per port or per server, which is what makes the approach flexible.

Security Dynamics Support

SDI is a third-party authentication system built from token-generating cards and an authentication server called ACE/Server. At login, the remote user enters a Personal Identification Number (PIN) together with the one-time code generated by the card. This is considered stronger than a static, memorized password because it is a two-factor process: the user must know the PIN and must physically possess the token, and because each card-generated code is usable only once, a passcode observed in transit cannot simply be replayed.

How Security Dynamics Works

An example of a remote LAN access network is shown in Figure 1 below and described step by step. The components are: a remote laptop user with a modem and a SecurID card, the PortMaster Communications Server, a RADIUS 2.0 Security and Accounting Server, and the SDI ACE/Server.

[Figure 1: RADIUS diagram]

1. A connection is initiated by the remote laptop user dialing into the PortMaster.

2. The PortMaster prompts the remote user for his login ID and password.

3. The user enters his login ID. With a SecurID PINPAD card he then keys his private PIN into the card and sends the resulting passcode as his password.

4. The PortMaster forwards this information to the RADIUS 2.0 Server for authentication.

5. The RADIUS 2.0 server looks into its user database for the profile of the remote user. It looks to see what type of security should be used, and in this case, finds SecurID as the authentication method. The RADIUS 2.0 server forwards the login ID name and password to the ACE/Server for authentication.

6. The ACE/Server performs its own lookup of the remote user, identifies the serial number of the SecurID card assigned to that user, and computes the expected code to verify that the remote user is who he claims to be. If the verification succeeds, an acknowledgment is sent to the RADIUS 2.0 server.

7. The RADIUS 2.0 server then sends an acknowledgment back to the PortMaster.

8. The PortMaster permits access or terminates the call if the remote user is not authorized.
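The exchange in steps 4 through 8, as an added example that is not part of the original page or of Lucent's RADIUS 2.0 code. It builds a real RADIUS Access-Request (User-Name plus a User-Password hidden under the PortMaster/RADIUS shared secret as the RADIUS RFCs specify), has a simulated server dispatch on the profile's Auth-Type the way step 5 describes, and checks the Response Authenticator on the reply the way the PortMaster must. The shared secret, the PROFILES table and the AceServerStandIn class (an HMAC-based one-time-code verifier that accepts each code once) are assumptions standing in for the site's users file and for the proprietary SecurID algorithm, which this code does not implement.

```python
"""Added example, not Lucent RADIUS 2.0 code: one Access-Request / Access-Accept
exchange for a SecurID-style login, following steps 4-8 above.  Packet layout,
User-Password hiding and the Response Authenticator follow RFC 2865 (RFC 2058 in
1996).  The tokencode is a constructed HMAC stand-in for the proprietary SecurID
algorithm; PROFILES stands in for the users file; the secret is made up."""
import hashlib, hmac, os, struct

SHARED_SECRET = b"portmaster-secret"            # PortMaster <-> RADIUS secret (constructed)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_PROTOCOL = 1, 2, 7   # RADIUS attribute type codes
FRAMED_PROTOCOL_VALUES = {"PPP": 1, "SLIP": 2}
PROFILES = {                                    # Auth-Type decides the check (step 5)
    "kimf": {"Auth-Type": "SecurID", "Framed-Protocol": "PPP"},
    "bob": {"Auth-Type": "Local", "Password": "ge55gec", "Framed-Protocol": "SLIP"},
}

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chaining value is the hidden block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, pad))
    return out.rstrip(b"\x00")

def attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type byte, length byte, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse(pkt):
    """Split a RADIUS packet into code, identifier, authenticator and {type: value}."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, body, found = pkt[4:20], pkt[20:length], {}
    while len(body) >= 2 and body[1] >= 2:      # stop on truncated or zero-length TLVs
        found[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return code, ident, auth, found

class AceServerStandIn:
    """Constructed one-time-passcode verifier in the role of ACE/Server (step 6):
    tokencode = HMAC(seed, time window), accepted at most once per window."""
    def __init__(self, seeds, pins, window=60):
        self.seeds, self.pins, self.window = seeds, pins, window
        self.used = set()                       # (user, window) pairs already accepted

    def tokencode(self, user, now):
        msg = struct.pack("!Q", int(now) // self.window)
        mac = hmac.new(self.seeds[user], msg, hashlib.sha1).digest()
        return "%06d" % (int.from_bytes(mac[-4:], "big") % 1000000)

    def verify(self, user, passcode, now):
        if user not in self.seeds:
            return False
        expected = (self.pins[user] + self.tokencode(user, now)).encode()
        key = (user, int(now) // self.window)
        if key in self.used or not hmac.compare_digest(passcode, expected):
            return False
        self.used.add(key)                      # burn it: a passcode is good exactly once
        return True

def radius_server(request, ace, now):
    """Steps 5-7: recover the password, dispatch on Auth-Type, sign the reply."""
    code, ident, req_auth, a = parse(request)
    user = a.get(USER_NAME, b"").decode("ascii", "replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    profile = PROFILES.get(user)
    if code != ACCESS_REQUEST or profile is None:
        ok = False
    elif profile["Auth-Type"] == "SecurID":
        ok = ace.verify(user, password, now)    # hand PIN+tokencode to the ACE/Server role
    else:
        ok = hmac.compare_digest(password, profile["Password"].encode())
    reply, body = ACCESS_REJECT, b""
    if ok:
        proto = struct.pack("!I", FRAMED_PROTOCOL_VALUES[profile["Framed-Protocol"]])
        reply, body = ACCESS_ACCEPT, attrs([(FRAMED_PROTOCOL, proto)])
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", reply, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + SHARED_SECRET).digest() + body

def portmaster_login(user, password, ace, now, ident=1):
    """Steps 4 and 8: hide the password, send Access-Request, check the reply's signature."""
    req_auth = os.urandom(16)
    body = attrs([(USER_NAME, user.encode()),
                  (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth))])
    request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    reply = radius_server(request, ace, now)
    code, rid, resp_auth, _ = parse(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SHARED_SECRET).digest()
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        return "reject"                         # unsigned or mismatched reply: hang up
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

Calling portmaster_login("kimf", passcode, ace, now) twice with the same passcode returns "accept" and then "reject": the stand-in ACE/Server burns each (user, window) after one success, which is the property that makes a sniffed passcode worthless. The hiding step is only as strong as the shared secret and the path between PortMaster and RADIUS server; it is obfuscation keyed with that secret, not encryption of the link.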

Setting SDI configuration in the RADIUS user profile

One of the main benefits of Lucent's implementation of SDI is that the authentication method is transparent to the PortMaster: the RADIUS 2.0 user profile, not the communications server, determines how a remote user's identity is verified. Following is a sample RADIUS 2.0 user profile for user name kimf configured for SDI authentication.

Sample RADIUS 2.0 user profile

kimf	Auth-Type = SecurID
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 138.16.135.1,
	Framed-Netmask = 255.255.255.0,
	Framed-Routing = None,
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Framed-MTU = 1500

Scripting Language Support

The scripting language is a front-end facility that simplifies dial-in network access. With scripts, network administrators can attach simple text-based menus to a user's profile. The menu appears on the remote user's screen after a successful login to a PortMaster Communications Server, and the user then selects from a predetermined list of network functions.

Scripts can also be used to display notification (informational) messages, or as an application springboard, that is, a menu from which the user selects a service.

All scripts are stored on the RADIUS 2.0 server and can be configured on a per-user basis.

The sample menu script below shows how an ISP could use the scripting language to let users choose between a SLIP session and dial-back login service. The section between "menu" and "end" is what appears on the remote user's console. The entries numbered "1" to "3" hold the attributes applied according to which item the remote user selects.


Sample Menu Script

menu
*** Thank you for using ACME Internet Service ***

Please select an option:

1. Start SLIP session
2. Start Dial-back login service
3. Quit

Option:

end

1
	Password = "ge55gec"
	User-Service-Type = Framed-User,
	Framed-Protocol = SLIP,
	Framed-Address = 192.9.200.130,
	Framed-Netmask = 255.255.255.0,
	Framed-Routing = None,
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Framed-MTU = 1006
#
2
	Password = "ge55ged"
	User-Service-Type = Dialback-Login-User,
	Login-Host = 0.0.0.0,
	Dialback-No = "9,5551212",
	Login-Service = Telnet,
	Login-TCP-Port = 23,
	Termination-Menu = "menu3"
#
3
	Menu = "EXIT"
# DEFAULT Menu = "menu3"

builddbm Utility

builddbm is another enhanced feature of RADIUS 2.0. The builddbm utility converts the users file into a UNIX DBM (hashed) database so that profile lookups are indexed rather than read sequentially through the text file. It is mainly used at large sites whose user file contains thousands of records.

Enhanced Attribute Support

RADIUS 2.0 offers many new features including:

Idle Time-out

Network administrators can now define how long a user's session may sit idle before the PortMaster terminates the call. For ISPs that bill by connect time, this guarantees that an abandoned call is torn down rather than billed to the customer. It also lets administrators manage dial-in resources more efficiently: a phone line that has carried no traffic for the defined period is disconnected and returned to the dial-in pool for other callers. The idle time limit can be set from 2 minutes to 4 hours.

Session Time-out

Session time-out defines the maximum time a user can stay on-line before the PortMaster terminates the established call. ISPs can use it to cap the duration of dial-in sessions, which discourages customers from staying connected indefinitely. The session time-out can be set from two minutes to one month; once the limit is reached, the PortMaster disconnects the dial-in user automatically.

Port Limit Support

Port Limit Support is a RADIUS attribute that caps the number of dial-in ports a user may bundle into an ISDN Multilink PPP or ISDN Multilink V.120 session. It is useful to ISPs that want to restrict which users can obtain more than 64 Kbps, that is, more than a single B channel.

Single User Name

Single User Name uses a prefix/suffix naming convention that lets RADIUS identify the type of account being requested while keeping a single user name per subscriber in the RADIUS user database.

In the past, a unique user profile was created for each individual. When a service change is rolled out to a large subscriber base, such as a migration to a different protocol or authentication method, unique profiles become a logistical burden: the provider must create duplicate profiles with new user names and passwords and inform each user of the new authentication information, and the user must remember a whole new set of credentials, which increases confusion and the provider's support load.

For example, an ISP running a SLIP-based service and slowly migrating users to PPP can create a blanket prefix/suffix account profile. Users who have the new service simply use their existing name with a prefix or suffix that indicates the service they have selected. The provider creates one default user profile specifying that when a user logs in with a prefix (for example "P") in front of their existing user name, the session is authorized for PPP instead of SLIP; logging in with the existing user name alone still yields SLIP.
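A parser for the users-file layout shown in the sample profile above, extended with the Single User Name prefix/suffix lookup just described, as an added example (not Lucent's code). The file format follows the sample entry: a user name, whitespace, comma-separated check items on the first line, indented reply items on the lines after it, and a blank line between entries. The prefix/suffix semantics are an assumption modelled on the paragraph above rather than verified against the product: a DEFAULT entry with a Prefix (or Suffix) check item matches logins that wrap an existing user name in that affix, the base user's own Password or Auth-Type does the authenticating, and the DEFAULT's reply items (here Framed-Protocol = PPP) set the service. USERS_FILE, the user joe and his password are constructed.

```python
"""Added example, not Lucent's code: a parser for the RADIUS 2.0 users-file
layout shown in the sample profile (name, check items, indented reply items,
blank line between entries) plus the Single User Name prefix/suffix lookup.
The prefix/suffix semantics are an assumption modelled on the description
above, not verified against the product; USERS_FILE is constructed."""
import hmac
import re

USERS_FILE = """\
# constructed sample in the users-file style; not a real site's file
kimf\tAuth-Type = SecurID
\tUser-Service-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-Address = 138.16.135.1,
\tFramed-Netmask = 255.255.255.0,
\tFramed-Compression = Van-Jacobsen-TCP-IP,
\tFramed-MTU = 1500

joe\tPassword = "ge55gec"
\tUser-Service-Type = Framed-User,
\tFramed-Protocol = SLIP,
\tFramed-Address = 192.9.200.130,
\tFramed-Netmask = 255.255.255.0,
\tFramed-MTU = 1006

DEFAULT\tPrefix = "P"
\tUser-Service-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-MTU = 1500
"""

ITEM = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')   # Attribute = Value, value may be quoted

def parse_items(text):
    """Turn 'A = x, B = "y,z"' into {'A': 'x', 'B': 'y,z'}; quoted values may hold commas."""
    return {k: v.strip().strip('"') for k, v in ITEM.findall(text)}

def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            if cur and not raw.strip():              # a blank line closes the entry
                entries.append(cur)
                cur = None
            continue
        if raw[0] not in " \t":                      # header: name, whitespace, check items
            if cur:
                entries.append(cur)
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            cur = (parts[0], parse_items(parts[1] if len(parts) > 1 else ""), {})
        elif cur:                                    # indented continuation: reply items
            cur[2].update(parse_items(raw))
    if cur:
        entries.append(cur)
    return entries

def resolve(entries, login):
    """Exact entry first; otherwise a DEFAULT entry whose Prefix or Suffix wraps an
    existing user name (assumed semantics).  Returns (base_user, check_items,
    reply_items) or None: the base user's check items authenticate, the DEFAULT's
    reply items decide the service."""
    named = {n: (c, r) for n, c, r in entries if n != "DEFAULT"}
    if login in named:
        return (login,) + named[login]
    for name, check, reply in entries:
        if name != "DEFAULT":
            continue
        pre, suf = check.get("Prefix", ""), check.get("Suffix", "")
        if pre and login.startswith(pre) and login[len(pre):] in named:
            base = login[len(pre):]
        elif suf and login.endswith(suf) and login[:-len(suf)] in named:
            base = login[:-len(suf)]
        else:
            continue
        return base, named[base][0], reply
    return None

def authenticate(entries, login, password, token_check=lambda user, passcode: False):
    """Return the reply items on success, None on failure.  SecurID entries go to
    token_check (the ACE/Server role); Password entries are compared locally."""
    found = resolve(entries, login)
    if found is None:
        return None
    base, check, reply = found
    if check.get("Auth-Type") == "SecurID":
        ok = token_check(base, password)
    elif "Password" in check:
        ok = hmac.compare_digest(check["Password"].encode(), password.encode())
    else:
        ok = False                                   # no usable check item: never accept
    return dict(reply) if ok else None
```

With this file, joe logging in as "joe" gets the SLIP reply items from his own entry, "Pjoe" authenticates with joe's stored password but receives the DEFAULT entry's PPP reply items, and "Pnobody" is rejected because no base user exists to strip the prefix from. The same attribute syntax appears in the numbered selections of the menu script, so parse_items applies there too.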

Port Type Identification

Port type identification is a RADIUS 2.0 attribute that reports what type of port a call arrived on. This is valuable to network managers who need usage statistics for planning new or expanding networks, and to ISPs that charge differently by access method (analog modem versus ISDN). The attribute indicates whether the port is asynchronous, synchronous, ISDN, ISDN-V.120 or ISDN-V.110.

ISDN Calling Station and Called Station ID

ISDN calling station and called station ID are RADIUS 2.0 accounting attributes that report the calling party's phone number, the called party's phone number, or both (where supported) for ISDN dial-in. The record can be used as an audit trail to confirm that sessions originate from the numbers expected for each customer. Because the calling number is supplied by the telephone network and may be withheld or unavailable, it is an audit aid and not a substitute for authentication.

Input/Output Octets

Input/Output Octets are accounting attributes that measure the amount of data transferred on a per-call basis: sent, received, or both. They are useful for network managers who bill user accounts by usage and for capacity planning.
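Putting the three accounting attributes above to work, as an added example that is not Lucent's code: it reads records in the style of the RADIUS accounting detail file (a date line, one indented "Attribute = Value" per line, a blank line between records), totals octets and connect time per user for usage billing, breaks traffic down by port type, and runs the calling-number audit the previous section describes, including the case where the network delivered no number. DETAIL is a constructed sample; the attribute names are the standard RADIUS accounting names (NAS-Port-Type, Calling-Station-Id, Acct-Input-Octets and so on), assumed to match what RADIUS 2.0 writes.

```python
"""Added example, not Lucent's code: reading accounting records in the style of
the RADIUS detail file (date line, indented "Attribute = Value" lines, blank line
between records) and using port type, calling number and octet counts for billing,
statistics and a calling-number audit.  DETAIL is a constructed sample; the
attribute names are the standard RADIUS accounting names (an assumption here)."""
from collections import defaultdict

DETAIL = """\
Mon Aug 19 14:02:10 1996
\tAcct-Session-Id = "2A000017"
\tUser-Name = "kimf"
\tNAS-Port-Type = ISDN
\tCalling-Station-Id = "6175551234"
\tAcct-Status-Type = Start

Mon Aug 19 14:47:32 1996
\tAcct-Session-Id = "2A000017"
\tUser-Name = "kimf"
\tNAS-Port-Type = ISDN
\tCalling-Station-Id = "6175551234"
\tCalled-Station-Id = "6175550100"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 2722
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 7340032

Mon Aug 19 15:01:05 1996
\tAcct-Session-Id = "2A000018"
\tUser-Name = "joe"
\tNAS-Port-Type = Async
\tCalling-Station-Id = "2125559876"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 600
\tAcct-Input-Octets = 20480
\tAcct-Output-Octets = 512000

Mon Aug 19 15:10:00 1996
\tAcct-Session-Id = "2A000019"
\tUser-Name = "kimf"
\tNAS-Port-Type = ISDN
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 30
\tAcct-Input-Octets = 100
\tAcct-Output-Octets = 100
"""

NUMERIC = {"Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets"}

def parse_detail(text):
    """Return one dict per record: 'timestamp' plus each attribute (counters as ints)."""
    records, cur = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":                       # unindented line: record timestamp
            cur = {"timestamp": raw.strip()}
            records.append(cur)
        elif cur is not None and "=" in raw:
            key, _, value = raw.partition("=")
            key, value = key.strip(), value.strip().strip('"')
            cur[key] = int(value) if key in NUMERIC and value.isdigit() else value
    return records

def usage_per_user(records):
    """Bill on Stop records only: sessions, connect seconds, octets in and out."""
    usage = defaultdict(lambda: {"sessions": 0, "seconds": 0, "in": 0, "out": 0})
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        u = usage[r.get("User-Name", "?")]
        u["sessions"] += 1
        u["seconds"] += r.get("Acct-Session-Time", 0)
        u["in"] += r.get("Acct-Input-Octets", 0)
        u["out"] += r.get("Acct-Output-Octets", 0)
    return dict(usage)

def octets_by_port_type(records):
    """Traffic per access method, for ISPs that price analog and ISDN differently."""
    totals = defaultdict(int)
    for r in records:
        if r.get("Acct-Status-Type") == "Stop":
            octets = r.get("Acct-Input-Octets", 0) + r.get("Acct-Output-Octets", 0)
            totals[r.get("NAS-Port-Type", "?")] += octets
    return dict(totals)

def audit_calling_numbers(records, allowed):
    """One finding per session: a calling number not on the user's list, or no number
    at all (the network may withhold it), which this audit cannot vouch for."""
    findings, flagged = [], set()
    for r in records:
        session, user = r.get("Acct-Session-Id"), r.get("User-Name", "?")
        if session in flagged:
            continue
        number = r.get("Calling-Station-Id")
        if number is None:
            reason = "no calling number delivered"
        elif number not in allowed.get(user, ()):
            reason = "unexpected calling number " + number
        else:
            continue
        findings.append((session, user, reason))
        flagged.add(session)
    return findings
```

On the sample, kimf's two Stop records total 1048676 octets in and 7340132 out over 2752 seconds, session 2A000018 is flagged because joe called from a number not on his list, and session 2A000019 is flagged separately as unauditable because no calling number arrived, which is the case to watch when using this attribute as a control.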

Product Availability and Pricing

RADIUS 2.0 will be included on the Total Access CD-ROM free of charge for all new Lucent customers. RADIUS 2.0 will be made available to all Lucent customers at the end of August 1996.