Overview

Introduction to RADIUS

The Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol created by Livingston Enterprises. Security information is stored in a central location, known as the RADIUS server. RADIUS clients (such as a PortMaster communications server) communicate with the RADIUS server to authenticate users. Although the term RADIUS refers to the network protocol that the client and server use to communicate, it is often used to refer to the entire client/server system.

RADIUS offers the following advantages:

Tight security

In large networks, security information may be scattered throughout the network on different devices. RADIUS allows user information to be stored on one host, minimizing the risk of security loopholes. All authentication and access to network services is managed by the host functioning as the RADIUS server.

Flexibility

RADIUS server software is distributed in source code format to Livingston customers. Using modifiable "stubs," RADIUS can be adapted to work with existing security systems and protocols. The RADIUS server may be adapted to your network, rather than adjusting your network to work with RADIUS. RADIUS may be used with any communications server that supports the RADIUS protocol. When new security technology becomes available or security needs increase, RADIUS may be expanded to offer new services.

Simplified management

Security information is stored in text files at a central location, the RADIUS server. Adding new users to the database or modifying existing user information can be easily accomplished by editing these text files.

Extensive logging capabilities

RADIUS provides extensive audit trail capabilities, referred to as RADIUS accounting. Information collected in a log file can be analyzed for security purposes, or used for billing.

Platforms

The RADIUS server is available for the following operating systems:

How RADIUS Works

The three main functions of RADIUS are authentication, authorization, and accounting.

Authentication

RADIUS is used to authenticate users for dial-in remote access. Authentication information may be stored in a local users file or accessed from external authentication mechanisms such as a UNIX password file or SecurID ACE/Server.

For example, user bob may attempt to log into a PortMaster. The following authentication sequence would take place:

  1. The PortMaster asks bob for his username and password, then compares the username/password pair to the PortMaster User Table.
  2. If the username is not found in the User Table and security for the port is set to on, the PortMaster sends an access-request message to the RADIUS server, if one is defined. This message asks the RADIUS server to authenticate the user.
  3. The RADIUS server checks its database to determine if user bob is present. In order for bob's login to be successful, a matching username and password must be found in the RADIUS database.
  4. If a matching password is found in the RADIUS users file, the RADIUS server sends an access-accept message to the PortMaster, which lets the PortMaster know that bob has been successfully authenticated. It also sends authorization information about the services bob may access and configuration information about his connection.
  5. If a matching password is not found in the RADIUS users file, the RADIUS server sends an access-reject packet, which lets the PortMaster know that the authentication attempt has failed. The PortMaster prevents bob's connection attempt.

Authorization

Authorization controls access to specific services on the network. Once a user is authenticated, RADIUS tells the PortMaster what a user is authorized (permitted) to access. For example, user bob may be authorized to use PPP for his connection, use IP address 192.168.200.4, and use packet filter std.ppp.

Accounting

RADIUS accounting permits system administrators to track dial-in use. This information is often used for billing purposes. See "RADIUS Accounting" for more information.

Enhancements

RADIUS version 2.0 provides the following enhancements:

Menus

When RADIUS menus are used, users are presented with a list of login options after they are authenticated. The RADIUS administrator may customize menus, including "chaining" one menu to other menus. See "RADIUS Menus" for more details.

SecurID

SecurID authentication is based on Security Dynamics' token technology, which authenticates users using a patented time-synchronization method.

The RADIUS 2.0 server can forward some or all authentication requests to a SecurID ACE/Server running on the same host as the RADIUS server.

For more information, see "RADIUS Server Configuration" and "SecurID Installation."

builddbm utility

RADIUS 2.0 includes a utility named builddbm, which increases the speed of user look-up by converting the users file to the UNIX DBM format. Livingston recommends the use of the builddbm utility when the users file contains more than 500 users. See "RADIUS DBM Database" for more details.

Prefix/Suffix

Prefixes and Suffixes allow a user to access multiple accounts by prepending or appending a string of characters defined by the administrator to the username.

Session-Timeout

The Session-Timeout reply item specifies the time limit for a session. Session-Timeout is specified as a particular number of seconds, up to a maximum of 31536000 (1 year).

Idle-Timeout

The Idle-Timeout reply item controls the maximum time that a session may be idle before it is disconnected. Idle-Timeout is specified as a number of seconds between 120 (2 minutes) and 14400 (4 hours).

Port-Limit

The Port-Limit reply item controls the maximum number of ports available for a Multilink PPP or Multilink V.120 connection. Port-Limit only applies to ISDN connections; other connection types are not affected by this setting.

NAS-Port-Type

The NAS-Port-Type check item restricts the type of port. The user may use one of the following port types: asynchronous, synchronous, ISDN, ISDN-V120, or ISDN-V110.

Getting Started

Select a UNIX host to use as the RADIUS server. Choose a host with the following characteristics:

Livingston recommends the use of a secondary RADIUS server. The primary RADIUS server is always queried first; if the server does not respond, it is queried a second time, then both the primary and secondary servers are queried up to eight times at three-second intervals until one responds or 30 seconds elapses without a response.

The RADIUS accounting server may be located on the same host as the RADIUS server used for authentication, or on a separate host. A secondary accounting server can be defined; the secondary server serves as a backup in the event that the primary server cannot be contacted.

Each PortMaster using RADIUS and its RADIUS server(s) share an authentication key of up to 15 alphanumeric characters called the shared secret. The shared secret must be configured on each RADIUS server and the PortMaster. It is stored as clear text in the clients file on the RADIUS server and in the nonvolatile memory of the PortMaster. Each PortMaster may share a different secret with the RADIUS servers, or multiple PortMasters may share the same secret.
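The authentication exchange from "How RADIUS Works" (an access-request answered by access-accept or access-reject) and the shared secret just described, as an added example that is not Livingston's code: it builds the RFC 2865 packets, hides the User-Password under the shared secret and the Request Authenticator, and lets the client check the Response Authenticator on the reply. The users file is stood in for by a constructed dictionary, and the secret and user bob's password are made-up values.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types
USERS_DB = {b"bob": b"s3cret"}  # constructed stand-in for the server's users file

def xor_chain(data, secret, req_auth, hiding):
    # RFC 2865 s5.2: each 16-byte chunk is XORed with MD5(secret + previous hidden chunk),
    # the first chunk with MD5(secret + Request Authenticator).
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, (chunk if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):  # NUL-pad to a multiple of 16, then hide
    return xor_chain(password + b"\0" * (-len(password) % 16) or b"\0" * 16, secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):
    return xor_chain(hidden, secret, req_auth, False).rstrip(b"\0")

def build_packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")  # never loop forever or read past the packet
        attrs[t], i = packet[i + 2:i + l], i + l
    return attrs

def access_request(ident, username, password, secret):
    req_auth = os.urandom(16)  # PortMaster side: fresh random Request Authenticator per request
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def radius_server(packet, secret, users=USERS_DB):
    # Server side: reveal the password, look the user up, answer Access-Accept or Access-Reject.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[:length])
    revealed = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(users.get(attrs.get(USER_NAME), b""), revealed)
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return hdr + hashlib.md5(hdr + req_auth + secret).digest()  # Response Authenticator (s3)

def verify_reply(reply, request, secret):  # client side: is this reply bound to our request and secret?
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```

A PortMaster that skips the verify_reply step would accept any packet with code 2 as a successful login, which is why the shared secret must be known to both ends and kept out of reach of anyone who can inject UDP toward the client.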

To configure the RADIUS server, continue to "RADIUS Server Configuration." To configure a PortMaster to use RADIUS, see "RADIUS Client Configuration." For more information on RADIUS accounting see "RADIUS Accounting."




© Copyright 1996, Livingston Enterprises, Inc. Revised Friday September 25, 1998 17:29 PDT