
RADIUS

Book Description

The subject of security never strays far from the minds of IT workers, for good reason. If there is a network with even just one connection to another network, it needs to be secured. RADIUS, or Remote Authentication Dial-In User Service, is a widely deployed protocol that enables companies to authenticate, authorize and account for remote users who want access to a system or service from a central network server. Originally developed for dial-up remote access, RADIUS is now used by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types. Extensible, easy to implement, supported, and actively developed, RADIUS is currently the de facto standard for remote authentication.

RADIUS provides a complete, detailed guide to the underpinnings of the RADIUS protocol, with particular emphasis on the utility of user accounting. Author Jonathan Hassell draws from his extensive experience in Internet service provider operations to bring practical suggestions and advice for implementing RADIUS. He also provides instructions for using an open-source variation called FreeRADIUS.

"RADIUS is an extensible protocol that enjoys the support of a wide range of vendors," says Jonathan Hassell. "Coupled with the amazing efforts of the open source development community to extend RADIUS's capabilities to other applications (Web, calling card security, physical device security such as RSA's SecureID), RADIUS is possibly the best protocol with which to ensure only the people that need access to a resource indeed gain that access."

This unique book covers RADIUS completely, from the history and theory of the architecture around which it was designed, to how the protocol and its ancillaries function on a day-to-day basis, to implementing RADIUS-based security in a variety of corporate and service provider environments.

If you are an ISP owner or administrator, a corporate IT professional responsible for maintaining mobile user connectivity, or a web presence provider responsible for providing multiple communications resources, you'll want this book to help you master this widely implemented but little understood protocol.

Table of Contents

  Preface
    1. Audience
    2. Organization
    3. Conventions Used in This Book
    4. How to Contact Us
    5. Acknowledgments
  1. An Overview of RADIUS
    1. An Overview of AAA
      1. Authentication
      2. Authorization
      3. Accounting
    2. Key Points About AAA Architecture
    3. The Authorization Framework
      1. Authorization Sequences
      2. Roaming
      3. Distributed Services
      4. Policies
      5. Resource and Session Management
    4. And Now, RADIUS
      1. A Brief History
      2. Properties of RADIUS
      3. Limitations of RADIUS
  2. RADIUS Specifics
    1. Using UDP versus TCP
    2. Packet Formats
      1. Code
      2. Identifier
      3. Length
      4. Authenticator
    3. Packet Types
    4. Shared Secrets
    5. Attributes and Values
      1. Attributes
        1. Attribute types
        2. Vendor-specific attributes
      2. Values
      3. Dictionaries
    6. Authentication Methods
      1. PAP
      2. CHAP
      3. Selecting PAP, CHAP, or Other Protocols
    7. Realms
    8. RADIUS Hints
  3. Standard RADIUS Attributes
    1. Attribute Properties
  4. RADIUS Accounting
    1. Key Points in RADIUS Accounting
    2. Basic Operation
      1. More on Proxying
    3. The Accounting Packet Format
      1. Code
      2. Identifier
      3. Length
      4. Authenticator
      5. Reliability of Accounting
    4. Accounting Packet Types
    5. Accounting-specific Attributes
  5. Getting Started with FreeRADIUS
    1. Introduction to FreeRADIUS
    2. Installing FreeRADIUS
      1. The clients File
      2. The naslist File
      3. The naspasswd File
      4. The hints File
      5. The huntgroups File
      6. The users File
      7. The radiusd.conf File
      8. Testing the Initial Setup
    3. In-depth Configuration
      1. Configuring radiusd.conf
      2. Configuring the users File
        1. A sample complete entry
        2. DEFAULT entries
        3. Prefixes and suffixes
        4. Using RADIUS callback
        5. Completely denying access to users
    4. Troubleshooting Common Problems
      1. Linking Errors When Starting FreeRADIUS
      2. Incoming Request Passwords Are Gibberish
      3. NAS Machine Ignores a RADIUS Reply
      4. CHAP Authentication Doesn't Work Correctly
  6. Advanced FreeRADIUS
    1. Using PAM
    2. Proxying and Realms
    3. Using the clients.conf File
    4. FreeRADIUS with Some NAS Gear
      1. Ascend Equipment
      2. Cisco Equipment
      3. Nortel Equipment
      4. 3Com and US Robotics Equipment
    5. Using MySQL with FreeRADIUS
      1. Extending the MySQL Functionality
        1. Realm support
        2. Redundancy with MySQL
    6. Simultaneous Use
      1. When It Goes Pear Shaped
        1. 3Com and US Robotics equipment
        2. Ascend equipment
        3. Cisco equipment
    7. Monitoring FreeRADIUS
  7. Other RADIUS Applications
    1. RADIUS for Web Authentication
      1. The Functionality
      2. Configuring the Module
      3. Using Challenge-Response with mod_auth_radius
      4. Limitations of the Module
    2. Using the LDAP Directory Service
      1. Configuring FreeRADIUS to Use LDAP
      2. Configuring CommuniGate Pro for LDAP Use
    3. Parsing RADIUS Accounting Files
      1. Generating Reports
        1. Example reports
      2. Using RadiusSplit
  8. The Security of RADIUS
    1. Vulnerabilities
      1. MD5 and the Shared Secret
      2. The Access-Request Packet
      3. The User-Password Cipher Scheme
      4. The User-Password Shared Secret
      5. The User-Password Attribute and Password Attacks
      6. Attacks Using the Request Authenticator
        1. Repeated request authenticators and the User-Password attribute
        2. Shared secrets
    2. The Extensible Authentication Protocol
    3. Compensating for the Deficiencies
    4. Modifying the RADIUS Protocol
  9. New RADIUS Developments
    1. Interim Accounting Updates
    2. The Apple Remote Access Protocol
    3. The Extensible Authentication Protocol
      1. Examples of an EAP Conversation
      2. Potential Uses
    4. Tunneling Protocols
    5. New Extensions Attributes
  10. Deployment Techniques
    1. Typical Services
      1. System Shell Accounts
      2. Direct Connect Accounts
    2. RADIUS and Availability
      1. Determining Normal System Behavior
        1. Explicit requirements
        2. Derived requirements
      2. Points of Failure
      3. Planning to Fail
      4. Proactive System Management
      5. Case Studies in Deployment and Availability
        1. Scenario 1: A small, regional ISP
        2. Scenario 2: A corporation with branch offices
    3. Other Things RADIUS
      1. Other RADIUS Servers
      2. RADIUS Tools
  A. Attribute Reference
  Index
  About the Author
  Colophon
  Copyright