Lesson 16: RADIUS Design (Chapter Thirteen)

RADIUS Client/Server Model

RADIUS role | Server type | OS/Platform
Client      | RRAS Server | May not need to know or care what this is
Server      | IAS Server  | Windows 2000 Server
RADIUS Uses
• You’ve outsourced your remote access services, but you want to authenticate users from within your site.
• You have a remote access server on the DMZ, but you want to authenticate from within the private network.
• Your servers are separated by geographic distances.
• The client and server pieces need to be on different platforms and OS architectures.
• You want to encrypt your RAS connections at authentication time by using either IPSec or MPPE tunnels.
Components vs RADIUS Protocol
• Client
  • Provides remote access connectivity
  • Dial-up or VPN access server
  • Provided by RRAS in Win 2000
  • Supports IP, IPX, AppleTalk
• Server
  • Provides authentication, auditing, accounting
  • IAS in Win 2000
RADIUS Sequence
1. RADIUS client receives authentication request
2. RADIUS client forwards user credential and request to RADIUS server
3. RADIUS server authenticates user credentials
4. RADIUS server validates user credentials and sends response to RADIUS client
5. RADIUS client receives response instructing allow or deny and RADIUS attributes
6. Access is granted to the user
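The sequence above, as an added example that is not part of the lesson: a Python model of one Access-Request/Access-Accept exchange using RFC 2865 framing, with the User-Password hiding and the Response Authenticator check that both depend on the RADIUS client and server holding the same shared secret. The user database, names and secret are constructed for the demo and there is no network I/O.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, FRAMED_PROTOCOL = 1, 2, 7      # RFC 2865 attribute types

def password_xor(data, secret, req_auth, hiding):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous hidden block),
    # the random Request Authenticator standing in for the block before the first one
    data = data + b"\0" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i+16], hashlib.md5(secret + prev).digest()))
        prev = block if hiding else data[i:i+16]   # chain on the ciphertext either way
        out += block
    return out

def encode_attrs(attrs):  # each attribute is a type(1) length(1) value TLV
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i+1] >= 2:  # stop on truncated or malformed TLVs
        attrs[data[i]] = data[i+2:i+data[i+1]]
        i += data[i+1]
    return attrs

def client_request(user, password, secret, ident=1):
    # Step 2: the RADIUS client (RRAS) forwards the credentials as an Access-Request
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (USER_PASSWORD, password_xor(password.encode(), secret, req_auth, True))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def server_respond(request, secret, user_db):
    # Steps 3-4: the RADIUS server (IAS) checks its user database and answers with attributes
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    pw = password_xor(attrs[USER_PASSWORD], secret, req_auth, False).rstrip(b"\0")
    ok = user_db.get(attrs[USER_NAME].decode(errors="replace")) == pw
    code, reply = (ACCESS_ACCEPT, [(FRAMED_PROTOCOL, struct.pack("!I", 1))]) if ok else (ACCESS_REJECT, [])
    body = encode_attrs(reply)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def client_decision(response, req_auth, secret):
    # Step 5: the client acts only on a reply that proves knowledge of the shared secret
    code, _, length = struct.unpack("!BBH", response[:4])
    if response[4:20] != hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest():
        return "invalid"
    return "allow" if code == ACCESS_ACCEPT else "deny"
```

A reply signed with a different secret comes back as "invalid" rather than "deny", which is why the shared secret per client matters as much as the user database.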
RADIUS Solutions
• Outsource
  • Reduce the costs associated with dial-up remote access connectivity
  • Provide a single set of logon credentials to the remote users
  • Establish an agreement with the third-party organization that provides the dial-up remote access connectivity
  • Provide enhanced security, such as remote user caller-ID identification or user callback
• In-House
  • Wants to or is willing to centralize the administration of the remote access servers and remote access policies
  • Wants to or is willing to place remote access servers outside the private network or on screened subnets
  • Wants to or is willing to retain ownership of all aspects of the remote access design
  • Doesn't want to establish an agreement with the third-party organization
RADIUS Placement
• RADIUS Clients
  • For dial-up: geographically near the client
  • For VPN: near the Internet connection
• RADIUS Servers
  • When using AD: on the network segment of the DCs
  • Consider putting IAS on DCs
RADIUS Connections
• Each server MUST provide authentication OR accounting to at least one client
• Each client can
  • Use one server for both authentication and accounting
  • Use one server for authentication and one server for accounting
RADIUS Realms
• In Win NT, analogous to a domain
• Any user account database accessible by the RADIUS server for other OSs
• A default realm can be specified
• Use prefix (realm/) or suffix (@realm)
Data Protection
• Preventing unauthorized access
  • Restrict users to resources on the RADIUS client
  • Restrict traffic through the RADIUS client or RAS box
  • Place RADIUS clients or the RAS box in DMZs
Preventing Unauthorized Access (diagram): VPN remote access server allows only HTTP and FTP
Protecting Confidential Data
• Authenticate users
  • Active Directory
  • Windows NT 4 domains
  • Microsoft Commercial Internet System (Passport)
  • Any user database utilized by RADIUS on other OSs

Protecting Confidential Data
• Encrypt the data
  • Between users and remote access servers
    • Independent of the RADIUS client
  • Between remote users and RADIUS clients, and between RADIUS clients and remote access servers
    • Depends on the capability of the RADIUS client

Protecting Confidential Data
• Enforce remote access policies
  • Called RADIUS attributes in the RADIUS design
  • Managed and stored on the RADIUS server
  • Shared by all RADIUS clients
  • Replicated among all RADIUS servers
  • Different on RADIUS servers and RADIUS clients running on non-Win 2000 OSs
RADIUS Design Optimization
• Enhanced availability
  • Distribute clients among several servers
  • Network Load Balancing
• Enhanced performance
  • Improve hardware or add RADIUS servers
  • Use NLB or distribute using RADIUS configuration