Cataclysmic Revolution

Document Sample
Cataclysmic Revolution Powered By Docstoc
					Implementing RADIUS AAA
           Phil & Rick
• Terms and Concepts
  •Access Control
  •What is AAA?
  •Benefits of AAA
  •What is RADIUS?
• Microsoft IAS
  •Management Console
• Case Study
  •IAS Configuration
  •Router Configuration
  •Case Study Summary
Terms and Concepts
                  Access Control
• Access control is the way you
  control who is allowed access to
  the network server and what
  services they are allowed to use
  once they have access.
• Authentication, Authorization, and
  Accounting (AAA) provide the
  primary framework through which
  you set up access control on your
  router or access server.
                      What is AAA?
• Authentication, Authorization
  and Accounting
• Authentication
  • Verifies users before they are
    allowed access to the network and
    network services
• Authorization
  • Enables you to limit the services
    available to a user
• Accounting
  • Enables you to track the services that
    users are accessing and the amount
    of network resources they are
                   Benefits of AAA
• AAA provides the following
  •Increased flexibility and control of
   access configuration
  •Standardized authentication methods
   such as RADIUS, TACACS+, and
  •Multiple backup systems
• AAA is designed to enable you to
  dynamically configure the type of
  authentication and authorization
  you want on a per-line (per-user) or
                What is RADIUS?
• Remote Access Dial-in User Service
• Client/Server Protocol
  •Client is typically a NAS
  •Server is usually a daemon process
   running on a Unix or Windows
  •The client passes user information to
   the designated RADIUS servers, and
   acts on the response that is returned
  •RADIUS servers receive user
   connection requests, authenticate the
   user, and then return the
   configuration information necessary
Internet Authentication Service
Internet Authentication Service
• Internet Authentication Service
   • Performs centralized AAA of users who
     connect to the network.
   • Implements the IETF standard RADIUS
• Implementing IAS Overview
   • Configure your server with a static IP address
      • IP Address: (case study)
      • Default Gateway: (case study)
   • Install IAS
   • Create an IAS Management Console (optional)
      • Create users and groups (case study)
      • Edit system log to show IAS events (optional)
   • Configure authentication and accounting
     ports (optional)
   • Configure IAS log (case study)
   • Add a RADIUS client (case study)
   • Creating Remote Access Policies (case study)
                      IAS Installation
• Installing IAS
  •Start > Settings > Control Panel >
   Add/Remove Programs
                 IAS Installation
•Open the Windows Component
 Wizard by clicking Add/Remove
 Windows Components
                  IAS Installation
•Highlight Network Services in the
 Components box and then click details
                   IAS Installation
•Find Internet Authentication Service in
 the Subcomponents of Networking
 Services box
•Check the box to the left of IAS and
 click OK
                IAS Installation
•Click Next
•Click Finish
    IAS Management Console
Creating and Using an IAS Management Console
     IAS Management Console
• Microsoft management consoles
  centralize IAS administration
• Creating an IAS Management
  •Start > Run > mmc
   IAS Management Console
•In the MMC menu bar click Console >
 Add/Remove snap-in
     IAS Management Console
• From the Add/Remove snap-in
  •Click Add
     IAS Management Console
• Adding a Standalone Snap-in
  •Highlight Internet Authentication
   Service Standalone Snap-In
  •Click Add
     IAS Management Console
• Select the computer you want the
  snap-in to manage
  •Select local computer
  •Click Finish
     IAS Management Console
• Add the following standalone
  •Event Viewer
  •Local Users and Groups
     IAS Management Console
• The the management console
  should look like the following
     IAS Management Console
• Configuring the System Log to
  display IAS events (optional)
  •From the IAS Management Console
     • Expand Event Viewer
     • Right Click the System Log File > Properties
IAS Management Console
• Click the filter tab in the system log
• Select IAS from the event source drop
  down box
• Click OK
     IAS Management Console
• Creating Users and Groups in the
  IAS Management Console
  •Expand Local Users and Groups
• Creating Groups
     • Expand Groups
     • Click Action > New Group
     • Add the following groups
         • Router_Admins
         • Internet_Users
• Creating Users
     • Expand Users
     • Click Action > New User
     • Add the following users
         • Administrator member of group
         • I_User member of group
    Case Study
Implementing RADIUS AAA
                       Case Study
You work for a small business and
 would like to implement AAA for
 remote users and telnet sessions.
 Here are the requirements for your
  •Authenticate remote users who are
   members of the group Router_Admins
   and Internet_Users.
  •Authorize Router_Admins for EXEC
   sessions, PPP sessions and telnet.
  •Authorize Internet_Users for PPP
   sessions only.
  •Implement accounting for EXEC
   sessions, PPP sessions, and telnet
                       Case Study
• Objectives
  •Windows 2000 Server Administration
  •Installing Microsoft’s IAS
  •Using the Microsoft Management
  •Configuring AAA
  •Viewing IAS accounting log
• Tools/Preparation
  •1 Windows 2000 Server
  •1 Cisco 1900 Catalyst
  •1 Cisco 2600 Router
  •2 modems and drivers
  •1 PC running Windows 2000


Implementing IAS Overview   IAS Configuration
IAS Installation                   Remote Access
IAS Configuration
                 IAS Configuration
• Configuring IAS Authentication
  and Accounting Ports (optional)
  •IAS uses port 1845, 1645 by default for
   authentication and 1846, 1646 by
   default for accounting.
  •Optional step but by following this
   step we are only opening 2 ports on
   our server instead of 4
  •Open the IAS MC or IAS applet > Right
   Click Internet Authentication Service >
   Click Properties > Click the tab labeled
  •Set the Authentication port to 1645
   and the Accounting port to 1646 >
                      IAS Configuration
• Configuring IAS Accounting
   • Open the IAS MC or IAS applet > click Remote
     Access Logging > Right click Local File >
• Local file properties
   • Select the settings tab > check the following
      • Log Authentication Requests
      • Log Accounting Requests
      • Log Periodic Status
   • Select the Local File tab > check the following
      • Database compatible file format
   • Click OK
   • Note that the log will be saved to
                   IAS Configuration
• Adding a RADIUS client overview
  •Recall that RADIUS is a client/server
  •The RADIUS client is typically, a NAS or
  •The RADIUS server is the machine
   running the RADIUS daemon process,
   which in our case is the IAS server
  •The RADIUS server needs the
   following information about the
   RADIUS client
     • IP Address
     • Security Protocol being used
     • Client-Vendor
     • Shared-Secret (also known as a key)
                  IAS Configuration
• Adding a RADIUS client
  •Open the IAS MC or the IAS applet
  •Expand IAS
  •Right click the folder labeled clients
  •Click new client
                IAS Configuration
• Adding a RADIUS client
  •Enter the hostname of your router and
   select the RADIUS protocol
  •Click Next
                IAS Configuration
• Adding a RADIUS client
  •Enter the IP Address of the RADIUS
  •Select Cisco as the client-vendor
  •Enter a shared-secret (key)
                 IAS Configuration
• Remote Access Policies
  •IAS uses remote access policies to
   authenticate and authorize users
  •Keep in mind that a user may be
   authenticated but not authorized to
   use certain network services (PPP,
   EXEC, telnet).
  •The following is a guide if you trying
   to implement the case study and you
   are having a hard time recreating the
   Remote Access Policies
  •This does not follow the class
   demonstration! But you’ll get the
   same results
                    IAS Configuration
• Remote Access Policies
     • Open the IAS applet or IAS MC
     • Expand IAS
     • Click Remote Access Policies
     • Right click and delete the policy on the
                 IAS Configuration
• Remote Access Policies
  •Right click remote access policies and
   click new remote access policy
                           IAS Configuration
• Remote Access Policies
   • Enter a Policy friendly name
      • In our case we’ll enter “Allow members of the
        group Internet_Users PPP network services”
      • Click next
   • Specifying conditions
      • Click Add
                IAS Configuration
• Remote Access Policies
  •Highlight Windows-Groups click add
  •In the Groups applet click add
  •Highlight the Internet_Users group
   and click add then OK
                IAS Configuration
• Remote Access Policies
  •Add another condition by clicking add
  •Highlight NAS-port-type click add
  •Highlight async(modem) click add
   then click OK
                 IAS Configuration
• Remote Access Policies
  •Your condition should look similar to
   the following screen capture
                IAS Configuration
• Remote Access Policies
  •Click Next
  •Select Grant remote access permission
  •Click Next
  •Click Edit Profile
  •Click the Authentication tab
  •Only check PAP uncheck all other
   authentication methods
  •Click the Advanced tab
  •Service-type should be Framed
  •Framed-Protocol should be PPP
  •Click OK
  •Ok, Now what did we just do?
                      IAS Configuration
• Remote Access Policies
   • We created a remote access policy that said if
     a user accesses the RADIUS client through an
     async port and that user is a member of the
     windows group Internet_Users authorize the
     user to use the framed protocol PPP. Here’s a
     shorten version of the condition
      • Policy Name
          • Allow members of the group
             Internet_Users PPP network service.
      • Windows-Groups
          • Internet_Users
      • NAS-Port-Type
          • Async(modem)
      • Service-Type
          • Framed
      • Framed Protocol
          • PPP
                  IAS Configuration
• Remote Access Policies
  •Create the following remote access
   policies (demo in class)
     • Policy Name
         • Allow members of the group
           Router_Admins PPP network service
           and EXEC session.
     • Windows-Groups
         • Router_Admins
     • NAS-Port-Type
         • Async(modem)
     • Service-Type
         • Administrative
     • Framed Protocol
         • PPP
                   IAS Configuration
• Remote Access Policies
     • Policy Name
         • Allow members of the group
           Router_Admins telnet access.
     • Windows-Groups
         • Router_Admins
     • NAS-Port-Type
         • Virtual(VPN)
     • Service-Type
         • Administrative
Router Configuration
    The RADIUS client
            Router Configuration
• The router is the RADIUS client.
• It must have the same IP address
  that was entered in the IAS RADIUS
  client configuration.
• Here is the router configuration file
  without AAA
            Router Configuration
• We need to know what a method
  list is before we get started with
  the router configuration
    •Method list
     •Defines the type of AAA to be
      performed and the sequence in
      which it will be performed
     •Some types of AAA include
      authentication login, authorization
      exec and others
     •An example of a sequence type is
      checking a server or a local
      database for user information
             Router Configuration
• Here is the final configuration file
  that was demonstrated.

• Demonstration notes and some
  accounting database stuff
RADIUS Case Study
                  Case Study Summary

•   Authentication and Authorization
    1. User initiates PPP authentication to the NAS.
    2. NAS prompts for username and password (if
       PAP) or challenge (if CHAP).
    3. User replies.
    4. RADIUS client sends username and password to
       the RADIUS server.
    5. RADIUS server responds with Accept, Reject, or
    6. The RADIUS client acts upon service parameters
       bundled with Accept or Reject.
             Case Study Summary
• Accounting
  • The NAS sends an Accounting-Request start
    packet to the RADIUS security server
  • The RADIUS security server sends an
    Accounting-Response packet to acknowledge
    the receipt of the Accounting-Request start
  • After the NAS has sent all the accounting info
    it wanted to send, it sends an Accounting-
    Request stop packet. This stop packet
    describes the type of service delivered and
    other optional values.
  • The RADIUS server acknowledges receipt of
    the Accounting-Request stop packet by
    sending an Accounting-Response packet.
  • Search For:
     •   Configuring Authentication
     •   Configuring RADIUS
     •   Configuring TACACS+
     •   Configuring Kerberos
     •   Configuring Authorization
     •   RADIUS Attributes
     •   Configuring Accounting
  • Search For:
     • Dialup Corporate Access
     • Extranet Access for Business Partners
     • Outsourced corporate access through service
     • Configuring IAS for dial-up and VPN access
     • Configuring IAS to outsource dial-up access

Shared By: