Thursday, December 22, 2005

FreeRADIUS III

Picking up where we left off yesterday, we continue our FreeRADIUS trilogy. Today we go hands-on and integrate a Cisco VPN 3000 Concentrator with the FreeRADIUS server.
The Cisco VPN concentrator is the access point through which remote users reach protected network resources, while the FreeRADIUS server acts as the centralized platform that services authentication and accounting requests.
Typical services offered by Internet Service Providers and corporations to their clients are either:
  1. system shell accounts, which give access to the command-line interface of a remote server over rlogin or telnet sessions; or
  2. direct-connect accounts, which use a framed remote-access protocol, usually PPP, to support dial-in for remote, mobile and home users.

RADIUS Protocol

RADIUS (Remote Access Dialin User Service) is defined in IETF RFC 2865 and provides a framework for AAA (Authentication, Authorization and Accounting). It is a connectionless, UDP-based client/server protocol.

In our case the RADIUS client is the VPN Concentrator, which acts as the NAS (Network Access Server). When the NAS receives a user connection request, it forwards it to the FreeRADIUS server.

If the username is found and the password is correct, the FreeRADIUS server returns an Access-Accept response that grants the user access to the resource(s).
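To make this exchange concrete, here is an added Python example (not part of the original post and not FreeRADIUS code) that builds an Access-Request the way a NAS does, recovers the hidden User-Password the way the server does, and checks the Response Authenticator on the Access-Accept before the NAS trusts it. The shared secret, NAS address and credentials are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block).
    'previous' is the Request Authenticator for block 1 and the previous *hidden*
    block afterwards, so hiding and unhiding differ only in which block is kept."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else chunk)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    return _xor_blocks(padded, secret, authenticator, hiding=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator=None):
    """NAS -> server. Returns (packet, request_authenticator); the NAS keeps the latter."""
    authenticator = authenticator or os.urandom(16)
    avps = [(USER_NAME, user.encode()),
            (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
            (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]   # constructed NAS address
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server -> NAS. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def reply_is_authentic(reply, request_authenticator, secret) -> bool:
    """NAS side: an Access-Accept is trusted only if its Response Authenticator verifies."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

The last function is the check that makes the shared secret matter: a reply built without the right secret, or against a different Request Authenticator, fails verification and must not be treated as an Access-Accept.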

RADIUS Attributes and Values

A RADIUS transaction is built around attribute-value pairs (AVPs) passed between client and server; they carry virtually every property and characteristic of the AAA transaction.

For the Cisco VPN Concentrator, vendor-specific attributes are already defined in a dictionary file, dictionary.cisco.vpn3000. The dictionary defines the attribute-value pairs (AVPs) that can be used in our FreeRADIUS configuration: information such as service type, protocol type, the IP address to assign to the user, the access control list (ACL), and so on.

RADIUS Accounting

FreeRADIUS also supports a full-featured accounting protocol subset, which logs session statistics and usage information and is used for authorisation control, billing, trend analysis, resource utilisation and capacity planning.

RADIUS Configuration

We have previously installed our FreeRADIUS server and verified that it works. Now we configure it.

The configuration files are found in the ~/etc/raddb folder.

  1. Configure the server by editing the radiusd.conf file.
  2. Configure the clients by editing the clients.conf file. NAS devices can be grouped by IP subnet, or listed individually by hostname or IP address.
  3. Configure the users by editing the users file. This file contains authentication and configuration information for each user.

RADIUS User Authorisation

Next, we configure the authentication server's AVPs for user authorisation, so that an administrator login request is returned to the NAS after authentication is accepted.

NAS Configuration

Lastly, the NAS configuration. Typically, we work through the following steps:

  1. Enable AAA.
  2. Configure authentication.
  3. Configure authorisation.
  4. Configure accounting, so that accounting records are sent to the RADIUS server.

In summary, I hope I have provided a useful insight into AAA concepts, with a simple scenario for installation and implementation to put the solution into context. The process has been simplified by hiding the details, to give instructions on installing and configuring the RADIUS server as well as configuring the NAS.
