Presentation on theme: "Preside Radius Preside Radius."— Presentation transcript:

1 Preside Radius

2 Main Menu
- Introduction and Overview
- Installation and Configuration
- Monitoring and Logging
- External Data Storage: LDAP, SQL
- Authentication
- Accounting
- Proxy RADIUS
- Troubleshooting and Logging
- Other Features
- LCI

3 Introduction and Overview

4 Steel-Belted Radius: Lab Objectives
First Delivered January 10-14, 2000

Funk Software
- Software developer and publisher
- Founded 1982
- Headquarters: Cambridge, MA
- European operations: Paris, France
- Product focus: access, security, communications

Notes: Paul Funk is the owner. Started in 1982 with Sideways, which was bought by Lotus and then IBM. Since then, developed other communications and networking applications such as Appmeter, Wanderlink, Proxy and Preside Radius (~1995, 1996?), and developed a feature-rich version of the basic product: Preside Radius (~1998, 1999?). Funk Software is a privately-owned company. We're growing at a sustained rate for Strong support and maintenance staff; offer different levels of support service. Also provide support for evaluation versions of software as well.

Student Notes and Workbook

5 Preside Radius ...the short version
- 100% fully IETF compliant RADIUS server
- Easy administration GUI
- Powerful, flexible accounting
- Leverages existing SQL/LDAP databases
- SecurID authentication
- LDAP configuration interface
- Load balancing
- Concurrent access limits

Notes: Remote Authentication Dial-In User Service, or RADIUS, is the standard for centralizing the authentication, authorization and accounting of remote access users. Briefly, here's how RADIUS works: when a user dials in to a remote access server, that server communicates with the central RADIUS server to determine if the user is authorized to connect to the LAN. The RADIUS server performs the authentication and responds with the result, either an accept or a reject. If the user is accepted, the remote access server routes the user onto the network; if not, the RAS will terminate the user's connection. The RADIUS server also provides accounting services, if the remote access server can support this. With RADIUS, a network manager need only maintain a single, central database against which all dial-in authentication happens. This greatly eases the management burden associated with administering large numbers of dial-in users.

6 RADIUS RFCs
- Internet Engineering Task Force web site
- Began as "Request For Comments"; status now "Standards Track"
- /rfc/rfc2865.txt - RADIUS Authentication
- /rfc/rfc2866.txt - RADIUS Accounting
- All standard attributes defined here
- Both RFCs are dated June 2000
- Previous RFCs (2138, 2139) are dated April 1997

Notes: This means that we communicate using the language specified in these documents. Any RADIUS client or server must communicate using these standards, or they are not compliant. With the new 1.5 release, Preside Radius will be 100% fully compliant with these new standards.

7 Basic RADIUS Authentication Transaction
Diagram labels: User; NAS Device (RADIUS client); RADIUS Server (Preside Radius); Access request.

Notes: A remote user needs to gain access to some aspect of a network. To accomplish this, there are three basic components: the user, the network control device (NAS/RAS), and the authentication/authorization/accounting server. Each of these components can be further broken down into more complex pieces, but this diagram represents the simplified versions of each of these components.
1. User dials in to their local ISP or other service provider NAS/RAS.
2. NAS device answers the call and begins the username/password challenge process with the user.
3. User enters username and password information.
4. NAS/RAS then hands that information, along with any other vendor-specific information it is configured for, to a RADIUS server.
5. RADIUS server then attempts to authenticate that username/password combination from its list of authentication methods.
6. RADIUS server sends a message back to the NAS/RAS with an authentication response message, either an accept or a reject.
7. NAS/RAS now knows what services to allow this user access to.

8 RADIUS Clients
- PPP servers: Nortel/Ascend, Cisco Access Servers
- VPN: Nortel Extranet Switch
- Firewalls: Firewall-1, NetScreen
- Back Office Software: Oracle 8i
- Wireless: PDSN, GCSN, GSM, SGSM

Notes: A Network Access Server (NAS) is a device that can recognize and handle connection requests from outside the network "edge." When the NAS receives a User's connection request, it may perform an initial access negotiation with the User (PPP or SLIP). This negotiation will establish certain data (username, password, NAS device identifier, NAS port number, and so on). The NAS will then pass this data to the RADIUS server and request authentication. Any device that communicates via the RADIUS standards can be considered a RADIUS client. These devices are capable of sending RADIUS packets to other RADIUS servers. Preside Radius itself can be both a RADIUS client and a RADIUS server. Once they send a RADIUS packet, they know to wait for a response. Once they get the response, they then know what to do with it after that. Out of the box, Preside Radius supports most of the major NAS devices. Is there a new device that needs a special dictionary? Just add that name and dictionary information to the vendor.ini file and you'll have access to it in the make/model section when choosing a NAS device.

Supported devices: 3Com ADC Kentrox Pacesetter Access Beyond RAM Rack ACC Tigris and Amazon Servers Alcatel Altiga VPN Concentrator Ascend Assured Access Technology Aventail Bay Networks BBN Dialinx Bintec Bianca Cabletron CyberSWITCH Family Checkpoint Firewall-1 Cisco Compaq Series 6000 Compatible Systems CompuTone PowerRack and IntelliServer Concentric RemoteLink Service Digi LANAserver Gandalf XpressConnect Indus River Riverworks Kasten Chase Optiva Lantronix LRS LeeMah Bandwagon Livingston PortMaster MichNet Shared Dial-in Microsoft RRAS for Windows NT New Oak Nomadix USG Nortel Perle 833/833AS Proteon GT-Secure RADLINX PASSaPORT Raptor Eagle Redback RedCreek RavlinSoft Shiva Stallion ITK NetBlazer US Robotics NETServer UUNet VIP Service VPNet VPN Service Unit Xylan Zoom, and all "Standard RADIUS" compatible devices.

9 RADIUS AAA Services
- Authentication: Are the credentials correct? Match username/password to profile.
- Authorization: Which services may be provided? Use the profile to validate the user's request.
- Accounting: Track usage during the connection's lifetime; sort, filter and organize attributes; send attributes anywhere (logfile, Proxy, SQL).

Notes: Authentication. How do we know you are who you say you are? Comparing username and password combinations against internal or external data stores is how we do it. In the case of Preside Radius, that match may be found: on the RADIUS server; on some other type of authentication server (ACE/Server or TACACS+); in an SQL or LDAP database; or on some other RADIUS server for which this server is a "proxy."

10 RADIUS Messages
A device that "supports RADIUS" can receive and send RADIUS messages. RADIUS messages contain RADIUS attributes. Attributes are how information is exchanged.
Message types:
- Access-Request
- Access-Reject
- Access-Accept
- Access-Challenge
- Accounting-Start
- Accounting-Stop
- Accounting-Interim
- Accounting-On
- Accounting-Off

11 Standard RADIUS Authentication Attributes
Standard RADIUS authentication attributes are listed in RFC 2865:
User-Name, User-Password, CHAP-Password, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, State, Class, Vendor-Specific, Session-Timeout, Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port

12 Standard RADIUS Accounting Attributes
Standard accounting attributes are defined in RFC 2866:
Acct-Status-Type, Acct-Delay-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id, Acct-Link-Count

13 Vendor Specific Attributes
- Vendors can create their own attributes that allow their devices to perform authorization functions and provide information relevant to the type of device (PPP, VPN, firewall, etc.)
- Examples: Ascend-Disconnect-Cause, Cisco-AVPAIR, RB-Context_Name, PW_Tunnel_Authentication
- All VSAs are defined in configurable text files (.dct files)
- VSAs are non-standard (vendor-specific) information packaged into a format that is standard RADIUS
- Preside Radius includes comprehensive dictionary lists for most devices on the market today

14 The Role of Attributes
Checklist attributes are present in the Access-Request message: "Once the [NAS] client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5" (RFC 2865, page 4).
Return-list attributes are present in the Access-Accept response: "If all [checklist] conditions are met, the list of configuration values for the user are placed into an "Access-Accept" response. These values include the type of service (for example: SLIP, PPP, Login User) and all necessary values to deliver the desired service." (RFC 2865, page 6).
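The RFC 2865 mechanism quoted above, worked through as an added example (not code from the deck or from Preside Radius): a NAS builds an Access-Request carrying the checklist attributes, the User-Password is hidden with the MD5-based method, and the server side reverses it. The shared secret, Request Authenticator and credentials are constructed sample values.

```python
"""RFC 2865 Access-Request construction with User-Password hiding (added example)."""
import hashlib
import os
import struct

# RFC 2865 packet code and attribute type numbers used below
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Hide a cleartext password as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed
    with MD5(secret + previous), where 'previous' is the Request Authenticator
    for the first block and the previous ciphertext block afterwards. This is
    obfuscation keyed only by the shared secret: whoever holds the secret and
    sees the packet can reverse it, which is why secret strength matters.
    """
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Reverse hide_password(); the server does this before checking the credential."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, nas_ip, nas_port,
                         authenticator=None):
    """Assemble the Access-Request a NAS sends: name, hidden password, client ID, port."""
    authenticator = authenticator or os.urandom(16)   # 16 random octets per request
    attrs = (
        attribute(ATTR_USER_NAME, username)
        + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
        + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Split the attribute section of a RADIUS packet into {type: value}, checking lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs
```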

15 Access Services...
Diagram labels: Remote Users; Enterprise or Service Provider; Preside Radius; Local, SQL, NT, LDAP, TACACS+; RAS Server, VPN, Router, Firewall.

16 Managed Services
Diagram labels: Remote Users; Service Provider; Enterprise LAN (Enterprise or Service Provider); Preside Radius; NetWare Bindery, Local, NetWare NDS, NT Domain, NT Host, ACE/Server; RAS "A", RAS "B", RAS "C"; Firewall; Private Network / Internet; Link to ISP (T1); CPE router, firewall, and/or VPN.

17 And … Wholesale Data Services
Diagram labels: Remote Users; Outsourced Modem Pools (UUNET); Virtual ISPs; ISP "A", ISP "B", ISP "C"; Preside Radius; Private Network / Internet; Native, SQL, LDAP, TACACS+, NT Domain; RAS "A", RAS "B", RAS "C"; PROXY.

18 BSAC
- Fully compliant RADIUS server
- Easy administration GUI
- Powerful, flexible accounting log
- Accounting to SQL databases
- Authentication against SQL databases
- Authentication against LDAP directories
- Authentication against token systems (SecurID, TACACS+)
- SecurID token caching
- Authentication against local O/S
- Concurrent connection limits
- Expired NT domain passwords
- LDAP Configuration Interface available
- Basic Proxy RADIUS functionality

19 Preside Radius
Built on the scale required by ISPs:
- Advanced Proxy RADIUS features
- Directed authentication, accounting
- Advanced accounting log features
- SNMP support (Solaris)
- perfmon counters and events (Windows NT)
- SQL, LDAP load balancing
- Authorization based on time of day
- Request routing by attribute values
- Administrative access levels
- Auto-restart of the server
- LDAP Configuration Interface built-in
- Concurrency Server available

20 Preside Radius ISP Features
Preside Radius provides many features that help ISPs (and others) deliver and bill for services:
- Time of day
- Acct-Status-Types
- Attribute aliasing
- Configurable accounting log
- Activity log levels
- Auto-detect make/model
- Auto-restart server
- User-Name validation
- Administrative access levels
- Event configuration (NT only)

21 Data Storage Options
Preside Radius is a flexible tool designed to interact with common legacy systems. Preside Radius will work within your existing architecture to leverage existing processes.

22 Preside Radius's Authentication Options
- Preside Radius Native Database
- SQL Databases: Oracle, Informix, ODBC-compliant (NT only)
- Authentication Servers: TACACS+, SecurID, other token systems
- LDAP Directories: Netscape, MS Active Directory, Merit
- Host O/S Databases: NT Domain, NT Host, Solaris

23 SQL Authentication
- Any RADIUS attribute can be retrieved from an SQL column
- Any SQL column can be mapped to a RADIUS attribute and returned in the response
- All data remains in the SQL database
Diagram labels: User, NAS, RADIUS Server, SQL Server.

24 LDAP Summary
- Any RADIUS attribute can be part of the LDAP query
- Any LDAP object can be mapped to a RADIUS attribute and returned in the response
- Lightweight Directory Access Protocol standard
- An example of an "off-line" directory is the phone book or mail-order catalogue.
- Suited to reference data ("read from" much more often than it is "written to").
- Very flexible, both in looking up data and in changing the types of information stored.
- All data remains in the LDAP database

25 SecurID Summary
- Token card system
- Generates new credentials each login
- ACE/Server authenticates credentials
- Preside Radius can pass through to ACE/Server
- Detailed configuration necessary
- New PIN / Next Token
- Support of other token systems

26 Host O/S Databases
- NT Domain & Host
- Solaris Password File & NIS
- NetWare NDS & Bindery

27 Accounting
A billing system requires these fundamental attributes:
- Acct-Session-ID: the connection's unique identifier; matches STARTs and STOPs
- Acct-Status-Type: Start, Stop, Interim, On, Off
- Framed-IP-Address: IP address of the user's connection (an authentication and accounting attribute)
- User-Name: the account using the network
- Acct-Session-Time: for how many seconds did the user receive service? TIME = $ MONEY $
- Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets: what was the volume of network traffic generated by the user? TRAFFIC = $ MONEY $
Other attributes (including VSAs) provide additional detail.

28 SQL Accounting
- Preside Radius lets you write to an SQL database the specific accounting information that you want to maintain
- INSERT is the query used to write to the database
- Any RADIUS accounting attribute listed in Preside Radius's account.ini file can be used in the INSERT statement
- Preside Radius can write the transaction time, full username, NAS name, session time, and record type to the database

29 LCI LDAP Command Interface
- LDAP schema mapped onto the native database
- Using LCI commands: change passwords and authentication methods; add clients, users, tunnels, IP pools; search the current user list; find and modify any aspect of Preside Radius that the administrative program provides
- Standard with Preside Radius, add-on for Preside Radius/Enterprise

ldapsearch.exe:
  ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
ldapmodify.exe:
  ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
ldapadd.exe:
  ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>

30 Installation and Configuration

31 Installation Files
- CD is cross-platform
- Unix: expand the tar file, run the install.sh script. No compiling. The install script will unpack all directories and files, guide you through the configuration, and start the radius process. Open a web browser to /radadmin/java/index.html to launch the admin application.
- NT: run the setup.exe file. Setup.exe installs the Radius directory, expands files, starts the Preside Radius process, and launches the admin application.
- The Java admin GUI is also functional on NT. Copy the contents of the java directory to any other machine and run it remotely to administer the UNIX host.

32 Servers Dialog

33 RAS Clients Dialog
- Name
- IP address
- Shared secret
- UDP port
...on both sides, client and server!

34 Make/Model
Determining make/model of a RADIUS client:
- NAS-IP-Address matches a RAS Client entry, OR
- Auto-detect matches any attribute to make/model
Benefits of make/model:
- Identifies the correct attribute dictionary
- Enables vendor-specific configuration help
- Make/model field in Administrator GUI
Profiles and make/model:
- Profiles can reference various VSAs
- Only the current device's VSAs are used; "other" VSAs are filtered out at request time
- Standard Radius: safe choice, all clients

35 Make/Model Examples
- List box
- Help file
- Dictionary (.dct) files
- vendor.ini file

36 Attribute Dictionaries
- dictiona.dcm: inventory of all available attributes; includes all *.dct files
- radius.dct: standard RADIUS attributes AND Funk Radius VSAs
- *.dct: vendor-specific attributes (name, ID, length, type, valid values, usage); one file per vendor; each file can be edited; new *.dct files can be added

37 Users Dialog
- User type (native vs external)
- Password
- Attributes vs Profile
- Concurrency

38 Types of User
Native, NT Domain, NT Host, UNIX User, UNIX Group, SecurID, TACACS+

39 RADIUS Attributes
- Check List (Access-Request): a list of criteria that a user must satisfy, in addition to providing a password, before Preside Radius will authenticate them.
- Return List (Access-Accept): a list of information that Preside Radius passes back to the NAS once the user has been authenticated. Return List attribute requirements are defined by the NAS.
- Accounting (Acct-Request): additional information sent from the NAS to the Preside Radius server for accounting purposes.

40 Profiles Dialog
Design a template for each class of user.

41 Profile Examples
Basic Dial-In, Advanced Dial-In, Free Access, Basic Tunnel

42 Proxy Dialog
- Name
- IP address
- Shared secret
- UDP port
...on both sides, target and proxy!

43 Tunnel Dialog
- Tunnel attribute storage
- DNIS recognition
- Tunnel support for specific vendor equipment handled through the Users Dialog

44 IP/IPX Pools Dialog
- Configure multiple pools
- Create multiple ranges per pool
- Associate with users, profiles, or NAS

45 Access Dialog
Configure Preside Radius administrators based on domain authentication.

46 Configuration Dialog
- Authentication Methods List: activate, deactivate, sort
- Reject Messages
- Log File Storage
- Tunnel Name Parsing

47 Statistics Dialog

48 Current Users Dialog

49 Preside Radius Data Portability
- Import/Export
- Database Files
- LDAP Configuration Interface

50 Import/Export
- In Preside Radius Admin
- Stores all data configured in the Admin GUI
- Creates a RIF file
- Imports ASCII files
- Cross platform

51 Database Files
- Preside Radius NT & NetWare: radads.dat, radclnt.dat
- Preside Radius Solaris: radiusdata.d01, radiusdata.d02, radiusdata.d03, radiusdata.dbd, radiusdata.k01, radiusdata.k02

52 LCI LDAP Command Interface
- Change passwords
- Add clients, users
- Add tunnels, IP pools
- Search the current user list
- Find and modify any aspect of Preside Radius that the administrative program provides
- Standard with Preside Radius, add-on for Preside Radius/Enterprise

ldapsearch.exe:
  ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
ldapmodify.exe:
  ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
ldapadd.exe:
  ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>

53 Monitoring and Logging

54 Tools
- Activity Logs
- Accounting Logs
- Statistics Dialog
- Current Users
- Reporting
- Windows NT Performance Monitor
- Windows NT Events
- SNMP Support
- Using the LCI for Reporting

55 Activity Log
yyyymmdd.log typical entries:
- Sent accept response for user X to client Y
- Unable to find user X with matching password
- Sent reject response
- Shutting down RADIUS Authentication Server
- Starting RADIUS Authentication Server

56 Activity Log Details
- All Preside Radius information is in a daily log file (yyyymmdd.log)
- radius.ini controls the level of logging detail in its [Configuration] section:
  LogLevel = 0 (production, sparse), 1 (informational, medium), 2 (debug, verbose)
  TraceLevel = 0 (no packet tracing), 1 (parsed contents of packets are logged), 2 (raw contents of packets are logged)
- Kept for a number of days set in the [Configuration] section of radius.ini

57 Accounting Log Details
- All Preside Radius accounting information is in a daily log file (yyyymmdd.act)
- Accounting transactions are also logged to the authentication log file, since accounting start and stop messages impact users' active sessions
- account.ini controls the attributes logged
- Kept for a number of days set in the [Configuration] section of radius.ini
- Comma-separated format for easy importing into other databases or spreadsheet applications
- Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type are built in to native accounting
- All standard RADIUS attributes are listed next by default
- Depending on the device configured, any VSAs are listed after that
- Edit account.ini to add/remove any accounting information logged
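An added example (not from the deck or from Preside Radius) that ties the comma-separated .act log described here to the billing attributes of slide 27: it pairs Start and Stop records by Acct-Session-Id, charges on Acct-Session-Time and octets, and reports Starts without a Stop and Stops without a Start, which a billing or fraud check should not accept silently. The column layout after the six built-in fields is set by account.ini, so the header row and log lines below are constructed samples.

```python
"""Reconcile and bill a Preside Radius style accounting log (added example)."""
import csv
import io

# Constructed sample of a yyyymmdd.act file; a header row is assumed.
SAMPLE_ACT = """\
Date,Time,RAS-Client,Record-Type,Full-Name,Auth-Type,Acct-Status-Type,Acct-Session-Id,User-Name,Framed-IP-Address,Acct-Session-Time,Acct-Input-Octets,Acct-Output-Octets
01/10/2000,08:00:01,ras-a,Start,alice,Native,Start,3A7F0001,alice,10.10.1.20,,,
01/10/2000,08:00:05,ras-a,Start,bob,NT Domain,Start,3A7F0002,bob,10.10.1.21,,,
01/10/2000,08:45:13,ras-a,Stop,alice,Native,Stop,3A7F0001,alice,10.10.1.20,2712,418220,5192001
01/10/2000,09:02:44,ras-b,Stop,carol,SQL,Stop,3A7F0009,carol,10.10.2.7,900,1000,2000
"""


def parse_act(text: str):
    """Return the accounting records as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(records):
    """Match Starts to Stops by Acct-Session-Id, the connection's unique identifier.

    Returns (sessions, open_starts, orphan_stops): billable sessions, Starts
    with no Stop yet (still online, or a lost Stop), and Stops with no Start.
    Interim, On and Off records carry no billable totals here and are skipped.
    """
    starts, sessions, orphan_stops = {}, [], []
    for rec in records:
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            start = starts.pop(sid, None)
            if start is None:
                orphan_stops.append(rec)
                continue
            sessions.append({
                "Acct-Session-Id": sid,
                "User-Name": start["User-Name"],
                "RAS-Client": start["RAS-Client"],
                "Framed-IP-Address": start["Framed-IP-Address"],
                "seconds": int(rec["Acct-Session-Time"] or 0),
                "octets": int(rec["Acct-Input-Octets"] or 0) + int(rec["Acct-Output-Octets"] or 0),
            })
    return sessions, list(starts.values()), orphan_stops


def bill(sessions, per_minute: float, per_megabyte: float):
    """TIME = $ and TRAFFIC = $: charge per started minute plus per MB of traffic, by user."""
    totals = {}
    for s in sessions:
        minutes = -(-s["seconds"] // 60)            # ceiling division: a started minute counts
        charge = minutes * per_minute + s["octets"] / 1_000_000 * per_megabyte
        totals[s["User-Name"]] = round(totals.get(s["User-Name"], 0.0) + charge, 2)
    return totals
```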

58 Log File Errors
Errors can be looked at from two perspectives:
- Information contained within a packet may be a source of error
- Information relative to Preside Radius itself and its connections may be a source of error
Use Tracelevel=1 or 2 to decode packet errors; use Loglevel=1 or 2 for explanatory Preside Radius application errors.

59 Statistics Dialog

60 Statistics
- Authentication Requests
- Accounting Requests
- Proxy Requests
- Transactions, Details, Silent Discards

61 Current Users Dialog

62 Current Users Quick View
Columns: Username, RAS Client, Port, Time, Session-ID, IP Address
- Preside Radius receives an authentication request and generates a phantom record
- When an accounting message comes in that matches the authentication record, the phantom record is deleted
- The match is based on NAS IP address and NAS port
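The phantom-record behaviour just described, as an added example modelled on the slide rather than Preside Radius's own code: an authentication request creates a phantom keyed by NAS IP address and NAS port, a matching accounting Start replaces it with a real record, a Stop removes it. The return values that flag a Start with no phantom, a username mismatch, or a Stop for an unknown session are my addition, and the handling of Accounting-On/Off (clear every session on that client) is an assumption.

```python
"""Current Users table with phantom records (added example, not Preside Radius code)."""
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    ras_client: str          # NAS IP address
    port: int                # NAS port
    session_id: str = ""
    ip_address: str = ""
    phantom: bool = True     # True until an accounting Start confirms the session


class CurrentUsers:
    def __init__(self):
        self._table = {}     # (nas_ip, nas_port) -> Session

    def on_access_request(self, username, nas_ip, nas_port):
        """Authentication request seen: create a phantom record for this client/port."""
        self._table[(nas_ip, nas_port)] = Session(username, nas_ip, nas_port)

    def on_accounting(self, status, username, nas_ip, nas_port, session_id="", ip_address=""):
        """Start replaces the phantom with a real record; Stop removes it.

        Returns a short tag describing what happened, suitable for a log line.
        """
        key = (nas_ip, nas_port)
        if status == "Start":
            phantom = self._table.get(key)
            self._table[key] = Session(username, nas_ip, nas_port, session_id, ip_address,
                                       phantom=False)
            if phantom is None:
                return "start-without-auth"      # no authentication seen for this port
            if phantom.username != username:
                return "username-mismatch"       # accounting names a different user
            return "matched"
        if status == "Stop":
            return "stopped" if self._table.pop(key, None) else "stop-without-session"
        if status in ("On", "Off"):
            # Assumption: the NAS restarted or went away, so all its sessions are gone.
            for k in [k for k in self._table if k[0] == nas_ip]:
                del self._table[k]
            return "client-cleared"
        return "ignored"

    def quick_view(self):
        """Rows in the slide's column order: Username, RAS Client, Port, Session-ID, IP Address, phantom flag."""
        return [(s.username, s.ras_client, s.port, s.session_id, s.ip_address, s.phantom)
                for s in sorted(self._table.values(), key=lambda s: (s.ras_client, s.port))]

    def phantoms(self):
        """Records still waiting for an accounting Start."""
        return [s for s in self._table.values() if s.phantom]
```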

63 Reporting
Create an RTF report file composed of the selected items. Information is polled from all aspects of Preside Radius.

64 Performance Monitor
- Run perfmon.exe on the administrative workstation
- Add the Preside Radius service as an object to the chart items
- Add any of the Preside Radius counters needed: Acct-Starts, Auth-Requests, Sessions Online, etc.

65 Windows NT Events
Event service types:
- RADCAT_CORE (ID=1): core events relating to the functioning of Preside Radius itself
- RADCAT_AUTH (ID=2): events relating to the authentication service
- RADCAT_ACCT (ID=3): events relating to the accounting service

66 Severity of Preside Radius Events
- Informational events: service has started; service has stopped
- Warning events: count of available threads has dropped below nnnn; amount of free file system space has dropped below minimum threshold
- Error events: unable to create thread; the connection to Accounting Server has failed

67 SNMP Support
- Requires Solstice Enterprise Agent (SEA); Preside Radius acts as a subagent
- Three MIB files that get copied to the SNMP Manager: rauths.mib, raccs.mib, and fnkradtr.mib
- Queries are defined in the rauths and raccs MIB files
- Traps and alarms are defined in the fnkradtr MIB file: informational, warning, and error messages, similar to Windows NT Events
- Events.ini configures the reporting options; can dilute (reduce the frequency of) reporting of common events

68 LCI Reporting Options
Use the LCI to report current users by client, IP address, Session ID, full name:
  ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" client=*
  ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" ipaddressfrompool=*
  ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" acct-session-id=*
  ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*

69 LDAP

70 LDAP Summary
Lightweight Directory Access Protocol
- A "directory" is a specialized database
- An example of an "off-line" directory is the phone book or mail-order catalogue.
- Suited to reference data ("read from" much more often than it is "written to").
- Very flexible, both in looking up data and in changing the types of information stored.

71 LDAP Authentication
Diagram labels: User; NAS (RADIUS client); RADIUS Server (Preside Radius); LDAP Server (LDAP database server).

72 LDAP Authentication
You have user data in an LDAP database.
1. Create an .aut file that (1) BINDs Preside Radius to an LDAP database and (2) issues a SEARCH query to retrieve the password, based on the username.
2. Name the authentication method (InitializationString = <LDAPName>).
3. Stop and restart the Preside Radius server.
4. Enable, disable, and re-order the <LDAPName> method in the Preside Radius Administrator, Configuration Dialog, Authentication Methods list.
5. Reference the <LDAPName> method from a directed realm.
Sample .aut file for LDAP authentication: LDAP Bind; standard Netscape schema; profile determined by IP address of the client NAS device.

73 Secondary LDAP Searches
Issue an additional search based on whether a search did or did not find the user in the initial search base.
- An OnFound section executes a secondary search after the first returns found:
  - Execute a second search based on parameters from the original search and parameters from the original Access-Request message
  - Execute a search for additional parameters in another branch of the LDAP directory based on the found user
- An OnNotFound section executes a secondary search after the first returns not found:
  - Execute a search on a separate branch of the LDAP directory in a secondary attempt to validate the user

74 Decision Tree Processing
- Execute initial search
- Based on the OnFound and OnNotFound portions of an LDAP authentication method
- Develop a process as complex as necessary to suit the organization's needs
Flowchart: Found? Yes: DSL subscriber? Yes: return DSL profile. No: dial-up subscriber? Yes: $ACCEPT. No: $REJECT. Found? No: search an alternate branch. Found? Yes: $ACCEPT. No: $REJECT.
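The OnFound/OnNotFound decision tree of these two slides, walked through in an added example (not a Preside Radius .aut file and not the product's own code): an initial search in the subscriber branch, a service-type check on found users, and an alternate-branch search when the user is not found, ending in $ACCEPT with a profile or $REJECT with a reason. The in-memory directory, the branch names and the serviceType attribute are constructed stand-ins for a real LDAP SEARCH.

```python
"""LDAP authentication decision tree with OnFound / OnNotFound branches (added example)."""
import hmac

# Constructed in-memory directory: DN -> attributes (Netscape-style attribute names).
DIRECTORY = {
    "uid=alice,ou=subscribers,o=example": {"userPassword": "pw-alice", "serviceType": "dsl"},
    "uid=bob,ou=subscribers,o=example":   {"userPassword": "pw-bob",   "serviceType": "dialup"},
    "uid=carol,ou=subscribers,o=example": {"userPassword": "pw-carol", "serviceType": "none"},
    "uid=dave,ou=partners,o=example":     {"userPassword": "pw-dave"},
}


def ldap_search(base, uid):
    """Stand-in for the SEARCH the .aut file issues: entry for uid under base, or None."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base) and dn.startswith(f"uid={uid},"):
            return attrs
    return None


def password_ok(entry, password):
    """Compare the retrieved credential in constant time."""
    return hmac.compare_digest(entry["userPassword"], password)


def authenticate(username, password):
    """Walk the decision tree; returns ("$ACCEPT", profile) or ("$REJECT", reason)."""
    entry = ldap_search("ou=subscribers,o=example", username)   # initial search
    if entry is not None:                                        # OnFound
        if not password_ok(entry, password):
            return "$REJECT", "bad-password"
        if entry.get("serviceType") == "dsl":                    # DSL subscriber? yes
            return "$ACCEPT", "DSL-Profile"
        if entry.get("serviceType") == "dialup":                 # dial-up subscriber? yes
            return "$ACCEPT", "Dialup-Profile"
        return "$REJECT", "no-service"                           # neither service
    entry = ldap_search("ou=partners,o=example", username)       # OnNotFound: alternate branch
    if entry is None:
        return "$REJECT", "not-found"
    if not password_ok(entry, password):
        return "$REJECT", "bad-password"
    return "$ACCEPT", "Partner-Profile"
```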

75 Bind vs. BindName
- Bind: connect to the directory as the dial-in user; the connection has this user's rights
- BindName: connect to the directory as the same user for all filters, for example an administrative account; the directory view does not change from transaction to transaction

Notes: The primary difference is that Bind uses more bandwidth as it opens and closes a connection for every LDAP authentication request. BindName makes only one connection on start-up, and then issues queries for each authentication request. This reduces network usage.

76 LDAP Bind Example
LDAP Bind
Standard Netscape schema
Same profile (TheUserProfile) for all Accepts
[Response] section could be empty: return no attributes in an Accept

77 LDAP BindName Example
BindName using an administrative account
LDAP Search for the user's stored credentials
Standard Netscape schema
RAS Client is an Ascend device
DNIS callback number returned with Accept

78 LDAP References
Understanding and Deploying LDAP Directory Services
Timothy A. Howes, Mark C. Smith, Gordon S. Good
  Comprehensive
  Easy to read
  Defines key terms
Openldap.org
Netscape

79 SQL Authentication

80 SQL Authentication
RADIUS client -> Preside Radius -> SQL database server
Any RADIUS attribute can be retrieved from SQL
Any SQL column can be returned in the response
[Diagram: User -> NAS -> RADIUS Server -> SQL Server]

81 SQL Summary
Structured Query Language
A way to read from/write to databases
Tried and trusted, it's everywhere
Suited to fast-changing data (frequent r/w)
Inflexible format (rows and columns only)
Map SQL columns to any RADIUS attribute

82 SQL Configuration
You have user data in a SQL database.
Create an .aut file that (1) connects to the SQL database and (2) issues a SELECT query to retrieve the password, based on the username.
  Username, password, profile, as well as any desired attribute stored in the database
  Execute stored procedures in MSSql, stored functions in Oracle
Name the authentication method ( InitializationString = <SQLName> ).
Enable the .aut file ( Enable = 1 ).
Stop and restart the Preside Radius server.
Activate, deactivate, and re-order the <SQLName> method in the Preside Radius Administrator, Configuration Dialog, Authentication Methods list.

83 SQL SELECT
SELECT is used in the authentication process to retrieve information from the database.
Preside Radius uses the SELECT statement to return the user's password, stored in the external database.
If the password returned from the external database matches the password received in the Access-Request for the user, Preside Radius will accept the connection.
Sample syntax: (continued on next page)

84 SELECT Examples
[SQL table and the three SELECT statements are not reproduced in this transcript]
Retrieve only the password from the database:
Retrieve password and profile from the database:
Authenticate the user only if the user's account is paid:
In each case:
  What if the Access-Request contains the credentials Kevin/Test ?
  What if the Access-Request contains the credentials Mel/Test3 ?
  What if the Access-Request contains the credentials Nicole/Test4 ?

85 Stored Procedures: Authentication
Support of execution of stored procedures in MSSql 7
Authentication Example:
SQL= EXECUTE authenticate_user %name/20s, %password/20s
Returns a profile with the following stored procedure (both parameters passed by the EXECUTE above must be declared and compared):
CREATE PROCEDURE authenticate_user
    @username varchar(20),
    @password varchar(20)
AS
    SELECT userprofile FROM usertable
    WHERE username = @username AND password = @password

86 Stored Procedures: Accounting
Support of execution of stored procedures in MSSql 7
Inserts accounting data into the accounting table:
SQL=EXECUTE add_account %transactiontime/20s, \
    @user-name/21s, \
    @Acct-Session-ID/12s, \
    @NAS-IP-Address/15s, \
    @NAS-PORT-TYPE/5s, \
    @FRAMED-IP-ADDRESS/15s, \
    @calling-station-id/12s, \
    @called-station-id/12s, \
    %TYPE/4s, \
    @ACCT-SESSION-TIME/14s, \
    @ACCT-TERMINATION-CAUSE/12s

87 Stored Functions in Oracle: Authentication
Support of execution of stored functions in Oracle
Authentication Example:
SQL= SELECT authenticate_user (%name/20s, %password/20s) FROM DUAL
Returns a profile with the following stored function:
CREATE OR REPLACE FUNCTION authenticate_user (un IN VARCHAR2, pw IN VARCHAR2)
RETURN VARCHAR2 IS
    profile LONG;
BEGIN
    SELECT userprofile INTO profile FROM usertable
    WHERE username = un AND password = pw;
    RETURN profile;
END authenticate_user;
/

88 Stored Functions in Oracle: Accounting
Support of execution of stored functions in Oracle
Inserts accounting data into the accounting table:
SQL=SELECT add_account (%transactiontime/20s, \
    @user-name/21s, \
    @Acct-Session-ID/12s, \
    @NAS-IP-Address/15s, \
    @NAS-PORT-TYPE/5s, \
    @FRAMED-IP-ADDRESS/15s, \
    @calling-station-id/12s, \
    @called-station-id/12s, \
    %TYPE/4s, \
    @ACCT-SESSION-TIME/14s, \
    @ACCT-TERMINATION-CAUSE/12s) FROM DUAL

89 Common SQL Tech Notes
RD260: Setting up Steel-Belted Radius-NT ODBC to a MS-SQL Server database
RD212: Oracle SQL setup for Steel-Belted Radius-UNIX
RD211: Informix SQL setup for Steel-Belted Radius-UNIX 2.10
RD272: Steel-Belted Radius rejects SQL users when the password field is defined as 'char' type
RD298: SQL configuration files: database connectivity options

90 SQL References
The Practical SQL Handbook: Using Structured Query Language, 3rd ed.
Judith S. Bowman, Sandra L. Emerson, Marcy Darnovsky
  Includes sample software on CD-ROM
  Cross-references different SQL products: Oracle, Microsoft, Generic
Introduction to SQL:

91 Accounting

92 SQL Accounting
You have billing records in a SQL database.
Create an .acc file that (1) connects to the SQL database and (2) issues an INSERT query that writes accounting data to it.
Name the accounting method ( InitializationString = <SQLName> ).
Enable the <SQLName> accounting method ( Enable = 1 ).
Stop and restart the Preside Radius server.
Optionally, you may reference <SQLName> from a directed realm.

93 RADIUS Accounting Attributes
What do they tell us? How are they used?
Start • Stop • Interim
  These messages tell us about the user.
  When a user starts to receive service on the network, these messages provide type-of-connection and other activity information.
  They give "notice" when the user has stopped using the network.
  These messages enable us to account for network usage and bill for "consumptive" use. (Flat-rate, monthly billing does not require accounting.)
On • Off
  These messages tell us about the NAS device.
  They provide information about the startup or shutdown of a RADIUS client.
  They enable Preside Radius to notify devices and management tools on the network about the status of the RADIUS client.

94 SQL INSERT
Preside Radius lets you write to an SQL database the specific accounting information that you want to maintain.
INSERT is the query used to write to the database.
Any RADIUS accounting attribute listed in Preside Radius's account.ini file can be used in the INSERT statement: @AttributeName
Preside Radius can also write the transaction time, full username, NAS name and record type to the database: %Value
Sample syntax:

95 Accounting and Billing
A rudimentary billing system requires only these attributes:
Acct-Session-ID
  Connection's unique identifier
  Matches STARTs and STOPs
Acct-Status-Type
  Start, Stop, Interim, On, Off
Framed-IP-Address
  IP address of the user's connection
  Authentication and accounting attribute
User-Name
  The account using the network
Acct-Session-Time
  For how many seconds did the user receive service?
  TIME = $ MONEY $
Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets
  What was the volume of network traffic generated by the user?
  TRAFFIC = $ MONEY $
Other attributes (including VSAs) provide additional detail.

96 INSERT Examples
[SQL table and INSERT statements are not reproduced in this transcript]
A simple INSERT statement might capture:
  The time of the transaction
  The username
  The NAS to which the user connected
  The type of accounting message
  The total connect time
Expect to create complex INSERT statements like these:

97 Native Accounting Log File
yyyymmdd.ACT
comma-delimited
typical entry (a single line)
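The comma-delimited .ACT records above are what a billing job consumes. This added example (not Preside Radius code) correlates Start and Stop records by Acct-Session-ID as slide 95 describes, prices the matched sessions by time and traffic, and reports the two mismatch cases that slide 134 later lists as sources of leaked addresses: a Start with no Stop and a Stop with no Start. The column order and all log lines are constructed for the example; the real column layout is whatever account.ini selects.

```python
import csv
import io

# Constructed sample .ACT content. The first six columns are the built-in
# fields named on slide 114 (Date, Time, RAS-Client, Record-Type, Full-Name,
# Auth-Type); the RADIUS accounting attributes that follow, and their order,
# are an assumption for this example (account.ini decides the real layout).
SAMPLE_ACT = """\
Date,Time,RAS-Client,Record-Type,Full-Name,Auth-Type,Acct-Session-ID,User-Name,Framed-IP-Address,Acct-Session-Time,Acct-Input-Octets,Acct-Output-Octets
01/10/2000,08:00:01,nas1,Start,carol,Native,3000001,carol,10.1.2.50,,,
01/10/2000,08:00:03,nas1,Start,bob,Native,3000002,bob,10.1.2.51,,,
01/10/2000,08:30:03,nas1,Interim,carol,Native,3000001,carol,10.1.2.50,1800,400000,90000
01/10/2000,09:00:01,nas1,Stop,carol,Native,3000001,carol,10.1.2.50,3600,800000,120000
01/10/2000,09:05:00,nas1,Stop,dave,Native,3000009,dave,10.1.2.52,120,1000,2000
"""


def load_records(text):
    """Parse comma-delimited .ACT text into one dict per record."""
    return list(csv.DictReader(io.StringIO(text)))


def correlate(records):
    """Group records by Acct-Session-ID, the connection's unique identifier
    that matches Starts to Stops. On/Off records describe the NAS, not a
    user session, so they are not attached to any session."""
    sessions = {}
    for rec in records:
        sess = sessions.setdefault(rec["Acct-Session-ID"], {
            "user": rec["User-Name"], "nas": rec["RAS-Client"],
            "ip": rec["Framed-IP-Address"],
            "Start": None, "Stop": None, "Interim": None})
        if rec["Record-Type"] in ("Start", "Stop", "Interim"):
            sess[rec["Record-Type"]] = rec
    return sessions


def bill(sessions, rate_per_hour, rate_per_mbyte):
    """Charges per user from matched Start/Stop pairs only. Acct-Session-Time
    on the Stop record gives TIME, the octet counters give TRAFFIC."""
    charges = {}
    for sess in sessions.values():
        stop = sess["Stop"]
        if sess["Start"] is None or stop is None:
            continue                      # unmatched sessions are reported, not billed
        seconds = int(stop["Acct-Session-Time"])
        octets = int(stop["Acct-Input-Octets"]) + int(stop["Acct-Output-Octets"])
        amount = seconds / 3600 * rate_per_hour + octets / 1_000_000 * rate_per_mbyte
        charges[sess["user"]] = round(charges.get(sess["user"], 0.0) + amount, 4)
    return charges


def unmatched_starts(sessions):
    """Start with no Stop: either still active, or the leaked-address case
    (NAS never sent the Stop, NAS crashed, packet lost)."""
    return sorted(sid for sid, s in sessions.items() if s["Start"] and not s["Stop"])


def unmatched_stops(sessions):
    """Stop with no Start: the mismatched Start/Stop case; the session can
    never be closed properly because nothing opened it."""
    return sorted(sid for sid, s in sessions.items() if s["Stop"] and not s["Start"])


if __name__ == "__main__":
    sessions = correlate(load_records(SAMPLE_ACT))
    print("charges:", bill(sessions, rate_per_hour=1.0, rate_per_mbyte=0.1))
    print("Start without Stop:", unmatched_starts(sessions))
    print("Stop without Start:", unmatched_stops(sessions))
```

Sessions listed by unmatched_starts should be compared against the Current Users dialog before being treated as leaks, since a session that is still up looks the same in the log.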

98 Proxy RADIUS

99 Why Proxy RADIUS?
Enables outsourcing
Customer info stays @ realm
  The larger carrier does not get it
  Customer keeps control of its own data
Users of Proxy RADIUS
  AOL, MSN, Compuserve
  iPass
  Any organization looking to sell wholesale network access

100 Proxy RADIUS • BSAC
BSAC Radius receives request (User-Name = )
BSAC Radius forwards request to server Funk
Target server authenticates request (User-Name = Carol)
All realms are treated the same way

101 Proxy RADIUS • Preside
Options, options, options...

102 Proxy RADIUS • Preside
Preside Radius receives request (User-Name = )
Preside Radius checks if it's hosting the realm
  If so, Preside Radius authenticates the request
  If not, the request is forwarded to realm Funk (realm Funk must exist)
Various options are applied to the request
Request is authenticated (User-Name = Carol OR )

103 Preside Proxy Features
Customer requirements are not all the same
"Sense of self"
  Support for wholesaling
  Hosting RADIUS services
Different ways of routing
  Username prefix and suffix support
  DNIS routing
  Routing by any attribute
  Multiple hops
Realm-specific configuration options

104 Preside Proxy Features
Customer requirements are not all the same
Multiple targets
  Redundancy
  Load balancing
  Failure options
Username handling
First Proxy might not be the final stop
  Outsourcing by the outsourcer
Attribute filters

105 Directed Authentication and Accounting Methods
Simplify hosting of RADIUS services
Permit prefix, suffix, or DNIS routing
Enable individual accounting files for each customer
Remove requirement for additional RADIUS servers (permit a unique RADIUS configuration for each customer on the same server)
Leverage investment in SQL or LDAP
Promote savings on hardware, software, support/maintenance, training, and facilities

106 Why Directed Methods?
Directed Authentication
  Carriers can host AAA servers for their customers
  Each realm:
    Points to a specific auth method only
    May have a specific auth order list
  @Ford attempted against Ford's database only!
Directed Accounting
  Customer records handled separately in log files or SQL db
  Simplifies delivery of accounting information to the customer (no Proxy RADIUS needed at customer site)

107 Directed Methods Licensing
10 licenses with Preside Radius
Each directed method consumes 1 license
Authentication and accounting methods are counted individually:
  6 authentication plus 4 accounting = 10
  1 accounting plus 9 authentication = 10
Additional 5-packs available
Add licenses without re-installing Preside Radius

108 Filters
When directing messages to and from Preside Radius realms, filters can be applied that place attribute information into, or remove it from, the message
filter.ini defines all filter names and filter rules
Filter names are referenced from realm configuration files: <realmname>.pro and <realmname>.dir

109 Filter Options
Create Allow, Exclude, or Add attribute rules in filter.ini:
[filtername]
Allow
Exclude NAS-Identifier
Add Idle-Timeout 60
Reference filter names in realm .pro/.dir files:
[Auth]
FilterIn=filtername1
FilterOut=filtername2
[Acct]
FilterIn=filtername3
FilterOut=filtername4

110 Troubleshooting and Logging

111 Process
Find out what happened (logs)
Remove Preside Radius from the picture
Use configuration checklists
Use system tools (perfmon, top, event viewer, etc.)

112 Activity Log
yyyymmdd.log
typical entries:
  Sent accept response for user X to client Y
  Unable to find user X with matching password
  Sent reject response
  Shutting down RADIUS Authentication Server
  Starting RADIUS Authentication Server

113 Activity Log Details
All Preside Radius information is in a daily log file (yyyymmdd.log)
radius.ini controls the level of logging detail in its [Configuration] section:
LogLevel =
  0 = production (sparse)
  1 = informational (medium)
  2 = debug (verbose)
TraceLevel =
  0 = no packet tracing
  1 = parsed contents of packets are logged
  2 = raw contents of packets are logged
Kept for a number of days set in the [Configuration] section of radius.ini

114 Accounting Log Details
All Preside Radius accounting information is in a daily log file (yyyymmdd.act)
Accounting transactions are also logged to the authentication log file, since accounting start and stop messages impact users' active sessions
account.ini controls the attributes logged
Kept for a number of days set in the [Configuration] section of radius.ini
Comma-separated format for easy importing into other databases or spreadsheet applications
  Date, Time, RAS-Client, Record-Type, Full-Name, Auth-Type are built in to native accounting
  All standard RADIUS attributes are listed next by default
  Depending on the device configured, any VSAs are listed after that
Edit account.ini to add/remove any accounting information logged

115 Log File Errors
Errors can be looked at from two perspectives:
  Information contained within a packet may be a source of error
  Information relative to Preside Radius itself and its connections may be a source of error
Use TraceLevel=1 or 2 for logging to decode packet errors
Use LogLevel=1 or 2 for explanatory Preside Radius application errors

116 Packet Specific Errors
Trace packets to decode information that is contained within RADIUS messages
  Determine whether appropriate attributes are present in the packet
  Determine whether appropriate attribute values are present in the packet
  Determine whether a device is sending valid RADIUS packets

117 RADIUS Attributes
Standard RADIUS attribute layout: ID | Length | Data
  example bytes: <00..00>
Vendor-specific attribute layout (ID 1a): ID | Length | VendorID | ID | Length | Data
  example bytes: 1a 0e ad <00..00>

118 Preside Radius Logging Error Messages
Preside Radius will log connection attempts to any external databases (SQL, LDAP)
The log file will record messages transmitted to and from other RADIUS devices
  Read these to determine if packets are being sent to and from other RADIUS clients and servers
Configuration issues can be seen here:
  Invalid license strings
  Failure to load configuration files
  Failure to execute SQL SELECT and INSERT statements
Accept and Reject messages are logged from upstream clients and downstream servers

119 Refer to Manual Index
Example: "Which password protocols does Preside Radius support?"

120 Common Tech Notes
Steel-Belted Radius tech notes found in the support section of
RD124: Realm name appended to username causes Steel-Belted Radius reject
RD143: NT RAS Dial-in clients failing authentication while other dial-in clients are authenticated
RD162: Setting up a SecurID/ACE Server
RD168: How to Disable CHAP Password on a NT RAS
RD175: User rights problems when installing on NT PC that is NOT Domain Controller
RD207: Simple Cisco set up
RD208: Native Users works, but pass-through authentication doesn't
RD219: Need to test Steel-Belted Radius in stand alone mode (testrig)
RD231: Forgot admin password on Preside Radius UNIX
RD254: Requirements for persistence mode functionality w/ Steel-Belted Radius v 1.5 and later
RD259: MS-CHAP authentication supports Preside Radius
RD260: Setting up Steel-Belted Radius NT ODBC to a MS SQL server database
RD269: How to decode Radius packets
RD279: Logging additional attributes to Steel-Belted Radius "*.ACT" files
RD285: "Matching request found in auth. Cache and cached response being re-sent" log msg

121 Common Tech Notes
RD296: NT Trust Issues across multiple domains; authentication against remote domains
RD306: Steel-Belted Radius Database Files
RD311: Limiting NAS access for specific users
RD334: Definitions for checklist and returnlist attributes
RD336: Default Ports for Preside Radius
RD367: License issue for upgrades, etc. ("no valid primary license found")
RD369: Radius authentication via PAP or CHAP
RD371: SQL authentication and accounting for NT 4.0 using MS Access 97
RD376: Importing flat text users/passwords into Preside Radius
RD407: Sample "LDAPSEARCH" strings for use with LCI
RD411: System Requirements for Preside Radius
RD414: Windows 2000 Set Up considerations – install crashes 79% and get –115 error
RD417: Recommend Steps for Upgrading Steel-Belted Radius
RD436: Sample file for authorization against LDAP using Bind
RD437: Using Bind Name
RD447: LDAP EXE Files
RD463: NT Expired Password – Setting up Profiles
RD291: "Pipe" messages in the Steel-Belted Radius daily activity log

122 Other Features

123 Tunnels
Preside Radius supports the authentication and accounting needs of existing tunnels
Can store and pass back information the NAS device needs to establish a tunnel connection
Track number of tunnels in use and compare to maximum number of tunnels allowed

124 Tunnel Process
Preside Radius looks for the Called-Station-ID in the Access-Request message and looks for a tunnel entry matching this attribute
Alternately, Preside Radius looks for a tunnel entry matching the username decoration:
  Username<delimiter>tunnelname
  Tunnelname<delimiter>username
Preside Radius can place tunnel-specific attributes into the Access-Accept message that will enable the NAS device to establish a tunnel connection:
  Ascend-Tunneling-Protocol
  Tunnel-Assignment-ID
  Tunnel-Medium-Type
Authentication occurs after this point. Successful authentication at the enterprise site will complete the connection

125 Auto Restart
Enables Preside Radius to restart itself whenever it experiences a shutdown
Disabled by default
  Stop the radius process
  Edit the /etc/rc2.d/S90radius script
  Uncomment this line:
    # RADIUS="$RADIUSDIR/radiusd --server $RADIUSDIR/radius"
Runs the radius process as a child of radiusd

126 Auto Restart Options
The child process is polled based on configuration options defined in the radiusd Perl script:
# config
$ping_interval = 5;
$max_pong = 17;
$max_startup = 60;
$max_shutdown = 60;
$debug_mode = 0;
If syslog is available to Perl, all informational, warning and debugging messages are recorded in syslog
Optionally, a specific log file can be specified
If not specified, and syslog is not available, messages are written to radiusd.log in the radius directory

127 Time Of Day Restrictions
Using the "Allowed-Access-Hours" Funk standard attribute, time-of-day restrictions can be enforced
Apply this attribute to a native user, a profile, a host OS user/group, or token system user
Store this attribute/value in LDAP or SQL, apply it to externally authenticated users
Time ranges are 24 hour: represents 8 AM to 10 PM
Day ranges: M, Tu, W, Th, F, Sa, Su
  M-Th represents Monday through Thursday inclusively
Day and time ranges can intermix, but there must be at least one time range for any day that is used
Allowed-Access-Hours M-W
Allowed-Access-Hours Tu,Th-F
Allowed-Access-Hours Sa-Su
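An evaluator for Allowed-Access-Hours values, as an added example that is not Preside Radius code. The day tokens (M, Tu, W, Th, F, Sa, Su; ranges inclusive; comma-separated lists such as Tu,Th-F) and the rule that every day group needs at least one time range come from the slide above. The time-range token syntax HHMM-HHMM (so 0800-2200 for 8 AM to 10 PM) and whitespace as the separator between day tokens and time tokens are assumptions for this example, since the time values did not survive the transcript.

```python
import re
from datetime import datetime

# Index 0 is Monday, matching datetime.weekday().
DAYS = ["M", "Tu", "W", "Th", "F", "Sa", "Su"]
# Assumed time-range token: HHMM-HHMM in 24-hour notation.
TIME_RANGE = re.compile(r"^(\d{4})-(\d{4})$")


def _day_set(token):
    """'Tu,Th-F' -> {1, 3, 4}; day ranges are inclusive and run forward."""
    days = set()
    for part in token.split(","):
        lo, _, hi = part.partition("-")
        if lo not in DAYS or (hi and hi not in DAYS):
            raise ValueError("unknown day token %r" % part)
        first = DAYS.index(lo)
        last = DAYS.index(hi) if hi else first
        if last < first:
            raise ValueError("day range %r must run forward" % part)
        days.update(range(first, last + 1))
    return days


def _minutes(hhmm):
    """'0800' -> 480; accepts 2400 as end-of-day."""
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    if hour > 24 or minute > 59 or (hour == 24 and minute != 0):
        raise ValueError("bad time %r" % hhmm)
    return hour * 60 + minute


def parse_access_hours(spec):
    """Return a list of (weekday_set, start_minute, end_minute) rules.
    Day and time tokens may intermix; each day token opens a group and the
    time ranges that follow it belong to that group. A day group with no
    time range is rejected, as the slide requires."""
    rules = []
    current_days = None
    group_has_time = False
    for token in spec.split():
        match = TIME_RANGE.match(token)
        if match:
            if current_days is None:
                raise ValueError("time range %r given before any day" % token)
            start, end = _minutes(match.group(1)), _minutes(match.group(2))
            if end <= start:
                raise ValueError("time range %r must run forward" % token)
            rules.append((current_days, start, end))
            group_has_time = True
        else:
            if current_days is not None and not group_has_time:
                raise ValueError("no time range given for day group before %r" % token)
            current_days = _day_set(token)
            group_has_time = False
    if current_days is None or not group_has_time:
        raise ValueError("every day used needs at least one time range")
    return rules


def access_allowed(spec, when):
    """True if the datetime 'when' falls inside any rule of the spec."""
    minute_of_day = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute_of_day < end
               for days, start, end in parse_access_hours(spec))


if __name__ == "__main__":
    # 10 January 2000 was a Monday (the first delivery date of this course).
    print(access_allowed("M-W 0800-2200", datetime(2000, 1, 10, 9, 0)))
```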

128 IP Resource Management

129 Managing IP Data
IP Resources can be managed by:
Static IP addresses assigned to native users
Named Pools of IP addresses that can be associated with a user, a profile, or a NAS device
External Databases
  Store and return specific IP addresses or names of address pools in LDAP or SQL. Preside Radius will then return that IP address (or an IP address in one of its named IP Pools) in the authentication response
  Enable external applications to manage these data stores
Existing DHCP Servers
  Preside Radius can request IP information from a DHCP server and pass that information back to the NAS device and dial-in client. From then on, the client, NAS, and DHCP server negotiate the IP lease

130 IP / IPX Pools Dialog
Configure Multiple Pools
Create multiple ranges per pool
Associate with users, profiles, or NAS

131 Static IP Assignment
Store static IP addresses in your SQL or LDAP database
Store static IP addresses with native users in Preside Radius
Return an IP Address from SQL, in the [Settings] section of sqlauth.aut:
SELECT password, ipaddress FROM usertable WHERE username=%name/40
Return an IP Address from an LDAP Directory, in the [Response] section of ldap.aut:
[Response]
Framed-IP-Address = ipaddress

In the SQL statement, there needs to be a column named "ipaddress" in the usertable. In the LDAP Directory, there needs to be an attribute labeled "ipaddress" associated with the searched object.

132 IP Pool Assignment
Store IP Pool names in your SQL or LDAP database. The value in the database must match an existing Preside Radius IP Pool name.
Return an IP Address Pool Name from SQL, in the [Settings] section of sqlauth.aut:
SELECT password, ipaddresspool FROM usertable WHERE username=%name/40
In the [Results] section:
Password=1/48
Framed-IP-Address=2/48
Return an IP Address Pool name from an LDAP Directory, in the [Response] section of ldap.aut:
[Response]
Framed-IP-Address = ipaddresspool
IP Pools can also be associated with a Preside Radius-defined profile or a specific NAS device
If an IP Pool runs out of addresses, users will get rejected

133 DHCP Support
Leverage existing DHCP servers to maintain IP Address management
Configure dhcp.ini and <poolname>.dhc files
Return an IP Pool name from an external source that corresponds to a DHCP-defined pool name.
RADIUS attributes can be mapped to and from DHCP options in the <poolname>.dhc file:
[Request]
12s = Calling-Station-ID
60s = "\x01\x02\x03\x04\x05"
[Reply]
Framed-IP-Netmask = 1ip
Framed-MTU = 26n16

134 IP Address Leakage
Addresses assigned through Preside Radius may 'leak', or become unavailable for use, when:
  An accounting-stop message is not sent from the NAS
  A NAS device shuts down unexpectedly
  Packet loss occurs
  The device is not configured correctly: i.e. sending accounting packets to a secondary RADIUS server when the primary server is available
  Mis-matched authentication and accounting messages: when phantom and start messages fail to match, phantom sessions may not be removed properly
  When start and stop messages fail to match, start sessions may not be removed properly

135 Solutions
Leaked addresses will remain so until manually deleted from the Current Users list, or...
Preside Radius will automatically release an address when another request comes in from the same NAS on the same port: Preside Radius assumes that the previous user can no longer be using the same NAS/port combination
Preside Radius clears out all current users associated with a NAS when it receives an accounting-on message from that NAS
Manually delete remaining sessions
Use DHCP leasing to lessen the impact of leaked addresses: leased addresses are released back into the pool after configurable time periods
Stopping Preside Radius, deleting the radads.hst file, and restarting Preside Radius will also delete all current users.

136 Statistics Dialog

137 Current Users Dialog

138 LCI Reporting Options
Use the LCI to report current users by client, IP address, Session ID, full name:
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" client=*
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" ipaddressfrompool=*
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions,o=radius" acct-session-id=*
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*
See LCI Schema for more options

139 Wildcards – Strings
Use wildcard values in checklist attributes, extended proxy, and attribute mapping
The expression for any number of variable characters in a string is the * character. For any single character, use the ?
Precede all strings with ^ to indicate that the string is to be treated for wildcard values
Example using a checklist attribute:
Calling-Station-Id ^508*
Allows a user dialing in from anywhere within the 508 area code
Set multiple Calling-Station-Id checklist attributes to enable more area codes

140 Wildcards – IP Numbers
Use IP wildcards to filter checklist attributes by network
IP Numbers are wildcarded by class notation; each wildcard represents a range of addresses, first through last

141 Blacklisting
Automatically reject any user that fits a defined profile
Create the profile to be blacklisted
Add that profile name to blacklist.ini
From that point on, an administrator can automatically reject an authentication request based on any standard RADIUS, Funk-standard, or vendor-specific attribute

142 Account Lockout
User accounts can be configured to lock after a configurable number of failed attempts
Lock is released after either:
  Configurable time period has elapsed
  Administrator manually unlocks account
All options administered in lockout.ini

143 LDAP Command Interface
LCI LDAP Command Interface

144 LCI LDAP Summary
Change Passwords
Add clients, users
Add tunnels, IP pools
Search current user list
Find and modify any aspect of Preside Radius that the administrative program provides
ldapsearch.exe
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -s sub -T -b "o=radius" objectclass=*
ldapmodify.exe
ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
ldapadd.exe
ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f <filename>
Standard with Preside Radius, add-on for Preside Radius/Enterprise

145 LCI Schema (1)

146 LCI Schema (2)

147 LCI Schema (3)

148 ldapsearch Options
-V 2
  The version 2 dialect of LDAP is to be used to communicate with the server
-p 354
  TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the server and the LDAP utilities is used (port 389)
-D "cn=oper,o=radius"
  The command will be authenticated using an administrative account called oper
-w radadmin
  The command is providing an authentication password of radadmin
-h
  To search a remote host, insert the host's IP address after the -h option
-s sub
  Recursion is to be used starting at the base
-T
  To make the output more readable, long output lines are not to be continued on the next line
-b "radiusclass=Client,o=radius"
  This is the base at which the search operation is to begin
radiusname=*
  This is the criteria which matched objects must satisfy

149 ldapmodify, ldapadd Options
-c
  The command is to run in continuous mode; it will not stop on errors
-V 2
  The version 2 dialect of LDAP is to be used to communicate with the server
-p 354
  TCP port 354 is to be used to communicate with the LDAP interface of the server. The -p value must match the TCPPort setting in the [LDAP] section of radius.ini. If the -p option is not specified, the default port number for the Preside Radius server and the LDAP utilities is used (port 389)
-D "cn=oper,o=radius"
  The command will be authenticated using an administrative account called oper
-w radadmin
  The command is providing an authentication password of radadmin
-h
  To reach a remote host, insert the host's IP address after the -h option
-f <filename>
  This is the input LDIF file to process

150 LCI Reporting Options
Use the LCI to report on current users by client, IP address, Session ID, full name:
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" client=*
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_ipaddress,o=radius" framed-ip-address=*
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" acct-session-id=*
ldapsearch -V 2 -p 667 -D "cn=admin,o=radius" -w radius -b "radiusstatus=sessions_by_user,o=radius" fullname=*

151 LDIF Example
This file will add a proxy target to Preside Radius
Store this text as addproxy.ldif and load it with:
ldapmodify -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f addproxy.ldif

dn: radiusname=PROXYTARGET,radiusclass=Proxy,o=radius
changetype: add
ip-address:
accounting: both
retry-count: 3
retry-timeout: 5000
shared-secret: testing123
include-in-auth-list: no

152 LDIF Example
This file will add a user to Preside Radius
Store this text as adduser.ldif and load it with:
ldapadd -c -V 2 -p 667 -D "cn=admin,o=radius" -w radadmin -f adduser.ldif

dn: radiusname=PASSERVER,radiusclass=Proxy,o=radius
changetype: add
ip-address:
accounting: both
retry-count: 3
retry-timeout: 5000
shared-secret: testing123
include-in-auth-list: no

153 End

