Implementing RADIUS AAA (Phil & Rick)

Content
- Terms and Concepts
- Access Control
- What is AAA?
- Benefits of AAA
- What is RADIUS?
- Microsoft IAS Overview
- Installation
- Management Console
- Case Study
- IAS Configuration
- Router Configuration
- Case Study Summary
- Resources

Terms and Concepts

Access Control Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, Authorization, and Accounting (AAA) provide the primary framework through which you set up access control on your router or access server.

What is AAA?
Authentication, Authorization and Accounting
- Authentication: verifies users before they are allowed access to the network and network services
- Authorization: enables you to limit the services available to a user
- Accounting: enables you to track the services that users are accessing and the amount of network resources they are consuming

Benefits of AAA
AAA provides the following benefits:
- Increased flexibility and control of access configuration
- Scalability
- Standardized authentication methods such as RADIUS, TACACS+, and Kerberos
- Multiple backup systems
AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX) basis.

What is RADIUS?
Remote Authentication Dial-In User Service (RADIUS)
- Client/server protocol
- The client is typically a NAS
- The server is usually a daemon process running on a Unix or Windows machine
- The client passes user information to the designated RADIUS servers and acts on the response that is returned
- RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user

Internet Authentication Service Overview

Internet Authentication Service
- Performs centralized AAA of users who connect to the network.
- Implements the IETF standard RADIUS protocol.

Implementing IAS Overview
- Configure your server with a static IP address: IP Address: /24 (case study), Default Gateway: (case study)
- Install IAS
- Create an IAS Management Console (optional)
- Create users and groups (case study)
- Edit the system log to show IAS events (optional)
- Configure authentication and accounting ports (optional)
- Configure the IAS log (case study)
- Add a RADIUS client (case study)
- Create Remote Access Policies (case study)

IAS Installation

IAS Installation Installing IAS Start > Settings > Control Panel > Add/Remove Programs

IAS Installation Open the Windows Component Wizard by clicking Add/Remove Windows Components

IAS Installation Highlight Network Services in the Components box and then click details

IAS Installation Find Internet Authentication Service in the Subcomponents of Networking Services box Check the box to the left of IAS and click OK

IAS Installation Click Next Click Finish

IAS Management Console Creating and Using an IAS Management Console

IAS Management Console Microsoft management consoles centralize IAS administration Creating an IAS Management Console Start > Run > mmc

IAS Management Console In the MMC menu bar click Console > Add/Remove snap-in

IAS Management Console From the Add/Remove snap-in applet Click Add

IAS Management Console Adding a Standalone Snap-in Highlight Internet Authentication Service Standalone Snap-In Click Add

IAS Management Console Select the computer you want the snap-in to manage Select local computer Click Finish

IAS Management Console Add the following standalone snap-ins: Event Viewer, Local Users and Groups

IAS Management Console The management console should look like the following

IAS Management Console Configuring the System Log to display IAS events (optional) From the IAS Management Console Expand Event Viewer Right Click the System Log File > Properties

IAS Management Console Click the filter tab in the system log properties Select IAS from the event source drop down box Click OK

IAS Management Console
Creating Users and Groups in the IAS Management Console
Expand Local Users and Groups
Creating Groups
- Expand Groups
- Click Action > New Group
- Add the following groups: Router_Admins, Internet_Users
Creating Users
- Expand Users
- Click Action > New User
- Add the following users: Administrator (member of group Router_Admins), I_User (member of group Internet_Users)

Case Study Implementing RADIUS AAA

Case Study
You work for a small business and would like to implement AAA for remote users and telnet sessions. Here are the requirements for your design:
- Authenticate remote users who are members of the groups Router_Admins and Internet_Users.
- Authorize Router_Admins for EXEC sessions, PPP sessions and telnet.
- Authorize Internet_Users for PPP sessions only.
- Implement accounting for EXEC sessions, PPP sessions, and telnet sessions.

Case Study
Objectives
- Windows 2000 Server administration
- Installing Microsoft's IAS
- Using the Microsoft Management Console
- Configuring AAA
- Viewing the IAS accounting log
Tools/Preparation
- 1 Windows 2000 Server
- 1 Cisco 1900 Catalyst
- 1 Cisco 2600 Router
- 2 modems and drivers
- 1 PC running Windows 2000

Topology (diagram slide; links to: Implementing IAS Overview, IAS Configuration, IAS Installation, Remote Access Policies, IAS Management Console)

IAS Configuration

Configuring IAS Authentication and Accounting Ports (optional)
IAS uses ports 1845 and 1645 by default for authentication and ports 1846 and 1646 by default for accounting. This step is optional, but by following it we open only 2 ports on our server instead of 4.
- Open the IAS MC or the IAS applet > right click Internet Authentication Service > click Properties > click the tab labeled RADIUS
- Set the Authentication port to 1645 and the Accounting port to 1646 > click OK

IAS Configuration
Configuring IAS Accounting
- Open the IAS MC or the IAS applet > click Remote Access Logging > right click Local File > Properties
- In Local File Properties, select the Settings tab and check the following: Log Authentication Requests, Log Accounting Requests, Log Periodic Status
- Select the Local File tab and check Database compatible file format
- Click OK
Note that the log will be saved to C:\winnt\system32\logfiles

IAS Configuration
Adding a RADIUS client overview
Recall that RADIUS is a client/server protocol. The RADIUS client is typically a NAS or router. The RADIUS server is the machine running the RADIUS daemon process, which in our case is the IAS server. The RADIUS server needs the following information about the RADIUS client:
- IP Address
- Security protocol being used
- Client-Vendor
- Shared-Secret (also known as a key)

IAS Configuration Adding a RADIUS client Open the IAS MC or the IAS applet Expand IAS Right click the folder labeled clients Click new client

IAS Configuration Adding a RADIUS client Enter the hostname of your router and select the RADIUS protocol Click Next

IAS Configuration Adding a RADIUS client Enter the IP Address of the RADIUS client Select Cisco as the client-vendor Enter a shared-secret (key) Finish

IAS Configuration
Remote Access Policies
IAS uses remote access policies to authenticate and authorize users. Keep in mind that a user may be authenticated but not authorized to use certain network services (PPP, EXEC, telnet). The following is a guide if you are trying to implement the case study and are having a hard time recreating the Remote Access Policies. This does not follow the class demonstration, but you'll get the same results.

IAS Configuration Remote Access Policies Open the IAS applet or IAS MC Expand IAS Click Remote Access Policies Right click and delete the policy on the right

IAS Configuration Remote Access Policies Right click remote access policies and click new remote access policy

IAS Configuration Remote Access Policies Enter a Policy friendly name In our case we’ll enter “Allow members of the group Internet_Users PPP network services” Click next Specifying conditions Click Add

IAS Configuration Remote Access Policies Highlight Windows-Groups click add In the Groups applet click add Highlight the Internet_Users group and click add then OK

IAS Configuration Remote Access Policies Add another condition by clicking add Highlight NAS-port-type click add Highlight async(modem) click add then click OK

IAS Configuration Remote Access Policies Your condition should look similar to the following screen capture

IAS Configuration
Remote Access Policies
- Click Next
- Select Grant remote access permission
- Click Next
- Click Edit Profile
- Click the Authentication tab: check only PAP and uncheck all other authentication methods
- Click the Advanced tab: Service-Type should be Framed, Framed-Protocol should be PPP
- Click OK
Ok, now what did we just do?

IAS Configuration
Remote Access Policies
We created a remote access policy that says: if a user accesses the RADIUS client through an async port and that user is a member of the Windows group Internet_Users, authorize the user to use the framed protocol PPP. Here's a shortened version of the policy:
Policy Name: Allow members of the group Internet_Users PPP network service.
Windows-Groups: Internet_Users
NAS-Port-Type: Async (modem)
Service-Type: Framed
Framed-Protocol: PPP

IAS Configuration
Remote Access Policies
Create the following remote access policies (demo in class):
Policy Name: Allow members of the group Router_Admins PPP network service and EXEC session.
Windows-Groups: Router_Admins
NAS-Port-Type: Async (modem)
Service-Type: Administrative
Framed-Protocol: PPP

IAS Configuration
Remote Access Policies
Policy Name: Allow members of the group Router_Admins telnet access.
Windows-Groups: Router_Admins
NAS-Port-Type: Virtual (VPN)
Service-Type: Administrative
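As an added example (not part of the original slides), the following Python models how IAS evaluates the three case-study policies: top to bottom, the first policy whose conditions all match supplies the profile, and an authenticated user who matches no policy is rejected. The user-to-group directory is constructed from the management console slide; a real IAS profile also carries authentication settings (PAP here), which this model leaves out.

```python
from dataclasses import dataclass

# Constructed directory from the management console slide: user -> Windows groups.
USERS = {"Administrator": {"Router_Admins"}, "I_User": {"Internet_Users"}}


@dataclass
class Policy:
    name: str
    group: str        # Windows-Groups condition
    port_type: str    # NAS-Port-Type condition: "Async" (modem) or "Virtual" (VPN)
    profile: dict     # attributes returned to the RADIUS client in the Access-Accept


# The three case-study policies in the order IAS evaluates them: top to bottom, first match wins.
POLICIES = [
    Policy("Allow members of the group Internet_Users PPP network service",
           "Internet_Users", "Async", {"Service-Type": "Framed", "Framed-Protocol": "PPP"}),
    Policy("Allow members of the group Router_Admins PPP network service and EXEC session",
           "Router_Admins", "Async", {"Service-Type": "Administrative", "Framed-Protocol": "PPP"}),
    Policy("Allow members of the group Router_Admins telnet access",
           "Router_Admins", "Virtual", {"Service-Type": "Administrative"}),
]


def matches(policy, groups, port_type):
    """Every condition must hold; Windows-Groups matches if the user is in the named group."""
    return policy.group in groups and policy.port_type == port_type


def authorize(user, port_type, policies=POLICIES, users=USERS):
    """Authentication is assumed to have succeeded already. Returns ("Access-Accept", profile)
    from the first matching policy, or ("Access-Reject", {}) when nothing matches: the user is
    authenticated but not authorized for this kind of access."""
    groups = users.get(user, set())
    for policy in policies:
        if matches(policy, groups, port_type):
            return "Access-Accept", dict(policy.profile)
    return "Access-Reject", {}


def shadowed_policies(policies):
    """Configuration check: a policy whose conditions repeat an earlier policy's can never be
    reached, so its profile is silently never applied. Returns the names of such policies."""
    seen, shadowed = set(), []
    for policy in policies:
        key = (policy.group, policy.port_type)
        if key in seen:
            shadowed.append(policy.name)
        seen.add(key)
    return shadowed


if __name__ == "__main__":
    for user, port in [("I_User", "Async"), ("I_User", "Virtual"),
                       ("Administrator", "Async"), ("Administrator", "Virtual"), ("guest", "Async")]:
        print(f"{user:14} {port:8} -> {authorize(user, port)}")
```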

Router Configuration The RADIUS client

Router Configuration The router is the RADIUS client. It must have the same IP address that was entered in the IAS RADIUS client configuration. Here is the router configuration file without AAA

Router Configuration
We need to know what a method list is before we get started with the router configuration.
Method list
- Defines the type of AAA to be performed and the sequence in which it will be performed
- Some types of AAA include authentication login, authorization exec, and others
- An example of a sequence type is checking a server or a local database for user information

Router Configuration Here is the final configuration file that was demonstrated. Demonstration notes and some accounting database stuff

RADIUS Case Study Summary

Case Study Summary
Authentication and Authorization
1. User initiates PPP authentication to the NAS.
2. NAS prompts for username and password (if PAP) or challenge (if CHAP).
3. User replies.
4. RADIUS client sends username and password to the RADIUS server.
5. RADIUS server responds with Accept, Reject, or Challenge.
6. The RADIUS client acts upon service parameters bundled with Accept or Reject.

Case Study Summary
Accounting
- The NAS sends an Accounting-Request start packet to the RADIUS security server.
- The RADIUS security server sends an Accounting-Response packet to acknowledge receipt of the Accounting-Request start packet.
- After the NAS has sent all the accounting information it wanted to send, it sends an Accounting-Request stop packet. This stop packet describes the type of service delivered and other optional values.
- The RADIUS server acknowledges receipt of the Accounting-Request stop packet by sending an Accounting-Response packet.
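As an added example that is not part of the original slides, the following Python shows the packet-level side of the two exchanges above and the role of the shared secret entered on the RADIUS client slide: the NAS hides User-Password with the secret, and the Response Authenticator (RFC 2865) and Accounting-Request authenticator (RFC 2866) let each side check that the other holds the secret before acting on a packet. The secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865/2866) and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, SERVICE_TYPE, ACCT_STATUS_TYPE, NAS_PORT_TYPE = 1, 2, 6, 40, 61

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; integer attributes are 4-byte big-endian."""
    body = b""
    for typ, val in attrs:
        val = struct.pack("!I", val) if isinstance(val, int) else val
        body += struct.pack("!BB", typ, len(val) + 2) + val
    return body

def _authenticator(header: bytes, seed: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code+ID+Length + seed + Attributes + Secret). The seed is the Request Authenticator
    for a reply (RFC 2865 s3) and 16 zero bytes for an Accounting-Request (RFC 2866 s3)."""
    return hashlib.md5(header + seed + attrs + secret).digest()

def build_access_request(ident, secret, username, password):
    """NAS side: fresh random Request Authenticator, hidden User-Password, NAS-Port-Type 0 (Async)."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                          (NAS_PORT_TYPE, 0)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_accounting_request(ident, secret, attrs):
    """NAS side: start/stop accounting records are authenticated with the shared secret."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, bytes(16), attrs, secret) + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Access-Accept/Reject or Accounting-Response echoing the request Identifier."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + _authenticator(header, request[4:20], attrs, secret) + attrs

def verify(packet, seed, secret) -> bool:
    """Recompute the authenticator before acting: seed = request[4:20] when the client checks
    a reply, bytes(16) when the server checks an Accounting-Request."""
    return hmac.compare_digest(packet[4:20], _authenticator(packet[:4], seed, packet[20:], secret))

# Constructed demo values, not from the case study: a reply built without the secret fails.
SECRET = b"constructed-shared-secret"
req = build_access_request(7, SECRET, "I_User", "constructed-password")
accept = build_response(ACCESS_ACCEPT, req, SECRET, encode_attrs([(SERVICE_TYPE, 2)]))  # 2 = Framed
forged = build_response(ACCESS_ACCEPT, req, b"wrong-secret")
```

Run it and compare `verify(accept, req[4:20], SECRET)` with `verify(forged, req[4:20], SECRET)`: only the reply built with the configured secret is accepted by the client.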

Resources
Search for: Configuring Authentication, Configuring RADIUS, Configuring TACACS+, Configuring Kerberos, Configuring Authorization, RADIUS Attributes, Configuring Accounting
Search for: Dialup Corporate Access, Extranet Access for Business Partners, Outsourced corporate access through service providers, Configuring IAS for dial-up and VPN access, Configuring IAS to outsource dial-up access