Module 10: RADIUS As a Solution for Remote Access.


1 Module 10: RADIUS As a Solution for Remote Access

2 Overview
- Introducing RADIUS
- Designing a Functional RADIUS Solution
- Discussion: Designing a RADIUS Solution
- Securing a RADIUS Solution
- Enhancing a RADIUS Design for Availability
- Optimizing a RADIUS Design for Performance
- Discussion: Enhancing the RADIUS Solution

3 Organizations that outsource dial-up remote access, or that run joint ventures with other organizations, require authentication of user accounts outside the private network. Organizations that provide the outsourcing services, such as Internet service providers (ISPs), also require remote user connection accounting so that they can charge subscribers. Remote Authentication Dial-In User Service (RADIUS) is an industry-standard protocol that meets both requirements by providing secure user authentication and accounting services for remote users.

4 At the end of this module, you will be able to:
- Recognize RADIUS as a solution for remote access.
- Identify the functional aspects of a RADIUS design.
- Select the appropriate strategies to secure a RADIUS solution.
- Select the appropriate strategies to enhance RADIUS availability.
- Select the appropriate strategies to improve RADIUS performance.

5 Introducing RADIUS
- Design Decisions for a RADIUS Solution
- RADIUS Features
- Integration Benefits

6 RADIUS is a client/server protocol that requires a RADIUS client and a RADIUS server to provide remote access. In Microsoft® Windows® 2000, support for RADIUS is provided by the combination of Routing and Remote Access and the Internet Authentication Service (IAS). A remote access server is a RADIUS client, and a server running IAS is a RADIUS server.

7 To design a strategy for providing remote access by using RADIUS, you must:
- Identify the design decisions that influence a RADIUS solution.
- Describe the features of RADIUS and how the features support the design requirements for remote access.
- Determine how integrating RADIUS with other networking services benefits the network design.

8 Design Decisions for a RADIUS Solution
- Geographic locations of remote access users?
- Number of users at each location?
- Connection between geographic locations?
- Remote user connection accounting?
(Diagram: remote access clients reach RADIUS clients located at an ISP and in a partner network over the Internet; Active Directory is at the central office.)

9 Windows 2000 uses RADIUS for network configurations that require user authentication outside the private network. Before you design a RADIUS solution (a remote access solution that uses RADIUS), you must identify the decisions that influence the design.

10 For designing a RADIUS solution, you need to determine the:
- Geographic distribution of the remote access users, to determine the placement of the RADIUS clients.
- Number of remote access users at each location, so that you can determine the number of RADIUS clients to place at each location.
- Network connections between the geographic locations, so that you can determine the amount of data that can be transmitted between the locations.
- Organization requirements for tracking remote user connectivity time, so that you can determine whether RADIUS accounting is required.

11 RADIUS Features
- Separating Remote Access and User Authentication
- Providing Remote Access Client Connectivity
- Providing Remote User Authentication and Accounting
- Integrating Into Existing Networks

12 RADIUS is used for providing authentication, authorization, and accounting services for remote access connectivity. When creating a remote access design by using RADIUS, you must identify how the features of RADIUS support the organization's requirements.

13 Separating Remote Access and User Authentication RADIUS separates the remote access server functions from the user authentication server functions. The communication between the computer that provides remote access support and the computer that provides user authentication is established by using RADIUS.

14 Separating remote access and user authentication allows the:
- RADIUS client and server to support different operating systems and hardware architectures.
- RADIUS client and server to be geographically separated.
- User accounts to be secure, by ensuring that the accounts are located on servers within the private network.
- Encryption of authentication traffic between the RADIUS client and the RADIUS server, by using Internet Protocol Security (IPSec) or virtual private network (VPN) tunnels.
- Outsourcing of dial-up remote access to third-party organizations.

15 Providing Remote Access Client Connectivity
The remote access client connectivity feature provided by the RADIUS client determines how remote users gain access to the private network. The remote access client connectivity provided by the RADIUS client allows the remote access users to:
- Use a variety of authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), or clear text, to get authenticated.
- Encrypt data by using a variety of encryption algorithms, such as Microsoft Point-to-Point Encryption (MPPE) or Data Encryption Standard (DES).
- Connect by using a variety of protocols, such as Transmission Control Protocol/Internet Protocol (TCP/IP) or Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
- Connect by using a variety of technologies, such as dial-up modems, digital subscriber line (DSL), or Integrated Services Digital Network (ISDN).

16 Providing Remote User Authentication and Accounting
Remote user authentication provided by the RADIUS server determines the user accounts that are authenticated. Remote user authentication allows the:
- Authentication of user accounts that are stored in the Active Directory™ directory service.
- Authentication of user accounts that are stored in Microsoft Windows NT® version 4.0 domains.

17 Providing Remote User Authentication and Accounting (continued)
Remote user accounting provided by the RADIUS server creates a historical record of RADIUS transactions that occur between the RADIUS client and server. You can also perform selective recording by modifying the details of accounting information recorded by the RADIUS server. Remote user accounting records:
- The length of time the remote user is connected.
- Remote user authentication success or failure.
- Situations when the RADIUS server is unable to authenticate a RADIUS client.

18 Integrating into Existing Networks While integrating RADIUS with existing networks, you can determine how Windows 2000-based RADIUS clients and servers interact with RADIUS clients and servers found in other operating systems. Because the RADIUS protocol is an Internet standard, any existing RADIUS clients or servers that support the Internet RFCs integrate with the Windows 2000-based RADIUS clients and servers. Note: The RADIUS protocol specifications are found in RFCs 2138 and 2139.

19 Integration Benefits
(Diagram: RADIUS integrates with Active Directory and Windows NT 4.0 domains for user account authentication, with IPSec for authentication and IPSec tunnels using machine certificates, and with Routing and Remote Access for demand-dial connections, IP filters, and VPN tunnels.)

20 RADIUS integrates with other networking services to take advantage of their features. Some of these features, such as the ability to authenticate users in Active Directory, are available automatically to RADIUS. Other features require you to include additional specifications in the design, such as including VPN tunnels for authentication and data encryption between RADIUS clients and servers.

21 The following table describes the benefits of integrating RADIUS with other networking services.
RADIUS integrates with | To
- Routing and Remote Access | Provide support for nonpersistent connections by using specified demand-dial connections. Reduce undesired traffic by using specified IP filters. Provide authentication and encryption of data transmitted between RADIUS clients and servers if specified in the design.
- IPSec | Provide authentication and encryption of data transmitted between RADIUS clients and servers if specified in the design.
- Windows NT 4.0 domains | Provide authentication for user accounts that reside in Windows NT 4.0 domains.
- Active Directory | Provide authentication for user accounts that reside in Active Directory.

22 Designing a Functional RADIUS Solution
- Placing RADIUS Clients and RADIUS Servers
- Selecting the Remote Access Client Connections
- Selecting the Remote Access Client Protocols
- Providing RADIUS Client to RADIUS Server Connections
- Selecting the Authentication Domain

23 There are certain specifications that you must include while designing a RADIUS remote access solution. After you establish these specifications, you can optimize the solution by adding security, availability, and performance specifications to your network design.

24 You can design a functional RADIUS solution by specifying:
- Where to place RADIUS clients and RADIUS servers within the network, so that network traffic is minimized without compromising security.
- Whether RADIUS clients must support dial-up or VPN-based remote access clients, so that the required remote access connections are included.
- Which protocols the RADIUS client must support, so that the remote access clients can connect to the network.
- What persistence, data rate, and security the RADIUS client and server connection must support, so that RADIUS traffic and remote access traffic can be exchanged.
- What domain the RADIUS server uses by default to authenticate remote access users.

25 Placing RADIUS Clients and RADIUS Servers
- Place RADIUS clients close to remote access users
- Place RADIUS servers close to user accounts
(Diagram: RADIUS clients at the ISP and in the partner network, reached over the Internet; the RADIUS server and Active Directory at the central office.)

26 To establish a remote access connection, a RADIUS design requires a minimum of one RADIUS client and one RADIUS server. You must place RADIUS clients and servers within the network so that network traffic is minimized and security is not compromised.

27 Placing RADIUS Clients Close to Remote Access Users
You need to place RADIUS clients close to remote access users so that you:
- Localize the traffic between the remote access client and the RADIUS client.
- Reduce or eliminate dial-up charges by providing a local point of presence (POP).
- Can delegate the RADIUS client's administration to the administrators of the remote access users in the same geographic region.
- Reduce the risk of exposing confidential data. You achieve this by controlling the security between the RADIUS client and the private network.
In the preceding illustration, the RADIUS client in the partner network is located close to the remote access users in the partner network. You can ensure that the area of highest risk, the data transfer between the RADIUS client in the partner network and the central office resources, is secure by forcing data encryption.

28 Placing RADIUS Servers Close to User Accounts
You must place RADIUS servers close to the server that provides remote user account authentication so that the:
- Traffic between the authentication server and the RADIUS server is localized.
- Authentication server and the RADIUS server are within the private network, which prevents unauthorized access to the user account database.

29 Selecting the Remote Access Client Connections
- Select dial-up remote access client connections
- Select VPN remote access client connections
- Determine RADIUS client resource requirements
(Diagram: a RADIUS client with dial-up at the ISP serving a dial-up client, RADIUS clients with VPN in the partner network and at the central office, a proxy server, the RADIUS server and Active Directory at the central office, all connected through the Internet.)

30 A RADIUS client can support a dial-up connection, a VPN-based connection, or both types of remote access connections. To determine the number of RADIUS clients and their hardware requirements, you must determine the number of remote access clients and the types of connections that each RADIUS client must support. Dial-up remote access clients require a dial-up port connected to the RADIUS client computer. VPN remote access clients require a VPN port that is allocated on the RADIUS client computer. Based on the security requirements of the organization, you can select VPN ports that use Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).

31 Selecting Dial-Up Remote Access Client Connections In the preceding illustration, the organization has decided to outsource the dial-up remote access support to an ISP. The dial-up remote access clients will access the central office through the RADIUS client within the ISP's network. The RADIUS server within the central office authenticates the remote users.

32 Include a dial-up remote access client connection in your design if:
- Security requirements prohibit the use of the Internet for accessing the private network.
- Additional security features are required, such as identification by using caller ID or callback.
- The remote access strategy for the organization supports the ongoing maintenance of telephone lines, modems, and multiport communications adapters.

33 Selecting VPN Remote Access Client Connections In the preceding illustration, the organization also has a joint venture with a partner organization. The remote users in the partner network access the central office through the RADIUS client within the partner network. The RADIUS server within the central office authenticates the remote users in the partner network. In addition, the organization has remote users who attach directly to the Internet through an ISP selected by the remote user. These remote users access the central office by using the RADIUS client in the central office.

34 Include a VPN remote access client connection in your design if:
- Security requirements allow the use of the Internet for accessing the private network.
- The connection to the Internet supports the traffic created by the remote access clients.
- The remote access strategy for the organization supports outsourcing the maintenance of telephone lines, modems, and multiport communications adapters.

35 Determining RADIUS Client Resource Requirements
The following table describes the information you must collect to determine the computing resources needed for the RADIUS clients in your network design.
Determine the | So that you can specify
- User accounts to be granted remote access permission | The user accounts that require remote access permission.
- Remote access policy restrictions | The maximum number of simultaneous connections at a given time throughout the day.
- Number of dial-up ports | Enough telephone lines, modems, and asynchronous ports to support the maximum number of simultaneous clients by using dial-up connections.
- Number of PPTP ports | Enough PPTP ports to support the maximum number of simultaneous clients by using VPN connections.
- Number of L2TP ports | Enough L2TP ports to support the maximum number of simultaneous clients by using VPN connections.

36 After collecting the information mentioned in the table, you can determine the RADIUS client resources that are required to support the maximum number of remote access clients, and the appropriate hardware architecture to support the maximum number of simultaneous users.

37 Selecting the Remote Access Client Protocols
Include | If remote access clients must
- TCP/IP | Administer Windows 2000-based servers. Access Web-based applications and File Transfer Protocol (FTP) servers. Run applications that are based on TCP/IP.
- IPX/SPX | Administer NetWare-based servers. Access NetWare-based file and print resources. Run applications that are based on the IPX/SPX protocol.
- AppleTalk | Administer Apple Macintosh-based servers. Access Apple Macintosh-based file and print resources. Run applications that are based on the AppleTalk protocol.

38 A RADIUS client can support a variety of protocols. Because the RADIUS client is a remote access server, the RADIUS client supports all of the protocols supported by Routing and Remote Access. You need to select which remote access client protocols the RADIUS client must support so that the remote access clients can connect to the network. Certain protocols are required for access to protocol-specific, private network-based resources.

39 The table on slide 37 lists the protocols supported by a RADIUS client, and when you would include that protocol in your design.

40 Providing RADIUS Client to RADIUS Server Connections
- Select the connection data rate and persistence
- Select the connection security
(Diagram: RADIUS client and server connections from the ISP and partner network RADIUS clients across the Internet to the RADIUS server and Windows 2000 domain controller at the central office.)

41 The RADIUS client exchanges RADIUS authentication packets with the RADIUS server, and acts as an intermediary between the remote access client and the private network. You need to select the connection data rate, persistence, and security level for the connection between the RADIUS client, the RADIUS server, and the private network.

42 Selecting the Connection Data Rate and Persistence You select the connection data rate and persistence between the RADIUS client, the RADIUS server, and the private network. You make the selection by determining the required response times for remote user authentication and applications that the remote users run.

43 For the connections in your design, you need to include a sufficient data rate to ensure that the:
- Remote users are authenticated within the response times specified by the organization.
- Applications that remote users run respond within the response times specified by the organization.
Note: As a best practice, specify a persistent connection that exceeds the data rate you calculate.

44 Selecting the Connection Security In many designs, the RADIUS client, the RADIUS server, and the private network are connected over a public network, such as the Internet. Because the connection is over the Internet, it requires data encryption to prevent unauthorized access to the data.

45 You can select the level of connection security between the RADIUS client, the RADIUS server, and the private network by determining the:
- Level of encryption that is required when exchanging user account and password information between the RADIUS client and RADIUS server.
- Level of encryption that is required when exchanging confidential data between the RADIUS client and the private network.
- Restrictions that are placed on data encryption standards by any government regulations.
- Level of authentication that is required to identify the RADIUS client and server.
Important: As a best practice, specify a connection that encrypts all data and authenticates the RADIUS client and server by using VPN tunnels or IPSec. If the RADIUS client or server is not a computer running Windows 2000, the RADIUS client or server must support VPN tunnels or IPSec to provide encryption.

46 Selecting the Authentication Domain
- Authenticate from any domain
- Default authentication domain
(Diagram: remote access clients reach RADIUS clients at the ISP and in the partner network over the Internet; the RADIUS server and Windows 2000 domain controller are at the central office.)

47 To authenticate the remote access users, you must select the domain that the RADIUS server uses. You can specify a default domain so that remote users are not required to specify a logon domain. Note: In RADIUS terminology, the authentication domain is called a realm.

48 Authenticating from Any Domain
You can authenticate remote access users by using any domain accessible to Windows 2000. You can specify that the RADIUS server authenticate accounts that reside in:
- Windows 2000 native-mode domains.
- Windows 2000 mixed-mode domains.
- Windows NT 4.0 domains.
- Domains that are accessible through trust relationships.

49 Default Authentication Domain
The RADIUS server can support only a single default domain. The remote access user can select a domain other than the default domain by explicitly specifying a different authentication domain. You need to select the default domain for the RADIUS server based on the:
- Types of domains in the organization, such as Windows 2000 domains or Windows NT 4.0 domains.
- Domains where the majority of the remote access user accounts reside.

50 Discussion: Designing a RADIUS Solution
(Map: office locations in Seattle, Anchorage, San Francisco, Los Angeles, Phoenix, Dallas, Miami, Atlanta, Washington DC, New York, Chicago, Denver, and Honolulu.)

51 As you create remote access designs by using RADIUS, you need to translate the information relating to the solution into design requirements. The following scenario describes the current network configuration of a bioelectronics maintenance company.

52 Scenario
A bioelectronics maintenance company services electronic medical equipment that is installed in hospitals and medical clinics. The bioelectronics company has regional field offices located across the United States. The administration and dispatching of field engineers takes place in the Phoenix office. The field engineers use a Web-based application for maintenance tracking and reporting. Customers can place maintenance requests by using another Web-based application that either creates a maintenance request or notifies a field engineer for more urgent requests.

53 Securing a RADIUS Solution
- Restricting Remote User Access to the Private Network
- Authenticating Remote Access Clients
- Encrypting Remote Access Client Traffic
- Protecting RADIUS Client and RADIUS Server Traffic
- Integrating RADIUS into Screened Subnets

54 Because the remote access users will have access to private network resources, you must secure the RADIUS solution to protect confidential data. You can protect the confidential data by securing the connection between the remote access client and the RADIUS client, and by securing the connection between the RADIUS client, the private network, and the RADIUS server.

55 You can secure a RADIUS solution by specifying:
- Which remote access policies the RADIUS client must enforce to restrict remote access users.
- Which authentication protocols and encryption algorithms the RADIUS client must include to protect confidential data.
- Which authentication methods and encryption algorithms the RADIUS client and server must support to protect confidential data.
- Where to place RADIUS clients and servers in relation to screened subnets, so that network traffic is minimized without compromising security.

56 Restricting Remote User Access to the Private Network
- Specify remote access policies
- Centralize remote access policies
(Diagram: remote access policies on the RADIUS clients at the ISP and in the partner network, and on the RADIUS server at the central office, connected through the Internet.)

57 In Windows 2000, user authorization for remote access is granted based on the dial-up properties of a user account and on remote access policies. Remote access policies are a set of conditions that give network administrators flexibility in authorizing connection attempts. To restrict remote user access to the private network, you need to determine which remote access policies to enforce. The RADIUS client and server both use remote access policies to determine whether to accept or reject connection attempts.

58 Specifying Remote Access Policies
You can select the remote access policies by determining the:
- Characteristics used to identify a remote user, such as the IP address or phone number.
- Restrictions to be placed on a remote user after the user is identified, such as time-of-day and day-of-week restrictions, or tunneling protocol usage restrictions.

59 You can create multiple remote access policies to accommodate the security requirements of any organization. Note: See the Windows 2000 Help files for more information about the restrictions you can specify with remote access policies.

60 Centralizing Remote Access Policies
In your network design, always specify the remote access policies on the RADIUS server. Because the RADIUS server authenticates the remote user, the remote access policies on the RADIUS server are applied to the remote access users. Any remote access policies on the RADIUS client are ignored. The RADIUS clients assigned to the RADIUS server automatically use the remote access policies on the RADIUS server.
Tip: Without RADIUS, remote access policies are stored locally and must be configured on each remote access server. Include RADIUS in your remote access solution to centralize remote access policies.

61 Authenticating Remote Access Clients
Select | When providing encrypted authentication
- MS-CHAP | For Windows 95, Windows 98, or Windows NT 4.0
- MS-CHAP v2 | For Windows 2000
- EAP-TLS | By using a smart card, when the remote access clients are equipped with smart card readers
- CHAP | For a mixture of operating systems
- SPAP | For Shiva LAN Rover remote access clients
- PAP | When no other protocol is supported

62 Authenticating Remote Access Clients To protect the confidential data that is transferred between the RADIUS client and the remote access client, you must determine which authentication protocols to include in the network design. Because the RADIUS client is a remote access server, RADIUS supports all of the authentication protocols supported by Routing and Remote Access. The following table lists the authentication protocols supported by RADIUS clients, and when to include the authentication protocol in your design.

63 Encrypting Remote Access Client Traffic
- MPPE encryption algorithm
- IPSec encryption algorithm
(Diagram: RADIUS clients at the ISP and in the partner network connected through the Internet to the RADIUS server at the central office.)

64 To protect the confidential data that is transferred between the RADIUS client and the remote access client, you must determine which encryption algorithms to include in the network design. Because the RADIUS client is a remote access server, RADIUS supports all of the encryption algorithms supported by Routing and Remote Access. To ensure data security, the RADIUS client supports data encryption for the remote access client by using MPPE or IPSec encryption algorithms.

65 Selecting the MPPE Encryption Algorithm For remote access clients that connect by using the Point-to-Point Protocol (PPP) or PPTP, the data is encrypted by using MPPE. If your design includes remote access clients that use operating systems such as Windows 95, Windows 98, Windows NT 4.0, or Windows 2000, select PPP and PPTP connections.

66 The following table lists the encryption key lengths for MPPE and when to select each key length.
Key length | Include this key length in your design if
- 56-bit | Performance improvement, due to the shorter key length, is desirable.
- 128-bit | The security requirements mandate a longer key length to provide the strongest security. A reduction in performance, due to the longer key length, is acceptable.
Note: To encrypt data by using MPPE, the remote access client must use the MS-CHAP, MS-CHAP v2, or EAP-TLS authentication protocol.

67 Selecting the IPSec Encryption Algorithm
For remote access clients that connect by using L2TP, the data is encrypted by using any IPSec encryption algorithm. If your design includes only Windows 2000-based remote access clients, select L2TP connections.

68 Protecting RADIUS Client and RADIUS Server Traffic
- Encryption methods
- Authentication methods
(Diagram: RADIUS client and server connections from the ISP and partner network RADIUS clients across the Internet to the RADIUS server and Windows 2000 domain controller at the central office.)

69 To protect confidential data that is transferred between the RADIUS client and server, you must determine which authentication and encryption methods the RADIUS client and server must support. Because the RADIUS client and server are Windows 2000-based computers, RADIUS supports all of the authentication and encryption methods supported by Windows 2000.

70 Specifying the Encryption Methods You need to encrypt the RADIUS traffic between the RADIUS client and RADIUS server to protect the authentication information. You also need to encrypt the confidential data that is exchanged between remote access users (through the RADIUS clients) and the private network resources.

71 The following table lists the encryption methods and when to include each encryption method.
Method | Include this method in your design if all RADIUS computers that
- MPPE | Require encryption are authenticated by using user accounts.
- IPSec | Require encryption are authenticated by using machine certificates.

72 Specifying Authentication Methods
You can authenticate RADIUS clients and RADIUS servers by using RADIUS secrets, IPSec machine certificates, or VPN tunnels. RADIUS supports a simple password called a secret. RADIUS secrets are combined with a 16-byte random number and then passed through a one-way Message Digest 5 (MD5) hash to create a 16-byte encryption value. The 16-byte encryption value is stored with the password entered by the remote access user.
Note: Always include RADIUS secrets in your remote access design, because RADIUS secrets are essential in the encryption of the remote access user password.

73 Protecting RADIUS Client and RADIUS Server Traffic
The following table lists the authentication methods and when to include each authentication method.
Method | Include this method in your design if
- RADIUS secrets | Mutually authenticating RADIUS computers. Encrypting the remote user password.
- IPSec machine certificates | All RADIUS computers that require authorization support IPSec. An Active Directory or public key infrastructure exists to issue the machine-based certificates.
- VPN tunnels | All RADIUS computers that require authorization support VPNs.
Note: As a best practice, specify RADIUS secrets that are at least 16 characters in length and that include uppercase letters, lowercase letters, and punctuation.
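The secret mechanics described on slides 72 and 73, worked through as an added example (this is not code from the module or from IAS): per RFC 2138, now RFC 2865, the client hides the User-Password by XORing it with MD5(secret || 16-byte Request Authenticator), the server reverses that, and both sides authenticate each other's packets with the same secret through the Response Authenticator. The secret, password and Request Authenticator values are constructed for the demonstration, and the guideline check implements the slide 73 note.

```python
"""RADIUS shared-secret mechanics from RFC 2138 (now RFC 2865).

Added example, not code from the original module: shows how a RADIUS
client hides the User-Password with MD5(secret || Request Authenticator),
how the server reverses it, and how the Response Authenticator lets the
client accept only replies built with the same secret. The packet layout
follows the RFC; the secret, password and Request Authenticator used in
the demo at the bottom are constructed values.
"""
import hashlib
import hmac
import string
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password the way a RADIUS client does (RFC 2865 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each block is
    XORed with MD5(secret || previous ciphertext block), and the first
    "previous block" is the 16-byte Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: the next key depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse hide_password on the server side and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Build an Access-Accept/Reject carrying the RFC Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: accept the reply only if it was computed with our
    secret and the Request Authenticator of our outstanding request."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def secret_meets_guideline(secret: str) -> bool:
    """Slide 73 best practice: at least 16 characters, with uppercase and
    lowercase letters and punctuation."""
    return (len(secret) >= 16
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c in string.punctuation for c in secret))


if __name__ == "__main__":
    secret = b"Rv7!kQ2mZp9wLx4#c"   # constructed shared secret
    req_auth = bytes(range(16))      # constructed; a real client uses os.urandom(16)
    hidden = hide_password(b"correct horse battery", secret, req_auth)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, req_auth))
    reply = build_response(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    print("reply valid with the right secret:", verify_response(reply, req_auth, secret))
    print("reply valid with a wrong secret:", verify_response(reply, req_auth, b"wrong"))
```

Because the hiding is a single MD5 keyed only by the shared secret, the slide's advice to tunnel RADIUS traffic over IPSec or a VPN remains the real protection for the password exchange.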

74 Integrating RADIUS into Screened Subnets
- Place RADIUS clients outside the screened subnets
- Place RADIUS servers inside the screened subnet
(Diagram: RADIUS clients with dial-up and VPN at the ISP, in the partner network and at the central office, outside the screened subnet; the RADIUS server, proxy server and Active Directory inside the central office screened subnet; all connected through the Internet.)

75 You need to place RADIUS clients and servers in relation to screened subnets so that network traffic is minimized without compromising security. You place the RADIUS server inside a screened subnet and the RADIUS clients outside the screened subnet.

76 Placing RADIUS Clients Outside the Screened Subnet RADIUS clients are placed outside the screened subnet to forward the traffic from remote access clients, through the screened subnet, to resources within the private network. To direct all traffic from the remote access clients into the private network, you must include VPN or IPSec tunnels between the RADIUS clients and the private network.

77 You must tunnel all traffic from RADIUS clients that are outside the screened subnet to the private network, so that you:
- Simplify the criteria for creating the screened subnet by tunneling all traffic between the remote access client and the private network.
- Allow the remote access clients to use any authentication protocol and encryption algorithm without requiring modifications to the filters that create the screened subnet.
- Can centrally enforce the security of all remote traffic that is sent through the tunnel.

78 Placing RADIUS Servers Inside the Screened Subnet
You need to place RADIUS servers inside the screened subnet so that:
- User accounts are not exposed outside the private network.
- Remote access policies are not exposed outside the private network.
- All authentication and accounting traffic can be tunneled through the screened subnet by using an IPSec or a VPN tunnel.

79 Enhancing a RADIUS Design for Availability
[Diagram labels: Central Office, RADIUS Servers, ISP, Partner Network, Internet, RADIUS Client, Windows 2000 Domain Controller, RADIUS Clients; callouts: Authentication and Accounting, Remote Access Client]

80 You can enhance the availability of a RADIUS design so that remote users are always able to connect to private network resources. To enhance the availability of a RADIUS design, you must include more than one RADIUS client and server.

81 Authentication and Accounting
Providing highly available RADIUS servers ensures that the RADIUS clients are always able to obtain remote user authentication and record RADIUS accounting information. To improve the authentication and accounting availability in your design, you can:
- Make certain that all redundant RADIUS servers use the same user account authentication database, thereby ensuring that the user accounts are available for authentication.
- Specify that RADIUS clients use the redundant RADIUS servers to ensure proper authentication and accounting.
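Listing redundant servers only helps if the RADIUS client actually moves on when a server stops answering. As an added example, not code from this course or from IAS, the following Python shows the client-side logic: retransmit the same packet a bounded number of times to one server, then fail over to the next, and remember a dead server for a while so later requests do not pay the timeout again. The server names, the TEST-NET addresses and the simulated transport are constructed; `udp_transport` is a real UDP sender that a deployment would use in place of the simulation, and a real client would also verify the reply's Response Authenticator before trusting it.

```python
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RadiusServer:
    name: str
    address: str
    port: int = 1812  # RADIUS authentication port (RFC 2865)


# A transport sends one request to one server and returns the reply bytes,
# or None if nothing arrived within the timeout.
Transport = Callable[[RadiusServer, bytes, float], Optional[bytes]]


def udp_transport(server: RadiusServer, request: bytes, timeout: float) -> Optional[bytes]:
    """Real UDP transport: one datagram out, wait up to `timeout` seconds for a reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server.address, server.port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


def simulated_transport(status: Dict[str, str], log: List[str]) -> Transport:
    """Offline stand-in for udp_transport (constructed): servers marked "up"
    answer with a two-byte stand-in for Access-Accept (code 2 followed by the
    request Identifier); any other server times out. Every attempt is logged."""
    def transport(server: RadiusServer, request: bytes, timeout: float) -> Optional[bytes]:
        log.append(server.name)
        if status.get(server.name) == "up":
            return b"\x02" + request[1:2]
        return None
    return transport


def send_with_failover(request: bytes, servers: Sequence[RadiusServer], transport: Transport,
                       timeout: float = 3.0, retries: int = 3, dead_time: float = 60.0,
                       dead: Optional[Dict[str, float]] = None,
                       now: Callable[[], float] = time.monotonic
                       ) -> Tuple[Optional[RadiusServer], Optional[bytes], int]:
    """Try the servers in order. The identical packet (same Identifier and
    Request Authenticator) is retransmitted to one server up to `retries`
    times so the server can recognise duplicates; a server that never answers
    is recorded in `dead` and skipped until `dead_time` seconds have passed.
    Returns (server that answered, reply, attempt number) or (None, None, 0)."""
    dead = {} if dead is None else dead
    started = now()
    for server in servers:
        if dead.get(server.name, 0.0) > started:
            continue  # still inside its dead time: skip without probing
        for attempt in range(1, retries + 1):
            reply = transport(server, request, timeout)
            if reply is not None:
                return server, reply, attempt
        dead[server.name] = started + dead_time
    return None, None, 0


if __name__ == "__main__":
    # Constructed deployment: primary IAS server is down, backup is up.
    servers = [RadiusServer("ias-primary", "192.0.2.10"), RadiusServer("ias-backup", "192.0.2.11")]
    log: List[str] = []
    transport = simulated_transport({"ias-primary": "down", "ias-backup": "up"}, log)
    request = b"\x01\x2a\x00\x14" + bytes(16)  # minimal Access-Request header, Identifier 0x2a
    server, reply, attempts = send_with_failover(request, servers, transport, timeout=0.1)
    print("answered by:", server.name if server else None, "after", attempts, "attempt(s)")
    print("attempt log:", log)
```

The dead-server bookkeeping is what keeps a failed primary from turning every login into a `retries * timeout` delay; tune `dead_time` so the primary is re-probed soon after it is repaired.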

82 Remote Access Client RADIUS clients provide the physical remote connection for remote access clients. In addition, RADIUS clients communicate with RADIUS servers. Providing highly available RADIUS clients ensures that the remote access clients are always connected to the private network.

83 Improving availability for RADIUS clients with dial-up connections
To improve the availability for RADIUS clients with dial-up connections in your design, you can:
- Provide additional telephone lines and modems.
- Assign remote access clients primary and backup telephone numbers that are connected to different RADIUS clients.
- Register the redundant RADIUS clients with the RADIUS servers to ensure proper authentication and accounting.

84 Improving availability for RADIUS clients with VPN connections
To improve the availability for RADIUS clients with VPN connections in your design, you can:
- Use round robin DNS entries to distribute remote access clients across multiple RADIUS clients.
- Use Network Load Balancing to provide immediate failover in the event of a RADIUS client failure.
- Register the redundant RADIUS clients with the RADIUS servers to ensure proper authentication and accounting.

85 Optimizing a RADIUS Design for Performance
[Diagram labels: Central Office, RADIUS Servers, Partner Network, Internet, RADIUS Clients, Windows 2000 Domain Controller, RADIUS Clients, ISP; callouts: Remote Access Client Performance, Authentication and Accounting Performance]

86 You can enhance the performance of a RADIUS solution by including more than one RADIUS client and server in your network design. By design, RADIUS clients and servers require minimal management and administration. However, over time, changes in the number of remote access clients, changes in WAN technology, and other factors can reduce the performance of RADIUS.

87 Remote Access Client Performance
Because RADIUS clients manage the remote access client connections, the performance of RADIUS clients directly affects the remote access client performance. In your design, to improve the performance for remote access clients for all types of connections, you can:
- Add additional RADIUS clients.
- Upgrade the hardware resources of existing RADIUS clients.
- Replace existing RADIUS clients with higher performance servers.

88 Improving performance of RADIUS clients with dial-up connections
To improve the performance of RADIUS clients with dial-up connections, you can:
- Assign remote access clients different primary and backup telephone numbers. This ensures that the remote access clients connect to different RADIUS clients and provides load balancing.
- Upgrade to modems that support a faster transmission rate.
- Upgrade to intelligent communications adapters to offload processing from the RADIUS client.

89 Improving performance of RADIUS clients with VPN connections
In your design, to improve the performance of RADIUS clients with VPN connections, you can:
- Use round robin DNS entries to distribute remote access clients across multiple RADIUS clients and to provide load balancing.
- Use Network Load Balancing to distribute remote access clients across multiple RADIUS clients and to provide load balancing.
- Increase the data rate of the connections between the remote access client and the private network.

90 Authentication and Accounting Performance
RADIUS servers provide authentication and accounting for RADIUS clients, and interact with the authentication servers. As a result, the authentication and accounting performance is determined by the RADIUS server performance. To improve the authentication and accounting performance in your design, you can:
- Add additional RADIUS servers.
- Upgrade the hardware resources of the existing RADIUS servers.
- Replace existing RADIUS servers with higher performance servers.
- Reduce the level of detail recorded in RADIUS accounting.

91 Discussion: Enhancing the RADIUS Solution
[Map labels: Seattle, Anchorage, San Francisco, Los Angeles, Phoenix, Dallas, Miami, Atlanta, Washington DC, New York, Chicago, Denver, Honolulu]

92 After you have provided a basic remote access solution by using RADIUS, you need to examine the security, availability, and performance requirements for the solution. The following scenario describes the requirements for enhancing the remote access solution of a bioelectronics maintenance company.

93 Scenario The bioelectronics maintenance company has contacted you to review the current status of your remote access solution. The company just acquired contracts to support almost twice the amount of equipment with the same number of field offices. As a result, the number of field engineers has doubled as well. In addition, since the initial deployment, a number of security breaches have occurred.

94 Lab A: Designing a RADIUS Solution

95 Objectives
After completing this lab, you will be able to:
- Evaluate an existing scenario to determine the requirements that affect a remote access design by using RADIUS.
- Design a remote access solution for the given scenario by using RADIUS.

96 Prerequisites
Before working on this lab, you must have:
- Knowledge of the design decisions required to create a RADIUS design.
- Knowledge of strategies to enhance the security, availability, and performance of a RADIUS solution.

97 Exercise 1: Designing a RADIUS Solution
In this exercise, you are presented with the task of creating a RADIUS solution for a consortium of aerospace companies. This consortium has a headquarters and a number of research facilities. You are assigned to one of the research and development facilities. You will use RADIUS to design a remote access solution that supports the consortium's remote access requirements. You will record your solution on a specific design worksheet. Review the scenario, the design requirements and limitations, and the diagram. Follow the instructions to complete the RADIUS Design Worksheet.

98 Scenario
A group of international aerospace companies has formed a consortium to work on a satellite launch vehicle. The management of the consortium is a board of directors consisting of employees from each of the companies and is located in Bonn. The members of the consortium have research and development facilities in London, San Jose, Madrid, Moscow, and Paris. The research facilities are where the launch vehicle development occurs. Each member of the consortium has appointed a team of engineers that is assigned to the development of the launch vehicle. The engineers travel between research facilities as the project progresses and may be in a facility for three to six months at a time.

99 Design Limitations and Requirements By examining existing documentation, and conducting interviews with the consortium personnel, you have established the design requirements that must be achieved. Make sure your solution meets or exceeds these requirements.

100 Applications
The launch vehicle consortium uses a number of applications to conduct the day-to-day operations. To create a solution for the consortium, your design must provide:
- Support for a mission-critical Web-based application that provides project status and reporting for engineers working for the consortium.
- Private network access to all shared folders and Web-based applications at the consortium headquarters and research facilities.
- Authentication of field engineers by using accounts contained in the domain controllers within the consortium member private network at each research facility.
- Active Directory for the consortium headquarters and the consortium-shared network at each research facility.
- Remote access response times such that the application response time is not reduced. Pilot tests on approved computers indicate that each RADIUS client can support no more than 85 remote access clients while providing performance within the given application response times.
- Support for all mission-critical applications to be available 24 hours a day, 7 days a week.

101 Connectivity
The applications used by the consortium require connectivity between the consortium headquarters and the research facilities. To create a solution for the consortium, your design must provide:
- Support for the research facilities to connect to the consortium headquarters by using dedicated connections over the Internet.
- Support for the consortium engineers to connect to their respective companies by using dedicated connections over the Internet from the consortium headquarters.
- Support for the consortium engineers to connect to their respective companies by using dedicated connections over the Internet from any of the research facilities.
- Isolation of the consortium-shared network and the consortium member's private network within each research facility.
- Isolation of the consortium headquarters and the research facilities from the Internet.
- Encryption of all data transmitted over the Internet.

102 Instructions
To complete the RADIUS Design Worksheet for the section, you need to:
1. Designate a name for the RADIUS computer. You will use this name when specifying RADIUS options. Record this under RADIUS name.
2. Specify the subnet on which you will place the RADIUS computer. Record this under RADIUS placement.
3. Explain your reasons for the placement of the RADIUS computer. Record this under Reason for placing RADIUS computer.
4. Specify the RADIUS-specific options required to achieve the criteria in the scenario. Record this under RADIUS options.
5. Explain the reason why you added the RADIUS-specific options to the RADIUS design. Record this under Reason for specifying option.

103 Review Introducing RADIUS Designing a Functional RADIUS Solution Discussion: Designing a RADIUS Solution Securing a RADIUS Solution Enhancing a RADIUS Design for Availability Optimizing a RADIUS Design for Performance Discussion: Enhancing the RADIUS Solution

