118 Chapter 3 • Communication Security: Remote Access and Messaging
VPN authentication. RADIUS is the most popular of all the authentication, authorization, and accounting (AAA) servers, a group that also includes TACACS, TACACS+, and DIAMETER. A RAS must be able to authenticate a user, authorize the authenticated user to perform specified functions, and log (that is, account for) the actions of users for the duration of the connection.
When users dial into a network, RADIUS is used to authenticate usernames and passwords. A RADIUS server can either work alone or in a distributed environment (known as distributed RADIUS) where RADIUS servers are configured in a tiered (hierarchical) structure.
In a distributed RADIUS environment, a RADIUS server forwards the authentication request to an enterprise RADIUS server using a protocol called proxy RADIUS. The enterprise RADIUS server handles verification of user credentials and responds back to the service provider's RADIUS server.
One of the reasons that RADIUS is so popular is that it supports a number of
protocols including:
■ Point-to-Point Protocol (PPP)
■ Password Authentication Protocol (PAP)
■ Challenge Handshake Authentication Protocol (CHAP)
Authentication Process
RADIUS authentication consists of five steps (Figure 3.4):
1. Users initiate a connection with an ISP RAS or corporate RAS. Once a connection is established, users are prompted for a username and password.
2. The RAS encrypts the username and password using a shared secret, and passes the encrypted packet to the RADIUS server.
3. The RADIUS server attempts to verify the user's credentials against a centralized database.
4. If the credentials match those found in the database, the server responds with an access-accept message. If the username does not exist or the password is incorrect, the server responds with an access-reject message.
5. The RAS then accepts or rejects the message and grants the appropriate rights.
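The five steps above, modelled on the RFC 2865 mechanics, as an added example that is not code from the textbook: the user table, shared secret and function names are assumptions, and only the User-Password hiding and the authenticators are implemented, not full attribute encoding. Step 5 is shown the way a careful RAS should do it, checking the Response Authenticator before honouring an Access-Accept.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed model of the RADIUS exchange (RFC 2865); USER_DB, the secret and
# the function names are assumptions for this example, not the textbook's.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_DB = {b"alice": b"correct horse"}   # the server's "centralized database"

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; block_i ^= MD5(secret + c_(i-1)),
    where c_(-1) is the 16-byte random Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side: undo hide_password and strip the NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def radius_server(ident, req_auth, username, hidden_pw, secret):
    """Steps 3-4: verify the credentials, answer Access-Accept or Access-Reject."""
    ok = USER_DB.get(username) == reveal_password(hidden_pw, secret, req_auth)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return code, response_authenticator(code, ident, b"", req_auth, secret)

def nas_login(username, password, secret, server=radius_server):
    """Steps 2 and 5 from the RAS side. Returns True only for a genuine
    Access-Accept: a reply with a bad authenticator is treated as a reject."""
    ident, req_auth = secrets.randbelow(256), secrets.token_bytes(16)
    hidden = hide_password(password, secret, req_auth)
    code, resp_auth = server(ident, req_auth, username, hidden, secret)
    expected = response_authenticator(code, ident, b"", req_auth, secret)
    if not hmac.compare_digest(resp_auth, expected):
        return False
    return code == ACCESS_ACCEPT
```

Everything here rests on the shared secret and on MD5, which is why RADIUS is normally confined to a trusted management network or wrapped in IPsec or TLS rather than sent across the open Internet.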
www.syngress.com