RADIUS Server Application Blog

RADIUS Server now includes EAP-SIM Authentication Protocol Support

2008-02-24T21:20:00.003-05:00

Interlink Networks RAD-Series RADIUS Server Version 7.3 was released on January 31, 2008. Version 7.3 includes the following new features:

EAP-SIM Authentication Protocol Support

EAP-SIM secures IP WLAN access to SIM enabled mobile devices. The RAD-Series RADIUS Server implementation is a powerful and flexible implementation including:

Full RFC 4186 compliance including Fast Reauthentication and Pseudonyms.
Both IMSI and non-IMSI usernames.
Both algorithm based and random pseudonym generation for identity hiding.
Flexible storage of subscriber identities including

Authentication Centers on SS7 networks.
Any RAD-Series RADIUS Server supported datastore including local configurations and LDAP.

Tools to implement A3/A8 algorithms within the RADIUS Server.

As with all RAD-Series RADIUS Server features, EAP-SIM applications can be further extended and customized using the RAD-Series Advanced Policy Engine and RADIUS Software Developers Kit.

These features make the RADIUS Server ideal for the full range of EAP-SIM applications including:

GSM network operators with an existing SS7 infrastructure who are expanding into IP network access.
Enterprises and network operators wanting to secure SIM enabled mobile access independent of SS7.
Mobile hardware and software vendors needing an easy to use EAP-SIM authentication server for a lab environment.

Extensions to the Advanced Policy Engine

The RAD-Series Advanced Policy Engine provides powerful, administrator defined, authorization policies using a straightforward scripting language, which requires no compilation or other software development. In Version 7.3 of the RADIUS Server, the Advanced Policy Engine has been extended to include:

AVP deletion
AVP modification
If-then-else control actions
User defined logging functions
AVP instance counting functions
AVP length, substring, and string conversion functions
Tagged AVP support

Support for Carrier Class Service Platforms

The RAD-Series RADIUS Server V7.3 runs on Sun Solaris 8, 9, and 10 and Red Hat Enterprise Linux 3, 4, and 5.

Professional Services

Interlink Networks provides both offsite and onsite design, development, testing, and training services on all of its RADIUS Server software to ensure the timely and reliable delivery of AAA services for its customers.

Wireless VLANs Managed by RAD-Series RADIUS Server

2008-02-04T09:40:00.000-05:00

VLANs are powerful networking tools that are especially applicable to wireless and hybrid networks. Combined with the RAD-Series RADIUS Server, they are an easy and effective way of managing access to key enterprise resources.

What is a VLAN?

A VLAN is a switched network that is logically rather than physically segmented. VLANs enable workstations and other devices to have a virtual association, independent of geographic location or physical attachment to the network. These groupings can be based upon organizational unit, application, role, or any other logical grouping.

Why use a VLAN?

VLANs deliver many benefits to the network administrator.

§ Security is increased by segregating groups of users. Each group has access to only those resources that are appropriate for its projects and responsibilities within the organization.

§ Network management is made easier by allowing changes to projects, roles, and group memberships. This does not require any changes to the physical topology of the network.

§ VLANs reduce costs through the efficient sharing of network resources. Groups of users can be logically separated on shared equipment instead of physically separated on redundant equipment.

Why use VLANs with a wireless network?

The case for using VLANs in a wireless network is even stronger than for wired networks. Because there are no physical boundaries in wireless networks, logical boundaries must be built to protect sensitive data while enabling access to role-based network resources.

VLANs multiply the benefits that make wireless networking so attractive to enterprises. Wireless networks are flexible and easy to set up because there are no wires to pull. VLANs are flexible and easy to establish because they are not dependent upon a physical point of attachment to the network. Wireless networks reduce expenses by eliminating some of the physical infrastructure. VLANs further reduce expenses through the efficient sharing of network resources.

Example Wireless VLAN

Taking a look at the needs of a small software engineering company will help illustrate the power of VLANs in a wireless network. This engineering company has identified four groups that it wants to segregate on its wireless network through the establishment of VLANs:

§ Sales – the company’s executives and sales managers need access to sensitive account and sales information. When the regional sales managers visit the home office, the wireless network makes it possible for them to update account information and participate in sales meetings.

§ Network Administrator – the network administrator has privileged access to all computer systems and network devices. The wireless network facilitates the administrator’s work no matter where he is in the building.

§ Engineering – the software developers and QA engineers need access to the testbed machines. They are often working collaboratively in groups made possible by the wireless NICs in their laptops.

§ Guests – the company often hosts meetings with vendors and customers. During their visits, guests are given Internet access through the wireless network.

Each of these groups is assigned a VLAN that provides access to only the appropriate resources for that group.

Completing the VLAN picture with the RAD-Series RADIUS Server

The final and critical step in implementing wireless VLANs is the authentication and assignment of users to the correct VLAN using the RAD-Series RADIUS Server. The benefits of wireless VLANs are greatly diminished without the ease and flexibility of the central management afforded by the RAD-Series RADIUS server. At the time the user is authenticated, the RADIUS server assigns the user to the correct VLAN based upon the user’s profile or a policy involving the user’s role, group membership, or any other attribute. The RADIUS server can further improve security by requiring stronger forms of authentication for VLANs with access to the most critical resources.

The RAD-Series RADIUS Server can be configured to assign a user to a VLAN by adding the following three Reply-Items to the user’s profile:

Tunnel-Type=VLAN

Tunnel-Medium-Type=IEEE-802

Tunnel-Private-Group-Id="vlan-number"

where "vlan-number" is the number of the user’s VLAN.

Changing VLAN membership is as easy as changing the VLAN number in the user profile. It will then take effect the next time the user authenticates anywhere on the wireless network.

Using RADIUS Attributes to Implement Services in the RADIUS Server

2008-01-01T13:00:00.000-05:00

A policy is a set of business rules concerning access to network resources. It can be as simple as a list of who has access to what resources written in plain English. Because Interlink RADIUS server policies are implemented in text-based Decision Files, they are easy to create from a list of business rules, easy to read, and easy to understand at a later time.

Much like a computer language is used to implement an algorithm as a computer program, RADIUS Server Decision Files are used to implement business rules that are centrally enforced by the RAD-Series RADIUS Server Advanced Policy Engine.

Selecting an EAP Method - RADIUS Server Implications

2007-12-08T04:50:00.000-05:00

With this blog entry, we conclude our series on factors involved in choosing the best authentication method for a 802.1X applications by discussing RADIUS servers. Like the supplicant software discussed last month, the choice of a RADIUS server is critical because it is one of the endpoints engaging in the EAP authentication and must therefore have direct support for the chosen EAP method. The RADIUS server must also have support for the directory or database being used to store the user profiles and credentials.

Platform Flexibility

In the vast majority of cases, wireless networking is an added feature rather than a function designed into the enterprise’s original network. If wireless security is to be achieved, then a RADIUS server compatible with existing enterprise networks and meeting corporate requirements must be selected. Enterprises with established IT departments often have standards for servers. Any new server must run on the standard platform and operating system whether it is Unix, Linux, or Windows. Smaller enterprises cannot afford the IT expertise necessary to support multiple platforms. In some of these cases, a turnkey RADIUS appliance may be the best choice. The choice of the best EAP method should not be further complicated or limited by a RADIUS server lacking in flexibility and power.

Legacy RADIUS Servers

The existing network may already include legacy RADIUS servers used to authenticate dial-in access and wired access to systems. The reasonable options are to either replace the legacy server that can do both EAP and standard RADIUS authentication, or to add a new RADIUS server, which can interact with the legacy RADIUS server to authenticate wireless users. The option of adding a dedicated RADIUS server for wireless access would complicate user management by requiring its own user database.

If the first option is chosen, then the new RADIUS server must support the existing user repository, whether it is flat files, an LDAP directory, kerberos, or SecurID. More significantly, the RADIUS server must be able to distinguish between wired and wireless RADIUS authentication requests for the same user and handle them appropriately. Interlink Networks’ RAD-Series RADIUS Servers has the flexibility and power to configure both wireless and wired authentication for the same user groups. The server uses the contents of the access request to determine the protocol being used and which configuration should be applied.

If the second option is chosen, then the two RADIUS servers must work together. The legacy RADIUS server does not support EAP, but it has access to the user profiles. The wireless authentication server supports EAP, but does not have direct access to the user credentials. In this scenario, TTLS is the EAP method of choice. The wireless RADIUS server authenticates the network to the supplicant using a digital certificate and establishes a TLS tunnel through which a legacy protocol can be used to authenticate the supplicant to the network. The wireless RADIUS server terminates both the TLS tunnel and EAP. The user authentication using PAP, CHAP, or MS-CHAP is then forwarded to the legacy RADIUS server as a standard RADIUS request that it can handle.

Digital Certificate Support

If the enterprise already has a Public Key Infrastructure (PKI), then EAP-TLS is the EAP method that can satisfy those requirements. Other enterprises will find EAP-TLS less attractive because of the significant overhead of generating and managing user certificates. To adequately support EAP-TLS, the RADIUS server should support certificate revocation lists (CRL).

Password Hashes

For many authentication methods, passwords are the keys that open the gates of the network. As such, network administrators take additional security measures to protect passwords. They avoid protocols like PAP, which involve transmitting the password, and store a one-way hash of the password in the user’s profile instead of the password itself. Commonly used hashes include crypt on Unix systems, nthash on Windows systems, and SHA-1 or MD5 in LDAP directories. Because a one-way hash cannot be decrypted, some hashes will not be usable in protocols where the RADIUS server is authenticated by proving to the supplicant that it has the user’s password. In particular, Cisco LEAP and PEAP-MSCHAPv2 will only work if the password is stored in cleartext or an nthash.

If the password is already stored in a hash other than nthash, then the solution is to use one of the tunneled EAP methods like EAP-TTLS or PEAP. By creating a TLS encrypted tunnel, these methods make it secure to use an inner authentication protocol, which involves transmitting the user’s password from the supplicant to the RADIUS server. The RADIUS server then performs the appropriate hash operation on the password and compares the result to what is stored in the user’s profile. For EAP-TTLS, PAP will work as the inner authentication method and EAP-GTC will work as the inner authentication method for PEAP. CHAP and MS-CHAP will not work as inner authentication protocols because they involve a series of challenges instead of transmitting the user’s password inside of the tunnel. Mutual authentication means both ends must prove that they have the password.

Microsoft Active Directory Issues

Microsoft’s Active Directory Server (ADS) stores user passwords as an nthash. However, it takes user password security a step further in that it does not return any password hashes in response to an LDAP search. This does not necessarily restrict your options for EAP methods.

If the RADIUS server runs on a different machine from ADS, then the LDAP interface must be used and the same issues apply as were discussed for hashed passwords. In this case, either EAP-TTLS with PAP or PEAP-GTC should be chosen as the EAP method. Through the security of a TLS encrypted tunnel, they both provide a username and password, which can be authenticated by binding them to the ADS LDAP interface.

Conclusion

Through the course of this series of blog entries we have seen that the choice of an EAP method in wireless networking is essential in delivering both security and interoperability. Which EAP method is best for an enterprise can be determined by looking at its requirements for wireless station platforms, access points, and the network infrastructure. The choice of the right RADIUS server completes the security solution, provided that it is flexible and powerful enough to support the network’s platforms, databases, existing security systems, and desired EAP methods. Interlink Networks’ RAD-Series RADIUS Server supports the broadest range of platforms and EAP methods, making it possible to implement the strongest security with the greatest ease of use.

RADIUS & 802.1X: Selecting an EAP Method - Supplicant Software

2007-11-30T12:39:00.000-05:00

In this blog posting, we continue our discussion of EAP methods and the factors involved in finding the best authentication method for a wireless application. We have already identified the components that must interoperate to deliver secure wireless communication and we have discussed the access point requirements. Our next topic is the supplicant software, which runs on the wireless station such as the laptop, PDA, or phone. It is critical because it is one of the endpoints engaging in the EAP authentication (along with the RADIUS server at the other end) and must therefore have direct support for the chosen EAP method.

Supplicant Availability

Supplicant software is available from a number of sources, supporting a variety of EAP methods and operating systems. Most supplicants support EAP-MD5, EAP-TLS, and EAP-PEAP. However, not all vendors have implemented the same version of EAP-PEAP and each vendor has a different approach to managing user profiles. To minimize interoperability and management issues, settle on a single source of supplicant software that supports all of your required platforms, if at all possible. Please note that Interlink’s RADIUS server is standards-based and is designed to interoperate with all leading supplicants.

In some cases EAP supplicants are provided with the operating system. In particular, Windows XP includes support for both EAP-TLS and PEAP. Some organizations will prefer the simplicity of configuring a native supplicant to managing the installation and set up of third party software on all workstations.

User Profile Management

Supplicant software differs in its approach to managing the user profile ranging from those that are set up once and forgotten to those offering a great deal of flexibility and power. Some supplicant software includes a utility for configuring and managing multiple user profiles. This is useful for stations that will be used by multiple users or in multiple environments requiring different authentication methods. The user profiles are configured in advance and the appropriate profile selected as needed. At the other end of the spectrum are those supplicants that store the user identity and credentials at set up and then never require any intervention by the user. These are very easy to use but are more difficult to reconfigure. This becomes a problem if you want a policy of regularly changing passwords. It is also a security liability should the station ever become lost or stolen.

Identity Hiding

The tunneled EAP methods such as EAP-TTLS and EAP-PEAP support a concept called identity hiding. Authentication between the supplicant and authentication server takes place in two phases. In the first phase, the supplicant presents an outer user identity, in response to which the authentication server establishes an encrypted tunnel. This outer identity is often an anonymous user. The supplicant then presents the true user name as the inner identity used by the authentication method transported through the tunnel. Because the encrypted tunnel has its endpoints at the supplicant and the authentication server, the users true identity is hidden from the access point. Only the outer identity is visible to the access point. This feature may be desirable when the station is roaming on a foreign network but undesirable when managing users on the local network. Each supplicant has a different approach to identity hiding. Some supplicants offer only an anonymous outer identity, others use the username for both the inner and outer identities, and others make the outer identity configurable. Which approach is best depends on the need to make the user’s true identity either hidden or visible.

Conclusion

The choice of supplicant software is important. Because it must be distributed on all wireless stations, it may be difficult to change and manage once it is in the field. The EAP methods supported, platforms supported, ease of use, and flexibility can all be factors in making the right decision.

Interoperability between the supplicant and the RADIUS server is a critical factor being assured through testing by organizations like InteropNet Labs and the Wi-Fi Alliance. You can be assured of interoperability today by using an independent RADIUS server like Interlink’s RAD-Series RADIUS Server, which have been designed to conform to the latest industry standards and interoperate with leading supplicants and the widest range of EAP types in the industry. Interlink’s RADIUS Server supports both PEAP v0 promoted by Microsoft, and PEAP v1 implemented by Cisco, and are so flexible that you can mix and match supplicant software and EAP types – for example Alfa-Ariss’ TTLS supplicant and Cisco PEAP – and use them concurrently.

How the RADIUS server manages the user credentials and interacts with the supplicant will be continued in the next blog posting.

Comparing Certificate-Based RADIUS Authentication Methods: EAP-TLS, EAP-TTLS, and EAP-PEAP

2007-11-19T09:13:00.001-05:00

In the latest series of blog postings, we started exploring 802.1X and EAP methods used to secure networks using a RADIUS server. In this posting, we'll compare the 3 different certificate-based authentication methods: EAP-TLS, EAP-TTLS, and EAP-PEAP.

EAP-TLS – Transport Layer Security

EAP TLS is one of the most commonly implemented EAP type for securing wireless LANs (Wi-Fi) through a RADIUS Server. In a Wi-Fi environment, the workstation must have a certificate that the RADIUS server can validate. Likewise, the RADIUS server must have a certificate that the workstation can validate. This is referred to mutual authentication. This is only true if both parties can validate the other’s certificate. This is typically done by having both certificates issued by one Certificate Authority (CA), and for each party to have the CA’s certificate.

Pros:

Client is included in Windows Vista, XP, 2000 SP3
EAP-TLS is resilient to man-in-the-middle attacks
It provides explicit mutual authentication between the workstation and RADIUS server

Cons:

Requires the complexity and expense of a CA to support the workstation and RADIUS server authentication
Certificates are required on both the client and RADIUS server
Requires certificate distribution and administration

EAP-TTLS – Tunneled Transport Layer Security

EAP-TTLS is an authentication protocol that uses TLS to provide a secure channel for traditional authentication methods like CHAP, MS-CHAP, MS-CHAP-V2, and MD5-Challenge. This reduces the certificate requirements and can leverage legacy RADIUS authentication methods.

Pros:

Certificates are only required on the RADIUS server

Cons:

Most clients are proprietary and cost between $25-$50
Requires server certificate distribution and administration
Requires the complexity and expense of a certificate authority for RADIUS server authentication

EAP-PEAP – Protected Extensible Authentication Protocol

EAP-PEAP is an authentication protocol backed by Microsoft, Cisco and RSA Security. PEAP extends TLS to carry an EAP exchange. Once the initial TLS exchange authenticates the RADIUS server to the workstation, any other EPA method can be used to authenticate the workstation to the RADIUS server. Thus, traditional EAP methods like MD5 or MS-CHAP can be used in conjunction with EAP-PEAP.

Pros:

Server certificates are included in Windows XP, 2000

Cons:

Requires server certificate distribution and administration
Requires the complexity and expense of a certificate authority for RADIUS server authentication

Table 1 – Authentication Protocol Comparison

Issue	EAP-TLS	EAP-TTLS	EAP-PEAP
Client Certificates	Yes	Optional	Optional
RADIUS Server Certificates	Yes	Yes	Yes
Supported Authentication Database	Active Directory	Active Directory, NT Domains, Tokens, LDAP, SQL, RADIUS	Active Directory, NT Domains, Tokens¹, LDAP¹, SQL¹,
Dynamic Key Exchange	Yes	Yes	Yes
Mutual Authentication	Yes	Yes	Yes
Client OS Support	Windows XP, 2000, Linux	Windows 98, ME, 2000, XP, CE	Windows XP
Access Point Support	Any that support 802.1x	Any that support 802.1x	Any that support 802.1x

¹ Cisco’s version of PEAP Only

Selecting an 802.1X EAP Method: Access Point Considerations

2007-10-30T10:18:00.000-04:00

In the last RADIUS server blog posting, we embarked on the daunting task of securing access to a wireless network with a RADIUS server. This led us to 802.1X and the Extensible Authentication Protocol, EAP, which is at the heart of best practices for wireless network access management. Because of EAP’s extensible nature, we discussed that there are not only several network components to consider in securing the wireless network, but also many EAP Methods (protocols) from which to choose and configure in your clients and RADIUS server. In evaluating the currently available EAP Methods, we are examining factors involving each component of the wireless network. Because they provide the wireless connectivity, Access Points (APs) are the first and primary component that most enterprises evaluate. We will follow suit by looking at access point issues related to supporting wireless network access management using EAP.

802.1x Support

The most important AP feature necessary for wireless access management is support for 802.1x. This should be a requirement for enterprise wireless networks. One cannot take this feature for granted since it is generally not available on low cost consumer access points. 802.1x is the IEEE standard for Port Based Network Access Control. Included in this specification is the use of EAP for authentication. If an Access Point supports 802.1x, then it supports EAP.

WEP (Wired Equivalent Privacy) is another term frequently found on AP datasheets. While WEP based encryption is found often on APs using 802.1x, by itself it is not sufficient indication that EAP is supported. Many implementations authenticate by configuring static WEP keys. If the workstation can communicate by virtue of having the correct key, then it is authenticated. 802.1x was designed to overcome the numerous shortcomings of WEP key based authentication by authenticating user access through a RADIUS server. Additionally, WPA/TKIP has been developed to solve the problems of WEP’s poor encryption and data integrity.

Some Access Point datasheets will mention support for RADIUS. While RADIUS is used to transport EAP between the Access Point and the Authentication Server, it does not necessarily mean that the AP supports EAP. Some APs perform MAC address authentication with a RADIUS server. This form of authentication falls short of EAP’s ability to provide mutual authentication, authentication of the actual user, and session encryption keys with a RADIUS server.

Once it is determined that the AP supports 802.1x, then the next question is which EAP Methods are supported. The EAP authentication is conducted between the Supplicant (wireless device) and the RADIUS Server (Authentication Server). It is carried over EAPOL on the wireless side of the AP and over RADIUS on the network side of the AP. The AP only serves to relay the EAP packets, not to participate in the protocol. Therefore, any AP that supports 802.1x should be able to support all EAP methods. In practice, this is generally true. There have been exceptions found during interoperability tests, but these have been determined to be bugs that the AP vendors are expected to fix.

Proprietary EAP Methods

The one exception to the rule of thumb that all EAP Methods should be supported by all 802.1x APs is Cisco’s proprietary EAP-LEAP (Lightweight Extensible Authentication Protocol). It is only supported by APs, supplicants, and authentication servers that have licensed Cisco’s technology. LEAP makes use of Cisco’s vendor-specific attributes (VSAs) to distribute key material. The access point must support the Cisco VSAs and the LEAP algorithm for generating session keys from the key material. Because Cisco is a networking leader, LEAP has gained acceptance. Other vendor’s supplicants and authentication servers support LEAP – but if an enterprise wants to standardize on LEAP, then it must use Cisco APs.

Accounting Support

Although it is not a requirement for EAP, it should be noted that some access points do not support RADIUS accounting. This is an issue for ISPs and Wi-Fi hotspot venfors and less of an issue for enterprises that aren’t invoicing for wireless network access. However, all users might still want to implement audit trails and policies which require RADIUS accounting messages to mark the beginning and end of sessions.

Configuring EAP in the Access Point

Configuring EAP in an access point consists of four straightforward steps:

1. Enabling 802.1x, often by checking a box on a web form

2. Entering the authentication server’s IP address

3. Entering the authentication server’s port number (usually 1812)

4. Entering the secret shared with the authentication server

In conclusion, beyond the need to support 802.1x, the access point does not need to be a determining factor in which EAP Method to choose. The key is recognizing which access points support 802.1x. From there, enabling 802.1x and configuring communication with the authentication server is fairly straightforward. There is no need to configure a specific EAP method within the access point.

Choosing and configuring an EAP Method becomes more involved as we look at the supplicant and RADIUS server (authentication server in upcoming blog posts.

Introduction: Selecting an 802.1X EAP Method

2007-10-16T10:05:00.000-04:00

Wireless networking is a hot technology because of the flexibility and productivity it offers. It removes boundaries and barriers to communication, empowering an increasingly mobile society. Wireless networking also gained a lot of attention and concern because of the new security challenges that it introduced. Because of the broadcast nature of wireless networking, security must be expanded beyond the requirements of wired networks to include mutual authentication, distribution of session keys, and immunity to dictionary attacks to name a few. The industry has responded with a series of technologies such as EAP, WEP, WPA, and TKIP.

The common thread in these security developments for the RADIUS server using 802.1X technology is EAP - Extensible Authentication Protocol. EAP is a vehicle for meeting today’s wireless security requirements. As the name suggests, it is powerful because it is extensible. This is a two edged sword to the IT director wanting to implement wireless networks in his enterprise. On the one hand he has the assurance that EAP is a standard solution, will not soon become obsolete, and can be extended to meet future needs. On the other hand he is confronted with a complex array of EAP methods from which to choose, and still more methods being developed.

EAP methods are the authentication protocols being transported within the EAP framework over 802.1X between the supplicant (client) and the RADIUS server. There are advantages, disadvantages, and requirements for each of the various methods.

Given the wealth of choices, how is one to identify the best EAP method for a given enterprise? As is the case with any networking function, there are a number of pieces to the puzzle that must all fit together. A review of the relevant network components will help to clarify the EAP method decision and prevent the costly mistake of an incompatible or incomplete solution.

The key network components to consider when implementing wireless security are:

Wireless Station Supplicant Software (Clients)

The wireless station must have supplicant software to engage in the 802.1X/EAP authentication exchange with the RADIUS server. Some EAP methods are standard with some operating systems and others require the installation of additional client software.

Access Points

The access point is the gateway for wireless communication. It must support 802.1X and EAP at a minimum, but there may be other requirements. Some methods require additional support, which is not available from all vendors.

Data Stores

Ideally, the wireless security system should be integrated with existing and future network systems rather than creating redundant systems that are difficult to synchronize and maintain. Of particular concern is where and how the user credentials are stored. Many EAP methods have specific credential requirements that are not obvious to the uninformed.

Authentication Server (RADIUS Server)

As the authority to which you have entrusted the security of your wireless network, the RADIUS server (authentication server) must support the EAP method, have an interface to the user credential database, and support any vendor specific features of the access point.

Upcoming RADIUS server blog posts will address each of these factors in greater detail, highlighting the advantages and limitations for each EAP method. Armed with this knowledge, an informed decision can be made on how best to secure your wireless network with a RADIUS server.

High Performance RADIUS Server

2007-09-17T10:52:00.000-04:00

The RAD-Series RADIUS Server is the high end, high performance RADIUS server specifically designed for Carrier, Service Provider and OEM applications that require high throughput and carrier class reliability. Interlink Networks' RADIUS server delivers well over 2000 authentications per second on the Intel-based Linux platforms and Sun-based Solaris platforms.

Network Computing's independent Real-World Labs tested the RAD-Series RADIUS Server against four other popular RADIUS Server products: Cisco ACS, Lucent NavisRadius, Funk Steel-Belted Radius and IEA running on a common hardware platform. In Network Computing's words, Interlink's RADIUS Server delivered a "jaw-dropping" 1900 authentication and accounting transactions per second, compared to between 170 and 320 transactions per second from each of the other RADIUS servers. Their test results are shown below.

RADIUS Server	Performance
Interlink RAD-Series RADIUS Server	1900 trans/sec
IEA RadiusNT RADIUS Server	170 trans/sec
Lucent NavisRadius RADIUS Server	170 trans/sec
Cisco ACS RADIUS Server	170 trans/sec
Funk Steel-Belted Radius Server	320 trans/sec

Interlink's RADIUS Server outperformed Funk Steel-Belted Radius server by a factor of almost 6 to 1. Interlink's RAD-Series outperformed Cisco ACS and Lucent NavisRadius by over 1000%. These tests were run by Network Computing in their Real-World Labs on a Dell PowerEdge 2450 PCs with 1 GB of RAM, 25-GB SCSI hard drives and 993-MHz dual processors running against Windows Active Directory.

The RAD-Series RADIUS Server delivers similar performance on Sun Solaris. Running on a Sun v240 1.2GHz CPU against an LDAP directory server RADIUS delivers over 2400 authentications per second.

Of course, performance is both hardware and application dependent, varying on factors that include hardware platform, software configuration and the data store interface.

802.1X Terminology and the RADIUS Server

2007-09-04T19:20:00.000-04:00

Many networking terms such as client and server have become overloaded, leading to confusion. In order to clear some of the confusion, here are some of the basic terms frequently used in 802.1X discussions and how it relates to the RADIUS Server.

802.1X

The IEEE 802.1X standard, Port Based Network Access Control, defines a mechanism for port-based network access control that makes use of the physical access characteristics of IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics. The 802.1X specification includes a number of features aimed specifically at supporting the use of Port Access Control in IEEE 802.11 Wireless LANs (WLANs). These include the ability for a WLAN Access Point to distribute or obtain global key information to/from attached stations, following successful authentication.

Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP), specified in RFC 2284, is a method of conducting an authentication conversation between a Supplicant and an Authentication Server. Intermediate devices such as Access Points and proxy servers do not take part in the conversation. Their role is to relay EAP messages between the parties performing the authentication. The EAP messages are transported between a wireless station and an 802.1XAuthenticator using EAPOL. The EAP messages are transported between an 802.1XAuthenticator and the Authentication Server using RADIUS. The EAP framework supports the definition of Authentication Methods. Currently implemented EAP Authentication Methods include MD5, TLS, TTLS, PEAP, and Ciscos’s LEAP.

Supplicant

The Supplicant is the client authentication software/firmware. It runs on the station seeking WLAN access and conducts an authentication conversation with the Authentication Server (RADIUS Server) using EAP Until authenticated, the Supplicant can only communicate with the Authentication (RADIUS) Server.

Authenticator

An Authenticator performs port-based access control on a Network Access Server such as a Wireless Access Point. During authentication it relays EAP messages between the Supplicant and Authentication (RADIUS) Server and discards all other traffic from the Supplicant.

Once notified of successful authentication by the Authentication (RADIUS) Server, the Authenticator establishes the session and provides network access to the Supplicant using any session keys provided by the Authentication (RADIUS) Server.

Authentication Server (RADIUS Server)

The Authentication Server (typically a RADIUS Server) provides authentication services to the Authenticator. The Authenticator and Authentication (RADIUS) Server have a trusted (client/server) relationship over the secure (usually wired) portion of the network. The Authentication (RADIUS) Server conducts an authentication conversation with the Supplicant using EAP. The Authentication (RADIUS) Server authenticates the Supplicant based upon a user profile that can be maintained either locally or remotely. The Authentication (RADIUS) Server may also perform authorization, collect accounting, and provide session keys to the Authenticator.

A Primer on Using Interlink’s Powerful RADIUS Server Software Developer’s Kit (RADIUS SDK)

2007-08-28T12:26:00.000-04:00

Interlink’s RADIUS Server SDK is ideal for customers wishing to customize and enhance the RAD-Series RADIUS Server to meet their specific application requirements. The RADIUS Server SDK provides a set of easy-to-implement, modular tools to develop extensions to the core RADIUS architecture. The tool kit provides APIs (Application Program Interfaces) that make it easy to build custom modules for unique RADIUS authentication, authorization, or accounting methods; modify the internal RADIUS processing engine; set user-based policy; and to customize user interfaces.

With the SDK, you can write capabilities to:

Authenticate users stored in any data source, including off-the-shelf and proprietary databases
Track and control usage based on unique billing systems
Implement highly customized authorization schemes
Add support for unique network access hardware

RADIUS plug-in modules allow feature enhancements without editing, recompiling, and retesting all of the server code, providing for speedy development of additional functionality. The RADIUS Server SDK functions follow standard ANSI C, so there is no specialized programming or scripting language to learn.

Major system integrator and mobile communication companies throughout the world have used our RADIUS SDK to customize their RADIUS server to meet their specific application needs.

Achieving Ease of Use in RADIUS Management While Maintaining Network Security

2007-08-01T08:00:00.000-04:00

The need for ease of use in network management has never been greater. The ever-increasing pace of technical innovation has made it impractical for some of the most technical IT personnel to keep up with the innumerable configuration options and syntaxes. This has led to the widespread use of Graphical User Interfaces (GUIs). This allows the user navigates through a sequence of configuration screens and be presented with a list of options, instead of having to remember what configuration details are required and how to type the corresponding commands at the console prompt. Everyone is familiar with this style of interface on their desktop computer. The same ease of use has been extended to remote network devices through web-based graphical interfaces and the HyperText Transfer Protocol (HTTP).

With this ease of use come a number of security problems.

HTTP uses clear text making it easy to intercept passwords.
Default passwords for well-known applications become “back doors” to the system if they are not changed or disabled.
Well-known port numbers for administrative interfaces make themselves subject to attack.
Managing security issues becomes more difficult when each device must be managed by its own independent interface.

Keeping network devices such as a RADIUS Server behind a firewall does not solve the problem. Not all employees are intended to have administrative access to network resources. Security must be applied on the inside of an organization as well as outside. In addition, any successful attempt to hack through the firewall now has access to hack any device behind the firewall, creating yet more holes.

Interlink Networks RAD-Series RADIUS Server Manager

The RAD-Series RADIUS Server Manager addresses all of the above security issues.

The RADIUS Server Manager is easily configured to use HTTPS instead of HTTP. This is the same protocol used by commercial web sites to provide secure encrypted communications for sensitive information like credit card numbers.
Unlike many administrative interfaces, the RADIUS Server Manager requires an administrative username in addition to a password. To further protect against a default password being used as a back door, the RADIUS Server Manager installer prompts for the Administrator’s login name and password instead of always starting with a default.
The RADIUS Server Manager is easily configured to use any desired port number rather than being limited to a fixed default port.
A single Server Manager can manage multiple RAD-Series RADIUS Servers. This contributes to ease of use and the assurance that all servers will be managed in a consistent and secure fashion. Communication between the RADIUS Server Manager and the servers is further secured through the use of a shared secret.

Ease of use and secure operations are both important goals in managing the corporate network. With the RAD-Series RADIUS Server Manager, both of these goals can be achieved without diminishing the other.

Using RADIUS Attributes to Implement Services

2007-07-12T15:49:00.000-04:00

Defining RADIUS Attributes using Vendor Specific Attributes (VSAs) for use in policies is a flexible and powerful way for service providers to enhance their services and enterprises to better manage their networks.

Service providers can use their own RADIUS attributes to define multiple levels of service with each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.

Another approach to expand the service provider’s sales reach is to sell services a la carte. RADIUS attributes can be defined for each service component making it possible to enable and sell them independently of each other. RADIUS attributes can be created to access services such as e-mail, priority support areas, special downloads, and to grant toll free access.

In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.

Our last RADIUS blog entry walked through the steps of defining RADIUS VSAs to define new services. This month we will complete the project by writing the RADIUS policies that give the services their meaning.

What is a Policy?

A policy is a set of business rules concerning access to network resources. This does not have to be a highly technical exercise. It can be as simple as a list of who has access to what resources written in plain English. Because Interlink RADIUS policies are implemented in text based Decision Files, they are easy to create from a list of business rules, easy to read, and easy to understand at a later time. Much like a computer language is used to implement an algorithm as a computer program, Decision Files are used to implement business rules that are centrally enforced by the Interlink Networks RAD-Series RADIUS Server Advanced Policy Engine.

Implementing Levels of Service for a Service Provider

In our last RADIUS Server blog entry, our fictitious service provider, NewISP, defined a RADIUS Vendor Specific Attribute named Service-Level with three levels of service: Platinum, Gold, and Silver. Having laid that groundwork, NewISP is now ready to establish its service level business rules as a policy managed by the RAD-Series RADIUS Server Advanced Policy Engine.

Step One is to establish the business rules in plain English. NewISP’s product management team has decided upon the following service offerings.

Platinum level gets

Internet browsing and email
Access to premium services and downloads from the NewISP web site
Unlimited length of sessions
Access to the NewISP toll free number, 800-555-1000

Gold level gets

Internet browsing and email
Sessions up to 4 hours

Silver level gets

Internet browsing and email
Sessions up to 1 hour during business hours (M-F, 8 am – 5 pm)
Sessions up to 4 hours during evenings and weekends

The standard Internet and email access is defined with an IP filter named StandardArea. The standard Internet and email access plus the premium service area is defined with an IP filter named PremiumArea.

Step Two is to write the business rules in Decision File format. A Decision File is made up of a series of Groups. Each Group consists of a set of conditions and a set of replies if the conditions are fully met. Both the conditions and the replies are defined in terms of RADIUS attributes including Vendor Specific Attributes. The RADIUS Advanced Policy Engine searches the policy until it finds the first Group for which the RADIUS Attribute-Value pairs (AV-pairs) in the request satisfy all of the conditions. Then the AV-pairs in the Reply section are added to the RADIUS response for the purpose of configuring the session at the NAS.

NewISP’s business rules now take the following form in a Decision File.

# Platinum accounts are unlimited with access to the
# premium services.
Group Platinum {
Condition {
Service-Level = Platinum
}
Reply {
Decision = ACK
Filter-Id = PremiumArea
}
}

# Gold accounts get standard services for up to 4 hours.
# Toll free access is restricted.

Group Gold {
Condition {
(Service-Level = Gold) &&
(Called-Station-Id != "800-555-1000")
}
Reply {
Decision = ACK
Filter-Id = StandardArea
Session-Timeout = 14400
}
}

# Silver accounts get standard services for up to 1 hour
# during business hours. Toll free access is restricted.

Group Silver-Primetime {
Condition {
(Service-Level = Silver) &&
(Called-Station-Id != "800-555-1000") &&
(Day-Of-Week >= Monday) &&
(Day-Of-Week <= Friday) && (Time-Of-Day >= 8:00 ) && (Time-Of-Day <= 17:00)
}
Reply {
Decision = ACK
Filter-Id = StandardArea
Session-Timeout = 3600
}
}

# Silver accounts get standard services for up to 4 hours
# during off hours. Toll free access is restricted.

Group Silver-Offtime {
Condition {
(Service-Level = Silver) &&
(Called-Station-Id != "800-555-1000") &&
((Day-Of-Week < style=""> (Day-Of-Week > Friday) ||
(Time-Of-Day < style=""> (Time-Of-Day > 17:00))
}
Reply {
Decision = ACK
Filter-Id = StandardArea
Session-Timeout = 14400
}
}

# Other requests such as gold or Silver accounts calling
# the toll-free number are rejected.

Group Invalid-Use {
Reply {
Decision = NAK
Reply-Message = "Access denied - restricted number"
}
}

Step Three is to plug the Decision File into the RADIUS Authentication and Authorization process by creating a pointer to it in the Finite State Machine table, radius.fsm. The pointer is the optional Xstring parameter used in conjunction with the POLICY action. NewISP has saved its policy in a Decision File named service-level. The FSM table would be changed to include:

Chkdny:
*.*.ACK POLICY AUTHwait Xstring=decisionfile:service-level
*.*.NAK REPLY Hold

NewISP now has its levels of service in place. The Decision File format gives the best of all worlds. It is read by the RADIUS Advanced Policy Engine and cached in memory where it delivers high speed, scalable performance. The text-based Decision File also documents the policy in a form that is easy to review and understand. Because the policy is managed centrally, it is easy to update as the companies requirements and business rules change. Only the one Decision File needs to be modified and then reloaded by the RADIUS Server in order to change products and policies throughout the entire network.