
Lesson 16

Lesson 16: RADIUS Design (Chapter Thirteen). Topics: the RADIUS client/server model (RRAS as the RADIUS client, IAS on Windows 2000 Server as the RADIUS server) and the uses of RADIUS.


Presentation Transcript


  1. Lesson 16 RADIUS Design Chapter Thirteen

  2. RADIUS Client/Server Model
     RADIUS   Server Type   OS/Platform
     Client   RRAS Server   May not need to know or care what this is
     Server   IAS Server    Windows 2000 Server

  3. RADIUS Uses
     • You've outsourced your remote access services, but you want to authenticate users from within your site.
     • You have a remote access server on the DMZ, but you want to authenticate from within the private network.
     • Your servers are separated by geographic distances.
     • The client and server pieces need to be on different platforms and OS architectures.
     • You want to encrypt your RAS connections at authentication time by using either IPSec or MPPE tunnels.

  4. Components vs. RADIUS Protocol
     • Client
       • Provides remote access connectivity
       • Dial-up or VPN access server
       • Provided by RRAS in Windows 2000
       • Supports IP, IPX, AppleTalk
     • Server
       • Provides authentication, auditing, accounting
       • IAS in Windows 2000

  5. Relationship

  6. RADIUS Sequence
     1. RADIUS client receives authentication request
     2. RADIUS client forwards user credential and request to RADIUS server
     3. RADIUS server authenticates user credentials
     4. RADIUS server validates user credentials and sends response to RADIUS client
     5. RADIUS client receives response instructing allow or deny, plus RADIUS attributes
     6. Access is granted to the user
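The sequence above, worked through as an added example (not part of the lesson): a minimal RFC 2865 Access-Request/Access-Accept exchange in Python, showing why the client and server must share a secret (it hides the User-Password and authenticates the server's allow/deny answer). The user database, user name, password and shared secrets are constructed sample values; attribute parsing covers only the two attributes used here.

```python
import hashlib, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types used here

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value
def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def _xor_blocks(data, secret, req_auth, chain_on_output):
    # Key stream block n = MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out
def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple, then XOR against the shared-secret key stream
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)
def recover_password(hidden, secret, req_auth):
    return _xor_blocks(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_access_request(ident, user, password, secret):
    req_auth = secrets.token_bytes(16)  # Request Authenticator: fresh random bytes per request
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(request, secret, userdb):
    # RADIUS server: recover the credentials, check them, answer with an authenticated Accept/Reject
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    ok = userdb.get(attrs[ATTR_USER_NAME]) == recover_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    body = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return body + hashlib.md5(body + req_auth + secret).digest()  # Response Authenticator

def client_verify(request, response, secret):
    # RADIUS client: act on the allow/deny only if the Response Authenticator matches
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def radius_exchange(user, password, client_secret, server_secret, userdb):
    # The slide's sequence: client builds the request, server checks it, client verifies the answer
    req = build_access_request(7, user, password, client_secret)
    resp = server_respond(req, server_secret, userdb)
    return resp[0], client_verify(req, resp, client_secret)
```

A mismatched shared secret between client and server both garbles the recovered password (Access-Reject) and makes the Response Authenticator check fail on the client, which is the symptom to look for when a RADIUS client is misconfigured.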

  7. RADIUS Solutions
     • Outsource
       • Reduce the costs associated with dial-up remote access connectivity
       • Provide a single set of logon credentials to the remote users
       • Establish an agreement with the third-party organization that provides the dial-up remote access connectivity
       • Provide enhanced security, such as remote user caller-ID identification or user callback
     • In-House
       • Wants to or is willing to centralize the administration of the remote access servers and remote access policies
       • Wants to or is willing to place remote access servers outside the private network or on screened subnets
       • Wants to or is willing to retain ownership of all aspects of the remote access design
       • Doesn't want to establish an agreement with a third-party organization

  8. Outsourced

  9. In-House

  10. RADIUS Placement
     • RADIUS Clients
       • For dial-up: geographically near the client
       • For VPN: near the Internet connection
     • RADIUS Servers
       • When using AD: on the network segment of the DCs
       • Consider putting IAS on DCs

  11. RADIUS Connections
     • Each server MUST provide authentication OR accounting to at least one client
     • Each client can
       • Use one server for both authentication and accounting
       • Use one server for authentication and one server for accounting

  12. RADIUS Connections

  13. RADIUS Realms
     • In Windows NT, analogous to a domain
     • Any user account database accessible by the RADIUS server for other OSs
     • A default realm can be specified
     • Use prefix (realm/) or suffix (@realm)

  14. Data Protection
     • Preventing unauthorized access
       • Restrict users to resources on the RADIUS client
       • Restrict traffic through the RADIUS client or RAS box
       • Place RADIUS clients or RAS boxes in DMZs

  15. Preventing Unauthorized Access (figure: the VPN remote access server allows only HTTP and FTP)

  16. Protecting Confidential Data
     • Authenticate users
       • Active Directory
       • Windows NT 4 domains
       • Microsoft Commercial Internet System (Passport)
       • Any user database utilized by RADIUS on other OSs

  17. Protecting Confidential Data
     • Encrypt the data
       • Between users and remote access servers: independent of the RADIUS client
       • Between remote users and RADIUS clients, and between RADIUS clients and remote access servers: depends on the capability of the RADIUS client

  18. Protecting Confidential Data
     • Enforce remote access policies
       • Called RADIUS attributes in RADIUS design
       • Managed and stored on the RADIUS server
       • Shared by all RADIUS clients
       • Replicated among all RADIUS servers
       • Differ on RADIUS servers and RADIUS clients running non-Windows 2000 OSs

  19. RADIUS Design Optimization
     • Enhanced availability
       • Distribute clients among several servers
       • Network Load Balancing
     • Enhanced performance
       • Improve hardware or add RADIUS servers
       • Use NLB or distribute clients using the RADIUS configuration
