RADIUS, Network Access, Single Sign On
RADIUS
- Remote Authentication Dial-In User Service (RADIUS)
- AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility
- The RADIUS server is also notified if and when the session starts and stops
  - Billing
  - Logging
- Originally developed by Livingston Enterprises for their PortMaster series of Network Access Servers
- Currently standardized as RFC 2865 and RFC 2866
- Several commercial and open-source RADIUS servers exist
RADIUS Architecture
Authentication Flow
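To make the authentication and accounting flows concrete, here is an added example (not code from the slides or from any of the RADIUS servers listed) that builds and checks the packets a NAS and a RADIUS server exchange under RFC 2865 and RFC 2866: an Access-Request whose User-Password is hidden with the shared secret, an Access-Accept or Access-Reject carrying a Response Authenticator the NAS verifies, and an Accounting-Request Start record whose Request Authenticator the server validates before it would bill or log the session. The shared secret, user name and password are constructed sample values; the in-memory `user_db` stands in for the server's user directory. The example goes a little beyond the slide by showing why both sides check the authenticators: a reply minted without the secret, and an accounting record altered in transit, are both detected.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_ACCT_STATUS_TYPE = 1, 2, 40
ACCT_START, ACCT_STOP = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows

def encode_attr(attr_type, value):
    # Attribute = Type (1 byte) | Length (1 byte, counting these two) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs

def password_xor(data, secret, request_auth, hiding):
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block);
    # "previous block" is the Request Authenticator for the first block and the previous
    # ciphertext block after that, so hiding chains on its output and revealing on its input
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block
    return out

def build_packet(code, ident, authenticator, body):
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, body, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def accounting_authenticator(ident, body, secret):
    # RFC 2866 section 3: MD5 over the packet with 16 zero bytes in the Authenticator field, then the secret
    return hashlib.md5(HEADER.pack(ACCOUNTING_REQUEST, ident, 20 + len(body)) + b"\x00" * 16 + body + secret).digest()

def build_access_request(ident, username, password, secret):
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    body = encode_attr(ATTR_USER_NAME, username)
    body += encode_attr(ATTR_USER_PASSWORD, password_xor(padded, secret, request_auth, True))
    return build_packet(ACCESS_REQUEST, ident, request_auth, body)

def build_accounting_request(ident, username, status, secret):
    body = encode_attr(ATTR_USER_NAME, username) + encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    return build_packet(ACCOUNTING_REQUEST, ident, accounting_authenticator(ident, body, secret), body)

def server_handle(packet, secret, user_db):
    """RADIUS server side: answer an Access-Request or an Accounting-Request (None = silently discard)."""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth, body = packet[4:20], packet[20:length]
    attrs = parse_attrs(body)
    if code == ACCESS_REQUEST:
        user = attrs.get(ATTR_USER_NAME)
        given = password_xor(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth, False).rstrip(b"\x00")
        ok = user in user_db and hmac.compare_digest(user_db[user], given)
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    elif code == ACCOUNTING_REQUEST and hmac.compare_digest(accounting_authenticator(ident, body, secret), request_auth):
        reply = ACCOUNTING_RESPONSE  # the Start/Stop record is authentic; billing or logging would hook in here
    else:
        return None
    return build_packet(reply, ident, response_authenticator(reply, ident, request_auth, b"", secret), b"")

def client_check_reply(request, reply, secret):
    """NAS side: accept a reply only if its Identifier and Response Authenticator match the request sent."""
    code, ident, length = HEADER.unpack(reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    user_db = {b"alice@example.org": b"correct horse"}  # constructed stand-in for the user directory
    req = build_access_request(7, b"alice@example.org", b"correct horse", secret)
    accepted = client_check_reply(req, server_handle(req, secret, user_db), secret)
    bad = build_access_request(8, b"alice@example.org", b"wrong", secret)
    rejected = client_check_reply(bad, server_handle(bad, secret, user_db), secret)
    forged = build_packet(ACCESS_ACCEPT, 8, b"\x00" * 16, b"")  # an Accept minted without the secret
    forged_result = client_check_reply(bad, forged, secret)
    start = build_accounting_request(9, b"alice@example.org", ACCT_START, secret)
    acct = client_check_reply(start, server_handle(start, secret, user_db), secret)
    tampered = start[:-1] + bytes([start[-1] ^ 1])  # one bit flipped in the Acct-Status-Type value
    return accepted, rejected, forged_result, acct, server_handle(tampered, secret, user_db)
```

`demo()` returns `(ACCESS_ACCEPT, ACCESS_REJECT, None, ACCOUNTING_RESPONSE, None)`: the genuine login is accepted, the wrong password rejected, the forged Accept dropped by the NAS, the Start record acknowledged, and the altered Start record discarded by the server. The password hiding and both authenticators rest entirely on the shared secret, which is why a long, per-NAS secret matters in deployment.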
RADIUS Server
- Cistron
- freeRADIUS
- ICRADIUS
- YARD RADIUS
- GNU-radius
Standards
- IEEE
  - 802.1x “Network port authentication”
  - 802.1w “Spanning tree rapid convergence”
  - 802.11e “Quality of service”
  - 802.11f “Inter-access point protocol”
  - 802.11i “Extended security”
- IETF
  - RADIUS & AAA – authentication, authorization, and accounting
  - PPP Extensible Authentication Protocol (EAP)
  - IPSec and IPSRA – IPSec and VPNs
Wholesale Wireless Access
Figure: wholesale wireless access. Public 802.11 wireless access points (AP A) on carrier networks send authentication requests to the ISP A RADIUS proxy, which forwards them over the Internet to the customer's (BIGCO) RADIUS server and its directory.
Benefits of Wholesale Access
- Ubiquitous 802.11 wireless support
- Enables rapid deployment of IEEE 802. technologies in hotels, airports, malls
- Users can obtain wireless access using their existing corporate accounts
- Easier to provide “backup” providers
- RADIUS provides accounting information
- Reduced carrying costs
- Leverage ISP capacity and aggregation
- Shared support burden and ISP expertise
Why Shared Use APs?
- Multiple providers are becoming the norm within airports
- Airlines are installing 802.11 networks for use in baggage handling and roving ticket counters
- Multiple wireless ISPs often want to serve airport customers
- Radio interference is an issue
- In the US and Europe, 802.11b networks can support only 3 non-overlapping channels; in France and Japan only one channel is available
- Once the channels are utilized by existing APs, additional APs will interfere and reduce performance
- 802.11 deployment in public spaces is expensive
- The cost of providing wireless access is inversely proportional to infrastructure utilization
- More economical to build infrastructure and share it among multiple providers than to build overlapping infrastructure
Single Sign On (SSO)
- Introduction
- SSO Approaches
- Dealing with different SSO options
- Focus:
- Perspective of an ISV/Developer who has to deal with customers’ SSO environments.
Traditional Authentication
User types Login id & Password
System checks user id and password against application user database
If both factors found in database, user is now authenticated for application.
The Problem
- With the web, users no longer work with just one application.
- Most users can’t remember all of their passwords and get irritated at having to re-type their user id and password.
- System admins find it challenging to maintain user information.
- Security sacrificed because
- User Databases are not current
- Users keep their user ids and passwords written down on their desk.
Single Sign On
- Allows a user to enter user id and password (authentication factors) in one place for all applications.
- Authentication based on user definitions from a central database
- Eases users linking between applications (one application is an instrument…many applications working together is a symphony)
The Answer?
Login only Once
SSO Server
User authenticated to central SSO server
…and the user is authenticated here, and here, and here (to each application)
Corporate Dir. (LDAP, RDBMS, etc.)
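As an added example of the “login only once” model in the figure (not code from the slides or from any particular SSO product), the script below implements a minimal SSO server that checks the password once against a central directory and issues an HMAC-signed, time-limited ticket; each application then establishes the user from the ticket's signature and never sees the password or keeps its own user database. The signing key, the user record, the application names and the fixed clock are all constructed; the dictionary `directory` stands in for the corporate directory (LDAP, RDBMS), and the claim names (`sub`, `aud`, `iat`, `exp`) are borrowed from common token formats rather than prescribed by the slides.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def sign_ticket(claims, key):
    # ticket = base64url(JSON claims) "." base64url(HMAC-SHA256 over that payload)
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    return payload + b"." + b64url(hmac.new(key, payload, "sha256").digest())


def verify_ticket(ticket, key, audience, now=None):
    """Return the user id if the ticket is authentic, unexpired and meant for this audience, else None."""
    try:
        payload, tag = ticket.split(b".")
        expected = hmac.new(key, payload, "sha256").digest()
        if not hmac.compare_digest(expected, b64url_decode(tag)):
            return None  # signature check comes first: never parse claims from an unauthenticated ticket
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if audience not in claims.get("aud", []) or now >= claims.get("exp", 0):
        return None
    return claims["sub"]


class SSOServer:
    """Central sign-on point: the only component that ever sees the password."""

    def __init__(self, directory, signing_key):
        self.directory = directory  # user id -> (salt, PBKDF2 hash); stands in for LDAP/RDBMS
        self.key = signing_key
        self.applications = set()

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, user_id, password, now=None, ttl=300):
        entry = self.directory.get(user_id)
        # hash even for unknown users so response timing does not reveal which ids exist
        salt, stored = entry if entry else (b"\x00" * 16, b"\x00" * 32)
        if not entry or not hmac.compare_digest(self.hash_password(password, salt), stored):
            return None
        now = time.time() if now is None else now
        claims = {"sub": user_id, "aud": sorted(self.applications), "iat": int(now), "exp": int(now) + ttl}
        return sign_ticket(claims, self.key)


class Application:
    """An application trusts the SSO server's signature instead of holding its own user database."""

    def __init__(self, name, sso, key):
        self.name, self.key = name, key
        sso.applications.add(name)

    def current_user(self, ticket, now=None):
        return verify_ticket(ticket, self.key, self.name, now)


def demo():
    key = os.urandom(32)  # constructed; shared between the SSO server and its applications
    salt = os.urandom(16)
    directory = {"alice": (salt, SSOServer.hash_password("correct horse", salt))}  # constructed user
    sso = SSOServer(directory, key)
    mail, wiki = Application("mail", sso, key), Application("wiki", sso, key)
    t0 = 1_700_000_000  # fixed clock (constructed) so expiry is deterministic
    ticket = sso.login("alice", "correct horse", now=t0)
    one_login_many_apps = (mail.current_user(ticket, t0 + 10), wiki.current_user(ticket, t0 + 10))
    wrong_password = sso.login("alice", "wrong", now=t0)
    payload, tag = ticket.split(b".")
    forged = b64url(b64url_decode(payload).replace(b'"alice"', b'"admin"')) + b"." + tag  # edited claims, old tag
    return one_login_many_apps, wrong_password, mail.current_user(forged, t0 + 10), mail.current_user(ticket, t0 + 600)
```

`demo()` returns `(("alice", "alice"), None, None, None)`: one login serves both applications, a wrong password yields no ticket, a ticket with edited claims fails the signature check, and the same ticket is refused once it has expired. Because every application here holds the same symmetric key, any one of them could mint tickets for the others; deployments that cannot trust every application that far use a signature the SSO server alone can produce, which is the role public-key signatures play in SAML and OpenID Connect.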