Distributed Network Security through Radius

Rafeeq Ur Rehman

The term "network security" covers a number of technologies that protect remote access to a network, whether over telephone lines or between networks. These technologies include passwords, encryption, firewalls, callbacks, etc., and work in different ways; network managers often combine them to create secure network environments.

Network security is not new to computing, though it is relatively new to personal computing. Mainframe computers have always used high-level security technology to protect sensitive business data. In the early days of personal computing, most CPUs were standalone units that could be protected by locking an office door.

Today, new users of technology have made security a critical issue for any type of computing. Growing use of local and wide area networks, laptops, and remote computing has increased access to critical business data. Hackers thrive on breaking into vulnerable networks, and security breaches can wreak havoc on a network. Not only is confidential information stolen, but "crackers" have been known to bring down a network through "worms," computer viruses, and other hazards to network traffic. Reports on security issues can be found from Computer Emergency Response Team Coordination Center (CERT-CC) at http://www.cert.org.

Every time a modem is added to a computer or communications server on a corporate network, that network becomes more vulnerable to security breaches. Network administrators are left with few tools to guard against break-ins. State-of-the-art security systems generally require special hardware or are compatible only with a small number of products. This problem is multiplied several times in large networks with many points of access.

RADIUS Overview

Remote Authentication Dial-In User Service, or RADIUS, is a freely available, distributed security system based on recommendations from the Network Access Server Working Requirements Group of the Internet Engineering Task Force (IETF). Distributed security is a client/server approach that allows a number of communications servers or clients to authenticate a dial-in user's identity through a single, central database, or authentication server - a feature particularly important to networks that include large modem banks and multiple remote communciations servers. The authentication server stores all information about users, their passwords, and access privileges. Using a single authentication server, which can support hundreds of communications servers and serve thousands of users, is more secure than scattering that information on different devices throughout a network. Communications servers can access an authentication server locally or remotely over WAN connections. Figure 1 depicts the RADIUS security model.

RADIUS provides an open and scalable client/server security system, eliminating the need for special hardware and providing access to a variety of state-of-the-art security solutions. The RADIUS server can be easily adapted to work with third-party security products or proprietary security systems. Any communications server or network hardware that supports the RADIUS client protocols can communicate with a RADIUS server. Any device that supports RADIUS can be a RADIUS client, so a remote user can gain access to the same services from any communications server communicating with the RADIUS server. Because RADIUS can be easily adapted to work with systems and protocols already in use, programmers can save tremendous amounts of time by modifying the RADIUS server to fit their networks instead of reworking their networks to incorporate new communications servers.

Authentication servers can be set up in a variety of ways, depending on the security scheme of the network they are serving. The basic process for authenticating a user is:

1. A user dials into a network through a communications server.

2. The communcations server forwards the user ID and password the authentication server.

3. The authentication server validates the user and provides access privileges to the network.

RADIUS also uses an extensible architecture; thus, as the type and complexity of service a communication server must deliver increases, RADIUS can be easily expanded to provide those services.

RADIUS Client/Server Architecture

RADIUS includes two pieces: an authentication server and client protocols. The server is installed on a central computer at the Internet Service Provider's LAN or at a central location on a corporate network. RADIUS is designed to simplify the security process by separating security technology from communications technology.

With RADIUS, you can categorize network access methods of users so that different users can use different methods to access the network. These methods may be SLIP, PPP, Telnet, LAT, Shell, etc. All user authentication and network service access information is located on the authentication, or RADIUS, server. This information is contained in a variety of formats. RADIUS in its generic form will authenticate users against a UNIX password file, Network Information Service (NIS), a separately maintained RADIUS database, or any combination of these.

Communications servers working with modems such as Xyplex MaxServer or Livingston PortMaster operate as RADIUS clients. The RADIUS client sends authentication requests to the RADIUS server and acts on responses sent back by the server. Once a user is authenticated, the client provides that user with access to the appropriate network services. The following is a description of the authentication process using a communications server and RADIUS.

1. Using a modem, the user dials-in to a modem connected to a communications server. Once the modem connection is completed, the communications server prompts the user for a name and password.

2. The communications server creates a data packet, or the authentication request, from this information. This packet includes information identifying the specific communications server sending the authentication request, the port being used for the modem connection, and the user name and password. For protection from eavesdropping hackers, the communications server, acting as a RADIUS client, encrypts the password before it is sent to the RADIUS server.

3. The authentication request is sent over the network from the RADIUS client to the RADIUS server. This communication can be done over a local- or wide-area network, allowing network managers to locate RADIUS clients remotely from the RADIUS server. If the RADIUS server cannot be reached, the RADIUS client can route the request to an alternate server (the secondary RADIUS server).

4. When an authentication request is received, the RADIUS server validates the request and then decrypts the data packet to access the user name and password information. This information is passed on to the appropriate security system being supported. This could be UNIX /etc/passwd files or RADIUS's own user database.

5. If the user name and password are correct, the RADIUS server sends an authentication acknowledgment that includes information on the user's network system and service requirements. For example, the RADIUS server will tell the communication server that a user needs TCP/IP and/or NetWare using PPP (Point-to-Point Protocol) or that the user needs SLIP (Serial Line Internet Protocol) to connect to the network.

6. If at any point in this login process conditions are not met, the RADIUS server sends an authentication reject to the communication server and the user is denied access to the network.

7. To ensure that unauthorized hackers on the network do not respond to requests, the RADIUS server sends an authentication key, or signature, identifying itself to the RADIUS client. Once the communication server receives this information, it enables the necessary configuration to deliver the right network services to the user.

RADIUS Sources and Installation

The next examples show the setup and installation procedure at Asternet-Online (http://www.aster.com.pk), an Internet Service Provider in Pakistan. Customers of Asternet get Internet access through modems attached to Xyplex MaxServer 1620 communication servers. These communication servers act as RADIUS clients and are attached to a local area network. This LAN is connected to the Internet through a CISCO router. There are two RADIUS servers (primary and secondary) on this LAN. Linux is the operating system on these machines. Since both RADIUS and Linux are freely available, it makes an excellent low-cost combination for ISPs. Moreover, the same Linux machines are also being used for other services such as DNS and FTP. Figure 2 shows the schematic diagram of the Asternet setup.

There are two basic steps to installing a RADIUS system on a network: install primary and secondary RADIUS servers, and configure communications servers to get authentication of each user dialing in from these servers.

Installing and Configuring a RADIUS Server

RADIUS is available from many sites on the Internet such as http://www.merit.edu and http://www.livingston.com. I downloaded the source code from http://www.livingston.com in tar format. After extracting the source code in a temporary directory, edit the makefile to reflect the settings of the local operating system, installation directories, and compiler. In this case the operating system is Linux 1.2.8, the installation directory is /etc/raddb, and the compiler in GNU gcc. After making these changes, running make compiles the source code and generates radiusd, the RADIUS server daemon.

The process of configuring a RADIUS server described next assumes that RADIUS is installed in /etc/raddb directory.

Add the following two lines to /etc/services on your RADIUS server:

Radius     1645/udp     radiusd
radacct    1646/udp

Now execute the following commands as root:

umask 22
mkdir /etc/raddb /usr/adm/radacct
chmod 700 /etc/raddb /usr/adm/radacct

Copy the compiled radiusd in /etc/raddb along with example configuration files. Now edit the /etc/rc.d/rc.local file and add these two lines at the end of this file:

echo "Running RADIUS Server..."
/etc/raddb/radiusd

Create a file /etc/raddb/clients to add RADIUS clients (communication servers) to the list of RADIUS database:

#
#This file contains a list of clients that are allowed to
#make authentication requests and their encryption key.
#The first field is a valid hostname for the client.
#The second field (separated by blanks or tabs) is the
#encryption key.
#
#Client Name     Key
#
203.128.6.10     test1
203.128.6.11     test2
203.128.6.12     test3

This file shows IP numbers of three client machines (Xyples MaxServers) along with encryption keys that are allowed to make requests to the RADIUS server. These encryption keys are used for communications between clients and server. This is necessary from a security point of view so that only authorized RADIUS clients can make requests to the RADIUS server.

Next create a file /etc/raddb/users for a user database consisting of user name, password, access method, etc. You can assign multiple access methods for a particular user. Also, you can give unlimited access to a particular user as far as access to a network or the communication server itself is concerned. I recommend giving a user only one access method, as shown in /etc/raddb/users:

,pre> # System administrator having unlimited # access to the system admin Password = "1klkea" # A typical Asternet user with PPP access. zelin Password = "raza34lp" User-Service-Type = Framed-User, Framed-Protocol = PPP # If a user is not found above, /etc/passwd # file is looked up for a user name and password # and then PPP access is granted. DEFAULT Password = "UNIX" User-Service-Type = Framed-User, Framed-Protocol = PPP

Finally, reboot the RADIUS server so that these changes take effect, or send a HUP signal to the inetd process and start radiusd manually at this stage.

Setting up RADIUS Clients

The Xyplex MaxServer1620 communications server acts as a RADIUS client. The IP address of the communications server is 203.128.6.10. First, enable RADIUS services on the communications server using the following commands:

DEF SERVER RADIUS ENABLED
DEF SERVER RADIUS PRIMARY SECRET "test1"
DEF SERVER RADIUS SECONDARY SECRET "test1"
DEF SERVER RADIUS PRIMARY SERVER 203.128.6.8
DEF SERVER RADIUS SECONDARY SERVER 203.128.6.2
DEF PORT 1-20 RADIUS SOLICITS ENAB
INIT DELAY 0

The first line enables RADIUS services on the communications server. The next two lines define secret keys to be used for any communication between the RADIUS client and server. Primary and secondary secrets are the keys that are placed in /etc/raddb/clients file on the primary and secondary RADIUS servers, respectively. The next two lines tell the communications server which are the primary and secondary RADIUS servers. Ports 1 to 20 are initialized to send login and password prompts to customers dialing to modems attached to these ports. The last line initializes the communications server. RADIUS is now fully functional on this network.

Security Considerations

In practice, within or associated with each RADIUS server is a database that associates user names with authentication information (secrets). It is not anticipated that a particular named user would be authenticated by multiple methods. This would make the user vulnerable to attacks that negotiate the least secure method within a set. Instead, for each named user there should be an indication of exactly one method used to authenticate that user name. If a user needs to use different authentication methods under different circumstances, then distinct user names should be employed, each of which identifies exactly one authentication method.

Passwords and other secrets should be stored at the respective ends so that access to them is limited. Ideally, the secrets should only be accessible to the process requiring access in order to perform the authentication. The secrets should be distributed with a mechanism that limits the number of entities that handle (and thus gain knowledge of) the secret. Ideally, no unauthorized person should ever gain knowledge of the secrets.

Giving Limited Access to Customers

In an ISP environment, customers often want to change their passwords. So there must be a way to allow customers to change passwords. So, we placed user names and passwords of all of our customers in /etc/passwd of the RADIUS server. We gave a login shell to all of these users so that when they telnet to the RADIUS server, they are allowed to change their passwords. Source code of this shell is:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

void main() {
char ch;
while(1) {
clrscr();
printf("\n WELCOME TO ASTERNET ON-LINE\n");
printf("\nPlease select one of the choices ...\n");
printf("1- Change your password\n");
printf("2- Exit\n\n");
printf("                              Your choice:");
ch=getchar();
switch(ch) {
case '1': system("passwd");
printf("Press Enter to continue...");
getchar();
getchar();
break;
default: exit(0);
} /* switch */
} /* while */
}

Now when users log into the RADIUS server through telnet, they get only two options: either change the password or log out.

Acknowledgements

This work was supported by a grant from the Ministry of Science and Technology, Government of Pakistan and Directorate of Research, Extensions and Advisory Services, University of Engineering and Technology, Lahore while I was completing a thesis work. I am grateful to all of the Asternet staff for providing help at every stage.