Configuring RADIUS
This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system,
defines its operation, and identifies appropriate and inappropriate network environments for using
RADIUS technology. The “RADIUS Configuration Task List” section describes how to configure
RADIUS with the authentication, authorization, and accounting (AAA) command set.
For a complete description of the RADIUS commands used in this chapter, refer to the “RADIUS
Commands” chapter in the Cisco IOS Security Command Reference. To locate documentation of other
commands that appear in this chapter, use the command reference master index or search online.
In This Chapter
This chapter includes the following sections:
• RADIUS Overview
• RADIUS Operation
• RADIUS Configuration Task List
• RADIUS Attributes
• RADIUS Configuration Examples
RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the
Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a
central RADIUS server that contains all user authentication and network service access information.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with
any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA
security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all
Cisco platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security
while maintaining network access for remote users.
Cisco IOS Security Configuration Guide
SC-101
Use RADIUS in the following network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a “smart card” access control system. In one case, RADIUS
has been used with Enigma’s security cards to validate users and grant access to network resources.
• Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This
might be the first step when you make a transition to a Terminal Access Controller Access Control
System Plus (TACACS+) server.
• Networks in which a user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to a single protocol such as Point-to-Point
Protocol (PPP). For example, when a user logs in, RADIUS identifies this user as having
authorization to run PPP using IP address 10.2.3.4 and the defined access list is started.
• Networks that require resource accounting. You can use RADIUS accounting independent of
RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and
so on) used during the session. An Internet service provider (ISP) might use a freeware-based
version of RADIUS access control and accounting software to meet special security and billing
needs.
RADIUS is not suitable in the following network security situations:
• Multiprotocol access environments. RADIUS does not support the following protocols:
  – AppleTalk Remote Access (ARA)
  – NetBIOS Frame Control Protocol (NBFCP)
  – NetWare Asynchronous Services Interface (NASI)
  – X.25 PAD connections
• Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be
used to authenticate from one router to a non-Cisco router if the non-Cisco router requires RADIUS
authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps
occur:
1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:
   a. ACCEPT—The user is authenticated.
   b. REJECT—The user is not authenticated and is prompted to reenter the username and password,
   or access is denied.
   c. CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional
   data from the user.
   d. CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select
   a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network
authorization. You must first complete RADIUS authentication before using RADIUS authorization.
The additional data included with the ACCEPT or REJECT packets consists of the following:
• Services that the user can access, including Telnet, rlogin, or local-area transport (LAT)
connections, and PPP, Serial Line Internet Protocol (SLIP), or EXEC services.
• Connection parameters, including the host or client IP address, access list, and user timeouts.
RADIUS Configuration Task List
To configure RADIUS on your Cisco router or access server, you must perform the following tasks:
• Use the aaa new-model global configuration command to enable AAA. AAA must be configured if
you plan to use RADIUS. For more information about using the aaa new-model command, refer to
the “AAA Overview” chapter.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication. For more information about using the aaa authentication command, refer to the
“Configuring Authentication” chapter.
• Use line and interface commands to enable the defined method lists to be used. For more
information, refer to the “Configuring Authentication” chapter.
The following configuration tasks are optional:
• If needed, use the aaa server group command to group selected RADIUS hosts for specific
services. For more information about using the aaa server group command, refer to the
“Configuring AAA Server Groups” section in this chapter.
• If needed, use the aaa dnis map command to select RADIUS server groups based on DNIS number.
To use this command, you must define RADIUS server groups using the aaa server group
command. For more information about using the aaa dnis map command, refer to the “Configuring
AAA Server Group Selection Based on DNIS” section in this chapter.
• If needed, use the aaa authorization global command to authorize specific user functions. For more
information about using the aaa authorization command, refer to the “Configuring Authorization”
chapter.
• If needed, use the aaa accounting command to enable accounting for RADIUS connections. For
more information about using the aaa accounting command, refer to the “Configuring Accounting”
chapter.
This section describes how to set up RADIUS for authentication, authorization, and accounting on your
network, and includes the following sections:
• Configuring Router to RADIUS Server Communication (Required)
• Configuring Router to Use Vendor-Specific RADIUS Attributes (Optional)
• Configuring Router for Vendor-Proprietary RADIUS Server Communication (Optional)
• Configuring Router to Query RADIUS Server for Static Routes and IP Addresses (Optional)
• Configuring Router to Expand Network Access Server Port Information (Optional)
• Configuring AAA Server Groups (Optional)
• Configuring AAA Server Group Selection Based on DNIS (Optional)
• Specifying RADIUS Authentication
• Specifying RADIUS Authorization (Optional)
• Specifying RADIUS Accounting (Optional)
For RADIUS configuration examples using the commands in this chapter, refer to the “RADIUS
Configuration Examples” section at the end of this chapter.
Configuring Router to RADIUS Server Communication
The RADIUS host is normally a multiuser system running RADIUS server software from Livingston,
Merit, Microsoft, or another software provider. Configuring router to RADIUS server communication
can have several components:
• Host name or IP address
• Authentication destination port
• Accounting destination port
• Timeout period
• Retransmission value
• Key string
RADIUS security servers are identified on the basis of their host name or IP address, host name and
specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP
address and UDP port number creates a unique identifier, allowing different ports to be individually
defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier
enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two
different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry configured acts as fail-over backup to the first one. Using this
example, if the first host entry fails to provide accounting services, the network access server will try the
second host entry configured on the same device for accounting services. (The RADIUS host entries will
be tried in the order they are configured.)
A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange
responses. To configure RADIUS to use the AAA security commands, you must specify the host running
the RADIUS server daemon and a secret text (key) string that it shares with the router.
The timeout, retransmission, and encryption key values are configurable globally for all RADIUS
servers, on a per-server basis, or in some combination of global and per-server settings. To apply these
settings globally to all RADIUS servers communicating with the router, use the three unique global
commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these
values on a specific RADIUS server, use the radius-server host command.
Note
You can configure both global and per-server timeout, retransmission, and key value
commands simultaneously on the same Cisco network access server. If both global and
per-server functions are configured on a router, the per-server timer, retransmission, and
key value commands override global timer, retransmission, and key value commands.
To configure per-server RADIUS server communication, use the following command in global
configuration mode:
Command
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key string]
Purpose
Specifies the IP address or host name of the remote RADIUS server host and assigns authentication
and accounting destination port numbers. Use the auth-port port-number option to configure a
specific UDP port on this RADIUS server to be used solely for authentication. Use the acct-port
port-number option to configure a specific UDP port on this RADIUS server to be used solely for
accounting.
To configure the network access server to recognize more than one host entry associated with a
single IP address, simply repeat this command as many times as necessary, making sure that each
UDP port number is different. Set the timeout, retransmit, and encryption key values to use with
the specific RADIUS host. If no timeout is set, the global value is used; otherwise, enter a value in
the range 1 to 1000. If no retransmit value is set, the global value is used; otherwise, enter a value
in the range 1 to 1000. If no key string is specified, the global value is used.
Note
The key is a text string that must match the encryption key used on the RADIUS server. Always
configure the key as the last item in the radius-server host command syntax because the leading
spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your
key, do not enclose the key in quotation marks unless the quotation marks themselves are part of
the key.
To configure global communication settings between the router and a RADIUS server, use the following
radius-server global configuration commands:
Step 1: radius-server key string
Specifies the shared secret text string used between the router and a RADIUS server.
Step 2: radius-server retransmit retries
Specifies the number of times the router transmits each RADIUS request to the server before giving up
(the default is three).
Step 3: radius-server timeout seconds
Specifies the number of seconds a router waits for a reply to a RADIUS request before retransmitting the
request.
Step 4: radius-server deadtime minutes
Specifies the number of minutes a RADIUS server, which is not responding to authentication requests, is
passed over by requests for RADIUS authentication.