Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
FreeRADIUS Beginner's Guide

You're reading from   FreeRADIUS Beginner's Guide Master authentication, authorization, and accessing your network resources using FreeRADIUS

Arrow left icon
Product type Paperback
Published in Sep 2011
Publisher Packt
ISBN-13 9781849514088
Length 344 pages
Edition 1st Edition
Arrow right icon
Toc

Table of Contents (16) Chapters Close

Preface 1. Introduction to AAA and RADIUS FREE CHAPTER 2. Installation 3. Getting Started with FreeRADIUS 4. Authentication 5. Sources of Usernames and Passwords 6. Accounting 7. Authorization 8. Virtual Servers 9. Modules 10. EAP 11. Dictionaries 12. Roaming and Proxying 13. Troubleshooting A. Pop Quiz Answers Index
Authentication, Authorization, and Accounting

Users gain access to data networks and network resources through various devices. This happens through a wide range of hardware. Ethernet switches

, Wi-Fi access points, and VPN servers all offer network access.

When these devices are used to control access to a network, for example a Wi-Fi access point with WPA2 Enterprise security implemented or an Ethernet switch with 802.1x (EAP) port-based authentication enabled, they are referred to as a Network Access Server (NAS).

All these devices need to exercise some form of control to ensure proper security and usage. This requirement is commonly described as Authentication, Authorization, and Accounting (AAA). AAA is also sometimes referred to as the Triple A Framework. AAA is a high-level architecture model, which can be used for specific implementations.

AAA is specified through various RFCs. Generic AAA Architecture is specified in RFC 2903. There are also RFCs that cover different AAA aspects.

Authentication

Authentication is usually the first step taken in order to gain access to a network and the services it offers. This is a process to confirm whether the credentials which Alice provided are valid. The most common way to provide credentials is by a username and password. Other ways such as one-time tokens, certificates, PIN numbers, or even biometric scanning can also be used.

After successful authentication a session is initialized. This session lasts until the connection to the network is terminated.

Note

Who is Alice?

Alice and Bob are placeholder names. In fact there is a whole character set, each representing a specific role. We will use the following placeholder names:

Alice: A user who wants access to our network

Bob: Another user who wants access to our network

Isaac: The Internet Service Provider (ISP)/our network

You can read more about them on Wikepedia: http://en.wikipedia.org/wiki/Alice_and_Bob.

The following image illustrates an authentication process by using the common activity of drawing money from an ATM as an example. This in essence lets you gain access to the bank's network (although it is limited in the extreme).

Authentication

Authorization

Authorization is a means by which Isaac controls the usage of the resources. After Alice has authenticated herself, Isaac can impose certain restrictions or grant certain privileges. Isaac can, for instance, check from which device Alice accesses the network and based on this make a decision. He can limit the number of open sessions that Alice can have, give her a pre-determined IP Address, only allow certain traffic through, or even enforce Quality of Service (QoS) based on an SLA.

Authorization usually involves logic. If Alice is part of the student group then no Internet access is allowed during working hours. If Bob accessed the network through a captive portal then a bandwidth limit is imposed to prevent him from hogging the Internet connection.

Logic can be based on numerous things. Authorization decisions for instance can be based on group membership or the NAS through which you connect or even the time of day when you access our resources.

If we take the previous ATM example we can see that if Alice does not have an overdraft facility she will be limited on the amount of money she can withdraw.

Authorization

Accounting

Accounting is a means of measuring the usage of resources. After Isaac has established who Alice is and imposed proper control on the established session, he can also measure her usage. Accounting is the ongoing process of measuring usage.

This allows Isaac to track how much time or resources Alice spends during an established session. Obtaining accounting data allows Isaac to bill Alice for the usage of his resources. Accounting data is not only useful to recover costs but it allows for capacity planning, trend analysis, and activity monitoring.

When Alice wants to check her usage and availability of money the ATM offers this functionality. The Bank of Isaac can also monitor her account and discover if she is usually broke before the end of the month. They can then offer her an overdraft facility.

Accounting

RADIUS is a protocol which is used to provide AAA on TCP/IP networks. The next section will continue with more on the RADIUS protocol.

You have been reading a chapter from
FreeRADIUS Beginner's Guide
Published in: Sep 2011
Publisher: Packt
ISBN-13: 9781849514088
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image