Join Lisa Bock for an in-depth discussion in this video, Introducing RADIUS, part of IT Security Foundations: Operating System Security.
- When providing access control to external users, we have some choices. First of all, we're looking at one choice being decentralized access control. Access control which is decentralized gives control of the access to the people who are closer to the resource. Decentralized access control, however, has no method for consistent control. Centralized access control gives a single, centralized entity the ability to oversee access to the corporate resources and provides a consistent and uniform method of controlling access.
Now, one of the methods we can use for access control when having users from the outside come in is RADIUS. RADIUS is Remote Authentication Dial-In User Service. Now we say "dial-in," and that is because this protocol was developed in the late '90s. Now we know at this point there are a lot of other choices, but this is still a great protocol. RADIUS provides authentication and authorization and is what's considered a client-server model, whereby a network access server is a client of the RADIUS server.
RADIUS provides a number of flexible authentication options. Now when we take a look at one, the Challenge Handshake Authentication Protocol, or CHAP: CHAP is a challenge-response authentication. We also see it supports Password Authentication Protocol, or PAP. PAP is similar to a normal login procedure. RADIUS also assures secure communication, meaning the client and RADIUS use a shared secret that is local and not sent over the network.
Any passwords sent between the client and RADIUS server are encrypted. Now let's step through this process. We see that in using RADIUS, we have a remote client that would like to gain access to the internal network. The remote client goes into the network and first gains access to a network access server. Now, this is the client of the RADIUS server. The RADIUS server checks the user accounts and the name and password given by the user: the network access server passes the user information to the RADIUS server, and then acts on the response received.
They're either allowed or denied permission to access the corporate network. RADIUS is now being used for wireless authentication. Now when we take a look at wireless authentication, there are a couple of terms that we'll use. First of all, the wireless client is called the supplicant. That is the client that wants to be authenticated. The RADIUS server provides the authentication. And the device in between, such as a wireless access point, is called the authenticator.
When configuring wireless access using RADIUS, you would use WPA or WPA2 Enterprise. Then from the encryption algorithm drop-down list, you would select the most appropriate encryption method. Similar to RADIUS, but an extension of RADIUS, is TACACS, the Terminal Access Controller Access Control System. This provides access control for routers, network access servers, and other networked computing devices.
It's an authentication program used on Unix and Linux systems. It's an extension of the RADIUS protocol and it uses TCP, not UDP, and another benefit is that it separates authentication, authorization, and accounting. Keep in mind that the RADIUS protocol is set up by the network administrator. I'm going to show you here, in Server 2008, some of the steps just taken behind the scenes that would enable a RADIUS client to be set up.
I'm going to go into Server Manager, and here I would see RADIUS Clients and Servers. And I would then Add a new RADIUS Client at this point. So RADIUS provides great, centralized access control providing a consistent and uniform method of controlling access.
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.