Chapter 29 - Maintaining The Router
RADIUS Authentication
RADIUS (Remote Authentication Dial In User Service), described in RFC 2865, is a
protocol designed to allow the centralization of authentication, authorization, and
configuration of various types of services. The goal of RADIUS authentication is
typically to restrict the distribution of account information and to avoid the replication
of security management effort.
The typical mode of operation involves a Network Access Server (NAS) – in this case
the RuggedRouter – and a remote RADIUS server, where account information is
stored. In the course of attempting to access connection-oriented services on the NAS,
a user presents credentials to the NAS for authentication. The NAS forwards these to
a configured RADIUS server and accepts from it the determination of whether the
user is allowed the requested access.
In order to protect the security of account information and of both the NAS and the
RADIUS server, transactions are encrypted and authenticated through the use of a
shared secret, which is never sent in the clear.
RADIUS deals with categories of authentication known as services. RuggedRouter
supports user logins via the LOGIN service, PPP connections via the PPP service and
non-root Web management via the WEBMIN service. The WEBMIN service allows
operator actions to be logged under his or her own login name (as opposed to “root”).
The LOGIN service consists of the following types of access:
• Console logins via serial port, modem and SSH
• SCP and SFTP (SSH file copies and file transfers)
• Logins to the rrsetup configuration interface (rrsetup account only)
Authentication requests for LOGIN services will attempt to use RADIUS first. If no
response is received from any configured RADIUS server, RuggedRouter will
authenticate against the local user database.
The PPP service includes incoming PPP connections via modem. Authentication
requests to the PPP service use RADIUS only. In the event that no response is
received from any configured RADIUS server, RuggedRouter will not complete the
authentication request.
The WEBMIN service includes access to the Webmin user interface. Webmin
accesses are authenticated first against the local user database. If the user does not
exist locally (the root account, for example, is always defined locally), then Webmin
will attempt to authenticate the user via RADIUS.
RuggedRouter supports RADIUS server redundancy. Multiple RADIUS servers,
usually operating from a common database, may be used to authenticate a new
session. If the first configured RADIUS server does not respond, subsequent servers
will be tried until a positive/negative acknowledgment is received or an attempt has
been made to contact all configured servers.
Each server is configured with an associated timeout which limits the time that
RuggedRouter will wait for a response. An authentication request could thus require
up to the sum of the timeouts of all configured servers.
The user has the option of designating different servers to authenticate the LOGIN,
PPP or WEBMIN services separately or in combination.
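The fail-over and per-service fallback rules above, worked through as an added example (this is not RuggedCom's code, and the hosts, timeouts, server replies and local accounts are constructed). It shows that the wait is bounded by the sum of the configured timeouts, that an explicit Access-Reject never falls back to the local database, and that LOGIN fails over to local accounts while PPP does not:

```python
# Added example (not RuggedCom's code): models the RADIUS server fail-over and
# per-service fallback rules this section describes. Hosts, timeouts, replies
# and the local user database below are constructed sample data.
import enum

class Reply(enum.Enum):
    ACCEPT = "accept"          # positive acknowledgement from a RADIUS server
    REJECT = "reject"          # negative acknowledgement from a RADIUS server
    NO_RESPONSE = "timeout"    # server stayed silent for its whole timeout

def query_radius(servers, user, password):
    """Try servers in configured order; stop at the first accept or reject.
    Returns (reply, seconds waited); the wait is bounded by the sum of all
    configured timeouts, exactly as the manual warns."""
    waited = 0
    for srv in servers:
        reply = srv["respond"](user, password)
        if reply is Reply.NO_RESPONSE:
            waited += srv["timeout"]   # a silent server costs its full timeout
            continue
        return reply, waited
    return Reply.NO_RESPONSE, waited

def authenticate(service, servers, local_db, user, password):
    """Return (allowed, deciding source, seconds waited) for one request."""
    if service == "WEBMIN" and user in local_db:
        # Webmin consults the local database first; RADIUS only for unknown users
        return local_db[user] == password, "local", 0
    reply, waited = query_radius(servers, user, password)
    if reply is Reply.ACCEPT:
        return True, "radius", waited
    if reply is Reply.REJECT:
        return False, "radius", waited   # explicit reject: no local fallback
    if service == "PPP":
        return False, "none", waited     # PPP is RADIUS-only: request not completed
    # no server answered: LOGIN falls back to the local user database
    return local_db.get(user) == password, "local", waited

def silent(user, password):          # models a server that is down
    return Reply.NO_RESPONSE

def account_server(user, password):  # models a server backed by the account database
    return Reply.ACCEPT if (user, password) == ("alice", "Wonderland1") else Reply.REJECT

SERVERS = [  # constructed configuration: primary down, secondary healthy
    {"host": "192.0.2.10", "timeout": 3, "respond": silent},
    {"host": "192.0.2.11", "timeout": 5, "respond": account_server},
]
ALL_DOWN = [dict(s, respond=silent) for s in SERVERS]
LOCAL_DB = {"root": "LocalRootPw", "alice": "StaleLocalPw"}  # constructed
```

Note that with both servers down a LOGIN attempt waits the full 8 seconds before the stale local password is accepted, which is why local accounts on the router should be kept as tightly controlled as the RADIUS database itself.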
RuggedCom 277