
Get IT Done: User-to-service, RADIUS completes the circle

Learn about RADIUS technology with this general introduction


The number of mobile professionals is increasing, along with the demand to support telecommuters. As a result, managing secure dial-up access to enterprise networks is becoming a major part of many administrators' responsibilities.

Why do I need RADIUS?
RADIUS, which stands for Remote Authentication Dial-in User Service, provides an important tool for centralized management of remote, even mobile, user access to networks over any IP (Internet Protocol) connection.

RADIUS consists of:
  • A RADIUS server, which maintains a database of authorized users
  • A RADIUS client, which has access to this server
  • A user seeking authentication

Livingston Enterprises (now owned by Lucent) developed RADIUS for UNIX platforms, but there are many implementations. Microsoft included some support for RADIUS in Windows NT 4.0, and Windows 2000 Server adds additional RADIUS tools. The version of RADIUS being implemented in Windows 2000 is an Internet Draft Standard.

Historical note
For the younger IT professionals in our audience, Lucent was Ma Bell, where C and UNIX originated.

Once again, I have to offer the disclaimer that this column is being written before the official shipping date for Windows 2000, so there may be changes in the actual release version. Please consider this a general introduction to RADIUS and how Microsoft says it intends to implement it, rather than a specific description of how it will operate in Windows 2000.

The three As
RADIUS supports the three keys of secure access: authentication, authorization, and accounting.

Authentication takes place when a user attempts to access a service on a RADIUS network and RADIUS security is turned on for that particular port: the username and password are compared against the RADIUS database. More sophisticated authentication methods can also be implemented.

Authorization for an approved user is then forwarded to the service device, along with the specifics of what that user is allowed to do, such as whether the user may be assigned an IP address for PPP communication and which filters, if any, are to be applied to the user's traffic.

Accounting means that authorized user sessions are logged either for billing or security purposes.
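To make the client/server exchange described above concrete, here is an added example that is not part of the original column and not code from any RADIUS vendor. It follows the packet layout of RFC 2865: the RADIUS client (the network access server) builds an Access-Request, hides the User-Password with the shared secret and a random Request Authenticator, and the server checks the credentials against its user database, answers with an Access-Accept carrying a Framed-IP-Address for PPP (the authorization step) or an Access-Reject, and hands back a record for the accounting log. The client then verifies the Response Authenticator, which is what stops a forged reply from a host that does not know the shared secret. The shared secret, the user "alice", her password and the address pool are constructed demo values; a real deployment would never ship a fixed secret in code.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8

def _encode_attrs(attrs):
    """Serialize (type, value) pairs as Type-Length-Value triples (value <= 253 bytes)."""
    out = b""
    for t, v in attrs:
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def _decode_attrs(data):
    """Parse TLV triples, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth  # the Request Authenticator seeds the chain
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; returns None for a malformed field, else the unpadded password."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        return None
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_packet(pkt):
    """Split a packet into (code, identifier, authenticator, attributes)."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > 4096:
        raise ValueError("length field does not match packet")
    return code, ident, pkt[4:20], _decode_attrs(pkt[20:])

def response_authenticator(header, request_auth, body, secret):
    """RFC 2865 3: MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + body + secret).digest()

def client_access_request(username, password, secret, ident, nas_ip):
    """NAS side: build an Access-Request and keep its random Request Authenticator."""
    request_auth = os.urandom(16)
    body = _encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
                          (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth

def server_handle(pkt, secret, user_db, ip_pool):
    """Server side: authenticate, authorize a PPP address, return the reply and a log record."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    pw = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    # Constant-time compare; unknown users are checked against a dummy value.
    ok = pw is not None and hmac.compare_digest(pw, user_db.get(user, b"\x00"))
    body = _encode_attrs([(FRAMED_IP_ADDRESS, socket.inet_aton(ip_pool[user]))] if ok else [])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    reply = header + response_authenticator(header, request_auth, body, secret) + body
    return reply, {"user": user, "nas": a.get(NAS_IP_ADDRESS), "accepted": ok}

def client_verify_reply(reply, request_auth, secret, expected_ident):
    """NAS side: discard replies not tied to our secret and outstanding request."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(reply[:4], request_auth, reply[20:], secret)
    if ident != expected_ident or not hmac.compare_digest(resp_auth, expected):
        return None
    return code, dict(attrs)

def demo(password):
    # Constructed values: secret, user database and address pool are made up for this demo.
    secret, users, pool = b"example-shared-secret", {"alice": b"correct horse battery staple"}, {"alice": "10.1.2.3"}
    pkt, request_auth = client_access_request("alice", password, secret, 7, "10.0.0.1")
    reply, record = server_handle(pkt, secret, users, pool)
    return client_verify_reply(reply, request_auth, secret, 7), record
```

Run `demo("correct horse battery staple")` to see an Access-Accept with the assigned address, and `demo("wrong")` for the reject; the second element of each result is the record you would write to the accounting log. The password hiding is the RFC's MD5-and-XOR scheme, which is only as strong as the shared secret, which is one reason the column's advice to keep the RADIUS server physically secure with very limited account access matters so much.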

The RADIUS advantage
One advantage of using RADIUS is the ability to maintain a single user-profile database, which is much easier to manage and secure than having user-access information distributed across various clients in the enterprise. On a properly configured RADIUS network, all access to network services can be controlled by the RADIUS server. A RADIUS server should be installed in a physically secure location with extremely limited account access.

Because of the heavy overhead imposed by RADIUS, large networks often use both a primary RADIUS server and one or more secondary authorization or accounting servers.

Windows NT 4.0 Server provided support for RADIUS clients operating through ISPs, while the Windows NT Option Pack added support for a RADIUS server.

Meet Win2K’s IAS
Microsoft says Windows 2000's IAS (Internet Authentication Service) will have full-fledged RADIUS functionality, support both authentication and accounting, and allow RADIUS authentication information to be stored in either Active Directory or a local database.

Microsoft's "Remote Access for Telecommuters and Mobile Workers" white paper, posted Sept. 13, 1999, states that management parameters available in IAS will include RADIUS-enforced policy regulation of privileges based on:
  • IP address
  • Manufacturer of the Network Access Server (NAS)
  • Group of the user
  • Service requested
  • Protocol used
  • Telephone number dialed by user
  • Originating phone number
  • Physical port used
  • Day or time
  • Originating client IP address
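The list above is a set of request attributes a server can condition access on. The following is an added example, written for this page and not Microsoft's IAS policy engine, that shows how such policies are typically expressed and evaluated: each policy is a set of conditions on those attributes (user group, NAS IP address, day and time, service, protocol, number dialed) plus an accept/reject action and a profile of settings to hand back. The group directory, the policies, the phone number and the first-match evaluation order are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed directory: which groups each user belongs to.
GROUPS = {"alice": {"telecommuters"}, "bob": {"contractors"}}

# Constructed policies, evaluated top to bottom, first match wins (an assumption
# about ordering; IAS's own engine is not modelled here). Each condition keys on
# one of the request attributes the white paper lists.
POLICIES = [
    {"name": "contractors, business hours, corporate NAS",
     "conditions": {"group": "contractors", "weekday": range(0, 5), "hour": range(8, 18),
                    "nas_ip": "10.0.0.0/24"},
     "action": "accept", "profile": {"session_timeout": 3600, "filter": "contractor-acl"}},
    {"name": "contractors at any other time",
     "conditions": {"group": "contractors"}, "action": "reject"},
    {"name": "telecommuters dialing the main pool number",
     "conditions": {"group": "telecommuters", "called_number": "5551000",
                    "service": "Framed", "protocol": "PPP"},
     "action": "accept", "profile": {"filter": "telecommuter-acl"}},
]

def _holds(kind, want, req):
    """Evaluate one condition against the request dict."""
    if kind == "group":
        return want in GROUPS.get(req["user"], set())
    if kind == "nas_ip":
        return ipaddress.ip_address(req["nas_ip"]) in ipaddress.ip_network(want)
    if kind == "weekday":
        return req["when"].weekday() in want
    if kind == "hour":
        return req["when"].hour in want
    # Remaining kinds (service, protocol, called/calling number, port, NAS vendor)
    # are exact matches; a missing attribute never satisfies a condition.
    return req.get(kind) == want

def evaluate(req):
    """Return (policy name, action, profile); no match means default deny."""
    for p in POLICIES:
        if all(_holds(k, v, req) for k, v in p["conditions"].items()):
            return p["name"], p["action"], p.get("profile", {})
    return None, "reject", {}

def request(user, nas_ip, when, **extra):
    """Build a request dict from the attributes a NAS would report (constructed)."""
    return {"user": user, "nas_ip": nas_ip, "when": when, **extra}

if __name__ == "__main__":
    wednesday = datetime(2000, 3, 1, 10, 0)
    print(evaluate(request("bob", "10.0.0.5", wednesday)))
    print(evaluate(request("bob", "10.0.0.5", datetime(2000, 3, 4, 10, 0))))  # Saturday
```

The important design point is the last line of `evaluate`: a request that matches no policy is rejected rather than accepted, so adding a new NAS or a new user group cannot silently widen access until someone writes a policy for it.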

Windows 2000 will support not only RADIUS access to its own services, but also access to other RADIUS networks. Such interoperability will greatly expand Windows 2000’s capabilities, as it can now be integrated with other systems.

For example, the Lucent Technologies (Livingston) "original brand" RADIUS for UNIX server version 2.1 is available in ready-to-run binary form for the following platforms:
  • Alpha Digital UNIX 4.0
  • BSD/OS 2.0 and 3.0
  • HP-UX 10.20
  • IBM RS6000 AIX 4.2
  • Red Hat Linux 5.0
  • SGI IRIX 6.3
  • Slackware Linux 2.0.30
  • Solaris 2.5.1
  • Solaris x86 2.5.1
  • SunOS 4.1.4

For more on Microsoft's use of RADIUS in Windows, see "Comparing Microsoft Windows NT Server with Novell NetWare 5." The Microsoft white paper compares everything from file and print services to networking and Web services on the two platforms.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

