Authentication, Authorization and Accounting (AAA) Protocols

Total Page:16

File Type:pdf, Size:1020Kb

Authentication, Authorization and Accounting (AAA) Protocols Authentication, Authorization and Accounting (AAA) Protocols Agententechnologien in der Telekommunikation Sommersemester 2009 Babak Shafieian [email protected] A O T Agententechnologien in betrieblichen Anwendungen 10.06.2009 und der Telekommunikation Overview A O T Agententechnologien in der Telekommunikation - 2 TU Berlin Motivation (Why AAA?) Ö Telecommunications services are a global market worth over US$ 1.5 trillion in revenue. Home Entertainment Voice over IP (VoIP) Multimedia Conference Messaging/ Presence A O T Agententechnologien in der Telekommunikation - 3 TU Berlin Authentication (Who is [email protected]) Ö Authentication is the process of verifying user’s identity using credentials like username, password or certificates. Ö After the successful match of user’s authentication credentials with the credentials stored in the database of the service provider, the user is granted access to the network, otherwise the access is denied. A O T Agententechnologien in der Telekommunikation - 4 TU Berlin Authorization Ö Is the process of enforcing policies. It determines what types or qualities of network resources or specific services the user is permitted. Ö By using the access policy defined for a specific user, the service provider grants or rejects the access requests from the user. Ö Access policy could be applied on a per user or group basis. A O T Agententechnologien in der Telekommunikation - 5 TU Berlin Accounting Ö Is the process of keeping track of what the user is doing. Ö It includes: Amount of the time spent in the network (duration of session) Number of packets(or bytes) transmitted during a session. The accessed services during a session. Ö It may be used for: Billing Trend analysis Capacity planning and resource utilization Auditing A O T Agententechnologien in der Telekommunikation - 6 TU Berlin History of AAA Ö 1950’s/60’s: Classic Login Good old terminal logins on mainframes Ö 1993: TACACS (RFC 1492) Terminal Access Controller Access-Control System (TACACS) was originally designed to handle the access control in ARPANET. XTACACS is the extended version introduced by Cisco. The current version TACACS+ is an entirely new protocol and not compatible with older versions. Ö 1997: RADIUS (RFC 2058/2138/2865) Ö 1998: Diameter Framework Document (Internet Draft) Ö 2003: Diameter Base Protocol (RFC 3588) Ö 2005: Diameter Mobile IPv4 Application (RFC 4004) A O T Agententechnologien in der Telekommunikation - 7 TU Berlin IRTF AAA Research Group Ö The Authentication, Authorization and Accounting Working Group focused on the development of requirements for Authentication, Authorization and Accounting as applied to network access. Ö Archive available under http://www.aaaarch.org/ Ö Major RFCs: RFC 2903 Generic AAA Architecture RFC 2904 AAA Authorization Framework RFC 2905 AAA Authorization Application Examples RFC 2906 AAA Authorization Requirements A O T Agententechnologien in der Telekommunikation - 8 TU Berlin Overview A O T Agententechnologien in der Telekommunikation - 9 TU Berlin AAA Architecture A O T Agententechnologien in der Telekommunikation - 10 TU Berlin AAA Components Ö End-User: Establishes a connection to the NAS via PPP and sends his credentials to it. Ö AAA Client: Gets the requests from the end-user and communicates via RADIUS protocol with AAA server. If the user could not be authenticated locally via PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), the AAA client sends a request to the AAA server. Ö AAA Server: The user data are stored in a database, LDAP directory or a text file. A O T Agententechnologien in der Telekommunikation - 11 TU Berlin Flow of AAA Communication A O T Agententechnologien in der Telekommunikation - 12 TU Berlin Flow of AAA Communication 1) In order to establish a connection with the network, the user sends his credentials to the AAA client. 2) The AAA client sends an Access-Request including user’s data to the AAA server. 3) The AAA server verifies the user’s credentials. In the case of successful authentication it replies with an Access-Accept otherwise with an Access-Reject. 4) The accounting data are sent to the AAA server after the user’s log-in and log-off. Other service related information could be also sent to the AAA server. A O T Agententechnologien in der Telekommunikation - 13 TU Berlin AAA Failover Ö For the sake of failover the administrator can define a list of AAA servers. t If the R1-Server responds with the PASS to the authentication request, then the access is granted. t If the R1- Server responds with the FAIL to the authentication request, then the access is rejected. t If there is no response at all from R1-Server, then the R2-Server is contacted. A O T Agententechnologien in der Telekommunikation - 14 TU Berlin Authorization Sequences Ö There are three types of communication relationships between the AAA components (in RFC 2904 as Single Domain Case Message Sequences): 1) Agent Sequence 2) Pull Sequence 3) Push Sequence A O T Agententechnologien in der Telekommunikation - 15 TU Berlin Agent Sequence 1) The user sends a request to the AAA-Server 2) The AAA-Server authenticates the user and verifies whether the user is authorized for the service and requests the service from the service provider. 3) The service provider accepts the request. 4) The AAA-Server lets the user know that the access to service is granted. A O T Agententechnologien in der Telekommunikation - 16 TU Berlin Pull Sequence 1) The user asks the AAA-Server directly for the service. 2) The service provider authenticates the user and verifies user’s credentials via AAA- Server. 3) The AAA-Server sends back the result. 4) The service provider provides the service. A O T Agententechnologien in der Telekommunikation - 17 TU Berlin Push Sequence 1) The user is directly authenticated by the AAA-Server 2) The AAA-Server issues a signed ticket containing the authorization details. 3) The user presents the ticket to the service provider. 4) The service provider provides the service. A O T Agententechnologien in der Telekommunikation - 18 TU Berlin Overview A O T Agententechnologien in der Telekommunikation - 19 TU Berlin AAA in CDMA A O T Agententechnologien in der Telekommunikation - 20 TU Berlin AAA in CDMA Ö Access Network AAA: Enables authentication and authorization functions at the AN. Ö Broker AAA: Acts as an intermediary to proxy AAA traffic between roaming partner networks. (i.e., home network and serving network) Ö Home AAA: The H-AAA is similar to the HLR in voice. The H-AAA stores user profile information, responds to authentication requests, and collects accounting information. Ö Visited AAA: The V-AAA communicates with the H-AAA. Authentication requests and accounting information are forwarded by the V-AAA to the H-AAA, either directly or through a B-AAA. A O T Agententechnologien in der Telekommunikation - 21 TU Berlin Overview A O T Agententechnologien in der Telekommunikation - 22 TU Berlin RADIUS History Ö 1991: Originally specified by Merit Network to control dial-in access to NSFNET. Ö 1993: First RADIUS server developed by Livingston Enterprises. Ö 1996: IETF formalized Livingston’s work in 1996 by appointing RADIUS WG (Working Group). Ö 1997: First RADIUS RFC (RFC 2058) Ö 2001: RADIUS and IPv6 (RFC 3162) Ö 2008: RADIUS Extension for Digest Authentication (RFC 5090) A O T Agententechnologien in der Telekommunikation - 23 TU Berlin RADIUS Functionality Ö Basics: RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. Ö Client-server-based operations: A RADIUS client resides on a NAS (e.g. WLAN access point, Foreign Agent, GGSN) collects user’s requests and forwards them to the RADIUS server. The RADIUS server may handle them locally or acts as a proxy for another RADIUS server. Ö Network Security: The communication between a RADIUS client and server is authenticated by a shared secret key that is never sent over the network. The passwords are obfuscated using shared secrets along with the MD5 hashing algorithm. A O T Agententechnologien in der Telekommunikation - 24 TU Berlin RADIUS Functionality Ö Authentication Methods: RADIUS supports a wide range of authentication methods like PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) and EAP (Extended Authentication Protocol). Ö Attribute Value Pairs (AVP): Transports AAA information in a RADIUS message. New attributes could be added. A O T Agententechnologien in der Telekommunikation - 25 TU Berlin RADIUS Packet 1 Ö Code: determines the type of message. Ö Identifier: helps to match requests and replies. Ö Length: indicates the length of the entire RADIUS packet. A O T Agententechnologien in der Telekommunikation - 26 TU Berlin RADIUS Packet 2 Ö Authenticator: is used to authenticate the reply from the RADIUS server, and is used in encrypting passwords. Ö Attributes: contains the AAA information and configuration details regarding the requests/responses. A O T Agententechnologien in der Telekommunikation - 27 TU Berlin Major RADIUS Codes A O T Agententechnologien in der Telekommunikation - 28 TU Berlin Attribute-Value Pair (AVP) A O T Agententechnologien in der Telekommunikation - 29 TU Berlin RADIUS Example – ISP Dial-In 1) User initiates PPP authentication to the NAS. 2) NAS prompts for username and password (if PAP) or challenge (if CHAP). 3) User replies. 4) RADIUS client sends username and encrypted password to the server. 5) RADIUS server responds with Accept, Reject, or Challenge. 6) The RADIUS client acts upon services parameters bundled with response. A O T Agententechnologien in der Telekommunikation - 30 TU Berlin Overview A O T Agententechnologien in der Telekommunikation - 31 TU Berlin Extensible Authentication Protocol (EAP) Ö Is a authentication framework used in wireless networks and PPP connections. Ö IETF Standard (defined in RFC 3748) Ö It runs directly over data link layers such as PPP or IEEE 802.
Recommended publications
  • Operations T. Dahm Internet-Draft A. Ota Intended Status: Informational Google Inc Expires: July 30, 2020 D
    Operations T. Dahm Internet-Draft A. Ota Intended status: Informational Google Inc Expires: July 30, 2020 D. Medway Gash Cisco Systems, Inc. D. Carrel vIPtela, Inc. L. Grant January 27, 2020 The TACACS+ Protocol draft-ietf-opsawg-tacacs-17 Abstract This document describes the Terminal Access Controller Access-Control System Plus (TACACS+) protocol which is widely deployed today to provide Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 30, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Dahm, et al. Expires July 30, 2020 [Page 1] Internet-Draft The TACACS+ Protocol January 2020 carefully, as they describe your rights and restrictions with respect to this document.
    [Show full text]
  • Cisco Products Quick Reference Guide December 2004
    Cisco SYSTEMS pII Cisco Product Quick Reference Guide December 2004 Table of Contents Introduction Routing Switching Wireless LAN Voice and IP Communications VPN and Security Content Networking Broadband and Dial Access Optical Networking lOS Software and Network Management 10 Storage Networking Cicro SYsTEr Cisco Products Quick Reference Guide December 2004 Corporate Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 951 34-1706 USA http//wvvw.cisco.com Tel 408 526-4000 800 553-NETS 6387 Customer Order Number 78-5983-13 Text Part Number 78-5983-13 Gisco Products Quick Reference Guide Copyright 2005 Cisco Systems Inc All rights reserved Gener Discbimer Although Cisco has attempted to provide accurate information in this Guide Cisco assumes no responsibility for the accuracy of the information Cisco may change the programs or products mentioned at any time without prior notice Mention of non-Cisco products or services is for information purposes only and constitutes neither an endorsement nor recommendation of such products or services or of any company that develops or sells such products or services ALL INFORMATION PROVIDED ON THIS WEB SITE IS PROVIDED AS IS WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR PARTICULAR PURPOSE AND NONINFRJNGEMENT OR ARISING FROM COURSE OF DEALING USAGE OR TRADE PRACTICE CISCO AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY INDIRECT
    [Show full text]
  • Single Sign-On the Way It Should Be
    Single sign-on the way it should be 6 ways Citrix Workspace delivers seamless access to all apps while improving security and the user experience Contents Single sign-on (SSO) solutions .......................................................................3 Secure access to everything ...........................................................................5 Granular controls for SaaS apps and the web ...........................................6 Control over your user identity ......................................................................7 Security beyond user names and passwords ............................................8 Seamless integration with your existing environment ..........................9 Resolving issues faster with end-to-end visibility ............................... 10 ↑ Back← Pg. to 2 contents | Pg. 4 → Citrix.com 2 Single sign-on (SSO) solutions were designed to make life easier for employees and IT. They’re meant to reduce the cost of management and provide better security, all while delivering an improved user experience. However, many solutions fall short, covering only one type or a subset of application types. This forces you to implement several access solutions from different vendors to cover your entire application landscape — negating the productivity and user experience benefits you hoped for. The complexity this type of implementation creates also runs counter to the Zero Trust initiatives that many organizations are undertaking Citrix Workspace helps you unify all apps and data across your distributed IT architecture to provide single sign-on to all the applications and data people need to be productive. Working with your existing infrastructure, Citrix Access Control consolidates multiple remote access solutions, like traditional VPNs or SSO solutions, simplifying management for IT and providing unified access for employees. ↑ Back to contents ← Pg. 2 | Pg. 4 → 3 Citrix.com | e-book | Choosing a Single Sign-On Solution ↓ 6 benefits of the Citrix Workspace SSO solution ↑ ← Pg.
    [Show full text]
  • Operations T. Dahm Internet-Draft A. Ota Intended Status: Informational Google Inc Expires: January 9, 2017 D
    Operations T. Dahm Internet-Draft A. Ota Intended status: Informational Google Inc Expires: January 9, 2017 D. Medway Gash Cisco Systems, Inc. D. Carrel vIPtela, Inc. L. Grant July 8, 2016 The TACACS+ Protocol draft-ietf-opsawg-tacacs-04 Abstract TACACS+ provides Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. This document describes the protocol that is used by TACACS+. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 9, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Dahm, et al. Expires January 9, 2017 [Page 1] Internet-Draft The TACACS+ Protocol July 2016 to this document.
    [Show full text]
  • 7750 SR OS System Management Guide
    7750 SR OS System Management Guide Software Version: 7750 SR OS 10.0 R1 February 2012 Document Part Number: 93-0071-09-01 *93-0071-09-01* This document is protected by copyright. Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2012 Alcatel-Lucent Alcatel-Lucent. All rights reserved. Table of Contents Preface. .13 Getting Started Alcatel-Lucent 7750 SR Router Configuration Process . .17 Security Authentication, Authorization, and Accounting . .20 Authentication . .21 Local Authentication . .22 RADIUS Authentication . .22 TACACS+ Authentication. .25 Authorization . .26 Local Authorization. .27 RADIUS Authorization . .27 TACACS+ Authorization. .27 Accounting. .28 RADIUS Accounting . .28 TACACS+ Accounting . .28 Security Controls . .30 When a Server Does Not Respond . .30 Access Request Flow . .31 CPU Protection . .32 CPU Protection Extensions ETH-CFM . .36 Vendor-Specific Attributes (VSAs) . .38 Other Security Features . .39 Secure Shell (SSH) . .39 Per Peer CPM Queuing. .41 CPM Filters and Traffic Management . .42 TTL Security for BGP and LDP . .43 Exponential Login Backoff . .43 User Lockout . .45 Encryption . .46 802.1x Network Access Control . .46 TCP Enhanced Authentication Option. .46 Packet Formats . .48 Keychain. .49 Configuration Notes . .50 General . .50 Configuring Security with CLI . .51 Setting Up Security Attributes. .52 Configuring Authentication . .52 Configuring Authorization .
    [Show full text]
  • Catalyst 9600 Switches)
    Security Configuration Guide, Cisco IOS XE Gibraltar 16.11.x (Catalyst 9600 Switches) First Published: 2019-04-17 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Centralized Authentication Services (Radius, Tacacs, Diameter)
    83-10-32 DATA SECURITY MANAGEMENT CENTRALIZED AUTHENTICATION SERVICES (RADIUS, TACACS, DIAMETER) Bill Stackpole INSIDE Key Features of an AAA Service; RADIUS: Remote Authentication Dial-in User Service; TACACS: Terminal Access Controller Access Control System; DIAMETER: Twice RADIUS? INTRODUCTION RADIUS, TACACS, and DIAMETER are classified as authentication, autho- rization, and accounting (AAA) servers. The Internet Engineering Task Force (IETF) chartered an AAA Working Group in 1998 to develop the authentication, authorization, and accounting requirements for network access. The goal was to produce a base protocol that supported a num- ber of different network access models, including traditional dial-in net- work access servers (NAS), Mobile-IP, and roaming operations (ROAMOPS). The group was to build upon the work of existing access providers like Livingston Enterprises. Livingston Enterprises originally developed RADIUS (Remote Authen- tication Dial-in User Service) for their line of network access servers (NAS) to assist timeshare and Internet service providers with billing infor- mation consolidation and connection configuration. Livingston based RA- DIUS on the IETF distributed security model and actively promoted it PAYOFF IDEA through the IETF Network Access Got the telecommuter, mobile workforce, VPN, Server Requirements Working Group multi-platform, dial-in user authentication blues? Need a centralized method for controlling and au- in the early 1990s. The client/server diting external accesses to your network? Then design was created to be open and RADIUS, TACACS, or DIAMETER may be just what extensible so it could be easily you have been looking for. Flexible, inexpensive, adapted to work with other third- and easy to implement, these centralized authen- party products.
    [Show full text]
  • Fortiauthenticator Administration Guide Contains the Following Sections
    FortiAuthenticator - Administration Guide Version 6.2.0 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://fortiguard.com/ END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: [email protected] January 15, 2021 FortiAuthenticator 6.2.0 Administration Guide 23-620-657445-20210115 TABLE OF CONTENTS Change Log 9 What's new in FortiAuthenticator 10 FortiAuthenticator 6.2.0 10 REST API enhancements 10 TACACS+ support 10 SAML IdP Proxy: 0365 Azure/ADFS hybrid support 10 Get Windows AD nested groups during SAML IdP configuration 10 REST API key visibility for Admin users 11 RADSEC support 11 SCEP enrollment requests search 11 LDAP group filter support for remote RADIUS realms 11 Sync certificate bindings to load balancers 11 Show Password toggle included in replacement messages 11 Legacy Self-service Portal disabled by default 12 Additional SCEP CRL/OCSP enrollment options 12 Revoked/expired user certificates hidden by default 12 Richer logs for self-registered users 12 Usernames included in FTM activation messages 12 FTC: Sync email and mobile number 13 SNMP trap for RAID status changes 13 Administrator password required before changes can be made to administrator accounts 13 FortiAuthenticator
    [Show full text]
  • Identity Awareness Reference Architecture and Best Practices
    CHECK POINT Identity Awareness Reference Architecture and Best Practices INTRODUCTION There is a wealth of contextual metadata available about network devices once they join a network. Traditional firewalls that enforce security policies defined with IP addresses are largely unaware of the user and device identities behind those IP addresses. They rely on static rule bases and are unable to enforce dynamic users and role-based access, or provide important metadata and context in logs and security reports. “New partnership and customer engagement models have extended the identity boundary of today's digital businesses: Security pros must manage identities and access across a variety of populations (employees, partners, and customers), device access methods, and hosting models. A strong digital IAM strategy protects the firm and its customers from sophisticated cybercrimin als and improves efficiencies.” Forrester 2018 [1] THE IDENTITY PROCESS Network Authentication, Authorization, and Accounting (AAA, pronounced "triple-A") has been in use since the dawn of the Internet. Authentication asks the question, "Who or what are you?" Authorization asks, "What are you allowed to do?" And finally, Accounting wants to know, "What did you do?" Authentication – Who or What are You? Check Point devices usually learn who the user is from other devices, but there are cases where Check Point authenticates the user, e.g. through remote VPN access or a captive portal where the user’s network request is redirected to a browser-based authentication page. The client platform may be Windows, macOS, Linux, Android or Apple iOS. The authentication method may be one or more of a username/password or a digital certificate in a Check Point database.
    [Show full text]
  • Diameter Next Generation's AAA Protocol Håkan Ventura
    Diameter next generation’s AAA protocol Master thesis in Information theory by Håkan Ventura LiTH-ISY-EX-3232-2002 2002-04-25 Diameter next generation’s AAA protocol Master thesis in Information theory at Linköpings Tekniska Högskola by Håkan Ventura LiTH-ISY-EX-3232-2002 Handledare: Miguel Garcia, Peter Cederstrand Examinator: Viiveke Fåk Linköping 2002-04-25 ii Avdelning, Institution Datum Division, Department Date 2002-04-25 Institutionen för Systemteknik 581 83 LINKÖPING Språk Rapporttyp ISBN Language Report category Svenska/Swedish Licentiatavhandling ISRN LITH-ISY-EX-3232-2002 X Engelska/English X Examensarbete C-uppsats Serietitel och serienummer ISSN D-uppsats Title of series, numbering Övrig rapport ____ URL för elektronisk version http://www.ep.liu.se/exjobb/isy/2002/3232/ Titel Diameter - Nästa generations AAA protocol Title Diameter - Next generation’s AAA protocol Författare Håkan Ventura Author Sammanfattning Abstract The need for AAA protocols in the world are increasing and todays most common protocols RADIUS and TACACS+, cannot cope with the fast advances in fields benefiting from the use of AAA protocols. This is why IETF has developed the protocol Diameter as a next generations AAA protocol. The objective of this thesis is to account for the work conducted with Diameter as well as to determine if it is going to become the major AAA protocol of the next generation. In this thesis, I describe what Diameter is, its close integration with the Mobile IP protocol and its other uses. As Diameter is based on RADIUS an introduction to AAA and RADIUS is given in order to comprehend where we are today and where we are going as well as to why.
    [Show full text]
  • Radius: a Remote Authentication Dial-In User Service
    InSight: RIVIER ACADEMIC JOURNAL, VOLUME 5, NUMBER 2, FALL 2009 RADIUS: A REMOTE AUTHENTICATION DIAL-IN USER SERVICE Daniel Szilagyi*, Arti Sood** and Tejinder Singh§ M.S. in Computer Science Program, Rivier College Abstract This paper provides an overview of RADIUS deployment in the network. It also introduces the various protocols, such as EAP, that is used to implement this service, and PAP, CHAP, MSCHAP, EAP-TLS, EAP-TTLS, EAP- LEAP, EAP-FAST, EAP-FAST that provide authentication mechanisms. These protocols are not discussed in detail but only to present the idea of workflow as to how the RADIUS works in conjunction with them. The role of RADIUS is outlined in point-to-point and VPN connection. Also the 802.1x framework and RADIUS are described briefly. The various AAA protocols are discussed briefly along with DIAMETER, an enhanced version of the RADIUS protocol. This paper is intended for readers with Computer Science or Information Technology background. 1. Overview With growing numbers of remote users like telecommuters using wireless laptops, PDA(s) trying to access the network, Remote Authentication Dial-In User Service (RADIUS) is widely used. RADIUS, a distributed service, provides centralized management of user access control and security. RADIUS manages and secures the Wireless Local Area Network (WLAN), remote Virtual Private Network (VPN), and wired access. RADIUS is available as a standalone service like Internet Authentication Service (IAS), Access Control Server (ACS) etc. It may also be embedded in the network devices such as routers, switches etc. Users are authenticated by the RADIUS server against a central database which stores profile data such as passwords, type of access, etc.
    [Show full text]
  • Session Layer Protocols: Dialog Management, Synchronization
    UNIT-IV UPPER LAYERS: - Session Layer Protocols: Dialog Management, Synchronization. Presentation layer functions: translation, encryption, compression. Cryptography : substitution and Transposition Ciphers, Data Encryption standards ( DES) , DES Chaining, Breaking DES, Public Key cryptography, Authentication protocols, Different compression coding techniques. Application layer protocols & services : Email, World Wide Web, file transfer protocol, remote file server, internet telephony & chatting. Session Layer Protocols: The session layer is layer 5 of the seven-layer OSI model of computer networking. The session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e., a semi-permanent dialogue. Communication sessions consist of requests and responses that occur between applications. Session-layer services are commonly used in application environments that make use of remote procedure calls (RPCs). An example of a session-layer protocol is the OSI protocol suite session-layer protocol, also known as X.235 or ISO 8327. In case of a connection loss this protocol may try to recover the connection. If a connection is not used for a long period, the session-layer protocol may close it and re-open it. It provides for either full duplex or half-duplex operation and provides synchronization points in the stream of exchanged messages. Other examples of session layer implementations include Zone Information Protocol (ZIP) – the AppleTalk protocol that coordinates the name binding process, and Session Control Protocol (SCP) – the DECnet Phase IV session-layer protocol. Within the service layering semantics of the OSI network architecture, the session layer responds to service requests from the presentation layer and issues service requests to the transport layer.
    [Show full text]