RADIUS: Secure Authentication Services at Your Service - Page 3
A Relationship Based on Security and Trust
Security and trust are at the heart of the RADIUS client and server interaction. Their transactions are authenticated using a shared secret. So that an outsider cannot spoof either party, the shared secret is never transmitted over the network; instead, it is configured directly into the client and server. The protocol also allows RADIUS servers to issue cryptographically based challenges (ultimately responded to by the end user) as an extra security measure.
What makes RADIUS so versatile is that it does not dictate the end user connection or communication with the client, so it could be dial-up, hardwired to a switch port, wireless, or some new technology that hasn’t been invented yet. The connection password can and should be protected using a mechanism appropriate to the link technology. It also does not dictate the method used by the server to authenticate a password, once it knows the end user’s username and password.
The basis of RADIUS operations is the exchange of attributes between the client and server. The use of standard attributes, such as user name, password, service, addressing, and timeout information, is determined by your requirements and configuration.
RADIUS also supports the use of vendor-specific attributes — vendor-defined extensions that are implemented in only certain products, such as one vendor’s firewalls or remote access servers. When purchasing a RADIUS server, make sure that it has support for the vendor-specific attributes that are important to your network and the equipment (associated with clients) that you have or are planning to buy.
Deployment Architecture Choices
Since RADIUS supports distributed operations, the first important decision in your RADIUS deployment design is whether to outsource the management of the servers or to keep it in-house. If you neither have nor want to acquire in-house RADIUS expertise, the cost of outsourcing may compare favorably with in-house RADIUS server acquisition and operation.
If you do decide to keep it in-house, there are some important considerations for the RADIUS implementation. The RADIUS server software runs on either a dedicated or shared server platform. Like any popular client-server protocol, RADIUS server implementations are available for a variety of operating system environments, including network appliances.
Since the goal of RADIUS is to secure and control access to your network, proper RADIUS database configuration is paramount. It all comes down to good policy design first, and then implementation in the RADIUS server. Your access policy covers the rules for granting access to the network and specifying when and how RADIUS security mechanisms are used to safeguard its operation. It may be as simple as table look-ups, or it may use more sophisticated logic to look at history, behavior, or current conditions.
The configuration also includes the distribution and storage of the shared client and server secrets, and if and when challenges are used. Good security design is based on experience and an understanding of your particular needs, as well as the specifics of your network technology. If you don’t have in-house expertise, consider some outside help.