1

Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design Optimization

2

RADIUS in Remote Access Designs Provides protocols that allow

Remote access Remote user authentication Remote user auditing Remote user accounting

Allows control of all security Includes RADIUS client and server

3

RADIUS Clients and Servers

4

RADIUS and Microsoft Windows 2000 RADIUS provided by

Routing and Remote Access Internet Authentication Service (IAS)

RADIUS client RADIUS server

5

RADIUS Design Review Determine the following:

Amount of data transmitted Number of locations Connectivity and security capabilities Operating systems used Number of remote access clients Security needs

6

RADIUS Design Decisions RADIUS integration into existing

network Number and placement of servers and

clients Hardware requirements for clients Data protection methods User authentication methods Optimization methods

7

Outsourced Dial-Up Remote Access The most common design Dial-up outsourced to a third party Reduced dial-up costs Single set of logon credentials Enhanced security features

8

Outsourced Dial-Up Remote Access (Cont.)

9

In-House Remote Access Allows the organization to own the

entire design Centralizes administration Avoids dependence on third-party

vendors Places RADIUS clients

Outside private network On screened subnets

10

In-House Remote Access (Cont.)

11

Partner Network Remote Access Provides remote access for partner’s

users Centralizes administration Enhances security of partner’s access Places RADIUS client in partner’s

network

12

Partner Network Remote Access (Cont.)

13

Number of RADIUS Clients and Servers RADIUS client

Supports hundreds of remote access computers

Requires same type of number decisions as for VPN

RADIUS server Supports many RADIUS clients Requires one RADIUS server per user account

database Provides for RADIUS authentication and

accounting

14

Placing RADIUS Clients Make same type of placement decisions

as for dial-up or VPN Place near remote users For dial-up, place geographically close For VPN, place near Internet connection

15

Placing RADIUS Servers Place near servers that manage user

accounts For Active Directory directory service,

place close to domain controllers Run IAS on a domain controller to

reduce traffic

16

Connecting RADIUS Clients and Servers

17

Selecting Remote Access Client Support Make same type of design decisions as

for VPN and dial-up. Specify a RADIUS realm, which

Is a user account database Is the same as a domain in Microsoft

Windows NT and Windows 2000 Specify a default realm for each RADIUS

client.

18

Preventing Unauthorized Access Methods are the same as for VPN and

dial-up. Shared secrets

Identify authorized RADIUS clients and servers

Use case-sensitive text strings Can be used to encrypt messages Must be configured on both client and

server

19

Protecting Confidential Data Use same basic methods as for VPN and

dial-up. Consider additional authentication methods. Encrypt data

Between remote user and server within network Both ways between remote user and RADIUS

clients Enforce remote access policies (RADIUS

attributes) that are managed, stored, and replicated on RADIUS servers.

20

Enhancing RADIUS Availability Configure clients to use multiple servers.

Works on all platforms Provides dynamic fault tolerance Servers must be manually added and deleted

Use Network Load Balancing. Provides automatic reconfiguration Works only on RADIUS clients Requires extra resources Is not available for non–Microsoft operating

systems

21

Improving RADIUS Performance Configure clients to use multiple servers.

Works on all platforms Provides load balancing across multiple servers Servers must be manually added and deleted

Use Network Load Balancing. Provides automatic reconfiguration Works only on RADIUS clients Requires extra resources Is not available for non–Microsoft operating

systems

22

Chapter Summary RADIUS provides remote access solutions. RADIUS includes RADIUS clients and RADIUS

servers. The design decisions for RADIUS depend on

the configuration. Outsourced dial-up remote access designs In-house remote access designs Partner network remote access designs

Protect data and improve availability and performance by using the same methods as for VPN and dial-up.