11.07.2015

Free the RADIUS

Free the RADIUS: Problem Solving


Free the RADIUS - Problem Solving - Reducing Help Desk Hassles
Expanding 802.1X beyond the niche network

• Registration site served from 'Quarantine' VLAN firewalls with automatic HTTP redirection.
• Automatic OS detection simplifies the registration process, and allows for passive data collection.
• Web server and client on the same Layer 2 segment. Unregistered MAC addresses can be gleaned from the server's ARP cache.


Free the RADIUS - Problem Solving - It looks bad but ...

[Chart: authentication failures per week, 21/9/07 to 21/3/08 (y-axis 0 to 6000), by category: badDomain, macAuth, badConfig, badUID, authFail]

Authentication Failures
• During advertised 'service at risk' periods
• Inappropriate DB locking
• Peaks in authentication requests
• Hash synchronisation
• Accounting DOS

Misconfigured Supplicant
• Initial presentation onto network (2000, XP, Vista)
• Strange unexplainable authentication attempts on service start/stop.


Free the RADIUS - Problem Solving - Database Dilemmas

What's wrong with standard DB based accounting mechanisms?
• Ties up finite resources processing accounting data, where authentication requests should always have priority
• Accounting request 'DOS' after widespread power loss
• Buggy NAS can easily overwhelm the DB
• Accounting data lost during DB outages
• Accounting data lost during Home Server outages when proxying
• Doesn't scale easily

Increasing reliability and performance
• InnoDB not MyISAM (if using MySQL)
• Separate pools of database connections for authentication and authorisation requests
• Load balance stanza to balance requests between SQL processing nodes
• File based buffers
  • FR < v2.0.3: RAD Relay / SQL Relay (file based buffers)
  • FR >= v2.0.3: RAD Relay features integrated into the server core as a Virtual-Server option

File based buffers in FR 2.0.3
• Accounting data not removed until the operation has succeeded
• Server auto-throttles based on the time taken to process the previous request and system load
• Buffer grows during peak load, freeing up resources for authentication
• Requests processed in serial fashion, though parallel processing may be coming in the near future.


Free the RADIUS - Problem Solving - Bigger Buffers

[Flowchart: accounting request path with file based buffers. Listeners: NAS -> Listen UDP 1813; Listen File acct-proxy-buffer; Listen File acct-sql-buffer. Flow: Accounting Request received -> Pre-Acct -> Accounting. If the realm is remote: rlm_detail appends to acct-proxy-buffer and the request is proxied to the Home Server; if an Accounting-Response is received the entry is removed from the file, otherwise it stays buffered. If local: insert into SQL DB; if the insert returns ok the entry is removed from the file, otherwise rlm_detail appends it to acct-sql-buffer. Finally send the accounting response. Buffered entries are read back in from the file and re-enter at Pre-Acct.]
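The buffer discipline shown on this slide, as an added model that is not FreeRADIUS code: records are appended to a buffer file, processed serially, and an entry is only removed once the handler (standing in for the SQL insert or the proxy to the home server) reports success. The JSON-lines file format and the throttle formula are assumptions for illustration.

```python
import json
import os
import tempfile
import time


class AcctBuffer:
    """File based accounting buffer. Each record is one JSON line (assumed format)."""

    def __init__(self, path):
        self.path = path
        open(self.path, "a").close()   # create the buffer file if missing

    def append(self, record):
        # rlm_detail step on the slide: append the request to the buffer file
        with open(self.path, "a") as fh:
            fh.write(json.dumps(record) + "\n")

    def pending(self):
        with open(self.path) as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def drain(self, handler, load=0.0):
        """Process buffered records serially through handler(record) -> bool.
        An entry is dropped only when the handler reports success; failures
        (SQL outage, no Accounting-Response from the home server) stay in the
        file. Returns (succeeded, still_buffered)."""
        succeeded, keep, delay = 0, [], 0.0
        for rec in self.pending():
            time.sleep(delay)                          # auto-throttle
            started = time.monotonic()
            try:
                ok = bool(handler(rec))
            except Exception:
                ok = False                             # treat errors as failure
            if ok:
                succeeded += 1
            else:
                keep.append(rec)
            # Assumed throttle formula: wait as long as the previous request
            # took, scaled up by the reported system load.
            delay = (time.monotonic() - started) * (1.0 + load)
        with open(self.path, "w") as fh:               # rewrite only the survivors
            for rec in keep:
                fh.write(json.dumps(rec) + "\n")
        return succeeded, len(keep)


def outage_demo():
    """Constructed scenario: two records buffered while SQL is down, then a
    partial recovery where only one insert succeeds, then full recovery."""
    buf = AcctBuffer(os.path.join(tempfile.mkdtemp(), "acct-sql-buffer"))
    buf.append({"User-Name": "alice", "Acct-Status-Type": "Start"})
    buf.append({"User-Name": "bob", "Acct-Status-Type": "Stop"})
    during_outage = buf.drain(lambda rec: False)                       # nothing lost
    partial = buf.drain(lambda rec: rec["User-Name"] == "alice")        # bob stays buffered
    recovered = buf.drain(lambda rec: True)                             # buffer empties
    return during_outage, partial, recovered
```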


Free the RADIUS: Looking Forward


Free the RADIUS - Looking Forward - Twice the authentication of the next leading Vendor

Why is Open VLAN a bad thing?
• To prevent banned users being placed in the Open VLAN you may have to break RFC 3749 2.6.3
• No records regarding point of connection onto the 'unauth' VLAN
• No way to *easily* disconnect users
• One 'unauth' VLAN for all
• Can't use GVRP to distribute the 'unauth' VLAN
• It's a hack, and not a pretty one

Benefits of multi-tiered authentication
• Hosts can be blocked at the edge
• Support for legacy hosts (non Dot1x compliant devices can still use the network)
• Authentication records generated for every connection onto the network:
  • Allows context sensitive support pages
  • Reliable inventory of hosts connected to the network
  • Allows SNMP based analysis of connected hosts (where supported)
  • Dynamic service changes via SNMP (no need for CoA support if not proxying)
  • and more...
• Different 'un-authorised' VLANs depending on host (concept of resting VLANs for workstations)
• Truly centralised VLAN assignment (part of a homogenous edge environment)


Free the RADIUS - Looking Forward - Twice the authentication of the next leading Vendor

[Flowchart: multi-tiered authentication, swimlanes Supplicant / Authenticator / Authentication Server. User connects to port -> Initialize Port Authenticator -> Process EAPOL BPDU. If Supplicant Enabled: EAP Identity Request / Response -> Start EAP based auth -> Retrieve User Authorisation State: [User Authorised] -> Assign Service VLAN; [User Soft Banned] -> Assign Quarantine VLAN; [User Hard Banned] / [User Rejected] -> Reject Request. If Supplicant Disabled or No Response: Start MAC based auth -> Retrieve MAC Authorisation State: [MAC Authorised] -> Assign Service VLAN; [MAC Not Found] or [MAC 'soft' banned] -> Assign Quarantine VLAN; [MAC Banned] -> Block any non-EAPOL traffic. The authenticator then alters port VLAN membership to the Quarantine VLAN or the Service VLAN -> end.]
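The decision logic of the flowchart above as an added example (not code from the presentation or from FreeRADIUS): the EAP tier runs when the supplicant is enabled and answers the EAP Identity request, otherwise the port falls back to MAC based authentication, and each tier maps the stored authorisation state to an outcome. The state names, the lookup tables and the treatment of an unknown user as rejected are assumptions.

```python
from enum import Enum


class Outcome(Enum):
    SERVICE_VLAN = "assign service VLAN"
    QUARANTINE_VLAN = "assign quarantine VLAN"
    REJECT = "reject request / block non-EAPOL traffic"


# Constructed lookup tables standing in for the user and MAC authorisation
# state that the authentication server retrieves.
USER_STATE = {
    "alice": "authorised",
    "carol": "soft_banned",
    "mallory": "hard_banned",
}
MAC_STATE = {
    "00:11:22:33:44:55": "authorised",
    "cc:dd:ee:ff:00:11": "soft_banned",
    "66:77:88:99:aa:bb": "banned",
}


def eap_decision(identity):
    """EAP based tier: outcome from the user's authorisation state."""
    state = USER_STATE.get(identity, "rejected")   # unknown user: assumed rejected
    if state == "authorised":
        return Outcome.SERVICE_VLAN
    if state == "soft_banned":
        return Outcome.QUARANTINE_VLAN
    return Outcome.REJECT                          # hard banned or rejected


def mac_decision(mac):
    """MAC based tier: outcome from the MAC's authorisation state."""
    state = MAC_STATE.get(mac.lower(), "not_found")
    if state == "authorised":
        return Outcome.SERVICE_VLAN
    if state == "banned":
        return Outcome.REJECT                      # block any non-EAPOL traffic
    return Outcome.QUARANTINE_VLAN                 # not found or 'soft' banned


def port_decision(mac, supplicant_enabled, identity_response=None):
    """Tier selection: EAP when the supplicant is enabled and answered the
    EAP Identity request (identity_response is not None), otherwise MAC auth."""
    if supplicant_enabled and identity_response is not None:
        return eap_decision(identity_response)
    return mac_decision(mac)
```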


Free the RADIUS - Looking Forward - GVRP

What the heck is GVRP (Generic VLAN Registration Protocol)?
• Defined in 802.1D as an implementation of GARP (Generic Attribute Registration Protocol)
• Allows registration of arbitrary attributes with ports of an 802.1D MAC Bridge
• Allows propagation of VLAN information from multiple GVRP advertisement roots
• Allows creation of dynamic on demand VLAN paths
• Follows spanning tree

Why hasn't it been widely used?
• Requires NIC support for VLAN advertisements - not much use for general hosts
• Inherently insecure in its base form
• VLAN configuration largely static on edge switches

(GVRP && 802.1x) ? awesome : less-awesome
• Every VLAN on every switch, VLAN everywhere
• VLANs assigned via 802.1x and paths created via GVRP
• VLANs follow users or hosts around the network!
• 802.1x negates the need for a GVRP enabled NIC
• GVRP disabled on 802.1x edge ports (no more security risk)!
• Truly centralised VLAN management (part of a homogenous edge environment)


Free the RADIUS - Looking Forward - GVRP - For Example...

[Network diagram: Core network (not GVRP enabled) with VLANs 8, 10, 602, 603, 610 tagged and VLAN 228 tagged. Zone Switches A and B act as conceptual GVRP advertisement roots (Unknown-VLAN: Disable), advertising VLANs 602, 603, 610 and VLAN 228 respectively; VLAN 10 forbidden on downlinks. Edge switches run Unknown-VLAN: Learn on uplinks and Unknown-VLAN: Block on downlinks and on a miss-patched zone link, where STP may also block. VLANs 602, 603, 610 and 228 are not learned on links where they are not already present. An 802.1x authentication assigns VLAN 602 untagged on a port and the switch advertises 602 on all ports except that one. Authenticated or unauthenticated equipment with a GVRP enabled NIC advertising 602, 603, 610 to subvert network controls has its advertisement blocked by the GVRP disabled port (or, if there is no unauth-vid, by the port-access controller).]


Free the RADIUS - Looking Forward - Beyond the edge

FreeRADIUS += DHCP
• All the flexibility of FreeRADIUS with DHCP
• Very tight integration of 802.1x and DHCP lease assignment
• Another piece of the support puzzle (host registration, SNTP etc...)
• User based IP assignment across PPP links and on the local network
• Mobile(ish) IPv4 / IPv6

[Network diagram: Eduroam (routing) BSD firewall; Eduroam VLAN presented onto the campus backbone (routed backbone); the Eduroam firewall performs DHCP assignment and DNS for the Sussex secondary Class C range (192.33.16.0/24) with a full open policy on all inbound/outbound traffic; Route 192.33.16.0/24; Route 139.184.0.0/16; three Cisco Catalyst 6509 (IOS 12.2) core routers with the Eduroam VLAN present only at layer 2; Racoon VPN; Juniper M20 (LENSE); LACP bonded redundant (transparent) campus BSD firewalls (Rove); diversely connected Zone Point of Presence switches HP 5304xl (J4819A) and HP 5308xl (J4850A) (Gates, Cheney, Scooter); stacked edge switches HP 2600-8-PWR (J8762A), HP 2626 (J4900B), HP 2650 (J4899B) (Bolton); Service (routing) BSD firewalls for Roaming, ResNet, Quarantine; wireless access points.]


Free the RADIUS: Question Time