Simplify user authentication

Mobile users, virtual offices, and telecommuting aren't futurist fantasies in 1999. Many Windows NT network managers have installed RAS servers with modem pools in their networks to provide dial-in service to remote users for accessing corporate network resources. As the number of remote users grows, network managers need to add more modems and RAS servers to their networks, and companies spend more money on long distance and toll-free telephone service. At the same time, remote access media technologies continue to evolve. For example, asymmetric digital subscriber line (ADSL), wireless, and cable modems are replacing slower traditional modems. In the face of these changes, network managers need to create long-term RAS solutions. One viable solution is to outsource RAS to an ISP so that the ISP provides and hosts RAS for the outsourcing company. Outsourcing RAS has several advantages. First, remote users can dial up their ISP's local Point of Presence (POP) to reach their corporate network, which reduces long-distance charges. (In general, ISPs charge connection fees that are much less expensive than long-distance charges.) Second, network managers needn't worry about RAS server hardware upgrades. Third, with a good service level agreement (SLA), ISPs guarantee high service availability.

However, network managers face two areas of concern when outsourcing RAS: security and user account management. If RAS security isn't adequate, intruders can steal sensitive business data as it traverses the Internet. Without centralized user account management, users need an extra account, in addition to their corporate network account, to dial up an ISP. Network managers have no control over the way an ISP manages its user accounts. However, ISPs that have many POPs and RAS servers need centralized user account databases for user authentication; the alternative is to maintain user accounts on every RAS server.

Fortunately, two Internet technologies—network tunneling and Remote Authentication Dial-in User Service (RADIUS)—greatly reduce problems with security and user account management in RAS. Network tunneling—which PPTP, Layer 2 Tunneling Protocol (L2TP), and IP Security (IPSec) implement—protects network traffic by forming a secure channel between a remote machine on the Internet and a tunnel server in the corporate network. Many people refer to this technology as VPN. RADIUS lets an ISP's RAS servers forward user authentication requests to a corporate network through the Internet. The corporate network can use its existing user directory, such as an NT directory service, to authenticate users for both ISP and corporate network access. RADIUS thus removes the requirement of maintaining a separate user database for the ISP and buying individual user accounts from the ISP.

Windows 2000 (Win2K) and NT 4.0 support network tunneling and RADIUS. Tunneling technologies are well known in today's NT world. RADIUS, however, is relatively new in NT. In this article, I explore RADIUS and its functionality. I discuss Microsoft's RADIUS server software, which the company calls Internet Authentication Service (IAS). I don't discuss PPTP and other tunneling technologies in detail, but I look at how you can integrate RADIUS and VPN.

RADIUS User Management
RADIUS is an Internet protocol that Livingston Enterprises (currently Lucent Technologies Remote Access Business Unit) proposed in 1996 in the Internet Engineering Task Force (IETF—http://www.ietf.org) Request for Comments (RFC) 2058 and RFC 2059. Livingston redefined RADIUS in 1997 in RFC 2138 and RFC 2139. RADIUS contains three user management pieces—authentication, authorization, and accounting—which Livingston referred to as AAA.

RADIUS authentication identifies a remote user by checking the user's identity against a user account database. RADIUS supports such authentication methods as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Microsoft's RADIUS also supports Microsoft CHAP (MSCHAP). Depending on the vendor implementation, RADIUS can authenticate a user with user account information in NT domains, Novell Directory Services (NDS), Lightweight Directory Access Protocol (LDAP) directories, Microsoft SQL Server databases, ODBC databases, and UNIX password files. For example, IAS Commercial Edition (IAS/C) supports NT domains, ODBC databases, Microsoft Commercial Internet System (MCIS) membership in SQL Server, and flat user file-based authentication.
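The PAP and CHAP mechanisms above are easier to reason about in code. The following is an added example, not from the article or from IAS: it shows how a RADIUS client hides a PAP password in the User-Password attribute (RFC 2138 section 5.2) and how a RADIUS server recovers it and checks a CHAP response; the shared secret and Request Authenticator values are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample values for the demo (not real credentials).
SHARED_SECRET = b"example-shared-secret"      # assumed RAS-server/RADIUS-server secret
REQUEST_AUTHENTICATOR = bytes(range(16))      # 16-octet Request Authenticator, fixed here

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2138 section 5.2 describes: pad to a multiple of
    16 octets, then XOR each block with MD5(secret + previous ciphertext block),
    seeding the chain with the 16-octet Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2138 limits User-Password to 128 octets")
    # An empty password still produces one 16-octet block.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chain. The mask for block n depends on the received
    ciphertext of block n-1, so decoding needs the authenticator and the same secret;
    a wrong secret yields garbage rather than an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return plain.rstrip(b"\x00")  # strips the RFC padding (passwords are text here)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response the client sends: MD5(id + password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(ident: int, response: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """RADIUS server check of a CHAP-Password attribute. The server must recompute
    the digest from the clear-text password, so CHAP cannot be verified against a
    user database that holds only one-way password hashes."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)
```

The constant-time comparison in verify_chap and the 128-octet limit are the two checks a server-side implementer most often forgets.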

RADIUS authorization restricts authenticated users' access to certain network services to ensure high network security. For example, you can set up a user authorization profile in RADIUS that lets remote users access only a specified server and service, such as a Telnet server and service.

RADIUS accounting records the amount of network resources (e.g., connection time, number of transferred packets) that a remote user uses during a specific session. ISPs can use the accounting information for billing needs and network traffic analysis. Corporate network managers can use the accounting information to verify ISP charges and allocate expenses to individual departments.

RFC 2138 (and the obsolete RFC 2058) defines RADIUS authentication and authorization. RFC 2139 (and the obsolete RFC 2059) describes RADIUS accounting. RADIUS accounting is independent of RADIUS authentication and authorization, and you can use RADIUS without accounting.
