Module 10: RADIUS as a Solution for Remote Access
Contents
Overview 1
Introducing RADIUS 2
Designing a Functional RADIUS Solution 7
Discussion: Designing a RADIUS Solution 16
Securing a RADIUS Solution 18
Enhancing a RADIUS Design for Availability 28
Optimizing a RADIUS Design for Performance 30
Discussion: Enhancing the RADIUS Solution 32
Lab A: Designing a RADIUS Solution 34
Review 43

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc.
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective
owners.



Instructor Notes
Presentation: 75 Minutes
Lab: 45 Minutes

This module provides students with the information and decision-making
experiences needed to design a Remote Authentication Dial-In User Service
(RADIUS) solution in Microsoft® Windows® 2000. Students will evaluate and
create RADIUS solutions to meet the remote access requirements of an
organization.
At the end of this module, students will be able to:
Recognize RADIUS as a solution for remote access.
Identify the functional aspects of a RADIUS design.
Select the appropriate strategies to secure a RADIUS solution.
Select the appropriate strategies to enhance RADIUS availability.
Select the appropriate strategies to improve RADIUS performance.
Upon completion of the lab, students will be able to design RADIUS solutions
that meet the remote access requirements of a variety of organizations.

Course Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.

Required Materials
To teach this module, you need the following materials:
Microsoft PowerPoint® file 1562B_10.ppt


Preparation Tasks
To prepare for this module:
Review the contents of this module.
Read any relevant information in the Windows 2000 Help files, the
Windows 2000 Resource Kit, or in documents provided on the Instructor
CD.
Read the relevant RFCs in the Windows 2000 Help files.
Review discussion material and be prepared to lead class discussions on the
topics.
Complete the lab and be prepared to elaborate beyond the solutions found
there.
Read the review questions and be prepared to elaborate beyond the answers
provided in the text.



Module Strategy
Use the following strategy to present this module:
Introducing RADIUS
RADIUS is an industry standard protocol that provides the solution to an
organization’s remote access requirements by supporting secured user
authentication, and accounting services for remote users.
In this section:
• Explain that the network designer needs to determine the geographic
location of remote access users, the number of users at each location, the
connection between geographic locations, and the remote access
accounting information. This information provides the basic decisions
for establishing a RADIUS remote access connection.
• Emphasize that separate remote access and user authentication, remote
access client connectivity, remote user authentication and accounting,
and integration with the existing networks are the main features
supported by RADIUS.
• Point out that, to extend the user authentication and data encryption
feature to mixed operating systems, the RADIUS service integrates with
other Windows 2000 networking services.
Designing a Functional RADIUS Solution
A functional Windows 2000 RADIUS remote access solution supports
various Internet service providers (ISPs) or corporate remote access users
for authentication and accounting schemes.
In this section:
• Emphasize that a RADIUS design requires a minimum of one RADIUS
client and one RADIUS server. Discuss the placement of RADIUS
clients and servers.
• Emphasize that a RADIUS client can support a dial-up client
connection, a virtual private network (VPN)-based client connection, or
both types of connections. Explain this with reference to the scenario
diagram on the slide.
• Point out that RADIUS supports Transmission Control Protocol/Internet
Protocol (TCP/IP), Internetwork Packet Exchange/Sequenced Packet
Exchange (IPX/SPX), and AppleTalk remote access client protocols.
• Explain that the selection of connection data rate, persistence, and
security level is essential in providing RADIUS client to RADIUS
server connections.
• Emphasize that it is necessary to select the default domain for the
RADIUS server to set up a RADIUS remote access solution.
Discussion: Designing a RADIUS Solution
Ensure that students understand the scenario description and directions for
the Discussion. Direct them to read through the scenario and answer the
questions. Be prepared to clarify if necessary. Lead a class discussion on the
students’ responses.



Securing a RADIUS Solution
A secure RADIUS solution ensures that only authorized remote access
clients and servers are allowed to participate in a remote access connection.
In this section:
• Emphasize the use of remote access policies to restrict remote user
access to the private network.
• Describe the use of authentication protocols and encryption algorithms
for protecting remote access client traffic. Point out that the use of these
services protects the confidential data from unauthorized users.
• Explain the use of Microsoft Point-to-Point Encryption (MPPE) and
Internet Protocol Security (IPSec) as encryption methods to protect
RADIUS client and server traffic. Also point out the usage of RADIUS
secrets, IPSec machine certificates, and VPN tunnels.
• Emphasize that the RADIUS clients and servers must be placed in
relation to screened subnets so that network traffic is minimized without
compromising on security.
Enhancing a RADIUS Design for Availability
A highly available RADIUS solution ensures that remote users can connect
to the private network resources whenever required. Point out that the
availability of a RADIUS design can be improved by including more than
one RADIUS client and server in the network design.

Optimizing a RADIUS Design for Performance
The performance of the RADIUS design can be optimized to provide the
fastest possible response to remote access clients. Point out that using dial-up
and VPN connections can optimize the performance of a RADIUS client.
Emphasize that improving the authentication and accounting performance
also affects the performance of a RADIUS design.
Discussion: Enhancing the RADIUS Solution
Make sure that students understand the scenario description and directions
for the Discussion. Direct them to read through the scenario and answer the
questions. Be prepared to clarify if necessary. Lead a class discussion on the
students’ responses.



Lab Strategy
Use the following strategy to present this lab.

Lab A: Designing a RADIUS Solution
In the lab, students will design a RADIUS solution based on specific
requirements outlined in the given scenario.
Students will review the scenario and the design requirements and read any
supporting materials. They will use this information, and the knowledge gained
from the module, to develop a detailed design by using RADIUS as a solution.
To conduct the lab:
Read through the lab carefully, paying close attention to the instructions and
to the details of the scenario.
Consider dividing the class into teams of two or more students.
Present the lab and make sure students understand the instructions and the
purpose of the lab.
Direct students to use the planning worksheet to record their solutions.
Remind students to consider any functionality, security, availability, and
performance criteria provided in the scenario and how they will incorporate
strategies to meet these criteria in their design.
Allow some time to discuss the solutions after the lab is completed. A
solution is provided in your materials to assist you in reviewing the lab
results. Encourage students to critique each other’s solutions and to discuss
any ideas for improving their designs.


Overview

Slide Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will evaluate and design a RADIUS solution for remote access.

• Introducing RADIUS
• Designing a Functional RADIUS Solution
• Discussion: Designing a RADIUS Solution
• Securing a RADIUS Solution
• Enhancing a RADIUS Design for Availability
• Optimizing a RADIUS Design for Performance
• Discussion: Enhancing the RADIUS Solution

Organizations that outsource dial-up remote access, or those that perform joint
ventures with other organizations, require authentication of user accounts
outside the private network. Also, organizations that provide the outsourcing
services, such as Internet service providers (ISPs), require remote user
connection accounting so that they can charge subscribers.
Remote Authentication Dial-In User Service (RADIUS) is an industry standard
protocol that provides the solution to these authentication and remote user
accounting requirements by supporting secured user authentication, and
accounting services for remote users.
At the end of this module, you will be able to:
Recognize RADIUS as a solution for remote access.
Identify the functional aspects of a RADIUS design.
Select the appropriate strategies to secure a RADIUS solution.
Select the appropriate strategies to enhance RADIUS availability.
Select the appropriate strategies to improve RADIUS performance.


Introducing RADIUS

Slide Objective: To introduce RADIUS as a solution for remote access in a Windows 2000 network.

Lead-in: Support for RADIUS is provided by the combination of Routing and Remote Access and IAS.

• Design Decisions for a RADIUS Solution
• RADIUS Features
• Integration Benefits

RADIUS is a client/server protocol that requires a RADIUS client and a
RADIUS server to provide remote access. In Microsoft® Windows® 2000,
support for RADIUS is provided by the combination of Routing and Remote
Access and the Internet Authentication Service (IAS). A remote access server is
a RADIUS client, and a server running IAS is a RADIUS server.
To design a strategy for providing remote access by using RADIUS, you must:
Identify the design decisions that influence a RADIUS solution.
Describe the features of RADIUS and how the features support the design
requirements for remote access.
Determine how integrating RADIUS with other networking services
benefits the network design.



Design Decisions for a RADIUS Solution

Slide Objective: To introduce the decisions that influence the design of a RADIUS solution.

Lead-in: The first step in designing a RADIUS solution is to identify the decisions that influence the design.

[Slide diagram, labels only: RADIUS Client (three instances), Internet, ISP, Active Directory, Central Office, Remote Access Clients, Partner Network.]

• Geographic Locations of Remote Access Users?
• Number of Users at Each Location?
• Connection Between Geographic Locations?
• Remote User Connection Accounting?

Discuss the bulleted points with students. Tell them that these are the questions they need to answer before designing a RADIUS solution. Explain the relevance of these decisions with reference to the graphic.

Windows 2000 uses RADIUS for network configurations that require user
authentication outside the private network. Before you design a RADIUS
solution (a remote access solution that uses RADIUS), you must identify the
decisions that influence the design.
For designing a RADIUS solution, you need to determine the:
Geographic distribution of the remote access users to determine the
placement of the RADIUS clients.
Number of remote access users at each location so that you can determine
the number of RADIUS clients to place at each location.
Network connections between the geographic locations so that you can
determine the amount of data that can be transmitted between the locations.
Organization requirements for tracking remote user connectivity time so that
you can determine if RADIUS accounting is required.



RADIUS Features

Slide Objective: To describe the features of RADIUS.

Lead-in: When creating a remote access design by using RADIUS, you must understand how the features of RADIUS support the organization’s requirements.

• Separating Remote Access and User Authentication
• Providing Remote Access Client Connectivity
• Providing Remote User Authentication and Accounting
• Integrating Into Existing Networks

RADIUS is used for providing authentication, authorization, and accounting
services for remote access connectivity. When creating a remote access design
by using RADIUS, you must identify how the features of RADIUS support the
organization’s requirements.

Separating Remote Access and User Authentication
RADIUS separates the remote access server functions from the user
authentication server functions. The communication between the computer that
provides remote access support and the computer that provides user
authentication is established by using RADIUS.
Separating remote access and user authentication allows the:
RADIUS client and server to support different operating systems and
hardware architectures.
RADIUS client and server to be geographically separated.
User accounts to be secure by ensuring that the accounts are located on
servers within the private network.
Encryption of authentication traffic between the RADIUS client and the
RADIUS server by using Internet Protocol Security (IPSec) or virtual
private network (VPN) tunnels.
Outsourcing of dial-up remote access to third-party organizations.


Providing Remote Access Client Connectivity
The remote access client connectivity feature provided by the RADIUS client
determines how remote users gain access to the private network. The remote
access client connectivity provided by the RADIUS client allows the remote
access users to:
Use a variety of authentication protocols, such as Challenge Handshake
Authentication Protocol (CHAP), Microsoft Challenge Authentication
Protocol (MS-CHAP), or clear text to get authenticated.
Encrypt data by using a variety of encryption algorithms, such as Microsoft
Point-to-Point Encryption (MPPE) or Data Encryption Standard (DES).
Connect by using a variety of protocols, such as Transmission Control
Protocol/Internet Protocol (TCP/IP) or Internetwork Packet
Exchange/Sequenced Packet Exchange (IPX/SPX).
Connect by using a variety of technologies, such as dial-up modems, digital
subscriber line (DSL), or Integrated Services Digital Network (ISDN).

Providing Remote User Authentication and Accounting
Remote user authentication provided by the RADIUS server determines the
user accounts that are authenticated. Remote user authentication allows the:
Authentication of user accounts that are stored in the Active Directory™
directory service.
Authentication of user accounts that are stored in Microsoft Windows NT®
version 4.0 domains.
Remote user accounting provided by the RADIUS server creates a historical
record of RADIUS transactions that occur between the RADIUS client and
server. You can also perform selective recording by modifying the details of
accounting information recorded by the RADIUS server. Remote user
accounting records:
The length of time the remote user is connected.
Remote user authentication success or failure.

Situations when the RADIUS server is unable to authenticate a RADIUS
client.

Integrating into Existing Networks
While integrating RADIUS with existing networks, you can determine how
Windows 2000–based RADIUS clients and servers interact with RADIUS
clients and servers found in other operating systems. Because the RADIUS
protocol is an Internet standard, any existing RADIUS clients or servers that
support the Internet RFCs integrate with the Windows 2000–based RADIUS
clients and servers.
Note: The RADIUS protocol specifications are found in RFCs 2138 and 2139.


Integration Benefits

Slide Objective: To describe how integrating RADIUS with other networking services benefits the network design.

Lead-in: RADIUS integrates with other networking services to take advantage of their features.

[Slide diagram, labels only: RADIUS; Routing and Remote Access (Demand-Dial Connections, IP Filters, and VPN Tunnels); IPSec (Authentication and IPSec Tunnels); Windows NT 4.0 Domains (User Account Authentication); Active Directory (Machine Certificates and User Account Authentication).]

RADIUS integrates with other networking services to take advantage of their
features. Some of these features, such as the ability to authenticate users in
Active Directory, are available automatically to RADIUS. Other features
require you to include additional specifications in the design, such as including
VPN tunnels for authentication and data encryption between RADIUS clients
and servers.
The following table describes the benefits of integrating RADIUS with other
networking services.

RADIUS integrates with: Routing and Remote Access
To:
• Provide support for nonpersistent connections by using specified demand-dial connections.
• Reduce undesired traffic by using specified IP filters.
• Provide authentication and encryption of data transmitted between RADIUS clients and servers if specified in the design.

RADIUS integrates with: IPSec
To: Provide authentication and encryption of data transmitted between RADIUS clients and servers if specified in the design.

RADIUS integrates with: Windows NT 4.0 domains
To: Provide authentication for user accounts that reside in Windows NT 4.0 domains.

RADIUS integrates with: Active Directory
To: Provide authentication for user accounts that reside in Active Directory.



Designing a Functional RADIUS Solution

Slide Objective: To introduce the decisions involved in creating a functional remote access solution by using RADIUS.

Lead-in: There are certain specifications that you must include while designing a RADIUS remote access solution.

• Placing RADIUS Clients and RADIUS Servers
• Selecting the Remote Access Client Connections
• Selecting the Remote Access Client Protocols
• Providing RADIUS Client to RADIUS Server Connections
• Selecting the Authentication Domain


There are certain specifications that you must include while designing a
RADIUS remote access solution. After you establish these specifications, you
can optimize the solution by adding security, availability, and performance
specifications to your network design.
You can design a functional RADIUS solution by specifying:
Where to place RADIUS clients and RADIUS servers within the network so
that network traffic is minimized without compromising security.
Whether RADIUS clients must support dial-up or VPN-based remote access
clients so that the required remote access connections are included.
Which protocols the RADIUS client must support so that the remote access
clients can connect to the network.
What persistence, data rate, and security the RADIUS client and server
connection must support so that RADIUS traffic and remote access traffic
can be exchanged.
What domain the RADIUS server uses by default to authenticate remote
access users.



Placing RADIUS Clients and RADIUS Servers

Slide Objective: To describe the placement of RADIUS clients and RADIUS servers within the network.

Lead-in: You must place RADIUS clients and servers within the network so that network traffic is minimized and security is not compromised.

[Slide diagram, labels only: RADIUS Client, Central Office, Active Directory, ISP, Internet, RADIUS Server, RADIUS Client, Partner Network.]

• Place RADIUS Clients Close to Remote Access Users
• Place RADIUS Servers Close to User Accounts

Delivery Tip: Use the diagram on the slide to show the placement of servers in the network.

To establish a remote access connection, a RADIUS design requires a minimum
of one RADIUS client and one RADIUS server. You must place RADIUS
clients and servers within the network so that network traffic is minimized and
security is not compromised.

Placing RADIUS Clients Close to Remote Access Users
You need to place RADIUS clients close to remote access users so that you:
Localize the traffic between the remote access client and the RADIUS
client.
Reduce or eliminate dial-up charges by providing a local point of presence
(POP).
Can delegate the RADIUS client’s administration to the administrators of
the remote access users in the same geographic region.
Reduce the risk of exposing confidential data. You achieve this by
controlling the security between the RADIUS client and the private
network.
In the preceding illustration, the RADIUS client in the partner network is
located close to the remote access users in the partner network. You can
secure the area of highest risk, the data transfer between the RADIUS client
in the partner network and the central office resources, by forcing data
encryption.




Placing RADIUS Servers Close to User Accounts
You must place RADIUS servers close to the server that provides remote user
account authentication so that the:
Traffic between the authentication server and the RADIUS server is
localized.
Authentication server and the RADIUS server are within the private
network, which prevents unauthorized access to the user’s account database.



Selecting the Remote Access Client Connections

Slide Objective: To describe when to select the dial-up or VPN remote access client support for a RADIUS client.

Lead-in: A RADIUS client can support a dial-up connection, a VPN-based connection, or both types of remote access connections.

[Slide diagram, labels only: Central Office, Active Directory, RADIUS Client with Dial-Up, Dial-Up Client, ISP, Internet, Remote Access Clients, Proxy Server, RADIUS Server, RADIUS Client with VPN (two instances), Partner Network.]

• Select Dial-Up Remote Access Client Connections
• Select VPN Remote Access Client Connections
• Determine RADIUS Client Resource Requirements

Refer to the example on the slide to explain the selection of dial-up and VPN remote access client connections.

A RADIUS client can support a dial-up connection, a VPN-based connection,
or both types of remote access connections. To determine the number of
RADIUS clients and their hardware requirements, you must determine the
number of remote access clients and the types of connections that each
RADIUS client must support.
Dial-up remote access clients require a dial-up port connected to the RADIUS
client computer. VPN remote access clients require a VPN port that is allocated
on the RADIUS client computer. Based on the security requirements of the
organization, you can select VPN ports that use Point-to-Point Tunneling
Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).

Selecting Dial-Up Remote Access Client Connections
In the preceding illustration, the organization has decided to outsource the dial-up
remote access support to an ISP. The dial-up remote access clients will
access the central office through the RADIUS client within the ISP’s network.
The RADIUS server within the central office authenticates the remote users.
Include a dial-up remote access client connection in your design if:
Security requirements prohibit the use of the Internet for accessing the
private network.
Additional security features are required, such as identification by using
caller ID or callback.
The remote access strategy for the organization supports the ongoing
maintenance of telephone lines, modems, and multiport communications
adapters.



Selecting VPN Remote Access Client Connections
In the preceding illustration, the organization also has a joint venture with a
partner organization. The remote users in the partner network access the central
office through the RADIUS client within the partner network. The RADIUS
server within the central office authenticates the remote users in the partner
network.
In addition, the organization has remote users who attach directly to the Internet
through an ISP selected by the remote user. These remote users access the
central office by using the RADIUS client in the central office.
Include a VPN remote access client connection in your design if:
Security requirements allow the use of the Internet for accessing the private
network.
The connection to the Internet supports the traffic created by the remote
access clients.
The remote access strategy for the organization supports the outsourcing of
telephone lines, modems, and multiport communications adapters
maintenance.

Determining RADIUS Client Resource Requirements
The following table describes the information you must collect to determine the
computing resources needed for the RADIUS clients in your network design.

Determine the: User accounts to be granted remote access permission
So that you can specify: The user accounts that require remote access permission.

Determine the: Remote access policy restrictions
So that you can specify: The maximum number of simultaneous connections at a given time throughout the day.

Determine the: Number of dial-up ports
So that you can specify: Enough telephone lines, modems, and asynchronous ports to support the maximum number of simultaneous clients by using dial-up connections.

Determine the: Number of PPTP ports
So that you can specify: Enough PPTP ports to support the maximum number of clients simultaneously by using VPN connections.

Determine the: Number of L2TP ports
So that you can specify: Enough L2TP ports to support the maximum number of clients simultaneously by using VPN connections.

After collecting the information mentioned in the table, you can determine the
RADIUS client resources that are required to support the maximum number of
remote access clients, and the appropriate hardware architecture to support the
maximum number of simultaneous users.



Selecting the Remote Access Client Protocols

Slide Objective: To introduce the decisions involved in selecting the RADIUS client protocols in a network design.

Lead-in: The RADIUS client supports all of the protocols supported by Routing and Remote Access because the RADIUS client is a remote access server.

[Slide table: Include / If Remote Access Clients Must, covering TCP/IP, IPX/SPX, and AppleTalk; the same table appears in the text that follows.]

A RADIUS client can support a variety of protocols. Because the RADIUS
client is a remote access server, the RADIUS client supports all of the protocols
supported by Routing and Remote Access.
You need to select which remote access client protocols the RADIUS client
must support so that the remote access clients can connect to the network.
Certain protocols are required for access to protocol-specific, private network-based resources.
The following table lists the protocols supported by a RADIUS client, and
when you would include that protocol in your design.

Include: TCP/IP
If remote access clients must:
• Administer Windows 2000–based servers.
• Access Web-based applications and File Transfer Protocol (FTP) servers.
• Run applications that are based on TCP/IP.

Include: IPX/SPX
If remote access clients must:
• Administer NetWare-based servers.
• Access NetWare-based file and print resources.
• Run applications that are based on the IPX/SPX protocol.

Include: AppleTalk
If remote access clients must:
• Administer Apple Macintosh–based servers.
• Access Apple Macintosh–based file and print resources.
• Run applications that are based on the AppleTalk protocol.




Providing RADIUS Client to RADIUS Server Connections

Slide Objective: To describe the decisions involved in providing RADIUS client to RADIUS server connections.

Lead-in: You need to select the connection data rate, persistence, and security level that the RADIUS client and server connection must be able to support, so that RADIUS and remote access traffic can be exchanged.

[Slide diagram, labels only: RADIUS Client, Windows 2000 Domain Controller, Internet, ISP, Central Office, RADIUS Server, RADIUS Client, Partner Network; legend: = RADIUS Client and Server Connection.]

• Select the Connection Data Rate and Persistence
• Select the Connection Security

The RADIUS client exchanges RADIUS authentication packets with the
RADIUS server, and acts as an intermediary between the remote access client
and the private network. You need to select the connection data rate,
persistence, and security level for the connection between the RADIUS client,
the RADIUS server, and the private network.

Selecting the Connection Data Rate and Persistence
You select the connection data rate and persistence between the RADIUS
client, the RADIUS server, and the private network. You make the selection by
determining the required response times for remote user authentication and
applications that the remote users run.
For the connections in your design, you need to include a sufficient data rate to
ensure that the:
Remote users are authenticated within the response times specified by the
organization.
Applications that remote users run respond within the response times
specified by the organization.
Note As a best practice, specify a persistent connection that exceeds the data
rate you calculate.



Selecting the Connection Security
In many designs, the RADIUS client, the RADIUS server, and the private network are connected over a public network, such as the Internet. RADIUS on its own hides only the User-Password attribute (by combining it with an MD5 hash of the shared secret and the request authenticator); the user name, every other attribute, and all accounting data are sent in clear text, and the protection of the password depends entirely on the strength of the shared secret. Because the connection crosses the Internet, it requires data encryption to prevent unauthorized access to the data.
You can select the level of connection security between the RADIUS client, the RADIUS server, and the private network by determining the:
Level of encryption that is required when exchanging user account and password information between the RADIUS client and RADIUS server.
Level of encryption that is required when exchanging confidential data between the RADIUS client and the private network.
Restrictions that are placed on data encryption standards by any government regulations.
Level of authentication that is required to identify the RADIUS client and server.
Important: As a best practice, specify a connection that encrypts all data and authenticates the RADIUS client and server by using VPN tunnels or IPSec. If the RADIUS client or server is not a computer running Windows 2000, the RADIUS client or server must support VPN tunnels or IPSec to provide encryption.
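To make concrete what the best practice above protects against, the following added example (it is not part of this module and not Microsoft code) implements the RFC 2865 User-Password hiding and the Response Authenticator in Python, then shows what a party that captures one Access-Request and its Access-Accept on the ISP-to-central-office link can recover when the exchange is not inside an IPSec or VPN tunnel: the user name and NAS address are readable directly, and candidate shared secrets can be tested offline at the cost of one MD5 each. The shared secret, user name, password, NAS address (192.0.2.5) and request authenticator are constructed values.

```python
"""RFC 2865 User-Password hiding and authenticators, to show what RADIUS
protects on its own. Added example, not course material: the shared secret,
user name, password, NAS address and Request Authenticator are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), using the Request Authenticator first."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL bytes are padding and are dropped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def access_request(ident: int, req_auth: bytes, user: bytes, password: bytes,
                   secret: bytes, nas_ip: bytes = b"\xc0\x00\x02\x05") -> bytes:
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attribute(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def access_accept(ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse(packet: bytes):
    """Return (code, identifier, authenticator, {attribute type: raw value}).
    Everything except the User-Password value is readable without the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def guess_secret(request: bytes, response: bytes, candidates):
    """What an eavesdropper on the ISP-to-central-office link can do with one
    captured Access-Request/Access-Accept pair: each candidate secret is checked
    with a single MD5 against the Response Authenticator. Returns the matching
    candidate or None. This is why the exchange belongs inside IPSec or a VPN."""
    _, _, req_auth, _ = parse(request)
    code, ident, resp_auth, _ = parse(response)
    attrs = response[20:]
    for cand in candidates:
        if response_authenticator(code, ident, req_auth, attrs, cand) == resp_auth:
            return cand
    return None


if __name__ == "__main__":
    secret, req_auth = b"s3cret", os.urandom(16)
    req = access_request(1, req_auth, b"alice", b"hunter2", secret)
    print(parse(req)[3][USER_NAME])  # user name travels in clear: b'alice'
    print(guess_secret(req, access_accept(1, req_auth, secret),
                       [b"password", b"radius", b"s3cret"]))  # b's3cret'
```

The Response Authenticator also means a RADIUS client cannot tell a genuine Access-Accept from a forged one unless the secret is strong and private, so a weak secret undermines the decision the RADIUS server makes, not just the confidentiality of the password.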


Selecting the Authentication Domain

Slide Objective: To describe the decisions involved in selecting the authentication domain for the RADIUS server.

Lead-in: For a RADIUS server, you must select the domain to authenticate the remote access users.

[Slide: Remote access clients connect through the RADIUS client at the ISP or the RADIUS client in the partner network, across the Internet, to the RADIUS server and the Windows 2000 domain controller in the central office.]

Authenticate from Any Domain
Default Authentication Domain
To authenticate the remote access users, you must select the domain that the RADIUS server uses. You can specify a default domain so that remote users are not required to specify a logon domain. A remote user who needs a different domain supplies it as part of the user name, for example as DOMAIN\user or user@domain.
Note: In RADIUS terminology, the authentication domain is called a realm.

Authenticating from Any Domain
You can authenticate remote access users by using any domain accessible to Windows 2000. You can specify that the RADIUS server authenticate accounts that reside in:
Windows 2000 native-mode domains.
Windows 2000 mixed-mode domains.
Windows NT 4.0 domains.
Domains that are accessible through trust relationships.

Default Authentication Domain
The RADIUS server can support only a single default domain. The remote access user can select a domain other than the default domain by explicitly specifying a different authentication domain.
You need to select the default domain for the RADIUS server based on the:
Types of domains in the organization, such as Windows 2000 domains or Windows NT 4.0 domains.
Domains where the majority of the remote access user accounts reside.
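As an added example (not from the module and not Microsoft code), the following Python sketch models the default-realm decision described above: user names with an explicit DOMAIN\user prefix or user@domain suffix are sent to that domain, names without either get the default domain, and a realm that is not one of the domains the server can reach is rejected rather than forwarded. The rewrite rules imitate ordered find-and-replace realm rules applied before the realm is read; the class name, the domain names and the rule are my assumptions.

```python
"""Realm resolution for a RADIUS server fronting several Windows domains.
Added example, not course material: the default domain, the reachable domain
list and the rewrite rule are constructed; the rewrite step models ordered
find-and-replace realm rules."""
import re


class RealmResolver:
    def __init__(self, default_domain, reachable_domains, rewrite_rules=()):
        self.default = default_domain.upper()
        # Domains the server can authenticate against: its own domain plus
        # any Windows 2000 or Windows NT 4.0 domains reachable through trusts.
        self.reachable = {d.upper() for d in reachable_domains}
        self.rules = [(re.compile(pat, re.IGNORECASE), repl) for pat, repl in rewrite_rules]

    def resolve(self, user_name):
        """Return (domain, account). Rewrite rules run first, in order; then the
        realm is taken from a DOMAIN\\user prefix or a user@domain suffix, and a
        name with neither gets the default domain. Unknown realms are rejected."""
        name = user_name
        for pattern, repl in self.rules:
            name = pattern.sub(repl, name)
        if "\\" in name:
            domain, account = name.split("\\", 1)
        elif "@" in name:
            account, domain = name.rsplit("@", 1)
        else:
            domain, account = self.default, name
        domain = domain.upper()
        if not account or not domain:
            raise ValueError(f"malformed user name {user_name!r}")
        if domain not in self.reachable:
            raise LookupError(f"realm {domain} is not a domain this server can authenticate against")
        return domain, account

    def accepts(self, user_name):
        """True when the name resolves to a realm this server can serve."""
        try:
            self.resolve(user_name)
            return True
        except (ValueError, LookupError):
            return False


# Constructed configuration for the Phoenix RADIUS server of the discussion
# scenario: PHOENIX is the default realm, CORP and PARTNER are trusted domains,
# and one rule maps an ISP-style suffix onto the Windows prefix form.
PHOENIX = RealmResolver(
    default_domain="PHOENIX",
    reachable_domains=["PHOENIX", "CORP", "PARTNER"],
    rewrite_rules=[(r"^(.*)@phoenix\.example\.com$", r"PHOENIX\\\1")],
)

if __name__ == "__main__":
    for name in ["alice", "corp\\bob", "carol@partner",
                 "alice@phoenix.example.com", "eve@evil"]:
        print(name, "->", PHOENIX.resolve(name) if PHOENIX.accepts(name) else "rejected")
```

Rejecting unknown realms at the RADIUS server, instead of forwarding them to whatever domain controller is nearest, keeps a mistyped or attacker-chosen realm from turning into an authentication attempt against a domain the design never intended to expose.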



Discussion: Designing a RADIUS Solution

Slide Objective: To evaluate the decisions involved in designing RADIUS solutions.

Lead-in: To design a functional RADIUS solution, you must decide RADIUS client placement, RADIUS server placement, and the inclusion of networking protocols in the RADIUS design.

[Slide: map of the United States showing the company's office locations: Seattle, San Francisco, Los Angeles, Phoenix, Denver, Dallas, Chicago, Atlanta, Miami, Washington DC, New York, Anchorage, and Honolulu.]

Delivery Tip: Read the scenario to the students and review the questions as a group. Give the students time to consider their answers and then lead a discussion based on their responses. Remind the students that there can be more than one possible solution to the scenario.

As you create remote access designs by using RADIUS, you need to translate
the information relating to the solution into design requirements. This
discussion involves designing basic remote access solutions. During the
discussion, note any ideas presented by other students in the class that are
relevant to the remote access solution.
The following scenario describes the current network configuration of a
bioelectronics maintenance company. Read the scenario and answer the
questions. Be prepared to discuss your answers with the class.

Scenario
A bioelectronics maintenance company services electronic medical equipment
that is installed in hospitals and medical clinics. The bioelectronics company
has regional field offices located across the United States. The administration
and dispatching of field engineers takes place in the Phoenix office.
The field engineers use a Web-based application for maintenance tracking and reporting. Customers can place maintenance requests by using another Web-based application that either creates a maintenance request or notifies a field engineer for more urgent requests.



Questions
1. Currently the field engineers run the Web-based applications by using a
dial-up connection to remote access servers in the Phoenix location. The
organization has decided to outsource the dial-up connections to an ISP. As
the senior consultant on the project, what remote access solution would you
recommend that uses RADIUS?
You could make the following recommendations:
Place a RADIUS server at the Phoenix office.
Specify the RADIUS server as an authentication and accounting server for all RADIUS clients within the ISP.
Specify that the domain within the Phoenix office is the default authentication domain/realm.
Specify all RADIUS clients within the ISP as clients for the RADIUS server at the Phoenix office.
Specify a VPN or IPSec tunnel between the RADIUS clients and the RADIUS server.

2. During the deployment of the RADIUS solution, a network support
technician in the Phoenix office has noticed that they can view all remote
access traffic by using a protocol analyzer, such as Network Monitor. The
director of information services for the company is concerned about the
situation. How would you respond to their concerns?
In your specifications for the solution, a VPN or IPSec tunnel should encrypt the traffic between the RADIUS clients and the RADIUS server. The ISP's RADIUS clients (network access server devices) may not support VPN or IPSec tunnels. If the RADIUS clients or RADIUS servers do not support VPN or IPSec tunnels, you will need to specify VPN tunnels from the remote access client to the remote access server, so that the remote access traffic itself is encrypted end to end rather than only on the RADIUS client to RADIUS server link.



Securing a RADIUS Solution

Slide Objective: To introduce the strategies used for securing a RADIUS solution.

Lead-in: Because the remote access users will have access to private network resources, you must secure the RADIUS solution to protect confidential data.

Restricting Remote User Access to the Private Network
Authenticating Remote Access Clients
Encrypting Remote Access Client Traffic
Protecting RADIUS Client and RADIUS Server Traffic
Integrating RADIUS into Screened Subnets

Because the remote access users will have access to private network resources, you must secure the RADIUS solution to protect confidential data. You can protect the confidential data by securing the connection between the remote access client and the RADIUS client, and by securing the connection between the RADIUS client, the private network, and the RADIUS server.
You can secure a RADIUS solution by specifying:
Which remote access policies the RADIUS client must enforce to restrict remote access users.
Which authentication protocols and encryption algorithms the RADIUS client must include to protect confidential data.
Which authentication methods and encryption algorithms the RADIUS client and server must support to protect confidential data.
Where to place RADIUS clients and servers in relation to screened subnets so that network traffic is minimized without compromising security.



Restricting Remote User Access to the Private Network

Slide Objective: To describe how to restrict remote user access to private network resources.

Lead-in: To restrict remote user access to the private network, you must enforce the appropriate remote access policy.

[Slide: remote access policies are shown at the RADIUS server in the central office and at the RADIUS client in the partner network; the RADIUS client at the ISP reaches the central office across the Internet.]

Specify Remote Access Policies
Centralize Remote Access Policies

In Windows 2000, user authorization for remote access is granted based on the dial-in properties of a user account and on remote access policies. Remote access policies are a set of conditions that give network administrators flexibility in authorizing connection attempts. To restrict remote user access to the private network, you need to determine which remote access policies to enforce.

Both a Windows 2000 remote access server (the RADIUS client) and an Internet Authentication Service (IAS) RADIUS server use remote access policies to determine whether to accept or reject connection attempts. When the remote access server is configured to use RADIUS authentication, the policies stored on the RADIUS server are the ones that are applied, which is what makes centralized policy enforcement possible. Policies are evaluated in order: the first policy whose conditions all match decides the outcome, and a connection attempt that matches no policy is rejected.

Specifying Remote Access Policies
You can select the remote access policies by determining the:
Characteristics used to identify a remote user, such as the IP address or phone number.
Restrictions to be placed on a remote user after the user is identified, such as time of the day and day of the week restrictions, or tunneling protocol usage restrictions.
You can create multiple remote access policies to accommodate the security requirements of any organization.
Note: See the Windows 2000 Help files for more information about the restrictions you can specify with remote access policies.
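The following added example (not course material and not Microsoft code) models the evaluation order just described in Python: the account's dial-in permission, then the first matching policy in the list, then that policy's permission and profile restrictions. The condition names, the three sample policies and the sample requests are constructed; the way it handles an account set to deny, a catch-all deny policy placed last, and a profile that requires a particular tunnel type is the behaviour the text describes, not an exact copy of the Windows 2000 implementation.

```python
"""First-match evaluation of remote access policies, modelled on the Windows 2000
behaviour described above (account dial-in permission plus ordered policies with
conditions, a grant/deny permission and a profile). Added example, not course
material: condition names, sample policies and requests are constructed."""
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


@dataclass
class Policy:
    name: str
    conditions: dict                 # all must match for the policy to apply
    grant: bool                      # policy permission, used when the account says "policy"
    profile: dict = field(default_factory=dict)  # {"require": {...}, "settings": {...}}


@dataclass
class Request:
    user: str
    dial_in: str                     # account dial-in property: allow, deny or policy
    groups: set
    attrs: dict                      # RADIUS attributes as the server sees them
    when: datetime


def in_day_time(spec, when):
    """spec maps a weekday or weekday range such as "Mon-Fri" to a [start, end)
    hour range; the condition holds if any entry contains the connection time."""
    for days, (start, end) in spec.items():
        first, last = days.split("-") if "-" in days else (days, days)
        if DAYS.index(first) <= when.weekday() <= DAYS.index(last) and start <= when.hour < end:
            return True
    return False


def matches(policy, req):
    for cond, expected in policy.conditions.items():
        if cond == "Day-And-Time":
            if not in_day_time(expected, req.when):
                return False
        elif cond == "Windows-Groups":
            if not req.groups & set(expected):
                return False
        else:                        # attribute conditions are wildcard patterns
            value = req.attrs.get(cond)
            if value is None or not any(fnmatch.fnmatch(value, p) for p in expected):
                return False
    return True


def evaluate(policies, req):
    """Return (accepted, reason, settings). Policies are tried in order and the
    first one whose conditions all match decides; no match means reject."""
    for p in policies:
        if not matches(p, req):
            continue
        if req.dial_in == "deny":
            return False, f"{p.name}: account dial-in permission is deny", {}
        if req.dial_in != "allow" and not p.grant:
            return False, f"{p.name}: policy permission is deny", {}
        for attr_name, allowed in p.profile.get("require", {}).items():
            if req.attrs.get(attr_name) not in allowed:
                return False, f"{p.name}: profile requires {attr_name} in {sorted(allowed)}", {}
        return True, f"{p.name}: accepted", dict(p.profile.get("settings", {}))
    return False, "no matching remote access policy", {}


# Constructed policies for the Phoenix RADIUS server. Order matters: the
# catch-all deny must come last or it would shadow the policies above it.
POLICIES = [
    Policy("Field engineers via ISP",
           {"Windows-Groups": ["Field Engineers"], "Day-And-Time": {"Mon-Fri": (6, 22)}},
           grant=True, profile={"settings": {"Session-Timeout": 3600}}),
    Policy("Partner network", {"NAS-IP-Address": ["192.0.2.*"]},
           grant=True, profile={"require": {"Tunnel-Type": {"L2TP"}}}),
    Policy("Deny everyone else", {}, grant=False),
]


def decide(user, dial_in, groups, attrs, when):
    return evaluate(POLICIES, Request(user, dial_in, set(groups), attrs, when))


if __name__ == "__main__":
    print(decide("alice", "policy", ["Field Engineers"],
                 {"NAS-IP-Address": "198.51.100.7"}, datetime(2000, 5, 2, 10)))
```

Two points the evaluation makes visible: an account whose dial-in property is "allow" is accepted by the first matching policy even when that policy's own permission is deny (only the profile restrictions still apply), and a request that reaches the catch-all policy is judged by that policy alone, so the order of the list is part of the security design.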

