Radius advantages and disadvantages
In parts I and II of this series we looked at the protocols that can be used to implement AAA (authentication, authorization and accounting): RADIUS, DIAMETER and TACACS+. Today we compare the three and close the series with a summary of the strengths of each.
In RADIUS, authentication and authorization are combined: the server's reply to an authentication request (the Access-Accept) already carries the authorization attributes for the session. This is not good practice, since the two functions should be separable. TACACS+ instead treats authentication, authorization and accounting as independent operations of its AAA architecture, and in DIAMETER they are likewise independent, so both handle this correctly. For example, with TACACS+ it is possible to use Kerberos for authentication and TACACS+ for authorization and accounting: after a NAS authenticates a user against the Kerberos server, it sends authorization requests to the TACACS+ server without re-authenticating. The NAS tells the TACACS+ server that the user has already authenticated successfully to Kerberos, and the server then returns the authorization information.
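To make the RADIUS behaviour concrete, here is an added example (not code from the article) of one RFC 2865 exchange between a RADIUS client (the NAS) and a RADIUS server: the client hides the password with the shared-secret MD5 scheme and sends an Access-Request; the server authenticates and, in the very same Access-Accept, returns the authorization attributes (Service-Type, Framed-IP-Address, Session-Timeout); the client checks the Response Authenticator before trusting any of them. The shared secret, user list, NAS address and the fixed Request Authenticator are constructed values for the demonstration; a real client draws the Request Authenticator from `os.urandom(16)`.

```python
"""One RADIUS (RFC 2865) Access-Request / Access-Accept exchange.
Added example, not the article's code; constructed sample data."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4               # attribute types
SERVICE_TYPE, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 6, 8, 27
SERVICE_TYPE_LOGIN_USER = 1
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise (type, value) pairs as TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block). This is obfuscation, not encryption:
    the strength rests entirely on the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def nas_access_request(ident, request_auth, username, password, secret, nas_ip):
    """Client side (NAS / VPN gateway): the authentication request."""
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, users):
    """Server side: authenticate, then bundle authorization into the same reply."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if username in users and hmac.compare_digest(users[username], password):
        reply_code = ACCESS_ACCEPT
        reply_attrs = [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)),
                       (FRAMED_IP_ADDRESS, bytes([10, 0, 0, 50])),      # constructed
                       (SESSION_TIMEOUT, struct.pack("!I", 3600))]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    body = encode_attrs(reply_attrs)
    return build_packet(reply_code, ident,
                        response_authenticator(reply_code, ident, request_auth, body, secret),
                        reply_attrs)


def nas_verify_reply(reply, request_auth, secret):
    """Client side: verify the Response Authenticator before acting on any
    authorization attribute, so a spoofed or tampered reply is rejected."""
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        raise ValueError("length mismatch")
    body = reply[20:length]
    expected = response_authenticator(code, ident, request_auth, body, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: reply not from the expected server")
    return code, decode_attrs(body)


def run_exchange(username, password, secret, users, request_auth=bytes(range(16))):
    """Drive one exchange; returns (reply code, attribute list). Fixed
    request_auth keeps the demo deterministic; use os.urandom(16) in practice."""
    req = nas_access_request(7, request_auth, username, password, secret, "192.0.2.10")
    return nas_verify_reply(server_handle(req, secret, users), request_auth, secret)


SECRET = b"testing123"                     # constructed shared secret
USERS = {b"alice": b"correct horse"}       # constructed user database

if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse", SECRET, USERS))
```

Two things the exchange makes visible: the authorization data (Framed-IP-Address, Session-Timeout) arrives only because the authentication succeeded, which is exactly the coupling the text criticises; and everything rests on an MD5 construction keyed by the shared secret, so a weak secret or RADIUS sent over an untrusted network is a real exposure, which is why RADIUS is normally carried inside IPsec or over TLS (RadSec, RFC 6614).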
Radius port 1812
IEEE 802.1X, the standard for port-based network access control, protects Ethernet LANs against unauthorized access. The switch blocks all traffic to and from a supplicant (client) on the interface, apart from the EAPOL frames used for the authentication itself, until the supplicant's credentials have been presented to and accepted by the authentication server (a RADIUS server). Once the supplicant authenticates, the switch stops blocking and opens the interface to it.
How 802.1X authentication works
The switch acts as the authenticator (port access entity): it relays the supplicant's EAP exchange to the RADIUS server and keeps the port closed to inbound traffic until the server accepts the credentials, at which point it opens the port to the supplicant.
802.1X authentication on trunk ports
Beginning with Junos OS Release 18.3R1, 802.1X authentication can be configured on trunk interfaces, so the network access device (NAS) can authenticate an access point (AP) or another Layer 2 device. An AP or switch connected to the NAS carries multiple VLANs, so it must sit on a trunk port. Enabling 802.1X on the trunk interface closes a gap in which an attacker could unplug the AP and connect a laptop to the same port, gaining access to every VLAN configured on the trunk.
Protocol aaa pdf
November 6, 2013, by Juan Manuel Sanz
Nowadays wireless connections have become indispensable for Internet access. The flood of new devices (cell phones, tablets, e-book readers and so on) means that almost every home has a router with access point functions for connecting wirelessly.
There are several reasons for connecting wirelessly, from the simple convenience of not running cables around the house to the infrastructure of a company or the geography of a site that does not allow any other kind of connection.
Evolution led to the emergence of WPA, which solves the known security problems of WEP. But is WPA completely secure? Not entirely: its original TKIP mode was designed to run on WEP-era hardware, still uses the RC4 cipher and inherits some of WEP's weaknesses.
With teleworking advancing unstoppably, one of the solutions companies have for letting several people work from outside the office as if they were inside it is a virtual private network (VPN).
We will put this into practice with a lab of three machines: one acting as domain controller and RADIUS server, another as RADIUS client and VPN gateway for external access, and one or more computers that connect from outside to use the corporate network.
We start from a computer running Windows Server 2019 Standard, on which we install the Active Directory Domain Services (AD DS) role and configure a domain called radius.brs. Installing this role also installs DNS. I additionally install a DHCP server to manage the computers on the domain network.
If you need help installing these prerequisites, I published a complete guide to installing Windows Server 2016, which applies unchanged to the 2019 version.