Security | Remote Access | VPN

There are two essential security issues with remote access: authentication of the user, and the user’s authorization to use particular services. One old and proven way of authorizing dial-in is call-back. In a call-back authorization, the caller dials into a remote access server and enters a log-in name and password. The remote access server then hangs up the modem connection and searches its database to authenticate the user. If the user is authenticated, the access server calls the user back at a predefined number. This method can work for a telecommuter who always works at home, but naturally fails if the worker travels.

Although call-back could be improved (for example, the access server could be reprogrammed to dial a specific hotel telephone based on a preapproved travel itinerary), the industry has agreed on a much more versatile security application: The Remote Authentication Dial-In User Service (RADIUS). RADIUS is an important application by itself; the following example describes how it works:

  • 1. Using a modem, the user’s PC dials in to a modem that is connected to a remote access server.

  • 2. Once this connection is completed, the user is prompted for the log-in name and password.

  • 3. The access server encrypts log-in and password information and sends it to a centralized RADIUS server, which decrypts the data and passes it on to the appropriate security system module. (The encryption and decryption steps are omitted in some networks.)

  • 4. The security system module authenticates (or rejects) the caller; if the caller is authenticated, the RADIUS server checks its database to find out which services the caller is authorized to use. [This includes specific protocols supported by the user’s PC, such as Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP),  If the authentication process fails, the caller is denied access to the network. Otherwise, the authorization and specifics of the applicable services are sent to the access server. The RADIUS server may also send policing information (such as the data rate for carrying user data) to the access server, as well as filtering information, which limits the caller’s access to the enterprise network resources (for example, the caller may be allowed to access e-mail, but not to change or even copy the contents of files). To ensure that requests are not responded to by unauthorized sources, the RADIUS server sends an authentication key identifying itself to the RAS.

Some networks may require multiple levels of passwords for resource access, in which case RADIUS may be involved in authorizing relevant access.

In the preceding description, the seemingly unnecessary references to the security system module (why would RADIUS itself not do that?) are actually essential to understanding of the service: Support of any specific security mechanism is not a function of RADIUS per se; instead, RADIUS interworks with security mechanisms.


honey said...

This trick has also been used to nab drug dealers and fortunately, save some lives of kidnapped people or adventurers lost in the forest. COOL right

spy phone

michael said...

I've been looking for an article like this about Remote Access and VPN. My professor assign me a report about this topic.

radius log

Horace Jones said...

Michael are you at CalTech under old Wiley? He is a tougg professor but always fair - wait till the end of the course when you get to the advanced project. I did mine on PC remote access, which has proven highly useful.

Telecom Made Simple

Related Posts with Thumbnails