[Top] [Prev] [Next] [Bottom]

Introducing RADIUS

This document gives an overview of RADIUS (Remote Authentication Dial-In User Service), explains how the Nx Networks implementation of RADIUS works, and lists the steps for setting up RADIUS for use with GTSecure. It includes the following sections:

RADIUS Overview

How RADIUS Works

Setting up RADIUS

RADIUS Overview

RADIUS is a security system that uses a client-server approach to authenticate remote users. RADIUS authenticates users through a series of challenges and responses that the client relays between the server and the user.

In the Nx Networks implementation of RADIUS, the server resides on a UNIX workstation and the GTSecure router acts as the RADIUS client. You can locate the server locally or remotely from the client.

The user uses a token device that generates responses to the challenges that the RADIUS server sends. This implementation of RADIUS works with the CRYPTOCard©, which is produced by the CRYPTOCard Corporation.

The RADIUS server has a collection of databases that contain information about the

Users who authenticate
Authentication device that the users are using
RADIUS clients

The GTSecure client relays challenges from the server to the user, and it relays responses back from the user to the server. You configure GTSecure with information about the RADIUS server. You can set up and prioritize up to four RADIUS servers. If GTSecure cannot reach the first server, it sends the authentication request to an alternate server.

You can set up a shared secret between the RADIUS server and the GTSecure client so that they can authenticate each other. This secret is based on the RSA Data Security, Inc. MD5 Message-Digest Algorithm. Using a secret prevents an unauthorized intruder from responding to authentication requests.

Communication Between the Router and the User

You can set up the router so that the user who is authenticating can connect to the router using either Telnet or HTTP. The advantages to using HTTP over Telnet are:

The router allows only two active Telnet sessions at one time versus 128 active HTTP sessions at one time. Because router administrators are likely to use Telnet to configure or monitor the router, one of the available Telnet sessions could potentially be in use for an extended period.
Some Internet Service Providers (ISPs) do not offer Telnet services.

If you set up the router for HTTP authentication, the router acts as an HTTP (Web) server. The router supports any Web browser that supports forms.

Types of Challenges and Responses

You can set up the CRYPTOCard and the RADIUS server to work either in challenge-response mode or in reduced-entry mode.

Challenge-response mode uses a random challenge for each authentication transaction. The user must enter this challenge into their CRYPTOCard and the CRYPTOCard calculates a response.
In reduced-entry mode, the server and the CRYPTOCard both save the response from the previous authentication transaction and use it to compute a default challenge for the next transaction. In this way, the CRYPTOCard can anticipate the challenge, and the user does not have to enter the challenge into the CRYPTOCard. The user simply presses the ENT key.

How RADIUS Works

The following steps detail the process that the RADIUS server and GTSecure client use to authenticate a user.

1. The user runs Telnet or HTTP to the GTSecure router.

2. GTSecure prompts the user for a name and password.

3. The user responds to the prompts.

4. GTSecure handles the user's response in one of two ways:

For HTTP users, GTSecure encrypts the name and password and sends them to the RADIUS server in an Authentication Request packet.
For Telnet users, GTSecure checks if the login name is in the router's Administrator database. If the name is not in the database, GTSecure encrypts the name and password and sends them to the RADIUS server in an Authentication Request packet.

5. The RADIUS server validates the request using the shared secret that you set up between GTSecure and the RADIUS server. The server then decrypts the packet to access the user name and password.

6. The server sends a random number challenge to GTSecure and GTSecure displays the challenge to the user.

7. Using the CRYPTOcard, the user responds to the challenge. See Using the CRYPTOCard to Authenticate.

If the user sends the correct response to the challenge, the server sends an Authentication Acknowledgment to GTSecure. For Telnet users, the acknowledgment includes either a user service type for the user or a list of IP filter profiles that are set up for the user. The user service type specifies the type of login access the user has to the router. Based on the service type, the user is logged into the router as an Administrative user or as a Monitor user. The IP filter profiles specify the user's access to resources on the network. The user selects which profile(s) to install.

Once RADIUS authenticates a user, GTSecure either logs the user into the router via the Telnet session or installs the profile(s) and closes the HTTP or Telnet session. The user can then access the services that the login service type or the profile allows.

If at any point during the authentication process conditions are not met, the RADIUS server sends an Authentication Reject to GTSecure and GTSecure denies access to the network.

Setting up RADIUS

Setting up a RADIUS configuration involves the following:

1. Installing and setting up the RADIUS server on a UNIX workstation. The RADIUS server includes a collection of databases that tell the server how the client and the CRYPTOCard are configured.

See Installing and Using the RADIUS Server.

2. Configuring GTSecure as the RADIUS client. You set up GTSecure with information on the RADIUS server(s) to use to authenticate users.

See Setting Up the RADIUS Client.

3. Programming a CRYPTOCard for each user.

See the documentation provided with your CRYPTOCard.

[Top] [Prev] [Next] [Bottom]