RSA RADIUS Overview

You can use RSA RADIUS with RSA Authentication Manager to directly authenticate users attempting to access network resources through RADIUS-enabled devices. A RADIUS server receives remote user access requests from RADIUS clients, for example, a VPN. The RADIUS server forwards the access requests to RSA Authentication Manager for validation. Authentication Manager sends accept or reject messages to the RADIUS server, which forwards the messages to the requesting RADIUS clients.

RADIUS is automatically installed and configured during the Authentication Manager installation. After installation, RADIUS is configured to run on the same instance with Authentication Manager.

You can use the Security Console or the Operations Console to view the RADIUS servers in your deployment. For each RADIUS server, you can view the IP address, RADIUS server status, and Authentication Manager replication status:

  • IP Address. IP address that RADIUS clients and other RADIUS servers use to communicate with this server. This is the same IP address used by Authentication Manager.
  • RADIUS Server Status. A "Normal" RADIUS server status means that the RADIUS server is functioning properly. If the RADIUS server is "Offline," you can restart the RADIUS server in the Operations Console. Click Deployment Configuration > RADIUS Servers.
  • Authentication Manager Replication Status. The Authentication Manager Replication Status describes the state of Authentication Manager data on the primary or replica instance on which the RADIUS server is installed. Authentication Manager replicates data for the entire deployment, including RADIUS data. For more information, see Replication Status.

You can use the Security Console to complete most tasks associated with managing RADIUS day-to-day operations. Through the Security Console, you can perform these tasks:

  • Manage RADIUS clients and RADIUS client agents.

  • Manage RADIUS profiles, including assigning profiles to users, user groups and agents, and specifying a default profile.

  • Manage RADIUS user attributes and custom attributes.

  • View RADIUS server and RADIUS client statistics.

You use the Operations Console to configure RSA RADIUS, to manage settings that must be made on the individual instances running RSA RADIUS, and for non-routine maintenance of the RADIUS servers. Through the Operations Console, you can perform these tasks:

  • Manage the certificates used by RSA RADIUS, including the RADIUS server certificate and the trusted root certificates for Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) authentications.

  • Manage RADIUS server files, including RADIUS dictionary files and configuration files.

When using the Operations Console to modify RADIUS servers, you must restart the RADIUS server for the changes to take effect.

RSA RADIUS Authentication Process

In a RADIUS-protected network, the authentication process works as follows:

  1. The user provides authentication information to a RADIUS client.

  2. The RADIUS client sends an “Access-Request” to the server, which could include the following:

    • User ID

    • User password (encrypted)

    • Client ID

    • Port ID

  3. RSA RADIUS validates the client using a shared secret. If no secret exists, the request is ignored.

  4. RSA RADIUS checks requirements that must be met for the user to access the resource. The requirements are known as RADIUS attributes and may include the following:

    • Password

    • Clients through which the user can access a resource

    • Ports through which the user can access a resource

  5. RSA RADIUS forwards the request to Authentication Manager.

  6. Authentication Manager allows or denies the request.

  7. RSA RADIUS sends one of three responses:

    • Access-Accept. RSA RADIUS allows access and returns a set of RADIUS attributes to the client.

    • Access-Challenge. RSA RADIUS issues a challenge to which the user must respond, for example, with a passcode.

      If RSA RADIUS does not receive a response, an inactivity timeout occurs after 3 minutes.

    • Access-Reject. The conditions are not met so access is denied.

Each authentication attempt must be completed within the maximum timeout period of 10 minutes.

RADIUS clients control user access at the network perimeter. RADIUS clients, which can be VPN servers, wireless access points, or Network Access Servers connected to dial-in modems, interact with RSA RADIUS for user authentication and to establish appropriate access control parameters. When authentication succeeds, RSA RADIUS returns a set of attributes to RADIUS clients for session control.

The following figure shows how an RSA RADIUS server runs as a service on an Authentication Manager instance. The RADIUS service handles the requests from the clients and communicates with the Authentication Manager, which processes the authentications and grants or denies access to the user.

[Figure: RSA RADIUS server running as a service on an Authentication Manager instance]

RADIUS Network Topology

Firewalls typically separate the VPN server from the RADIUS server and the Internet. In most cases, RADIUS servers are configured on multiple replica instances for load balancing and failover. Additional RADIUS clients may also be configured, for example, as multiple wireless access points in strategic locations throughout a site. These details are somewhat hidden from administrators because most routine administration is applied to a primary server that replicates some of those changes to replica servers.

Some administration operations that are performed less frequently require administrators to know about replica servers for failover, disaster recovery, and other system maintenance purposes.

Remote users with direct Internet connections can access network resources using a RADIUS-enabled VPN server. Remote users without direct Internet connections can connect using telephone lines and dial-in modems connected to a RADIUS-enabled network access server. Wireless users can access the network over RADIUS-enabled wireless access points.

For all of these access methods, RADIUS provides fine-grained access controls that allow administrators to tightly manage individual user access, restricting users to a specific network access device, session length, IP address or range, or other restriction.

Communication Between RADIUS Servers and Clients

Communication between the RADIUS server and Authentication Manager always uses HTTPS. Communication between RADIUS servers and clients always uses the RADIUS protocol. Authentication Manager relies on the security features available in the RADIUS protocol: sensitive fields are encrypted with a shared secret.

RADIUS uses a RADIUS shared secret to secure communication between a RADIUS server and a RADIUS client. You can configure the RADIUS shared secret through the Security Console. After the RADIUS shared secret is created, you must set the secret in the RADIUS client using the RADIUS client’s administrative interface.

[Figure: RADIUS shared secret securing communication between the RADIUS server and a RADIUS client]
