Kitz ADSL Broadband Information

Author Topic: RADIUS authentication - PEAP, EAP-TLS, EAP-TTLS, 802.1x  (Read 4722 times)

torqpoc

  • Reg Member
  • ***
  • Posts: 122
  • I loved the 80s!
RADIUS authentication - PEAP, EAP-TLS, EAP-TTLS, 802.1x
« on: July 01, 2010, 07:53:57 AM »

Greetings,

Network security is one of my interests, so I thought I’d post about probably the most secure way of "securing" any network, be it wired or wireless. Commonly known under its IEEE name 802.1x, RADIUS (it is written using caps) is a method of validating both the end device and the authenticating device to ensure that everyone is "on the list and can come in".
There are three different flavours commonly used, all part of the EAP family, which stands for Extensible Authentication Protocol. There is PEAP, the easiest to apply, EAP-TLS, and then EAP-TTLS for the very secure.

You may have seen RADIUS authentication parameters before, possibly on higher-end routers, within the Authentication tab of your wireless settings on your operating system, or elsewhere. It stands for: Remote Authentication Dial In User Service. Some parts of this are a bit of a throwback to eras where people were given dongles (or key cards) and had these synchronised to an internal authentication server and would need to put in a username and “token” number to get into a network when connecting from the outside over a VPN (Virtual Private Network), and this is still kind of the case.
Essentially there are three components: the end device, the authenticator (this is usually a switch or router) and the authenticating device which is the RADIUS server itself (again this can be a router and at times a switch).

So, once everything is configured properly, what happens is that when you attempt to connect to the network, be that by plugging your Ethernet cable into a port or connecting to a wireless SSID, you will receive a little prompt. In this box you will be required to put in a username and password. After this step (it’s a little complicated and a bit boring) there are a number of handshakes, chit chat between the devices, and you are either let in, or not. There are steps which can be taken if you don’t “pass”; this is called remediation, but this is another topic.

Now the wonders of RADIUS authentication really come into their own if you’re trying to bolt down your network like the MOD or somesuch. I have personally deployed highly secured networks, where the machine, the user and the authenticating device (server in this case) all had to have valid certificates. You can simplify this hugely, whereby all you are required to enter is a username/password which then goes off to check either an internal database (on the router for instance) or the domain’s Active Directory for Microsoft, or eDirectory for Novell.

If you have a bunker in your backyard, regularly wear a tin-foil hat and are sure Nibiru is coming in 2012, then perhaps RADIUS authentication is for you! (this was not meant in a pejorative manner at all).

I hope this was enlightening, and you didn’t fall asleep. You can read a lot more here: http://en.wikipedia.org/wiki/RADIUS

Cheers,
T
Logged
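The authenticator-to-RADIUS-server leg of the three-component setup described in the post above, as an added example that is not part of the original post: the authenticator wraps the client's EAP identity in a RADIUS Access-Request and signs it with a Message-Authenticator, and the server checks that signature before trusting anything in the packet. It assumes the RFC 2865 packet layout and the RFC 3579 EAP-Message and Message-Authenticator attributes; the function names, shared secret and identity are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1                                   # RFC 2865 packet code
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type, value):
    # RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, pkt_id, identity):
    """Authenticator side: wrap an EAP-Response/Identity for the RADIUS server."""
    # EAP header: Code=2 (Response), Identifier=1, Length, Type=1 (Identity)
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    attrs = (attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)  # 16-byte Request Authenticator
    # HMAC-MD5 over the whole packet, keyed with the shared secret (RFC 3579)
    packet[-16:] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)

def parse_attrs(packet):
    """Return [(type, value_offset, value)], rejecting malformed lengths."""
    # Strict: the length field must match the datagram exactly
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        alen = packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def verify_access_request(secret, packet):
    """Server side: require exactly one valid Message-Authenticator."""
    try:
        found = [(o, v) for t, o, v in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False                                 # missing or malformed: reject
    off, received = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)   # constant-time compare
```
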

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43588
  • Penguins CAN fly
    • DSLstats
Re: RADIUS authentication - PEAP, EAP-TLS, EAP-TTLS, 802.1x
« Reply #1 on: July 01, 2010, 09:11:36 AM »

Many thanks for that, T. :)
Logged
  Eric