Using RADIUS as a AAA backbone for Windows Networks, Poznan

Title
Using RADIUS as a AAA backbone for Windows networks
Authors
Kostas Kalevras, Network Operations Centre, National Technical University of Athens, Iroon
Polytexneiou 9, 15780 Zografou, Greece
E-Mail: kkalev@noc.ntua.gr
Dimitrios Kalogeras, Network Operations Centre, National Technical University of Athens, Iroon
Polytexneiou 9, 15780 Zografou, Greece
E-Mail: dkalo@noc.ntua.gr
Keywords
RADIUS, AAA, FreeRADIUS, Windows, GINA, pGina
Abstract
Today, Windows continues to dominate the end-user workstation, usually in a networked
environment consisting of a number of Windows workstations and a central Domain Controller.
On the other hand Unix (and especially open source flavors like Linux and FreeBSD) is gaining
increasing popularity in the central server market. It is commonplace in many academic
institutions, school networks and other large organizations to have the service core based on
Unix servers usually authenticating access through a central LDAP server (where the main
user database is stored) while the end users connect to the network and use its resources
through a sometimes large number of separate Windows Domains, each with its own Windows
Domain Controller.
This structure creates a substantial administration overhead for the Windows Domains since
users must be added manually in each Domain they need access to, while user passwords are
not synchronized. User management, on a per person basis, is not done centrally but
separately on each Domain creating even more administration costs.
Two approaches are available to overcome this problem. One is based on a Meta-Directory
infrastructure replicating user information from the central Directory server to the Domain
Controllers, or vice versa, depending on need. The other is based on replacing the
authentication mechanism (GINA) on each workstation with a specially written one which can
query a central user database (LDAP, RADIUS, PAM) for user information and use that for user
authentication.
In this paper the disadvantages of the Meta-Directory approach are first analyzed. A real-life
case study of the Greek School Network and its use of the SUN-ONE Password Synchronization
platform is presented, outlining the problems faced while initially deploying such an
infrastructure and the reasons for subsequently abandoning the endeavor.
Afterwards, the pGina platform is introduced, describing its main capabilities and features with
a special focus on LDAP and RADIUS. The main advantages of using RADIUS as an
authentication mechanism are then described. The main areas covered are the following:
- RADIUS usage as a decision point rather than just another database. User
administration and management can thus be performed at the centre (RADIUS) rather than at
the edges, reducing administration costs and overhead.
- User creation on the Windows Domain Controller based on user information passed
back by RADIUS. Dynamic expansion of user attributes and calculated attributes are
covered.
- Special features provided by RADIUS such as default and per-group profiles, user time
quotas, login-time restrictions and per-user settings, all of which are stored in a central
LDAP database.
- The pGina user caching feature, which allows authentication to be performed by the
Domain Controller so that only user creation and password changes need to be
propagated by RADIUS, reducing network traffic and RADIUS service overhead.
- RADIUS Accounting, which is stored in a corresponding database, allowing a full
overview of user sessions and the extraction of statistics.
- Delegated administration on a per-domain basis, accomplished through a central
administration tool. Accounting views on the accounting database are provided to each
administrator, giving access only to the corresponding domain's accounting data.
- Anonymous user support. The infrastructure for creating dynamic accounts that are
valid only for a specific time span is described. These anonymous accounts can be
used on public workstations (PC labs, public libraries etc.).
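The following LDIF is an added illustration, not taken from the paper or from the GSN deployment, of how the default profile, per-group profile, login-time restriction and time-limited anonymous account described above can be represented in the central LDAP directory for FreeRADIUS's rlm_ldap module. It uses the radiusprofile object class and attribute types from the RADIUS-LDAPv3 schema shipped with FreeRADIUS; the DIT layout (dc=example,dc=gr, ou=profiles, ou=people, ou=anonymous), all user names, passwords, time windows and the exact date format accepted for radiusExpiration are assumptions and must be checked against the server version in use.

```ldif
# Added example, not part of the original paper. Hypothetical directory
# layout for FreeRADIUS rlm_ldap; all DNs and values are assumptions.

# 1. Default profile. rlm_ldap applies it to every user that has no
#    explicit profile (radiusd.conf: default_profile = "<this DN>").
#    Login-Time "Al0700-2200" = any day, 07:00 to 22:00; rlm_logintime
#    rejects logins outside the window and otherwise sets Session-Timeout
#    to the seconds remaining in it, so the workstation session ends on time.
dn: cn=default,ou=profiles,dc=example,dc=gr
objectClass: radiusprofile
cn: default
radiusLoginTime: Al0700-2200
radiusSimultaneousUse: 1
radiusReplyItem: Session-Timeout = 7200

# 2. Per-group profile for students, selected per user through
#    radiusProfileDn (radiusd.conf: profile_attribute = "radiusProfileDn").
#    "Wk0800-1600" = weekdays only, 08:00 to 16:00.
dn: cn=students,ou=profiles,dc=example,dc=gr
objectClass: radiusprofile
cn: students
radiusLoginTime: Wk0800-1600
radiusReplyItem: Session-Timeout = 3600
radiusReplyItem: Idle-Timeout = 900

# 3. A regular user entry. The per-user radiusLoginTime check item overrides
#    the one inherited from the profile. radiusGroupName carries the group
#    name the RADIUS reply can hand back to the workstation for local
#    account creation (assumed mapping, see lead-in).
dn: uid=student01,ou=people,dc=example,dc=gr
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: student01
cn: Student One
sn: One
userPassword: assumed-example-password
radiusGroupName: students
radiusProfileDn: cn=students,ou=profiles,dc=example,dc=gr
radiusLoginTime: Wk0800-2000

# 4. An anonymous, time-limited account for a public lab workstation.
#    rlm_expiration rejects the login once the date in radiusExpiration has
#    passed, so the entry can be generated in bulk and left to expire.
#    (Assumed date format "Mmm dd yyyy"; verify against your server docs.)
dn: uid=guest0001,ou=anonymous,dc=example,dc=gr
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: guest0001
cn: guest0001
sn: guest
userPassword: assumed-one-time-password
radiusExpiration: Jun 30 2005
radiusLoginTime: Al0800-2000
radiusProfileDn: cn=default,ou=profiles,dc=example,dc=gr
```

Two checks worth doing after loading such entries: first, that the rlm_ldap `ldap.attrmap` actually maps radiusLoginTime, radiusExpiration and radiusProfileDn to the Login-Time, Expiration and profile lookups (the mapping is configurable and differs between releases); second, that the directory ACLs let the RADIUS bind DN read the profile and people subtrees but not write to them, so a compromised RADIUS host cannot alter quotas or expiry dates.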
A complete listing of the changes performed by the NTUA development team to the pGina
source code is also included.
Lastly, a large-scale pGina installation in the Greek School Network (GSN) is examined. The
GSN network structure and user population is briefly described followed by the description of
the pGina and RADIUS installation. Service statistics and trends are provided followed by an
analysis of the advantages the pGina installation provided to the GSN.
Acknowledgments
Agis Andreou, former member of the Network Operations Centre development team,
performed a large part of the pGina core source code changes. The authors would like to thank
him for his hard work and commitment to the project as well as for his help with various parts
of the GSN pGina installation procedure.
The authors would also like to thank Ntina Sakka of the Network Operations Centre for her
valuable comments and assistance as well as the technical support staff of the Greek School
Network for their assistance in the FreeRADIUS server deployment.
References
pGina user authentication platform: http://pgina.xpasystems.com
FreeRADIUS RADIUS server: http://www.freeradius.org/
Vitae
Kostas Kalevras is a network engineer for the Network Operations Centre of the NTUA. Among
other things he is in charge of the LDAP and RADIUS services for both the NTUA and the Greek
School Network. He is also a primary developer for the FreeRADIUS project, having
developed and maintained a large number of server modules as well as the web-based
administration front-end dialupadmin. He also participates in the pGina project with
patches to the pGina core and RADIUS module.
Dimitris Kalogeras was born in Athens, Greece in 1967. He received the Diploma in Electrical
Engineering from the National Technical University of Athens (NTUA), Greece in 1990 and PhD
in Electrical and Computer Engineering from NTUA in 1996.
From 1993 to 1995 he worked for the NTUA Network Management Center as Data Network
Engineer. From 1995 to 1996 he worked for INTRACOM S.A. as an Engineer in Research &
Development. From 1997 to 1999 he worked as Technical Consultant for NTUA NMC and
GRNET. From 1999 to the present he has been a Researcher at the Institute of Communication and
Computer Systems, Department of Electrical and Computer Engineering.