
What exactly is an AAA Server?

Elvis Elvis

This page describes what an AAA server is and how it works, which protocols such a server uses, and some of the products (server software, client software and authentication devices) with which a user can authenticate to it.

– What is an AAA Server –

An AAA server is a server that implements the AAA framework: Authentication, Authorization and Accounting. There is no single "AAA protocol"; the framework is carried by protocols such as RADIUS, Diameter and TACACS+, which are described below.

Authentication verifies that a user who asks for access to a network service really is who they claim to be. The user presents an identity (for example a user name) together with a credential that proves it. The most common credential is a password; alternatives are digital certificates, one-time passwords generated by a token, or a smart card protected by a PIN.

Authorization decides which services an authenticated user may use and which not. The decision depends on the user's identity (established by authentication), on the current state of the system and on the service being requested. Authorization rules are usually expressed as restrictions, for example:

  • a time-of-day restriction: a user may only log in during working hours, so an otherwise valid login outside those hours is refused;
  • a physical location restriction: a user may log in from certain departments, sites or network segments and not from others;
  • a concurrent-session restriction: a user may not be logged in more than once at the same time.

Authorization also determines what the user gets after login. Examples of such services and attributes are IP address filtering, address allocation, bandwidth control and encryption settings.


Accounting is the measurement and logging of the network resources a user consumes. The records are used for management, capacity planning, billing and audit. Typical fields are the identity of the user, the type of service, when the session started and when it ended, and often the amount of data transferred. Records are written to text files or databases, or forwarded to a remote accounting or log server.
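The three steps above, as an added example that is not part of the original page and not any vendor's code: a small AAA decision engine in Python. Authentication checks a salted password hash in constant time, authorization applies the time-of-day, location, service and concurrent-session restrictions described earlier, and accounting writes a start record and a stop record with the session duration. The users, passwords, roles, locations and the fixed demo date are all constructed for this example.

```python
"""Added example (not ActivIdentity's or any product's code): a minimal AAA
decision engine with authentication, authorization restrictions and accounting.
All users, passwords, policies and timestamps below are constructed for the demo."""
import hashlib
import hmac
import os
from datetime import datetime, time

_SALT = b"demo-salt-not-for-production"   # real stores use a random per-user salt


def _hash(password: str) -> bytes:
    # PBKDF2 so a leaked user database does not hand out cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user database: identity -> credential hash and role.
USERS = {
    "alice": {"hash": _hash("correct horse battery"), "role": "staff"},
    "bob":   {"hash": _hash("hunter2"),               "role": "contractor"},
}

# Authorization policy per role: the restrictions named in the text.
POLICY = {
    "staff":      {"hours": (time(0, 0), time(23, 59, 59)),
                   "locations": {"hq", "branch", "vpn"},
                   "services": {"wifi", "vpn", "ssh"}, "max_sessions": 2},
    "contractor": {"hours": (time(8, 0), time(18, 0)),
                   "locations": {"hq"},
                   "services": {"wifi"}, "max_sessions": 1},
}

SESSIONS = {}      # user -> {session id: start time}
ACCOUNTING = []    # accounting records, in the order they were written


def at(hour, minute=0):
    """Fixed demo date (a constructed Monday) so results are reproducible."""
    return datetime(2024, 3, 4, hour, minute)


def authenticate(user, password):
    """Is the caller who they claim to be?  The hash is computed even for
    unknown users, and compared in constant time, so timing leaks nothing."""
    rec = USERS.get(user)
    expected = rec["hash"] if rec else _hash("")
    return hmac.compare_digest(expected, _hash(password)) and rec is not None


def authorize(user, service, location, now):
    """May this authenticated user have this service, from here, right now?"""
    p = POLICY[USERS[user]["role"]]
    start, end = p["hours"]
    if not start <= now.time() <= end:
        return False, "outside permitted hours"
    if location not in p["locations"]:
        return False, "location not permitted"
    if service not in p["services"]:
        return False, "service not permitted"
    if len(SESSIONS.get(user, {})) >= p["max_sessions"]:
        return False, "too many concurrent sessions"
    return True, "ok"


def _account(event, user, **fields):
    ACCOUNTING.append({"event": event, "user": user, **fields})


def access_request(user, password, service, location, now):
    """Full AAA flow for one request. Returns (granted, reason, session id)."""
    if not authenticate(user, password):
        _account("auth-fail", user, service=service, location=location, time=now)
        return False, "authentication failed", None
    ok, reason = authorize(user, service, location, now)
    if not ok:
        _account("denied", user, service=service, location=location,
                 time=now, reason=reason)
        return False, reason, None
    sid = os.urandom(4).hex()
    SESSIONS.setdefault(user, {})[sid] = now
    _account("start", user, session=sid, service=service, location=location, time=now)
    return True, reason, sid


def session_stop(user, sid, now):
    """Close a session and write the stop record; returns the duration in seconds."""
    started = SESSIONS[user].pop(sid)
    duration = (now - started).total_seconds()
    _account("stop", user, session=sid, time=now, duration=duration)
    return duration


if __name__ == "__main__":
    print(access_request("bob", "hunter2", "wifi", "hq", at(20, 30)))    # outside hours
    ok, _, sid = access_request("alice", "correct horse battery", "vpn", "hq", at(20, 30))
    print(session_stop("alice", sid, at(21, 0)))
    for rec in ACCOUNTING:
        print(rec)
```

Every denied request is accounted as well as every granted one; an AAA server that only logs successes is blind to brute-force attempts and to users probing services they are not entitled to.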

– AAA Protocols –

List of AAA Protocols

  • RADIUS
  • DIAMETER
  • TACACS
  • TACACS +

Other protocols which work in combination with the above protocols are:

  • PPP
  • EAP
  • LDAP

RADIUS
RADIUS stands for Remote Authentication Dial In User Service (RFC 2865 for authentication and authorization, RFC 2866 for accounting).
It is an AAA protocol for applications such as network access, for both local and roaming situations.
When a user connects to an ISP via a modem, DSL, cable or wireless connection, the provider usually asks for a user name and password.
These are sent to a Network Access Server (NAS) over the Point-to-Point Protocol (PPP), and the NAS forwards them to the RADIUS server in a RADIUS Access-Request. The NAS and the client negotiate an authentication method such as PAP, CHAP or EAP; the RADIUS server verifies the resulting credentials against its user database (a local file, an SQL database or an LDAP directory).
If the credentials are accepted, the server returns an Access-Accept that tells the NAS to grant access and carries the session attributes, such as the IP address to assign; otherwise it returns an Access-Reject.
RADIUS runs over UDP (User Datagram Protocol), by convention on port 1812 for authentication and 1813 for accounting (older deployments use 1645 and 1646). NAS and server share a secret, but the only field that secret hides on the wire is the User-Password attribute, which is obfuscated with an MD5-based keystream. The rest of the packet, including the user name, is sent in the clear, so RADIUS traffic should only cross trusted networks or be tunnelled (for example over IPsec, or RADIUS over TLS as specified in RFC 6614).
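The exchange described above, as an added example in Python that is not from the page, from RFC 2865's authors or from any vendor: the NAS side builds an Access-Request with the User-Password hiding of RFC 2865 section 5.2, the server side parses it, recovers the password and answers with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply, the request authenticator and the shared secret, and the NAS side checks that authenticator before trusting the reply. The shared secret, the user database, the NAS address and the assigned Framed-IP-Address are constructed for the demo.

```python
"""Added example (not from RFC 2865's authors or any vendor): building, parsing
and answering a RADIUS Access-Request, including User-Password hiding
(RFC 2865 s5.2) and the Response Authenticator check (RFC 2865 s3).
Secret, users and addresses are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 2, 4, 5, 8


def hide_password(password, secret, request_authenticator):
    """Pad with NULs to a multiple of 16, then c1 = p1 XOR MD5(secret+RA),
    c_i = p_i XOR MD5(secret + c_(i-1)).  Note: this is obfuscation keyed by
    the shared secret, not authenticated encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side: same keystream, chained on the received cipher blocks.
    Trailing NULs are padding (so passwords ending in NUL are unsupported)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """One TLV attribute: Type(1) Length(1, includes the 2 header bytes) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip="192.0.2.1", nas_port=0):
    ra = os.urandom(16)   # Request Authenticator: fresh random value per request
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_packet(pkt):
    """Returns (code, ident, authenticator, {type: value}); rejects malformed input."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def server_handle(request, secret, users):
    """Server side: verify the credentials and answer Accept or Reject."""
    code, ident, ra, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    if user in users and hmac.compare_digest(users[user].encode(), pw):
        return build_response(ACCESS_ACCEPT, ident, ra, secret,
                              attribute(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 42])))
    return build_response(ACCESS_REJECT, ident, ra, secret)


def verify_response(response, request, secret):
    """NAS side: trust a reply only if its ID matches our request and its
    authenticator proves knowledge of the secret and of our Request Authenticator."""
    _, req_id, ra, _ = parse_packet(request)
    _, resp_id, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + ra + response[20:] + secret).digest()
    return resp_id == req_id and hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    SECRET, USERS = b"testing123", {"alice": "correct horse"}
    req = build_access_request(7, "alice", "correct horse", SECRET)
    print("User-Name on the wire:", parse_packet(req)[3][USER_NAME])   # cleartext
    rsp = server_handle(req, SECRET, USERS)
    print("reply code", rsp[0], "authenticator valid:", verify_response(rsp, req, SECRET))
```

Two things worth noticing when running it: the user name is readable in the captured request while only the password attribute is hidden, and because the keystream is just MD5 over the secret and a value that is also on the wire, a single captured request and reply is enough for an offline dictionary attack on a weak shared secret.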

DIAMETER
Diameter (RFC 6733, originally RFC 3588) is also an AAA protocol for applications such as network access, for both local and roaming situations.
It is the designated successor of RADIUS rather than an upgrade of it: Diameter is not backward compatible with RADIUS, although translation agents can bridge the two.
The name is a pun on RADIUS, its predecessor (a diameter is twice the radius). Diameter improves on RADIUS with reliable transport, a much larger attribute space, explicit capability negotiation between peers, server-initiated messages and mandatory transport security.
Diameter runs over TCP or SCTP on port 3868 and is specified to be protected with TLS, DTLS or IPsec. Today it is used mainly in mobile operator core networks (3GPP).

TACACS
TACACS stands for Terminal Access Controller Access Control System (RFC 1492).
It is a remote authentication protocol that lets a remote access server communicate with a central authentication server in order to decide whether a user may access the network.
The client accepts a user name and password and sends a query to the TACACS authentication server, normally a daemon running on a host. The server decides whether the request is accepted or rejected and replies accordingly.
The original TACACS uses UDP port 49 (a TCP variant was allowed as well); Cisco's extended version, XTACACS, kept the same port.

TACACS +
TACACS+ builds on the ideas of TACACS but, despite the name, is an entirely new protocol (RFC 8907) that is not compatible with TACACS or XTACACS. TACACS+ and RADIUS have replaced the older protocols in newer networks, but plain TACACS may still be found on legacy equipment.
The main differences between RADIUS and TACACS+: RADIUS combines authentication and authorization in a single exchange (the Access-Accept carries the user's authorization attributes), whereas TACACS+ separates authentication, authorization and accounting into independent exchanges, which makes per-command authorization on routers and switches possible. RADIUS uses UDP and only obfuscates the password attribute; TACACS+ uses TCP port 49 and obfuscates the whole packet body with an MD5-derived keystream (RFC 8907 calls this obfuscation rather than encryption, because it provides neither integrity nor strong confidentiality). Administrators often prefer TACACS+ for device administration because of the reliable transport and the per-command authorization, and RADIUS for network access (802.1X, VPN), where vendor support is broadest.
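The TACACS+ body obfuscation just mentioned, as an added example in Python that is not from the page, from RFC 8907's authors or from any vendor: it packs the 12-byte TACACS+ header, derives the pseudo-pad by chaining MD5 over the session id, key, version and sequence number as RFC 8907 section 4.5 specifies, XORs an Authentication START body (a PAP login) with it, and parses the result back. The key, session id, credentials, port and remote address are constructed for the demo; the example also refuses packets that carry the "unencrypted" flag, which a production server should never accept.

```python
"""Added example (not from RFC 8907's authors or any vendor): TACACS+ header,
body obfuscation (RFC 8907 s4.5) and an Authentication START body for a PAP
login.  Key, session id, credentials and addresses are constructed for the demo."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0        # major version 0xC, minor version 0
AUTHEN, AUTHOR, ACCT = 1, 2, 3  # packet types
UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id | key | version | seq_no),
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1});
    the pad is the concatenation, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    wire_body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(wire_body)) + wire_body


def parse_packet(pkt, key):
    """Returns (type, seq_no, session_id, cleartext body).  A body sent with the
    unencrypted flag is refused outright rather than trusted."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if flags & UNENCRYPTED_FLAG:
        raise ValueError("unobfuscated TACACS+ body refused")
    return ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


def authen_start(user, password, port="tty0", rem_addr="198.51.100.7"):
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2),
    authen_service=LOGIN(1), four length bytes, then user, port, rem_addr, data."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!8B", 1, 1, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("START body length mismatch")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr,
            "data": data}


if __name__ == "__main__":
    KEY, SESSION = b"tac-key", 0x1234ABCD
    pkt = build_packet(AUTHEN, 1, SESSION, authen_start("alice", "hunter2"), KEY)
    print("user name visible on the wire:", b"alice" in pkt)
    print(parse_authen_start(parse_packet(pkt, KEY)[3]))
```

Unlike the RADIUS request, the user name does not appear in the captured TACACS+ packet. The protection is still only as good as the shared key, though: the keystream depends on nothing but the key and header fields that travel in the clear, and nothing in the packet detects tampering, which is why RFC 8907 recommends running TACACS+ only over a trusted management network.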


PPP
PPP stands for Point-to-Point Protocol (RFC 1661). It is a data link layer protocol of the TCP/IP family that carries IP (and other network protocols) over a direct link between two endpoints, for example a user's computer and the dial-in server of an internet provider.
PPP was mostly used for dial-up connections over the telephone line, but it is also used for DSL connections (as PPPoE or PPPoA). Its link setup negotiates an authentication method, PAP, CHAP or EAP, and the credentials obtained that way are what the NAS forwards to the AAA server.

EAP
EAP stands for Extensible Authentication Protocol (RFC 3748). It is an authentication framework rather than a single method: it defines how a peer and an authenticator exchange messages, while concrete methods such as EAP-TLS, PEAP or EAP-TTLS do the actual authentication. EAP is widely used on PPP links and in IEEE 802.1X, which carries EAP over both wireless (Wi-Fi) and wired (Ethernet switch port) networks. In an 802.1X deployment the switch or access point relays the EAP conversation to the RADIUS server inside EAP-Message attributes, so the authenticator itself never sees the user's credentials.

LDAP
LDAP stands for Lightweight Directory Access Protocol (RFC 4511). It is a network protocol that specifies how clients access X.500-style directory services. A directory is a kind of database that stores entries such as user accounts, addresses, personal data, telephone numbers and group memberships in a hierarchical tree. LDAP was developed to make access to such electronically stored personal and organizational information easier. It is derived from DAP, the original X.500 Directory Access Protocol; the "L" stands for Lightweight, meaning a simpler subset of DAP that runs directly over TCP/IP instead of the OSI stack. An AAA server typically uses LDAP to look up users and group memberships in a directory such as Active Directory when it authenticates and authorizes a request.

– Products of ActivIdentity –
The company ActivIdentity provides several products for securing remote access to a corporate network: server software packages, client software packages and a range of authentication devices.
Only the authentication devices are discussed below, because many different types are available and it is useful to know what the types are and how they work.

ActivIdentity Smart Cards
ActivIdentity smart cards are credit-card-sized cards with a built-in microprocessor. They hold several randomly generated access codes and require PIN verification before the card can be used. The card is read with an ActivIdentity Handheld Pin pass Reader to gain access.

ActivIdentity USB keys
With this USB key the user is authenticated and can then use the services that are authorized for that user.
The USB key works together with the AAA server and the ActivClient software. The user's private key, passwords and access profiles for the network services are stored on the key.
All the user needs to do is plug the key into the computer and enter the PIN that protects it.

– Hardware configuration and technical specifications –

Hardware configuration
The AAA Server package of ActivIdentity consists of several components. The components are:

  • Administration Console
  • Authentication Server (RADIUS, TACACS +)

There are also several optional components. These are:

  • Web helpdesk & self service portal
  • Web access agent (IIS & Sun One)
  • Citrix Presentation Server – Web Interface Agent
  • Novell NMAS agent
  • Realm Proxy

The AAA Server package only runs well if it is installed on a system that meets the following hardware and software requirements:

Administration console

  • Intel Pentium 3 650 MHz
  • 128 MB RAM
  • 100 MB hard disk
  • Windows 2000 (SP4), Windows XP Pro (SP1), Windows Server 2003 (SP1)
  • ODBC compatible database

Authentication Server

  • Intel Pentium 3 650 MHz
  • 128 MB RAM
  • 4 GB hard disk
  • Windows 2000 (SP4), or Windows Server 2003
  • ODBC compatible database

Administration services
Below are the things that can be configured with this package, grouped by the role that configures them:

Administrator

  • Manage authentication server parameters and access
  • Define authentication, authorization and accounting profiles
  • Define authorization profiles that apply only under certain conditions

Audit manager

  • View and remove logs

Device manager

  • Create, delete and initialize devices
  • Configure devices

Help desk

  • Lock, unlock and re-synchronize personal devices
  • Activate and deactivate emergency access

Self Service Portal

  • Unlock and re-synchronize a device
  • Report stolen or lost devices

Compatibility
Below is a list of hardware and software with which the ActivIdentity AAA Server is compatible.

The AAA Server package is compatible with:

  • Any RADIUS or TACACS+ server or client (firewalls, VPNs, routers, 802.1x access points)
  • Check Point Firewall-1
  • Check Point VPN-1 SecuRemote
  • Cisco Systems Secure PIX Firewall
  • Cisco Systems Secure VPN
  • Cisco 802.1x clients
  • Citrix MetaFrame Presentation Server Web Interface
  • Funk Odyssey 802.1x client
  • Juniper Firewall and VPN
  • Microsoft 802.1x clients
  • Microsoft IIS Web Server
  • Microsoft RAS client
  • Microsoft Outlook Web Access
  • Nortel Networks Contivity
  • Novell Modular Authentication Service (NMAS)
  • Microsoft SQL Server, Microsoft Desktop Engine, Oracle databases
  • SunOne Web server
  • Leading server reporting tools

Directory services:

  • Critical Path Directory Server
  • Microsoft Active Directory
  • IBM Tivoli Directory Server
  • Novell eDirectory
  • Sun Java System Directory Server

Network Architecture
The figures below show possible placements of an AAA (RADIUS) server in a network. They differ considerably: some organizations place the RADIUS server in front of the corporate network, others place it inside it. Which placement is right differs per organization; I can't tell you which way is the best, and I think an IT architect has to make that decision for his own company.

The following figures show the architecture of a network that includes an AAA server and indicate where the AAA server sits in relation to the corporate network.

In this figure the server is placed in front of the corporate network so that it can authenticate and authorize users first; only then is it decided whether the user may enter the corporate network.

In this example, too, the AAA (RADIUS) server is placed in front of the corporate network; it shows what the network infrastructure could look like. Here the corporate network sits behind the billing server, so the AAA server has to be contacted first, and only then is it determined whether a particular user has access to the network.

In this example the AAA (RADIUS) server is placed in front of the corporate network, in the DMZ. This is also a possibility.

In this example the AAA (RADIUS) server is placed inside the corporate network. Only the authenticator (the NAS, VPN gateway or 802.1X switch or access point) sits in front of the corporate network; it relays the access request to the server, which handles it once it has received the data from the authenticator. Whichever placement is chosen, the RADIUS or TACACS+ port on the server should be reachable only from the authenticators' addresses, since the server holds the credential database and the shared secrets for every authenticator.

– Summary –

An AAA server is a server that handles requests for access to systems or services and takes care of authentication, authorization and accounting (logging).
When a user attempts to gain access to a particular network service, the AAA server first authenticates the user and then, on the basis of that identity and the configured policy, determines whether the user may use the requested service.
As described above, the authentication can be done in several ways: with passwords, and with devices such as ActivIdentity smart cards and ActivIdentity USB keys; ActivIdentity also offers fingerprint readers.

An AAA server does this for LAN connections, VPN, dial-in, web access, Terminal Services and wireless connections.
Because LDAP and SQL databases are integrated, an AAA server can be linked to an organization's own user database. It is also possible to link Active Directory to the package, so that all users can be managed centrally from Active Directory.

Some functionalities:

  • Create LDAP queries, filters and user profiles
  • Activate and deactivate temporary access
  • Report lost and stolen tokens
  • Authenticate users on routers, firewalls, VPNs or web servers
  • Encryption of:
      • the administration database
      • remote administration sessions
      • token-to-server authentication
      • authentication server exports