Lesson 9: Radius-CallBack


8/3/2019 Bài 9.Radius-CallBack

Course report: Basic Computer Networks

LAB 1: Instructor: Nguyễn Đức Quang

Student: Nguyễn Duy - 106102205


1. Overview of the PPP protocol

PPP is built on the High-Level Data Link Control (HDLC) protocol. It defines standards for transmitting data over the DTE and DCE interfaces of WAN networks such as V.35, T1, E1, HSSI, EIA-232-D and EIA-449. PPP was introduced as a replacement for the Serial Line Internet Protocol (SLIP), a simple form of TCP/IP.

PPP provides a mechanism for carrying the data of several protocols over a single link, with error correction, header compression, data compression and multilink support. PPP has two components:

Link Control Protocol (LCP): (covered in RFC 1570) establishes, configures and tears down a link. LCP also includes a Link Quality Monitoring (LQM) mechanism that can be configured together with one of two authentication mechanisms, the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP).

Network Control Protocol (NCP): NCP establishes, configures and tears down the data transfer of network-layer protocols such as IP, IPX, AppleTalk and DECnet.

Both LCP and NCP operate at layer 2. There is an extension of PPP for transmitting data over several links at once, Multilink PPP (MPPP), which uses the Multilink Protocol (MLP) to bind the LCP and NCP layers.

Operating steps of the point-to-point link protocol

- After the data is encapsulated, the source node sends LCP frames to the destination node over the point-to-point connection

- The LCP frames are used to configure the connection according to the specified parameters and to check the established connection, if required

- After the destination node accepts the connection request and a link is established, the options are negotiated by the LCPs


- The source node sends NCP (Netware Core Protocol) frames to select and configure the network-layer protocol

- After the network-layer protocol is configured, the two nodes begin exchanging data

Once the PPP connection is configured, it persists until an LCP or NCP termination signal is received. The connection can also be terminated by an error on the link or by user intervention.

2. The MPPP protocol

Slow Internet transfer rates have always been a headache for users who want high-speed Internet access. For this reason a series of broadband technologies has been introduced to relieve network congestion, such as the ADSL digital subscriber line, the ISDN integrated services digital network, cable modems and satellite. These technologies share a common trait: they are expensive and, moreover, cannot yet be deployed widely. Fortunately there is another way at an acceptable cost: the multilink point-to-point technology MPPP is an acceptable solution.

Operating principle of MPPP

The Multilink Point-to-Point protocol is an extension of the WAN link protocol currently in very wide use, the Point-to-Point Protocol (PPP). Multilink PPP allows several physical channels running PPP to be combined into one logical channel with a higher data rate, equal to the sum of the data rates of the physical channels. On the transmitting side, every packet to be sent over the logical channel is split into smaller fragments, which are sent over the component physical channels. The receiving side reorders the fragments and reassembles them into packets of the original size.

The whole process of fragmenting and reassembling the packets sent over the logical channel is controlled by dial-up WAN networking software that supports the Multilink PPP protocol.

Multilink PPP can combine several synchronous channels or several asynchronous (async) channels into one logical channel. Multilink PPP is especially effective in ISDN dial-up service. A basic rate ISDN end user can combine the two B data channels (64 kbps each) to obtain a high-speed channel (about 112 kbps). The biggest limitation of Multilink over ISDN, however, is the relatively high cost of the equipment and of the subscription. Multilink PPP also supports combining PPP channels over modems and the traditional telephone network. In that case the user can use several modems (the fastest modem standard currently supported is 56 kbps) to form a logical link with a higher rate. Here the equipment and usage costs are lower than for ISDN. However, because the data rate over a telephone line is unstable, Multilink PPP over telephone lines is not as effective as over ISDN.

3. The RADIUS concept

RADIUS is an Internet security protocol based on the client/server model. The machine accessing the network is the client, and the RADIUS server at the network edge authenticates the client. In general the RADIUS server authenticates users against a stored list of usernames and passwords. RADIUS can also act as a client that authenticates users of other systems such as UNIX, NT or Netware. In addition, a RADIUS server can act as a client of other RADIUS servers. To protect the information exchanged between the clients and the RADIUS server, encryption can be used with authentication mechanisms such as the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).

How RADIUS works

The Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 2865 and was introduced with this definition: it provides centralized authentication, authorization and access control (AAA) for SLIP and PPP dial-up sessions; the authentication offered by Internet service providers (ISPs) relies on this protocol to authenticate users when they access the Internet. It is needed in every Network Access Server (NAS) to work with the list of usernames and passwords used for authorization: a RADIUS Access-Request forwards this information to an Authentication Server, normally an AAA server (AAA - Authentication, Authorization and Accounting). Within the system architecture it makes it possible to centralize user information and access conditions at a single point, while being able to serve a large system and provide a solution for many NASs.

When a user connects, the NAS sends a RADIUS Access-Request message to the AAA server, carrying information such as the username and password, through a defined port, the NAS identifier, and a message Authenticator.

After receiving this information, the AAA server uses the supplied fields, such as the NAS identifier and the Authenticator, to verify whether this NAS is allowed to send requests. If so, the AAA server looks up and checks the username and password of the user requesting access in its database. If the check succeeds, it uses the information in the Access-Request to decide that the user's access is accepted.

When the authentication process begins, the AAA server may return a RADIUS Access-Challenge carrying a random number. The NAS forwards this to the remote user (this example uses CHAP). The user then has to answer the authentication challenge correctly (in this example, by producing the encrypted password), after which the NAS sends the AAA server a RADIUS Access-Request message.

If, after checking the user's information, the AAA server is fully satisfied that the user may use the service, it returns a RADIUS Access-Accept message. If not, the AAA server returns a RADIUS Access-Reject message and the NAS disconnects the user.

When an Access-Accept packet is received and RADIUS Accounting is configured, the NAS sends a RADIUS Accounting-Request (Start) packet to the AAA server. The server adds the information to its log file, recording when the NAS allowed the user's session to start and when it ended. RADIUS Accounting records the user's authentication process in the system; when the session ends the NAS sends a RADIUS Accounting-Request (Stop).


Security method

All RADIUS messages are encapsulated in UDP datagrams and contain fields such as the message type, sequence number, length, Authenticator and a series of Attribute-Value pairs.

Authenticator: the purpose of the Authenticator is to provide a security mechanism. The NAS and the AAA server use the Authenticator to interpret each other's encrypted information, such as passwords. The Authenticator also helps the NAS detect forged RADIUS Responses. Finally, the Authenticator is used to transform the password into a different form, preventing the user's password from being disclosed in RADIUS messages.

The Authenticator sent in the Access-Request is a random number. MD5 hashes this random number into a separate value that is ORed with the user's password and sent in the Access-Request User-Password attribute. The whole RADIUS response is then MD5-hashed together with the secret parameters of the Authenticator and the other response fields.

The Authenticator secures communication between the NAS and the AAA server, but if an attacker obtains both the RADIUS Access-Request and the Access-Response packets, a "dictionary attack" can be mounted by analysing this encapsulation. In practice, to make decryption difficult you need to use longer parameters; the full set of risks to this exchange is described in detail in RFC 3580.
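An added example (not part of the original report) of the two Authenticator uses just described, written against RFC 2865: hiding the User-Password with MD5(secret + Request Authenticator) blocks, and the NAS recomputing the Response Authenticator so that a forged or altered reply is rejected. The shared secret 123456 is the lab's; the password, identifier and attribute bytes used with these functions are constructed.

```python
import hashlib
import hmac
import struct

# Shared secret taken from this lab; every other value used with these functions is constructed.
SECRET = b"123456"
ACCESS_ACCEPT = 2  # RADIUS Code for Access-Accept
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous hidden block), the chain seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password; the chain runs over the received hidden blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def build_response(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """What the AAA server sends back: header, Response Authenticator, attributes."""
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs

def nas_accepts_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that detects a forged or tampered reply: recompute the Response
    Authenticator from the Request Authenticator it sent and the shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], req_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Note that the hiding is reversible by anyone holding the shared secret, which is why the report's point about short secrets and offline guessing matters.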

Attribute-Value Pairs: the information carried by RADIUS is described in Attribute-Value form, which supports many different technologies and many different authentication methods. A standard set of Attribute-Value pairs is defined, including User-Name, User-Password, NAS-IP-Address, NAS-Port and Service-Type. Vendors can also define Attribute-Value pairs carrying their own information as Vendor-Specific attributes; a complete example is described in RFC 2548, which defines the Microsoft Attribute-Value pairs used in MS-CHAP.


4. RADIUS Server lab model

Configuring the RADIUS Server

Choose Start > Programs > Administrative Tools > Internet Authentication Service


In the Internet Authentication Service window, right-click Internet Authentication Service (Local) and choose Register Server in Active Directory to register the RADIUS Server with the Active Directory server.

In the IAS Information dialog, click OK to complete the registration.

Designate the machine that will be the RADIUS Client > Right-click RADIUS Clients > New RADIUS Client


Shared Secret: enter 123456. We need to remember this value because we will enter it again when setting up the RADIUS Client > Finish

The description of the RADIUS Client machine appears.

Create a Remote Access Policy > Right-click Remote Access Policies > New Remote Access Policy > Next


In the Policy Configuration Method dialog, name this policy Radius Server


Choose the group DialUser


MS-CHAPv2 is selected by default

Keep the default encryption level > Next


Click Finish to complete. When the configuration is done we have the following:

Configuring RRAS to authenticate with the RADIUS server.

In the Properties - Security dialog, under Authentication provider, choose RADIUS Authentication.

Choose RADIUS Authentication


Click Yes

Choose Add


Enter the IP address of the RADIUS Server

Enter the secret. Here it is 123456


We now have the following result. Click Next

Choose Apply - OK to complete describing the RADIUS Server and setting the RRAS machine to use RADIUS as its authentication method.


Choose OK

Restart the service to finish.


So that the user can connect by dial-up and perform Callback, configure the user's Properties as follows:


The user, after the connection is made:


Capturing the packets with Wireshark:

Callback Request packet: this packet signals to the server that the incoming connection is a Callback connection. When the server receives it, it disconnects and sends back a Callback Response packet announcing that it will call back.


Callback Response packet:

The packet the server sends to tell the client that it will call back. On receiving it, the client switches to the Waiting Callback state and waits for the server to call back. When the server calls back, the Callback connection process is considered successful.
