The expanding role of the RADIUS server

The public Internet and networking in general have been huge driving forces in computing that have had an enormous impact on the conduct of business and the nature of our society.

However, as the domain of connectivity has overflowed the physical boundaries of the corporate office, the networked enterprise has become increasingly vulnerable. The ability to expand networking to new types of users over new types of media depends crucially upon the availability of security solutions that can control access to the network and guarantee privacy.

As its name implies, the RADIUS (Remote Authentication Dial-In User Service) protocol was introduced in the mid-'90s to authenticate users dialing into a network from a remote location. As dial-in network access became popular, it became clear that the access device containing the modem responsible for authenticating each user didn't scale.

Instead, the authentication of users dialing in to many access devices could be consolidated in a single RADIUS server to which all the access devices communicated via the RADIUS protocol.

The server that implements the RADIUS protocol is often called a triple-A (AAA) server, because it performs authentication, authorization and accounting. The RADIUS protocol is quite simple, and its beginnings are rather humble. But as new types of access media were introduced and as diverse mechanisms and databases for user authentication were deployed, the capabilities required of the RADIUS server also grew. And as the Internet service industry organized itself for economies of scale, the RADIUS server emerged as a central player in a complex and far-flung infrastructure.

Today, RADIUS servers negotiate access for Digital Subscriber Line (DSL), virtual private network (VPN), mobile cellular and wireless LAN users; operate against a multitude of credentials databases, including SQL, Lightweight Directory Access Protocol, Windows, Unix and SecurID; negotiate with one another to support access wholesaling and brokerage arrangements among carriers, Internet service providers and corporate customers; and provide the usage information that allows service providers to bill customers.

RADIUS finds room to grow in wireless market

The driving force behind each wave of expansion in RADIUS usage is often the introduction of a new network-access medium. Dial-up was responsible for the initial demand for RADIUS; DSL created an additional RADIUS market to support the much faster Internet access these technologies afford; and VPN access over the Internet is responsible for yet another market. The media that will drive new RADIUS markets in the future are wireless ones, including WLAN and cellular technologies.

The 802.11 WLAN is the most immediate opportunity for expansion of the RADIUS infrastructure. The WLAN is compelling to the enterprise because it untethers the laptop and makes PDAs useful instruments of business. With a WLAN, knowledge workers can bring their computers into the conference room, workers can operate inventory applications on their feet, and medical personnel can update records from the bedside. Plus, networks can be deployed at lower cost, with little facilities planning, and they can be redeployed without drilling into walls or rerouting cables.

Early WLANs, circa 2000, had problems in security and scalability. WLAN devices were based on a cryptographic confidentiality mechanism called Wired Equivalent Privacy. WEP's security was based on matching keys stored in the access point (AP) and the client's PC. Either a separate key was set up for each client PC, or the same key handled all users. In any case, each AP had to be configured with the same set of keys to allow roaming.

This was quickly found to be unscalable. In addition, replication of keys to multiple APs was understood to be a security hazard. The WLAN industry responded by doing exactly what the dial-up industry did several years earlier: It turned to RADIUS to organize access control. In 2001, the IEEE introduced the 802.1x protocol as a means for a client PC to communicate authentication information to an AP and anointed RADIUS as the protocol of choice for the AP to use with a back-end security server.

This solved the scalability problem. It also increased security by ensuring that fresh encryption keys were generated dynamically each time a user is authenticated. The keying information was to be generated by the RADIUS server based on secret and unpredictable information generated during authentication. This mandate for not only authenticating users but also generating keying information to be used in the subsequent data connection makes the RADIUS server a central player in each WLAN deployment.

Security remains an issue

However, security problems remained. The main problem affecting RADIUS had to do with the security of the authentication itself. Password-based authentication mechanisms commonly in use were notoriously subject to dictionary attacks by eavesdroppers. That is, someone nearby could listen to the WLAN transmissions, observe an authentication and then replicate that authentication off-line, trying millions of common or probable passwords hoping to hit upon the right one. Because passwords tend to be relatively low-entropy secrets, this type of attack would succeed with some regularity.

While these vulnerable authentication mechanisms have been in common use over dial-up lines, eavesdropping a dial-up connection is difficult, but eavesdropping a radio connection is ridiculously easy. Therefore, mechanisms needed to be developed to protect the user's credentials.

One alternative to password-based authentication is the use of public- or private-key certificates, and a protocol already existed to perform this authentication (Extensible Authentication Protocol-Transport Layer Security, or EAP-TLS). However, deploying certificates to large user bases is a difficult administrative problem, and most enterprises have avoided it.

To solve the problem of password confidentiality without resorting to user certificates, two new authentication protocols were developed. Funk Software Inc. and Certicom Corp. introduced EAP-TTLS (Tunneled Transport Layer Security) in August 2001, and Microsoft Corp. and Cisco Systems Inc. introduced EAP-PEAP (Protected Extensible Authentication Protocol) several months later. Both are based on performing password-based authentications within the protection of an encrypted tunnel based on the certificate of a trusted server. These protocols eliminate the security issues related to password-based authentications on a WLAN.

Paul Funk

However, a serious problem remained. The WEP protocol itself was shown to be highly flawed in more than one way. It was demonstrated that by eavesdropping on about a million packets (which might be done in as little as a half hour), the WEP encryption could be broken and all data traffic revealed to the attacker.

The revelations concerning WEP put a severe dent in WLAN adoption by security-conscious enterprises. The IEEE raced to fix the security issues, and the result has been two new standards: Wi-Fi Protected Access (WPA) and 802.11i. WPA represents a "prerelease" of 802.11i by an ad hoc industry group eager to fix the security problems as quickly as possible before the final 802.11i specification is approved by the IEEE. WPA equipment began appearing in the summer 2003; 802.11i equipment should be appearing in the middle of 2004. These new encryption protocols should allay the fears of the market and eliminate perceived security barriers to widespread deployment of WLANs.

Interestingly, the use of 802.1X for authenticating wireless access based on user identity has engendered a similar effort for traditional wired LANs. Leading switch manufacturers such as 3Com Corp., Alcatel, Cisco Systems Inc., Enterasys Networks Inc., Extreme Networks Inc., and Juniper Networks Inc. have embraced 802.1X as a means of authenticating users to a wired LAN port and assigning them to an appropriate virtual LAN. This essentially allows each user's access to the LAN to be conditioned on who the user is, not which Ethernet receptacle he happened to plug into. To the extent that use of 802.1X becomes the norm, both for wireless and wired LAN access, the RADIUS server occupies an increasingly critical position in the network infrastructure.

The WLAN is also compelling to the Internet service provider. The emerging public "hot-spot" market will expand the locus of Internet availability to the coffee shop, shopping mall, airport and elsewhere. Though ubiquitous mobile access via cellular technologies has lost its tempo, WLAN hot spots can at least fill the gap in areas of high traffic.

Once the cellular technologies take off, the WLAN hot spot is still likely to offer higher bandwidth for some time to come. A plausible scenario for the future is for someone to retain seamless connectivity from the office to the coffee shop and back: WLAN in the office, Code Division Multiple Access (CDMA) crossing the street and WLAN again in the coffee shop.

Public hot-spot networks require robust AAA functionality for authenticating users, authorizing them for specific levels of service and accounting to track usage and enable settlement between providers. In addition, network operators and service providers want to leverage as much of their existing infrastructure as possible, and the RADIUS server is a critical component for enabling this.

In 2000, wireless operators introduced cellular data services. The overall architecture for the CDMA and GSM/GPRS data networks is based on standards set by the Third Generation Partnership Project (3GPP) and 3GPP2 organizations. These standards endorse the use of RADIUS (and the up-and-coming "son of RADIUS" protocol, Diameter) for authenticating users to the data network, assigning IP addresses to the mobile device, managing the mobility of the user and providing network state information to Wireless Application Protocol gateways and other network servers.

Though the expected growth of this market was abruptly halted by the recession, the benefits of cellular networking are as compelling to data communication as cellular telephony is to voice communication, and investment in this market can be expected to see a resurgence.

Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon