Monday, 22 October 2012

User Account Configuration Example - RADIUS Basic

The goal for this exercise is to configure radius authentication along with some policy to manage different types of user access. The lab topology I used is outlined in the diagram below. I used VMware Workstation to create an instance of Windows Server 2008 R2 (for radius), and used an SRX100 for the device configuration.

Configuring the SRX100
The goal of this exercise is to setup basic radius authentication. Below is a screenshot displaying the configuration that was done on the SRX100. Note that a user 'remote' was configured. This was done to map radius authenticated users to a class, in the case of this example to a read-only class. Juniper refers to this type of account as a "template account" as it serves as a template for all radius users. The username 'remote' is used by default. Keep in mind this account is configured exactly like a regular user account except no local password or DSA/RSA key was defined. We could also specify MSCHAPv2 (Microsoft Challenge-Handshake Authentication Protocol) as the handshake protocol to use within radius. This would be wise as the default protocol used by radius in Junos is PAP (Password Authentication Protocol) which passes user information in clear-text. In this case we will leave it as the default of PAP. This will allow us to look at some packet captures.

Configuring the Windows Server 2008 RADIUS settings
The following screenshots outline the set-up I completed on the Windows 2008 Server to get the radius server up and running. I do not have a domain configured so I manually created a user 'Fred' and assigned him to the group 'Juniper'. We can setup radius authentication to grant access based on group membership and use the user account 'Fred' to test this.
1. Under 'Local Users and Groups' create a new user named "fred".

2. Create a new group 'juniper' and add the user 'fred' to this group.

3. Open server manager and add the role of 'Network Policy and Access Services'.

4. Once the 'Network Policy and Access Services' role is installed open 'Network Policy Server' from the administrative tools menu. The administrative tools menu can be accessed from the start menu. The screeshot below displays the Network Policy Server window. We will need to add the SRX100 as a RADIUS client. If you right click on 'RADIUS Clients' you will see an option to create a new client. The important information to enter is the IP Address and the Shared Secret. In this case the IP address is the IP address of the SRX device and the shared secret that we configured on the SRX100 was p@ssword. The advanced tab can be left at the default settings. The screenshots below outline this.

5. Now on the left hand pane expand the 'Policies' menu, and then select 'Network Policies'. We will need to add a new policy and this can be done by right clicking on 'Network Policies' and selecting new.

6. This will open a new window to create the network policy. The important items to configure here are the policy name. Also make sure the type of network access server as 'unspecified'.

7. In the next window we can set the condition. The condition is set to a user group of 'Juniper' which 'fred' is a member of. This means that if the user is a member of this group the radius server will respond with an 'access accept' message therefore authenticating the user.

8. In the next window you can set constraints. In the case of this lab exercise we enabled PAP authentication as Junos uses this by default (and it also allows us to look at the RADIUS client/server responses in Wireshark). The other settings can be left at defaults.

9. In the next window we can specify settings such as radius attributes. For this exercise ensure that the only attribute in use is 'Service Type' and the value is 'Login'. The screenshots below outline this.

10. Now that all of the RADIUS server settings have been updated we can stop and restart the NPS service to make sure all of the settings are applied. This can be done by right clicking the NPS icon in the upper right hand corner and selecting stop NPS service. After a few seconds right click the NPS icon again and select start NPS service.

Now that all the configuration steps are complete we can test to see if this works.

It works! We also know that the template works as the template assigned a read-only class to Fred. This is proven as Fred cannot access the command 'edit' to gain access to the configuration menu. He can access read level commands such as 'show system software'.

Below is a packet capture screenshot of the RADIUS traffic that took place to authenticate Fred. In the access-request you can see the username is identified. In the reply the radius code is 'access-accept' showing the user was authenticated.

In the next post we will explore some examples using RADIUS attributes.

No comments:

Post a Comment