RSA Security 6.1 manual Tunneled Accounting


Tunneled Accounting

During authentication, a user is typically identified by attributes such as User-Name (in the authentication request) and Class (in the authentication accept response). Standard RADIUS accounting requests normally carry these same attributes in their Start, Interim, and Stop messages so that the user's identity can be recorded for accounting and auditing purposes.

When an organization uses a tunneled authentication protocol such as EAP/TTLS or EAP/PEAP, the identity of a user requesting authentication might be concealed from the RAS; the User-Name attribute carried by the outer authentication protocol is typically a nonunique value such as anonymous. As a result, the outer User-Name value included in accounting requests might not be sufficient to determine a user’s identity. Class attributes provided by an authentication server cannot be included in cleartext in an outer Access-Accept message because they might contain clues about the user’s identity, thereby defeating the identity-hiding feature of the tunneled protocol.

Tunneled accounting enables RSA RADIUS Server to pass user identity information to accounting processes without exposing user identities to a RAS or AP that should not see them. When tunneled accounting is enabled, the user's inner User-Name and Class attributes are encrypted and encapsulated in a Class attribute that is opaque to the RAS or AP. If the encapsulated information exceeds the attribute payload size (253 octets), RSA RADIUS Server returns more than one Class attribute for the user.

Tunneled accounting works as follows:

1. The RSA RADIUS Server acting as the tunnel endpoint for EAP/TTLS or EAP/PEAP encrypts a user's inner User-Name and Class attributes when it authenticates the user.

2. The server returns the encrypted information to the RAS or AP encapsulated in a Class attribute in the outer Access-Accept message. The RAS or AP associates this encapsulated identity attribute with the user, and echoes the encapsulated identity attribute whenever it generates an accounting request for the user.

3. When the RSA RADIUS Server receives an accounting request from a RAS or AP, the server scans the request for an encapsulated identity attribute.

4. If the server finds an encapsulated identity attribute, it decapsulates and decrypts the attributes to reconstitute the original inner User-Name and Class attributes.

5. The server substitutes the decrypted attributes for the ones returned from the RAS or AP.
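The five steps above, simulated end to end as an added example; this is not RSA RADIUS Server's code. Everything about the format inside the Class attribute is assumed for illustration: the MAGIC marker that tells an encapsulated identity Class apart from an ordinary Class, the chunk index byte used to reassemble a blob split across several Class attributes, and the encrypt-then-MAC construction built from HMAC-SHA256, which stands in for whatever cipher the product actually uses. The inner identity and the accounting request are constructed sample data.

```python
"""Tunneled-accounting round trip (added example; not RSA RADIUS Server's code).

Assumed, not from the manual: MAGIC marker, chunk-index byte, and the
HMAC-SHA256-based encrypt-then-MAC cipher standing in for the real one.
"""
import hashlib
import hmac
import os

MAX_ATTR_PAYLOAD = 253   # RADIUS attribute value limit (Length octet minus Type/Length)
ATTR_USER_NAME = 1       # RFC 2865 attribute numbers
ATTR_CLASS = 25
ATTR_ACCT_STATUS_TYPE = 40
MAGIC = b"\xaa\x55"      # hypothetical marker: this Class carries encapsulated identity
CHUNK = MAX_ATTR_PAYLOAD - len(MAGIC) - 1   # room left after marker and index byte


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Illustrative encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("encapsulated identity failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def encode_avps(avps):
    """Pack (type, value) pairs in RADIUS AVP layout: Type, Length, Value."""
    out = b""
    for t, v in avps:
        if len(v) > MAX_ATTR_PAYLOAD:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_avps(data):
    avps, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP")
        avps.append((t, data[i + 2:i + length]))
        i += length
    return avps


def build_identity_classes(key, inner_avps):
    """Steps 1-2: encrypt inner User-Name/Class, split into <=253-octet Class values."""
    blob = seal(key, encode_avps(inner_avps))
    pieces = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]
    return [(ATTR_CLASS, MAGIC + bytes([idx]) + p) for idx, p in enumerate(pieces)]


def reconstitute(key, acct_avps):
    """Steps 3-5: find echoed identity Class values, decrypt, substitute them in."""
    pieces, others = {}, []
    for t, v in acct_avps:
        if t == ATTR_CLASS and v.startswith(MAGIC):
            pieces[v[len(MAGIC)]] = v[len(MAGIC) + 1:]
        else:
            others.append((t, v))
    if not pieces:
        return acct_avps                       # ordinary request: nothing to substitute
    if sorted(pieces) != list(range(len(pieces))):
        raise ValueError("missing Class chunk")
    inner = decode_avps(unseal(key, b"".join(pieces[i] for i in sorted(pieces))))
    inner_types = {t for t, _ in inner}
    return [(t, v) for t, v in others if t not in inner_types] + inner


KEY = b"constructed-example-key"   # constructed; the real key never leaves the server


def demo():
    # Constructed inner identity, visible only at the EAP/TTLS or EAP/PEAP tunnel endpoint.
    inner = [(ATTR_USER_NAME, b"alice@example.com"), (ATTR_CLASS, b"engineering" * 20)]
    classes = build_identity_classes(KEY, inner)      # returned in the outer Access-Accept
    # The RAS saw only "anonymous"; it echoes the opaque Class values in its Acct-Stop.
    acct_stop = [(ATTR_USER_NAME, b"anonymous"), (ATTR_ACCT_STATUS_TYPE, b"\x00\x00\x00\x02")]
    return classes, reconstitute(KEY, acct_stop + classes)


def detects_tampering():
    """A RAS that alters one echoed octet must not yield a forged identity."""
    classes, _ = demo()
    t, v = classes[0]
    bad = [(t, v[:-1] + bytes([v[-1] ^ 1]))] + classes[1:]
    try:
        reconstitute(KEY, [(ATTR_USER_NAME, b"anonymous")] + bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    classes, acct = demo()
    print(len(classes), "Class attribute(s) in Access-Accept;", "substituted:", acct)
```

The inner Class value in the sample is long enough that the sealed blob overruns 253 octets, so the server emits two Class attributes and the accounting side has to reassemble them before decrypting; the integrity tag is what lets the server reject an accounting request whose echoed Class has been altered rather than silently attributing the session to the wrong user.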

RSA RADIUS Server 6.1 Administrator’s Guide

About RSA RADIUS Server

