m (Shin moved page RADIUS 개요 to RADIUS Overview) |
|||
| Line 1: | Line 1: | ||
| − | RADIUS(Remote Authentication Dial-In User Service) | + | RADIUS(Remote Authentication Dial-In User Service) is a networking protocol, operating on ports 1812 and 1813, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. <ref>https://en.wikipedia.org/wiki/RADIUS</ref> |
| − | + | ||
| + | RADIUS authentication consists of supplicant(user device), NAS(Network Access Server), and the RADIUS server. | ||
| + | The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The RADIUS server checks that the information is correct. | ||
| − | |||
[[File:Drawing_RADIUS_1812.svg.png|400px]] | [[File:Drawing_RADIUS_1812.svg.png|400px]] | ||
| + | The imRAD was developed based on the '''[https://wiki.freeradius.org/Home FreeRADIUS]''' and provides the most of RADIUS services. | ||
| + | Our system can authenticate a User-Name in a Local database, a remote database, or an LDAP server, and by Proxy. | ||
| + | The following is the supporting DBMS or LDAP. | ||
| + | * MariaDB | ||
| + | * MySql | ||
| + | * Oracle 11g ~ 19c | ||
| + | * Microsoft SQL Server 2014 ~ 2019 | ||
| + | * Tibero 6 | ||
| + | * PostgreSQL 12 | ||
| + | * SYBASE | ||
| + | * OpenLDAP | ||
| + | * Microsoft Active Directory Domain service(AD DS) | ||
| + | * Microsoft Active Directory Lightweight directory service(AD LDS) | ||
| + | |||
| + | The imRAD applies strong security communication and sets EAP-TTLS<ref>https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_Tunneled_Transport_Layer_Security_(EAP-TTLS)</ref> as a default authentication method. | ||
| + | |||
| + | When you set the '''[[Pass-Through Authentication]]''' to authenticate a user from a remote database(e.g, Customer employee database), many traffic can be sent to the remote database whenever a user connects to a network, and it may slow down the database. | ||
| + | So, the user credentials that were authenticated from a remote database can be saved into the local database for few days. | ||
| + | To conceal the User-Name password from any imRAD administrators, the User-Name password in the user credentials is saved as hashed data using the strong hash algorithm(e.g, SHA256 with salt).We called it "cached user". | ||
| + | You can set how many days the cached users are kept in the local database from the [[RADIUS general settings]]. | ||
| + | |||
| + | Supporting TLS(Transport Layer Security) version is between 1.0 and 1.3 and can change the minimum and the maximum version from the [[RADIUS general settings]]. | ||
| + | You must make sure the TLS version because some client operating systems still use TLS 1.0. | ||
| − | + | RADIUS Proxy | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
* Proxy / Eduroam 또는 에듀롬 인증 | * Proxy / Eduroam 또는 에듀롬 인증 | ||
* NAS-ID 기반 인증 | * NAS-ID 기반 인증 | ||
Revision as of 18:06, 9 March 2021
RADIUS(Remote Authentication Dial-In User Service) is a networking protocol, operating on ports 1812 and 1813, that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service. [1]
RADIUS authentication consists of supplicant(user device), NAS(Network Access Server), and the RADIUS server. The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol. The RADIUS server checks that the information is correct.
The imRAD was developed based on the FreeRADIUS and provides the most of RADIUS services. Our system can authenticate a User-Name in a Local database, a remote database, or an LDAP server, and by Proxy. The following is the supporting DBMS or LDAP.
- MariaDB
- MySql
- Oracle 11g ~ 19c
- Microsoft SQL Server 2014 ~ 2019
- Tibero 6
- PostgreSQL 12
- SYBASE
- OpenLDAP
- Microsoft Active Directory Domain service(AD DS)
- Microsoft Active Directory Lightweight directory service(AD LDS)
The imRAD applies strong security communication and sets EAP-TTLS[2] as a default authentication method.
When you set the Pass-Through Authentication to authenticate a user from a remote database(e.g, Customer employee database), many traffic can be sent to the remote database whenever a user connects to a network, and it may slow down the database. So, the user credentials that were authenticated from a remote database can be saved into the local database for few days. To conceal the User-Name password from any imRAD administrators, the User-Name password in the user credentials is saved as hashed data using the strong hash algorithm(e.g, SHA256 with salt).We called it "cached user". You can set how many days the cached users are kept in the local database from the RADIUS general settings.
Supporting TLS(Transport Layer Security) version is between 1.0 and 1.3 and can change the minimum and the maximum version from the RADIUS general settings. You must make sure the TLS version because some client operating systems still use TLS 1.0.
RADIUS Proxy
- Proxy / Eduroam 또는 에듀롬 인증
- NAS-ID 기반 인증
- 동시 접속 제한(Accouting이 제공된는 환경에서만 가능)
- TLS 1.2 이상
- 이력
- Accounting
- 인증처리(Post-Authentication)
References