Copyright Goodheart-Willcox Co., Inc. 466 Networking Fundamentals

usernames and passwords and record user activity. A token is typically assigned to the user after authentication. The token is used to authorize the user account to various portions of the network that match the user permissions. The token is also used to track user activity.

RADIUS is referred to as a port authentication standard. Microsoft refers to it as an 802.1x security standard. Some switches have an advanced feature referred to as port authentication. Port authentication is a method in which a switch restricts access through a specific switch port until access is authenticated by a RADIUS or TACACS+ server.

To learn more about Microsoft RADIUS, visit the following Microsoft TechNet links:
■ http://technet.microsoft.com/en-us/network/bb643123.aspx
■ http://technet.microsoft.com/en-us/library/bb742381.aspx
■ http://technet.microsoft.com/en-us/library/cc731320.aspx

Diameter

Diameter is an IETF standard and a next-generation authentication protocol designed to secure a connection between two or more devices. The Diameter standard is especially applicable to roaming devices such as cell phones. In contrast to RADIUS, Diameter does not require a client/server model and can be used in a peer-to-peer network for applications such as a cell phone peer-to-peer wireless network.

Diameter allows attributes to be added to the basic Diameter protocol structure. By adding attributes, Diameter is enhanced to meet AAA security requirements. In its simplest form, Diameter is not directly compatible with RADIUS, but the IETF designed Diameter so that it can be compatible with a client/server application that uses a RADIUS server. For example, attributes can be added to the Diameter protocol that allow a Diameter device to authenticate with a RADIUS server. Diameter can be compatible with a RADIUS server without the need to translate protocols or use a gateway.
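The "attributes" the text refers to are Diameter attribute-value pairs (AVPs), carried after a fixed 20-byte message header as defined in RFC 6733. The following added example (written for this page, not taken from the textbook or from any Diameter implementation) encodes a small AA-Request, decodes it again, and applies the rule that makes attribute extension safe: an AVP the receiver does not recognise may be ignored only if its Mandatory (M) bit is clear; an unknown AVP with the M bit set means the whole message must be rejected. The host names, user name and the AVP code 9999 are constructed sample values; the known-AVP table is a deliberately tiny subset of the base protocol dictionary.

```python
"""Encode and decode a Diameter (RFC 6733) header and its AVPs.

Added example, not from the textbook. All message contents are constructed.
Header (20 bytes): version(1) | length(3) | flags(1) | command(3) | app-id(4) | hop-by-hop(4) | end-to-end(4)
AVP: code(4) | flags(1) | length(3) | [vendor-id(4)] | data, padded to a 4-byte boundary.
"""
import struct

FLAG_REQUEST = 0x80        # command flag: message is a request
AVP_FLAG_VENDOR = 0x80     # AVP flag: vendor-id field present
AVP_FLAG_MANDATORY = 0x40  # AVP flag: receiver must understand this AVP

# Subset of base-protocol AVP codes this receiver understands (assumption: a real stack has a full dictionary).
KNOWN_AVPS = {1: "User-Name", 264: "Origin-Host", 268: "Result-Code", 296: "Origin-Realm"}


def _pad(length):
    """Bytes of zero padding needed to reach the next 4-byte boundary."""
    return (4 - length % 4) % 4


def encode_avp(code, data, mandatory=True, vendor_id=None):
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)  # the length field excludes padding
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + vendor + data + b"\x00" * _pad(length))


def encode_message(command, app_id, avps, request=True, hop_by_hop=1, end_to_end=1):
    body = b"".join(avps)
    flags = FLAG_REQUEST if request else 0
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def decode_avps(body):
    """Return a list of (code, vendor_id, mandatory, data); every length is bounds-checked."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", body, off)[0]
        flags = body[off + 4]
        length = int.from_bytes(body[off + 5:off + 8], "big")
        if length < 8 or off + length > len(body):
            raise ValueError("AVP length field out of range")
        data_off, vendor_id = off + 8, None
        if flags & AVP_FLAG_VENDOR:
            if length < 12:
                raise ValueError("vendor-specific AVP too short")
            vendor_id = struct.unpack_from("!I", body, data_off)[0]
            data_off += 4
        avps.append((code, vendor_id, bool(flags & AVP_FLAG_MANDATORY), body[data_off:off + length]))
        off += length + _pad(length)
    return avps


def decode_message(msg):
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("length field does not match message size")
    app_id, hop_by_hop, end_to_end = struct.unpack_from("!III", msg, 8)
    return {"request": bool(msg[4] & FLAG_REQUEST), "command": int.from_bytes(msg[5:8], "big"),
            "app_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": decode_avps(msg[20:])}


def unsupported_mandatory_avps(avps, known=KNOWN_AVPS):
    """Codes of unknown AVPs carrying the M bit. A non-empty result means the message must be
    rejected (RFC 6733 answers with Result-Code DIAMETER_AVP_UNSUPPORTED, 5001)."""
    return [code for code, vendor_id, mandatory, _ in avps
            if mandatory and vendor_id is None and code not in known]


def build_sample_request():
    """Constructed AA-Request (command 265, NASREQ application id 1) with one unknown mandatory AVP."""
    avps = [
        encode_avp(264, b"nas.example.net"),      # Origin-Host
        encode_avp(296, b"example.net"),          # Origin-Realm
        encode_avp(1, b"alice"),                  # User-Name
        encode_avp(9999, b"\x01", mandatory=True), # hypothetical extension attribute, code 9999 is made up
    ]
    return encode_message(command=265, app_id=1, avps=avps)


if __name__ == "__main__":
    msg = decode_message(build_sample_request())
    print(f"command={msg['command']} request={msg['request']} avps={len(msg['avps'])}")
    print("reject, unsupported mandatory AVPs:", unsupported_mandatory_avps(msg["avps"]))
```

Swapping `mandatory=True` for `mandatory=False` on the code-9999 AVP turns the same message into one a base-protocol peer may accept while ignoring the extra attribute, which is exactly the mechanism that lets Diameter grow new capabilities without breaking older peers.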
RADIUS typically requires the clients and server to be configured manually, whereas Diameter supports automatic dynamic discovery through DNS.

When Diameter is extended to meet the AAA requirements, it can be used not only for authentication and authorization but also for accounting. Cell phone billing information can be included in the accounting portion of AAA. For example, a user with a Diameter-enabled portable communication device can make a secure connection with the home-office network. The user will authenticate through the network RADIUS server and be tracked not only by the client/server network but also by the cell phone service provider. You can think of it as a shared AAA environment.

The AAA proxy is any network device that acts as an intermediary to exchange security packets between the AAA server and the AAA client. For example, when a portable device such as a cell phone receives a request, it acts as the server by forwarding the authentication request to a RADIUS server for verification. The cell phone acting as a server will then act as a client to the RADIUS server when it receives verification. In this function, the cell phone acts as an AAA proxy server.

Diameter uses TCP packets only and uses IPSec and TLS for security. To learn more about Diameter, visit www.ibm.com/developerworks/library/wi-diameter/index.html.

Note: Diameter is a play on words on RADIUS; both refer to measurements of a circle.

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a secure alternative to RADIUS. TACACS+ is often confused with TACACS and thought to be an improved version of TACACS. It is actually an entirely new system, not a derivative