S 5.138 Usage of RADIUS servers
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
In large networks, authentication servers, for example RADIUS servers, should be used if possible. RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol used for the authentication, authorization, and accounting (AAA system) of users for the central securing of connections. The protocol is described in a series of RFCs, the most important of which is RFC 2865.
An authentication server should guarantee that only authorised users are able to access the internal network, and that this access can also be restricted to certain terminal devices. During the process, identification must be provided first, for example using an identifier, and then authentication is performed, for example using a password. This data should be transmitted in encrypted form. The EAP protocol (Extensible Authentication Protocol) is often used to this end. Authentication is port-based in EAP and is based on the IEEE 802.1X standard. This means that access to the network is only permitted when the client has unequivocally provided identification on the RADIUS server.
The authentication servers operated must be appropriately secured (see S 4.250 Selection of a central, network-based authentication service).
Sufficiently long and complex cryptographic keys are to be used for the shared secrets between the RADIUS server and RADIUS clients. In this case, a separate shared secret can be used for each RADIUS client-server connection if the administrative capabilities are provided.
The components used for RADIUS should meet the requirements of the RFCs for RADIUS to ensure the greatest possible interoperability between the various components. It should be possible to store the authentication and accounting protocols in a separate database system.
RADIUS communication should be restricted to ports 1812 and 1813. Ports 1645 and 1646 should not be used if possible. Other ports are to be closed if it is technically possible to close them. The RADIUS communication from the server is to be restricted to the RADIUS clients known by and authenticated on the server.
In the event of high protection requirements regarding the confidentiality of the authentication information, it is recommended to use IPSec to secure the RADIUS communication, while maintaining the integrated RADIUS procedures for securing the communication. Likewise, using a redundant RADIUS server in this case should also be considered.
The rules specifying when a RADIUS server will respond to an authentication request should be set as restrictively as possible. In this case, the rules should specify the permissible dialup times, the MAC address of the RADIUS client requesting a connection and its port type, the IP address of the RADIUS client, and the EAP method to be used for authentication.
Review questions:
- Does the central, network-based authentication service dispose of a regulation regarding remote dial-in connections?
- Have the ports for RADIUS communication been restricted to the required extent (e.g. port 1812 and/or port 1813)?
- In the event of high protection requirements regarding confidentiality: Is IPSec used in addition to the internal RADIUS procedures in order to secure the communication?
- In the event of high availability: Has the RADIUS service been designed redundantly?
- Has the RADIUS service been restricted to authorised RADIUS clients on the part of the authentication server?
- Have the guidelines of the RADIUS server regarding the acceptance of authentication requests been selected as restrictively as possible?