Now our first AAA server that we're gonna talk about is RADIUS. RADIUS stands for Remote Authentication Dial-In User Service, and RADIUS is going to be the standard that we're going to see in most of our domain environments, most of our Windows environments. It's going to be what we use in order to dial in and authenticate users, not just over VPN connections but also using wireless as well. Our RADIUS is going to authenticate using UDP connections. Now, we talked about UDP much earlier in these videos over in module one, and UDP stands for User Datagram Protocol. It is non-reliable, non-verified connectivity between point A and point B. When we send packets and we send data using UDP, that means that we're not verifying that the data got to us; we're not verifying that the data got to the endpoint, and we don't send any read receipts. We don't resend data. That's TCP. So RADIUS sends and transmits using UDP.
Now, when we're talking about RADIUS, we have a couple of different components of our RADIUS system, mainly our RADIUS client and our RADIUS server. Now, when you hear RADIUS client, you may think, oh, well, that's the person who's trying to connect in remotely. Well, not quite. The RADIUS client is actually a remote access server, a RAS device, so a remote access server acts as the RADIUS client. The server providing AAA, the server providing authentication, authorization and accounting, is our RADIUS server. So once our RADIUS client tries to connect and sends a packet to try to authenticate to our AAA server, our RADIUS server is going to send back to our RAS an accept, reject or challenge. So let's take a look at this in practice before we go too much further.
We have a user who's working from home. They're trying to work from home, and they need to authenticate, so they're going to initiate a dial-in session to our remote access server. So they go through the Internet and they initiate a dial-in session to a remote access server. When they connect to the remote access server, they hand off the user's user name and password to the remote access server. Our remote access server receives that, and our remote access server is now acting as the RADIUS client. Our RADIUS client is any server that is sending authentication information directly to our AAA server. We don't put our RADIUS server, our AAA server, right out on our perimeter, because this leaves it more open to vulnerabilities; it leaves it more open to attack. We want to put our AAA server inside our protected network, because our AAA server is where we're keeping all of our user account, password and permission information. So that needs to be kept secure, and RADIUS helps us do that.
So we can say that we actually have a DMZ-type setup here. Let's actually redraw this a little bit. We have our client, and then we're gonna set up our DMZ. We have our perimeter firewall, and then we have our private firewall. So our AAA server is actually inside of our private firewall, so it makes it quite a bit more secure.
So we've sent our user name and password to a remote access server, and before our remote access server will actually complete that session with us and allow us to access devices inside our network, our remote access server sends that user name and password to the RADIUS server, to the AAA server. And it says, hey, I got this user name and password from the remote client. Are they allowed in? Or user name and password, or certificate, or whichever the case may be: I got this authentication method from this user, and they want in. Can I allow them in? Our AAA server is going to take a look at what it has in its records, and it says, yeah, that's good, they're allowed in. So it's going to send an accept message to our remote access server. And remember, the remote access server is the RADIUS client, because it is the device that is directly communicating with our AAA server, and our AAA server is our RADIUS server. So after our communication is passed, our accept is passed back to our RAS; now our RAS will finalize and initiate the VPN with our remote user. And now our remote user will just be communicating through the RAS to our network devices, so, say, our file server. Our RAS in this situation is out on our DMZ; it's out in our perimeter network. And in order to protect our user accounts, we put our AAA server, we put our RADIUS server, deeper inside of our network, so it's more protected.
We mentioned that we can also use RADIUS for WiFi. Well, how does this work? In a very similar method. So let's again modify our diagram a little bit. Instead of our RADIUS client being a RAS, our RADIUS client is going to be a wireless access point. We bring in our laptop to work, or maybe it's a company laptop that we're using, and we want to connect into our network to access our network server and all of the different functions from the wireless. So we want to access our file server and everything. But before our wireless access point is going to allow us to connect to our file server, it's going to authenticate us using RADIUS. WPA2 does support RADIUS, so we can authenticate users through a wireless access point not based on a shared key, but instead based on their account credentials, based on the user account that they logged into their computer with. All we have to do is set up our wireless access point as a RADIUS client, and we tell our wireless access point, no one is allowed to connect to you unless you can authenticate them on our AAA server. So our AAA server is able to access our Active Directory and is able to see all of our user accounts, our domain user names and passwords.
Our laptop connects over to our wireless access point, and as it does so, it sends its authentication packet; it sends its user name and password to the wireless access point. Once it receives that user name and password (remember, the wireless access point is now the RADIUS client), it sends the user name and password on to our AAA server; it's going to send it on to our RADIUS server. Our RADIUS server is going to see the user name and password that our user logged in with to the laptop. It is going to say, okay, yeah, you're good, you can connect. So it will send an accept message to the wireless access point, and the wireless access point will now allow this laptop to connect, and it can now access network resources. So that's how RADIUS allows us to authenticate not just remote VPN users, but it also allows us to authenticate users connecting to a wireless access point.
And we can see how RADIUS can be implemented in conjunction with something like Kerberos, because we can set up RADIUS, and then before we're able to connect, we have to authenticate to our AAA server; we have to authenticate to our accounting server, our authentication, authorization and accounting server. But if we were to go ahead and actually add in a ticket granting server and set up Kerberos, which, if this is a Windows domain environment, more than likely is what we're doing, then our first step after we authenticate with RADIUS, as we're authenticating with RADIUS, is that we're also receiving, and we're setting up, that ticket granting ticket. So we've authenticated with RADIUS, we're allowed to connect to the wireless access point, and we receive a ticket granting ticket that we can use in order to get service tickets to connect to these devices. So Kerberos is a flexible security initiative that we can use, and it's a flexible protocol that we can use in conjunction with RADIUS or in conjunction with the next AAA protocol that we're gonna talk about, TACACS+. So don't think that they're completely separate. Don't think that you can use RADIUS or Kerberos; they're typically used in conjunction with each other. But in the case of RADIUS, RADIUS is mainly dealing with the authentication of devices that are initially trying to connect to the network. Kerberos is more dealing with devices that are trying to connect with other resources on the network, such as a file server. But when we first are connecting in, either remotely or through a wireless access point, to our network, we're dealing with that initial RADIUS setup; we're initially dealing with our Remote Authentication Dial-In User Service.
So something to be aware of with RADIUS, however, is that RADIUS only encrypts the password in the authentication packet. So the packet header and some of the details, some of the more detailed information about where that packet is headed and where that packet is going to, is not encrypted.
The only thing encrypted in that packet
Additionally, RADIUS, as opposed to TACACS+, is going to provide us with more accounting. We have more flexibility as far as what we can log and what we can audit in RADIUS than we do in TACACS+.
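The exchange described in the lecture (an Access-Request from the RADIUS client, which is the RAS or the wireless access point, answered by an Access-Accept or Access-Reject from the AAA server, with only the password obscured on the wire), as an added Python example that is not part of the original lecture. It follows the RFC 2865 packet layout and the RFC 2865 MD5-based User-Password hiding, which is what the lecture calls "encrypting the password"; the shared secret, the user name, the passwords and the NAS identifier are constructed sample values, and the two sides run in-process rather than over a real UDP socket.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types taken from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), seeded with the Request Authenticator. Only this attribute is obscured."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; run by the server, which knows the shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Attribute = Type(1) Length(1, counting these two bytes) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype], data = data[2:alen], data[alen:]
    return attrs

def build_packet(code, ident, authenticator, attrs_bytes):
    """Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    return code, ident, data[4:20], data[20:length]

def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_access_request(username, password, secret, nas_id, ident):
    """RADIUS client side (the RAS or wireless access point). It keeps the random
    Request Authenticator so it can verify the server's reply."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request, secret, user_db):
    """RADIUS (AAA) server side: look the user up and answer Accept or Reject."""
    code, ident, request_auth, attrs_bytes = parse_packet(request)
    attrs = parse_attrs(attrs_bytes)
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs:
        expected = user_db.get(attrs[USER_NAME].decode(errors="replace"))
        supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = expected is not None and hmac.compare_digest(supplied, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, resp_auth, b"")

def client_check_reply(reply, request_auth, secret):
    """The client verifies the Response Authenticator before trusting the code."""
    code, ident, resp_auth, attrs_bytes = parse_packet(reply)
    expected = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    return code

def demo():
    secret = b"constructed-shared-secret"            # constructed sample value
    user_db = {"alice": b"correct horse battery"}    # constructed sample value
    req, ra = build_access_request("alice", "correct horse battery", secret, "wap-lobby", 7)
    accepted = client_check_reply(server_handle(req, secret, user_db), ra, secret)
    bad_req, bad_ra = build_access_request("alice", "wrong", secret, "wap-lobby", 8)
    rejected = client_check_reply(server_handle(bad_req, secret, user_db), bad_ra, secret)
    # Anyone capturing the request reads User-Name without the secret (the lecture's caveat)
    visible = parse_attrs(parse_packet(req)[3])[USER_NAME].decode()
    return accepted, rejected, visible
```

Two design points follow the RFC rather than the lecture's simplified picture: the Request Authenticator is fresh random bytes per request, so the same password hides to different bytes each time, and the client checks the Response Authenticator, so an Accept that was not produced with the shared secret is thrown away rather than trusted. Everything other than the User-Password value (the header, User-Name, NAS-Identifier) is sent in the clear, which is exactly the caveat the lecture raises.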