Integrating RADIUS with an MSSP's remote access VPN

Integrating RADIUS with an MSSP's remote access VPN

Lisa Phifer, Vice President, Core Competence, Inc.

In a recent SearchSecurity webcast, speaker Lisa Phifer, vice president and owner of consulting firm Core Competence, addressed technological developments in virtual private networks. Here Lisa answers a user-submitted question that she didn't have time to answer during the broadcast. If you missed our webcast New directions in VPNs or would like to review it, you may listen to the recorded

    Requires Free Membership to View

    Login

    SearchEnterpriseWAN.com members gain immediate and unlimited access to breaking industry news, best practices for designing and managing Wide Area Networks, WAN Security, and more -- all at no cost. Join me on SearchEnterpriseWAN.com today!

    Kate Gerwig, Editorial Director

    By submitting your registration information to SearchEnterpriseWAN.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseWAN.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

webcast on-demand.


My company will be using an outside vendor to manage the VPN. I would like the VPN to use RSA RADIUS for AAA. Does it matter if I use SSL or IPSec? What problems should I expect?

A growing number of Managed Security Service Providers (MSSPs) will integrate their remote-access VPN offering with customer-supplied authentication databases and AAA servers. As you suggest, this is often done with RADIUS, chaining RADIUS Access-Requests from the provider's AAA server to your own AAA server based on the user's domain name and/or the VPN gateway they are attempting to access.

Problems (if any) usually relate to use of vendor-specific RADIUS attributes, but as long as you stick to standard RADIUS attributes you will probably have little trouble. You'll also want to make sure that your RADIUS shared secret is long and RADIUS traffic flows over a relatively secure link between your AAA server and your provider's AAA server.

It is quite common for both IPsec and SSL VPN products to behave as RADIUS clients for user-level authentication, but the method used to carry user credentials over the VPN differs. IPsec VPNs tend to use something like Extended Authentication (XAUTH), where all users first authenticate with a group-shared secret, then sub-authenticate the user with credentials like username/password. There are known security risks associated with XAUTH; for more info, see Cisco's Web site and John Pliam's paper. SSL VPNs often send user login traffic through the SSL tunnel after first authenticating only the server (VPN gateway). However, it's important for the client to really authenticate the SSL VPN server and not just blindly accept the server's certificate; see this SANS paper for more information.


MORE INFORMATION ON VPNs:

This was first published in March 2004

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top