2011.12.23 20:37

LDAP or RADIUS? (Good)


http://www.linkedin.com/answers/technology/information-technology/computer-networking/TCH_ITS_CNW/344173-24763866


LDAP or Radius?

A lot of companies are using Microsoft AD as the enterprise IT directory, and the AD account is used as the identity to log on to remote access VPN. Let me take Cisco WebVPN as an example. There are two ways to use AD. First one: Cisco ASA --> Radius Server --> AD, with AD as a backend database of the Radius server. Second one: Cisco ASA --> AD; the ASA uses LDAP to interact with AD directly. Obviously, the second method saves one device and maintenance cost, and has better performance.

Do you think the second method is better than the first one? And will LDAP become more and more popular?


============ ANSWER ================


The two protocols are designed to do different jobs, and while binding to LDAP can be used for authentication, great care should be taken, as often the password will be passed in plain text over the network (unless you use LDAP over SSL).

RADIUS too can be misconfigured to send passwords in plain text, and you should ensure you are either tunneling RADIUS and/or using keys to protect the password in transit. Fundamentally RADIUS is designed as an AAA protocol and is robust and well understood in this role; conversely LDAP was designed as a directory _access_ protocol and is simply commonly (mis)used to provide authentication services, although it can be done well and does, as you say, give you one less box to admin.

The other major factor is whether you really want an edge device / bastion host such as an ASA to have direct access through your internal firewalls to the domain controllers, which are arguably the most sensitive and critical hosts on your network. I tend to prefer to use RADIUS, allowing my edge network to talk to the RADIUS server on a very controlled set of ports and over an unencrypted protocol which I can inspect (only the password is obscured), then allow the RADIUS server to talk to the DCs, probably using NTLMv2 rather than LDAP.

The final advantage to RADIUS is that once you have it, you can use it for all sorts of other things such as 802.1x, authenticating admin access to network kit, etc. You can also use a good RADIUS server to make decisions based on directory information, such as placing a particular user in the correct VLAN based on group membership.

Clarification added October 17, 2008:

One other point I made about authenticating against AD with LDAP rather than RADIUS and then NTLM is that LDAP binding does not give you much (if any) of an audit trail in AD, while using NTLM produces a proper audit trail in your security logs.
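
Martin's point about RADIUS being an inspectable protocol in which only the password is obscured, shown in code. This is an added example written for this page, not code from the thread or from any RADIUS product: it builds an RFC 2865 Access-Request with Python's standard library and parses it the way a firewall or IDS sitting between the ASA and the RADIUS server could, so the User-Name is readable while the User-Password is hidden under MD5 keyed by the shared secret and the Request Authenticator. The username, password, shared secret and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                   # RFC 2865 packet code
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it; requires the secret."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return plain.rstrip(b"\x00")  # strips padding: passwords may not end in NUL


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Minimal Access-Request as a NAS such as an ASA would emit (sample values only)."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per request
    values = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in values)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """What an observer without the secret sees: header, clear User-Name, hidden User-Password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs
```

The hiding is only as strong as the shared secret, which is why the answer speaks of using keys to protect the password in transit and of tunneling RADIUS where the path is not trusted.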


===============================

The LDAP solution will be easier, and you're right that RADIUS just acts as a middle-man (however, it does give you some extra control), but since RADIUS/IAS is simply a Windows component, there's not necessarily an extra device you would have to maintain. In any case, I'd simply recommend searching the web for any caveats or gotchas related to your particular version of ASA and Active Directory.

-------------------------------------

Radius is a generic AAA tool, useful if you have many devices needing authentication. If you decide to ONLY use products that can directly connect to AD, then you do not need radius. Still, it would make great middleware if you are splitting into more than one direction at the same time. Performance-wise it does not make a difference unless you have more than a few hundred connections per second...

-------------------------------------

Use LDAP: when you terminate an employee's access to the network, you can remove remote access by disabling his account instead of a two- (or more) step process.

-------------------------------------

LDAP is still popular, and anyway you need a data store for your authentication server. In an enterprise environment that datastore is commonly LDAP (SunDS, FedoraDS, AD).

If you need RADIUS (e.g. for network logon), use it. If you don't, well... there's no reason to.

-------------------------------------

ASA-LDAP(AD) authentication is easier to maintain and hence widely adopted, as VPN users can be authenticated with their login credentials, i.e. username/password on the domain.

On the other hand, if you want the users to be authenticated on a more granular level and authorized based on complex checks and logic, then RADIUS authentication is best with AD as the referenced database. RADIUS also gives an accounting feature, something which can't be achieved with just an AD.

Deployments of the ASA-AD type are popular owing to their simplicity, but if tighter controls, two-stage authentication and accounting are needed, ASA-RADIUS-AD fits the bill. You can also explore the possibility of an ASA-RADIUS server with integrated databases if the number of devices is a concern.

-------------------------------------

Whether you use radius or ldap is a question of your security policy. I've set up both. For small shops with a small administration staff, direct ldap integration makes sense. In larger shops with slightly more stringent requirements, the LDAP infrastructure and the radius infrastructure are managed by different teams, and they have to collaborate to enable remote access (The LDAP team has to set the remote-access flag, and the radius team has to associate them with the proper group). This enforces the "separation of duties" concept of security - it's a lot harder to bribe two people to violate a security policy than one.

-------------------------------------

LDAP/AD is the primary tool for managing users, agents, resources, and authorization decisions for those resources. Radius just provides a secure and flexible/extensible way to authenticate those users and agents -- whether via the ASA or some other NAS device.

In your particular scenario, using radius as the authenticator with the Cisco ASA is preferable, since with radius you can implement a whole range of authentication methods such as two-factor token, soft-token, username/password, challenge/response, etc. You cannot do this with AD or ldap. Granted, Windows/AD now has support for EAP for wireless, but so does freeradius, and radius is just so much more extensible and flexible; it lets you integrate your network backwards and forwards, and also provides redundancy.

So the short answer to whether you need ldap or radius, is that you need to use both.

-------------------------------------

While Martin's answer is so far the most complete (and he points out the insecurity of basic LDAP), a major piece of this puzzle has been missed: your domain controllers already have RADIUS software on them.
The Windows 2003 "IAS" function or Windows Server 2008 "NPS" role both provide RADIUS authentication out of the box, so no extra device or maintenance is required.
My suggestion, therefore, is AD -> ASA over RADIUS, by installing IAS or NPS on 2 of your domain controllers for failover.

-------------------------------------

The one thing I would point out is that LDAP directly from the ASA will work fine for basic authentication. When you want to do more things like tighter restrictions, login hours, downloadable ACLs, etc., you must either extend the AD schema and map AD values to these functions, or use RADIUS. Microsoft IAS is a fairly easy solution to get working, and (sorry to correct you, Gregg) when you disable an account in AD, RADIUS will have it automatically disabled if you are using Microsoft's IAS or Cisco Secure ACS (my preference) tied to AD.
