VPN and RADIUS

The boom in telecommuting and the need to support more remote workers is making life tough for IT managers. Besides the normal work of maintaining remote-access server (RAS) equipment, managers often find their time consumed administering access rights and authentication privileges on several geographically dispersed remote-access servers at once. Enter the Remote Authentication Dial In User Service (RADIUS), a widely used authentication protocol. Most remote-access equipment vendors support RADIUS in their remote-access servers, and many virtual private networking (VPN) equipment vendors also support using a RADIUS server for user authentication. For IT managers, the main attraction of RADIUS is that it simplifies administration of user authentication by keeping a centralized database of access rights.
Without RADIUS, IT managers have had to maintain access rights on multiple pieces of equipment. This leads to a problem: when someone joins or leaves the company, a manager must add or change that person's access rights on every piece of access equipment, and an account missed on one box stays open there. RADIUS avoids such problems. IT managers can use a single RADIUS server to authenticate users dialing into multiple remote-access servers, so they maintain a single authentication database, and every user dialing into the network is authenticated against it. Removing a departed employee's account in that one database revokes access on every RAS at once.
For such centralized authentication to work, the RAS or VPN equipment must communicate securely with the RADIUS server and verify that the user meets certain conditions before granting access to the network. The process is transparent to the user dialing in. A user places a call into a remote-access server and a Point-to-Point Protocol (PPP) session is initiated. The RAS or VPN device takes the authentication information, such as a user name and password, and passes it to the RADIUS server in an Access-Request message. The password is not sent in the clear: it is hidden using a secret shared between the device and the server, and that same shared secret is what lets the device check that a reply really came from its RADIUS server rather than from someone spoofing it. If the user is in the database and has access privileges to the network, the RADIUS server signals the remote-access server with an Access-Accept that it is OK to continue the process. In the same reply, the RADIUS server also sends what is called profile information about the user to the remote-access server.
The profile can include the user's IP address, the maximum time the user may remain connected to the network, and the phone number the user is allowed to dial to reach the network. The RAS or VPN device takes this information and checks that the user meets every item on the checklist. If all the conditions are met, the PPP negotiation with the user is completed and access is granted. If the user fails any condition, say the person dialed a number reserved for other people in the company, the call is terminated.
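The exchange described above, worked through as an added example that is not part of the original article and not any vendor's code: a minimal RADIUS client (the RAS/VPN side) and server in Python following the RFC 2865 packet format, with the password hidden under the shared secret on the way in and the reply authenticated with that secret on the way back. The shared secret, the user database, the user name, password, IP address and phone numbers are all constructed fixtures. The server returns the profile attributes Framed-IP-Address, Session-Timeout and Called-Station-Id in its Access-Accept and the RAS enforces the dialed-number check, as the article describes; a production RADIUS server would usually evaluate such check items itself before accepting.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, SESSION_TIMEOUT, CALLED_STATION_ID = 1, 2, 8, 27, 30
# Constructed fixtures (not real credentials): the shared secret configured on both the RAS
# and the RADIUS server, and a stand-in for the server's central user database.
SHARED_SECRET = b"example-nas-secret"
USER_DB = {"alice": {"password": "correct horse battery",
                     "profile": {FRAMED_IP_ADDRESS: "10.0.0.42", SESSION_TIMEOUT: 3600,
                                 CALLED_STATION_ID: "5551000"}}}

def encode_attrs(attrs):
    """Serialize {type: value} into Type/Length/Value attributes; Length counts its 2-byte header."""
    out = b""
    for t, v in attrs.items():
        if t == FRAMED_IP_ADDRESS:
            v = bytes(int(o) for o in v.split("."))
        elif isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Inverse of encode_attrs; User-Password is kept as raw (hidden) bytes."""
    attrs = {}
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute length")
        v = data[2:l]
        if t == FRAMED_IP_ADDRESS:
            v = ".".join(str(b) for b in v)
        elif t == SESSION_TIMEOUT:
            v = struct.unpack("!I", v)[0]
        elif t != USER_PASSWORD:
            v = v.decode(errors="replace")
        attrs[t], data = v, data[l:]
    return attrs

def xor_password(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2 hiding: NUL-pad to 16-byte blocks; block i ^= MD5(secret + cipher block i-1),
    block 0 ^= MD5(secret + Request Authenticator). The same loop hides and unhides."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def nas_build_access_request(ident, username, password, dialed_number, secret=SHARED_SECRET):
    """RAS/VPN side: fresh random Request Authenticator, hidden password and the number dialed."""
    request_auth = os.urandom(16)
    body = encode_attrs({USER_NAME: username,
                         USER_PASSWORD: xor_password(password.encode(), secret, request_auth),
                         CALLED_STATION_ID: dialed_number})
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def radius_server_handle(request, secret=SHARED_SECRET, user_db=USER_DB):
    """Server side: check credentials against the central database, answer Access-Accept (with the
    profile) or Access-Reject, authenticated by MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    code, ident, request_auth, attrs = parse_packet(request)
    entry = user_db.get(attrs.get(USER_NAME))
    ok = False
    if code == ACCESS_REQUEST and entry and USER_PASSWORD in attrs:
        supplied = xor_password(attrs[USER_PASSWORD], secret, request_auth, decrypt=True)
        ok = hmac.compare_digest(supplied.rstrip(b"\x00"), entry["password"].encode())
    body = encode_attrs(entry["profile"] if ok else {})
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def nas_decide(response, ident, request_auth, dialed_number, secret=SHARED_SECRET):
    """RAS side: verify the Response Authenticator, then enforce the profile before finishing PPP."""
    code, rid, resp_auth, attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return "drop", {}          # forged, corrupted or mismatched reply: silently discard
    if code != ACCESS_ACCEPT:
        return "reject", {}
    if CALLED_STATION_ID in attrs and attrs[CALLED_STATION_ID] != dialed_number:
        return "terminate", attrs  # authenticated, but dialed a number reserved for others
    return "accept", attrs

def dial_in(username, password, dialed_number, ident=1):
    """Whole exchange: PPP credentials -> Access-Request -> server reply -> RAS decision."""
    request, request_auth = nas_build_access_request(ident, username, password, dialed_number)
    return nas_decide(radius_server_handle(request), ident, request_auth, dialed_number)
```

Calling `dial_in("alice", "correct horse battery", "5551000")` returns `("accept", profile)`, a wrong password or unknown user returns `("reject", {})`, and a correct login that dialed `"5552000"` returns `("terminate", profile)`. Two design points matter more than the happy path. First, `nas_decide` discards any reply whose Identifier or Response Authenticator does not match the outstanding request; without that check, anyone able to send a UDP datagram toward the RAS could forge an Access-Accept. Second, both the password hiding and the Response Authenticator are MD5 constructions keyed only by the shared secret, which is 1990s-era protection, so current deployments carry RADIUS over IPsec or TLS (RadSec, RFC 6614) rather than trusting these mechanisms alone.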