

About RADIUS Tunnels

A tunnel is a uniquely secure type of remote connection. A tunnel passes data between a remote site and an enterprise site, providing an additional layer of encrypted protocol wrapper around the data. A tunnel offers authentication and encryption features that help secure the connection against network vandals and eavesdroppers. In addition, a tunnel can provide quality of service features such as guaranteed bandwidth.

NOTE: Steel-Belted Radius Carrier does not add tunnel functionality to your network. Steel-Belted Radius Carrier is able to support the authentication and accounting needs of any tunnels that you have already set up.


Administration and configuration of the tunnel happens at the remote site, since this is the side of the connection that requests remote access and opens the tunnel. An administrator at the remote site must configure the tunnel with various attributes: its destination IP address, what security protocols it supports, its password, and so on. These attributes are stored in a database to be retrieved when needed to set up a connection.

Storing tunnel attributes on a RADIUS server simplifies tunnel connections. At connection time, the tunnel is established by a network access device at the remote site. The NAD retrieves the tunnel configuration attributes from the RADIUS server and uses them to open the tunnel into the carrier's network. After the tunnel is open, the user can be authenticated at the carrier's network.

A RADIUS server is said to support tunnels if it has the ability to store and retrieve the configuration data that a NAD needs to open a tunnel. Steel-Belted Radius Carrier fully supports tunnels:

Tunnel Authentication Sequence

  1. Steel-Belted Radius Carrier receives an Access-Request message.
  2. Steel-Belted Radius Carrier checks whether the Access-Request contains a Called-Station-Id attribute. If it does, Steel-Belted Radius Carrier searches its database for a tunnel entry that contains the indicated telephone number in its Called-Station-Id list.

     If a match between the Called-Station-Id and a tunnel entry can be found, Steel-Belted Radius Carrier constructs an Access-Accept message using the Attributes list in the matching tunnel entry. It then returns the Access-Accept to the client NAD. If a match exists, skip to step 4; if no match exists, continue with step 3.

     NOTE: If realms are in use, Steel-Belted Radius Carrier also searches for the Called-Station-Id number in its realm configuration files. If a match is found, the Access-Request is routed to the realm, and the search for a tunnel is abandoned. For this reason, make sure that DNIS numbers are unique across all tunnel entries and across all realm configuration files.

  3. If no match was found in step 2, Steel-Belted Radius Carrier checks whether the Access-Request contains a username in the form User<Delimiter>TunnelName or TunnelName<Delimiter>User. <Delimiter> is a single character that must match the server's tunnel delimiter character. The order of the tunnel name relative to the username must match the server's tunnel naming convention (prefix or suffix). Both of these values are set per server (that is, all tunnels that use this server must follow the same conventions) by entering them in the Tunnels > Name Parsing panel. If a match exists, continue with step 4; if no match exists, skip to step 6.
  4. Steel-Belted Radius Carrier searches its database for a tunnel entry whose name matches the incoming TunnelName. If a match can be found, Steel-Belted Radius Carrier constructs an Access-Accept message using the Attributes list in the matching tunnel entry. It then returns the Access-Accept to the client NAD.
  5. If Steel-Belted Radius Carrier was able to match the Access-Request with a tunnel entry, the NAD uses the attributes returned in the Access-Accept message to open a tunnel into the enterprise site. Authentication of the User-Name is then attempted, usually at the carrier's site. If user authentication succeeds, the connection is complete. Otherwise, the user's connection request is denied.
  6. If no matching tunnel entry was found in steps 2 or 3, Steel-Belted Radius Carrier concludes that a tunnel is not involved in making this connection. It then continues with its User-Name parsing sequence to determine a destination for the authentication request.
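The matching order described in the sequence above (realm DNIS precedence, Called-Station-Id match, then delimiter parsing of User-Name), as an added illustration that is not Steel-Belted Radius Carrier code; the tunnel entries, realm DNIS list, delimiter and naming convention are constructed sample data, and check_dnis_unique implements the uniqueness check the NOTE asks for.

```python
# Added illustration of the tunnel matching order; not Steel-Belted Radius
# Carrier code. Tunnel entries, realm DNIS numbers, the delimiter and the
# naming convention below are constructed sample data.
TUNNELS = {
    "corpA": {"called_station_ids": {"5551000", "5551001"},
              "attributes": {"Tunnel-Type": "L2TP",
                             "Tunnel-Server-Endpoint": "192.0.2.10"}},
    "corpB": {"called_station_ids": {"5552000"},
              "attributes": {"Tunnel-Type": "PPTP",
                             "Tunnel-Server-Endpoint": "192.0.2.20"}},
}
REALM_DNIS = {"isp.example": {"5559000"}}  # DNIS numbers claimed by realms
DELIMITER = "@"        # the server-wide tunnel delimiter character
CONVENTION = "suffix"  # "suffix": User@TunnelName, "prefix": TunnelName@User

def check_dnis_unique(tunnels, realm_dnis):
    """Return DNIS numbers used by more than one tunnel entry or realm."""
    seen, dups = {}, set()
    sources = [(n, e["called_station_ids"]) for n, e in tunnels.items()] + list(realm_dnis.items())
    for name, numbers in sources:
        for num in numbers:
            if num in seen and seen[num] != name:
                dups.add(num)
            seen.setdefault(num, name)
    return sorted(dups)

def split_tunnel_name(user_name):
    """Step 3: split User-Name into (TunnelName, User) per the convention."""
    if user_name.count(DELIMITER) != 1:
        return None
    left, right = user_name.split(DELIMITER)
    return (right, left) if CONVENTION == "suffix" else (left, right)

def resolve(request):
    """Return ("realm", name, None), ("tunnel", name, attrs) or ("user-name-parsing", None, None)."""
    dnis = request.get("Called-Station-Id")
    if dnis:                                         # step 2
        for realm, numbers in REALM_DNIS.items():    # a realm match wins
            if dnis in numbers:
                return ("realm", realm, None)
        for name, entry in TUNNELS.items():
            if dnis in entry["called_station_ids"]:
                return ("tunnel", name, dict(entry["attributes"]))
    parsed = split_tunnel_name(request.get("User-Name", ""))  # step 3
    if parsed:
        entry = TUNNELS.get(parsed[0])               # step 4
        if entry:
            return ("tunnel", parsed[0], dict(entry["attributes"]))
    return ("user-name-parsing", None, None)         # step 6
```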

Configuring Tunnel Support

To configure Steel-Belted Radius Carrier to support a tunnel, you must open the Tunnels panel (described on page 142) in the SBR Administrator and add a tunnel entry.

A tunnel entry allows you to specify a list of connection Attributes such as the tunnel password, the IP address of the NAD at the enterprise site, encryption conventions to use, and so on. You can also enter the maximum number of tunnels that can be open at one time. You need to coordinate with the administrator at the enterprise site to get some of this information.

Called Station Id

DNIS (Dialed Number Information Services) refers to a capability that many network access devices have to determine and use the telephone number that was dialed to make a connection request. The RADIUS standard supports DNIS by specifying the following attributes:

When setting up a tunnel entry for the Steel-Belted Radius Carrier database, you can enter a telephone number or list of numbers in the Called Station Id list in the Tunnels panel. This list identifies Called-Station-Id attribute values that the server should expect to find in tunnel connection requests.

Dictionaries for Tunnel Support

The Tunnels panel allows you to create the Attributes list by selecting attributes from a drop-down list. The available selections include attributes from all standard and vendor-specific RADIUS dictionaries installed on the Steel-Belted Radius Carrier server.

When the server can accept a tunnel connection request, it consults the corresponding tunnel entry for the list of Attributes to return in the Access-Accept packet. Steel-Belted Radius Carrier always returns any standard RADIUS attributes that appear in the Attributes list. It also returns any vendor-specific attributes that are appropriate for the NAD that requested the tunnel connection. Vendor-specific attributes in the Attributes list that do not apply to the requesting NAD are ignored.

Concurrent Tunnel Connections

Steel-Belted Radius Carrier tracks the number of active connections for each tunnel. You can limit the number of concurrent connections that can be open through a specific tunnel. When a user requests a new connection through a tunnel, Steel-Belted Radius Carrier compares the number of active connections in a tunnel to the maximum number of connections: if a new connection would exceed the limit, Steel-Belted Radius Carrier rejects the additional connection.

For concurrent connection limits to work, each NAD that can open a tunnel must be configured for RADIUS accounting and the same Steel-Belted Radius Carrier server must be specified for both authentication and accounting.

NOTE: Concurrent tunnel connections cannot be tracked across multiple Steel-Belted Radius Carrier servers without additional software extensions. Contact Juniper Networks for more information.
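The per-tunnel concurrency limit described above, driven by RADIUS accounting Start and Stop records, as an added illustration that is not Steel-Belted Radius Carrier code; the limits, session ids and event stream are constructed sample data, and the simulate function also shows why the count drifts when accounting is sent to a different server than authentication.

```python
# Added illustration of per-tunnel concurrency limiting from accounting
# records; not Steel-Belted Radius Carrier code. Limits, session ids and
# the event stream are constructed sample data.
MAX_CONNECTIONS = {"corpA": 2, "corpB": 1}   # per-tunnel limits (absent = unlimited)
THIS_SERVER = "sbr1"                          # the server doing authentication

class TunnelSessionTracker:
    """Counts active sessions per tunnel from Accounting-Request records."""
    def __init__(self):
        self.active = {}   # tunnel name -> set of Acct-Session-Id

    def account(self, record):
        sessions = self.active.setdefault(record["tunnel"], set())
        if record["Acct-Status-Type"] == "Start":
            sessions.add(record["Acct-Session-Id"])
        elif record["Acct-Status-Type"] == "Stop":
            sessions.discard(record["Acct-Session-Id"])

    def count(self, tunnel):
        return len(self.active.get(tunnel, ()))

    def admit(self, tunnel):
        """Authentication-time decision: reject when one more session
        would exceed the tunnel's limit."""
        limit = MAX_CONNECTIONS.get(tunnel)
        return limit is None or self.count(tunnel) < limit

def simulate(events):
    """Replay constructed auth/acct events in order and return the admit
    decision for each auth event. Accounting sent to another server never
    reaches this tracker, so the count only stays right when authentication
    and accounting are pointed at the same server."""
    tracker = TunnelSessionTracker()
    decisions = []
    for ev in events:
        if ev["kind"] == "auth":
            decisions.append(tracker.admit(ev["tunnel"]))
        elif ev["kind"] == "acct" and ev.get("server", THIS_SERVER) == THIS_SERVER:
            tracker.account(ev)
    return decisions
```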


