Radius to Radius server communication

mulhollandm · ‎06-06-2007

folks

i have a vpn connection coming into my network which i'm passing onto a third party network

we use radius to authenticate our own users but the new connection uses the third party's authentication server(SecureID - i think) and they now want to our radius server and theirs to use proxy radius authentication so our radius server will authenticate their users

my concern is that as i know nothing about this i could be introducing a hole in my security model by inadvertently passing on or allowing them to pull our user details to their radius server

has anyone any ideas, thoughts or relevant documents on this please

many thanks to anyone taking the time to reply

Premdeep Banga · ‎06-06-2007

Hi,

Though there wont be any security hole in such a setup. As you just have to see on which parameters you'll decide that a request need to be proxied to their Radius server for authentication. In general all radius servers have this proxy feature.

If you have ACS server, then you can accomplish this by configuring SecureID as an external Database.

Here's something that will help you with ACS-SecureID,

http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ACS_401_AuthMan61.pdf

http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ACS_333_11_AuthMan6.1.pdf

Apart from this if you want to really proxy the request, I can help you with ACS,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp341876

I m sure pure proxy feature is there in most of the radius servers.

Regards,

Prem