Radius to Radius server communication

Unanswered Question
Jun 6th, 2007

Folks,


I have a VPN connection coming into my network which I'm passing on to a third-party network.


We use RADIUS to authenticate our own users, but the new connection uses the third party's authentication server (SecurID, I think), and they now want our RADIUS server and theirs to use proxy RADIUS authentication so our RADIUS server will authenticate their users.


My concern is that, as I know nothing about this, I could be introducing a hole in my security model by inadvertently passing on, or allowing them to pull, our user details to their RADIUS server.


Has anyone any ideas, thoughts or relevant documents on this, please?


Many thanks to anyone taking the time to reply.

Premdeep Banga Wed, 06/06/2007 - 04:02

Hi,


Though, there won't be any security hole in such a setup, as you just have to see on which parameters you'll decide that a request needs to be proxied to their RADIUS server for authentication. In general, all RADIUS servers have this proxy feature.


If you have an ACS server, then you can accomplish this by configuring SecurID as an external database.


Here's something that will help you with ACS-SecurID:


http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ACS_401_AuthMan61.pdf

http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ACS_333_11_AuthMan6.1.pdf


Apart from this, if you really want to proxy the request, I can help you with ACS:


http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp341876


I'm sure the pure proxy feature is there in most RADIUS servers.


Regards,

Prem
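
The reply above says the setup hinges on which parameters decide that a request is proxied. The following is an added example, not code from this thread or from Cisco ACS: a sketch of that decision keyed on the User-Name realm suffix, where only explicitly listed realms are forwarded and local or bare names never leave the local server. The realm names, the upstream label and the choice of realm suffix as the parameter are assumptions.

```python
from dataclasses import dataclass

# Constructed values for illustration; none of these come from the thread.
LOCAL_REALM = "corp.example"
PROXY_TABLE = {"partner.example": "partner-radius"}  # realm suffix -> upstream label

@dataclass(frozen=True)
class Decision:
    action: str        # "local", "proxy" or "reject"
    target: str = ""   # upstream label when action == "proxy"
    reason: str = ""

def route(user_name: str) -> Decision:
    """Decide where an Access-Request goes, using only the User-Name realm suffix."""
    name = user_name.strip().lower()
    # Ambiguous names (two '@', embedded whitespace/control chars) are refused
    # so a crafted name cannot be read as local by one server and remote by another.
    if not name or name.count("@") > 1 or any(c.isspace() or ord(c) < 0x20 for c in name):
        return Decision("reject", reason="malformed User-Name")
    user, sep, realm = name.partition("@")
    if not user:
        return Decision("reject", reason="empty user part")
    if not sep or realm == LOCAL_REALM:
        return Decision("local", reason="no realm or local realm")
    if realm in PROXY_TABLE:
        return Decision("proxy", PROXY_TABLE[realm], "explicit proxy entry")
    # Unknown realms are rejected rather than sent to a default upstream.
    return Decision("reject", reason="realm not in proxy table")

def leaked(user_names):
    """Return bare or local-realm names that would be proxied; expected to be empty."""
    out = []
    for n in user_names:
        realm = n.strip().lower().partition("@")[2]
        if route(n).action == "proxy" and realm in ("", LOCAL_REALM):
            out.append(n)
    return out

# Constructed sample User-Name values.
SAMPLES = ["alice", "bob@corp.example", "carol@partner.example",
           "dave@partner.example@corp.example", "eve@unknown.example",
           "@partner.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} -> {route(s)}")
    print("local names forwarded:", leaked(SAMPLES))
```

Running the same sample names through the real server's proxy rules and comparing against this table is a quick way to confirm that no local account name matches a forwarding rule.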
