TELKOMNIKA Indonesian Journal of Electrical Engineering
Vol.12, No.4, April 2014, pp. 3040 ~ 3045
DOI: http://dx.doi.org/10.11591/telkomnika.v12i4.4776
Received September 10, 2013; Revised November 23, 2013; Accepted December 3, 2013
Based on the RADIUS and AAA Authentication of the Campus Networks Security System Design and Implementation
Yuyang Lu*1, Xiang Zhang Chen2, Wenjie Wang3, Yong Yang4
School of Information Management Technology, College of Industrial Technology, Xuzhou, Jiangsu, 221000, China
*Corresponding author, e-mail: luyy@mail.xzcit.cn1, chenxz@mail.xzcit.cn2, wangwj@mail.xzcit.cn3, handanyangyong@126.com4
Abstract
With the construction of the digital campus, the function of the network has become more and more important. The core of the digital campus is high speed, powerful functions and wide resources. The campus network is a special network that serves a special user community: it is open in thinking and active in technology, and it uses access-layer access, so its security is lower and it is vulnerable to illegal users and virus attacks. This paper applies RADIUS and AAA authentication technology in the campus network; through user authentication it strengthens the network access restrictions and the log service, making campus network management more systematic and safe.
Keywords: AAA, RADIUS, network security, campus network
Copyright © 2014 Institute of Advanced Engineering and Science. All rights reserved.
1. Introduction
The campus network (CN) is the comprehensive information service network for the teaching and research of teachers and students. All kinds of people on campus are connected to the net, so it is hard to prevent an attack by someone with network skills once they connect. If they get into the CN and modify the configuration of the network equipment, the CN will be damaged and paralysed. The purpose of this paper is to build a safe CN by using Cisco AAA to configure the authentication, authorization and accounting security functions. The Cisco AAA architecture has three independent security functions which together realize secure access control. The AAA security model can intelligently control which users visit which network resources by applying the relevant authorization policy and auditing the conditions of service use. This comprehensive security service brings efficient network management and safe network access together. Turning on the AAA function of network equipment such as a router lets it connect to the Cisco security server through these protocols. Cisco AAA includes three basic parts: Authentication, Authorization and Accounting. They depend on each other: a user can be authenticated without authorization and accounting, but cannot be authorized or accounted without authentication. The protocols used for AAA authentication are the RADIUS protocol, the TACACS protocol and the HWTACACS protocol.
2. CN AAA Authentication Security Development
Next, the network security settings of a section of a college network topology are used to show that an AAA authentication system enhances network safety. The example runs from the college central equipment room to a dormitory. In the central equipment room an AAA server is placed, which is simulated by a virtual machine running the Server 2003 operating system, and in the student dormitory another ordinary virtual machine simulates the student client. The intermediate equipment is a Cisco 3700 series router. On the right-hand side, in the student dormitory, a router with a switching module acts as the dormitory floor switch (this can be simulated as a switch in GNS3). The ISP Internet is simulated by a router named ISP in Figure 1, and the cloud in Figure 1 represents the network. The AAA server uses RADIUS authentication, and the switch uses the 802.1X authentication system. Figure 1 is the dynamic IP address distribution topology of the network.
Figure 1. The Dynamic IP Address Distribution Topology
2.1. Network Equipment Related Configuration (Some Part)
SW1 configuration:
SW1(config)#hostname SW1 //switch name: SW1
SW1(config)#enable password cisco
AAA configuration:
SW1(config)#aaa new-model //enable AAA globally; it is off by default
SW1(config)#aaa authentication login default group radius local
SW1(config)#aaa authentication login LOCAL1 local //login list named "LOCAL1" uses the local user database
SW1(config)#aaa authentication login NOACS line none //lockout protection: keeps a way into the device after a failed login
SW1(config)#aaa authentication dot1x default group radius local
SW1(config)#aaa authorization exec cisco group radius local
SW1(config)#aaa authorization network default group radius local //after successful authentication, users authorized by RADIUS can enter the network
SW1(config)#aaa accounting exec cisco start-stop group radius //account exec-mode users, recording the start and end time
SW1(config)#aaa accounting commands 15 cisco start-stop group tacacs+
DHCP address pool configuration:
SW1(config)#ip dhcp excluded-address 10.10.10.1 10.10.10.5 //addresses 10.10.10.1 to 10.10.10.5 are reserved and never handed out; the rest of the pool is available
SW1(config)#ip dhcp pool AAA
SW1(dhcp-config)#network 10.10.10.0 255.255.255.0
SW1(dhcp-config)#default-router 10.10.10.1
SW1(dhcp-config)#domain-name www.cisco.com
SW1(dhcp-config)#lease infinite
Assigning the ports that connect users to the corresponding VLAN:
SW1(config)#interface FastEthernet1/0
SW1(config-if)#switchport access vlan 2
SW1(config-if)#spanning-tree portfast
SW1(config-if)#interface FastEthernet1/1
SW1(config-if)#switchport access vlan 2
SW1(config-if)#dot1x pae authenticator
SW1(config-if)#dot1x port-control auto
SW1(config-if)#spanning-tree portfast
SW1(config)#dot1x system-auth-control //enable 802.1X authentication globally
SW1(config)#vlan 2
SW1(config-vlan)#name AAA
SW1(config)#interface vlan 2
SW1(config-if)#ip address 10.10.10.1 255.255.255.0
SW1(config)#router ospf 1 //use OSPF
SW1(config-router)#router-id 1.1.1.1
SW1(config-router)#network 10.10.10.1 0.0.0.0 area 0
SW1(config)#line vty 0 4
SW1(config-line)#authorization exec cisco
SW1(config-line)#accounting commands 15 cisco
SW1(config-line)#accounting exec cisco
SW1(config-line)#login authentication LOCAL1
SW1(config)#line console 0
SW1(config-line)#login authentication NOACS
R2(config)#interface Serial1/0
R2(config-if)#ip address 12.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#log-adjacency-changes
R2(config-router)#network 10.10.10.2 0.0.0.0 area 0
R2(config-router)#network 12.1.1.2 0.0.0.0 area 0
Use the same interface and OSPF configuration on R3:
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 192.168.123.3 255.255.255.0
R3(config-if)#no shutdown
R3(config)#interface Serial1/1
R3(config-if)#ip address 12.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3
R3(config-router)#network 3.3.3.3 0.0.0.0 area 0
R3(config-router)#network 12.1.1.1 0.0.0.0 area 0
R3(config-router)#network 34.1.1.3 0.0.0.0 area 0
R3(config-router)#network 192.168.123.3 0.0.0.0 area 0
R3(config)#ip nat inside source list 100 interface Loopback0 overload //translate traffic matched by list 100 behind the Loopback0 address
R3(config)#access-list 100 permit icmp any any //only ICMP is matched, so only ping traffic is translated
R3(config)#interface Serial1/1
R3(config-if)#ip nat inside
R3(config)#interface FastEthernet3/0
R3(config-if)#ip nat outside
2.2. Server-Side Configuration
(1) As in Figure 2, create an account named snc15 on the ACS server, then fill in the username and password (User Setup); this is the user that will later connect through the switch.
(2) As in Figure 3, add the AAA client-side and server-side information (Network Configuration): the AAA client IP address is the IP address of VLAN 2 on the switch. The shared secret is the password set on the switch, 'cisco'. Authenticate Using is RADIUS.
(3) As in Figure 4, the next step is setting the group authentication, so that after authentication the user can enter the network (Group Setup). In the IETF RADIUS Attributes option, choose all the selected options. Attention: 064 is the authentication only for the user under the VLAN; 065 is the 802.1x authentication mode; 081 sets the VLAN ID (here VLAN 2), because the pre-planned VLAN for switch authentication is VLAN 2. After all these settings, click Submit+Restart.
(4) After all the steps above, we can test on the switch whether the defined username and password authenticate successfully. Figure 5 shows the authentication succeeding:
SW1#test aaa group radius snc15 cisco new-code
Figure 2. Add User
Figure 3. Adding Client-Side Information
Figure 4. IETF RADIUS Attributes Setting
Figure 5. Authentication Test
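As an added example (not from the paper or from ACS), the following Python shows what the server-side settings of step (3) produce on the wire: ACS items 064, 065 and 081 are the RFC 2868 tunnel attributes Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID (the VLAN ID, here 2), carried in the RADIUS Access-Accept, and the switch should verify the Response Authenticator (MD5 over the packet and the shared secret 'cisco') before acting on the VLAN assignment. The packet identifier and the 16-byte Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct
# RFC 2865 packet code and RFC 2868 tunnel attributes (ACS items 064/065/081 on this page)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # IANA Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6     # IANA Tunnel-Medium-Type value "IEEE-802"

def tunnel_attr(atype, value, tag=0):
    """Encode one tagged attribute: Type, Length, Tag, Value (RFC 2868 layout)."""
    body = bytes([tag]) + value
    return struct.pack("!BB", atype, 2 + len(body)) + body

def vlan_assignment_attrs(vlan_id):
    """The three attributes that place an 802.1X client into a VLAN."""
    return (tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])   # 3-byte integer after the tag
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))

def build_access_accept(ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Switch side: reject a reply whose authenticator does not match the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_vlan(packet):
    """Walk the TLVs; return the VLAN ID only if Tunnel-Type/Medium say VLAN over IEEE-802."""
    attrs, found, i = packet[20:], {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        found[atype] = attrs[i + 3:i + alen]   # skip Type, Length and Tag
        i += alen
    if (found.get(TUNNEL_TYPE) == struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
            and found.get(TUNNEL_MEDIUM_TYPE) == struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:]
            and TUNNEL_PRIVATE_GROUP_ID in found):
        return int(found[TUNNEL_PRIVATE_GROUP_ID].decode())
    return None

# Constructed sample exchange: identifier 7, a fixed Request Authenticator, the page's secret 'cisco'
REQUEST_AUTH, SECRET = bytes(range(16)), b"cisco"
ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, vlan_assignment_attrs(2))
```

A reply whose VLAN attribute is altered in transit still parses, but verify_response rejects it because the authenticator no longer matches; a real NAS must keep the Request Authenticator of each outstanding request to perform this check.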
2.2. Test Result
(1) On the client side, verify whether the common user can enter the network. Following the hints in Figure 6, click the indicated place.
(2) As in Figure 7, input the username and password just tested in the pop-up dialog, then click OK and wait for authentication to complete.
(3) After a moment, it will display that authentication succeeded, as in Figure 8.
(4) As in Figure 9, on the client side we open the CMD command line and try to log in to SW1 with just that username and password.
(5) The client side can connect with the network outside the campus, as in Figure 10. We can try to ping the address 4.4.4.4 in the ISP topology, and then connect to the router belonging to the outside network to see the network address translation information, as in Figure 10.
(6) As in Figure 12, we check the user login time in the accounting database on the server side. Click Reports and Activity, and then choose RADIUS Accounting:
Figure 6. The Client-Side Hints
Figure 7. Local Login Hints
Figure 8. Authentication Successful
Figure 9. Try To Login SW1
Figure 10. Client Computer Visits Outside Net
Figure 11. R3 NAT Translation Table
Figure 12. Accounting Database Display
Through the above operations we can check that authenticated users obtain a usable IP address and can visit the outside network, and besides we can find the user login time. Cisco AAA is an authentication mechanism for checking users against a remote security server. It offers authentication, authorization and accounting, three basic functions for managing the mass of network users, to the network manager, which lets legal users visit all kinds of network resources safely. Cisco AAA authentication can account the legal user's login time and restrict the user's actions. At the present stage of network management, the highest authority does not belong to every administrator; it always depends on the level of ability or position, high and low respectively, with different levels of permissions. On the one hand this makes network management much more normalized; on the other hand it prevents a newcomer network manager's faulty settings from paralyzing the network.