Before you start
Objectives: Learn what Remote Access and a Remote Access Server (RAS) are, and how they are typically used and configured.
Prerequisites: no prerequisites.
Key terms: remote access, server, configuration, RAS, protocols, PPPoE
What is Remote Access
Remote Access allows a host to connect to a server or a private network and access resources on that server or network as if it were connected to the local network. A remote access connection requires some type of physical connection between the devices.
Let's say that we have a remote client that wants to access a remote office network. In the old days, to accomplish this we could connect through the public switched telephone network (PSTN) using a modem on one device, and configure a special server called a Remote Access Server (RAS) that accepts incoming phone calls. The RAS may have had a modem bank installed, which allowed connections from multiple clients on different phone lines. Users dialed up to the RAS and were granted access to the resources on the server or the private network.
Today we typically use broadband or always-on connections. In this case, we can think of the physical connection as being established when we connect the device to the network and turn it on. To connect our client to the remote server we will then typically use a Virtual Private Network (VPN) connection over the Internet. A VPN server can receive connections from remote clients through the Internet. VPN adds security on public networks like the Internet, so that the information we send can't be viewed by third parties.
Data Link Layer Connection
Following the physical connection, the devices need to negotiate a data link layer connection. When the connection is first established, the devices negotiate which protocols they will use to communicate. These are upper layer protocols such as IP; the devices also agree on compression and encryption (if any), and on the authentication method.
Two common protocols used during this phase are PPP and PPPoE. PPP was used for dial-up connections. PPPoE is used for broadband (always-on) connections, such as DSL, fiber optic, etc. PPPoE is actually a modification of PPP that allows negotiation of parameters that are not present on a regular Ethernet network. Internet Service Providers typically implement PPPoE to control and monitor Internet access over broadband links.
During the process of negotiation, the client is assigned an IP address so that it can communicate on the network. The IP address can be assigned from a range configured on the remote access server, or from a DHCP server on the private network. The assigned IP address for the remote client can be on the same subnet as the private network, or it can be on a different subnet. If the IP address is on the same subnet as the private network, the remote access server uses a process called proxy ARP to forward packets from the private network to the remote access client. With proxy ARP, the MAC address of the remote access server is associated with the IP address of the remote clients. The remote access server receives the frames addressed to the remote access client, and forwards the packets to the remote access client. If the IP address is on a different subnet, then the remote access server acts as a router sending packets between the remote client and the public network. In this configuration, the remote access server must be configured with routing enabled.
If we were to look at the protocol stack, we would see an IP packet at the network layer (layer 3), which is used to create a PPP frame at the data link layer (layer 2), where the connection parameters are negotiated. The PPP frame is then placed inside an Ethernet frame, which is sent on the network to the other device. This process is called encapsulation (the PPP frame is encapsulated in the Ethernet frame). The receiving device takes the Ethernet frame and uses the PPP information within it to identify the protocols to use, such as IP, authentication and encryption. In a normal Ethernet connection without PPP, the connection is simply established between two devices. Running PPPoE allows the devices to do things such as authentication, and to control other parameters of the connection that typically can't be controlled on a normal Ethernet connection.
Internet as Remote Network
Another example of remote access is the broadband connection to the Internet. In this case we actually connect to the remote network through an Internet Service Provider (ISP), which acts as a Remote Access Server (RAS). The client computer connects to the ISP to gain access to the Internet, and the Internet is the remote network in this case.
Authentication is the process of proving identity. PPP doesn’t actually perform the authentication. It simply helps the devices to choose the type of authentication method they will use. Once the connection is made, then authentication kicks in, and the devices must authenticate by exchanging the logon credentials. For remote connections, several authentication protocols are typically used, and those are:
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
- Extensible Authentication Protocol (EAP)
Both CHAP and MS-CHAP use some form of username and password, but the password itself is not sent between the devices. EAP is extensible, meaning that it can support multiple different methods of authentication. So, EAP can be used to support usernames and passwords, but other forms as well, such as certificates and smart cards.
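To make concrete how CHAP proves knowledge of a password without ever sending it, here is an added example (not code from the original page) of the RFC 1994 challenge/response computation on both the client and the RAS side; the user name, secret store and challenge length are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credential store for the walk-through (not real secrets).
# Note: CHAP requires the authenticator to hold the secret in recoverable
# form, because it must recompute the same digest the client computed.
SECRET_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge).
    Only this 16-byte digest crosses the link; the secret never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """RAS side: a fresh, unpredictable challenge for every attempt, so a
    digest captured from one attempt is useless against the next."""
    return os.urandom(length)


def client_answer(username: str, secret: bytes,
                  identifier: int, challenge: bytes) -> dict:
    """Remote client side: prove knowledge of the secret without sending it."""
    return {"username": username, "identifier": identifier,
            "response": chap_response(identifier, secret, challenge)}


def server_verify(answer: dict, identifier: int, challenge: bytes) -> bool:
    """RAS side: recompute the expected digest from the stored secret and
    compare in constant time. Unknown user or stale identifier -> reject."""
    secret = SECRET_DB.get(answer["username"])
    if secret is None or answer["identifier"] != identifier:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, answer["response"])


def run_exchange(username: str, secret: bytes, identifier: int = 1) -> bool:
    """One full challenge/response round trip between client and RAS."""
    challenge = new_challenge()
    answer = client_answer(username, secret, identifier, challenge)
    return server_verify(answer, identifier, challenge)


if __name__ == "__main__":
    print("correct secret:", run_exchange("alice", SECRET_DB["alice"]))
    print("wrong secret:  ", run_exchange("alice", b"guess"))
```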
After the physical connection is established, the communication parameters are agreed upon and authentication occurs. The next step is authorization. Authorization identifies what resources remote clients can access on the remote network. For example, remote clients may be allowed to access only the RAS and nothing else, if all the shared content is located on the RAS directly. We can also allow remote clients to connect to the private network, and from there further restrict them so that they can reach only certain devices.
Both authentication and authorization are typically controlled by remote access policies. Those policies identify which users may connect and whether a given connection is allowed or denied. For example, we might allow certain users to connect at any time. We can also allow or deny access for certain users based on the time of day (i.e. access only allowed during working hours). We may restrict access based on the type of connection being used (PPP, PPPoE, wired or wireless). When the user connects, the RAS checks its policies to find out what restrictions apply, and then enforces them. The policies may be defined directly on the RAS itself, which is typically done only in small implementations. In larger implementations, we may have our RAS connect to another server that identifies our users. For example, in Microsoft networks we can have a RAS server that uses Active Directory to identify users who can connect and to match users with their passwords.
If we have many clients, we might find that our RAS can't support them all. One solution to this problem would be to install a second RAS on our network. The drawback of this solution is that we have to maintain the policies on each of our RAS servers separately. The solution to this problem is a triple A (AAA) server. AAA stands for the three parts of the remote access process: Authentication, Authorization, and Accounting. Accounting is the process of keeping track of what was done during the connection and of the connection characteristics. For example, we might need to keep track of how long the clients were connected. Accounting is often used by ISPs to bill for services based on time or the amount of data downloaded. With a AAA server, instead of having policies defined on each individual RAS server, we define the policies once on the AAA server. Policies are then no longer defined on individual RAS servers. Instead, when an authentication request is received by a RAS server, it is forwarded to the AAA server, where the credentials and policies are checked to decide whether access should be allowed or denied.
RADIUS and TACACS+
There are two common solutions for providing this type of authentication mechanism. One is called RADIUS (Remote Authentication Dial-In User Service). With a RADIUS server, authentication and authorization are typically combined on a single device, while accounting is separated. We can also have a single device which combines all three (AAA). RADIUS uses UDP and encrypts only the password. RADIUS is typically used with remote access solutions in Microsoft environments.
Another solution is called TACACS+ (Terminal Access Controller Access-Control System Plus). This protocol separates all three functions (A, A, A) into different services. We can combine all three services on a single physical server that provides authentication, authorization and accounting, or we can split them between different physical machines. Another key difference between RADIUS and TACACS+ is that TACACS+ uses TCP instead of UDP. In addition, TACACS+ encrypts the entire communication between the RAS and the AAA server. It also supports more protocols besides IP. TACACS+ was developed by Cisco and is used by other vendors as well.
When implementing this kind of solution, the server that provides the AAA services is named after the protocol in use. So, if we use RADIUS, the AAA server would be called the RADIUS server. The RAS servers are in that case called RADIUS clients, which send the information to the RADIUS server. The remote access clients keep their name: they connect to the RAS server, which forwards the authentication information to the RADIUS server, which performs the authentication. Accounting keeps track of what happens during the connection.
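As an added example (not the page's own code, nor that of any RADIUS implementation) of what "encrypts only the password" means in practice, the following builds the Access-Request that a RAS sends to the RADIUS server in its role as RADIUS client: User-Password is hidden with the RFC 2865 MD5/XOR scheme keyed by the shared secret, while User-Name and every other attribute travel in the clear. The shared secret, user name and password are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS Code for an authentication request
ATTR_USER_NAME = 1       # sent in the clear
ATTR_USER_PASSWORD = 2   # the only attribute base RADIUS hides


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to 16-byte blocks, then XOR each block
    with MD5(secret || previous block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the XOR chain and strip the NUL padding
    (a password that itself ends in NUL bytes cannot survive this)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """What the RAS (RADIUS client) puts on the wire towards the RADIUS server.
    A random 16-byte Request Authenticator is drawn unless one is supplied."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs
```

Because the hiding key is derived from the shared secret and a per-request authenticator, anyone observing the UDP datagram sees the user name but not the password; protecting the shared secret is what the whole scheme rests on.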