CA Privileged Access Manager LDAP RADIUS Andreas Müller

  • Slides: 50
CA Privileged Access Manager LDAP - RADIUS Andreas Müller 28. March 2017


Agenda
1 LDAP CONCEPTS
2 CONFIGURE PAM TO AUTHENTICATE LDAP USERS
3 RADIUS CONCEPTS
4 CONFIGURE RADIUS ON WINDOWS 2012
5 CONFIGURE PAM TO AUTHENTICATE RADIUS USERS

© 2014 CA. ALL RIGHTS RESERVED. CA CONFIDENTIAL AND PROPRIETARY INFORMATION; FOR INTERNAL USE ONLY. NO UNAUTHORIZED USE, COPYING OR DISTRIBUTION.

LDAP

LDAP Concepts
• DSA design
• Application design
• Namespace / DIT design
• Schema design

(Slide diagram: an application speaking LDAP to an X.500 DSA; a DIT branch CA > R&D > Mooroolbark > Fred Smith; and the schema of that entry: objectClass org.Person, cn Fred, surname Smith, telephone 03 9727-9111, title Programmer.)

§ The X.500 directory naming strategy organises information in a hierarchical fashion. The name of an entry is called a Distinguished Name because it unambiguously distinguishes the entry within a potentially global directory system.

(Slide diagram: the hierarchy Countries > Organisations > Organisational Units > People and Devices, instantiated as Australia > ACME > Sales, Finance > John Smith, Fax Machine.)

X.500 Name: <C AU><O ACME><OU Sales><CN John Smith>
LDAP Name: CN=John Smith, OU=Sales, O=ACME, C=AU
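The slide shows the same entry written root-first in X.500 form and leaf-first in LDAP form. The converter below is an added example, not code from the deck or from CA PAM; it parses the `<TYPE value>` notation, reverses the component order, and applies RFC 4514 escaping so that a value containing `,` or `+` (a surname such as "Smith, John") cannot be misread as an extra RDN. Emitted DNs use no space after the comma, which is the RFC 4514 canonical form; the spaced form on the slide parses the same way.

```python
"""X.500 name <-> LDAP DN conversion with RFC 4514 escaping (added example, not from the deck)."""
import re

# One X.500 RDN component "<TYPE value>": an attribute type, whitespace, then the value up to '>'.
_X500_RDN = re.compile(r"<\s*([A-Za-z][A-Za-z0-9-]*)\s+([^<>]*?)\s*>")
# Characters RFC 4514 section 2.4 requires to be backslash-escaped anywhere in a value.
_SPECIAL = set('\\",+;<>')


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_x500_name(name: str) -> list:
    """Return [(type, value), ...] in root-first order; reject anything not fully parsed."""
    pairs = _X500_RDN.findall(name)
    if not pairs or _X500_RDN.sub("", name).strip():
        raise ValueError(f"not a well-formed X.500 name: {name!r}")
    return [(t.upper(), v) for t, v in pairs]


def x500_to_ldap_dn(name: str) -> str:
    """Reverse X.500 root-first order to LDAP leaf-first order and escape each value."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in reversed(parse_x500_name(name)))


def split_ldap_dn(dn: str) -> list:
    """Split an LDAP DN into (type, value) pairs, honouring backslash escapes.
    Simplified: hex escapes are decoded one code point at a time, so multi-byte
    UTF-8 hex sequences are not reassembled."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in "# ":
                buf.append(nxt)          # escaped special character: literal
                i += 2
                continue
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))   # \XX hex escape
                i += 3
                continue
        if ch == ",":
            rdns.append("".join(buf))    # unescaped comma ends the RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr_type.strip().upper(), value))
    return pairs


if __name__ == "__main__":
    # The example from the slide, plus a constructed value that needs escaping.
    print(x500_to_ldap_dn("<C AU><O ACME><OU Sales><CN John Smith>"))
    print(x500_to_ldap_dn("<C AU><O ACME><CN Smith, John>"))
    print(split_ldap_dn("CN=Smith\\, John,O=ACME,C=AU"))
```

The escaping matters whenever a DN is assembled from directory data or user input: without it, a `cn` value containing a comma silently changes which entry the DN names.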

What is the LDAP protocol?

Client Request -> Server Response
BIND (auth-level) -> CONFIRM | REFUSE (result-code)
UNBIND -> N/A
ABANDON (MessageId) -> N/A
SEARCH (base, scope, derefAlias, sizeLim, timeLim, types, filter, attributesToReturn) -> CONFIRM (results) | REFUSE (result-code)
COMPARE (DN, AttributeValueAssertion) -> CONFIRM (result-code) | REFUSE (result-code)
MODIFY (DN, attribute-operation) -> CONFIRM | REFUSE (result-code)
ADD (DN, attribute-list) -> CONFIRM | REFUSE (result-code)
DELETE (DN) -> CONFIRM | REFUSE (result-code)
MODIFYDN (DN, NewRDN, deleteOldRDN, NewSuperior) -> CONFIRM | REFUSE (result-code)
Extended Operation Request (for future expansion) -> Extended Operation Response (for future expansion)
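The BIND row is the operation PAM performs when it authenticates an AD user over LDAP. The following is an added example, not code from the deck or from CA PAM: a minimal BER encoder and decoder for an LDAPv3 simple BindRequest (RFC 4511). Encoding and then decoding the same message shows the security-relevant property of a simple bind, that the credential is carried as a plain OCTET STRING inside the SEQUENCE, which is why the LDAP connection from PAM to the directory should be LDAPS (port 636) or StartTLS. The bind DN and password are constructed sample values.

```python
"""BER encoding of an LDAPv3 simple BindRequest (RFC 4511 section 4.2); added example, not CA code."""

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30        # LDAPMessage envelope
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice.simple, [0] primitive


def ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Minimal two's-complement encoding (128 needs a leading 0x00 byte)."""
    size = max(1, (n.bit_length() + 8) // 8)
    return ber_tlv(TAG_INTEGER, n.to_bytes(size, "big", signed=True))


def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = ber_tlv(TAG_BIND_REQUEST,
                           ber_integer(3)
                           + ber_tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))
                           + ber_tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return ber_tlv(TAG_SEQUENCE, ber_integer(message_id) + bind_request)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV starting at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(pdu: bytes) -> dict:
    """Decode a simple BindRequest; the credential comes back verbatim, no key needed."""
    tag, message, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, message_id, pos = read_tlv(message, 0)
    tag, op, _ = read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("SASL bind; credential is not a simple password")
    return {
        "message_id": int.from_bytes(message_id, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "name": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample values; not taken from the slides.
    pdu = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "secret")
    print(pdu.hex())
    print(parse_simple_bind(pdu))
```

The decoder is the check a defender wants: run it over a capture of the PAM-to-directory connection and a simple bind on plain port 389 decodes to the service account's DN and password, while an LDAPS or StartTLS session yields nothing parseable.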

DEMO
§ Configuration of PAM for Active Directory
§ Import of the AD users via built-in LDAP Browser
§ Authentication of an AD User via LDAP in PAM

RADIUS

RADIUS (Remote Authentication Dial-In User Service)
A client/server protocol and software that
§ enables RAS to communicate with a central server to authenticate dial-in users and authorize their access to requested systems
§ carries authentication, authorization, and accounting information between a Network Access Server (NAS) and a shared Authentication Server.
§ RADIUS was adopted as a standard protocol by the Internet Engineering Task Force.

§ The client sends its authentication requests to a central RADIUS server that contains all of the users’ authentication and network service access information (their network ACLs).
§ A NAS operates as a client of RADIUS.
§ RADIUS is a fully open protocol and is distributed in source code format. It can be modified to utilize vendor-specific attributes.
§ It can also be used with TACACS+ and Kerberos and provides PAP or CHAP remote node authentication.

Features of RADIUS:
§ Uses the client/server model
§ Transactions between the client and the RADIUS server are authenticated through the use of a shared secret, which is never sent over the network.
§ By default uses UDP ports 1812 (authentication) and 1813 (accounting).
§ Encrypts only the password.
§ Has very strong accounting features.
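The three protocol facts on this slide (shared secret never on the wire, only the password hidden, reply bound to the request) are easiest to see in a complete Access-Request / Access-Accept exchange. The code below is an added example, not code from the deck, from CA PAM or from Windows NPS; it implements the RFC 2865 User-Password hiding, the Response Authenticator, and both the NAS side (what PAM does) and the server side (what the Windows 2012 DC does). The user name, password, secret and user database are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865 (added example, not CA code)."""
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte chunks with MD5(secret + previous block).
    The secret itself only enters the MD5 input; it never appears in the packet."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the keystream, chained on the received ciphertext blocks."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list after the header; reject malformed lengths."""
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    length = HEADER_LEN + len(attrs)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + authenticator + attrs


def build_access_request(identifier, username, password, secret, request_auth):
    """NAS / PAM side. request_auth must be 16 fresh random bytes per request."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(bytes([code, identifier]) + length.to_bytes(2, "big")
                       + request_auth + attrs + secret).digest()


def handle_access_request(packet, secret, user_db):
    """RADIUS server side: unhide the password, check it, answer Accept or Reject."""
    code, identifier = packet[0], packet[1]
    request_auth = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet)
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(
        user_db.get(attrs.get(ATTR_USER_NAME), b"\x00"), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attribute(ATTR_REPLY_MESSAGE, b"Welcome" if ok else b"Denied")
    auth = response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret)
    return build_packet(reply_code, identifier, auth, reply_attrs)


def verify_response(packet, request_identifier, request_auth, secret) -> bool:
    """Client side: accept only replies whose authenticator binds to our own request."""
    if len(packet) < HEADER_LEN or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    if packet[1] != request_identifier:
        return False
    expected = response_authenticator(packet[0], packet[1], packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed values for a local run; a real NAS uses the secret configured on the server.
    secret, request_auth = b"constructed-shared-secret", os.urandom(16)
    req = build_access_request(1, b"alice", b"s3cret", secret, request_auth)
    resp = handle_access_request(req, secret, {b"alice": b"s3cret"})
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject", verify_response(resp, 1, request_auth, secret))
```

Two caveats a practitioner will notice from the code. First, "encrypts only the password" is literal: User-Name and every other attribute are plaintext, and the hiding is a keystream derived from MD5 of the shared secret, so a weak or shared-across-many-NAS secret undermines it. Second, only the reply carries an authenticator; the Access-Request itself has no integrity check unless the Message-Authenticator attribute (RFC 3579) is added, and the modern mitigation for both points is carrying RADIUS over TLS (RadSec, RFC 6614) rather than bare UDP 1812.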

DEMO
§ Configuration of a Win 2012 DC as a RADIUS Server
§ Configuration of PAM for RADIUS
§ Import of the AD users via built-in LDAP Browser
§ Authentication of an AD User via RADIUS in PAM
