Wednesday, March 23, 2016

Deploying flexible Radiator AAA for Cisco ASR/CSR VPN

The increased use of Cisco ASR/CSR and its IPSEC VPNs with IKEv2 creates new challenges for authentication, authorisation and accounting (AAA) software. The first challenge is interoperability, especially when Cisco’s implementation of IKEv2 requires EAP-MSCHAPv2 to be used for VPN user authentication.

Most AAA server softwares support MSCHAPv2 for RADIUS authentication, but only few have support also for MSCHAPv2 encapsulated inside EAP protocol. Radiator supports them both. What is more, with Radiator it is possible to separate the MSCHAPv2 from EAP by terminating the EAP tunnel in Radiator and forwarding the inner MSCHAPv2 to other authentication servers or services.

The Radiator’s ability to separate MSCHAPv2 from EAP protocol makes it possible to use Radiator as a flexible proxy for various authentication sources (see Figure 1) such as Windows Active Directory, One-Time-Password (HOTP/TOTP) services, RSA / Yubikey / Duo Security tokens etc. For some authentication sources, Radiator works as the actual endpoint for AAA service reducing the need of multiple separate authentication servers or appliances sitting in your network.

Radiator EAP - MSCHAPv2 Architecture

Do you want to know more?

This is a popular use case and we have been been contacted by several customers who need to separate MSCHAPv2 from EAP protocol. This functionality is one reason why Radiator AAA Server is called 'The Swiss Army Knife of AAA Servers'. Radiator provides various protocols and can be used as a proxy in different environments – often with configurations that are provided without additional charge when purchasing the license.

For more information, please contact our team at sales(a.t.)