<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Anthony E. Alvarez on Medium]]></title>
        <description><![CDATA[Stories by Anthony E. Alvarez on Medium]]></description>
        <link>https://medium.com/@aalvarez?source=rss-2132ad84f100------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/2*Wwg_trgR8-kg4O83hS_0AQ.jpeg</url>
            <title>Stories by Anthony E. Alvarez on Medium</title>
            <link>https://medium.com/@aalvarez?source=rss-2132ad84f100------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Sat, 16 May 2026 10:20:58 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@aalvarez/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[2019 Year in Review]]></title>
            <link>https://medium.com/@aalvarez/2019-year-in-review-110a80e0fff9?source=rss-2132ad84f100------2</link>
            <guid isPermaLink="false">https://medium.com/p/110a80e0fff9</guid>
            <category><![CDATA[gtd]]></category>
            <category><![CDATA[getting-things-done]]></category>
            <category><![CDATA[todoist]]></category>
            <category><![CDATA[productivity]]></category>
            <category><![CDATA[email]]></category>
            <dc:creator><![CDATA[Anthony E. Alvarez]]></dc:creator>
            <pubDate>Thu, 05 Mar 2020 01:04:29 GMT</pubDate>
            <atom:updated>2020-03-05T01:04:29.905Z</atom:updated>
            <content:encoded><![CDATA[<p>Unfortunately, most people still use their #email inbox as a combination of reference material, trash, items they cannot yet decide what to do with, reminders of things to do, and everything else. <a href="http://puchowebsolutions.com/2019-Year-in-Review">Sharing my experience cleaning up my bloated email inbox using a To Do manager</a>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*564eidJCunuZMRd9iNCGtg.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[RADIUS Server Access Control]]></title>
            <link>https://medium.com/tech-jobs-academy/radius-server-access-control-12e6c9381183?source=rss-2132ad84f100------2</link>
            <guid isPermaLink="false">https://medium.com/p/12e6c9381183</guid>
            <category><![CDATA[microsoft]]></category>
            <category><![CDATA[ssh]]></category>
            <category><![CDATA[authentication]]></category>
            <dc:creator><![CDATA[Anthony E. Alvarez]]></dc:creator>
            <pubDate>Mon, 04 Apr 2016 07:02:17 GMT</pubDate>
            <atom:updated>2016-04-04T07:02:17.986Z</atom:updated>
            <content:encoded><![CDATA[<h4>for WiFi Hot Spots</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1000/0*m_ZV6Ctrj-uBTVcG.png" /><figcaption>Source: <a href="http://urbangyal.com/6-apps-every-woman-smart-phone/">urbangyal.com</a></figcaption></figure><p>This is a guide to RADIUS, <a href="http://www.wifi.keller.com/CNIT107HW7.html"><em>Remote Access Dial-In User Service</em></a>, how it can be used, and why you might want to use it to control access to a Local Area Network (LAN). A RADIUS server is a mechanism for regulating user access to a computer network. This article provides a high level overview of RADIUS on both Windows Server 2012 and FreeRADIUS, a popular open source alternative.</p><p>Let’s say you want to reward your best customers when they visit your cafe or restaurant. You decide to implement a member rewards program that includes free Wireless Network (WiFi) access. Many restaurants currently provide access to a WiFi hot spot using either a shared password or no password at all, but neither is a secure solution.</p><p>The RADIUS server checks the passwords entered by the users and grants or denies access as appropriate. It also keeps a record of network usage so that the restaurants’ management can see when and how much their networks are being used.</p><h4>The RADIUS Protocol</h4><p>RADIUS is actually a standardized protocol, not a program; it’s an interface, not an implementation. 
As with other Internet-related protocols, the standard is established by the <a href="http://www.ietf.org/">Internet Engineering Task Force (IETF)</a> and documented in the following Request for Comments (RFC) specifications:</p><ul><li><a href="http://tools.ietf.org/html/rfc2138">RFC 2138</a></li><li><a href="http://tools.ietf.org/html/rfc2865">RFC 2865</a> (the RADIUS authenticating and authorizing protocol)</li><li><a href="http://tools.ietf.org/html/rfc2866">RFC 2866</a> (the RADIUS accounting protocol)</li></ul><p>These documents are the ultimate authority on the RADIUS protocol.</p><p>RADIUS defines a standard “conversation” for the purposes of connecting a computer to a network. One side of the conversation is the server, the other is the client.</p><p>On the client side of the protocol is a variety of devices called network access servers <em>(NAS)</em>. A NAS is any type of equipment that directly accepts users’ connections. For example, in a WiFi network, the access point serves as the NAS. By contrast, in an ISP’s dial-up network, the NAS is the switch that connects the receiving modems to the computers providing dial-up services like e-mail and web browsing.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/900/0*Co6wAzmY6Lb-9_5C.jpg" /><figcaption>Source: <a href="http://leaderchat.org/2014/11/17/why-millennials-leave-organizations-and-what-senior-leaders-can-do-about-it/">leaderchat.org</a></figcaption></figure><p>One essential detail of the RADIUS specification is that it uses port 1812. Port numbers are part of the TCP/IP mechanism for connecting clients and servers on the Internet.</p><h4>RADIUS Benefits</h4><p><em>RADIUS</em> consists of computer user authentication, authorization, and accounting. A RADIUS server performs these three services, which are collectively called AAA.</p><p><strong>Authentication</strong> is the process of determining the identity of a user. 
The most common form of authentication is by user name and password. This is the form used at the restaurant. Other forms of authentication use digital certificates, digital signatures, etc.</p><p><strong>Authorization</strong> is the process of determining which service(s) a user is permitted to use and to what extent. It requires that the identity of the user be previously established by some authentication process. The authenticated user ID is then authorized by lookup in a file, table, database, or an LDAP directory service such as Active Directory.</p><p><strong>Accounting</strong> is the process of keeping track of network usage. It records the date and time of the start of each user’s session, its duration and the number of bytes transferred.</p><p>RADIUS is based on an <a href="http://www.ieee.org">IEEE standard</a> for authenticated network access to wired Ethernet networks and wireless 802.11 networks. RADIUS enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting. Compared to using one password or no password at all, RADIUS offers the advantages listed below.</p><ol><li>Enhanced security when implemented properly.</li><li>Enhanced reporting and tracking based on client usernames, even more so when tied into a Lightweight Directory Access Protocol (LDAP) back end such as Active Directory.</li><li>Ability to direct user groups into a User Profile based on <a href="https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">LDAP</a> membership and/or RADIUS attributes. This allows you to place restrictions on specific classes of users.</li><li>When a user authenticates to a service set identifier (SSID) using RADIUS, that individual session is encrypted uniquely between the user and access point. 
This means that another user connected to the same SSID cannot sniff the traffic and acquire information because they will have a different encryption key for their connection. With a <a href="https://en.wikipedia.org/wiki/Pre-shared_key">Pre-shared key (PSK) network</a>, every device connected to the access point is on a “shared encryption” connection so they can all see each other’s traffic if they choose to do so.</li><li>If you need to de-authorize a particular user or device, having RADIUS makes this much easier because you disconnect a single user or device without having to change the key for everyone or accept the security risk of that user rejoining the network with the known access key.</li><li>You can assign network permissions such as VLAN, firewall policy (including application permissions), <a href="https://technet.microsoft.com/en-us/library/cc757120(v=ws.10).aspx">Quality of Service</a> (QoS) settings, <a href="https://en.wikipedia.org/wiki/Tunneling_protocol">tunneling policies</a>, schedules — everything within a user profile can be dynamically assigned to users based on their identity. With a pre-shared key, you only get a single user profile that everyone shares. 
You can assign different permissions based on the attribute returned from the RADIUS server.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/571/0*U69iXfa1IpihbD9z.gif" /><figcaption>Credit: Wikipedia.org</figcaption></figure><p>These are the fundamental elements of the RADIUS service.</p><h4>AAA Process</h4><p>In RADIUS, authentication and authorization are done by lookup in a database, and accounting is done by recording usage information there, too.</p><p>The sequence of events in the life cycle of a RADIUS-mediated WiFi connection is as follows:</p><ol><li>An administrator provides commands to the RADIUS server to cause it to store the name and password of a user in its database.</li><li>A user with a laptop connects by WiFi to the access point and requests something such as a web page, a file transfer from a remote host, a connection to a POP (email) server, etc.</li><li>The access point challenges the laptop user for an ID and a password.</li><li>The access point contacts the RADIUS server across the Internet and asks it to authenticate the user.</li><li>The RADIUS server finds the user and password in its database, bestows its blessing, and logs the start of a new session.</li><li>The access point proceeds to grant the laptop user the services he or she requests.</li><li>When the user session terminates (whether or not by the user’s choice), the access point informs the RADIUS server, which logs the end of the session.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/542/0*0sN83XYnElusRP8A.jpg" /><figcaption>Source: <a href="https://www.qnap.com">qnap.com</a></figcaption></figure><h4>Windows Server NPS RADIUS</h4><p>For restaurant owners who already use Windows Server with domain networking, the NPS role can be installed and used for free. In Windows Server 2012, RADIUS is implemented by installing a Network Policy Server (NPS) role. 
RADIUS is a major feature of NPS.</p><p><a href="http://www.networkworld.com/article/2160360/servers/low-cost-radius-servers-for-wi-fi-security.html">Microsoft’s Windows Server platform provides a RADIUS server</a>, an economical option for those already running (or planning to run) a Windows Server. Starting with Windows Server 2008, Microsoft provided the RADIUS service with its NPS role, whereas previously it was provided by the Internet Authentication Service (IAS) role. Like most other Windows Server roles, NPS configuration is GUI-based.</p><p>The RADIUS client can be defined by using a fully qualified domain name or an IP address, but groups of RADIUS clients can’t be defined by specifying an IP address range. The Enterprise and Datacenter editions allow an unlimited number of RADIUS clients and remote RADIUS server groups, and allow defining RADIUS clients via IP address ranges in addition to a domain name or single IP.</p><p>NPS supports the basic common authentication protocols: PEAP, EAP-TLS, PAP, SPAP, CHAP, MD5, MS-CHAP, MS-CHAPv2 and EAP-MD5. Additionally, Microsoft allows plug-ins of other vendors’ EAP methods on NPS. A <a href="https://en.wikipedia.org/wiki/One-time_password">one-time password (OTP)</a> is valid for only one login session or transaction on a computer system or other digital device. 
OTPs avoid a number of shortcomings that are associated with traditional static password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to <em>something a person has</em>, such as a specific cellphone, as well as <em>something a person knows</em>, such as a <a href="https://en.wikipedia.org/wiki/Personal_identification_number">personal identification number (PIN)</a>.</p><p>On Windows Server, if authentication and authorization are successful, users are granted access to the network resources for which they have permissions within the <a href="https://en.wikipedia.org/wiki/Active_Directory">Active Directory</a> database. In fact, NPS only uses Active Directory for the user name and password database. Windows Server can also proxy requests to multiple RADIUS servers for processing. For RADIUS accounting, Windows Server can write to a text file and/or Microsoft SQL Server database. In short, Windows Server offers a robust and scalable solution with many advanced features, if you need them.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*I9uc_nqdlqdA4cKi.jpg" /><figcaption>Credit: Linksys</figcaption></figure><h4><strong>For those without Windows Server</strong></h4><p>The most widely used and popular open source alternative is called FreeRADIUS. It is a free and open source RADIUS server released under the <a href="http://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html">GNU General Public License Version 2 (GPLv2)</a>. Designed to run on Unix-based operating systems, like Linux, it’s primarily a non-GUI server in which you adjust settings in configuration files and run the server via command line. It can serve the AAA needs of small networks with a few users or even service providers with millions of users. 
The installation is very simple and only takes a few minutes.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/255/0*mUEN7yuQgJ4r7cpS.png" /><figcaption>Source: <a href="http://freeradius.org/">FreeRadius.org</a></figcaption></figure><p>There isn’t any published hardware requirement for FreeRADIUS, but generally any commodity PC can serve up to a few hundred thousand users. It can run on a variety of platforms in many different operating systems (OS), including Linux (CentOS, Debian, Mandriva, Red Hat, SUSE, Ubuntu), Solaris, and FreeBSD. Many OSs have FreeRADIUS binaries in their package repositories, making the installation simple, but they might not be updated with the latest release. In these cases you can build the packages yourself from the FreeRADIUS source code, but this can be a challenge, especially for those less experienced with Unix/Linux.</p><h4>Summary</h4><p>Even though RADIUS was initially designed for dial-up access, it is still useful today, especially to control access to WiFi networks. There are versions of RADIUS for Windows Server as well as open source alternatives, because RADIUS is a standardized, multi-platform protocol, not a specific piece of software. If you have questions or need more information about this topic, please leave your comments below. While you’re at it, why don’t you like and subscribe to this article if topics like this are of interest to you.</p><hr><p><a href="https://medium.com/tech-jobs-academy/radius-server-access-control-12e6c9381183">RADIUS Server Access Control</a> was originally published in <a href="https://medium.com/tech-jobs-academy">Tech Jobs Academy</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[DNS Forwarding and Conditional Forwarding]]></title>
            <link>https://medium.com/tech-jobs-academy/dns-forwarding-and-conditional-forwarding-f3118bc93984?source=rss-2132ad84f100------2</link>
            <guid isPermaLink="false">https://medium.com/p/f3118bc93984</guid>
            <category><![CDATA[microsoft]]></category>
            <category><![CDATA[domain-names]]></category>
            <category><![CDATA[dns]]></category>
            <dc:creator><![CDATA[Anthony E. Alvarez]]></dc:creator>
            <pubDate>Thu, 10 Mar 2016 21:53:04 GMT</pubDate>
            <atom:updated>2016-03-10T21:53:04.195Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/450/0*KNOfmhs1x_-c2v4U.jpg" /></figure><p>DNS Forwarding improves performance, balances load, and makes your network more resilient. It provides a way to pass on namespaces or resource records that are not contained in a local Domain Name System (DNS) server’s zone to a remote DNS server for resolution of name queries both inside and outside a network.</p><p>There are two methods that we’ll discuss: forwarding and Conditional Forwarding. To understand the benefits of Conditional Forwarding, we must first understand how forwarding works.</p><h3>Forwarding</h3><p>In a simple example, a DNS forwarder sends name queries for external domains to remote DNS servers outside of its local network for resolution. Internal name queries are handled by the internal DNS server.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/492/0*r55AYG_Gn7PGdr4W.gif" /><figcaption>Source: <a href="https://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx">https://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx</a></figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/568/0*wnrMfCq8qYR6AFRn.JPG" /><figcaption>DNS client submits a name query to a local DNS server. Conditional Forwarding is not set up for the requested domain. The request is sent to Root Hints for resolution. Source: Blogspot.com</figcaption></figure><p>If the DNS server has no forwarder listed for the name designated in the query, it can attempt to resolve the query using standard recursion with the <a href="https://technet.microsoft.com/en-us/library/cc958982.aspx">root hints file</a>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*dGcwWSJwsRwAIFqH.jpg" /></figure><p>There are two types of DNS name queries: recursive and iterative. 
While both DNS forwarding and Conditional DNS Forwarding follow the general steps above, each is a little different.</p><p><strong>Recursive Name Query<br></strong>Forwarded queries are sent as <a href="https://technet.microsoft.com/en-us/library/cc961401.aspx">recursive</a> queries. In this scenario, the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server.</p><p><strong>Iterative Name Query<br></strong>The DNS client allows the DNS server to return the best answer it can give based on its cache or zone data.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/265/0*MjX4K8hGwsd3vML0.gif" /><figcaption>Recursive name queries are faster than Iterative name queries</figcaption></figure><p>A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to use a forwarder. Here’s how a DNS server works when using forwarding:</p><p>1. When the DNS server receives a name query, it attempts to resolve this query using its primary zones, secondary zones and finally its cache, in that order.</p><p>2. If the name query cannot be resolved using its local zone data or cache, then it will forward the query to the DNS server designated as a forwarder. As a result, the root hints method of name resolution will not be used.</p><p>3. The original DNS server that received the initial query will wait briefly for an answer from the forwarder. 
If that fails, it will attempt to contact the DNS servers specified in its root hints as a last resort.</p><p>Conditional forwarders allow you to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet, such as those that result from a company merger.</p><h3>Conditional forwarders</h3><p>Conditional forwarders are DNS servers that only forward queries for specific domain names. Instead of forwarding <em>all</em> queries it cannot resolve locally to a forwarder, a conditional forwarder is configured to forward a query to specific forwarders based on the domain name contained in the query. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.</p><p>Let’s walk through two examples where Conditional Forwarding really comes in handy. The first example is an internal name resolution scenario and the second is an external name resolution scenario.</p><h4>Example 1: Intranet name resolution</h4><p>When a DNS server configured with a conditional forwarder receives a query for a domain name, it will compare that domain name with its list of domain name conditions and use the longest domain name condition that corresponds to the domain name in the query. 
For example, in the figure below, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:</p><ol><li>The DNS server receives a query for networks.example.microsoft.com.</li><li>It compares that domain name with both microsoft.com and example.microsoft.com.</li><li>The DNS server determines that example.microsoft.com is the domain name that more closely matches the domain name query.</li><li>The DNS server forwards the query to the DNS server with the IP address 172.31.255.255, which is associated with example.microsoft.com.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/509/0*KNO_DO0P5SbCIYCF.gif" /><figcaption>DNS client submits an internal name query for which Conditional DNS Forwarding is set up. Source: <a href="https://technet.microsoft.com/en-us/library/cc757172%28v=ws.10%29.aspx">Technet</a></figcaption></figure><h4>Example 2: Internet name resolution</h4><p>DNS servers can use conditional forwarders to resolve queries between the DNS domain names of companies that share information. For example, two companies, Widgets Toys and Tailspin Toys, want to improve how the DNS clients of Widgets Toys resolve the names of the DNS clients of Tailspin Toys. The administrators from Tailspin Toys inform the administrators of Widgets Toys about the set of DNS servers in the Tailspin Toys network where Widgets can send queries for the domain dolls.tailspintoys.com. The DNS servers within the Widgets Toys network are configured to forward all queries for names ending with dolls.tailspintoys.com to the designated DNS servers in the network for Tailspin Toys. 
Consequently, the DNS servers in the Widgets Toys network do not need to query their internal root servers, or the Internet root servers, to resolve queries for names ending with dolls.tailspintoys.com.</p><p>The result is better performance, less network bandwidth, and happier end users because their name queries between different domains are resolved faster.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/591/0*sqXeIrsv3vigvTe-.png" /><figcaption>Local DNS server forwards all name queries for external sites to a remote DNS server.</figcaption></figure><h3>Conditional Forwarding Benefits</h3><p>Conditional Forwarding leads to a safer, faster, smarter and more reliable Internet. When a DNS server forwards a query to a forwarder, it sends a recursive query to the forwarder. This is different from the iterative name query that a DNS server will send to other DNS servers during standard name query resolution (name resolution that does not involve a forwarder).</p><p>By configuring the DNS servers in one internal namespace to forward queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing iterative name queries on the DNS namespace of the Internet, which leads to better performance and utilization of DNS servers and reduced traffic on a Local Area Network (LAN) subnet.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/491/0*uuJrhJuSeJ6eZf0P.gif" /><figcaption>Source: <a href="https://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx">https://technet.microsoft.com/en-us/library/cc757172(v=ws.10).aspx</a></figcaption></figure><p>A LAN is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, or office building. 
A local area network is contrasted in principle to a wide area network (WAN), in which two or more LANs are connected and thus cover a larger geographic distance and may involve leased telecommunication circuits, while the media for LANs are locally managed.</p><p>When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic, thereby limiting DNS server exposure to the Internet. A forwarder will build up a large cache of external DNS information because all of the external DNS queries in the network are resolved through it. In a small amount of time, a forwarder will be able to resolve a good portion of external DNS queries using this cached data and thereby decrease the Internet traffic over the network and the response time for DNS clients. As a result, root hint usage is greatly reduced.</p><h3>Setting up a DNS Server Forwarder</h3><p>Instructions to set up a conditional DNS forwarder for external domain name resolution using Windows Server 2012 R2 are described below.</p><p>1. In the console tree, double-click the applicable DNS server. Expand <strong>DNS</strong>, and then double-click <strong>Applicable DNS server</strong>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1001/1*_C_krMDa9tOTqne0wwnDuw.png" /><figcaption>Windows Server 2012 R2 Server Manager &gt; Tools Menu &gt; DNS Manager</figcaption></figure><p>2. In the console tree, double-click the applicable DNS server. Expand <strong>DNS</strong>, and then double-click <strong>Applicable DNS server</strong>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/743/1*2M4uI1TpyB7ljm0VGP8c8g.png" /></figure><p>3. 
In the console tree, click <strong>Conditional Forwarders</strong>, and then on the <strong>Action</strong> menu, click <strong>New Conditional Forwarder</strong>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/736/1*-0tnUYhab-tTbWn9J8efLw.png" /><figcaption>From Action menu, choose New Conditional Forwarder</figcaption></figure><p>4. In <strong>DNS domain</strong>, type the fully qualified domain name (FQDN) of the domain for which you want to forward queries.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/545/1*oA6xubS_WU-V-75dck2sdg.png" /><figcaption>Add IP address of DNS and check Store this conditional forwarder in Active Directory</figcaption></figure><p>5. Click the <strong>IP addresses of the master servers</strong> list, type the IP address of the server to which you want to forward queries for the specified DNS domain, and then press <strong>Enter</strong>.</p><p>6. Click the check box “<strong>Store this conditional forwarder in Active Directory</strong>,” and replicate it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/670/1*zpYFIg6In8Ac5eqF0Q9hew.png" /><figcaption>Now all DNS query requests for Contoso.com will be resolved at 131.107.1.2.</figcaption></figure><h3>Summary</h3><p>The DNS protocol is an important part of the web’s infrastructure, serving as the Internet’s phone book: every time you visit a website, your computer performs a DNS lookup. Complex pages often require multiple DNS lookups before they start loading, so your computer may be performing hundreds of lookups a day. DNS Conditional Forwarding can provide higher performance and security.</p><p>Even if you do not have access to Windows Server or the ability to run a local DNS server, you can still experiment with DNS forwarding using <a href="https://developers.google.com/speed/public-dns/">Google Public DNS</a> or <a href="https://www.opendns.com/">Cisco’s OpenDNS</a>. 
Both are free options that allow you to experiment with DNS forwarding. In both cases, all your DNS traffic will be forwarded to them and not your Internet Service Provider (ISP). Benefits are increased performance and security from phishing, malware, botnets, and targeted online attacks. In both cases, your traffic will probably be tracked and profiled, so buyer beware. At the very least, these services help you understand how DNS Forwarding works in real life.</p><p>While setting up DNS Forwarding in Windows Server is elaborate, on a normal Windows computer it takes only one screen to configure.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/403/0*2S9ulvHmSHrBeGl5.png" /><figcaption>Google Public DNS IP addresses are 8.8.8.8 and 8.8.4.4</figcaption></figure><h4>Instructions</h4><ol><li>Open <strong>Control Panel</strong></li><li>Open <strong>Network and Internet</strong></li><li>Open <strong>Network and Sharing Center</strong></li><li>Click <strong>Change Adapter Setting</strong></li><li>View Properties sheet of <strong>Active Network Connection</strong></li><li>View Properties sheet for <strong>Internet Protocol Version 4</strong></li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/313/0*g5ftlkYLiNq4pu7E.png" /><figcaption><a href="https://www.opendns.com/home-internet-security/">OpenDNS.com</a></figcaption></figure><p>To use OpenDNS instead of Google Public DNS, where it says “<strong><em>Preferred DNS Server</em></strong>” and “<strong><em>Alternate DNS server</em></strong>”, use OpenDNS’s IP addresses.</p><p>For OpenDNS, the IP addresses are always:</p><ul><li>208.67.222.222</li><li>208.67.220.220</li></ul><p>If you have questions or need more information about Conditional DNS Forwarding, please leave your comments below. 
While you’re at it, why don’t you like, comment, and subscribe to this article if topics like this are of interest to you.</p><p>Thank you <a href="https://twitter.com/saronyitbarek">Saron Yitbarek</a> for editing this article.</p><hr><p><a href="https://medium.com/tech-jobs-academy/dns-forwarding-and-conditional-forwarding-f3118bc93984">DNS Forwarding and Conditional Forwarding</a> was originally published in <a href="https://medium.com/tech-jobs-academy">Tech Jobs Academy</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Powershell Computing]]></title>
            <link>https://medium.com/tech-jobs-academy/powershell-computing-cd3ae01793fd?source=rss-2132ad84f100------2</link>
            <guid isPermaLink="false">https://medium.com/p/cd3ae01793fd</guid>
            <category><![CDATA[sysadmin]]></category>
            <category><![CDATA[microsoft]]></category>
            <category><![CDATA[linux]]></category>
            <dc:creator><![CDATA[Anthony E. Alvarez]]></dc:creator>
            <pubDate>Thu, 25 Feb 2016 21:12:11 GMT</pubDate>
            <atom:updated>2016-02-25T21:12:14.101Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/670/1*5xZG6DQp4EXpfO-W9jqaTQ.png" /><figcaption>Whenever you reach for command prompt, stop yourself and use PowerShell instead. Try it, you’ll like it.</figcaption></figure><p>This is a getting started guide to PowerShell, how to start using it, and what features you can readily use in your daily IT work.</p><p>PowerShell is a command line interface (CLI) tool used to control a Windows PC. It is designed to help system administrators automate repetitive tasks they regularly perform.</p><h4>How to Set Up PowerShell</h4><p>The latest version of the product is 4.0. It is a <a href="https://www.microsoft.com/en-us/download/details.aspx?id=40855"><strong>free download from Microsoft</strong></a>. It works on Windows 7 and above.</p><h4>Start using PowerShell now</h4><p>To get started quickly, just forget about using the normal Windows command prompt (C:\&gt;) and start using the PowerShell prompt instead (<strong>PS C:\&gt;</strong>). PowerShell provides everything the command shell gave you plus easy-to-use commands that will help you automate tasks and work more efficiently.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/667/1*9teZvEQzndUIHhtYWjQgbA.gif" /><figcaption>Use Get-Credential to authenticate scripts. It’s more elegant than putting passwords into scripts</figcaption></figure><h4>Using PowerShell</h4><p>For Windows 8 and above users: press the <strong><em>Windows Key</em></strong> to get to the desktop. Start typing the word “<em>PowerShell</em>”, which will automatically open the Start menu so you can launch the program. 
For Windows 7 users, go to the start button and in the search input area, type “<em>PowerShell</em>” to find the PowerShell icon in the start menu.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/640/1*KxKElMqV-jKEtPZqfQIgMA.jpeg" /><figcaption>This is your start button.</figcaption></figure><h4>Alias commands</h4><p>In order to speed up adoption, PowerShell includes aliases for those already familiar with MS-DOS, UNIX, and Windows native commands. Aliases in PowerShell are shortcuts to real PowerShell Cmdlets, pronounced <em>“Command-lets”</em>, which rhymes with <a href="https://docs.oracle.com/javase/tutorial/deployment/applet/">(Java) Applets</a>.</p><h4>Unix aliases in PowerShell</h4><p>Below are popular UNIX commands that are already implemented in PowerShell as aliases.</p><pre>PS C:\&gt; <strong>ps</strong><br>PS C:\&gt; <strong>ls</strong><br>PS C:\&gt; <strong>chdir</strong><br>PS C:\&gt; <strong>cp</strong><br>PS C:\&gt; <strong>kill</strong><br>PS C:\&gt; <strong>grep</strong><br>PS C:\&gt; <strong>mv</strong><br>PS C:\&gt; <strong>mkdir</strong><br>PS C:\&gt; <strong>man</strong><br>PS C:\&gt; <strong>cls</strong></pre><h4>Windows Native Commands aliases in PowerShell</h4><p>Below are major Windows Native command shell programs that also work in PowerShell.</p><pre>PS C:\&gt; <strong>notepad</strong><br>PS C:\&gt; <strong>calc</strong><br>PS C:\&gt; <strong>explorer</strong><br>PS C:\&gt; <strong>ipconfig</strong><br>PS C:\&gt; <strong>nslookup</strong><br>PS C:\&gt; <strong>ping</strong><br>PS C:\&gt; <strong>cls</strong><br>PS C:\&gt; <strong>cd</strong><br>PS C:\&gt; <strong>ren</strong><br>PS C:\&gt; <strong>rm</strong><br>PS C:\&gt; <strong>dir</strong><br>PS C:\&gt; <strong>tasklist</strong><br>PS C:\&gt; <strong>taskkill</strong><br>PS C:\&gt; <strong>mspaint</strong></pre><p><strong>Get-Alias</strong> provides a list of current PowerShell Aliases. 
In fact, the <em>Get-Alias g*</em> command provides a list of current PowerShell Aliases that start with the letter “g.” In addition, “<em>gal</em>” is an alias for “<em>Get-Alias</em>.”</p><pre>PS C:\&gt; <strong>Get-Alias</strong><br>PS C:\&gt; <strong>Get-Alias g*</strong></pre><pre>PS C:\&gt; <strong>gal *sv</strong><br>PS C:\&gt; <strong>gal st*</strong><br>PS C:\&gt; <strong>gal spsv</strong></pre><p>As in all CLI environments, the asterisk (*) means <em>everything</em> and is one of the most commonly used symbols in <a href="http://www.regexbuddy.com/regex.html">regular expressions</a>.</p><h4>Automate repetitive tasks using Cmdlets</h4><p>Love Unix or hate it, PowerShell borrows many ideas from Unix, especially the composition model of scripting. That is, PowerShell scripts should be very small and the script author should leverage the PowerShell “engine” and avoid writing full-blown programs. In order to create complex routines, the <a href="http://www.computerperformance.co.uk/powershell/powershell_pipeline.htm">pipe character (“|”)</a> is used extensively, as in Unix, to perform larger tasks by chaining commands together and thus creating complicated functions. In this programming model, the output from the first command becomes the input of the next command and so on.</p><p>Compared to Windows, Unix is a document oriented operating system (OS), because a lot of the routine management and administration is done by editing text files. Windows simply cannot be managed in the same manner as Unix; the management style is completely different. 
Unix tools like <a href="https://www.gnu.org/software/bash/">bash</a>, <a href="http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_04_02.html">grep</a>, <a href="https://en.wikipedia.org/wiki/AWK">awk</a>, and <a href="https://www.gnu.org/software/sed/">sed</a> are used for text manipulation in Windows, while in Unix they are used as management tools for the OS.</p><p>On Unix, most config information comes from text files, and text files are ridiculously easy to edit. By contrast, Windows is built around an enormous set of disparate <a href="https://en.wikipedia.org/wiki/Application_programming_interface"><strong>Application Programming Interfaces (APIs)</strong></a>. Getting CLI commands to work on Windows is not only harder, it’s essentially a never-ending task. And prior to PowerShell, you basically had to use a <a href="http://www.webopedia.com/TERM/G/Graphical_User_Interface_GUI.html">Graphical User Interface (GUI)</a> to manage Windows objects like the <a href="http://pcsupport.about.com/od/termsr/p/registrywindows.htm">registry</a>, <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa384642(v=vs.85).aspx">WMI</a>, or <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa746492(v=vs.85).aspx">Active Directory</a>. Because Windows is an API oriented OS, traditional Unix configuration management tools just do not work well on Windows.</p><h4>Example PowerShell Commands</h4><pre>Get-WindowsFeature<br>Install-WindowsFeature<br>Enable-ADAccount<br>Test-NetConnection<br>New-NetRoute<br>Restart-Service<br>Stop-Service<br>Start-Service</pre><p>PowerShell follows a simple model of composition using familiar verb-noun grammar and a well defined set of parameters.</p><p>This regularity allows system administrators to automate repetitive and error-prone operations. It’s an extensible schema that most people can pick up quickly. 
Due to PowerShell’s similarity with natural language grammar, even non-programmers can get the gist of PowerShell.</p><pre>PS C:\&gt; <strong>help</strong><br>PS C:\&gt; <strong>man</strong><br>PS C:\&gt; <strong>Get-Help</strong></pre><p>For help, <a href="http://Powershell.org"><strong>Powershell.org</strong></a> is a community-based website intended to be a central starting point for entry into this field. The website coordinates a number of services and events that help foster community engagement, and provides a platform for members of the community who want to contribute to the common base of knowledge and expertise with PowerShell.</p><p>To log bug reports and/or submit suggestions for PowerShell, use the <a href="http://connect.microsoft.com/PowerShell"><strong>Microsoft Connect website</strong></a>.</p><h4>Summary</h4><p>In my opinion, PowerShell and the push for “<em>Desired State Configuration (DSC)</em>” is part of a larger ecosystem called “IT server automation software.” It shares this marketplace with offerings from <a href="https://puppetlabs.com/puppet/what-is-puppet">Puppet</a>, <a href="https://www.chef.io/chef/">Chef</a>, and <a href="https://www.docker.com/">Docker</a>. In a world of virtualized servers, disks and storage spaces, PowerShell is a key piece in Microsoft’s <a href="https://www.microsoft.com/en-us/download/details.aspx?id=40855">Windows Management Framework.</a></p><p>Getting started using PowerShell is simple. Whenever you open Windows command prompt, stop yourself, take a deep breath and use PowerShell (<strong>PS C:\&gt;</strong>) instead because it offers all the features of command prompt and much more. 
It’s the future.</p><iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FqmktHYL-mBE%3Ffeature%3Doembed&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DqmktHYL-mBE&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FqmktHYL-mBE%2Fhqdefault.jpg&amp;key=d04bfffea46d4aeda930ec88cc64b87c&amp;type=text%2Fhtml&amp;schema=youtube" width="854" height="480" frameborder="0" scrolling="no"><a href="https://medium.com/media/d11d9fa370eebc22913b6b74426656ea/href">https://medium.com/media/d11d9fa370eebc22913b6b74426656ea/href</a></iframe><hr><p><a href="https://medium.com/tech-jobs-academy/powershell-computing-cd3ae01793fd">Powershell Computing</a> was originally published in <a href="https://medium.com/tech-jobs-academy">Tech Jobs Academy</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>