ABSTRACT
This research is aimed at modifying the Remote Authentication Dial-In User Service (RADIUS)
protocol with the one-time password (OTP) technique, for an authentication environment with a
captive portal, in order to prevent replay attacks. One of the important network security measures on a
campus network is authentication, which identifies legitimate users, and one of the most widely
used solutions for network authentication is the RADIUS protocol. However, RADIUS networks
have potential security vulnerabilities, especially where a captive portal is used, such as the
replay attack. The Ahmadu Bello University (ABU) network was simulated with the Graphical
Network Simulator (GNS3) software in a virtualized environment using VirtualBox. An OTP
generator was developed in the PHP (Hypertext Preprocessor) programming language for the
three variants of OTP: Time One-Time Password (TOTP), Challenge-Response One-Time
Password (CROTP) and Hash One-Time Password (HOTP). Before the OTP technique was
improved with the developed PHP script, the average response times obtained for TOTP, CROTP
and HOTP were 2.5s, 5.2s and 5.7s respectively; none of these meets the recommended response
time of 1000ms for a RADIUS server in a captive portal environment. After improving the OTP
technique by integrating all the OTP variants with the RADIUS server on a single server in the
simulated ABU campus network in GNS3, the results show a significant improvement over the
above: the average response times for TOTP, CROTP and HOTP were 1.2s, 2s and 1.9s.
Validation of the developed and simulated configuration was carried out on live servers, routers
and switches, and the results improve further on the above, with average response times for
TOTP, CROTP and HOTP of 0.4s, 0.9s and 0.9s respectively. This is a significant improvement
for TOTP, CROTP and HOTP, and the average response time is below the recommended 1000ms
for RADIUS server response time in a captive portal environment.
TABLE OF CONTENTS
DECLARATION i
CERTIFICATION ii
DEDICATION iii
ACKNOWLEDGEMENT iv
ABSTRACT v
TABLE OF CONTENTS vi
LIST OF FIGURES ix
LIST OF ABBREVIATIONS xi
CHAPTER ONE INTRODUCTION 1
1.1 BACKGROUND 1
1.2 USER AUTHENTICATION WITH CAPTIVE PORTAL 5
1.3 PROBLEM STATEMENT 6
1.4 AIM AND OBJECTIVES 6
CHAPTER TWO LITERATURE REVIEW 8
2.1 INTRODUCTION 8
2.2 REVIEW OF FUNDAMENTAL CONCEPTS 8
2.2.1 COMPUTER SECURITY 8
2.2.1.1 Goals of computer security 8
2.2.1.2 Components of computer security 8
2.2.2 SECURITY ARCHITECTURE 9
2.2.3 RADIUS PROTOCOL 9
2.2.4 AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) 10
2.2.5 SYSTEM ARCHITECTURE 11
2.2.5.1 Network access server (NAS) 12
2.2.6 PACKET FORMAT 14
2.2.7 SHARED SECRETS 17
2.2.8 THE VULNERABILITY OF RADIUS PROTOCOL 18
2.2.8.1 Attacker database 19
2.2.8.2 Replay attack components 20
2.2.8.3 Replay attack architecture 21
2.2.9 ONE TIME PASSWORD (OTP) TECHNIQUE 22
2.2.9.1 Generation OTP and distribution 23
2.2.9.2 Justification for OTP 24
2.2.9.3 Approaches for the generation of OTP 24
1. TIME SYNCHRONIZATION 24
2. EVENT SYNCHRONIZATION 25
3. CHALLENGE – RESPONSE TECHNIQUE 25
2.2.9.4 Types of OTP techniques 25
1. HASH ONE TIME PASSWORD (HOTP) TECHNIQUE 25
2.2.9.5 Time one time password (TOTP) technique 28
2.2.9.5 Cryptography one time password (CROTP) technique 32
2.2.10 SIMULATION SOFTWARE 35
2.2.10.1 OMNET++ 35
2.2.10.2 Optimized network engineering tools (OPNET) 35
2.2.10.3 Network simulator version 2 (NS2) 36
2.2.10.4 Graphical network simulator-3 (GNS3) 36
2.2.11 VIRTUALIZATION OVERVIEW 37
2.2.11.1 Server virtualization 37
1. VMWARE WORKSTATION 38
2. PARALLELS WORKSTATION 38
3. VIRTUALBOX VIRTUALIZATION 39
2.2.12 PHP PROGRAMMING LANGUAGE 40
2.3 REVIEW OF SIMILAR WORKS 41
CHAPTER THREE MATERIALS AND METHODS 45
3.1 INTRODUCTION 45
3.2 METHODOLOGY 45
3.3 ABU CAMPUS NETWORK MODELING AND SIMULATION USING GNS3 45
3.4 RADIUS SERVER ENVIRONMENT 47
3.5 CAPTIVE PORTAL IMPLEMENTATION 49
3.6 OTP GENERATION SCENARIOS 50
3.7 OBTAINING USERNAMES, PIN AND OTP 51
3.8 USER LOGIN SCENARIO 51
3.9 THE IMPROVED OTP TECHNIQUE 53
3.10 VALIDATION 56
CHAPTER FOUR RESULTS AND DISCUSSION 59
4.1 INTRODUCTION 59
4.2 DATA COLLECTION AND ANALYSIS 59
4.3 IMPROVED OTP TECHNIQUE 63
4.4 VALIDATION 67
CHAPTER FIVE CONCLUSIONS AND RECOMMENDATIONS 70
5.1 INTRODUCTION 70
5.2 SIGNIFICANT CONTRIBUTION 70
5.3 CONCLUSION 70
5.4 LIMITATIONS 71
5.5 RECOMMENDATION FOR FUTURE WORK 71
REFERENCES 72
APPENDIX I 75
APPENDIX II 79
CHAPTER ONE
INTRODUCTION
1.1 BACKGROUND
The entire Ahmadu Bello University campus network infrastructure runs on fiber optic
technology for transmission and is built on the Cisco hierarchical design standard for campus
networks (core, distribution and access layers), providing high speed and redundancy. The
network is built on Cisco technology using high-end devices: Cisco Catalyst 6500 series switches
form the core, 4500, 3700 and 3560 series switches serve as distribution switches, and 2960 series
and gigabit Small Business series switches serve as access switches. This setup guarantees
gigabit transmission to every host on the network. The network covers all the campuses of ABU
Zaria, namely Samaru, Kongo, Shika and NAPRI, all connected with over 60km of optical
fiber cable.
The core network, shown in Figure 1.1, is built on Virtual Switching System technology for high
capacity, using EtherChannel technology, whereby many fiber ports are bundled together for
more bandwidth on a link. All the servers, including the authentication server, are part of the
core network. The distribution layer is built on Cisco 3750G Layer 3 switches; all the distribution
points are connected back to the core network through a fiber link, with static addressing of the
point-to-point nodes. Dynamic routing is enabled using Open Shortest Path First (OSPF), with
each distribution switch acting as an OSPF Area Border Router (ABR) for its own area. The
distribution switches also host the virtual local area networks (VLANs) of the access layer switches.
The access layer, which comprises mainly Small Business series switches and 2960 series
switches, is built on Layer 2 switching technology. Access layer devices obtain Dynamic
Host Configuration Protocol (DHCP) services from the distribution switch to which the access
switch is connected.
Figure 1.1: The Core Physical Connectivity Diagram. (ABU Network,2012)
Core Network: The core network, shown in Figure 1.1, provides high-speed connectivity to the
distribution network, with most links running at up to 10Gbps per link. The core also hosts
all the servers on the network, including the authentication server. If the core fails, most
network services will be down.
[Figure 1.2 image: two Catalyst 6500 series switches and a group of Catalyst 3750 series switches; front-panel port labels not reproduced]
Figure 1.2: Core to Distribution Physical Connectivity Diagram. (ABU Network, 2012)
Distribution Layer Network: This layer, shown in Figure 1.2, ensures that packets are properly routed
between subnets and VLANs in the network. It is at this layer that control is exerted over
network transmissions, including what comes into and what goes out of the network. Broadcast
domains (virtual LANs) can be created and limited in this layer, if necessary, and various
management tasks conducted, including obtaining route summaries; in a route summary, traffic
from many subnets is consolidated into a single core network connection. This layer is also called the
Workgroup layer (Lammle, 2014).
[Figure 1.3 image: Catalyst 3750 series distribution and access switches; front-panel port labels not reproduced]
Figure 1.3: Distribution to Access Physical Connectivity Diagram. (ABU Network 2012)
[Figure 1.4 image: Catalyst 3750 series access aggregation switch; front-panel port labels not reproduced]
Figure 1.4: Access Aggregate Physical Connectivity. (ABU Network, 2012)
Access Layer Network: The access layer, shown in Figures 1.3 and 1.4, contains the devices
that allow workgroups and users to use the services provided by the distribution and core layers. In
the access layer, users connect to the network through their laptops, desktops and other devices. This is where
users authenticate with their username and password through whatever browser they use.
1.2 USER AUTHENTICATION WITH CAPTIVE PORTAL
Authentication is the process of verifying a person's (or machine's) declared identity. The most
common form of authentication uses a combination of a login ID and a password, where
knowledge of the password is taken to show that the user is authentic (Mikko, 2004).
The captive portal is the page presented to the user to log in with a username and password.
Emerging campus networks are migrating from a purely dedicated wired LAN infrastructure to
a hybrid that incorporates both wired and wireless LAN users. A network like the Ahmadu Bello University
campus network therefore contends with the challenges of securing the network, especially with its large
number of mobile users. The use of RADIUS services is one of the most effective ways to secure
the network.
This is particularly true from an access and policy enforcement perspective: with the proliferation
of wireless and wired devices, including notebooks, laptops and desktop PCs, and the need to control the amount
of traffic each user generates and to provide billing functionality, the challenge is to ensure that staff and
students are subject to the same network enforcement and management policies regardless of how
they connect to the network. The challenges of using the RADIUS protocol with a captive portal are
the replay attack and the response time of the RADIUS protocol (Alan, 2013).
This research focuses on the prevention and improvement of these issues. The Ahmadu Bello
University network uses the MikroTik operating system as its user manager and
captive portal. The MikroTik user manager is placed in the ABU core network, as shown in Figure
1.1.
1.3 PROBLEM STATEMENT
Emerging campus networks are migrating from a dedicated wired LAN infrastructure to high-speed
hybrid campus networks that incorporate both wired and wireless users, like the
Ahmadu Bello University campus network, and the challenge of securing both users and network
integrity becomes more complex. One of the most effective ways of securing user access is
a captive portal with RADIUS services. The implementation of RADIUS services is, however,
burdened with a database that grows large over time, and this makes the network prone to replay attacks. This
therefore suggests the need for multiple levels of authentication on networks. One-time password
(OTP) techniques are used to prevent replay attacks. There are several OTP techniques in use today,
and this research work is aimed at analyzing and comparing three variants of OTP, namely
TOTP, HOTP and CROTP, in the RADIUS protocol (Amna, 2014), using the response time of each
technique as the performance metric.
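To make concrete why the three OTP variants named above defeat a replayed login, here is an added Python example (not the dissertation's PHP generator): all three share the RFC 4226 HMAC-SHA1 truncation, differing only in the moving factor, and the server refuses any code whose moving factor it has already accepted. The challenge-response construction in `crotp`, the `OtpVerifier` class and the reference secret are assumptions, not taken from the dissertation.

```python
import hashlib
import hmac
import struct

DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose moving factor is the current 30-second time step."""
    return hotp(secret, now // step)

def crotp(secret: bytes, challenge: int) -> str:
    """Challenge-response OTP (assumed construction): the server-issued nonce is the moving factor."""
    return hotp(secret, challenge)

class OtpVerifier:
    """Server side: a code is accepted once per moving factor, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()  # counters, time steps or challenges already consumed

    def verify(self, code: str, factor: int) -> bool:
        if factor in self.used:
            return False  # replay: this moving factor was already accepted
        if not hmac.compare_digest(hotp(self.secret, factor), code):
            return False  # wrong code; the factor stays unconsumed
        self.used.add(factor)
        return True

def replay_demo() -> tuple:
    """A legitimate TOTP login followed by the same captured code presented again."""
    secret = b"12345678901234567890"  # RFC 4226/6238 reference secret (constructed input)
    verifier = OtpVerifier(secret)
    captured = totp(secret, 59)       # code for time step 1
    first = verifier.verify(captured, 59 // 30)   # genuine user: accepted
    second = verifier.verify(captured, 59 // 30)  # replayed capture: rejected
    return first, second
```

For TOTP the recorded factor is the time step, so the verifier also limits a user to one login per 30-second window; a real deployment would additionally need to persist the used-factor set across RADIUS server restarts.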
1.4 AIM AND OBJECTIVES
The aim of this research work is to prevent replay attacks in a RADIUS environment by improving
the response time of OTP.
The main objectives of this research work are as follows:
1) Simulation of the ABU Zaria network using the GNS3 simulator
2) Modification of the three variants of the OTP technique (TOTP, HOTP and CROTP) and
selection of the best technique, using the response time as the performance metric
3) Validation of the improved authentication technique by comparing its response time with that
of the standard technique
1.5 METHODOLOGY
The following methodology is adopted in carrying out this research work:
1) ABU campus network modeling and emulation using GNS3 to simulate all the switches,
routers, firewalls and servers on the network
2) Installation of the operating system (Linux), FreeRADIUS 2.0 and a firewall
3) Implementation of the Network Access Server, which provides the captive portal, on a virtual
machine (VM); VirtualBox is the virtualization software of choice
4) Generation of OTPs for the three techniques using an open-source generator written as PHP scripts
5) Development of an OTP technique with the highest response time from the three available
OTP techniques, using PHP scripts
6) Development of an improved RADIUS server on the network access server, and generation of
OTPs for the improved technique
1.6 DISSERTATION ORGANIZATION
The general introduction to computer networks, the ABU campus network, the statement of the problem,
the methodology, and the aim and objectives have been presented in Chapter One. The remaining chapters
are organized as follows: a detailed review of the fundamental concepts of the RADIUS protocol,
captive portals, OTP techniques, the PHP programming language, GNS3, VirtualBox and OPNET, as well
as a review of similar research works, is presented in Chapter Two; the detailed methodology and a step-
by-step guide to the configuration and implementation of the three OTP techniques in a campus
network are presented in Chapter Three; analysis and discussion of the results are presented in
Chapter Four; and the summary, conclusions, significant contributions, limitations and recommendations
are presented in Chapter Five.