Note: Please see the RadCAS pages for 2-factor authentication for forms
based schemes.
RadIIS has been around for almost 5 years. After hundreds of installations,
it has become a standard for 2 main areas of application.
Firstly, users can be authenticated on web sites using a standard Radius
user database. This offers considerable savings over Microsoft CAL user
licensing. IIS logs contain the Radius username, and nothing needs to be added
to the individual web pages to uphold the access specifications.
RadIIS can co-exist with AD. Users can be added to web content which is already
controlled by AD by simply creating a virtual directory pointing to the same
content. AD users access the content using the old method while new users
access it via Radius through the newly created virtual directory.
With RadIIS, users can be authenticated (and logged) without the expense
of AD CALs and without the extensive content modification required to use
Microsoft Passport.
Secondly, it has found wide use as a site 'OTP wrapper'. Most token based
OTP password authentication systems run off the Radius protocol. Using the
Basic Authentication mechanism, an OTP scheme is used to obtain site (or
directory) access without interference to the underlying forms based schemes
that already exist on the site. By decoding the Basic Authentication header,
forms based login screens can pre-populate the username field leaving only
the password to be typed in. As with the first case, no additional code needs
to be added to the protected content to enforce the secure domain of OTP
protection.
Original RadIIS Architecture
Upon successful Radius authentication, RadIIS makes an IIS log entry using
the username typed into the browser. It then substitutes the
ntusername/ntpassword specified in the ini. This is exactly equivalent to
the default username/password used in anonymous authentication. This way,
only a single CAL is used.
New in Release 2.62
The new release of RadIIS supports a variety of enhanced features. This
was done to add support to its existing application base (Radius and OTP)
and to support TCP Data's expanding product line in the area of SMS based
OTP security systems.
RadIIS now supports authentication via ODBC compliant databases and the use
of SMS (cell phone) based one-time-passwords (OTP). RadIIS 2.6 can now be
configured exactly as older versions of RadIIS and use EITHER Radius or ODBC.
RadIIS is now the only product on the market that supports 2-factor
authentication on top of Windows NTLM/Integrated/Kerberos. This can be done either
with a Radius compliant OTP server or with our new Radius/Active Directory Data
Server (RADDS), which provides U/P/OTP in its internal database or provides
'databaseless' AD OTPs.
In 2-factor mode, the user is first presented with the usual Basic Authentication
username/password entry screen. Upon successful authentication, a second,
customizable screen appears for entry of the one-time-password. The sequence
is precisely the same whether the one-time password is generated by an external
device or it arrives via SMS (cell phone).
When RADDS is used (please see the RADDS pages), the user has two options.
Either the entire username/password/SMS-address database resides on the RADDS
or RADDS stores and accesses SMS-address data from AD itself for a 'databaseless'
SMS-OTP implementation.
RadIIS is built upon IIS's implementation of the standard 'Basic Authentication'
scheme. The client-server protocol specifications, for the Basic Authentication
scheme, are defined in the HTTP standard. Microsoft's implementation of this
scheme is rich in features, supporting easy configuration, advanced logging
and custom error pages.
The Basic Authentication scheme, by itself, is a medium security protocol.
As such, it is not suitable for all levels of security requirements. The
principal flaw is that username/password pairs are sent across the open internet
cloaked with only simple uuencoding protection (it is NOT sent as clear
text, as is stated on IIS directory security property sheets!). When
used over standard SSL connections, however, the Basic Authentication scheme
provides a standard, flexible, highly secure method for authenticated access
to web servers.
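The two points above that matter to anyone building on Basic Authentication are (a) the forms login screen can read the username straight out of the Authorization header, and (b) that header is only encoded, not encrypted, so decoding it is a plain reversal that anyone on the wire could do without SSL. The following Python is an added illustration, not code from RadIIS or TCP Data: it parses a Basic Authorization header as defined in RFC 7617 (the credentials are base64, split on the first colon), rejects other schemes and malformed input, and builds a pre-populated username field with HTML escaping so the header value cannot be used to inject markup into the login page. The function names and the sample headers are constructed for this example.

```python
import base64
import binascii
import html
from typing import Optional, Tuple


def parse_basic_auth(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an HTTP Basic Authorization header.

    Returns None when the header is absent, carries another scheme
    (e.g. Negotiate/NTLM), or is malformed. The credentials are only
    base64-encoded (RFC 7617), so this is decoding, not decryption, which
    is exactly why the scheme needs SSL on an open network.
    """
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # leave Negotiate/NTLM/Bearer tokens alone
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # older browsers send ISO-8859-1
    # RFC 7617: the user-id may not contain ':', the password may, so split once.
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def username_field(authorization: Optional[str]) -> str:
    """Build the <input> for a forms login page with the username pre-filled.

    The value is HTML-escaped: the username came from a request header, so it
    must be treated as untrusted text when echoed back into the page.
    """
    creds = parse_basic_auth(authorization)
    value = creds[0] if creds else ""
    return (
        '<input type="text" name="username" value="'
        + html.escape(value, quote=True)
        + '">'
    )


if __name__ == "__main__":
    # Constructed sample header (RFC 7617's own example credentials).
    sample = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
    print(parse_basic_auth(sample))
    print(username_field(sample))
```

On an IIS site the same logic would sit in the server-side code of the forms login page (ASP or ASP.NET), reading the Authorization header from the request; only the username is echoed back, the password is never written into the page.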
RadIIS provides a total web server security solution by using 3 well defined,
widely accepted protocols: Basic Authentication, RADIUS and (where
needed) SSL. RadIIS combines, in a simple manner, proven security methodologies
that are well understood.