Thread: Authentication Server/Software

  1. #1
    Member
    Join Date
    Dec 2004
    Posts
    48

    Authentication Server/Software

    Can anyone recommend authentication server software? More specifically, one of my clients has a router with a VPN endpoint, but the only authentication is via a key exchanged between the VPN client and router... beyond that, there is no way for someone connecting to authenticate with the Windows network.

    More details:

    Network type: Win2k server with 2 Windows NT and 2 Windows 2000 clients
    Router: Linksys RVxxx series

    Thanks in advance !
    Blankety Blank Blank Blank!

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi miracle,

    Well...you could start here...

    http://www.google.ca/search?client=f...=Google+Search
    Google Search: authentication server software

    Eg

  3. #3
    Member
    Join Date
    Dec 2004
    Posts
    48
    The first smartass reply to one of my posts, and from a senior member, nonetheless. As much as it is my first instinct to blast back, I will respect the quip from a Senior Member of this forum in light of the fact that there are many skiddies that roam these boards looking for handouts without doing any work themselves. I respect your status in this community and I also realize that I am most likely not as knowledgeable as you in any area of net security.

    In all seriousness, though, I have seen what type of software is out there, and I have even used some of the packages before. I have used Google, and I have found opinions about different software solutions. However, my desire was to get unbiased, honest opinions as to what has worked for people and what hasn't. I find that the opinions of the experts at AntiOnline are much more valuable and often on the money than opinions that I can find at "tehleetNetAdmin.com/forums".
    Blankety Blank Blank Blank!

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    If your device can hit a RADIUS server, Win2k & 2k3 servers have it built in.

    It is called IAS. It works great!!

    http://www.microsoft.com/windowsserv...s/default.mspx

    If your device supports it, should work just fine.

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi miracle,

    I think you assumed the wrong meaning...there was no ' quip '!

    As the least computer knowledgeable person on this board I was trying to at least lead you in the right direction...I took from your post that you were looking for software...not advice by people who have used it.

    You can put your indignation back in your pocket now and save it for someone who is trying to be a smart-a@@.

    Eg

  6. #6
    Member
    Join Date
    Dec 2004
    Posts
    48
    D'oh! I'm an idiot.

    I've used IAS before, and yes, it works great, but I mistyped the client's server type. He is actually using a Windows NT server, not a Windows 2k server.

    And, my mistake egaladiest....indignation put back in my pocket
    Blankety Blank Blank Blank!

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I just took a quick look at one of the configs on the RV series routers and they don't seem to have the ability to use an outside authentication server.

    [Now that there's the correction about the NT server up there this won't work.... I'd suggest a server upgrade in this case]

    You still have a couple of options available to you.

    1) Scratch the router and use the 2K Server as the VPN Server.
    2) Allow the Router to be the VPN End Point but put DHCP on the 2K Server. Require authentication (using something like netreg (prolly take some work to make it work in Windows... or you could put up a Linux box for DHCP)) The only problem is that setting a static IP Address will defeat that.

    The problem is that Linksys is a Home user brand of router... It doesn't support advanced functionality and what you're trying to do is advanced..

    Peace,
    HT

  8. #8
    Member
    Join Date
    Dec 2004
    Posts
    48
    Thank you HTRegz.

    I have never used netreg, and am always interested in new software. I'm downloading the packages right now to check it out.
    Blankety Blank Blank Blank!

  9. #9
    AO Senior Cow-beller
    Moderator
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    OK, I will keep this as neutral as possible (if you don't know why I'm saying that, don't worry about it...you wouldn't care.) Also, sorry for reviving a thread that's a couple months old, but I missed it, this is one of my areas of expertise, and I've come into some new information recently that is relevant.

    ---

    As for Authentication Solutions, I can suggest you consider 2, and I'll mention a 3rd and how the first two are better than #3.

    #1 - Entrust IdentityGuard
    I've not worked directly with this, but it is a novel, low tech approach to 2-factor authentication. It's basically a card (size and form factor of a credit card, minus the mag-stripe or smart card), with a serial number to identify it, and a grid with the X & Y axis labeled. The cells each contain a character (or 2 characters), and you prompt the user for certain coordinates. Have you ever played Bingo? Then you can use this card. It is ingenious...and it is brand new, and could have some serious flaws. I say could because I am not aware of anyone outside Entrust or their "independent reviewers" who have hammered on this to see what it can do, and how it can be broken. It is relatively inexpensive, insofar as the cost of the end-user token. It requires a Java app on your server, and has an API and several hooks for common software.

    #2 - VeriSign Unified Authentication Service
    I have had the pleasure of using UAS as an end user, and I appreciate the flexibility it affords you. The cost is similar to Entrust's, but the simplicity is not. That is the trade-off...extreme flexibility or extreme usability. UAS basically provides a 'token' in many form factors; hardware OTP, hardware digital certificate store (USB Smart Card), hardware hybrid (OTP and dig. cert, and secure Flash storage, all on USB Smart Card), traditional smart card, software token (PC), PDA software token, and probably others I have forgotten. It plugs into AD very easily, and authentication for OTP can be performed 'in the cloud' or in-house, depending on if you want to dedicate a 2nd server and ODBC platform for auth services. What's nice about it is that you can have a user with an OTP token, that also stores their IPSec certificate, S/MIME certificate, AD certificate, and it's all on one simple USB token. The drawback is it does require a more technically savvy userbase (or a greater toll on your helpdesk.)

    I wouldn't dare give my grandma a UAS token. I can't get her to leave my IdentityGuard demo cards alone. So they are both worth looking into. VeriSign obviously is using UAS as a vehicle to help promote the use of PKI and multifactor authentication. Entrust is enabling consumer multi-factor authentication.

    The third party is, of course, RSA (or as The Devils Infosec Dictionary defines them, Three guys who really are going to be pretty disappointed when we figure out a fast way to factor large integers.) RSA is the Cadillac of OTP token authentication. However, I see a lot of old, beat up, ugly yellow or green Cadillacs on the road these days. Yes, the new Cadillacs are sleek and sexy...and really, really overpriced for what you ultimately get. RSA does some things well, but they are expensive, and require the greatest fiscal output (beyond licensing and support costs) to set up and maintain. Yes, they have a new hybrid token, like VeriSign UAS. But AFAIK it requires their keone and/or cleartrust products...more licensing and platform costs. UAS allows you to store ANY digital certs and keys on the token. Heck, you can store your PGP keys on it if you want. And as far as IdentityGuard, RSA has nothing to compete...except for selling to the likes of AOL senior management, who were reportedly deploying RSA key fobs to all their end-users for authentication. Wow, that'll be expensive.

    So, I hope this brief insight into some leading token types was informative. There are other tokens, but I've not really had much experience with them, and don't want to formulate opinions based solely on what I read online. All three of these solutions I've had hands on and/or keyboard time with, and have talked to engineers and admins from the vendors about the products.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
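
Added example, not part of the post above and not Entrust's code: a minimal server-side model of the grid-card scheme described in post #9 (card serial number, labeled X/Y grid, user prompted for a few coordinates). The grid size, the HMAC-based cell derivation, the lockout threshold and all names (`card_cells`, `new_challenge`, `GridCardVerifier`) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

COLS = "ABCDEFGHIJ"                      # X-axis labels (constructed layout)
ROWS = "12345"                           # Y-axis labels
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no look-alikes
MAX_FAILURES = 5                         # assumed lockout threshold


def card_cells(server_key: bytes, serial: str) -> dict:
    """Derive every cell of a card from its serial number and a server secret."""
    cells = {}
    for col in COLS:
        for row in ROWS:
            coord = col + row
            mac = hmac.new(server_key, f"{serial}:{coord}".encode(), hashlib.sha256)
            cells[coord] = ALPHABET[mac.digest()[0] % len(ALPHABET)]
    return cells


def new_challenge(count: int = 3) -> list:
    """Pick distinct random coordinates to prompt the user for."""
    coords = [c + r for c in COLS for r in ROWS]
    return secrets.SystemRandom().sample(coords, count)


class GridCardVerifier:
    def __init__(self, server_key: bytes):
        self.server_key = server_key
        self.failures = {}               # serial -> consecutive failed attempts

    def verify(self, serial: str, challenge: list, response: str) -> bool:
        """Check the card response; refuse once the card is locked out."""
        if self.failures.get(serial, 0) >= MAX_FAILURES:
            return False
        cells = card_cells(self.server_key, serial)
        expected = "".join(cells[c] for c in challenge)
        given = response.strip().upper()
        ok = hmac.compare_digest(expected.encode(), given.encode())
        self.failures[serial] = 0 if ok else self.failures.get(serial, 0) + 1
        return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed demo key
    verifier = GridCardVerifier(key)
    card = card_cells(key, "CARD-0001")  # what would be printed on the card
    challenge = new_challenge()
    answer = "".join(card[c] for c in challenge)
    print(challenge, verifier.verify("CARD-0001", challenge, answer))
```

With three cells from a 32-symbol alphabet a response has only 32^3 = 32,768 possible values, which is why this sketch pairs the check with an attempt limit and treats the card as a second factor alongside a password.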
