Authentication Tools

Many organizations are seeking to replace or supplement password authentication with a single means of token-based access for all users. We tested five token systems. Our editor's choice, with its

January 28, 2005

24 Min Read
NetworkComputing logo in a gray background | NetworkComputing

The Haves

All the products we tested except Novell's Nsure SecureLogin rely on RADIUS as their primary authentication mechanism, with a tie-in to LDAP and AD. Novell allows the choice of e-Directory, AD or any LDAP directory and stores credentials for RADIUS authentication against another server. All let us build various levels of custom interaction for our users. With any of these products, you can enforce authentication policies that are as strong as your organization demands and your users can bear.

If secure authentication is your only concern, any of these products is likely to meet your needs. We found significant differences, though, in how easily they let us build custom scripts, their flexibility and the extent to which they support authentication-process management. In addition, there's one area in which the products clearly differ: Secure Computing and ActivCard provide token-based authentication systems that offer additional authentication services on a global basis. Lucent, Funk and Novell provide global authentication systems that may include token-based authentication. It sounds like mere wordplay, but there are significant variations between the approaches. One important point of contention is when you're considering whether to give tokens to all your users, or just to those with high-value privileges--"C-level" officers and network administrators, for example. A global-authentication system that allows for tokens will offer more flexibility in how the non-token users authenticate. If every user is going to get a token, though, a token-based system is likely to cost less than a general authentication system with token support.

In terms of purchase price, Lucent came in at the low end, with a single-server implementation supporting 500 simultaneous users at $1,000, and a 2,000 simultaneous user version at $4,800. Funk's Global Authentication version of Steel-Belted Radius cost $10,000 as tested, though the vendor offers versions priced at $4,000 to $20,000 and says one server will support as many as 20,000 users with its native database.ActivCard, Novell and Secure Computing all offer per-user pricing. ActivCard has a $60 flat fee for its server, with tokens costing $43 each (for 1,000). Novell charges $79 per user for SecureLogin. Secure Computing prices its silver tokens at $106.16 each (for 1,000) and includes the server in the token cost. Pricing gets more complicated if you want to include some tokens in a global-authentication implementation--the combined purchase price will mirror the implementation cost, climbing with each layer of additional software.

Lucent NavisRadius is a model of flexibility and earns our Editor's Choice award. Designed for the needs of ISPs and large enterprises, NavisRadius assumes that someone on staff thoroughly understands the authentication process, and it supports that knowledgeable individual with well-thought-out capabilities, tools and interface. Like all these products, NavisRadius requires integration and customization work for your network and applications. But Lucent recognizes this and provides a set of integration tools that simplifies the development process, with features that give you a head start in writing code and then help you debug it. Because it provides exceptional functionality at a very low starting price, NavisRadius also receives our Best Value award.

For those willing to trade some flexibility for ease of use, Secure Computing's SafeWord PremierAccess is a solid product that makes setting up token-based authentication and enrolling large numbers of tokens exceptionally easy. Its initial purchase price is high, but PremierAccess' user self-enrollment and straightforward server configuration will save you money on deployment, and the tokens are easy for users to handle.

NavisRadius initially seemed like overkill for a small or midsize business network. As it turns out, though, NavisRadius' low cost of entry and automated configuration tools make it a realistic option for any company with a need for solid authentication and a willingness to task a network professional with learning how authentication works.Lucent bills its product as a RADIUS development platform on which customers can write authentication applications combining device and user authentication with application initiation and complex accounting processes. Instead of C code, Lucent provides a high-level scripting language for building custom apps; Lucent's programmers use this language and interface in developing supplied authentication scripts. In our tests, this interface made programming relatively easy, and script development was fast because no compiling was needed.

NavisRadius' Policy Assistant helped us establish the initial configuration and deploy necessary plug-ins, Lucent's term for the modular scripts used in building deployment configurations. We found the Policy Assistant software flexible, with an enormous variety of options available as we moved through the questions that comprise the setup routine.

Lucent supplies a plethora of plug-ins, and even in cases where we knew that some implementation-specific work would be required--importing MAC (Media Access Control) addresses of wireless cards for populating an ACL (access-control list), for example--we could use a generated configuration as the basis for custom scripts, saving time. We found LDAP and SQL plug-ins, along with a Read DNS plug-in, and functions that act on program flow, reporting, accounting and system performance were included or easily developed. Programming possibilities within plug-ins are almost unlimited. For example, we built ACLs as part of the "allow this" plug-in. We then reversed the logic for a "deny this" plug-in.

NavisRadiusClick to Enlarge

Because Lucent assumes that NavisRadius customers have enterprise-class accounting and reporting tools, the product provides many options for delivering information to reporting systems, including traps, syslog, database or Web pages. Information can be exported over LDAP, though Lucent doesn't recommend this route, saying it finds other external stores more robust and easily accessible to external applications. NavisRadius also can pass variables to an external program or to thread-safe C code, though these last two options inflict a performance hit on the processor. Finally, you can selectively log certain criteria to specific external sources. NavisRadius doesn't include an internal reporting tool, though Lucent says one will be released shortly.NavisRadius can be hosted under Apple Mac OS X, Hewlett-Packard HP-UX, Microsoft Windows 2003, Red Hat Linux and Sun Solaris. The product interoperates with certificates for device authentication, accepts self-signing certificates, and generates both server and user certificates.

We began our tests by running the full-featured and powerful Policy Assistant wizard to help with setup. We found a long list of possible user-information databases to authenticate against--all major types and companies are represented. Within the database types were options for dealing with EAP (all varieties) and many other authentication variations. In another section, we could specify multiple servers for failover or load balancing. When we ran into snags, we clicked over to the NavisRadius Web site; its documentation, tech notes and plug-ins discussion forum were helpful.

When building authentication scripts, good testing tools are critical, and it's here that NavisRadius truly shines. Lucent supplies a good selection of test tools, including a real-time packet decoder, NAS simulator for load testing and VPN test client. During our tests, we forgot to reboot our server, and the errors rolling through the debugger pointed us to what had happened. We did run into some problems related to the product's understanding of global groups in our Windows domain controller--we thought they'd been set up, but the product disagreed. Turns out our NavisRadius machine wasn't registered as part of the domain--once that was done, things worked much better.

After setting up the Windows AD and SAM (Software Asset Management) authentication, building a Microsoft RAS (Remote Access Services)-based client-to-server VPN was very easy. We established accounting messages that would flow from the NavisRadius server, and setup went off without a hitch.

We then set out to develop a multistage authentication routine. The plug-in (authen-t) we were using had a couple of minor coding hiccups that affected our ability to authenticate. We ran traces on authentication attempts and localized the problems, then went into the plug-in, made a couple of simple changes and got the authentication running just fine. The scripting language is a basic object-oriented language that will look familiar to anyone who has worked in C++ or Java, and solid debugging tools made developing and tweaking scripts a breeze. Documentation within the scripting language is good. We're security geeks, not coders, but we felt comfortable even when building custom authentication routines.

The management console is Java-based; despite that, it performed well. We used the console to see active connections, statistics on connection attempts, error conditions and live traffic flows.

NavisRadius has neither native tokens nor a token engine but works with those from Accent, RSA and SafeWord. For other token types, you'll have to create custom plug-ins, and regardless of the tokens chosen, you must run the token-authentication server separately. Lucent provided custom plug-ins to work with our SafeWord system, using SafeWord methods and libraries built into NavisRadius. We encountered some interesting complications in making the two work together; for example, standard port assumptions from NavisRadius didn't match the port assignments on the SafeWord server we had in place, but changing the NavisRadius port assignment was a five-click process.NavisRadius 4.0, $1,000 (500 simultaneous users), $4,800 (2,000 simultaneous users). Lucent Technologies, (888) 582-3686, (908) 582-8500. www.lucent.com

Secure Computing comes at authentication from the token side, though it uses partnerships to provide SSO and direct application support. If your plan for enterprise SSO goes through a Web server, PremierAccess will handle everything on its own. For authentication using login scripts that don't require a Web server, the product integrates with several third-party products. SafeWord PremierAccess also achieves directory synchronization through partnerships, this time with Maxware and Sun.

PremierAccess isn't a low-cost system by any means, coming in at the top of the range in this review. There are also costs to be borne if you intend to use a partner company to provide additional functionality. Having said that, Secure Computing provides versions of its tokens and servers that include integration kits, which promise to allow very easy integration with those partner companies' products, potentially saving significant money on the deployment side.

Like the other products we tested, PremierAccess has integrated hooks into AD, RADIUS and LDAP. The integration and method of establishing ACLs varies between the three: If there is an AD database with access rules and roles, then it is used, but if the authentication database is RADIUS or LDAP, the ACL can live on the PremierAccess installation. In any of these, the ACL can provide authorization information to accompany the user's authentication.

Token enrollment can be a bear if you need to deploy more than a handful, and here PremierAccess excels, offering the most capable token features of the products we tested. If your plans include two-factor authentication for an entire organization, this product will save you money when deploying tokens. For example, though PremierAccess does let you import a database or manually enroll individual users, the product's has a Web server option for self-enrollment.We also liked that we could contract with Secure Computing to enroll tokens for us--tokens can be programmed, packaged and shipped to users, and a database delivered to IT. PIN letters are mailed separately and directly to the user. The option, called Automated Deployment Services, can provide different services at various prices, but you can figure on adding about $10 to the price of each deployed token.

Installation of PremierAccess went well--until we began building authentication for our Microsoft RAS-based client-to-server VPN. The big problem came in addressing for the two ends of the tunnel. Fortunately, the basic Secure Computing RADIUS server has good debugging facilities. Still, even after we got the communications working, some attributes weren't being passed from PremierAccess to AD, which left the authentication incomplete.

There are many options for information that's exchanged during an authentication transaction. Most of the time, we wouldn't expect to see such complexity in a basic GUI-controlled setup, but editing a configuration file let us, for example, send setup strings for Cisco infrastructure components or define the networking parameters of the response set. In our case, the IP address of RRAS (Routing and RAS) was not being set through DHCP (even though we had the server using DHCP) on the server machine. We finally got to the root of the problem. In addition, during installation we ran into a known problem with MPPE (Microsoft Point-to-Point Encryption) in Windows 2003. Secure Computing told us it's in the process of writing patches.

The UWA (Universal Web Agent) runs Apache and does a reverse proxy, receiving all requests through Port 80, then forwarding requests to the application Web site. This adds a layer of protection, especially to IIS, which can listen on 127.0.0.1 and never be directly exposed to the Internet. As part of the authentication process, the UWA sets a session cookie and uses a certificate that defaults to its own internal certificate authority; we could also use any standard certificate authority. With some configuration through the UWA and the hosts file on the IIS server, we got our site protected in about 10 minutes.

We could audit log entries, each containing full information on passes, failures, administrative changes and more. We were able to check information on a user, his actions and results, the server against which he authenticated, the ACL under which he entered, what was returned and where (in terms of IP address) he came from. We also could create reports that select records based on a wide variety of criteria and run them at scheduled times as batch or cron jobs.

We found three SDKs for creating custom scripts for Windows or Solaris platforms, with user applications running on HP-UX, IBM AIX, Linux, Windows and Solaris, plus an authentication SDK that included libraries and sample code for Java, C and Windows DLLs and let us set up authentication for legacy applications. An administration SDK provides all the capabilities found in the PremierAccess admin console. Here we could build UIs and Web consoles.

Although the SDKs are good, Secure Computing doesn't offer the same level of debugging as NavisRadius. We set up real-time alarming and notification, so we could watch all authentication activity (or any selected portion of it) as it happened, or have the system alert us immediately when a glitch occurred.Secure Computing SafeWord PremierAccess, starts at $120.99 per user for 500 users. Secure Computing, (800) 971-2622. www.securecomputing.com

SecureLogin requires little in the way of server CPU power. Memory requirements aren't as parsimonious, but you won't have to go out and buy a new dual-CPU box to host this server. Installation is a piece of cake if you're steeped in NetWare, but an exercise in interesting nomenclature if you're not.

We installed both SecureLogin and e-Directory, and found the e-Directory installation on Windows 2003 Server straightforward and complete; when the manager goes through to detect applications and services, it will install, for example, the Apache Web server and JVM (Java Virtual Machine) if it doesn't find something already in place. A reboot to make sure that all the services were started properly got us to the Web management interface. Note that e-Directory is included in SecureLogin's $79 per seat purchase price, making a move to e-Directory attractive if you've made the SecureLogin decision.

Novell offers a wide range of directory, authentication and identity-management products. We tested the SecureLogin Client, a client-side agent that manages authentication and authorization against a variety of possible back-end servers.

SecureLogin was designed with SSO in mind--when it recognized a user name-password combo, it offered to launch a wizard to create SSO information around that password. Much of the SSO functionality is in the client--we could let users create their own login info or designate that it be created for them by the administrator. We found lots of prebuilt login scripts and could build custom login schemes. For security, we could create and enforce password policies on the client and set up security phrases that are used for authentication. Administrators can choose among several encryption options for securely storing and transmitting this information, including 3DES, Novell SecretStore within e-Directory and Novell International Cryptographic Infrastructure (NICI), a FIPS-certified service within e-Directory.ConsoleOne is the user interface for managing e-Directory, and on the server side we were pleased to find that, with a few limits, we could create login scripts that looked and acted the way we wanted them to. One interesting capability is the possibility of providing password access to applications without letting users see the passwords. The password can be attached as a property to a login, or used as part of a script, while hiding the information from a user initiating the login or script.

For a product that doesn't have a native token, SecureLogin has a smooth token-integration process that makes use of DigiPass tokens from Vasco. We set up our token methods following the instructions provided by Vasco; note that Vasco is the only token for which all methods are available with no additional software required (for a review of Vasco's and other tokens, see "Strength In Layers," at nwc. securitypipeline.com/showArticle.jhtml?articleID= 19400031). Unlike the token support in the Lucent and Funk products, Novell provides all the back-end support necessary for two-factor authentication with a Vasco token (SecureLogin can also perform pass-through authentication with other tokens, but more integration effort is required). In our case, a simple download was needed--no additional server or client software or licenses were necessary.Novell Nsure SecureLogin 3.5, $79 per user. Novell, (888) 321-4272, (781) 464-8000. www.novell.com

In some areas, Steel-Belted Radius (SBR) held its own against NavisRadius. But where Lucent's authentication is designed for authentication experts, Funk makes it easy for network generalists to set up strong authorization. For example, the manual explains what RADIUS is and how it works. However, if your implementation calls for customization, be warned: In our tests, when parameter changes became extensive, the product's INI orientation caused some pain, and the lack of solid debugging tools was sorely felt.

We installed SBR Global Enterprise Edition. Even this largest version of SBR has a simple start-up user interface. We connected to a local server and selected from five authentication methods: native user, NT domain user, NT domain group, Windows domain group and Windows domain user. Most functions within the setup routine were established and defined with a single click. We added a new RAS client from a long list of RAS clients available for connection, chose NT and then created an IP pool for clients.

Building a profile was a matter of setting up the attributes checked, those accepted and those passed through to other authentication methods or apps. The list of possibilities is similar to those in NavisRadius. The big difference is the user interface: SBR let us do one thing at a time in its straightforward interface. We could, for example, easily set up custom messages if an authentication were rejected for various reasons.

The step-through process to add a user had us simply entering the name, domain and SecureID. We ran into problems with network authentication, though: Funk's documentation said that with a device installed on a machine other than a domain controller, network or host authentication is possible. But our error messages said SBR wasn't doing domain authentication because the server wasn't installed on a domain controller.To debug the problem, we used Wintail for a real-time log reading. SBR's reporting and logging are basic--SBR runs all configuration information into a Windows .txt file, though real-time data can be fed to Perfmon for viewing. We also had to go into RADIUS.INI to make changes because SBR uses .INI files for configuration information. There are a number of them included with the product, and instructions are provided in the manual for modifying INI files to customize the implementation. We found that it was possible, but not particularly easy, to make changes this way. We finally downloaded a new .dll file that gave us an improved error message (rather than no response at all). We added groups of users from AD, but had to adjust the time parameters of the servers to synchronize them to authenticate between the two.

After a call with Funk's tech support, we adjusted the shared secret and three MPPE attributes. The three are required for AD pass-through, but their settings aren't in the manual (this was confirmed by tech support).For tokens, we found it was important to use PAP rather than CHAP. SBR natively supports RSA tokens, but the RSA server must be running behind it. We installed RSA Ace Server and the integration went as described in the documentation.

Included plug-ins for Crypto-Card and Vasco DigiPass were developed by other companies. SBR will do RADIUS pass-through for others as well, but you'll need to buy the particular token authentication server separately.

Steel-Belted Radius 4.71, $10,000. Funk Software, (800) 828-4146, (617) 497-6339. www.funk.com

This product is obviously designed to work with external directories and databases--AD, LDAP, SunOne--rather than with an internal database. We found it a bit frustrating because it includes some useful features that ultimately made deployment a straightforward affair, but that are wrapped in an interface that isn't as well-thought-out as the others.

We tied the server to AD and almost immediately noted one helpful feature: It makes use of an otherwise unused property within the schema (any unused property at all) to use as a token element--you don't have to extend the AD schema to make the product work. To associate tokens with users, an unused or new field within the LDAP schema must be matched to the ActivPack authentication attribute. We paired "facsimiletelephonenumber" with the ActivPack attribute "Device Serial Number," which was filled with the assigned token's serial number. Although Microsoft designed AD as an extendible architecture, many admins are understandably reluctant to meddle with the basic schema, so this approach is attractive.The basic installation was straightforward, but the documentation was less so. It's difficult to simply go to a topic, and we needed to have an idea of where our problem originated before we could get help.

Fortunately, setting up connections to AD was simple. With an experienced AD admin, basic setup should take less than five minutes. We did have a problem with the layered approach ActivCard takes to creating the server and the somewhat confusing terminology it uses to describe what's going on. First, we created the server (actually an instance of the authentication service), then we created a "gate" to provide RADIUS or TACACS+, which actually does most of the work of gluing ActivCard to the directory. The gate setup includes settings for authorized remote clients, authorization and accounting profile default assignments, and dictionary selection (in which the methods for a particular authentication method are stored) containing settings for most major manufacturers' authentication and VPN servers.

One small problem with tokens: Activation is through a floppy disk, and none of our test clients had floppy drives. We also couldn't find a token self-enrollment routine for this product, which means admins must assign tokens. The ActivPack Web Help Desk, an add-on component included with the server, lets helpdesk operators review authentication logs, lock and unlock tokens, resynchronize tokens, unlock token PINs, and set and assign temporary passwords.

An audit log showed us the activity of our ActivPack server. We could set up different accounting systems, and three types of logs are supported: audit, accounting and authentication. A basic connectivity-checking RADIUS "ping" test let us confirm the server was working properly before we added the VPN and switch to be authenticated.

ActivPack successfully authenticated users logging in to our Windows 2003 VPN Server and HP 2524 switch, and it includes a Web Access Agent for IIS and SunOne in addition to an API for extra Web servers. An included Web self-service portal lets users report lost or stolen tokens, unlock PINs, resynchronize tokens and set security questions, but unfortunately, it doesn't let users self-enroll.

ActivCard ActivPack AAA Server 6.3, $60 for server site license; $15 per token. ActivCard. www.activcard.com

CURTIS FRANKLIN JR. is a senior technology editor for Secure Enterprise and Network Computing. He was founder of the BYTE Testing Lab, director of labs for Client/ Server Labs and managing editor/ technology at InternetWeek. He has been writing about the computer and network industries since 1985. Write to him at [email protected].John H. Sawyer is the systems security engineer for the Institute for Food and Agricultural Science statewide network at the University of Florida. Write to him at [email protected].

We tested these authentication systems in the IT Service Lab of the Institute for Food and Agricultural Sciences (IFAS) at the University of Florida, Gainesville.

Our tests were done on custom-built AMD Athlon XP 3000+ processor-based machines with 1 GB of RAM, 80-GB hard drives, DVD drives and 3Com 10/100 network interfaces. The server ran Windows Server 2003 Standard Edition with the most current system patches available. We used VMware Workstation 4.5 to create virtual machines, which let us easily make configuration changes for testing and revert to previous states. When needed, we used a test Active Directory domain running under Windows Server 2003. An HP 2524 switch was configured for RADIUS authentication to evaluate products containing RADIUS server functionality.

We set up procedures that authenticated users against the tested system's internal database, if available; against a test Active Directory database (or a production IFAS AD domain, if no AD schema modification was required by the product under test); and against an LDAP-enabled database. Application authentication was tested against Microsoft IIS and against the authentication schemes of legacy internal applications. Two-factor authentication was established using the native token capability of the product or the default token products and methods listed by the vendor. Tokens were provided by the vendors and tested for both administrative and user accounts.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

R E V I E W

Authentication



Sorry,
your browser
is not Java
enabled



Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.

Click here for more information about our Interactive Report Card ®.


SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights