Overview

RADIUS is one of the most widely used distributed security/authentication protocols today. It originally gained popularity with ISPs, where it got its name (Remote Authentication Dial In User Service). Because of its inherent architectural advantages, it has been adopted in other network environments, including wireless and the general corporate intranet. The RADIUS client-server architecture provides an open and scalable solution that is broadly supported by a large vendor base. RADIUS provides a widely accepted standard protocol anywhere network access servers (NAS) must authenticate users prior to granting access to a protected network.

Web server access authentication has evolved along somewhat different lines, with no clear standard. Companies that authenticate users to access their networks (ISP/RAS dialup users, secure tunnel connections, etc.) often make use of RADIUS-based servers. These companies are often in a situation where they must keep a separate user database, and use a separate procedure, to authenticate the same users to access their web servers.

User authentication for IIS web servers is typically based on the NT username/password. Individual users gain access to a particular protected directory by 'logging in' to an NT user account. This scheme is both non-standard and redundant in instances where there is a pre-existing RADIUS-based authentication infrastructure. In addition, special precautions are necessary to ensure that the NT username/password is not used for purposes other than access to the intended web-based facilities.

RadIIS is built upon IIS's implementation of the standard 'Basic Authentication' scheme. The client-server protocol specifications for the Basic Authentication scheme are defined in the HTTP standard. Microsoft's implementation of this scheme is rich in features, supporting easy configuration, advanced logging and custom error pages.

The Basic Authentication scheme, by itself, is a medium security protocol. As such, it is not suitable for all levels of security requirements. The principal flaw is that username/password pairs are sent across the open internet cloaked with only simple uuencoding protection (it is NOT sent as clear text, as is stated on IIS directory security property sheets!). When used over standard SSL connections, however, the Basic Authentication scheme provides a standard, flexible, highly secure method for authenticated access to web servers.
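
The encoding applied to Basic credentials can be reversed without any key, which is why the paragraph above pairs the scheme with SSL. As an added example (not RadIIS code), the Python below parses an Authorization header as specified in RFC 7617, where the encoding is Base64; the function names, the over_tls flag and the sample account are assumptions made for illustration.

```python
import base64


class BasicAuthError(ValueError):
    """The header does not carry usable Basic credentials."""


def parse_basic_authorization(header_value):
    """Decode an Authorization header value into (username, password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":  # the scheme name is case-insensitive
        raise BasicAuthError("not a Basic authorization header")
    try:
        # validate=True rejects characters outside the Base64 alphabet
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise BasicAuthError("credentials are not valid Base64 text") from exc
    # Split on the FIRST colon only: the password may itself contain ':'
    username, sep, password = text.partition(":")
    if not sep or not username:  # empty username refused as a policy choice
        raise BasicAuthError("expected 'username:password'")
    return username, password


def credentials_for_backend(header_value, over_tls):
    """Hypothetical gate: accept Basic credentials only if they arrived over SSL/TLS."""
    if not over_tls:
        raise BasicAuthError("Basic credentials refused on a non-SSL connection")
    return parse_basic_authorization(header_value)


# Constructed sample: the header value as it appears on a non-SSL connection.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:pa:ss").decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print(parse_basic_authorization(SAMPLE_HEADER))  # decoded with no key or secret
```
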

RadIIS provides a total web server security solution by using 3 well-defined, widely accepted protocols: Basic Authentication, RADIUS and (where needed) SSL. RadIIS combines, in a simple manner, proven security methodologies that are well understood.