RADIUS is an Internet protocol which is being added to VOS. RADIUS carries authentication, authorization, and configuration information between a Network Access Server (e.g., VOS) and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (Internet Engineering Task Force) document RFC 2138.
RADIUS: Key features and benefits

| Features | Benefits |
| --- | --- |
| RADIUS supports dynamic passwords and challenge/response passwords. | Improved system security due to the fact that passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms. |
| RADIUS allows the user to have a single user ID and password for all computers in a network. | Improved usability due to the fact that the user has to remember only one login combination. |
| RADIUS is able to: | Provides very granular control over the types of logins allowed, on a per-user basis. |
| VOS user applications can access the RADIUS authentication server. | Applications can authenticate users with the same techniques that VOS uses. |
| The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable. | RADIUS gives a VOS System Administrator more flexibility in managing which users can login from which hosts or devices. |
| Traditional VOS users with static passwords will continue to be able to login at any time, from any device. | The customer has the flexibility to continue using the traditional VOS login process where appropriate. |
Product description:
The term "RADIUS" is an acronym which stands for Remote Authentication Dial In User Service.
The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access. Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry into the system, the user must supply this one-time number along with his or her user ID and password.
Although protocols such as RADIUS cannot protect against theft of an authenticated session via some real-time attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active attacks.
RADIUS on VOS enables a VOS system to act as a NAS (Network Access Server) in a RADIUS-equipped network. A NAS operates as a client of a RADIUS server. This means that the VOS NAS can request authentication from the RADIUS server. It does not mean that a VOS system can deliver RADIUS authentication to another client.
The use of RADIUS applies to direct login connections, TELNET and FTP clients. It does not change how RSN connections are authenticated, nor does it affect verify_system_access.
VOS is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned.
RADIUS authentication servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the NAS client to deliver service to the user.
Any remote user of VOS presents authentication information to the client, often via a login prompt, where the user is expected to enter a username and password. A VOS user can be registered to require OS authentication or RADIUS authentication.
The RADIUS authentication server can support a variety of methods to authenticate a user. This includes static passwords, dynamic passwords, a combination of static and dynamic passwords, and challenge/response passwords.
Once the VOS system has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5.
The Access-Request is submitted to the RADIUS server via the network and the user is either authorized or rejected. If no response is returned within a length of time, the request is re-sent a number of times.
RADIUS can also enable "challenge/response" authentication.
Challenge/Response
In challenge/response authentication, the user is given an unpredictable number and challenged to encrypt it and give back the result. Authorized users are equipped with special devices such as smart cards, hardware keys or software that facilitate calculation of the correct response. Unauthorized users who lack the appropriate device or software can only guess at the response.
The Access-Challenge packet includes a challenge to be presented to the user, such as a numeric value unlikely ever to be repeated. Typically this is obtained from an external server that knows what type of authenticator should be in the possession of the authorized user and can therefore choose a random or non-repeating pseudorandom number.
The user then enters the challenge into his device (or software) and it calculates a response, which the user enters into VOS. VOS then forwards it to the RADIUS server via a second Access-Request. If the response matches the expected response the RADIUS server replies with an Access-Accept message, otherwise it sends an Access-Reject message.
Using RADIUS, a VOS System Administrator is able to assign most management of, and all verification of, user passwords to a RADIUS server on a user-by-user basis.
RADIUS can also enable "single sign-on", which allows a user to have one User ID and password for some or all computers on a network.