Ten Reasons your RADIUS Server Needs a Refresh:
Ensuring authentication, authorization, and audit across your network
For over a decade now, RADIUS servers have been a mainstay of dial-up and VPN access control. The rather inconspicuous RADIUS server, perhaps better known as that beige, general-purpose PC collecting dust in the corner of your data center, has proved sufficient for performing basic duties like validating passwords and granting network access. But while these servers have been diligently chugging away at their tasks, the world of networking and security technology has evolved substantially, leaving the current generation of RADIUS servers in the dust.
The emergence of wired and wireless 802.1X network authentication, combined with NAC, has outstripped the capabilities of the current-generation RADIUS servers. Fortunately, Identity Engines has built the future of RADIUS servers in its next-generation, hardened RADIUS appliance, the Ignition Server.
1. You don't have an AAA server, you have an AA server.
Authentication, authorization, and accounting are the cornerstones of a RADIUS server's functionality. When you connect to a network, authentication validates who you are, authorization dictates what resources you can use, and accounting tracks what you have done. Frustratingly, for most networks today the middle "A," authorization, is missing; feasible network authorization remains more dream than reality.
AAA only provides its promised benefits if all three parts are working together towards a common goal. In the past, this goal was merely to check the user's password against a list, and authorization wasn't required. With dial-up and VPN access control, the goal became to grant remote users the same access rights they would have had if they had connected directly to a network port on-site. Still, authorization was not part of the picture in most environments.
Now, IT teams aim to solve bigger problems when they roll out AAA. Current industry regulations and audit requirements demand two important evolutions in AAA server capabilities, far beyond what incumbent AAA servers can provide. The first new requirement is for the network to allow system-wide auditing of access events. This capability allows the AAA system to answer queries like, "When and from where has Karen Benning in finance accessed the network over the last 90 days?" or "Were finance users accessing critical finance resources from secure locations?" These types of queries simply cannot be answered unless the AAA infrastructure authenticates, authorizes, and records an accounting record for every user session on your wired and wireless infrastructures, in addition to your dial-up and VPN.
The second new requirement is to manage access rights based on the role of an individual within an organization. Today, industry regulations and audit requirements demand that networks no longer provide one-size-fits-all access. For example, sales people should be able to access sales systems, but not engineering systems; finance employees are the only users who should be allowed access to the finance servers and, even then, only if their computers have up-to-date virus protection and a secure network connection.
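The two requirements above, role-based authorization with posture and connection-type conditions, and an audit query over accounting records, are easier to see in code than in prose. The following is an added example written for this page; it is not Identity Engines or Ignition Server code. It simulates the RADIUS server's decision and accounting store in plain Python with constructed sample data: the directory, the posture values, the accounting log, and the "secure port type" rule are all assumptions made for the illustration. Attribute names and numeric values follow the RADIUS RFCs (NAS-Port-Type from RFC 2865, Acct-Status-Type from RFC 2866, the VLAN tunnel attributes from RFC 3580).

```python
"""Role-based RADIUS authorization plus a 90-day audit over accounting records.

Added example, not vendor code. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# RFC 2865 NAS-Port-Type values. Assumption for this example: only 802.1X-capable
# Ethernet and 802.11 ports count as a "secure network connection"; Virtual (5),
# typically used for VPN, does not.
NAS_PORT_TYPE_VIRTUAL = 5
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_80211 = 19
SECURE_PORT_TYPES = {NAS_PORT_TYPE_ETHERNET, NAS_PORT_TYPE_WIRELESS_80211}

# Constructed directory: the identity store consulted after authentication.
DIRECTORY = {"kbenning": "finance", "jsales": "sales", "eng1": "engineering"}

# Role -> VLAN returned as RFC 3580 tunnel attributes (constructed VLAN IDs).
ROLE_VLAN = {"finance": "110", "sales": "120", "engineering": "130"}


@dataclass
class AccessRequest:
    user_name: str
    nas_ip_address: str
    nas_port_type: int
    password_ok: bool   # outcome of the authentication step (PAP/EAP), already decided
    av_current: bool    # posture reported by a hypothetical NAC agent at connect time


def authorize(req: AccessRequest) -> dict:
    """Return the RADIUS reply for this request.

    Authentication: the password verified and the user exists in the directory.
    Authorization: the role selects the VLAN; finance additionally requires
    current antivirus and a secure port type, per the paper's example policy.
    """
    role = DIRECTORY.get(req.user_name)
    if not req.password_ok or role is None:
        return {"code": "Access-Reject", "Reply-Message": "authentication failed"}
    if role == "finance":
        if not req.av_current:
            return {"code": "Access-Reject", "Reply-Message": "posture: antivirus out of date"}
        if req.nas_port_type not in SECURE_PORT_TYPES:
            return {"code": "Access-Reject", "Reply-Message": "finance requires an 802.1X port"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",             # value 13
        "Tunnel-Medium-Type": "IEEE-802",  # value 6
        "Tunnel-Private-Group-ID": ROLE_VLAN[role],
    }


# Constructed accounting log: RFC 2866 Accounting-Request records as the server
# would store them. Only Start records count as a session for audit purposes.
ACCOUNTING_LOG = [
    {"User-Name": "kbenning", "NAS-IP-Address": "10.1.1.1", "NAS-Port-Type": 15,
     "Acct-Status-Type": "Start", "timestamp": datetime(2024, 3, 1, 9, 0)},
    {"User-Name": "kbenning", "NAS-IP-Address": "10.1.1.1", "NAS-Port-Type": 15,
     "Acct-Status-Type": "Stop", "timestamp": datetime(2024, 3, 1, 17, 0)},
    {"User-Name": "kbenning", "NAS-IP-Address": "10.1.1.2", "NAS-Port-Type": 19,
     "Acct-Status-Type": "Start", "timestamp": datetime(2023, 11, 1, 9, 0)},
    {"User-Name": "kbenning", "NAS-IP-Address": "203.0.113.9", "NAS-Port-Type": 5,
     "Acct-Status-Type": "Start", "timestamp": datetime(2024, 3, 20, 8, 30)},
    {"User-Name": "jsales", "NAS-IP-Address": "10.1.1.2", "NAS-Port-Type": 19,
     "Acct-Status-Type": "Start", "timestamp": datetime(2024, 3, 2, 10, 0)},
]


def sessions_for_user(log, user, now, days=90):
    """Audit query 1: when and from where did this user connect in the window?"""
    cutoff = now - timedelta(days=days)
    return [(r["timestamp"], r["NAS-IP-Address"]) for r in log
            if r["User-Name"] == user and r["Acct-Status-Type"] == "Start"
            and r["timestamp"] >= cutoff]


def insecure_finance_sessions(log, now, days=90):
    """Audit query 2: finance sessions that started on a non-secure port type."""
    cutoff = now - timedelta(days=days)
    return [r for r in log
            if DIRECTORY.get(r["User-Name"]) == "finance"
            and r["Acct-Status-Type"] == "Start" and r["timestamp"] >= cutoff
            and r["NAS-Port-Type"] not in SECURE_PORT_TYPES]


if __name__ == "__main__":
    print(authorize(AccessRequest("kbenning", "10.1.1.1", NAS_PORT_TYPE_ETHERNET, True, True)))
    print(authorize(AccessRequest("kbenning", "203.0.113.9", NAS_PORT_TYPE_VIRTUAL, True, True)))
    now = datetime(2024, 3, 31)
    print(sessions_for_user(ACCOUNTING_LOG, "kbenning", now))
    print(insecure_finance_sessions(ACCOUNTING_LOG, now))
```

The point the example makes is that the second audit query is only answerable because the accounting records carry the same identity and port-type attributes the authorization step used; a server that authenticates without authorizing or accounting has nothing to query. A production deployment would return the VLAN attributes in binary RADIUS form and take posture from a real NAC integration rather than a flag on the request.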
idengines.com Ten Reasons your RADIUS Server Needs a Refresh Page 1
Today's unauthenticated networks and legacy RADIUS servers are incapable of performing such functions. Much like a country without Customs or Immigration, or a high-rise apartment building with only a single lock on the front door, the lack of authentication on most networks today means that, once past the "front door," an adversary has the complete run of the place, leaving each application to fend for itself by providing its own layer of access control. This is clearly not secure; the new goal, therefore, is auditable, role-based access control to the network itself.
In order to provide authorization, a RADIUS server needs to have a more in-depth conversation with the network-edge device through which the user connects, and this conversation must be based on a far more in-depth policy. A simple policy for your existing platform might be:
Finance users may only a...