S 4.113 Use of an authentication server within RAS access

Initiation responsibility: IT Security Management Team

Implementation responsibility: Administrator

For RAS systems with a lot of users, consideration must be given to the question of how user administration for RAS access can be carried out efficiently. As a rule, every RAS user must also either be given a system identity (user account of the operating system) or else be identified via such a user account. Some operating systems (e.g. Windows NT) offer direct integration of the RAS functionality and a common user administration facility. For medium-sized and large networks, most of which are organisationally split into several subnets (domains, administration areas), in many cases there is often the problem that administration of user data is performed separately in each administration area. If such users are also to be able to log on to outside subnets, cross permissions (cross certificates, trust relationships) or a central directory service must be set up and maintained. Another alternative is that the users are given another user account in the other subnet; however this complicates administration of the user data. In particular, in the RAS context special authentication systems have been developed which can also be used for the "normal" authentication process during system logon. Typical examples of such systems are RADIUS, TACACS, TACACS+, SecureID, SafeWord etc.

These systems always operate as follows:

• Users' authentication data is administered through a central server.

• The system logon program refers to the authentication server to check the authentication data entered by the user.

• A secure protocol is generally used for communications between the logon process and the authentication server.

The logon process must support the use of external authentication servers and the network address of the authentication server to be used must be correctly entered in the configuration data for the logon process. If a user now wishes to log on to the system, irrespective of whether he is using a RAS connection for this or is directly inside the LAN, the following rough simplified sequence of events occurs:

• If a connection is established during the system or RAS logon process, the logon process contacts the authentication server and informs it that the user has requested a connection. If the Challenge-Response procedure is being used, the authentication server sends back a Challenge to the process, which then passes this on to the user.

• The user enters his secret authentication data. Depending on the system used, this can be a password or one of several types of one-time password (numbers, text).

• The logon process passes the data to the authentication server, generally transparently to the user.

• The authentication server verifies the user data and passes the results of the validation process to the logon process.

• If the user has been successfully authenticated, access is now granted to the (access) network.

Through the use of central authentication servers it is possible to ensure on the one hand that the authentication data is consistently administered and on the other hand that better authentication mechanisms can be used than are supported as standard by the operating systems. In particular, smart card and token-based mechanisms should be mentioned here. Depending on the system, these generate, for example, one-time passwords which are shown on a display and which the user must specify as password.

For medium-sized and large networks the use of authentication servers is especially recommended in the RAS area as these offer a significantly higher degree of security during user authentication. However, it should be noted that these servers also have to be administered and maintained. An authentication server must be positioned in the network in such a way that performance is good while at the same time protection is provided against unauthorised accesses.

Additional controls:

• Is the external authentication system supported by the operating system and the RAS system?

• Does the RAS client software allow use of a smart card reader for smart card-based authentication systems?

• What security mechanisms are offered by the external authentication system?