
Authnodes & RADIUS

A key link in the Signify authentication process is the communication between the client’s Authentication Node (AuthNode) and the Signify Authentication Service infrastructure.    

What is an AuthNode?

The AuthNode may be any system owned by the client that challenges the user to authenticate, such as a VPN gateway, RAS, Citrix or web server. When the user submits their login credentials, the AuthNode passes them to Signify for verification. The Signify service is compatible with all leading VPNs, firewalls and web servers, including:

Citrix, Juniper, Cisco, Checkpoint, Sonicwall

How does an AuthNode communicate with Signify?

The Signify service can support several alternative authentication protocols, which may be used by different types of AuthNode.

  • RADIUS: the open, RFC-compliant standard (RFC 2865) supported by the widest range of AuthNode devices.
  • RSA SecurID protocol: implemented on many devices and web server systems; may require the installation of free RSA Agent software on the AuthNode device.
  • 802.1X: port-based network access control, supported by a growing number of business-class access devices such as wireless access points, Ethernet switches and routers. It builds on RADIUS rather than replacing it: the access device relays EAP between the user's client and the RADIUS server, and with a tunnelled EAP method (EAP-TLS, PEAP) the user's credentials travel inside TLS end to end from the client to the authentication server, so neither the access device nor the network path sees them.

The choice of authentication protocol is typically determined by what your AuthNode device can support. We normally recommend RADIUS as a straightforward, open-standards protocol which offers the greatest flexibility, the widest AuthNode support and the least vendor lock-in, while 802.1X, which layers EAP over RADIUS, is potentially the ideal successor to plain RADIUS in the medium term. The RSA SecurID protocol is a good, simple option if your AuthNode supports it and a proprietary solution is acceptable.

User credentials on a RADIUS connection

When passed from your AuthNode to the Signify RADIUS Broker servers, your user's passcode is not sent in the clear: RFC 2865 hides the User-Password attribute. The passcode is padded with NUL octets to a multiple of 16 octets, and each 16-octet block is XORed with an MD5 hash of the RADIUS shared secret concatenated with a 16-octet random 'Request Authenticator' that the AuthNode generates afresh for each Access-Request (later blocks use the hash of the secret and the previous ciphertext block). The shared secret is a unique, complex value generated by the Signify IMC. Note that only the password attribute is hidden in this way; the user name and the other attributes of the request travel in clear text.

It is essential that the privacy of this shared secret is maintained, so you must control access to the management interface of your AuthNode device. Because an eavesdropper who captures a single Access-Request can test candidate secrets offline against it, the secret must also be long and random rather than a word an administrator can remember; use the IMC-generated secret as issued rather than substituting one of your own. If you ever have reason to think your shared secret has been compromised, visit the Signify IMC and request a change.
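The hiding scheme described above, as an added example that is not Signify's code: RFC 2865 User-Password hiding and unhiding in Python, followed by the offline guess a passive eavesdropper can make once they hold one captured Access-Request, which is what makes the complexity of the shared secret matter. The Request Authenticator, passcode, shared secrets and wordlist are all constructed for the demonstration.

```python
"""RFC 2865 section 5.2 User-Password hiding, plus the offline guess an
eavesdropper can make against a weak shared secret.  Added example, not
Signify's code; the Request Authenticator, secrets, passcode and wordlist
below are constructed for the demonstration."""
import hashlib
import secrets

BLOCK = 16


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode the User-Password attribute value for an Access-Request.

    password is NUL-padded to a multiple of 16 octets; block 1 is XORed with
    MD5(secret || RequestAuthenticator), block n with MD5(secret || c_{n-1}).
    """
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of User-Password")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse hide_password.  Returns the padded plaintext (NULs kept) so the
    caller can also inspect the padding, which is what a guessing attack does."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out


def looks_like_passcode(padded: bytes) -> bool:
    """Heuristic a passive attacker uses to tell a correct guess from noise:
    printable ASCII followed only by NUL padding."""
    body = padded.rstrip(b"\x00")
    return bool(body) and all(0x20 <= c < 0x7F for c in body)


def recover_passcode(hidden: bytes, request_authenticator: bytes, candidate_secrets):
    """Offline dictionary attack on the shared secret: nothing here contacts the
    Signify service, only one captured Access-Request is needed.
    Returns (secret, passcode) on success, None otherwise."""
    for guess in candidate_secrets:
        padded = unhide_password(hidden, guess, request_authenticator)
        if looks_like_passcode(padded):
            return guess, padded.rstrip(b"\x00")
    return None


# Constructed values for the demonstration.  A real AuthNode draws the Request
# Authenticator from a CSPRNG, e.g. secrets.token_bytes(16), per request.
REQUEST_AUTHENTICATOR = bytes(range(16))
PASSCODE = b"482913"                      # a six-digit OTP the user typed
WEAK_SECRET = b"signify1"                 # what an admin might type by hand
STRONG_SECRET = secrets.token_bytes(32)   # what an IMC-generated secret looks like
WORDLIST = [b"password", b"radius", b"testing123", b"signify1", b"s3cret"]


def demo():
    """Hide the same passcode under a weak and a strong secret and run the
    attacker's wordlist against both captures."""
    weak_pkt = hide_password(PASSCODE, WEAK_SECRET, REQUEST_AUTHENTICATOR)
    strong_pkt = hide_password(PASSCODE, STRONG_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "weak_recovered": recover_passcode(weak_pkt, REQUEST_AUTHENTICATOR, WORDLIST),
        "strong_recovered": recover_passcode(strong_pkt, REQUEST_AUTHENTICATOR, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() recovers the passcode when the AuthNode was configured with a dictionary word as its secret and finds nothing against the 32-byte random one. The attacker never has to talk to Signify, so lockouts and rate limiting at the service do not help here; only the strength and secrecy of the shared secret do.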

Any attack on the RADIUS password hiding could only be undertaken if the packets are intercepted.

Despite popular misconceptions, intercepting packets as they traverse the Internet between your boundary routers and a third party such as Signify is an extremely difficult attack to undertake. It requires highly privileged access to the core networks of Internet service providers and telecoms carriers and is very unlikely when discussing threats to commercial-grade customers.

In reality, the most common point for an attacker to intercept the RADIUS packets is by sniffing them while they are still on your local network before they are delivered to your ISP.  This highlights the obvious and ongoing need for all organisations to complement strong authentication and encryption of external traffic with tight internal security procedures. 

Is there a significant risk using OTP credentials?

By using One-Time Passcode (OTP) credentials, as generated by RSA SecurID tokens or Signify's Passcode OnDemand service, the risk of your users' credentials being compromised is reduced even further.

Even if an attacker achieves all the necessary steps to intercept your RADIUS traffic and recover the shared secret so that the user's OTP can be decrypted, the attacker will find it useless. When the stolen passcode is presented to your AuthNode it will be rejected by the Signify Authentication Service, because it will be the second time that the OTP has been used. A One-Time Passcode can only be used once! This holds against a passive eavesdropper; an attacker who could also delay or drop the user's original request and submit the captured passcode first would be accepted in the user's place, which is one more reason to treat the local network between the AuthNode and your Internet boundary as part of the trusted authentication path.
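The replay argument above, and its limit, as an added example that is not Signify's or RSA's code: a minimal server-side verifier that accepts each passcode once. HOTP from RFC 4226 stands in for the SecurID algorithm, the look-ahead window and the "burn the counter" rule are this example's own assumptions, and the RFC's published test key is used as the token key so the codes are reproducible.

```python
"""One-time passcode verification with replay rejection.  Added example, not
Signify's or RSA's code: HOTP (RFC 4226) stands in for the SecurID algorithm,
and the look-ahead window and counter-burning rule are assumptions made here."""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class OtpVerifier:
    """Server-side state for one token: the next counter the service will
    accept.  Accepting a code moves the counter past it, so the same code,
    whether replayed by an attacker or re-typed by the user, is rejected."""

    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key = key
        self.next_counter = 0
        self.look_ahead = look_ahead  # tolerate a few unused token presses

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.next_counter = c + 1  # burn this code and any skipped ones
                return True
        return False


TOKEN_KEY = b"12345678901234567890"  # RFC 4226 test-vector key, used as a constructed token secret


def passive_replay():
    """User logs in first; attacker replays the sniffed passcode afterwards."""
    service = OtpVerifier(TOKEN_KEY)
    code = hotp(TOKEN_KEY, 0)           # what the user typed into the AuthNode
    user_ok = service.verify(code)
    attacker_ok = service.verify(code)  # replay of the intercepted passcode
    return user_ok, attacker_ok         # (True, False)


def attacker_first():
    """The caveat: an attacker who can delay the user's request and submit the
    captured passcode first is accepted, and the real user is then rejected."""
    service = OtpVerifier(TOKEN_KEY)
    code = hotp(TOKEN_KEY, 0)
    attacker_ok = service.verify(code)
    user_ok = service.verify(code)
    return attacker_ok, user_ok         # (True, False)


if __name__ == "__main__":
    print(passive_replay(), attacker_first())
```

In both scenarios exactly one presentation of the passcode succeeds; the verifier cannot tell who sent it, so the order of arrival decides. That is why the argument above only covers an eavesdropper who cannot also interfere with the user's own request.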

So, Signify’s advice is that, if your systems and information are of standard, commercial-grade sensitivity, the RADIUS protocol is sufficiently strongly protected to secure the authentication of users using OTP credentials.