Authentication Methods

External Authentication Sources

External authentication sources utilize identity information obtained either directly or indirectly from the client. An identity confirmation is used in all cases except for the null authentication source. All external authentication sources work in conjunction with the CWP (captive web portal), customization of which is discussed in Portal Modules. The CWP can required the client to agree to a Terms of Service/Acceptable Use Policy agreement before being allowed access.

A wide range of social media authentication mechanisms are used.

The external authentication sources are:

• Null - no identification is required.
• Email - the client enters their email address, which A3 uses to send a message. The message that the client receives includes a link that will complete the authentication. This form of authentication requires that Alerting be set up during Initial A3 Configuration.
• SMS - the client enters their cell phone number, which A3 uses to send an SMS message. The message that the client receives includes a PIN (personal identification number) that is entered into the CWP page to complete the authentication. This form of authentication requires that Alerting be set up during Initial A3 Configuration.
• Sponsor - the client enters their name and the email address of a sponsor within the organization authorized to enable sponsored access. The sponsor receives an email that includes a link that will complete the users authentication. This form of authentication requires that Alerting be set up during Initial A3 Configuration.
• Social login - any of a number of social media sites are used to authenticate the client. Social media technology is described in Social Login Authentication Technology. Clients are directed to log in to the social media site if they have not already done so. Their authentication information is returned to A3.

The A3 administrator must pre-configure access on the social media site to obtain several security parameters. These parameters are entered into A3 as part of the definition of a social media authentication source.

The registration for social media authentication methods supported by A3 are:

• Clickatell API Registration
• Facebook API Registration
• Github API Registration
• Google API Registration
• Instagram API Registration
• Kickbox API Registration
• LinkedIn API Registration
• OpenID API Registration
• Pinterest API Registration
• Twilio API Registration
• Twitter API Registration
• WindowsLive API Registration

Note that the registration process for each of the sites is maintained by the social media vendor and can change without notice. The registration procedure for each of the social login sites is covered in one of the A3 Installation and Usage Guides (Installation and Usage Guide - Registration VLAN or Installation and Usage Guide - No Registration VLAN).

Internal Authentication Sources

Internal authentication sources are methods for which the organization deploying A3 has control. Only internal authentication sources can be used for 802.1x/EAP authentication. The sources that are available are:

• Active Directory (AD) / LDAP - uses an LDAP compatible directory, including Window’s Active Directory, for identity and group information. The Associated Realm parameter in the LDAP Authentication definition ties the definition to particular domain controllers.
• Authorization - performs authorization without client input.
• EAP-TLS - uses the EAP-TLS protocol for LDAP access. Requiring client certificates, EAP-TLS is a common EAP method used. The client and server perform mutual authentication and form encryption keys based on certificate contents. The Associated Realm parameter in the LDAP Authentication definition ties the definition to particular domain controllers. EAP technology is discussed inExtended Authentication Protocol (EAP) and X.509 Certificates .
• Htpasswd - uses a flat file with name and password commonly used in basic authentication on Apache HTTP servers.
• HTTP - permits access to A3 via an API that uses basic authentication. It is used, for example, to enable AD servers to send notice of user changes.
• Kerberos - uses a Kerberos server. A Kerberos server is embedded within the A3 server and can be referenced with an IP address of 127.0.0.1. A list of users can be maintained in the Users top level menu option.
• Password of the Day - generates a password regularly that is mailed to an administrator. The administrator then distributes it to clients who use the password for authentication.
• RADIUS - uses a RADIUS server. A FreeRADIUS is embedded within the A3 server and can be referenced with an IP address of 127.0.0.1. A list of users can be maintained in the Users top level menu option.
• SAML - SAML (Security Assertion Markup Language) is an open standard based on XML for exchanging authentication and authorization data. It was initially designed to support single sign-on for web browsers.

Exclusive Authentication Sources

When used, exclusive authentication sources must be the only authentication source used in a connection profile. Several authentication sources are included in the exclusive category:

• AdminProxy - an authentication mechanism used in Microsoft systems for administrator single sign-on.
• Blackhole - an authentication mechanism that denies authentication for the client. This can be used to deny clients access that would otherwise be granted.
• Eduroam (education roaming) - a global example of realm-based authentication. The technology behind Eduroam is based on the IEEE 802.1X standard and a hierarchy of RADIUS proxy servers. Eduroam is a secure, worldwide roaming access service developed for the international research and higher education community.

Billing Authentication Sources

Billing authentication sources provide authentication following successful payment. The A3 administrator must pre-configure access on the billing site to obtain several security parameters. These parameters are entered into A3 as part of the definition of a billing authentication source.

Billing tiers are defined in Configuration > Advanced Configuration > Billing Tiers. The means by which each is pre-configured is described below. Note that the registration process for each of the sites is maintained by the vendor and can change without notice.

The sources that are available are described in:

• AuthorizeNet
• Mirapay
• PayPal
• Stripe

Registration for each of the billing sources is covered in one of the Installation and Usage Guides.

RBAC (Role-based Access Control) authenticates users and their devices with information provided by device-resident supplicant software. This information is matched against internal databases such as AD. 802.1X protocols define the way in which the components talk to each other. A variety of encryption techniques are used to ensure the security of 802.1X protocol messages, including the EAP (Extensible Access Protocol). EAP variants are covered inExtended Authentication Protocol (EAP) and X.509 Certificates. EAP requires X.509 digital certificates, which are covered in PKI Providers.

The figure below illustrates the components involved in RBAC.

Supplicants

Supplicants are client devices that seek access to the network. They run device-resident supplicant software that supplies credential information to the authentication server.

Some common credentials include:

• User name and password
• MAC address
• Digital certificates
• Dynamic and one-time passwords
• Smart cards or credentials stored on USB devices
• Machine credentials
• Pre-shared keys

One or more credentials can be required by the authenticator. Supplicants can be integrated with the client OS, or supplied by third parties. Installing and configuring supplicants can be a time-consuming and complex task. You can automate this and other configuration tasks using automation and MDM (mobile device managers), which are described in Provisioners.

Authenticator

An authenticator is a device that blocks or allows traffic to pass through its ports. Many types of devices can serve as authenticators:

• Extreme Networks access points (APs): APs provide both wireless access and authentication.
• Generic APs: APs can require the use of a separate Wi-Fi controller that performs authentication in addition to AP control.
• Enterprise switches: An advanced wired network switch can also be an authenticator.

Authentication Servers

Depending on the type of authentication you use, a number of servers can be involved. At a minimum they include:

• A3: the A3 server acts as a proxy for access to the other authentication servers. It matches information returned from these servers for extensive control over access control. A3 uses a built-in RADIUS server and DNS, DHCP, and HTTP servers.
• RADIUS Server: RADIUS is the key protocol used for authentication. The RADIUS server contain its own database of users and roles, and works with additional authentication servers. A3 uses a built-in FreeRADIUS server.
• LDAP Server: LDAP (lightweight directory access protocol) is used to access databases that contain user, machine, roles, and other information organized in multiple hierarchies. Microsoft's AD and OpenLDAP are two of a number of LDAP servers in common use.

Extended Authentication Protocol (EAP) and X.509 Certificates

EAP is an authentication framework that facilitates secure communications between clients and authentication servers. The figure below is a simplified network diagram featuring Extreme Networks components.