Imagine you have a great idea for a new open source project that would meet some of your company's needs. You know it will be needed at other organizations, as everyone needs some help managing critical infrastructure. You map out an architecture, do some quick test code, and now it's time to add in some authentication code. If it's a web-based tool, support HTTP authentication and you're done. Apache can handle it. If it's Linux-based, support PAM. Done. But what if it's neither?
You might think, "We'll make it pluggable and we'll do an LDAP plugin so we can work with Active Directory or LDAP. Now, on to logging..." Wait. Step back. I want to propose a better authentication protocol than LDAP as the default go-to protocol: RADIUS.
RADIUS is an interesting protocol. It is ubiquitous in the enterprise, but not often used until needed. It is incredibly simple to configure, but misunderstood. It supports more functionality than LDAP, but is infrequently considered by developers that are creating enterprise-oriented software. It is supported by Cisco, Checkpoint, Netgear, Apache, PAM, every two-factor authentication vendor, every VPN provider, etc.
The best reason why RADIUS should be favored over LDAP: an LDAP server considers itself to be the final authority for authorization and authentication; a RADIUS server will split authentication and authorization. Authentication is who you are. Authorization is what you are allowed to do. Splitting them is important because increasingly you need two-factor authentication. You don't have to split them, though. Supporting RADIUS also gets you LDAP.
Splitting authz and authn is a good thing from a security standpoint. It allows you to do user management in your directory rather than in your authentication server. An HR person could disable a user in the directory and that user would be locked out. It's much better than needing to disable them in two places.
Additionally, there are free and open source server options on both Linux and Windows. Linux has the venerable and robust FreeRADIUS and other options. Windows has NPS, the free Microsoft RADIUS plugin. In addition, there are robust offerings from Cisco and other networking vendors.
Both RADIUS and LDAP are protocols as well as servers: you can have a RADIUS server, and you can also have two systems that speak RADIUS to each other but do not perform the functions of a RADIUS server. So, a VPN can validate credentials against a two-factor authentication system using RADIUS. It's not the best setup, but it's possible and dead simple.
RADIUS is quite simple. All you need is the IP address of each system and a shared secret. No BindDN or LDAP URL or anything like that. (I'll say it: I hate configuring LDAP. LDAP is lightweight only in relation to X.509.) For developers, adding RADIUS is as easy as adding LDAP. There are open source libraries available such as jRadius.
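To show what the shared secret actually does on the wire, here is an added example (not from the original post or from any RADIUS library) that builds an Access-Request with the RFC 2865 User-Password hiding and checks the Response Authenticator on a reply. All function names are hypothetical, and the server side is simulated in-process so the code runs offline.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

def xor_chain(secret, authenticator, data, decrypt=False):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out, prev = out + res, (block if decrypt else res)
    return out

def hide_password(secret, authenticator, password):
    size = max(16, -(-len(password) // 16) * 16)       # whole blocks, at least one
    if size > 128:
        raise ValueError("User-Password is limited to 128 octets")
    return xor_chain(secret, authenticator, password.ljust(size, b"\x00"))

def unhide_password(secret, authenticator, hidden):    # what the server does
    return xor_chain(secret, authenticator, hidden, decrypt=True).rstrip(b"\x00")

def attr(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(secret, ident, user, password, nas_id, authenticator=None):
    authenticator = authenticator or os.urandom(16)    # must be unpredictable
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(secret, code, request, attrs=b""):  # simulated server, demo only
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def verify_response(secret, request, response):
    # Client side: the reply must match our Identifier and carry
    # MD5(code + id + length + RequestAuth + attributes + secret).
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The shared secret is the only key material protecting both the password and the reply, so it should be long, random, and unique per client.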
What about single sign-on protocols? I wish I could make a recommendation. It appears that OpenID Connect could be a winner but it's still a long way off. These protocols need a lot of vetting and review to prove their security. I'm sure most of you have removed your "Login with OpenID" option on your websites. Until there are clear winners in the SSO protocols, I hope developers will consider RADIUS. It gives you LDAP and provides more security options.