What is an Authentication Server?
An Authentication Server is a specialised server responsible for verifying the identity of users or systems attempting to access resources or services within a network or system.
How an Authentication Server Typically Functions
Verification
When a user or system attempts to access a resource, they send their authentication credentials to the Authentication Server.
Validation
The Authentication Server verifies the received credentials against the data stored in its database. This database contains information such as usernames, passwords, digital certificates or other authentication tokens associated with authorised users.
Response
If the credentials match the records in the database, the Authentication Server sends a confirmation message to the requesting entity, indicating that the identity has been successfully authenticated.
Access Control
Based on the authentication outcome, the Authentication Server either grants or denies access to the requested resource or service.
Authentication Servers are a fundamental component of IAM systems, ensuring that only authenticated and authorised users or systems are allowed access to protected resources. They provide a centralised and secure mechanism for managing user authentication across an organisation's network, helping to enforce security policies and safeguard against unauthorised access attempts.
Authentication servers come in various types, each catering to different authentication needs and scenarios.
Types of Authentication Servers
RADIUS (Remote Authentication Dial-In User Service)
RADIUS servers are commonly used for authenticating remote users accessing network resources, particularly in dial-up and VPN environments. They centralise authentication, authorisation, and accounting (AAA) functions, providing a single point of control for managing access. RADIUS is widely supported across networking devices and platforms.
LDAP (Lightweight Directory Access Protocol)
LDAP servers store and manage user identity information within directory services, such as Microsoft Active Directory or OpenLDAP. They facilitate authentication by allowing clients to query the directory for user credentials and other attributes. LDAP is often used in enterprise environments for user authentication, user management, and directory services.
Kerberos
Kerberos is a network authentication protocol that uses tickets to authenticate users to network services. It provides strong authentication through mutual authentication between clients and servers, reducing the risk of credential theft. Kerberos is commonly used in Windows domains and integrated with Active Directory for single sign-on (SSO) authentication.
TACACS+ (Terminal Access Controller Access-Control System Plus)
TACACS+ servers are primarily used for controlling access to network devices, such as routers, switches, and firewalls. They support authentication, authorisation, and accounting functionalities, allowing granular control over user access privileges. TACACS+ offers features like per-command authorisation and accounting, making it suitable for managing network infrastructure security. In addition to the server type, various authentication protocols govern how the authentication exchange itself is conducted between clients and servers.
Authentication Protocols
HTTP Basic Authentication
A simple authentication protocol where the client sends its credentials (username and password) in an HTTP header. It is easy to implement but provides no confidentiality of its own: the credentials are encoded, not encrypted, so unless the connection is protected by TLS they are susceptible to interception.
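The four-step flow described above (verification, validation, response, access control) carried through for HTTP Basic credentials, as an added example that is not code from the original page: the credential store, user names, roles and the choice of salted PBKDF2-SHA256 storage are assumptions for the illustration, the hash comparison is constant time, and decoding the header shows why Basic without TLS exposes the password to anyone who can read the request.

```python
import base64
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)  # assumed work factor

def register(store: dict, username: str, password: str, roles: set) -> None:
    salt = os.urandom(16)  # per-user salt so equal passwords hash differently
    store[username] = {"salt": salt, "hash": hash_password(password, salt), "roles": roles}

# Constructed credential database: salted hashes and roles, never plaintext passwords.
STORE: dict = {}
register(STORE, "alice", "correct horse battery", {"vpn"})
register(STORE, "bob", "hunter2", set())

def make_basic_header(user: str, password: str) -> str:
    # What the client sends: base64 of "user:password" is encoding, not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_header(header: str):
    # Step 1 (Verification): receive the credentials; anything malformed is rejected.
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def validate(store: dict, username: str, password: str) -> bool:
    # Step 2 (Validation): constant-time comparison against the stored hash.
    record = store.get(username)
    # Hash a dummy record for unknown users so timing does not reveal which names exist.
    salt, expected = (record["salt"], record["hash"]) if record else (bytes(16), bytes(32))
    return hmac.compare_digest(hash_password(password, salt), expected) and record is not None

def authenticate(store: dict, header: str, required_role: str) -> dict:
    # Steps 3-4 (Response, Access Control): report the outcome, then check the role.
    creds = parse_basic_header(header)
    if creds is None:
        return {"authenticated": False, "granted": False, "reason": "malformed credentials"}
    user, password = creds
    if not validate(store, user, password):
        return {"authenticated": False, "granted": False, "reason": "invalid credentials"}
    granted = required_role in store[user]["roles"]
    return {"authenticated": True, "granted": granted, "user": user, "reason": "ok" if granted else "role missing"}
```

Because the server never stores or receives anything it cannot reverse from the header, the only protection for the password in transit is the transport layer.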
OAuth (Open Authorization)
An authentication protocol commonly used for delegated access, such as allowing third-party applications to access user data without exposing credentials. OAuth facilitates secure authentication and authorisation workflows for web and mobile applications.
OAuth 2.0
A revised version of OAuth, focusing primarily on authorisation rather than authentication. OAuth 2.0 enables users to grant limited access to their resources on one site (the service provider) to another site (the consumer) without sharing their credentials.
OpenID Connect
An identity layer built on top of OAuth 2.0, providing authentication services for web and mobile applications. OpenID Connect allows clients to verify the identity of end-users based on authentication performed by an authorisation server.
SAML (Security Assertion Markup Language)
A standard for exchanging authentication and authorisation data between parties, typically between an identity provider (IdP) and a service provider (SP). SAML enables single sign-on (SSO) authentication, allowing users to access multiple applications with a single set of credentials.
Each authentication server type and protocol has its strengths and weaknesses, and the choice depends on factors such as security requirements, compatibility with existing systems, and the specific use case or environment. Organisations often deploy a combination of authentication servers and protocols to meet their diverse authentication needs while maintaining a balance between security, usability and scalability.