tanapro RADIUS Server is a secure, easy and inexpensive software-only solution to strongly authenticate user logins, e.g. for VPN access.

Tanapro taRadiusSrv 2.2

This is the product description of Tanapro taRadiusSrv. The technical documentation can be found here.

Tanapro taRadiusSrv is a copyrighted RADIUS server of Tanapro GmbH (www.tanapro.ch) that provides strong authentication for user logins (VPN, RAS, etc.). It is a secure, inexpensive, software-only solution that does not need any additional HW/SW tokens.

The software is multilingual and delivered in English and German. You can easily translate the texts in the language files and have them installed by the system administrator.

taRadiusSrv is written in Eve (www.ewesoft.com) and uses the freely available Eve VM (version 1.38 or higher).

Features

  • Secure solution - uses password + one-time tokens for authentication
  • Easy administration
  • Uses very few resources - runs on any networked Win32 or Linux system with the Eve VM installed. Under Win32 it can be installed to run as a service (with additional freeware).
  • The software also runs on Linux systems that do not have a graphical user interface. In this case, the administration can be done from a Windows based system.
  • Inexpensive solution (in terms of licenses and administration costs)
  • Easy to monitor - there is a special monitor user that is always denied access. But if a deny is received by the monitoring process, we know that the server is still running. The logging for those monitoring requests can be suppressed.
  • taStrongSudo support: This function allows a normal user to execute certain (pre-defined) commands that would normally require administrative rights. This is made possible by passing the commands to the RADIUS server which will execute them if the user has successfully authenticated himself. taStrongSudo could for example be used to easily reset user passwords.

Strong authentication

What is strong authentication and why do we need it?

Strong authentication means identifying a user by a method that is more secure than just login name and password. This is especially needed when logging in via the Internet, where there are no other identifying criteria such as the calling-station-id (the phone number from which the user is connecting).

With only login name/password, a user is poorly identified, and hackers could guess or even know the login credentials. By using a second authentication factor (two-factor security) this security threat is eliminated or at least greatly reduced.

Security details

The login procedure runs as follows:
  1. The user logs in with his password, which is stored in the server's database.
  2. If the password is correct, the server creates a one-time token and sends it to the user. The system administrator can configure up to 3 methods for sending the token. The easiest way is by e-mail to a web-based mail account. If there is an SMS gateway, the token can be sent to the user's mobile phone.
  3. The user logs in again, this time with password+token. If password and token are correct, the user is allowed to log in.
Security features:
  • User accounts can be set to expire at a certain date
  • Supports PAP and CHAP authentication
  • After too many wrong tries (configurable), the user account is locked.
  • The token has a limited, configurable lifetime.
  • After a successful login, the token becomes invalid.
  • The server's database is encrypted and access is secured by an admin password.
  • The admin GUI closes automatically if idle for too long.
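The two-step login and the lockout, lifetime and single-use rules listed above, modelled as an added Python example (this is not the product's own code, which is written in Eve); the token lifetime, the failure limit and the out-of-band delivery callback are assumptions made for the model.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_LIFETIME = 120   # seconds; the "limited, configurable lifetime" of a token (assumed value)
MAX_FAILURES = 3       # lock the account after this many wrong tries (assumed value)

@dataclass
class Account:
    password: str                 # stored server-side (a real server should store a hash)
    failures: int = 0
    locked: bool = False
    token: Optional[str] = None   # pending one-time token, if any
    token_expires: float = 0.0

class TwoStepAuth:
    """Step 1: correct password -> token sent out-of-band.  Step 2: password+token -> accept."""

    def __init__(self, accounts, send_token):
        self.accounts = accounts
        self.send_token = send_token   # stands in for the e-mail / SMS gateway delivery

    def _fail(self, acct):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True         # "after too many wrong tries, the user account is locked"
        return "REJECT"

    def login(self, user, password, token="", now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return "REJECT"
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            return self._fail(acct)
        if token == "":                # step 1: create a fresh token and deliver it
            acct.token = secrets.token_hex(4)
            acct.token_expires = now + TOKEN_LIFETIME
            self.send_token(user, acct.token)
            return "TOKEN_SENT"
        pending, acct.token = acct.token, None   # step 2: one attempt consumes the token, right or wrong
        if pending is None or now > acct.token_expires:
            return self._fail(acct)    # nothing pending, or the lifetime has run out
        if not hmac.compare_digest(token.encode(), pending.encode()):
            return self._fail(acct)
        acct.failures = 0              # successful login: token is now invalid, counter reset
        return "ACCEPT"
```

The `now` parameter exists only so the lifetime check can be exercised deterministically; in operation the server clock is used.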

Costs

The whole solution is not costly for the following reasons:
  • Since there are no HW/SW tokens there is no need for the costly token management which would include:
    • Bringing the token to the user and getting it back when not needed anymore.
    • Replacing broken or lost tokens.
    • Unlocking tokens when the user has forgotten his access password for the token.
    • Resynchronizing tokens that are out of sync.
    • Providing temporary passwords to users who have forgotten to take their tokens with them.
  • No dedicated server hardware needed.
  • No need to buy HW/SW tokens.
  • Licenses are based on the number of users in the database. They are available in small steps: 5, 10, 15, etc.
  • The license never expires.

Additional information