Network Services for Authentication
ESSENTIAL NETWORK SERVICES FOR AUTHENTICATION AND 802.1X
The Network Services for Authentication package is available on all Infoblox appliance platforms.
The Infoblox Network Services for Authentication (NSA) package provides reliable, highly available, policy-based authentication services for network devices and users. By combining standards-based RADIUS authentication with Infoblox grid technology, extended enterprises can easily distribute reliable, secure, nonstop authentication services throughout their organizations using Infoblox appliances.

802.1X Authentication: New Opportunities, New Challenges

802.1X is the industry standard for authenticating network access and the key element for securing wired and wireless networks; it also enables new security initiatives such as network access control (NAC). 802.1X requires three components: the supplicant, which is software on the client device; the network access device (also known as the authenticator), which is typically a wireless access point or a wired switch; and an authentication server, which communicates with the network access device using RADIUS. With 802.1X, the authentication server becomes a key component of the network infrastructure. If the authentication server fails or becomes unreachable, all access to the network may be denied. Network authentication services must therefore be deployed with the highest possible reliability, and the overall system design must withstand the failure of servers or of the WAN links between remote network access devices and centralized user directories.

Infoblox has targeted the initial release of the Network Services for Authentication package for a specific application (Distributed 802.1X Authentication). Functionality enhancements will enable additional applications that benefit from rich policy capabilities.


Providing Distributed RADIUS Services

The Network Services for Authentication package includes support for the RADIUS protocol and the underlying authentication methods required for 802.1X authentication, as well as the Infoblox grid module. Infoblox grid technology allows hundreds of appliances to provide authentication services throughout an enterprise network, with central management and automatic replication of the stored user credentials. Credentials can reside in the built-in database of the Infoblox NIOS™ software or in Microsoft Active Directory. In Active Directory environments, user credentials are securely replicated from the Microsoft domain controller to the grid master and stored in the built-in Infoblox bloxSDB™ database. The credentials are then replicated over a secure VPN to all Infoblox appliances in the grid. When an appliance is deployed in a branch office, it can provide 802.1X authentication services even during a WAN outage that makes the Infoblox grid master (and the Active Directory server) unreachable. Infoblox NIOS software also has built-in, hardware-based high-availability (HA) technology that provides an extra layer of reliability by enabling appliances to be deployed in redundant pairs.

Network Services for Authentication Advantages

  • Eliminates the performance bottleneck
    Instead of having a central RADIUS server provide services for all devices, the authentication load is spread out among all of the Infoblox appliances deployed at remote sites.
  • Ensures local survivability if a WAN link fails
    Remote appliances replicate the user credentials and continue to deliver services even if the grid master is unreachable.
  • Automatic replication of user credentials to remote appliances via Infoblox grid
    Once loaded on the grid master, credentials and group memberships are securely replicated to remote appliances in real time.
  • Automatic synchronization of user credentials from Microsoft Active Directory
    The Infoblox Replication Agent for Active Directory automatically pushes new or modified user names, passwords and group memberships to the Infoblox grid master.
  • Secure, hardened platform
    Infoblox appliances are security-hardened and resist tampering and attacks.
  • Appliances can be deployed in HA pairs and failover mode for increased availability
    Administrators can easily design and deploy authentication services that support any desired level of availability.


Features and Benefits

The Network Services for Authentication package delivers reliable, manageable, and secure authentication services at a lower cost than any alternative. The package also includes NTP, FTP/TFTP/HTTP file download, and Syslog proxy, which allows organizations to integrate network services into a single platform and manage it centrally. The NSA package is available standalone or as an optional add-on for other Infoblox packages. With the full Network Services Suite package, Infoblox appliances can deliver a full complement of network services (including DNS, DHCP, RADIUS, NTP, FTP, TFTP, HTTP and Syslog proxy) in a single appliance or grid of appliances.
 
  • Grid Connector for Active Directory: The Infoblox Grid Connector for Active Directory replicates the user credentials from Active Directory and securely pushes them to the grid master, which then replicates the data to appliances in the grid. If the WAN connection to a remote site goes down, the appliance is still able to authenticate users trying to access the wireless network. The agent sends changes to the grid master periodically, at an interval set by the administrator.
  • Local User Store: Provides RADIUS services without requiring a local Active Directory or LDAP directory server.
  • Grid Replication of Credentials: User names and passwords are automatically synchronized across all appliances in an Infoblox grid to ensure consistency of data and heightened real-time security.
  • Enhanced RADIUS Policies: Assign VLANs based on Active Directory group membership, and enhance security and usability through extended and Vendor-Specific Attributes (VSAs).
  • PEAP/EAP-MS-CHAPv2 and Client Certificate (EAP-TLS) Authentication: The solution supports the authentication methods used by the Microsoft built-in 802.1X supplicant, which means no additional client software is required.
  • Automatic Support for Numerous Authentication Methods: The RADIUS module is automatically configured to support numerous popular authentication methods, including PAP, EAP-TLS, EAP-MS-CHAPv2, EAP-GTC, PEAP/EAP-MS-CHAPv2, PEAP/EAP-GTC, EAP-TTLS/EAP-PAP, EAP-TTLS/EAP-MS-CHAP, EAP-TTLS/EAP-MS-CHAPv2, EAP-TTLS/EAP-GTC and client certificates. This greatly simplifies the deployment of RADIUS authentication services.
  • HA and Failover: The RADIUS module provides multiple levels of high availability: if the appliance at the remote site fails but the WAN link is still available, network access devices at the remote site can be configured to fail over automatically to the central RADIUS server. Appliances can also be deployed in HA pairs for increased reliability.
  • Generation of Self-signed Certificates, CSRs, and Automatic Certificate Replication: Many authentication methods require that the RADIUS server have an X.509 certificate. The RADIUS module can generate a self-signed certificate for the RADIUS server, which simplifies the deployment of RADIUS. Certificate signing requests (CSRs) can also be created and sent to a certificate authority (CA), which signs the certificate and provides an added level of security when client certificates are used. Client certificates can replace user names and passwords when authenticating clients (e.g. wireless laptops) connecting to a network that uses 802.1X authentication. A single certificate can also be shared by all of the RADIUS servers in an Infoblox grid, since the certificate is replicated to all appliances.
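Dynamic VLAN assignment as described in the Enhanced RADIUS Policies bullet above, as an added example that is not Infoblox code: a small Python model of the server building a RADIUS Access-Accept that carries the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, with the values RFC 3580 uses for VLANs) from a user's group memberships, and of the network access device verifying the RFC 2865 Response Authenticator before it trusts the VLAN in the reply. The group names, VLAN ids and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6  # values used by RFC 3580

# Constructed policy: ordered (group, VLAN) pairs; first match wins, so a user
# in both Finance and Domain Users lands in the more specific VLAN.
VLAN_POLICY = [("Finance", 30), ("Engineering", 20), ("Domain Users", 10)]

def vlan_for_groups(groups):
    """Return the VLAN id for the first policy group the user belongs to."""
    return next((vlan for group, vlan in VLAN_POLICY if group in groups), None)

def _tagged(attr_type, value, tag=0):
    # RFC 2868 tagged attribute: Type, Length, Tag, then a 3-octet integer or a string.
    data = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data

def build_access_response(pkt_id, request_authenticator, secret, groups):
    """Server side: Access-Accept carrying VLAN attributes, or Access-Reject."""
    vlan = vlan_for_groups(groups)
    attrs = b""
    if vlan is not None:
        attrs = (_tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                 + _tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
                 + _tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))
    code = ACCESS_ACCEPT if vlan is not None else ACCESS_REJECT
    header = struct.pack(">BBH", code, pkt_id, 20 + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def parse_response(packet, request_authenticator, secret):
    """NAS side: verify the Response Authenticator, then return (code, vlan)."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch: discard the packet")
    vlan, pos = None, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 3 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        if a_type == TUNNEL_PRIVATE_GROUP_ID:  # string follows the 1-octet tag
            vlan = int(attrs[pos + 3:pos + a_len].decode())
        pos += a_len
    return header[0], vlan
```

A reply forged or altered in transit fails the authenticator check and is discarded rather than moving the port onto the attacker's chosen VLAN; a user in no policy group gets an Access-Reject with no tunnel attributes.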


Additional Benefits

The core of Infoblox NIOS software is a security-hardened, real-time operating system that includes a built-in, zero-administration database and extensive support for high-availability operation.

Resilient Grid Technology: Enterprises can create resilient Infoblox grids using individual (or HA-paired) appliances deployed across a LAN or WAN environment. Infoblox grids are resilient against the failure of individual appliances; continue to provide service in the face of a failure of a LAN or WAN link; and automatically re-synchronize all units in an Infoblox grid when a failed device is replaced or a LAN or WAN connection is restored.

Unified Management:
Devices and data in an Infoblox grid can be managed as a single entity, without regard for where data actually resides. This virtualization of services to the grid level rather than the individual appliance level dramatically reduces administrative overhead and greatly lowers the possibility of configuration errors. An Infoblox grid can be completely managed remotely, from any location.

Real-time, Secure, System-wide Data Updates:
The grid module synchronizes the databases across multiple appliances in real time in response to changes. This ensures that changes in users and passwords are quickly reflected throughout an extended environment.

Simplified, Role-based Management of Network Devices, Data, and Services:
With configuration and data entry for a collection of appliances from a single user interface, operations are streamlined. This approach simplifies the initial configuration and the ongoing lifecycle management of a grid of devices, rather than having to individually set up and administer each device independently.

RADIUS Technical Specifications

Authentication Methods

• PAP – Password Authentication Protocol
• EAP – Extensible Authentication Protocol for 802.1X port-based authentication: EAP-TLS, EAP-MSCHAPv2, EAP-GTC
• PEAP – Protected Extensible Authentication Protocol for 802.1X port-based authentication: PEAP/EAP-GTC, PEAP/EAP-MSCHAPv2 (authentication method natively supported by Microsoft Windows clients)
• EAP-TLS – Extensible Authentication Protocol Transport Layer Security; provides mutual authentication, requires client certificates
• EAP-TTLS/EAP-PAP, EAP-TTLS/EAP-MS-CHAP, EAP-TTLS/EAP-MS-CHAPv2, EAP-TTLS/EAP-GTC

User Databases

• Internal User Database
• Microsoft Active Directory (using the Infoblox Replication Agent for Active Directory)


Part Numbers

Part Number       Description
IB-250-300-NSA    Infoblox-250 with Network Services for Authentication, 300 Leases
IB-550-NSA        Infoblox-550 with Network Services for Authentication
IB-1050-NSA       Infoblox-1050 with Network Services for Authentication
IB-1550-NSA       Infoblox-1550 with Network Services for Authentication
IB-1552-NSA       Infoblox-1552 with Network Services for Authentication
IB-2000-NSA       Infoblox-2000 with Network Services for Authentication


Infoblox Product Warranty and Services

The standard hardware warranty is for a period of one year. The system software is warranted for 90 days to meet published specifications. Optional service products are also available that extend the hardware and software warranty. These products are recommended to keep the appliance updated with the latest software enhancements and to ensure the security and availability of the system. Professional services and training courses are also available from Infoblox. Information in this document is subject to change without notice. Infoblox Inc. assumes no responsibility for errors that appear in this document.