Information Security

Defending the digital infrastructure

Product review: Identity Engines' Ignition Server

Product: Identity Engines Ignition Server
Vendor: Identity Engines
Price: Starts at $33,500

Identity Engines' Ignition Server manages access controls across disparate directory services platforms (Active Directory, LDAP, eDirectory) by consolidating them into a single user store. Deployed as an alternative to RADIUS, the appliance includes a comprehensive policy engine to use with multiple access control devices (wireless access points, switches, firewalls, VPNs) throughout a heterogeneous enterprise.

Configuration/Management B+  
Because of well-written documentation, we completed basic network installation in minutes. But that's where simplicity ends. Users must have an extensive knowledge of authentication protocols, directory structures, virtual provisioning and certificate management to take full advantage of the Ignition Server's features.

There are three major aspects of the Ignition Server: networked devices (authenticators), user stores (directory services) and policies.

Authenticators--devices attached to the network--can be bundled by subnet to facilitate large installations. They can be managed according to several attributes, including service categories--groups of authenticators to which policies are applied. Adding authenticators was the same as with RADIUS: Provide a name, IP and shared secret. Service category, device type (wired, wireless, VPN) and vendor are added the same way.

Ignition Server automatically connected to AD once we entered the domain name, service account name and password, and to LDAP using the service account domain name, password, IP address and port number. We could create fall-through rules across multiple directory services for a variety of situations (for example, check AD first to authenticate a VPN user, then LDAP).

Policy Control A  
The Ignition Server is really a policy engine that speaks RADIUS. It does everything a RADIUS server would do, but it's the policy engine that sets it apart. We liked how multiple authenticators are tied together into a single service category to which three different policies--authentication, identity routing and authorization--can be easily configured and applied.

Authentication policy determines the tunnel protocols, credentials and ciphers for communication between the supplicant, Ignition Server and directory services.

An identity routing policy traverses directory services during authentication, determining which user store to apply based on the user's network domain or what device is making the authentication request.

The authorization policy controls access according to the user account.
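To make the three-policy flow concrete, here is an added Python model of how a request moves from an authenticator's service category through identity routing, user-store fall-through and authorization. It is illustrative code, not Identity Engines' implementation; the authenticators, user stores, rules and credentials are constructed, and the authentication policy (tunnel protocols and ciphers) is left out.

```python
from dataclasses import dataclass
import hmac

@dataclass
class Authenticator:
    """A networked device, recorded the way the review describes: name, IP, shared secret."""
    name: str
    ip: str
    shared_secret: str
    device_type: str        # "wired", "wireless" or "vpn"
    service_category: str

# Constructed stand-ins for the AD and LDAP user stores: user -> (password, groups).
USER_STORES = {
    "AD":   {"alice": ("a-pw", {"staff"}), "bob": ("b-pw", {"contractors"})},
    "LDAP": {"carol": ("c-pw", {"staff"})},
}

# Identity routing rules: (service category, device type, realm, ordered stores).
# None matches anything; the first matching rule wins and its stores are
# tried in order, falling through to the next when the user is not found.
ROUTING_RULES = [
    ("remote-access", "vpn", None, ["AD", "LDAP"]),   # VPN users: AD first, then LDAP
    ("campus", None, "corp.example", ["AD"]),
    ("campus", None, None, ["LDAP"]),
]

# Authorization policy: groups permitted on each service category.
AUTHZ = {"remote-access": {"staff"}, "campus": {"staff", "contractors"}}

def route(auth, realm):
    """Pick the ordered list of user stores for this request."""
    for cat, dev, rule_realm, stores in ROUTING_RULES:
        if (cat == auth.service_category and dev in (None, auth.device_type)
                and rule_realm in (None, realm)):
            return stores
    return []

def decide(auth, username, password):
    """Return (decision, store): the store that answered, or None if none did."""
    user, _, realm = username.partition("@")
    for store in route(auth, realm or None):
        entry = USER_STORES[store].get(user)
        if entry is None:
            continue                      # not here: fall through to the next store
        stored_pw, groups = entry
        if not hmac.compare_digest(stored_pw, password):
            return "reject", store        # wrong credential: no fall-through
        allowed = AUTHZ.get(auth.service_category, set())
        return ("accept" if groups & allowed else "reject"), store
    return "reject", None                 # unknown in every routed store

VPN = Authenticator("vpn-gw", "10.0.0.1", "s3cret", "vpn", "remote-access")
WLAN = Authenticator("ap-1", "10.0.1.5", "s3cret", "wireless", "campus")
```

Note that a user found in the first store with a wrong password is rejected there rather than retried against the next store; fall-through applies only to lookups that miss.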

Effectiveness A  
We authenticated users to specific devices, such as wireless access points, and assigned a common policy using credentials from two directory services (AD, LDAP).

Ignition Server supports strong authentication, such as RSA SecurID and Secure Computing's SafeWord.

Security is solid. The product is a hardened 64-bit appliance running a stripped-down version of BSD; security features include an onboard IDS, a 256-bit AES-encrypted file system and protection against physical tampering.

Reporting C  
This is Ignition Server's biggest shortcoming. While real-time statistics and logging are available, the logs could only be exported hourly, daily or weekly--nothing customized or on-demand. We'd welcome the ability to export the statistics displayed in the individual tabs.

Organizations that need a unified policy engine to control network access using multiple authentication systems will be able to justify Ignition Server's price tag.

Testing methodology: Ignition Server was deployed in place of the RADIUS server in our simulated enterprise network. It provided AAA services for our wired and wireless network access, as well as for a VPN.

This was last published in June 2007