Tivoli WebSEAL & RADIUS integrated Login
Disclosure Number: IPCOM000022401D
Original Publication Date: 2004-Mar-12
Included in the Prior Art Database: 2004-Mar-12
Document File: 3 page(s) / 42K


The ability to use one user id and password for authentication (single sign on) is a feature that integrates RADIUS authentication with IBM's Tivoli* Access Manager's WebSEAL sign on. RADIUS and WebSEAL go hand in hand because RADIUS Server authentication gives a user access to the network and the WebSEAL sign on gives a user access to all of the web resources on the network. Thus it would be advantageous to integrate these two logon methods. A single sign on solution is very useful in large networks so that users do not need to waste time logging on several times.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.

Tivoli WebSEAL & RADIUS integrated Login

WebSEAL is a subsystem of the Tivoli* Access Manager product.
WebSEAL is the resource manager responsible for managing and
protecting Web-based information and resources. It is a web
server that applies fine-grained security policy to the Tivoli
Access Manager product. Requests passing through WebSEAL are
evaluated by the Tivoli Access Manager authorization service to
determine whether the user is authorized to access a requested
resource. WebSEAL supports multiple authentication methods.

RADIUS is a client/server protocol that provides client
authentication and authorization. The client in a RADIUS
scenario is a Network Access Server (NAS). It is responsible for
passing user information to designated RADIUS Servers, and then
acting on the response. A NAS is usually hardware that provides
for managing dispersed serial line and modem pools or it may be a
wireless access point. RADIUS Servers (software) are responsible
for receiving user connection requests, authenticating the user,
and then returning all configuration information (authorization)
necessary for the client to deliver service to the user. RADIUS
Servers are based on the Internet Engineering Task Force (IETF)
RFC standards describing the RADIUS protocol (2865) and RADIUS
accounting (2866).

A RADIUS Server is used to authenticate remote users and to give
them access to corporate network services. The actual
authentication takes place at the RADIUS server. By clever use
of the RADIUS server's client configuration data, RADIUS
attributes (defined in the RFC), and storing the user name and IP
address, the RADIUS Server can retrieve a user ID (based on IP
address) and provide it to any requesting 'informational' client.
In this design WebSEAL will be an informational client or a NAS.

The advantage of this solution is that WebSEAL users do not have
to authenticate once to the RADIUS server, then to WebSEAL. The
RADIUS server can respond to an informational client (WebSEAL) and
provide a user name that has already been authenticated by a RADIUS

Current process path is:

- User connects to NAS. A NAS is a hardware device that typically connects serial lines to modems. It is used for access to a LAN. A NAS can also be a wireless Access Point (AP) device.
- User tries to log in to NAS, provides authentication data (userid/password).
- NAS forwards authentication data to RADIUS using the RADIUS protocol messages.
- RADIUS Server authenticates the user depending on configuration data.
- NAS completes the session.
- User opens browser and connects to WebSEAL.
- WebSEAL prompts user for id and password.

The goal is to eliminate the last step. However, WebSEAL has no
way of knowing the id that the user presented to the NAS/RADIUS.
WebSEAL does have the IP address of the browser (in most
circumstances). The RADIUS protocol defines an attribute called
Framed-IP-Address, which is the IP address the NAS
assigns to the user...
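
The lookup this design depends on, as an added example (not part of the disclosure and not IBM's implementation): RADIUS attributes are parsed with length checks, a browser IP is resolved to an already-authenticated user name, and the binding is dropped when the session ends so a reassigned address does not inherit the previous user's identity. It assumes the RADIUS server learns the User-Name to Framed-IP-Address binding from RFC 2866 Accounting-Request Start/Stop packets; `SessionTable`, `user_for` and `build_accounting` are hypothetical names, and the sample packets are constructed.

```python
import ipaddress
import struct

# Attribute type numbers from RFC 2865 / RFC 2866; 4 is the Accounting-Request code.
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
ACCT_START, ACCT_STOP, ACCOUNTING_REQUEST = 1, 2, 4

def parse_attributes(packet):
    """Return (code, {attr_type: value}) for a RADIUS packet: 20-byte header, then TLVs."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

class SessionTable:
    """Hypothetical IP -> user store; assumes packet authenticators were verified upstream."""
    def __init__(self):
        self.by_ip = {}

    def on_accounting(self, packet):
        code, attrs = parse_attributes(packet)
        raw_ip = attrs.get(FRAMED_IP_ADDRESS, b"")
        if code != ACCOUNTING_REQUEST or len(raw_ip) != 4:
            return
        ip = str(ipaddress.IPv4Address(raw_ip))
        status = int.from_bytes(attrs.get(ACCT_STATUS_TYPE, b""), "big")
        if status == ACCT_START and USER_NAME in attrs:
            self.by_ip[ip] = attrs[USER_NAME].decode("utf-8", "replace")
        elif status == ACCT_STOP:
            self.by_ip.pop(ip, None)  # the NAS may hand this address to someone else

    def user_for(self, browser_ip):
        return self.by_ip.get(browser_ip)  # None means: fall back to the login prompt

def build_accounting(user, ip, status):
    # Constructed sample Accounting-Request with a zeroed authenticator (test data only).
    tlvs = ((USER_NAME, user.encode()), (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
            (ACCT_STATUS_TYPE, struct.pack("!I", status)))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in tlvs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body
```

A lookup that returns `None` should leave the normal login prompt in place rather than treating the request as authenticated.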