24th May 2012

You are here: Home / Blog / Opinion / Review of ActivIdentity ActivID 4Tress AAA and 2 factor tokens

Review of ActivIdentity ActivID 4Tress AAA and 2 Factor Tokens

9th April 2008 By 3 Comments

In a recent project I was required to use ActivIdentity ActivID for two factor authentication. This post is about my overall experience with the product and its poor approach to HA. While ActivID does work fine, and its tokens look nice and it works OK, this is not a product for any small or medium company, and requires a lot of IT resources to make it work

The two factor token authentication market has many players, and the RSA SecurID solution has first to market advantage. The SecurID product is ‘reassuringly expensive‘ and is the default solution for token authentication. It was mandated from Head Office that ActivID was the chosen product. On a first pass cost analysis, it looked good value for money.

Licensing

The ActivID 4Tress AAA server software has no licensing requirements and is based on an honesty system. This is refreshing in the modern era, however this was never covered in the documentation and it took over two weeks for the support to be able to indicate that there was no activation or licensing required. Just install it and go.

Note however, that you still have to buy the tokens, so you can’t bypass the licensing in the end.

Tech Support

I was not able to access quality technical support. Because ActivID only wants to work with big companies directly, I was unable to buy a maintenance contract directly from ActivID. I was forced to use a distributor for tech support. At purchase time I had deep misgivings about this knowing that for a non core product like ActivID, the distributor was unlikely to have more than one person trained in the product, and that person was possibly not their best engineer. This turned out to be true and I was unable to get satisfactory answers to any questions. In fact, I was unable to get anyone to answer support questions. Even worse, when I tried to escalate to ActivID and make direct contact, ActivID would refer me back to the distributor and refuse to take my call.

Windows Only

So ActivID 4TRESS AAA server is Windows only, and that includes the management client as well. While this is probably suitable for most corporate IT departments, a significant number of IT people are moving away from Windows on their own desktops. Vendors need to recognise this and move to develop clients that are universal. The Web Help desk does work in any browser but the thick client does not.

The dependency on Microsoft SQL server is similar, and although integration with other systems is possible, tech support becomes a problem (see above). Many organisations are moving to use MySQL instead MSSQL for IT operations and the lack of support for any other database was a disappointment.

High Availability – useless

ActvID have chosen to use a database backend to achieve synchronisation between servers. Which means that you have to install a full MSSQL (or use an existing unit) to allow for data replication. I find this ridiculous. As a network engineer, I do not want to be installing SQL or integrating with a database administrator to maintain such an important system. In effect, this concept designs failure INTO the system.

And the extra cost for MS SQL licenses is not appreciated either. While some organisations will use MSSQL, many more will use Oracle or something similar.

< !ñ-nextpage-ñ>

Does what it says on the Tin

The product does work, and, once you adapt yourself around the way it works, it works fine. The Web Helpdesk is a nice idea, but obviously something that you are expected develop a user interface for as part of your helpdesk software. For smaller IT operations no one is going to take time to customise it. It looks like an afterthought and is not intuitive to use. ActivIdentity could do a much better job of this to improve the out of box experience.

ActivID can integrate with Windows AD, but I found the interface a little funky (read not intuitive). The ability to be creative with group selection and username matching was limited. The entire management interface looked very dated to me.

Other tools in the box

ActivId has a lot of tools that allow it to integrate with other stuff. There are several directories on the CD that might be interesting if I need to integrate with other stuff. If you want these features then I suspect that my negatives might not be yours thus your mileage may vary.

Conclusion

If I had to work in a very large company, had access to software development resources and Windows administrators then the money saved compared to SecurID might be worthwhile. But if you are small to medium business with , say, less than 100 IT staff you will be better off with something else.

Once again, the quality of technical support lets an American product down. The favoured model by US tech companies of having their own tech support in America but handing it to distributors in the rest of the world continues to be a disappointment. Make sure that you take the time to check how the maintenance is delivered before you buy.

This post is copyright of Thropos Ltd ©2008-2011 at Etherealmind.com - contact | email: greg.ferro@packetpushers.net - twitter: @etherealmind | All rights reserved
Filed Under: Opinion Tagged With:
About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

  • Julian lovelock

    As product manager for the ActivID 4Tress AAA Product I obviously read your blog with some interest, and wanted to make a couple of points.

    Tech Support:
    We have a global team of support engineers based in AMERICAS, EMEA and APAC to provide continuous 24×7 support services to our End Customers, Partners, Distributors and Resellers.

    We do have a two tier support model. This includes Standard Support (8×5) where end-customers obtain Support Services through their ActivIdentity Certified Channel Partner; and Premium Support (24×7) where end-customers engage directly with ActivIdentity for their Support Services.

    It is true that we donít provide direct support to Customers with small user base as you can understand and agree it becomes hard for us to maintain high quality of service if we take on all the small customers. That being said itís very unfortunate that our Distributor couldnít provide you proper guidance & support. We do require our Distributors to maintain a minimum of two technical people certified by ActivIdentity on staff at all times.

    It’s also worth making the point that competitor products typically follow a similar model.

    High Availability
    You also commented that from a high Availability perspective the product was useless, which is an unfortunate observation, given that it is not true. The product does support replication between different databases instances to enable high availability, without relying on the underlying database replication capabilities. I do take the point that we could probably do a better job of documenting this.

    Please note that ActivID 4Tress AAA does support Oracle along with MS SQL Server as database.

    We do have a lot of smaller customers with less than 100 staff.

    PS – If its any consolation, I am English, albeit working in America. Not sure whether that makes things better or worse;)

    • http://etherealmind.com Greg Ferro

      You have your right of reply.

      “It is true that we donít provide direct support to Customers with small user base as you can understand and agree it becomes hard for us to maintain high quality of service if we take on all the small customers”

      I do not agree. Customers are the reason for your business not the cause of it. Small customers become big customers, and they create market momentum.

      Further, maintaining a high quality of service means good management and investment to achieve it. You are suggesting that your company does not or cannot do either. That suggests……..ah well, that might be a bit harsh. I don’t believe you can abrogate support for your customers by claiming its too hard.

      Since you have no capability to support small to medium customers (by your own admission and by my criteria), then don’t sell packages for small companies. I have stated that distributors are inadequate, and your product does not seem to have the necessary market penetration for them to give it focus. (How can one person, who spends less than one day a week on your product be a quality service experience ? ).

      “You also commented that from a high(sic) Availability perspective the product was useless, which is an unfortunate observation, given that it is not true.”

      Indeed it is true. From my position, your attempt at HA is certainly useless. HA using an external database is unacceptable as a mandatory choice. By forcing external dependencies you:

      (1) increase complexity and thus reduce reliability
      (2) increase the MTTR
      (3) make troubleshooting more complex.
      (4) operational costs are higher

      Further, as the solution crosses operational boundaries it is not suitable for any networking focused deployment (as I noted in the article).

      Your documentation on HA is (was?) vile. The hidden cost of MSSQL was not a pleasant experience.

      Compared with Cisco Secure Access Control Server with its integrated database and replication engine, the ActivIdentity product is much more complex to maintain and install.

      PS I don’t mind who you are or where you are from. I have my opinion and I choose to express it. I wasted way too much time getting your product to install and be usable. Particularly, I wasted weeks of man time on the deployment instead of getting support and getting assistance. This reflects badly on your company.

      • Julian lovelock

        Greg,

        I am sorry that your distributor was unable to provide sufficient support and we were unable to provide sufficient centralised backup. I accept the criticism of the execution of our model, i.e. using distributors and it is something we continue to work on to improve, but not the model itself.

        The product is generally accepted by our customers and the market as being easy to install and use. To quote from an SC magazine review which awarded the product 5 stars for ease of use, ‘The installation of 4TRESS AAA was as easy as can be expected. The offering can leverage existing SQL (structured query language) or Oracle databases, but ships with its own SQL MDSE database, which we used for testing. The software installs into two components a server module and a console module. The console module was among the better modules we used and it had a logical layout which was easy to use, even for the novice, and the commands were simple to understand. If you have worked around a Radius server before, the 4TRESS AAA server should hold no surprises. We found the interface to be intuitive.’

        To repeat the point I made above ‘The product does support replication between different databases instances to enable high availability, without relying on the underlying database replication capabilities.’ In other words, using the external database for HA is not a mandatory choice.