September 6, 1999
Vasco Data Security Vasco Access Control Manager (VACMan) 3.5
Maybe we're old-fashioned, or maybe it is the Linux influence corrupting us, but we like a lot of informative details scrolling by on our servers. As soon as we started the VACMan console, we were presented with a window full of detailed events and occurrences. What a pleasure! VACMan tracks every instance of activity in real time and captures results to the screen and to a file. We could log into debug mode, audit mode or authentication mode. Security Dynamics offers logs, but only after a lengthy selection process and parsing. CryptoCard has real-time server details available, but only if you launch a server instance from the program menu. A current user monitor window is available and a separate window offers graphical statistics, providing detailed security and utilization data. For some reason, only four graphical statistics are able to be displayed even though there are 15 available areas to monitor. It's a simple interface design issue but still we found it annoying.
VACMan is saddled with a rather limited feature set. The essentials--user and token management, server configuration and authentication settings--are included and they are easy to identify. Intuitive command options make administration a snap, though the GUI can feel counterproductive. We slogged through searches for users only to click the wrong button and bounce ourselves out of the management window.
Users can be imported from Unix password files, a comma-separated ASCII file, Unix-based RADIUS password lists and from the Shiva LANRover. We threw the university's 30,000-line Unix password file at the import routine and watched as VACMan chugged slowly along importing users until it hit the 500 evaluation-user limit. We had hoped that this process would have been faster and can only speculate how long the process would have taken without our 500-user limit. If you have a large user list, this is definitely a task to run before a coffee break.
One feature we found very useful during testing was the RADIUS Packet Simulator included on the VACMan installation CD. A utility for creating fake RADIUS authentication requests, the packet simulator provided us with basic testing of our VACMan configuration and services--before we decided to configure the NAS equipment.
Installing the Windows 95 client software was easy and configuration was accomplished via an informative wizard dialog. Five minutes and a restart later, we were asked to authenticate and the token configuration we had specified on the server was kicking in on the client. After entering the password and token-generated digits, we were in.
Vasco has numerous tokens ranging from the phaser-like Digipass 300 to the credit-card-cum-calculator Digipass 500, to a smart card with a 3.5-inch disk caddy-reader. To be fair to other vendors and to limit our testing range, we stuck with the Digipass 300--it's Vasco's most popular hardware token.
We found this plastic token difficult to hold while keying in our PIN and responses. The 300 includes an LED array at its tip for automatic entry of your authentication challenge. It's a clever gimmick, but we found no manner of adjustment could make this method any faster than simply punching in our challenge. An administrative version of the 300 was also shipped. Identified by its bright red color, this device can be used to "unlock" user tokens after the incorrect PIN limit has been reached. Keying in the lock code found on the user token will generate an unlock code on the administrative token. This code unlocks the user's token, which then requests a new PIN. We were intrigued by this process, so we threw numerous random numbers at the administrative token and were disturbed to see a pattern of nonrandom unlock codes. This made us somewhat uneasy about the security of Digipass user tokens that fall into the wrong hands.
VACMan is a decent authentication product, but overall it fails to match up to either Security Dynamics' or CryptoCard's products. The product is easy to use and configure, and it might be right for smaller shops or organizations seeking less overhead in their first token system.
VACMan 3.5 with Digipass starts at $6,000 plus $120 for tokens. Vasco Data Security, (630) 932-8844; fax (630) 932-8852. www.vasco.com or info_usa@vasco.com