Guarding The Flank With RADIUS & TACACS+

By Dan Backman
 Successfully implementing enterprise remote access is easy. Plug the T1 lines into that top-of-the-line remote-access server the vendor promised would work seamlessly, then board a plane for a week in Bermuda. Oh, and don't forget to check the price tag on the Brooklyn Bridge on your way to the airport.

Connectivity issues aside, enterprise remote access is a challenging balance between accessibility and security. Users shouldn't have to remember yet another account name and password for dial-in access. Network access servers should authenticate users against an NDS tree, Windows NT domain or NIS (Network Information Service) map, for example (see "Plugging Holes With Remote Authentication," www.NetworkComputing.com/720/720w1.html). Of course, unified enterprisewide authentication systems still are science fiction in most organizations. Dial-in-based systems have to support multiple concurrent back-end authentication systems. Finally, supporting departmental chargebacks means supporting detailed usage accounting records, which in turn requires an effective central accounting database.

We've been dealing with all of these real-world issues in Network Computing's lab at Syracuse University, where we've tested dozens of remote-access products during the past year. And recently, we've implemented a number of RADIUS (Remote Access Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System Plus) services. The products we've tested include: Cisco Systems' CiscoSecure ACS (Access Control Server) version 2.0 for Windows NT and CiscoSecure ACS 2.1.2 for Solaris, Funk Software's Steel-Belted Radius 1.3 for Windows NT, Livingston Enterprises' RADIUS 2.0.1 for Solaris, Novell's RADIUS for NDS 1.0 and Shiva Corp.'s Access Manager 3.0. The products from Funk, Livingston and Novell deliver only RADIUS support. Shiva Access Manager and CiscoSecure support both RADIUS and TACACS+. Our test bed included three network access servers: Ascend Communications' MAX 4004, Cisco's AS5300 and Shiva's LANRover/E Plus--all with the latest available firmware.

Halt! Who Goes There? (The Protocol)

Designed to bridge the gap between network access servers and your internal network infrastructure, dial-up authentication protocols like RADIUS and TACACS+ ease the burden of managing enterprise remote-access services. These systems provide a suite of services, including user authentication, authorization and usage accounting, collectively known as AAA. Although both protocols are roughly equivalent in functionality, we have found nearly universal support for the IETF-standardized RADIUS among network access servers, making it a safe and strategic choice. However, just as important as the protocol is the authentication server. We strongly recommend investing in a product that supports RADIUS proxy authentication, server-side access control rules, and back-end database support if scalability and flexibility are concerns.

The choice of dial-in authentication protocol should depend on four criteria: network access server support, availability of desired back-end authentication proxies, authorization features and usage accounting systems.

