Guarding The Flank With RADIUS & TACACS+

By Dan Backman
Successfully implementing enterprise remote access is easy. Plug the T1 lines into that top-of-the-line remote-access server the vendor promised would work seamlessly, then board a plane for a week in Bermuda. Oh, and don't forget to check the price tag on the Brooklyn Bridge on your way to the airport.

Connectivity issues aside, enterprise remote access is a challenging balance between accessibility and security. Users shouldn't have to remember yet another account name and password for dial-in access. Network access servers should authenticate users against an NDS tree, Windows NT domain or NIS (Network Information Service) map, for example (see "Plugging Holes With Remote Authentication," www.NetworkComputing.com/720/720w1.html). Of course, unified enterprisewide authentication systems are still science fiction in most organizations, so dial-in systems have to support multiple concurrent back-end authentication systems. Finally, supporting departmental chargebacks means supporting detailed usage accounting records, which in turn requires an effective central accounting database.

We've been dealing with all of these real-world issues in Network Computing's lab at Syracuse University, where we've tested dozens of remote-access products during the past year. And recently, we've implemented a number of RADIUS (Remote Access Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System Plus) services. The products we've tested include: Cisco Systems' CiscoSecure ACS (Access Control Server) version 2.0 for Windows NT and CiscoSecure ACS 2.1.2 for Solaris, Funk Software's Steel-Belted Radius 1.3 for Windows NT, Livingston Enterprises' RADIUS 2.0.1 for Solaris, Novell's RADIUS for NDS 1.0 and Shiva Corp.'s Access Manager 3.0. The products from Funk, Livingston and Novell deliver only RADIUS support. Shiva Access Manager and CiscoSecure support both RADIUS and TACACS+. Our test bed included three network access servers: Ascend Communications' MAX 4004, Cisco's AS5300 and Shiva's LANRover/E Plus--all with the latest available firmware.

Halt! Who Goes There? (The Protocol)

Designed to bridge the gap between network access servers and your internal network infrastructure, dial-up authentication protocols like RADIUS and TACACS+ ease the burden of managing enterprise remote-access services. These systems provide a suite of services, including user authentication, authorization and usage accounting, collectively known as AAA. Although both protocols are roughly equivalent in functionality, we have found nearly universal support for the IETF-standardized RADIUS among network access servers, making it a safe and strategic choice. However, just as important as the protocol is the authentication server. We strongly recommend investing in a product that supports RADIUS proxy authentication, server-side access control rules, and back-end database support if scalability and flexibility are concerns.
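To make the authentication leg of AAA concrete, the following is an added example (not code from the article or from any of the products reviewed) that builds and checks RADIUS Access-Request and Access-Accept/Reject packets as specified in RFC 2865: the User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator, and the network access server accepts a reply only if its Response Authenticator verifies under the same secret. The shared secret, user name, password and user database are constructed values for the demonstration; a real deployment takes them from the NAS and server configuration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value (max 253 bytes of value)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_auth  # first keystream block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, username, password, identifier, request_auth=None):
    """NAS side: a fresh random Request Authenticator unless one is supplied for testing."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLV attribute list, rejecting lengths that would run off the packet."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def response_authenticator(secret, code, identifier, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_request(secret, request: bytes, userdb: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject."""
    attrs = parse_attrs(request)
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(secret, request[4:20], attrs.get(ATTR_USER_PASSWORD, b""))
    ok = user in userdb and hmac.compare_digest(userdb[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(secret, code, request[1], request[4:20], b"")
    return build_packet(code, request[1], auth, b"")


def verify_response(secret, request: bytes, response: bytes) -> bool:
    """NAS side: the reply must echo the Identifier, have a consistent Length and a valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = response_authenticator(secret, response[0], response[1], request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])
```

The Response Authenticator is what lets the access server tell a genuine Access-Accept from a forged one, and it is only as strong as the shared secret, which is why the secret should be long, unique per NAS, and never reused between a proxy chain's hops.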

The choice of dial-in authentication protocol should be dependent on four criteria: network access server support, availability of desired back-end authentication proxies, authorization features and usage accounting systems.
