Guarding The Flank With RADIUS & TACACS+

We were surprised to find several inconsistencies in proxy support among RADIUS vendors. For instance, while attempting to authenticate users against our Windows NT Domain, NDS tree and NIS domain through a single RADIUS proxy, we were unable to successfully proxy authentication requests between Funk's Steel-Belted RADIUS and Novell's RADIUS for NDS or Livingston's RADIUS under Solaris. Surprisingly, it wasn't Funk's fault; it followed RFC 2138 to the letter. The proxy expects the target server (in this case, Livingston and Novell) to return a "Proxy-State" variable as delivered in the initial proxy request. However, neither target server successfully returned the variable (violating the RFC). Funk's proxy server correctly rejected the successful target authentication as illegal.

Ironically, Shiva's Access Manager came to the rescue--by not enforcing the RFC. Since it didn't insist on the return of the "Proxy-State" variable, Access Manager had no problem demonstrating the power of RADIUS proxy authentication. By defining four authentication realms in Access Manager's configuration, we built a five-way system using a single RADIUS proxy server. Dial-up users could select their source of authentication at connect time by appending the appropriate realm name to their login, authenticating against our internal Windows NT Domain, NDS tree and NIS domain, as well as Access Manager's own user database and Syracuse University's NIS domain.
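The two behaviours described above, realm-based routing and the Proxy-State round-trip check, as an added example that is not part of the original article. The realm table, the proxy tag value and the attribute encoding helpers are constructed for illustration; the attribute type codes (User-Name 1, Proxy-State 33) are the standard RADIUS values.

```python
# Added example (not from the article): a minimal RADIUS proxy front end that
# routes by login realm and validates the Proxy-State echo required by RFC 2138.
USER_NAME, PROXY_STATE = 1, 33          # standard RADIUS attribute type codes

# Constructed realm table: realm suffix appended to the login -> target server
REALMS = {"nt": "ntdomain-radius", "nds": "novell-radius",
          "nis": "livingston-radius", "su": "syracuse-nis-radius"}

def encode_attr(atype, value):
    """Encode one attribute as type(1) length(1) value."""
    return bytes([atype, 2 + len(value)]) + value

def decode_attrs(data):
    """Parse a RADIUS attribute list; reject truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def route(user_name):
    """Split 'login@realm' and pick the target; no realm -> local user database."""
    login, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, "access-manager-local"
    if realm not in REALMS:
        raise KeyError("unknown realm: " + realm)
    return login, REALMS[realm]

def forward_request(user_name, proxy_tag):
    """Build the attribute list the proxy forwards, tagged with a Proxy-State."""
    login, target = route(user_name)
    attrs = encode_attr(USER_NAME, login.encode()) + encode_attr(PROXY_STATE, proxy_tag)
    return target, attrs

def validate_reply(request, reply, enforce_rfc=True):
    """Accept the target server's reply only if it echoed every Proxy-State we sent.
    enforce_rfc=True matches the strict (Funk) behaviour; False the lenient (Shiva) one."""
    sent = [v for t, v in decode_attrs(request) if t == PROXY_STATE]
    echoed = [v for t, v in decode_attrs(reply) if t == PROXY_STATE]
    if enforce_rfc and sent != echoed:
        return False
    return True
```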

Proxy authentication is often used by nationwide or global carriers, enabling access servers in virtually any location to query independently maintained user databases. However, transmitting authentication packets across public networks poses a distinct security risk. RADIUS and TACACS+ encryption is based on static keys, and a single packet conveniently carries the user name, password and authentication server information.

TACACS+ also supports proxy authentication. Cisco supports proxy RADIUS and TACACS+ authentication through its CiscoSecure GRS (Global Roaming Server), aimed primarily at service providers and global enterprise networks.

My Apologies, General. After You. (Authorization)

Easily upstaged by concerns of authentication, other strengths of centralized dial-up authentication include conditional access and session control. Although described under the umbrella term of authorization, there are two distinct types of services that are the true value-added service of advanced authentication systems.

Both RADIUS and TACACS+ return session configuration variables with each accepted authentication, which is critical to the deployment of a central network access server management strategy. Whereas TACACS+ uses a fixed set of attribute/value pairs to define protocol and addressing parameters and 16 privilege levels, RADIUS relies on a set of standardized variables, but includes an extensible dictionary to support vendor-specific attributes. IETF standard RADIUS attributes define rudimentary service types, such as framed protocols, automatic TCP sessions, network access server shell and administrative access, as well as protocol types and addressing information. Applying these attributes to a group of users makes it convenient to support both PPP and ASCII terminal users on the same network access server, without maintaining complex configurations on each server.

However, the true value in centralized authorization control is not in the session parameters of the RADIUS or TACACS+ protocols. Because control is centralized, it's possible to intelligently manage access rights and dynamically adjust attributes such as addressing and automatic session time-outs. These server-side access controls are completely internal to the authentication server and are not protocol dependent. For instance, CiscoSecure and Shiva Access Manager permit time-of-day restrictions and can limit access during certain hours. Similarly, Access Manager tracks individual usage time and can implement usage quotas on a daily, weekly or monthly basis. Finally, we found the ability to temporarily lock a user account after it exceeds a threshold of failed logins a welcome addition.

Which Way Did He Go? (Accounting)

Always valuable as a continuous audit trail of dial-up activity, accurate accounting and usage tracking is a critical application for central IT departments and service providers that bill users for services. XTACACS originally made its mark by tracking "stop" records in order to gauge dial-up usage, and both TACACS+ and RADIUS offer rich accounting features.

RADIUS and TACACS+ record not only the owner and duration of each remote-access session, but also the service and protocol used, network access server and port identifiers, addresses, octets transferred and cause of session termination. Together, these variables offer a detailed record of each remote-access session, useful in both auditing and billing functions.

All RADIUS and TACACS+ servers will write activity logs to flat text files. However, we found that one of the major benefits of value-added (as opposed to free) authentication servers is support for logging to back-end databases through SQL or ODBC (Open Database Connectivity). If scalability and usage accounting are priorities, we recommend choosing an authentication server that supports your existing database management system.
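The accounting variables listed above, loaded into a SQL back end and queried for billing totals and an audit check, as an added example that is not part of the original article. The records are constructed sample data keyed by the standard RADIUS accounting attribute names; SQLite stands in for the ODBC-reachable database the article recommends.

```python
# Added example (not from the article): load RADIUS accounting Start/Stop records
# into SQLite and answer the billing and audit questions the article lists.
import sqlite3

# Constructed sample records; Start records carry no counters, Stop records do
RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.5", "NAS-Port": 3, "Framed-Protocol": "PPP"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.5", "NAS-Port": 3, "Framed-Protocol": "PPP",
     "Acct-Session-Time": 1800, "Acct-Input-Octets": 40000,
     "Acct-Output-Octets": 900000, "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0002", "User-Name": "bob",
     "NAS-IP-Address": "10.0.0.5", "NAS-Port": 7, "Framed-Protocol": "PPP"},
]

SCHEMA = """CREATE TABLE acct (
    session_id TEXT, status TEXT, user TEXT, nas_ip TEXT, nas_port INTEGER,
    protocol TEXT, session_time INTEGER, in_octets INTEGER,
    out_octets INTEGER, term_cause TEXT)"""

def load(records):
    """Insert accounting records into an in-memory database (one row per record)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO acct VALUES (?,?,?,?,?,?,?,?,?,?)",
        [(r["Acct-Session-Id"], r["Acct-Status-Type"], r["User-Name"],
          r["NAS-IP-Address"], r["NAS-Port"], r.get("Framed-Protocol"),
          r.get("Acct-Session-Time"), r.get("Acct-Input-Octets"),
          r.get("Acct-Output-Octets"), r.get("Acct-Terminate-Cause"))
         for r in records])
    return db

def usage_per_user(db):
    """Billable totals (seconds, octets) come from Stop records only."""
    rows = db.execute("""SELECT user, SUM(session_time), SUM(in_octets + out_octets)
                         FROM acct WHERE status = 'Stop' GROUP BY user""").fetchall()
    return {u: (t, o) for u, t, o in rows}

def open_sessions(db):
    """Audit check: Start records with no matching Stop (still up, or a lost Stop)."""
    return db.execute("""SELECT s.user, s.session_id FROM acct s
                         WHERE s.status = 'Start' AND NOT EXISTS (
                           SELECT 1 FROM acct t WHERE t.session_id = s.session_id
                           AND t.status = 'Stop')""").fetchall()
```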

Dan Backman can be reached at dbackman@nwc.com.
