our customizable newsletter, sends you security alerts, product updates and software patches on the products you use. Sign up now at www.networkcomputing.com /express/

key enabling technology in remote-access centers ranging from SOHO (small office/home office) to ISP densities. Pigeonholing RADIUS as a password-authentication protocol doesn't do justice to its strengths in concentrating remote-access session configuration and accounting capabilities. An effective RADIUS solution gathers remote-access authentication, user access rights and accounting (known collectively as AAA) under a common, IETF-standardized management protocol.

To view the Report card.A RADIUS server's choice of back-end authentication protocols is of critical importance--especially in enterprise settings, where dial-in user accounts are linked to existing enterprise authentication systems. An effective bridge between network access servers and any desired authentication system, RADIUS adds the capability to transmit session-configuration information bidirectionally. Through an extensible "dictionary" of known attributes (similar

to MIBs in SNMP), RADIUS servers can not only validate a password, but can pass detailed session configurations to the network access server each time a user is authenticated. By matching users to templates based on anything from logical user groups to access servers or port numbers, RADIUS moves remote-access administration from the access server to the RADIUS server. For an in-depth look at RADIUS in remote-access authentication, see "Guarding the Flank With RADIUS and TACACS+," www.NetworkComputing.com/902/902ws1.html.

RADIUS also supports rich accounting features, allowing access servers to confirm delivery of usage and session information to a central RADIUS accounting server. By tracking accounting "Start" and "Stop" records, a

RADIUS server not only tracks active dial-in sessions across a non-vendor-specific dial-in pool, but can apply additional logic to subsequent user authentications and session configurations. Examples include the ability to limit concurrent logins by a single user or enforce usage quotas at authentication time.

Put to the Test We put three leading RADIUS server products to the test in our Syracuse University and San Mateo, Calif., Real-World Labs®, with a focus on support for back-end authentication protocols, server-side access controls, and logging and accounting features.

Shiva Corp.'s Access Manager 3.0 delivered the most server-side intelligence, while Funk's Steel-Belted Radius 2.1 (and BaySecure Access Manager, a rebranded version of Funk's product) offered solid functionality. We invited Cisco Systems and Livingston Technologies to have their products included in our comparison, but Cisco declined to participate due to a self-imposed moratorium, while Livingston was unable to provide us with a beta copy of its new RADIUS product in time for our tests. This comparison also excluded products specifically targeted at hard-token authentication.