
Of the products we tested, Shiva's Access Manager gets our top recommendation for its long list of back-end authentication modules, as well as its conditional authentication features such as time-of-day restrictions and individual usage quota enforcement. However, Funk Software's Steel-Belted Radius is a close second with its support for user-customizable SQL logging and authentication.
Shiva Corp. Access Manager 3.0
Access Manager is nearly an all-in-one dial-in authentication server solution. In addition to RADIUS support, it includes support for TACACS+ and the older TACACS and XTACACS protocols. But its greatest strength is on the back end. Instead of offering authentication against only a local user database and the underlying operating system, Access Manager includes authentication "proxies" for NT Domains, NDS, NetWare Binderies, Unix /etc/passwd, Kerberos, DCE (Distributed Computing Environment) and various hard-token-based authentication systems. Each of these proxies is available out of the box, making Access Manager a sound choice for complex authentication environments that require multiple back ends.
Shiva's Access Manager runs as an application under Windows 95, as a Windows NT service or as a daemon under Solaris, but it is managed remotely using a 32-bit Windows application. The Solaris version includes a well-written Java-based utility with functionality that mirrors the Windows client. Our tests showed most functions to be identical in the Windows NT and Solaris versions, except for the included proxy modules. While the NT version supports all the listed proxy modules, the Solaris version we tested only offered support for local /etc/passwd, Kerberos, Enigma Logic and RADIUS proxy authentication (in addition to Access Manager's own user database). We recommend evaluating your need for back-end authentication mechanisms before choosing Access Manager for Solaris (particularly if you need to support NT Domains, NDS or NetWare Bindery lookups).
User configurations in Access Manager range from simple (authentication only, with no specified authorization attributes) to complex access control lists with multiple authentication sources and user profiles. Session configurations are accessed through the "Users" button in the management console. They can be set on a per-user level or defined as profiles, which are then assigned to users.
One of Access Manager's greatest assets is its support for many conditional authentication and access controls. In addition to simply validating user names and passwords, authentication requests can be subjected to various logical tests. Time-of-day restrictions permit or deny logins in one-hour increments over the span of a week. Usage quota enforcement relies on accounting data (generated by the access server): each session's duration is tallied and checked against an allowed quota upon authentication.
Access Manager also tracks active sessions and can reject authentication requests if a user exceeds a predefined number of concurrent logins. Options for password aging and violation thresholds are included as well.
However, we were surprised to find that Access Manager doesn't manage IP address pools; for a tool meant to concentrate remote-access management, the ability to allocate IP addresses from a RADIUS server-managed pool is useful. Access Manager can, however, assign IP addresses on a per-user basis if a Framed-IP-Address RADIUS attribute is included in the user manager.
Configuring Access Manager to support a simple authentication solution (a handful of access servers, with all users authenticated against a local NT domain) was an easy task. First, we defined the NT proxy as the default authentication proxy (this bypasses the local password database and authenticates users' names and passwords against the NT domain controller). Next, we configured the default user profile with a handful of RADIUS attributes (such as Service-Type=Framed and Framed-Protocol=PPP) to make the remote-access servers launch PPP sessions once authenticated. By default, Access Manager returns no attributes, placing the task of session configuration on the access server.
Our only other complaint about Access Manager was the relatively slow performance of its NT domain authentication proxy. Access Manager was noticeably slower to authenticate users through its NT domain proxy than Funk Software's NT version of Steel-Belted Radius.
In addition to specifying RADIUS attributes to be returned to the access server upon authentication, you can also define "check" attributes. Used as an access control, check attributes can limit an individual user to a particular server, port or any other attribute value specified by the access server in the authentication request. Access Manager supports TACACS+ and XTACACS, so the user manager also contains privilege levels and TACACS+ Attribute-Value pairs.
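To make the review's description of conditional authentication concrete, here is an added example (not Shiva's code, nor anything from the review itself) that models a RADIUS decision the way the article describes Access Manager's: reply attributes such as Service-Type=Framed and Framed-Protocol=PPP returned on accept, "check" attributes that must match the request, a weekly allowed-hours grid in one-hour increments, a usage quota tallied from accounting data, and a concurrent-login cap. The profile values, accounting records, addresses and timestamps are all constructed sample data, and the `password_ok` flag stands in for the verdict of whichever back-end proxy (NT domain, /etc/passwd, Kerberos) checked the credentials.

```python
from datetime import datetime

# Constructed user profile (sample values, not vendor defaults): reply attributes,
# check attributes, allowed hours per weekday (0=Monday), a quota and a session cap.
PROFILE = {
    "reply": {"Service-Type": "Framed", "Framed-Protocol": "PPP",
              "Framed-IP-Address": "192.0.2.10"},
    "check": {"NAS-IP-Address": "192.0.2.1"},
    "allowed_hours": {day: set(range(8, 18)) for day in range(5)},  # Mon-Fri 08:00-17:59
    "quota_seconds": 10 * 3600,
    "max_sessions": 1,
}

# Constructed accounting records in the shape an access server sends (RFC 2866 names).
ACCOUNTING = [
    {"User-Name": "alice", "Acct-Status-Type": "Start", "Acct-Session-Time": 0},
    {"User-Name": "alice", "Acct-Status-Type": "Stop", "Acct-Session-Time": 5400},
    {"User-Name": "alice", "Acct-Status-Type": "Stop", "Acct-Session-Time": 1800},
    {"User-Name": "bob", "Acct-Status-Type": "Stop", "Acct-Session-Time": 36000},
]

# Constructed timestamps: 2024-01-15 is a Monday, 2024-01-14 a Sunday.
SAMPLE_MONDAY = datetime(2024, 1, 15, 10, 30)
SAMPLE_SUNDAY = datetime(2024, 1, 14, 10, 30)

def tally_usage(records, user):
    """Sum Acct-Session-Time over a user's Accounting-Stop records (the quota basis)."""
    return sum(r["Acct-Session-Time"] for r in records
               if r["User-Name"] == user and r["Acct-Status-Type"] == "Stop")

def evaluate(request, profile, used_seconds, active_sessions, now, password_ok):
    """Decide one Access-Request: ('Access-Accept', reply attrs) or ('Access-Reject', reason).
    password_ok is the back-end proxy's verdict; the conditional tests run only after it."""
    if not password_ok:
        return "Access-Reject", "bad credentials"
    for attr, expected in profile["check"].items():  # check attributes vs. the request
        if request.get(attr) != expected:
            return "Access-Reject", f"check attribute {attr} mismatch"
    if now.hour not in profile["allowed_hours"].get(now.weekday(), set()):
        return "Access-Reject", "outside allowed hours"
    if used_seconds >= profile["quota_seconds"]:
        return "Access-Reject", "usage quota exhausted"
    if active_sessions >= profile["max_sessions"]:
        return "Access-Reject", "too many concurrent logins"
    return "Access-Accept", dict(profile["reply"])

if __name__ == "__main__":
    req = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.1", "NAS-Port": 3}
    print(evaluate(req, PROFILE, tally_usage(ACCOUNTING, "alice"), 0, SAMPLE_MONDAY, True))
```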