In addition, the Access Manager Console includes a statistics window, which graphs up to four performance variables in real time. Server statistics such as accepted or rejected authentication requests, total accounting requests or concurrent users over time are nicely graphed in a small child window.

In contrast to Access Manager's rich monitoring capabilities, we were a little disappointed by the product's dearth of serious reporting tools. While Access Manager supports the logging of accounting data to either a flat-file or ODBC (Open Database Connectivity) database, the included reporting engine allows only a small set of predefined reports. Included are usage reports (broken down per user) and a handful of audit reports, such as login accept and denial, user modification and manager logins. However, a scriptable reporting tool would be a welcome addition.

We were surprised to find that Access Manager does not reject accounting packets with bad authenticators.

RADIUS is designed to be a secure protocol, so each accounting packet includes a 16-byte "authenticator" consisting of an MD5 hash of type code, packet length, attributes and secret key shared between the access server and the

RADIUS server. This failure to reject packets with bad authenticators should be considered a security breach--particularly if the accounting data is used in billing or departmental chargebacks.

Funk Software Steel-Belted Radius 2.1 (Beta)
Funk Software's latest Steel-Belted Radius (SBR) release distinguishes itself through its access to a back-end database as both a back-end authentication source and a logging device for accounting data. Although it doesn't support as many authentication options as Access Manager does, SBR continues to be a solid, reliable and easy-to-use RADIUS server. We tested a late beta of the Solaris-based version of SBR as well as an NT version of the previous release (1.5, which only lacked the external database support). We also tested a Solaris version of Bay Networks' BaySecure Access Control, which is a repackaged copy of SBR.

While it may appear to be very similar to previous releases, SBR 2.1 distinguishes itself through its support for scriptable conditional authentication. Through customized SQL statements, the administrator can query a SQL database for user authentication information. Any logic that can be built into a simple SQL statement (or stored procedure on the database server) can be used to control RADIUS authentication. Likewise, accounting to a back-end database is customizable via SQL, allowing administrators to specify exactly what accounting data is recorded.

We were impressed to find support for scores of different RAS servers through Funk's 31 bundled RADIUS dictionaries. Adding a RADIUS client is as simple as choosing a make and model of access server and entering the server's IP address and shared secret key. Conveniently located on the same window is a button that brings up a checklist for enabling RADIUS client support on the specified remote-access server--an effective and useful implementation of context-sensitive help.

While SBR is not as multilingual as Access Manager (it cannot double as a TACACS+ or XTACACS server), we were surprised to find support for TACACS+ as a back-end authenticator. According to Funk, this is included to support legacy systems migrating from TACACS+ to RADIUS.

Funk's SBR is available on three platforms: It runs as a Windows NT service, a NetWare NLM or a daemon under Solaris. Like Access Manager, the NT (and NetWare) versions include a Windows-native management console, while SBR for Solaris includes a Java version that mirrors the Win32 application in both looks and functionality. While each version of SBR can authenticate users against its native operating system, Funk does not include proxy authentication modules like those in Access Manager. Authenticating users against an NT domain and an NDS context means using two copies of SBR in a RADIUS proxy configuration.