Review: Enterprise RADIUS Servers
Posted by
Frank Robinson and Network Computing
June 08, 2004
If you have more than, say, 30 users connecting to your organization's network using dial-up, broadband and wireless over a range of public and private networks, managing these disparate systems while staying on top of AAA (authentication, authorization and accounting) can be a full-time job. The RADIUS (Remote Access Dial-In User Service) protocol was designed to solve the problem of centralized AAA across multiple, possibly heterogeneous, network-aggregation points--such as modem pools, switches, firewalls, VPN concentrators and wireless access points--through which remote users gain access to protected network resources. Once stereotyped as simply a password-authentication protocol, RADIUS has been thrust into the limelight by the wireless community, which realized its untapped potential in concentrating remote-access session configurations based on user access rights and accounting requirements.
We set out to evaluate enterprise RADIUS servers, requesting products that not only support Microsoft Active Directory and RSA Security SecureID, but also interface with multiple clients, aka NAS (network access server) devices, such as dial-up servers, VPN concentrators, WLAN access points and firewalls. Funk Software, IEA Software, Interlink Networks and Lucent Technologies sent their server software to our Syracuse University Real-World Labs. Vircom didn't participate because it's between revisions; XPerience Technologies' appliance didn't qualify for this review because it lacks SecureID authentication; and Secure Computing declined to participate.
Standard Standards
We figured standards compliance would be a given, and indeed, all the products meet RADIUS specifications and EAP (Extensible Authentication Protocol) definitions. But we dug deeper to discover the types of authentication mechanisms and back-end authentication stores supported. For interoperability, we looked at how well the server worked with an array of RADIUS clients, including access points, VPNs and dial-in servers. We scored configuration management based on how easily we could create user and group profiles and on the flexibility of configuring user-specific attributes. Security was a major concern as well. We wanted to see how the servers enabled and preserved integrity and communication with the NAS devices. In most cases, this boiled down to support for SSL certificates, but Funk and Interlink went beyond the call of duty in establishing shared secrets among multiple servers to ensure confidentiality. Interlink even makes shared secrets mandatory for remote configuration.
Of course, security features and policies won't work if you can't manage them. We evaluated the various rules that could be enforced through the server, with particular emphasis on time-of-day restrictions by user, group or role. All the products we tested except Funk's Steel-Belted Radius implement these restrictions. We also looked for time-quota enforcement, which lets you cap how long a user or group can access the network through the RADIUS server. Lucent's and Cisco's software support time quotas. All the products support restrictions based on the number of simultaneous logons, at the user or application level.
Most of the RADIUS servers we tested use a SQL database to store and access user profiles via ODBC or JDBC. Database integration is crucial for handling the masses of data collected for accounting and event logging. And what good is all that data if you can't slice, dice and report on it? We looked at the tools provided to present information, how dynamic that information is and what tasks can be performed with it.
