Vendors Encircle Radius

QLogic is the latest to implement Microsoft's version of the Radius authentication protocol

May 14, 2003


SAN equipment vendors -- with the clear support of Microsoft Corp. (Nasdaq: MSFT) -- are rallying around the Remote Authentication Dial-In User Service (Radius) authentication protocol as a standard that promises to seal up a potential security hole in Fibre Channel fabrics.

The latest development on this front is QLogic Corp.'s (Nasdaq: QLGC) announcement today that it has implemented Microsoft's version of the Radius protocol on its SANbox2 line of switches.

Radius, an Internet Engineering Task Force (IETF) protocol, is used to authenticate, authorize, and audit users and devices in a network according to previously defined permissions, based on existing enterprise policy. While most storage companies offer proprietary ways of ensuring that only authorized people and machines have access to different servers and data, Radius -- which has long been the standard authentication protocol on the IP networking side -- is rapidly becoming the industry standard for storage as well.

Fibre Channel storage devices are not actually required to run Radius, but are required to run the Challenge Handshake Access Protocol (CHAP), which is compliant with Radius. Industry observers say Radius offers many additional benefits: Instead of having to configure every individual server with individual access policies and the associated usernames and passwords, Radius provides centralized management for all server authentication and authorization. This not only removes complexity; it is also safer, since all the passwords are stored on the Radius server.

"You can go to a single point to give access or take access away," says Brandon Hoff, McData Corp.'s (Nasdaq: MCDTA) senior manager of advanced development.

While SAN vendors appear to be coalescing around Radius, however, the question remains which version of Radius to choose. Unsurprisingly, perhaps, it seems that the Radius version that's integrated into the Internet Authentication Service (IAS) component of Microsoft's Windows 2000 and Windows 2003 has taken the lead.

QLogic's announcement today comes just a month after Microsoft announced its move to implement Radius in Windows as an authentication mechanism for SANs, along with the support of Brocade Communications Systems Inc. (Nasdaq: BRCD). At the conference, Brocade also announced the demonstration of its Secure Fabric Operating System with the Microsoft Radius component (see Microsoft Boosts SAN Security).

McData, meanwhile, has yet to make an announcement on the subject, but the company says it has already started integrating the Microsoft version of Radius in its products. "We've been talking about native Radius support in McData devices since December," Hoff says.

While standard Radius offers many benefits, Microsoft claims that the IAS version of the protocol is especially beneficial to users, since it already exists on Windows.

"Instead of buying additional software, you take advantage of the infrastructure you already have in Windows," says Zane Adam, the director of product management and marketing in Microsoft's enterprise storage division. "We expect other companies to implement Radius, and we expect you'll see more partners implementing our solutions... With growing customer demand, more and more companies will come onboard."

And since IAS is integrated with Microsoft's Active Directory (AD), he says, it allows companies to manage all of their users -- whether on the network side or on the storage side -- from a single console. "It becomes a single management platform," he says.

While Microsoft currently has an impressive list of partners, it is still lacking the pronounced support of one significant vendor: Cisco Systems Inc. (Nasdaq: CSCO).

Since it had already implemented Radius on the networking side, Cisco was quick to add the protocol to its storage products as well. "Cisco is very supportive of Radius," says Mark Bakke, the technical leader at Cisco's Storage Router Business Unit. "An iSCSI product without Radius support may work fine for small installations, but as soon as a user scales up... it becomes complex... A product is certainly better off if it supports Radius."

So far, at least, Cisco has contented itself with standard Radius. A company spokesman, however, says that it's not unthinkable that Cisco will also soon join the Microsoft Radius parade.

Eugénie Larson, Reporter, Byte and Switch
