Review: Enterprise RADIUS Servers update from June 2004

Click HERE for our Executive Summary

Click HERE for a description of how we tested.

NavisRadius takes a balanced approach to enterprise AAA requirements. It is the only RADIUS server we tested to include a JDBC API to interface with SQL databases. Managing the bundled Sybase database with the product's SMT (Server Management Tool) and the JDBC plug-in was simple. And the form-based PolicyAssistant gave us elaborate control over the server configuration (earlier versions allowed such control only through the persnickety PolicyFlow AAA programming language). Thanks to its Java roots, SMT ports quite well onto multiple platforms. Remote administration, though requiring an independent installation, was not much of a hassle once we made sure Java 2 was installed and running. SMT's user interface worked well; we didn't encounter the time lags characteristic of Java-based APIs.

The product's PolicyFlow language is both a boon and a bane. It's not a true programming language, like C++ or Java, but more of a scripting toolkit that provides access to the processing steps of the RADIUS server. These steps determine how requests will be handled, gather information from user records, decode realms and so on. If you have the time to learn the nuances of the toolkit, you'll gain detailed customization. However, we found the toolkit unforgiving--specify one wrong attribute and you'll spend a long time debugging. Learn from our pain: Tinker with the plug-ins and methods only if you have a big problem to solve. SMT offers enough flexibility for configuring standard RADIUS variables.

Instead of offering authentication only against a text-based user file and local user database, NavisRadius includes authentication "proxies" for Windows Active Directory/NT domains; Unix/etc/passwd; Kerberos; Novell Directory; external databases, such as Oracle or MySQL; LDAP servers; and various hard-token authentication systems, such as SecureID, Defender, SafeWord and VASCO. Although it doesn't natively support NDS and Windows AD, it uses the LDAP interface to authenticate after registering itself as a user with administrative rights. We were surprised to learn NavisRadius doesn't support TACACS+, an AAA protocol based on TCP rather than UDP that is often used for administrative access.

Java 2 is needed because the server builds on the flexible and extensible Java-based PolicyFlow plug-in architecture. We were impressed at how NavisRadius isolated the authorization aspect of RADIUS from authentication and accounting. For example, the USS (Universal State Server) keeps track of all the sessions the server supports and facilitates authorization decisions based on counters in the internal network-session database. We could use this feature to enforce concurrent logon restrictions by the same user name or limit logons to specific realms supported by the server.

User configuration in the Access Manager could be simple (authentication only, with no specified authorization attributes) or complex with access-control lists using multiple authentication sources and user profiles. You can set them on a per-user level or define them as profiles (templates) that are assigned to users.

NavisRadius doesn't manage IP address pools as a tool for concentrating remote-access management (Funk's and Cisco's products do). Being able to allocate an IP address from a RADIUS server-managed pool is useful, especially to assign addresses to users and restrict access based on availability of IP addresses dynamically. Lucent says this is a function of its IP Manager, which integrates with the NavisRadius. However, NavisRadius can assign IP addresses on a per-user basis if the address is included in the user profile or template as a Framed-IP-Address RADIUS attribute. NavisRadius also has a DHCP plug-in that you can use to request that the network DHCP server allocate an IP address for the authenticating user.We ran into a few glitches while trying to authenticate against AD, especially after we upgraded NavisRadius to version 4.3.2. For example, the server would authenticate the user against AD successfully, but the PolicyFlow would fail to authorize a valid user, even after a fresh install of the server. Ultimately, we had to reboot the machine. It was apparent that the registry entries were not updated with the upgrade. The customizable real-time log feature and the built-in test client helped us resolve this problem, with assistance from Lucent.

NavisRadius' flexibility in its logging and real-time tracking tools is first-rate. The sheer volume of types and levels of logging available is overwhelming at first, but logging rules and log-rotation capabilities make managing them, well, manageable. Like all the servers we tested, NavisRadius logs standard events (accept, reject, discard) and lets you define a number of log-output sources, referred to as "channels," including syslog, SNMP trap, SQL database, e-mail, or pagers and files.

For reporting, NavisRadius takes advantage of Java. We liked the tasty pie chart that gave us a comprehensive view of overall server status; it is much easier to absorb than the straight numbers provided by Cisco's and IEA's offerings. The performance monitor records requests, accepts and rejects on a common scale over the last 200 observations in an easy-to-read line graph; the visual updating performs exceptionally well, considering that this is a Java-based console.

NavisRadius also wowed us with extras. It decodes RADIUS packets in real time, which helped us understand the server's behavior--particularly welcome when we inserted methods in the wrong places in the PolicyFlow chain. SNMP support makes tracking the server much easier (the server supports only read capabilities). Another useful feature, though not easy to configure, is e-mail notification for specific systems. This must be configured through a PolicyFlow script. The icing on the cake, though, is the pricing scheme, based on the number and type of clients supported.

Steel-Belted Radius (SBR) distinguishes itself with its dedication to securing the WLAN segment and unparalleled EAP support. Its interface is simple yet functional. And though it doesn't provide the granular control of NavisRadius, SBR is a full-featured all-in-one RADIUS server.Funk sent us the enterprise version for Windows 2000. SBR led the pack in integration, interoperability and support for authentication mechanisms and back-end authentication sources. And it fit into our primary test bed beautifully. It worked seamlessly with Windows AD and the ACE/Server and has an elaborate library of vendor-specific attributes for NAS devices.

Installing and commissioning the server went well, but we did encounter a problem when starting the server for the first time because it expected the NT "Netlogon" service to be started on the machine. To authenticate against the Windows domain, the server had to be a member of the domain.

We were impressed by how SBR plugged into our Windows domain, letting the server authenticate individual users against their user profiles in the native database or against their group profiles. Setting up profiles and NAS devices on SBR was intuitive and flexible. We used profiles to set up check and reply attributes, then applied the profiles to users in the native database.The enterprise version of SBR supports a host of authentication mechanisms, but lacks a few draft EAP types, such as SIM (Subscriber Identity Model), though SBR 4.7 should support EAP-SIM. SBR covers the gamut of back-end authentication sources, with the exception of Kerberos, and binds with NDS only through the LDAP interface. SBR runs on Windows as a service and is administered through a Win32 API-based custom management application.

We liked SBR's easy-to-use server administration and user-friendly interface. We didn't have to drill deep into various categories to configure the server, as we did with NavisRadius and Cisco's ACS, and the categories were easy to figure out. For example, we easily set up tunneling-based authentication for VPNs and firewalls, taking the complexity out of complex security interfaces. These tunnels enforce restrictions based on attributes, like NAS IP address, NAS type, number of concurrent sessions the tunnel can support and called-station ID. However, as with the other products we tested, we had to configure advanced settings, such as EAP definitions, using a text-based file that requires a server restart to enact changes.

We liked Funk's LCI (LDAP Configuration Interface), which let us administer SBR using LDAP commands. The LDAP schema is fixed because the LCI is a gateway/wrapper between the commands and the internal database. LCI also was used to link our external LDAP server with SBR. It facilitates binding with the Windows Domain when SBR runs on a workgroup machine.

To our delight, SBR supports IP address pool management. We used the radius.ini file to ensure that the address pools were kept mutually exclusive and to avoid IP address overlap across multiple realms. The ability to allocate IP address pools based on NAS device gave us granularity in authorizing clients with respect to network resources.

Although navigation and administration were simple, to administer the server remotely we had to install the Win32 Server Configuration API on every remote computer. Or you could run SBR from a terminal server and use Terminal Service clients for remote administration. In contrast, Cisco's ACS and Interlink's RAD-Series let you configure the server remotely from a Web page. Funk says SBR 5.0 will have a Web-based installer.SBR was the only server tested to support user-based accounting for EAP-TTLS (EAP-Tunneled Transport Layered Security) in anonymous mode. EAP-TTLS and EAP-PEAP (EAP-Protected EAP) use anonymous user names to set up tunnels and then encrypt all data in the tunnels. Most RADIUS servers can't extract accounting data from such sessions because the user credentials are hidden.

SBR doesn't support time quotas and native time-of-day enforcement, but honors time-of-day restrictions. You can impose session time-out and concurrent logon restrictions as attributes on individual user and group profiles. But SBR doesn't offer administrative or configuration audit logs; this could make it difficult to track and troubleshoot changes. The level of logging can extend to capturing each transaction the server makes apart from the standard accepts, rejects and discards, and also to why the requests were rejected.

Our favorite reporting feature in SBR is its ability to tie server statistics to the Windows Performance Monitor. This one-stop shop provides an overall perspective of server-resource use. Even the management interface has a real-time counter of server stats. The display session tab is a brilliant reporting tool; we used it to keep track of how the server was handling multiple session threads.

SBR's advanced feature set, however, is underwhelming. One major disappointment is its lack of SNMP support. And there's no explicit communication with the DHCP server to take advantage of capabilities like requesting an address from a specific scope based on the user, NAS or any other identifiable differentiator.

RAD-Series was the only server we tested on Linux, and its performance score was a jaw-dropping 1,900 transactions (authentication and accounting) per second against Windows AD. Interlink also sent its Secure XS server, which runs on Windows and focuses on securing WLANs, but the product didn't fit the scope of this review.The RAD-Series performed well overall but fell short in security and policy management. And we were disappointed with its reporting and presentation features. Installing and configuring the server, however, was a breeze compared with getting the open-source, Linux-based FreeRADIUS server up and running. The installation was similar to that of NavisRadius and SBR, except that it was text-based. We did need to set up a shared secret between the server manager on remote machines and the RAD-Series servers; the other products tested use SSL certificates to secure communications. We could administer our RAD-Series using a Web interface apart from the command prompt and telnet. We were impressed that the server could be managed through an SNMP workstation, too.

Configuring the RAD-Series to interface with Windows AD was no easy task--we had to edit the authfile and define LDAP scripts. Occasionally, when we restarted the server, the authfile would change its format and the server could not parse the content of the file properly. Interlink said this was because we tried to edit the file through both the text editor and the configuration manager. However, the server manager does have the intelligence to lock down the interface to only one administrative session in the entire network.

The RAD-Series doesn't support TACACS+. However, it supports a breadth of other authentication stores, using primarily LDAP for external systems, such as SecureID and Kerberos. We could define user configuration at the user and realm levels. ProLDAP, bundled with the RAD-Series, provided a scalable repository for authentication with support from complex policy implementations, including check and deny lists.

The RAD-Series' ability to support two-phase TTLS authentication was an unexpected bonus, and the product extends the two-phase authentication even to PEAP. That means each session authenticated against two user profiles, the first to set up the tunnel and the second to authenticate the user.

We liked RAD-Series' "attribute pruning." This security enhancement lets the server remove irrelevant attributes in its response to NAS devices, reducing the danger of packets carrying superfluous information, which can be exploited if intercepted. The RAD-Series has solid support for time-of-day restrictions, but it doesn't have algorithms to enforce time quotas. Interlink says this could be enabled with its extended SDK.The RAD-Series server didn't give us a comprehensive view of server statistics. It lacks a vital real-time element to let you keep track of what's happening, especially when troubleshooting. However, the product does track sessions and identifies who connected to which realm and for how long, though unlike SBR it doesn't show all the active sessions across multiple RADIUS clients. We were able to stop any session from the server manager interface.

RAD-Series AAA RADIUS Server. Interlink Networks, (734) 821-1200. www.interlinknetworks.com

The Cisco Secure ACS is robust. It's feature-rich, its capabilities are top-notch, and if you run a Cisco shop, integration will be seamless. But it's just not flexible enough. To start with, we couldn't reconfigure the authentication and accounting ports; they stay assigned to UDP 1645.1646,1812 and 1813. If, owing to security reasons or some mishap, the old and new authentication ports are being used by another program, ACS will not respond to any authentication request.

ACS performed as expected in authenticating users against our various ID stores and paid special attention to TACACS+, good news for users who need access to crucial infrastructure elements. But it lagged in accommodating the Kerberos authentication system, and it doesn't support EAP-TTLS. On the other hand, its support for token-based authentication systems is exhaustive: SafeWord, PassGo, CryptoCard, ActivCard, Vasco and SecureID.

Being a Cisco product definitely gave ACS an edge in NAS support. Its ability to download ACLs (access-control lists) to Cisco NAS devices provides more granular control over client access to the network, but it locks you down to Cisco gear.

We administered ACS through a Web page and found its capacity to secure the Web site with SSL useful. The interface was the most intuitive among the products we tested. Every section has a brief description of the options that can be configured or managed from that specific level, and the Web interface has enough depth to configure all aspects of the RADIUS server. We never had to use the text editor or the command prompt.

We could authenticate against multiple ID stores at the same time and noticed that ACS cached authentications against external databases and, by default, restricted the number of users allowed to connect from a group to the IP address pool assigned to the group. This meant that the ACS did not interface with--or take advantage of the advanced capabilities of--our local DHCP server.

ACS' security and policy-management capabilities are top notch. ACS and NavisRadius are the only servers to support time-quota enforcement and time-of-day restrictions both on user and group profiles. We easily configured account-disablement rules based on time thresholds and number of failed attempts. And we could assign different passwords for the same user profile based on the front-end authentication mechanism. ACS also has the unique capability to let users listed in its native database change their access passwords through a Web page.ACS' reporting capabilities are only so-so. Cisco recommends customers use third-party reporting tools to manage report data. Logs collected were made available in CSV files categorized by type of event. One report type unique to ACS is the "administrative audit," which keeps track of all activities on the server based on the administrative login. CSMon, an advanced feature that caught our eye, keeps track of the server's health and triggers predefined responsive action based on the event.

ACS earns a spot among elite enterprise RADIUS servers by being a pioneer in introducing VoIP support. VoIP user configuration doesn't specify any password, and VoIP accounting/logging is isolated from the other accounting logs. This helps differentiate VoIP users and manage their network access according to their needs.

RadiusNT 5.0 is a component of IEA Software's Emerald management suite; the standard, professional and enterprise versions sell for a fraction of the price of the other servers reviewed. We tested the full-featured enterprise edition, which includes LDAP authentication and support for major token cards. Installation was nearly problem-free, but RadiusNT comes bundled with the Emerald UI, and we had to install the Emerald SQL database. We were still able to interface with other databases, including Oracle, Sybase, MS SQL, MySQL and PostgreSQL, with the ODBC interface.

We administered RadiusNT via its Web-based configuration utility. The GUI was not intuitive--it took us a while to find certain server-configurable attributes. The server does come bundled with a RADIUS client to test the server configuration. And you can start the server from the command prompt in debug mode, which let us identify the root cause of failed authentication. The server was not as forthcoming, however, with support for authentication mechanisms, especially not with mutual-certificate-based mechanisms like TLS and TTLS. It did have adequate support for PEAP.

We were impressed with RadiusNT's time-quota enforcement: Every time someone signs on, that user's time bank is debited for time spent online. The session limit is sent in the authentication response to ensure users can't exceed their allotted times.

Reporting and logging aren't bright spots, though when the server used ODBC to interface with our SQL database, we could customize and query the accounting logs. We were intrigued by RadiusNT's VoIP accounting and its capacity to interface with other VoIP accounting databases. IEA Software said that VoIP support is primarily used to provide calling-card services once the RadiusNT is integrated with a billing platform.

SNMP support for remote monitoring is a handy option; we tracked the standard statistics, like accepts, rejects, declines, accounting starts and stops. RadiusNT also uses SNMP concurrency checking to prevent incorrect denials. Security features include keeping track of duplicate auth request and use of SSL certificates to maintain the integrity of LDAP communications.

Why do you need an enterprise RADIUS server? The proliferation of NAS devices and your users' need to stay connected over multiple links make administering a single database that will verify a user's credentials, apply permissions and restrictions, and track the user's access to network resources the only way to go.

We tested RADIUS server software from Cisco Systems, Funk Software, IEA Software, Interlink Networks and Lucent Technologies in our Syracuse University Real-World Labs. The software had to be compatible with Active Directory and SecureID, and capable of working in multiple connectivity scenarios. In our tests, we also examined standards compliance and interoperability, configuration management, security and policy management, reporting capabilities, advanced features, cost and performance.Each offering rose to the challenge. Lucent's NaviRadius earned our Editor's Choice award, thanks to its flexible pricing structure and ace standards compliance. But it was a tight race, and you can't go wrong with any one of these powerhouses.

FRANK ROBINSON is a systems associate at Syracuse University. Write to him at [email protected].

We tested RADIUS servers in our Syracuse University Real-World Labs on Dell PowerEdge 2450 PCs with 1 GB of RAM, 25-GB SCSI hard drives and 993-MHz dual processors. For our OSs, we ran Windows 2000 Server with SP4 and Linux 7.3.

We configured the servers to interface with multiple RADIUS clients, including a Cisco VPN 3000 concentrator, a Cisco Aironet 1100 access point and a Proxim AP-600 access point. We also used commercial RADIUS test utilities, such as NAS Simulator and Evolynx RADIUS Load Test, to emulate multiple authentication requests. The test utilities gave us the flexibility to check the servers' capacity to support legacy RADIUS clients.

Performance was highly dependent on which platform the server was running. Because the RADIUS servers were running on dedicated machines, we could stress-test them by generating multiple sessions until the server's CPU usage reached 90 percent to 95 percent. Maintaining the authentication request rate at this level let us observe the number of dropped requests. We then added multiple users but a single session, checking how efficiently the database served up user profiles. The results were similar to those of the single-user scenario. However, there was a noticeable difference in accessing external databases, but those results were dependent on the performance of the server into which the RADIUS proxied.

To emulate a real-world scenario, we made the test tools set up five simultaneous sessions while alternating between five valid users and two invalid users. To ensure a fair comparison, we had them all authenticate against Active Directory. IEA's RadiusNT, Lucent's NavisRadius and Cisco's ACS averaged 170 requests per second, while Funk's Steel-Belted Radius averaged 320 requests per second. Interlink's RAD-Series supported a whopping 1,900 requests per second! This blazing performance is primarily because of its Linux platform. But performance shouldn't dictate your choice, because, on average, the server will handle no more than 90 to 120 requests per second at peak times. All the servers we tested cleared that threshold with ease.We verified that the servers supported RFC2865 to RFC2869 (RADIUS specifications) and RFC 2716 (EAP definitions). We also examined how well the server addressed CERT Advisory CA-2002-06, which identifies denial-of-service vulnerabilities on the RADIUS server.

Finally, we evaluated how well the server meets the demands of enterprise IT departments and what features it provides beyond the standard specification, such as embedded packet-inspection tools, SNMP and DHCP server support, utilities to obtain digital certificates, e-mail alerting on events, provisioning of test utilities and VoIP (voice over IP) support.