by Alyson Behr

Network Engines drives steel-belted user authentication

Feb 20, 2004

Appliance running Funk Software's RADIUS server is a boon for IT and accounting departments alike

See correction below

RADIUS servers for remote-user authentication, authorization, and accounting can make life easier for corporate system administrators and accounting departments.

With a RADIUS server in place, administrators have to maintain only one database for authorization purposes, thereby greatly reducing their workloads. Similarly, the detailed billing logs provided by RADIUS servers simplify life for the accounting department.

To authenticate service requests from users dialing in to a network, the RADIUS server takes data passed from a NAS/RADIUS client, matches it to a designated database, and authorizes the user’s service request. After the connection closes, the server logs user information and the duration of the transaction for billing and accounting purposes.

Network Engines’ Steel-Belted RADIUS Enterprise Edition Appliance Version 2.0, which runs Version 4.5 of Funk Software’s Steel-Belted RADIUS (SBR) Enterprise Edition software, is well suited to take on anything an enterprise or reasonably busy ISV can dish out. It scales to handle as many as 400 RADIUS packets per second and supports major enterprise OSes, such as Unix and Windows NT, XP, and 2000 Professional.

If you’re in the market, important additions to this version make SBR a worthwhile investment. By hardening the Windows 2000 Professional OS, Funk has increased the SBR’s security: Services that the appliance doesn’t require have either been disabled or removed. Other added features include support for Cisco PEAP (Protected Extensible Authentication Protocol) and EAP-TTLS (EAP Tunneled TLS) accounting, which improves account tracking when a user logs in anonymously. Version 4.5 also features improved reject-logging functions and improved authorization for Windows Groups and source IP access.

The Network Engines appliance arrives with the Funk SBR software preinstalled on the 866MHz Pentium III appliance, a time-saver for the system admin.

The appliance boasts a compact 1U rack-mount form factor. I dropped it into a rack relatively easily. Besides the standard mouse, keyboard, monitor, and serial ports, there are two Ethernet and two USB ports located on the back panel. Its front panel offers a well-cloaked CD-ROM and an easily accessible LED, which you can use to turn on the unit and to configure it.

Communication between the RAS (Remote Access Service) client and RADIUS server follows a standard request/reply structure. The RADIUS packets are for authentication or accounting use. You must use compatible UDP (User Datagram Protocol) ports to successfully exchange packets. For example, a NAS must send authentication packets via the same port that the RADIUS server uses to receive them. You must use another port for passing accounting packets.

Adding servers and clients is relatively simple. Configuring the server requires you to input the IP address and the shared, secret alphanumeric string to be used by both the server and client. You also must specify device make and model and UDP port for packet transport. You need virtually the same info to configure clients.

The SBR software is flexible and customizable. It can authenticate using several different means, and it offers three different levels of logging detail. Native user authentication checks against accounts stored directly on the server, and OS pass-through authenticates from an NT security database such as SecurID or TACACS (Terminal Access Controller Access Control System).

Funk’s SBR can also direct authentication requests to another RADIUS server that acts as a proxy, or it can grant access externally, as through SQL or LDAP. Furthermore, it can perform authenticate-only requests, responding just with an Access Accept or Reject.

I liked the Tracelevel setting, which allows an administrator to decide whether packets should be logged as they are received and processed and what level of detail should be recorded.

Accounting and billing tools produce comma-delimited ASCII files that should be exported into a database or spreadsheet application for use. Expired logs are deleted, conserving disk space. Reporting capabilities are extensive; reports in Windows are generated in RTF. 

Although not cheap at $7,500, Network Engines’ SBR appliance is reasonably priced given its capabilities and is worth serious consideration. It provides a means for sifting out billing issues and simplifies life for system administrators by offering them the option of downsizing to one security database.

Correction

In this review, the name we provided for the product reviewed was originally incorrect. The product we evaluated was Network Engines’ Steel-Belted RADIUS Enterprise Edition Appliance Version 2.0, which incorporates Version 4.5 of Funk Software’s Steel-Belted RADIUS Enterprise Edition software.

InfoWorld Scorecard: Network Engines’ Steel-Belted RADIUS Enterprise Edition Appliance Version 2.0
Ease of use (25.0%): 8.0
Interoperability (25.0%): 9.0
Scalability (20.0%): 9.0
Value (10.0%): 8.0
Setup (20.0%): 9.0
Overall Score (100%): 8.7