Network administrators who try to balance a secure network and one that's easy to access now can do both and still get home from work on time. The technology that makes this possible is Remote Authentication Dial-In User Service, or Radius.
A method of exchanging security information -- such as user IDs and passwords -- between a remote-access device and an authentication source, Radius acts as an authentication gateway between remote-access devices and existing LAN security implementation.
A standard created by Livingston Enterprises, in California, Radius is supported by a slew of remote-access and firewall devices from major vendors, such as 3Com, Ascend Systems, Bay Networks, Cabletron Systems, and Cisco Systems. In fact, it is likely that your existing remote-access devices are already Radius enabled. Some software-only products -- such as those from Microsoft, Novell, and Funk Software -- also boast Radius support.
If you're not using Radius and your remote-access devices support it, you owe it to yourself (as well as your remote users) to tap into this resource.
Why not just use a remote-access device's security features to authenticate users? Because all that information is already established for your LAN access. Why go through the pain of creating and maintaining another authentication source when you already have one?
Radius allows you to exchange necessary security information between a remote-access device and an your existing authentication source. As such, it functions as an authentication gateway between those devices and your existing security implementation.
Using Radius also means that your users don't have to remember different passwords at the office, at home, and on the road. Users have just one password no matter how or from where they're accessing the network. And network managers don't have to maintain multiple access lists: one for the LAN, another for the remote access server, and yet another for the firewall.
If you have one remote-access device that provides access to a highly secure area of your network, where only a handful of key people have access, it would probably be best to use device-level security rather than offloading the chore to Radius. But for common remote access, Radius make life easier for everyone.
A single Radius server can handle all remote-access requests for all remote-access servers in a single location. Geographically dispersed offices can share a single Radius server if they are connected by a high-bandwidth wide area link.
Because Radius uses existing LAN security to provide access, it also consolidates access management tasks. By centralising administration across the various remote-access devices on your network, you won't have to maintain security information on each device.
Radius also offers support for caller accounting and reporting features. This is useful for gathering information on each dial-in user that can be used for error tracking, generating history reports of dial-in sessions, and reporting on your company's remote-access usage statistics.
If you decide to deploy a Radius server, you have a variety of options. There are utilities available from Microsoft and Novell that integrate with their NOS and server suites, and even a variety of shareware products available for free.
But the best Radius implementation I've tested is Funk Software's Steel-Belted Radius. Steel-Belted Radius isn't inexpensive, but it does support the broadest range of remote-access devices and authentication sources on the market.
A need for consolidated management of disparate remote-access devices and the ability to use your existing security source for remote authentication are the most compelling reasons to deploy a Radius server on your network. The broad range of device support and server-platform options make the implementation of a Radius server all the more attractive. More security, less management overhead: that's what Radius is all about.
Dennis Williams is a writer and network consultant based in Alpine, Utah. He can be reached at firstname.lastname@example.org.