Ronneil Camara <[EMAIL PROTECTED]> wrote:
> I'm setting up a lab now. I'll be installing ACE server and have it
> pointed to a radius server for authentication. I'm planning to use
> freebsd. Has anyone tried icradius to run on a freebsd? And will it be
> able to talk to the ACE server? Or maybe, you can just suggest me an
> opensource radius server that is able to talk to ACE server with no problems.

Hi Ronneil,

As Simon and Tajeshwar noted (from different sides of the world), RSA's
ACE/Server has shipped for many years with an integrated RADIUS server --
in recent years, a Livingston 2.0 RADIUS server. You can even manage your
RADIUS and ACE/SecurID user accounts from a single database.

There were a lot of efforts to improve performance, streamline
administration, and offer new optimized config options -- among them, an
option for storing ACE user records in an LDAP Directory -- in the new
ACE/Server 5.0 that RSA just began shipping. 5.0 also has a new RADIUS
server, which RSA engineers developed in-house, which is said to offer a
400 percent improvement in throughput over the Livingston code, and be more
RFC compliant. RSA also slipped in a RADIUS-specific config utility which
allows a customer to tune for his site and environment. He can even
customize (or internationalize) the RADIUS prompts.

If you are setting up a lab, you might want to look rather closely at the
capabilities of this new ACE/Server. Depending on the size of the network
you are developing for, the 5.0 ACE/Server might make a significant
difference in your options for network design, expansion, and
management. [Datasheet at:
<http://www.rsasecurity.com/products/securid/rsaaceserver.html>]

On the management end, most ACE Admins -- whatever the size of their
network -- will cheer 5.0's new webified Help Desk facility, for quickly
dealing with the users' Tier One problems.

The 5.0 ACE/Server is backwards-compatible with the earlier ACE/Agents --
both those from RSA itself, and those which ship embedded in some 250
third-party products -- but 5.0 also introduces RSA's long-promised
RC5/128-bit second generation ACE protocol.

The new ACE protocol will require a new generation of 5.0-compatible
ACE/Agents to take full advantage of its capabilities to enhance, as well
as secure, the traditional ACE/SecurID authentication service, but the
return on the upgrade hassle will be worth it on many networks.

(The new ACE/Server CD ships with 5.0-compatible ACE/Agents for Unix:
Solaris 2.5, 2.6, 7 and 8; HP-UX 10.20 and 11.0; and AIX 4.3.3. Later this
year, RSA is scheduled to release new 5.0-compatible ACE/Agents for
Windows, NT and 2K, and for Apache on Redhat Linux. Additional
5.0-compatible ACE/Agents are planned, and some customers will probably
charter RSA Consulting to do some custom ACE/Client development.)

In globe-girding enterprise networks with multiple realms, and with
multiple ACE/Servers in each realm -- 5.0 can scale up to 20 realms, with
up to 10 operational database replicas in each -- RSA's new ACE/Agents can
now detect and track the relative response times of the ACE/Servers and
replica servers. This allows the Agents to load balance: to actively route
incoming SecurID authentication requests to wherever they can be most
efficiently handled.

A network manager can even define his own load-balancing priorities by
defining a pick list in the ACE/Server configuration file. (RADIUS users
like your folks, Ronneil, can do the same using RADIUS hunt groups.)

Hope this helps. (I disagree, btw, that this subject is off-topic. User
authentication -- in all of its technical manifestations -- has been close
to the core of firewall design and implementation concerns since the
Intrepid Pioneers began playing with barriers and filters at the Digital
and AT&T gateways. One might as well cuss TCP/IP as "off-topic.")

Suerte,
_Vin

PS. Please discount my enthusiasm appropriately. I've been a consultant to
RSA since the late Paleolithic era -- and this particular ACE/Server has
features which I (and many veteran ACE Admins;-) have been asking for, on this
List and elsewhere, for a long time.

"Cryptography is like literacy in the Dark Ages.
Infinitely potent, for good and ill... yet basically an
intellectual construct, an idea, which by its nature
will resist efforts to restrict it to bureaucrats and
others who deem only themselves worthy of such
Privilege." _A Thinking Man's Creed for Crypto _vbm

* Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]> *
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls