> -----Original Message-----
> From: Jesus Gonzalez [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 4 February 2000 11:21 AM
> To: [EMAIL PROTECTED]
> Subject: RADIUS question
>
>
> Hi All,
> 2 questions;
> Our VPN switch requires a RADIUS server (well, it's highly suggested),
> although it does include an LDAP server built in. So my
> questions are;
>
> 1) what are the pros and cons of RADIUS vs. LDAP for
> authentication (and
> accounting, I suppose), and
Um, they're different. LDAP is a directory thing and RADIUS is a remote
authentication thing. I don't know if I can easily explain the
difference... Basically, RADIUS does everything you probably want -
authenticates users, does accounting and authorisation. By itself, it's
self-contained. You need to enter dial-in users' details and credentials into a
standalone RADIUS server and maintain it separately.

LDAP is usually a big central directory. If you wanted to do the same thing
with LDAP then you'd be using services that talked to the directory (and to
the VPN box) in languages that they each understood. In other words, you
might have a RADIUS (or TACACS+ or whatever) service that gets its user
authentication / authorisation data from the LDAP directory.

However, if your VPN box groks LDAP, and you have an LDAP directory in your
network then you may not need RADIUS at all. Sounds like you're using NT4
though - if so, you don't have an LDAP directory.
> 2) NT server includes a RADIUS server in Option pack 4.
> Aside from the
> anti-microsoft sentiments, is this a viable solution? Is
> there an industry
> 'standard' that perhaps Microsoft's does not conform to, etc?
Sorry, dunno. The RADIUS server in W2K seems to work fine to me, though, and
integrates with the Active Directory (LDAP) fairly nicely.

RADIUS is the weaker of the two main services used for this kind of thing.
If you don't trust your internal LAN, use TACACS+ or IP level encryption
between the VPN box and the directory server.
>
> Thanks again in advance!
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
Cheers!
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520