one note: LDAP is a directory access protocol, not a
directory. one can have a RADIUS server implementation
that accesses a directory, perhaps using LDAP to do so.
you could also stick policy information in a directory; this
could be used by the authentication server at run-time to
determine the response to an authentication request.

since an LDAP implementation in an end-device may not
have any logic to implement policy, you may have to
implement such logic on the switch itself or on a server,
and RADIUS is a choice for a communications protocol
between the end device(s) and such a server.

-paul

--On Monday, 07 February, 2000 10:09 +1030 Ben Nagy <[EMAIL PROTECTED]> wrote:

>> -----Original Message-----
>> From: Jesus Gonzalez [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, 4 February 2000 11:21 AM
>> To: [EMAIL PROTECTED]
>> Subject: RADIUS question
>>
>>
>> Hi All,
>> 2 questions;
>
>> Our VPN switch requires a RADIUS server (well, it's highly suggested),
>> although it does include an LDAP server built in.  So my
>> questions are;
>>
>> 1) what are the pros and cons of RADIUS vs. LDAP for
>> authentication (and
>> accounting, I suppose), and
>
> Um, they're different. LDAP is a directory thing and RADIUS is a remote
> authentication thing. I don't know if I can easily explain the
> difference....Basically, RADIUS does everything you probably want -
> authenticates users, does accounting and authorisation. By itself, it's
> self contained. You need to enter dialin user's details and credentials
> into a standalone RADIUS server and maintain it separately.
>
> LDAP is usually a big central directory. If you wanted to do the same
> thing with LDAP then you'd be using services that talked to the
> directory (and to the VPN box) in languages that they each understood.
> In other words, you might have a RADIUS (or TACACS+ or whatever) service
> that gets its user authentication / authorisation data from the LDAP
> directory.
>
> However, if your VPN box groks LDAP, and you have an LDAP directory in
> your network then you may not need RADIUS at all. Sounds like you're
> using NT4 though - if so, you don't have an LDAP directory.
>
>> 2) NT server includes a RADIUS server in Option pack 4.
>> Aside from the
>> anti-microsoft sentiments, is this a viable solution?  Is
>> there an industry
>> 'standard' that perhaps Microsoft's does not conform to, etc?
>
> Sorry, dunno. The RADIUS server in W2K seems to work fine to me, though,
> and integrates with the Active Directory (LDAP) fairly nicely.
>
> RADIUS is the weaker of the two main services used for this kind of
> thing. If you don't trust your internal LAN, use TACACS+ or IP level
> encryption between the VPN box and the directory server.
>
>>
>> Thanks again in advance!
>> -
>> [To unsubscribe, send mail to [EMAIL PROTECTED] with
>> "unsubscribe firewalls" in the body of the message.]
>
> Cheers!
>
> --
> Ben Nagy
> Network Consultant, CPM&S Group of Companies
> PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520


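The thread above describes the split in words: the VPN box (the NAS) speaks RADIUS to a server, the server checks credentials and policy against a directory (over LDAP in a real deployment), and Ben notes that RADIUS itself is the weaker of the two protocols on the wire. The following is an added example, not code from the thread or from any product mentioned in it, that carries the exchange through in Python: an Access-Request built by the NAS with the RFC 2865 User-Password hiding, a server that recovers the password, looks the user up and applies a policy attribute at run time, and a Response Authenticator the NAS checks before trusting the reply. The shared secret, the user entries and the `vpn_allowed` policy flag are constructed for the example; the in-memory `DIRECTORY` dict stands in for the LDAP lookup a real server would perform.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed shared secret; in practice configured on both the NAS and the server.
SHARED_SECRET = b"example-shared-secret"

# Constructed stand-in for the directory a RADIUS server would query over LDAP:
# credentials plus a policy attribute the server consults at run time.
DIRECTORY = {
    "alice": {"password": b"correct horse", "vpn_allowed": True},
    "bob":   {"password": b"hunter2",       "vpn_allowed": False},
}


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to a multiple of 16 octets (at least 16), then XOR
    each block with MD5(secret + previous ciphertext block); the first block is
    keyed with MD5(secret + Request Authenticator)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Header: Code, Identifier, Length, 16-octet Authenticator; then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Validate the Length field and walk the attributes; rejects truncated TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", packet[i:i + 2])
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[i + 2:i + l]))
        i += l
    return code, ident, packet[4:20], attrs


def nas_access_request(username, password, ident=1):
    """NAS side (the VPN box): fresh random Request Authenticator, hidden password."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def radius_server(packet):
    """Server side: recover the password, consult the 'directory' for credentials and
    policy, and sign the reply with the Response Authenticator (RFC 2865 s3)."""
    code, ident, request_auth, attrs = parse_packet(packet)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in fields or ATTR_USER_PASSWORD not in fields:
        raise ValueError("expected an Access-Request with User-Name and User-Password")
    username = fields[ATTR_USER_NAME].decode()
    password = unhide_password(fields[ATTR_USER_PASSWORD], SHARED_SECRET, request_auth)
    entry = DIRECTORY.get(username)  # the lookup a real server would do over LDAP
    ok = (entry is not None
          and hmac.compare_digest(entry["password"], password)
          and entry["vpn_allowed"])       # policy attribute applied at run time
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # this reply carries no attributes.
    resp_auth = hashlib.md5(header + request_auth + SHARED_SECRET).digest()
    return header + resp_auth


def nas_verify_response(response, request_auth):
    """NAS checks the Response Authenticator before acting on the reply; returns the code."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch; reply was not produced with the secret")
    return header[0]


def authenticate(username, password):
    """Full exchange: NAS request, server reply, verified reply code back at the NAS."""
    request, request_auth = nas_access_request(username, password)
    return nas_verify_response(radius_server(request), request_auth)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "hunter2")]:
        print(user, "Access-Accept" if authenticate(user, pw) == ACCESS_ACCEPT else "Access-Reject")
```

Running the block shows alice accepted with the right password, rejected with the wrong one, and bob rejected even with the right password because the policy attribute in the directory says no. Note that both the password hiding and the reply check depend entirely on MD5 over the shared secret and the 16-byte Request Authenticator, which is the kind of weakness behind the advice above to use TACACS+ or IP-level encryption when the path between the VPN box and the server is not trusted.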
