Of course, security features and policies won't work if you can't manage them. We evaluated the various rules that could be enforced through the server, with particular emphasis on time-of-day restrictions by user, group or role. All the products we tested except Funk's Steel-Belted Radius implement these restrictions. We also looked for time-quota enforcement, which lets you cap how long a user or group can access the network through the RADIUS server. Lucent's and Cisco's software support time quotas. All the products support restrictions based on the number of simultaneous logons, at the user or application level.
Most of the RADIUS servers we tested use a SQL database to store and access user profiles via ODBC or JDBC. Database integration is crucial for handling the masses of data collected for accounting and event logging. And what good is all that data if you can't slice, dice and report on it? We looked at the tools provided to present information, how dynamic that information is and what tasks can be performed with it.
Beyond these basics, we rated the servers' proactive participation with network-management systems. We took the complexity of enabling valuable e-mail alerts into consideration, for example. Implementing e-mail alerts was smooth in Cisco's and IEA Software's servers, but enabling the functionality in Lucent's server was no walk in the park. We also evaluated certificate-request utilities, which let the RADIUS server request a certificate and receive it back signed; here, Lucent, Cisco, Funk and Interlink came through. VoIP (voice over IP) accounting capabilities were rare, found only in Cisco's and IEA Software's offerings.
As for how much all this will cost, vendors recognize that customers differ in RADIUS use. (For prices, see the features chart on page 86.) Lucent, for example, offers an alternate pricing scheme if the primary use of the RADIUS server is to provide wireless access. This flexible pricing combined with top-notch standards compliance made Lucent's NavisRadius Authentication Server our Editor's Choice. But the spread between our first- and last-place finishers was not even half a point. Depending on your needs, you can't go wrong with any of them.
NavisRadius takes a balanced approach to enterprise AAA requirements. It is the only RADIUS server we tested to include a JDBC API to interface with SQL databases. Managing the bundled Sybase database with the product's SMT (Server Management Tool) and the JDBC plug-in was simple. And the form-based PolicyAssistant gave us elaborate control over the server configuration (earlier versions allowed such control only through the persnickety PolicyFlow AAA programming language). Thanks to its Java roots, SMT ports quite well onto multiple platforms. Remote administration, though requiring an independent installation, was not much of a hassle once we made sure Java 2 was installed and running. SMT's user interface worked well; we didn't encounter the time lags characteristic of Java-based APIs.
The product's PolicyFlow language is both a boon and a bane. It's not a true programming language, like C++ or Java, but more of a scripting toolkit that provides access to the processing steps of the RADIUS server. These steps determine how requests will be handled, gather information from user records, decode realms and so on. If you have the time to learn the nuances of the toolkit, you'll gain detailed customization. However, we found the toolkit unforgiving: specify one wrong attribute and you'll spend a long time debugging. Learn from our pain: Tinker with the plug-ins and methods only if you have a big problem to solve. SMT offers enough flexibility for configuring standard RADIUS variables.