Test RADIUS server

xiaoxiao 2021-03-06

In the past, RADIUS was used mostly for remote dial-up access, but in future corporate networks it will be used more for Ethernet access and wireless LAN access, so choosing a good RADIUS server will become more important. A laboratory in the United States decided to assess enterprise RADIUS servers. It required the products to support Microsoft Active Directory and RSA Security SecurID, and to connect to a variety of clients, that is, NAS (Network Access Server) devices such as dial-up servers, VPN concentrators, WLAN access points and firewalls. Products from Cisco, Funk Software, IEA Software, Interlink Networks and Lucent took part in the test.

Raw RADIUS performance is what users care about, such as how many requests a server can accept and how many transactions it can handle. At the same time, compliance with the standards and good interoperability with access control devices are important indicators of the quality of a RADIUS server. In the test, all products conformed to the RADIUS specification and the EAP (Extensible Authentication Protocol) definitions. However, to find out which authentication mechanisms and back-end authentication stores were supported, the testers carried out a more in-depth study. For interoperability, they tested how the servers worked with a variety of RADIUS clients (including access points, VPNs and dial-up servers). They scored each product's configuration management on how difficult it was to create user and workgroup profiles and how flexibly users' proprietary attributes could be configured.

Security was also a focus. The testers looked at how security and integrity are guaranteed during communication with NAS devices. In addition, RADIUS lets the administrator implement many security management features and policies. To this end, the testers evaluated the different rules that can be enforced through the RADIUS server, focusing especially on time-period restrictions applied to users, user groups or roles. They also checked whether each product supports mandatory time quotas, a feature that lets network administrators limit how long a user or user group can have access through the RADIUS server.

Most of the participating RADIUS servers store and access user profiles in a SQL Server database through ODBC or JDBC. Database integration is critical to processing the large amount of data collected in accounting and event logs. If the network administrator cannot analyze and report on the data, the data is meaningless, so the test looked at how information is displayed, how dynamic it is, and what tasks can be performed with it.

In addition to the basic characteristics above, the testers also tested the additional functions of the RADIUS servers. They evaluated how the servers work with network management systems. For example, they assessed the complexity of implementing email alarms. Implementing an email alarm went very smoothly with Cisco and IEA Software, but was not so easy with some of the other products. The testers also assessed the certificate request tool, which allows a signed certificate to be issued to the requesting RADIUS server. Products with a VoIP accounting feature are rare; only the Cisco and IEA Software products have it.

Test Method

To test the RADIUS servers, the testers set up a near-real test environment. They configured each server to connect to multiple RADIUS clients, including a Cisco VPN 3000 concentrator, a Cisco Aironet 1100 access point and a Proxim AP-600 access point. They also used commercial RADIUS test utilities such as NAS Simulator and Evolynx RADIUS Load Test to simulate multiple authentication requests. These test utilities gave the testers the ability and flexibility to check how the servers support RADIUS clients. Performance depends on the platform on which the server runs.

Because many RADIUS servers run on a dedicated machine, the testers could perform stress testing: they generated multiple sessions until the server's CPU utilization reached 90% to 95%. Keeping the authentication request rate at that level let the testers observe the number of requests handled. Then the testers added multiple users while adding only one session, to check how efficiently the database handles user profiles. The results were similar to those of the single-user scenario. There was, however, a significant difference when accessing an external database, although those results depend on the performance of the server that the RADIUS proxy connects to.

To simulate real-world conditions, the testers had the test tools establish five parallel sessions while alternating between 5 valid users and two invalid users. To ensure a fair comparison, the testers had all products authenticate against Active Directory. IEA's RadiusNT, Lucent's NavisRadius and Cisco's ACS averaged 170 requests per second, while Funk's Steel-Belted Radius processed 320 requests per second. Interlink's RAD-Series actually supported a surprising 1900 requests per second; this high performance is mainly due to its Linux platform. However, performance should not be the only basis for a network manager's choice, since on average the Interlink server handles no more than 90 to 120 requests per second. All servers tested easily cleared this threshold.

The testers verified whether the servers support RFC 2865 through RFC 2869 (the RADIUS specifications) and RFC 2716 (the EAP specification). They also examined whether the servers comply with CERT Advisory CA-2002-06, which identifies denial-of-service vulnerabilities in RADIUS servers.

Finally, the testers evaluated how well the servers meet the needs of a corporate IT department and provide features beyond the standard specification, such as embedded packet inspection tools, SNMP and DHCP server support, digital certificate acquisition tools, event alarm email, test utility configuration and VoIP support.

RADIUS Working Principles

RADIUS was originally designed to authenticate and bill dial-up users. After many improvements it became a general-purpose authentication and accounting (billing) protocol. RADIUS is a client/server protocol. The client was originally the NAS server, but now any computer running RADIUS client software can be a RADIUS client.

When reposting, please cite the original address: https://www.9cbs.com/read-88119.html