Firewall Wizards mailing list archives

Re: LDAP and Strong Auth


From: "Guy D. Hadsall" <ghadsall () telcordia com>
Date: Tue, 16 Jan 2001 08:42:01 -0500



Jeff,

It's fairly easy to deploy the ACE/Server with an LDAP backend.  Having engineered
and deployed a few in the past makes it a lot easier.... but it's certainly not a
requirement.

The architecture of the ACE/Server product allows for the database to be
somewhat independent; thus you can redirect the ACE/Server AAA requests to one
of several backends.  From the quirky database they ship, to another ACE, or
RADIUS server, or to an LDAP schema, it's fairly easy once you get the data comm
issues resolved.  No incompatibilities concerning the schema either... it does not
have to be in the root of a tree.  Bored one evening we even played with latency
and scaling by distributing the network elements (ACE/Server, RADIUS, and
LDAP) through proxying and found it worked... though much slower as expected.

I've not deployed the SafeWord product.  Hopefully someone else will kick in on
it.

GuyH
Telcordia Technologies (yes, we used to have another more recognized name that
started with a B)

Jeff Newton <Jeff_Newton () pmc-sierra com> on 01/15/2001 07:07:02 PM

Please respond to Jeff Newton <Jeff_Newton () pmc-sierra com>

To:   firewall-wizards () nfr com
cc:    (bcc: Guy D. Hadsall/Telcordia)
Subject:  [fw-wiz] LDAP and Strong Auth

Has anyone deployed LDAP with SecurID or Secure Computing's SafeWord
Plus?  I am primarily interested in interoperability, and redundancy
issues.

As far as I can tell, RSA expects its ACE server to be the first point of
client authentication.  The ACE server either auths those with tokens
or retrieves passwords from the LDAP store.  SafeWord Plus looks like
it incorporates a v2/v3 LDAP directory server.

As for redundancy, I have never been a fan of ACE server's master and
slave topology, especially with many remote WAN-dependent offices.
SafeWord Plus is supposedly peer-to-peer.

I would welcome any advice or tales from the trenches on this topic
(offline if more appropriate).

Cheers,

----
Jeff Newton


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
