16 Chapter 1 Authentication services NN46110-600

With user- and group-specific profiles, you can group common attributes while preserving the flexibility to make exceptions for individual users. The product features and network access that apply to a user are controlled by the user identity, rather than by the source IP address or another mechanism. This is necessary to support mobile users and users coming from other organizations.

LDAP

The Lightweight Directory Access Protocol (LDAP) emerged from the X.500 directory service. LDAP is gaining acceptance as the directory model for the Internet. Microsoft*, Netscape*, and Novell* all support LDAP in their directory service strategies. LDAP is based on directory entries; it has an Internet person schema that defines standard attributes and you can extend it to include other attributes. A directory service is a central repository of user information; for example, the VPN Router supports the following elements using LDAP:

• groups
• users
• filters
• services

RADIUS

Remote Authentication Dial-In User Services (RADIUS) is a distributed security system that uses an authentication server to verify dial-up connection attributes and authenticate connections. RADIUS is commonly used for remote access authentication.

Many security systems are configured with a RADIUS front end to facilitate remote access authentication. RADIUS is also the most common authentication mechanism used by ISPs. Novell NDS*, Microsoft Windows NT* Domains, and Security Dynamics ACE Server* all support RADIUS authentication. Windows NT Domain authentication controls access to NT file servers and other resources on NT networks. The RADIUS server provides a place to store user passwords, because users generally remember their file server passwords.
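The user- and group-specific profile model described at the start of this section can be sketched as follows. This is an added example, not code from the manual or the product: it resolves a user's effective attributes from group entries and reports the per-user exceptions an administrator would review. The parent-linked group hierarchy and all DNs, attribute names and values are assumptions constructed for illustration.

```python
# Constructed sample directory. The parent-linked layout and every DN,
# attribute name and value below are hypothetical, for illustration only.
DIRECTORY = {
    "ou=Base": {"parent": None, "attrs": {
        "filter": "deny-all", "idle_timeout_min": 15, "split_tunneling": False}},
    "ou=Engineering,ou=Base": {"parent": "ou=Base", "attrs": {
        "filter": "permit-internal", "idle_timeout_min": 30}},
    "ou=Partners,ou=Base": {"parent": "ou=Base", "attrs": {
        "filter": "partner-extranet-only"}},
    "uid=alice,ou=Engineering,ou=Base": {"parent": "ou=Engineering,ou=Base",
                                         "attrs": {"split_tunneling": True}},
    "uid=bob,ou=Partners,ou=Base": {"parent": "ou=Partners,ou=Base", "attrs": {}},
}


def effective_profile(directory, dn):
    """Merge attributes from the root group down to `dn`; nearest entry wins.

    Returns (attrs, origin) where origin maps each attribute to the entry
    that supplied its final value.
    """
    chain, seen = [], set()
    while dn is not None:
        if dn in seen:
            raise ValueError(f"inheritance loop at {dn!r}")
        if dn not in directory:
            raise KeyError(f"unknown directory entry {dn!r}")
        seen.add(dn)
        chain.append(dn)
        dn = directory[dn]["parent"]
    attrs, origin = {}, {}
    for entry in reversed(chain):          # root group first, user entry last
        for name, value in directory[entry]["attrs"].items():
            attrs[name], origin[name] = value, entry
    return attrs, origin


def user_exceptions(directory, user_dn):
    """List per-user overrides as {attribute: (group_value, user_value)}."""
    inherited, _ = effective_profile(directory, directory[user_dn]["parent"])
    own = directory[user_dn]["attrs"]
    return {k: (inherited.get(k), v) for k, v in own.items() if inherited.get(k) != v}


if __name__ == "__main__":
    for user in ("uid=alice,ou=Engineering,ou=Base", "uid=bob,ou=Partners,ou=Base"):
        attrs, origin = effective_profile(DIRECTORY, user)
        print(user, attrs, "exceptions:", user_exceptions(DIRECTORY, user))
```

The resolved profile depends only on the directory entry for the authenticated identity, so the same user receives the same attributes from any source address, and `user_exceptions` gives a short list of individual overrides to audit.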