One of the coolest new features available with ISA 2004 is RADIUS authentication for Web Publishing rules. So, why is this a big deal? Why is this even necessary?
Here's the list off the top of my head:
Web Browsers don't understand RADIUS as an authentication type, so ISA challenges the client for Basic authentication credentials, then creates a RADIUS Access Request packet that it sends to its chosen RADIUS server. If the RADIUS server responds with an Access-Accept, then the user is allowed through; an Access-Reject predictably causes authentication to fail. Assuming the user is successfully authenticated, Basic Delegation can then be enabled to allow the previously submitted credentials to be forwarded directly to the published Web Server, allowing a single-sign-on-like experience.
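The Basic-to-RADIUS hand-off described above, sketched at the wire level following RFC 2865. This is an added example, not ISA Server's own code: the function names are hypothetical, the secret and credentials in any call are constructed, and the NAS-IP-Address/NAS-Identifier attribute and the UDP transport are left out.

```python
import base64, hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2        # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2             # RFC 2865 attribute types

def parse_basic(header):
    """Split an 'Authorization: Basic ...' value into (user, password)."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")   # password may contain ':'
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password

def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 section 5.2): XOR with chained MD5."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def attribute(attr_type, value):
    """Encode one type-length-value attribute (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(header, secret, identifier, authenticator=None):
    """Turn the browser's Basic credentials into an Access-Request packet."""
    user, password = parse_basic(header)
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = attribute(USER_NAME, user.encode()) + attribute(USER_PASSWORD, hidden)
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return head + authenticator + attrs

def is_access_accept(reply, request, secret):
    """True only for an Access-Accept whose Response Authenticator verifies."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code == ACCESS_ACCEPT and hmac.compare_digest(expected, reply[4:20])
```

The password is protected on the RADIUS leg only by the MD5-based hiding keyed with the shared secret, and on the browser leg only by whatever transport carries the Basic header.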
So - the short version: decoupling authentication from the underlying Windows infrastructure has some real benefits for some scenarios.
Possible drawbacks as I see them:
So, my take is that it's a really useful feature. Adds a nice big tick to the "plays well with others" column.