Radius Server

Started by LynK, March 28, 2018, 09:23:24 AM


LynK

What are you guys currently using?

Currently we are using a Microsoft NPS, and it has been pretty unreliable so far... I'm debating between standing up a new 2016 NPS, or giving FreeRADIUS a try.


Biggest needs are for infrastructure + wireless (multiple SSID) authentication.

Any other recommendations?
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

icecream-guy

Quote from: LynK on March 28, 2018, 09:23:24 AM
Any other recommendations?

TACACS+

RADIUS is an all or none Authentication protocol.

TACACS will provide you with Authentication and Authorization.

Move to TACACS+

We use Cisco ACS which is going EoL end of this year, I think.
ISE training going on this week.

My Moral Fibers have been cut.
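As an added example, not code from any poster or from any product named in this thread, the fragment below shows what RADIUS "authorization" actually consists of: a set of reply attributes attached to a single Access-Accept, decided once per session and enforced by the NAS. It uses FreeRADIUS 3.x `users` file syntax (mods-config/files/authorize) and also covers the per-SSID split asked about in the opening post. Every SSID name, VLAN ID, group name, account and password is hypothetical; it further assumes the ldap module is loaded so `LDAP-Group` is available as a check item, that the wireless controller appends the SSID to Called-Station-Id, that the peap module has `copy_request_to_tunnel = yes` so the inner request can see Called-Station-Id, and that inner-tunnel reply attributes are allowed to reach the outer reply (use_tunneled_reply or the post-auth update in sites-enabled/inner-tunnel).

```conf
# Added example (hypothetical names, not from any poster or project on this page).
# FreeRADIUS 3.x "users" file. Entries are evaluated top-down; the first line of
# an entry holds CHECK items (must all match), the indented lines hold REPLY
# items. Fall-Through = No stops processing at a matching entry.
#
# Assumptions: SSIDs CORP and GUEST, VLANs 20 and 99, LDAP groups wifi-corp and
# net-admins, ldap module loaded (provides LDAP-Group), wireless NAS sends
# Called-Station-Id as "<AP-MAC>:<SSID>", device logins arrive with
# NAS-Port-Type = Virtual (SSH/VTY). Adjust to what your NAS really sends;
# "radiusd -X" shows the incoming attributes.

# --- Wireless, corporate SSID: require group membership, push a VLAN.
DEFAULT  NAS-Port-Type == Wireless-802.11, Called-Station-Id =~ ":CORP$", LDAP-Group == "wifi-corp"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20",
         Fall-Through = No

# --- Wireless, guest SSID: any authenticated user, isolated VLAN, short session.
DEFAULT  NAS-Port-Type == Wireless-802.11, Called-Station-Id =~ ":GUEST$"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "99",
         Session-Timeout = 3600,
         Fall-Through = No

# --- Any other SSID, or a corp SSID without the group: explicit reject.
#     Without this line an unmatched wireless request would fall through to
#     whatever later entries allow, so the deny is written down.
DEFAULT  NAS-Port-Type == Wireless-802.11, Auth-Type := Reject
         Reply-Message = "account not permitted on this SSID"

# --- Infrastructure (switch/router CLI) logins over RADIUS.
#     The whole of "authorization" here is one privilege level handed back in
#     the Accept. There is no way to express "show permitted, configure denied";
#     per-command authorization is what TACACS+ adds.
DEFAULT  NAS-Port-Type == Virtual, LDAP-Group == "net-admins"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=15",
         Fall-Through = No

# --- Default deny for anything not matched above (wired ports, unknown NAS types).
DEFAULT  Auth-Type := Reject
         Reply-Message = "no policy matched"
```

Test it with the attributes the NAS actually sends, for example `radtest` with `-t mschap` plus `Called-Station-Id` and `NAS-Port-Type` set in the request, and watch `radiusd -X` for which DEFAULT entry matched. The point to take from it: the NAS gets one Accept carrying these attributes and enforces them itself for the rest of the session, which is the "all or none" behaviour the post above contrasts with TACACS+ per-command authorization.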

wintermute000

ISE, Clearpass or Forescout.

Do your requirements / future roadmap, then pick your poison.

My personal view is that any identity based integration into future networking e.g. unified wired/wireless fabric or 'software defined campus fabric' etc. should be called out and the appropriate identity engine lined up that will integrate nicely with this roadmap. Along with all the usual guest requirements (portal? provisioning? onboarding? wired dot1x? etc.) Then there's the micro-seg and identity based firewalling discussions (exchanging tags with NSX? FW vendor X? etc.). It might not be a simple case of LDAP/RADIUS.

LynK

I worked with ISE (deployed + managed before). It was crap. I was not impressed at all. Now granted this was 2+ years ago. But we do not want to fork out a big check for something like this when things like PacketFence are available for free.

wintermute000

+1 for bringing PacketFence to my attention, it looks good on paper (and a really slick website presentation to boot, especially for open source).

LynK

@winter

Some big companies have adopted it (like Indeed; they have a YouTube presentation on their deployment + issues with it... really good video). They deployed 22 of these boxes across their campus. I'm excited to sink my teeth into this stuff. I'm hoping the wireless portion meets my expectations.

deanwebb

DISCLAIMER: I work for the vendor I'm going to recommend because of my experience with it before I was working for the vendor.

ForeScout CounterACT is very strong as an 802.1X-RADIUS solution for wireless and NAC, but falls short in its current version as a RADIUS solution for other systems, such as switch/router access. I found its troubleshooting capabilities to be superior, as one could click on any host and view its RADIUS log information, which was vital for finding out why it got a RADIUS-reject message.

PacketFence is common in education environments, but it can have issues with scaling if you don't have someone who is familiar with it working with the solution. But, it's cheap and good, so you know you're giving up fast with it.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

LynK

@dean,

In what ways does it fall short for switch/router access?

deanwebb

I've tried to use it as a clearing house for RADIUS logins to switches and other devices, but it doesn't handle those kinds of logons. This may change with the next version, I'll test that as soon as it releases and I get to play with the final image in my homelab.

SimonV

Just had a look in the PacketFence documentation, but they only support MAC authentication on Juniper, so not an option, on the wired network at least.

What sort of stability issues are you having with NPS?

wintermute000

Ironically, overheard some of our SEC guys today talking about how you can't replace a traditional ACS deployment with ForeScout; sounds like what you were talking about...

deanwebb

Quote from: wintermute000 on April 04, 2018, 08:08:33 AM
Ironically, overheard some of our SEC guys today talking about how you can't replace a traditional ACS deployment with ForeScout; sounds like what you were talking about...

Correct. ForeScout does not do TACACS+, for example.