Radius Server

[LynK]

What are you guys current using?

Currently we are using a microsoft NPS, and it has been pretty unreliable so far... Im debating between standing up a new 2016 NPS, or giving freeradius a try.


Biggest needs are for infrastructure + wireless (multiple SSID) authentication.

Any other recommendations?

[icecream-guy]

Any other recommendations?

TACACS+

RADIUS is an all or none Authentication protocol.

TACACS will provide you with Authentication and Authorization.

Move to TACACS+

We use Cisco ACS which is going EoL end of this year, I think.
ISE training going on this week.

[wintermute000]

ISE, Clearpass or Forescout.

Do you requirements / future roadmap then pick your poison.

My personal view is that any identity based integration into future networking e.g. unified wired/wireless fabric or 'software defined campus fabric' etc. should be called out and the appropriate identity engine lined up that will integrate nicely with this roadmap. Along with all the usual guest requirements (portal? provisioning? onboarding? wired dot1x? etc.) Then there's the micro-seg and identity based firewalling discussions (exchanging tags with NSX? FW vendor X? etc.). It might not be a simple case of LDAP/RADIUS.

[LynK]

I worked with ISE (deployed + managed before). It was crap. I was not impressed at all. Now granted this was 2+ years ago. But we do not want to fork out  a big check for something like this when things like packetfence are available for free

[wintermute000]

+1 for bringing packetfence to my attention, it looks good on paper (and really slick website presentation to boot esp for open source)

[LynK]

@winter

some big companies have adopted it (like indeed) (they have a youtube presentation on their deployment + issues with it... really good video). They deployed 22 of these boxes across their campus. I'm excited to sink my teeth into this stuff. I'm hoping the wireless portion meets my expectations.

[deanwebb]

DISCLAIMER: I work for the vendor I'm going to recommend because of my experience with it before I was working for the vendor.

ForeScout CounterACT is very strong as a 802.1X-RADIUS solution for wireless and NAC, but falls short in its current version as a RADIUS solution for other systems, such as switch/router access. I found its troubleshooting capabilities to be superior, as one could click on any host and view its RADIUS log information, which was vital for finding out why it got a RADIUS-reject message.

Packetfence is common in education environments, but it can have issues with scaling if you don't have someone who is familiar with it working with the solution. But, it's cheap and good, so you know you're giving up fast with it.

[LynK]

@dean,

In what ways does it fall short for switch/router access?

[deanwebb]

I've tried to use it as a clearing house for RADIUS logins to switches and other devices, but it doesn't handle those kinds of logons. This may change with the next version, I'll test that as soon as it releases and I get to play with the final image in my homelab.

[SimonV]

Just had a look in the Packetfence documentation but they only support MAC authentication on Juniper so not an option, on the wired network at least.

What sort of stability issues are you having with NPS?

[wintermute000]

ironically overheard some of our SEC guys today talking about how you can't replace a traditional ACS deployment with forescout, sounds like what you were talking about...

[deanwebb]

ironically overheard some of our SEC guys today talking about how you can't replace a traditional ACS deployment with forescout, sounds like what you were talking about...

Correct. ForeScout does not do TACACS+, for example.