Local authentication using RADIUS and Azure/on-prem setup best practice...

nickds100
Level 1

Hi,


So, we are a small shop (50 users, low levels of activity) and have 2 x DCs in Azure and 2 x on-prem - all Windows. I want to add RADIUS local authentication to our networking kit, most of which is Cisco. Just adding an NPAS role to a DC in Azure and a DC on-prem with the standard setup (Windows groups for users vs. Admins plus policy to set the priv-lvl accordingly) would seem the obvious way to go, but is it best practice?


Can Azure's MFA server's RADIUS support be used or is there another way?


Is there any point in having RADIUS on its own servers vs. just as a role on the DCs, especially in a small shop? What are people's thoughts on best practice? I'm getting conflicting stories...


Many thanks.

1 Reply

Hi,

I think what you suggest is perfectly fine. As you said, you are a small shop, so there is no need to spend a fortune on a TACACS+ solution. Even with Windows NPS you can authenticate users centrally, and you will get some basic accounting information.


If you want even more security, you can also configure an ACL on the vty lines, to lock down access to the devices from trusted subnets. In addition you can configure syslog and send success/failed authentication attempts to a syslog server.


Having separate NPS servers might be overkill in a small environment, but I don't know the load on your current DCs. I cannot imagine adding the additional role to the server and the odd RADIUS authentication would add a considerable amount of load to the server. This question may be better answered in a Microsoft forum, though.


HTH
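The device-side half of the setup discussed in this thread (central RADIUS login against NPS with a local fallback account, privilege level set by the RADIUS reply, a vty ACL restricted to a management subnet, and syslog of login successes and failures), written out as an added Cisco IOS configuration example. This is not configuration from the original post or reply; the server addresses, the management subnet, the syslog collector and the shared-secret placeholders are all assumptions and must be replaced with your own values.

```cisco
! Added example, not from the original thread. All addresses and secrets are placeholders.
aaa new-model
!
! Local fallback account, used only when every NPS server is unreachable.
username admin-local privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! One RADIUS server definition per NPS instance (on-prem DC and Azure DC).
radius server NPS-ONPREM
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-ONPREM>
radius server NPS-AZURE
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-AZURE>
!
! Group both servers; IOS tries them in order and fails over.
aaa group server radius NPS
 server name NPS-ONPREM
 server name NPS-AZURE
!
! Login: ask NPS first, fall back to the local database only if no server answers.
aaa authentication login VTY-AUTH group NPS local
! Exec authorization: privilege level comes from the NPS reply (Cisco-AV-Pair shell:priv-lvl=N);
! an authenticated user with no attribute lands at the default level 1.
aaa authorization exec VTY-AUTH group NPS local if-authenticated
! Basic accounting of exec sessions to NPS (start/stop records).
aaa accounting exec default start-stop group NPS
!
! Only the management subnet may open a vty session; everything else is logged and dropped.
ip access-list standard MGMT-SUBNETS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-SUBNETS in
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 transport input ssh
!
! Ship login successes and failures to the syslog collector.
logging host 192.0.2.30
logging trap informational
login on-failure log
login on-success log
```

On the NPS side, the matching network policies grant access by Windows group and return the vendor-specific attribute Cisco-AV-Pair (vendor code 9) with `shell:priv-lvl=15` for the admin group and `shell:priv-lvl=1` for ordinary users, together with Service-Type set to NAS-Prompt so the device treats the session as a console login. The `radius server` block syntax shown is the newer IOS form; older images use `radius-server host` instead. The `deny any log` entry on the vty ACL and the two `login on-... log` lines are what give the syslog server a record of both rejected source addresses and authentication outcomes, which is the visibility the reply recommends.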