3365 Views, 13 Helpful, 10 Replies

Linux or Windows for Radius ? Or even straight LDAP ?

from88 (Level 4)


Hello, I'm planning to implement two (main and backup) Radius servers for Cisco (Nexus, ASR and ISR) devices. Now I'm thinking which platform would be more suitable to use for it, Windows or Linux (free radius). The main requirement is that it supports synchronization of the databases between each other. Also it'd be nice to have Radius accounting (to log to the server any command that has been entered by a user).
Also, I see that the devices support straight LDAP configuration; maybe that's also a good idea? Has anyone tried it?

Or maybe you can recommend any whitepapers? Thanks!

10 Replies

Collin Clark (VIP Alumni), accepted solution

Most devices do not support direct LDAP authentication, so be careful about selecting that option. With your requirements, I would take a serious look at Cisco ISE. IMO RADIUS accounting is basically nonexistent (especially on Windows). TACACS accounting, on the other hand, is great, but that more or less only runs on Cisco ACS or Cisco ISE.

HTH

Thank you.
I'm considering something more OPEN standard, so I'm sure it would be Radius, even if the accounting doesn't work well (or not at all :) ).
So the main question still exists: Linux (freeradius) or Windows? And what is the most practical method for syncing the databases between the servers? Thanks again :)

Windows can sync, but the servers must be set up that way. Just installing NPS will not be enough. I don't use Free Radius, so someone else will probably chime in on that.

Thank you for such a fast response :)

As I remember, my company has an AD environment. So maybe it's a good idea to run it on Windows with AD? I heard it's quite easy to set up and not so effort demanding.

By the way, maybe you know whether AAA accounting (specifically logging of the commands users enter) works with the MS Radius implementation?

And the other question, about AAA configuration on Cisco nodes:

Is "aaa authorization exec default group radius local" mandatory to be able to get to exec mode?

Thank you

Logging of entered commands will only be sent with Tacacs+ on Catalyst switches, not with Radius. I don't know about other products though.

On an additional note, do not install Radius on the AD servers themselves; install fresh servers. They will need to be authorized in AD by a domain admin before they can authenticate users.

I think I would run it on an NPS (Network Policy Server) system and would register it to AD.

Or am I thinking wrong? Thanks.

Correct, yes. NPS has been slightly renamed in Server 2012 and later, but it's still more or less the same for Radius functionality. And yeah, I suggest making two standalone installations for higher stability and reliability, at the cost of double configuration work (which is still easy if you don't have too many policies).

If you do plan on using Health Policies (antivirus checks, firewall checks and so on) you might want to use a different product though.

It would run two groups of users: one with just read-only access and one with full access. And the user DB would be small, about 15 users. It would be perfect to set up Active Directory for both servers, syncing between each other.

I have used two Windows-based Radius servers for many years. They work very well, but logging can be a bit troublesome. Logrotate doesn't really exist there. On the other hand, it's much easier to configure than freeradius (which I also use, but for something different).

To actually browse the logs on Windows, I don't use Event Viewer, I use Event Log Explorer :)

Under Linux I use grep for my freeradius logs, but luckily I don't need it often there.

My servers are not synchronized, they are both running standalone. That means I always have to configure both servers. The positive side is, they are fully standalone and the second continues to work if the first has a problem (after a software update or configuration change).

Also important: Radius servers tend to get marked as "offline" or "dead" if your client (switch, Wi-Fi, ...) configuration isn't correct. In such a moment the client will switch to the other Radius server and typically not switch back until the second one is dead. This can be configured on some clients.
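To put the points raised in this thread side by side (exec authorization with local fallback, session accounting over RADIUS versus per-command accounting over TACACS+, and the dead-server behaviour described in the previous reply), here is an added IOS/IOS-XE configuration example. It is not from any poster in the thread; the server names, addresses and keys are placeholders, and Nexus (NX-OS) uses a different AAA syntax.

```cisco
! Added example, not from the thread. Placeholder names, addresses and keys.
! IOS/IOS-XE (ASR/ISR) syntax; NX-OS differs.
aaa new-model
!
! Two RADIUS servers in one group; the backup is only tried when the main fails.
radius server RAD-MAIN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-main>
radius server RAD-BACKUP
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret-backup>
aaa group server radius RAD-SERVERS
 server name RAD-MAIN
 server name RAD-BACKUP
!
! Login authentication: RADIUS first, local user database if no server answers.
aaa authentication login default group RAD-SERVERS local
!
! Exec authorization is not needed to reach user EXEC, but it is what applies the
! privilege level the server returns (Cisco-AVPair "shell:priv-lvl=15" for the
! full-access group, "shell:priv-lvl=1" for read-only). Without it every user
! lands at the line's default level. "local" is again the fallback.
aaa authorization exec default group RAD-SERVERS local
!
! RADIUS accounting records session start/stop only, not individual commands.
aaa accounting exec default start-stop group RAD-SERVERS
!
! Per-command accounting needs TACACS+; the equivalent line with a RADIUS
! group sends nothing useful.
tacacs server TAC-MAIN
 address ipv4 192.0.2.20
 key <tacacs-secret>
aaa accounting commands 15 default start-stop group tacacs+
!
! Dead-server detection: mark a RADIUS server dead after 3 unanswered tries
! within 5 seconds, keep it dead for 10 minutes, then retry it. Without
! deadtime the device keeps using the backup until it fails too.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Emergency account used when the "local" fallback is reached.
username admin privilege 15 secret <local-password>
```

Check the result with "show aaa servers", which reports each server's state (up or dead) and its authentication and accounting counters. With this layout the RADIUS side needs only two user groups returning different priv-lvl values, which keeps the standalone main and backup server configurations small enough to maintain by hand.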

Rob Cluett (Level 1)

tacacs+ is available as a Linux Debian package.

"sudo apt-get install tacacs+ -y"
