Community Member

Linux or Windows for Radius ? Or even straight LDAP ?


Hello, I'm planning to implement two (main and backup) RADIUS servers for Cisco (Nexus, ASR and ISR) devices. Now I'm thinking which platform would be more suitable for it: Windows or Linux (FreeRADIUS). The main requirement is that it supports synchronization of the databases between each other. Also it would be nice to have RADIUS accounting (to log to the server any command that has been entered by a user).
Also, I see that devices support straight LDAP configuration; maybe it's also a good idea? Has anyone tried it?

Or maybe you can recommend any whitepapers? Thanks!

Accepted Solution

Most devices do not support direct LDAP authentication, so be careful about selecting that option. With your requirements, I would take a serious look at Cisco ISE. IMO RADIUS accounting is basically nonexistent (especially on Windows). TACACS accounting, on the other hand, is great, but that more or less only runs on Cisco ACS or Cisco ISE.

HTH

10 REPLIES

Community Member

Thank you.
I'm considering something more OPEN standard. So I'm sure it would be RADIUS, even if the accounting doesn't work well (or not at all :) ).
So the main question still exists: Linux (FreeRADIUS) or Windows? And what is the most practical method for syncing databases between the servers? Thanks again :)

Windows can sync, but the servers must be set up that way. Just installing NPS will not be enough. I don't use FreeRADIUS, so someone else will probably chime in on that.

Community Member

Thank you for such a fast response :)

As I remember, my company has an AD environment. So maybe it's a good idea to run it on Windows with AD? I heard it's quite easy to set up and not so demanding in effort.

By the way, maybe you know whether AAA accounting (specifically logging of the commands users enter) works with the MS RADIUS implementation?

And the other question, about AAA configuration on Cisco nodes:

Is "aaa authorization exec default group radius local" mandatory to be able to get to exec mode?

Thank you

Logging entered commands will only be sent with TACACS+ on Catalyst switches, not with RADIUS. I don't know about other products though.

On an additional note, do not install RADIUS on the AD servers themselves; install fresh servers. They will need to be authorized in AD by a domain admin before they can authenticate users.

Community Member

I think I would run it on an NPS (Network Policy Server) system and would register it in AD.

Or am I thinking wrong? Thanks.

Correct, yes. NPS has been slightly renamed in Server 2012 and later, but it's still more or less the same for RADIUS functionality. And yeah, I suggest making two standalone installations for higher stability and reliability, but that means double configuration work (which is still easy if you don't have too many policies).

If you do plan on using Health Policies (antivirus checks, firewall checks and so on) you might want to use a different product though.

Community Member

It would run two groups of users: one with just read-only access, and one with full access. And the user DB would be small (about 15 users). It would be perfect to set up an Active Directory for both servers syncing between each other.

I have used two Windows-based RADIUS servers for many years. They work very well, but logging can be a bit troublesome. Logrotate does not really exist. On the other hand, it's much easier to configure than FreeRADIUS (which I also use, but for something different).

To actually browse the logs on Windows, I don't use Event Viewer, I use Event Log Explorer :)

Under Linux I use grep for my FreeRADIUS logs, but luckily I don't need it often there.

My servers are not synchronized, they are both running standalone. That means I always have to configure both servers. The positive side is, they are fully standalone and the second continues to work if the first has a problem (after a software update or configuration change).

Also important: RADIUS servers tend to get marked as "offline" or "dead" if your client (switch, Wi-Fi, ...) configuration isn't correct; in such a moment the client will switch to the other RADIUS server and typically not switch back until the second is dead. This can be configured on some clients.

Community Member

TACACS+ is available as a Linux Debian package.

"sudo apt-get install tacacs+ -y"
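The thread's original requirement (log every command a user enters) is what TACACS+ command accounting delivers, per the accepted answer, and the Debian tac_plus package mentioned above writes such records to a tab-separated accounting log. The following is an added example, not code from the thread or from tac_plus: it parses constructed accounting lines in the assumed tac_plus layout (timestamp, NAS IP, user, port, remote address, status, then AV pairs), builds a per-user command audit, and flags configuration commands from the poster's "read-only" group.

```python
"""Added example (not from the thread): parse tac_plus-style accounting
lines and build a per-user command audit, flagging configuration commands
from users who are supposed to be read-only."""
import re
from collections import defaultdict

# Constructed sample in the tab-separated format assumed for the tac_plus
# accounting log (date, NAS IP, user, port, remote IP, status, AV pairs).
# Not copied from any real server.
SAMPLE_LOG = """\
Mon Mar  2 10:15:01 2015\t10.1.1.10\talice\ttty1\t192.0.2.5\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>
Mon Mar  2 10:15:09 2015\t10.1.1.10\talice\ttty1\t192.0.2.5\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=interface GigabitEthernet0/1 <cr>
Mon Mar  2 10:16:30 2015\t10.1.1.11\tbob\ttty2\t192.0.2.7\tstop\ttask_id=21\tservice=shell\tpriv-lvl=1\tcmd=show running-config <cr>
Mon Mar  2 10:17:02 2015\t10.1.1.11\tbob\ttty2\t192.0.2.7\tstop\ttask_id=22\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>
"""

READ_ONLY_USERS = {"bob"}  # constructed: the thread's "read only" group

def parse_line(line):
    """Split one accounting record into a dict of fixed fields plus AV pairs."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 7:
        return None  # malformed or truncated record
    rec = dict(zip(("time", "nas", "user", "port", "rem_addr", "status"), parts[:6]))
    for av in parts[6:]:
        key, _, value = av.partition("=")
        rec[key] = value.replace(" <cr>", "").strip()
    return rec

def command_audit(text):
    """Return {user: [(nas, priv_lvl, cmd), ...]} for every 'stop' shell record."""
    audit = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "stop" and "cmd" in rec:
            audit[rec["user"]].append((rec["nas"], int(rec.get("priv-lvl", 0)), rec["cmd"]))
    return dict(audit)

CONFIG_CMD = re.compile(r"^(configure|conf)\b")

def flag_violations(audit, read_only_users):
    """Read-only users entering config mode (priv 15 or a configure command) are flagged."""
    return [(u, nas, cmd) for u, entries in audit.items() if u in read_only_users
            for nas, priv, cmd in entries if priv >= 15 or CONFIG_CMD.match(cmd)]

if __name__ == "__main__":
    audit = command_audit(SAMPLE_LOG)
    for user, entries in audit.items():
        for nas, priv, cmd in entries:
            print(f"{user:8} {nas:12} priv={priv:<3} {cmd}")
    for v in flag_violations(audit, READ_ONLY_USERS):
        print("ALERT read-only user entered a config command:", v)
```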
