Cisco Support Community
Community Member

Help with Radius server

I am a newbie for this matter and I really need your help ;)

I am working on a project to build ethernet connections for offices in high-rise buildings.

The project uses point-to-multipoint broadband wireless access to carry data transmission from the base station (where the ISP is) to the subscriber sites.

Currently my plan is to use routers (Cisco 2600 series) to segregate the bandwidth and switches to build VLANs for each office/customer (one port per customer).

The thing is, how can I perform authentication for each customer at a central location? I'm thinking of a RADIUS server as the solution. If so, what RADIUS server should I use? Is W2K with IAS sufficient to do the job? And where should I put the RADIUS server? What are the physical configurations of that equipment? Can I disable the port when a user logs out and enable it back when a user logs in and is authenticated?


Community Member

Re: Help with Radius server

Cisco has a good access control server ( you might want to look at. Using VLANs and routers, I assume firewalling and security is not a big issue to you. You can use ACS to authenticate your users or you could just manually turn on/off the switch ports. It’s easy enough to do that, just telnet or browse to the switch. Authentication will give you the ability to do that on a per-user basis and give you better accounting. Have you talked to your Cisco rep to help with your design? There are a lot of options and variables.

Community Member

Re: Help with Radius server

This sounds like a pretty big project, and without very specific details, there are a few different ways that you could go with this. From what I understand, wireless will not be the point of entry i.e. the user will connect to the network over direct cat5, and wireless will exist at the distribution layer instead of the access layer.

I mention this because Cisco's Aironet wireless product can itself authenticate users on a per-user basis via RADIUS. But it looks like the point of entry here would be via switch or router.

One option is to run auth-proxy on the routers. 2600s can get pretty beefy with added RAM and flash, but auth-proxy can bump up your CPU utilization pretty decently. But it would allow per-user authentication, which can then be proxied off to a RADIUS or TACACS+ server. You could then run auth-proxy at each router point of entry (access layer).

Otherwise, you will need a firewall to enforce this per-user access. I would highly suggest the PIX firewall: they are designed to handle this high volume, they can authenticate on a per-user basis, they can proxy this off to a RADIUS/TACACS+ server, and if you choose TACACS+, you can choose what protocols each user/group can use, and what destinations they can get to per protocol. But you would have to position the PIXes so that they lie between the user and the core network; depending on design you may need quite a few. So auth-proxy is nice in this respect: no additional hardware, but you will need the firewall feature set.

I would also suggest the CiscoSecure ACS server - talk to your Cisco accounts rep about getting a trial version. RADIUS has lower (bandwidth) overhead than TACACS+ since it is UDP, but TACACS+ has more features, allowing greater control over users with minimal administration.

These are just some general ideas, but hopefully they will provide some direction.

Good luck!
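As an added example (not from this thread, and not code from any Cisco product or RADIUS server) of what the RADIUS exchange the replies recommend looks like on the wire, here is a small Python model of RFC 2865: a NAS builds an Access-Request with the User-Password attribute hidden under the MD5 key stream, a toy server answers Access-Accept or Access-Reject signed with the Response Authenticator, and the NAS verifies that signature before trusting the answer. The shared secret and the user database are constructed values; real RADIUS runs over UDP port 1812, which is replaced here by direct function calls so the whole thing runs offline.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example, not taken from the thread.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"alice": "correct horse battery staple"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(atype: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16  # an empty password is still one 16-byte block
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # the cipher-block chaining uses the *hidden* block, not the plaintext
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped (so a password may not end in NUL)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes, req_auth: bytes = None) -> bytes:
    """NAS side: Access-Request with a fresh random Request Authenticator unless one is supplied."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list; a malformed length (< 2) would loop forever, so stop there."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy RADIUS server: check the credentials and sign the reply with this server's secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:HEADER_LEN]
    attrs = parse_attrs(packet[HEADER_LEN:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = user_db.get(username)
    ok = code == ACCESS_REQUEST and expected is not None and \
        hmac.compare_digest(password, expected.encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real Accept would carry Framed-IP, VLAN or session-timeout attributes here
    resp_auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, secret)
    return struct.pack("!BBH", reply_code, ident, HEADER_LEN + len(reply_attrs)) + resp_auth + reply_attrs


def client_verify(request: bytes, reply: bytes, secret: bytes):
    """NAS side: accept the reply only if the identifier matches and the Response Authenticator
    was computed with our shared secret. Returns the reply code, or None if the reply is not trusted."""
    if len(reply) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = response_authenticator(code, ident, request[4:HEADER_LEN], reply[HEADER_LEN:length], secret)
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        return None
    return code


if __name__ == "__main__":
    req = build_access_request(7, "alice", "correct horse battery staple", SHARED_SECRET)
    print("genuine server:", client_verify(req, server_handle(req, SHARED_SECRET, USER_DB), SHARED_SECRET))
    print("wrong secret:  ", client_verify(req, server_handle(req, b"other-secret", USER_DB), SHARED_SECRET))
```

Two points the model makes visible: the User-Password attribute is only obfuscated with an MD5 key stream derived from the shared secret, not encrypted, so the secret must be long and random and the NAS-to-server path belongs on a management VLAN; and the Response Authenticator is the only thing that binds an Accept to the real server, which is why `client_verify` refuses a reply signed under a different secret and why a NAS should log such failures.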
