
Can anyone recommend a radius solution with HA capabilities that is scalable to 10’s of thousands of users running 802.1x?

We are also looking for something that is low maintenance with good logging, reporting, and troubleshooting tools.

 

Pete Morrissey

Syracuse University

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Funny you ask this, Network World just did a review on low-cost RADIUS servers!
 
http://www.networkworld.com/reviews/2012/091012-radius-servers-wifi-security-test-261976.html
 
Tristan
 
--
Tristan Rhodes
Network Engineer
Weber State University
(801) 626-8549


>>> On 9/21/2012 at 10:09 AM, in message <47FE4CC0B92ADA478ECC286A11E97301205E23@SUEX10-mbx-03.ad.syr.edu>, Peter P Morrissey <ppmorris@SYR.EDU> wrote:

Can anyone recommend a radius solution with HA capabilities that is scalable to 10’s of thousands of users running 802.1x?

We are also looking for something that is low maintenance with good logging, reporting, and troubleshooting tools.

 

Pete Morrissey

Syracuse University


Currently handling 9,057 simultaneous 802.1x authenticated wireless clients but expecting to eventually add wired.

Cisco controllers -> F5(x2) -> Juniper Steel-Belted Radius(x2) -> F5(x2, the same 2) -> LDAP(x4) servers

Not cheap but Solid, low-maintenance, scalable, production for 2+ yrs. 

-Scott

 

Scott-

 

Do you run native Windows and Mac supplicants, or the Juniper client? Also- are you able to load certificates on the F5 in this case, or did they need to be on the RADIUS servers?

 

Thanks-

 

Lee H. Badman

Network Architect/Wireless TME

Information Technology and Services (ITS)

Syracuse University

315 443-3003

 

 

 

Lee,

We only use native supplicants although we provide some help on configuration via CloudPath for those who want/need it.  We installed the edu certs on the RADIUS servers, not certain about whether they made it to the F5s or not.

 

From our project documentation:

 

The Juniper Steel-Belted RADIUS Enterprise Edition was selected in the design to provide uniform security policy enforcement across network access methods.  The software is commercially supported and has been tested to work with our configuration. The Juniper Steel-Belted RADIUS server allows for a single user bind to the LDAP servers while performing multiple user authentications, therefore minimizing the overhead on the LDAP servers.

 

1.1 Wireless Encryption

 

The Enterprise Secure Wireless Service must implement WPA2 enterprise protected access and require AES-CCMP data encryption protocol to be used.  WPA2 enterprise provides link-layer security and encrypts all data travelling between the wireless host and the wireless access point.  The protocols also regularly rotate encryption keys to prevent compromise by well-known key-recovery attacks.

1.1.1 Authentication Encryption

 

Protection of users’ NetID credentials is of primary importance as authentication of the wireless host occurs over the wireless network.  Protection will be provided with the use of the Extensible Authentication Protocol (EAP) framework and selection of the PEAP protocol to provide encryption for authenticated data.  The PEAP protocol, also known as PEAPv0/EAP-MSCHAPv2, is the protocol used to establish trust and a secure tunnel with the RADIUS (Authentication) Server, and the MSCHAPv2 protocol is tunneled through to perform the authentication.  In order to establish the trust between the wireless host and the RADIUS servers, the RADIUS servers will utilize third party CA signed SSL certificates.

 

-Scott
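
An added example, not part of the original post or the quoted project documentation: a small audit of supplicant profiles against the requirements quoted above (WPA2 enterprise, AES-CCMP only, PEAP with a CA-validated RADIUS server certificate). It assumes wpa_supplicant as the supplicant, which the thread does not name; the SSIDs, CA path and server name in the sample are constructed placeholders.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are placeholders.
SAMPLE_CONF = '''
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.edu"
}
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    pairwise=CCMP TKIP
    eap=PEAP
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        lines = (l.strip() for l in body.splitlines())
        pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(opts):
    """Findings for one WPA-EAP network against the requirements quoted above."""
    findings = []
    if opts.get("proto", "").split() not in (["RSN"], ["WPA2"]):
        findings.append("proto not pinned to RSN (WPA2)")
    for field in ("pairwise", "group"):
        if opts.get(field, "").split() != ["CCMP"]:
            findings.append(f"{field} not restricted to CCMP")
    if not opts.get("ca_cert"):
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if not any(opts.get(k) for k in NAME_CHECKS):
        findings.append("no server name match: any certificate from the CA is accepted")
    return findings

def audit_conf(text):
    """Map ssid -> findings for every 802.1X (WPA-EAP) network in the file."""
    nets = [n for n in parse_networks(text) if "WPA-EAP" in n.get("key_mgmt", "").split()]
    return {n.get("ssid", "?"): audit(n) for n in nets}
```

`audit_conf(SAMPLE_CONF)` returns an empty list for `campus-secure` and five findings for `campus-legacy`, whose profile leaves the protocol and ciphers at their defaults and never checks the RADIUS server's certificate.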

 

 

We run FreeRadius on servers in three locations, using anycast IP for load balancing/failover.  It allows for both Kerberos and AD authentication so we can (and do) use it for all of our wireless and VPN services.  If you're looking for a GUI this may not be what you're looking for, but it's cheap and reliable.  (Well, cheap because we already had load balancers that could do the anycast for us...)





--
                           Dr. Kurt Hillig
  UMNet Administration    I always tell the  (734)647-8778 desk
 University of Michigan    absolute truth,   (734)323-2736 cell
Ann Arbor, MI  48105-3640   as I see it.   khillig(at)umich.edu

> Computers were invented to help people waste more time faster <

