RADIUS appliance?

Rogue

Banned
Jan 28, 2000
I'm looking to migrate my entire network infrastructure to 802.1x wired port authentication and need a purpose built RADIUS platform that is going to authenticate thousands of users in a very short timeframe every day. The system has to be robust, redundant and have good logging/reporting facilities. Anyone know of something that doesn't run on a standard *nix or Windows server platform?

I am looking at the InfoBlox solution now, but am open to other suggestions.
 

cmetz

Platinum Member
Nov 13, 2001
Rogue, everybody I know doing serious RADIUS does it on a *IX platform. In particular, I've had good luck with FreeRADIUS on Linux. It does a lot of the wacky EAP stuff without too much pain. If you want to spend a lot of money and get something that doesn't work as well, I'm sure there are vendors who will take your money. But before you go down that path, you might grab a spare PC and try it.
 

Rogue

Banned
Jan 28, 2000
Well, here's the other problem. Running it on a server with a commercially available OS is too, how should I say, insecure. I need ultra high availability, not kernel updates and patches. For all that Linux is, I do have to say that it requires at least as much patching and rebooting as any well maintained Windows server does. I don't want a server based system running on a standard PC architecture. I am going to place the integrity of a 500 switch network (6000+ ports) and the accessibility of it in the hands of a generic server or PC platform? I need something dedicated, hardened and streamlined. So far InfoBlox is the only one touting RADIUS standards compliance, a hardened OS built with security in mind and dedicated support. This is a military application, so a *nix server isn't going to cut it unless you can show me a distro that does RADIUS and only RADIUS.
 

Nothinman

Elite Member
Sep 14, 2001
An appliance runs an OS too (a lot of the time Linux these days) and needs updates just as much as a 'regular' server. Not evaluating FreeRADIUS is a huge oversight on your part. I can understand your desire to not have to babysit another box, but a properly set up box won't add very much administrative overhead.

This is a military application, so a *nix server isn't going to cut it unless you can show me a distro that does RADIUS and only RADIUS.

Debian, OpenBSD, FreeBSD, etc. with nothing but FreeRADIUS installed would meet those requirements. If you don't know how to set up the box, just say so, but don't blame the software.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: cmetz
Rogue, everybody I know doing serious RADIUS does it on a *IX platform. In particular, I've had good luck with FreeRADIUS on Linux. It does a lot of the wacky EAP stuff without too much pain. If you want to spend a lot of money and get something that doesn't work as well, I'm sure there are vendors who will take your money. But before you go down that path, you might grab a spare PC and try it.

quoted for truth.

Let's face it, a RADIUS server doesn't take much of a load - the transactions are only a few dozen packets at MAX. Stability, ease of administration and features rule here.

If the staff can't properly support a *nix platform then do Windows. But when it comes to RADIUS you don't want any limitations and you want complete customization.

oh - edit - thousands of users on a RADIUS server every day is something a super low-class server could handle. The hardware/OS isn't the limiting factor on RADIUS - it's features, reporting, etc.
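spidey07's point that a RADIUS transaction is only a handful of packets can be made concrete. The following is an added example in Python, not code from the thread or from any vendor named in it: it builds a constructed 802.1X Access-Request/Access-Accept pair and shows what a switch (the NAS) must check on the reply under RFC 2865 and RFC 3579 before trusting it. The shared secret, identifier, user name and attribute values are all constructed.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-shared-secret"  # constructed demo value, not a real deployment secret
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)
def attr(t, value):  # one attribute in Type-Length-Value form; Length includes the 2-byte header
    return struct.pack("!BB", t, len(value) + 2) + value

def with_message_authenticator(code, ident, authenticator, attrs, secret):
    # Append a zeroed Message-Authenticator, HMAC-MD5 the whole packet under the shared
    # secret, then fill in the value (RFC 3579 s3.2). A reply is keyed on the Request Authenticator.
    body = b"".join(attrs) + attr(MSG_AUTH, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def finish_reply(reply, request_auth, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s3.
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[:4] + digest + reply[20:]

def nas_verify(reply, ident, request_auth, secret):
    """What a switch (NAS) must check before acting on an Access-Accept/Reject/Challenge."""
    code, rid, length = struct.unpack("!BBH", reply[:4]) if len(reply) >= 20 else (0, 0, 0)
    if rid != ident or length != len(reply) or code not in (2, 3, 11):
        return False
    body = reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False
    pos = 0
    while pos + 2 <= len(body):  # walk the attribute list
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return False
        if t == MSG_AUTH and l == 18:
            zeroed = reply[:4] + request_auth + body[:pos + 2] + bytes(16) + body[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), body[pos + 2:pos + 18])
        pos += l
    return False  # an EAP reply without Message-Authenticator must be discarded

def demo_exchange(secret=SECRET):
    # Constructed 802.1X round trip: EAP-Response/Identity "alice" (attribute 79) in, EAP-Success out.
    request_auth = os.urandom(16)  # must be unpredictable; it keys the reply's authenticators
    req = with_message_authenticator(1, 42, request_auth,
          [attr(1, b"alice"), attr(79, b"\x02\x01\x00\x0a\x01alice")], secret)
    accept = with_message_authenticator(2, 42, request_auth, [attr(79, b"\x03\x01\x00\x04")], secret)
    return req, finish_reply(accept, request_auth, secret), request_auth
```

The whole exchange is 57 bytes out and 44 bytes back, which is why the load argument in the thread holds; the checks in nas_verify are what actually protect the port decision.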
 

Rogue

Banned
Jan 28, 2000
I'm as much a FreeBSD fanboi as anyone else, however, my other problem (yes, that's at least three problems I've quoted now) is that placing it on a server means that it is managed by our server people, period. Simply put, I don't trust a mission critical server such as that in their hands. I know it sounds like I've got my mind made up, however, an appliance would put 100% control of it in my hands, hell, they'd be scared to even touch it. If anyone knows a vendor that sells pre-loaded BSD/*nix based RADIUS boxes, I'm all for it, give me the info. If I have to take a pre-existing server and load it out though, it will be a never ending war with the server folks for control of the box.

I do have to admit though, the InfoBlox solution looks top notch. It runs on a modified Linux kernel and is purpose built using all of the open source RADIUS solutions on the market, at least based on my research. If anyone can sell me on a purpose built RADIUS platform at least equivalent to the InfoBlox solution that they're quoting me $10k for (I need at least two of them), then have at it. Hell, at this point I'll take anything that doesn't scream "server" to our server admins, so it damn well better not say Dell, HP or IBM on the front of it, otherwise it's a fight to the finish and they'll want their grubby hands on it. It can even be a disguised server of some kind with a generic name on it for all I care, but I've got security money to spend right now and I need RADIUS to do port authentication with. It has to be scary enough for our server admins to not even want to touch.
 

Rogue

Banned
Jan 28, 2000
Look, bottom line here is, you all seem to know a bit more than I do about the various RADIUS options on the market. My experience has been with IAS on Windows 2003 Enterprise and the research I've done on the InfoBlox offering. I'm asking for help because besides my research, all I've heard is the sales pitch from the InfoBlox guys today. I'm skeptical of dumping $10k on these appliances when I know I can do the same thing on PC hardware, but on the same note I've got to fight internally for control of the systems if they even look like a server. The advice thus far has been helpful, but vague. I know you all know your $hit, so I'm asking for your help.

I need a purpose built, standards based RADIUS platform that is secure, reliable and relatively easy to manage. I'm a network admin, so command line doesn't scare me, in fact, I pretty much despise a GUI for anything that doesn't involve reporting. It has to be easy for other people to pick up on as well as I have two other network guys in my shop. I've built several Linux and BSD systems previously to run Snort, Samba and desktop apps. Syslog logging is mandatory and logging to a database is a plus and a good reporting mechanism would be the icing on the cake. Recommend me something that meets these goals and I'll jump on it and give it a try.

To complicate matters even more, it MUST authenticate against Active Directory and I DO NOT have administrative rights to join it to the directory controllers. NSA approved standards are a plus since it's a military application. FreeRADIUS doesn't work because it's still listed as a beta and that will never float with our security people higher up the food chain. Is that enough of a challenge for you? ;):D
 

Garion

Platinum Member
Apr 23, 2001
Good news - There's a box that does EXACTLY what you want by InfoBlox. It's called the RADIUSOne Network Identity Module. We use a lot of their DNSOne boxes for managing our Internet-facing DNS infrastructures and they work great.

Enjoy!

- G

Edit: Duh, you're already looking at this. Well, consider this a solid vote for the company and their products. I haven't used this specific product before, but their DNS stuff is top notch.
 

Rogue

Banned
Jan 28, 2000
Originally posted by: Garion
Good news - There's a box that does EXACTLY what you want by InfoBlox. It's called the RADIUSOne Network Identity Module. We use a lot of their DNSOne boxes for managing our Internet-facing DNS infrastructures and they work great.

Enjoy!

- G

Edit: Duh, you're already looking at this. Well, consider this a solid vote for the company and their products. I haven't used this specific product before, but their DNS stuff is top notch.

Is that a concession based on my high demands for an alternative :D or a real-world recommendation of their product? InfoBlox is currently the front runner because they're on the GSA schedule and seem to fit my needs, however, $10k is a good chunk to spend on something like this I think. I'm still open to alternatives, anyone?
 

nweaver

Diamond Member
Jan 21, 2001
Cisco... not sure if the WLSE server will do RADIUS, but their ACS server will run it. Get it, put it on a box and tell them it's an appliance :D

If you are serious about securing your wireless infrastructure, you need to give more thought than just a good RADIUS server. I know that the WLSE server makes it very nice with WDS, client walkabout to ensure coverage, rogue client and rogue AP detection, etc.
 

Rogue

Banned
Jan 28, 2000
Originally posted by: nweaver
Cisco... not sure if the WLSE server will do RADIUS, but their ACS server will run it. Get it, put it on a box and tell them it's an appliance :D

If you are serious about securing your wireless infrastructure, you need to give more thought than just a good RADIUS server. I know that the WLSE server makes it very nice with WDS, client walkabout to ensure coverage, rogue client and rogue AP detection, etc.

I'm only worried about wired port security for now. Wireless is still a ways off and the DoD standard for wireless is pretty much all inclusive where security is concerned.
 

TGS

Golden Member
May 3, 2005
You really just have to submit your solution to the SSO, and they will tell you if you will be able to use the device. There should be a DoD or command-approved hardware/software list for the command you are within. Kinda takes the guesswork out of figuring out what devices have already been tested for secure environments. Anything outside of the approved list will need at the minimum a signature from someone within your network security office.

Our RADIUS servers ran off Windows boxes, on a 15000 user site.