NAC vs Separate RADIUS Server

Hi There,

This is a short question, which I'm sure has a long answer..... it's something I've come across quite often, but I'm not really sure of the answer.
What's the advantage of using a separate RADIUS server, opposed to just using NAC itself?
Sure, the answer might be better integration with AD, if, say, using Windows RADIUS, but what exactly does that mean, and how does it benefit (or not) the different types of authentication you might use? Like using NAC for 802.1X via LDAP vs using RADIUS (as one example).

I've simply (as of yet) not seen anything I couldn't do with NAC itself for which a separate RADIUS server would offer any additional benefit!?

Many thanks in advance.
Martin Flammia

Posted 7 months ago

Ryan Turner

I'll bite...  We have an extremely large NAC environment (I think over 30 access gateways) that is authenticating all wired and wireless across campus (over 100,000 devices a day).  Our main EAP method for wireless is TLS.  We also use a federated wireless SSID called eduroam.  We have found that by proxying our requests to stand-alone FreeRADIUS servers for 802.1X, we get a lot of flexibility and configuration options that would be cumbersome or impossible within XMC.  You also can scale beyond the XMC limitation of 4 RADIUS servers with another proxy in between your access gateways and the terminating RADIUS server.

We do a lot with the configuration of how the requests are handled and logged.  When you do enforces, or upgrades, likely all of that would be gone.

I also don't think that Extreme has been using an 'up to date' version of FreeRADIUS.

So we leave the access gateways (TAGs/NAGs/ACEs/whatever they call them this week) to MAC authentications only and ship everything else external.

Our 802.1X authentication times range from 11ms to 50ms (depending on load) and our MAC authentication times are in the range of 65ms to 200ms (which always seems strange to me: it takes longer to authenticate a MAC locally on the access gateway than to proxy a request to an entirely different bank of TLS servers and wait for the response).

Martin Flammia
Hi Ryan,

Thanks for going to the trouble of answering my post and sharing from your experience.

To summarise, some reasons might be:
  • Scalability
  • Additional flexibility
  • And possible performance increase
Scalability and performance are possibly easier to explain, but you additionally mention a lot more flexibility in configuration options when using FreeRADIUS..... this I'm interested in. Do you have any examples (as many as you can think of) of what these might be?

Appreciate your time is valuable, but it would be really handy to know.

If anyone else also has any experience, ideas, reasons on what additional flexibility of having a separate Radius server would be, that would be great.

Many thanks.
Pala, Zdenek, Employee
Very short answer:

NAC does more than just RADIUS:
- guest captive portal
- health posture assessment
- remediation
- much easier to maintain = easy to use
- much better visibility = much more information available (switch name, switch IP, port name, port description, first seen, last seen, status....)
Martin Flammia
Hi Zdenek,

Thanks for posting.

Well, that's interesting you say that, as apart from some of those things mentioned I can't seem to find a reason generally not to use NAC as my RADIUS server, but I've always been told to use a dedicated one without understanding why?

Those things you mention, though, I can still take advantage of as NAC features by way of proxy and carry on using an external RADIUS, so I'm still at a loss as to the pros and cons of using an external RADIUS, if indeed I really need to use one at all?

What do you think?

Thanks
Pala, Zdenek, Employee
My point of view.

The switch uses the NAC engine as its RADIUS server.
The NAC engine can use NPS as an upstream RADIUS server = advantage: you have one repository where usernames and passwords are stored; the way to add/remove/change users in the M$ world is comfortable.
The NAC engine can use LDAP/LDAPS as upstream authentication = advantage: you do not need to install NPS and certificates.
The NAC engine can use a local database = advantage: you do not need any other component, but the way to add/remove/change users needs to be integrated into the customer's processes.

The most common deployment:
- The NAC engine uses RADIUS to verify the username/password against the domain.
- The NAC engine uses LDAPS to check the group membership.
Advantages of the combination above:
- M$ believes RADIUS is more secure compared to the NTLM used in LDAPS
- Configuring and troubleshooting NPS rules is a nightmare = if you have only one rule in NPS it is easier
- Configuring rules based on LDAPS is much easier to troubleshoot and operate

Regards

Z.
Pala, Zdenek, Employee
NAC is much better in every aspect compared to "pure" RADIUS. Some customers call NPS "NAC", some customers call ACS "NAC".

To distinguish that, we use "Extreme Control" instead of NAC :)

The terminology can be fuzzy.

Z.
Martin Flammia
Thanks Zdenek for the information. I was struggling to find any reason (in my particular case) not to use Extreme Control directly and needed to hear that in order to validate it... so great, I can proceed with confidence. Cheers :)
Ryan Turner
If you run a very simple environment, I agree that keeping it simple is best. If you start running a very large environment, you will find that XMS’s simplicity is a pain. We ran the TAGs as the sole RADIUS servers for a while until we started doing eduroam.

But to make sure we are clear: running connections through NAC but proxying through to a non-XMS RADIUS server hurts nothing.

We do custom hashing algorithms, tune performance for TLS by slimming down the modules being loaded, have lots of realm handlers, have custom and complex proxy rules, and customize logging that is exported to other log and analytics servers to process 802.1X logins. Most of these things you will not be able to easily maintain through the GUI. Every time you hit enforce, your customized settings may blow up. Every time you upgrade, your settings may blow up.

So you have to decide how complicated you are going to get.
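As an added illustration of the "realm handlers" and "proxy rules" Ryan describes for the eduroam case (not the poster's or Extreme's configuration), here is a FreeRADIUS 3.x proxy.conf fragment that keeps the campus realm local and forwards every other realm to a fail-over pool of federation-level servers. The realm name, server addresses and the shared secret are placeholders.

```conf
# Added example: realm-based proxying in FreeRADIUS proxy.conf (3.x syntax).
# All hostnames, IP addresses, realm names and secrets are constructed placeholders.

# Upstream servers that terminate requests for realms we do not own
# (for eduroam, the national federation-level RADIUS servers).
home_server flr1 {
    type = auth                           # authentication only; accounting stays local
    ipaddr = 192.0.2.10                   # placeholder
    port = 1812
    secret = replace-with-strong-shared-secret
    require_message_authenticator = yes   # drop replies that lack a valid Message-Authenticator
    status_check = status-server          # detect a dead peer without waiting on user traffic
    response_window = 20                  # seconds before the request is retried elsewhere
}

home_server flr2 {
    type = auth
    ipaddr = 192.0.2.11                   # placeholder
    port = 1812
    secret = replace-with-strong-shared-secret
    require_message_authenticator = yes
    status_check = status-server
    response_window = 20
}

home_server_pool flr_pool {
    type = fail-over                      # use flr1; fall over to flr2 when flr1 is zombie/dead
    home_server = flr1
    home_server = flr2
}

# Our own realm: no auth_pool, so the request is authenticated locally
# (for example EAP-TLS against the campus CA) instead of being proxied.
realm example.edu {
}

# Any other realm is a visitor from another institution: forward it upstream.
# nostrip keeps the full user@realm in User-Name, which eduroam requires.
realm DEFAULT {
    auth_pool = flr_pool
    nostrip
}
```

The `suffix` module must be enabled in the `authorize` section of the virtual server so the part after `@` in User-Name is matched against these realm blocks; requests with no realm at all then fall through to local authentication, which is usually what you want for on-campus users.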