Extreme Networks

Anonymous · ‎01-17-2018

Hi There,

This is a short question, which I'm sure has a long answer..... its something I've come across quite often and but I'm not really sure on the answer.

What's the advantage of using a separate RADIUS server, opposed to just using NAC itself?

Sure the answer might be better integration with AD, if say using windows RADIUS, but what exactly does that mean and how does it benefit or not the different types of authentication you might use. Like using NAC for 802.1x via LDAP vs using RADIUS (as one example).

Its simply (as of yet), not seen anything I couldn't do with NAC itself that a separate RADIUS would offer any additional benefit !?

Many thanks in advance.

Ryan_Turner · ‎01-19-2018

If you run a very simple environment, I agree that keeping it simple is best. If you start running a very large environment, you will find that XMS’s simplicity is a pain. We ran the TAGs as the sole RADIUS servers for a while until we started doing eduroam.

But to make sure we are clear. Running connections through NAC but proxying through to a non XMS RADIUS server hurts nothing.

We do custom hashing algorithms, tune performance for TLS by slimming down the modules being loaded, have lots of realm handlers, have custom and complex proxy rules, and customize logging that is exported to other log and analytics servers to process 802.1X logins. Most of these things you will not be able to easily maintain through the GUI. Everytime you hit enforce, your customized settings may blow up. Every time you upgrade, your settings may blow up

So you have to decide how complicated you are going to get.

Anonymous · ‎01-19-2018

Thanks Zdenek for the information. Was struggling to find any reason (in my particular case) not to use Extreme Control directly and needed to hear that in order to validate it... so great, I can proceed with confidence. Cheers 🙂

Zdeněk_Pala · ‎01-19-2018

NAC is much better in every aspect comparing to "pure" radius. Some customers are calling NPS as NAC, some customers are calling ACS as NAC.

To distinguish that, we use "Extreme Control" instead of NAC 🙂

the terminology can be fuzzy.

Z.

Regards Zdeněk Pala

Zdeněk_Pala · ‎01-19-2018

My point of view.

switch use NAC-engine as radius server.
NAC-engine can use NPS as upstream radius server = advantage: you have one repository where username and password is stored. the way to add/remove/change users in M$ world is comfortable
NAC-engine can use LDAP/LDAPs as upstream authentication = advantage: you do not need to install NPS and Certificates
NAC-engine can use local database = advantage: you do not need any other component, but the way to add/remove/change users needs to be integrated to the customer processes

the most common deployment:
- NAC-engine use radius to verify username/password against domain.
- NAC-engine use LDAPs to check the group membership
advantage of the combination above:
- M$ believe the radius is more secure compare to the NTLM used in LDAPs
- configure and troubleshoot NPS rules is nightmare = if you have one rule only in NPS it is easier
- configure rules based on LDAPs is much more easy to troubleshoot and operate

Regards

Z.

Regards Zdeněk Pala

Extreme Networks

NAC vs Seperate Radius Server

NAC vs Seperate Radius Server