This is a short question, which I'm sure has a long answer... It's something I've come across quite often, but I'm not really sure of the answer.
What's the advantage of using a separate RADIUS server, as opposed to just using NAC itself? Sure, the answer might be better integration with AD, if say using Windows RADIUS, but what exactly does that mean, and how does it benefit (or not) the different types of authentication you might use? Like using NAC for 802.1X via LDAP vs using RADIUS (as one example).
I've simply (as of yet) not seen anything I couldn't do with NAC itself where a separate RADIUS would offer any additional benefit!?
Many thanks in advance.
I'll bite... We have an extremely large NAC environment (I think over 30 access gateways) that is authenticating all wired and wireless across campus (over 100,000 devices a day). Our main EAP method for wireless is TLS. We also use a federated wireless SSID called eduroam. We have found that by proxying our requests to stand-alone freeRadius servers for 802.1X, we get a lot of flexibility and configuration options that would be cumbersome or impossible within XMC. You also can scale beyond the XMC limitation of 4 RADIUS servers with another proxy in between your access gateways and the termination RADIUS server.
We do a lot with the configuration of how the requests are handled and logged. When you do enforces, or upgrades, likely all of that would be gone.
I also don't think that Extreme has been using an 'up to date' version of freeRadius.
So we leave the access gateways (TAGs/NAGs/ACEs/whatever they call them this week) to MAC authentications only and ship everything else external.
Our 802.1X authentication times range from 11ms to 50ms (depending on load) and our MAC Authentication times are in the range of 65ms to 200ms (which always seems strange to me: it takes longer to authenticate a MAC locally on the access gateway than to proxy a request to an entirely different bank of TLS servers and wait for the response).
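The setup described in the answer above (access gateways forwarding 802.1X to a bank of external EAP-TLS servers, with eduroam traffic sent on to the federation) is the classic FreeRADIUS realm-based proxy layout. The following is an added illustration of what that looks like in FreeRADIUS 3.x `proxy.conf` syntax; it is not the poster's configuration or anything shipped by Extreme. All IP addresses, shared secrets and realm names are constructed placeholders, and the split into "local realm", "DEFAULT realm" and "NULL realm" is the standard FreeRADIUS pattern rather than anything specific to this site.

```conf
# Added example (not from the post): FreeRADIUS 3.x proxy.conf fragment.
# Addresses, secrets and realm names below are constructed placeholders.

# Terminating EAP-TLS servers, i.e. the "bank of TLS servers" in the post.
home_server tls-auth-1 {
    type    = auth
    ipaddr  = 10.0.0.11                 # placeholder
    port    = 1812
    secret  = CHANGE-ME-long-random-1   # placeholder; use a long random secret per server
    response_window      = 20
    zombie_period        = 40
    status_check         = status-server  # probe the server instead of waiting for timeouts
    check_interval       = 30
    num_answers_to_alive = 3
}

home_server tls-auth-2 {
    type    = auth
    ipaddr  = 10.0.0.12                 # placeholder
    port    = 1812
    secret  = CHANGE-ME-long-random-2   # placeholder
    response_window      = 20
    zombie_period        = 40
    status_check         = status-server
    check_interval       = 30
    num_answers_to_alive = 3
}

# One pool spreads load across the terminating servers and fails over
# automatically when a member is marked dead. Add more home_server lines
# here to grow past any fixed per-client server limit on the front end.
home_server_pool tls-auth-pool {
    type        = load-balance
    home_server = tls-auth-1
    home_server = tls-auth-2
}

# Local realm: our own users go to the local EAP-TLS pool.
# nostrip keeps the full User-Name so the outer identity is left intact.
realm campus.example {
    auth_pool = tls-auth-pool
    nostrip
}

# Federation-level RADIUS server for eduroam (placeholder address/secret).
home_server eduroam-flr-1 {
    type    = auth
    ipaddr  = 192.0.2.10                # placeholder
    port    = 1812
    secret  = CHANGE-ME-federation-secret
    status_check = status-server
}

home_server_pool eduroam-flr-pool {
    type        = fail-over
    home_server = eduroam-flr-1
}

# Any realm we do not own (visitors on eduroam) is forwarded to the federation.
realm DEFAULT {
    auth_pool = eduroam-flr-pool
    nostrip
}

# Identities with no "@realm" at all are handled locally and never proxied,
# which also stops malformed or realm-less requests from leaking upstream.
realm NULL {
}
```

For the realm lookup to happen at all, the `suffix` module must run in the `authorize` section of the virtual server that receives the gateway traffic; named realms such as `campus.example` are matched before `DEFAULT`, which is what keeps local users off the federation path. The `status_check = status-server` lines are worth keeping even in a small deployment: without active probing a failed home server only gets noticed after client requests have timed out, which shows up as exactly the kind of authentication latency spikes the post is measuring.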
Thanks for going to the trouble of answering my post and sharing from your experience.
To summarise, some reasons might be:
- Additional flexibility
- And possible performance increase
Appreciate your time is valuable, but it would be really handy to know.
If anyone else also has any experience, ideas, or reasons on what additional flexibility having a separate RADIUS server would bring, that would be great.
NAC does more than just RADIUS:
- guest captive portal
- health posture assessment
- much easier to maintain = easy to use
- much better visibility = much more information available (Switch name, switch IP, port name, port description, first seen, last seen, status....)
Thanks for posting.
Well, that's interesting you say that, as apart from some of those things mentioned I can't seem to find a reason generally not to use NAC as my RADIUS server, but I've always been told to use a dedicated one without understanding why?
Those things you mention, though, I can still take advantage of (the NAC features) by way of proxy and carry on using an external RADIUS, so I'm still at a loss as to the pros and cons of using an external RADIUS, if indeed I really need to use one at all?
What do you think?