siteadmin:radius_server_choice_guide
System | Cost | Platform | Pros | Cons | Why to choose |
---|---|---|---|---|---|
FreeRADIUS | Free | * Linux (and similar e.g. Mac OS) * Packaged with most distributions | * Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL. * Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2) * Flexible configuration language for defining complex policies. * Allows breakout into Perl or Python for exceptionally complex policies. Or integration with more escoteric data sources. * Extensible via plugin modules. * Supports RadSec natively. * Fast and efficient - a pair of RADIUS servers is usually sufficient for govroam deployments. | * Does not yet support DNS based Dynamic Discovery for RadSec (not yet relevant to govroam for ORPS deployments) * Can be difficult to configure due to the number of options available, especially for novice system administrators | * It's extreme flexibility and high performance means that FreeRADIUS is a good fit for most govroam sites, which is why it is the most deployed RADIUS servers within the eduroam federation. * The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve. * JISC can provide in-house consultancy. |
Microsoft NPS | Free with Windows | * Windows | * Windows GUI means no linux or scripting skills or experience needed * Works well with AD * Can be made to do the basics of the required job | * Filtering of RADIUS attributes not properly supported, but over-write workround is satisfactory * Doesn't support Status Server * Doesn't support Operator-Name injection * Doesn't support Chargeable User Identity * GUI interface limits what you can configure * Everything is policy-based, which makes configuration based on logic somewhat difficult * Logging is minimal and inflexible | * If you're primarily a Windows shop you may be comfortable with the familiar interface and feel confident in selecting a fully supported product whilst accepting NPS's limitations. |
OSC RADIATOR | From ~£1,000 | * Linux * Windows | * Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL. * Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2). * Flexible configuration language for defining complex policies. * Supports RadSec natively. * A pair of RADIUS servers is usually sufficient for govroam deployments. * Fully supported product - a range of support options are available | * Written in PERL so when your configuration get large and complex the server will get slower. | * Its extreme flexibility means that RADIATOR is a good fit for most govroam sites. * The upshot of its popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve and it is provided with a 'goodies' directory containing many recipes ready for use or to start off with. * If you need a flexible RADIUS server, and have the in house expertise to configure it, RADIATOR is a good choice * RADIATOR is written in PERL and can be run on Windows servers (with a prerequisite PERL interpreter installed) which would suit if you're primarily a Windows shop |
Cisco ACS/ISE | From ~£1,000 | * Appliance | * Doesn't support Status Server | * An obvious choice if site already makes heavy use of Cisco wireless. | |
Aruba Clearpass | From ~£4,000 | * Appliance * VM | * FreeRADIUS under the bonnet with a GUI front end * An obvious choice if site already makes heavy use of Aruba wireless |
||
radsecproxy | Free | * Linux (and similar) * Packaged with most distributions | * Very small foot print. * Simple, flat configuration. * Good performance. * Supports all the requirements for govroam (e.g. attribute filtering, Operator-Name). * Support RADSEC and non-RADSEC connections. | * Just a proxy - no ability to authenticate | * If your platform cannot do good filtering or add attributes then if you use this at the border to talk to the NRPS you can leverage these abilities. * Can be easily dropped in as a pure ORPS. |
siteadmin/radius_server_choice_guide.txt · Last modified: 2022/09/07 10:12 by admin