Govroam

The Roaming solution for the public sector

User Tools

Site Tools


siteadmin:radius_server_choice_guide
System Cost Platform Pros Cons Why to choose
FreeRADIUS Free * Linux (and similar e.g. Mac OS)
* Packaged with most distributions
* Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.
* Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2)
* Flexible configuration language for defining complex policies.
* Allows breakout into Perl or Python for exceptionally complex policies. Or integration with more escoteric data sources.
* Extensible via plugin modules.
* Supports RadSec natively.
* Fast and efficient - a pair of RADIUS servers is usually sufficient for govroam deployments.
* Does not yet support DNS based Dynamic Discovery for RadSec (not yet relevant to govroam for ORPS deployments)
* Can be difficult to configure due to the number of options available, especially for novice system administrators
* It's extreme flexibility and high performance means that FreeRADIUS is a good fit for most govroam sites, which is why it is the most deployed RADIUS servers within the eduroam federation.
* The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve.
* JISC can provide in-house consultancy.
Microsoft NPS Free with Windows * Windows * Windows GUI means no linux or scripting skills or experience needed
* Works well with AD
* Can be made to do the basics of the required job
* Filtering of RADIUS attributes not properly supported, but over-write workround is satisfactory
* Doesn't support Status Server
* Doesn't support Operator-Name injection
* Doesn't support Chargeable User Identity
* GUI interface limits what you can configure
* Everything is policy-based, which makes configuration based on logic somewhat difficult
* Logging is minimal and inflexible
* If you're primarily a Windows shop you may be comfortable with the familiar interface and feel confident in selecting a fully supported product whilst accepting NPS's limitations.
OSC RADIATOR From ~£1,000 * Linux
* Windows
* Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.
* Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2).
* Flexible configuration language for defining complex policies.
* Supports RadSec natively.
* A pair of RADIUS servers is usually sufficient for govroam deployments.
* Fully supported product - a range of support options are available
* Written in PERL so when your configuration get large and complex the server will get slower. * Its extreme flexibility means that RADIATOR is a good fit for most govroam sites.
* The upshot of its popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve and it is provided with a 'goodies' directory containing many recipes ready for use or to start off with.
* If you need a flexible RADIUS server, and have the in house expertise to configure it, RADIATOR is a good choice
* RADIATOR is written in PERL and can be run on Windows servers (with a prerequisite PERL interpreter installed) which would suit if you're primarily a Windows shop
Cisco ACS/ISE From ~£1,000 * Appliance * Doesn't support Status Server * An obvious choice if site already makes heavy use of Cisco wireless.
Aruba Clearpass From ~£4,000 * Appliance
* VM
* FreeRADIUS under the bonnet with a GUI front end
* An obvious choice if site already makes heavy use of Aruba wireless
radsecproxy Free * Linux (and similar)
* Packaged with most distributions
* Very small foot print.
* Simple, flat configuration.
* Good performance.
* Supports all the requirements for govroam (e.g. attribute filtering, Operator-Name).
* Support RADSEC and non-RADSEC connections.
* Just a proxy - no ability to authenticate * If your platform cannot do good filtering or add attributes then if you use this at the border to talk to the NRPS you can leverage these abilities.
* Can be easily dropped in as a pure ORPS.
siteadmin/radius_server_choice_guide.txt · Last modified: 2022/09/07 10:12 by admin