| siteadmin:radius_server_choice_guide [2018/01/23 10:20] – [Table] admin | siteadmin:radius_server_choice_guide [2022/09/07 10:12] (current) – [Table] admin |
|---|
| ^ System ^ Cost ^ Platform ^ Pros ^ Cons ^ Why to choose ^ | ^ System ^ Cost ^ Platform ^ Pros ^ Cons ^ Why to choose ^ |
| | FreeRADIUS | Free | * Linux (and similar e.g. Mac OS)\\ * Packaged with most distributions | * Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.\\ * Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2)\\ * Flexible configuration language for defining complex policies.\\ * Allows breakout into Perl or Python for exceptionally complex policies. Or integration with more escoteric data sources.\\ * Extensible via plugin modules.\\ * Supports RadSec natively.\\ * Fast and efficient - a pair of RADIUS servers is usually sufficient for govroam deployments. | * Does not yet support DNS based Dynamic Discovery for RadSec (not yet relevant to govroam for ORPS deployments)\\ * Can be difficult to configure due to the number of options available, especially for novice system administrators | * It's extreme flexibility and high performance means that FreeRADIUS is a good fit for most govroam sites, which is why it is the most deployed RADIUS servers within the eduroam federation.\\ * The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve.\\ * JISC can provide in-house consultancy. | | | FreeRADIUS | Free | * Linux (and similar e.g. Mac OS)\\ * Packaged with most distributions | * Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.\\ * Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2)\\ * Flexible configuration language for defining complex policies.\\ * Allows breakout into Perl or Python for exceptionally complex policies. 
Or integration with more escoteric data sources.\\ * Extensible via plugin modules.\\ * Supports RadSec natively.\\ * Fast and efficient - a pair of RADIUS servers is usually sufficient for govroam deployments. | * Does not yet support DNS based Dynamic Discovery for RadSec (not yet relevant to govroam for ORPS deployments)\\ * Can be difficult to configure due to the number of options available, especially for novice system administrators | * It's extreme flexibility and high performance means that FreeRADIUS is a good fit for most govroam sites, which is why it is the most deployed RADIUS servers within the eduroam federation.\\ * The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve.\\ * JISC can provide in-house consultancy. | |
| | Microsoft NPS | Free with Windows | * Windows | * Windows GUI means no linux or scripting skills or experience needed\\ * Works well with AD\\ * Can be made to do the basics of the required job | * Filtering of RADIUS attributes not properly supported, but over-write workround is satisfactory\\ * Doesn't support Status Server\\ * Doesn't support Operator-Name injection\\ * Doesn't support Chargeable User Identity\\ * GUI interface limits what you can configure\\ * Everything is policy-based, which makes configuration based on logic somewhat difficult\\ * Logging is minimal and inflexible | * If you're primarily a Windows shop you may be comfortable with the familiar interface and feel confident in selecting a fully supported product whilst accepting NPS's limitations. | | | Microsoft NPS | Free with Windows | * Windows | * Windows GUI means no linux or scripting skills or experience needed\\ * Works well with AD\\ * Can be made to do the basics of the required job | * Filtering of RADIUS attributes not properly supported, but over-write workround is satisfactory\\ * Doesn't support Status Server\\ * Doesn't support Operator-Name injection\\ * Doesn't support Chargeable User Identity\\ * GUI interface limits what you can configure\\ * Everything is policy-based, which makes configuration based on logic somewhat difficult\\ * Logging is minimal and inflexible | * If you're primarily a Windows shop you may be comfortable with the familiar interface and feel confident in selecting a fully supported product whilst accepting NPS's limitations. | |
| | OSC RADIATOR | From ~£1,000 | * Linux\\ * Windows | * Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.\\ * Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2).\\ * Flexible configuration language for defining complex policies.\\ * Supports RadSec natively.\\ * A pair of RADIUS servers is usually sufficient for govroam deployments.\\ * Fully supported product - a range of support options are available | * Written in PERL so when your configuration get large and complex the server will get slower. | * It's extreme flexibility means that RADIATOR is a good fit for most govroam sites.\\ * The upshot of it's popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve and it is provided with a 'goodies' directory containing many recipes ready for use or to start off with.\\ * If you need a flexible RADIUS server, and have the in house expertise to configure it, RADIATOR is a good choice\\ * RADIATOR is written in PERL and can be run on Windows servers (with a prerequisite PERL interpreter installed) which would suit if you're primarily a Windows shop | | | OSC RADIATOR | From ~£1,000 | * Linux\\ * Windows | * Integrates with a wide range of authentication backends, including AD, LDAP, Kerberos, and multiple flavours of SQL.\\ * Supports all EAP flavours commonly used for user authentication in govroam (EAP-PEAP, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAPv2).\\ * Flexible configuration language for defining complex policies.\\ * Supports RadSec natively.\\ * A pair of RADIUS servers is usually sufficient for govroam deployments.\\ * Fully supported product - a range of support options are available | * Written in PERL so when your configuration get large and complex the server will get slower. 
| * Its extreme flexibility means that RADIATOR is a good fit for most govroam sites.\\ * The upshot of its popularity is that there are many technical guides already published which take some of the edge of the sharp learning curve and it is provided with a 'goodies' directory containing many recipes ready for use or to start off with.\\ * If you need a flexible RADIUS server, and have the in house expertise to configure it, RADIATOR is a good choice\\ * RADIATOR is written in PERL and can be run on Windows servers (with a prerequisite PERL interpreter installed) which would suit if you're primarily a Windows shop | |
| | Cisco ACS/ISE | From ~£1,000 | * Appliance | | * Doesn't support Status Server | * An obvious choice if site already makes heavy use of Cisco wireless. | | | Cisco ACS/ISE | From ~£1,000 | * Appliance | | * Doesn't support Status Server | * An obvious choice if site already makes heavy use of Cisco wireless. | |
| | Aruba Clearpass | From ~£4,000 | * Appliance\\ * VM | | | * FreeRADIUS under the bonnet with a GUI front end\\ * An obvious choice if site already makes heavy use of Aruba wireless | | | Aruba Clearpass | From ~£4,000 | * Appliance\\ * VM | | | * FreeRADIUS under the bonnet with a GUI front end\\ * An obvious choice if site already makes heavy use of Aruba wireless | |
| | radsecproxy | Free | * Linux (and similar)\\ * Packaged with most distributions | * Very small foot print.\\ * Simple, flat configuration.\\ * Good performance.\\ * Supports all the requirements for govroam (e.g. attribute filtering, Operator-Name).\\ * Support RADSEC and non-RADSEC connections. | * Just a proxy - no ability to authenticate | * If your platform cannot do good filtering or add attributes then if you use this at the border to talk to the NRPS you can leverage these abilities.\\ * Can be easily dropped in as a pure ORPS. | | | radsecproxy | Free | * Linux (and similar)\\ * Packaged with most distributions | * Very small foot print.\\ * Simple, flat configuration.\\ * Good performance.\\ * Supports all the requirements for govroam (e.g. attribute filtering, Operator-Name).\\ * Support RADSEC and non-RADSEC connections. | * Just a proxy - no ability to authenticate | * If your platform cannot do good filtering or add attributes then if you use this at the border to talk to the NRPS you can leverage these abilities.\\ * Can be easily dropped in as a pure ORPS. | |
| | FreeRADIUS.net | Free | * Windows | * Runs on Windows\\ * Has same features as FreeRADIUS | * Very old (v 1.1.7 where FreeRADIUS is v 3.X.X)\\ * Designed to run on Windows XP\\ * Not suitable for production environment | * Not a good choice for a critical service | | |
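Review bot: The possessive fix in the OSC RADIATOR row's "Why to choose" cell ("It's extreme flexibility" to "Its extreme flexibility", "it's popularity" to "its popularity") was not carried over to the FreeRADIUS row, which still reads "It's extreme flexibility" and "The upshot of it's popularity" in the current revision. Apply the same correction there. While editing those cells, "take some of the edge of the sharp learning curve" should read "edge off" in both rows, "escoteric" should be "esoteric" and "the most deployed RADIUS servers" should be singular in the FreeRADIUS row, and "when your configuration get large" should be "gets large" in the RADIATOR row.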
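Review bot: Removing the FreeRADIUS.net row outright also removes the only statement on the page that this Windows build is "Very old (v 1.1.7 where FreeRADIUS is v 3.X.X)" and "Not suitable for production environment". A site searching for FreeRADIUS on Windows can no longer tell from the table that the option was assessed and rejected. Consider keeping a one-line entry, or a note under the table, stating that it is not recommended for a critical service.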